From 62126768c5b7b5227d08d4478c696ec1c47259b8 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 20 Sep 2021 11:39:41 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...c-export-clear_user_page-for-modules.patch | 45 ++++++ ...bfq-honor-already-setup-queue-merges.patch | 85 ++++++++++ ...gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch | 43 +++++ ...ethtool-fix-an-error-code-in-cxgb2.c.patch | 39 +++++ ...odel-reject-silly-quantum-parameters.patch | 89 +++++++++++ ...se-after-free-in-fuse_read_interrupt.patch | 61 ++++++++ ...gre-validate-csum_start-only-on-pull.patch | 77 +++++++++ ...-psci-resets-before-userspace-touche.patch | 51 ++++++ ...axp20x-update-axp288-volatile-ranges.patch | 80 ++++++++++ ...d-db8500-prcmu-adjust-map-to-reality.patch | 59 +++++++ ...q_create_mapping-to-resolve-a-mappin.patch | 95 +++++++++++ ...-gpio-irq-resource-when-no-irq-is-se.patch | 40 +++++ ...-fix-a-resource-leak-in-the-error-ha.patch | 53 +++++++ ...x-calculating-number-of-switch-ports.patch | 49 ++++++ ..._eth-fix-freeing-wrong-tx-descriptor.patch | 40 +++++ ...-avoid-altsetting-toggling-for-telit.patch | 38 +++++ ...ter-socket-icmp6-fix-use-after-scope.patch | 64 ++++++++ ...-fix-an-error-code-in-ntb_msit_probe.patch | 44 ++++++ ...ix-an-error-code-in-perf_setup_inbuf.patch | 40 +++++ ...ks-for-cavium-multi-function-devices.patch | 44 ++++++ ...ks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch | 148 ++++++++++++++++++ ...str_match_path-alloc-while-atomic-bu.patch | 42 +++++ ...ci-ibmphp-fix-double-unmap-of-io_mem.patch | 64 ++++++++ ...egister_driver-stub-for-config_pci-n.patch | 42 +++++ ...ot-overwrite-feature_check_ldflags-l.patch | 138 ++++++++++++++++ ...dundant-unlock-in-qlcnic_pinit_from_.patch | 38 +++++ queue-5.4/series | 28 ++++ ...nfo-in-nh_create_ipv4-nh_create_ipv6.patch | 137 ++++++++++++++++ ...eject-events-which-have-the-same-nam.patch | 129 +++++++++++++++ 29 files changed, 1902 insertions(+) create mode 100644 queue-5.4/arc-export-clear_user_page-for-modules.patch create mode 100644 queue-5.4/block-bfq-honor-already-setup-queue-merges.patch create mode 100644 queue-5.4/dt-bindings-mtd-gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch create mode 100644 queue-5.4/ethtool-fix-an-error-code-in-cxgb2.c.patch create mode 100644 queue-5.4/fq_codel-reject-silly-quantum-parameters.patch create mode 100644 queue-5.4/fuse-fix-use-after-free-in-fuse_read_interrupt.patch create mode 100644 queue-5.4/ip_gre-validate-csum_start-only-on-pull.patch create mode 100644 queue-5.4/kvm-arm64-handle-psci-resets-before-userspace-touche.patch create mode 100644 queue-5.4/mfd-axp20x-update-axp288-volatile-ranges.patch create mode 100644 queue-5.4/mfd-db8500-prcmu-adjust-map-to-reality.patch create mode 100644 queue-5.4/mfd-don-t-use-irq_create_mapping-to-resolve-a-mappin.patch create mode 100644 queue-5.4/mfd-tqmx86-clear-gpio-irq-resource-when-no-irq-is-se.patch create mode 100644 queue-5.4/mtd-rawnand-cafe-fix-a-resource-leak-in-the-error-ha.patch create mode 100644 queue-5.4/net-dsa-b53-fix-calculating-number-of-switch-ports.patch create mode 100644 queue-5.4/net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch create mode 100644 queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch create mode 100644 queue-5.4/netfilter-socket-icmp6-fix-use-after-scope.patch create mode 100644 queue-5.4/ntb-fix-an-error-code-in-ntb_msit_probe.patch create mode 100644 queue-5.4/ntb-perf-fix-an-error-code-in-perf_setup_inbuf.patch create mode 100644 queue-5.4/pci-add-acs-quirks-for-cavium-multi-function-devices.patch create mode 100644 queue-5.4/pci-add-acs-quirks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch create mode 100644 queue-5.4/pci-fix-pci_dev_str_match_path-alloc-while-atomic-bu.patch create mode 100644 queue-5.4/pci-ibmphp-fix-double-unmap-of-io_mem.patch create mode 100644 queue-5.4/pci-sync-__pci_register_driver-stub-for-config_pci-n.patch create mode 100644 queue-5.4/perf-unwind-do-not-overwrite-feature_check_ldflags-l.patch create mode 100644 queue-5.4/qlcnic-remove-redundant-unlock-in-qlcnic_pinit_from_.patch create mode 100644 queue-5.4/set-fc_nlinfo-in-nh_create_ipv4-nh_create_ipv6.patch create mode 100644 queue-5.4/tracing-probes-reject-events-which-have-the-same-nam.patch diff --git a/queue-5.4/arc-export-clear_user_page-for-modules.patch b/queue-5.4/arc-export-clear_user_page-for-modules.patch new file mode 100644 index 00000000000..ac8e8bb4687 --- /dev/null +++ b/queue-5.4/arc-export-clear_user_page-for-modules.patch @@ -0,0 +1,45 @@ +From 5c03e71b0004fb3d64ae0050e000cb30ec9aa3f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 14:05:33 -0700 +Subject: ARC: export clear_user_page() for modules + +From: Randy Dunlap + +[ Upstream commit 6b5ff0405e4190f23780362ea324b250bc495683 ] + +0day bot reports a build error: + ERROR: modpost: "clear_user_page" [drivers/media/v4l2-core/videobuf-dma-sg.ko] undefined! +so export it in arch/arc/ to fix the build error. + +In most ARCHes, clear_user_page() is a macro. OTOH, in a few +ARCHes it is a function and needs to be exported. +PowerPC exported it in 2004. It looks like nds32 and nios2 +still need to have it exported. + +Fixes: 4102b53392d63 ("ARC: [mm] Aliasing VIPT dcache support 2/4") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Guenter Roeck +Cc: linux-snps-arc@lists.infradead.org +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/mm/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arc/mm/cache.c b/arch/arc/mm/cache.c +index a2fbea3ee07c..102418ac5ff4 100644 +--- a/arch/arc/mm/cache.c ++++ b/arch/arc/mm/cache.c +@@ -1123,7 +1123,7 @@ void clear_user_page(void *to, unsigned long u_vaddr, struct page *page) + clear_page(to); + clear_bit(PG_dc_clean, &page->flags); + } +- ++EXPORT_SYMBOL(clear_user_page); + + /********************************************************************** + * Explicit Cache flush request from user space via syscall +-- +2.30.2 + diff --git a/queue-5.4/block-bfq-honor-already-setup-queue-merges.patch b/queue-5.4/block-bfq-honor-already-setup-queue-merges.patch new file mode 100644 index 00000000000..ef9b4184c26 --- /dev/null +++ b/queue-5.4/block-bfq-honor-already-setup-queue-merges.patch @@ -0,0 +1,85 @@ +From c9100d4c76f4db72a06fc43a1ee2397b64bfc205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Aug 2021 16:13:52 +0200 +Subject: block, bfq: honor already-setup queue merges + +From: Paolo Valente + +[ Upstream commit 2d52c58b9c9bdae0ca3df6a1eab5745ab3f7d80b ] + +The function bfq_setup_merge prepares the merging between two +bfq_queues, say bfqq and new_bfqq. To this goal, it assigns +bfqq->new_bfqq = new_bfqq. Then, each time some I/O for bfqq arrives, +the process that generated that I/O is disassociated from bfqq and +associated with new_bfqq (merging is actually a redirection). In this +respect, bfq_setup_merge increases new_bfqq->ref in advance, adding +the number of processes that are expected to be associated with +new_bfqq. + +Unfortunately, the stable-merging mechanism interferes with this +setup. After bfqq->new_bfqq has been set by bfq_setup_merge, and +before all the expected processes have been associated with +bfqq->new_bfqq, bfqq may happen to be stably merged with a different +queue than the current bfqq->new_bfqq. In this case, bfqq->new_bfqq +gets changed. So, some of the processes that have been already +accounted for in the ref counter of the previous new_bfqq will not be +associated with that queue. This creates an unbalance, because those +references will never be decremented. + +This commit fixes this issue by reestablishing the previous, natural +behaviour: once bfqq->new_bfqq has been set, it will not be changed +until all expected redirections have occurred. + +Signed-off-by: Davide Zini +Signed-off-by: Paolo Valente +Link: https://lore.kernel.org/r/20210802141352.74353-2-paolo.valente@linaro.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 73bffd7af15c..8dee243e639f 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2523,6 +2523,15 @@ bfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) + * are likely to increase the throughput. + */ + bfqq->new_bfqq = new_bfqq; ++ /* ++ * The above assignment schedules the following redirections: ++ * each time some I/O for bfqq arrives, the process that ++ * generated that I/O is disassociated from bfqq and ++ * associated with new_bfqq. Here we increases new_bfqq->ref ++ * in advance, adding the number of processes that are ++ * expected to be associated with new_bfqq as they happen to ++ * issue I/O. ++ */ + new_bfqq->ref += process_refs; + return new_bfqq; + } +@@ -2582,6 +2591,10 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + { + struct bfq_queue *in_service_bfqq, *new_bfqq; + ++ /* if a merge has already been setup, then proceed with that first */ ++ if (bfqq->new_bfqq) ++ return bfqq->new_bfqq; ++ + /* + * Do not perform queue merging if the device is non + * rotational and performs internal queueing. In fact, such a +@@ -2636,9 +2649,6 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + if (bfq_too_late_for_merging(bfqq)) + return NULL; + +- if (bfqq->new_bfqq) +- return bfqq->new_bfqq; +- + if (!io_struct || unlikely(bfqq == &bfqd->oom_bfqq)) + return NULL; + +-- +2.30.2 + diff --git a/queue-5.4/dt-bindings-mtd-gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch b/queue-5.4/dt-bindings-mtd-gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch new file mode 100644 index 00000000000..211e6db9be4 --- /dev/null +++ b/queue-5.4/dt-bindings-mtd-gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch @@ -0,0 +1,43 @@ +From 9d7b89c0089d3673df5228a042b72f13946061f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 16:39:45 +0200 +Subject: dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation + +From: Miquel Raynal + +[ Upstream commit 778cb8e39f6ec252be50fc3850d66f3dcbd5dd5a ] + +"PAGESIZE / 512" is the number of ECC chunks. +"ECC_BYTES" is the number of bytes needed to store a single ECC code. +"2" is the space reserved by the bad block marker. + +"2 + (PAGESIZE / 512) * ECC_BYTES" should of course be lower or equal +than the total number of OOB bytes, otherwise it won't fit. + +Fix the equation by substituting s/>=/<=/. + +Suggested-by: Ryan J. Barnett +Signed-off-by: Miquel Raynal +Acked-by: Rob Herring +Link: https://lore.kernel.org/linux-mtd/20210610143945.3504781-1-miquel.raynal@bootlin.com +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/mtd/gpmc-nand.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/mtd/gpmc-nand.txt b/Documentation/devicetree/bindings/mtd/gpmc-nand.txt +index 44919d48d241..c459f169a904 100644 +--- a/Documentation/devicetree/bindings/mtd/gpmc-nand.txt ++++ b/Documentation/devicetree/bindings/mtd/gpmc-nand.txt +@@ -122,7 +122,7 @@ on various other factors also like; + so the device should have enough free bytes available its OOB/Spare + area to accommodate ECC for entire page. In general following expression + helps in determining if given device can accommodate ECC syndrome: +- "2 + (PAGESIZE / 512) * ECC_BYTES" >= OOBSIZE" ++ "2 + (PAGESIZE / 512) * ECC_BYTES" <= OOBSIZE" + where + OOBSIZE number of bytes in OOB/spare area + PAGESIZE number of bytes in main-area of device page +-- +2.30.2 + diff --git a/queue-5.4/ethtool-fix-an-error-code-in-cxgb2.c.patch b/queue-5.4/ethtool-fix-an-error-code-in-cxgb2.c.patch new file mode 100644 index 00000000000..85f8f03e1ce --- /dev/null +++ b/queue-5.4/ethtool-fix-an-error-code-in-cxgb2.c.patch @@ -0,0 +1,39 @@ +From cd270aba12b3aed8b4efcb99096f68096ccc92e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 14:42:33 +0800 +Subject: ethtool: Fix an error code in cxgb2.c + +From: Yang Li + +[ Upstream commit 7db8263a12155c7ae4ad97e850f1e499c73765fc ] + +When adapter->registered_device_map is NULL, the value of err is +uncertain, we set err to -EINVAL to avoid ambiguity. + +Clean up smatch warning: +drivers/net/ethernet/chelsio/cxgb/cxgb2.c:1114 init_one() warn: missing +error code 'err' + +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb/cxgb2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb/cxgb2.c b/drivers/net/ethernet/chelsio/cxgb/cxgb2.c +index 0ccdde366ae1..540d99f59226 100644 +--- a/drivers/net/ethernet/chelsio/cxgb/cxgb2.c ++++ b/drivers/net/ethernet/chelsio/cxgb/cxgb2.c +@@ -1153,6 +1153,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (!adapter->registered_device_map) { + pr_err("%s: could not register any net devices\n", + pci_name(pdev)); ++ err = -EINVAL; + goto out_release_adapter_res; + } + +-- +2.30.2 + diff --git a/queue-5.4/fq_codel-reject-silly-quantum-parameters.patch b/queue-5.4/fq_codel-reject-silly-quantum-parameters.patch new file mode 100644 index 00000000000..7f24c101998 --- /dev/null +++ b/queue-5.4/fq_codel-reject-silly-quantum-parameters.patch @@ -0,0 +1,89 @@ +From 2c205c50c5d935ae7624b905b2165ecd4c62d837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 15:03:43 -0700 +Subject: fq_codel: reject silly quantum parameters + +From: Eric Dumazet + +[ Upstream commit c7c5e6ff533fe1f9afef7d2fa46678987a1335a7 ] + +syzbot found that forcing a big quantum attribute would crash hosts fast, +essentially using this: + +tc qd replace dev eth0 root fq_codel quantum 4294967295 + +This is because fq_codel_dequeue() would have to loop +~2^31 times in : + + if (flow->deficit <= 0) { + flow->deficit += q->quantum; + list_move_tail(&flow->flowchain, &q->old_flows); + goto begin; + } + +SFQ max quantum is 2^19 (half a megabyte) +Lets adopt a max quantum of one megabyte for FQ_CODEL. + +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/uapi/linux/pkt_sched.h | 2 ++ + net/sched/sch_fq_codel.c | 12 ++++++++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/pkt_sched.h b/include/uapi/linux/pkt_sched.h +index edbbf4bfdd9e..4a245d7a5c8d 100644 +--- a/include/uapi/linux/pkt_sched.h ++++ b/include/uapi/linux/pkt_sched.h +@@ -807,6 +807,8 @@ struct tc_codel_xstats { + + /* FQ_CODEL */ + ++#define FQ_CODEL_QUANTUM_MAX (1 << 20) ++ + enum { + TCA_FQ_CODEL_UNSPEC, + TCA_FQ_CODEL_TARGET, +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 76d72c3f52ed..86fb2f953bd5 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -370,6 +370,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + { + struct fq_codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_CODEL_MAX + 1]; ++ u32 quantum = 0; + int err; + + if (!opt) +@@ -387,6 +388,13 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + q->flows_cnt > 65536) + return -EINVAL; + } ++ if (tb[TCA_FQ_CODEL_QUANTUM]) { ++ quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM])); ++ if (quantum > FQ_CODEL_QUANTUM_MAX) { ++ NL_SET_ERR_MSG(extack, "Invalid quantum"); ++ return -EINVAL; ++ } ++ } + sch_tree_lock(sch); + + if (tb[TCA_FQ_CODEL_TARGET]) { +@@ -413,8 +421,8 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + if (tb[TCA_FQ_CODEL_ECN]) + q->cparams.ecn = !!nla_get_u32(tb[TCA_FQ_CODEL_ECN]); + +- if (tb[TCA_FQ_CODEL_QUANTUM]) +- q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM])); ++ if (quantum) ++ q->quantum = quantum; + + if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]) + q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])); +-- +2.30.2 + diff --git a/queue-5.4/fuse-fix-use-after-free-in-fuse_read_interrupt.patch b/queue-5.4/fuse-fix-use-after-free-in-fuse_read_interrupt.patch new file mode 100644 index 00000000000..bcc808833ea --- /dev/null +++ b/queue-5.4/fuse-fix-use-after-free-in-fuse_read_interrupt.patch @@ -0,0 +1,61 @@ +From 6e0c71a3561ccece64997547ae6563bd5f30b0ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 13:22:58 +0200 +Subject: fuse: fix use after free in fuse_read_interrupt() + +From: Miklos Szeredi + +[ Upstream commit e1e71c168813564be0f6ea3d6740a059ca42d177 ] + +There is a potential race between fuse_read_interrupt() and +fuse_request_end(). + +TASK1 + in fuse_read_interrupt(): delete req->intr_entry (while holding + fiq->lock) + +TASK2 + in fuse_request_end(): req->intr_entry is empty -> skip fiq->lock + wake up TASK3 + +TASK3 + request is freed + +TASK1 + in fuse_read_interrupt(): dereference req->in.h.unique ***BAM*** + +Fix by always grabbing fiq->lock if the request was ever interrupted +(FR_INTERRUPTED set) thereby serializing with concurrent +fuse_read_interrupt() calls. + +FR_INTERRUPTED is set before the request is queued on fiq->interrupts. +Dequeing the request is done with list_del_init() but FR_INTERRUPTED is not +cleared in this case. + +Reported-by: lijiazi +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 16aa55b73ccf..7205a89fbb5f 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -282,10 +282,10 @@ void fuse_request_end(struct fuse_conn *fc, struct fuse_req *req) + + /* + * test_and_set_bit() implies smp_mb() between bit +- * changing and below intr_entry check. Pairs with ++ * changing and below FR_INTERRUPTED check. Pairs with + * smp_mb() from queue_interrupt(). + */ +- if (!list_empty(&req->intr_entry)) { ++ if (test_bit(FR_INTERRUPTED, &req->flags)) { + spin_lock(&fiq->lock); + list_del_init(&req->intr_entry); + spin_unlock(&fiq->lock); +-- +2.30.2 + diff --git a/queue-5.4/ip_gre-validate-csum_start-only-on-pull.patch b/queue-5.4/ip_gre-validate-csum_start-only-on-pull.patch new file mode 100644 index 00000000000..67c6214fb87 --- /dev/null +++ b/queue-5.4/ip_gre-validate-csum_start-only-on-pull.patch @@ -0,0 +1,77 @@ +From ff3a77fbefda6af5f93ac446665be60a8d68fd2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 11:21:09 -0400 +Subject: ip_gre: validate csum_start only on pull + +From: Willem de Bruijn + +[ Upstream commit 8a0ed250f911da31a2aef52101bc707846a800ff ] + +The GRE tunnel device can pull existing outer headers in ipge_xmit. +This is a rare path, apparently unique to this device. The below +commit ensured that pulling does not move skb->data beyond csum_start. + +But it has a false positive if ip_summed is not CHECKSUM_PARTIAL and +thus csum_start is irrelevant. + +Refine to exclude this. At the same time simplify and strengthen the +test. + +Simplify, by moving the check next to the offending pull, making it +more self documenting and removing an unnecessary branch from other +code paths. + +Strengthen, by also ensuring that the transport header is correct and +therefore the inner headers will be after skb_reset_inner_headers. +The transport header is set to csum_start in skb_partial_csum_set. + +Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/ +Fixes: 1d011c4803c7 ("ip_gre: add validation for csum_start") +Reported-by: Ido Schimmel +Suggested-by: Alexander Duyck +Signed-off-by: Willem de Bruijn +Reviewed-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index fd8298b8b1c5..c4989e5903e4 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -446,8 +446,6 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, + + static int gre_handle_offloads(struct sk_buff *skb, bool csum) + { +- if (csum && skb_checksum_start(skb) < skb->data) +- return -EINVAL; + return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); + } + +@@ -605,15 +603,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { ++ const int pull_len = tunnel->hlen + sizeof(struct iphdr); ++ + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + ++ if (pull_len > skb_transport_offset(skb)) ++ goto free_skb; ++ + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing + * to gre header. + */ +- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); ++ skb_pull(skb, pull_len); + skb_reset_mac_header(skb); + } else { + if (skb_cow_head(skb, dev->needed_headroom)) +-- +2.30.2 + diff --git a/queue-5.4/kvm-arm64-handle-psci-resets-before-userspace-touche.patch b/queue-5.4/kvm-arm64-handle-psci-resets-before-userspace-touche.patch new file mode 100644 index 00000000000..d71185e9401 --- /dev/null +++ b/queue-5.4/kvm-arm64-handle-psci-resets-before-userspace-touche.patch @@ -0,0 +1,51 @@ +From c9757243add646f6fdfa6e458648280ebd8f08c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 20:21:31 +0000 +Subject: KVM: arm64: Handle PSCI resets before userspace touches vCPU state + +From: Oliver Upton + +[ Upstream commit 6826c6849b46aaa91300201213701eb861af4ba0 ] + +The CPU_ON PSCI call takes a payload that KVM uses to configure a +destination vCPU to run. This payload is non-architectural state and not +exposed through any existing UAPI. Effectively, we have a race between +CPU_ON and userspace saving/restoring a guest: if the target vCPU isn't +ran again before the VMM saves its state, the requested PC and context +ID are lost. When restored, the target vCPU will be runnable and start +executing at its old PC. + +We can avoid this race by making sure the reset payload is serviced +before userspace can access a vCPU's state. + +Fixes: 358b28f09f0a ("arm/arm64: KVM: Allow a VCPU to fully reset itself") +Signed-off-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210818202133.1106786-3-oupton@google.com +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/arm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c +index 4af85605730e..f7150fbeeb55 100644 +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -1141,6 +1141,14 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + if (copy_from_user(®, argp, sizeof(reg))) + break; + ++ /* ++ * We could owe a reset due to PSCI. Handle the pending reset ++ * here to ensure userspace register accesses are ordered after ++ * the reset. ++ */ ++ if (kvm_check_request(KVM_REQ_VCPU_RESET, vcpu)) ++ kvm_reset_vcpu(vcpu); ++ + if (ioctl == KVM_SET_ONE_REG) + r = kvm_arm_set_reg(vcpu, ®); + else +-- +2.30.2 + diff --git a/queue-5.4/mfd-axp20x-update-axp288-volatile-ranges.patch b/queue-5.4/mfd-axp20x-update-axp288-volatile-ranges.patch new file mode 100644 index 00000000000..6f434567dd0 --- /dev/null +++ b/queue-5.4/mfd-axp20x-update-axp288-volatile-ranges.patch @@ -0,0 +1,80 @@ +From f2ae8b8f387fe9bede42cd8e7081e3c6bb639713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 19:12:39 +0200 +Subject: mfd: axp20x: Update AXP288 volatile ranges + +From: Hans de Goede + +[ Upstream commit f949a9ebce7a18005266b859a17f10c891bb13d7 ] + +On Cherry Trail devices with an AXP288 PMIC the external SD-card slot +used the AXP's DLDO2 as card-voltage and either DLDO3 or GPIO1LDO +(GPIO1 pin in low noise LDO mode) as signal-voltage. + +These regulators are turned on/off and in case of the signal-voltage +also have their output-voltage changed by the _PS0 and _PS3 power- +management ACPI methods on the MMC-controllers ACPI fwnode as well as +by the _DSM ACPI method for changing the signal voltage. + +The AML code implementing these methods is directly accessing the +PMIC through ACPI I2C OpRegion accesses, instead of using the special +PMIC OpRegion handled by drivers/acpi/pmic/intel_pmic_xpower.c . + +This means that the contents of the involved PMIC registers can change +without the change being made through the regmap interface, so regmap +should not cache the contents of these registers. + +Mark the regulator power on/off, the regulator voltage control and the +GPIO1 control registers as volatile, to avoid regmap caching them. + +Specifically this fixes an issue on some models where the i915 driver +toggles another LDO using the same on/off register on/off through +MIPI sequences (through intel_soc_pmic_exec_mipi_pmic_seq_element()) +which then writes back a cached on/off register-value where the +card-voltage is off causing the external sdcard slot to stop working +when the screen goes blank, or comes back on again. + +The regulator register-range now marked volatile also includes the +buck regulator control registers. This is done on purpose these are +normally not touched by the AML code, but they are updated directly +by the SoC's PUNIT which means that they may also change without going +through regmap. + +Note the AXP288 PMIC is only used on Bay- and Cherry-Trail platforms, +so even though this is an ACPI specific problem there is no need to +make the new volatile ranges conditional since these platforms always +use ACPI. + +Fixes: dc91c3b6fe66 ("mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile") +Fixes: cd53216625a0 ("mfd: axp20x: Fix axp288 volatile ranges") +Reported-and-tested-by: Clamshell +Signed-off-by: Hans de Goede +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/axp20x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/axp20x.c b/drivers/mfd/axp20x.c +index aa59496e4376..9db1000944c3 100644 +--- a/drivers/mfd/axp20x.c ++++ b/drivers/mfd/axp20x.c +@@ -125,12 +125,13 @@ static const struct regmap_range axp288_writeable_ranges[] = { + + static const struct regmap_range axp288_volatile_ranges[] = { + regmap_reg_range(AXP20X_PWR_INPUT_STATUS, AXP288_POWER_REASON), ++ regmap_reg_range(AXP22X_PWR_OUT_CTRL1, AXP22X_ALDO3_V_OUT), + regmap_reg_range(AXP288_BC_GLOBAL, AXP288_BC_GLOBAL), + regmap_reg_range(AXP288_BC_DET_STAT, AXP20X_VBUS_IPSOUT_MGMT), + regmap_reg_range(AXP20X_CHRG_BAK_CTRL, AXP20X_CHRG_BAK_CTRL), + regmap_reg_range(AXP20X_IRQ1_EN, AXP20X_IPSOUT_V_HIGH_L), + regmap_reg_range(AXP20X_TIMER_CTRL, AXP20X_TIMER_CTRL), +- regmap_reg_range(AXP22X_GPIO_STATE, AXP22X_GPIO_STATE), ++ regmap_reg_range(AXP20X_GPIO1_CTRL, AXP22X_GPIO_STATE), + regmap_reg_range(AXP288_RT_BATT_V_H, AXP288_RT_BATT_V_L), + regmap_reg_range(AXP20X_FG_RES, AXP288_FG_CC_CAP_REG), + }; +-- +2.30.2 + diff --git a/queue-5.4/mfd-db8500-prcmu-adjust-map-to-reality.patch b/queue-5.4/mfd-db8500-prcmu-adjust-map-to-reality.patch new file mode 100644 index 00000000000..01384f11f23 --- /dev/null +++ b/queue-5.4/mfd-db8500-prcmu-adjust-map-to-reality.patch @@ -0,0 +1,59 @@ +From b567602d06ec36e2470b71fa05bc8daf1943b139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Aug 2021 01:33:13 +0200 +Subject: mfd: db8500-prcmu: Adjust map to reality + +From: Linus Walleij + +[ Upstream commit ec343111c056ec3847800302f6dbc57281f833fa ] + +These are the actual frequencies reported by the PLL, so let's +report these. The roundoffs are inappropriate, we should round +to the frequency that the clock will later report. + +Drop some whitespace at the same time. + +Cc: phone-devel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/db8500-prcmu.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c +index dfac6afa82ca..f1f2ad9ff0b3 100644 +--- a/drivers/mfd/db8500-prcmu.c ++++ b/drivers/mfd/db8500-prcmu.c +@@ -1695,22 +1695,20 @@ static long round_clock_rate(u8 clock, unsigned long rate) + } + + static const unsigned long db8500_armss_freqs[] = { +- 200000000, +- 400000000, +- 800000000, ++ 199680000, ++ 399360000, ++ 798720000, + 998400000 + }; + + /* The DB8520 has slightly higher ARMSS max frequency */ + static const unsigned long db8520_armss_freqs[] = { +- 200000000, +- 400000000, +- 800000000, ++ 199680000, ++ 399360000, ++ 798720000, + 1152000000 + }; + +- +- + static long round_armss_rate(unsigned long rate) + { + unsigned long freq = 0; +-- +2.30.2 + diff --git a/queue-5.4/mfd-don-t-use-irq_create_mapping-to-resolve-a-mappin.patch b/queue-5.4/mfd-don-t-use-irq_create_mapping-to-resolve-a-mappin.patch new file mode 100644 index 00000000000..cc0cb29f3a8 --- /dev/null +++ b/queue-5.4/mfd-don-t-use-irq_create_mapping-to-resolve-a-mappin.patch @@ -0,0 +1,95 @@ +From 8f04daa3f2f5bbf5b8fcd105852eb5e1691715ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 19:07:54 +0100 +Subject: mfd: Don't use irq_create_mapping() to resolve a mapping + +From: Marc Zyngier + +[ Upstream commit 9ff80e2de36d0554e3a6da18a171719fe8663c17 ] + +Although irq_create_mapping() is able to deal with duplicate +mappings, it really isn't supposed to be a substitute for +irq_find_mapping(), and can result in allocations that take place +in atomic context if the mapping didn't exist. + +Fix the handful of MFD drivers that use irq_create_mapping() in +interrupt context by using irq_find_mapping() instead. + +Cc: Linus Walleij +Cc: Lee Jones +Cc: Maxime Coquelin +Cc: Alexandre Torgue +Signed-off-by: Marc Zyngier +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/ab8500-core.c | 2 +- + drivers/mfd/stmpe.c | 4 ++-- + drivers/mfd/tc3589x.c | 2 +- + drivers/mfd/wm8994-irq.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/mfd/ab8500-core.c b/drivers/mfd/ab8500-core.c +index 3e9dc92cb467..842de1f352df 100644 +--- a/drivers/mfd/ab8500-core.c ++++ b/drivers/mfd/ab8500-core.c +@@ -493,7 +493,7 @@ static int ab8500_handle_hierarchical_line(struct ab8500 *ab8500, + if (line == AB8540_INT_GPIO43F || line == AB8540_INT_GPIO44F) + line += 1; + +- handle_nested_irq(irq_create_mapping(ab8500->domain, line)); ++ handle_nested_irq(irq_find_mapping(ab8500->domain, line)); + } + + return 0; +diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c +index 1aee3b3253fc..508349399f8a 100644 +--- a/drivers/mfd/stmpe.c ++++ b/drivers/mfd/stmpe.c +@@ -1091,7 +1091,7 @@ static irqreturn_t stmpe_irq(int irq, void *data) + + if (variant->id_val == STMPE801_ID || + variant->id_val == STMPE1600_ID) { +- int base = irq_create_mapping(stmpe->domain, 0); ++ int base = irq_find_mapping(stmpe->domain, 0); + + handle_nested_irq(base); + return IRQ_HANDLED; +@@ -1119,7 +1119,7 @@ static irqreturn_t stmpe_irq(int irq, void *data) + while (status) { + int bit = __ffs(status); + int line = bank * 8 + bit; +- int nestedirq = irq_create_mapping(stmpe->domain, line); ++ int nestedirq = irq_find_mapping(stmpe->domain, line); + + handle_nested_irq(nestedirq); + status &= ~(1 << bit); +diff --git a/drivers/mfd/tc3589x.c b/drivers/mfd/tc3589x.c +index 67c9995bb1aa..23cfbd050120 100644 +--- a/drivers/mfd/tc3589x.c ++++ b/drivers/mfd/tc3589x.c +@@ -187,7 +187,7 @@ again: + + while (status) { + int bit = __ffs(status); +- int virq = irq_create_mapping(tc3589x->domain, bit); ++ int virq = irq_find_mapping(tc3589x->domain, bit); + + handle_nested_irq(virq); + status &= ~(1 << bit); +diff --git a/drivers/mfd/wm8994-irq.c b/drivers/mfd/wm8994-irq.c +index 6c3a619e2628..651a028bc519 100644 +--- a/drivers/mfd/wm8994-irq.c ++++ b/drivers/mfd/wm8994-irq.c +@@ -154,7 +154,7 @@ static irqreturn_t wm8994_edge_irq(int irq, void *data) + struct wm8994 *wm8994 = data; + + while (gpio_get_value_cansleep(wm8994->pdata.irq_gpio)) +- handle_nested_irq(irq_create_mapping(wm8994->edge_irq, 0)); ++ handle_nested_irq(irq_find_mapping(wm8994->edge_irq, 0)); + + return IRQ_HANDLED; + } +-- +2.30.2 + diff --git a/queue-5.4/mfd-tqmx86-clear-gpio-irq-resource-when-no-irq-is-se.patch b/queue-5.4/mfd-tqmx86-clear-gpio-irq-resource-when-no-irq-is-se.patch new file mode 100644 index 00000000000..44ae25adef9 --- /dev/null +++ b/queue-5.4/mfd-tqmx86-clear-gpio-irq-resource-when-no-irq-is-se.patch @@ -0,0 +1,40 @@ +From 5b26574c1fdf5fca7371a5108e8fa144b7a3d7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:00:48 +0200 +Subject: mfd: tqmx86: Clear GPIO IRQ resource when no IRQ is set + +From: Matthias Schiffer + +[ Upstream commit a946506c48f3bd09363c9d2b0a178e55733bcbb6 ] + +The driver was registering IRQ 0 when no IRQ was set. This leads to +warnings with newer kernels. + +Clear the resource flags, so no resource is registered at all in this +case. + +Fixes: 2f17dd34ffed ("mfd: tqmx86: IO controller with I2C, Wachdog and GPIO") +Signed-off-by: Matthias Schiffer +Reviewed-by: Andrew Lunn +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/tqmx86.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mfd/tqmx86.c b/drivers/mfd/tqmx86.c +index 22d2f02d855c..ccc5a9ac788c 100644 +--- a/drivers/mfd/tqmx86.c ++++ b/drivers/mfd/tqmx86.c +@@ -210,6 +210,8 @@ static int tqmx86_probe(struct platform_device *pdev) + + /* Assumes the IRQ resource is first. */ + tqmx_gpio_resources[0].start = gpio_irq; ++ } else { ++ tqmx_gpio_resources[0].flags = 0; + } + + ocores_platfom_data.clock_khz = tqmx86_board_id_to_clk_rate(board_id); +-- +2.30.2 + diff --git a/queue-5.4/mtd-rawnand-cafe-fix-a-resource-leak-in-the-error-ha.patch b/queue-5.4/mtd-rawnand-cafe-fix-a-resource-leak-in-the-error-ha.patch new file mode 100644 index 00000000000..52144378b34 --- /dev/null +++ b/queue-5.4/mtd-rawnand-cafe-fix-a-resource-leak-in-the-error-ha.patch @@ -0,0 +1,53 @@ +From 527f9b2d9913e8166e94de1ce3fbe9c2a989c7e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 09:58:45 +0200 +Subject: mtd: rawnand: cafe: Fix a resource leak in the error handling path of + 'cafe_nand_probe()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +[ Upstream commit 6b430c7595e4eb95fae8fb54adc3c3ce002e75ae ] + +A successful 'init_rs_non_canonical()' call should be balanced by a +corresponding 'free_rs()' call in the error handling path of the probe, as +already done in the remove function. + +Update the error handling path accordingly. + +Fixes: 8c61b7a7f4d4 ("[MTD] [NAND] Use rslib for CAFÉ ECC") +Signed-off-by: Christophe JAILLET +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/fd313d3fb787458bcc73189e349f481133a2cdc9.1629532640.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/cafe_nand.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/cafe_nand.c b/drivers/mtd/nand/raw/cafe_nand.c +index 2d1c22dc88c1..cc5009200cc2 100644 +--- a/drivers/mtd/nand/raw/cafe_nand.c ++++ b/drivers/mtd/nand/raw/cafe_nand.c +@@ -757,7 +757,7 @@ static int cafe_nand_probe(struct pci_dev *pdev, + "CAFE NAND", mtd); + if (err) { + dev_warn(&pdev->dev, "Could not register IRQ %d\n", pdev->irq); +- goto out_ior; ++ goto out_free_rs; + } + + /* Disable master reset, enable NAND clock */ +@@ -801,6 +801,8 @@ static int cafe_nand_probe(struct pci_dev *pdev, + /* Disable NAND IRQ in global IRQ mask register */ + cafe_writel(cafe, ~1 & cafe_readl(cafe, GLOBAL_IRQ_MASK), GLOBAL_IRQ_MASK); + free_irq(pdev->irq, mtd); ++ out_free_rs: ++ free_rs(cafe->rs); + out_ior: + pci_iounmap(pdev, cafe->mmio); + out_free_mtd: +-- +2.30.2 + diff --git a/queue-5.4/net-dsa-b53-fix-calculating-number-of-switch-ports.patch b/queue-5.4/net-dsa-b53-fix-calculating-number-of-switch-ports.patch new file mode 100644 index 00000000000..cb9a0a21c40 --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-calculating-number-of-switch-ports.patch @@ -0,0 +1,49 @@ +From 96264d3aff09e97d80c1cfba5317fa88a28c8e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 10:30:50 +0200 +Subject: net: dsa: b53: Fix calculating number of switch ports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit cdb067d31c0fe4cce98b9d15f1f2ef525acaa094 ] + +It isn't true that CPU port is always the last one. Switches BCM5301x +have 9 ports (port 6 being inactive) and they use port 5 as CPU by +default (depending on design some other may be CPU ports too). + +A more reliable way of determining number of ports is to check for the +last set bit in the "enabled_ports" bitfield. + +This fixes b53 internal state, it will allow providing accurate info to +the DSA and is required to fix BCM5301x support. + +Fixes: 967dd82ffc52 ("net: dsa: b53: Add support for Broadcom RoboSwitch") +Signed-off-by: Rafał Miłecki +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index e78b683f7305..825d840cdb8c 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2353,9 +2353,8 @@ static int b53_switch_init(struct b53_device *dev) + dev->cpu_port = 5; + } + +- /* cpu port is always last */ +- dev->num_ports = dev->cpu_port + 1; + dev->enabled_ports |= BIT(dev->cpu_port); ++ dev->num_ports = fls(dev->enabled_ports); + + /* Include non standard CPU port built-in PHYs to be probed */ + if (is539x(dev) || is531x5(dev)) { +-- +2.30.2 + diff --git a/queue-5.4/net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch b/queue-5.4/net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch new file mode 100644 index 00000000000..a033f2dfbd6 --- /dev/null +++ b/queue-5.4/net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch @@ -0,0 +1,40 @@ +From 44c47affd11d95b3be1842587e6e4f235a780a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:29:40 +0900 +Subject: net: renesas: sh_eth: Fix freeing wrong tx descriptor + +From: Yoshihiro Shimoda + +[ Upstream commit 0341d5e3d1ee2a36dd5a49b5bef2ce4ad1cfa6b4 ] + +The cur_tx counter must be incremented after TACT bit of +txdesc->status was set. However, a CPU is possible to reorder +instructions and/or memory accesses between cur_tx and +txdesc->status. And then, if TX interrupt happened at such a +timing, the sh_eth_tx_free() may free the descriptor wrongly. +So, add wmb() before cur_tx++. +Otherwise NETDEV WATCHDOG timeout is possible to happen. + +Fixes: 86a74ff21a7a ("net: sh_eth: add support for Renesas SuperH Ethernet") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 931a44fe7afe..50d85d037230 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2567,6 +2567,7 @@ static int sh_eth_start_xmit(struct sk_buff *skb, struct net_device *ndev) + else + txdesc->status |= cpu_to_le32(TD_TACT); + ++ wmb(); /* cur_tx must be incremented after TACT bit was set */ + mdp->cur_tx++; + + if (!(sh_eth_read(ndev, EDTRR) & mdp->cd->edtrr_trns)) +-- +2.30.2 + diff --git a/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch new file mode 100644 index 00000000000..be74944bf3d --- /dev/null +++ b/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch @@ -0,0 +1,38 @@ +From 78874be5d3dd5d9c1ff8d6c69ce5a372f2202186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 12:51:22 +0200 +Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 + +From: Daniele Palmas + +[ Upstream commit aabbdc67f3485b5db27ab4eba01e5fbf1ffea62c ] + +Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit LN920 +0x1061 composition in order to avoid bind error. + +Signed-off-by: Daniele Palmas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_mbim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index eb100eb33de3..77ac5a721e7b 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -653,6 +653,11 @@ static const struct usb_device_id mbim_devs[] = { + .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, + }, + ++ /* Telit LN920 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1061, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, ++ }, ++ + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +-- +2.30.2 + diff --git a/queue-5.4/netfilter-socket-icmp6-fix-use-after-scope.patch b/queue-5.4/netfilter-socket-icmp6-fix-use-after-scope.patch new file mode 100644 index 00000000000..17fe711b2c4 --- /dev/null +++ b/queue-5.4/netfilter-socket-icmp6-fix-use-after-scope.patch @@ -0,0 +1,64 @@ +From a048146c561dfee2f068cc078bf109f028f40343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 15:23:35 +0200 +Subject: netfilter: socket: icmp6: fix use-after-scope + +From: Benjamin Hesmans + +[ Upstream commit 730affed24bffcd1eebd5903171960f5ff9f1f22 ] + +Bug reported by KASAN: + +BUG: KASAN: use-after-scope in inet6_ehashfn (net/ipv6/inet6_hashtables.c:40) +Call Trace: +(...) +inet6_ehashfn (net/ipv6/inet6_hashtables.c:40) +(...) +nf_sk_lookup_slow_v6 (net/ipv6/netfilter/nf_socket_ipv6.c:91 +net/ipv6/netfilter/nf_socket_ipv6.c:146) + +It seems that this bug has already been fixed by Eric Dumazet in the +past in: +commit 78296c97ca1f ("netfilter: xt_socket: fix a stack corruption bug") + +But a variant of the same issue has been introduced in +commit d64d80a2cde9 ("netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match") + +`daddr` and `saddr` potentially hold a reference to ipv6_var that is no +longer in scope when the call to `nf_socket_get_sock_v6` is made. + +Fixes: d64d80a2cde9 ("netfilter: x_tables: don't extract flow keys on early demuxed sks in socket match") +Acked-by: Matthieu Baerts +Signed-off-by: Benjamin Hesmans +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_socket_ipv6.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c +index b9df879c48d3..69c021704abd 100644 +--- a/net/ipv6/netfilter/nf_socket_ipv6.c ++++ b/net/ipv6/netfilter/nf_socket_ipv6.c +@@ -99,7 +99,7 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, + { + __be16 uninitialized_var(dport), uninitialized_var(sport); + const struct in6_addr *daddr = NULL, *saddr = NULL; +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var; + struct sk_buff *data_skb = NULL; + int doff = 0; + int thoff = 0, tproto; +@@ -129,8 +129,6 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, + thoff + sizeof(*hp); + + } else if (tproto == IPPROTO_ICMPV6) { +- struct ipv6hdr ipv6_var; +- + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, + &sport, &dport, &ipv6_var)) + return NULL; +-- +2.30.2 + diff --git a/queue-5.4/ntb-fix-an-error-code-in-ntb_msit_probe.patch b/queue-5.4/ntb-fix-an-error-code-in-ntb_msit_probe.patch new file mode 100644 index 00000000000..c64250cdeae --- /dev/null +++ b/queue-5.4/ntb-fix-an-error-code-in-ntb_msit_probe.patch @@ -0,0 +1,44 @@ +From ed6238b5f4d43a1b6bf102191093004c6e7bf0ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 13:56:20 +0800 +Subject: NTB: Fix an error code in ntb_msit_probe() + +From: Yang Li + +[ Upstream commit 319f83ac98d7afaabab84ce5281a819a358b9895 ] + +When the value of nm->isr_ctx is false, the value of ret is 0. +So, we set ret to -ENOMEM to indicate this error. + +Clean up smatch warning: +drivers/ntb/test/ntb_msi_test.c:373 ntb_msit_probe() warn: missing +error code 'ret'. + +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_msi_test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/test/ntb_msi_test.c b/drivers/ntb/test/ntb_msi_test.c +index 99d826ed9c34..662067dc9ce2 100644 +--- a/drivers/ntb/test/ntb_msi_test.c ++++ b/drivers/ntb/test/ntb_msi_test.c +@@ -372,8 +372,10 @@ static int ntb_msit_probe(struct ntb_client *client, struct ntb_dev *ntb) + if (ret) + goto remove_dbgfs; + +- if (!nm->isr_ctx) ++ if (!nm->isr_ctx) { ++ ret = -ENOMEM; + goto remove_dbgfs; ++ } + + ntb_link_enable(ntb, NTB_SPEED_AUTO, NTB_WIDTH_AUTO); + +-- +2.30.2 + diff --git a/queue-5.4/ntb-perf-fix-an-error-code-in-perf_setup_inbuf.patch b/queue-5.4/ntb-perf-fix-an-error-code-in-perf_setup_inbuf.patch new file mode 100644 index 00000000000..bbcc4969e5a --- /dev/null +++ b/queue-5.4/ntb-perf-fix-an-error-code-in-perf_setup_inbuf.patch @@ -0,0 +1,40 @@ +From 378ac6fe9ff4264414adceea1ed68082b0669306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 16:40:36 +0800 +Subject: NTB: perf: Fix an error code in perf_setup_inbuf() + +From: Yang Li + +[ Upstream commit 0097ae5f7af5684f961a5f803ff7ad3e6f933668 ] + +When the function IS_ALIGNED() returns false, the value of ret is 0. +So, we set ret to -EINVAL to indicate this error. + +Clean up smatch warning: +drivers/ntb/test/ntb_perf.c:602 perf_setup_inbuf() warn: missing error +code 'ret'. + +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Reviewed-by: Serge Semin +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_perf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c +index 5ce4766a6c9e..251fe75798c1 100644 +--- a/drivers/ntb/test/ntb_perf.c ++++ b/drivers/ntb/test/ntb_perf.c +@@ -597,6 +597,7 @@ static int perf_setup_inbuf(struct perf_peer *peer) + return -ENOMEM; + } + if (!IS_ALIGNED(peer->inbuf_xlat, xlat_align)) { ++ ret = -EINVAL; + dev_err(&perf->ntb->dev, "Unaligned inbuf allocated\n"); + goto err_free_inbuf; + } +-- +2.30.2 + diff --git a/queue-5.4/pci-add-acs-quirks-for-cavium-multi-function-devices.patch b/queue-5.4/pci-add-acs-quirks-for-cavium-multi-function-devices.patch new file mode 100644 index 00000000000..5a8cf4def86 --- /dev/null +++ b/queue-5.4/pci-add-acs-quirks-for-cavium-multi-function-devices.patch @@ -0,0 +1,44 @@ +From 15ee1f5b4c61d3fe28cbe1e06b63d10652f0108d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 17:54:25 +0530 +Subject: PCI: Add ACS quirks for Cavium multi-function devices + +From: George Cherian + +[ Upstream commit 32837d8a8f63eb95dcb9cd005524a27f06478832 ] + +Some Cavium endpoints are implemented as multi-function devices without ACS +capability, but they actually don't support peer-to-peer transactions. + +Add ACS quirks to declare DMA isolation for the following devices: + + - BGX device found on Octeon-TX (8xxx) + - CGX device found on Octeon-TX2 (9xxx) + - RPM device found on Octeon-TX3 (10xxx) + +Link: https://lore.kernel.org/r/20210810122425.1115156-1-george.cherian@marvell.com +Signed-off-by: George Cherian +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index e230a7b5e70a..686298c0f6cd 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4922,6 +4922,10 @@ static const struct pci_dev_acs_enabled { + { 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */ + /* Cavium ThunderX */ + { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs }, ++ /* Cavium multi-function devices */ ++ { PCI_VENDOR_ID_CAVIUM, 0xA026, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_CAVIUM, 0xA059, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs }, + /* APM X-Gene */ + { PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs }, + /* Ampere Computing */ +-- +2.30.2 + diff --git a/queue-5.4/pci-add-acs-quirks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch b/queue-5.4/pci-add-acs-quirks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch new file mode 100644 index 00000000000..07889e8d4a6 --- /dev/null +++ b/queue-5.4/pci-add-acs-quirks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch @@ -0,0 +1,148 @@ +From c70f02c8b73a3e59c684a032042233f6e2dca425 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 14:17:47 +0200 +Subject: PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms + +From: Wasim Khan + +[ Upstream commit d08c8b855140e9f5240b3ffd1b8b9d435675e281 ] + +Root Ports in NXP LX2xx0 and LX2xx2, where each Root Port is a Root Complex +with unique segment numbers, do provide isolation features to disable peer +transactions and validate bus numbers in requests, but do not provide an +actual PCIe ACS capability. + +Add ACS quirks for NXP LX2xx0 A/C/E/N and LX2xx2 A/C/E/N platforms. + + LX2xx0A : without security features + CAN-FD + LX2160A (0x8d81) - 16 cores + LX2120A (0x8da1) - 12 cores + LX2080A (0x8d83) - 8 cores + + LX2xx0C : security features + CAN-FD + LX2160C (0x8d80) - 16 cores + LX2120C (0x8da0) - 12 cores + LX2080C (0x8d82) - 8 cores + + LX2xx0E : security features + CAN + LX2160E (0x8d90) - 16 cores + LX2120E (0x8db0) - 12 cores + LX2080E (0x8d92) - 8 cores + + LX2xx0N : without security features + CAN + LX2160N (0x8d91) - 16 cores + LX2120N (0x8db1) - 12 cores + LX2080N (0x8d93) - 8 cores + + LX2xx2A : without security features + CAN-FD + LX2162A (0x8d89) - 16 cores + LX2122A (0x8da9) - 12 cores + LX2082A (0x8d8b) - 8 cores + + LX2xx2C : security features + CAN-FD + LX2162C (0x8d88) - 16 cores + LX2122C (0x8da8) - 12 cores + LX2082C (0x8d8a) - 8 cores + + LX2xx2E : security features + CAN + LX2162E (0x8d98) - 16 cores + LX2122E (0x8db8) - 12 cores + LX2082E (0x8d9a) - 8 cores + + LX2xx2N : without security features + CAN + LX2162N (0x8d99) - 16 cores + LX2122N (0x8db9) - 12 cores + LX2082N (0x8d9b) - 8 cores + +[bhelgaas: put PCI_VENDOR_ID_NXP definition next to PCI_VENDOR_ID_FREESCALE +as a clue that they share the same Device ID namespace] +Link: https://lore.kernel.org/r/20210729121747.1823086-1-wasim.khan@oss.nxp.com +Link: https://lore.kernel.org/r/20210803180021.3252886-1-wasim.khan@oss.nxp.com +Signed-off-by: Wasim Khan +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 45 +++++++++++++++++++++++++++++++++++++++++ + include/linux/pci_ids.h | 3 ++- + 2 files changed, 47 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 34c68a7313db..e230a7b5e70a 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4684,6 +4684,18 @@ static int pci_quirk_qcom_rp_acs(struct pci_dev *dev, u16 acs_flags) + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); + } + ++/* ++ * Each of these NXP Root Ports is in a Root Complex with a unique segment ++ * number and does provide isolation features to disable peer transactions ++ * and validate bus numbers in requests, but does not provide an ACS ++ * capability. ++ */ ++static int pci_quirk_nxp_rp_acs(struct pci_dev *dev, u16 acs_flags) ++{ ++ return pci_acs_ctrl_enabled(acs_flags, ++ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); ++} ++ + static int pci_quirk_al_acs(struct pci_dev *dev, u16 acs_flags) + { + if (pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) +@@ -4930,6 +4942,39 @@ static const struct pci_dev_acs_enabled { + { PCI_VENDOR_ID_ZHAOXIN, 0x3038, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_ZHAOXIN, 0x3104, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs }, ++ /* NXP root ports, xx=16, 12, or 08 cores */ ++ /* LX2xx0A : without security features + CAN-FD */ ++ { PCI_VENDOR_ID_NXP, 0x8d81, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8da1, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d83, pci_quirk_nxp_rp_acs }, ++ /* LX2xx0C : security features + CAN-FD */ ++ { PCI_VENDOR_ID_NXP, 0x8d80, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8da0, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d82, pci_quirk_nxp_rp_acs }, ++ /* LX2xx0E : security features + CAN */ ++ { PCI_VENDOR_ID_NXP, 0x8d90, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8db0, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d92, pci_quirk_nxp_rp_acs }, ++ /* LX2xx0N : without security features + CAN */ ++ { PCI_VENDOR_ID_NXP, 0x8d91, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8db1, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d93, pci_quirk_nxp_rp_acs }, ++ /* LX2xx2A : without security features + CAN-FD */ ++ { PCI_VENDOR_ID_NXP, 0x8d89, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8da9, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d8b, pci_quirk_nxp_rp_acs }, ++ /* LX2xx2C : security features + CAN-FD */ ++ { PCI_VENDOR_ID_NXP, 0x8d88, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8da8, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d8a, pci_quirk_nxp_rp_acs }, ++ /* LX2xx2E : security features + CAN */ ++ { PCI_VENDOR_ID_NXP, 0x8d98, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8db8, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d9a, pci_quirk_nxp_rp_acs }, ++ /* LX2xx2N : without security features + CAN */ ++ { PCI_VENDOR_ID_NXP, 0x8d99, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8db9, pci_quirk_nxp_rp_acs }, ++ { PCI_VENDOR_ID_NXP, 0x8d9b, pci_quirk_nxp_rp_acs }, + /* Zhaoxin Root/Downstream Ports */ + { PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs }, + { 0 } +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 0ad57693f392..42588645478d 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2476,7 +2476,8 @@ + #define PCI_VENDOR_ID_TDI 0x192E + #define PCI_DEVICE_ID_TDI_EHCI 0x0101 + +-#define PCI_VENDOR_ID_FREESCALE 0x1957 ++#define PCI_VENDOR_ID_FREESCALE 0x1957 /* duplicate: NXP */ ++#define PCI_VENDOR_ID_NXP 0x1957 /* duplicate: FREESCALE */ + #define PCI_DEVICE_ID_MPC8308 0xc006 + #define PCI_DEVICE_ID_MPC8315E 0x00b4 + #define PCI_DEVICE_ID_MPC8315 0x00b5 +-- +2.30.2 + diff --git a/queue-5.4/pci-fix-pci_dev_str_match_path-alloc-while-atomic-bu.patch b/queue-5.4/pci-fix-pci_dev_str_match_path-alloc-while-atomic-bu.patch new file mode 100644 index 00000000000..37c631165ff --- /dev/null +++ b/queue-5.4/pci-fix-pci_dev_str_match_path-alloc-while-atomic-bu.patch @@ -0,0 +1,42 @@ +From db50bab909259bc5b79a5f46ae9c21cf485f160f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 10:00:04 +0300 +Subject: PCI: Fix pci_dev_str_match_path() alloc while atomic bug + +From: Dan Carpenter + +[ Upstream commit 7eb6ea4148579b85540a41d57bcec315b8af8ff8 ] + +pci_dev_str_match_path() is often called with a spinlock held so the +allocation has to be atomic. The call tree is: + + pci_specified_resource_alignment() <-- takes spin_lock(); + pci_dev_str_match() + pci_dev_str_match_path() + +Fixes: 45db33709ccc ("PCI: Allow specifying devices using a base bus and path of devfns") +Link: https://lore.kernel.org/r/20210812070004.GC31863@kili +Signed-off-by: Dan Carpenter +Signed-off-by: Bjorn Helgaas +Reviewed-by: Logan Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 91b2733ded17..b9550cd4280c 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -224,7 +224,7 @@ static int pci_dev_str_match_path(struct pci_dev *dev, const char *path, + + *endptr = strchrnul(path, ';'); + +- wpath = kmemdup_nul(path, *endptr - path, GFP_KERNEL); ++ wpath = kmemdup_nul(path, *endptr - path, GFP_ATOMIC); + if (!wpath) + return -ENOMEM; + +-- +2.30.2 + diff --git a/queue-5.4/pci-ibmphp-fix-double-unmap-of-io_mem.patch b/queue-5.4/pci-ibmphp-fix-double-unmap-of-io_mem.patch new file mode 100644 index 00000000000..1ba4252ce03 --- /dev/null +++ b/queue-5.4/pci-ibmphp-fix-double-unmap-of-io_mem.patch @@ -0,0 +1,64 @@ +From eb36f693fc7c6801ba58ff0a1fe63cd054f9cd9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 11:57:51 -0500 +Subject: PCI: ibmphp: Fix double unmap of io_mem + +From: Vishal Aslot + +[ Upstream commit faa2e05ad0dccf37f995bcfbb8d1980d66c02c11 ] + +ebda_rsrc_controller() calls iounmap(io_mem) on the error path. Its caller, +ibmphp_access_ebda(), also calls iounmap(io_mem) on good and error paths. + +Remove the iounmap(io_mem) invocation from ebda_rsrc_controller(). + +[bhelgaas: remove item from TODO] +Link: https://lore.kernel.org/r/20210818165751.591185-1-os.vaslot@gmail.com +Signed-off-by: Vishal Aslot +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/TODO | 3 --- + drivers/pci/hotplug/ibmphp_ebda.c | 5 +---- + 2 files changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/pci/hotplug/TODO b/drivers/pci/hotplug/TODO +index a32070be5adf..cc6194aa24c1 100644 +--- a/drivers/pci/hotplug/TODO ++++ b/drivers/pci/hotplug/TODO +@@ -40,9 +40,6 @@ ibmphp: + + * The return value of pci_hp_register() is not checked. + +-* iounmap(io_mem) is called in the error path of ebda_rsrc_controller() +- and once more in the error path of its caller ibmphp_access_ebda(). +- + * The various slot data structures are difficult to follow and need to be + simplified. A lot of functions are too large and too complex, they need + to be broken up into smaller, manageable pieces. Negative examples are +diff --git a/drivers/pci/hotplug/ibmphp_ebda.c b/drivers/pci/hotplug/ibmphp_ebda.c +index 11a2661dc062..7fb75401ad8a 100644 +--- a/drivers/pci/hotplug/ibmphp_ebda.c ++++ b/drivers/pci/hotplug/ibmphp_ebda.c +@@ -714,8 +714,7 @@ static int __init ebda_rsrc_controller(void) + /* init hpc structure */ + hpc_ptr = alloc_ebda_hpc(slot_num, bus_num); + if (!hpc_ptr) { +- rc = -ENOMEM; +- goto error_no_hpc; ++ return -ENOMEM; + } + hpc_ptr->ctlr_id = ctlr_id; + hpc_ptr->ctlr_relative_id = ctlr; +@@ -910,8 +909,6 @@ error: + kfree(tmp_slot); + error_no_slot: + free_ebda_hpc(hpc_ptr); +-error_no_hpc: +- iounmap(io_mem); + return rc; + } + +-- +2.30.2 + diff --git a/queue-5.4/pci-sync-__pci_register_driver-stub-for-config_pci-n.patch b/queue-5.4/pci-sync-__pci_register_driver-stub-for-config_pci-n.patch new file mode 100644 index 00000000000..f0da4a19aa0 --- /dev/null +++ b/queue-5.4/pci-sync-__pci_register_driver-stub-for-config_pci-n.patch @@ -0,0 +1,42 @@ +From 567435a5eb21377627e4cd3c7b6a8d55a01c487d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 18:36:19 +0300 +Subject: PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n + +From: Andy Shevchenko + +[ Upstream commit 817f9916a6e96ae43acdd4e75459ef4f92d96eb1 ] + +The CONFIG_PCI=y case got a new parameter long time ago. Sync the stub as +well. + +[bhelgaas: add parameter names] +Fixes: 725522b5453d ("PCI: add the sysfs driver name to all modules") +Link: https://lore.kernel.org/r/20210813153619.89574-1-andriy.shevchenko@linux.intel.com +Reported-by: kernel test robot +Signed-off-by: Andy Shevchenko +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + include/linux/pci.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 6a6a819c5b49..9a937f8b2783 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1688,8 +1688,9 @@ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; } + static inline void pci_disable_device(struct pci_dev *dev) { } + static inline int pci_assign_resource(struct pci_dev *dev, int i) + { return -EBUSY; } +-static inline int __pci_register_driver(struct pci_driver *drv, +- struct module *owner) ++static inline int __must_check __pci_register_driver(struct pci_driver *drv, ++ struct module *owner, ++ const char *mod_name) + { return 0; } + static inline int pci_register_driver(struct pci_driver *drv) + { return 0; } +-- +2.30.2 + diff --git a/queue-5.4/perf-unwind-do-not-overwrite-feature_check_ldflags-l.patch b/queue-5.4/perf-unwind-do-not-overwrite-feature_check_ldflags-l.patch new file mode 100644 index 00000000000..6f9085bda7a --- /dev/null +++ b/queue-5.4/perf-unwind-do-not-overwrite-feature_check_ldflags-l.patch @@ -0,0 +1,138 @@ +From 89a75b260522b25d5fe61c9c90545fc2af93cf8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 21:43:40 +0800 +Subject: perf unwind: Do not overwrite + FEATURE_CHECK_LDFLAGS-libunwind-{x86,aarch64} + +From: Li Huafei + +[ Upstream commit cdf32b44678c382a31dc183d9a767306915cda7b ] + +When setting LIBUNWIND_DIR, we first set + + FEATURE_CHECK_LDFLAGS-libunwind-{aarch64,x86} = -L$(LIBUNWIND_DIR)/lib. + + +This happens a bit before, the overwritting, in: + + libunwind_arch_set_flags = $(eval $(libunwind_arch_set_flags_code)) + define libunwind_arch_set_flags_code + FEATURE_CHECK_CFLAGS-libunwind-$(1) = -I$(LIBUNWIND_DIR)/include + FEATURE_CHECK_LDFLAGS-libunwind-$(1) = -L$(LIBUNWIND_DIR)/lib + endef + + ifdef LIBUNWIND_DIR + LIBUNWIND_CFLAGS = -I$(LIBUNWIND_DIR)/include + LIBUNWIND_LDFLAGS = -L$(LIBUNWIND_DIR)/lib + LIBUNWIND_ARCHS = x86 x86_64 arm aarch64 debug-frame-arm debug-frame-aarch64 + $(foreach libunwind_arch,$(LIBUNWIND_ARCHS),$(call libunwind_arch_set_flags,$(libunwind_arch))) + endif + +Look at that 'foreach' on all the LIBUNWIND_ARCHS. + + +After commit 5c4d7c82c0dc ("perf unwind: Do not put libunwind-{x86,aarch64} +in FEATURE_TESTS_BASIC"), FEATURE_CHECK_LDFLAGS-libunwind-{x86,aarch64} is +overwritten. As a result, the remote libunwind libraries cannot be searched +from $(LIBUNWIND_DIR)/lib directory during feature check tests. Fix it with +variable appending. + +Before this patch: + + perf$ make VF=1 LIBUNWIND_DIR=/opt/libunwind_aarch64 + BUILD: Doing 'make -j16' parallel build + + ... + ... libopencsd: [ OFF ] + ... libunwind-x86: [ OFF ] + ... libunwind-x86_64: [ OFF ] + ... libunwind-arm: [ OFF ] + ... libunwind-aarch64: [ OFF ] + ... libunwind-debug-frame: [ OFF ] + ... libunwind-debug-frame-arm: [ OFF ] + ... libunwind-debug-frame-aarch64: [ OFF ] + ... cxx: [ OFF ] + + + perf$ cat ../build/feature/test-libunwind-aarch64.make.output + /usr/bin/ld: cannot find -lunwind-aarch64 + /usr/bin/ld: cannot find -lunwind-aarch64 + collect2: error: ld returned 1 exit status + +After this patch: + + perf$ make VF=1 LIBUNWIND_DIR=/opt/libunwind_aarch64 + BUILD: Doing 'make -j16' parallel build + + ... libopencsd: [ OFF ] + ... libunwind-x86: [ OFF ] + ... libunwind-x86_64: [ OFF ] + ... libunwind-arm: [ OFF ] + ... libunwind-aarch64: [ on ] + ... libunwind-debug-frame: [ OFF ] + ... libunwind-debug-frame-arm: [ OFF ] + ... libunwind-debug-frame-aarch64: [ OFF ] + ... cxx: [ OFF ] + + + perf$ cat ../build/feature/test-libunwind-aarch64.make.output + + perf$ ldd ./perf + linux-vdso.so.1 (0x00007ffdf07da000) + libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f30953dc000) + librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f30951d4000) + libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f3094e36000) + libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3094c32000) + libelf.so.1 => /usr/lib/x86_64-linux-gnu/libelf.so.1 (0x00007f3094a18000) + libdw.so.1 => /usr/lib/x86_64-linux-gnu/libdw.so.1 (0x00007f30947cc000) + libunwind-x86_64.so.8 => /usr/lib/x86_64-linux-gnu/libunwind-x86_64.so.8 (0x00007f30945ad000) + libunwind.so.8 => /usr/lib/x86_64-linux-gnu/libunwind.so.8 (0x00007f3094392000) + liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f309416c000) + libunwind-aarch64.so.8 => not found + libslang.so.2 => /lib/x86_64-linux-gnu/libslang.so.2 (0x00007f3093c8a000) + libpython2.7.so.1.0 => /usr/local/lib/libpython2.7.so.1.0 (0x00007f309386b000) + libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f309364e000) + libnuma.so.1 => /usr/lib/x86_64-linux-gnu/libnuma.so.1 (0x00007f3093443000) + libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3093052000) + /lib64/ld-linux-x86-64.so.2 (0x00007f3096097000) + libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f3092e42000) + libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f3092c3f000) + +Fixes: 5c4d7c82c0dceccf ("perf unwind: Do not put libunwind-{x86,aarch64} in FEATURE_TESTS_BASIC") +Signed-off-by: Li Huafei +Cc: Alexander Shishkin +Cc: He Kuang +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Zhang Jinhao +Link: http://lore.kernel.org/lkml/20210823134340.60955-1-lihuafei1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 9832affd5d54..c75c9b03d6e7 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -118,10 +118,10 @@ FEATURE_CHECK_LDFLAGS-libunwind = $(LIBUNWIND_LDFLAGS) $(LIBUNWIND_LIBS) + FEATURE_CHECK_CFLAGS-libunwind-debug-frame = $(LIBUNWIND_CFLAGS) + FEATURE_CHECK_LDFLAGS-libunwind-debug-frame = $(LIBUNWIND_LDFLAGS) $(LIBUNWIND_LIBS) + +-FEATURE_CHECK_LDFLAGS-libunwind-arm = -lunwind -lunwind-arm +-FEATURE_CHECK_LDFLAGS-libunwind-aarch64 = -lunwind -lunwind-aarch64 +-FEATURE_CHECK_LDFLAGS-libunwind-x86 = -lunwind -llzma -lunwind-x86 +-FEATURE_CHECK_LDFLAGS-libunwind-x86_64 = -lunwind -llzma -lunwind-x86_64 ++FEATURE_CHECK_LDFLAGS-libunwind-arm += -lunwind -lunwind-arm ++FEATURE_CHECK_LDFLAGS-libunwind-aarch64 += -lunwind -lunwind-aarch64 ++FEATURE_CHECK_LDFLAGS-libunwind-x86 += -lunwind -llzma -lunwind-x86 ++FEATURE_CHECK_LDFLAGS-libunwind-x86_64 += -lunwind -llzma -lunwind-x86_64 + + FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto + +-- +2.30.2 + diff --git a/queue-5.4/qlcnic-remove-redundant-unlock-in-qlcnic_pinit_from_.patch b/queue-5.4/qlcnic-remove-redundant-unlock-in-qlcnic_pinit_from_.patch new file mode 100644 index 00000000000..ba7d0620eb4 --- /dev/null +++ b/queue-5.4/qlcnic-remove-redundant-unlock-in-qlcnic_pinit_from_.patch @@ -0,0 +1,38 @@ +From b196e1b585990b0fddd7745b9eb79243245eff0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 15:35:43 +0800 +Subject: qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom + +From: Dinghao Liu + +[ Upstream commit 9ddbc2a00d7f63fa9748f4278643193dac985f2d ] + +Previous commit 68233c583ab4 removes the qlcnic_rom_lock() +in qlcnic_pinit_from_rom(), but remains its corresponding +unlock function, which is odd. I'm not very sure whether the +lock is missing, or the unlock is redundant. This bug is +suggested by a static analysis tool, please advise. + +Fixes: 68233c583ab4 ("qlcnic: updated reset sequence") +Signed-off-by: Dinghao Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c +index c48a0e2d4d7e..6a009d51ec51 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c +@@ -440,7 +440,6 @@ int qlcnic_pinit_from_rom(struct qlcnic_adapter *adapter) + QLCWR32(adapter, QLCNIC_CRB_PEG_NET_4 + 0x3c, 1); + msleep(20); + +- qlcnic_rom_unlock(adapter); + /* big hammer don't reset CAM block on reset */ + QLCWR32(adapter, QLCNIC_ROMUSB_GLB_SW_RESET, 0xfeffffff); + +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index aa883ab607d..7cfad263dc0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -230,3 +230,31 @@ net-hns3-change-affinity_mask-to-numa-node-range.patch net-hns3-disable-mac-in-flr-process.patch net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch mm-memory_hotplug-use-unsigned-long-for-pfn-in-zone_for_pfn_range.patch +dt-bindings-mtd-gpmc-fix-the-ecc-bytes-vs.-oob-bytes.patch +mfd-db8500-prcmu-adjust-map-to-reality.patch +pci-add-acs-quirks-for-nxp-lx2xx0-and-lx2xx2-platfor.patch +fuse-fix-use-after-free-in-fuse_read_interrupt.patch +mfd-don-t-use-irq_create_mapping-to-resolve-a-mappin.patch +tracing-probes-reject-events-which-have-the-same-nam.patch +pci-add-acs-quirks-for-cavium-multi-function-devices.patch +set-fc_nlinfo-in-nh_create_ipv4-nh_create_ipv6.patch +net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch +block-bfq-honor-already-setup-queue-merges.patch +pci-ibmphp-fix-double-unmap-of-io_mem.patch +ethtool-fix-an-error-code-in-cxgb2.c.patch +ntb-fix-an-error-code-in-ntb_msit_probe.patch +ntb-perf-fix-an-error-code-in-perf_setup_inbuf.patch +mfd-axp20x-update-axp288-volatile-ranges.patch +pci-fix-pci_dev_str_match_path-alloc-while-atomic-bu.patch +mfd-tqmx86-clear-gpio-irq-resource-when-no-irq-is-se.patch +kvm-arm64-handle-psci-resets-before-userspace-touche.patch +pci-sync-__pci_register_driver-stub-for-config_pci-n.patch +mtd-rawnand-cafe-fix-a-resource-leak-in-the-error-ha.patch +arc-export-clear_user_page-for-modules.patch +perf-unwind-do-not-overwrite-feature_check_ldflags-l.patch +net-dsa-b53-fix-calculating-number-of-switch-ports.patch +netfilter-socket-icmp6-fix-use-after-scope.patch +fq_codel-reject-silly-quantum-parameters.patch +qlcnic-remove-redundant-unlock-in-qlcnic_pinit_from_.patch +ip_gre-validate-csum_start-only-on-pull.patch +net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch diff --git a/queue-5.4/set-fc_nlinfo-in-nh_create_ipv4-nh_create_ipv6.patch b/queue-5.4/set-fc_nlinfo-in-nh_create_ipv4-nh_create_ipv6.patch new file mode 100644 index 00000000000..fd067a27f92 --- /dev/null +++ b/queue-5.4/set-fc_nlinfo-in-nh_create_ipv4-nh_create_ipv6.patch @@ -0,0 +1,137 @@ +From 2e72a518699eb1d4072e16a49776c49bdba70b4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 05:20:14 +0000 +Subject: Set fc_nlinfo in nh_create_ipv4, nh_create_ipv6 + +From: Ryoga Saito + +[ Upstream commit 9aca491e0dccf8a9d84a5b478e5eee3c6ea7803b ] + +This patch fixes kernel NULL pointer dereference when creating nexthop +which is bound with SRv6 decapsulation. In the creation of nexthop, +__seg6_end_dt_vrf_build is called. __seg6_end_dt_vrf_build expects +fc_lninfo in fib6_config is set correctly, but it isn't set in +nh_create_ipv6, which causes kernel crash. + +Here is steps to reproduce kernel crash: + +1. modprobe vrf +2. ip -6 nexthop add encap seg6local action End.DT4 vrftable 1 dev eth0 + +We got the following message: + +[ 901.370336] BUG: kernel NULL pointer dereference, address: 0000000000000ba0 +[ 901.371658] #PF: supervisor read access in kernel mode +[ 901.372672] #PF: error_code(0x0000) - not-present page +[ 901.373672] PGD 0 P4D 0 +[ 901.374248] Oops: 0000 [#1] SMP PTI +[ 901.374944] CPU: 0 PID: 8593 Comm: ip Not tainted 5.14-051400-generic #202108310811-Ubuntu +[ 901.376404] Hardware name: Red Hat KVM, BIOS 1.11.1-4.module_el8.2.0+320+13f867d7 04/01/2014 +[ 901.377907] RIP: 0010:vrf_ifindex_lookup_by_table_id+0x19/0x90 [vrf] +[ 901.379182] Code: c1 e9 72 ff ff ff e8 96 49 01 c2 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 89 f5 41 54 53 8b 05 47 4c 00 00 <48> 8b 97 a0 0b 00 00 48 8b 1c c2 e8 57 27 53 c1 4c 8d a3 88 00 00 +[ 901.382652] RSP: 0018:ffffbf2d02043590 EFLAGS: 00010282 +[ 901.383746] RAX: 000000000000000b RBX: ffff990808255e70 RCX: ffffbf2d02043aa8 +[ 901.385436] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000000 +[ 901.386924] RBP: ffffbf2d020435b0 R08: 00000000000000c0 R09: ffff990808255e40 +[ 901.388537] R10: ffffffff83b08c90 R11: 0000000000000009 R12: 0000000000000000 +[ 901.389937] R13: 0000000000000001 R14: 0000000000000000 R15: 000000000000000b +[ 901.391226] FS: 00007fe49381f740(0000) GS:ffff99087dc00000(0000) knlGS:0000000000000000 +[ 901.392737] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 901.393803] CR2: 0000000000000ba0 CR3: 000000000e3e8003 CR4: 0000000000770ef0 +[ 901.395122] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 901.396496] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 901.397833] PKRU: 55555554 +[ 901.398578] Call Trace: +[ 901.399144] l3mdev_ifindex_lookup_by_table_id+0x3b/0x70 +[ 901.400179] __seg6_end_dt_vrf_build+0x34/0xd0 +[ 901.401067] seg6_end_dt4_build+0x16/0x20 +[ 901.401904] seg6_local_build_state+0x271/0x430 +[ 901.402797] lwtunnel_build_state+0x81/0x130 +[ 901.403645] fib_nh_common_init+0x82/0x100 +[ 901.404465] ? sock_def_readable+0x4b/0x80 +[ 901.405285] fib6_nh_init+0x115/0x7c0 +[ 901.406033] nh_create_ipv6.isra.0+0xe1/0x140 +[ 901.406932] rtm_new_nexthop+0x3b7/0xeb0 +[ 901.407828] rtnetlink_rcv_msg+0x152/0x3a0 +[ 901.408663] ? rtnl_calcit.isra.0+0x130/0x130 +[ 901.409535] netlink_rcv_skb+0x55/0x100 +[ 901.410319] rtnetlink_rcv+0x15/0x20 +[ 901.411026] netlink_unicast+0x1a8/0x250 +[ 901.411813] netlink_sendmsg+0x238/0x470 +[ 901.412602] ? _copy_from_user+0x2b/0x60 +[ 901.413394] sock_sendmsg+0x65/0x70 +[ 901.414112] ____sys_sendmsg+0x218/0x290 +[ 901.414929] ? copy_msghdr_from_user+0x5c/0x90 +[ 901.415814] ___sys_sendmsg+0x81/0xc0 +[ 901.416559] ? fsnotify_destroy_marks+0x27/0xf0 +[ 901.417447] ? call_rcu+0xa4/0x230 +[ 901.418153] ? kmem_cache_free+0x23f/0x410 +[ 901.418972] ? dentry_free+0x37/0x70 +[ 901.419705] ? mntput_no_expire+0x4c/0x260 +[ 901.420574] __sys_sendmsg+0x62/0xb0 +[ 901.421297] __x64_sys_sendmsg+0x1f/0x30 +[ 901.422057] do_syscall_64+0x5c/0xc0 +[ 901.422756] ? syscall_exit_to_user_mode+0x27/0x50 +[ 901.423675] ? __x64_sys_close+0x12/0x40 +[ 901.424462] ? do_syscall_64+0x69/0xc0 +[ 901.425219] ? irqentry_exit_to_user_mode+0x9/0x20 +[ 901.426149] ? irqentry_exit+0x19/0x30 +[ 901.426901] ? exc_page_fault+0x89/0x160 +[ 901.427709] ? asm_exc_page_fault+0x8/0x30 +[ 901.428536] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 901.429514] RIP: 0033:0x7fe493945747 +[ 901.430248] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +[ 901.433549] RSP: 002b:00007ffe9932cf68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 901.434981] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe493945747 +[ 901.436303] RDX: 0000000000000000 RSI: 00007ffe9932cfe0 RDI: 0000000000000003 +[ 901.437607] RBP: 00000000613053f7 R08: 0000000000000001 R09: 00007ffe9932d07c +[ 901.438990] R10: 000055f4a903a010 R11: 0000000000000246 R12: 0000000000000001 +[ 901.440340] R13: 0000000000000001 R14: 000055f4a802b163 R15: 000055f4a8042020 +[ 901.441630] Modules linked in: vrf nls_utf8 isofs nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common isst_if_mbox_msr isst_if_common nfit rapl input_leds joydev serio_raw qemu_fw_cfg mac_hid sch_fq_codel drm virtio_rng ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd virtio_net net_failover cryptd psmouse virtio_blk failover i2c_piix4 pata_acpi floppy +[ 901.450808] CR2: 0000000000000ba0 +[ 901.451514] ---[ end trace c27b934b99ade304 ]--- +[ 901.452403] RIP: 0010:vrf_ifindex_lookup_by_table_id+0x19/0x90 [vrf] +[ 901.453626] Code: c1 e9 72 ff ff ff e8 96 49 01 c2 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 89 f5 41 54 53 8b 05 47 4c 00 00 <48> 8b 97 a0 0b 00 00 48 8b 1c c2 e8 57 27 53 c1 4c 8d a3 88 00 00 +[ 901.456910] RSP: 0018:ffffbf2d02043590 EFLAGS: 00010282 +[ 901.457912] RAX: 000000000000000b RBX: ffff990808255e70 RCX: ffffbf2d02043aa8 +[ 901.459238] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000000 +[ 901.460552] RBP: ffffbf2d020435b0 R08: 00000000000000c0 R09: ffff990808255e40 +[ 901.461882] R10: ffffffff83b08c90 R11: 0000000000000009 R12: 0000000000000000 +[ 901.463208] R13: 0000000000000001 R14: 0000000000000000 R15: 000000000000000b +[ 901.464529] FS: 00007fe49381f740(0000) GS:ffff99087dc00000(0000) knlGS:0000000000000000 +[ 901.466058] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 901.467189] CR2: 0000000000000ba0 CR3: 000000000e3e8003 CR4: 0000000000770ef0 +[ 901.468515] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 901.469858] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 901.471139] PKRU: 55555554 + +Signed-off-by: Ryoga Saito +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index f5f4369c131c..858bb10d8341 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -1183,6 +1183,7 @@ static int nh_create_ipv4(struct net *net, struct nexthop *nh, + .fc_gw4 = cfg->gw.ipv4, + .fc_gw_family = cfg->gw.ipv4 ? AF_INET : 0, + .fc_flags = cfg->nh_flags, ++ .fc_nlinfo = cfg->nlinfo, + .fc_encap = cfg->nh_encap, + .fc_encap_type = cfg->nh_encap_type, + }; +@@ -1218,6 +1219,7 @@ static int nh_create_ipv6(struct net *net, struct nexthop *nh, + .fc_ifindex = cfg->nh_ifindex, + .fc_gateway = cfg->gw.ipv6, + .fc_flags = cfg->nh_flags, ++ .fc_nlinfo = cfg->nlinfo, + .fc_encap = cfg->nh_encap, + .fc_encap_type = cfg->nh_encap_type, + }; +-- +2.30.2 + diff --git a/queue-5.4/tracing-probes-reject-events-which-have-the-same-nam.patch b/queue-5.4/tracing-probes-reject-events-which-have-the-same-nam.patch new file mode 100644 index 00000000000..76209929a8e --- /dev/null +++ b/queue-5.4/tracing-probes-reject-events-which-have-the-same-nam.patch @@ -0,0 +1,129 @@ +From a2b2a7a010dbee4bd8e18577cd734bb8ec3f2c14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:26:02 +0900 +Subject: tracing/probes: Reject events which have the same name of existing + one + +From: Masami Hiramatsu + +[ Upstream commit 8e242060c6a4947e8ae7d29794af6a581db08841 ] + +Since kprobe_events and uprobe_events only check whether the +other same-type probe event has the same name or not, if the +user gives the same name of the existing tracepoint event (or +the other type of probe events), it silently fails to create +the tracefs entry (but registered.) as below. + +/sys/kernel/tracing # ls events/task/task_rename +enable filter format hist id trigger +/sys/kernel/tracing # echo p:task/task_rename vfs_read >> kprobe_events +[ 113.048508] Could not create tracefs 'task_rename' directory +/sys/kernel/tracing # cat kprobe_events +p:task/task_rename vfs_read + +To fix this issue, check whether the existing events have the +same name or not in trace_probe_register_event_call(). If exists, +it rejects to register the new event. + +Link: https://lkml.kernel.org/r/162936876189.187130.17558311387542061930.stgit@devnote2 + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_kprobe.c | 6 +++++- + kernel/trace/trace_probe.c | 25 +++++++++++++++++++++++++ + kernel/trace/trace_probe.h | 1 + + kernel/trace/trace_uprobe.c | 6 +++++- + 4 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 233322c77b76..5de084dab4fa 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -646,7 +646,11 @@ static int register_trace_kprobe(struct trace_kprobe *tk) + /* Register new event */ + ret = register_kprobe_event(tk); + if (ret) { +- pr_warn("Failed to register probe event(%d)\n", ret); ++ if (ret == -EEXIST) { ++ trace_probe_log_set_index(0); ++ trace_probe_log_err(0, EVENT_EXIST); ++ } else ++ pr_warn("Failed to register probe event(%d)\n", ret); + goto end; + } + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index f98d6d94cbbf..23e85cb15134 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1029,11 +1029,36 @@ error: + return ret; + } + ++static struct trace_event_call * ++find_trace_event_call(const char *system, const char *event_name) ++{ ++ struct trace_event_call *tp_event; ++ const char *name; ++ ++ list_for_each_entry(tp_event, &ftrace_events, list) { ++ if (!tp_event->class->system || ++ strcmp(system, tp_event->class->system)) ++ continue; ++ name = trace_event_name(tp_event); ++ if (!name || strcmp(event_name, name)) ++ continue; ++ return tp_event; ++ } ++ ++ return NULL; ++} ++ + int trace_probe_register_event_call(struct trace_probe *tp) + { + struct trace_event_call *call = trace_probe_event_call(tp); + int ret; + ++ lockdep_assert_held(&event_mutex); ++ ++ if (find_trace_event_call(trace_probe_group_name(tp), ++ trace_probe_name(tp))) ++ return -EEXIST; ++ + ret = register_trace_event(&call->event); + if (!ret) + return -ENODEV; +diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h +index a0ff9e200ef6..bab9e0dba9af 100644 +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -410,6 +410,7 @@ extern int traceprobe_define_arg_fields(struct trace_event_call *event_call, + C(NO_EVENT_NAME, "Event name is not specified"), \ + C(EVENT_TOO_LONG, "Event name is too long"), \ + C(BAD_EVENT_NAME, "Event name must follow the same rules as C identifiers"), \ ++ C(EVENT_EXIST, "Given group/event name is already used by another event"), \ + C(RETVAL_ON_PROBE, "$retval is not available on probe"), \ + C(BAD_STACK_NUM, "Invalid stack number"), \ + C(BAD_ARG_NUM, "Invalid argument number"), \ +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 5294843de6ef..b515db036bec 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -514,7 +514,11 @@ static int register_trace_uprobe(struct trace_uprobe *tu) + + ret = register_uprobe_event(tu); + if (ret) { +- pr_warn("Failed to register probe event(%d)\n", ret); ++ if (ret == -EEXIST) { ++ trace_probe_log_set_index(0); ++ trace_probe_log_err(0, EVENT_EXIST); ++ } else ++ pr_warn("Failed to register probe event(%d)\n", ret); + goto end; + } + +-- +2.30.2 + -- 2.47.3