From 75408b4e9ee1ed89541e075c268f6e041622ab5a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 16 Apr 2020 23:43:39 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- .../asoc-stm32-sai-add-missing-cleanup.patch | 46 +++++ ...m-constraints-for-32-bit-comparisons.patch | 194 ++++++++++++++++++ ...-deletion-of-variables-in-mixed-mode.patch | 50 +++++ ...n2-fix-sanity-checking-for-endpoints.patch | 61 ++++++ ...lining-of-lpfc_sli4_cleanup_poll_lis.patch | 56 +++++ queue-5.4/series | 5 + 6 files changed, 412 insertions(+) create mode 100644 queue-5.4/asoc-stm32-sai-add-missing-cleanup.patch create mode 100644 queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch create mode 100644 queue-5.4/efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch create mode 100644 queue-5.4/mfd-dln2-fix-sanity-checking-for-endpoints.patch create mode 100644 queue-5.4/scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch diff --git a/queue-5.4/asoc-stm32-sai-add-missing-cleanup.patch b/queue-5.4/asoc-stm32-sai-add-missing-cleanup.patch new file mode 100644 index 00000000000..76ea3a226b9 --- /dev/null +++ b/queue-5.4/asoc-stm32-sai-add-missing-cleanup.patch @@ -0,0 +1,46 @@ +From be1e1e076f6e4251b8a3e5d29e53f7865fd13334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2020 17:03:48 +0200 +Subject: ASoC: stm32: sai: Add missing cleanup + +From: Julia Lawall + +[ Upstream commit 7506baeed8d05fc164254c64af14cfed2ac14446 ] + +The commit 0d6defc7e0e4 ("ASoC: stm32: sai: manage rebind issue") +converts some function calls to their non-devm equivalents. The +appropriate cleanup code was added to the remove function, but not +to the probe function. Add a call to snd_dmaengine_pcm_unregister +to compensate for the call to snd_dmaengine_pcm_register in case +of subsequent failure. + +Fixes: commit 0d6defc7e0e4 ("ASoC: stm32: sai: manage rebind issue") +Signed-off-by: Julia Lawall + +Acked-by: Olivier Moysan +Link: https://lore.kernel.org/r/1586099028-5104-1-git-send-email-Julia.Lawall@inria.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 10eb4b8e8e7ee..d3259de43712b 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -1551,8 +1551,10 @@ static int stm32_sai_sub_probe(struct platform_device *pdev) + + ret = snd_soc_register_component(&pdev->dev, &stm32_component, + &sai->cpu_dai_drv, 1); +- if (ret) ++ if (ret) { ++ snd_dmaengine_pcm_unregister(&pdev->dev); + return ret; ++ } + + if (STM_SAI_PROTOCOL_IS_SPDIF(sai)) + conf = &stm32_sai_pcm_config_spdif; +-- +2.20.1 + diff --git a/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch b/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch new file mode 100644 index 00000000000..9faae6cc670 --- /dev/null +++ b/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch @@ -0,0 +1,194 @@ +From f4738e0ba1bd82a797ac2fce5bec35db55005520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2020 18:03:23 +0200 +Subject: bpf: Fix tnum constraints for 32-bit comparisons + +From: Jann Horn + +[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ] + +The BPF verifier tried to track values based on 32-bit comparisons by +(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register +bounds after jmp32 instructions"). The idea is that after a check like +this: + + if ((u32)r0 > 3) + exit + +We can't meaningfully constrain the arithmetic-range-based tracking, but +we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003). +However, the implementation from 581738a681b6 didn't compute the tnum +constraint based on the fixed operand, but instead derives it from the +arithmetic-range-based tracking. This means that after the following +sequence of operations: + + if (r0 >= 0x1'0000'0001) + exit + if ((u32)r0 > 7) + exit + +The verifier assumed that the lower half of r0 is in the range (0, 0) +and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus +causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was +incorrect. Provide a fixed implementation. + +Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") +Signed-off-by: Jann Horn +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 108 ++++++++++++++++++++++++++++-------------- + 1 file changed, 72 insertions(+), 36 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index a0b76b360d6f7..013780ef0bd7d 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5325,6 +5325,70 @@ static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg) + reg->smax_value <= 0 && reg->smin_value >= S32_MIN); + } + ++/* Constrain the possible values of @reg with unsigned upper bound @bound. ++ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. ++ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits ++ * of @reg. ++ */ ++static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, ++ bool is_exclusive) ++{ ++ if (is_exclusive) { ++ /* There are no values for `reg` that make `reg<0` true. */ ++ if (bound == 0) ++ return; ++ bound--; ++ } ++ if (is_jmp32) { ++ /* Constrain the register's value in the tnum representation. ++ * For 64-bit comparisons this happens later in ++ * __reg_bound_offset(), but for 32-bit comparisons, we can be ++ * more precise than what can be derived from the updated ++ * numeric bounds. ++ */ ++ struct tnum t = tnum_range(0, bound); ++ ++ t.mask |= ~0xffffffffULL; /* upper half is unknown */ ++ reg->var_off = tnum_intersect(reg->var_off, t); ++ ++ /* Compute the 64-bit bound from the 32-bit bound. */ ++ bound += gen_hi_max(reg->var_off); ++ } ++ reg->umax_value = min(reg->umax_value, bound); ++} ++ ++/* Constrain the possible values of @reg with unsigned lower bound @bound. ++ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. ++ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits ++ * of @reg. ++ */ ++static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, ++ bool is_exclusive) ++{ ++ if (is_exclusive) { ++ /* There are no values for `reg` that make `reg>MAX` true. */ ++ if (bound == (is_jmp32 ? U32_MAX : U64_MAX)) ++ return; ++ bound++; ++ } ++ if (is_jmp32) { ++ /* Constrain the register's value in the tnum representation. ++ * For 64-bit comparisons this happens later in ++ * __reg_bound_offset(), but for 32-bit comparisons, we can be ++ * more precise than what can be derived from the updated ++ * numeric bounds. ++ */ ++ struct tnum t = tnum_range(bound, U32_MAX); ++ ++ t.mask |= ~0xffffffffULL; /* upper half is unknown */ ++ reg->var_off = tnum_intersect(reg->var_off, t); ++ ++ /* Compute the 64-bit bound from the 32-bit bound. */ ++ bound += gen_hi_min(reg->var_off); ++ } ++ reg->umin_value = max(reg->umin_value, bound); ++} ++ + /* Adjusts the register min/max values in the case that the dst_reg is the + * variable register that we are working on, and src_reg is a constant or we're + * simply doing a BPF_K check. +@@ -5380,15 +5444,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, + case BPF_JGE: + case BPF_JGT: + { +- u64 false_umax = opcode == BPF_JGT ? val : val - 1; +- u64 true_umin = opcode == BPF_JGT ? val + 1 : val; +- +- if (is_jmp32) { +- false_umax += gen_hi_max(false_reg->var_off); +- true_umin += gen_hi_min(true_reg->var_off); +- } +- false_reg->umax_value = min(false_reg->umax_value, false_umax); +- true_reg->umin_value = max(true_reg->umin_value, true_umin); ++ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); ++ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); + break; + } + case BPF_JSGE: +@@ -5409,15 +5466,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, + case BPF_JLE: + case BPF_JLT: + { +- u64 false_umin = opcode == BPF_JLT ? val : val + 1; +- u64 true_umax = opcode == BPF_JLT ? val - 1 : val; +- +- if (is_jmp32) { +- false_umin += gen_hi_min(false_reg->var_off); +- true_umax += gen_hi_max(true_reg->var_off); +- } +- false_reg->umin_value = max(false_reg->umin_value, false_umin); +- true_reg->umax_value = min(true_reg->umax_value, true_umax); ++ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); ++ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); + break; + } + case BPF_JSLE: +@@ -5492,15 +5542,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, + case BPF_JGE: + case BPF_JGT: + { +- u64 false_umin = opcode == BPF_JGT ? val : val + 1; +- u64 true_umax = opcode == BPF_JGT ? val - 1 : val; +- +- if (is_jmp32) { +- false_umin += gen_hi_min(false_reg->var_off); +- true_umax += gen_hi_max(true_reg->var_off); +- } +- false_reg->umin_value = max(false_reg->umin_value, false_umin); +- true_reg->umax_value = min(true_reg->umax_value, true_umax); ++ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); ++ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); + break; + } + case BPF_JSGE: +@@ -5518,15 +5561,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, + case BPF_JLE: + case BPF_JLT: + { +- u64 false_umax = opcode == BPF_JLT ? val : val - 1; +- u64 true_umin = opcode == BPF_JLT ? val + 1 : val; +- +- if (is_jmp32) { +- false_umax += gen_hi_max(false_reg->var_off); +- true_umin += gen_hi_min(true_reg->var_off); +- } +- false_reg->umax_value = min(false_reg->umax_value, false_umax); +- true_reg->umin_value = max(true_reg->umin_value, true_umin); ++ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); ++ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); + break; + } + case BPF_JSLE: +-- +2.20.1 + diff --git a/queue-5.4/efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch b/queue-5.4/efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch new file mode 100644 index 00000000000..45e9db0d288 --- /dev/null +++ b/queue-5.4/efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch @@ -0,0 +1,50 @@ +From 8534dcff395176ff6badfa5695b2a1c5f615ee5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 15:04:33 +0200 +Subject: efi/x86: Fix the deletion of variables in mixed mode + +From: Gary Lin + +[ Upstream commit a4b81ccfd4caba017d2b84720b6de4edd16911a0 ] + +efi_thunk_set_variable() treated the NULL "data" pointer as an invalid +parameter, and this broke the deletion of variables in mixed mode. +This commit fixes the check of data so that the userspace program can +delete a variable in mixed mode. + +Fixes: 8319e9d5ad98ffcc ("efi/x86: Handle by-ref arguments covering multiple pages in mixed mode") +Signed-off-by: Gary Lin +Signed-off-by: Ard Biesheuvel +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20200408081606.1504-1-glin@suse.com +Link: https://lore.kernel.org/r/20200409130434.6736-9-ardb@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi_64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index fe0e647411daf..e39c930cfbd1e 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -834,7 +834,7 @@ efi_thunk_set_variable(efi_char16_t *name, efi_guid_t *vendor, + phys_vendor = virt_to_phys_or_null(vnd); + phys_data = virt_to_phys_or_null_size(data, data_size); + +- if (!phys_name || !phys_data) ++ if (!phys_name || (data && !phys_data)) + status = EFI_INVALID_PARAMETER; + else + status = efi_thunk(set_variable, phys_name, phys_vendor, +@@ -865,7 +865,7 @@ efi_thunk_set_variable_nonblocking(efi_char16_t *name, efi_guid_t *vendor, + phys_vendor = virt_to_phys_or_null(vnd); + phys_data = virt_to_phys_or_null_size(data, data_size); + +- if (!phys_name || !phys_data) ++ if (!phys_name || (data && !phys_data)) + status = EFI_INVALID_PARAMETER; + else + status = efi_thunk(set_variable, phys_name, phys_vendor, +-- +2.20.1 + diff --git a/queue-5.4/mfd-dln2-fix-sanity-checking-for-endpoints.patch b/queue-5.4/mfd-dln2-fix-sanity-checking-for-endpoints.patch new file mode 100644 index 00000000000..347cfc778f4 --- /dev/null +++ b/queue-5.4/mfd-dln2-fix-sanity-checking-for-endpoints.patch @@ -0,0 +1,61 @@ +From 15b03676d52046a26a6863ec74a8719827e96b00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2020 16:51:58 +0200 +Subject: mfd: dln2: Fix sanity checking for endpoints + +From: Andy Shevchenko + +[ Upstream commit fb945c95a482200876993977008b67ea658bd938 ] + +While the commit 2b8bd606b1e6 ("mfd: dln2: More sanity checking for endpoints") +tries to harden the sanity checks it made at the same time a regression, +i.e. mixed in and out endpoints. Obviously it should have been not tested on +real hardware at that time, but unluckily it didn't happen. + +So, fix above mentioned typo and make device being enumerated again. + +While here, introduce an enumerator for magic values to prevent similar issue +to happen in the future. + +Fixes: 2b8bd606b1e6 ("mfd: dln2: More sanity checking for endpoints") +Cc: Oliver Neukum +Cc: Greg Kroah-Hartman +Signed-off-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 7841c11411d08..4faa8d2e5d045 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -90,6 +90,11 @@ struct dln2_mod_rx_slots { + spinlock_t lock; + }; + ++enum dln2_endpoint { ++ DLN2_EP_OUT = 0, ++ DLN2_EP_IN = 1, ++}; ++ + struct dln2_dev { + struct usb_device *usb_dev; + struct usb_interface *interface; +@@ -733,10 +738,10 @@ static int dln2_probe(struct usb_interface *interface, + hostif->desc.bNumEndpoints < 2) + return -ENODEV; + +- epin = &hostif->endpoint[0].desc; +- epout = &hostif->endpoint[1].desc; ++ epout = &hostif->endpoint[DLN2_EP_OUT].desc; + if (!usb_endpoint_is_bulk_out(epout)) + return -ENODEV; ++ epin = &hostif->endpoint[DLN2_EP_IN].desc; + if (!usb_endpoint_is_bulk_in(epin)) + return -ENODEV; + +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch b/queue-5.4/scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch new file mode 100644 index 00000000000..61bc9bf9375 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch @@ -0,0 +1,56 @@ +From acaffb5b05c47518e638baa9a06d6773cee33057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 15:03:58 -0800 +Subject: scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list() + +From: James Smart + +[ Upstream commit d480e57809a043333a3b9e755c0bdd43e10a9f12 ] + +Compilation can fail due to having an inline function reference where the +function body is not present. + +Fix by removing the inline tag. + +Fixes: 93a4d6f40198 ("scsi: lpfc: Add registration for CPU Offline/Online events") + +Link: https://lore.kernel.org/r/20191111230401.12958-4-jsmart2021@gmail.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_crtn.h | 2 +- + drivers/scsi/lpfc/lpfc_sli.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h +index a03efe9ad2a42..0f019e889ba6b 100644 +--- a/drivers/scsi/lpfc/lpfc_crtn.h ++++ b/drivers/scsi/lpfc/lpfc_crtn.h +@@ -215,7 +215,7 @@ irqreturn_t lpfc_sli_fp_intr_handler(int, void *); + irqreturn_t lpfc_sli4_intr_handler(int, void *); + irqreturn_t lpfc_sli4_hba_intr_handler(int, void *); + +-inline void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba); ++void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba); + int lpfc_sli4_poll_eq(struct lpfc_queue *q, uint8_t path); + void lpfc_sli4_poll_hbtimer(struct timer_list *t); + void lpfc_sli4_start_polling(struct lpfc_queue *q); +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index fb2b0dc52d9bc..0717e850bcbfd 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -14384,7 +14384,7 @@ static inline void lpfc_sli4_remove_from_poll_list(struct lpfc_queue *eq) + del_timer_sync(&phba->cpuhp_poll_timer); + } + +-inline void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba) ++void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba) + { + struct lpfc_queue *eq, *next; + +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 6717b883f94..9936b661cf0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -230,3 +230,8 @@ drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-po.patch powerpc-kasan-fix-kasan_remap_early_shadow_ro.patch mmc-sdhci-convert-sdhci_set_timeout_irq-to-non-stati.patch mmc-sdhci-refactor-sdhci_set_timeout.patch +bpf-fix-tnum-constraints-for-32-bit-comparisons.patch +mfd-dln2-fix-sanity-checking-for-endpoints.patch +efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch +asoc-stm32-sai-add-missing-cleanup.patch +scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch -- 2.47.3