From: Sasha Levin Date: Wed, 14 Jul 2021 20:03:46 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v5.4.133~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6dac40bb171f09bbb03051d32335b6fc121d0007;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch b/queue-4.9/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch new file mode 100644 index 00000000000..4d568b327b9 --- /dev/null +++ b/queue-4.9/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch @@ -0,0 +1,41 @@ +From 2904aafd568efa954cef61c4dc168bb52a94cd6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 14:53:36 +0800 +Subject: atm: iphase: fix possible use-after-free in ia_module_exit() + +From: Zou Wei + +[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/iphase.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c +index fe47c924dc64..a1427cb9b9ed 100644 +--- a/drivers/atm/iphase.c ++++ b/drivers/atm/iphase.c +@@ -3301,7 +3301,7 @@ static void __exit ia_module_exit(void) + { + pci_unregister_driver(&ia_driver); + +- del_timer(&ia_timer); ++ del_timer_sync(&ia_timer); + } + + module_init(ia_module_init); +-- +2.30.2 + 
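Review bot: del_timer_sync() is placed after pci_unregister_driver(), so ia_timer's handler can still be executing while each card's remove callback tears down the state it walks; the nicstar patch in this same series deletes its timer before unregistering, which is the safer order if ia_led_timer touches per-device data (its body is outside this hunk, so confirm). The commit text's claim that the handler becomes "unable to re-schedule itself" holds only for re-arming from inside the handler; any other caller of mod_timer(&ia_timer) after this point re-arms a timer whose module is about to unload. I would swap the two calls and record why: `/* stop ia_led_timer before remove frees the per-card state it reads */`.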
diff --git a/queue-4.9/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch b/queue-4.9/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch new file mode 100644 index 00000000000..04f2f2f57aa --- /dev/null +++ b/queue-4.9/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch @@ -0,0 +1,41 @@ +From 571de5365d893da0a987a6678961d26fecbbef80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 15:00:24 +0800 +Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup() + +From: Zou Wei + +[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index 8bcd09fb0feb..b2bae94ffe4d 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -298,7 +298,7 @@ static void __exit nicstar_cleanup(void) + { + XPRINTK("nicstar: nicstar_cleanup() called.\n"); + +- del_timer(&ns_timer); ++ del_timer_sync(&ns_timer); + + pci_unregister_driver(&nicstar_driver); + +-- +2.30.2 + diff --git a/queue-4.9/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch b/queue-4.9/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch new file mode 100644 index 00000000000..ccb8a1ee209 --- /dev/null +++ b/queue-4.9/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch 
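Review bot: The remaining window is between del_timer_sync() and pci_unregister_driver(): the driver is still registered there, so a probe racing module exit could re-arm ns_timer after it has been synchronously deleted, if ns_init_card is what starts it (that code is outside this hunk), leaving a pending timer on an unloaded module. The window is tiny and pre-existing, but the ordering is load-bearing and should be stated rather than left implicit, e.g. `/* _sync: the handler may be running on another CPU; nothing may re-arm ns_timer after this */`. del_timer_sync() must also not be called while holding a lock the handler takes; that is fine in __exit context but worth a word in the same comment.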
@@ -0,0 +1,166 @@ +From 80688792a19272400d8d8a84193e41311b6b465d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 15:24:15 +0000 +Subject: atm: nicstar: register the interrupt handler in the right place + +From: Zheyu Ma + +[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ] + +Because the error handling is sequential, the application of resources +should be carried out in the order of error handling, so the operation +of registering the interrupt handler should be put in front, so as not +to free the unregistered interrupt handler during error handling. + +This log reveals it: + +[ 3.438724] Trying to free already-free IRQ 23 +[ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480 +[ 3.440039] Modules linked in: +[ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 +[ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.441561] RIP: 0010:free_irq+0xfb/0x480 +[ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 +[ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 +[ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 +[ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff +[ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 +[ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 +[ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000 +[ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000 +[ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.444994] Call Trace: +[ 3.444994] ns_init_card_error+0x18e/0x250 +[ 3.444994] nicstar_init_one+0x10d2/0x1130 +[ 3.444994] local_pci_probe+0x4a/0xb0 +[ 3.444994] pci_device_probe+0x126/0x1d0 +[ 3.444994] ? pci_device_remove+0x100/0x100 +[ 3.444994] really_probe+0x27e/0x650 +[ 3.444994] driver_probe_device+0x84/0x1d0 +[ 3.444994] ? mutex_lock_nested+0x16/0x20 +[ 3.444994] device_driver_attach+0x63/0x70 +[ 3.444994] __driver_attach+0x117/0x1a0 +[ 3.444994] ? device_driver_attach+0x70/0x70 +[ 3.444994] bus_for_each_dev+0xb6/0x110 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] driver_attach+0x22/0x30 +[ 3.444994] bus_add_driver+0x1e6/0x2a0 +[ 3.444994] driver_register+0xa4/0x180 +[ 3.444994] __pci_register_driver+0x77/0x80 +[ 3.444994] ? uPD98402_module_init+0xd/0xd +[ 3.444994] nicstar_init+0x1f/0x75 +[ 3.444994] do_one_initcall+0x7a/0x3d0 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.444994] kernel_init_freeable+0x2a7/0x2f9 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] kernel_init+0x13/0x180 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ret_from_fork+0x1f/0x30 +[ 3.444994] Kernel panic - not syncing: panic_on_warn set ... +[ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 +[ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.444994] Call Trace: +[ 3.444994] dump_stack+0xba/0xf5 +[ 3.444994] ? free_irq+0xfb/0x480 +[ 3.444994] panic+0x155/0x3ed +[ 3.444994] ? __warn+0xed/0x150 +[ 3.444994] ? free_irq+0xfb/0x480 +[ 3.444994] __warn+0x103/0x150 +[ 3.444994] ? 
free_irq+0xfb/0x480 +[ 3.444994] report_bug+0x119/0x1c0 +[ 3.444994] handle_bug+0x3b/0x80 +[ 3.444994] exc_invalid_op+0x18/0x70 +[ 3.444994] asm_exc_invalid_op+0x12/0x20 +[ 3.444994] RIP: 0010:free_irq+0xfb/0x480 +[ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 +[ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 +[ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 +[ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff +[ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 +[ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 +[ 3.444994] ? vprintk_func+0x71/0x110 +[ 3.444994] ns_init_card_error+0x18e/0x250 +[ 3.444994] nicstar_init_one+0x10d2/0x1130 +[ 3.444994] local_pci_probe+0x4a/0xb0 +[ 3.444994] pci_device_probe+0x126/0x1d0 +[ 3.444994] ? pci_device_remove+0x100/0x100 +[ 3.444994] really_probe+0x27e/0x650 +[ 3.444994] driver_probe_device+0x84/0x1d0 +[ 3.444994] ? mutex_lock_nested+0x16/0x20 +[ 3.444994] device_driver_attach+0x63/0x70 +[ 3.444994] __driver_attach+0x117/0x1a0 +[ 3.444994] ? device_driver_attach+0x70/0x70 +[ 3.444994] bus_for_each_dev+0xb6/0x110 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] driver_attach+0x22/0x30 +[ 3.444994] bus_add_driver+0x1e6/0x2a0 +[ 3.444994] driver_register+0xa4/0x180 +[ 3.444994] __pci_register_driver+0x77/0x80 +[ 3.444994] ? uPD98402_module_init+0xd/0xd +[ 3.444994] nicstar_init+0x1f/0x75 +[ 3.444994] do_one_initcall+0x7a/0x3d0 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.444994] kernel_init_freeable+0x2a7/0x2f9 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] kernel_init+0x13/0x180 +[ 3.444994] ? 
rest_init+0x2c0/0x2c0 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ret_from_fork+0x1f/0x30 +[ 3.444994] Dumping ftrace buffer: +[ 3.444994] (ftrace buffer empty) +[ 3.444994] Kernel Offset: disabled +[ 3.444994] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index 7c9544ac1849..8c675c4f6d54 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -526,6 +526,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev) + /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */ + writel(0x00000000, card->membase + VPM); + ++ card->intcnt = 0; ++ if (request_irq ++ (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) { ++ pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq); ++ error = 9; ++ ns_init_card_error(card, error); ++ return error; ++ } ++ + /* Initialize TSQ */ + card->tsq.org = dma_alloc_coherent(&card->pcidev->dev, + NS_TSQSIZE + NS_TSQ_ALIGNMENT, +@@ -752,15 +761,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev) + + card->efbie = 1; + +- card->intcnt = 0; +- if (request_irq +- (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) { +- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq); +- error = 9; +- ns_init_card_error(card, error); +- return error; +- } +- + /* Register device */ + card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops, + -1, NULL); +-- +2.30.2 + diff --git a/queue-4.9/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch b/queue-4.9/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch new file mode 100644 index 00000000000..f3696c0f314 --- /dev/null +++ b/queue-4.9/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch 
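Review bot: The moved request_irq() uses IRQF_SHARED, so ns_irq_handler can be invoked for another device on the same line as soon as this call returns, which is now before TSQ/RSQ/SCQ are allocated and before the card's interrupt configuration is written later in ns_init_card. If the handler reads STAT and dispatches to the TSQ/RSQ processing paths on whatever bits the hardware currently shows (its body is outside this hunk), it will dereference queue pointers that are still NULL; a shared handler has to be safe to run from the moment it is registered. An alternative that keeps the original ordering is to leave request_irq() where it was and correct the thresholds in ns_init_card_error() so free_irq() only runs for error codes reached after the IRQ was taken. At minimum add above the new request_irq(): `/* IRQF_SHARED: ns_irq_handler may run from here on, before the queues exist */`.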
@@ -0,0 +1,117 @@ +From 9018985d8ab511f169ccc42f56766554fdc6d2ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 15:24:14 +0000 +Subject: atm: nicstar: use 'dma_free_coherent' instead of 'kfree' + +From: Zheyu Ma + +[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ] + +When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for +error handling, but the correct memory free function should be used, +otherwise it will cause an error. Since 'card->rsq.org' and +'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they +should be freed using 'dma_free_coherent'. + +Fix this by using 'dma_free_coherent' instead of 'kfree' + +This log reveals it: + +[ 3.440294] kernel BUG at mm/slub.c:4206! +[ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI +[ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141 +[ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.442780] RIP: 0010:kfree+0x26a/0x300 +[ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 +[ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 +[ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 +[ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 +[ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 +[ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 +[ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.443396] DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 +[ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.443396] Call Trace: +[ 3.443396] ns_init_card_error+0x12c/0x220 +[ 3.443396] nicstar_init_one+0x10d2/0x1130 +[ 3.443396] local_pci_probe+0x4a/0xb0 +[ 3.443396] pci_device_probe+0x126/0x1d0 +[ 3.443396] ? pci_device_remove+0x100/0x100 +[ 3.443396] really_probe+0x27e/0x650 +[ 3.443396] driver_probe_device+0x84/0x1d0 +[ 3.443396] ? mutex_lock_nested+0x16/0x20 +[ 3.443396] device_driver_attach+0x63/0x70 +[ 3.443396] __driver_attach+0x117/0x1a0 +[ 3.443396] ? device_driver_attach+0x70/0x70 +[ 3.443396] bus_for_each_dev+0xb6/0x110 +[ 3.443396] ? rdinit_setup+0x40/0x40 +[ 3.443396] driver_attach+0x22/0x30 +[ 3.443396] bus_add_driver+0x1e6/0x2a0 +[ 3.443396] driver_register+0xa4/0x180 +[ 3.443396] __pci_register_driver+0x77/0x80 +[ 3.443396] ? uPD98402_module_init+0xd/0xd +[ 3.443396] nicstar_init+0x1f/0x75 +[ 3.443396] do_one_initcall+0x7a/0x3d0 +[ 3.443396] ? rdinit_setup+0x40/0x40 +[ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.443396] kernel_init_freeable+0x2a7/0x2f9 +[ 3.443396] ? rest_init+0x2c0/0x2c0 +[ 3.443396] kernel_init+0x13/0x180 +[ 3.443396] ? rest_init+0x2c0/0x2c0 +[ 3.443396] ? 
rest_init+0x2c0/0x2c0 +[ 3.443396] ret_from_fork+0x1f/0x30 +[ 3.443396] Modules linked in: +[ 3.443396] Dumping ftrace buffer: +[ 3.443396] (ftrace buffer empty) +[ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]--- +[ 3.458922] RIP: 0010:kfree+0x26a/0x300 +[ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 +[ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 +[ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 +[ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 +[ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 +[ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 +[ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.465860] Kernel panic - not syncing: Fatal exception +[ 3.466370] Dumping ftrace buffer: +[ 3.466616] (ftrace buffer empty) +[ 3.466871] Kernel Offset: disabled +[ 3.467122] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index b2bae94ffe4d..7c9544ac1849 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -838,10 +838,12 @@ static void ns_init_card_error(ns_dev *card, int error) + dev_kfree_skb_any(hb); + } + if (error >= 12) { +- kfree(card->rsq.org); ++ dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT, ++ card->rsq.org, card->rsq.dma); + } + if (error >= 11) { +- kfree(card->tsq.org); ++ dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT, ++ card->tsq.org, card->tsq.dma); + } + if (error >= 10) { + free_irq(card->pcidev->irq, card); +-- +2.30.2 + diff --git a/queue-4.9/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch b/queue-4.9/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch new file mode 100644 index 00000000000..a49a333811e --- /dev/null +++ b/queue-4.9/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch 
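Review bot: The size handed to dma_free_coherent() must match the allocation exactly; NS_TSQSIZE + NS_TSQ_ALIGNMENT agrees with the TSQ dma_alloc_coherent() call visible elsewhere in this series, but the RSQ allocation is outside the hunk, so confirm it uses NS_RSQSIZE + NS_RSQ_ALIGNMENT and stores its handle in card->rsq.dma. The same kfree()-of-coherent-memory pattern is likely present in the normal teardown path (nicstar_remove_one, not part of this patch) and should be checked, since a BUG in mm/slub.c on module removal is as reachable as the probe-failure path. A short comment would keep this from recurring: `/* coherent DMA memory: release with dma_free_coherent(), never kfree() */`.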
@@ -0,0 +1,40 @@ +From dc13246f32631c1f36622e4ce09b7f9ebf160039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 17:57:10 +0800 +Subject: Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca + btsoc. + +From: Tim Jiang + +[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ] + +This is btsoc timing issue, after host start to downloading bt firmware, +ep2 need time to switch from function acl to function dfu, so host add +20ms delay as workaround. + +Signed-off-by: Tim Jiang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 4e3b24a0511f..30c09b9ddbf0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2508,6 +2508,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev, + sent += size; + count -= size; + ++ /* ep2 need time to switch from function acl to function dfu, ++ * so we add 20ms delay here. ++ */ ++ msleep(20); ++ + while (count) { + size = min_t(size_t, count, QCA_DFU_PACKET_LEN); + +-- +2.30.2 + diff --git a/queue-4.9/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch b/queue-4.9/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch new file mode 100644 index 00000000000..ab921ff4cd6 --- /dev/null +++ b/queue-4.9/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch 
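Review bot: The 20 ms is a bare magic number in a firmware-download path, and the comment does not say that the delay happens only once, after the first packet (it sits between `count -= size` and the `while (count)` loop), which is the thing a later reader will wonder about. I would name it, `#define QCA_DFU_EP2_SWITCH_DELAY_MS 20`, and reword the comment to `/* after the first packet ep2 switches from ACL to DFU; give the SoC 20 ms once before streaming the rest */`. The enclosing btusb_setup_qca_download_fw() starts and ends outside the hunk.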
@@ -0,0 +1,44 @@ +From 1afaf5c3e8307e7cd118334ce2b58a1a37c9a52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 16:53:30 -0700 +Subject: Bluetooth: Fix the HCI to MGMT status conversion table + +From: Yu Liu + +[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ] + +0x2B, 0x31 and 0x33 are reserved for future use but were not present in +the HCI to MGMT conversion table, this caused the conversion to be +incorrect for the HCI status code greater than 0x2A. + +Reviewed-by: Miao-chen Chou +Signed-off-by: Yu Liu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index fa9526712b0a..7aef6d23bc77 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -219,12 +219,15 @@ static u8 mgmt_status_table[] = { + MGMT_STATUS_TIMEOUT, /* Instant Passed */ + MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */ + MGMT_STATUS_FAILED, /* Transaction Collision */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */ + MGMT_STATUS_REJECTED, /* QoS Rejected */ + MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */ + MGMT_STATUS_REJECTED, /* Insufficient Security */ + MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_BUSY, /* Role Switch Pending */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_FAILED, /* Slot Violation */ + MGMT_STATUS_FAILED, /* Role Switch Failed */ + MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */ +-- +2.30.2 + diff --git a/queue-4.9/bluetooth-shutdown-controller-after-workqueues-are-f.patch b/queue-4.9/bluetooth-shutdown-controller-after-workqueues-are-f.patch new file mode 100644 index 00000000000..d6e2d83c88a --- /dev/null +++ b/queue-4.9/bluetooth-shutdown-controller-after-workqueues-are-f.patch 
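Review bot: This table is positional, so its correctness depends on every HCI status value from 0x00 upward having exactly one row, and nothing in the hunk enforces that, which is how the three reserved codes went missing in the first place. Tag the new rows with their code, e.g. `MGMT_STATUS_FAILED, /* 0x2B Reserved for future use */`, and add a compile-time size check next to the table such as `BUILD_BUG_ON(ARRAY_SIZE(mgmt_status_table) != <highest HCI error code> + 1)` using whatever constant the hci headers define for it. The lookup function (mgmt_status(), outside this hunk) presumably bounds-checks the index; if it does not, a status above the table size is an out-of-bounds read on a u8 array, so that is worth confirming as well.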
@@ -0,0 +1,116 @@ +From 53b2cb0953720831c942a4f5c29ca60657c3349f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 15:14:52 +0800 +Subject: Bluetooth: Shutdown controller after workqueues are flushed or + cancelled + +From: Kai-Heng Feng + +[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ] + +Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it +stops working: +[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed +[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on +[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd +[ 545.660350] usb 3-10: device descriptor read/64, error -110 +[ 561.283530] usb 3-10: device descriptor read/64, error -110 +[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd +[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500 +[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113) +[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110) +[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113) +[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110) + +Or kernel panics because other workqueues already freed skb: +[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 2048.663775] #PF: supervisor read access in kernel mode +[ 2048.663779] #PF: error_code(0x0000) - not-present page +[ 2048.663782] PGD 0 P4D 0 +[ 2048.663787] Oops: 0000 [#1] SMP NOPTI +[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20 +[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 
01.01.04 12/02/2020 +[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50 +[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1 +07 83 f8 01 +[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286 +[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000 +[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000 +[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0 +[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000 +[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000 +[ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000 +[ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0 +[ 2048.663856] PKRU: 55555554 +[ 2048.663859] Call Trace: +[ 2048.663865] ? skb_release_head_state+0x5e/0x80 +[ 2048.663873] kfree_skb+0x2f/0xb0 +[ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb] +[ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth] +[ 2048.663954] ? __cond_resched+0x1a/0x50 +[ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth] +[ 2048.664007] rfkill_set_block+0x98/0x170 +[ 2048.664016] rfkill_fop_write+0x136/0x1e0 +[ 2048.664022] vfs_write+0xc7/0x260 +[ 2048.664030] ksys_write+0xb1/0xe0 +[ 2048.664035] ? 
exit_to_user_mode_prepare+0x37/0x1c0 +[ 2048.664042] __x64_sys_write+0x1a/0x20 +[ 2048.664048] do_syscall_64+0x40/0xb0 +[ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 2048.664060] RIP: 0033:0x7fe02ac23c27 +[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27 +[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003 +[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440 +[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 +[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff + +So move the shutdown callback to a place where workqueues are either +flushed or cancelled to resolve the issue. 
+ +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 839c534bdcdb..50b9a0bbe5df 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1533,14 +1533,6 @@ int hci_dev_do_close(struct hci_dev *hdev) + + BT_DBG("%s %p", hdev->name, hdev); + +- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && +- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && +- test_bit(HCI_UP, &hdev->flags)) { +- /* Execute vendor specific shutdown routine */ +- if (hdev->shutdown) +- hdev->shutdown(hdev); +- } +- + cancel_delayed_work(&hdev->power_off); + + hci_request_cancel_all(hdev); +@@ -1608,6 +1600,14 @@ int hci_dev_do_close(struct hci_dev *hdev) + clear_bit(HCI_INIT, &hdev->flags); + } + ++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && ++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ test_bit(HCI_UP, &hdev->flags)) { ++ /* Execute vendor specific shutdown routine */ ++ if (hdev->shutdown) ++ hdev->shutdown(hdev); ++ } ++ + /* flush cmd work */ + flush_work(&hdev->cmd_work); + +-- +2.30.2 + diff --git a/queue-4.9/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch b/queue-4.9/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch new file mode 100644 index 00000000000..735c8847b18 --- /dev/null +++ b/queue-4.9/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch 
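Review bot: The moved block still gates on `test_bit(HCI_UP, &hdev->flags)`, but hci_dev_do_close() clears that bit with test_and_clear_bit(HCI_UP, ...) between the two hunks (that line is outside the hunk, confirm in this tree); if so, the condition is always false at the new location and hdev->shutdown() is never called, which silently disables vendor shutdown for every controller instead of reordering it. Either capture the state before the clear, `bool was_up = test_bit(HCI_UP, &hdev->flags);` at the top of the function and test `was_up` here, or drop the HCI_UP test from the moved block if the earlier early return already guarantees the device was up when this point is reached. The rest of hci_dev_do_close() is outside the hunk.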
@@ -0,0 +1,53 @@ +From 0fe58d0cf8036169e2c778d19fb7d53b4cd7d25a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 19:30:35 +0300 +Subject: clk: tegra: Ensure that PLLU configuration is applied properly + +From: Dmitry Osipenko + +[ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ] + +The PLLU (USB) consists of the PLL configuration itself and configuration +of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114, +where T114 immediately bails out if PLLU is enabled and T30 re-enables +a potentially already enabled PLL (left after bootloader) and then fully +reprograms it, which could be unsafe to do. The correct way should be to +skip enabling of the PLL if it's already enabled and then apply +configuration to the outputs. This patch doesn't fix any known problems, +it's a minor improvement. + +Acked-by: Thierry Reding +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-pll.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c +index 1ab36a355daf..789efad791a3 100644 +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -1085,7 +1085,8 @@ static int clk_pllu_enable(struct clk_hw *hw) + if (pll->lock) + spin_lock_irqsave(pll->lock, flags); + +- _clk_pll_enable(hw); ++ if (!clk_pll_is_enabled(hw)) ++ _clk_pll_enable(hw); + + ret = clk_pll_wait_for_lock(pll); + if (ret < 0) +@@ -1702,7 +1703,8 @@ static int clk_pllu_tegra114_enable(struct clk_hw *hw) + if (pll->lock) + spin_lock_irqsave(pll->lock, flags); + +- _clk_pll_enable(hw); ++ if (!clk_pll_is_enabled(hw)) ++ _clk_pll_enable(hw); + + ret = clk_pll_wait_for_lock(pll); + if (ret < 0) +-- +2.30.2 + diff --git a/queue-4.9/cw1200-add-missing-module_device_table.patch b/queue-4.9/cw1200-add-missing-module_device_table.patch new file mode 100644 index 00000000000..ea3ff620432 --- /dev/null 
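Review bot: The new guard has no comment, so the next reader sees an enable callback that sometimes skips enabling and has to dig the reason out of git history; the rationale in the commit message belongs at the site, e.g. `/* PLLU may already be running (left on by the bootloader); re-enabling a live PLL is unsafe, so only wait for lock and program the outputs */`. Both hunks are the same two lines in clk_pllu_enable() and clk_pllu_tegra114_enable(), whose bodies start and end outside the hunks, so the comment is needed in both places.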
+++ b/queue-4.9/cw1200-add-missing-module_device_table.patch
@@ -0,0 +1,37 @@
+From 83b564853ca1f95fc9dd23bad63a5bd53e8c41ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 May 2021 11:05:14 +0800
+Subject: cw1200: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei
+
+[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot
+Signed-off-by: Zou Wei
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+index d3acc85932a5..de92107549ee 100644
+--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c
++++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+@@ -62,6 +62,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
+ { SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
+ { /* end: all zeroes */ },
+ };
++MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
+
+ /* hwbus_ops implemetation */
+
+--
+2.30.2
+
diff --git a/queue-4.9/dm-space-maps-don-t-reset-space-map-allocation-curso.patch b/queue-4.9/dm-space-maps-don-t-reset-space-map-allocation-curso.patch
new file mode 100644
index 00000000000..e0b0d919d7d
--- /dev/null
+++ b/queue-4.9/dm-space-maps-don-t-reset-space-map-allocation-curso.patch
@@ -0,0 +1,90 @@ +From 080a67a0d19896fdd8093ae40fbeba750e9d61dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 09:03:49 +0100 +Subject: dm space maps: don't reset space map allocation cursor when + committing + +From: Joe Thornber + +[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ] + +Current commit code resets the place where the search for free blocks +will begin back to the start of the metadata device. There are a couple +of repercussions to this: + +- The first allocation after the commit is likely to take longer than + normal as it searches for a free block in an area that is likely to + have very few free blocks (if any). + +- Any free blocks it finds will have been recently freed. Reusing them + means we have fewer old copies of the metadata to aid recovery from + hardware error. + +Fix these issues by leaving the cursor alone, only resetting when the +search hits the end of the metadata device. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/persistent-data/dm-space-map-disk.c | 9 ++++++++- + drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c +index bf4c5e2ccb6f..e0acae7a3815 100644 +--- a/drivers/md/persistent-data/dm-space-map-disk.c ++++ b/drivers/md/persistent-data/dm-space-map-disk.c +@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b) + * Any block we allocate has to be free in both the old and current ll. + */ + r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b); ++ if (r == -ENOSPC) { ++ /* ++ * There's no free block between smd->begin and the end of the metadata device. ++ * We search before smd->begin in case something has been freed. 
++ */ ++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b); ++ } ++ + if (r) + return r; + +@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm) + return r; + + memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll)); +- smd->begin = 0; + smd->nr_allocated_this_transaction = 0; + + r = sm_disk_get_nr_free(sm, &nr_free); +diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c +index 967d8f2a731f..62a4d7da9bd9 100644 +--- a/drivers/md/persistent-data/dm-space-map-metadata.c ++++ b/drivers/md/persistent-data/dm-space-map-metadata.c +@@ -451,6 +451,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b) + * Any block we allocate has to be free in both the old and current ll. + */ + r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b); ++ if (r == -ENOSPC) { ++ /* ++ * There's no free block between smm->begin and the end of the metadata device. ++ * We search before smm->begin in case something has been freed. ++ */ ++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b); ++ } ++ + if (r) + return r; + +@@ -502,7 +510,6 @@ static int sm_metadata_commit(struct dm_space_map *sm) + return r; + + memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll)); +- smm->begin = 0; + smm->allocated_this_transaction = 0; + + return 0; +-- +2.30.2 + diff --git a/queue-4.9/drm-virtio-fix-double-free-on-probe-failure.patch b/queue-4.9/drm-virtio-fix-double-free-on-probe-failure.patch new file mode 100644 index 00000000000..33785499c08 --- /dev/null +++ b/queue-4.9/drm-virtio-fix-double-free-on-probe-failure.patch 
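Review bot: The same two-phase search is now duplicated verbatim in sm_disk_new_block() and sm_metadata_new_block_(), differing only in the struct name in the comment; a helper in dm-space-map-common, e.g. `sm_ll_find_common_free_block_wrap(old, new, begin, nr_blocks, b)` that tries [begin, nr_blocks) and then [0, begin), would keep the two copies from drifting. The wrap relies on the `end` argument of sm_ll_find_common_free_block() being exclusive so that the two ranges together cover the device exactly once; that function is outside the hunk, so confirm the bound convention. Dropping the `begin = 0` reset also means the cursor can sit at nr_blocks after the last block is handed out, making the first search empty and pushing every allocation to the fallback, which is correct but deserves a word in the comment.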
@@ -0,0 +1,38 @@ +From 10fdf8b0f4cd01824e67c035d0276e94940101d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 16:49:12 +0800 +Subject: drm/virtio: Fix double free on probe failure + +From: Xie Yongji + +[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ] + +The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure. +But such failure will be caught by virtio_gpu_probe() and then +virtio_gpu_release() will be called to do some cleanup which +will free vgdev and vgdev->vbufs again. So let's set dev->dev_private +to NULL to avoid double free. + +Signed-off-by: Xie Yongji +Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index ba7855da7c7f..6058bdab5fb8 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -234,6 +234,7 @@ err_ttm: + err_vbufs: + vgdev->vdev->config->del_vqs(vgdev->vdev); + err_vqs: ++ dev->dev_private = NULL; + kfree(vgdev); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.9/e100-handle-eeprom-as-little-endian.patch b/queue-4.9/e100-handle-eeprom-as-little-endian.patch new file mode 100644 index 00000000000..9ccbf202b61 --- /dev/null +++ b/queue-4.9/e100-handle-eeprom-as-little-endian.patch 
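Review bot: The added `dev->dev_private = NULL;` at err_vqs relies on virtio_gpu_release(), which is outside this hunk, treating a NULL dev_private as "nothing to free" rather than dereferencing it; that contract should be confirmed and documented, otherwise the double free turns into a NULL dereference on the same probe-failure path. A comment at the assignment such as `/* vgdev is freed below; tell virtio_gpu_release() there is nothing left to clean up */` would make the coupling explicit. Resetting the pointer before kfree(vgdev) is the right order, since it leaves no window in which dev_private dangles.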
@@ -0,0 +1,69 @@ +From a481f81c080912d8c2e09b6d353a1e73cb8f3cfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:38:24 -0700 +Subject: e100: handle eeprom as little endian + +From: Jesse Brandeburg + +[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ] + +Sparse tool was warning on some implicit conversions from +little endian data read from the EEPROM on the e100 cards. + +Fix these by being explicit about the conversions using +le16_to_cpu(). + +Signed-off-by: Jesse Brandeburg +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 93c29094ceff..9035cb5fc70d 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1423,7 +1423,7 @@ static int e100_phy_check_without_mii(struct nic *nic) + u8 phy_type; + int without_mii; + +- phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f; ++ phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f; + + switch (phy_type) { + case NoSuchPhy: /* Non-MII PHY; UNTESTED! */ +@@ -1543,7 +1543,7 @@ static int e100_phy_init(struct nic *nic) + mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr); + } else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) && + (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) && +- (nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) { ++ (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) { + /* enable/disable MDI/MDI-X auto-switching. */ + mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG, + nic->mii.force_media ? 
0 : NCONFIG_AUTO_SWITCH); +@@ -2298,9 +2298,9 @@ static int e100_asf(struct nic *nic) + { + /* ASF can be enabled from eeprom */ + return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) && +- (nic->eeprom[eeprom_config_asf] & eeprom_asf) && +- !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) && +- ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE); ++ (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) && ++ !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) && ++ ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE); + } + + static int e100_up(struct nic *nic) +@@ -2952,7 +2952,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* Wol magic packet can be enabled from eeprom */ + if ((nic->mac >= mac_82558_D101_A4) && +- (nic->eeprom[eeprom_id] & eeprom_id_wol)) { ++ (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) { + nic->flags |= wol_magic; + device_set_wakeup_enable(&pdev->dev, true); + } +-- +2.30.2 + diff --git a/queue-4.9/fjes-check-return-value-after-calling-platform_get_r.patch b/queue-4.9/fjes-check-return-value-after-calling-platform_get_r.patch new file mode 100644 index 00000000000..52663758b94 --- /dev/null +++ b/queue-4.9/fjes-check-return-value-after-calling-platform_get_r.patch 
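Review bot: In e100_asf() the new side converts `nic->eeprom[eeprom_config_asf]` twice with le16_to_cpu() in consecutive operands; a local such as `u16 asf = le16_to_cpu(nic->eeprom[eeprom_config_asf]);` tested against `eeprom_asf` and `eeprom_gcl` would read more clearly and match the single-read style of the other call sites. The diffstat touches only e100.c, so I assume the eeprom array is already declared `__le16` elsewhere in the file; if it is still plain u16, the le16_to_cpu() wrappers would move the sparse complaint rather than remove it, which is worth confirming. Each enclosing function begins outside its hunk.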
@@ -0,0 +1,37 @@ +From 06e889192d2bb5494cd525c5a9b1619f0d241acb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 16:02:43 +0800 +Subject: fjes: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index 3511d40ba3f1..440047a239f5 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1212,6 +1212,10 @@ static int fjes_probe(struct platform_device *plat_dev) + adapter->interrupt_watch_enable = false; + + res = platform_get_resource(plat_dev, IORESOURCE_MEM, 0); ++ if (!res) { ++ err = -EINVAL; ++ goto err_free_control_wq; ++ } + hw->hw_res.start = res->start; + hw->hw_res.size = resource_size(res); + hw->hw_res.irq = platform_get_irq(plat_dev, 0); +-- +2.30.2 + diff --git a/queue-4.9/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch b/queue-4.9/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch new file mode 100644 index 00000000000..51af15911ff --- /dev/null +++ b/queue-4.9/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch 
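Review bot: The line immediately after the new NULL check, `hw->hw_res.irq = platform_get_irq(plat_dev, 0);`, still stores its result unchecked, so a negative errno from platform_get_irq() is kept as an IRQ number while the resource lookup just above now fails cleanly. A parallel guard, `int irq = platform_get_irq(plat_dev, 0); if (irq < 0) { err = irq; goto err_free_control_wq; }` followed by `hw->hw_res.irq = irq;`, would close that gap, assuming err_free_control_wq is the right unwind point here, which I infer only from the added branch. fjes_probe()'s body continues outside the hunk.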
@@ -0,0 +1,49 @@ +From 6d4b8892ca3eb67ba4ab06e7816d7bb92e37ad29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 21:15:32 +0800 +Subject: hugetlb: clear huge pte during flush function on mips platform + +From: Bibo Mao + +[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ] + +If multiple threads are accessing the same huge page at the same +time, hugetlb_cow will be called if one thread write the COW huge +page. And function huge_ptep_clear_flush is called to notify other +threads to clear the huge pte tlb entry. The other threads clear +the huge pte tlb entry and reload it from page table, the reload +huge pte entry may be old. + +This patch fixes this issue on mips platform, and it clears huge +pte entry before notifying other threads to flush current huge +page entry, it is similar with other architectures. + +Signed-off-by: Bibo Mao +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/hugetlb.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h +index 982bc0685330..4747a4694669 100644 +--- a/arch/mips/include/asm/hugetlb.h ++++ b/arch/mips/include/asm/hugetlb.h +@@ -67,7 +67,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, + static inline void huge_ptep_clear_flush(struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep) + { +- flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma))); ++ /* ++ * clear the huge pte entry firstly, so that the other smp threads will ++ * not get old pte entry after finishing flush_tlb_page and before ++ * setting new huge pte entry ++ */ ++ huge_ptep_get_and_clear(vma->vm_mm, addr, ptep); ++ flush_tlb_page(vma, addr); + } + + static inline int huge_pte_none(pte_t pte) +-- +2.30.2 + 
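Review bot: The new flush_tlb_page(vma, addr) call drops the `huge_page_mask(hstate_vma(vma))` masking that the removed line applied, so the flush now receives whatever address the caller passed instead of the huge-page-aligned one. If the MIPS flush_tlb_page() implementation selects the TLB entry by whichever page the address falls in this is harmless, but the hunk does not show that, so either the mask should be kept or the added comment should say why it is no longer needed, e.g. `/* any address inside the huge mapping selects its TLB entry */`. Discarding the pte_t returned by huge_ptep_get_and_clear() looks intentional, since only the clearing side effect is wanted here.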
diff --git a/queue-4.9/ipv6-use-prandom_u32-for-id-generation.patch b/queue-4.9/ipv6-use-prandom_u32-for-id-generation.patch new file mode 100644 index 00000000000..dd5183b1b52 --- /dev/null +++ b/queue-4.9/ipv6-use-prandom_u32-for-id-generation.patch 
@@ -0,0 +1,94 @@ +From 79bc40cc876bc4d59847fc1e2aaf1e7aca7bbea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 May 2021 13:07:46 +0200 +Subject: ipv6: use prandom_u32() for ID generation + +From: Willy Tarreau + +[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ] + +This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash +table for IP ID generation"), but focusing on some specific aspects +of IPv6. + +Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a +minimum MTU of 1280, it's much less easy to force a remote peer to +produce many fragments to explore its ID sequence. In addition packet +IDs are 32-bit in IPv6, which further complicates their analysis. On +the other hand, it is often easier to choose among plenty of possible +source addresses and partially work around the bigger hash table the +commit above permits, which leaves IPv6 partially exposed to some +possibilities of remote analysis at the risk of weakening some +protocols like DNS if some IDs can be predicted with a good enough +probability. + +Given the wide range of permitted IDs, the risk of collision is extremely +low so there's no need to rely on the positive increment algorithm that +is shared with the IPv4 code via ip_idents_reserve(). We have a fast +PRNG, so let's simply call prandom_u32() and be done with it. + +Performance measurements at 10 Gbps couldn't show any difference with +the previous code, even when using a single core, because due to the +large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost +of the random generation is completely offset by other operations and by +the network transfer time. In addition, this change removes the need to +update a shared entry in the idents table so it may even end up being +slightly faster on large scale systems where this matters. 
+ +The risk of at least one collision here is about 1/80 million among +10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs, +which remains very low compared to IPv4 where all IDs are reused +every 4 to 80ms on a 10 Gbps flow depending on packet sizes. + +Reported-by: Amit Klein +Signed-off-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/output_core.c | 28 +++++----------------------- + 1 file changed, 5 insertions(+), 23 deletions(-) + +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index 6a6d01cb1ace..9c25e8b09306 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -14,29 +14,11 @@ static u32 __ipv6_select_ident(struct net *net, + const struct in6_addr *dst, + const struct in6_addr *src) + { +- const struct { +- struct in6_addr dst; +- struct in6_addr src; +- } __aligned(SIPHASH_ALIGNMENT) combined = { +- .dst = *dst, +- .src = *src, +- }; +- u32 hash, id; +- +- /* Note the following code is not safe, but this is okay. */ +- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) +- get_random_bytes(&net->ipv4.ip_id_key, +- sizeof(net->ipv4.ip_id_key)); +- +- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); +- +- /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, +- * set the hight order instead thus minimizing possible future +- * collisions. +- */ +- id = ip_idents_reserve(hash, 1); +- if (unlikely(!id)) +- id = 1 << 31; ++ u32 id; ++ ++ do { ++ id = prandom_u32(); ++ } while (!id); + + return id; + } +-- +2.30.2 + diff --git a/queue-4.9/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch b/queue-4.9/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch new file mode 100644 index 00000000000..8bd57eeaeed --- /dev/null +++ b/queue-4.9/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch 
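Review bot: After the rewrite, __ipv6_select_ident()'s parameters `net`, `dst` and `src` are no longer referenced by the body, which the hunk shows is now only the prandom_u32() loop. Either the signature should be trimmed (its callers are outside this hunk) or a short comment should note that they are kept for interface compatibility, so a later reader does not assume the ID still depends on the address pair. A comment above the loop such as `/* a non-cryptographic PRNG is acceptable here: the ID only disambiguates fragments, and 0 is reserved as "unset" */` would record the trade-off the commit message argues for.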
@@ -0,0 +1,50 @@ +From e81d37d99293707d8334c4f3b5f120e41dc9c875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:09:46 +0800 +Subject: MIPS: add PMD table accounting into MIPS'pmd_alloc_one + +From: Huang Pei + +[ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ] + +This fixes Page Table accounting bug. + +MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone. +Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables), +"pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one" +in MIPS without PMD table accounting causes PageTable accounting number +negative, which read by global_zone_page_state(), always returns 0. + +Signed-off-by: Huang Pei +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/pgalloc.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h +index a03e86969f78..ff982d8b62f6 100644 +--- a/arch/mips/include/asm/pgalloc.h ++++ b/arch/mips/include/asm/pgalloc.h +@@ -107,11 +107,15 @@ do { \ + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address) + { +- pmd_t *pmd; ++ pmd_t *pmd = NULL; ++ struct page *pg; + +- pmd = (pmd_t *) __get_free_pages(GFP_KERNEL, PMD_ORDER); +- if (pmd) ++ pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER); ++ if (pg) { ++ pgtable_pmd_page_ctor(pg); ++ pmd = (pmd_t *)page_address(pg); + pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table); ++ } + return pmd; + } + +-- +2.30.2 + diff --git a/queue-4.9/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch b/queue-4.9/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch new file mode 100644 index 00000000000..7a570948f85 --- /dev/null +++ b/queue-4.9/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch 
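Review bot: The new pmd_alloc_one() ignores the return value of pgtable_pmd_page_ctor(pg), which returns a bool and can fail when a split PMD ptlock has to be allocated; on failure the page should be released and NULL returned, as the generic pmd_alloc_one() does, instead of handing out a PMD page whose lock was never set up. The rewritten branch is below; the page_address()/pmd_init() lines and the final `return pmd;` are as in the hunk.
```c
	if (pg) {
		if (!pgtable_pmd_page_ctor(pg)) {
			__free_pages(pg, PMD_ORDER);
			return NULL;
		}
		/* … unchanged: page_address() and pmd_init() … */
	}
```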
@@ -0,0 +1,41 @@ +From 365d1bce5dd2ffa36a1924bf5425310bb127f421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 14:58:53 +0800 +Subject: mISDN: fix possible use-after-free in HFC_cleanup() + +From: Zou Wei + +[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index ff48da61c94c..89cf1d695a01 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -2352,7 +2352,7 @@ static void __exit + HFC_cleanup(void) + { + if (timer_pending(&hfc_tl)) +- del_timer(&hfc_tl); ++ del_timer_sync(&hfc_tl); + + pci_unregister_driver(&hfc_driver); + } +-- +2.30.2 + diff --git a/queue-4.9/net-micrel-check-return-value-after-calling-platform.patch b/queue-4.9/net-micrel-check-return-value-after-calling-platform.patch new file mode 100644 index 00000000000..f89498a43d3 --- /dev/null +++ b/queue-4.9/net-micrel-check-return-value-after-calling-platform.patch 
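Review bot: The `if (timer_pending(&hfc_tl))` guard kept around the new del_timer_sync() call defeats part of the fix: a timer whose handler is currently executing on another CPU is no longer pending, so the guard skips del_timer_sync() in exactly the case where waiting for the handler to finish matters. del_timer_sync() is safe to call on an inactive timer, so the guard should be removed and the call made unconditional, `del_timer_sync(&hfc_tl);`. HFC_cleanup() is shown in full here, so no other timer deactivation happens in it.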
@@ -0,0 +1,37 @@ +From d107b0ffd56861a9613d38433832a41b30c104d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 22:55:21 +0800 +Subject: net: micrel: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8842.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c +index cb0102dd7f70..d691c33dffc6 100644 +--- a/drivers/net/ethernet/micrel/ks8842.c ++++ b/drivers/net/ethernet/micrel/ks8842.c +@@ -1150,6 +1150,10 @@ static int ks8842_probe(struct platform_device *pdev) + unsigned i; + + iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!iomem) { ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ return -EINVAL; ++ } + if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME)) + goto err_mem_region; + +-- +2.30.2 + diff --git a/queue-4.9/net-moxa-use-devm_platform_get_and_ioremap_resource.patch b/queue-4.9/net-moxa-use-devm_platform_get_and_ioremap_resource.patch new file mode 100644 index 00000000000..d0ddb482204 --- /dev/null +++ b/queue-4.9/net-moxa-use-devm_platform_get_and_ioremap_resource.patch 
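Review bot: The new `return -EINVAL;` in ks8842_probe() bypasses the function's goto-based unwinding (`goto err_mem_region` is used on the very next failure), which is correct only if nothing has been allocated before the platform_get_resource() call; the function's beginning is outside the hunk, and the `unsigned i;` declaration just above suggests this is still the prologue, so it is probably fine but deserves a second look. Stylistically, the sibling fix in fjes_probe() in this series jumps to the function's error label, and following the local cleanup path here too would keep the probe function's exit handling uniform.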
@@ -0,0 +1,43 @@ +From cd8f4d5f36e62966eb94ad2bb0d594848f775e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 23:02:59 +0800 +Subject: net: moxa: Use devm_platform_get_and_ioremap_resource() + +From: Yang Yingliang + +[ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ] + +Use devm_platform_get_and_ioremap_resource() to simplify +code and avoid a null-ptr-deref by checking 'res' in it. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/moxa/moxart_ether.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c +index 6fe61d9343cb..9673fbe16774 100644 +--- a/drivers/net/ethernet/moxa/moxart_ether.c ++++ b/drivers/net/ethernet/moxa/moxart_ether.c +@@ -487,14 +487,13 @@ static int moxart_mac_probe(struct platform_device *pdev) + priv = netdev_priv(ndev); + priv->ndev = ndev; + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- ndev->base_addr = res->start; +- priv->base = devm_ioremap_resource(p_dev, res); ++ priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(priv->base)) { + dev_err(p_dev, "devm_ioremap_resource failed\n"); + ret = PTR_ERR(priv->base); + goto init_fail; + } ++ ndev->base_addr = res->start; + + spin_lock_init(&priv->txlock); + +-- +2.30.2 + diff --git a/queue-4.9/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch b/queue-4.9/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch new file mode 100644 index 00000000000..e281ebc5426 --- /dev/null +++ b/queue-4.9/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch 
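Review bot: The error message kept on the new side, `dev_err(p_dev, "devm_ioremap_resource failed\n");`, now names a function that is no longer called; it should read `"devm_platform_get_and_ioremap_resource failed\n"` (or a neutral "failed to map MMIO resource") so the log matches the code. For a 4.9 backport it is also worth confirming that devm_platform_get_and_ioremap_resource() exists in that tree: to my knowledge it was added to mainline well after 4.9, and if it is missing the driver will not build. moxart_mac_probe() continues outside the hunk.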
@@ -0,0 +1,87 @@ +From 8876f62f5822bc3e2a1c5108371b183790773b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 19:39:30 +0300 +Subject: net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() + +From: Andy Shevchenko + +[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ] + +Sparse is not happy about handling of strict types in pch_ptp_match(): + + .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types) + .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi + .../pch_gbe_main.c:158:33: got restricted __be16 [usertype] + .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types) + .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo + .../pch_gbe_main.c:158:45: got restricted __be32 [usertype] + .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types) + .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid + .../pch_gbe_main.c:158:56: got restricted __be16 [usertype] + +Fix that by switching to use proper accessors to BE data. + +Reported-by: kernel test robot +Signed-off-by: Andy Shevchenko +Tested-by: Flavio Suligoi +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 5d39b5319d50..cd59577a0c92 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -124,7 +124,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid) + { + u8 *data = skb->data; + unsigned int offset; +- u16 *hi, *id; ++ u16 hi, id; + u32 lo; + + if (ptp_classify_raw(skb) == PTP_CLASS_NONE) +@@ -135,14 +135,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid) + if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid)) + return 0; + +- hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID); +- id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID); ++ hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0); ++ lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2); ++ id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID); + +- memcpy(&lo, &hi[1], sizeof(lo)); +- +- return (uid_hi == *hi && +- uid_lo == lo && +- seqid == *id); ++ return (uid_hi == hi && uid_lo == lo && seqid == id); + } + + static void +@@ -152,7 +149,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb) + struct pci_dev *pdev; + u64 ns; + u32 hi, lo, val; +- u16 uid, seq; + + if (!adapter->hwts_rx_en) + return; +@@ -168,10 +164,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb) + lo = pch_src_uuid_lo_read(pdev); + hi = pch_src_uuid_hi_read(pdev); + +- uid = hi & 0xffff; +- seq = (hi >> 16) & 0xffff; +- +- if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq))) ++ if (!pch_ptp_match(skb, hi, lo, hi >> 16)) + goto out; + + ns = pch_rx_snap_read(pdev); +-- +2.30.2 + 
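Review bot: The rewritten call `pch_ptp_match(skb, hi, lo, hi >> 16)` passes the u32 `hi` to u16 parameters and relies on implicit narrowing to reproduce the removed `hi & 0xffff` and `(hi >> 16) & 0xffff` splits; that is well-defined C but reads like an accident. Spelling it out, `pch_ptp_match(skb, lower_16_bits(hi), lo, upper_16_bits(hi))`, documents the intent and keeps -Wconversion quiet. In pch_ptp_match() itself the move from pointer casts to get_unaligned_be16/32() also removes the unaligned-access hazard on packet data, and the existing `skb->len` check appears to cover the new reads provided the UUID field precedes the sequence-ID field as the offsets suggest.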
diff --git a/queue-4.9/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch b/queue-4.9/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch new file mode 100644 index 00000000000..c6c64135abc --- /dev/null +++ b/queue-4.9/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch 
@@ -0,0 +1,65 @@ +From bc136019d670c5e2bf9a7f6e7559ecc884d6a55c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 23:43:24 +0200 +Subject: net: Treat __napi_schedule_irqoff() as __napi_schedule() on + PREEMPT_RT + +From: Sebastian Andrzej Siewior + +[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ] + +__napi_schedule_irqoff() is an optimized version of __napi_schedule() +which can be used where it is known that interrupts are disabled, +e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer +callbacks. + +On PREEMPT_RT enabled kernels this assumptions is not true. Force- +threaded interrupt handlers and spinlocks are not disabling interrupts +and the NAPI hrtimer callback is forced into softirq context which runs +with interrupts enabled as well. + +Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole +game so make __napi_schedule_irqoff() invoke __napi_schedule() for +PREEMPT_RT kernels. + +The callers of ____napi_schedule() in the networking core have been +audited and are correct on PREEMPT_RT kernels as well. + +Reported-by: Juri Lelli +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Thomas Gleixner +Reviewed-by: Juri Lelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 5b69a9a41dd5..47468fc5d0c9 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4998,11 +4998,18 @@ EXPORT_SYMBOL(__napi_schedule); + * __napi_schedule_irqoff - schedule for receive + * @n: entry to schedule + * +- * Variant of __napi_schedule() assuming hard irqs are masked ++ * Variant of __napi_schedule() assuming hard irqs are masked. ++ * ++ * On PREEMPT_RT enabled kernels this maps to __napi_schedule() ++ * because the interrupt disabled assumption might not be true ++ * due to force-threaded interrupts and spinlock substitution. 
+ */ + void __napi_schedule_irqoff(struct napi_struct *n) + { +- ____napi_schedule(this_cpu_ptr(&softnet_data), n); ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) ++ ____napi_schedule(this_cpu_ptr(&softnet_data), n); ++ else ++ __napi_schedule(n); + } + EXPORT_SYMBOL(__napi_schedule_irqoff); + +-- +2.30.2 + diff --git a/queue-4.9/rdma-cma-fix-rdma_resolve_route-memory-leak.patch b/queue-4.9/rdma-cma-fix-rdma_resolve_route-memory-leak.patch new file mode 100644 index 00000000000..dd2f6f9576a --- /dev/null +++ b/queue-4.9/rdma-cma-fix-rdma_resolve_route-memory-leak.patch 
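Review bot: `IS_ENABLED(CONFIG_PREEMPT_RT)` evaluates to 0 when the Kconfig symbol is not defined at all, so on a 4.9 tree without a PREEMPT_RT symbol the new branch in __napi_schedule_irqoff() compiles to the old behaviour and the change is a no-op; it only takes effect if the tree carries an RT configuration under exactly that name, and the 4.x RT patch series used a different symbol name (CONFIG_PREEMPT_RT_FULL) as far as I recall. If the intent is to cover that patchset the symbol it defines should be checked, otherwise a note in the backport that this is preparatory would avoid confusion. The extended kernel-doc above the function reads clearly.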
@@ -0,0 +1,41 @@ +From e323917a2a71e56f10909fc9f1aa79bf7885a896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 11:55:31 -0700 +Subject: RDMA/cma: Fix rdma_resolve_route() memory leak + +From: Gerd Rausch + +[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ] + +Fix a memory leak when "mda_resolve_route() is called more than once on +the same "rdma_cm_id". + +This is possible if cma_query_handler() triggers the +RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and +allows rdma_resolve_route() to be called again. + +Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com +Signed-off-by: Gerd Rausch +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 0a6cc78ebcf7..149d210c68ab 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -2370,7 +2370,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, int timeout_ms) + work->new_state = RDMA_CM_ROUTE_RESOLVED; + work->event.event = RDMA_CM_EVENT_ROUTE_RESOLVED; + +- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); ++ if (!route->path_rec) ++ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); + if (!route->path_rec) { + ret = -ENOMEM; + goto err1; +-- +2.30.2 + diff --git a/queue-4.9/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch b/queue-4.9/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch new file mode 100644 index 00000000000..83d24619d37 --- /dev/null +++ b/queue-4.9/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch 
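Review bot: Reusing an existing `route->path_rec` on a repeated rdma_resolve_route() call fixes the leak but hands the rest of cma_resolve_ib_route() a buffer that still holds the previous attempt's contents; that is only correct if every field of the path record is rewritten further down, which is outside this hunk, otherwise a `memset(route->path_rec, 0, sizeof *route->path_rec)` on the reuse path would be safer. A one-line comment such as `/* a previous, failed resolve may have left path_rec allocated; reuse it */` would explain the otherwise unusual conditional allocation. The function continues outside the hunk.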
@@ -0,0 +1,40 @@ +From 4ae70bbbb6eeefc8630bfd707a4bb841a8cf3eb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:07:49 +0800 +Subject: RDMA/cxgb4: Fix missing error code in create_qp() + +From: Jiapeng Chong + +[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ] + +The error code is missing in this code scenario so 0 will be returned. Add +the error code '-EINVAL' to the return value 'ret'. + +Eliminates the follow smatch warning: + +drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'. + +Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/qp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 36bdb04f8f01..87bc7b0db892 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -277,6 +277,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq, + if (user && (!wq->sq.bar2_pa || !wq->rq.bar2_pa)) { + pr_warn(MOD "%s: sqid %u or rqid %u not in BAR2 range.\n", + pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid); ++ ret = -EINVAL; + goto free_dma; + } + +-- +2.30.2 + diff --git a/queue-4.9/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch b/queue-4.9/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch new file mode 100644 index 00000000000..58a4c9c3802 --- /dev/null +++ b/queue-4.9/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch 
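Review bot: The branch that now returns -EINVAL in create_qp() is reachable on the user-mode path (`user && ...`) and logs with an unratelimited pr_warn(); a userspace caller that repeatedly creates QPs in this configuration can flood the kernel log, so `pr_warn_ratelimited(MOD "%s: sqid %u or rqid %u not in BAR2 range.\n", ...)` would be the safer choice. The same applies to the pr_warn() in rxe_mem_init_user() in the rdma-rxe patch that follows, whose new side also keeps an unratelimited message on a user-triggerable failure. create_qp() continues outside the hunk.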
@@ -0,0 +1,40 @@ +From ccda6666c1a4aa2248ea35b0e2fcb1f8a63eea3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 15:14:56 +0800 +Subject: RDMA/rxe: Don't overwrite errno from ib_umem_get() + +From: Xiao Yang + +[ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ] + +rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get() +fails so it's hard for user to know which actual error happens in +ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when +trying to pin pages on a DAX file. + +Return actual error as mlx4/mlx5 does. + +Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com +Signed-off-by: Xiao Yang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c +index 6d1ba75398a1..e23b322224ab 100644 +--- a/drivers/infiniband/sw/rxe/rxe_mr.c ++++ b/drivers/infiniband/sw/rxe/rxe_mr.c +@@ -175,7 +175,7 @@ int rxe_mem_init_user(struct rxe_dev *rxe, struct rxe_pd *pd, u64 start, + if (IS_ERR(umem)) { + pr_warn("err %d from rxe_umem_get\n", + (int)PTR_ERR(umem)); +- err = -EINVAL; ++ err = PTR_ERR(umem); + goto err1; + } + +-- +2.30.2 + diff --git a/queue-4.9/reiserfs-add-check-for-invalid-1st-journal-block.patch b/queue-4.9/reiserfs-add-check-for-invalid-1st-journal-block.patch new file mode 100644 index 00000000000..62ed8f80fa6 --- /dev/null +++ b/queue-4.9/reiserfs-add-check-for-invalid-1st-journal-block.patch 
@@ -0,0 +1,57 @@ +From 777c2a5d3c7274741c58f0ebfde765ef4f3cd8e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 15:15:45 +0300 +Subject: reiserfs: add check for invalid 1st journal block + +From: Pavel Skripkin + +[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ] + +syzbot reported divide error in reiserfs. +The problem was in incorrect journal 1st block. + +Syzbot's reproducer manualy generated wrong superblock +with incorrect 1st block. In journal_init() wasn't +any checks about this particular case. + +For example, if 1st journal block is before superblock +1st block, it can cause zeroing important superblock members +in do_journal_end(). + +Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com +Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/journal.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index 2a5c4813c47d..94871f611fa8 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -2766,6 +2766,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name, + goto free_and_return; + } + ++ /* ++ * Sanity check to see if journal first block is correct. ++ * If journal first block is invalid it can cause ++ * zeroing important superblock members. ++ */ ++ if (!SB_ONDISK_JOURNAL_DEVICE(sb) && ++ SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) { ++ reiserfs_warning(sb, "journal-1393", ++ "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d", ++ SB_JOURNAL_1st_RESERVED_BLOCK(sb), ++ SB_ONDISK_JOURNAL_1st_BLOCK(sb)); ++ goto free_and_return; ++ } ++ + if (journal_init_dev(sb, journal, j_dev_name) != 0) { + reiserfs_warning(sb, "sh-462", + "unable to initialize journal device"); +-- +2.30.2 + 
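Review bot: The added sanity check in journal_init() bounds the journal's first block only from below (`SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)`) and only for the in-device journal case; a first block beyond the device's block count is not rejected here, so unless that is validated elsewhere a corrupted superblock can still place the journal past the end of the device. If no such check exists, an additional comparison against the superblock's block count on the same path would complete the validation. The format string uses `%d` for both values; if the on-disk field is read through le32_to_cpu() it is unsigned and `%u` would match. journal_init() continues outside the hunk.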
diff --git a/queue-4.9/sctp-add-size-validation-when-walking-chunks.patch b/queue-4.9/sctp-add-size-validation-when-walking-chunks.patch new file mode 100644 index 00000000000..69f9b516f6d --- /dev/null +++ b/queue-4.9/sctp-add-size-validation-when-walking-chunks.patch @@ -0,0 +1,42 @@ +From 6aac9b66e68583d00292261f3740141b2c94d0bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 16:13:42 -0300 +Subject: sctp: add size validation when walking chunks + +From: Marcelo Ricardo Leitner + +[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ] + +The first chunk in a packet is ensured to be present at the beginning of +sctp_rcv(), as a packet needs to have at least 1 chunk. But the second +one, may not be completely available and ch->length can be over +uninitialized memory. + +Fix here is by only trying to walk on the next chunk if there is enough to +hold at least the header, and then proceed with the ch->length validation +that is already there. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 12d821ea8a1f..8f4574c4aa6c 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -1165,7 +1165,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net, + + ch = (sctp_chunkhdr_t *) ch_end; + chunk_num++; +- } while (ch_end < skb_tail_pointer(skb)); ++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); + + return asoc; + } +-- +2.30.2 + diff --git a/queue-4.9/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch b/queue-4.9/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch new file mode 100644 index 00000000000..55d3cd7e699 --- /dev/null +++ b/queue-4.9/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch 
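Review bot: The new loop condition `ch_end + sizeof(*ch) < skb_tail_pointer(skb)` stops one byte early: a trailing chunk whose header ends exactly at the tail satisfies `==`, not `<`, and is never examined. That is the conservative direction (a header-only trailing chunk is unlikely to carry what the association lookup needs), but since the commit is about bounds it deserves a comment, e.g. `/* stop unless a full chunk header is still readable before the tail */`, or `<=` if such a chunk should still be walked. __sctp_rcv_walk_lookup() starts outside the hunk.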
@@ -0,0 +1,132 @@ +From 479fd7856a07c0321db4e480388cf4809f61c5cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 09:37:17 -0700 +Subject: selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC + +From: Minchan Kim + +[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ] + +In the field, we have seen lots of allocation failure from the call +path below. + +06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0 +... +... +06-03 13:29:12.999 1010315 31557 31557 W Call trace: +06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8 +06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c +06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8 +06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80 +06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430 +06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390 +06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4 +06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4 +06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184 +06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0 +06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460 +06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0 +06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc +06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c +06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88 +06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0 +06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0 +.. +.. 
+06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 
10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 + +Based on [1], selinux is tolerate for failure of memory allocation. +Then, use __GFP_NOWARN together. + +[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches") + +Signed-off-by: Minchan Kim +[PM: subj fix, line wraps, normalized commit refs] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/avc.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/security/selinux/avc.c b/security/selinux/avc.c +index f3c473791b69..a16c72c2a967 100644 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -348,26 +348,27 @@ static struct avc_xperms_decision_node + struct avc_xperms_decision_node *xpd_node; + struct extended_perms_decision *xpd; + +- xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT); ++ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd_node) + return NULL; + + xpd = &xpd_node->xpd; + if (which & XPERMS_ALLOWED) { + xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->allowed) + goto error; + } + if (which & 
XPERMS_AUDITALLOW) { + xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->auditallow) + goto error; + } + if (which & XPERMS_DONTAUDIT) { + xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->dontaudit) + goto error; + } +@@ -395,7 +396,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void) + { + struct avc_xperms_node *xp_node; + +- xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT); ++ xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN); + if (!xp_node) + return xp_node; + INIT_LIST_HEAD(&xp_node->xpd_head); +@@ -548,7 +549,7 @@ static struct avc_node *avc_alloc_node(void) + { + struct avc_node *node; + +- node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT); ++ node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN); + if (!node) + goto out; + +-- +2.30.2 + diff --git a/queue-4.9/series b/queue-4.9/series index 0ece7c98b57..92266834175 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
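Review bot: The same `GFP_NOWAIT | __GFP_NOWARN` mask is now spelled out at six call sites in avc.c (four in avc_xperms_decision_alloc(), one each in avc_xperms_alloc() and avc_alloc_node()), which is the kind of repetition that drifts the next time someone adds a cache; a single file-scope definition such as `#define AVC_GFP_FLAGS (GFP_NOWAIT | __GFP_NOWARN)` used at all six sites would keep them consistent. Silencing the page-allocation warning also removes the only log signal that the AVC is failing to allocate, so the mask should carry a short comment saying why that is acceptable, e.g. `/* AVC entries are a cache: callers tolerate allocation failure, so don't warn */`. Each of the three inner hunks cuts into a function whose start or end is outside the visible lines.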
@@ -121,3 +121,37 @@ mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch mmc-vub3000-fix-control-request-direction.patch scsi-core-retry-i-o-for-notify-enable-spinup-required-error.patch +net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch +hugetlb-clear-huge-pte-during-flush-function-on-mips.patch +atm-iphase-fix-possible-use-after-free-in-ia_module_.patch +misdn-fix-possible-use-after-free-in-hfc_cleanup.patch +atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch +net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch +reiserfs-add-check-for-invalid-1st-journal-block.patch +drm-virtio-fix-double-free-on-probe-failure.patch +udf-fix-null-pointer-dereference-in-udf_symlink-func.patch +e100-handle-eeprom-as-little-endian.patch +clk-tegra-ensure-that-pllu-configuration-is-applied-.patch +ipv6-use-prandom_u32-for-id-generation.patch +rdma-cxgb4-fix-missing-error-code-in-create_qp.patch +dm-space-maps-don-t-reset-space-map-allocation-curso.patch +net-micrel-check-return-value-after-calling-platform.patch +net-moxa-use-devm_platform_get_and_ioremap_resource.patch +fjes-check-return-value-after-calling-platform_get_r.patch +selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch +xfrm-fix-error-reporting-in-xfrm_state_construct.patch +wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch +wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch +cw1200-add-missing-module_device_table.patch +mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch +atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch +atm-nicstar-register-the-interrupt-handler-in-the-ri.patch +rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch +sfc-avoid-double-pci_remove-of-vfs.patch +sfc-error-code-if-sriov-cannot-be-disabled.patch +wireless-wext-spy-fix-out-of-bounds-warning.patch +rdma-cma-fix-rdma_resolve_route-memory-leak.patch +bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch 
+bluetooth-shutdown-controller-after-workqueues-are-f.patch +bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch +sctp-add-size-validation-when-walking-chunks.patch diff --git a/queue-4.9/sfc-avoid-double-pci_remove-of-vfs.patch b/queue-4.9/sfc-avoid-double-pci_remove-of-vfs.patch new file mode 100644 index 00000000000..c81e70ca09b --- /dev/null +++ b/queue-4.9/sfc-avoid-double-pci_remove-of-vfs.patch 
@@ -0,0 +1,97 @@ +From 4bd2bf03c31fd67e500173f2d75bbb4d088980f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 17:32:35 +0200 +Subject: sfc: avoid double pci_remove of VFs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ] + +If pci_remove was called for a PF with VFs, the removal of the VFs was +called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove +and another implicit by calling pci_disable_sriov, which also perform +the VFs remove. This was leading to crashing the kernel on the second +attempt. + +Given that pci_disable_sriov already calls to pci remove function, get +rid of the direct call to pci_driver->remove from the driver. + +2 different ways to trigger the bug: +- Create one or more VFs, then attach the PF to a virtual machine (at + least with qemu/KVM) +- Create one or more VFs, then remove the PF with: + echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove + +Removing sfc module does not trigger the error, at least for me, because +it removes the VF first, and then the PF. + +Example of a log with the error: + list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:47! + [...trimmed...] + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c + [...trimmed...] + Call Trace: + efx_dissociate+0x1f/0x140 [sfc] + efx_pci_remove+0x27/0x150 [sfc] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x103/0x1f0 + pci_stop_bus_device+0x69/0x90 + pci_stop_and_remove_bus_device+0xe/0x20 + pci_iov_remove_virtfn+0xba/0x120 + sriov_disable+0x2f/0xe0 + efx_ef10_pci_sriov_disable+0x52/0x80 [sfc] + ? 
pcie_aer_is_native+0x12/0x40 + efx_ef10_sriov_fini+0x72/0x110 [sfc] + efx_pci_remove+0x62/0x150 [sfc] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x103/0x1f0 + unbind_store+0xf6/0x130 + kernfs_fop_write+0x116/0x190 + vfs_write+0xa5/0x1a0 + ksys_write+0x4f/0xb0 + do_syscall_64+0x5b/0x1a0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index a949b9d27329..23aac3b37d6e 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -442,7 +442,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx) + void efx_ef10_sriov_fini(struct efx_nic *efx) + { + struct efx_ef10_nic_data *nic_data = efx->nic_data; +- unsigned int i; + int rc; + + if (!nic_data->vf) { +@@ -452,14 +451,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx) + return; + } + +- /* Remove any VFs in the host */ +- for (i = 0; i < efx->vf_count; ++i) { +- struct efx_nic *vf_efx = nic_data->vf[i].efx; +- +- if (vf_efx) +- vf_efx->pci_dev->driver->remove(vf_efx->pci_dev); +- } +- ++ /* Disable SRIOV and remove any VFs in the host */ + rc = efx_ef10_pci_sriov_disable(efx, true); + if (rc) + netif_dbg(efx, drv, efx->net_dev, +-- +2.30.2 + diff --git a/queue-4.9/sfc-error-code-if-sriov-cannot-be-disabled.patch b/queue-4.9/sfc-error-code-if-sriov-cannot-be-disabled.patch new file mode 100644 index 00000000000..1663ad2a6a4 --- /dev/null +++ b/queue-4.9/sfc-error-code-if-sriov-cannot-be-disabled.patch 
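Review bot: With the manual VF removal loop gone, efx_ef10_sriov_fini() depends entirely on `efx_ef10_pci_sriov_disable(efx, true)` to take the VFs down, yet its failure is still reported with `netif_dbg()` (the call right after the new comment), which is invisible on a production kernel; the PF is then torn down with VFs possibly still bound. A remove-path failure that can leave children behind is worth `netif_err()`, or at least a comment on the new `/* Disable SRIOV and remove any VFs in the host */` line noting that VF removal now happens inside pci_disable_sriov() via the VF's pci remove callback, since that is the assumption this hunk introduces. The rest of efx_ef10_sriov_fini() lies outside the hunk.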
@@ -0,0 +1,74 @@ +From 3a368d9c90d078e627053a5fc161b3384776089a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 17:32:36 +0200 +Subject: sfc: error code if SRIOV cannot be disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ] + +If SRIOV cannot be disabled during device removal or module unloading, +return error code so it can be logged properly in the calling function. + +Note that this can only happen if any VF is currently attached to a +guest using Xen, but not with vfio/KVM. Despite that in that case the +VFs won't work properly with PF removed and/or the module unloaded, I +have let it as is because I don't know what side effects may have +changing it, and also it seems to be the same that other drivers are +doing in this situation. + +In the case of being called during SRIOV reconfiguration, the behavior +hasn't changed because the function is called with force=false. + +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index 23aac3b37d6e..bef23e19cbbd 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -405,12 +405,17 @@ fail1: + return rc; + } + ++/* Disable SRIOV and remove VFs ++ * If some VFs are attached to a guest (using Xen, only) nothing is ++ * done if force=false, and vports are freed if force=true (for the non ++ * attachedc ones, only) but SRIOV is not disabled and VFs are not ++ * removed in either case. 
++ */ + static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + { + struct pci_dev *dev = efx->pci_dev; +- unsigned int vfs_assigned = 0; +- +- vfs_assigned = pci_vfs_assigned(dev); ++ unsigned int vfs_assigned = pci_vfs_assigned(dev); ++ int rc = 0; + + if (vfs_assigned && !force) { + netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; " +@@ -420,10 +425,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + + if (!vfs_assigned) + pci_disable_sriov(dev); ++ else ++ rc = -EBUSY; + + efx_ef10_sriov_free_vf_vswitching(efx); + efx->vf_count = 0; +- return 0; ++ return rc; + } + + int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs) +-- +2.30.2 + diff --git a/queue-4.9/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch b/queue-4.9/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch new file mode 100644 index 00000000000..fa561c5b51d --- /dev/null +++ b/queue-4.9/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch 
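Review bot: The new header comment on efx_ef10_pci_sriov_disable() has a typo, `attachedc ones` should read `attached ones`, and as written it is hard to parse; I would phrase it as "If any VF is attached to a guest (Xen only): with force=false nothing is done (early return); with force=true the vswitching of the unattached VFs is freed and vf_count is reset and -EBUSY is returned, but SRIOV stays enabled and the VFs are not removed." so the new return value is documented alongside the behaviour. In the force=true path the function now frees the vswitching and sets `efx->vf_count = 0` before returning `-EBUSY`, so the caller logs an error after driver state no longer reflects the still-enabled SRIOV; a comment at `rc = -EBUSY;` stating that this partial teardown is intentional would help the next reader. The early-return branch for force=false sits between the two inner hunks and is not visible.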
@@ -0,0 +1,43 @@ +From 9cf85b79e85b61b009d341e8d1f89d245decde62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 12:34:57 +0200 +Subject: udf: Fix NULL pointer dereference in udf_symlink function + +From: Arturo Giusti + +[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ] + +In function udf_symlink, epos.bh is assigned with the value returned +by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c +and returns the value of sb_getblk function that could be NULL. +Then, epos.bh is used without any check, causing a possible +NULL pointer dereference when sb_getblk fails. + +This fix adds a check to validate the value of epos.bh. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083 +Signed-off-by: Arturo Giusti +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/namei.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 348b922d1b6a..bfa53dead8c8 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -956,6 +956,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry, + iinfo->i_location.partitionReferenceNum, + 0); + epos.bh = udf_tgetblk(sb, block); ++ if (unlikely(!epos.bh)) { ++ err = -ENOMEM; ++ goto out_no_entry; ++ } + lock_buffer(epos.bh); + memset(epos.bh->b_data, 0x00, bsize); + set_buffer_uptodate(epos.bh); +-- +2.30.2 + diff --git a/queue-4.9/wireless-wext-spy-fix-out-of-bounds-warning.patch b/queue-4.9/wireless-wext-spy-fix-out-of-bounds-warning.patch new file mode 100644 index 00000000000..ceac97c918e --- /dev/null +++ b/queue-4.9/wireless-wext-spy-fix-out-of-bounds-warning.patch 
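Review bot: The new NULL check after `udf_tgetblk()` is right, but the error it maps to deserves a one-line justification since `-ENOMEM` is chosen by the caller rather than reported by the helper; `/* udf_tgetblk() -> sb_getblk() returns NULL on allocation failure */` above the `if` would do. It is also worth confirming that `out_no_entry` undoes everything already done at this point, in particular whatever was already allocated for the symlink data block, as both the label and that earlier allocation are outside the hunk. udf_symlink() begins and ends outside the hunk.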
@@ -0,0 +1,78 @@ +From 17247698809f539b7ae650e09b8847f77c8160bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 15:00:32 -0500 +Subject: wireless: wext-spy: Fix out-of-bounds warning + +From: Gustavo A. R. Silva + +[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ] + +Fix the following out-of-bounds warning: + +net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). This causes a legitimate compiler warning because memcpy() +overruns the length of &threshold.low and &spydata->spy_thr_low. As +these are just a couple of struct members, fix this by using direct +assignments, instead of memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-spy.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c +index 33bef22e44e9..b379a0371653 100644 +--- a/net/wireless/wext-spy.c ++++ b/net/wireless/wext-spy.c +@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev, + return -EOPNOTSUPP; + + /* Just do it */ +- memcpy(&(spydata->spy_thr_low), &(threshold->low), +- 2 * sizeof(struct iw_quality)); ++ spydata->spy_thr_low = threshold->low; ++ spydata->spy_thr_high = threshold->high; + + /* Clear flag */ + memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under)); +@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev, + return -EOPNOTSUPP; + + /* Just do it */ +- memcpy(&(threshold->low), &(spydata->spy_thr_low), +- 2 * sizeof(struct iw_quality)); ++ threshold->low = spydata->spy_thr_low; ++ threshold->high = spydata->spy_thr_high; + + return 0; + } +@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev, + memcpy(threshold.addr.sa_data, address, ETH_ALEN); + threshold.addr.sa_family = ARPHRD_ETHER; + /* Copy stats */ +- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality)); ++ threshold.qual = *wstats; + /* Copy also thresholds */ +- memcpy(&(threshold.low), &(spydata->spy_thr_low), +- 2 * sizeof(struct iw_quality)); ++ threshold.low = spydata->spy_thr_low; ++ threshold.high = spydata->spy_thr_high; + + /* Send event to user space */ + wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold); +-- +2.30.2 + diff --git a/queue-4.9/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch b/queue-4.9/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch new file mode 100644 index 00000000000..5e16e628a26 --- /dev/null 
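Review bot: The `threshold` local in iw_send_thrspy_event() is handed to user space whole via `wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold)`, but the visible lines only fill `ETH_ALEN` bytes of `threshold.addr.sa_data` plus `sa_family`, `qual`, `low` and `high`; unless its declaration above the hunk zero-initialises it, the remaining bytes of `sa_data` are uninitialised stack that end up in the event. This predates the change, but since the hunk is already rewriting how `threshold` is filled, `memset(&threshold, 0, sizeof(threshold));` before the first assignment (or `= { 0 }` at the declaration) would close it. The declarations of all three functions touched here are outside the visible lines.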
+++ b/queue-4.9/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch @@ -0,0 +1,43 @@ +From 1fc09bf580d03455c110708d13f40165fd10163f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 12:55:08 +0100 +Subject: wl1251: Fix possible buffer overflow in wl1251_cmd_scan + +From: Lee Gibson + +[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] + +Function wl1251_cmd_scan calls memcpy without checking the length. +Harden by checking the length is within the maximum allowed size. + +Signed-off-by: Lee Gibson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c +index ede31f048ef9..247f4310a38f 100644 +--- a/drivers/net/wireless/ti/wl1251/cmd.c ++++ b/drivers/net/wireless/ti/wl1251/cmd.c +@@ -465,9 +465,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, + cmd->channels[i].channel = channels[i]->hw_value; + } + +- cmd->params.ssid_len = ssid_len; +- if (ssid) +- memcpy(cmd->params.ssid, ssid, ssid_len); ++ if (ssid) { ++ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); ++ ++ cmd->params.ssid_len = len; ++ memcpy(cmd->params.ssid, ssid, len); ++ } + + ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); + if (ret < 0) { +-- +2.30.2 + diff --git a/queue-4.9/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch b/queue-4.9/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch new file mode 100644 index 00000000000..dd38e719101 --- /dev/null +++ b/queue-4.9/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch 
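Review bot: When `ssid` is NULL the new code no longer writes `cmd->params.ssid_len` at all, whereas the removed lines set it unconditionally; this is only safe if `cmd` is zero-allocated above the hunk, and that dependency is worth a comment such as `/* ssid_len stays 0 from the zeroed allocation when no SSID is given */`. Silently clamping an over-long SSID also means the device scans for a truncated SSID rather than the one requested; checking `ssid_len > IEEE80211_MAX_SSID_LEN` up front and failing with `-EINVAL` before `cmd` is allocated would surface the caller's bug instead of hiding it. wl1251_cmd_scan() begins and ends outside the hunk.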
@@ -0,0 +1,57 @@ +From 9ce0c80aea5b2b95b2734072d33b7e62cef00cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 09:28:14 +0300 +Subject: wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP + +From: Tony Lindgren + +[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ] + +At least on wl12xx, reading the MAC after boot can fail with a warning +at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read. +The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls +after request_firmware_work_func(). + +After the error, no wireless interface is created. Reloading the wl12xx +module makes the interface work. + +Turns out the wlan controller can be in a low-power ELP state after the +boot from the bootloader or kexec, and needs to be woken up first. + +Let's wake the hardware and add a sleep after that similar to +wl12xx_pre_boot() is already doing. + +Note that a similar issue could exist for wl18xx, but I have not seen it +so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not +produce similar errors. + +Cc: Carl Philipp Klemm +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c +index 9bd635ec7827..72991d3a55f1 100644 +--- a/drivers/net/wireless/ti/wl12xx/main.c ++++ b/drivers/net/wireless/ti/wl12xx/main.c +@@ -1516,6 +1516,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl) + u32 mac1, mac2; + int ret; + ++ /* Device may be in ELP from the bootloader or kexec */ ++ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL); ++ if (ret < 0) ++ goto out; ++ ++ usleep_range(500000, 700000); ++ + ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]); + if (ret < 0) + goto out; +-- +2.30.2 + 
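Review bot: The added `usleep_range(500000, 700000)` delays every call of wl12xx_get_fuse_mac() by half a second or more, whether or not the device was actually in ELP, and the 500-700 ms bounds are unexplained magic numbers; the comment should say where they come from, e.g. `/* Device may be in ELP from the bootloader or kexec: wake it and wait, mirroring wl12xx_pre_boot() */`. If a wake-complete condition can be polled instead of slept for, that would be preferable, but nothing in the hunk shows one, so at minimum document the wait. The start and end of wl12xx_get_fuse_mac() are outside the hunk.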
diff --git a/queue-4.9/xfrm-fix-error-reporting-in-xfrm_state_construct.patch b/queue-4.9/xfrm-fix-error-reporting-in-xfrm_state_construct.patch new file mode 100644 index 00000000000..4cc9ba8b200 --- /dev/null +++ b/queue-4.9/xfrm-fix-error-reporting-in-xfrm_state_construct.patch 
@@ -0,0 +1,74 @@ +From a698e1a9c3b39b47d05785ffcbd0631e5a8d0f1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 15:21:49 +0200 +Subject: xfrm: Fix error reporting in xfrm_state_construct. + +From: Steffen Klassert + +[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ] + +When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails, +the error will not be reported because the -ENOMEM assignment +to the err variable is overwritten before. Fix this by moving +these two in front of the function so that memory allocation +failures will be reported. + +Reported-by: Tobias Brunner +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index feb24ca530f2..48139e1a0ac9 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -566,6 +566,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + + copy_from_user_state(x, p); + ++ if (attrs[XFRMA_ENCAP]) { ++ x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), ++ sizeof(*x->encap), GFP_KERNEL); ++ if (x->encap == NULL) ++ goto error; ++ } ++ ++ if (attrs[XFRMA_COADDR]) { ++ x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), ++ sizeof(*x->coaddr), GFP_KERNEL); ++ if (x->coaddr == NULL) ++ goto error; ++ } ++ + if (attrs[XFRMA_SA_EXTRA_FLAGS]) + x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); + +@@ -586,23 +600,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + attrs[XFRMA_ALG_COMP]))) + goto error; + +- if (attrs[XFRMA_ENCAP]) { +- x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), +- sizeof(*x->encap), GFP_KERNEL); +- if (x->encap == NULL) +- goto error; +- } +- + if (attrs[XFRMA_TFCPAD]) + x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); + +- if (attrs[XFRMA_COADDR]) { +- x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), +- sizeof(*x->coaddr), GFP_KERNEL); +- if 
(x->coaddr == NULL) +- goto error; +- } +- + xfrm_mark_get(attrs, &x->mark); + + err = __xfrm_init_state(x, false); +-- +2.30.2 +
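Review bot: The fix relies on `err` still holding its initial `-ENOMEM` when the two moved `goto error` branches run, which is exactly the positional assumption that broke the first time; that initialisation is above the visible lines, and any future attribute handler inserted between it and these blocks will silently reintroduce the bug. Setting the code explicitly in each branch, `if (x->encap == NULL) { err = -ENOMEM; goto error; }` and the same for `x->coaddr`, makes the reporting independent of statement order. xfrm_state_construct() begins and ends outside the hunk.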