From d927d41d3556fc0ba4d0f5a54c3c704bcf0c8008 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 25 Apr 2021 21:04:01 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...-dts-fix-swapped-mmc-order-for-omap3.patch | 42 +++++ ...vium-liquidio-fix-duplicate-argument.patch | 40 +++++ ...or-return-code-in-alps_input_configu.patch | 35 ++++ queue-4.19/hid-google-add-don-usb-id.patch | 47 ++++++ ...gn-boolean-values-to-a-bool-variable.patch | 38 +++++ ...4-fix-discontig.c-section-mismatches.patch | 73 ++++++++ ...e-duplicate-definition-of-ia64_mf-on.patch | 59 +++++++ ...fix-ordering-in-queued_write_lock_sl.patch | 85 ++++++++++ ...-skb-is-large-enough-for-ipv4-ipv6-h.patch | 52 ++++++ ...ncore-remove-uncore-extra-pci-dev-hs.patch | 159 ++++++++++++++++++ ...90-entry-save-the-caller-of-psw_idle.patch | 62 +++++++ queue-4.19/series | 12 ++ ...k-for-hotplug-status-existence-befor.patch | 66 ++++++++ 13 files changed, 770 insertions(+) create mode 100644 queue-4.19/arm-dts-fix-swapped-mmc-order-for-omap3.patch create mode 100644 queue-4.19/cavium-liquidio-fix-duplicate-argument.patch create mode 100644 queue-4.19/hid-alps-fix-error-return-code-in-alps_input_configu.patch create mode 100644 queue-4.19/hid-google-add-don-usb-id.patch create mode 100644 queue-4.19/hid-wacom-assign-boolean-values-to-a-bool-variable.patch create mode 100644 queue-4.19/ia64-fix-discontig.c-section-mismatches.patch create mode 100644 queue-4.19/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch create mode 100644 queue-4.19/locking-qrwlock-fix-ordering-in-queued_write_lock_sl.patch create mode 100644 queue-4.19/net-geneve-check-skb-is-large-enough-for-ipv4-ipv6-h.patch create mode 100644 queue-4.19/perf-x86-intel-uncore-remove-uncore-extra-pci-dev-hs.patch create mode 100644 queue-4.19/s390-entry-save-the-caller-of-psw_idle.patch create mode 100644 queue-4.19/xen-netback-check-for-hotplug-status-existence-befor.patch diff --git a/queue-4.19/arm-dts-fix-swapped-mmc-order-for-omap3.patch b/queue-4.19/arm-dts-fix-swapped-mmc-order-for-omap3.patch new file mode 100644 index 00000000000..7ec08b6c15a --- /dev/null +++ b/queue-4.19/arm-dts-fix-swapped-mmc-order-for-omap3.patch @@ -0,0 +1,42 @@ +From edbbde3562ad2834e09ef207feaf4db98fe345db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:10:32 +0200 +Subject: ARM: dts: Fix swapped mmc order for omap3 + +From: Tony Lindgren + +[ Upstream commit a1ebdb3741993f853865d1bd8f77881916ad53a7 ] + +Also some omap3 devices like n900 seem to have eMMC and micro-sd swapped +around with commit 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for +drivers that existed in v4.4"). + +Let's fix the issue with aliases as discussed on the mailing lists. While +the mmc aliases should be board specific, let's first fix the issue with +minimal changes. + +Cc: Aaro Koskinen +Cc: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/omap3.dtsi b/arch/arm/boot/dts/omap3.dtsi +index 4043ecb38016..0c8fcfb292bf 100644 +--- a/arch/arm/boot/dts/omap3.dtsi ++++ b/arch/arm/boot/dts/omap3.dtsi +@@ -23,6 +23,9 @@ + i2c0 = &i2c1; + i2c1 = &i2c2; + i2c2 = &i2c3; ++ mmc0 = &mmc1; ++ mmc1 = &mmc2; ++ mmc2 = &mmc3; + serial0 = &uart1; + serial1 = &uart2; + serial2 = &uart3; +-- +2.30.2 + diff --git a/queue-4.19/cavium-liquidio-fix-duplicate-argument.patch b/queue-4.19/cavium-liquidio-fix-duplicate-argument.patch new file mode 100644 index 00000000000..c9e3a40a342 --- /dev/null +++ b/queue-4.19/cavium-liquidio-fix-duplicate-argument.patch @@ -0,0 +1,40 @@ +From d70deee9da678f6a80811d9aa47ed6c880a0d088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 19:31:48 +0800 +Subject: cavium/liquidio: Fix duplicate argument + +From: Wan Jiabing + +[ Upstream commit 416dcc5ce9d2a810477171c62ffa061a98f87367 ] + +Fix the following coccicheck warning: + +./drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h:413:6-28: +duplicated argument to & or | + +The CN6XXX_INTR_M1UPB0_ERR here is duplicate. +Here should be CN6XXX_INTR_M1UNB0_ERR. + +Signed-off-by: Wan Jiabing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h b/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h +index b248966837b4..7aad40b2aa73 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h ++++ b/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h +@@ -412,7 +412,7 @@ + | CN6XXX_INTR_M0UNWI_ERR \ + | CN6XXX_INTR_M1UPB0_ERR \ + | CN6XXX_INTR_M1UPWI_ERR \ +- | CN6XXX_INTR_M1UPB0_ERR \ ++ | CN6XXX_INTR_M1UNB0_ERR \ + | CN6XXX_INTR_M1UNWI_ERR \ + | CN6XXX_INTR_INSTR_DB_OF_ERR \ + | CN6XXX_INTR_SLIST_DB_OF_ERR \ +-- +2.30.2 + diff --git a/queue-4.19/hid-alps-fix-error-return-code-in-alps_input_configu.patch b/queue-4.19/hid-alps-fix-error-return-code-in-alps_input_configu.patch new file mode 100644 index 00000000000..b4ddd7a3d74 --- /dev/null +++ b/queue-4.19/hid-alps-fix-error-return-code-in-alps_input_configu.patch @@ -0,0 +1,35 @@ +From 039d1950d05968c1190bf8f6e09c1330dbb3c17a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 05:19:57 -0800 +Subject: HID: alps: fix error return code in alps_input_configured() + +From: Jia-Ju Bai + +[ Upstream commit fa8ba6e5dc0e78e409e503ddcfceef5dd96527f4 ] + +When input_register_device() fails, no error return code is assigned. +To fix this bug, ret is assigned with -ENOENT as error return code. + +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-alps.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c +index f4cf541d13e0..3eddd8f73b57 100644 +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -766,6 +766,7 @@ static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi) + + if (input_register_device(data->input2)) { + input_free_device(input2); ++ ret = -ENOENT; + goto exit; + } + } +-- +2.30.2 + diff --git a/queue-4.19/hid-google-add-don-usb-id.patch b/queue-4.19/hid-google-add-don-usb-id.patch new file mode 100644 index 00000000000..274cea9de2b --- /dev/null +++ b/queue-4.19/hid-google-add-don-usb-id.patch @@ -0,0 +1,47 @@ +From 5a4d61682529e1372bb75bb1368ce2f4e5a745c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 11:58:01 +0800 +Subject: HID: google: add don USB id + +From: Shou-Chieh Hsu + +[ Upstream commit 36b87cf302a4f13f8b4344bcf98f67405a145e2f ] + +Add 1 additional hammer-like device. + +Signed-off-by: Shou-Chieh Hsu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-google-hammer.c | 2 ++ + drivers/hid/hid-ids.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-google-hammer.c b/drivers/hid/hid-google-hammer.c +index fab8fd7082e0..3e58d4c3cf2c 100644 +--- a/drivers/hid/hid-google-hammer.c ++++ b/drivers/hid/hid-google-hammer.c +@@ -118,6 +118,8 @@ static int hammer_input_configured(struct hid_device *hdev, + } + + static const struct hid_device_id hammer_devices[] = { ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_DON) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_HAMMER) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 2f1516b32837..68908dac5835 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -478,6 +478,7 @@ + #define USB_DEVICE_ID_GOOGLE_MASTERBALL 0x503c + #define USB_DEVICE_ID_GOOGLE_MAGNEMITE 0x503d + #define USB_DEVICE_ID_GOOGLE_MOONBALL 0x5044 ++#define USB_DEVICE_ID_GOOGLE_DON 0x5050 + + #define USB_VENDOR_ID_GOTOP 0x08f2 + #define USB_DEVICE_ID_SUPER_Q2 0x007f +-- +2.30.2 + diff --git a/queue-4.19/hid-wacom-assign-boolean-values-to-a-bool-variable.patch b/queue-4.19/hid-wacom-assign-boolean-values-to-a-bool-variable.patch new file mode 100644 index 00000000000..6b7de98c4d7 --- /dev/null +++ b/queue-4.19/hid-wacom-assign-boolean-values-to-a-bool-variable.patch @@ -0,0 +1,38 @@ +From 7935fcb0f32f310a1680bfb4e035f5c038c26323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 15:34:30 +0800 +Subject: HID: wacom: Assign boolean values to a bool variable + +From: Jiapeng Zhong + +[ Upstream commit e29c62ffb008829dc8bcc0a2ec438adc25a8255e ] + +Fix the following coccicheck warnings: + +./drivers/hid/wacom_wac.c:2536:2-6: WARNING: Assignment of +0/1 to bool variable. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Zhong +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index db8ee5020d90..10524c93f8b6 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2496,7 +2496,7 @@ static void wacom_wac_finger_slot(struct wacom_wac *wacom_wac, + !wacom_wac->shared->is_touch_on) { + if (!wacom_wac->shared->touch_down) + return; +- prox = 0; ++ prox = false; + } + + wacom_wac->hid_data.num_received++; +-- +2.30.2 + diff --git a/queue-4.19/ia64-fix-discontig.c-section-mismatches.patch b/queue-4.19/ia64-fix-discontig.c-section-mismatches.patch new file mode 100644 index 00000000000..407606f46e9 --- /dev/null +++ b/queue-4.19/ia64-fix-discontig.c-section-mismatches.patch @@ -0,0 +1,73 @@ +From d7b15e33e681e2ccc74bd27a27a7543987ed47e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 15:46:09 -0700 +Subject: ia64: fix discontig.c section mismatches + +From: Randy Dunlap + +[ Upstream commit e2af9da4f867a1a54f1252bf3abc1a5c63951778 ] + +Fix IA64 discontig.c Section mismatch warnings. + +When CONFIG_SPARSEMEM=y and CONFIG_MEMORY_HOTPLUG=y, the functions +computer_pernodesize() and scatter_node_data() should not be marked as +__meminit because they are needed after init, on any memory hotplug +event. Also, early_nr_cpus_node() is called by compute_pernodesize(), +so early_nr_cpus_node() cannot be __meminit either. + + WARNING: modpost: vmlinux.o(.text.unlikely+0x1612): Section mismatch in reference from the function arch_alloc_nodedata() to the function .meminit.text:compute_pernodesize() + The function arch_alloc_nodedata() references the function __meminit compute_pernodesize(). + This is often because arch_alloc_nodedata lacks a __meminit annotation or the annotation of compute_pernodesize is wrong. + + WARNING: modpost: vmlinux.o(.text.unlikely+0x1692): Section mismatch in reference from the function arch_refresh_nodedata() to the function .meminit.text:scatter_node_data() + The function arch_refresh_nodedata() references the function __meminit scatter_node_data(). + This is often because arch_refresh_nodedata lacks a __meminit annotation or the annotation of scatter_node_data is wrong. + + WARNING: modpost: vmlinux.o(.text.unlikely+0x1502): Section mismatch in reference from the function compute_pernodesize() to the function .meminit.text:early_nr_cpus_node() + The function compute_pernodesize() references the function __meminit early_nr_cpus_node(). + This is often because compute_pernodesize lacks a __meminit annotation or the annotation of early_nr_cpus_node is wrong. + +Link: https://lkml.kernel.org/r/20210411001201.3069-1-rdunlap@infradead.org +Signed-off-by: Randy Dunlap +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/mm/discontig.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/ia64/mm/discontig.c b/arch/ia64/mm/discontig.c +index 1928d5719e41..db3104c9fac5 100644 +--- a/arch/ia64/mm/discontig.c ++++ b/arch/ia64/mm/discontig.c +@@ -96,7 +96,7 @@ static int __init build_node_maps(unsigned long start, unsigned long len, + * acpi_boot_init() (which builds the node_to_cpu_mask array) hasn't been + * called yet. Note that node 0 will also count all non-existent cpus. + */ +-static int __meminit early_nr_cpus_node(int node) ++static int early_nr_cpus_node(int node) + { + int cpu, n = 0; + +@@ -111,7 +111,7 @@ static int __meminit early_nr_cpus_node(int node) + * compute_pernodesize - compute size of pernode data + * @node: the node id. + */ +-static unsigned long __meminit compute_pernodesize(int node) ++static unsigned long compute_pernodesize(int node) + { + unsigned long pernodesize = 0, cpus; + +@@ -371,7 +371,7 @@ static void __init reserve_pernode_space(void) + } + } + +-static void __meminit scatter_node_data(void) ++static void scatter_node_data(void) + { + pg_data_t **dst; + int node; +-- +2.30.2 + diff --git a/queue-4.19/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch b/queue-4.19/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch new file mode 100644 index 00000000000..5203fddeb70 --- /dev/null +++ b/queue-4.19/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch @@ -0,0 +1,59 @@ +From 8731a406461d9ac9ccbc3a4c29fb49daf91d5133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 15:46:15 -0700 +Subject: ia64: tools: remove duplicate definition of ia64_mf() on ia64 + +From: John Paul Adrian Glaubitz + +[ Upstream commit f4bf09dc3aaa4b07cd15630f2023f68cb2668809 ] + +The ia64_mf() macro defined in tools/arch/ia64/include/asm/barrier.h is +already defined in on ia64 which causes libbpf +failing to build: + + CC /usr/src/linux/tools/bpf/bpftool//libbpf/staticobjs/libbpf.o + In file included from /usr/src/linux/tools/include/asm/barrier.h:24, + from /usr/src/linux/tools/include/linux/ring_buffer.h:4, + from libbpf.c:37: + /usr/src/linux/tools/include/asm/../../arch/ia64/include/asm/barrier.h:43: error: "ia64_mf" redefined [-Werror] + 43 | #define ia64_mf() asm volatile ("mf" ::: "memory") + | + In file included from /usr/include/ia64-linux-gnu/asm/intrinsics.h:20, + from /usr/include/ia64-linux-gnu/asm/swab.h:11, + from /usr/include/linux/swab.h:8, + from /usr/include/linux/byteorder/little_endian.h:13, + from /usr/include/ia64-linux-gnu/asm/byteorder.h:5, + from /usr/src/linux/tools/include/uapi/linux/perf_event.h:20, + from libbpf.c:36: + /usr/include/ia64-linux-gnu/asm/gcc_intrin.h:382: note: this is the location of the previous definition + 382 | #define ia64_mf() __asm__ volatile ("mf" ::: "memory") + | + cc1: all warnings being treated as errors + +Thus, remove the definition from tools/arch/ia64/include/asm/barrier.h. + +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/arch/ia64/include/asm/barrier.h | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/arch/ia64/include/asm/barrier.h b/tools/arch/ia64/include/asm/barrier.h +index d808ee0e77b5..90f8bbd9aede 100644 +--- a/tools/arch/ia64/include/asm/barrier.h ++++ b/tools/arch/ia64/include/asm/barrier.h +@@ -39,9 +39,6 @@ + * sequential memory pages only. + */ + +-/* XXX From arch/ia64/include/uapi/asm/gcc_intrin.h */ +-#define ia64_mf() asm volatile ("mf" ::: "memory") +- + #define mb() ia64_mf() + #define rmb() mb() + #define wmb() mb() +-- +2.30.2 + diff --git a/queue-4.19/locking-qrwlock-fix-ordering-in-queued_write_lock_sl.patch b/queue-4.19/locking-qrwlock-fix-ordering-in-queued_write_lock_sl.patch new file mode 100644 index 00000000000..e842dd318ee --- /dev/null +++ b/queue-4.19/locking-qrwlock-fix-ordering-in-queued_write_lock_sl.patch @@ -0,0 +1,85 @@ +From e34a81864a001843c316b293b59b746530342d40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 17:27:11 +0000 +Subject: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ali Saidi + +[ Upstream commit 84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 ] + +While this code is executed with the wait_lock held, a reader can +acquire the lock without holding wait_lock. The writer side loops +checking the value with the atomic_cond_read_acquire(), but only truly +acquires the lock when the compare-and-exchange is completed +successfully which isn’t ordered. This exposes the window between the +acquire and the cmpxchg to an A-B-A problem which allows reads +following the lock acquisition to observe values speculatively before +the write lock is truly acquired. + +We've seen a problem in epoll where the reader does a xchg while +holding the read lock, but the writer can see a value change out from +under it. + + Writer | Reader + -------------------------------------------------------------------------------- + ep_scan_ready_list() | + |- write_lock_irq() | + |- queued_write_lock_slowpath() | + |- atomic_cond_read_acquire() | + | read_lock_irqsave(&ep->lock, flags); + --> (observes value before unlock) | chain_epi_lockless() + | | epi->next = xchg(&ep->ovflist, epi); + | | read_unlock_irqrestore(&ep->lock, flags); + | | + | atomic_cmpxchg_relaxed() | + |-- READ_ONCE(ep->ovflist); | + +A core can order the read of the ovflist ahead of the +atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire +semantics addresses this issue at which point the atomic_cond_read can +be switched to use relaxed semantics. + +Fixes: b519b56e378ee ("locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock") +Signed-off-by: Ali Saidi +[peterz: use try_cmpxchg()] +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Steve Capper +Acked-by: Will Deacon +Acked-by: Waiman Long +Tested-by: Steve Capper +Signed-off-by: Sasha Levin +--- + kernel/locking/qrwlock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/locking/qrwlock.c b/kernel/locking/qrwlock.c +index c7471c3fb798..16c09cda3b02 100644 +--- a/kernel/locking/qrwlock.c ++++ b/kernel/locking/qrwlock.c +@@ -70,6 +70,8 @@ EXPORT_SYMBOL(queued_read_lock_slowpath); + */ + void queued_write_lock_slowpath(struct qrwlock *lock) + { ++ int cnts; ++ + /* Put the writer into the wait queue */ + arch_spin_lock(&lock->wait_lock); + +@@ -83,9 +85,8 @@ void queued_write_lock_slowpath(struct qrwlock *lock) + + /* When no more readers or writers, set the locked flag */ + do { +- atomic_cond_read_acquire(&lock->cnts, VAL == _QW_WAITING); +- } while (atomic_cmpxchg_relaxed(&lock->cnts, _QW_WAITING, +- _QW_LOCKED) != _QW_WAITING); ++ cnts = atomic_cond_read_relaxed(&lock->cnts, VAL == _QW_WAITING); ++ } while (!atomic_try_cmpxchg_acquire(&lock->cnts, &cnts, _QW_LOCKED)); + unlock: + arch_spin_unlock(&lock->wait_lock); + } +-- +2.30.2 + diff --git a/queue-4.19/net-geneve-check-skb-is-large-enough-for-ipv4-ipv6-h.patch b/queue-4.19/net-geneve-check-skb-is-large-enough-for-ipv4-ipv6-h.patch new file mode 100644 index 00000000000..3f1ffd99c47 --- /dev/null +++ b/queue-4.19/net-geneve-check-skb-is-large-enough-for-ipv4-ipv6-h.patch @@ -0,0 +1,52 @@ +From 48029142b54bc9723a0e7161bcb48754f5e704aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 12:28:24 +0100 +Subject: net: geneve: check skb is large enough for IPv4/IPv6 header + +From: Phillip Potter + +[ Upstream commit 6628ddfec7580882f11fdc5c194a8ea781fdadfa ] + +Check within geneve_xmit_skb/geneve6_xmit_skb that sk_buff structure +is large enough to include IPv4 or IPv6 header, and reject if not. The +geneve_xmit_skb portion and overall idea was contributed by Eric Dumazet. +Fixes a KMSAN-found uninit-value bug reported by syzbot at: +https://syzkaller.appspot.com/bug?id=abe95dc3e3e9667fc23b8d81f29ecad95c6f106f + +Suggested-by: Eric Dumazet +Reported-by: syzbot+2e406a9ac75bb71d4b7a@syzkaller.appspotmail.com +Signed-off-by: Phillip Potter +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 2e2afc824a6a..ce6fecf421f8 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -839,6 +839,9 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be16 df; + int err; + ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr))) ++ return -EINVAL; ++ + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, + geneve->info.key.tp_dst, sport); +@@ -882,6 +885,9 @@ static int geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be16 sport; + int err; + ++ if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) ++ return -EINVAL; ++ + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info, + geneve->info.key.tp_dst, sport); +-- +2.30.2 + diff --git a/queue-4.19/perf-x86-intel-uncore-remove-uncore-extra-pci-dev-hs.patch b/queue-4.19/perf-x86-intel-uncore-remove-uncore-extra-pci-dev-hs.patch new file mode 100644 index 00000000000..d5dd53a177e --- /dev/null +++ b/queue-4.19/perf-x86-intel-uncore-remove-uncore-extra-pci-dev-hs.patch @@ -0,0 +1,159 @@ +From 8c3016af2268285f3b6b26b0a1f6749474365e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 14:22:43 -0700 +Subject: perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 + +From: Kan Liang + +[ Upstream commit 9d480158ee86ad606d3a8baaf81e6b71acbfd7d5 ] + +There may be a kernel panic on the Haswell server and the Broadwell +server, if the snbep_pci2phy_map_init() return error. + +The uncore_extra_pci_dev[HSWEP_PCI_PCU_3] is used in the cpu_init() to +detect the existence of the SBOX, which is a MSR type of PMON unit. +The uncore_extra_pci_dev is allocated in the uncore_pci_init(). If the +snbep_pci2phy_map_init() returns error, perf doesn't initialize the +PCI type of the PMON units, so the uncore_extra_pci_dev will not be +allocated. But perf may continue initializing the MSR type of PMON +units. A null dereference kernel panic will be triggered. + +The sockets in a Haswell server or a Broadwell server are identical. +Only need to detect the existence of the SBOX once. +Current perf probes all available PCU devices and stores them into the +uncore_extra_pci_dev. It's unnecessary. +Use the pci_get_device() to replace the uncore_extra_pci_dev. Only +detect the existence of the SBOX on the first available PCU device once. + +Factor out hswep_has_limit_sbox(), since the Haswell server and the +Broadwell server uses the same way to detect the existence of the SBOX. + +Add some macros to replace the magic number. + +Fixes: 5306c31c5733 ("perf/x86/uncore/hsw-ep: Handle systems with only two SBOXes") +Reported-by: Steve Wahl +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Steve Wahl +Link: https://lkml.kernel.org/r/1618521764-100923-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 61 ++++++++++++---------------- + 1 file changed, 26 insertions(+), 35 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 8e4e8e423839..c06074b847fa 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -1030,7 +1030,6 @@ enum { + SNBEP_PCI_QPI_PORT0_FILTER, + SNBEP_PCI_QPI_PORT1_FILTER, + BDX_PCI_QPI_PORT2_FILTER, +- HSWEP_PCI_PCU_3, + }; + + static int snbep_qpi_hw_config(struct intel_uncore_box *box, struct perf_event *event) +@@ -2687,22 +2686,33 @@ static struct intel_uncore_type *hswep_msr_uncores[] = { + NULL, + }; + +-void hswep_uncore_cpu_init(void) ++#define HSWEP_PCU_DID 0x2fc0 ++#define HSWEP_PCU_CAPID4_OFFET 0x94 ++#define hswep_get_chop(_cap) (((_cap) >> 6) & 0x3) ++ ++static bool hswep_has_limit_sbox(unsigned int device) + { +- int pkg = boot_cpu_data.logical_proc_id; ++ struct pci_dev *dev = pci_get_device(PCI_VENDOR_ID_INTEL, device, NULL); ++ u32 capid4; ++ ++ if (!dev) ++ return false; ++ ++ pci_read_config_dword(dev, HSWEP_PCU_CAPID4_OFFET, &capid4); ++ if (!hswep_get_chop(capid4)) ++ return true; + ++ return false; ++} ++ ++void hswep_uncore_cpu_init(void) ++{ + if (hswep_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores) + hswep_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores; + + /* Detect 6-8 core systems with only two SBOXes */ +- if (uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3]) { +- u32 capid4; +- +- pci_read_config_dword(uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3], +- 0x94, &capid4); +- if (((capid4 >> 6) & 0x3) == 0) +- hswep_uncore_sbox.num_boxes = 2; +- } ++ if (hswep_has_limit_sbox(HSWEP_PCU_DID)) ++ hswep_uncore_sbox.num_boxes = 2; + + uncore_msr_uncores = hswep_msr_uncores; + } +@@ -2965,11 +2975,6 @@ static const struct pci_device_id hswep_uncore_pci_ids[] = { + .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, + SNBEP_PCI_QPI_PORT1_FILTER), + }, +- { /* PCU.3 (for Capability registers) */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x2fc0), +- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, +- HSWEP_PCI_PCU_3), +- }, + { /* end: all zeroes */ } + }; + +@@ -3061,27 +3066,18 @@ static struct event_constraint bdx_uncore_pcu_constraints[] = { + EVENT_CONSTRAINT_END + }; + ++#define BDX_PCU_DID 0x6fc0 ++ + void bdx_uncore_cpu_init(void) + { +- int pkg = topology_phys_to_logical_pkg(boot_cpu_data.phys_proc_id); +- + if (bdx_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores) + bdx_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores; + uncore_msr_uncores = bdx_msr_uncores; + +- /* BDX-DE doesn't have SBOX */ +- if (boot_cpu_data.x86_model == 86) { +- uncore_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL; + /* Detect systems with no SBOXes */ +- } else if (uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3]) { +- struct pci_dev *pdev; +- u32 capid4; +- +- pdev = uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3]; +- pci_read_config_dword(pdev, 0x94, &capid4); +- if (((capid4 >> 6) & 0x3) == 0) +- bdx_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL; +- } ++ if ((boot_cpu_data.x86_model == 86) || hswep_has_limit_sbox(BDX_PCU_DID)) ++ uncore_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL; ++ + hswep_uncore_pcu.constraints = bdx_uncore_pcu_constraints; + } + +@@ -3302,11 +3298,6 @@ static const struct pci_device_id bdx_uncore_pci_ids[] = { + .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, + BDX_PCI_QPI_PORT2_FILTER), + }, +- { /* PCU.3 (for Capability registers) */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6fc0), +- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, +- HSWEP_PCI_PCU_3), +- }, + { /* end: all zeroes */ } + }; + +-- +2.30.2 + diff --git a/queue-4.19/s390-entry-save-the-caller-of-psw_idle.patch b/queue-4.19/s390-entry-save-the-caller-of-psw_idle.patch new file mode 100644 index 00000000000..632bab43716 --- /dev/null +++ b/queue-4.19/s390-entry-save-the-caller-of-psw_idle.patch @@ -0,0 +1,62 @@ +From e36c871dfe05e90d1154dc58ca7100c6a4293385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 00:15:21 +0200 +Subject: s390/entry: save the caller of psw_idle + +From: Vasily Gorbik + +[ Upstream commit a994eddb947ea9ebb7b14d9a1267001699f0a136 ] + +Currently psw_idle does not allocate a stack frame and does not +save its r14 and r15 into the save area. Even though this is valid from +call ABI point of view, because psw_idle does not make any calls +explicitly, in reality psw_idle is an entry point for controlled +transition into serving interrupts. So, in practice, psw_idle stack +frame is analyzed during stack unwinding. Depending on build options +that r14 slot in the save area of psw_idle might either contain a value +saved by previous sibling call or complete garbage. + + [task 0000038000003c28] do_ext_irq+0xd6/0x160 + [task 0000038000003c78] ext_int_handler+0xba/0xe8 + [task *0000038000003dd8] psw_idle_exit+0x0/0x8 <-- pt_regs + ([task 0000038000003dd8] 0x0) + [task 0000038000003e10] default_idle_call+0x42/0x148 + [task 0000038000003e30] do_idle+0xce/0x160 + [task 0000038000003e70] cpu_startup_entry+0x36/0x40 + [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 + +So, to make a stacktrace nicer and actually point for the real caller of +psw_idle in this frequently occurring case, make psw_idle save its r14. + + [task 0000038000003c28] do_ext_irq+0xd6/0x160 + [task 0000038000003c78] ext_int_handler+0xba/0xe8 + [task *0000038000003dd8] psw_idle_exit+0x0/0x6 <-- pt_regs + ([task 0000038000003dd8] arch_cpu_idle+0x3c/0xd0) + [task 0000038000003e10] default_idle_call+0x42/0x148 + [task 0000038000003e30] do_idle+0xce/0x160 + [task 0000038000003e70] cpu_startup_entry+0x36/0x40 + [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 + +Reviewed-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/entry.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 150130c897c3..7e6a9cf863c7 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -949,6 +949,7 @@ ENTRY(ext_int_handler) + * Load idle PSW. The second "half" of this function is in .Lcleanup_idle. + */ + ENTRY(psw_idle) ++ stg %r14,(__SF_GPRS+8*8)(%r15) + stg %r3,__SF_EMPTY(%r15) + larl %r1,.Lpsw_idle_lpsw+4 + stg %r1,__SF_EMPTY+8(%r15) +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index e79dd9b3748..8816c89c616 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -42,3 +42,15 @@ arm-9071-1-uprobes-don-t-hook-on-thumb-instructions.patch net-phy-marvell-fix-detection-of-phy-on-topaz-switches.patch gup-document-and-work-around-cow-can-break-either-way-issue.patch pinctrl-lewisburg-update-number-of-pins-in-community.patch +locking-qrwlock-fix-ordering-in-queued_write_lock_sl.patch +perf-x86-intel-uncore-remove-uncore-extra-pci-dev-hs.patch +hid-google-add-don-usb-id.patch +hid-alps-fix-error-return-code-in-alps_input_configu.patch +hid-wacom-assign-boolean-values-to-a-bool-variable.patch +arm-dts-fix-swapped-mmc-order-for-omap3.patch +net-geneve-check-skb-is-large-enough-for-ipv4-ipv6-h.patch +s390-entry-save-the-caller-of-psw_idle.patch +xen-netback-check-for-hotplug-status-existence-befor.patch +cavium-liquidio-fix-duplicate-argument.patch +ia64-fix-discontig.c-section-mismatches.patch +ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch diff --git a/queue-4.19/xen-netback-check-for-hotplug-status-existence-befor.patch b/queue-4.19/xen-netback-check-for-hotplug-status-existence-befor.patch new file mode 100644 index 00000000000..f95b2bade3f --- /dev/null +++ b/queue-4.19/xen-netback-check-for-hotplug-status-existence-befor.patch @@ -0,0 +1,66 @@ +From ef42b9c9a52de5d93f4d2dcd8b3ec3b811b990d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 16:25:12 +0100 +Subject: xen-netback: Check for hotplug-status existence before watching + +From: Michael Brown + +[ Upstream commit 2afeec08ab5c86ae21952151f726bfe184f6b23d ] + +The logic in connect() is currently written with the assumption that +xenbus_watch_pathfmt() will return an error for a node that does not +exist. This assumption is incorrect: xenstore does allow a watch to +be registered for a nonexistent node (and will send notifications +should the node be subsequently created). + +As of commit 1f2565780 ("xen-netback: remove 'hotplug-status' once it +has served its purpose"), this leads to a failure when a domU +transitions into XenbusStateConnected more than once. On the first +domU transition into Connected state, the "hotplug-status" node will +be deleted by the hotplug_status_changed() callback in dom0. On the +second or subsequent domU transition into Connected state, the +hotplug_status_changed() callback will therefore never be invoked, and +so the backend will remain stuck in InitWait. + +This failure prevents scenarios such as reloading the xen-netfront +module within a domU, or booting a domU via iPXE. There is +unfortunately no way for the domU to work around this dom0 bug. + +Fix by explicitly checking for existence of the "hotplug-status" node, +thereby creating the behaviour that was previously assumed to exist. + +Signed-off-by: Michael Brown +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/xenbus.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index 107bbd4ae825..78c56149559c 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -1043,11 +1043,15 @@ static void connect(struct backend_info *be) + xenvif_carrier_on(be->vif); + + unregister_hotplug_status_watch(be); +- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL, +- hotplug_status_changed, +- "%s/%s", dev->nodename, "hotplug-status"); +- if (!err) ++ if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) { ++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, ++ NULL, hotplug_status_changed, ++ "%s/%s", dev->nodename, ++ "hotplug-status"); ++ if (err) ++ goto err; + be->have_hotplug_status_watch = 1; ++ } + + netif_tx_wake_all_queues(be->vif->dev); + +-- +2.30.2 + -- 2.47.3