--- /dev/null
+From b642d4825441bf30c72b72deb739bd2d5f53af08 Mon Sep 17 00:00:00 2001
+From: Ondrej Jirman <megous@megous.com>
+Date: Sat, 22 Feb 2020 23:31:53 +0100
+Subject: ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection
+
+From: Ondrej Jirman <megous@megous.com>
+
+commit b642d4825441bf30c72b72deb739bd2d5f53af08 upstream.
+
+USB-ID signal has a pullup on the schematic, but in reality it's not
+pulled up, so add a GPIO pullup. And we also need a usb0_vbus_power-supply
+for VBUS detection.
+
+This fixes OTG mode detection and charging issues on TBS A711 tablet.
+The issues came from ID pin reading 0, causing host mode to be enabled,
+when it should not be, leading to DRVVBUS being enabled, which disabled
+the charger.
+
+Fixes: f2f221c7810b824e ("ARM: dts: sun8i: a711: Enable USB OTG")
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts
++++ b/arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts
+@@ -482,7 +482,8 @@
+ };
+
+ &usbphy {
+- usb0_id_det-gpios = <&pio 7 11 GPIO_ACTIVE_HIGH>; /* PH11 */
++ usb0_id_det-gpios = <&pio 7 11 (GPIO_ACTIVE_HIGH | GPIO_PULL_UP)>; /* PH11 */
++ usb0_vbus_power-supply = <&usb_power_supply>;
+ usb0_vbus-supply = <®_drivevbus>;
+ usb1_vbus-supply = <®_vmain>;
+ usb2_vbus-supply = <®_vmain>;
--- /dev/null
+From da6c7faeb103c493e505e87643272f70be586635 Mon Sep 17 00:00:00 2001
+From: Yoshiki Komachi <komachi.yoshiki@gmail.com>
+Date: Tue, 10 Mar 2020 16:32:29 +0900
+Subject: bpf/btf: Fix BTF verification of enum members in struct/union
+
+From: Yoshiki Komachi <komachi.yoshiki@gmail.com>
+
+commit da6c7faeb103c493e505e87643272f70be586635 upstream.
+
+btf_enum_check_member() was currently sure to recognize the size of
+"enum" type members in struct/union as the size of "int" even if
+its size was packed.
+
+This patch fixes BTF enum verification to use the correct size
+of member in BPF programs.
+
+Fixes: 179cde8cef7e ("bpf: btf: Check members of struct/union")
+Signed-off-by: Yoshiki Komachi <komachi.yoshiki@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/1583825550-18606-2-git-send-email-komachi.yoshiki@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -2309,7 +2309,7 @@ static int btf_enum_check_member(struct
+
+ struct_size = struct_type->size;
+ bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
+- if (struct_size - bytes_offset < sizeof(int)) {
++ if (struct_size - bytes_offset < member_type->size) {
+ btf_verifier_log_member(env, struct_type, member,
+ "Member exceeds struct_size");
+ return -EINVAL;
--- /dev/null
+From 62039c30c19dcab96621e074aeeb90da7100def7 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Mon, 9 Mar 2020 15:27:55 -0700
+Subject: bpf: Initialize storage pointers to NULL to prevent freeing garbage pointer
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 62039c30c19dcab96621e074aeeb90da7100def7 upstream.
+
+Local storage array isn't initialized, so if cgroup storage allocation fails
+for BPF_CGROUP_STORAGE_SHARED, error handling code will attempt to free
+uninitialized pointer for BPF_CGROUP_STORAGE_PERCPU storage type. Avoid this
+by always initializing storage pointers to NULLs.
+
+Fixes: 8bad74f9840f ("bpf: extend cgroup bpf core to allow multiple cgroup storage types")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200309222756.1018737-1-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -303,8 +303,8 @@ int __cgroup_bpf_attach(struct cgroup *c
+ {
+ struct list_head *progs = &cgrp->bpf.progs[type];
+ struct bpf_prog *old_prog = NULL;
+- struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE],
+- *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {NULL};
++ struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
++ struct bpf_cgroup_storage *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
+ enum bpf_cgroup_storage_type stype;
+ struct bpf_prog_list *pl;
+ bool pl_was_allocated;
--- /dev/null
+From 90db6d772f749e38171d04619a5e3cd8804a6d02 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Tue, 10 Mar 2020 09:41:48 -0700
+Subject: bpf, sockmap: Remove bucket->lock from sock_{hash|map}_free
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 90db6d772f749e38171d04619a5e3cd8804a6d02 upstream.
+
+The bucket->lock is not needed in the sock_hash_free and sock_map_free
+calls, in fact it is causing a splat due to being inside rcu block.
+
+| BUG: sleeping function called from invalid context at net/core/sock.c:2935
+| in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 62, name: kworker/0:1
+| 3 locks held by kworker/0:1/62:
+| #0: ffff88813b019748 ((wq_completion)events){+.+.}, at: process_one_work+0x1d7/0x5e0
+| #1: ffffc900000abe50 ((work_completion)(&map->work)){+.+.}, at: process_one_work+0x1d7/0x5e0
+| #2: ffff8881381f6df8 (&stab->lock){+...}, at: sock_map_free+0x26/0x180
+| CPU: 0 PID: 62 Comm: kworker/0:1 Not tainted 5.5.0-04008-g7b083332376e #454
+| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
+| Workqueue: events bpf_map_free_deferred
+| Call Trace:
+| dump_stack+0x71/0xa0
+| ___might_sleep.cold+0xa6/0xb6
+| lock_sock_nested+0x28/0x90
+| sock_map_free+0x5f/0x180
+| bpf_map_free_deferred+0x58/0x80
+| process_one_work+0x260/0x5e0
+| worker_thread+0x4d/0x3e0
+| kthread+0x108/0x140
+| ? process_one_work+0x5e0/0x5e0
+| ? kthread_park+0x90/0x90
+| ret_from_fork+0x3a/0x50
+
+The reason we have stab->lock and bucket->locks in sockmap code is to
+handle checking EEXIST in update/delete cases. We need to be careful during
+an update operation that we check for EEXIST and we need to ensure that the
+psock object is not in some partial state of removal/insertion while we do
+this. So both map_update_common and sock_map_delete need to guard from being
+run together potentially deleting an entry we are checking, etc. But by the
+time we get to the tear-down code in sock_{ma[|hash}_free we have already
+disconnected the map and we just did synchronize_rcu() in the line above so
+no updates/deletes should be in flight. Because of this we can drop the
+bucket locks from the map free'ing code, noting no update/deletes can be
+in-flight.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/158385850787.30597.8346421465837046618.stgit@john-Precision-5820-Tower
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/sock_map.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -233,8 +233,11 @@ static void sock_map_free(struct bpf_map
+ struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
+ int i;
+
++ /* After the sync no updates or deletes will be in-flight so it
++ * is safe to walk map and remove entries without risking a race
++ * in EEXIST update case.
++ */
+ synchronize_rcu();
+- raw_spin_lock_bh(&stab->lock);
+ for (i = 0; i < stab->map.max_entries; i++) {
+ struct sock **psk = &stab->sks[i];
+ struct sock *sk;
+@@ -248,7 +251,6 @@ static void sock_map_free(struct bpf_map
+ release_sock(sk);
+ }
+ }
+- raw_spin_unlock_bh(&stab->lock);
+
+ /* wait for psock readers accessing its map link */
+ synchronize_rcu();
+@@ -863,10 +865,13 @@ static void sock_hash_free(struct bpf_ma
+ struct hlist_node *node;
+ int i;
+
++ /* After the sync no updates or deletes will be in-flight so it
++ * is safe to walk map and remove entries without risking a race
++ * in EEXIST update case.
++ */
+ synchronize_rcu();
+ for (i = 0; i < htab->buckets_num; i++) {
+ bucket = sock_hash_select_bucket(htab, i);
+- raw_spin_lock_bh(&bucket->lock);
+ hlist_for_each_entry_safe(elem, node, &bucket->head, node) {
+ hlist_del_rcu(&elem->node);
+ lock_sock(elem->sk);
+@@ -875,7 +880,6 @@ static void sock_hash_free(struct bpf_ma
+ rcu_read_unlock();
+ release_sock(elem->sk);
+ }
+- raw_spin_unlock_bh(&bucket->lock);
+ }
+
+ /* wait for psock readers accessing its map link */
--- /dev/null
+From 80f1f85036355e5581ec0b99913410345ad3491b Mon Sep 17 00:00:00 2001
+From: Luke Nelson <lukenels@cs.washington.edu>
+Date: Thu, 5 Mar 2020 15:44:12 -0800
+Subject: bpf, x32: Fix bug with JMP32 JSET BPF_X checking upper bits
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+commit 80f1f85036355e5581ec0b99913410345ad3491b upstream.
+
+The current x32 BPF JIT is incorrect for JMP32 JSET BPF_X when the upper
+32 bits of operand registers are non-zero in certain situations.
+
+The problem is in the following code:
+
+ case BPF_JMP | BPF_JSET | BPF_X:
+ case BPF_JMP32 | BPF_JSET | BPF_X:
+ ...
+
+ /* and dreg_lo,sreg_lo */
+ EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
+ /* and dreg_hi,sreg_hi */
+ EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
+ /* or dreg_lo,dreg_hi */
+ EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
+
+This code checks the upper bits of the operand registers regardless if
+the BPF instruction is BPF_JMP32 or BPF_JMP64. Registers dreg_hi and
+dreg_lo are not loaded from the stack for BPF_JMP32, however, they can
+still be polluted with values from previous instructions.
+
+The following BPF program demonstrates the bug. The jset64 instruction
+loads the temporary registers and performs the jump, since ((u64)r7 &
+(u64)r8) is non-zero. The jset32 should _not_ be taken, as the lower
+32 bits are all zero, however, the current JIT will take the branch due
+the pollution of temporary registers from the earlier jset64.
+
+ mov64 r0, 0
+ ld64 r7, 0x8000000000000000
+ ld64 r8, 0x8000000000000000
+ jset64 r7, r8, 1
+ exit
+ jset32 r7, r8, 1
+ mov64 r0, 2
+ exit
+
+The expected return value of this program is 2; under the buggy x32 JIT
+it returns 0. The fix is to skip using the upper 32 bits for jset32 and
+compare the upper 32 bits for jset64 only.
+
+All tests in test_bpf.ko and selftests/bpf/test_verifier continue to
+pass with this change.
+
+We found this bug using our automated verification tool, Serval.
+
+Fixes: 69f827eb6e14 ("x32: bpf: implement jitting of JMP32")
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200305234416.31597-1-luke.r.nels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/net/bpf_jit_comp32.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/net/bpf_jit_comp32.c
++++ b/arch/x86/net/bpf_jit_comp32.c
+@@ -2039,10 +2039,12 @@ static int do_jit(struct bpf_prog *bpf_p
+ }
+ /* and dreg_lo,sreg_lo */
+ EMIT2(0x23, add_2reg(0xC0, sreg_lo, dreg_lo));
+- /* and dreg_hi,sreg_hi */
+- EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
+- /* or dreg_lo,dreg_hi */
+- EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
++ if (is_jmp64) {
++ /* and dreg_hi,sreg_hi */
++ EMIT2(0x23, add_2reg(0xC0, sreg_hi, dreg_hi));
++ /* or dreg_lo,dreg_hi */
++ EMIT2(0x09, add_2reg(0xC0, dreg_lo, dreg_hi));
++ }
+ goto emit_cond_jmp;
+ }
+ case BPF_JMP | BPF_JSET | BPF_K:
--- /dev/null
+From d944b27df121e2ee854a6c2fad13d6c6300792d4 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 24 Mar 2020 23:28:11 +0800
+Subject: i2c: nvidia-gpu: Handle timeout correctly in gpu_i2c_check_status()
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit d944b27df121e2ee854a6c2fad13d6c6300792d4 upstream.
+
+Nvidia card may come with a "phantom" UCSI device, and its driver gets
+stuck in probe routine, prevents any system PM operations like suspend.
+
+There's an unaccounted case that the target time can equal to jiffies in
+gpu_i2c_check_status(), let's solve that by using readl_poll_timeout()
+instead of jiffies comparison functions.
+
+Fixes: c71bcdcb42a7 ("i2c: add i2c bus driver for NVIDIA GPU")
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Ajay Gupta <ajayg@nvidia.com>
+Tested-by: Ajay Gupta <ajayg@nvidia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-nvidia-gpu.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-nvidia-gpu.c
++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c
+@@ -8,6 +8,7 @@
+ #include <linux/delay.h>
+ #include <linux/i2c.h>
+ #include <linux/interrupt.h>
++#include <linux/iopoll.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/platform_device.h>
+@@ -75,20 +76,15 @@ static void gpu_enable_i2c_bus(struct gp
+
+ static int gpu_i2c_check_status(struct gpu_i2c_dev *i2cd)
+ {
+- unsigned long target = jiffies + msecs_to_jiffies(1000);
+ u32 val;
++ int ret;
+
+- do {
+- val = readl(i2cd->regs + I2C_MST_CNTL);
+- if (!(val & I2C_MST_CNTL_CYCLE_TRIGGER))
+- break;
+- if ((val & I2C_MST_CNTL_STATUS) !=
+- I2C_MST_CNTL_STATUS_BUS_BUSY)
+- break;
+- usleep_range(500, 600);
+- } while (time_is_after_jiffies(target));
++ ret = readl_poll_timeout(i2cd->regs + I2C_MST_CNTL, val,
++ !(val & I2C_MST_CNTL_CYCLE_TRIGGER) ||
++ (val & I2C_MST_CNTL_STATUS) != I2C_MST_CNTL_STATUS_BUS_BUSY,
++ 500, 1000 * USEC_PER_MSEC);
+
+- if (time_is_before_jiffies(target)) {
++ if (ret) {
+ dev_err(i2cd->dev, "i2c timeout error %x\n", val);
+ return -ETIMEDOUT;
+ }
netfilter-flowtable-reload-ip-v6-h-in-nf_flow_tuple_ip-v6.patch
netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch
netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch
+i2c-nvidia-gpu-handle-timeout-correctly-in-gpu_i2c_check_status.patch
+bpf-x32-fix-bug-with-jmp32-jset-bpf_x-checking-upper-bits.patch
+bpf-initialize-storage-pointers-to-null-to-prevent-freeing-garbage-pointer.patch
+bpf-btf-fix-btf-verification-of-enum-members-in-struct-union.patch
+bpf-sockmap-remove-bucket-lock-from-sock_-hash-map-_free.patch
+arm-dts-sun8i-a83t-tbs-a711-fix-usb-otg-mode-detection.patch
+vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
--- /dev/null
+From 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Date: Wed, 11 Mar 2020 11:19:06 +0100
+Subject: vti6: Fix memory leak of skb if input policy check fails
+
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+
+commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.
+
+The vti6_rcv function performs some tests on the retrieved tunnel
+including checking the IP protocol, the XFRM input policy, the
+source and destination address.
+
+In all but one places the skb is released in the error case. When
+the input policy check fails the network packet is leaked.
+
+Using the same goto-label discard in this case to fix this problem.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -311,7 +311,7 @@ static int vti6_rcv(struct sk_buff *skb)
+
+ if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+ rcu_read_unlock();
+- return 0;
++ goto discard;
+ }
+
+ ipv6h = ipv6_hdr(skb);
projects / thirdparty / kernel / stable-queue.git / commitdiff
