From: Sasha Levin Date: Mon, 26 Jul 2021 02:40:53 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.277~80 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=917aa92c122ac89636dc9762381821c1f847bc7e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/afs-fix-tracepoint-string-placement-with-built-in-af.patch b/queue-5.4/afs-fix-tracepoint-string-placement-with-built-in-af.patch new file mode 100644 index 00000000000..9f4d359b951 --- /dev/null +++ b/queue-5.4/afs-fix-tracepoint-string-placement-with-built-in-af.patch @@ -0,0 +1,284 @@ +From 7418a35e85b98bcbc6733870ad1f3d4c4de3b913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 11:57:26 +0100 +Subject: afs: Fix tracepoint string placement with built-in AFS + +From: David Howells + +[ Upstream commit 6c881ca0b3040f3e724eae513117ba4ddef86057 ] + +To quote Alexey[1]: + + I was adding custom tracepoint to the kernel, grabbed full F34 kernel + .config, disabled modules and booted whole shebang as VM kernel. + + Then did + + perf record -a -e ... + + It crashed: + + general protection fault, probably for non-canonical address 0x435f5346592e4243: 0000 [#1] SMP PTI + CPU: 1 PID: 842 Comm: cat Not tainted 5.12.6+ #26 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + RIP: 0010:t_show+0x22/0xd0 + + Then reproducer was narrowed to + + # cat /sys/kernel/tracing/printk_formats + + Original F34 kernel with modules didn't crash. + + So I started to disable options and after disabling AFS everything + started working again. + + The root cause is that AFS was placing char arrays content into a + section full of _pointers_ to strings with predictable consequences. + + Non canonical address 435f5346592e4243 is "CB.YFS_" which came from + CM_NAME macro. + + Steps to reproduce: + + CONFIG_AFS=y + CONFIG_TRACING=y + + # cat /sys/kernel/tracing/printk_formats + +Fix this by the following means: + + (1) Add enum->string translation tables in the event header with the AFS + and YFS cache/callback manager operations listed by RPC operation ID. + + (2) Modify the afs_cb_call tracepoint to print the string from the + translation table rather than using the string at the afs_call name + pointer. + + (3) Switch translation table depending on the service we're being accessed + as (AFS or YFS) in the tracepoint print clause. Will this cause + problems to userspace utilities? + + Note that the symbolic representation of the YFS service ID isn't + available to this header, so I've put it in as a number. I'm not sure + if this is the best way to do this. + + (4) Remove the name wrangling (CM_NAME) macro and put the names directly + into the afs_call_type structs in cmservice.c. + +Fixes: 8e8d7f13b6d5a9 ("afs: Add some tracepoints") +Reported-by: Alexey Dobriyan (SK hynix) +Signed-off-by: David Howells +Reviewed-by: Steven Rostedt (VMware) +Reviewed-by: Marc Dionne +cc: Andrew Morton +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/YLAXfvZ+rObEOdc%2F@localhost.localdomain/ [1] +Link: https://lore.kernel.org/r/643721.1623754699@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/162430903582.2896199.6098150063997983353.stgit@warthog.procyon.org.uk/ # v1 +Link: https://lore.kernel.org/r/162609463957.3133237.15916579353149746363.stgit@warthog.procyon.org.uk/ # v1 (repost) +Link: https://lore.kernel.org/r/162610726860.3408253.445207609466288531.stgit@warthog.procyon.org.uk/ # v2 +Signed-off-by: Sasha Levin +--- + fs/afs/cmservice.c | 25 ++++---------- + include/trace/events/afs.h | 67 +++++++++++++++++++++++++++++++++++--- + 2 files changed, 69 insertions(+), 23 deletions(-) + +diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c +index fc5eb0f89304..c2e82b84c554 100644 +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -29,16 +29,11 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *); + + static int afs_deliver_yfs_cb_callback(struct afs_call *); + +-#define CM_NAME(name) \ +- char afs_SRXCB##name##_name[] __tracepoint_string = \ +- "CB." #name +- + /* + * CB.CallBack operation type + */ +-static CM_NAME(CallBack); + static const struct afs_call_type afs_SRXCBCallBack = { +- .name = afs_SRXCBCallBack_name, ++ .name = "CB.CallBack", + .deliver = afs_deliver_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +@@ -47,9 +42,8 @@ static const struct afs_call_type afs_SRXCBCallBack = { + /* + * CB.InitCallBackState operation type + */ +-static CM_NAME(InitCallBackState); + static const struct afs_call_type afs_SRXCBInitCallBackState = { +- .name = afs_SRXCBInitCallBackState_name, ++ .name = "CB.InitCallBackState", + .deliver = afs_deliver_cb_init_call_back_state, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -58,9 +52,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState = { + /* + * CB.InitCallBackState3 operation type + */ +-static CM_NAME(InitCallBackState3); + static const struct afs_call_type afs_SRXCBInitCallBackState3 = { +- .name = afs_SRXCBInitCallBackState3_name, ++ .name = "CB.InitCallBackState3", + .deliver = afs_deliver_cb_init_call_back_state3, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -69,9 +62,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState3 = { + /* + * CB.Probe operation type + */ +-static CM_NAME(Probe); + static const struct afs_call_type afs_SRXCBProbe = { +- .name = afs_SRXCBProbe_name, ++ .name = "CB.Probe", + .deliver = afs_deliver_cb_probe, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_Probe, +@@ -80,9 +72,8 @@ static const struct afs_call_type afs_SRXCBProbe = { + /* + * CB.ProbeUuid operation type + */ +-static CM_NAME(ProbeUuid); + static const struct afs_call_type afs_SRXCBProbeUuid = { +- .name = afs_SRXCBProbeUuid_name, ++ .name = "CB.ProbeUuid", + .deliver = afs_deliver_cb_probe_uuid, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_ProbeUuid, +@@ -91,9 +82,8 @@ static const struct afs_call_type afs_SRXCBProbeUuid = { + /* + * CB.TellMeAboutYourself operation type + */ +-static CM_NAME(TellMeAboutYourself); + static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { +- .name = afs_SRXCBTellMeAboutYourself_name, ++ .name = "CB.TellMeAboutYourself", + .deliver = afs_deliver_cb_tell_me_about_yourself, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_TellMeAboutYourself, +@@ -102,9 +92,8 @@ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { + /* + * YFS CB.CallBack operation type + */ +-static CM_NAME(YFS_CallBack); + static const struct afs_call_type afs_SRXYFSCB_CallBack = { +- .name = afs_SRXCBYFS_CallBack_name, ++ .name = "YFSCB.CallBack", + .deliver = afs_deliver_yfs_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h +index c612cabbc378..61af4af87119 100644 +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -111,6 +111,34 @@ enum afs_vl_operation { + afs_VL_GetCapabilities = 65537, /* AFS Get VL server capabilities */ + }; + ++enum afs_cm_operation { ++ afs_CB_CallBack = 204, /* AFS break callback promises */ ++ afs_CB_InitCallBackState = 205, /* AFS initialise callback state */ ++ afs_CB_Probe = 206, /* AFS probe client */ ++ afs_CB_GetLock = 207, /* AFS get contents of CM lock table */ ++ afs_CB_GetCE = 208, /* AFS get cache file description */ ++ afs_CB_GetXStatsVersion = 209, /* AFS get version of extended statistics */ ++ afs_CB_GetXStats = 210, /* AFS get contents of extended statistics data */ ++ afs_CB_InitCallBackState3 = 213, /* AFS initialise callback state, version 3 */ ++ afs_CB_ProbeUuid = 214, /* AFS check the client hasn't rebooted */ ++}; ++ ++enum yfs_cm_operation { ++ yfs_CB_Probe = 206, /* YFS probe client */ ++ yfs_CB_GetLock = 207, /* YFS get contents of CM lock table */ ++ yfs_CB_XStatsVersion = 209, /* YFS get version of extended statistics */ ++ yfs_CB_GetXStats = 210, /* YFS get contents of extended statistics data */ ++ yfs_CB_InitCallBackState3 = 213, /* YFS initialise callback state, version 3 */ ++ yfs_CB_ProbeUuid = 214, /* YFS check the client hasn't rebooted */ ++ yfs_CB_GetServerPrefs = 215, ++ yfs_CB_GetCellServDV = 216, ++ yfs_CB_GetLocalCell = 217, ++ yfs_CB_GetCacheConfig = 218, ++ yfs_CB_GetCellByNum = 65537, ++ yfs_CB_TellMeAboutYourself = 65538, /* get client capabilities */ ++ yfs_CB_CallBack = 64204, ++}; ++ + enum afs_edit_dir_op { + afs_edit_dir_create, + afs_edit_dir_create_error, +@@ -312,6 +340,32 @@ enum afs_cb_break_reason { + EM(afs_YFSVL_GetEndpoints, "YFSVL.GetEndpoints") \ + E_(afs_VL_GetCapabilities, "VL.GetCapabilities") + ++#define afs_cm_operations \ ++ EM(afs_CB_CallBack, "CB.CallBack") \ ++ EM(afs_CB_InitCallBackState, "CB.InitCallBackState") \ ++ EM(afs_CB_Probe, "CB.Probe") \ ++ EM(afs_CB_GetLock, "CB.GetLock") \ ++ EM(afs_CB_GetCE, "CB.GetCE") \ ++ EM(afs_CB_GetXStatsVersion, "CB.GetXStatsVersion") \ ++ EM(afs_CB_GetXStats, "CB.GetXStats") \ ++ EM(afs_CB_InitCallBackState3, "CB.InitCallBackState3") \ ++ E_(afs_CB_ProbeUuid, "CB.ProbeUuid") ++ ++#define yfs_cm_operations \ ++ EM(yfs_CB_Probe, "YFSCB.Probe") \ ++ EM(yfs_CB_GetLock, "YFSCB.GetLock") \ ++ EM(yfs_CB_XStatsVersion, "YFSCB.XStatsVersion") \ ++ EM(yfs_CB_GetXStats, "YFSCB.GetXStats") \ ++ EM(yfs_CB_InitCallBackState3, "YFSCB.InitCallBackState3") \ ++ EM(yfs_CB_ProbeUuid, "YFSCB.ProbeUuid") \ ++ EM(yfs_CB_GetServerPrefs, "YFSCB.GetServerPrefs") \ ++ EM(yfs_CB_GetCellServDV, "YFSCB.GetCellServDV") \ ++ EM(yfs_CB_GetLocalCell, "YFSCB.GetLocalCell") \ ++ EM(yfs_CB_GetCacheConfig, "YFSCB.GetCacheConfig") \ ++ EM(yfs_CB_GetCellByNum, "YFSCB.GetCellByNum") \ ++ EM(yfs_CB_TellMeAboutYourself, "YFSCB.TellMeAboutYourself") \ ++ E_(yfs_CB_CallBack, "YFSCB.CallBack") ++ + #define afs_edit_dir_ops \ + EM(afs_edit_dir_create, "create") \ + EM(afs_edit_dir_create_error, "c_fail") \ +@@ -442,6 +496,8 @@ afs_call_traces; + afs_server_traces; + afs_fs_operations; + afs_vl_operations; ++afs_cm_operations; ++yfs_cm_operations; + afs_edit_dir_ops; + afs_edit_dir_reasons; + afs_eproto_causes; +@@ -522,20 +578,21 @@ TRACE_EVENT(afs_cb_call, + + TP_STRUCT__entry( + __field(unsigned int, call ) +- __field(const char *, name ) + __field(u32, op ) ++ __field(u16, service_id ) + ), + + TP_fast_assign( + __entry->call = call->debug_id; +- __entry->name = call->type->name; + __entry->op = call->operation_ID; ++ __entry->service_id = call->service_id; + ), + +- TP_printk("c=%08x %s o=%u", ++ TP_printk("c=%08x %s", + __entry->call, +- __entry->name, +- __entry->op) ++ __entry->service_id == 2501 ? ++ __print_symbolic(__entry->op, yfs_cm_operations) : ++ __print_symbolic(__entry->op, afs_cm_operations)) + ); + + TRACE_EVENT(afs_call, +-- +2.30.2 + diff --git a/queue-5.4/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch b/queue-5.4/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch new file mode 100644 index 00000000000..cb777a0573c --- /dev/null +++ b/queue-5.4/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch @@ -0,0 +1,43 @@ +From a1622b18e309dbc6419c949e21863b87136a3026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 03:50:11 +0300 +Subject: ASoC: rt5631: Fix regcache sync errors on resume + +From: Maxim Schwalm + +[ Upstream commit c71f78a662611fe2c67f3155da19b0eff0f29762 ] + +The ALC5631 does not like multi-write accesses, avoid them. This fixes: + +rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121 + +errors on resume from suspend (and all registers after the registers in +the error not being synced). + +Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors +on resume") from Hans de Geode, which fixed the same errors on ALC5651. + +Signed-off-by: Maxim Schwalm +Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5631.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c +index f70b9f7e68bb..281957a8fa86 100644 +--- a/sound/soc/codecs/rt5631.c ++++ b/sound/soc/codecs/rt5631.c +@@ -1691,6 +1691,8 @@ static const struct regmap_config rt5631_regmap_config = { + .reg_defaults = rt5631_reg, + .num_reg_defaults = ARRAY_SIZE(rt5631_reg), + .cache_type = REGCACHE_RBTREE, ++ .use_single_read = true, ++ .use_single_write = true, + }; + + static int rt5631_i2c_probe(struct i2c_client *i2c, +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch b/queue-5.4/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch new file mode 100644 index 00000000000..5f333a27068 --- /dev/null +++ b/queue-5.4/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch @@ -0,0 +1,40 @@ +From 910c5c4f9d8798e8b35174ed373c883dba4c6e6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:28 -0400 +Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in + bnxt_fw_rset_task() + +From: Michael Chan + +[ Upstream commit 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a ] + +In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all +VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after +we acquire the rtnl_lock. If the flag is set, we need to abort. + +Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index e840aae894ff..f4f63c359bdb 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -10735,6 +10735,10 @@ static void bnxt_fw_reset_task(struct work_struct *work) + } + bp->fw_reset_timestamp = jiffies; + rtnl_lock(); ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ rtnl_unlock(); ++ goto fw_reset_abort; ++ } + bnxt_fw_reset_close(bp); + if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) { + bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN; +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch b/queue-5.4/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch new file mode 100644 index 00000000000..89bbbcaab89 --- /dev/null +++ b/queue-5.4/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch @@ -0,0 +1,68 @@ +From c8ddb588aa11093fdfc3507baaa8ab2387236c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:31 -0400 +Subject: bnxt_en: Check abort error state in bnxt_half_open_nic() + +From: Somnath Kotur + +[ Upstream commit 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1 ] + +bnxt_half_open_nic() is called during during ethtool self test and is +protected by rtnl_lock. Firmware reset can be happening at the same +time. Only critical portions of the entire firmware reset sequence +are protected by the rtnl_lock. It is possible that bnxt_half_open_nic() +can be called when the firmware reset sequence is aborting. In that +case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set +and abort if it is. The ethtool self test will fail but the NIC will be +brought to a consistent IF_DOWN state. + +Without this patch, if bnxt_half_open_nic() were to continue in this +error state, it may crash like this: + + bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + ... + Process ethtool (pid: 333327, stack limit = 0x0000000046476577) + Call trace: + bnxt_alloc_mem+0x444/0xef0 [bnxt_en] + bnxt_half_open_nic+0x24/0xb8 [bnxt_en] + bnxt_self_test+0x2dc/0x390 [bnxt_en] + ethtool_self_test+0xe0/0x1f8 + dev_ethtool+0x1744/0x22d0 + dev_ioctl+0x190/0x3e0 + sock_ioctl+0x238/0x480 + do_vfs_ioctl+0xc4/0x758 + ksys_ioctl+0x84/0xb8 + __arm64_sys_ioctl+0x28/0x38 + el0_svc_handler+0xb0/0x180 + el0_svc+0x8/0xc + +Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index f4f63c359bdb..287ea792922a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9239,6 +9239,12 @@ int bnxt_half_open_nic(struct bnxt *bp) + { + int rc = 0; + ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n"); ++ rc = -ENODEV; ++ goto half_open_err; ++ } ++ + rc = bnxt_alloc_mem(bp, false); + if (rc) { + netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc); +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-improve-bnxt_ulp_stop-bnxt_ulp_start-call-se.patch b/queue-5.4/bnxt_en-improve-bnxt_ulp_stop-bnxt_ulp_start-call-se.patch new file mode 100644 index 00000000000..49d4994feac --- /dev/null +++ b/queue-5.4/bnxt_en-improve-bnxt_ulp_stop-bnxt_ulp_start-call-se.patch @@ -0,0 +1,139 @@ +From 87e748cc576e343834e0b63b731395c5017e94fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 01:07:49 -0400 +Subject: bnxt_en: Improve bnxt_ulp_stop()/bnxt_ulp_start() call sequence. + +From: Vasundhara Volam + +[ Upstream commit aa46dffff452f7c6d907c4e6a0062e2c53a87fc0 ] + +We call bnxt_ulp_stop() to notify the RDMA driver that some error or +imminent reset is about to happen. After that we always call +some variants of bnxt_close(). + +In the next patch, we will integrate the recently added error +recovery with the RDMA driver. In response to ulp_stop, the +RDMA driver may free MSIX vectors and that will also trigger +bnxt_close(). To avoid bnxt_close() from being called twice, +we set a new flag after ulp_stop is called. If the RDMA driver +frees MSIX vectors while the new flag is set, we will not call +bnxt_close(), knowing that it will happen in due course. + +With this change, we must make sure that the bnxt_close() call +after ulp_stop will reset IRQ. Modify bnxt_reset_task() +accordingly if we call ulp_stop. + +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 ++++++++++-------- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 10 ++++++++-- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h | 3 ++- + 3 files changed, 20 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index d1c3939b0307..e840aae894ff 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9987,12 +9987,15 @@ static void bnxt_reset_task(struct bnxt *bp, bool silent) + if (netif_running(bp->dev)) { + int rc; + +- if (!silent) ++ if (silent) { ++ bnxt_close_nic(bp, false, false); ++ bnxt_open_nic(bp, false, false); ++ } else { + bnxt_ulp_stop(bp); +- bnxt_close_nic(bp, false, false); +- rc = bnxt_open_nic(bp, false, false); +- if (!silent && !rc) +- bnxt_ulp_start(bp); ++ bnxt_close_nic(bp, true, false); ++ rc = bnxt_open_nic(bp, true, false); ++ bnxt_ulp_start(bp, rc); ++ } + } + } + +@@ -12144,10 +12147,9 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + if (!err && netif_running(netdev)) + err = bnxt_open(netdev); + +- if (!err) { ++ if (!err) + result = PCI_ERS_RESULT_RECOVERED; +- bnxt_ulp_start(bp); +- } ++ bnxt_ulp_start(bp, err); + } + + if (result != PCI_ERS_RESULT_RECOVERED) { +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 13ef6a9afaa0..85bacaed763e 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -186,7 +186,7 @@ static int bnxt_free_msix_vecs(struct bnxt_en_dev *edev, int ulp_id) + + edev->ulp_tbl[ulp_id].msix_requested = 0; + edev->flags &= ~BNXT_EN_FLAG_MSIX_REQUESTED; +- if (netif_running(dev)) { ++ if (netif_running(dev) && !(edev->flags & BNXT_EN_FLAG_ULP_STOPPED)) { + bnxt_close_nic(bp, true, false); + bnxt_open_nic(bp, true, false); + } +@@ -274,6 +274,7 @@ void bnxt_ulp_stop(struct bnxt *bp) + if (!edev) + return; + ++ edev->flags |= BNXT_EN_FLAG_ULP_STOPPED; + for (i = 0; i < BNXT_MAX_ULP; i++) { + struct bnxt_ulp *ulp = &edev->ulp_tbl[i]; + +@@ -284,7 +285,7 @@ void bnxt_ulp_stop(struct bnxt *bp) + } + } + +-void bnxt_ulp_start(struct bnxt *bp) ++void bnxt_ulp_start(struct bnxt *bp, int err) + { + struct bnxt_en_dev *edev = bp->edev; + struct bnxt_ulp_ops *ops; +@@ -293,6 +294,11 @@ void bnxt_ulp_start(struct bnxt *bp) + if (!edev) + return; + ++ edev->flags &= ~BNXT_EN_FLAG_ULP_STOPPED; ++ ++ if (err) ++ return; ++ + for (i = 0; i < BNXT_MAX_ULP; i++) { + struct bnxt_ulp *ulp = &edev->ulp_tbl[i]; + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h +index cd78453d0bf0..9895406b9830 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h +@@ -64,6 +64,7 @@ struct bnxt_en_dev { + #define BNXT_EN_FLAG_ROCE_CAP (BNXT_EN_FLAG_ROCEV1_CAP | \ + BNXT_EN_FLAG_ROCEV2_CAP) + #define BNXT_EN_FLAG_MSIX_REQUESTED 0x4 ++ #define BNXT_EN_FLAG_ULP_STOPPED 0x8 + const struct bnxt_en_ops *en_ops; + struct bnxt_ulp ulp_tbl[BNXT_MAX_ULP]; + }; +@@ -92,7 +93,7 @@ int bnxt_get_ulp_msix_num(struct bnxt *bp); + int bnxt_get_ulp_msix_base(struct bnxt *bp); + int bnxt_get_ulp_stat_ctxs(struct bnxt *bp); + void bnxt_ulp_stop(struct bnxt *bp); +-void bnxt_ulp_start(struct bnxt *bp); ++void bnxt_ulp_start(struct bnxt *bp, int err); + void bnxt_ulp_sriov_cfg(struct bnxt *bp, int num_vfs); + void bnxt_ulp_shutdown(struct bnxt *bp); + void bnxt_ulp_irq_stop(struct bnxt *bp); +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch b/queue-5.4/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch new file mode 100644 index 00000000000..de8d5616ae6 --- /dev/null +++ b/queue-5.4/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch @@ -0,0 +1,49 @@ +From 0b30ad4ed9b027695a5d9b33a7aa4898c9a3ac20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:27 -0400 +Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe() + +From: Michael Chan + +[ Upstream commit 2c9f046bc377efd1f5e26e74817d5f96e9506c86 ] + +The capabilities can change after firmware upgrade/downgrade, so we +should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe() +is called. + +Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.") +Reviewed-by: Somnath Kotur +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 85bacaed763e..b0ae180df4e6 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -473,13 +473,14 @@ struct bnxt_en_dev *bnxt_ulp_probe(struct net_device *dev) + if (!edev) + return ERR_PTR(-ENOMEM); + edev->en_ops = &bnxt_en_ops_tbl; +- if (bp->flags & BNXT_FLAG_ROCEV1_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; +- if (bp->flags & BNXT_FLAG_ROCEV2_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + edev->net = dev; + edev->pdev = bp->pdev; + bp->edev = edev; + } ++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + return bp->edev; + } +-- +2.30.2 + diff --git a/queue-5.4/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch b/queue-5.4/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch new file mode 100644 index 00000000000..d0565329f27 --- /dev/null +++ b/queue-5.4/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch @@ -0,0 +1,47 @@ +From edadc7269b8588c401fbf481f3540160d06ce81c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 12:55:46 -0700 +Subject: bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats + +From: John Fastabend + +[ Upstream commit 228a4a7ba8e99bb9ef980b62f71e3be33f4aae69 ] + +The proc socket stats use sk_prot->inuse_idx value to record inuse sock +stats. We currently do not set this correctly from sockmap side. The +result is reading sock stats '/proc/net/sockstat' gives incorrect values. +The socket counter is incremented correctly, but because we don't set the +counter correctly when we replace sk_prot we may omit the decrement. + +To get the correct inuse_idx value move the core_initcall that initializes +the TCP proto handlers to late_initcall. This way it is initialized after +TCP has the chance to assign the inuse_idx value from the register protocol +handler. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/bpf/20210712195546.423990-3-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 819255ee4e42..6a0c4326d9cf 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -636,7 +636,7 @@ static int __init tcp_bpf_v4_build_proto(void) + tcp_bpf_rebuild_protos(tcp_bpf_prots[TCP_BPF_IPV4], &tcp_prot); + return 0; + } +-core_initcall(tcp_bpf_v4_build_proto); ++late_initcall(tcp_bpf_v4_build_proto); + + static void tcp_bpf_update_sk_prot(struct sock *sk, struct sk_psock *psock) + { +-- +2.30.2 + diff --git a/queue-5.4/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch b/queue-5.4/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch new file mode 100644 index 00000000000..f846158d0d2 --- /dev/null +++ b/queue-5.4/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch @@ -0,0 +1,41 @@ +From 325a6809f87465e78e52e92730c02c098c2d1a0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:06:09 +0200 +Subject: bpftool: Check malloc return value in mount_bpffs_for_pin + +From: Tobias Klauser + +[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ] + +Fix and add a missing NULL check for the prior malloc() call. + +Fixes: 49a086c201a9 ("bpftool: implement prog load command") +Signed-off-by: Tobias Klauser +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Acked-by: Roman Gushchin +Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index 88264abaa738..a209f53901b8 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -171,6 +171,11 @@ int mount_bpffs_for_pin(const char *name) + int err = 0; + + file = malloc(strlen(name) + 1); ++ if (!file) { ++ p_err("mem alloc failed"); ++ return -1; ++ } ++ + strcpy(file, name); + dir = dirname(file); + +-- +2.30.2 + diff --git a/queue-5.4/cxgb4-fix-irq-free-race-during-driver-unload.patch b/queue-5.4/cxgb4-fix-irq-free-race-during-driver-unload.patch new file mode 100644 index 00000000000..2e55c7d5d80 --- /dev/null +++ b/queue-5.4/cxgb4-fix-irq-free-race-during-driver-unload.patch @@ -0,0 +1,89 @@ +From 90fb841ca98520447b163497e4665aae396121ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 21:51:56 +0530 +Subject: cxgb4: fix IRQ free race during driver unload + +From: Shahjada Abul Husain + +[ Upstream commit 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc ] + +IRQs are requested during driver's ndo_open() and then later +freed up in disable_interrupts() during driver unload. +A race exists where driver can set the CXGB4_FULL_INIT_DONE +flag in ndo_open() after the disable_interrupts() in driver +unload path checks it, and hence misses calling free_irq(). + +Fix by unregistering netdevice first and sync with driver's +ndo_open(). This ensures disable_interrupts() checks the flag +correctly and frees up the IRQs properly. + +Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev") +Signed-off-by: Shahjada Abul Husain +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++-------- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++ + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index deb1c1f30107..21414a34a5b5 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2245,6 +2245,9 @@ static void detach_ulds(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + list_del(&adap->list_node); + +@@ -6152,10 +6155,13 @@ static void remove_one(struct pci_dev *pdev) + */ + destroy_workqueue(adapter->workq); + +- if (is_uld(adapter)) { +- detach_ulds(adapter); +- t4_uld_clean_up(adapter); +- } ++ detach_ulds(adapter); ++ ++ for_each_port(adapter, i) ++ if (adapter->port[i]->reg_state == NETREG_REGISTERED) ++ unregister_netdev(adapter->port[i]); ++ ++ t4_uld_clean_up(adapter); + + adap_free_hma_mem(adapter); + +@@ -6163,10 +6169,6 @@ static void remove_one(struct pci_dev *pdev) + + cxgb4_free_mps_ref_entries(adapter); + +- for_each_port(adapter, i) +- if (adapter->port[i]->reg_state == NETREG_REGISTERED) +- unregister_netdev(adapter->port[i]); +- + debugfs_remove_recursive(adapter->debugfs_root); + + if (!is_t4(adapter->params.chip)) +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +index 86b528d8364c..971bdd70b6d6 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -638,6 +638,9 @@ void t4_uld_clean_up(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + for (i = 0; i < CXGB4_ULD_MAX; i++) { + if (!adap->uld[i].handle) +-- +2.30.2 + diff --git a/queue-5.4/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch b/queue-5.4/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch new file mode 100644 index 00000000000..dea55093f9c --- /dev/null +++ b/queue-5.4/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch @@ -0,0 +1,36 @@ +From 55371e87f3f5a9d4d2bdfbb254ae7ad68aa77974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:45:23 +0200 +Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free + +From: Maxime Ripard + +[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ] + +The mipi_dsi_device allocated by mipi_dsi_device_register_full() is +already free'd on release. + +Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.") +Signed-off-by: Maxime Ripard +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +index 2aa89eaecf6f..bdb4d59c8127 100644 +--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c ++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +@@ -453,7 +453,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c) + drm_panel_remove(&ts->base); + + mipi_dsi_device_unregister(ts->dsi); +- kfree(ts->dsi); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.4/e1000e-fix-an-error-handling-path-in-e1000_probe.patch b/queue-5.4/e1000e-fix-an-error-handling-path-in-e1000_probe.patch new file mode 100644 index 00000000000..aa56221b191 --- /dev/null +++ b/queue-5.4/e1000e-fix-an-error-handling-path-in-e1000_probe.patch @@ -0,0 +1,38 @@ +From e7a8d609c4616bd1b761791c49bfacc184928658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:05:53 +0200 +Subject: e1000e: Fix an error handling path in 'e1000_probe()' + +From: Christophe JAILLET + +[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 111b9dc5c981 ("e1000e: add aer support") +Signed-off-by: Christophe JAILLET +Acked-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index a06d514215ed..cbd83bb5c1ac 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7401,6 +7401,7 @@ err_flashmap: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/efi-tpm-differentiate-missing-and-invalid-final-even.patch b/queue-5.4/efi-tpm-differentiate-missing-and-invalid-final-even.patch new file mode 100644 index 00000000000..0342e760cc0 --- /dev/null +++ b/queue-5.4/efi-tpm-differentiate-missing-and-invalid-final-even.patch @@ -0,0 +1,45 @@ +From 101af60ac02c134f46a79a869977f253dd872e94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 11:46:54 +0200 +Subject: efi/tpm: Differentiate missing and invalid final event log table. + +From: Michal Suchanek + +[ Upstream commit 674a9f1f6815849bfb5bf385e7da8fc198aaaba9 ] + +Missing TPM final event log table is not a firmware bug. + +Clearly if providing event log in the old format makes the final event +log invalid it should not be provided at least in that case. + +Fixes: b4f1874c6216 ("tpm: check event log version before reading final events") +Signed-off-by: Michal Suchanek +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/tpm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c +index c1955d320fec..8f665678e9e3 100644 +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -62,9 +62,11 @@ int __init efi_tpm_eventlog_init(void) + tbl_size = sizeof(*log_tbl) + log_tbl->size; + memblock_reserve(efi.tpm_log, tbl_size); + +- if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR || +- log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { +- pr_warn(FW_BUG "TPM Final Events table missing or invalid\n"); ++ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) { ++ pr_info("TPM Final Events table not present\n"); ++ goto out; ++ } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { ++ pr_warn(FW_BUG "TPM Final Events table invalid\n"); + goto out; + } + +-- +2.30.2 + diff --git a/queue-5.4/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch b/queue-5.4/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch new file mode 100644 index 00000000000..95174e323f2 --- /dev/null +++ b/queue-5.4/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch @@ -0,0 +1,36 @@ +From 226e72214d1541f3942b005c94a06788260a0783 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:00:36 +0200 +Subject: fm10k: Fix an error handling path in 'fm10k_probe()' + +From: Christophe JAILLET + +[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +index bb236fa44048..36b016308c62 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +@@ -2230,6 +2230,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_netdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/gve-fix-an-error-handling-path-in-gve_probe.patch b/queue-5.4/gve-fix-an-error-handling-path-in-gve_probe.patch new file mode 100644 index 00000000000..74a7370b5c3 --- /dev/null +++ b/queue-5.4/gve-fix-an-error-handling-path-in-gve_probe.patch @@ -0,0 +1,50 @@ +From 690d2e0d3d2dce9545699b63edbf35db52cc7a91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 22:18:24 +0200 +Subject: gve: Fix an error handling path in 'gve_probe()' + +From: Christophe JAILLET + +[ Upstream commit 2342ae10d1272d411a468a85a67647dd115b344f ] + +If the 'register_netdev() call fails, we must release the resources +allocated by the previous 'gve_init_priv()' call, as already done in the +remove function. + +Add a new label and the missing 'gve_teardown_priv_resources()' in the +error handling path. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Christophe JAILLET +Reviewed-by: Catherine Sullivan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 1c4b35b1b359..f8dfa7501f65 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1170,13 +1170,16 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = register_netdev(dev); + if (err) +- goto abort_with_wq; ++ goto abort_with_gve_init; + + dev_info(&pdev->dev, "GVE version %s\n", gve_version_str); + gve_clear_probe_in_progress(priv); + queue_work(priv->gve_wq, &priv->service_task); + return 0; + ++abort_with_gve_init: ++ gve_teardown_priv_resources(priv); ++ + abort_with_wq: + destroy_workqueue(priv->gve_wq); + +-- +2.30.2 + diff --git a/queue-5.4/iavf-fix-an-error-handling-path-in-iavf_probe.patch b/queue-5.4/iavf-fix-an-error-handling-path-in-iavf_probe.patch new file mode 100644 index 00000000000..4d573971d30 --- /dev/null +++ b/queue-5.4/iavf-fix-an-error-handling-path-in-iavf_probe.patch @@ -0,0 +1,36 @@ +From d7efc99d747b0c5e2b2b9545d572bf18441739f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:53:02 +0200 +Subject: iavf: Fix an error handling path in 'iavf_probe()' + +From: Christophe JAILLET + +[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index a97e1f9ca1ed..cda9b9a8392a 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3765,6 +3765,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/queue-5.4/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch new file mode 100644 index 00000000000..5365a62fc97 --- /dev/null +++ b/queue-5.4/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch @@ -0,0 +1,59 @@ +From e1bb54b1f0be65948bde1d8e9921a61842833a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 10:19:23 +0000 +Subject: igb: Check if num of q_vectors is smaller than max before array + access + +From: Aleksandr Loktionov + +[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ] + +Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed +beyond its size. It was fixed by using a local variable num_q_vectors +as a limit for loop index, and ensure that num_q_vectors is not bigger +than MAX_Q_VECTORS. + +Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI") +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Grzegorz Siwik +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Slawomir Laba +Reviewed-by: Sylwester Dziedziuch +Reviewed-by: Mateusz Palczewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index bf8da4869c0f..35b096ab2893 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -940,6 +940,7 @@ static void igb_configure_msix(struct igb_adapter *adapter) + **/ + static int igb_request_msix(struct igb_adapter *adapter) + { ++ unsigned int num_q_vectors = adapter->num_q_vectors; + struct net_device *netdev = adapter->netdev; + int i, err = 0, vector = 0, free_vector = 0; + +@@ -948,7 +949,13 @@ static int igb_request_msix(struct igb_adapter *adapter) + if (err) + goto err_out; + +- for (i = 0; i < adapter->num_q_vectors; i++) { ++ if (num_q_vectors > MAX_Q_VECTORS) { ++ num_q_vectors = MAX_Q_VECTORS; ++ dev_warn(&adapter->pdev->dev, ++ "The number of queue vectors (%d) is higher than max allowed (%d)\n", ++ adapter->num_q_vectors, MAX_Q_VECTORS); ++ } ++ for (i = 0; i < num_q_vectors; i++) { + struct igb_q_vector *q_vector = adapter->q_vector[i]; + + vector++; +-- +2.30.2 + diff --git a/queue-5.4/igb-fix-an-error-handling-path-in-igb_probe.patch b/queue-5.4/igb-fix-an-error-handling-path-in-igb_probe.patch new file mode 100644 index 00000000000..1a98c309c1a --- /dev/null +++ b/queue-5.4/igb-fix-an-error-handling-path-in-igb_probe.patch @@ -0,0 +1,37 @@ +From 5a88f05a059a87fb58bf7ea0ea5328dae190894d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:08:33 +0200 +Subject: igb: Fix an error handling path in 'igb_probe()' + +From: Christophe JAILLET + +[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 09f2338084e7..bf8da4869c0f 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3469,6 +3469,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/igb-fix-position-of-assignment-to-ring.patch b/queue-5.4/igb-fix-position-of-assignment-to-ring.patch new file mode 100644 index 00000000000..a6b86b25154 --- /dev/null +++ b/queue-5.4/igb-fix-position-of-assignment-to-ring.patch @@ -0,0 +1,46 @@ +From 576adb9264bbafa03267b92df53b823b31f59e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:42:17 +0000 +Subject: igb: Fix position of assignment to *ring + +From: Jedrzej Jagielski + +[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ] + +Assignment to *ring should be done after correctness check of the +argument queue. + +Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()") +Signed-off-by: Jedrzej Jagielski +Acked-by: Vinicius Costa Gomes +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 35b096ab2893..158feb0ab273 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1694,14 +1694,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter) + **/ + static void igb_config_tx_modes(struct igb_adapter *adapter, int queue) + { +- struct igb_ring *ring = adapter->tx_ring[queue]; + struct net_device *netdev = adapter->netdev; + struct e1000_hw *hw = &adapter->hw; ++ struct igb_ring *ring; + u32 tqavcc, tqavctrl; + u16 value; + + WARN_ON(hw->mac.type != e1000_i210); + WARN_ON(queue < 0 || queue > 1); ++ ring = adapter->tx_ring[queue]; + + /* If any of the Qav features is enabled, configure queues as SR and + * with HIGH PRIO. If none is, then configure them with LOW PRIO and +-- +2.30.2 + diff --git a/queue-5.4/igb-fix-use-after-free-error-during-reset.patch b/queue-5.4/igb-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..6ff9eb68f4d --- /dev/null +++ b/queue-5.4/igb-fix-use-after-free-error-during-reset.patch @@ -0,0 +1,45 @@ +From bbe06dffa0fa6c7a614cb945b8c0381ae29e1fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:04 -0700 +Subject: igb: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igb_poll() runs +while the controller is reset this can lead to the driver try to free +a skb that was already freed. + +(The crash is harder to reproduce with the igb driver, but the same +potential problem exists as the code is identical to igc) + +Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring") +Signed-off-by: Vinicius Costa Gomes +Reported-by: Erez Geva +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c37f0590b3a4..09f2338084e7 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4657,6 +4657,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.4/igc-change-default-return-of-igc_read_phy_reg.patch b/queue-5.4/igc-change-default-return-of-igc_read_phy_reg.patch new file mode 100644 index 00000000000..0597a83b8c5 --- /dev/null +++ b/queue-5.4/igc-change-default-return-of-igc_read_phy_reg.patch @@ -0,0 +1,45 @@ +From 323eac441c0eba4a50e35c1a21ec749778ee9a0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 12:50:19 -0700 +Subject: igc: change default return of igc_read_phy_reg() + +From: Tom Rix + +[ Upstream commit 05682a0a61b6cbecd97a0f37f743b2cbfd516977 ] + +Static analysis reports this problem + +igc_main.c:4944:20: warning: The left operand of '&' + is a garbage value + if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) && + ~~~~~~~~ ^ + +phy_data is set by the call to igc_read_phy_reg() only if +there is a read_reg() op, else it is unset and a 0 is +returned. Change the return to -EOPNOTSUPP. + +Fixes: 208983f099d9 ("igc: Add watchdog") +Signed-off-by: Tom Rix +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 7e16345d836e..aec998c82b69 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -504,7 +504,7 @@ static inline s32 igc_read_phy_reg(struct igc_hw *hw, u32 offset, u16 *data) + if (hw->phy.ops.read_reg) + return hw->phy.ops.read_reg(hw, offset, data); + +- return 0; ++ return -EOPNOTSUPP; + } + + /* forward declaration */ +-- +2.30.2 + diff --git a/queue-5.4/igc-fix-an-error-handling-path-in-igc_probe.patch b/queue-5.4/igc-fix-an-error-handling-path-in-igc_probe.patch new file mode 100644 index 00000000000..3c914686a60 --- /dev/null +++ b/queue-5.4/igc-fix-an-error-handling-path-in-igc_probe.patch @@ -0,0 +1,38 @@ +From dd1cf009a27df972ed30493895f67086219c28fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:00:05 +0200 +Subject: igc: Fix an error handling path in 'igc_probe()' + +From: Christophe JAILLET + +[ Upstream commit c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: c9a11c23ceb6 ("igc: Add netdev") +Signed-off-by: Christophe JAILLET +Tested-by: Dvora Fuxbrumer +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 606c1abafa7d..084cf4a4114a 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -4312,6 +4312,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/igc-fix-use-after-free-error-during-reset.patch b/queue-5.4/igc-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..aa8d08e1f2b --- /dev/null +++ b/queue-5.4/igc-fix-use-after-free-error-during-reset.patch @@ -0,0 +1,93 @@ +From 6668c6fb63fd54d225a426830b09296894d7ef28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:03 -0700 +Subject: igc: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 56ea7ed103b46970e171eb1c95916f393d64eeff ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igc_poll() runs +while the controller is being reset this can lead to the driver try to +free a skb that was already freed. + +Log message: + + [ 101.525242] refcount_t: underflow; use-after-free. + [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0 + [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) + x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) + ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) + rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) + soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) + iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) + soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) + autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) + i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E) + [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) + e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) + usbcore(E) drm(E) button(E) video(E) + [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe + [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017 + [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0 + [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 + 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3 + [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286 + [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001 + [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff + [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50 + [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00 + [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40 + [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000 + [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0 + [ 101.525343] Call Trace: + [ 101.525346] sock_wfree+0x9c/0xa0 + [ 101.525353] unix_destruct_scm+0x7b/0xa0 + [ 101.525358] skb_release_head_state+0x40/0x90 + [ 101.525362] skb_release_all+0xe/0x30 + [ 101.525364] napi_consume_skb+0x57/0x160 + [ 101.525367] igc_poll+0xb7/0xc80 [igc] + [ 101.525376] ? sched_clock+0x5/0x10 + [ 101.525381] ? sched_clock_cpu+0xe/0x100 + [ 101.525385] net_rx_action+0x14c/0x410 + [ 101.525388] __do_softirq+0xe9/0x2f4 + [ 101.525391] __local_bh_enable_ip+0xe3/0x110 + [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0 + [ 101.525398] irq_forced_thread_fn+0x6a/0x80 + [ 101.525401] irq_thread+0xe8/0x180 + [ 101.525403] ? wake_threads_waitq+0x30/0x30 + [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0 + [ 101.525408] kthread+0x183/0x1a0 + [ 101.525412] ? kthread_park+0x80/0x80 + [ 101.525415] ret_from_fork+0x22/0x30 + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Reported-by: Erez Geva +Signed-off-by: Vinicius Costa Gomes +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 6b43e1c5b1c3..8c2813963e55 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -256,6 +256,8 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.4/igc-prefer-to-use-the-pci_release_mem_regions-method.patch b/queue-5.4/igc-prefer-to-use-the-pci_release_mem_regions-method.patch new file mode 100644 index 00000000000..2765d629c15 --- /dev/null +++ b/queue-5.4/igc-prefer-to-use-the-pci_release_mem_regions-method.patch @@ -0,0 +1,37 @@ +From 35f7343ec3f78dc5316e86711164b5b0f85d43c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 16:05:20 +0200 +Subject: igc: Prefer to use the pci_release_mem_regions method + +From: Sasha Neftin + +[ Upstream commit faf4dd52e9e34a36254a6ad43369064b6928d504 ] + +Use the pci_release_mem_regions method instead of the +pci_release_selected_regions method + +Signed-off-by: Sasha Neftin +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 8c2813963e55..606c1abafa7d 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -4312,8 +4312,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: +- pci_release_selected_regions(pdev, +- pci_select_bars(pdev, IORESOURCE_MEM)); ++ pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: + pci_disable_device(pdev); +-- +2.30.2 + diff --git a/queue-5.4/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch b/queue-5.4/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch new file mode 100644 index 00000000000..20c0ba21912 --- /dev/null +++ b/queue-5.4/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch @@ -0,0 +1,44 @@ +From fb9773a81aa749ad82979adf5c34d581a4b2d88a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:08:40 +0200 +Subject: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions + +From: Paolo Abeni + +[ Upstream commit 8fb4792f091e608a0a1d353dfdf07ef55a719db5 ] + +While running the self-tests on a KASAN enabled kernel, I observed a +slab-out-of-bounds splat very similar to the one reported in +commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in + fib6_nh_flush_exceptions"). + +We additionally need to take care of fib6_metrics initialization +failure when the caller provides an nh. + +The fix is similar, explicitly free the route instead of calling +fib6_info_release on a half-initialized object. + +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index b903fe28ce50..d6fc22f7d7a6 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3655,7 +3655,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + err = PTR_ERR(rt->fib6_metrics); + /* Do not leave garbage there. */ + rt->fib6_metrics = (struct dst_metrics *)&dst_default_metrics; +- goto out; ++ goto out_free; + } + + if (cfg->fc_flags & RTF_ADDRCONF) +-- +2.30.2 + diff --git a/queue-5.4/ipv6-fix-disable_policy-for-fwd-packets.patch b/queue-5.4/ipv6-fix-disable_policy-for-fwd-packets.patch new file mode 100644 index 00000000000..8b0af13d8e9 --- /dev/null +++ b/queue-5.4/ipv6-fix-disable_policy-for-fwd-packets.patch @@ -0,0 +1,51 @@ +From 76741ff30ffb3ab3b115eb6f98ab771bf3a0c4c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 11:13:35 +0200 +Subject: ipv6: fix 'disable_policy' for fwd packets + +From: Nicolas Dichtel + +[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ] + +The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of +"disable_policy" sysctl") was to have the disable_policy from ipv4 +available on ipv6. +However, it's not exactly the same mechanism. On IPv4, all packets coming +from an interface, which has disable_policy set, bypass the policy check. +For ipv6, this is done only for local packets, ie for packets destinated to +an address configured on the incoming interface. + +Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same +effect for both protocols. + +My first approach was to create a new kind of route cache entries, to be +able to set DST_NOPOLICY without modifying routes. This would have added a +lot of code. Because the local delivery path is already handled, I choose +to focus on the forwarding path to minimize code churn. + +Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 4dcbb1ccab25..33444d985681 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -477,7 +477,9 @@ int ip6_forward(struct sk_buff *skb) + if (skb_warn_if_lro(skb)) + goto drop; + +- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { ++ if (!net->ipv6.devconf_all->disable_policy && ++ !idev->cnf.disable_policy && ++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); + goto drop; + } +-- +2.30.2 + diff --git a/queue-5.4/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch b/queue-5.4/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch new file mode 100644 index 00000000000..151974a7ad9 --- /dev/null +++ b/queue-5.4/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch @@ -0,0 +1,37 @@ +From 994a5ebb24f16d6b3d8adf86c8ec5e67c4455fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 15:46:09 +0200 +Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()' + +From: Christophe JAILLET + +[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 1b8e70585c44..71b77ce60b07 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -11207,6 +11207,7 @@ err_ioremap: + disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state); + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.4/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch b/queue-5.4/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch new file mode 100644 index 00000000000..7d2dfe04735 --- /dev/null +++ b/queue-5.4/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch @@ -0,0 +1,44 @@ +From 2fcabc5f4590be84256321054ddbb16bd1fa10c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:09 +1000 +Subject: KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash + +From: Nicholas Piggin + +[ Upstream commit bd31ecf44b8e18ccb1e5f6b50f85de6922a60de3 ] + +When running CPU_FTR_P9_TM_HV_ASSIST, HFSCR[TM] is set for the guest +even if the host has CONFIG_TRANSACTIONAL_MEM=n, which causes it to be +unprepared to handle guest exits while transactional. + +Normal guests don't have a problem because the HTM capability will not +be advertised, but a rogue or buggy one could crash the host. + +Fixes: 4bb3c7a0208f ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 9011857c0434..bba358f13471 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2306,8 +2306,10 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm, + HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP; + if (cpu_has_feature(CPU_FTR_HVMODE)) { + vcpu->arch.hfscr &= mfspr(SPRN_HFSCR); ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM + if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST)) + vcpu->arch.hfscr |= HFSCR_TM; ++#endif + } + if (cpu_has_feature(CPU_FTR_TM_COMP)) + vcpu->arch.hfscr |= HFSCR_TM; +-- +2.30.2 + diff --git a/queue-5.4/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch b/queue-5.4/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch new file mode 100644 index 00000000000..386bfa7d05e --- /dev/null +++ b/queue-5.4/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch @@ -0,0 +1,51 @@ +From 1cc58fb8b6d2e16ed852f1ed5a07ae4a7e3978f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:10 +1000 +Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak + +From: Nicholas Piggin + +[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ] + +vcpu_put is not called if the user copy fails. This can result in preempt +notifier corruption and crashes, among other issues. + +Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/powerpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index e03c06471678..8dd4d2b83677 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -2035,9 +2035,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + { + struct kvm_enable_cap cap; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&cap, argp, sizeof(cap))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap); + vcpu_put(vcpu); + break; +@@ -2061,9 +2061,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + case KVM_DIRTY_TLB: { + struct kvm_dirty_tlb dirty; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&dirty, argp, sizeof(dirty))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty); + vcpu_put(vcpu); + break; +-- +2.30.2 + diff --git a/queue-5.4/liquidio-fix-unintentional-sign-extension-issue-on-l.patch b/queue-5.4/liquidio-fix-unintentional-sign-extension-issue-on-l.patch new file mode 100644 index 00000000000..1d581dcc585 --- /dev/null +++ b/queue-5.4/liquidio-fix-unintentional-sign-extension-issue-on-l.patch @@ -0,0 +1,43 @@ +From 96a5f0fb4d937011145ab119e51f0024a8414caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 16:23:43 +0100 +Subject: liquidio: Fix unintentional sign extension issue on left shift of u16 + +From: Colin Ian King + +[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ] + +Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS +(29) bits will be promoted to a 32 bit signed int and then sign-extended +to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7) +the shifted value will be sign extended and the top 32 bits of the result +will be set. + +Fix this by casting the u16 values to a u64 before the 29 bit left shift. + +Addresses-Coverity: ("Unintended sign extension") + +Fixes: 3451b97cce2d ("liquidio: CN23XX register setup") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +index 4cddd628d41b..9ed3d1ab2ca5 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct) + * bits 32:47 indicate the PVF num. + */ + for (q_no = 0; q_no < ern; q_no++) { +- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; ++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; + + /* for VF assigned queues. */ + if (q_no < oct->sriov_info.pf_srn) { +-- +2.30.2 + diff --git a/queue-5.4/net-decnet-fix-sleeping-inside-in-af_decnet.patch b/queue-5.4/net-decnet-fix-sleeping-inside-in-af_decnet.patch new file mode 100644 index 00000000000..d57fb735783 --- /dev/null +++ b/queue-5.4/net-decnet-fix-sleeping-inside-in-af_decnet.patch @@ -0,0 +1,126 @@ +From d968cb80f36afcab4e19f22af50af67436940f2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:13:20 +0800 +Subject: net: decnet: Fix sleeping inside in af_decnet + +From: Yajun Deng + +[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ] + +The release_sock() is blocking function, it would change the state +after sleeping. use wait_woken() instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/decnet/af_decnet.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 3349ea81f901..b9b847dc097c 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -815,7 +815,7 @@ static int dn_auto_bind(struct socket *sock) + static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + if (scp->state != DN_CR) +@@ -825,11 +825,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk)); + dn_send_conn_conf(sk, allocation); + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -843,9 +843,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; + } else if (scp->state != DN_CC) { +@@ -857,7 +856,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + static int dn_wait_run(struct sock *sk, long *timeo) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err = 0; + + if (scp->state == DN_RUN) +@@ -866,11 +865,11 @@ static int dn_wait_run(struct sock *sk, long *timeo) + if (!*timeo) + return -EALREADY; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CI || scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -884,9 +883,8 @@ static int dn_wait_run(struct sock *sk, long *timeo) + err = -ETIMEDOUT; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + out: + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; +@@ -1031,16 +1029,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt) + + static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + { +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + struct sk_buff *skb = NULL; + int err = 0; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + skb = skb_dequeue(&sk->sk_receive_queue); + if (skb == NULL) { +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + skb = skb_dequeue(&sk->sk_receive_queue); + } + lock_sock(sk); +@@ -1055,9 +1053,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + + return skb == NULL ? ERR_PTR(err) : skb; + } +-- +2.30.2 + diff --git a/queue-5.4/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch b/queue-5.4/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch new file mode 100644 index 00000000000..05789ac01c4 --- /dev/null +++ b/queue-5.4/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch @@ -0,0 +1,57 @@ +From 988f89564b140f287e777dc8af2c3e42a5577c87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 20:22:04 +0800 +Subject: net: fix uninit-value in caif_seqpkt_sendmsg + +From: Ziyang Xuan + +[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ] + +When nr_segs equal to zero in iovec_from_user, the object +msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg +which is defined in ___sys_sendmsg. So we cann't just judge +msg->msg_iter.iov->base directlly. We can use nr_segs to judge +msg in caif_seqpkt_sendmsg whether has data buffers. + +===================================================== +BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343 + ___sys_sendmsg net/socket.c:2397 [inline] + __sys_sendmmsg+0x808/0xc90 net/socket.c:2480 + __compat_sys_sendmmsg net/compat.c:656 [inline] + +Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8 +Fixes: bece7b2398d0 ("caif: Rewritten socket implementation") +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/caif/caif_socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index ef14da50a981..8fa98c62c4fc 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg, + goto err; + + ret = -EINVAL; +- if (unlikely(msg->msg_iter.iov->iov_base == NULL)) ++ if (unlikely(msg->msg_iter.nr_segs == 0) || ++ unlikely(msg->msg_iter.iov->iov_base == NULL)) + goto err; + noblock = msg->msg_flags & MSG_DONTWAIT; + +-- +2.30.2 + diff --git a/queue-5.4/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch b/queue-5.4/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch new file mode 100644 index 00000000000..18f5d63f95c --- /dev/null +++ b/queue-5.4/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch @@ -0,0 +1,62 @@ +From 45904a88c28c8d1c66a7ac711104af8febe2f3bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 13:38:34 -0700 +Subject: net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition + +From: Randy Dunlap + +[ Upstream commit b16f3299ae1aa3c327e1fb742d0379ae4d6e86f2 ] + +Building on ARCH=arc causes a "redefined" warning, so rename this +driver's CACHE_LINE_MASK to avoid the warning. + +../drivers/net/ethernet/hisilicon/hip04_eth.c:134: warning: "CACHE_LINE_MASK" redefined + 134 | #define CACHE_LINE_MASK 0x3F +In file included from ../include/linux/cache.h:6, + from ../include/linux/printk.h:9, + from ../include/linux/kernel.h:19, + from ../include/linux/list.h:9, + from ../include/linux/module.h:12, + from ../drivers/net/ethernet/hisilicon/hip04_eth.c:7: +../arch/arc/include/asm/cache.h:17: note: this is the location of the previous definition + 17 | #define CACHE_LINE_MASK (~(L1_CACHE_BYTES - 1)) + +Fixes: d413779cdd93 ("net: hisilicon: Add an tx_desc to adapt HI13X1_GMAC") +Signed-off-by: Randy Dunlap +Cc: Vineet Gupta +Cc: Jiangfeng Xiao +Cc: "David S. Miller" +Cc: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 2ffe035e96d6..b5eae06dd870 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -131,7 +131,7 @@ + /* buf unit size is cache_line_size, which is 64, so the shift is 6 */ + #define PPE_BUF_SIZE_SHIFT 6 + #define PPE_TX_BUF_HOLD BIT(31) +-#define CACHE_LINE_MASK 0x3F ++#define SOC_CACHE_LINE_MASK 0x3F + #else + #define PPE_CFG_QOS_VMID_GRP_SHIFT 8 + #define PPE_CFG_RX_CTRL_ALIGN_SHIFT 11 +@@ -531,8 +531,8 @@ hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + #if defined(CONFIG_HI13X1_GMAC) + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV + | TX_RELEASE_TO_PPE | priv->port << TX_POOL_SHIFT); +- desc->data_offset = (__force u32)cpu_to_be32(phys & CACHE_LINE_MASK); +- desc->send_addr = (__force u32)cpu_to_be32(phys & ~CACHE_LINE_MASK); ++ desc->data_offset = (__force u32)cpu_to_be32(phys & SOC_CACHE_LINE_MASK); ++ desc->send_addr = (__force u32)cpu_to_be32(phys & ~SOC_CACHE_LINE_MASK); + #else + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV); + desc->send_addr = (__force u32)cpu_to_be32(phys); +-- +2.30.2 + diff --git a/queue-5.4/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch b/queue-5.4/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch new file mode 100644 index 00000000000..93bfc120ca3 --- /dev/null +++ b/queue-5.4/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch @@ -0,0 +1,50 @@ +From 6e6bbabb26489089f92958f6101a30810c253aaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 17:13:08 +0800 +Subject: net: hns3: fix rx VLAN offload state inconsistent issue + +From: Jian Shen + +[ Upstream commit bbfd4506f962e7e6fff8f37f017154a3c3791264 ] + +Currently, VF doesn't enable rx VLAN offload when initializating, +and PF does it for VFs. If user disable the rx VLAN offload for +VF with ethtool -K, and reload the VF driver, it may cause the +rx VLAN offload state being inconsistent between hardware and +software. + +Fixes it by enabling rx VLAN offload when VF initializing. + +Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") +Signed-off-by: Jian Shen +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index fc275d4f484c..ea348ebbbf2e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2119,6 +2119,16 @@ static int hclgevf_rss_init_hw(struct hclgevf_dev *hdev) + + static int hclgevf_init_vlan_config(struct hclgevf_dev *hdev) + { ++ struct hnae3_handle *nic = &hdev->nic; ++ int ret; ++ ++ ret = hclgevf_en_hw_strip_rxvtag(nic, true); ++ if (ret) { ++ dev_err(&hdev->pdev->dev, ++ "failed to enable rx vlan offload, ret = %d\n", ret); ++ return ret; ++ } ++ + return hclgevf_set_vlan_filter(&hdev->nic, htons(ETH_P_8021Q), 0, + false); + } +-- +2.30.2 + diff --git a/queue-5.4/net-sched-act_skbmod-skip-non-ethernet-packets.patch b/queue-5.4/net-sched-act_skbmod-skip-non-ethernet-packets.patch new file mode 100644 index 00000000000..42f910880eb --- /dev/null +++ b/queue-5.4/net-sched-act_skbmod-skip-non-ethernet-packets.patch @@ -0,0 +1,70 @@ +From 431415b060ced239da83a7fc8b017bee493db8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 16:41:24 -0700 +Subject: net/sched: act_skbmod: Skip non-Ethernet packets + +From: Peilin Ye + +[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ] + +Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 +protocol, which is not always the case. As an example, for CAN devices: + + $ ip link add dev vcan0 type vcan + $ ip link set up vcan0 + $ tc qdisc add dev vcan0 root handle 1: htb + $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ + matchall action skbmod swap mac + +Doing the above silently corrupts all the packets. Do not perform skbmod +actions for non-Ethernet packets. + +Fixes: 86da71b57383 ("net_sched: Introduce skbmod action") +Reviewed-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_skbmod.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c +index e858a0a9c045..f60d349542b1 100644 +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -6,6 +6,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -33,6 +34,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + tcf_lastuse_update(&d->tcf_tm); + bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb); + ++ action = READ_ONCE(d->tcf_action); ++ if (unlikely(action == TC_ACT_SHOT)) ++ goto drop; ++ ++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER) ++ return action; ++ + /* XXX: if you are going to edit more fields beyond ethernet header + * (example when you add IP header replacement or vlan swap) + * then MAX_EDIT_LEN needs to change appropriately +@@ -41,10 +49,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + if (unlikely(err)) /* best policy is to drop on the floor */ + goto drop; + +- action = READ_ONCE(d->tcf_action); +- if (unlikely(action == TC_ACT_SHOT)) +- goto drop; +- + p = rcu_dereference_bh(d->skbmod_p); + flags = p->flags; + if (flags & SKBMOD_F_DMAC) +-- +2.30.2 + diff --git a/queue-5.4/net-sched-cls_api-fix-the-the-wrong-parameter.patch b/queue-5.4/net-sched-cls_api-fix-the-the-wrong-parameter.patch new file mode 100644 index 00000000000..fc98b3fb440 --- /dev/null +++ b/queue-5.4/net-sched-cls_api-fix-the-the-wrong-parameter.patch @@ -0,0 +1,36 @@ +From b444f819372bbe6f8ca7342536cd0dd17b7c2387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:23:43 +0800 +Subject: net: sched: cls_api: Fix the the wrong parameter + +From: Yajun Deng + +[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ] + +The 4th parameter in tc_chain_notify() should be flags rather than seq. +Let's change it back correctly. + +Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 83e5a8aa2fb1..7f20fd37e01e 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2866,7 +2866,7 @@ replay: + break; + case RTM_GETCHAIN: + err = tc_chain_notify(chain, skb, n->nlmsg_seq, +- n->nlmsg_seq, n->nlmsg_type, true); ++ n->nlmsg_flags, n->nlmsg_type, true); + if (err < 0) + NL_SET_ERR_MSG(extack, "Failed to send chain notify message"); + break; +-- +2.30.2 + diff --git a/queue-5.4/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch b/queue-5.4/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch new file mode 100644 index 00000000000..d15d81e8670 --- /dev/null +++ b/queue-5.4/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch @@ -0,0 +1,52 @@ +From 0659e516a08626b35b553488ced5f81ce63fc885 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 14:29:33 +0300 +Subject: net: sched: fix memory leak in tcindex_partial_destroy_work + +From: Pavel Skripkin + +[ Upstream commit f5051bcece50140abd1a11a2d36dc3ec5484fc32 ] + +Syzbot reported memory leak in tcindex_set_parms(). The problem was in +non-freed perfect hash in tcindex_partial_destroy_work(). + +In tcindex_set_parms() new tcindex_data is allocated and some fields from +old one are copied to new one, but not the perfect hash. Since +tcindex_partial_destroy_work() is the destroy function for old +tcindex_data, we need to free perfect hash to avoid memory leak. + +Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com +Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_tcindex.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c +index 3e81f87d0c89..684187a1fdb9 100644 +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -278,6 +278,8 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r, + TCA_TCINDEX_POLICE); + } + ++static void tcindex_free_perfect_hash(struct tcindex_data *cp); ++ + static void tcindex_partial_destroy_work(struct work_struct *work) + { + struct tcindex_data *p = container_of(to_rcu_work(work), +@@ -285,7 +287,8 @@ static void tcindex_partial_destroy_work(struct work_struct *work) + rwork); + + rtnl_lock(); +- kfree(p->perfect); ++ if (p->perfect) ++ tcindex_free_perfect_hash(p); + kfree(p); + rtnl_unlock(); + } +-- +2.30.2 + diff --git a/queue-5.4/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch b/queue-5.4/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch new file mode 100644 index 00000000000..c3b19ed6296 --- /dev/null +++ b/queue-5.4/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch @@ -0,0 +1,72 @@ +From c940d821e2620407a77a81d4e0636b8a3b2b8ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 02:12:18 -0700 +Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp + +From: Eric Dumazet + +[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ] + +tfo_active_disable_stamp is read and written locklessly. +We need to annotate these accesses appropriately. + +Then, we need to perform the atomic_inc(tfo_active_disable_times) +after the timestamp has been updated, and thus add barriers +to make sure tcp_fastopen_active_should_disable() wont read +a stale timestamp. + +Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index a9971e41f31b..8af4fefe371f 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -504,8 +504,15 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ ++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); ++ ++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable(). ++ * We want net->ipv4.tfo_active_disable_stamp to be updated first. ++ */ ++ smp_mb__before_atomic(); + atomic_inc(&net->ipv4.tfo_active_disable_times); +- net->ipv4.tfo_active_disable_stamp = jiffies; ++ + NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE); + } + +@@ -523,10 +530,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk) + if (!tfo_da_times) + return false; + ++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */ ++ smp_rmb(); ++ + /* Limit timout to max: 2^6 * initial timeout */ + multiplier = 1 << min(tfo_da_times - 1, 6); +- timeout = multiplier * tfo_bh_timeout * HZ; +- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout)) ++ ++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */ ++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) + ++ multiplier * tfo_bh_timeout * HZ; ++ if (time_before(jiffies, timeout)) + return true; + + /* Mark check bit so we can check for successful active TFO +-- +2.30.2 + diff --git a/queue-5.4/netrom-decrease-sock-refcount-when-sock-timers-expir.patch b/queue-5.4/netrom-decrease-sock-refcount-when-sock-timers-expir.patch new file mode 100644 index 00000000000..7eca7e16afc --- /dev/null +++ b/queue-5.4/netrom-decrease-sock-refcount-when-sock-timers-expir.patch @@ -0,0 +1,118 @@ +From 3adfa1cfee27b5bc809653e6cad040e4d75d82df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 22:40:13 +0800 +Subject: netrom: Decrease sock refcount when sock timers expire + +From: Nguyen Dinh Phi + +[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ] + +Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use +sock timer API. It replaces mod_timer() by sk_reset_timer(), and +del_timer() by sk_stop_timer(). + +Function sk_reset_timer() will increase the refcount of sock if it is +called on an inactive timer, hence, in case the timer expires, we need to +decrease the refcount ourselves in the handler, otherwise, the sock +refcount will be unbalanced and the sock will never be freed. + +Signed-off-by: Nguyen Dinh Phi +Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com +Fixes: 63346650c1a9 ("netrom: switch to sock timer API") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 9115f8a7dd45..a8da88db7893 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -121,11 +121,9 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); +- sock_put(sk); +- return; ++ goto out; + } + break; + +@@ -146,6 +144,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + + nr_start_heartbeat(sk); + bh_unlock_sock(sk); ++out: ++ sock_put(sk); + } + + static void nr_t2timer_expiry(struct timer_list *t) +@@ -159,6 +159,7 @@ static void nr_t2timer_expiry(struct timer_list *t) + nr_enquiry_response(sk); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t4timer_expiry(struct timer_list *t) +@@ -169,6 +170,7 @@ static void nr_t4timer_expiry(struct timer_list *t) + bh_lock_sock(sk); + nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_idletimer_expiry(struct timer_list *t) +@@ -197,6 +199,7 @@ static void nr_idletimer_expiry(struct timer_list *t) + sock_set_flag(sk, SOCK_DEAD); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t1timer_expiry(struct timer_list *t) +@@ -209,8 +212,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_1: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_CONNREQ); +@@ -220,8 +222,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_2: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_DISCREQ); +@@ -231,8 +232,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_3: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_requeue_frames(sk); +@@ -241,5 +241,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + } + + nr_start_t1timer(sk); ++out: + bh_unlock_sock(sk); ++ sock_put(sk); + } +-- +2.30.2 + diff --git a/queue-5.4/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch b/queue-5.4/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch new file mode 100644 index 00000000000..77cb0e06f6a --- /dev/null +++ b/queue-5.4/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch @@ -0,0 +1,44 @@ +From 210e746e7300a5c478108cab2b865f83db9f60f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 14:14:32 -0700 +Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove + +From: Casey Chen + +[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ] + +nvme_dev_remove_admin could free dev->admin_q and the admin_tagset +while they are being accessed by nvme_dev_disable(), which can be called +by nvme_reset_work via nvme_remove_dead_ctrl. + +Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +intended to avoid requests being stuck on a removed controller by killing +the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce +admin queue on shutdown"), together with nvme_dev_disable(dev, true) +right before nvme_dev_remove_admin() could help dispatch requests and +fail them early, so we don't need nvme_dev_remove_admin() any more. + +Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +Signed-off-by: Casey Chen +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 2cb2ead7615b..f9dba1a3e655 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2954,7 +2954,6 @@ static void nvme_remove(struct pci_dev *pdev) + if (!pci_device_is_present(pdev)) { + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD); + nvme_dev_disable(dev, true); +- nvme_dev_remove_admin(dev); + } + + flush_work(&dev->ctrl.reset_work); +-- +2.30.2 + diff --git a/queue-5.4/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch b/queue-5.4/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 00000000000..8e7ec1a8e7c --- /dev/null +++ b/queue-5.4/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch @@ -0,0 +1,81 @@ +From b58028b42d69b29c0a3c47286caf3d06e079e4c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING + +From: Zhihao Cheng + +[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ] + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. + +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index f9dba1a3e655..af516c35afe6 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2590,7 +2590,9 @@ static void nvme_reset_work(struct work_struct *work) + bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL); + int result; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) { ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + result = -ENODEV; + goto out; + } +-- +2.30.2 + diff --git a/queue-5.4/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch b/queue-5.4/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch new file mode 100644 index 00000000000..c89aab15601 --- /dev/null +++ b/queue-5.4/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch @@ -0,0 +1,43 @@ +From 63d9158d9586e63efa9858dabf834fab7c0a36c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:00:11 +0200 +Subject: nvme: set the PRACT bit when using Write Zeroes with T10 PI + +From: Christoph Hellwig + +[ Upstream commit aaeb7bb061be545251606f4d9c82d710ca2a7c8e ] + +When using Write Zeroes on a namespace that has protection +information enabled they behavior without the PRACT bit +counter-intuitive and will generally lead to validation failures +when reading the written blocks. Fix this by always setting the +PRACT bit that generates matching PI data on the fly. + +Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 710ab45eb679..a5b5a2305791 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -694,7 +694,10 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns, + cpu_to_le64(nvme_sect_to_lba(ns, blk_rq_pos(req))); + cmnd->write_zeroes.length = + cpu_to_le16((blk_rq_bytes(req) >> ns->lba_shift) - 1); +- cmnd->write_zeroes.control = 0; ++ if (nvme_ns_has_pi(ns)) ++ cmnd->write_zeroes.control = cpu_to_le16(NVME_RW_PRINFO_PRACT); ++ else ++ cmnd->write_zeroes.control = 0; + return BLK_STS_OK; + } + +-- +2.30.2 + diff --git a/queue-5.4/perf-data-close-all-files-in-close_dir.patch b/queue-5.4/perf-data-close-all-files-in-close_dir.patch new file mode 100644 index 00000000000..04ef7e7f05d --- /dev/null +++ b/queue-5.4/perf-data-close-all-files-in-close_dir.patch @@ -0,0 +1,46 @@ +From d5b58c30245e9b6793856f1a3ffa9460d6e37861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 16:11:20 +0200 +Subject: perf data: Close all files in close_dir() + +From: Riccardo Mancini + +[ Upstream commit d4b3eedce151e63932ce4a00f1d0baa340a8b907 ] + +When using 'perf report' in directory mode, the first file is not closed +on exit, causing a memory leak. + +The problem is caused by the iterating variable never reaching 0. + +Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions") +Signed-off-by: Riccardo Mancini +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Zhen Lei +Link: http://lore.kernel.org/lkml/20210716141122.858082-1-rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c +index 7534455ffc6a..a3f912615690 100644 +--- a/tools/perf/util/data.c ++++ b/tools/perf/util/data.c +@@ -20,7 +20,7 @@ + + static void close_dir(struct perf_data_file *files, int nr) + { +- while (--nr >= 1) { ++ while (--nr >= 0) { + close(files[nr].fd); + zfree(&files[nr].path); + } +-- +2.30.2 + diff --git a/queue-5.4/perf-dso-fix-memory-leak-in-dso__new_map.patch b/queue-5.4/perf-dso-fix-memory-leak-in-dso__new_map.patch new file mode 100644 index 00000000000..81e87cc2591 --- /dev/null +++ b/queue-5.4/perf-dso-fix-memory-leak-in-dso__new_map.patch @@ -0,0 +1,54 @@ +From 91bb9f927c3152c448d7bddf6a79aac4bf99f54d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:11 +0200 +Subject: perf dso: Fix memory leak in dso__new_map() + +From: Riccardo Mancini + +[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ] + +ASan reports a memory leak when running: + + # perf test "65: maps__merge_in". + +The causes of the leaks are two, this patch addresses only the first +one, which is related to dso__new_map(). + +The bug is that dso__new_map() creates a new dso but never decreases the +refcount it gets from creating it. + +This patch adds the missing dso__put(). + +Signed-off-by: Riccardo Mancini +Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dso.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c +index ab2e130dc07a..7f07a5dc555f 100644 +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -1086,8 +1086,10 @@ struct map *dso__new_map(const char *name) + struct map *map = NULL; + struct dso *dso = dso__new(name); + +- if (dso) ++ if (dso) { + map = map__new2(0, dso); ++ dso__put(dso); ++ } + + return map; + } +-- +2.30.2 + diff --git a/queue-5.4/perf-env-fix-sibling_dies-memory-leak.patch b/queue-5.4/perf-env-fix-sibling_dies-memory-leak.patch new file mode 100644 index 00000000000..4703474fc83 --- /dev/null +++ b/queue-5.4/perf-env-fix-sibling_dies-memory-leak.patch @@ -0,0 +1,46 @@ +From a7734aaa168d23234cca3f5c2db3eb9c4ba18ef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:07 +0200 +Subject: perf env: Fix sibling_dies memory leak + +From: Riccardo Mancini + +[ Upstream commit 42db3d9ded555f7148b5695109a7dc8d66f0dde4 ] + +ASan reports a memory leak in perf_env while running: + + # perf test "41: Session topology" + +Caused by sibling_dies not being freed. + +This patch adds the required free. + +Fixes: acae8b36cded0ee6 ("perf header: Add die information in CPU topology") +Signed-off-by: Riccardo Mancini +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/2140d0b57656e4eb9021ca9772250c24c032924b.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index 018ecf7b6da9..0fafcf264d23 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -175,6 +175,7 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->cpuid); + zfree(&env->cmdline); + zfree(&env->cmdline_argv); ++ zfree(&env->sibling_dies); + zfree(&env->sibling_cores); + zfree(&env->sibling_threads); + zfree(&env->pmu_mappings); +-- +2.30.2 + diff --git a/queue-5.4/perf-lzma-close-lzma-stream-on-exit.patch b/queue-5.4/perf-lzma-close-lzma-stream-on-exit.patch new file mode 100644 index 00000000000..9c2007101d0 --- /dev/null +++ b/queue-5.4/perf-lzma-close-lzma-stream-on-exit.patch @@ -0,0 +1,72 @@ +From e376db665b9a752b2378c814b32869aad52347ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:19 +0200 +Subject: perf lzma: Close lzma stream on exit + +From: Riccardo Mancini + +[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ] + +ASan reports memory leaks when running: + + # perf test "88: Check open filename arg using perf trace + vfs_getname" + +One of these is caused by the lzma stream never being closed inside +lzma_decompress_to_file(). + +This patch adds the missing lzma_end(). + +Signed-off-by: Riccardo Mancini +Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/lzma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c +index 39062df02629..51424cdc3b68 100644 +--- a/tools/perf/util/lzma.c ++++ b/tools/perf/util/lzma.c +@@ -69,7 +69,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (ferror(infile)) { + pr_err("lzma: read error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + if (feof(infile)) +@@ -83,7 +83,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (writen(output_fd, buf_out, write_size) != write_size) { + pr_err("lzma: write error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + strm.next_out = buf_out; +@@ -95,11 +95,13 @@ int lzma_decompress_to_file(const char *input, int output_fd) + break; + + pr_err("lzma: failed %s\n", lzma_strerror(ret)); +- goto err_fclose; ++ goto err_lzma_end; + } + } + + err = 0; ++err_lzma_end: ++ lzma_end(&strm); + err_fclose: + fclose(infile); + return err; +-- +2.30.2 + diff --git a/queue-5.4/perf-map-fix-dso-nsinfo-refcounting.patch b/queue-5.4/perf-map-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..8c53577c548 --- /dev/null +++ b/queue-5.4/perf-map-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,51 @@ +From ef2888a481a1abe9e49d86d6782fb162fba2b6db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf map: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ] + +ASan reports a memory leak of nsinfo during the execution of + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 571e99c908a0..1ae5c51a7035 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -214,6 +214,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len, + if (!(prot & PROT_EXEC)) + dso__set_loaded(dso); + } ++ ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; + dso__put(dso); + } +-- +2.30.2 + diff --git a/queue-5.4/perf-probe-file-delete-namelist-in-del_events-on-the.patch b/queue-5.4/perf-probe-file-delete-namelist-in-del_events-on-the.patch new file mode 100644 index 00000000000..e3e938b1f7b --- /dev/null +++ b/queue-5.4/perf-probe-file-delete-namelist-in-del_events-on-the.patch @@ -0,0 +1,54 @@ +From 369dfc4ce643b0f2a0c27b407118fa3914b98d1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:25 +0200 +Subject: perf probe-file: Delete namelist in del_events() on the error path + +From: Riccardo Mancini + +[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +This second leak is caused by a strlist not being dellocated on error +inside probe_file__del_events. + +This patch adds a goto label before the deallocation and makes the error +path jump to it. + +Signed-off-by: Riccardo Mancini +Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c +index f778f8e7e65a..5558e2adebe4 100644 +--- a/tools/perf/util/probe-file.c ++++ b/tools/perf/util/probe-file.c +@@ -337,11 +337,11 @@ int probe_file__del_events(int fd, struct strfilter *filter) + + ret = probe_file__get_events(fd, filter, namelist); + if (ret < 0) +- return ret; ++ goto out; + + ret = probe_file__del_strlist(fd, namelist); ++out: + strlist__delete(namelist); +- + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.4/perf-probe-fix-dso-nsinfo-refcounting.patch b/queue-5.4/perf-probe-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..fc9cfbea601 --- /dev/null +++ b/queue-5.4/perf-probe-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,54 @@ +From aa9e5afe81a54598df3a4d2bc1112b5c657a84e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf probe: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ] + +ASan reports a memory leak of nsinfo during the execution of: + + # perf test "31: Lookup mmap thread". + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever +a refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index a5cb1a3a1064..6357ac508ad1 100644 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -175,8 +175,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user) + struct map *map; + + map = dso__new_map(target); +- if (map && map->dso) ++ if (map && map->dso) { ++ nsinfo__put(map->dso->nsinfo); + map->dso->nsinfo = nsinfo__get(nsi); ++ } + return map; + } else { + return kernel_get_module_map(target); +-- +2.30.2 + diff --git a/queue-5.4/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch b/queue-5.4/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch new file mode 100644 index 00000000000..705c0f7200f --- /dev/null +++ b/queue-5.4/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch @@ -0,0 +1,64 @@ +From 58729646d5cc163459b4fc2820dd802585905c64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:18 +0200 +Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit + +From: Riccardo Mancini + +[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ] + +ASan reports several memory leaks while running: + + # perf test "82: Use vfs_getname probe to get syscall args filenames" + +Two of these are caused by some refcounts not being decreased on +perf-script exit, namely script.threads and script.cpus. + +This patch adds the missing __put calls in a new perf_script__exit +function, which is called at the end of cmd_script. + +This patch concludes the fixes of all remaining memory leaks in perf +test "82: Use vfs_getname probe to get syscall args filenames". + +Signed-off-by: Riccardo Mancini +Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index da016f398aa8..f3ff825d9dd3 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2474,6 +2474,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script) + } + } + ++static void perf_script__exit(struct perf_script *script) ++{ ++ perf_thread_map__put(script->threads); ++ perf_cpu_map__put(script->cpus); ++} ++ + static int __cmd_script(struct perf_script *script) + { + int ret; +@@ -3893,6 +3899,7 @@ out_delete: + + perf_evlist__free_stats(session->evlist); + perf_session__delete(session); ++ perf_script__exit(&script); + + if (script_started) + cleanup_scripting(); +-- +2.30.2 + diff --git a/queue-5.4/perf-test-event_update-fix-memory-leak-of-evlist.patch b/queue-5.4/perf-test-event_update-fix-memory-leak-of-evlist.patch new file mode 100644 index 00000000000..1fdc130d579 --- /dev/null +++ b/queue-5.4/perf-test-event_update-fix-memory-leak-of-evlist.patch @@ -0,0 +1,47 @@ +From ea77152c853d3b625762d0994f088fe423f17dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:09 +0200 +Subject: perf test event_update: Fix memory leak of evlist + +From: Riccardo Mancini + +[ Upstream commit fc56f54f6fcd5337634f4545af6459613129b432 ] + +ASan reports a memory leak when running: + + # perf test "49: Synthesize attr update" + +Caused by evlist not being deleted. + +This patch adds the missing evlist__delete and removes the +perf_cpu_map__put since it's already being deleted by evlist__delete. + +Signed-off-by: Riccardo Mancini +Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/f7994ad63d248f7645f901132d208fadf9f2b7e4.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/event_update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c +index c727379cf20e..195b29797acc 100644 +--- a/tools/perf/tests/event_update.c ++++ b/tools/perf/tests/event_update.c +@@ -119,6 +119,6 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + TEST_ASSERT_VAL("failed to synthesize attr update cpus", + !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus)); + +- perf_cpu_map__put(evsel->core.own_cpus); ++ evlist__delete(evlist); + return 0; + } +-- +2.30.2 + diff --git a/queue-5.4/perf-test-session_topology-delete-session-evlist.patch b/queue-5.4/perf-test-session_topology-delete-session-evlist.patch new file mode 100644 index 00000000000..607ad70d100 --- /dev/null +++ b/queue-5.4/perf-test-session_topology-delete-session-evlist.patch @@ -0,0 +1,48 @@ +From bbb57c4b2a0aeb73fda2cab8d59608e950124fb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:08 +0200 +Subject: perf test session_topology: Delete session->evlist + +From: Riccardo Mancini + +[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ] + +ASan reports a memory leak related to session->evlist while running: + + # perf test "41: Session topology". + +When perf_data is in write mode, session->evlist is owned by the caller, +which should also take care of deleting it. + +This patch adds the missing evlist__delete(). + +Signed-off-by: Riccardo Mancini +Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c +index 22daf2bdf5fa..f4a2c0df0954 100644 +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -52,6 +52,7 @@ static int session_write_header(char *path) + TEST_ASSERT_VAL("failed to write header", + !perf_session__write_header(session, session->evlist, data.file.fd, true)); + ++ evlist__delete(session->evlist); + perf_session__delete(session); + + return 0; +-- +2.30.2 + diff --git a/queue-5.4/proc-avoid-mixing-integer-types-in-mem_rw.patch b/queue-5.4/proc-avoid-mixing-integer-types-in-mem_rw.patch new file mode 100644 index 00000000000..c6ce2685716 --- /dev/null +++ b/queue-5.4/proc-avoid-mixing-integer-types-in-mem_rw.patch @@ -0,0 +1,52 @@ +From 541a2e5e916d08d6c2e6adb4dd71531b30f33133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:54:38 -0700 +Subject: proc: Avoid mixing integer types in mem_rw() + +From: Marcelo Henrique Cerri + +[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] + +Use size_t when capping the count argument received by mem_rw(). Since +count is size_t, using min_t(int, ...) can lead to a negative value +that will later be passed to access_remote_vm(), which can cause +unexpected behavior. + +Since we are capping the value to at maximum PAGE_SIZE, the conversion +from size_t to int when passing it to access_remote_vm() as "len" +shouldn't be a problem. + +Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com +Reviewed-by: David Disseldorp +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Marcelo Henrique Cerri +Cc: Alexey Dobriyan +Cc: Souza Cascardo +Cc: Christian Brauner +Cc: Michel Lespinasse +Cc: Helge Deller +Cc: Oleg Nesterov +Cc: Lorenzo Stoakes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 75e786684a4e..90d2f62a9672 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -836,7 +836,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); + + while (count > 0) { +- int this_len = min_t(int, count, PAGE_SIZE); ++ size_t this_len = min_t(size_t, count, PAGE_SIZE); + + if (write && copy_from_user(page, buf, this_len)) { + copied = -EFAULT; +-- +2.30.2 + diff --git a/queue-5.4/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch b/queue-5.4/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch new file mode 100644 index 00000000000..f176f8dfc69 --- /dev/null +++ b/queue-5.4/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch @@ -0,0 +1,51 @@ +From 6c45739ef0330f821306705dbcfc286a6facb592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 10:27:51 +0200 +Subject: pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly + skipped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 65e2e6c1c20104ed19060a38f4edbf14e9f9a9a5 ] + +As the last call to sprd_pwm_apply() might have exited early if +state->enabled was false, the values for period and duty_cycle stored in +pwm->state might not have been written to hardware and it must be +ensured that they are configured before enabling the PWM. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index be2394227423..892d853d48a1 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -180,13 +180,10 @@ static int sprd_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + } + } + +- if (state->period != cstate->period || +- state->duty_cycle != cstate->duty_cycle) { +- ret = sprd_pwm_config(spc, pwm, state->duty_cycle, +- state->period); +- if (ret) +- return ret; +- } ++ ret = sprd_pwm_config(spc, pwm, state->duty_cycle, ++ state->period); ++ if (ret) ++ return ret; + + sprd_pwm_write(spc, pwm->hwpwm, SPRD_PWM_ENABLE, 1); + } else if (cstate->enabled) { +-- +2.30.2 + diff --git a/queue-5.4/r8169-avoid-duplicate-sysfs-entry-creation-error.patch b/queue-5.4/r8169-avoid-duplicate-sysfs-entry-creation-error.patch new file mode 100644 index 00000000000..c3d1c9a9532 --- /dev/null +++ b/queue-5.4/r8169-avoid-duplicate-sysfs-entry-creation-error.patch @@ -0,0 +1,55 @@ +From 05a9f61ad78d004c592b4f09ec7d06d358ce9b04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 17:17:40 +0100 +Subject: r8169: Avoid duplicate sysfs entry creation error + +From: Sayanta Pattanayak + +[ Upstream commit e9a72f874d5b95cef0765bafc56005a50f72c5fe ] + +When registering the MDIO bus for a r8169 device, we use the PCI +bus/device specifier as a (seemingly) unique device identifier. +However the very same BDF number can be used on another PCI segment, +which makes the driver fail probing: + +[ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003) +[ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700' +.... +[ 27.684858] libphy: mii_bus r8169-700 failed to register +[ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22 + +Add the segment number to the device name to make it more unique. + +This fixes operation on ARM N1SDP boards, with two boards connected +together to form an SMP system, and all on-board devices showing up +twice, just on different PCI segments. A similar issue would occur on +large systems with many PCI slots and multiple RTL8169 NICs. + +Fixes: f1e911d5d0dfd ("r8169: add basic phylib support") +Signed-off-by: Sayanta Pattanayak +[Andre: expand commit message, use pci_domain_nr()] +Signed-off-by: Andre Przywara +Acked-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 5969f64169e5..fb51548c57e9 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6850,7 +6850,8 @@ static int r8169_mdio_register(struct rtl8169_private *tp) + new_bus->priv = tp; + new_bus->parent = &pdev->dev; + new_bus->irq[0] = PHY_IGNORE_INTERRUPT; +- snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x", pci_dev_id(pdev)); ++ snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x-%x", ++ pci_domain_nr(pdev->bus), pci_dev_id(pdev)); + + new_bus->read = r8169_mdio_read_reg; + new_bus->write = r8169_mdio_write_reg; +-- +2.30.2 + diff --git a/queue-5.4/regulator-hi6421-fix-getting-wrong-drvdata.patch b/queue-5.4/regulator-hi6421-fix-getting-wrong-drvdata.patch new file mode 100644 index 00000000000..efb5da2153c --- /dev/null +++ b/queue-5.4/regulator-hi6421-fix-getting-wrong-drvdata.patch @@ -0,0 +1,119 @@ +From 35d7160876a53d642238c5558ce8fd88c55e1e4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 17:59:59 +0800 +Subject: regulator: hi6421: Fix getting wrong drvdata + +From: Axel Lin + +[ Upstream commit 1c73daee4bf30ccdff5e86dc400daa6f74735da5 ] + +Since config.dev = pdev->dev.parent in current code, so +dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable +returns the drvdata of the mfd device rather than the regulator. Fix it. + +This was broken while converting to use simplified DT parsing because the +config.dev changed from pdev->dev to pdev->dev.parent for parsing the +parent's of_node. + +Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing") +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index f14cbabfa985..efc91b03a9bb 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -366,9 +366,8 @@ static struct hi6421_regulator_info + + static int hi6421_regulator_enable(struct regulator_dev *rdev) + { +- struct hi6421_regulator_pdata *pdata; ++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev); + +- pdata = dev_get_drvdata(rdev->dev.parent); + /* hi6421 spec requires regulator enablement must be serialized: + * - Because when BUCK, LDO switching from off to on, it will have + * a huge instantaneous current; so you can not turn on two or +@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_IDLE; +@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_STANDBY; +@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -459,7 +462,9 @@ static unsigned int + hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev, + int input_uV, int output_uV, int load_uA) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; ++ ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + + if (load_uA > info->eco_microamp) + return REGULATOR_MODE_NORMAL; +@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev) + if (!pdata) + return -ENOMEM; + mutex_init(&pdata->lock); +- platform_set_drvdata(pdev, pdata); + + for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) { + /* assign per-regulator data */ + info = &hi6421_regulator_info[i]; + + config.dev = pdev->dev.parent; +- config.driver_data = info; ++ config.driver_data = pdata; + config.regmap = pmic->regmap; + + rdev = devm_regulator_register(&pdev->dev, &info->desc, +-- +2.30.2 + diff --git a/queue-5.4/regulator-hi6421-use-correct-variable-type-for-regma.patch b/queue-5.4/regulator-hi6421-use-correct-variable-type-for-regma.patch new file mode 100644 index 00000000000..0c9fb0df28c --- /dev/null +++ b/queue-5.4/regulator-hi6421-use-correct-variable-type-for-regma.patch @@ -0,0 +1,64 @@ +From bd9628fc330a99d6175a5a2a6aa039020c0da08b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 20:41:33 +0800 +Subject: regulator: hi6421: Use correct variable type for regmap api val + argument + +From: Axel Lin + +[ Upstream commit ae60e6a9d24e89a74e2512204ad04de94921bdd2 ] + +Use unsigned int instead of u32 for regmap_read/regmap_update_bits val +argument. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index 5ac3d7c29725..f14cbabfa985 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +@@ -435,7 +435,7 @@ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +-- +2.30.2 + diff --git a/queue-5.4/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch b/queue-5.4/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch new file mode 100644 index 00000000000..0aeb55d3bfc --- /dev/null +++ b/queue-5.4/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch @@ -0,0 +1,56 @@ +From f7ea913edbe08f813bd2f274ea9e82f3ee566c8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:25:16 +0200 +Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE + modem" + +From: Vincent Palatin + +[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ] + +This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd. + +While the patch was working as stated,ie preventing the L850-GL LTE modem +from crashing on some U3 wake-ups due to a race condition between the +host wake-up and the modem-side wake-up, when using the MBIM interface, +this would force disabling the USB runtime PM on the device. + +The increased power consumption is significant for LTE laptops, +and given that with decently recent modem firmwares, when the modem hits +the bug, it automatically recovers (ie it drops from the bus, but +automatically re-enumerates after less than half a second, rather than being +stuck until a power cycle as it was doing with ancient firmware), for +most people, the trade-off now seems in favor of re-enabling it by +default. + +For people with access to the platform code, the bug can also be worked-around +successfully by changing the USB3 LFPM polling off-time for the XHCI +controller in the BIOS code. + +Signed-off-by: Vincent Palatin +Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org +Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/quirks.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index f6a6c54cba35..d97544fd339b 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = { + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + +- /* Fibocom L850-GL LTE Modem */ +- { USB_DEVICE(0x2cb7, 0x0007), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +2.30.2 + diff --git a/queue-5.4/s390-bpf-perform-r1-range-checking-before-accessing-.patch b/queue-5.4/s390-bpf-perform-r1-range-checking-before-accessing-.patch new file mode 100644 index 00000000000..536cbc9a658 --- /dev/null +++ b/queue-5.4/s390-bpf-perform-r1-range-checking-before-accessing-.patch @@ -0,0 +1,44 @@ +From a55a071f9adc0c94fd13db04ef6484d167b95940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:57:12 +0100 +Subject: s390/bpf: Perform r1 range checking before accessing + jit->seen_reg[r1] + +From: Colin Ian King + +[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ] + +Currently array jit->seen_reg[r1] is being accessed before the range +checking of index r1. The range changing on r1 should be performed +first since it will avoid any potential out-of-range accesses on the +array seen_reg[] and also it is more optimal to perform checks on r1 +before fetching data from the array. Fix this by swapping the order +of the checks before the array access. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Borkmann +Tested-by: Ilya Leoshkevich +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index c8c16b5eed6b..e160f4650f8e 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -114,7 +114,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + { + u32 r1 = reg2hex[b1]; + +- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15) ++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1]) + jit->seen_reg[r1] = 1; + } + +-- +2.30.2 + diff --git a/queue-5.4/scsi-iscsi-fix-iface-sysfs-attr-detection.patch b/queue-5.4/scsi-iscsi-fix-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..7f288777839 --- /dev/null +++ b/queue-5.4/scsi-iscsi-fix-iface-sysfs-attr-detection.patch @@ -0,0 +1,146 @@ +From 6e074bb29b80454961a542559fb00d1fdcc825a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 19:25:59 -0500 +Subject: scsi: iscsi: Fix iface sysfs attr detection + +From: Mike Christie + +[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ] + +A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when +iscsi_iface_attr_is_visible tries to figure out the type by just checking +the value, we can collide and return the wrong type. When we call into the +driver we might not match and return that we don't want attr visible in +sysfs. The patch fixes this by setting the type when we figure out what the +param is. + +Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com +Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings") +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------ + 1 file changed, 34 insertions(+), 56 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 2f1553d0a10e..77bba91b5714 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -432,39 +432,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct device *dev = container_of(kobj, struct device, kobj); + struct iscsi_iface *iface = iscsi_dev_to_iface(dev); + struct iscsi_transport *t = iface->transport; +- int param; +- int param_type; ++ int param = -1; + + if (attr == &dev_attr_iface_enabled.attr) + param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_vlan_id.attr) +- param = ISCSI_NET_PARAM_VLAN_ID; +- else if (attr == &dev_attr_iface_vlan_priority.attr) +- param = ISCSI_NET_PARAM_VLAN_PRIORITY; +- else if (attr == &dev_attr_iface_vlan_enabled.attr) +- param = ISCSI_NET_PARAM_VLAN_ENABLED; +- else if (attr == &dev_attr_iface_mtu.attr) +- param = ISCSI_NET_PARAM_MTU; +- else if (attr == &dev_attr_iface_port.attr) +- param = ISCSI_NET_PARAM_PORT; +- else if (attr == &dev_attr_iface_ipaddress_state.attr) +- param = ISCSI_NET_PARAM_IPADDR_STATE; +- else if (attr == &dev_attr_iface_delayed_ack_en.attr) +- param = ISCSI_NET_PARAM_DELAYED_ACK_EN; +- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) +- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) +- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf.attr) +- param = ISCSI_NET_PARAM_TCP_WSF; +- else if (attr == &dev_attr_iface_tcp_timer_scale.attr) +- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; +- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) +- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; +- else if (attr == &dev_attr_iface_cache_id.attr) +- param = ISCSI_NET_PARAM_CACHE_ID; +- else if (attr == &dev_attr_iface_redirect_en.attr) +- param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) +@@ -501,6 +472,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN; + else if (attr == &dev_attr_iface_initiator_name.attr) + param = ISCSI_IFACE_PARAM_INITIATOR_NAME; ++ ++ if (param != -1) ++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param); ++ ++ if (attr == &dev_attr_iface_vlan_id.attr) ++ param = ISCSI_NET_PARAM_VLAN_ID; ++ else if (attr == &dev_attr_iface_vlan_priority.attr) ++ param = ISCSI_NET_PARAM_VLAN_PRIORITY; ++ else if (attr == &dev_attr_iface_vlan_enabled.attr) ++ param = ISCSI_NET_PARAM_VLAN_ENABLED; ++ else if (attr == &dev_attr_iface_mtu.attr) ++ param = ISCSI_NET_PARAM_MTU; ++ else if (attr == &dev_attr_iface_port.attr) ++ param = ISCSI_NET_PARAM_PORT; ++ else if (attr == &dev_attr_iface_ipaddress_state.attr) ++ param = ISCSI_NET_PARAM_IPADDR_STATE; ++ else if (attr == &dev_attr_iface_delayed_ack_en.attr) ++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN; ++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF; ++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; ++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; ++ else if (attr == &dev_attr_iface_cache_id.attr) ++ param = ISCSI_NET_PARAM_CACHE_ID; ++ else if (attr == &dev_attr_iface_redirect_en.attr) ++ param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) { + if (attr == &dev_attr_ipv4_iface_ipaddress.attr) + param = ISCSI_NET_PARAM_IPV4_ADDR; +@@ -591,32 +594,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + return 0; + } + +- switch (param) { +- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO: +- case ISCSI_IFACE_PARAM_HDRDGST_EN: +- case ISCSI_IFACE_PARAM_DATADGST_EN: +- case ISCSI_IFACE_PARAM_IMM_DATA_EN: +- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN: +- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN: +- case ISCSI_IFACE_PARAM_PDU_INORDER_EN: +- case ISCSI_IFACE_PARAM_ERL: +- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH: +- case ISCSI_IFACE_PARAM_FIRST_BURST: +- case ISCSI_IFACE_PARAM_MAX_R2T: +- case ISCSI_IFACE_PARAM_MAX_BURST: +- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN: +- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN: +- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL: +- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN: +- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN: +- case ISCSI_IFACE_PARAM_INITIATOR_NAME: +- param_type = ISCSI_IFACE_PARAM; +- break; +- default: +- param_type = ISCSI_NET_PARAM; +- } +- +- return t->attr_is_visible(param_type, param); ++ return t->attr_is_visible(ISCSI_NET_PARAM, param); + } + + static struct attribute *iscsi_iface_attrs[] = { +-- +2.30.2 + diff --git a/queue-5.4/scsi-target-fix-protect-handling-in-write-same-32.patch b/queue-5.4/scsi-target-fix-protect-handling-in-write-same-32.patch new file mode 100644 index 00000000000..d341349496c --- /dev/null +++ b/queue-5.4/scsi-target-fix-protect-handling-in-write-same-32.patch @@ -0,0 +1,183 @@ +From a957bae47570bac48bda7aca89d9e388e4549fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:16:55 +0300 +Subject: scsi: target: Fix protect handling in WRITE SAME(32) + +From: Dmitry Bogdanov + +[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ] + +WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st +byte instead of 10th byte. + +Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com +Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_sbc.c | 35 ++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index f1e81886122d..e63c163dba78 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -25,7 +25,7 @@ + #include "target_core_alua.h" + + static sense_reason_t +-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool); ++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool); + static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd); + + static sense_reason_t +@@ -279,14 +279,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb) + } + + static sense_reason_t +-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops) ++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops) + { + struct se_device *dev = cmd->se_dev; + sector_t end_lba = dev->transport->get_blocks(dev) + 1; + unsigned int sectors = sbc_get_write_same_sectors(cmd); + sense_reason_t ret; + +- if ((flags[0] & 0x04) || (flags[0] & 0x02)) { ++ if ((flags & 0x04) || (flags & 0x02)) { + pr_err("WRITE_SAME PBDATA and LBDATA" + " bits not supported for Block Discard" + " Emulation\n"); +@@ -308,7 +308,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + } + + /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */ +- if (flags[0] & 0x10) { ++ if (flags & 0x10) { + pr_warn("WRITE SAME with ANCHOR not supported\n"); + return TCM_INVALID_CDB_FIELD; + } +@@ -316,7 +316,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting + * translated into block discard requests within backend code. + */ +- if (flags[0] & 0x08) { ++ if (flags & 0x08) { + if (!ops->execute_unmap) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +@@ -331,7 +331,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + if (!ops->execute_write_same) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true); ++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true); + if (ret) + return ret; + +@@ -686,10 +686,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_ + } + + static sense_reason_t +-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, ++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect, + u32 sectors, bool is_write) + { +- u8 protect = cdb[1] >> 5; + int sp_ops = cmd->se_sess->sup_prot_ops; + int pi_prot_type = dev->dev_attrib.pi_prot_type; + bool fabric_prot = false; +@@ -737,7 +736,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, + /* Fallthrough */ + default: + pr_err("Unable to determine pi_prot_type for CDB: 0x%02x " +- "PROTECT: 0x%02x\n", cdb[0], protect); ++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect); + return TCM_INVALID_CDB_FIELD; + } + +@@ -812,7 +811,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -826,7 +825,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -840,7 +839,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -861,7 +860,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -875,7 +874,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -890,7 +889,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -949,7 +948,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[12]); + +- ret = sbc_setup_write_same(cmd, &cdb[10], ops); ++ ret = sbc_setup_write_same(cmd, cdb[10], ops); + if (ret) + return ret; + break; +@@ -1048,7 +1047,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[2]); + +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +@@ -1066,7 +1065,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + * Follow sbcr26 with WRITE_SAME (10) and check for the existence + * of byte 1 bit 3 UNMAP instead of original reserved field + */ +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +-- +2.30.2 + diff --git a/queue-5.4/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch b/queue-5.4/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch new file mode 100644 index 00000000000..a8275166616 --- /dev/null +++ b/queue-5.4/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch @@ -0,0 +1,55 @@ +From 7fc6fff5e22e9284fc811077db058ff3ef1c4829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 16:07:01 -0400 +Subject: sctp: update active_key for asoc when old key is being replaced + +From: Xin Long + +[ Upstream commit 58acd10092268831e49de279446c314727101292 ] + +syzbot reported a call trace: + + BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + Call Trace: + sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + sctp_set_owner_w net/sctp/socket.c:131 [inline] + sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865 + sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:723 + +This is an use-after-free issue caused by not updating asoc->shkey after +it was replaced in the key list asoc->endpoint_shared_keys, and the old +key was freed. + +This patch is to fix by also updating active_key for asoc when old key is +being replaced with a new one. Note that this issue doesn't exist in +sctp_auth_del_key_id(), as it's not allowed to delete the active_key +from the asoc. + +Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key") +Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/auth.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 1d898ee4018c..7eced1e523a5 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -866,6 +866,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + if (replace) { + list_del_init(&shkey->key_list); + sctp_auth_shkey_release(shkey); ++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber) ++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); + } + list_add(&cur_key->key_list, sh_keys); + +-- +2.30.2 + diff --git a/queue-5.4/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch b/queue-5.4/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch new file mode 100644 index 00000000000..411d9dfc572 --- /dev/null +++ b/queue-5.4/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch @@ -0,0 +1,45 @@ +From d5acf060433c0ab7220792741551050d000b7a40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:30 +0800 +Subject: selftests: icmp_redirect: IPv6 PMTU info should be cleared after + redirect + +From: Hangbin Liu + +[ Upstream commit 0e02bf5de46ae30074a2e1a8194a422a84482a1a ] + +After redirecting, it's already a new path. So the old PMTU info should +be cleared. The IPv6 test "mtu exception plus redirect" should only +has redirect info without old PMTU. + +The IPv4 test can not be changed because of legacy. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bfcabee50155..104a7a5f13b1 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -309,9 +309,10 @@ check_exception() + fi + log_test $? 0 "IPv4: ${desc}" + +- if [ "$with_redirect" = "yes" ]; then ++ # No PMTU info for test "redirect" and "mtu exception plus redirect" ++ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -v "mtu" | grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + diff --git a/queue-5.4/selftests-icmp_redirect-remove-from-checking-for-ipv.patch b/queue-5.4/selftests-icmp_redirect-remove-from-checking-for-ipv.patch new file mode 100644 index 00000000000..1864bbf32c3 --- /dev/null +++ b/queue-5.4/selftests-icmp_redirect-remove-from-checking-for-ipv.patch @@ -0,0 +1,38 @@ +From c5b80526c540efc309da9b22d657e4de2da8690d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:29 +0800 +Subject: selftests: icmp_redirect: remove from checking for IPv6 route get + +From: Hangbin Liu + +[ Upstream commit 24b671aad4eae423e1abf5b7f08d9a5235458b8d ] + +If the kernel doesn't enable option CONFIG_IPV6_SUBTREES, the RTA_SRC +info will not be exported to userspace in rt6_fill_node(). And ip cmd will +not print "from ::" to the route output. So remove this check. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bf361f30d6ef..bfcabee50155 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -311,7 +311,7 @@ check_exception() + + if [ "$with_redirect" = "yes" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} from :: via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..14a9234e2e8 --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,69 @@ +igc-fix-use-after-free-error-during-reset.patch +igb-fix-use-after-free-error-during-reset.patch +igc-change-default-return-of-igc_read_phy_reg.patch +ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch +igc-prefer-to-use-the-pci_release_mem_regions-method.patch +igc-fix-an-error-handling-path-in-igc_probe.patch +igb-fix-an-error-handling-path-in-igb_probe.patch +fm10k-fix-an-error-handling-path-in-fm10k_probe.patch +e1000e-fix-an-error-handling-path-in-e1000_probe.patch +iavf-fix-an-error-handling-path-in-iavf_probe.patch +igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch +igb-fix-position-of-assignment-to-ring.patch +gve-fix-an-error-handling-path-in-gve_probe.patch +ipv6-fix-disable_policy-for-fwd-packets.patch +selftests-icmp_redirect-remove-from-checking-for-ipv.patch +selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch +pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch +cxgb4-fix-irq-free-race-during-driver-unload.patch +nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch +perf-map-fix-dso-nsinfo-refcounting.patch +perf-probe-fix-dso-nsinfo-refcounting.patch +perf-env-fix-sibling_dies-memory-leak.patch +perf-test-session_topology-delete-session-evlist.patch +perf-test-event_update-fix-memory-leak-of-evlist.patch +perf-dso-fix-memory-leak-in-dso__new_map.patch +perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch +perf-lzma-close-lzma-stream-on-exit.patch +perf-probe-file-delete-namelist-in-del_events-on-the.patch +perf-data-close-all-files-in-close_dir.patch +spi-imx-add-a-check-for-speed_hz-before-calculating-.patch +spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch +spi-stm32-use-dma_request_chan-instead-dma_request_s.patch +spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch +regulator-hi6421-use-correct-variable-type-for-regma.patch +regulator-hi6421-fix-getting-wrong-drvdata.patch +spi-mediatek-fix-fifo-rx-mode.patch +asoc-rt5631-fix-regcache-sync-errors-on-resume.patch +liquidio-fix-unintentional-sign-extension-issue-on-l.patch +s390-bpf-perform-r1-range-checking-before-accessing-.patch +bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch +bpftool-check-malloc-return-value-in-mount_bpffs_for.patch +net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch +efi-tpm-differentiate-missing-and-invalid-final-even.patch +net-decnet-fix-sleeping-inside-in-af_decnet.patch +kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch +kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch +net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch +netrom-decrease-sock-refcount-when-sock-timers-expir.patch +scsi-iscsi-fix-iface-sysfs-attr-detection.patch +scsi-target-fix-protect-handling-in-write-same-32.patch +spi-cadence-correct-initialisation-of-runtime-pm-aga.patch +bnxt_en-improve-bnxt_ulp_stop-bnxt_ulp_start-call-se.patch +bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch +bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch +bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch +net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch +net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch +net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch +net-sched-act_skbmod-skip-non-ethernet-packets.patch +ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch +nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch +revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch +afs-fix-tracepoint-string-placement-with-built-in-af.patch +r8169-avoid-duplicate-sysfs-entry-creation-error.patch +nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch +sctp-update-active_key-for-asoc-when-old-key-is-bein.patch +net-sched-cls_api-fix-the-the-wrong-parameter.patch +drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch +proc-avoid-mixing-integer-types-in-mem_rw.patch diff --git a/queue-5.4/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch b/queue-5.4/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch new file mode 100644 index 00000000000..aee847e67e9 --- /dev/null +++ b/queue-5.4/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch @@ -0,0 +1,74 @@ +From d6ee32f52e95898374b1a34cbeb75c5956833013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 20:21:33 +0200 +Subject: spi: cadence: Correct initialisation of runtime PM again + +From: Marek Vasut + +[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ] + +The original implementation of RPM handling in probe() was mostly +correct, except it failed to call pm_runtime_get_*() to activate the +hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct +initialisation of runtime PM"), breaks the implementation further, +to the point where the system using this hard IP on ZynqMP hangs on +boot, because it accesses hardware which is gated off. + +Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime +PM") and instead add missing pm_runtime_get_noresume() and move the +RPM disabling all the way to the end of probe(). That makes ZynqMP +not hang on boot yet again. + +Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM") +Signed-off-by: Marek Vasut +Cc: Charles Keepax +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c +index 1d0c335b0bf8..5ac60d06c674 100644 +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -517,6 +517,12 @@ static int cdns_spi_probe(struct platform_device *pdev) + goto clk_dis_apb; + } + ++ pm_runtime_use_autosuspend(&pdev->dev); ++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs); + if (ret < 0) + master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS; +@@ -531,11 +537,6 @@ static int cdns_spi_probe(struct platform_device *pdev) + /* SPI controller initializations */ + cdns_spi_init_hw(xspi); + +- pm_runtime_set_active(&pdev->dev); +- pm_runtime_enable(&pdev->dev); +- pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); +- + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { + ret = -ENXIO; +@@ -566,6 +567,9 @@ static int cdns_spi_probe(struct platform_device *pdev) + + master->bits_per_word_mask = SPI_BPW_MASK(8); + ++ pm_runtime_mark_last_busy(&pdev->dev); ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + ret = spi_register_master(master); + if (ret) { + dev_err(&pdev->dev, "spi_register_master failed\n"); +-- +2.30.2 + diff --git a/queue-5.4/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch b/queue-5.4/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch new file mode 100644 index 00000000000..ff5c8845db2 --- /dev/null +++ b/queue-5.4/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch @@ -0,0 +1,138 @@ +From e75e7031cff012768f109db51350927f67ff01e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 18:33:47 +0800 +Subject: spi: imx: add a check for speed_hz before calculating the clock + +From: Clark Wang + +[ Upstream commit 4df2f5e1372e9eec8f9e1b4a3025b9be23487d36 ] + +When some drivers use spi to send data, spi_transfer->speed_hz is +not assigned. If spidev->max_speed_hz is not assigned as well, it +will cause an error in configuring the clock. +Add a check for these two values before configuring the clock. An +error will be returned when they are not assigned. + +Signed-off-by: Clark Wang +Link: https://lore.kernel.org/r/20210408103347.244313-2-xiaoning.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 09c9a1edb2c6..e237481dbbbb 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -64,8 +64,7 @@ struct spi_imx_data; + struct spi_imx_devtype_data { + void (*intctrl)(struct spi_imx_data *, int); + int (*prepare_message)(struct spi_imx_data *, struct spi_message *); +- int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *, +- struct spi_transfer *); ++ int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *); + void (*trigger)(struct spi_imx_data *); + int (*rx_available)(struct spi_imx_data *); + void (*reset)(struct spi_imx_data *); +@@ -564,11 +563,10 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk = t->speed_hz, delay; ++ u32 clk, delay; + + /* Clear BL field and set the right value */ + ctrl &= ~MX51_ECSPI_CTRL_BL_MASK; +@@ -582,7 +580,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + /* set clock speed */ + ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET | + 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET); +- ctrl |= mx51_ecspi_clkdiv(spi_imx, t->speed_hz, &clk); ++ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->spi_bus_clk, &clk); + spi_imx->spi_bus_clk = clk; + + if (spi_imx->usedma) +@@ -694,13 +692,12 @@ static int mx31_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx31_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX31_CSPICTRL_ENABLE | MX31_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX31_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -799,14 +796,13 @@ static int mx21_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx21_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX21_CSPICTRL_ENABLE | MX21_CSPICTRL_MASTER; + unsigned int max = is_imx27_cspi(spi_imx) ? 16 : 18; + unsigned int clk; + +- reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, t->speed_hz, max, &clk) ++ reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, spi_imx->spi_bus_clk, max, &clk) + << MX21_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -875,13 +871,12 @@ static int mx1_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx1_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX1_CSPICTRL_ENABLE | MX1_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX1_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -1199,6 +1194,16 @@ static int spi_imx_setupxfer(struct spi_device *spi, + if (!t) + return 0; + ++ if (!t->speed_hz) { ++ if (!spi->max_speed_hz) { ++ dev_err(&spi->dev, "no speed_hz provided!\n"); ++ return -EINVAL; ++ } ++ dev_dbg(&spi->dev, "using spi->max_speed_hz!\n"); ++ spi_imx->spi_bus_clk = spi->max_speed_hz; ++ } else ++ spi_imx->spi_bus_clk = t->speed_hz; ++ + spi_imx->bits_per_word = t->bits_per_word; + + /* +@@ -1240,7 +1245,7 @@ static int spi_imx_setupxfer(struct spi_device *spi, + spi_imx->slave_burst = t->len; + } + +- spi_imx->devtype_data->prepare_transfer(spi_imx, spi, t); ++ spi_imx->devtype_data->prepare_transfer(spi_imx, spi); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.4/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch b/queue-5.4/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch new file mode 100644 index 00000000000..c50c27cfa76 --- /dev/null +++ b/queue-5.4/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch @@ -0,0 +1,107 @@ +From c715400ead6cd65dacd39ce130619f02cfbb262d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jul 2021 04:23:00 +0200 +Subject: spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ] + +Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to +prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens +in prepare_transfer hook, but rather in prepare_message hook, however +the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and +thus has no effect. This leads to low bus frequency operation problems +described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK +operation at low speeds") again. + +Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook +as well, thus reinstating the low bus frequency fix. + +Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.") +Signed-off-by: Marek Vasut +Cc: Uwe Kleine-König +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index e237481dbbbb..14cebcda0ccc 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -498,7 +498,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + { + struct spi_device *spi = msg->spi; + u32 ctrl = MX51_ECSPI_CTRL_ENABLE; +- u32 testreg; ++ u32 testreg, delay; + u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG); + + /* set Master or Slave mode */ +@@ -559,6 +559,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + + writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG); + ++ /* ++ * Wait until the changes in the configuration register CONFIGREG ++ * propagate into the hardware. It takes exactly one tick of the ++ * SCLK clock, but we will wait two SCLK clock just to be sure. The ++ * effect of the delay it takes for the hardware to apply changes ++ * is noticable if the SCLK clock run very slow. In such a case, if ++ * the polarity of SCLK should be inverted, the GPIO ChipSelect might ++ * be asserted before the SCLK polarity changes, which would disrupt ++ * the SPI communication as the device on the other end would consider ++ * the change of SCLK polarity as a clock tick already. ++ */ ++ delay = (2 * 1000000) / spi_imx->spi_bus_clk; ++ if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ ++ udelay(delay); ++ else /* SCLK is _very_ slow */ ++ usleep_range(delay, delay + 10); ++ + return 0; + } + +@@ -566,7 +583,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk, delay; ++ u32 clk; + + /* Clear BL field and set the right value */ + ctrl &= ~MX51_ECSPI_CTRL_BL_MASK; +@@ -588,23 +605,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + + writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL); + +- /* +- * Wait until the changes in the configuration register CONFIGREG +- * propagate into the hardware. It takes exactly one tick of the +- * SCLK clock, but we will wait two SCLK clock just to be sure. The +- * effect of the delay it takes for the hardware to apply changes +- * is noticable if the SCLK clock run very slow. In such a case, if +- * the polarity of SCLK should be inverted, the GPIO ChipSelect might +- * be asserted before the SCLK polarity changes, which would disrupt +- * the SPI communication as the device on the other end would consider +- * the change of SCLK polarity as a clock tick already. +- */ +- delay = (2 * 1000000) / clk; +- if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ +- udelay(delay); +- else /* SCLK is _very_ slow */ +- usleep_range(delay, delay + 10); +- + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.4/spi-mediatek-fix-fifo-rx-mode.patch b/queue-5.4/spi-mediatek-fix-fifo-rx-mode.patch new file mode 100644 index 00000000000..d22304d4534 --- /dev/null +++ b/queue-5.4/spi-mediatek-fix-fifo-rx-mode.patch @@ -0,0 +1,59 @@ +From cedcc84f2261b017ff7cc3914037b45bfa9c3c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 14:16:09 +0200 +Subject: spi: mediatek: fix fifo rx mode + +From: Peter Hess + +[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ] + +In FIFO mode were two problems: +- RX mode was never handled and +- in this case the tx_buf pointer was NULL and caused an exception + +fix this by handling RX mode in mtk_spi_fifo_transfer + +Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Peter Hess +Signed-off-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index 8acf24f7c5d4..81eac9fbd08c 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -427,13 +427,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, + mtk_spi_setup_packet(master); + + cnt = xfer->len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ if (xfer->tx_buf) ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ ++ if (xfer->rx_buf) ++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt); + + remainder = xfer->len % 4; + if (remainder > 0) { + reg_val = 0; +- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ if (xfer->tx_buf) { ++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } ++ if (xfer->rx_buf) { ++ reg_val = readl(mdata->base + SPI_RX_DATA_REG); ++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.30.2 + diff --git a/queue-5.4/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch b/queue-5.4/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch new file mode 100644 index 00000000000..2382cd798f8 --- /dev/null +++ b/queue-5.4/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch @@ -0,0 +1,76 @@ +From 34aaab281b4eae1729df956467e7958a17a41ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 10:27:00 +0200 +Subject: spi: stm32: fixes pm_runtime calls in probe/remove + +From: Alain Volmat + +[ Upstream commit 7999d2555c9f879d006ea8469d74db9cdb038af0 ] + +Add pm_runtime calls in probe/probe error path and remove +in order to be consistent in all places in ordering and +ensure that pm_runtime is disabled prior to resources used +by the SPI controller. + +This patch also fixes the 2 following warnings on driver remove: +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:594 clk_core_disable_lock+0x18/0x24 +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:476 clk_unprepare+0x24/0x2c + +Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support") + +Signed-off-by: Amelie Delaunay +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1625646426-5826-2-git-send-email-alain.volmat@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 8c308279c535..e9d48e94f5ed 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -1936,6 +1936,7 @@ static int stm32_spi_probe(struct platform_device *pdev) + master->can_dma = stm32_spi_can_dma; + + pm_runtime_set_active(&pdev->dev); ++ pm_runtime_get_noresume(&pdev->dev); + pm_runtime_enable(&pdev->dev); + + ret = spi_register_master(master); +@@ -1974,6 +1975,8 @@ static int stm32_spi_probe(struct platform_device *pdev) + + err_pm_disable: + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + err_dma_release: + if (spi->dma_tx) + dma_release_channel(spi->dma_tx); +@@ -1992,9 +1995,14 @@ static int stm32_spi_remove(struct platform_device *pdev) + struct spi_master *master = platform_get_drvdata(pdev); + struct stm32_spi *spi = spi_master_get_devdata(master); + ++ pm_runtime_get_sync(&pdev->dev); ++ + spi_unregister_master(master); + spi->cfg->disable(spi); + ++ pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + if (master->dma_tx) + dma_release_channel(master->dma_tx); + if (master->dma_rx) +@@ -2002,7 +2010,6 @@ static int stm32_spi_remove(struct platform_device *pdev) + + clk_disable_unprepare(spi->clk); + +- pm_runtime_disable(&pdev->dev); + + pinctrl_pm_select_sleep_state(&pdev->dev); + +-- +2.30.2 + diff --git a/queue-5.4/spi-stm32-use-dma_request_chan-instead-dma_request_s.patch b/queue-5.4/spi-stm32-use-dma_request_chan-instead-dma_request_s.patch new file mode 100644 index 00000000000..45b6b117668 --- /dev/null +++ b/queue-5.4/spi-stm32-use-dma_request_chan-instead-dma_request_s.patch @@ -0,0 +1,99 @@ +From 3b743e481d611fce17e3ee7241d6bd09a47a42cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 15:55:50 +0200 +Subject: spi: stm32: Use dma_request_chan() instead + dma_request_slave_channel() + +From: Peter Ujfalusi + +[ Upstream commit 0a454258febb73e4c60d7f5d9a02d1a8c64fdfb8 ] + +dma_request_slave_channel() is a wrapper on top of dma_request_chan() +eating up the error code. + +By using dma_request_chan() directly the driver can support deferred +probing against DMA. + +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20191212135550.4634-10-peter.ujfalusi@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 3af6a5a3a4b2..8c308279c535 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -1908,17 +1908,29 @@ static int stm32_spi_probe(struct platform_device *pdev) + master->transfer_one = stm32_spi_transfer_one; + master->unprepare_message = stm32_spi_unprepare_msg; + +- spi->dma_tx = dma_request_slave_channel(spi->dev, "tx"); +- if (!spi->dma_tx) ++ spi->dma_tx = dma_request_chan(spi->dev, "tx"); ++ if (IS_ERR(spi->dma_tx)) { ++ ret = PTR_ERR(spi->dma_tx); ++ spi->dma_tx = NULL; ++ if (ret == -EPROBE_DEFER) ++ goto err_clk_disable; ++ + dev_warn(&pdev->dev, "failed to request tx dma channel\n"); +- else ++ } else { + master->dma_tx = spi->dma_tx; ++ } ++ ++ spi->dma_rx = dma_request_chan(spi->dev, "rx"); ++ if (IS_ERR(spi->dma_rx)) { ++ ret = PTR_ERR(spi->dma_rx); ++ spi->dma_rx = NULL; ++ if (ret == -EPROBE_DEFER) ++ goto err_dma_release; + +- spi->dma_rx = dma_request_slave_channel(spi->dev, "rx"); +- if (!spi->dma_rx) + dev_warn(&pdev->dev, "failed to request rx dma channel\n"); +- else ++ } else { + master->dma_rx = spi->dma_rx; ++ } + + if (spi->dma_tx || spi->dma_rx) + master->can_dma = stm32_spi_can_dma; +@@ -1930,13 +1942,13 @@ static int stm32_spi_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, "spi master registration failed: %d\n", + ret); +- goto err_dma_release; ++ goto err_pm_disable; + } + + if (!master->cs_gpios) { + dev_err(&pdev->dev, "no CS gpios available\n"); + ret = -EINVAL; +- goto err_dma_release; ++ goto err_pm_disable; + } + + for (i = 0; i < master->num_chipselect; i++) { +@@ -1960,13 +1972,13 @@ static int stm32_spi_probe(struct platform_device *pdev) + + return 0; + ++err_pm_disable: ++ pm_runtime_disable(&pdev->dev); + err_dma_release: + if (spi->dma_tx) + dma_release_channel(spi->dma_tx); + if (spi->dma_rx) + dma_release_channel(spi->dma_rx); +- +- pm_runtime_disable(&pdev->dev); + err_clk_disable: + clk_disable_unprepare(spi->clk); + err_master_put: +-- +2.30.2 +