From d8fb99dbc934a600aa54806e3033ed8c33427610 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 28 Sep 2020 00:17:06 -0400 Subject: [PATCH] Fixes for 5.8 
Signed-off-by: Sasha Levin --- ...-asihpi-fix-iounmap-in-error-handler.patch | 59 +++++ ...missed-pci_disable_device-for-eni_in.patch | 36 +++ ...add-missing-include-for-in_interrupt.patch | 37 ++++ ...ix-type-misuse-for-backbone_gw-hash-.patch | 54 +++++ ...-fix-duplicate-mcast-packets-from-bl.patch | 205 +++++++++++++++++ ...-fix-duplicate-mcast-packets-in-bla-.patch | 206 ++++++++++++++++++ ...uplicate-mcast-packets-in-bla-.patch-11308 | 172 +++++++++++++++ ...-tt-fix-wrongly-dropped-or-rerouted-.patch | 59 +++++ ...u-warning-for-bpffs-map-pretty-print.patch | 74 +++++++ ...x-clobbering-of-r2-in-bpf_gen_ld_abs.patch | 66 ++++++ ...fg80211-fix-6-ghz-channel-conversion.patch | 37 ++++ ...ers-h8300_timer8-fix-wrong-return-va.patch | 41 ++++ ...ers-timer-ti-dm-do-reset-before-enab.patch | 121 ++++++++++ ...csc-secondary-csc-register-correctio.patch | 39 ++++ ...rm-vc4-vc4_hdmi-fill-asoc-card-owner.patch | 75 +++++++ ...-the-data-path-at-the-right-time-dur.patch | 63 ++++++ ...242-check-status-of-adf7242_read_reg.patch | 51 +++++ ...ne-possible-memleak-in-ca8210_dev_co.patch | 35 +++ ...sidering-the-tx-delay-for-timestamps.patch | 64 ++++++ ...-fix-wrong-timestamp-latency-numbers.patch | 58 +++++ ...openat-openat2-unified-prep-handling.patch | 56 +++++ ...d-a-dedicated-invd-intercept-routine.patch | 53 +++++ ...u-context-if-guest-toggles-cr4.smap-.patch | 52 +++++ ...et-direct-dependendices-config-warni.patch | 41 ++++ ...-failure-from-uninitialized-variable.patch | 52 +++++ ...disable-he-if-ht-is-missing-on-2.4-g.patch | 46 ++++ ...mhz-association-to-160-80-80-ap-on-6.patch | 45 ++++ .../mac802154-tx-fix-use-after-free.patch | 170 +++++++++++++++ ...issing-cpu_1074k-into-__get_cpu_type.patch | 36 +++ ...fix-fp-register-access-if-msa-enable.patch | 101 +++++++++ .../mm-validate-pmd-after-splitting.patch | 74 +++++++ ...ase-aes-key-storage-size-to-256-bits.patch | 80 +++++++ ...-mlx5e_fec_in_caps-returns-a-boolean.patch | 47 ++++ 
...t-qed-disable-arfs-for-npar-and-100g.patch | 98 +++++++++ ...a-personality-shouldn-t-fail-vf-load.patch | 36 +++ ...-qede-disable-arfs-for-npar-and-100g.patch | 77 +++++++ ...ack-nf_conncount_init-is-failing-wit.patch | 50 +++++ ...ink-add-a-range-check-for-l3-l4-prot.patch | 68 ++++++ ...ink-fix-mark-based-dump-filtering-re.patch | 83 +++++++ ...ta-use-socket-user_ns-to-retrieve-sk.patch | 40 ++++ ...onfig-dependency-warning-when-crypto.patch | 46 ++++ ...ra30-disable-clock-on-error-in-probe.patch | 46 ++++ ...-fix-ordering-of-cq-pool-destruction.patch | 69 ++++++ ...p-fix-page-selection-for-noinc-reads.patch | 84 +++++++ ...-fix-page-selection-for-noinc-writes.patch | 149 +++++++++++++ ...ulator-axp20x-fix-ldo2-4-description.patch | 59 +++++ queue-5.8/series | 51 +++++ ...-probe-regression-on-iproc-platforms.patch | 40 ++++ ...-use-xspi-mode-instead-of-dma-for-dp.patch | 60 +++++ queue-5.8/sunrpc-fix-svc_flush_dcache.patch | 57 +++++ ...id-counting-local-symbols-in-abi-che.patch | 76 +++++++ ...f-pinned-pages-umem-size-discrepancy.patch | 85 ++++++++ 52 files changed, 3679 insertions(+) create mode 100644 queue-5.8/alsa-asihpi-fix-iounmap-in-error-handler.patch create mode 100644 queue-5.8/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch create mode 100644 queue-5.8/batman-adv-add-missing-include-for-in_interrupt.patch create mode 100644 queue-5.8/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch create mode 100644 queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch create mode 100644 queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch create mode 100644 queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-11308 create mode 100644 queue-5.8/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch create mode 100644 queue-5.8/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch create mode 100644 queue-5.8/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch create mode 100644 
queue-5.8/cfg80211-fix-6-ghz-channel-conversion.patch create mode 100644 queue-5.8/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch create mode 100644 queue-5.8/clocksource-drivers-timer-ti-dm-do-reset-before-enab.patch create mode 100644 queue-5.8/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch create mode 100644 queue-5.8/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch create mode 100644 queue-5.8/hv_netvsc-switch-the-data-path-at-the-right-time-dur.patch create mode 100644 queue-5.8/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch create mode 100644 queue-5.8/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch create mode 100644 queue-5.8/igc-fix-not-considering-the-tx-delay-for-timestamps.patch create mode 100644 queue-5.8/igc-fix-wrong-timestamp-latency-numbers.patch create mode 100644 queue-5.8/io_uring-fix-openat-openat2-unified-prep-handling.patch create mode 100644 queue-5.8/kvm-svm-add-a-dedicated-invd-intercept-routine.patch create mode 100644 queue-5.8/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch create mode 100644 queue-5.8/lib80211-fix-unmet-direct-dependendices-config-warni.patch create mode 100644 queue-5.8/libbpf-fix-build-failure-from-uninitialized-variable.patch create mode 100644 queue-5.8/mac80211-do-not-disable-he-if-ht-is-missing-on-2.4-g.patch create mode 100644 queue-5.8/mac80211-fix-80-mhz-association-to-160-80-80-ap-on-6.patch create mode 100644 queue-5.8/mac802154-tx-fix-use-after-free.patch create mode 100644 queue-5.8/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch create mode 100644 queue-5.8/mips-loongson-3-fix-fp-register-access-if-msa-enable.patch create mode 100644 queue-5.8/mm-validate-pmd-after-splitting.patch create mode 100644 queue-5.8/mwifiex-increase-aes-key-storage-size-to-256-bits.patch create mode 100644 queue-5.8/net-mlx5e-mlx5e_fec_in_caps-returns-a-boolean.patch create mode 100644 queue-5.8/net-qed-disable-arfs-for-npar-and-100g.patch create mode 100644 
queue-5.8/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch create mode 100644 queue-5.8/net-qede-disable-arfs-for-npar-and-100g.patch create mode 100644 queue-5.8/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch create mode 100644 queue-5.8/netfilter-ctnetlink-add-a-range-check-for-l3-l4-prot.patch create mode 100644 queue-5.8/netfilter-ctnetlink-fix-mark-based-dump-filtering-re.patch create mode 100644 queue-5.8/netfilter-nft_meta-use-socket-user_ns-to-retrieve-sk.patch create mode 100644 queue-5.8/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch create mode 100644 queue-5.8/pm-devfreq-tegra30-disable-clock-on-error-in-probe.patch create mode 100644 queue-5.8/rdma-core-fix-ordering-of-cq-pool-destruction.patch create mode 100644 queue-5.8/regmap-fix-page-selection-for-noinc-reads.patch create mode 100644 queue-5.8/regmap-fix-page-selection-for-noinc-writes.patch create mode 100644 queue-5.8/regulator-axp20x-fix-ldo2-4-description.patch create mode 100644 queue-5.8/spi-bcm-qspi-fix-probe-regression-on-iproc-platforms.patch create mode 100644 queue-5.8/spi-spi-fsl-dspi-use-xspi-mode-instead-of-dma-for-dp.patch create mode 100644 queue-5.8/sunrpc-fix-svc_flush_dcache.patch create mode 100644 queue-5.8/tools-libbpf-avoid-counting-local-symbols-in-abi-che.patch create mode 100644 queue-5.8/xsk-fix-number-of-pinned-pages-umem-size-discrepancy.patch diff --git a/queue-5.8/alsa-asihpi-fix-iounmap-in-error-handler.patch b/queue-5.8/alsa-asihpi-fix-iounmap-in-error-handler.patch new file mode 100644 index 00000000000..e6926fcf4d7 --- /dev/null +++ b/queue-5.8/alsa-asihpi-fix-iounmap-in-error-handler.patch 
@@ -0,0 +1,59 @@
+From 6f77ede4789bf7743a09f5961a859adc547f4e53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Sep 2020 09:52:30 -0700
+Subject: ALSA: asihpi: fix iounmap in error handler
+
+From: Tom Rix
+
+[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ]
+
+clang static analysis flags this problem
+hpioctl.c:513:7: warning: Branch condition evaluates to
+ a garbage value
+ if (pci.ap_mem_base[idx]) {
+ ^~~~~~~~~~~~~~~~~~~~
+
+If there is a failure in the middle of the memory space loop,
+only some of the memory spaces need to be cleaned up.
+
+At the error handler, idx holds the number of successful
+memory spaces mapped. So rework the handler loop to use the
+old idx.
+
+There is a second problem, the memory space loop conditionally
+iomaps()/sets the mem_base so it is necessay to initize pci.
+
+Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards")
+Signed-off-by: Tom Rix
+Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/asihpi/hpioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
+index 496dcde9715d6..9790f5108a166 100644
+--- a/sound/pci/asihpi/hpioctl.c
++++ b/sound/pci/asihpi/hpioctl.c
+@@ -343,7 +343,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ struct hpi_message hm;
+ struct hpi_response hr;
+ struct hpi_adapter adapter;
+- struct hpi_pci pci;
++ struct hpi_pci pci = { 0 };
+
+ memset(&adapter, 0, sizeof(adapter));
+
+@@ -499,7 +499,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ return 0;
+
+ err:
+- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
++ while (--idx >= 0) {
+ if (pci.ap_mem_base[idx]) {
+ iounmap(pci.ap_mem_base[idx]);
+ pci.ap_mem_base[idx] = NULL;
+--
+2.25.1
+
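Review bot: The reworked unwind loop at `err:`, `while (--idx >= 0)`, is only correct if `idx` is a signed integer and holds the number of mapped memory spaces on every path that jumps to `err`. Neither the declaration of `idx` nor the other `goto err` sites are visible in this hunk, because asihpi_adapter_probe() starts and ends outside it. With an unsigned `idx` the condition would never become false and the loop would read `pci.ap_mem_base[]` out of bounds, so the backport should be checked against the declaration in the 5.8 tree. A short comment above the loop would record the invariant, for example `/* idx = number of memory spaces mapped so far; unmap those in reverse */`.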
diff --git a/queue-5.8/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch b/queue-5.8/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
new file mode 100644
index 00000000000..ad9e6490d3c
--- /dev/null
+++ b/queue-5.8/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
@@ -0,0 +1,36 @@
+From 0982709cd9d58a8c9af5b491c847ce096cf8031e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 10:51:03 +0800
+Subject: atm: eni: fix the missed pci_disable_device() for eni_init_one()
+
+From: Jing Xiangfeng
+
+[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ]
+
+eni_init_one() misses to call pci_disable_device() in an error path.
+Jump to err_disable to fix it.
+
+Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api")
+Signed-off-by: Jing Xiangfeng
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/atm/eni.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
+index 17d47ad03ab79..de50fb0541a20 100644
+--- a/drivers/atm/eni.c
++++ b/drivers/atm/eni.c
+@@ -2239,7 +2239,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
+
+ rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
+ if (rc < 0)
+- goto out;
++ goto err_disable;
+
+ rc = -ENOMEM;
+ eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
+--
+2.25.1
+
diff --git a/queue-5.8/batman-adv-add-missing-include-for-in_interrupt.patch b/queue-5.8/batman-adv-add-missing-include-for-in_interrupt.patch
new file mode 100644
index 00000000000..00dc44f9891
--- /dev/null
+++ b/queue-5.8/batman-adv-add-missing-include-for-in_interrupt.patch
@@ -0,0 +1,37 @@
+From b77cda1e2f45c3534de8c55b9a86dbea971b182e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 13:58:16 +0200
+Subject: batman-adv: Add missing include for in_interrupt()
+
+From: Sven Eckelmann
+
+[ Upstream commit 4bba9dab86b6ac15ca560ef1f2b5aa4529cbf784 ]
+
+The fix for receiving (internally generated) bla packets outside the
+interrupt context introduced the usage of in_interrupt(). But this
+functionality is only defined in linux/preempt.h which was not included
+with the same patch.
+
+Fixes: 279e89b2281a ("batman-adv: bla: use netif_rx_ni when not in interrupt context")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index e8e86e52d461a..f8c8c38e258a1 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.25.1
+
diff --git a/queue-5.8/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch b/queue-5.8/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
new file mode 100644
index 00000000000..beeb17e8ec5
--- /dev/null
+++ b/queue-5.8/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
@@ -0,0 +1,54 @@
+From f9684d7fbe6097dc4639816599b40e5ce702edb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Aug 2020 17:34:48 +0200
+Subject: batman-adv: bla: fix type misuse for backbone_gw hash indexing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ]
+
+It seems that due to a copy & paste error the void pointer
+in batadv_choose_backbone_gw() is cast to the wrong type.
+
+Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
+batadv_bla_claim" which better matches the caller's side.
+
+For now it seems that we were lucky because the two structs both have
+their orig/vid and addr/vid in the beginning. However I stumbled over
+this issue when I was trying to add some debug variables in front of
+"orig" in batadv_backbone_gw, which caused hash lookups to fail.
+
+Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index cfb9e16afe38a..e8e86e52d461a 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -83,11 +83,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
+ */
+ static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
+ {
+- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
++ const struct batadv_bla_backbone_gw *gw;
+ u32 hash = 0;
+
+- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
+- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
++ gw = (struct batadv_bla_backbone_gw *)data;
++ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
++ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
+
+ return hash % size;
+ }
+--
+2.25.1
+
diff --git a/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch
new file mode 100644
index 00000000000..69add76f578
--- /dev/null
+++ b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch
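Review bot: In batadv_choose_backbone_gw() the new assignment `gw = (struct batadv_bla_backbone_gw *)data;` casts away the `const` of `data` before the value is stored in a const-qualified pointer. C converts `const void *` to an object pointer implicitly, so the cast is unnecessary and `const struct batadv_bla_backbone_gw *gw = data;` keeps the qualifier and fits on the declaration line. The removed line had the same cast, so batadv_choose_claim() named in the hunk header may carry it too, but its body is outside the hunk.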
@@ -0,0 +1,205 @@
+From 6c35caa801414463cf07352d1c59cb7282102c34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Sep 2020 09:54:10 +0200
+Subject: batman-adv: mcast: fix duplicate mcast packets from BLA backbone to
+ mesh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 2369e827046920ef0599e6a36b975ac5c0a359c2 ]
+
+Scenario:
+* Multicast frame send from BLA backbone gateways (multiple nodes
+ with their bat0 bridged together, with BLA enabled) sharing the same
+ LAN to nodes in the mesh
+
+Issue:
+* Nodes receive the frame multiple times on bat0 from the mesh,
+ once from each foreign BLA backbone gateway which shares the same LAN
+ with another
+
+For multicast frames via batman-adv broadcast packets coming from the
+same BLA backbone but from different backbone gateways duplicates are
+currently detected via a CRC history of previously received packets.
+
+However this CRC so far was not performed for multicast frames received
+via batman-adv unicast packets. Fixing this by appyling the same check
+for such packets, too.
+
+Room for improvements in the future: Ideally we would introduce the
+possibility to not only claim a client, but a complete originator, too.
+This would allow us to only send a multicast-in-unicast packet from a BLA
+backbone gateway claiming the node and by that avoid potential redundant
+transmissions in the first place.
+
+Fixes: 279e89b2281a ("batman-adv: add broadcast duplicate check")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bridge_loop_avoidance.c | 103 +++++++++++++++++++++----
+ 1 file changed, 87 insertions(+), 16 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 164ba5706aa4e..8002a7f8f3fad 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1581,13 +1581,16 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
+ }
+
+ /**
+- * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
++ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup.
+ * @bat_priv: the bat priv with all the soft interface information
+- * @skb: contains the bcast_packet to be checked
++ * @skb: contains the multicast packet to be checked
++ * @payload_ptr: pointer to position inside the head buffer of the skb
++ * marking the start of the data to be CRC'ed
++ * @orig: originator mac address, NULL if unknown
+ *
+- * check if it is on our broadcast list. Another gateway might
+- * have sent the same packet because it is connected to the same backbone,
+- * so we have to remove this duplicate.
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
+ *
+ * This is performed by checking the CRC, which will tell us
+ * with a good chance that it is the same packet. If it is furthermore
+@@ -1596,19 +1599,17 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
+ *
+ * Return: true if a packet is in the duplicate list, false otherwise.
+ */
+-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+- struct sk_buff *skb)
++static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb, u8 *payload_ptr,
++ const u8 *orig)
+ {
+- int i, curr;
+- __be32 crc;
+- struct batadv_bcast_packet *bcast_packet;
+ struct batadv_bcast_duplist_entry *entry;
+ bool ret = false;
+-
+- bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ int i, curr;
++ __be32 crc;
+
+ /* calculate the crc ... */
+- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1));
++ crc = batadv_skb_crc32(skb, payload_ptr);
+
+ spin_lock_bh(&bat_priv->bla.bcast_duplist_lock);
+
+@@ -1627,8 +1628,21 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ if (entry->crc != crc)
+ continue;
+
+- if (batadv_compare_eth(entry->orig, bcast_packet->orig))
+- continue;
++ /* are the originators both known and not anonymous? */
++ if (orig && !is_zero_ether_addr(orig) &&
++ !is_zero_ether_addr(entry->orig)) {
++ /* If known, check if the new frame came from
++ * the same originator:
++ * We are safe to take identical frames from the
++ * same orig, if known, as multiplications in
++ * the mesh are detected via the (orig, seqno) pair.
++ * So we can be a bit more liberal here and allow
++ * identical frames from the same orig which the source
++ * host might have sent multiple times on purpose.
++ */
++ if (batadv_compare_eth(entry->orig, orig))
++ continue;
++ }
+
+ /* this entry seems to match: same crc, not too old,
+ * and from another gw. therefore return true to forbid it.
+@@ -1644,7 +1658,14 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ entry = &bat_priv->bla.bcast_duplist[curr];
+ entry->crc = crc;
+ entry->entrytime = jiffies;
+- ether_addr_copy(entry->orig, bcast_packet->orig);
++
++ /* known originator */
++ if (orig)
++ ether_addr_copy(entry->orig, orig);
++ /* anonymous originator */
++ else
++ eth_zero_addr(entry->orig);
++
+ bat_priv->bla.bcast_duplist_curr = curr;
+
+ out:
+@@ -1653,6 +1674,48 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ return ret;
+ }
+
++/**
++ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the multicast packet to be checked, decapsulated from a
++ * unicast_packet
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL);
++}
++
++/**
++ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the bcast_packet to be checked
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ struct batadv_bcast_packet *bcast_packet;
++ u8 *payload_ptr;
++
++ bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ payload_ptr = (u8 *)(bcast_packet + 1);
++
++ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr,
++ bcast_packet->orig);
++}
++
+ /**
+ * batadv_bla_is_backbone_gw_orig() - Check if the originator is a gateway for
+ * the VLAN identified by vid.
+@@ -1867,6 +1930,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ packet_type == BATADV_UNICAST)
+ goto handled;
+
++ /* potential duplicates from foreign BLA backbone gateways via
++ * multicast-in-unicast packets
++ */
++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
++ packet_type == BATADV_UNICAST &&
++ batadv_bla_check_ucast_duplist(bat_priv, skb))
++ goto handled;
++
+ ether_addr_copy(search_claim.addr, ethhdr->h_source);
+ search_claim.vid = vid;
+ claim = batadv_claim_hash_find(bat_priv, &search_claim);
+--
+2.25.1
+
diff --git a/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
new file mode 100644
index 00000000000..d258c932d03
--- /dev/null
+++ b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
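Review bot: batadv_bla_check_ucast_duplist() passes `orig` as NULL, so on the multicast-in-unicast path the same-originator exemption in batadv_bla_check_duplist() is skipped and a frame is dropped in batadv_bla_rx() on a CRC match with a recent entry alone. An identical frame that a source host sends twice on purpose is therefore treated as a duplicate here, which is the case the new comment explicitly allows for known originators, and a zeroed `entry->orig` stored by this path also disables the exemption for a later broadcast with the same CRC. The kernel-doc of batadv_bla_check_ucast_duplist() should state this, for example `* The originator is unknown on this path, so a CRC match is treated as a duplicate regardless of sender.`. The three kernel-doc blocks also share the summary `Check if a frame is in the broadcast dup.`, which is truncated and no longer tells the functions apart. The entry lifetime check and the head of the matching loop are outside the inner hunks.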
@@ -0,0 +1,206 @@
+From a42d873aa35a0c3a321bca5b58d06a7732971bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Sep 2020 09:54:08 +0200
+Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from
+ LAN
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 3236d215ad38a3f5372e65cd1e0a52cf93d3c6a2 ]
+
+Scenario:
+* Multicast frame send from a BLA backbone (multiple nodes with
+ their bat0 bridged together, with BLA enabled)
+
+Issue:
+* BLA backbone nodes receive the frame multiple times on bat0
+
+For multicast frames received via batman-adv broadcast packets the
+originator of the broadcast packet is checked before decapsulating and
+forwarding the frame to bat0 (batadv_bla_is_backbone_gw()->
+batadv_recv_bcast_packet()). If it came from a node which shares the
+same BLA backbone with us then it is not forwarded to bat0 to avoid a
+loop.
+
+When sending a multicast frame in a non-4-address batman-adv unicast
+packet we are currently missing this check - and cannot do so because
+the batman-adv unicast packet has no originator address field.
+
+However, we can simply fix this on the sender side by only sending the
+multicast frame via unicasts to interested nodes which do not share the
+same BLA backbone with us. This also nicely avoids some unnecessary
+transmissions on mesh side.
+
+Note that no infinite loop was observed, probably because of dropping
+via batadv_interface_tx()->batadv_bla_tx(). However the duplicates still
+utterly confuse switches/bridges, ICMPv6 duplicate address detection and
+neighbor discovery and therefore leads to long delays before being able
+to establish TCP connections, for instance. And it also leads to the Linux
+bridge printing messages like:
+"br-lan: received packet on eth1 with own address as source address ..."
+
+Fixes: 2d3f6ccc4ea5 ("batman-adv: Modified forwarding behaviour for multicast packets")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/multicast.c | 46 ++++++++++++++++++++++++++-------
+ net/batman-adv/multicast.h | 15 +++++++++++
+ net/batman-adv/soft-interface.c | 5 ++--
+ 3 files changed, 53 insertions(+), 13 deletions(-)
+
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index 9ebdc1e864b96..3aaa6612f8c9f 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -51,6 +51,7 @@
+ #include
+ #include
+
++#include "bridge_loop_avoidance.h"
+ #include "hard-interface.h"
+ #include "hash.h"
+ #include "log.h"
+@@ -1434,6 +1435,35 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ return BATADV_FORW_ALL;
+ }
+
++/**
++ * batadv_mcast_forw_send_orig() - send a multicast packet to an originator
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: the multicast packet to send
++ * @vid: the vlan identifier
++ * @orig_node: the originator to send the packet to
++ *
++ * Return: NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise.
++ */
++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node)
++{
++ /* Avoid sending multicast-in-unicast packets to other BLA
++ * gateways - they already got the frame from the LAN side
++ * we share with them.
++ * TODO: Refactor to take BLA into account earlier, to avoid
++ * reducing the mcast_fanout count.
++ */
++ if (batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig, vid)) {
++ dev_kfree_skb(skb);
++ return NET_XMIT_SUCCESS;
++ }
++
++ return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0,
++ orig_node, vid);
++}
++
+ /**
+ * batadv_mcast_forw_tt() - forwards a packet to multicast listeners
+ * @bat_priv: the bat priv with all the soft interface information
+@@ -1471,8 +1501,8 @@ batadv_mcast_forw_tt(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ break;
+ }
+
+- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0,
+- orig_entry->orig_node, vid);
++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid,
++ orig_entry->orig_node);
+ }
+ rcu_read_unlock();
+
+@@ -1513,8 +1543,7 @@ batadv_mcast_forw_want_all_ipv4(struct batadv_priv *bat_priv,
+ break;
+ }
+
+- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0,
+- orig_node, vid);
++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node);
+ }
+ rcu_read_unlock();
+ return ret;
+@@ -1551,8 +1580,7 @@ batadv_mcast_forw_want_all_ipv6(struct batadv_priv *bat_priv,
+ break;
+ }
+
+- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0,
+- orig_node, vid);
++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node);
+ }
+ rcu_read_unlock();
+ return ret;
+@@ -1618,8 +1646,7 @@ batadv_mcast_forw_want_all_rtr4(struct batadv_priv *bat_priv,
+ break;
+ }
+
+- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0,
+- orig_node, vid);
++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node);
+ }
+ rcu_read_unlock();
+ return ret;
+@@ -1656,8 +1683,7 @@ batadv_mcast_forw_want_all_rtr6(struct batadv_priv *bat_priv,
+ break;
+ }
+
+- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0,
+- orig_node, vid);
++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node);
+ }
+ rcu_read_unlock();
+ return ret;
+diff --git a/net/batman-adv/multicast.h b/net/batman-adv/multicast.h
+index ebf825991ecd9..3e114bc5ca3bb 100644
+--- a/net/batman-adv/multicast.h
++++ b/net/batman-adv/multicast.h
+@@ -46,6 +46,11 @@ enum batadv_forw_mode
+ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ struct batadv_orig_node **mcast_single_orig);
+
++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node);
++
+ int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ unsigned short vid);
+
+@@ -71,6 +76,16 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ return BATADV_FORW_ALL;
+ }
+
++static inline int
++batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node)
++{
++ kfree_skb(skb);
++ return NET_XMIT_DROP;
++}
++
+ static inline int
+ batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ unsigned short vid)
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index f1f1c86f34193..d2183aea4e4ad 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -364,9 +364,8 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
+ goto dropped;
+ ret = batadv_send_skb_via_gw(bat_priv, skb, vid);
+ } else if (mcast_single_orig) {
+- ret = batadv_send_skb_unicast(bat_priv, skb,
+- BATADV_UNICAST, 0,
+- mcast_single_orig, vid);
++ ret = batadv_mcast_forw_send_orig(bat_priv, skb, vid,
++ mcast_single_orig);
+ } else if (forw_mode == BATADV_FORW_SOME) {
+ ret = batadv_mcast_forw_send(bat_priv, skb, vid);
+ } else {
+--
+2.25.1
+
diff --git a/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-11308 b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-11308
new file mode 100644
index 00000000000..2b46730c75a
--- /dev/null
+++ b/queue-5.8/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-11308
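Review bot: The kernel-doc of batadv_mcast_forw_send_orig() in multicast.c does not say who owns `skb` afterwards, nor that a frame suppressed because the destination is a BLA backbone gateway is freed with dev_kfree_skb() and reported as NET_XMIT_SUCCESS. batadv_interface_tx() in soft-interface.c now stores this return value in `ret`, so a suppressed send looks the same as a delivered one to that caller, while the stub in multicast.h frees with kfree_skb() and returns NET_XMIT_DROP. I would extend the Return: text with something like `NET_XMIT_SUCCESS is also returned when the frame is deliberately not sent to a BLA backbone gateway; skb is consumed in all cases.`, assuming batadv_send_skb_unicast() also consumes the skb, which is outside the hunk.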
@@ -0,0 +1,172 @@ +From c7f4bbb11bd954d5cc5e1630b35261b73e6b3e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:54:09 +0200 +Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from + mesh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 74c09b7275126da1b642b90c9cdc3ae8b729ad4b ] + +Scenario: +* Multicast frame send from mesh to a BLA backbone (multiple nodes + with their bat0 bridged together, with BLA enabled) + +Issue: +* BLA backbone nodes receive the frame multiple times on bat0, + once from mesh->bat0 and once from each backbone_gw from LAN + +For unicast, a node will send only to the best backbone gateway +according to the TQ. However for multicast we currently cannot determine +if multiple destination nodes share the same backbone if they don't share +the same backbone with us. So we need to keep sending the unicasts to +all backbone gateways and let the backbone gateways decide which one +will forward the frame. We can use the CLAIM mechanism to make this +decision. + +One catch: The batman-adv gateway feature for DHCP packets potentially +sends multicast packets in the same batman-adv unicast header as the +multicast optimizations code. And we are not allowed to drop those even +if we did not claim the source address of the sender, as for such +packets there is only this one multicast-in-unicast packet. + +How can we distinguish the two cases? + +The gateway feature uses a batman-adv unicast 4 address header. While +the multicast-to-unicasts feature uses a simple, 3 address batman-adv +unicast header. So let's use this to distinguish. 
+ +Fixes: fe2da6ff27c7 ("batman-adv: check incoming packet type for bla") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 34 +++++++++++++++++++------- + net/batman-adv/bridge_loop_avoidance.h | 4 +-- + net/batman-adv/soft-interface.c | 6 ++--- + 3 files changed, 30 insertions(+), 14 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index f8c8c38e258a1..164ba5706aa4e 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1814,7 +1814,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * @bat_priv: the bat priv with all the soft interface information + * @skb: the frame to be checked + * @vid: the VLAN ID of the frame +- * @is_bcast: the packet came in a broadcast packet type. ++ * @packet_type: the batman packet type this frame came in + * + * batadv_bla_rx avoidance checks if: + * * we have to race for a claim +@@ -1826,7 +1826,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * further process the skb. 
+ */ + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast) ++ unsigned short vid, int packet_type) + { + struct batadv_bla_backbone_gw *backbone_gw; + struct ethhdr *ethhdr; +@@ -1848,9 +1848,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto handled; + + if (unlikely(atomic_read(&bat_priv->bla.num_requests))) +- /* don't allow broadcasts while requests are in flight */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) +- goto handled; ++ /* don't allow multicast packets while requests are in flight */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ /* Both broadcast flooding or multicast-via-unicasts ++ * delivery might send to multiple backbone gateways ++ * sharing the same LAN and therefore need to coordinate ++ * which backbone gateway forwards into the LAN, ++ * by claiming the payload source address. ++ * ++ * Broadcast flooding and multicast-via-unicasts ++ * delivery use the following two batman packet types. ++ * Note: explicitly exclude BATADV_UNICAST_4ADDR, ++ * as the DHCP gateway feature will send explicitly ++ * to only one BLA gateway, so the claiming process ++ * should be avoided there. ++ */ ++ if (packet_type == BATADV_BCAST || ++ packet_type == BATADV_UNICAST) ++ goto handled; + + ether_addr_copy(search_claim.addr, ethhdr->h_source); + search_claim.vid = vid; +@@ -1885,13 +1900,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto allow; + } + +- /* if it is a broadcast ... */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) { ++ /* if it is a multicast ... */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) { + /* ... drop it. the responsible gateway is in charge. 
+ * +- * We need to check is_bcast because with the gateway ++ * We need to check packet type because with the gateway + * feature, broadcasts (like DHCP requests) may be sent +- * using a unicast packet type. ++ * using a unicast 4 address packet type. See comment above. + */ + goto handled; + } else { +diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h +index 41edb2c4a3277..a81c41b636f93 100644 +--- a/net/batman-adv/bridge_loop_avoidance.h ++++ b/net/batman-adv/bridge_loop_avoidance.h +@@ -35,7 +35,7 @@ static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac) + + #ifdef CONFIG_BATMAN_ADV_BLA + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast); ++ unsigned short vid, int packet_type); + bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + bool batadv_bla_is_backbone_gw(struct sk_buff *skb, +@@ -66,7 +66,7 @@ bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr, + + static inline bool batadv_bla_rx(struct batadv_priv *bat_priv, + struct sk_buff *skb, unsigned short vid, +- bool is_bcast) ++ int packet_type) + { + return false; + } +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index d2183aea4e4ad..012b6d0b87ead 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -424,10 +424,10 @@ void batadv_interface_rx(struct net_device *soft_iface, + struct vlan_ethhdr *vhdr; + struct ethhdr *ethhdr; + unsigned short vid; +- bool is_bcast; ++ int packet_type; + + batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data; +- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST); ++ packet_type = batadv_bcast_packet->packet_type; + + skb_pull_rcsum(skb, hdr_size); + skb_reset_mac_header(skb); +@@ -470,7 +470,7 @@ void batadv_interface_rx(struct net_device *soft_iface, + /* Let the bridge loop avoidance check the packet. 
If will + * not handle it, we can safely push it up. + */ +- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast)) ++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type)) + goto out; + + if (orig_node) +-- +2.25.1 + diff --git a/queue-5.8/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch b/queue-5.8/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch new file mode 100644 index 00000000000..d5b83fcfac6 --- /dev/null +++ b/queue-5.8/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch 
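Review bot: In batadv_bla_rx() the in-flight-requests check is now three nested `if` statements without braces, with a long comment sitting between the second and the third, so it is easy to misread which condition guards `goto handled`. Folding them into one braced condition keeps the logic identical: `if (unlikely(atomic_read(&bat_priv->bla.num_requests)) && is_multicast_ether_addr(ethhdr->h_dest) && (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) { goto handled; }`, with the explanatory comment moved above it. The same packet-type test is repeated in the later "if it is a multicast" branch, so a small static helper would keep the two in step. batadv_bla_rx() starts and ends outside these hunks.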
@@ -0,0 +1,59 @@ +From 6ab12f1ec991358a42a22aca001eb9f1c96ddd7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 20:28:00 +0200 +Subject: batman-adv: mcast/TT: fix wrongly dropped or rerouted packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ] + +The unicast packet rerouting code makes several assumptions. For +instance it assumes that there is always exactly one destination in the +TT. This breaks for multicast frames in a unicast packets in several ways: + +For one thing if there is actually no TT entry and the destination node +was selected due to the multicast tvlv flags it announced. Then an +intermediate node will wrongly drop the packet. + +For another thing if there is a TT entry but the TTVN of this entry is +newer than the originally addressed destination node: Then the +intermediate node will wrongly redirect the packet, leading to +duplicated multicast packets at a multicast listener and missing +packets at other multicast listeners or multicast routers. + +Fixing this by not applying the unicast packet rerouting to batman-adv +unicast packets with a multicast payload. We are not able to detect a +roaming multicast listener at the moment and will just continue to send +the multicast frame to both the new and old destination for a while in +case of such a roaming multicast listener. 
+ +Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/routing.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index d343382e96641..e6515df546a60 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -826,6 +826,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + vid = batadv_get_vid(skb, hdr_len); + ethhdr = (struct ethhdr *)(skb->data + hdr_len); + ++ /* do not reroute multicast frames in a unicast header */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ return true; ++ + /* check if the destination client was served by this node and it is now + * roaming. In this case, it means that the node has got a ROAM_ADV + * message and that it knows the new destination in the mesh to re-route +-- +2.25.1 + diff --git a/queue-5.8/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch b/queue-5.8/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch new file mode 100644 index 00000000000..45bd6d99757 --- /dev/null +++ b/queue-5.8/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch 
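Review bot: The new early return in batadv_check_unicast_ttvn() skips every TTVN check for any frame whose payload destination is multicast, but the one-line comment does not say why that is safe. A comment carrying the reason from the commit message would help the next reader, for example `/* do not reroute multicast frames in a unicast header: the checks below assume exactly one destination client in the TT, which does not hold for multicast */`. The read of `ethhdr->h_dest` relies on the skb holding a full Ethernet header at `hdr_len`; that length check is not visible in this hunk and should be confirmed in the part of the function above it.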
@@ -0,0 +1,74 @@ +From 78b2a76b75b7380d6317fb2c8f8d0d4e44b12228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:44:01 -0700 +Subject: bpf: Fix a rcu warning for bpffs map pretty-print + +From: Yonghong Song + +[ Upstream commit ce880cb825fcc22d4e39046a6c3a3a7f6603883d ] + +Running selftest + ./btf_btf -p +the kernel had the following warning: + [ 51.528185] WARNING: CPU: 3 PID: 1756 at kernel/bpf/hashtab.c:717 htab_map_get_next_key+0x2eb/0x300 + [ 51.529217] Modules linked in: + [ 51.529583] CPU: 3 PID: 1756 Comm: test_btf Not tainted 5.9.0-rc1+ #878 + [ 51.530346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.el7.centos 04/01/2014 + [ 51.531410] RIP: 0010:htab_map_get_next_key+0x2eb/0x300 + ... + [ 51.542826] Call Trace: + [ 51.543119] map_seq_next+0x53/0x80 + [ 51.543528] seq_read+0x263/0x400 + [ 51.543932] vfs_read+0xad/0x1c0 + [ 51.544311] ksys_read+0x5f/0xe0 + [ 51.544689] do_syscall_64+0x33/0x40 + [ 51.545116] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The related source code in kernel/bpf/hashtab.c: + 709 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + 710 { + 711 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); + 712 struct hlist_nulls_head *head; + 713 struct htab_elem *l, *next_l; + 714 u32 hash, key_size; + 715 int i = 0; + 716 + 717 WARN_ON_ONCE(!rcu_read_lock_held()); + +In kernel/bpf/inode.c, bpffs map pretty print calls map->ops->map_get_next_key() +without holding a rcu_read_lock(), hence causing the above warning. +To fix the issue, just surrounding map->ops->map_get_next_key() with rcu read lock. 
+ +Fixes: a26ca7c982cb ("bpf: btf: Add pretty print support to the basic arraymap") +Reported-by: Alexei Starovoitov +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20200916004401.146277-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c +index fb878ba3f22f0..18f4969552ac2 100644 +--- a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -226,10 +226,12 @@ static void *map_seq_next(struct seq_file *m, void *v, loff_t *pos) + else + prev_key = key; + ++ rcu_read_lock(); + if (map->ops->map_get_next_key(map, prev_key, key)) { + map_iter(m)->done = true; +- return NULL; ++ key = NULL; + } ++ rcu_read_unlock(); + return key; + } + +-- +2.25.1 + diff --git a/queue-5.8/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch b/queue-5.8/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch new file mode 100644 index 00000000000..1cae3d81861 --- /dev/null +++ b/queue-5.8/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch 
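Review bot: In map_seq_next() the failure path was changed from `return NULL;` to `key = NULL;` so that rcu_read_unlock() runs on both paths, but nothing in the code records that constraint. A later edit that restores an early return inside the locked region would leave the RCU read-side section open. A short comment above the lock would state both the reason and the rule: `/* map_get_next_key() expects rcu_read_lock() to be held; do not return before rcu_read_unlock() */`. The start of map_seq_next() is outside the hunk.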
@@ -0,0 +1,66 @@ +From 95f3046b98c4fa8456bb58536b5045fcee98912a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 00:04:10 +0200 +Subject: bpf: Fix clobbering of r2 in bpf_gen_ld_abs + +From: Daniel Borkmann + +[ Upstream commit e6a18d36118bea3bf497c9df4d9988b6df120689 ] + +Bryce reported that he saw the following with: + + 0: r6 = r1 + 1: r1 = 12 + 2: r0 = *(u16 *)skb[r1] + +The xlated sequence was incorrectly clobbering r2 with pointer +value of r6 ... + + 0: (bf) r6 = r1 + 1: (b7) r1 = 12 + 2: (bf) r1 = r6 + 3: (bf) r2 = r1 + 4: (85) call bpf_skb_load_helper_16_no_cache#7692160 + +... and hence call to the load helper never succeeded given the +offset was too high. Fix it by reordering the load of r6 to r1. + +Other than that the insn has similar calling convention than BPF +helpers, that is, r0 - r5 are scratch regs, so nothing else +affected after the insn. + +Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf") +Reported-by: Bryce Kahle +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/cace836e4d07bb63b1a53e49c5dfb238a040c298.1599512096.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index d13ea1642b974..0261531d4fda6 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6998,8 +6998,6 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + bool indirect = BPF_MODE(orig->code) == BPF_IND; + struct bpf_insn *insn = insn_buf; + +- /* We're guaranteed here that CTX is in R6. */ +- *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + if (!indirect) { + *insn++ = BPF_MOV64_IMM(BPF_REG_2, orig->imm); + } else { +@@ -7007,6 +7005,8 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + if (orig->imm) + *insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, orig->imm); + } ++ /* We're guaranteed here that CTX is in R6. 
*/ ++ *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + + switch (BPF_SIZE(orig->code)) { + case BPF_B: +-- +2.25.1 + diff --git a/queue-5.8/cfg80211-fix-6-ghz-channel-conversion.patch b/queue-5.8/cfg80211-fix-6-ghz-channel-conversion.patch new file mode 100644 index 00000000000..a23e9d03837 --- /dev/null +++ b/queue-5.8/cfg80211-fix-6-ghz-channel-conversion.patch @@ -0,0 +1,37 @@ +From 1efc6e38728a83091568ed3d887503bd7d9f1496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 11:52:23 +0200 +Subject: cfg80211: fix 6 GHz channel conversion + +From: Johannes Berg + +[ Upstream commit c0de8776af6543e10d1a5c8969679fd9f6b66fa9 ] + +We shouldn't accept any channels bigger than 233, fix that. + +Reported-by: Amar +Fixes: d1a1646c0de7 ("cfg80211: adapt to new channelization of the 6GHz band") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200917115222.312ba6f1d461.I3a8c8fbcc3cc019814fd9cd0aced7eb591626136@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index a72d2ad6ade8b..0f95844e73d80 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -95,7 +95,7 @@ u32 ieee80211_channel_to_freq_khz(int chan, enum nl80211_band band) + /* see 802.11ax D6.1 27.3.23.2 */ + if (chan == 2) + return MHZ_TO_KHZ(5935); +- if (chan <= 253) ++ if (chan <= 233) + return MHZ_TO_KHZ(5950 + chan * 5); + break; + case NL80211_BAND_60GHZ: +-- +2.25.1 + diff --git a/queue-5.8/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch b/queue-5.8/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch new file mode 100644 index 00000000000..914aa5f393f --- /dev/null +++ b/queue-5.8/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch 
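Review bot: The fix in bpf_gen_ld_abs() depends on R1 being written only after R2 has been set up, yet the moved comment still says only that CTX is in R6, so the ordering requirement is invisible in the code. I would extend it to `/* Load CTX into R1 last: the register copied into R2 above may be R1 itself. We're guaranteed here that CTX is in R6. */`, which matches the `skb[r1]` case in the commit message. The statement that fills R2 in the indirect branch falls between the two hunks and is not shown, so the wording should be checked against it.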
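Review bot: The corrected upper bound in ieee80211_channel_to_freq_khz() is a bare literal, `if (chan <= 233)`, and the only nearby comment is the spec reference two lines up. A short comment such as `/* no 6 GHz channel above 233 is valid */`, or a named constant, would make the intent of the bound clear to the next reader. `chan` is a signed int, and whether zero and negative values are rejected before this switch is not visible in the hunk, so the lower bound is worth confirming as well.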
@@ -0,0 +1,41 @@ +From 0482d112ede12b6a42ddc5f01373e6b3d253d81d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:41 +0800 +Subject: clocksource/drivers/h8300_timer8: Fix wrong return value in + h8300_8timer_init() + +From: Tianjia Zhang + +[ Upstream commit 400d033f5a599120089b5f0c54d14d198499af5a ] + +In the init function, if the call to of_iomap() fails, the return +value is ENXIO instead of -ENXIO. + +Change to the right negative errno. + +Fixes: 691f8f878290f ("clocksource/drivers/h8300_timer8: Convert init function to return error") +Cc: Daniel Lezcano +Signed-off-by: Tianjia Zhang +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/h8300_timer8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c +index 1d740a8c42ab3..47114c2a7cb54 100644 +--- a/drivers/clocksource/h8300_timer8.c ++++ b/drivers/clocksource/h8300_timer8.c +@@ -169,7 +169,7 @@ static int __init h8300_8timer_init(struct device_node *node) + return PTR_ERR(clk); + } + +- ret = ENXIO; ++ ret = -ENXIO; + base = of_iomap(node, 0); + if (!base) { + pr_err("failed to map registers for clockevent\n"); +-- +2.25.1 + diff --git a/queue-5.8/clocksource-drivers-timer-ti-dm-do-reset-before-enab.patch b/queue-5.8/clocksource-drivers-timer-ti-dm-do-reset-before-enab.patch new file mode 100644 index 00000000000..a376e0febe8 --- /dev/null +++ b/queue-5.8/clocksource-drivers-timer-ti-dm-do-reset-before-enab.patch 
@@ -0,0 +1,121 @@ +From f2ae990e49d53c8e70651adab9bb1a6360a8db8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 12:24:28 +0300 +Subject: clocksource/drivers/timer-ti-dm: Do reset before enable + +From: Tony Lindgren + +[ Upstream commit 164805157f3c6834670afbaff563353c773131f1 ] + +Commit 6cfcd5563b4f ("clocksource/drivers/timer-ti-dm: Fix suspend and +resume for am3 and am4") exposed a new issue for type2 dual mode timers +on at least omap5 where the clockevent will stop when the SoC starts +entering idle states during the boot. + +Turns out we are wrongly first enabling the system timer and then +resetting it, while we must also re-enable it after reset. The current +sequence leaves the timer module in a partially initialized state. This +issue went unnoticed earlier with ti-sysc driver reconfiguring the timer +module until we fixed the issue of ti-sysc reconfiguring system timers. + +Let's fix the issue by calling dmtimer_systimer_enable() from reset for +both type1 and type2 timers, and switch the order of reset and enable in +dmtimer_systimer_setup(). Let's also move dmtimer_systimer_enable() and +dmtimer_systimer_disable() to do this without adding forward declarations. + +Fixes: 6cfcd5563b4f ("clocksource/drivers/timer-ti-dm: Fix suspend and resume for am3 and am4") +Reported-by: H. 
Nikolaus Schaller" +Signed-off-by: Tony Lindgren +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200817092428.6176-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-ti-dm-systimer.c | 44 +++++++++++----------- + 1 file changed, 23 insertions(+), 21 deletions(-) + +diff --git a/drivers/clocksource/timer-ti-dm-systimer.c b/drivers/clocksource/timer-ti-dm-systimer.c +index f6fd1c1cc527f..33b3e8aa2cc50 100644 +--- a/drivers/clocksource/timer-ti-dm-systimer.c ++++ b/drivers/clocksource/timer-ti-dm-systimer.c +@@ -69,12 +69,33 @@ static bool dmtimer_systimer_revision1(struct dmtimer_systimer *t) + return !(tidr >> 16); + } + ++static void dmtimer_systimer_enable(struct dmtimer_systimer *t) ++{ ++ u32 val; ++ ++ if (dmtimer_systimer_revision1(t)) ++ val = DMTIMER_TYPE1_ENABLE; ++ else ++ val = DMTIMER_TYPE2_ENABLE; ++ ++ writel_relaxed(val, t->base + t->sysc); ++} ++ ++static void dmtimer_systimer_disable(struct dmtimer_systimer *t) ++{ ++ if (!dmtimer_systimer_revision1(t)) ++ return; ++ ++ writel_relaxed(DMTIMER_TYPE1_DISABLE, t->base + t->sysc); ++} ++ + static int __init dmtimer_systimer_type1_reset(struct dmtimer_systimer *t) + { + void __iomem *syss = t->base + OMAP_TIMER_V1_SYS_STAT_OFFSET; + int ret; + u32 l; + ++ dmtimer_systimer_enable(t); + writel_relaxed(BIT(1) | BIT(2), t->base + t->ifctrl); + ret = readl_poll_timeout_atomic(syss, l, l & BIT(0), 100, + DMTIMER_RESET_WAIT); +@@ -88,6 +109,7 @@ static int __init dmtimer_systimer_type2_reset(struct dmtimer_systimer *t) + void __iomem *sysc = t->base + t->sysc; + u32 l; + ++ dmtimer_systimer_enable(t); + l = readl_relaxed(sysc); + l |= BIT(0); + writel_relaxed(l, sysc); +@@ -336,26 +358,6 @@ static int __init dmtimer_systimer_init_clock(struct dmtimer_systimer *t, + return 0; + } + +-static void dmtimer_systimer_enable(struct dmtimer_systimer *t) +-{ +- u32 val; +- +- if (dmtimer_systimer_revision1(t)) +- val = DMTIMER_TYPE1_ENABLE; +- else +- val = 
DMTIMER_TYPE2_ENABLE; +- +- writel_relaxed(val, t->base + t->sysc); +-} +- +-static void dmtimer_systimer_disable(struct dmtimer_systimer *t) +-{ +- if (!dmtimer_systimer_revision1(t)) +- return; +- +- writel_relaxed(DMTIMER_TYPE1_DISABLE, t->base + t->sysc); +-} +- + static int __init dmtimer_systimer_setup(struct device_node *np, + struct dmtimer_systimer *t) + { +@@ -409,8 +411,8 @@ static int __init dmtimer_systimer_setup(struct device_node *np, + t->wakeup = regbase + _OMAP_TIMER_WAKEUP_EN_OFFSET; + t->ifctrl = regbase + _OMAP_TIMER_IF_CTRL_OFFSET; + +- dmtimer_systimer_enable(t); + dmtimer_systimer_reset(t); ++ dmtimer_systimer_enable(t); + pr_debug("dmtimer rev %08x sysc %08x\n", readl_relaxed(t->base), + readl_relaxed(t->base + t->sysc)); + +-- +2.25.1 + diff --git a/queue-5.8/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch b/queue-5.8/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch new file mode 100644 index 00000000000..05bf510c4dc --- /dev/null +++ b/queue-5.8/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch 
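Review bot: After this change dmtimer_systimer_enable() is called inside both reset helpers and again right after dmtimer_systimer_reset() in dmtimer_systimer_setup(), and none of the call sites says why the second call is needed. A comment at the setup call, for example `/* the module must be enabled again after reset */`, would keep someone from removing it as redundant. dmtimer_systimer_type1_reset() is declared to return int and stores the poll result in `ret`, but the call in setup is shown without a check. If dmtimer_systimer_reset() passes that result on (its body is not in the hunk), the timer is enabled even after a reset that timed out, and handling that error in setup should be considered.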
@@ -0,0 +1,39 @@ +From 74de80245f876e674ddd5b02eec6698bb0e12d2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 18:21:39 +0200 +Subject: drm/sun4i: sun8i-csc: Secondary CSC register correction + +From: Martin Cerveny + +[ Upstream commit cab4c03b4ba54c8d9378298cacb8bc0fd74ceece ] + +"Allwinner V3s" has secondary video layer (VI). +Decoded video is displayed in wrong colors until +secondary CSC registers are programmed correctly. + +Fixes: 883029390550 ("drm/sun4i: Add DE2 CSC library") +Signed-off-by: Martin Cerveny +Reviewed-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200906162140.5584-2-m.cerveny@computer.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_csc.h b/drivers/gpu/drm/sun4i/sun8i_csc.h +index f42441b1b14dd..a55a38ad849c1 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_csc.h ++++ b/drivers/gpu/drm/sun4i/sun8i_csc.h +@@ -12,7 +12,7 @@ struct sun8i_mixer; + + /* VI channel CSC units offsets */ + #define CCSC00_OFFSET 0xAA050 +-#define CCSC01_OFFSET 0xFA000 ++#define CCSC01_OFFSET 0xFA050 + #define CCSC10_OFFSET 0xA0000 + #define CCSC11_OFFSET 0xF0000 + +-- +2.25.1 + diff --git a/queue-5.8/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch b/queue-5.8/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch new file mode 100644 index 00000000000..48acc933143 --- /dev/null +++ b/queue-5.8/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch 
@@ -0,0 +1,75 @@ +From a45a3154c5f9f0777ca93829074573893c7be0c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 09:39:49 +0200 +Subject: drm/vc4/vc4_hdmi: fill ASoC card owner + +From: Marek Szyprowski + +[ Upstream commit ec653df2a0cbc306a4bfcb0e3484d318fa779002 ] + +card->owner is a required property and since commit 81033c6b584b ("ALSA: +core: Warn on empty module") a warning is issued if it is empty. Fix lack +of it. This fixes following warning observed on RaspberryPi 3B board +with ARM 32bit kernel and multi_v7_defconfig: + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 210 at sound/core/init.c:207 snd_card_new+0x378/0x398 [snd] +Modules linked in: vc4(+) snd_soc_core ac97_bus snd_pcm_dmaengine bluetooth snd_pcm snd_timer crc32_arm_ce raspberrypi_hwmon snd soundcore ecdh_generic ecc bcm2835_thermal phy_generic +CPU: 1 PID: 210 Comm: systemd-udevd Not tainted 5.8.0-rc1-00027-g81033c6b584b #1087 +Hardware name: BCM2835 +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xd4/0xe8) +[] (dump_stack) from [] (__warn+0xdc/0xf4) +[] (__warn) from [] (warn_slowpath_fmt+0xb0/0xb8) +[] (warn_slowpath_fmt) from [] (snd_card_new+0x378/0x398 [snd]) +[] (snd_card_new [snd]) from [] (snd_soc_bind_card+0x280/0x99c [snd_soc_core]) +[] (snd_soc_bind_card [snd_soc_core]) from [] (devm_snd_soc_register_card+0x34/0x6c [snd_soc_core]) +[] (devm_snd_soc_register_card [snd_soc_core]) from [] (vc4_hdmi_bind+0x43c/0x5f4 [vc4]) +[] (vc4_hdmi_bind [vc4]) from [] (component_bind_all+0xec/0x24c) +[] (component_bind_all) from [] (vc4_drm_bind+0xd4/0x174 [vc4]) +[] (vc4_drm_bind [vc4]) from [] (try_to_bring_up_master+0x160/0x1b0) +[] (try_to_bring_up_master) from [] (component_master_add_with_match+0xd0/0x104) +[] (component_master_add_with_match) from [] (vc4_platform_drm_probe+0x9c/0xbc [vc4]) +[] (vc4_platform_drm_probe [vc4]) from [] (platform_drv_probe+0x6c/0xa4) +[] (platform_drv_probe) from [] 
(really_probe+0x210/0x350) +[] (really_probe) from [] (driver_probe_device+0x5c/0xb4) +[] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) +[] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) +[] (__driver_attach) from [] (bus_for_each_dev+0x68/0xb4) +[] (bus_for_each_dev) from [] (bus_add_driver+0x130/0x1e8) +[] (bus_add_driver) from [] (driver_register+0x78/0x110) +[] (driver_register) from [] (do_one_initcall+0x50/0x220) +[] (do_one_initcall) from [] (do_init_module+0x60/0x210) +[] (do_init_module) from [] (load_module+0x1e34/0x2338) +[] (load_module) from [] (sys_finit_module+0xac/0xbc) +[] (sys_finit_module) from [] (ret_fast_syscall+0x0/0x54) +Exception stack(0xeded9fa8 to 0xeded9ff0) +... +---[ end trace 6414689569c2bc08 ]--- + +Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support") +Suggested-by: Takashi Iwai +Signed-off-by: Marek Szyprowski +Tested-by: Stefan Wahren +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200701073949.28941-1-m.szyprowski@samsung.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 625bfcf52dc4d..bdcc54c87d7e8 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1117,6 +1117,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *hdmi) + card->num_links = 1; + card->name = "vc4-hdmi"; + card->dev = dev; ++ card->owner = THIS_MODULE; + + /* + * Be careful, snd_soc_register_card() calls dev_set_drvdata() and +-- +2.25.1 + diff --git a/queue-5.8/hv_netvsc-switch-the-data-path-at-the-right-time-dur.patch b/queue-5.8/hv_netvsc-switch-the-data-path-at-the-right-time-dur.patch new file mode 100644 index 00000000000..fc74d874642 --- /dev/null +++ b/queue-5.8/hv_netvsc-switch-the-data-path-at-the-right-time-dur.patch 
@@ -0,0 +1,63 @@ +From 844fa1b62b74a95b1c40f674c2ba96e17533d66b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 21:07:32 -0700 +Subject: hv_netvsc: Switch the data path at the right time during hibernation + +From: Dexuan Cui + +[ Upstream commit de214e52de1bba5392b5b7054924a08dbd57c2f6 ] + +When netvsc_resume() is called, the mlx5 VF NIC has not been resumed yet, +so in the future the host might sliently fail the call netvsc_vf_changed() +-> netvsc_switch_datapath() there, even if the call works now. + +Call netvsc_vf_changed() in the NETDEV_CHANGE event handler: at that time +the mlx5 VF NIC has been resumed. + +Fixes: 19162fd4063a ("hv_netvsc: Fix hibernation for mlx5 VF driver") +Signed-off-by: Dexuan Cui +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 8309194b351a9..a2db5ef3b62a2 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2576,7 +2576,6 @@ static int netvsc_resume(struct hv_device *dev) + struct net_device *net = hv_get_drvdata(dev); + struct net_device_context *net_device_ctx; + struct netvsc_device_info *device_info; +- struct net_device *vf_netdev; + int ret; + + rtnl_lock(); +@@ -2589,15 +2588,6 @@ static int netvsc_resume(struct hv_device *dev) + netvsc_devinfo_put(device_info); + net_device_ctx->saved_netvsc_dev_info = NULL; + +- /* A NIC driver (e.g. mlx5) may keep the VF network interface across +- * hibernation, but here the data path is implicitly switched to the +- * netvsc NIC since the vmbus channel is closed and re-opened, so +- * netvsc_vf_changed() must be used to switch the data path to the VF. 
+- */ +- vf_netdev = rtnl_dereference(net_device_ctx->vf_netdev); +- if (vf_netdev && netvsc_vf_changed(vf_netdev) != NOTIFY_OK) +- ret = -EINVAL; +- + rtnl_unlock(); + + return ret; +@@ -2658,6 +2648,7 @@ static int netvsc_netdev_event(struct notifier_block *this, + return netvsc_unregister_vf(event_dev); + case NETDEV_UP: + case NETDEV_DOWN: ++ case NETDEV_CHANGE: + return netvsc_vf_changed(event_dev); + default: + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-5.8/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch b/queue-5.8/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch new file mode 100644 index 00000000000..444033562bb --- /dev/null +++ b/queue-5.8/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch 
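Review bot: The new `case NETDEV_CHANGE:` in netvsc_netdev_event() has no comment, while the block it replaces in netvsc_resume() carried the explanation of why the data path has to be switched back to the VF after hibernation. I would keep that reasoning at the new site, e.g. `/* NETDEV_CHANGE: after hibernation the VF is resumed later than netvsc, so switch the data path here */`. NETDEV_CHANGE is also raised for state changes unrelated to hibernation, so netvsc_vf_changed() will now run on each of them. Its body is outside the hunk, and it should be confirmed that repeating the switch is harmless.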
@@ -0,0 +1,51 @@ +From f26233cc871d1b23f522ba204bb5798ab7278a54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 07:23:39 -0700 +Subject: ieee802154/adf7242: check status of adf7242_read_reg + +From: Tom Rix + +[ Upstream commit e3914ed6cf44bfe1f169e26241f8314556fd1ac1 ] + +Clang static analysis reports this error + +adf7242.c:887:6: warning: Assigned value is garbage or undefined + len = len_u8; + ^ ~~~~~~ + +len_u8 is set in + adf7242_read_reg(lp, 0, &len_u8); + +When this call fails, len_u8 is not set. + +So check the return code. + +Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154") + +Signed-off-by: Tom Rix +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index c11f32f644db3..7db9cbd0f5ded 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -882,7 +882,9 @@ static int adf7242_rx(struct adf7242_local *lp) + int ret; + u8 lqi, len_u8, *data; + +- adf7242_read_reg(lp, 0, &len_u8); ++ ret = adf7242_read_reg(lp, 0, &len_u8); ++ if (ret) ++ return ret; + + len = len_u8; + +-- +2.25.1 + diff --git a/queue-5.8/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch b/queue-5.8/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch new file mode 100644 index 00000000000..a7a566018b9 --- /dev/null +++ b/queue-5.8/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch 
@@ -0,0 +1,35 @@
+From 29b71131dd411f8e0ad792d2761095965f0df315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jul 2020 22:33:15 +0800
+Subject: ieee802154: fix one possible memleak in ca8210_dev_com_init
+
+From: Liu Jian
+
+[ Upstream commit 88f46b3fe2ac41c381770ebad9f2ee49346b57a2 ]
+
+We should call destroy_workqueue to destroy mlme_workqueue in error branch.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Liu Jian
+Link: https://lore.kernel.org/r/20200720143315.40523-1-liujian56@huawei.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/ca8210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index e04c3b60cae78..4eb64709d44cb 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2925,6 +2925,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv)
+ );
+ if (!priv->irq_workqueue) {
+ dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n");
++ destroy_workqueue(priv->mlme_workqueue);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.8/igc-fix-not-considering-the-tx-delay-for-timestamps.patch b/queue-5.8/igc-fix-not-considering-the-tx-delay-for-timestamps.patch
new file mode 100644
index 00000000000..90118c2cdcd
--- /dev/null
+++ b/queue-5.8/igc-fix-not-considering-the-tx-delay-for-timestamps.patch
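Review bot: After the added `destroy_workqueue(priv->mlme_workqueue);` in the irq_workqueue failure branch of ca8210_dev_com_init(), `priv->mlme_workqueue` still holds the stale pointer. If any teardown on the probe-failure path also flushes or destroys that workqueue (not visible in this hunk), that would be a use-after-free or double destroy. Clearing it straight away with `priv->mlme_workqueue = NULL;` makes the state unambiguous, provided the teardown then checks for NULL; the function body starts and ends outside the hunk.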
@@ -0,0 +1,64 @@
+From d5f669830ac7998c85c547c5831b6883b4ec1cc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Aug 2020 16:40:02 -0700
+Subject: igc: Fix not considering the TX delay for timestamps
+
+From: Vinicius Costa Gomes
+
+[ Upstream commit 4406e977a4a1e997818b6d77c3218ef8d15b2abf ]
+
+When timestamping a packet there's a delay between the start of the
+packet and the point where the hardware actually captures the
+timestamp. This difference needs to be considered if we want accurate
+timestamps.
+
+This was done on the RX side, but not on the TX side.
+
+Fixes: 2c344ae24501 ("igc: Add support for TX timestamping")
+Signed-off-by: Vinicius Costa Gomes
+Tested-by: Aaron Brown
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 61e38853aa47d..9f191a7f3c71a 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -471,12 +471,31 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+ struct sk_buff *skb = adapter->ptp_tx_skb;
+ struct skb_shared_hwtstamps shhwtstamps;
+ struct igc_hw *hw = &adapter->hw;
++ int adjust = 0;
+ u64 regval;
+
+ regval = rd32(IGC_TXSTMPL);
+ regval |= (u64)rd32(IGC_TXSTMPH) << 32;
+ igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval);
+
++ switch (adapter->link_speed) {
++ case SPEED_10:
++ adjust = IGC_I225_TX_LATENCY_10;
++ break;
++ case SPEED_100:
++ adjust = IGC_I225_TX_LATENCY_100;
++ break;
++ case SPEED_1000:
++ adjust = IGC_I225_TX_LATENCY_1000;
++ break;
++ case SPEED_2500:
++ adjust = IGC_I225_TX_LATENCY_2500;
++ break;
++ }
++
++ shhwtstamps.hwtstamp =
++ ktime_add_ns(shhwtstamps.hwtstamp, adjust);
++
+ /* Clear the lock early before calling skb_tstamp_tx so that
+ * applications are not woken up before the lock bit is clear. We use
+ * a copy of the skb pointer to ensure other threads can't change it
+--
+2.25.1
+
diff --git a/queue-5.8/igc-fix-wrong-timestamp-latency-numbers.patch b/queue-5.8/igc-fix-wrong-timestamp-latency-numbers.patch
new file mode 100644
index 00000000000..45afec3b718
--- /dev/null
+++ b/queue-5.8/igc-fix-wrong-timestamp-latency-numbers.patch
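Review bot: The `switch (adapter->link_speed)` added in igc_ptp_tx_hwtstamp() has no `default:` case, so an unexpected link speed silently gets a zero correction through the `adjust = 0` initializer. That fallback is reasonable but should be explicit, e.g. `default: break; /* unknown speed: no latency correction */`. A one-line comment above `ktime_add_ns()` would also help, recording that the latency is added on TX and that the unit is nanoseconds, which is currently only implied by the helper's name.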
@@ -0,0 +1,58 @@
+From 66e814fc1dc1676210888727b4b34d3507aedad4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Aug 2020 16:40:01 -0700
+Subject: igc: Fix wrong timestamp latency numbers
+
+From: Vinicius Costa Gomes
+
+[ Upstream commit f03369b9bfab8e23ac28ca7ab7e6631c374b7cbe ]
+
+The previous timestamping latency numbers were obtained by
+interpolating the i210 numbers with the i225 crystal clock value. That
+calculation was wrong.
+
+Use the correct values from real measurements.
+
+Fixes: 81b055205e8b ("igc: Add support for RX timestamping")
+Signed-off-by: Vinicius Costa Gomes
+Tested-by: Aaron Brown
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc.h | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 5dbc5a156626a..206b73aa6d7a7 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -298,18 +298,14 @@ extern char igc_driver_version[];
+ #define IGC_RX_HDR_LEN IGC_RXBUFFER_256
+
+ /* Transmit and receive latency (for PTP timestamps) */
+-/* FIXME: These values were estimated using the ones that i225 has as
+- * basis, they seem to provide good numbers with ptp4l/phc2sys, but we
+- * need to confirm them.
+- */
+-#define IGC_I225_TX_LATENCY_10 9542
+-#define IGC_I225_TX_LATENCY_100 1024
+-#define IGC_I225_TX_LATENCY_1000 178
+-#define IGC_I225_TX_LATENCY_2500 64
+-#define IGC_I225_RX_LATENCY_10 20662
+-#define IGC_I225_RX_LATENCY_100 2213
+-#define IGC_I225_RX_LATENCY_1000 448
+-#define IGC_I225_RX_LATENCY_2500 160
++#define IGC_I225_TX_LATENCY_10 240
++#define IGC_I225_TX_LATENCY_100 58
++#define IGC_I225_TX_LATENCY_1000 80
++#define IGC_I225_TX_LATENCY_2500 1325
++#define IGC_I225_RX_LATENCY_10 6450
++#define IGC_I225_RX_LATENCY_100 185
++#define IGC_I225_RX_LATENCY_1000 300
++#define IGC_I225_RX_LATENCY_2500 1485
+
+ /* RX and TX descriptor control thresholds.
+ * PTHRESH - MAC will consider prefetch if it has fewer than this number of
+--
+2.25.1
+
diff --git a/queue-5.8/io_uring-fix-openat-openat2-unified-prep-handling.patch b/queue-5.8/io_uring-fix-openat-openat2-unified-prep-handling.patch
new file mode 100644
index 00000000000..1feba547e33
--- /dev/null
+++ b/queue-5.8/io_uring-fix-openat-openat2-unified-prep-handling.patch
@@ -0,0 +1,56 @@
+From 990e5b593618936505957d43ca7394d882ec5111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Sep 2020 19:36:24 -0600
+Subject: io_uring: fix openat/openat2 unified prep handling
+
+From: Jens Axboe
+
+[ Upstream commit 4eb8dded6b82e184c09bb963bea0335fa3f30b55 ]
+
+A previous commit unified how we handle prep for these two functions,
+but this means that we check the allowed context (SQPOLL, specifically)
+later than we should. Move the ring type checking into the two parent
+functions, instead of doing it after we've done some setup work.
+
+Fixes: ec65fea5a8d7 ("io_uring: deduplicate io_openat{,2}_prep()")
+Reported-by: Andy Lutomirski
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ fs/io_uring.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index d05023ca74bdc..849e39c3cfcd7 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -3056,8 +3056,6 @@ static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
+ const char __user *fname;
+ int ret;
+
+- if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
+- return -EINVAL;
+ if (unlikely(sqe->ioprio || sqe->buf_index))
+ return -EINVAL;
+ if (unlikely(req->flags & REQ_F_FIXED_FILE))
+@@ -3084,6 +3082,8 @@ static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
+ u64 flags, mode;
+
++ if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
++ return -EINVAL;
+ if (req->flags & REQ_F_NEED_CLEANUP)
+ return 0;
+ mode = READ_ONCE(sqe->len);
+@@ -3098,6 +3098,8 @@ static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ size_t len;
+ int ret;
+
++ if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
++ return -EINVAL;
+ if (req->flags & REQ_F_NEED_CLEANUP)
+ return 0;
+ how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
+--
+2.25.1
+
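Review bot: With the `IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL` rejection removed from `__io_openat_prep()` and duplicated in `io_openat_prep()` and `io_openat2_prep()`, the shared helper no longer enforces the ring-type restriction itself, so a future caller could reach it without the check. A comment on the helper would record that contract, e.g. `/* callers must reject IOPOLL/SQPOLL rings before calling */`. All three function bodies extend beyond the hunks shown.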
diff --git a/queue-5.8/kvm-svm-add-a-dedicated-invd-intercept-routine.patch b/queue-5.8/kvm-svm-add-a-dedicated-invd-intercept-routine.patch
new file mode 100644
index 00000000000..16e026030e5
--- /dev/null
+++ b/queue-5.8/kvm-svm-add-a-dedicated-invd-intercept-routine.patch
@@ -0,0 +1,53 @@
+From 3a13ecd138929ab29e7edc4468b5b7e8e98ac37f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 13:41:57 -0500
+Subject: KVM: SVM: Add a dedicated INVD intercept routine
+
+From: Tom Lendacky
+
+[ Upstream commit 4bb05f30483fd21ea5413eaf1182768f251cf625 ]
+
+The INVD instruction intercept performs emulation. Emulation can't be done
+on an SEV guest because the guest memory is encrypted.
+
+Provide a dedicated intercept routine for the INVD intercept. And since
+the instruction is emulated as a NOP, just skip it instead.
+
+Fixes: 1654efcbc431 ("KVM: SVM: Add KVM_SEV_INIT command")
+Signed-off-by: Tom Lendacky
+Message-Id:
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/svm/svm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index f8ead44c3265e..10aba4b6df6ed 100644
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -2169,6 +2169,12 @@ static int iret_interception(struct vcpu_svm *svm)
+ return 1;
+ }
+
++static int invd_interception(struct vcpu_svm *svm)
++{
++ /* Treat an INVD instruction as a NOP and just skip it. */
++ return kvm_skip_emulated_instruction(&svm->vcpu);
++}
++
+ static int invlpg_interception(struct vcpu_svm *svm)
+ {
+ if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
+@@ -2758,7 +2764,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
+ [SVM_EXIT_RDPMC] = rdpmc_interception,
+ [SVM_EXIT_CPUID] = cpuid_interception,
+ [SVM_EXIT_IRET] = iret_interception,
+- [SVM_EXIT_INVD] = emulate_on_interception,
++ [SVM_EXIT_INVD] = invd_interception,
+ [SVM_EXIT_PAUSE] = pause_interception,
+ [SVM_EXIT_HLT] = halt_interception,
+ [SVM_EXIT_INVLPG] = invlpg_interception,
+--
+2.25.1
+
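Review bot: The comment in the new `invd_interception()` says only that INVD is treated as a NOP; it does not say why the handler replaces `emulate_on_interception`, which is the security-relevant part. The commit message gives the reason (emulation cannot be done on an SEV guest because guest memory is encrypted) and that belongs in the code, e.g. `/* INVD is a NOP for the guest; skip it instead of emulating, since emulation cannot read an SEV guest's encrypted memory. */`. Without it, a later cleanup could plausibly fold this back into the generic emulation path.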
diff --git a/queue-5.8/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch b/queue-5.8/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch
new file mode 100644
index 00000000000..917f7eaff75
--- /dev/null
+++ b/queue-5.8/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch
@@ -0,0 +1,52 @@
+From 97c6ed9efd44b30bca47b58727b7321c3f2c5dbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 14:53:52 -0700
+Subject: KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
+
+From: Sean Christopherson
+
+[ Upstream commit 8d214c481611b29458a57913bd786f0ac06f0605 ]
+
+Reset the MMU context during kvm_set_cr4() if SMAP or PKE is toggled.
+Recent commits to (correctly) not reload PDPTRs when SMAP/PKE are
+toggled inadvertantly skipped the MMU context reset due to the mask
+of bits that triggers PDPTR loads also being used to trigger MMU context
+resets.
+
+Fixes: 427890aff855 ("kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode")
+Fixes: cb957adb4ea4 ("kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode")
+Cc: Jim Mattson
+Cc: Peter Shier
+Cc: Oliver Upton
+Signed-off-by: Sean Christopherson
+Message-Id: <20200923215352.17756-1-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index f5481ae588aff..a04f8abd0ead9 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -968,6 +968,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+ X86_CR4_SMEP;
++ unsigned long mmu_role_bits = pdptr_bits | X86_CR4_SMAP | X86_CR4_PKE;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+@@ -995,7 +996,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ if (kvm_x86_ops.set_cr4(vcpu, cr4))
+ return 1;
+
+- if (((cr4 ^ old_cr4) & pdptr_bits) ||
++ if (((cr4 ^ old_cr4) & mmu_role_bits) ||
+ (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
+ kvm_mmu_reset_context(vcpu);
+
+--
+2.25.1
+
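Review bot: `mmu_role_bits` in kvm_set_cr4() is introduced without a comment distinguishing it from `pdptr_bits`, and the regression this commit fixes came from exactly that conflation of the two masks. A short comment at the declaration would guard against a repeat, e.g. `/* CR4 bits whose change requires an MMU context reset; superset of pdptr_bits, which covers only bits that force a PDPTR reload */`. Whether any other CR4 bit handled in this function also belongs in the mask cannot be judged from the hunks, since the body continues outside them.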
diff --git a/queue-5.8/lib80211-fix-unmet-direct-dependendices-config-warni.patch b/queue-5.8/lib80211-fix-unmet-direct-dependendices-config-warni.patch
new file mode 100644
index 00000000000..954a2e16bd8
--- /dev/null
+++ b/queue-5.8/lib80211-fix-unmet-direct-dependendices-config-warni.patch
@@ -0,0 +1,41 @@
+From 940efa9721685c80d05bda29211efca8299f984a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Sep 2020 12:54:53 +0300
+Subject: lib80211: fix unmet direct dependendices config warning when !CRYPTO
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit b959ba9f468b1c581f40e92661ad58b093abaa03 ]
+
+When LIB80211_CRYPT_CCMP is enabled and CRYPTO is disabled, it results in unmet
+direct dependencies config warning. The reason is that LIB80211_CRYPT_CCMP
+selects CRYPTO_AES and CRYPTO_CCM, which are subordinate to CRYPTO. This is
+reproducible with CRYPTO disabled and R8188EU enabled, where R8188EU selects
+LIB80211_CRYPT_CCMP but does not select or depend on CRYPTO.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: a11e2f85481c ("lib80211: use crypto API ccm(aes) transform for CCMP processing")
+Signed-off-by: Necip Fazil Yildiran
+Link: https://lore.kernel.org/r/20200909095452.3080-1-fazilyildiran@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
+index faf74850a1b52..27026f587fa61 100644
+--- a/net/wireless/Kconfig
++++ b/net/wireless/Kconfig
+@@ -217,6 +217,7 @@ config LIB80211_CRYPT_WEP
+
+ config LIB80211_CRYPT_CCMP
+ tristate
++ select CRYPTO
+ select CRYPTO_AES
+ select CRYPTO_CCM
+
+--
+2.25.1
+
diff --git a/queue-5.8/libbpf-fix-build-failure-from-uninitialized-variable.patch b/queue-5.8/libbpf-fix-build-failure-from-uninitialized-variable.patch
new file mode 100644
index 00000000000..0c040c12a06
--- /dev/null
+++ b/queue-5.8/libbpf-fix-build-failure-from-uninitialized-variable.patch 
@@ -0,0 +1,52 @@
+From bd890fd2362be0c963b812af14e25d241d8c79c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 30 Aug 2020 17:03:04 -0700
+Subject: libbpf: Fix build failure from uninitialized variable warning
+
+From: Tony Ambardar
+
+[ Upstream commit 3168c158ad3535af1cd7423c9f8cd5ac549f2f9c ]
+
+While compiling libbpf, some GCC versions (at least 8.4.0) have difficulty
+determining control flow and a emit warning for potentially uninitialized
+usage of 'map', which results in a build error if using "-Werror":
+
+In file included from libbpf.c:56:
+libbpf.c: In function '__bpf_object__open':
+libbpf_internal.h:59:2: warning: 'map' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ libbpf_print(level, "libbpf: " fmt, ##__VA_ARGS__); \
+ ^~~~~~~~~~~~
+libbpf.c:5032:18: note: 'map' was declared here
+ struct bpf_map *map, *targ_map;
+ ^~~
+
+The warning/error is false based on code inspection, so silence it with a
+NULL initialization.
+
+Fixes: 646f02ffdd49 ("libbpf: Add BTF-defined map-in-map support")
+Reference: 063e68813391 ("libbpf: Fix false uninitialized variable warning")
+Signed-off-by: Tony Ambardar
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20200831000304.1696435-1-Tony.Ambardar@gmail.com
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 3ac0094706b81..236c91aff48f8 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -5030,8 +5030,8 @@ static int bpf_object__collect_map_relos(struct bpf_object *obj,
+ int i, j, nrels, new_sz;
+ const struct btf_var_secinfo *vi = NULL;
+ const struct btf_type *sec, *var, *def;
++ struct bpf_map *map = NULL, *targ_map;
+ const struct btf_member *member;
+- struct bpf_map *map, *targ_map;
+ const char *name, *mname;
+ Elf_Data *symbols;
+ unsigned int moff;
+--
+2.25.1
+
diff --git a/queue-5.8/mac80211-do-not-disable-he-if-ht-is-missing-on-2.4-g.patch b/queue-5.8/mac80211-do-not-disable-he-if-ht-is-missing-on-2.4-g.patch
new file mode 100644
index 00000000000..c2359f1dc74
--- /dev/null
+++ b/queue-5.8/mac80211-do-not-disable-he-if-ht-is-missing-on-2.4-g.patch
@@ -0,0 +1,46 @@
+From f72a7f90ae8fda0457d90066d2951b19cc96b559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Sep 2020 10:29:02 +0000
+Subject: mac80211: do not disable HE if HT is missing on 2.4 GHz
+
+From: Wen Gong
+
+[ Upstream commit 780a8c9efc65f6d86acd44794495cedcd32eeb26 ]
+
+VHT is not supported on 2.4 GHz, but HE is; don't disable HE if HT
+is missing there, do that only on 5 GHz (6 GHz is only HE).
+
+Fixes: 57fa5e85d53ce51 ("mac80211: determine chandef from HE 6 GHz operation")
+Signed-off-by: Wen Gong
+Link: https://lore.kernel.org/r/010101747cb617f2-593c5410-1648-4a42-97a0-f3646a5a6dd1-000000@us-west-2.amazonses.com
+[rewrite the commit message]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index b2a9d47cf86dd..c85186799d059 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4853,6 +4853,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_supported_band *sband;
+ struct cfg80211_chan_def chandef;
+ bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
++ bool is_5ghz = cbss->channel->band == NL80211_BAND_5GHZ;
+ struct ieee80211_bss *bss = (void *)cbss->priv;
+ int ret;
+ u32 i;
+@@ -4871,7 +4872,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
+ ifmgd->flags |= IEEE80211_STA_DISABLE_HE;
+ }
+
+- if (!sband->vht_cap.vht_supported && !is_6ghz) {
++ if (!sband->vht_cap.vht_supported && is_5ghz) {
+ ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
+ ifmgd->flags |= IEEE80211_STA_DISABLE_HE;
+ }
+--
+2.25.1
+
diff --git a/queue-5.8/mac80211-fix-80-mhz-association-to-160-80-80-ap-on-6.patch b/queue-5.8/mac80211-fix-80-mhz-association-to-160-80-80-ap-on-6.patch
new file mode 100644
index 00000000000..211e2dac83a
--- /dev/null
+++ b/queue-5.8/mac80211-fix-80-mhz-association-to-160-80-80-ap-on-6.patch
@@ -0,0 +1,45 @@
+From 570634500c024a70683ee981d47c77a3db721e6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Sep 2020 13:53:04 +0200
+Subject: mac80211: fix 80 MHz association to 160/80+80 AP on 6 GHz
+
+From: John Crispin
+
+[ Upstream commit 75bcbd6913de649601f4e7d3fb6d2b5effc24e9e ]
+
+When trying to associate to an AP support 180 or 80+80 MHz on 6 GHz with a
+STA that only has 80 Mhz support the cf2 field inside the chandef will get
+set causing the association to fail when trying to validate the chandef.
+Fix this by checking the support flags prior to setting cf2.
+
+Fixes: 57fa5e85d53ce ("mac80211: determine chandef from HE 6 GHz operation")
+Signed-off-by: John Crispin
+Link: https://lore.kernel.org/r/20200918115304.1135693-1-john@phrozen.org
+[reword commit message a bit]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/util.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index dd9f5c7a1ade6..7b1f3645603ca 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -3354,9 +3354,10 @@ bool ieee80211_chandef_he_6ghz_oper(struct ieee80211_sub_if_data *sdata,
+ he_chandef.center_freq1 =
+ ieee80211_channel_to_frequency(he_6ghz_oper->ccfs0,
+ NL80211_BAND_6GHZ);
+- he_chandef.center_freq2 =
+- ieee80211_channel_to_frequency(he_6ghz_oper->ccfs1,
+- NL80211_BAND_6GHZ);
++ if (support_80_80 || support_160)
++ he_chandef.center_freq2 =
++ ieee80211_channel_to_frequency(he_6ghz_oper->ccfs1,
++ NL80211_BAND_6GHZ);
+ }
+
+ if (!cfg80211_chandef_valid(&he_chandef)) {
+--
+2.25.1
+
diff --git a/queue-5.8/mac802154-tx-fix-use-after-free.patch b/queue-5.8/mac802154-tx-fix-use-after-free.patch
new file mode 100644
index 00000000000..c24ad3a7b6d
--- /dev/null
+++ b/queue-5.8/mac802154-tx-fix-use-after-free.patch
@@ -0,0 +1,170 @@
+From 9399a4084bfb7b777a51d0191fc7480e60bcd306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Sep 2020 03:40:25 -0700
+Subject: mac802154: tx: fix use-after-free
+
+From: Eric Dumazet
+
+[ Upstream commit 0ff4628f4c6c1ab87eef9f16b25355cadc426d64 ]
+
+syzbot reported a bug in ieee802154_tx() [1]
+
+A similar issue in ieee802154_xmit_worker() is also fixed in this patch.
+
+[1]
+BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
+Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928
+
+CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
+ ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
+ __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4648 [inline]
+ dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
+ packet_snd net/packet/af_packet.c:2989 [inline]
+ packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45d5b9
+Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9
+RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b
+RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
+R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec
+
+Allocated by task 928:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
+ slab_post_alloc_hook mm/slab.h:518 [inline]
+ slab_alloc_node mm/slab.c:3254 [inline]
+ kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574
+ __alloc_skb+0x71/0x550 net/core/skbuff.c:198
+ alloc_skb include/linux/skbuff.h:1094 [inline]
+ alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771
+ sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348
+ packet_alloc_skb net/packet/af_packet.c:2837 [inline]
+ packet_snd net/packet/af_packet.c:2932 [inline]
+ packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 928:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
+ kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
+ __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
+ __cache_free mm/slab.c:3418 [inline]
+ kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
+ kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
+ __kfree_skb net/core/skbuff.c:679 [inline]
+ consume_skb net/core/skbuff.c:838 [inline]
+ consume_skb+0xcf/0x160 net/core/skbuff.c:832
+ __dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107
+ fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81
+ drv_xmit_async net/mac802154/driver-ops.h:16 [inline]
+ ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81
+ ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
+ __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4648 [inline]
+ dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
+ packet_snd net/packet/af_packet.c:2989 [inline]
+ packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff8880251a8c00
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 112 bytes inside of
+ 224-byte region [ffff8880251a8c00, ffff8880251a8ce0)
+The buggy address belongs to the page:
+page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00
+raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+
+Fixes: 409c3b0c5f03 ("mac802154: tx: move stats tx increment")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Alexander Aring
+Cc: Stefan Schmidt
+Cc: linux-wpan@vger.kernel.org
+Link: https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ net/mac802154/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
+index ab52811523e99..c829e4a753256 100644
+--- a/net/mac802154/tx.c
++++ b/net/mac802154/tx.c
+@@ -34,11 +34,11 @@ void ieee802154_xmit_worker(struct work_struct *work)
+ if (res)
+ goto err_tx;
+
+- ieee802154_xmit_complete(&local->hw, skb, false);
+-
+ dev->stats.tx_packets++;
+ dev->stats.tx_bytes += skb->len;
+
++ ieee802154_xmit_complete(&local->hw, skb, false);
++
+ return;
+
+ err_tx:
+@@ -78,6 +78,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
+
+ /* async is priority, otherwise sync is fallback */
+ if (local->ops->xmit_async) {
++ unsigned int len = skb->len;
++
+ ret = drv_xmit_async(local, skb);
+ if (ret) {
+ ieee802154_wake_queue(&local->hw);
+@@ -85,7 +87,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
+ }
+
+ dev->stats.tx_packets++;
+- dev->stats.tx_bytes += skb->len;
++ dev->stats.tx_bytes += len;
+ } else {
+ local->tx_skb = skb;
+ queue_work(local->workqueue, &local->tx_work);
+--
+2.25.1
+
diff --git a/queue-5.8/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch b/queue-5.8/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch
new file mode 100644
index 00000000000..3f34da9e0cb
--- /dev/null
+++ b/queue-5.8/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch
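Review bot: The ieee802154_tx() hunk caches `skb->len` before `drv_xmit_async()` but leaves no comment stating that `skb` must not be dereferenced once the driver call returns, which is the invariant the KASAN report in the commit message shows being broken (the skb was freed inside the driver's xmit path). A comment at the new local would protect the fix from a later tidy-up, e.g. `/* the driver may free skb before drv_xmit_async() returns; read what we need first */`. The same applies to the reordering in ieee802154_xmit_worker(), where the stats update now has to stay ahead of `ieee802154_xmit_complete()`. Both function bodies extend beyond the hunks.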
@@ -0,0 +1,36 @@
+From 8c698cb0e2fb28251e133d0f7959608a9d32d39f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 14:53:12 +0800
+Subject: MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
+
+From: Wei Li
+
+[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ]
+
+Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split
+1074K from the 74K as an unique CPU type, while it missed to add the
+'CPU_1074K' in __get_cpu_type(). So let's add it back.
+
+Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.")
+Signed-off-by: Wei Li
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/cpu-type.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
+index 75a7a382da099..3288cef4b168c 100644
+--- a/arch/mips/include/asm/cpu-type.h
++++ b/arch/mips/include/asm/cpu-type.h
+@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
+ case CPU_34K:
+ case CPU_1004K:
+ case CPU_74K:
++ case CPU_1074K:
+ case CPU_M14KC:
+ case CPU_M14KEC:
+ case CPU_INTERAPTIV:
+--
+2.25.1
+
diff --git a/queue-5.8/mips-loongson-3-fix-fp-register-access-if-msa-enable.patch b/queue-5.8/mips-loongson-3-fix-fp-register-access-if-msa-enable.patch
new file mode 100644
index 00000000000..a2610078a07
--- /dev/null
+++ b/queue-5.8/mips-loongson-3-fix-fp-register-access-if-msa-enable.patch
@@ -0,0 +1,101 @@
+From 6b51d98fa25ad1a940656d81e7e40fcd9c99cc1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 15:44:03 +0800
+Subject: MIPS: Loongson-3: Fix fp register access if MSA enabled
+
+From: Huacai Chen
+
+[ Upstream commit 01ce6d4d2c8157b076425e3dd8319948652583c5 ]
+
+If MSA is enabled, FPU_REG_WIDTH is 128 rather than 64, then get_fpr64()
+/set_fpr64() in the original unaligned instruction emulation code access
+the wrong fp registers. This is because the current code doesn't specify
+the correct index field, so fix it.
+
+Fixes: f83e4f9896eff614d0f2547a ("MIPS: Loongson-3: Add some unaligned instructions emulation")
+Signed-off-by: Huacai Chen
+Signed-off-by: Pei Huang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/loongson64/cop2-ex.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/arch/mips/loongson64/cop2-ex.c b/arch/mips/loongson64/cop2-ex.c
+index f130f62129b86..00055d4b6042f 100644
+--- a/arch/mips/loongson64/cop2-ex.c
++++ b/arch/mips/loongson64/cop2-ex.c
+@@ -95,10 +95,8 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ if (res)
+ goto fault;
+
+- set_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lswc2_format.rt, value);
+- set_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lswc2_format.rq, value_next);
++ set_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lswc2_format.rt], 0, value);
++ set_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lswc2_format.rq], 0, value_next);
+ compute_return_epc(regs);
+ own_fpu(1);
+ }
+@@ -130,15 +128,13 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ goto sigbus;
+
+ lose_fpu(1);
+- value_next = get_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lswc2_format.rq);
++ value_next = get_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lswc2_format.rq], 0);
+
+ StoreDW(addr + 8, value_next, res);
+ if (res)
+ goto fault;
+
+- value = get_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lswc2_format.rt);
++ value = get_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lswc2_format.rt], 0);
+
+ StoreDW(addr, value, res);
+ if (res)
+@@ -204,8 +200,7 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ if (res)
+ goto fault;
+
+- set_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lsdc2_format.rt, value);
++ set_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lsdc2_format.rt], 0, value);
+ compute_return_epc(regs);
+ own_fpu(1);
+
+@@ -221,8 +216,7 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ if (res)
+ goto fault;
+
+- set_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lsdc2_format.rt, value);
++ set_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lsdc2_format.rt], 0, value);
+ compute_return_epc(regs);
+ own_fpu(1);
+ break;
+@@ -286,8 +280,7 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ goto sigbus;
+
+ lose_fpu(1);
+- value = get_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lsdc2_format.rt);
++ value = get_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lsdc2_format.rt], 0);
+
+ StoreW(addr, value, res);
+ if (res)
+@@ -305,8 +298,7 @@ static int loongson_cu2_call(struct notifier_block *nfb, unsigned long action,
+ goto sigbus;
+
+ lose_fpu(1);
+- value = get_fpr64(current->thread.fpu.fpr,
+- insn.loongson3_lsdc2_format.rt);
++ value = get_fpr64(¤t->thread.fpu.fpr[insn.loongson3_lsdc2_format.rt], 0);
+
+ StoreDW(addr, value, res);
+ if (res)
+--
+2.25.1
+
diff --git a/queue-5.8/mm-validate-pmd-after-splitting.patch b/queue-5.8/mm-validate-pmd-after-splitting.patch
new file mode 100644
index 00000000000..b7b9789bc38
--- /dev/null
+++ b/queue-5.8/mm-validate-pmd-after-splitting.patch
@@ -0,0 +1,74 @@
+From 86dc5946b25e2c2586264aa673d54041660d4d2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 23:32:15 -0700
+Subject: mm: validate pmd after splitting
+
+From: Minchan Kim
+
+[ Upstream commit ce2684254bd4818ca3995c0d021fb62c4cf10a19 ]
+
+syzbot reported the following KASAN splat:
+
+ general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 1 PID: 6826 Comm: syz-executor142 Not tainted 5.9.0-rc4-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:__lock_acquire+0x84/0x2ae0 kernel/locking/lockdep.c:4296
+ Code: ff df 8a 04 30 84 c0 0f 85 e3 16 00 00 83 3d 56 58 35 08 00 0f 84 0e 17 00 00 83 3d 25 c7 f5 07 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ef e8 3e d1 5a 00 48 be 00 00 00 00 00 fc
+ RSP: 0018:ffffc90004b9f850 EFLAGS: 00010006
+ Call Trace:
+ lock_acquire+0x140/0x6f0 kernel/locking/lockdep.c:5006
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:354 [inline]
+ madvise_cold_or_pageout_pte_range+0x52f/0x25c0 mm/madvise.c:389
+ walk_pmd_range mm/pagewalk.c:89 [inline]
+ walk_pud_range mm/pagewalk.c:160 [inline]
+ walk_p4d_range mm/pagewalk.c:193 [inline]
+ walk_pgd_range mm/pagewalk.c:229 [inline]
+ __walk_page_range+0xe7b/0x1da0 mm/pagewalk.c:331
+ walk_page_range+0x2c3/0x5c0 mm/pagewalk.c:427
+ madvise_pageout_page_range mm/madvise.c:521 [inline]
+ madvise_pageout mm/madvise.c:557 [inline]
+ madvise_vma mm/madvise.c:946 [inline]
+ do_madvise+0x12d0/0x2090 mm/madvise.c:1145
+ __do_sys_madvise mm/madvise.c:1171 [inline]
+ __se_sys_madvise mm/madvise.c:1169 [inline]
+ __x64_sys_madvise+0x76/0x80 mm/madvise.c:1169
+ do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The backing vma was shmem.
+
+In case of split page of file-backed THP, madvise zaps the pmd instead
+of remapping of sub-pages. So we need to check pmd validity after
+split.
+
+Reported-by: syzbot+ecf80462cb7d5d552bc7@syzkaller.appspotmail.com
+Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT")
+Signed-off-by: Minchan Kim
+Acked-by: Kirill A. Shutemov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/madvise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/madvise.c b/mm/madvise.c
+index d4aa5f7765435..0e0d61003fc6f 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -381,9 +381,9 @@ static int madvise_cold_or_pageout_pte_range(pmd_t *pmd,
+ return 0;
+ }
+
++regular_page:
+ if (pmd_trans_unstable(pmd))
+ return 0;
+-regular_page:
+ #endif
+ tlb_change_page_size(tlb, PAGE_SIZE);
+ orig_pte = pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
+--
+2.25.1
+
diff --git a/queue-5.8/mwifiex-increase-aes-key-storage-size-to-256-bits.patch b/queue-5.8/mwifiex-increase-aes-key-storage-size-to-256-bits.patch
new file mode 100644
index 00000000000..939f2046b4b
--- /dev/null
+++ b/queue-5.8/mwifiex-increase-aes-key-storage-size-to-256-bits.patch
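Review bot: Nothing at the moved `regular_page:` label in `madvise_cold_or_pageout_pte_range` says that the `pmd_trans_unstable()` check has to stay below it, so a later cleanup could move the label back and reintroduce the null dereference the syzbot trace shows under `spin_lock`. A one-line comment above the check would pin the ordering, for example `/* a split file-backed THP leaves the pmd zapped; re-validate it on the regular_page path too */`. The split call that jumps to the label, and the opening of the `#ifdef` region the label sits in, are outside the hunk.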
@@ -0,0 +1,80 @@
+From efb720c131a9579222d9b3bedb764dcf4e49dcdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Aug 2020 17:38:29 +0200
+Subject: mwifiex: Increase AES key storage size to 256 bits
+
+From: Maximilian Luz
+
+[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ]
+
+Following commit e18696786548 ("mwifiex: Prevent memory corruption
+handling keys") the mwifiex driver fails to authenticate with certain
+networks, specifically networks with 256 bit keys, and repeatedly asks
+for the password. The kernel log repeats the following lines (id and
+bssid redacted):
+
+ mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid
+ mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully
+ mwifiex_pcie 0000:01:00.0: crypto keys added
+ mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3
+
+Tracking down this problem lead to the overflow check introduced by the
+aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
+check fails on networks with 256 bit keys due to the current storage
+size for AES keys in struct mwifiex_aes_param being only 128 bit.
+
+To fix this issue, increase the storage size for AES keys to 256 bit.
+
+Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
+Signed-off-by: Maximilian Luz
+Reported-by: Kaloyan Nikolov
+Tested-by: Kaloyan Nikolov
+Reviewed-by: Dan Carpenter
+Reviewed-by: Brian Norris
+Tested-by: Brian Norris
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index 8047e307892e3..d9f8bdbc817b2 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -954,7 +954,7 @@ struct mwifiex_tkip_param {
+ struct mwifiex_aes_param {
+ u8 pn[WPA_PN_SIZE];
+ __le16 key_len;
+- u8 key[WLAN_KEY_LEN_CCMP];
++ u8 key[WLAN_KEY_LEN_CCMP_256];
+ } __packed;
+
+ struct mwifiex_wapi_param {
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+index 962d8bfe6f101..119ccacd1fcc4 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+@@ -619,7 +619,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ key_v2 = &resp->params.key_material_v2;
+
+ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
+- if (len > WLAN_KEY_LEN_CCMP)
++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
+ return -EINVAL;
+
+ if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
+@@ -635,7 +635,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ return 0;
+
+ memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
+- WLAN_KEY_LEN_CCMP);
++ sizeof(key_v2->key_param_set.key_params.aes.key));
+ priv->aes_key_v2.key_param_set.key_params.aes.key_len =
+ cpu_to_le16(len);
+ memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
+--
+2.25.1
+
diff --git a/queue-5.8/net-mlx5e-mlx5e_fec_in_caps-returns-a-boolean.patch b/queue-5.8/net-mlx5e-mlx5e_fec_in_caps-returns-a-boolean.patch
new file mode 100644
index 00000000000..8c7a713ae90
--- /dev/null
+++ b/queue-5.8/net-mlx5e-mlx5e_fec_in_caps-returns-a-boolean.patch
@@ -0,0 +1,47 @@
+From 8381a6f0788a25ae5b8543927e882096962093ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Sep 2020 11:00:06 -0700
+Subject: net/mlx5e: mlx5e_fec_in_caps() returns a boolean
+
+From: Saeed Mahameed
+
+[ Upstream commit cb39ccc5cbe1011d8d21886b75e2468070ac672c ]
+
+Returning errno is a bug, fix that.
+
+Also fixes smatch warnings:
+drivers/net/ethernet/mellanox/mlx5/core/en/port.c:453
+mlx5e_fec_in_caps() warn: signedness bug returning '(-95)'
+
+Fixes: 2132b71f78d2 ("net/mlx5e: Advertise globaly supported FEC modes")
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Saeed Mahameed
+Reviewed-by: Moshe Shemesh
+Reviewed-by: Aya Levin
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/port.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+index 3cf3e35053f77..98e909bf3c1ec 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+@@ -487,11 +487,8 @@ bool mlx5e_fec_in_caps(struct mlx5_core_dev *dev, int fec_policy)
+ int err;
+ int i;
+
+- if (!MLX5_CAP_GEN(dev, pcam_reg))
+- return -EOPNOTSUPP;
+-
+- if (!MLX5_CAP_PCAM_REG(dev, pplm))
+- return -EOPNOTSUPP;
++ if (!MLX5_CAP_GEN(dev, pcam_reg) || !MLX5_CAP_PCAM_REG(dev, pplm))
++ return false;
+
+ MLX5_SET(pplm_reg, in, local_port, 1);
+ err = mlx5_core_access_reg(dev, in, sz, out, sz, MLX5_REG_PPLM, 0, 0);
+--
+2.25.1
+
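Review bot: In `mwifiex_ret_802_11_key_material_v2` the bound on `len` and the `memset` length are both taken from `key_v2`, the firmware response, while the buffer that is cleared and then written is `priv->aes_key_v2`. The two are presumably the same `struct mwifiex_aes_param` layout, so the sizes agree today, but sizing against the destination keeps the overflow check tied to the buffer it protects: `if (len > sizeof(priv->aes_key_v2.key_param_set.key_params.aes.key))`, with the same expression as the `memset` length. The `memcpy` that consumes `len` continues past the end of the hunk.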
diff --git a/queue-5.8/net-qed-disable-arfs-for-npar-and-100g.patch b/queue-5.8/net-qed-disable-arfs-for-npar-and-100g.patch
new file mode 100644
index 00000000000..19c163443a8
--- /dev/null
+++ b/queue-5.8/net-qed-disable-arfs-for-npar-and-100g.patch
@@ -0,0 +1,98 @@
+From 87a70a6cd49de8824a14eb897ecd20fac921aa86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Sep 2020 20:43:08 +0300
+Subject: net: qed: Disable aRFS for NPAR and 100G
+
+From: Dmitry Bogdanov
+
+[ Upstream commit 2d2fe8433796603091ac8ea235b9165ac5a85f9a ]
+
+In CMT and NPAR the PF is unknown when the GFS block processes the
+packet. Therefore cannot use searcher as it has a per PF database,
+and thus ARFS must be disabled.
+
+Fixes: d51e4af5c209 ("qed: aRFS infrastructure support")
+Signed-off-by: Manish Chopra
+Signed-off-by: Igor Russkikh
+Signed-off-by: Michal Kalderon
+Signed-off-by: Dmitry Bogdanov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 11 ++++++++++-
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 3 +++
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 2 ++
+ include/linux/qed/qed_if.h | 1 +
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index dbdac983ccde5..105d9afe825f1 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -4191,7 +4191,8 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) |
+ BIT(QED_MF_LLH_PROTO_CLSS) |
+ BIT(QED_MF_LL2_NON_UNICAST) |
+- BIT(QED_MF_INTER_PF_SWITCH);
++ BIT(QED_MF_INTER_PF_SWITCH) |
++ BIT(QED_MF_DISABLE_ARFS);
+ break;
+ case NVM_CFG1_GLOB_MF_MODE_DEFAULT:
+ cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) |
+@@ -4204,6 +4205,14 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+
+ DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n",
+ cdev->mf_bits);
++
++ /* In CMT the PF is unknown when the GFS block processes the
++ * packet. Therefore cannot use searcher as it has a per PF
++ * database, and thus ARFS must be disabled.
++ *
++ */
++ if (QED_IS_CMT(cdev))
++ cdev->mf_bits |= BIT(QED_MF_DISABLE_ARFS);
+ }
+
+ DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n",
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+index 29810a1aa2106..b2cd153321720 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -2001,6 +2001,9 @@ void qed_arfs_mode_configure(struct qed_hwfn *p_hwfn,
+ struct qed_ptt *p_ptt,
+ struct qed_arfs_config_params *p_cfg_params)
+ {
++ if (test_bit(QED_MF_DISABLE_ARFS, &p_hwfn->cdev->mf_bits))
++ return;
++
+ if (p_cfg_params->mode != QED_FILTER_CONFIG_MODE_DISABLE) {
+ qed_gft_config(p_hwfn, p_ptt, p_hwfn->rel_pf_id,
+ p_cfg_params->tcp,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index 11367a248d55e..05eff348b22a8 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -289,6 +289,8 @@ int qed_fill_dev_info(struct qed_dev *cdev,
+ dev_info->fw_eng = FW_ENGINEERING_VERSION;
+ dev_info->b_inter_pf_switch = test_bit(QED_MF_INTER_PF_SWITCH,
+ &cdev->mf_bits);
++ if (!test_bit(QED_MF_DISABLE_ARFS, &cdev->mf_bits))
++ dev_info->b_arfs_capable = true;
+ dev_info->tx_switching = true;
+
+ if (hw_info->b_wol_support == QED_WOL_SUPPORT_PME)
+diff --git a/include/linux/qed/qed_if.h b/include/linux/qed/qed_if.h
+index 8cb76405cbce1..78ba1dc54fd57 100644
+--- a/include/linux/qed/qed_if.h
++++ b/include/linux/qed/qed_if.h
+@@ -648,6 +648,7 @@ struct qed_dev_info {
+ #define QED_MFW_VERSION_3_OFFSET 24
+
+ u32 flash_size;
++ bool b_arfs_capable;
+ bool b_inter_pf_switch;
+ bool tx_switching;
+ bool rdma_supported;
+--
+2.25.1
+
diff --git a/queue-5.8/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch b/queue-5.8/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch
new file mode 100644
index 00000000000..9a7cff50ee8
--- /dev/null
+++ b/queue-5.8/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch
@@ -0,0 +1,36 @@
+From 6521fb13b541e9183843b14cf8e1c574a02531ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Sep 2020 20:43:10 +0300
+Subject: net: qed: RDMA personality shouldn't fail VF load
+
+From: Dmitry Bogdanov
+
+[ Upstream commit ce1cf9e5025f4e2d2198728391f1847b3e168bc6 ]
+
+Fix the assert during VF driver installation when the personality is iWARP
+
+Fixes: 1fe614d10f45 ("qed: Relax VF firmware requirements")
+Signed-off-by: Igor Russkikh
+Signed-off-by: Michal Kalderon
+Signed-off-by: Dmitry Bogdanov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+index 20679fd4204be..229c6f3ff3935 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -97,6 +97,7 @@ static int qed_sp_vf_start(struct qed_hwfn *p_hwfn, struct qed_vf_info *p_vf)
+ p_ramrod->personality = PERSONALITY_ETH;
+ break;
+ case QED_PCI_ETH_ROCE:
++ case QED_PCI_ETH_IWARP:
+ p_ramrod->personality = PERSONALITY_RDMA_AND_ETH;
+ break;
+ default:
+--
+2.25.1
+
diff --git a/queue-5.8/net-qede-disable-arfs-for-npar-and-100g.patch b/queue-5.8/net-qede-disable-arfs-for-npar-and-100g.patch
new file mode 100644
index 00000000000..33e6286b5a6
--- /dev/null
+++ b/queue-5.8/net-qede-disable-arfs-for-npar-and-100g.patch
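Review bot: In `qed_fill_dev_info` the new `b_arfs_capable` field is only ever assigned `true`, so its value on a device with `QED_MF_DISABLE_ARFS` set depends on `dev_info` having been zeroed by the caller, which the hunk does not show. Assigning it unconditionally removes that dependency: `dev_info->b_arfs_capable = !test_bit(QED_MF_DISABLE_ARFS, &cdev->mf_bits);`. In `qed_hw_get_nvm_info` the CMT adjustment is placed after the first `DP_INFO` of `mf_bits`, so that message prints the value before the bit is added, and the added comment block ends with an empty ` *` line that can be dropped.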
@@ -0,0 +1,77 @@
+From 0baca51869214570e2ee7f1c4349e4655f0945b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Sep 2020 20:43:09 +0300
+Subject: net: qede: Disable aRFS for NPAR and 100G
+
+From: Dmitry Bogdanov
+
+[ Upstream commit 0367f05885b9f21d062447bd2ba1302ba3cc7392 ]
+
+In some configurations ARFS cannot be used, so disable it if device
+is not capable.
+
+Fixes: e4917d46a653 ("qede: Add aRFS support")
+Signed-off-by: Manish Chopra
+Signed-off-by: Igor Russkikh
+Signed-off-by: Michal Kalderon
+Signed-off-by: Dmitry Bogdanov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 3 +++
+ drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index fe72bb6c9455e..203cc76214c70 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -336,6 +336,9 @@ int qede_alloc_arfs(struct qede_dev *edev)
+ {
+ int i;
+
++ if (!edev->dev_info.common.b_arfs_capable)
++ return -EINVAL;
++
+ edev->arfs = vzalloc(sizeof(*edev->arfs));
+ if (!edev->arfs)
+ return -ENOMEM;
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
+index 29e285430f995..082055ee2d397 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -827,7 +827,7 @@ static void qede_init_ndev(struct qede_dev *edev)
+ NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+ NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_HW_TC;
+
+- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1)
++ if (edev->dev_info.common.b_arfs_capable)
+ hw_features |= NETIF_F_NTUPLE;
+
+ if (edev->dev_info.common.vxlan_enable ||
+@@ -2278,7 +2278,7 @@ static void qede_unload(struct qede_dev *edev, enum qede_unload_mode mode,
+ qede_vlan_mark_nonconfigured(edev);
+ edev->ops->fastpath_stop(edev->cdev);
+
+- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) {
++ if (edev->dev_info.common.b_arfs_capable) {
+ qede_poll_for_freeing_arfs_filters(edev);
+ qede_free_arfs(edev);
+ }
+@@ -2345,10 +2345,9 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode,
+ if (rc)
+ goto err2;
+
+- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) {
+- rc = qede_alloc_arfs(edev);
+- if (rc)
+- DP_NOTICE(edev, "aRFS memory allocation failed\n");
++ if (qede_alloc_arfs(edev)) {
++ edev->ndev->features &= ~NETIF_F_NTUPLE;
++ edev->dev_info.common.b_arfs_capable = false;
+ }
+
+ qede_napi_add_enable(edev);
+--
+2.25.1
+
diff --git a/queue-5.8/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch b/queue-5.8/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch
new file mode 100644
index 00000000000..06bed945e8d
--- /dev/null
+++ b/queue-5.8/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch
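Review bot: In `qede_load` the result of `qede_alloc_arfs()` is now only tested for non-zero, so a real `-ENOMEM` from `vzalloc` is handled exactly like the new `-EINVAL` "not capable" return, and the previous `DP_NOTICE` for an allocation failure is gone. Capturing the return value and logging when it is `-ENOMEM` would keep that diagnostic. The fallback also clears `NETIF_F_NTUPLE` only from `ndev->features`, while `hw_features`, set in `qede_init_ndev`, still advertises it; it is worth confirming that the set-features path, which is outside these hunks, refuses to turn ntuple back on once `b_arfs_capable` is false.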
@@ -0,0 +1,50 @@
+From eae219f39b59ed29aa604eeba0e2d7b6c5a6aa4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Sep 2020 16:56:02 +0200
+Subject: netfilter: conntrack: nf_conncount_init is failing with IPv6 disabled
+
+From: Eelco Chaudron
+
+[ Upstream commit 526e81b990e53e31ba40ba304a2285ffd098721f ]
+
+The openvswitch module fails initialization when used in a kernel
+without IPv6 enabled. nf_conncount_init() fails because the ct code
+unconditionally tries to initialize the netns IPv6 related bit,
+regardless of the build option. The change below ignores the IPv6
+part if not enabled.
+
+Note that the corresponding _put() function already has this IPv6
+configuration check.
+
+Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit")
+Signed-off-by: Eelco Chaudron
+Reviewed-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
+index a0560d175a7ff..aaf4293ddd459 100644
+--- a/net/netfilter/nf_conntrack_proto.c
++++ b/net/netfilter/nf_conntrack_proto.c
+@@ -565,6 +565,7 @@ static int nf_ct_netns_inet_get(struct net *net)
+ int err;
+
+ err = nf_ct_netns_do_get(net, NFPROTO_IPV4);
++#if IS_ENABLED(CONFIG_IPV6)
+ if (err < 0)
+ goto err1;
+ err = nf_ct_netns_do_get(net, NFPROTO_IPV6);
+@@ -575,6 +576,7 @@ static int nf_ct_netns_inet_get(struct net *net)
+ err2:
+ nf_ct_netns_put(net, NFPROTO_IPV4);
+ err1:
++#endif
+ return err;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.8/netfilter-ctnetlink-add-a-range-check-for-l3-l4-prot.patch b/queue-5.8/netfilter-ctnetlink-add-a-range-check-for-l3-l4-prot.patch
new file mode 100644
index 00000000000..ab65f79a9f8
--- /dev/null
+++ b/queue-5.8/netfilter-ctnetlink-add-a-range-check-for-l3-l4-prot.patch
@@ -0,0 +1,68 @@
+From b2106b50895406c67807377fa557244c03314ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 19:38:32 +0000
+Subject: netfilter: ctnetlink: add a range check for l3/l4 protonum
+
+From: Will McVicker
+
+[ Upstream commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 ]
+
+The indexes to the nf_nat_l[34]protos arrays come from userspace. So
+check the tuple's family, e.g. l3num, when creating the conntrack in
+order to prevent an OOB memory access during setup. Here is an example
+kernel panic on 4.14.180 when userspace passes in an index greater than
+NFPROTO_NUMPROTO.
+
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+Modules linked in:...
+Process poc (pid: 5614, stack limit = 0x00000000a3933121)
+CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
+Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
+task: 000000002a3dfffe task.stack: 00000000a3933121
+pc : __cfi_check_fail+0x1c/0x24
+lr : __cfi_check_fail+0x1c/0x24
+...
+Call trace:
+__cfi_check_fail+0x1c/0x24
+name_to_dev_t+0x0/0x468
+nfnetlink_parse_nat_setup+0x234/0x258
+ctnetlink_parse_nat_setup+0x4c/0x228
+ctnetlink_new_conntrack+0x590/0xc40
+nfnetlink_rcv_msg+0x31c/0x4d4
+netlink_rcv_skb+0x100/0x184
+nfnetlink_rcv+0xf4/0x180
+netlink_unicast+0x360/0x770
+netlink_sendmsg+0x5a0/0x6a4
+___sys_sendmsg+0x314/0x46c
+SyS_sendmsg+0xb4/0x108
+el0_svc_naked+0x34/0x38
+
+This crash is not happening since 5.4+, however, ctnetlink still
+allows for creating entries with unsupported layer 3 protocol number.
+
+Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
+Signed-off-by: Will McVicker
+[pablo@netfilter.org: rebased original patch on top of nf.git]
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 832eabecfbddc..d65846aa80591 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1404,7 +1404,8 @@ ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
+ if (err < 0)
+ return err;
+
+-
++ if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
++ return -EOPNOTSUPP;
+ tuple->src.l3num = l3num;
+
+ if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
+--
+2.25.1
+
diff --git a/queue-5.8/netfilter-ctnetlink-fix-mark-based-dump-filtering-re.patch b/queue-5.8/netfilter-ctnetlink-fix-mark-based-dump-filtering-re.patch
new file mode 100644
index 00000000000..675f077c2fd
--- /dev/null
+++ b/queue-5.8/netfilter-ctnetlink-fix-mark-based-dump-filtering-re.patch
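Review bot: The new check in `ctnetlink_parse_tuple_filter` validates only `l3num`, while the subject line speaks of an l3/l4 protonum range check; if the layer-4 protocol number is bounded somewhere else, that is outside the hunk and worth stating in the code. The check also runs straight into `tuple->src.l3num = l3num;` with no blank line and no comment, so its purpose as input validation is easy to miss. I would add a blank line after it and a comment such as `/* l3num is supplied by userspace; only IPv4 and IPv6 tuples are supported */`. The function body continues on both sides of the hunk.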
@@ -0,0 +1,83 @@
+From 807958b06b722c412bad2445eb38c8eed9ebbea3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Sep 2020 08:56:19 +0200
+Subject: netfilter: ctnetlink: fix mark based dump filtering regression
+
+From: Martin Willi
+
+[ Upstream commit 6c0d95d1238d944fe54f0bbfc7ec017d78435daa ]
+
+conntrack mark based dump filtering may falsely skip entries if a mask
+is given: If the mask-based check does not filter out the entry, the
+else-if check is always true and compares the mark without considering
+the mask. The if/else-if logic seems wrong.
+
+Given that the mask during filter setup is implicitly set to 0xffffffff
+if not specified explicitly, the mark filtering flags seem to just
+complicate things. Restore the previously used approach by always
+matching against a zero mask is no filter mark is given.
+
+Fixes: cb8aa9a3affb ("netfilter: ctnetlink: add kernel side filtering for dump")
+Signed-off-by: Martin Willi
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_netlink.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index d65846aa80591..c3a4214dc9588 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -851,7 +851,6 @@ static int ctnetlink_done(struct netlink_callback *cb)
+ }
+
+ struct ctnetlink_filter {
+- u_int32_t cta_flags;
+ u8 family;
+
+ u_int32_t orig_flags;
+@@ -906,10 +905,6 @@ static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
+ struct nf_conntrack_zone *zone,
+ u_int32_t flags);
+
+-/* applied on filters */
+-#define CTA_FILTER_F_CTA_MARK (1 << 0)
+-#define CTA_FILTER_F_CTA_MARK_MASK (1 << 1)
+-
+ static struct ctnetlink_filter *
+ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
+ {
+@@ -930,14 +925,10 @@ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+ if (cda[CTA_MARK]) {
+ filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
+- filter->cta_flags |= CTA_FILTER_FLAG(CTA_MARK);
+-
+- if (cda[CTA_MARK_MASK]) {
++ if (cda[CTA_MARK_MASK])
+ filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
+- filter->cta_flags |= CTA_FILTER_FLAG(CTA_MARK_MASK);
+- } else {
++ else
+ filter->mark.mask = 0xffffffff;
+- }
+ } else if (cda[CTA_MARK_MASK]) {
+ err = -EINVAL;
+ goto err_filter;
+@@ -1117,11 +1108,7 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- if ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK_MASK)) &&
+- (ct->mark & filter->mark.mask) != filter->mark.val)
+- goto ignore_entry;
+- else if ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK)) &&
+- ct->mark != filter->mark.val)
++ if ((ct->mark & filter->mark.mask) != filter->mark.val)
+ goto ignore_entry;
+ #endif
+
+--
+2.25.1
+
diff --git a/queue-5.8/netfilter-nft_meta-use-socket-user_ns-to-retrieve-sk.patch b/queue-5.8/netfilter-nft_meta-use-socket-user_ns-to-retrieve-sk.patch
new file mode 100644
index 00000000000..7a588a2ce86
--- /dev/null
+++ b/queue-5.8/netfilter-nft_meta-use-socket-user_ns-to-retrieve-sk.patch
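Review bot: `ctnetlink_filter_match` now applies `(ct->mark & filter->mark.mask) != filter->mark.val` unconditionally, which lets every entry through in the no-mark case only if `mark.val` and `mark.mask` are both zero there. `ctnetlink_alloc_filter` assigns them only inside `if (cda[CTA_MARK])`, so the match relies on the filter being zero-allocated, and that allocation is outside the hunk. A comment at the match site would make the dependency visible: `/* without CTA_MARK, val and mask stay 0 and every entry passes */`. Note also that `mark.val` is stored unmasked, so a value carrying bits outside the mask can never match.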
@@ -0,0 +1,40 @@
+From a26079e0a62a8fde620899a938933e67b03ca894 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Sep 2020 19:00:52 +0200
+Subject: netfilter: nft_meta: use socket user_ns to retrieve skuid and skgid
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 0c92411bb81de9bc516d6924f50289d8d5f880e5 ]
+
+... instead of using init_user_ns.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Tested-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_meta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index 7bc6537f3ccb5..b37bd02448d8c 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -147,11 +147,11 @@ nft_meta_get_eval_skugid(enum nft_meta_keys key,
+
+ switch (key) {
+ case NFT_META_SKUID:
+- *dest = from_kuid_munged(&init_user_ns,
++ *dest = from_kuid_munged(sock_net(sk)->user_ns,
+ sock->file->f_cred->fsuid);
+ break;
+ case NFT_META_SKGID:
+- *dest = from_kgid_munged(&init_user_ns,
++ *dest = from_kgid_munged(sock_net(sk)->user_ns,
+ sock->file->f_cred->fsgid);
+ break;
+ default:
+--
+2.25.1
+
diff --git a/queue-5.8/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch b/queue-5.8/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch
new file mode 100644
index 00000000000..d0f47e73f3e
--- /dev/null
+++ b/queue-5.8/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch
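Review bot: The two conversions in `nft_meta_get_eval_skugid` now map `fsuid`/`fsgid` into `sock_net(sk)->user_ns`, but nothing in the code says why the namespace owning the socket's netns is the right one, and the commit message is a single line. A short comment above the `switch` would help the next reader, for example `/* report ids as seen from the user namespace that owns the socket's netns */`. `from_kuid_munged()` and `from_kgid_munged()` return the overflow id when no mapping exists, so a rule comparing against a specific uid or gid will not match in that case, which is worth mentioning in the same comment. The checks that `sk` and `sock->file` are usable are presumably above the hunk and are not visible here.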
@@ -0,0 +1,46 @@
+From c6edfb24ae31b0f969debf3c9af75deb5a9ad896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 18:01:21 +0300
+Subject: nvme-tcp: fix kconfig dependency warning when !CRYPTO
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit af5ad17854f96a6d3c9775e776bd01ab262672a1 ]
+
+When NVME_TCP is enabled and CRYPTO is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for CRYPTO_CRC32C
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - NVME_TCP [=y] && INET [=y] && BLK_DEV_NVME [=y]
+
+The reason is that NVME_TCP selects CRYPTO_CRC32C without depending on or
+selecting CRYPTO while CRYPTO_CRC32C is subordinate to CRYPTO.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: 79fd751d61aa ("nvme: tcp: selects CRYPTO_CRC32C for nvme-tcp")
+Signed-off-by: Necip Fazil Yildiran
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig
+index 3ed9786b88d8e..a44d49d63968a 100644
+--- a/drivers/nvme/host/Kconfig
++++ b/drivers/nvme/host/Kconfig
+@@ -73,6 +73,7 @@ config NVME_TCP
+ depends on INET
+ depends on BLK_DEV_NVME
+ select NVME_FABRICS
++ select CRYPTO
+ select CRYPTO_CRC32C
+ help
+ This provides support for the NVMe over Fabrics protocol using
+--
+2.25.1
+
diff --git a/queue-5.8/pm-devfreq-tegra30-disable-clock-on-error-in-probe.patch b/queue-5.8/pm-devfreq-tegra30-disable-clock-on-error-in-probe.patch
new file mode 100644
index 00000000000..ed88b19fb92
--- /dev/null
+++ b/queue-5.8/pm-devfreq-tegra30-disable-clock-on-error-in-probe.patch
@@ -0,0 +1,46 @@
+From 9e641e940d117d0832619a0d810175c9bad5daeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Sep 2020 10:25:57 +0300
+Subject: PM / devfreq: tegra30: Disable clock on error in probe
+
+From: Dan Carpenter
+
+[ Upstream commit 6bf560766a8ef5afe4faa3244220cf5b3a934549 ]
+
+This error path needs to call clk_disable_unprepare().
+
+Fixes: 7296443b900e ("PM / devfreq: tegra30: Handle possible round-rate error")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Dmitry Osipenko
+Signed-off-by: Dan Carpenter
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Sasha Levin
+---
+ drivers/devfreq/tegra30-devfreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/tegra30-devfreq.c b/drivers/devfreq/tegra30-devfreq.c
+index e94a27804c209..dedd39de73675 100644
+--- a/drivers/devfreq/tegra30-devfreq.c
++++ b/drivers/devfreq/tegra30-devfreq.c
+@@ -836,7 +836,8 @@ static int tegra_devfreq_probe(struct platform_device *pdev)
+ rate = clk_round_rate(tegra->emc_clock, ULONG_MAX);
+ if (rate < 0) {
+ dev_err(&pdev->dev, "Failed to round clock rate: %ld\n", rate);
+- return rate;
++ err = rate;
++ goto disable_clk;
+ }
+
+ tegra->max_freq = rate / KHZ;
+@@ -897,6 +898,7 @@ static int tegra_devfreq_probe(struct platform_device *pdev)
+ dev_pm_opp_remove_all_dynamic(&pdev->dev);
+
+ reset_control_reset(tegra->reset);
++disable_clk:
+ clk_disable_unprepare(tegra->clock);
+
+ return err;
+--
+2.25.1
+
diff --git a/queue-5.8/rdma-core-fix-ordering-of-cq-pool-destruction.patch b/queue-5.8/rdma-core-fix-ordering-of-cq-pool-destruction.patch
new file mode 100644
index 00000000000..ed1695b7897
--- /dev/null
+++ b/queue-5.8/rdma-core-fix-ordering-of-cq-pool-destruction.patch
@@ -0,0 +1,69 @@
+From b9df3e2d2adf65a7272109f8d6de3a13d5f117f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 15:20:18 -0300
+Subject: RDMA/core: Fix ordering of CQ pool destruction
+
+From: Jason Gunthorpe
+
+[ Upstream commit 4aa1615268a8ac2b20096211d3f9ac53874067d7 ]
+
+rxe will hold a refcount on the IB device as long as CQ objects exist,
+this causes destruction of a rxe device to hang if the CQ pool has any
+cached CQs since they are being destroyed after the refcount must go to
+zero.
+
+Treat the CQ pool like a client and create/destroy it before/after all
+other clients. No users of CQ pool can exist past a client remove call.
+
+Link: https://lore.kernel.org/r/e8a240aa-9e9b-3dca-062f-9130b787f29b@acm.org
+Fixes: c7ff819aefea ("RDMA/core: Introduce shared CQ pool API")
+Tested-by: Bart Van Assche
+Tested-by: Yi Zhang
+Signed-off-by: Bart Van Assche
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/device.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index eadba29432dd7..abcfe4dc1284f 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -1282,6 +1282,8 @@ static void disable_device(struct ib_device *device)
+ remove_client_context(device, cid);
+ }
+
++ ib_cq_pool_destroy(device);
++
+ /* Pairs with refcount_set in enable_device */
+ ib_device_put(device);
+ wait_for_completion(&device->unreg_completion);
+@@ -1325,6 +1327,8 @@ static int enable_device_and_get(struct ib_device *device)
+ goto out;
+ }
+
++ ib_cq_pool_init(device);
++
+ down_read(&clients_rwsem);
+ xa_for_each_marked (&clients, index, client, CLIENT_REGISTERED) {
+ ret = add_client_context(device, client);
+@@ -1397,7 +1401,6 @@ int ib_register_device(struct ib_device *device, const char *name)
+ goto dev_cleanup;
+ }
+
+- ib_cq_pool_init(device);
+ ret = enable_device_and_get(device);
+ dev_set_uevent_suppress(&device->dev, false);
+ /* Mark for userspace that device is ready */
+@@ -1452,7 +1455,6 @@ static void __ib_unregister_device(struct ib_device *ib_dev)
+ goto out;
+
+ disable_device(ib_dev);
+- ib_cq_pool_destroy(ib_dev);
+
+ /* Expedite removing unregistered pointers from the hash table */
+ free_netdevs(ib_dev);
+--
+2.25.1
+
diff --git a/queue-5.8/regmap-fix-page-selection-for-noinc-reads.patch b/queue-5.8/regmap-fix-page-selection-for-noinc-reads.patch
new file mode 100644
index 00000000000..5a3e83f020c
--- /dev/null
+++ b/queue-5.8/regmap-fix-page-selection-for-noinc-reads.patch
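Review bot: `ib_cq_pool_init()` now runs inside `enable_device_and_get`, ahead of the client loop, but the hunk does not show what happens to the pool when `add_client_context()` fails later in that function. If that failure path does not end in `disable_device()`, the pool created here is never destroyed; the error handling is outside the hunk, so this needs a look at the full function. A comment at the init call, in the style of the existing "Pairs with" one, would also document the ordering the commit depends on: `/* Pairs with ib_cq_pool_destroy() in disable_device(); the CQ pool is set up before any client */`.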
@@ -0,0 +1,84 @@ +From 446c175de3793c9d38b70e1c942965c28746266d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 18:34:04 +0300 +Subject: regmap: fix page selection for noinc reads + +From: Dmitry Baryshkov + +[ Upstream commit 4003324856311faebb46cbd56a1616bd3f3b67c2 ] + +Non-incrementing reads can fail if register + length crosses page +border. However for non-incrementing reads we should not check for page +border crossing. Fix this by passing additional flag to _regmap_raw_read +and passing length to _regmap_select_page basing on the flag. + +Signed-off-by: Dmitry Baryshkov +Fixes: 74fe7b551f33 ("regmap: Add regmap_noinc_read API") +Link: https://lore.kernel.org/r/20200917153405.3139200-1-dmitry.baryshkov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 795a62a040220..71a3e1d1e3be8 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2455,7 +2455,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg, + EXPORT_SYMBOL_GPL(regmap_raw_write_async); + + static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, +- unsigned int val_len) ++ unsigned int val_len, bool noinc) + { + struct regmap_range_node *range; + int ret; +@@ -2468,7 +2468,7 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + range = _regmap_range_lookup(map, reg); + if (range) { + ret = _regmap_select_page(map, ®, range, +- val_len / map->format.val_bytes); ++ noinc ? 
1 : val_len / map->format.val_bytes); + if (ret != 0) + return ret; + } +@@ -2506,7 +2506,7 @@ static int _regmap_bus_read(void *context, unsigned int reg, + if (!map->format.parse_val) + return -EINVAL; + +- ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes); ++ ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes, false); + if (ret == 0) + *val = map->format.parse_val(work_val); + +@@ -2622,7 +2622,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read bytes that fit into whole chunks */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_read(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_read(map, reg, val, chunk_bytes, false); + if (ret != 0) + goto out; + +@@ -2633,7 +2633,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read remaining bytes */ + if (val_len) { +- ret = _regmap_raw_read(map, reg, val, val_len); ++ ret = _regmap_raw_read(map, reg, val, val_len, false); + if (ret != 0) + goto out; + } +@@ -2708,7 +2708,7 @@ int regmap_noinc_read(struct regmap *map, unsigned int reg, + read_len = map->max_raw_read; + else + read_len = val_len; +- ret = _regmap_raw_read(map, reg, val, read_len); ++ ret = _regmap_raw_read(map, reg, val, read_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + read_len; +-- +2.25.1 + diff --git a/queue-5.8/regmap-fix-page-selection-for-noinc-writes.patch b/queue-5.8/regmap-fix-page-selection-for-noinc-writes.patch new file mode 100644 index 00000000000..77bd59035cb --- /dev/null +++ b/queue-5.8/regmap-fix-page-selection-for-noinc-writes.patch 
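Review bot: `_regmap_raw_read()` gains a bare `bool noinc` and every call site passes a literal `true` or `false`, so the reason the page check uses a count of 1 is invisible where it matters. I would put a comment on the `noinc ? 1 : val_len / map->format.val_bytes` argument, such as `/* noinc: all data goes through one register, so only that register has to fit in the window */`. The function body continues outside the hunk.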
@@ -0,0 +1,149 @@ +From 966b6cd1e49f98aad06d4facc654033311da6a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 18:34:05 +0300 +Subject: regmap: fix page selection for noinc writes + +From: Dmitry Baryshkov + +[ Upstream commit 05669b63170771d554854c0e465b76dc98fc7c84 ] + +Non-incrementing writes can fail if register + length crosses page +border. However for non-incrementing writes we should not check for page +border crossing. Fix this by passing additional flag to _regmap_raw_write +and passing length to _regmap_select_page basing on the flag. + +Signed-off-by: Dmitry Baryshkov +Fixes: cdf6b11daa77 ("regmap: Add regmap_noinc_write API") +Link: https://lore.kernel.org/r/20200917153405.3139200-2-dmitry.baryshkov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/internal.h | 2 +- + drivers/base/regmap/regcache.c | 2 +- + drivers/base/regmap/regmap.c | 21 +++++++++++---------- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/base/regmap/internal.h b/drivers/base/regmap/internal.h +index 3d80c4b43f720..d7c01b70e43db 100644 +--- a/drivers/base/regmap/internal.h ++++ b/drivers/base/regmap/internal.h +@@ -259,7 +259,7 @@ bool regcache_set_val(struct regmap *map, void *base, unsigned int idx, + int regcache_lookup_reg(struct regmap *map, unsigned int reg); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len); ++ const void *val, size_t val_len, bool noinc); + + void regmap_async_complete_cb(struct regmap_async *async, int ret); + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index a93cafd7be4f2..7f4b3b62492ca 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -717,7 +717,7 @@ static int regcache_sync_block_raw_flush(struct regmap *map, const void **data, + + map->cache_bypass = true; + +- ret = _regmap_raw_write(map, base, *data, count * val_bytes); ++ ret = 
_regmap_raw_write(map, base, *data, count * val_bytes, false); + if (ret) + dev_err(map->dev, "Unable to sync registers %#x-%#x. %d\n", + base, cur - map->reg_stride, ret); +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 71a3e1d1e3be8..9751304c5c158 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1469,7 +1469,7 @@ static void regmap_set_work_buf_flag_mask(struct regmap *map, int max_bytes, + } + + static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + struct regmap_range_node *range; + unsigned long flags; +@@ -1528,7 +1528,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue, val_len / map->format.val_bytes); + ret = _regmap_raw_write_impl(map, reg, val, + win_residue * +- map->format.val_bytes); ++ map->format.val_bytes, noinc); + if (ret != 0) + return ret; + +@@ -1542,7 +1542,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue = range->window_len - win_offset; + } + +- ret = _regmap_select_page(map, ®, range, val_num); ++ ret = _regmap_select_page(map, ®, range, noinc ? 
1 : val_num); + if (ret != 0) + return ret; + } +@@ -1750,7 +1750,8 @@ static int _regmap_bus_raw_write(void *context, unsigned int reg, + map->work_buf + + map->format.reg_bytes + + map->format.pad_bytes, +- map->format.val_bytes); ++ map->format.val_bytes, ++ false); + } + + static inline void *_regmap_map_get_context(struct regmap *map) +@@ -1844,7 +1845,7 @@ int regmap_write_async(struct regmap *map, unsigned int reg, unsigned int val) + EXPORT_SYMBOL_GPL(regmap_write_async); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + size_t val_bytes = map->format.val_bytes; + size_t val_count = val_len / val_bytes; +@@ -1865,7 +1866,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write as many bytes as possible with chunk_size */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes, noinc); + if (ret) + return ret; + +@@ -1876,7 +1877,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write remaining bytes */ + if (val_len) +- ret = _regmap_raw_write_impl(map, reg, val, val_len); ++ ret = _regmap_raw_write_impl(map, reg, val, val_len, noinc); + + return ret; + } +@@ -1909,7 +1910,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg, + + map->lock(map->lock_arg); + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->unlock(map->lock_arg); + +@@ -1967,7 +1968,7 @@ int regmap_noinc_write(struct regmap *map, unsigned int reg, + write_len = map->max_raw_write; + else + write_len = val_len; +- ret = _regmap_raw_write(map, reg, val, write_len); ++ ret = _regmap_raw_write(map, reg, val, write_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + write_len; +@@ -2444,7 +2445,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int 
reg, + + map->async = true; + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->async = false; + +-- +2.25.1 + diff --git a/queue-5.8/regulator-axp20x-fix-ldo2-4-description.patch b/queue-5.8/regulator-axp20x-fix-ldo2-4-description.patch new file mode 100644 index 00000000000..85ba994d610 --- /dev/null +++ b/queue-5.8/regulator-axp20x-fix-ldo2-4-description.patch 
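Review bot: In `_regmap_raw_write_impl()` the window-splitting path still runs for non-incrementing writes: the recursive call now forwards `noinc`, but the surrounding loop, whose condition is outside the hunk, appears to split on `win_residue` and would then move on to the next registers between pieces. If so, a noinc write longer than the window residue is still broken up and spread over consecutive registers, which is the behaviour the `noinc ? 1 : val_num` change is meant to avoid. Consider skipping the split when `noinc` is set (for example by adding `!noinc &&` to the loop condition), or add a comment explaining why it cannot trigger.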
@@ -0,0 +1,59 @@
+From 7b40b70d0a870ed5e670b0c887aad8566ee15d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 08:51:42 +0800
+Subject: regulator: axp20x: fix LDO2/4 description
+
+From: Icenowy Zheng
+
+[ Upstream commit fbb5a79d2fe7b01c6424fbbc04368373b1672d61 ]
+
+Currently we wrongly set the mask of value of LDO2/4 both to the mask of
+LDO2, and the LDO4 voltage configuration is left untouched. This leads
+to conflict when LDO2/4 are both in use.
+
+Fix this issue by setting different vsel_mask to both regulators.
+
+Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks")
+Signed-off-by: Icenowy Zheng
+Link: https://lore.kernel.org/r/20200923005142.147135-1-icenowy@aosc.io
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/axp20x-regulator.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c
+index fbc95cadaf539..126649c172e11 100644
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -42,8 +42,9 @@
+
+ #define AXP20X_DCDC2_V_OUT_MASK GENMASK(5, 0)
+ #define AXP20X_DCDC3_V_OUT_MASK GENMASK(7, 0)
+-#define AXP20X_LDO24_V_OUT_MASK GENMASK(7, 4)
++#define AXP20X_LDO2_V_OUT_MASK GENMASK(7, 4)
+ #define AXP20X_LDO3_V_OUT_MASK GENMASK(6, 0)
++#define AXP20X_LDO4_V_OUT_MASK GENMASK(3, 0)
+ #define AXP20X_LDO5_V_OUT_MASK GENMASK(7, 4)
+
+ #define AXP20X_PWR_OUT_EXTEN_MASK BIT_MASK(0)
+@@ -542,14 +543,14 @@ static const struct regulator_desc axp20x_regulators[] = {
+ AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_DCDC3_MASK),
+ AXP_DESC_FIXED(AXP20X, LDO1, "ldo1", "acin", 1300),
+ AXP_DESC(AXP20X, LDO2, "ldo2", "ldo24in", 1800, 3300, 100,
+- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK,
++ AXP20X_LDO24_V_OUT, AXP20X_LDO2_V_OUT_MASK,
+ AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO2_MASK),
+ AXP_DESC(AXP20X, LDO3, "ldo3", "ldo3in", 700, 3500, 25,
+ AXP20X_LDO3_V_OUT, AXP20X_LDO3_V_OUT_MASK,
+ AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO3_MASK),
+ AXP_DESC_RANGES(AXP20X, LDO4, "ldo4", "ldo24in",
+ axp20x_ldo4_ranges, AXP20X_LDO4_V_OUT_NUM_VOLTAGES,
+- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK,
++ AXP20X_LDO24_V_OUT, AXP20X_LDO4_V_OUT_MASK,
+ AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO4_MASK),
+ AXP_DESC_IO(AXP20X, LDO5, "ldo5", "ldo5in", 1800, 3300, 100,
+ AXP20X_LDO5_V_OUT, AXP20X_LDO5_V_OUT_MASK,
+--
+2.25.1
+
diff --git a/queue-5.8/series b/queue-5.8/series
index ffd0fdfea65..0f4baabc15d 100644
--- a/queue-5.8/series
+++ b/queue-5.8/series
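Review bot: The two new masks describe halves of one register, and that is only visible by comparing `GENMASK(7, 4)` with `GENMASK(3, 0)` and noticing that both descriptors still use `AXP20X_LDO24_V_OUT`. A comment above the defines would make it explicit: `/* LDO2 and LDO4 share AXP20X_LDO24_V_OUT: LDO2 in bits 7:4, LDO4 in bits 3:0 */`. Since `AXP20X_LDO24_V_OUT_MASK` is removed, any user outside these hunks would stop compiling; none is visible here.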
@@ -18,3 +18,54 @@ i2c-core-call-i2c_acpi_install_space_handler-before-.patch
 objtool-fix-noreturn-detection-for-ignored-functions.patch
 i2c-mediatek-send-i2c-master-code-at-more-than-1mhz.patch
 riscv-fix-kendryte-k210-device-tree.patch
+ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch
+ieee802154-adf7242-check-status-of-adf7242_read_reg.patch
+clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch
+clocksource-drivers-timer-ti-dm-do-reset-before-enab.patch
+mwifiex-increase-aes-key-storage-size-to-256-bits.patch
+batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
+libbpf-fix-build-failure-from-uninitialized-variable.patch
+atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
+batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch
+netfilter-ctnetlink-add-a-range-check-for-l3-l4-prot.patch
+netfilter-ctnetlink-fix-mark-based-dump-filtering-re.patch
+netfilter-conntrack-nf_conncount_init-is-failing-wit.patch
+netfilter-nft_meta-use-socket-user_ns-to-retrieve-sk.patch
+mac802154-tx-fix-use-after-free.patch
+bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch
+tools-libbpf-avoid-counting-local-symbols-in-abi-che.patch
+drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch
+net-qed-disable-arfs-for-npar-and-100g.patch
+net-qede-disable-arfs-for-npar-and-100g.patch
+net-qed-rdma-personality-shouldn-t-fail-vf-load.patch
+igc-fix-wrong-timestamp-latency-numbers.patch
+igc-fix-not-considering-the-tx-delay-for-timestamps.patch
+drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch
+hv_netvsc-switch-the-data-path-at-the-right-time-dur.patch
+spi-spi-fsl-dspi-use-xspi-mode-instead-of-dma-for-dp.patch
+rdma-core-fix-ordering-of-cq-pool-destruction.patch
+batman-adv-add-missing-include-for-in_interrupt.patch
+xsk-fix-number-of-pinned-pages-umem-size-discrepancy.patch
+nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-11308
+batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch
+bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch
+lib80211-fix-unmet-direct-dependendices-config-warni.patch
+mac80211-do-not-disable-he-if-ht-is-missing-on-2.4-g.patch
+cfg80211-fix-6-ghz-channel-conversion.patch
+mac80211-fix-80-mhz-association-to-160-80-80-ap-on-6.patch
+alsa-asihpi-fix-iounmap-in-error-handler.patch
+io_uring-fix-openat-openat2-unified-prep-handling.patch
+sunrpc-fix-svc_flush_dcache.patch
+regmap-fix-page-selection-for-noinc-reads.patch
+regmap-fix-page-selection-for-noinc-writes.patch
+net-mlx5e-mlx5e_fec_in_caps-returns-a-boolean.patch
+mips-loongson-3-fix-fp-register-access-if-msa-enable.patch
+pm-devfreq-tegra30-disable-clock-on-error-in-probe.patch
+mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch
+regulator-axp20x-fix-ldo2-4-description.patch
+spi-bcm-qspi-fix-probe-regression-on-iproc-platforms.patch
+kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch
+kvm-svm-add-a-dedicated-invd-intercept-routine.patch
+mm-validate-pmd-after-splitting.patch
diff --git a/queue-5.8/spi-bcm-qspi-fix-probe-regression-on-iproc-platforms.patch b/queue-5.8/spi-bcm-qspi-fix-probe-regression-on-iproc-platforms.patch
new file mode 100644
index 00000000000..21045555b4f
--- /dev/null
+++ b/queue-5.8/spi-bcm-qspi-fix-probe-regression-on-iproc-platforms.patch
@@ -0,0 +1,40 @@
+From cc369b3e0eafa23e02bfe60c1319442b13536068 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Sep 2020 08:25:38 -0700
+Subject: spi: bcm-qspi: Fix probe regression on iProc platforms
+
+From: Ray Jui
+
+[ Upstream commit 00fb259c618ea1198fc51b53a6167aa0d78672a9 ]
+
+iProc chips have QSPI controller that does not have the MSPI_REV
+offset. Reading from that offset will cause a bus error. Fix it by
+having MSPI_REV query disabled in the generic compatible string.
+
+Fixes: 3a01f04d74ef ("spi: bcm-qspi: Handle lack of MSPI_REV offset")
+Link: https://lore.kernel.org/linux-arm-kernel/20200909211857.4144718-1-f.fainelli@gmail.com/T/#u
+Signed-off-by: Ray Jui
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20200910152539.45584-3-ray.jui@broadcom.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm-qspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index 681d090851756..9cfa15ec8b08c 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1295,7 +1295,7 @@ static const struct of_device_id bcm_qspi_of_match[] = {
+ },
+ {
+ .compatible = "brcm,spi-bcm-qspi",
+- .data = &bcm_qspi_rev_data,
++ .data = &bcm_qspi_no_rev_data,
+ },
+ {
+ .compatible = "brcm,spi-bcm7216-qspi",
+--
+2.25.1
+
diff --git a/queue-5.8/spi-spi-fsl-dspi-use-xspi-mode-instead-of-dma-for-dp.patch b/queue-5.8/spi-spi-fsl-dspi-use-xspi-mode-instead-of-dma-for-dp.patch
new file mode 100644
index 00000000000..7d14c010fe6
--- /dev/null
+++ b/queue-5.8/spi-spi-fsl-dspi-use-xspi-mode-instead-of-dma-for-dp.patch
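Review bot: The generic `"brcm,spi-bcm-qspi"` entry pointing at `bcm_qspi_no_rev_data` reads like a mistake without the commit message, so the reason should sit next to it in `bcm_qspi_of_match[]`. I would add `/* generic compatible is also used by iProc parts, which lack MSPI_REV; reading it raises a bus error */` above the `.data` line. The match table starts and ends outside the hunk.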
@@ -0,0 +1,60 @@
+From 01c9f3b9d7790fed412025fba55d6428f342789a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Sep 2020 15:15:32 +0300
+Subject: spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs
+
+From: Vladimir Oltean
+
+[ Upstream commit 505623a2be48b36de533951ced130876a76a2d55 ]
+
+The arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi device tree lacks DMA
+channels for DSPI, so naturally, the driver fails to probe:
+
+[ 2.945302] fsl-dspi 2100000.spi: rx dma channel not available
+[ 2.951134] fsl-dspi 2100000.spi: can't get dma channels
+
+In retrospect, this should have been obvious, because LS2080A, LS2085A
+LS2088A and LX2160A don't appear to have an eDMA module at all. Looking
+again at their datasheets, the CTARE register (which is specific to XSPI
+functionality) seems to be documented, so switch them to XSPI mode
+instead.
+
+Fixes: 0feaf8f5afe0 ("spi: spi-fsl-dspi: Convert the instantiations that support it to DMA")
+Reported-by: Qiang Zhao
+Tested-by: Qiang Zhao
+Signed-off-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20200910121532.1138596-1-olteanv@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-fsl-dspi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 91c6affe139c9..283f2468a2f46 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -174,17 +174,17 @@ static const struct fsl_dspi_devtype_data devtype_data[] = {
+ .fifo_size = 16,
+ },
+ [LS2080A] = {
+- .trans_mode = DSPI_DMA_MODE,
++ .trans_mode = DSPI_XSPI_MODE,
+ .max_clock_factor = 8,
+ .fifo_size = 4,
+ },
+ [LS2085A] = {
+- .trans_mode = DSPI_DMA_MODE,
++ .trans_mode = DSPI_XSPI_MODE,
+ .max_clock_factor = 8,
+ .fifo_size = 4,
+ },
+ [LX2160A] = {
+- .trans_mode = DSPI_DMA_MODE,
++ .trans_mode = DSPI_XSPI_MODE,
+ .max_clock_factor = 8,
+ .fifo_size = 4,
+ },
+--
+2.25.1
+
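Review bot: The commit message lists LS2088A among the SoCs without an eDMA module, but the hunk switches only the `[LS2080A]`, `[LS2085A]` and `[LX2160A]` entries to `DSPI_XSPI_MODE`. `devtype_data[]` starts and ends outside the hunk, so LS2088A may share one of these entries. If it has its own entry still set to `DSPI_DMA_MODE`, it needs the same one-line change; if it does not, a comment on the shared entry saying which SoCs it covers would settle the question.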
diff --git a/queue-5.8/sunrpc-fix-svc_flush_dcache.patch b/queue-5.8/sunrpc-fix-svc_flush_dcache.patch
new file mode 100644
index 00000000000..f11b99da720
--- /dev/null
+++ b/queue-5.8/sunrpc-fix-svc_flush_dcache.patch
@@ -0,0 +1,57 @@ +From f5ac65cfa3dfbd6f09cf8bc07c76546e88439f22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 13:46:25 -0400 +Subject: SUNRPC: Fix svc_flush_dcache() + +From: Chuck Lever + +[ Upstream commit 13a9a9d74d4d9689ad65938966dbc66386063648 ] + +On platforms that implement flush_dcache_page(), a large NFS WRITE +triggers the WARN_ONCE in bvec_iter_advance(): + +Sep 20 14:01:05 klimt.1015granger.net kernel: Attempted to advance past end of bvec iter +Sep 20 14:01:05 klimt.1015granger.net kernel: WARNING: CPU: 0 PID: 1032 at include/linux/bvec.h:101 bvec_iter_advance.isra.0+0xa7/0x158 [sunrpc] + +Sep 20 14:01:05 klimt.1015granger.net kernel: Call Trace: +Sep 20 14:01:05 klimt.1015granger.net kernel: svc_tcp_recvfrom+0x60c/0x12c7 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? bvec_iter_advance.isra.0+0x158/0x158 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? del_timer_sync+0x4b/0x55 +Sep 20 14:01:05 klimt.1015granger.net kernel: ? test_bit+0x1d/0x27 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: svc_recv+0x1193/0x15e4 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? try_to_freeze.isra.0+0x6f/0x6f [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? refcount_sub_and_test.constprop.0+0x13/0x40 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? svc_xprt_put+0x1e/0x29f [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? svc_send+0x39f/0x3c1 [sunrpc] +Sep 20 14:01:05 klimt.1015granger.net kernel: nfsd+0x282/0x345 [nfsd] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? __kthread_parkme+0x74/0xba +Sep 20 14:01:05 klimt.1015granger.net kernel: kthread+0x2ad/0x2bc +Sep 20 14:01:05 klimt.1015granger.net kernel: ? nfsd_destroy+0x124/0x124 [nfsd] +Sep 20 14:01:05 klimt.1015granger.net kernel: ? test_bit+0x1d/0x27 +Sep 20 14:01:05 klimt.1015granger.net kernel: ? 
kthread_mod_delayed_work+0x115/0x115 +Sep 20 14:01:05 klimt.1015granger.net kernel: ret_from_fork+0x22/0x30 + +Reported-by: He Zhe +Fixes: ca07eda33e01 ("SUNRPC: Refactor svc_recvfrom()") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index c537272f9c7ed..183d2465df7a3 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -228,7 +228,7 @@ static int svc_one_sock_name(struct svc_sock *svsk, char *buf, int remaining) + static void svc_flush_bvec(const struct bio_vec *bvec, size_t size, size_t seek) + { + struct bvec_iter bi = { +- .bi_size = size, ++ .bi_size = size + seek, + }; + struct bio_vec bv; + +-- +2.25.1 + diff --git a/queue-5.8/tools-libbpf-avoid-counting-local-symbols-in-abi-che.patch b/queue-5.8/tools-libbpf-avoid-counting-local-symbols-in-abi-che.patch new file mode 100644 index 00000000000..94796b58252 --- /dev/null +++ b/queue-5.8/tools-libbpf-avoid-counting-local-symbols-in-abi-che.patch @@ -0,0 +1,76 @@ +From 0daee764052d494c9a94a5bb6cfb11fe73bbfb54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 14:48:31 -0700 +Subject: tools/libbpf: Avoid counting local symbols in ABI check + +From: Tony Ambardar + +[ Upstream commit 746f534a4809e07f427f7d13d10f3a6a9641e5c3 ] + +Encountered the following failure building libbpf from kernel 5.8.5 sources +with GCC 8.4.0 and binutils 2.34: (long paths shortened) + + Warning: Num of global symbols in sharedobjs/libbpf-in.o (234) does NOT + match with num of versioned symbols in libbpf.so (236). Please make sure + all LIBBPF_API symbols are versioned in libbpf.map. + --- libbpf_global_syms.tmp 2020-09-02 07:30:58.920084380 +0000 + +++ libbpf_versioned_syms.tmp 2020-09-02 07:30:58.924084388 +0000 + 
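Review bot: `.bi_size = size + seek` in svc_flush_bvec() adds two `size_t` values and stores the sum in the iterator's size field with no comment and no range check. The sum is presumably bounded by the received record length, but if `bi_size` is narrower than `size_t` a truncated value would make the iterator cover fewer bytes than intended, so the reasoning is worth writing down: `/* the iterator is advanced by seek first, so it must span seek + size bytes */`. The function body, including the advance itself, continues outside the hunk, so that comment should be checked against it.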
@@ -1,3 +1,5 @@ + +_fini + +_init + bpf_btf_get_fd_by_id + bpf_btf_get_next_id + bpf_create_map + make[4]: *** [Makefile:210: check_abi] Error 1 + +Investigation shows _fini and _init are actually local symbols counted +amongst global ones: + + $ readelf --dyn-syms --wide libbpf.so|head -10 + + Symbol table '.dynsym' contains 343 entries: + Num: Value Size Type Bind Vis Ndx Name + 0: 00000000 0 NOTYPE LOCAL DEFAULT UND + 1: 00004098 0 SECTION LOCAL DEFAULT 11 + 2: 00004098 8 FUNC LOCAL DEFAULT 11 _init@@LIBBPF_0.0.1 + 3: 00023040 8 FUNC LOCAL DEFAULT 14 _fini@@LIBBPF_0.0.1 + 4: 00000000 0 OBJECT GLOBAL DEFAULT ABS LIBBPF_0.0.4 + 5: 00000000 0 OBJECT GLOBAL DEFAULT ABS LIBBPF_0.0.1 + 6: 0000ffa4 8 FUNC GLOBAL DEFAULT 12 bpf_object__find_map_by_offset@@LIBBPF_0.0.1 + +A previous commit filtered global symbols in sharedobjs/libbpf-in.o. Do the +same with the libbpf.so DSO for consistent comparison. + +Fixes: 306b267cb3c4 ("libbpf: Verify versioned symbols") +Signed-off-by: Tony Ambardar +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200905214831.1565465-1-Tony.Ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/lib/bpf/Makefile b/tools/lib/bpf/Makefile +index bf8ed134cb8a3..c820b0be9d637 100644 +--- a/tools/lib/bpf/Makefile ++++ b/tools/lib/bpf/Makefile +@@ -152,6 +152,7 @@ GLOBAL_SYM_COUNT = $(shell readelf -s --wide $(BPF_IN_SHARED) | \ + awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}' | \ + sort -u | wc -l) + VERSIONED_SYM_COUNT = $(shell readelf --dyn-syms --wide $(OUTPUT)libbpf.so | \ ++ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}' | \ + grep -Eo '[^ ]+@LIBBPF_' | cut -d@ -f1 | sort -u | wc -l) + + CMD_TARGETS = $(LIB_TARGET) $(PC_FILE) +@@ -219,6 +220,7 @@ check_abi: $(OUTPUT)libbpf.so + awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'| \ + sort -u > $(OUTPUT)libbpf_global_syms.tmp; \ + readelf --dyn-syms --wide 
$(OUTPUT)libbpf.so | \ ++ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'| \ + grep -Eo '[^ ]+@LIBBPF_' | cut -d@ -f1 | \ + sort -u > $(OUTPUT)libbpf_versioned_syms.tmp; \ + diff -u $(OUTPUT)libbpf_global_syms.tmp \ +-- +2.25.1 + diff --git a/queue-5.8/xsk-fix-number-of-pinned-pages-umem-size-discrepancy.patch b/queue-5.8/xsk-fix-number-of-pinned-pages-umem-size-discrepancy.patch new file mode 100644 index 00000000000..c4eeea3651f --- /dev/null +++ b/queue-5.8/xsk-fix-number-of-pinned-pages-umem-size-discrepancy.patch 
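Review bot: The same `awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'` filter now appears in four places (both `*_SYM_COUNT` definitions and both pipelines in `check_abi`), and this fix is needed because two of them had drifted apart. Define it once, e.g. `GLOBAL_SYM_FILTER = awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'`, and use `$(GLOBAL_SYM_FILTER)` in each pipeline so the counted symbols and the diffed lists cannot diverge again. The `check_abi` recipe continues outside the hunk.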
@@ -0,0 +1,85 @@
+From 5328cd4c5f3840e380280e0f54798d44935c3e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Sep 2020 09:56:09 +0200
+Subject: xsk: Fix number of pinned pages/umem size discrepancy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel
+
+[ Upstream commit 2b1667e54caf95e1e4249d9068eea7a3089a5229 ]
+
+For AF_XDP sockets, there was a discrepancy between the number of of
+pinned pages and the size of the umem region.
+
+The size of the umem region is used to validate the AF_XDP descriptor
+addresses. The logic that pinned the pages covered by the region only
+took whole pages into consideration, creating a mismatch between the
+size and pinned pages. A user could then pass AF_XDP addresses outside
+the range of pinned pages, but still within the size of the region,
+crashing the kernel.
+
+This change correctly calculates the number of pages to be
+pinned. Further, the size check for the aligned mode is
+simplified. Now the code simply checks if the size is divisible by the
+chunk size.
+
+Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme")
+Reported-by: Ciara Loftus
+Signed-off-by: Björn Töpel
+Signed-off-by: Alexei Starovoitov
+Tested-by: Ciara Loftus
+Acked-by: Song Liu
+Link: https://lore.kernel.org/bpf/20200910075609.7904-1-bjorn.topel@gmail.com
+Signed-off-by: Sasha Levin
+---
+ net/xdp/xdp_umem.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index e97db37354e4f..b010bfde01490 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -303,10 +303,10 @@ static int xdp_umem_account_pages(struct xdp_umem *umem)
+
+ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ {
++ u32 npgs_rem, chunk_size = mr->chunk_size, headroom = mr->headroom;
+ bool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;
+- u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
+ u64 npgs, addr = mr->addr, size = mr->len;
+- unsigned int chunks, chunks_per_page;
++ unsigned int chunks, chunks_rem;
+ int err;
+
+ if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
+@@ -336,19 +336,18 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if ((addr + size) < addr)
+ return -EINVAL;
+
+- npgs = size >> PAGE_SHIFT;
++ npgs = div_u64_rem(size, PAGE_SIZE, &npgs_rem);
++ if (npgs_rem)
++ npgs++;
+ if (npgs > U32_MAX)
+ return -EINVAL;
+
+- chunks = (unsigned int)div_u64(size, chunk_size);
++ chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem);
+ if (chunks == 0)
+ return -EINVAL;
+
+- if (!unaligned_chunks) {
+- chunks_per_page = PAGE_SIZE / chunk_size;
+- if (chunks < chunks_per_page || chunks % chunks_per_page)
+- return -EINVAL;
+- }
++ if (!unaligned_chunks && chunks_rem)
++ return -EINVAL;
+
+ if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
+ return -EINVAL;
+--
+2.25.1
+
--
2.47.3
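Review bot: `chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem)` in xdp_umem_reg() still truncates the 64-bit quotient before the `chunks == 0` test. `npgs` is limited to U32_MAX, but `chunk_size` may be smaller than PAGE_SIZE, so the chunk count derived from the user-supplied `mr->len` can exceed 32 bits and be stored as a smaller value. Keep the quotient in a `u64` and reject it when out of range, e.g. `u64 n = div_u64_rem(size, chunk_size, &chunks_rem);` followed by `if (n == 0 || n > U32_MAX) return -EINVAL;` and `chunks = n;`. The function continues outside the hunk, so how `chunks` is used afterwards is not visible here.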