From: Greg Kroah-Hartman Date: Mon, 7 Aug 2023 07:15:59 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.321~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=788a0d726e6d0fcc422b1a18cc3711cfd9c7c46f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-stratix10-fix-incorrect-i2c-property-for-scl-signal.patch bpf-disable-preemption-in-bpf_event_output.patch ceph-defer-stopping-mdsc-delayed_work.patch drm-ttm-check-null-pointer-before-accessing-when-swapping.patch exfat-release-s_lock-before-calling-dir_emit.patch exfat-use-kvmalloc_array-kvfree-instead-of-kmalloc_array-kfree.patch libceph-fix-potential-hang-in-ceph_osdc_notify.patch mtd-rawnand-meson-fix-oob-available-bytes-for-ecc.patch mtd-spinand-toshiba-fix-ecc_get_status.patch net-tap_open-set-sk_uid-from-current_fsuid.patch net-tun_chr_open-set-sk_uid-from-current_fsuid.patch open-make-resolve_cached-correctly-test-for-o_tmpfile.patch scsi-zfcp-defer-fc_rport-blocking-until-after-adisc-response.patch usb-zaurus-add-id-for-a-300-b-500-c-700.patch --- diff --git a/queue-5.10/arm64-dts-stratix10-fix-incorrect-i2c-property-for-scl-signal.patch b/queue-5.10/arm64-dts-stratix10-fix-incorrect-i2c-property-for-scl-signal.patch new file mode 100644 index 00000000000..f795907e475 --- /dev/null +++ b/queue-5.10/arm64-dts-stratix10-fix-incorrect-i2c-property-for-scl-signal.patch @@ -0,0 +1,43 @@ +From db66795f61354c373ecdadbdae1ed253a96c47cb Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Tue, 11 Jul 2023 15:44:30 -0500 +Subject: arm64: dts: stratix10: fix incorrect I2C property for SCL signal + +From: Dinh Nguyen + +commit db66795f61354c373ecdadbdae1ed253a96c47cb upstream. + +The correct dts property for the SCL falling time is +"i2c-scl-falling-time-ns". + +Fixes: c8da1d15b8a4 ("arm64: dts: stratix10: i2c clock running out of spec") +Cc: stable@vger.kernel.org +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts | 2 +- + arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts +@@ -129,7 +129,7 @@ + status = "okay"; + clock-frequency = <100000>; + i2c-sda-falling-time-ns = <890>; /* hcnt */ +- i2c-sdl-falling-time-ns = <890>; /* lcnt */ ++ i2c-scl-falling-time-ns = <890>; /* lcnt */ + + adc@14 { + compatible = "lltc,ltc2497"; +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts +@@ -162,7 +162,7 @@ + status = "okay"; + clock-frequency = <100000>; + i2c-sda-falling-time-ns = <890>; /* hcnt */ +- i2c-sdl-falling-time-ns = <890>; /* lcnt */ ++ i2c-scl-falling-time-ns = <890>; /* lcnt */ + + adc@14 { + compatible = "lltc,ltc2497"; diff --git a/queue-5.10/bpf-disable-preemption-in-bpf_event_output.patch b/queue-5.10/bpf-disable-preemption-in-bpf_event_output.patch new file mode 100644 index 00000000000..13a642b26e3 --- /dev/null +++ b/queue-5.10/bpf-disable-preemption-in-bpf_event_output.patch @@ -0,0 +1,91 @@ +From d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Tue, 25 Jul 2023 10:42:06 +0200 +Subject: bpf: Disable preemption in bpf_event_output + +From: Jiri Olsa + +commit d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 upstream. + +We received report [1] of kernel crash, which is caused by +using nesting protection without disabled preemption. + +The bpf_event_output can be called by programs executed by +bpf_prog_run_array_cg function that disabled migration but +keeps preemption enabled. + +This can cause task to be preempted by another one inside the +nesting protection and lead eventually to two tasks using same +perf_sample_data buffer and cause crashes like: + + BUG: kernel NULL pointer dereference, address: 0000000000000001 + #PF: supervisor instruction fetch in kernel mode + #PF: error_code(0x0010) - not-present page + ... + ? perf_output_sample+0x12a/0x9a0 + ? finish_task_switch.isra.0+0x81/0x280 + ? perf_event_output+0x66/0xa0 + ? bpf_event_output+0x13a/0x190 + ? bpf_event_output_data+0x22/0x40 + ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb + ? xa_load+0x87/0xe0 + ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 + ? release_sock+0x3e/0x90 + ? sk_setsockopt+0x1a1/0x12f0 + ? udp_pre_connect+0x36/0x50 + ? inet_dgram_connect+0x93/0xa0 + ? __sys_connect+0xb4/0xe0 + ? udp_setsockopt+0x27/0x40 + ? __pfx_udp_push_pending_frames+0x10/0x10 + ? __sys_setsockopt+0xdf/0x1a0 + ? __x64_sys_connect+0xf/0x20 + ? do_syscall_64+0x3a/0x90 + ? entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixing this by disabling preemption in bpf_event_output. + +[1] https://github.com/cilium/cilium/issues/26756 +Cc: stable@vger.kernel.org +Reported-by: Oleg "livelace" Popov +Closes: https://github.com/cilium/cilium/issues/26756 +Fixes: 2a916f2f546c ("bpf: Use migrate_disable/enable in array macros and cgroup/lirc code.") +Acked-by: Hou Tao +Signed-off-by: Jiri Olsa +Link: https://lore.kernel.org/r/20230725084206.580930-3-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/bpf_trace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -970,7 +970,6 @@ static DEFINE_PER_CPU(struct bpf_trace_s + u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size, + void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy) + { +- int nest_level = this_cpu_inc_return(bpf_event_output_nest_level); + struct perf_raw_frag frag = { + .copy = ctx_copy, + .size = ctx_size, +@@ -987,8 +986,12 @@ u64 bpf_event_output(struct bpf_map *map + }; + struct perf_sample_data *sd; + struct pt_regs *regs; ++ int nest_level; + u64 ret; + ++ preempt_disable(); ++ nest_level = this_cpu_inc_return(bpf_event_output_nest_level); ++ + if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(bpf_misc_sds.sds))) { + ret = -EBUSY; + goto out; +@@ -1003,6 +1006,7 @@ u64 bpf_event_output(struct bpf_map *map + ret = __bpf_perf_event_output(regs, map, flags, sd); + out: + this_cpu_dec(bpf_event_output_nest_level); ++ preempt_enable(); + return ret; + } + diff --git a/queue-5.10/ceph-defer-stopping-mdsc-delayed_work.patch b/queue-5.10/ceph-defer-stopping-mdsc-delayed_work.patch new file mode 100644 index 00000000000..bb9bc6d464d --- /dev/null +++ b/queue-5.10/ceph-defer-stopping-mdsc-delayed_work.patch @@ -0,0 +1,79 @@ +From e7e607bd00481745550389a29ecabe33e13d67cf Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Tue, 25 Jul 2023 12:03:59 +0800 +Subject: ceph: defer stopping mdsc delayed_work + +From: Xiubo Li + +commit e7e607bd00481745550389a29ecabe33e13d67cf upstream. + +Flushing the dirty buffer may take a long time if the cluster is +overloaded or if there is network issue. So we should ping the +MDSs periodically to keep alive, else the MDS will blocklist +the kclient. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/61843 +Signed-off-by: Xiubo Li +Reviewed-by: Milind Changire +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 4 ++-- + fs/ceph/mds_client.h | 5 +++++ + fs/ceph/super.c | 10 ++++++++++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -4511,7 +4511,7 @@ static void delayed_work(struct work_str + + dout("mdsc delayed_work\n"); + +- if (mdsc->stopping) ++ if (mdsc->stopping >= CEPH_MDSC_STOPPING_FLUSHED) + return; + + mutex_lock(&mdsc->mutex); +@@ -4701,7 +4701,7 @@ void send_flush_mdlog(struct ceph_mds_se + void ceph_mdsc_pre_umount(struct ceph_mds_client *mdsc) + { + dout("pre_umount\n"); +- mdsc->stopping = 1; ++ mdsc->stopping = CEPH_MDSC_STOPPING_BEGIN; + + ceph_mdsc_iterate_sessions(mdsc, send_flush_mdlog, true); + ceph_mdsc_iterate_sessions(mdsc, lock_unlock_session, false); +--- a/fs/ceph/mds_client.h ++++ b/fs/ceph/mds_client.h +@@ -372,6 +372,11 @@ struct cap_wait { + int want; + }; + ++enum { ++ CEPH_MDSC_STOPPING_BEGIN = 1, ++ CEPH_MDSC_STOPPING_FLUSHED = 2, ++}; ++ + /* + * mds client state + */ +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -1222,6 +1222,16 @@ static void ceph_kill_sb(struct super_bl + ceph_mdsc_pre_umount(fsc->mdsc); + flush_fs_workqueues(fsc); + ++ /* ++ * Though the kill_anon_super() will finally trigger the ++ * sync_filesystem() anyway, we still need to do it here ++ * and then bump the stage of shutdown to stop the work ++ * queue as earlier as possible. ++ */ ++ sync_filesystem(s); ++ ++ fsc->mdsc->stopping = CEPH_MDSC_STOPPING_FLUSHED; ++ + kill_anon_super(s); + + fsc->client->extra_mon_dispatch = NULL; diff --git a/queue-5.10/drm-ttm-check-null-pointer-before-accessing-when-swapping.patch b/queue-5.10/drm-ttm-check-null-pointer-before-accessing-when-swapping.patch new file mode 100644 index 00000000000..79f911bdca0 --- /dev/null +++ b/queue-5.10/drm-ttm-check-null-pointer-before-accessing-when-swapping.patch @@ -0,0 +1,71 @@ +From 2dedcf414bb01b8d966eb445db1d181d92304fb2 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Mon, 24 Jul 2023 10:42:29 +0800 +Subject: drm/ttm: check null pointer before accessing when swapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +commit 2dedcf414bb01b8d966eb445db1d181d92304fb2 upstream. + +Add a check to avoid null pointer dereference as below: + +[ 90.002283] general protection fault, probably for non-canonical +address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 90.002292] KASAN: null-ptr-deref in range +[0x0000000000000000-0x0000000000000007] +[ 90.002346] ? exc_general_protection+0x159/0x240 +[ 90.002352] ? asm_exc_general_protection+0x26/0x30 +[ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm] +[ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm] +[ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm] +[ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm] +[ 90.002391] ? lock_acquire+0x44d/0x4f0 +[ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm] +[ 90.002412] ? lock_acquired+0x355/0xa00 +[ 90.002416] ? do_raw_spin_trylock+0xb6/0x190 +[ 90.002421] ? __pfx_lock_acquired+0x10/0x10 +[ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm] +[ 90.002442] ttm_device_swapout+0x198/0x260 [ttm] +[ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm] +[ 90.002472] ttm_global_swapout+0x75/0x210 [ttm] +[ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm] +[ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm] +[ 90.002517] ttm_bo_validate+0x275/0x430 [ttm] +[ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm] +[ 90.002544] ? kasan_save_stack+0x33/0x60 +[ 90.002550] ? kasan_set_track+0x25/0x30 +[ 90.002554] ? __kasan_kmalloc+0x8f/0xa0 +[ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu] +[ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm] +[ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu] +[ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0 +[ 90.003210] ? do_syscall_64+0x60/0x90 + +Fixes: a2848d08742c ("drm/ttm: never consider pinned BOs for eviction&swap") +Tested-by: Mikhail Gavrilov +Signed-off-by: Guchun Chen +Reviewed-by: Alex Deucher +Reviewed-by: Christian König +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230724024229.1118444-1-guchun.chen@amd.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ttm/ttm_bo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -674,7 +674,8 @@ static bool ttm_bo_evict_swapout_allowab + + if (bo->pin_count) { + *locked = false; +- *busy = false; ++ if (busy) ++ *busy = false; + return false; + } + diff --git a/queue-5.10/exfat-release-s_lock-before-calling-dir_emit.patch b/queue-5.10/exfat-release-s_lock-before-calling-dir_emit.patch new file mode 100644 index 00000000000..19beee44251 --- /dev/null +++ b/queue-5.10/exfat-release-s_lock-before-calling-dir_emit.patch @@ -0,0 +1,129 @@ +From ff84772fd45d486e4fc78c82e2f70ce5333543e6 Mon Sep 17 00:00:00 2001 +From: Sungjong Seo +Date: Fri, 14 Jul 2023 17:43:54 +0900 +Subject: exfat: release s_lock before calling dir_emit() + +From: Sungjong Seo + +commit ff84772fd45d486e4fc78c82e2f70ce5333543e6 upstream. + +There is a potential deadlock reported by syzbot as below: + +====================================================== +WARNING: possible circular locking dependency detected +6.4.0-next-20230707-syzkaller #0 Not tainted +------------------------------------------------------ +syz-executor330/5073 is trying to acquire lock: +ffff8880218527a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock_killable include/linux/mmap_lock.h:151 [inline] +ffff8880218527a0 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5293 [inline] +ffff8880218527a0 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x369/0x510 mm/memory.c:5344 +but task is already holding lock: +ffff888019f760e0 (&sbi->s_lock){+.+.}-{3:3}, at: exfat_iterate+0x117/0xb50 fs/exfat/dir.c:232 + +which lock already depends on the new lock. + +Chain exists of: + &mm->mmap_lock --> mapping.invalidate_lock#3 --> &sbi->s_lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&sbi->s_lock); + lock(mapping.invalidate_lock#3); + lock(&sbi->s_lock); + rlock(&mm->mmap_lock); + +Let's try to avoid above potential deadlock condition by moving dir_emit*() +out of sbi->s_lock coverage. + +Fixes: ca06197382bd ("exfat: add directory operations") +Cc: stable@vger.kernel.org #v5.7+ +Reported-by: syzbot+1741a5d9b79989c10bdc@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/00000000000078ee7e060066270b@google.com/T/#u +Tested-by: syzbot+1741a5d9b79989c10bdc@syzkaller.appspotmail.com +Signed-off-by: Sungjong Seo +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/dir.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +--- a/fs/exfat/dir.c ++++ b/fs/exfat/dir.c +@@ -210,7 +210,10 @@ static void exfat_free_namebuf(struct ex + exfat_init_namebuf(nb); + } + +-/* skip iterating emit_dots when dir is empty */ ++/* ++ * Before calling dir_emit*(), sbi->s_lock should be released ++ * because page fault can occur in dir_emit*(). ++ */ + #define ITER_POS_FILLED_DOTS (2) + static int exfat_iterate(struct file *filp, struct dir_context *ctx) + { +@@ -225,11 +228,10 @@ static int exfat_iterate(struct file *fi + int err = 0, fake_offset = 0; + + exfat_init_namebuf(nb); +- mutex_lock(&EXFAT_SB(sb)->s_lock); + + cpos = ctx->pos; + if (!dir_emit_dots(filp, ctx)) +- goto unlock; ++ goto out; + + if (ctx->pos == ITER_POS_FILLED_DOTS) { + cpos = 0; +@@ -241,16 +243,18 @@ static int exfat_iterate(struct file *fi + /* name buffer should be allocated before use */ + err = exfat_alloc_namebuf(nb); + if (err) +- goto unlock; ++ goto out; + get_new: ++ mutex_lock(&EXFAT_SB(sb)->s_lock); ++ + if (ei->flags == ALLOC_NO_FAT_CHAIN && cpos >= i_size_read(inode)) + goto end_of_dir; + + err = exfat_readdir(inode, &cpos, &de); + if (err) { + /* +- * At least we tried to read a sector. Move cpos to next sector +- * position (should be aligned). ++ * At least we tried to read a sector. ++ * Move cpos to next sector position (should be aligned). + */ + if (err == -EIO) { + cpos += 1 << (sb->s_blocksize_bits); +@@ -273,16 +277,10 @@ get_new: + inum = iunique(sb, EXFAT_ROOT_INO); + } + +- /* +- * Before calling dir_emit(), sb_lock should be released. +- * Because page fault can occur in dir_emit() when the size +- * of buffer given from user is larger than one page size. +- */ + mutex_unlock(&EXFAT_SB(sb)->s_lock); + if (!dir_emit(ctx, nb->lfn, strlen(nb->lfn), inum, + (de.attr & ATTR_SUBDIR) ? DT_DIR : DT_REG)) +- goto out_unlocked; +- mutex_lock(&EXFAT_SB(sb)->s_lock); ++ goto out; + ctx->pos = cpos; + goto get_new; + +@@ -290,9 +288,8 @@ end_of_dir: + if (!cpos && fake_offset) + cpos = ITER_POS_FILLED_DOTS; + ctx->pos = cpos; +-unlock: + mutex_unlock(&EXFAT_SB(sb)->s_lock); +-out_unlocked: ++out: + /* + * To improve performance, free namebuf after unlock sb_lock. + * If namebuf is not allocated, this function do nothing diff --git a/queue-5.10/exfat-use-kvmalloc_array-kvfree-instead-of-kmalloc_array-kfree.patch b/queue-5.10/exfat-use-kvmalloc_array-kvfree-instead-of-kmalloc_array-kfree.patch new file mode 100644 index 00000000000..60c0fa5ac38 --- /dev/null +++ b/queue-5.10/exfat-use-kvmalloc_array-kvfree-instead-of-kmalloc_array-kfree.patch @@ -0,0 +1,81 @@ +From daf60d6cca26e50d65dac374db92e58de745ad26 Mon Sep 17 00:00:00 2001 +From: gaoming +Date: Wed, 5 Jul 2023 15:15:15 +0800 +Subject: exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree + +From: gaoming + +commit daf60d6cca26e50d65dac374db92e58de745ad26 upstream. + +The call stack shown below is a scenario in the Linux 4.19 kernel. +Allocating memory failed where exfat fs use kmalloc_array due to +system memory fragmentation, while the u-disk was inserted without +recognition. +Devices such as u-disk using the exfat file system are pluggable and +may be insert into the system at any time. +However, long-term running systems cannot guarantee the continuity of +physical memory. Therefore, it's necessary to address this issue. + +Binder:2632_6: page allocation failure: order:4, + mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) +Call trace: +[242178.097582] dump_backtrace+0x0/0x4 +[242178.097589] dump_stack+0xf4/0x134 +[242178.097598] warn_alloc+0xd8/0x144 +[242178.097603] __alloc_pages_nodemask+0x1364/0x1384 +[242178.097608] kmalloc_order+0x2c/0x510 +[242178.097612] kmalloc_order_trace+0x40/0x16c +[242178.097618] __kmalloc+0x360/0x408 +[242178.097624] load_alloc_bitmap+0x160/0x284 +[242178.097628] exfat_fill_super+0xa3c/0xe7c +[242178.097635] mount_bdev+0x2e8/0x3a0 +[242178.097638] exfat_fs_mount+0x40/0x50 +[242178.097643] mount_fs+0x138/0x2e8 +[242178.097649] vfs_kern_mount+0x90/0x270 +[242178.097655] do_mount+0x798/0x173c +[242178.097659] ksys_mount+0x114/0x1ac +[242178.097665] __arm64_sys_mount+0x24/0x34 +[242178.097671] el0_svc_common+0xb8/0x1b8 +[242178.097676] el0_svc_handler+0x74/0x90 +[242178.097681] el0_svc+0x8/0x340 + +By analyzing the exfat code,we found that continuous physical memory +is not required here,so kvmalloc_array is used can solve this problem. + +Cc: stable@vger.kernel.org +Signed-off-by: gaoming +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/balloc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/exfat/balloc.c ++++ b/fs/exfat/balloc.c +@@ -69,7 +69,7 @@ static int exfat_allocate_bitmap(struct + } + sbi->map_sectors = ((need_map_size - 1) >> + (sb->s_blocksize_bits)) + 1; +- sbi->vol_amap = kmalloc_array(sbi->map_sectors, ++ sbi->vol_amap = kvmalloc_array(sbi->map_sectors, + sizeof(struct buffer_head *), GFP_KERNEL); + if (!sbi->vol_amap) + return -ENOMEM; +@@ -84,7 +84,7 @@ static int exfat_allocate_bitmap(struct + while (j < i) + brelse(sbi->vol_amap[j++]); + +- kfree(sbi->vol_amap); ++ kvfree(sbi->vol_amap); + sbi->vol_amap = NULL; + return -EIO; + } +@@ -138,7 +138,7 @@ void exfat_free_bitmap(struct exfat_sb_i + for (i = 0; i < sbi->map_sectors; i++) + __brelse(sbi->vol_amap[i]); + +- kfree(sbi->vol_amap); ++ kvfree(sbi->vol_amap); + } + + int exfat_set_bitmap(struct inode *inode, unsigned int clu) diff --git a/queue-5.10/libceph-fix-potential-hang-in-ceph_osdc_notify.patch b/queue-5.10/libceph-fix-potential-hang-in-ceph_osdc_notify.patch new file mode 100644 index 00000000000..264d5b98b71 --- /dev/null +++ b/queue-5.10/libceph-fix-potential-hang-in-ceph_osdc_notify.patch @@ -0,0 +1,69 @@ +From e6e2843230799230fc5deb8279728a7218b0d63c Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 1 Aug 2023 19:14:24 +0200 +Subject: libceph: fix potential hang in ceph_osdc_notify() + +From: Ilya Dryomov + +commit e6e2843230799230fc5deb8279728a7218b0d63c upstream. + +If the cluster becomes unavailable, ceph_osdc_notify() may hang even +with osd_request_timeout option set because linger_notify_finish_wait() +waits for MWatchNotify NOTIFY_COMPLETE message with no associated OSD +request in flight -- it's completely asynchronous. + +Introduce an additional timeout, derived from the specified notify +timeout. While at it, switch both waits to killable which is more +correct. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Dongsheng Yang +Reviewed-by: Xiubo Li +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osd_client.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -3330,17 +3330,24 @@ static int linger_reg_commit_wait(struct + int ret; + + dout("%s lreq %p linger_id %llu\n", __func__, lreq, lreq->linger_id); +- ret = wait_for_completion_interruptible(&lreq->reg_commit_wait); ++ ret = wait_for_completion_killable(&lreq->reg_commit_wait); + return ret ?: lreq->reg_commit_error; + } + +-static int linger_notify_finish_wait(struct ceph_osd_linger_request *lreq) ++static int linger_notify_finish_wait(struct ceph_osd_linger_request *lreq, ++ unsigned long timeout) + { +- int ret; ++ long left; + + dout("%s lreq %p linger_id %llu\n", __func__, lreq, lreq->linger_id); +- ret = wait_for_completion_interruptible(&lreq->notify_finish_wait); +- return ret ?: lreq->notify_finish_error; ++ left = wait_for_completion_killable_timeout(&lreq->notify_finish_wait, ++ ceph_timeout_jiffies(timeout)); ++ if (left <= 0) ++ left = left ?: -ETIMEDOUT; ++ else ++ left = lreq->notify_finish_error; /* completed */ ++ ++ return left; + } + + /* +@@ -4888,7 +4895,8 @@ int ceph_osdc_notify(struct ceph_osd_cli + linger_submit(lreq); + ret = linger_reg_commit_wait(lreq); + if (!ret) +- ret = linger_notify_finish_wait(lreq); ++ ret = linger_notify_finish_wait(lreq, ++ msecs_to_jiffies(2 * timeout * MSEC_PER_SEC)); + else + dout("lreq %p failed to initiate notify %d\n", lreq, ret); + diff --git a/queue-5.10/mtd-rawnand-meson-fix-oob-available-bytes-for-ecc.patch b/queue-5.10/mtd-rawnand-meson-fix-oob-available-bytes-for-ecc.patch new file mode 100644 index 00000000000..303a7fd3837 --- /dev/null +++ b/queue-5.10/mtd-rawnand-meson-fix-oob-available-bytes-for-ecc.patch @@ -0,0 +1,44 @@ +From 7e6b04f9238eab0f684fafd158c1f32ea65b9eaa Mon Sep 17 00:00:00 2001 +From: Arseniy Krasnov +Date: Wed, 5 Jul 2023 09:52:10 +0300 +Subject: mtd: rawnand: meson: fix OOB available bytes for ECC + +From: Arseniy Krasnov + +commit 7e6b04f9238eab0f684fafd158c1f32ea65b9eaa upstream. + +It is incorrect to calculate number of OOB bytes for ECC engine using +some "already known" ECC step size (1024 bytes here). Number of such +bytes for ECC engine must be whole OOB except 2 bytes for bad block +marker, while proper ECC step size and strength will be selected by +ECC logic. + +Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") +Cc: +Signed-off-by: Arseniy Krasnov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230705065211.293500-1-AVKrasnov@sberdevices.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/meson_nand.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/meson_nand.c ++++ b/drivers/mtd/nand/raw/meson_nand.c +@@ -1180,7 +1180,6 @@ static int meson_nand_attach_chip(struct + struct meson_nfc *nfc = nand_get_controller_data(nand); + struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand); + struct mtd_info *mtd = nand_to_mtd(nand); +- int nsectors = mtd->writesize / 1024; + int ret; + + if (!mtd->name) { +@@ -1198,7 +1197,7 @@ static int meson_nand_attach_chip(struct + nand->options |= NAND_NO_SUBPAGE_WRITE; + + ret = nand_ecc_choose_conf(nand, nfc->data->ecc_caps, +- mtd->oobsize - 2 * nsectors); ++ mtd->oobsize - 2); + if (ret) { + dev_err(nfc->dev, "failed to ECC init\n"); + return -EINVAL; diff --git a/queue-5.10/mtd-spinand-toshiba-fix-ecc_get_status.patch b/queue-5.10/mtd-spinand-toshiba-fix-ecc_get_status.patch new file mode 100644 index 00000000000..be66e6f2176 --- /dev/null +++ b/queue-5.10/mtd-spinand-toshiba-fix-ecc_get_status.patch @@ -0,0 +1,54 @@ +From 8544cda94dae6be3f1359539079c68bb731428b1 Mon Sep 17 00:00:00 2001 +From: Olivier Maignial +Date: Fri, 23 Jun 2023 17:33:36 +0200 +Subject: mtd: spinand: toshiba: Fix ecc_get_status + +From: Olivier Maignial + +commit 8544cda94dae6be3f1359539079c68bb731428b1 upstream. + +Reading ECC status is failing. + +tx58cxgxsxraix_ecc_get_status() is using on-stack buffer +for SPINAND_GET_FEATURE_OP() output. It is not suitable +for DMA needs of spi-mem. + +Fix this by using the spi-mem operations dedicated buffer +spinand->scratchbuf. + +See +spinand->scratchbuf: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/mtd/spinand.h?h=v6.3#n418 +spi_mem_check_op(): +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/spi/spi-mem.c?h=v6.3#n199 + +Fixes: 10949af1681d ("mtd: spinand: Add initial support for Toshiba TC58CVG2S0H") +Cc: stable@vger.kernel.org +Signed-off-by: Olivier Maignial +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/DB4P250MB1032553D05FBE36DEE0D311EFE23A@DB4P250MB1032.EURP250.PROD.OUTLOOK.COM +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/toshiba.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/spi/toshiba.c ++++ b/drivers/mtd/nand/spi/toshiba.c +@@ -73,7 +73,7 @@ static int tx58cxgxsxraix_ecc_get_status + { + struct nand_device *nand = spinand_to_nand(spinand); + u8 mbf = 0; +- struct spi_mem_op op = SPINAND_GET_FEATURE_OP(0x30, &mbf); ++ struct spi_mem_op op = SPINAND_GET_FEATURE_OP(0x30, spinand->scratchbuf); + + switch (status & STATUS_ECC_MASK) { + case STATUS_ECC_NO_BITFLIPS: +@@ -92,7 +92,7 @@ static int tx58cxgxsxraix_ecc_get_status + if (spi_mem_exec_op(spinand->spimem, &op)) + return nanddev_get_ecc_requirements(nand)->strength; + +- mbf >>= 4; ++ mbf = *(spinand->scratchbuf) >> 4; + + if (WARN_ON(mbf > nanddev_get_ecc_requirements(nand)->strength || !mbf)) + return nanddev_get_ecc_requirements(nand)->strength; diff --git a/queue-5.10/net-tap_open-set-sk_uid-from-current_fsuid.patch b/queue-5.10/net-tap_open-set-sk_uid-from-current_fsuid.patch new file mode 100644 index 00000000000..6a76454b473 --- /dev/null +++ b/queue-5.10/net-tap_open-set-sk_uid-from-current_fsuid.patch @@ -0,0 +1,55 @@ +From 5c9241f3ceab3257abe2923a59950db0dc8bb737 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Mon, 31 Jul 2023 18:42:37 +0200 +Subject: net: tap_open(): set sk_uid from current_fsuid() + +From: Laszlo Ersek + +commit 5c9241f3ceab3257abe2923a59950db0dc8bb737 upstream. + +Commit 66b2c338adce initializes the "sk_uid" field in the protocol socket +(struct sock) from the "/dev/tapX" device node's owner UID. Per original +commit 86741ec25462 ("net: core: Add a UID field to struct sock.", +2016-11-04), that's wrong: the idea is to cache the UID of the userspace +process that creates the socket. Commit 86741ec25462 mentions socket() and +accept(); with "tap", the action that creates the socket is +open("/dev/tapX"). + +Therefore the device node's owner UID is irrelevant. In most cases, +"/dev/tapX" will be owned by root, so in practice, commit 66b2c338adce has +no observable effect: + +- before, "sk_uid" would be zero, due to undefined behavior + (CVE-2023-1076), + +- after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root. + +What matters is the (fs)UID of the process performing the open(), so cache +that in "sk_uid". + +Cc: Eric Dumazet +Cc: Lorenzo Colitti +Cc: Paolo Abeni +Cc: Pietro Borrello +Cc: netdev@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: 66b2c338adce ("tap: tap_open(): correctly initialize socket uid") +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435 +Signed-off-by: Laszlo Ersek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -523,7 +523,7 @@ static int tap_open(struct inode *inode, + q->sock.state = SS_CONNECTED; + q->sock.file = file; + q->sock.ops = &tap_socket_ops; +- sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); ++ sock_init_data_uid(&q->sock, &q->sk, current_fsuid()); + q->sk.sk_write_space = tap_sock_write_space; + q->sk.sk_destruct = tap_sock_destruct; + q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP; diff --git a/queue-5.10/net-tun_chr_open-set-sk_uid-from-current_fsuid.patch b/queue-5.10/net-tun_chr_open-set-sk_uid-from-current_fsuid.patch new file mode 100644 index 00000000000..01faba4872c --- /dev/null +++ b/queue-5.10/net-tun_chr_open-set-sk_uid-from-current_fsuid.patch @@ -0,0 +1,55 @@ +From 9bc3047374d5bec163e83e743709e23753376f0c Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Mon, 31 Jul 2023 18:42:36 +0200 +Subject: net: tun_chr_open(): set sk_uid from current_fsuid() + +From: Laszlo Ersek + +commit 9bc3047374d5bec163e83e743709e23753376f0c upstream. + +Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket +(struct sock) from the "/dev/net/tun" device node's owner UID. Per +original commit 86741ec25462 ("net: core: Add a UID field to struct +sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the +userspace process that creates the socket. Commit 86741ec25462 mentions +socket() and accept(); with "tun", the action that creates the socket is +open("/dev/net/tun"). + +Therefore the device node's owner UID is irrelevant. In most cases, +"/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50 +has no observable effect: + +- before, "sk_uid" would be zero, due to undefined behavior + (CVE-2023-1076), + +- after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root. + +What matters is the (fs)UID of the process performing the open(), so cache +that in "sk_uid". + +Cc: Eric Dumazet +Cc: Lorenzo Colitti +Cc: Paolo Abeni +Cc: Pietro Borrello +Cc: netdev@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid") +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435 +Signed-off-by: Laszlo Ersek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -3457,7 +3457,7 @@ static int tun_chr_open(struct inode *in + tfile->socket.file = file; + tfile->socket.ops = &tun_socket_ops; + +- sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); ++ sock_init_data_uid(&tfile->socket, &tfile->sk, current_fsuid()); + + tfile->sk.sk_write_space = tun_sock_write_space; + tfile->sk.sk_sndbuf = INT_MAX; diff --git a/queue-5.10/open-make-resolve_cached-correctly-test-for-o_tmpfile.patch b/queue-5.10/open-make-resolve_cached-correctly-test-for-o_tmpfile.patch new file mode 100644 index 00000000000..61bf1fbd2a9 --- /dev/null +++ b/queue-5.10/open-make-resolve_cached-correctly-test-for-o_tmpfile.patch @@ -0,0 +1,35 @@ +From a0fc452a5d7fed986205539259df1d60546f536c Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Sun, 6 Aug 2023 02:11:58 +1000 +Subject: open: make RESOLVE_CACHED correctly test for O_TMPFILE + +From: Aleksa Sarai + +commit a0fc452a5d7fed986205539259df1d60546f536c upstream. + +O_TMPFILE is actually __O_TMPFILE|O_DIRECTORY. This means that the old +fast-path check for RESOLVE_CACHED would reject all users passing +O_DIRECTORY with -EAGAIN, when in fact the intended test was to check +for __O_TMPFILE. + +Cc: stable@vger.kernel.org # v5.12+ +Fixes: 99668f618062 ("fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED") +Signed-off-by: Aleksa Sarai +Message-Id: <20230806-resolve_cached-o_tmpfile-v1-1-7ba16308465e@cyphar.com> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/open.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/open.c ++++ b/fs/open.c +@@ -1101,7 +1101,7 @@ inline int build_open_flags(const struct + lookup_flags |= LOOKUP_IN_ROOT; + if (how->resolve & RESOLVE_CACHED) { + /* Don't bother even trying for create/truncate/tmpfile open */ +- if (flags & (O_TRUNC | O_CREAT | O_TMPFILE)) ++ if (flags & (O_TRUNC | O_CREAT | __O_TMPFILE)) + return -EAGAIN; + lookup_flags |= LOOKUP_CACHED; + } diff --git a/queue-5.10/scsi-zfcp-defer-fc_rport-blocking-until-after-adisc-response.patch b/queue-5.10/scsi-zfcp-defer-fc_rport-blocking-until-after-adisc-response.patch new file mode 100644 index 00000000000..ef46422244a --- /dev/null +++ b/queue-5.10/scsi-zfcp-defer-fc_rport-blocking-until-after-adisc-response.patch @@ -0,0 +1,60 @@ +From e65851989001c0c9ba9177564b13b38201c0854c Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Mon, 24 Jul 2023 16:51:56 +0200 +Subject: scsi: zfcp: Defer fc_rport blocking until after ADISC response + +From: Steffen Maier + +commit e65851989001c0c9ba9177564b13b38201c0854c upstream. + +Storage devices are free to send RSCNs, e.g. for internal state changes. If +this happens on all connected paths, zfcp risks temporarily losing all +paths at the same time. This has strong requirements on multipath +configuration such as "no_path_retry queue". + +Avoid such situations by deferring fc_rport blocking until after the ADISC +response, when any actual state change of the remote port became clear. +The already existing port recovery triggers explicitly block the fc_rport. +The triggers are: on ADISC reject or timeout (typical cable pull case), and +on ADISC indicating that the remote port has changed its WWPN or +the port is meanwhile no longer open. + +As a side effect, this also removes a confusing direct function call to +another work item function zfcp_scsi_rport_work() instead of scheduling +that other work item. It was probably done that way to have the rport block +side effect immediate and synchronous to the caller. + +Fixes: a2fa0aede07c ("[SCSI] zfcp: Block FC transport rports early on errors") +Cc: stable@vger.kernel.org #v2.6.30+ +Reviewed-by: Benjamin Block +Reviewed-by: Fedor Loshakov +Signed-off-by: Steffen Maier +Link: https://lore.kernel.org/r/20230724145156.3920244-1-maier@linux.ibm.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_fc.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -534,8 +534,7 @@ static void zfcp_fc_adisc_handler(void * + + /* re-init to undo drop from zfcp_fc_adisc() */ + port->d_id = ntoh24(adisc_resp->adisc_port_id); +- /* port is good, unblock rport without going through erp */ +- zfcp_scsi_schedule_rport_register(port); ++ /* port is still good, nothing to do */ + out: + atomic_andnot(ZFCP_STATUS_PORT_LINK_TEST, &port->status); + put_device(&port->dev); +@@ -595,9 +594,6 @@ void zfcp_fc_link_test_work(struct work_ + int retval; + + set_worker_desc("zadisc%16llx", port->wwpn); /* < WORKER_DESC_LEN=24 */ +- get_device(&port->dev); +- port->rport_task = RPORT_DEL; +- zfcp_scsi_rport_work(&port->rport_work); + + /* only issue one test command at one time per port */ + if (atomic_read(&port->status) & ZFCP_STATUS_PORT_LINK_TEST) diff --git a/queue-5.10/series b/queue-5.10/series index 921dd078131..37d3b13e5c0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -159,3 +159,17 @@ tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch +scsi-zfcp-defer-fc_rport-blocking-until-after-adisc-response.patch +libceph-fix-potential-hang-in-ceph_osdc_notify.patch +usb-zaurus-add-id-for-a-300-b-500-c-700.patch +ceph-defer-stopping-mdsc-delayed_work.patch +exfat-use-kvmalloc_array-kvfree-instead-of-kmalloc_array-kfree.patch +exfat-release-s_lock-before-calling-dir_emit.patch +mtd-spinand-toshiba-fix-ecc_get_status.patch +mtd-rawnand-meson-fix-oob-available-bytes-for-ecc.patch +arm64-dts-stratix10-fix-incorrect-i2c-property-for-scl-signal.patch +net-tun_chr_open-set-sk_uid-from-current_fsuid.patch +net-tap_open-set-sk_uid-from-current_fsuid.patch +bpf-disable-preemption-in-bpf_event_output.patch +open-make-resolve_cached-correctly-test-for-o_tmpfile.patch +drm-ttm-check-null-pointer-before-accessing-when-swapping.patch diff --git a/queue-5.10/usb-zaurus-add-id-for-a-300-b-500-c-700.patch b/queue-5.10/usb-zaurus-add-id-for-a-300-b-500-c-700.patch new file mode 100644 index 00000000000..84f0e408583 --- /dev/null +++ b/queue-5.10/usb-zaurus-add-id-for-a-300-b-500-c-700.patch @@ -0,0 +1,111 @@ +From b99225b4fe297d07400f9e2332ecd7347b224f8d Mon Sep 17 00:00:00 2001 +From: Ross Maynard +Date: Mon, 31 Jul 2023 15:42:04 +1000 +Subject: USB: zaurus: Add ID for A-300/B-500/C-700 + +From: Ross Maynard + +commit b99225b4fe297d07400f9e2332ecd7347b224f8d upstream. + +The SL-A300, B500/5600, and C700 devices no longer auto-load because of +"usbnet: Remove over-broad module alias from zaurus." +This patch adds IDs for those 3 devices. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217632 +Fixes: 16adf5d07987 ("usbnet: Remove over-broad module alias from zaurus.") +Signed-off-by: Ross Maynard +Cc: stable@vger.kernel.org +Acked-by: Greg Kroah-Hartman +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/69b5423b-2013-9fc9-9569-58e707d9bafb@bigpond.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ether.c | 21 +++++++++++++++++++++ + drivers/net/usb/zaurus.c | 21 +++++++++++++++++++++ + 2 files changed, 42 insertions(+) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -604,6 +604,13 @@ static const struct usb_device_id produc + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, ++ .idProduct = 0x8005, /* A-300 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = 0, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, + .idProduct = 0x8006, /* B-500/SL-5600 */ + ZAURUS_MASTER_INTERFACE, + .driver_info = 0, +@@ -611,11 +618,25 @@ static const struct usb_device_id produc + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, ++ .idProduct = 0x8006, /* B-500/SL-5600 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = 0, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, + .idProduct = 0x8007, /* C-700 */ + ZAURUS_MASTER_INTERFACE, + .driver_info = 0, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x8007, /* C-700 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = 0, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + .idProduct = 0x9031, /* C-750 C-760 */ +--- a/drivers/net/usb/zaurus.c ++++ b/drivers/net/usb/zaurus.c +@@ -289,11 +289,25 @@ static const struct usb_device_id produc + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, ++ .idProduct = 0x8005, /* A-300 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = (unsigned long)&bogus_mdlm_info, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, + .idProduct = 0x8006, /* B-500/SL-5600 */ + ZAURUS_MASTER_INTERFACE, + .driver_info = ZAURUS_PXA_INFO, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x8006, /* B-500/SL-5600 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = (unsigned long)&bogus_mdlm_info, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + .idProduct = 0x8007, /* C-700 */ +@@ -301,6 +315,13 @@ static const struct usb_device_id produc + .driver_info = ZAURUS_PXA_INFO, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x8007, /* C-700 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = (unsigned long)&bogus_mdlm_info, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + .idProduct = 0x9031, /* C-750 C-760 */