From 4596e1c24b947f202cb08e56f9bea8b9e7579781 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 7 Feb 2021 22:55:08 -0500 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...-a20-bananapro-fix-ethernet-phy-mode.patch | 43 ++++++ ...c-meson-g12-set-fl-adj-property-valu.patch | 43 ++++++ ...4-dts-ls1046a-fix-dcfg-address-range.patch | 37 +++++ ...630-keep-both-touchpad-devices-enabl.patch | 73 +++++++++ ...-rockchip-fix-vopl-iommu-irq-on-px30.patch | 39 +++++ ...group-fix-optlen-warn_on_once-toctou.patch | 46 ++++++ ...-cgroup-fix-problematic-bounds-check.patch | 39 +++++ ...-don-t-report-link-up-for-a-vf-who-h.patch | 100 ++++++++++++ ...-value-of-ret_val-in-igc_config_fc_a.patch | 36 +++++ ...ult-return-value-to-igc_err_nvm-in-i.patch | 48 ++++++ .../input-i8042-unbreak-pegatron-c15b.patch | 45 ++++++ ...start-bottom-up-allocations-with-ker.patch | 146 ++++++++++++++++++ ...copy-the-skb-before-sending-a-packet.patch | 51 ++++++ ...x-leak-upon-failure-of-rule-creation.patch | 56 +++++++ ...ntry-enable-should-be-written-after-.patch | 50 ++++++ ...t-of-bounds-access-when-receiving-mu.patch | 55 +++++++ ...-shutdown-if-config_debug_shirq-is-s.patch | 46 ++++++ ...ck-around-release-of-dst-cached-on-u.patch | 109 +++++++++++++ queue-5.4/series | 19 +++ ...u_dev-only-with-the-contained-struct.patch | 46 ++++++ 20 files changed, 1127 insertions(+) create mode 100644 queue-5.4/arm-dts-sun7i-a20-bananapro-fix-ethernet-phy-mode.patch create mode 100644 queue-5.4/arm64-dts-amlogic-meson-g12-set-fl-adj-property-valu.patch create mode 100644 queue-5.4/arm64-dts-ls1046a-fix-dcfg-address-range.patch create mode 100644 queue-5.4/arm64-dts-qcom-c630-keep-both-touchpad-devices-enabl.patch create mode 100644 queue-5.4/arm64-dts-rockchip-fix-vopl-iommu-irq-on-px30.patch create mode 100644 queue-5.4/bpf-cgroup-fix-optlen-warn_on_once-toctou.patch create mode 100644 queue-5.4/bpf-cgroup-fix-problematic-bounds-check.patch create mode 100644 queue-5.4/i40e-revert-i40e-don-t-report-link-up-for-a-vf-who-h.patch create mode 100644 queue-5.4/igc-check-return-value-of-ret_val-in-igc_config_fc_a.patch create mode 100644 queue-5.4/igc-set-the-default-return-value-to-igc_err_nvm-in-i.patch create mode 100644 queue-5.4/input-i8042-unbreak-pegatron-c15b.patch create mode 100644 queue-5.4/memblock-do-not-start-bottom-up-allocations-with-ker.patch create mode 100644 queue-5.4/net-lapb-copy-the-skb-before-sending-a-packet.patch create mode 100644 queue-5.4/net-mlx5-fix-leak-upon-failure-of-rule-creation.patch create mode 100644 queue-5.4/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch create mode 100644 queue-5.4/nvmet-tcp-fix-out-of-bounds-access-when-receiving-mu.patch create mode 100644 queue-5.4/r8169-fix-wol-on-shutdown-if-config_debug_shirq-is-s.patch create mode 100644 queue-5.4/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch create mode 100644 queue-5.4/um-virtio-free-vu_dev-only-with-the-contained-struct.patch diff --git a/queue-5.4/arm-dts-sun7i-a20-bananapro-fix-ethernet-phy-mode.patch b/queue-5.4/arm-dts-sun7i-a20-bananapro-fix-ethernet-phy-mode.patch new file mode 100644 index 00000000000..3d6a0cbcdef --- /dev/null +++ b/queue-5.4/arm-dts-sun7i-a20-bananapro-fix-ethernet-phy-mode.patch @@ -0,0 +1,43 @@ +From e628b36dda195c490d4536d503c1047399fa25ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 12:18:42 +0100 +Subject: ARM: dts: sun7i: a20: bananapro: Fix ethernet phy-mode + +From: Hermann Lauer + +[ Upstream commit a900cac3750b9f0b8f5ed0503d9c6359532f644d ] + +BPi Pro needs TX and RX delay for Gbit to work reliable and avoid high +packet loss rates. The realtek phy driver overrides the settings of the +pull ups for the delays, so fix this for BananaPro. + +Fix the phy-mode description to correctly reflect this so that the +implementation doesn't reconfigure the delays incorrectly. This +happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e +rx/tx delay config"). + +Fixes: 10662a33dcd9 ("ARM: dts: sun7i: Add dts file for Bananapro board") +Signed-off-by: Hermann Lauer +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20210128111842.GA11919@lemon.iwr.uni-heidelberg.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun7i-a20-bananapro.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/sun7i-a20-bananapro.dts b/arch/arm/boot/dts/sun7i-a20-bananapro.dts +index 01ccff756996d..5740f9442705c 100644 +--- a/arch/arm/boot/dts/sun7i-a20-bananapro.dts ++++ b/arch/arm/boot/dts/sun7i-a20-bananapro.dts +@@ -110,7 +110,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&gmac_rgmii_pins>; + phy-handle = <&phy1>; +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-id"; + phy-supply = <®_gmac_3v3>; + status = "okay"; + }; +-- +2.27.0 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-g12-set-fl-adj-property-valu.patch b/queue-5.4/arm64-dts-amlogic-meson-g12-set-fl-adj-property-valu.patch new file mode 100644 index 00000000000..eb5654053bc --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-g12-set-fl-adj-property-valu.patch @@ -0,0 +1,43 @@ +From ccdbcaee6a99b2cdded3fa2d391e97e9e367480b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 12:17:47 +0300 +Subject: arm64: dts: amlogic: meson-g12: Set FL-adj property value + +From: Serge Semin + +[ Upstream commit 7386a559caa6414e74578172c2bc4e636d6bd0a0 ] + +In accordance with the DWC USB3 bindings the property is supposed to have +uint32 type. It's erroneous from the DT schema and driver points of view +to declare it as boolean. As Neil suggested set it to 0x20 so not break +the platform and to make the dtbs checker happy. + +Link: https://lore.kernel.org/linux-usb/20201010224121.12672-16-Sergey.Semin@baikalelectronics.ru/ +Signed-off-by: Serge Semin +Reviewed-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Reviewed-by: Krzysztof Kozlowski +Fixes: 9baf7d6be730 ("arm64: dts: meson: g12a: Add G12A USB nodes") +Signed-off-by: Kevin Hilman +Link: https://lore.kernel.org/r/20201210091756.18057-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +index 354ef2f3eac67..9533c85fb0a30 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +@@ -2382,7 +2382,7 @@ + interrupts = ; + dr_mode = "host"; + snps,dis_u2_susphy_quirk; +- snps,quirk-frame-length-adjustment; ++ snps,quirk-frame-length-adjustment = <0x20>; + snps,parkmode-disable-ss-quirk; + }; + }; +-- +2.27.0 + diff --git a/queue-5.4/arm64-dts-ls1046a-fix-dcfg-address-range.patch b/queue-5.4/arm64-dts-ls1046a-fix-dcfg-address-range.patch new file mode 100644 index 00000000000..9b344c2d0b6 --- /dev/null +++ b/queue-5.4/arm64-dts-ls1046a-fix-dcfg-address-range.patch @@ -0,0 +1,37 @@ +From e432ac3b7441cc5889c135195871c1083d9ef894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 16:52:37 +0100 +Subject: arm64: dts: ls1046a: fix dcfg address range + +From: Zyta Szpak + +[ Upstream commit aa880c6f3ee6dbd0d5ab02026a514ff8ea0a3328 ] + +Dcfg was overlapping with clockgen address space which resulted +in failure in memory allocation for dcfg. According regs description +dcfg size should not be bigger than 4KB. + +Signed-off-by: Zyta Szpak +Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +index d4c1da3d4bde2..04d4b1b11a00a 100644 +--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +@@ -304,7 +304,7 @@ + + dcfg: dcfg@1ee0000 { + compatible = "fsl,ls1046a-dcfg", "syscon"; +- reg = <0x0 0x1ee0000 0x0 0x10000>; ++ reg = <0x0 0x1ee0000 0x0 0x1000>; + big-endian; + }; + +-- +2.27.0 + diff --git a/queue-5.4/arm64-dts-qcom-c630-keep-both-touchpad-devices-enabl.patch b/queue-5.4/arm64-dts-qcom-c630-keep-both-touchpad-devices-enabl.patch new file mode 100644 index 00000000000..c0205d8ea94 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-c630-keep-both-touchpad-devices-enabl.patch @@ -0,0 +1,73 @@ +From c1b08baa3ea65666cbfa059ed716fd5caad859e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 12:59:40 +0800 +Subject: arm64: dts: qcom: c630: keep both touchpad devices enabled + +From: Shawn Guo + +[ Upstream commit a9164910c5ceed63551280a4a0b85d37ac2b19a5 ] + +Indicated by AML code in ACPI table, the touchpad in-use could be found +on two possible slave addresses on &i2c3, i.e. hid@15 and hid@2c. And +which one is in-use can be determined by reading another address on the +I2C bus. Unfortunately, for DT boot, there is currently no support in +firmware to make this check and patch DT accordingly. This results in +a non-functional touchpad on those C630 devices with hid@2c. + +As i2c-hid driver will stop probing the device if there is nothing on +the slave address, we can actually keep both devices enabled in DT, and +i2c-hid driver will only probe the existing one. The only problem is +that we cannot set up pinctrl in both device nodes, as two devices with +the same pinctrl will cause pin conflict that makes the second device +fail to probe. Let's move the pinctrl state up to parent node to solve +this problem. As the pinctrl state of parent node is already defined in +sdm845.dtsi, it ends up with overwriting pinctrl-0 with i2c3_hid_active +state added in there. + +Fixes: 11d0e4f28156 ("arm64: dts: qcom: c630: Polish i2c-hid devices") +Signed-off-by: Shawn Guo +Link: https://lore.kernel.org/r/20210102045940.26874-1-shawn.guo@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +index f539b3655f6b9..e638f216dbfb3 100644 +--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts ++++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +@@ -243,6 +243,8 @@ + &i2c3 { + status = "okay"; + clock-frequency = <400000>; ++ /* Overwrite pinctrl-0 from sdm845.dtsi */ ++ pinctrl-0 = <&qup_i2c3_default &i2c3_hid_active>; + + tsel: hid@15 { + compatible = "hid-over-i2c"; +@@ -250,9 +252,6 @@ + hid-descr-addr = <0x1>; + + interrupts-extended = <&tlmm 37 IRQ_TYPE_LEVEL_HIGH>; +- +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c3_hid_active>; + }; + + tsc2: hid@2c { +@@ -261,11 +260,6 @@ + hid-descr-addr = <0x20>; + + interrupts-extended = <&tlmm 37 IRQ_TYPE_LEVEL_HIGH>; +- +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c3_hid_active>; +- +- status = "disabled"; + }; + }; + +-- +2.27.0 + diff --git a/queue-5.4/arm64-dts-rockchip-fix-vopl-iommu-irq-on-px30.patch b/queue-5.4/arm64-dts-rockchip-fix-vopl-iommu-irq-on-px30.patch new file mode 100644 index 00000000000..008e397dd89 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-fix-vopl-iommu-irq-on-px30.patch @@ -0,0 +1,39 @@ +From 5d7eff93b346d2a3cbe995934989b54c792a5716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jan 2021 12:06:27 +0100 +Subject: arm64: dts: rockchip: fix vopl iommu irq on px30 + +From: Sandy Huang + +[ Upstream commit 656c648354e1561fa4f445b0b3252ec1d24e3951 ] + +The vop-mmu shares the irq with its matched vop but not the vpu. + +Fixes: 7053e06b1422 ("arm64: dts: rockchip: add core dtsi file for PX30 SoCs") +Signed-off-by: Sandy Huang +Signed-off-by: Heiko Stuebner +Reviewed-by: Ezequiel Garcia +Reviewed-by: Paul Kocialkowski +Tested-by: Paul Kocialkowski +Link: https://lore.kernel.org/r/20210108110627.3231226-1-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/px30.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/px30.dtsi b/arch/arm64/boot/dts/rockchip/px30.dtsi +index 9e09909a510a1..98b014a8f9165 100644 +--- a/arch/arm64/boot/dts/rockchip/px30.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30.dtsi +@@ -860,7 +860,7 @@ + vopl_mmu: iommu@ff470f00 { + compatible = "rockchip,iommu"; + reg = <0x0 0xff470f00 0x0 0x100>; +- interrupts = ; ++ interrupts = ; + interrupt-names = "vopl_mmu"; + clocks = <&cru ACLK_VOPL>, <&cru HCLK_VOPL>; + clock-names = "aclk", "hclk"; +-- +2.27.0 + diff --git a/queue-5.4/bpf-cgroup-fix-optlen-warn_on_once-toctou.patch b/queue-5.4/bpf-cgroup-fix-optlen-warn_on_once-toctou.patch new file mode 100644 index 00000000000..532650ec0e7 --- /dev/null +++ b/queue-5.4/bpf-cgroup-fix-optlen-warn_on_once-toctou.patch @@ -0,0 +1,46 @@ +From 86fac4c9f7aec6385a413458bebb0101c8816ae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 17:42:31 +0100 +Subject: bpf, cgroup: Fix optlen WARN_ON_ONCE toctou + +From: Loris Reiff + +[ Upstream commit bb8b81e396f7afbe7c50d789e2107512274d2a35 ] + +A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a +WARN_ON_ONCE in a check of `copy_from_user`. + +`*optlen` is checked to be non-negative in the individual getsockopt +functions beforehand. Changing `*optlen` in a race to a negative value +will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with +`ctx.optlen` being a negative integer. + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Signed-off-by: Loris Reiff +Signed-off-by: Daniel Borkmann +Reviewed-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch +Signed-off-by: Sasha Levin +--- + kernel/bpf/cgroup.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index 5a8b4dfdb1419..5b2413eb79db4 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1109,6 +1109,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, + goto out; + } + ++ if (ctx.optlen < 0) { ++ ret = -EFAULT; ++ goto out; ++ } ++ + if (copy_from_user(ctx.optval, optval, + min(ctx.optlen, max_optlen)) != 0) { + ret = -EFAULT; +-- +2.27.0 + diff --git a/queue-5.4/bpf-cgroup-fix-problematic-bounds-check.patch b/queue-5.4/bpf-cgroup-fix-problematic-bounds-check.patch new file mode 100644 index 00000000000..a61ca5ccb78 --- /dev/null +++ b/queue-5.4/bpf-cgroup-fix-problematic-bounds-check.patch @@ -0,0 +1,39 @@ +From 0ac834337d78628b0bf0bad859eb0dafd10c299d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 17:42:32 +0100 +Subject: bpf, cgroup: Fix problematic bounds check + +From: Loris Reiff + +[ Upstream commit f4a2da755a7e1f5d845c52aee71336cee289935a ] + +Since ctx.optlen is signed, a larger value than max_value could be +passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE +in the copy_to_user. + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Signed-off-by: Loris Reiff +Signed-off-by: Daniel Borkmann +Reviewed-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20210122164232.61770-2-loris.reiff@liblor.ch +Signed-off-by: Sasha Levin +--- + kernel/bpf/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index 5b2413eb79db4..c2f0aa818b7af 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1131,7 +1131,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, + goto out; + } + +- if (ctx.optlen > max_optlen) { ++ if (ctx.optlen > max_optlen || ctx.optlen < 0) { + ret = -EFAULT; + goto out; + } +-- +2.27.0 + diff --git a/queue-5.4/i40e-revert-i40e-don-t-report-link-up-for-a-vf-who-h.patch b/queue-5.4/i40e-revert-i40e-don-t-report-link-up-for-a-vf-who-h.patch new file mode 100644 index 00000000000..587384eb9b6 --- /dev/null +++ b/queue-5.4/i40e-revert-i40e-don-t-report-link-up-for-a-vf-who-h.patch @@ -0,0 +1,100 @@ +From 10eaed8a4a501899e83aff578e3772df22074aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Jan 2021 00:22:23 +0000 +Subject: i40e: Revert "i40e: don't report link up for a VF who hasn't enabled + queues" + +From: Aleksandr Loktionov + +[ Upstream commit f559a356043a55bab25a4c00505ea65c50a956fb ] + +This reverts commit 2ad1274fa35ace5c6360762ba48d33b63da2396c + +VF queues were not brought up when PF was brought up after being +downed if the VF driver disabled VFs queues during PF down. +This could happen in some older or external VF driver implementations. +The problem was that PF driver used vf->queues_enabled as a condition +to decide what link-state it would send out which caused the issue. + +Remove the check for vf->queues_enabled in the VF link notify. +Now VF will always be notified of the current link status. +Also remove the queues_enabled member from i40e_vf structure as it is +not used anymore. Otherwise VNF implementation was broken and caused +a link flap. + +The original commit was a workaround to avoid breaking existing VFs though +it's really a fault of the VF code not the PF. The commit should be safe to +revert as all of the VFs we know of have been fixed. Also, since we now +know there is a related bug in the workaround, removing it is preferred. + +Fixes: 2ad1274fa35a ("i40e: don't report link up for a VF who hasn't enabled") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 13 +------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 - + 2 files changed, 1 insertion(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index c20dc689698ed..5acd599d6b9af 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -55,12 +55,7 @@ static void i40e_vc_notify_vf_link_state(struct i40e_vf *vf) + + pfe.event = VIRTCHNL_EVENT_LINK_CHANGE; + pfe.severity = PF_EVENT_SEVERITY_INFO; +- +- /* Always report link is down if the VF queues aren't enabled */ +- if (!vf->queues_enabled) { +- pfe.event_data.link_event.link_status = false; +- pfe.event_data.link_event.link_speed = 0; +- } else if (vf->link_forced) { ++ if (vf->link_forced) { + pfe.event_data.link_event.link_status = vf->link_up; + pfe.event_data.link_event.link_speed = + (vf->link_up ? VIRTCHNL_LINK_SPEED_40GB : 0); +@@ -70,7 +65,6 @@ static void i40e_vc_notify_vf_link_state(struct i40e_vf *vf) + pfe.event_data.link_event.link_speed = + i40e_virtchnl_link_speed(ls->link_speed); + } +- + i40e_aq_send_msg_to_vf(hw, abs_vf_id, VIRTCHNL_OP_EVENT, + 0, (u8 *)&pfe, sizeof(pfe), NULL); + } +@@ -2393,8 +2387,6 @@ static int i40e_vc_enable_queues_msg(struct i40e_vf *vf, u8 *msg) + } + } + +- vf->queues_enabled = true; +- + error_param: + /* send the response to the VF */ + return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ENABLE_QUEUES, +@@ -2416,9 +2408,6 @@ static int i40e_vc_disable_queues_msg(struct i40e_vf *vf, u8 *msg) + struct i40e_pf *pf = vf->pf; + i40e_status aq_ret = 0; + +- /* Immediately mark queues as disabled */ +- vf->queues_enabled = false; +- + if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) { + aq_ret = I40E_ERR_PARAM; + goto error_param; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +index 7164b9bb294ff..f65cc0c165502 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +@@ -99,7 +99,6 @@ struct i40e_vf { + unsigned int tx_rate; /* Tx bandwidth limit in Mbps */ + bool link_forced; + bool link_up; /* only valid if VF link is forced */ +- bool queues_enabled; /* true if the VF queues are enabled */ + bool spoofchk; + u16 num_mac; + u16 num_vlan; +-- +2.27.0 + diff --git a/queue-5.4/igc-check-return-value-of-ret_val-in-igc_config_fc_a.patch b/queue-5.4/igc-check-return-value-of-ret_val-in-igc_config_fc_a.patch new file mode 100644 index 00000000000..713a55d834f --- /dev/null +++ b/queue-5.4/igc-check-return-value-of-ret_val-in-igc_config_fc_a.patch @@ -0,0 +1,36 @@ +From 9395240bbd5c6b3ce6b6900cf606dad8104f203d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 14:10:38 +0800 +Subject: igc: check return value of ret_val in igc_config_fc_after_link_up + +From: Kevin Lo + +[ Upstream commit b881145642ce0bbe2be521e0882e72a5cebe93b8 ] + +Check return value from ret_val to make error check actually work. + +Fixes: 4eb8080143a9 ("igc: Add setup link functionality") +Signed-off-by: Kevin Lo +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_mac.c b/drivers/net/ethernet/intel/igc/igc_mac.c +index 5eeb4c8caf4ae..08adf103e90b4 100644 +--- a/drivers/net/ethernet/intel/igc/igc_mac.c ++++ b/drivers/net/ethernet/intel/igc/igc_mac.c +@@ -647,7 +647,7 @@ s32 igc_config_fc_after_link_up(struct igc_hw *hw) + } + + out: +- return 0; ++ return ret_val; + } + + /** +-- +2.27.0 + diff --git a/queue-5.4/igc-set-the-default-return-value-to-igc_err_nvm-in-i.patch b/queue-5.4/igc-set-the-default-return-value-to-igc_err_nvm-in-i.patch new file mode 100644 index 00000000000..6d860e12139 --- /dev/null +++ b/queue-5.4/igc-set-the-default-return-value-to-igc_err_nvm-in-i.patch @@ -0,0 +1,48 @@ +From fac0f8d0c144cb0431acaacf9ce7caa70b0b9ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Dec 2020 22:18:19 +0800 +Subject: igc: set the default return value to -IGC_ERR_NVM in + igc_write_nvm_srwr + +From: Kevin Lo + +[ Upstream commit ebc8d125062e7dccb7922b2190b097c20d88ad96 ] + +This patch sets the default return value to -IGC_ERR_NVM in +igc_write_nvm_srwr. Without this change it wouldn't lead to a shadow RAM +write EEWR timeout. + +Fixes: ab4056126813 ("igc: Add NVM support") +Signed-off-by: Kevin Lo +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_i225.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c +index c25f555aaf822..ed5d09c11c389 100644 +--- a/drivers/net/ethernet/intel/igc/igc_i225.c ++++ b/drivers/net/ethernet/intel/igc/igc_i225.c +@@ -219,9 +219,9 @@ static s32 igc_write_nvm_srwr(struct igc_hw *hw, u16 offset, u16 words, + u16 *data) + { + struct igc_nvm_info *nvm = &hw->nvm; ++ s32 ret_val = -IGC_ERR_NVM; + u32 attempts = 100000; + u32 i, k, eewr = 0; +- s32 ret_val = 0; + + /* A check for invalid values: offset too large, too many words, + * too many words for the offset, and not enough words. +@@ -229,7 +229,6 @@ static s32 igc_write_nvm_srwr(struct igc_hw *hw, u16 offset, u16 words, + if (offset >= nvm->word_size || (words > (nvm->word_size - offset)) || + words == 0) { + hw_dbg("nvm parameter(s) out of bounds\n"); +- ret_val = -IGC_ERR_NVM; + goto out; + } + +-- +2.27.0 + diff --git a/queue-5.4/input-i8042-unbreak-pegatron-c15b.patch b/queue-5.4/input-i8042-unbreak-pegatron-c15b.patch new file mode 100644 index 00000000000..9234c334a18 --- /dev/null +++ b/queue-5.4/input-i8042-unbreak-pegatron-c15b.patch @@ -0,0 +1,45 @@ +From 8e062acfc0b362855795b473c5a7c71d7a8442c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jan 2021 17:59:51 -0800 +Subject: Input: i8042 - unbreak Pegatron C15B +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexey Dobriyan + +[ Upstream commit a3a9060ecad030e2c7903b2b258383d2c716b56c ] + +g++ reports + + drivers/input/serio/i8042-x86ia64io.h:225:3: error: ‘.matches’ designator used multiple times in the same initializer list + +C99 semantics is that last duplicated initialiser wins, +so DMI entry gets overwritten. + +Fixes: a48491c65b51 ("Input: i8042 - add ByteSpeed touchpad to noloop table") +Signed-off-by: Alexey Dobriyan +Acked-by: Po-Hsu Lin +Link: https://lore.kernel.org/r/20201228072335.GA27766@localhost.localdomain +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index eca931da76c3a..b7dbcbac3a1a5 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -219,6 +219,8 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"), + DMI_MATCH(DMI_PRODUCT_NAME, "C15B"), + }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"), + DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"), +-- +2.27.0 + diff --git a/queue-5.4/memblock-do-not-start-bottom-up-allocations-with-ker.patch b/queue-5.4/memblock-do-not-start-bottom-up-allocations-with-ker.patch new file mode 100644 index 00000000000..07ec3d1f286 --- /dev/null +++ b/queue-5.4/memblock-do-not-start-bottom-up-allocations-with-ker.patch @@ -0,0 +1,146 @@ +From bf697ad87db59bbb3021464f382db1afbd180aac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 18:32:36 -0800 +Subject: memblock: do not start bottom-up allocations with kernel_end + +From: Roman Gushchin + +[ Upstream commit 2dcb3964544177c51853a210b6ad400de78ef17d ] + +With kaslr the kernel image is placed at a random place, so starting the +bottom-up allocation with the kernel_end can result in an allocation +failure and a warning like this one: + + hugetlb_cma: reserve 2048 MiB, up to 2048 MiB per node + ------------[ cut here ]------------ + memblock: bottom-up allocation failed, memory hotremove may be affected + WARNING: CPU: 0 PID: 0 at mm/memblock.c:332 memblock_find_in_range_node+0x178/0x25a + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.0+ #1169 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + RIP: 0010:memblock_find_in_range_node+0x178/0x25a + Code: e9 6d ff ff ff 48 85 c0 0f 85 da 00 00 00 80 3d 9b 35 df 00 00 75 15 48 c7 c7 c0 75 59 88 c6 05 8b 35 df 00 01 e8 25 8a fa ff <0f> 0b 48 c7 44 24 20 ff ff ff ff 44 89 e6 44 89 ea 48 c7 c1 70 5c + RSP: 0000:ffffffff88803d18 EFLAGS: 00010086 ORIG_RAX: 0000000000000000 + RAX: 0000000000000000 RBX: 0000000240000000 RCX: 00000000ffffdfff + RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000046 + RBP: 0000000100000000 R08: ffffffff88922788 R09: 0000000000009ffb + R10: 00000000ffffe000 R11: 3fffffffffffffff R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000080000000 R15: 00000001fb42c000 + FS: 0000000000000000(0000) GS:ffffffff88f71000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffa080fb401000 CR3: 00000001fa80a000 CR4: 00000000000406b0 + Call Trace: + memblock_alloc_range_nid+0x8d/0x11e + cma_declare_contiguous_nid+0x2c4/0x38c + hugetlb_cma_reserve+0xdc/0x128 + flush_tlb_one_kernel+0xc/0x20 + native_set_fixmap+0x82/0xd0 + flat_get_apic_id+0x5/0x10 + register_lapic_address+0x8e/0x97 + setup_arch+0x8a5/0xc3f + start_kernel+0x66/0x547 + load_ucode_bsp+0x4c/0xcd + secondary_startup_64_no_verify+0xb0/0xbb + random: get_random_bytes called from __warn+0xab/0x110 with crng_init=0 + ---[ end trace f151227d0b39be70 ]--- + +At the same time, the kernel image is protected with memblock_reserve(), +so we can just start searching at PAGE_SIZE. In this case the bottom-up +allocation has the same chances to success as a top-down allocation, so +there is no reason to fallback in the case of a failure. All together it +simplifies the logic. + +Link: https://lkml.kernel.org/r/20201217201214.3414100-2-guro@fb.com +Fixes: 8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low memory") +Signed-off-by: Roman Gushchin +Reviewed-by: Mike Rapoport +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: Rik van Riel +Cc: Wonhyuk Yang +Cc: Thiago Jung Bauermann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memblock.c | 49 ++++++------------------------------------------- + 1 file changed, 6 insertions(+), 43 deletions(-) + +diff --git a/mm/memblock.c b/mm/memblock.c +index c4b16cae2bc9b..11f6ae37d6699 100644 +--- a/mm/memblock.c ++++ b/mm/memblock.c +@@ -257,14 +257,6 @@ __memblock_find_range_top_down(phys_addr_t start, phys_addr_t end, + * + * Find @size free area aligned to @align in the specified range and node. + * +- * When allocation direction is bottom-up, the @start should be greater +- * than the end of the kernel image. Otherwise, it will be trimmed. The +- * reason is that we want the bottom-up allocation just near the kernel +- * image so it is highly likely that the allocated memory and the kernel +- * will reside in the same node. +- * +- * If bottom-up allocation failed, will try to allocate memory top-down. +- * + * Return: + * Found address on success, 0 on failure. + */ +@@ -273,8 +265,6 @@ static phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, + phys_addr_t end, int nid, + enum memblock_flags flags) + { +- phys_addr_t kernel_end, ret; +- + /* pump up @end */ + if (end == MEMBLOCK_ALLOC_ACCESSIBLE || + end == MEMBLOCK_ALLOC_KASAN) +@@ -283,40 +273,13 @@ static phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size, + /* avoid allocating the first page */ + start = max_t(phys_addr_t, start, PAGE_SIZE); + end = max(start, end); +- kernel_end = __pa_symbol(_end); +- +- /* +- * try bottom-up allocation only when bottom-up mode +- * is set and @end is above the kernel image. +- */ +- if (memblock_bottom_up() && end > kernel_end) { +- phys_addr_t bottom_up_start; +- +- /* make sure we will allocate above the kernel */ +- bottom_up_start = max(start, kernel_end); + +- /* ok, try bottom-up allocation first */ +- ret = __memblock_find_range_bottom_up(bottom_up_start, end, +- size, align, nid, flags); +- if (ret) +- return ret; +- +- /* +- * we always limit bottom-up allocation above the kernel, +- * but top-down allocation doesn't have the limit, so +- * retrying top-down allocation may succeed when bottom-up +- * allocation failed. +- * +- * bottom-up allocation is expected to be fail very rarely, +- * so we use WARN_ONCE() here to see the stack trace if +- * fail happens. +- */ +- WARN_ONCE(IS_ENABLED(CONFIG_MEMORY_HOTREMOVE), +- "memblock: bottom-up allocation failed, memory hotremove may be affected\n"); +- } +- +- return __memblock_find_range_top_down(start, end, size, align, nid, +- flags); ++ if (memblock_bottom_up()) ++ return __memblock_find_range_bottom_up(start, end, size, align, ++ nid, flags); ++ else ++ return __memblock_find_range_top_down(start, end, size, align, ++ nid, flags); + } + + /** +-- +2.27.0 + diff --git a/queue-5.4/net-lapb-copy-the-skb-before-sending-a-packet.patch b/queue-5.4/net-lapb-copy-the-skb-before-sending-a-packet.patch new file mode 100644 index 00000000000..b4a8aa24daa --- /dev/null +++ b/queue-5.4/net-lapb-copy-the-skb-before-sending-a-packet.patch @@ -0,0 +1,51 @@ +From a0ef7504e9069c1b6db8d3f22b7390b2aed7046f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jan 2021 21:57:06 -0800 +Subject: net: lapb: Copy the skb before sending a packet + +From: Xie He + +[ Upstream commit 88c7a9fd9bdd3e453f04018920964c6f848a591a ] + +When sending a packet, we will prepend it with an LAPB header. +This modifies the shared parts of a cloned skb, so we should copy the +skb rather than just clone it, before we prepend the header. + +In "Documentation/networking/driver.rst" (the 2nd point), it states +that drivers shouldn't modify the shared parts of a cloned skb when +transmitting. + +The "dev_queue_xmit_nit" function in "net/core/dev.c", which is called +when an skb is being sent, clones the skb and sents the clone to +AF_PACKET sockets. Because the LAPB drivers first remove a 1-byte +pseudo-header before handing over the skb to us, if we don't copy the +skb before prepending the LAPB header, the first byte of the packets +received on AF_PACKET sockets can be corrupted. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xie He +Acked-by: Martin Schiller +Link: https://lore.kernel.org/r/20210201055706.415842-1-xie.he.0141@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/lapb/lapb_out.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/lapb/lapb_out.c b/net/lapb/lapb_out.c +index 7a4d0715d1c32..a966d29c772d9 100644 +--- a/net/lapb/lapb_out.c ++++ b/net/lapb/lapb_out.c +@@ -82,7 +82,8 @@ void lapb_kick(struct lapb_cb *lapb) + skb = skb_dequeue(&lapb->write_queue); + + do { +- if ((skbn = skb_clone(skb, GFP_ATOMIC)) == NULL) { ++ skbn = skb_copy(skb, GFP_ATOMIC); ++ if (!skbn) { + skb_queue_head(&lapb->write_queue, skb); + break; + } +-- +2.27.0 + diff --git a/queue-5.4/net-mlx5-fix-leak-upon-failure-of-rule-creation.patch b/queue-5.4/net-mlx5-fix-leak-upon-failure-of-rule-creation.patch new file mode 100644 index 00000000000..f2129cf2f54 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-leak-upon-failure-of-rule-creation.patch @@ -0,0 +1,56 @@ +From 244663cfa6a5ddc027acfefea787c078be2ec3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 17:41:18 +0200 +Subject: net/mlx5: Fix leak upon failure of rule creation + +From: Maor Gottlieb + +[ Upstream commit a5bfe6b4675e0eefbd9418055b5cc6e89af27eb4 ] + +When creation of a new rule that requires allocation of an FTE fails, +need to call to tree_put_node on the FTE in order to release its' +resource. + +Fixes: cefc23554fc2 ("net/mlx5: Fix FTE cleanup") +Signed-off-by: Maor Gottlieb +Reviewed-by: Alaa Hleihel +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 4944c40436f08..11e12761b0a6e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1697,6 +1697,7 @@ search_again_locked: + if (!fte_tmp) + continue; + rule = add_rule_fg(g, spec, flow_act, dest, dest_num, fte_tmp); ++ /* No error check needed here, because insert_fte() is not called */ + up_write_ref_node(&fte_tmp->node, false); + tree_put_node(&fte_tmp->node, false); + kmem_cache_free(steering->ftes_cache, fte); +@@ -1745,6 +1746,8 @@ skip_search: + up_write_ref_node(&g->node, false); + rule = add_rule_fg(g, spec, flow_act, dest, dest_num, fte); + up_write_ref_node(&fte->node, false); ++ if (IS_ERR(rule)) ++ tree_put_node(&fte->node, false); + return rule; + } + rule = ERR_PTR(-ENOENT); +@@ -1844,6 +1847,8 @@ search_again_locked: + up_write_ref_node(&g->node, false); + rule = add_rule_fg(g, spec, flow_act, dest, dest_num, fte); + up_write_ref_node(&fte->node, false); ++ if (IS_ERR(rule)) ++ tree_put_node(&fte->node, false); + tree_put_node(&g->node, false); + return rule; + +-- +2.27.0 + diff --git a/queue-5.4/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch b/queue-5.4/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch new file mode 100644 index 00000000000..bc5298a7b81 --- /dev/null +++ b/queue-5.4/net-mvpp2-tcam-entry-enable-should-be-written-after-.patch @@ -0,0 +1,50 @@ +From f8f338c875acd421e9236cfc817415cf2f2a1e25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Feb 2021 11:35:39 +0200 +Subject: net: mvpp2: TCAM entry enable should be written after SRAM data + +From: Stefan Chulski + +[ Upstream commit 43f4a20a1266d393840ce010f547486d14cc0071 ] + +Last TCAM data contains TCAM enable bit. +It should be written after SRAM data before entry enabled. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Stefan Chulski +Link: https://lore.kernel.org/r/1612172139-28343-1-git-send-email-stefanc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index a30eb90ba3d28..dd590086fe6a5 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -29,16 +29,16 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + /* Clear entry invalidation bit */ + pe->tcam[MVPP2_PRS_TCAM_INV_WORD] &= ~MVPP2_PRS_TCAM_INV_MASK; + +- /* Write tcam index - indirect access */ +- mvpp2_write(priv, MVPP2_PRS_TCAM_IDX_REG, pe->index); +- for (i = 0; i < MVPP2_PRS_TCAM_WORDS; i++) +- mvpp2_write(priv, MVPP2_PRS_TCAM_DATA_REG(i), pe->tcam[i]); +- + /* Write sram index - indirect access */ + mvpp2_write(priv, MVPP2_PRS_SRAM_IDX_REG, pe->index); + for (i = 0; i < MVPP2_PRS_SRAM_WORDS; i++) + mvpp2_write(priv, MVPP2_PRS_SRAM_DATA_REG(i), pe->sram[i]); + ++ /* Write tcam index - indirect access */ ++ mvpp2_write(priv, MVPP2_PRS_TCAM_IDX_REG, pe->index); ++ for (i = 0; i < MVPP2_PRS_TCAM_WORDS; i++) ++ mvpp2_write(priv, MVPP2_PRS_TCAM_DATA_REG(i), pe->tcam[i]); ++ + return 0; + } + +-- +2.27.0 + diff --git a/queue-5.4/nvmet-tcp-fix-out-of-bounds-access-when-receiving-mu.patch b/queue-5.4/nvmet-tcp-fix-out-of-bounds-access-when-receiving-mu.patch new file mode 100644 index 00000000000..adce2cf2d0b --- /dev/null +++ b/queue-5.4/nvmet-tcp-fix-out-of-bounds-access-when-receiving-mu.patch @@ -0,0 +1,55 @@ +From 5d0a5757ac064b22c6cf5ba68b3bbc3fb768afcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Feb 2021 01:20:25 -0800 +Subject: nvmet-tcp: fix out-of-bounds access when receiving multiple h2cdata + PDUs + +From: Sagi Grimberg + +[ Upstream commit cb8563f5c735a042ea2dd7df1ad55ae06d63ffeb ] + +When the host sends multiple h2cdata PDUs, we keep track on +the receive progress and calculate the scatterlist index and +offsets. + +The issue is that sg_offset should only be kept for the first +iov entry we map in the iovec as this is the difference between +our cursor and the sg entry offset itself. + +In addition, the sg index was calculated wrong because we should +not round up when dividing the command byte offset with PAG_SIZE. + +Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") +Reported-by: Narayan Ayalasomayajula +Tested-by: Narayan Ayalasomayajula +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index e31823f19a0fa..9242224156f5b 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -292,7 +292,7 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + length = cmd->pdu_len; + cmd->nr_mapped = DIV_ROUND_UP(length, PAGE_SIZE); + offset = cmd->rbytes_done; +- cmd->sg_idx = DIV_ROUND_UP(offset, PAGE_SIZE); ++ cmd->sg_idx = offset / PAGE_SIZE; + sg_offset = offset % PAGE_SIZE; + sg = &cmd->req.sg[cmd->sg_idx]; + +@@ -305,6 +305,7 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + length -= iov_len; + sg = sg_next(sg); + iov++; ++ sg_offset = 0; + } + + iov_iter_kvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, +-- +2.27.0 + diff --git a/queue-5.4/r8169-fix-wol-on-shutdown-if-config_debug_shirq-is-s.patch b/queue-5.4/r8169-fix-wol-on-shutdown-if-config_debug_shirq-is-s.patch new file mode 100644 index 00000000000..87869b20bdc --- /dev/null +++ b/queue-5.4/r8169-fix-wol-on-shutdown-if-config_debug_shirq-is-s.patch @@ -0,0 +1,46 @@ +From c98396ba32307ba0f13e58ac09217e628c740e0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Feb 2021 21:50:56 +0100 +Subject: r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set + +From: Heiner Kallweit + +[ Upstream commit cc9f07a838c4988ed244d0907cb71d54b85482a5 ] + +So far phy_disconnect() is called before free_irq(). If CONFIG_DEBUG_SHIRQ +is set and interrupt is shared, then free_irq() creates an "artificial" +interrupt by calling the interrupt handler. The "link change" flag is set +in the interrupt status register, causing phylib to eventually call +phy_suspend(). Because the net_device is detached from the PHY already, +the PHY driver can't recognize that WoL is configured and powers down the +PHY. + +Fixes: f1e911d5d0df ("r8169: add basic phylib support") +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/fe732c2c-a473-9088-3974-df83cfbd6efd@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 366ca1b5da5cc..1e8244ec5b332 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6419,10 +6419,10 @@ static int rtl8169_close(struct net_device *dev) + + cancel_work_sync(&tp->wk.work); + +- phy_disconnect(tp->phydev); +- + free_irq(pci_irq_vector(pdev, 0), tp); + ++ phy_disconnect(tp->phydev); ++ + dma_free_coherent(&pdev->dev, R8169_RX_RING_BYTES, tp->RxDescArray, + tp->RxPhyAddr); + dma_free_coherent(&pdev->dev, R8169_TX_RING_BYTES, tp->TxDescArray, +-- +2.27.0 + diff --git a/queue-5.4/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch b/queue-5.4/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch new file mode 100644 index 00000000000..b950d32fb8e --- /dev/null +++ b/queue-5.4/rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch @@ -0,0 +1,109 @@ +From e1768945b8366bd37e42074ec3f8f1b11e7c56c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 23:53:50 +0000 +Subject: rxrpc: Fix deadlock around release of dst cached on udp tunnel + +From: David Howells + +[ Upstream commit 5399d52233c47905bbf97dcbaa2d7a9cc31670ba ] + +AF_RXRPC sockets use UDP ports in encap mode. This causes socket and dst +from an incoming packet to get stolen and attached to the UDP socket from +whence it is leaked when that socket is closed. + +When a network namespace is removed, the wait for dst records to be cleaned +up happens before the cleanup of the rxrpc and UDP socket, meaning that the +wait never finishes. + +Fix this by moving the rxrpc (and, by dependence, the afs) private +per-network namespace registrations to the device group rather than subsys +group. This allows cached rxrpc local endpoints to be cleared and their +UDP sockets closed before we try waiting for the dst records. + +The symptom is that lines looking like the following: + + unregister_netdevice: waiting for lo to become free + +get emitted at regular intervals after running something like the +referenced syzbot test. + +Thanks to Vadim for tracking this down and work out the fix. + +Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com +Reported-by: Vadim Fedorenko +Fixes: 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook") +Signed-off-by: David Howells +Acked-by: Vadim Fedorenko +Link: https://lore.kernel.org/r/161196443016.3868642.5577440140646403533.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + fs/afs/main.c | 6 +++--- + net/rxrpc/af_rxrpc.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/afs/main.c b/fs/afs/main.c +index c9c45d7078bd1..5cd26af2464c9 100644 +--- a/fs/afs/main.c ++++ b/fs/afs/main.c +@@ -186,7 +186,7 @@ static int __init afs_init(void) + goto error_cache; + #endif + +- ret = register_pernet_subsys(&afs_net_ops); ++ ret = register_pernet_device(&afs_net_ops); + if (ret < 0) + goto error_net; + +@@ -206,7 +206,7 @@ static int __init afs_init(void) + error_proc: + afs_fs_exit(); + error_fs: +- unregister_pernet_subsys(&afs_net_ops); ++ unregister_pernet_device(&afs_net_ops); + error_net: + #ifdef CONFIG_AFS_FSCACHE + fscache_unregister_netfs(&afs_cache_netfs); +@@ -237,7 +237,7 @@ static void __exit afs_exit(void) + + proc_remove(afs_proc_symlink); + afs_fs_exit(); +- unregister_pernet_subsys(&afs_net_ops); ++ unregister_pernet_device(&afs_net_ops); + #ifdef CONFIG_AFS_FSCACHE + fscache_unregister_netfs(&afs_cache_netfs); + #endif +diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c +index 2921fc2767134..9bacec6653bac 100644 +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -976,7 +976,7 @@ static int __init af_rxrpc_init(void) + goto error_security; + } + +- ret = register_pernet_subsys(&rxrpc_net_ops); ++ ret = register_pernet_device(&rxrpc_net_ops); + if (ret) + goto error_pernet; + +@@ -1021,7 +1021,7 @@ error_key_type: + error_sock: + proto_unregister(&rxrpc_proto); + error_proto: +- unregister_pernet_subsys(&rxrpc_net_ops); ++ unregister_pernet_device(&rxrpc_net_ops); + error_pernet: + rxrpc_exit_security(); + error_security: +@@ -1043,7 +1043,7 @@ static void __exit af_rxrpc_exit(void) + unregister_key_type(&key_type_rxrpc); + sock_unregister(PF_RXRPC); + proto_unregister(&rxrpc_proto); +- unregister_pernet_subsys(&rxrpc_net_ops); ++ unregister_pernet_device(&rxrpc_net_ops); + ASSERTCMP(atomic_read(&rxrpc_n_tx_skbs), ==, 0); + ASSERTCMP(atomic_read(&rxrpc_n_rx_skbs), ==, 0); + +-- +2.27.0 + diff --git a/queue-5.4/series b/queue-5.4/series index e4cd9f26544..285dae03115 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,3 +1,22 @@ usb-serial-cp210x-add-pid-vid-for-wsda-200-usb.patch usb-serial-cp210x-add-new-vid-pid-for-supporting-teraoka-ad2000.patch usb-serial-option-adding-support-for-cinterion-mv31.patch +arm64-dts-qcom-c630-keep-both-touchpad-devices-enabl.patch +input-i8042-unbreak-pegatron-c15b.patch +arm64-dts-amlogic-meson-g12-set-fl-adj-property-valu.patch +arm64-dts-rockchip-fix-vopl-iommu-irq-on-px30.patch +bpf-cgroup-fix-optlen-warn_on_once-toctou.patch +bpf-cgroup-fix-problematic-bounds-check.patch +um-virtio-free-vu_dev-only-with-the-contained-struct.patch +rxrpc-fix-deadlock-around-release-of-dst-cached-on-u.patch +arm64-dts-ls1046a-fix-dcfg-address-range.patch +igc-set-the-default-return-value-to-igc_err_nvm-in-i.patch +igc-check-return-value-of-ret_val-in-igc_config_fc_a.patch +i40e-revert-i40e-don-t-report-link-up-for-a-vf-who-h.patch +net-mlx5-fix-leak-upon-failure-of-rule-creation.patch +net-lapb-copy-the-skb-before-sending-a-packet.patch +net-mvpp2-tcam-entry-enable-should-be-written-after-.patch +r8169-fix-wol-on-shutdown-if-config_debug_shirq-is-s.patch +arm-dts-sun7i-a20-bananapro-fix-ethernet-phy-mode.patch +nvmet-tcp-fix-out-of-bounds-access-when-receiving-mu.patch +memblock-do-not-start-bottom-up-allocations-with-ker.patch diff --git a/queue-5.4/um-virtio-free-vu_dev-only-with-the-contained-struct.patch b/queue-5.4/um-virtio-free-vu_dev-only-with-the-contained-struct.patch new file mode 100644 index 00000000000..05c19dc4388 --- /dev/null +++ b/queue-5.4/um-virtio-free-vu_dev-only-with-the-contained-struct.patch @@ -0,0 +1,46 @@ +From 1928af7594df5f6973203cdf2dc06b3b0ca656e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 22:15:21 +0100 +Subject: um: virtio: free vu_dev only with the contained struct device + +From: Johannes Berg + +[ Upstream commit f4172b084342fd3f9e38c10650ffe19eac30d8ce ] + +Since struct device is refcounted, we shouldn't free the vu_dev +immediately when it's removed from the platform device, but only +when the references actually all go away. Move the freeing to +the release to accomplish that. + +Fixes: 5d38f324993f ("um: drivers: Add virtio vhost-user driver") +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index 179b41ad63baf..18618af3835f9 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -959,6 +959,7 @@ static void virtio_uml_release_dev(struct device *d) + } + + os_close_file(vu_dev->sock); ++ kfree(vu_dev); + } + + /* Platform device */ +@@ -977,7 +978,7 @@ static int virtio_uml_probe(struct platform_device *pdev) + if (!pdata) + return -EINVAL; + +- vu_dev = devm_kzalloc(&pdev->dev, sizeof(*vu_dev), GFP_KERNEL); ++ vu_dev = kzalloc(sizeof(*vu_dev), GFP_KERNEL); + if (!vu_dev) + return -ENOMEM; + +-- +2.27.0 + -- 2.47.3