From: Sasha Levin Date: Mon, 26 Jul 2021 02:40:54 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.277~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=073a471f24cb47417a4cb53646e9669e714d3675;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/e1000e-fix-an-error-handling-path-in-e1000_probe.patch b/queue-4.14/e1000e-fix-an-error-handling-path-in-e1000_probe.patch
new file mode 100644
index 00000000000..7472554f980
--- /dev/null
+++ b/queue-4.14/e1000e-fix-an-error-handling-path-in-e1000_probe.patch
@@ -0,0 +1,38 @@
+From 45a8cf46b5ecaba75000fe5b23d0e31c93ee833a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET
+Acked-by: Sasha Neftin
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index f50d0da8fefe..116914de603e 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7392,6 +7392,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
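Review bot: The added `pci_disable_pcie_error_reporting(pdev)` sits under `err_alloc_etherdev:` and above `err_pci_reg:`, so it is balanced only if the matching enable call in e1000_probe() runs after the memory-region request and before the netdev allocation. That call site is outside the hunk and should be checked in the 4.14 tree rather than assumed from upstream. The fm10k, i40evf, igb and ixgbe probe hunks in this series place the call the same way and need the same check. A short comment on the unwind line would keep the pairing visible, for example `/* pairs with pci_enable_pcie_error_reporting() done after the region request */`.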
diff --git a/queue-4.14/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch b/queue-4.14/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
new file mode 100644
index 00000000000..bce6f4d2004
--- /dev/null
+++ b/queue-4.14/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
@@ -0,0 +1,36 @@
+From 5f46eaed1b8021a58238be41fe51e6377267c697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:00:36 +0200
+Subject: fm10k: Fix an error handling path in 'fm10k_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+index 63784576ae8b..6b71fc19ab38 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+@@ -2095,6 +2095,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.14/iavf-fix-an-error-handling-path-in-iavf_probe.patch b/queue-4.14/iavf-fix-an-error-handling-path-in-iavf_probe.patch
new file mode 100644
index 00000000000..db6cfcf0c67
--- /dev/null
+++ b/queue-4.14/iavf-fix-an-error-handling-path-in-iavf_probe.patch
@@ -0,0 +1,36 @@
+From d163d270e093a2375380954e8737d401723e023c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40evf/i40evf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+index 1b5d204c57c1..ad2dd5b747b2 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c
++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+@@ -2924,6 +2924,7 @@ static int i40evf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.14/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/queue-4.14/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
new file mode 100644
index 00000000000..822367c036c
--- /dev/null
+++ b/queue-4.14/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
@@ -0,0 +1,59 @@
+From 664e4d710ec8389a95aa0a859fe961456b7ab86f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov
+Reviewed-by: Grzegorz Siwik
+Reviewed-by: Arkadiusz Kubalewski
+Reviewed-by: Slawomir Laba
+Reviewed-by: Sylwester Dziedziuch
+Reviewed-by: Mateusz Palczewski
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index c4898bb9896f..6bd30d51dafc 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -949,6 +949,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -957,7 +958,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < 
num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
diff --git a/queue-4.14/igb-fix-an-error-handling-path-in-igb_probe.patch b/queue-4.14/igb-fix-an-error-handling-path-in-igb_probe.patch
new file mode 100644
index 00000000000..310dc14995b
--- /dev/null
+++ b/queue-4.14/igb-fix-an-error-handling-path-in-igb_probe.patch
@@ -0,0 +1,37 @@
+From 2429283fb8eb82e2c6f3610e97fbee71372d3ef6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 36c656736811..c4898bb9896f 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -2784,6 +2784,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.14/igb-fix-use-after-free-error-during-reset.patch b/queue-4.14/igb-fix-use-after-free-error-during-reset.patch
new file mode 100644
index 00000000000..a0101e15182
--- /dev/null
+++ b/queue-4.14/igb-fix-use-after-free-error-during-reset.patch
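Review bot: The clamp in igb_request_msix() bounds only this function's loop through the local `num_q_vectors`; `adapter->num_q_vectors` keeps the out-of-range value, so any other code that indexes `adapter->q_vector[]` by that field (none is visible in this hunk) can still read past MAX_Q_VECTORS. A count above the maximum suggests the adapter state is already inconsistent, so it is worth considering whether the function should fail the request instead of warning and continuing, or whether the field should be validated where it is assigned. At minimum a comment on the clamp should say that it protects this loop only, e.g. `/* bounds this loop only; adapter->num_q_vectors is left unchanged */`. The rest of the function, including its error unwinding, lies outside the hunk.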
@@ -0,0 +1,45 @@
+From 9801b6c1f5b0d306044aa788e9a4f3543233679a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes
+
+[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes
+Reported-by: Erez Geva
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 50fa0401c701..36c656736811 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3962,6 +3962,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
diff --git a/queue-4.14/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch b/queue-4.14/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
new file mode 100644
index 00000000000..aa419774351
--- /dev/null
+++ b/queue-4.14/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
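Review bot: The store `tx_buffer->next_to_watch = NULL;` lands after the unmap loop, where the following comment ("one more past the eop_desc") implies `tx_buffer` has already been advanced to the packet's last buffer. If next_to_watch is recorded on a packet's first buffer, which the hunk does not show, a multi-fragment packet would keep its stale pointer while only the end-of-packet entry is cleared. That needs checking against the loop body of igb_clean_tx_ring() in the 4.14 tree, which starts outside the hunk. A comment should also state which buffer is being cleared and why, e.g. `/* drop the stale eop pointer so a concurrent igb_poll() cannot follow it */`.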
@@ -0,0 +1,37 @@
+From 40cb4ebc820ab97c46456e5b6aa2c25a702131cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index e9205c893531..daf94d5cbef1 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -10572,6 +10572,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.14/liquidio-fix-unintentional-sign-extension-issue-on-l.patch b/queue-4.14/liquidio-fix-unintentional-sign-extension-issue-on-l.patch
new file mode 100644
index 00000000000..9565fa12df8
--- /dev/null
+++ b/queue-4.14/liquidio-fix-unintentional-sign-extension-issue-on-l.patch
@@ -0,0 +1,43 @@
+From db36a97c80c6323a5609023201fda1393b877563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jul 2021 16:23:43 +0100
+Subject: liquidio: Fix unintentional sign extension issue on left shift of u16
+
+From: Colin Ian King
+
+[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ]
+
+Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS
+(29) bits will be promoted to a 32 bit signed int and then sign-extended
+to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7)
+the shifted value will be sign extended and the top 32 bits of the result
+will be set.
+
+Fix this by casting the u16 values to a u64 before the 29 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+
+Fixes: 3451b97cce2d ("liquidio: CN23XX register setup")
+Signed-off-by: Colin Ian King
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+index 30f0e54f658e..4248ba307b66 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct)
+ * bits 32:47 indicate the PVF num.
+ */
+ for (q_no = 0; q_no < ern; q_no++) {
+- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
+
+ /* for VF assigned queues. */
+ if (q_no < oct->sriov_info.pf_srn) {
+--
+2.30.2
+
diff --git a/queue-4.14/net-decnet-fix-sleeping-inside-in-af_decnet.patch b/queue-4.14/net-decnet-fix-sleeping-inside-in-af_decnet.patch
new file mode 100644
index 00000000000..0ad96335fa2
--- /dev/null
+++ b/queue-4.14/net-decnet-fix-sleeping-inside-in-af_decnet.patch
@@ -0,0 +1,126 @@
+From 33a8249c0df8f0f53b52094b7b65e114d66ba53a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 8dbfcd388633..9c7b8ff4556a 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -824,7 +824,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -834,11 +834,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -852,9 +852,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@ 
-866,7 +865,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -875,11 +874,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -893,9 +892,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1040,16 +1038,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1064,9 +1062,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ 
remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
diff --git a/queue-4.14/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch b/queue-4.14/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
new file mode 100644
index 00000000000..fb3b8b2bbb4
--- /dev/null
+++ b/queue-4.14/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
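Review bot: The `scp->state` tests that decide whether to sleep in dn_confirm_accept() and dn_wait_run() still run between `release_sock(sk)` and `lock_sock(sk)`, that is, without the socket lock, and nothing in the new code explains why that is acceptable. As far as I can tell the conversion is safe because the task stays on the wait queue for the whole loop and a wakeup arriving before `wait_woken()` is recorded by `woken_wake_function` rather than lost, but the one-line commit message does not say this. A comment above each `add_wait_queue()` would make it reviewable, e.g. `/* stay queued across release_sock(); wait_woken() does not lose a wakeup that arrives before it */`. The signal and timeout handling of the three loops is outside the hunks and should be re-read with the new primitive in mind.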
@@ -0,0 +1,57 @@
+From 9327ac5e5547048c9ba796eb2361b1c4ea15ec4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan
+Signed-off-by: David S. 
Miller
+Signed-off-by: Sasha Levin
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index df936d2f58bd..c44ade1b1833 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
diff --git a/queue-4.14/netrom-decrease-sock-refcount-when-sock-timers-expir.patch b/queue-4.14/netrom-decrease-sock-refcount-when-sock-timers-expir.patch
new file mode 100644
index 00000000000..eed00f97c4a
--- /dev/null
+++ b/queue-4.14/netrom-decrease-sock-refcount-when-sock-timers-expir.patch
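Review bot: The new `nr_segs == 0` test protects the `iov->iov_base` read only through `||` short-circuiting, and the code does not say that the order is load-bearing; a later reordering of the two conditions would silently reintroduce the uninitialised read. A comment such as `/* test nr_segs first: with zero segments iov is uninitialised stack */` would pin that down, and the two `unlikely()` wrappers can be folded into one, `if (unlikely(!msg->msg_iter.nr_segs || !msg->msg_iter.iov->iov_base))`. Both conditions also read `msg_iter` as if it were iovec-backed and look at the first segment only; whether caif_seqpkt_sendmsg() can be reached with another iterator type is not visible from the hunk and is worth confirming. The function continues outside the hunk.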
@@ -0,0 +1,118 @@
+From 2a5630790ad236110223177a7a9a5ce7c44c672d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jul 2021 22:40:13 +0800
+Subject: netrom: Decrease sock refcount when sock timers expire
+
+From: Nguyen Dinh Phi
+
+[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]
+
+Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
+sock timer API. It replaces mod_timer() by sk_reset_timer(), and
+del_timer() by sk_stop_timer().
+
+Function sk_reset_timer() will increase the refcount of sock if it is
+called on an inactive timer, hence, in case the timer expires, we need to
+decrease the refcount ourselves in the handler, otherwise, the sock
+refcount will be unbalanced and the sock will never be freed.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
+Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_timer.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index f0ecaec1ff3d..d1a0b7056743 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -125,11 +125,9 @@ static void nr_heartbeat_expiry(unsigned long param)
+ is accepted() it isn't 'dead' so doesn't get removed. 
*/
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+- sock_put(sk);
+- return;
++ goto out;
+ }
+ break;
+
+@@ -150,6 +148,8 @@ static void nr_heartbeat_expiry(unsigned long param)
+
+ nr_start_heartbeat(sk);
+ bh_unlock_sock(sk);
++out:
++ sock_put(sk);
+ }
+
+ static void nr_t2timer_expiry(unsigned long param)
+@@ -163,6 +163,7 @@ static void nr_t2timer_expiry(unsigned long param)
+ nr_enquiry_response(sk);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t4timer_expiry(unsigned long param)
+@@ -172,6 +173,7 @@ static void nr_t4timer_expiry(unsigned long param)
+ bh_lock_sock(sk);
+ nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY;
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_idletimer_expiry(unsigned long param)
+@@ -200,6 +202,7 @@ static void nr_idletimer_expiry(unsigned long param)
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t1timer_expiry(unsigned long param)
+@@ -212,8 +215,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_1:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_CONNREQ);
+@@ -223,8 +225,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_2:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_DISCREQ);
+@@ -234,8 +235,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_3:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_requeue_frames(sk);
+@@ -244,5 +244,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ }
+
+ nr_start_t1timer(sk);
++out:
+ bh_unlock_sock(sk);
++ 
sock_put(sk);
+ }
+--
+2.30.2
+
diff --git a/queue-4.14/perf-lzma-close-lzma-stream-on-exit.patch b/queue-4.14/perf-lzma-close-lzma-stream-on-exit.patch
new file mode 100644
index 00000000000..422aafbc0e2
--- /dev/null
+++ b/queue-4.14/perf-lzma-close-lzma-stream-on-exit.patch
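Review bot: Every expiry handler now has to drop exactly one socket reference on every exit, but none of the added `sock_put(sk)` calls or `out:` labels says which reference that is. A comment at each, such as `/* drop the reference taken by sk_reset_timer() when this timer was armed */`, would stop a later early `return` from reintroducing the leak or an extra put from causing a use-after-free. Any `return` left in the switch arms of nr_heartbeat_expiry(), nr_idletimer_expiry() or nr_t1timer_expiry() outside these hunks would still skip the put and should be checked in the 4.14 file. In nr_heartbeat_expiry() the removed `sock_hold()`/`sock_put()` pair means the timer's reference is now what keeps `sk` alive across `nr_destroy_socket(sk)`, which also deserves a line of explanation.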
@@ -0,0 +1,72 @@
+From 82ed725274abb2ab9b432c7a4842f7a39d323e72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:19 +0200
+Subject: perf lzma: Close lzma stream on exit
+
+From: Riccardo Mancini
+
+[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ]
+
+ASan reports memory leaks when running:
+
+ # perf test "88: Check open filename arg using perf trace + vfs_getname"
+
+One of these is caused by the lzma stream never being closed inside
+lzma_decompress_to_file().
+
+This patch adds the missing lzma_end().
+
+Signed-off-by: Riccardo Mancini
+Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/lzma.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
+index 07498eaddc08..bbf4c6bc2c2e 100644
+--- a/tools/perf/util/lzma.c
++++ b/tools/perf/util/lzma.c
+@@ -64,7 +64,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (ferror(infile)) {
+ pr_err("lzma: read error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ if (feof(infile))
+@@ -78,7 +78,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (writen(output_fd, buf_out, write_size) != write_size) {
+ pr_err("lzma: write error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ strm.next_out = buf_out;
+@@ -90,11 +90,13 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+ break;
+
+ pr_err("lzma: failed %s\n", lzma_strerror(ret));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+ }
+
+ err = 0;
++err_lzma_end:
++ lzma_end(&strm);
+ err_fclose:
+ fclose(infile);
+ return err;
+--
+2.30.2
+
diff --git a/queue-4.14/perf-map-fix-dso-nsinfo-refcounting.patch b/queue-4.14/perf-map-fix-dso-nsinfo-refcounting.patch
new file mode 100644
index 00000000000..83cf842c81d
--- /dev/null
+++ b/queue-4.14/perf-map-fix-dso-nsinfo-refcounting.patch
@@ -0,0 +1,51 @@
+From 24c9f11fa5be82a806ebc6b48f483070a1ffaef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf map: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini
+
+[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ]
+
+ASan reports a memory leak of nsinfo during the execution of
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini
+Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Krister Johansen
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 9d42a2821ecb..d7c34feef58e 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -216,6 +216,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len,
+ if (type != MAP__FUNCTION)
+ dso__set_loaded(dso, map->type);
+ }
++
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+ dso__put(dso);
+ }
+--
+2.30.2
+
diff --git a/queue-4.14/perf-probe-file-delete-namelist-in-del_events-on-the.patch b/queue-4.14/perf-probe-file-delete-namelist-in-del_events-on-the.patch
new file mode 100644
index 00000000000..aff9ac361e5
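Review bot: `nsinfo__put(dso->nsinfo)` releases the old reference before the new pointer is stored, and the get_target_map() hunk of the perf probe patch in this series goes further by calling `nsinfo__get(nsi)` only after the put. That order is safe only if the old and new pointers can never be the same object with the dso holding its last reference; otherwise the put frees the object that the next line reuses. Whether that can happen depends on how `nsi` is obtained, which is outside both hunks. Taking the new reference first removes the question, e.g. in get_target_map(): `struct nsinfo *old = map->dso->nsinfo;`, `map->dso->nsinfo = nsinfo__get(nsi);`, `nsinfo__put(old);`.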
--- /dev/null
+++ b/queue-4.14/perf-probe-file-delete-namelist-in-del_events-on-the.patch
@@ -0,0 +1,54 @@
+From 2c109eebf3729d401ee37a7951139aab816044e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:25 +0200
+Subject: perf probe-file: Delete namelist in del_events() on the error path
+
+From: Riccardo Mancini
+
+[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+This second leak is caused by a strlist not being dellocated on error
+inside probe_file__del_events.
+
+This patch adds a goto label before the deallocation and makes the error
+path jump to it.
+
+Signed-off-by: Riccardo Mancini
+Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/probe-file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 6ab9230ce8ee..4de93df73c4c 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter)
+
+ ret = probe_file__get_events(fd, filter, namelist);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = probe_file__del_strlist(fd, namelist);
++out:
+ strlist__delete(namelist);
+-
+ return ret;
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.14/perf-probe-fix-dso-nsinfo-refcounting.patch b/queue-4.14/perf-probe-fix-dso-nsinfo-refcounting.patch
new file mode 100644
index 00000000000..afc4b0a14fe
--- /dev/null
+++ b/queue-4.14/perf-probe-fix-dso-nsinfo-refcounting.patch
@@ -0,0 +1,54 @@
+From 1c3a36af50501af0efa4ba7c35932084dd5a2a71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf probe: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini
+
+[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread".
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever
+a refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini
+Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Krister Johansen
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/probe-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index 7c286756c34b..a0597e417ca3 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -197,8 +197,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user)
+ struct map *map;
+
+ map = dso__new_map(target);
+- if (map && map->dso)
++ if (map && map->dso) {
++ nsinfo__put(map->dso->nsinfo);
+ map->dso->nsinfo = nsinfo__get(nsi);
++ }
+ return map;
+ } else {
+ return kernel_get_module_map(target);
+--
+2.30.2
+
diff --git a/queue-4.14/perf-test-bpf-free-obj_buf.patch b/queue-4.14/perf-test-bpf-free-obj_buf.patch
new file mode 100644
index 00000000000..0a1d159df7d
--- /dev/null
+++ b/queue-4.14/perf-test-bpf-free-obj_buf.patch
@@ -0,0 +1,56 @@ +From 1d4c5c6208bb2aec117661b7dbeb0cee4d70ecdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:24 +0200 +Subject: perf test bpf: Free obj_buf + +From: Riccardo Mancini + +[ Upstream commit 937654ce497fb6e977a8c52baee5f7d9616302d9 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +The first of these leaks is caused by obj_buf never being deallocated in +__test__bpf. + +This patch adds the missing free. + +Signed-off-by: Riccardo Mancini +Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com +[ Added missing stdlib.h include ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/tests/bpf.c b/tools/perf/tests/bpf.c +index 34c22cdf4d5d..3fc7fd779c27 100644 +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -1,5 +1,6 @@ + #include + #include ++#include + #include + #include + #include +@@ -275,6 +276,7 @@ static int __test__bpf(int idx) + } + + out: ++ free(obj_buf); + bpf__clear(); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.14/perf-test-session_topology-delete-session-evlist.patch b/queue-4.14/perf-test-session_topology-delete-session-evlist.patch new file mode 100644 index 00000000000..4afef022cc2 --- /dev/null +++ b/queue-4.14/perf-test-session_topology-delete-session-evlist.patch 
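Review bot: The `free(obj_buf)` added under `out:` in __test__bpf() is only defined if obj_buf holds NULL or a live allocation on every path that reaches the label. The declaration and the earlier exits are outside the hunk, so this cannot be confirmed from here. If any `goto out` can run before the buffer is fetched, declaring it as `void *obj_buf = NULL;` keeps the cleanup safe.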
@@ -0,0 +1,48 @@ +From 33e76eefae501f236f1203058c3481f750a8bc12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:08 +0200 +Subject: perf test session_topology: Delete session->evlist + +From: Riccardo Mancini + +[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ] + +ASan reports a memory leak related to session->evlist while running: + + # perf test "41: Session topology". + +When perf_data is in write mode, session->evlist is owned by the caller, +which should also take care of deleting it. + +This patch adds the missing evlist__delete(). + +Signed-off-by: Riccardo Mancini +Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c +index 4e9dad8c9763..f03c26b369c7 100644 +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -50,6 +50,7 @@ static int session_write_header(char *path) + TEST_ASSERT_VAL("failed to write header", + !perf_session__write_header(session, session->evlist, file.fd, true)); + ++ evlist__delete(session->evlist); + perf_session__delete(session); + + return 0; +-- +2.30.2 + diff --git a/queue-4.14/proc-avoid-mixing-integer-types-in-mem_rw.patch b/queue-4.14/proc-avoid-mixing-integer-types-in-mem_rw.patch new file mode 100644 index 00000000000..6093e99232d --- /dev/null +++ b/queue-4.14/proc-avoid-mixing-integer-types-in-mem_rw.patch 
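Review bot: The added `evlist__delete(session->evlist)` in session_write_header() may not build on a 4.14 tree. As far as I recall the helper was still named `perf_evlist__delete()` there and the `evlist__delete()` name only arrived with a later rename, so tools/perf should be build-tested before this is queued. Separately, the cleanup only runs on the success path: if TEST_ASSERT_VAL returns early on a failed assertion, as the perf test macros usually do, both the evlist and the session stay allocated. The function starts above the hunk.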
@@ -0,0 +1,52 @@ +From 6e8f95c425fdb9305c55aab5fb1b4503b9edf032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:54:38 -0700 +Subject: proc: Avoid mixing integer types in mem_rw() + +From: Marcelo Henrique Cerri + +[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] + +Use size_t when capping the count argument received by mem_rw(). Since +count is size_t, using min_t(int, ...) can lead to a negative value +that will later be passed to access_remote_vm(), which can cause +unexpected behavior. + +Since we are capping the value to at maximum PAGE_SIZE, the conversion +from size_t to int when passing it to access_remote_vm() as "len" +shouldn't be a problem. + +Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com +Reviewed-by: David Disseldorp +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Marcelo Henrique Cerri +Cc: Alexey Dobriyan +Cc: Souza Cascardo +Cc: Christian Brauner +Cc: Michel Lespinasse +Cc: Helge Deller +Cc: Oleg Nesterov +Cc: Lorenzo Stoakes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 005d4cb2347e..5f68454cf421 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -841,7 +841,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); + + while (count > 0) { +- int this_len = min_t(int, count, PAGE_SIZE); ++ size_t this_len = min_t(size_t, count, PAGE_SIZE); + + if (write && copy_from_user(page, buf, this_len)) { + copied = -EFAULT; +-- +2.30.2 + diff --git a/queue-4.14/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch b/queue-4.14/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch new file mode 100644 index 00000000000..2fc8889be43 --- /dev/null +++ b/queue-4.14/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch 
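Review bot: The new `size_t this_len = min_t(size_t, count, PAGE_SIZE);` in mem_rw() deserves a comment, because the later narrowing to access_remote_vm()'s length argument is safe only thanks to this cap. Something like `/* cap in size_t: a large caller-supplied count must not turn negative when narrowed to int */` above the line would keep a future cleanup from reintroducing `min_t(int, ...)`. The rest of the loop is outside the hunk, so it is worth confirming that the value assigned back from access_remote_vm() can never be negative now that this_len is unsigned.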
@@ -0,0 +1,56 @@ +From 0840c6671065ba9c2df9fd2660cac7bf1e318c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:25:16 +0200 +Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE + modem" + +From: Vincent Palatin + +[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ] + +This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd. + +While the patch was working as stated,ie preventing the L850-GL LTE modem +from crashing on some U3 wake-ups due to a race condition between the +host wake-up and the modem-side wake-up, when using the MBIM interface, +this would force disabling the USB runtime PM on the device. + +The increased power consumption is significant for LTE laptops, +and given that with decently recent modem firmwares, when the modem hits +the bug, it automatically recovers (ie it drops from the bus, but +automatically re-enumerates after less than half a second, rather than being +stuck until a power cycle as it was doing with ancient firmware), for +most people, the trade-off now seems in favor of re-enabling it by +default. + +For people with access to the platform code, the bug can also be worked-around +successfully by changing the USB3 LFPM polling off-time for the XHCI +controller in the BIOS code. 
+ +Signed-off-by: Vincent Palatin +Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org +Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/quirks.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 3dfd584a1ef3..2ca6ed207e26 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -325,10 +325,6 @@ static const struct usb_device_id usb_quirk_list[] = { + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + +- /* Fibocom L850-GL LTE Modem */ +- { USB_DEVICE(0x2cb7, 0x0007), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +2.30.2 + diff --git a/queue-4.14/s390-bpf-perform-r1-range-checking-before-accessing-.patch b/queue-4.14/s390-bpf-perform-r1-range-checking-before-accessing-.patch new file mode 100644 index 00000000000..f873fe1c7d6 --- /dev/null +++ b/queue-4.14/s390-bpf-perform-r1-range-checking-before-accessing-.patch 
@@ -0,0 +1,44 @@ +From 339a5264f71dde55a73fb7f0bc6e370116ba150d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:57:12 +0100 +Subject: s390/bpf: Perform r1 range checking before accessing + jit->seen_reg[r1] + +From: Colin Ian King + +[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ] + +Currently array jit->seen_reg[r1] is being accessed before the range +checking of index r1. The range changing on r1 should be performed +first since it will avoid any potential out-of-range accesses on the +array seen_reg[] and also it is more optimal to perform checks on r1 +before fetching data from the array. Fix this by swapping the order +of the checks before the array access. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Borkmann +Tested-by: Ilya Leoshkevich +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index b8bd84104843..bb3710e7ad9c 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -117,7 +117,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + { + u32 r1 = reg2hex[b1]; + +- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15) ++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1]) + jit->seen_reg[r1] = 1; + } + +-- +2.30.2 + diff --git a/queue-4.14/scsi-iscsi-fix-iface-sysfs-attr-detection.patch b/queue-4.14/scsi-iscsi-fix-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..f7b0a1d4668 --- /dev/null +++ b/queue-4.14/scsi-iscsi-fix-iface-sysfs-attr-detection.patch 
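Review bot: reg_set_seen() still indexes `reg2hex[b1]` with no bound on b1, so the reordered test protects `jit->seen_reg[]` but not the lookup table that produces r1. The size of reg2hex and the guarantees callers give for b1 are not visible in this hunk. If b1 is not already constrained, a guard such as `if (b1 >= ARRAY_SIZE(reg2hex)) return;` before the lookup would close the same class of out-of-range read. The literals 6 and 15 would also read better as named constants.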
@@ -0,0 +1,146 @@ +From 30e588ffdbb0039365bac797f1f670ee67c3eb4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 19:25:59 -0500 +Subject: scsi: iscsi: Fix iface sysfs attr detection + +From: Mike Christie + +[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ] + +A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when +iscsi_iface_attr_is_visible tries to figure out the type by just checking +the value, we can collide and return the wrong type. When we call into the +driver we might not match and return that we don't want attr visible in +sysfs. The patch fixes this by setting the type when we figure out what the +param is. + +Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com +Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings") +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------ + 1 file changed, 34 insertions(+), 56 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 95c61fb4b81b..064c941e5483 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -427,39 +427,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct device *dev = container_of(kobj, struct device, kobj); + struct iscsi_iface *iface = iscsi_dev_to_iface(dev); + struct iscsi_transport *t = iface->transport; +- int param; +- int param_type; ++ int param = -1; + + if (attr == &dev_attr_iface_enabled.attr) + param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_vlan_id.attr) +- param = ISCSI_NET_PARAM_VLAN_ID; +- else if (attr == &dev_attr_iface_vlan_priority.attr) +- param = ISCSI_NET_PARAM_VLAN_PRIORITY; +- else if (attr == &dev_attr_iface_vlan_enabled.attr) +- param = ISCSI_NET_PARAM_VLAN_ENABLED; +- else if (attr == 
&dev_attr_iface_mtu.attr) +- param = ISCSI_NET_PARAM_MTU; +- else if (attr == &dev_attr_iface_port.attr) +- param = ISCSI_NET_PARAM_PORT; +- else if (attr == &dev_attr_iface_ipaddress_state.attr) +- param = ISCSI_NET_PARAM_IPADDR_STATE; +- else if (attr == &dev_attr_iface_delayed_ack_en.attr) +- param = ISCSI_NET_PARAM_DELAYED_ACK_EN; +- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) +- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) +- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf.attr) +- param = ISCSI_NET_PARAM_TCP_WSF; +- else if (attr == &dev_attr_iface_tcp_timer_scale.attr) +- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; +- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) +- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; +- else if (attr == &dev_attr_iface_cache_id.attr) +- param = ISCSI_NET_PARAM_CACHE_ID; +- else if (attr == &dev_attr_iface_redirect_en.attr) +- param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) +@@ -496,6 +467,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN; + else if (attr == &dev_attr_iface_initiator_name.attr) + param = ISCSI_IFACE_PARAM_INITIATOR_NAME; ++ ++ if (param != -1) ++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param); ++ ++ if (attr == &dev_attr_iface_vlan_id.attr) ++ param = ISCSI_NET_PARAM_VLAN_ID; ++ else if (attr == &dev_attr_iface_vlan_priority.attr) ++ param = ISCSI_NET_PARAM_VLAN_PRIORITY; ++ else if (attr == &dev_attr_iface_vlan_enabled.attr) ++ param = ISCSI_NET_PARAM_VLAN_ENABLED; ++ else if (attr == &dev_attr_iface_mtu.attr) ++ param = ISCSI_NET_PARAM_MTU; ++ else if (attr == &dev_attr_iface_port.attr) ++ param = ISCSI_NET_PARAM_PORT; ++ else if (attr == &dev_attr_iface_ipaddress_state.attr) ++ param = 
ISCSI_NET_PARAM_IPADDR_STATE; ++ else if (attr == &dev_attr_iface_delayed_ack_en.attr) ++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN; ++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF; ++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; ++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; ++ else if (attr == &dev_attr_iface_cache_id.attr) ++ param = ISCSI_NET_PARAM_CACHE_ID; ++ else if (attr == &dev_attr_iface_redirect_en.attr) ++ param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) { + if (attr == &dev_attr_ipv4_iface_ipaddress.attr) + param = ISCSI_NET_PARAM_IPV4_ADDR; +@@ -586,32 +589,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + return 0; + } + +- switch (param) { +- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO: +- case ISCSI_IFACE_PARAM_HDRDGST_EN: +- case ISCSI_IFACE_PARAM_DATADGST_EN: +- case ISCSI_IFACE_PARAM_IMM_DATA_EN: +- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN: +- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN: +- case ISCSI_IFACE_PARAM_PDU_INORDER_EN: +- case ISCSI_IFACE_PARAM_ERL: +- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH: +- case ISCSI_IFACE_PARAM_FIRST_BURST: +- case ISCSI_IFACE_PARAM_MAX_R2T: +- case ISCSI_IFACE_PARAM_MAX_BURST: +- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN: +- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN: +- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL: +- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN: +- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN: +- case ISCSI_IFACE_PARAM_INITIATOR_NAME: +- param_type = ISCSI_IFACE_PARAM; +- break; +- default: +- param_type = ISCSI_NET_PARAM; +- } +- +- return t->attr_is_visible(param_type, param); ++ return 
t->attr_is_visible(ISCSI_NET_PARAM, param); + } + + static struct attribute *iscsi_iface_attrs[] = { +-- +2.30.2 + diff --git a/queue-4.14/scsi-target-fix-protect-handling-in-write-same-32.patch b/queue-4.14/scsi-target-fix-protect-handling-in-write-same-32.patch new file mode 100644 index 00000000000..525566a4072 --- /dev/null +++ b/queue-4.14/scsi-target-fix-protect-handling-in-write-same-32.patch 
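Review bot: `dev_attr_iface_enabled` is still tested at the head of the first chain in iscsi_iface_attr_is_visible(), so `param` becomes ISCSI_NET_PARAM_IFACE_ENABLE there. The new `if (param != -1) return t->attr_is_visible(ISCSI_IFACE_PARAM, param);` then queries the driver with the wrong parameter type, which is the very collision the commit sets out to remove. Moving that test to the head of the second chain fixes it: start the first chain with `if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)` and the second with `if (attr == &dev_attr_iface_enabled.attr) param = ISCSI_NET_PARAM_IFACE_ENABLE; else if (attr == &dev_attr_iface_vlan_id.attr)`. The function begins above the first hunk and the three hunks cover only part of it.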
@@ -0,0 +1,183 @@ +From 3c1e2bb35fa6755ce2c3f2fe192b6dacfb276365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:16:55 +0300 +Subject: scsi: target: Fix protect handling in WRITE SAME(32) + +From: Dmitry Bogdanov + +[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ] + +WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st +byte instead of 10th byte. + +Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com +Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_sbc.c | 35 ++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index 750a04ed0e93..bf05701f78b3 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -38,7 +38,7 @@ + #include "target_core_alua.h" + + static sense_reason_t +-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool); ++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool); + static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd); + + static sense_reason_t +@@ -292,14 +292,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb) + } + + static sense_reason_t +-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops) ++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops) + { + struct se_device *dev = cmd->se_dev; + sector_t end_lba = dev->transport->get_blocks(dev) + 1; + unsigned int sectors = sbc_get_write_same_sectors(cmd); + sense_reason_t ret; + +- if ((flags[0] & 0x04) || (flags[0] & 0x02)) { ++ if ((flags & 0x04) || (flags & 0x02)) { + pr_err("WRITE_SAME PBDATA and LBDATA" + " bits not supported for Block Discard" + " Emulation\n"); +@@ 
-321,7 +321,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + } + + /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */ +- if (flags[0] & 0x10) { ++ if (flags & 0x10) { + pr_warn("WRITE SAME with ANCHOR not supported\n"); + return TCM_INVALID_CDB_FIELD; + } +@@ -329,7 +329,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting + * translated into block discard requests within backend code. + */ +- if (flags[0] & 0x08) { ++ if (flags & 0x08) { + if (!ops->execute_unmap) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +@@ -344,7 +344,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + if (!ops->execute_write_same) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true); ++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true); + if (ret) + return ret; + +@@ -702,10 +702,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_ + } + + static sense_reason_t +-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, ++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect, + u32 sectors, bool is_write) + { +- u8 protect = cdb[1] >> 5; + int sp_ops = cmd->se_sess->sup_prot_ops; + int pi_prot_type = dev->dev_attrib.pi_prot_type; + bool fabric_prot = false; +@@ -753,7 +752,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, + /* Fallthrough */ + default: + pr_err("Unable to determine pi_prot_type for CDB: 0x%02x " +- "PROTECT: 0x%02x\n", cdb[0], protect); ++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect); + return TCM_INVALID_CDB_FIELD; + } + +@@ -828,7 +827,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, 
sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -842,7 +841,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -856,7 +855,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -877,7 +876,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -891,7 +890,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -906,7 +905,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -965,7 +964,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[12]); + +- ret = sbc_setup_write_same(cmd, &cdb[10], ops); ++ ret = sbc_setup_write_same(cmd, cdb[10], ops); + if (ret) + return ret; + break; +@@ -1063,7 +1062,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + 
cmd->t_task_lba = get_unaligned_be64(&cdb[2]); + +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +@@ -1081,7 +1080,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + * Follow sbcr26 with WRITE_SAME (10) and check for the existence + * of byte 1 bit 3 UNMAP instead of original reserved field + */ +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 55cb18d39e8..6a31c685fb6 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
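Review bot: After this change `sbc_setup_write_same()` takes a byte named `flags` whose low bits are the WRITE SAME control bits and whose top three bits are WRPROTECT, but nothing in the code documents that layout. The `>> 5` extraction is open-coded at its call to sbc_check_prot() and again as `cdb[1] >> 5` at six call sites in sbc_parse_cdb(). A short comment on the parameter, e.g. `/* flags: CDB flags byte; bits 7..5 carry WRPROTECT */`, plus a small helper or macro for the shift would keep the byte offset and the bit position from drifting apart again. Both functions extend beyond the hunks shown.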
@@ -32,3 +32,27 @@ net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch tcp-annotate-data-races-around-tp-mtu_info.patch ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch +igb-fix-use-after-free-error-during-reset.patch +ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch +igb-fix-an-error-handling-path-in-igb_probe.patch +fm10k-fix-an-error-handling-path-in-fm10k_probe.patch +e1000e-fix-an-error-handling-path-in-e1000_probe.patch +iavf-fix-an-error-handling-path-in-iavf_probe.patch +igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch +perf-map-fix-dso-nsinfo-refcounting.patch +perf-probe-fix-dso-nsinfo-refcounting.patch +perf-test-session_topology-delete-session-evlist.patch +perf-lzma-close-lzma-stream-on-exit.patch +perf-test-bpf-free-obj_buf.patch +perf-probe-file-delete-namelist-in-del_events-on-the.patch +spi-mediatek-fix-fifo-rx-mode.patch +liquidio-fix-unintentional-sign-extension-issue-on-l.patch +s390-bpf-perform-r1-range-checking-before-accessing-.patch +net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch +net-decnet-fix-sleeping-inside-in-af_decnet.patch +netrom-decrease-sock-refcount-when-sock-timers-expir.patch +scsi-iscsi-fix-iface-sysfs-attr-detection.patch +scsi-target-fix-protect-handling-in-write-same-32.patch +spi-cadence-correct-initialisation-of-runtime-pm-aga.patch +revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch +proc-avoid-mixing-integer-types-in-mem_rw.patch diff --git a/queue-4.14/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch b/queue-4.14/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch new file mode 100644 index 00000000000..eec57d07ffc --- /dev/null +++ b/queue-4.14/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch 
@@ -0,0 +1,74 @@ +From 2de7630c0d946a2bd0dcdc5434dedbd2bca9435c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 20:21:33 +0200 +Subject: spi: cadence: Correct initialisation of runtime PM again + +From: Marek Vasut + +[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ] + +The original implementation of RPM handling in probe() was mostly +correct, except it failed to call pm_runtime_get_*() to activate the +hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct +initialisation of runtime PM"), breaks the implementation further, +to the point where the system using this hard IP on ZynqMP hangs on +boot, because it accesses hardware which is gated off. + +Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime +PM") and instead add missing pm_runtime_get_noresume() and move the +RPM disabling all the way to the end of probe(). That makes ZynqMP +not hang on boot yet again. + +Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM") +Signed-off-by: Marek Vasut +Cc: Charles Keepax +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c +index 9ed5f0010e44..d9aeb9efa7aa 100644 +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -585,6 +585,12 @@ static int cdns_spi_probe(struct platform_device *pdev) + goto clk_dis_apb; + } + ++ pm_runtime_use_autosuspend(&pdev->dev); ++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs); + if (ret < 0) + master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS; +@@ -599,11 +605,6 @@ static int 
cdns_spi_probe(struct platform_device *pdev) + /* SPI controller initializations */ + cdns_spi_init_hw(xspi); + +- pm_runtime_set_active(&pdev->dev); +- pm_runtime_enable(&pdev->dev); +- pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); +- + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { + ret = -ENXIO; +@@ -636,6 +637,9 @@ static int cdns_spi_probe(struct platform_device *pdev) + + master->bits_per_word_mask = SPI_BPW_MASK(8); + ++ pm_runtime_mark_last_busy(&pdev->dev); ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + ret = spi_register_master(master); + if (ret) { + dev_err(&pdev->dev, "spi_register_master failed\n"); +-- +2.30.2 + diff --git a/queue-4.14/spi-mediatek-fix-fifo-rx-mode.patch b/queue-4.14/spi-mediatek-fix-fifo-rx-mode.patch new file mode 100644 index 00000000000..b5c4e9bff0a --- /dev/null +++ b/queue-4.14/spi-mediatek-fix-fifo-rx-mode.patch 
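Review bot: cdns_spi_probe() now takes a usage count with `pm_runtime_get_noresume()` early, but the matching `pm_runtime_put_autosuspend()` is only reached just before spi_register_master(). A failure in between, for example the `irq <= 0` branch visible in the second hunk, leaves the count elevated. The error labels are outside the hunks, so this needs checking there. If they only set the device suspended and disable runtime PM, adding `pm_runtime_put_noidle(&pdev->dev);` on that path would keep the count balanced across a later re-probe.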
@@ -0,0 +1,59 @@ +From a25a8d31ca117316a833ada805fd4919f2b793ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 14:16:09 +0200 +Subject: spi: mediatek: fix fifo rx mode + +From: Peter Hess + +[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ] + +In FIFO mode were two problems: +- RX mode was never handled and +- in this case the tx_buf pointer was NULL and caused an exception + +fix this by handling RX mode in mtk_spi_fifo_transfer + +Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Peter Hess +Signed-off-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index da28c52c9da1..e2b171057b3b 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -392,13 +392,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, + mtk_spi_setup_packet(master); + + cnt = xfer->len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ if (xfer->tx_buf) ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ ++ if (xfer->rx_buf) ++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt); + + remainder = xfer->len % 4; + if (remainder > 0) { + reg_val = 0; +- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ if (xfer->tx_buf) { ++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } ++ if (xfer->rx_buf) { ++ reg_val = readl(mdata->base + SPI_RX_DATA_REG); ++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.30.2 +
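Review bot: The RX FIFO reads added to mtk_spi_fifo_transfer() (the `ioread32_rep()` call and the `readl()` for the remainder) run before `mtk_spi_enable_transfer(master)` at the end of the hunk, so before the transfer has started. rx_buf would then be filled with whatever the register holds from earlier activity rather than with data received for this transfer. The `if (xfer->tx_buf)` guards are what address the NULL dereference described in the commit message. The receive side looks like it belongs where transfer completion is handled, which is outside this hunk. I would keep the tx_buf guards and drop the two rx_buf blocks here unless the completion path is confirmed not to drain the FIFO.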