From: Sasha Levin Date: Sat, 26 Jun 2021 01:30:25 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.12.14~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6121e5eedc4cbaf2efac99b8c384f989440f9d4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch b/queue-5.10/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
new file mode 100644
index 00000000000..da976f6389b
--- /dev/null
+++ b/queue-5.10/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
@@ -0,0 +1,62 @@
+From 1703cd83e473ed07d1e24e3b61149b73b7ec1547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Apr 2021 14:39:41 +0800
+Subject: cfg80211: call cfg80211_leave_ocb when switching away from OCB
+
+From: Du Cheng
+
+[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ]
+
+If the userland switches back-and-forth between NL80211_IFTYPE_OCB and
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a
+chance where the cleanup cfg80211_leave_ocb() is not called. This leads
+to initialization of in-use memory (e.g. init u.ibss while in-use by
+u.ocb) due to a shared struct/union within ieee80211_sub_if_data:
+
+struct ieee80211_sub_if_data {
+ ...
+ union {
+ struct ieee80211_if_ap ap;
+ struct ieee80211_if_vlan vlan;
+ struct ieee80211_if_managed mgd;
+ struct ieee80211_if_ibss ibss; // <- shares address
+ struct ieee80211_if_mesh mesh;
+ struct ieee80211_if_ocb ocb; // <- shares address
+ struct ieee80211_if_mntr mntr;
+ struct ieee80211_if_nan nan;
+ } u;
+ ...
+}
+
+Therefore add handling of otype == NL80211_IFTYPE_OCB, during
+cfg80211_change_iface() to perform cleanup when leaving OCB mode.
+
+link to syzkaller bug:
+https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5
+
+Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng
+Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 2731267fd0f9..4fb8d1b14e76 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1059,6 +1059,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
+ case NL80211_IFTYPE_MESH_POINT:
+ /* mesh should be handled? */
+ break;
++ case NL80211_IFTYPE_OCB:
++ cfg80211_leave_ocb(rdev, dev);
++ break;
+ default:
+ break;
+ }
+--
+2.30.2
+
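Review bot: The `NL80211_IFTYPE_MESH_POINT` case directly above the new `NL80211_IFTYPE_OCB` case still only carries `/* mesh should be handled? */` and breaks, although the commit message lists `mesh` in the same union `u` as `ibss` and `ocb`. If a type change away from mesh can reach this switch with mesh state still live, it would be open to the same re-initialisation of in-use memory that this patch closes for OCB; that is inferred from the union layout, not shown in the hunk. Either add the matching leave call or replace the open question with a comment that states why no cleanup is needed here. The switch in cfg80211_change_iface() begins and ends outside the hunk.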
diff --git a/queue-5.10/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch b/queue-5.10/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
new file mode 100644
index 00000000000..6b26032e115
--- /dev/null
+++ b/queue-5.10/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
@@ -0,0 +1,80 @@
+From 2004c37bbd835ecfb712aa9f77187b1cc9f1e42d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 21:26:41 +0200
+Subject: dmaengine: mediatek: do not issue a new desc if one is still current
+
+From: Guillaume Ranquet
+
+[ Upstream commit 2537b40b0a4f61d2c83900744fe89b09076be9c6 ]
+
+Avoid issuing a new desc if one is still being processed as this can
+lead to some desc never being marked as completed.
+
+Signed-off-by: Guillaume Ranquet
+
+Link: https://lore.kernel.org/r/20210513192642.29446-3-granquet@baylibre.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index e38b67fc0c0c..a09ab2dd3b46 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -204,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c)
+
+ static void mtk_uart_apdma_tx_handler(struct mtk_chan *c)
+ {
+- struct mtk_uart_apdma_desc *d = c->desc;
+-
+ mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B);
+ mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B);
+ mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B);
+-
+- list_del(&d->vd.node);
+- vchan_cookie_complete(&d->vd);
+ }
+
+ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
+@@ -242,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
+
+ c->rx_status = d->avail_len - cnt;
+ mtk_uart_apdma_write(c, VFF_RPT, wg);
++}
+
+- list_del(&d->vd.node);
+- vchan_cookie_complete(&d->vd);
++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c)
++{
++ struct mtk_uart_apdma_desc *d = c->desc;
++
++ if (d) {
++ list_del(&d->vd.node);
++ vchan_cookie_complete(&d->vd);
++ c->desc = NULL;
++ }
+ }
+
+ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
+@@ -258,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
+ mtk_uart_apdma_rx_handler(c);
+ else if (c->dir == DMA_MEM_TO_DEV)
+ mtk_uart_apdma_tx_handler(c);
++ mtk_uart_apdma_chan_complete_handler(c);
+ spin_unlock_irqrestore(&c->vc.lock, flags);
+
+ return IRQ_HANDLED;
+@@ -363,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan)
+ unsigned long flags;
+
+ spin_lock_irqsave(&c->vc.lock, flags);
+- if (vchan_issue_pending(&c->vc)) {
++ if (vchan_issue_pending(&c->vc) && !c->desc) {
+ vd = vchan_next_desc(&c->vc);
+ c->desc = to_mtk_uart_apdma_desc(&vd->tx);
+
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch b/queue-5.10/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
new file mode 100644
index 00000000000..f84e790bda7
--- /dev/null
+++ b/queue-5.10/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
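Review bot: `mtk_uart_apdma_rx_handler()` still reads `d->avail_len` in the context line `c->rx_status = d->avail_len - cnt;` with no visible NULL check, while the new `mtk_uart_apdma_chan_complete_handler()` sets `c->desc = NULL` and itself guards with `if (d)`. Assuming `d` in the rx handler is loaded from `c->desc`, as it was in the tx handler before this change, an interrupt that arrives after a completion and before the next issue_pending would dereference NULL in interrupt context. A guard near the top of the rx handler, `if (!d) return;`, would match the check the new helper already makes. The opening lines of the rx handler are outside the hunk, so confirm no earlier return already covers this.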
@@ -0,0 +1,95 @@
+From b55ed5da90fe1f9ec9bf7582377d0baeff411851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 21:26:40 +0200
+Subject: dmaengine: mediatek: free the proper desc in desc_free handler
+
+From: Guillaume Ranquet
+
+[ Upstream commit 0a2ff58f9f8f95526ecb0ccd7517fefceb96f661 ]
+
+The desc_free handler assumed that the desc we want to free was always
+ the current one associated with the channel.
+
+This is seldom the case and this is causing use after free crashes in
+ multiple places (tx/rx/terminate...).
+
+ BUG: KASAN: use-after-free in mtk_uart_apdma_rx_handler+0x120/0x304
+
+ Call trace:
+ dump_backtrace+0x0/0x1b0
+ show_stack+0x24/0x34
+ dump_stack+0xe0/0x150
+ print_address_description+0x8c/0x55c
+ __kasan_report+0x1b8/0x218
+ kasan_report+0x14/0x20
+ __asan_load4+0x98/0x9c
+ mtk_uart_apdma_rx_handler+0x120/0x304
+ mtk_uart_apdma_irq_handler+0x50/0x80
+ __handle_irq_event_percpu+0xe0/0x210
+ handle_irq_event+0x8c/0x184
+ handle_fasteoi_irq+0x1d8/0x3ac
+ __handle_domain_irq+0xb0/0x110
+ gic_handle_irq+0x50/0xb8
+ el0_irq_naked+0x60/0x6c
+
+ Allocated by task 3541:
+ __kasan_kmalloc+0xf0/0x1b0
+ kasan_kmalloc+0x10/0x1c
+ kmem_cache_alloc_trace+0x90/0x2dc
+ mtk_uart_apdma_prep_slave_sg+0x6c/0x1a0
+ mtk8250_dma_rx_complete+0x220/0x2e4
+ vchan_complete+0x290/0x340
+ tasklet_action_common+0x220/0x298
+ tasklet_action+0x28/0x34
+ __do_softirq+0x158/0x35c
+
+ Freed by task 3541:
+ __kasan_slab_free+0x154/0x224
+ kasan_slab_free+0x14/0x24
+ slab_free_freelist_hook+0xf8/0x15c
+ kfree+0xb4/0x278
+ mtk_uart_apdma_desc_free+0x34/0x44
+ vchan_complete+0x1bc/0x340
+ tasklet_action_common+0x220/0x298
+ tasklet_action+0x28/0x34
+ __do_softirq+0x158/0x35c
+
+ The buggy address belongs to the object at ffff000063606800
+ which belongs to the cache kmalloc-256 of size 256
+ The buggy address is located 176 bytes inside of
+ 256-byte region [ffff000063606800, ffff000063606900)
+ The buggy address belongs to the page:
+ page:fffffe00016d8180 refcount:1 mapcount:0 mapping:ffff00000302f600 index:0x0 compound_mapcount: 0
+ flags: 0xffff00000010200(slab|head)
+ raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00000302f600
+ raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+Signed-off-by: Guillaume Ranquet
+
+Link: https://lore.kernel.org/r/20210513192642.29446-2-granquet@baylibre.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index 27c07350971d..e38b67fc0c0c 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg)
+
+ static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd)
+ {
+- struct dma_chan *chan = vd->tx.chan;
+- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan);
+-
+- kfree(c->desc);
++ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));
+ }
+
+ static void mtk_uart_apdma_start_tx(struct mtk_chan *c)
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch b/queue-5.10/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch
new file mode 100644
index 00000000000..8441e0d7406
--- /dev/null
+++ b/queue-5.10/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch
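Review bot: Nothing in this hunk clears `c->desc` when the descriptor released by `kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));` is the channel's current one, so the stale pointer stays reachable. The KASAN report in the description shows `mtk_uart_apdma_rx_handler` reading a descriptor already released through `vchan_complete` and `mtk_uart_apdma_desc_free`, and this change alone does not remove that path. The companion patch in this queue ("do not issue a new desc if one is still current") sets `c->desc = NULL` on completion, so the two should be carried together. A comment on mtk_uart_apdma_desc_free() such as `/* c->desc must already have been cleared by the completion path */` would record the dependency.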
@@ -0,0 +1,39 @@
+From b011b1a015fab314238522af71be6179ab08da80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 21:26:42 +0200
+Subject: dmaengine: mediatek: use GFP_NOWAIT instead of GFP_ATOMIC in prep_dma
+
+From: Guillaume Ranquet
+
+[ Upstream commit 9041575348b21ade1fb74d790f1aac85d68198c7 ]
+
+As recommended by the doc in:
+Documentation/drivers-api/dmaengine/provider.rst
+
+Use GFP_NOWAIT to not deplete the emergency pool.
+
+Signed-off-by: Guillaume Ranquet
+
+Link: https://lore.kernel.org/r/20210513192642.29446-4-granquet@baylibre.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index a09ab2dd3b46..375e7e647df6 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -349,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg
+ return NULL;
+
+ /* Now allocate and setup the descriptor */
+- d = kzalloc(sizeof(*d), GFP_ATOMIC);
++ d = kzalloc(sizeof(*d), GFP_NOWAIT);
+ if (!d)
+ return NULL;
+
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch b/queue-5.10/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch
new file mode 100644
index 00000000000..408861196e3
--- /dev/null
+++ b/queue-5.10/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch
@@ -0,0 +1,41 @@
+From 04618d971ffbfdb933b4565712b74ef15f058375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 May 2021 14:36:03 +0800
+Subject: dmaengine: rcar-dmac: Fix PM reference leak in rcar_dmac_probe()
+
+From: Zou Wei
+
+[ Upstream commit dea8464ddf553803382efb753b6727dbf3931d06 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot
+Signed-off-by: Zou Wei
+Reviewed-by: Laurent Pinchart
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/1622442963-54095-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index a57705356e8b..991a7b5da29f 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1874,7 +1874,7 @@ static int rcar_dmac_probe(struct platform_device *pdev)
+
+ /* Enable runtime PM and initialize the device. */
+ pm_runtime_enable(&pdev->dev);
+- ret = pm_runtime_get_sync(&pdev->dev);
++ ret = pm_runtime_resume_and_get(&pdev->dev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret);
+ return ret;
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch b/queue-5.10/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch
new file mode 100644
index 00000000000..14d5c000959
--- /dev/null
+++ b/queue-5.10/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch
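Review bot: The failure branch after `pm_runtime_resume_and_get()` returns straight out of rcar_dmac_probe() while runtime PM is still enabled by the `pm_runtime_enable(&pdev->dev);` two lines earlier. The usage counter is balanced now, but the enable is not undone on this path unless that happens somewhere outside the hunk; adding `pm_runtime_disable(&pdev->dev);` before `return ret;` would cover it. The log text `"runtime PM get sync failed (%d)\n"` also still names the call that was replaced. The rest of the probe function is outside the hunk.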
@@ -0,0 +1,49 @@
+From 9e7b7043c05ab524a60208ac9f933dd69282e578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 May 2021 16:18:24 +0800
+Subject: dmaengine: stm32-mdma: fix PM reference leak in
+ stm32_mdma_alloc_chan_resourc()
+
+From: Yu Kuai
+
+[ Upstream commit 83eb4868d325b86e18509d0874e911497667cb54 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot
+Signed-off-by: Yu Kuai
+Link: https://lore.kernel.org/r/20210517081826.1564698-2-yukuai3@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/stm32-mdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
+index 08cfbfab837b..9d473923712a 100644
+--- a/drivers/dma/stm32-mdma.c
++++ b/drivers/dma/stm32-mdma.c
+@@ -1448,7 +1448,7 @@ static int stm32_mdma_alloc_chan_resources(struct dma_chan *c)
+ return -ENOMEM;
+ }
+
+- ret = pm_runtime_get_sync(dmadev->ddev.dev);
++ ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
+ if (ret < 0)
+ return ret;
+
+@@ -1714,7 +1714,7 @@ static int stm32_mdma_pm_suspend(struct device *dev)
+ u32 ccr, id;
+ int ret;
+
+- ret = pm_runtime_get_sync(dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0)
+ return ret;
+
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch b/queue-5.10/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch
new file mode 100644
index 00000000000..f53c774945f
--- /dev/null
+++ b/queue-5.10/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch
@@ -0,0 +1,39 @@
+From d1c81dcd4b8996361a496a9a54be0b3e00c5ec1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 May 2021 18:24:17 +0300
+Subject: dmaengine: xilinx: dpdma: Add missing dependencies to Kconfig
+
+From: Laurent Pinchart
+
+[ Upstream commit 32828b82fb875b06511918b139d3a3cd93d34262 ]
+
+The driver depends on both OF and IOMEM support, express those
+dependencies in Kconfig. This fixes a build failure on S390 reported by
+the 0day bot.
+
+Reported-by: kernel test robot
+Signed-off-by: Laurent Pinchart
+Tested-by: Jianqiang Chen
+Reviewed-by: Jianqiang Chen
+Link: https://lore.kernel.org/r/20210520152420.23986-2-laurent.pinchart@ideasonboard.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig
+index f2db761ee548..f28bb2334e74 100644
+--- a/drivers/dma/Kconfig
++++ b/drivers/dma/Kconfig
+@@ -693,6 +693,7 @@ config XILINX_ZYNQMP_DMA
+
+ config XILINX_ZYNQMP_DPDMA
+ tristate "Xilinx DPDMA Engine"
++ depends on HAS_IOMEM && OF
+ select DMA_ENGINE
+ select DMA_VIRTUAL_CHANNELS
+ help
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch b/queue-5.10/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch
new file mode 100644
index 00000000000..eb1e3bce1b5
--- /dev/null
+++ b/queue-5.10/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch
@@ -0,0 +1,60 @@
+From 0e4125bab4e4369c99fc695a17b0153994713de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 May 2021 18:24:20 +0300
+Subject: dmaengine: xilinx: dpdma: Limit descriptor IDs to 16 bits
+
+From: Laurent Pinchart
+
+[ Upstream commit 9f007e7b6643799e2a6538a5fe04f51c371c6657 ]
+
+While the descriptor ID is stored in a 32-bit field in the hardware
+descriptor, only 16 bits are used by the hardware and are reported
+through the XILINX_DPDMA_CH_DESC_ID register. Failure to handle the
+wrap-around results in a descriptor ID mismatch after 65536 frames. Fix
+it.
+
+Signed-off-by: Laurent Pinchart
+Tested-by: Jianqiang Chen
+Reviewed-by: Jianqiang Chen
+Link: https://lore.kernel.org/r/20210520152420.23986-5-laurent.pinchart@ideasonboard.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dpdma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c
+index ff7dfb3fdeb4..6c709803203a 100644
+--- a/drivers/dma/xilinx/xilinx_dpdma.c
++++ b/drivers/dma/xilinx/xilinx_dpdma.c
+@@ -113,6 +113,7 @@
+ #define XILINX_DPDMA_CH_VDO 0x020
+ #define XILINX_DPDMA_CH_PYLD_SZ 0x024
+ #define XILINX_DPDMA_CH_DESC_ID 0x028
++#define XILINX_DPDMA_CH_DESC_ID_MASK GENMASK(15, 0)
+
+ /* DPDMA descriptor fields */
+ #define XILINX_DPDMA_DESC_CONTROL_PREEMBLE 0xa5
+@@ -866,7 +867,8 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
+ * will be used, but it should be enough.
+ */
+ list_for_each_entry(sw_desc, &desc->descriptors, node)
+- sw_desc->hw.desc_id = desc->vdesc.tx.cookie;
++ sw_desc->hw.desc_id = desc->vdesc.tx.cookie
++ & XILINX_DPDMA_CH_DESC_ID_MASK;
+
+ sw_desc = list_first_entry(&desc->descriptors,
+ struct xilinx_dpdma_sw_desc, node);
+@@ -1086,7 +1088,8 @@ static void xilinx_dpdma_chan_vsync_irq(struct xilinx_dpdma_chan *chan)
+ if (!chan->running || !pending)
+ goto out;
+
+- desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID);
++ desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID)
++ & XILINX_DPDMA_CH_DESC_ID_MASK;
+
+ /* If the retrigger raced with vsync, retry at the next frame. */
+ sw_desc = list_first_entry(&pending->descriptors,
+--
+2.30.2
+
diff --git a/queue-5.10/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch b/queue-5.10/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch
new file mode 100644
index 00000000000..d3f6534789e
--- /dev/null
+++ b/queue-5.10/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch
@@ -0,0 +1,40 @@
+From 7a5da771bec4807af67297e999b743e6e7478a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 May 2021 16:18:26 +0800
+Subject: dmaengine: zynqmp_dma: Fix PM reference leak in
+ zynqmp_dma_alloc_chan_resourc()
+
+From: Yu Kuai
+
+[ Upstream commit 8982d48af36d2562c0f904736b0fc80efc9f2532 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot
+Signed-off-by: Yu Kuai
+Link: https://lore.kernel.org/r/20210517081826.1564698-4-yukuai3@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/zynqmp_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
+index d8419565b92c..5fecf5aa6e85 100644
+--- a/drivers/dma/xilinx/zynqmp_dma.c
++++ b/drivers/dma/xilinx/zynqmp_dma.c
+@@ -468,7 +468,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan)
+ struct zynqmp_dma_desc_sw *desc;
+ int i, ret;
+
+- ret = pm_runtime_get_sync(chan->dev);
++ ret = pm_runtime_resume_and_get(chan->dev);
+ if (ret < 0)
+ return ret;
+
+--
+2.30.2
+
diff --git a/queue-5.10/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch b/queue-5.10/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
new file mode 100644
index 00000000000..bcc0af5b91f
--- /dev/null
+++ b/queue-5.10/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
@@ -0,0 +1,53 @@
+From 3c0f22484c670f144383d4e9fe4851fa35f6e6bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 May 2021 11:10:59 +0200
+Subject: drm/vc4: hdmi: Make sure the controller is powered in detect
+
+From: Maxime Ripard
+
+[ Upstream commit 9984d6664ce9dcbbc713962539eaf7636ea246c2 ]
+
+If the HPD GPIO is not available and drm_probe_ddc fails, we end up
+reading the HDMI_HOTPLUG register, but the controller might be powered
+off resulting in a CPU hang. Make sure we have the power domain and the
+HSM clock powered during the detect cycle to prevent the hang from
+happening.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard
+Reviewed-by: Dave Stevenson
+Link: https://patchwork.freedesktop.org/patch/msgid/20210525091059.234116-4-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 5978e99a0e85..88a8cb840cd5 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -146,6 +146,8 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+ struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+ bool connected = false;
+
++ WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++
+ if (vc4_hdmi->hpd_gpio) {
+ if (gpio_get_value_cansleep(vc4_hdmi->hpd_gpio) ^
+ vc4_hdmi->hpd_active_low)
+@@ -167,10 +169,12 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+ }
+ }
+
++ pm_runtime_put(&vc4_hdmi->pdev->dev);
+ return connector_status_connected;
+ }
+
+ cec_phys_addr_invalidate(vc4_hdmi->cec_adap);
++ pm_runtime_put(&vc4_hdmi->pdev->dev);
+ return connector_status_disconnected;
+ }
+
+--
+2.30.2
+
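Review bot: `WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));` only logs a failed resume and then carries on with detection. On failure `pm_runtime_resume_and_get()` has already dropped its reference, so the two `pm_runtime_put()` calls added before the returns would decrement a count this function does not hold, and the path may still reach the HDMI_HOTPLUG read that the description says hangs the CPU when the controller is unpowered. Returning early is safer: `if (pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev) < 0) return connector_status_unknown;` (which status to report is a judgement call). The middle of vc4_hdmi_connector_detect() lies between the two inner hunks and is not shown.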
diff --git a/queue-5.10/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch b/queue-5.10/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
new file mode 100644
index 00000000000..71aeb7d4677
--- /dev/null
+++ b/queue-5.10/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
@@ -0,0 +1,120 @@
+From f006b47c06f019e6ed4065a31ff1b93f0109ecac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 May 2021 11:10:58 +0200
+Subject: drm/vc4: hdmi: Move the HSM clock enable to runtime_pm
+
+From: Maxime Ripard
+
+[ Upstream commit 411efa18e4b03840553ff58ad9b4621b82a30c04 ]
+
+In order to access the HDMI controller, we need to make sure the HSM
+clock is enabled. If we were to access it with the clock disabled, the
+CPU would completely hang, resulting in an hard crash.
+
+Since we have different code path that would require it, let's move that
+clock enable / disable to runtime_pm that will take care of the
+reference counting for us.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard
+Reviewed-by: Dave Stevenson
+Link: https://patchwork.freedesktop.org/patch/msgid/20210525091059.234116-3-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 40 +++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index af5f01eff872..5978e99a0e85 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -415,7 +415,6 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder)
+ HDMI_READ(HDMI_VID_CTL) & ~VC4_HD_VID_CTL_ENABLE);
+
+ clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock);
+- clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+
+ ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
+@@ -666,13 +665,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
+ return;
+ }
+
+- ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
+- if (ret) {
+- DRM_ERROR("Failed to turn on HSM clock: %d\n", ret);
+- clk_disable_unprepare(vc4_hdmi->pixel_clock);
+- return;
+- }
+-
+ vc4_hdmi_cec_update_clk_div(vc4_hdmi);
+
+ /*
+@@ -683,7 +675,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
+ (hsm_rate > VC4_HSM_MID_CLOCK ? 150000000 : 75000000));
+ if (ret) {
+ DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
+- clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+ return;
+ }
+@@ -691,7 +682,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
+ ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+ if (ret) {
+ DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
+- clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+ return;
+ }
+@@ -1724,6 +1714,29 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi)
+ return 0;
+ }
+
++#ifdef CONFIG_PM
++static int vc4_hdmi_runtime_suspend(struct device *dev)
++{
++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++
++ clk_disable_unprepare(vc4_hdmi->hsm_clock);
++
++ return 0;
++}
++
++static int vc4_hdmi_runtime_resume(struct device *dev)
++{
++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++ int ret;
++
++ ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
++ if (ret)
++ return ret;
++
++ return 0;
++}
++#endif
++
+ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+ {
+ const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev);
+@@ -1959,11 +1972,18 @@ static const struct of_device_id vc4_hdmi_dt_match[] = {
+ {}
+ };
+
++static const struct dev_pm_ops vc4_hdmi_pm_ops = {
++ SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend,
++ vc4_hdmi_runtime_resume,
++ NULL)
++};
++
+ struct platform_driver vc4_hdmi_driver = {
+ .probe = vc4_hdmi_dev_probe,
+ .remove = vc4_hdmi_dev_remove,
+ .driver = {
+ .name = "vc4_hdmi",
+ .of_match_table = vc4_hdmi_dt_match,
++ .pm = &vc4_hdmi_pm_ops,
+ },
+ };
+--
+2.30.2
+
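Review bot: A kernel built without CONFIG_PM has no remaining place in this hunk that turns the HSM clock on, because `vc4_hdmi_runtime_suspend()` and `vc4_hdmi_runtime_resume()` are compiled only under `#ifdef CONFIG_PM` and the explicit `clk_prepare_enable(vc4_hdmi->hsm_clock)` in vc4_hdmi_encoder_pre_crtc_configure() is removed. Since the description says register access with that clock off hangs the CPU, the driver should either require PM in Kconfig or keep a non-PM fallback; whether Kconfig already guarantees this is not visible here. Separately, `vc4_hdmi_runtime_resume()` can be reduced to `return clk_prepare_enable(vc4_hdmi->hsm_clock);`.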
diff --git a/queue-5.10/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch b/queue-5.10/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch
new file mode 100644
index 00000000000..fec72bae6bc
--- /dev/null
+++ b/queue-5.10/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch
@@ -0,0 +1,88 @@
+From b2015fb71e237f6a205b0bef408107330ab2a159 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 00:59:45 -0700
+Subject: inet: annotate data race in inet_send_prepare() and
+ inet_dgram_connect()
+
+From: Eric Dumazet
+
+[ Upstream commit dcd01eeac14486b56a790f5cce9b823440ba5b34 ]
+
+Both functions are known to be racy when reading inet_num
+as we do not want to grab locks for the common case the socket
+has been bound already. The race is resolved in inet_autobind()
+by reading again inet_num under the socket lock.
+
+syzbot reported:
+BUG: KCSAN: data-race in inet_send_prepare / udp_lib_get_port
+
+write to 0xffff88812cba150e of 2 bytes by task 24135 on cpu 0:
+ udp_lib_get_port+0x4b2/0xe20 net/ipv4/udp.c:308
+ udp_v6_get_port+0x5e/0x70 net/ipv6/udp.c:89
+ inet_autobind net/ipv4/af_inet.c:183 [inline]
+ inet_send_prepare+0xd0/0x210 net/ipv4/af_inet.c:807
+ inet6_sendmsg+0x29/0x80 net/ipv6/af_inet6.c:639
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88812cba150e of 2 bytes by task 24132 on cpu 1:
+ inet_send_prepare+0x21/0x210 net/ipv4/af_inet.c:806
+ inet6_sendmsg+0x29/0x80 net/ipv6/af_inet6.c:639
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000 -> 0x9db4
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24132 Comm: syz-executor.2 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/af_inet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index b7260c8cef2e..8267349afe23 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -572,7 +572,7 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
+ return err;
+ }
+
+- if (!inet_sk(sk)->inet_num && inet_autobind(sk))
++ if (data_race(!inet_sk(sk)->inet_num) && inet_autobind(sk))
+ return -EAGAIN;
+ return sk->sk_prot->connect(sk, uaddr, addr_len);
+ }
+@@ -799,7 +799,7 @@ int inet_send_prepare(struct sock *sk)
+ sock_rps_record_flow(sk);
+
+ /* We may need to bind the socket. */
+- if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind &&
++ if (data_race(!inet_sk(sk)->inet_num) && !sk->sk_prot->no_autobind &&
+ inet_autobind(sk))
+ return -EAGAIN;
+
+--
+2.30.2
+
diff --git a/queue-5.10/inet-annotate-date-races-around-sk-sk_txhash.patch b/queue-5.10/inet-annotate-date-races-around-sk-sk_txhash.patch
new file mode 100644
index 00000000000..9e037860a54
--- /dev/null
+++ b/queue-5.10/inet-annotate-date-races-around-sk-sk_txhash.patch
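Review bot: The two `data_race(!inet_sk(sk)->inet_num)` reads in inet_dgram_connect() and inet_send_prepare() carry no in-code explanation of why the race is tolerated; the reasoning exists only in the commit message. A short comment above each, for example `/* Lockless read: inet_autobind() re-reads inet_num under the socket lock. */`, would keep a later reader from removing the annotation or from assuming the value is stable at this point. Both functions begin outside their hunks.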
@@ -0,0 +1,97 @@
+From d955519a2f04086f3e677f8a2e8539ab4114126f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jun 2021 07:44:11 -0700
+Subject: inet: annotate date races around sk->sk_txhash
+
+From: Eric Dumazet
+
+[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]
+
+UDP sendmsg() path can be lockless, it is possible for another
+thread to re-connect an change sk->sk_txhash under us.
+
+There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
+pair to document the race.
+
+BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w
+
+write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
+ sk_set_txhash include/net/sock.h:1937 [inline]
+ __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
+ __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
+ ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
+ inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
+ __sys_connect_file net/socket.c:1837 [inline]
+ __sys_connect+0x245/0x280 net/socket.c:1854
+ __do_sys_connect net/socket.c:1864 [inline]
+ __se_sys_connect net/socket.c:1861 [inline]
+ __x64_sys_connect+0x3d/0x50 net/socket.c:1861
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
+ skb_set_hash_from_sk include/net/sock.h:2211 [inline]
+ skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
+ sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
+ sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
+ __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
+ ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
+ udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
+ inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xbca3c43d -> 0xfdb309e0
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 9199ab7ab2da..3c7addf95150 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1900,7 +1900,8 @@ static inline u32 net_tx_rndhash(void)
+
+ static inline void sk_set_txhash(struct sock *sk)
+ {
+- sk->sk_txhash = net_tx_rndhash();
++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
+ }
+
+ static inline bool sk_rethink_txhash(struct sock *sk)
+@@ -2172,9 +2173,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock,
+
+ static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
+ {
+- if (sk->sk_txhash) {
++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */
++ u32 txhash = READ_ONCE(sk->sk_txhash);
++
++ if (txhash) {
+ skb->l4_hash = 1;
+- skb->hash = sk->sk_txhash;
++ skb->hash = txhash;
+ }
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.10/kvm-selftests-fix-kvm_check_cap-assertion.patch b/queue-5.10/kvm-selftests-fix-kvm_check_cap-assertion.patch
new file mode 100644
index 00000000000..caeef1ba0e7
--- /dev/null
+++ b/queue-5.10/kvm-selftests-fix-kvm_check_cap-assertion.patch
@@ -0,0 +1,36 @@
+From 66faf0b6451d1fa3b066f9952d07e1679623b72a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Jun 2021 16:04:43 +0100
+Subject: KVM: selftests: Fix kvm_check_cap() assertion
+
+From: Fuad Tabba
+
+[ Upstream commit d8ac05ea13d789d5491a5920d70a05659015441d ]
+
+KVM_CHECK_EXTENSION ioctl can return any negative value on error,
+and not necessarily -1. Change the assertion to reflect that.
+
+Signed-off-by: Fuad Tabba
+Message-Id: <20210615150443.1183365-1-tabba@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/kvm/lib/kvm_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
+index 126c6727a6b0..49805fd16fdf 100644
+--- a/tools/testing/selftests/kvm/lib/kvm_util.c
++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
+@@ -55,7 +55,7 @@ int kvm_check_cap(long cap)
+ exit(KSFT_SKIP);
+
+ ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap);
+- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n"
++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n"
+ " rc: %i errno: %i", ret, errno);
+
+ close(kvm_fd);
+-- 
+2.30.2
+
diff --git a/queue-5.10/locking-lockdep-improve-noinstr-vs-errors.patch b/queue-5.10/locking-lockdep-improve-noinstr-vs-errors.patch
new file mode 100644
index 00000000000..48b0a11ec9b
--- /dev/null
+++ b/queue-5.10/locking-lockdep-improve-noinstr-vs-errors.patch
@@ -0,0 +1,89 @@
+From c6d016543e4a0ab1c4f61ab2debb59c7f80d092f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Jun 2021 13:12:38 +0200
+Subject: locking/lockdep: Improve noinstr vs errors
+
+From: Peter Zijlstra
+
+[ Upstream commit 49faa77759b211fff344898edc23bb780707fff5 ]
+
+Better handle the failure paths.
+
+ vmlinux.o: warning: objtool: debug_locks_off()+0x23: call to console_verbose() leaves .noinstr.text section
+ vmlinux.o: warning: objtool: debug_locks_off()+0x19: call to __kasan_check_write() leaves .noinstr.text section
+
+ debug_locks_off+0x19/0x40:
+ instrument_atomic_write at include/linux/instrumented.h:86
+ (inlined by) __debug_locks_off at include/linux/debug_locks.h:17
+ (inlined by) debug_locks_off at lib/debug_locks.c:41
+
+Fixes: 6eebad1ad303 ("lockdep: __always_inline more for noinstr")
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20210621120120.784404944@infradead.org
+Signed-off-by: Sasha Levin
+---
+ include/linux/debug_locks.h | 2 ++
+ kernel/locking/lockdep.c | 4 +++-
+ lib/debug_locks.c | 2 +-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/debug_locks.h b/include/linux/debug_locks.h
+index 2915f56ad421..edb5c186b0b7 100644
+--- a/include/linux/debug_locks.h
++++ b/include/linux/debug_locks.h
+@@ -27,8 +27,10 @@ extern int debug_locks_off(void);
+ int __ret = 0; \
+ \
+ if (!oops_in_progress && unlikely(c)) { \
++ instrumentation_begin(); \
+ if (debug_locks_off() && !debug_locks_silent) \
+ WARN(1, "DEBUG_LOCKS_WARN_ON(%s)", #c); \
++ instrumentation_end(); \
+ __ret = 1; \
+ } \
+ __ret; \
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 858b96b438ce..cdca007551e7 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -842,7 +842,7 @@ static int count_matching_names(struct lock_class *new_class)
+ }
+
+ /* used from NMI context -- must be lockless */
+-static __always_inline struct lock_class *
++static noinstr struct lock_class *
+ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+ {
+ struct lockdep_subclass_key *key;
+@@ -850,12 +850,14 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+ struct lock_class *class;
+
+ if (unlikely(subclass >= MAX_LOCKDEP_SUBCLASSES)) {
++ instrumentation_begin();
+ debug_locks_off();
+ printk(KERN_ERR
+ "BUG: looking up invalid subclass: %u\n", subclass);
+ printk(KERN_ERR
+ "turning off the locking correctness validator.\n");
+ dump_stack();
++ instrumentation_end();
+ return NULL;
+ }
+
+diff --git a/lib/debug_locks.c b/lib/debug_locks.c
+index 06d3135bd184..a75ee30b77cb 100644
+--- a/lib/debug_locks.c
++++ b/lib/debug_locks.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent);
+ /*
+ * Generic 'turn off all lock debugging' function:
+ */
+-noinstr int debug_locks_off(void)
++int debug_locks_off(void)
+ {
+ if (debug_locks && __debug_locks_off()) {
+ if (!debug_locks_silent) {
+-- 
+2.30.2
+
diff --git a/queue-5.10/mac80211-drop-multicast-fragments.patch b/queue-5.10/mac80211-drop-multicast-fragments.patch
new file mode 100644
index 00000000000..bd7ae8be277
--- /dev/null
+++ b/queue-5.10/mac80211-drop-multicast-fragments.patch
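Review bot: In the lockdep patch, nothing at the definition of `look_up_lock_class()` explains why its error branch is now bracketed by `instrumentation_begin()`/`instrumentation_end()`; the only comment is still `/* used from NMI context -- must be lockless */`. A line inside the `subclass >= MAX_LOCKDEP_SUBCLASSES` branch such as `/* failure path: instrumented calls are tolerated here, the validator is being turned off */` would record the intent, and the same goes for the pair added to the macro in debug_locks.h. Because `debug_locks_off()` loses `noinstr`, every noinstr caller now needs such a bracket; callers outside these hunks are not visible, so that deserves a search before the patch is relied on.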
@@ -0,0 +1,54 @@
+From 95e970d730e3a0c9a541d6a69bd7e0dd0f6ee589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 16:13:06 +0200
+Subject: mac80211: drop multicast fragments
+
+From: Johannes Berg
+
+[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ]
+
+These are not permitted by the spec, just drop them.
+
+Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/rx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index ef8ff0bc66f1..38b5695c2a0c 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2250,17 +2250,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ sc = le16_to_cpu(hdr->seq_ctrl);
+ frag = sc & IEEE80211_SCTL_FRAG;
+
+- if (is_multicast_ether_addr(hdr->addr1)) {
+- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
+- goto out_no_led;
+- }
+-
+ if (rx->sta)
+ cache = &rx->sta->frags;
+
+ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+ goto out;
+
++ if (is_multicast_ether_addr(hdr->addr1))
++ return RX_DROP_MONITOR;
++
+ I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+
+ if (skb_linearize(rx->skb))
+@@ -2386,7 +2384,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+
+ out:
+ ieee80211_led_rx(rx->local);
+- out_no_led:
+ if (rx->sta)
+ rx->sta->rx_stats.packets++;
+ return RX_CONTINUE;
+-- 
+2.30.2
+
diff --git a/queue-5.10/mac80211-handle-various-extensible-elements-correctl.patch b/queue-5.10/mac80211-handle-various-extensible-elements-correctl.patch
new file mode 100644
index 00000000000..261026855bc
--- /dev/null
+++ b/queue-5.10/mac80211-handle-various-extensible-elements-correctl.patch
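Review bot: With the old multicast branch removed from `ieee80211_rx_h_defragment()`, `dot11MulticastReceivedFrameCount` is no longer incremented anywhere in the visible code: unfragmented multicast frames now leave through `goto out` and fragmented ones through the new `return RX_DROP_MONITOR`. Unless that counter is maintained elsewhere (not visible here), the statistic silently stops counting, and unfragmented multicast frames now also reach `ieee80211_led_rx()`, which the removed `out_no_led` label used to skip. The drop itself carries neither a counter nor a comment; a line such as `/* multicast frames must never be fragmented, drop them */` above the new check would make the hardening intent obvious. The function body extends beyond both inner hunks.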
@@ -0,0 +1,128 @@
+From c828fb595e96f2213ca0b75d6c85bbf7007191a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 13:41:45 +0300
+Subject: mac80211: handle various extensible elements correctly
+
+From: Johannes Berg
+
+[ Upstream commit 652e8363bbc7d149fa194a5cbf30b1001c0274b0 ]
+
+Various elements are parsed with a requirement to have an
+exact size, when really we should only check that they have
+the minimum size that we need. Check only that and therefore
+ignore any additional data that they might carry.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20210618133832.cd101f8040a4.Iadf0e9b37b100c6c6e79c7b298cc657c2be9151a@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/util.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index d8f9fb0646a4..fbf56a203c0e 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -954,7 +954,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+
+ switch (elem->data[0]) {
+ case WLAN_EID_EXT_HE_MU_EDCA:
+- if (len == sizeof(*elems->mu_edca_param_set)) {
++ if (len >= sizeof(*elems->mu_edca_param_set)) {
+ elems->mu_edca_param_set = data;
+ if (crc)
+ *crc = crc32_be(*crc, (void *)elem,
+@@ -975,7 +975,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+ }
+ break;
+ case WLAN_EID_EXT_UORA:
+- if (len == 1)
++ if (len >= 1)
+ elems->uora_element = data;
+ break;
+ case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
+@@ -983,7 +983,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+ elems->max_channel_switch_time = data;
+ break;
+ case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
+- if (len == sizeof(*elems->mbssid_config_ie))
++ if (len >= sizeof(*elems->mbssid_config_ie))
+ elems->mbssid_config_ie = data;
+ break;
+ case WLAN_EID_EXT_HE_SPR:
+@@ -992,7 +992,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+ elems->he_spr = data;
+ break;
+ case WLAN_EID_EXT_HE_6GHZ_CAPA:
+- if (len == sizeof(*elems->he_6ghz_capa))
++ if (len >= sizeof(*elems->he_6ghz_capa))
+ elems->he_6ghz_capa = data;
+ break;
+ }
+@@ -1081,14 +1081,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+
+ switch (id) {
+ case WLAN_EID_LINK_ID:
+- if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
++ if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
+ elem_parse_failed = true;
+ break;
+ }
+ elems->lnk_id = (void *)(pos - 2);
+ break;
+ case WLAN_EID_CHAN_SWITCH_TIMING:
+- if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
++ if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
+ elem_parse_failed = true;
+ break;
+ }
+@@ -1251,7 +1251,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+ elems->sec_chan_offs = (void *)pos;
+ break;
+ case WLAN_EID_CHAN_SWITCH_PARAM:
+- if (elen !=
++ if (elen <
+ sizeof(*elems->mesh_chansw_params_ie)) {
+ elem_parse_failed = true;
+ break;
+@@ -1260,7 +1260,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+ break;
+ case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
+ if (!action ||
+- elen != sizeof(*elems->wide_bw_chansw_ie)) {
++ elen < sizeof(*elems->wide_bw_chansw_ie)) {
+ elem_parse_failed = true;
+ break;
+ }
+@@ -1279,7 +1279,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+ ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
+ pos, elen);
+ if (ie) {
+- if (ie[1] == sizeof(*elems->wide_bw_chansw_ie))
++ if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie))
+ elems->wide_bw_chansw_ie =
+ (void *)(ie + 2);
+ else
+@@ -1323,7 +1323,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+ elems->cisco_dtpc_elem = pos;
+ break;
+ case WLAN_EID_ADDBA_EXT:
+- if (elen != sizeof(struct ieee80211_addba_ext_ie)) {
++ if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
+ elem_parse_failed = true;
+ break;
+ }
+@@ -1349,7 +1349,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+ elem, elems);
+ break;
+ case WLAN_EID_S1G_CAPABILITIES:
+- if (elen == sizeof(*elems->s1g_capab))
++ if (elen >= sizeof(*elems->s1g_capab))
+ elems->s1g_capab = (void *)pos;
+ else
+ elem_parse_failed = true;
+-- 
+2.30.2
+
diff --git a/queue-5.10/mac80211-remove-warning-in-ieee80211_get_sband.patch b/queue-5.10/mac80211-remove-warning-in-ieee80211_get_sband.patch
new file mode 100644
index 00000000000..92201064420
--- /dev/null
+++ b/queue-5.10/mac80211-remove-warning-in-ieee80211_get_sband.patch
@@ -0,0 +1,39 @@
+From c8c4a60d09afc420edc9b32b444d345edc95ea48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 May 2021 16:47:17 +0200
+Subject: mac80211: remove warning in ieee80211_get_sband()
+
+From: Johannes Berg
+
+[ Upstream commit 0ee4d55534f82a0624701d0bb9fc2304d4529086 ]
+
+Syzbot reports that it's possible to hit this from userspace,
+by trying to add a station before any other connection setup
+has been done. Instead of trying to catch this in some other
+way simply remove the warning, that will appropriately reject
+the call from userspace.
+
+Reported-by: syzbot+7716dbc401d9a437890d@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210517164715.f537da276d17.Id05f40ec8761d6a8cc2df87f1aa09c651988a586@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index be40f6b16199..a83f0c2fcdf7 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1445,7 +1445,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+ rcu_read_lock();
+ chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+- if (WARN_ON_ONCE(!chanctx_conf)) {
++ if (!chanctx_conf) {
+ rcu_read_unlock();
+ return NULL;
+ }
+-- 
+2.30.2
+
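Review bot: Relaxing the exact-size checks to minimum-size checks in `ieee80211_parse_extension_element()` and `_ieee802_11_parse_elems_crc()` is only safe if every consumer of these pointers reads at most `sizeof(*ptr)` bytes and never takes a copy length from the element's own length field; those consumers are outside the hunks, so each element needs that confirmed. Handling of a too-short element also stays inconsistent: `WLAN_EID_EXT_UORA`, `WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION` and `WLAN_EID_EXT_HE_6GHZ_CAPA` ignore it silently, while `WLAN_EID_LINK_ID`, `WLAN_EID_CHAN_SWITCH_TIMING` and `WLAN_EID_ADDBA_EXT` set `elem_parse_failed`. A comment at the first relaxed check, for example `/* extensible element: require only the fields we read, ignore trailing bytes */`, would state the rule for future additions. Both functions continue outside the hunks.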
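Review bot: Once the `WARN_ON_ONCE()` is gone from `ieee80211_get_sband()`, a missing `chanctx_conf` yields NULL with no trace, so every caller has to check the result; the callers are not in the hunk and should be confirmed to do so, since the commit message says this path can be reached from userspace. A comment on the branch would also keep the warning from being re-added later: `/* reachable from userspace before connection setup, so no WARN here */`. The function starts and ends outside the hunk.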
diff --git a/queue-5.10/mac80211-reset-profile_periodicity-ema_ap.patch b/queue-5.10/mac80211-reset-profile_periodicity-ema_ap.patch
new file mode 100644
index 00000000000..9db84dbd30a
--- /dev/null
+++ b/queue-5.10/mac80211-reset-profile_periodicity-ema_ap.patch
@@ -0,0 +1,61 @@
+From 7994f02450eb54f84b70039eff2f6ab73ffcb4f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 13:41:49 +0300
+Subject: mac80211: reset profile_periodicity/ema_ap
+
+From: Johannes Berg
+
+[ Upstream commit bbc6f03ff26e7b71d6135a7b78ce40e7dee3d86a ]
+
+Apparently we never clear these values, so they'll remain set
+since the setting of them is conditional. Clear the values in
+the relevant other cases.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20210618133832.316e32d136a9.I2a12e51814258e1e1b526103894f4b9f19a91c8d@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 6d3220c66931..fbe26e912300 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4019,10 +4019,14 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
+ if (elems.mbssid_config_ie)
+ bss_conf->profile_periodicity =
+ elems.mbssid_config_ie->profile_periodicity;
++ else
++ bss_conf->profile_periodicity = 0;
+
+ if (elems.ext_capab_len >= 11 &&
+ (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
+ bss_conf->ema_ap = true;
++ else
++ bss_conf->ema_ap = false;
+
+ /* continue assoc process */
+ ifmgd->assoc_data->timeout = jiffies;
+@@ -5749,12 +5753,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+ beacon_ies->data, beacon_ies->len);
+ if (elem && elem->datalen >= 3)
+ sdata->vif.bss_conf.profile_periodicity = elem->data[2];
++ else
++ sdata->vif.bss_conf.profile_periodicity = 0;
+
+ elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
+ beacon_ies->data, beacon_ies->len);
+ if (elem && elem->datalen >= 11 &&
+ (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
+ sdata->vif.bss_conf.ema_ap = true;
++ else
++ sdata->vif.bss_conf.ema_ap = false;
+ } else {
+ assoc_data->timeout = jiffies;
+ assoc_data->timeout_started = true;
+-- 
+2.30.2
+
diff --git a/queue-5.10/mac80211_hwsim-drop-pending-frames-on-stop.patch b/queue-5.10/mac80211_hwsim-drop-pending-frames-on-stop.patch
new file mode 100644
index 00000000000..6b51a165e52
--- /dev/null
+++ b/queue-5.10/mac80211_hwsim-drop-pending-frames-on-stop.patch
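Review bot: The `ema_ap` updates in `ieee80211_rx_mgmt_beacon()` and `ieee80211_mgd_assoc()` now assign `true` and `false` in separate arms, which is the shape that let the stale value slip in originally; a single assignment cannot forget a branch, e.g. `bss_conf->ema_ap = elems.ext_capab_len >= 11 && (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT);`. The same form works for `sdata->vif.bss_conf.ema_ap` in the second hunk. Both functions extend beyond the hunks, so whether other conditionally set `bss_conf` fields carry the same stale-state problem cannot be judged from here.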
@@ -0,0 +1,47 @@
+From c4f21c2cbd335326e7ee3d54016d2c00c09a97f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 May 2021 17:04:31 +0200
+Subject: mac80211_hwsim: drop pending frames on stop
+
+From: Johannes Berg
+
+[ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ]
+
+Syzbot reports that we may be able to get into a situation where
+mac80211 has pending ACK frames on shutdown with hwsim. It appears
+that the reason for this is that syzbot uses the wmediumd hooks to
+intercept/injection frames, and may shut down hwsim, removing the
+radio(s), while frames are pending in the air simulation.
+
+Clean out the pending queue when the interface is stopped, after
+this the frames can't be reported back to mac80211 properly anyway.
+
+Reported-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 3b3fc7c9c91d..f147d4feedb9 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -1623,8 +1623,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw)
+ static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
+ {
+ struct mac80211_hwsim_data *data = hw->priv;
++
+ data->started = false;
+ hrtimer_cancel(&data->beacon_timer);
++
++ while (!skb_queue_empty(&data->pending))
++ ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
++
+ wiphy_dbg(hw->wiphy, "%s\n", __func__);
+ }
+
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-annotate-data-race-in-sock_error.patch b/queue-5.10/net-annotate-data-race-in-sock_error.patch
new file mode 100644
index 00000000000..a74d6ad538a
--- /dev/null
+++ b/queue-5.10/net-annotate-data-race-in-sock_error.patch
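Review bot: The drain loop in `mac80211_hwsim_stop()` tests `skb_queue_empty(&data->pending)` and then calls `skb_dequeue()` as a separate step, so if any other context can remove from `data->pending` in between, `ieee80211_free_txskb()` is handed NULL. Looping on the dequeue result closes that gap: `while ((skb = skb_dequeue(&data->pending))) ieee80211_free_txskb(hw, skb);` with a local `struct sk_buff *skb`. Whether something can still enqueue onto `data->pending` after `data->started = false` is not visible in the hunk; if it can, frames queued after this loop would stay pending, which is the condition the patch is meant to remove.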
@@ -0,0 +1,95 @@
+From 891025704e224258227fb606c9a8789f22606e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jun 2021 07:27:37 -0700
+Subject: net: annotate data race in sock_error()
+
+From: Eric Dumazet
+
+[ Upstream commit f13ef10059ccf5f4ed201cd050176df62ec25bb8 ]
+
+sock_error() is known to be racy. The code avoids
+an atomic operation is sk_err is zero, and this field
+could be changed under us, this is fine.
+
+Sysbot reported:
+
+BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock
+
+write to 0xffff888131855630 of 4 bytes by task 9365 on cpu 1:
+ unix_release_sock+0x2e9/0x6e0 net/unix/af_unix.c:550
+ unix_release+0x2f/0x50 net/unix/af_unix.c:859
+ __sock_release net/socket.c:599 [inline]
+ sock_close+0x6c/0x150 net/socket.c:1258
+ __fput+0x25b/0x4e0 fs/file_table.c:280
+ ____fput+0x11/0x20 fs/file_table.c:313
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888131855630 of 4 bytes by task 9385 on cpu 0:
+ sock_error include/net/sock.h:2269 [inline]
+ sock_alloc_send_pskb+0xe4/0x4e0 net/core/sock.c:2336
+ unix_dgram_sendmsg+0x478/0x1610 net/unix/af_unix.c:1671
+ unix_seqpacket_sendmsg+0xc2/0x100 net/unix/af_unix.c:2055
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ __sys_sendmsg_sock+0x25/0x30 net/socket.c:2416
+ io_sendmsg fs/io_uring.c:4367 [inline]
+ io_issue_sqe+0x231a/0x6750 fs/io_uring.c:6135
+ __io_queue_sqe+0xe9/0x360 fs/io_uring.c:6414
+ __io_req_task_submit fs/io_uring.c:2039 [inline]
+ io_async_task_func+0x312/0x590 fs/io_uring.c:5074
+ __tctx_task_work fs/io_uring.c:1910 [inline]
+ tctx_task_work+0x1d4/0x3d0 fs/io_uring.c:1924
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_signal include/linux/tracehook.h:212 [inline]
+ handle_signal_work kernel/entry/common.c:145 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0xf8/0x190 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000000 -> 0x00000068
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 9385 Comm: syz-executor.3 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index f68184b8c0aa..9199ab7ab2da 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2232,8 +2232,13 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk);
+ static inline int sock_error(struct sock *sk)
+ {
+ int err;
+- if (likely(!sk->sk_err))
++
++ /* Avoid an atomic operation for the common case.
++ * This is racy since another cpu/thread can change sk_err under us.
++ */
++ if (likely(data_race(!sk->sk_err)))
+ return 0;
++
+ err = xchg(&sk->sk_err, 0);
+ return -err;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-caif-fix-memory-leak-in-ldisc_open.patch b/queue-5.10/net-caif-fix-memory-leak-in-ldisc_open.patch
new file mode 100644
index 00000000000..a9ba6708678
--- /dev/null
+++ b/queue-5.10/net-caif-fix-memory-leak-in-ldisc_open.patch
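Review bot: The new comment in `sock_error()` says the check is racy but not why that is acceptable, and `data_race()` only tells KCSAN to stay quiet, so the reasoning belongs next to the code. Appending something like `* A stale non-zero only costs the xchg() below; a stale zero leaves sk_err set for a later call.` would cover it. The sk_txhash patch in this same queue uses `READ_ONCE()`/`WRITE_ONCE()` for a comparable lockless field, so one sentence on why `data_race()` was chosen here would help anyone comparing the two.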
@@ -0,0 +1,53 @@
+From 1c835198e825602b5f42474ba92949ffdc77bed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 17:51:22 +0300
+Subject: net: caif: fix memory leak in ldisc_open
+
+From: Pavel Skripkin
+
+[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ]
+
+Syzbot reported memory leak in tty_init_dev().
+The problem was in unputted tty in ldisc_open()
+
+static int ldisc_open(struct tty_struct *tty)
+{
+...
+ ser->tty = tty_kref_get(tty);
+...
+ result = register_netdevice(dev);
+ if (result) {
+ rtnl_unlock();
+ free_netdev(dev);
+ return -ENODEV;
+ }
+...
+}
+
+Ser pointer is netdev private_data, so after free_netdev()
+this pointer goes away with unputted tty reference. So, fix
+it by adding tty_kref_put() before freeing netdev.
+
+Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/caif/caif_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
+index d025ea434933..39fbd0be179c 100644
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -351,6 +351,7 @@ static int ldisc_open(struct tty_struct *tty)
+ rtnl_lock();
+ result = register_netdevice(dev);
+ if (result) {
++ tty_kref_put(tty);
+ rtnl_unlock();
+ free_netdev(dev);
+ return -ENODEV;
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch b/queue-5.10/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch
new file mode 100644
index 00000000000..4b843cf3e71
--- /dev/null
+++ b/queue-5.10/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch
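Review bot: The added `tty_kref_put(tty)` repairs only this one failure exit of `ldisc_open()`; the stretch between `ser->tty = tty_kref_get(tty)` and `register_netdevice()` is outside the hunk, so any other early return there would leak the same reference. Moving the cleanup to a single error label (drop the tty reference, `free_netdev(dev)`, return) would make the pairing structural instead of per-exit. The put also does not need `rtnl_lock`, so it could follow `rtnl_unlock()` to keep the locked region short.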
@@ -0,0 +1,72 @@
+From 765c4a2340fb1c1e740e6cdcf4c442c2fff8ac38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 03:34:25 +0100
+Subject: net: ethtool: clear heap allocations for ethtool function
+
+From: Austin Kim
+
+[ Upstream commit 80ec82e3d2c1fab42eeb730aaa7985494a963d3f ]
+
+Several ethtool functions leave heap uncleared (potentially) by
+drivers. This will leave the unused portion of heap unchanged and
+might copy the full contents back to userspace.
+
+Signed-off-by: Austin Kim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ethtool/ioctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
+index 2917af3f5ac1..68ff19af195c 100644
+--- a/net/ethtool/ioctl.c
++++ b/net/ethtool/ioctl.c
+@@ -1421,7 +1421,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr,
+ if (eeprom.offset + eeprom.len > total_len)
+ return -EINVAL;
+
+- data = kmalloc(PAGE_SIZE, GFP_USER);
++ data = kzalloc(PAGE_SIZE, GFP_USER);
+ if (!data)
+ return -ENOMEM;
+
+@@ -1486,7 +1486,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr)
+ if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
+ return -EINVAL;
+
+- data = kmalloc(PAGE_SIZE, GFP_USER);
++ data = kzalloc(PAGE_SIZE, GFP_USER);
+ if (!data)
+ return -ENOMEM;
+
+@@ -1765,7 +1765,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
+ return -EFAULT;
+
+ test.len = test_len;
+- data = kmalloc_array(test_len, sizeof(u64), GFP_USER);
++ data = kcalloc(test_len, sizeof(u64), GFP_USER);
+ if (!data)
+ return -ENOMEM;
+
+@@ -2281,7 +2281,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr)
+ ret = ethtool_tunable_valid(&tuna);
+ if (ret)
+ return ret;
+- data = kmalloc(tuna.len, GFP_USER);
++ data = kzalloc(tuna.len, GFP_USER);
+ if (!data)
+ return -ENOMEM;
+ ret = ops->get_tunable(dev, &tuna, data);
+@@ -2473,7 +2473,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr)
+ ret = ethtool_phy_tunable_valid(&tuna);
+ if (ret)
+ return ret;
+- data = kmalloc(tuna.len, GFP_USER);
++ data = kzalloc(tuna.len, GFP_USER);
+ if (!data)
+ return -ENOMEM;
+ if (phy_drv_tunable) {
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-ipv4-remove-unneed-bug-function.patch b/queue-5.10/net-ipv4-remove-unneed-bug-function.patch
new file mode 100644
index 00000000000..ab2eaab16fa
--- /dev/null
+++ b/queue-5.10/net-ipv4-remove-unneed-bug-function.patch
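Review bot: None of the five changed allocation sites in net/ethtool/ioctl.c says why the zeroing variant is required, so a later cleanup could switch back to `kmalloc()` and reopen the kernel-heap disclosure the commit message describes. A comment above `data = kzalloc(PAGE_SIZE, GFP_USER);` in `ethtool_get_any_eeprom()`, such as `/* zeroed: the driver may fill only part of this buffer before it is copied to userspace */`, and the equivalent at the other four sites, would pin the reason. In `ethtool_set_eeprom()` the buffer is presumably filled from userspace rather than by the driver, which would make that change defence in depth; the copy calls are outside the hunks, so this is an inference. All five functions extend beyond their hunks.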
@@ -0,0 +1,49 @@
+From 0e32e2a8d299e33f922bfb2fec9fc4b236dfb0f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Jun 2021 09:53:15 +0800
+Subject: net: ipv4: Remove unneed BUG() function
+
+From: Zheng Yongjun
+
+[ Upstream commit 5ac6b198d7e312bd10ebe7d58c64690dc59cc49a ]
+
+When 'nla_parse_nested_deprecated' failed, it's no need to
+BUG() here, return -EINVAL is ok.
+
+Signed-off-by: Zheng Yongjun
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/devinet.c | 2 +-
+ net/ipv6/addrconf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 123a6d39438f..7c1859777429 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla)
+ return -EAFNOSUPPORT;
+
+ if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0)
+- BUG();
++ return -EINVAL;
+
+ if (tb[IFLA_INET_CONF]) {
+ nla_for_each_nested(a, tb[IFLA_INET_CONF], rem)
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 4c881f5d9080..884d430e23cb 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5799,7 +5799,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
+ return -EAFNOSUPPORT;
+
+ if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0)
+- BUG();
++ return -EINVAL;
+
+ if (tb[IFLA_INET6_TOKEN]) {
+ err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN]));
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch b/queue-5.10/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch
new file mode 100644
index 00000000000..709e43bce8b
--- /dev/null
+++ b/queue-5.10/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch
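Review bot: Both `inet_set_link_af()` and `inet6_set_link_af()` now return a fixed `-EINVAL` when `nla_parse_nested_deprecated()` fails, which throws away the parser's own error code. Propagating it keeps the result accurate: `err = nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL);` followed by `if (err < 0) return err;`; `err` is already used a few lines further down in the IPv6 hunk, while a suitable local in the IPv4 function is not visible. Replacing `BUG()` on a netlink attribute parse failure is the right direction, and a short comment saying whether an earlier validation step is expected to have rejected malformed attributes would explain why the path was once treated as unreachable. Both functions extend beyond their hunks.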
@@ -0,0 +1,76 @@
+From 279cf9141d01cd7940f681a319fd8943b16b4f0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 12:52:28 +0200
+Subject: net: ll_temac: Add memory-barriers for TX BD access
+
+From: Esben Haabendal
+
+[ Upstream commit 28d9fab458b16bcd83f9dd07ede3d585c3e1a69e ]
+
+Add a couple of memory-barriers to ensure correct ordering of read/write
+access to TX BDs.
+
+In xmit_done, we should ensure that reading the additional BD fields are
+only done after STS_CTRL_APP0_CMPLT bit is set.
+
+When xmit_done marks the BD as free by setting APP0=0, we need to ensure
+that the other BD fields are reset first, so we avoid racing with the xmit
+path, which writes to the same fields.
+
+Finally, making sure to read APP0 of next BD after the current BD, ensures
+that we see all available buffers.
+
+Signed-off-by: Esben Haabendal
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 01bb36e7cff0..b105e1d35d15 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -774,12 +774,15 @@ static void temac_start_xmit_done(struct net_device *ndev)
+ stat = be32_to_cpu(cur_p->app0);
+
+ while (stat & STS_CTRL_APP0_CMPLT) {
++ /* Make sure that the other fields are read after bd is
++ * released by dma
++ */
++ rmb();
+ dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys),
+ be32_to_cpu(cur_p->len), DMA_TO_DEVICE);
+ skb = (struct sk_buff *)ptr_from_txbd(cur_p);
+ if (skb)
+ dev_consume_skb_irq(skb);
+- cur_p->app0 = 0;
+ cur_p->app1 = 0;
+ cur_p->app2 = 0;
+ cur_p->app3 = 0;
+@@ -788,6 +791,12 @@ static void temac_start_xmit_done(struct net_device *ndev)
+ ndev->stats.tx_packets++;
+ ndev->stats.tx_bytes += be32_to_cpu(cur_p->len);
+
++ /* app0 must be visible last, as it is used to flag
++ * availability of the bd
++ */
++ smp_mb();
++ cur_p->app0 = 0;
++
+ lp->tx_bd_ci++;
+ if (lp->tx_bd_ci >= lp->tx_bd_num)
+ lp->tx_bd_ci = 0;
+@@ -814,6 +823,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag)
+ if (cur_p->app0)
+ return NETDEV_TX_BUSY;
+
++ /* Make sure to read next bd app0 after this one */
++ rmb();
++
+ tail++;
+ if (tail >= lp->tx_bd_num)
+ tail = 0;
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch b/queue-5.10/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
new file mode 100644
index 00000000000..ef111061aa1
--- /dev/null
+++ b/queue-5.10/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
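Review bot: The barriers added in `temac_start_xmit_done()` and `temac_check_tx_bd_space()` mix flavours: `rmb()` is a mandatory barrier, while the `smp_mb()` placed before `cur_p->app0 = 0` reduces to a compiler barrier on a uniprocessor build and is a full barrier where only store ordering is asked for. If the writer is meant to pair with the `rmb()` in `temac_check_tx_bd_space()`, `smp_wmb()` before the store, or `smp_store_release(&cur_p->app0, 0)`, paired with `smp_rmb()` on the reader, states that directly. If the ordering is against the DMA engine, as the first comment (`released by dma`) suggests, `dma_rmb()` is the usual primitive. Each barrier comment should also name its partner. Both functions extend beyond the hunks, so the full access pattern on the descriptors is not visible here.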
@@ -0,0 +1,40 @@
+From 0f1bfcf48eeb88de3258e1d16312e7b18ae405b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 12:52:38 +0200
+Subject: net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
+
+From: Esben Haabendal
+
+[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]
+
+As documented in Documentation/networking/driver.rst, the ndo_start_xmit
+method must not return NETDEV_TX_BUSY under any normal circumstances, and
+as recommended, we simply stop the tx queue in advance, when there is a
+risk that the next xmit would cause a NETDEV_TX_BUSY return.
+
+Signed-off-by: Esben Haabendal
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index b105e1d35d15..6bd3a389d389 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -942,6 +942,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ wmb();
+ lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
+
++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
++ netif_stop_queue(ndev);
++ }
++
+ return NETDEV_TX_OK;
+ }
+
+-- 
+2.30.2
+
diff --git a/queue-5.10/net-packet-annotate-accesses-to-po-bind.patch b/queue-5.10/net-packet-annotate-accesses-to-po-bind.patch
new file mode 100644
index 00000000000..78026c671af
--- /dev/null
+++ b/queue-5.10/net-packet-annotate-accesses-to-po-bind.patch
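Review bot: `netdev_info()` sits in the transmit path of `temac_start_xmit()` and fires every time the descriptor ring fills, so sustained traffic turns a routine flow-control event into a steady stream of kernel log lines; `netdev_dbg(ndev, "%s -> netif_stop_queue\n", __func__);` or no message at all is the usual choice. Separately, if the completion handler frees descriptors between `temac_check_tx_bd_space()` and `netif_stop_queue()`, the queue ends up stopped with space available and depends on a later completion to restart it; the common pattern is to stop, issue a barrier, re-check, and call `netif_wake_queue()` if space has appeared. The wake-up side is outside the hunk, so whether that window is already covered cannot be confirmed from here.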
@@ -0,0 +1,135 @@ +From 1306687e44458a0de491e234faa049fd0f9dd6a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 06:42:01 -0700 +Subject: net/packet: annotate accesses to po->bind + +From: Eric Dumazet + +[ Upstream commit c7d2ef5dd4b03ed0ee1d13bc0c55f9cf62d49bd6 ] + +tpacket_snd(), packet_snd(), packet_getname() and packet_seq_show() +can read po->num without holding a lock. This means other threads +can change po->num at the same time. + +KCSAN complained about this known fact [1] +Add READ_ONCE()/WRITE_ONCE() to address the issue. + +[1] BUG: KCSAN: data-race in packet_do_bind / packet_sendmsg + +write to 0xffff888131a0dcc0 of 2 bytes by task 24714 on cpu 0: + packet_do_bind+0x3ab/0x7e0 net/packet/af_packet.c:3181 + packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255 + __sys_bind+0x200/0x290 net/socket.c:1637 + __do_sys_bind net/socket.c:1648 [inline] + __se_sys_bind net/socket.c:1646 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1646 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888131a0dcc0 of 2 bytes by task 24719 on cpu 1: + packet_snd net/packet/af_packet.c:2899 [inline] + packet_sendmsg+0x317/0x3570 net/packet/af_packet.c:3040 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x1ed/0x270 net/socket.c:2433 + __do_sys_sendmsg net/socket.c:2442 [inline] + __se_sys_sendmsg net/socket.c:2440 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2440 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000 -> 0x1200 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 24719 Comm: syz-executor.5 Not tainted 5.13.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: 
syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7892d7074847..c4eb26f0f1a7 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2682,7 +2682,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2895,7 +2895,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -3170,7 +3170,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + /* prevents packet_notifier() from calling + * register_prot_hook() + */ +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, true); + rcu_read_lock(); + dev_curr = po->prot_hook.dev; +@@ -3180,7 +3180,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + } + + BUG_ON(po->running); +- po->num = proto; ++ WRITE_ONCE(po->num, proto); + po->prot_hook.type = proto; + + if (unlikely(unlisted)) { +@@ -3525,7 +3525,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + + sll->sll_family = AF_PACKET; + sll->sll_ifindex = po->ifindex; +- sll->sll_protocol = po->num; ++ sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); +@@ -4413,7 +4413,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + was_running = po->running; + num = po->num; + if (was_running) { +- po->num = 0; ++ WRITE_ONCE(po->num, 
0); + __unregister_prot_hook(sk, false); + } + spin_unlock(&po->bind_lock); +@@ -4448,7 +4448,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + + spin_lock(&po->bind_lock); + if (was_running) { +- po->num = num; ++ WRITE_ONCE(po->num, num); + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +@@ -4616,7 +4616,7 @@ static int packet_seq_show(struct seq_file *seq, void *v) + s, + refcount_read(&s->sk_refcnt), + s->sk_type, +- ntohs(po->num), ++ ntohs(READ_ONCE(po->num)), + po->ifindex, + po->running, + atomic_read(&s->sk_rmem_alloc), +-- +2.30.2 + diff --git a/queue-5.10/net-packet-annotate-accesses-to-po-ifindex.patch b/queue-5.10/net-packet-annotate-accesses-to-po-ifindex.patch new file mode 100644 index 00000000000..cf764d44237 --- /dev/null +++ b/queue-5.10/net-packet-annotate-accesses-to-po-ifindex.patch 
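Review bot: The `READ_ONCE(po->num)` loads in `tpacket_snd()` and `packet_snd()` prevent load tearing and quiet KCSAN, but `dev` from `packet_cached_dev_get(po)` and `proto` are still two independent lockless reads. A concurrent bind can therefore pair a device from one binding with a protocol from another. If that is accepted behaviour it deserves a comment at both sites, for example `/* lockless snapshot; may race with packet_do_bind(), dev and proto need not match */`. The plain `num = po->num;` in `packet_set_ring()` appears to sit under `po->bind_lock`, and a short comment saying so would stop a later reader from annotating it needlessly. The same remarks apply to the `po->ifindex` annotations in the following patch; all of these functions extend beyond their hunks.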
@@ -0,0 +1,119 @@ +From 353ccd61180d410bace9101f77a9141f1d696f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 06:42:02 -0700 +Subject: net/packet: annotate accesses to po->ifindex + +From: Eric Dumazet + +[ Upstream commit e032f7c9c7cefffcfb79b9fc16c53011d2d9d11f ] + +Like prior patch, we need to annotate lockless accesses to po->ifindex +For instance, packet_getname() is reading po->ifindex (twice) while +another thread is able to change po->ifindex. + +KCSAN reported: + +BUG: KCSAN: data-race in packet_do_bind / packet_getname + +write to 0xffff888143ce3cbc of 4 bytes by task 25573 on cpu 1: + packet_do_bind+0x420/0x7e0 net/packet/af_packet.c:3191 + packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255 + __sys_bind+0x200/0x290 net/socket.c:1637 + __do_sys_bind net/socket.c:1648 [inline] + __se_sys_bind net/socket.c:1646 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1646 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888143ce3cbc of 4 bytes by task 25578 on cpu 0: + packet_getname+0x5b/0x1a0 net/packet/af_packet.c:3525 + __sys_getsockname+0x10e/0x1a0 net/socket.c:1887 + __do_sys_getsockname net/socket.c:1902 [inline] + __se_sys_getsockname net/socket.c:1899 [inline] + __x64_sys_getsockname+0x3e/0x50 net/socket.c:1899 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 25578 Comm: syz-executor.5 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index c4eb26f0f1a7..08144559eed5 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3186,11 +3186,11 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + if (unlikely(unlisted)) { + dev_put(dev); + po->prot_hook.dev = NULL; +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + packet_cached_dev_reset(po); + } else { + po->prot_hook.dev = dev; +- po->ifindex = dev ? dev->ifindex : 0; ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); + packet_cached_dev_assign(po, dev); + } + } +@@ -3504,7 +3504,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); +@@ -3519,16 +3519,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr); ++ int ifindex; + + if (peer) + return -EOPNOTSUPP; + ++ ifindex = READ_ONCE(po->ifindex); + sll->sll_family = AF_PACKET; +- sll->sll_ifindex = po->ifindex; ++ sll->sll_ifindex = ifindex; + sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +@@ -4107,7 +4109,7 @@ static int packet_notifier(struct notifier_block *this, + } + if (msg == NETDEV_UNREGISTER) { + 
packet_cached_dev_reset(po); +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); + po->prot_hook.dev = NULL; +@@ -4617,7 +4619,7 @@ static int packet_seq_show(struct seq_file *seq, void *v) + refcount_read(&s->sk_refcnt), + s->sk_type, + ntohs(READ_ONCE(po->num)), +- po->ifindex, ++ READ_ONCE(po->ifindex), + po->running, + atomic_read(&s->sk_rmem_alloc), + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), +-- +2.30.2 + diff --git a/queue-5.10/net-packet-annotate-data-race-in-packet_sendmsg.patch b/queue-5.10/net-packet-annotate-data-race-in-packet_sendmsg.patch new file mode 100644 index 00000000000..1e228ec6cf2 --- /dev/null +++ b/queue-5.10/net-packet-annotate-data-race-in-packet_sendmsg.patch 
@@ -0,0 +1,46 @@
+From 1f2dabdd38e604e8cf0beec02bb78ad07a4a4361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jun 2021 09:00:12 -0700
+Subject: net/packet: annotate data race in packet_sendmsg()
+
+From: Eric Dumazet
+
+[ Upstream commit d1b5bee4c8be01585033be9b3a8878789285285f ]
+
+There is a known race in packet_sendmsg(), addressed
+in commit 32d3182cd2cd ("net/packet: fix race in tpacket_snd()")
+
+Now we have data_race(), we can use it to avoid a future KCSAN warning,
+as syzbot loves stressing af_packet sockets :)
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index ddb68aa836f7..7892d7074847 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3033,10 +3033,13 @@ static int packet_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ struct sock *sk = sock->sk;
+ struct packet_sock *po = pkt_sk(sk);
+
+- if (po->tx_ring.pg_vec)
++ /* Reading tx_ring.pg_vec without holding pg_vec_lock is racy.
++ * tpacket_snd() will redo the check safely.
++ */
++ if (data_race(po->tx_ring.pg_vec))
+ return tpacket_snd(po, msg);
+- else
+- return packet_snd(sock, msg, len);
++
++ return packet_snd(sock, msg, len);
+ }
+
+ /*
+--
+2.30.2
+
diff --git a/queue-5.10/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch b/queue-5.10/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch
new file mode 100644
index 00000000000..c1af68b6c96
--- /dev/null
+++ b/queue-5.10/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch
@@ -0,0 +1,53 @@
+From 213c157f49861d37001e404ae3b4fb220fa532aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 19:43:42 -0500
+Subject: net: phy: dp83867: perform soft reset and retain established link
+
+From: Praneeth Bajjuri
+
+[ Upstream commit da9ef50f545f86ffe6ff786174d26500c4db737a ]
+
+Current logic is performing hard reset and causing the programmed
+registers to be wiped out.
+
+as per datasheet: https://www.ti.com/lit/ds/symlink/dp83867cr.pdf
+8.6.26 Control Register (CTRL)
+
+do SW_RESTART to perform a reset not including the registers,
+If performed when link is already present,
+it will drop the link and trigger re-auto negotiation.
+
+Signed-off-by: Praneeth Bajjuri
+Signed-off-by: Geet Modi
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/dp83867.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 69d3eacc2b96..c716074fdef0 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -792,16 +792,12 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+ {
+ int err;
+
+- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
+ if (err < 0)
+ return err;
+
+ usleep_range(10, 20);
+
+- /* After reset FORCE_LINK_GOOD bit is set. Although the
+- * default value should be unset. Disable FORCE_LINK_GOOD
+- * for the phy to work properly.
+- */
+ return phy_modify(phydev, MII_DP83867_PHYCTRL,
+ DP83867_PHYCR_FORCE_LINK_GOOD, 0);
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch b/queue-5.10/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
new file mode 100644
index 00000000000..9b1c5fe7710
--- /dev/null
+++ b/queue-5.10/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
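Review bot: The `phy_modify()` that clears `DP83867_PHYCR_FORCE_LINK_GOOD` in `dp83867_phy_reset()` is kept while the comment explaining it is deleted, so the remaining write has no stated reason now that the reset is `DP83867_SW_RESTART` and registers are retained. Either say why the bit is still cleared, for example `/* SW_RESTART keeps register contents; make sure FORCE_LINK_GOOD is not left set */`, or drop the write if it is no longer needed. The 10–20 µs `usleep_range()` predates this change, so it is worth confirming against the datasheet section cited in the commit message that the same settle time applies to a restart.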
@@ -0,0 +1,50 @@ +From 952ee88821858bf47c462f8764e2194308f73f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 10:09:53 -0700 +Subject: net: qed: Fix memcpy() overflow of qed_dcbx_params() + +From: Kees Cook + +[ Upstream commit 1c200f832e14420fa770193f9871f4ce2df00d07 ] + +The source (&dcbx_info->operational.params) and dest +(&p_hwfn->p_dcbx_info->set.config.params) are both struct qed_dcbx_params +(560 bytes), not struct qed_dcbx_admin_params (564 bytes), which is used +as the memcpy() size. + +However it seems that struct qed_dcbx_operational_params +(dcbx_info->operational)'s layout matches struct qed_dcbx_admin_params +(p_hwfn->p_dcbx_info->set.config)'s 4 byte difference (3 padding, 1 byte +for "valid"). + +On the assumption that the size is wrong (rather than the source structure +type), adjust the memcpy() size argument to be 4 bytes smaller and add +a BUILD_BUG_ON() to validate any changes to the structure sizes. + +Signed-off-by: Kees Cook +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +index 17d5b649eb36..e81dd34a3cac 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -1266,9 +1266,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn, + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC; + + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled; ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) != ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + memcpy(&p_hwfn->p_dcbx_info->set.config.params, + &dcbx_info->operational.params, +- sizeof(struct qed_dcbx_admin_params)); ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + p_hwfn->p_dcbx_info->set.config.valid = true; + + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set)); +-- +2.30.2 + diff --git a/queue-5.10/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch b/queue-5.10/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch new file mode 100644 index 00000000000..085ed296361 --- /dev/null +++ b/queue-5.10/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch 
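Review bot: The `memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));` two lines below the fix in `qed_dcbx_get_config_params()` still sizes the copy by a type name, which is the pattern that produced the 4-byte overrun corrected here. Sizing it from the object, `sizeof(p_hwfn->p_dcbx_info->set)`, keeps the length tied to the source in the same way as the new `sizeof(p_hwfn->p_dcbx_info->set.config.params)`. The declaration of `params` is outside the hunk, so whether the destination has the same type should be checked at the same time, ideally with a matching `BUILD_BUG_ON()`.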
@@ -0,0 +1,96 @@ +From 2ca96a1c80e796d81ab1445bf52d8d1856c87590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 17:48:23 -0400 +Subject: PCI: Add AMD RS690 quirk to enable 64-bit DMA + +From: Mikel Rychliski + +[ Upstream commit cacf994a91d3a55c0c2f853d6429cd7b86113915 ] + +Although the AMD RS690 chipset has 64-bit DMA support, BIOS implementations +sometimes fail to configure the memory limit registers correctly. + +The Acer F690GVM mainboard uses this chipset and a Marvell 88E8056 NIC. The +sky2 driver programs the NIC to use 64-bit DMA, which will not work: + + sky2 0000:02:00.0: error interrupt status=0x8 + sky2 0000:02:00.0 eth0: tx timeout + sky2 0000:02:00.0 eth0: transmit ring 0 .. 22 report=0 done=0 + +Other drivers required by this mainboard either don't support 64-bit DMA, +or have it disabled using driver specific quirks. For example, the ahci +driver has quirks to enable or disable 64-bit DMA depending on the BIOS +version (see ahci_sb600_enable_64bit() in ahci.c). This ahci quirk matches +against the SB600 SATA controller, but the real issue is almost certainly +with the RS690 PCI host that it was commonly attached to. + +To avoid this issue in all drivers with 64-bit DMA support, fix the +configuration of the PCI host. If the kernel is aware of physical memory +above 4GB, but the BIOS never configured the PCI host with this +information, update the registers with our values. 
+ +[bhelgaas: drop PCI_DEVICE_ID_ATI_RS690 definition] +Link: https://lore.kernel.org/r/20210611214823.4898-1-mikel@mikelr.com +Signed-off-by: Mikel Rychliski +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + arch/x86/pci/fixup.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index 0a0e168be1cb..9b0e771302ce 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar); + ++#define RS690_LOWER_TOP_OF_DRAM2 0x30 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31 ++#define RS690_HTIU_NB_INDEX 0xA8 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100 ++#define RS690_HTIU_NB_DATA 0xAC ++ ++/* ++ * Some BIOS implementations support RAM above 4GB, but do not configure the ++ * PCI host to respond to bus master accesses for these addresses. These ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA ++ * works as expected for addresses below 4GB. ++ * ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 
2-57) ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf ++ */ ++static void rs690_fix_64bit_dma(struct pci_dev *pdev) ++{ ++ u32 val = 0; ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1; ++ ++ if (top_of_dram <= (1ULL << 32)) ++ return; ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2); ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val); ++ ++ if (val) ++ return; ++ ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma); ++ + #endif +-- +2.30.2 + diff --git a/queue-5.10/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch b/queue-5.10/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch new file mode 100644 index 00000000000..72fb870acc1 --- /dev/null +++ b/queue-5.10/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch 
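Review bot: In `rs690_fix_64bit_dma()` the write `pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32);` shifts a `phys_addr_t` by 32, which is a shift by the full type width on any build where `phys_addr_t` is 32 bits. The later `top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID` also relies on silent truncation to `u32`. Using `upper_32_bits(top_of_dram)` and `lower_32_bits(top_of_dram) | RS690_LOWER_TOP_OF_DRAM2_VALID` states the intent and is safe for either width. The quirk is registered only with `DECLARE_PCI_FIXUP_FINAL`, while the neighbouring `pci_amd_enable_64bit_bar` entries in the context lines use `DECLARE_PCI_FIXUP_RESUME`, so it is worth confirming on hardware whether firmware resets these registers on resume. The index register is also left with `RS690_HTIU_NB_INDEX_WR_ENABLE` set after the last write.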
@@ -0,0 +1,50 @@
+From 15e5b630c762699b0185dc4f9b66b23e94149f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Jun 2021 15:03:16 +0200
+Subject: perf/x86/intel/lbr: Zero the xstate buffer on allocation
+
+From: Thomas Gleixner
+
+[ Upstream commit 7f049fbdd57f6ea71dc741d903c19c73b2f70950 ]
+
+XRSTORS requires a valid xstate buffer to work correctly. XSAVES does not
+guarantee to write a fully valid buffer according to the SDM:
+
+ "XSAVES does not write to any parts of the XSAVE header other than the
+ XSTATE_BV and XCOMP_BV fields."
+
+XRSTORS triggers a #GP:
+
+ "If bytes 63:16 of the XSAVE header are not all zero."
+
+It's dubious at best how this can work at all when the buffer is not zeroed
+before use.
+
+Allocate the buffers with __GFP_ZERO to prevent XRSTORS failure.
+
+Fixes: ce711ea3cab9 ("perf/x86/intel/lbr: Support XSAVES/XRSTORS for LBR context switch")
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/87wnr0wo2z.ffs@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin
+---
+ arch/x86/events/intel/lbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
+index 6c1231837382..29ec4fe48507 100644
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -730,7 +730,8 @@ void reserve_lbr_buffers(void)
+ if (!kmem_cache || cpuc->lbr_xsave)
+ continue;
+
+- cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache, GFP_KERNEL,
++ cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache,
++ GFP_KERNEL | __GFP_ZERO,
+ cpu_to_node(cpu));
+ }
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch b/queue-5.10/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch
new file mode 100644
index 00000000000..b647c594e27
--- /dev/null
+++ b/queue-5.10/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch
@@ -0,0 +1,132 @@ +From 40c25d9f17d2fdcc9032047f9f84906ce9382355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 13:22:47 +0800 +Subject: perf/x86/lbr: Remove cpuc->lbr_xsave allocation from atomic context + +From: Like Xu + +[ Upstream commit 488e13a489e9707a7e81e1991fdd1f20c0f04689 ] + +If the kernel is compiled with the CONFIG_LOCKDEP option, the conditional +might_sleep_if() deep in kmem_cache_alloc() will generate the following +trace, and potentially cause a deadlock when another LBR event is added: + + [] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:196 + [] Call Trace: + [] kmem_cache_alloc+0x36/0x250 + [] intel_pmu_lbr_add+0x152/0x170 + [] x86_pmu_add+0x83/0xd0 + +Make it symmetric with the release_lbr_buffers() call and mirror the +existing DS buffers. + +Fixes: c085fb8774 ("perf/x86/intel/lbr: Support XSAVES for arch LBR read") +Signed-off-by: Like Xu +[peterz: simplified] +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Kan Liang +Link: https://lkml.kernel.org/r/20210430052247.3079672-2-like.xu@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/core.c | 6 ++++-- + arch/x86/events/intel/lbr.c | 26 ++++++++++++++++++++------ + arch/x86/events/perf_event.h | 6 ++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index a88c94d65693..b7f8ed87bfbc 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -372,10 +372,12 @@ int x86_reserve_hardware(void) + if (!atomic_inc_not_zero(&pmc_refcount)) { + mutex_lock(&pmc_reserve_mutex); + if (atomic_read(&pmc_refcount) == 0) { +- if (!reserve_pmc_hardware()) ++ if (!reserve_pmc_hardware()) { + err = -EBUSY; +- else ++ } else { + reserve_ds_buffers(); ++ reserve_lbr_buffers(); ++ } + } + if (!err) + atomic_inc(&pmc_refcount); +diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c +index e2b0efcba101..6c1231837382 100644 +--- 
a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -658,7 +658,6 @@ static inline bool branch_user_callstack(unsigned br_sel) + + void intel_pmu_lbr_add(struct perf_event *event) + { +- struct kmem_cache *kmem_cache = event->pmu->task_ctx_cache; + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); + + if (!x86_pmu.lbr_nr) +@@ -696,11 +695,6 @@ void intel_pmu_lbr_add(struct perf_event *event) + perf_sched_cb_inc(event->ctx->pmu); + if (!cpuc->lbr_users++ && !event->total_time_running) + intel_pmu_lbr_reset(); +- +- if (static_cpu_has(X86_FEATURE_ARCH_LBR) && +- kmem_cache && !cpuc->lbr_xsave && +- (cpuc->lbr_users != cpuc->lbr_pebs_users)) +- cpuc->lbr_xsave = kmem_cache_alloc(kmem_cache, GFP_KERNEL); + } + + void release_lbr_buffers(void) +@@ -721,6 +715,26 @@ void release_lbr_buffers(void) + } + } + ++void reserve_lbr_buffers(void) ++{ ++ struct kmem_cache *kmem_cache; ++ struct cpu_hw_events *cpuc; ++ int cpu; ++ ++ if (!static_cpu_has(X86_FEATURE_ARCH_LBR)) ++ return; ++ ++ for_each_possible_cpu(cpu) { ++ cpuc = per_cpu_ptr(&cpu_hw_events, cpu); ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache; ++ if (!kmem_cache || cpuc->lbr_xsave) ++ continue; ++ ++ cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache, GFP_KERNEL, ++ cpu_to_node(cpu)); ++ } ++} ++ + void intel_pmu_lbr_del(struct perf_event *event) + { + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index 6a8edfe59b09..d4f2ea2d9a9e 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -1122,6 +1122,8 @@ void reserve_ds_buffers(void); + + void release_lbr_buffers(void); + ++void reserve_lbr_buffers(void); ++ + extern struct event_constraint bts_constraint; + extern struct event_constraint vlbr_constraint; + +@@ -1267,6 +1269,10 @@ static inline void release_lbr_buffers(void) + { + } + ++static inline void reserve_lbr_buffers(void) ++{ ++} ++ + static inline int 
intel_pmu_init(void) + { + return 0; +-- +2.30.2 + diff --git a/queue-5.10/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch b/queue-5.10/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch new file mode 100644 index 00000000000..d869a909984 --- /dev/null +++ b/queue-5.10/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch 
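Review bot: `reserve_lbr_buffers()` does not check the result of `kmem_cache_alloc_node()`, and because it returns `void` it cannot report a failure to `x86_reserve_hardware()`, so a failed allocation leaves `cpuc->lbr_xsave` NULL for that CPU with no trace. That is only safe if every user of `lbr_xsave` tests it for NULL, which is outside this hunk and should be confirmed. A comment above the function stating that the buffer is optional and that users must tolerate NULL would record the contract. The removed allocation in `intel_pmu_lbr_add()` was also conditional on `cpuc->lbr_users != cpuc->lbr_pebs_users`, whereas this loop allocates for every possible CPU, so the memory cost on large systems deserves a line in that comment.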
@@ -0,0 +1,192 @@ +From 32d91fcb293437756c87ffedf4e2cec29414a5f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 07:30:43 -0700 +Subject: perf/x86: Track pmu in per-CPU cpu_hw_events + +From: Kan Liang + +[ Upstream commit 61e76d53c39bb768ad264d379837cfc56b9e35b4 ] + +Some platforms, e.g. Alder Lake, have hybrid architecture. In the same +package, there may be more than one type of CPU. The PMU capabilities +are different among different types of CPU. Perf will register a +dedicated PMU for each type of CPU. + +Add a 'pmu' variable in the struct cpu_hw_events to track the dedicated +PMU of the current CPU. + +Current x86_get_pmu() use the global 'pmu', which will be broken on a +hybrid platform. Modify it to apply the 'pmu' of the specific CPU. + +Initialize the per-CPU 'pmu' variable with the global 'pmu'. There is +nothing changed for the non-hybrid platforms. + +The is_x86_event() will be updated in the later patch ("perf/x86: +Register hybrid PMUs") for hybrid platforms. For the non-hybrid +platforms, nothing is changed here. 
+ +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1618237865-33448-4-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/core.c | 17 +++++++++++++---- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/intel/ds.c | 4 ++-- + arch/x86/events/intel/lbr.c | 9 +++++---- + arch/x86/events/perf_event.h | 4 +++- + 5 files changed, 24 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index b7f8ed87bfbc..e6db1a1f22d7 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -45,9 +45,11 @@ + #include "perf_event.h" + + struct x86_pmu x86_pmu __read_mostly; ++static struct pmu pmu; + + DEFINE_PER_CPU(struct cpu_hw_events, cpu_hw_events) = { + .enabled = 1, ++ .pmu = &pmu, + }; + + DEFINE_STATIC_KEY_FALSE(rdpmc_never_available_key); +@@ -712,16 +714,23 @@ void x86_pmu_enable_all(int added) + } + } + +-static struct pmu pmu; +- + static inline int is_x86_event(struct perf_event *event) + { + return event->pmu == &pmu; + } + +-struct pmu *x86_get_pmu(void) ++struct pmu *x86_get_pmu(unsigned int cpu) + { +- return &pmu; ++ struct cpu_hw_events *cpuc = &per_cpu(cpu_hw_events, cpu); ++ ++ /* ++ * All CPUs of the hybrid type have been offline. ++ * The x86_get_pmu() should not be invoked. 
++ */ ++ if (WARN_ON_ONCE(!cpuc->pmu)) ++ return &pmu; ++ ++ return cpuc->pmu; + } + /* + * Event scheduler state: +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index ee659b5faf71..3b8b8eede1a8 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -4747,7 +4747,7 @@ static void update_tfa_sched(void *ignored) + * and if so force schedule out for all event types all contexts + */ + if (test_bit(3, cpuc->active_mask)) +- perf_pmu_resched(x86_get_pmu()); ++ perf_pmu_resched(x86_get_pmu(smp_processor_id())); + } + + static ssize_t show_sysctl_tfa(struct device *cdev, +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index 31a7a6566d07..945d470f62d0 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -2076,7 +2076,7 @@ void __init intel_ds_init(void) + PERF_SAMPLE_TIME; + x86_pmu.flags |= PMU_FL_PEBS_ALL; + pebs_qual = "-baseline"; +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_EXTENDED_REGS; ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_EXTENDED_REGS; + } else { + /* Only basic record supported */ + x86_pmu.large_pebs_flags &= +@@ -2091,7 +2091,7 @@ void __init intel_ds_init(void) + + if (x86_pmu.intel_cap.pebs_output_pt_available) { + pr_cont("PEBS-via-PT, "); +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_AUX_OUTPUT; ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_AUX_OUTPUT; + } + + break; +diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c +index 29ec4fe48507..9c1a013d5682 100644 +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -699,7 +699,7 @@ void intel_pmu_lbr_add(struct perf_event *event) + + void release_lbr_buffers(void) + { +- struct kmem_cache *kmem_cache = x86_get_pmu()->task_ctx_cache; ++ struct kmem_cache *kmem_cache; + struct cpu_hw_events *cpuc; + int cpu; + +@@ -708,6 +708,7 @@ void release_lbr_buffers(void) + + for_each_possible_cpu(cpu) { + cpuc = 
per_cpu_ptr(&cpu_hw_events, cpu); ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache; + if (kmem_cache && cpuc->lbr_xsave) { + kmem_cache_free(kmem_cache, cpuc->lbr_xsave); + cpuc->lbr_xsave = NULL; +@@ -1624,7 +1625,7 @@ void intel_pmu_lbr_init_hsw(void) + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = hsw_lbr_sel_map; + +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0); ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0); + + if (lbr_from_signext_quirk_needed()) + static_branch_enable(&lbr_from_quirk_key); +@@ -1644,7 +1645,7 @@ __init void intel_pmu_lbr_init_skl(void) + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = hsw_lbr_sel_map; + +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0); ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0); + + /* + * SW branch filter usage: +@@ -1741,7 +1742,7 @@ static bool is_arch_lbr_xsave_available(void) + + void __init intel_pmu_arch_lbr_init(void) + { +- struct pmu *pmu = x86_get_pmu(); ++ struct pmu *pmu = x86_get_pmu(smp_processor_id()); + union cpuid28_eax eax; + union cpuid28_ebx ebx; + union cpuid28_ecx ecx; +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index d4f2ea2d9a9e..f07d77cffb3c 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -326,6 +326,8 @@ struct cpu_hw_events { + int n_pair; /* Large increment events */ + + void *kfree_on_online[X86_PERF_KFREE_MAX]; ++ ++ struct pmu *pmu; + }; + + #define __EVENT_CONSTRAINT_RANGE(c, e, n, m, w, o, f) { \ +@@ -897,7 +899,7 @@ static struct perf_pmu_events_ht_attr event_attr_##v = { \ + .event_str_ht = ht, \ + } + +-struct pmu *x86_get_pmu(void); ++struct pmu *x86_get_pmu(unsigned int cpu); + extern struct x86_pmu x86_pmu __read_mostly; + + static __always_inline struct x86_perf_task_context_opt *task_context_opt(void *ctx) +-- +2.30.2 + 
diff --git a/queue-5.10/ping-check-return-value-of-function-ping_queue_rcv_s.patch b/queue-5.10/ping-check-return-value-of-function-ping_queue_rcv_s.patch
new file mode 100644
index 00000000000..8caa123b376
--- /dev/null
+++ b/queue-5.10/ping-check-return-value-of-function-ping_queue_rcv_s.patch
@@ -0,0 +1,56 @@
+From 33aa988162ec3b551b87601826a8fc697f9e8b6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jun 2021 09:41:36 +0800
+Subject: ping: Check return value of function 'ping_queue_rcv_skb'
+
+From: Zheng Yongjun
+
+[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ]
+
+Function 'ping_queue_rcv_skb' not always return success, which will
+also return fail. If not check the wrong return value of it, lead to function
+`ping_rcv` return success.
+
+Signed-off-by: Zheng Yongjun
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ping.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 248856b301c4..8ce8b7300b9d 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -952,6 +952,7 @@ bool ping_rcv(struct sk_buff *skb)
+ struct sock *sk;
+ struct net *net = dev_net(skb->dev);
+ struct icmphdr *icmph = icmp_hdr(skb);
++ bool rc = false;
+
+ /* We assume the packet has already been checked by icmp_rcv */
+
+@@ -966,14 +967,15 @@ bool ping_rcv(struct sk_buff *skb)
+ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+
+ pr_debug("rcv on socket %p\n", sk);
+- if (skb2)
+- ping_queue_rcv_skb(sk, skb2);
++ if (skb2 && !ping_queue_rcv_skb(sk, skb2))
++ rc = true;
+ sock_put(sk);
+- return true;
+ }
+- pr_debug("no socket, dropping\n");
+
+- return false;
++ if (!rc)
++ pr_debug("no socket, dropping\n");
++
++ return rc;
+ }
+ EXPORT_SYMBOL_GPL(ping_rcv);
+
+--
+2.30.2
+
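Review bot: After this change `ping_rcv()` prints `pr_debug("no socket, dropping\n")` whenever `rc` is false, which now includes the cases where a socket was found but `skb_clone()` failed or `ping_queue_rcv_skb()` returned an error, so the message misreports the cause. Keeping the original text for the no-socket path and adding a separate `pr_debug("rcv on socket %p failed\n", sk);` beside the `rc = true` test would keep the two cases apart for anyone diagnosing drops. The new code does not release `skb2` itself when queuing fails, so it should be confirmed that `ping_queue_rcv_skb()` frees it on its error path; that function and the enclosing block both lie outside the hunk.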
diff --git a/queue-5.10/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.10/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..e7ac651ac9c
--- /dev/null
+++ b/queue-5.10/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From 6d1b349474aca50dd6e8c5677640890ab2b1e9d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 12:53:03 -0700
+Subject: r8152: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook
+
+[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index f5010f8ac1ec..95e27fb7d2c1 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6054,7 +6054,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ switch (stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
+ break;
+ }
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.10/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..33500932adb
--- /dev/null
+++ b/queue-5.10/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From b7cf7f3a3a049b3b646eff1677447d0a5a733259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 12:53:59 -0700
+Subject: r8169: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook
+
+[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 3bb36f4a984e..a6bf80b52967 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -1673,7 +1673,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ switch(stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
+ break;
+ }
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/recordmcount-correct-st_shndx-handling.patch b/queue-5.10/recordmcount-correct-st_shndx-handling.patch
new file mode 100644
index 00000000000..e3c24d90533
--- /dev/null
+++ b/queue-5.10/recordmcount-correct-st_shndx-handling.patch
@@ -0,0 +1,61 @@ +From 3bcbff0ad46f7bd91e7e78565d31c5322eefa278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 23:41:26 +0800 +Subject: recordmcount: Correct st_shndx handling + +From: Peter Zijlstra + +[ Upstream commit fb780761e7bd9f2e94f5b9a296ead6b35b944206 ] + +One should only use st_shndx when >SHN_UNDEF and = SHN_LORESERVE && st_shndx != SHN_XINDEX. + +Link: https://lore.kernel.org/lkml/20210607023839.26387-1-mark-pk.tsai@mediatek.com/ +Link: https://lkml.kernel.org/r/20210616154126.2794-1-mark-pk.tsai@mediatek.com + +Reported-by: Mark-PK Tsai +Tested-by: Mark-PK Tsai +Signed-off-by: Peter Zijlstra (Intel) +[handle endianness of sym->st_shndx] +Signed-off-by: Mark-PK Tsai +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + scripts/recordmcount.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index f9b19524da11..1e9baa5c4fc6 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab, + Elf32_Word const *symtab_shndx) + { + unsigned long offset; ++ unsigned short shndx = w2(sym->st_shndx); + int index; + +- if (sym->st_shndx != SHN_XINDEX) +- return w2(sym->st_shndx); ++ if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE) ++ return shndx; + +- offset = (unsigned long)sym - (unsigned long)symtab; +- index = offset / sizeof(*sym); ++ if (shndx == SHN_XINDEX) { ++ offset = (unsigned long)sym - (unsigned long)symtab; ++ index = offset / sizeof(*sym); + +- return w(symtab_shndx[index]); ++ return w(symtab_shndx[index]); ++ } ++ ++ return 0; + } + + static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0) +-- +2.30.2 + diff --git a/queue-5.10/riscv32-use-medany-c-model-for-modules.patch b/queue-5.10/riscv32-use-medany-c-model-for-modules.patch new file mode 100644 index 00000000000..5877ee2b814 --- /dev/null 
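Review bot: In the new `shndx == SHN_XINDEX` branch of `get_symindex()`, `symtab_shndx[index]` is read without checking that an extended-index table was actually found or that `index` lies inside it. The tool parses object files, so a symbol marked SHN_XINDEX in a file with no such table would dereference a null pointer if `symtab_shndx` can be NULL, which this hunk does not show. Guarding the branch with `if (shndx == SHN_XINDEX && symtab_shndx) {` lets that case fall through to the new `return 0;`. A short comment on `return 0;` saying that 0 means "no usable section index" would also tell callers how to treat it.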
+++ b/queue-5.10/riscv32-use-medany-c-model-for-modules.patch
@@ -0,0 +1,39 @@
+From b1e3478336dd038aa48c1147f9fdb5b2a7d24325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 6 Jun 2021 15:09:40 -0700
+Subject: riscv32: Use medany C model for modules
+
+From: Khem Raj
+
+[ Upstream commit 5d2388dbf84adebeb6d9742164be8d32728e4269 ]
+
+When CONFIG_CMODEL_MEDLOW is used it ends up generating riscv_hi20_rela
+relocations in modules which are not resolved during runtime and
+following errors would be seen
+
+[ 4.802714] virtio_input: target 00000000c1539090 can not be addressed by the 32-bit offset from PC = 39148b7b
+[ 4.854800] virtio_input: target 00000000c1539090 can not be addressed by the 32-bit offset from PC = 9774456d
+
+Signed-off-by: Khem Raj
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
+index e241e0e85ac8..226c366072da 100644
+--- a/arch/riscv/Makefile
++++ b/arch/riscv/Makefile
+@@ -14,7 +14,7 @@ ifeq ($(CONFIG_DYNAMIC_FTRACE),y)
+ LDFLAGS_vmlinux := --no-relax
+ endif
+
+-ifeq ($(CONFIG_64BIT)$(CONFIG_CMODEL_MEDLOW),yy)
++ifeq ($(CONFIG_CMODEL_MEDLOW),y)
+ KBUILD_CFLAGS_MODULE += -mcmodel=medany
+ endif
+
+--
+2.30.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
index ddee0e90979..c9e8925a79a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -12,3 +12,46 @@ arm64-ignore-any-dma-offsets-in-the-max_zone_phys-calculation.patch
 arm64-force-no_block_mappings-if-crashkernel-reservation-is-required.patch
 spi-spi-nxp-fspi-move-the-register-operation-after-t.patch
 revert-pci-pm-do-not-read-power-state-in-pci_enable_.patch
+drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
+drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
+x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch
+x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch
+locking-lockdep-improve-noinstr-vs-errors.patch
+perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch
+perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch
+dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch
+dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch
+dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch
+dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch
+mac80211-remove-warning-in-ieee80211_get_sband.patch
+mac80211_hwsim-drop-pending-frames-on-stop.patch
+cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
+dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch
+dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
+dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
+dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch
+net-ipv4-remove-unneed-bug-function.patch
+mac80211-drop-multicast-fragments.patch
+net-ethtool-clear-heap-allocations-for-ethtool-funct.patch
+inet-annotate-data-race-in-inet_send_prepare-and-ine.patch
+ping-check-return-value-of-function-ping_queue_rcv_s.patch
+net-annotate-data-race-in-sock_error.patch
+inet-annotate-date-races-around-sk-sk_txhash.patch
+net-packet-annotate-data-race-in-packet_sendmsg.patch
+net-phy-dp83867-perform-soft-reset-and-retain-establ.patch
+riscv32-use-medany-c-model-for-modules.patch
+net-caif-fix-memory-leak-in-ldisc_open.patch
+net-packet-annotate-accesses-to-po-bind.patch
+net-packet-annotate-accesses-to-po-ifindex.patch
+r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+kvm-selftests-fix-kvm_check_cap-assertion.patch
+net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
+mac80211-reset-profile_periodicity-ema_ap.patch
+mac80211-handle-various-extensible-elements-correctl.patch
+recordmcount-correct-st_shndx-handling.patch
+pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch
+net-ll_temac-add-memory-barriers-for-tx-bd-access.patch
+net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
+perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch
diff --git a/queue-5.10/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.10/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..ab9ff255dc1
--- /dev/null
+++ b/queue-5.10/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From fe8813be0b78a7f246be9e5cd66e7b6ad0fa3a14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 12:53:33 -0700
+Subject: sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook
+
+[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 6d84266c03ca..5cab2d3c0023 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2287,7 +2287,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
+ {
+ switch (stringset) {
+ case ETH_SS_STATS:
+- memcpy(data, *sh_eth_gstrings_stats,
++ memcpy(data, sh_eth_gstrings_stats,
+ sizeof(sh_eth_gstrings_stats));
+ break;
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch b/queue-5.10/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch
new file mode 100644
index 00000000000..fbf48c41405
--- /dev/null
+++ b/queue-5.10/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch
@@ -0,0 +1,39 @@
+From f590afbf49086826039f7134d4e8c01f5f3cca4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Jun 2021 13:12:34 +0200
+Subject: x86/entry: Fix noinstr fail in __do_fast_syscall_32()
+
+From: Peter Zijlstra
+
+[ Upstream commit 240001d4e3041832e8a2654adc3ccf1683132b92 ]
+
+Fix:
+
+ vmlinux.o: warning: objtool: __do_fast_syscall_32()+0xf5: call to trace_hardirqs_off() leaves .noinstr.text section
+
+Fixes: 5d5675df792f ("x86/entry: Fix entry/exit mismatch on failed fast 32-bit syscalls")
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20210621120120.467898710@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
+index 2e4d91f3feea..93a3122cd15f 100644
+--- a/arch/x86/entry/common.c
++++ b/arch/x86/entry/common.c
+@@ -127,8 +127,8 @@ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs)
+ /* User code screwed up. */
+ regs->ax = -EFAULT;
+
+- instrumentation_end();
+ local_irq_disable();
++ instrumentation_end();
+ irqentry_exit_to_user_mode(regs);
+ return false;
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch b/queue-5.10/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch
new file mode 100644
index 00000000000..83b59920f20
--- /dev/null
+++ b/queue-5.10/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch
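Review bot: Nothing at the two swapped lines records why `local_irq_disable()` has to come before `instrumentation_end()`, so a later cleanup could quietly restore the old order. The commit message gives the reason: objtool sees the call to trace_hardirqs_off() as leaving .noinstr.text. A comment above the pair, such as `/* local_irq_disable() can call into tracing, so it must stay inside the instrumentation section */`, would keep that reason with the code. The body of `__do_fast_syscall_32()` starts and ends outside the hunk.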
@@ -0,0 +1,40 @@
+From eadf789de29160b3913a086bc10729417ee8cd17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Jun 2021 13:12:36 +0200
+Subject: x86/xen: Fix noinstr fail in exc_xen_unknown_trap()
+
+From: Peter Zijlstra
+
+[ Upstream commit 4c9c26f1e67648f41f28f8c997c5c9467a3dbbe4 ]
+
+Fix:
+
+ vmlinux.o: warning: objtool: exc_xen_unknown_trap()+0x7: call to printk() leaves .noinstr.text section
+
+Fixes: 2e92493637a0 ("x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled")
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20210621120120.606560778@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/xen/enlighten_pv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 8064df638222..d3cdf467d91f 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -586,8 +586,10 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_debug)
+ DEFINE_IDTENTRY_RAW(exc_xen_unknown_trap)
+ {
+ /* This should never happen and there is no way to handle it. */
++ instrumentation_begin();
+ pr_err("Unknown trap in Xen PV mode.");
+ BUG();
++ instrumentation_end();
+ }
+
+ struct trap_array_entry {
+--
+2.30.2
+
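Review bot: The added `instrumentation_end()` sits after `BUG()` and so reads as dead code, with nothing to say that it is there to close the section opened by `instrumentation_begin()`. A comment such as `/* presumably not reached; pairs with instrumentation_begin() for objtool */` would stop a later cleanup from deleting it and bringing the warning back. Separately, the `pr_err("Unknown trap in Xen PV mode.")` string in the same block has no trailing `\n`; `pr_err("Unknown trap in Xen PV mode.\n");` keeps the message on its own log line ahead of the BUG output.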