From: Sasha Levin Date: Mon, 25 Jan 2021 03:21:27 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.19.171~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d81b156e0e1ced125afb1dd9cec3fb8fb55f1cb4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-hda-balance-runtime-system-pm-if-direct-complet.patch b/queue-5.10/alsa-hda-balance-runtime-system-pm-if-direct-complet.patch new file mode 100644 index 00000000000..99100fa03c5 --- /dev/null +++ b/queue-5.10/alsa-hda-balance-runtime-system-pm-if-direct-complet.patch @@ -0,0 +1,115 @@ +From 02fa8b9f0dfbd33984047c7ef8f8c722fdc55a81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jan 2021 23:21:43 +0800 +Subject: ALSA: hda: Balance runtime/system PM if direct-complete is disabled + +From: Kai-Heng Feng + +[ Upstream commit 2b73649cee65b8e33c75c66348cb1bfe0ff9d766 ] + +After hibernation, HDA controller can't be runtime-suspended after +commit 215a22ed31a1 ("ALSA: hda: Refactor codjc PM to use +direct-complete optimization"), which enables direct-complete for HDA +codec. + +The HDA codec driver didn't expect direct-complete will be disabled +after it returns a positive value from prepare() callback. However, +there are some places that PM core can disable direct-complete. For +instance, system hibernation or when codec has subordinates like LEDs. + +So if the codec is prepared for direct-complete but PM core still calls +codec's suspend or freeze callback, partially revert the commit and take +the original approach, which uses pm_runtime_force_*() helpers to +ensure PM refcount are balanced. Meanwhile, still keep prepare() and +complete() callbacks to enable direct-complete and request a resume for +jack detection, respectively. + +Reported-by: Kenneth R. Crudup +Fixes: 215a22ed31a1 ("ALSA: hda: Refactor codec PM to use direct-complete optimization") +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20210119152145.346558-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 24 +++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 687216e745267..eec1775dfffe9 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2934,7 +2934,7 @@ static void hda_call_codec_resume(struct hda_codec *codec) + snd_hdac_leave_pm(&codec->core); + } + +-static int hda_codec_suspend(struct device *dev) ++static int hda_codec_runtime_suspend(struct device *dev) + { + struct hda_codec *codec = dev_to_hda_codec(dev); + unsigned int state; +@@ -2953,7 +2953,7 @@ static int hda_codec_suspend(struct device *dev) + return 0; + } + +-static int hda_codec_resume(struct device *dev) ++static int hda_codec_runtime_resume(struct device *dev) + { + struct hda_codec *codec = dev_to_hda_codec(dev); + +@@ -2968,16 +2968,6 @@ static int hda_codec_resume(struct device *dev) + return 0; + } + +-static int hda_codec_runtime_suspend(struct device *dev) +-{ +- return hda_codec_suspend(dev); +-} +- +-static int hda_codec_runtime_resume(struct device *dev) +-{ +- return hda_codec_resume(dev); +-} +- + #endif /* CONFIG_PM */ + + #ifdef CONFIG_PM_SLEEP +@@ -2998,31 +2988,31 @@ static void hda_codec_pm_complete(struct device *dev) + static int hda_codec_pm_suspend(struct device *dev) + { + dev->power.power_state = PMSG_SUSPEND; +- return hda_codec_suspend(dev); ++ return pm_runtime_force_suspend(dev); + } + + static int hda_codec_pm_resume(struct device *dev) + { + dev->power.power_state = PMSG_RESUME; +- return hda_codec_resume(dev); ++ return pm_runtime_force_resume(dev); + } + + static int hda_codec_pm_freeze(struct device *dev) + { + dev->power.power_state = PMSG_FREEZE; +- return hda_codec_suspend(dev); ++ return pm_runtime_force_suspend(dev); + } + + static int hda_codec_pm_thaw(struct device *dev) + { + dev->power.power_state = PMSG_THAW; +- return hda_codec_resume(dev); ++ return pm_runtime_force_resume(dev); + } + + static int hda_codec_pm_restore(struct device *dev) + { + dev->power.power_state = PMSG_RESTORE; +- return hda_codec_resume(dev); ++ return pm_runtime_force_resume(dev); + } + #endif /* CONFIG_PM_SLEEP */ + +-- +2.27.0 + diff --git a/queue-5.10/arm64-entry-remove-redundant-irq-flag-tracing.patch b/queue-5.10/arm64-entry-remove-redundant-irq-flag-tracing.patch new file mode 100644 index 00000000000..0e300dc8a7b --- /dev/null +++ b/queue-5.10/arm64-entry-remove-redundant-irq-flag-tracing.patch @@ -0,0 +1,84 @@ +From 74025921d947a6f3eaf807f2734797719d762014 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 14:53:10 +0000 +Subject: arm64: entry: remove redundant IRQ flag tracing + +From: Mark Rutland + +[ Upstream commit df06824767cc9a32fbdb0e3d3b7e169292a5b5fe ] + +All EL0 returns go via ret_to_user(), which masks IRQs and notifies +lockdep and tracing before calling into do_notify_resume(). Therefore, +there's no need for do_notify_resume() to call trace_hardirqs_off(), and +the comment is stale. The call is simply redundant. + +In ret_to_user() we call exit_to_user_mode(), which notifies lockdep and +tracing the IRQs will be enabled in userspace, so there's no need for +el0_svc_common() to call trace_hardirqs_on() before returning. Further, +at the start of ret_to_user() we call trace_hardirqs_off(), so not only +is this redundant, but it is immediately undone. + +In addition to being redundant, the trace_hardirqs_on() in +el0_svc_common() leaves lockdep inconsistent with the hardware state, +and is liable to cause issues for any C code or instrumentation +between this and the call to trace_hardirqs_off() which undoes it in +ret_to_user(). + +This patch removes the redundant tracing calls and associated stale +comments. + +Fixes: 23529049c684 ("arm64: entry: fix non-NMI user<->kernel transitions") +Signed-off-by: Mark Rutland +Acked-by: Will Deacon +Cc: James Morse +Cc: Will Deacon +Link: https://lore.kernel.org/r/20210107145310.44616-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/signal.c | 7 ------- + arch/arm64/kernel/syscall.c | 9 +-------- + 2 files changed, 1 insertion(+), 15 deletions(-) + +diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c +index a8184cad88907..50852992752b0 100644 +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -914,13 +914,6 @@ static void do_signal(struct pt_regs *regs) + asmlinkage void do_notify_resume(struct pt_regs *regs, + unsigned long thread_flags) + { +- /* +- * The assembly code enters us with IRQs off, but it hasn't +- * informed the tracing code of that for efficiency reasons. +- * Update the trace code with the current status. +- */ +- trace_hardirqs_off(); +- + do { + /* Check valid user FS if needed */ + addr_limit_user_check(); +diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c +index f8f758e4a3064..6fa8cfb8232aa 100644 +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -165,15 +165,8 @@ static void el0_svc_common(struct pt_regs *regs, int scno, int sc_nr, + if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) { + local_daif_mask(); + flags = current_thread_info()->flags; +- if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) { +- /* +- * We're off to userspace, where interrupts are +- * always enabled after we restore the flags from +- * the SPSR. +- */ +- trace_hardirqs_on(); ++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) + return; +- } + local_daif_restore(DAIF_PROCCTX); + } + +-- +2.27.0 + diff --git a/queue-5.10/bpf-prevent-double-bpf_prog_put-call-from-bpf_tracin.patch b/queue-5.10/bpf-prevent-double-bpf_prog_put-call-from-bpf_tracin.patch new file mode 100644 index 00000000000..47d00dddeb9 --- /dev/null +++ b/queue-5.10/bpf-prevent-double-bpf_prog_put-call-from-bpf_tracin.patch @@ -0,0 +1,68 @@ +From c775a36d81b9c097f91bc398eb78f54fd73e4c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jan 2021 20:16:50 +0100 +Subject: bpf: Prevent double bpf_prog_put call from bpf_tracing_prog_attach +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Olsa + +[ Upstream commit 5541075a348b6ca6ac668653f7d2c423ae8e00b6 ] + +The bpf_tracing_prog_attach error path calls bpf_prog_put +on prog, which causes refcount underflow when it's called +from link_create function. + + link_create + prog = bpf_prog_get <-- get + ... + tracing_bpf_link_attach(prog.. + bpf_tracing_prog_attach(prog.. + out_put_prog: + bpf_prog_put(prog); <-- put + + if (ret < 0) + bpf_prog_put(prog); <-- put + +Removing bpf_prog_put call from bpf_tracing_prog_attach +and making sure its callers call it instead. + +Fixes: 4a1e7c0c63e0 ("bpf: Support attaching freplace programs to multiple attach points") +Signed-off-by: Jiri Olsa +Signed-off-by: Daniel Borkmann +Acked-by: Toke Høiland-Jørgensen +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210111191650.1241578-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 8f50c9c19f1b0..9433ab9995cd7 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -2717,7 +2717,6 @@ out_unlock: + out_put_prog: + if (tgt_prog_fd && tgt_prog) + bpf_prog_put(tgt_prog); +- bpf_prog_put(prog); + return err; + } + +@@ -2830,7 +2829,10 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr) + tp_name = prog->aux->attach_func_name; + break; + } +- return bpf_tracing_prog_attach(prog, 0, 0); ++ err = bpf_tracing_prog_attach(prog, 0, 0); ++ if (err >= 0) ++ return err; ++ goto out_put_prog; + case BPF_PROG_TYPE_RAW_TRACEPOINT: + case BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE: + if (strncpy_from_user(buf, +-- +2.27.0 + diff --git a/queue-5.10/bpf-reject-too-big-ctx_size_in-for-raw_tp-test-run.patch b/queue-5.10/bpf-reject-too-big-ctx_size_in-for-raw_tp-test-run.patch new file mode 100644 index 00000000000..70b4ae3488e --- /dev/null +++ b/queue-5.10/bpf-reject-too-big-ctx_size_in-for-raw_tp-test-run.patch @@ -0,0 +1,81 @@ +From 4ea3f7c81b79548b4309083e610a20cec96148ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jan 2021 15:42:54 -0800 +Subject: bpf: Reject too big ctx_size_in for raw_tp test run + +From: Song Liu + +[ Upstream commit 7ac6ad051150592557520b45773201b987ecfce3 ] + +syzbot reported a WARNING for allocating too big memory: + +WARNING: CPU: 1 PID: 8484 at mm/page_alloc.c:4976 __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5011 +Modules linked in: +CPU: 1 PID: 8484 Comm: syz-executor862 Not tainted 5.11.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:4976 +Code: 00 00 0c 00 0f 85 a7 00 00 00 8b 3c 24 4c 89 f2 44 89 e6 c6 44 24 70 00 48 89 6c 24 58 e8 d0 d7 ff ff 49 89 c5 e9 ea fc ff ff <0f> 0b e9 b5 fd ff ff 89 74 24 14 4c 89 4c 24 08 4c 89 74 24 18 e8 +RSP: 0018:ffffc900012efb10 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff9200025df66 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000140dc0 +RBP: 0000000000140dc0 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff81b1f7e1 R11: 0000000000000000 R12: 0000000000000014 +R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000000 +FS: 000000000190c880(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f08b7f316c0 CR3: 0000000012073000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: +alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 +alloc_pages include/linux/gfp.h:547 [inline] +kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 +kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 +kmalloc include/linux/slab.h:557 [inline] +kzalloc include/linux/slab.h:682 [inline] +bpf_prog_test_run_raw_tp+0x4b5/0x670 net/bpf/test_run.c:282 +bpf_prog_test_run kernel/bpf/syscall.c:3120 [inline] +__do_sys_bpf+0x1ea9/0x4f10 kernel/bpf/syscall.c:4398 +do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x440499 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffe1f3bfb18 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440499 +RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a +RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ca0 +R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000 + +This is because we didn't filter out too big ctx_size_in. Fix it by +rejecting ctx_size_in that are bigger than MAX_BPF_FUNC_ARGS (12) u64 +numbers. + +Fixes: 1b4d60ec162f ("bpf: Enable BPF_PROG_TEST_RUN for raw_tracepoint") +Reported-by: syzbot+4f98876664c7337a4ae6@syzkaller.appspotmail.com +Signed-off-by: Song Liu +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210112234254.1906829-1-songliubraving@fb.com +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index c1c30a9f76f34..8b796c499cbb2 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -272,7 +272,8 @@ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog, + kattr->test.repeat) + return -EINVAL; + +- if (ctx_size_in < prog->aux->max_ctx_offset) ++ if (ctx_size_in < prog->aux->max_ctx_offset || ++ ctx_size_in > MAX_BPF_FUNC_ARGS * sizeof(u64)) + return -EINVAL; + + if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 && cpu != 0) +-- +2.27.0 + diff --git a/queue-5.10/btrfs-print-the-actual-offset-in-btrfs_root_name.patch b/queue-5.10/btrfs-print-the-actual-offset-in-btrfs_root_name.patch new file mode 100644 index 00000000000..f347ee780d1 --- /dev/null +++ b/queue-5.10/btrfs-print-the-actual-offset-in-btrfs_root_name.patch @@ -0,0 +1,86 @@ +From 4ffe3b6d58eb232e2cbe2903e2a68a6a5281db0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 11:18:44 -0500 +Subject: btrfs: print the actual offset in btrfs_root_name + +From: Josef Bacik + +[ Upstream commit 71008734d27f2276fcef23a5e546d358430f2d52 ] + +We're supposed to print the root_key.offset in btrfs_root_name in the +case of a reloc root, not the objectid. Fix this helper to take the key +so we have access to the offset when we need it. + +Fixes: 457f1864b569 ("btrfs: pretty print leaked root name") +Reviewed-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 2 +- + fs/btrfs/print-tree.c | 10 +++++----- + fs/btrfs/print-tree.h | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index af97ddcc6b3e8..56f3b9acd2154 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1482,7 +1482,7 @@ void btrfs_check_leaked_roots(struct btrfs_fs_info *fs_info) + root = list_first_entry(&fs_info->allocated_roots, + struct btrfs_root, leak_list); + btrfs_err(fs_info, "leaked root %s refcount %d", +- btrfs_root_name(root->root_key.objectid, buf), ++ btrfs_root_name(&root->root_key, buf), + refcount_read(&root->refs)); + while (refcount_read(&root->refs) > 1) + btrfs_put_root(root); +diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c +index 7695c4783d33b..c62771f3af8c6 100644 +--- a/fs/btrfs/print-tree.c ++++ b/fs/btrfs/print-tree.c +@@ -26,22 +26,22 @@ static const struct root_name_map root_map[] = { + { BTRFS_DATA_RELOC_TREE_OBJECTID, "DATA_RELOC_TREE" }, + }; + +-const char *btrfs_root_name(u64 objectid, char *buf) ++const char *btrfs_root_name(const struct btrfs_key *key, char *buf) + { + int i; + +- if (objectid == BTRFS_TREE_RELOC_OBJECTID) { ++ if (key->objectid == BTRFS_TREE_RELOC_OBJECTID) { + snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN, +- "TREE_RELOC offset=%llu", objectid); ++ "TREE_RELOC offset=%llu", key->offset); + return buf; + } + + for (i = 0; i < ARRAY_SIZE(root_map); i++) { +- if (root_map[i].id == objectid) ++ if (root_map[i].id == key->objectid) + return root_map[i].name; + } + +- snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN, "%llu", objectid); ++ snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN, "%llu", key->objectid); + return buf; + } + +diff --git a/fs/btrfs/print-tree.h b/fs/btrfs/print-tree.h +index 78b99385a503f..8c3e9319ec4ef 100644 +--- a/fs/btrfs/print-tree.h ++++ b/fs/btrfs/print-tree.h +@@ -11,6 +11,6 @@ + + void btrfs_print_leaf(struct extent_buffer *l); + void btrfs_print_tree(struct extent_buffer *c, bool follow); +-const char *btrfs_root_name(u64 objectid, char *buf); ++const char *btrfs_root_name(const struct btrfs_key *key, char *buf); + + #endif +-- +2.27.0 + diff --git a/queue-5.10/can-dev-can_restart-fix-use-after-free-bug.patch b/queue-5.10/can-dev-can_restart-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..6cea3e6f1dc --- /dev/null +++ b/queue-5.10/can-dev-can_restart-fix-use-after-free-bug.patch @@ -0,0 +1,46 @@ +From a68f0ad8e788e736d7dc23e75500a6d067777ca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 20:41:35 +0900 +Subject: can: dev: can_restart: fix use after free bug + +From: Vincent Mailhol + +[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ] + +After calling netif_rx_ni(skb), dereferencing skb is unsafe. +Especially, the can_frame cf which aliases skb memory is accessed +after the netif_rx_ni() in: + stats->rx_bytes += cf->len; + +Reordering the lines solves the issue. + +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 81e39d7507d8f..09879aea9f7cc 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev) + + cf->can_id |= CAN_ERR_RESTARTED; + +- netif_rx_ni(skb); +- + stats->rx_packets++; + stats->rx_bytes += cf->can_dlc; + ++ netif_rx_ni(skb); ++ + restart: + netdev_dbg(dev, "restarted\n"); + priv->can_stats.restarts++; +-- +2.27.0 + diff --git a/queue-5.10/can-peak_usb-fix-use-after-free-bugs.patch b/queue-5.10/can-peak_usb-fix-use-after-free-bugs.patch new file mode 100644 index 00000000000..20d934a72e7 --- /dev/null +++ b/queue-5.10/can-peak_usb-fix-use-after-free-bugs.patch @@ -0,0 +1,59 @@ +From 862c7dca860234f94f345a323bf373e1870fc492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 20:41:37 +0900 +Subject: can: peak_usb: fix use after free bugs + +From: Vincent Mailhol + +[ Upstream commit 50aca891d7a554db0901b245167cd653d73aaa71 ] + +After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. +Especially, the can_frame cf which aliases skb memory is accessed +after the peak_usb_netif_rx_ni(). + +Reordering the lines solves the issue. + +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Link: https://lore.kernel.org/r/20210120114137.200019-4-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index d29d20525588c..d565922838186 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -512,11 +512,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, + else + memcpy(cfd->data, rm->d, cfd->len); + +- peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); +- + netdev->stats.rx_packets++; + netdev->stats.rx_bytes += cfd->len; + ++ peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); ++ + return 0; + } + +@@ -578,11 +578,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, + if (!skb) + return -ENOMEM; + +- peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); +- + netdev->stats.rx_packets++; + netdev->stats.rx_bytes += cf->can_dlc; + ++ peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); ++ + return 0; + } + +-- +2.27.0 + diff --git a/queue-5.10/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch b/queue-5.10/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..0bc6b768642 --- /dev/null +++ b/queue-5.10/can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch @@ -0,0 +1,53 @@ +From fd0aa8dfe4ca8bc0c34e71c0abd6b2571b94a1f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 20:41:36 +0900 +Subject: can: vxcan: vxcan_xmit: fix use after free bug + +From: Vincent Mailhol + +[ Upstream commit 75854cad5d80976f6ea0f0431f8cedd3bcc475cb ] + +After calling netif_rx_ni(skb), dereferencing skb is unsafe. +Especially, the canfd_frame cfd which aliases skb memory is accessed +after the netif_rx_ni(). + +Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)") +Link: https://lore.kernel.org/r/20210120114137.200019-3-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/vxcan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c +index d6ba9426be4de..b1baa4ac1d537 100644 +--- a/drivers/net/can/vxcan.c ++++ b/drivers/net/can/vxcan.c +@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) + struct net_device *peer; + struct canfd_frame *cfd = (struct canfd_frame *)skb->data; + struct net_device_stats *peerstats, *srcstats = &dev->stats; ++ u8 len; + + if (can_dropped_invalid_skb(dev, skb)) + return NETDEV_TX_OK; +@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev) + skb->dev = peer; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ len = cfd->len; + if (netif_rx_ni(skb) == NET_RX_SUCCESS) { + srcstats->tx_packets++; +- srcstats->tx_bytes += cfd->len; ++ srcstats->tx_bytes += len; + peerstats = &peer->stats; + peerstats->rx_packets++; +- peerstats->rx_bytes += cfd->len; ++ peerstats->rx_bytes += len; + } + + out_unlock: +-- +2.27.0 + diff --git a/queue-5.10/crypto-omap-sham-fix-link-error-without-crypto-engin.patch b/queue-5.10/crypto-omap-sham-fix-link-error-without-crypto-engin.patch new file mode 100644 index 00000000000..a92282afddd --- /dev/null +++ b/queue-5.10/crypto-omap-sham-fix-link-error-without-crypto-engin.patch @@ -0,0 +1,48 @@ +From 793ff612e5fd50546f9cc0552fb06c8dcae7997c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jan 2021 15:03:04 +0100 +Subject: crypto: omap-sham - Fix link error without crypto-engine + +From: Arnd Bergmann + +[ Upstream commit 382811940303f7cd01d0f3dcdf432dfd89c5a98e ] + +The driver was converted to use the crypto engine helper +but is missing the corresponding Kconfig statement to ensure +it is available: + +arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_probe': +omap-sham.c:(.text+0x374): undefined reference to `crypto_engine_alloc_init' +arm-linux-gnueabi-ld: omap-sham.c:(.text+0x384): undefined reference to `crypto_engine_start' +arm-linux-gnueabi-ld: omap-sham.c:(.text+0x510): undefined reference to `crypto_engine_exit' +arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_finish_req': +omap-sham.c:(.text+0x98c): undefined reference to `crypto_finalize_hash_request' +arm-linux-gnueabi-ld: omap-sham.c:(.text+0x9a0): undefined reference to `crypto_transfer_hash_request_to_engine' +arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_update': +omap-sham.c:(.text+0xf24): undefined reference to `crypto_transfer_hash_request_to_engine' +arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_final': +omap-sham.c:(.text+0x1020): undefined reference to `crypto_transfer_hash_request_to_engine' + +Fixes: 133c3d434d91 ("crypto: omap-sham - convert to use crypto engine") +Signed-off-by: Arnd Bergmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig +index 9d6645b1f0abe..ff5e85eefbf69 100644 +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -366,6 +366,7 @@ if CRYPTO_DEV_OMAP + config CRYPTO_DEV_OMAP_SHAM + tristate "Support for OMAP MD5/SHA1/SHA2 hw accelerator" + depends on ARCH_OMAP2PLUS ++ select CRYPTO_ENGINE + select CRYPTO_SHA1 + select CRYPTO_MD5 + select CRYPTO_SHA256 +-- +2.27.0 + diff --git a/queue-5.10/drm-amdkfd-fix-out-of-bounds-read-in-kdf_create_vcra.patch b/queue-5.10/drm-amdkfd-fix-out-of-bounds-read-in-kdf_create_vcra.patch new file mode 100644 index 00000000000..46eade6aff1 --- /dev/null +++ b/queue-5.10/drm-amdkfd-fix-out-of-bounds-read-in-kdf_create_vcra.patch @@ -0,0 +1,58 @@ +From 02c9e80788198a10f0b3685f99c65cf26b49071e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jan 2021 16:05:28 -0500 +Subject: drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu() + +From: Jeremy Cline + +[ Upstream commit 8b335bff643f3b39935c7377dbcd361c5b605d98 ] + +KASAN reported a slab-out-of-bounds read of size 1 in +kdf_create_vcrat_image_cpu(). + +This occurs when, for example, when on an x86_64 with a single NUMA node +because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the +sub_type_hdr->length, which is out-of-bounds, is read and multiplied by +entries. Fortunately, entries is 0 in this case so the overall +crat_table->length is still correct. + +Check if there were any entries before de-referencing sub_type_hdr which +may be pointing to out-of-bounds memory. + +Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)") +Suggested-by: Felix Kuehling +Signed-off-by: Jeremy Cline +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +index d7f67620f57ba..31d793ee0836e 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +@@ -1034,11 +1034,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size) + (struct crat_subtype_iolink *)sub_type_hdr); + if (ret < 0) + return ret; +- crat_table->length += (sub_type_hdr->length * entries); +- crat_table->total_entries += entries; + +- sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr + +- sub_type_hdr->length * entries); ++ if (entries) { ++ crat_table->length += (sub_type_hdr->length * entries); ++ crat_table->total_entries += entries; ++ ++ sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr + ++ sub_type_hdr->length * entries); ++ } + #else + pr_info("IO link not available for non x86 platforms\n"); + #endif +-- +2.27.0 + diff --git a/queue-5.10/drm-vc4-unify-pcm-card-s-driver_name.patch b/queue-5.10/drm-vc4-unify-pcm-card-s-driver_name.patch new file mode 100644 index 00000000000..612ccd71eb8 --- /dev/null +++ b/queue-5.10/drm-vc4-unify-pcm-card-s-driver_name.patch @@ -0,0 +1,47 @@ +From 4ed7797d8c0a164d87287c86f724591d1ed1eccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 20:12:09 +0100 +Subject: drm/vc4: Unify PCM card's driver_name + +From: Nicolas Saenz Julienne + +[ Upstream commit 33c74535b03ecf11359de14bc88302595b1de44f ] + +User-space ALSA matches a card's driver name against an internal list of +aliases in order to select the correct configuration for the system. +When the driver name isn't defined, the match is performed against the +card's name. + +With the introduction of RPi4 we now have two HDMI ports with two +distinct audio cards. This is reflected in their names, making them +different from previous RPi versions. With this, ALSA ultimately misses +the board's configuration on RPi4. + +In order to avoid this, set "card->driver_name" to "vc4-hdmi" +unanimously. + +Signed-off-by: Nicolas Saenz Julienne +Fixes: f437bc1ec731 ("drm/vc4: drv: Support BCM2711") +Reviewed-by: Takashi Iwai +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20210115191209.12852-1-nsaenzjulienne@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index afc178b0d89f4..eaba98e15de46 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1268,6 +1268,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) + card->dai_link = dai_link; + card->num_links = 1; + card->name = vc4_hdmi->variant->card_name; ++ card->driver_name = "vc4-hdmi"; + card->dev = dev; + card->owner = THIS_MODULE; + +-- +2.27.0 + diff --git a/queue-5.10/gpio-sifive-select-irq_domain_hierarchy-rather-than-.patch b/queue-5.10/gpio-sifive-select-irq_domain_hierarchy-rather-than-.patch new file mode 100644 index 00000000000..83aaaa55115 --- /dev/null +++ b/queue-5.10/gpio-sifive-select-irq_domain_hierarchy-rather-than-.patch @@ -0,0 +1,46 @@ +From 792b8d76a2a701435c1d97c183c92a80f606ddc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 19:18:13 -0800 +Subject: gpio: sifive: select IRQ_DOMAIN_HIERARCHY rather than depend on it + +From: Randy Dunlap + +[ Upstream commit 18eedf2b5ec7c8ce2bb23d9148cfd63949207414 ] + +This is the only driver in the kernel source tree that depends on +IRQ_DOMAIN_HIERARCHY instead of selecting it. Since it is not a +visible Kconfig symbol, depending on it (expecting a user to +set/enable it) doesn't make much sense, so change it to select +instead of "depends on". + +Fixes: 96868dce644d ("gpio/sifive: Add GPIO driver for SiFive SoCs") +Signed-off-by: Randy Dunlap +Cc: Linus Walleij +Cc: Bartosz Golaszewski +Cc: linux-gpio@vger.kernel.org +Cc: Thierry Reding +Cc: Greentime Hu +Cc: Yash Shah +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig +index 5d4de5cd67595..f20ac3d694246 100644 +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -508,7 +508,8 @@ config GPIO_SAMA5D2_PIOBU + + config GPIO_SIFIVE + bool "SiFive GPIO support" +- depends on OF_GPIO && IRQ_DOMAIN_HIERARCHY ++ depends on OF_GPIO ++ select IRQ_DOMAIN_HIERARCHY + select GPIO_GENERIC + select GPIOLIB_IRQCHIP + select REGMAP_MMIO +-- +2.27.0 + diff --git a/queue-5.10/gpiolib-cdev-fix-frame-size-warning-in-gpio_ioctl.patch b/queue-5.10/gpiolib-cdev-fix-frame-size-warning-in-gpio_ioctl.patch new file mode 100644 index 00000000000..8c91f7e6e46 --- /dev/null +++ b/queue-5.10/gpiolib-cdev-fix-frame-size-warning-in-gpio_ioctl.patch @@ -0,0 +1,233 @@ +From 9ef7f0053a0c6e35ffab584ca1e72af792ede08e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Dec 2020 00:10:40 +0800 +Subject: gpiolib: cdev: fix frame size warning in gpio_ioctl() + +From: Kent Gibson + +[ Upstream commit 2e202ad873365513c6ad72e29a531071dffa498a ] + +The kernel test robot reports the following warning in [1]: + + drivers/gpio/gpiolib-cdev.c: In function 'gpio_ioctl': + >>drivers/gpio/gpiolib-cdev.c:1437:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +Refactor gpio_ioctl() to handle each ioctl in its own helper function +and so reduce the variables stored on the stack to those explicitly +required to service the ioctl at hand. + +The lineinfo_get_v1() helper handles both the GPIO_GET_LINEINFO_IOCTL +and GPIO_GET_LINEINFO_WATCH_IOCTL, as per the corresponding v2 +implementation - lineinfo_get(). + +[1] https://lore.kernel.org/lkml/202012270910.VW3qc1ER-lkp@intel.com/ + +Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL") +Reported-by: kernel test robot +Signed-off-by: Kent Gibson +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-cdev.c | 145 ++++++++++++++++++------------------ + 1 file changed, 73 insertions(+), 72 deletions(-) + +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c +index e9faeaf65d14f..689c06cbbb457 100644 +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -1960,6 +1960,21 @@ struct gpio_chardev_data { + #endif + }; + ++static int chipinfo_get(struct gpio_chardev_data *cdev, void __user *ip) ++{ ++ struct gpio_device *gdev = cdev->gdev; ++ struct gpiochip_info chipinfo; ++ ++ memset(&chipinfo, 0, sizeof(chipinfo)); ++ ++ strscpy(chipinfo.name, dev_name(&gdev->dev), sizeof(chipinfo.name)); ++ strscpy(chipinfo.label, gdev->label, sizeof(chipinfo.label)); ++ chipinfo.lines = gdev->ngpio; ++ if (copy_to_user(ip, &chipinfo, sizeof(chipinfo))) ++ return -EFAULT; ++ return 0; ++} ++ + #ifdef CONFIG_GPIO_CDEV_V1 + /* + * returns 0 if the versions match, else the previously selected ABI version +@@ -1974,6 +1989,41 @@ static int lineinfo_ensure_abi_version(struct gpio_chardev_data *cdata, + + return abiv; + } ++ ++static int lineinfo_get_v1(struct gpio_chardev_data *cdev, void __user *ip, ++ bool watch) ++{ ++ struct gpio_desc *desc; ++ struct gpioline_info lineinfo; ++ struct gpio_v2_line_info lineinfo_v2; ++ ++ if (copy_from_user(&lineinfo, ip, sizeof(lineinfo))) ++ return -EFAULT; ++ ++ /* this doubles as a range check on line_offset */ ++ desc = gpiochip_get_desc(cdev->gdev->chip, lineinfo.line_offset); ++ if (IS_ERR(desc)) ++ return PTR_ERR(desc); ++ ++ if (watch) { ++ if (lineinfo_ensure_abi_version(cdev, 1)) ++ return -EPERM; ++ ++ if (test_and_set_bit(lineinfo.line_offset, cdev->watched_lines)) ++ return -EBUSY; ++ } ++ ++ gpio_desc_to_lineinfo(desc, &lineinfo_v2); ++ gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo); ++ ++ if (copy_to_user(ip, &lineinfo, sizeof(lineinfo))) { ++ if (watch) ++ clear_bit(lineinfo.line_offset, cdev->watched_lines); ++ return -EFAULT; ++ } ++ ++ return 0; ++} + #endif + + static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip, +@@ -2011,6 +2061,22 @@ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip, + return 0; + } + ++static int lineinfo_unwatch(struct gpio_chardev_data *cdev, void __user *ip) ++{ ++ __u32 offset; ++ ++ if (copy_from_user(&offset, ip, sizeof(offset))) ++ return -EFAULT; ++ ++ if (offset >= cdev->gdev->ngpio) ++ return -EINVAL; ++ ++ if (!test_and_clear_bit(offset, cdev->watched_lines)) ++ return -EBUSY; ++ ++ return 0; ++} ++ + /* + * gpio_ioctl() - ioctl handler for the GPIO chardev + */ +@@ -2018,80 +2084,24 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct gpio_chardev_data *cdev = file->private_data; + struct gpio_device *gdev = cdev->gdev; +- struct gpio_chip *gc = gdev->chip; + void __user *ip = (void __user *)arg; +- __u32 offset; + + /* We fail any subsequent ioctl():s when the chip is gone */ +- if (!gc) ++ if (!gdev->chip) + return -ENODEV; + + /* Fill in the struct and pass to userspace */ + if (cmd == GPIO_GET_CHIPINFO_IOCTL) { +- struct gpiochip_info chipinfo; +- +- memset(&chipinfo, 0, sizeof(chipinfo)); +- +- strscpy(chipinfo.name, dev_name(&gdev->dev), +- sizeof(chipinfo.name)); +- strscpy(chipinfo.label, gdev->label, +- sizeof(chipinfo.label)); +- chipinfo.lines = gdev->ngpio; +- if (copy_to_user(ip, &chipinfo, sizeof(chipinfo))) +- return -EFAULT; +- return 0; ++ return chipinfo_get(cdev, ip); + #ifdef CONFIG_GPIO_CDEV_V1 +- } else if (cmd == GPIO_GET_LINEINFO_IOCTL) { +- struct gpio_desc *desc; +- struct gpioline_info lineinfo; +- struct gpio_v2_line_info lineinfo_v2; +- +- if (copy_from_user(&lineinfo, ip, sizeof(lineinfo))) +- return -EFAULT; +- +- /* this doubles as a range check on line_offset */ +- desc = gpiochip_get_desc(gc, lineinfo.line_offset); +- if (IS_ERR(desc)) +- return PTR_ERR(desc); +- +- gpio_desc_to_lineinfo(desc, &lineinfo_v2); +- gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo); +- +- if (copy_to_user(ip, &lineinfo, sizeof(lineinfo))) +- return -EFAULT; +- return 0; + } else if (cmd == GPIO_GET_LINEHANDLE_IOCTL) { + return linehandle_create(gdev, ip); + } else if (cmd == GPIO_GET_LINEEVENT_IOCTL) { + return lineevent_create(gdev, ip); +- } else if (cmd == GPIO_GET_LINEINFO_WATCH_IOCTL) { +- struct gpio_desc *desc; +- struct gpioline_info lineinfo; +- struct gpio_v2_line_info lineinfo_v2; +- +- if (copy_from_user(&lineinfo, ip, sizeof(lineinfo))) +- return -EFAULT; +- +- /* this doubles as a range check on line_offset */ +- desc = gpiochip_get_desc(gc, lineinfo.line_offset); +- if (IS_ERR(desc)) +- return PTR_ERR(desc); +- +- if (lineinfo_ensure_abi_version(cdev, 1)) +- return -EPERM; +- +- if (test_and_set_bit(lineinfo.line_offset, cdev->watched_lines)) +- return -EBUSY; +- +- gpio_desc_to_lineinfo(desc, &lineinfo_v2); +- gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo); +- +- if (copy_to_user(ip, &lineinfo, sizeof(lineinfo))) { +- clear_bit(lineinfo.line_offset, cdev->watched_lines); +- return -EFAULT; +- } +- +- return 0; ++ } else if (cmd == GPIO_GET_LINEINFO_IOCTL || ++ cmd == GPIO_GET_LINEINFO_WATCH_IOCTL) { ++ return lineinfo_get_v1(cdev, ip, ++ cmd == GPIO_GET_LINEINFO_WATCH_IOCTL); + #endif /* CONFIG_GPIO_CDEV_V1 */ + } else if (cmd == GPIO_V2_GET_LINEINFO_IOCTL || + cmd == GPIO_V2_GET_LINEINFO_WATCH_IOCTL) { +@@ -2100,16 +2110,7 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + } else if (cmd == GPIO_V2_GET_LINE_IOCTL) { + return linereq_create(gdev, ip); + } else if (cmd == GPIO_GET_LINEINFO_UNWATCH_IOCTL) { +- if (copy_from_user(&offset, ip, sizeof(offset))) +- return -EFAULT; +- +- if (offset >= cdev->gdev->ngpio) +- return -EINVAL; +- +- if (!test_and_clear_bit(offset, cdev->watched_lines)) +- return -EBUSY; +- +- return 0; ++ return lineinfo_unwatch(cdev, ip); + } + return -EINVAL; + } +-- +2.27.0 + diff --git a/queue-5.10/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch b/queue-5.10/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch new file mode 100644 index 00000000000..c2ea7cde8e9 --- /dev/null +++ b/queue-5.10/i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch @@ -0,0 +1,37 @@ +From 2890e66a41aeaee7db7bef2b8d0619b103444234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Jan 2021 13:43:08 +0100 +Subject: i2c: octeon: check correct size of maximum RECV_LEN packet + +From: Wolfram Sang + +[ Upstream commit 1b2cfa2d1dbdcc3b6dba1ecb7026a537a1d7277f ] + +I2C_SMBUS_BLOCK_MAX defines already the maximum number as defined in the +SMBus 2.0 specs. No reason to add one to it. + +Fixes: 886f6f8337dd ("i2c: octeon: Support I2C_M_RECV_LEN") +Signed-off-by: Wolfram Sang +Reviewed-by: Robert Richter +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-octeon-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-octeon-core.c b/drivers/i2c/busses/i2c-octeon-core.c +index d9607905dc2f1..845eda70b8cab 100644 +--- a/drivers/i2c/busses/i2c-octeon-core.c ++++ b/drivers/i2c/busses/i2c-octeon-core.c +@@ -347,7 +347,7 @@ static int octeon_i2c_read(struct octeon_i2c *i2c, int target, + if (result) + return result; + if (recv_len && i == 0) { +- if (data[i] > I2C_SMBUS_BLOCK_MAX + 1) ++ if (data[i] > I2C_SMBUS_BLOCK_MAX) + return -EPROTO; + length += data[i]; + } +-- +2.27.0 + diff --git a/queue-5.10/i2c-sprd-depend-on-common_clk-to-fix-compile-tests.patch b/queue-5.10/i2c-sprd-depend-on-common_clk-to-fix-compile-tests.patch new file mode 100644 index 00000000000..d5ec2f3967c --- /dev/null +++ b/queue-5.10/i2c-sprd-depend-on-common_clk-to-fix-compile-tests.patch @@ -0,0 +1,40 @@ +From 63d4e60351a2f0c53a1267224ac33c4022083bbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jan 2021 12:43:13 +0100 +Subject: i2c: sprd: depend on COMMON_CLK to fix compile tests + +From: Krzysztof Kozlowski + +[ Upstream commit 9ecd1d2b302b600351fac50779f43fcb680c1a16 ] + +The I2C_SPRD uses Common Clock Framework thus it cannot be built on +platforms without it (e.g. compile test on MIPS with LANTIQ): + + /usr/bin/mips-linux-gnu-ld: drivers/i2c/busses/i2c-sprd.o: in function `sprd_i2c_probe': + i2c-sprd.c:(.text.sprd_i2c_probe+0x254): undefined reference to `clk_set_parent' + +Fixes: 4a2d5f663dab ("i2c: Enable compile testing for more drivers") +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Baolin Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index a49e0ed4a599d..7e693dcbdd196 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -1012,6 +1012,7 @@ config I2C_SIRF + config I2C_SPRD + tristate "Spreadtrum I2C interface" + depends on I2C=y && (ARCH_SPRD || COMPILE_TEST) ++ depends on COMMON_CLK + help + If you say yes to this option, support will be included for the + Spreadtrum I2C interface. +-- +2.27.0 + diff --git a/queue-5.10/iov_iter-fix-the-uaccess-area-in-copy_compat_iovec_f.patch b/queue-5.10/iov_iter-fix-the-uaccess-area-in-copy_compat_iovec_f.patch new file mode 100644 index 00000000000..06a4858b19d --- /dev/null +++ b/queue-5.10/iov_iter-fix-the-uaccess-area-in-copy_compat_iovec_f.patch @@ -0,0 +1,36 @@ +From 6ddccbde0638133ea0c71dcd1c96bdb5843f83b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jan 2021 18:19:26 +0100 +Subject: iov_iter: fix the uaccess area in copy_compat_iovec_from_user + +From: Christoph Hellwig + +[ Upstream commit a959a9782fa87669feeed095ced5d78181a7c02d ] + +sizeof needs to be called on the compat pointer, not the native one. + +Fixes: 89cd35c58bc2 ("iov_iter: transparently handle compat iovecs in import_iovec") +Reported-by: David Laight +Signed-off-by: Christoph Hellwig +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 1635111c5bd2a..a21e6a5792c5a 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1658,7 +1658,7 @@ static int copy_compat_iovec_from_user(struct iovec *iov, + (const struct compat_iovec __user *)uvec; + int ret = -EFAULT, i; + +- if (!user_access_begin(uvec, nr_segs * sizeof(*uvec))) ++ if (!user_access_begin(uiov, nr_segs * sizeof(*uiov))) + return -EFAULT; + + for (i = 0; i < nr_segs; i++) { +-- +2.27.0 + diff --git a/queue-5.10/nfsd-don-t-set-eof-on-a-truncated-read_plus.patch b/queue-5.10/nfsd-don-t-set-eof-on-a-truncated-read_plus.patch new file mode 100644 index 00000000000..2df32a52f39 --- /dev/null +++ b/queue-5.10/nfsd-don-t-set-eof-on-a-truncated-read_plus.patch @@ -0,0 +1,47 @@ +From 0f28a0037dcee82c74210fac593a409428105194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 12:26:15 -0500 +Subject: nfsd: Don't set eof on a truncated READ_PLUS + +From: Trond Myklebust + +[ Upstream commit b68f0cbd3f95f2df81e525c310a41fc73c2ed0d3 ] + +If the READ_PLUS operation was truncated due to an error, then ensure we +clear the 'eof' flag. + +Fixes: 9f0b5792f07d ("NFSD: Encode a full READ_PLUS reply") +Signed-off-by: Trond Myklebust +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 26f6e277101de..5f5169b9c2e90 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4736,14 +4736,15 @@ out: + if (nfserr && segments == 0) + xdr_truncate_encode(xdr, starting_len); + else { +- tmp = htonl(eof); +- write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4); +- tmp = htonl(segments); +- write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp, 4); + if (nfserr) { + xdr_truncate_encode(xdr, last_segment); + nfserr = nfs_ok; ++ eof = 0; + } ++ tmp = htonl(eof); ++ write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4); ++ tmp = htonl(segments); ++ write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp, 4); + } + + return nfserr; +-- +2.27.0 + diff --git a/queue-5.10/nfsd-fixes-for-nfsd4_encode_read_plus_data.patch b/queue-5.10/nfsd-fixes-for-nfsd4_encode_read_plus_data.patch new file mode 100644 index 00000000000..d339d792f8b --- /dev/null +++ b/queue-5.10/nfsd-fixes-for-nfsd4_encode_read_plus_data.patch @@ -0,0 +1,46 @@ +From b72ac41b4de4c66e5599342b1fbe559a62aeb2ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 12:26:14 -0500 +Subject: nfsd: Fixes for nfsd4_encode_read_plus_data() + +From: Trond Myklebust + +[ Upstream commit 72d78717c6d06adf65d2e3dccc96d9e9dc978593 ] + +Ensure that we encode the data payload + padding, and that we truncate +the preallocated buffer to the actual read size. + +Fixes: 528b84934eb9 ("NFSD: Add READ_PLUS data support") +Signed-off-by: Trond Myklebust +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 833a2c64dfe80..26f6e277101de 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4632,6 +4632,7 @@ nfsd4_encode_read_plus_data(struct nfsd4_compoundres *resp, + resp->rqstp->rq_vec, read->rd_vlen, maxcount, eof); + if (nfserr) + return nfserr; ++ xdr_truncate_encode(xdr, starting_len + 16 + xdr_align_size(*maxcount)); + + tmp = htonl(NFS4_CONTENT_DATA); + write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4); +@@ -4639,6 +4640,10 @@ nfsd4_encode_read_plus_data(struct nfsd4_compoundres *resp, + write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp64, 8); + tmp = htonl(*maxcount); + write_bytes_to_xdr_buf(xdr->buf, starting_len + 12, &tmp, 4); ++ ++ tmp = xdr_zero; ++ write_bytes_to_xdr_buf(xdr->buf, starting_len + 16 + *maxcount, &tmp, ++ xdr_pad_size(*maxcount)); + return nfs_ok; + } + +-- +2.27.0 + diff --git a/queue-5.10/perf-evlist-fix-id-index-for-heterogeneous-systems.patch b/queue-5.10/perf-evlist-fix-id-index-for-heterogeneous-systems.patch new file mode 100644 index 00000000000..f10ef3fa0d4 --- /dev/null +++ b/queue-5.10/perf-evlist-fix-id-index-for-heterogeneous-systems.patch @@ -0,0 +1,78 @@ +From 26f130dcb91e4673f47fe19d51657c1ef53d8f8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 14:54:46 +0200 +Subject: perf evlist: Fix id index for heterogeneous systems + +From: Adrian Hunter + +[ Upstream commit fc705fecf3a0c9128933cc6db59159c050aaca33 ] + +perf_evlist__set_sid_idx() updates perf_sample_id with the evlist map +index, CPU number and TID. It is passed indexes to the evsel's cpu and +thread maps, but references the evlist's maps instead. That results in +using incorrect CPU numbers on heterogeneous systems. Fix it by using +evsel maps. + +The id index (PERF_RECORD_ID_INDEX) is used by AUX area tracing when in +sampling mode. Having an incorrect CPU number causes the trace data to +be attributed to the wrong CPU, and can result in decoder errors because +the trace data is then associated with the wrong process. + +Committer notes: + +Keep the class prefix convention in the function name, switching from +perf_evlist__set_sid_idx() to perf_evsel__set_sid_idx(). + +Fixes: 3c659eedada2fbf9 ("perf tools: Add id index") +Signed-off-by: Adrian Hunter +Cc: Jin Yao +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20210121125446.11287-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/perf/evlist.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c +index cfcdbd7be066e..17465d454a0e3 100644 +--- a/tools/lib/perf/evlist.c ++++ b/tools/lib/perf/evlist.c +@@ -367,21 +367,13 @@ static struct perf_mmap* perf_evlist__alloc_mmap(struct perf_evlist *evlist, boo + return map; + } + +-static void perf_evlist__set_sid_idx(struct perf_evlist *evlist, +- struct perf_evsel *evsel, int idx, int cpu, +- int thread) ++static void perf_evsel__set_sid_idx(struct perf_evsel *evsel, int idx, int cpu, int thread) + { + struct perf_sample_id *sid = SID(evsel, cpu, thread); + + sid->idx = idx; +- if (evlist->cpus && cpu >= 0) +- sid->cpu = evlist->cpus->map[cpu]; +- else +- sid->cpu = -1; +- if (!evsel->system_wide && evlist->threads && thread >= 0) +- sid->tid = perf_thread_map__pid(evlist->threads, thread); +- else +- sid->tid = -1; ++ sid->cpu = perf_cpu_map__cpu(evsel->cpus, cpu); ++ sid->tid = perf_thread_map__pid(evsel->threads, thread); + } + + static struct perf_mmap* +@@ -500,8 +492,7 @@ mmap_per_evsel(struct perf_evlist *evlist, struct perf_evlist_mmap_ops *ops, + if (perf_evlist__id_add_fd(evlist, evsel, cpu, thread, + fd) < 0) + return -1; +- perf_evlist__set_sid_idx(evlist, evsel, idx, cpu, +- thread); ++ perf_evsel__set_sid_idx(evsel, idx, cpu, thread); + } + } + +-- +2.27.0 + diff --git a/queue-5.10/pinctrl-aspeed-g6-fix-pwmg0-pinctrl-setting.patch b/queue-5.10/pinctrl-aspeed-g6-fix-pwmg0-pinctrl-setting.patch new file mode 100644 index 00000000000..169262b1cf1 --- /dev/null +++ b/queue-5.10/pinctrl-aspeed-g6-fix-pwmg0-pinctrl-setting.patch @@ -0,0 +1,39 @@ +From 40a3062829d7cf94a4dd88d53e5d5f59c699248a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 10:49:12 +0800 +Subject: pinctrl: aspeed: g6: Fix PWMG0 pinctrl setting + +From: Billy Tsai + +[ Upstream commit 92ff62a7bcc17d47c0ce8dddfb7a6e1a2e55ebf4 ] + +The SCU offset for signal PWM8 in group PWM8G0 is wrong, fix it from +SCU414 to SCU4B4. + +Signed-off-by: Billy Tsai +Fixes: 2eda1cdec49f ("pinctrl: aspeed: Add AST2600 pinmux support") +Reviewed-by: Joel Stanley +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20201217024912.3198-1-billy_tsai@aspeedtech.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +index 34803a6c76643..5c1a109842a76 100644 +--- a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c ++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +@@ -347,7 +347,7 @@ FUNC_GROUP_DECL(RMII4, F24, E23, E24, E25, C25, C24, B26, B25, B24); + + #define D22 40 + SIG_EXPR_LIST_DECL_SESG(D22, SD1CLK, SD1, SIG_DESC_SET(SCU414, 8)); +-SIG_EXPR_LIST_DECL_SEMG(D22, PWM8, PWM8G0, PWM8, SIG_DESC_SET(SCU414, 8)); ++SIG_EXPR_LIST_DECL_SEMG(D22, PWM8, PWM8G0, PWM8, SIG_DESC_SET(SCU4B4, 8)); + PIN_DECL_2(D22, GPIOF0, SD1CLK, PWM8); + GROUP_DECL(PWM8G0, D22); + +-- +2.27.0 + diff --git a/queue-5.10/pinctrl-mediatek-fix-fallback-call-path.patch b/queue-5.10/pinctrl-mediatek-fix-fallback-call-path.patch new file mode 100644 index 00000000000..e1b294fe9bf --- /dev/null +++ b/queue-5.10/pinctrl-mediatek-fix-fallback-call-path.patch @@ -0,0 +1,41 @@ +From cc967fd763c359635835c06b604bf9be2c21a52a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Dec 2020 17:04:25 +0800 +Subject: pinctrl: mediatek: Fix fallback call path + +From: Hsin-Yi Wang + +[ Upstream commit 81bd1579b43e0e285cba667399f1b063f1ce7672 ] + +Some SoCs, eg. mt8183, are using a pinconfig operation bias_set_combo. +The fallback path in mtk_pinconf_adv_pull_set() should also try this +operation. + +Fixes: cafe19db7751 ("pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull usage") +Signed-off-by: Hsin-Yi Wang +Acked-by: Sean Wang +Link: https://lore.kernel.org/r/20201228090425.2130569-1-hsinyi@chromium.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c +index 7e950f5d62d0f..7815426e7aeaa 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c +@@ -926,6 +926,10 @@ int mtk_pinconf_adv_pull_set(struct mtk_pinctrl *hw, + err = hw->soc->bias_set(hw, desc, pullup); + if (err) + return err; ++ } else if (hw->soc->bias_set_combo) { ++ err = hw->soc->bias_set_combo(hw, desc, pullup, arg); ++ if (err) ++ return err; + } else { + return -ENOTSUPP; + } +-- +2.27.0 + diff --git a/queue-5.10/platform-x86-hp-wmi-don-t-log-a-warning-on-hpwmi_ret.patch b/queue-5.10/platform-x86-hp-wmi-don-t-log-a-warning-on-hpwmi_ret.patch new file mode 100644 index 00000000000..650c978120f --- /dev/null +++ b/queue-5.10/platform-x86-hp-wmi-don-t-log-a-warning-on-hpwmi_ret.patch @@ -0,0 +1,46 @@ +From 763c1dc0b3d252a97d53a4d01fd46fb325d954cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 00:27:44 +0100 +Subject: platform/x86: hp-wmi: Don't log a warning on + HPWMI_RET_UNKNOWN_COMMAND errors + +From: Hans de Goede + +[ Upstream commit d35c9a029a73e84d84337403d20b060494890570 ] + +The recently added thermal policy support makes a +hp_wmi_perform_query(0x4c, ...) call on older devices which do not +support thermal policies this causes the following warning to be +logged (seen on a HP Stream x360 Convertible PC 11): + +[ 26.805305] hp_wmi: query 0x4c returned error 0x3 + +Error 0x3 is HPWMI_RET_UNKNOWN_COMMAND error. This commit silences +the warning for unknown-command errors, silencing the new warning. + +Cc: Elia Devito +Fixes: 81c93798ef3e ("platform/x86: hp-wmi: add support for thermal policy") +Link: https://lore.kernel.org/r/20210114232744.154886-1-hdegoede@redhat.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index ecd477964d117..18bf8aeb5f870 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -247,7 +247,8 @@ static int hp_wmi_perform_query(int query, enum hp_wmi_command command, + ret = bios_return->return_code; + + if (ret) { +- if (ret != HPWMI_RET_UNKNOWN_CMDTYPE) ++ if (ret != HPWMI_RET_UNKNOWN_COMMAND && ++ ret != HPWMI_RET_UNKNOWN_CMDTYPE) + pr_warn("query 0x%x returned error 0x%x\n", query, ret); + goto out_free; + } +-- +2.27.0 + diff --git a/queue-5.10/platform-x86-intel-vbtn-drop-hp-stream-x360-converti.patch b/queue-5.10/platform-x86-intel-vbtn-drop-hp-stream-x360-converti.patch new file mode 100644 index 00000000000..3fcc856926d --- /dev/null +++ b/queue-5.10/platform-x86-intel-vbtn-drop-hp-stream-x360-converti.patch @@ -0,0 +1,72 @@ +From 706ad85ddf52f38dca369038c04cbd80a832c1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jan 2021 15:34:32 +0100 +Subject: platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from + allow-list + +From: Hans de Goede + +[ Upstream commit 070222731be52d741e55d8967b1764482b81e54c ] + +THe HP Stream x360 Convertible PC 11 DSDT has the following VGBS function: + + Method (VGBS, 0, Serialized) + { + If ((^^PCI0.LPCB.EC0.ROLS == Zero)) + { + VBDS = Zero + } + Else + { + VBDS = Zero + } + + Return (VBDS) /* \_SB_.VGBI.VBDS */ + } + +Which is obviously wrong, because it always returns 0 independent of the +2-in-1 being in laptop or tablet mode. This causes the intel-vbtn driver +to initially report SW_TABLET_MODE = 1 to userspace, which is known to +cause problems when the 2-in-1 is actually in laptop mode. + +During earlier testing this turned out to not be a problem because the +2-in-1 would do a Notify(..., 0xCC) or Notify(..., 0xCD) soon after +the intel-vbtn driver loaded, correcting the SW_TABLET_MODE state. + +Further testing however has shown that this Notify() soon after the +intel-vbtn driver loads, does not always happen. When the Notify +does not happen, then intel-vbtn reports SW_TABLET_MODE = 1 resulting in +a non-working touchpad. + +IOW the tablet-mode reporting is not reliable on this device, so it +should be dropped from the allow-list, fixing the touchpad sometimes +not working. + +Fixes: 8169bd3e6e19 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting") +Link: https://lore.kernel.org/r/20210114143432.31750-1-hdegoede@redhat.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-vbtn.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c +index 3b49a1f4061bc..65fb3a3031470 100644 +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -204,12 +204,6 @@ static const struct dmi_system_id dmi_switches_allow_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7130"), + }, + }, +- { +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HP Stream x360 Convertible PC 11"), +- }, +- }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +-- +2.27.0 + diff --git a/queue-5.10/powerpc-fix-alignment-bug-within-the-init-sections.patch b/queue-5.10/powerpc-fix-alignment-bug-within-the-init-sections.patch new file mode 100644 index 00000000000..ec0d9b535ef --- /dev/null +++ b/queue-5.10/powerpc-fix-alignment-bug-within-the-init-sections.patch @@ -0,0 +1,71 @@ +From 52770a53a8bd3e98c3051d8d1b2545d7df2d9a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 22:11:56 +0200 +Subject: powerpc: Fix alignment bug within the init sections + +From: Ariel Marcovitch + +[ Upstream commit 2225a8dda263edc35a0e8b858fe2945cf6240fde ] + +This is a bug that causes early crashes in builds with an .exit.text +section smaller than a page and an .init.text section that ends in the +beginning of a physical page (this is kinda random, which might +explain why this wasn't really encountered before). + +The init sections are ordered like this: + .init.text + .exit.text + .init.data + +Currently, these sections aren't page aligned. + +Because the init code might become read-only at runtime and because +the .init.text section can potentially reside on the same physical +page as .init.data, the beginning of .init.data might be mapped +read-only along with .init.text. + +Then when the kernel tries to modify a variable in .init.data (like +kthreadd_done, used in kernel_init()) the kernel panics. + +To avoid this, make _einittext page aligned and also align .exit.text +to make sure .init.data is always seperated from the text segments. + +Fixes: 060ef9d89d18 ("powerpc32: PAGE_EXEC required for inittext") +Signed-off-by: Ariel Marcovitch +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210102201156.10805-1-ariel.marcovitch@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vmlinux.lds.S | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S +index 50507dac118ae..83281aee14d2f 100644 +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -187,6 +187,12 @@ SECTIONS + .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) { + _sinittext = .; + INIT_TEXT ++ ++ /* ++ *.init.text might be RO so we must ensure this section ends on ++ * a page boundary. ++ */ ++ . = ALIGN(PAGE_SIZE); + _einittext = .; + #ifdef CONFIG_PPC64 + *(.tramp.ftrace.init); +@@ -200,6 +206,8 @@ SECTIONS + EXIT_TEXT + } + ++ . = ALIGN(PAGE_SIZE); ++ + INIT_DATA_SECTION(16) + + . = ALIGN(8); +-- +2.27.0 + diff --git a/queue-5.10/powerpc-use-the-common-init_data_section-macro-in-vm.patch b/queue-5.10/powerpc-use-the-common-init_data_section-macro-in-vm.patch new file mode 100644 index 00000000000..0a333a359eb --- /dev/null +++ b/queue-5.10/powerpc-use-the-common-init_data_section-macro-in-vm.patch @@ -0,0 +1,60 @@ +From 60db73aaab5eeaac474c57d920bfd4ee42c8d3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Nov 2020 18:59:10 +0800 +Subject: powerpc: Use the common INIT_DATA_SECTION macro in vmlinux.lds.S + +From: Youling Tang + +[ Upstream commit fdcfeaba38e5b183045f5b079af94f97658eabe6 ] + +Use the common INIT_DATA_SECTION rule for the linker script in an effort +to regularize the linker script. + +Signed-off-by: Youling Tang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1604487550-20040-1-git-send-email-tangyouling@loongson.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vmlinux.lds.S | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S +index f887f9d5b9e84..50507dac118ae 100644 +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -200,21 +200,7 @@ SECTIONS + EXIT_TEXT + } + +- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { +- INIT_DATA +- } +- +- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) { +- INIT_SETUP(16) +- } +- +- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) { +- INIT_CALLS +- } +- +- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) { +- CON_INITCALL +- } ++ INIT_DATA_SECTION(16) + + . = ALIGN(8); + __ftr_fixup : AT(ADDR(__ftr_fixup) - LOAD_OFFSET) { +@@ -242,9 +228,6 @@ SECTIONS + __stop___fw_ftr_fixup = .; + } + #endif +- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) { +- INIT_RAM_FS +- } + + PERCPU_SECTION(L1_CACHE_BYTES) + +-- +2.27.0 + diff --git a/queue-5.10/printk-fix-kmsg_dump_get_buffer-length-calulations.patch b/queue-5.10/printk-fix-kmsg_dump_get_buffer-length-calulations.patch new file mode 100644 index 00000000000..8582ab6a158 --- /dev/null +++ b/queue-5.10/printk-fix-kmsg_dump_get_buffer-length-calulations.patch @@ -0,0 +1,53 @@ +From e3346945bca0232750950ebd7e1e158383ec686a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 17:50:13 +0106 +Subject: printk: fix kmsg_dump_get_buffer length calulations + +From: John Ogness + +[ Upstream commit 89ccf18f032f26946e2ea6258120472eec6aa745 ] + +kmsg_dump_get_buffer() uses @syslog to determine if the syslog +prefix should be written to the buffer. However, when calculating +the maximum number of records that can fit into the buffer, it +always counts the bytes from the syslog prefix. + +Use @syslog when calculating the maximum number of records that can +fit into the buffer. + +Fixes: e2ae715d66bf ("kmsg - kmsg_dump() use iterator to receive log buffer content") +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Acked-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210113164413.1599-1-john.ogness@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 1246b3b330fd1..807810216492a 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -3394,7 +3394,7 @@ bool kmsg_dump_get_buffer(struct kmsg_dumper *dumper, bool syslog, + while (prb_read_valid_info(prb, seq, &info, &line_count)) { + if (r.info->seq >= dumper->next_seq) + break; +- l += get_record_print_text_size(&info, line_count, true, time); ++ l += get_record_print_text_size(&info, line_count, syslog, time); + seq = r.info->seq + 1; + } + +@@ -3404,7 +3404,7 @@ bool kmsg_dump_get_buffer(struct kmsg_dumper *dumper, bool syslog, + &info, &line_count)) { + if (r.info->seq >= dumper->next_seq) + break; +- l -= get_record_print_text_size(&info, line_count, true, time); ++ l -= get_record_print_text_size(&info, line_count, syslog, time); + seq = r.info->seq + 1; + } + +-- +2.27.0 + diff --git a/queue-5.10/printk-ringbuffer-fix-line-counting.patch b/queue-5.10/printk-ringbuffer-fix-line-counting.patch new file mode 100644 index 00000000000..5031e880e55 --- /dev/null +++ b/queue-5.10/printk-ringbuffer-fix-line-counting.patch @@ -0,0 +1,45 @@ +From ace6b21908a2114cc2f5c78dc758eef09d06f38e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 15:48:34 +0106 +Subject: printk: ringbuffer: fix line counting + +From: John Ogness + +[ Upstream commit 668af87f995b6d6d09595c088ad1fb5dd9ff25d2 ] + +Counting text lines in a record simply involves counting the number +of newline characters (+1). However, it is searching the full data +block for newline characters, even though the text data can be (and +often is) a subset of that area. Since the extra area in the data +block was never initialized, the result is that extra newlines may +be seen and counted. + +Restrict newline searching to the text data length. + +Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer") +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Acked-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210113144234.6545-1-john.ogness@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/printk/printk_ringbuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c +index 74e25a1704f2b..617dd63589650 100644 +--- a/kernel/printk/printk_ringbuffer.c ++++ b/kernel/printk/printk_ringbuffer.c +@@ -1720,7 +1720,7 @@ static bool copy_data(struct prb_data_ring *data_ring, + + /* Caller interested in the line count? */ + if (line_count) +- *line_count = count_lines(data, data_size); ++ *line_count = count_lines(data, len); + + /* Caller interested in the data content? */ + if (!buf || !buf_size) +-- +2.27.0 + diff --git a/queue-5.10/rdma-cma-fix-error-flow-in-default_roce_mode_store.patch b/queue-5.10/rdma-cma-fix-error-flow-in-default_roce_mode_store.patch new file mode 100644 index 00000000000..925e58c72c8 --- /dev/null +++ b/queue-5.10/rdma-cma-fix-error-flow-in-default_roce_mode_store.patch @@ -0,0 +1,41 @@ +From 9fbbacaaae915937f5b9cfa41b8eeef4beedd4ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 15:02:14 +0200 +Subject: RDMA/cma: Fix error flow in default_roce_mode_store + +From: Neta Ostrovsky + +[ Upstream commit 7c7b3e5d9aeed31d35c5dab0bf9c0fd4c8923206 ] + +In default_roce_mode_store(), we took a reference to cma_dev, but didn't +return it with cma_dev_put in the error flow. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Link: https://lore.kernel.org/r/20210113130214.562108-1-leon@kernel.org +Signed-off-by: Neta Ostrovsky +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma_configfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma_configfs.c b/drivers/infiniband/core/cma_configfs.c +index 7ec4af2ed87ab..35d1ec1095f9c 100644 +--- a/drivers/infiniband/core/cma_configfs.c ++++ b/drivers/infiniband/core/cma_configfs.c +@@ -131,8 +131,10 @@ static ssize_t default_roce_mode_store(struct config_item *item, + return ret; + + gid_type = ib_cache_gid_parse_type_str(buf); +- if (gid_type < 0) ++ if (gid_type < 0) { ++ cma_configfs_params_put(cma_dev); + return -EINVAL; ++ } + + ret = cma_set_default_gid_type(cma_dev, group->port_num, gid_type); + +-- +2.27.0 + diff --git a/queue-5.10/rdma-ucma-do-not-miss-ctx-destruction-steps-in-some-.patch b/queue-5.10/rdma-ucma-do-not-miss-ctx-destruction-steps-in-some-.patch new file mode 100644 index 00000000000..f7755e90de0 --- /dev/null +++ b/queue-5.10/rdma-ucma-do-not-miss-ctx-destruction-steps-in-some-.patch @@ -0,0 +1,320 @@ +From fbefcc22db92689f447db5b2ee2404f9f2aaa133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:13:27 +0200 +Subject: RDMA/ucma: Do not miss ctx destruction steps in some cases + +From: Jason Gunthorpe + +[ Upstream commit 8ae291cc95e49011b736b641b0cfad502b7a1526 ] + +The destruction flow is very complicated here because the cm_id can be +destroyed from the event handler at any time if the device is +hot-removed. This leaves behind a partial ctx with no cm_id in the +xarray, and will let user space leak memory. + +Make everything consistent in this flow in all places: + + - Return the xarray back to XA_ZERO_ENTRY before beginning any + destruction. The thread that reaches this first is responsible to + kfree, everyone else does nothing. + + - Test the xarray during the special hot-removal case to block the + queue_work, this has much simpler locking and doesn't require a + 'destroying' + + - Fix the ref initialization so that it is only positive if cm_id != + NULL, then rely on that to guide the destruction process in all cases. + +Now the new ucma_destroy_private_ctx() can be called in all places that +want to free the ctx, including all the error unwinds, and none of the +details are missed. + +Fixes: a1d33b70dbbc ("RDMA/ucma: Rework how new connections are passed through event delivery") +Link: https://lore.kernel.org/r/20210105111327.230270-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 135 ++++++++++++++++++--------------- + 1 file changed, 72 insertions(+), 63 deletions(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index ffe2563ad3456..2cc785c1970b4 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -95,8 +95,6 @@ struct ucma_context { + u64 uid; + + struct list_head list; +- /* sync between removal event and id destroy, protected by file mut */ +- int destroying; + struct work_struct close_work; + }; + +@@ -122,7 +120,7 @@ static DEFINE_XARRAY_ALLOC(ctx_table); + static DEFINE_XARRAY_ALLOC(multicast_table); + + static const struct file_operations ucma_fops; +-static int __destroy_id(struct ucma_context *ctx); ++static int ucma_destroy_private_ctx(struct ucma_context *ctx); + + static inline struct ucma_context *_ucma_find_context(int id, + struct ucma_file *file) +@@ -179,19 +177,14 @@ static void ucma_close_id(struct work_struct *work) + + /* once all inflight tasks are finished, we close all underlying + * resources. The context is still alive till its explicit destryoing +- * by its creator. ++ * by its creator. This puts back the xarray's reference. + */ + ucma_put_ctx(ctx); + wait_for_completion(&ctx->comp); + /* No new events will be generated after destroying the id. */ + rdma_destroy_id(ctx->cm_id); + +- /* +- * At this point ctx->ref is zero so the only place the ctx can be is in +- * a uevent or in __destroy_id(). Since the former doesn't touch +- * ctx->cm_id and the latter sync cancels this, there is no races with +- * this store. +- */ ++ /* Reading the cm_id without holding a positive ref is not allowed */ + ctx->cm_id = NULL; + } + +@@ -204,7 +197,6 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file) + return NULL; + + INIT_WORK(&ctx->close_work, ucma_close_id); +- refcount_set(&ctx->ref, 1); + init_completion(&ctx->comp); + /* So list_del() will work if we don't do ucma_finish_ctx() */ + INIT_LIST_HEAD(&ctx->list); +@@ -218,6 +210,13 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file) + return ctx; + } + ++static void ucma_set_ctx_cm_id(struct ucma_context *ctx, ++ struct rdma_cm_id *cm_id) ++{ ++ refcount_set(&ctx->ref, 1); ++ ctx->cm_id = cm_id; ++} ++ + static void ucma_finish_ctx(struct ucma_context *ctx) + { + lockdep_assert_held(&ctx->file->mut); +@@ -303,7 +302,7 @@ static int ucma_connect_event_handler(struct rdma_cm_id *cm_id, + ctx = ucma_alloc_ctx(listen_ctx->file); + if (!ctx) + goto err_backlog; +- ctx->cm_id = cm_id; ++ ucma_set_ctx_cm_id(ctx, cm_id); + + uevent = ucma_create_uevent(listen_ctx, event); + if (!uevent) +@@ -321,8 +320,7 @@ static int ucma_connect_event_handler(struct rdma_cm_id *cm_id, + return 0; + + err_alloc: +- xa_erase(&ctx_table, ctx->id); +- kfree(ctx); ++ ucma_destroy_private_ctx(ctx); + err_backlog: + atomic_inc(&listen_ctx->backlog); + /* Returning error causes the new ID to be destroyed */ +@@ -356,8 +354,12 @@ static int ucma_event_handler(struct rdma_cm_id *cm_id, + wake_up_interruptible(&ctx->file->poll_wait); + } + +- if (event->event == RDMA_CM_EVENT_DEVICE_REMOVAL && !ctx->destroying) +- queue_work(system_unbound_wq, &ctx->close_work); ++ if (event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) { ++ xa_lock(&ctx_table); ++ if (xa_load(&ctx_table, ctx->id) == ctx) ++ queue_work(system_unbound_wq, &ctx->close_work); ++ xa_unlock(&ctx_table); ++ } + return 0; + } + +@@ -461,13 +463,12 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + ret = PTR_ERR(cm_id); + goto err1; + } +- ctx->cm_id = cm_id; ++ ucma_set_ctx_cm_id(ctx, cm_id); + + resp.id = ctx->id; + if (copy_to_user(u64_to_user_ptr(cmd.response), + &resp, sizeof(resp))) { +- xa_erase(&ctx_table, ctx->id); +- __destroy_id(ctx); ++ ucma_destroy_private_ctx(ctx); + return -EFAULT; + } + +@@ -477,8 +478,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + return 0; + + err1: +- xa_erase(&ctx_table, ctx->id); +- kfree(ctx); ++ ucma_destroy_private_ctx(ctx); + return ret; + } + +@@ -516,68 +516,73 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc) + rdma_unlock_handler(mc->ctx->cm_id); + } + +-/* +- * ucma_free_ctx is called after the underlying rdma CM-ID is destroyed. At +- * this point, no new events will be reported from the hardware. However, we +- * still need to cleanup the UCMA context for this ID. Specifically, there +- * might be events that have not yet been consumed by the user space software. +- * mutex. After that we release them as needed. +- */ +-static int ucma_free_ctx(struct ucma_context *ctx) ++static int ucma_cleanup_ctx_events(struct ucma_context *ctx) + { + int events_reported; + struct ucma_event *uevent, *tmp; + LIST_HEAD(list); + +- ucma_cleanup_multicast(ctx); +- +- /* Cleanup events not yet reported to the user. */ ++ /* Cleanup events not yet reported to the user.*/ + mutex_lock(&ctx->file->mut); + list_for_each_entry_safe(uevent, tmp, &ctx->file->event_list, list) { +- if (uevent->ctx == ctx || uevent->conn_req_ctx == ctx) ++ if (uevent->ctx != ctx) ++ continue; ++ ++ if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST && ++ xa_cmpxchg(&ctx_table, uevent->conn_req_ctx->id, ++ uevent->conn_req_ctx, XA_ZERO_ENTRY, ++ GFP_KERNEL) == uevent->conn_req_ctx) { + list_move_tail(&uevent->list, &list); ++ continue; ++ } ++ list_del(&uevent->list); ++ kfree(uevent); + } + list_del(&ctx->list); + events_reported = ctx->events_reported; + mutex_unlock(&ctx->file->mut); + + /* +- * If this was a listening ID then any connections spawned from it +- * that have not been delivered to userspace are cleaned up too. +- * Must be done outside any locks. ++ * If this was a listening ID then any connections spawned from it that ++ * have not been delivered to userspace are cleaned up too. Must be done ++ * outside any locks. + */ + list_for_each_entry_safe(uevent, tmp, &list, list) { +- list_del(&uevent->list); +- if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST && +- uevent->conn_req_ctx != ctx) +- __destroy_id(uevent->conn_req_ctx); ++ ucma_destroy_private_ctx(uevent->conn_req_ctx); + kfree(uevent); + } +- +- mutex_destroy(&ctx->mutex); +- kfree(ctx); + return events_reported; + } + +-static int __destroy_id(struct ucma_context *ctx) ++/* ++ * When this is called the xarray must have a XA_ZERO_ENTRY in the ctx->id (ie ++ * the ctx is not public to the user). This either because: ++ * - ucma_finish_ctx() hasn't been called ++ * - xa_cmpxchg() succeed to remove the entry (only one thread can succeed) ++ */ ++static int ucma_destroy_private_ctx(struct ucma_context *ctx) + { ++ int events_reported; ++ + /* +- * If the refcount is already 0 then ucma_close_id() has already +- * destroyed the cm_id, otherwise holding the refcount keeps cm_id +- * valid. Prevent queue_work() from being called. ++ * Destroy the underlying cm_id. New work queuing is prevented now by ++ * the removal from the xarray. Once the work is cancled ref will either ++ * be 0 because the work ran to completion and consumed the ref from the ++ * xarray, or it will be positive because we still have the ref from the ++ * xarray. This can also be 0 in cases where cm_id was never set + */ +- if (refcount_inc_not_zero(&ctx->ref)) { +- rdma_lock_handler(ctx->cm_id); +- ctx->destroying = 1; +- rdma_unlock_handler(ctx->cm_id); +- ucma_put_ctx(ctx); +- } +- + cancel_work_sync(&ctx->close_work); +- /* At this point it's guaranteed that there is no inflight closing task */ +- if (ctx->cm_id) ++ if (refcount_read(&ctx->ref)) + ucma_close_id(&ctx->close_work); +- return ucma_free_ctx(ctx); ++ ++ events_reported = ucma_cleanup_ctx_events(ctx); ++ ucma_cleanup_multicast(ctx); ++ ++ WARN_ON(xa_cmpxchg(&ctx_table, ctx->id, XA_ZERO_ENTRY, NULL, ++ GFP_KERNEL) != NULL); ++ mutex_destroy(&ctx->mutex); ++ kfree(ctx); ++ return events_reported; + } + + static ssize_t ucma_destroy_id(struct ucma_file *file, const char __user *inbuf, +@@ -596,14 +601,17 @@ static ssize_t ucma_destroy_id(struct ucma_file *file, const char __user *inbuf, + + xa_lock(&ctx_table); + ctx = _ucma_find_context(cmd.id, file); +- if (!IS_ERR(ctx)) +- __xa_erase(&ctx_table, ctx->id); ++ if (!IS_ERR(ctx)) { ++ if (__xa_cmpxchg(&ctx_table, ctx->id, ctx, XA_ZERO_ENTRY, ++ GFP_KERNEL) != ctx) ++ ctx = ERR_PTR(-ENOENT); ++ } + xa_unlock(&ctx_table); + + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- resp.events_reported = __destroy_id(ctx); ++ resp.events_reported = ucma_destroy_private_ctx(ctx); + if (copy_to_user(u64_to_user_ptr(cmd.response), + &resp, sizeof(resp))) + ret = -EFAULT; +@@ -1777,15 +1785,16 @@ static int ucma_close(struct inode *inode, struct file *filp) + * prevented by this being a FD release function. The list_add_tail() in + * ucma_connect_event_handler() can run concurrently, however it only + * adds to the list *after* a listening ID. By only reading the first of +- * the list, and relying on __destroy_id() to block ++ * the list, and relying on ucma_destroy_private_ctx() to block + * ucma_connect_event_handler(), no additional locking is needed. + */ + while (!list_empty(&file->ctx_list)) { + struct ucma_context *ctx = list_first_entry( + &file->ctx_list, struct ucma_context, list); + +- xa_erase(&ctx_table, ctx->id); +- __destroy_id(ctx); ++ WARN_ON(xa_cmpxchg(&ctx_table, ctx->id, ctx, XA_ZERO_ENTRY, ++ GFP_KERNEL) != ctx); ++ ucma_destroy_private_ctx(ctx); + } + kfree(file); + return 0; +-- +2.27.0 + diff --git a/queue-5.10/rdma-umem-avoid-undefined-behavior-of-rounddown_pow_.patch b/queue-5.10/rdma-umem-avoid-undefined-behavior-of-rounddown_pow_.patch new file mode 100644 index 00000000000..8a001251d36 --- /dev/null +++ b/queue-5.10/rdma-umem-avoid-undefined-behavior-of-rounddown_pow_.patch @@ -0,0 +1,42 @@ +From 7c32e223fe3817048ac46e0fc8c222626fda64a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 14:16:59 +0200 +Subject: RDMA/umem: Avoid undefined behavior of rounddown_pow_of_two() + +From: Aharon Landau + +[ Upstream commit b79f2dc5ffe17b03ec8c55f0d63f65e87bcac676 ] + +rounddown_pow_of_two() is undefined when the input is 0. Therefore we need +to avoid it in ib_umem_find_best_pgsz and return 0. Otherwise, it could +result in not rejecting an invalid page size which eventually causes a +kernel oops due to the logical inconsistency. + +Fixes: 3361c29e9279 ("RDMA/umem: Use simpler logic for ib_umem_find_best_pgsz()") +Link: https://lore.kernel.org/r/20210113121703.559778-2-leon@kernel.org +Signed-off-by: Aharon Landau +Reviewed-by: Jason Gunthorpe +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index e9fecbdf391bc..5157ae29a4460 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -126,7 +126,7 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, + */ + if (mask) + pgsz_bitmap &= GENMASK(count_trailing_zeros(mask), 0); +- return rounddown_pow_of_two(pgsz_bitmap); ++ return pgsz_bitmap ? rounddown_pow_of_two(pgsz_bitmap) : 0; + } + EXPORT_SYMBOL(ib_umem_find_best_pgsz); + +-- +2.27.0 + diff --git a/queue-5.10/scsi-megaraid_sas-fix-megasas_ioc_firmware-regressio.patch b/queue-5.10/scsi-megaraid_sas-fix-megasas_ioc_firmware-regressio.patch new file mode 100644 index 00000000000..ff6eec33350 --- /dev/null +++ b/queue-5.10/scsi-megaraid_sas-fix-megasas_ioc_firmware-regressio.patch @@ -0,0 +1,80 @@ +From fd5715df28037c43b9cfca54d28c952365b359e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 00:41:04 +0100 +Subject: scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression + +From: Arnd Bergmann + +[ Upstream commit b112036535eda34460677ea883eaecc3a45a435d ] + +Phil Oester reported that a fix for a possible buffer overrun that I sent +caused a regression that manifests in this output: + + Event Message: A PCI parity error was detected on a component at bus 0 device 5 function 0. + Severity: Critical + Message ID: PCI1308 + +The original code tried to handle the sense data pointer differently when +using 32-bit 64-bit DMA addressing, which would lead to a 32-bit dma_addr_t +value of 0x11223344 to get stored + +32-bit kernel: 44 33 22 11 ?? ?? ?? ?? +64-bit LE kernel: 44 33 22 11 00 00 00 00 +64-bit BE kernel: 00 00 00 00 44 33 22 11 + +or a 64-bit dma_addr_t value of 0x1122334455667788 to get stored as + +32-bit kernel: 88 77 66 55 ?? ?? ?? ?? +64-bit kernel: 88 77 66 55 44 33 22 11 + +In my patch, I tried to ensure that the same value is used on both 32-bit +and 64-bit kernels, and picked what seemed to be the most sensible +combination, storing 32-bit addresses in the first four bytes (as 32-bit +kernels already did), and 64-bit addresses in eight consecutive bytes (as +64-bit kernels already did), but evidently this was incorrect. + +Always storing the dma_addr_t pointer as 64-bit little-endian, +i.e. initializing the second four bytes to zero in case of 32-bit +addressing, apparently solved the problem for Phil, and is consistent with +what all 64-bit little-endian machines did before. + +I also checked in the history that in previous versions of the code, the +pointer was always in the first four bytes without padding, and that +previous attempts to fix 64-bit user space, big-endian architectures and +64-bit DMA were clearly flawed and seem to have introduced made this worse. + +Link: https://lore.kernel.org/r/20210104234137.438275-1-arnd@kernel.org +Fixes: 381d34e376e3 ("scsi: megaraid_sas: Check user-provided offsets") +Fixes: 107a60dd71b5 ("scsi: megaraid_sas: Add support for 64bit consistent DMA") +Fixes: 94cd65ddf4d7 ("[SCSI] megaraid_sas: addded support for big endian architecture") +Fixes: 7b2519afa1ab ("[SCSI] megaraid_sas: fix 64 bit sense pointer truncation") +Reported-by: Phil Oester +Tested-by: Phil Oester +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 9ebeb031329d9..cc45cdac13844 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -8232,11 +8232,9 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, + goto out; + } + ++ /* always store 64 bits regardless of addressing */ + sense_ptr = (void *)cmd->frame + ioc->sense_off; +- if (instance->consistent_mask_64bit) +- put_unaligned_le64(sense_handle, sense_ptr); +- else +- put_unaligned_le32(sense_handle, sense_ptr); ++ put_unaligned_le64(sense_handle, sense_ptr); + } + + /* +-- +2.27.0 + diff --git a/queue-5.10/scsi-ufs-fix-tm-request-when-non-fatal-error-happens.patch b/queue-5.10/scsi-ufs-fix-tm-request-when-non-fatal-error-happens.patch new file mode 100644 index 00000000000..3a0c4acdd58 --- /dev/null +++ b/queue-5.10/scsi-ufs-fix-tm-request-when-non-fatal-error-happens.patch @@ -0,0 +1,82 @@ +From 0a1e271c730138d79212b469470660d23385a6fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 10:53:16 -0800 +Subject: scsi: ufs: Fix tm request when non-fatal error happens + +From: Jaegeuk Kim + +[ Upstream commit eeb1b55b6e25c5f7265ff45cd050f3bc2cc423a4 ] + +When non-fatal error like line-reset happens, ufshcd_err_handler() starts +to abort tasks by ufshcd_try_to_abort_task(). When it tries to issue a task +management request, we hit two warnings: + +WARNING: CPU: 7 PID: 7 at block/blk-core.c:630 blk_get_request+0x68/0x70 +WARNING: CPU: 4 PID: 157 at block/blk-mq-tag.c:82 blk_mq_get_tag+0x438/0x46c + +After fixing the above warnings we hit another tm_cmd timeout which may be +caused by unstable controller state: + +__ufshcd_issue_tm_cmd: task management cmd 0x80 timed-out + +Then, ufshcd_err_handler() enters full reset, and kernel gets stuck. It +turned out ufshcd_print_trs() printed too many messages on console which +requires CPU locks. Likewise hba->silence_err_logs, we need to avoid too +verbose messages. This is actually not an error case. + +Link: https://lore.kernel.org/r/20210107185316.788815-3-jaegeuk@kernel.org +Fixes: 69a6c269c097 ("scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs") +Reviewed-by: Can Guo +Signed-off-by: Jaegeuk Kim +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 974a4f339ede2..8132893284670 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4913,7 +4913,8 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + break; + } /* end of switch */ + +- if ((host_byte(result) != DID_OK) && !hba->silence_err_logs) ++ if ((host_byte(result) != DID_OK) && ++ (host_byte(result) != DID_REQUEUE) && !hba->silence_err_logs) + ufshcd_print_trs(hba, 1 << lrbp->task_tag, true); + return result; + } +@@ -6208,9 +6209,13 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba) + intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS); + } + +- if (enabled_intr_status && retval == IRQ_NONE) { +- dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x\n", +- __func__, intr_status); ++ if (enabled_intr_status && retval == IRQ_NONE && ++ !ufshcd_eh_in_progress(hba)) { ++ dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x (0x%08x, 0x%08x)\n", ++ __func__, ++ intr_status, ++ hba->ufs_stats.last_intr_status, ++ enabled_intr_status); + ufshcd_dump_regs(hba, 0, UFSHCI_REG_SPACE_SIZE, "host_regs: "); + } + +@@ -6254,7 +6259,10 @@ static int __ufshcd_issue_tm_cmd(struct ufs_hba *hba, + * Even though we use wait_event() which sleeps indefinitely, + * the maximum wait time is bounded by %TM_CMD_TIMEOUT. + */ +- req = blk_get_request(q, REQ_OP_DRV_OUT, BLK_MQ_REQ_RESERVED); ++ req = blk_get_request(q, REQ_OP_DRV_OUT, 0); ++ if (IS_ERR(req)) ++ return PTR_ERR(req); ++ + req->end_io_data = &wait; + free_slot = req->tag; + WARN_ON_ONCE(free_slot < 0 || free_slot >= hba->nutmrs); +-- +2.27.0 + diff --git a/queue-5.10/scsi-ufs-ufshcd-pltfrm-depends-on-has_iomem.patch b/queue-5.10/scsi-ufs-ufshcd-pltfrm-depends-on-has_iomem.patch new file mode 100644 index 00000000000..8e977842cde --- /dev/null +++ b/queue-5.10/scsi-ufs-ufshcd-pltfrm-depends-on-has_iomem.patch @@ -0,0 +1,49 @@ +From 4ca5ce8dbf665fcbe24d7b558f9a9f307515128b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 20:08:22 -0800 +Subject: scsi: ufs: ufshcd-pltfrm depends on HAS_IOMEM + +From: Randy Dunlap + +[ Upstream commit 5e6ddadf7637d336acaad1df1f3bcbb07f7d104d ] + +Building ufshcd-pltfrm.c on arch/s390/ has a linker error since S390 does +not support IOMEM, so add a dependency on HAS_IOMEM. + +s390-linux-ld: drivers/scsi/ufs/ufshcd-pltfrm.o: in function `ufshcd_pltfrm_init': +ufshcd-pltfrm.c:(.text+0x38e): undefined reference to `devm_platform_ioremap_resource' + +where that devm_ function is inside an #ifdef CONFIG_HAS_IOMEM/#endif +block. + +Link: lore.kernel.org/r/202101031125.ZEFCUiKi-lkp@intel.com +Link: https://lore.kernel.org/r/20210106040822.933-1-rdunlap@infradead.org +Fixes: 03b1781aa978 ("[SCSI] ufs: Add Platform glue driver for ufshcd") +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: Alim Akhtar +Cc: Avri Altman +Cc: linux-scsi@vger.kernel.org +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/Kconfig b/drivers/scsi/ufs/Kconfig +index dcdb4eb1f90ba..c339517b7a094 100644 +--- a/drivers/scsi/ufs/Kconfig ++++ b/drivers/scsi/ufs/Kconfig +@@ -72,6 +72,7 @@ config SCSI_UFS_DWC_TC_PCI + config SCSI_UFSHCD_PLATFORM + tristate "Platform bus based UFS Controller support" + depends on SCSI_UFSHCD ++ depends on HAS_IOMEM + help + This selects the UFS host controller support. Select this if + you have an UFS controller on Platform bus. +-- +2.27.0 + diff --git a/queue-5.10/selftests-net-fib_tests-remove-duplicate-log-test.patch b/queue-5.10/selftests-net-fib_tests-remove-duplicate-log-test.patch new file mode 100644 index 00000000000..d1c9c80e870 --- /dev/null +++ b/queue-5.10/selftests-net-fib_tests-remove-duplicate-log-test.patch @@ -0,0 +1,39 @@ +From 84a5488a0b0b6f5363a4ea91c885691e6675ab52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jan 2021 10:59:30 +0800 +Subject: selftests: net: fib_tests: remove duplicate log test + +From: Hangbin Liu + +[ Upstream commit fd23d2dc180fccfad4b27a8e52ba1bc415d18509 ] + +The previous test added an address with a specified metric and check if +correspond route was created. I somehow added two logs for the same +test. Remove the duplicated one. + +Reported-by: Antoine Tenart +Fixes: 0d29169a708b ("selftests/net/fib_tests: update addr_metric_test for peer route testing") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20210119025930.2810532-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_tests.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index 84205c3a55ebe..2b5707738609e 100755 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -1055,7 +1055,6 @@ ipv6_addr_metric_test() + + check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260" + log_test $? 0 "Set metric with peer route on local side" +- log_test $? 0 "User specified metric on local address" + check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260" + log_test $? 0 "Set metric with peer route on peer side" + +-- +2.27.0 + diff --git a/queue-5.10/series b/queue-5.10/series index f4ce08dc1a7..5fe976aded5 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -74,3 +74,38 @@ libperf-tests-fail-when-failing-to-get-a-tracepoint-.patch risc-v-set-current-memblock-limit.patch risc-v-fix-maximum-allowed-phsyical-memory-for-rv32.patch x86-xen-fix-nopvspin-build-error.patch +nfsd-fixes-for-nfsd4_encode_read_plus_data.patch +nfsd-don-t-set-eof-on-a-truncated-read_plus.patch +gpiolib-cdev-fix-frame-size-warning-in-gpio_ioctl.patch +pinctrl-aspeed-g6-fix-pwmg0-pinctrl-setting.patch +pinctrl-mediatek-fix-fallback-call-path.patch +rdma-ucma-do-not-miss-ctx-destruction-steps-in-some-.patch +btrfs-print-the-actual-offset-in-btrfs_root_name.patch +scsi-megaraid_sas-fix-megasas_ioc_firmware-regressio.patch +scsi-ufs-ufshcd-pltfrm-depends-on-has_iomem.patch +scsi-ufs-fix-tm-request-when-non-fatal-error-happens.patch +crypto-omap-sham-fix-link-error-without-crypto-engin.patch +bpf-prevent-double-bpf_prog_put-call-from-bpf_tracin.patch +powerpc-use-the-common-init_data_section-macro-in-vm.patch +powerpc-fix-alignment-bug-within-the-init-sections.patch +arm64-entry-remove-redundant-irq-flag-tracing.patch +bpf-reject-too-big-ctx_size_in-for-raw_tp-test-run.patch +drm-amdkfd-fix-out-of-bounds-read-in-kdf_create_vcra.patch +rdma-umem-avoid-undefined-behavior-of-rounddown_pow_.patch +rdma-cma-fix-error-flow-in-default_roce_mode_store.patch +printk-ringbuffer-fix-line-counting.patch +printk-fix-kmsg_dump_get_buffer-length-calulations.patch +iov_iter-fix-the-uaccess-area-in-copy_compat_iovec_f.patch +i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch +drm-vc4-unify-pcm-card-s-driver_name.patch +platform-x86-intel-vbtn-drop-hp-stream-x360-converti.patch +platform-x86-hp-wmi-don-t-log-a-warning-on-hpwmi_ret.patch +gpio-sifive-select-irq_domain_hierarchy-rather-than-.patch +alsa-hda-balance-runtime-system-pm-if-direct-complet.patch +xsk-clear-pool-even-for-inactive-queues.patch +selftests-net-fib_tests-remove-duplicate-log-test.patch +can-dev-can_restart-fix-use-after-free-bug.patch +can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch +can-peak_usb-fix-use-after-free-bugs.patch +perf-evlist-fix-id-index-for-heterogeneous-systems.patch +i2c-sprd-depend-on-common_clk-to-fix-compile-tests.patch diff --git a/queue-5.10/xsk-clear-pool-even-for-inactive-queues.patch b/queue-5.10/xsk-clear-pool-even-for-inactive-queues.patch new file mode 100644 index 00000000000..12e45ab8fd0 --- /dev/null +++ b/queue-5.10/xsk-clear-pool-even-for-inactive-queues.patch @@ -0,0 +1,55 @@ +From 1f5f09cedbad60fabd46671578bb8eb96272480a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 18:03:33 +0200 +Subject: xsk: Clear pool even for inactive queues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxim Mikityanskiy + +[ Upstream commit b425e24a934e21a502d25089c6c7443d799c5594 ] + +The number of queues can change by other means, rather than ethtool. For +example, attaching an mqprio qdisc with num_tc > 1 leads to creating +multiple sets of TX queues, which may be then destroyed when mqprio is +deleted. If an AF_XDP socket is created while mqprio is active, +dev->_tx[queue_id].pool will be filled, but then real_num_tx_queues may +decrease with deletion of mqprio, which will mean that the pool won't be +NULLed, and a further increase of the number of TX queues may expose a +dangling pointer. + +To avoid any potential misbehavior, this commit clears pool for RX and +TX queues, regardless of real_num_*_queues, still taking into +consideration num_*_queues to avoid overflows. + +Fixes: 1c1efc2af158 ("xsk: Create and free buffer pool independently from umem") +Fixes: a41b4f3c58dd ("xsk: simplify xdp_clear_umem_at_qid implementation") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Daniel Borkmann +Acked-by: Björn Töpel +Link: https://lore.kernel.org/bpf/20210118160333.333439-1-maximmi@mellanox.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index d5f42c62fd79e..52fd1f96b241e 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -107,9 +107,9 @@ EXPORT_SYMBOL(xsk_get_pool_from_qid); + + void xsk_clear_pool_at_qid(struct net_device *dev, u16 queue_id) + { +- if (queue_id < dev->real_num_rx_queues) ++ if (queue_id < dev->num_rx_queues) + dev->_rx[queue_id].pool = NULL; +- if (queue_id < dev->real_num_tx_queues) ++ if (queue_id < dev->num_tx_queues) + dev->_tx[queue_id].pool = NULL; + } + +-- +2.27.0 +