From eeb8a7265cdc78cd7c751614b4b966f7a677be4f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 26 Jun 2023 00:23:23 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...64-add-missing-set-way-cmo-encodings.patch | 43 +++++++ ...add-quirk-to-active-high-jack-detect.patch | 59 ++++++++++ ...t-extend-xmit-workaround-to-be3-chip.patch | 48 ++++++++ ...ace-condition-uaf-in-exynos_g2d_exec.patch | 37 ++++++ ...exynos-vidi-fix-a-wrong-error-return.patch | 38 ++++++ ...ace-condition-uaf-in-radeon_gem_set_.patch | 54 +++++++++ ...ror-check-to-wacom_parse_and_registe.patch | 44 +++++++ ...2154-hwsim-fix-possible-memory-leaks.patch | 50 ++++++++ ...on-t-set-last_initiator-if-tx-in-pro.patch | 41 +++++++ .../mmc-mtk-sd-fix-deferred-probing.patch | 39 +++++++ ...rt-to-devm_platform_ioremap_resource.patch | 54 +++++++++ .../mmc-mvsdio-fix-deferred-probing.patch | 39 +++++++ .../mmc-omap-fix-deferred-probing.patch | 39 +++++++ .../mmc-omap_hsmmc-fix-deferred-probing.patch | 44 +++++++ .../mmc-sdhci-acpi-fix-deferred-probing.patch | 40 +++++++ ...mmc-usdhi60rol0-fix-deferred-probing.patch | 43 +++++++ ...d-high-load-if-qca7000-is-not-availa.patch | 40 +++++++ ...les-disallow-element-updates-of-boun.patch | 49 ++++++++ ...er-nfnetlink_osf-fix-module-autoload.patch | 40 +++++++ ...rror-checking-for-debugfs_create_dir.patch | 40 +++++++ ...swap_protected-to-rcu_replace_pointe.patch | 65 +++++++++++ ...ter-device-when-the-only-path-is-gon.patch | 62 ++++++++++ ...m-acquire-qdisc-lock-in-netem_change.patch | 109 ++++++++++++++++++ ...i-prevent-login-threads-from-racing-.patch | 71 ++++++++++++ queue-4.19/series | 26 +++++ ...t-udc-fix-null-dereference-in-remove.patch | 39 +++++++ ...e-the-skb-after-offloading-if-needed.patch | 64 ++++++++++ 27 files changed, 1317 insertions(+) create mode 100644 queue-4.19/arm64-add-missing-set-way-cmo-encodings.patch create mode 100644 queue-4.19/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch create mode 100644 queue-4.19/be2net-extend-xmit-workaround-to-be3-chip.patch create mode 100644 queue-4.19/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch create mode 100644 queue-4.19/drm-exynos-vidi-fix-a-wrong-error-return.patch create mode 100644 queue-4.19/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch create mode 100644 queue-4.19/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch create mode 100644 queue-4.19/ieee802154-hwsim-fix-possible-memory-leaks.patch create mode 100644 queue-4.19/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch create mode 100644 queue-4.19/mmc-mtk-sd-fix-deferred-probing.patch create mode 100644 queue-4.19/mmc-mvsdio-convert-to-devm_platform_ioremap_resource.patch create mode 100644 queue-4.19/mmc-mvsdio-fix-deferred-probing.patch create mode 100644 queue-4.19/mmc-omap-fix-deferred-probing.patch create mode 100644 queue-4.19/mmc-omap_hsmmc-fix-deferred-probing.patch create mode 100644 queue-4.19/mmc-sdhci-acpi-fix-deferred-probing.patch create mode 100644 queue-4.19/mmc-usdhi60rol0-fix-deferred-probing.patch create mode 100644 queue-4.19/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch create mode 100644 queue-4.19/netfilter-nf_tables-disallow-element-updates-of-boun.patch create mode 100644 queue-4.19/netfilter-nfnetlink_osf-fix-module-autoload.patch create mode 100644 queue-4.19/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch create mode 100644 queue-4.19/rcu-upgrade-rcu_swap_protected-to-rcu_replace_pointe.patch create mode 100644 queue-4.19/s390-cio-unregister-device-when-the-only-path-is-gon.patch create mode 100644 queue-4.19/sch_netem-acquire-qdisc-lock-in-netem_change.patch create mode 100644 queue-4.19/scsi-target-iscsi-prevent-login-threads-from-racing-.patch create mode 100644 queue-4.19/usb-gadget-udc-fix-null-dereference-in-remove.patch create mode 100644 queue-4.19/xfrm-linearize-the-skb-after-offloading-if-needed.patch diff --git a/queue-4.19/arm64-add-missing-set-way-cmo-encodings.patch b/queue-4.19/arm64-add-missing-set-way-cmo-encodings.patch new file mode 100644 index 00000000000..3c8e13d3664 --- /dev/null +++ b/queue-4.19/arm64-add-missing-set-way-cmo-encodings.patch @@ -0,0 +1,43 @@ +From e55324af3d8113a76f35cbcb7c81caced9534102 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:46:00 +0100 +Subject: arm64: Add missing Set/Way CMO encodings + +From: Marc Zyngier + +[ Upstream commit 8d0f019e4c4f2ee2de81efd9bf1c27e9fb3c0460 ] + +Add the missing Set/Way CMOs that apply to tagged memory. + +Signed-off-by: Marc Zyngier +Reviewed-by: Cornelia Huck +Reviewed-by: Steven Price +Reviewed-by: Oliver Upton +Link: https://lore.kernel.org/r/20230515204601.1270428-2-maz@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/sysreg.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index e90cf51b87eca..22266c7e2cc1e 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -98,8 +98,14 @@ + (!!x)<<8 | 0x1f) + + #define SYS_DC_ISW sys_insn(1, 0, 7, 6, 2) ++#define SYS_DC_IGSW sys_insn(1, 0, 7, 6, 4) ++#define SYS_DC_IGDSW sys_insn(1, 0, 7, 6, 6) + #define SYS_DC_CSW sys_insn(1, 0, 7, 10, 2) ++#define SYS_DC_CGSW sys_insn(1, 0, 7, 10, 4) ++#define SYS_DC_CGDSW sys_insn(1, 0, 7, 10, 6) + #define SYS_DC_CISW sys_insn(1, 0, 7, 14, 2) ++#define SYS_DC_CIGSW sys_insn(1, 0, 7, 14, 4) ++#define SYS_DC_CIGDSW sys_insn(1, 0, 7, 14, 6) + + #define SYS_OSDTRRX_EL1 sys_reg(2, 0, 0, 0, 2) + #define SYS_MDCCINT_EL1 sys_reg(2, 0, 0, 2, 0) +-- +2.39.2 + diff --git a/queue-4.19/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch b/queue-4.19/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch new file mode 100644 index 00000000000..b03cc384e34 --- /dev/null +++ b/queue-4.19/asoc-nau8824-add-quirk-to-active-high-jack-detect.patch @@ -0,0 +1,59 @@ +From 724741241cf732101a9acc7ac1de0190852c6ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 15:19:11 -0300 +Subject: ASoC: nau8824: Add quirk to active-high jack-detect + +From: Edson Juliano Drosdeck + +[ Upstream commit e384dba03e3294ce7ea69e4da558e9bf8f0e8946 ] + +Add entries for Positivo laptops: CW14Q01P, K1424G, N14ZP74G to the +DMI table, so that active-high jack-detect will work properly on +these laptops. + +Signed-off-by: Edson Juliano Drosdeck +Link: https://lore.kernel.org/r/20230529181911.632851-1-edson.drosdeck@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/nau8824.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c +index 4f18bb272e929..0ecea65a80b46 100644 +--- a/sound/soc/codecs/nau8824.c ++++ b/sound/soc/codecs/nau8824.c +@@ -1899,6 +1899,30 @@ static const struct dmi_system_id nau8824_quirk_table[] = { + }, + .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), + }, ++ { ++ /* Positivo CW14Q01P */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "CW14Q01P"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, ++ { ++ /* Positivo K1424G */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "K1424G"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, ++ { ++ /* Positivo N14ZP74G */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_BOARD_NAME, "N14ZP74G"), ++ }, ++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH), ++ }, + {} + }; + +-- +2.39.2 + diff --git a/queue-4.19/be2net-extend-xmit-workaround-to-be3-chip.patch b/queue-4.19/be2net-extend-xmit-workaround-to-be3-chip.patch new file mode 100644 index 00000000000..04195a0b013 --- /dev/null +++ b/queue-4.19/be2net-extend-xmit-workaround-to-be3-chip.patch @@ -0,0 +1,48 @@ +From a3e9ac7f526ce41118144e2fbbf937e808a8aee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 17:45:49 +0100 +Subject: be2net: Extend xmit workaround to BE3 chip + +From: Ross Lagerwall + +[ Upstream commit 7580e0a78eb29e7bb1a772eba4088250bbb70d41 ] + +We have seen a bug where the NIC incorrectly changes the length in the +IP header of a padded packet to include the padding bytes. The driver +already has a workaround for this so do the workaround for this NIC too. +This resolves the issue. + +The NIC in question identifies itself as follows: + +[ 8.828494] be2net 0000:02:00.0: FW version is 10.7.110.31 +[ 8.834759] be2net 0000:02:00.0: Emulex OneConnect(be3): PF FLEX10 port 1 + +02:00.0 Ethernet controller: Emulex Corporation OneConnect 10Gb NIC (be3) (rev 01) + +Fixes: ca34fe38f06d ("be2net: fix wrong usage of adapter->generation") +Signed-off-by: Ross Lagerwall +Link: https://lore.kernel.org/r/20230616164549.2863037-1-ross.lagerwall@citrix.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 05cb2f7cc35c3..8603df2ae1736 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1136,8 +1136,8 @@ static struct sk_buff *be_lancer_xmit_workarounds(struct be_adapter *adapter, + eth_hdr_len = ntohs(skb->protocol) == ETH_P_8021Q ? + VLAN_ETH_HLEN : ETH_HLEN; + if (skb->len <= 60 && +- (lancer_chip(adapter) || skb_vlan_tag_present(skb)) && +- is_ipv4_pkt(skb)) { ++ (lancer_chip(adapter) || BE3_chip(adapter) || ++ skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) { + ip = (struct iphdr *)ip_hdr(skb); + pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len)); + } +-- +2.39.2 + diff --git a/queue-4.19/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch b/queue-4.19/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch new file mode 100644 index 00000000000..34a51c625e5 --- /dev/null +++ b/queue-4.19/drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch @@ -0,0 +1,37 @@ +From f66969ce1970ac28bd4a9f83da71f9e68f5dd0f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 21:01:31 +0800 +Subject: drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl + +From: Min Li + +[ Upstream commit 48bfd02569f5db49cc033f259e66d57aa6efc9a3 ] + +If it is async, runqueue_node is freed in g2d_runqueue_worker on another +worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and +then executes the following if statement, there will be use-after-free. + +Signed-off-by: Min Li +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +index f2481a2014bb3..2b7ecc02b2774 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +@@ -1327,7 +1327,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data, + /* Let the runqueue know that there is work to do. */ + queue_work(g2d->g2d_workq, &g2d->runqueue_work); + +- if (runqueue_node->async) ++ if (req->async) + goto out; + + wait_for_completion(&runqueue_node->complete); +-- +2.39.2 + diff --git a/queue-4.19/drm-exynos-vidi-fix-a-wrong-error-return.patch b/queue-4.19/drm-exynos-vidi-fix-a-wrong-error-return.patch new file mode 100644 index 00000000000..d73ec6f9f89 --- /dev/null +++ b/queue-4.19/drm-exynos-vidi-fix-a-wrong-error-return.patch @@ -0,0 +1,38 @@ +From 09d74d82e2f0d1df3f6eaac30ece1f08ff56e8fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:55:05 +0900 +Subject: drm/exynos: vidi: fix a wrong error return + +From: Inki Dae + +[ Upstream commit 4a059559809fd1ddbf16f847c4d2237309c08edf ] + +Fix a wrong error return by dropping an error return. + +When vidi driver is remvoed, if ctx->raw_edid isn't same as fake_edid_info +then only what we have to is to free ctx->raw_edid so that driver removing +can work correctly - it's not an error case. + +Signed-off-by: Inki Dae +Reviewed-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +index 19697c1362d8f..947c9627c565a 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -480,8 +480,6 @@ static int vidi_remove(struct platform_device *pdev) + if (ctx->raw_edid != (struct edid *)fake_edid_info) { + kfree(ctx->raw_edid); + ctx->raw_edid = NULL; +- +- return -EINVAL; + } + + component_del(&pdev->dev, &vidi_component_ops); +-- +2.39.2 + diff --git a/queue-4.19/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch b/queue-4.19/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch new file mode 100644 index 00000000000..3e4d4839f24 --- /dev/null +++ b/queue-4.19/drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch @@ -0,0 +1,54 @@ +From 03b356496899cbd9638cb52d1013f9f589b0a120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jun 2023 15:43:45 +0800 +Subject: drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Min Li + +[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ] + +Userspace can race to free the gobj(robj converted from), robj should not +be accessed again after drm_gem_object_put, otherwith it will result in +use-after-free. + +Reviewed-by: Christian König +Signed-off-by: Min Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_gem.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c +index 27d8e7dd2d067..46f7789693ea0 100644 +--- a/drivers/gpu/drm/radeon/radeon_gem.c ++++ b/drivers/gpu/drm/radeon/radeon_gem.c +@@ -377,7 +377,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data, + struct radeon_device *rdev = dev->dev_private; + struct drm_radeon_gem_set_domain *args = data; + struct drm_gem_object *gobj; +- struct radeon_bo *robj; + int r; + + /* for now if someone requests domain CPU - +@@ -390,13 +389,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data, + up_read(&rdev->exclusive_lock); + return -ENOENT; + } +- robj = gem_to_radeon_bo(gobj); + + r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain); + + drm_gem_object_put_unlocked(gobj); + up_read(&rdev->exclusive_lock); +- r = radeon_gem_handle_lockup(robj->rdev, r); ++ r = radeon_gem_handle_lockup(rdev, r); + return r; + } + +-- +2.39.2 + diff --git a/queue-4.19/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch b/queue-4.19/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch new file mode 100644 index 00000000000..df08c2ddd36 --- /dev/null +++ b/queue-4.19/hid-wacom-add-error-check-to-wacom_parse_and_registe.patch @@ -0,0 +1,44 @@ +From f7baa1ade378a77d275198a4c85d832af2f0de72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 14:47:45 +0300 +Subject: HID: wacom: Add error check to wacom_parse_and_register() + +From: Denis Arefev + +[ Upstream commit 16a9c24f24fbe4564284eb575b18cc20586b9270 ] + + Added a variable check and + transition in case of an error + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Denis Arefev +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_sys.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c +index 4e4a3424c1f9f..c50b26a9bc445 100644 +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2390,8 +2390,13 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) + goto fail_quirks; + } + +- if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) ++ if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) { + error = hid_hw_open(hdev); ++ if (error) { ++ hid_err(hdev, "hw open failed\n"); ++ goto fail_quirks; ++ } ++ } + + wacom_set_shared_values(wacom_wac); + devres_close_group(&hdev->dev, wacom); +-- +2.39.2 + diff --git a/queue-4.19/ieee802154-hwsim-fix-possible-memory-leaks.patch b/queue-4.19/ieee802154-hwsim-fix-possible-memory-leaks.patch new file mode 100644 index 00000000000..04439247710 --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-fix-possible-memory-leaks.patch @@ -0,0 +1,50 @@ +From 6d35f8a6309332af9d47741348bef38b2a58ae89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Apr 2023 10:20:48 +0800 +Subject: ieee802154: hwsim: Fix possible memory leaks + +From: Chen Aotian + +[ Upstream commit a61675294735570daca3779bd1dbb3715f7232bd ] + +After replacing e->info, it is necessary to free the old einfo. + +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Reviewed-by: Miquel Raynal +Reviewed-by: Alexander Aring +Signed-off-by: Chen Aotian +Link: https://lore.kernel.org/r/20230409022048.61223-1-chenaotian2@163.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index d07e5571e07ae..1ac600d186886 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -540,7 +540,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info) + static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info) + { + struct nlattr *edge_attrs[MAC802154_HWSIM_EDGE_ATTR_MAX + 1]; +- struct hwsim_edge_info *einfo; ++ struct hwsim_edge_info *einfo, *einfo_old; + struct hwsim_phy *phy_v0; + struct hwsim_edge *e; + u32 v0, v1; +@@ -580,8 +580,10 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info) + list_for_each_entry_rcu(e, &phy_v0->edges, list) { + if (e->endpoint->idx == v1) { + einfo->lqi = lqi; +- rcu_assign_pointer(e->info, einfo); ++ einfo_old = rcu_replace_pointer(e->info, einfo, ++ lockdep_is_held(&hwsim_phys_lock)); + rcu_read_unlock(); ++ kfree_rcu(einfo_old, rcu); + mutex_unlock(&hwsim_phys_lock); + return 0; + } +-- +2.39.2 + diff --git a/queue-4.19/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch b/queue-4.19/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch new file mode 100644 index 00000000000..f95463c37bf --- /dev/null +++ b/queue-4.19/media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch @@ -0,0 +1,41 @@ +From 29aa58264d5ec89732e9624d1631a54c3996f049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 16:07:28 +0100 +Subject: media: cec: core: don't set last_initiator if tx in progress + +From: Hans Verkuil + +[ Upstream commit 73af6c7511038249cad3d5f3b44bf8d78ac0f499 ] + +When a message was received the last_initiator is set to 0xff. +This will force the signal free time for the next transmit +to that for a new initiator. However, if a new transmit is +already in progress, then don't set last_initiator, since +that's the initiator of the current transmit. Overwriting +this would cause the signal free time of a following transmit +to be that of the new initiator instead of a next transmit. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-adap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index a42043379d676..2f49c4db49b35 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1032,7 +1032,8 @@ void cec_received_msg_ts(struct cec_adapter *adap, + mutex_lock(&adap->lock); + dprintk(2, "%s: %*ph\n", __func__, msg->len, msg->msg); + +- adap->last_initiator = 0xff; ++ if (!adap->transmit_in_progress) ++ adap->last_initiator = 0xff; + + /* Check if this message was for us (directed or broadcast). */ + if (!cec_msg_is_broadcast(msg)) +-- +2.39.2 + diff --git a/queue-4.19/mmc-mtk-sd-fix-deferred-probing.patch b/queue-4.19/mmc-mtk-sd-fix-deferred-probing.patch new file mode 100644 index 00000000000..08a863e0467 --- /dev/null +++ b/queue-4.19/mmc-mtk-sd-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From bc8def9375766236d3e0a05e554bbb5033055ae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:13 +0300 +Subject: mmc: mtk-sd: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 0c4dc0f054891a2cbde0426b0c0fdf232d89f47f ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-4-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mtk-sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c +index 967e47770af67..d42c5da1a2260 100644 +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -1912,7 +1912,7 @@ static int msdc_drv_probe(struct platform_device *pdev) + + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { +- ret = -EINVAL; ++ ret = host->irq; + goto host_free; + } + +-- +2.39.2 + diff --git a/queue-4.19/mmc-mvsdio-convert-to-devm_platform_ioremap_resource.patch b/queue-4.19/mmc-mvsdio-convert-to-devm_platform_ioremap_resource.patch new file mode 100644 index 00000000000..73a32db1e33 --- /dev/null +++ b/queue-4.19/mmc-mvsdio-convert-to-devm_platform_ioremap_resource.patch @@ -0,0 +1,54 @@ +From af7123249f5bb1478cf3acbce53940edf226998f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 17:51:18 +0000 +Subject: mmc: mvsdio: convert to devm_platform_ioremap_resource + +From: Yangtao Li + +[ Upstream commit 0a337eb168d6cbb85f6b4eb56d1be55e24c80452 ] + +Use devm_platform_ioremap_resource() to simplify code. + +Signed-off-by: Yangtao Li +Link: https://lore.kernel.org/r/20191215175120.3290-11-tiny.windzz@gmail.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 8d84064da0d4 ("mmc: mvsdio: fix deferred probing") +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mvsdio.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mmc/host/mvsdio.c b/drivers/mmc/host/mvsdio.c +index e22bbff89c8d2..3ad8d1108fd08 100644 +--- a/drivers/mmc/host/mvsdio.c ++++ b/drivers/mmc/host/mvsdio.c +@@ -699,16 +699,14 @@ static int mvsd_probe(struct platform_device *pdev) + struct mmc_host *mmc = NULL; + struct mvsd_host *host = NULL; + const struct mbus_dram_target_info *dram; +- struct resource *r; + int ret, irq; + + if (!np) { + dev_err(&pdev->dev, "no DT node\n"); + return -ENODEV; + } +- r = platform_get_resource(pdev, IORESOURCE_MEM, 0); + irq = platform_get_irq(pdev, 0); +- if (!r || irq < 0) ++ if (irq < 0) + return -ENXIO; + + mmc = mmc_alloc_host(sizeof(struct mvsd_host), &pdev->dev); +@@ -761,7 +759,7 @@ static int mvsd_probe(struct platform_device *pdev) + + spin_lock_init(&host->lock); + +- host->base = devm_ioremap_resource(&pdev->dev, r); ++ host->base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(host->base)) { + ret = PTR_ERR(host->base); + goto out; +-- +2.39.2 + diff --git a/queue-4.19/mmc-mvsdio-fix-deferred-probing.patch b/queue-4.19/mmc-mvsdio-fix-deferred-probing.patch new file mode 100644 index 00000000000..9610d04d23b --- /dev/null +++ b/queue-4.19/mmc-mvsdio-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From 472d8a2d61580c180a83da09c46e306a031b6d52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:14 +0300 +Subject: mmc: mvsdio: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 8d84064da0d4672e74f984e8710f27881137472c ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-5-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mvsdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mvsdio.c b/drivers/mmc/host/mvsdio.c +index 3ad8d1108fd08..fff9980a3ef28 100644 +--- a/drivers/mmc/host/mvsdio.c ++++ b/drivers/mmc/host/mvsdio.c +@@ -707,7 +707,7 @@ static int mvsd_probe(struct platform_device *pdev) + } + irq = platform_get_irq(pdev, 0); + if (irq < 0) +- return -ENXIO; ++ return irq; + + mmc = mmc_alloc_host(sizeof(struct mvsd_host), &pdev->dev); + if (!mmc) { +-- +2.39.2 + diff --git a/queue-4.19/mmc-omap-fix-deferred-probing.patch b/queue-4.19/mmc-omap-fix-deferred-probing.patch new file mode 100644 index 00000000000..81197623e3e --- /dev/null +++ b/queue-4.19/mmc-omap-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From e5c5a9adb03991a3cd651e90f0aa0272d9fe9e5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:15 +0300 +Subject: mmc: omap: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit aedf4ba1ad00aaa94c1b66c73ecaae95e2564b95 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-6-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index b2873a2432b69..345b35483cee7 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -1347,7 +1347,7 @@ static int mmc_omap_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) +- return -ENXIO; ++ return irq; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + host->virt_base = devm_ioremap_resource(&pdev->dev, res); +-- +2.39.2 + diff --git a/queue-4.19/mmc-omap_hsmmc-fix-deferred-probing.patch b/queue-4.19/mmc-omap_hsmmc-fix-deferred-probing.patch new file mode 100644 index 00000000000..61864e4ebde --- /dev/null +++ b/queue-4.19/mmc-omap_hsmmc-fix-deferred-probing.patch @@ -0,0 +1,44 @@ +From f231be8d8d8f1715abce7661ece8a49a32a26ccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:16 +0300 +Subject: mmc: omap_hsmmc: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit fb51b74a57859b707c3e8055ed0c25a7ca4f6a29 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-7-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap_hsmmc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index 0135693afa158..881d1de4a5635 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -2006,9 +2006,11 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- irq = platform_get_irq(pdev, 0); +- if (res == NULL || irq < 0) ++ if (!res) + return -ENXIO; ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) ++ return irq; + + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) +-- +2.39.2 + diff --git a/queue-4.19/mmc-sdhci-acpi-fix-deferred-probing.patch b/queue-4.19/mmc-sdhci-acpi-fix-deferred-probing.patch new file mode 100644 index 00000000000..9d5f70de906 --- /dev/null +++ b/queue-4.19/mmc-sdhci-acpi-fix-deferred-probing.patch @@ -0,0 +1,40 @@ +From eb01a95494209b4af9e79d950cd9c1f0f0d4cece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:18 +0300 +Subject: mmc: sdhci-acpi: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit b465dea5e1540c7d7b5211adaf94926980d3014b ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating the +error codes upstream. + +Fixes: 1b7ba57ecc86 ("mmc: sdhci-acpi: Handle return value of platform_get_irq") +Signed-off-by: Sergey Shtylyov +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230617203622.6812-9-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c +index 6cc187ce3a329..069b9a07aca5d 100644 +--- a/drivers/mmc/host/sdhci-acpi.c ++++ b/drivers/mmc/host/sdhci-acpi.c +@@ -721,7 +721,7 @@ static int sdhci_acpi_probe(struct platform_device *pdev) + host->ops = &sdhci_acpi_ops_dflt; + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { +- err = -EINVAL; ++ err = host->irq; + goto err_free; + } + +-- +2.39.2 + diff --git a/queue-4.19/mmc-usdhi60rol0-fix-deferred-probing.patch b/queue-4.19/mmc-usdhi60rol0-fix-deferred-probing.patch new file mode 100644 index 00000000000..6bddd21dbc6 --- /dev/null +++ b/queue-4.19/mmc-usdhi60rol0-fix-deferred-probing.patch @@ -0,0 +1,43 @@ +From 529fd25e05d894f1a4ed5415cc24503d87219aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 23:36:22 +0300 +Subject: mmc: usdhi60rol0: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 413db499730248431c1005b392e8ed82c4fa19bf ] + +The driver overrides the error codes returned by platform_get_irq_byname() +to -ENODEV, so if it returns -EPROBE_DEFER, the driver will fail the probe +permanently instead of the deferred probing. Switch to propagating error +codes upstream. + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20230617203622.6812-13-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index b88728b686e8a..e436f7e7a3ee0 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1749,8 +1749,10 @@ static int usdhi6_probe(struct platform_device *pdev) + irq_cd = platform_get_irq_byname(pdev, "card detect"); + irq_sd = platform_get_irq_byname(pdev, "data"); + irq_sdio = platform_get_irq_byname(pdev, "SDIO"); +- if (irq_sd < 0 || irq_sdio < 0) +- return -ENODEV; ++ if (irq_sd < 0) ++ return irq_sd; ++ if (irq_sdio < 0) ++ return irq_sdio; + + mmc = mmc_alloc_host(sizeof(struct usdhi6_host), dev); + if (!mmc) +-- +2.39.2 + diff --git a/queue-4.19/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch b/queue-4.19/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch new file mode 100644 index 00000000000..0fea215da64 --- /dev/null +++ b/queue-4.19/net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch @@ -0,0 +1,40 @@ +From bcbd47cc7f8578cd09e1cb378821aa1fbc991f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 23:06:56 +0200 +Subject: net: qca_spi: Avoid high load if QCA7000 is not available + +From: Stefan Wahren + +[ Upstream commit 92717c2356cb62c89e8a3dc37cbbab2502562524 ] + +In case the QCA7000 is not available via SPI (e.g. in reset), +the driver will cause a high load. The reason for this is +that the synchronization is never finished and schedule() +is never called. Since the synchronization is not timing +critical, it's safe to drop this from the scheduling condition. + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index afd49c7fd87fe..3e6095f0cb5f5 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -553,8 +553,7 @@ qcaspi_spi_thread(void *data) + while (!kthread_should_stop()) { + set_current_state(TASK_INTERRUPTIBLE); + if ((qca->intr_req == qca->intr_svc) && +- (qca->txr.skb[qca->txr.head] == NULL) && +- (qca->sync == QCASPI_SYNC_READY)) ++ !qca->txr.skb[qca->txr.head]) + schedule(); + + set_current_state(TASK_RUNNING); +-- +2.39.2 + diff --git a/queue-4.19/netfilter-nf_tables-disallow-element-updates-of-boun.patch b/queue-4.19/netfilter-nf_tables-disallow-element-updates-of-boun.patch new file mode 100644 index 00000000000..b48180f6bdf --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-disallow-element-updates-of-boun.patch @@ -0,0 +1,49 @@ +From c10dd91165ee5aa7646693cf6cdbbacdf7037156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:20:16 +0200 +Subject: netfilter: nf_tables: disallow element updates of bound anonymous + sets + +From: Pablo Neira Ayuso + +[ Upstream commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b ] + +Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API +allows to create anonymous sets without NFT_SET_CONSTANT, it makes no +sense to allow to add and to delete elements for bound anonymous sets. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 62bc4cd0b7bec..2968f21915ddf 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4640,7 +4640,8 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, + if (IS_ERR(set)) + return PTR_ERR(set); + +- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) ++ if (!list_empty(&set->bindings) && ++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) + return -EBUSY; + + nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { +@@ -4823,7 +4824,9 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, + set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); + if (IS_ERR(set)) + return PTR_ERR(set); +- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) ++ ++ if (!list_empty(&set->bindings) && ++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) + return -EBUSY; + + if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { +-- +2.39.2 + diff --git a/queue-4.19/netfilter-nfnetlink_osf-fix-module-autoload.patch b/queue-4.19/netfilter-nfnetlink_osf-fix-module-autoload.patch new file mode 100644 index 00000000000..014320f5757 --- /dev/null +++ b/queue-4.19/netfilter-nfnetlink_osf-fix-module-autoload.patch @@ -0,0 +1,40 @@ +From 138476ad6bfa8e259dcd34f956957fadaa37c225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:14:25 +0200 +Subject: netfilter: nfnetlink_osf: fix module autoload + +From: Pablo Neira Ayuso + +[ Upstream commit 62f9a68a36d4441a6c412b81faed102594bc6670 ] + +Move the alias from xt_osf to nfnetlink_osf. + +Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 1 + + net/netfilter/xt_osf.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 917f06110c823..21e4554c76955 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -442,3 +442,4 @@ module_init(nfnl_osf_init); + module_exit(nfnl_osf_fini); + + MODULE_LICENSE("GPL"); ++MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF); +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c +index bf7bba80e24c1..226a317d52a0d 100644 +--- a/net/netfilter/xt_osf.c ++++ b/net/netfilter/xt_osf.c +@@ -90,4 +90,3 @@ MODULE_AUTHOR("Evgeniy Polyakov "); + MODULE_DESCRIPTION("Passive OS fingerprint matching."); + MODULE_ALIAS("ipt_osf"); + MODULE_ALIAS("ip6t_osf"); +-MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF); +-- +2.39.2 + diff --git a/queue-4.19/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch b/queue-4.19/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch new file mode 100644 index 00000000000..09e7e6ac3bb --- /dev/null +++ b/queue-4.19/nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch @@ -0,0 +1,40 @@ +From df0a367ea00e0acc8cbdf3210eb6df1e576eb97d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 22:27:46 +0500 +Subject: nfcsim.c: Fix error checking for debugfs_create_dir + +From: Osama Muhammad + +[ Upstream commit 9b9e46aa07273ceb96866b2e812b46f1ee0b8d2f ] + +This patch fixes the error checking in nfcsim.c. +The DebugFS kernel API is developed in +a way that the caller can safely ignore the errors that +occur during the creation of DebugFS nodes. + +Signed-off-by: Osama Muhammad +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/nfcsim.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/nfc/nfcsim.c b/drivers/nfc/nfcsim.c +index 533e3aa6275cd..cf07b366500e9 100644 +--- a/drivers/nfc/nfcsim.c ++++ b/drivers/nfc/nfcsim.c +@@ -345,10 +345,6 @@ static struct dentry *nfcsim_debugfs_root; + static void nfcsim_debugfs_init(void) + { + nfcsim_debugfs_root = debugfs_create_dir("nfcsim", NULL); +- +- if (!nfcsim_debugfs_root) +- pr_err("Could not create debugfs entry\n"); +- + } + + static void nfcsim_debugfs_remove(void) +-- +2.39.2 + diff --git a/queue-4.19/rcu-upgrade-rcu_swap_protected-to-rcu_replace_pointe.patch b/queue-4.19/rcu-upgrade-rcu_swap_protected-to-rcu_replace_pointe.patch new file mode 100644 index 00000000000..412dff928de --- /dev/null +++ b/queue-4.19/rcu-upgrade-rcu_swap_protected-to-rcu_replace_pointe.patch @@ -0,0 +1,65 @@ +From efbe4c1ef4095a69fb7539c86a3121f61c84509c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2019 15:05:11 -0700 +Subject: rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer() + +From: Paul E. McKenney + +[ Upstream commit a63fc6b75cca984c71f095282e0227a390ba88f3 ] + +Although the rcu_swap_protected() macro follows the example of +swap(), the interactions with RCU make its update of its argument +somewhat counter-intuitive. This commit therefore introduces +an rcu_replace_pointer() that returns the old value of the RCU +pointer instead of doing the argument update. Once all the uses of +rcu_swap_protected() are updated to instead use rcu_replace_pointer(), +rcu_swap_protected() will be removed. + +Link: https://lore.kernel.org/lkml/CAHk-=wiAsJLw1egFEE=Z7-GGtM6wcvtyytXZA1+BHqta4gg6Hw@mail.gmail.com/ +Reported-by: Linus Torvalds +[ paulmck: From rcu_replace() to rcu_replace_pointer() per Ingo Molnar. ] +Signed-off-by: Paul E. McKenney +Cc: Bart Van Assche +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Johannes Thumshirn +Cc: Shane M Seymour +Cc: Martin K. Petersen +Stable-dep-of: a61675294735 ("ieee802154: hwsim: Fix possible memory leaks") +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index 68cbe111420bc..cf139d6e5c1d3 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -410,6 +410,24 @@ static inline void rcu_preempt_sleep_check(void) { } + _r_a_p__v; \ + }) + ++/** ++ * rcu_replace_pointer() - replace an RCU pointer, returning its old value ++ * @rcu_ptr: RCU pointer, whose old value is returned ++ * @ptr: regular pointer ++ * @c: the lockdep conditions under which the dereference will take place ++ * ++ * Perform a replacement, where @rcu_ptr is an RCU-annotated ++ * pointer and @c is the lockdep argument that is passed to the ++ * rcu_dereference_protected() call used to read that pointer. The old ++ * value of @rcu_ptr is returned, and @rcu_ptr is set to @ptr. ++ */ ++#define rcu_replace_pointer(rcu_ptr, ptr, c) \ ++({ \ ++ typeof(ptr) __tmp = rcu_dereference_protected((rcu_ptr), (c)); \ ++ rcu_assign_pointer((rcu_ptr), (ptr)); \ ++ __tmp; \ ++}) ++ + /** + * rcu_swap_protected() - swap an RCU and a regular pointer + * @rcu_ptr: RCU pointer +-- +2.39.2 + diff --git a/queue-4.19/s390-cio-unregister-device-when-the-only-path-is-gon.patch b/queue-4.19/s390-cio-unregister-device-when-the-only-path-is-gon.patch new file mode 100644 index 00000000000..86186c86524 --- /dev/null +++ b/queue-4.19/s390-cio-unregister-device-when-the-only-path-is-gon.patch @@ -0,0 +1,62 @@ +From a4ae945492a3acc544eaa3852b24ea4033a71ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 20:53:20 +0200 +Subject: s390/cio: unregister device when the only path is gone + +From: Vineeth Vijayan + +[ Upstream commit 89c0c62e947a01e7a36b54582fd9c9e346170255 ] + +Currently, if the device is offline and all the channel paths are +either configured or varied offline, the associated subchannel gets +unregistered. Don't unregister the subchannel, instead unregister +offline device. + +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/device.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c +index c9bc9a6bd73b7..ee4338158ae2e 100644 +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -1353,6 +1353,7 @@ void ccw_device_set_notoper(struct ccw_device *cdev) + enum io_sch_action { + IO_SCH_UNREG, + IO_SCH_ORPH_UNREG, ++ IO_SCH_UNREG_CDEV, + IO_SCH_ATTACH, + IO_SCH_UNREG_ATTACH, + IO_SCH_ORPH_ATTACH, +@@ -1385,7 +1386,7 @@ static enum io_sch_action sch_get_action(struct subchannel *sch) + } + if ((sch->schib.pmcw.pam & sch->opm) == 0) { + if (ccw_device_notify(cdev, CIO_NO_PATH) != NOTIFY_OK) +- return IO_SCH_UNREG; ++ return IO_SCH_UNREG_CDEV; + return IO_SCH_DISC; + } + if (device_is_disconnected(cdev)) +@@ -1447,6 +1448,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process) + case IO_SCH_ORPH_ATTACH: + ccw_device_set_disconnected(cdev); + break; ++ case IO_SCH_UNREG_CDEV: + case IO_SCH_UNREG_ATTACH: + case IO_SCH_UNREG: + if (!cdev) +@@ -1480,6 +1482,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process) + if (rc) + goto out; + break; ++ case IO_SCH_UNREG_CDEV: + case IO_SCH_UNREG_ATTACH: + spin_lock_irqsave(sch->lock, flags); + if (cdev->private->flags.resuming) { +-- +2.39.2 + diff --git a/queue-4.19/sch_netem-acquire-qdisc-lock-in-netem_change.patch b/queue-4.19/sch_netem-acquire-qdisc-lock-in-netem_change.patch new file mode 100644 index 00000000000..d44e05ec6af --- /dev/null +++ b/queue-4.19/sch_netem-acquire-qdisc-lock-in-netem_change.patch @@ -0,0 +1,109 @@ +From 5331fa25e578272f015e3129a8b4b905eee15183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 18:44:25 +0000 +Subject: sch_netem: acquire qdisc lock in netem_change() + +From: Eric Dumazet + +[ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ] + +syzbot managed to trigger a divide error [1] in netem. + +It could happen if q->rate changes while netem_enqueue() +is running, since q->rate is read twice. + +It turns out netem_change() always lacked proper synchronization. + +[1] +divide error: 0000 [#1] SMP KASAN +CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 +RIP: 0010:div64_u64 include/linux/math64.h:69 [inline] +RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline] +RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576 +Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03 +RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246 +RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000 +RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d +RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297 +R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358 +R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000 +FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0 +Call Trace: + +[] __dev_xmit_skb net/core/dev.c:3931 [inline] +[] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290 +[] dev_queue_xmit include/linux/netdevice.h:3030 [inline] +[] neigh_hh_output include/net/neighbour.h:531 [inline] +[] neigh_output include/net/neighbour.h:545 [inline] +[] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235 +[] __ip_finish_output+0xc3/0x2b0 +[] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437 +[] dst_output include/net/dst.h:444 [inline] +[] ip_local_out net/ipv4/ip_output.c:127 [inline] +[] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542 +[] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Stephen Hemminger +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 31793af1a77bd..93548b9e07cf1 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -943,6 +943,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + if (ret < 0) + return ret; + ++ sch_tree_lock(sch); + /* backup q->clg and q->loss_model */ + old_clg = q->clg; + old_loss_model = q->loss_model; +@@ -951,7 +952,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]); + if (ret) { + q->loss_model = old_loss_model; +- return ret; ++ goto unlock; + } + } else { + q->loss_model = CLG_RANDOM; +@@ -1018,6 +1019,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + /* capping jitter to the range acceptable by tabledist() */ + q->jitter = min_t(s64, abs(q->jitter), INT_MAX); + ++unlock: ++ sch_tree_unlock(sch); + return ret; + + get_table_failure: +@@ -1027,7 +1030,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + */ + q->clg = old_clg; + q->loss_model = old_loss_model; +- return ret; ++ ++ goto unlock; + } + + static int netem_init(struct Qdisc *sch, struct nlattr *opt, +-- +2.39.2 + diff --git a/queue-4.19/scsi-target-iscsi-prevent-login-threads-from-racing-.patch b/queue-4.19/scsi-target-iscsi-prevent-login-threads-from-racing-.patch new file mode 100644 index 00000000000..f13784e8f95 --- /dev/null +++ b/queue-4.19/scsi-target-iscsi-prevent-login-threads-from-racing-.patch @@ -0,0 +1,71 @@ +From 0eb67a16083d23be4368aeaf535b8d5482b5a62f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:22:19 +0200 +Subject: scsi: target: iscsi: Prevent login threads from racing between each + other + +From: Maurizio Lombardi + +[ Upstream commit 2a737d3b8c792400118d6cf94958f559de9c5e59 ] + +The tpg->np_login_sem is a semaphore that is used to serialize the login +process when multiple login threads run concurrently against the same +target portal group. + +The iscsi_target_locate_portal() function finds the tpg, calls +iscsit_access_np() against the np_login_sem semaphore and saves the tpg +pointer in conn->tpg; + +If iscsi_target_locate_portal() fails, the caller will check for the +conn->tpg pointer and, if it's not NULL, then it will assume that +iscsi_target_locate_portal() called iscsit_access_np() on the semaphore. + +Make sure that conn->tpg gets initialized only if iscsit_access_np() was +successful, otherwise iscsit_deaccess_np() may end up being called against +a semaphore we never took, allowing more than one thread to access the same +tpg. + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20230508162219.1731964-4-mlombard@redhat.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_nego.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 5db8842a80265..e39177f9fdb0a 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -1072,6 +1072,7 @@ int iscsi_target_locate_portal( + iscsi_target_set_sock_callbacks(conn); + + login->np = np; ++ conn->tpg = NULL; + + login_req = (struct iscsi_login_req *) login->req; + payload_length = ntoh24(login_req->dlength); +@@ -1141,7 +1142,6 @@ int iscsi_target_locate_portal( + */ + sessiontype = strncmp(s_buf, DISCOVERY, 9); + if (!sessiontype) { +- conn->tpg = iscsit_global->discovery_tpg; + if (!login->leading_connection) + goto get_target; + +@@ -1158,9 +1158,11 @@ int iscsi_target_locate_portal( + * Serialize access across the discovery struct iscsi_portal_group to + * process login attempt. + */ ++ conn->tpg = iscsit_global->discovery_tpg; + if (iscsit_access_np(np, conn->tpg) < 0) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + ISCSI_LOGIN_STATUS_SVC_UNAVAILABLE); ++ conn->tpg = NULL; + ret = -1; + goto out; + } +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index bbda31db69c..b56449cfb70 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -11,3 +11,29 @@ drivers-hv-vmbus-fix-vmbus_wait_for_unload-to-scan-present-cpus.patch pci-hv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch cgroup-do-not-corrupt-task-iteration-when-rebinding-subsystem.patch nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch +rcu-upgrade-rcu_swap_protected-to-rcu_replace_pointe.patch +ieee802154-hwsim-fix-possible-memory-leaks.patch +xfrm-linearize-the-skb-after-offloading-if-needed.patch +net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch +mmc-mtk-sd-fix-deferred-probing.patch +mmc-mvsdio-convert-to-devm_platform_ioremap_resource.patch +mmc-mvsdio-fix-deferred-probing.patch +mmc-omap-fix-deferred-probing.patch +mmc-omap_hsmmc-fix-deferred-probing.patch +mmc-sdhci-acpi-fix-deferred-probing.patch +mmc-usdhi60rol0-fix-deferred-probing.patch +be2net-extend-xmit-workaround-to-be3-chip.patch +netfilter-nf_tables-disallow-element-updates-of-boun.patch +netfilter-nfnetlink_osf-fix-module-autoload.patch +sch_netem-acquire-qdisc-lock-in-netem_change.patch +scsi-target-iscsi-prevent-login-threads-from-racing-.patch +hid-wacom-add-error-check-to-wacom_parse_and_registe.patch +arm64-add-missing-set-way-cmo-encodings.patch +media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch +nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch +usb-gadget-udc-fix-null-dereference-in-remove.patch +s390-cio-unregister-device-when-the-only-path-is-gon.patch +asoc-nau8824-add-quirk-to-active-high-jack-detect.patch +drm-exynos-vidi-fix-a-wrong-error-return.patch +drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch +drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch diff --git a/queue-4.19/usb-gadget-udc-fix-null-dereference-in-remove.patch b/queue-4.19/usb-gadget-udc-fix-null-dereference-in-remove.patch new file mode 100644 index 00000000000..748eae1d2d1 --- /dev/null +++ b/queue-4.19/usb-gadget-udc-fix-null-dereference-in-remove.patch @@ -0,0 +1,39 @@ +From 1ffe9690bb1dc94298ccb0e5681e7bcc8250c71f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 18:38:37 +0300 +Subject: usb: gadget: udc: fix NULL dereference in remove() + +From: Dan Carpenter + +[ Upstream commit 016da9c65fec9f0e78c4909ed9a0f2d567af6775 ] + +The "udc" pointer was never set in the probe() function so it will +lead to a NULL dereference in udc_pci_remove() when we do: + + usb_del_gadget_udc(&udc->gadget); + +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/ZG+A/dNpFWAlCChk@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/amd5536udc_pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/udc/amd5536udc_pci.c b/drivers/usb/gadget/udc/amd5536udc_pci.c +index 362284057d307..a3d15c3fb82a9 100644 +--- a/drivers/usb/gadget/udc/amd5536udc_pci.c ++++ b/drivers/usb/gadget/udc/amd5536udc_pci.c +@@ -171,6 +171,9 @@ static int udc_pci_probe( + retval = -ENODEV; + goto err_probe; + } ++ ++ udc = dev; ++ + return 0; + + err_probe: +-- +2.39.2 + diff --git a/queue-4.19/xfrm-linearize-the-skb-after-offloading-if-needed.patch b/queue-4.19/xfrm-linearize-the-skb-after-offloading-if-needed.patch new file mode 100644 index 00000000000..b12aba15918 --- /dev/null +++ b/queue-4.19/xfrm-linearize-the-skb-after-offloading-if-needed.patch @@ -0,0 +1,64 @@ +From 79acff0f8c00f39566bf0e4999a966bbae1f6d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 12:02:02 +0200 +Subject: xfrm: Linearize the skb after offloading if needed. + +From: Sebastian Andrzej Siewior + +[ Upstream commit f015b900bc3285322029b4a7d132d6aeb0e51857 ] + +With offloading enabled, esp_xmit() gets invoked very late, from within +validate_xmit_xfrm() which is after validate_xmit_skb() validates and +linearizes the skb if the underlying device does not support fragments. + +esp_output_tail() may add a fragment to the skb while adding the auth +tag/ IV. Devices without the proper support will then send skb->data +points to with the correct length so the packet will have garbage at the +end. A pcap sniffer will claim that the proper data has been sent since +it parses the skb properly. + +It is not affected with INET_ESP_OFFLOAD disabled. + +Linearize the skb after offloading if the sending hardware requires it. +It was tested on v4, v6 has been adopted. + +Fixes: 7785bba299a8d ("esp: Add a software GRO codepath") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4_offload.c | 3 +++ + net/ipv6/esp6_offload.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 58834a10c0be7..93045373e44bd 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -237,6 +237,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ + + secpath_reset(skb); + ++ if (skb_needs_linearize(skb, skb->dev->features) && ++ __skb_linearize(skb)) ++ return -ENOMEM; + return 0; + } + +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index eeee64a8a72c2..69313ec24264e 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -272,6 +272,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features + + secpath_reset(skb); + ++ if (skb_needs_linearize(skb, skb->dev->features) && ++ __skb_linearize(skb)) ++ return -ENOMEM; + return 0; + } + +-- +2.39.2 + -- 2.47.3