From 275ce5127f825aae903d04ef640c0bd57f5e361f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 7 Feb 2021 22:55:09 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...4-dts-ls1046a-fix-dcfg-address-range.patch | 37 +++++ .../input-i8042-unbreak-pegatron-c15b.patch | 45 ++++++ ...start-bottom-up-allocations-with-ker.patch | 146 ++++++++++++++++++ ...copy-the-skb-before-sending-a-packet.patch | 51 ++++++ ...ntry-enable-should-be-written-after-.patch | 50 ++++++ ...ck-around-release-of-dst-cached-on-u.patch | 109 +++++++++++++ queue-4.19/series | 6 + 7 files changed, 444 insertions(+) create mode 100644 queue-4.19/arm64-dts-ls1046a-fix-dcfg-address-range.patch create mode 100644 queue-4.19/input-i8042-unbreak-pegatron-c15b.patch create mode 100644 queue-4.19/memblock-do-not-start-bottom-up-allocations-with-ker.patch create mode 100644 queue-4.19/net-lapb-copy-the-skb-before-sending-a-packet.patch create mode 100644 queue-4.19/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch create mode 100644 queue-4.19/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch diff --git a/queue-4.19/arm64-dts-ls1046a-fix-dcfg-address-range.patch b/queue-4.19/arm64-dts-ls1046a-fix-dcfg-address-range.patch new file mode 100644 index 00000000000..adb672b7520 --- /dev/null +++ b/queue-4.19/arm64-dts-ls1046a-fix-dcfg-address-range.patch @@ -0,0 +1,37 @@ +From c0a6d6c6475c8c17f1f4fe09f5dd822c8d58d343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 16:52:37 +0100 +Subject: arm64: dts: ls1046a: fix dcfg address range + +From: Zyta Szpak + +[ Upstream commit aa880c6f3ee6dbd0d5ab02026a514ff8ea0a3328 ] + +Dcfg was overlapping with clockgen address space which resulted +in failure in memory allocation for dcfg. According regs description +dcfg size should not be bigger than 4KB. + +Signed-off-by: Zyta Szpak +Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +index de6af453a6e16..f4eb4d3b6cabf 100644 +--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +@@ -303,7 +303,7 @@ + + dcfg: dcfg@1ee0000 { + compatible = "fsl,ls1046a-dcfg", "syscon"; +- reg = <0x0 0x1ee0000 0x0 0x10000>; ++ reg = <0x0 0x1ee0000 0x0 0x1000>; + big-endian; + }; + +-- +2.27.0 + diff --git a/queue-4.19/input-i8042-unbreak-pegatron-c15b.patch b/queue-4.19/input-i8042-unbreak-pegatron-c15b.patch new file mode 100644 index 00000000000..800cf90376a --- /dev/null +++ b/queue-4.19/input-i8042-unbreak-pegatron-c15b.patch @@ -0,0 +1,45 @@ +From 04eea39a1b610a6b64126961cd8666d9dc2dbbd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jan 2021 17:59:51 -0800 +Subject: Input: i8042 - unbreak Pegatron C15B +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexey Dobriyan + +[ Upstream commit a3a9060ecad030e2c7903b2b258383d2c716b56c ] + +g++ reports + + drivers/input/serio/i8042-x86ia64io.h:225:3: error: ‘.matches’ designator used multiple times in the same initializer list + +C99 semantics is that last duplicated initialiser wins, +so DMI entry gets overwritten. + +Fixes: a48491c65b51 ("Input: i8042 - add ByteSpeed touchpad to noloop table") +Signed-off-by: Alexey Dobriyan +Acked-by: Po-Hsu Lin +Link: https://lore.kernel.org/r/20201228072335.GA27766@localhost.localdomain +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index b256e3006a6fb..844875df8cad7 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -223,6 +223,8 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"), + DMI_MATCH(DMI_PRODUCT_NAME, "C15B"), + }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"), + DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"), +-- +2.27.0 + diff --git a/queue-4.19/memblock-do-not-start-bottom-up-allocations-with-ker.patch b/queue-4.19/memblock-do-not-start-bottom-up-allocations-with-ker.patch new file mode 100644 index 00000000000..9186b6e7ab5 --- /dev/null +++ b/queue-4.19/memblock-do-not-start-bottom-up-allocations-with-ker.patch @@ -0,0 +1,146 @@ +From e9c27bbc325ed308984f0894b6708c3817dea01c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 18:32:36 -0800 +Subject: memblock: do not start bottom-up allocations with kernel_end + +From: Roman Gushchin + +[ Upstream commit 2dcb3964544177c51853a210b6ad400de78ef17d ] + +With kaslr the kernel image is placed at a random place, so starting the +bottom-up allocation with the kernel_end can result in an allocation +failure and a warning like this one: + + hugetlb_cma: reserve 2048 MiB, up to 2048 MiB per node + ------------[ cut here ]------------ + memblock: bottom-up allocation failed, memory hotremove may be affected + WARNING: CPU: 0 PID: 0 at mm/memblock.c:332 memblock_find_in_range_node+0x178/0x25a + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.0+ #1169 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + RIP: 0010:memblock_find_in_range_node+0x178/0x25a + Code: e9 6d ff ff ff 48 85 c0 0f 85 da 00 00 00 80 3d 9b 35 df 00 00 75 15 48 c7 c7 c0 75 59 88 c6 05 8b 35 df 00 01 e8 25 8a fa ff <0f> 0b 48 c7 44 24 20 ff ff ff ff 44 89 e6 44 89 ea 48 c7 c1 70 5c + RSP: 0000:ffffffff88803d18 EFLAGS: 00010086 ORIG_RAX: 0000000000000000 + RAX: 0000000000000000 RBX: 0000000240000000 RCX: 00000000ffffdfff + RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000046 + RBP: 0000000100000000 R08: ffffffff88922788 R09: 0000000000009ffb + R10: 00000000ffffe000 R11: 3fffffffffffffff R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000080000000 R15: 00000001fb42c000 + FS: 0000000000000000(0000) GS:ffffffff88f71000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffa080fb401000 CR3: 00000001fa80a000 CR4: 00000000000406b0 + Call Trace: + memblock_alloc_range_nid+0x8d/0x11e + cma_declare_contiguous_nid+0x2c4/0x38c + hugetlb_cma_reserve+0xdc/0x128 + flush_tlb_one_kernel+0xc/0x20 + native_set_fixmap+0x82/0xd0 + flat_get_apic_id+0x5/0x10 + register_lapic_address+0x8e/0x97 + setup_arch+0x8a5/0xc3f + start_kernel+0x66/0x547 + load_ucode_bsp+0x4c/0xcd + secondary_startup_64_no_verify+0xb0/0xbb + random: get_random_bytes called from __warn+0xab/0x110 with crng_init=0 + ---[ end trace f151227d0b39be70 ]--- + +At the same time, the kernel image is protected with memblock_reserve(), +so we can just start searching at PAGE_SIZE. In this case the bottom-up +allocation has the same chances to success as a top-down allocation, so +there is no reason to fallback in the case of a failure. All together it +simplifies the logic. + +Link: https://lkml.kernel.org/r/20201217201214.3414100-2-guro@fb.com +Fixes: 8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low memory") +Signed-off-by: Roman Gushchin +Reviewed-by: Mike Rapoport +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: Rik van Riel +Cc: Wonhyuk Yang +Cc: Thiago Jung Bauermann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memblock.c | 49 ++++++------------------------------------------- + 1 file changed, 6 insertions(+), 43 deletions(-) + +diff --git a/mm/memblock.c b/mm/memblock.c +index bb4e32c6b19e9..4f7c5c3c442c3 100644 +--- a/mm/memblock.c ++++ b/mm/memblock.c +@@ -234,14 +234,6 @@ __memblock_find_range_top_down(phys_addr_t start, phys_addr_t end, + * + * Find @size free area aligned to @align in the specified range and node. + * +- * When allocation direction is bottom-up, the @start should be greater +- * than the end of the kernel image. Otherwise, it will be trimmed. The +- * reason is that we want the bottom-up allocation just near the kernel +- * image so it is highly likely that the allocated memory and the kernel +- * will reside in the same node. +- * +- * If bottom-up allocation failed, will try to allocate memory top-down. +- * + * Return: + * Found address on success, 0 on failure. + */ +@@ -250,8 +242,6 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, + phys_addr_t end, int nid, + enum memblock_flags flags) + { +- phys_addr_t kernel_end, ret; +- + /* pump up @end */ + if (end == MEMBLOCK_ALLOC_ACCESSIBLE) + end = memblock.current_limit; +@@ -259,40 +249,13 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, + /* avoid allocating the first page */ + start = max_t(phys_addr_t, start, PAGE_SIZE); + end = max(start, end); +- kernel_end = __pa_symbol(_end); +- +- /* +- * try bottom-up allocation only when bottom-up mode +- * is set and @end is above the kernel image. +- */ +- if (memblock_bottom_up() && end > kernel_end) { +- phys_addr_t bottom_up_start; +- +- /* make sure we will allocate above the kernel */ +- bottom_up_start = max(start, kernel_end); + +- /* ok, try bottom-up allocation first */ +- ret = __memblock_find_range_bottom_up(bottom_up_start, end, +- size, align, nid, flags); +- if (ret) +- return ret; +- +- /* +- * we always limit bottom-up allocation above the kernel, +- * but top-down allocation doesn't have the limit, so +- * retrying top-down allocation may succeed when bottom-up +- * allocation failed. +- * +- * bottom-up allocation is expected to be fail very rarely, +- * so we use WARN_ONCE() here to see the stack trace if +- * fail happens. +- */ +- WARN_ONCE(IS_ENABLED(CONFIG_MEMORY_HOTREMOVE), +- "memblock: bottom-up allocation failed, memory hotremove may be affected\n"); +- } +- +- return __memblock_find_range_top_down(start, end, size, align, nid, +- flags); ++ if (memblock_bottom_up()) ++ return __memblock_find_range_bottom_up(start, end, size, align, ++ nid, flags); ++ else ++ return __memblock_find_range_top_down(start, end, size, align, ++ nid, flags); + } + + /** +-- +2.27.0 + diff --git a/queue-4.19/net-lapb-copy-the-skb-before-sending-a-packet.patch b/queue-4.19/net-lapb-copy-the-skb-before-sending-a-packet.patch new file mode 100644 index 00000000000..28e21147751 --- /dev/null +++ b/queue-4.19/net-lapb-copy-the-skb-before-sending-a-packet.patch @@ -0,0 +1,51 @@ +From 73cfdda14318c78fca5164a3672f5ddc159d8f97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jan 2021 21:57:06 -0800 +Subject: net: lapb: Copy the skb before sending a packet + +From: Xie He + +[ Upstream commit 88c7a9fd9bdd3e453f04018920964c6f848a591a ] + +When sending a packet, we will prepend it with an LAPB header. +This modifies the shared parts of a cloned skb, so we should copy the +skb rather than just clone it, before we prepend the header. + +In "Documentation/networking/driver.rst" (the 2nd point), it states +that drivers shouldn't modify the shared parts of a cloned skb when +transmitting. + +The "dev_queue_xmit_nit" function in "net/core/dev.c", which is called +when an skb is being sent, clones the skb and sents the clone to +AF_PACKET sockets. Because the LAPB drivers first remove a 1-byte +pseudo-header before handing over the skb to us, if we don't copy the +skb before prepending the LAPB header, the first byte of the packets +received on AF_PACKET sockets can be corrupted. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xie He +Acked-by: Martin Schiller +Link: https://lore.kernel.org/r/20210201055706.415842-1-xie.he.0141@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/lapb/lapb_out.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/lapb/lapb_out.c b/net/lapb/lapb_out.c +index eda726e22f645..621c66f001177 100644 +--- a/net/lapb/lapb_out.c ++++ b/net/lapb/lapb_out.c +@@ -87,7 +87,8 @@ void lapb_kick(struct lapb_cb *lapb) + skb = skb_dequeue(&lapb->write_queue); + + do { +- if ((skbn = skb_clone(skb, GFP_ATOMIC)) == NULL) { ++ skbn = skb_copy(skb, GFP_ATOMIC); ++ if (!skbn) { + skb_queue_head(&lapb->write_queue, skb); + break; + } +-- +2.27.0 + diff --git a/queue-4.19/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch b/queue-4.19/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch new file mode 100644 index 00000000000..1a51514ad63 --- /dev/null +++ b/queue-4.19/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch @@ -0,0 +1,50 @@ +From 9439a2120191f41c4d908788740b94ebabed810a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Feb 2021 11:35:39 +0200 +Subject: net: mvpp2: TCAM entry enable should be written after SRAM data + +From: Stefan Chulski + +[ Upstream commit 43f4a20a1266d393840ce010f547486d14cc0071 ] + +Last TCAM data contains TCAM enable bit. +It should be written after SRAM data before entry enabled. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Stefan Chulski +Link: https://lore.kernel.org/r/1612172139-28343-1-git-send-email-stefanc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index a30eb90ba3d28..dd590086fe6a5 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -29,16 +29,16 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + /* Clear entry invalidation bit */ + pe->tcam[MVPP2_PRS_TCAM_INV_WORD] &= ~MVPP2_PRS_TCAM_INV_MASK; + +- /* Write tcam index - indirect access */ +- mvpp2_write(priv, MVPP2_PRS_TCAM_IDX_REG, pe->index); +- for (i = 0; i < MVPP2_PRS_TCAM_WORDS; i++) +- mvpp2_write(priv, MVPP2_PRS_TCAM_DATA_REG(i), pe->tcam[i]); +- + /* Write sram index - indirect access */ + mvpp2_write(priv, MVPP2_PRS_SRAM_IDX_REG, pe->index); + for (i = 0; i < MVPP2_PRS_SRAM_WORDS; i++) + mvpp2_write(priv, MVPP2_PRS_SRAM_DATA_REG(i), pe->sram[i]); + ++ /* Write tcam index - indirect access */ ++ mvpp2_write(priv, MVPP2_PRS_TCAM_IDX_REG, pe->index); ++ for (i = 0; i < MVPP2_PRS_TCAM_WORDS; i++) ++ mvpp2_write(priv, MVPP2_PRS_TCAM_DATA_REG(i), pe->tcam[i]); ++ + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.19/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch b/queue-4.19/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch new file mode 100644 index 00000000000..42034f8719d --- /dev/null +++ b/queue-4.19/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch @@ -0,0 +1,109 @@ +From f5213c03f71f869c8d93d6443fc9de8e09eb6171 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 23:53:50 +0000 +Subject: rxrpc: Fix deadlock around release of dst cached on udp tunnel + +From: David Howells + +[ Upstream commit 5399d52233c47905bbf97dcbaa2d7a9cc31670ba ] + +AF_RXRPC sockets use UDP ports in encap mode. This causes socket and dst +from an incoming packet to get stolen and attached to the UDP socket from +whence it is leaked when that socket is closed. + +When a network namespace is removed, the wait for dst records to be cleaned +up happens before the cleanup of the rxrpc and UDP socket, meaning that the +wait never finishes. + +Fix this by moving the rxrpc (and, by dependence, the afs) private +per-network namespace registrations to the device group rather than subsys +group. This allows cached rxrpc local endpoints to be cleared and their +UDP sockets closed before we try waiting for the dst records. + +The symptom is that lines looking like the following: + + unregister_netdevice: waiting for lo to become free + +get emitted at regular intervals after running something like the +referenced syzbot test. + +Thanks to Vadim for tracking this down and work out the fix. + +Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com +Reported-by: Vadim Fedorenko +Fixes: 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook") +Signed-off-by: David Howells +Acked-by: Vadim Fedorenko +Link: https://lore.kernel.org/r/161196443016.3868642.5577440140646403533.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + fs/afs/main.c | 6 +++--- + net/rxrpc/af_rxrpc.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/afs/main.c b/fs/afs/main.c +index 107427688eddd..8ecb127be63f9 100644 +--- a/fs/afs/main.c ++++ b/fs/afs/main.c +@@ -190,7 +190,7 @@ static int __init afs_init(void) + goto error_cache; + #endif + +- ret = register_pernet_subsys(&afs_net_ops); ++ ret = register_pernet_device(&afs_net_ops); + if (ret < 0) + goto error_net; + +@@ -210,7 +210,7 @@ static int __init afs_init(void) + error_proc: + afs_fs_exit(); + error_fs: +- unregister_pernet_subsys(&afs_net_ops); ++ unregister_pernet_device(&afs_net_ops); + error_net: + #ifdef CONFIG_AFS_FSCACHE + fscache_unregister_netfs(&afs_cache_netfs); +@@ -241,7 +241,7 @@ static void __exit afs_exit(void) + + proc_remove(afs_proc_symlink); + afs_fs_exit(); +- unregister_pernet_subsys(&afs_net_ops); ++ unregister_pernet_device(&afs_net_ops); + #ifdef CONFIG_AFS_FSCACHE + fscache_unregister_netfs(&afs_cache_netfs); + #endif +diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c +index 57f835d2442ec..fb7e3fffcb5ef 100644 +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -1010,7 +1010,7 @@ static int __init af_rxrpc_init(void) + goto error_security; + } + +- ret = register_pernet_subsys(&rxrpc_net_ops); ++ ret = register_pernet_device(&rxrpc_net_ops); + if (ret) + goto error_pernet; + +@@ -1055,7 +1055,7 @@ error_key_type: + error_sock: + proto_unregister(&rxrpc_proto); + error_proto: +- unregister_pernet_subsys(&rxrpc_net_ops); ++ unregister_pernet_device(&rxrpc_net_ops); + error_pernet: + rxrpc_exit_security(); + error_security: +@@ -1077,7 +1077,7 @@ static void __exit af_rxrpc_exit(void) + unregister_key_type(&key_type_rxrpc); + sock_unregister(PF_RXRPC); + proto_unregister(&rxrpc_proto); +- unregister_pernet_subsys(&rxrpc_net_ops); ++ unregister_pernet_device(&rxrpc_net_ops); + ASSERTCMP(atomic_read(&rxrpc_n_tx_skbs), ==, 0); + ASSERTCMP(atomic_read(&rxrpc_n_rx_skbs), ==, 0); + +-- +2.27.0 + diff --git a/queue-4.19/series b/queue-4.19/series index e4cd9f26544..56a81896831 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,3 +1,9 @@ usb-serial-cp210x-add-pid-vid-for-wsda-200-usb.patch usb-serial-cp210x-add-new-vid-pid-for-supporting-teraoka-ad2000.patch usb-serial-option-adding-support-for-cinterion-mv31.patch +input-i8042-unbreak-pegatron-c15b.patch +rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch +arm64-dts-ls1046a-fix-dcfg-address-range.patch +net-lapb-copy-the-skb-before-sending-a-packet.patch +net-mvpp2-tcam-entry-enable-should-be-written-after-.patch +memblock-do-not-start-bottom-up-allocations-with-ker.patch -- 2.47.3