From: Sasha Levin Date: Tue, 10 Nov 2020 15:06:07 +0000 (-0500) Subject: Fixes for 5.9 X-Git-Tag: v4.4.243~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9b24cf050de08d8cc12df2f1e793d60d54105ed;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.9 Signed-off-by: Sasha Levin --- diff --git a/queue-5.9/afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch b/queue-5.9/afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch new file mode 100644 index 00000000000..dc36e51d09f --- /dev/null +++ b/queue-5.9/afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch @@ -0,0 +1,70 @@ +From e9eb47d199f56aa893dff7ffe8194fce632b4131 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 16:33:07 +0000 +Subject: afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op + +From: David Howells + +[ Upstream commit f4c79144edd8a49ffca8fa737a31d606be742a34 ] + +The cleanup for the yfs_store_opaque_acl2_operation calls the wrong +function to destroy the ACL content buffer. It's an afs_acl struct, not +a yfs_acl struct - and the free function for latter may pass invalid +pointers to kfree(). + +Fix this by using the afs_acl_put() function. The yfs_acl_put() +function is then no longer used and can be removed. + + general protection fault, probably for non-canonical address 0x7ebde00000000: 0000 [#1] SMP PTI + ... + RIP: 0010:compound_head+0x0/0x11 + ... + Call Trace: + virt_to_cache+0x8/0x51 + kfree+0x5d/0x79 + yfs_free_opaque_acl+0x16/0x29 + afs_put_operation+0x60/0x114 + __vfs_setxattr+0x67/0x72 + __vfs_setxattr_noperm+0x66/0xe9 + vfs_setxattr+0x67/0xce + setxattr+0x14e/0x184 + __do_sys_fsetxattr+0x66/0x8f + do_syscall_64+0x2d/0x3a + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/xattr.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c +index 38884d6c57cdc..95c573dcda116 100644 +--- a/fs/afs/xattr.c ++++ b/fs/afs/xattr.c +@@ -148,11 +148,6 @@ static const struct xattr_handler afs_xattr_afs_acl_handler = { + .set = afs_xattr_set_acl, + }; + +-static void yfs_acl_put(struct afs_operation *op) +-{ +- yfs_free_opaque_acl(op->yacl); +-} +- + static const struct afs_operation_ops yfs_fetch_opaque_acl_operation = { + .issue_yfs_rpc = yfs_fs_fetch_opaque_acl, + .success = afs_acl_success, +@@ -246,7 +241,7 @@ error: + static const struct afs_operation_ops yfs_store_opaque_acl2_operation = { + .issue_yfs_rpc = yfs_fs_store_opaque_acl2, + .success = afs_acl_success, +- .put = yfs_acl_put, ++ .put = afs_acl_put, + }; + + /* +-- +2.27.0 + diff --git a/queue-5.9/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch b/queue-5.9/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch new file mode 100644 index 00000000000..bc3bb4566f9 --- /dev/null +++ b/queue-5.9/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch @@ -0,0 +1,43 @@ +From 0dc642a8ddb13c450c95d681e2001a090abd9b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 16:32:58 +0000 +Subject: afs: Fix warning due to unadvanced marshalling pointer + +From: David Howells + +[ Upstream commit c80afa1d9c3603d5eddeb8d63368823b1982f3f0 ] + +When using the afs.yfs.acl xattr to change an AuriStor ACL, a warning +can be generated when the request is marshalled because the buffer +pointer isn't increased after adding the last element, thereby +triggering the check at the end if the ACL wasn't empty. This just +causes something like the following warning, but doesn't stop the call +from happening successfully: + + kAFS: YFS.StoreOpaqueACL2: Request buffer underflow (36<108) + +Fix this simply by increasing the count prior to the check. + +Fixes: f5e4546347bc ("afs: Implement YFS ACL setting") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/yfsclient.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c +index 3b1239b7e90d8..bd787e71a657f 100644 +--- a/fs/afs/yfsclient.c ++++ b/fs/afs/yfsclient.c +@@ -1990,6 +1990,7 @@ void yfs_fs_store_opaque_acl2(struct afs_operation *op) + memcpy(bp, acl->data, acl->size); + if (acl->size != size) + memset((void *)bp + acl->size, 0, size - acl->size); ++ bp += size / sizeof(__be32); + yfs_check_req(call, bp); + + trace_afs_make_fs_call(call, &vp->fid); +-- +2.27.0 + diff --git a/queue-5.9/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch b/queue-5.9/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch new file mode 100644 index 00000000000..71f5b45a2c6 --- /dev/null +++ b/queue-5.9/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch @@ -0,0 +1,37 @@ +From 0149302a30bc1010922510e171470f9e07683d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 13:18:07 +0300 +Subject: ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() + +From: Dan Carpenter + +[ Upstream commit 158e1886b6262c1d1c96a18c85fac5219b8bf804 ] + +This is harmless, but the "addr" comes from the user and it could lead +to a negative shift or to shift wrapping if it's too high. + +Fixes: 0b00a5615dc4 ("ALSA: hdac_ext: add hdac extended controller") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20201103101807.GC1127762@mwanda +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/ext/hdac_ext_controller.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c +index 4d060d5b1db6d..b0c0ef824d7d9 100644 +--- a/sound/hda/ext/hdac_ext_controller.c ++++ b/sound/hda/ext/hdac_ext_controller.c +@@ -148,6 +148,8 @@ struct hdac_ext_link *snd_hdac_ext_bus_get_link(struct hdac_bus *bus, + return NULL; + if (bus->idx != bus_idx) + return NULL; ++ if (addr < 0 || addr > 31) ++ return NULL; + + list_for_each_entry(hlink, &bus->hlink_list, list) { + for (i = 0; i < HDA_MAX_CODECS; i++) { +-- +2.27.0 + diff --git a/queue-5.9/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch b/queue-5.9/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch new file mode 100644 index 00000000000..11ce1eef281 --- /dev/null +++ b/queue-5.9/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch @@ -0,0 +1,39 @@ +From f153716d460e7163a3a99b1592515fedabc2a1d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:43:40 +0000 +Subject: ASoC: codecs: wcd9335: Set digital gain range correctly + +From: Srinivas Kandagatla + +[ Upstream commit 6d6bc54ab4f2404d46078abc04bf4dee4db01def ] + +digital gain range is -84dB min to 40dB max, however this was not +correctly specified in the range. + +Fix this by with correct range! + +Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20201028154340.17090-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd9335.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index f2d9d52ee171b..4d2b1ec7c03bb 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -618,7 +618,7 @@ static const char * const sb_tx8_mux_text[] = { + "ZERO", "RX_MIX_TX8", "DEC8", "DEC8_192" + }; + +-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0); ++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); + static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1); + static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1); + static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0); +-- +2.27.0 + diff --git a/queue-5.9/asoc-codecs-wcd934x-set-digital-gain-range-correctly.patch b/queue-5.9/asoc-codecs-wcd934x-set-digital-gain-range-correctly.patch new file mode 100644 index 00000000000..9c45013897f --- /dev/null +++ b/queue-5.9/asoc-codecs-wcd934x-set-digital-gain-range-correctly.patch @@ -0,0 +1,39 @@ +From 20fa86e74ab809216024bdcc16ee84e2eb77adfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:43:39 +0000 +Subject: ASoC: codecs: wcd934x: Set digital gain range correctly + +From: Srinivas Kandagatla + +[ Upstream commit fc0522bbe02fa4beb95c0514ace66b585616f111 ] + +digital gain range is -84dB min to 40dB max, however this was not +correctly specified in the range. + +Fix this by with correct range! + +Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20201028154340.17090-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c +index 35697b072367a..40f682f5dab8b 100644 +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -551,7 +551,7 @@ struct wcd_iir_filter_ctl { + struct soc_bytes_ext bytes_ext; + }; + +-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0); ++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); + static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1); + static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1); + static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0); +-- +2.27.0 + diff --git a/queue-5.9/asoc-codecs-wsa881x-add-missing-stream-rates-and-for.patch b/queue-5.9/asoc-codecs-wsa881x-add-missing-stream-rates-and-for.patch new file mode 100644 index 00000000000..fa1fa8dd9c4 --- /dev/null +++ b/queue-5.9/asoc-codecs-wsa881x-add-missing-stream-rates-and-for.patch @@ -0,0 +1,37 @@ +From ce14b5717cde677ab9006043a9f6a6f07a2fcfa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 14:05:18 +0100 +Subject: ASoC: codecs: wsa881x: add missing stream rates and format + +From: Srinivas Kandagatla + +[ Upstream commit f47d0742515748162d3fc35f04331c5b81c0ed47 ] + +Add missing supported rates and formats for the stream, without +which attempt to do playback will fail to find any matching rates/format. + +Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20201022130518.31723-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wsa881x.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/wsa881x.c b/sound/soc/codecs/wsa881x.c +index d39d479e23786..5456124457a7c 100644 +--- a/sound/soc/codecs/wsa881x.c ++++ b/sound/soc/codecs/wsa881x.c +@@ -1026,6 +1026,8 @@ static struct snd_soc_dai_driver wsa881x_dais[] = { + .id = 0, + .playback = { + .stream_name = "SPKR Playback", ++ .rates = SNDRV_PCM_RATE_48000, ++ .formats = SNDRV_PCM_FMTBIT_S16_LE, + .rate_max = 48000, + .rate_min = 48000, + .channels_min = 1, +-- +2.27.0 + diff --git a/queue-5.9/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch b/queue-5.9/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch new file mode 100644 index 00000000000..cd467d59970 --- /dev/null +++ b/queue-5.9/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch @@ -0,0 +1,155 @@ +From f4cde55b1fbee0ed2dd3f352464b0dff920b6bce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 14:16:24 +0000 +Subject: ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Figa + +[ Upstream commit 9fe9efd6924c9a62ebb759025bb8927e398f51f7 ] + +This is a copy of commit 5c5f1baee85a ("ASoC: Intel: +kbl_rt5663_rt5514_max98927: Fix kabylake_ssp_fixup function") applied to +the kbl_rt5663_max98927 board file. + +Original explanation of the change: + +kabylake_ssp_fixup function uses snd_soc_dpcm to identify the +codecs DAIs. The HW parameters are changed based on the codec DAI of the +stream. The earlier approach to get snd_soc_dpcm was using container_of() +macro on snd_pcm_hw_params. + +The structures have been modified over time and snd_soc_dpcm does not have +snd_pcm_hw_params as a reference but as a copy. This causes the current +driver to crash when used. + +This patch changes the way snd_soc_dpcm is extracted. snd_soc_pcm_runtime +holds 2 dpcm instances (one for playback and one for capture). 2 codecs +on the SSP are dmic (capture) and speakers (playback). Based on the +stream direction, snd_soc_dpcm is extracted from snd_soc_pcm_runtime. + +Fixes a boot crash on a HP Chromebook x2: + +[ 16.582225] BUG: kernel NULL pointer dereference, address: 0000000000000050 +[ 16.582231] #PF: supervisor read access in kernel mode +[ 16.582233] #PF: error_code(0x0000) - not-present page +[ 16.582234] PGD 0 P4D 0 +[ 16.582238] Oops: 0000 [#1] PREEMPT SMP PTI +[ 16.582241] CPU: 0 PID: 1980 Comm: cras Tainted: G C 5.4.58 #1 +[ 16.582243] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.75.0 08/30/2018 +[ 16.582247] RIP: 0010:kabylake_ssp_fixup+0x19/0xbb [snd_soc_kbl_rt5663_max98927] +[ 16.582250] Code: c6 6f c5 80 c0 44 89 f2 31 c0 e8 3e c9 4c d6 eb de 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 48 8b 46 c8 48 8b 4e d0 <48> 8b 49 10 4c 8b 78 10 4c 8b 31 4c 89 f7 48 c7 c6 4b c2 80 c0 e8 +[ 16.582252] RSP: 0000:ffffaf7e81e0b958 EFLAGS: 00010282 +[ 16.582254] RAX: ffffffff96f13e0d RBX: ffffaf7e81e0ba00 RCX: 0000000000000040 +[ 16.582256] RDX: ffffaf7e81e0ba00 RSI: ffffaf7e81e0ba00 RDI: ffffa3b208558028 +[ 16.582258] RBP: ffffaf7e81e0b970 R08: ffffa3b203b54160 R09: ffffaf7e81e0ba00 +[ 16.582259] R10: 0000000000000000 R11: ffffffffc080b345 R12: ffffa3b209fb6e00 +[ 16.582261] R13: ffffa3b1b1a47838 R14: ffffa3b1e6197f28 R15: ffffaf7e81e0ba00 +[ 16.582263] FS: 00007eb3f25aaf80(0000) GS:ffffa3b236a00000(0000) knlGS:0000000000000000 +[ 16.582265] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.582267] CR2: 0000000000000050 CR3: 0000000246bc8006 CR4: 00000000003606f0 +[ 16.582269] Call Trace: +[ 16.582275] snd_soc_link_be_hw_params_fixup+0x21/0x68 +[ 16.582278] snd_soc_dai_hw_params+0x25/0x94 +[ 16.582282] soc_pcm_hw_params+0x2d8/0x583 +[ 16.582288] dpcm_be_dai_hw_params+0x172/0x29e +[ 16.582291] dpcm_fe_dai_hw_params+0x9f/0x12f +[ 16.582295] snd_pcm_hw_params+0x137/0x41c +[ 16.582298] snd_pcm_hw_params_user+0x3c/0x71 +[ 16.582301] snd_pcm_common_ioctl+0x2c6/0x565 +[ 16.582304] snd_pcm_ioctl+0x32/0x36 +[ 16.582307] do_vfs_ioctl+0x506/0x783 +[ 16.582311] ksys_ioctl+0x58/0x83 +[ 16.582313] __x64_sys_ioctl+0x1a/0x1e +[ 16.582316] do_syscall_64+0x54/0x7e +[ 16.582319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 16.582322] RIP: 0033:0x7eb3f1886157 +[ 16.582324] Code: 8a 66 90 48 8b 05 11 dd 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 dc 2b 00 f7 d8 64 89 01 48 +[ 16.582326] RSP: 002b:00007ffff7559818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 16.582329] RAX: ffffffffffffffda RBX: 00005acc9188b140 RCX: 00007eb3f1886157 +[ 16.582330] RDX: 00007ffff7559940 RSI: 00000000c2604111 RDI: 000000000000001e +[ 16.582332] RBP: 00007ffff7559840 R08: 0000000000000004 R09: 0000000000000000 +[ 16.582333] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bb80 +[ 16.582335] R13: 00005acc91702e80 R14: 00007ffff7559940 R15: 00005acc91702e80 +[ 16.582337] Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg uinput hid_google_hammer snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core ipu3_cio2 ipu3_imgu(C) videobuf2_v4l2 videobuf2_common videobuf2_dma_sg videobuf2_memops snd_soc_rt5663 snd_soc_max98927 snd_soc_rl6231 ov5670 ov13858 acpi_als v4l2_fwnode dw9714 fuse xt_MASQUERADE iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core cros_ec_sensors_ring industrialio_triggered_buffer kfifo_buf industrialio cros_ec_sensorhub cdc_ether usbnet btusb btrtl btintel btbcm bluetooth ecdh_generic ecc lzo_rle lzo_compress iwlmvm zram iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev +[ 16.584243] gsmi: Log Shutdown Reason 0x03 +[ 16.584246] CR2: 0000000000000050 +[ 16.584248] ---[ end trace c8511d090c11edff ]--- + +Suggested-by: Łukasz Majczak +Fixes: 2e5894d73789e ("ASoC: pcm: Add support for DAI multicodec") +Signed-off-by: Tomasz Figa +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20201014141624.4143453-1-tfiga@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/kbl_rt5663_max98927.c | 39 ++++++++++++++++---- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c +index 3ea4602dfb3ee..9a4b3d0973f65 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c +@@ -401,17 +401,40 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd, + struct snd_interval *chan = hw_param_interval(params, + SNDRV_PCM_HW_PARAM_CHANNELS); + struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); +- struct snd_soc_dpcm *dpcm = container_of( +- params, struct snd_soc_dpcm, hw_params); +- struct snd_soc_dai_link *fe_dai_link = dpcm->fe->dai_link; +- struct snd_soc_dai_link *be_dai_link = dpcm->be->dai_link; ++ struct snd_soc_dpcm *dpcm, *rtd_dpcm = NULL; ++ ++ /* ++ * The following loop will be called only for playback stream ++ * In this platform, there is only one playback device on every SSP ++ */ ++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_PLAYBACK, dpcm) { ++ rtd_dpcm = dpcm; ++ break; ++ } ++ ++ /* ++ * This following loop will be called only for capture stream ++ * In this platform, there is only one capture device on every SSP ++ */ ++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_CAPTURE, dpcm) { ++ rtd_dpcm = dpcm; ++ break; ++ } ++ ++ if (!rtd_dpcm) ++ return -EINVAL; ++ ++ /* ++ * The above 2 loops are mutually exclusive based on the stream direction, ++ * thus rtd_dpcm variable will never be overwritten ++ */ + + /* + * The ADSP will convert the FE rate to 48k, stereo, 24 bit + */ +- if (!strcmp(fe_dai_link->name, "Kbl Audio Port") || +- !strcmp(fe_dai_link->name, "Kbl Audio Headset Playback") || +- !strcmp(fe_dai_link->name, "Kbl Audio Capture Port")) { ++ if (!strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Port") || ++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Headset Playback") || ++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Capture Port")) { + rate->min = rate->max = 48000; + chan->min = chan->max = 2; + snd_mask_none(fmt); +@@ -421,7 +444,7 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd, + * The speaker on the SSP0 supports S16_LE and not S24_LE. + * thus changing the mask here + */ +- if (!strcmp(be_dai_link->name, "SSP0-Codec")) ++ if (!strcmp(rtd_dpcm->be->dai_link->name, "SSP0-Codec")) + snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE); + + return 0; +-- +2.27.0 + diff --git a/queue-5.9/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch b/queue-5.9/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch new file mode 100644 index 00000000000..7eb72231ef7 --- /dev/null +++ b/queue-5.9/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch @@ -0,0 +1,99 @@ +From 569c1356bc39fee1ebf16f4f58734451a7fb795f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 09:39:02 +0100 +Subject: can: can_create_echo_skb(): fix echo skb generation: always use + skb_clone() + +From: Oleksij Rempel + +[ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ] + +All user space generated SKBs are owned by a socket (unless injected into the +key via AF_PACKET). If a socket is closed, all associated skbs will be cleaned +up. + +This leads to a problem when a CAN driver calls can_put_echo_skb() on a +unshared SKB. If the socket is closed prior to the TX complete handler, +can_get_echo_skb() and the subsequent delivering of the echo SKB to all +registered callbacks, a SKB with a refcount of 0 is delivered. + +To avoid the problem, in can_get_echo_skb() the original SKB is now always +cloned, regardless of shared SKB or not. If the process exists it can now +safely discard its SKBs, without disturbing the delivery of the echo SKB. + +The problem shows up in the j1939 stack, when it clones the incoming skb, which +detects the already 0 refcount. + +We can easily reproduce this with following example: + +testj1939 -B -r can0: & +cansend can0 1823ff40#0123 + +WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174 +refcount_t: addition on 0; use-after-free. +Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan +CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Backtrace: +[] (dump_backtrace) from [] (show_stack+0x20/0x24) +[] (show_stack) from [] (dump_stack+0x8c/0xa0) +[] (dump_stack) from [] (__warn+0xe0/0x108) +[] (__warn) from [] (warn_slowpath_fmt+0xa8/0xcc) +[] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x108/0x174) +[] (refcount_warn_saturate) from [] (j1939_can_recv+0x20c/0x210) +[] (j1939_can_recv) from [] (can_rcv_filter+0xb4/0x268) +[] (can_rcv_filter) from [] (can_receive+0xb0/0xe4) +[] (can_receive) from [] (can_rcv+0x48/0x98) +[] (can_rcv) from [] (__netif_receive_skb_one_core+0x64/0x88) +[] (__netif_receive_skb_one_core) from [] (__netif_receive_skb+0x38/0x94) +[] (__netif_receive_skb) from [] (netif_receive_skb_internal+0x64/0xf8) +[] (netif_receive_skb_internal) from [] (netif_receive_skb+0x34/0x19c) +[] (netif_receive_skb) from [] (can_rx_offload_napi_poll+0x58/0xb4) + +Fixes: 0ae89beb283a ("can: add destructor for self generated skbs") +Signed-off-by: Oleksij Rempel +Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + include/linux/can/skb.h | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h +index 900b9f4e06054..fc61cf4eff1c9 100644 +--- a/include/linux/can/skb.h ++++ b/include/linux/can/skb.h +@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk) + */ + static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb) + { +- if (skb_shared(skb)) { +- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); ++ struct sk_buff *nskb; + +- if (likely(nskb)) { +- can_skb_set_owner(nskb, skb->sk); +- consume_skb(skb); +- return nskb; +- } else { +- kfree_skb(skb); +- return NULL; +- } ++ nskb = skb_clone(skb, GFP_ATOMIC); ++ if (unlikely(!nskb)) { ++ kfree_skb(skb); ++ return NULL; + } + +- /* we can assume to have an unshared skb with proper owner */ +- return skb; ++ can_skb_set_owner(nskb, skb->sk); ++ consume_skb(skb); ++ return nskb; + } + + #endif /* !_CAN_SKB_H */ +-- +2.27.0 + diff --git a/queue-5.9/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch b/queue-5.9/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch new file mode 100644 index 00000000000..86788bf3da6 --- /dev/null +++ b/queue-5.9/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch @@ -0,0 +1,49 @@ +From 852196da891535003d3192dfbf57584c046a6f3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 08:44:43 +0200 +Subject: can: dev: __can_get_echo_skb(): fix real payload length return value + for RTR frames + +From: Oliver Hartkopp + +[ Upstream commit ed3320cec279407a86bc4c72edc4a39eb49165ec ] + +The can_get_echo_skb() function returns the number of received bytes to +be used for netdev statistics. In the case of RTR frames we get a valid +(potential non-zero) data length value which has to be passed for further +operations. But on the wire RTR frames have no payload length. Therefore +the value to be used in the statistics has to be zero for RTR frames. + +Reported-by: Vincent Mailhol +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/r/20201020064443.80164-1-socketcan@hartkopp.net +Fixes: cf5046b309b3 ("can: dev: let can_get_echo_skb() return dlc of CAN frame") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index e291fda395a0f..d5e52ffc7ed25 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -486,9 +486,13 @@ __can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + */ + struct sk_buff *skb = priv->echo_skb[idx]; + struct canfd_frame *cf = (struct canfd_frame *)skb->data; +- u8 len = cf->len; + +- *len_ptr = len; ++ /* get the real payload length for netdev statistics */ ++ if (cf->can_id & CAN_RTR_FLAG) ++ *len_ptr = 0; ++ else ++ *len_ptr = cf->len; ++ + priv->echo_skb[idx] = NULL; + + return skb; +-- +2.27.0 + diff --git a/queue-5.9/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch b/queue-5.9/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch new file mode 100644 index 00000000000..76149989c00 --- /dev/null +++ b/queue-5.9/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch @@ -0,0 +1,67 @@ +From c94de5b05217edda78d390cbd1b411e088adf8d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 00:41:45 +0900 +Subject: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ + context + +From: Vincent Mailhol + +[ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ] + +If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but +not always, the case), the 'WARN_ON(in_irq)' in +net/core/skbuff.c#skb_release_head_state() might be triggered, under network +congestion circumstances, together with the potential risk of a NULL pointer +dereference. + +The root cause of this issue is the call to kfree_skb() instead of +dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). + +This patch prevents the skb to be freed within the call to netif_rx() by +incrementing its reference count with skb_get(). The skb is finally freed by +one of the in-irq-context safe functions: dev_consume_skb_any() or +dev_kfree_skb_any(). The "any" version is used because some drivers might call +can_get_echo_skb() in a normal context. + +The reason for this issue to occur is that initially, in the core network +stack, loopback skb were not supposed to be received in hardware IRQ context. +The CAN stack is an exeption. + +This bug was previously reported back in 2017 in [1] but the proposed patch +never got accepted. + +While [1] directly modifies net/core/dev.c, we try to propose here a +smoother modification local to CAN network stack (the assumption +behind is that only CAN devices are affected by this issue). + +[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com + +Signed-off-by: Vincent Mailhol +Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 68834a2853c9d..e291fda395a0f 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -512,7 +512,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) + if (!skb) + return 0; + +- netif_rx(skb); ++ skb_get(skb); ++ if (netif_rx(skb) == NET_RX_SUCCESS) ++ dev_consume_skb_any(skb); ++ else ++ dev_kfree_skb_any(skb); + + return len; + } +-- +2.27.0 + diff --git a/queue-5.9/can-flexcan-flexcan_remove-disable-wakeup-completely.patch b/queue-5.9/can-flexcan-flexcan_remove-disable-wakeup-completely.patch new file mode 100644 index 00000000000..d6f7c728d99 --- /dev/null +++ b/queue-5.9/can-flexcan-flexcan_remove-disable-wakeup-completely.patch @@ -0,0 +1,49 @@ +From 8ea425f85d44db83e6aad6821baeb0d91a959046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 02:45:27 +0800 +Subject: can: flexcan: flexcan_remove(): disable wakeup completely + +From: Joakim Zhang + +[ Upstream commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 ] + +With below sequence, we can see wakeup default is enabled after re-load module, +if it was enabled before, so we need disable wakeup in flexcan_remove(). + +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| disabled +| # echo enabled > /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| enabled +| # rmmod flexcan +| # modprobe flexcan +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| enabled + +Fixes: de3578c198c6 ("can: flexcan: add self wakeup support") +Fixes: 915f9666421c ("can: flexcan: add support for DT property 'wakeup-source'") +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20201020184527.8190-1-qiangqing.zhang@nxp.com +[mkl: streamlined commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index bc504e09f2259..a330d6c56242e 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1695,6 +1695,8 @@ static int flexcan_remove(struct platform_device *pdev) + { + struct net_device *dev = platform_get_drvdata(pdev); + ++ device_set_wakeup_enable(&pdev->dev, false); ++ device_set_wakeup_capable(&pdev->dev, false); + unregister_flexcandev(dev); + pm_runtime_disable(&pdev->dev); + free_candev(dev); +-- +2.27.0 + diff --git a/queue-5.9/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch b/queue-5.9/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch new file mode 100644 index 00000000000..65a7f2b3035 --- /dev/null +++ b/queue-5.9/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch @@ -0,0 +1,40 @@ +From d4c641dae7d15e5f0dc7425aa18b2d6e35c81d07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 23:53:55 +0800 +Subject: can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A + +From: Joakim Zhang + +[ Upstream commit 018799649071a1638c0c130526af36747df4355a ] + +After double check with Layerscape CAN owner (Pankaj Bansal), confirm that +LS1021A doesn't support ECC feature, so remove FLEXCAN_QUIRK_DISABLE_MECR +quirk. + +Fixes: 99b7668c04b27 ("can: flexcan: adding platform specific details for LS1021A") +Cc: Pankaj Bansal +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20201020155402.30318-4-qiangqing.zhang@nxp.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index bc21a82cf3a76..bc504e09f2259 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -321,8 +321,7 @@ static const struct flexcan_devtype_data fsl_vf610_devtype_data = { + + static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = { + .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS | +- FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE | +- FLEXCAN_QUIRK_USE_OFF_TIMESTAMP, ++ FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP, + }; + + static const struct can_bittiming_const flexcan_bittiming_const = { +-- +2.27.0 + diff --git a/queue-5.9/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch b/queue-5.9/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch new file mode 100644 index 00000000000..76996b8d59a --- /dev/null +++ b/queue-5.9/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch @@ -0,0 +1,58 @@ +From eae4ba757e4d408654ab56aa86354eeb90eefcf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 14:31:48 +0800 +Subject: can: j1939: j1939_sk_bind(): return failure if netdev is down + +From: Zhang Changzhong + +[ Upstream commit 08c487d8d807535f509ed80c6a10ad90e6872139 ] + +When a netdev down event occurs after a successful call to +j1939_sk_bind(), j1939_netdev_notify() can handle it correctly. + +But if the netdev already in down state before calling j1939_sk_bind(), +j1939_sk_release() will stay in wait_event_interruptible() blocked +forever. Because in this case, j1939_netdev_notify() won't be called and +j1939_tp_txtimer() won't call j1939_session_cancel() or other function +to clear session for ENETDOWN error, this lead to mismatch of +j1939_session_get/put() and jsk->skb_pending will never decrease to +zero. + +To reproduce it use following commands: +1. ip link add dev vcan0 type vcan +2. j1939acd -r 100,80-120 1122334455667788 vcan0 +3. presses ctrl-c and thread will be blocked forever + +This patch adds check for ndev->flags in j1939_sk_bind() to avoid this +kind of situation and return with -ENETDOWN. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1599460308-18770-1-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/socket.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 1be4c898b2fa8..f23966526a885 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -475,6 +475,12 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len) + goto out_release_sock; + } + ++ if (!(ndev->flags & IFF_UP)) { ++ dev_put(ndev); ++ ret = -ENETDOWN; ++ goto out_release_sock; ++ } ++ + priv = j1939_netdev_start(ndev); + dev_put(ndev); + if (IS_ERR(priv)) { +-- +2.27.0 + diff --git a/queue-5.9/can-j1939-swap-addr-and-pgn-in-the-send-example.patch b/queue-5.9/can-j1939-swap-addr-and-pgn-in-the-send-example.patch new file mode 100644 index 00000000000..f1fb1fe9ca5 --- /dev/null +++ b/queue-5.9/can-j1939-swap-addr-and-pgn-in-the-send-example.patch @@ -0,0 +1,38 @@ +From 3502972a770226abf7ccb42324c7755ee1da8a13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 10:37:08 +0200 +Subject: can: j1939: swap addr and pgn in the send example + +From: Yegor Yefremov + +[ Upstream commit ea780d39b1888ed5afc243c29b23d9bdb3828c7a ] + +The address was wrongly assigned to the PGN field and vice versa. + +Signed-off-by: Yegor Yefremov +Link: https://lore.kernel.org/r/20201022083708.8755-1-yegorslists@googlemail.com +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + Documentation/networking/j1939.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/networking/j1939.rst b/Documentation/networking/j1939.rst +index f5be243d250a4..4b0db514b2010 100644 +--- a/Documentation/networking/j1939.rst ++++ b/Documentation/networking/j1939.rst +@@ -414,8 +414,8 @@ Send: + .can_family = AF_CAN, + .can_addr.j1939 = { + .name = J1939_NO_NAME; +- .pgn = 0x30, +- .addr = 0x12300, ++ .addr = 0x30, ++ .pgn = 0x12300, + }, + }; + +-- +2.27.0 + diff --git a/queue-5.9/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch b/queue-5.9/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch new file mode 100644 index 00000000000..379a7de5a44 --- /dev/null +++ b/queue-5.9/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch @@ -0,0 +1,65 @@ +From 403a89e2f717c3540f88ffb933a9ad942331ffe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 17:39:47 +0200 +Subject: can: peak_canfd: pucan_handle_can_rx(): fix echo management when + loopback is on + +From: Stephane Grosjean + +[ Upstream commit 93ef65e5a6357cc7381f85fcec9283fe29970045 ] + +Echo management is driven by PUCAN_MSG_LOOPED_BACK bit, while loopback +frames are identified with PUCAN_MSG_SELF_RECEIVE bit. Those bits are set +for each outgoing frame written to the IP core so that a copy of each one +will be placed into the rx path. Thus, + +- when PUCAN_MSG_LOOPED_BACK is set then the rx frame is an echo of a + previously sent frame, +- when PUCAN_MSG_LOOPED_BACK+PUCAN_MSG_SELF_RECEIVE are set, then the rx + frame is an echo AND a loopback frame. Therefore, this frame must be + put into the socket rx path too. + +This patch fixes how CAN frames are handled when these are sent while the +can interface is configured in "loopback on" mode. + +Signed-off-by: Stephane Grosjean +Link: https://lore.kernel.org/r/20201013153947.28012-1-s.grosjean@peak-system.com +Fixes: 8ac8321e4a79 ("can: peak: add support for PEAK PCAN-PCIe FD CAN-FD boards") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/peak_canfd/peak_canfd.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c +index 10aa3e457c33d..40c33b8a5fda3 100644 +--- a/drivers/net/can/peak_canfd/peak_canfd.c ++++ b/drivers/net/can/peak_canfd/peak_canfd.c +@@ -262,8 +262,7 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv, + cf_len = get_can_dlc(pucan_msg_get_dlc(msg)); + + /* if this frame is an echo, */ +- if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) && +- !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) { ++ if (rx_msg_flags & PUCAN_MSG_LOOPED_BACK) { + unsigned long flags; + + spin_lock_irqsave(&priv->echo_lock, flags); +@@ -277,7 +276,13 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv, + netif_wake_queue(priv->ndev); + + spin_unlock_irqrestore(&priv->echo_lock, flags); +- return 0; ++ ++ /* if this frame is only an echo, stop here. Otherwise, ++ * continue to push this application self-received frame into ++ * its own rx queue. ++ */ ++ if (!(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) ++ return 0; + } + + /* otherwise, it should be pushed into rx fifo */ +-- +2.27.0 + diff --git a/queue-5.9/can-peak_usb-add-range-checking-in-decode-operations.patch b/queue-5.9/can-peak_usb-add-range-checking-in-decode-operations.patch new file mode 100644 index 00000000000..5cf44939538 --- /dev/null +++ b/queue-5.9/can-peak_usb-add-range-checking-in-decode-operations.patch @@ -0,0 +1,129 @@ +From 3123c58a778c43d5d161b3c3d3e5755f1cc14e59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:06:04 +0300 +Subject: can: peak_usb: add range checking in decode operations + +From: Dan Carpenter + +[ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ] + +These values come from skb->data so Smatch considers them untrusted. I +believe Smatch is correct but I don't have a way to test this. + +The usb_if->dev[] array has 2 elements but the index is in the 0-15 +range without checks. The cfd->len can be up to 255 but the maximum +valid size is CANFD_MAX_DLEN (64) so that could lead to memory +corruption. + +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200813140604.GA456946@mwanda +Acked-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 48 +++++++++++++++++----- + 1 file changed, 37 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index 47cc1ff5b88e8..dee3e689b54da 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -468,12 +468,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_rx_msg *rm = (struct pucan_rx_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_msg_get_channel(rm)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct canfd_frame *cfd; + struct sk_buff *skb; + const u16 rx_msg_flags = le16_to_cpu(rm->flags); + ++ if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_msg_get_channel(rm)]; ++ netdev = dev->netdev; ++ + if (rx_msg_flags & PUCAN_MSG_EXT_DATA_LEN) { + /* CANFD frame case */ + skb = alloc_canfd_skb(netdev, &cfd); +@@ -519,15 +525,21 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_status_msg *sm = (struct pucan_status_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; + enum can_state new_state = CAN_STATE_ERROR_ACTIVE; + enum can_state rx_state, tx_state; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); ++ netdev = dev->netdev; ++ + /* nothing should be sent while in BUS_OFF state */ + if (dev->can.state == CAN_STATE_BUS_OFF) + return 0; +@@ -579,9 +591,14 @@ static int pcan_usb_fd_decode_error(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_error_msg *er = (struct pucan_error_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_ermsg_get_channel(er)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; ++ struct peak_usb_device *dev; ++ ++ if (pucan_ermsg_get_channel(er) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pucan_ermsg_get_channel(er)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); + + /* keep a trace of tx and rx error counters for later use */ + pdev->bec.txerr = er->tx_err_cnt; +@@ -595,11 +612,17 @@ static int pcan_usb_fd_decode_overrun(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pcan_ufd_ovr_msg *ov = (struct pcan_ufd_ovr_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pufd_omsg_get_channel(ov)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pufd_omsg_get_channel(ov) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pufd_omsg_get_channel(ov)]; ++ netdev = dev->netdev; ++ + /* allocate an skb to store the error frame */ + skb = alloc_can_err_skb(netdev, &cf); + if (!skb) +@@ -716,6 +739,9 @@ static int pcan_usb_fd_encode_msg(struct peak_usb_device *dev, + u16 tx_msg_size, tx_msg_flags; + u8 can_dlc; + ++ if (cfd->len > CANFD_MAX_DLEN) ++ return -EINVAL; ++ + tx_msg_size = ALIGN(sizeof(struct pucan_tx_msg) + cfd->len, 4); + tx_msg->size = cpu_to_le16(tx_msg_size); + tx_msg->type = cpu_to_le16(PUCAN_MSG_CAN_TX); +-- +2.27.0 + diff --git a/queue-5.9/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch b/queue-5.9/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch new file mode 100644 index 00000000000..1f74b8e5991 --- /dev/null +++ b/queue-5.9/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch @@ -0,0 +1,96 @@ +From 5a1e9ceca163ffd944ea01f6efbade9c33f353f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 10:56:31 +0200 +Subject: can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping + +From: Stephane Grosjean + +[ Upstream commit ecc7b4187dd388549544195fb13a11b4ea8e6a84 ] + +Fabian Inostroza has discovered a potential +problem in the hardware timestamp reporting from the PCAN-USB USB CAN interface +(only), related to the fact that a timestamp of an event may precede the +timestamp used for synchronization when both records are part of the same USB +packet. However, this case was used to detect the wrapping of the time counter. + +This patch details and fixes the two identified cases where this problem can +occur. + +Reported-by: Fabian Inostroza +Signed-off-by: Stephane Grosjean +Link: https://lore.kernel.org/r/20201014085631.15128-1-s.grosjean@peak-system.com +Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 51 ++++++++++++++++++-- + 1 file changed, 46 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +index d91df34e7fa88..c2764799f9efb 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -130,14 +130,55 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time) + /* protect from getting time before setting now */ + if (ktime_to_ns(time_ref->tv_host)) { + u64 delta_us; ++ s64 delta_ts = 0; ++ ++ /* General case: dev_ts_1 < dev_ts_2 < ts, with: ++ * ++ * - dev_ts_1 = previous sync timestamp ++ * - dev_ts_2 = last sync timestamp ++ * - ts = event timestamp ++ * - ts_period = known sync period (theoretical) ++ * ~ dev_ts2 - dev_ts1 ++ * *but*: ++ * ++ * - time counters wrap (see adapter->ts_used_bits) ++ * - sometimes, dev_ts_1 < ts < dev_ts2 ++ * ++ * "normal" case (sync time counters increase): ++ * must take into account case when ts wraps (tsw) ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+----+-------0-+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * ts tsw ++ */ ++ if (time_ref->ts_dev_1 < time_ref->ts_dev_2) { ++ /* case when event time (tsw) wraps */ ++ if (ts < time_ref->ts_dev_1) ++ delta_ts = 1 << time_ref->adapter->ts_used_bits; ++ ++ /* Otherwise, sync time counter (ts_dev_2) has wrapped: ++ * handle case when event time (tsn) hasn't. ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+--0-+---------+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * tsn ts ++ */ ++ } else if (time_ref->ts_dev_1 < ts) { ++ delta_ts = -(1 << time_ref->adapter->ts_used_bits); ++ } + +- delta_us = ts - time_ref->ts_dev_2; +- if (ts < time_ref->ts_dev_2) +- delta_us &= (1 << time_ref->adapter->ts_used_bits) - 1; ++ /* add delay between last sync and event timestamps */ ++ delta_ts += (signed int)(ts - time_ref->ts_dev_2); + +- delta_us += time_ref->ts_total; ++ /* add time from beginning to last sync */ ++ delta_ts += time_ref->ts_total; + +- delta_us *= time_ref->adapter->us_per_ts_scale; ++ /* convert ticks number into microseconds */ ++ delta_us = delta_ts * time_ref->adapter->us_per_ts_scale; + delta_us >>= time_ref->adapter->us_per_ts_shift; + + *time = ktime_add_us(time_ref->tv_host_0, delta_us); +-- +2.27.0 + diff --git a/queue-5.9/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch b/queue-5.9/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch new file mode 100644 index 00000000000..18413634d88 --- /dev/null +++ b/queue-5.9/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch @@ -0,0 +1,98 @@ +From 91a796aa525b3cd36419526bd7385b4e40b6815a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 12:47:06 +0200 +Subject: can: rx-offload: don't call kfree_skb() from IRQ context + +From: Marc Kleine-Budde + +[ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ] + +A CAN driver, using the rx-offload infrastructure, is reading CAN frames +(usually in IRQ context) from the hardware and placing it into the rx-offload +queue to be delivered to the networking stack via NAPI. + +In case the rx-offload queue is full, trying to add more skbs results in the +skbs being dropped using kfree_skb(). If done from hard-IRQ context this +results in the following warning: + +[ 682.552693] ------------[ cut here ]------------ +[ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84 +[ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev +[ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18 +[ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +[ 682.589657] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 682.597423] [] (show_stack) from [] (dump_stack+0xe0/0x114) +[ 682.604759] [] (dump_stack) from [] (__warn+0xc0/0x10c) +[ 682.611742] [] (__warn) from [] (warn_slowpath_fmt+0x5c/0xc0) +[ 682.619248] [] (warn_slowpath_fmt) from [] (skb_release_head_state+0x74/0x84) +[ 682.628143] [] (skb_release_head_state) from [] (skb_release_all+0xc/0x24) +[ 682.636774] [] (skb_release_all) from [] (kfree_skb+0x74/0x1c8) +[ 682.644479] [] (kfree_skb) from [] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev]) +[ 682.654051] [] (can_rx_offload_queue_sorted [can_dev]) from [] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev]) +[ 682.666007] [] (can_rx_offload_get_echo_skb [can_dev]) from [] (flexcan_irq+0x194/0x5dc [flexcan]) +[ 682.676734] [] (flexcan_irq [flexcan]) from [] (__handle_irq_event_percpu+0x4c/0x3ec) +[ 682.686322] [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x2c/0x88) +[ 682.695993] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c) +[ 682.704887] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xc8/0x180) +[ 682.713432] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x30/0x44) +[ 682.722063] [] (generic_handle_irq) from [] (__handle_domain_irq+0x64/0xdc) +[ 682.730783] [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x9c) +[ 682.739158] [] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) +[ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20) +[ 682.751725] 9dc0: 00000001 e80e8000 +[ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000 +[ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff +[ 682.776315] [] (__irq_svc) from [] (lock_acquire+0x108/0x4e8) +[ 682.783821] [] (lock_acquire) from [] (down_write+0x48/0xa8) +[ 682.791242] [] (down_write) from [] (unlink_file_vma+0x24/0x40) +[ 682.798922] [] (unlink_file_vma) from [] (free_pgtables+0x34/0xb8) +[ 682.806858] [] (free_pgtables) from [] (exit_mmap+0xe4/0x170) +[ 682.814361] [] (exit_mmap) from [] (mmput+0x5c/0x110) +[ 682.821171] [] (mmput) from [] (do_exit+0x374/0xbe4) +[ 682.827892] [] (do_exit) from [] (do_group_exit+0x38/0xb4) +[ 682.835132] [] (do_group_exit) from [] (__wake_up_parent+0x0/0x14) +[ 682.843063] irq event stamp: 1936 +[ 682.846399] hardirqs last enabled at (1935): [] rmqueue+0xf4/0xc64 +[ 682.853553] hardirqs last disabled at (1936): [] __irq_svc+0x60/0x98 +[ 682.860799] softirqs last enabled at (1878): [] raw_release+0x108/0x1f0 [can_raw] +[ 682.869256] softirqs last disabled at (1876): [] release_sock+0x18/0x98 +[ 682.876753] ---[ end trace 7bca4751ce44c444 ]--- + +This patch fixes the problem by replacing the kfree_skb() by +dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers +as well. + +Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak") +Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak") +Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/rx-offload.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c +index e8328910a2349..0283b5cad746a 100644 +--- a/drivers/net/can/rx-offload.c ++++ b/drivers/net/can/rx-offload.c +@@ -245,7 +245,7 @@ int can_rx_offload_queue_sorted(struct can_rx_offload *offload, + + if (skb_queue_len(&offload->skb_queue) > + offload->skb_queue_len_max) { +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return -ENOBUFS; + } + +@@ -290,7 +290,7 @@ int can_rx_offload_queue_tail(struct can_rx_offload *offload, + { + if (skb_queue_len(&offload->skb_queue) > + offload->skb_queue_len_max) { +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return -ENOBUFS; + } + +-- +2.27.0 + diff --git a/queue-5.9/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch b/queue-5.9/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch new file mode 100644 index 00000000000..abaf728b28d --- /dev/null +++ b/queue-5.9/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch @@ -0,0 +1,60 @@ +From 64e42151eb0cdfe0e71d89c906b52775f46b8140 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 16:04:39 +0800 +Subject: can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in + error path + +From: Zhang Changzhong + +[ Upstream commit e002103b36a695f7cb6048b96da73e66c86ddffb ] + +The driver forgets to call clk_disable_unprepare() in error path after +a success calling for clk_prepare_enable(). + +Fix it by adding a clk_disable_unprepare() in error path. + +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1594973079-27743-1-git-send-email-zhangchangzhong@huawei.com +Fixes: befa60113ce7 ("can: ti_hecc: add missing prepare and unprepare of the clock") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/ti_hecc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index 94b1491b569f3..228ecd45ca6c1 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -950,7 +950,7 @@ static int ti_hecc_probe(struct platform_device *pdev) + err = clk_prepare_enable(priv->clk); + if (err) { + dev_err(&pdev->dev, "clk_prepare_enable() failed\n"); +- goto probe_exit_clk; ++ goto probe_exit_release_clk; + } + + priv->offload.mailbox_read = ti_hecc_mailbox_read; +@@ -959,7 +959,7 @@ static int ti_hecc_probe(struct platform_device *pdev) + err = can_rx_offload_add_timestamp(ndev, &priv->offload); + if (err) { + dev_err(&pdev->dev, "can_rx_offload_add_timestamp() failed\n"); +- goto probe_exit_clk; ++ goto probe_exit_disable_clk; + } + + err = register_candev(ndev); +@@ -977,7 +977,9 @@ static int ti_hecc_probe(struct platform_device *pdev) + + probe_exit_offload: + can_rx_offload_del(&priv->offload); +-probe_exit_clk: ++probe_exit_disable_clk: ++ clk_disable_unprepare(priv->clk); ++probe_exit_release_clk: + clk_put(priv->clk); + probe_exit_candev: + free_candev(ndev); +-- +2.27.0 + diff --git a/queue-5.9/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch b/queue-5.9/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch new file mode 100644 index 00000000000..1205c26fca0 --- /dev/null +++ b/queue-5.9/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch @@ -0,0 +1,63 @@ +From 2ca6b2767c36bc9ee62a79cb26cae7231b896c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 22:32:39 -0500 +Subject: can: xilinx_can: handle failure cases of pm_runtime_get_sync + +From: Navid Emamdoost + +[ Upstream commit 79c43333bdd5a7026a5aab606b53053b643585e7 ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count. Call pm_runtime_put if +pm_runtime_get_sync fails. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20200605033239.60664-1-navid.emamdoost@gmail.com +Fixes: 4716620d1b62 ("can: xilinx: Convert to runtime_pm") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/xilinx_can.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index c1dbab8c896d5..748ff70f6a7bf 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1391,7 +1391,7 @@ static int xcan_open(struct net_device *ndev) + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); +- return ret; ++ goto err; + } + + ret = request_irq(ndev->irq, xcan_interrupt, priv->irq_flags, +@@ -1475,6 +1475,7 @@ static int xcan_get_berr_counter(const struct net_device *ndev, + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); ++ pm_runtime_put(priv->dev); + return ret; + } + +@@ -1789,7 +1790,7 @@ static int xcan_probe(struct platform_device *pdev) + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); +- goto err_pmdisable; ++ goto err_disableclks; + } + + if (priv->read_reg(priv, XCAN_SR_OFFSET) != XCAN_SR_CONFIG_MASK) { +@@ -1824,7 +1825,6 @@ static int xcan_probe(struct platform_device *pdev) + + err_disableclks: + pm_runtime_put(priv->dev); +-err_pmdisable: + pm_runtime_disable(&pdev->dev); + err_free: + free_candev(ndev); +-- +2.27.0 + diff --git a/queue-5.9/ceph-check-session-state-after-bumping-session-s_seq.patch b/queue-5.9/ceph-check-session-state-after-bumping-session-s_seq.patch new file mode 100644 index 00000000000..77700664a58 --- /dev/null +++ b/queue-5.9/ceph-check-session-state-after-bumping-session-s_seq.patch @@ -0,0 +1,179 @@ +From 137b1125848af6a44ce33ca52c9c684998b3d99b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 09:39:06 -0400 +Subject: ceph: check session state after bumping session->s_seq + +From: Jeff Layton + +[ Upstream commit 62575e270f661aba64778cbc5f354511cf9abb21 ] + +Some messages sent by the MDS entail a session sequence number +increment, and the MDS will drop certain types of requests on the floor +when the sequence numbers don't match. + +In particular, a REQUEST_CLOSE message can cross with one of the +sequence morphing messages from the MDS which can cause the client to +stall, waiting for a response that will never come. + +Originally, this meant an up to 5s delay before the recurring workqueue +job kicked in and resent the request, but a recent change made it so +that the client would never resend, causing a 60s stall unmounting and +sometimes a blockisting event. + +Add a new helper for incrementing the session sequence and then testing +to see whether a REQUEST_CLOSE needs to be resent, and move the handling +of CEPH_MDS_SESSION_CLOSING into that function. Change all of the +bare sequence counter increments to use the new helper. + +Reorganize check_session_state with a switch statement. It should no +longer be called when the session is CLOSING, so throw a warning if it +ever is (but still handle that case sanely). + +[ idryomov: whitespace, pr_err() call fixup ] + +URL: https://tracker.ceph.com/issues/47563 +Fixes: fa9967734227 ("ceph: fix potential mdsc use-after-free crash") +Reported-by: Patrick Donnelly +Signed-off-by: Jeff Layton +Reviewed-by: Ilya Dryomov +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 2 +- + fs/ceph/mds_client.c | 50 +++++++++++++++++++++++++++++++------------- + fs/ceph/mds_client.h | 1 + + fs/ceph/quota.c | 2 +- + fs/ceph/snap.c | 2 +- + 5 files changed, 39 insertions(+), 18 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 034b3f4fdd3a7..64a64a29f5c79 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -4064,7 +4064,7 @@ void ceph_handle_caps(struct ceph_mds_session *session, + vino.snap, inode); + + mutex_lock(&session->s_mutex); +- session->s_seq++; ++ inc_session_sequence(session); + dout(" mds%d seq %lld cap seq %u\n", session->s_mds, session->s_seq, + (unsigned)seq); + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 76d8d9495d1d4..b2214679baf4e 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -4227,7 +4227,7 @@ static void handle_lease(struct ceph_mds_client *mdsc, + dname.len, dname.name); + + mutex_lock(&session->s_mutex); +- session->s_seq++; ++ inc_session_sequence(session); + + if (!inode) { + dout("handle_lease no inode %llx\n", vino.ino); +@@ -4381,28 +4381,48 @@ static void maybe_recover_session(struct ceph_mds_client *mdsc) + + bool check_session_state(struct ceph_mds_session *s) + { +- if (s->s_state == CEPH_MDS_SESSION_CLOSING) { +- dout("resending session close request for mds%d\n", +- s->s_mds); +- request_close_session(s); +- return false; +- } +- if (s->s_ttl && time_after(jiffies, s->s_ttl)) { +- if (s->s_state == CEPH_MDS_SESSION_OPEN) { ++ switch (s->s_state) { ++ case CEPH_MDS_SESSION_OPEN: ++ if (s->s_ttl && time_after(jiffies, s->s_ttl)) { + s->s_state = CEPH_MDS_SESSION_HUNG; + pr_info("mds%d hung\n", s->s_mds); + } +- } +- if (s->s_state == CEPH_MDS_SESSION_NEW || +- s->s_state == CEPH_MDS_SESSION_RESTARTING || +- s->s_state == CEPH_MDS_SESSION_CLOSED || +- s->s_state == CEPH_MDS_SESSION_REJECTED) +- /* this mds is failed or recovering, just wait */ ++ break; ++ case CEPH_MDS_SESSION_CLOSING: ++ /* Should never reach this when we're unmounting */ ++ WARN_ON_ONCE(true); ++ fallthrough; ++ case CEPH_MDS_SESSION_NEW: ++ case CEPH_MDS_SESSION_RESTARTING: ++ case CEPH_MDS_SESSION_CLOSED: ++ case CEPH_MDS_SESSION_REJECTED: + return false; ++ } + + return true; + } + ++/* ++ * If the sequence is incremented while we're waiting on a REQUEST_CLOSE reply, ++ * then we need to retransmit that request. ++ */ ++void inc_session_sequence(struct ceph_mds_session *s) ++{ ++ lockdep_assert_held(&s->s_mutex); ++ ++ s->s_seq++; ++ ++ if (s->s_state == CEPH_MDS_SESSION_CLOSING) { ++ int ret; ++ ++ dout("resending session close request for mds%d\n", s->s_mds); ++ ret = request_close_session(s); ++ if (ret < 0) ++ pr_err("unable to close session to mds%d: %d\n", ++ s->s_mds, ret); ++ } ++} ++ + /* + * delayed work -- periodically trim expired leases, renew caps with mds + */ +diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h +index 658800605bfb4..11f20a4d36bc5 100644 +--- a/fs/ceph/mds_client.h ++++ b/fs/ceph/mds_client.h +@@ -480,6 +480,7 @@ struct ceph_mds_client { + extern const char *ceph_mds_op_name(int op); + + extern bool check_session_state(struct ceph_mds_session *s); ++void inc_session_sequence(struct ceph_mds_session *s); + + extern struct ceph_mds_session * + __ceph_lookup_mds_session(struct ceph_mds_client *, int mds); +diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c +index cc2c4d40b0222..2b213f864c564 100644 +--- a/fs/ceph/quota.c ++++ b/fs/ceph/quota.c +@@ -53,7 +53,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc, + + /* increment msg sequence number */ + mutex_lock(&session->s_mutex); +- session->s_seq++; ++ inc_session_sequence(session); + mutex_unlock(&session->s_mutex); + + /* lookup inode */ +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index 923be9399b21c..cc9a9bfc790a3 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -873,7 +873,7 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, + ceph_snap_op_name(op), split, trace_len); + + mutex_lock(&session->s_mutex); +- session->s_seq++; ++ inc_session_sequence(session); + mutex_unlock(&session->s_mutex); + + down_write(&mdsc->snap_rwsem); +-- +2.27.0 + diff --git a/queue-5.9/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch b/queue-5.9/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch new file mode 100644 index 00000000000..12af28c005e --- /dev/null +++ b/queue-5.9/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch @@ -0,0 +1,58 @@ +From ba4db06d47008d44d789bd54bf849665577a6468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 13:14:52 -0400 +Subject: dm raid: fix discard limits for raid1 and raid10 + +From: Mike Snitzer + +[ Upstream commit e0910c8e4f87bb9f767e61a778b0d9271c4dc512 ] + +Block core warned that discard_granularity was 0 for dm-raid with +personality of raid1. Reason is that raid_io_hints() was incorrectly +special-casing raid1 rather than raid0. + +But since commit 29efc390b9462 ("md/md0: optimize raid0 discard +handling") even raid0 properly handles large discards. + +Fix raid_io_hints() by removing discard limits settings for raid1. +Also, fix limits for raid10 by properly stacking underlying limits as +done in blk_stack_limits(). + +Depends-on: 29efc390b9462 ("md/md0: optimize raid0 discard handling") +Fixes: 61697a6abd24a ("dm: eliminate 'split_discard_bios' flag from DM target interface") +Cc: stable@vger.kernel.org +Reported-by: Zdenek Kabelac +Reported-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index 8d2b835d7a108..b45232f9b5c6c 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3730,12 +3730,14 @@ static void raid_io_hints(struct dm_target *ti, struct queue_limits *limits) + blk_limits_io_opt(limits, chunk_size_bytes * mddev_data_stripes(rs)); + + /* +- * RAID1 and RAID10 personalities require bio splitting, +- * RAID0/4/5/6 don't and process large discard bios properly. ++ * RAID10 personality requires bio splitting, ++ * RAID0/1/4/5/6 don't and process large discard bios properly. + */ +- if (rs_is_raid1(rs) || rs_is_raid10(rs)) { +- limits->discard_granularity = chunk_size_bytes; +- limits->max_discard_sectors = rs->md.chunk_sectors; ++ if (rs_is_raid10(rs)) { ++ limits->discard_granularity = max(chunk_size_bytes, ++ limits->discard_granularity); ++ limits->max_discard_sectors = min_not_zero(rs->md.chunk_sectors, ++ limits->max_discard_sectors); + } + } + +-- +2.27.0 + diff --git a/queue-5.9/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch b/queue-5.9/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch new file mode 100644 index 00000000000..fd4cd6d3165 --- /dev/null +++ b/queue-5.9/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch @@ -0,0 +1,89 @@ +From 796f969672c3ccafe78d092aef05be6de0fac156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 21:38:25 +0100 +Subject: drm/i915/gem: Flush coherency domains on first set-domain-ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +[ Upstream commit 59dd13ad310793757e34afa489dd6fc8544fc3da ] + +Avoid skipping what appears to be a no-op set-domain-ioctl if the cache +coherency state is inconsistent with our target domain. This also has +the utility of using the population of the pages to validate the backing +store. + +The danger in skipping the first set-domain is leaving the cache +inconsistent and submitting stale data, or worse leaving the clean data +in the cache and not flushing it to the GPU. The impact should be small +as it requires a no-op set-domain as the very first ioctl in a +particular sequence not found in typical userspace. + +Reported-by: Zbigniew Kempczyński +Fixes: 754a25442705 ("drm/i915: Skip object locking around a no-op set-domain ioctl") +Testcase: igt/gem_mmap_offset/blt-coherency +Signed-off-by: Chris Wilson +Cc: Joonas Lahtinen +Cc: Matthew Auld +Cc: Zbigniew Kempczyński +Cc: # v5.2+ +Reviewed-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20201019203825.10966-1-chris@chris-wilson.co.uk +(cherry picked from commit 44c2200afcd59f441b43f27829b4003397cc495d) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gem/i915_gem_domain.c | 28 ++++++++++------------ + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_domain.c b/drivers/gpu/drm/i915/gem/i915_gem_domain.c +index 7f76fc68f498a..ba8758011e297 100644 +--- a/drivers/gpu/drm/i915/gem/i915_gem_domain.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_domain.c +@@ -484,21 +484,6 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data, + if (!obj) + return -ENOENT; + +- /* +- * Already in the desired write domain? Nothing for us to do! +- * +- * We apply a little bit of cunning here to catch a broader set of +- * no-ops. If obj->write_domain is set, we must be in the same +- * obj->read_domains, and only that domain. Therefore, if that +- * obj->write_domain matches the request read_domains, we are +- * already in the same read/write domain and can skip the operation, +- * without having to further check the requested write_domain. +- */ +- if (READ_ONCE(obj->write_domain) == read_domains) { +- err = 0; +- goto out; +- } +- + /* + * Try to flush the object off the GPU without holding the lock. + * We will repeat the flush holding the lock in the normal manner +@@ -536,6 +521,19 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data, + if (err) + goto out; + ++ /* ++ * Already in the desired write domain? Nothing for us to do! ++ * ++ * We apply a little bit of cunning here to catch a broader set of ++ * no-ops. If obj->write_domain is set, we must be in the same ++ * obj->read_domains, and only that domain. Therefore, if that ++ * obj->write_domain matches the request read_domains, we are ++ * already in the same read/write domain and can skip the operation, ++ * without having to further check the requested write_domain. ++ */ ++ if (READ_ONCE(obj->write_domain) == read_domains) ++ goto out_unpin; ++ + err = i915_gem_object_lock_interruptible(obj); + if (err) + goto out_unpin; +-- +2.27.0 + diff --git a/queue-5.9/drm-i915-hold-onto-an-explicit-ref-to-i915_vma_work..patch b/queue-5.9/drm-i915-hold-onto-an-explicit-ref-to-i915_vma_work..patch new file mode 100644 index 00000000000..f7ace66665e --- /dev/null +++ b/queue-5.9/drm-i915-hold-onto-an-explicit-ref-to-i915_vma_work..patch @@ -0,0 +1,59 @@ +From 933bb75072aac04a8d2c6eb8b870c89e5eebcc84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 16:19:31 +0000 +Subject: drm/i915: Hold onto an explicit ref to i915_vma_work.pinned + +From: Chris Wilson + +[ Upstream commit 537457a979a02a410b555fab289dcb28b588f33b ] + +Since __vma_release is run by a kworker after the fence has been +signaled, it is no longer protected by the active reference on the vma, +and so the alias of vw->pinned to vma->obj is also not protected by a +reference on the object. Add an explicit reference for vw->pinned so it +will always be safe. + +Found by inspection. + +Fixes: 54d7195f8c64 ("drm/i915: Unpin vma->obj on early error") +Reported-by: Tvrtko Ursulin +Signed-off-by: Chris Wilson +Cc: Tvrtko Ursulin +Cc: # v5.6+ +Reviewed-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20201102161931.30031-1-chris@chris-wilson.co.uk +(cherry picked from commit bc73e5d33048b7ab5f12b11b5d923700467a8e1d) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/i915_vma.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c +index bc64f773dcdb4..034d0a8d24c8c 100644 +--- a/drivers/gpu/drm/i915/i915_vma.c ++++ b/drivers/gpu/drm/i915/i915_vma.c +@@ -315,8 +315,10 @@ static void __vma_release(struct dma_fence_work *work) + { + struct i915_vma_work *vw = container_of(work, typeof(*vw), base); + +- if (vw->pinned) ++ if (vw->pinned) { + __i915_gem_object_unpin_pages(vw->pinned); ++ i915_gem_object_put(vw->pinned); ++ } + } + + static const struct dma_fence_work_ops bind_ops = { +@@ -430,7 +432,7 @@ int i915_vma_bind(struct i915_vma *vma, + + if (vma->obj) { + __i915_gem_object_pin_pages(vma->obj); +- work->pinned = vma->obj; ++ work->pinned = i915_gem_object_get(vma->obj); + } + } else { + ret = vma->ops->bind_vma(vma->vm, vma, cache_level, bind_flags); +-- +2.27.0 + diff --git a/queue-5.9/drm-panfrost-fix-module-unload.patch b/queue-5.9/drm-panfrost-fix-module-unload.patch new file mode 100644 index 00000000000..6624ecc6964 --- /dev/null +++ b/queue-5.9/drm-panfrost-fix-module-unload.patch @@ -0,0 +1,54 @@ +From 04412c80432c7d657050cc38e488089690229778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Oct 2020 14:58:33 +0000 +Subject: drm/panfrost: Fix module unload + +From: Steven Price + +[ Upstream commit 876b15d2c88d8c005f1aebeaa23f1e448d834757 ] + +When unloading the call to pm_runtime_put_sync_suspend() will attempt to +turn the GPU cores off, however panfrost_device_fini() will have turned +the clocks off. This leads to the hardware locking up. + +Instead don't call pm_runtime_put_sync_suspend() and instead simply mark +the device as suspended using pm_runtime_set_suspended(). And also +include this on the error path in panfrost_probe(). + +Fixes: aebe8c22a912 ("drm/panfrost: Fix possible suspend in panfrost_remove") +Signed-off-by: Steven Price +Reviewed-by: Tomeu Vizoso +Signed-off-by: Boris Brezillon +Link: https://patchwork.freedesktop.org/patch/msgid/20201030145833.29006-1-steven.price@arm.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_drv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c +index f2dd259f28995..5d95917f923a1 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c +@@ -626,6 +626,7 @@ static int panfrost_probe(struct platform_device *pdev) + err_out1: + pm_runtime_disable(pfdev->dev); + panfrost_device_fini(pfdev); ++ pm_runtime_set_suspended(pfdev->dev); + err_out0: + drm_dev_put(ddev); + return err; +@@ -640,9 +641,9 @@ static int panfrost_remove(struct platform_device *pdev) + panfrost_gem_shrinker_cleanup(ddev); + + pm_runtime_get_sync(pfdev->dev); +- panfrost_device_fini(pfdev); +- pm_runtime_put_sync_suspend(pfdev->dev); + pm_runtime_disable(pfdev->dev); ++ panfrost_device_fini(pfdev); ++ pm_runtime_set_suspended(pfdev->dev); + + drm_dev_put(ddev); + return 0; +-- +2.27.0 + diff --git a/queue-5.9/drm-panfrost-move-devfreq_init-fini-in-device.patch b/queue-5.9/drm-panfrost-move-devfreq_init-fini-in-device.patch new file mode 100644 index 00000000000..a3c8b8abf96 --- /dev/null +++ b/queue-5.9/drm-panfrost-move-devfreq_init-fini-in-device.patch @@ -0,0 +1,126 @@ +From 6ad41a41c6f760cc18a411a3ce534e177d895c09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 11:54:03 +0200 +Subject: drm/panfrost: move devfreq_init()/fini() in device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Péron + +[ Upstream commit 25e247bbf85af3ad721dfeb2e2caf405f43b7e66 ] + +Later we will introduce devfreq probing regulator if they +are present. As regulator should be probe only one time we +need to get this logic in the device_init(). + +panfrost_device is already taking care of devfreq_resume() +and devfreq_suspend(), so it's not totally illogic to move +the devfreq_init() and devfreq_fini() here. + +Reviewed-by: Alyssa Rosenzweig +Reviewed-by: Steven Price +Signed-off-by: Clément Péron +Signed-off-by: Rob Herring +Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-9-peron.clem@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_device.c | 12 +++++++++++- + drivers/gpu/drm/panfrost/panfrost_drv.c | 15 ++------------- + 2 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_device.c b/drivers/gpu/drm/panfrost/panfrost_device.c +index 9f89984f652a6..36b5c8fea3eba 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_device.c ++++ b/drivers/gpu/drm/panfrost/panfrost_device.c +@@ -214,9 +214,16 @@ int panfrost_device_init(struct panfrost_device *pfdev) + return err; + } + ++ err = panfrost_devfreq_init(pfdev); ++ if (err) { ++ if (err != -EPROBE_DEFER) ++ dev_err(pfdev->dev, "devfreq init failed %d\n", err); ++ goto out_clk; ++ } ++ + err = panfrost_regulator_init(pfdev); + if (err) +- goto out_clk; ++ goto out_devfreq; + + err = panfrost_reset_init(pfdev); + if (err) { +@@ -265,6 +272,8 @@ out_reset: + panfrost_reset_fini(pfdev); + out_regulator: + panfrost_regulator_fini(pfdev); ++out_devfreq: ++ panfrost_devfreq_fini(pfdev); + out_clk: + panfrost_clk_fini(pfdev); + return err; +@@ -278,6 +287,7 @@ void panfrost_device_fini(struct panfrost_device *pfdev) + panfrost_gpu_fini(pfdev); + panfrost_pm_domain_fini(pfdev); + panfrost_reset_fini(pfdev); ++ panfrost_devfreq_fini(pfdev); + panfrost_regulator_fini(pfdev); + panfrost_clk_fini(pfdev); + } +diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c +index f6d5d03201fad..f2dd259f28995 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c +@@ -14,7 +14,6 @@ + #include + + #include "panfrost_device.h" +-#include "panfrost_devfreq.h" + #include "panfrost_gem.h" + #include "panfrost_mmu.h" + #include "panfrost_job.h" +@@ -606,13 +605,6 @@ static int panfrost_probe(struct platform_device *pdev) + goto err_out0; + } + +- err = panfrost_devfreq_init(pfdev); +- if (err) { +- if (err != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Fatal error during devfreq init\n"); +- goto err_out1; +- } +- + pm_runtime_set_active(pfdev->dev); + pm_runtime_mark_last_busy(pfdev->dev); + pm_runtime_enable(pfdev->dev); +@@ -625,16 +617,14 @@ static int panfrost_probe(struct platform_device *pdev) + */ + err = drm_dev_register(ddev, 0); + if (err < 0) +- goto err_out2; ++ goto err_out1; + + panfrost_gem_shrinker_init(ddev); + + return 0; + +-err_out2: +- pm_runtime_disable(pfdev->dev); +- panfrost_devfreq_fini(pfdev); + err_out1: ++ pm_runtime_disable(pfdev->dev); + panfrost_device_fini(pfdev); + err_out0: + drm_dev_put(ddev); +@@ -650,7 +640,6 @@ static int panfrost_remove(struct platform_device *pdev) + panfrost_gem_shrinker_cleanup(ddev); + + pm_runtime_get_sync(pfdev->dev); +- panfrost_devfreq_fini(pfdev); + panfrost_device_fini(pfdev); + pm_runtime_put_sync_suspend(pfdev->dev); + pm_runtime_disable(pfdev->dev); +-- +2.27.0 + diff --git a/queue-5.9/drm-panfrost-rename-error-labels-in-device_init.patch b/queue-5.9/drm-panfrost-rename-error-labels-in-device_init.patch new file mode 100644 index 00000000000..7c526bda5ac --- /dev/null +++ b/queue-5.9/drm-panfrost-rename-error-labels-in-device_init.patch @@ -0,0 +1,103 @@ +From 0dc5248217e94653466fe3a4bb23fa8bf76f3f7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 11:54:02 +0200 +Subject: drm/panfrost: rename error labels in device_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Péron + +[ Upstream commit d3c335da0200be9287cdf5755d19f62ce1670a8d ] + +Rename goto labels in device_init it will be easier to maintain. + +Reviewed-by: Alyssa Rosenzweig +Reviewed-by: Steven Price +Signed-off-by: Clément Péron +Signed-off-by: Rob Herring +Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-8-peron.clem@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_device.c | 30 +++++++++++----------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_device.c b/drivers/gpu/drm/panfrost/panfrost_device.c +index b172087eee6ae..9f89984f652a6 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_device.c ++++ b/drivers/gpu/drm/panfrost/panfrost_device.c +@@ -216,56 +216,56 @@ int panfrost_device_init(struct panfrost_device *pfdev) + + err = panfrost_regulator_init(pfdev); + if (err) +- goto err_out0; ++ goto out_clk; + + err = panfrost_reset_init(pfdev); + if (err) { + dev_err(pfdev->dev, "reset init failed %d\n", err); +- goto err_out1; ++ goto out_regulator; + } + + err = panfrost_pm_domain_init(pfdev); + if (err) +- goto err_out2; ++ goto out_reset; + + res = platform_get_resource(pfdev->pdev, IORESOURCE_MEM, 0); + pfdev->iomem = devm_ioremap_resource(pfdev->dev, res); + if (IS_ERR(pfdev->iomem)) { + dev_err(pfdev->dev, "failed to ioremap iomem\n"); + err = PTR_ERR(pfdev->iomem); +- goto err_out3; ++ goto out_pm_domain; + } + + err = panfrost_gpu_init(pfdev); + if (err) +- goto err_out3; ++ goto out_pm_domain; + + err = panfrost_mmu_init(pfdev); + if (err) +- goto err_out4; ++ goto out_gpu; + + err = panfrost_job_init(pfdev); + if (err) +- goto err_out5; ++ goto out_mmu; + + err = panfrost_perfcnt_init(pfdev); + if (err) +- goto err_out6; ++ goto out_job; + + return 0; +-err_out6: ++out_job: + panfrost_job_fini(pfdev); +-err_out5: ++out_mmu: + panfrost_mmu_fini(pfdev); +-err_out4: ++out_gpu: + panfrost_gpu_fini(pfdev); +-err_out3: ++out_pm_domain: + panfrost_pm_domain_fini(pfdev); +-err_out2: ++out_reset: + panfrost_reset_fini(pfdev); +-err_out1: ++out_regulator: + panfrost_regulator_fini(pfdev); +-err_out0: ++out_clk: + panfrost_clk_fini(pfdev); + return err; + } +-- +2.27.0 + diff --git a/queue-5.9/drm-vc4-bo-add-a-managed-action-to-cleanup-the-cache.patch b/queue-5.9/drm-vc4-bo-add-a-managed-action-to-cleanup-the-cache.patch new file mode 100644 index 00000000000..74d44e56b90 --- /dev/null +++ b/queue-5.9/drm-vc4-bo-add-a-managed-action-to-cleanup-the-cache.patch @@ -0,0 +1,85 @@ +From 7e21d1e98be880d8552099b0f0b7c7332843a7a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 20:00:59 +0100 +Subject: drm/vc4: bo: Add a managed action to cleanup the cache + +From: Maxime Ripard + +[ Upstream commit 1c80be48c70a2198f7cf04a546b3805b92293ac6 ] + +The BO cache needs to be cleaned up using vc4_bo_cache_destroy, but it's +not used consistently (vc4_drv's bind calls it in its error path, but +doesn't in unbind), and we can make that automatic through a managed +action. Let's remove the requirement to call vc4_bo_cache_destroy. + +Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.") +Acked-by: Daniel Vetter +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20201029190104.2181730-1-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 5 +++-- + drivers/gpu/drm/vc4/vc4_drv.c | 1 - + drivers/gpu/drm/vc4/vc4_drv.h | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 74ceebd62fbce..073b528f33337 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -1005,6 +1005,7 @@ int vc4_get_tiling_ioctl(struct drm_device *dev, void *data, + return 0; + } + ++static void vc4_bo_cache_destroy(struct drm_device *dev, void *unused); + int vc4_bo_cache_init(struct drm_device *dev) + { + struct vc4_dev *vc4 = to_vc4_dev(dev); +@@ -1033,10 +1034,10 @@ int vc4_bo_cache_init(struct drm_device *dev) + INIT_WORK(&vc4->bo_cache.time_work, vc4_bo_cache_time_work); + timer_setup(&vc4->bo_cache.time_timer, vc4_bo_cache_time_timer, 0); + +- return 0; ++ return drmm_add_action_or_reset(dev, vc4_bo_cache_destroy, NULL); + } + +-void vc4_bo_cache_destroy(struct drm_device *dev) ++static void vc4_bo_cache_destroy(struct drm_device *dev, void *unused) + { + struct vc4_dev *vc4 = to_vc4_dev(dev); + int i; +diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c +index f6995e7f6eb6e..c7aeaba3fabe8 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.c ++++ b/drivers/gpu/drm/vc4/vc4_drv.c +@@ -311,7 +311,6 @@ unbind_all: + gem_destroy: + vc4_gem_destroy(drm); + drm_mode_config_cleanup(drm); +- vc4_bo_cache_destroy(drm); + dev_put: + drm_dev_put(drm); + return ret; +diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h +index fa19160c801f8..528c28895a8e0 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.h ++++ b/drivers/gpu/drm/vc4/vc4_drv.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -786,7 +787,6 @@ struct drm_gem_object *vc4_prime_import_sg_table(struct drm_device *dev, + struct sg_table *sgt); + void *vc4_prime_vmap(struct drm_gem_object *obj); + int vc4_bo_cache_init(struct drm_device *dev); +-void vc4_bo_cache_destroy(struct drm_device *dev); + int vc4_bo_inc_usecnt(struct vc4_bo *bo); + void vc4_bo_dec_usecnt(struct vc4_bo *bo); + void vc4_bo_add_to_purgeable_pool(struct vc4_bo *bo); +-- +2.27.0 + diff --git a/queue-5.9/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch b/queue-5.9/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch new file mode 100644 index 00000000000..bfe3daf1dda --- /dev/null +++ b/queue-5.9/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch @@ -0,0 +1,37 @@ +From 422eb8bc1382ef82fb9bd7acc415e825583e041e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 21:41:44 +0100 +Subject: genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY + +From: Marc Zyngier + +[ Upstream commit 151a535171be6ff824a0a3875553ea38570f4c05 ] + +kernel/irq/ipi.c otherwise fails to compile if nothing else +selects it. + +Fixes: 379b656446a3 ("genirq: Add GENERIC_IRQ_IPI Kconfig symbol") +Reported-by: Pavel Machek +Tested-by: Pavel Machek +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20201015101222.GA32747@amd +Signed-off-by: Sasha Levin +--- + kernel/irq/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig +index 10a5aff4eecc8..164a031cfdb66 100644 +--- a/kernel/irq/Kconfig ++++ b/kernel/irq/Kconfig +@@ -82,6 +82,7 @@ config IRQ_FASTEOI_HIERARCHY_HANDLERS + # Generic IRQ IPI support + config GENERIC_IRQ_IPI + bool ++ select IRQ_DOMAIN_HIERARCHY + + # Generic MSI interrupt support + config GENERIC_MSI_IRQ +-- +2.27.0 + diff --git a/queue-5.9/hv_balloon-disable-warning-when-floor-reached.patch b/queue-5.9/hv_balloon-disable-warning-when-floor-reached.patch new file mode 100644 index 00000000000..23238370347 --- /dev/null +++ b/queue-5.9/hv_balloon-disable-warning-when-floor-reached.patch @@ -0,0 +1,40 @@ +From 2b7944f307e1f27b334f656ab15277d741f2cb6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 09:12:15 +0200 +Subject: hv_balloon: disable warning when floor reached + +From: Olaf Hering + +[ Upstream commit 2c3bd2a5c86fe744e8377733c5e511a5ca1e14f5 ] + +It is not an error if the host requests to balloon down, but the VM +refuses to do so. Without this change a warning is logged in dmesg +every five minutes. + +Fixes: b3bb97b8a49f3 ("Drivers: hv: balloon: Add logging for dynamic memory operations") + +Signed-off-by: Olaf Hering +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20201008071216.16554-1-olaf@aepfle.de +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/hv_balloon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c +index 32e3bc0aa665a..0f50295d02149 100644 +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -1275,7 +1275,7 @@ static void balloon_up(struct work_struct *dummy) + + /* Refuse to balloon below the floor. */ + if (avail_pages < num_pages || avail_pages - num_pages < floor) { +- pr_warn("Balloon request will be partially fulfilled. %s\n", ++ pr_info("Balloon request will be partially fulfilled. %s\n", + avail_pages < num_pages ? "Not enough memory." : + "Balloon floor reached."); + +-- +2.27.0 + diff --git a/queue-5.9/ib-srpt-fix-memory-leak-in-srpt_add_one.patch b/queue-5.9/ib-srpt-fix-memory-leak-in-srpt_add_one.patch new file mode 100644 index 00000000000..5817747cf25 --- /dev/null +++ b/queue-5.9/ib-srpt-fix-memory-leak-in-srpt_add_one.patch @@ -0,0 +1,85 @@ +From 6a24226663e79dcf79a0035b3cb02ba9030f8862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 08:50:51 +0200 +Subject: IB/srpt: Fix memory leak in srpt_add_one + +From: Maor Gottlieb + +[ Upstream commit 372a1786283e50e7cb437ab7fdb1b95597310ad7 ] + +Failure in srpt_refresh_port() for the second port will leave MAD +registered for the first one, however, the srpt_add_one() will be marked +as "failed" and SRPT will leak resources for that registered but not used +and released first port. + +Unregister the MAD agent for all ports in case of failure. + +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Link: https://lore.kernel.org/r/20201028065051.112430-1-leon@kernel.org +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 0065eb17ae36b..1b096305de1a4 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -622,10 +622,11 @@ static int srpt_refresh_port(struct srpt_port *sport) + /** + * srpt_unregister_mad_agent - unregister MAD callback functions + * @sdev: SRPT HCA pointer. ++ * #port_cnt: number of ports with registered MAD + * + * Note: It is safe to call this function more than once for the same device. + */ +-static void srpt_unregister_mad_agent(struct srpt_device *sdev) ++static void srpt_unregister_mad_agent(struct srpt_device *sdev, int port_cnt) + { + struct ib_port_modify port_modify = { + .clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP, +@@ -633,7 +634,7 @@ static void srpt_unregister_mad_agent(struct srpt_device *sdev) + struct srpt_port *sport; + int i; + +- for (i = 1; i <= sdev->device->phys_port_cnt; i++) { ++ for (i = 1; i <= port_cnt; i++) { + sport = &sdev->port[i - 1]; + WARN_ON(sport->port != i); + if (sport->mad_agent) { +@@ -3185,7 +3186,8 @@ static int srpt_add_one(struct ib_device *device) + if (ret) { + pr_err("MAD registration failed for %s-%d.\n", + dev_name(&sdev->device->dev), i); +- goto err_event; ++ i--; ++ goto err_port; + } + } + +@@ -3197,7 +3199,8 @@ static int srpt_add_one(struct ib_device *device) + pr_debug("added %s.\n", dev_name(&device->dev)); + return 0; + +-err_event: ++err_port: ++ srpt_unregister_mad_agent(sdev, i); + ib_unregister_event_handler(&sdev->event_handler); + err_cm: + if (sdev->cm_id) +@@ -3221,7 +3224,7 @@ static void srpt_remove_one(struct ib_device *device, void *client_data) + struct srpt_device *sdev = client_data; + int i; + +- srpt_unregister_mad_agent(sdev); ++ srpt_unregister_mad_agent(sdev, sdev->device->phys_port_cnt); + + ib_unregister_event_handler(&sdev->event_handler); + +-- +2.27.0 + diff --git a/queue-5.9/io_uring-ensure-consistent-view-of-original-task-mm-.patch b/queue-5.9/io_uring-ensure-consistent-view-of-original-task-mm-.patch new file mode 100644 index 00000000000..f4e118e9293 --- /dev/null +++ b/queue-5.9/io_uring-ensure-consistent-view-of-original-task-mm-.patch @@ -0,0 +1,68 @@ +From be8046cd68b521f8e5e2744b4e226e4ab10854b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 10:39:05 -0700 +Subject: io_uring: ensure consistent view of original task ->mm from SQPOLL + +From: Jens Axboe + +[ Upstream commit 4b70cf9dea4cd239b425f3282fa56ce19e234c8a ] + +Ensure we get a valid view of the task mm, by using task_lock() when +attempting to grab the original task mm. + +Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com +Fixes: 2aede0e417db ("io_uring: stash ctx task reference for SQPOLL") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 1033e0e18f24f..2d5ca9476814d 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -952,20 +952,33 @@ static void io_sq_thread_drop_mm(void) + if (mm) { + kthread_unuse_mm(mm); + mmput(mm); ++ current->mm = NULL; + } + } + + static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx) + { +- if (!current->mm) { +- if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) || +- !ctx->sqo_task->mm || +- !mmget_not_zero(ctx->sqo_task->mm))) +- return -EFAULT; +- kthread_use_mm(ctx->sqo_task->mm); ++ struct mm_struct *mm; ++ ++ if (current->mm) ++ return 0; ++ ++ /* Should never happen */ ++ if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL))) ++ return -EFAULT; ++ ++ task_lock(ctx->sqo_task); ++ mm = ctx->sqo_task->mm; ++ if (unlikely(!mm || !mmget_not_zero(mm))) ++ mm = NULL; ++ task_unlock(ctx->sqo_task); ++ ++ if (mm) { ++ kthread_use_mm(mm); ++ return 0; + } + +- return 0; ++ return -EFAULT; + } + + static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx, +-- +2.27.0 + diff --git a/queue-5.9/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch b/queue-5.9/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch new file mode 100644 index 00000000000..abd92496912 --- /dev/null +++ b/queue-5.9/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch @@ -0,0 +1,40 @@ +From b0aaf97350602138d182daa076a416b4c324caa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Oct 2020 10:37:24 +0800 +Subject: iommu/vt-d: Fix a bug for PDP check in prq_event_thread + +From: Liu, Yi L + +[ Upstream commit 71cd8e2d16703a9df5c86a9e19f4cba99316cc53 ] + +In prq_event_thread(), the QI_PGRP_PDP is wrongly set by +'req->pasid_present' which should be replaced to +'req->priv_data_present'. + +Fixes: 5b438f4ba315 ("iommu/vt-d: Support page request in scalable mode") +Signed-off-by: Liu, Yi L +Signed-off-by: Yi Sun +Acked-by: Lu Baolu +Link: https://lore.kernel.org/r/1604025444-6954-3-git-send-email-yi.y.sun@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c +index a71fbbddaa66e..20fa8c7fcd8e7 100644 +--- a/drivers/iommu/intel/svm.c ++++ b/drivers/iommu/intel/svm.c +@@ -1001,7 +1001,7 @@ no_pasid: + resp.qw0 = QI_PGRP_PASID(req->pasid) | + QI_PGRP_DID(req->rid) | + QI_PGRP_PASID_P(req->pasid_present) | +- QI_PGRP_PDP(req->pasid_present) | ++ QI_PGRP_PDP(req->priv_data_present) | + QI_PGRP_RESP_CODE(result) | + QI_PGRP_RESP_TYPE; + resp.qw1 = QI_PGRP_IDX(req->prg_index) | +-- +2.27.0 + diff --git a/queue-5.9/iommu-vt-d-fix-sid-not-set-issue-in-intel_svm_bind_g.patch b/queue-5.9/iommu-vt-d-fix-sid-not-set-issue-in-intel_svm_bind_g.patch new file mode 100644 index 00000000000..54f267f9f40 --- /dev/null +++ b/queue-5.9/iommu-vt-d-fix-sid-not-set-issue-in-intel_svm_bind_g.patch @@ -0,0 +1,57 @@ +From 7f11f1c050fab9d379f8e2f23bb5af51e651b0b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Oct 2020 10:37:23 +0800 +Subject: iommu/vt-d: Fix sid not set issue in intel_svm_bind_gpasid() + +From: Liu Yi L + +[ Upstream commit eea4e29ab8bef254b228d6e1e3de188087b2c7d0 ] + +Should get correct sid and set it into sdev. Because we execute +'sdev->sid != req->rid' in the loop of prq_event_thread(). + +Fixes: eb8d93ea3c1d ("iommu/vt-d: Report page request faults for guest SVA") +Signed-off-by: Liu Yi L +Signed-off-by: Yi Sun +Acked-by: Lu Baolu +Link: https://lore.kernel.org/r/1604025444-6954-2-git-send-email-yi.y.sun@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/svm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c +index 95c3164a2302f..a71fbbddaa66e 100644 +--- a/drivers/iommu/intel/svm.c ++++ b/drivers/iommu/intel/svm.c +@@ -278,6 +278,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, + struct intel_iommu *iommu = device_to_iommu(dev, NULL, NULL); + struct intel_svm_dev *sdev = NULL; + struct dmar_domain *dmar_domain; ++ struct device_domain_info *info; + struct intel_svm *svm = NULL; + int ret = 0; + +@@ -302,6 +303,10 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, + if (data->hpasid <= 0 || data->hpasid >= PASID_MAX) + return -EINVAL; + ++ info = get_domain_info(dev); ++ if (!info) ++ return -EINVAL; ++ + dmar_domain = to_dmar_domain(domain); + + mutex_lock(&pasid_mutex); +@@ -349,6 +354,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, + goto out; + } + sdev->dev = dev; ++ sdev->sid = PCI_DEVID(info->bus, info->devfn); + + /* Only count users if device has aux domains */ + if (iommu_dev_feature_enabled(dev, IOMMU_DEV_FEAT_AUX)) +-- +2.27.0 + diff --git a/queue-5.9/irqchip-sifive-plic-fix-broken-irq_set_affinity-call.patch b/queue-5.9/irqchip-sifive-plic-fix-broken-irq_set_affinity-call.patch new file mode 100644 index 00000000000..10fa3cefb74 --- /dev/null +++ b/queue-5.9/irqchip-sifive-plic-fix-broken-irq_set_affinity-call.patch @@ -0,0 +1,63 @@ +From f4a8ef6867bf285e1c0a26f11388a90f7b958f49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 16:15:32 +0800 +Subject: irqchip/sifive-plic: Fix broken irq_set_affinity() callback + +From: Greentime Hu + +[ Upstream commit a7480c5d725c4ecfc627e70960f249c34f5d13e8 ] + +An interrupt submitted to an affinity change will always be left enabled +after plic_set_affinity() has been called, while the expectation is that +it should stay in whatever state it was before the call. + +Preserving the configuration fixes a PWM hang issue on the Unleashed +board. + +[ 919.015783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks: +[ 919.020922] rcu: 0-...0: (0 ticks this GP) +idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=105807 +[ 919.030295] (detected by 1, t=225825 jiffies, g=1561, q=3496) +[ 919.036109] Task dump for CPU 0: +[ 919.039321] kworker/0:1 R running task 0 30 2 0x00000008 +[ 919.046359] Workqueue: events set_brightness_delayed +[ 919.051302] Call Trace: +[ 919.053738] [] __schedule+0x194/0x4de +[ 982.035783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks: +[ 982.040923] rcu: 0-...0: (0 ticks this GP) +idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=113325 +[ 982.050294] (detected by 1, t=241580 jiffies, g=1561, q=3509) +[ 982.056108] Task dump for CPU 0: +[ 982.059321] kworker/0:1 R running task 0 30 2 0x00000008 +[ 982.066359] Workqueue: events set_brightness_delayed +[ 982.071302] Call Trace: +[ 982.073739] [] __schedule+0x194/0x4de +[..] + +Fixes: bb0fed1c60cc ("irqchip/sifive-plic: Switch to fasteoi flow") +Signed-off-by: Greentime Hu +[maz: tidy-up commit message] +Signed-off-by: Marc Zyngier +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/r/20201020081532.2377-1-greentime.hu@sifive.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-sifive-plic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c +index eaa3e9fe54e91..4048657ece0ac 100644 +--- a/drivers/irqchip/irq-sifive-plic.c ++++ b/drivers/irqchip/irq-sifive-plic.c +@@ -151,7 +151,7 @@ static int plic_set_affinity(struct irq_data *d, + return -EINVAL; + + plic_irq_toggle(&priv->lmask, d, 0); +- plic_irq_toggle(cpumask_of(cpu), d, 1); ++ plic_irq_toggle(cpumask_of(cpu), d, !irqd_irq_masked(d)); + + irq_data_update_effective_affinity(d, cpumask_of(cpu)); + +-- +2.27.0 + diff --git a/queue-5.9/irqchip-sifive-plic-fix-chip_data-access-within-a-hi.patch b/queue-5.9/irqchip-sifive-plic-fix-chip_data-access-within-a-hi.patch new file mode 100644 index 00000000000..684eb25cc79 --- /dev/null +++ b/queue-5.9/irqchip-sifive-plic-fix-chip_data-access-within-a-hi.patch @@ -0,0 +1,70 @@ +From c10f2dab0f055acbb1e163d207859a47f600f811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 10:37:38 +0800 +Subject: irqchip/sifive-plic: Fix chip_data access within a hierarchy + +From: Greentime Hu + +[ Upstream commit f9ac7bbd6e4540dcc6df621b9c9b6eb2e26ded1d ] + +The plic driver crashes in plic_irq_unmask() when the interrupt is within a +hierarchy, as it picks the top-level chip_data instead of its local one. + +Using irq_data_get_irq_chip_data() instead of irq_get_chip_data() solves +the issue for good. + +Fixes: f1ad1133b18f ("irqchip/sifive-plic: Add support for multiple PLICs") +Signed-off-by: Greentime Hu +[maz: rewrote commit message] +Signed-off-by: Marc Zyngier +Reviewed-by: Anup Patel +Reviewed-by: Atish Patra +Link: https://lore.kernel.org/r/20201029023738.127472-1-greentime.hu@sifive.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-sifive-plic.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c +index 4048657ece0ac..6f432d2a5cebd 100644 +--- a/drivers/irqchip/irq-sifive-plic.c ++++ b/drivers/irqchip/irq-sifive-plic.c +@@ -99,7 +99,7 @@ static inline void plic_irq_toggle(const struct cpumask *mask, + struct irq_data *d, int enable) + { + int cpu; +- struct plic_priv *priv = irq_get_chip_data(d->irq); ++ struct plic_priv *priv = irq_data_get_irq_chip_data(d); + + writel(enable, priv->regs + PRIORITY_BASE + d->hwirq * PRIORITY_PER_ID); + for_each_cpu(cpu, mask) { +@@ -115,7 +115,7 @@ static void plic_irq_unmask(struct irq_data *d) + { + struct cpumask amask; + unsigned int cpu; +- struct plic_priv *priv = irq_get_chip_data(d->irq); ++ struct plic_priv *priv = irq_data_get_irq_chip_data(d); + + cpumask_and(&amask, &priv->lmask, cpu_online_mask); + cpu = cpumask_any_and(irq_data_get_affinity_mask(d), +@@ -127,7 +127,7 @@ static void plic_irq_unmask(struct irq_data *d) + + static void plic_irq_mask(struct irq_data *d) + { +- struct plic_priv *priv = irq_get_chip_data(d->irq); ++ struct plic_priv *priv = irq_data_get_irq_chip_data(d); + + plic_irq_toggle(&priv->lmask, d, 0); + } +@@ -138,7 +138,7 @@ static int plic_set_affinity(struct irq_data *d, + { + unsigned int cpu; + struct cpumask amask; +- struct plic_priv *priv = irq_get_chip_data(d->irq); ++ struct plic_priv *priv = irq_data_get_irq_chip_data(d); + + cpumask_and(&amask, &priv->lmask, mask_val); + +-- +2.27.0 + diff --git a/queue-5.9/kbuild-explicitly-specify-the-build-id-style.patch b/queue-5.9/kbuild-explicitly-specify-the-build-id-style.patch new file mode 100644 index 00000000000..f834bc8f262 --- /dev/null +++ b/queue-5.9/kbuild-explicitly-specify-the-build-id-style.patch @@ -0,0 +1,165 @@ +From c64a75c279af31423368be8bbbfb3d0423efbd0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 16:21:40 -0700 +Subject: kbuild: explicitly specify the build id style + +From: Bill Wendling + +[ Upstream commit a968433723310f35898b4a2f635a7991aeef66b1 ] + +ld's --build-id defaults to "sha1" style, while lld defaults to "fast". +The build IDs are very different between the two, which may confuse +programs that reference them. + +Signed-off-by: Bill Wendling +Acked-by: David S. Miller +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + Makefile | 4 ++-- + arch/arm/vdso/Makefile | 2 +- + arch/arm64/kernel/vdso/Makefile | 2 +- + arch/arm64/kernel/vdso32/Makefile | 2 +- + arch/mips/vdso/Makefile | 2 +- + arch/riscv/kernel/vdso/Makefile | 2 +- + arch/s390/kernel/vdso64/Makefile | 2 +- + arch/sparc/vdso/Makefile | 2 +- + arch/x86/entry/vdso/Makefile | 2 +- + tools/testing/selftests/bpf/Makefile | 2 +- + 10 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/Makefile b/Makefile +index 035d86a0d291d..245c66fa8be17 100644 +--- a/Makefile ++++ b/Makefile +@@ -973,8 +973,8 @@ KBUILD_CPPFLAGS += $(KCPPFLAGS) + KBUILD_AFLAGS += $(KAFLAGS) + KBUILD_CFLAGS += $(KCFLAGS) + +-KBUILD_LDFLAGS_MODULE += --build-id +-LDFLAGS_vmlinux += --build-id ++KBUILD_LDFLAGS_MODULE += --build-id=sha1 ++LDFLAGS_vmlinux += --build-id=sha1 + + ifeq ($(CONFIG_STRIP_ASM_SYMS),y) + LDFLAGS_vmlinux += $(call ld-option, -X,) +diff --git a/arch/arm/vdso/Makefile b/arch/arm/vdso/Makefile +index a54f70731d9f1..150ce6e6a5d31 100644 +--- a/arch/arm/vdso/Makefile ++++ b/arch/arm/vdso/Makefile +@@ -19,7 +19,7 @@ ccflags-y += -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO32 + ldflags-$(CONFIG_CPU_ENDIAN_BE8) := --be8 + ldflags-y := -Bsymbolic --no-undefined -soname=linux-vdso.so.1 \ + -z max-page-size=4096 -nostdlib -shared $(ldflags-y) \ +- --hash-style=sysv --build-id \ ++ --hash-style=sysv --build-id=sha1 \ + -T + + obj-$(CONFIG_VDSO) += vdso.o +diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile +index 45d5cfe464290..871915097f9d1 100644 +--- a/arch/arm64/kernel/vdso/Makefile ++++ b/arch/arm64/kernel/vdso/Makefile +@@ -24,7 +24,7 @@ btildflags-$(CONFIG_ARM64_BTI_KERNEL) += -z force-bti + # routines, as x86 does (see 6f121e548f83 ("x86, vdso: Reimplement vdso.so + # preparation in build-time C")). + ldflags-y := -shared -nostdlib -soname=linux-vdso.so.1 --hash-style=sysv \ +- -Bsymbolic $(call ld-option, --no-eh-frame-hdr) --build-id -n \ ++ -Bsymbolic $(call ld-option, --no-eh-frame-hdr) --build-id=sha1 -n \ + $(btildflags-y) -T + + ccflags-y := -fno-common -fno-builtin -fno-stack-protector -ffixed-x18 +diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile +index d6adb4677c25f..4fa4b3fe8efb7 100644 +--- a/arch/arm64/kernel/vdso32/Makefile ++++ b/arch/arm64/kernel/vdso32/Makefile +@@ -128,7 +128,7 @@ VDSO_LDFLAGS += -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-soname=linux-vdso.so.1 + VDSO_LDFLAGS += -Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096 + VDSO_LDFLAGS += -nostdlib -shared -mfloat-abi=soft + VDSO_LDFLAGS += -Wl,--hash-style=sysv +-VDSO_LDFLAGS += -Wl,--build-id ++VDSO_LDFLAGS += -Wl,--build-id=sha1 + VDSO_LDFLAGS += $(call cc32-ldoption,-fuse-ld=bfd) + + +diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile +index 57fe832352819..5810cc12bc1d9 100644 +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -61,7 +61,7 @@ endif + # VDSO linker flags. + ldflags-y := -Bsymbolic --no-undefined -soname=linux-vdso.so.1 \ + $(filter -E%,$(KBUILD_CFLAGS)) -nostdlib -shared \ +- -G 0 --eh-frame-hdr --hash-style=sysv --build-id -T ++ -G 0 --eh-frame-hdr --hash-style=sysv --build-id=sha1 -T + + CFLAGS_REMOVE_vdso.o = -pg + +diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile +index 478e7338ddc10..7d6a94d45ec94 100644 +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -49,7 +49,7 @@ $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE + # refer to these symbols in the kernel code rather than hand-coded addresses. + + SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \ +- -Wl,--build-id -Wl,--hash-style=both ++ -Wl,--build-id=sha1 -Wl,--hash-style=both + $(obj)/vdso-dummy.o: $(src)/vdso.lds $(obj)/rt_sigreturn.o FORCE + $(call if_changed,vdsold) + +diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile +index 4a66a1cb919b1..edc473b32e420 100644 +--- a/arch/s390/kernel/vdso64/Makefile ++++ b/arch/s390/kernel/vdso64/Makefile +@@ -19,7 +19,7 @@ KBUILD_AFLAGS_64 += -m64 -s + KBUILD_CFLAGS_64 := $(filter-out -m64,$(KBUILD_CFLAGS)) + KBUILD_CFLAGS_64 += -m64 -fPIC -shared -fno-common -fno-builtin + ldflags-y := -fPIC -shared -nostdlib -soname=linux-vdso64.so.1 \ +- --hash-style=both --build-id -T ++ --hash-style=both --build-id=sha1 -T + + $(targets:%=$(obj)/%.dbg): KBUILD_CFLAGS = $(KBUILD_CFLAGS_64) + $(targets:%=$(obj)/%.dbg): KBUILD_AFLAGS = $(KBUILD_AFLAGS_64) +diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile +index f44355e46f31f..469dd23887abb 100644 +--- a/arch/sparc/vdso/Makefile ++++ b/arch/sparc/vdso/Makefile +@@ -115,7 +115,7 @@ quiet_cmd_vdso = VDSO $@ + -T $(filter %.lds,$^) $(filter %.o,$^) && \ + sh $(srctree)/$(src)/checkundef.sh '$(OBJDUMP)' '$@' + +-VDSO_LDFLAGS = -shared --hash-style=both --build-id -Bsymbolic ++VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 -Bsymbolic + GCOV_PROFILE := n + + # +diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile +index 215376d975a29..ebba25ed9a386 100644 +--- a/arch/x86/entry/vdso/Makefile ++++ b/arch/x86/entry/vdso/Makefile +@@ -176,7 +176,7 @@ quiet_cmd_vdso = VDSO $@ + -T $(filter %.lds,$^) $(filter %.o,$^) && \ + sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@' + +-VDSO_LDFLAGS = -shared --hash-style=both --build-id \ ++VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 \ + $(call ld-option, --eh-frame-hdr) -Bsymbolic + GCOV_PROFILE := n + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index fc946b7ac288d..daf186f88a636 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -133,7 +133,7 @@ $(OUTPUT)/%:%.c + + $(OUTPUT)/urandom_read: urandom_read.c + $(call msg,BINARY,,$@) +- $(Q)$(CC) $(LDFLAGS) -o $@ $< $(LDLIBS) -Wl,--build-id ++ $(Q)$(CC) $(LDFLAGS) -o $@ $< $(LDLIBS) -Wl,--build-id=sha1 + + $(OUTPUT)/test_stub.o: test_stub.c $(BPFOBJ) + $(call msg,CC,,$@) +-- +2.27.0 + diff --git a/queue-5.9/kunit-don-t-fail-test-suites-if-one-of-them-is-empty.patch b/queue-5.9/kunit-don-t-fail-test-suites-if-one-of-them-is-empty.patch new file mode 100644 index 00000000000..c4502d12471 --- /dev/null +++ b/queue-5.9/kunit-don-t-fail-test-suites-if-one-of-them-is-empty.patch @@ -0,0 +1,39 @@ +From c6267c8d4eaae58ccc94a9beb113d17438b39d6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 19:28:17 +0300 +Subject: kunit: Don't fail test suites if one of them is empty + +From: Andy Shevchenko + +[ Upstream commit 3fc48259d5250f7a3ee021ad0492b604c428c564 ] + +Empty test suite is okay test suite. + +Don't fail the rest of the test suites if one of them is empty. + +Fixes: 6ebf5866f2e8 ("kunit: tool: add Python wrappers for running KUnit tests") +Signed-off-by: Andy Shevchenko +Reviewed-by: Brendan Higgins +Tested-by: Brendan Higgins +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/kunit/kunit_parser.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py +index 62a0848699671..91036d5d51cf6 100644 +--- a/tools/testing/kunit/kunit_parser.py ++++ b/tools/testing/kunit/kunit_parser.py +@@ -232,7 +232,7 @@ def parse_test_suite(lines: List[str]) -> TestSuite: + return None + test_suite.name = name + expected_test_case_num = parse_subtest_plan(lines) +- if not expected_test_case_num: ++ if expected_test_case_num is None: + return None + while expected_test_case_num > 0: + test_case = parse_test_case(lines) +-- +2.27.0 + diff --git a/queue-5.9/kunit-fix-kunit.py-raw_output-option.patch b/queue-5.9/kunit-fix-kunit.py-raw_output-option.patch new file mode 100644 index 00000000000..74dee17fa29 --- /dev/null +++ b/queue-5.9/kunit-fix-kunit.py-raw_output-option.patch @@ -0,0 +1,39 @@ +From c30ba428ac8ffcf752527d283f2beb484a11eef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 20:04:55 -0700 +Subject: kunit: Fix kunit.py --raw_output option + +From: David Gow + +[ Upstream commit 3023d8ff3fc60e5d32dc1d05f99ad6ffa12b0033 ] + +Due to the raw_output() function on kunit_parser.py actually being a +generator, it only runs if something reads the lines it returns. Since +we no-longer do that (parsing doesn't actually happen if raw_output is +enabled), it was not printing anything. + +Fixes: 45ba7a893ad8 ("kunit: kunit_tool: Separate out config/build/exec/parse") +Signed-off-by: David Gow +Reviewed-by: Brendan Higgins +Tested-by: Brendan Higgins +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/kunit/kunit_parser.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py +index f13e0c0d66639..62a0848699671 100644 +--- a/tools/testing/kunit/kunit_parser.py ++++ b/tools/testing/kunit/kunit_parser.py +@@ -65,7 +65,6 @@ def isolate_kunit_output(kernel_output): + def raw_output(kernel_output): + for line in kernel_output: + print(line) +- yield line + + DIVIDER = '=' * 60 + +-- +2.27.0 + diff --git a/queue-5.9/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch b/queue-5.9/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch new file mode 100644 index 00000000000..eb433b1ab8a --- /dev/null +++ b/queue-5.9/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch @@ -0,0 +1,45 @@ +From 9839f6b9a91436708dc4912c681327bc1a7d5427 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 16:54:07 +0530 +Subject: KVM: arm64: Force PTE mapping on fault resulting in a device mapping + +From: Santosh Shukla + +[ Upstream commit 91a2c34b7d6fadc9c5d9433c620ea4c32ee7cae8 ] + +VFIO allows a device driver to resolve a fault by mapping a MMIO +range. This can be subsequently result in user_mem_abort() to +try and compute a huge mapping based on the MMIO pfn, which is +a sure recipe for things to go wrong. + +Instead, force a PTE mapping when the pfn faulted in has a device +mapping. + +Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings") +Suggested-by: Marc Zyngier +Signed-off-by: Santosh Shukla +[maz: rewritten commit message] +Signed-off-by: Marc Zyngier +Reviewed-by: Gavin Shan +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1603711447-11998-2-git-send-email-sashukla@nvidia.com +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c +index 3d26b47a13430..7a4ad984d54e0 100644 +--- a/arch/arm64/kvm/mmu.c ++++ b/arch/arm64/kvm/mmu.c +@@ -1920,6 +1920,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, + if (kvm_is_device_pfn(pfn)) { + mem_type = PAGE_S2_DEVICE; + flags |= KVM_S2PTE_FLAG_IS_IOMAP; ++ force_pte = true; + } else if (logging_active) { + /* + * Faults on pages in a memslot with logging enabled +-- +2.27.0 + diff --git a/queue-5.9/mac80211-don-t-require-vht-elements-for-he-on-2.4-gh.patch b/queue-5.9/mac80211-don-t-require-vht-elements-for-he-on-2.4-gh.patch new file mode 100644 index 00000000000..34de24043fa --- /dev/null +++ b/queue-5.9/mac80211-don-t-require-vht-elements-for-he-on-2.4-gh.patch @@ -0,0 +1,46 @@ +From 6db73e4b05335fe318b2d00d97b6291ee17532e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 14:01:57 +0200 +Subject: mac80211: don't require VHT elements for HE on 2.4 GHz + +From: Johannes Berg + +[ Upstream commit c2f46814521113f6699a74e0a0424cbc5b305479 ] + +After the previous similar bugfix there was another bug here, +if no VHT elements were found we also disabled HE. Fix this to +disable HE only on the 5 GHz band; on 6 GHz it was already not +disabled, and on 2.4 GHz there need (should) not be any VHT. + +Fixes: 57fa5e85d53c ("mac80211: determine chandef from HE 6 GHz operation") +Link: https://lore.kernel.org/r/20201013140156.535a2fc6192f.Id6e5e525a60ac18d245d86f4015f1b271fce6ee6@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 2e400b0ff6961..0f30f50c46b1b 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5359,6 +5359,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + struct cfg80211_assoc_request *req) + { + bool is_6ghz = req->bss->channel->band == NL80211_BAND_6GHZ; ++ bool is_5ghz = req->bss->channel->band == NL80211_BAND_5GHZ; + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct ieee80211_bss *bss = (void *)req->bss->priv; +@@ -5507,7 +5508,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + if (vht_ie && vht_ie[1] >= sizeof(struct ieee80211_vht_cap)) + memcpy(&assoc_data->ap_vht_cap, vht_ie + 2, + sizeof(struct ieee80211_vht_cap)); +- else if (!is_6ghz) ++ else if (is_5ghz) + ifmgd->flags |= IEEE80211_STA_DISABLE_VHT | + IEEE80211_STA_DISABLE_HE; + rcu_read_unlock(); +-- +2.27.0 + diff --git a/queue-5.9/mm-memcg-link-page-counters-to-root-if-use_hierarchy.patch b/queue-5.9/mm-memcg-link-page-counters-to-root-if-use_hierarchy.patch new file mode 100644 index 00000000000..996f8e7e8e2 --- /dev/null +++ b/queue-5.9/mm-memcg-link-page-counters-to-root-if-use_hierarchy.patch @@ -0,0 +1,108 @@ +From 77f999a460d1455d7f0513e20c01c52605b5577a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Nov 2020 17:07:34 -0800 +Subject: mm: memcg: link page counters to root if use_hierarchy is false +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roman Gushchin + +[ Upstream commit 8de15e920dc85d1705ab9c202c95d56845bc2d48 ] + +Richard reported a warning which can be reproduced by running the LTP +madvise6 test (cgroup v1 in the non-hierarchical mode should be used): + + WARNING: CPU: 0 PID: 12 at mm/page_counter.c:57 page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156) + Modules linked in: + CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.9.0-rc7-22-default #77 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812d-rebuilt.opensuse.org 04/01/2014 + Workqueue: events drain_local_stock + RIP: 0010:page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156) + Call Trace: + __memcg_kmem_uncharge (mm/memcontrol.c:3022) + drain_obj_stock (./include/linux/rcupdate.h:689 mm/memcontrol.c:3114) + drain_local_stock (mm/memcontrol.c:2255) + process_one_work (./arch/x86/include/asm/jump_label.h:25 ./include/linux/jump_label.h:200 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2274) + worker_thread (./include/linux/list.h:282 kernel/workqueue.c:2416) + kthread (kernel/kthread.c:292) + ret_from_fork (arch/x86/entry/entry_64.S:300) + +The problem occurs because in the non-hierarchical mode non-root page +counters are not linked to root page counters, so the charge is not +propagated to the root memory cgroup. + +After the removal of the original memory cgroup and reparenting of the +object cgroup, the root cgroup might be uncharged by draining a objcg +stock, for example. It leads to an eventual underflow of the charge and +triggers a warning. + +Fix it by linking all page counters to corresponding root page counters +in the non-hierarchical mode. + +Please note, that in the non-hierarchical mode all objcgs are always +reparented to the root memory cgroup, even if the hierarchy has more +than 1 level. This patch doesn't change it. + +The patch also doesn't affect how the hierarchical mode is working, +which is the only sane and truly supported mode now. + +Thanks to Richard for reporting, debugging and providing an alternative +version of the fix! + +Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") +Reported-by: +Signed-off-by: Roman Gushchin +Signed-off-by: Andrew Morton +Reviewed-by: Shakeel Butt +Reviewed-by: Michal Koutný +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: +Link: https://lkml.kernel.org/r/20201026231326.3212225-1-guro@fb.com +Debugged-by: Richard Palethorpe +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 9eefdb9cc2303..de51787831728 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5298,7 +5298,13 @@ mem_cgroup_css_alloc(struct cgroup_subsys_state *parent_css) + memcg->swappiness = mem_cgroup_swappiness(parent); + memcg->oom_kill_disable = parent->oom_kill_disable; + } +- if (parent && parent->use_hierarchy) { ++ if (!parent) { ++ page_counter_init(&memcg->memory, NULL); ++ page_counter_init(&memcg->swap, NULL); ++ page_counter_init(&memcg->memsw, NULL); ++ page_counter_init(&memcg->kmem, NULL); ++ page_counter_init(&memcg->tcpmem, NULL); ++ } else if (parent->use_hierarchy) { + memcg->use_hierarchy = true; + page_counter_init(&memcg->memory, &parent->memory); + page_counter_init(&memcg->swap, &parent->swap); +@@ -5306,11 +5312,11 @@ mem_cgroup_css_alloc(struct cgroup_subsys_state *parent_css) + page_counter_init(&memcg->kmem, &parent->kmem); + page_counter_init(&memcg->tcpmem, &parent->tcpmem); + } else { +- page_counter_init(&memcg->memory, NULL); +- page_counter_init(&memcg->swap, NULL); +- page_counter_init(&memcg->memsw, NULL); +- page_counter_init(&memcg->kmem, NULL); +- page_counter_init(&memcg->tcpmem, NULL); ++ page_counter_init(&memcg->memory, &root_mem_cgroup->memory); ++ page_counter_init(&memcg->swap, &root_mem_cgroup->swap); ++ page_counter_init(&memcg->memsw, &root_mem_cgroup->memsw); ++ page_counter_init(&memcg->kmem, &root_mem_cgroup->kmem); ++ page_counter_init(&memcg->tcpmem, &root_mem_cgroup->tcpmem); + /* + * Deeper hierachy with use_hierarchy == false doesn't make + * much sense so let cgroup subsystem know about this +-- +2.27.0 + diff --git a/queue-5.9/mm-memcontrol-correct-the-nr_anon_thps-counter-of-hi.patch b/queue-5.9/mm-memcontrol-correct-the-nr_anon_thps-counter-of-hi.patch new file mode 100644 index 00000000000..360b18fe346 --- /dev/null +++ b/queue-5.9/mm-memcontrol-correct-the-nr_anon_thps-counter-of-hi.patch @@ -0,0 +1,56 @@ +From d12f5cc12212b466bb5612e7a826a94bb12d1451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Nov 2020 17:07:30 -0800 +Subject: mm: memcontrol: correct the NR_ANON_THPS counter of hierarchical + memcg + +From: zhongjiang-ali + +[ Upstream commit 7de2e9f195b9cb27583c5c64deaaf5e6afcc163e ] + +memcg_page_state will get the specified number in hierarchical memcg, It +should multiply by HPAGE_PMD_NR rather than an page if the item is +NR_ANON_THPS. + +[akpm@linux-foundation.org: fix printk warning] +[akpm@linux-foundation.org: use u64 cast, per Michal] + +Fixes: 468c398233da ("mm: memcontrol: switch to native NR_ANON_THPS counter") +Signed-off-by: zhongjiang-ali +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Acked-by: Michal Hocko +Link: https://lkml.kernel.org/r/1603722395-72443-1-git-send-email-zhongjiang-ali@linux.alibaba.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index de51787831728..51ce5d172855a 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4068,11 +4068,17 @@ static int memcg_stat_show(struct seq_file *m, void *v) + (u64)memsw * PAGE_SIZE); + + for (i = 0; i < ARRAY_SIZE(memcg1_stats); i++) { ++ unsigned long nr; ++ + if (memcg1_stats[i] == MEMCG_SWAP && !do_memsw_account()) + continue; ++ nr = memcg_page_state(memcg, memcg1_stats[i]); ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++ if (memcg1_stats[i] == NR_ANON_THPS) ++ nr *= HPAGE_PMD_NR; ++#endif + seq_printf(m, "total_%s %llu\n", memcg1_stat_names[i], +- (u64)memcg_page_state(memcg, memcg1_stats[i]) * +- PAGE_SIZE); ++ (u64)nr * PAGE_SIZE); + } + + for (i = 0; i < ARRAY_SIZE(memcg1_events); i++) +-- +2.27.0 + diff --git a/queue-5.9/mtd-spi-nor-fix-address-width-on-flash-chips-16mb.patch b/queue-5.9/mtd-spi-nor-fix-address-width-on-flash-chips-16mb.patch new file mode 100644 index 00000000000..35ea3c56502 --- /dev/null +++ b/queue-5.9/mtd-spi-nor-fix-address-width-on-flash-chips-16mb.patch @@ -0,0 +1,59 @@ +From 8438202b95b0fa25e2ed0f8eb044476494ee61a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 15:23:46 +0200 +Subject: mtd: spi-nor: Fix address width on flash chips > 16MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bert Vermeulen + +[ Upstream commit 324f78dfb442b82365548b657ec4e6974c677502 ] + +If a flash chip has more than 16MB capacity but its BFPT reports +BFPT_DWORD1_ADDRESS_BYTES_3_OR_4, the spi-nor framework defaults to 3. + +The check in spi_nor_set_addr_width() doesn't catch it because addr_width +did get set. This fixes that check. + +Fixes: f9acd7fa80be ("mtd: spi-nor: sfdp: default to addr_width of 3 for configurable widths") +Signed-off-by: Bert Vermeulen +Signed-off-by: Vignesh Raghavendra +Reviewed-by: Tudor Ambarus +Reviewed-by: Pratyush Yadav +Reviewed-by: Joel Stanley +Reviewed-by: Cédric Le Goater +Tested-by: Joel Stanley +Tested-by: Cédric Le Goater +Link: https://lore.kernel.org/r/20201006132346.12652-1-bert@biot.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c +index b37d6c1936de1..f0ae7a01703a1 100644 +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -3008,13 +3008,15 @@ static int spi_nor_set_addr_width(struct spi_nor *nor) + /* already configured from SFDP */ + } else if (nor->info->addr_width) { + nor->addr_width = nor->info->addr_width; +- } else if (nor->mtd.size > 0x1000000) { +- /* enable 4-byte addressing if the device exceeds 16MiB */ +- nor->addr_width = 4; + } else { + nor->addr_width = 3; + } + ++ if (nor->addr_width == 3 && nor->mtd.size > 0x1000000) { ++ /* enable 4-byte addressing if the device exceeds 16MiB */ ++ nor->addr_width = 4; ++ } ++ + if (nor->addr_width > SPI_NOR_MAX_ADDR_WIDTH) { + dev_dbg(nor->dev, "address width is too large: %u\n", + nor->addr_width); +-- +2.27.0 + diff --git a/queue-5.9/nbd-don-t-update-block-size-after-device-is-started.patch b/queue-5.9/nbd-don-t-update-block-size-after-device-is-started.patch new file mode 100644 index 00000000000..a019090b6fe --- /dev/null +++ b/queue-5.9/nbd-don-t-update-block-size-after-device-is-started.patch @@ -0,0 +1,72 @@ +From 80d138ac02a0858d064a435d9e552a87c179d710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:24:34 +0800 +Subject: nbd: don't update block size after device is started + +From: Ming Lei + +[ Upstream commit b40813ddcd6bf9f01d020804e4cb8febc480b9e4 ] + +Mounted NBD device can be resized, one use case is rbd-nbd. + +Fix the issue by setting up default block size, then not touch it +in nbd_size_update() any more. This kind of usage is aligned with loop +which has same use case too. + +Cc: stable@vger.kernel.org +Fixes: c8a83a6b54d0 ("nbd: Use set_blocksize() to set device blocksize") +Reported-by: lining +Signed-off-by: Ming Lei +Cc: Josef Bacik +Cc: Jan Kara +Tested-by: lining +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index f46e26c9d9b3c..d76fca629c143 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -296,7 +296,7 @@ static void nbd_size_clear(struct nbd_device *nbd) + } + } + +-static void nbd_size_update(struct nbd_device *nbd) ++static void nbd_size_update(struct nbd_device *nbd, bool start) + { + struct nbd_config *config = nbd->config; + struct block_device *bdev = bdget_disk(nbd->disk, 0); +@@ -312,7 +312,8 @@ static void nbd_size_update(struct nbd_device *nbd) + if (bdev) { + if (bdev->bd_disk) { + bd_set_size(bdev, config->bytesize); +- set_blocksize(bdev, config->blksize); ++ if (start) ++ set_blocksize(bdev, config->blksize); + } else + bdev->bd_invalidated = 1; + bdput(bdev); +@@ -327,7 +328,7 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize, + config->blksize = blocksize; + config->bytesize = blocksize * nr_blocks; + if (nbd->task_recv != NULL) +- nbd_size_update(nbd); ++ nbd_size_update(nbd, false); + } + + static void nbd_complete_rq(struct request *req) +@@ -1307,7 +1308,7 @@ static int nbd_start_device(struct nbd_device *nbd) + args->index = i; + queue_work(nbd->recv_workq, &args->work); + } +- nbd_size_update(nbd); ++ nbd_size_update(nbd, true); + return error; + } + +-- +2.27.0 + diff --git a/queue-5.9/net-xfrm-fix-a-race-condition-during-allocing-spi.patch b/queue-5.9/net-xfrm-fix-a-race-condition-during-allocing-spi.patch new file mode 100644 index 00000000000..dc1be2aadf9 --- /dev/null +++ b/queue-5.9/net-xfrm-fix-a-race-condition-during-allocing-spi.patch @@ -0,0 +1,94 @@ +From b542aa3f9477cb620eb6a301b92412cc96fdeca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Oct 2020 09:05:35 +0200 +Subject: net: xfrm: fix a race condition during allocing spi + +From: zhuoliang zhang + +[ Upstream commit a779d91314ca7208b7feb3ad817b62904397c56d ] + +we found that the following race condition exists in +xfrm_alloc_userspi flow: + +user thread state_hash_work thread +---- ---- +xfrm_alloc_userspi() + __find_acq_core() + /*alloc new xfrm_state:x*/ + xfrm_state_alloc() + /*schedule state_hash_work thread*/ + xfrm_hash_grow_check() xfrm_hash_resize() + xfrm_alloc_spi /*hold lock*/ + x->id.spi = htonl(spi) spin_lock_bh(&net->xfrm.xfrm_state_lock) + /*waiting lock release*/ xfrm_hash_transfer() + spin_lock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi*/ + hlist_add_head_rcu(&x->byspi) + spin_unlock_bh(&net->xfrm.xfrm_state_lock) + + /*add x into hlist:net->xfrm.state_byspi 2 times*/ + hlist_add_head_rcu(&x->byspi) + +1. a new state x is alloced in xfrm_state_alloc() and added into the bydst hlist +in __find_acq_core() on the LHS; +2. on the RHS, state_hash_work thread travels the old bydst and tranfers every xfrm_state +(include x) into the new bydst hlist and new byspi hlist; +3. user thread on the LHS gets the lock and adds x into the new byspi hlist again. + +So the same xfrm_state (x) is added into the same list_hash +(net->xfrm.state_byspi) 2 times that makes the list_hash become +an inifite loop. + +To fix the race, x->id.spi = htonl(spi) in the xfrm_alloc_spi() is moved +to the back of spin_lock_bh, sothat state_hash_work thread no longer add x +which id.spi is zero into the hash_list. + +Fixes: f034b5d4efdf ("[XFRM]: Dynamic xfrm_state hash table sizing.") +Signed-off-by: zhuoliang zhang +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index efc89a92961df..ee6ac32bb06d7 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2004,6 +2004,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + int err = -ENOENT; + __be32 minspi = htonl(low); + __be32 maxspi = htonl(high); ++ __be32 newspi = 0; + u32 mark = x->mark.v & x->mark.m; + + spin_lock_bh(&x->lock); +@@ -2022,21 +2023,22 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + xfrm_state_put(x0); + goto unlock; + } +- x->id.spi = minspi; ++ newspi = minspi; + } else { + u32 spi = 0; + for (h = 0; h < high-low+1; h++) { + spi = low + prandom_u32()%(high-low+1); + x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); + if (x0 == NULL) { +- x->id.spi = htonl(spi); ++ newspi = htonl(spi); + break; + } + xfrm_state_put(x0); + } + } +- if (x->id.spi) { ++ if (newspi) { + spin_lock_bh(&net->xfrm.xfrm_state_lock); ++ x->id.spi = newspi; + h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); + hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h); + spin_unlock_bh(&net->xfrm.xfrm_state_lock); +-- +2.27.0 + diff --git a/queue-5.9/netfilter-ipset-update-byte-and-packet-counters-rega.patch b/queue-5.9/netfilter-ipset-update-byte-and-packet-counters-rega.patch new file mode 100644 index 00000000000..74639f857f4 --- /dev/null +++ b/queue-5.9/netfilter-ipset-update-byte-and-packet-counters-rega.patch @@ -0,0 +1,71 @@ +From 7dfaef808151e6a502d4fef8beb3a013f5bb2bf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 16:39:46 +0100 +Subject: netfilter: ipset: Update byte and packet counters regardless of + whether they match + +From: Stefano Brivio + +[ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ] + +In ip_set_match_extensions(), for sets with counters, we take care of +updating counters themselves by calling ip_set_update_counter(), and of +checking if the given comparison and values match, by calling +ip_set_match_counter() if needed. + +However, if a given comparison on counters doesn't match the configured +values, that doesn't mean the set entry itself isn't matching. + +This fix restores the behaviour we had before commit 4750005a85f7 +("netfilter: ipset: Fix "don't update counters" mode when counters used +at the matching"), without reintroducing the issue fixed there: back +then, mtype_data_match() first updated counters in any case, and then +took care of matching on counters. + +Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set, +ip_set_update_counter() will anyway skip counter updates if desired. + +The issue observed is illustrated by this reproducer: + + ipset create c hash:ip counters + ipset add c 192.0.2.1 + iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP + +if we now send packets from 192.0.2.1, bytes and packets counters +for the entry as shown by 'ipset list' are always zero, and, no +matter how many bytes we send, the rule will never match, because +counters themselves are not updated. + +Reported-by: Mithil Mhatre +Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 920b7c4331f0c..2643dc982eb4e 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -652,13 +652,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext, + if (SET_WITH_COUNTER(set)) { + struct ip_set_counter *counter = ext_counter(data, set); + ++ ip_set_update_counter(counter, ext, flags); ++ + if (flags & IPSET_FLAG_MATCH_COUNTERS && + !(ip_set_match_counter(ip_set_get_packets(counter), + mext->packets, mext->packets_op) && + ip_set_match_counter(ip_set_get_bytes(counter), + mext->bytes, mext->bytes_op))) + return false; +- ip_set_update_counter(counter, ext, flags); + } + if (SET_WITH_SKBINFO(set)) + ip_set_get_skbinfo(ext_skbinfo(data, set), +-- +2.27.0 + diff --git a/queue-5.9/netfilter-nf_tables-missing-validation-from-the-abor.patch b/queue-5.9/netfilter-nf_tables-missing-validation-from-the-abor.patch new file mode 100644 index 00000000000..4c50a96d9e0 --- /dev/null +++ b/queue-5.9/netfilter-nf_tables-missing-validation-from-the-abor.patch @@ -0,0 +1,164 @@ +From d6dad3d8cc56f69645aadd6204af0f1b39258f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 13:50:03 +0100 +Subject: netfilter: nf_tables: missing validation from the abort path + +From: Pablo Neira Ayuso + +[ Upstream commit c0391b6ab810381df632677a1dcbbbbd63d05b6d ] + +If userspace does not include the trailing end of batch message, then +nfnetlink aborts the transaction. This allows to check that ruleset +updates trigger no errors. + +After this patch, invoking this command from the prerouting chain: + + # nft -c add rule x y fib saddr . oif type local + +fails since oif is not supported there. + +This patch fixes the lack of rule validation from the abort/check path +to catch configuration errors such as the one above. + +Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/nfnetlink.h | 9 ++++++++- + net/netfilter/nf_tables_api.c | 15 ++++++++++----- + net/netfilter/nfnetlink.c | 22 ++++++++++++++++++---- + 3 files changed, 36 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 89016d08f6a27..f6267e2883f26 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -24,6 +24,12 @@ struct nfnl_callback { + const u_int16_t attr_count; /* number of nlattr's */ + }; + ++enum nfnl_abort_action { ++ NFNL_ABORT_NONE = 0, ++ NFNL_ABORT_AUTOLOAD, ++ NFNL_ABORT_VALIDATE, ++}; ++ + struct nfnetlink_subsystem { + const char *name; + __u8 subsys_id; /* nfnetlink subsystem ID */ +@@ -31,7 +37,8 @@ struct nfnetlink_subsystem { + const struct nfnl_callback *cb; /* callback for individual types */ + struct module *owner; + int (*commit)(struct net *net, struct sk_buff *skb); +- int (*abort)(struct net *net, struct sk_buff *skb, bool autoload); ++ int (*abort)(struct net *net, struct sk_buff *skb, ++ enum nfnl_abort_action action); + void (*cleanup)(struct net *net); + bool (*valid_genid)(struct net *net, u32 genid); + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1c90bd1fce60c..4305d96334082 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7992,12 +7992,16 @@ static void nf_tables_abort_release(struct nft_trans *trans) + kfree(trans); + } + +-static int __nf_tables_abort(struct net *net, bool autoload) ++static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + { + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + struct nft_hook *hook; + ++ if (action == NFNL_ABORT_VALIDATE && ++ nf_tables_validate(net) < 0) ++ return -EAGAIN; ++ + list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, + list) { + switch (trans->msg_type) { +@@ -8129,7 +8133,7 @@ static int __nf_tables_abort(struct net *net, bool autoload) + nf_tables_abort_release(trans); + } + +- if (autoload) ++ if (action == NFNL_ABORT_AUTOLOAD) + nf_tables_module_autoload(net); + else + nf_tables_module_autoload_cleanup(net); +@@ -8142,9 +8146,10 @@ static void nf_tables_cleanup(struct net *net) + nft_validate_state_update(net, NFT_VALIDATE_SKIP); + } + +-static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload) ++static int nf_tables_abort(struct net *net, struct sk_buff *skb, ++ enum nfnl_abort_action action) + { +- int ret = __nf_tables_abort(net, autoload); ++ int ret = __nf_tables_abort(net, action); + + mutex_unlock(&net->nft.commit_mutex); + +@@ -8775,7 +8780,7 @@ static void __net_exit nf_tables_exit_net(struct net *net) + { + mutex_lock(&net->nft.commit_mutex); + if (!list_empty(&net->nft.commit_list)) +- __nf_tables_abort(net, false); ++ __nf_tables_abort(net, NFNL_ABORT_NONE); + __nft_release_tables(net); + mutex_unlock(&net->nft.commit_mutex); + WARN_ON_ONCE(!list_empty(&net->nft.tables)); +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 3a2e64e13b227..212c37f53f5f4 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -316,7 +316,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, + return netlink_ack(skb, nlh, -EINVAL, NULL); + replay: + status = 0; +- ++replay_abort: + skb = netlink_skb_clone(oskb, GFP_KERNEL); + if (!skb) + return netlink_ack(oskb, nlh, -ENOMEM, NULL); +@@ -482,7 +482,7 @@ ack: + } + done: + if (status & NFNL_BATCH_REPLAY) { +- ss->abort(net, oskb, true); ++ ss->abort(net, oskb, NFNL_ABORT_AUTOLOAD); + nfnl_err_reset(&err_list); + kfree_skb(skb); + module_put(ss->owner); +@@ -493,11 +493,25 @@ done: + status |= NFNL_BATCH_REPLAY; + goto done; + } else if (err) { +- ss->abort(net, oskb, false); ++ ss->abort(net, oskb, NFNL_ABORT_NONE); + netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL); + } + } else { +- ss->abort(net, oskb, false); ++ enum nfnl_abort_action abort_action; ++ ++ if (status & NFNL_BATCH_FAILURE) ++ abort_action = NFNL_ABORT_NONE; ++ else ++ abort_action = NFNL_ABORT_VALIDATE; ++ ++ err = ss->abort(net, oskb, abort_action); ++ if (err == -EAGAIN) { ++ nfnl_err_reset(&err_list); ++ kfree_skb(skb); ++ module_put(ss->owner); ++ status |= NFNL_BATCH_FAILURE; ++ goto replay_abort; ++ } + } + if (ss->cleanup) + ss->cleanup(net); +-- +2.27.0 + diff --git a/queue-5.9/netfilter-nftables-fix-netlink-report-logic-in-flowt.patch b/queue-5.9/netfilter-nftables-fix-netlink-report-logic-in-flowt.patch new file mode 100644 index 00000000000..b08c1d5475e --- /dev/null +++ b/queue-5.9/netfilter-nftables-fix-netlink-report-logic-in-flowt.patch @@ -0,0 +1,44 @@ +From a6576bc2267b0911403d3d2c2c5a480200ae80bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 22:17:49 +0200 +Subject: netfilter: nftables: fix netlink report logic in flowtable and genid + +From: Pablo Neira Ayuso + +[ Upstream commit dceababac29d1c53cbc1f7ddf6f688d2df01da87 ] + +The netlink report should be sent regardless the available listeners. + +Fixes: 84d7fce69388 ("netfilter: nf_tables: export rule-set generation ID") +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 72f3ee47e478f..1c90bd1fce60c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7076,7 +7076,7 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx, + GFP_KERNEL); + kfree(buf); + +- if (ctx->report && ++ if (!ctx->report && + !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) + return; + +@@ -7198,7 +7198,7 @@ static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, + audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq, + AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL); + +- if (nlmsg_report(nlh) && ++ if (!nlmsg_report(nlh) && + !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) + return; + +-- +2.27.0 + diff --git a/queue-5.9/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch b/queue-5.9/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch new file mode 100644 index 00000000000..875f19d610f --- /dev/null +++ b/queue-5.9/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch @@ -0,0 +1,302 @@ +From 83ee66e525b133e3c0b7a6beb0a373cbd7264fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 03:56:06 +0100 +Subject: netfilter: use actual socket sk rather than skb sk when routing + harder + +From: Jason A. Donenfeld + +[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ] + +If netfilter changes the packet mark when mangling, the packet is +rerouted using the route_me_harder set of functions. Prior to this +commit, there's one big difference between route_me_harder and the +ordinary initial routing functions, described in the comment above +__ip_queue_xmit(): + + /* Note: skb->sk can be different from sk, in case of tunnels */ + int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, + +That function goes on to correctly make use of sk->sk_bound_dev_if, +rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a +tunnel will receive a packet in ndo_start_xmit with an initial skb->sk. +It will make some transformations to that packet, and then it will send +the encapsulated packet out of a *new* socket. That new socket will +basically always have a different sk_bound_dev_if (otherwise there'd be +a routing loop). So for the purposes of routing the encapsulated packet, +the routing information as it pertains to the socket should come from +that socket's sk, rather than the packet's original skb->sk. For that +reason __ip_queue_xmit() and related functions all do the right thing. + +One might argue that all tunnels should just call skb_orphan(skb) before +transmitting the encapsulated packet into the new socket. But tunnels do +*not* do this -- and this is wisely avoided in skb_scrub_packet() too -- +because features like TSQ rely on skb->destructor() being called when +that buffer space is truely available again. Calling skb_orphan(skb) too +early would result in buffers filling up unnecessarily and accounting +info being all wrong. Instead, additional routing must take into account +the new sk, just as __ip_queue_xmit() notes. + +So, this commit addresses the problem by fishing the correct sk out of +state->sk -- it's already set properly in the call to nf_hook() in +__ip_local_out(), which receives the sk as part of its normal +functionality. So we make sure to plumb state->sk through the various +route_me_harder functions, and then make correct use of it following the +example of __ip_queue_xmit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter_ipv4.h | 2 +- + include/linux/netfilter_ipv6.h | 10 +++++----- + net/ipv4/netfilter.c | 8 +++++--- + net/ipv4/netfilter/iptable_mangle.c | 2 +- + net/ipv4/netfilter/nf_reject_ipv4.c | 2 +- + net/ipv6/netfilter.c | 6 +++--- + net/ipv6/netfilter/ip6table_mangle.c | 2 +- + net/netfilter/ipvs/ip_vs_core.c | 4 ++-- + net/netfilter/nf_nat_proto.c | 4 ++-- + net/netfilter/nf_synproxy_core.c | 2 +- + net/netfilter/nft_chain_route.c | 4 ++-- + net/netfilter/utils.c | 4 ++-- + 12 files changed, 26 insertions(+), 24 deletions(-) + +diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h +index 082e2c41b7ff9..5b70ca868bb19 100644 +--- a/include/linux/netfilter_ipv4.h ++++ b/include/linux/netfilter_ipv4.h +@@ -16,7 +16,7 @@ struct ip_rt_info { + u_int32_t mark; + }; + +-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type); ++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type); + + struct nf_queue_entry; + +diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h +index 9b67394471e1c..48314ade1506f 100644 +--- a/include/linux/netfilter_ipv6.h ++++ b/include/linux/netfilter_ipv6.h +@@ -42,7 +42,7 @@ struct nf_ipv6_ops { + #if IS_MODULE(CONFIG_IPV6) + int (*chk_addr)(struct net *net, const struct in6_addr *addr, + const struct net_device *dev, int strict); +- int (*route_me_harder)(struct net *net, struct sk_buff *skb); ++ int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb); + int (*dev_get_saddr)(struct net *net, const struct net_device *dev, + const struct in6_addr *daddr, unsigned int srcprefs, + struct in6_addr *saddr); +@@ -143,9 +143,9 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk, + #endif + } + +-int ip6_route_me_harder(struct net *net, struct sk_buff *skb); ++int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb); + +-static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) ++static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb) + { + #if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); +@@ -153,9 +153,9 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) + if (!v6_ops) + return -EHOSTUNREACH; + +- return v6_ops->route_me_harder(net, skb); ++ return v6_ops->route_me_harder(net, sk, skb); + #elif IS_BUILTIN(CONFIG_IPV6) +- return ip6_route_me_harder(net, skb); ++ return ip6_route_me_harder(net, sk, skb); + #else + return -EHOSTUNREACH; + #endif +diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c +index a058213b77a78..7c841037c5334 100644 +--- a/net/ipv4/netfilter.c ++++ b/net/ipv4/netfilter.c +@@ -17,17 +17,19 @@ + #include + + /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ +-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type) ++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type) + { + const struct iphdr *iph = ip_hdr(skb); + struct rtable *rt; + struct flowi4 fl4 = {}; + __be32 saddr = iph->saddr; +- const struct sock *sk = skb_to_full_sk(skb); +- __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0; ++ __u8 flags; + struct net_device *dev = skb_dst(skb)->dev; + unsigned int hh_len; + ++ sk = sk_to_full_sk(sk); ++ flags = sk ? inet_sk_flowi_flags(sk) : 0; ++ + if (addr_type == RTN_UNSPEC) + addr_type = inet_addr_type_dev_table(net, dev, saddr); + if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) +diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c +index f703a717ab1d2..8330795892730 100644 +--- a/net/ipv4/netfilter/iptable_mangle.c ++++ b/net/ipv4/netfilter/iptable_mangle.c +@@ -62,7 +62,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) + iph->daddr != daddr || + skb->mark != mark || + iph->tos != tos) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c +index 9dcfa4e461b65..93b07739807b2 100644 +--- a/net/ipv4/netfilter/nf_reject_ipv4.c ++++ b/net/ipv4/netfilter/nf_reject_ipv4.c +@@ -145,7 +145,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) + ip4_dst_hoplimit(skb_dst(nskb))); + nf_reject_ip_tcphdr_put(nskb, oldskb, oth); + +- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) ++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) + goto free_nskb; + + niph = ip_hdr(nskb); +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index 6d0e942d082d4..ab9a279dd6d47 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -20,10 +20,10 @@ + #include + #include "../bridge/br_private.h" + +-int ip6_route_me_harder(struct net *net, struct sk_buff *skb) ++int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff *skb) + { + const struct ipv6hdr *iph = ipv6_hdr(skb); +- struct sock *sk = sk_to_full_sk(skb->sk); ++ struct sock *sk = sk_to_full_sk(sk_partial); + unsigned int hh_len; + struct dst_entry *dst; + int strict = (ipv6_addr_type(&iph->daddr) & +@@ -84,7 +84,7 @@ static int nf_ip6_reroute(struct sk_buff *skb, + if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || + !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) || + skb->mark != rt_info->mark) +- return ip6_route_me_harder(entry->state.net, skb); ++ return ip6_route_me_harder(entry->state.net, entry->state.sk, skb); + } + return 0; + } +diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c +index 1a2748611e003..cee74803d7a1c 100644 +--- a/net/ipv6/netfilter/ip6table_mangle.c ++++ b/net/ipv6/netfilter/ip6table_mangle.c +@@ -57,7 +57,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) + skb->mark != mark || + ipv6_hdr(skb)->hop_limit != hop_limit || + flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) { +- err = ip6_route_me_harder(state->net, skb); ++ err = ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index e3668a6e54e47..570d8ef6fb8b6 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -742,12 +742,12 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af, + struct dst_entry *dst = skb_dst(skb); + + if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && +- ip6_route_me_harder(ipvs->net, skb) != 0) ++ ip6_route_me_harder(ipvs->net, skb->sk, skb) != 0) + return 1; + } else + #endif + if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && +- ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0) ++ ip_route_me_harder(ipvs->net, skb->sk, skb, RTN_LOCAL) != 0) + return 1; + + return 0; +diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c +index 59151dc07fdc1..e87b6bd6b3cdb 100644 +--- a/net/netfilter/nf_nat_proto.c ++++ b/net/netfilter/nf_nat_proto.c +@@ -715,7 +715,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb, + + if (ct->tuplehash[dir].tuple.dst.u3.ip != + ct->tuplehash[!dir].tuple.src.u3.ip) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +@@ -953,7 +953,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb, + + if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, + &ct->tuplehash[!dir].tuple.src.u3)) { +- err = nf_ip6_route_me_harder(state->net, skb); ++ err = nf_ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index 9cca35d229273..d7d34a62d3bf5 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -446,7 +446,7 @@ synproxy_send_tcp(struct net *net, + + skb_dst_set_noref(nskb, skb_dst(skb)); + nskb->protocol = htons(ETH_P_IP); +- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) ++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) + goto free_nskb; + + if (nfct) { +diff --git a/net/netfilter/nft_chain_route.c b/net/netfilter/nft_chain_route.c +index 8826bbe71136c..edd02cda57fca 100644 +--- a/net/netfilter/nft_chain_route.c ++++ b/net/netfilter/nft_chain_route.c +@@ -42,7 +42,7 @@ static unsigned int nf_route_table_hook4(void *priv, + iph->daddr != daddr || + skb->mark != mark || + iph->tos != tos) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +@@ -92,7 +92,7 @@ static unsigned int nf_route_table_hook6(void *priv, + skb->mark != mark || + ipv6_hdr(skb)->hop_limit != hop_limit || + flowlabel != *((u32 *)ipv6_hdr(skb)))) { +- err = nf_ip6_route_me_harder(state->net, skb); ++ err = nf_ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c +index cedf47ab3c6f9..2182d361e273f 100644 +--- a/net/netfilter/utils.c ++++ b/net/netfilter/utils.c +@@ -191,8 +191,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry + skb->mark == rt_info->mark && + iph->daddr == rt_info->daddr && + iph->saddr == rt_info->saddr)) +- return ip_route_me_harder(entry->state.net, skb, +- RTN_UNSPEC); ++ return ip_route_me_harder(entry->state.net, entry->state.sk, ++ skb, RTN_UNSPEC); + } + #endif + return 0; +-- +2.27.0 + diff --git a/queue-5.9/pci-always-enable-acs-even-if-no-acs-capability.patch b/queue-5.9/pci-always-enable-acs-even-if-no-acs-capability.patch new file mode 100644 index 00000000000..abc09a7884a --- /dev/null +++ b/queue-5.9/pci-always-enable-acs-even-if-no-acs-capability.patch @@ -0,0 +1,58 @@ +From 75e57ebf1fdc934806624492fbc27c2a2848baf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 16:15:45 -0700 +Subject: PCI: Always enable ACS even if no ACS Capability + +From: Rajat Jain + +[ Upstream commit 462b58fb033996e999cc213ed0b430d4f22a28fe ] + +Some devices support ACS functionality even though they don't have a +spec-compliant ACS Capability; pci_enable_acs() has a quirk mechanism to +handle them. + +We want to enable ACS whenever possible, but 52fbf5bdeeef ("PCI: Cache ACS +capability offset in device") inadvertently broke this by calling +pci_enable_acs() only if we find an ACS Capability. + +This resulted in ACS not being enabled for these non-compliant devices, +which means devices can't be separated into different IOMMU groups, which +in turn means we may not be able to pass those devices through to VMs, as +reported by Boris V: + + https://lore.kernel.org/r/74aeea93-8a46-5f5a-343c-790d4c655da3@bstnet.org + +Fixes: 52fbf5bdeeef ("PCI: Cache ACS capability offset in device") +Link: https://lore.kernel.org/r/20201028231545.4116866-1-rajatja@google.com +Reported-by: Boris V +Signed-off-by: Rajat Jain +Signed-off-by: Bjorn Helgaas +Reviewed-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index e39c5499770ff..b2fed944903e2 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3503,8 +3503,13 @@ void pci_acs_init(struct pci_dev *dev) + { + dev->acs_cap = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS); + +- if (dev->acs_cap) +- pci_enable_acs(dev); ++ /* ++ * Attempt to enable ACS regardless of capability because some Root ++ * Ports (e.g. those quirked with *_intel_pch_acs_*) do not have ++ * the standard ACS capability but still support ACS via those ++ * quirks. ++ */ ++ pci_enable_acs(dev); + } + + /** +-- +2.27.0 + diff --git a/queue-5.9/pci-mvebu-fix-duplicate-resource-requests.patch b/queue-5.9/pci-mvebu-fix-duplicate-resource-requests.patch new file mode 100644 index 00000000000..1612076b41e --- /dev/null +++ b/queue-5.9/pci-mvebu-fix-duplicate-resource-requests.patch @@ -0,0 +1,100 @@ +From 4877125f37ee1cfbab0066b38332b3667229cbee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Oct 2020 09:52:52 -0500 +Subject: PCI: mvebu: Fix duplicate resource requests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Herring + +[ Upstream commit 832ea234277a2465ec6602fa6a4db5cd9ee87ae3 ] + +With commit 669cbc708122 ("PCI: Move DT resource setup into +devm_pci_alloc_host_bridge()"), the DT 'ranges' is parsed and populated +into resources when the host bridge is allocated. The resources are +requested as well, but that happens a second time for the mvebu driver in +mvebu_pcie_parse_request_resources(). We should only be requesting the +additional resources added in mvebu_pcie_parse_request_resources(). These +are not added by default because they use custom properties rather than +standard DT address translation. + +Also, the bus ranges was also populated by default, so we can remove it +from mvebu_pci_host_probe(). + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209729 +Fixes: 669cbc708122 ("PCI: Move DT resource setup into devm_pci_alloc_host_bridge()") +Link: https://lore.kernel.org/r/20201023145252.2691779-1-robh@kernel.org +Reported-by: vtolkm@googlemail.com +Tested-by: Jan Kundrát +Signed-off-by: Rob Herring +Signed-off-by: Bjorn Helgaas +Acked-by: Lorenzo Pieralisi +Cc: Thomas Petazzoni +Cc: Jason Cooper +Cc: Russell King +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-mvebu.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c +index c39978b750ec6..653c0b3d29125 100644 +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -960,25 +960,16 @@ static void mvebu_pcie_powerdown(struct mvebu_pcie_port *port) + } + + /* +- * We can't use devm_of_pci_get_host_bridge_resources() because we +- * need to parse our special DT properties encoding the MEM and IO +- * apertures. ++ * devm_of_pci_get_host_bridge_resources() only sets up translateable resources, ++ * so we need extra resource setup parsing our special DT properties encoding ++ * the MEM and IO apertures. + */ + static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie) + { + struct device *dev = &pcie->pdev->dev; +- struct device_node *np = dev->of_node; + struct pci_host_bridge *bridge = pci_host_bridge_from_priv(pcie); + int ret; + +- /* Get the bus range */ +- ret = of_pci_parse_bus_range(np, &pcie->busn); +- if (ret) { +- dev_err(dev, "failed to parse bus-range property: %d\n", ret); +- return ret; +- } +- pci_add_resource(&bridge->windows, &pcie->busn); +- + /* Get the PCIe memory aperture */ + mvebu_mbus_get_pcie_mem_aperture(&pcie->mem); + if (resource_size(&pcie->mem) == 0) { +@@ -988,6 +979,9 @@ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie) + + pcie->mem.name = "PCI MEM"; + pci_add_resource(&bridge->windows, &pcie->mem); ++ ret = devm_request_resource(dev, &iomem_resource, &pcie->mem); ++ if (ret) ++ return ret; + + /* Get the PCIe IO aperture */ + mvebu_mbus_get_pcie_io_aperture(&pcie->io); +@@ -1001,9 +995,12 @@ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie) + pcie->realio.name = "PCI I/O"; + + pci_add_resource(&bridge->windows, &pcie->realio); ++ ret = devm_request_resource(dev, &ioport_resource, &pcie->realio); ++ if (ret) ++ return ret; + } + +- return devm_request_pci_bus_resources(dev, &bridge->windows); ++ return 0; + } + + /* +-- +2.27.0 + diff --git a/queue-5.9/perf-tools-add-missing-swap-for-cgroup-events.patch b/queue-5.9/perf-tools-add-missing-swap-for-cgroup-events.patch new file mode 100644 index 00000000000..e9ecfb55099 --- /dev/null +++ b/queue-5.9/perf-tools-add-missing-swap-for-cgroup-events.patch @@ -0,0 +1,60 @@ +From 77ecb2e3e0c0074fae6ea060b032dc3e4866b3cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 23:02:28 +0900 +Subject: perf tools: Add missing swap for cgroup events + +From: Namhyung Kim + +[ Upstream commit 2c589d933e54d183ee2a052971b730e423c62031 ] + +It was missed to add a swap function for PERF_RECORD_CGROUP. + +Fixes: ba78c1c5461c ("perf tools: Basic support for CGROUP event") +Signed-off-by: Namhyung Kim +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20201102140228.303657-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/session.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index d20b16ee73772..098080287c687 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -711,6 +711,18 @@ static void perf_event__namespaces_swap(union perf_event *event, + swap_sample_id_all(event, &event->namespaces.link_info[i]); + } + ++static void perf_event__cgroup_swap(union perf_event *event, bool sample_id_all) ++{ ++ event->cgroup.id = bswap_64(event->cgroup.id); ++ ++ if (sample_id_all) { ++ void *data = &event->cgroup.path; ++ ++ data += PERF_ALIGN(strlen(data) + 1, sizeof(u64)); ++ swap_sample_id_all(event, data); ++ } ++} ++ + static u8 revbyte(u8 b) + { + int rev = (b >> 4) | ((b & 0xf) << 4); +@@ -953,6 +965,7 @@ static perf_event__swap_op perf_event__swap_ops[] = { + [PERF_RECORD_SWITCH] = perf_event__switch_swap, + [PERF_RECORD_SWITCH_CPU_WIDE] = perf_event__switch_swap, + [PERF_RECORD_NAMESPACES] = perf_event__namespaces_swap, ++ [PERF_RECORD_CGROUP] = perf_event__cgroup_swap, + [PERF_RECORD_TEXT_POKE] = perf_event__text_poke_swap, + [PERF_RECORD_HEADER_ATTR] = perf_event__hdr_attr_swap, + [PERF_RECORD_HEADER_EVENT_TYPE] = perf_event__event_type_swap, +-- +2.27.0 + diff --git a/queue-5.9/perf-tools-add-missing-swap-for-ino_generation.patch b/queue-5.9/perf-tools-add-missing-swap-for-ino_generation.patch new file mode 100644 index 00000000000..1a9c8572ecb --- /dev/null +++ b/queue-5.9/perf-tools-add-missing-swap-for-ino_generation.patch @@ -0,0 +1,36 @@ +From 633de747c6939e97205a83d2bf48316490394449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 00:31:03 +0100 +Subject: perf tools: Add missing swap for ino_generation + +From: Jiri Olsa + +[ Upstream commit fe01adb72356a4e2f8735e4128af85921ca98fa1 ] + +We are missing swap for ino_generation field. + +Fixes: 5c5e854bc760 ("perf tools: Add attr->mmap2 support") +Signed-off-by: Jiri Olsa +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/r/20201101233103.3537427-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/session.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 7a5f03764702b..d20b16ee73772 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -595,6 +595,7 @@ static void perf_event__mmap2_swap(union perf_event *event, + event->mmap2.maj = bswap_32(event->mmap2.maj); + event->mmap2.min = bswap_32(event->mmap2.min); + event->mmap2.ino = bswap_64(event->mmap2.ino); ++ event->mmap2.ino_generation = bswap_64(event->mmap2.ino_generation); + + if (sample_id_all) { + void *data = &event->mmap2.filename; +-- +2.27.0 + diff --git a/queue-5.9/perf-trace-fix-segfault-when-trying-to-trace-events-.patch b/queue-5.9/perf-trace-fix-segfault-when-trying-to-trace-events-.patch new file mode 100644 index 00000000000..25571612cb3 --- /dev/null +++ b/queue-5.9/perf-trace-fix-segfault-when-trying-to-trace-events-.patch @@ -0,0 +1,77 @@ +From ce447a3b1adf6d52d377fc6b565ded78f4b31739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 12:43:57 +0300 +Subject: perf trace: Fix segfault when trying to trace events by cgroup + +From: Stanislav Ivanichkin + +[ Upstream commit a6293f36ac92ab513771a98efe486477be2f981f ] + + # ./perf trace -e sched:sched_switch -G test -a sleep 1 + perf: Segmentation fault + Obtained 11 stack frames. + ./perf(sighandler_dump_stack+0x43) [0x55cfdc636db3] + /lib/x86_64-linux-gnu/libc.so.6(+0x3efcf) [0x7fd23eecafcf] + ./perf(parse_cgroups+0x36) [0x55cfdc673f36] + ./perf(+0x3186ed) [0x55cfdc70d6ed] + ./perf(parse_options_subcommand+0x629) [0x55cfdc70e999] + ./perf(cmd_trace+0x9c2) [0x55cfdc5ad6d2] + ./perf(+0x1e8ae0) [0x55cfdc5ddae0] + ./perf(+0x1e8ded) [0x55cfdc5ddded] + ./perf(main+0x370) [0x55cfdc556f00] + /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fd23eeadb96] + ./perf(_start+0x29) [0x55cfdc557389] + Segmentation fault + # + + It happens because "struct trace" in option->value is passed to the + parse_cgroups function instead of "struct evlist". + +Fixes: 9ea42ba4411ac ("perf trace: Support setting cgroups as targets") +Signed-off-by: Stanislav Ivanichkin +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Namhyung Kim +Cc: Dmitry Monakhov +Link: http://lore.kernel.org/lkml/20201027094357.94881-1-sivanichkin@yandex-team.ru +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 44a75f234db17..de80534473afa 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -4639,9 +4639,9 @@ do_concat: + err = 0; + + if (lists[0]) { +- struct option o = OPT_CALLBACK('e', "event", &trace->evlist, "event", +- "event selector. use 'perf list' to list available events", +- parse_events_option); ++ struct option o = { ++ .value = &trace->evlist, ++ }; + err = parse_events_option(&o, lists[0], 0); + } + out: +@@ -4655,9 +4655,12 @@ static int trace__parse_cgroups(const struct option *opt, const char *str, int u + { + struct trace *trace = opt->value; + +- if (!list_empty(&trace->evlist->core.entries)) +- return parse_cgroups(opt, str, unset); +- ++ if (!list_empty(&trace->evlist->core.entries)) { ++ struct option o = { ++ .value = &trace->evlist, ++ }; ++ return parse_cgroups(&o, str, unset); ++ } + trace->cgroup = evlist__findnew_cgroup(trace->evlist, str); + + return 0; +-- +2.27.0 + diff --git a/queue-5.9/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch b/queue-5.9/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch new file mode 100644 index 00000000000..8a4f9fc2a31 --- /dev/null +++ b/queue-5.9/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch @@ -0,0 +1,86 @@ +From 0311b13aa594f40bbc05ccadaac241fdec20726c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 11:27:17 -0400 +Subject: powerpc/eeh_cache: Fix a possible debugfs deadlock + +From: Qian Cai + +[ Upstream commit fd552e0542b4532483289cce48fdbd27b692984b ] + +Lockdep complains that a possible deadlock below in +eeh_addr_cache_show() because it is acquiring a lock with IRQ enabled, +but eeh_addr_cache_insert_dev() needs to acquire the same lock with IRQ +disabled. Let's just make eeh_addr_cache_show() acquire the lock with +IRQ disabled as well. + + CPU0 CPU1 + ---- ---- + lock(&pci_io_addr_cache_root.piar_lock); + local_irq_disable(); + lock(&tp->lock); + lock(&pci_io_addr_cache_root.piar_lock); + + lock(&tp->lock); + + *** DEADLOCK *** + + lock_acquire+0x140/0x5f0 + _raw_spin_lock_irqsave+0x64/0xb0 + eeh_addr_cache_insert_dev+0x48/0x390 + eeh_probe_device+0xb8/0x1a0 + pnv_pcibios_bus_add_device+0x3c/0x80 + pcibios_bus_add_device+0x118/0x290 + pci_bus_add_device+0x28/0xe0 + pci_bus_add_devices+0x54/0xb0 + pcibios_init+0xc4/0x124 + do_one_initcall+0xac/0x528 + kernel_init_freeable+0x35c/0x3fc + kernel_init+0x24/0x148 + ret_from_kernel_thread+0x5c/0x80 + + lock_acquire+0x140/0x5f0 + _raw_spin_lock+0x4c/0x70 + eeh_addr_cache_show+0x38/0x110 + seq_read+0x1a0/0x660 + vfs_read+0xc8/0x1f0 + ksys_read+0x74/0x130 + system_call_exception+0xf8/0x1d0 + system_call_common+0xe8/0x218 + +Fixes: 5ca85ae6318d ("powerpc/eeh_cache: Add a way to dump the EEH address cache") +Signed-off-by: Qian Cai +Reviewed-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201028152717.8967-1-cai@redhat.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_cache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_cache.c b/arch/powerpc/kernel/eeh_cache.c +index 6b50bf15d8c19..bf3270426d82d 100644 +--- a/arch/powerpc/kernel/eeh_cache.c ++++ b/arch/powerpc/kernel/eeh_cache.c +@@ -264,8 +264,9 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v) + { + struct pci_io_addr_range *piar; + struct rb_node *n; ++ unsigned long flags; + +- spin_lock(&pci_io_addr_cache_root.piar_lock); ++ spin_lock_irqsave(&pci_io_addr_cache_root.piar_lock, flags); + for (n = rb_first(&pci_io_addr_cache_root.rb_root); n; n = rb_next(n)) { + piar = rb_entry(n, struct pci_io_addr_range, rb_node); + +@@ -273,7 +274,7 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v) + (piar->flags & IORESOURCE_IO) ? "i/o" : "mem", + &piar->addr_lo, &piar->addr_hi, pci_name(piar->pcidev)); + } +- spin_unlock(&pci_io_addr_cache_root.piar_lock); ++ spin_unlock_irqrestore(&pci_io_addr_cache_root.piar_lock, flags); + + return 0; + } +-- +2.27.0 + diff --git a/queue-5.9/rdma-ucma-fix-error-cases-around-ucma_alloc_ctx.patch b/queue-5.9/rdma-ucma-fix-error-cases-around-ucma_alloc_ctx.patch new file mode 100644 index 00000000000..1ba3419c57c --- /dev/null +++ b/queue-5.9/rdma-ucma-fix-error-cases-around-ucma_alloc_ctx.patch @@ -0,0 +1,188 @@ +From 7cf00d16fe4cffcc645be7118f502d812d59d44a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:16 +0300 +Subject: RDMA/ucma: Fix error cases around ucma_alloc_ctx() + +From: Jason Gunthorpe + +[ Upstream commit 620db1a1183d69cc49981ee59c9207e53befeae4 ] + +The store to ctx->cm_id was based on the idea that _ucma_find_context() +would not return the ctx until it was fully setup. + +Without locking this doesn't work properly. + +Split things so that the xarray is allocated with NULL to reserve the ID +and once everything is final set the cm_id and store. + +Along the way this shows that the error unwind in ucma_get_event() if a +new ctx is created is wrong, fix it up. + +Link: https://lore.kernel.org/r/20200818120526.702120-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 68 +++++++++++++++++++++------------- + 1 file changed, 42 insertions(+), 26 deletions(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 6f42ff8f2ec57..45b3e9f76c3b2 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -130,6 +130,7 @@ static DEFINE_XARRAY_ALLOC(ctx_table); + static DEFINE_XARRAY_ALLOC(multicast_table); + + static const struct file_operations ucma_fops; ++static int __destroy_id(struct ucma_context *ctx); + + static inline struct ucma_context *_ucma_find_context(int id, + struct ucma_file *file) +@@ -139,7 +140,7 @@ static inline struct ucma_context *_ucma_find_context(int id, + ctx = xa_load(&ctx_table, id); + if (!ctx) + ctx = ERR_PTR(-ENOENT); +- else if (ctx->file != file || !ctx->cm_id) ++ else if (ctx->file != file) + ctx = ERR_PTR(-EINVAL); + return ctx; + } +@@ -217,18 +218,23 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file) + refcount_set(&ctx->ref, 1); + init_completion(&ctx->comp); + INIT_LIST_HEAD(&ctx->mc_list); ++ /* So list_del() will work if we don't do ucma_finish_ctx() */ ++ INIT_LIST_HEAD(&ctx->list); + ctx->file = file; + mutex_init(&ctx->mutex); + +- if (xa_alloc(&ctx_table, &ctx->id, ctx, xa_limit_32b, GFP_KERNEL)) +- goto error; +- +- list_add_tail(&ctx->list, &file->ctx_list); ++ if (xa_alloc(&ctx_table, &ctx->id, NULL, xa_limit_32b, GFP_KERNEL)) { ++ kfree(ctx); ++ return NULL; ++ } + return ctx; ++} + +-error: +- kfree(ctx); +- return NULL; ++static void ucma_finish_ctx(struct ucma_context *ctx) ++{ ++ lockdep_assert_held(&ctx->file->mut); ++ list_add_tail(&ctx->list, &ctx->file->ctx_list); ++ xa_store(&ctx_table, ctx->id, ctx, GFP_KERNEL); + } + + static struct ucma_multicast* ucma_alloc_multicast(struct ucma_context *ctx) +@@ -399,7 +405,7 @@ out: + static ssize_t ucma_get_event(struct ucma_file *file, const char __user *inbuf, + int in_len, int out_len) + { +- struct ucma_context *ctx; ++ struct ucma_context *ctx = NULL; + struct rdma_ucm_get_event cmd; + struct ucma_event *uevent; + int ret = 0; +@@ -429,33 +435,46 @@ static ssize_t ucma_get_event(struct ucma_file *file, const char __user *inbuf, + mutex_lock(&file->mut); + } + +- uevent = list_entry(file->event_list.next, struct ucma_event, list); ++ uevent = list_first_entry(&file->event_list, struct ucma_event, list); + + if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST) { + ctx = ucma_alloc_ctx(file); + if (!ctx) { + ret = -ENOMEM; +- goto done; ++ goto err_unlock; + } +- uevent->ctx->backlog++; +- ctx->cm_id = uevent->cm_id; +- ctx->cm_id->context = ctx; + uevent->resp.id = ctx->id; ++ ctx->cm_id = uevent->cm_id; + } + + if (copy_to_user(u64_to_user_ptr(cmd.response), + &uevent->resp, + min_t(size_t, out_len, sizeof(uevent->resp)))) { + ret = -EFAULT; +- goto done; ++ goto err_ctx; ++ } ++ ++ if (ctx) { ++ uevent->ctx->backlog++; ++ uevent->cm_id->context = ctx; ++ ucma_finish_ctx(ctx); + } + + list_del(&uevent->list); + uevent->ctx->events_reported++; + if (uevent->mc) + uevent->mc->events_reported++; ++ mutex_unlock(&file->mut); ++ + kfree(uevent); +-done: ++ return 0; ++ ++err_ctx: ++ if (ctx) { ++ xa_erase(&ctx_table, ctx->id); ++ kfree(ctx); ++ } ++err_unlock: + mutex_unlock(&file->mut); + return ret; + } +@@ -498,9 +517,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + if (ret) + return ret; + +- mutex_lock(&file->mut); + ctx = ucma_alloc_ctx(file); +- mutex_unlock(&file->mut); + if (!ctx) + return -ENOMEM; + +@@ -511,24 +528,23 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + ret = PTR_ERR(cm_id); + goto err1; + } ++ ctx->cm_id = cm_id; + + resp.id = ctx->id; + if (copy_to_user(u64_to_user_ptr(cmd.response), + &resp, sizeof(resp))) { +- ret = -EFAULT; +- goto err2; ++ xa_erase(&ctx_table, ctx->id); ++ __destroy_id(ctx); ++ return -EFAULT; + } + +- ctx->cm_id = cm_id; ++ mutex_lock(&file->mut); ++ ucma_finish_ctx(ctx); ++ mutex_unlock(&file->mut); + return 0; + +-err2: +- rdma_destroy_id(cm_id); + err1: + xa_erase(&ctx_table, ctx->id); +- mutex_lock(&file->mut); +- list_del(&ctx->list); +- mutex_unlock(&file->mut); + kfree(ctx); + return ret; + } +-- +2.27.0 + diff --git a/queue-5.9/risc-v-fix-the-vdso-symbol-generaton-for-binutils-2..patch b/queue-5.9/risc-v-fix-the-vdso-symbol-generaton-for-binutils-2..patch new file mode 100644 index 00000000000..9b0a1ec9491 --- /dev/null +++ b/queue-5.9/risc-v-fix-the-vdso-symbol-generaton-for-binutils-2..patch @@ -0,0 +1,99 @@ +From 466d696117db97802e4c2b2745f7af9c259ac92a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Oct 2020 21:50:47 -0700 +Subject: RISC-V: Fix the VDSO symbol generaton for binutils-2.35+ + +From: Palmer Dabbelt + +[ Upstream commit c2c81bb2f69138f902e1a58d3bef6ad97fb8a92c ] + +We were relying on GNU ld's ability to re-link executable files in order +to extract our VDSO symbols. This behavior was deemed a bug as of +binutils-2.35 (specifically the binutils-gdb commit a87e1817a4 ("Have +the linker fail if any attempt to link in an executable is made."), but +as that has been backported to at least Debian's binutils-2.34 in may +manifest in other places. + +The previous version of this was a bit of a mess: we were linking a +static executable version of the VDSO, containing only a subset of the +input symbols, which we then linked into the kernel. This worked, but +certainly wasn't a supported path through the toolchain. Instead this +new version parses the textual output of nm to produce a symbol table. +Both rely on near-zero addresses being linkable, but as we rely on weak +undefined symbols being linkable elsewhere I don't view this as a major +issue. + +Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/vdso/.gitignore | 1 + + arch/riscv/kernel/vdso/Makefile | 18 +++++++++--------- + arch/riscv/kernel/vdso/so2s.sh | 6 ++++++ + 3 files changed, 16 insertions(+), 9 deletions(-) + create mode 100755 arch/riscv/kernel/vdso/so2s.sh + +diff --git a/arch/riscv/kernel/vdso/.gitignore b/arch/riscv/kernel/vdso/.gitignore +index 11ebee9e4c1d6..3a19def868ecc 100644 +--- a/arch/riscv/kernel/vdso/.gitignore ++++ b/arch/riscv/kernel/vdso/.gitignore +@@ -1,3 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0-only + vdso.lds + *.tmp ++vdso-syms.S +diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile +index 7d6a94d45ec94..cb8f9e4cfcbf8 100644 +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -43,19 +43,14 @@ $(obj)/vdso.o: $(obj)/vdso.so + SYSCFLAGS_vdso.so.dbg = $(c_flags) + $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE + $(call if_changed,vdsold) ++SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \ ++ -Wl,--build-id -Wl,--hash-style=both + + # We also create a special relocatable object that should mirror the symbol + # table and layout of the linked DSO. With ld --just-symbols we can then + # refer to these symbols in the kernel code rather than hand-coded addresses. +- +-SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \ +- -Wl,--build-id=sha1 -Wl,--hash-style=both +-$(obj)/vdso-dummy.o: $(src)/vdso.lds $(obj)/rt_sigreturn.o FORCE +- $(call if_changed,vdsold) +- +-LDFLAGS_vdso-syms.o := -r --just-symbols +-$(obj)/vdso-syms.o: $(obj)/vdso-dummy.o FORCE +- $(call if_changed,ld) ++$(obj)/vdso-syms.S: $(obj)/vdso.so FORCE ++ $(call if_changed,so2s) + + # strip rule for the .so file + $(obj)/%.so: OBJCOPYFLAGS := -S +@@ -73,6 +68,11 @@ quiet_cmd_vdsold = VDSOLD $@ + $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ && \ + rm $@.tmp + ++# Extracts symbol offsets from the VDSO, converting them into an assembly file ++# that contains the same symbols at the same offsets. ++quiet_cmd_so2s = SO2S $@ ++ cmd_so2s = $(NM) -D $< | $(srctree)/$(src)/so2s.sh > $@ ++ + # install commands for the unstripped file + quiet_cmd_vdso_install = INSTALL $@ + cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/$@ +diff --git a/arch/riscv/kernel/vdso/so2s.sh b/arch/riscv/kernel/vdso/so2s.sh +new file mode 100755 +index 0000000000000..e64cb6d9440e7 +--- /dev/null ++++ b/arch/riscv/kernel/vdso/so2s.sh +@@ -0,0 +1,6 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0+ ++# Copyright 2020 Palmer Dabbelt ++ ++sed 's!\([0-9a-f]*\) T \([a-z0-9_]*\)\(@@LINUX_4.15\)*!.global \2\n.set \2,0x\1!' \ ++| grep '^\.' +-- +2.27.0 + diff --git a/queue-5.9/selftests-binderfs-use-skip-instead-of-xfail.patch b/queue-5.9/selftests-binderfs-use-skip-instead-of-xfail.patch new file mode 100644 index 00000000000..8e5c05c9499 --- /dev/null +++ b/queue-5.9/selftests-binderfs-use-skip-instead-of-xfail.patch @@ -0,0 +1,60 @@ +From 136e5e1c303e14f5b19bfa1093692f08e0166f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:26:33 +0300 +Subject: selftests: binderfs: use SKIP instead of XFAIL + +From: Tommi Rantala + +[ Upstream commit 7d764b685ee1bc73a9fa2b6cb4d42fa72b943145 ] + +XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL +into SKIP"), use SKIP instead. + +Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") +Signed-off-by: Tommi Rantala +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/filesystems/binderfs/binderfs_test.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/filesystems/binderfs/binderfs_test.c b/tools/testing/selftests/filesystems/binderfs/binderfs_test.c +index 1d27f52c61e61..477cbb042f5ba 100644 +--- a/tools/testing/selftests/filesystems/binderfs/binderfs_test.c ++++ b/tools/testing/selftests/filesystems/binderfs/binderfs_test.c +@@ -74,7 +74,7 @@ static int __do_binderfs_test(struct __test_metadata *_metadata) + ret = mount(NULL, binderfs_mntpt, "binder", 0, 0); + EXPECT_EQ(ret, 0) { + if (errno == ENODEV) +- XFAIL(goto out, "binderfs missing"); ++ SKIP(goto out, "binderfs missing"); + TH_LOG("%s - Failed to mount binderfs", strerror(errno)); + goto rmdir; + } +@@ -475,10 +475,10 @@ TEST(binderfs_stress) + TEST(binderfs_test_privileged) + { + if (geteuid() != 0) +- XFAIL(return, "Tests are not run as root. Skipping privileged tests"); ++ SKIP(return, "Tests are not run as root. Skipping privileged tests"); + + if (__do_binderfs_test(_metadata)) +- XFAIL(return, "The Android binderfs filesystem is not available"); ++ SKIP(return, "The Android binderfs filesystem is not available"); + } + + TEST(binderfs_test_unprivileged) +@@ -511,7 +511,7 @@ TEST(binderfs_test_unprivileged) + ret = wait_for_pid(pid); + if (ret) { + if (ret == 2) +- XFAIL(return, "The Android binderfs filesystem is not available"); ++ SKIP(return, "The Android binderfs filesystem is not available"); + ASSERT_EQ(ret, 0) { + TH_LOG("wait_for_pid() failed"); + } +-- +2.27.0 + diff --git a/queue-5.9/selftests-clone3-use-skip-instead-of-xfail.patch b/queue-5.9/selftests-clone3-use-skip-instead-of-xfail.patch new file mode 100644 index 00000000000..78fb6084b3f --- /dev/null +++ b/queue-5.9/selftests-clone3-use-skip-instead-of-xfail.patch @@ -0,0 +1,38 @@ +From 88a10f8f8a2afb68a6aa4939d84b53b301194952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:26:32 +0300 +Subject: selftests: clone3: use SKIP instead of XFAIL + +From: Tommi Rantala + +[ Upstream commit afba8b0a2cc532b54eaf4254092f57bba5d7eb65 ] + +XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL +into SKIP"), use SKIP instead. + +Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") +Signed-off-by: Tommi Rantala +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c b/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c +index 9562425aa0a90..614091de4c545 100644 +--- a/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c ++++ b/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c +@@ -145,7 +145,7 @@ TEST(clone3_cap_checkpoint_restore) + test_clone3_supported(); + + EXPECT_EQ(getuid(), 0) +- XFAIL(return, "Skipping all tests as non-root\n"); ++ SKIP(return, "Skipping all tests as non-root"); + + memset(&set_tid, 0, sizeof(set_tid)); + +-- +2.27.0 + diff --git a/queue-5.9/selftests-core-use-skip-instead-of-xfail-in-close_ra.patch b/queue-5.9/selftests-core-use-skip-instead-of-xfail-in-close_ra.patch new file mode 100644 index 00000000000..2cab24299c9 --- /dev/null +++ b/queue-5.9/selftests-core-use-skip-instead-of-xfail-in-close_ra.patch @@ -0,0 +1,65 @@ +From 46825b77cbae15b2f59d28e4a5b05d2a9ae4c989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:26:31 +0300 +Subject: selftests: core: use SKIP instead of XFAIL in close_range_test.c + +From: Tommi Rantala + +[ Upstream commit 1d44d0dd61b6121b49f25b731f2f7f605cb3c896 ] + +XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL +into SKIP"), use SKIP instead. + +Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") +Signed-off-by: Tommi Rantala +Reviewed-by: Kees Cook +Acked-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/core/close_range_test.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/core/close_range_test.c b/tools/testing/selftests/core/close_range_test.c +index c99b98b0d461f..575b391ddc78d 100644 +--- a/tools/testing/selftests/core/close_range_test.c ++++ b/tools/testing/selftests/core/close_range_test.c +@@ -44,7 +44,7 @@ TEST(close_range) + fd = open("/dev/null", O_RDONLY | O_CLOEXEC); + ASSERT_GE(fd, 0) { + if (errno == ENOENT) +- XFAIL(return, "Skipping test since /dev/null does not exist"); ++ SKIP(return, "Skipping test since /dev/null does not exist"); + } + + open_fds[i] = fd; +@@ -52,7 +52,7 @@ TEST(close_range) + + EXPECT_EQ(-1, sys_close_range(open_fds[0], open_fds[100], -1)) { + if (errno == ENOSYS) +- XFAIL(return, "close_range() syscall not supported"); ++ SKIP(return, "close_range() syscall not supported"); + } + + EXPECT_EQ(0, sys_close_range(open_fds[0], open_fds[50], 0)); +@@ -108,7 +108,7 @@ TEST(close_range_unshare) + fd = open("/dev/null", O_RDONLY | O_CLOEXEC); + ASSERT_GE(fd, 0) { + if (errno == ENOENT) +- XFAIL(return, "Skipping test since /dev/null does not exist"); ++ SKIP(return, "Skipping test since /dev/null does not exist"); + } + + open_fds[i] = fd; +@@ -197,7 +197,7 @@ TEST(close_range_unshare_capped) + fd = open("/dev/null", O_RDONLY | O_CLOEXEC); + ASSERT_GE(fd, 0) { + if (errno == ENOENT) +- XFAIL(return, "Skipping test since /dev/null does not exist"); ++ SKIP(return, "Skipping test since /dev/null does not exist"); + } + + open_fds[i] = fd; +-- +2.27.0 + diff --git a/queue-5.9/selftests-filter-kselftest-headers-from-command-in-l.patch b/queue-5.9/selftests-filter-kselftest-headers-from-command-in-l.patch new file mode 100644 index 00000000000..77004e0d3c9 --- /dev/null +++ b/queue-5.9/selftests-filter-kselftest-headers-from-command-in-l.patch @@ -0,0 +1,63 @@ +From 3892606be20bea6f1144b0c81836e9c555f0b53b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:26:21 +0300 +Subject: selftests: filter kselftest headers from command in lib.mk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tommi Rantala + +[ Upstream commit f825d3f7ed9305e7dd0a3e0a74673a4257d0cc53 ] + +Commit 1056d3d2c97e ("selftests: enforce local header dependency in +lib.mk") added header dependency to the rule, but as the rule uses $^, +the headers are added to the compiler command line. + +This can cause unexpected precompiled header files being generated when +compilation fails: + + $ echo { >> openat2_test.c + + $ make + gcc -Wall -O2 -g -fsanitize=address -fsanitize=undefined openat2_test.c + tools/testing/selftests/kselftest_harness.h tools/testing/selftests/kselftest.h helpers.c + -o tools/testing/selftests/openat2/openat2_test + openat2_test.c:313:1: error: expected identifier or ‘(’ before ‘{’ token + 313 | { + | ^ + make: *** [../lib.mk:140: tools/testing/selftests/openat2/openat2_test] Error 1 + + $ file openat2_test* + openat2_test: GCC precompiled header (version 014) for C + openat2_test.c: C source, ASCII text + +Fix it by filtering out the headers, so that we'll only pass the actual +*.c files in the compiler command line. + +Fixes: 1056d3d2c97e ("selftests: enforce local header dependency in lib.mk") +Signed-off-by: Tommi Rantala +Acked-by: Kees Cook +Reviewed-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index 7a17ea8157367..66f3317dc3654 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -137,7 +137,7 @@ endif + ifeq ($(OVERRIDE_TARGETS),) + LOCAL_HDRS := $(selfdir)/kselftest_harness.h $(selfdir)/kselftest.h + $(OUTPUT)/%:%.c $(LOCAL_HDRS) +- $(LINK.c) $^ $(LDLIBS) -o $@ ++ $(LINK.c) $(filter-out $(LOCAL_HDRS),$^) $(LDLIBS) -o $@ + + $(OUTPUT)/%.o:%.S + $(COMPILE.S) $^ -o $@ +-- +2.27.0 + diff --git a/queue-5.9/series b/queue-5.9/series new file mode 100644 index 00000000000..5a2c3750fe6 --- /dev/null +++ b/queue-5.9/series @@ -0,0 +1,74 @@ +drm-i915-hold-onto-an-explicit-ref-to-i915_vma_work..patch +drm-i915-gem-flush-coherency-domains-on-first-set-do.patch +mm-memcg-link-page-counters-to-root-if-use_hierarchy.patch +rdma-ucma-fix-error-cases-around-ucma_alloc_ctx.patch +nbd-don-t-update-block-size-after-device-is-started.patch +kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch +dm-raid-fix-discard-limits-for-raid1-and-raid10.patch +xfrm-interface-fix-the-priorities-for-ipip-and-ipv6-.patch +asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch +genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch +hv_balloon-disable-warning-when-floor-reached.patch +net-xfrm-fix-a-race-condition-during-allocing-spi.patch +asoc-codecs-wsa881x-add-missing-stream-rates-and-for.patch +spi-imx-fix-runtime-pm-support-for-config_pm.patch +irqchip-sifive-plic-fix-broken-irq_set_affinity-call.patch +kunit-fix-kunit.py-raw_output-option.patch +kunit-don-t-fail-test-suites-if-one-of-them-is-empty.patch +usb-gadget-fsl-fix-null-pointer-checking.patch +selftests-filter-kselftest-headers-from-command-in-l.patch +asoc-codecs-wcd934x-set-digital-gain-range-correctly.patch +asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch +mtd-spi-nor-fix-address-width-on-flash-chips-16mb.patch +xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch +mac80211-don-t-require-vht-elements-for-he-on-2.4-gh.patch +netfilter-nftables-fix-netlink-report-logic-in-flowt.patch +netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch +netfilter-nf_tables-missing-validation-from-the-abor.patch +pci-always-enable-acs-even-if-no-acs-capability.patch +netfilter-ipset-update-byte-and-packet-counters-rega.patch +irqchip-sifive-plic-fix-chip_data-access-within-a-hi.patch +powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch +drm-vc4-bo-add-a-managed-action-to-cleanup-the-cache.patch +ib-srpt-fix-memory-leak-in-srpt_add_one.patch +mm-memcontrol-correct-the-nr_anon_thps-counter-of-hi.patch +drm-panfrost-rename-error-labels-in-device_init.patch +drm-panfrost-move-devfreq_init-fini-in-device.patch +drm-panfrost-fix-module-unload.patch +perf-trace-fix-segfault-when-trying-to-trace-events-.patch +perf-tools-add-missing-swap-for-ino_generation.patch +perf-tools-add-missing-swap-for-cgroup-events.patch +alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch +iommu-vt-d-fix-sid-not-set-issue-in-intel_svm_bind_g.patch +iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch +afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch +afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch +vfio-pci-implement-ioeventfd-thread-handler-for-cont.patch +can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch +can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch +can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch +can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch +can-j1939-swap-addr-and-pgn-in-the-send-example.patch +can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch +can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch +can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch +can-peak_usb-add-range-checking-in-decode-operations.patch +can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch +can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch +can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch +can-flexcan-flexcan_remove-disable-wakeup-completely.patch +xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch +xfs-fix-missing-cow-blocks-writeback-conversion-retr.patch +xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch +io_uring-ensure-consistent-view-of-original-task-mm-.patch +spi-fsl-dspi-fix-wrong-pointer-in-suspend-resume.patch +pci-mvebu-fix-duplicate-resource-requests.patch +ceph-check-session-state-after-bumping-session-s_seq.patch +selftests-core-use-skip-instead-of-xfail-in-close_ra.patch +selftests-clone3-use-skip-instead-of-xfail.patch +selftests-binderfs-use-skip-instead-of-xfail.patch +x86-speculation-allow-ibpb-to-be-conditionally-enabl.patch +kbuild-explicitly-specify-the-build-id-style.patch +risc-v-fix-the-vdso-symbol-generaton-for-binutils-2..patch +usb-apple-mfi-fastcharge-fix-reference-leak-in-apple.patch +tpm-efi-don-t-create-binary_bios_measurements-file-f.patch diff --git a/queue-5.9/spi-fsl-dspi-fix-wrong-pointer-in-suspend-resume.patch b/queue-5.9/spi-fsl-dspi-fix-wrong-pointer-in-suspend-resume.patch new file mode 100644 index 00000000000..a74da11bba7 --- /dev/null +++ b/queue-5.9/spi-fsl-dspi-fix-wrong-pointer-in-suspend-resume.patch @@ -0,0 +1,67 @@ +From 5a682944eeb3f1c606aa5c5b93da13f61d4602f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 10:05:46 +0800 +Subject: spi: fsl-dspi: fix wrong pointer in suspend/resume + +From: Zhao Qiang + +[ Upstream commit 9bd77a9ce31dd242fece27219d14fbee5068dd85 ] + +Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in +remove path"), this driver causes a "NULL pointer dereference" +in dspi_suspend/resume. +This is because since this commit, the drivers private data point to +"dspi" instead of "ctlr", the codes in suspend and resume func were +not modified correspondly. + +Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path") +Signed-off-by: Zhao Qiang +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20201103020546.1822-1-qiang.zhao@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-dspi.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index 108a7d50d2c37..a96762ffb70b6 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -1106,12 +1106,11 @@ MODULE_DEVICE_TABLE(of, fsl_dspi_dt_ids); + #ifdef CONFIG_PM_SLEEP + static int dspi_suspend(struct device *dev) + { +- struct spi_controller *ctlr = dev_get_drvdata(dev); +- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr); ++ struct fsl_dspi *dspi = dev_get_drvdata(dev); + + if (dspi->irq) + disable_irq(dspi->irq); +- spi_controller_suspend(ctlr); ++ spi_controller_suspend(dspi->ctlr); + clk_disable_unprepare(dspi->clk); + + pinctrl_pm_select_sleep_state(dev); +@@ -1121,8 +1120,7 @@ static int dspi_suspend(struct device *dev) + + static int dspi_resume(struct device *dev) + { +- struct spi_controller *ctlr = dev_get_drvdata(dev); +- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr); ++ struct fsl_dspi *dspi = dev_get_drvdata(dev); + int ret; + + pinctrl_pm_select_default_state(dev); +@@ -1130,7 +1128,7 @@ static int dspi_resume(struct device *dev) + ret = clk_prepare_enable(dspi->clk); + if (ret) + return ret; +- spi_controller_resume(ctlr); ++ spi_controller_resume(dspi->ctlr); + if (dspi->irq) + enable_irq(dspi->irq); + +-- +2.27.0 + diff --git a/queue-5.9/spi-imx-fix-runtime-pm-support-for-config_pm.patch b/queue-5.9/spi-imx-fix-runtime-pm-support-for-config_pm.patch new file mode 100644 index 00000000000..415a0298789 --- /dev/null +++ b/queue-5.9/spi-imx-fix-runtime-pm-support-for-config_pm.patch @@ -0,0 +1,73 @@ +From ebf9fb3dbbbcf9b66cd578ab8da5cc2992fa15a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 12:45:13 +0200 +Subject: spi: imx: fix runtime pm support for !CONFIG_PM + +From: Sascha Hauer + +[ Upstream commit 43b6bf406cd0319e522638f97c9086b7beebaeaa ] + +525c9e5a32bd introduced pm_runtime support for the i.MX SPI driver. With +this pm_runtime is used to bring up the clocks initially. When CONFIG_PM +is disabled the clocks are no longer enabled and the driver doesn't work +anymore. Fix this by enabling the clocks in the probe function and +telling pm_runtime that the device is active using +pm_runtime_set_active(). + +Fixes: 525c9e5a32bd spi: imx: enable runtime pm support +Tested-by: Christian Eggers [tested for !CONFIG_PM only] +Signed-off-by: Sascha Hauer +Link: https://lore.kernel.org/r/20201021104513.21560-1-s.hauer@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index e38e5ad3c7068..9aac515b718c8 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1674,15 +1674,18 @@ static int spi_imx_probe(struct platform_device *pdev) + goto out_master_put; + } + +- pm_runtime_enable(spi_imx->dev); ++ ret = clk_prepare_enable(spi_imx->clk_per); ++ if (ret) ++ goto out_master_put; ++ ++ ret = clk_prepare_enable(spi_imx->clk_ipg); ++ if (ret) ++ goto out_put_per; ++ + pm_runtime_set_autosuspend_delay(spi_imx->dev, MXC_RPM_TIMEOUT); + pm_runtime_use_autosuspend(spi_imx->dev); +- +- ret = pm_runtime_get_sync(spi_imx->dev); +- if (ret < 0) { +- dev_err(spi_imx->dev, "failed to enable clock\n"); +- goto out_runtime_pm_put; +- } ++ pm_runtime_set_active(spi_imx->dev); ++ pm_runtime_enable(spi_imx->dev); + + spi_imx->spi_clk = clk_get_rate(spi_imx->clk_per); + /* +@@ -1722,8 +1725,12 @@ out_bitbang_start: + spi_imx_sdma_exit(spi_imx); + out_runtime_pm_put: + pm_runtime_dont_use_autosuspend(spi_imx->dev); +- pm_runtime_put_sync(spi_imx->dev); ++ pm_runtime_set_suspended(&pdev->dev); + pm_runtime_disable(spi_imx->dev); ++ ++ clk_disable_unprepare(spi_imx->clk_ipg); ++out_put_per: ++ clk_disable_unprepare(spi_imx->clk_per); + out_master_put: + spi_master_put(master); + +-- +2.27.0 + diff --git a/queue-5.9/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch b/queue-5.9/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch new file mode 100644 index 00000000000..420cd24c18d --- /dev/null +++ b/queue-5.9/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch @@ -0,0 +1,117 @@ +From 558310d399b3b86e56aed221dd933dd4c799383f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 10:41:02 -0500 +Subject: tpm: efi: Don't create binary_bios_measurements file for an empty log +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tyler Hicks + +[ Upstream commit 8ffd778aff45be760292225049e0141255d4ad6e ] + +Mimic the pre-existing ACPI and Device Tree event log behavior by not +creating the binary_bios_measurements file when the EFI TPM event log is +empty. + +This fixes the following NULL pointer dereference that can occur when +reading /sys/kernel/security/tpm0/binary_bios_measurements after the +kernel received an empty event log from the firmware: + + BUG: kernel NULL pointer dereference, address: 000000000000002c + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17 + Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019 + RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550 + Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49 + RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246 + RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010 + RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258 + RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300 + R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280 + R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258 + FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + ? __kmalloc_node+0x113/0x320 + ? kvmalloc_node+0x31/0x80 + seq_read+0x94/0x420 + vfs_read+0xa7/0x190 + ksys_read+0xa7/0xe0 + __x64_sys_read+0x1a/0x20 + do_syscall_64+0x37/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +In this situation, the bios_event_log pointer in the tpm_bios_log struct +was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was +due to the following kmemdup() in tpm_read_log_efi(): + +int tpm_read_log_efi(struct tpm_chip *chip) +{ +... + /* malloc EventLog space */ + log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL); + if (!log->bios_event_log) { + ret = -ENOMEM; + goto out; + } +... +} + +When log_size is zero, due to an empty event log from firmware, +ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the +binary_bios_measurements file, the tpm2_bios_measurements_start() +function does not perform a ZERO_OR_NULL_PTR() check on the +bios_event_log pointer before dereferencing it. + +Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of +the bios_event_log pointer, simply avoid creating the +binary_bios_measurements_file as is done in other event log retrieval +backends. + +Explicitly ignore all of the events in the final event log when the main +event log is empty. The list of events in the final event log cannot be +accurately parsed without referring to the first event in the main event +log (the event log header) so the final event log is useless in such a +situation. + +Fixes: 58cc1e4faf10 ("tpm: parse TPM event logs based on EFI table") +Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/ +Reported-by: Kai-Heng Feng +Reported-by: Kenneth R. Crudup +Reported-by: Mimi Zohar +Cc: Thiébaud Weksteen +Cc: Ard Biesheuvel +Signed-off-by: Tyler Hicks +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/eventlog/efi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c +index 6bb023de17f1f..35229e5143cac 100644 +--- a/drivers/char/tpm/eventlog/efi.c ++++ b/drivers/char/tpm/eventlog/efi.c +@@ -41,6 +41,11 @@ int tpm_read_log_efi(struct tpm_chip *chip) + log_size = log_tbl->size; + memunmap(log_tbl); + ++ if (!log_size) { ++ pr_warn("UEFI TPM log area empty\n"); ++ return -EIO; ++ } ++ + log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl) + log_size, + MEMREMAP_WB); + if (!log_tbl) { +-- +2.27.0 + diff --git a/queue-5.9/usb-apple-mfi-fastcharge-fix-reference-leak-in-apple.patch b/queue-5.9/usb-apple-mfi-fastcharge-fix-reference-leak-in-apple.patch new file mode 100644 index 00000000000..09f58d36715 --- /dev/null +++ b/queue-5.9/usb-apple-mfi-fastcharge-fix-reference-leak-in-apple.patch @@ -0,0 +1,46 @@ +From 6641a47aee2349af02dbc8501f62519b2de15ada Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 10:26:50 +0800 +Subject: USB: apple-mfi-fastcharge: fix reference leak in + apple_mfi_fc_set_property + +From: Zhang Qilong + +[ Upstream commit 00bd6bca3fb1e98190a24eda2583062803c9e8b5 ] + +pm_runtime_get_sync() will increment pm usage at first and it +will resume the device later. If runtime of the device has +error or device is in inaccessible state(or other error state), +resume operation will fail. If we do not call put operation to +decrease the reference, the result is that this device cannot +enter the idle state and always stay busy or other non-idle +state. + +Fixes: 249fa8217b846 ("USB: Add driver to control USB fast charge for iOS devices") +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20201102022650.67115-1-zhangqilong3@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/apple-mfi-fastcharge.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c +index 579d8c84de42c..9de0171b51776 100644 +--- a/drivers/usb/misc/apple-mfi-fastcharge.c ++++ b/drivers/usb/misc/apple-mfi-fastcharge.c +@@ -120,8 +120,10 @@ static int apple_mfi_fc_set_property(struct power_supply *psy, + dev_dbg(&mfi->udev->dev, "prop: %d\n", psp); + + ret = pm_runtime_get_sync(&mfi->udev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(&mfi->udev->dev); + return ret; ++ } + + switch (psp) { + case POWER_SUPPLY_PROP_CHARGE_TYPE: +-- +2.27.0 + diff --git a/queue-5.9/usb-gadget-fsl-fix-null-pointer-checking.patch b/queue-5.9/usb-gadget-fsl-fix-null-pointer-checking.patch new file mode 100644 index 00000000000..cf6f7213c4f --- /dev/null +++ b/queue-5.9/usb-gadget-fsl-fix-null-pointer-checking.patch @@ -0,0 +1,39 @@ +From 90648ddb3f7f59eb7dcbc1330221759cc8782258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 12:33:26 +0800 +Subject: usb: gadget: fsl: fix null pointer checking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ran Wang + +[ Upstream commit 48e7bbbbb261b007fe78aa14ae62df01d236497e ] + +fsl_ep_fifo_status() should return error if _ep->desc is null. + +Fixes: 75eaa498c99e (“usb: gadget: Correct NULL pointer checking in fsl gadget”) +Reviewed-by: Peter Chen +Signed-off-by: Ran Wang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index a6f7b2594c090..c0cb007b749ff 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -1051,7 +1051,7 @@ static int fsl_ep_fifo_status(struct usb_ep *_ep) + u32 bitmask; + struct ep_queue_head *qh; + +- if (!_ep || _ep->desc || !(_ep->desc->bEndpointAddress&0xF)) ++ if (!_ep || !_ep->desc || !(_ep->desc->bEndpointAddress&0xF)) + return -ENODEV; + + ep = container_of(_ep, struct fsl_ep, ep); +-- +2.27.0 + diff --git a/queue-5.9/vfio-pci-implement-ioeventfd-thread-handler-for-cont.patch b/queue-5.9/vfio-pci-implement-ioeventfd-thread-handler-for-cont.patch new file mode 100644 index 00000000000..11a2a5d05d7 --- /dev/null +++ b/queue-5.9/vfio-pci-implement-ioeventfd-thread-handler-for-cont.patch @@ -0,0 +1,110 @@ +From ef3bbb2d3a2ef48c5d4280b619a63bf796d613f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 15:02:00 -0700 +Subject: vfio/pci: Implement ioeventfd thread handler for contended memory + lock + +From: Alex Williamson + +[ Upstream commit 38565c93c8a1306dc5f245572a545fbea908ac41 ] + +The ioeventfd is called under spinlock with interrupts disabled, +therefore if the memory lock is contended defer code that might +sleep to a thread context. + +Fixes: bc93b9ae0151 ("vfio-pci: Avoid recursive read-lock usage") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209253#c1 +Reported-by: Ian Pilcher +Tested-by: Ian Pilcher +Tested-by: Justin Gatzen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_rdwr.c | 43 ++++++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 8 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 9e353c484ace2..a0b5fc8e46f4d 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -356,34 +356,60 @@ ssize_t vfio_pci_vga_rw(struct vfio_pci_device *vdev, char __user *buf, + return done; + } + +-static int vfio_pci_ioeventfd_handler(void *opaque, void *unused) ++static void vfio_pci_ioeventfd_do_write(struct vfio_pci_ioeventfd *ioeventfd, ++ bool test_mem) + { +- struct vfio_pci_ioeventfd *ioeventfd = opaque; +- + switch (ioeventfd->count) { + case 1: +- vfio_pci_iowrite8(ioeventfd->vdev, ioeventfd->test_mem, ++ vfio_pci_iowrite8(ioeventfd->vdev, test_mem, + ioeventfd->data, ioeventfd->addr); + break; + case 2: +- vfio_pci_iowrite16(ioeventfd->vdev, ioeventfd->test_mem, ++ vfio_pci_iowrite16(ioeventfd->vdev, test_mem, + ioeventfd->data, ioeventfd->addr); + break; + case 4: +- vfio_pci_iowrite32(ioeventfd->vdev, ioeventfd->test_mem, ++ vfio_pci_iowrite32(ioeventfd->vdev, test_mem, + ioeventfd->data, ioeventfd->addr); + break; + #ifdef iowrite64 + case 8: +- vfio_pci_iowrite64(ioeventfd->vdev, ioeventfd->test_mem, ++ vfio_pci_iowrite64(ioeventfd->vdev, test_mem, + ioeventfd->data, ioeventfd->addr); + break; + #endif + } ++} ++ ++static int vfio_pci_ioeventfd_handler(void *opaque, void *unused) ++{ ++ struct vfio_pci_ioeventfd *ioeventfd = opaque; ++ struct vfio_pci_device *vdev = ioeventfd->vdev; ++ ++ if (ioeventfd->test_mem) { ++ if (!down_read_trylock(&vdev->memory_lock)) ++ return 1; /* Lock contended, use thread */ ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ up_read(&vdev->memory_lock); ++ return 0; ++ } ++ } ++ ++ vfio_pci_ioeventfd_do_write(ioeventfd, false); ++ ++ if (ioeventfd->test_mem) ++ up_read(&vdev->memory_lock); + + return 0; + } + ++static void vfio_pci_ioeventfd_thread(void *opaque, void *unused) ++{ ++ struct vfio_pci_ioeventfd *ioeventfd = opaque; ++ ++ vfio_pci_ioeventfd_do_write(ioeventfd, ioeventfd->test_mem); ++} ++ + long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset, + uint64_t data, int count, int fd) + { +@@ -457,7 +483,8 @@ long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset, + ioeventfd->test_mem = vdev->pdev->resource[bar].flags & IORESOURCE_MEM; + + ret = vfio_virqfd_enable(ioeventfd, vfio_pci_ioeventfd_handler, +- NULL, NULL, &ioeventfd->virqfd, fd); ++ vfio_pci_ioeventfd_thread, NULL, ++ &ioeventfd->virqfd, fd); + if (ret) { + kfree(ioeventfd); + goto out_unlock; +-- +2.27.0 + diff --git a/queue-5.9/x86-speculation-allow-ibpb-to-be-conditionally-enabl.patch b/queue-5.9/x86-speculation-allow-ibpb-to-be-conditionally-enabl.patch new file mode 100644 index 00000000000..2fe4128989e --- /dev/null +++ b/queue-5.9/x86-speculation-allow-ibpb-to-be-conditionally-enabl.patch @@ -0,0 +1,152 @@ +From 9fa98c9d7b16c30f06d59f4a782052e49db8aec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Nov 2020 16:33:04 +1100 +Subject: x86/speculation: Allow IBPB to be conditionally enabled on CPUs with + always-on STIBP + +From: Anand K Mistry + +[ Upstream commit 1978b3a53a74e3230cd46932b149c6e62e832e9a ] + +On AMD CPUs which have the feature X86_FEATURE_AMD_STIBP_ALWAYS_ON, +STIBP is set to on and + + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED + +At the same time, IBPB can be set to conditional. + +However, this leads to the case where it's impossible to turn on IBPB +for a process because in the PR_SPEC_DISABLE case in ib_prctl_set() the + + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED + +condition leads to a return before the task flag is set. Similarly, +ib_prctl_get() will return PR_SPEC_DISABLE even though IBPB is set to +conditional. + +More generally, the following cases are possible: + +1. STIBP = conditional && IBPB = on for spectre_v2_user=seccomp,ibpb +2. STIBP = on && IBPB = conditional for AMD CPUs with + X86_FEATURE_AMD_STIBP_ALWAYS_ON + +The first case functions correctly today, but only because +spectre_v2_user_ibpb isn't updated to reflect the IBPB mode. + +At a high level, this change does one thing. If either STIBP or IBPB +is set to conditional, allow the prctl to change the task flag. +Also, reflect that capability when querying the state. This isn't +perfect since it doesn't take into account if only STIBP or IBPB is +unconditionally on. But it allows the conditional feature to work as +expected, without affecting the unconditional one. + + [ bp: Massage commit message and comment; space out statements for + better readability. ] + +Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") +Signed-off-by: Anand K Mistry +Signed-off-by: Borislav Petkov +Acked-by: Thomas Gleixner +Acked-by: Tom Lendacky +Link: https://lkml.kernel.org/r/20201105163246.v2.1.Ifd7243cd3e2c2206a893ad0a5b9a4f19549e22c6@changeid +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 51 ++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index d3f0db463f96a..581fb7223ad0e 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1254,6 +1254,14 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) + return 0; + } + ++static bool is_spec_ib_user_controlled(void) ++{ ++ return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || ++ spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP; ++} ++ + static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + { + switch (ctrl) { +@@ -1261,16 +1269,26 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return 0; ++ + /* +- * Indirect branch speculation is always disabled in strict +- * mode. It can neither be enabled if it was force-disabled +- * by a previous prctl call. ++ * With strict mode for both IBPB and STIBP, the instruction ++ * code paths avoid checking this task flag and instead, ++ * unconditionally run the instruction. However, STIBP and IBPB ++ * are independent and either can be set to conditionally ++ * enabled regardless of the mode of the other. ++ * ++ * If either is set to conditional, allow the task flag to be ++ * updated, unless it was force-disabled by a previous prctl ++ * call. Currently, this is possible on an AMD CPU which has the ++ * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the ++ * kernel is booted with 'spectre_v2_user=seccomp', then ++ * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and ++ * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED. + */ +- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED || ++ if (!is_spec_ib_user_controlled() || + task_spec_ib_force_disable(task)) + return -EPERM; ++ + task_clear_spec_ib_disable(task); + task_update_spec_tif(task); + break; +@@ -1283,10 +1301,10 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return -EPERM; +- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) ++ ++ if (!is_spec_ib_user_controlled()) + return 0; ++ + task_set_spec_ib_disable(task); + if (ctrl == PR_SPEC_FORCE_DISABLE) + task_set_spec_ib_force_disable(task); +@@ -1351,20 +1369,17 @@ static int ib_prctl_get(struct task_struct *task) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return PR_SPEC_ENABLE; +- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) +- return PR_SPEC_DISABLE; +- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || +- spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || +- spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || +- spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) { ++ else if (is_spec_ib_user_controlled()) { + if (task_spec_ib_force_disable(task)) + return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; + if (task_spec_ib_disable(task)) + return PR_SPEC_PRCTL | PR_SPEC_DISABLE; + return PR_SPEC_PRCTL | PR_SPEC_ENABLE; +- } else ++ } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) ++ return PR_SPEC_DISABLE; ++ else + return PR_SPEC_NOT_AFFECTED; + } + +-- +2.27.0 + diff --git a/queue-5.9/xfrm-interface-fix-the-priorities-for-ipip-and-ipv6-.patch b/queue-5.9/xfrm-interface-fix-the-priorities-for-ipip-and-ipv6-.patch new file mode 100644 index 00000000000..1a36a6cbd0b --- /dev/null +++ b/queue-5.9/xfrm-interface-fix-the-priorities-for-ipip-and-ipv6-.patch @@ -0,0 +1,121 @@ +From 8c18562e3e4a54a66866e3ac13bd111616864af2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 16:13:24 +0800 +Subject: xfrm: interface: fix the priorities for ipip and ipv6 tunnels + +From: Xin Long + +[ Upstream commit 7fe94612dd4cfcd35fe0ec87745fb31ad2be71f8 ] + +As Nicolas noticed in his case, when xfrm_interface module is installed +the standard IP tunnels will break in receiving packets. + +This is caused by the IP tunnel handlers with a higher priority in xfrm +interface processing incoming packets by xfrm_input(), which would drop +the packets and return 0 instead when anything wrong happens. + +Rather than changing xfrm_input(), this patch is to adjust the priority +for the IP tunnel handlers in xfrm interface, so that the packets would +go to xfrmi's later than the others', as the others' would not drop the +packets when the handlers couldn't process them. + +Note that IPCOMP also defines its own IPIP tunnel handler and it calls +xfrm_input() as well, so we must make its priority lower than xfrmi's, +which means having xfrmi loaded would still break IPCOMP. We may seek +another way to fix it in xfrm_input() in the future. + +Reported-by: Nicolas Dichtel +Tested-by: Nicolas Dichtel +Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler") +FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler") +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_tunnel.c | 4 ++-- + net/ipv6/xfrm6_tunnel.c | 4 ++-- + net/xfrm/xfrm_interface.c | 8 ++++---- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c +index dc19aff7c2e00..fb0648e7fb32f 100644 +--- a/net/ipv4/xfrm4_tunnel.c ++++ b/net/ipv4/xfrm4_tunnel.c +@@ -64,14 +64,14 @@ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info) + static struct xfrm_tunnel xfrm_tunnel_handler __read_mostly = { + .handler = xfrm_tunnel_rcv, + .err_handler = xfrm_tunnel_err, +- .priority = 3, ++ .priority = 4, + }; + + #if IS_ENABLED(CONFIG_IPV6) + static struct xfrm_tunnel xfrm64_tunnel_handler __read_mostly = { + .handler = xfrm_tunnel_rcv, + .err_handler = xfrm_tunnel_err, +- .priority = 2, ++ .priority = 3, + }; + #endif + +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index 25b7ebda2fabf..f696d46e69100 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -303,13 +303,13 @@ static const struct xfrm_type xfrm6_tunnel_type = { + static struct xfrm6_tunnel xfrm6_tunnel_handler __read_mostly = { + .handler = xfrm6_tunnel_rcv, + .err_handler = xfrm6_tunnel_err, +- .priority = 2, ++ .priority = 3, + }; + + static struct xfrm6_tunnel xfrm46_tunnel_handler __read_mostly = { + .handler = xfrm6_tunnel_rcv, + .err_handler = xfrm6_tunnel_err, +- .priority = 2, ++ .priority = 3, + }; + + static int __net_init xfrm6_tunnel_net_init(struct net *net) +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index a8f66112c52b4..0bb7963b9f6bc 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -830,14 +830,14 @@ static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = { + .handler = xfrmi6_rcv_tunnel, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, +- .priority = -1, ++ .priority = 2, + }; + + static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { + .handler = xfrmi6_rcv_tunnel, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, +- .priority = -1, ++ .priority = 2, + }; + #endif + +@@ -875,14 +875,14 @@ static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = { + .handler = xfrmi4_rcv_tunnel, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, +- .priority = -1, ++ .priority = 3, + }; + + static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = { + .handler = xfrmi4_rcv_tunnel, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, +- .priority = -1, ++ .priority = 2, + }; + #endif + +-- +2.27.0 + diff --git a/queue-5.9/xfs-fix-missing-cow-blocks-writeback-conversion-retr.patch b/queue-5.9/xfs-fix-missing-cow-blocks-writeback-conversion-retr.patch new file mode 100644 index 00000000000..d533bbf59f8 --- /dev/null +++ b/queue-5.9/xfs-fix-missing-cow-blocks-writeback-conversion-retr.patch @@ -0,0 +1,71 @@ +From 2eb13dd8159ae8a5ccdfbccb9c353f3920a9057a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 17:14:06 -0800 +Subject: xfs: fix missing CoW blocks writeback conversion retry + +From: Darrick J. Wong + +[ Upstream commit c2f09217a4305478c55adc9a98692488dd19cd32 ] + +In commit 7588cbeec6df, we tried to fix a race stemming from the lack of +coordination between higher level code that wants to allocate and remap +CoW fork extents into the data fork. Christoph cites as examples the +always_cow mode, and a directio write completion racing with writeback. + +According to the comments before the goto retry, we want to restart the +lookup to catch the extent in the data fork, but we don't actually reset +whichfork or cow_fsb, which means the second try executes using stale +information. Up until now I think we've gotten lucky that either +there's something left in the CoW fork to cause cow_fsb to be reset, or +either data/cow fork sequence numbers have advanced enough to force a +fresh lookup from the data fork. However, if we reach the retry with an +empty stable CoW fork and a stable data fork, neither of those things +happens. The retry foolishly re-calls xfs_convert_blocks on the CoW +fork which fails again. This time, we toss the write. + +I've recently been working on extending reflink to the realtime device. +When the realtime extent size is larger than a single block, we have to +force the page cache to CoW the entire rt extent if a write (or +fallocate) are not aligned with the rt extent size. The strategy I've +chosen to deal with this is derived from Dave's blocksize > pagesize +series: dirtying around the write range, and ensuring that writeback +always starts mapping on an rt extent boundary. This has brought this +race front and center, since generic/522 blows up immediately. + +However, I'm pretty sure this is a bug outright, independent of that. + +Fixes: 7588cbeec6df ("xfs: retry COW fork delalloc conversion when no extent was found") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_aops.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index b35611882ff9c..e4210779cd79e 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -346,8 +346,8 @@ xfs_map_blocks( + ssize_t count = i_blocksize(inode); + xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset); + xfs_fileoff_t end_fsb = XFS_B_TO_FSB(mp, offset + count); +- xfs_fileoff_t cow_fsb = NULLFILEOFF; +- int whichfork = XFS_DATA_FORK; ++ xfs_fileoff_t cow_fsb; ++ int whichfork; + struct xfs_bmbt_irec imap; + struct xfs_iext_cursor icur; + int retries = 0; +@@ -381,6 +381,8 @@ xfs_map_blocks( + * landed in a hole and we skip the block. + */ + retry: ++ cow_fsb = NULLFILEOFF; ++ whichfork = XFS_DATA_FORK; + xfs_ilock(ip, XFS_ILOCK_SHARED); + ASSERT(ip->i_df.if_format != XFS_DINODE_FMT_BTREE || + (ip->i_df.if_flags & XFS_IFEXTENTS)); +-- +2.27.0 + diff --git a/queue-5.9/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch b/queue-5.9/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch new file mode 100644 index 00000000000..f04b0bcba83 --- /dev/null +++ b/queue-5.9/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch @@ -0,0 +1,37 @@ +From 23097d9884840590461d8c241aa35e83c26f3254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 17:14:07 -0800 +Subject: xfs: fix scrub flagging rtinherit even if there is no rt device + +From: Darrick J. Wong + +[ Upstream commit c1f6b1ac00756a7108e5fcb849a2f8230c0b62a5 ] + +The kernel has always allowed directories to have the rtinherit flag +set, even if there is no rt device, so this check is wrong. + +Fixes: 80e4e1268802 ("xfs: scrub inodes") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/scrub/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/xfs/scrub/inode.c b/fs/xfs/scrub/inode.c +index 6d483ab29e639..1bea029b634a6 100644 +--- a/fs/xfs/scrub/inode.c ++++ b/fs/xfs/scrub/inode.c +@@ -121,8 +121,7 @@ xchk_inode_flags( + goto bad; + + /* rt flags require rt device */ +- if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) && +- !mp->m_rtdev_targp) ++ if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp) + goto bad; + + /* new rt bitmap flag only valid for rbmino */ +-- +2.27.0 + diff --git a/queue-5.9/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch b/queue-5.9/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch new file mode 100644 index 00000000000..02df7b0684c --- /dev/null +++ b/queue-5.9/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch @@ -0,0 +1,70 @@ +From 2a8a108c4f863fe03c8766595dd25627ef1c5f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 14:30:48 -0700 +Subject: xfs: flush new eof page on truncate to avoid post-eof corruption + +From: Brian Foster + +[ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ] + +It is possible to expose non-zeroed post-EOF data in XFS if the new +EOF page is dirty, backed by an unwritten block and the truncate +happens to race with writeback. iomap_truncate_page() will not zero +the post-EOF portion of the page if the underlying block is +unwritten. The subsequent call to truncate_setsize() will, but +doesn't dirty the page. Therefore, if writeback happens to complete +after iomap_truncate_page() (so it still sees the unwritten block) +but before truncate_setsize(), the cached page becomes inconsistent +with the on-disk block. A mapped read after the associated page is +reclaimed or invalidated exposes non-zero post-EOF data. + +For example, consider the following sequence when run on a kernel +modified to explicitly flush the new EOF page within the race +window: + +$ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file +$ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file + ... +$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file +00000400: 00 00 00 00 00 00 00 00 ........ +$ umount /mnt/; mount /mnt/ +$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file +00000400: cd cd cd cd cd cd cd cd ........ + +Update xfs_setattr_size() to explicitly flush the new EOF page prior +to the page truncate to ensure iomap has the latest state of the +underlying block. + +Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path") +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_iops.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index 80a13c8561d85..bf93a7152181c 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -911,6 +911,16 @@ xfs_setattr_size( + error = iomap_zero_range(inode, oldsize, newsize - oldsize, + &did_zeroing, &xfs_buffered_write_iomap_ops); + } else { ++ /* ++ * iomap won't detect a dirty page over an unwritten block (or a ++ * cow block over a hole) and subsequently skips zeroing the ++ * newly post-EOF portion of the page. Flush the new EOF to ++ * convert the block before the pagecache truncate. ++ */ ++ error = filemap_write_and_wait_range(inode->i_mapping, newsize, ++ newsize); ++ if (error) ++ return error; + error = iomap_truncate_page(inode, newsize, &did_zeroing, + &xfs_buffered_write_iomap_ops); + } +-- +2.27.0 + diff --git a/queue-5.9/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch b/queue-5.9/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch new file mode 100644 index 00000000000..b198476ff75 --- /dev/null +++ b/queue-5.9/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch @@ -0,0 +1,55 @@ +From 7d092328e4b3c551753675b00f7c910c3636f577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 15:19:38 -0700 +Subject: xfs: set xefi_discard when creating a deferred agfl free log intent + item + +From: Darrick J. Wong + +[ Upstream commit 2c334e12f957cd8c6bb66b4aa3f79848b7c33cab ] + +Make sure that we actually initialize xefi_discard when we're scheduling +a deferred free of an AGFL block. This was (eventually) found by the +UBSAN while I was banging on realtime rmap problems, but it exists in +the upstream codebase. While we're at it, rearrange the structure to +reduce the struct size from 64 to 56 bytes. + +Fixes: fcb762f5de2e ("xfs: add bmapi nodiscard flag") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_alloc.c | 1 + + fs/xfs/libxfs/xfs_bmap.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index 852b536551b53..15640015be9d2 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -2467,6 +2467,7 @@ xfs_defer_agfl_block( + new->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno); + new->xefi_blockcount = 1; + new->xefi_oinfo = *oinfo; ++ new->xefi_skip_discard = false; + + trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1); + +diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h +index e1bd484e55485..6747e97a79490 100644 +--- a/fs/xfs/libxfs/xfs_bmap.h ++++ b/fs/xfs/libxfs/xfs_bmap.h +@@ -52,9 +52,9 @@ struct xfs_extent_free_item + { + xfs_fsblock_t xefi_startblock;/* starting fs block number */ + xfs_extlen_t xefi_blockcount;/* number of blocks in extent */ ++ bool xefi_skip_discard; + struct list_head xefi_list; + struct xfs_owner_info xefi_oinfo; /* extent owner */ +- bool xefi_skip_discard; + }; + + #define XFS_BMAP_MAX_NMAP 4 +-- +2.27.0 +