From: Sasha Levin Date: Mon, 26 Jul 2021 02:40:53 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.277~79 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0f525e0d62cac216b71fb9e408be14c286908c7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch b/queue-4.19/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
new file mode 100644
index 00000000000..5f8fdfe74e2
--- /dev/null
+++ b/queue-4.19/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
@@ -0,0 +1,41 @@
+From e5f13b283754ea047cb9eeeace00b602ebff15ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 13:06:09 +0200
+Subject: bpftool: Check malloc return value in mount_bpffs_for_pin
+
+From: Tobias Klauser
+
+[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ]
+
+Fix and add a missing NULL check for the prior malloc() call.
+
+Fixes: 49a086c201a9 ("bpftool: implement prog load command")
+Signed-off-by: Tobias Klauser
+Signed-off-by: Daniel Borkmann
+Reviewed-by: Quentin Monnet
+Acked-by: Roman Gushchin
+Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index 158469f57461..7faf24ef3c80 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -182,6 +182,11 @@ int do_pin_fd(int fd, const char *name)
+ goto out;
+
+ file = malloc(strlen(name) + 1);
++ if (!file) {
++ p_err("mem alloc failed");
++ return -1;
++ }
++
+ strcpy(file, name);
+ dir = dirname(file);
+
+--
+2.30.2
+
diff --git a/queue-4.19/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch b/queue-4.19/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
new file mode 100644
index 00000000000..6be444d4ced
--- /dev/null
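Review bot: In the tools/bpf/bpftool/common.c hunk, the new allocation-failure branch leaves do_pin_fd() with `return -1;` while the context line just above it exits through `goto out;`, so the function now mixes two exit styles. The `out` label and the error variable it returns are outside the hunk; if the label only returns that variable, setting it and using `goto out;` would keep a single exit path, which makes it harder to miss cleanup if more is added later. The message `"mem alloc failed"` also gives no hint of what was being pinned; including `name` would help whoever reads the error.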
+++ b/queue-4.19/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
@@ -0,0 +1,36 @@
+From b77190df5d1cd2391e0ba9938cc4b8fc3c8845ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jul 2021 15:45:23 +0200
+Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free
+
+From: Maxime Ripard
+
+[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ]
+
+The mipi_dsi_device allocated by mipi_dsi_device_register_full() is
+already free'd on release.
+
+Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.")
+Signed-off-by: Maxime Ripard
+Reviewed-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+index aab6a70ece7f..06bd03915973 100644
+--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+@@ -454,7 +454,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c)
+ drm_panel_remove(&ts->base);
+
+ mipi_dsi_device_unregister(ts->dsi);
+- kfree(ts->dsi);
+
+ return 0;
+ }
+--
+2.30.2
+
diff --git a/queue-4.19/e1000e-fix-an-error-handling-path-in-e1000_probe.patch b/queue-4.19/e1000e-fix-an-error-handling-path-in-e1000_probe.patch
new file mode 100644
index 00000000000..fdaac5b1d41
--- /dev/null
+++ b/queue-4.19/e1000e-fix-an-error-handling-path-in-e1000_probe.patch
@@ -0,0 +1,38 @@
+From a2e834c03a418cd8f75230bd100d7d92a88c5391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET
+Acked-by: Sasha Neftin
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 6bbe7afdf30c..398f5951d11c 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7369,6 +7369,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.19/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch b/queue-4.19/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
new file mode 100644
index 00000000000..9f77b2c67b5
--- /dev/null
+++ b/queue-4.19/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
@@ -0,0 +1,36 @@
+From a31e0cd458f7a4dd2a29c151a941c25e24886bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:00:36 +0200
+Subject: fm10k: Fix an error handling path in 'fm10k_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+index c859ababeed5..6e888874010e 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+@@ -2228,6 +2228,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.19/iavf-fix-an-error-handling-path-in-iavf_probe.patch b/queue-4.19/iavf-fix-an-error-handling-path-in-iavf_probe.patch
new file mode 100644
index 00000000000..355863ac099
--- /dev/null
+++ b/queue-4.19/iavf-fix-an-error-handling-path-in-iavf_probe.patch
@@ -0,0 +1,36 @@
+From 17bed2ab8fea21c3dcdd642b4a312c03911d4dec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40evf/i40evf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+index f50c19b83368..ac5709624c7a 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c
++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+@@ -3735,6 +3735,7 @@ static int i40evf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.19/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/queue-4.19/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
new file mode 100644
index 00000000000..397a638f9e3
--- /dev/null
+++ b/queue-4.19/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
@@ -0,0 +1,59 @@
+From cc025d23575797ee96008d4c80fbab5bccc7f017 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov
+Reviewed-by: Grzegorz Siwik
+Reviewed-by: Arkadiusz Kubalewski
+Reviewed-by: Slawomir Laba
+Reviewed-by: Sylwester Dziedziuch
+Reviewed-by: Mateusz Palczewski
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 8558d2e4ec18..243e304c35cd 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -938,6 +938,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -946,7 +947,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i <
num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
diff --git a/queue-4.19/igb-fix-an-error-handling-path-in-igb_probe.patch b/queue-4.19/igb-fix-an-error-handling-path-in-igb_probe.patch
new file mode 100644
index 00000000000..b5f01bc8a2d
--- /dev/null
+++ b/queue-4.19/igb-fix-an-error-handling-path-in-igb_probe.patch
@@ -0,0 +1,37 @@
+From c1001bb86518525a356e4dc03b96a97366ae2e97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index cee5baa6d646..8558d2e4ec18 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3495,6 +3495,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.19/igb-fix-position-of-assignment-to-ring.patch b/queue-4.19/igb-fix-position-of-assignment-to-ring.patch
new file mode 100644
index 00000000000..0ca4be12347
--- /dev/null
+++ b/queue-4.19/igb-fix-position-of-assignment-to-ring.patch
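Review bot: Clamping only the local `num_q_vectors` in igb_request_msix() leaves `adapter->num_q_vectors` above MAX_Q_VECTORS, so any other loop that indexes `adapter->q_vector[]` by the adapter field would still run past the array; none is visible in this hunk, and the function continues beyond it. It would be safer to reject the bad count where it is computed, or to fail the request through the function's existing error unwinding rather than carry on with a truncated set of vectors. The `dev_warn()` prints the count with `%d` while the local copy is declared `unsigned int`; `%u` would match if the adapter field has the same type.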
@@ -0,0 +1,46 @@
+From 526ed6628da6682cb061d173d3c07c491d8343f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Jun 2021 22:42:17 +0000
+Subject: igb: Fix position of assignment to *ring
+
+From: Jedrzej Jagielski
+
+[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ]
+
+Assignment to *ring should be done after correctness check of the
+argument queue.
+
+Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()")
+Signed-off-by: Jedrzej Jagielski
+Acked-by: Vinicius Costa Gomes
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 243e304c35cd..6221dafc76b9 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1692,14 +1692,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter)
+ **/
+ static void igb_config_tx_modes(struct igb_adapter *adapter, int queue)
+ {
+- struct igb_ring *ring = adapter->tx_ring[queue];
+ struct net_device *netdev = adapter->netdev;
+ struct e1000_hw *hw = &adapter->hw;
++ struct igb_ring *ring;
+ u32 tqavcc, tqavctrl;
+ u16 value;
+
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
++ ring = adapter->tx_ring[queue];
+
+ /* If any of the Qav features is enabled, configure queues as SR and
+ * with HIGH PRIO. If none is, then configure them with LOW PRIO and
+--
+2.30.2
+
diff --git a/queue-4.19/igb-fix-use-after-free-error-during-reset.patch b/queue-4.19/igb-fix-use-after-free-error-during-reset.patch
new file mode 100644
index 00000000000..57a4258e4dc
--- /dev/null
+++ b/queue-4.19/igb-fix-use-after-free-error-during-reset.patch
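Review bot: `WARN_ON(queue < 0 || queue > 1);` only logs, and execution continues to the new `ring = adapter->tx_ring[queue];`, so an out-of-range `queue` still indexes the array, just one line later than before. Since igb_config_tx_modes() returns void, the check can gate the access directly: `if (WARN_ON(queue < 0 || queue > 1)) return;`. The function body continues past the hunk, so later uses of `queue` and `ring` are not visible here.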
@@ -0,0 +1,45 @@
+From f9e6dc7c36bdf14f294d5ee0d4f44c5094cf046d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes
+
+[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes
+Reported-by: Erez Geva
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index d85eb80d8249..cee5baa6d646 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4684,6 +4684,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
diff --git a/queue-4.19/ipv6-fix-disable_policy-for-fwd-packets.patch b/queue-4.19/ipv6-fix-disable_policy-for-fwd-packets.patch
new file mode 100644
index 00000000000..4a9c1175de4
--- /dev/null
+++ b/queue-4.19/ipv6-fix-disable_policy-for-fwd-packets.patch
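Review bot: The added `tx_buffer->next_to_watch = NULL;` in igb_clean_tx_ring() carries no comment, and the commit named in the Fixes tag removed this kind of clearing as unnecessary, so the line is at risk of being "optimised" away again. A short comment above it would record why it is load-bearing, for example `/* clear so a later clean pass does not treat this freed buffer as pending */`. The wording is inferred from the commit message; the code that reads next_to_watch is outside this hunk.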
@@ -0,0 +1,51 @@
+From ca54356ddbb695d8e7c085248ca6dfb5ff0be9eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jul 2021 11:13:35 +0200
+Subject: ipv6: fix 'disable_policy' for fwd packets
+
+From: Nicolas Dichtel
+
+[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]
+
+The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
+"disable_policy" sysctl") was to have the disable_policy from ipv4
+available on ipv6.
+However, it's not exactly the same mechanism. On IPv4, all packets coming
+from an interface, which has disable_policy set, bypass the policy check.
+For ipv6, this is done only for local packets, ie for packets destinated to
+an address configured on the incoming interface.
+
+Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
+effect for both protocols.
+
+My first approach was to create a new kind of route cache entries, to be
+able to set DST_NOPOLICY without modifying routes. This would have added a
+lot of code. Because the local delivery path is already handled, I choose
+to focus on the forwarding path to minimize code churn.
+
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_output.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index aa8f19f852cc..fc36f3b0dceb 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -459,7 +459,9 @@ int ip6_forward(struct sk_buff *skb)
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
++ if (!net->ipv6.devconf_all->disable_policy &&
++ !idev->cnf.disable_policy &&
++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+ __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
+ goto drop;
+ }
+--
+2.30.2
+
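Review bot: The added `!idev->cnf.disable_policy` term in ip6_forward() dereferences `idev` unconditionally, while the `__IP6_INC_STATS(net, idev, ...)` call two lines below is, as far as I know, written to tolerate a NULL device, which suggests `idev` can be NULL on this path; its assignment is outside the hunk, so this is inferred. If it can, a forwarded packet arriving on a device without IPv6 state would hit a NULL dereference before the policy check runs. Writing the term as `(!idev || !idev->cnf.disable_policy) &&` keeps the XFRM forward policy check in force when there is no per-device configuration. A comment noting that either sysctl skips the forward policy check entirely for that traffic would also help anyone auditing IPsec enforcement.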
diff --git a/queue-4.19/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch b/queue-4.19/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
new file mode 100644
index 00000000000..1005a571cde
--- /dev/null
+++ b/queue-4.19/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
@@ -0,0 +1,37 @@
+From 047a5d9d41bf07ea426fd68998771a4e0990361e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8fcd3ffb43e0..4d9d97e0b6c4 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -10925,6 +10925,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
diff --git a/queue-4.19/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch b/queue-4.19/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
new file mode 100644
index 00000000000..ee81754990e
--- /dev/null
+++ b/queue-4.19/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
@@ -0,0 +1,51 @@
+From 17b8dd5d9404fa42c949a627d874fdbdf47ad8cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jul 2021 12:43:10 +1000
+Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
+
+From: Nicholas Piggin
+
+[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ]
+
+vcpu_put is not called if the user copy fails. This can result in preempt
+notifier corruption and crashes, among other issues.
+
+Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl")
+Reported-by: Alexey Kardashevskiy
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kvm/powerpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index 7c8354dfe80e..ad5a871a6cbf 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -1995,9 +1995,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ {
+ struct kvm_enable_cap cap;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&cap, argp, sizeof(cap)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap);
+ vcpu_put(vcpu);
+ break;
+@@ -2021,9 +2021,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ case KVM_DIRTY_TLB: {
+ struct kvm_dirty_tlb dirty;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&dirty, argp, sizeof(dirty)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty);
+ vcpu_put(vcpu);
+ break;
+--
+2.30.2
+
diff --git a/queue-4.19/liquidio-fix-unintentional-sign-extension-issue-on-l.patch b/queue-4.19/liquidio-fix-unintentional-sign-extension-issue-on-l.patch
new file mode 100644
index 00000000000..ffb62c3c2ee
--- /dev/null
+++ b/queue-4.19/liquidio-fix-unintentional-sign-extension-issue-on-l.patch
@@ -0,0 +1,43 @@
+From efcc096758cf5b01ac8a647416ca6b589d1e33c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jul 2021 16:23:43 +0100
+Subject: liquidio: Fix unintentional sign extension issue on left shift of u16
+
+From: Colin Ian King
+
+[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ]
+
+Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS
+(29) bits will be promoted to a 32 bit signed int and then sign-extended
+to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7)
+the shifted value will be sign extended and the top 32 bits of the result
+will be set.
+
+Fix this by casting the u16 values to a u64 before the 29 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+
+Fixes: 3451b97cce2d ("liquidio: CN23XX register setup")
+Signed-off-by: Colin Ian King
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+index 55fe80ca10d3..9e447983d0aa 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct)
+ * bits 32:47 indicate the PVF num.
+ */
+ for (q_no = 0; q_no < ern; q_no++) {
+- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
+
+ /* for VF assigned queues. */
+ if (q_no < oct->sriov_info.pf_srn) {
+--
+2.30.2
+
diff --git a/queue-4.19/net-decnet-fix-sleeping-inside-in-af_decnet.patch b/queue-4.19/net-decnet-fix-sleeping-inside-in-af_decnet.patch
new file mode 100644
index 00000000000..9a7ad8e5ecc
--- /dev/null
+++ b/queue-4.19/net-decnet-fix-sleeping-inside-in-af_decnet.patch
@@ -0,0 +1,126 @@
+From 7bf48961bf86b202963e0f51b60c1730e85b86d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 0e6f32defd67..cc7077105969 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -823,7 +823,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -833,11 +833,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -851,9 +851,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@
-865,7 +864,7 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -874,11 +873,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -892,9 +891,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1039,16 +1037,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1063,9 +1061,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++
remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
diff --git a/queue-4.19/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch b/queue-4.19/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
new file mode 100644
index 00000000000..faee4fb5703
--- /dev/null
+++ b/queue-4.19/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
@@ -0,0 +1,57 @@
+From f035cff6794e736190d6e08ec652b6237f1aa361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 4b31f0aaa96d..348b8cb0bc24 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
diff --git a/queue-4.19/net-sched-act_skbmod-skip-non-ethernet-packets.patch b/queue-4.19/net-sched-act_skbmod-skip-non-ethernet-packets.patch
new file mode 100644
index 00000000000..61502cc6244
--- /dev/null
+++ b/queue-4.19/net-sched-act_skbmod-skip-non-ethernet-packets.patch
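Review bot: The new `nr_segs == 0` test in caif_seqpkt_sendmsg() covers the empty-iovec case, but the second operand still reads `msg->msg_iter.iov->iov_base` on the assumption that the iterator is iovec-backed. Whether a non-iovec iterator can reach this function is not visible in the hunk; if it can, `iov` is the wrong view of the iterator and the NULL test does not mean what it appears to. Checking `iter_is_iovec(&msg->msg_iter)` first, or validating the payload length instead of the first segment's base pointer, would remove that assumption. The two `unlikely()` wrappers could also be merged into a single one around the whole `||` expression.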
@@ -0,0 +1,70 @@ +From 520a75f52bd6b3a13eb06e1aab7fec3a77cfc82a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 16:41:24 -0700 +Subject: net/sched: act_skbmod: Skip non-Ethernet packets + +From: Peilin Ye + +[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ] + +Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 +protocol, which is not always the case. As an example, for CAN devices: + + $ ip link add dev vcan0 type vcan + $ ip link set up vcan0 + $ tc qdisc add dev vcan0 root handle 1: htb + $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ + matchall action skbmod swap mac + +Doing the above silently corrupts all the packets. Do not perform skbmod +actions for non-Ethernet packets. + +Fixes: 86da71b57383 ("net_sched: Introduce skbmod action") +Reviewed-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_skbmod.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c +index 21d195296121..03a272af664a 100644 +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -10,6 +10,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -36,6 +37,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + tcf_lastuse_update(&d->tcf_tm); + bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb); + ++ action = READ_ONCE(d->tcf_action); ++ if (unlikely(action == TC_ACT_SHOT)) ++ goto drop; ++ ++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER) ++ return action; ++ + /* XXX: if you are going to edit more fields beyond ethernet header + * (example when you add IP header replacement or vlan swap) + * then MAX_EDIT_LEN needs to change appropriately +@@ -44,10 +52,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + if (unlikely(err)) /* best policy is to drop on the floor */ + goto drop; + +- action = 
READ_ONCE(d->tcf_action); +- if (unlikely(action == TC_ACT_SHOT)) +- goto drop; +- + p = rcu_dereference_bh(d->skbmod_p); + flags = p->flags; + if (flags & SKBMOD_F_DMAC) +-- +2.30.2 + diff --git a/queue-4.19/net-sched-cls_api-fix-the-the-wrong-parameter.patch b/queue-4.19/net-sched-cls_api-fix-the-the-wrong-parameter.patch new file mode 100644 index 00000000000..0d4526c9d1a --- /dev/null +++ b/queue-4.19/net-sched-cls_api-fix-the-the-wrong-parameter.patch @@ -0,0 +1,36 @@ +From 045a51feedc6b3ba8c3ab1312925e16437318c6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:23:43 +0800 +Subject: net: sched: cls_api: Fix the the wrong parameter + +From: Yajun Deng + +[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ] + +The 4th parameter in tc_chain_notify() should be flags rather than seq. +Let's change it back correctly. + +Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 184c20b86393..4413aa8d4e82 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1918,7 +1918,7 @@ replay: + break; + case RTM_GETCHAIN: + err = tc_chain_notify(chain, skb, n->nlmsg_seq, +- n->nlmsg_seq, n->nlmsg_type, true); ++ n->nlmsg_flags, n->nlmsg_type, true); + if (err < 0) + NL_SET_ERR_MSG(extack, "Failed to send chain notify message"); + break; +-- +2.30.2 + diff --git a/queue-4.19/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch b/queue-4.19/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch new file mode 100644 index 00000000000..ecb52b9f52d --- /dev/null +++ b/queue-4.19/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch 
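Review bot: In tcf_skbmod_act() the new `skb->dev->type != ARPHRD_ETHER` early return hands back the configured action without touching the packet and without any counter or comment, so an skbmod rule attached to a non-Ethernet device becomes a silent no-op. A short comment above the test would record the intent, for example `/* skbmod rewrites the Ethernet header; pass other link types through unmodified */`. The function body starts and ends outside both hunks of this patch, so the `drop` path that the moved `TC_ACT_SHOT` check jumps to is not visible here.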
@@ -0,0 +1,72 @@ +From f1bc05176c14590a3e89eccc4d40ef8d06799d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 02:12:18 -0700 +Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp + +From: Eric Dumazet + +[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ] + +tfo_active_disable_stamp is read and written locklessly. +We need to annotate these accesses appropriately. + +Then, we need to perform the atomic_inc(tfo_active_disable_times) +after the timestamp has been updated, and thus add barriers +to make sure tcp_fastopen_active_should_disable() wont read +a stale timestamp. + +Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 018a48477355..2ab371f55525 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -454,8 +454,15 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ ++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); ++ ++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable(). ++ * We want net->ipv4.tfo_active_disable_stamp to be updated first. 
++ */ ++ smp_mb__before_atomic(); + atomic_inc(&net->ipv4.tfo_active_disable_times); +- net->ipv4.tfo_active_disable_stamp = jiffies; ++ + NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE); + } + +@@ -473,10 +480,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk) + if (!tfo_da_times) + return false; + ++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */ ++ smp_rmb(); ++ + /* Limit timout to max: 2^6 * initial timeout */ + multiplier = 1 << min(tfo_da_times - 1, 6); +- timeout = multiplier * tfo_bh_timeout * HZ; +- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout)) ++ ++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */ ++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) + ++ multiplier * tfo_bh_timeout * HZ; ++ if (time_before(jiffies, timeout)) + return true; + + /* Mark check bit so we can check for successful active TFO +-- +2.30.2 + diff --git a/queue-4.19/netrom-decrease-sock-refcount-when-sock-timers-expir.patch b/queue-4.19/netrom-decrease-sock-refcount-when-sock-timers-expir.patch new file mode 100644 index 00000000000..c52441e8e6d --- /dev/null +++ b/queue-4.19/netrom-decrease-sock-refcount-when-sock-timers-expir.patch 
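Review bot: In tcp_fastopen_active_should_disable() the local `timeout` now stores an absolute jiffies deadline (the `READ_ONCE()` of `tfo_active_disable_stamp` plus `multiplier * tfo_bh_timeout * HZ`) rather than a duration, while keeping its old name. Its declaration is outside the hunk, so confirm it is `unsigned long`; a narrower type would truncate the stamp before `time_before()` compares it. A one-line comment on the assignment such as `/* absolute deadline in jiffies, not a duration */`, or renaming the variable, would keep the next reader from misusing it. The read of `tfo_active_disable_times` that the new `smp_rmb()` orders against is also above the hunk.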
@@ -0,0 +1,118 @@ +From 5403c267e82cc1041bdd89951f6c24d2908e8136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 22:40:13 +0800 +Subject: netrom: Decrease sock refcount when sock timers expire + +From: Nguyen Dinh Phi + +[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ] + +Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use +sock timer API. It replaces mod_timer() by sk_reset_timer(), and +del_timer() by sk_stop_timer(). + +Function sk_reset_timer() will increase the refcount of sock if it is +called on an inactive timer, hence, in case the timer expires, we need to +decrease the refcount ourselves in the handler, otherwise, the sock +refcount will be unbalanced and the sock will never be freed. + +Signed-off-by: Nguyen Dinh Phi +Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com +Fixes: 63346650c1a9 ("netrom: switch to sock timer API") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 908e53ab47a4..426d49609524 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -124,11 +124,9 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. 
*/ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); +- sock_put(sk); +- return; ++ goto out; + } + break; + +@@ -149,6 +147,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + + nr_start_heartbeat(sk); + bh_unlock_sock(sk); ++out: ++ sock_put(sk); + } + + static void nr_t2timer_expiry(struct timer_list *t) +@@ -162,6 +162,7 @@ static void nr_t2timer_expiry(struct timer_list *t) + nr_enquiry_response(sk); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t4timer_expiry(struct timer_list *t) +@@ -172,6 +173,7 @@ static void nr_t4timer_expiry(struct timer_list *t) + bh_lock_sock(sk); + nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_idletimer_expiry(struct timer_list *t) +@@ -200,6 +202,7 @@ static void nr_idletimer_expiry(struct timer_list *t) + sock_set_flag(sk, SOCK_DEAD); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t1timer_expiry(struct timer_list *t) +@@ -212,8 +215,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_1: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_CONNREQ); +@@ -223,8 +225,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_2: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_DISCREQ); +@@ -234,8 +235,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_3: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_requeue_frames(sk); +@@ -244,5 +244,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + } + + nr_start_t1timer(sk); ++out: + 
bh_unlock_sock(sk); ++ sock_put(sk); + } +-- +2.30.2 + diff --git a/queue-4.19/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch b/queue-4.19/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch new file mode 100644 index 00000000000..e658284a177 --- /dev/null +++ b/queue-4.19/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch @@ -0,0 +1,44 @@ +From d8159921fac2af5273e20e17cb14abadca1a9754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 14:14:32 -0700 +Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove + +From: Casey Chen + +[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ] + +nvme_dev_remove_admin could free dev->admin_q and the admin_tagset +while they are being accessed by nvme_dev_disable(), which can be called +by nvme_reset_work via nvme_remove_dead_ctrl. + +Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +intended to avoid requests being stuck on a removed controller by killing +the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce +admin queue on shutdown"), together with nvme_dev_disable(dev, true) +right before nvme_dev_remove_admin() could help dispatch requests and +fail them early, so we don't need nvme_dev_remove_admin() any more. + +Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +Signed-off-by: Casey Chen +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 82d87d2e280c..8f1f10fa0dd6 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2605,7 +2605,6 @@ static void nvme_remove(struct pci_dev *pdev) + if (!pci_device_is_present(pdev)) { + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD); + nvme_dev_disable(dev, true); +- nvme_dev_remove_admin(dev); + } + + flush_work(&dev->ctrl.reset_work); +-- +2.30.2 + 
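Review bot: The destroy branch of nr_heartbeat_expiry() now calls `nr_destroy_socket(sk)` with only the timer's reference held, because the `sock_hold(sk)` that used to bracket the call is removed and the `sock_put(sk)` moves to the new `out:` label. That is balanced only if nr_destroy_socket() drops no more than the references it owns; its body is not part of the patch, so this should be confirmed. Each of the five handlers would also benefit from a comment at the added put, e.g. `/* drop the reference taken by sk_reset_timer() */`, since the pairing is otherwise explained only in the commit message.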
diff --git a/queue-4.19/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch b/queue-4.19/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 00000000000..87fdc75772f --- /dev/null +++ b/queue-4.19/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch 
@@ -0,0 +1,81 @@ +From 0f8fde288fb955b5b98d3550d792d5641b73dc17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING + +From: Zhihao Cheng + +[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ] + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. 
+ +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 8f1f10fa0dd6..d7cf3202cdd3 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2273,7 +2273,9 @@ static void nvme_reset_work(struct work_struct *work) + int result; + enum nvme_ctrl_state new_state = NVME_CTRL_LIVE; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) { ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + result = -ENODEV; + goto out; + } +-- +2.30.2 + diff --git a/queue-4.19/perf-dso-fix-memory-leak-in-dso__new_map.patch b/queue-4.19/perf-dso-fix-memory-leak-in-dso__new_map.patch new file mode 100644 index 00000000000..dee98479cf4 --- /dev/null +++ b/queue-4.19/perf-dso-fix-memory-leak-in-dso__new_map.patch 
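Review bot: In nvme_reset_work() `dev->ctrl.state` is read once for the comparison and again for the `dev_warn()` argument, and the commit message describes exactly the case where another path changes the state concurrently, so the value logged can differ from the value that failed the test. Reading it into a local first keeps the message truthful: `enum nvme_ctrl_state state = dev->ctrl.state;`, then `if (state != NVME_CTRL_RESETTING) {` and `dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", state);`. Since the commit message shows the path can be driven repeatedly from sysfs, a rate-limited form of the warning may also be worth considering.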
@@ -0,0 +1,54 @@
+From 1c12dcd6715446aaa9cc565ae70c809a046bc5c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:11 +0200
+Subject: perf dso: Fix memory leak in dso__new_map()
+
+From: Riccardo Mancini
+
+[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in".
+
+The causes of the leaks are two, this patch addresses only the first
+one, which is related to dso__new_map().
+
+The bug is that dso__new_map() creates a new dso but never decreases the
+refcount it gets from creating it.
+
+This patch adds the missing dso__put().
+
+Signed-off-by: Riccardo Mancini
+Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/dso.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 56f86317694d..1231f3181041 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -1025,8 +1025,10 @@ struct map *dso__new_map(const char *name)
+ struct map *map = NULL;
+ struct dso *dso = dso__new(name);
+
+- if (dso)
++ if (dso) {
+ map = map__new2(0, dso);
++ dso__put(dso);
++ }
+
+ return map;
+ }
+--
+2.30.2
+
diff --git a/queue-4.19/perf-lzma-close-lzma-stream-on-exit.patch b/queue-4.19/perf-lzma-close-lzma-stream-on-exit.patch
new file mode 100644
index 00000000000..d5cedf0eaf8
--- /dev/null
+++ b/queue-4.19/perf-lzma-close-lzma-stream-on-exit.patch
@@ -0,0 +1,72 @@ +From 6244f544c63f5073db63f6debe21a4b881e88be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:19 +0200 +Subject: perf lzma: Close lzma stream on exit + +From: Riccardo Mancini + +[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ] + +ASan reports memory leaks when running: + + # perf test "88: Check open filename arg using perf trace + vfs_getname" + +One of these is caused by the lzma stream never being closed inside +lzma_decompress_to_file(). + +This patch adds the missing lzma_end(). + +Signed-off-by: Riccardo Mancini +Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/lzma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c +index b1dd29a9d915..6c844110fc25 100644 +--- a/tools/perf/util/lzma.c ++++ b/tools/perf/util/lzma.c +@@ -68,7 +68,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (ferror(infile)) { + pr_err("lzma: read error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + if (feof(infile)) +@@ -82,7 +82,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (writen(output_fd, buf_out, write_size) != write_size) { + pr_err("lzma: write error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + strm.next_out = buf_out; +@@ -94,11 +94,13 @@ int lzma_decompress_to_file(const char *input, int output_fd) + break; + + pr_err("lzma: failed %s\n", lzma_strerror(ret)); +- goto err_fclose; ++ goto err_lzma_end; + } + } + + err = 0; ++err_lzma_end: ++ lzma_end(&strm); + err_fclose: + fclose(infile); + return err; +-- +2.30.2 
+ diff --git a/queue-4.19/perf-map-fix-dso-nsinfo-refcounting.patch b/queue-4.19/perf-map-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..0edac31e0a2 --- /dev/null +++ b/queue-4.19/perf-map-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,51 @@ +From 1fb1e147340bfc55d4ad273d65aaabf0061a4057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf map: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ] + +ASan reports a memory leak of nsinfo during the execution of + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 769d11575a7b..603086692290 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -209,6 +209,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len, + if (!(prot & PROT_EXEC)) + dso__set_loaded(dso); + } ++ ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; + dso__put(dso); + } +-- +2.30.2 + diff --git a/queue-4.19/perf-probe-file-delete-namelist-in-del_events-on-the.patch b/queue-4.19/perf-probe-file-delete-namelist-in-del_events-on-the.patch new file mode 100644 index 00000000000..32a7a961dfc --- /dev/null 
+++ b/queue-4.19/perf-probe-file-delete-namelist-in-del_events-on-the.patch @@ -0,0 +1,54 @@ +From 007a4796bdf2e8b726af4adf059d8cfccdc6c502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:25 +0200 +Subject: perf probe-file: Delete namelist in del_events() on the error path + +From: Riccardo Mancini + +[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +This second leak is caused by a strlist not being dellocated on error +inside probe_file__del_events. + +This patch adds a goto label before the deallocation and makes the error +path jump to it. + +Signed-off-by: Riccardo Mancini +Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c +index 6a6548890d5a..b67ae3b8d996 100644 +--- a/tools/perf/util/probe-file.c ++++ b/tools/perf/util/probe-file.c +@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter) + + ret = probe_file__get_events(fd, filter, namelist); + if (ret < 0) +- return ret; ++ goto out; + + ret = probe_file__del_strlist(fd, namelist); ++out: + strlist__delete(namelist); +- + return ret; + } + +-- +2.30.2 + diff --git a/queue-4.19/perf-probe-fix-dso-nsinfo-refcounting.patch b/queue-4.19/perf-probe-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..40dc57214f6 --- /dev/null +++ b/queue-4.19/perf-probe-fix-dso-nsinfo-refcounting.patch 
@@ -0,0 +1,54 @@
+From 6c6242b07f507b3f5444f8e95b3b931d1221afb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf probe: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini
+
+[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread".
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever
+a refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini
+Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Krister Johansen
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/probe-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index 4ac3c89bfac8..633fa5425fd9 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -184,8 +184,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user)
+ struct map *map;
+
+ map = dso__new_map(target);
+- if (map && map->dso)
++ if (map && map->dso) {
++ nsinfo__put(map->dso->nsinfo);
+ map->dso->nsinfo = nsinfo__get(nsi);
++ }
+ return map;
+ } else {
+ return kernel_get_module_map(target);
+--
+2.30.2
+
diff --git a/queue-4.19/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch b/queue-4.19/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
new file mode 100644
index 00000000000..2f40a9ff13a
--- /dev/null
+++ b/queue-4.19/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
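Review bot: In get_target_map() the old `map->dso->nsinfo` is put before the new reference is taken, so if the two pointers were ever the same object and that put released its last reference, `nsinfo__get(nsi)` would run on freed memory. Taking the new reference first removes the ordering hazard: `struct nsinfo *new_nsi = nsinfo__get(nsi);`, `nsinfo__put(map->dso->nsinfo);`, `map->dso->nsinfo = new_nsi;`. The dso here comes straight from `dso__new_map(target)`, so aliasing looks unlikely in practice, but the get-before-put order costs nothing.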
@@ -0,0 +1,64 @@
+From 7acf0058cce8d835d61faa2be62da52e43fed751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:18 +0200
+Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit
+
+From: Riccardo Mancini
+
+[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ]
+
+ASan reports several memory leaks while running:
+
+ # perf test "82: Use vfs_getname probe to get syscall args filenames"
+
+Two of these are caused by some refcounts not being decreased on
+perf-script exit, namely script.threads and script.cpus.
+
+This patch adds the missing __put calls in a new perf_script__exit
+function, which is called at the end of cmd_script.
+
+This patch concludes the fixes of all remaining memory leaks in perf
+test "82: Use vfs_getname probe to get syscall args filenames".
+
+Signed-off-by: Riccardo Mancini
+Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-script.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 1200973c77cb..5f369d4b08f7 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -2207,6 +2207,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script)
+ }
+ }
+
++static void perf_script__exit(struct perf_script *script)
++{
++ perf_thread_map__put(script->threads);
++ perf_cpu_map__put(script->cpus);
++}
++
+ static int __cmd_script(struct perf_script *script)
+ {
+ int ret;
+@@ -3534,6 +3540,7 @@ out_delete:
+
+ perf_evlist__free_stats(session->evlist);
+ perf_session__delete(session);
++ perf_script__exit(&script);
+
+ if (script_started)
+ cleanup_scripting();
+--
+2.30.2
+
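Review bot: The new perf_script__exit() calls `perf_thread_map__put()` and `perf_cpu_map__put()`, and the session_topology patch later in this series calls `evlist__delete()`; as far as I recall, the 4.19 perf tree still used the older names (`thread_map__put()`, `cpu_map__put()`, `perf_evlist__delete()`), so both backports should be build-tested against the 4.19 tools/perf tree before they are queued. If the newer names are indeed missing there, the two added calls become `thread_map__put(script->threads);` and `cpu_map__put(script->cpus);`. The helper is also reached only through the `out_delete:` label shown in the second hunk; exits that bypass that label are outside the hunk and would still leak.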
diff --git a/queue-4.19/perf-test-bpf-free-obj_buf.patch b/queue-4.19/perf-test-bpf-free-obj_buf.patch new file mode 100644 index 00000000000..eee03e21595 --- /dev/null +++ b/queue-4.19/perf-test-bpf-free-obj_buf.patch @@ -0,0 +1,56 @@ +From 05dc5096c61999a8815260420879a6124e3e1457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:24 +0200 +Subject: perf test bpf: Free obj_buf + +From: Riccardo Mancini + +[ Upstream commit 937654ce497fb6e977a8c52baee5f7d9616302d9 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +The first of these leaks is caused by obj_buf never being deallocated in +__test__bpf. + +This patch adds the missing free. + +Signed-off-by: Riccardo Mancini +Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com +[ Added missing stdlib.h include ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/tests/bpf.c b/tools/perf/tests/bpf.c +index 79b54f8ddebf..df478f67b6b6 100644 +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -1,5 +1,6 @@ + #include + #include ++#include + #include + #include + #include +@@ -277,6 +278,7 @@ static int __test__bpf(int idx) + } + + out: ++ free(obj_buf); + bpf__clear(); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.19/perf-test-session_topology-delete-session-evlist.patch b/queue-4.19/perf-test-session_topology-delete-session-evlist.patch new file mode 100644 index 00000000000..35f36fafce6 --- /dev/null +++ b/queue-4.19/perf-test-session_topology-delete-session-evlist.patch 
@@ -0,0 +1,48 @@
+From 6df97b58f5d003c3451f5531e650fb73dc11971a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 18:07:08 +0200
+Subject: perf test session_topology: Delete session->evlist
+
+From: Riccardo Mancini
+
+[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ]
+
+ASan reports a memory leak related to session->evlist while running:
+
+ # perf test "41: Session topology".
+
+When perf_data is in write mode, session->evlist is owned by the caller,
+which should also take care of deleting it.
+
+This patch adds the missing evlist__delete().
+
+Signed-off-by: Riccardo Mancini
+Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology")
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Kan Liang
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/tests/topology.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c
+index 9497d02f69e6..bed53ed82af7 100644
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -52,6 +52,7 @@ static int session_write_header(char *path)
+ TEST_ASSERT_VAL("failed to write header",
+ !perf_session__write_header(session, session->evlist, data.file.fd, true));
+
++ evlist__delete(session->evlist);
+ perf_session__delete(session);
+
+ return 0;
+--
+2.30.2
+
diff --git a/queue-4.19/proc-avoid-mixing-integer-types-in-mem_rw.patch b/queue-4.19/proc-avoid-mixing-integer-types-in-mem_rw.patch
new file mode 100644
index 00000000000..8d92c6e603f
--- /dev/null
+++ b/queue-4.19/proc-avoid-mixing-integer-types-in-mem_rw.patch
@@ -0,0 +1,52 @@
+From b996b1b8420756280eaa8501cfffbdc525aa7ce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Jun 2021 18:54:38 -0700
+Subject: proc: Avoid mixing integer types in mem_rw()
+
+From: Marcelo Henrique Cerri
+
+[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ]
+
+Use size_t when capping the count argument received by mem_rw(). Since
+count is size_t, using min_t(int, ...) can lead to a negative value
+that will later be passed to access_remote_vm(), which can cause
+unexpected behavior.
+
+Since we are capping the value to at maximum PAGE_SIZE, the conversion
+from size_t to int when passing it to access_remote_vm() as "len"
+shouldn't be a problem.
+
+Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com
+Reviewed-by: David Disseldorp
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Marcelo Henrique Cerri
+Cc: Alexey Dobriyan
+Cc: Souza Cascardo
+Cc: Christian Brauner
+Cc: Michel Lespinasse
+Cc: Helge Deller
+Cc: Oleg Nesterov
+Cc: Lorenzo Stoakes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 317a0762fc5f..e3f10c110b74 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -835,7 +835,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
+
+ while (count > 0) {
+- int this_len = min_t(int, count, PAGE_SIZE);
++ size_t this_len = min_t(size_t, count, PAGE_SIZE);
+
+ if (write && copy_from_user(page, buf, this_len)) {
+ copied = -EFAULT;
+--
+2.30.2
+
diff --git a/queue-4.19/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch b/queue-4.19/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
new file mode 100644
index 00000000000..18c71cc8537
--- /dev/null
+++ b/queue-4.19/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
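Review bot: Changing `this_len` to `size_t` in mem_rw() removes the `min_t(int, ...)` truncation, but the rest of the loop is outside the hunk and has to be re-read with the new type in mind: any place where `this_len` receives the `int` result of access_remote_vm(), or is compared against a negative value, now behaves differently. The commit message states the value is capped at PAGE_SIZE, which is what makes the narrowing on the way into access_remote_vm() safe. A comment on the declaration, `/* capped at PAGE_SIZE, so the later size_t -> int conversion cannot overflow */`, would keep that reasoning next to the code.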
@@ -0,0 +1,56 @@
+From 8b7487b4b0a561596f4e269c5ee708b91f34a2ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jul 2021 11:25:16 +0200
+Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE
+ modem"
+
+From: Vincent Palatin
+
+[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ]
+
+This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd.
+
+While the patch was working as stated,ie preventing the L850-GL LTE modem
+from crashing on some U3 wake-ups due to a race condition between the
+host wake-up and the modem-side wake-up, when using the MBIM interface,
+this would force disabling the USB runtime PM on the device.
+
+The increased power consumption is significant for LTE laptops,
+and given that with decently recent modem firmwares, when the modem hits
+the bug, it automatically recovers (ie it drops from the bus, but
+automatically re-enumerates after less than half a second, rather than being
+stuck until a power cycle as it was doing with ancient firmware), for
+most people, the trade-off now seems in favor of re-enabling it by
+default.
+
+For people with access to the platform code, the bug can also be worked-around
+successfully by changing the USB3 LFPM polling off-time for the XHCI
+controller in the BIOS code.
+
+Signed-off-by: Vincent Palatin
+Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org
+Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem")
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/core/quirks.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index f6a6c54cba35..d97544fd339b 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
+- /* Fibocom L850-GL LTE Modem */
+- { USB_DEVICE(0x2cb7, 0x0007), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.30.2
+
diff --git a/queue-4.19/s390-bpf-perform-r1-range-checking-before-accessing-.patch b/queue-4.19/s390-bpf-perform-r1-range-checking-before-accessing-.patch
new file mode 100644
index 00000000000..1def8c8bcf3
--- /dev/null
+++ b/queue-4.19/s390-bpf-perform-r1-range-checking-before-accessing-.patch
@@ -0,0 +1,44 @@
+From 30e18b4fb29739e154448a4e754e2bb4184861d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jul 2021 13:57:12 +0100
+Subject: s390/bpf: Perform r1 range checking before accessing
+ jit->seen_reg[r1]
+
+From: Colin Ian King
+
+[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ]
+
+Currently array jit->seen_reg[r1] is being accessed before the range
+checking of index r1. The range changing on r1 should be performed
+first since it will avoid any potential out-of-range accesses on the
+array seen_reg[] and also it is more optimal to perform checks on r1
+before fetching data from the array. Fix this by swapping the order
+of the checks before the array access.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Colin Ian King
+Signed-off-by: Daniel Borkmann
+Tested-by: Ilya Leoshkevich
+Acked-by: Ilya Leoshkevich
+Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 2617e426c792..e42354b15e0b 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -113,7 +113,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
+ {
+ u32 r1 = reg2hex[b1];
+
+- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
+ jit->seen_reg[r1] = 1;
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.19/scsi-iscsi-fix-iface-sysfs-attr-detection.patch b/queue-4.19/scsi-iscsi-fix-iface-sysfs-attr-detection.patch
new file mode 100644
index 00000000000..c241dae7525
--- /dev/null
+++ b/queue-4.19/scsi-iscsi-fix-iface-sysfs-attr-detection.patch
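Review bot: `reg2hex[b1]` in reg_set_seen() is still indexed before anything constrains `b1`; the reordered test only protects `jit->seen_reg[r1]`. The size of reg2hex[] and the callers are not visible here, so the bound may be guaranteed elsewhere. Either way the precondition should be written next to the lookup, e.g. `/* b1 is a BPF register number validated before JIT; reg2hex[] has an entry for every such value */`, or enforced with an explicit bound check if that guarantee does not hold.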
@@ -0,0 +1,146 @@
+From 8266ddf25b4291ba130967a88a04304f4d06a0a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Jun 2021 19:25:59 -0500
+Subject: scsi: iscsi: Fix iface sysfs attr detection
+
+From: Mike Christie
+
+[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ]
+
+A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when
+iscsi_iface_attr_is_visible tries to figure out the type by just checking
+the value, we can collide and return the wrong type. When we call into the
+driver we might not match and return that we don't want attr visible in
+sysfs. The patch fixes this by setting the type when we figure out what the
+param is.
+
+Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com
+Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings")
+Signed-off-by: Mike Christie
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------
+ 1 file changed, 34 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 2aaa5a2bd613..20e69052161e 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -427,39 +427,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct device *dev = container_of(kobj, struct device, kobj);
+ struct iscsi_iface *iface = iscsi_dev_to_iface(dev);
+ struct iscsi_transport *t = iface->transport;
+- int param;
+- int param_type;
++ int param = -1;
+
+ if (attr == &dev_attr_iface_enabled.attr)
+ param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_vlan_id.attr)
+- param = ISCSI_NET_PARAM_VLAN_ID;
+- else if (attr == &dev_attr_iface_vlan_priority.attr)
+- param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+- else if (attr == &dev_attr_iface_vlan_enabled.attr)
+- param = ISCSI_NET_PARAM_VLAN_ENABLED;
+- else if (attr == &dev_attr_iface_mtu.attr)
+- param = ISCSI_NET_PARAM_MTU;
+- else if (attr == &dev_attr_iface_port.attr)
+- param = ISCSI_NET_PARAM_PORT;
+- else if (attr == &dev_attr_iface_ipaddress_state.attr)
+- param = ISCSI_NET_PARAM_IPADDR_STATE;
+- else if (attr == &dev_attr_iface_delayed_ack_en.attr)
+- param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
+- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF;
+- else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
+- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
+- else if (attr == &dev_attr_iface_cache_id.attr)
+- param = ISCSI_NET_PARAM_CACHE_ID;
+- else if (attr == &dev_attr_iface_redirect_en.attr)
+- param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+@@ -496,6 +467,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN;
+ else if (attr == &dev_attr_iface_initiator_name.attr)
+ param = ISCSI_IFACE_PARAM_INITIATOR_NAME;
++
++ if (param != -1)
++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
++
++ if (attr == &dev_attr_iface_vlan_id.attr)
++ param = ISCSI_NET_PARAM_VLAN_ID;
++ else if (attr == &dev_attr_iface_vlan_priority.attr)
++ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
++ else if (attr == &dev_attr_iface_vlan_enabled.attr)
++ param = ISCSI_NET_PARAM_VLAN_ENABLED;
++ else if (attr == &dev_attr_iface_mtu.attr)
++ param = ISCSI_NET_PARAM_MTU;
++ else if (attr == &dev_attr_iface_port.attr)
++ param = ISCSI_NET_PARAM_PORT;
++ else if (attr == &dev_attr_iface_ipaddress_state.attr)
++ param = ISCSI_NET_PARAM_IPADDR_STATE;
++ else if (attr == &dev_attr_iface_delayed_ack_en.attr)
++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF;
++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
++ else if (attr == &dev_attr_iface_cache_id.attr)
++ param = ISCSI_NET_PARAM_CACHE_ID;
++ else if (attr == &dev_attr_iface_redirect_en.attr)
++ param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) {
+ if (attr == &dev_attr_ipv4_iface_ipaddress.attr)
+ param = ISCSI_NET_PARAM_IPV4_ADDR;
+@@ -586,32 +589,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ return 0;
+ }
+
+- switch (param) {
+- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO:
+- case ISCSI_IFACE_PARAM_HDRDGST_EN:
+- case ISCSI_IFACE_PARAM_DATADGST_EN:
+- case ISCSI_IFACE_PARAM_IMM_DATA_EN:
+- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN:
+- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN:
+- case ISCSI_IFACE_PARAM_PDU_INORDER_EN:
+- case ISCSI_IFACE_PARAM_ERL:
+- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH:
+- case ISCSI_IFACE_PARAM_FIRST_BURST:
+- case ISCSI_IFACE_PARAM_MAX_R2T:
+- case ISCSI_IFACE_PARAM_MAX_BURST:
+- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN:
+- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN:
+- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL:
+- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN:
+- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN:
+- case ISCSI_IFACE_PARAM_INITIATOR_NAME:
+- param_type = ISCSI_IFACE_PARAM;
+- break;
+- default:
+- param_type = ISCSI_NET_PARAM;
+- }
+-
+- return t->attr_is_visible(param_type, param);
++ return t->attr_is_visible(ISCSI_NET_PARAM, param);
+ }
+
+ static struct attribute *iscsi_iface_attrs[] = {
+--
+2.30.2
+
diff --git a/queue-4.19/scsi-target-fix-protect-handling-in-write-same-32.patch b/queue-4.19/scsi-target-fix-protect-handling-in-write-same-32.patch
new file mode 100644
index 00000000000..0538c5ebfda
--- /dev/null
+++ b/queue-4.19/scsi-target-fix-protect-handling-in-write-same-32.patch
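Review bot: In iscsi_iface_attr_is_visible() the first branch still sets `param = ISCSI_NET_PARAM_IFACE_ENABLE` for `dev_attr_iface_enabled`, yet it stays in the chain that now ends in `if (param != -1) return t->attr_is_visible(ISCSI_IFACE_PARAM, param);`. Assuming the lines elided between the first two inner hunks are all `else if` branches, the iface_enabled attribute is reported to the driver as an ISCSI_IFACE_PARAM. That is the same kind of type mix-up the commit sets out to remove. Moving the test to the head of the second chain avoids it: `if (attr == &dev_attr_iface_enabled.attr) param = ISCSI_NET_PARAM_IFACE_ENABLE; else if (attr == &dev_attr_iface_vlan_id.attr)`, with the first chain then starting at `if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)`.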
@@ -0,0 +1,183 @@
+From 9f53d40b1c9cdb7e67dba1f99d285dc9f90578bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jul 2021 12:16:55 +0300
+Subject: scsi: target: Fix protect handling in WRITE SAME(32)
+
+From: Dmitry Bogdanov
+
+[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ]
+
+WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st
+byte instead of 10th byte.
+
+Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com
+Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME")
+Signed-off-by: Dmitry Bogdanov
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/target_core_sbc.c | 35 ++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index ebac2b49b9c6..af9b038da3ba 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -38,7 +38,7 @@
+ #include "target_core_alua.h"
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool);
++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool);
+ static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd);
+
+ static sense_reason_t
+@@ -292,14 +292,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb)
+ }
+
+ static sense_reason_t
+-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops)
+ {
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ sense_reason_t ret;
+
+- if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
++ if ((flags & 0x04) || (flags & 0x02)) {
+ pr_err("WRITE_SAME PBDATA and LBDATA"
+ " bits not supported for Block Discard"
+ " Emulation\n");
+@@ -321,7 +321,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ }
+
+ /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+- if (flags[0] & 0x10) {
++ if (flags & 0x10) {
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
+@@ -329,7 +329,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
+ */
+- if (flags[0] & 0x08) {
++ if (flags & 0x08) {
+ if (!ops->execute_unmap)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+@@ -344,7 +344,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ if (!ops->execute_write_same)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true);
++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -702,10 +702,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_
+ }
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect,
+ u32 sectors, bool is_write)
+ {
+- u8 protect = cdb[1] >> 5;
+ int sp_ops = cmd->se_sess->sup_prot_ops;
+ int pi_prot_type = dev->dev_attrib.pi_prot_type;
+ bool fabric_prot = false;
+@@ -753,7 +752,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
+ /* Fallthrough */
+ default:
+ pr_err("Unable to determine pi_prot_type for CDB: 0x%02x "
+- "PROTECT: 0x%02x\n", cdb[0], protect);
++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect);
+ return TCM_INVALID_CDB_FIELD;
+ }
+
+@@ -828,7 +827,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -842,7 +841,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -856,7 +855,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -877,7 +876,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -891,7 +890,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -906,7 +905,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -965,7 +964,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[12]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[10], ops);
++ ret = sbc_setup_write_same(cmd, cdb[10], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1064,7 +1063,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[2]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1082,7 +1081,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ * Follow sbcr26 with WRITE_SAME (10) and check for the existence
+ * of byte 1 bit 3 UNMAP instead of original reserved field
+ */
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+--
+2.30.2
+
diff --git a/queue-4.19/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch b/queue-4.19/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
new file mode 100644
index 00000000000..38d4ad6605a
--- /dev/null
+++ b/queue-4.19/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
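Review bot: The `flags` byte that sbc_setup_write_same() now takes by value has two roles and neither is documented: the option bits tested with 0x02/0x04/0x08/0x10, and the WRPROTECT field extracted with `flags >> 5`. Confusing which CDB byte carries that field is the bug being fixed, so the function needs a short comment above it saying that `flags` is the CDB byte with WRPROTECT in bits 7..5 and the ANCHOR/UNMAP/PBDATA/LBDATA bits below it. Per the call sites in the hunks that is `cdb[1]` for WRITE SAME(10)/(16) and `cdb[10]` for WRITE SAME(32). The `cdb[1] >> 5` repeated at the six sbc_check_prot() call sites in sbc_parse_cdb() would also read better behind a named shift. Most of these functions lie outside the hunks.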
@@ -0,0 +1,55 @@
+From ac9addef1d7f7594ee48f5926ee11ab7f8554dc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jul 2021 16:07:01 -0400
+Subject: sctp: update active_key for asoc when old key is being replaced
+
+From: Xin Long
+
+[ Upstream commit 58acd10092268831e49de279446c314727101292 ]
+
+syzbot reported a call trace:
+
+ BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ Call Trace:
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:131 [inline]
+ sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
+ sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:723
+
+This is an use-after-free issue caused by not updating asoc->shkey after
+it was replaced in the key list asoc->endpoint_shared_keys, and the old
+key was freed.
+
+This patch is to fix by also updating active_key for asoc when old key is
+being replaced with a new one. Note that this issue doesn't exist in
+sctp_auth_del_key_id(), as it's not allowed to delete the active_key
+from the asoc.
+
+Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
+Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sctp/auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 2bd8c80bd85f..b2ca66c4a21d 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -883,6 +883,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ if (replace) {
+ list_del_init(&shkey->key_list);
+ sctp_auth_shkey_release(shkey);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+ }
+ list_add(&cur_key->key_list, sh_keys);
+
+--
+2.30.2
+
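Review bot: The result of `sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)` is discarded in sctp_auth_set_key(), and the call runs after `sctp_auth_shkey_release(shkey)` but before `list_add(&cur_key->key_list, sh_keys)`. If the helper can fail (the GFP argument suggests it allocates), the association keeps referring to the key that was just released, which is the use-after-free this patch is meant to close. Whether the helper can find the replacement key before it is on the list depends on code outside the hunk. A safer order puts `cur_key` on the list first, re-derives the active key, and drops the old `shkey` only when that succeeded. The sketch below shows that order; the error code and whatever follows `list_add()` are outside the hunk and need checking against the full function.

```c
	if (replace)
		list_del_init(&shkey->key_list);
	list_add(&cur_key->key_list, sh_keys);

	if (replace) {
		/* Re-derive the association's active key from the new entry
		 * before the old one is dropped; on failure restore the old key.
		 */
		if (asoc && asoc->active_key_id == auth_key->sca_keynumber &&
		    sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
			list_del_init(&cur_key->key_list);
			sctp_auth_shkey_release(cur_key);
			list_add(&shkey->key_list, sh_keys);
			return -ENOMEM;
		}
		sctp_auth_shkey_release(shkey);
	}
	/* … unchanged: rest of sctp_auth_set_key() … */
```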
diff --git a/queue-4.19/series b/queue-4.19/series
index 2801b20f7c3..425891de98a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -50,3 +50,40 @@ ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch
 bpftool-properly-close-va_list-ap-by-va_end-on-error.patch
 udp-annotate-data-races-around-unix_sk-sk-gso_size.patch
 net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
+igb-fix-use-after-free-error-during-reset.patch
+ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
+igb-fix-an-error-handling-path-in-igb_probe.patch
+fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
+e1000e-fix-an-error-handling-path-in-e1000_probe.patch
+iavf-fix-an-error-handling-path-in-iavf_probe.patch
+igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+igb-fix-position-of-assignment-to-ring.patch
+ipv6-fix-disable_policy-for-fwd-packets.patch
+nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch
+perf-map-fix-dso-nsinfo-refcounting.patch
+perf-probe-fix-dso-nsinfo-refcounting.patch
+perf-test-session_topology-delete-session-evlist.patch
+perf-dso-fix-memory-leak-in-dso__new_map.patch
+perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
+perf-lzma-close-lzma-stream-on-exit.patch
+perf-test-bpf-free-obj_buf.patch
+perf-probe-file-delete-namelist-in-del_events-on-the.patch
+spi-mediatek-fix-fifo-rx-mode.patch
+liquidio-fix-unintentional-sign-extension-issue-on-l.patch
+s390-bpf-perform-r1-range-checking-before-accessing-.patch
+bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
+net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
+net-decnet-fix-sleeping-inside-in-af_decnet.patch
+kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
+netrom-decrease-sock-refcount-when-sock-timers-expir.patch
+scsi-iscsi-fix-iface-sysfs-attr-detection.patch
+scsi-target-fix-protect-handling-in-write-same-32.patch
+spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
+net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch
+net-sched-act_skbmod-skip-non-ethernet-packets.patch
+nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch
+revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
+sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
+net-sched-cls_api-fix-the-the-wrong-parameter.patch
+drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
+proc-avoid-mixing-integer-types-in-mem_rw.patch
diff --git a/queue-4.19/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch b/queue-4.19/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
new file mode 100644
index 00000000000..4197c59684d
--- /dev/null
+++ b/queue-4.19/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
@@ -0,0 +1,74 @@
+From eb6077f9255d36cc88818158311b1434914367df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jul 2021 20:21:33 +0200
+Subject: spi: cadence: Correct initialisation of runtime PM again
+
+From: Marek Vasut
+
+[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ]
+
+The original implementation of RPM handling in probe() was mostly
+correct, except it failed to call pm_runtime_get_*() to activate the
+hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct
+initialisation of runtime PM"), breaks the implementation further,
+to the point where the system using this hard IP on ZynqMP hangs on
+boot, because it accesses hardware which is gated off.
+
+Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime
+PM") and instead add missing pm_runtime_get_noresume() and move the
+RPM disabling all the way to the end of probe(). That makes ZynqMP
+not hang on boot yet again.
+
+Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM")
+Signed-off-by: Marek Vasut
+Cc: Charles Keepax
+Cc: Mark Brown
+Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-cadence.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index f5055ceb7529..91f83683c15a 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -585,6 +585,12 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ goto clk_dis_apb;
+ }
+
++ pm_runtime_use_autosuspend(&pdev->dev);
++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs);
+ if (ret < 0)
+ master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS;
+@@ -599,11 +605,6 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ /* SPI controller initializations */
+ cdns_spi_init_hw(xspi);
+
+- pm_runtime_set_active(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_use_autosuspend(&pdev->dev);
+- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+-
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+ ret = -ENXIO;
+@@ -636,6 +637,9 @@ static int cdns_spi_probe(struct platform_device *pdev)
+
+ master->bits_per_word_mask = SPI_BPW_MASK(8);
+
++ pm_runtime_mark_last_busy(&pdev->dev);
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ ret = spi_register_master(master);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_master failed\n");
+--
+2.30.2
+
diff --git a/queue-4.19/spi-mediatek-fix-fifo-rx-mode.patch b/queue-4.19/spi-mediatek-fix-fifo-rx-mode.patch
new file mode 100644
index 00000000000..06c63ac7410
--- /dev/null
+++ b/queue-4.19/spi-mediatek-fix-fifo-rx-mode.patch
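Review bot: cdns_spi_probe() now takes a usage reference with `pm_runtime_get_noresume()` and enables runtime PM well before the point where the reference is dropped with `pm_runtime_put_autosuspend()`, and at least one failure exit lies in between (the `irq <= 0` path sets `ret = -ENXIO`). The cleanup labels are outside the hunks, so confirm that they undo all of this: `pm_runtime_disable()` plus a `pm_runtime_put_noidle(&pdev->dev)` for the extra reference. Otherwise a failed probe leaves the usage counter raised. A one-line comment at the get, `/* keep the controller powered until probe finishes; dropped before spi_register_master() */`, would make the pairing explicit.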
@@ -0,0 +1,59 @@
+From 132c36cfa0c2ea8edeb929b48d57698b38f87bb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jul 2021 14:16:09 +0200
+Subject: spi: mediatek: fix fifo rx mode
+
+From: Peter Hess
+
+[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ]
+
+In FIFO mode were two problems:
+- RX mode was never handled and
+- in this case the tx_buf pointer was NULL and caused an exception
+
+fix this by handling RX mode in mtk_spi_fifo_transfer
+
+Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173")
+Signed-off-by: Peter Hess
+Signed-off-by: Frank Wunderlich
+Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-mt65xx.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index da28c52c9da1..e2b171057b3b 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -392,13 +392,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master,
+ mtk_spi_setup_packet(master);
+
+ cnt = xfer->len / 4;
+- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++ if (xfer->tx_buf)
++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++
++ if (xfer->rx_buf)
++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt);
+
+ remainder = xfer->len % 4;
+ if (remainder > 0) {
+ reg_val = 0;
+- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
+- writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ if (xfer->tx_buf) {
++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
++ writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ }
++ if (xfer->rx_buf) {
++ reg_val = readl(mdata->base + SPI_RX_DATA_REG);
++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder);
++ }
+ }
+
+ mtk_spi_enable_transfer(master);
+--
+2.30.2
+
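Review bot: The added `ioread32_rep(... SPI_RX_DATA_REG ...)` and `readl(... SPI_RX_DATA_REG)` in mtk_spi_fifo_transfer() run before `mtk_spi_enable_transfer(master)` at the end of the hunk. They therefore read the RX FIFO before the transfer has been started and would be expected to return stale or empty data rather than the reply. The `if (xfer->tx_buf)` guards are what addresses the NULL `tx_buf` exception described in the commit message; receive handling belongs wherever transfer completion is processed, which is outside this hunk and may already exist there. I would keep the guards and drop the reads here, leaving `if (xfer->tx_buf) iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);` and the guarded memcpy/writel pair for the remainder.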