From c4e73a6b1604343e1461012197de2aae6fc8c15a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 14 May 2021 22:13:36 -0400 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...e-to-deliver-midi-messages-for-multi.patch | 58 ++++ ...x-race-in-handling-acomp-eld-notific.patch | 66 ++++ ...sa-hdsp-don-t-disable-if-not-enabled.patch | 49 +++ ...a-hdspm-don-t-disable-if-not-enabled.patch | 49 +++ ...rme9652-don-t-disable-if-not-enabled.patch | 49 +++ ...eakpoint-do-not-directly-check-the-e.patch | 48 +++ ..._rt5640-add-quirk-for-the-chuwi-hi8-.patch | 56 ++++ ..._rt5640-enable-jack-detect-support-o.patch | 41 +++ ...snd_ssi_master_clk_start-from-rsnd_s.patch | 116 +++++++ ...check-convert-rate-in-rsnd_hw_params.patch | 113 +++++++ ...generalize-support-for-alc3263-codec.patch | 99 ++++++ ...rt286_set_gpio_-readable-and-writabl.patch | 39 +++ ...heck-for-zapped-sk-before-connecting.patch | 69 +++++ ...lize-skb_queue_head-at-l2cap_chan_cr.patch | 43 +++ ...nf_not_complete-as-l2cap_chan-defaul.patch | 77 +++++ ...n-add-pci-ids-for-hyper-v-vf-devices.patch | 86 ++++++ ...tx_work_queue-fix-tx_skb-race-condit.patch | 49 +++ ...eak-on-getattr-error-in-__fh_to_dent.patch | 37 +++ queue-5.4/cuse-prevent-clone.patch | 37 +++ ...fixed-divide-by-zero-kernel-crash-du.patch | 112 +++++++ ...force-vsync-flip-when-reconfiguring-.patch | 45 +++ ...oid-power-table-parsing-memory-leaks.patch | 64 ++++ ...ff-by-one-power_state-index-heap-ove.patch | 119 ++++++++ ...x-a-use-after-free-bug-in-enic_hard_.patch | 69 +++++ ...x-out-of-bounds-warning-in-store_lin.patch | 50 +++ ...dant-call-to-f2fs_balance_fs-if-an-e.patch | 45 +++ ...ix-out-of-bounds-warning-in-__skb_fl.patch | 53 ++++ queue-5.4/fs-dlm-fix-debugfs-dump.patch | 40 +++ ...dd-i2c_aq_no_rep_start-adapter-quirk.patch | 39 +++ ...early-when-rdwr-parameters-are-wrong.patch | 46 +++ ...e-identifiers-for-2.5g-and-5g-adapte.patch | 96 ++++++ ...tart-auto-negotiation-after-fec-modi.patch | 41 +++ ...se-after-free-in-i40e_client_subtask.patch | 37 +++ ...odule-fix-symbolizer-crash-on-fdescr.patch | 120 ++++++++ ...emove-duplicate-free-resources-calls.patch | 36 +++ 
...-performance-counter-pre-initializat.patch | 98 ++++++ ...ev_-hold-put-in-ndo_-un-init-methods.patch | 98 ++++++ ...nfig-nconf-stop-endless-search-loops.patch | 62 ++++ ...e-fix-error-return-code-of-kexec_cal.patch | 45 +++ ...rong-result-value-for-trace_mm_colla.patch | 63 ++++ ...al-missing-rmap_item-for-stable_node.patch | 57 ++++ ...he-beacon-s-crc-after-channel-switch.patch | 52 ++++ ...e-the-error-case-in-hugetlb_fix_rese.patch | 57 ++++ ...-potential-indeterminate-pte-entry-i.patch | 50 +++ .../mt76-mt76x0-disable-gtk-offloading.patch | 46 +++ ...suppression-is-enabled-exclude-rarp-.patch | 44 +++ ...rnet-mtk_eth_soc-fix-rx-vlan-offload.patch | 50 +++ ...mp-to-handle-more-then-one-trailing-.patch | 52 ++++ ...ck-for-hns3_nic_state_inited-in-hns3.patch | 44 +++ ...-phy-loopback-setting-in-hclge_mac_s.patch | 39 +++ ...s3-fix-for-vxlan-gpe-tx-checksum-bug.patch | 51 ++++ ...orrect-configuration-for-igu_egu_hw_.patch | 56 ++++ ...ize-the-message-content-in-hclge_get.patch | 38 +++ ...if_tx_disable-to-stop-the-transmit-q.patch | 44 +++ ...revent-cycle_time-0-in-parse_taprio_.patch | 46 +++ ...et-stmmac-set-fifo-sizes-for-ipq806x.patch | 44 +++ ...ink_osf-fix-a-missing-skb_header_poi.patch | 36 +++ ...es-avoid-overflows-in-nft_hash_bucke.patch | 76 +++++ ...mark-add-new-revision-to-fix-structu.patch | 173 +++++++++++ ...ly-with-attribute-generation-counter.patch | 49 +++ ...lush-out-writes-in-nfs42_proc_falloc.patch | 78 +++++ ...x-handling-of-sr_eof-in-seek-s-reply.patch | 43 +++ ...dpoint-fix-missing-destroy_workqueue.patch | 47 +++ ...turn-value-of-iproc_msi_irq_domain_a.patch | 43 +++ ...node-in-pci_scan_device-s-error-path.patch | 38 +++ ...use-int-for-register-masks-in-exynos.patch | 72 +++++ ...ix-incorrect-size-check-in-decode_nf.patch | 52 ++++ ...mmu-annotate-nested-lock-for-lockdep.patch | 70 +++++ ...stop-calling-printk-in-rtas_stop_sel.patch | 72 +++++ ...p-set-numa-node-before-updating-mask.patch | 90 ++++++ 
...ible-buffer-overflow-in-qtnf_event_h.patch | 43 +++ ...-fix-performance-counter-initializat.patch | 125 ++++++++ ...-code-returned-by-riscv_hartid_to_cp.patch | 39 +++ ..._native-fix-error-return-code-of-qco.patch | 39 +++ ...-ds1307-fix-wday-settings-for-rx8130.patch | 53 ++++ .../rtc-fsl-ftm-alarm-add-module_table.patch | 36 +++ ...broken-tracex1-due-to-kprobe-argumen.patch | 49 +++ ...nfairness-caused-by-missing-load-dec.patch | 123 ++++++++ ...ed-fix-out-of-bound-access-in-uclamp.patch | 49 +++ ...date-earlier-in-sctp_sf_do_dupcook_a.patch | 96 ++++++ ...mib_currestab-leak-in-sctp_sf_do_dup.patch | 52 ++++ ...bounds-warning-in-sctp_process_ascon.patch | 44 +++ ...cc-to-clang-in-lib.mk-if-llvm-is-set.patch | 42 +++ queue-5.4/series | 89 ++++++ ...c-disallow-tcp_ulp-in-smc_setsockopt.patch | 55 ++++ ...fix-misplaced-barrier-in-call_decode.patch | 68 +++++ ...of-fix-error-return-code-of-thermal_.patch | 53 ++++ ...dest-node-s-address-to-network-order.patch | 41 +++ ...t-of-bounds-warnings-in-wl3501_mgmt_.patch | 286 ++++++++++++++++++ ...t-of-bounds-warnings-in-wl3501_send_.patch | 147 +++++++++ 90 files changed, 5797 insertions(+) create mode 100644 queue-5.4/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch create mode 100644 queue-5.4/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch create mode 100644 queue-5.4/alsa-hdsp-don-t-disable-if-not-enabled.patch create mode 100644 queue-5.4/alsa-hdspm-don-t-disable-if-not-enabled.patch create mode 100644 queue-5.4/alsa-rme9652-don-t-disable-if-not-enabled.patch create mode 100644 queue-5.4/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch create mode 100644 queue-5.4/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch create mode 100644 queue-5.4/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch create mode 100644 queue-5.4/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch create mode 100644 queue-5.4/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch 
create mode 100644 queue-5.4/asoc-rt286-generalize-support-for-alc3263-codec.patch create mode 100644 queue-5.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch create mode 100644 queue-5.4/bluetooth-check-for-zapped-sk-before-connecting.patch create mode 100644 queue-5.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch create mode 100644 queue-5.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch create mode 100644 queue-5.4/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch create mode 100644 queue-5.4/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch create mode 100644 queue-5.4/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch create mode 100644 queue-5.4/cuse-prevent-clone.patch create mode 100644 queue-5.4/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch create mode 100644 queue-5.4/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch create mode 100644 queue-5.4/drm-radeon-avoid-power-table-parsing-memory-leaks.patch create mode 100644 queue-5.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch create mode 100644 queue-5.4/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch create mode 100644 queue-5.4/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch create mode 100644 queue-5.4/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch create mode 100644 queue-5.4/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch create mode 100644 queue-5.4/fs-dlm-fix-debugfs-dump.patch create mode 100644 queue-5.4/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch create mode 100644 queue-5.4/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch create mode 100644 queue-5.4/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch create mode 100644 queue-5.4/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch create mode 100644 queue-5.4/i40e-fix-use-after-free-in-i40e_client_subtask.patch create mode 100644 queue-5.4/ia64-module-fix-symbolizer-crash-on-fdescr.patch 
create mode 100644 queue-5.4/iavf-remove-duplicate-free-resources-calls.patch create mode 100644 queue-5.4/iommu-amd-remove-performance-counter-pre-initializat.patch create mode 100644 queue-5.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch create mode 100644 queue-5.4/kconfig-nconf-stop-endless-search-loops.patch create mode 100644 queue-5.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch create mode 100644 queue-5.4/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch create mode 100644 queue-5.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch create mode 100644 queue-5.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch create mode 100644 queue-5.4/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch create mode 100644 queue-5.4/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch create mode 100644 queue-5.4/mt76-mt76x0-disable-gtk-offloading.patch create mode 100644 queue-5.4/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch create mode 100644 queue-5.4/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch create mode 100644 queue-5.4/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch create mode 100644 queue-5.4/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch create mode 100644 queue-5.4/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch create mode 100644 queue-5.4/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch create mode 100644 queue-5.4/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch create mode 100644 queue-5.4/net-hns3-initialize-the-message-content-in-hclge_get.patch create mode 100644 queue-5.4/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch create mode 100644 queue-5.4/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch create mode 100644 queue-5.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch create mode 100644 queue-5.4/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch create mode 100644 
queue-5.4/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch create mode 100644 queue-5.4/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch create mode 100644 queue-5.4/nfs-deal-correctly-with-attribute-generation-counter.patch create mode 100644 queue-5.4/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch create mode 100644 queue-5.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch create mode 100644 queue-5.4/pci-endpoint-fix-missing-destroy_workqueue.patch create mode 100644 queue-5.4/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch create mode 100644 queue-5.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch create mode 100644 queue-5.4/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch create mode 100644 queue-5.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch create mode 100644 queue-5.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch create mode 100644 queue-5.4/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch create mode 100644 queue-5.4/powerpc-smp-set-numa-node-before-updating-mask.patch create mode 100644 queue-5.4/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch create mode 100644 queue-5.4/revert-iommu-amd-fix-performance-counter-initializat.patch create mode 100644 queue-5.4/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch create mode 100644 queue-5.4/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch create mode 100644 queue-5.4/rtc-ds1307-fix-wday-settings-for-rx8130.patch create mode 100644 queue-5.4/rtc-fsl-ftm-alarm-add-module_table.patch create mode 100644 queue-5.4/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch create mode 100644 queue-5.4/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch create mode 100644 queue-5.4/sched-fix-out-of-bound-access-in-uclamp.patch create mode 100644 queue-5.4/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch create mode 100644 
queue-5.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch create mode 100644 queue-5.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch create mode 100644 queue-5.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch create mode 100644 queue-5.4/smc-disallow-tcp_ulp-in-smc_setsockopt.patch create mode 100644 queue-5.4/sunrpc-fix-misplaced-barrier-in-call_decode.patch create mode 100644 queue-5.4/thermal-thermal_of-fix-error-return-code-of-thermal_.patch create mode 100644 queue-5.4/tipc-convert-dest-node-s-address-to-network-order.patch create mode 100644 queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch create mode 100644 queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch diff --git a/queue-5.4/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch b/queue-5.4/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch new file mode 100644 index 00000000000..3668ec611b1 --- /dev/null +++ b/queue-5.4/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch 
@@ -0,0 +1,58 @@ +From b72c4bf779e51b5482dc16143cd5ce783e04e1ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:28:31 +0900 +Subject: ALSA: bebob: enable to deliver MIDI messages for multiple ports + +From: Takashi Sakamoto + +[ Upstream commit d2b6f15bc18ac8fbce25398290774c21f5b2cd44 ] + +Current implementation of bebob driver doesn't correctly handle the case +that the device has multiple MIDI ports. The cause is the number of MIDI +conformant data channels is passed to AM824 data block processing layer. + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210321032831.340278-4-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/bebob/bebob_stream.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/firewire/bebob/bebob_stream.c b/sound/firewire/bebob/bebob_stream.c +index ce07ea0d4e71..3935e90c8e8f 100644 +--- a/sound/firewire/bebob/bebob_stream.c ++++ b/sound/firewire/bebob/bebob_stream.c +@@ -534,20 +534,22 @@ int snd_bebob_stream_init_duplex(struct snd_bebob *bebob) + static int keep_resources(struct snd_bebob *bebob, struct amdtp_stream *stream, + unsigned int rate, unsigned int index) + { +- struct snd_bebob_stream_formation *formation; ++ unsigned int pcm_channels; ++ unsigned int midi_ports; + struct cmp_connection *conn; + int err; + + if (stream == &bebob->tx_stream) { +- formation = bebob->tx_stream_formations + index; ++ pcm_channels = bebob->tx_stream_formations[index].pcm; ++ midi_ports = bebob->midi_input_ports; + conn = &bebob->out_conn; + } else { +- formation = bebob->rx_stream_formations + index; ++ pcm_channels = bebob->rx_stream_formations[index].pcm; ++ midi_ports = bebob->midi_output_ports; + conn = &bebob->in_conn; + } + +- err = amdtp_am824_set_parameters(stream, rate, formation->pcm, +- formation->midi, false); ++ err = amdtp_am824_set_parameters(stream, rate, pcm_channels, 
midi_ports, false); + if (err < 0) + return err; + +-- +2.30.2 + diff --git a/queue-5.4/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch b/queue-5.4/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch new file mode 100644 index 00000000000..da8292553bf --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch 
@@ -0,0 +1,66 @@
+From a177b61a0c001a6b038451c491765001d0bf69a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Apr 2021 16:11:57 +0300
+Subject: ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume
+
+From: Kai Vehmanen
+
+[ Upstream commit 0c37e2eb6b83e375e8a654d01598292d5591fc65 ]
+
+When snd-hda-codec-hdmi is used with ASoC HDA controller like SOF (acomp
+used for ELD notifications), display connection change done during suspend,
+can be lost due to following sequence of events:
+
+ 1. system in S3 suspend
+ 2. DP/HDMI receiver connected
+ 3. system resumed
+ 4. HDA controller resumed, but card->deferred_resume_work not complete
+ 5. acomp eld_notify callback
+ 6. eld_notify ignored as power state is not CTL_POWER_D0
+ 7. HDA resume deferred work completed, power state set to CTL_POWER_D0
+
+This results in losing the notification, and the jack state reported to
+user-space is not correct.
+
+The check on step 6 was added in commit 8ae743e82f0b ("ALSA: hda - Skip
+ELD notification during system suspend"). It would seem with the deferred
+resume logic in ASoC core, this check is not safe.
+
+Fix the issue by modifying the check to use "dev.power.power_state.event"
+instead of ALSA specific card power state variable.
+
+BugLink: https://github.com/thesofproject/linux/issues/2825
+Suggested-by: Takashi Iwai
+Signed-off-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20210416131157.1881366-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/patch_hdmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index ce38b5d4670d..f620b402b309 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2567,7 +2567,7 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id)
+ /* skip notification during system suspend (but not in runtime PM);
+ * the state will be updated at resume
+ */
+- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+ /* ditto during suspend/resume process itself */
+ if (snd_hdac_is_in_pm(&codec->core))
+@@ -2772,7 +2772,7 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe)
+ /* skip notification during system suspend (but not in runtime PM);
+ * the state will be updated at resume
+ */
+- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+ /* ditto during suspend/resume process itself */
+ if (snd_hdac_is_in_pm(&codec->core))
+--
+2.30.2
+
diff --git a/queue-5.4/alsa-hdsp-don-t-disable-if-not-enabled.patch b/queue-5.4/alsa-hdsp-don-t-disable-if-not-enabled.patch
new file mode 100644
index 00000000000..c16f073b9c6
--- /dev/null
+++ b/queue-5.4/alsa-hdsp-don-t-disable-if-not-enabled.patch
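Review bot: The replacement test in generic_acomp_pin_eld_notify() matches only `PM_EVENT_SUSPEND`, whereas the line it replaces skipped the notification for every card power state other than D0. If the codec's `power_state` can carry other system-sleep events (a hibernation freeze, for example; not visible in this hunk), those notifications are no longer filtered by this line and depend entirely on the `snd_hdac_is_in_pm()` test that follows. The same applies to the identical change in intel_pin_eld_notify(). I would extend the existing comment to record the intent, e.g. `/* only PM_EVENT_SUSPEND is skipped here; in-flight PM transitions are caught by snd_hdac_is_in_pm() below */`, and note that `power_state.event` is read in the callback without any lock visible in the hunk. Both functions begin and end outside the hunks.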
@@ -0,0 +1,49 @@
+From 28d44bf81f9e3d36f6008d6c737b75828c7e6185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Mar 2021 11:38:38 -0400
+Subject: ALSA: hdsp: don't disable if not enabled
+
+From: Tong Zhang
+
+[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ]
+
+hdsp wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device
+[ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.766985] Call Trace:
+[ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp]
+[ 1.767388] release_card_device+0x4b/0x80 [snd]
+[ 1.767639] device_release+0x3b/0xa0
+[ 1.767838] kobject_put+0x94/0x1b0
+[ 1.768027] put_device+0x13/0x20
+[ 1.768207] snd_card_free+0x61/0x90 [snd]
+[ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp]
+
+Suggested-by: Takashi Iwai
+Signed-off-by: Tong Zhang
+Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/rme9652/hdsp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index 5cbdc9be9c7e..c7b3e76ea2d2 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -5326,7 +5326,8 @@ static int snd_hdsp_free(struct hdsp *hdsp)
+ if (hdsp->port)
+ pci_release_regions(hdsp->pci);
+
+- pci_disable_device(hdsp->pci);
++ if (pci_is_enabled(hdsp->pci))
++ pci_disable_device(hdsp->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/alsa-hdspm-don-t-disable-if-not-enabled.patch b/queue-5.4/alsa-hdspm-don-t-disable-if-not-enabled.patch
new file mode 100644
index 00000000000..0cc712ce3fc
--- /dev/null
+++ b/queue-5.4/alsa-hdspm-don-t-disable-if-not-enabled.patch
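Review bot: The new `pci_is_enabled(hdsp->pci)` guard in snd_hdsp_free() tests the PCI core's device-wide enable count, not whether this driver's own probe got as far as a successful pci_enable_device(). That silences the warning in the trace, but if anything else holds an enable reference on the device when probe fails early, the free path would still drop a count the driver never took; whether that can happen is not visible from the hunk. The guard deserves a comment stating the assumption, e.g. `/* probe can fail before pci_enable_device(); free runs regardless */`. The same applies to the matching changes in snd_hdspm_free() and snd_rme9652_free() in the next two patches. snd_hdsp_free() starts outside the hunk.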
@@ -0,0 +1,49 @@
+From a9eb160962730309fd9ebb7f9c1bc1024c8747ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Mar 2021 11:38:39 -0400
+Subject: ALSA: hdspm: don't disable if not enabled
+
+From: Tong Zhang
+
+[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ]
+
+hdspm wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device
+[ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.795181] Call Trace:
+[ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm]
+[ 1.795595] release_card_device+0x4b/0x80 [snd]
+[ 1.795860] device_release+0x3b/0xa0
+[ 1.796072] kobject_put+0x94/0x1b0
+[ 1.796260] put_device+0x13/0x20
+[ 1.796438] snd_card_free+0x61/0x90 [snd]
+[ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm]
+
+Suggested-by: Takashi Iwai
+Signed-off-by: Tong Zhang
+Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/rme9652/hdspm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index 81a6f4b2bd3c..e34f07c9ff47 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -6889,7 +6889,8 @@ static int snd_hdspm_free(struct hdspm * hdspm)
+ if (hdspm->port)
+ pci_release_regions(hdspm->pci);
+
+- pci_disable_device(hdspm->pci);
++ if (pci_is_enabled(hdspm->pci))
++ pci_disable_device(hdspm->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/alsa-rme9652-don-t-disable-if-not-enabled.patch b/queue-5.4/alsa-rme9652-don-t-disable-if-not-enabled.patch
new file mode 100644
index 00000000000..cc7487e81e5
--- /dev/null
+++ b/queue-5.4/alsa-rme9652-don-t-disable-if-not-enabled.patch
@@ -0,0 +1,49 @@
+From 62bface8e7ce05575b97cb40d31cb7be9f56725b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Mar 2021 11:38:40 -0400
+Subject: ALSA: rme9652: don't disable if not enabled
+
+From: Tong Zhang
+
+[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ]
+
+rme9652 wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device
+[ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.759968] Call Trace:
+[ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652]
+[ 1.760434] release_card_device+0x4b/0x80 [snd]
+[ 1.760679] device_release+0x3b/0xa0
+[ 1.760874] kobject_put+0x94/0x1b0
+[ 1.761059] put_device+0x13/0x20
+[ 1.761235] snd_card_free+0x61/0x90 [snd]
+[ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652]
+
+Suggested-by: Takashi Iwai
+Signed-off-by: Tong Zhang
+Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/rme9652/rme9652.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
+index 4c851f8dcaf8..73ad6e74aac9 100644
+--- a/sound/pci/rme9652/rme9652.c
++++ b/sound/pci/rme9652/rme9652.c
+@@ -1745,7 +1745,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652)
+ if (rme9652->port)
+ pci_release_regions(rme9652->pci);
+
+- pci_disable_device(rme9652->pci);
++ if (pci_is_enabled(rme9652->pci))
++ pci_disable_device(rme9652->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch b/queue-5.4/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
new file mode 100644
index 00000000000..cd8b641f05a
--- /dev/null
+++ b/queue-5.4/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
@@ -0,0 +1,48 @@
+From 9959f5b56d246b8dcd46fbf971b146b0bb027292 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Feb 2021 03:00:05 +0100
+Subject: ARM: 9064/1: hw_breakpoint: Do not directly check the event's
+ overflow_handler hook
+
+From: Zhen Lei
+
+[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ]
+
+The commit 1879445dfa7b ("perf/core: Set event's default
+::overflow_handler()") set a default event->overflow_handler in
+perf_event_alloc(), and replace the check event->overflow_handler with
+is_default_overflow_handler(), but one is missing.
+
+Currently, the bp->overflow_handler can not be NULL. As a result,
+enable_single_step() is always not invoked.
+
+Comments from Zhen Lei:
+
+ https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/
+
+Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()")
+Signed-off-by: Zhen Lei
+Cc: Wang Nan
+Acked-by: Will Deacon
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 7021ef0b4e71..b06d9ea07c84 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -883,7 +883,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
+ info->trigger = addr;
+ pr_debug("breakpoint fired: address = 0x%x\n", addr);
+ perf_bp_event(bp, regs);
+- if (!bp->overflow_handler)
++ if (is_default_overflow_handler(bp))
+ enable_single_step(bp, addr);
+ goto unlock;
+ }
+--
+2.30.2
+
diff --git a/queue-5.4/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch b/queue-5.4/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch
new file mode 100644
index 00000000000..8b659e8e9e4
--- /dev/null
+++ b/queue-5.4/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch
@@ -0,0 +1,56 @@ +From c300ad619349520f02d9fd7502333ff38f2a7cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 23:10:54 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet + +From: Hans de Goede + +[ Upstream commit 875c40eadf6ac6644c0f71842a4f30dd9968d281 ] + +The Chuwi Hi8 tablet is using an analog mic on IN1 and has its +jack-detect connected to JD2_IN4N, instead of using the default +IN3 for its internal mic and JD1_IN4P for jack-detect. + +It also only has 1 speaker. + +Add a quirk applying the correct settings for this configuration. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210325221054.22714-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 006cf1e8b602..46a81d4f0b2d 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -512,6 +512,23 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), + }, ++ { ++ /* Chuwi Hi8 (CWI509) */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Hampoo"), ++ DMI_MATCH(DMI_BOARD_NAME, "BYT-PA03C"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ilife"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "S806"), ++ }, ++ .driver_data = (void *)(BYT_RT5640_IN1_MAP | ++ BYT_RT5640_JD_SRC_JD2_IN4N | ++ BYT_RT5640_OVCD_TH_2000UA | ++ BYT_RT5640_OVCD_SF_0P75 | ++ BYT_RT5640_MONO_SPEAKER | ++ BYT_RT5640_DIFF_MIC | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Circuitco"), +-- +2.30.2 + diff --git a/queue-5.4/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch b/queue-5.4/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch new file mode 100644 index 00000000000..0d7294766bc --- /dev/null 
+++ b/queue-5.4/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch @@ -0,0 +1,41 @@ +From 5eefb238b2f889a97b2858b1daff4355a6ece588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 12:48:50 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF + +From: Hans de Goede + +[ Upstream commit b7c7203a1f751348f35fc4bcb157572d303f7573 ] + +The Asus T100TAF uses the same jack-detect settings as the T100TA, +this has been confirmed on actual hardware. + +Add these settings to the T100TAF quirks to enable jack-detect support +on the T100TAF. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210312114850.13832-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index cfd307717473..006cf1e8b602 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -476,6 +476,9 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"), + }, + .driver_data = (void *)(BYT_RT5640_IN1_MAP | ++ BYT_RT5640_JD_SRC_JD2_IN4N | ++ BYT_RT5640_OVCD_TH_2000UA | ++ BYT_RT5640_OVCD_SF_0P75 | + BYT_RT5640_MONO_SPEAKER | + BYT_RT5640_DIFF_MIC | + BYT_RT5640_SSP0_AIF2 | +-- +2.30.2 + diff --git a/queue-5.4/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch b/queue-5.4/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch new file mode 100644 index 00000000000..cd425688d0c --- /dev/null +++ b/queue-5.4/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch 
@@ -0,0 +1,116 @@ +From 20d064bd92a3c2f0d2bc8dc03c1ea10d24e09cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 13:28:38 +0900 +Subject: ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() + +From: Kuninori Morimoto + +[ Upstream commit a122a116fc6d8fcf2f202dcd185173a54268f239 ] + +Current rsnd needs to call .prepare (P) for clock settings, +.trigger for playback start (S) and stop (E). +It should be called as below from SSI point of view. + + P -> S -> E -> P -> S -> E -> ... + +But, if you used MIXer, below case might happen + + (2) + 1: P -> S ---> E -> ... + 2: P ----> S -> ... + (1) (3) + +P(1) setups clock, but E(2) resets it. and starts playback (3). +In such case, it will reports "SSI parent/child should use same rate". + +rsnd_ssi_master_clk_start() which is the main function at (P) +was called from rsnd_ssi_init() (= S) before, +but was moved by below patch to rsnd_soc_dai_prepare() (= P) to avoid +using clk_get_rate() which shouldn't be used under atomic context. + + commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set + under non-atomic") + +Because of above patch, rsnd_ssi_master_clk_start() is now called at (P) +which is for non atomic context. But (P) is assuming that spin lock is +*not* used. +One issue now is rsnd_ssi_master_clk_start() is checking ssi->xxx +which should be protected by spin lock. + +After above patch, adg.c had below patch for other reasons. + + commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() + under atomic context") + +clk_get_rate() is used at probe() timing by this patch. +In other words, rsnd_ssi_master_clk_start() is no longer using +clk_get_rate() any more. + +This means we can call it from rsnd_ssi_init() (= S) again which is +protected by spin lock. +This patch re-move it to under spin lock, and solves +1. checking ssi->xxx without spin lock issue. +2. clk setting / device start / device stop race condition. + +Reported-by: Linh Phung T. Y. 
+Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/875z0x1jt5.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 47d5ddb526f2..8926dd69e8b8 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -507,10 +507,15 @@ static int rsnd_ssi_init(struct rsnd_mod *mod, + struct rsnd_priv *priv) + { + struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod); ++ int ret; + + if (!rsnd_ssi_is_run_mods(mod, io)) + return 0; + ++ ret = rsnd_ssi_master_clk_start(mod, io); ++ if (ret < 0) ++ return ret; ++ + ssi->usrcnt++; + + rsnd_mod_power_on(mod); +@@ -1060,13 +1065,6 @@ static int rsnd_ssi_pio_pointer(struct rsnd_mod *mod, + return 0; + } + +-static int rsnd_ssi_prepare(struct rsnd_mod *mod, +- struct rsnd_dai_stream *io, +- struct rsnd_priv *priv) +-{ +- return rsnd_ssi_master_clk_start(mod, io); +-} +- + static struct rsnd_mod_ops rsnd_ssi_pio_ops = { + .name = SSI_NAME, + .probe = rsnd_ssi_common_probe, +@@ -1079,7 +1077,6 @@ static struct rsnd_mod_ops rsnd_ssi_pio_ops = { + .pointer = rsnd_ssi_pio_pointer, + .pcm_new = rsnd_ssi_pcm_new, + .hw_params = rsnd_ssi_hw_params, +- .prepare = rsnd_ssi_prepare, + .get_status = rsnd_ssi_get_status, + }; + +@@ -1166,7 +1163,6 @@ static struct rsnd_mod_ops rsnd_ssi_dma_ops = { + .pcm_new = rsnd_ssi_pcm_new, + .fallback = rsnd_ssi_fallback, + .hw_params = rsnd_ssi_hw_params, +- .prepare = rsnd_ssi_prepare, + .get_status = rsnd_ssi_get_status, + }; + +-- +2.30.2 + diff --git a/queue-5.4/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch b/queue-5.4/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch new file mode 100644 index 00000000000..b84069d3859 --- /dev/null +++ b/queue-5.4/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch 
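Review bot: Nothing at the new `rsnd_ssi_master_clk_start(mod, io)` call in rsnd_ssi_init() records the constraint the commit message relies on, namely that this path now runs with the spin lock held and therefore must never sleep. A comment on the call would keep a later change from reintroducing a sleeping clk call here, for example `/* runs under the stream spin lock: rsnd_ssi_master_clk_start() must not sleep */`. The early `return ret` also leaves before `ssi->usrcnt++`; whether the matching quit path tolerates an init that failed at this point cannot be seen from the hunk and is worth confirming. rsnd_ssi_init() continues outside the hunk.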
@@ -0,0 +1,113 @@
+From 367aef231ee1f49e1f5eeba2632fff4a3e69ad15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Mar 2021 14:47:35 +1000
+Subject: ASoC: rsnd: core: Check convert rate in rsnd_hw_params
+
+From: Mikhail Durnev
+
+[ Upstream commit 19c6a63ced5e07e40f3a5255cb1f0fe0d3be7b14 ]
+
+snd_pcm_hw_params_set_rate_near can return incorrect sample rate in
+some cases, e.g. when the backend output rate is set to some value higher
+than 48000 Hz and the input rate is 8000 Hz. So passing the value returned
+by snd_pcm_hw_params_set_rate_near to snd_pcm_hw_params will result in
+"FSO/FSI ratio error" and playing no audio at all while the userland
+is not properly notified about the issue.
+
+If SRC is unable to convert the requested sample rate to the sample rate
+the backend is using, then the requested sample rate should be adjusted in
+rsnd_hw_params. The userland will be notified about that change in the
+returned hw_params structure.
+
+Signed-off-by: Mikhail Durnev
+Link: https://lore.kernel.org/r/1615870055-13954-1-git-send-email-mikhail_durnev@mentor.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sh/rcar/core.c | 69 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
+index a6c1cf987e6e..df8d7b53b760 100644
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -1426,8 +1426,75 @@ static int rsnd_hw_params(struct snd_pcm_substream *substream,
+ }
+ if (io->converted_chan)
+ dev_dbg(dev, "convert channels = %d\n", io->converted_chan);
+- if (io->converted_rate)
++ if (io->converted_rate) {
++ /*
++ * SRC supports convert rates from params_rate(hw_params)/k_down
++ * to params_rate(hw_params)*k_up, where k_up is always 6, and
++ * k_down depends on number of channels and SRC unit.
++ * So all SRC units can upsample audio up to 6 times regardless
++ * its number of channels. And all SRC units can downsample
++ * 2 channel audio up to 6 times too.
++ */
++ int k_up = 6;
++ int k_down = 6;
++ int channel;
++ struct rsnd_mod *src_mod = rsnd_io_to_mod_src(io);
++
+ dev_dbg(dev, "convert rate = %d\n", io->converted_rate);
++
++ channel = io->converted_chan ? io->converted_chan :
++ params_channels(hw_params);
++
++ switch (rsnd_mod_id(src_mod)) {
++ /*
++ * SRC0 can downsample 4, 6 and 8 channel audio up to 4 times.
++ * SRC1, SRC3 and SRC4 can downsample 4 channel audio
++ * up to 4 times.
++ * SRC1, SRC3 and SRC4 can downsample 6 and 8 channel audio
++ * no more than twice.
++ */
++ case 1:
++ case 3:
++ case 4:
++ if (channel > 4) {
++ k_down = 2;
++ break;
++ }
++ fallthrough;
++ case 0:
++ if (channel > 2)
++ k_down = 4;
++ break;
++
++ /* Other SRC units do not support more than 2 channels */
++ default:
++ if (channel > 2)
++ return -EINVAL;
++ }
++
++ if (params_rate(hw_params) > io->converted_rate * k_down) {
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
++ io->converted_rate * k_down;
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
++ io->converted_rate * k_down;
++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
++ } else if (params_rate(hw_params) * k_up < io->converted_rate) {
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
++ (io->converted_rate + k_up - 1) / k_up;
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
++ (io->converted_rate + k_up - 1) / k_up;
++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
++ }
++
++ /*
++ * TBD: Max SRC input and output rates also depend on number
++ * of channels and SRC unit:
++ * SRC1, SRC3 and SRC4 do not support more than 128kHz
++ * for 6 channel and 96kHz for 8 channel audio.
++ * Perhaps this function should return EINVAL if the input or
++ * the output rate exceeds the limitation.
++ */
++ }
+ }
+
+ ret = rsnd_dai_call(hw_params, io, substream, hw_params);
+--
+2.30.2
+
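Review bot: Both rate-adjustment branches in rsnd_hw_params() end with `hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;`, which ORs in the parameter's index rather than a bit for it. If cmask follows the usual one-bit-per-parameter convention of the PCM core, this flags unrelated parameters as changed and may leave the rate bit clear, so userland is not reliably told about the adjustment the commit message promises. In that case both lines should read `hw_params->cmask |= 1 << SNDRV_PCM_HW_PARAM_RATE;`. Separately, `io->converted_rate * k_down` is an int multiply on a value whose bounds are not visible in this hunk, so it is worth confirming that the rate is range-checked where it is set.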
diff --git a/queue-5.4/asoc-rt286-generalize-support-for-alc3263-codec.patch b/queue-5.4/asoc-rt286-generalize-support-for-alc3263-codec.patch
new file mode 100644
index 00000000000..c34695a003d
--- /dev/null
+++ b/queue-5.4/asoc-rt286-generalize-support-for-alc3263-codec.patch
@@ -0,0 +1,99 @@
+From faf4bd1f8d83660f6c6057734302d61b34f6a516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Apr 2021 09:46:58 -0400
+Subject: ASoC: rt286: Generalize support for ALC3263 codec
+
+From: David Ward
+
+[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ]
+
+The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350
+and Venue 11 Pro 7140. They require the same handling for the combo jack to
+work with a headset: GPIO pin 6 must be set.
+
+The HDA driver always sets this pin on the ALC3263, which it distinguishes
+by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028
+(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to
+determine if Dell is the system vendor.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961
+Signed-off-by: David Ward
+Reviewed-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt286.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 9593a9a27bf8..03e3e0aa25a2 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1115,12 +1115,11 @@ static const struct dmi_system_id force_combo_jack_table[] = {
+ { }
+ };
+
+-static const struct dmi_system_id dmi_dell_dino[] = {
++static const struct dmi_system_id dmi_dell[] = {
+ {
+- .ident = "Dell Dino",
++ .ident = "Dell",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343")
+ }
+ },
+ { }
+@@ -1131,7 +1130,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ {
+ struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev);
+ struct rt286_priv *rt286;
+- int i, ret, val;
++ int i, ret, vendor_id;
+
+ rt286 = devm_kzalloc(&i2c->dev, sizeof(*rt286),
+ GFP_KERNEL);
+@@ -1147,14 +1146,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ }
+
+ ret = regmap_read(rt286->regmap,
+- RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val);
++ RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id);
+ if (ret != 0) {
+ dev_err(&i2c->dev, "I2C error %d\n", ret);
+ return ret;
+ }
+- if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) {
++ if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) {
+ dev_err(&i2c->dev,
+- "Device with ID register %#x is not rt286\n", val);
++ "Device with ID register %#x is not rt286\n",
++ vendor_id);
+ return -ENODEV;
+ }
+
+@@ -1178,8 +1178,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ if (pdata)
+ rt286->pdata = *pdata;
+
+- if (dmi_check_system(force_combo_jack_table) ||
+- dmi_check_system(dmi_dell_dino))
++ if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) ||
++ dmi_check_system(force_combo_jack_table))
+ rt286->pdata.cbj_en = true;
+
+ regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3);
+@@ -1218,7 +1218,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737);
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f);
+
+- if (dmi_check_system(dmi_dell_dino)) {
++ if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) {
+ regmap_update_bits(rt286->regmap,
+ RT286_SET_GPIO_MASK, 0x40, 0x40);
+ regmap_update_bits(rt286->regmap,
+--
+2.30.2
+
diff --git a/queue-5.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch b/queue-5.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
new file mode 100644
index 00000000000..6cf95918a82
--- /dev/null
+++ b/queue-5.4/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
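Review bot: `int i, ret, vendor_id;` in rt286_i2c_probe() keeps the signed type of the old `val`, yet the variable is filled through `&vendor_id` by regmap_read(), whose output parameter is an unsigned int, and it is printed with `%#x`. Declaring it on its own line as `unsigned int vendor_id;` matches both uses and keeps the comparisons against RT286_VENDOR_ID and RT288_VENDOR_ID free of sign surprises. The pair `vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)` is also evaluated twice; since dmi_dell now matches every Dell system, caching the result in one bool would make the widened scope easier to audit. The probe function starts and ends outside these hunks.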
@@ -0,0 +1,39 @@
+From b0cb4cd1d77bd74127bd1514dda516c4ec9a4a3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Apr 2021 09:46:57 -0400
+Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
+
+From: David Ward
+
+[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ]
+
+The GPIO configuration cannot be applied if the registers are inaccessible.
+This prevented the headset mic from working on the Dell XPS 13 9343.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171
+Signed-off-by: David Ward
+Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt286.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 03e3e0aa25a2..d8ab8af2c786 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -171,6 +171,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg)
+ case RT286_PROC_COEF:
+ case RT286_SET_AMP_GAIN_ADC_IN1:
+ case RT286_SET_AMP_GAIN_ADC_IN2:
++ case RT286_SET_GPIO_MASK:
++ case RT286_SET_GPIO_DIRECTION:
++ case RT286_SET_GPIO_DATA:
+ case RT286_SET_POWER(RT286_DAC_OUT1):
+ case RT286_SET_POWER(RT286_DAC_OUT2):
+ case RT286_SET_POWER(RT286_ADC_IN1):
+--
+2.30.2
+
diff --git a/queue-5.4/bluetooth-check-for-zapped-sk-before-connecting.patch b/queue-5.4/bluetooth-check-for-zapped-sk-before-connecting.patch
new file mode 100644
index 00000000000..6013a390256
--- /dev/null
+++ b/queue-5.4/bluetooth-check-for-zapped-sk-before-connecting.patch
@@ -0,0 +1,69 @@
+From 2aee6bf051f68df8360c8da47ee93ae00a516561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Mar 2021 16:32:20 +0800
+Subject: Bluetooth: check for zapped sk before connecting
+
+From: Archie Pusaka
+
+[ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ]
+
+There is a possibility of receiving a zapped sock on
+l2cap_sock_connect(). This could lead to interesting crashes, one
+such case is tearing down an already tore l2cap_sock as is happened
+with this call trace:
+
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+register_lock_class kernel/locking/lockdep.c:792 [inline]
+register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742
+__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105
+lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599
+__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
+_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175
+spin_lock_bh include/linux/spinlock.h:307 [inline]
+lock_sock_nested+0x44/0xfa net/core/sock.c:2518
+l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345
+l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598
+l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756
+l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429
+process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064
+worker_thread+0x5a5/0x773 kernel/workqueue.c:2196
+kthread+0x291/0x2a6 kernel/kthread.c:211
+ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604
+
+Signed-off-by: Archie Pusaka
+Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud
+Reviewed-by: Abhishek Pandit-Subedi
+Reviewed-by: Guenter Roeck
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_sock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 8648c5211ebe..e693fee08623 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct sockaddr_l2 la;
+ int len, err = 0;
++ bool zapped;
+
+ BT_DBG("sk %p", sk);
+
++ lock_sock(sk);
++ zapped = sock_flag(sk, SOCK_ZAPPED);
++ release_sock(sk);
++
++ if (zapped)
++ return -EINVAL;
++
+ if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
+ addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+--
+2.30.2
+
diff --git a/queue-5.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch b/queue-5.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
new file mode 100644
index 00000000000..78227d93456
--- /dev/null
+++ b/queue-5.4/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
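Review bot: The SOCK_ZAPPED test added to l2cap_sock_connect() is only a snapshot: the flag is read under lock_sock(), but the lock is released before `if (zapped)` and before the rest of the function runs. If the socket can become zapped after release_sock(), the teardown path shown in the call trace stays reachable through a narrower window. Either the check should live inside the locked region that performs the connect, which is outside this hunk, or the limitation should be stated at the check, for example `/* best effort: sk may still be zapped once the lock is dropped */`.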
@@ -0,0 +1,43 @@
+From 9722253c85a22b651596a562e32691c95224624d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Mar 2021 07:52:07 +0900
+Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create()
+
+From: Tetsuo Handa
+
+[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ]
+
+syzbot is hitting "INFO: trying to register non-static key." message [1],
+for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when
+l2cap_chan_del() is called due to e.g. timeout.
+
+Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create()
+immediately after "struct l2cap_chan" is allocated using kzalloc(), let's
+as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there.
+
+[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842
+
+Reported-and-tested-by: syzbot
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index f5039700d927..959a16b13303 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -450,6 +450,8 @@ struct l2cap_chan *l2cap_chan_create(void)
+ if (!chan)
+ return NULL;
+
++ skb_queue_head_init(&chan->tx_q);
++ skb_queue_head_init(&chan->srej_q);
+ mutex_init(&chan->lock);
+
+ /* Set default lock nesting level */
+--
+2.30.2
+
diff --git a/queue-5.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch b/queue-5.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
new file mode 100644
index 00000000000..ddcd1a9f5ef
--- /dev/null
+++ b/queue-5.4/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
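Review bot: The two skb_queue_head_init() calls added to l2cap_chan_create() carry no comment, and next to mutex_init() their purpose is not obvious. Per the commit message they exist so that l2cap_chan_del() finds initialised tx_q and srej_q locks even when it runs before the channel has been set up, for example on a timeout. I would add `/* queue locks must be valid before any early l2cap_chan_del() */` above them so the initialisation is not later moved back to a setup path that can be skipped.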
@@ -0,0 +1,77 @@
+From 2354aafddc2a0ea286105c7f64bbad583345cb01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Mar 2021 14:02:15 +0800
+Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
+
+From: Archie Pusaka
+
+[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ]
+
+Currently l2cap_chan_set_defaults() reset chan->conf_state to zero.
+However, there is a flag CONF_NOT_COMPLETE which is set when
+creating the l2cap_chan. It is suggested that the flag should be
+cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults()
+is called, l2cap_chan is not yet ready. Therefore, we must set this
+flag as the default.
+
+Example crash call trace:
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+panic+0x1c6/0x38b kernel/panic.c:117
+__warn+0x170/0x1b9 kernel/panic.c:471
+warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494
+debug_print_object+0x175/0x193 lib/debugobjects.c:260
+debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614
+debug_timer_assert_init kernel/time/timer.c:629 [inline]
+debug_assert_init kernel/time/timer.c:677 [inline]
+del_timer+0x7c/0x179 kernel/time/timer.c:1034
+try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230
+cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929
+l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834
+l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640
+l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756
+l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174
+l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217
+__sock_release+0xda/0x217 net/socket.c:580
+sock_close+0x1b/0x1f net/socket.c:1039
+__fput+0x322/0x55c fs/file_table.c:208
+____fput+0x17/0x19 fs/file_table.c:244
+task_work_run+0x19b/0x1d3 kernel/task_work.c:115
+exit_task_work include/linux/task_work.h:21 [inline]
+do_exit+0xe4c/0x204a kernel/exit.c:766
+do_group_exit+0x291/0x291 kernel/exit.c:891
+get_signal+0x749/0x1093 kernel/signal.c:2396
+do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737
+exit_to_usermode_loop arch/x86/entry/common.c:243 [inline]
+prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277
+syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348
+int_ret_from_sys_call+0x25/0xa3
+
+Signed-off-by: Archie Pusaka
+Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud
+Reviewed-by: Abhishek Pandit-Subedi
+Reviewed-by: Guenter Roeck
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 3499bace25ec..f5039700d927 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -515,7 +515,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
+ chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
+ chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
+ chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
++
+ chan->conf_state = 0;
++ set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
+
+ set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
+ }
+--
+2.30.2
+
diff --git a/queue-5.4/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch b/queue-5.4/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch
new file mode 100644
index 00000000000..133e1757fd2
--- /dev/null
+++ b/queue-5.4/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch
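Review bot: In l2cap_chan_set_defaults(), `chan->conf_state = 0;` followed directly by `set_bit(CONF_NOT_COMPLETE, &chan->conf_state);` reads like a reset that is immediately undone, and the reason is recorded only in the commit message. A comment such as `/* channel is not ready yet: keep CONF_NOT_COMPLETE until configuration finishes */` would stop a later cleanup from dropping the flag again. Where the flag is cleared, and what depends on it in the close path shown in the trace, is outside this hunk.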
@@ -0,0 +1,86 @@
+From dd8aa0c10e05f573b8bfc076d15249a77fd4b0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Apr 2021 13:45:25 -0400
+Subject: bnxt_en: Add PCI IDs for Hyper-V VF devices.
+
+From: Michael Chan
+
+[ Upstream commit 7fbf359bb2c19c824cbb1954020680824f6ee5a5 ]
+
+Support VF device IDs used by the Hyper-V hypervisor.
+
+Reviewed-by: Vasundhara Volam
+Reviewed-by: Andy Gospodarek
+Signed-off-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 588389697cf9..106f2b2ce17f 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -125,7 +125,10 @@ enum board_idx {
+ NETXTREME_E_VF,
+ NETXTREME_C_VF,
+ NETXTREME_S_VF,
++ NETXTREME_C_VF_HV,
++ NETXTREME_E_VF_HV,
+ NETXTREME_E_P5_VF,
++ NETXTREME_E_P5_VF_HV,
+ };
+
+ /* indexed by enum above */
+@@ -173,7 +176,10 @@ static const struct {
+ [NETXTREME_E_VF] = { "Broadcom NetXtreme-E Ethernet Virtual Function" },
+ [NETXTREME_C_VF] = { "Broadcom NetXtreme-C Ethernet Virtual Function" },
+ [NETXTREME_S_VF] = { "Broadcom NetXtreme-S Ethernet Virtual Function" },
++ [NETXTREME_C_VF_HV] = { "Broadcom NetXtreme-C Virtual Function for Hyper-V" },
++ [NETXTREME_E_VF_HV] = { "Broadcom NetXtreme-E Virtual Function for Hyper-V" },
+ [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" },
++ [NETXTREME_E_P5_VF_HV] = { "Broadcom BCM5750X NetXtreme-E Virtual Function for Hyper-V" },
+ };
+
+ static const struct pci_device_id bnxt_pci_tbl[] = {
+@@ -225,15 +231,25 @@ static const struct pci_device_id bnxt_pci_tbl[] = {
+ { PCI_VDEVICE(BROADCOM, 0xd804), .driver_data = BCM58804 },
+ #ifdef CONFIG_BNXT_SRIOV
+ { PCI_VDEVICE(BROADCOM, 0x1606), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x1607), .driver_data = NETXTREME_E_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x1608), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x1609), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16bd), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x16c1), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16c2), .driver_data = NETXTREME_C_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c3), .driver_data = NETXTREME_C_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c4), .driver_data = NETXTREME_E_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c5), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x16cb), .driver_data = NETXTREME_C_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16d3), .driver_data = NETXTREME_E_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16dc), .driver_data = NETXTREME_E_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16e1), .driver_data = NETXTREME_C_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16e5), .driver_data = NETXTREME_C_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16e6), .driver_data = NETXTREME_C_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x1806), .driver_data = NETXTREME_E_P5_VF },
+ { PCI_VDEVICE(BROADCOM, 0x1807), .driver_data = NETXTREME_E_P5_VF },
++ { PCI_VDEVICE(BROADCOM, 0x1808), .driver_data = NETXTREME_E_P5_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x1809), .driver_data = NETXTREME_E_P5_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0xd800), .driver_data = NETXTREME_S_VF },
+ #endif
+ { 0 }
+@@ -263,7 +279,8 @@ static struct workqueue_struct *bnxt_pf_wq;
+ static bool bnxt_vf_pciid(enum board_idx idx)
+ {
+ return (idx == NETXTREME_C_VF || idx == NETXTREME_E_VF ||
+- idx == NETXTREME_S_VF || idx == NETXTREME_E_P5_VF);
++ idx == NETXTREME_S_VF || idx == NETXTREME_C_VF_HV ||
++ idx == NETXTREME_E_VF_HV || idx == NETXTREME_E_P5_VF);
+ }
+
+ #define DB_CP_REARM_FLAGS (DB_KEY_CP | DB_IDX_VALID)
+--
+2.30.2
+
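Review bot: bnxt_vf_pciid() is extended with NETXTREME_C_VF_HV and NETXTREME_E_VF_HV but not with NETXTREME_E_P5_VF_HV, although the same patch adds that enum value and maps device IDs 0x1808 and 0x1809 to it. Those two devices would therefore not be classified as VFs by callers of this helper, so any VF-specific handling keyed on it is skipped for them. The return expression should end with `idx == NETXTREME_E_VF_HV || idx == NETXTREME_E_P5_VF ||` followed by `idx == NETXTREME_E_P5_VF_HV);`.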
diff --git a/queue-5.4/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch b/queue-5.4/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch
new file mode 100644
index 00000000000..c315cf3004e
--- /dev/null
+++ b/queue-5.4/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch
@@ -0,0 +1,49 @@
+From f43af97658deab842a62643884c73d990a1ea5f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 May 2021 13:32:27 +0200
+Subject: can: m_can: m_can_tx_work_queue(): fix tx_skb race condition
+
+From: Marc Kleine-Budde
+
+[ Upstream commit e04b2cfe61072c7966e1a5fb73dd1feb30c206ed ]
+
+The m_can_start_xmit() function checks if the cdev->tx_skb is NULL and
+returns with NETDEV_TX_BUSY in case tx_sbk is not NULL.
+
+There is a race condition in the m_can_tx_work_queue(), where first
+the skb is send to the driver and then the case tx_sbk is set to NULL.
+A TX complete IRQ might come in between and wake the queue, which
+results in tx_skb not being cleared yet.
+
+Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework")
+Tested-by: Torin Cooper-Bennun
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/m_can/m_can.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index b2224113987c..de275ccb4fd0 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1418,6 +1418,8 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
+ int i;
+ int putidx;
+
++ cdev->tx_skb = NULL;
++
+ /* Generate ID field for TX buffer Element */
+ /* Common to all supported M_CAN versions */
+ if (cf->can_id & CAN_EFF_FLAG) {
+@@ -1534,7 +1536,6 @@ static void m_can_tx_work_queue(struct work_struct *ws)
+ tx_work);
+
+ m_can_tx_handler(cdev);
+- cdev->tx_skb = NULL;
+ }
+
+ static netdev_tx_t m_can_start_xmit(struct sk_buff *skb,
+--
+2.30.2
+
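Review bot: `cdev->tx_skb = NULL;` now runs as the first statement of m_can_tx_handler(), which is only correct if the handler has already copied the skb pointer into a local in the declarations above the hunk; those lines are not visible here. The later use of `cf->can_id` suggests it has, but the dependency deserves a comment at the store: `/* skb was captured above; clear now so a TX-complete IRQ that wakes the queue sees a free slot */`. The store and the NULL test in m_can_start_xmit() are plain accesses from different contexts, so it is worth confirming that the existing queue stop/wake ordering is what makes this safe.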
diff --git a/queue-5.4/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch b/queue-5.4/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch
new file mode 100644
index 00000000000..aefeeac5b03
--- /dev/null
+++ b/queue-5.4/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch
@@ -0,0 +1,37 @@
+From c306f54a13a43e5eaa48c751b34c9c15f768ad03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Mar 2021 09:21:53 -0400
+Subject: ceph: fix inode leak on getattr error in __fh_to_dentry
+
+From: Jeff Layton
+
+[ Upstream commit 1775c7ddacfcea29051c67409087578f8f4d751b ]
+
+Fixes: 878dabb64117 ("ceph: don't return -ESTALE if there's still an open file")
+Signed-off-by: Jeff Layton
+Reviewed-by: Xiubo Li
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/export.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/export.c b/fs/ceph/export.c
+index e088843a7734..baa6368bece5 100644
+--- a/fs/ceph/export.c
++++ b/fs/ceph/export.c
+@@ -178,8 +178,10 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, u64 ino)
+ return ERR_CAST(inode);
+ /* We need LINK caps to reliably check i_nlink */
+ err = ceph_do_getattr(inode, CEPH_CAP_LINK_SHARED, false);
+- if (err)
++ if (err) {
++ iput(inode);
+ return ERR_PTR(err);
++ }
+ /* -ESTALE if inode as been unlinked and no file is open */
+ if ((inode->i_nlink == 0) && (atomic_read(&inode->i_count) == 1)) {
+ iput(inode);
+--
+2.30.2
+
diff --git a/queue-5.4/cuse-prevent-clone.patch b/queue-5.4/cuse-prevent-clone.patch
new file mode 100644
index 00000000000..c66c33a06c5
--- /dev/null
+++ b/queue-5.4/cuse-prevent-clone.patch
@@ -0,0 +1,37 @@
+From 816ae05bb13fd88f31c247fbaa88738f03b062b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Apr 2021 10:40:58 +0200
+Subject: cuse: prevent clone
+
+From: Miklos Szeredi
+
+[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]
+
+For cloned connections cuse_channel_release() will be called more than
+once, resulting in use after free.
+
+Prevent device cloning for CUSE, which does not make sense at this point,
+and highly unlikely to be used in real life.
+
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Sasha Levin
+---
+ fs/fuse/cuse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index 00015d851382..e51b7019e887 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -624,6 +624,8 @@ static int __init cuse_init(void)
+ cuse_channel_fops.owner = THIS_MODULE;
+ cuse_channel_fops.open = cuse_channel_open;
+ cuse_channel_fops.release = cuse_channel_release;
++ /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
++ cuse_channel_fops.unlocked_ioctl = NULL;
+
+ cuse_class = class_create(THIS_MODULE, "cuse");
+ if (IS_ERR(cuse_class))
+--
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch b/queue-5.4/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch
new file mode 100644
index 00000000000..5bb02169906
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch
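Review bot: Only `cuse_channel_fops.unlocked_ioctl` is cleared in cuse_init(); `compat_ioctl` is not touched by this hunk. Where cuse_channel_fops gets its initial contents is above the hunk, but if on this branch it is copied from a table that also points `.compat_ioctl` at the same ioctl handler, the clone request stays reachable through the compat path and the double release described in the commit message is not fully closed. This should be confirmed against the 5.4 tree, and if it holds the block needs a second line, `cuse_channel_fops.compat_ioctl = NULL;`.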
@@ -0,0 +1,112 @@
+From 4a382354449447ae482b833a203ad9f0a185878c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Dec 2020 19:14:48 -0500
+Subject: drm/amd/display: fixed divide by zero kernel crash during dsc
+ enablement
+
+From: Robin Singh
+
+[ Upstream commit 19cc1f3829567e7dca21c1389ea6407b8f5efab4 ]
+
+[why]
+During dsc enable, a divide by zero condition triggered the
+kernel crash.
+
+[how]
+An IGT test, which enable the DSC, was crashing at the time of
+restore the default dsc status, becaue of h_totals value
+becoming 0. So add a check before divide condition. If h_total
+is zero, gracefully ignore and set the default value.
+
+kernel panic log:
+
+ [ 128.758827] divide error: 0000 [#1] PREEMPT SMP NOPTI
+ [ 128.762714] CPU: 5 PID: 4562 Comm: amd_dp_dsc Tainted: G W 5.4.19-android-x86_64 #1
+ [ 128.769728] Hardware name: ADVANCED MICRO DEVICES, INC. Mauna/Mauna, BIOS WMN0B13N Nov 11 2020
+ [ 128.777695] RIP: 0010:hubp2_vready_at_or_After_vsync+0x37/0x7a [amdgpu]
+ [ 128.785707] Code: 80 02 00 00 48 89 f3 48 8b 7f 08 b ......
+ [ 128.805696] RSP: 0018:ffffad8f82d43628 EFLAGS: 00010246
+ ......
+ [ 128.857707] CR2: 00007106d8465000 CR3: 0000000426530000 CR4: 0000000000140ee0
+ [ 128.865695] Call Trace:
+ [ 128.869712] hubp3_setup+0x1f/0x7f [amdgpu]
+ [ 128.873705] dcn20_update_dchubp_dpp+0xc8/0x54a [amdgpu]
+ [ 128.877706] dcn20_program_front_end_for_ctx+0x31d/0x463 [amdgpu]
+ [ 128.885706] dc_commit_state+0x3d2/0x658 [amdgpu]
+ [ 128.889707] amdgpu_dm_atomic_commit_tail+0x4b3/0x1e7c [amdgpu]
+ [ 128.897699] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
+ [ 128.901707] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
+ [ 128.905706] ? __is_insn_slot_addr+0x43/0x48
+ [ 128.909706] ? fill_plane_buffer_attributes+0x29e/0x3dc [amdgpu]
+ [ 128.917705] ? dm_plane_helper_prepare_fb+0x255/0x284 [amdgpu]
+ [ 128.921700] ? usleep_range+0x7c/0x7c
+ [ 128.925705] ? preempt_count_sub+0xf/0x18
+ [ 128.929706] ? _raw_spin_unlock_irq+0x13/0x24
+ [ 128.933732] ? __wait_for_common+0x11e/0x18f
+ [ 128.937705] ? _raw_spin_unlock_irq+0x13/0x24
+ [ 128.941706] ? __wait_for_common+0x11e/0x18f
+ [ 128.945705] commit_tail+0x8b/0xd2 [drm_kms_helper]
+ [ 128.949707] drm_atomic_helper_commit+0xd8/0xf5 [drm_kms_helper]
+ [ 128.957706] amdgpu_dm_atomic_commit+0x337/0x360 [amdgpu]
+ [ 128.961705] ? drm_atomic_check_only+0x543/0x68d [drm]
+ [ 128.969705] ? drm_atomic_set_property+0x760/0x7af [drm]
+ [ 128.973704] ? drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
+ [ 128.977705] drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
+ [ 128.985705] ? drm_atomic_set_property+0x7af/0x7af [drm]
+ [ 128.989706] drm_ioctl_kernel+0x82/0xda [drm]
+ [ 128.993706] drm_ioctl+0x225/0x319 [drm]
+ [ 128.997707] ? drm_atomic_set_property+0x7af/0x7af [drm]
+ [ 129.001706] ? preempt_count_sub+0xf/0x18
+ [ 129.005713] amdgpu_drm_ioctl+0x4b/0x76 [amdgpu]
+ [ 129.009705] vfs_ioctl+0x1d/0x2a
+ [ 129.013705] do_vfs_ioctl+0x419/0x43d
+ [ 129.017707] ksys_ioctl+0x52/0x71
+ [ 129.021707] __x64_sys_ioctl+0x16/0x19
+ [ 129.025706] do_syscall_64+0x78/0x85
+ [ 129.029705] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Robin Singh
+Reviewed-by: Harry Wentland
+Reviewed-by: Robin Singh
+Acked-by: Aurabindo Pillai
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
+index 69e2aae42394..b250ef75c163 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2012-17 Advanced Micro Devices, Inc.
++ * Copyright 2012-2021 Advanced Micro Devices, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+@@ -179,11 +179,14 @@ void hubp2_vready_at_or_After_vsync(struct hubp *hubp,
+ else
+ Set HUBP_VREADY_AT_OR_AFTER_VSYNC = 0
+ */
+- if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
+- + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
+- value = 1;
+- } else
+- value = 0;
++ if (pipe_dest->htotal != 0) {
++ if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
++ + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
++ value = 1;
++ } else
++ value = 0;
++ }
++
+ REG_UPDATE(DCHUBP_CNTL, HUBP_VREADY_AT_OR_AFTER_VSYNC, value);
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch b/queue-5.4/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch
new file mode 100644
index 00000000000..21df02ecee1
--- /dev/null
+++ b/queue-5.4/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch
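Review bot: When `pipe_dest->htotal` is 0, the new guard in hubp2_vready_at_or_After_vsync() skips both assignments, so REG_UPDATE() writes whatever `value` held beforehand. The commit message says the default is used in that case, but the declaration of `value` is above the hunk; if it is not initialised there, this replaces a divide error with a read of an indeterminate variable. Closing the guard with `} else {`, `value = 0;`, `}` would make the default explicit and remove the dependency on the declaration. The inner `} else` without braces next to a braced `if` is also worth normalising while the block is being re-indented.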
@@ -0,0 +1,45 @@
+From cd92e20268dec8449b55df356d7e10218ac67cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Mar 2021 11:03:35 -0400
+Subject: drm/amd/display: Force vsync flip when reconfiguring MPCC
+
+From: Anthony Wang
+
+[ Upstream commit 56d63782af9bbd1271bff1422a6a013123eade4d ]
+
+[Why]
+Underflow observed when disabling PIP overlay in-game when
+vsync is disabled, due to OTC master lock not working with
+game pipe which is immediate flip.
+
+[How]
+When performing a full update, override flip_immediate value
+to false for all planes, so that flip occurs on vsync.
+
+Signed-off-by: Anthony Wang
+Acked-by: Bindu Ramamurthy
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 092db590087c..14dc1b8719a9 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -2050,6 +2050,10 @@ static void commit_planes_for_stream(struct dc *dc,
+ plane_state->triplebuffer_flips = true;
+ }
+ }
++ if (update_type == UPDATE_TYPE_FULL) {
++ /* force vsync flip when reconfiguring pipes to prevent underflow */
++ plane_state->flip_immediate = false;
++ }
+ }
+ }
+ #endif
+--
+2.30.2
+
diff --git a/queue-5.4/drm-radeon-avoid-power-table-parsing-memory-leaks.patch b/queue-5.4/drm-radeon-avoid-power-table-parsing-memory-leaks.patch
new file mode 100644
index 00000000000..28eeaaa80ad
--- /dev/null
+++ b/queue-5.4/drm-radeon-avoid-power-table-parsing-memory-leaks.patch
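Review bot: The forced `plane_state->flip_immediate = false;` is added just before an `#endif`, so in commit_planes_for_stream() it is compiled only under whatever preprocessor condition opens above the hunk. On this branch it should be confirmed that the condition covers every configuration where the underflow described in the commit message can occur; otherwise the fix silently does nothing there. The assignment also overwrites the caller's plane state rather than a local copy, so a comment such as `/* overrides the requested flip mode for this full update */` would make that side effect visible. Whether later code restores the flag cannot be seen from this hunk.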
@@ -0,0 +1,64 @@ +From e0cd1e3642b3e6563bbe7c01c8994c163cc11f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 22:06:08 -0700 +Subject: drm/radeon: Avoid power table parsing memory leaks + +From: Kees Cook + +[ Upstream commit c69f27137a38d24301a6b659454a91ad85dff4aa ] + +Avoid leaving a hanging pre-allocated clock_info if last mode is +invalid, and avoid heap corruption if no valid modes are found. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 +Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework") +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 97703449e049..9e0aa357585f 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -2136,11 +2136,14 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + return state_index; + /* last mode is usually default, array is low to high */ + for (i = 0; i < num_modes; i++) { +- rdev->pm.power_state[state_index].clock_info = +- kcalloc(1, sizeof(struct radeon_pm_clock_info), +- GFP_KERNEL); ++ /* avoid memory leaks from invalid modes or unknown frev. */ ++ if (!rdev->pm.power_state[state_index].clock_info) { ++ rdev->pm.power_state[state_index].clock_info = ++ kzalloc(sizeof(struct radeon_pm_clock_info), ++ GFP_KERNEL); ++ } + if (!rdev->pm.power_state[state_index].clock_info) +- return state_index; ++ goto out; + rdev->pm.power_state[state_index].num_clock_modes = 1; + rdev->pm.power_state[state_index].clock_info[0].voltage.type = VOLTAGE_NONE; + switch (frev) { +@@ -2259,8 +2262,15 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + break; + } + } ++out: ++ /* free any unused clock_info allocation. 
*/ ++ if (state_index && state_index < num_modes) { ++ kfree(rdev->pm.power_state[state_index].clock_info); ++ rdev->pm.power_state[state_index].clock_info = NULL; ++ } ++ + /* last mode is usually default */ +- if (rdev->pm.default_power_state_index == -1) { ++ if (state_index && rdev->pm.default_power_state_index == -1) { + rdev->pm.power_state[state_index - 1].type = + POWER_STATE_TYPE_DEFAULT; + rdev->pm.default_power_state_index = state_index - 1; +-- +2.30.2 + diff --git a/queue-5.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch b/queue-5.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch new file mode 100644 index 00000000000..3b6ec120a95 --- /dev/null +++ b/queue-5.4/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch 
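Review bot: The cleanup added at `out:` in radeon_atombios_parse_power_table_1_3() is skipped when `state_index` is 0, because the guard reads `if (state_index && state_index < num_modes)`. If every mode was rejected, the `clock_info` allocated for slot 0 inside the loop stays attached to `power_state[0]`, and this hunk does not show whether the caller frees or overwrites it. If the caller does not release it, the guard could be `if (state_index < num_modes) {`, assuming `power_state` holds `num_modes` entries, which the hunk also does not show. Otherwise extend the comment to say who owns that allocation, for example `/* free any unused clock_info allocation; slot 0 is released by the caller */`. The function body starts and ends outside the hunks.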
@@ -0,0 +1,119 @@ +From c2e1d19b5c0b5704dee275c3ae917a733a0c53d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 22:06:07 -0700 +Subject: drm/radeon: Fix off-by-one power_state index heap overwrite + +From: Kees Cook + +[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ] + +An out of bounds write happens when setting the default power state. +KASAN sees this as: + +[drm] radeon: 512M of GTT memory ready. +[drm] GART: num cpu pages 131072, num gpu pages 131072 +================================================================== +BUG: KASAN: slab-out-of-bounds in +radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] +Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157 + +CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +Call Trace: + dump_stack+0xa5/0xe6 + print_address_description.constprop.0+0x18/0x239 + kasan_report+0x170/0x1a8 + radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] + radeon_atombios_get_power_modes+0x144/0x1888 [radeon] + radeon_pm_init+0x1019/0x1904 [radeon] + rs690_init+0x76e/0x84a [radeon] + radeon_device_init+0x1c1a/0x21e5 [radeon] + radeon_driver_load_kms+0xf5/0x30b [radeon] + drm_dev_register+0x255/0x4a0 [drm] + radeon_pci_probe+0x246/0x2f6 [radeon] + pci_device_probe+0x1aa/0x294 + really_probe+0x30e/0x850 + driver_probe_device+0xe6/0x135 + device_driver_attach+0xc1/0xf8 + __driver_attach+0x13f/0x146 + bus_for_each_dev+0xfa/0x146 + bus_add_driver+0x2b3/0x447 + driver_register+0x242/0x2c1 + do_one_initcall+0x149/0x2fd + do_init_module+0x1ae/0x573 + load_module+0x4dee/0x5cca + __do_sys_finit_module+0xf1/0x140 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Without KASAN, this will manifest later when the kernel attempts to +allocate memory that was stomped, since it collides with the inline slab +freelist pointer: + +invalid opcode: 0000 [#1] SMP NOPTI +CPU: 0 PID: 781 Comm: 
openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +RIP: 0010:kfree+0x115/0x230 +Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7 +RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246 +RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d +RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80 +RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000 +R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100 +FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0 +Call Trace: + __free_fdtable+0x16/0x1f + put_files_struct+0x81/0x9b + do_exit+0x433/0x94d + do_group_exit+0xa6/0xa6 + __x64_sys_exit_group+0xf/0xf + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fe80ef64bea +Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0. +RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea +RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0 +R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0 +Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ... + +Use a valid power_state index when initializing the "flags" and "misc" +and "misc2" fields. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 +Reported-by: Erhard F. 
+Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)") +Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups") +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 226a7bf0eb7a..97703449e049 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -2266,10 +2266,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + rdev->pm.default_power_state_index = state_index - 1; + rdev->pm.power_state[state_index - 1].default_clock_mode = + &rdev->pm.power_state[state_index - 1].clock_info[0]; +- rdev->pm.power_state[state_index].flags &= ++ rdev->pm.power_state[state_index - 1].flags &= + ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY; +- rdev->pm.power_state[state_index].misc = 0; +- rdev->pm.power_state[state_index].misc2 = 0; ++ rdev->pm.power_state[state_index - 1].misc = 0; ++ rdev->pm.power_state[state_index - 1].misc2 = 0; + } + return state_index; + } +-- +2.30.2 + diff --git a/queue-5.4/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch b/queue-5.4/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch new file mode 100644 index 00000000000..64038bda60e --- /dev/null +++ b/queue-5.4/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch 
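Review bot: The corrected writes to `flags`, `misc` and `misc2` still use `power_state[state_index - 1]` with no lower bound in this patch taken alone. If the loop accepted no mode, `state_index` is 0 and the index points before the start of the array. The `state_index &&` guard on this block arrives only in the companion patch "drm/radeon: Avoid power table parsing memory leaks", whose index line (97703449e049..9e0aa357585f) follows this one (226a7bf0eb7a..97703449e049). The two should therefore be queued together and in that order. The enclosing `if` starts outside this hunk.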
@@ -0,0 +1,69 @@ +From 15fea053dcf75a98bc52096dfc30c12b18dc9ba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 04:58:18 -0700 +Subject: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit + +From: Lv Yunlong + +[ Upstream commit 643001b47adc844ae33510c4bb93c236667008a3 ] + +In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside +enic_queue_wq_skb, if some error happens, the skb will be freed +by dev_kfree_skb(skb). But the freed skb is still used in +skb_tx_timestamp(skb). + +My patch makes enic_queue_wq_skb() return error and goto spin_unlock() +incase of error. The solution is provided by Govind. +See https://lkml.org/lkml/2021/4/30/961. + +Fixes: fb7516d42478e ("enic: add sw timestamp support") +Signed-off-by: Lv Yunlong +Acked-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 8314102002b0..03c8af58050c 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -803,7 +803,7 @@ static inline int enic_queue_wq_skb_encap(struct enic *enic, struct vnic_wq *wq, + return err; + } + +-static inline void enic_queue_wq_skb(struct enic *enic, ++static inline int enic_queue_wq_skb(struct enic *enic, + struct vnic_wq *wq, struct sk_buff *skb) + { + unsigned int mss = skb_shinfo(skb)->gso_size; +@@ -849,6 +849,7 @@ static inline void enic_queue_wq_skb(struct enic *enic, + wq->to_use = buf->next; + dev_kfree_skb(skb); + } ++ return err; + } + + /* netif_tx_lock held, process context with BHs disabled, or BH */ +@@ -892,7 +893,8 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb, + return NETDEV_TX_BUSY; + } + +- enic_queue_wq_skb(enic, wq, skb); ++ if (enic_queue_wq_skb(enic, wq, skb)) ++ goto error; + + if 
(vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS) + netif_tx_stop_queue(txq); +@@ -900,6 +902,7 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb, + if (!netdev_xmit_more() || netif_xmit_stopped(txq)) + vnic_wq_doorbell(wq); + ++error: + spin_unlock(&enic->wq_lock[txq_map]); + + return NETDEV_TX_OK; +-- +2.30.2 + diff --git a/queue-5.4/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch b/queue-5.4/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch new file mode 100644 index 00000000000..a7b7976bea0 --- /dev/null +++ b/queue-5.4/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch 
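Review bot: The new `goto error` in enic_hard_start_xmit() jumps past the `vnic_wq_doorbell(wq)` test as well as past the timestamp call, because the `error:` label sits directly before `spin_unlock()`. If earlier skbs of the same batch were posted while `netdev_xmit_more()` was true, their descriptors may stay un-kicked until the next transmit; that depends on code outside the hunk and needs confirming. If it holds, move the label above `if (!netdev_xmit_more() || netif_xmit_stopped(txq))` so the doorbell decision still runs on the error path. Returning NETDEV_TX_OK there is consistent with the skb already having been freed by enic_queue_wq_skb().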
@@ -0,0 +1,50 @@ +From 523da41101a8ca2703cba67b70b5292fd722a7a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 15:15:40 -0500 +Subject: ethtool: ioctl: Fix out-of-bounds warning in + store_link_ksettings_for_user() + +From: Gustavo A. R. Silva + +[ Upstream commit c1d9e34e11281a8ba1a1c54e4db554232a461488 ] + +Fix the following out-of-bounds warning: + +net/ethtool/ioctl.c:492:2: warning: 'memcpy' offset [49, 84] from the object at 'link_usettings' is out of the bounds of referenced subobject 'base' with type 'struct ethtool_link_settings' at offset 0 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +some struct members adjacent to each other in a single call to +memcpy(). This causes a legitimate compiler warning because memcpy() +overruns the length of &link_usettings.base. Fix this by directly +using &link_usettings and _from_ as destination and source addresses, +instead. + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index cd9bc67381b2..76506975d59a 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -589,7 +589,7 @@ store_link_ksettings_for_user(void __user *to, + { + struct ethtool_link_usettings link_usettings; + +- memcpy(&link_usettings.base, &from->base, sizeof(link_usettings)); ++ memcpy(&link_usettings, from, sizeof(link_usettings)); + bitmap_to_arr32(link_usettings.link_modes.supported, + from->link_modes.supported, + __ETHTOOL_LINK_MODE_MASK_NBITS); +-- +2.30.2 + 
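Review bot: The rewritten `memcpy(&link_usettings, from, sizeof(link_usettings));` still reads `sizeof(link_usettings)` bytes from a `struct ethtool_link_ksettings`, so it relies on that struct being at least as large and starting with the same `base` member. Neither definition is visible in the hunk. A compile-time check next to the copy would pin the assumption: `BUILD_BUG_ON(sizeof(link_usettings) > sizeof(*from));`. Since the destination is headed for the `__user *to` buffer, a short comment that the `link_modes` words copied here are overwritten by the `bitmap_to_arr32()` calls that follow would also help. The function body continues past the hunk.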
diff --git a/queue-5.4/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch b/queue-5.4/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch new file mode 100644 index 00000000000..0964335ca64 --- /dev/null +++ b/queue-5.4/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch @@ -0,0 +1,45 @@ +From 0731c8002d896ea62e96a7e1e275369ca218d7dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 09:21:18 +0000 +Subject: f2fs: fix a redundant call to f2fs_balance_fs if an error occurs + +From: Colin Ian King + +[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ] + +The uninitialized variable dn.node_changed does not get set when a +call to f2fs_get_node_page fails. This uninitialized value gets used +in the call to f2fs_balance_fs() that may or not may not balances +dirty node and dentry pages depending on the uninitialized state of +the variable. Fix this by only calling f2fs_balance_fs if err is +not set. + +Thanks to Jaegeuk Kim for suggesting an appropriate fix. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed") +Signed-off-by: Colin Ian King +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index cbd17e4ff920..c6bd669f4b4e 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -216,7 +216,8 @@ out: + + f2fs_put_page(page, 1); + +- f2fs_balance_fs(sbi, dn.node_changed); ++ if (!err) ++ f2fs_balance_fs(sbi, dn.node_changed); + + return err; + } +-- +2.30.2 + diff --git a/queue-5.4/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch b/queue-5.4/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch new file mode 100644 index 00000000000..ee21473c5e3 --- /dev/null +++ b/queue-5.4/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch 
@@ -0,0 +1,53 @@ +From a6327ddf8d500228e05c4ed2397b2f80978d897c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 14:31:51 -0500 +Subject: flow_dissector: Fix out-of-bounds warning in + __skb_flow_bpf_to_target() + +From: Gustavo A. R. Silva + +[ Upstream commit 1e3d976dbb23b3fce544752b434bdc32ce64aabc ] + +Fix the following out-of-bounds warning: + +net/core/flow_dissector.c:835:3: warning: 'memcpy' offset [33, 48] from the object at 'flow_keys' is out of the bounds of referenced subobject 'ipv6_src' with type '__u32[4]' {aka 'unsigned int[4]'} at offset 16 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). So, the compiler legitimately complains about it. As these +are just a couple of members, fix this by copying each one of them in +separate calls to memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index da86c0e1b677..96957a7c732f 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -811,8 +811,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + key_addrs = skb_flow_dissector_target(flow_dissector, + FLOW_DISSECTOR_KEY_IPV6_ADDRS, + target_container); +- memcpy(&key_addrs->v6addrs, &flow_keys->ipv6_src, +- sizeof(key_addrs->v6addrs)); ++ memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src, ++ sizeof(key_addrs->v6addrs.src)); ++ memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst, ++ sizeof(key_addrs->v6addrs.dst)); + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +-- +2.30.2 + diff --git a/queue-5.4/fs-dlm-fix-debugfs-dump.patch b/queue-5.4/fs-dlm-fix-debugfs-dump.patch new file mode 100644 index 00000000000..32240a406b7 --- /dev/null +++ b/queue-5.4/fs-dlm-fix-debugfs-dump.patch 
@@ -0,0 +1,40 @@ +From 466b84d5605089449ef2fcdd405959ef92ff7868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:08 -0500 +Subject: fs: dlm: fix debugfs dump + +From: Alexander Aring + +[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ] + +This patch fixes the following message which randomly pops up during +glocktop call: + +seq_file: buggy .next function table_seq_next did not update position index + +The issue is that seq_read_iter() in fs/seq_file.c also needs an +increment of the index in an non next record case as well which this +patch fixes otherwise seq_read_iter() will print out the above message. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/debug_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c +index d6bbccb0ed15..d5bd990bcab8 100644 +--- a/fs/dlm/debug_fs.c ++++ b/fs/dlm/debug_fs.c +@@ -542,6 +542,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos) + + if (bucket >= ls->ls_rsbtbl_size) { + kfree(ri); ++ ++*pos; + return NULL; + } + tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep; +-- +2.30.2 + diff --git a/queue-5.4/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch b/queue-5.4/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch new file mode 100644 index 00000000000..67621cb0933 --- /dev/null +++ b/queue-5.4/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch 
@@ -0,0 +1,39 @@ +From 2a420995d1143d7d5d96b76cee7d05e6a4454ef5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 19:19:20 +0000 +Subject: i2c: Add I2C_AQ_NO_REP_START adapter quirk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bence Csókás + +[ Upstream commit aca01415e076aa96cca0f801f4420ee5c10c660d ] + +This quirk signifies that the adapter cannot do a repeated +START, it always issues a STOP condition after transfers. + +Suggested-by: Wolfram Sang +Signed-off-by: Bence Csókás +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + include/linux/i2c.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/i2c.h b/include/linux/i2c.h +index 1361637c369d..af2b799d7a66 100644 +--- a/include/linux/i2c.h ++++ b/include/linux/i2c.h +@@ -677,6 +677,8 @@ struct i2c_adapter_quirks { + #define I2C_AQ_NO_ZERO_LEN_READ BIT(5) + #define I2C_AQ_NO_ZERO_LEN_WRITE BIT(6) + #define I2C_AQ_NO_ZERO_LEN (I2C_AQ_NO_ZERO_LEN_READ | I2C_AQ_NO_ZERO_LEN_WRITE) ++/* adapter cannot do repeated START */ ++#define I2C_AQ_NO_REP_START BIT(7) + + /* + * i2c_adapter is the structure used to identify a physical i2c bus along +-- +2.30.2 + diff --git a/queue-5.4/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch b/queue-5.4/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch new file mode 100644 index 00000000000..a453caf7bfc --- /dev/null +++ b/queue-5.4/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch 
@@ -0,0 +1,46 @@ +From 4062f635ee76a503ab7db0872173cd0b76464196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 12:57:34 +0100 +Subject: i2c: bail out early when RDWR parameters are wrong + +From: Wolfram Sang + +[ Upstream commit 71581562ee36032d2d574a9b23ad4af6d6a64cf7 ] + +The buggy parameters currently get caught later, but emit a noisy WARN. +Userspace should not be able to trigger this, so add similar checks much +earlier. Also avoids some unneeded code paths, of course. Apply kernel +coding stlye to a comment while here. + +Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com +Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com +Signed-off-by: Wolfram Sang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index 94beacc41302..a3fec3df11b6 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -440,8 +440,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + sizeof(rdwr_arg))) + return -EFAULT; + +- /* Put an arbitrary limit on the number of messages that can +- * be sent at once */ ++ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0) ++ return -EINVAL; ++ ++ /* ++ * Put an arbitrary limit on the number of messages that can ++ * be sent at once ++ */ + if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS) + return -EINVAL; + +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch b/queue-5.4/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch new file mode 100644 index 00000000000..126957a7d36 --- /dev/null +++ b/queue-5.4/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch 
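Review bot: The early `-EINVAL` for a NULL `msgs` pointer or `nmsgs == 0` is added only to the I2C_RDWR branch of i2cdev_ioctl(). If i2c-dev.c also has a compat ioctl handler that copies its own rdwr argument from user space (not visible in this hunk), that path would still reach the later WARN that the commit message says user space should not be able to trigger. It is worth confirming and, if so, mirroring the check there: `if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0) return -EINVAL;`. The function body starts and ends outside the hunk.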
@@ -0,0 +1,96 @@ +From e897565e7ce83328f4c5350409d4a13449a13efa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 14:43:07 +0000 +Subject: i40e: Fix PHY type identifiers for 2.5G and 5G adapters + +From: Mateusz Palczewski + +[ Upstream commit 15395ec4685bd45a43d1b54b8fd9846b87e2c621 ] + +Unlike other supported adapters, 2.5G and 5G use different +PHY type identifiers for reading/writing PHY settings +and for reading link status. This commit introduces +separate PHY identifiers for these two operation types. + +Fixes: 2e45d3f4677a ("i40e: Add support for X710 B/P & SFP+ cards") +Signed-off-by: Dawid Lukwinski +Signed-off-by: Mateusz Palczewski +Reviewed-by: Aleksandr Loktionov +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h | 6 ++++-- + drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_type.h | 7 ++----- + 4 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index d7684ac2522e..57a8328e9b4f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1893,8 +1893,10 @@ enum i40e_aq_phy_type { + I40E_PHY_TYPE_25GBASE_LR = 0x22, + I40E_PHY_TYPE_25GBASE_AOC = 0x23, + I40E_PHY_TYPE_25GBASE_ACC = 0x24, +- I40E_PHY_TYPE_2_5GBASE_T = 0x30, +- I40E_PHY_TYPE_5GBASE_T = 0x31, ++ I40E_PHY_TYPE_2_5GBASE_T = 0x26, ++ I40E_PHY_TYPE_5GBASE_T = 0x27, ++ I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS = 0x30, ++ I40E_PHY_TYPE_5GBASE_T_LINK_STATUS = 0x31, + I40E_PHY_TYPE_MAX, + I40E_PHY_TYPE_NOT_SUPPORTED_HIGH_TEMP = 0xFD, + I40E_PHY_TYPE_EMPTY = 0xFE, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 66f7deaf46ae..6475f78e85f6 100644 +--- 
a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1156,8 +1156,8 @@ static enum i40e_media_type i40e_get_media_type(struct i40e_hw *hw) + break; + case I40E_PHY_TYPE_100BASE_TX: + case I40E_PHY_TYPE_1000BASE_T: +- case I40E_PHY_TYPE_2_5GBASE_T: +- case I40E_PHY_TYPE_5GBASE_T: ++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS: ++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS: + case I40E_PHY_TYPE_10GBASE_T: + media = I40E_MEDIA_TYPE_BASET; + break; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 502b4abc0aab..e4d0b7747e84 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -839,8 +839,8 @@ static void i40e_get_settings_link_up(struct i40e_hw *hw, + 10000baseT_Full); + break; + case I40E_PHY_TYPE_10GBASE_T: +- case I40E_PHY_TYPE_5GBASE_T: +- case I40E_PHY_TYPE_2_5GBASE_T: ++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS: ++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS: + case I40E_PHY_TYPE_1000BASE_T: + case I40E_PHY_TYPE_100BASE_TX: + ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_type.h b/drivers/net/ethernet/intel/i40e/i40e_type.h +index b43ec94a0f29..666a251e8c72 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_type.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_type.h +@@ -253,11 +253,8 @@ struct i40e_phy_info { + #define I40E_CAP_PHY_TYPE_25GBASE_ACC BIT_ULL(I40E_PHY_TYPE_25GBASE_ACC + \ + I40E_PHY_TYPE_OFFSET) + /* Offset for 2.5G/5G PHY Types value to bit number conversion */ +-#define I40E_PHY_TYPE_OFFSET2 (-10) +-#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T + \ +- I40E_PHY_TYPE_OFFSET2) +-#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T + \ +- I40E_PHY_TYPE_OFFSET2) ++#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T) ++#define I40E_CAP_PHY_TYPE_5GBASE_T 
BIT_ULL(I40E_PHY_TYPE_5GBASE_T) + #define I40E_HW_CAP_MAX_GPIO 30 + /* Capabilities of a PF or a VF or the whole device */ + struct i40e_hw_capabilities { +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch b/queue-5.4/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch new file mode 100644 index 00000000000..64944ce66a1 --- /dev/null +++ b/queue-5.4/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch 
@@ -0,0 +1,41 @@ +From f0f771e64d91368fdee36f4b5dacf1ef4a330b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 14:19:40 +0000 +Subject: i40e: fix the restart auto-negotiation after FEC modified + +From: Jaroslaw Gawin + +[ Upstream commit 61343e6da7810de81d6b826698946ae4f9070819 ] + +When FEC mode was changed the link didn't know it because +the link was not reset and new parameters were not negotiated. +Set a flag 'I40E_AQ_PHY_ENABLE_ATOMIC_LINK' in 'abilities' +to restart the link and make it run with the new settings. + +Fixes: 1d96340196f1 ("i40e: Add support FEC configuration for Fortville 25G") +Signed-off-by: Jaroslaw Gawin +Signed-off-by: Mateusz Palczewski +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index b519e5af5ed9..502b4abc0aab 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -1406,7 +1406,8 @@ static int i40e_set_fec_cfg(struct net_device *netdev, u8 fec_cfg) + + memset(&config, 0, sizeof(config)); + config.phy_type = abilities.phy_type; +- config.abilities = abilities.abilities; ++ config.abilities = abilities.abilities | ++ I40E_AQ_PHY_ENABLE_ATOMIC_LINK; + config.phy_type_ext = abilities.phy_type_ext; + config.link_speed = abilities.link_speed; + config.eee_capability = abilities.eee_capability; +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-use-after-free-in-i40e_client_subtask.patch b/queue-5.4/i40e-fix-use-after-free-in-i40e_client_subtask.patch new file mode 100644 index 00000000000..39627bf47e3 --- /dev/null +++ b/queue-5.4/i40e-fix-use-after-free-in-i40e_client_subtask.patch 
@@ -0,0 +1,37 @@ +From 0f7723f19304dc467b8833595f578566b7b95076 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 22:41:18 +0800 +Subject: i40e: Fix use-after-free in i40e_client_subtask() + +From: Yunjian Wang + +[ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ] + +Currently the call to i40e_client_del_instance frees the object +pf->cinst, however pf->cinst->lan_info is being accessed after +the free. Fix this by adding the missing return. + +Addresses-Coverity: ("Read from pointer after free") +Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events") +Signed-off-by: Yunjian Wang +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index e81530ca08d0..5706abb3c0ea 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -377,6 +377,7 @@ void i40e_client_subtask(struct i40e_pf *pf) + clear_bit(__I40E_CLIENT_INSTANCE_OPENED, + &cdev->state); + i40e_client_del_instance(pf); ++ return; + } + } + } +-- +2.30.2 + diff --git a/queue-5.4/ia64-module-fix-symbolizer-crash-on-fdescr.patch b/queue-5.4/ia64-module-fix-symbolizer-crash-on-fdescr.patch new file mode 100644 index 00000000000..9c18fb52918 --- /dev/null +++ b/queue-5.4/ia64-module-fix-symbolizer-crash-on-fdescr.patch 
@@ -0,0 +1,120 @@ +From 9239e421a3a8179eacd622754e7e7dde86465d97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:53:48 -0700 +Subject: ia64: module: fix symbolizer crash on fdescr + +From: Sergei Trofimovich + +[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ] + +Noticed failure as a crash on ia64 when tried to symbolize all backtraces +collected by page_owner=on: + + $ cat /sys/kernel/debug/page_owner + + + CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226 + Hardware name: hp server rx3600, BIOS 04.03 04/08/2008 + ip is at dereference_module_function_descriptor+0x41/0x100 + +Crash happens at dereference_module_function_descriptor() due to +use-after-free when dereferencing ".opd" section header. + +All section headers are already freed after module is laoded successfully. + +To keep symbolizer working the change stores ".opd" address and size after +module is relocated to a new place and before section headers are +discarded. + +To make similar errors less obscure module_finalize() now zeroes out all +variables relevant to module loading only. + +Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org +Signed-off-by: Sergei Trofimovich +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/include/asm/module.h | 6 +++++- + arch/ia64/kernel/module.c | 29 +++++++++++++++++++++++++---- + 2 files changed, 30 insertions(+), 5 deletions(-) + +diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h +index f319144260ce..9fbf32e6e881 100644 +--- a/arch/ia64/include/asm/module.h ++++ b/arch/ia64/include/asm/module.h +@@ -14,16 +14,20 @@ + struct elf64_shdr; /* forward declration */ + + struct mod_arch_specific { ++ /* Used only at module load time. 
*/ + struct elf64_shdr *core_plt; /* core PLT section */ + struct elf64_shdr *init_plt; /* init PLT section */ + struct elf64_shdr *got; /* global offset table */ + struct elf64_shdr *opd; /* official procedure descriptors */ + struct elf64_shdr *unwind; /* unwind-table section */ + unsigned long gp; /* global-pointer for module */ ++ unsigned int next_got_entry; /* index of next available got entry */ + ++ /* Used at module run and cleanup time. */ + void *core_unw_table; /* core unwind-table cookie returned by unwinder */ + void *init_unw_table; /* init unwind-table cookie returned by unwinder */ +- unsigned int next_got_entry; /* index of next available got entry */ ++ void *opd_addr; /* symbolize uses .opd to get to actual function */ ++ unsigned long opd_size; + }; + + #define MODULE_PROC_FAMILY "ia64" +diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c +index 1a42ba885188..ee693c8cec49 100644 +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod) + int + module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod) + { ++ struct mod_arch_specific *mas = &mod->arch; ++ + DEBUGP("%s: init: entry=%p\n", __func__, mod->init); +- if (mod->arch.unwind) ++ if (mas->unwind) + register_unwind_table(mod); ++ ++ /* ++ * ".opd" was already relocated to the final destination. Store ++ * it's address for use in symbolizer. ++ */ ++ mas->opd_addr = (void *)mas->opd->sh_addr; ++ mas->opd_size = mas->opd->sh_size; ++ ++ /* ++ * Module relocation was already done at this point. Section ++ * headers are about to be deleted. Wipe out load-time context. 
++ */ ++ mas->core_plt = NULL; ++ mas->init_plt = NULL; ++ mas->got = NULL; ++ mas->opd = NULL; ++ mas->unwind = NULL; ++ mas->gp = 0; ++ mas->next_got_entry = 0; ++ + return 0; + } + +@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod) + + void *dereference_module_function_descriptor(struct module *mod, void *ptr) + { +- Elf64_Shdr *opd = mod->arch.opd; ++ struct mod_arch_specific *mas = &mod->arch; + +- if (ptr < (void *)opd->sh_addr || +- ptr >= (void *)(opd->sh_addr + opd->sh_size)) ++ if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size) + return ptr; + + return dereference_function_descriptor(ptr); +-- +2.30.2 + diff --git a/queue-5.4/iavf-remove-duplicate-free-resources-calls.patch b/queue-5.4/iavf-remove-duplicate-free-resources-calls.patch new file mode 100644 index 00000000000..fb0cf195301 --- /dev/null +++ b/queue-5.4/iavf-remove-duplicate-free-resources-calls.patch 
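Review bot: module_finalize() now dereferences `mas->opd` unconditionally in `mas->opd_addr = (void *)mas->opd->sh_addr;`, one statement after `mas->unwind` is tested for NULL before use. If the section lookup outside this hunk can leave `opd` NULL for a module without an .opd section, this is a NULL dereference at load time. Either guard the two assignments with `if (mas->opd) {`, or add a comment naming where a missing .opd is rejected. With `opd_addr` and `opd_size` left at zero, the new range test in dereference_module_function_descriptor() returns `ptr` unchanged, which looks like the intended fallback.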
@@ -0,0 +1,36 @@ +From e5b68342b224c05ee01b07d847ab528d8d0acccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 15:41:42 +0100 +Subject: iavf: remove duplicate free resources calls + +From: Stefan Assmann + +[ Upstream commit 1a0e880b028f97478dc689e2900b312741d0d772 ] + +Both iavf_free_all_tx_resources() and iavf_free_all_rx_resources() have +already been called in the very same function. +Remove the duplicate calls. + +Signed-off-by: Stefan Assmann +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index cffc8c1044f2..a97e1f9ca1ed 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3906,8 +3906,6 @@ static void iavf_remove(struct pci_dev *pdev) + + iounmap(hw->hw_addr); + pci_release_regions(pdev); +- iavf_free_all_tx_resources(adapter); +- iavf_free_all_rx_resources(adapter); + iavf_free_queues(adapter); + kfree(adapter->vf_res); + spin_lock_bh(&adapter->mac_vlan_list_lock); +-- +2.30.2 + diff --git a/queue-5.4/iommu-amd-remove-performance-counter-pre-initializat.patch b/queue-5.4/iommu-amd-remove-performance-counter-pre-initializat.patch new file mode 100644 index 00000000000..a60c8fa0bba --- /dev/null +++ b/queue-5.4/iommu-amd-remove-performance-counter-pre-initializat.patch 
@@ -0,0 +1,98 @@ +From 47d00c8e3e813ecc6a93f1d88975b2078e56fdfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 03:58:48 -0500 +Subject: iommu/amd: Remove performance counter pre-initialization test + +From: Suravee Suthikulpanit + +[ Upstream commit 994d6608efe4a4c8834bdc5014c86f4bc6aceea6 ] + +In early AMD desktop/mobile platforms (during 2013), when the IOMMU +Performance Counter (PMC) support was first introduced in +commit 30861ddc9cca ("perf/x86/amd: Add IOMMU Performance Counter +resource management"), there was a HW bug where the counters could not +be accessed. The result was reading of the counter always return zero. + +At the time, the suggested workaround was to add a test logic prior +to initializing the PMC feature to check if the counters can be programmed +and read back the same value. This has been working fine until the more +recent desktop/mobile platforms start enabling power gating for the PMC, +which prevents access to the counters. This results in the PMC support +being disabled unnecesarily. + +Unfortunatly, there is no documentation of since which generation +of hardware the original PMC HW bug was fixed. Although, it was fixed +soon after the first introduction of the PMC. Base on this, we assume +that the buggy platforms are less likely to be in used, and it should +be relatively safe to remove this legacy logic. 
+ +Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 +Cc: Tj (Elloe Linux) +Cc: Shuah Khan +Cc: Alexander Monakov +Cc: David Coe +Cc: Paul Menzel +Signed-off-by: Suravee Suthikulpanit +Tested-by: Shuah Khan +Link: https://lore.kernel.org/r/20210409085848.3908-3-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_init.c | 24 +----------------------- + 1 file changed, 1 insertion(+), 23 deletions(-) + +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 31d7e2d4f304..692401e941a7 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1672,33 +1672,16 @@ static int __init init_iommu_all(struct acpi_table_header *table) + return 0; + } + +-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, +- u8 fxn, u64 *value, bool is_write); +- + static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { ++ u64 val; + struct pci_dev *pdev = iommu->dev; +- u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; + + amd_iommu_pc_present = true; + +- /* save the value to restore, if writable */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) +- goto pc_false; +- +- /* Check if the performance counters can be written to */ +- if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || +- (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || +- (val != val2)) +- goto pc_false; +- +- /* restore */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) +- goto pc_false; +- + pci_info(pdev, "IOMMU performance counters supported\n"); + + val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET); +@@ -1706,11 +1689,6 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu) + iommu->max_counters = (u8) ((val >> 7) & 0xf); + + return; +- +-pc_false: +- pci_err(pdev, 
"Unable to read/write to IOMMU perf counter.\n"); +- amd_iommu_pc_present = false; +- return; + } + + static ssize_t amd_iommu_show_cap(struct device *dev, +-- +2.30.2 + diff --git a/queue-5.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch b/queue-5.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch new file mode 100644 index 00000000000..5f2d4bae51a --- /dev/null +++ b/queue-5.4/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch 
@@ -0,0 +1,98 @@ +From 47af251fe18d41bf25afd7d88f66be76929921f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 12:12:54 -0700 +Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods + +From: Eric Dumazet + +[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ] + +After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger +a warning [1] + +Issue here is that: + +- all dev_put() should be paired with a corresponding prior dev_hold(). + +- A driver doing a dev_put() in its ndo_uninit() MUST also + do a dev_hold() in its ndo_init(), only when ndo_init() + is returning 0. + +Otherwise, register_netdevice() would call ndo_uninit() +in its error path and release a refcount too soon. + +Therefore, we need to move dev_hold() call from +vti6_tnl_create2() to vti6_dev_init_gen() + +[1] +WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Modules linked in: +CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 +RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568 +R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40 +FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __refcount_dec include/linux/refcount.h:344 [inline] + refcount_dec include/linux/refcount.h:359 [inline] + dev_put include/linux/netdevice.h:4135 [inline] + vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297 + register_netdevice+0xadf/0x1500 net/core/dev.c:10308 + vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190 + vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020 + __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x331/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmmsg+0x195/0x470 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516 + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index cc6180e08a4f..01ddb0f70c57 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev) + + strcpy(t->parms.name, dev->name); + +- dev_hold(dev); + vti6_tnl_link(ip6n, t); + + return 0; +@@ -921,6 +920,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev) + dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); + if (!dev->tstats) + return -ENOMEM; ++ dev_hold(dev); + return 0; + } + +-- +2.30.2 + 
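Review bot: The `dev_hold(dev)` added at the end of vti6_dev_init_gen() has no comment tying it to the dev_put() in vti6_dev_uninit(), which is the pairing this fix depends on. A one-line comment above it, such as `/* paired with dev_put() in vti6_dev_uninit() */`, would keep the two from drifting apart again. The callers of vti6_dev_init_gen() are outside these hunks. Any init path in the 5.4 tree that calls it and then takes its own reference would now hold the device twice and never drop the extra count, so those callers should be checked before this is queued.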
diff --git a/queue-5.4/kconfig-nconf-stop-endless-search-loops.patch b/queue-5.4/kconfig-nconf-stop-endless-search-loops.patch
new file mode 100644
index 00000000000..801cb0ece97
--- /dev/null
+++ b/queue-5.4/kconfig-nconf-stop-endless-search-loops.patch
@@ -0,0 +1,62 @@ +From afddb4e00db22da9406f659789f4868a6e5a58b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 09:28:03 +0200 +Subject: kconfig: nconf: stop endless search loops + +From: Mihai Moldovan + +[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ] + +If the user selects the very first entry in a page and performs a +search-up operation, or selects the very last entry in a page and +performs a search-down operation that will not succeed (e.g., via +[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page. + +The reason is that in this case, the starting point will be set to -1 +or n, which is then translated into (n - 1) (i.e., the last entry of +the page) or 0 (i.e., the first entry of the page) and finally the +search begins. This continues to work fine until the index reaches 0 or +(n - 1), at which point it will be decremented to -1 or incremented to +n, but not checked against the starting point right away. Instead, it's +wrapped around to the bottom or top again, after which the starting +point check occurs... and naturally fails. + +My original implementation added another check for -1 before wrapping +the running index variable around, but Masahiro Yamada pointed out that +the actual issue is that the comparison point (starting point) exceeds +bounds (i.e., the [0,n-1] interval) in the first place and that, +instead, the starting point should be fixed. + +This has the welcome side-effect of also fixing the case where the +starting point was n while searching down, which also lead to an +infinite loop. + +OTOH, this code is now essentially all his work. + +Amazingly, nobody seems to have been hit by this for 11 years - or at +the very least nobody bothered to debug and fix this. 
+ +Signed-off-by: Mihai Moldovan +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index b7c1ef757178..331b2cc917ec 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -503,8 +503,8 @@ static int get_mext_match(const char *match_str, match_f flag) + else if (flag == FIND_NEXT_MATCH_UP) + --match_start; + ++ match_start = (match_start + items_num) % items_num; + index = match_start; +- index = (index + items_num) % items_num; + while (true) { + char *str = k_menu_items[index].str; + if (strcasestr(str, match_str) != NULL) +-- +2.30.2 + diff --git a/queue-5.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch b/queue-5.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch new file mode 100644 index 00000000000..9c1dced0b13 --- /dev/null +++ b/queue-5.4/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch 
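Review bot: The new `match_start = (match_start + items_num) % items_num;` in get_mext_match() divides by `items_num` with no guard in the visible lines. If a page can ever hold zero entries this is a division by zero, and the `k_menu_items[index].str` read that follows would be out of bounds as well. The function starts and continues outside the hunk, so a check may already exist there. If it does not, an early `if (items_num <= 0) return -1;` before the normalisation would cover it, assuming -1 is what the function returns for "no match".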
@@ -0,0 +1,45 @@
+From b8bc0ff81cd0b99675183b3e84142f1bdc8c36f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 May 2021 18:04:38 -0700
+Subject: kernel: kexec_file: fix error return code of
+ kexec_calculate_store_digests()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ]
+
+When vzalloc() returns NULL to sha_regions, no error return code of
+kexec_calculate_store_digests() is assigned. To fix this bug, ret is
+assigned with -ENOMEM in this case.
+
+Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com
+Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
+Signed-off-by: Jia-Ju Bai
+Reported-by: TOTE Robot
+Acked-by: Baoquan He
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/kexec_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index 4e74db89bd23..b17998fa03f1 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -740,8 +740,10 @@ static int kexec_calculate_store_digests(struct kimage *image)
+
+ sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
+ sha_regions = vzalloc(sha_region_sz);
+- if (!sha_regions)
++ if (!sha_regions) {
++ ret = -ENOMEM;
+ goto out_free_desc;
++ }
+
+ desc->tfm = tfm;
+
+--
+2.30.2
+
diff --git a/queue-5.4/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch b/queue-5.4/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
new file mode 100644
index 00000000000..ffb4cb2c949
--- /dev/null
+++ b/queue-5.4/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
@@ -0,0 +1,63 @@ +From 5fe5b7d9b8c1b40c30593cbfe396d8f09f407158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:33:46 -0700 +Subject: khugepaged: fix wrong result value for + trace_mm_collapse_huge_page_isolate() + +From: Miaohe Lin + +[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ] + +In writable and !referenced case, the result value should be +SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate() +instead of default 0 (SCAN_FAIL) here. + +Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com +Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages") +Signed-off-by: Miaohe Lin +Acked-by: Kirill A. Shutemov +Cc: Dan Carpenter +Cc: Ebru Akagunduz +Cc: Mike Kravetz +Cc: Rik van Riel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index f0d7e6483ba3..3c2326568193 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -628,17 +628,17 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma, + mmu_notifier_test_young(vma->vm_mm, address)) + referenced++; + } +- if (likely(writable)) { +- if (likely(referenced)) { +- result = SCAN_SUCCEED; +- trace_mm_collapse_huge_page_isolate(page, none_or_zero, +- referenced, writable, result); +- return 1; +- } +- } else { ++ ++ if (unlikely(!writable)) { + result = SCAN_PAGE_RO; ++ } else if (unlikely(!referenced)) { ++ result = SCAN_LACK_REFERENCED_PAGE; ++ } else { ++ result = SCAN_SUCCEED; ++ trace_mm_collapse_huge_page_isolate(page, none_or_zero, ++ referenced, writable, result); ++ return 1; + } +- + out: + release_pte_pages(pte, _pte); + trace_mm_collapse_huge_page_isolate(page, none_or_zero, +-- +2.30.2 + 
diff --git a/queue-5.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch b/queue-5.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch
new file mode 100644
index 00000000000..ec580f3c7a8
--- /dev/null
+++ b/queue-5.4/ksm-fix-potential-missing-rmap_item-for-stable_node.patch
@@ -0,0 +1,57 @@
+From e28c898151d9147e12ea13ba3b75d0eec90d9182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 May 2021 18:37:45 -0700
+Subject: ksm: fix potential missing rmap_item for stable_node
+
+From: Miaohe Lin
+
+[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ]
+
+When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is
+cleared with head reserved. So the following scenario might happen: For
+ksm page with rmap_item1:
+
+cmp_and_merge_page
+ stable_node->head = &migrate_nodes;
+ remove_rmap_item_from_tree, but head still equal to stable_node;
+ try_to_merge_with_ksm_page failed;
+ return;
+
+For the same ksm page with rmap_item2, stable node migration succeed this
+time. The stable_node->head does not equal to migrate_nodes now. For ksm
+page with rmap_item1 again:
+
+cmp_and_merge_page
+ stable_node->head != &migrate_nodes && rmap_item->head == stable_node
+ return;
+
+We would miss the rmap_item for stable_node and might result in failed
+rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item
+is removed from stable tree.
+
+Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com
+Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe")
+Signed-off-by: Miaohe Lin
+Cc: Hugh Dickins
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/ksm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index e486c54d921b..0bbae78aaaa0 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -793,6 +793,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
+ stable_node->rmap_hlist_len--;
+
+ put_anon_vma(rmap_item->anon_vma);
++ rmap_item->head = NULL;
+ rmap_item->address &= PAGE_MASK;
+
+ } else if (rmap_item->address & UNSTABLE_FLAG) {
+--
+2.30.2
+
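Review bot: The added `rmap_item->head = NULL;` in remove_rmap_item_from_tree() has no comment, and nothing on the line says which reader depends on the field being cleared. The commit message explains that cmp_and_merge_page() compares `rmap_item->head` with the stable node and returns early on a stale match, but that reasoning exists only in the changelog. A short comment above the store would keep it next to the code, for example `/* a stale head makes cmp_and_merge_page() treat this item as still linked to the stable node */`. The function starts and continues outside the hunk.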
diff --git a/queue-5.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch b/queue-5.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
new file mode 100644
index 00000000000..e99882f4518
--- /dev/null
+++ b/queue-5.4/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
@@ -0,0 +1,52 @@
+From f616e94ae8570b9c5287fd88db696ccf670a073c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Apr 2021 14:31:25 +0200
+Subject: mac80211: clear the beacon's CRC after channel switch
+
+From: Emmanuel Grumbach
+
+[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ]
+
+After channel switch, we should consider any beacon with a
+CSA IE as a new switch. If the CSA IE is a leftover from
+before the switch that the AP forgot to remove, we'll get
+a CSA-to-Self.
+
+This caused issues in iwlwifi where the firmware saw a beacon
+with a CSA-to-Self with mode = 1 on the new channel after a
+switch. The firmware considered this a new switch and closed
+its queues. Since the beacon didn't change between before and
+after the switch, we wouldn't handle it (the CRC is the same)
+and we wouldn't let the firmware open its queues again or
+disconnect if the CSA IE stays for too long.
+
+Clear the CRC valid state after we switch to make sure that
+we handle the beacon and handle the CSA IE as required.
+
+Signed-off-by: Emmanuel Grumbach
+Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 17a3a1c938be..44fd922cc32a 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1215,6 +1215,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
+
+ sdata->vif.csa_active = false;
+ ifmgd->csa_waiting_bcn = false;
++ /*
++ * If the CSA IE is still present on the beacon after the switch,
++ * we need to consider it as a new CSA (possibly to self).
++ */
++ ifmgd->beacon_crc_valid = false;
+
+ ret = drv_post_channel_switch(sdata);
+ if (ret) {
+--
+2.30.2
+
diff --git a/queue-5.4/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch b/queue-5.4/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
new file mode 100644
index 00000000000..331cec8e29f
--- /dev/null
+++ b/queue-5.4/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
@@ -0,0 +1,57 @@ +From 796a0bac0c65e8f772bb8433b9f819ba8ba70454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:34:38 -0700 +Subject: mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() + +From: Miaohe Lin + +[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ] + +A rare out of memory error would prevent removal of the reserve map region +for a page. hugetlb_fix_reserve_counts() handles this rare case to avoid +dangling with incorrect counts. Unfortunately, hugepage_subpool_get_pages +and hugetlb_acct_memory could possibly fail too. We should correctly +handle these cases. + +Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com +Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages") +Signed-off-by: Miaohe Lin +Cc: Feilong Lin +Cc: Mike Kravetz +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 5253c67acb1d..3b08e34a775d 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -591,13 +591,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode) + { + struct hugepage_subpool *spool = subpool_inode(inode); + long rsv_adjust; ++ bool reserved = false; + + rsv_adjust = hugepage_subpool_get_pages(spool, 1); +- if (rsv_adjust) { ++ if (rsv_adjust > 0) { + struct hstate *h = hstate_inode(inode); + +- hugetlb_acct_memory(h, 1); ++ if (!hugetlb_acct_memory(h, 1)) ++ reserved = true; ++ } else if (!rsv_adjust) { ++ reserved = true; + } ++ ++ if (!reserved) ++ pr_warn("hugetlb: Huge Page Reserved count may go negative.\n"); + } + + /* +-- +2.30.2 + diff --git a/queue-5.4/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch b/queue-5.4/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch new file mode 100644 index 00000000000..8c6af3bdfeb --- /dev/null 
+++ b/queue-5.4/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch @@ -0,0 +1,50 @@ +From fd077acbad2a7c26bf5f2ea00b5b977085501b01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:37:10 -0700 +Subject: mm/migrate.c: fix potential indeterminate pte entry in + migrate_vma_insert_page() + +From: Miaohe Lin + +[ Upstream commit 34f5e9b9d1990d286199084efa752530ee3d8297 ] + +If the zone device page does not belong to un-addressable device memory, +the variable entry will be uninitialized and lead to indeterminate pte +entry ultimately. Fix this unexpected case and warn about it. + +Link: https://lkml.kernel.org/r/20210325131524.48181-4-linmiaohe@huawei.com +Fixes: df6ad69838fc ("mm/device-public-memory: device memory cache coherent with CPU") +Signed-off-by: Miaohe Lin +Reviewed-by: David Hildenbrand +Cc: Alistair Popple +Cc: Jerome Glisse +Cc: Rafael Aquini +Cc: Yang Shi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/migrate.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/mm/migrate.c b/mm/migrate.c +index c4c313e47f12..00bbe57c1ce2 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -2771,6 +2771,13 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate, + + swp_entry = make_device_private_entry(page, vma->vm_flags & VM_WRITE); + entry = swp_entry_to_pte(swp_entry); ++ } else { ++ /* ++ * For now we only support migrating to un-addressable ++ * device memory. ++ */ ++ pr_warn_once("Unsupported ZONE_DEVICE page type.\n"); ++ goto abort; + } + } else { + entry = mk_pte(page, vma->vm_page_prot); +-- +2.30.2 + diff --git a/queue-5.4/mt76-mt76x0-disable-gtk-offloading.patch b/queue-5.4/mt76-mt76x0-disable-gtk-offloading.patch new file mode 100644 index 00000000000..67e81a4c61c --- /dev/null +++ b/queue-5.4/mt76-mt76x0-disable-gtk-offloading.patch 
@@ -0,0 +1,46 @@ +From 7420989f460b1ec186013270dbad1be17a8d5533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Feb 2021 16:09:17 +0100 +Subject: mt76: mt76x0: disable GTK offloading + +From: David Bauer + +[ Upstream commit 4b36cc6b390f18dbc59a45fb4141f90d7dfe2b23 ] + +When operating two VAP on a MT7610 with encryption (PSK2, SAE, OWE), +only the first one to be created will transmit properly encrypteded +frames. + +All subsequently created VAPs will sent out frames with the payload left +unencrypted, breaking multicast traffic (ICMP6 NDP) and potentially +disclosing information to a third party. + +Disable GTK offloading and encrypt these frames in software to +circumvent this issue. THis only seems to be necessary on MT7610 chips, +as MT7612 is not affected from our testing. + +Signed-off-by: David Bauer +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +index de0d6f21c621..075871f52bad 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +@@ -450,6 +450,10 @@ int mt76x02_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) + return -EOPNOTSUPP; + ++ /* MT76x0 GTK offloading does not work with more than one VIF */ ++ if (is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ return -EOPNOTSUPP; ++ + msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL; + wcid = msta ? &msta->wcid : &mvif->group_wcid; + +-- +2.30.2 + diff --git a/queue-5.4/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch b/queue-5.4/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch new file mode 100644 index 00000000000..598ebe5f654 --- /dev/null 
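Review bot: The comment on the new check in mt76x02_set_key() says GTK offloading "does not work with more than one VIF", but the condition `is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)` refuses every group key on MT76x0 however many VIFs exist. The comment also does not say what "does not work" means. According to the commit message, later VIFs send group frames with the payload unencrypted, and that is the reason a maintainer must not relax this check as an optimisation. I would word the comment as `/* MT76x0: hardware GTK offload leaves group frames of all but the first VIF unencrypted; reject group keys so they are encrypted in software */`. The function starts and continues outside the hunk.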
+++ b/queue-5.4/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch @@ -0,0 +1,44 @@ +From 5b52e4dcb98bed52995375e164663d6daa8fa0d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 17:45:27 +0200 +Subject: net: bridge: when suppression is enabled exclude RARP packets + +From: Nikolay Aleksandrov + +[ Upstream commit 0353b4a96b7a9f60fe20d1b3ebd4931a4085f91c ] + +Recently we had an interop issue where RARP packets got suppressed with +bridge neigh suppression enabled, but the check in the code was meant to +suppress GARP. Exclude RARP packets from it which would allow some VMWare +setups to work, to quote the report: +"Those RARP packets usually get generated by vMware to notify physical +switches when vMotion occurs. vMware may use random sip/tip or just use +sip=tip=0. So the RARP packet sometimes get properly flooded by the vtep +and other times get dropped by the logic" + +Reported-by: Amer Abdalamer +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_arp_nd_proxy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c +index b18cdf03edb3..c4e0f4777df5 100644 +--- a/net/bridge/br_arp_nd_proxy.c ++++ b/net/bridge/br_arp_nd_proxy.c +@@ -155,7 +155,9 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br, + if (br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) { + if (p && (p->flags & BR_NEIGH_SUPPRESS)) + return; +- if (ipv4_is_zeronet(sip) || sip == tip) { ++ if (parp->ar_op != htons(ARPOP_RREQUEST) && ++ parp->ar_op != htons(ARPOP_RREPLY) && ++ (ipv4_is_zeronet(sip) || sip == tip)) { + /* prevent flooding to neigh suppress ports */ + BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1; + return; +-- +2.30.2 + 
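Review bot: The extended condition in br_do_proxy_suppress_arp() exempts `ARPOP_RREQUEST` and `ARPOP_RREPLY`, but nothing in the code says why. The only comment left in the branch, "prevent flooding to neigh suppress ports", still reads as if every frame with a zero or self-addressed sip is suppressed. A comment above the `if` would record the reason, e.g. `/* RARP may carry sip == tip or sip == 0 (hypervisor migration notices); only gratuitous-ARP-style frames are suppressed */`. How `parp` is validated before `parp->ar_op` is read lies outside the hunk.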
diff --git a/queue-5.4/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch b/queue-5.4/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
new file mode 100644
index 00000000000..a5658f13af3
--- /dev/null
+++ b/queue-5.4/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
@@ -0,0 +1,50 @@
+From 8df4156e8c3f9da29919e34db2de7dfc9c7b9eb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Apr 2021 22:20:54 -0700
+Subject: net: ethernet: mtk_eth_soc: fix RX VLAN offload
+
+From: Felix Fietkau
+
+[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ]
+
+The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is
+set. Fixes frames wrongly marked with VLAN tags.
+
+Signed-off-by: Felix Fietkau
+[Ilya: fix commit message]
+Signed-off-by: Ilya Lipnitskiy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index d01b3a1b40f4..7e3806fd70b2 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1315,7 +1315,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
+ skb->protocol = eth_type_trans(skb, netdev);
+
+ if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX &&
+- RX_DMA_VID(trxd.rxd3))
++ (trxd.rxd2 & RX_DMA_VTAG))
+ __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
+ RX_DMA_VID(trxd.rxd3));
+ skb_record_rx_queue(skb, 0);
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 1e787f3577aa..1e9202b34d35 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -293,6 +293,7 @@
+ #define RX_DMA_LSO BIT(30)
+ #define RX_DMA_PLEN0(_x) (((_x) & 0x3fff) << 16)
+ #define RX_DMA_GET_PLEN0(_x) (((_x) >> 16) & 0x3fff)
++#define RX_DMA_VTAG BIT(15)
+
+ /* QDMA descriptor rxd3 */
+ #define RX_DMA_VID(_x) ((_x) & 0xfff)
+--
+2.30.2
+
diff --git a/queue-5.4/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch b/queue-5.4/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch
new file mode 100644
index 00000000000..551ec7de7d9
--- /dev/null
+++ b/queue-5.4/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch
@@ -0,0 +1,52 @@
+From 5d771e011662e189efaae5b992c2535a7e90f873 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 May 2021 09:58:31 -0700
+Subject: net: fix nla_strcmp to handle more then one trailing null character
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ]
+
+Android userspace has been using TCA_KIND with a char[IFNAMESIZ]
+many-null-terminated buffer containing the string 'bpf'.
+
+This works on 4.19 and ceases to work on 5.10.
+
+I'm not entirely sure what fixes tag to use, but I think the issue
+was likely introduced in the below mentioned 5.4 commit.
+
+Reported-by: Nucca Chen
+Cc: Cong Wang
+Cc: David Ahern
+Cc: David S. Miller
+Cc: Jakub Kicinski
+Cc: Jamal Hadi Salim
+Cc: Jiri Pirko
+Cc: Jiri Pirko
+Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND")
+Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ lib/nlattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index cace9b307781..0d84f79cb4b5 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -609,7 +609,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str)
+ int attrlen = nla_len(nla);
+ int d;
+
+- if (attrlen > 0 && buf[attrlen - 1] == '\0')
++ while (attrlen > 0 && buf[attrlen - 1] == '\0')
+ attrlen--;
+
+ d = attrlen - len;
+--
+2.30.2
+
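Review bot: nla_strcmp() now ignores any number of trailing NUL bytes in the attribute payload, but nothing in the hunk records that contract; the function's comment block and the start of its body are outside the hunk. Since this helper compares attributes supplied by userspace against kernel strings, I would state the rule in that comment, e.g. `* Trailing NUL bytes in the attribute are not part of the compared string.` One consequence worth naming there, assuming `len` is the length of `str`, is that an attribute consisting only of NUL bytes now compares equal to the empty string.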
diff --git a/queue-5.4/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch b/queue-5.4/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch
new file mode 100644
index 00000000000..8ec1c95a383
--- /dev/null
+++ b/queue-5.4/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch
@@ -0,0 +1,44 @@
+From a9058614bc76ea428711b937e9643582d37310cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Apr 2021 16:34:52 +0800
+Subject: net: hns3: add check for HNS3_NIC_STATE_INITED in
+ hns3_reset_notify_up_enet()
+
+From: Jian Shen
+
+[ Upstream commit b4047aac4ec1066bab6c71950623746d7bcf7154 ]
+
+In some cases, the device is not initialized because reset failed.
+If another task calls hns3_reset_notify_up_enet() before reset
+retry, it will cause an error since uninitialized pointer access.
+So add check for HNS3_NIC_STATE_INITED before calling
+hns3_nic_net_open() in hns3_reset_notify_up_enet().
+
+Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
+Signed-off-by: Jian Shen
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 696f21543aa7..6b43cbf4f909 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4280,6 +4280,11 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle)
+ struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev);
+ int ret = 0;
+
++ if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state)) {
++ netdev_err(kinfo->netdev, "device is not initialized yet\n");
++ return -EFAULT;
++ }
++
+ clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
+
+ if (netif_running(kinfo->netdev)) {
+--
+2.30.2
+
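Review bot: The new early return in hns3_reset_notify_up_enet() sits before `clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state)`, so on this path the RESETTING bit stays set. The commit message says a reset retry follows, in which case leaving the bit set may be intended, but the code does not say so. A comment on the check, such as `/* reset failed earlier: leave RESETTING set until the retry re-initializes the device */`, would settle it; if that is not the intent, the bit needs clearing before the return. The rest of the function is outside the hunk.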
diff --git a/queue-5.4/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch b/queue-5.4/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch
new file mode 100644
index 00000000000..04d94300980
--- /dev/null
+++ b/queue-5.4/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch
@@ -0,0 +1,39 @@
+From 99c80d9ef740a05897da79d58938c639ddb1fe61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 17:06:22 +0800
+Subject: net: hns3: disable phy loopback setting in hclge_mac_start_phy
+
+From: Yufeng Mo
+
+[ Upstream commit 472497d0bdae890a896013332a0b673f9acdf2bf ]
+
+If selftest and reset are performed at the same time, the phy
+loopback setting may be still in enable state after the reset,
+and device cannot link up. So fix this issue by disabling phy
+loopback before phy_start().
+
+Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC")
+Signed-off-by: Yufeng Mo
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index dc4dfd4602ab..c8f979c55fec 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -255,6 +255,8 @@ void hclge_mac_start_phy(struct hclge_dev *hdev)
+ if (!phydev)
+ return;
+
++ phy_loopback(phydev, false);
++
+ phy_start(phydev);
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch b/queue-5.4/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch
new file mode 100644
index 00000000000..d74e8f5d066
--- /dev/null
+++ b/queue-5.4/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch
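Review bot: The return value of `phy_loopback(phydev, false)` in hclge_mac_start_phy() is dropped without explanation. phy_loopback() returns an int and can fail, including when loopback was not enabled to begin with, so ignoring it is probably deliberate, but a reader cannot tell that from the code. I would add `/* best effort: loopback is normally already off, so an error here is expected */` above the call. If a genuine failure to leave loopback should be visible, it would have to be logged, since the function returns void.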
@@ -0,0 +1,51 @@
+From af1088e43dfadd1cfc71e696a136024ff72f906d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 17:06:19 +0800
+Subject: net: hns3: fix for vxlan gpe tx checksum bug
+
+From: Hao Chen
+
+[ Upstream commit 905416f18fe74bdd4de91bf94ef5a790a36e4b99 ]
+
+When skb->ip_summed is CHECKSUM_PARTIAL, for non-tunnel udp packet,
+which has a dest port as the IANA assigned, the hardware is expected
+to do the checksum offload, but the hardware whose version is below
+V3 will not do the checksum offload when udp dest port is 4790.
+
+So fixes it by doing the checksum in software for this case.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Hao Chen
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 6b43cbf4f909..3dd3b8047968 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -796,7 +796,7 @@ static int hns3_get_l4_protocol(struct sk_buff *skb, u8 *ol4_proto,
+ * and it is udp packet, which has a dest port as the IANA assigned.
+ * the hardware is expected to do the checksum offload, but the
+ * hardware will not do the checksum offload when udp dest port is
+- * 4789 or 6081.
++ * 4789, 4790 or 6081.
+ */
+ static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
+ {
+@@ -806,7 +806,8 @@ static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
+
+ if (!(!skb->encapsulation &&
+ (l4.udp->dest == htons(IANA_VXLAN_UDP_PORT) ||
+- l4.udp->dest == htons(GENEVE_UDP_PORT))))
++ l4.udp->dest == htons(GENEVE_UDP_PORT) ||
++ l4.udp->dest == htons(4790))))
+ return false;
+
+ skb_checksum_help(skb);
+--
+2.30.2
+
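Review bot: `htons(4790)` in hns3_tunnel_csum_bug() is a bare port number sitting next to two named constants. include/net/vxlan.h defines `IANA_VXLAN_GPE_UDP_PORT` for this value, alongside the `IANA_VXLAN_UDP_PORT` the condition already uses, so the added line can read `l4.udp->dest == htons(IANA_VXLAN_GPE_UDP_PORT))))`. That ties the "4789, 4790 or 6081" in the comment above to names a reader can search for.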
diff --git a/queue-5.4/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch b/queue-5.4/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch
new file mode 100644
index 00000000000..53b00ff386f
--- /dev/null
+++ b/queue-5.4/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch
@@ -0,0 +1,56 @@
+From 3a495d3fbeec8d7cf4c1140bc57a368e1901c1f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Apr 2021 16:34:50 +0800
+Subject: net: hns3: fix incorrect configuration for igu_egu_hw_err
+
+From: Yufeng Mo
+
+[ Upstream commit 2867298dd49ee84214b8721521dc7a5a6382520c ]
+
+According to the UM, the type and enable status of igu_egu_hw_err
+should be configured separately. Currently, the type field is
+incorrect when disable this error. So fix it by configuring these
+two fields separately.
+
+Fixes: bf1faf9415dd ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI")
+Signed-off-by: Yufeng Mo
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c | 3 ++-
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
+index 87dece0e745d..53fd6e4d9e2d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
+@@ -753,8 +753,9 @@ static int hclge_config_igu_egu_hw_err_int(struct hclge_dev *hdev, bool en)
+
+ /* configure IGU,EGU error interrupts */
+ hclge_cmd_setup_basic_desc(&desc, HCLGE_IGU_COMMON_INT_EN, false);
++ desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_TYPE);
+ if (en)
+- desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
++ desc.data[0] |= cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
+
+ desc.data[1] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN_MASK);
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
+index 876fd81ad2f1..8eccdb651a3c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
+@@ -33,7 +33,8 @@
+ #define HCLGE_TQP_ECC_ERR_INT_EN_MASK 0x0FFF
+ #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN_MASK 0x0F000000
+ #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN 0x0F000000
+-#define HCLGE_IGU_ERR_INT_EN 0x0000066F
++#define HCLGE_IGU_ERR_INT_EN 0x0000000F
++#define HCLGE_IGU_ERR_INT_TYPE 0x00000660
+ #define HCLGE_IGU_ERR_INT_EN_MASK 0x000F
+ #define HCLGE_IGU_TNL_ERR_INT_EN 0x0002AABF
+ #define HCLGE_IGU_TNL_ERR_INT_EN_MASK 0x003F
+--
+2.30.2
+
diff --git a/queue-5.4/net-hns3-initialize-the-message-content-in-hclge_get.patch b/queue-5.4/net-hns3-initialize-the-message-content-in-hclge_get.patch
new file mode 100644
index 00000000000..d3d81d21cc3
--- /dev/null
+++ b/queue-5.4/net-hns3-initialize-the-message-content-in-hclge_get.patch
@@ -0,0 +1,38 @@
+From 126a3b752007578d11528c1a98a649025a8160ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Apr 2021 16:34:51 +0800
+Subject: net: hns3: initialize the message content in hclge_get_link_mode()
+
+From: Yufeng Mo
+
+[ Upstream commit 568a54bdf70b143f3e0befa298e22ad469ffc732 ]
+
+The message sent to VF should be initialized, otherwise random
+value of some contents may cause improper processing by the target.
+So add a initialization to message in hclge_get_link_mode().
+
+Fixes: 9194d18b0577 ("net: hns3: fix the problem that the supported port is empty")
+Signed-off-by: Yufeng Mo
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index f5da28a60d00..23a706a1765a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -455,7 +455,7 @@ static void hclge_get_link_mode(struct hclge_vport *vport,
+ unsigned long advertising;
+ unsigned long supported;
+ unsigned long send_data;
+- u8 msg_data[10];
++ u8 msg_data[10] = {};
+ u8 dest_vfid;
+
+ advertising = hdev->hw.mac.advertising[0];
+--
+2.30.2
+
diff --git a/queue-5.4/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch b/queue-5.4/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch
new file mode 100644
index 00000000000..71fe1b93ae0
--- /dev/null
+++ b/queue-5.4/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch
@@ -0,0 +1,44 @@
+From 797eb5a6e468b3b08e8f8893bf79d10c7b252190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 17:06:20 +0800
+Subject: net: hns3: use netif_tx_disable to stop the transmit queue
+
+From: Peng Li
+
+[ Upstream commit b416e872be06fdace3c36cf5210130509d0f0e72 ]
+
+Currently, netif_tx_stop_all_queues() is used to ensure that
+the xmit is not running, but for the concurrent case it will
+not take effect, since netif_tx_stop_all_queues() just sets
+a flag without locking to indicate that the xmit queue(s)
+should not be run.
+
+So use netif_tx_disable() to replace netif_tx_stop_all_queues(),
+it takes the xmit queue lock while marking the queue stopped.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 3dd3b8047968..5f2948bafff2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -539,8 +539,8 @@ static int hns3_nic_net_stop(struct net_device *netdev)
+ if (h->ae_algo->ops->set_timer_task)
+ h->ae_algo->ops->set_timer_task(priv->ae_handle, false);
+
+- netif_tx_stop_all_queues(netdev);
+ netif_carrier_off(netdev);
++ netif_tx_disable(netdev);
+
+ hns3_nic_net_down(netdev);
+
+--
+2.30.2
+
diff --git a/queue-5.4/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch b/queue-5.4/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch
new file mode 100644
index 00000000000..9373e8a5b6a
--- /dev/null
+++ b/queue-5.4/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch
@@ -0,0 +1,46 @@
+From f530a071e859062f81b80b6b733b60a5276d925b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Apr 2021 07:30:46 +0800
+Subject: net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule
+
+From: Du Cheng
+
+[ Upstream commit ed8157f1ebf1ae81a8fa2653e3f20d2076fad1c9 ]
+
+There is a reproducible sequence from the userland that will trigger a WARN_ON()
+condition in taprio_get_start_time, which causes kernel to panic if configured
+as "panic_on_warn". Catch this condition in parse_taprio_schedule to
+prevent this condition.
+
+Reported as bug on syzkaller:
+https://syzkaller.appspot.com/bug?extid=d50710fd0873a9c6b40c
+
+Reported-by: syzbot+d50710fd0873a9c6b40c@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_taprio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index 09116be99511..a4de4853c79d 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -900,6 +900,12 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb,
+
+ list_for_each_entry(entry, &new->entries, list)
+ cycle = ktime_add_ns(cycle, entry->interval);
++
++ if (!cycle) {
++ NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");
++ return -EINVAL;
++ }
++
+ new->cycle_time = cycle;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch b/queue-5.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch
new file mode 100644
index 00000000000..69c312df23b
--- /dev/null
+++ b/queue-5.4/net-stmmac-set-fifo-sizes-for-ipq806x.patch
@@ -0,0 +1,44 @@
+From bb751db08a6b53ef8999217d2384705e3573c69b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Mar 2021 13:18:26 +0000
+Subject: net: stmmac: Set FIFO sizes for ipq806x
+
+From: Jonathan McDowell
+
+[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ]
+
+Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values")
+started using the TX FIFO size to verify what counts as a valid MTU
+request for the stmmac driver. This is unset for the ipq806x variant.
+Looking at older patches for this it seems the RX + TXs buffers can be
+up to 8k, so set appropriately.
+
+(I sent this as an RFC patch in June last year, but received no replies.
+I've been running with this on my hardware (a MikroTik RB3011) since
+then with larger MTUs to support both the internal qca8k switch and
+VLANs with no problems. Without the patch it's impossible to set the
+larger MTU required to support this.)
+
+Signed-off-by: Jonathan McDowell
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 826626e870d5..0f56f8e33691 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -351,6 +351,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ plat_dat->bsp_priv = gmac;
+ plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
+ plat_dat->multicast_filter_bins = 0;
++ plat_dat->tx_fifo_size = 8192;
++ plat_dat->rx_fifo_size = 8192;
+
+ err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (err)
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch b/queue-5.4/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch
new file mode 100644
index 00000000000..1fb5df9eb1f
--- /dev/null
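Review bot: The two assignments in ipq806x_gmac_probe() set `tx_fifo_size` and `rx_fifo_size` unconditionally, so any value already stored in `plat_dat` before this point is overwritten. `plat_dat` is populated outside the hunk; if it comes from the common stmmac device-tree parsing, which reads FIFO depth properties, a board that specifies them would silently get 8192 instead. Guarding each assignment, `if (!plat_dat->tx_fifo_size) plat_dat->tx_fifo_size = 8192;` and the same for `rx_fifo_size`, keeps the default without overriding an explicit setting. The commit message hedges the 8k figure ("it seems"), so a one-line comment naming where the value comes from would help as well.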
+++ b/queue-5.4/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch
@@ -0,0 +1,36 @@
+From 40eeda763b1d2b93f50eb7c6e3fd1d869c01aac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 May 2021 22:25:24 +0200
+Subject: netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL
+ check
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 5e024c325406470d1165a09c6feaf8ec897936be ]
+
+Do not assume that the tcph->doff field is correct when parsing for TCP
+options, skb_header_pointer() might fail to fetch these bits.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_osf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 916a3c7f9eaf..79fbf37291f3 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -186,6 +186,8 @@ static const struct tcphdr *nf_osf_hdr_ctx_init(struct nf_osf_hdr_ctx *ctx,
+
+ ctx->optp = skb_header_pointer(skb, ip_hdrlen(skb) +
+ sizeof(struct tcphdr), ctx->optsize, opts);
++ if (!ctx->optp)
++ return NULL;
+ }
+
+ return tcp;
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch b/queue-5.4/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
new file mode 100644
index 00000000000..678ce5d59df
--- /dev/null
+++ b/queue-5.4/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
@@ -0,0 +1,76 @@
+From 4e57c68959475e742df34dd83dbde97bea445fb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 May 2021 05:53:23 -0700
+Subject: netfilter: nftables: avoid overflows in nft_hash_buckets()
+
+From: Eric Dumazet
+
+[ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ]
+
+Number of buckets being stored in 32bit variables, we have to
+ensure that no overflows occur in nft_hash_buckets()
+
+syzbot injected a size == 0x40000000 and reported:
+
+UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+shift exponent 64 is too large for 64-bit type 'long unsigned int'
+CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ __roundup_pow_of_two include/linux/log2.h:57 [inline]
+ nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
+ nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
+ nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
+ nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
+ nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+
+Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_hash.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index b331a3c9a3a8..9de0eb20e954 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -393,9 +393,17 @@ static void nft_rhash_destroy(const struct nft_set *set)
+ (void *)set);
+ }
+
++/* Number of buckets is stored in u32, so cap our result to 1U<<31 */
++#define NFT_MAX_BUCKETS (1U << 31)
++
+ static u32 nft_hash_buckets(u32 size)
+ {
+- return roundup_pow_of_two(size * 4 / 3);
++ u64 val = div_u64((u64)size * 4, 3);
++
++ if (val >= NFT_MAX_BUCKETS)
++ return NFT_MAX_BUCKETS;
++
++ return roundup_pow_of_two(val);
+ }
+
+ static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch b/queue-5.4/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch
new file mode 100644
index 00000000000..3c3c9007a75
--- /dev/null
+++ b/queue-5.4/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch
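Review bot: nft_hash_buckets() still hands `val == 0` to roundup_pow_of_two() when `size` is 0, and include/linux/log2.h documents the result as undefined for 0; the "shift exponent 64" in the quoted UBSAN report appears to be that same zero case, reached there through the 32-bit wrap of `size * 4`. The callers are outside the hunk and may already reject a zero size, but the helper would be safe on its own with a guard before the final return, e.g. `if (!val) return 1;`. If callers do guarantee it, a comment next to the new one, `/* callers ensure size != 0 */`, would record that.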
@@ -0,0 +1,173 @@
+From 83628f7da7c583b55d0ba19ee895bf9acfcf0b5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 14:00:13 +0200
+Subject: netfilter: xt_SECMARK: add new revision to fix structure layout
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit c7d13358b6a2f49f81a34aa323a2d0878a0532a2 ]
+
+This extension breaks when trying to delete rules, add a new revision to
+fix this.
+
+Fixes: 5e6874cdb8de ("[SECMARK]: Add xtables SECMARK target")
+Signed-off-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/netfilter/xt_SECMARK.h | 6 ++
+ net/netfilter/xt_SECMARK.c | 88 ++++++++++++++++++-----
+ 2 files changed, 75 insertions(+), 19 deletions(-)
+
+diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
+index 1f2a708413f5..beb2cadba8a9 100644
+--- a/include/uapi/linux/netfilter/xt_SECMARK.h
++++ b/include/uapi/linux/netfilter/xt_SECMARK.h
+@@ -20,4 +20,10 @@ struct xt_secmark_target_info {
+ char secctx[SECMARK_SECCTX_MAX];
+ };
+
++struct xt_secmark_target_info_v1 {
++ __u8 mode;
++ char secctx[SECMARK_SECCTX_MAX];
++ __u32 secid;
++};
++
+ #endif /*_XT_SECMARK_H_target */
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 2317721f3ecb..ea7aeea19b3b 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -26,10 +26,9 @@ MODULE_ALIAS("ip6t_SECMARK");
+ static u8 mode;
+
+ static unsigned int
+-secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
++secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+ {
+ u32 secmark = 0;
+- const struct xt_secmark_target_info *info = par->targinfo;
+
+ switch (mode) {
+ case SECMARK_MODE_SEL:
+@@ -43,7 +42,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ return XT_CONTINUE;
+ }
+
+-static int checkentry_lsm(struct xt_secmark_target_info *info)
++static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ {
+ int err;
+
+@@ -75,15 +74,15 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
+ return 0;
+ }
+
+-static int secmark_tg_check(const struct xt_tgchk_param *par)
++static int
++secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info)
+ {
+- struct xt_secmark_target_info *info = par->targinfo;
+ int err;
+
+- if (strcmp(par->table, "mangle") != 0 &&
+- strcmp(par->table, "security") != 0) {
++ if (strcmp(table, "mangle") != 0 &&
++ strcmp(table, "security") != 0) {
+ pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
+- par->table);
++ table);
+ return -EINVAL;
+ }
+
+@@ -118,25 +117,76 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
+ }
+ }
+
+-static struct xt_target secmark_tg_reg __read_mostly = {
+- .name = "SECMARK",
+- .revision = 0,
+- .family = NFPROTO_UNSPEC,
+- .checkentry = secmark_tg_check,
+- .destroy = secmark_tg_destroy,
+- .target = secmark_tg,
+- .targetsize = sizeof(struct xt_secmark_target_info),
+- .me = THIS_MODULE,
++static int secmark_tg_check_v0(const struct xt_tgchk_param *par)
++{
++ struct xt_secmark_target_info *info = par->targinfo;
++ struct xt_secmark_target_info_v1 newinfo = {
++ .mode = info->mode,
++ };
++ int ret;
++
++ memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX);
++
++ ret = secmark_tg_check(par->table, &newinfo);
++ info->secid = newinfo.secid;
++
++ return ret;
++}
++
++static unsigned int
++secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par)
++{
++ const struct xt_secmark_target_info *info = par->targinfo;
++ struct xt_secmark_target_info_v1 newinfo = {
++ .secid = info->secid,
++ };
++
++ return secmark_tg(skb, &newinfo);
++}
++
++static int secmark_tg_check_v1(const struct xt_tgchk_param *par)
++{
++ return secmark_tg_check(par->table, par->targinfo);
++}
++
++static unsigned int
++secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
++{
++ return secmark_tg(skb, par->targinfo);
++}
++
++static struct xt_target secmark_tg_reg[] __read_mostly = {
++ {
++ .name = "SECMARK",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = secmark_tg_check_v0,
++ .destroy = secmark_tg_destroy,
++ .target = secmark_tg_v0,
++ .targetsize = sizeof(struct xt_secmark_target_info),
++ .me = THIS_MODULE,
++ },
++ {
++ .name = "SECMARK",
++ .revision = 1,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = secmark_tg_check_v1,
++ .destroy = secmark_tg_destroy,
++ .target = secmark_tg_v1,
++ .targetsize = sizeof(struct xt_secmark_target_info_v1),
++ .usersize = offsetof(struct xt_secmark_target_info_v1, secid),
++ .me = THIS_MODULE,
++ },
+ };
+
+ static int __init secmark_tg_init(void)
+ {
+- return xt_register_target(&secmark_tg_reg);
++ return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+
+ static void __exit secmark_tg_exit(void)
+ {
+- xt_unregister_target(&secmark_tg_reg);
++ xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+
+ module_init(secmark_tg_init);
+--
+2.30.2
+
diff --git a/queue-5.4/nfs-deal-correctly-with-attribute-generation-counter.patch b/queue-5.4/nfs-deal-correctly-with-attribute-generation-counter.patch
new file mode 100644
index 00000000000..a42b27d10a3
--- /dev/null
+++ b/queue-5.4/nfs-deal-correctly-with-attribute-generation-counter.patch
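Review bot: The new uapi struct `xt_secmark_target_info_v1` gives no hint that `secid` is a kernel-side field, although the revision 1 registration depends on it being the last member: `.usersize = offsetof(struct xt_secmark_target_info_v1, secid)` is what keeps it out of the user-visible part of the target data. I would document that in the header next to the field, `/* kernel only, must stay last: excluded from userspace via .usersize */`, so a later member is not appended after it by mistake. Separately, secmark_tg_v0() builds a whole v1 struct, `secctx` array included, on the stack for every packet just to carry `secid`; the part of secmark_tg() that reads `info` is outside the hunk, so whether a lighter hand-off is possible needs checking there.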
@@ -0,0 +1,49 @@
+From e5d0f7a2547c8d3a20cb7da31dde1587c2364281 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Mar 2021 16:46:05 -0400
+Subject: NFS: Deal correctly with attribute generation counter overflow
+
+From: Trond Myklebust
+
+[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ]
+
+We need to use unsigned long subtraction and then convert to signed in
+order to deal correcly with C overflow rules.
+
+Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 53604cc090ca..8c0f916380c4 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1618,10 +1618,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle);
+ */
+ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr)
+ {
+- const struct nfs_inode *nfsi = NFS_I(inode);
++ unsigned long attr_gencount = NFS_I(inode)->attr_gencount;
+
+- return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 ||
+- ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
++ return (long)(fattr->gencount - attr_gencount) > 0 ||
++ (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0;
+ }
+
+ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+@@ -2049,7 +2049,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ nfsi->attrtimeo_timestamp = now;
+ }
+ /* Set the barrier to be more recent than this fattr */
+- if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
++ if ((long)(fattr->gencount - nfsi->attr_gencount) > 0)
+ nfsi->attr_gencount = fattr->gencount;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch b/queue-5.4/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
new file mode 100644
index 00000000000..5c9b7160096
--- /dev/null
+++ b/queue-5.4/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
@@ -0,0 +1,78 @@ +From ec1e148c3cbb584ab38ab6802887da9dbccd6973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 18:17:14 -0400 +Subject: NFSv4.2: Always flush out writes in nfs42_proc_fallocate() + +From: Trond Myklebust + +[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ] + +Whether we're allocating or delallocating space, we should flush out the +pending writes in order to avoid races with attribute updates. + +Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 9b61c80a93e9..5c84e5b8c0d6 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -59,7 +59,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + loff_t offset, loff_t len) + { +- struct nfs_server *server = NFS_SERVER(file_inode(filep)); ++ struct inode *inode = file_inode(filep); ++ struct nfs_server *server = NFS_SERVER(inode); + struct nfs4_exception exception = { }; + struct nfs_lock_context *lock; + int err; +@@ -68,9 +69,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + if (IS_ERR(lock)) + return PTR_ERR(lock); + +- exception.inode = file_inode(filep); ++ exception.inode = inode; + exception.state = lock->open_context->state; + ++ err = nfs_sync_inode(inode); ++ if (err) ++ goto out; ++ + do { + err = _nfs42_proc_fallocate(msg, filep, lock, offset, len); + if (err == -ENOTSUPP) { +@@ -79,7 +84,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + } + err = nfs4_handle_exception(server, err, &exception); + } while (exception.retry); +- ++out: + nfs_put_lock_context(lock); + return err; + } +@@ -117,16 +122,13 @@ int nfs42_proc_deallocate(struct file 
*filep, loff_t offset, loff_t len) + return -EOPNOTSUPP; + + inode_lock(inode); +- err = nfs_sync_inode(inode); +- if (err) +- goto out_unlock; + + err = nfs42_proc_fallocate(&msg, filep, offset, len); + if (err == 0) + truncate_pagecache_range(inode, offset, (offset + len) -1); + if (err == -EOPNOTSUPP) + NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE; +-out_unlock: ++ + inode_unlock(inode); + return err; + } +-- +2.30.2 + diff --git a/queue-5.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch b/queue-5.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch new file mode 100644 index 00000000000..3569940a63a --- /dev/null +++ b/queue-5.4/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch 
@@ -0,0 +1,43 @@
+From ddf42ef4d762adfcd64413002d87aa96c1374e71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Mar 2021 15:30:25 -0400
+Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply
+
+From: Olga Kornievskaia
+
+[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ]
+
+Currently the client ignores the value of the sr_eof of the SEEK
+operation. According to the spec, if the server didn't find the
+requested extent and reached the end of the file, the server
+would return sr_eof=true. In case the request for DATA and no
+data was found (ie in the middle of the hole), then the lseek
+expects that ENXIO would be returned.
+
+Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK")
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs42proc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 5c84e5b8c0d6..6b7c926824ae 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -500,7 +500,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep,
+ if (status)
+ return status;
+
+- return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
++ if (whence == SEEK_DATA && res.sr_eof)
++ return -NFS4ERR_NXIO;
++ else
++ return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
+ }
+
+ loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence)
+--
+2.30.2
+
diff --git a/queue-5.4/pci-endpoint-fix-missing-destroy_workqueue.patch b/queue-5.4/pci-endpoint-fix-missing-destroy_workqueue.patch
new file mode 100644
index 00000000000..a5aca0aedea
--- /dev/null
+++ b/queue-5.4/pci-endpoint-fix-missing-destroy_workqueue.patch
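Review bot: `return -NFS4ERR_NXIO;` in _nfs42_proc_llseek() hands a negated NFSv4 protocol status to a path whose loff_t result is read as an errno by the VFS caller. The description says lseek expects ENXIO, so `return -ENXIO;` states the intent directly. The two constants appear to share the same numeric value, so behaviour is probably unchanged today, but the code should not lean on that coincidence. The `else` after the `return` is also redundant. The function body starts outside the hunk.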
@@ -0,0 +1,47 @@
+From 3feba5c5f22ff872cefb0919d8d2e2e82259e3aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Mar 2021 16:40:12 +0800
+Subject: PCI: endpoint: Fix missing destroy_workqueue()
+
+From: Yang Yingliang
+
+[ Upstream commit acaef7981a218813e3617edb9c01837808de063c ]
+
+Add the missing destroy_workqueue() before return from
+pci_epf_test_init() in the error handling case and add
+destroy_workqueue() in pci_epf_test_exit().
+
+Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com
+Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test PCI")
+Reported-by: Hulk Robot
+Signed-off-by: Yang Yingliang
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/endpoint/functions/pci-epf-test.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
+index 1cfe3687a211..6dcee39b364a 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-test.c
++++ b/drivers/pci/endpoint/functions/pci-epf-test.c
+@@ -604,6 +604,7 @@ static int __init pci_epf_test_init(void)
+
+ ret = pci_epf_register_driver(&test_driver);
+ if (ret) {
++ destroy_workqueue(kpcitest_workqueue);
+ pr_err("Failed to register pci epf test driver --> %d\n", ret);
+ return ret;
+ }
+@@ -614,6 +615,8 @@ module_init(pci_epf_test_init);
+
+ static void __exit pci_epf_test_exit(void)
+ {
++ if (kpcitest_workqueue)
++ destroy_workqueue(kpcitest_workqueue);
+ pci_epf_unregister_driver(&test_driver);
+ }
+ module_exit(pci_epf_test_exit);
+--
+2.30.2
+
diff --git a/queue-5.4/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch b/queue-5.4/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch
new file mode 100644
index 00000000000..6007be2f193
--- /dev/null
+++ b/queue-5.4/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch
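Review bot: In pci_epf_test_exit() the workqueue is destroyed before `pci_epf_unregister_driver(&test_driver)`, whereas the init error path in the same patch shows the queue being set up before the driver is registered, so teardown does not mirror setup. If a still-bound function can queue work on kpcitest_workqueue until the driver is unregistered (the queueing code is outside this hunk, so this is an inference), that leaves a use-after-free window on the destroyed queue. Unregistering first closes it: `pci_epf_unregister_driver(&test_driver);` followed by `destroy_workqueue(kpcitest_workqueue);`. The NULL check looks unnecessary if init fails whenever the allocation fails, but that part of init is not visible here.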
@@ -0,0 +1,43 @@
+From 05f87d12f33b9d75e6e37a85d1c9f1d9ec2bcbc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Mar 2021 15:22:02 +0100
+Subject: PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár
+
+[ Upstream commit 1e83130f01b04c16579ed5a5e03d729bcffc4c5d ]
+
+IRQ domain alloc function should return zero on success. Non-zero value
+indicates failure.
+
+Link: https://lore.kernel.org/r/20210303142202.25780-1-pali@kernel.org
+Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs")
+Signed-off-by: Pali Rohár
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Krzysztof Wilczyński
+Acked-by: Ray Jui
+Acked-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/pcie-iproc-msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c
+index a1298f6784ac..f40d17b285c5 100644
+--- a/drivers/pci/controller/pcie-iproc-msi.c
++++ b/drivers/pci/controller/pcie-iproc-msi.c
+@@ -271,7 +271,7 @@ static int iproc_msi_irq_domain_alloc(struct irq_domain *domain,
+ NULL, NULL);
+ }
+
+- return hwirq;
++ return 0;
+ }
+
+ static void iproc_msi_irq_domain_free(struct irq_domain *domain,
+--
+2.30.2
+
diff --git a/queue-5.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch b/queue-5.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch
new file mode 100644
index 00000000000..b69aecdc337
--- /dev/null
+++ b/queue-5.4/pci-release-of-node-in-pci_scan_device-s-error-path.patch
@@ -0,0 +1,38 @@
+From a8a102b1ba95e2da155c35ebc745809cad8225a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Jan 2021 02:28:26 +0300
+Subject: PCI: Release OF node in pci_scan_device()'s error path
+
+From: Dmitry Baryshkov
+
+[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ]
+
+In pci_scan_device(), if pci_setup_device() fails for any reason, the code
+will not release device's of_node by calling pci_release_of_node(). Fix
+that by calling the release function.
+
+Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically")
+Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/probe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 8fa13486f2f1..f28213b62527 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -2299,6 +2299,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
+ pci_set_of_node(dev);
+
+ if (pci_setup_device(dev)) {
++ pci_release_of_node(dev);
+ pci_bus_put(dev->bus);
+ kfree(dev);
+ return NULL;
+--
+2.30.2
+
diff --git a/queue-5.4/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch b/queue-5.4/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch
new file mode 100644
index 00000000000..7d717cd6706
--- /dev/null
+++ b/queue-5.4/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch
@@ -0,0 +1,72 @@ +From 18421af93d689471d22952745fa5064c931849c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 21:50:29 +0200 +Subject: pinctrl: samsung: use 'int' for register masks in Exynos + +From: Krzysztof Kozlowski + +[ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ] + +The Special Function Registers on all Exynos SoC, including ARM64, are +32-bit wide, so entire driver uses matching functions like readl() or +writel(). On 64-bit ARM using unsigned long for register masks: +1. makes little sense as immediately after bitwise operation it will be + cast to 32-bit value when calling writel(), +2. is actually error-prone because it might promote other operands to + 64-bit. + +Addresses-Coverity: Unintentional integer overflow +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sylwester Nawrocki +Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/samsung/pinctrl-exynos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/samsung/pinctrl-exynos.c b/drivers/pinctrl/samsung/pinctrl-exynos.c +index 84501c785473..1cf31fe2674d 100644 +--- a/drivers/pinctrl/samsung/pinctrl-exynos.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c +@@ -55,7 +55,7 @@ static void exynos_irq_mask(struct irq_data *irqd) + struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip); + struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd); + unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset; +- unsigned long mask; ++ unsigned int mask; + unsigned long flags; + + spin_lock_irqsave(&bank->slock, flags); +@@ -83,7 +83,7 @@ static void exynos_irq_unmask(struct irq_data *irqd) + struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip); + struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd); + unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset; +- 
unsigned long mask; ++ unsigned int mask; + unsigned long flags; + + /* +@@ -474,7 +474,7 @@ static void exynos_irq_eint0_15(struct irq_desc *desc) + chained_irq_exit(chip, desc); + } + +-static inline void exynos_irq_demux_eint(unsigned long pend, ++static inline void exynos_irq_demux_eint(unsigned int pend, + struct irq_domain *domain) + { + unsigned int irq; +@@ -491,8 +491,8 @@ static void exynos_irq_demux_eint16_31(struct irq_desc *desc) + { + struct irq_chip *chip = irq_desc_get_chip(desc); + struct exynos_muxed_weint_data *eintd = irq_desc_get_handler_data(desc); +- unsigned long pend; +- unsigned long mask; ++ unsigned int pend; ++ unsigned int mask; + int i; + + chained_irq_enter(chip, desc); +-- +2.30.2 + diff --git a/queue-5.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch b/queue-5.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch new file mode 100644 index 00000000000..04cb6863024 --- /dev/null +++ b/queue-5.4/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch 
@@ -0,0 +1,52 @@
+From 89e29ef2c0c7c5645a29298ac7b63110fd894809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Mar 2021 11:56:49 +0300
+Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
+
+From: Nikola Livic
+
+[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ]
+
+We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym
+bazalii) observed the check:
+
+ if (fh->size > sizeof(struct nfs_fh))
+
+should not use the size of the nfs_fh struct which includes an extra two
+bytes from the size field.
+
+struct nfs_fh {
+ unsigned short size;
+ unsigned char data[NFS_MAXFHSIZE];
+}
+
+but should determine the size from data[NFS_MAXFHSIZE] so the memcpy
+will not write 2 bytes beyond destination. The proposed fix is to
+compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs
+code base.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Nikola Livic
+Signed-off-by: Dan Carpenter
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index 1741d902b0d8..fa1c920afb49 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -103,7 +103,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
+ if (unlikely(!p))
+ return -ENOBUFS;
+ fh->size = be32_to_cpup(p++);
+- if (fh->size > sizeof(struct nfs_fh)) {
++ if (fh->size > NFS_MAXFHSIZE) {
+ printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n",
+ fh->size);
+ return -EOVERFLOW;
+--
+2.30.2
+
diff --git a/queue-5.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch b/queue-5.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch
new file mode 100644
index 00000000000..5c7b44eaf9f
--- /dev/null
+++ b/queue-5.4/powerpc-iommu-annotate-nested-lock-for-lockdep.patch
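Review bot: The bound is applied only after `fh->size = be32_to_cpup(p++);` has narrowed the 32-bit wire length into the `unsigned short size` field quoted in the description, so a length such as 0x10004 (constructed example) is seen as 4 and accepted. The copy mentioned in the description would then be sized by the truncated value, which keeps it inside data[], but the decoder carries on with a length the peer never sent instead of rejecting the handle. Reading into a local first avoids this: `u32 len = be32_to_cpup(p++);`, then `if (len > NFS_MAXFHSIZE)`, then `fh->size = len;`. decode_nfs_fh() starts before and continues after the hunk.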
@@ -0,0 +1,70 @@ +From 16385a1edc2c7d0fd441bbf8ceebc0642c40fd52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:36:53 +1100 +Subject: powerpc/iommu: Annotate nested lock for lockdep + +From: Alexey Kardashevskiy + +[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ] + +The IOMMU table is divided into pools for concurrent mappings and each +pool has a separate spinlock. When taking the ownership of an IOMMU group +to pass through a device to a VM, we lock these spinlocks which triggers +a false negative warning in lockdep (below). + +This fixes it by annotating the large pool's spinlock as a nest lock +which makes lockdep not complaining when locking nested locks if +the nest lock is locked already. + +=== +WARNING: possible recursive locking detected +5.11.0-le_syzkaller_a+fstn1 #100 Not tainted +-------------------------------------------- +qemu-system-ppc/4129 is trying to acquire lock: +c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +but task is already holding lock: +c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(p->lock)/1); + lock(&(p->lock)/1); +=== + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 9704f3f76e63..d7d42bd448c4 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1057,7 +1057,7 @@ int iommu_take_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + 
iommu_table_release_pages(tbl); + +@@ -1085,7 +1085,7 @@ void iommu_release_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + memset(tbl->it_map, 0, sz); + +-- +2.30.2 + diff --git a/queue-5.4/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch b/queue-5.4/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch new file mode 100644 index 00000000000..a3a497266fc --- /dev/null +++ b/queue-5.4/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch 
@@ -0,0 +1,72 @@ +From 6df44e208325344966657ca7e345feccf6c619ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 23:54:13 +1000 +Subject: powerpc/pseries: Stop calling printk in rtas_stop_self() + +From: Michael Ellerman + +[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ] + +RCU complains about us calling printk() from an offline CPU: + + ============================= + WARNING: suspicious RCU usage + 5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted + ----------------------------- + kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + RCU used illegally from offline CPU! + rcu_scheduler_active = 2, debug_locks = 1 + no locks held by swapper/0/0. + + stack backtrace: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1 + Call Trace: + dump_stack+0xec/0x144 (unreliable) + lockdep_rcu_suspicious+0x124/0x144 + __lock_acquire+0x1098/0x28b0 + lock_acquire+0x128/0x600 + _raw_spin_lock_irqsave+0x6c/0xc0 + down_trylock+0x2c/0x70 + __down_trylock_console_sem+0x60/0x140 + vprintk_emit+0x1a8/0x4b0 + vprintk_func+0xcc/0x200 + printk+0x40/0x54 + pseries_cpu_offline_self+0xc0/0x120 + arch_cpu_idle_dead+0x54/0x70 + do_idle+0x174/0x4a0 + cpu_startup_entry+0x38/0x40 + rest_init+0x268/0x388 + start_kernel+0x748/0x790 + start_here_common+0x1c/0x614 + +Which happens because by the time we get to rtas_stop_self() we are +already offline. In addition the message can be spammy, and is not that +helpful for users, so remove it. 
+ +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index bbda646b63b5..210e6f563eb4 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -91,9 +91,6 @@ static void rtas_stop_self(void) + + BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE); + +- printk("cpu %u (hwid %u) Ready to die...\n", +- smp_processor_id(), hard_smp_processor_id()); +- + rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL); + + panic("Alas, I survived.\n"); +-- +2.30.2 + diff --git a/queue-5.4/powerpc-smp-set-numa-node-before-updating-mask.patch b/queue-5.4/powerpc-smp-set-numa-node-before-updating-mask.patch new file mode 100644 index 00000000000..19181b7da62 --- /dev/null +++ b/queue-5.4/powerpc-smp-set-numa-node-before-updating-mask.patch 
@@ -0,0 +1,90 @@ +From 5796db6681edab74c1e365b7cdbe3ceb5dbefe92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 21:12:00 +0530 +Subject: powerpc/smp: Set numa node before updating mask + +From: Srikar Dronamraju + +[ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ] + +Geethika reported a trace when doing a dlpar CPU add. + +------------[ cut here ]------------ +WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057 +CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5 +Workqueue: events cpuset_hotplug_workfn +NIP: c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420 +REGS: c0000034a08eb260 TRAP: 0700 Not tainted (5.12.0-rc5-master+) +MSR: 8000000000029033 CR: 28828422 XER: 00000020 +CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10 +c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04: +c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018 +#012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000 +c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80 +0000000000000497 0000000000000004 #012GPR16: c00000000347a258 +0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20: +c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3 +#012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030 +c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280 +c0000034aefe0b00 c0000000010a2a68 +NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500 +LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 +Call Trace: +[c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable) +[c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530 +[c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0 +[c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70 +[c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20 +[c0000034a08ebc30] [c000000000178dd0] 
process_one_work+0x300/0x670 +[c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520 +[c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0 +[c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70 +Instruction dump: +7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78 +3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0 +---[ end trace 532d9066d3d4d7ec ]--- + +Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search +for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before +updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated +correctly before its used in setting the masks. Setting the numa_node will +ensure that when cpu_cpu_mask() gets called, the correct node number is +used. This code movement helped fix the above call trace. + +Reported-by: Geetika Moolchandani +Signed-off-by: Srikar Dronamraju +Reviewed-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index ea6adbf6a221..b24d860bbab9 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -1254,6 +1254,9 @@ void start_secondary(void *unused) + + vdso_getcpu_init(); + #endif ++ set_numa_node(numa_cpu_lookup_table[cpu]); ++ set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu])); ++ + /* Update topology CPU masks */ + add_cpu_to_masks(cpu); + +@@ -1266,9 +1269,6 @@ void start_secondary(void *unused) + if (!cpumask_equal(cpu_l2_cache_mask(cpu), sibling_mask(cpu))) + shared_caches = true; + +- set_numa_node(numa_cpu_lookup_table[cpu]); +- set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu])); +- + smp_wmb(); + notify_cpu_starting(cpu); + set_cpu_online(cpu, true); +-- +2.30.2 + 
diff --git a/queue-5.4/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch b/queue-5.4/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch
new file mode 100644
index 00000000000..b1f1cbdd031
--- /dev/null
+++ b/queue-5.4/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch
@@ -0,0 +1,43 @@
+From 1cf894f9a3b51001dcb41ff5326ac9218e3d9e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Apr 2021 15:58:42 +0100
+Subject: qtnfmac: Fix possible buffer overflow in
+ qtnf_event_handle_external_auth
+
+From: Lee Gibson
+
+[ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ]
+
+Function qtnf_event_handle_external_auth calls memcpy without
+checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/quantenna/qtnfmac/event.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c
+index 7846383c8828..3f24dbdae8d0 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/event.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/event.c
+@@ -599,8 +599,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif,
+ return 0;
+
+ if (ev->ssid_len) {
+- memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len);
+- auth.ssid.ssid_len = ev->ssid_len;
++ int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
++
++ memcpy(auth.ssid.ssid, ev->ssid, len);
++ auth.ssid.ssid_len = len;
+ }
+
+ auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
+--
+2.30.2
+
diff --git a/queue-5.4/revert-iommu-amd-fix-performance-counter-initializat.patch b/queue-5.4/revert-iommu-amd-fix-performance-counter-initializat.patch
new file mode 100644
index 00000000000..31c927ab3c3
--- /dev/null
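Review bot: `clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN)` stops the overrun of auth.ssid.ssid, but an event carrying an over-long ssid_len is then processed with a silently truncated SSID instead of being treated as malformed. Rejecting it is easier to reason about and leaves a clear failure for whoever debugs the firmware side, for example `if (ev->ssid_len > IEEE80211_MAX_SSID_LEN) return -EINVAL;` before the copy; the exact error code should follow what the rest of the handler uses. Whether the event buffer is long enough to hold ev->ssid_len bytes is checked, if at all, outside this hunk and is worth confirming. The function starts before and continues after the hunk.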
+++ b/queue-5.4/revert-iommu-amd-fix-performance-counter-initializat.patch 
@@ -0,0 +1,125 @@ +From e09503cfea00127df2eb5f1277d67638baff7bc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 03:58:47 -0500 +Subject: Revert "iommu/amd: Fix performance counter initialization" + +From: Paul Menzel + +[ Upstream commit 715601e4e36903a653cd4294dfd3ed0019101991 ] + +This reverts commit 6778ff5b21bd8e78c8bd547fd66437cf2657fd9b. + +The original commit tries to address an issue, where PMC power-gating +causing the IOMMU PMC pre-init test to fail on certain desktop/mobile +platforms where the power-gating is normally enabled. + +There have been several reports that the workaround still does not +guarantee to work, and can add up to 100 ms (on the worst case) +to the boot process on certain platforms such as the MSI B350M MORTAR +with AMD Ryzen 3 2200G. + +Therefore, revert this commit as a prelude to removing the pre-init +test. + +Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 +Cc: Tj (Elloe Linux) +Cc: Shuah Khan +Cc: Alexander Monakov +Cc: David Coe +Signed-off-by: Paul Menzel +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20210409085848.3908-2-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_init.c | 45 +++++++++------------------------- + 1 file changed, 11 insertions(+), 34 deletions(-) + +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index ad714ff375f8..31d7e2d4f304 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -254,8 +253,6 @@ static enum iommu_init_state init_state = IOMMU_START_STATE; + static int amd_iommu_enable_interrupts(void); + static int __init iommu_go_to_state(enum iommu_init_state state); + static void init_device_table_dma(void); 
+-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, +- u8 fxn, u64 *value, bool is_write); + + static bool amd_iommu_pre_enabled = true; + +@@ -1675,11 +1672,13 @@ static int __init init_iommu_all(struct acpi_table_header *table) + return 0; + } + +-static void __init init_iommu_perf_ctr(struct amd_iommu *iommu) ++static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, ++ u8 fxn, u64 *value, bool is_write); ++ ++static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { +- int retry; + struct pci_dev *pdev = iommu->dev; +- u64 val = 0xabcd, val2 = 0, save_reg, save_src; ++ u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; +@@ -1687,39 +1686,17 @@ static void __init init_iommu_perf_ctr(struct amd_iommu *iommu) + amd_iommu_pc_present = true; + + /* save the value to restore, if writable */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false) || +- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, false)) +- goto pc_false; +- +- /* +- * Disable power gating by programing the performance counter +- * source to 20 (i.e. counts the reads and writes from/to IOMMU +- * Reserved Register [MMIO Offset 1FF8h] that are ignored.), +- * which never get incremented during this init phase. +- * (Note: The event is also deprecated.) +- */ +- val = 20; +- if (iommu_pc_get_set_reg(iommu, 0, 0, 8, &val, true)) ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) + goto pc_false; + + /* Check if the performance counters can be written to */ +- val = 0xabcd; +- for (retry = 5; retry; retry--) { +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true) || +- iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false) || +- val2) +- break; +- +- /* Wait about 20 msec for power gating to disable and retry. 
*/ +- msleep(20); +- } +- +- /* restore */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true) || +- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, true)) ++ if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || ++ (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || ++ (val != val2)) + goto pc_false; + +- if (val != val2) ++ /* restore */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) + goto pc_false; + + pci_info(pdev, "IOMMU performance counters supported\n"); +-- +2.30.2 + diff --git a/queue-5.4/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch b/queue-5.4/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch new file mode 100644 index 00000000000..dc1f4770c34 --- /dev/null +++ b/queue-5.4/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch 
@@ -0,0 +1,39 @@
+From f73ec2d38e1cd858aebda08b4f32c0f7aafba66a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Apr 2021 14:25:22 +0530
+Subject: RISC-V: Fix error code returned by riscv_hartid_to_cpuid()
+
+From: Anup Patel
+
+[ Upstream commit 533b4f3a789d49574e7ae0f6ececed153f651f97 ]
+
+We should return a negative error code upon failure in
+riscv_hartid_to_cpuid() instead of NR_CPUS. This is also
+aligned with all uses of riscv_hartid_to_cpuid() which
+expect negative error code upon failure.
+
+Fixes: 6825c7a80f18 ("RISC-V: Add logical CPU indexing for RISC-V")
+Fixes: f99fb607fb2b ("RISC-V: Use Linux logical CPU number instead of hartid")
+Signed-off-by: Anup Patel
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/smp.c b/arch/riscv/kernel/smp.c
+index 5c9ec78422c2..098c04adbaaf 100644
+--- a/arch/riscv/kernel/smp.c
++++ b/arch/riscv/kernel/smp.c
+@@ -51,7 +51,7 @@ int riscv_hartid_to_cpuid(int hartid)
+ return i;
+
+ pr_err("Couldn't find cpu id for hartid [%d]\n", hartid);
+- return i;
++ return -ENOENT;
+ }
+
+ void riscv_cpuid_to_hartid_mask(const struct cpumask *in, struct cpumask *out)
+--
+2.30.2
+
diff --git a/queue-5.4/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch b/queue-5.4/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch
new file mode 100644
index 00000000000..1eca03e0736
--- /dev/null
+++ b/queue-5.4/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch
@@ -0,0 +1,39 @@
+From 22329bf8dd856c67fbb7517cf5eb1f325e16e98b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 6 Mar 2021 05:36:24 -0800
+Subject: rpmsg: qcom_glink_native: fix error return code of
+ qcom_glink_rx_data()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ]
+
+When idr_find() returns NULL to intent, no error return code of
+qcom_glink_rx_data() is assigned.
+To fix this bug, ret is assigned with -ENOENT in this case.
+
+Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data")
+Reported-by: TOTE Robot
+Signed-off-by: Jia-Ju Bai
+Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/rpmsg/qcom_glink_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index d5114abcde19..0f10b3f84705 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -857,6 +857,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, size_t avail)
+ dev_err(glink->dev,
+ "no intent found for channel %s intent %d",
+ channel->name, liid);
++ ret = -ENOENT;
+ goto advance_rx;
+ }
+ }
+--
+2.30.2
+
diff --git a/queue-5.4/rtc-ds1307-fix-wday-settings-for-rx8130.patch b/queue-5.4/rtc-ds1307-fix-wday-settings-for-rx8130.patch
new file mode 100644
index 00000000000..b772fe6f444
--- /dev/null
+++ b/queue-5.4/rtc-ds1307-fix-wday-settings-for-rx8130.patch
@@ -0,0 +1,53 @@ +From 502dd1b5babbc3a74c1182a29c7ce7c2f7ae24fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 11:39:17 +0900 +Subject: rtc: ds1307: Fix wday settings for rx8130 + +From: Nobuhiro Iwamatsu + +[ Upstream commit 204756f016726a380bafe619438ed979088bd04a ] + +rx8130 wday specifies the bit position, not BCD. + +Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE") +Signed-off-by: Nobuhiro Iwamatsu +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 1f7e8aefc1eb..99b93f56a2d5 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -265,7 +265,11 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t) + t->tm_min = bcd2bin(regs[DS1307_REG_MIN] & 0x7f); + tmp = regs[DS1307_REG_HOUR] & 0x3f; + t->tm_hour = bcd2bin(tmp); +- t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1; ++ /* rx8130 is bit position, not BCD */ ++ if (ds1307->type == rx_8130) ++ t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f); ++ else ++ t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1; + t->tm_mday = bcd2bin(regs[DS1307_REG_MDAY] & 0x3f); + tmp = regs[DS1307_REG_MONTH] & 0x1f; + t->tm_mon = bcd2bin(tmp) - 1; +@@ -312,7 +316,11 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t) + regs[DS1307_REG_SECS] = bin2bcd(t->tm_sec); + regs[DS1307_REG_MIN] = bin2bcd(t->tm_min); + regs[DS1307_REG_HOUR] = bin2bcd(t->tm_hour); +- regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1); ++ /* rx8130 is bit position, not BCD */ ++ if (ds1307->type == rx_8130) ++ regs[DS1307_REG_WDAY] = 1 << t->tm_wday; ++ else ++ regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1); + regs[DS1307_REG_MDAY] = bin2bcd(t->tm_mday); + regs[DS1307_REG_MONTH] = 
bin2bcd(t->tm_mon + 1); + +-- +2.30.2 + diff --git a/queue-5.4/rtc-fsl-ftm-alarm-add-module_table.patch b/queue-5.4/rtc-fsl-ftm-alarm-add-module_table.patch new file mode 100644 index 00000000000..337e17bfa51 --- /dev/null +++ b/queue-5.4/rtc-fsl-ftm-alarm-add-module_table.patch @@ -0,0 +1,36 @@ +From 1026edd6f1f9b79f7b753f7d6cbc9250df954353 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 10:40:06 +0200 +Subject: rtc: fsl-ftm-alarm: add MODULE_TABLE() + +From: Michael Walle + +[ Upstream commit 7fcb86185978661c9188397d474f90364745b8d9 ] + +The module doesn't load automatically. Fix it by adding the missing +MODULE_TABLE(). + +Fixes: 7b0b551dbc1e ("rtc: fsl-ftm-alarm: add FTM alarm driver") +Signed-off-by: Michael Walle +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.cc +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-fsl-ftm-alarm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-fsl-ftm-alarm.c b/drivers/rtc/rtc-fsl-ftm-alarm.c +index 8df2075af9a2..835695bedaac 100644 +--- a/drivers/rtc/rtc-fsl-ftm-alarm.c ++++ b/drivers/rtc/rtc-fsl-ftm-alarm.c +@@ -316,6 +316,7 @@ static const struct of_device_id ftm_rtc_match[] = { + { .compatible = "fsl,lx2160a-ftm-alarm", }, + { }, + }; ++MODULE_DEVICE_TABLE(of, ftm_rtc_match); + + static struct platform_driver ftm_rtc_driver = { + .probe = ftm_rtc_probe, +-- +2.30.2 + diff --git a/queue-5.4/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch b/queue-5.4/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch new file mode 100644 index 00000000000..aa654d1979e --- /dev/null +++ b/queue-5.4/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch 
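Review bot: The rx8130 read path in ds1307_get_time() does not invert the write path in ds1307_set_time(): the write stores `1 << t->tm_wday`, while the read uses `fls(regs[DS1307_REG_WDAY] & 0x7f)`, and the kernel's fls() is 1-based (fls(1) == 1) as far as I can tell. A stored Sunday (0) would then read back as 1 and Saturday as 7, which is outside the 0..6 range of tm_wday. Subtracting one, `t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f) - 1;`, makes the two hunks symmetric, with an all-zero register then needing its own handling. The write path also shifts by an unchecked `t->tm_wday`; if callers do not guarantee 0..6 (not visible here), a range check before `1 << t->tm_wday` is worth adding. Both functions start and end outside their hunks.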
@@ -0,0 +1,49 @@
+From 30aec8ab097b785f9a58d0b56e47eb1ccbf37fdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Apr 2021 23:48:03 +0800
+Subject: samples/bpf: Fix broken tracex1 due to kprobe argument change
+
+From: Yaqi Chen
+
+[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ]
+
+>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by
+reference"), the first argument passed into __netif_receive_skb_core
+has changed to reference of a skb pointer.
+
+This commit fixes by using bpf_probe_read_kernel.
+
+Signed-off-by: Yaqi Chen
+Signed-off-by: Alexei Starovoitov
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/tracex1_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
+index 107da148820f..9c74b45c5720 100644
+--- a/samples/bpf/tracex1_kern.c
++++ b/samples/bpf/tracex1_kern.c
+@@ -20,7 +20,7 @@
+ SEC("kprobe/__netif_receive_skb_core")
+ int bpf_prog1(struct pt_regs *ctx)
+ {
+- /* attaches to kprobe netif_receive_skb,
++ /* attaches to kprobe __netif_receive_skb_core,
+ * looks for packets on loobpack device and prints them
+ */
+ char devname[IFNAMSIZ];
+@@ -29,7 +29,7 @@ int bpf_prog1(struct pt_regs *ctx)
+ int len;
+
+ /* non-portable! works for the given kernel only */
+- skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
++ bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));
+ dev = _(skb->dev);
+ len = _(skb->len);
+
+--
+2.30.2
+
diff --git a/queue-5.4/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch b/queue-5.4/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch
new file mode 100644
index 00000000000..f0e462012ea
--- /dev/null
+++ b/queue-5.4/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch
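Review bot: `bpf_probe_read_kernel()` is, as far as I recall, a helper that was introduced after the 5.4 release, so this backport needs a check that the 5.4 tree's sample helper headers and the target kernel actually provide it. If they do not, the equivalent line is `bpf_probe_read(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));`. The helper's return value is also ignored, so a failed read is not distinguished from a successful one before `_(skb->dev)` and `_(skb->len)` run; a short comment saying that this is acceptable for a sample would help. bpf_prog1() continues past the hunk.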
@@ -0,0 +1,123 @@ +From da1264ebef092b01974c4ca214928bdfb67b8ef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 16:19:50 +0200 +Subject: sched/fair: Fix unfairness caused by missing load decay + +From: Odin Ugedal + +[ Upstream commit 0258bdfaff5bd13c4d2383150b7097aecd6b6d82 ] + +This fixes an issue where old load on a cfs_rq is not properly decayed, +resulting in strange behavior where fairness can decrease drastically. +Real workloads with equally weighted control groups have ended up +getting a respective 99% and 1%(!!) of cpu time. + +When an idle task is attached to a cfs_rq by attaching a pid to a cgroup, +the old load of the task is attached to the new cfs_rq and sched_entity by +attach_entity_cfs_rq. If the task is then moved to another cpu (and +therefore cfs_rq) before being enqueued/woken up, the load will be moved +to cfs_rq->removed from the sched_entity. Such a move will happen when +enforcing a cpuset on the task (eg. via a cgroup) that force it to move. + +The load will however not be removed from the task_group itself, making +it look like there is a constant load on that cfs_rq. This causes the +vruntime of tasks on other sibling cfs_rq's to increase faster than they +are supposed to; causing severe fairness issues. If no other task is +started on the given cfs_rq, and due to the cpuset it would not happen, +this load would never be properly unloaded. With this patch the load +will be properly removed inside update_blocked_averages. This also +applies to tasks moved to the fair scheduling class and moved to another +cpu, and this path will also fix that. For fork, the entity is queued +right away, so this problem does not affect that. 
+ +This applies to cases where the new process is the first in the cfs_rq, +issue introduced 3d30544f0212 ("sched/fair: Apply more PELT fixes"), and +when there has previously been load on the cgroup but the cgroup was +removed from the leaflist due to having null PELT load, indroduced +in 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing +path"). + +For a simple cgroup hierarchy (as seen below) with two equally weighted +groups, that in theory should get 50/50 of cpu time each, it often leads +to a load of 60/40 or 70/30. + +parent/ + cg-1/ + cpu.weight: 100 + cpuset.cpus: 1 + cg-2/ + cpu.weight: 100 + cpuset.cpus: 1 + +If the hierarchy is deeper (as seen below), while keeping cg-1 and cg-2 +equally weighted, they should still get a 50/50 balance of cpu time. +This however sometimes results in a balance of 10/90 or 1/99(!!) between +the task groups. + +$ ps u -C stress +USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND +root 18568 1.1 0.0 3684 100 pts/12 R+ 13:36 0:00 stress --cpu 1 +root 18580 99.3 0.0 3684 100 pts/12 R+ 13:36 0:09 stress --cpu 1 + +parent/ + cg-1/ + cpu.weight: 100 + sub-group/ + cpu.weight: 1 + cpuset.cpus: 1 + cg-2/ + cpu.weight: 100 + sub-group/ + cpu.weight: 10000 + cpuset.cpus: 1 + +This can be reproduced by attaching an idle process to a cgroup and +moving it to a given cpuset before it wakes up. The issue is evident in +many (if not most) container runtimes, and has been reproduced +with both crun and runc (and therefore docker and all its "derivatives"), +and with both cgroup v1 and v2. 
+ +Fixes: 3d30544f0212 ("sched/fair: Apply more PELT fixes") +Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path") +Signed-off-by: Odin Ugedal +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20210501141950.23622-2-odin@uged.al +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 93ab546b6e16..092aa5e47251 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10146,16 +10146,22 @@ static void propagate_entity_cfs_rq(struct sched_entity *se) + { + struct cfs_rq *cfs_rq; + ++ list_add_leaf_cfs_rq(cfs_rq_of(se)); ++ + /* Start to propagate at parent */ + se = se->parent; + + for_each_sched_entity(se) { + cfs_rq = cfs_rq_of(se); + +- if (cfs_rq_throttled(cfs_rq)) +- break; ++ if (!cfs_rq_throttled(cfs_rq)){ ++ update_load_avg(cfs_rq, se, UPDATE_TG); ++ list_add_leaf_cfs_rq(cfs_rq); ++ continue; ++ } + +- update_load_avg(cfs_rq, se, UPDATE_TG); ++ if (list_add_leaf_cfs_rq(cfs_rq)) ++ break; + } + } + #else +-- +2.30.2 + diff --git a/queue-5.4/sched-fix-out-of-bound-access-in-uclamp.patch b/queue-5.4/sched-fix-out-of-bound-access-in-uclamp.patch new file mode 100644 index 00000000000..afbf0962446 --- /dev/null +++ b/queue-5.4/sched-fix-out-of-bound-access-in-uclamp.patch 
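Review bot: The rewritten loop in propagate_entity_cfs_rq() has no comment explaining why a throttled cfs_rq no longer ends the walk immediately, and `if (!cfs_rq_throttled(cfs_rq)){` is missing the space before the brace that kernel style expects. I would add a comment above the second test, e.g. `/* throttled: keep walking only until the leaf list is connected again */`, assuming that is what a true return from list_add_leaf_cfs_rq() means, which this hunk does not show. The return value of the other two list_add_leaf_cfs_rq() calls is ignored; that looks deliberate but is worth stating in the same comment.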
@@ -0,0 +1,49 @@
+From fb3df8439e4a5c561ba0e751e5127f86522e2faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 15:14:12 +0000
+Subject: sched: Fix out-of-bound access in uclamp
+
+From: Quentin Perret
+
+[ Upstream commit 6d2f8909a5fabb73fe2a63918117943986c39b6c ]
+
+Util-clamp places tasks in different buckets based on their clamp values
+for performance reasons. However, the size of buckets is currently
+computed using a rounding division, which can lead to an off-by-one
+error in some configurations.
+
+For instance, with 20 buckets, the bucket size will be 1024/20=51. A
+task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly,
+correct indexes are in range [0,19], hence leading to an out of bound
+memory access.
+
+Clamp the bucket id to fix the issue.
+
+Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting")
+Suggested-by: Qais Yousef
+Signed-off-by: Quentin Perret
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Vincent Guittot
+Reviewed-by: Dietmar Eggemann
+Link: https://lkml.kernel.org/r/20210430151412.160913-1-qperret@google.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 2ce61018e33b..a3e95d7779e1 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -820,7 +820,7 @@ DEFINE_STATIC_KEY_FALSE(sched_uclamp_used);
+
+ static inline unsigned int uclamp_bucket_id(unsigned int clamp_value)
+ {
+- return clamp_value / UCLAMP_BUCKET_DELTA;
++ return min_t(unsigned int, clamp_value / UCLAMP_BUCKET_DELTA, UCLAMP_BUCKETS - 1);
+ }
+
+ static inline unsigned int uclamp_bucket_base_value(unsigned int clamp_value)
+--
+2.30.2
+
diff --git a/queue-5.4/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch b/queue-5.4/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch
new file mode 100644
index 00000000000..92760c8bcb2
--- /dev/null
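Review bot: The bound added in uclamp_bucket_id() carries no comment saying why it is needed, and the single return line now runs well past 80 columns. A comment above the return, e.g. `/* UCLAMP_BUCKET_DELTA comes from a rounded division, so the top clamp value can map one past the last bucket */`, keeps the `min_t()` from being removed later as redundant. Splitting the call after the second argument would bring the line back within the usual width.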
+++ b/queue-5.4/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch 
@@ -0,0 +1,96 @@ +From fdd6355f9a7e15de948b5a0dbe7f751cbae76e6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 04:02:58 +0800 +Subject: sctp: do asoc update earlier in sctp_sf_do_dupcook_a + +From: Xin Long + +[ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] + +There's a panic that occurs in a few of envs, the call trace is as below: + + [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI + [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] + [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] + [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] + [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] + [] sctp_do_sm+0xc3/0x2a0 [sctp] + [] sctp_generate_timeout_event+0x81/0xf0 [sctp] + +This is caused by a transport use-after-free issue. When processing a +duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK +and SHUTDOWN chunks are allocated with the transort from the new asoc. +However, later in the sideeffect machine, the old asoc is used to send +them out and old asoc's shutdown_last_sent_to is set to the transport +that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually +belongs to the new asoc. After the new_asoc is freed and the old asoc +T2 timeout, the old asoc's shutdown_last_sent_to that is already freed +would be accessed in sctp_sf_t2_timer_expire(). + +Thanks Alexander and Jere for helping dig into this issue. + +To fix it, this patch is to do the asoc update first, then allocate +the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This +would make more sense, as a chunk from an asoc shouldn't be sent out +with another asoc. We had fixed quite a few issues caused by this. 
+ +Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") +Reported-by: Alexander Sverdlin +Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com +Reported-by: Michal Tesar +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 84138a07e936..72e4eaffacdb 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( + SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); + sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); + +- repl = sctp_make_cookie_ack(new_asoc, chunk); ++ /* Update the content of current association. */ ++ if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { ++ struct sctp_chunk *abort; ++ ++ abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); ++ if (abort) { ++ sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); ++ } ++ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, ++ SCTP_PERR(SCTP_ERROR_RSRC_LOW)); ++ SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); ++ SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); ++ goto nomem; ++ } ++ ++ repl = sctp_make_cookie_ack(asoc, chunk); + if (!repl) + goto nomem; + + /* Report association restart to upper layer. */ + ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, +- new_asoc->c.sinit_num_ostreams, +- new_asoc->c.sinit_max_instreams, ++ asoc->c.sinit_num_ostreams, ++ asoc->c.sinit_max_instreams, + NULL, GFP_ATOMIC); + if (!ev) + goto nomem_ev; + +- /* Update the content of current association. 
*/ +- sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); + if ((sctp_state(asoc, SHUTDOWN_PENDING) || + sctp_state(asoc, SHUTDOWN_SENT)) && +-- +2.30.2 + diff --git a/queue-5.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch b/queue-5.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch new file mode 100644 index 00000000000..869ead974ad --- /dev/null +++ b/queue-5.4/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch 
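Review bot: `sctp_assoc_update((struct sctp_association *)asoc, new_asoc)` casts away the const on `asoc` and mutates the association directly inside the state function, where the removed `SCTP_CMD_UPDATE_ASSOC` line deferred the update to the command queue. That is the point of the fix, but the cast deserves a comment, e.g. `/* update asoc now so every chunk built below belongs to asoc, never to new_asoc */`. On the failure branch an ABORT is queued with SCTP_CMD_REPLY and control then jumps to `nomem`; that label is outside the hunk, so it needs confirming that the commands queued before the jump are still handled correctly when the function reports out-of-memory. sctp_sf_do_dupcook_a() starts and ends outside the hunk.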
@@ -0,0 +1,52 @@ +From d16f5b23e2de79cb7a01041e31479871790efbd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 04:41:20 +0800 +Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b + +From: Xin Long + +[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ] + +Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into +ESTABLISHED from the state < ESTABLISHED and decremented when the asoc +is being deleted. + +However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to +ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment +SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB +multiple times but only decrement once at the end. + +I was able to reproduce it by using scapy to do the 4-way shakehands, +after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field +changed to different values, and SCTP_MIB_CURRESTAB was incremented +multiple times and never went back to 0 even when the asoc was freed. + +This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when +the state < ESTABLISHED in sctp_sf_do_dupcook_b(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 72e4eaffacdb..82a202d71a31 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1933,7 +1933,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b( + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_ESTABLISHED)); +- SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); ++ if (asoc->state < SCTP_STATE_ESTABLISHED) ++ SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); + sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); + + repl = sctp_make_cookie_ack(new_asoc, chunk); +-- +2.30.2 + diff --git a/queue-5.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch b/queue-5.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch new file mode 100644 index 00000000000..0217173d06b --- /dev/null +++ b/queue-5.4/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch 
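Review bot: The new `if (asoc->state < SCTP_STATE_ESTABLISHED)` test in sctp_sf_do_dupcook_b() sits after the SCTP_CMD_NEW_STATE command has been added, so it is only correct if queued commands have not yet been applied to `asoc` at that point; the hunk relies on that without saying so. A one-line comment above the test, e.g. `/* asoc->state is still the pre-transition state here; queued commands run later */`, would keep a later reordering from silently re-introducing the counter leak. The function continues outside the hunk.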
@@ -0,0 +1,44 @@
+From 2d5218f2f21cdb988f0bef2c2260260dcf3e8e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Apr 2021 14:12:36 -0500
+Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]
+
+Fix the following out-of-bounds warning:
+
+net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index d5eda966a706..4ffb9116b6f2 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -3134,7 +3134,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ * primary.
+ */
+ if (af->is_any(&addr))
+- memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
++ memcpy(&addr, sctp_source(asconf), sizeof(addr));
+
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_SET_PRIMARY,
+--
+2.30.2
+
diff --git a/queue-5.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch b/queue-5.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
new file mode 100644
index 00000000000..4025cb100b6
--- /dev/null
+++ b/queue-5.4/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
@@ -0,0 +1,42 @@
+From 84c1a804b3023ff91163b1e7414c21b77841d71e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Apr 2021 08:34:13 -0700
+Subject: selftests: Set CC to clang in lib.mk if LLVM is set
+
+From: Yonghong Song
+
+[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ]
+
+selftests/bpf/Makefile includes lib.mk. With the following command
+ make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel
+ make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1
+some files are still compiled with gcc. This patch
+fixed lib.mk issue which sets CC to gcc in all cases.
+
+Signed-off-by: Yonghong Song
+Signed-off-by: Alexei Starovoitov
+Acked-by: Andrii Nakryiko
+Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/lib.mk | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index 3ed0134a764d..67386aa3f31d 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -1,6 +1,10 @@
+ # This mimics the top-level Makefile. We do it explicitly here so that this
+ # Makefile can operate with or without the kbuild infrastructure.
++ifneq ($(LLVM),)
++CC := clang
++else
+ CC := $(CROSS_COMPILE)gcc
++endif
+
+ ifeq (0,$(MAKELEVEL))
+ ifeq ($(OUTPUT),)
+--
+2.30.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 1605f97c83c..2b40fe28757 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -3,3 +3,92 @@ tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch kvm-x86-mmu-remove-the-defunct-update_pte-paging-hook.patch pm-runtime-fix-unpaired-parent-child_count-for-force_resume.patch +fs-dlm-fix-debugfs-dump.patch +tipc-convert-dest-node-s-address-to-network-order.patch +asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch +net-stmmac-set-fifo-sizes-for-ipq806x.patch +asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch +i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch +alsa-hdsp-don-t-disable-if-not-enabled.patch +alsa-hdspm-don-t-disable-if-not-enabled.patch +alsa-rme9652-don-t-disable-if-not-enabled.patch +alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch +bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch +bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch +net-bridge-when-suppression-is-enabled-exclude-rarp-.patch +bluetooth-check-for-zapped-sk-before-connecting.patch +ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch +asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch +i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch +mac80211-clear-the-beacon-s-crc-after-channel-switch.patch +pinctrl-samsung-use-int-for-register-masks-in-exynos.patch +mt76-mt76x0-disable-gtk-offloading.patch +cuse-prevent-clone.patch +asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch +revert-iommu-amd-fix-performance-counter-initializat.patch +iommu-amd-remove-performance-counter-pre-initializat.patch +drm-amd-display-force-vsync-flip-when-reconfiguring-.patch +selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch +kconfig-nconf-stop-endless-search-loops.patch +alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch +sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch +flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch +powerpc-smp-set-numa-node-before-updating-mask.patch 
+asoc-rt286-generalize-support-for-alc3263-codec.patch +ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch +net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch +samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch +powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch +drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch +qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch +powerpc-iommu-annotate-nested-lock-for-lockdep.patch +iavf-remove-duplicate-free-resources-calls.patch +net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch +bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch +ia64-module-fix-symbolizer-crash-on-fdescr.patch +asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch +thermal-thermal_of-fix-error-return-code-of-thermal_.patch +f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch +pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch +pci-release-of-node-in-pci_scan_device-s-error-path.patch +arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch +rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch +nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch +nfs-deal-correctly-with-attribute-generation-counter.patch +pci-endpoint-fix-missing-destroy_workqueue.patch +pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch +nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch +rtc-fsl-ftm-alarm-add-module_table.patch +ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch +rtc-ds1307-fix-wday-settings-for-rx8130.patch +net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch +net-hns3-initialize-the-message-content-in-hclge_get.patch +net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch +net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch +net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch +net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch 
+sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch +risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch +sunrpc-fix-misplaced-barrier-in-call_decode.patch +ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch +sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch +netfilter-xt_secmark-add-new-revision-to-fix-structu.patch +drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch +drm-radeon-avoid-power-table-parsing-memory-leaks.patch +khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch +mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch +mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch +ksm-fix-potential-missing-rmap_item-for-stable_node.patch +net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch +smc-disallow-tcp_ulp-in-smc_setsockopt.patch +netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch +can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch +sched-fix-out-of-bound-access-in-uclamp.patch +sched-fair-fix-unfairness-caused-by-missing-load-dec.patch +kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch +netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch +i40e-fix-use-after-free-in-i40e_client_subtask.patch +i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch +i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch diff --git a/queue-5.4/smc-disallow-tcp_ulp-in-smc_setsockopt.patch b/queue-5.4/smc-disallow-tcp_ulp-in-smc_setsockopt.patch new file mode 100644 index 00000000000..8f114b772e3 --- /dev/null +++ b/queue-5.4/smc-disallow-tcp_ulp-in-smc_setsockopt.patch 
@@ -0,0 +1,55 @@
+From e3625a14ce2c8c8d324e72c1bb9151a7708d461c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 May 2021 12:40:48 -0700
+Subject: smc: disallow TCP_ULP in smc_setsockopt()
+
+From: Cong Wang
+
+[ Upstream commit 8621436671f3a4bba5db57482e1ee604708bf1eb ]
+
+syzbot is able to setup kTLS on an SMC socket which coincidentally
+uses sk_user_data too. Later, kTLS treats it as psock so triggers a
+refcnt warning. The root cause is that smc_setsockopt() simply calls
+TCP setsockopt() which includes TCP_ULP. I do not think it makes
+sense to setup kTLS on top of SMC sockets, so we should just disallow
+this setup.
+
+It is hard to find a commit to blame, but we can apply this patch
+since the beginning of TCP_ULP.
+
+Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
+Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
+Cc: John Fastabend
+Signed-off-by: Karsten Graul
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/smc/af_smc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index dc09a72f8110..51986f7ead81 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1709,6 +1709,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+ struct smc_sock *smc;
+ int val, rc;
+
++ if (level == SOL_TCP && optname == TCP_ULP)
++ return -EOPNOTSUPP;
++
+ smc = smc_sk(sk);
+
+ /* generic setsockopts reaching us here always apply to the
+@@ -1730,7 +1733,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+ if (rc || smc->use_fallback)
+ goto out;
+ switch (optname) {
+- case TCP_ULP:
+ case TCP_FASTOPEN:
+ case TCP_FASTOPEN_CONNECT:
+ case TCP_FASTOPEN_KEY:
+--
+2.30.2
+
diff --git a/queue-5.4/sunrpc-fix-misplaced-barrier-in-call_decode.patch b/queue-5.4/sunrpc-fix-misplaced-barrier-in-call_decode.patch
new file mode 100644
index 00000000000..aba2b44bb28
--- /dev/null
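Review bot: The early `return -EOPNOTSUPP;` for TCP_ULP at the top of smc_setsockopt() has no comment, so the reason the option is refused lives only in the commit message. I would add `/* kTLS and SMC both use sk_user_data; never let a ULP be stacked on an SMC socket */` above the test. The check covers this entry point only; whether the option can reach the underlying TCP socket by another path is not visible in these hunks and is worth confirming. smc_setsockopt() starts before the first hunk and ends after the second.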
+++ b/queue-5.4/sunrpc-fix-misplaced-barrier-in-call_decode.patch 
@@ -0,0 +1,68 @@
+From d34390948374f5671720d840b14d29a0e98fe209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 May 2021 14:10:51 +1000
+Subject: sunrpc: Fix misplaced barrier in call_decode
+
+From: Baptiste Lepers
+
+[ Upstream commit f8f7e0fb22b2e75be55f2f0c13e229e75b0eac07 ]
+
+Fix a misplaced barrier in call_decode. The struct rpc_rqst is modified
+as follows by xprt_complete_rqst:
+
+req->rq_private_buf.len = copied;
+/* Ensure all writes are done before we update */
+/* req->rq_reply_bytes_recvd */
+smp_wmb();
+req->rq_reply_bytes_recvd = copied;
+
+And currently read as follows by call_decode:
+
+smp_rmb(); // misplaced
+if (!req->rq_reply_bytes_recvd)
+ goto out;
+req->rq_rcv_buf.len = req->rq_private_buf.len;
+
+This patch places the smp_rmb after the if to ensure that
+rq_reply_bytes_recvd and rq_private_buf.len are read in order.
+
+Fixes: 9ba828861c56a ("SUNRPC: Don't try to parse incomplete RPC messages")
+Signed-off-by: Baptiste Lepers
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/clnt.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index f1088ca39d44..b6039642df67 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2505,12 +2505,6 @@ call_decode(struct rpc_task *task)
+ task->tk_flags &= ~RPC_CALL_MAJORSEEN;
+ }
+
+- /*
+- * Ensure that we see all writes made by xprt_complete_rqst()
+- * before it changed req->rq_reply_bytes_recvd.
+- */
+- smp_rmb();
+-
+ /*
+ * Did we ever call xprt_complete_rqst()? If not, we should assume
+ * the message is incomplete.
+@@ -2519,6 +2513,11 @@ call_decode(struct rpc_task *task)
+ if (!req->rq_reply_bytes_recvd)
+ goto out;
+
++ /* Ensure that we see all writes made by xprt_complete_rqst()
++ * before it changed req->rq_reply_bytes_recvd.
++ */
++ smp_rmb();
++
+ req->rq_rcv_buf.len = req->rq_private_buf.len;
+
+ /* Check that the softirq receive buffer is valid */
+--
+2.30.2
+
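Review bot: The relocated barrier comment in `call_decode()` still does not name the write barrier it pairs with, which is what a reader needs in order to check the ordering. Something like `/* Pairs with smp_wmb() in xprt_complete_rqst(): read rq_reply_bytes_recvd before rq_private_buf.len */` would state both sides. The added comment also opens with `/* Ensure` while the comment a few lines above it in the same function opens with a bare `/*` line, so the two styles now sit side by side. The load of `req->rq_reply_bytes_recvd` is a plain access; whether it should be `READ_ONCE()` depends on how the writer is annotated, which is outside this hunk.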
diff --git a/queue-5.4/thermal-thermal_of-fix-error-return-code-of-thermal_.patch b/queue-5.4/thermal-thermal_of-fix-error-return-code-of-thermal_.patch
new file mode 100644
index 00000000000..be0f4e38080
--- /dev/null
+++ b/queue-5.4/thermal-thermal_of-fix-error-return-code-of-thermal_.patch
@@ -0,0 +1,53 @@
+From 255918129d51c48f7d36f963a0c23dfc6a6adbd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Mar 2021 04:24:23 -0800
+Subject: thermal: thermal_of: Fix error return code of
+ thermal_of_populate_bind_params()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 45c7eaeb29d67224db4ba935deb575586a1fda09 ]
+
+When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args()
+returns zero or -ENOENT to count, no error return code of
+thermal_of_populate_bind_params() is assigned.
+To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these
+cases, respectively.
+
+Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map")
+Reported-by: TOTE Robot
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20210310122423.3266-1-baijiaju1990@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/of-thermal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
+index dc5093be553e..68d0c181ec7b 100644
+--- a/drivers/thermal/of-thermal.c
++++ b/drivers/thermal/of-thermal.c
+@@ -712,14 +712,17 @@ static int thermal_of_populate_bind_params(struct device_node *np,
+
+ count = of_count_phandle_with_args(np, "cooling-device",
+ "#cooling-cells");
+- if (!count) {
++ if (count <= 0) {
+ pr_err("Add a cooling_device property with at least one device\n");
++ ret = -ENOENT;
+ goto end;
+ }
+
+ __tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);
+- if (!__tcbp)
++ if (!__tcbp) {
++ ret = -ENOMEM;
+ goto end;
++ }
+
+ for (i = 0; i < count; i++) {
+ ret = of_parse_phandle_with_args(np, "cooling-device",
+--
+2.30.2
+
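Review bot: With the test widened to `count <= 0`, a negative return from `of_count_phandle_with_args()` is now overwritten with `-ENOENT`, so any other errno that helper may produce is lost to the caller. Propagating it keeps the cause visible: `ret = count < 0 ? count : -ENOENT;`. The `pr_err()` text also describes only the empty-property case. The function starts and ends outside the hunk, so how `ret` is consumed after `end:` is not visible here.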
diff --git a/queue-5.4/tipc-convert-dest-node-s-address-to-network-order.patch b/queue-5.4/tipc-convert-dest-node-s-address-to-network-order.patch
new file mode 100644
index 00000000000..2bacfe5c2fb
--- /dev/null
+++ b/queue-5.4/tipc-convert-dest-node-s-address-to-network-order.patch
@@ -0,0 +1,41 @@
+From 1ea2ce82b5c70ca7311f960e13967845495658d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Mar 2021 10:33:22 +0700
+Subject: tipc: convert dest node's address to network order
+
+From: Hoang Le
+
+[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ]
+
+(struct tipc_link_info)->dest is in network order (__be32), so we must
+convert the value to network order before assigning. The problem detected
+by sparse:
+
+net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types)
+net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest
+net/tipc/netlink_compat.c:699:24: got int
+
+Acked-by: Jon Maloy
+Signed-off-by: Hoang Le
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 11be9a84f8de..561ea834f732 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -673,7 +673,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ if (err)
+ return err;
+
+- link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
++ link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]));
+ link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+ nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME],
+ TIPC_MAX_LINK_NAME);
+--
+2.30.2
+
diff --git a/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch b/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch
new file mode 100644
index 00000000000..e428047fb1c
--- /dev/null
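Review bot: `nla_get_flag()` only reports whether the attribute is present, so `link_info.dest` ends up as 0 or 1 in network order rather than a node address; the added `htonl()` satisfies sparse without changing that. If `TIPC_NLA_LINK_DEST` is emitted as a 32-bit value, the line would read `link_info.dest = htonl(nla_get_u32(link[TIPC_NLA_LINK_DEST]));`. The code that fills the attribute is not in this hunk, so the attribute type needs confirming before switching accessors. The `link_info.up` line below it is a genuine flag and is fine as written.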
+++ b/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch 
@@ -0,0 +1,286 @@
+From f6990f8069e6214c1b94fdd042572cc11258f531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Apr 2021 18:45:15 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]
+
+Fix the following out-of-bounds warnings by adding a new structure
+wl3501_req instead of duplicating the same members in structure
+wl3501_join_req and wl3501_scan_confirm:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_req {
+ u16 beacon_period; /* 0 2 */
+ u16 dtim_period; /* 2 2 */
+ u16 cap_info; /* 4 2 */
+ u8 bss_type; /* 6 1 */
+ u8 bssid[6]; /* 7 6 */
+ struct iw_mgmt_essid_pset ssid; /* 13 34 */
+ struct iw_mgmt_ds_pset ds_pset; /* 47 3 */
+ struct iw_mgmt_cf_pset cf_pset; /* 50 8 */
+ struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */
+ struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */
+
+ /* size: 72, cachelines: 2, members: 10 */
+ /* last cacheline: 8 bytes */
+};
+
+$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_join_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ struct iw_mgmt_data_rset operational_rset; /* 4 10 */
+ u16 reserved2; /* 14 2 */
+ u16 timeout; /* 16 2 */
+ u16 probe_delay; /* 18 2 */
+ u8 timestamp[8]; /* 20 8 */
+ u8 local_time[8]; /* 28 8 */
+ struct wl3501_req req; /* 36 72 */
+
+ /* size: 108, cachelines: 2, members: 10 */
+ /* last cacheline: 44 bytes */
+};
+
+$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
+struct wl3501_scan_confirm {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ u16 status; /* 4 2 */
+ char timestamp[8]; /* 6 8 */
+ char localtime[8]; /* 14 8 */
+ struct wl3501_req req; /* 22 72 */
+ /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
+ u8 rssi; /* 94 1 */
+
+ /* size: 96, cachelines: 2, members: 8 */
+ /* padding: 1 */
+ /* last cacheline: 32 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+bunch of struct members adjacent to each other in a single call to
+memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
+members is introduced, memcpy() doesn't overrun the length of
+&sig.beacon_period and &this->bss_set[i].beacon_period, because the
+address of the new struct object _req_ is used as the destination,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/wl3501.h | 35 +++++++++++--------------
+ drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index 077a934ae3b5..a10ee5a68012 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -379,16 +379,7 @@ struct wl3501_get_confirm {
+ u8 mib_value[100];
+ };
+
+-struct wl3501_join_req {
+- u16 next_blk;
+- u8 sig_id;
+- u8 reserved;
+- struct iw_mgmt_data_rset operational_rset;
+- u16 reserved2;
+- u16 timeout;
+- u16 probe_delay;
+- u8 timestamp[8];
+- u8 local_time[8];
++struct wl3501_req {
+ u16 beacon_period;
+ u16 dtim_period;
+ u16 cap_info;
+@@ -401,6 +392,19 @@ struct wl3501_join_req {
+ struct iw_mgmt_data_rset bss_basic_rset;
+ };
+
++struct wl3501_join_req {
++ u16 next_blk;
++ u8 sig_id;
++ u8 reserved;
++ struct iw_mgmt_data_rset operational_rset;
++ u16 reserved2;
++ u16 timeout;
++ u16 probe_delay;
++ u8 timestamp[8];
++ u8 local_time[8];
++ struct wl3501_req req;
++};
++
+ struct wl3501_join_confirm {
+ u16 next_blk;
+ u8 sig_id;
+@@ -443,16 +447,7 @@ struct wl3501_scan_confirm {
+ u16 status;
+ char timestamp[8];
+ char localtime[8];
+- u16 beacon_period;
+- u16 dtim_period;
+- u16 cap_info;
+- u8 bss_type;
+- u8 bssid[ETH_ALEN];
+- struct iw_mgmt_essid_pset ssid;
+- struct iw_mgmt_ds_pset ds_pset;
+- struct iw_mgmt_cf_pset cf_pset;
+- struct iw_mgmt_ibss_pset ibss_pset;
+- struct iw_mgmt_data_rset bss_basic_rset;
++ struct wl3501_req req;
+ u8 rssi;
+ };
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 96eb69678855..122d36439319 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -590,7 +590,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ struct wl3501_join_req sig = {
+ .sig_id = WL3501_SIG_JOIN_REQ,
+ .timeout = 10,
+- .ds_pset = {
++ .req.ds_pset = {
+ .el = {
+ .id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
+ .len = 1,
+@@ -599,7 +599,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ },
+ };
+
+- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
++ memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
+ return wl3501_esbq_exec(this, &sig, sizeof(sig));
+ }
+
+@@ -667,35 +667,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+ if (sig.status == WL3501_STATUS_SUCCESS) {
+ pr_debug("success");
+ if ((this->net_type == IW_MODE_INFRA &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+ (this->net_type == IW_MODE_ADHOC &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+ this->net_type == IW_MODE_AUTO) {
+ if (!this->essid.el.len)
+ matchflag = 1;
+ else if (this->essid.el.len == 3 &&
+ !memcmp(this->essid.essid, "ANY", 3))
+ matchflag = 1;
+- else if (this->essid.el.len != sig.ssid.el.len)
++ else if (this->essid.el.len != sig.req.ssid.el.len)
+ matchflag = 0;
+- else if (memcmp(this->essid.essid, sig.ssid.essid,
++ else if (memcmp(this->essid.essid, sig.req.ssid.essid,
+ this->essid.el.len))
+ matchflag = 0;
+ else
+ matchflag = 1;
+ if (matchflag) {
+ for (i = 0; i < this->bss_cnt; i++) {
+- if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
++ if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
++ sig.req.bssid)) {
+ matchflag = 0;
+ break;
+ }
+ }
+ }
+ if (matchflag && (i < 20)) {
+- memcpy(&this->bss_set[i].beacon_period,
+- &sig.beacon_period, 73);
++ memcpy(&this->bss_set[i].req,
++ &sig.req, sizeof(sig.req));
+ this->bss_cnt++;
+ this->rssi = sig.rssi;
++ this->bss_set[i].rssi = sig.rssi;
+ }
+ }
+ } else if (sig.status == WL3501_STATUS_TIMEOUT) {
+@@ -887,19 +889,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
+ if (this->join_sta_bss < this->bss_cnt) {
+ const int i = this->join_sta_bss;
+ memcpy(this->bssid,
+- this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_mgmt_auth(this);
+ }
+ } else {
+ const int i = this->join_sta_bss;
+
+- memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_online(dev);
+ }
+ } else {
+@@ -1575,30 +1577,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
+ for (i = 0; i < this->bss_cnt; ++i) {
+ iwe.cmd = SIOCGIWAP;
+ iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
+- memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
++ memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_ADDR_LEN);
+ iwe.cmd = SIOCGIWESSID;
+ iwe.u.data.flags = 1;
+- iwe.u.data.length = this->bss_set[i].ssid.el.len;
++ iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
+ current_ev = iwe_stream_add_point(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe,
+- this->bss_set[i].ssid.essid);
++ this->bss_set[i].req.ssid.essid);
+ iwe.cmd = SIOCGIWMODE;
+- iwe.u.mode = this->bss_set[i].bss_type;
++ iwe.u.mode = this->bss_set[i].req.bss_type;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_UINT_LEN);
+ iwe.cmd = SIOCGIWFREQ;
+- iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
++ iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
+ iwe.u.freq.e = 0;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_FREQ_LEN);
+ iwe.cmd = SIOCGIWENCODE;
+- if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
++ if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+ iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
+ else
+ iwe.u.data.flags = IW_ENCODE_DISABLED;
+--
+2.30.2
+
diff --git a/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch b/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
new file mode 100644
index 00000000000..bfd35ff1477
--- /dev/null
+++ b/queue-5.4/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
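Review bot: In `wl3501_mgmt_scan_confirm()` the copy into `this->bss_set[i].req` is still guarded by the literal `i < 20`, which has to be kept in step by hand with the array's declared size. The declaration of `bss_set` is not in the hunk; if it is a fixed array, `if (matchflag && i < ARRAY_SIZE(this->bss_set)) {` ties the bound to the type. Because the new `struct wl3501_req` has to keep the 72-byte layout shown in the commit message, a `BUILD_BUG_ON(sizeof(struct wl3501_req) != 72);` would catch an accidental layout change at build time. `wl3501_mgmt_join()` indexes `bss_set[stas]` with no range check visible in its hunk, so any bound on `stas` would have to come from the caller.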
@@ -0,0 +1,147 @@
+From adfde0528333101ad267b6ec8b5e059c33476d00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Apr 2021 18:43:19 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]
+
+Fix the following out-of-bounds warnings by enclosing structure members
+daddr and saddr into new struct addr, in structures wl3501_md_req and
+wl3501_md_ind:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 pri; /* 8 1 */
+ u8 service_class; /* 9 1 */
+ struct {
+ u8 daddr[6]; /* 10 6 */
+ u8 saddr[6]; /* 16 6 */
+ } addr; /* 10 12 */
+
+ /* size: 22, cachelines: 1, members: 8 */
+ /* last cacheline: 22 bytes */
+};
+
+$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_ind {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 reception; /* 8 1 */
+ u8 pri; /* 9 1 */
+ u8 service_class; /* 10 1 */
+ struct {
+ u8 daddr[6]; /* 11 6 */
+ u8 saddr[6]; /* 17 6 */
+ } addr; /* 11 12 */
+
+ /* size: 24, cachelines: 1, members: 9 */
+ /* padding: 1 */
+ /* last cacheline: 24 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+couple of arrays adjacent to each other in a single call to memcpy().
+Now that a new struct _addr_ enclosing those two adjacent arrays
+is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
+and &sig.daddr, because the address of the new struct object _addr_
+is used, instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot
+Reviewed-by: Kees Cook
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/wl3501.h | 12 ++++++++----
+ drivers/net/wireless/wl3501_cs.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index efdce9ae36ea..077a934ae3b5 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -471,8 +471,10 @@ struct wl3501_md_req {
+ u16 size;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_ind {
+@@ -484,8 +486,10 @@ struct wl3501_md_ind {
+ u8 reception;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_confirm {
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 007bf6803293..96eb69678855 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -469,6 +469,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ struct wl3501_md_req sig = {
+ .sig_id = WL3501_SIG_MD_REQ,
+ };
++ size_t sig_addr_len = sizeof(sig.addr);
+ u8 *pdata = (char *)data;
+ int rc = -EIO;
+
+@@ -484,9 +485,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ goto out;
+ }
+ rc = 0;
+- memcpy(&sig.daddr[0], pdata, 12);
+- pktlen = len - 12;
+- pdata += 12;
++ memcpy(&sig.addr, pdata, sig_addr_len);
++ pktlen = len - sig_addr_len;
++ pdata += sig_addr_len;
+ sig.data = bf;
+ if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
+ u8 addr4[ETH_ALEN] = {
+@@ -980,7 +981,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
+ } else {
+ skb->dev = dev;
+ skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
+- skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
++ skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
++ sizeof(sig.addr));
+ wl3501_receive(this, skb->data, pkt_len);
+ skb_put(skb, pkt_len);
+ skb->protocol = eth_type_trans(skb, dev);
+--
+2.30.2
+
--
2.47.3
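Review bot: In `wl3501_send_pkt()` the line `pktlen = len - sig_addr_len;` is now evaluated in `size_t`, so a `len` shorter than the 12-byte address block wraps to a very large value instead of going negative, and the `memcpy()` before it reads 12 bytes from `pdata` regardless of `len`. No length check is visible in the hunk; unless the caller guarantees a full Ethernet header, a guard such as `if (len < sig_addr_len) goto out;` placed before `rc = 0;` would reject the short frame with the existing `-EIO`. The function begins and ends outside the hunk, so the type of `pktlen` and any earlier validation need confirming.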