From: Sasha Levin Date: Sat, 4 Dec 2021 03:39:58 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.4.294~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df04f9ac351c65a3c80d1fcc85409cab490a5d8b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch b/queue-5.4/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch new file mode 100644 index 00000000000..3e14eba0e1f --- /dev/null +++ b/queue-5.4/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch @@ -0,0 +1,42 @@ +From 2cc3041ebfcf354f2c0934d9e0ee551de979aa9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:15:38 -0600 +Subject: ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile + +From: Mario Limonciello + +[ Upstream commit 1527f69204fe35f341cb599f1cb01bd02daf4374 ] + +AMD requires that the SATA controller be configured for devsleep in order +for S0i3 entry to work properly. + +commit b1a9585cc396 ("ata: ahci: Enable DEVSLP by default on x86 with +SLP_S0") sets up a kernel policy to enable devsleep on Intel mobile +platforms that are using s0ix. Add the PCI ID for the SATA controller in +Green Sardine platforms to extend this policy by default for AMD based +systems using s0i3 as well. + +Cc: Nehal-bakulchandra Shah +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091 +Signed-off-by: Mario Limonciello +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 8beb418ce167b..6f572967b5552 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -420,6 +420,7 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* AMD */ + { PCI_VDEVICE(AMD, 0x7800), board_ahci }, /* AMD Hudson-2 */ + { PCI_VDEVICE(AMD, 0x7900), board_ahci }, /* AMD CZ */ ++ { PCI_VDEVICE(AMD, 0x7901), board_ahci_mobile }, /* AMD Green Sardine */ + /* AMD is using RAID class only for ahci controllers */ + { PCI_VENDOR_ID_AMD, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_RAID << 8, 0xffffff, board_ahci }, +-- +2.33.0 + diff --git a/queue-5.4/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch b/queue-5.4/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch new file mode 100644 index 00000000000..8fa169f7ccb --- /dev/null +++ b/queue-5.4/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch @@ -0,0 +1,92 @@ +From db888225e1ed1cd86a763e2f33923a4face3a86e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Nov 2021 22:24:40 -0500 +Subject: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait + +From: Zekun Shen + +[ Upstream commit b922f622592af76b57cbc566eaeccda0b31a3496 ] + +This bug report shows up when running our research tools. The +reports is SOOB read, but it seems SOOB write is also possible +a few lines below. + +In details, fw.len and sw.len are inputs coming from io. A len +over the size of self->rpc triggers SOOB. The patch fixes the +bugs by adding sanity checks. + +The bugs are triggerable with compromised/malfunctioning devices. +They are potentially exploitable given they first leak up to +0xffff bytes and able to overwrite the region later. + +The patch is tested with QEMU emulater. +This is NOT tested with a real device. + +Attached is the log we found by fuzzing. + +BUG: KASAN: slab-out-of-bounds in + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] +Read of size 4 at addr ffff888016260b08 by task modprobe/213 +CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + __kasan_report.cold+0x37/0x7c + ? aq_hw_read_reg_bit+0x60/0x70 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + kasan_report+0xe/0x20 + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic] + hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic] + hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic] + ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic] + ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic] + hw_atl_utils_initfw+0x12a/0x1c8 [atlantic] + aq_nic_ndev_register+0x88/0x650 [atlantic] + ? aq_nic_ndev_init+0x235/0x3c0 [atlantic] + aq_pci_probe+0x731/0x9b0 [atlantic] + ? aq_pci_func_init+0xc0/0xc0 [atlantic] + local_pci_probe+0xd3/0x160 + pci_device_probe+0x23f/0x3e0 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +index 873f9865f0d15..b7d70c33459fd 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +@@ -481,6 +481,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + goto err_exit; + + if (fw.len == 0xFFFFU) { ++ if (sw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid sw len: %x\n", sw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = hw_atl_utils_fw_rpc_call(self, sw.len); + if (err < 0) + goto err_exit; +@@ -489,6 +494,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + + if (rpc) { + if (fw.len) { ++ if (fw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid fw len: %x\n", fw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = + hw_atl_utils_fw_downld_dwords(self, + self->rpc_addr, +-- +2.33.0 + diff --git a/queue-5.4/btrfs-check-integrity-fix-a-warning-on-write-caching.patch b/queue-5.4/btrfs-check-integrity-fix-a-warning-on-write-caching.patch new file mode 100644 index 00000000000..bdbe266bc13 --- /dev/null +++ b/queue-5.4/btrfs-check-integrity-fix-a-warning-on-write-caching.patch @@ -0,0 +1,113 @@ +From 416ca35ae6fa23ddb1e91045cbed32f0bf2d7d70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 06:32:54 +0800 +Subject: btrfs: check-integrity: fix a warning on write caching disabled disk + +From: Wang Yugui + +[ Upstream commit a91cf0ffbc244792e0b3ecf7d0fddb2f344b461f ] + +When a disk has write caching disabled, we skip submission of a bio with +flush and sync requests before writing the superblock, since it's not +needed. However when the integrity checker is enabled, this results in +reports that there are metadata blocks referred by a superblock that +were not properly flushed. So don't skip the bio submission only when +the integrity checker is enabled for the sake of simplicity, since this +is a debug tool and not meant for use in non-debug builds. + +fstests/btrfs/220 trigger a check-integrity warning like the following +when CONFIG_BTRFS_FS_CHECK_INTEGRITY=y and the disk with WCE=0. + + btrfs: attempt to write superblock which references block M @5242880 (sdb2/5242880/0) which is not flushed out of disk's write cache (block flush_gen=1, dev->flush_gen=0)! + ------------[ cut here ]------------ + WARNING: CPU: 28 PID: 843680 at fs/btrfs/check-integrity.c:2196 btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + CPU: 28 PID: 843680 Comm: umount Not tainted 5.15.0-0.rc5.39.el8.x86_64 #1 + Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019 + RIP: 0010:btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + RSP: 0018:ffffb642afb47940 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 + RDX: 00000000ffffffff RSI: ffff8b722fc97d00 RDI: ffff8b722fc97d00 + RBP: ffff8b5601c00000 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffb642afb476f8 R12: ffffffffffffffff + R13: ffffb642afb47974 R14: ffff8b5499254c00 R15: 0000000000000003 + FS: 00007f00a06d4080(0000) GS:ffff8b722fc80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fff5cff5ff0 CR3: 00000001c0c2a006 CR4: 00000000001706e0 + Call Trace: + btrfsic_process_written_block+0x2f7/0x850 [btrfs] + __btrfsic_submit_bio.part.19+0x310/0x330 [btrfs] + ? bio_associate_blkg_from_css+0xa4/0x2c0 + btrfsic_submit_bio+0x18/0x30 [btrfs] + write_dev_supers+0x81/0x2a0 [btrfs] + ? find_get_pages_range_tag+0x219/0x280 + ? pagevec_lookup_range_tag+0x24/0x30 + ? __filemap_fdatawait_range+0x6d/0xf0 + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + ? find_first_extent_bit+0x9b/0x160 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + write_all_supers+0x1b3/0xa70 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + btrfs_commit_transaction+0x59d/0xac0 [btrfs] + close_ctree+0x11d/0x339 [btrfs] + generic_shutdown_super+0x71/0x110 + kill_anon_super+0x14/0x30 + btrfs_kill_super+0x12/0x20 [btrfs] + deactivate_locked_super+0x31/0x70 + cleanup_mnt+0xb8/0x140 + task_work_run+0x6d/0xb0 + exit_to_user_mode_prepare+0x1f0/0x200 + syscall_exit_to_user_mode+0x12/0x30 + do_syscall_64+0x46/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f009f711dfb + RSP: 002b:00007fff5cff7928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + RAX: 0000000000000000 RBX: 000055b68c6c9970 RCX: 00007f009f711dfb + RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055b68c6c9b50 + RBP: 0000000000000000 R08: 000055b68c6ca900 R09: 00007f009f795580 + R10: 0000000000000000 R11: 0000000000000246 R12: 000055b68c6c9b50 + R13: 00007f00a04bf184 R14: 0000000000000000 R15: 00000000ffffffff + ---[ end trace 2c4b82abcef9eec4 ]--- + S-65536(sdb2/65536/1) + --> + M-1064960(sdb2/1064960/1) + +Reviewed-by: Filipe Manana +Signed-off-by: Wang Yugui +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 1499531bc1511..f18c6d97932ed 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3636,11 +3636,23 @@ static void btrfs_end_empty_barrier(struct bio *bio) + */ + static void write_dev_flush(struct btrfs_device *device) + { +- struct request_queue *q = bdev_get_queue(device->bdev); + struct bio *bio = device->flush_bio; + ++#ifndef CONFIG_BTRFS_FS_CHECK_INTEGRITY ++ /* ++ * When a disk has write caching disabled, we skip submission of a bio ++ * with flush and sync requests before writing the superblock, since ++ * it's not needed. However when the integrity checker is enabled, this ++ * results in reports that there are metadata blocks referred by a ++ * superblock that were not properly flushed. So don't skip the bio ++ * submission only when the integrity checker is enabled for the sake ++ * of simplicity, since this is a debug tool and not meant for use in ++ * non-debug builds. ++ */ ++ struct request_queue *q = bdev_get_queue(device->bdev); + if (!test_bit(QUEUE_FLAG_WC, &q->queue_flags)) + return; ++#endif + + bio_reset(bio); + bio->bi_end_io = btrfs_end_empty_barrier; +-- +2.33.0 + diff --git a/queue-5.4/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch b/queue-5.4/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch new file mode 100644 index 00000000000..cd2b2e4ce7b --- /dev/null +++ b/queue-5.4/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch @@ -0,0 +1,53 @@ +From f3da08b19ac05f553ea5200e53f6604235f606e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 22:23:51 -0500 +Subject: drm/sun4i: fix unmet dependency on RESET_CONTROLLER for + PHY_SUN6I_MIPI_DPHY + +From: Julian Braha + +[ Upstream commit bb162bb2b4394108c8f055d1b115735331205e28 ] + +When PHY_SUN6I_MIPI_DPHY is selected, and RESET_CONTROLLER +is not selected, Kbuild gives the following warning: + +WARNING: unmet direct dependencies detected for PHY_SUN6I_MIPI_DPHY + Depends on [n]: (ARCH_SUNXI [=n] || COMPILE_TEST [=y]) && HAS_IOMEM [=y] && COMMON_CLK [=y] && RESET_CONTROLLER [=n] + Selected by [y]: + - DRM_SUN6I_DSI [=y] && HAS_IOMEM [=y] && DRM_SUN4I [=y] + +This is because DRM_SUN6I_DSI selects PHY_SUN6I_MIPI_DPHY +without selecting or depending on RESET_CONTROLLER, despite +PHY_SUN6I_MIPI_DPHY depending on RESET_CONTROLLER. + +These unmet dependency bugs were detected by Kismet, +a static analysis tool for Kconfig. Please advise if this +is not the appropriate solution. + +v2: +Fixed indentation to match the rest of the file. + +Signed-off-by: Julian Braha +Acked-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20211109032351.43322-1-julianbraha@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/sun4i/Kconfig b/drivers/gpu/drm/sun4i/Kconfig +index 37e90e42943f6..0e2d304f0d83f 100644 +--- a/drivers/gpu/drm/sun4i/Kconfig ++++ b/drivers/gpu/drm/sun4i/Kconfig +@@ -46,6 +46,7 @@ config DRM_SUN6I_DSI + default MACH_SUN8I + select CRC_CCITT + select DRM_MIPI_DSI ++ select RESET_CONTROLLER + select PHY_SUN6I_MIPI_DPHY + help + Choose this option if you want have an Allwinner SoC with +-- +2.33.0 + diff --git a/queue-5.4/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch b/queue-5.4/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch new file mode 100644 index 00000000000..250b56b9f9e --- /dev/null +++ b/queue-5.4/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch @@ -0,0 +1,49 @@ +From a554daf526b571cf9034043d0a073ab6533ab5da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 11:44:53 +0800 +Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array + overflow in hns_dsaf_ge_srst_by_port() + +From: Teng Qi + +[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ] + +The if statement: + if (port >= DSAF_GE_NUM) + return; + +limits the value of port less than DSAF_GE_NUM (i.e., 8). +However, if the value of port is 6 or 7, an array overflow could occur: + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + +because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). + +To fix this possible array overflow, we first check port and if it is +greater than or equal to DSAF_MAX_PORT_NUM, the function returns. + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +index ed3829ae4ef1b..580199fdd0c22 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +@@ -398,6 +398,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, + return; + + if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { ++ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8. ++ We need check to prevent array overflow */ ++ if (port >= DSAF_MAX_PORT_NUM) ++ return; + reg_val_1 = 0x1 << port; + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + /* there is difference between V1 and V2 in register.*/ +-- +2.33.0 + diff --git a/queue-5.4/gfs2-fix-length-of-holes-reported-at-end-of-file.patch b/queue-5.4/gfs2-fix-length-of-holes-reported-at-end-of-file.patch new file mode 100644 index 00000000000..ea442897d18 --- /dev/null +++ b/queue-5.4/gfs2-fix-length-of-holes-reported-at-end-of-file.patch @@ -0,0 +1,40 @@ +From f8d963ae1ce01a6a7da5556ff1e5a35b5bfe6804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 00:18:56 +0100 +Subject: gfs2: Fix length of holes reported at end-of-file + +From: Andreas Gruenbacher + +[ Upstream commit f3506eee81d1f700d9ee2d2f4a88fddb669ec032 ] + +Fix the length of holes reported at the end of a file: the length is +relative to the beginning of the extent, not the seek position which is +rounded down to the filesystem block size. + +This bug went unnoticed for some time, but is now caught by the +following assertion in iomap_iter_done(): + + WARN_ON_ONCE(iter->iomap.offset + iter->iomap.length <= iter->pos) + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index aaec3c5b02028..dec5285a02e9d 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -940,7 +940,7 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + else if (height == ip->i_height) + ret = gfs2_hole_size(inode, lblock, len, mp, iomap); + else +- iomap->length = size - pos; ++ iomap->length = size - iomap->offset; + } else if (flags & IOMAP_WRITE) { + u64 alloc_size; + +-- +2.33.0 + diff --git a/queue-5.4/mac80211-do-not-access-the-iv-when-it-was-stripped.patch b/queue-5.4/mac80211-do-not-access-the-iv-when-it-was-stripped.patch new file mode 100644 index 00000000000..e39e8ce12dc --- /dev/null +++ b/queue-5.4/mac80211-do-not-access-the-iv-when-it-was-stripped.patch @@ -0,0 +1,39 @@ +From 34a869ffdcfb4b14fc90fe7d09a4efc4668b9b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 10:46:57 +0800 +Subject: mac80211: do not access the IV when it was stripped + +From: Xing Song + +[ Upstream commit 77dfc2bc0bb4b8376ecd7a430f27a4a8fff6a5a0 ] + +ieee80211_get_keyid() will return false value if IV has been stripped, +such as return 0 for IP/ARP frames due to LLC header, and return -EINVAL +for disassociation frames due to its length... etc. Don't try to access +it if it's not present. + +Signed-off-by: Xing Song +Link: https://lore.kernel.org/r/20211101024657.143026-1-xing.song@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index c7e6bf7c22c78..282bf336b15a4 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1918,7 +1918,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) + int keyid = rx->sta->ptk_idx; + sta_ptk = rcu_dereference(rx->sta->ptk[keyid]); + +- if (ieee80211_has_protected(fc)) { ++ if (ieee80211_has_protected(fc) && ++ !(status->flag & RX_FLAG_IV_STRIPPED)) { + cs = rx->sta->cipher_scheme; + keyid = ieee80211_get_keyid(rx->skb, cs); + +-- +2.33.0 + diff --git a/queue-5.4/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch b/queue-5.4/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch new file mode 100644 index 00000000000..78a979bb1f3 --- /dev/null +++ b/queue-5.4/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch @@ -0,0 +1,58 @@ +From 1c2a13155d119aa4fc537108ba393e8ec2166206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 15:01:18 +0800 +Subject: net: ethernet: dec: tulip: de4x5: fix possible array overflows in + type3_infoblock() + +From: Teng Qi + +[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ] + +The definition of macro MOTO_SROM_BUG is: + #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32( + dev->dev_addr) & 0x00ffffff) == 0x3e0008) + +and the if statement + if (MOTO_SROM_BUG) lp->active = 0; + +using this macro indicates lp->active could be 8. If lp->active is 8 and +the second comparison of this macro is false. lp->active will remain 8 in: + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].mci = *p; + +However, the length of array lp->phy is 8, so array overflows can occur. +To fix these possible array overflows, we first check lp->active and then +return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8). + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Reviewed-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index a80252973171f..c97fc0e384ca6 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4708,6 +4708,10 @@ type3_infoblock(struct net_device *dev, u_char count, u_char *p) + lp->ibn = 3; + lp->active = *p++; + if (MOTO_SROM_BUG) lp->active = 0; ++ /* if (MOTO_SROM_BUG) statement indicates lp->active could ++ * be 8 (i.e. the size of array lp->phy) */ ++ if (WARN_ON(lp->active >= ARRAY_SIZE(lp->phy))) ++ return -EINVAL; + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; +-- +2.33.0 + diff --git a/queue-5.4/net-return-correct-error-code.patch b/queue-5.4/net-return-correct-error-code.patch new file mode 100644 index 00000000000..682bbe95942 --- /dev/null +++ b/queue-5.4/net-return-correct-error-code.patch @@ -0,0 +1,35 @@ +From 83d6e5de7d6cc1fd41236aecd4d88d96f5c961b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 16:14:48 +0800 +Subject: net: return correct error code + +From: liuguoqiang + +[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ] + +When kmemdup called failed and register_net_sysctl return NULL, should +return ENOMEM instead of ENOBUFS + +Signed-off-by: liuguoqiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 603a3495afa62..4a8ad46397c0e 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -2585,7 +2585,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, + free: + kfree(t); + out: +- return -ENOBUFS; ++ return -ENOMEM; + } + + static void __devinet_sysctl_unregister(struct net *net, +-- +2.33.0 + diff --git a/queue-5.4/net-smc-avoid-warning-of-possible-recursive-locking.patch b/queue-5.4/net-smc-avoid-warning-of-possible-recursive-locking.patch new file mode 100644 index 00000000000..e6fa0637508 --- /dev/null +++ b/queue-5.4/net-smc-avoid-warning-of-possible-recursive-locking.patch @@ -0,0 +1,96 @@ +From 6ab6f92f63d1fec35fd94e22e9e5b43c12e808e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 20:32:53 +0800 +Subject: net/smc: Avoid warning of possible recursive locking + +From: Wen Gu + +[ Upstream commit 7a61432dc81375be06b02f0061247d3efbdfce3a ] + +Possible recursive locking is detected by lockdep when SMC +falls back to TCP. The corresponding warnings are as follows: + + ============================================ + WARNING: possible recursive locking detected + 5.16.0-rc1+ #18 Tainted: G E + -------------------------------------------- + wrk/1391 is trying to acquire lock: + ffff975246c8e7d8 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0x109/0x250 [smc] + + but task is already holding lock: + ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc] + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&ei->socket.wq.wait); + lock(&ei->socket.wq.wait); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 2 locks held by wrk/1391: + #0: ffff975246040130 (sk_lock-AF_SMC){+.+.}-{0:0}, at: smc_connect+0x43/0x150 [smc] + #1: ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc] + + stack backtrace: + Call Trace: + + dump_stack_lvl+0x56/0x7b + __lock_acquire+0x951/0x11f0 + lock_acquire+0x27a/0x320 + ? smc_switch_to_fallback+0x109/0x250 [smc] + ? smc_switch_to_fallback+0xfe/0x250 [smc] + _raw_spin_lock_irq+0x3b/0x80 + ? smc_switch_to_fallback+0x109/0x250 [smc] + smc_switch_to_fallback+0x109/0x250 [smc] + smc_connect_fallback+0xe/0x30 [smc] + __smc_connect+0xcf/0x1090 [smc] + ? mark_held_locks+0x61/0x80 + ? __local_bh_enable_ip+0x77/0xe0 + ? lockdep_hardirqs_on+0xbf/0x130 + ? smc_connect+0x12a/0x150 [smc] + smc_connect+0x12a/0x150 [smc] + __sys_connect+0x8a/0xc0 + ? syscall_enter_from_user_mode+0x20/0x70 + __x64_sys_connect+0x16/0x20 + do_syscall_64+0x34/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The nested locking in smc_switch_to_fallback() is considered to +possibly cause a deadlock because smc_wait->lock and clc_wait->lock +are the same type of lock. But actually it is safe so far since +there is no other place trying to obtain smc_wait->lock when +clc_wait->lock is held. So the patch replaces spin_lock() with +spin_lock_nested() to avoid false report by lockdep. + +Link: https://lkml.org/lkml/2021/11/19/962 +Fixes: 2153bd1e3d3d ("Transfer remaining wait queue entries during fallback") +Reported-by: syzbot+e979d3597f48262cb4ee@syzkaller.appspotmail.com +Signed-off-by: Wen Gu +Acked-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 00d3787387172..fa3b20e5f4608 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -483,7 +483,7 @@ static void smc_switch_to_fallback(struct smc_sock *smc) + * to clcsocket->wq during the fallback. + */ + spin_lock_irqsave(&smc_wait->lock, flags); +- spin_lock(&clc_wait->lock); ++ spin_lock_nested(&clc_wait->lock, SINGLE_DEPTH_NESTING); + list_splice_init(&smc_wait->head, &clc_wait->head); + spin_unlock(&clc_wait->lock); + spin_unlock_irqrestore(&smc_wait->lock, flags); +-- +2.33.0 + diff --git a/queue-5.4/net-smc-transfer-remaining-wait-queue-entries-during.patch b/queue-5.4/net-smc-transfer-remaining-wait-queue-entries-during.patch new file mode 100644 index 00000000000..1e6602393b5 --- /dev/null +++ b/queue-5.4/net-smc-transfer-remaining-wait-queue-entries-during.patch @@ -0,0 +1,87 @@ +From 9fc4d1ea9100cc4998f2cf101c101a338dd85dbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Nov 2021 15:33:35 +0800 +Subject: net/smc: Transfer remaining wait queue entries during fallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wen Gu + +[ Upstream commit 2153bd1e3d3dbf6a3403572084ef6ed31c53c5f0 ] + +The SMC fallback is incomplete currently. There may be some +wait queue entries remaining in smc socket->wq, which should +be removed to clcsocket->wq during the fallback. + +For example, in nginx/wrk benchmark, this issue causes an +all-zeros test result: + +server: nginx -g 'daemon off;' +client: smc_run wrk -c 1 -t 1 -d 5 http://11.200.15.93/index.html + + Running 5s test @ http://11.200.15.93/index.html + 1 threads and 1 connections + Thread Stats Avg Stdev Max ± Stdev + Latency 0.00us 0.00us 0.00us -nan% + Req/Sec 0.00 0.00 0.00 -nan% + 0 requests in 5.00s, 0.00B read + Requests/sec: 0.00 + Transfer/sec: 0.00B + +The reason for this all-zeros result is that when wrk used SMC +to replace TCP, it added an eppoll_entry into smc socket->wq +and expected to be notified if epoll events like EPOLL_IN/ +EPOLL_OUT occurred on the smc socket. + +However, once a fallback occurred, wrk switches to use clcsocket. +Now it is clcsocket->wq instead of smc socket->wq which will +be woken up. The eppoll_entry remaining in smc socket->wq does +not work anymore and wrk stops the test. + +This patch fixes this issue by removing remaining wait queue +entries from smc socket->wq to clcsocket->wq during the fallback. + +Link: https://www.spinics.net/lists/netdev/msg779769.html +Signed-off-by: Wen Gu +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 5e1493f8deba7..00d3787387172 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -467,12 +467,26 @@ static void smc_link_save_peer_info(struct smc_link *link, + + static void smc_switch_to_fallback(struct smc_sock *smc) + { ++ wait_queue_head_t *smc_wait = sk_sleep(&smc->sk); ++ wait_queue_head_t *clc_wait = sk_sleep(smc->clcsock->sk); ++ unsigned long flags; ++ + smc->use_fallback = true; + if (smc->sk.sk_socket && smc->sk.sk_socket->file) { + smc->clcsock->file = smc->sk.sk_socket->file; + smc->clcsock->file->private_data = smc->clcsock; + smc->clcsock->wq.fasync_list = + smc->sk.sk_socket->wq.fasync_list; ++ ++ /* There may be some entries remaining in ++ * smc socket->wq, which should be removed ++ * to clcsocket->wq during the fallback. ++ */ ++ spin_lock_irqsave(&smc_wait->lock, flags); ++ spin_lock(&clc_wait->lock); ++ list_splice_init(&smc_wait->head, &clc_wait->head); ++ spin_unlock(&clc_wait->lock); ++ spin_unlock_irqrestore(&smc_wait->lock, flags); + } + } + +-- +2.33.0 + diff --git a/queue-5.4/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch b/queue-5.4/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch new file mode 100644 index 00000000000..9ab744c89b4 --- /dev/null +++ b/queue-5.4/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch @@ -0,0 +1,66 @@ +From 4cc316280e949728949317d76456c5c34cf59d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 13:46:32 +0800 +Subject: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be + out of bound + +From: zhangyue + +[ Upstream commit 61217be886b5f7402843677e4be7e7e83de9cb41 ] + +In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the +'for' end, the 'k' is 8. + +At this time, the array 'lp->phy[8]' may be out of bound. + +Signed-off-by: zhangyue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 30 +++++++++++++++----------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index c813e6f2b371e..a80252973171f 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4999,19 +4999,23 @@ mii_get_phy(struct net_device *dev) + } + if ((j == limit) && (i < DE4X5_MAX_MII)) { + for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++); +- lp->phy[k].addr = i; +- lp->phy[k].id = id; +- lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ +- lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ +- lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ +- lp->mii_cnt++; +- lp->active++; +- printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); +- j = de4x5_debug; +- de4x5_debug |= DEBUG_MII; +- de4x5_dbg_mii(dev, k); +- de4x5_debug = j; +- printk("\n"); ++ if (k < DE4X5_MAX_PHY) { ++ lp->phy[k].addr = i; ++ lp->phy[k].id = id; ++ lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ ++ lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ ++ lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ ++ lp->mii_cnt++; ++ lp->active++; ++ printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); ++ j = de4x5_debug; ++ de4x5_debug |= DEBUG_MII; ++ de4x5_dbg_mii(dev, k); ++ de4x5_debug = j; ++ printk("\n"); ++ } else { ++ goto purgatory; ++ } + } + } + purgatory: +-- +2.33.0 + diff --git a/queue-5.4/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch b/queue-5.4/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch new file mode 100644 index 00000000000..4bb60a4aaa4 --- /dev/null +++ b/queue-5.4/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch @@ -0,0 +1,101 @@ +From 5abf431f2021d4610d5bba7647f357f7dbafcb2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 23:12:47 -0800 +Subject: perf hist: Fix memory leak of a perf_hpp_fmt + +From: Ian Rogers + +[ Upstream commit 0ca1f534a776cc7d42f2c33da4732b74ec2790cd ] + +perf_hpp__column_unregister() removes an entry from a list but doesn't +free the memory causing a memory leak spotted by leak sanitizer. + +Add the free while at the same time reducing the scope of the function +to static. + +Signed-off-by: Ian Rogers +Reviewed-by: Kajol Jain +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20211118071247.2140392-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/hist.c | 28 ++++++++++++++-------------- + tools/perf/util/hist.h | 1 - + 2 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c +index f736755000616..9ae316445f04b 100644 +--- a/tools/perf/ui/hist.c ++++ b/tools/perf/ui/hist.c +@@ -472,6 +472,18 @@ struct perf_hpp_list perf_hpp_list = { + #undef __HPP_SORT_ACC_FN + #undef __HPP_SORT_RAW_FN + ++static void fmt_free(struct perf_hpp_fmt *fmt) ++{ ++ /* ++ * At this point fmt should be completely ++ * unhooked, if not it's a bug. ++ */ ++ BUG_ON(!list_empty(&fmt->list)); ++ BUG_ON(!list_empty(&fmt->sort_list)); ++ ++ if (fmt->free) ++ fmt->free(fmt); ++} + + void perf_hpp__init(void) + { +@@ -535,9 +547,10 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, + list_add(&format->sort_list, &list->sorts); + } + +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format) ++static void perf_hpp__column_unregister(struct perf_hpp_fmt *format) + { + list_del_init(&format->list); ++ fmt_free(format); + } + + void perf_hpp__cancel_cumulate(void) +@@ -609,19 +622,6 @@ void perf_hpp__append_sort_keys(struct perf_hpp_list *list) + } + + +-static void fmt_free(struct perf_hpp_fmt *fmt) +-{ +- /* +- * At this point fmt should be completely +- * unhooked, if not it's a bug. +- */ +- BUG_ON(!list_empty(&fmt->list)); +- BUG_ON(!list_empty(&fmt->sort_list)); +- +- if (fmt->free) +- fmt->free(fmt); +-} +- + void perf_hpp__reset_output_field(struct perf_hpp_list *list) + { + struct perf_hpp_fmt *fmt, *tmp; +diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h +index 4792731307947..ecce30f086de7 100644 +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -361,7 +361,6 @@ enum { + }; + + void perf_hpp__init(void); +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format); + void perf_hpp__cancel_cumulate(void); + void perf_hpp__setup_output_field(struct perf_hpp_list *list); + void perf_hpp__reset_output_field(struct perf_hpp_list *list); +-- +2.33.0 + diff --git a/queue-5.4/perf-report-fix-memory-leaks-around-perf_tip.patch b/queue-5.4/perf-report-fix-memory-leaks-around-perf_tip.patch new file mode 100644 index 00000000000..a05e22ef843 --- /dev/null +++ b/queue-5.4/perf-report-fix-memory-leaks-around-perf_tip.patch @@ -0,0 +1,127 @@ +From b98bc1cc2e0046f56d0bb7a608b67befb438f2be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 23:38:04 -0800 +Subject: perf report: Fix memory leaks around perf_tip() + +From: Ian Rogers + +[ Upstream commit d9fc706108c15f8bc2d4ccccf8e50f74830fabd9 ] + +perf_tip() may allocate memory or use a literal, this means memory +wasn't freed if allocated. Change the API so that literals aren't used. + +At the same time add missing frees for system_path. These issues were +spotted using leak sanitizer. + +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20211118073804.2149974-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 15 +++++++++------ + tools/perf/util/util.c | 14 +++++++------- + tools/perf/util/util.h | 2 +- + 3 files changed, 17 insertions(+), 14 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index d3c0b04e2e22b..dc228bdf2bbc2 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -569,14 +569,17 @@ static int report__browse_hists(struct report *rep) + int ret; + struct perf_session *session = rep->session; + struct evlist *evlist = session->evlist; +- const char *help = perf_tip(system_path(TIPDIR)); ++ char *help = NULL, *path = NULL; + +- if (help == NULL) { ++ path = system_path(TIPDIR); ++ if (perf_tip(&help, path) || help == NULL) { + /* fallback for people who don't install perf ;-) */ +- help = perf_tip(DOCDIR); +- if (help == NULL) +- help = "Cannot load tips.txt file, please install perf!"; ++ free(path); ++ path = system_path(DOCDIR); ++ if (perf_tip(&help, path) || help == NULL) ++ help = strdup("Cannot load tips.txt file, please install perf!"); + } ++ free(path); + + switch (use_browser) { + case 1: +@@ -598,7 +601,7 @@ static int report__browse_hists(struct report *rep) + ret = perf_evlist__tty_browse_hists(evlist, rep, help); + break; + } +- ++ free(help); + return ret; + } + +diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c +index ae56c766eda16..b3c1ae288b478 100644 +--- a/tools/perf/util/util.c ++++ b/tools/perf/util/util.c +@@ -343,32 +343,32 @@ fetch_kernel_version(unsigned int *puint, char *str, + return 0; + } + +-const char *perf_tip(const char *dirpath) ++int perf_tip(char **strp, const char *dirpath) + { + struct strlist *tips; + struct str_node *node; +- char *tip = NULL; + struct strlist_config conf = { + .dirname = dirpath, + .file_only = true, + }; ++ int ret = 0; + ++ *strp = NULL; + tips = strlist__new("tips.txt", &conf); + if (tips == NULL) +- return errno == ENOENT ? NULL : +- "Tip: check path of tips.txt or get more memory! ;-p"; ++ return -errno; + + if (strlist__nr_entries(tips) == 0) + goto out; + + node = strlist__entry(tips, random() % strlist__nr_entries(tips)); +- if (asprintf(&tip, "Tip: %s", node->s) < 0) +- tip = (char *)"Tip: get more memory! ;-)"; ++ if (asprintf(strp, "Tip: %s", node->s) < 0) ++ ret = -ENOMEM; + + out: + strlist__delete(tips); + +- return tip; ++ return ret; + } + + char *perf_exe(char *buf, int len) +diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h +index 9969b8b46f7c3..e4a7e1cafc70a 100644 +--- a/tools/perf/util/util.h ++++ b/tools/perf/util/util.h +@@ -37,7 +37,7 @@ int fetch_kernel_version(unsigned int *puint, + #define KVER_FMT "%d.%d.%d" + #define KVER_PARAM(x) KVER_VERSION(x), KVER_PATCHLEVEL(x), KVER_SUBLEVEL(x) + +-const char *perf_tip(const char *dirpath); ++int perf_tip(char **strp, const char *dirpath); + + #ifndef HAVE_SCHED_GETCPU_SUPPORT + int sched_getcpu(void); +-- +2.33.0 + diff --git a/queue-5.4/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch b/queue-5.4/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch new file mode 100644 index 00000000000..13c6e16dd7f --- /dev/null +++ b/queue-5.4/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch @@ -0,0 +1,70 @@ +From 0663ce17d461e624112aac241b64d040036c8b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 14:06:48 +0800 +Subject: platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 + deep + +From: Slark Xiao + +[ Upstream commit 39f53292181081d35174a581a98441de5da22bc9 ] + +When WWAN device wake from S3 deep, under thinkpad platform, +WWAN would be disabled. This disable status could be checked +by command 'nmcli r wwan' or 'rfkill list'. + +Issue analysis as below: + When host resume from S3 deep, thinkpad_acpi driver would +call hotkey_resume() function. Finnaly, it will use +wan_get_status to check the current status of WWAN device. +During this resume progress, wan_get_status would always +return off even WWAN boot up completely. + In patch V2, Hans said 'sw_state should be unchanged +after a suspend/resume. It's better to drop the +tpacpi_rfk_update_swstate call all together from the +resume path'. + And it's confimed by Lenovo that GWAN is no longer + available from WHL generation because the design does not + match with current pin control. + +Signed-off-by: Slark Xiao +Link: https://lore.kernel.org/r/20211108060648.8212-1-slark_xiao@163.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 3028d9f1ac59c..5d114088c88fb 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -1188,15 +1188,6 @@ static int tpacpi_rfk_update_swstate(const struct tpacpi_rfk *tp_rfk) + return status; + } + +-/* Query FW and update rfkill sw state for all rfkill switches */ +-static void tpacpi_rfk_update_swstate_all(void) +-{ +- unsigned int i; +- +- for (i = 0; i < TPACPI_RFK_SW_MAX; i++) +- tpacpi_rfk_update_swstate(tpacpi_rfkill_switches[i]); +-} +- + /* + * Sync the HW-blocking state of all rfkill switches, + * do notice it causes the rfkill core to schedule uevents +@@ -3135,9 +3126,6 @@ static void tpacpi_send_radiosw_update(void) + if (wlsw == TPACPI_RFK_RADIO_OFF) + tpacpi_rfk_update_hwblock_state(true); + +- /* Sync sw blocking state */ +- tpacpi_rfk_update_swstate_all(); +- + /* Sync hw blocking state last if it is hw-unblocked */ + if (wlsw == TPACPI_RFK_RADIO_ON) + tpacpi_rfk_update_hwblock_state(false); +-- +2.33.0 + diff --git a/queue-5.4/s390-setup-avoid-using-memblock_enforce_memory_limit.patch b/queue-5.4/s390-setup-avoid-using-memblock_enforce_memory_limit.patch new file mode 100644 index 00000000000..94f3b1f6864 --- /dev/null +++ b/queue-5.4/s390-setup-avoid-using-memblock_enforce_memory_limit.patch @@ -0,0 +1,56 @@ +From a3612540501968af7247a19411aea1de3056ea4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 13:38:17 +0200 +Subject: s390/setup: avoid using memblock_enforce_memory_limit + +From: Vasily Gorbik + +[ Upstream commit 5dbc4cb4667457b0c53bcd7bff11500b3c362975 ] + +There is a difference in how architectures treat "mem=" option. For some +that is an amount of online memory, for s390 and x86 this is the limiting +max address. Some memblock api like memblock_enforce_memory_limit() +take limit argument and explicitly treat it as the size of online memory, +and use __find_max_addr to convert it to an actual max address. Current +s390 usage: + +memblock_enforce_memory_limit(memblock_end_of_DRAM()); + +yields different results depending on presence of memory holes (offline +memory blocks in between online memory). If there are no memory holes +limit == max_addr in memblock_enforce_memory_limit() and it does trim +online memory and reserved memory regions. With memory holes present it +actually does nothing. + +Since we already use memblock_remove() explicitly to trim online memory +regions to potential limit (think mem=, kdump, addressing limits, etc.) +drop the usage of memblock_enforce_memory_limit() altogether. Trimming +reserved regions should not be required, since we now use +memblock_set_current_limit() to limit allocations and any explicit memory +reservations above the limit is an actual problem we should not hide. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/setup.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index f661f176966f5..9a0316a067a11 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -841,9 +841,6 @@ static void __init setup_memory(void) + storage_key_init_range(reg->base, reg->base + reg->size); + } + psw_set_key(PAGE_DEFAULT_KEY); +- +- /* Only cosmetics */ +- memblock_enforce_memory_limit(memblock_end_of_DRAM()); + } + + /* +-- +2.33.0 + diff --git a/queue-5.4/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch b/queue-5.4/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch new file mode 100644 index 00000000000..59ebe858cd8 --- /dev/null +++ b/queue-5.4/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch @@ -0,0 +1,53 @@ +From 42e2f614d394b7340f9d323f312520bb2a809910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 17:10:47 -0500 +Subject: scsi: iscsi: Unblock session then wake up error handler + +From: Mike Christie + +[ Upstream commit a0c2f8b6709a9a4af175497ca65f93804f57b248 ] + +We can race where iscsi_session_recovery_timedout() has woken up the error +handler thread and it's now setting the devices to offline, and +session_recovery_timedout()'s call to scsi_target_unblock() is also trying +to set the device's state to transport-offline. We can then get a mix of +states. + +For the case where we can't relogin we want the devices to be in +transport-offline so when we have repaired the connection +__iscsi_unblock_session() can set the state back to running. + +Set the device state then call into libiscsi to wake up the error handler. + +Link: https://lore.kernel.org/r/20211105221048.6541-2-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 6f21cb75d95fd..f6cce0befa7de 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -1894,12 +1894,12 @@ static void session_recovery_timedout(struct work_struct *work) + } + spin_unlock_irqrestore(&session->lock, flags); + +- if (session->transport->session_recovery_timedout) +- session->transport->session_recovery_timedout(session); +- + ISCSI_DBG_TRANS_SESSION(session, "Unblocking SCSI target\n"); + scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE); + ISCSI_DBG_TRANS_SESSION(session, "Completed unblocking SCSI target\n"); ++ ++ if (session->transport->session_recovery_timedout) ++ session->transport->session_recovery_timedout(session); + } + + static void __iscsi_unblock_session(struct work_struct *work) +-- +2.33.0 + diff --git a/queue-5.4/series b/queue-5.4/series index bd00494f6d2..4cd3394e4e3 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -2,3 +2,21 @@ nfsv42-fix-pagecache-invalidation-after-copy-clone.patch of-clk-make-linux-of_clk.h-self-contained.patch arm64-dts-mcbin-support-2w-sfp-modules.patch can-j1939-j1939_tp_cmd_recv-check-the-dst-address-of-tp.cm_bam.patch +gfs2-fix-length-of-holes-reported-at-end-of-file.patch +drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch +mac80211-do-not-access-the-iv-when-it-was-stripped.patch +net-smc-transfer-remaining-wait-queue-entries-during.patch +atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch +net-return-correct-error-code.patch +platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch +s390-setup-avoid-using-memblock_enforce_memory_limit.patch +btrfs-check-integrity-fix-a-warning-on-write-caching.patch +thermal-core-reset-previous-low-and-high-trip-during.patch +scsi-iscsi-unblock-session-then-wake-up-error-handle.patch +ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch +ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch +net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch +net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch +perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch +perf-report-fix-memory-leaks-around-perf_tip.patch +net-smc-avoid-warning-of-possible-recursive-locking.patch diff --git a/queue-5.4/thermal-core-reset-previous-low-and-high-trip-during.patch b/queue-5.4/thermal-core-reset-previous-low-and-high-trip-during.patch new file mode 100644 index 00000000000..2dab041234e --- /dev/null +++ b/queue-5.4/thermal-core-reset-previous-low-and-high-trip-during.patch @@ -0,0 +1,50 @@ +From 52fdeb4011f9a52a10f80564424154d398900118 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 01:30:40 +0530 +Subject: thermal: core: Reset previous low and high trip during thermal zone + init + +From: Manaf Meethalavalappu Pallikunhi + +[ Upstream commit 99b63316c39988039965693f5f43d8b4ccb1c86c ] + +During the suspend is in process, thermal_zone_device_update bails out +thermal zone re-evaluation for any sensor trip violation without +setting next valid trip to that sensor. It assumes during resume +it will re-evaluate same thermal zone and update trip. But when it is +in suspend temperature goes down and on resume path while updating +thermal zone if temperature is less than previously violated trip, +thermal zone set trip function evaluates the same previous high and +previous low trip as new high and low trip. Since there is no change +in high/low trip, it bails out from thermal zone set trip API without +setting any trip. It leads to a case where sensor high trip or low +trip is disabled forever even though thermal zone has a valid high +or low trip. + +During thermal zone device init, reset thermal zone previous high +and low trip. It resolves above mentioned scenario. + +Signed-off-by: Manaf Meethalavalappu Pallikunhi +Reviewed-by: Thara Gopinath +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 20eab56b02cb9..f4490b8120176 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -460,6 +460,8 @@ static void thermal_zone_device_init(struct thermal_zone_device *tz) + { + struct thermal_instance *pos; + tz->temperature = THERMAL_TEMP_INVALID; ++ tz->prev_low_trip = -INT_MAX; ++ tz->prev_high_trip = INT_MAX; + list_for_each_entry(pos, &tz->thermal_instances, tz_node) + pos->initialized = false; + } +-- +2.33.0 +