From: Greg Kroah-Hartman Date: Sun, 12 Dec 2021 14:56:35 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.295~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7db2ae376a177cf33f1ff277e69295d7af71f8a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch i40e-fix-pre-set-max-number-of-queues-for-vf.patch mtd-rawnand-fsmc-take-instruction-delay-into-account.patch net-altera-set-a-couple-error-code-in-probe.patch net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch qede-validate-non-lso-skb-length.patch tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch --- diff --git a/queue-4.19/asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch b/queue-4.19/asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch new file mode 100644 index 00000000000..d110782f1b8 --- /dev/null +++ b/queue-4.19/asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch @@ -0,0 +1,60 @@ +From 4739d88ad8e1900f809f8a5c98f3c1b65bf76220 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Tue, 30 Nov 2021 16:31:10 +0000 +Subject: ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer + +From: Srinivas Kandagatla + +commit 4739d88ad8e1900f809f8a5c98f3c1b65bf76220 upstream. + +msm_routing_put_audio_mixer() can return incorrect value in various scenarios. + +scenario 1: +amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 1 +amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 0 + +return value is 0 instead of 1 eventhough value was changed + +scenario 2: +amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 1 +amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 1 + +return value is 1 instead of 0 eventhough the value was not changed + +scenario 3: +amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 0 +return value is 1 instead of 0 eventhough the value was not changed + +Fix this by adding checks, so that change notifications are sent correctly. + +Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20211130163110.5628-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6routing.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6routing.c ++++ b/sound/soc/qcom/qdsp6/q6routing.c +@@ -440,14 +440,16 @@ static int msm_routing_put_audio_mixer(s + struct session_data *session = &data->sessions[session_id]; + + if (ucontrol->value.integer.value[0]) { ++ if (session->port_id == be_id) ++ return 0; ++ + session->port_id = be_id; + snd_soc_dapm_mixer_update_power(dapm, kcontrol, 1, update); + } else { +- if (session->port_id == be_id) { +- session->port_id = -1; ++ if (session->port_id == -1 || session->port_id != be_id) + return 0; +- } + ++ session->port_id = -1; + snd_soc_dapm_mixer_update_power(dapm, kcontrol, 0, update); + } + diff --git a/queue-4.19/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch b/queue-4.19/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch new file mode 100644 index 00000000000..5d6800f8c63 --- /dev/null +++ b/queue-4.19/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch @@ -0,0 +1,43 @@ +From e6a59aac8a8713f335a37d762db0dbe80e7f6d38 Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Fri, 10 Dec 2021 10:20:58 -0800 +Subject: block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) + +From: Davidlohr Bueso + +commit e6a59aac8a8713f335a37d762db0dbe80e7f6d38 upstream. + +do_each_pid_thread(PIDTYPE_PGID) can race with a concurrent +change_pid(PIDTYPE_PGID) that can move the task from one hlist +to another while iterating. Serialize ioprio_get to take +the tasklist_lock in this case, just like it's set counterpart. + +Fixes: d69b78ba1de (ioprio: grab rcu_read_lock in sys_ioprio_{set,get}()) +Acked-by: Oleg Nesterov +Signed-off-by: Davidlohr Bueso +Link: https://lore.kernel.org/r/20211210182058.43417-1-dave@stgolabs.net +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/ioprio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/ioprio.c ++++ b/block/ioprio.c +@@ -206,6 +206,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which, + pgrp = task_pgrp(current); + else + pgrp = find_vpid(who); ++ read_lock(&tasklist_lock); + do_each_pid_thread(pgrp, PIDTYPE_PGID, p) { + tmpio = get_task_ioprio(p); + if (tmpio < 0) +@@ -215,6 +216,8 @@ SYSCALL_DEFINE2(ioprio_get, int, which, + else + ret = ioprio_best(ret, tmpio); + } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); ++ read_unlock(&tasklist_lock); ++ + break; + case IOPRIO_WHO_USER: + uid = make_kuid(current_user_ns(), who); diff --git a/queue-4.19/i40e-fix-pre-set-max-number-of-queues-for-vf.patch b/queue-4.19/i40e-fix-pre-set-max-number-of-queues-for-vf.patch new file mode 100644 index 00000000000..eb4b14b92ef --- /dev/null +++ b/queue-4.19/i40e-fix-pre-set-max-number-of-queues-for-vf.patch @@ -0,0 +1,38 @@ +From 8aa55ab422d9d0d825ebfb877702ed661e96e682 Mon Sep 17 00:00:00 2001 +From: Mateusz Palczewski +Date: Fri, 16 Jul 2021 11:33:56 +0200 +Subject: i40e: Fix pre-set max number of queues for VF + +From: Mateusz Palczewski + +commit 8aa55ab422d9d0d825ebfb877702ed661e96e682 upstream. + +After setting pre-set combined to 16 queues and reserving 16 queues by +tc qdisc, pre-set maximum combined queues returned to default value +after VF reset being 4 and this generated errors during removing tc. +Fixed by removing clear num_req_queues before reset VF. + +Fixes: e284fc280473 (i40e: Add and delete cloud filter) +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Mateusz Palczewski +Tested-by: Bindushree P +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3580,11 +3580,6 @@ static int i40e_vc_add_qch_msg(struct i4 + + /* set this flag only after making sure all inputs are sane */ + vf->adq_enabled = true; +- /* num_req_queues is set when user changes number of queues via ethtool +- * and this causes issue for default VSI(which depends on this variable) +- * when ADq is enabled, hence reset it. +- */ +- vf->num_req_queues = 0; + + /* reset the VF in order to allocate resources */ + i40e_vc_notify_vf_reset(vf); diff --git a/queue-4.19/mtd-rawnand-fsmc-take-instruction-delay-into-account.patch b/queue-4.19/mtd-rawnand-fsmc-take-instruction-delay-into-account.patch new file mode 100644 index 00000000000..01f13db6007 --- /dev/null +++ b/queue-4.19/mtd-rawnand-fsmc-take-instruction-delay-into-account.patch @@ -0,0 +1,44 @@ +From a4ca0c439f2d5ce9a3dc118d882f9f03449864c8 Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Fri, 19 Nov 2021 16:03:15 +0100 +Subject: mtd: rawnand: fsmc: Take instruction delay into account + +From: Herve Codina + +commit a4ca0c439f2d5ce9a3dc118d882f9f03449864c8 upstream. + +The FSMC NAND controller should apply a delay after the +instruction has been issued on the bus. +The FSMC NAND controller driver did not handle this delay. + +Add this waiting delay in the FSMC NAND controller driver. + +Fixes: 4da712e70294 ("mtd: nand: fsmc: use ->exec_op()") +Signed-off-by: Herve Codina +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20211119150316.43080-4-herve.codina@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/fsmc_nand.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -700,6 +701,9 @@ static int fsmc_exec_op(struct nand_chip + instr->ctx.waitrdy.timeout_ms); + break; + } ++ ++ if (instr->delay_ns) ++ ndelay(instr->delay_ns); + } + + return ret; diff --git a/queue-4.19/net-altera-set-a-couple-error-code-in-probe.patch b/queue-4.19/net-altera-set-a-couple-error-code-in-probe.patch new file mode 100644 index 00000000000..2123c236d9c --- /dev/null +++ b/queue-4.19/net-altera-set-a-couple-error-code-in-probe.patch @@ -0,0 +1,45 @@ +From badd7857f5c933a3dc34942a2c11d67fdbdc24de Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 Dec 2021 13:11:28 +0300 +Subject: net: altera: set a couple error code in probe() + +From: Dan Carpenter + +commit badd7857f5c933a3dc34942a2c11d67fdbdc24de upstream. + +There are two error paths which accidentally return success instead of +a negative error code. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/altera/altera_tse_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -1445,16 +1445,19 @@ static int altera_tse_probe(struct platf + priv->rxdescmem_busaddr = dma_res->start; + + } else { ++ ret = -ENODEV; + goto err_free_netdev; + } + +- if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask))) ++ if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask))) { + dma_set_coherent_mask(priv->device, + DMA_BIT_MASK(priv->dmaops->dmamask)); +- else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32))) ++ } else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32))) { + dma_set_coherent_mask(priv->device, DMA_BIT_MASK(32)); +- else ++ } else { ++ ret = -EIO; + goto err_free_netdev; ++ } + + /* MAC address space */ + ret = request_and_map(pdev, "control_port", &control_port, diff --git a/queue-4.19/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch b/queue-4.19/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch new file mode 100644 index 00000000000..3efe5bfe12b --- /dev/null +++ b/queue-4.19/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch @@ -0,0 +1,73 @@ +From 2be6d4d16a0849455a5c22490e3c5983495fed00 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 2 Dec 2021 14:34:37 +0000 +Subject: net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lee Jones + +commit 2be6d4d16a0849455a5c22490e3c5983495fed00 upstream. + +Currently, due to the sequential use of min_t() and clamp_t() macros, +in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is not set, the logic +sets tx_max to 0. This is then used to allocate the data area of the +SKB requested later in cdc_ncm_fill_tx_frame(). + +This does not cause an issue presently because when memory is +allocated during initialisation phase of SKB creation, more memory +(512b) is allocated than is required for the SKB headers alone (320b), +leaving some space (512b - 320b = 192b) for CDC data (172b). + +However, if more elements (for example 3 x u64 = [24b]) were added to +one of the SKB header structs, say 'struct skb_shared_info', +increasing its original size (320b [320b aligned]) to something larger +(344b [384b aligned]), then suddenly the CDC data (172b) no longer +fits in the spare SKB data area (512b - 384b = 128b). + +Consequently the SKB bounds checking semantics fails and panics: + + skbuff: skb_over_panic: text:ffffffff830a5b5f len:184 put:172 \ + head:ffff888119227c00 data:ffff888119227c00 tail:0xb8 end:0x80 dev: + + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:110! + RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106 + + Call Trace: + + skb_over_panic+0x2c/0x30 net/core/skbuff.c:115 + skb_put+0x205/0x210 net/core/skbuff.c:1877 + skb_put_zero include/linux/skbuff.h:2270 [inline] + cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1116 [inline] + cdc_ncm_fill_tx_frame+0x127f/0x3d50 drivers/net/usb/cdc_ncm.c:1293 + cdc_ncm_tx_fixup+0x98/0xf0 drivers/net/usb/cdc_ncm.c:1514 + +By overriding the max value with the default CDC_NCM_NTB_MAX_SIZE_TX +when not offered through the system provided params, we ensure enough +data space is allocated to handle the CDC data, meaning no crash will +occur. + +Cc: Oliver Neukum +Fixes: 289507d3364f9 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning") +Signed-off-by: Lee Jones +Reviewed-by: Bjørn Mork +Link: https://lore.kernel.org/r/20211202143437.1411410-1-lee.jones@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -177,6 +177,8 @@ static u32 cdc_ncm_check_tx_max(struct u + /* clamp new_tx to sane values */ + min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth16); + max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize)); ++ if (max == 0) ++ max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */ + + /* some devices set dwNtbOutMaxSize too low for the above default */ + min = min(min, max); diff --git a/queue-4.19/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch b/queue-4.19/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch new file mode 100644 index 00000000000..3ee999e7f7a --- /dev/null +++ b/queue-4.19/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch @@ -0,0 +1,61 @@ +From b5bd95d17102b6719e3531d627875b9690371383 Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Mon, 6 Dec 2021 21:54:57 +0800 +Subject: net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() + +From: Joakim Zhang + +commit b5bd95d17102b6719e3531d627875b9690371383 upstream. + +Background: +We have a customer is running a Profinet stack on the 8MM which receives and +responds PNIO packets every 4ms and PNIO-CM packets every 40ms. However, from +time to time the received PNIO-CM package is "stock" and is only handled when +receiving a new PNIO-CM or DCERPC-Ping packet (tcpdump shows the PNIO-CM and +the DCERPC-Ping packet at the same time but the PNIO-CM HW timestamp is from +the expected 40 ms and not the 2s delay of the DCERPC-Ping). + +After debugging, we noticed PNIO, PNIO-CM and DCERPC-Ping packets would +be handled by different RX queues. + +The root cause should be driver ack all queues' interrupt when handle a +specific queue in fec_enet_rx_queue(). The blamed patch is introduced to +receive as much packets as possible once to avoid interrupt flooding. +But it's unreasonable to clear other queues'interrupt when handling one +queue, this patch tries to fix it. + +Fixes: ed63f1dcd578 (net: fec: clear receive interrupts before processing a packet) +Cc: Russell King +Reported-by: Nicolas Diaz +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20211206135457.15946-1-qiangqing.zhang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec.h | 3 +++ + drivers/net/ethernet/freescale/fec_main.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -373,6 +373,9 @@ struct bufdesc_ex { + #define FEC_ENET_WAKEUP ((uint)0x00020000) /* Wakeup request */ + #define FEC_ENET_TXF (FEC_ENET_TXF_0 | FEC_ENET_TXF_1 | FEC_ENET_TXF_2) + #define FEC_ENET_RXF (FEC_ENET_RXF_0 | FEC_ENET_RXF_1 | FEC_ENET_RXF_2) ++#define FEC_ENET_RXF_GET(X) (((X) == 0) ? FEC_ENET_RXF_0 : \ ++ (((X) == 1) ? FEC_ENET_RXF_1 : \ ++ FEC_ENET_RXF_2)) + #define FEC_ENET_TS_AVAIL ((uint)0x00010000) + #define FEC_ENET_TS_TIMER ((uint)0x00008000) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1441,7 +1441,7 @@ fec_enet_rx_queue(struct net_device *nde + break; + pkt_received++; + +- writel(FEC_ENET_RXF, fep->hwp + FEC_IEVENT); ++ writel(FEC_ENET_RXF_GET(queue_id), fep->hwp + FEC_IEVENT); + + /* Check for errors. */ + status ^= BD_ENET_RX_LAST; diff --git a/queue-4.19/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch b/queue-4.19/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch new file mode 100644 index 00000000000..d790ada4fc3 --- /dev/null +++ b/queue-4.19/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch @@ -0,0 +1,93 @@ +From e195e9b5dee6459d8c8e6a314cc71a644a0537fd Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 6 Dec 2021 08:53:29 -0800 +Subject: net, neigh: clear whole pneigh_entry at alloc time + +From: Eric Dumazet + +commit e195e9b5dee6459d8c8e6a314cc71a644a0537fd upstream. + +Commit 2c611ad97a82 ("net, neigh: Extend neigh->flags to 32 bit +to allow for extensions") enables a new KMSAM warning [1] + +I think the bug is actually older, because the following intruction +only occurred if ndm->ndm_flags had NTF_PROXY set. + + pn->flags = ndm->ndm_flags; + +Let's clear all pneigh_entry fields at alloc time. + +[1] +BUG: KMSAN: uninit-value in pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593 + pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593 + pneigh_dump_table net/core/neighbour.c:2715 [inline] + neigh_dump_info+0x1e3f/0x2c60 net/core/neighbour.c:2832 + netlink_dump+0xaca/0x16a0 net/netlink/af_netlink.c:2265 + __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370 + netlink_dump_start include/linux/netlink.h:254 [inline] + rtnetlink_rcv_msg+0x181b/0x18c0 net/core/rtnetlink.c:5534 + netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg net/socket.c:724 [inline] + sock_write_iter+0x594/0x690 net/socket.c:1057 + call_write_iter include/linux/fs.h:2162 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0x1318/0x2030 fs/read_write.c:590 + ksys_write+0x28c/0x520 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0xdb/0x120 fs/read_write.c:652 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + slab_alloc mm/slub.c:3259 [inline] + __kmalloc+0xc3c/0x12d0 mm/slub.c:4437 + kmalloc include/linux/slab.h:595 [inline] + pneigh_lookup+0x60f/0xd70 net/core/neighbour.c:766 + arp_req_set_public net/ipv4/arp.c:1016 [inline] + arp_req_set+0x430/0x10a0 net/ipv4/arp.c:1032 + arp_ioctl+0x8d4/0xb60 net/ipv4/arp.c:1232 + inet_ioctl+0x4ef/0x820 net/ipv4/af_inet.c:947 + sock_do_ioctl net/socket.c:1118 [inline] + sock_ioctl+0xa3f/0x13e0 net/socket.c:1235 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:874 [inline] + __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860 + __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU: 1 PID: 20001 Comm: syz-executor.0 Not tainted 5.16.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.") +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20211206165329.1049835-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -635,7 +635,7 @@ struct pneigh_entry * pneigh_lookup(stru + + ASSERT_RTNL(); + +- n = kmalloc(sizeof(*n) + key_len, GFP_KERNEL); ++ n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL); + if (!n) + goto out; + diff --git a/queue-4.19/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch b/queue-4.19/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch new file mode 100644 index 00000000000..6c34789c068 --- /dev/null +++ b/queue-4.19/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch @@ -0,0 +1,57 @@ +From d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 7 Dec 2021 11:24:16 +0300 +Subject: net/qla3xxx: fix an error code in ql_adapter_up() + +From: Dan Carpenter + +commit d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 upstream. + +The ql_wait_for_drvr_lock() fails and returns false, then this +function should return an error code instead of returning success. + +The other problem is that the success path prints an error message +netdev_err(ndev, "Releasing driver lock\n"); Delete that and +re-order the code a little to make it more clear. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211207082416.GA16110@kili +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3496,20 +3496,19 @@ static int ql_adapter_up(struct ql3_adap + + spin_lock_irqsave(&qdev->hw_lock, hw_flags); + +- err = ql_wait_for_drvr_lock(qdev); +- if (err) { +- err = ql_adapter_initialize(qdev); +- if (err) { +- netdev_err(ndev, "Unable to initialize adapter\n"); +- goto err_init; +- } +- netdev_err(ndev, "Releasing driver lock\n"); +- ql_sem_unlock(qdev, QL_DRVR_SEM_MASK); +- } else { ++ if (!ql_wait_for_drvr_lock(qdev)) { + netdev_err(ndev, "Could not acquire driver lock\n"); ++ err = -ENODEV; + goto err_lock; + } + ++ err = ql_adapter_initialize(qdev); ++ if (err) { ++ netdev_err(ndev, "Unable to initialize adapter\n"); ++ goto err_init; ++ } ++ ql_sem_unlock(qdev, QL_DRVR_SEM_MASK); ++ + spin_unlock_irqrestore(&qdev->hw_lock, hw_flags); + + set_bit(QL_ADAPTER_UP, &qdev->flags); diff --git a/queue-4.19/qede-validate-non-lso-skb-length.patch b/queue-4.19/qede-validate-non-lso-skb-length.patch new file mode 100644 index 00000000000..dbf511f4432 --- /dev/null +++ b/queue-4.19/qede-validate-non-lso-skb-length.patch @@ -0,0 +1,50 @@ +From 8e227b198a55859bf790dc7f4b1e30c0859c6756 Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Fri, 3 Dec 2021 09:44:13 -0800 +Subject: qede: validate non LSO skb length + +From: Manish Chopra + +commit 8e227b198a55859bf790dc7f4b1e30c0859c6756 upstream. + +Although it is unlikely that stack could transmit a non LSO +skb with length > MTU, however in some cases or environment such +occurrences actually resulted into firmware asserts due to packet +length being greater than the max supported by the device (~9700B). + +This patch adds the safeguard for such odd cases to avoid firmware +asserts. + +v2: Added "Fixes" tag with one of the initial driver commit + which enabled the TX traffic actually (as this was probably + day1 issue which was discovered recently by some customer + environment) + +Fixes: a2ec6172d29c ("qede: Add support for link") +Signed-off-by: Manish Chopra +Signed-off-by: Alok Prasad +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20211203174413.13090-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1606,6 +1606,13 @@ netdev_tx_t qede_start_xmit(struct sk_bu + data_split = true; + } + } else { ++ if (unlikely(skb->len > ETH_TX_MAX_NON_LSO_PKT_LEN)) { ++ DP_ERR(edev, "Unexpected non LSO skb length = 0x%x\n", skb->len); ++ qede_free_failed_tx_pkt(txq, first_bd, 0, false); ++ qede_update_tx_producer(txq); ++ return NETDEV_TX_OK; ++ } ++ + val |= ((skb->len & ETH_TX_DATA_1ST_BD_PKT_LEN_MASK) << + ETH_TX_DATA_1ST_BD_PKT_LEN_SHIFT); + } diff --git a/queue-4.19/series b/queue-4.19/series index 0e1153fd54a..9b9a6780a72 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -36,3 +36,15 @@ binder-use-wake_up_pollfree.patch signalfd-use-wake_up_pollfree.patch aio-keep-poll-requests-on-waitqueue-until-completed.patch aio-fix-use-after-free-due-to-missing-pollfree-handling.patch +tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch +block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch +qede-validate-non-lso-skb-length.patch +asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch +i40e-fix-pre-set-max-number-of-queues-for-vf.patch +mtd-rawnand-fsmc-take-instruction-delay-into-account.patch +tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch +net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch +net-altera-set-a-couple-error-code-in-probe.patch +net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch +net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch +net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch diff --git a/queue-4.19/tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch b/queue-4.19/tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch new file mode 100644 index 00000000000..ed86b071927 --- /dev/null +++ b/queue-4.19/tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch @@ -0,0 +1,183 @@ +From 3d1d57debee2d342a47615707588b96658fabb85 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 30 Nov 2021 10:12:41 -0300 +Subject: tools build: Remove needless libpython-version feature check that breaks test-all fast path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +commit 3d1d57debee2d342a47615707588b96658fabb85 upstream. + +Since 66dfdff03d196e51 ("perf tools: Add Python 3 support") we don't use +the tools/build/feature/test-libpython-version.c version in any Makefile +feature check: + + $ find tools/ -type f | xargs grep feature-libpython-version + $ + +The only place where this was used was removed in 66dfdff03d196e51: + + - ifneq ($(feature-libpython-version), 1) + - $(warning Python 3 is not yet supported; please set) + - $(warning PYTHON and/or PYTHON_CONFIG appropriately.) + - $(warning If you also have Python 2 installed, then) + - $(warning try something like:) + - $(warning $(and ,)) + - $(warning $(and ,) make PYTHON=python2) + - $(warning $(and ,)) + - $(warning Otherwise, disable Python support entirely:) + - $(warning $(and ,)) + - $(warning $(and ,) make NO_LIBPYTHON=1) + - $(warning $(and ,)) + - $(error $(and ,)) + - else + - LDFLAGS += $(PYTHON_EMBED_LDFLAGS) + - EXTLIBS += $(PYTHON_EMBED_LIBADD) + - LANG_BINDINGS += $(obj-perf)python/perf.so + - $(call detected,CONFIG_LIBPYTHON) + - endif + +And nowadays we either build with PYTHON=python3 or just install the +python3 devel packages and perf will build against it. + +But the leftover feature-libpython-version check made the fast path +feature detection to break in all cases except when python2 devel files +were installed: + + $ rpm -qa | grep python.*devel + python3-devel-3.9.7-1.fc34.x86_64 + $ rm -rf /tmp/build/perf ; mkdir -p /tmp/build/perf ; + $ make -C tools/perf O=/tmp/build/perf install-bin + make: Entering directory '/var/home/acme/git/perf/tools/perf' + BUILD: Doing 'make -j32' parallel build + HOSTCC /tmp/build/perf/fixdep.o + + $ cat /tmp/build/perf/feature/test-all.make.output + In file included from test-all.c:18: + test-libpython-version.c:5:10: error: #error + 5 | #error + | ^~~~~ + $ ldd ~/bin/perf | grep python + libpython3.9.so.1.0 => /lib64/libpython3.9.so.1.0 (0x00007fda6dbcf000) + $ + +As python3 is the norm these days, fix this by just removing the unused +feature-libpython-version feature check, making the test-all fast path +to work with the common case. + +With this: + + $ rm -rf /tmp/build/perf ; mkdir -p /tmp/build/perf ; + $ make -C tools/perf O=/tmp/build/perf install-bin |& head + make: Entering directory '/var/home/acme/git/perf/tools/perf' + BUILD: Doing 'make -j32' parallel build + HOSTCC /tmp/build/perf/fixdep.o + HOSTLD /tmp/build/perf/fixdep-in.o + LINK /tmp/build/perf/fixdep + + Auto-detecting system features: + ... dwarf: [ on ] + ... dwarf_getlocations: [ on ] + ... glibc: [ on ] + $ ldd ~/bin/perf | grep python + libpython3.9.so.1.0 => /lib64/libpython3.9.so.1.0 (0x00007f58800b0000) + $ cat /tmp/build/perf/feature/test-all.make.output + $ + +Reviewed-by: James Clark +Fixes: 66dfdff03d196e51 ("perf tools: Add Python 3 support") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jaroslav Škarvada +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/lkml/YaYmeeC6CS2b8OSz@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/build/Makefile.feature | 1 - + tools/build/feature/Makefile | 4 ---- + tools/build/feature/test-all.c | 5 ----- + tools/build/feature/test-libpython-version.c | 11 ----------- + tools/perf/Makefile.config | 2 -- + 5 files changed, 23 deletions(-) + delete mode 100644 tools/build/feature/test-libpython-version.c + +--- a/tools/build/Makefile.feature ++++ b/tools/build/Makefile.feature +@@ -50,7 +50,6 @@ FEATURE_TESTS_BASIC := + numa_num_possible_cpus \ + libperl \ + libpython \ +- libpython-version \ + libslang \ + libcrypto \ + libunwind \ +--- a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -29,7 +29,6 @@ FILES= + test-numa_num_possible_cpus.bin \ + test-libperl.bin \ + test-libpython.bin \ +- test-libpython-version.bin \ + test-libslang.bin \ + test-libcrypto.bin \ + test-libunwind.bin \ +@@ -203,9 +202,6 @@ $(OUTPUT)test-libperl.bin: + $(OUTPUT)test-libpython.bin: + $(BUILD) $(FLAGS_PYTHON_EMBED) + +-$(OUTPUT)test-libpython-version.bin: +- $(BUILD) +- + $(OUTPUT)test-libbfd.bin: + $(BUILD) -DPACKAGE='"perf"' -lbfd -ldl + +--- a/tools/build/feature/test-all.c ++++ b/tools/build/feature/test-all.c +@@ -14,10 +14,6 @@ + # include "test-libpython.c" + #undef main + +-#define main main_test_libpython_version +-# include "test-libpython-version.c" +-#undef main +- + #define main main_test_libperl + # include "test-libperl.c" + #undef main +@@ -181,7 +177,6 @@ + int main(int argc, char *argv[]) + { + main_test_libpython(); +- main_test_libpython_version(); + main_test_libperl(); + main_test_hello(); + main_test_libelf(); +--- a/tools/build/feature/test-libpython-version.c ++++ /dev/null +@@ -1,11 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-#include +- +-#if PY_VERSION_HEX >= 0x03000000 +- #error +-#endif +- +-int main(void) +-{ +- return 0; +-} +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -224,8 +224,6 @@ endif + + FEATURE_CHECK_CFLAGS-libpython := $(PYTHON_EMBED_CCOPTS) + FEATURE_CHECK_LDFLAGS-libpython := $(PYTHON_EMBED_LDOPTS) +-FEATURE_CHECK_CFLAGS-libpython-version := $(PYTHON_EMBED_CCOPTS) +-FEATURE_CHECK_LDFLAGS-libpython-version := $(PYTHON_EMBED_LDOPTS) + + CFLAGS += -fno-omit-frame-pointer + CFLAGS += -ggdb3 diff --git a/queue-4.19/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch b/queue-4.19/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch new file mode 100644 index 00000000000..3c818efb128 --- /dev/null +++ b/queue-4.19/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch @@ -0,0 +1,146 @@ +From 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 7 Dec 2021 17:17:29 -0500 +Subject: tracefs: Set all files to the same group ownership as the mount option + +From: Steven Rostedt (VMware) + +commit 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 upstream. + +As people have been asking to allow non-root processes to have access to +the tracefs directory, it was considered best to only allow groups to have +access to the directory, where it is easier to just set the tracefs file +system to a specific group (as other would be too dangerous), and that way +the admins could pick which processes would have access to tracefs. + +Unfortunately, this broke tooling on Android that expected the other bit +to be set. For some special cases, for non-root tools to trace the system, +tracefs would be mounted and change the permissions of the top level +directory which gave access to all running tasks permission to the +tracing directory. Even though this would be dangerous to do in a +production environment, for testing environments this can be useful. + +Now with the new changes to not allow other (which is still the proper +thing to do), it breaks the testing tooling. Now more code needs to be +loaded on the system to change ownership of the tracing directory. + +The real solution is to have tracefs honor the gid=xxx option when +mounting. That is, + +(tracing group tracing has value 1003) + + mount -t tracefs -o gid=1003 tracefs /sys/kernel/tracing + +should have it that all files in the tracing directory should be of the +given group. + +Copy the logic from d_walk() from dcache.c and simplify it for the mount +case of tracefs if gid is set. All the files in tracefs will be walked and +their group will be set to the value passed in. + +Link: https://lkml.kernel.org/r/20211207171729.2a54e1b3@gandalf.local.home + +Cc: Ingo Molnar +Cc: Kees Cook +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: linux-fsdevel@vger.kernel.org +Cc: Al Viro +Cc: Greg Kroah-Hartman +Reported-by: Kalesh Singh +Reported-by: Yabin Cui +Fixes: 49d67e445742 ("tracefs: Have tracefs directories not set OTH permission bits by default") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/inode.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -162,6 +162,77 @@ struct tracefs_fs_info { + struct tracefs_mount_opts mount_opts; + }; + ++static void change_gid(struct dentry *dentry, kgid_t gid) ++{ ++ if (!dentry->d_inode) ++ return; ++ dentry->d_inode->i_gid = gid; ++} ++ ++/* ++ * Taken from d_walk, but without he need for handling renames. ++ * Nothing can be renamed while walking the list, as tracefs ++ * does not support renames. This is only called when mounting ++ * or remounting the file system, to set all the files to ++ * the given gid. ++ */ ++static void set_gid(struct dentry *parent, kgid_t gid) ++{ ++ struct dentry *this_parent; ++ struct list_head *next; ++ ++ this_parent = parent; ++ spin_lock(&this_parent->d_lock); ++ ++ change_gid(this_parent, gid); ++repeat: ++ next = this_parent->d_subdirs.next; ++resume: ++ while (next != &this_parent->d_subdirs) { ++ struct list_head *tmp = next; ++ struct dentry *dentry = list_entry(tmp, struct dentry, d_child); ++ next = tmp->next; ++ ++ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED); ++ ++ change_gid(dentry, gid); ++ ++ if (!list_empty(&dentry->d_subdirs)) { ++ spin_unlock(&this_parent->d_lock); ++ spin_release(&dentry->d_lock.dep_map, 1, _RET_IP_); ++ this_parent = dentry; ++ spin_acquire(&this_parent->d_lock.dep_map, 0, 1, _RET_IP_); ++ goto repeat; ++ } ++ spin_unlock(&dentry->d_lock); ++ } ++ /* ++ * All done at this level ... ascend and resume the search. ++ */ ++ rcu_read_lock(); ++ascend: ++ if (this_parent != parent) { ++ struct dentry *child = this_parent; ++ this_parent = child->d_parent; ++ ++ spin_unlock(&child->d_lock); ++ spin_lock(&this_parent->d_lock); ++ ++ /* go into the first sibling still alive */ ++ do { ++ next = child->d_child.next; ++ if (next == &this_parent->d_subdirs) ++ goto ascend; ++ child = list_entry(next, struct dentry, d_child); ++ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)); ++ rcu_read_unlock(); ++ goto resume; ++ } ++ rcu_read_unlock(); ++ spin_unlock(&this_parent->d_lock); ++ return; ++} ++ + static int tracefs_parse_options(char *data, struct tracefs_mount_opts *opts) + { + substring_t args[MAX_OPT_ARGS]; +@@ -194,6 +265,7 @@ static int tracefs_parse_options(char *d + if (!gid_valid(gid)) + return -EINVAL; + opts->gid = gid; ++ set_gid(tracefs_mount->mnt_root, gid); + break; + case Opt_mode: + if (match_octal(&args[0], &option))