From: Greg Kroah-Hartman Date: Mon, 30 Mar 2020 12:23:10 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.6.1~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=734284c90721de38b4859116f8515c0caed69d90;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch gpiolib-fix-irq_disable-semantics.patch mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch mac80211-drop-data-frames-without-key-on-encrypted-links.patch mac80211-mark-station-unauthorized-before-key-removal.patch mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch nl80211-fix-nl80211_attr_channel_width-attribute-type.patch perf-probe-do-not-depend-on-dwfl_module_addrsym.patch perf-probe-fix-to-delete-multiple-probe-event.patch rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch scripts-dtc-remove-redundant-yyloc-global-declaration.patch scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch tools-let-o-makes-handle-a-relative-path-with-c-option.patch x86-ioremap-fix-config_efi-n-build.patch --- diff --git a/queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch b/queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch new file mode 100644 index 00000000000..c1484e39d03 --- /dev/null +++ b/queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch 
@@ -0,0 +1,45 @@ +From cfb5d65f25959f724081bae8445a0241db606af6 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Fri, 13 Mar 2020 11:47:17 +0200 +Subject: ARM: dts: dra7: Add bus_dma_limit for L3 bus + +From: Roger Quadros + +commit cfb5d65f25959f724081bae8445a0241db606af6 upstream. + +The L3 interconnect's memory map is from 0x0 to +0xffffffff. Out of this, System memory (SDRAM) can be +accessed from 0x80000000 to 0xffffffff (2GB) + +DRA7 does support 4GB of SDRAM but upper 2GB can only be +accessed by the MPU subsystem. + +Add the dma-ranges property to reflect the physical address limit +of the L3 bus. + +Issues ere observed only with SATA on DRA7-EVM with 4GB RAM +and CONFIG_ARM_LPAE enabled. This is because the controller +supports 64-bit DMA and its driver sets the dma_mask to 64-bit +thus resulting in DMA accesses beyond L3 limit of 2G. + +Setting the correct bus_dma_limit fixes the issue. + +Signed-off-by: Roger Quadros +Cc: stable@kernel.org +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -148,6 +148,7 @@ + #address-cells = <1>; + #size-cells = <1>; + ranges = <0x0 0x0 0x0 0xc0000000>; ++ dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>; + ti,hwmods = "l3_main_1", "l3_main_2"; + reg = <0x0 0x44000000 0x0 0x1000000>, + <0x0 0x45000000 0x0 0x1000>; diff --git a/queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch b/queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch new file mode 100644 index 00000000000..6583a8a76a7 --- /dev/null +++ b/queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch 
@@ -0,0 +1,38 @@ +From dfa7ea303f56a3a8b1ed3b91ef35af2da67ca4ee Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 16 Mar 2020 12:27:31 +0200 +Subject: ARM: dts: omap5: Add bus_dma_limit for L3 bus + +From: Roger Quadros + +commit dfa7ea303f56a3a8b1ed3b91ef35af2da67ca4ee upstream. + +The L3 interconnect's memory map is from 0x0 to +0xffffffff. Out of this, System memory (SDRAM) can be +accessed from 0x80000000 to 0xffffffff (2GB) + +OMAP5 does support 4GB of SDRAM but upper 2GB can only be +accessed by the MPU subsystem. + +Add the dma-ranges property to reflect the physical address limit +of the L3 bus. + +Cc: stable@kernel.org +Signed-off-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap5.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/omap5.dtsi ++++ b/arch/arm/boot/dts/omap5.dtsi +@@ -143,6 +143,7 @@ + #address-cells = <1>; + #size-cells = <1>; + ranges = <0 0 0 0xc0000000>; ++ dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>; + ti,hwmods = "l3_main_1", "l3_main_2", "l3_main_3"; + reg = <0 0x44000000 0 0x2000>, + <0 0x44800000 0 0x3000>, diff --git a/queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch b/queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch new file mode 100644 index 00000000000..62535c7401a --- /dev/null +++ b/queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch 
@@ -0,0 +1,134 @@ +From 7614209736fbc4927584d4387faade4f31444fce Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 9 Mar 2020 12:03:14 +0100 +Subject: ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL + +From: Ilya Dryomov + +commit 7614209736fbc4927584d4387faade4f31444fce upstream. + +CEPH_OSDMAP_FULL/NEARFULL aren't set since mimic, so we need to consult +per-pool flags as well. Unfortunately the backwards compatibility here +is lacking: + +- the change that deprecated OSDMAP_FULL/NEARFULL went into mimic, but + was guarded by require_osd_release >= RELEASE_LUMINOUS +- it was subsequently backported to luminous in v12.2.2, but that makes + no difference to clients that only check OSDMAP_FULL/NEARFULL because + require_osd_release is not client-facing -- it is for OSDs + +Since all kernels are affected, the best we can do here is just start +checking both map flags and pool flags and send that to stable. + +These checks are best effort, so take osdc->lock and look up pool flags +just once. Remove the FIXME, since filesystem quotas are checked above +and RADOS quotas are reflected in POOL_FLAG_FULL: when the pool reaches +its quota, both POOL_FLAG_FULL and POOL_FLAG_FULL_QUOTA are set. 
+ +Cc: stable@vger.kernel.org +Reported-by: Yanhu Cao +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Acked-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/file.c | 14 +++++++++++--- + include/linux/ceph/osdmap.h | 4 ++++ + include/linux/ceph/rados.h | 6 ++++-- + net/ceph/osdmap.c | 9 +++++++++ + 4 files changed, 28 insertions(+), 5 deletions(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1415,10 +1415,13 @@ static ssize_t ceph_write_iter(struct ki + struct inode *inode = file_inode(file); + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_fs_client *fsc = ceph_inode_to_client(inode); ++ struct ceph_osd_client *osdc = &fsc->client->osdc; + struct ceph_cap_flush *prealloc_cf; + ssize_t count, written = 0; + int err, want, got; + bool direct_lock = false; ++ u32 map_flags; ++ u64 pool_flags; + loff_t pos; + loff_t limit = max(i_size_read(inode), fsc->max_file_size); + +@@ -1481,8 +1484,12 @@ retry_snap: + goto out; + } + +- /* FIXME: not complete since it doesn't account for being at quota */ +- if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_FULL)) { ++ down_read(&osdc->lock); ++ map_flags = osdc->osdmap->flags; ++ pool_flags = ceph_pg_pool_flags(osdc->osdmap, ci->i_layout.pool_id); ++ up_read(&osdc->lock); ++ if ((map_flags & CEPH_OSDMAP_FULL) || ++ (pool_flags & CEPH_POOL_FLAG_FULL)) { + err = -ENOSPC; + goto out; + } +@@ -1575,7 +1582,8 @@ retry_snap: + } + + if (written >= 0) { +- if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_NEARFULL)) ++ if ((map_flags & CEPH_OSDMAP_NEARFULL) || ++ (pool_flags & CEPH_POOL_FLAG_NEARFULL)) + iocb->ki_flags |= IOCB_DSYNC; + written = generic_write_sync(iocb, written); + } +--- a/include/linux/ceph/osdmap.h ++++ b/include/linux/ceph/osdmap.h +@@ -37,6 +37,9 @@ int ceph_spg_compare(const struct ceph_s + #define CEPH_POOL_FLAG_HASHPSPOOL (1ULL << 0) /* hash pg seed and pool id + together */ + #define CEPH_POOL_FLAG_FULL (1ULL << 1) /* pool is full */ ++#define 
CEPH_POOL_FLAG_FULL_QUOTA (1ULL << 10) /* pool ran out of quota, ++ will set FULL too */ ++#define CEPH_POOL_FLAG_NEARFULL (1ULL << 11) /* pool is nearfull */ + + struct ceph_pg_pool_info { + struct rb_node node; +@@ -304,5 +307,6 @@ extern struct ceph_pg_pool_info *ceph_pg + + extern const char *ceph_pg_pool_name_by_id(struct ceph_osdmap *map, u64 id); + extern int ceph_pg_poolid_by_name(struct ceph_osdmap *map, const char *name); ++u64 ceph_pg_pool_flags(struct ceph_osdmap *map, u64 id); + + #endif +--- a/include/linux/ceph/rados.h ++++ b/include/linux/ceph/rados.h +@@ -143,8 +143,10 @@ extern const char *ceph_osd_state_name(i + /* + * osd map flag bits + */ +-#define CEPH_OSDMAP_NEARFULL (1<<0) /* sync writes (near ENOSPC) */ +-#define CEPH_OSDMAP_FULL (1<<1) /* no data writes (ENOSPC) */ ++#define CEPH_OSDMAP_NEARFULL (1<<0) /* sync writes (near ENOSPC), ++ not set since ~luminous */ ++#define CEPH_OSDMAP_FULL (1<<1) /* no data writes (ENOSPC), ++ not set since ~luminous */ + #define CEPH_OSDMAP_PAUSERD (1<<2) /* pause all reads */ + #define CEPH_OSDMAP_PAUSEWR (1<<3) /* pause all writes */ + #define CEPH_OSDMAP_PAUSEREC (1<<4) /* pause recovery */ +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -710,6 +710,15 @@ int ceph_pg_poolid_by_name(struct ceph_o + } + EXPORT_SYMBOL(ceph_pg_poolid_by_name); + ++u64 ceph_pg_pool_flags(struct ceph_osdmap *map, u64 id) ++{ ++ struct ceph_pg_pool_info *pi; ++ ++ pi = __lookup_pg_pool(&map->pg_pools, id); ++ return pi ? pi->flags : 0; ++} ++EXPORT_SYMBOL(ceph_pg_pool_flags); ++ + static void __remove_pg_pool(struct rb_root *root, struct ceph_pg_pool_info *pi) + { + rb_erase(&pi->node, root); diff --git a/queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch b/queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch new file mode 100644 index 00000000000..87ec64faf86 --- /dev/null +++ b/queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch 
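Review bot: The new `ceph_pg_pool_flags()` in net/ceph/osdmap.c returns 0 when `__lookup_pg_pool()` finds no entry, so in `ceph_write_iter()` a write whose `ci->i_layout.pool_id` is missing from the current map passes the FULL check as if the pool had space. The commit message calls these checks best effort, so this may be intended, but the helper is exported and carries no comment saying so. I would add one above it, for example `/* Returns 0 (no flags set) if the pool is not in the map; the caller is expected to hold osdc->lock. */`. The locking half of that comment is inferred from the one caller visible here, which wraps the lookup in `down_read(&osdc->lock)` / `up_read(&osdc->lock)`, and should be confirmed. `ceph_write_iter()` itself starts and ends outside the hunks shown.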
@@ -0,0 +1,50 @@ +From c8d6ee01449cd0d2f30410681cccb616a88f50b1 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Thu, 19 Mar 2020 11:43:48 +0000 +Subject: ceph: fix memory leak in ceph_cleanup_snapid_map() + +From: Luis Henriques + +commit c8d6ee01449cd0d2f30410681cccb616a88f50b1 upstream. + +kmemleak reports the following memory leak: + +unreferenced object 0xffff88821feac8a0 (size 96): + comm "kworker/1:0", pid 17, jiffies 4294896362 (age 20.512s) + hex dump (first 32 bytes): + a0 c8 ea 1f 82 88 ff ff 00 c9 ea 1f 82 88 ff ff ................ + 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ad de ................ + backtrace: + [<00000000b3ea77fb>] ceph_get_snapid_map+0x75/0x2a0 + [<00000000d4060942>] fill_inode+0xb26/0x1010 + [<0000000049da6206>] ceph_readdir_prepopulate+0x389/0xc40 + [<00000000e2fe2549>] dispatch+0x11ab/0x1521 + [<000000007700b894>] ceph_con_workfn+0xf3d/0x3240 + [<0000000039138a41>] process_one_work+0x24d/0x590 + [<00000000eb751f34>] worker_thread+0x4a/0x3d0 + [<000000007e8f0d42>] kthread+0xfb/0x130 + [<00000000d49bd1fa>] ret_from_fork+0x3a/0x50 + +A kfree is missing while looping the 'to_free' list of ceph_snapid_map +objects. + +Cc: stable@vger.kernel.org +Fixes: 75c9627efb72 ("ceph: map snapid to anonymous bdev ID") +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/snap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -1155,5 +1155,6 @@ void ceph_cleanup_snapid_map(struct ceph + pr_err("snapid map %llx -> %x still in use\n", + sm->snap, sm->dev); + } ++ kfree(sm); + } + } diff --git a/queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch b/queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch new file mode 100644 index 00000000000..e0745986ab3 --- /dev/null +++ b/queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch 
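Review bot: The added `kfree(sm);` in `ceph_cleanup_snapid_map()` runs on every loop iteration, including the one that has just logged "snapid map ... still in use". If that message can fire while a reference is really outstanding, the holder is left with a pointer to freed memory, which is a worse failure than the leak being fixed. The condition guarding the `pr_err()` is outside the hunk, so this may be unreachable in practice, but the code should say why, e.g. `/* no user can remain at cleanup time; free even if the check above warned */`. If that guarantee does not hold, skipping the `kfree()` in the warned branch would be the safer choice.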
@@ -0,0 +1,141 @@ +From 53cdc1cb29e87ce5a61de5bb393eb08925d14ede Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Sat, 28 Mar 2020 19:17:19 -0700 +Subject: drivers/base/memory.c: indicate all memory blocks as removable + +From: David Hildenbrand + +commit 53cdc1cb29e87ce5a61de5bb393eb08925d14ede upstream. + +We see multiple issues with the implementation/interface to compute +whether a memory block can be offlined (exposed via +/sys/devices/system/memory/memoryX/removable) and would like to simplify +it (remove the implementation). + +1. It runs basically lockless. While this might be good for performance, + we see possible races with memory offlining that will require at + least some sort of locking to fix. + +2. Nowadays, more false positives are possible. No arch-specific checks + are performed that validate if memory offlining will not be denied + right away (and such check will require locking). For example, arm64 + won't allow to offline any memory block that was added during boot - + which will imply a very high error rate. Other archs have other + constraints. + +3. The interface is inherently racy. E.g., if a memory block is detected + to be removable (and was not a false positive at that time), there is + still no guarantee that offlining will actually succeed. So any + caller already has to deal with false positives. + +4. It is unclear which performance benefit this interface actually + provides. The introducing commit 5c755e9fd813 ("memory-hotplug: add + sysfs removable attribute for hotplug memory remove") mentioned + + "A user-level agent must be able to identify which sections + of memory are likely to be removable before attempting the + potentially expensive operation." + + However, no actual performance comparison was included. + +Known users: + + - lsmem: Will group memory blocks based on the "removable" property. [1] + + - chmem: Indirect user. 
It has a RANGE mode where one can specify + removable ranges identified via lsmem to be offlined. However, + it also has a "SIZE" mode, which allows a sysadmin to skip the + manual "identify removable blocks" step. [2] + + - powerpc-utils: Uses the "removable" attribute to skip some memory + blocks right away when trying to find some to offline+remove. + However, with ballooning enabled, it already skips this + information completely (because it once resulted in many false + negatives). Therefore, the implementation can deal with false + positives properly already. [3] + +According to Nathan Fontenot, DLPAR on powerpc is nowadays no longer +driven from userspace via the drmgr command (powerpc-utils). Nowadays +it's managed in the kernel - including onlining/offlining of memory +blocks - triggered by drmgr writing to /sys/kernel/dlpar. So the +affected legacy userspace handling is only active on old kernels. Only +very old versions of drmgr on a new kernel (unlikely) might execute +slower - totally acceptable. + +With CONFIG_MEMORY_HOTREMOVE, always indicating "removable" should not +break any user space tool. We implement a very bad heuristic now. +Without CONFIG_MEMORY_HOTREMOVE we cannot offline anything, so report +"not removable" as before. + +Original discussion can be found in [4] ("[PATCH RFC v1] mm: +is_mem_section_removable() overhaul"). + +Other users of is_mem_section_removable() will be removed next, so that +we can remove is_mem_section_removable() completely. + +[1] http://man7.org/linux/man-pages/man1/lsmem.1.html +[2] http://man7.org/linux/man-pages/man8/chmem.8.html +[3] https://github.com/ibm-power-utilities/powerpc-utils +[4] https://lkml.kernel.org/r/20200117105759.27905-1-david@redhat.com + +Also, this patch probably fixes a crash reported by Steve. 
+http://lkml.kernel.org/r/CAPcyv4jpdaNvJ67SkjyUJLBnBnXXQv686BiVW042g03FUmWLXw@mail.gmail.com + +Reported-by: "Scargall, Steve" +Suggested-by: Michal Hocko +Signed-off-by: David Hildenbrand +Signed-off-by: Andrew Morton +Reviewed-by: Nathan Fontenot +Acked-by: Michal Hocko +Cc: Dan Williams +Cc: Greg Kroah-Hartman +Cc: "Rafael J. Wysocki" +Cc: Badari Pulavarty +Cc: Robert Jennings +Cc: Heiko Carstens +Cc: Karel Zak +Cc: +Link: http://lkml.kernel.org/r/20200128093542.6908-1-david@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/memory.c | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -114,30 +114,13 @@ static ssize_t phys_index_show(struct de + } + + /* +- * Show whether the memory block is likely to be offlineable (or is already +- * offline). Once offline, the memory block could be removed. The return +- * value does, however, not indicate that there is a way to remove the +- * memory block. ++ * Legacy interface that we cannot remove. Always indicate "removable" ++ * with CONFIG_MEMORY_HOTREMOVE - bad heuristic. + */ + static ssize_t removable_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- struct memory_block *mem = to_memory_block(dev); +- unsigned long pfn; +- int ret = 1, i; +- +- if (mem->state != MEM_ONLINE) +- goto out; +- +- for (i = 0; i < sections_per_block; i++) { +- if (!present_section_nr(mem->start_section_nr + i)) +- continue; +- pfn = section_nr_to_pfn(mem->start_section_nr + i); +- ret &= is_mem_section_removable(pfn, PAGES_PER_SECTION); +- } +- +-out: +- return sprintf(buf, "%d\n", ret); ++ return sprintf(buf, "%d\n", (int)IS_ENABLED(CONFIG_MEMORY_HOTREMOVE)); + } + + /* diff --git a/queue-5.4/gpiolib-fix-irq_disable-semantics.patch b/queue-5.4/gpiolib-fix-irq_disable-semantics.patch new file mode 100644 index 00000000000..113f5a286eb --- /dev/null 
+++ b/queue-5.4/gpiolib-fix-irq_disable-semantics.patch 
@@ -0,0 +1,61 @@ +From 8959b304c7062889b1276092cc8590dc1ba98f65 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 6 Mar 2020 14:23:26 +0100 +Subject: gpiolib: Fix irq_disable() semantics + +From: Linus Walleij + +commit 8959b304c7062889b1276092cc8590dc1ba98f65 upstream. + +The implementation if .irq_disable() which kicks in between +the gpiolib and the driver is not properly mimicking the +expected semantics of the irqchip core: the irqchip will +call .irq_disable() if that exists, else it will call +mask_irq() which first checks if .irq_mask() is defined +before calling it. + +Since we are calling it unconditionally, we get this bug +from drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c, as it only +defines .irq_mask_ack and not .irq_mask: + + Unable to handle kernel NULL pointer dereference at virtual address 00000000 + pgd = (ptrval) + (...) + PC is at 0x0 + LR is at gpiochip_irq_disable+0x20/0x30 + +Fix this by only calling .irq_mask() if it exists. + +Cc: Brian Masney +Cc: Hans Verkuil +Cc: stable@vger.kernel.org +Reviewed-by: Bartosz Golaszewski +Fixes: 461c1a7d4733 ("gpiolib: override irq_enable/disable") +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20200306132326.1329640-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2194,9 +2194,16 @@ static void gpiochip_irq_disable(struct + { + struct gpio_chip *chip = irq_data_get_irq_chip_data(d); + ++ /* ++ * Since we override .irq_disable() we need to mimic the ++ * behaviour of __irq_disable() in irq/chip.c. ++ * First call .irq_disable() if it exists, else mimic the ++ * behaviour of mask_irq() which calls .irq_mask() if ++ * it exists. ++ */ + if (chip->irq.irq_disable) + chip->irq.irq_disable(d); +- else ++ else if (chip->irq.chip->irq_mask) + chip->irq.chip->irq_mask(d); + gpiochip_disable_irq(chip, d->hwirq); + } 
diff --git a/queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch b/queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch new file mode 100644 index 00000000000..2285bdf2dfb --- /dev/null +++ b/queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch 
@@ -0,0 +1,56 @@ +From ce2e1ca703071723ca2dd94d492a5ab6d15050da Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 26 Mar 2020 15:51:34 +0100 +Subject: mac80211: Check port authorization in the ieee80211_tx_dequeue() case + +From: Jouni Malinen + +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream. + +mac80211 used to check port authorization in the Data frame enqueue case +when going through start_xmit(). However, that authorization status may +change while the frame is waiting in a queue. Add a similar check in the +dequeue case to avoid sending previously accepted frames after +authorization change. This provides additional protection against +potential leaking of frames after a station has been disconnected and +the keys for it are being removed. + +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Malinen +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3596,8 +3596,25 @@ begin: + tx.skb = skb; + tx.sdata = vif_to_sdata(info->control.vif); + +- if (txq->sta) ++ if (txq->sta) { + tx.sta = container_of(txq->sta, struct sta_info, sta); ++ /* ++ * Drop unicast frames to unauthorised stations unless they are ++ * EAPOL frames from the local station. 
++ */ ++ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ tx.sdata->vif.type != NL80211_IFTYPE_OCB && ++ !is_multicast_ether_addr(hdr->addr1) && ++ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) && ++ (!(info->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) || ++ !ether_addr_equal(tx.sdata->vif.addr, ++ hdr->addr2)))) { ++ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port); ++ ieee80211_free_txskb(&local->hw, skb); ++ goto begin; ++ } ++ } + + /* + * The key can be removed while the packet was queued, so need to call diff --git a/queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch b/queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch new file mode 100644 index 00000000000..2d51b52b566 --- /dev/null +++ b/queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch 
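Review bot: The unauthorized-port predicate added to `ieee80211_tx_dequeue()` in net/mac80211/tx.c is a six-clause condition that, according to the commit message, mirrors the check already made on the enqueue path; two hand-written copies of an access-control decision can drift apart when one is later edited. I would move the condition into a single `static bool` helper taking `tx.sdata`, `tx.sta`, `hdr` and `info`, call it from both places, and move the "Drop unicast frames to unauthorised stations unless they are EAPOL frames from the local station" comment onto that helper. The enqueue-side check is not visible in this hunk, so the exact equivalence of the two conditions is assumed from the description. `hdr`, `info` and `local` are assigned outside the hunk.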
@@ -0,0 +1,156 @@ +From a0761a301746ec2d92d7fcb82af69c0a6a4339aa Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 26 Mar 2020 15:09:42 +0200 +Subject: mac80211: drop data frames without key on encrypted links + +From: Johannes Berg + +commit a0761a301746ec2d92d7fcb82af69c0a6a4339aa upstream. + +If we know that we have an encrypted link (based on having had +a key configured for TX in the past) then drop all data frames +in the key selection handler if there's no key anymore. + +This fixes an issue with mac80211 internal TXQs - there we can +buffer frames for an encrypted link, but then if the key is no +longer there when they're dequeued, the frames are sent without +encryption. This happens if a station is disconnected while the +frames are still on the TXQ. + +Detecting that a link should be encrypted based on a first key +having been configured for TX is fine as there are no use cases +for a connection going from with encryption to no encryption. +With extended key IDs, however, there is a case of having a key +configured for only decryption, so we can't just trigger this +behaviour on a key being configured. 
+ +Cc: stable@vger.kernel.org +Reported-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200326150855.6865c7f28a14.I9fb1d911b064262d33e33dfba730cdeef83926ca@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/debugfs_sta.c | 3 ++- + net/mac80211/key.c | 20 ++++++++++++-------- + net/mac80211/sta_info.h | 1 + + net/mac80211/tx.c | 12 +++++++++--- + 4 files changed, 24 insertions(+), 12 deletions(-) + +--- a/net/mac80211/debugfs_sta.c ++++ b/net/mac80211/debugfs_sta.c +@@ -5,7 +5,7 @@ + * Copyright 2007 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright(c) 2016 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2019 Intel Corporation ++ * Copyright (C) 2018 - 2020 Intel Corporation + */ + + #include +@@ -78,6 +78,7 @@ static const char * const sta_flag_names + FLAG(MPSP_OWNER), + FLAG(MPSP_RECIPIENT), + FLAG(PS_DELIVER), ++ FLAG(USES_ENCRYPTION), + #undef FLAG + }; + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -6,7 +6,7 @@ + * Copyright 2007-2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright 2015-2017 Intel Deutschland GmbH +- * Copyright 2018-2019 Intel Corporation ++ * Copyright 2018-2020 Intel Corporation + */ + + #include +@@ -262,22 +262,29 @@ static void ieee80211_key_disable_hw_acc + sta ? 
sta->sta.addr : bcast_addr, ret); + } + +-int ieee80211_set_tx_key(struct ieee80211_key *key) ++static int _ieee80211_set_tx_key(struct ieee80211_key *key, bool force) + { + struct sta_info *sta = key->sta; + struct ieee80211_local *local = key->local; + + assert_key_lock(local); + ++ set_sta_flag(sta, WLAN_STA_USES_ENCRYPTION); ++ + sta->ptk_idx = key->conf.keyidx; + +- if (!ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT)) ++ if (force || !ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT)) + clear_sta_flag(sta, WLAN_STA_BLOCK_BA); + ieee80211_check_fast_xmit(sta); + + return 0; + } + ++int ieee80211_set_tx_key(struct ieee80211_key *key) ++{ ++ return _ieee80211_set_tx_key(key, false); ++} ++ + static void ieee80211_pairwise_rekey(struct ieee80211_key *old, + struct ieee80211_key *new) + { +@@ -441,11 +448,8 @@ static int ieee80211_key_replace(struct + if (pairwise) { + rcu_assign_pointer(sta->ptk[idx], new); + if (new && +- !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX)) { +- sta->ptk_idx = idx; +- clear_sta_flag(sta, WLAN_STA_BLOCK_BA); +- ieee80211_check_fast_xmit(sta); +- } ++ !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX)) ++ _ieee80211_set_tx_key(new, true); + } else { + rcu_assign_pointer(sta->gtk[idx], new); + } +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -98,6 +98,7 @@ enum ieee80211_sta_info_flags { + WLAN_STA_MPSP_OWNER, + WLAN_STA_MPSP_RECIPIENT, + WLAN_STA_PS_DELIVER, ++ WLAN_STA_USES_ENCRYPTION, + + NUM_WLAN_STA_FLAGS, + }; +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -590,10 +590,13 @@ ieee80211_tx_h_select_key(struct ieee802 + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb); + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data; + +- if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) ++ if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) { + tx->key = NULL; +- else if (tx->sta && +- (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx]))) ++ return 
TX_CONTINUE; ++ } ++ ++ if (tx->sta && ++ (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx]))) + tx->key = key; + else if (ieee80211_is_group_privacy_action(tx->skb) && + (key = rcu_dereference(tx->sdata->default_multicast_key))) +@@ -654,6 +657,9 @@ ieee80211_tx_h_select_key(struct ieee802 + if (!skip_hw && tx->key && + tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) + info->control.hw_key = &tx->key->conf; ++ } else if (!ieee80211_is_mgmt(hdr->frame_control) && tx->sta && ++ test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) { ++ return TX_DROP; + } + + return TX_CONTINUE; diff --git a/queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch b/queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch new file mode 100644 index 00000000000..6cef71d3579 --- /dev/null +++ b/queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch 
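Review bot: `WLAN_STA_USES_ENCRYPTION` is added to `enum ieee80211_sta_info_flags` in net/mac80211/sta_info.h as a bare enumerator, yet the new `return TX_DROP;` branch in `ieee80211_tx_h_select_key()` depends on the flag being sticky: the hunks set it in `_ieee80211_set_tx_key()` and nothing shown ever clears it. That property is what prevents queued data frames from going out unencrypted after key removal, so it should be documented next to the enumerator, in whatever form the enum's existing documentation uses, e.g. `set once a TX key has been configured for the station; never cleared, so data frames without a key are dropped instead of sent in the clear`. A one-line comment on the `else if (!ieee80211_is_mgmt(...) && ...)` branch stating that the drop is deliberate and that management frames are exempt would also help the next reader.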
@@ -0,0 +1,46 @@ +From b16798f5b907733966fd1a558fca823b3c67e4a1 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 26 Mar 2020 15:51:35 +0100 +Subject: mac80211: mark station unauthorized before key removal + +From: Johannes Berg + +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream. + +If a station is still marked as authorized, mark it as no longer +so before removing its keys. This allows frames transmitted to it +to be rejected, providing additional protection against leaking +plain text data during the disconnection flow. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/sta_info.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -4,7 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018-2019 Intel Corporation ++ * Copyright (C) 2018-2020 Intel Corporation + */ + + #include +@@ -1032,6 +1032,11 @@ static void __sta_info_destroy_part2(str + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + ++ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); ++ WARN_ON_ONCE(ret); ++ } ++ + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); + diff --git a/queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch b/queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch new file mode 100644 index 00000000000..1ede33af124 --- /dev/null +++ b/queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch 
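Review bot: The new `while (sta->sta_state == IEEE80211_STA_AUTHORIZED)` loop in `__sta_info_destroy_part2()` has no exit on failure: if `sta_info_move_state()` returns an error without changing `sta_state`, `WARN_ON_ONCE(ret)` fires once and the loop keeps spinning with `local->sta_mtx` held. Only one transition is being made, so `if (sta->sta_state == IEEE80211_STA_AUTHORIZED)` would express it, or the loop can stay and be left with `if (WARN_ON_ONCE(ret)) break;`. Whether that call can fail for this transition is not visible in the hunk. The function body continues outside the hunk.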
@@ -0,0 +1,126 @@ +From b943f045a9af9fd02f923e43fe8d7517e9961701 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Sat, 28 Mar 2020 19:17:29 -0700 +Subject: mm/sparse: fix kernel crash with pfn_section_valid check + +From: Aneesh Kumar K.V + +commit b943f045a9af9fd02f923e43fe8d7517e9961701 upstream. + +Fix the crash like this: + + BUG: Kernel NULL pointer dereference on read at 0x00000000 + Faulting instruction address: 0xc000000000c3447c + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + CPU: 11 PID: 7519 Comm: lt-ndctl Not tainted 5.6.0-rc7-autotest #1 + ... + NIP [c000000000c3447c] vmemmap_populated+0x98/0xc0 + LR [c000000000088354] vmemmap_free+0x144/0x320 + Call Trace: + section_deactivate+0x220/0x240 + __remove_pages+0x118/0x170 + arch_remove_memory+0x3c/0x150 + memunmap_pages+0x1cc/0x2f0 + devm_action_release+0x30/0x50 + release_nodes+0x2f8/0x3e0 + device_release_driver_internal+0x168/0x270 + unbind_store+0x130/0x170 + drv_attr_store+0x44/0x60 + sysfs_kf_write+0x68/0x80 + kernfs_fop_write+0x100/0x290 + __vfs_write+0x3c/0x70 + vfs_write+0xcc/0x240 + ksys_write+0x7c/0x140 + system_call+0x5c/0x68 + +The crash is due to NULL dereference at + + test_bit(idx, ms->usage->subsection_map); + +due to ms->usage = NULL in pfn_section_valid() + +With commit d41e2f3bd546 ("mm/hotplug: fix hot remove failure in +SPARSEMEM|!VMEMMAP case") section_mem_map is set to NULL after +depopulate_section_mem(). This was done so that pfn_page() can work +correctly with kernel config that disables SPARSEMEM_VMEMMAP. With that +config pfn_to_page does + + __section_mem_map_addr(__sec) + __pfn; + +where + + static inline struct page *__section_mem_map_addr(struct mem_section *section) + { + unsigned long map = section->section_mem_map; + map &= SECTION_MAP_MASK; + return (struct page *)map; + } + +Now with SPASEMEM_VMEMAP enabled, mem_section->usage->subsection_map is +used to check the pfn validity (pfn_valid()). 
Since section_deactivate +release mem_section->usage if a section is fully deactivated, +pfn_valid() check after a subsection_deactivate cause a kernel crash. + + static inline int pfn_valid(unsigned long pfn) + { + ... + return early_section(ms) || pfn_section_valid(ms, pfn); + } + +where + + static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn) + { + int idx = subsection_map_index(pfn); + + return test_bit(idx, ms->usage->subsection_map); + } + +Avoid this by clearing SECTION_HAS_MEM_MAP when mem_section->usage is +freed. For architectures like ppc64 where large pages are used for +vmmemap mapping (16MB), a specific vmemmap mapping can cover multiple +sections. Hence before a vmemmap mapping page can be freed, the kernel +needs to make sure there are no valid sections within that mapping. +Clearing the section valid bit before depopulate_section_memap enables +this. + +[aneesh.kumar@linux.ibm.com: add comment] + Link: http://lkml.kernel.org/r/20200326133235.343616-1-aneesh.kumar@linux.ibm.comLink: http://lkml.kernel.org/r/20200325031914.107660-1-aneesh.kumar@linux.ibm.com +Fixes: d41e2f3bd546 ("mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case") +Reported-by: Sachin Sant +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Andrew Morton +Tested-by: Sachin Sant +Reviewed-by: Baoquan He +Reviewed-by: Wei Yang +Acked-by: Michal Hocko +Acked-by: Pankaj Gupta +Cc: Michael Ellerman +Cc: Dan Williams +Cc: David Hildenbrand +Cc: Oscar Salvador +Cc: Mike Rapoport +Cc: +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/sparse.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/sparse.c ++++ b/mm/sparse.c +@@ -789,6 +789,12 @@ static void section_deactivate(unsigned + ms->usage = NULL; + } + memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr); ++ /* ++ * Mark the section invalid so that valid_section() ++ * return false. This prevents code from dereferencing ++ * ms->usage array. 
++ */ ++ ms->section_mem_map &= ~SECTION_HAS_MEM_MAP; + } + + if (section_is_early && memmap) diff --git a/queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch b/queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch new file mode 100644 index 00000000000..075c4dc5a00 --- /dev/null +++ b/queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch 
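Review bot: In `section_deactivate()` the new `ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;` runs after the context line `ms->usage = NULL;`, so for a short window the section still reports valid while `usage` is already NULL, which is the state the commit message identifies as the NULL dereference in `pfn_section_valid()`. If `pfn_valid()` can run concurrently with this path (not determinable from the hunk), clearing the flag before `usage` is released, with suitable ordering, would close that window. At minimum the added comment should name the lock or calling context that excludes concurrent readers. In the same comment, "return false" should read "returns false".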
@@ -0,0 +1,202 @@
+From d795a90e2ba024dbf2f22107ae89c210b98b08b8 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota
+Date: Sat, 28 Mar 2020 19:17:15 -0700
+Subject: mm/swapfile.c: move inode_lock out of claim_swapfile
+
+From: Naohiro Aota
+
+commit d795a90e2ba024dbf2f22107ae89c210b98b08b8 upstream.
+
+claim_swapfile() currently keeps the inode locked when it is successful,
+or the file is already swapfile (with -EBUSY). And, on the other error
+cases, it does not lock the inode.
+
+This inconsistency of the lock state and return value is quite confusing
+and actually causing a bad unlock balance as below in the "bad_swap"
+section of __do_sys_swapon().
+
+This commit fixes this issue by moving the inode_lock() and IS_SWAPFILE
+check out of claim_swapfile(). The inode is unlocked in
+"bad_swap_unlock_inode" section, so that the inode is ensured to be
+unlocked at "bad_swap". Thus, error handling codes after the locking now
+jumps to "bad_swap_unlock_inode" instead of "bad_swap".
+
+ =====================================
+ WARNING: bad unlock balance detected!
+ 5.5.0-rc7+ #176 Not tainted
+ -------------------------------------
+ swapon/4294 is trying to release lock (&sb->s_type->i_mutex_key) at: __do_sys_swapon+0x94b/0x3550
+ but there are no more locks to release!
+
+ other info that might help us debug this:
+ no locks held by swapon/4294.
+
+ stack backtrace:
+ CPU: 5 PID: 4294 Comm: swapon Not tainted 5.5.0-rc7-BTRFS-ZNS+ #176
+ Hardware name: ASUS All Series/H87-PRO, BIOS 2102 07/29/2014
+ Call Trace:
+ dump_stack+0xa1/0xea
+ print_unlock_imbalance_bug.cold+0x114/0x123
+ lock_release+0x562/0xed0
+ up_write+0x2d/0x490
+ __do_sys_swapon+0x94b/0x3550
+ __x64_sys_swapon+0x54/0x80
+ do_syscall_64+0xa4/0x4b0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f15da0a0dc7
+
+Fixes: 1638045c3677 ("mm: set S_SWAPFILE on blockdev swap devices")
+Signed-off-by: Naohiro Aota
+Signed-off-by: Andrew Morton
+Tested-by: Qais Youef
+Reviewed-by: Andrew Morton
+Reviewed-by: Darrick J. Wong
+Cc: Christoph Hellwig
+Cc:
+Link: http://lkml.kernel.org/r/20200206090132.154869-1-naohiro.aota@wdc.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/swapfile.c | 39 +++++++++++++++++++--------------------
+ 1 file changed, 19 insertions(+), 20 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2892,10 +2892,6 @@ static int claim_swapfile(struct swap_in
+ p->bdev = inode->i_sb->s_bdev;
+ }
+
+- inode_lock(inode);
+- if (IS_SWAPFILE(inode))
+- return -EBUSY;
+-
+ return 0;
+ }
+
+@@ -3150,17 +3146,22 @@ SYSCALL_DEFINE2(swapon, const char __use
+ mapping = swap_file->f_mapping;
+ inode = mapping->host;
+
+- /* If S_ISREG(inode->i_mode) will do inode_lock(inode); */
+ error = claim_swapfile(p, inode);
+ if (unlikely(error))
+ goto bad_swap;
+
++ inode_lock(inode);
++ if (IS_SWAPFILE(inode)) {
++ error = -EBUSY;
++ goto bad_swap_unlock_inode;
++ }
++
+ /*
+ * Read the swap header.
+ */
+ if (!mapping->a_ops->readpage) {
+ error = -EINVAL;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+ page = read_mapping_page(mapping, 0, swap_file);
+ if (IS_ERR(page)) {
+@@ -3172,14 +3173,14 @@ SYSCALL_DEFINE2(swapon, const char __use
+ maxpages = read_swap_header(p, swap_header, inode);
+ if (unlikely(!maxpages)) {
+ error = -EINVAL;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+
+ /* OK, set up the swap map and apply the bad block list */
+ swap_map = vzalloc(maxpages);
+ if (!swap_map) {
+ error = -ENOMEM;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+
+ if (bdi_cap_stable_pages_required(inode_to_bdi(inode)))
+@@ -3204,7 +3205,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+ GFP_KERNEL);
+ if (!cluster_info) {
+ error = -ENOMEM;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+
+ for (ci = 0; ci < nr_cluster; ci++)
+@@ -3213,7 +3214,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+ p->percpu_cluster = alloc_percpu(struct percpu_cluster);
+ if (!p->percpu_cluster) {
+ error = -ENOMEM;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+ for_each_possible_cpu(cpu) {
+ struct percpu_cluster *cluster;
+@@ -3227,13 +3228,13 @@ SYSCALL_DEFINE2(swapon, const char __use
+
+ error = swap_cgroup_swapon(p->type, maxpages);
+ if (error)
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+
+ nr_extents = setup_swap_map_and_extents(p, swap_header, swap_map,
+ cluster_info, maxpages, &span);
+ if (unlikely(nr_extents < 0)) {
+ error = nr_extents;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+ /* frontswap enabled? set up bit-per-page map for frontswap */
+ if (IS_ENABLED(CONFIG_FRONTSWAP))
+@@ -3273,7 +3274,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+
+ error = init_swap_address_space(p->type, maxpages);
+ if (error)
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+
+ /*
+ * Flush any pending IO and dirty mappings before we start using this
+@@ -3283,7 +3284,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+ error = inode_drain_writes(inode);
+ if (error) {
+ inode->i_flags &= ~S_SWAPFILE;
+- goto bad_swap;
++ goto bad_swap_unlock_inode;
+ }
+
+ mutex_lock(&swapon_mutex);
+@@ -3308,6 +3309,8 @@ SYSCALL_DEFINE2(swapon, const char __use
+
+ error = 0;
+ goto out;
++bad_swap_unlock_inode:
++ inode_unlock(inode);
+ bad_swap:
+ free_percpu(p->percpu_cluster);
+ p->percpu_cluster = NULL;
+@@ -3315,6 +3318,7 @@ bad_swap:
+ set_blocksize(p->bdev, p->old_block_size);
+ blkdev_put(p->bdev, FMODE_READ | FMODE_WRITE | FMODE_EXCL);
+ }
++ inode = NULL;
+ destroy_swap_extents(p);
+ swap_cgroup_swapoff(p->type);
+ spin_lock(&swap_lock);
+@@ -3326,13 +3330,8 @@ bad_swap:
+ kvfree(frontswap_map);
+ if (inced_nr_rotate_swap)
+ atomic_dec(&nr_rotate_swap);
+- if (swap_file) {
+- if (inode) {
+- inode_unlock(inode);
+- inode = NULL;
+- }
++ if (swap_file)
+ filp_close(swap_file, NULL);
+- }
+ out:
+ if (page && !IS_ERR(page)) {
+ kunmap(page);
diff --git a/queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch b/queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
new file mode 100644
index 00000000000..4813908d823
--- /dev/null
+++ b/queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
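Review bot: The `if (IS_ERR(page))` branch after `read_mapping_page()` in the swapon hunk at -3150 is only opened as context; its body lies in the unchanged gap before the next hunk (-3172), so it is not retargeted. If that body still ends in `goto bad_swap;`, a failed header read now leaves the inode locked, because `bad_swap` no longer calls `inode_unlock()`, and later lockers of that inode would block. Every other failure after `inode_lock(inode)` was switched, so this one should read `goto bad_swap_unlock_inode;` as well. The syscall body starts and ends outside these hunks, so the branch needs checking against the full 5.4 source.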
@@ -0,0 +1,37 @@
+From 0016d3201753b59f3ae84b868fe66c86ad256f19 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 25 Mar 2020 09:05:32 +0100
+Subject: nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type
+
+From: Johannes Berg
+
+commit 0016d3201753b59f3ae84b868fe66c86ad256f19 upstream.
+
+The new opmode notification used this attribute with a u8, when
+it's documented as a u32 and indeed used in userspace as such,
+it just happens to work on little-endian systems since userspace
+isn't doing any strict size validation, and the u8 goes into the
+lower byte. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 466b9936bf93 ("cfg80211: Add support to notify station's opmode change to userspace")
+Signed-off-by: Johannes Berg
+Link: https://lore.kernel.org/r/20200325090531.be124f0a11c7.Iedbf4e197a85471ebd729b186d5365c0343bf7a8@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -16407,7 +16407,7 @@ void cfg80211_sta_opmode_change_notify(s
+ goto nla_put_failure;
+
+ if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
+- nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
++ nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
+ goto nla_put_failure;
+
+ if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
diff --git a/queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch b/queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
new file mode 100644
index 00000000000..4f6d9c41496
--- /dev/null
+++ b/queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
@@ -0,0 +1,63 @@
+From 1efde2754275dbd9d11c6e0132a4f09facf297ab Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Fri, 28 Feb 2020 00:42:01 +0900
+Subject: perf probe: Do not depend on dwfl_module_addrsym()
+
+From: Masami Hiramatsu
+
+commit 1efde2754275dbd9d11c6e0132a4f09facf297ab upstream.
+
+Do not depend on dwfl_module_addrsym() because it can fail on user-space
+shared libraries.
+
+Actually, same bug was fixed by commit 664fee3dc379 ("perf probe: Do not
+use dwfl_module_addrsym if dwarf_diename finds symbol name"), but commit
+07d369857808 ("perf probe: Fix wrong address verification) reverted to
+get actual symbol address from symtab.
+
+This fixes it again by getting symbol address from DIE, and only if the
+DIE has only address range, it uses dwfl_module_addrsym().
+
+Fixes: 07d369857808 ("perf probe: Fix wrong address verification)
+Reported-by: Alexandre Ghiti
+Signed-off-by: Masami Hiramatsu
+Tested-by: Alexandre Ghiti
+Cc: Alexander Shishkin
+Cc: Greg Kroah-Hartman
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Sasha Levin
+Link: http://lore.kernel.org/lkml/158281812176.476.14164573830975116234.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/util/probe-finder.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -615,14 +615,19 @@ static int convert_to_trace_point(Dwarf_
+ return -EINVAL;
+ }
+
+- /* Try to get actual symbol name from symtab */
+- symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
++ if (dwarf_entrypc(sp_die, &eaddr) == 0) {
++ /* If the DIE has entrypc, use it. */
++ symbol = dwarf_diename(sp_die);
++ } else {
++ /* Try to get actual symbol name and address from symtab */
++ symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
++ eaddr = sym.st_value;
++ }
+ if (!symbol) {
+ pr_warning("Failed to find symbol at 0x%lx\n",
+ (unsigned long)paddr);
+ return -ENOENT;
+ }
+- eaddr = sym.st_value;
+
+ tp->offset = (unsigned long)(paddr - eaddr);
+ tp->address = (unsigned long)paddr;
diff --git a/queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch b/queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch
new file mode 100644
index 00000000000..21ecb8b3abe
--- /dev/null
+++ b/queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch
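Review bot: In convert_to_trace_point() the new `else` branch assigns `eaddr = sym.st_value;` before the `if (!symbol)` test, whereas the removed line did so only after that test had passed. When dwfl_module_addrsym() returns NULL, `sym` may not have been filled in (its declaration is outside the hunk), so the branch reads a possibly uninitialised struct just before the function returns -ENOENT. Guarding the assignment as `if (symbol) eaddr = sym.st_value;` keeps the previous ordering. The function body starts and continues outside the hunk.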
@@ -0,0 +1,61 @@
+From 6b8d68f1ce9266b05a55e93c62923ff51daae4c1 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Fri, 28 Feb 2020 16:57:42 +0900
+Subject: perf probe: Fix to delete multiple probe event
+
+From: Masami Hiramatsu
+
+commit 6b8d68f1ce9266b05a55e93c62923ff51daae4c1 upstream.
+
+When we put an event with multiple probes, perf-probe fails to delete
+with filters. This comes from a failure to list up the event name
+because of overwrapping its name.
+
+To fix this issue, skip to list up the event which has same name.
+
+Without this patch:
+
+ # perf probe -l \*
+ probe_perf:map__map_ip (on perf_sample__fprintf_brstackoff:21@
+ probe_perf:map__map_ip (on perf_sample__fprintf_brstackoff:25@
+ probe_perf:map__map_ip (on append_inlines:12@util/machine.c in
+ probe_perf:map__map_ip (on unwind_entry:19@util/machine.c in /
+ probe_perf:map__map_ip (on map__map_ip@util/map.h in /home/mhi
+ probe_perf:map__map_ip (on map__map_ip@util/map.h in /home/mhi
+ # perf probe -d \*
+ "*" does not hit any event.
+ Error: Failed to delete events. Reason: No such file or directory (Code: -2)
+
+With it:
+
+ # perf probe -d \*
+ Removed event: probe_perf:map__map_ip
+ #
+
+Fixes: 72363540c009 ("perf probe: Support multiprobe event")
+Reported-by: Arnaldo Carvalho de Melo
+Reported-by: He Zhe
+Signed-off-by: Masami Hiramatsu
+Tested-by: Arnaldo Carvalho de Melo
+Cc: Adrian Hunter
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/158287666197.16697.7514373548551863562.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 0f5fda11675f..8c852948513e 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -206,6 +206,9 @@ static struct strlist *__probe_file__get_namelist(int fd, bool include_group)
+ } else
+ ret = strlist__add(sl, tev.event);
+ clear_probe_trace_event(&tev);
++ /* Skip if there is same name multi-probe event in the list */
++ if (ret == -EEXIST)
++ ret = 0;
+ if (ret < 0)
+ break;
+ }
diff --git a/queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch b/queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
new file mode 100644
index 00000000000..388c1ed0d90
--- /dev/null
+++ b/queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
@@ -0,0 +1,123 @@
+From 5bdfa854013ce4193de0d097931fd841382c76a7 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 10 Mar 2020 09:53:39 +0200
+Subject: RDMA/mad: Do not crash if the rdma device does not have a umad interface
+
+From: Jason Gunthorpe
+
+commit 5bdfa854013ce4193de0d097931fd841382c76a7 upstream.
+
+Non-IB devices do not have a umad interface and the client_data will be
+left set to NULL. In this case calling get_nl_info() will try to kref a
+NULL cdev causing a crash:
+
+ general protection fault, probably for non-canonical address 0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
+ CPU: 0 PID: 20851 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:kobject_get+0x35/0x150 lib/kobject.c:640
+ Code: 53 e8 3f b0 8b f9 4d 85 e4 0f 84 a2 00 00 00 e8 31 b0 8b f9 49 8d 7c 24 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f b6 04 02 48 89 fa
++83 e2 07 38 d0 7f 08 84 c0 0f 85 eb 00 00 00
+ RSP: 0018:ffffc9000946f1a0 EFLAGS: 00010203
+ RAX: dffffc0000000000 RBX: ffffffff85bdbbb0 RCX: ffffc9000bf22000
+ RDX: 00000000000000ba RSI: ffffffff87e9d78f RDI: 00000000000005d4
+ RBP: ffffc9000946f1b8 R08: ffff8880581a6440 R09: ffff8880581a6cd0
+ R10: fffffbfff154b838 R11: ffffffff8aa5c1c7 R12: 0000000000000598
+ R13: 0000000000000000 R14: ffffc9000946f278 R15: ffff88805cb0c4d0
+ FS: 00007faa9e8af700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000001b30121000 CR3: 000000004515d000 CR4: 00000000001406f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ get_device+0x25/0x40 drivers/base/core.c:2574
+ __ib_get_client_nl_info+0x205/0x2e0 drivers/infiniband/core/device.c:1861
+ ib_get_client_nl_info+0x35/0x180 drivers/infiniband/core/device.c:1881
+ nldev_get_chardev+0x575/0xac0 drivers/infiniband/core/nldev.c:1621
+ rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
+ rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
+ rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:672
+ ____sys_sendmsg+0x753/0x880 net/socket.c:2343
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2397
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
+ __do_sys_sendmsg net/socket.c:2439 [inline]
+ __se_sys_sendmsg net/socket.c:2437 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Cc: stable@kernel.org
+Fixes: 8f71bb0030b8 ("RDMA: Report available cdevs through RDMA_NLDEV_CMD_GET_CHARDEV")
+Link: https://lore.kernel.org/r/20200310075339.238090-1-leon@kernel.org
+Reported-by: syzbot+46fe08363dbba223dec5@syzkaller.appspotmail.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/user_mad.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -1129,17 +1129,30 @@ static const struct file_operations umad
+ .llseek = no_llseek,
+ };
+
++static struct ib_umad_port *get_port(struct ib_device *ibdev,
++ struct ib_umad_device *umad_dev,
++ unsigned int port)
++{
++ if (!umad_dev)
++ return ERR_PTR(-EOPNOTSUPP);
++ if (!rdma_is_port_valid(ibdev, port))
++ return ERR_PTR(-EINVAL);
++ if (!rdma_cap_ib_mad(ibdev, port))
++ return ERR_PTR(-EOPNOTSUPP);
++
++ return &umad_dev->ports[port - rdma_start_port(ibdev)];
++}
++
+ static int ib_umad_get_nl_info(struct ib_device *ibdev, void *client_data,
+ struct ib_client_nl_info *res)
+ {
+- struct ib_umad_device *umad_dev = client_data;
++ struct ib_umad_port *port = get_port(ibdev, client_data, res->port);
+
+- if (!rdma_is_port_valid(ibdev, res->port))
+- return -EINVAL;
++ if (IS_ERR(port))
++ return PTR_ERR(port);
+
+ res->abi = IB_USER_MAD_ABI_VERSION;
+- res->cdev = &umad_dev->ports[res->port - rdma_start_port(ibdev)].dev;
+-
++ res->cdev = &port->dev;
+ return 0;
+ }
+
+@@ -1154,15 +1167,13 @@ MODULE_ALIAS_RDMA_CLIENT("umad");
+ static int ib_issm_get_nl_info(struct ib_device *ibdev, void *client_data,
+ struct ib_client_nl_info *res)
+ {
+- struct ib_umad_device *umad_dev =
+- ib_get_client_data(ibdev, &umad_client);
++ struct ib_umad_port *port = get_port(ibdev, client_data, res->port);
+
+- if (!rdma_is_port_valid(ibdev, res->port))
+- return -EINVAL;
++ if (IS_ERR(port))
++ return PTR_ERR(port);
+
+ res->abi = IB_USER_MAD_ABI_VERSION;
+- res->cdev = &umad_dev->ports[res->port - rdma_start_port(ibdev)].sm_dev;
+-
++ res->cdev = &port->sm_dev;
+ return 0;
+ }
+
diff --git a/queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch b/queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
new file mode 100644
index 00000000000..c246ec32f05
--- /dev/null
+++ b/queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
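Review bot: ib_issm_get_nl_info() now passes its own `client_data` argument to get_port(), while the removed lines fetched the device with `ib_get_client_data(ibdev, &umad_client)`. If the issm client stores no per-device data of its own (its registration is outside the hunk), `client_data` is NULL there and the call returns -EOPNOTSUPP for every device, which avoids the crash but would silently disable the issm chardev lookup. Keeping the lookup and passing its result, `get_port(ibdev, ib_get_client_data(ibdev, &umad_client), res->port)`, preserves the old behaviour and still gets the NULL check. A one-line comment on get_port() saying that a NULL `umad_dev` means the device has no umad interface would also help.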
@@ -0,0 +1,99 @@
+From 7aefa6237cfe4a6fcf06a8656eee988b36f8fefc Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Mon, 9 Mar 2020 16:05:15 -0300
+Subject: RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET
+
+From: Jason Gunthorpe
+
+commit 7aefa6237cfe4a6fcf06a8656eee988b36f8fefc upstream.
+
+Empty device names cannot be added to sysfs and crash with:
+
+ kobject: (00000000f9de3792): attempted to be registered with empty name!
+ WARNING: CPU: 1 PID: 10856 at lib/kobject.c:234 kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 1 PID: 10856 Comm: syz-executor459 Not tainted 5.6.0-rc3-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ panic+0x2e3/0x75c kernel/panic.c:221
+ __warn.cold+0x2f/0x3e kernel/panic.c:582
+ report_bug+0x289/0x300 lib/bug.c:195
+ fixup_bug arch/x86/kernel/traps.c:174 [inline]
+ fixup_bug arch/x86/kernel/traps.c:169 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
+ do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
+ invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
+ RIP: 0010:kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+ Code: 7a ca ca f9 e9 f0 f8 ff ff 4c 89 f7 e8 cd ca ca f9 e9 95 f9 ff ff e8 13 25 8c f9 4c 89 e6 48 c7 c7 a0 08 1a 89 e8 a3 76 5c f9 <0f> 0b 41 bd ea ff ff ff e9 52 ff ff ff e8 f2 24 8c f9 0f 0b e8 eb
+ RSP: 0018:ffffc90002006eb0 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffffffff815eae46 RDI: fffff52000400dc8
+ RBP: ffffc90002006f08 R08: ffff8880972ac500 R09: ffffed1015d26659
+ R10: ffffed1015d26658 R11: ffff8880ae9332c7 R12: ffff888093034668
+ R13: 0000000000000000 R14: ffff8880a69d7600 R15: 0000000000000001
+ kobject_add_varg lib/kobject.c:390 [inline]
+ kobject_add+0x150/0x1c0 lib/kobject.c:442
+ device_add+0x3be/0x1d00 drivers/base/core.c:2412
+ ib_register_device drivers/infiniband/core/device.c:1371 [inline]
+ ib_register_device+0x93e/0xe40 drivers/infiniband/core/device.c:1343
+ rxe_register_device+0x52e/0x655 drivers/infiniband/sw/rxe/rxe_verbs.c:1231
+ rxe_add+0x122b/0x1661 drivers/infiniband/sw/rxe/rxe.c:302
+ rxe_net_add+0x91/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:539
+ rxe_newlink+0x39/0x90 drivers/infiniband/sw/rxe/rxe.c:318
+ nldev_newlink+0x28a/0x430 drivers/infiniband/core/nldev.c:1538
+ rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
+ rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
+ rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:672
+ ____sys_sendmsg+0x753/0x880 net/socket.c:2343
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2397
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
+ __do_sys_sendmsg net/socket.c:2439 [inline]
+ __se_sys_sendmsg net/socket.c:2437 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Prevent empty names when checking the name provided from userspace during
+newlink and rename.
+
+Fixes: 3856ec4b93c9 ("RDMA/core: Add RDMA_NLDEV_CMD_NEWLINK/DELLINK support")
+Fixes: 05d940d3a3ec ("RDMA/nldev: Allow IB device rename through RDMA netlink")
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20200309191648.GA30852@ziepe.ca
+Reported-and-tested-by: syzbot+da615ac67d4dbea32cbc@syzkaller.appspotmail.com
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/nldev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -863,6 +863,10 @@ static int nldev_set_doit(struct sk_buff
+
+ nla_strlcpy(name, tb[RDMA_NLDEV_ATTR_DEV_NAME],
+ IB_DEVICE_NAME_MAX);
++ if (strlen(name) == 0) {
++ err = -EINVAL;
++ goto done;
++ }
+ err = ib_device_rename(device, name);
+ goto done;
+ }
+@@ -1468,7 +1472,7 @@ static int nldev_newlink(struct sk_buff
+
+ nla_strlcpy(ibdev_name, tb[RDMA_NLDEV_ATTR_DEV_NAME],
+ sizeof(ibdev_name));
+- if (strchr(ibdev_name, '%'))
++ if (strchr(ibdev_name, '%') || strlen(ibdev_name) == 0)
+ return -EINVAL;
+
+ nla_strlcpy(type, tb[RDMA_NLDEV_ATTR_LINK_TYPE], sizeof(type));
diff --git a/queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch b/queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
new file mode 100644
index 00000000000..24e074e0949
--- /dev/null
+++ b/queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
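Review bot: The name validation is written twice in different shapes, as a `strlen(name) == 0` block in nldev_set_doit() and folded into the `strchr(ibdev_name, '%')` test in nldev_newlink(), so within these hunks the rename path rejects an empty name but not the `%` that newlink rejects. Whether ib_device_rename() performs that check itself is not visible here. A small static helper shared by both handlers, for example `static bool nldev_name_ok(const char *name) { return name[0] != '\0' && !strchr(name, '%'); }`, would keep the two netlink entry points in step for userspace-supplied names. Both function bodies extend beyond the hunks.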
@@ -0,0 +1,37 @@
+From c80b18cbb04b7b101af9bd14550f13d9866c646a Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 19 Feb 2020 14:00:41 -0600
+Subject: rtlwifi: rtl8188ee: Fix regression due to commit d1d1a96bdb44
+
+From: Larry Finger
+
+commit c80b18cbb04b7b101af9bd14550f13d9866c646a upstream.
+
+For some unexplained reason, commit d1d1a96bdb44 ("rtlwifi: rtl8188ee:
+Remove local configuration variable") broke at least one system. As
+the only net effect of the change was to remove 2 bytes from the start
+of struct phy_status_rpt, this patch adds 2 bytes of padding at the
+beginning of the struct.
+
+Fixes: d1d1a96bdb44 ("rtlwifi: rtl8188ee: Remove local configuration variable")
+Cc: Stable # V5.4+
+Reported-by: Ashish
+Tested-by: Ashish
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h
+@@ -561,6 +561,7 @@ static inline void clear_pci_tx_desc_con
+ rxmcs == DESC92C_RATE11M)
+
+ struct phy_status_rpt {
++ u8 padding[2];
+ u8 ch_corr[2];
+ u8 cck_sig_qual_ofdm_pwdb_all;
+ u8 cck_agc_rpt_ofdm_cfosho_a;
diff --git a/queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch b/queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch
new file mode 100644
index 00000000000..068ab2dc509
--- /dev/null
+++ b/queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch
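Review bot: The new `u8 padding[2];` member at the top of struct phy_status_rpt has no comment, and the commit message itself calls the reason unexplained, so a later cleanup could remove it again as dead space. A comment on the member such as `/* keeps ch_corr at offset 2; dropping these bytes in d1d1a96bdb44 broke at least one system */` would record why it is there. The struct continues past the end of the hunk.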
@@ -0,0 +1,52 @@
+From e33a814e772cdc36436c8c188d8c42d019fda639 Mon Sep 17 00:00:00 2001
+From: Dirk Mueller
+Date: Tue, 14 Jan 2020 18:53:41 +0100
+Subject: scripts/dtc: Remove redundant YYLOC global declaration
+
+From: Dirk Mueller
+
+commit e33a814e772cdc36436c8c188d8c42d019fda639 upstream.
+
+gcc 10 will default to -fno-common, which causes this error at link
+time:
+
+ (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from plugin):(.text+0x0): first defined here
+
+This is because both dtc-lexer as well as dtc-parser define the same
+global symbol yyloc. Before with -fcommon those were merged into one
+defintion. The proper solution would be to to mark this as "extern",
+however that leads to:
+
+ dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' [-Werror=redundant-decls]
+ 26 | extern YYLTYPE yylloc;
+ | ^~~~~~
+In file included from dtc-lexer.l:24:
+dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here
+ 127 | extern YYLTYPE yylloc;
+ | ^~~~~~
+cc1: all warnings being treated as errors
+
+which means the declaration is completely redundant and can just be
+dropped.
+
+Signed-off-by: Dirk Mueller
+Signed-off-by: David Gibson
+[robh: cherry-pick from upstream]
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/dtc/dtc-lexer.l | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/scripts/dtc/dtc-lexer.l
++++ b/scripts/dtc/dtc-lexer.l
+@@ -23,7 +23,6 @@ LINECOMMENT "//".*\n
+ #include "srcpos.h"
+ #include "dtc-parser.tab.h"
+
+-YYLTYPE yylloc;
+ extern bool treesource_error;
+
+ /* CAUTION: this will stop working if we ever use yyless() or yyunput() */
diff --git a/queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch b/queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
new file mode 100644
index 00000000000..ba16ac00251
--- /dev/null
+++ b/queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
@@ -0,0 +1,54 @@
+From ea697a8bf5a4161e59806fab14f6e4a46dc7dcb0 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen"
+Date: Tue, 24 Mar 2020 11:16:15 -0400
+Subject: scsi: sd: Fix optimal I/O size for devices that change reported values
+
+From: Martin K. Petersen
+
+commit ea697a8bf5a4161e59806fab14f6e4a46dc7dcb0 upstream.
+
+Some USB bridge devices will return a default set of characteristics during
+initialization. And then, once an attached drive has spun up, substitute
+the actual parameters reported by the drive. According to the SCSI spec,
+the device should return a UNIT ATTENTION in case any reported parameters
+change. But in this case the change is made silently after a small window
+where default values are reported.
+
+Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of
+physical block size") validated the reported optimal I/O size against the
+physical block size to overcome problems with devices reporting nonsensical
+transfer sizes. However, this validation did not account for the fact that
+aforementioned devices will return default values during a brief window
+during spin-up. The subsequent change in reported characteristics would
+invalidate the checking that had previously been performed.
+
+Unset a previously configured optimal I/O size should the sanity checking
+fail on subsequent revalidate attempts.
+
+Link: https://lore.kernel.org/r/33fb522e-4f61-1b76-914f-c9e6a3553c9b@gmail.com
+Cc: Bryan Gurney
+Cc:
+Reported-by: Bernhard Sulzer
+Tested-by: Bernhard Sulzer
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3171,9 +3171,11 @@ static int sd_revalidate_disk(struct gen
+ if (sd_validate_opt_xfer_size(sdkp, dev_max)) {
+ q->limits.io_opt = logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+ rw_max = logical_to_sectors(sdp, sdkp->opt_xfer_blocks);
+- } else
++ } else {
++ q->limits.io_opt = 0;
+ rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
+ (sector_t)BLK_DEF_MAX_SECTORS);
++ }
+
+ /* Do not exceed controller limit */
+ rw_max = min(rw_max, queue_max_hw_sectors(q));
diff --git a/queue-5.4/series b/queue-5.4/series
index 84d9f8197d8..c47c9abe6de 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -80,3 +80,24 @@ input-synaptics-enable-rmi-on-hp-envy-13-ad105ng.patch
 input-avoid-bit-macro-usage-in-the-serio.h-uapi-header.patch
 ib-rdmavt-free-kernel-completion-queue-when-done.patch
 rdma-core-fix-missing-error-check-on-dev_set_name.patch
+gpiolib-fix-irq_disable-semantics.patch
+rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
+rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
+ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch
+ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch
+arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch
+arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch
+x86-ioremap-fix-config_efi-n-build.patch
+perf-probe-fix-to-delete-multiple-probe-event.patch
+perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
+rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
+tools-let-o-makes-handle-a-relative-path-with-c-option.patch
+scripts-dtc-remove-redundant-yyloc-global-declaration.patch
+scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
+nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
+mac80211-drop-data-frames-without-key-on-encrypted-links.patch
+mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch
+mac80211-mark-station-unauthorized-before-key-removal.patch
+mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch
+drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch
+mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch
diff --git a/queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch b/queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch
new file mode 100644
index 00000000000..d8f098302ee
--- /dev/null
+++ b/queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch
@@ -0,0 +1,72 @@
+From be40920fbf1003c38ccdc02b571e01a75d890c82 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Sat, 7 Mar 2020 03:32:58 +0900
+Subject: tools: Let O= makes handle a relative path with -C option
+
+From: Masami Hiramatsu
+
+commit be40920fbf1003c38ccdc02b571e01a75d890c82 upstream.
+
+When I tried to compile tools/perf from the top directory with the -C
+option, the O= option didn't work correctly if I passed a relative path:
+
+ $ make O=BUILD -C tools/perf/
+ make: Entering directory '/home/mhiramat/ksrc/linux/tools/perf'
+ BUILD: Doing 'make -j8' parallel build
+ ../scripts/Makefile.include:4: *** O=/home/mhiramat/ksrc/linux/tools/perf/BUILD does not exist. Stop.
+ make: *** [Makefile:70: all] Error 2
+ make: Leaving directory '/home/mhiramat/ksrc/linux/tools/perf'
+
+The O= directory existence check failed because the check script ran in
+the build target directory instead of the directory where I ran the make
+command.
+
+To fix that, once change directory to $(PWD) and check O= directory,
+since the PWD is set to where the make command runs.
+
+Fixes: c883122acc0d ("perf tools: Let O= makes handle relative paths")
+Reported-by: Randy Dunlap
+Signed-off-by: Masami Hiramatsu
+Cc: Andrew Morton
+Cc: Borislav Petkov
+Cc: Geert Uytterhoeven
+Cc: Jiri Olsa
+Cc: Masahiro Yamada
+Cc: Michal Marek
+Cc: Peter Zijlstra
+Cc: Sasha Levin
+Cc: Steven Rostedt (VMware)
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/158351957799.3363.15269768530697526765.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/Makefile | 2 +-
+ tools/scripts/Makefile.include | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/Makefile
++++ b/tools/perf/Makefile
+@@ -35,7 +35,7 @@ endif
+ # Only pass canonical directory names as the output directory:
+ #
+ ifneq ($(O),)
+- FULL_O := $(shell readlink -f $(O) || echo $(O))
++ FULL_O := $(shell cd $(PWD); readlink -f $(O) || echo $(O))
+ endif
+
+ #
+--- a/tools/scripts/Makefile.include
++++ b/tools/scripts/Makefile.include
+@@ -1,8 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0
+ ifneq ($(O),)
+ ifeq ($(origin O), command line)
+- dummy := $(if $(shell test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
+- ABSOLUTE_O := $(shell cd $(O) ; pwd)
++ dummy := $(if $(shell cd $(PWD); test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
++ ABSOLUTE_O := $(shell cd $(PWD); cd $(O) ; pwd)
+ OUTPUT := $(ABSOLUTE_O)/$(if $(subdir),$(subdir)/)
+ COMMAND_O := O=$(ABSOLUTE_O)
+ ifeq ($(objtree),)
diff --git a/queue-5.4/x86-ioremap-fix-config_efi-n-build.patch b/queue-5.4/x86-ioremap-fix-config_efi-n-build.patch
new file mode 100644
index 00000000000..1cedd40e843
--- /dev/null
+++ b/queue-5.4/x86-ioremap-fix-config_efi-n-build.patch
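Review bot: In the added lines of both Makefile hunks, `cd $(PWD);` is chained with `;`, so when `PWD` is unset or stale in the inherited environment the `cd` fails (or, with an empty value, goes to the home directory) and the `O=` check still runs in whatever directory the shell ended up in. Chaining with `&&` ties the check to a successful directory change: `FULL_O := $(shell cd $(PWD) && readlink -f $(O) || echo $(O))`, and in tools/scripts/Makefile.include `$(shell cd $(PWD) && test -d $(O) || echo $(O))` and `$(shell cd $(PWD) && cd $(O) && pwd)`. `$(PWD)` and `$(O)` are also expanded unquoted inside `$(shell …)`, so a path containing spaces or shell metacharacters is word-split or interpreted by the shell; double-quoting both expansions would make the check robust for build trees under unusual paths.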
@@ -0,0 +1,39 @@
+From 870b4333a62e45b0b2000d14b301b7b8b8cad9da Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Wed, 18 Mar 2020 19:27:48 +0100
+Subject: x86/ioremap: Fix CONFIG_EFI=n build
+
+From: Borislav Petkov
+
+commit 870b4333a62e45b0b2000d14b301b7b8b8cad9da upstream.
+
+In order to use efi_mem_type(), one needs CONFIG_EFI enabled. Otherwise
+that function is undefined. Use IS_ENABLED() to check and avoid the
+ifdeffery as the compiler optimizes away the following unreachable code
+then.
+
+Fixes: 985e537a4082 ("x86/ioremap: Map EFI runtime services data as encrypted for SEV")
+Reported-by: Randy Dunlap
+Signed-off-by: Borislav Petkov
+Tested-by: Randy Dunlap
+Cc: Tom Lendacky
+Cc:
+Link: https://lkml.kernel.org/r/7561e981-0d9b-d62c-0ef2-ce6007aff1ab@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/mm/ioremap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/mm/ioremap.c
++++ b/arch/x86/mm/ioremap.c
+@@ -115,6 +115,9 @@ static void __ioremap_check_other(resour
+ if (!sev_active())
+ return;
+
++ if (!IS_ENABLED(CONFIG_EFI))
++ return;
++
+ if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA)
+ desc->flags |= IORES_MAP_ENCRYPTED;
+ }
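Review bot: The added `if (!IS_ENABLED(CONFIG_EFI)) return;` in `__ioremap_check_other()` carries no comment, and its purpose is not obvious from the code alone: it is there so that the `efi_mem_type()` call below becomes unreachable and is dropped by the compiler when EFI is disabled, which presumably relies on a declaration of `efi_mem_type()` still being visible in that configuration (not shown in this hunk). A short comment such as `/* efi_mem_type() is undefined without CONFIG_EFI; returning here lets the compiler drop the call below */` would keep a later cleanup from removing the guard and reintroducing the build failure. It is also worth stating in that comment that with CONFIG_EFI=n this function never sets `IORES_MAP_ENCRYPTED` under SEV. The function begins outside the hunk.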