From a73e88160a3dbb0509f25cbe6cf5726839a6a604 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 10 Nov 2020 10:06:07 -0500 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...due-to-unadvanced-marshalling-pointe.patch | 43 +++ ...-undefined-shift-in-snd_hdac_ext_bus.patch | 37 +++ ...335-set-digital-gain-range-correctly.patch | 39 +++ ...t5663_max98927-fix-kabylake_ssp_fixu.patch | 155 +++++++++ ...chedule-when-cloning-lots-of-extents.patch | 98 ++++++ ...t-devices-outside-of-the-chunk_mutex.patch | 192 +++++++++++ ...s-output-proper-root-owner-for-trace.patch | 124 +++++++ ...cho_skb-fix-echo-skb-generation-alwa.patch | 99 ++++++ ...t_echo_skb-fix-real-payload-length-r.patch | 49 +++ ...echo_skb-prevent-call-to-kfree_skb-i.patch | 67 ++++ ...can_remove-disable-wakeup-completely.patch | 49 +++ ...ve-flexcan_quirk_disable_mecr-quirk-.patch | 40 +++ ...sk_bind-return-failure-if-netdev-is-.patch | 58 ++++ ...wap-addr-and-pgn-in-the-send-example.patch | 38 +++ ...ucan_handle_can_rx-fix-echo-manageme.patch | 65 ++++ ...-range-checking-in-decode-operations.patch | 129 ++++++++ ...k_usb_get_ts_time-fix-timestamp-wrap.patch | 96 ++++++ ...on-t-call-kfree_skb-from-irq-context.patch | 98 ++++++ ...ecc_probe-add-missed-clk_disable_unp.patch | 60 ++++ ...andle-failure-cases-of-pm_runtime_ge.patch | 63 ++++ ...-discard-limits-for-raid1-and-raid10.patch | 58 ++++ ...sh-coherency-domains-on-first-set-do.patch | 89 ++++++ ...ic_irq_ipi-select-irq_domain_hierarc.patch | 37 +++ ...n-disable-warning-when-floor-reached.patch | 40 +++ ...-bug-for-pdp-check-in-prq_event_thre.patch | 40 +++ ...pte-mapping-on-fault-resulting-in-a-.patch | 45 +++ ...e-block-size-after-device-is-started.patch | 72 +++++ ...a-race-condition-during-allocing-spi.patch | 94 ++++++ ...update-byte-and-packet-counters-rega.patch | 71 ++++ ...les-missing-validation-from-the-abor.patch | 163 ++++++++++ ...tual-socket-sk-rather-than-skb-sk-wh.patch | 302 ++++++++++++++++++ ...re-pcie-is-reset-before-init-for-rev.patch | 59 ++++ ...-add-missing-swap-for-ino_generation.patch | 36 +++ ...egfault-when-trying-to-trace-events-.patch | 77 +++++ ...ache-fix-a-possible-debugfs-deadlock.patch | 86 +++++ queue-5.4/series | 42 +++ ...efined-behaviour-in-timespec64_to_ns.patch | 75 +++++ ...eate-binary_bios_measurements-file-f.patch | 117 +++++++ ...continue-to-process-pending-requests.patch | 76 +++++ ...reclaim-extra-trbs-after-request-com.patch | 54 ++++ ...agging-rtinherit-even-if-there-is-no.patch | 37 +++ ...f-page-on-truncate-to-avoid-post-eof.patch | 70 ++++ ...card-when-creating-a-deferred-agfl-f.patch | 55 ++++ 43 files changed, 3394 insertions(+) create mode 100644 queue-5.4/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch create mode 100644 queue-5.4/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch create mode 100644 queue-5.4/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch create mode 100644 queue-5.4/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch create mode 100644 queue-5.4/btrfs-reschedule-when-cloning-lots-of-extents.patch create mode 100644 queue-5.4/btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch create mode 100644 queue-5.4/btrfs-tracepoints-output-proper-root-owner-for-trace.patch create mode 100644 queue-5.4/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch create mode 100644 queue-5.4/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch create mode 100644 queue-5.4/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch create mode 100644 queue-5.4/can-flexcan-flexcan_remove-disable-wakeup-completely.patch create mode 100644 queue-5.4/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch create mode 100644 queue-5.4/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch create mode 100644 queue-5.4/can-j1939-swap-addr-and-pgn-in-the-send-example.patch create mode 100644 queue-5.4/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch create mode 100644 queue-5.4/can-peak_usb-add-range-checking-in-decode-operations.patch create mode 100644 queue-5.4/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch create mode 100644 queue-5.4/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch create mode 100644 queue-5.4/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch create mode 100644 queue-5.4/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch create mode 100644 queue-5.4/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch create mode 100644 queue-5.4/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch create mode 100644 queue-5.4/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch create mode 100644 queue-5.4/hv_balloon-disable-warning-when-floor-reached.patch create mode 100644 queue-5.4/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch create mode 100644 queue-5.4/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch create mode 100644 queue-5.4/nbd-don-t-update-block-size-after-device-is-started.patch create mode 100644 queue-5.4/net-xfrm-fix-a-race-condition-during-allocing-spi.patch create mode 100644 queue-5.4/netfilter-ipset-update-byte-and-packet-counters-rega.patch create mode 100644 queue-5.4/netfilter-nf_tables-missing-validation-from-the-abor.patch create mode 100644 queue-5.4/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch create mode 100644 queue-5.4/pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch create mode 100644 queue-5.4/perf-tools-add-missing-swap-for-ino_generation.patch create mode 100644 queue-5.4/perf-trace-fix-segfault-when-trying-to-trace-events-.patch create mode 100644 queue-5.4/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch create mode 100644 queue-5.4/series create mode 100644 queue-5.4/time-prevent-undefined-behaviour-in-timespec64_to_ns.patch create mode 100644 queue-5.4/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch create mode 100644 queue-5.4/usb-dwc3-gadget-continue-to-process-pending-requests.patch create mode 100644 queue-5.4/usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch create mode 100644 queue-5.4/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch create mode 100644 queue-5.4/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch create mode 100644 queue-5.4/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch diff --git a/queue-5.4/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch b/queue-5.4/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch new file mode 100644 index 00000000000..9ccd3703ab6 --- /dev/null +++ b/queue-5.4/afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch @@ -0,0 +1,43 @@ +From 6a1cdf298ca7e03f036321ffc8debb13eacdc317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 16:32:58 +0000 +Subject: afs: Fix warning due to unadvanced marshalling pointer + +From: David Howells + +[ Upstream commit c80afa1d9c3603d5eddeb8d63368823b1982f3f0 ] + +When using the afs.yfs.acl xattr to change an AuriStor ACL, a warning +can be generated when the request is marshalled because the buffer +pointer isn't increased after adding the last element, thereby +triggering the check at the end if the ACL wasn't empty. This just +causes something like the following warning, but doesn't stop the call +from happening successfully: + + kAFS: YFS.StoreOpaqueACL2: Request buffer underflow (36<108) + +Fix this simply by increasing the count prior to the check. + +Fixes: f5e4546347bc ("afs: Implement YFS ACL setting") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/yfsclient.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c +index d21cf61d86b9f..3b19b009452a2 100644 +--- a/fs/afs/yfsclient.c ++++ b/fs/afs/yfsclient.c +@@ -2162,6 +2162,7 @@ int yfs_fs_store_opaque_acl2(struct afs_fs_cursor *fc, const struct afs_acl *acl + memcpy(bp, acl->data, acl->size); + if (acl->size != size) + memset((void *)bp + acl->size, 0, size - acl->size); ++ bp += size / sizeof(__be32); + yfs_check_req(call, bp); + + trace_afs_make_fs_call(call, &vnode->fid); +-- +2.27.0 + diff --git a/queue-5.4/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch b/queue-5.4/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch new file mode 100644 index 00000000000..100407b9cfe --- /dev/null +++ b/queue-5.4/alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch @@ -0,0 +1,37 @@ +From 8d908395c4e841f09230599e2946d9e5ab668c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 13:18:07 +0300 +Subject: ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() + +From: Dan Carpenter + +[ Upstream commit 158e1886b6262c1d1c96a18c85fac5219b8bf804 ] + +This is harmless, but the "addr" comes from the user and it could lead +to a negative shift or to shift wrapping if it's too high. + +Fixes: 0b00a5615dc4 ("ALSA: hdac_ext: add hdac extended controller") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20201103101807.GC1127762@mwanda +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/ext/hdac_ext_controller.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c +index 09ff209df4a30..c87187f635733 100644 +--- a/sound/hda/ext/hdac_ext_controller.c ++++ b/sound/hda/ext/hdac_ext_controller.c +@@ -148,6 +148,8 @@ struct hdac_ext_link *snd_hdac_ext_bus_get_link(struct hdac_bus *bus, + return NULL; + if (bus->idx != bus_idx) + return NULL; ++ if (addr < 0 || addr > 31) ++ return NULL; + + list_for_each_entry(hlink, &bus->hlink_list, list) { + for (i = 0; i < HDA_MAX_CODECS; i++) { +-- +2.27.0 + diff --git a/queue-5.4/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch b/queue-5.4/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch new file mode 100644 index 00000000000..4c8ea235327 --- /dev/null +++ b/queue-5.4/asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch @@ -0,0 +1,39 @@ +From 9d17cc8dd6ef8128d7bbe2986a11d4bfd00eba10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:43:40 +0000 +Subject: ASoC: codecs: wcd9335: Set digital gain range correctly + +From: Srinivas Kandagatla + +[ Upstream commit 6d6bc54ab4f2404d46078abc04bf4dee4db01def ] + +digital gain range is -84dB min to 40dB max, however this was not +correctly specified in the range. + +Fix this by with correct range! + +Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20201028154340.17090-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd9335.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index f318403133e96..81906c25e4a87 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -618,7 +618,7 @@ static const char * const sb_tx8_mux_text[] = { + "ZERO", "RX_MIX_TX8", "DEC8", "DEC8_192" + }; + +-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0); ++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); + static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1); + static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1); + static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0); +-- +2.27.0 + diff --git a/queue-5.4/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch b/queue-5.4/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch new file mode 100644 index 00000000000..9007e8be1b1 --- /dev/null +++ b/queue-5.4/asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch @@ -0,0 +1,155 @@ +From 60de5283b79e12af7c8f072af34f14ee2aa08ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 14:16:24 +0000 +Subject: ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Figa + +[ Upstream commit 9fe9efd6924c9a62ebb759025bb8927e398f51f7 ] + +This is a copy of commit 5c5f1baee85a ("ASoC: Intel: +kbl_rt5663_rt5514_max98927: Fix kabylake_ssp_fixup function") applied to +the kbl_rt5663_max98927 board file. + +Original explanation of the change: + +kabylake_ssp_fixup function uses snd_soc_dpcm to identify the +codecs DAIs. The HW parameters are changed based on the codec DAI of the +stream. The earlier approach to get snd_soc_dpcm was using container_of() +macro on snd_pcm_hw_params. + +The structures have been modified over time and snd_soc_dpcm does not have +snd_pcm_hw_params as a reference but as a copy. This causes the current +driver to crash when used. + +This patch changes the way snd_soc_dpcm is extracted. snd_soc_pcm_runtime +holds 2 dpcm instances (one for playback and one for capture). 2 codecs +on the SSP are dmic (capture) and speakers (playback). Based on the +stream direction, snd_soc_dpcm is extracted from snd_soc_pcm_runtime. + +Fixes a boot crash on a HP Chromebook x2: + +[ 16.582225] BUG: kernel NULL pointer dereference, address: 0000000000000050 +[ 16.582231] #PF: supervisor read access in kernel mode +[ 16.582233] #PF: error_code(0x0000) - not-present page +[ 16.582234] PGD 0 P4D 0 +[ 16.582238] Oops: 0000 [#1] PREEMPT SMP PTI +[ 16.582241] CPU: 0 PID: 1980 Comm: cras Tainted: G C 5.4.58 #1 +[ 16.582243] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.75.0 08/30/2018 +[ 16.582247] RIP: 0010:kabylake_ssp_fixup+0x19/0xbb [snd_soc_kbl_rt5663_max98927] +[ 16.582250] Code: c6 6f c5 80 c0 44 89 f2 31 c0 e8 3e c9 4c d6 eb de 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 48 8b 46 c8 48 8b 4e d0 <48> 8b 49 10 4c 8b 78 10 4c 8b 31 4c 89 f7 48 c7 c6 4b c2 80 c0 e8 +[ 16.582252] RSP: 0000:ffffaf7e81e0b958 EFLAGS: 00010282 +[ 16.582254] RAX: ffffffff96f13e0d RBX: ffffaf7e81e0ba00 RCX: 0000000000000040 +[ 16.582256] RDX: ffffaf7e81e0ba00 RSI: ffffaf7e81e0ba00 RDI: ffffa3b208558028 +[ 16.582258] RBP: ffffaf7e81e0b970 R08: ffffa3b203b54160 R09: ffffaf7e81e0ba00 +[ 16.582259] R10: 0000000000000000 R11: ffffffffc080b345 R12: ffffa3b209fb6e00 +[ 16.582261] R13: ffffa3b1b1a47838 R14: ffffa3b1e6197f28 R15: ffffaf7e81e0ba00 +[ 16.582263] FS: 00007eb3f25aaf80(0000) GS:ffffa3b236a00000(0000) knlGS:0000000000000000 +[ 16.582265] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.582267] CR2: 0000000000000050 CR3: 0000000246bc8006 CR4: 00000000003606f0 +[ 16.582269] Call Trace: +[ 16.582275] snd_soc_link_be_hw_params_fixup+0x21/0x68 +[ 16.582278] snd_soc_dai_hw_params+0x25/0x94 +[ 16.582282] soc_pcm_hw_params+0x2d8/0x583 +[ 16.582288] dpcm_be_dai_hw_params+0x172/0x29e +[ 16.582291] dpcm_fe_dai_hw_params+0x9f/0x12f +[ 16.582295] snd_pcm_hw_params+0x137/0x41c +[ 16.582298] snd_pcm_hw_params_user+0x3c/0x71 +[ 16.582301] snd_pcm_common_ioctl+0x2c6/0x565 +[ 16.582304] snd_pcm_ioctl+0x32/0x36 +[ 16.582307] do_vfs_ioctl+0x506/0x783 +[ 16.582311] ksys_ioctl+0x58/0x83 +[ 16.582313] __x64_sys_ioctl+0x1a/0x1e +[ 16.582316] do_syscall_64+0x54/0x7e +[ 16.582319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 16.582322] RIP: 0033:0x7eb3f1886157 +[ 16.582324] Code: 8a 66 90 48 8b 05 11 dd 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 dc 2b 00 f7 d8 64 89 01 48 +[ 16.582326] RSP: 002b:00007ffff7559818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 16.582329] RAX: ffffffffffffffda RBX: 00005acc9188b140 RCX: 00007eb3f1886157 +[ 16.582330] RDX: 00007ffff7559940 RSI: 00000000c2604111 RDI: 000000000000001e +[ 16.582332] RBP: 00007ffff7559840 R08: 0000000000000004 R09: 0000000000000000 +[ 16.582333] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bb80 +[ 16.582335] R13: 00005acc91702e80 R14: 00007ffff7559940 R15: 00005acc91702e80 +[ 16.582337] Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg uinput hid_google_hammer snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core ipu3_cio2 ipu3_imgu(C) videobuf2_v4l2 videobuf2_common videobuf2_dma_sg videobuf2_memops snd_soc_rt5663 snd_soc_max98927 snd_soc_rl6231 ov5670 ov13858 acpi_als v4l2_fwnode dw9714 fuse xt_MASQUERADE iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core cros_ec_sensors_ring industrialio_triggered_buffer kfifo_buf industrialio cros_ec_sensorhub cdc_ether usbnet btusb btrtl btintel btbcm bluetooth ecdh_generic ecc lzo_rle lzo_compress iwlmvm zram iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev +[ 16.584243] gsmi: Log Shutdown Reason 0x03 +[ 16.584246] CR2: 0000000000000050 +[ 16.584248] ---[ end trace c8511d090c11edff ]--- + +Suggested-by: Łukasz Majczak +Fixes: 2e5894d73789e ("ASoC: pcm: Add support for DAI multicodec") +Signed-off-by: Tomasz Figa +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20201014141624.4143453-1-tfiga@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/kbl_rt5663_max98927.c | 39 ++++++++++++++++---- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c +index 7cefda341fbf8..a540a2dad80c3 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c +@@ -401,17 +401,40 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd, + struct snd_interval *channels = hw_param_interval(params, + SNDRV_PCM_HW_PARAM_CHANNELS); + struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); +- struct snd_soc_dpcm *dpcm = container_of( +- params, struct snd_soc_dpcm, hw_params); +- struct snd_soc_dai_link *fe_dai_link = dpcm->fe->dai_link; +- struct snd_soc_dai_link *be_dai_link = dpcm->be->dai_link; ++ struct snd_soc_dpcm *dpcm, *rtd_dpcm = NULL; ++ ++ /* ++ * The following loop will be called only for playback stream ++ * In this platform, there is only one playback device on every SSP ++ */ ++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_PLAYBACK, dpcm) { ++ rtd_dpcm = dpcm; ++ break; ++ } ++ ++ /* ++ * This following loop will be called only for capture stream ++ * In this platform, there is only one capture device on every SSP ++ */ ++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_CAPTURE, dpcm) { ++ rtd_dpcm = dpcm; ++ break; ++ } ++ ++ if (!rtd_dpcm) ++ return -EINVAL; ++ ++ /* ++ * The above 2 loops are mutually exclusive based on the stream direction, ++ * thus rtd_dpcm variable will never be overwritten ++ */ + + /* + * The ADSP will convert the FE rate to 48k, stereo, 24 bit + */ +- if (!strcmp(fe_dai_link->name, "Kbl Audio Port") || +- !strcmp(fe_dai_link->name, "Kbl Audio Headset Playback") || +- !strcmp(fe_dai_link->name, "Kbl Audio Capture Port")) { ++ if (!strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Port") || ++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Headset Playback") || ++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Capture Port")) { + rate->min = rate->max = 48000; + channels->min = channels->max = 2; + snd_mask_none(fmt); +@@ -421,7 +444,7 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd, + * The speaker on the SSP0 supports S16_LE and not S24_LE. + * thus changing the mask here + */ +- if (!strcmp(be_dai_link->name, "SSP0-Codec")) ++ if (!strcmp(rtd_dpcm->be->dai_link->name, "SSP0-Codec")) + snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE); + + return 0; +-- +2.27.0 + diff --git a/queue-5.4/btrfs-reschedule-when-cloning-lots-of-extents.patch b/queue-5.4/btrfs-reschedule-when-cloning-lots-of-extents.patch new file mode 100644 index 00000000000..69db20bc6da --- /dev/null +++ b/queue-5.4/btrfs-reschedule-when-cloning-lots-of-extents.patch @@ -0,0 +1,98 @@ +From a534dd68c9f8de231e6a25033d47c91ca524038a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 17:27:29 +0900 +Subject: btrfs: reschedule when cloning lots of extents + +From: Johannes Thumshirn + +[ Upstream commit 6b613cc97f0ace77f92f7bc112b8f6ad3f52baf8 ] + +We have several occurrences of a soft lockup from fstest's generic/175 +testcase, which look more or less like this one: + + watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [xfs_io:10030] + Kernel panic - not syncing: softlockup: hung tasks + CPU: 0 PID: 10030 Comm: xfs_io Tainted: G L 5.9.0-rc5+ #768 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014 + Call Trace: + + dump_stack+0x77/0xa0 + panic+0xfa/0x2cb + watchdog_timer_fn.cold+0x85/0xa5 + ? lockup_detector_update_enable+0x50/0x50 + __hrtimer_run_queues+0x99/0x4c0 + ? recalibrate_cpu_khz+0x10/0x10 + hrtimer_run_queues+0x9f/0xb0 + update_process_times+0x28/0x80 + tick_handle_periodic+0x1b/0x60 + __sysvec_apic_timer_interrupt+0x76/0x210 + asm_call_on_stack+0x12/0x20 + + sysvec_apic_timer_interrupt+0x7f/0x90 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + RIP: 0010:btrfs_tree_unlock+0x91/0x1a0 [btrfs] + RSP: 0018:ffffc90007123a58 EFLAGS: 00000282 + RAX: ffff8881cea2fbe0 RBX: ffff8881cea2fbe0 RCX: 0000000000000000 + RDX: ffff8881d23fd200 RSI: ffffffff82045220 RDI: ffff8881cea2fba0 + RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000032 + R10: 0000160000000000 R11: 0000000000001000 R12: 0000000000001000 + R13: ffff8882357fd5b0 R14: ffff88816fa76e70 R15: ffff8881cea2fad0 + ? btrfs_tree_unlock+0x15b/0x1a0 [btrfs] + btrfs_release_path+0x67/0x80 [btrfs] + btrfs_insert_replace_extent+0x177/0x2c0 [btrfs] + btrfs_replace_file_extents+0x472/0x7c0 [btrfs] + btrfs_clone+0x9ba/0xbd0 [btrfs] + btrfs_clone_files.isra.0+0xeb/0x140 [btrfs] + ? file_update_time+0xcd/0x120 + btrfs_remap_file_range+0x322/0x3b0 [btrfs] + do_clone_file_range+0xb7/0x1e0 + vfs_clone_file_range+0x30/0xa0 + ioctl_file_clone+0x8a/0xc0 + do_vfs_ioctl+0x5b2/0x6f0 + __x64_sys_ioctl+0x37/0xa0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f87977fc247 + RSP: 002b:00007ffd51a2f6d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f87977fc247 + RDX: 00007ffd51a2f710 RSI: 000000004020940d RDI: 0000000000000003 + RBP: 0000000000000004 R08: 00007ffd51a79080 R09: 0000000000000000 + R10: 00005621f11352f2 R11: 0000000000000206 R12: 0000000000000000 + R13: 0000000000000000 R14: 00005621f128b958 R15: 0000000080000000 + Kernel Offset: disabled + ---[ end Kernel panic - not syncing: softlockup: hung tasks ]--- + +All of these lockup reports have the call chain btrfs_clone_files() -> +btrfs_clone() in common. btrfs_clone_files() calls btrfs_clone() with +both source and destination extents locked and loops over the source +extent to create the clones. + +Conditionally reschedule in the btrfs_clone() loop, to give some time back +to other processes. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 63394b450afcc..3fd6c9aed7191 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3752,6 +3752,8 @@ process_slot: + ret = -EINTR; + goto out; + } ++ ++ cond_resched(); + } + ret = 0; + +-- +2.27.0 + diff --git a/queue-5.4/btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch b/queue-5.4/btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch new file mode 100644 index 00000000000..3c9abeb4dce --- /dev/null +++ b/queue-5.4/btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch @@ -0,0 +1,192 @@ +From cf7e4ad88d8cb110a445e430d5f97eff65a368fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 08:09:01 -0400 +Subject: btrfs: sysfs: init devices outside of the chunk_mutex + +From: Josef Bacik + +[ Upstream commit ca10845a56856fff4de3804c85e6424d0f6d0cde ] + +While running btrfs/061, btrfs/073, btrfs/078, or btrfs/178 we hit the +following lockdep splat: + + ====================================================== + WARNING: possible circular locking dependency detected + 5.9.0-rc3+ #4 Not tainted + ------------------------------------------------------ + kswapd0/100 is trying to acquire lock: + ffff96ecc22ef4a0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x330 + + but task is already holding lock: + ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #3 (fs_reclaim){+.+.}-{0:0}: + fs_reclaim_acquire+0x65/0x80 + slab_pre_alloc_hook.constprop.0+0x20/0x200 + kmem_cache_alloc+0x37/0x270 + alloc_inode+0x82/0xb0 + iget_locked+0x10d/0x2c0 + kernfs_get_inode+0x1b/0x130 + kernfs_get_tree+0x136/0x240 + sysfs_get_tree+0x16/0x40 + vfs_get_tree+0x28/0xc0 + path_mount+0x434/0xc00 + __x64_sys_mount+0xe3/0x120 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #2 (kernfs_mutex){+.+.}-{3:3}: + __mutex_lock+0x7e/0x7e0 + kernfs_add_one+0x23/0x150 + kernfs_create_link+0x63/0xa0 + sysfs_do_create_link_sd+0x5e/0xd0 + btrfs_sysfs_add_devices_dir+0x81/0x130 + btrfs_init_new_device+0x67f/0x1250 + btrfs_ioctl+0x1ef/0x2e20 + __x64_sys_ioctl+0x83/0xb0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}: + __mutex_lock+0x7e/0x7e0 + btrfs_chunk_alloc+0x125/0x3a0 + find_free_extent+0xdf6/0x1210 + btrfs_reserve_extent+0xb3/0x1b0 + btrfs_alloc_tree_block+0xb0/0x310 + alloc_tree_block_no_bg_flush+0x4a/0x60 + __btrfs_cow_block+0x11a/0x530 + btrfs_cow_block+0x104/0x220 + btrfs_search_slot+0x52e/0x9d0 + btrfs_insert_empty_items+0x64/0xb0 + btrfs_insert_delayed_items+0x90/0x4f0 + btrfs_commit_inode_delayed_items+0x93/0x140 + btrfs_log_inode+0x5de/0x2020 + btrfs_log_inode_parent+0x429/0xc90 + btrfs_log_new_name+0x95/0x9b + btrfs_rename2+0xbb9/0x1800 + vfs_rename+0x64f/0x9f0 + do_renameat2+0x320/0x4e0 + __x64_sys_rename+0x1f/0x30 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #0 (&delayed_node->mutex){+.+.}-{3:3}: + __lock_acquire+0x119c/0x1fc0 + lock_acquire+0xa7/0x3d0 + __mutex_lock+0x7e/0x7e0 + __btrfs_release_delayed_node.part.0+0x3f/0x330 + btrfs_evict_inode+0x24c/0x500 + evict+0xcf/0x1f0 + dispose_list+0x48/0x70 + prune_icache_sb+0x44/0x50 + super_cache_scan+0x161/0x1e0 + do_shrink_slab+0x178/0x3c0 + shrink_slab+0x17c/0x290 + shrink_node+0x2b2/0x6d0 + balance_pgdat+0x30a/0x670 + kswapd+0x213/0x4c0 + kthread+0x138/0x160 + ret_from_fork+0x1f/0x30 + + other info that might help us debug this: + + Chain exists of: + &delayed_node->mutex --> kernfs_mutex --> fs_reclaim + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(fs_reclaim); + lock(kernfs_mutex); + lock(fs_reclaim); + lock(&delayed_node->mutex); + + *** DEADLOCK *** + + 3 locks held by kswapd0/100: + #0: ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + #1: ffffffff8dd65c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x115/0x290 + #2: ffff96ed2ade30e0 (&type->s_umount_key#36){++++}-{3:3}, at: super_cache_scan+0x38/0x1e0 + + stack backtrace: + CPU: 0 PID: 100 Comm: kswapd0 Not tainted 5.9.0-rc3+ #4 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + Call Trace: + dump_stack+0x8b/0xb8 + check_noncircular+0x12d/0x150 + __lock_acquire+0x119c/0x1fc0 + lock_acquire+0xa7/0x3d0 + ? __btrfs_release_delayed_node.part.0+0x3f/0x330 + __mutex_lock+0x7e/0x7e0 + ? __btrfs_release_delayed_node.part.0+0x3f/0x330 + ? __btrfs_release_delayed_node.part.0+0x3f/0x330 + ? lock_acquire+0xa7/0x3d0 + ? find_held_lock+0x2b/0x80 + __btrfs_release_delayed_node.part.0+0x3f/0x330 + btrfs_evict_inode+0x24c/0x500 + evict+0xcf/0x1f0 + dispose_list+0x48/0x70 + prune_icache_sb+0x44/0x50 + super_cache_scan+0x161/0x1e0 + do_shrink_slab+0x178/0x3c0 + shrink_slab+0x17c/0x290 + shrink_node+0x2b2/0x6d0 + balance_pgdat+0x30a/0x670 + kswapd+0x213/0x4c0 + ? _raw_spin_unlock_irqrestore+0x41/0x50 + ? add_wait_queue_exclusive+0x70/0x70 + ? balance_pgdat+0x670/0x670 + kthread+0x138/0x160 + ? kthread_create_worker_on_cpu+0x40/0x40 + ret_from_fork+0x1f/0x30 + +This happens because we are holding the chunk_mutex at the time of +adding in a new device. However we only need to hold the +device_list_mutex, as we're going to iterate over the fs_devices +devices. Move the sysfs init stuff outside of the chunk_mutex to get +rid of this lockdep splat. + +CC: stable@vger.kernel.org # 4.4.x: f3cd2c58110dad14e: btrfs: sysfs, rename device_link add/remove functions +CC: stable@vger.kernel.org # 4.4.x +Reported-by: David Sterba +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 58910a0a3e4a4..00e7816dc9a1e 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -2728,9 +2728,6 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path + btrfs_set_super_num_devices(fs_info->super_copy, + orig_super_num_devices + 1); + +- /* add sysfs device entry */ +- btrfs_sysfs_add_device_link(fs_devices, device); +- + /* + * we've got more storage, clear any full flags on the space + * infos +@@ -2738,6 +2735,10 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path + btrfs_clear_space_info_full(fs_info); + + mutex_unlock(&fs_info->chunk_mutex); ++ ++ /* Add sysfs device entry */ ++ btrfs_sysfs_add_device_link(fs_devices, device); ++ + mutex_unlock(&fs_devices->device_list_mutex); + + if (seeding_dev) { +-- +2.27.0 + diff --git a/queue-5.4/btrfs-tracepoints-output-proper-root-owner-for-trace.patch b/queue-5.4/btrfs-tracepoints-output-proper-root-owner-for-trace.patch new file mode 100644 index 00000000000..a555890c3ff --- /dev/null +++ b/queue-5.4/btrfs-tracepoints-output-proper-root-owner-for-trace.patch @@ -0,0 +1,124 @@ +From 8774930cf30f217de1e57c6f2aff373ef5af9f55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 09:42:49 +0800 +Subject: btrfs: tracepoints: output proper root owner for + trace_find_free_extent() + +From: Qu Wenruo + +The current trace event always output result like this: + + find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA) + find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA) + find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA) + find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA) + find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA) + find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA) + +T's saying we're allocating data extent for EXTENT tree, which is not +even possible. + +It's because we always use EXTENT tree as the owner for +trace_find_free_extent() without using the @root from +btrfs_reserve_extent(). + +This patch will change the parameter to use proper @root for +trace_find_free_extent(): + +Now it looks much better: + + find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP) + find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA) + find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=1(DATA) + find_free_extent: root=5(FS_TREE) len=4096 empty_size=0 flags=1(DATA) + find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA) + find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP) + find_free_extent: root=7(CSUM_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP) + find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP) + find_free_extent: root=1(ROOT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP) + +Reported-by: Hans van Kranenburg +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +--- + fs/btrfs/extent-tree.c | 7 ++++--- + include/trace/events/btrfs.h | 10 ++++++---- + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 388449101705e..c6d9e8c07c236 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3800,11 +3800,12 @@ static int find_free_extent_update_loop(struct btrfs_fs_info *fs_info, + * |- Push harder to find free extents + * |- If not found, re-iterate all block groups + */ +-static noinline int find_free_extent(struct btrfs_fs_info *fs_info, ++static noinline int find_free_extent(struct btrfs_root *root, + u64 ram_bytes, u64 num_bytes, u64 empty_size, + u64 hint_byte, struct btrfs_key *ins, + u64 flags, int delalloc) + { ++ struct btrfs_fs_info *fs_info = root->fs_info; + int ret = 0; + int cache_block_group_error = 0; + struct btrfs_free_cluster *last_ptr = NULL; +@@ -3833,7 +3834,7 @@ static noinline int find_free_extent(struct btrfs_fs_info *fs_info, + ins->objectid = 0; + ins->offset = 0; + +- trace_find_free_extent(fs_info, num_bytes, empty_size, flags); ++ trace_find_free_extent(root, num_bytes, empty_size, flags); + + space_info = btrfs_find_space_info(fs_info, flags); + if (!space_info) { +@@ -4141,7 +4142,7 @@ int btrfs_reserve_extent(struct btrfs_root *root, u64 ram_bytes, + flags = get_alloc_profile_by_root(root, is_data); + again: + WARN_ON(num_bytes < fs_info->sectorsize); +- ret = find_free_extent(fs_info, ram_bytes, num_bytes, empty_size, ++ ret = find_free_extent(root, ram_bytes, num_bytes, empty_size, + hint_byte, ins, flags, delalloc); + if (!ret && !is_data) { + btrfs_dec_block_group_reservations(fs_info, ins->objectid); +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index 75ae1899452b9..94a3adb65b8af 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -1159,25 +1159,27 @@ DEFINE_EVENT(btrfs__reserved_extent, btrfs_reserved_extent_free, + + TRACE_EVENT(find_free_extent, + +- TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, ++ TP_PROTO(const struct btrfs_root *root, u64 num_bytes, + u64 empty_size, u64 data), + +- TP_ARGS(fs_info, num_bytes, empty_size, data), ++ TP_ARGS(root, num_bytes, empty_size, data), + + TP_STRUCT__entry_btrfs( ++ __field( u64, root_objectid ) + __field( u64, num_bytes ) + __field( u64, empty_size ) + __field( u64, data ) + ), + +- TP_fast_assign_btrfs(fs_info, ++ TP_fast_assign_btrfs(root->fs_info, ++ __entry->root_objectid = root->root_key.objectid; + __entry->num_bytes = num_bytes; + __entry->empty_size = empty_size; + __entry->data = data; + ), + + TP_printk_btrfs("root=%llu(%s) len=%llu empty_size=%llu flags=%llu(%s)", +- show_root_type(BTRFS_EXTENT_TREE_OBJECTID), ++ show_root_type(__entry->root_objectid), + __entry->num_bytes, __entry->empty_size, __entry->data, + __print_flags((unsigned long)__entry->data, "|", + BTRFS_GROUP_FLAGS)) +-- +2.27.0 + diff --git a/queue-5.4/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch b/queue-5.4/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch new file mode 100644 index 00000000000..11b5623e244 --- /dev/null +++ b/queue-5.4/can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch @@ -0,0 +1,99 @@ +From 83e11e8e47d80c66831394f786167de7a55a54f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 09:39:02 +0100 +Subject: can: can_create_echo_skb(): fix echo skb generation: always use + skb_clone() + +From: Oleksij Rempel + +[ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ] + +All user space generated SKBs are owned by a socket (unless injected into the +key via AF_PACKET). If a socket is closed, all associated skbs will be cleaned +up. + +This leads to a problem when a CAN driver calls can_put_echo_skb() on a +unshared SKB. If the socket is closed prior to the TX complete handler, +can_get_echo_skb() and the subsequent delivering of the echo SKB to all +registered callbacks, a SKB with a refcount of 0 is delivered. + +To avoid the problem, in can_get_echo_skb() the original SKB is now always +cloned, regardless of shared SKB or not. If the process exists it can now +safely discard its SKBs, without disturbing the delivery of the echo SKB. + +The problem shows up in the j1939 stack, when it clones the incoming skb, which +detects the already 0 refcount. + +We can easily reproduce this with following example: + +testj1939 -B -r can0: & +cansend can0 1823ff40#0123 + +WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174 +refcount_t: addition on 0; use-after-free. +Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan +CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Backtrace: +[] (dump_backtrace) from [] (show_stack+0x20/0x24) +[] (show_stack) from [] (dump_stack+0x8c/0xa0) +[] (dump_stack) from [] (__warn+0xe0/0x108) +[] (__warn) from [] (warn_slowpath_fmt+0xa8/0xcc) +[] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x108/0x174) +[] (refcount_warn_saturate) from [] (j1939_can_recv+0x20c/0x210) +[] (j1939_can_recv) from [] (can_rcv_filter+0xb4/0x268) +[] (can_rcv_filter) from [] (can_receive+0xb0/0xe4) +[] (can_receive) from [] (can_rcv+0x48/0x98) +[] (can_rcv) from [] (__netif_receive_skb_one_core+0x64/0x88) +[] (__netif_receive_skb_one_core) from [] (__netif_receive_skb+0x38/0x94) +[] (__netif_receive_skb) from [] (netif_receive_skb_internal+0x64/0xf8) +[] (netif_receive_skb_internal) from [] (netif_receive_skb+0x34/0x19c) +[] (netif_receive_skb) from [] (can_rx_offload_napi_poll+0x58/0xb4) + +Fixes: 0ae89beb283a ("can: add destructor for self generated skbs") +Signed-off-by: Oleksij Rempel +Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + include/linux/can/skb.h | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h +index a954def26c0dd..0783b0c6d9e2f 100644 +--- a/include/linux/can/skb.h ++++ b/include/linux/can/skb.h +@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk) + */ + static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb) + { +- if (skb_shared(skb)) { +- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); ++ struct sk_buff *nskb; + +- if (likely(nskb)) { +- can_skb_set_owner(nskb, skb->sk); +- consume_skb(skb); +- return nskb; +- } else { +- kfree_skb(skb); +- return NULL; +- } ++ nskb = skb_clone(skb, GFP_ATOMIC); ++ if (unlikely(!nskb)) { ++ kfree_skb(skb); ++ return NULL; + } + +- /* we can assume to have an unshared skb with proper owner */ +- return skb; ++ can_skb_set_owner(nskb, skb->sk); ++ consume_skb(skb); ++ return nskb; + } + + #endif /* !_CAN_SKB_H */ +-- +2.27.0 + diff --git a/queue-5.4/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch b/queue-5.4/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch new file mode 100644 index 00000000000..7fad56a55e1 --- /dev/null +++ b/queue-5.4/can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch @@ -0,0 +1,49 @@ +From 8c26159ce080a722710d017eb64ca79484173be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 08:44:43 +0200 +Subject: can: dev: __can_get_echo_skb(): fix real payload length return value + for RTR frames + +From: Oliver Hartkopp + +[ Upstream commit ed3320cec279407a86bc4c72edc4a39eb49165ec ] + +The can_get_echo_skb() function returns the number of received bytes to +be used for netdev statistics. In the case of RTR frames we get a valid +(potential non-zero) data length value which has to be passed for further +operations. But on the wire RTR frames have no payload length. Therefore +the value to be used in the statistics has to be zero for RTR frames. + +Reported-by: Vincent Mailhol +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/r/20201020064443.80164-1-socketcan@hartkopp.net +Fixes: cf5046b309b3 ("can: dev: let can_get_echo_skb() return dlc of CAN frame") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index de3c589b1ae0e..448d1548cca39 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -486,9 +486,13 @@ __can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + */ + struct sk_buff *skb = priv->echo_skb[idx]; + struct canfd_frame *cf = (struct canfd_frame *)skb->data; +- u8 len = cf->len; + +- *len_ptr = len; ++ /* get the real payload length for netdev statistics */ ++ if (cf->can_id & CAN_RTR_FLAG) ++ *len_ptr = 0; ++ else ++ *len_ptr = cf->len; ++ + priv->echo_skb[idx] = NULL; + + return skb; +-- +2.27.0 + diff --git a/queue-5.4/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch b/queue-5.4/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch new file mode 100644 index 00000000000..f067f267216 --- /dev/null +++ b/queue-5.4/can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch @@ -0,0 +1,67 @@ +From 075eb6332098d6a8b0d01af1ae5a99487b8b71ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 00:41:45 +0900 +Subject: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ + context + +From: Vincent Mailhol + +[ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ] + +If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but +not always, the case), the 'WARN_ON(in_irq)' in +net/core/skbuff.c#skb_release_head_state() might be triggered, under network +congestion circumstances, together with the potential risk of a NULL pointer +dereference. + +The root cause of this issue is the call to kfree_skb() instead of +dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). + +This patch prevents the skb to be freed within the call to netif_rx() by +incrementing its reference count with skb_get(). The skb is finally freed by +one of the in-irq-context safe functions: dev_consume_skb_any() or +dev_kfree_skb_any(). The "any" version is used because some drivers might call +can_get_echo_skb() in a normal context. + +The reason for this issue to occur is that initially, in the core network +stack, loopback skb were not supposed to be received in hardware IRQ context. +The CAN stack is an exeption. + +This bug was previously reported back in 2017 in [1] but the proposed patch +never got accepted. + +While [1] directly modifies net/core/dev.c, we try to propose here a +smoother modification local to CAN network stack (the assumption +behind is that only CAN devices are affected by this issue). + +[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com + +Signed-off-by: Vincent Mailhol +Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 3a33fb5034005..de3c589b1ae0e 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -512,7 +512,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) + if (!skb) + return 0; + +- netif_rx(skb); ++ skb_get(skb); ++ if (netif_rx(skb) == NET_RX_SUCCESS) ++ dev_consume_skb_any(skb); ++ else ++ dev_kfree_skb_any(skb); + + return len; + } +-- +2.27.0 + diff --git a/queue-5.4/can-flexcan-flexcan_remove-disable-wakeup-completely.patch b/queue-5.4/can-flexcan-flexcan_remove-disable-wakeup-completely.patch new file mode 100644 index 00000000000..f75e5d3ee0c --- /dev/null +++ b/queue-5.4/can-flexcan-flexcan_remove-disable-wakeup-completely.patch @@ -0,0 +1,49 @@ +From eba5c632e77d47a792a00a8fc29b2525d909148c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 02:45:27 +0800 +Subject: can: flexcan: flexcan_remove(): disable wakeup completely + +From: Joakim Zhang + +[ Upstream commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 ] + +With below sequence, we can see wakeup default is enabled after re-load module, +if it was enabled before, so we need disable wakeup in flexcan_remove(). + +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| disabled +| # echo enabled > /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| enabled +| # rmmod flexcan +| # modprobe flexcan +| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup +| enabled + +Fixes: de3578c198c6 ("can: flexcan: add self wakeup support") +Fixes: 915f9666421c ("can: flexcan: add support for DT property 'wakeup-source'") +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20201020184527.8190-1-qiangqing.zhang@nxp.com +[mkl: streamlined commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index fbf812cf4f5da..130f3022d3396 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1676,6 +1676,8 @@ static int flexcan_remove(struct platform_device *pdev) + { + struct net_device *dev = platform_get_drvdata(pdev); + ++ device_set_wakeup_enable(&pdev->dev, false); ++ device_set_wakeup_capable(&pdev->dev, false); + unregister_flexcandev(dev); + pm_runtime_disable(&pdev->dev); + free_candev(dev); +-- +2.27.0 + diff --git a/queue-5.4/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch b/queue-5.4/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch new file mode 100644 index 00000000000..1ff7cfcca77 --- /dev/null +++ b/queue-5.4/can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch @@ -0,0 +1,40 @@ +From b9ce406423461f726c3c05f2e09faf987a4bdb77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 23:53:55 +0800 +Subject: can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A + +From: Joakim Zhang + +[ Upstream commit 018799649071a1638c0c130526af36747df4355a ] + +After double check with Layerscape CAN owner (Pankaj Bansal), confirm that +LS1021A doesn't support ECC feature, so remove FLEXCAN_QUIRK_DISABLE_MECR +quirk. + +Fixes: 99b7668c04b27 ("can: flexcan: adding platform specific details for LS1021A") +Cc: Pankaj Bansal +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20201020155402.30318-4-qiangqing.zhang@nxp.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index d59c6c87164f4..fbf812cf4f5da 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -321,8 +321,7 @@ static const struct flexcan_devtype_data fsl_vf610_devtype_data = { + + static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = { + .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS | +- FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE | +- FLEXCAN_QUIRK_USE_OFF_TIMESTAMP, ++ FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP, + }; + + static const struct can_bittiming_const flexcan_bittiming_const = { +-- +2.27.0 + diff --git a/queue-5.4/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch b/queue-5.4/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch new file mode 100644 index 00000000000..fa49991a216 --- /dev/null +++ b/queue-5.4/can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch @@ -0,0 +1,58 @@ +From c0f3f01e29cf2a07bf7fd78c441100782c31a8be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 14:31:48 +0800 +Subject: can: j1939: j1939_sk_bind(): return failure if netdev is down + +From: Zhang Changzhong + +[ Upstream commit 08c487d8d807535f509ed80c6a10ad90e6872139 ] + +When a netdev down event occurs after a successful call to +j1939_sk_bind(), j1939_netdev_notify() can handle it correctly. + +But if the netdev already in down state before calling j1939_sk_bind(), +j1939_sk_release() will stay in wait_event_interruptible() blocked +forever. Because in this case, j1939_netdev_notify() won't be called and +j1939_tp_txtimer() won't call j1939_session_cancel() or other function +to clear session for ENETDOWN error, this lead to mismatch of +j1939_session_get/put() and jsk->skb_pending will never decrease to +zero. + +To reproduce it use following commands: +1. ip link add dev vcan0 type vcan +2. j1939acd -r 100,80-120 1122334455667788 vcan0 +3. presses ctrl-c and thread will be blocked forever + +This patch adds check for ndev->flags in j1939_sk_bind() to avoid this +kind of situation and return with -ENETDOWN. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1599460308-18770-1-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/socket.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index bf9fd6ee88fe0..0470909605392 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -475,6 +475,12 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len) + goto out_release_sock; + } + ++ if (!(ndev->flags & IFF_UP)) { ++ dev_put(ndev); ++ ret = -ENETDOWN; ++ goto out_release_sock; ++ } ++ + priv = j1939_netdev_start(ndev); + dev_put(ndev); + if (IS_ERR(priv)) { +-- +2.27.0 + diff --git a/queue-5.4/can-j1939-swap-addr-and-pgn-in-the-send-example.patch b/queue-5.4/can-j1939-swap-addr-and-pgn-in-the-send-example.patch new file mode 100644 index 00000000000..4b000c26526 --- /dev/null +++ b/queue-5.4/can-j1939-swap-addr-and-pgn-in-the-send-example.patch @@ -0,0 +1,38 @@ +From b2dd0f142b6623109f07a346632f1de8470ce607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 10:37:08 +0200 +Subject: can: j1939: swap addr and pgn in the send example + +From: Yegor Yefremov + +[ Upstream commit ea780d39b1888ed5afc243c29b23d9bdb3828c7a ] + +The address was wrongly assigned to the PGN field and vice versa. + +Signed-off-by: Yegor Yefremov +Link: https://lore.kernel.org/r/20201022083708.8755-1-yegorslists@googlemail.com +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + Documentation/networking/j1939.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/networking/j1939.rst b/Documentation/networking/j1939.rst +index f5be243d250a4..4b0db514b2010 100644 +--- a/Documentation/networking/j1939.rst ++++ b/Documentation/networking/j1939.rst +@@ -414,8 +414,8 @@ Send: + .can_family = AF_CAN, + .can_addr.j1939 = { + .name = J1939_NO_NAME; +- .pgn = 0x30, +- .addr = 0x12300, ++ .addr = 0x30, ++ .pgn = 0x12300, + }, + }; + +-- +2.27.0 + diff --git a/queue-5.4/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch b/queue-5.4/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch new file mode 100644 index 00000000000..7659aec06c5 --- /dev/null +++ b/queue-5.4/can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch @@ -0,0 +1,65 @@ +From 42385733e016a884c740e7822becee60a070ed87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 17:39:47 +0200 +Subject: can: peak_canfd: pucan_handle_can_rx(): fix echo management when + loopback is on + +From: Stephane Grosjean + +[ Upstream commit 93ef65e5a6357cc7381f85fcec9283fe29970045 ] + +Echo management is driven by PUCAN_MSG_LOOPED_BACK bit, while loopback +frames are identified with PUCAN_MSG_SELF_RECEIVE bit. Those bits are set +for each outgoing frame written to the IP core so that a copy of each one +will be placed into the rx path. Thus, + +- when PUCAN_MSG_LOOPED_BACK is set then the rx frame is an echo of a + previously sent frame, +- when PUCAN_MSG_LOOPED_BACK+PUCAN_MSG_SELF_RECEIVE are set, then the rx + frame is an echo AND a loopback frame. Therefore, this frame must be + put into the socket rx path too. + +This patch fixes how CAN frames are handled when these are sent while the +can interface is configured in "loopback on" mode. + +Signed-off-by: Stephane Grosjean +Link: https://lore.kernel.org/r/20201013153947.28012-1-s.grosjean@peak-system.com +Fixes: 8ac8321e4a79 ("can: peak: add support for PEAK PCAN-PCIe FD CAN-FD boards") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/peak_canfd/peak_canfd.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c +index 6b0c6a99fc8d6..91b156b2123a3 100644 +--- a/drivers/net/can/peak_canfd/peak_canfd.c ++++ b/drivers/net/can/peak_canfd/peak_canfd.c +@@ -248,8 +248,7 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv, + cf_len = get_can_dlc(pucan_msg_get_dlc(msg)); + + /* if this frame is an echo, */ +- if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) && +- !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) { ++ if (rx_msg_flags & PUCAN_MSG_LOOPED_BACK) { + unsigned long flags; + + spin_lock_irqsave(&priv->echo_lock, flags); +@@ -263,7 +262,13 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv, + netif_wake_queue(priv->ndev); + + spin_unlock_irqrestore(&priv->echo_lock, flags); +- return 0; ++ ++ /* if this frame is only an echo, stop here. Otherwise, ++ * continue to push this application self-received frame into ++ * its own rx queue. ++ */ ++ if (!(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) ++ return 0; + } + + /* otherwise, it should be pushed into rx fifo */ +-- +2.27.0 + diff --git a/queue-5.4/can-peak_usb-add-range-checking-in-decode-operations.patch b/queue-5.4/can-peak_usb-add-range-checking-in-decode-operations.patch new file mode 100644 index 00000000000..77a19624374 --- /dev/null +++ b/queue-5.4/can-peak_usb-add-range-checking-in-decode-operations.patch @@ -0,0 +1,129 @@ +From 8302d2990a1172bb218bd6a598050d831c161225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:06:04 +0300 +Subject: can: peak_usb: add range checking in decode operations + +From: Dan Carpenter + +[ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ] + +These values come from skb->data so Smatch considers them untrusted. I +believe Smatch is correct but I don't have a way to test this. + +The usb_if->dev[] array has 2 elements but the index is in the 0-15 +range without checks. The cfd->len can be up to 255 but the maximum +valid size is CANFD_MAX_DLEN (64) so that could lead to memory +corruption. + +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200813140604.GA456946@mwanda +Acked-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 48 +++++++++++++++++----- + 1 file changed, 37 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index 47cc1ff5b88e8..dee3e689b54da 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -468,12 +468,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_rx_msg *rm = (struct pucan_rx_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_msg_get_channel(rm)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct canfd_frame *cfd; + struct sk_buff *skb; + const u16 rx_msg_flags = le16_to_cpu(rm->flags); + ++ if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_msg_get_channel(rm)]; ++ netdev = dev->netdev; ++ + if (rx_msg_flags & PUCAN_MSG_EXT_DATA_LEN) { + /* CANFD frame case */ + skb = alloc_canfd_skb(netdev, &cfd); +@@ -519,15 +525,21 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_status_msg *sm = (struct pucan_status_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; + enum can_state new_state = CAN_STATE_ERROR_ACTIVE; + enum can_state rx_state, tx_state; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); ++ netdev = dev->netdev; ++ + /* nothing should be sent while in BUS_OFF state */ + if (dev->can.state == CAN_STATE_BUS_OFF) + return 0; +@@ -579,9 +591,14 @@ static int pcan_usb_fd_decode_error(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_error_msg *er = (struct pucan_error_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_ermsg_get_channel(er)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; ++ struct peak_usb_device *dev; ++ ++ if (pucan_ermsg_get_channel(er) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pucan_ermsg_get_channel(er)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); + + /* keep a trace of tx and rx error counters for later use */ + pdev->bec.txerr = er->tx_err_cnt; +@@ -595,11 +612,17 @@ static int pcan_usb_fd_decode_overrun(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pcan_ufd_ovr_msg *ov = (struct pcan_ufd_ovr_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pufd_omsg_get_channel(ov)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pufd_omsg_get_channel(ov) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pufd_omsg_get_channel(ov)]; ++ netdev = dev->netdev; ++ + /* allocate an skb to store the error frame */ + skb = alloc_can_err_skb(netdev, &cf); + if (!skb) +@@ -716,6 +739,9 @@ static int pcan_usb_fd_encode_msg(struct peak_usb_device *dev, + u16 tx_msg_size, tx_msg_flags; + u8 can_dlc; + ++ if (cfd->len > CANFD_MAX_DLEN) ++ return -EINVAL; ++ + tx_msg_size = ALIGN(sizeof(struct pucan_tx_msg) + cfd->len, 4); + tx_msg->size = cpu_to_le16(tx_msg_size); + tx_msg->type = cpu_to_le16(PUCAN_MSG_CAN_TX); +-- +2.27.0 + diff --git a/queue-5.4/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch b/queue-5.4/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch new file mode 100644 index 00000000000..06b4b8d939b --- /dev/null +++ b/queue-5.4/can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch @@ -0,0 +1,96 @@ +From 0da98b96d8b2cf72fe72e7602749b85ff4e8d817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 10:56:31 +0200 +Subject: can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping + +From: Stephane Grosjean + +[ Upstream commit ecc7b4187dd388549544195fb13a11b4ea8e6a84 ] + +Fabian Inostroza has discovered a potential +problem in the hardware timestamp reporting from the PCAN-USB USB CAN interface +(only), related to the fact that a timestamp of an event may precede the +timestamp used for synchronization when both records are part of the same USB +packet. However, this case was used to detect the wrapping of the time counter. + +This patch details and fixes the two identified cases where this problem can +occur. + +Reported-by: Fabian Inostroza +Signed-off-by: Stephane Grosjean +Link: https://lore.kernel.org/r/20201014085631.15128-1-s.grosjean@peak-system.com +Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 51 ++++++++++++++++++-- + 1 file changed, 46 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +index 0b7766b715fd2..c844c6abe5fcd 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -130,14 +130,55 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time) + /* protect from getting time before setting now */ + if (ktime_to_ns(time_ref->tv_host)) { + u64 delta_us; ++ s64 delta_ts = 0; ++ ++ /* General case: dev_ts_1 < dev_ts_2 < ts, with: ++ * ++ * - dev_ts_1 = previous sync timestamp ++ * - dev_ts_2 = last sync timestamp ++ * - ts = event timestamp ++ * - ts_period = known sync period (theoretical) ++ * ~ dev_ts2 - dev_ts1 ++ * *but*: ++ * ++ * - time counters wrap (see adapter->ts_used_bits) ++ * - sometimes, dev_ts_1 < ts < dev_ts2 ++ * ++ * "normal" case (sync time counters increase): ++ * must take into account case when ts wraps (tsw) ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+----+-------0-+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * ts tsw ++ */ ++ if (time_ref->ts_dev_1 < time_ref->ts_dev_2) { ++ /* case when event time (tsw) wraps */ ++ if (ts < time_ref->ts_dev_1) ++ delta_ts = 1 << time_ref->adapter->ts_used_bits; ++ ++ /* Otherwise, sync time counter (ts_dev_2) has wrapped: ++ * handle case when event time (tsn) hasn't. ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+--0-+---------+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * tsn ts ++ */ ++ } else if (time_ref->ts_dev_1 < ts) { ++ delta_ts = -(1 << time_ref->adapter->ts_used_bits); ++ } + +- delta_us = ts - time_ref->ts_dev_2; +- if (ts < time_ref->ts_dev_2) +- delta_us &= (1 << time_ref->adapter->ts_used_bits) - 1; ++ /* add delay between last sync and event timestamps */ ++ delta_ts += (signed int)(ts - time_ref->ts_dev_2); + +- delta_us += time_ref->ts_total; ++ /* add time from beginning to last sync */ ++ delta_ts += time_ref->ts_total; + +- delta_us *= time_ref->adapter->us_per_ts_scale; ++ /* convert ticks number into microseconds */ ++ delta_us = delta_ts * time_ref->adapter->us_per_ts_scale; + delta_us >>= time_ref->adapter->us_per_ts_shift; + + *time = ktime_add_us(time_ref->tv_host_0, delta_us); +-- +2.27.0 + diff --git a/queue-5.4/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch b/queue-5.4/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch new file mode 100644 index 00000000000..4d94271baa5 --- /dev/null +++ b/queue-5.4/can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch @@ -0,0 +1,98 @@ +From 5acd31695b9af7125529ba547a63b187295db049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 12:47:06 +0200 +Subject: can: rx-offload: don't call kfree_skb() from IRQ context + +From: Marc Kleine-Budde + +[ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ] + +A CAN driver, using the rx-offload infrastructure, is reading CAN frames +(usually in IRQ context) from the hardware and placing it into the rx-offload +queue to be delivered to the networking stack via NAPI. + +In case the rx-offload queue is full, trying to add more skbs results in the +skbs being dropped using kfree_skb(). If done from hard-IRQ context this +results in the following warning: + +[ 682.552693] ------------[ cut here ]------------ +[ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84 +[ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev +[ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18 +[ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +[ 682.589657] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 682.597423] [] (show_stack) from [] (dump_stack+0xe0/0x114) +[ 682.604759] [] (dump_stack) from [] (__warn+0xc0/0x10c) +[ 682.611742] [] (__warn) from [] (warn_slowpath_fmt+0x5c/0xc0) +[ 682.619248] [] (warn_slowpath_fmt) from [] (skb_release_head_state+0x74/0x84) +[ 682.628143] [] (skb_release_head_state) from [] (skb_release_all+0xc/0x24) +[ 682.636774] [] (skb_release_all) from [] (kfree_skb+0x74/0x1c8) +[ 682.644479] [] (kfree_skb) from [] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev]) +[ 682.654051] [] (can_rx_offload_queue_sorted [can_dev]) from [] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev]) +[ 682.666007] [] (can_rx_offload_get_echo_skb [can_dev]) from [] (flexcan_irq+0x194/0x5dc [flexcan]) +[ 682.676734] [] (flexcan_irq [flexcan]) from [] (__handle_irq_event_percpu+0x4c/0x3ec) +[ 682.686322] [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x2c/0x88) +[ 682.695993] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c) +[ 682.704887] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xc8/0x180) +[ 682.713432] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x30/0x44) +[ 682.722063] [] (generic_handle_irq) from [] (__handle_domain_irq+0x64/0xdc) +[ 682.730783] [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x9c) +[ 682.739158] [] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) +[ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20) +[ 682.751725] 9dc0: 00000001 e80e8000 +[ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000 +[ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff +[ 682.776315] [] (__irq_svc) from [] (lock_acquire+0x108/0x4e8) +[ 682.783821] [] (lock_acquire) from [] (down_write+0x48/0xa8) +[ 682.791242] [] (down_write) from [] (unlink_file_vma+0x24/0x40) +[ 682.798922] [] (unlink_file_vma) from [] (free_pgtables+0x34/0xb8) +[ 682.806858] [] (free_pgtables) from [] (exit_mmap+0xe4/0x170) +[ 682.814361] [] (exit_mmap) from [] (mmput+0x5c/0x110) +[ 682.821171] [] (mmput) from [] (do_exit+0x374/0xbe4) +[ 682.827892] [] (do_exit) from [] (do_group_exit+0x38/0xb4) +[ 682.835132] [] (do_group_exit) from [] (__wake_up_parent+0x0/0x14) +[ 682.843063] irq event stamp: 1936 +[ 682.846399] hardirqs last enabled at (1935): [] rmqueue+0xf4/0xc64 +[ 682.853553] hardirqs last disabled at (1936): [] __irq_svc+0x60/0x98 +[ 682.860799] softirqs last enabled at (1878): [] raw_release+0x108/0x1f0 [can_raw] +[ 682.869256] softirqs last disabled at (1876): [] release_sock+0x18/0x98 +[ 682.876753] ---[ end trace 7bca4751ce44c444 ]--- + +This patch fixes the problem by replacing the kfree_skb() by +dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers +as well. + +Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak") +Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak") +Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/rx-offload.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c +index 84cae167e42f6..7e75a87a8a6a9 100644 +--- a/drivers/net/can/rx-offload.c ++++ b/drivers/net/can/rx-offload.c +@@ -272,7 +272,7 @@ int can_rx_offload_queue_sorted(struct can_rx_offload *offload, + + if (skb_queue_len(&offload->skb_queue) > + offload->skb_queue_len_max) { +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return -ENOBUFS; + } + +@@ -317,7 +317,7 @@ int can_rx_offload_queue_tail(struct can_rx_offload *offload, + { + if (skb_queue_len(&offload->skb_queue) > + offload->skb_queue_len_max) { +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return -ENOBUFS; + } + +-- +2.27.0 + diff --git a/queue-5.4/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch b/queue-5.4/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch new file mode 100644 index 00000000000..92bacf56c98 --- /dev/null +++ b/queue-5.4/can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch @@ -0,0 +1,60 @@ +From 0ccab5e0d9b824e2df387c27a3be9178d23a19d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 16:04:39 +0800 +Subject: can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in + error path + +From: Zhang Changzhong + +[ Upstream commit e002103b36a695f7cb6048b96da73e66c86ddffb ] + +The driver forgets to call clk_disable_unprepare() in error path after +a success calling for clk_prepare_enable(). + +Fix it by adding a clk_disable_unprepare() in error path. + +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1594973079-27743-1-git-send-email-zhangchangzhong@huawei.com +Fixes: befa60113ce7 ("can: ti_hecc: add missing prepare and unprepare of the clock") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/ti_hecc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index 31ad364a89bbe..d3a7631eecaf2 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -936,7 +936,7 @@ static int ti_hecc_probe(struct platform_device *pdev) + err = clk_prepare_enable(priv->clk); + if (err) { + dev_err(&pdev->dev, "clk_prepare_enable() failed\n"); +- goto probe_exit_clk; ++ goto probe_exit_release_clk; + } + + priv->offload.mailbox_read = ti_hecc_mailbox_read; +@@ -945,7 +945,7 @@ static int ti_hecc_probe(struct platform_device *pdev) + err = can_rx_offload_add_timestamp(ndev, &priv->offload); + if (err) { + dev_err(&pdev->dev, "can_rx_offload_add_timestamp() failed\n"); +- goto probe_exit_clk; ++ goto probe_exit_disable_clk; + } + + err = register_candev(ndev); +@@ -963,7 +963,9 @@ static int ti_hecc_probe(struct platform_device *pdev) + + probe_exit_offload: + can_rx_offload_del(&priv->offload); +-probe_exit_clk: ++probe_exit_disable_clk: ++ clk_disable_unprepare(priv->clk); ++probe_exit_release_clk: + clk_put(priv->clk); + probe_exit_candev: + free_candev(ndev); +-- +2.27.0 + diff --git a/queue-5.4/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch b/queue-5.4/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch new file mode 100644 index 00000000000..c4fd55e3831 --- /dev/null +++ b/queue-5.4/can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch @@ -0,0 +1,63 @@ +From b5e82439a905b750ab50899c8635836f6d42facc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 22:32:39 -0500 +Subject: can: xilinx_can: handle failure cases of pm_runtime_get_sync + +From: Navid Emamdoost + +[ Upstream commit 79c43333bdd5a7026a5aab606b53053b643585e7 ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count. Call pm_runtime_put if +pm_runtime_get_sync fails. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20200605033239.60664-1-navid.emamdoost@gmail.com +Fixes: 4716620d1b62 ("can: xilinx: Convert to runtime_pm") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/xilinx_can.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index 2be846ee627d1..0de39ebb35662 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1384,7 +1384,7 @@ static int xcan_open(struct net_device *ndev) + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); +- return ret; ++ goto err; + } + + ret = request_irq(ndev->irq, xcan_interrupt, priv->irq_flags, +@@ -1468,6 +1468,7 @@ static int xcan_get_berr_counter(const struct net_device *ndev, + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); ++ pm_runtime_put(priv->dev); + return ret; + } + +@@ -1783,7 +1784,7 @@ static int xcan_probe(struct platform_device *pdev) + if (ret < 0) { + netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n", + __func__, ret); +- goto err_pmdisable; ++ goto err_disableclks; + } + + if (priv->read_reg(priv, XCAN_SR_OFFSET) != XCAN_SR_CONFIG_MASK) { +@@ -1818,7 +1819,6 @@ static int xcan_probe(struct platform_device *pdev) + + err_disableclks: + pm_runtime_put(priv->dev); +-err_pmdisable: + pm_runtime_disable(&pdev->dev); + err_free: + free_candev(ndev); +-- +2.27.0 + diff --git a/queue-5.4/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch b/queue-5.4/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch new file mode 100644 index 00000000000..c8ff497e894 --- /dev/null +++ b/queue-5.4/dm-raid-fix-discard-limits-for-raid1-and-raid10.patch @@ -0,0 +1,58 @@ +From 3ab5d0d953229c59c52f8ed94bc9b1a85c5bcf6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 13:14:52 -0400 +Subject: dm raid: fix discard limits for raid1 and raid10 + +From: Mike Snitzer + +[ Upstream commit e0910c8e4f87bb9f767e61a778b0d9271c4dc512 ] + +Block core warned that discard_granularity was 0 for dm-raid with +personality of raid1. Reason is that raid_io_hints() was incorrectly +special-casing raid1 rather than raid0. + +But since commit 29efc390b9462 ("md/md0: optimize raid0 discard +handling") even raid0 properly handles large discards. + +Fix raid_io_hints() by removing discard limits settings for raid1. +Also, fix limits for raid10 by properly stacking underlying limits as +done in blk_stack_limits(). + +Depends-on: 29efc390b9462 ("md/md0: optimize raid0 discard handling") +Fixes: 61697a6abd24a ("dm: eliminate 'split_discard_bios' flag from DM target interface") +Cc: stable@vger.kernel.org +Reported-by: Zdenek Kabelac +Reported-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index b0aa595e4375d..2f41e38e06475 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3744,12 +3744,14 @@ static void raid_io_hints(struct dm_target *ti, struct queue_limits *limits) + blk_limits_io_opt(limits, chunk_size_bytes * mddev_data_stripes(rs)); + + /* +- * RAID1 and RAID10 personalities require bio splitting, +- * RAID0/4/5/6 don't and process large discard bios properly. ++ * RAID10 personality requires bio splitting, ++ * RAID0/1/4/5/6 don't and process large discard bios properly. + */ +- if (rs_is_raid1(rs) || rs_is_raid10(rs)) { +- limits->discard_granularity = chunk_size_bytes; +- limits->max_discard_sectors = rs->md.chunk_sectors; ++ if (rs_is_raid10(rs)) { ++ limits->discard_granularity = max(chunk_size_bytes, ++ limits->discard_granularity); ++ limits->max_discard_sectors = min_not_zero(rs->md.chunk_sectors, ++ limits->max_discard_sectors); + } + } + +-- +2.27.0 + diff --git a/queue-5.4/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch b/queue-5.4/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch new file mode 100644 index 00000000000..e1292b6e6ce --- /dev/null +++ b/queue-5.4/drm-i915-gem-flush-coherency-domains-on-first-set-do.patch @@ -0,0 +1,89 @@ +From 842a88888277085ed518b314ab018fea6fc9213d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 21:38:25 +0100 +Subject: drm/i915/gem: Flush coherency domains on first set-domain-ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +[ Upstream commit 59dd13ad310793757e34afa489dd6fc8544fc3da ] + +Avoid skipping what appears to be a no-op set-domain-ioctl if the cache +coherency state is inconsistent with our target domain. This also has +the utility of using the population of the pages to validate the backing +store. + +The danger in skipping the first set-domain is leaving the cache +inconsistent and submitting stale data, or worse leaving the clean data +in the cache and not flushing it to the GPU. The impact should be small +as it requires a no-op set-domain as the very first ioctl in a +particular sequence not found in typical userspace. + +Reported-by: Zbigniew Kempczyński +Fixes: 754a25442705 ("drm/i915: Skip object locking around a no-op set-domain ioctl") +Testcase: igt/gem_mmap_offset/blt-coherency +Signed-off-by: Chris Wilson +Cc: Joonas Lahtinen +Cc: Matthew Auld +Cc: Zbigniew Kempczyński +Cc: # v5.2+ +Reviewed-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20201019203825.10966-1-chris@chris-wilson.co.uk +(cherry picked from commit 44c2200afcd59f441b43f27829b4003397cc495d) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gem/i915_gem_domain.c | 28 ++++++++++------------ + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_domain.c b/drivers/gpu/drm/i915/gem/i915_gem_domain.c +index 9c58e8fac1d97..a4b48c9abeacd 100644 +--- a/drivers/gpu/drm/i915/gem/i915_gem_domain.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_domain.c +@@ -605,21 +605,6 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data, + if (!obj) + return -ENOENT; + +- /* +- * Already in the desired write domain? Nothing for us to do! +- * +- * We apply a little bit of cunning here to catch a broader set of +- * no-ops. If obj->write_domain is set, we must be in the same +- * obj->read_domains, and only that domain. Therefore, if that +- * obj->write_domain matches the request read_domains, we are +- * already in the same read/write domain and can skip the operation, +- * without having to further check the requested write_domain. +- */ +- if (READ_ONCE(obj->write_domain) == read_domains) { +- err = 0; +- goto out; +- } +- + /* + * Try to flush the object off the GPU without holding the lock. + * We will repeat the flush holding the lock in the normal manner +@@ -657,6 +642,19 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data, + if (err) + goto out; + ++ /* ++ * Already in the desired write domain? Nothing for us to do! ++ * ++ * We apply a little bit of cunning here to catch a broader set of ++ * no-ops. If obj->write_domain is set, we must be in the same ++ * obj->read_domains, and only that domain. Therefore, if that ++ * obj->write_domain matches the request read_domains, we are ++ * already in the same read/write domain and can skip the operation, ++ * without having to further check the requested write_domain. ++ */ ++ if (READ_ONCE(obj->write_domain) == read_domains) ++ goto out_unpin; ++ + err = i915_gem_object_lock_interruptible(obj); + if (err) + goto out_unpin; +-- +2.27.0 + diff --git a/queue-5.4/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch b/queue-5.4/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch new file mode 100644 index 00000000000..ca94e15a834 --- /dev/null +++ b/queue-5.4/genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch @@ -0,0 +1,37 @@ +From 0032092e457da4d7161feeb9b84309b7c1829386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 21:41:44 +0100 +Subject: genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY + +From: Marc Zyngier + +[ Upstream commit 151a535171be6ff824a0a3875553ea38570f4c05 ] + +kernel/irq/ipi.c otherwise fails to compile if nothing else +selects it. + +Fixes: 379b656446a3 ("genirq: Add GENERIC_IRQ_IPI Kconfig symbol") +Reported-by: Pavel Machek +Tested-by: Pavel Machek +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20201015101222.GA32747@amd +Signed-off-by: Sasha Levin +--- + kernel/irq/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig +index f92d9a6873720..4e11120265c74 100644 +--- a/kernel/irq/Kconfig ++++ b/kernel/irq/Kconfig +@@ -81,6 +81,7 @@ config IRQ_FASTEOI_HIERARCHY_HANDLERS + # Generic IRQ IPI support + config GENERIC_IRQ_IPI + bool ++ select IRQ_DOMAIN_HIERARCHY + + # Generic MSI interrupt support + config GENERIC_MSI_IRQ +-- +2.27.0 + diff --git a/queue-5.4/hv_balloon-disable-warning-when-floor-reached.patch b/queue-5.4/hv_balloon-disable-warning-when-floor-reached.patch new file mode 100644 index 00000000000..3c3c5ea5439 --- /dev/null +++ b/queue-5.4/hv_balloon-disable-warning-when-floor-reached.patch @@ -0,0 +1,40 @@ +From bcb84dfd166196016ec4fb751d7ce9e535296803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 09:12:15 +0200 +Subject: hv_balloon: disable warning when floor reached + +From: Olaf Hering + +[ Upstream commit 2c3bd2a5c86fe744e8377733c5e511a5ca1e14f5 ] + +It is not an error if the host requests to balloon down, but the VM +refuses to do so. Without this change a warning is logged in dmesg +every five minutes. + +Fixes: b3bb97b8a49f3 ("Drivers: hv: balloon: Add logging for dynamic memory operations") + +Signed-off-by: Olaf Hering +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20201008071216.16554-1-olaf@aepfle.de +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/hv_balloon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c +index 930674117533e..bd4e72f6dfd49 100644 +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -1277,7 +1277,7 @@ static void balloon_up(struct work_struct *dummy) + + /* Refuse to balloon below the floor. */ + if (avail_pages < num_pages || avail_pages - num_pages < floor) { +- pr_warn("Balloon request will be partially fulfilled. %s\n", ++ pr_info("Balloon request will be partially fulfilled. %s\n", + avail_pages < num_pages ? "Not enough memory." : + "Balloon floor reached."); + +-- +2.27.0 + diff --git a/queue-5.4/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch b/queue-5.4/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch new file mode 100644 index 00000000000..ae4e38462d6 --- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch @@ -0,0 +1,40 @@ +From 60c4f423ad0cbe03a285a5c0b6be04ce26e87a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Oct 2020 10:37:24 +0800 +Subject: iommu/vt-d: Fix a bug for PDP check in prq_event_thread + +From: Liu, Yi L + +[ Upstream commit 71cd8e2d16703a9df5c86a9e19f4cba99316cc53 ] + +In prq_event_thread(), the QI_PGRP_PDP is wrongly set by +'req->pasid_present' which should be replaced to +'req->priv_data_present'. + +Fixes: 5b438f4ba315 ("iommu/vt-d: Support page request in scalable mode") +Signed-off-by: Liu, Yi L +Signed-off-by: Yi Sun +Acked-by: Lu Baolu +Link: https://lore.kernel.org/r/1604025444-6954-3-git-send-email-yi.y.sun@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index 1d3816cd65d57..ec69a99b99bab 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -646,7 +646,7 @@ static irqreturn_t prq_event_thread(int irq, void *d) + resp.qw0 = QI_PGRP_PASID(req->pasid) | + QI_PGRP_DID(req->rid) | + QI_PGRP_PASID_P(req->pasid_present) | +- QI_PGRP_PDP(req->pasid_present) | ++ QI_PGRP_PDP(req->priv_data_present) | + QI_PGRP_RESP_CODE(result) | + QI_PGRP_RESP_TYPE; + resp.qw1 = QI_PGRP_IDX(req->prg_index) | +-- +2.27.0 + diff --git a/queue-5.4/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch b/queue-5.4/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch new file mode 100644 index 00000000000..7c59e6905f4 --- /dev/null +++ b/queue-5.4/kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch @@ -0,0 +1,45 @@ +From 0a9202aa2e43c69b0f2e02a3363f64010361932b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 16:54:07 +0530 +Subject: KVM: arm64: Force PTE mapping on fault resulting in a device mapping + +From: Santosh Shukla + +[ Upstream commit 91a2c34b7d6fadc9c5d9433c620ea4c32ee7cae8 ] + +VFIO allows a device driver to resolve a fault by mapping a MMIO +range. This can be subsequently result in user_mem_abort() to +try and compute a huge mapping based on the MMIO pfn, which is +a sure recipe for things to go wrong. + +Instead, force a PTE mapping when the pfn faulted in has a device +mapping. + +Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings") +Suggested-by: Marc Zyngier +Signed-off-by: Santosh Shukla +[maz: rewritten commit message] +Signed-off-by: Marc Zyngier +Reviewed-by: Gavin Shan +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1603711447-11998-2-git-send-email-sashukla@nvidia.com +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c +index 8700402f3000d..03a586ab6d27b 100644 +--- a/virt/kvm/arm/mmu.c ++++ b/virt/kvm/arm/mmu.c +@@ -1756,6 +1756,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, + if (kvm_is_device_pfn(pfn)) { + mem_type = PAGE_S2_DEVICE; + flags |= KVM_S2PTE_FLAG_IS_IOMAP; ++ force_pte = true; + } else if (logging_active) { + /* + * Faults on pages in a memslot with logging enabled +-- +2.27.0 + diff --git a/queue-5.4/nbd-don-t-update-block-size-after-device-is-started.patch b/queue-5.4/nbd-don-t-update-block-size-after-device-is-started.patch new file mode 100644 index 00000000000..cae8ac5e34e --- /dev/null +++ b/queue-5.4/nbd-don-t-update-block-size-after-device-is-started.patch @@ -0,0 +1,72 @@ +From ce99de2d056efce2b5937e16173f5f10067a7980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:24:34 +0800 +Subject: nbd: don't update block size after device is started + +From: Ming Lei + +[ Upstream commit b40813ddcd6bf9f01d020804e4cb8febc480b9e4 ] + +Mounted NBD device can be resized, one use case is rbd-nbd. + +Fix the issue by setting up default block size, then not touch it +in nbd_size_update() any more. This kind of usage is aligned with loop +which has same use case too. + +Cc: stable@vger.kernel.org +Fixes: c8a83a6b54d0 ("nbd: Use set_blocksize() to set device blocksize") +Reported-by: lining +Signed-off-by: Ming Lei +Cc: Josef Bacik +Cc: Jan Kara +Tested-by: lining +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 742f8160b6e28..62a873718b5bb 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -296,7 +296,7 @@ static void nbd_size_clear(struct nbd_device *nbd) + } + } + +-static void nbd_size_update(struct nbd_device *nbd) ++static void nbd_size_update(struct nbd_device *nbd, bool start) + { + struct nbd_config *config = nbd->config; + struct block_device *bdev = bdget_disk(nbd->disk, 0); +@@ -312,7 +312,8 @@ static void nbd_size_update(struct nbd_device *nbd) + if (bdev) { + if (bdev->bd_disk) { + bd_set_size(bdev, config->bytesize); +- set_blocksize(bdev, config->blksize); ++ if (start) ++ set_blocksize(bdev, config->blksize); + } else + bdev->bd_invalidated = 1; + bdput(bdev); +@@ -327,7 +328,7 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize, + config->blksize = blocksize; + config->bytesize = blocksize * nr_blocks; + if (nbd->task_recv != NULL) +- nbd_size_update(nbd); ++ nbd_size_update(nbd, false); + } + + static void nbd_complete_rq(struct request *req) +@@ -1293,7 +1294,7 @@ static int nbd_start_device(struct nbd_device *nbd) + args->index = i; + queue_work(nbd->recv_workq, &args->work); + } +- nbd_size_update(nbd); ++ nbd_size_update(nbd, true); + return error; + } + +-- +2.27.0 + diff --git a/queue-5.4/net-xfrm-fix-a-race-condition-during-allocing-spi.patch b/queue-5.4/net-xfrm-fix-a-race-condition-during-allocing-spi.patch new file mode 100644 index 00000000000..bc38a0b784b --- /dev/null +++ b/queue-5.4/net-xfrm-fix-a-race-condition-during-allocing-spi.patch @@ -0,0 +1,94 @@ +From ffac45d361075df325a71fde4c1d8052f4267c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Oct 2020 09:05:35 +0200 +Subject: net: xfrm: fix a race condition during allocing spi + +From: zhuoliang zhang + +[ Upstream commit a779d91314ca7208b7feb3ad817b62904397c56d ] + +we found that the following race condition exists in +xfrm_alloc_userspi flow: + +user thread state_hash_work thread +---- ---- +xfrm_alloc_userspi() + __find_acq_core() + /*alloc new xfrm_state:x*/ + xfrm_state_alloc() + /*schedule state_hash_work thread*/ + xfrm_hash_grow_check() xfrm_hash_resize() + xfrm_alloc_spi /*hold lock*/ + x->id.spi = htonl(spi) spin_lock_bh(&net->xfrm.xfrm_state_lock) + /*waiting lock release*/ xfrm_hash_transfer() + spin_lock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi*/ + hlist_add_head_rcu(&x->byspi) + spin_unlock_bh(&net->xfrm.xfrm_state_lock) + + /*add x into hlist:net->xfrm.state_byspi 2 times*/ + hlist_add_head_rcu(&x->byspi) + +1. a new state x is alloced in xfrm_state_alloc() and added into the bydst hlist +in __find_acq_core() on the LHS; +2. on the RHS, state_hash_work thread travels the old bydst and tranfers every xfrm_state +(include x) into the new bydst hlist and new byspi hlist; +3. user thread on the LHS gets the lock and adds x into the new byspi hlist again. + +So the same xfrm_state (x) is added into the same list_hash +(net->xfrm.state_byspi) 2 times that makes the list_hash become +an inifite loop. + +To fix the race, x->id.spi = htonl(spi) in the xfrm_alloc_spi() is moved +to the back of spin_lock_bh, sothat state_hash_work thread no longer add x +which id.spi is zero into the hash_list. + +Fixes: f034b5d4efdf ("[XFRM]: Dynamic xfrm_state hash table sizing.") +Signed-off-by: zhuoliang zhang +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index aaea8cb7459d8..61fd0569d3934 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2001,6 +2001,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + int err = -ENOENT; + __be32 minspi = htonl(low); + __be32 maxspi = htonl(high); ++ __be32 newspi = 0; + u32 mark = x->mark.v & x->mark.m; + + spin_lock_bh(&x->lock); +@@ -2019,21 +2020,22 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + xfrm_state_put(x0); + goto unlock; + } +- x->id.spi = minspi; ++ newspi = minspi; + } else { + u32 spi = 0; + for (h = 0; h < high-low+1; h++) { + spi = low + prandom_u32()%(high-low+1); + x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); + if (x0 == NULL) { +- x->id.spi = htonl(spi); ++ newspi = htonl(spi); + break; + } + xfrm_state_put(x0); + } + } +- if (x->id.spi) { ++ if (newspi) { + spin_lock_bh(&net->xfrm.xfrm_state_lock); ++ x->id.spi = newspi; + h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); + hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h); + spin_unlock_bh(&net->xfrm.xfrm_state_lock); +-- +2.27.0 + diff --git a/queue-5.4/netfilter-ipset-update-byte-and-packet-counters-rega.patch b/queue-5.4/netfilter-ipset-update-byte-and-packet-counters-rega.patch new file mode 100644 index 00000000000..2d59fedb042 --- /dev/null +++ b/queue-5.4/netfilter-ipset-update-byte-and-packet-counters-rega.patch @@ -0,0 +1,71 @@ +From 57a78d3d928c7e5fc23bf388dff3e33386359d5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 16:39:46 +0100 +Subject: netfilter: ipset: Update byte and packet counters regardless of + whether they match + +From: Stefano Brivio + +[ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ] + +In ip_set_match_extensions(), for sets with counters, we take care of +updating counters themselves by calling ip_set_update_counter(), and of +checking if the given comparison and values match, by calling +ip_set_match_counter() if needed. + +However, if a given comparison on counters doesn't match the configured +values, that doesn't mean the set entry itself isn't matching. + +This fix restores the behaviour we had before commit 4750005a85f7 +("netfilter: ipset: Fix "don't update counters" mode when counters used +at the matching"), without reintroducing the issue fixed there: back +then, mtype_data_match() first updated counters in any case, and then +took care of matching on counters. + +Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set, +ip_set_update_counter() will anyway skip counter updates if desired. + +The issue observed is illustrated by this reproducer: + + ipset create c hash:ip counters + ipset add c 192.0.2.1 + iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP + +if we now send packets from 192.0.2.1, bytes and packets counters +for the entry as shown by 'ipset list' are always zero, and, no +matter how many bytes we send, the rule will never match, because +counters themselves are not updated. + +Reported-by: Mithil Mhatre +Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 133a3f1b6f56c..3cc4daa856d6b 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -485,13 +485,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext, + if (SET_WITH_COUNTER(set)) { + struct ip_set_counter *counter = ext_counter(data, set); + ++ ip_set_update_counter(counter, ext, flags); ++ + if (flags & IPSET_FLAG_MATCH_COUNTERS && + !(ip_set_match_counter(ip_set_get_packets(counter), + mext->packets, mext->packets_op) && + ip_set_match_counter(ip_set_get_bytes(counter), + mext->bytes, mext->bytes_op))) + return false; +- ip_set_update_counter(counter, ext, flags); + } + if (SET_WITH_SKBINFO(set)) + ip_set_get_skbinfo(ext_skbinfo(data, set), +-- +2.27.0 + diff --git a/queue-5.4/netfilter-nf_tables-missing-validation-from-the-abor.patch b/queue-5.4/netfilter-nf_tables-missing-validation-from-the-abor.patch new file mode 100644 index 00000000000..ef635661c27 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-missing-validation-from-the-abor.patch @@ -0,0 +1,163 @@ +From 7930377d1b249b4365c04a410c4ec520375ea7a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 13:50:03 +0100 +Subject: netfilter: nf_tables: missing validation from the abort path + +From: Pablo Neira Ayuso + +[ Upstream commit c0391b6ab810381df632677a1dcbbbbd63d05b6d ] + +If userspace does not include the trailing end of batch message, then +nfnetlink aborts the transaction. This allows to check that ruleset +updates trigger no errors. + +After this patch, invoking this command from the prerouting chain: + + # nft -c add rule x y fib saddr . oif type local + +fails since oif is not supported there. + +This patch fixes the lack of rule validation from the abort/check path +to catch configuration errors such as the one above. + +Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/nfnetlink.h | 9 ++++++++- + net/netfilter/nf_tables_api.c | 15 ++++++++++----- + net/netfilter/nfnetlink.c | 22 ++++++++++++++++++---- + 3 files changed, 36 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 89016d08f6a27..f6267e2883f26 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -24,6 +24,12 @@ struct nfnl_callback { + const u_int16_t attr_count; /* number of nlattr's */ + }; + ++enum nfnl_abort_action { ++ NFNL_ABORT_NONE = 0, ++ NFNL_ABORT_AUTOLOAD, ++ NFNL_ABORT_VALIDATE, ++}; ++ + struct nfnetlink_subsystem { + const char *name; + __u8 subsys_id; /* nfnetlink subsystem ID */ +@@ -31,7 +37,8 @@ struct nfnetlink_subsystem { + const struct nfnl_callback *cb; /* callback for individual types */ + struct module *owner; + int (*commit)(struct net *net, struct sk_buff *skb); +- int (*abort)(struct net *net, struct sk_buff *skb, bool autoload); ++ int (*abort)(struct net *net, struct sk_buff *skb, ++ enum nfnl_abort_action action); + void (*cleanup)(struct net *net); + bool (*valid_genid)(struct net *net, u32 genid); + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 5a77b7a177229..51391d5d22656 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7010,11 +7010,15 @@ static void nf_tables_abort_release(struct nft_trans *trans) + kfree(trans); + } + +-static int __nf_tables_abort(struct net *net, bool autoload) ++static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + { + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + ++ if (action == NFNL_ABORT_VALIDATE && ++ nf_tables_validate(net) < 0) ++ return -EAGAIN; ++ + list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, + list) { + switch (trans->msg_type) { +@@ -7132,7 +7136,7 @@ static int __nf_tables_abort(struct net *net, bool autoload) + nf_tables_abort_release(trans); + } + +- if (autoload) ++ if (action == NFNL_ABORT_AUTOLOAD) + nf_tables_module_autoload(net); + else + nf_tables_module_autoload_cleanup(net); +@@ -7145,9 +7149,10 @@ static void nf_tables_cleanup(struct net *net) + nft_validate_state_update(net, NFT_VALIDATE_SKIP); + } + +-static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload) ++static int nf_tables_abort(struct net *net, struct sk_buff *skb, ++ enum nfnl_abort_action action) + { +- int ret = __nf_tables_abort(net, autoload); ++ int ret = __nf_tables_abort(net, action); + + mutex_unlock(&net->nft.commit_mutex); + +@@ -7754,7 +7759,7 @@ static void __net_exit nf_tables_exit_net(struct net *net) + { + mutex_lock(&net->nft.commit_mutex); + if (!list_empty(&net->nft.commit_list)) +- __nf_tables_abort(net, false); ++ __nf_tables_abort(net, NFNL_ABORT_NONE); + __nft_release_tables(net); + mutex_unlock(&net->nft.commit_mutex); + WARN_ON_ONCE(!list_empty(&net->nft.tables)); +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 6d03b09096210..81c86a156c6c0 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -315,7 +315,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, + return netlink_ack(skb, nlh, -EINVAL, NULL); + replay: + status = 0; +- ++replay_abort: + skb = netlink_skb_clone(oskb, GFP_KERNEL); + if (!skb) + return netlink_ack(oskb, nlh, -ENOMEM, NULL); +@@ -481,7 +481,7 @@ ack: + } + done: + if (status & NFNL_BATCH_REPLAY) { +- ss->abort(net, oskb, true); ++ ss->abort(net, oskb, NFNL_ABORT_AUTOLOAD); + nfnl_err_reset(&err_list); + kfree_skb(skb); + module_put(ss->owner); +@@ -492,11 +492,25 @@ done: + status |= NFNL_BATCH_REPLAY; + goto done; + } else if (err) { +- ss->abort(net, oskb, false); ++ ss->abort(net, oskb, NFNL_ABORT_NONE); + netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL); + } + } else { +- ss->abort(net, oskb, false); ++ enum nfnl_abort_action abort_action; ++ ++ if (status & NFNL_BATCH_FAILURE) ++ abort_action = NFNL_ABORT_NONE; ++ else ++ abort_action = NFNL_ABORT_VALIDATE; ++ ++ err = ss->abort(net, oskb, abort_action); ++ if (err == -EAGAIN) { ++ nfnl_err_reset(&err_list); ++ kfree_skb(skb); ++ module_put(ss->owner); ++ status |= NFNL_BATCH_FAILURE; ++ goto replay_abort; ++ } + } + if (ss->cleanup) + ss->cleanup(net); +-- +2.27.0 + diff --git a/queue-5.4/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch b/queue-5.4/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch new file mode 100644 index 00000000000..bdc4c5c9177 --- /dev/null +++ b/queue-5.4/netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch @@ -0,0 +1,302 @@ +From 31116e2cc4380003461e8e9f6703e157b7bc79d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 03:56:06 +0100 +Subject: netfilter: use actual socket sk rather than skb sk when routing + harder + +From: Jason A. Donenfeld + +[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ] + +If netfilter changes the packet mark when mangling, the packet is +rerouted using the route_me_harder set of functions. Prior to this +commit, there's one big difference between route_me_harder and the +ordinary initial routing functions, described in the comment above +__ip_queue_xmit(): + + /* Note: skb->sk can be different from sk, in case of tunnels */ + int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, + +That function goes on to correctly make use of sk->sk_bound_dev_if, +rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a +tunnel will receive a packet in ndo_start_xmit with an initial skb->sk. +It will make some transformations to that packet, and then it will send +the encapsulated packet out of a *new* socket. That new socket will +basically always have a different sk_bound_dev_if (otherwise there'd be +a routing loop). So for the purposes of routing the encapsulated packet, +the routing information as it pertains to the socket should come from +that socket's sk, rather than the packet's original skb->sk. For that +reason __ip_queue_xmit() and related functions all do the right thing. + +One might argue that all tunnels should just call skb_orphan(skb) before +transmitting the encapsulated packet into the new socket. But tunnels do +*not* do this -- and this is wisely avoided in skb_scrub_packet() too -- +because features like TSQ rely on skb->destructor() being called when +that buffer space is truely available again. Calling skb_orphan(skb) too +early would result in buffers filling up unnecessarily and accounting +info being all wrong. Instead, additional routing must take into account +the new sk, just as __ip_queue_xmit() notes. + +So, this commit addresses the problem by fishing the correct sk out of +state->sk -- it's already set properly in the call to nf_hook() in +__ip_local_out(), which receives the sk as part of its normal +functionality. So we make sure to plumb state->sk through the various +route_me_harder functions, and then make correct use of it following the +example of __ip_queue_xmit(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter_ipv4.h | 2 +- + include/linux/netfilter_ipv6.h | 10 +++++----- + net/ipv4/netfilter.c | 8 +++++--- + net/ipv4/netfilter/iptable_mangle.c | 2 +- + net/ipv4/netfilter/nf_reject_ipv4.c | 2 +- + net/ipv6/netfilter.c | 6 +++--- + net/ipv6/netfilter/ip6table_mangle.c | 2 +- + net/netfilter/ipvs/ip_vs_core.c | 4 ++-- + net/netfilter/nf_nat_proto.c | 4 ++-- + net/netfilter/nf_synproxy_core.c | 2 +- + net/netfilter/nft_chain_route.c | 4 ++-- + net/netfilter/utils.c | 4 ++-- + 12 files changed, 26 insertions(+), 24 deletions(-) + +diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h +index 082e2c41b7ff9..5b70ca868bb19 100644 +--- a/include/linux/netfilter_ipv4.h ++++ b/include/linux/netfilter_ipv4.h +@@ -16,7 +16,7 @@ struct ip_rt_info { + u_int32_t mark; + }; + +-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type); ++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type); + + struct nf_queue_entry; + +diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h +index 9b67394471e1c..48314ade1506f 100644 +--- a/include/linux/netfilter_ipv6.h ++++ b/include/linux/netfilter_ipv6.h +@@ -42,7 +42,7 @@ struct nf_ipv6_ops { + #if IS_MODULE(CONFIG_IPV6) + int (*chk_addr)(struct net *net, const struct in6_addr *addr, + const struct net_device *dev, int strict); +- int (*route_me_harder)(struct net *net, struct sk_buff *skb); ++ int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb); + int (*dev_get_saddr)(struct net *net, const struct net_device *dev, + const struct in6_addr *daddr, unsigned int srcprefs, + struct in6_addr *saddr); +@@ -143,9 +143,9 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk, + #endif + } + +-int ip6_route_me_harder(struct net *net, struct sk_buff *skb); ++int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb); + +-static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) ++static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb) + { + #if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); +@@ -153,9 +153,9 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) + if (!v6_ops) + return -EHOSTUNREACH; + +- return v6_ops->route_me_harder(net, skb); ++ return v6_ops->route_me_harder(net, sk, skb); + #elif IS_BUILTIN(CONFIG_IPV6) +- return ip6_route_me_harder(net, skb); ++ return ip6_route_me_harder(net, sk, skb); + #else + return -EHOSTUNREACH; + #endif +diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c +index a058213b77a78..7c841037c5334 100644 +--- a/net/ipv4/netfilter.c ++++ b/net/ipv4/netfilter.c +@@ -17,17 +17,19 @@ + #include + + /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ +-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type) ++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type) + { + const struct iphdr *iph = ip_hdr(skb); + struct rtable *rt; + struct flowi4 fl4 = {}; + __be32 saddr = iph->saddr; +- const struct sock *sk = skb_to_full_sk(skb); +- __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0; ++ __u8 flags; + struct net_device *dev = skb_dst(skb)->dev; + unsigned int hh_len; + ++ sk = sk_to_full_sk(sk); ++ flags = sk ? inet_sk_flowi_flags(sk) : 0; ++ + if (addr_type == RTN_UNSPEC) + addr_type = inet_addr_type_dev_table(net, dev, saddr); + if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) +diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c +index bb9266ea37858..ae45bcdd335ea 100644 +--- a/net/ipv4/netfilter/iptable_mangle.c ++++ b/net/ipv4/netfilter/iptable_mangle.c +@@ -62,7 +62,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) + iph->daddr != daddr || + skb->mark != mark || + iph->tos != tos) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c +index 2361fdac2c438..57817313a85c1 100644 +--- a/net/ipv4/netfilter/nf_reject_ipv4.c ++++ b/net/ipv4/netfilter/nf_reject_ipv4.c +@@ -127,7 +127,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) + ip4_dst_hoplimit(skb_dst(nskb))); + nf_reject_ip_tcphdr_put(nskb, oldskb, oth); + +- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) ++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) + goto free_nskb; + + niph = ip_hdr(nskb); +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index 6d0e942d082d4..ab9a279dd6d47 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -20,10 +20,10 @@ + #include + #include "../bridge/br_private.h" + +-int ip6_route_me_harder(struct net *net, struct sk_buff *skb) ++int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff *skb) + { + const struct ipv6hdr *iph = ipv6_hdr(skb); +- struct sock *sk = sk_to_full_sk(skb->sk); ++ struct sock *sk = sk_to_full_sk(sk_partial); + unsigned int hh_len; + struct dst_entry *dst; + int strict = (ipv6_addr_type(&iph->daddr) & +@@ -84,7 +84,7 @@ static int nf_ip6_reroute(struct sk_buff *skb, + if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || + !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) || + skb->mark != rt_info->mark) +- return ip6_route_me_harder(entry->state.net, skb); ++ return ip6_route_me_harder(entry->state.net, entry->state.sk, skb); + } + return 0; + } +diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c +index 070afb97fa2ba..401e8dcb2c84b 100644 +--- a/net/ipv6/netfilter/ip6table_mangle.c ++++ b/net/ipv6/netfilter/ip6table_mangle.c +@@ -57,7 +57,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) + skb->mark != mark || + ipv6_hdr(skb)->hop_limit != hop_limit || + flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) { +- err = ip6_route_me_harder(state->net, skb); ++ err = ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 64a05906cc0e6..89aa1fc334b19 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -748,12 +748,12 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af, + struct dst_entry *dst = skb_dst(skb); + + if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && +- ip6_route_me_harder(ipvs->net, skb) != 0) ++ ip6_route_me_harder(ipvs->net, skb->sk, skb) != 0) + return 1; + } else + #endif + if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && +- ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0) ++ ip_route_me_harder(ipvs->net, skb->sk, skb, RTN_LOCAL) != 0) + return 1; + + return 0; +diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c +index 59151dc07fdc1..e87b6bd6b3cdb 100644 +--- a/net/netfilter/nf_nat_proto.c ++++ b/net/netfilter/nf_nat_proto.c +@@ -715,7 +715,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb, + + if (ct->tuplehash[dir].tuple.dst.u3.ip != + ct->tuplehash[!dir].tuple.src.u3.ip) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +@@ -953,7 +953,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb, + + if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, + &ct->tuplehash[!dir].tuple.src.u3)) { +- err = nf_ip6_route_me_harder(state->net, skb); ++ err = nf_ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index b9cbe1e2453e8..4bb4cfde28b47 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -446,7 +446,7 @@ synproxy_send_tcp(struct net *net, + + skb_dst_set_noref(nskb, skb_dst(skb)); + nskb->protocol = htons(ETH_P_IP); +- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) ++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) + goto free_nskb; + + if (nfct) { +diff --git a/net/netfilter/nft_chain_route.c b/net/netfilter/nft_chain_route.c +index 8826bbe71136c..edd02cda57fca 100644 +--- a/net/netfilter/nft_chain_route.c ++++ b/net/netfilter/nft_chain_route.c +@@ -42,7 +42,7 @@ static unsigned int nf_route_table_hook4(void *priv, + iph->daddr != daddr || + skb->mark != mark || + iph->tos != tos) { +- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); ++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); + if (err < 0) + ret = NF_DROP_ERR(err); + } +@@ -92,7 +92,7 @@ static unsigned int nf_route_table_hook6(void *priv, + skb->mark != mark || + ipv6_hdr(skb)->hop_limit != hop_limit || + flowlabel != *((u32 *)ipv6_hdr(skb)))) { +- err = nf_ip6_route_me_harder(state->net, skb); ++ err = nf_ip6_route_me_harder(state->net, state->sk, skb); + if (err < 0) + ret = NF_DROP_ERR(err); + } +diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c +index 51b454d8fa9c9..924195861faf7 100644 +--- a/net/netfilter/utils.c ++++ b/net/netfilter/utils.c +@@ -191,8 +191,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry + skb->mark == rt_info->mark && + iph->daddr == rt_info->daddr && + iph->saddr == rt_info->saddr)) +- return ip_route_me_harder(entry->state.net, skb, +- RTN_UNSPEC); ++ return ip_route_me_harder(entry->state.net, entry->state.sk, ++ skb, RTN_UNSPEC); + } + #endif + return 0; +-- +2.27.0 + diff --git a/queue-5.4/pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch b/queue-5.4/pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch new file mode 100644 index 00000000000..74abcbda65d --- /dev/null +++ b/queue-5.4/pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch @@ -0,0 +1,59 @@ +From 3dab0318bccd31f394f4a3a8561d3f062e7f6dd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 14:49:54 +0200 +Subject: PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0 + +From: Ansuel Smith + +[ Upstream commit d3d4d028afb785e52c55024d779089654f8302e7 ] + +Qsdk U-Boot can incorrectly leave the PCIe interface in an undefined +state if bootm command is used instead of bootipq. This is caused by the +not deinit of PCIe when bootm is called. Reset the PCIe before init +anyway to fix this U-Boot bug. + +Link: https://lore.kernel.org/r/20200901124955.137-1-ansuelsmth@gmail.com +Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") +Signed-off-by: Ansuel Smith +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Bjorn Andersson +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-qcom.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c +index 374db5d59cf87..14196c0287a24 100644 +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -303,6 +303,9 @@ static void qcom_pcie_deinit_2_1_0(struct qcom_pcie *pcie) + clk_disable_unprepare(res->core_clk); + clk_disable_unprepare(res->aux_clk); + clk_disable_unprepare(res->ref_clk); ++ ++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL); ++ + regulator_bulk_disable(ARRAY_SIZE(res->supplies), res->supplies); + } + +@@ -315,6 +318,16 @@ static int qcom_pcie_init_2_1_0(struct qcom_pcie *pcie) + u32 val; + int ret; + ++ /* reset the PCIe interface as uboot can leave it undefined state */ ++ reset_control_assert(res->pci_reset); ++ reset_control_assert(res->axi_reset); ++ reset_control_assert(res->ahb_reset); ++ reset_control_assert(res->por_reset); ++ reset_control_assert(res->ext_reset); ++ reset_control_assert(res->phy_reset); ++ ++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL); ++ + ret = regulator_bulk_enable(ARRAY_SIZE(res->supplies), res->supplies); + if (ret < 0) { + dev_err(dev, "cannot enable regulators\n"); +-- +2.27.0 + diff --git a/queue-5.4/perf-tools-add-missing-swap-for-ino_generation.patch b/queue-5.4/perf-tools-add-missing-swap-for-ino_generation.patch new file mode 100644 index 00000000000..b581f76354d --- /dev/null +++ b/queue-5.4/perf-tools-add-missing-swap-for-ino_generation.patch @@ -0,0 +1,36 @@ +From 8a5714cddb7cd14a2e44616afe62f2948e68771e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 00:31:03 +0100 +Subject: perf tools: Add missing swap for ino_generation + +From: Jiri Olsa + +[ Upstream commit fe01adb72356a4e2f8735e4128af85921ca98fa1 ] + +We are missing swap for ino_generation field. + +Fixes: 5c5e854bc760 ("perf tools: Add attr->mmap2 support") +Signed-off-by: Jiri Olsa +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/r/20201101233103.3537427-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/session.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 5c172845fa5ac..ff524a3fc5003 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -588,6 +588,7 @@ static void perf_event__mmap2_swap(union perf_event *event, + event->mmap2.maj = bswap_32(event->mmap2.maj); + event->mmap2.min = bswap_32(event->mmap2.min); + event->mmap2.ino = bswap_64(event->mmap2.ino); ++ event->mmap2.ino_generation = bswap_64(event->mmap2.ino_generation); + + if (sample_id_all) { + void *data = &event->mmap2.filename; +-- +2.27.0 + diff --git a/queue-5.4/perf-trace-fix-segfault-when-trying-to-trace-events-.patch b/queue-5.4/perf-trace-fix-segfault-when-trying-to-trace-events-.patch new file mode 100644 index 00000000000..768f2852fc8 --- /dev/null +++ b/queue-5.4/perf-trace-fix-segfault-when-trying-to-trace-events-.patch @@ -0,0 +1,77 @@ +From 1eac0dd9995ad2cca4634e2e0de15821622baf5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 12:43:57 +0300 +Subject: perf trace: Fix segfault when trying to trace events by cgroup + +From: Stanislav Ivanichkin + +[ Upstream commit a6293f36ac92ab513771a98efe486477be2f981f ] + + # ./perf trace -e sched:sched_switch -G test -a sleep 1 + perf: Segmentation fault + Obtained 11 stack frames. + ./perf(sighandler_dump_stack+0x43) [0x55cfdc636db3] + /lib/x86_64-linux-gnu/libc.so.6(+0x3efcf) [0x7fd23eecafcf] + ./perf(parse_cgroups+0x36) [0x55cfdc673f36] + ./perf(+0x3186ed) [0x55cfdc70d6ed] + ./perf(parse_options_subcommand+0x629) [0x55cfdc70e999] + ./perf(cmd_trace+0x9c2) [0x55cfdc5ad6d2] + ./perf(+0x1e8ae0) [0x55cfdc5ddae0] + ./perf(+0x1e8ded) [0x55cfdc5ddded] + ./perf(main+0x370) [0x55cfdc556f00] + /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fd23eeadb96] + ./perf(_start+0x29) [0x55cfdc557389] + Segmentation fault + # + + It happens because "struct trace" in option->value is passed to the + parse_cgroups function instead of "struct evlist". + +Fixes: 9ea42ba4411ac ("perf trace: Support setting cgroups as targets") +Signed-off-by: Stanislav Ivanichkin +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Namhyung Kim +Cc: Dmitry Monakhov +Link: http://lore.kernel.org/lkml/20201027094357.94881-1-sivanichkin@yandex-team.ru +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index bb5130d021554..a5201de1a191d 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -3979,9 +3979,9 @@ do_concat: + err = 0; + + if (lists[0]) { +- struct option o = OPT_CALLBACK('e', "event", &trace->evlist, "event", +- "event selector. use 'perf list' to list available events", +- parse_events_option); ++ struct option o = { ++ .value = &trace->evlist, ++ }; + err = parse_events_option(&o, lists[0], 0); + } + out: +@@ -3995,9 +3995,12 @@ static int trace__parse_cgroups(const struct option *opt, const char *str, int u + { + struct trace *trace = opt->value; + +- if (!list_empty(&trace->evlist->core.entries)) +- return parse_cgroups(opt, str, unset); +- ++ if (!list_empty(&trace->evlist->core.entries)) { ++ struct option o = { ++ .value = &trace->evlist, ++ }; ++ return parse_cgroups(&o, str, unset); ++ } + trace->cgroup = evlist__findnew_cgroup(trace->evlist, str); + + return 0; +-- +2.27.0 + diff --git a/queue-5.4/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch b/queue-5.4/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch new file mode 100644 index 00000000000..90903fc6394 --- /dev/null +++ b/queue-5.4/powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch @@ -0,0 +1,86 @@ +From cea09430544155f302f5044971eceac4f2a629a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 11:27:17 -0400 +Subject: powerpc/eeh_cache: Fix a possible debugfs deadlock + +From: Qian Cai + +[ Upstream commit fd552e0542b4532483289cce48fdbd27b692984b ] + +Lockdep complains that a possible deadlock below in +eeh_addr_cache_show() because it is acquiring a lock with IRQ enabled, +but eeh_addr_cache_insert_dev() needs to acquire the same lock with IRQ +disabled. Let's just make eeh_addr_cache_show() acquire the lock with +IRQ disabled as well. + + CPU0 CPU1 + ---- ---- + lock(&pci_io_addr_cache_root.piar_lock); + local_irq_disable(); + lock(&tp->lock); + lock(&pci_io_addr_cache_root.piar_lock); + + lock(&tp->lock); + + *** DEADLOCK *** + + lock_acquire+0x140/0x5f0 + _raw_spin_lock_irqsave+0x64/0xb0 + eeh_addr_cache_insert_dev+0x48/0x390 + eeh_probe_device+0xb8/0x1a0 + pnv_pcibios_bus_add_device+0x3c/0x80 + pcibios_bus_add_device+0x118/0x290 + pci_bus_add_device+0x28/0xe0 + pci_bus_add_devices+0x54/0xb0 + pcibios_init+0xc4/0x124 + do_one_initcall+0xac/0x528 + kernel_init_freeable+0x35c/0x3fc + kernel_init+0x24/0x148 + ret_from_kernel_thread+0x5c/0x80 + + lock_acquire+0x140/0x5f0 + _raw_spin_lock+0x4c/0x70 + eeh_addr_cache_show+0x38/0x110 + seq_read+0x1a0/0x660 + vfs_read+0xc8/0x1f0 + ksys_read+0x74/0x130 + system_call_exception+0xf8/0x1d0 + system_call_common+0xe8/0x218 + +Fixes: 5ca85ae6318d ("powerpc/eeh_cache: Add a way to dump the EEH address cache") +Signed-off-by: Qian Cai +Reviewed-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201028152717.8967-1-cai@redhat.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_cache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_cache.c b/arch/powerpc/kernel/eeh_cache.c +index cf11277ebd020..000ebb5a6fb3c 100644 +--- a/arch/powerpc/kernel/eeh_cache.c ++++ b/arch/powerpc/kernel/eeh_cache.c +@@ -272,8 +272,9 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v) + { + struct pci_io_addr_range *piar; + struct rb_node *n; ++ unsigned long flags; + +- spin_lock(&pci_io_addr_cache_root.piar_lock); ++ spin_lock_irqsave(&pci_io_addr_cache_root.piar_lock, flags); + for (n = rb_first(&pci_io_addr_cache_root.rb_root); n; n = rb_next(n)) { + piar = rb_entry(n, struct pci_io_addr_range, rb_node); + +@@ -281,7 +282,7 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v) + (piar->flags & IORESOURCE_IO) ? "i/o" : "mem", + &piar->addr_lo, &piar->addr_hi, pci_name(piar->pcidev)); + } +- spin_unlock(&pci_io_addr_cache_root.piar_lock); ++ spin_unlock_irqrestore(&pci_io_addr_cache_root.piar_lock, flags); + + return 0; + } +-- +2.27.0 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..b1c133a6db7 --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,42 @@ +drm-i915-gem-flush-coherency-domains-on-first-set-do.patch +time-prevent-undefined-behaviour-in-timespec64_to_ns.patch +nbd-don-t-update-block-size-after-device-is-started.patch +kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch +pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch +usb-dwc3-gadget-continue-to-process-pending-requests.patch +usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch +dm-raid-fix-discard-limits-for-raid1-and-raid10.patch +btrfs-tracepoints-output-proper-root-owner-for-trace.patch +btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch +btrfs-reschedule-when-cloning-lots-of-extents.patch +asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch +genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch +hv_balloon-disable-warning-when-floor-reached.patch +net-xfrm-fix-a-race-condition-during-allocing-spi.patch +asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch +xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch +netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch +netfilter-nf_tables-missing-validation-from-the-abor.patch +netfilter-ipset-update-byte-and-packet-counters-rega.patch +powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch +perf-trace-fix-segfault-when-trying-to-trace-events-.patch +perf-tools-add-missing-swap-for-ino_generation.patch +alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch +iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch +afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch +can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch +can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch +can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch +can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch +can-j1939-swap-addr-and-pgn-in-the-send-example.patch +can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch +can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch +can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch +can-peak_usb-add-range-checking-in-decode-operations.patch +can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch +can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch +can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch +can-flexcan-flexcan_remove-disable-wakeup-completely.patch +xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch +xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch +tpm-efi-don-t-create-binary_bios_measurements-file-f.patch diff --git a/queue-5.4/time-prevent-undefined-behaviour-in-timespec64_to_ns.patch b/queue-5.4/time-prevent-undefined-behaviour-in-timespec64_to_ns.patch new file mode 100644 index 00000000000..5cd5a972c5b --- /dev/null +++ b/queue-5.4/time-prevent-undefined-behaviour-in-timespec64_to_ns.patch @@ -0,0 +1,75 @@ +From 1576034634512ab27c2c2fefccd454a66ef4b9c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 17:30:13 +0800 +Subject: time: Prevent undefined behaviour in timespec64_to_ns() + +From: Zeng Tao + +[ Upstream commit cb47755725da7b90fecbb2aa82ac3b24a7adb89b ] + +UBSAN reports: + +Undefined behaviour in ./include/linux/time64.h:127:27 +signed integer overflow: +17179869187 * 1000000000 cannot be represented in type 'long long int' +Call Trace: + timespec64_to_ns include/linux/time64.h:127 [inline] + set_cpu_itimer+0x65c/0x880 kernel/time/itimer.c:180 + do_setitimer+0x8e/0x740 kernel/time/itimer.c:245 + __x64_sys_setitimer+0x14c/0x2c0 kernel/time/itimer.c:336 + do_syscall_64+0xa1/0x540 arch/x86/entry/common.c:295 + +Commit bd40a175769d ("y2038: itimer: change implementation to timespec64") +replaced the original conversion which handled time clamping correctly with +timespec64_to_ns() which has no overflow protection. + +Fix it in timespec64_to_ns() as this is not necessarily limited to the +usage in itimers. + +[ tglx: Added comment and adjusted the fixes tag ] + +Fixes: 361a3bf00582 ("time64: Add time64.h header and define struct timespec64") +Signed-off-by: Zeng Tao +Signed-off-by: Thomas Gleixner +Reviewed-by: Arnd Bergmann +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1598952616-6416-1-git-send-email-prime.zeng@hisilicon.com +Signed-off-by: Sasha Levin +--- + include/linux/time64.h | 4 ++++ + kernel/time/itimer.c | 4 ---- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/time64.h b/include/linux/time64.h +index 19125489ae948..5eab3f2635186 100644 +--- a/include/linux/time64.h ++++ b/include/linux/time64.h +@@ -132,6 +132,10 @@ static inline bool timespec64_valid_settod(const struct timespec64 *ts) + */ + static inline s64 timespec64_to_ns(const struct timespec64 *ts) + { ++ /* Prevent multiplication overflow */ ++ if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX) ++ return KTIME_MAX; ++ + return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec; + } + +diff --git a/kernel/time/itimer.c b/kernel/time/itimer.c +index 77f1e5635cc18..62dc9757118c6 100644 +--- a/kernel/time/itimer.c ++++ b/kernel/time/itimer.c +@@ -147,10 +147,6 @@ static void set_cpu_itimer(struct task_struct *tsk, unsigned int clock_id, + u64 oval, nval, ointerval, ninterval; + struct cpu_itimer *it = &tsk->signal->it[clock_id]; + +- /* +- * Use the to_ktime conversion because that clamps the maximum +- * value to KTIME_MAX and avoid multiplication overflows. +- */ + nval = ktime_to_ns(timeval_to_ktime(value->it_value)); + ninterval = ktime_to_ns(timeval_to_ktime(value->it_interval)); + +-- +2.27.0 + diff --git a/queue-5.4/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch b/queue-5.4/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch new file mode 100644 index 00000000000..83c9c0a6c48 --- /dev/null +++ b/queue-5.4/tpm-efi-don-t-create-binary_bios_measurements-file-f.patch @@ -0,0 +1,117 @@ +From 6bae50f8e1cd2fd5df15329ffe40984eea2153e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 10:41:02 -0500 +Subject: tpm: efi: Don't create binary_bios_measurements file for an empty log +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tyler Hicks + +[ Upstream commit 8ffd778aff45be760292225049e0141255d4ad6e ] + +Mimic the pre-existing ACPI and Device Tree event log behavior by not +creating the binary_bios_measurements file when the EFI TPM event log is +empty. + +This fixes the following NULL pointer dereference that can occur when +reading /sys/kernel/security/tpm0/binary_bios_measurements after the +kernel received an empty event log from the firmware: + + BUG: kernel NULL pointer dereference, address: 000000000000002c + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17 + Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019 + RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550 + Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49 + RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246 + RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010 + RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258 + RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300 + R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280 + R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258 + FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + ? __kmalloc_node+0x113/0x320 + ? kvmalloc_node+0x31/0x80 + seq_read+0x94/0x420 + vfs_read+0xa7/0x190 + ksys_read+0xa7/0xe0 + __x64_sys_read+0x1a/0x20 + do_syscall_64+0x37/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +In this situation, the bios_event_log pointer in the tpm_bios_log struct +was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was +due to the following kmemdup() in tpm_read_log_efi(): + +int tpm_read_log_efi(struct tpm_chip *chip) +{ +... + /* malloc EventLog space */ + log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL); + if (!log->bios_event_log) { + ret = -ENOMEM; + goto out; + } +... +} + +When log_size is zero, due to an empty event log from firmware, +ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the +binary_bios_measurements file, the tpm2_bios_measurements_start() +function does not perform a ZERO_OR_NULL_PTR() check on the +bios_event_log pointer before dereferencing it. + +Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of +the bios_event_log pointer, simply avoid creating the +binary_bios_measurements_file as is done in other event log retrieval +backends. + +Explicitly ignore all of the events in the final event log when the main +event log is empty. The list of events in the final event log cannot be +accurately parsed without referring to the first event in the main event +log (the event log header) so the final event log is useless in such a +situation. + +Fixes: 58cc1e4faf10 ("tpm: parse TPM event logs based on EFI table") +Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/ +Reported-by: Kai-Heng Feng +Reported-by: Kenneth R. Crudup +Reported-by: Mimi Zohar +Cc: Thiébaud Weksteen +Cc: Ard Biesheuvel +Signed-off-by: Tyler Hicks +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/eventlog/efi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c +index 6bb023de17f1f..35229e5143cac 100644 +--- a/drivers/char/tpm/eventlog/efi.c ++++ b/drivers/char/tpm/eventlog/efi.c +@@ -41,6 +41,11 @@ int tpm_read_log_efi(struct tpm_chip *chip) + log_size = log_tbl->size; + memunmap(log_tbl); + ++ if (!log_size) { ++ pr_warn("UEFI TPM log area empty\n"); ++ return -EIO; ++ } ++ + log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl) + log_size, + MEMREMAP_WB); + if (!log_tbl) { +-- +2.27.0 + diff --git a/queue-5.4/usb-dwc3-gadget-continue-to-process-pending-requests.patch b/queue-5.4/usb-dwc3-gadget-continue-to-process-pending-requests.patch new file mode 100644 index 00000000000..db0fa10485c --- /dev/null +++ b/queue-5.4/usb-dwc3-gadget-continue-to-process-pending-requests.patch @@ -0,0 +1,76 @@ +From de92803f50c2a5a42003f6314bad570e6961b678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 01:40:42 -0700 +Subject: usb: dwc3: gadget: Continue to process pending requests + +From: Thinh Nguyen + +[ Upstream commit d9feef974e0d8cb6842533c92476a1b32a41ba31 ] + +If there are still pending requests because no TRB was available, +prepare more when started requests are completed. + +Introduce dwc3_gadget_ep_should_continue() to check for incomplete and +pending requests to resume updating new TRBs to the controller's TRB +cache. + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 1d65de84464d5..b6a454211329b 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2644,10 +2644,8 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + + req->request.actual = req->request.length - req->remaining; + +- if (!dwc3_gadget_ep_request_completed(req)) { +- __dwc3_gadget_kick_transfer(dep); ++ if (!dwc3_gadget_ep_request_completed(req)) + goto out; +- } + + dwc3_gadget_giveback(dep, req, status); + +@@ -2671,6 +2669,24 @@ static void dwc3_gadget_ep_cleanup_completed_requests(struct dwc3_ep *dep, + } + } + ++static bool dwc3_gadget_ep_should_continue(struct dwc3_ep *dep) ++{ ++ struct dwc3_request *req; ++ ++ if (!list_empty(&dep->pending_list)) ++ return true; ++ ++ /* ++ * We only need to check the first entry of the started list. We can ++ * assume the completed requests are removed from the started list. ++ */ ++ req = next_request(&dep->started_list); ++ if (!req) ++ return false; ++ ++ return !dwc3_gadget_ep_request_completed(req); ++} ++ + static void dwc3_gadget_endpoint_frame_from_event(struct dwc3_ep *dep, + const struct dwc3_event_depevt *event) + { +@@ -2700,6 +2716,8 @@ static void dwc3_gadget_endpoint_transfer_in_progress(struct dwc3_ep *dep, + + if (stop) + dwc3_stop_active_transfer(dep, true, true); ++ else if (dwc3_gadget_ep_should_continue(dep)) ++ __dwc3_gadget_kick_transfer(dep); + + /* + * WORKAROUND: This is the 2nd half of U1/U2 -> U0 workaround. +-- +2.27.0 + diff --git a/queue-5.4/usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch b/queue-5.4/usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch new file mode 100644 index 00000000000..ee7e2e0740f --- /dev/null +++ b/queue-5.4/usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch @@ -0,0 +1,54 @@ +From 875874ddf331f4a609adacc8da0b5f028e638e2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 01:21:24 -0700 +Subject: usb: dwc3: gadget: Reclaim extra TRBs after request completion + +From: Thinh Nguyen + +[ Upstream commit 690e5c2dc29f8891fcfd30da67e0d5837c2c9df5 ] + +An SG request may be partially completed (due to no available TRBs). +Don't reclaim extra TRBs and clear the needs_extra_trb flag until the +request is fully completed. Otherwise, the driver will reclaim the wrong +TRB. + +Cc: stable@vger.kernel.org +Fixes: 1f512119a08c ("usb: dwc3: gadget: add remaining sg entries to ring") +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index b6a454211329b..9269cda4c1831 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2627,6 +2627,11 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + ret = dwc3_gadget_ep_reclaim_trb_linear(dep, req, event, + status); + ++ req->request.actual = req->request.length - req->remaining; ++ ++ if (!dwc3_gadget_ep_request_completed(req)) ++ goto out; ++ + if (req->needs_extra_trb) { + unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc); + +@@ -2642,11 +2647,6 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + req->needs_extra_trb = false; + } + +- req->request.actual = req->request.length - req->remaining; +- +- if (!dwc3_gadget_ep_request_completed(req)) +- goto out; +- + dwc3_gadget_giveback(dep, req, status); + + out: +-- +2.27.0 + diff --git a/queue-5.4/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch b/queue-5.4/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch new file mode 100644 index 00000000000..edc1e355620 --- /dev/null +++ b/queue-5.4/xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch @@ -0,0 +1,37 @@ +From 5d94d239674b9dc20dfb18e358abb101b64bc8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 17:14:07 -0800 +Subject: xfs: fix scrub flagging rtinherit even if there is no rt device + +From: Darrick J. Wong + +[ Upstream commit c1f6b1ac00756a7108e5fcb849a2f8230c0b62a5 ] + +The kernel has always allowed directories to have the rtinherit flag +set, even if there is no rt device, so this check is wrong. + +Fixes: 80e4e1268802 ("xfs: scrub inodes") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/scrub/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/xfs/scrub/inode.c b/fs/xfs/scrub/inode.c +index 6d483ab29e639..1bea029b634a6 100644 +--- a/fs/xfs/scrub/inode.c ++++ b/fs/xfs/scrub/inode.c +@@ -121,8 +121,7 @@ xchk_inode_flags( + goto bad; + + /* rt flags require rt device */ +- if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) && +- !mp->m_rtdev_targp) ++ if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp) + goto bad; + + /* new rt bitmap flag only valid for rbmino */ +-- +2.27.0 + diff --git a/queue-5.4/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch b/queue-5.4/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch new file mode 100644 index 00000000000..3d8c34fd683 --- /dev/null +++ b/queue-5.4/xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch @@ -0,0 +1,70 @@ +From bca5edaa0b8e8e351369f6d093fd02b23dfae0d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 14:30:48 -0700 +Subject: xfs: flush new eof page on truncate to avoid post-eof corruption + +From: Brian Foster + +[ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ] + +It is possible to expose non-zeroed post-EOF data in XFS if the new +EOF page is dirty, backed by an unwritten block and the truncate +happens to race with writeback. iomap_truncate_page() will not zero +the post-EOF portion of the page if the underlying block is +unwritten. The subsequent call to truncate_setsize() will, but +doesn't dirty the page. Therefore, if writeback happens to complete +after iomap_truncate_page() (so it still sees the unwritten block) +but before truncate_setsize(), the cached page becomes inconsistent +with the on-disk block. A mapped read after the associated page is +reclaimed or invalidated exposes non-zero post-EOF data. + +For example, consider the following sequence when run on a kernel +modified to explicitly flush the new EOF page within the race +window: + +$ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file +$ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file + ... +$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file +00000400: 00 00 00 00 00 00 00 00 ........ +$ umount /mnt/; mount /mnt/ +$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file +00000400: cd cd cd cd cd cd cd cd ........ + +Update xfs_setattr_size() to explicitly flush the new EOF page prior +to the page truncate to ensure iomap has the latest state of the +underlying block. + +Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path") +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_iops.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index fe285d123d69f..dec511823fcbc 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -885,6 +885,16 @@ xfs_setattr_size( + error = iomap_zero_range(inode, oldsize, newsize - oldsize, + &did_zeroing, &xfs_iomap_ops); + } else { ++ /* ++ * iomap won't detect a dirty page over an unwritten block (or a ++ * cow block over a hole) and subsequently skips zeroing the ++ * newly post-EOF portion of the page. Flush the new EOF to ++ * convert the block before the pagecache truncate. ++ */ ++ error = filemap_write_and_wait_range(inode->i_mapping, newsize, ++ newsize); ++ if (error) ++ return error; + error = iomap_truncate_page(inode, newsize, &did_zeroing, + &xfs_iomap_ops); + } +-- +2.27.0 + diff --git a/queue-5.4/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch b/queue-5.4/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch new file mode 100644 index 00000000000..e57c21acd1a --- /dev/null +++ b/queue-5.4/xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch @@ -0,0 +1,55 @@ +From 123ac6b6a79bf52de8e118b0dfc15bde12f97368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 15:19:38 -0700 +Subject: xfs: set xefi_discard when creating a deferred agfl free log intent + item + +From: Darrick J. Wong + +[ Upstream commit 2c334e12f957cd8c6bb66b4aa3f79848b7c33cab ] + +Make sure that we actually initialize xefi_discard when we're scheduling +a deferred free of an AGFL block. This was (eventually) found by the +UBSAN while I was banging on realtime rmap problems, but it exists in +the upstream codebase. While we're at it, rearrange the structure to +reduce the struct size from 64 to 56 bytes. + +Fixes: fcb762f5de2e ("xfs: add bmapi nodiscard flag") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_alloc.c | 1 + + fs/xfs/libxfs/xfs_bmap.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index 0a36f532cf86c..436f686a98918 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -2209,6 +2209,7 @@ xfs_defer_agfl_block( + new->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno); + new->xefi_blockcount = 1; + new->xefi_oinfo = *oinfo; ++ new->xefi_skip_discard = false; + + trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1); + +diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h +index e2798c6f3a5f3..093716a074fb7 100644 +--- a/fs/xfs/libxfs/xfs_bmap.h ++++ b/fs/xfs/libxfs/xfs_bmap.h +@@ -52,9 +52,9 @@ struct xfs_extent_free_item + { + xfs_fsblock_t xefi_startblock;/* starting fs block number */ + xfs_extlen_t xefi_blockcount;/* number of blocks in extent */ ++ bool xefi_skip_discard; + struct list_head xefi_list; + struct xfs_owner_info xefi_oinfo; /* extent owner */ +- bool xefi_skip_discard; + }; + + #define XFS_BMAP_MAX_NMAP 4 +-- +2.27.0 + -- 2.47.3