From b978eabe43bc3d0eb469d70a8ca89e0922999322 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 23 May 2022 17:26:39 +0200 Subject: [PATCH] 5.4-stable patches added patches: arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch block-return-elevator_discard_merge-if-possible.patch firmware_loader-use-kernel-credentials-when-reading-firmware.patch net-stmmac-disable-split-header-sph-for-intel-platforms.patch reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch --- ...post_div-instead-audio_mclk_root_clk.patch | 143 ++++++++++++++++++ ...n-elevator_discard_merge-if-possible.patch | 118 +++++++++++++++ ...el-credentials-when-reading-firmware.patch | 87 +++++++++++ ...split-header-sph-for-intel-platforms.patch | 67 ++++++++ ...k-fix-info-leak-with-dma_from_device.patch | 96 ++++++++++++ queue-5.4/series | 5 + 6 files changed, 516 insertions(+) create mode 100644 queue-5.4/arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch create mode 100644 queue-5.4/block-return-elevator_discard_merge-if-possible.patch create mode 100644 queue-5.4/firmware_loader-use-kernel-credentials-when-reading-firmware.patch create mode 100644 queue-5.4/net-stmmac-disable-split-header-sph-for-intel-platforms.patch create mode 100644 queue-5.4/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch diff --git a/queue-5.4/arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch b/queue-5.4/arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch new file mode 100644 index 00000000000..b242ed68b9a --- /dev/null +++ b/queue-5.4/arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch @@ -0,0 +1,143 @@ +From 4cb7df64c732b2b9918424095c11660c2a8c4a33 Mon Sep 17 00:00:00 2001 +From: Abel Vesa +Date: Thu, 27 Jan 2022 16:10:51 +0200 +Subject: ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk + +From: Abel Vesa + +commit 4cb7df64c732b2b9918424095c11660c2a8c4a33 upstream. + +The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), +but according to the reference manual, there is no such gate. Moreover, +the consumer driver of the mentioned clock might gate it and leave +the ECSPI2 (the true owner of that gate) hanging. So lets use the +audio_mclk_post_div, which is the parent. + +Signed-off-by: Abel Vesa +Signed-off-by: Shawn Guo +[ps: backport to 5.4] +Signed-off-by: Philippe Schenker +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7-colibri.dtsi | 4 ++-- + arch/arm/boot/dts/imx7-mba7.dtsi | 2 +- + arch/arm/boot/dts/imx7d-nitrogen7.dts | 2 +- + arch/arm/boot/dts/imx7d-pico-hobbit.dts | 4 ++-- + arch/arm/boot/dts/imx7d-pico-pi.dts | 4 ++-- + arch/arm/boot/dts/imx7d-sdb.dts | 2 +- + arch/arm/boot/dts/imx7s-warp.dts | 4 ++-- + 7 files changed, 11 insertions(+), 11 deletions(-) + +--- a/arch/arm/boot/dts/imx7-colibri.dtsi ++++ b/arch/arm/boot/dts/imx7-colibri.dtsi +@@ -77,7 +77,7 @@ + + dailink_master: simple-audio-card,codec { + sound-dai = <&codec>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + }; + }; + }; +@@ -152,7 +152,7 @@ + compatible = "fsl,sgtl5000"; + #sound-dai-cells = <0>; + reg = <0x0a>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_sai1_mclk>; + VDDA-supply = <®_module_3v3_avdd>; +--- a/arch/arm/boot/dts/imx7-mba7.dtsi ++++ b/arch/arm/boot/dts/imx7-mba7.dtsi +@@ -250,7 +250,7 @@ + tlv320aic32x4: audio-codec@18 { + compatible = "ti,tlv320aic32x4"; + reg = <0x18>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + clock-names = "mclk"; + ldoin-supply = <®_audio_3v3>; + iov-supply = <®_audio_3v3>; +--- a/arch/arm/boot/dts/imx7d-nitrogen7.dts ++++ b/arch/arm/boot/dts/imx7d-nitrogen7.dts +@@ -284,7 +284,7 @@ + codec: wm8960@1a { + compatible = "wlf,wm8960"; + reg = <0x1a>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + clock-names = "mclk"; + wlf,shared-lrclk; + }; +--- a/arch/arm/boot/dts/imx7d-pico-hobbit.dts ++++ b/arch/arm/boot/dts/imx7d-pico-hobbit.dts +@@ -31,7 +31,7 @@ + + dailink_master: simple-audio-card,codec { + sound-dai = <&sgtl5000>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + }; + }; + }; +@@ -41,7 +41,7 @@ + #sound-dai-cells = <0>; + reg = <0x0a>; + compatible = "fsl,sgtl5000"; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_vref_1v8>; + }; +--- a/arch/arm/boot/dts/imx7d-pico-pi.dts ++++ b/arch/arm/boot/dts/imx7d-pico-pi.dts +@@ -31,7 +31,7 @@ + + dailink_master: simple-audio-card,codec { + sound-dai = <&sgtl5000>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + }; + }; + }; +@@ -41,7 +41,7 @@ + #sound-dai-cells = <0>; + reg = <0x0a>; + compatible = "fsl,sgtl5000"; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_vref_1v8>; + }; +--- a/arch/arm/boot/dts/imx7d-sdb.dts ++++ b/arch/arm/boot/dts/imx7d-sdb.dts +@@ -356,7 +356,7 @@ + codec: wm8960@1a { + compatible = "wlf,wm8960"; + reg = <0x1a>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + clock-names = "mclk"; + wlf,shared-lrclk; + }; +--- a/arch/arm/boot/dts/imx7s-warp.dts ++++ b/arch/arm/boot/dts/imx7s-warp.dts +@@ -75,7 +75,7 @@ + + dailink_master: simple-audio-card,codec { + sound-dai = <&codec>; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + }; + }; + }; +@@ -232,7 +232,7 @@ + #sound-dai-cells = <0>; + reg = <0x0a>; + compatible = "fsl,sgtl5000"; +- clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_CLK>; ++ clocks = <&clks IMX7D_AUDIO_MCLK_ROOT_DIV>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_sai1_mclk>; + VDDA-supply = <&vgen4_reg>; diff --git a/queue-5.4/block-return-elevator_discard_merge-if-possible.patch b/queue-5.4/block-return-elevator_discard_merge-if-possible.patch new file mode 100644 index 00000000000..fdf3aa8f441 --- /dev/null +++ b/queue-5.4/block-return-elevator_discard_merge-if-possible.patch @@ -0,0 +1,118 @@ +From 866663b7b52d2da267b28e12eed89ee781b8fed1 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Thu, 29 Jul 2021 11:42:26 +0800 +Subject: block: return ELEVATOR_DISCARD_MERGE if possible + +From: Ming Lei + +commit 866663b7b52d2da267b28e12eed89ee781b8fed1 upstream. + +When merging one bio to request, if they are discard IO and the queue +supports multi-range discard, we need to return ELEVATOR_DISCARD_MERGE +because both block core and related drivers(nvme, virtio-blk) doesn't +handle mixed discard io merge(traditional IO merge together with +discard merge) well. + +Fix the issue by returning ELEVATOR_DISCARD_MERGE in this situation, +so both blk-mq and drivers just need to handle multi-range discard. + +Reported-by: Oleksandr Natalenko +Signed-off-by: Ming Lei +Tested-by: Oleksandr Natalenko +Fixes: 2705dfb20947 ("block: fix discard request merge") +Link: https://lore.kernel.org/r/20210729034226.1591070-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Gwendal Grignou +Signed-off-by: Greg Kroah-Hartman +--- + block/bfq-iosched.c | 3 +++ + block/blk-merge.c | 15 --------------- + block/elevator.c | 3 +++ + block/mq-deadline.c | 2 ++ + include/linux/blkdev.h | 16 ++++++++++++++++ + 5 files changed, 24 insertions(+), 15 deletions(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2251,6 +2251,9 @@ static int bfq_request_merge(struct requ + __rq = bfq_find_rq_fmerge(bfqd, bio, q); + if (__rq && elv_bio_merge_ok(__rq, bio)) { + *req = __rq; ++ ++ if (blk_discard_mergable(__rq)) ++ return ELEVATOR_DISCARD_MERGE; + return ELEVATOR_FRONT_MERGE; + } + +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -721,21 +721,6 @@ static void blk_account_io_merge(struct + part_stat_unlock(); + } + } +-/* +- * Two cases of handling DISCARD merge: +- * If max_discard_segments > 1, the driver takes every bio +- * as a range and send them to controller together. The ranges +- * needn't to be contiguous. +- * Otherwise, the bios/requests will be handled as same as +- * others which should be contiguous. +- */ +-static inline bool blk_discard_mergable(struct request *req) +-{ +- if (req_op(req) == REQ_OP_DISCARD && +- queue_max_discard_segments(req->q) > 1) +- return true; +- return false; +-} + + static enum elv_merge blk_try_req_merge(struct request *req, + struct request *next) +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -337,6 +337,9 @@ enum elv_merge elv_merge(struct request_ + __rq = elv_rqhash_find(q, bio->bi_iter.bi_sector); + if (__rq && elv_bio_merge_ok(__rq, bio)) { + *req = __rq; ++ ++ if (blk_discard_mergable(__rq)) ++ return ELEVATOR_DISCARD_MERGE; + return ELEVATOR_BACK_MERGE; + } + +--- a/block/mq-deadline.c ++++ b/block/mq-deadline.c +@@ -452,6 +452,8 @@ static int dd_request_merge(struct reque + + if (elv_bio_merge_ok(__rq, bio)) { + *rq = __rq; ++ if (blk_discard_mergable(__rq)) ++ return ELEVATOR_DISCARD_MERGE; + return ELEVATOR_FRONT_MERGE; + } + } +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1409,6 +1409,22 @@ static inline int queue_limit_discard_al + return offset << SECTOR_SHIFT; + } + ++/* ++ * Two cases of handling DISCARD merge: ++ * If max_discard_segments > 1, the driver takes every bio ++ * as a range and send them to controller together. The ranges ++ * needn't to be contiguous. ++ * Otherwise, the bios/requests will be handled as same as ++ * others which should be contiguous. ++ */ ++static inline bool blk_discard_mergable(struct request *req) ++{ ++ if (req_op(req) == REQ_OP_DISCARD && ++ queue_max_discard_segments(req->q) > 1) ++ return true; ++ return false; ++} ++ + static inline int bdev_discard_alignment(struct block_device *bdev) + { + struct request_queue *q = bdev_get_queue(bdev); diff --git a/queue-5.4/firmware_loader-use-kernel-credentials-when-reading-firmware.patch b/queue-5.4/firmware_loader-use-kernel-credentials-when-reading-firmware.patch new file mode 100644 index 00000000000..e3de9f5f5b0 --- /dev/null +++ b/queue-5.4/firmware_loader-use-kernel-credentials-when-reading-firmware.patch @@ -0,0 +1,87 @@ +From 581dd69830341d299b0c097fc366097ab497d679 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= +Date: Mon, 2 May 2022 10:49:52 +1000 +Subject: firmware_loader: use kernel credentials when reading firmware +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thiébaud Weksteen + +commit 581dd69830341d299b0c097fc366097ab497d679 upstream. + +Device drivers may decide to not load firmware when probed to avoid +slowing down the boot process should the firmware filesystem not be +available yet. In this case, the firmware loading request may be done +when a device file associated with the driver is first accessed. The +credentials of the userspace process accessing the device file may be +used to validate access to the firmware files requested by the driver. +Ensure that the kernel assumes the responsibility of reading the +firmware. + +This was observed on Android for a graphic driver loading their firmware +when the device file (e.g. /dev/mali0) was first opened by userspace +(i.e. surfaceflinger). The security context of surfaceflinger was used +to validate the access to the firmware file (e.g. +/vendor/firmware/mali.bin). + +Previously, Android configurations were not setting up the +firmware_class.path command line argument and were relying on the +userspace fallback mechanism. In this case, the security context of the +userspace daemon (i.e. ueventd) was consistently used to read firmware +files. More Android devices are now found to set firmware_class.path +which gives the kernel the opportunity to read the firmware directly +(via kernel_read_file_from_path_initns). In this scenario, the current +process credentials were used, even if unrelated to the loading of the +firmware file. + +Signed-off-by: Thiébaud Weksteen +Cc: # 5.10 +Reviewed-by: Paul Moore +Acked-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20220502004952.3970800-1-tweek@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_loader/main.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/base/firmware_loader/main.c ++++ b/drivers/base/firmware_loader/main.c +@@ -761,6 +761,8 @@ _request_firmware(const struct firmware + enum fw_opt opt_flags) + { + struct firmware *fw = NULL; ++ struct cred *kern_cred = NULL; ++ const struct cred *old_cred; + int ret; + + if (!firmware_p) +@@ -776,6 +778,18 @@ _request_firmware(const struct firmware + if (ret <= 0) /* error or already assigned */ + goto out; + ++ /* ++ * We are about to try to access the firmware file. Because we may have been ++ * called by a driver when serving an unrelated request from userland, we use ++ * the kernel credentials to read the file. ++ */ ++ kern_cred = prepare_kernel_cred(NULL); ++ if (!kern_cred) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ old_cred = override_creds(kern_cred); ++ + ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL); + #ifdef CONFIG_FW_LOADER_COMPRESS + if (ret == -ENOENT) +@@ -792,6 +806,9 @@ _request_firmware(const struct firmware + } else + ret = assign_fw(fw, device, opt_flags); + ++ revert_creds(old_cred); ++ put_cred(kern_cred); ++ + out: + if (ret < 0) { + fw_abort_batch_reqs(fw); diff --git a/queue-5.4/net-stmmac-disable-split-header-sph-for-intel-platforms.patch b/queue-5.4/net-stmmac-disable-split-header-sph-for-intel-platforms.patch new file mode 100644 index 00000000000..e8ac6b177b9 --- /dev/null +++ b/queue-5.4/net-stmmac-disable-split-header-sph-for-intel-platforms.patch @@ -0,0 +1,67 @@ +From 47f753c1108e287edb3e27fad8a7511a9d55578e Mon Sep 17 00:00:00 2001 +From: Tan Tee Min +Date: Fri, 29 Apr 2022 19:58:07 +0800 +Subject: net: stmmac: disable Split Header (SPH) for Intel platforms + +From: Tan Tee Min + +commit 47f753c1108e287edb3e27fad8a7511a9d55578e upstream. + +Based on DesignWare Ethernet QoS datasheet, we are seeing the limitation +of Split Header (SPH) feature is not supported for Ipv4 fragmented packet. +This SPH limitation will cause ping failure when the packets size exceed +the MTU size. For example, the issue happens once the basic ping packet +size is larger than the configured MTU size and the data is lost inside +the fragmented packet, replaced by zeros/corrupted values, and leads to +ping fail. + +So, disable the Split Header for Intel platforms. + +v2: Add fixes tag in commit message. + +Fixes: 67afd6d1cfdf("net: stmmac: Add Split Header support and enable it in XGMAC cores") +Cc: # 5.10.x +Suggested-by: Ong, Boon Leong +Signed-off-by: Mohammad Athari Bin Ismail +Signed-off-by: Wong Vee Khee +Signed-off-by: Tan Tee Min +Signed-off-by: David S. Miller +Signed-off-by: Tan Tee Min +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 1 + + include/linux/stmmac.h | 1 + + 3 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4531,7 +4531,7 @@ int stmmac_dvr_probe(struct device *devi + dev_info(priv->device, "TSO feature enabled\n"); + } + +- if (priv->dma_cap.sphen) { ++ if (priv->dma_cap.sphen && !priv->plat->sph_disable) { + ndev->hw_features |= NETIF_F_GRO; + priv->sph = true; + dev_info(priv->device, "SPH feature enabled\n"); +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -119,6 +119,7 @@ static int intel_mgbe_common_data(struct + plat->has_gmac4 = 1; + plat->force_sf_dma_mode = 0; + plat->tso_en = 1; ++ plat->sph_disable = 1; + + plat->rx_sched_algorithm = MTL_RX_ALGORITHM_SP; + +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -179,5 +179,6 @@ struct plat_stmmacenet_data { + int mac_port_sel_speed; + bool en_tx_lpi_clockgating; + int has_xgmac; ++ bool sph_disable; + }; + #endif diff --git a/queue-5.4/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch b/queue-5.4/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch new file mode 100644 index 00000000000..80c3b2df846 --- /dev/null +++ b/queue-5.4/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch @@ -0,0 +1,96 @@ +From 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 28 Mar 2022 11:37:05 -0700 +Subject: Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 upstream. + +Halil Pasic points out [1] that the full revert of that commit (revert +in bddac7c1e02b), and that a partial revert that only reverts the +problematic case, but still keeps some of the cleanups is probably +better.  + +And that partial revert [2] had already been verified by Oleksandr +Natalenko to also fix the issue, I had just missed that in the long +discussion. + +So let's reinstate the cleanups from commit aa6f8dcbab47 ("swiotlb: +rework "fix info leak with DMA_FROM_DEVICE""), and effectively only +revert the part that caused problems. + +Link: https://lore.kernel.org/all/20220328013731.017ae3e3.pasic@linux.ibm.com/ [1] +Link: https://lore.kernel.org/all/20220324055732.GB12078@lst.de/ [2] +Link: https://lore.kernel.org/all/4386660.LvFx2qVVIh@natalenko.name/ [3] +Suggested-by: Halil Pasic +Tested-by: Oleksandr Natalenko +Cc: Christoph Hellwig" +Signed-off-by: Linus Torvalds +[OP: backport to 5.4: adjusted context] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/DMA-attributes.txt | 10 ---------- + include/linux/dma-mapping.h | 8 -------- + kernel/dma/swiotlb.c | 13 ++++++++----- + 3 files changed, 8 insertions(+), 23 deletions(-) + +--- a/Documentation/DMA-attributes.txt ++++ b/Documentation/DMA-attributes.txt +@@ -156,13 +156,3 @@ accesses to DMA buffers in both privileg + subsystem that the buffer is fully accessible at the elevated privilege + level (and ideally inaccessible or at least read-only at the + lesser-privileged levels). +- +-DMA_ATTR_PRIVILEGED +-------------------- +- +-Some advanced peripherals such as remote processors and GPUs perform +-accesses to DMA buffers in both privileged "supervisor" and unprivileged +-"user" modes. This attribute is used to indicate to the DMA-mapping +-subsystem that the buffer is fully accessible at the elevated privilege +-level (and ideally inaccessible or at least read-only at the +-lesser-privileged levels). +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -71,14 +71,6 @@ + #define DMA_ATTR_PRIVILEGED (1UL << 9) + + /* +- * This is a hint to the DMA-mapping subsystem that the device is expected +- * to overwrite the entire mapped size, thus the caller does not require any +- * of the previous buffer contents to be preserved. This allows +- * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers. +- */ +-#define DMA_ATTR_OVERWRITE (1UL << 10) +- +-/* + * A dma_addr_t can hold any valid DMA or bus address for the platform. + * It can be given to a device to use as a DMA source or target. A CPU cannot + * reference a dma_addr_t directly because there may be translation between +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -571,11 +571,14 @@ found: + */ + for (i = 0; i < nslots; i++) + io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT); +- if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && +- (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE || +- dir == DMA_BIDIRECTIONAL)) +- swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE); +- ++ /* ++ * When dir == DMA_FROM_DEVICE we could omit the copy from the orig ++ * to the tlb buffer, if we knew for sure the device will ++ * overwirte the entire current content. But we don't. Thus ++ * unconditional bounce may prevent leaking swiotlb content (i.e. ++ * kernel memory) to user-space. ++ */ ++ swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE); + return tlb_addr; + } + diff --git a/queue-5.4/series b/queue-5.4/series index a2e164cf607..2974dfd83ed 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -57,5 +57,10 @@ ethernet-tulip-fix-missing-pci_disable_device-on-err.patch net-stmmac-fix-missing-pci_disable_device-on-error-i.patch net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch input-ili210x-fix-reset-timing.patch +block-return-elevator_discard_merge-if-possible.patch +net-stmmac-disable-split-header-sph-for-intel-platforms.patch +firmware_loader-use-kernel-credentials-when-reading-firmware.patch +arm-dts-imx7-use-audio_mclk_post_div-instead-audio_mclk_root_clk.patch +reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch i2c-mt7621-fix-missing-clk_disable_unprepare-on-erro.patch afs-fix-afs_getattr-to-refetch-file-status-if-callba.patch -- 2.47.3