From: Greg Kroah-Hartman Date: Tue, 6 Sep 2022 12:06:04 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.142~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1efc3c72c9fad17f6ecc7b6563f1ad2faacb0cb;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch alsa-seq-fix-data-race-at-module-auto-loading.patch alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch btrfs-harden-identification-of-a-stale-device.patch drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch ip-fix-triggering-of-icmp-redirect.patch mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch net-mac802154-fix-a-condition-in-the-receive-path.patch net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch --- diff --git a/queue-5.10/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch b/queue-5.10/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch new file mode 100644 index 00000000000..14381c3e8cb --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch @@ -0,0 +1,129 @@ +From a2d57ebec1e15f0ac256eb8397e82b07adfaaacc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= +Date: Sat, 27 Aug 2022 22:33:28 +0200 +Subject: ALSA: hda/realtek: Add speaker AMP init for Samsung laptops with ALC298 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kacper Michajłow + +commit a2d57ebec1e15f0ac256eb8397e82b07adfaaacc upstream. + +Magic initialization sequence was extracted from Windows driver and +cleaned up manually. + +Fixes internal speakers output. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=207423 +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851518 +Signed-off-by: Kacper Michajłow +Cc: +Link: https://lore.kernel.org/r/20220827203328.30363-1-kasper93@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 63 +++++++++++++++++++++++++++++++++++++----- + 1 file changed, 56 insertions(+), 7 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4628,6 +4628,48 @@ static void alc236_fixup_hp_mute_led_mic + alc236_fixup_hp_micmute_led_vref(codec, fix, action); + } + ++static inline void alc298_samsung_write_coef_pack(struct hda_codec *codec, ++ const unsigned short coefs[2]) ++{ ++ alc_write_coef_idx(codec, 0x23, coefs[0]); ++ alc_write_coef_idx(codec, 0x25, coefs[1]); ++ alc_write_coef_idx(codec, 0x26, 0xb011); ++} ++ ++struct alc298_samsung_amp_desc { ++ unsigned char nid; ++ unsigned short init_seq[2][2]; ++}; ++ ++static void alc298_fixup_samsung_amp(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ int i, j; ++ static const unsigned short init_seq[][2] = { ++ { 0x19, 0x00 }, { 0x20, 0xc0 }, { 0x22, 0x44 }, { 0x23, 0x08 }, ++ { 0x24, 0x85 }, { 0x25, 0x41 }, { 0x35, 0x40 }, { 0x36, 0x01 }, ++ { 0x38, 0x81 }, { 0x3a, 0x03 }, { 0x3b, 0x81 }, { 0x40, 0x3e }, ++ { 0x41, 0x07 }, { 0x400, 0x1 } ++ }; ++ static const struct alc298_samsung_amp_desc amps[] = { ++ { 0x3a, { { 0x18, 0x1 }, { 0x26, 0x0 } } }, ++ { 0x39, { { 0x18, 0x2 }, { 0x26, 0x1 } } } ++ }; ++ ++ if (action != HDA_FIXUP_ACT_INIT) ++ return; ++ ++ for (i = 0; i < ARRAY_SIZE(amps); i++) { ++ alc_write_coef_idx(codec, 0x22, amps[i].nid); ++ ++ for (j = 0; j < ARRAY_SIZE(amps[i].init_seq); j++) ++ alc298_samsung_write_coef_pack(codec, amps[i].init_seq[j]); ++ ++ for (j = 0; j < ARRAY_SIZE(init_seq); j++) ++ alc298_samsung_write_coef_pack(codec, init_seq[j]); ++ } ++} ++ + #if IS_REACHABLE(CONFIG_INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) +@@ -6787,6 +6829,7 @@ enum { + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, ++ ALC298_FIXUP_SAMSUNG_AMP, + ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, + ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, + ALC295_FIXUP_ASUS_MIC_NO_PRESENCE, +@@ -8140,6 +8183,12 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_mute_led_micmute_vref, + }, ++ [ALC298_FIXUP_SAMSUNG_AMP] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc298_fixup_samsung_amp, ++ .chained = true, ++ .chain_id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET ++ }, + [ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -8914,13 +8963,13 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE), + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), +- SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), +- SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC), +@@ -9280,7 +9329,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC299_FIXUP_PREDATOR_SPK, .name = "predator-spk"}, + {.id = ALC298_FIXUP_HUAWEI_MBX_STEREO, .name = "huawei-mbx-stereo"}, + {.id = ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, .name = "alc256-medion-headset"}, +- {.id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc298-samsung-headphone"}, ++ {.id = ALC298_FIXUP_SAMSUNG_AMP, .name = "alc298-samsung-amp"}, + {.id = ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc256-samsung-headphone"}, + {.id = ALC255_FIXUP_XIAOMI_HEADSET_MIC, .name = "alc255-xiaomi-headset"}, + {.id = ALC274_FIXUP_HP_MIC, .name = "alc274-hp-mic-detect"}, diff --git a/queue-5.10/alsa-seq-fix-data-race-at-module-auto-loading.patch b/queue-5.10/alsa-seq-fix-data-race-at-module-auto-loading.patch new file mode 100644 index 00000000000..4c18623b81d --- /dev/null +++ b/queue-5.10/alsa-seq-fix-data-race-at-module-auto-loading.patch @@ -0,0 +1,62 @@ +From 3e7e04b747adea36f349715d9f0998eeebf15d72 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:17 +0200 +Subject: ALSA: seq: Fix data-race at module auto-loading + +From: Takashi Iwai + +commit 3e7e04b747adea36f349715d9f0998eeebf15d72 upstream. + +It's been reported that there is a possible data-race accessing to the +global card_requested[] array at ALSA sequencer core, which is used +for determining whether to call request_module() for the card or not. +This data race itself is almost harmless, as it might end up with one +extra request_module() call for the already loaded module at most. +But it's still better to fix. + +This patch addresses the possible data race of card_requested[] and +client_requested[] arrays by replacing them with bitmask. +It's an atomic operation and can work without locks. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB24_ay6YzARpA1zgCsE7=H9CSJJzux618E=Ka4h0YdKn=qA@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -121,13 +121,13 @@ struct snd_seq_client *snd_seq_client_us + spin_unlock_irqrestore(&clients_lock, flags); + #ifdef CONFIG_MODULES + if (!in_interrupt()) { +- static char client_requested[SNDRV_SEQ_GLOBAL_CLIENTS]; +- static char card_requested[SNDRV_CARDS]; ++ static DECLARE_BITMAP(client_requested, SNDRV_SEQ_GLOBAL_CLIENTS); ++ static DECLARE_BITMAP(card_requested, SNDRV_CARDS); ++ + if (clientid < SNDRV_SEQ_GLOBAL_CLIENTS) { + int idx; + +- if (!client_requested[clientid]) { +- client_requested[clientid] = 1; ++ if (!test_and_set_bit(clientid, client_requested)) { + for (idx = 0; idx < 15; idx++) { + if (seq_client_load[idx] < 0) + break; +@@ -142,10 +142,8 @@ struct snd_seq_client *snd_seq_client_us + int card = (clientid - SNDRV_SEQ_GLOBAL_CLIENTS) / + SNDRV_SEQ_CLIENTS_PER_CARD; + if (card < snd_ecards_limit) { +- if (! card_requested[card]) { +- card_requested[card] = 1; ++ if (!test_and_set_bit(card, card_requested)) + snd_request_card(card); +- } + snd_seq_device_load_drivers(); + } + } diff --git a/queue-5.10/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch b/queue-5.10/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch new file mode 100644 index 00000000000..def666a7dbc --- /dev/null +++ b/queue-5.10/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch @@ -0,0 +1,44 @@ +From 22dec134dbfa825b963f8a1807ad19b943e46a56 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:16 +0200 +Subject: ALSA: seq: oss: Fix data-race for max_midi_devs access + +From: Takashi Iwai + +commit 22dec134dbfa825b963f8a1807ad19b943e46a56 upstream. + +ALSA OSS sequencer refers to a global variable max_midi_devs at +creating a new port, storing it to its own field. Meanwhile this +variable may be changed by other sequencer events at +snd_seq_oss_midi_check_exit_port() in parallel, which may cause a data +race. + +OTOH, this data race itself is almost harmless, as the access to the +MIDI device is done via get_mdev() and it's protected with a refcount, +hence its presence is guaranteed. + +Though, it's sill better to address the data-race from the code sanity +POV, and this patch adds the proper spinlock for the protection. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB2493pZRXs863w58QWnUTtv3HHfg85aYhLn5HJHCwxqtHQg@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/oss/seq_oss_midi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -267,7 +267,9 @@ snd_seq_oss_midi_clear_all(void) + void + snd_seq_oss_midi_setup(struct seq_oss_devinfo *dp) + { ++ spin_lock_irq(®ister_lock); + dp->max_mididev = max_midi_devs; ++ spin_unlock_irq(®ister_lock); + } + + /* diff --git a/queue-5.10/btrfs-harden-identification-of-a-stale-device.patch b/queue-5.10/btrfs-harden-identification-of-a-stale-device.patch new file mode 100644 index 00000000000..7e8ae4a49bd --- /dev/null +++ b/queue-5.10/btrfs-harden-identification-of-a-stale-device.patch @@ -0,0 +1,95 @@ +From 770c79fb65506fc7c16459855c3839429f46cb32 Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Wed, 12 Jan 2022 13:05:59 +0800 +Subject: btrfs: harden identification of a stale device + +From: Anand Jain + +commit 770c79fb65506fc7c16459855c3839429f46cb32 upstream. + +Identifying and removing the stale device from the fs_uuids list is done +by btrfs_free_stale_devices(). btrfs_free_stale_devices() in turn +depends on device_path_matched() to check if the device appears in more +than one btrfs_device structure. + +The matching of the device happens by its path, the device path. However, +when device mapper is in use, the dm device paths are nothing but a link +to the actual block device, which leads to the device_path_matched() +failing to match. + +Fix this by matching the dev_t as provided by lookup_bdev() instead of +plain string compare of the device paths. + +Reported-by: Josef Bacik +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 44 +++++++++++++++++++++++++++++++++++++------- + 1 file changed, 37 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -540,15 +540,47 @@ error: + return ret; + } + +-static bool device_path_matched(const char *path, struct btrfs_device *device) ++/* ++ * Check if the device in the path matches the device in the given struct device. ++ * ++ * Returns: ++ * true If it is the same device. ++ * false If it is not the same device or on error. ++ */ ++static bool device_matched(const struct btrfs_device *device, const char *path) + { +- int found; ++ char *device_name; ++ struct block_device *bdev_old; ++ struct block_device *bdev_new; ++ ++ /* ++ * If we are looking for a device with the matching dev_t, then skip ++ * device without a name (a missing device). ++ */ ++ if (!device->name) ++ return false; ++ ++ device_name = kzalloc(BTRFS_PATH_NAME_MAX, GFP_KERNEL); ++ if (!device_name) ++ return false; + + rcu_read_lock(); +- found = strcmp(rcu_str_deref(device->name), path); ++ scnprintf(device_name, BTRFS_PATH_NAME_MAX, "%s", rcu_str_deref(device->name)); + rcu_read_unlock(); + +- return found == 0; ++ bdev_old = lookup_bdev(device_name); ++ kfree(device_name); ++ if (IS_ERR(bdev_old)) ++ return false; ++ ++ bdev_new = lookup_bdev(path); ++ if (IS_ERR(bdev_new)) ++ return false; ++ ++ if (bdev_old == bdev_new) ++ return true; ++ ++ return false; + } + + /* +@@ -581,9 +613,7 @@ static int btrfs_free_stale_devices(cons + &fs_devices->devices, dev_list) { + if (skip_device && skip_device == device) + continue; +- if (path && !device->name) +- continue; +- if (path && !device_path_matched(path, device)) ++ if (path && !device_matched(device, path)) + continue; + if (fs_devices->opened) { + /* for an already deleted device return 0 */ diff --git a/queue-5.10/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch b/queue-5.10/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch new file mode 100644 index 00000000000..6fb5a98df3d --- /dev/null +++ b/queue-5.10/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch @@ -0,0 +1,44 @@ +From 919bef7a106ade2bda73681bbc2f3678198f44fc Mon Sep 17 00:00:00 2001 +From: Diego Santa Cruz +Date: Thu, 16 Jun 2022 15:41:37 +0300 +Subject: drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Diego Santa Cruz + +commit 919bef7a106ade2bda73681bbc2f3678198f44fc upstream. + +The quirk added in upstream commit 90c3e2198777 ("drm/i915/glk: Add +Quirk for GLK NUC HDMI port issues.") is also required on the ECS Liva +Q2. + +Note: Would be nicer to figure out the extra delay required for the +retimer without quirks, however don't know how to check for that. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1326 +Signed-off-by: Diego Santa Cruz +Reviewed-by: Ville Syrjälä +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220616124137.3184371-1-jani.nikula@intel.com +(cherry picked from commit 08e9505fa8f9aa00072a47b6f234d89b6b27a89c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_quirks.c ++++ b/drivers/gpu/drm/i915/display/intel_quirks.c +@@ -156,6 +156,9 @@ static struct intel_quirk intel_quirks[] + /* ASRock ITX*/ + { 0x3185, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, + { 0x3184, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, ++ /* ECS Liva Q2 */ ++ { 0x3185, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, ++ { 0x3184, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, + }; + + void intel_init_quirks(struct drm_i915_private *i915) diff --git a/queue-5.10/ip-fix-triggering-of-icmp-redirect.patch b/queue-5.10/ip-fix-triggering-of-icmp-redirect.patch new file mode 100644 index 00000000000..2a125e656ef --- /dev/null +++ b/queue-5.10/ip-fix-triggering-of-icmp-redirect.patch @@ -0,0 +1,55 @@ +From eb55dc09b5dd040232d5de32812cc83001a23da6 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Mon, 29 Aug 2022 12:01:21 +0200 +Subject: ip: fix triggering of 'icmp redirect' + +From: Nicolas Dichtel + +commit eb55dc09b5dd040232d5de32812cc83001a23da6 upstream. + +__mkroute_input() uses fib_validate_source() to trigger an icmp redirect. +My understanding is that fib_validate_source() is used to know if the src +address and the gateway address are on the same link. For that, +fib_validate_source() returns 1 (same link) or 0 (not the same network). +__mkroute_input() is the only user of these positive values, all other +callers only look if the returned value is negative. + +Since the below patch, fib_validate_source() didn't return anymore 1 when +both addresses are on the same network, because the route lookup returns +RT_SCOPE_LINK instead of RT_SCOPE_HOST. But this is, in fact, right. +Let's adapat the test to return 1 again when both addresses are on the same +link. + +CC: stable@vger.kernel.org +Fixes: 747c14307214 ("ip: fix dflt addr selection for connected nexthop") +Reported-by: kernel test robot +Reported-by: Heng Qi +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220829100121.3821-1-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_frontend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -389,7 +389,7 @@ static int __fib_validate_source(struct + dev_match = dev_match || (res.type == RTN_LOCAL && + dev == net->loopback_dev); + if (dev_match) { +- ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST; ++ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_LINK; + return ret; + } + if (no_addr) +@@ -401,7 +401,7 @@ static int __fib_validate_source(struct + ret = 0; + if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) { + if (res.type == RTN_UNICAST) +- ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST; ++ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_LINK; + } + return ret; + diff --git a/queue-5.10/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch b/queue-5.10/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch new file mode 100644 index 00000000000..1e5132418c2 --- /dev/null +++ b/queue-5.10/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch @@ -0,0 +1,58 @@ +From 15c56208c79c340686869c31595c209d1431c5e8 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 15 Aug 2022 10:33:20 +0300 +Subject: mmc: core: Fix UHS-I SD 1.8V workaround branch + +From: Adrian Hunter + +commit 15c56208c79c340686869c31595c209d1431c5e8 upstream. + +When introduced, upon success, the 1.8V fixup workaround in +mmc_sd_init_card() would branch to practically the end of the function, to +a label named "done". Unfortunately, perhaps due to the label name, over +time new code has been added that really should have come after "done" not +before it. Let's fix the problem by moving the label to the correct place +and rename it "cont". + +Fixes: 045d705dc1fb ("mmc: core: Enable the MMC host software queue for the SD card") +Signed-off-by: Adrian Hunter +Reviewed-by: Seunghui Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220815073321.63382-2-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +[Backport to 5.10] +Signed-off-by: Adrian Hunter +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -1107,7 +1107,7 @@ retry: + mmc_remove_card(card); + goto retry; + } +- goto done; ++ goto cont; + } + } + +@@ -1143,7 +1143,7 @@ retry: + mmc_set_bus_width(host, MMC_BUS_WIDTH_4); + } + } +- ++cont: + if (host->cqe_ops && !host->cqe_enabled) { + err = host->cqe_ops->cqe_enable(host, card); + if (!err) { +@@ -1161,7 +1161,7 @@ retry: + err = -EINVAL; + goto free_card; + } +-done: ++ + host->card = card; + return 0; + diff --git a/queue-5.10/net-mac802154-fix-a-condition-in-the-receive-path.patch b/queue-5.10/net-mac802154-fix-a-condition-in-the-receive-path.patch new file mode 100644 index 00000000000..cf630a81e60 --- /dev/null +++ b/queue-5.10/net-mac802154-fix-a-condition-in-the-receive-path.patch @@ -0,0 +1,45 @@ +From f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Fri, 26 Aug 2022 16:29:54 +0200 +Subject: net: mac802154: Fix a condition in the receive path + +From: Miquel Raynal + +commit f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 upstream. + +Upon reception, a packet must be categorized, either it's destination is +the host, or it is another host. A packet with no destination addressing +fields may be valid in two situations: +- the packet has no source field: only ACKs are built like that, we + consider the host as the destination. +- the packet has a valid source field: it is directed to the PAN + coordinator, as for know we don't have this information we consider we + are not the PAN coordinator. + +There was likely a copy/paste error made during a previous cleanup +because the if clause is now containing exactly the same condition as in +the switch case, which can never be true. In the past the destination +address was used in the switch and the source address was used in the +if, which matches what the spec says. + +Cc: stable@vger.kernel.org +Fixes: ae531b9475f6 ("ieee802154: use ieee802154_addr instead of *_sa variants") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220826142954.254853-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -44,7 +44,7 @@ ieee802154_subif_frame(struct ieee802154 + + switch (mac_cb(skb)->dest.mode) { + case IEEE802154_ADDR_NONE: +- if (mac_cb(skb)->dest.mode != IEEE802154_ADDR_NONE) ++ if (hdr->source.mode != IEEE802154_ADDR_NONE) + /* FIXME: check if we are PAN coordinator */ + skb->pkt_type = PACKET_OTHERHOST; + else diff --git a/queue-5.10/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch b/queue-5.10/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch new file mode 100644 index 00000000000..fc2f5e2ea32 --- /dev/null +++ b/queue-5.10/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch @@ -0,0 +1,398 @@ +From 278d3ba61563ceed3cb248383ced19e14ec7bc1f Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 25 Aug 2022 13:36:45 +0200 +Subject: net: Use u64_stats_fetch_begin_irq() for stats fetch. + +From: Sebastian Andrzej Siewior + +commit 278d3ba61563ceed3cb248383ced19e14ec7bc1f upstream. + +On 32bit-UP u64_stats_fetch_begin() disables only preemption. If the +reader is in preemptible context and the writer side +(u64_stats_update_begin*()) runs in an interrupt context (IRQ or +softirq) then the writer can update the stats during the read operation. +This update remains undetected. + +Use u64_stats_fetch_begin_irq() to ensure the stats fetch on 32bit-UP +are not interrupted by a writer. 32bit-SMP remains unaffected by this +change. + +Cc: "David S. Miller" +Cc: Catherine Sullivan +Cc: David Awogbemila +Cc: Dimitris Michailidis +Cc: Eric Dumazet +Cc: Hans Ulli Kroll +Cc: Jakub Kicinski +Cc: Jeroen de Borst +Cc: Johannes Berg +Cc: Linus Walleij +Cc: Paolo Abeni +Cc: Simon Horman +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: oss-drivers@corigine.com +Cc: stable@vger.kernel.org +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cortina/gemini.c | 24 +++++++++---------- + drivers/net/ethernet/google/gve/gve_ethtool.c | 16 ++++++------ + drivers/net/ethernet/google/gve/gve_main.c | 12 ++++----- + drivers/net/ethernet/huawei/hinic/hinic_rx.c | 4 +-- + drivers/net/ethernet/huawei/hinic/hinic_tx.c | 4 +-- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 8 +++--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 8 +++--- + drivers/net/netdevsim/netdev.c | 4 +-- + net/mac80211/sta_info.c | 8 +++--- + net/mpls/af_mpls.c | 4 +-- + 10 files changed, 46 insertions(+), 46 deletions(-) + +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1920,7 +1920,7 @@ static void gmac_get_stats64(struct net_ + + /* Racing with RX NAPI */ + do { +- start = u64_stats_fetch_begin(&port->rx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->rx_stats_syncp); + + stats->rx_packets = port->stats.rx_packets; + stats->rx_bytes = port->stats.rx_bytes; +@@ -1932,11 +1932,11 @@ static void gmac_get_stats64(struct net_ + stats->rx_crc_errors = port->stats.rx_crc_errors; + stats->rx_frame_errors = port->stats.rx_frame_errors; + +- } while (u64_stats_fetch_retry(&port->rx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->rx_stats_syncp, start)); + + /* Racing with MIB and TX completion interrupts */ + do { +- start = u64_stats_fetch_begin(&port->ir_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->ir_stats_syncp); + + stats->tx_errors = port->stats.tx_errors; + stats->tx_packets = port->stats.tx_packets; +@@ -1946,15 +1946,15 @@ static void gmac_get_stats64(struct net_ + stats->rx_missed_errors = port->stats.rx_missed_errors; + stats->rx_fifo_errors = port->stats.rx_fifo_errors; + +- } while (u64_stats_fetch_retry(&port->ir_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->ir_stats_syncp, start)); + + /* Racing with hard_start_xmit */ + do { +- start = u64_stats_fetch_begin(&port->tx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->tx_stats_syncp); + + stats->tx_dropped = port->stats.tx_dropped; + +- } while (u64_stats_fetch_retry(&port->tx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->tx_stats_syncp, start)); + + stats->rx_dropped += stats->rx_missed_errors; + } +@@ -2032,18 +2032,18 @@ static void gmac_get_ethtool_stats(struc + /* Racing with MIB interrupt */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->ir_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->ir_stats_syncp); + + for (i = 0; i < RX_STATS_NUM; i++) + *p++ = port->hw_stats[i]; + +- } while (u64_stats_fetch_retry(&port->ir_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->ir_stats_syncp, start)); + values = p; + + /* Racing with RX NAPI */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->rx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->rx_stats_syncp); + + for (i = 0; i < RX_STATUS_NUM; i++) + *p++ = port->rx_stats[i]; +@@ -2051,13 +2051,13 @@ static void gmac_get_ethtool_stats(struc + *p++ = port->rx_csum_stats[i]; + *p++ = port->rx_napi_exits; + +- } while (u64_stats_fetch_retry(&port->rx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->rx_stats_syncp, start)); + values = p; + + /* Racing with TX start_xmit */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->tx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->tx_stats_syncp); + + for (i = 0; i < TX_MAX_FRAGS; i++) { + *values++ = port->tx_frag_stats[i]; +@@ -2066,7 +2066,7 @@ static void gmac_get_ethtool_stats(struc + *values++ = port->tx_frags_linearized; + *values++ = port->tx_hw_csummed; + +- } while (u64_stats_fetch_retry(&port->tx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->tx_stats_syncp, start)); + } + + static int gmac_get_ksettings(struct net_device *netdev, +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -172,14 +172,14 @@ gve_get_ethtool_stats(struct net_device + struct gve_rx_ring *rx = &priv->rx[ring]; + + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + tmp_rx_pkts = rx->rpackets; + tmp_rx_bytes = rx->rbytes; + tmp_rx_skb_alloc_fail = rx->rx_skb_alloc_fail; + tmp_rx_buf_alloc_fail = rx->rx_buf_alloc_fail; + tmp_rx_desc_err_dropped_pkt = + rx->rx_desc_err_dropped_pkt; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + rx_pkts += tmp_rx_pkts; + rx_bytes += tmp_rx_bytes; +@@ -193,10 +193,10 @@ gve_get_ethtool_stats(struct net_device + if (priv->tx) { + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + tmp_tx_pkts = priv->tx[ring].pkt_done; + tmp_tx_bytes = priv->tx[ring].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + tx_pkts += tmp_tx_pkts; + tx_bytes += tmp_tx_bytes; +@@ -254,13 +254,13 @@ gve_get_ethtool_stats(struct net_device + data[i++] = rx->cnt; + do { + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + tmp_rx_bytes = rx->rbytes; + tmp_rx_skb_alloc_fail = rx->rx_skb_alloc_fail; + tmp_rx_buf_alloc_fail = rx->rx_buf_alloc_fail; + tmp_rx_desc_err_dropped_pkt = + rx->rx_desc_err_dropped_pkt; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + data[i++] = tmp_rx_bytes; + /* rx dropped packets */ +@@ -313,9 +313,9 @@ gve_get_ethtool_stats(struct net_device + data[i++] = tx->done; + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + tmp_tx_bytes = tx->bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + data[i++] = tmp_tx_bytes; + data[i++] = tx->wake_queue; +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -40,10 +40,10 @@ static void gve_get_stats(struct net_dev + for (ring = 0; ring < priv->rx_cfg.num_queues; ring++) { + do { + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + packets = priv->rx[ring].rpackets; + bytes = priv->rx[ring].rbytes; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + s->rx_packets += packets; + s->rx_bytes += bytes; +@@ -53,10 +53,10 @@ static void gve_get_stats(struct net_dev + for (ring = 0; ring < priv->tx_cfg.num_queues; ring++) { + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + packets = priv->tx[ring].pkt_done; + bytes = priv->tx[ring].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + s->tx_packets += packets; + s->tx_bytes += bytes; +@@ -1041,9 +1041,9 @@ void gve_handle_report_stats(struct gve_ + if (priv->tx) { + for (idx = 0; idx < priv->tx_cfg.num_queues; idx++) { + do { +- start = u64_stats_fetch_begin(&priv->tx[idx].statss); ++ start = u64_stats_fetch_begin_irq(&priv->tx[idx].statss); + tx_bytes = priv->tx[idx].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[idx].statss, start)); ++ } while (u64_stats_fetch_retry_irq(&priv->tx[idx].statss, start)); + stats[stats_idx++] = (struct stats) { + .stat_name = cpu_to_be32(TX_WAKE_CNT), + .value = cpu_to_be64(priv->tx[idx].wake_queue), +--- a/drivers/net/ethernet/huawei/hinic/hinic_rx.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_rx.c +@@ -74,14 +74,14 @@ void hinic_rxq_get_stats(struct hinic_rx + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&rxq_stats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxq_stats->syncp); + stats->pkts = rxq_stats->pkts; + stats->bytes = rxq_stats->bytes; + stats->errors = rxq_stats->csum_errors + + rxq_stats->other_errors; + stats->csum_errors = rxq_stats->csum_errors; + stats->other_errors = rxq_stats->other_errors; +- } while (u64_stats_fetch_retry(&rxq_stats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxq_stats->syncp, start)); + } + + /** +--- a/drivers/net/ethernet/huawei/hinic/hinic_tx.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_tx.c +@@ -98,14 +98,14 @@ void hinic_txq_get_stats(struct hinic_tx + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&txq_stats->syncp); ++ start = u64_stats_fetch_begin_irq(&txq_stats->syncp); + stats->pkts = txq_stats->pkts; + stats->bytes = txq_stats->bytes; + stats->tx_busy = txq_stats->tx_busy; + stats->tx_wake = txq_stats->tx_wake; + stats->tx_dropped = txq_stats->tx_dropped; + stats->big_frags_pkts = txq_stats->big_frags_pkts; +- } while (u64_stats_fetch_retry(&txq_stats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&txq_stats->syncp, start)); + } + + /** +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -3373,21 +3373,21 @@ static void nfp_net_stat64(struct net_de + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&r_vec->rx_sync); ++ start = u64_stats_fetch_begin_irq(&r_vec->rx_sync); + data[0] = r_vec->rx_pkts; + data[1] = r_vec->rx_bytes; + data[2] = r_vec->rx_drops; +- } while (u64_stats_fetch_retry(&r_vec->rx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&r_vec->rx_sync, start)); + stats->rx_packets += data[0]; + stats->rx_bytes += data[1]; + stats->rx_dropped += data[2]; + + do { +- start = u64_stats_fetch_begin(&r_vec->tx_sync); ++ start = u64_stats_fetch_begin_irq(&r_vec->tx_sync); + data[0] = r_vec->tx_pkts; + data[1] = r_vec->tx_bytes; + data[2] = r_vec->tx_errors; +- } while (u64_stats_fetch_retry(&r_vec->tx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&r_vec->tx_sync, start)); + stats->tx_packets += data[0]; + stats->tx_bytes += data[1]; + stats->tx_errors += data[2]; +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -494,7 +494,7 @@ static u64 *nfp_vnic_get_sw_stats(struct + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&nn->r_vecs[i].rx_sync); ++ start = u64_stats_fetch_begin_irq(&nn->r_vecs[i].rx_sync); + data[0] = nn->r_vecs[i].rx_pkts; + tmp[0] = nn->r_vecs[i].hw_csum_rx_ok; + tmp[1] = nn->r_vecs[i].hw_csum_rx_inner_ok; +@@ -502,10 +502,10 @@ static u64 *nfp_vnic_get_sw_stats(struct + tmp[3] = nn->r_vecs[i].hw_csum_rx_error; + tmp[4] = nn->r_vecs[i].rx_replace_buf_alloc_fail; + tmp[5] = nn->r_vecs[i].hw_tls_rx; +- } while (u64_stats_fetch_retry(&nn->r_vecs[i].rx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&nn->r_vecs[i].rx_sync, start)); + + do { +- start = u64_stats_fetch_begin(&nn->r_vecs[i].tx_sync); ++ start = u64_stats_fetch_begin_irq(&nn->r_vecs[i].tx_sync); + data[1] = nn->r_vecs[i].tx_pkts; + data[2] = nn->r_vecs[i].tx_busy; + tmp[6] = nn->r_vecs[i].hw_csum_tx; +@@ -515,7 +515,7 @@ static u64 *nfp_vnic_get_sw_stats(struct + tmp[10] = nn->r_vecs[i].hw_tls_tx; + tmp[11] = nn->r_vecs[i].tls_tx_fallback; + tmp[12] = nn->r_vecs[i].tls_tx_no_fallback; +- } while (u64_stats_fetch_retry(&nn->r_vecs[i].tx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&nn->r_vecs[i].tx_sync, start)); + + data += NN_RVEC_PER_Q_STATS; + +--- a/drivers/net/netdevsim/netdev.c ++++ b/drivers/net/netdevsim/netdev.c +@@ -67,10 +67,10 @@ nsim_get_stats64(struct net_device *dev, + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&ns->syncp); ++ start = u64_stats_fetch_begin_irq(&ns->syncp); + stats->tx_bytes = ns->tx_bytes; + stats->tx_packets = ns->tx_packets; +- } while (u64_stats_fetch_retry(&ns->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&ns->syncp, start)); + } + + static int +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2175,9 +2175,9 @@ static inline u64 sta_get_tidstats_msdu( + u64 value; + + do { +- start = u64_stats_fetch_begin(&rxstats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxstats->syncp); + value = rxstats->msdu[tid]; +- } while (u64_stats_fetch_retry(&rxstats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start)); + + return value; + } +@@ -2241,9 +2241,9 @@ static inline u64 sta_get_stats_bytes(st + u64 value; + + do { +- start = u64_stats_fetch_begin(&rxstats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxstats->syncp); + value = rxstats->bytes; +- } while (u64_stats_fetch_retry(&rxstats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start)); + + return value; + } +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1078,9 +1078,9 @@ static void mpls_get_stats(struct mpls_d + + p = per_cpu_ptr(mdev->stats, i); + do { +- start = u64_stats_fetch_begin(&p->syncp); ++ start = u64_stats_fetch_begin_irq(&p->syncp); + local = p->stats; +- } while (u64_stats_fetch_retry(&p->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&p->syncp, start)); + + stats->rx_packets += local.rx_packets; + stats->rx_bytes += local.rx_bytes; diff --git a/queue-5.10/series b/queue-5.10/series index b6d3ae44161..797dab42196 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -62,3 +62,14 @@ s390-fix-nospec-table-alignments.patch usb-core-prevent-nested-device-reset-calls.patch usb-gadget-mass_storage-fix-cdrom-data-transfers-on-mac-os.patch driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch +wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch +wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch +ip-fix-triggering-of-icmp-redirect.patch +net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch +net-mac802154-fix-a-condition-in-the-receive-path.patch +alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch +alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch +alsa-seq-fix-data-race-at-module-auto-loading.patch +drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch +btrfs-harden-identification-of-a-stale-device.patch +mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch diff --git a/queue-5.10/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch b/queue-5.10/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch new file mode 100644 index 00000000000..90cd8b8cb6f --- /dev/null +++ b/queue-5.10/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch @@ -0,0 +1,48 @@ +From 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Sun, 14 Aug 2022 20:45:12 +0530 +Subject: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected + +From: Siddh Raman Pant + +commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream. + +When we are not connected to a channel, sending channel "switch" +announcement doesn't make any sense. + +The BSS list is empty in that case. This causes the for loop in +cfg80211_get_bss() to be bypassed, so the function returns NULL +(check line 1424 of net/wireless/scan.c), causing the WARN_ON() +in ieee80211_ibss_csa_beacon() to get triggered (check line 500 +of net/mac80211/ibss.c), which was consequently reported on the +syzkaller dashboard. + +Thus, check if we have an existing connection before generating +the CSA beacon in ieee80211_ibss_finish_csa(). + +Cc: stable@vger.kernel.org +Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") +Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6 +Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Signed-off-by: Siddh Raman Pant +Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -541,6 +541,10 @@ int ieee80211_ibss_finish_csa(struct iee + + sdata_assert_lock(sdata); + ++ /* When not connected/joined, sending CSA doesn't make sense. */ ++ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED) ++ return -ENOLINK; ++ + /* update cfg80211 bss information with the new channel */ + if (!is_zero_ether_addr(ifibss->bssid)) { + cbss = cfg80211_get_bss(sdata->local->hw.wiphy, diff --git a/queue-5.10/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch b/queue-5.10/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch new file mode 100644 index 00000000000..b7ab2e59b1f --- /dev/null +++ b/queue-5.10/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch @@ -0,0 +1,57 @@ +From 60deb9f10eec5c6a20252ed36238b55d8b614a2c Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Sat, 20 Aug 2022 01:33:40 +0530 +Subject: wifi: mac80211: Fix UAF in ieee80211_scan_rx() + +From: Siddh Raman Pant + +commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream. + +ieee80211_scan_rx() tries to access scan_req->flags after a +null check, but a UAF is observed when the scan is completed +and __ieee80211_scan_completed() executes, which then calls +cfg80211_scan_done() leading to the freeing of scan_req. + +Since scan_req is rcu_dereference()'d, prevent the racing in +__ieee80211_scan_completed() by ensuring that from mac80211's +POV it is no longer accessed from an RCU read critical section +before we call cfg80211_scan_done(). + +Cc: stable@vger.kernel.org +Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d +Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Siddh Raman Pant +Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/scan.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s + scan_req = rcu_dereference_protected(local->scan_req, + lockdep_is_held(&local->mtx)); + +- if (scan_req != local->int_scan_req) { +- local->scan_info.aborted = aborted; +- cfg80211_scan_done(scan_req, &local->scan_info); +- } + RCU_INIT_POINTER(local->scan_req, NULL); + RCU_INIT_POINTER(local->scan_sdata, NULL); + + local->scanning = 0; + local->scan_chandef.chan = NULL; + ++ synchronize_rcu(); ++ ++ if (scan_req != local->int_scan_req) { ++ local->scan_info.aborted = aborted; ++ cfg80211_scan_done(scan_req, &local->scan_info); ++ } ++ + /* Set power back to normal operating levels. */ + ieee80211_hw_config(local, 0); +