From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 13:22:59 +0000 (+0100) Subject: 5.17-stable patches X-Git-Tag: v4.9.309~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=79f693f71252e41933bb4e490975c98e061f7103;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch bluetooth-btusb-use-quirk-to-skip-hci_flt_clear_all-on-fake-csr-controllers.patch bluetooth-hci_sync-add-a-new-quirk-to-skip-hci_flt_clear_all.patch drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch jbd2-fix-use-after-free-of-transaction_t-race.patch rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch revert-ath-add-support-for-special-0x0-regulatory-domain.patch uaccess-fix-integer-overflow-on-access_ok.patch --- diff --git a/queue-5.17/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch b/queue-5.17/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch new file mode 100644 index 00000000000..8101b534060 --- /dev/null +++ b/queue-5.17/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch @@ -0,0 +1,65 @@ +From 2e7b4a328ed6ea57d22853939e69bc86c560996d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 19 Jan 2022 14:18:37 -0600 +Subject: Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE + +From: Larry Finger + +commit 2e7b4a328ed6ea57d22853939e69bc86c560996d upstream. + +This Realtek device has both wifi and BT components. The latter reports +a USB ID of 0bda:2852, which is not in the table. + +BT device description in /sys/kernel/debug/usb/devices contains the following entries: + +T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=2852 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +The missing USB_ID was reported by user trius65 at https://github.com/lwfinger/rtw89/issues/122 + +Signed-off-by: Larry Finger +Cc: stable@vger.kernel.org +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -405,6 +405,8 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH }, + + /* Realtek 8852AE Bluetooth devices */ ++ { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0xc852), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x385a), .driver_info = BTUSB_REALTEK | diff --git a/queue-5.17/bluetooth-btusb-use-quirk-to-skip-hci_flt_clear_all-on-fake-csr-controllers.patch b/queue-5.17/bluetooth-btusb-use-quirk-to-skip-hci_flt_clear_all-on-fake-csr-controllers.patch new file mode 100644 index 00000000000..aa7b9b8e9a3 --- /dev/null +++ b/queue-5.17/bluetooth-btusb-use-quirk-to-skip-hci_flt_clear_all-on-fake-csr-controllers.patch @@ -0,0 +1,126 @@ +From b3cf94c8b6b2f1a2b94825a025db291da2b151fd Mon Sep 17 00:00:00 2001 +From: Ismael Ferreras Morezuelas +Date: Mon, 7 Mar 2022 21:04:45 +0100 +Subject: Bluetooth: btusb: Use quirk to skip HCI_FLT_CLEAR_ALL on fake CSR controllers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ismael Ferreras Morezuelas + +commit b3cf94c8b6b2f1a2b94825a025db291da2b151fd upstream. + +Another subset of the more recent batch of Chinese clones aren't +specs-compliant and seem to lock up whenever they receive a +HCI_OP_SET_EVENT_FLT with flt_type set to zero/HCI_FLT_CLEAR_ALL, +which on Linux (until the recent HCI state-machine refactor) happened +right at BR/EDR setup. As there are other less-straightforward ways +of reaching those operations, this patch is still relevant. + +So, while all the previous efforts to wrangle the herd of fake CSRs +seem to be paying off (and these also get detected as such) we +still need to take care of this quirk; testers seem to agree +that these dongles tend to work well enough afterwards. + +From some cursory USB packet capture on Windows it seems like +that driver doesn't appear to use this clear-all functionality at all. + +This patch was tested on some really popular AliExpress-style +dongles, in my case marked as "V5.0". Chip markings: UG8413, +the backside of the PCB says "USB Dangel" (sic). + +Here is the `hciconfig -a` output; for completeness: + +hci0: Type: Primary Bus: USB + BD Address: 00:1A:7D:DA:7X:XX ACL MTU: 679:8 SCO MTU: 48:16 + UP RUNNING PSCAN ISCAN + Features: 0xbf 0x3e 0x4d 0xfa 0xdb 0x3d 0x7b 0xc7 + Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 + Link policy: RSWITCH SNIFF + Link mode: PERIPHERAL ACCEPT + Name: 'CSR8510 A10.' + Class: 0x7c0104 + Service Classes: Rendering, Capturing, Object Transfer, Audio, Telephony + Device Class: Computer, Desktop workstation + HCI Version: 4.0 (0x6) Revision: 0x3120 + LMP Version: 4.0 (0x6) Subversion: 0x22bb + Manufacturer: Cambridge Silicon Radio (10) + +As well as the `lsusb -vv -d 0a12:0001`: + +ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode) +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 224 Wireless + bDeviceSubClass 1 Radio Frequency + bDeviceProtocol 1 Bluetooth + bMaxPacketSize0 64 + idVendor 0x0a12 Cambridge Silicon Radio, Ltd + idProduct 0x0001 Bluetooth Dongle (HCI mode) + bcdDevice 88.91 + iManufacturer 0 + iProduct 2 BT DONGLE10 + iSerial 0 + bNumConfigurations 1 + +Also, changed the benign dmesg print that shows up whenever the +generic force-suspend fails from bt_dev_err to bt_dev_warn; +it's okay and done on a best-effort basis, not a problem +if that does not work. + +Also, swapped the HCI subver and LMP subver numbers for the Barrot +in the comment, which I copied wrong the last time around. + +Fixes: 81cac64ba258a ("Bluetooth: Deal with USB devices that are faking CSR vendor") +Fixes: cde1a8a992875 ("Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth controllers") +Fixes: d74e0ae7e0303 ("Bluetooth: btusb: Fix detection of some fake CSR controllers with a bcdDevice val of 0x0134") +Fixes: 0671c0662383e ("Bluetooth: btusb: Add workaround for remote-wakeup issues with Barrot 8041a02 fake CSR controllers") +Fixes: f4292e2faf522 ("Bluetooth: btusb: Make the CSR clone chip force-suspend workaround more generic") + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=60824 +Link: https://gist.github.com/nevack/6b36b82d715dc025163d9e9124840a07 + +Cc: stable@vger.kernel.org +Cc: Hans de Goede +Tested-by: Gonzalo Tornaría +Tested-by: Mateus Lemos +Tested-by: Ismael Ferreras Morezuelas +Signed-off-by: Ismael Ferreras Morezuelas +Reviewed-by: Hans de Goede +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2045,6 +2045,8 @@ static int btusb_setup_csr(struct hci_de + */ + set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks); + set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks); ++ set_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks); ++ set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks); + + /* Clear the reset quirk since this is not an actual + * early Bluetooth 1.1 device from CSR. +@@ -2055,7 +2057,7 @@ static int btusb_setup_csr(struct hci_de + /* + * Special workaround for these BT 4.0 chip clones, and potentially more: + * +- * - 0x0134: a Barrot 8041a02 (HCI rev: 0x1012 sub: 0x0810) ++ * - 0x0134: a Barrot 8041a02 (HCI rev: 0x0810 sub: 0x1012) + * - 0x7558: IC markings FR3191AHAL 749H15143 (HCI rev/sub-version: 0x0709) + * + * These controllers are really messed-up. +@@ -2084,7 +2086,7 @@ static int btusb_setup_csr(struct hci_de + if (ret >= 0) + msleep(200); + else +- bt_dev_err(hdev, "CSR: Failed to suspend the device for our Barrot 8041a02 receive-issue workaround"); ++ bt_dev_warn(hdev, "CSR: Couldn't suspend the device for our Barrot 8041a02 receive-issue workaround"); + + pm_runtime_forbid(&data->udev->dev); + diff --git a/queue-5.17/bluetooth-hci_sync-add-a-new-quirk-to-skip-hci_flt_clear_all.patch b/queue-5.17/bluetooth-hci_sync-add-a-new-quirk-to-skip-hci_flt_clear_all.patch new file mode 100644 index 00000000000..d18386dc7fe --- /dev/null +++ b/queue-5.17/bluetooth-hci_sync-add-a-new-quirk-to-skip-hci_flt_clear_all.patch @@ -0,0 +1,84 @@ +From 0eaecfb2e4814d51ab172df3823e35d7c488b6d2 Mon Sep 17 00:00:00 2001 +From: Ismael Ferreras Morezuelas +Date: Mon, 7 Mar 2022 21:04:44 +0100 +Subject: Bluetooth: hci_sync: Add a new quirk to skip HCI_FLT_CLEAR_ALL + +From: Ismael Ferreras Morezuelas + +commit 0eaecfb2e4814d51ab172df3823e35d7c488b6d2 upstream. + +Some controllers have problems with being sent a command to clear +all filtering. While the HCI code does not unconditionally +send a clear-all anymore at BR/EDR setup (after the state machine +refactor), there might be more ways of hitting these codepaths +in the future as the kernel develops. + +Cc: stable@vger.kernel.org +Cc: Hans de Goede +Signed-off-by: Ismael Ferreras Morezuelas +Reviewed-by: Hans de Goede +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/hci.h | 10 ++++++++++ + net/bluetooth/hci_sync.c | 16 ++++++++++++++++ + 2 files changed, 26 insertions(+) + +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -255,6 +255,16 @@ enum { + * during the hdev->setup vendor callback. + */ + HCI_QUIRK_BROKEN_READ_TRANSMIT_POWER, ++ ++ /* When this quirk is set, HCI_OP_SET_EVENT_FLT requests with ++ * HCI_FLT_CLEAR_ALL are ignored and event filtering is ++ * completely avoided. A subset of the CSR controller ++ * clones struggle with this and instantly lock up. ++ * ++ * Note that devices using this must (separately) disable ++ * runtime suspend, because event filtering takes place there. ++ */ ++ HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, + }; + + /* HCI device flags */ +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2806,6 +2806,9 @@ static int hci_set_event_filter_sync(str + if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) + return 0; + ++ if (test_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks)) ++ return 0; ++ + memset(&cp, 0, sizeof(cp)); + cp.flt_type = flt_type; + +@@ -2826,6 +2829,13 @@ static int hci_clear_event_filter_sync(s + if (!hci_dev_test_flag(hdev, HCI_EVENT_FILTER_CONFIGURED)) + return 0; + ++ /* In theory the state machine should not reach here unless ++ * a hci_set_event_filter_sync() call succeeds, but we do ++ * the check both for parity and as a future reminder. ++ */ ++ if (test_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks)) ++ return 0; ++ + return hci_set_event_filter_sync(hdev, HCI_FLT_CLEAR_ALL, 0x00, + BDADDR_ANY, 0x00); + } +@@ -4825,6 +4835,12 @@ static int hci_update_event_filter_sync( + if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) + return 0; + ++ /* Some fake CSR controllers lock up after setting this type of ++ * filter, so avoid sending the request altogether. ++ */ ++ if (test_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks)) ++ return 0; ++ + /* Always clear event filter when starting */ + hci_clear_event_filter_sync(hdev); + diff --git a/queue-5.17/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch b/queue-5.17/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch new file mode 100644 index 00000000000..f1a1ee6d5bc --- /dev/null +++ b/queue-5.17/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch @@ -0,0 +1,39 @@ +From 6b79f96f4a23846516e5e6e4dd37fc06f43a60dd Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Mon, 13 Dec 2021 19:31:22 +0100 +Subject: drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free() + +From: Roberto Sassu + +commit 6b79f96f4a23846516e5e6e4dd37fc06f43a60dd upstream. + +If virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it +happened in the bug report by syzbot), virtio_gpu_array_put_free() could be +called with objs equal to NULL. + +Ensure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise +return from the function. + +Cc: stable@vger.kernel.org # 5.13.x +Signed-off-by: Roberto Sassu +Reported-by: syzbot+e9072e90624a31dfa85f@syzkaller.appspotmail.com +Fixes: 377f8331d0565 ("drm/virtio: fix possible leak/unlock virtio_gpu_object_array") +Link: http://patchwork.freedesktop.org/patch/msgid/20211213183122.838119-1-roberto.sassu@huawei.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/virtio/virtgpu_gem.c ++++ b/drivers/gpu/drm/virtio/virtgpu_gem.c +@@ -248,6 +248,9 @@ void virtio_gpu_array_put_free(struct vi + { + u32 i; + ++ if (!objs) ++ return; ++ + for (i = 0; i < objs->nents; i++) + drm_gem_object_put(objs->objs[i]); + virtio_gpu_array_free(objs); diff --git a/queue-5.17/jbd2-fix-use-after-free-of-transaction_t-race.patch b/queue-5.17/jbd2-fix-use-after-free-of-transaction_t-race.patch new file mode 100644 index 00000000000..9b0ecba43a2 --- /dev/null +++ b/queue-5.17/jbd2-fix-use-after-free-of-transaction_t-race.patch @@ -0,0 +1,92 @@ +From cc16eecae687912238ee6efbff71ad31e2bc414e Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Thu, 10 Feb 2022 21:07:11 +0530 +Subject: jbd2: fix use-after-free of transaction_t race + +From: Ritesh Harjani + +commit cc16eecae687912238ee6efbff71ad31e2bc414e upstream. + +jbd2_journal_wait_updates() is called with j_state_lock held. But if +there is a commit in progress, then this transaction might get committed +and freed via jbd2_journal_commit_transaction() -> +jbd2_journal_free_transaction(), when we release j_state_lock. +So check for journal->j_running_transaction everytime we release and +acquire j_state_lock to avoid use-after-free issue. + +Link: https://lore.kernel.org/r/948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com +Fixes: 4f98186848707f53 ("jbd2: refactor wait logic for transaction updates into a common function") +Cc: stable@kernel.org +Reported-and-tested-by: syzbot+afa2ca5171d93e44b348@syzkaller.appspotmail.com +Reviewed-by: Jan Kara +Signed-off-by: Ritesh Harjani +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -842,27 +842,38 @@ EXPORT_SYMBOL(jbd2_journal_restart); + */ + void jbd2_journal_wait_updates(journal_t *journal) + { +- transaction_t *commit_transaction = journal->j_running_transaction; ++ DEFINE_WAIT(wait); + +- if (!commit_transaction) +- return; ++ while (1) { ++ /* ++ * Note that the running transaction can get freed under us if ++ * this transaction is getting committed in ++ * jbd2_journal_commit_transaction() -> ++ * jbd2_journal_free_transaction(). This can only happen when we ++ * release j_state_lock -> schedule() -> acquire j_state_lock. ++ * Hence we should everytime retrieve new j_running_transaction ++ * value (after j_state_lock release acquire cycle), else it may ++ * lead to use-after-free of old freed transaction. ++ */ ++ transaction_t *transaction = journal->j_running_transaction; + +- spin_lock(&commit_transaction->t_handle_lock); +- while (atomic_read(&commit_transaction->t_updates)) { +- DEFINE_WAIT(wait); ++ if (!transaction) ++ break; + ++ spin_lock(&transaction->t_handle_lock); + prepare_to_wait(&journal->j_wait_updates, &wait, +- TASK_UNINTERRUPTIBLE); +- if (atomic_read(&commit_transaction->t_updates)) { +- spin_unlock(&commit_transaction->t_handle_lock); +- write_unlock(&journal->j_state_lock); +- schedule(); +- write_lock(&journal->j_state_lock); +- spin_lock(&commit_transaction->t_handle_lock); ++ TASK_UNINTERRUPTIBLE); ++ if (!atomic_read(&transaction->t_updates)) { ++ spin_unlock(&transaction->t_handle_lock); ++ finish_wait(&journal->j_wait_updates, &wait); ++ break; + } ++ spin_unlock(&transaction->t_handle_lock); ++ write_unlock(&journal->j_state_lock); ++ schedule(); + finish_wait(&journal->j_wait_updates, &wait); ++ write_lock(&journal->j_state_lock); + } +- spin_unlock(&commit_transaction->t_handle_lock); + } + + /** +@@ -877,8 +888,6 @@ void jbd2_journal_wait_updates(journal_t + */ + void jbd2_journal_lock_updates(journal_t *journal) + { +- DEFINE_WAIT(wait); +- + jbd2_might_wait_for_commit(journal); + + write_lock(&journal->j_state_lock); diff --git a/queue-5.17/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch b/queue-5.17/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch new file mode 100644 index 00000000000..ee86b4c3876 --- /dev/null +++ b/queue-5.17/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch @@ -0,0 +1,63 @@ +From 10c535787436d62ea28156a4b91365fd89b5a432 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Fri, 21 Jan 2022 12:40:08 -0800 +Subject: rcu: Don't deboost before reporting expedited quiescent state + +From: Paul E. McKenney + +commit 10c535787436d62ea28156a4b91365fd89b5a432 upstream. + +Currently rcu_preempt_deferred_qs_irqrestore() releases rnp->boost_mtx +before reporting the expedited quiescent state. Under heavy real-time +load, this can result in this function being preempted before the +quiescent state is reported, which can in turn prevent the expedited grace +period from completing. Tim Murray reports that the resulting expedited +grace periods can take hundreds of milliseconds and even more than one +second, when they should normally complete in less than a millisecond. + +This was fine given that there were no particular response-time +constraints for synchronize_rcu_expedited(), as it was designed +for throughput rather than latency. However, some users now need +sub-100-millisecond response-time constratints. + +This patch therefore follows Neeraj's suggestion (seconded by Tim and +by Uladzislau Rezki) of simply reversing the two operations. + +Reported-by: Tim Murray +Reported-by: Joel Fernandes +Reported-by: Neeraj Upadhyay +Reviewed-by: Neeraj Upadhyay +Reviewed-by: Uladzislau Rezki (Sony) +Tested-by: Tim Murray +Cc: Todd Kjos +Cc: Sandeep Patil +Cc: # 5.4.x +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tree_plugin.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -556,16 +556,16 @@ rcu_preempt_deferred_qs_irqrestore(struc + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +- /* Unboost if we were boosted. */ +- if (IS_ENABLED(CONFIG_RCU_BOOST) && drop_boost_mutex) +- rt_mutex_futex_unlock(&rnp->boost_mtx.rtmutex); +- + /* + * If this was the last task on the expedited lists, + * then we need to report up the rcu_node hierarchy. + */ + if (!empty_exp && empty_exp_now) + rcu_report_exp_rnp(rnp, true); ++ ++ /* Unboost if we were boosted. */ ++ if (IS_ENABLED(CONFIG_RCU_BOOST) && drop_boost_mutex) ++ rt_mutex_futex_unlock(&rnp->boost_mtx.rtmutex); + } else { + local_irq_restore(flags); + } diff --git a/queue-5.17/revert-ath-add-support-for-special-0x0-regulatory-domain.patch b/queue-5.17/revert-ath-add-support-for-special-0x0-regulatory-domain.patch new file mode 100644 index 00000000000..f222505fca8 --- /dev/null +++ b/queue-5.17/revert-ath-add-support-for-special-0x0-regulatory-domain.patch @@ -0,0 +1,56 @@ +From 1ec7ed5163c70a0d040150d2279f932c7e7c143f Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 25 Feb 2022 11:44:32 +0200 +Subject: Revert "ath: add support for special 0x0 regulatory domain" + +From: Brian Norris + +commit 1ec7ed5163c70a0d040150d2279f932c7e7c143f upstream. + +This reverts commit 2dc016599cfa9672a147528ca26d70c3654a5423. + +Users are reporting regressions in regulatory domain detection and +channel availability. + +The problem this was trying to resolve was fixed in firmware anyway: + + QCA6174 hw3.0: sdio-4.4.1: add firmware.bin_WLAN.RMH.4.4.1-00042 + https://github.com/kvalo/ath10k-firmware/commit/4d382787f0efa77dba40394e0bc604f8eff82552 + +Link: https://bbs.archlinux.org/viewtopic.php?id=254535 +Link: http://lists.infradead.org/pipermail/ath10k/2020-April/014871.html +Link: http://lists.infradead.org/pipermail/ath10k/2020-May/015152.html +Link: https://lore.kernel.org/all/1c160dfb-6ccc-b4d6-76f6-4364e0adb6dd@reox.at/ +Fixes: 2dc016599cfa ("ath: add support for special 0x0 regulatory domain") +Cc: +Cc: Wen Gong +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200527165718.129307-1-briannorris@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/regd.c ++++ b/drivers/net/wireless/ath/regd.c +@@ -667,14 +667,14 @@ ath_regd_init_wiphy(struct ath_regulator + + /* + * Some users have reported their EEPROM programmed with +- * 0x8000 or 0x0 set, this is not a supported regulatory +- * domain but since we have more than one user with it we +- * need a solution for them. We default to 0x64, which is +- * the default Atheros world regulatory domain. ++ * 0x8000 set, this is not a supported regulatory domain ++ * but since we have more than one user with it we need ++ * a solution for them. We default to 0x64, which is the ++ * default Atheros world regulatory domain. + */ + static void ath_regd_sanitize(struct ath_regulatory *reg) + { +- if (reg->current_rd != COUNTRY_ERD_FLAG && reg->current_rd != 0) ++ if (reg->current_rd != COUNTRY_ERD_FLAG) + return; + printk(KERN_DEBUG "ath: EEPROM regdomain sanitized\n"); + reg->current_rd = 0x64; diff --git a/queue-5.17/series b/queue-5.17/series index 4f83fe85bfe..2fea84267a4 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -23,3 +23,11 @@ acpi-x86-work-around-broken-xsdt-on-advantech-dac-bj01-board.patch acpi-battery-add-device-hid-and-quirk-for-microsoft-surface-go-3.patch acpi-video-force-backlight-native-for-clevo-nl5xru-and-nl5xnu.patch crypto-qat-disable-registration-of-algorithms.patch +bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch +bluetooth-hci_sync-add-a-new-quirk-to-skip-hci_flt_clear_all.patch +bluetooth-btusb-use-quirk-to-skip-hci_flt_clear_all-on-fake-csr-controllers.patch +revert-ath-add-support-for-special-0x0-regulatory-domain.patch +drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch +jbd2-fix-use-after-free-of-transaction_t-race.patch +rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch +uaccess-fix-integer-overflow-on-access_ok.patch diff --git a/queue-5.17/uaccess-fix-integer-overflow-on-access_ok.patch b/queue-5.17/uaccess-fix-integer-overflow-on-access_ok.patch new file mode 100644 index 00000000000..1bcabb32483 --- /dev/null +++ b/queue-5.17/uaccess-fix-integer-overflow-on-access_ok.patch @@ -0,0 +1,112 @@ +From 222ca305c9fd39e5ed8104da25c09b2b79a516a8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 10 Feb 2022 16:24:30 +0100 +Subject: uaccess: fix integer overflow on access_ok() + +From: Arnd Bergmann + +commit 222ca305c9fd39e5ed8104da25c09b2b79a516a8 upstream. + +Three architectures check the end of a user access against the +address limit without taking a possible overflow into account. +Passing a negative length or another overflow in here returns +success when it should not. + +Use the most common correct implementation here, which optimizes +for a constant 'size' argument, and turns the common case into a +single comparison. + +Cc: stable@vger.kernel.org +Fixes: da551281947c ("csky: User access") +Fixes: f663b60f5215 ("microblaze: Fix uaccess_ok macro") +Fixes: 7567746e1c0d ("Hexagon: Add user access functions") +Reported-by: David Laight +Reviewed-by: Christoph Hellwig +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/include/asm/uaccess.h | 7 +++---- + arch/hexagon/include/asm/uaccess.h | 18 +++++++++--------- + arch/microblaze/include/asm/uaccess.h | 19 ++++--------------- + 3 files changed, 16 insertions(+), 28 deletions(-) + +--- a/arch/csky/include/asm/uaccess.h ++++ b/arch/csky/include/asm/uaccess.h +@@ -3,14 +3,13 @@ + #ifndef __ASM_CSKY_UACCESS_H + #define __ASM_CSKY_UACCESS_H + +-#define user_addr_max() \ +- (uaccess_kernel() ? KERNEL_DS.seg : get_fs().seg) ++#define user_addr_max() (current_thread_info()->addr_limit.seg) + + static inline int __access_ok(unsigned long addr, unsigned long size) + { +- unsigned long limit = current_thread_info()->addr_limit.seg; ++ unsigned long limit = user_addr_max(); + +- return ((addr < limit) && ((addr + size) < limit)); ++ return (size <= limit) && (addr <= (limit - size)); + } + #define __access_ok __access_ok + +--- a/arch/hexagon/include/asm/uaccess.h ++++ b/arch/hexagon/include/asm/uaccess.h +@@ -25,17 +25,17 @@ + * Returns true (nonzero) if the memory block *may* be valid, false (zero) + * if it is definitely invalid. + * +- * User address space in Hexagon, like x86, goes to 0xbfffffff, so the +- * simple MSB-based tests used by MIPS won't work. Some further +- * optimization is probably possible here, but for now, keep it +- * reasonably simple and not *too* slow. After all, we've got the +- * MMU for backup. + */ ++#define uaccess_kernel() (get_fs().seg == KERNEL_DS.seg) ++#define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE) + +-#define __access_ok(addr, size) \ +- ((get_fs().seg == KERNEL_DS.seg) || \ +- (((unsigned long)addr < get_fs().seg) && \ +- (unsigned long)size < (get_fs().seg - (unsigned long)addr))) ++static inline int __access_ok(unsigned long addr, unsigned long size) ++{ ++ unsigned long limit = TASK_SIZE; ++ ++ return (size <= limit) && (addr <= (limit - size)); ++} ++#define __access_ok __access_ok + + /* + * When a kernel-mode page fault is taken, the faulting instruction +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -39,24 +39,13 @@ + + # define uaccess_kernel() (get_fs().seg == KERNEL_DS.seg) + +-static inline int access_ok(const void __user *addr, unsigned long size) ++static inline int __access_ok(unsigned long addr, unsigned long size) + { +- if (!size) +- goto ok; ++ unsigned long limit = user_addr_max(); + +- if ((get_fs().seg < ((unsigned long)addr)) || +- (get_fs().seg < ((unsigned long)addr + size - 1))) { +- pr_devel("ACCESS fail at 0x%08x (size 0x%x), seg 0x%08x\n", +- (__force u32)addr, (u32)size, +- (u32)get_fs().seg); +- return 0; +- } +-ok: +- pr_devel("ACCESS OK at 0x%08x (size 0x%x), seg 0x%08x\n", +- (__force u32)addr, (u32)size, +- (u32)get_fs().seg); +- return 1; ++ return (size <= limit) && (addr <= (limit - size)); + } ++#define access_ok(addr, size) __access_ok((unsigned long)addr, size) + + # define __FIXUP_SECTION ".section .fixup,\"ax\"\n" + # define __EX_TABLE_SECTION ".section __ex_table,\"a\"\n"