author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-21 12:05:23 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-21 12:05:23 -0400 |
commit | 7e1fb16d1a559d904def5ea5373cd51fcf1643b4 (patch) | |
tree | 0497842599957e644de89aa4424bcc1dff33e3ab | |
parent | 8134c68c969417241e7edbd71d9d448c40a0bc7f (diff) | |
download | longterm-queue-5.2-7e1fb16d1a559d904def5ea5373cd51fcf1643b4.tar.gz |
raw import of mainline commits used in v5.4.56 for consideration
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
87 files changed, 5517 insertions, 0 deletions
diff --git a/queue/9p-trans_fd-Fix-concurrency-del-of-req_list-in-p9_fd.patch b/queue/9p-trans_fd-Fix-concurrency-del-of-req_list-in-p9_fd.patch
new file mode 100644
index 00000000..8ab7b68a
--- /dev/null
+++ b/queue/9p-trans_fd-Fix-concurrency-del-of-req_list-in-p9_fd.patch
@@ -0,0 +1,63 @@
+From 74d6a5d5662975aed7f25952f62efbb6f6dadd29 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Fri, 12 Jun 2020 17:08:33 +0800
+Subject: [PATCH] 9p/trans_fd: Fix concurrency del of req_list in
+ p9_fd_cancelled/p9_read_work
+
+commit 74d6a5d5662975aed7f25952f62efbb6f6dadd29 upstream.
+
+p9_read_work and p9_fd_cancelled may be called concurrently.
+In some cases, req->req_list may be deleted by both p9_read_work
+and p9_fd_cancelled.
+
+We can fix it by ignoring replies associated with a cancelled
+request and ignoring cancelled request if message has been received
+before lock.
+
+Link: http://lkml.kernel.org/r/20200612090833.36149-1-wanghai38@huawei.com
+Fixes: 60ff779c4abb ("9p: client: remove unused code and any reference to "cancelled" function")
+Cc: <stable@vger.kernel.org> # v3.12+
+Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 9c9196d30a59..12ecacf0c55f 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -362,6 +362,10 @@ static void p9_read_work(struct work_struct *work)
+ if (m->rreq->status == REQ_STATUS_SENT) {
+ list_del(&m->rreq->req_list);
+ p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD);
++ } else if (m->rreq->status == REQ_STATUS_FLSHD) {
++ /* Ignore replies associated with a cancelled request. */
++ p9_debug(P9_DEBUG_TRANS,
++ "Ignore replies associated with a cancelled request\n");
+ } else {
+ spin_unlock(&m->client->lock);
+ p9_debug(P9_DEBUG_ERROR,
+@@ -703,11 +707,20 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req)
+ {
+ p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
+
++ spin_lock(&client->lock);
++ /* Ignore cancelled request if message has been received
++ * before lock.
++ */
++ if (req->status == REQ_STATUS_RCVD) {
++ spin_unlock(&client->lock);
++ return 0;
++ }
++
+ /* we haven't received a response for oldreq,
+ * remove it from the list.
+ */
+- spin_lock(&client->lock);
+ list_del(&req->req_list);
++ req->status = REQ_STATUS_FLSHD;
+ spin_unlock(&client->lock);
+ p9_req_put(req);
+
+--
+2.27.0
+
diff --git a/queue/ALSA-hda-hdmi-Fix-keep_power-assignment-for-non-comp.patch b/queue/ALSA-hda-hdmi-Fix-keep_power-assignment-for-non-comp.patch
new file mode 100644
index 00000000..a8ad226a
--- /dev/null
+++ b/queue/ALSA-hda-hdmi-Fix-keep_power-assignment-for-non-comp.patch
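Review bot: In p9_fd_cancelled() in net/9p/trans_fd.c (queued as 9p-trans_fd-Fix-concurrency-del-of-req_list-in-p9_fd.patch), the new early return covers only `REQ_STATUS_RCVD`, so a request in any other state in which it has already left the list would still reach `list_del(&req->req_list)` and `p9_req_put(req)`. Whether such a state can arrive here is not visible in the hunk and should be confirmed; if it can, guarding on the one state this path expects, `if (req->status != REQ_STATUS_SENT)`, would be the more defensive check. The early return also skips `p9_req_put(req)`, so a one-line comment naming the path that drops that reference in the RCVD case would help whoever audits the refcounting next.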
@@ -0,0 +1,55 @@
+From c2c3657f0aedb8736a0fb7b2b1985adfb86e7802 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 28 Jul 2020 10:20:33 +0200
+Subject: [PATCH] ALSA: hda/hdmi: Fix keep_power assignment for non-component
+ devices
+
+commit c2c3657f0aedb8736a0fb7b2b1985adfb86e7802 upstream.
+
+It's been reported that, when neither nouveau nor Nvidia graphics
+driver is used, the screen starts flickering. And, after comparing
+between the working case (stable 4.4.x) and the broken case, it turned
+out that the problem comes from the audio component binding. The
+Nvidia and AMD audio binding code clears the bus->keep_power flag
+whenever snd_hdac_acomp_init() succeeds. But this doesn't mean that
+the component is actually bound, but it merely indicates that it's
+ready for binding. So, when both nouveau and Nvidia are blacklisted
+or not ready, the driver keeps running without the audio component but
+also with bus->keep_power = false. This made the driver runtime PM
+kicked in and powering down when unused, which results in flickering
+in the graphics side, as it seems.
+
+For fixing the bug, this patch moves the bus->keep_power flag change
+into generic_acomp_notifier_set() that is the function called from the
+master_bind callback of component ops; i.e. it's guaranteed that the
+binding succeeded.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208609
+Fixes: 5a858e79c911 ("ALSA: hda - Disable audio component for legacy Nvidia HDMI codecs")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200728082033.23933-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 41eaa89660c3..cd46247988e4 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2440,6 +2440,7 @@ static void generic_acomp_notifier_set(struct drm_audio_component *acomp,
+ mutex_lock(&spec->bind_lock);
+ spec->use_acomp_notifier = use_acomp;
+ spec->codec->relaxed_resume = use_acomp;
++ spec->codec->bus->keep_power = 0;
+ /* reprogram each jack detection logic depending on the notifier */
+ for (i = 0; i < spec->num_pins; i++)
+ reprogram_jack_detect(spec->codec,
+@@ -2534,7 +2535,6 @@ static void generic_acomp_init(struct hda_codec *codec,
+ if (!snd_hdac_acomp_init(&codec->bus->core, &spec->drm_audio_ops,
+ match_bound_vga, 0)) {
+ spec->acomp_registered = true;
+- codec->bus->keep_power = 0;
+ }
+ }
+
+--
+2.27.0
+
diff --git a/queue/ALSA-hda-realtek-Fix-add-a-ultra_low_power-function-.patch b/queue/ALSA-hda-realtek-Fix-add-a-ultra_low_power-function-.patch
new file mode 100644
index 00000000..3fdcd0f3
--- /dev/null
+++ b/queue/ALSA-hda-realtek-Fix-add-a-ultra_low_power-function-.patch
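Review bot: In generic_acomp_notifier_set() in sound/pci/hda/patch_hdmi.c (queued as ALSA-hda-hdmi-Fix-keep_power-assignment-for-non-comp.patch), the added `spec->codec->bus->keep_power = 0;` is unconditional, while the two assignments just above it follow `use_acomp`. If the function can also be entered with `use_acomp` false (its callers are outside the hunk), the flag is cleared on that path too and nothing visible here restores it. Either a short comment stating that clearing it on every call is intended, or tying the assignment to `use_acomp`, would make the behaviour explicit; the function body starts and ends outside the hunk.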
@@ -0,0 +1,31 @@
+From 6fa38ef1534e7e9320aa15e329eb1404ab2f70ac Mon Sep 17 00:00:00 2001
+From: PeiSen Hou <pshou@realtek.com>
+Date: Mon, 27 Jul 2020 13:56:47 +0200
+Subject: [PATCH] ALSA: hda/realtek: Fix add a "ultra_low_power" function for
+ intel reference board (alc256)
+
+commit 6fa38ef1534e7e9320aa15e329eb1404ab2f70ac upstream.
+
+Intel requires to enable power saving mode for intel reference board (alc256)
+
+Signed-off-by: PeiSen Hou <pshou@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200727115647.10967-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 3f2512942daf..0f640d99a396 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7590,7 +7590,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+ SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
+- SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC225_FIXUP_HEADSET_JACK),
++ SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+--
+2.27.0
+
diff --git a/queue/ALSA-hda-realtek-Fixed-HP-right-speaker-no-sound.patch b/queue/ALSA-hda-realtek-Fixed-HP-right-speaker-no-sound.patch
new file mode 100644
index 00000000..bed3eeb5
--- /dev/null
+++ b/queue/ALSA-hda-realtek-Fixed-HP-right-speaker-no-sound.patch
@@ -0,0 +1,70 @@
+From 5649625344fe1f4695eace7c37d011e317bf66d5 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 29 Jul 2020 15:09:27 +0800
+Subject: [PATCH] ALSA: hda/realtek - Fixed HP right speaker no sound
+
+commit 5649625344fe1f4695eace7c37d011e317bf66d5 upstream.
+
+HP NB right speaker had no sound output.
+This platform was connected to I2S Amp for speaker out.(None Realtek I2S Amp IC)
+EC need to check codec GPIO1 pin to initial I2S Amp.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/01285f623ac7447187482fb4a8ecaa7c@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0f640d99a396..29f5878f0c50 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5975,6 +5975,16 @@ static void alc_fixup_disable_mic_vref(struct hda_codec *codec,
+ snd_hda_codec_set_pin_target(codec, 0x19, PIN_VREFHIZ);
+ }
+
++static void alc285_fixup_hp_gpio_amp_init(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ if (action != HDA_FIXUP_ACT_INIT)
++ return;
++
++ msleep(100);
++ alc_write_coef_idx(codec, 0x65, 0x0);
++}
++
+ /* for hda_fixup_thinkpad_acpi() */
+ #include "thinkpad_helper.c"
+
+@@ -6155,6 +6165,7 @@ enum {
+ ALC289_FIXUP_ASUS_GA401,
+ ALC289_FIXUP_ASUS_GA502,
+ ALC256_FIXUP_ACER_MIC_NO_PRESENCE,
++ ALC285_FIXUP_HP_GPIO_AMP_INIT,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -7387,6 +7398,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
+ },
++ [ALC285_FIXUP_HP_GPIO_AMP_INIT] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_gpio_amp_init,
++ .chained = true,
++ .chain_id = ALC285_FIXUP_HP_GPIO_LED
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -7537,7 +7554,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+- SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+--
+2.27.0
+
diff --git a/queue/ALSA-hda-realtek-enable-headset-mic-of-ASUS-ROG-Zeph.patch b/queue/ALSA-hda-realtek-enable-headset-mic-of-ASUS-ROG-Zeph.patch
new file mode 100644
index 00000000..3d1833fb
--- /dev/null
+++ b/queue/ALSA-hda-realtek-enable-headset-mic-of-ASUS-ROG-Zeph.patch
@@ -0,0 +1,56 @@
+From 4b43d05a1978a93a19374c6e6b817c9c1ff4ba4b Mon Sep 17 00:00:00 2001
+From: Armas Spann <zappel@retarded.farm>
+Date: Fri, 24 Jul 2020 16:06:16 +0200
+Subject: [PATCH] ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus
+ G15(GA502) series with ALC289
+
+commit 4b43d05a1978a93a19374c6e6b817c9c1ff4ba4b upstream.
+
+This patch adds support for headset mic to the ASUS ROG Zephyrus
+G15(GA502) notebook series by adding the corresponding
+vendor/pci_device id, as well as adding a new fixup for the used
+realtek ALC289. The fixup stets the correct pin to get the headset mic
+correctly recognized on audio-jack.
+
+Signed-off-by: Armas Spann <zappel@retarded.farm>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200724140616.298892-1-zappel@retarded.farm
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 1b2d8e56390a..a2c48a7f4594 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6153,6 +6153,7 @@ enum {
+ ALC269VC_FIXUP_ACER_HEADSET_MIC,
+ ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE,
+ ALC289_FIXUP_ASUS_G401,
++ ALC289_FIXUP_ASUS_GA502,
+ ALC256_FIXUP_ACER_MIC_NO_PRESENCE,
+ };
+
+@@ -7370,6 +7371,13 @@ static const struct hda_fixup alc269_fixups[] = {
+ { }
+ },
+ },
++ [ALC289_FIXUP_ASUS_GA502] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x19, 0x03a11020 }, /* headset mic with jack detect */
++ { }
++ },
++ },
+ [ALC256_FIXUP_ACER_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -7561,6 +7569,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
++ SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502),
+ SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_G401),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
+ SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
+--
+2.27.0
+
diff --git a/queue/ALSA-hda-realtek-typo_fix-enable-headset-mic-of-ASUS.patch b/queue/ALSA-hda-realtek-typo_fix-enable-headset-mic-of-ASUS.patch
new file mode 100644
index 00000000..defa27d3
--- /dev/null
+++ b/queue/ALSA-hda-realtek-typo_fix-enable-headset-mic-of-ASUS.patch
@@ -0,0 +1,50 @@
+From 293a92c1d9913248b9987b68f3a5d6d2f0aae62b Mon Sep 17 00:00:00 2001
+From: Armas Spann <zappel@retarded.farm>
+Date: Fri, 24 Jul 2020 16:08:37 +0200
+Subject: [PATCH] ALSA: hda/realtek: typo_fix: enable headset mic of ASUS ROG
+ Zephyrus G14(GA401) series with ALC289
+
+commit 293a92c1d9913248b9987b68f3a5d6d2f0aae62b upstream.
+
+This patch fixes a small typo I accidently submitted with the initial patch. The board should be named GA401 not G401.
+
+Fixes: ff53664daff2 ("ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G14(G401) series with ALC289")
+Signed-off-by: Armas Spann <zappel@retarded.farm>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200724140837.302763-1-zappel@retarded.farm
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index a2c48a7f4594..3f2512942daf 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6152,7 +6152,7 @@ enum {
+ ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS,
+ ALC269VC_FIXUP_ACER_HEADSET_MIC,
+ ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE,
+- ALC289_FIXUP_ASUS_G401,
++ ALC289_FIXUP_ASUS_GA401,
+ ALC289_FIXUP_ASUS_GA502,
+ ALC256_FIXUP_ACER_MIC_NO_PRESENCE,
+ };
+@@ -7364,7 +7364,7 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MIC
+ },
+- [ALC289_FIXUP_ASUS_G401] = {
++ [ALC289_FIXUP_ASUS_GA401] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x19, 0x03a11020 }, /* headset mic with jack detect */
+@@ -7570,7 +7570,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502),
+- SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_G401),
++ SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
+ SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC),
+--
+2.27.0
+
diff --git a/queue/ALSA-usb-audio-Add-implicit-feedback-quirk-for-SSL2.patch b/queue/ALSA-usb-audio-Add-implicit-feedback-quirk-for-SSL2.patch
new file mode 100644
index 00000000..1451e0fa
--- /dev/null
+++ b/queue/ALSA-usb-audio-Add-implicit-feedback-quirk-for-SSL2.patch
@@ -0,0 +1,31 @@
+From 3da87ec67a491b9633a82045896c076b794bf938 Mon Sep 17 00:00:00 2001
+From: Laurence Tratt <laurie@tratt.net>
+Date: Sun, 21 Jun 2020 08:50:05 +0100
+Subject: [PATCH] ALSA: usb-audio: Add implicit feedback quirk for SSL2
+
+commit 3da87ec67a491b9633a82045896c076b794bf938 upstream.
+
+As expected, this requires the same quirk as the SSL2+ in order for the
+clock to sync. This was suggested by, and tested on an SSL2, by Dmitry.
+
+Suggested-by: Dmitry <dpavlushko@gmail.com>
+Signed-off-by: Laurence Tratt <laurie@tratt.net>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200621075005.52mjjfc6dtdjnr3h@overdrive.tratt.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index 40b7cd13fed9..a69d9e75f66f 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -367,6 +367,7 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+ ifnum = 0;
+ goto add_sync_ep_from_ifnum;
+ case USB_ID(0x07fd, 0x0008): /* MOTU M Series */
++ case USB_ID(0x31e9, 0x0001): /* Solid State Logic SSL2 */
+ case USB_ID(0x31e9, 0x0002): /* Solid State Logic SSL2+ */
+ case USB_ID(0x0d9a, 0x00df): /* RTX6001 */
+ ep = 0x81;
+--
+2.27.0
+
diff --git a/queue/ARM-8986-1-hw_breakpoint-Don-t-invoke-overflow-handl.patch b/queue/ARM-8986-1-hw_breakpoint-Don-t-invoke-overflow-handl.patch
new file mode 100644
index 00000000..5ca575c5
--- /dev/null
+++ b/queue/ARM-8986-1-hw_breakpoint-Don-t-invoke-overflow-handl.patch
@@ -0,0 +1,80 @@
+From eec13b42d41b0f3339dcf0c4da43734427c68620 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 18 Jun 2020 11:16:45 +0100
+Subject: [PATCH] ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on
+ uaccess watchpoints
+
+commit eec13b42d41b0f3339dcf0c4da43734427c68620 upstream.
+
+Unprivileged memory accesses generated by the so-called "translated"
+instructions (e.g. LDRT) in kernel mode can cause user watchpoints to fire
+unexpectedly. In such cases, the hw_breakpoint logic will invoke the user
+overflow handler which will typically raise a SIGTRAP back to the current
+task. This is futile when returning back to the kernel because (a) the
+signal won't have been delivered and (b) userspace can't handle the thing
+anyway.
+
+Avoid invoking the user overflow handler for watchpoints triggered by
+kernel uaccess routines, and instead single-step over the faulting
+instruction as we would if no overflow handler had been installed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: f81ef4a920c8 ("ARM: 6356/1: hw-breakpoint: add ARM backend for the hw-breakpoint framework")
+Reported-by: Luis Machado <luis.machado@linaro.org>
+Tested-by: Luis Machado <luis.machado@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 02ca7adf5375..7fff88e61252 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -683,6 +683,12 @@ static void disable_single_step(struct perf_event *bp)
+ arch_install_hw_breakpoint(bp);
+ }
+
++static int watchpoint_fault_on_uaccess(struct pt_regs *regs,
++ struct arch_hw_breakpoint *info)
++{
++ return !user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER;
++}
++
+ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+ struct pt_regs *regs)
+ {
+@@ -742,16 +748,27 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+ }
+
+ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger);
++
++ /*
++ * If we triggered a user watchpoint from a uaccess routine,
++ * then handle the stepping ourselves since userspace really
++ * can't help us with this.
++ */
++ if (watchpoint_fault_on_uaccess(regs, info))
++ goto step;
++
+ perf_bp_event(wp, regs);
+
+ /*
+- * If no overflow handler is present, insert a temporary
+- * mismatch breakpoint so we can single-step over the
+- * watchpoint trigger.
++ * Defer stepping to the overflow handler if one is installed.
++ * Otherwise, insert a temporary mismatch breakpoint so that
++ * we can single-step over the watchpoint trigger.
+ */
+- if (is_default_overflow_handler(wp))
+- enable_single_step(wp, instruction_pointer(regs));
++ if (!is_default_overflow_handler(wp))
++ goto unlock;
+
++step:
++ enable_single_step(wp, instruction_pointer(regs));
+ unlock:
+ rcu_read_unlock();
+ }
+--
+2.27.0
+
diff --git a/queue/ARM-dts-armada-38x-fix-NETA-lockup-when-repeatedly-s.patch b/queue/ARM-dts-armada-38x-fix-NETA-lockup-when-repeatedly-s.patch
new file mode 100644
index 00000000..e84e7ca3
--- /dev/null
+++ b/queue/ARM-dts-armada-38x-fix-NETA-lockup-when-repeatedly-s.patch
@@ -0,0 +1,34 @@
+From 09781ba0395c46b1c844f47e405e3ce7856f5989 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 21 Jul 2020 15:40:38 +0100
+Subject: [PATCH] ARM: dts: armada-38x: fix NETA lockup when repeatedly
+ switching speeds
+
+commit 09781ba0395c46b1c844f47e405e3ce7856f5989 upstream.
+
+To support the change in "phy: armada-38x: fix NETA lockup when
+repeatedly switching speeds" we need to update the DT with the
+additional register.
+
+Fixes: 14dc100b4411 ("phy: armada38x: add common phy support")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi
+index 348116501aa2..9b1a24cc5e91 100644
+--- a/arch/arm/boot/dts/armada-38x.dtsi
++++ b/arch/arm/boot/dts/armada-38x.dtsi
+@@ -342,7 +342,8 @@ gateclk: clock-gating-control@18220 {
+
+ comphy: phy@18300 {
+ compatible = "marvell,armada-380-comphy";
+- reg = <0x18300 0x100>;
++ reg-names = "comphy", "conf";
++ reg = <0x18300 0x100>, <0x18460 4>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+--
+2.27.0
+
diff --git a/queue/ARM-dts-imx6qdl-icore-Fix-OTG_ID-pin-and-sdcard-dete.patch b/queue/ARM-dts-imx6qdl-icore-Fix-OTG_ID-pin-and-sdcard-dete.patch
new file mode 100644
index 00000000..f1f471ca
--- /dev/null
+++ b/queue/ARM-dts-imx6qdl-icore-Fix-OTG_ID-pin-and-sdcard-dete.patch
@@ -0,0 +1,65 @@
+From 4a601da92c2a782e5c022680d476104586b74994 Mon Sep 17 00:00:00 2001
+From: Michael Trimarchi <michael@amarulasolutions.com>
+Date: Fri, 17 Jul 2020 13:33:52 +0530
+Subject: [PATCH] ARM: dts: imx6qdl-icore: Fix OTG_ID pin and sdcard detect
+
+commit 4a601da92c2a782e5c022680d476104586b74994 upstream.
+
+The current pin muxing scheme muxes GPIO_1 pad for USB_OTG_ID
+because of which when card is inserted, usb otg is enumerated
+and the card is never detected.
+
+[ 64.492645] cfg80211: failed to load regulatory.db
+[ 64.492657] imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware
+[ 76.343711] ci_hdrc ci_hdrc.0: EHCI Host Controller
+[ 76.349742] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 2
+[ 76.388862] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
+[ 76.396650] usb usb2: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.08
+[ 76.405412] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
+[ 76.412763] usb usb2: Product: EHCI Host Controller
+[ 76.417666] usb usb2: Manufacturer: Linux 5.8.0-rc1-next-20200618 ehci_hcd
+[ 76.424623] usb usb2: SerialNumber: ci_hdrc.0
+[ 76.431755] hub 2-0:1.0: USB hub found
+[ 76.435862] hub 2-0:1.0: 1 port detected
+
+The TRM mentions GPIO_1 pad should be muxed/assigned for card detect
+and ENET_RX_ER pad for USB_OTG_ID for proper operation.
+
+This patch fixes pin muxing as per TRM and is tested on a
+i.Core 1.5 MX6 DL SOM.
+
+[ 22.449165] mmc0: host does not support reading read-only switch, assuming write-enable
+[ 22.459992] mmc0: new high speed SDHC card at address 0001
+[ 22.469725] mmcblk0: mmc0:0001 EB1QT 29.8 GiB
+[ 22.478856] mmcblk0: p1 p2
+
+Fixes: 6df11287f7c9 ("ARM: dts: imx6q: Add Engicam i.CoreM6 Quad/Dual initial support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
+Signed-off-by: Suniel Mahesh <sunil@amarulasolutions.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+
+diff --git a/arch/arm/boot/dts/imx6qdl-icore.dtsi b/arch/arm/boot/dts/imx6qdl-icore.dtsi
+index 756f3a9f1b4f..12997dae35d9 100644
+--- a/arch/arm/boot/dts/imx6qdl-icore.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-icore.dtsi
+@@ -397,7 +397,7 @@ MX6QDL_PAD_SD4_DAT1__PWM3_OUT 0x1b0b1
+
+ pinctrl_usbotg: usbotggrp {
+ fsl,pins = <
+- MX6QDL_PAD_GPIO_1__USB_OTG_ID 0x17059
++ MX6QDL_PAD_ENET_RX_ER__USB_OTG_ID 0x17059
+ >;
+ };
+
+@@ -409,6 +409,7 @@ MX6QDL_PAD_SD1_DAT0__SD1_DATA0 0x17070
+ MX6QDL_PAD_SD1_DAT1__SD1_DATA1 0x17070
+ MX6QDL_PAD_SD1_DAT2__SD1_DATA2 0x17070
+ MX6QDL_PAD_SD1_DAT3__SD1_DATA3 0x17070
++ MX6QDL_PAD_GPIO_1__GPIO1_IO01 0x1b0b0
+ >;
+ };
+
+--
+2.27.0
+
diff --git a/queue/ARM-dts-imx6sx-sabreauto-Fix-the-phy-mode-on-fec2.patch b/queue/ARM-dts-imx6sx-sabreauto-Fix-the-phy-mode-on-fec2.patch
new file mode 100644
index 00000000..d0a3f31e
--- /dev/null
+++ b/queue/ARM-dts-imx6sx-sabreauto-Fix-the-phy-mode-on-fec2.patch
@@ -0,0 +1,33 @@
+From d36f260718d83928e6012247a7e1b9791cdb12ff Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Mon, 13 Jul 2020 11:23:25 -0300
+Subject: [PATCH] ARM: dts: imx6sx-sabreauto: Fix the phy-mode on fec2
+
+commit d36f260718d83928e6012247a7e1b9791cdb12ff upstream.
+
+Commit 0672d22a1924 ("ARM: dts: imx: Fix the AR803X phy-mode") fixed the
+phy-mode for fec1, but missed to fix it for the fec2 node.
+
+Fix fec2 to also use "rgmii-id" as the phy-mode.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0672d22a1924 ("ARM: dts: imx: Fix the AR803X phy-mode")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+
+diff --git a/arch/arm/boot/dts/imx6sx-sabreauto.dts b/arch/arm/boot/dts/imx6sx-sabreauto.dts
+index 825924448ab4..14fd1de52a68 100644
+--- a/arch/arm/boot/dts/imx6sx-sabreauto.dts
++++ b/arch/arm/boot/dts/imx6sx-sabreauto.dts
+@@ -99,7 +99,7 @@ ethphy1: ethernet-phy@1 {
+ &fec2 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet2>;
+- phy-mode = "rgmii";
++ phy-mode = "rgmii-id";
+ phy-handle = <ðphy0>;
+ fsl,magic-packet;
+ status = "okay";
+--
+2.27.0
+
diff --git a/queue/ARM-dts-imx6sx-sdb-Fix-the-phy-mode-on-fec2.patch b/queue/ARM-dts-imx6sx-sdb-Fix-the-phy-mode-on-fec2.patch
new file mode 100644
index 00000000..64861263
--- /dev/null
+++ b/queue/ARM-dts-imx6sx-sdb-Fix-the-phy-mode-on-fec2.patch
@@ -0,0 +1,33 @@
+From c696afd331be1acb39206aba53048f2386b781fc Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Mon, 13 Jul 2020 11:23:24 -0300
+Subject: [PATCH] ARM: dts: imx6sx-sdb: Fix the phy-mode on fec2
+
+commit c696afd331be1acb39206aba53048f2386b781fc upstream.
+
+Commit 0672d22a1924 ("ARM: dts: imx: Fix the AR803X phy-mode") fixed the
+phy-mode for fec1, but missed to fix it for the fec2 node.
+
+Fix fec2 to also use "rgmii-id" as the phy-mode.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0672d22a1924 ("ARM: dts: imx: Fix the AR803X phy-mode")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+
+diff --git a/arch/arm/boot/dts/imx6sx-sdb.dtsi b/arch/arm/boot/dts/imx6sx-sdb.dtsi
+index 3e5fb72f21fc..c99aa273c296 100644
+--- a/arch/arm/boot/dts/imx6sx-sdb.dtsi
++++ b/arch/arm/boot/dts/imx6sx-sdb.dtsi
+@@ -213,7 +213,7 @@ ethphy2: ethernet-phy@2 {
+ &fec2 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet2>;
+- phy-mode = "rgmii";
++ phy-mode = "rgmii-id";
+ phy-handle = <ðphy2>;
+ status = "okay";
+ };
+--
+2.27.0
+
diff --git a/queue/ARM-dts-sunxi-Relax-a-bit-the-CMA-pool-allocation-ra.patch b/queue/ARM-dts-sunxi-Relax-a-bit-the-CMA-pool-allocation-ra.patch
new file mode 100644
index 00000000..0e9d8ea3
--- /dev/null
+++ b/queue/ARM-dts-sunxi-Relax-a-bit-the-CMA-pool-allocation-ra.patch
@@ -0,0 +1,71 @@
+From 92025b90f18d45e26b7f17d68756b1abd771b9d3 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime@cerno.tech>
+Date: Sat, 4 Jul 2020 15:08:29 +0200
+Subject: [PATCH] ARM: dts sunxi: Relax a bit the CMA pool allocation range
+
+commit 92025b90f18d45e26b7f17d68756b1abd771b9d3 upstream.
+
+The hardware codec on the A10, A10s, A13 and A20 needs buffer in the
+first 256MB of RAM. This was solved by setting the CMA pool at a fixed
+address in that range.
+
+However, in recent kernels there's something else that comes in and
+reserve some range that end up conflicting with our default pool
+requirement, and thus makes its reservation fail.
+
+The video codec will then use buffers from the usual default pool,
+outside of the range it can access, and will fail to decode anything.
+
+Since we're only concerned about that 256MB, we can however relax the
+allocation to just specify the range that's allowed, and not try to
+enforce a specific address.
+
+Fixes: 5949bc5602cc ("ARM: dts: sun4i-a10: Add Video Engine and reserved memory nodes")
+Fixes: 960432010156 ("ARM: dts: sun5i: Add Video Engine and reserved memory nodes")
+Fixes: c2a641a74850 ("ARM: dts: sun7i-a20: Add Video Engine and reserved memory nodes")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20200704130829.34297-1-maxime@cerno.tech
+
+diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi
+index bf531efc0610..0f95a6ef8543 100644
+--- a/arch/arm/boot/dts/sun4i-a10.dtsi
++++ b/arch/arm/boot/dts/sun4i-a10.dtsi
+@@ -198,7 +198,7 @@ reserved-memory {
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+diff --git a/arch/arm/boot/dts/sun5i.dtsi b/arch/arm/boot/dts/sun5i.dtsi
+index e6b036734a64..c2b4fbf552a3 100644
+--- a/arch/arm/boot/dts/sun5i.dtsi
++++ b/arch/arm/boot/dts/sun5i.dtsi
+@@ -117,7 +117,7 @@ reserved-memory {
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+diff --git a/arch/arm/boot/dts/sun7i-a20.dtsi b/arch/arm/boot/dts/sun7i-a20.dtsi
+index ffe1d10a1a84..6d6a37940db2 100644
+--- a/arch/arm/boot/dts/sun7i-a20.dtsi
++++ b/arch/arm/boot/dts/sun7i-a20.dtsi
+@@ -181,7 +181,7 @@ reserved-memory {
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+--
+2.27.0
+
diff --git a/queue/Bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch b/queue/Bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch
new file mode 100644
index 00000000..c8ccf765
--- /dev/null
+++ b/queue/Bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch
@@ -0,0 +1,149 @@ +From a2ec905d1e160a33b2e210e45ad30445ef26ce0e Mon Sep 17 00:00:00 2001 +From: Alain Michaud <alainm@chromium.org> +Date: Mon, 27 Jul 2020 20:48:55 +0000 +Subject: [PATCH] Bluetooth: fix kernel oops in store_pending_adv_report + +commit a2ec905d1e160a33b2e210e45ad30445ef26ce0e upstream. + +Fix kernel oops observed when an ext adv data is larger than 31 bytes. + +This can be reproduced by setting up an advertiser with advertisement +larger than 31 bytes. The issue is not sensitive to the advertisement +content. In particular, this was reproduced with an advertisement of +229 bytes filled with 'A'. See stack trace below. + +This is fixed by not catching ext_adv as legacy adv are only cached to +be able to concatenate a scanable adv with its scan response before +sending it up through mgmt. + +With ext_adv, this is no longer necessary. + + general protection fault: 0000 [#1] SMP PTI + CPU: 6 PID: 205 Comm: kworker/u17:0 Not tainted 5.4.0-37-generic #41-Ubuntu + Hardware name: Dell Inc. 
XPS 15 7590/0CF6RR, BIOS 1.7.0 05/11/2020 + Workqueue: hci0 hci_rx_work [bluetooth] + RIP: 0010:hci_bdaddr_list_lookup+0x1e/0x40 [bluetooth] + Code: ff ff e9 26 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 39 c7 75 0a eb 24 48 8b 00 48 39 f8 74 1c 44 8b 06 <44> 39 40 10 75 ef 44 0f b7 4e 04 66 44 39 48 14 75 e3 38 50 16 75 + RSP: 0018:ffffbc6a40493c70 EFLAGS: 00010286 + RAX: 4141414141414141 RBX: 000000000000001b RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff9903e76c100f RDI: ffff9904289d4b28 + RBP: ffffbc6a40493c70 R08: 0000000093570362 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff9904344eae38 R12: ffff9904289d4000 + R13: 0000000000000000 R14: 00000000ffffffa3 R15: ffff9903e76c100f + FS: 0000000000000000(0000) GS:ffff990434580000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007feed125a000 CR3: 00000001b860a003 CR4: 00000000003606e0 + Call Trace: + process_adv_report+0x12e/0x560 [bluetooth] + hci_le_meta_evt+0x7b2/0xba0 [bluetooth] + hci_event_packet+0x1c29/0x2a90 [bluetooth] + hci_rx_work+0x19b/0x360 [bluetooth] + process_one_work+0x1eb/0x3b0 + worker_thread+0x4d/0x400 + kthread+0x104/0x140 + +Fixes: c215e9397b00 ("Bluetooth: Process extended ADV report event") +Reported-by: Andy Nguyen <theflow@google.com> +Reported-by: Linus Torvalds <torvalds@linux-foundation.org> +Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> +Signed-off-by: Alain Michaud <alainm@chromium.org> +Tested-by: Sonny Sasaka <sonnysasaka@chromium.org> +Acked-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index cfeaee347db3..af9d7f2ff8ba 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1338,6 +1338,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, + { + struct discovery_state *d = &hdev->discovery; + ++ if (len > 
HCI_MAX_AD_LENGTH) ++ return; ++ + bacpy(&d->last_adv_addr, bdaddr); + d->last_adv_addr_type = bdaddr_type; + d->last_adv_rssi = rssi; +@@ -5355,7 +5358,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, + + static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + u8 bdaddr_type, bdaddr_t *direct_addr, +- u8 direct_addr_type, s8 rssi, u8 *data, u8 len) ++ u8 direct_addr_type, s8 rssi, u8 *data, u8 len, ++ bool ext_adv) + { + struct discovery_state *d = &hdev->discovery; + struct smp_irk *irk; +@@ -5377,6 +5381,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + return; + } + ++ if (!ext_adv && len > HCI_MAX_AD_LENGTH) { ++ bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); ++ return; ++ } ++ + /* Find the end of the data in case the report contains padded zero + * bytes at the end causing an invalid length value. + * +@@ -5437,7 +5446,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + */ + conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, + direct_addr); +- if (conn && type == LE_ADV_IND) { ++ if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { + /* Store report for later inclusion by + * mgmt_device_connected + */ +@@ -5491,7 +5500,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + * event or send an immediate device found event if the data + * should not be stored for later. + */ +- if (!has_pending_adv_report(hdev)) { ++ if (!ext_adv && !has_pending_adv_report(hdev)) { + /* If the report will trigger a SCAN_REQ store it for + * later merging. + */ +@@ -5526,7 +5535,8 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + /* If the new report will trigger a SCAN_REQ store it for + * later merging. 
+ */ +- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { ++ if (!ext_adv && (type == LE_ADV_IND || ++ type == LE_ADV_SCAN_IND)) { + store_pending_adv_report(hdev, bdaddr, bdaddr_type, + rssi, flags, data, len); + return; +@@ -5566,7 +5576,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +- ev->data, ev->length); ++ ev->data, ev->length, false); + } else { + bt_dev_err(hdev, "Dropping invalid advertising data"); + } +@@ -5638,7 +5648,8 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + if (legacy_evt_type != LE_ADV_INVALID) { + process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, ev->rssi, +- ev->data, ev->length); ++ ev->data, ev->length, ++ !(evt_type & LE_EXT_ADV_LEGACY_PDU)); + } + + ptr += sizeof(*ev) + ev->length; +@@ -5836,7 +5847,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, + + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, &ev->direct_addr, +- ev->direct_addr_type, ev->rssi, NULL, 0); ++ ev->direct_addr_type, ev->rssi, NULL, 0, ++ false); + + ptr += sizeof(*ev); + } +-- +2.27.0 + diff --git a/queue/IB-rdmavt-Fix-RQ-counting-issues-causing-use-of-an-i.patch b/queue/IB-rdmavt-Fix-RQ-counting-issues-causing-use-of-an-i.patch new file mode 100644 index 00000000..b3e9630a --- /dev/null +++ b/queue/IB-rdmavt-Fix-RQ-counting-issues-causing-use-of-an-i.patch 
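Review bot: The guard added at the top of `store_pending_adv_report` returns without a trace when `len > HCI_MAX_AD_LENGTH`, and nothing there says which buffer it protects; the copy it bounds lies outside the hunk, presumably into the fixed-size `last_adv_data` field. I would put `/* d->last_adv_data holds at most HCI_MAX_AD_LENGTH bytes; never cache a longer report */` above the check. The call sites visible in `process_adv_report` are now gated on `!ext_adv` and the legacy length check, so reaching this return would mean a caller bug. A `bt_dev_err_ratelimited(hdev, ...)` line, as used for the legacy-length check, would make that visible in logs instead of dropping the report silently. Both function bodies continue outside the hunks.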
@@ -0,0 +1,163 @@ +From 54a485e9ec084da1a4b32dcf7749c7d760ed8aa5 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn <mike.marciniszyn@intel.com> +Date: Tue, 28 Jul 2020 14:38:48 -0400 +Subject: [PATCH] IB/rdmavt: Fix RQ counting issues causing use of an invalid + RWQE + +commit 54a485e9ec084da1a4b32dcf7749c7d760ed8aa5 upstream. + +The lookaside count is improperly initialized to the size of the +Receive Queue with the additional +1. In the traces below, the +RQ size is 384, so the count was set to 385. + +The lookaside count is then rarely refreshed. Note the high and +incorrect count in the trace below: + +rvt_get_rwqe: [hfi1_0] wqe ffffc900078e9008 wr_id 55c7206d75a0 qpn c + qpt 2 pid 3018 num_sge 1 head 1 tail 0, count 385 +rvt_get_rwqe: (hfi1_rc_rcv+0x4eb/0x1480 [hfi1] <- rvt_get_rwqe) ret=0x1 + +The head,tail indicate there is only one RWQE posted although the count +says 385 and we correctly return the element 0. + +The next call to rvt_get_rwqe with the decremented count: + +rvt_get_rwqe: [hfi1_0] wqe ffffc900078e9058 wr_id 0 qpn c + qpt 2 pid 3018 num_sge 0 head 1 tail 1, count 384 +rvt_get_rwqe: (hfi1_rc_rcv+0x4eb/0x1480 [hfi1] <- rvt_get_rwqe) ret=0x1 + +Note that the RQ is empty (head == tail) yet we return the RWQE at tail 1, +which is not valid because of the bogus high count. + +Best case, the RWQE has never been posted and the rc logic sees an RWQE +that is too small (all zeros) and puts the QP into an error state. + +In the worst case, a server slow at posting receive buffers might fool +rvt_get_rwqe() into fetching an old RWQE and corrupt memory. + +Fix by deleting the faulty initialization code and creating an +inline to fetch the posted count and convert all callers to use +new inline. 
+ +Fixes: f592ae3c999f ("IB/rdmavt: Fracture single lock used for posting and processing RWQEs") +Link: https://lore.kernel.org/r/20200728183848.22226.29132.stgit@awfm-01.aw.intel.com +Reported-by: Zhaojuan Guo <zguo@redhat.com> +Cc: <stable@vger.kernel.org> # 5.4.x +Reviewed-by: Kaike Wan <kaike.wan@intel.com> +Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com> +Tested-by: Honggang Li <honli@redhat.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c +index 7db35dd6ad74..332a8ba94b81 100644 +--- a/drivers/infiniband/sw/rdmavt/qp.c ++++ b/drivers/infiniband/sw/rdmavt/qp.c +@@ -901,8 +901,6 @@ static void rvt_init_qp(struct rvt_dev_info *rdi, struct rvt_qp *qp, + qp->s_tail_ack_queue = 0; + qp->s_acked_ack_queue = 0; + qp->s_num_rd_atomic = 0; +- if (qp->r_rq.kwq) +- qp->r_rq.kwq->count = qp->r_rq.size; + qp->r_sge.num_sge = 0; + atomic_set(&qp->s_reserved_used, 0); + } +@@ -2366,31 +2364,6 @@ static int init_sge(struct rvt_qp *qp, struct rvt_rwqe *wqe) + return 0; + } + +-/** +- * get_count - count numbers of request work queue entries +- * in circular buffer +- * @rq: data structure for request queue entry +- * @tail: tail indices of the circular buffer +- * @head: head indices of the circular buffer +- * +- * Return - total number of entries in the circular buffer +- */ +-static u32 get_count(struct rvt_rq *rq, u32 tail, u32 head) +-{ +- u32 count; +- +- count = head; +- +- if (count >= rq->size) +- count = 0; +- if (count < tail) +- count += rq->size - tail; +- else +- count -= tail; +- +- return count; +-} +- + /** + * get_rvt_head - get head indices of the circular buffer + * @rq: data structure for request queue entry +@@ -2465,7 +2438,7 @@ int rvt_get_rwqe(struct rvt_qp *qp, bool wr_id_only) + + if (kwq->count < RVT_RWQ_COUNT_THRESHOLD) { + head = get_rvt_head(rq, ip); +- kwq->count = get_count(rq, tail, head); ++ kwq->count = rvt_get_rq_count(rq, head, tail); + 
} + if (unlikely(kwq->count == 0)) { + ret = 0; +@@ -2500,7 +2473,9 @@ int rvt_get_rwqe(struct rvt_qp *qp, bool wr_id_only) + * the number of remaining WQEs. + */ + if (kwq->count < srq->limit) { +- kwq->count = get_count(rq, tail, get_rvt_head(rq, ip)); ++ kwq->count = ++ rvt_get_rq_count(rq, ++ get_rvt_head(rq, ip), tail); + if (kwq->count < srq->limit) { + struct ib_event ev; + +diff --git a/drivers/infiniband/sw/rdmavt/rc.c b/drivers/infiniband/sw/rdmavt/rc.c +index 977906cc0d11..c58735f4c94a 100644 +--- a/drivers/infiniband/sw/rdmavt/rc.c ++++ b/drivers/infiniband/sw/rdmavt/rc.c +@@ -127,9 +127,7 @@ __be32 rvt_compute_aeth(struct rvt_qp *qp) + * not atomic, which is OK, since the fuzziness is + * resolved as further ACKs go out. + */ +- credits = head - tail; +- if ((int)credits < 0) +- credits += qp->r_rq.size; ++ credits = rvt_get_rq_count(&qp->r_rq, head, tail); + } + /* + * Binary search the credit table to find the code to +diff --git a/include/rdma/rdmavt_qp.h b/include/rdma/rdmavt_qp.h +index c4369a6c2951..2f1fc23602cb 100644 +--- a/include/rdma/rdmavt_qp.h ++++ b/include/rdma/rdmavt_qp.h +@@ -305,6 +305,25 @@ struct rvt_rq { + spinlock_t lock ____cacheline_aligned_in_smp; + }; + ++/** ++ * rvt_get_rq_count - count numbers of request work queue entries ++ * in circular buffer ++ * @rq: data structure for request queue entry ++ * @head: head indices of the circular buffer ++ * @tail: tail indices of the circular buffer ++ * ++ * Return - total number of entries in the Receive Queue ++ */ ++ ++static inline u32 rvt_get_rq_count(struct rvt_rq *rq, u32 head, u32 tail) ++{ ++ u32 count = head - tail; ++ ++ if ((s32)count < 0) ++ count += rq->size; ++ return count; ++} ++ + /* + * This structure holds the information that the send tasklet needs + * to send a RDMA read response or atomic operation. +-- +2.27.0 + 
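Review bot: `rvt_get_rq_count()` drops the clamp that the removed `get_count()` applied to `head` (`if (count >= rq->size) count = 0;`), so a `head` at or beyond `rq->size` now yields a count larger than the queue. In `rvt_get_rwqe` the value comes straight from `get_rvt_head(rq, ip)` and no range check on it is visible in these hunks. If that index can be read from memory the consumer also maps (not shown here, to be confirmed), an inflated count would again admit an RWQE that was never posted. Either restore the clamp inside the inline with `if (head >= rq->size) head = 0;` before the subtraction, or state in the kernel-doc that both indices must already be below `rq->size`. The bodies of `rvt_get_rwqe` and `rvt_compute_aeth` continue outside the hunks.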
diff --git a/queue/KVM-LAPIC-Prevent-setting-the-tscdeadline-timer-if-t.patch b/queue/KVM-LAPIC-Prevent-setting-the-tscdeadline-timer-if-t.patch new file mode 100644 index 00000000..e070a048 --- /dev/null +++ b/queue/KVM-LAPIC-Prevent-setting-the-tscdeadline-timer-if-t.patch @@ -0,0 +1,32 @@ +From d2286ba7d574ba3103a421a2f9ec17cb5b0d87a1 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li <wanpengli@tencent.com> +Date: Fri, 31 Jul 2020 11:12:19 +0800 +Subject: [PATCH] KVM: LAPIC: Prevent setting the tscdeadline timer if the + lapic is hw disabled + +commit d2286ba7d574ba3103a421a2f9ec17cb5b0d87a1 upstream. + +Prevent setting the tscdeadline timer if the lapic is hw disabled. + +Fixes: bce87cce88 (KVM: x86: consolidate different ways to test for in-kernel LAPIC) +Cc: <stable@vger.kernel.org> +Signed-off-by: Wanpeng Li <wanpengli@tencent.com> +Message-Id: <1596165141-28874-1-git-send-email-wanpengli@tencent.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 5bf72fc86a8e..4ce2ddd26c0b 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -2195,7 +2195,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data) + { + struct kvm_lapic *apic = vcpu->arch.apic; + +- if (!lapic_in_kernel(vcpu) || apic_lvtt_oneshot(apic) || ++ if (!kvm_apic_present(vcpu) || apic_lvtt_oneshot(apic) || + apic_lvtt_period(apic)) + return; + +-- +2.27.0 + diff --git a/queue/KVM-arm64-Don-t-inherit-exec-permission-across-page-.patch b/queue/KVM-arm64-Don-t-inherit-exec-permission-across-page-.patch new file mode 100644 index 00000000..81bf528d --- /dev/null +++ b/queue/KVM-arm64-Don-t-inherit-exec-permission-across-page-.patch 
@@ -0,0 +1,69 @@ +From b757b47a2fcba584d4a32fd7ee68faca510ab96f Mon Sep 17 00:00:00 2001 +From: Will Deacon <will@kernel.org> +Date: Thu, 23 Jul 2020 11:17:14 +0100 +Subject: [PATCH] KVM: arm64: Don't inherit exec permission across page-table + levels + +commit b757b47a2fcba584d4a32fd7ee68faca510ab96f upstream. + +If a stage-2 page-table contains an executable, read-only mapping at the +pte level (e.g. due to dirty logging being enabled), a subsequent write +fault to the same page which tries to install a larger block mapping +(e.g. due to dirty logging having been disabled) will erroneously inherit +the exec permission and consequently skip I-cache invalidation for the +rest of the block. + +Ensure that exec permission is only inherited by write faults when the +new mapping is of the same size as the existing one. A subsequent +instruction abort will result in I-cache invalidation for the entire +block mapping. + +Signed-off-by: Will Deacon <will@kernel.org> +Signed-off-by: Marc Zyngier <maz@kernel.org> +Tested-by: Quentin Perret <qperret@google.com> +Reviewed-by: Quentin Perret <qperret@google.com> +Cc: Marc Zyngier <maz@kernel.org> +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20200723101714.15873-1-will@kernel.org + +diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c +index 8c0035cab6b6..31058e6e7c2a 100644 +--- a/arch/arm64/kvm/mmu.c ++++ b/arch/arm64/kvm/mmu.c +@@ -1326,7 +1326,7 @@ static bool stage2_get_leaf_entry(struct kvm *kvm, phys_addr_t addr, + return true; + } + +-static bool stage2_is_exec(struct kvm *kvm, phys_addr_t addr) ++static bool stage2_is_exec(struct kvm *kvm, phys_addr_t addr, unsigned long sz) + { + pud_t *pudp; + pmd_t *pmdp; +@@ -1338,11 +1338,11 @@ static bool stage2_is_exec(struct kvm *kvm, phys_addr_t addr) + return false; + + if (pudp) +- return kvm_s2pud_exec(pudp); ++ return sz <= PUD_SIZE && kvm_s2pud_exec(pudp); + else if (pmdp) +- return kvm_s2pmd_exec(pmdp); ++ return sz <= PMD_SIZE && 
kvm_s2pmd_exec(pmdp); + else +- return kvm_s2pte_exec(ptep); ++ return sz == PAGE_SIZE && kvm_s2pte_exec(ptep); + } + + static int stage2_set_pte(struct kvm *kvm, struct kvm_mmu_memory_cache *cache, +@@ -1958,7 +1958,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, + * execute permissions, and we preserve whatever we have. + */ + needs_exec = exec_fault || +- (fault_status == FSC_PERM && stage2_is_exec(kvm, fault_ipa)); ++ (fault_status == FSC_PERM && ++ stage2_is_exec(kvm, fault_ipa, vma_pagesize)); + + if (vma_pagesize == PUD_SIZE) { + pud_t new_pud = kvm_pfn_pud(pfn, mem_type); +-- +2.27.0 + diff --git a/queue/PCI-ASPM-Disable-ASPM-on-ASMedia-ASM1083-1085-PCIe-t.patch b/queue/PCI-ASPM-Disable-ASPM-on-ASMedia-ASM1083-1085-PCIe-t.patch new file mode 100644 index 00000000..b37e0c7a --- /dev/null +++ b/queue/PCI-ASPM-Disable-ASPM-on-ASMedia-ASM1083-1085-PCIe-t.patch 
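Review bot: The new `sz` parameter of `stage2_is_exec` is undocumented, and the asymmetric comparisons (`<=` at the pud and pmd levels, `==` at the pte level) are easy to normalise wrongly in a later cleanup. Going by the description, the point is that exec may only be inherited when the existing leaf covers the whole mapping about to be installed, since otherwise the rest of the block never had its I-cache invalidated. I would add above the function `/* @sz: size of the mapping being installed; exec is inherited only from an existing leaf at least that large, so no part of a new block skips I-cache invalidation */`. The body of `user_mem_abort` lies outside the hunk.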
@@ -0,0 +1,67 @@ +From b361663c5a40c8bc758b7f7f2239f7a192180e7c Mon Sep 17 00:00:00 2001 +From: Robert Hancock <hancockrwd@gmail.com> +Date: Tue, 21 Jul 2020 20:18:03 -0600 +Subject: [PATCH] PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI + bridge + +commit b361663c5a40c8bc758b7f7f2239f7a192180e7c upstream. + +Recently ASPM handling was changed to allow ASPM on PCIe-to-PCI/PCI-X +bridges. Unfortunately the ASMedia ASM1083/1085 PCIe to PCI bridge device +doesn't seem to function properly with ASPM enabled. On an Asus PRIME +H270-PRO motherboard, it causes errors like these: + + pcieport 0000:00:1c.0: AER: PCIe Bus Error: severity=Corrected, type=Data Link Layer, (Transmitter ID) + pcieport 0000:00:1c.0: AER: device [8086:a292] error status/mask=00003000/00002000 + pcieport 0000:00:1c.0: AER: [12] Timeout + pcieport 0000:00:1c.0: AER: Corrected error received: 0000:00:1c.0 + pcieport 0000:00:1c.0: AER: can't find device of ID00e0 + +In addition to flooding the kernel log, this also causes the machine to +wake up immediately after suspend is initiated. + +The device advertises ASPM L0s and L1 support in the Link Capabilities +register, but the ASMedia web page for ASM1083 [1] claims "No PCIe ASPM +support". + +Windows 10 (build 2004) enables L0s, but it also logs correctable PCIe +errors. + +Add a quirk to disable ASPM for this device. 
+ +[1] https://www.asmedia.com.tw/eng/e_show_products.php?cate_index=169&item=114 + +[bhelgaas: commit log] +Fixes: 66ff14e59e8a ("PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208667 +Link: https://lore.kernel.org/r/20200722021803.17958-1-hancockrwd@gmail.com +Signed-off-by: Robert Hancock <hancockrwd@gmail.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 812bfc32ecb8..2ea61abd5830 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2330,6 +2330,19 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f1, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f4, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1508, quirk_disable_aspm_l0s); + ++static void quirk_disable_aspm_l0s_l1(struct pci_dev *dev) ++{ ++ pci_info(dev, "Disabling ASPM L0s/L1\n"); ++ pci_disable_link_state(dev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1); ++} ++ ++/* ++ * ASM1083/1085 PCIe-PCI bridge devices cause AER timeout errors on the ++ * upstream PCIe root port when ASPM is enabled. At least L0s mode is affected; ++ * disable both L0s and L1 for now to be safe. ++ */ ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ASMEDIA, 0x1080, quirk_disable_aspm_l0s_l1); ++ + /* + * Some Pericom PCIe-to-PCI bridges in reverse mode need the PCIe Retrain + * Link bit cleared after starting the link retrain process to allow this +-- +2.27.0 + diff --git a/queue/RISC-V-Set-maximum-number-of-mapped-pages-correctly.patch b/queue/RISC-V-Set-maximum-number-of-mapped-pages-correctly.patch new file mode 100644 index 00000000..0200ddca --- /dev/null +++ b/queue/RISC-V-Set-maximum-number-of-mapped-pages-correctly.patch 
@@ -0,0 +1,36 @@ +From d0d8aae64566b753c4330fbd5944b88af035f299 Mon Sep 17 00:00:00 2001 +From: Atish Patra <atish.patra@wdc.com> +Date: Wed, 15 Jul 2020 16:30:07 -0700 +Subject: [PATCH] RISC-V: Set maximum number of mapped pages correctly + +commit d0d8aae64566b753c4330fbd5944b88af035f299 upstream. + +Currently, maximum number of mapper pages are set to the pfn calculated +from the memblock size of the memblock containing kernel. This will work +until that memblock spans the entire memory. However, it will be set to +a wrong value if there are multiple memblocks defined in kernel +(e.g. with efi runtime services). + +Set the the maximum value to the pfn calculated from dram size. + +Signed-off-by: Atish Patra <atish.patra@wdc.com> +Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com> + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index f4adb3684f3d..8d22973bde40 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -150,9 +150,9 @@ void __init setup_bootmem(void) + /* Reserve from the start of the kernel to the end of the kernel */ + memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); + +- set_max_mapnr(PFN_DOWN(mem_size)); + max_pfn = PFN_DOWN(memblock_end_of_DRAM()); + max_low_pfn = max_pfn; ++ set_max_mapnr(max_low_pfn); + + #ifdef CONFIG_BLK_DEV_INITRD + setup_initrd(); +-- +2.27.0 + diff --git a/queue/Revert-drm-amdgpu-Fix-NULL-dereference-in-dpm-sysfs-.patch b/queue/Revert-drm-amdgpu-Fix-NULL-dereference-in-dpm-sysfs-.patch new file mode 100644 index 00000000..a407225e --- /dev/null +++ b/queue/Revert-drm-amdgpu-Fix-NULL-dereference-in-dpm-sysfs-.patch 
@@ -0,0 +1,53 @@ +From 87004abfbc27261edd15716515d89ab42198b405 Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Thu, 30 Jul 2020 11:02:30 -0400 +Subject: [PATCH] Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs + handlers" + +commit 87004abfbc27261edd15716515d89ab42198b405 upstream. + +This regressed some working configurations so revert it. Will +fix this properly for 5.9 and backport then. + +This reverts commit 38e0c89a19fd13f28d2b4721035160a3e66e270b. + +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +index ebb8a28ff002..02e6f8c4dde0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +@@ -778,7 +778,8 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev, + tmp_str++; + while (isspace(*++tmp_str)); + +- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ++ while (tmp_str[0]) { ++ sub_str = strsep(&tmp_str, delimiter); + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; +@@ -1038,7 +1039,8 @@ static ssize_t amdgpu_read_mask(const char *buf, size_t count, uint32_t *mask) + memcpy(buf_cpy, buf, bytes); + buf_cpy[bytes] = '\0'; + tmp = buf_cpy; +- while ((sub_str = strsep(&tmp, delimiter)) != NULL) { ++ while (tmp[0]) { ++ sub_str = strsep(&tmp, delimiter); + if (strlen(sub_str)) { + ret = kstrtol(sub_str, 0, &level); + if (ret) +@@ -1635,7 +1637,8 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev, + i++; + memcpy(buf_cpy, buf, count-i); + tmp_str = buf_cpy; +- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ++ while (tmp_str[0]) { ++ sub_str = strsep(&tmp_str, delimiter); + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; +-- +2.27.0 + 
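Review bot: All three loops restored by this revert (in `amdgpu_set_pp_od_clk_voltage`, `amdgpu_read_mask` and `amdgpu_set_pp_power_profile_mode`) evaluate `tmp_str[0]` or `tmp[0]` after `strsep()` has run, and `strsep()` sets that pointer to NULL once it has handed out the last token, so the next loop test dereferences NULL. That is the fault named in the title of the reverted commit, and by that title these are sysfs handlers, so the buffer is written from user space. Until the proper fix mentioned in the description lands, the condition can be made NULL-safe without changing which tokens are parsed: `while (tmp_str && tmp_str[0]) {` in the two setters and `while (tmp && tmp[0]) {` in `amdgpu_read_mask`. The function bodies lie outside the hunks.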
diff --git a/queue/Revert-i2c-cadence-Fix-the-hold-bit-setting.patch b/queue/Revert-i2c-cadence-Fix-the-hold-bit-setting.patch new file mode 100644 index 00000000..33dcbaa9 --- /dev/null +++ b/queue/Revert-i2c-cadence-Fix-the-hold-bit-setting.patch 
@@ -0,0 +1,68 @@ +From 0db9254d6b896b587759e2c844c277fb1a6da5b9 Mon Sep 17 00:00:00 2001 +From: Raviteja Narayanam <raviteja.narayanam@xilinx.com> +Date: Fri, 3 Jul 2020 19:25:49 +0530 +Subject: [PATCH] Revert "i2c: cadence: Fix the hold bit setting" + +commit 0db9254d6b896b587759e2c844c277fb1a6da5b9 upstream. + +This reverts commit d358def706880defa4c9e87381c5bf086a97d5f9. + +There are two issues with "i2c: cadence: Fix the hold bit setting" commit. + +1. In case of combined message request from user space, when the HOLD +bit is cleared in cdns_i2c_mrecv function, a STOP condition is sent +on the bus even before the last message is started. This is because when +the HOLD bit is cleared, the FIFOS are empty and there is no pending +transfer. The STOP condition should occur only after the last message +is completed. + +2. The code added by the commit is redundant. Driver is handling the +setting/clearing of HOLD bit in right way before the commit. + +The setting of HOLD bit based on 'bus_hold_flag' is taken care in +cdns_i2c_master_xfer function even before cdns_i2c_msend/cdns_i2c_recv +functions. + +The clearing of HOLD bit is taken care at the end of cdns_i2c_msend and +cdns_i2c_recv functions based on bus_hold_flag and byte count. +Since clearing of HOLD bit is done after the slave address is written to +the register (writing to address register triggers the message transfer), +it is ensured that STOP condition occurs at the right time after +completion of the pending transfer (last message). 
+ +Signed-off-by: Raviteja Narayanam <raviteja.narayanam@xilinx.com> +Acked-by: Michal Simek <michal.simek@xilinx.com> +Signed-off-by: Wolfram Sang <wsa@kernel.org> + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index 4b72398af505..e06960207ada 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -594,10 +594,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->recv_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -654,11 +652,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->send_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; +- + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +-- +2.27.0 + diff --git a/queue/arm64-alternatives-move-length-validation-inside-the.patch b/queue/arm64-alternatives-move-length-validation-inside-the.patch new file mode 100644 index 00000000..33c96522 --- /dev/null +++ b/queue/arm64-alternatives-move-length-validation-inside-the.patch 
@@ -0,0 +1,40 @@ +From 966a0acce2fca776391823381dba95c40e03c339 Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen <samitolvanen@google.com> +Date: Thu, 30 Jul 2020 08:37:01 -0700 +Subject: [PATCH] arm64/alternatives: move length validation inside the + subsection + +commit 966a0acce2fca776391823381dba95c40e03c339 upstream. + +Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement +sequences") breaks LLVM's integrated assembler, because due to its +one-pass design, it cannot compute instruction sequence lengths before the +layout for the subsection has been finalized. This change fixes the build +by moving the .org directives inside the subsection, so they are processed +after the subsection layout is known. + +Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") +Signed-off-by: Sami Tolvanen <samitolvanen@google.com> +Link: https://github.com/ClangBuiltLinux/linux/issues/1078 +Link: https://lore.kernel.org/r/20200730153701.3892953-1-samitolvanen@google.com +Signed-off-by: Will Deacon <will@kernel.org> + +diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h +index 12f0eb56a1cc..619db9b4c9d5 100644 +--- a/arch/arm64/include/asm/alternative.h ++++ b/arch/arm64/include/asm/alternative.h +@@ -77,9 +77,9 @@ static inline void apply_alternatives_module(void *start, size_t length) { } + "663:\n\t" \ + newinstr "\n" \ + "664:\n\t" \ +- ".previous\n\t" \ + ".org . - (664b-663b) + (662b-661b)\n\t" \ +- ".org . - (662b-661b) + (664b-663b)\n" \ ++ ".org . - (662b-661b) + (664b-663b)\n\t" \ ++ ".previous\n" \ + ".endif\n" + + #define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \ +-- +2.27.0 + diff --git a/queue/arm64-csum-Fix-handling-of-bad-packets.patch b/queue/arm64-csum-Fix-handling-of-bad-packets.patch new file mode 100644 index 00000000..b9cfa77a --- /dev/null +++ b/queue/arm64-csum-Fix-handling-of-bad-packets.patch 
@@ -0,0 +1,44 @@ +From 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 Mon Sep 17 00:00:00 2001 +From: Robin Murphy <robin.murphy@arm.com> +Date: Thu, 30 Jul 2020 10:56:49 +0100 +Subject: [PATCH] arm64: csum: Fix handling of bad packets + +commit 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 upstream. + +Although iph is expected to point to at least 20 bytes of valid memory, +ihl may be bogus, for example on reception of a corrupt packet. If it +happens to be less than 5, we really don't want to run away and +dereference 16GB worth of memory until it wraps back to exactly zero... + +Fixes: 0e455d8e80aa ("arm64: Implement optimised IP checksum helpers") +Reported-by: guodeqing <geffrey.guo@huawei.com> +Signed-off-by: Robin Murphy <robin.murphy@arm.com> +Signed-off-by: Will Deacon <will@kernel.org> + +diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h +index b6f7bc6da5fb..93a161b3bf3f 100644 +--- a/arch/arm64/include/asm/checksum.h ++++ b/arch/arm64/include/asm/checksum.h +@@ -24,16 +24,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) + { + __uint128_t tmp; + u64 sum; ++ int n = ihl; /* we want it signed */ + + tmp = *(const __uint128_t *)iph; + iph += 16; +- ihl -= 4; ++ n -= 4; + tmp += ((tmp >> 64) | (tmp << 64)); + sum = tmp >> 64; + do { + sum += *(const u32 *)iph; + iph += 4; +- } while (--ihl); ++ } while (--n > 0); + + sum += ((sum >> 32) | (sum << 32)); + return csum_fold((__force u32)(sum >> 32)); +-- +2.27.0 + diff --git a/queue/ath10k-enable-transmit-data-ack-RSSI-for-QCA9884.patch b/queue/ath10k-enable-transmit-data-ack-RSSI-for-QCA9884.patch new file mode 100644 index 00000000..4d7da69f --- /dev/null +++ b/queue/ath10k-enable-transmit-data-ack-RSSI-for-QCA9884.patch 
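Review bot: The comment `/* we want it signed */` does not say why, yet the bound on this function's reads now rests on that one declaration. With `n` signed, `--n > 0` ends the loop after a single word when `ihl` is below 5, so the reads stay within the 20 bytes the description says `iph` always points to. I would write `/* signed, so a bogus ihl < 5 ends the loop after one word instead of wrapping */`. The function comment should also say that the returned checksum is meaningless for such a header, so callers still have to validate `ihl` themselves.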
@@ -0,0 +1,36 @@ +From cc78dc3b790619aa05f22a86a9152986bd73698c Mon Sep 17 00:00:00 2001 +From: Abhishek Ambure <aambure@codeaurora.org> +Date: Thu, 3 Oct 2019 16:45:22 +0300 +Subject: [PATCH] ath10k: enable transmit data ack RSSI for QCA9884 + +commit cc78dc3b790619aa05f22a86a9152986bd73698c upstream. + +For all data packets transmitted, host gets htt tx completion event. Some QCA9984 +firmware releases support WMI_SERVICE_TX_DATA_ACK_RSSI, which gives data +ack rssi values to host through htt event of data tx completion. Data ack rssi +values are valid if A0 bit is set in HTT rx message. So enable the feature also +for QCA9884. + +Tested HW: QCA9984 +Tested FW: 10.4-3.9.0.2-00044 + +Signed-off-by: Abhishek Ambure <aambure@codeaurora.org> +Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org> +[kvalo@codeaurora.org: improve commit log] +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> + +diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c +index 55849173e55d..2451e0fb8ee5 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.c ++++ b/drivers/net/wireless/ath/ath10k/hw.c +@@ -1148,6 +1148,7 @@ static bool ath10k_qca99x0_rx_desc_msdu_limit_error(struct htt_rx_desc *rxd) + const struct ath10k_hw_ops qca99x0_ops = { + .rx_desc_get_l3_pad_bytes = ath10k_qca99x0_rx_desc_get_l3_pad_bytes, + .rx_desc_get_msdu_limit_error = ath10k_qca99x0_rx_desc_msdu_limit_error, ++ .is_rssi_enable = ath10k_htt_tx_rssi_enable, + }; + + const struct ath10k_hw_ops qca6174_ops = { +-- +2.27.0 + diff --git a/queue/bpf-Fix-map-leak-in-HASH_OF_MAPS-map.patch b/queue/bpf-Fix-map-leak-in-HASH_OF_MAPS-map.patch new file mode 100644 index 00000000..1cf70d06 --- /dev/null +++ b/queue/bpf-Fix-map-leak-in-HASH_OF_MAPS-map.patch 
@@ -0,0 +1,57 @@
+From 1d4e1eab456e1ee92a94987499b211db05f900ea Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Tue, 28 Jul 2020 21:09:12 -0700
+Subject: [PATCH] bpf: Fix map leak in HASH_OF_MAPS map
+
+commit 1d4e1eab456e1ee92a94987499b211db05f900ea upstream.
+
+Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update()
+operation. This is due to per-cpu extra_elems optimization, which bypassed
+free_htab_elem() logic doing proper clean ups. Make sure that inner map is put
+properly in optimized case as well.
+
+Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200729040913.2815687-1-andriin@fb.com
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index b4b288a3c3c9..b32cc8ce8ff6 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -779,15 +779,20 @@ static void htab_elem_free_rcu(struct rcu_head *head)
+ htab_elem_free(htab, l);
+ }
+
+-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
+ {
+ struct bpf_map *map = &htab->map;
++ void *ptr;
+
+ if (map->ops->map_fd_put_ptr) {
+- void *ptr = fd_htab_map_get_ptr(map, l);
+-
++ ptr = fd_htab_map_get_ptr(map, l);
+ map->ops->map_fd_put_ptr(ptr);
+ }
++}
++
++static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++{
++ htab_put_fd_value(htab, l);
+
+ if (htab_is_prealloc(htab)) {
+ __pcpu_freelist_push(&htab->freelist, &l->fnode);
+@@ -839,6 +844,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
+ */
+ pl_new = this_cpu_ptr(htab->extra_elems);
+ l_new = *pl_new;
++ htab_put_fd_value(htab, old_elem);
+ *pl_new = old_elem;
+ } else {
+ struct pcpu_freelist_node *l;
+--
+2.27.0
+
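Review bot: `htab_put_fd_value(htab, old_elem)` in the alloc_htab_elem() hunk passes old_elem to a helper that dereferences it whenever `map_fd_put_ptr` is set, and the condition that makes old_elem non-NULL on this branch lies outside the hunk. A one-line comment at the call, such as `/* old_elem is non-NULL here; drop its inner-map reference before it is parked in extra_elems */`, would keep that dependency visible. The new helper also has no comment. A short one saying that it only releases the fd-map value and does not free the element would separate it clearly from free_htab_elem().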
diff --git a/queue/crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch b/queue/crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
new file mode 100644
index 00000000..ba68a9f4
--- /dev/null
+++ b/queue/crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
@@ -0,0 +1,36 @@
+From 128c66429247add5128c03dc1e144ca56f05a4e2 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 11:04:48 -0500
+Subject: [PATCH] crypto: ccp - Release all allocated memory if sha type is
+ invalid
+
+commit 128c66429247add5128c03dc1e144ca56f05a4e2 upstream.
+
+Release all allocated memory if sha type is invalid:
+In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
+hmac_buf should be released.
+
+v2: fix the goto.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index c8da8eb160da..422193690fd4 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -1777,8 +1777,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
+ LSB_ITEM_SIZE);
+ break;
+ default:
++ kfree(hmac_buf);
+ ret = -EINVAL;
+- goto e_ctx;
++ goto e_data;
+ }
+
+ memset(&hmac_cmd, 0, sizeof(hmac_cmd));
+--
+2.27.0
+
diff --git a/queue/cxgb4-add-missing-release-on-skb-in-uld_send.patch b/queue/cxgb4-add-missing-release-on-skb-in-uld_send.patch
new file mode 100644
index 00000000..5411114f
--- /dev/null
+++ b/queue/cxgb4-add-missing-release-on-skb-in-uld_send.patch
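Review bot: In the `default:` arm of ccp_run_sha_cmd() the new `kfree(hmac_buf)` is paired with a jump to `e_data`, and both that label and the allocation of hmac_buf are outside the hunk. From here it cannot be checked that no cleanup path frees hmac_buf a second time, or that `e_data` still releases what `e_ctx` released. Freeing inline before a goto easily drifts out of step with the labels, so if other exits follow the allocation, a dedicated label that frees hmac_buf would keep the release in one place. At minimum a comment such as `/* hmac_buf is local to this block; free it before leaving */` would record the ownership.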
@@ -0,0 +1,28 @@
+From e6827d1abdc9b061a57d7b7d3019c4e99fabea2f Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 22 Jul 2020 21:58:39 -0500
+Subject: [PATCH] cxgb4: add missing release on skb in uld_send()
+
+commit e6827d1abdc9b061a57d7b7d3019c4e99fabea2f upstream.
+
+In the implementation of uld_send(), the skb is consumed on all
+execution paths except one. Release skb when returning NET_XMIT_DROP.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 32a45dc51ed7..92eee66cbc84 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2938,6 +2938,7 @@ static inline int uld_send(struct adapter *adap, struct sk_buff *skb,
+ txq_info = adap->sge.uld_txq_info[tx_uld_type];
+ if (unlikely(!txq_info)) {
+ WARN_ON(true);
++ kfree_skb(skb);
+ return NET_XMIT_DROP;
+ }
+
+--
+2.27.0
+
diff --git a/queue/drivers-net-wan-lapb-Corrected-the-usage-of-skb_cow.patch b/queue/drivers-net-wan-lapb-Corrected-the-usage-of-skb_cow.patch
new file mode 100644
index 00000000..19e56b46
--- /dev/null
+++ b/queue/drivers-net-wan-lapb-Corrected-the-usage-of-skb_cow.patch
@@ -0,0 +1,76 @@
+From 8754e1379e7089516a449821f88e1fe1ebbae5e1 Mon Sep 17 00:00:00 2001
+From: Xie He <xie.he.0141@gmail.com>
+Date: Fri, 24 Jul 2020 09:33:47 -0700
+Subject: [PATCH] drivers/net/wan: lapb: Corrected the usage of skb_cow
+
+commit 8754e1379e7089516a449821f88e1fe1ebbae5e1 upstream.
+
+This patch fixed 2 issues with the usage of skb_cow in LAPB drivers
+"lapbether" and "hdlc_x25":
+
+1) After skb_cow fails, kfree_skb should be called to drop a reference
+to the skb. But in both drivers, kfree_skb is not called.
+
+2) skb_cow should be called before skb_push so that is can ensure the
+safety of skb_push. But in "lapbether", it is incorrectly called after
+skb_push.
+
+More details about these 2 issues:
+
+1) The behavior of calling kfree_skb on failure is also the behavior of
+netif_rx, which is called by this function with "return netif_rx(skb);".
+So this function should follow this behavior, too.
+
+2) In "lapbether", skb_cow is called after skb_push. This results in 2
+logical issues:
+ a) skb_push is not protected by skb_cow;
+ b) An extra headroom of 1 byte is ensured after skb_push. This extra
+ headroom has no use in this function. It also has no use in the
+ upper-layer function that this function passes the skb to
+ (x25_lapb_receive_frame in net/x25/x25_dev.c).
+So logically skb_cow should instead be called before skb_push.
+
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Signed-off-by: David S.
Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/wan/hdlc_x25.c b/drivers/net/wan/hdlc_x25.c
+index c84536b03aa8..f70336bb6f52 100644
+--- a/drivers/net/wan/hdlc_x25.c
++++ b/drivers/net/wan/hdlc_x25.c
+@@ -71,8 +71,10 @@ static int x25_data_indication(struct net_device *dev, struct sk_buff *skb)
+ {
+ unsigned char *ptr;
+
+- if (skb_cow(skb, 1))
++ if (skb_cow(skb, 1)) {
++ kfree_skb(skb);
+ return NET_RX_DROP;
++ }
+
+ skb_push(skb, 1);
+ skb_reset_network_header(skb);
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 284832314f31..b2868433718f 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -128,10 +128,12 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb)
+ {
+ unsigned char *ptr;
+
+- skb_push(skb, 1);
+-
+- if (skb_cow(skb, 1))
++ if (skb_cow(skb, 1)) {
++ kfree_skb(skb);
+ return NET_RX_DROP;
++ }
++
++ skb_push(skb, 1);
+
+ ptr = skb->data;
+ *ptr = X25_IFACE_DATA;
+--
+2.27.0
+
diff --git a/queue/drm-amd-display-Clear-dm_state-for-fast-updates.patch b/queue/drm-amd-display-Clear-dm_state-for-fast-updates.patch
new file mode 100644
index 00000000..a54b6565
--- /dev/null
+++ b/queue/drm-amd-display-Clear-dm_state-for-fast-updates.patch
@@ -0,0 +1,99 @@
+From fde9f39ac7f1ffd799a96ffa1e06b2051f0898f1 Mon Sep 17 00:00:00 2001
+From: Mazin Rezk <mnrzk@protonmail.com>
+Date: Mon, 27 Jul 2020 05:40:46 +0000
+Subject: [PATCH] drm/amd/display: Clear dm_state for fast updates
+
+commit fde9f39ac7f1ffd799a96ffa1e06b2051f0898f1 upstream.
+
+This patch fixes a race condition that causes a use-after-free during
+amdgpu_dm_atomic_commit_tail. This can occur when 2 non-blocking commits
+are requested and the second one finishes before the first. Essentially,
+this bug occurs when the following sequence of events happens:
+
+1. Non-blocking commit #1 is requested w/ a new dm_state #1 and is
+deferred to the workqueue.
+
+2. Non-blocking commit #2 is requested w/ a new dm_state #2 and is
+deferred to the workqueue.
+
+3. Commit #2 starts before commit #1, dm_state #1 is used in the
+commit_tail and commit #2 completes, freeing dm_state #1.
+
+4. Commit #1 starts after commit #2 completes, uses the freed dm_state
+1 and dereferences a freelist pointer while setting the context.
+
+Since this bug has only been spotted with fast commits, this patch fixes
+the bug by clearing the dm_state instead of using the old dc_state for
+fast updates. In addition, since dm_state is only used for its dc_state
+and amdgpu_dm_atomic_commit_tail will retain the dc_state if none is found,
+removing the dm_state should not have any consequences in fast updates.
+
+This use-after-free bug has existed for a while now, but only caused a
+noticeable issue starting from 5.7-rc1 due to 3202fa62f ("slub: relocate
+freelist pointer to middle of object") moving the freelist pointer from
+dm_state->base (which was unused) to dm_state->context (which is
+dereferenced).
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207383
+Fixes: bd200d190f45 ("drm/amd/display: Don't replace the dc_state for fast updates")
+Reported-by: Duncan <1i5t5.duncan@cox.net>
+Signed-off-by: Mazin Rezk <mnrzk@protonmail.com>
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 86ffa0c2880f..710edc70e37e 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8717,20 +8717,38 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ * the same resource. If we have a new DC context as part of
+ * the DM atomic state from validation we need to free it and
+ * retain the existing one instead.
++ *
++ * Furthermore, since the DM atomic state only contains the DC
++ * context and can safely be annulled, we can free the state
++ * and clear the associated private object now to free
++ * some memory and avoid a possible use-after-free later.
+ */
+- struct dm_atomic_state *new_dm_state, *old_dm_state;
+
+- new_dm_state = dm_atomic_get_new_state(state);
+- old_dm_state = dm_atomic_get_old_state(state);
++ for (i = 0; i < state->num_private_objs; i++) {
++ struct drm_private_obj *obj = state->private_objs[i].ptr;
+
+- if (new_dm_state && old_dm_state) {
+- if (new_dm_state->context)
+- dc_release_state(new_dm_state->context);
++ if (obj->funcs == adev->dm.atomic_obj.funcs) {
++ int j = state->num_private_objs-1;
+
+- new_dm_state->context = old_dm_state->context;
++ dm_atomic_destroy_state(obj,
++ state->private_objs[i].state);
++
++ /* If i is not at the end of the array then the
++ * last element needs to be moved to where i was
++ * before the array can safely be truncated.
++ */
++ if (i != j)
++ state->private_objs[i] =
++ state->private_objs[j];
+
+- if (old_dm_state->context)
+- dc_retain_state(old_dm_state->context);
++ state->private_objs[j].ptr = NULL;
++ state->private_objs[j].state = NULL;
++ state->private_objs[j].old_state = NULL;
++ state->private_objs[j].new_state = NULL;
++
++ state->num_private_objs = j;
++ break;
++ }
+ }
+ }
+
+--
+2.27.0
+
diff --git a/queue/drm-amdgpu-Prevent-kernel-infoleak-in-amdgpu_info_io.patch b/queue/drm-amdgpu-Prevent-kernel-infoleak-in-amdgpu_info_io.patch
new file mode 100644
index 00000000..14484b79
--- /dev/null
+++ b/queue/drm-amdgpu-Prevent-kernel-infoleak-in-amdgpu_info_io.patch
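Review bot: The added loop in amdgpu_dm_atomic_check() removes an entry from `state->private_objs[]` by hand, and it is only correct because of the `break` that follows. Without the break, the element moved into slot i would never be examined. That coupling deserves a comment at the `break`, e.g. `/* slot i now holds an unvisited entry; stop after the first DM private object */`, worded to match whatever the driver actually guarantees. The loop also destroys `private_objs[i].state` while the slot's `old_state`/`new_state` pointers are only overwritten or cleared, so the block comment should say which of the three owns memory at this point. The enclosing function starts and ends outside the hunk.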
@@ -0,0 +1,45 @@
+From 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Tue, 28 Jul 2020 15:29:24 -0400
+Subject: [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 upstream.
+
+Compiler leaves a 4-byte hole near the end of `dev_info`, causing
+amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
+when `size` is greater than 356.
+
+In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
+unfortunately does not initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+index d7e17e34fee1..21292098bc02 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -692,9 +692,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
+ return n ? -EFAULT : 0;
+ }
+ case AMDGPU_INFO_DEV_INFO: {
+- struct drm_amdgpu_info_device dev_info = {};
++ struct drm_amdgpu_info_device dev_info;
+ uint64_t vm_size;
+
++ memset(&dev_info, 0, sizeof(dev_info));
+ dev_info.device_id = dev->pdev->device;
+ dev_info.chip_rev = adev->rev_id;
+ dev_info.external_rev = adev->external_rev_id;
+--
+2.27.0
+
diff --git a/queue/drm-dbi-Fix-SPI-Type-1-9-bit-transfer.patch b/queue/drm-dbi-Fix-SPI-Type-1-9-bit-transfer.patch
new file mode 100644
index 00000000..d9e5d6ba
--- /dev/null
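Review bot: Nothing next to the new `memset(&dev_info, 0, sizeof(dev_info));` says why it replaces `= {}`, so the line invites being simplified back, which would re-open the padding leak the commit message describes. A comment such as `/* memset, not = {}: padding bytes must be zeroed too, this struct is copied to userspace */` would pin the reason to the code. The other cases of this switch are outside the hunk. Any of them that fill a stack struct and copy it out deserve the same check for compiler-inserted holes.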
+++ b/queue/drm-dbi-Fix-SPI-Type-1-9-bit-transfer.patch
@@ -0,0 +1,45 @@
+From 900ab59e2621053b009f707f80b2c19ce0af5dee Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Fri, 3 Jul 2020 16:13:41 +0200
+Subject: [PATCH] drm/dbi: Fix SPI Type 1 (9-bit) transfer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 900ab59e2621053b009f707f80b2c19ce0af5dee upstream.
+
+The function mipi_dbi_spi1_transfer() will transfer its payload as 9-bit
+data, the 9th (MSB) bit being the data/command bit. In order to do that,
+it unpacks the 8-bit values into 16-bit values, then sets the 9th bit if
+the byte corresponds to data, clears it otherwise. The 7 MSB are
+padding. The array of now 16-bit values is then passed to the SPI core
+for transfer.
+
+This function was broken since its introduction, as the length of the
+SPI transfer was set to the payload size before its conversion, but the
+payload doubled in size due to the 8-bit -> 16-bit conversion.
+
+Fixes: 02dd95fe3169 ("drm/tinydrm: Add MIPI DBI support")
+Cc: <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Reviewed-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200703141341.1266263-1-paul@crapouillou.net
+
+diff --git a/drivers/gpu/drm/drm_mipi_dbi.c b/drivers/gpu/drm/drm_mipi_dbi.c
+index bb27c82757f1..bf7888ad9ad4 100644
+--- a/drivers/gpu/drm/drm_mipi_dbi.c
++++ b/drivers/gpu/drm/drm_mipi_dbi.c
+@@ -923,7 +923,7 @@ static int mipi_dbi_spi1_transfer(struct mipi_dbi *dbi, int dc,
+ }
+ }
+
+- tr.len = chunk;
++ tr.len = chunk * 2;
+ len -= chunk;
+
+ ret = spi_sync(spi, &m);
+--
+2.27.0
+
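Review bot: `tr.len = chunk * 2;` doubles the length handed to the SPI core, so the transmit buffer must hold at least twice `chunk` bytes, and the code that caps `chunk` is outside the hunk. It is worth confirming that the cap is computed in source bytes (half the buffer size) rather than in buffer bytes, since otherwise the transfer would read past the end of the buffer. The bare `* 2` also hides where the factor comes from. A comment such as `/* each payload byte was widened to 16 bits above */` would tie it to the unpacking step in the commit message.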
diff --git a/queue/drm-hold-gem-reference-until-object-is-no-longer-acc.patch b/queue/drm-hold-gem-reference-until-object-is-no-longer-acc.patch
new file mode 100644
index 00000000..365c9639
--- /dev/null
+++ b/queue/drm-hold-gem-reference-until-object-is-no-longer-acc.patch
@@ -0,0 +1,55 @@
+From 8490d6a7e0a0a6fab5c2d82d57a3937306660864 Mon Sep 17 00:00:00 2001
+From: Steve Cohen <cohens@codeaurora.org>
+Date: Mon, 20 Jul 2020 18:30:50 -0400
+Subject: [PATCH] drm: hold gem reference until object is no longer accessed
+
+commit 8490d6a7e0a0a6fab5c2d82d57a3937306660864 upstream.
+
+A use-after-free in drm_gem_open_ioctl can happen if the
+GEM object handle is closed between the idr lookup and
+retrieving the size from said object since a local reference
+is not being held at that point. Hold the local reference
+while the object can still be accessed to fix this and
+plug the potential security hole.
+
+Signed-off-by: Steve Cohen <cohens@codeaurora.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/1595284250-31580-1-git-send-email-cohens@codeaurora.org
+
+diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
+index 7bf628e13023..ee2058ad482c 100644
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -871,9 +871,6 @@ drm_gem_flink_ioctl(struct drm_device *dev, void *data,
+ * @file_priv: drm file-private structure
+ *
+ * Open an object using the global name, returning a handle and the size.
+- *
+- * This handle (of course) holds a reference to the object, so the object
+- * will not go away until the handle is deleted.
+ */
+ int
+ drm_gem_open_ioctl(struct drm_device *dev, void *data,
+@@ -898,14 +895,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data,
+
+ /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
+ ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
+- drm_gem_object_put_unlocked(obj);
+ if (ret)
+- return ret;
++ goto err;
+
+ args->handle = handle;
+ args->size = obj->size;
+
+- return 0;
++err:
++ drm_gem_object_put_unlocked(obj);
++ return ret;
+ }
+
+ /**
+--
+2.27.0
+
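Review bot: The new `err:` label in drm_gem_open_ioctl() is also reached on the success path, where ret is 0, so the name misleads; `out:` would match what the code does. The reference is now dropped only after `args->size = obj->size`, which is the whole fix, and nothing at the label records that ordering requirement. A comment there, e.g. `/* drop the lookup reference only after the last access to obj */`, would stop the put from being moved back above the size read. The removed kernel-doc sentence about the handle holding a reference is not replaced, so the function comment no longer says anything about object lifetime.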
diff --git a/queue/ibmvnic-Fix-IRQ-mapping-disposal-in-error-path.patch b/queue/ibmvnic-Fix-IRQ-mapping-disposal-in-error-path.patch
new file mode 100644
index 00000000..4dc181cf
--- /dev/null
+++ b/queue/ibmvnic-Fix-IRQ-mapping-disposal-in-error-path.patch
@@ -0,0 +1,31 @@
+From 27a2145d6f826d1fad9de06ac541b1016ced3427 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Wed, 29 Jul 2020 16:36:32 -0500
+Subject: [PATCH] ibmvnic: Fix IRQ mapping disposal in error path
+
+commit 27a2145d6f826d1fad9de06ac541b1016ced3427 upstream.
+
+RX queue IRQ mappings are disposed in both the TX IRQ and RX IRQ
+error paths. Fix this and dispose of TX IRQ mappings correctly in
+case of an error.
+
+Fixes: ea22d51a7831 ("ibmvnic: simplify and improve driver probe function")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 0fd7eae25fe9..5afb3c9c52d2 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -3206,7 +3206,7 @@ static int init_sub_crq_irqs(struct ibmvnic_adapter *adapter)
+ req_tx_irq_failed:
+ for (j = 0; j < i; j++) {
+ free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]);
+- irq_dispose_mapping(adapter->rx_scrq[j]->irq);
++ irq_dispose_mapping(adapter->tx_scrq[j]->irq);
+ }
+ release_sub_crqs(adapter, 1);
+ return rc;
+--
+2.27.0
+
diff --git a/queue/libtraceevent-Fix-build-with-binutils-2.35.patch b/queue/libtraceevent-Fix-build-with-binutils-2.35.patch
new file mode 100644
index 00000000..965288a2
--- /dev/null
+++ b/queue/libtraceevent-Fix-build-with-binutils-2.35.patch
@@ -0,0 +1,35 @@
+From 39efdd94e314336f4acbac4c07e0f37bdc3bef71 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 25 Jul 2020 02:06:23 +0100
+Subject: [PATCH] libtraceevent: Fix build with binutils 2.35
+
+commit 39efdd94e314336f4acbac4c07e0f37bdc3bef71 upstream.
+
+In binutils 2.35, 'nm -D' changed to show symbol versions along with
+symbol names, with the usual @@ separator. When generating
+libtraceevent-dynamic-list we need just the names, so strip off the
+version suffix if present.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Tested-by: Salvatore Bonaccorso <carnil@debian.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-trace-devel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+diff --git a/tools/lib/traceevent/plugins/Makefile b/tools/lib/traceevent/plugins/Makefile
+index 349bb81482ab..680d883efe05 100644
+--- a/tools/lib/traceevent/plugins/Makefile
++++ b/tools/lib/traceevent/plugins/Makefile
+@@ -197,7 +197,7 @@ define do_generate_dynamic_list_file
+ xargs echo "U w W" | tr 'w ' 'W\n' | sort -u | xargs echo`;\
+ if [ "$$symbol_type" = "U W" ];then \
+ (echo '{'; \
+- $(NM) -u -D $1 | awk 'NF>1 {print "\t"$$2";"}' | sort -u;\
++ $(NM) -u -D $1 | awk 'NF>1 {sub("@.*", "", $$2); print "\t"$$2";"}' | sort -u;\
+ echo '};'; \
+ ) > $2; \
+ else \
+--
+2.27.0
+
diff --git a/queue/mac80211-mesh-Free-ie-data-when-leaving-mesh.patch b/queue/mac80211-mesh-Free-ie-data-when-leaving-mesh.patch
new file mode 100644
index 00000000..227ba318
--- /dev/null
+++ b/queue/mac80211-mesh-Free-ie-data-when-leaving-mesh.patch
@@ -0,0 +1,55 @@
+From 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Sat, 4 Jul 2020 15:50:07 +0200
+Subject: [PATCH] mac80211: mesh: Free ie data when leaving mesh
+
+commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 upstream.
+
+At ieee80211_join_mesh() some ie data could have been allocated (see
+copy_mesh_setup()) and need to be cleaned up when leaving the mesh.
+
+This fixes the following kmemleak report:
+
+unreferenced object 0xffff0000116bc600 (size 128):
+ comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s)
+ hex dump (first 32 bytes):
+ 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0...............
+ 00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00 .........e@.....
+ backtrace:
+ [<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330
+ [<00000000a349dbe1>] kmemdup+0x28/0x50
+ [<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211]
+ [<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211]
+ [<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211]
+ [<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680
+ [<00000000b1bd936d>] genl_rcv_msg+0x78/0x108
+ [<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0
+ [<0000000011af8ec9>] genl_rcv+0x34/0x48
+ [<0000000069e41f53>] netlink_unicast+0x268/0x2e8
+ [<00000000a7517316>] netlink_sendmsg+0x320/0x4c0
+ [<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0
+ [<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120
+ [<0000000037340728>] __sys_sendmsg+0xa4/0xf8
+ [<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58
+ [<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0
+
+Fixes: c80d545da3f7 (mac80211: Let userspace enable and configure vendor specific path selection.)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135007.27292-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 9b360544ad6f..1079a07e43e4 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2166,6 +2166,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev)
+ ieee80211_stop_mesh(sdata);
+ mutex_lock(&sdata->local->mtx);
+ ieee80211_vif_release_channel(sdata);
++ kfree(sdata->u.mesh.ie);
+ mutex_unlock(&sdata->local->mtx);
+
+ return 0;
+--
+2.27.0
+
diff --git a/queue/mac80211-mesh-Free-pending-skb-when-destroying-a-mpa.patch b/queue/mac80211-mesh-Free-pending-skb-when-destroying-a-mpa.patch
new file mode 100644
index 00000000..6ffe2bac
--- /dev/null
+++ b/queue/mac80211-mesh-Free-pending-skb-when-destroying-a-mpa.patch
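Review bot: `kfree(sdata->u.mesh.ie);` in ieee80211_leave_mesh() leaves the freed pointer stored in sdata, so any read or second free of `u.mesh.ie` before the next join overwrites it would be a use-after-free or double free. Whether the join path always reassigns the field cannot be seen from this hunk, so I would clear it right after the free: `sdata->u.mesh.ie = NULL;`. If a length is kept beside the pointer, it should be reset at the same place so the two never disagree. The function body starts outside the hunk.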
@@ -0,0 +1,68 @@
+From 5e43540c2af0a0c0a18e39579b1ad49541f87506 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Sat, 4 Jul 2020 15:54:19 +0200
+Subject: [PATCH] mac80211: mesh: Free pending skb when destroying a mpath
+
+commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 upstream.
+
+A mpath object can hold reference on a list of skb that are waiting for
+mpath resolution to be sent. When destroying a mpath this skb list
+should be cleaned up in order to not leak memory.
+
+Fixing that kind of leak:
+
+unreferenced object 0xffff0000181c9300 (size 1088):
+ comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00 ..........6.....
+ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+ [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178
+ [<00000000ceeaa916>] sk_alloc+0x34/0x228
+ [<00000000ca1f1d04>] inet_create+0x198/0x518
+ [<0000000035626b1c>] __sock_create+0x134/0x328
+ [<00000000a12b3a87>] __sys_socket+0xb0/0x158
+ [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58
+ [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+ [<0000000005b5157d>] el0_svc+0x8/0xc
+unreferenced object 0xffff000012973a40 (size 216):
+ comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff ................
+ backtrace:
+ [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+ [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8
+ [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320
+ [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0
+ [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28
+ [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0
+ [<0000000083477587>] ip_make_skb+0x14c/0x1a8
+ [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0
+ [<000000005aabe255>] inet_sendmsg+0x5c/0x80
+ [<000000008651ea08>] __sys_sendto+0x15c/0x218
+ [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90
+ [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+ [<0000000005b5157d>] el0_svc+0x8/0xc
+
+Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 117519bf33d6..aca608ae313f 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -521,6 +521,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl,
+ del_timer_sync(&mpath->timer);
+ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
++ mesh_path_flush_pending(mpath);
+ kfree_rcu(mpath, rcu);
+ }
+
+--
+2.27.0
+
diff --git a/queue/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch b/queue/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
new file mode 100644
index 00000000..f347f445
--- /dev/null
+++ b/queue/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
@@ -0,0 +1,34 @@
+From a7b2df76b42bdd026e3106cf2ba97db41345a177 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 25 Sep 2019 12:02:41 -0300
+Subject: [PATCH] media: rc: prevent memory leak in cx23888_ir_probe
+
+commit a7b2df76b42bdd026e3106cf2ba97db41345a177 upstream.
+
+In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
+should be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+
+diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
+index e880afe37f15..d59ca3601785 100644
+--- a/drivers/media/pci/cx23885/cx23888-ir.c
++++ b/drivers/media/pci/cx23885/cx23888-ir.c
+@@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
+ return -ENOMEM;
+
+ spin_lock_init(&state->rx_kfifo_lock);
+- if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
++ if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
++ GFP_KERNEL)) {
++ kfree(state);
+ return -ENOMEM;
++ }
+
+ state->dev = dev;
+ sd = &state->sd;
+--
+2.27.0
+
diff --git a/queue/mlx4-disable-device-on-shutdown.patch b/queue/mlx4-disable-device-on-shutdown.patch
new file mode 100644
index 00000000..c4db5c86
--- /dev/null
+++ b/queue/mlx4-disable-device-on-shutdown.patch
@@ -0,0 +1,68 @@
+From 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Fri, 24 Jul 2020 16:15:43 -0700
+Subject: [PATCH] mlx4: disable device on shutdown
+
+commit 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e upstream.
+
+It appears that not disabling a PCI device on .shutdown may lead to
+a Hardware Error with particular (perhaps buggy) BIOS versions:
+
+ mlx4_en: eth0: Close port called
+ mlx4_en 0000:04:00.0: removed PHC
+ reboot: Restarting system
+ {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
+ {1}[Hardware Error]: event severity: fatal
+ {1}[Hardware Error]: Error 0, type: fatal
+ {1}[Hardware Error]: section_type: PCIe error
+ {1}[Hardware Error]: port_type: 4, root port
+ {1}[Hardware Error]: version: 1.16
+ {1}[Hardware Error]: command: 0x4010, status: 0x0143
+ {1}[Hardware Error]: device_id: 0000:00:02.2
+ {1}[Hardware Error]: slot: 0
+ {1}[Hardware Error]: secondary_bus: 0x04
+ {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2f06
+ {1}[Hardware Error]: class_code: 000604
+ {1}[Hardware Error]: bridge: secondary_status: 0x2000, control: 0x0003
+ {1}[Hardware Error]: aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000
+ {1}[Hardware Error]: aer_uncor_severity: 0x00062030
+ {1}[Hardware Error]: TLP Header: 40000018 040000ff 791f4080 00000000
+[hw error repeats]
+ Kernel panic - not syncing: Fatal hardware error!
+ CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1
+ Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017
+
+Fix the mlx4 driver.
+
+This is a very similar problem to what had been fixed in:
+commit 0d98ba8d70b0 ("scsi: hpsa: disable device during shutdown")
+to address https://bugzilla.kernel.org/show_bug.cgi?id=199779.
+
+Fixes: 2ba5fbd62b25 ("net/mlx4_core: Handle AER flow properly")
+Reported-by: Jake Lawrence <lawja@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
+index 3d9aa7da95e9..2d3e45780719 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -4356,12 +4356,14 @@ static void mlx4_pci_resume(struct pci_dev *pdev)
+ static void mlx4_shutdown(struct pci_dev *pdev)
+ {
+ struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev);
++ struct mlx4_dev *dev = persist->dev;
+
+ mlx4_info(persist->dev, "mlx4_shutdown was called\n");
+ mutex_lock(&persist->interface_state_mutex);
+ if (persist->interface_state & MLX4_INTERFACE_STATE_UP)
+ mlx4_unload_one(pdev);
+ mutex_unlock(&persist->interface_state_mutex);
++ mlx4_pci_disable_device(dev);
+ }
+
+ static const struct pci_error_handlers mlx4_err_handler = {
+--
+2.27.0
+
diff --git a/queue/mlxsw-core-Free-EMAD-transactions-using-kfree_rcu.patch b/queue/mlxsw-core-Free-EMAD-transactions-using-kfree_rcu.patch
new file mode 100644
index 00000000..0d6bfc48
--- /dev/null
+++ b/queue/mlxsw-core-Free-EMAD-transactions-using-kfree_rcu.patch
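Review bot: In mlx4_shutdown() the new `struct mlx4_dev *dev = persist->dev;` is read before `interface_state_mutex` is taken, and `mlx4_pci_disable_device(dev)` uses it after `mlx4_unload_one()` and the unlock. Whether the pointer stays valid across the unload, and whether the disable call needs that mutex or takes its own lock, is not visible in this hunk. A comment stating the lifetime assumption, e.g. `/* persist->dev outlives mlx4_unload_one(); disable is done outside interface_state_mutex */`, would make the ordering reviewable once confirmed. As a style point, the existing `mlx4_info(persist->dev, ...)` line should use the new local, `mlx4_info(dev, "mlx4_shutdown was called\n");`, so the function has one spelling for the device.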
@@ -0,0 +1,146 @@ +From 3c8ce24b037648a5a15b85888b259a74b05ff97d Mon Sep 17 00:00:00 2001 +From: Ido Schimmel <idosch@mellanox.com> +Date: Wed, 29 Jul 2020 12:26:46 +0300 +Subject: [PATCH] mlxsw: core: Free EMAD transactions using kfree_rcu() + +commit 3c8ce24b037648a5a15b85888b259a74b05ff97d upstream. + +The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is +managed using RCU. They are freed using kfree_rcu() once the transaction +ends. + +However, in case the transaction failed it is freed immediately after being +removed from the active transactions list. This is problematic because it is +still possible for a different CPU to dereference the transaction from an RCU +read-side critical section while traversing the active transaction list in +mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered +[1]. + +Fix this by freeing the transaction after a grace period by calling +kfree_rcu(). + +[1] +BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671 +Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881 + +CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + <IRQ> + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671 + mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 
kernel/softirq.c:550 + __do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + </IRQ> + __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] + run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] + do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77 + invoke_softirq kernel/softirq.c:387 [inline] + __irq_exit_rcu kernel/softirq.c:417 [inline] + irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429 + sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091 + asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587 +RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline] +RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] +RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191 +Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d +RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286 +RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9 +RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1 +R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000 + __do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x473dbd +Code: Bad RIP value. 
+RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a +RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040 +RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c +R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80 + +Allocated by task 871: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812 + mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991 + mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130 + update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +Freed by task 871: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 [inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kfree+0xe6/0x320 mm/slub.c:4052 + mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819 + mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991 + mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130 + update_stats_cache+0xf4/0x140 
drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88800b796400 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 232 bytes inside of + 512-byte region [ffff88800b796400, ffff88800b796600) +The buggy address belongs to the page: +page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800b796380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800b796400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800b796480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800b796500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800b796580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Ido Schimmel <idosch@mellanox.com> +Reviewed-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 5e76a96a118e..71b6185b4904 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1814,7 +1814,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans, + bulk_list, cb, cb_priv, tid); + if (err) { +- kfree(trans); ++ kfree_rcu(trans, rcu); + return err; + } + return 0; +-- +2.27.0 + diff --git a/queue/mlxsw-core-Increase-scope-of-RCU-read-side-critical-.patch b/queue/mlxsw-core-Increase-scope-of-RCU-read-side-critical-.patch new file mode 100644 index 00000000..f409c0d1 --- /dev/null +++ b/queue/mlxsw-core-Increase-scope-of-RCU-read-side-critical-.patch 
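Review bot: The switch to `kfree_rcu(trans, rcu)` in the error branch of mlxsw_core_reg_access_emad() is unexplained in the code, so a later cleanup could easily turn it back into a plain kfree(). A comment such as `/* trans may still be seen by RCU readers walking the transaction list; defer the free */` would record the reason given in the commit message. The call relies on `struct mlxsw_reg_trans` having an rcu_head member named `rcu`, which is declared outside this hunk, as is the start of the function.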
@@ -0,0 +1,41 @@
+From 7d8e8f3433dc8d1dc87c1aabe73a154978fb4c4d Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 29 Jul 2020 12:26:45 +0300
+Subject: [PATCH] mlxsw: core: Increase scope of RCU read-side critical section
+
+commit 7d8e8f3433dc8d1dc87c1aabe73a154978fb4c4d upstream.
+
+The lifetime of the Rx listener item ('rxl_item') is managed using RCU,
+but is dereferenced outside of RCU read-side critical section, which can
+lead to a use-after-free.
+
+Fix this by increasing the scope of the RCU read-side critical section.
+
+Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index d6d6fe64887b..5e76a96a118e 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -2051,11 +2051,13 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb,
+ break;
+ }
+ }
+- rcu_read_unlock();
+- if (!found)
++ if (!found) {
++ rcu_read_unlock();
+ goto drop;
++ }
+
+ rxl->func(skb, local_port, rxl_item->priv);
++ rcu_read_unlock();
+ return;
+
+ drop:
+--
+2.27.0
+
diff --git a/queue/mm-filemap.c-don-t-bother-dropping-mmap_sem-for-zero.patch b/queue/mm-filemap.c-don-t-bother-dropping-mmap_sem-for-zero.patch
new file mode 100644
index 00000000..d75372a1
--- /dev/null
+++ b/queue/mm-filemap.c-don-t-bother-dropping-mmap_sem-for-zero.patch
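Review bot: With `rcu_read_unlock()` moved below `rxl->func(skb, local_port, rxl_item->priv)`, every Rx listener callback now runs inside an RCU read-side critical section, and nothing in mlxsw_core_skb_receive() says so. Callbacks installed as `rxl->func` therefore must not block. A comment above the call, such as `/* rxl_item is RCU-protected; func runs under rcu_read_lock() and must not sleep */`, would make that contract visible to listener authors. The matching rcu_read_lock() and the lookup loop start outside the hunk.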
@@ -0,0 +1,40 @@
+From 5c72feee3e45b40a3c96c7145ec422899d0e8964 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 1 Apr 2020 21:04:40 -0700
+Subject: [PATCH] mm/filemap.c: don't bother dropping mmap_sem for zero size
+ readahead
+
+commit 5c72feee3e45b40a3c96c7145ec422899d0e8964 upstream.
+
+When handling a page fault, we drop mmap_sem to start async readahead so
+that we don't block on IO submission with mmap_sem held. However there's
+no point to drop mmap_sem in case readahead is disabled. Handle that case
+to avoid pointless dropping of mmap_sem and retrying the fault. This was
+actually reported to block mlockall(MCL_CURRENT) indefinitely.
+
+Fixes: 6b4c9f446981 ("filemap: drop the mmap_sem for all blocking operations")
+Reported-by: Minchan Kim <minchan@kernel.org>
+Reported-by: Robert Stupp <snazy@gmx.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Minchan Kim <minchan@kernel.org>
+Link: http://lkml.kernel.org/r/20200212101356.30759-1-jack@suse.cz
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 1784478270e1..5bffaa2176cd 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2416,7 +2416,7 @@ static struct file *do_async_mmap_readahead(struct vm_fault *vmf,
+ pgoff_t offset = vmf->pgoff;
+
+ /* If we don't want any read-ahead, don't bother */
+- if (vmf->vma->vm_flags & VM_RAND_READ)
++ if (vmf->vma->vm_flags & VM_RAND_READ || !ra->ra_pages)
+ return fpin;
+ if (ra->mmap_miss > 0)
+ ra->mmap_miss--;
+--
+2.27.0
+
diff --git a/queue/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch b/queue/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch
new file mode 100644
index 00000000..307103e7
--- /dev/null
+++ b/queue/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch
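Review bot: The new condition `vmf->vma->vm_flags & VM_RAND_READ || !ra->ra_pages` in do_async_mmap_readahead() mixes a bitwise test with a logical OR and has no parentheses. It parses as intended because `&` binds tighter than `||`, but the reader has to recall that rule. Writing `if ((vmf->vma->vm_flags & VM_RAND_READ) || !ra->ra_pages)` is clearer. The function body continues outside the hunk.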
@@ -0,0 +1,86 @@ +From 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> +Date: Tue, 21 Jul 2020 15:23:12 +0900 +Subject: [PATCH] net: ethernet: ravb: exit if re-initialization fails in tx + timeout + +commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 upstream. + +According to the report of [1], this driver is possible to cause +the following error in ravb_tx_timeout_work(). + +ravb e6800000.ethernet ethernet: failed to switch device to config mode + +This error means that the hardware could not change the state +from "Operation" to "Configuration" while some tx and/or rx queue +are operating. After that, ravb_config() in ravb_dmac_init() will fail, +and then any descriptors will be not allocaled anymore so that NULL +pointer dereference happens after that on ravb_start_xmit(). + +To fix the issue, the ravb_tx_timeout_work() should check +the return values of ravb_stop_dma() and ravb_dmac_init(). +If ravb_stop_dma() fails, ravb_tx_timeout_work() re-enables TX and RX +and just exits. If ravb_dmac_init() fails, just exits. + +[1] +https://lore.kernel.org/linux-renesas-soc/20200518045452.2390-1-dirk.behme@de.bosch.com/ + +Reported-by: Dirk Behme <dirk.behme@de.bosch.com> +Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> +Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index a442bcf64b9c..99f7aae102ce 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1450,6 +1450,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) + struct ravb_private *priv = container_of(work, struct ravb_private, + work); + struct net_device *ndev = priv->ndev; ++ int error; + + netif_tx_stop_all_queues(ndev); + +@@ -1458,15 +1459,36 @@ static void ravb_tx_timeout_work(struct work_struct *work) + ravb_ptp_stop(ndev); + + /* Wait for DMA stopping */ +- ravb_stop_dma(ndev); ++ if (ravb_stop_dma(ndev)) { ++ /* If ravb_stop_dma() fails, the hardware is still operating ++ * for TX and/or RX. So, this should not call the following ++ * functions because ravb_dmac_init() is possible to fail too. ++ * Also, this should not retry ravb_stop_dma() again and again ++ * here because it's possible to wait forever. So, this just ++ * re-enables the TX and RX and skip the following ++ * re-initialization procedure. ++ */ ++ ravb_rcv_snd_enable(ndev); ++ goto out; ++ } + + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + + /* Device init */ +- ravb_dmac_init(ndev); ++ error = ravb_dmac_init(ndev); ++ if (error) { ++ /* If ravb_dmac_init() fails, descriptors are freed. So, this ++ * should return here to avoid re-enabling the TX and RX in ++ * ravb_emac_init(). ++ */ ++ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n", ++ __func__, error); ++ return; ++ } + ravb_emac_init(ndev); + ++out: + /* Initialise PTP Clock driver */ + if (priv->chip_id == RCAR_GEN2) + ravb_ptp_init(ndev, priv->pdev); +-- +2.27.0 + diff --git a/queue/net-gemini-Fix-missing-clk_disable_unprepare-in-erro.patch b/queue/net-gemini-Fix-missing-clk_disable_unprepare-in-erro.patch new file mode 100644 index 00000000..e487485d --- /dev/null 
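Review bot: The `ravb_stop_dma()` failure branch in ravb_tx_timeout_work() logs nothing, while the `ravb_dmac_init()` failure branch reports through netdev_err(). Unless ravb_stop_dma() reports the error itself, an operator gets no trace that recovery was skipped with the hardware still running. Adding `netdev_err(ndev, "%s: ravb_stop_dma() failed\n", __func__);` before `ravb_rcv_snd_enable(ndev)` would make the two paths consistent. On the `return` path the function exits with the rings freed and, as far as the hunk shows, with the TX queues still stopped by `netif_tx_stop_all_queues()`. The comment there could state that this is the intended end state; the tail of the function is outside the hunk.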
+++ b/queue/net-gemini-Fix-missing-clk_disable_unprepare-in-erro.patch
@@ -0,0 +1,43 @@
+From 85496a29224188051b6135eb38da8afd4c584765 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Thu, 30 Jul 2020 15:30:00 +0800
+Subject: [PATCH] net: gemini: Fix missing clk_disable_unprepare() in error
+ path of gemini_ethernet_port_probe()
+
+commit 85496a29224188051b6135eb38da8afd4c584765 upstream.
+
+Fix the missing clk_disable_unprepare() before return
+from gemini_ethernet_port_probe() in the error handling case.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 8d13ea370db1..66e67b24a887 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2446,6 +2446,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ port->reset = devm_reset_control_get_exclusive(dev, NULL);
+ if (IS_ERR(port->reset)) {
+ dev_err(dev, "no reset\n");
++ clk_disable_unprepare(port->pclk);
+ return PTR_ERR(port->reset);
+ }
+ reset_control_reset(port->reset);
+@@ -2501,8 +2502,10 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ IRQF_SHARED,
+ port_names[port->id],
+ port);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(port->pclk);
+ return ret;
++ }
+
+ ret = register_netdev(netdev);
+ if (!ret) {
+--
+2.27.0
+
diff --git a/queue/net-hns3-fix-a-TX-timeout-issue.patch b/queue/net-hns3-fix-a-TX-timeout-issue.patch
new file mode 100644
index 00000000..34113467
--- /dev/null
+++ b/queue/net-hns3-fix-a-TX-timeout-issue.patch
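Review bot: `clk_disable_unprepare(port->pclk)` is now repeated by hand in two separate early returns of gemini_ethernet_port_probe(), the same pattern that let the calls go missing in the first place. A single unwind label, e.g. `goto unprepare;` with `unprepare: clk_disable_unprepare(port->pclk); return ret;` at the end of the function, would free later error returns from having to remember the clock. The returns between the two hunks and the handling of a failed `register_netdev()` are outside the visible lines and should be checked for the same leak.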
@@ -0,0 +1,39 @@
+From a7e90ee5965fafc53d36e8b3205f08c88d7bc11f Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Tue, 28 Jul 2020 10:16:49 +0800
+Subject: [PATCH] net: hns3: fix a TX timeout issue
+
+commit a7e90ee5965fafc53d36e8b3205f08c88d7bc11f upstream.
+
+When the queue depth and queue parameters are modified, there is
+a low probability that TX timeout occurs. The two operations cause
+the link to be down or up when the watchdog is still working. All
+queues are stopped when the link is down. After the carrier is on,
+all queues are woken up. If the watchdog detects the link between
+the carrier on and wakeup queues, a false TX timeout occurs.
+
+So fix this issue by modifying the sequence of carrier on and queue
+wakeup, which is symmetrical to the link down action.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 3328500c0543..71ed4c54f6d5 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4136,8 +4136,8 @@ static void hns3_link_status_change(struct hnae3_handle *handle, bool linkup)
+ return;
+
+ if (linkup) {
+- netif_carrier_on(netdev);
+ netif_tx_wake_all_queues(netdev);
++ netif_carrier_on(netdev);
+ if (netif_msg_link(handle))
+ netdev_info(netdev, "link up\n");
+ } else {
+--
+2.27.0
+
diff --git a/queue/net-hns3-fix-aRFS-FD-rules-leftover-after-add-a-user.patch b/queue/net-hns3-fix-aRFS-FD-rules-leftover-after-add-a-user.patch
new file mode 100644
index 00000000..c2178735
--- /dev/null
+++ b/queue/net-hns3-fix-aRFS-FD-rules-leftover-after-add-a-user.patch
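Review bot: The order of `netif_tx_wake_all_queues()` and `netif_carrier_on()` in the `linkup` branch of hns3_link_status_change() is now load-bearing but looks arbitrary in the code. A short comment, for example `/* wake the queues before carrier on, so the watchdog never sees carrier with stopped queues */`, would keep a later cleanup from swapping the calls back. The `else` branch that the commit message calls symmetrical is outside the hunk.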
@@ -0,0 +1,137 @@ +From efe3fa45f770f1d66e2734ee7a3523c75694ff04 Mon Sep 17 00:00:00 2001 +From: Guojia Liao <liaoguojia@huawei.com> +Date: Tue, 28 Jul 2020 10:16:51 +0800 +Subject: [PATCH] net: hns3: fix aRFS FD rules leftover after add a user FD + rule + +commit efe3fa45f770f1d66e2734ee7a3523c75694ff04 upstream. + +When user had created a FD rule, all the aRFS rules should be clear up. +HNS3 process flow as below: +1.get spin lock of fd_ruls_list +2.clear up all aRFS rules +3.release lock +4.get spin lock of fd_ruls_list +5.creat a rules +6.release lock; + +There is a short period of time between step 3 and step 4, which would +creatting some new aRFS FD rules if driver was receiving packet. +So refactor the fd_rule_lock to fix it. + +Fixes: 441228875706 ("net: hns3: refine the flow director handle") +Signed-off-by: Guojia Liao <liaoguojia@huawei.com> +Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index bb4a6327035d..cee84e7080d6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5806,9 +5806,9 @@ static int hclge_add_fd_entry(struct hnae3_handle *handle, + /* to avoid rule conflict, when user configure rule by ethtool, + * we need to clear all arfs rules + */ ++ spin_lock_bh(&hdev->fd_rule_lock); + hclge_clear_arfs_rules(handle); + +- spin_lock_bh(&hdev->fd_rule_lock); + ret = hclge_fd_config_rule(hdev, rule); + + spin_unlock_bh(&hdev->fd_rule_lock); +@@ -5851,6 +5851,7 @@ static int hclge_del_fd_entry(struct hnae3_handle *handle, + return ret; + } + ++/* make sure being called after lock up with fd_rule_lock */ + static void hclge_del_all_fd_entries(struct hnae3_handle *handle, + bool clear_list) + { +@@ -5863,7 +5864,6 @@ static void hclge_del_all_fd_entries(struct hnae3_handle *handle, 
+ if (!hnae3_dev_fd_supported(hdev)) + return; + +- spin_lock_bh(&hdev->fd_rule_lock); + for_each_set_bit(location, hdev->fd_bmap, + hdev->fd_cfg.rule_num[HCLGE_FD_STAGE_1]) + hclge_fd_tcam_config(hdev, HCLGE_FD_STAGE_1, true, location, +@@ -5880,8 +5880,6 @@ static void hclge_del_all_fd_entries(struct hnae3_handle *handle, + bitmap_zero(hdev->fd_bmap, + hdev->fd_cfg.rule_num[HCLGE_FD_STAGE_1]); + } +- +- spin_unlock_bh(&hdev->fd_rule_lock); + } + + static int hclge_restore_fd_entries(struct hnae3_handle *handle) +@@ -6263,7 +6261,7 @@ static int hclge_add_fd_entry_by_arfs(struct hnae3_handle *handle, u16 queue_id, + u16 flow_id, struct flow_keys *fkeys) + { + struct hclge_vport *vport = hclge_get_vport(handle); +- struct hclge_fd_rule_tuples new_tuples; ++ struct hclge_fd_rule_tuples new_tuples = {}; + struct hclge_dev *hdev = vport->back; + struct hclge_fd_rule *rule; + u16 tmp_queue_id; +@@ -6273,19 +6271,17 @@ static int hclge_add_fd_entry_by_arfs(struct hnae3_handle *handle, u16 queue_id, + if (!hnae3_dev_fd_supported(hdev)) + return -EOPNOTSUPP; + +- memset(&new_tuples, 0, sizeof(new_tuples)); +- hclge_fd_get_flow_tuples(fkeys, &new_tuples); +- +- spin_lock_bh(&hdev->fd_rule_lock); +- + /* when there is already fd rule existed add by user, + * arfs should not work + */ ++ spin_lock_bh(&hdev->fd_rule_lock); + if (hdev->fd_active_type == HCLGE_FD_EP_ACTIVE) { + spin_unlock_bh(&hdev->fd_rule_lock); + return -EOPNOTSUPP; + } + ++ hclge_fd_get_flow_tuples(fkeys, &new_tuples); ++ + /* check is there flow director filter existed for this flow, + * if not, create a new filter for it; + * if filter exist with different queue id, modify the filter; +@@ -6368,6 +6364,7 @@ static void hclge_rfs_filter_expire(struct hclge_dev *hdev) + #endif + } + ++/* make sure being called after lock up with fd_rule_lock */ + static void hclge_clear_arfs_rules(struct hnae3_handle *handle) + { + #ifdef CONFIG_RFS_ACCEL +@@ -6420,10 +6417,14 @@ static void hclge_enable_fd(struct 
hnae3_handle *handle, bool enable) + + hdev->fd_en = enable; + clear = hdev->fd_active_type == HCLGE_FD_ARFS_ACTIVE; +- if (!enable) ++ ++ if (!enable) { ++ spin_lock_bh(&hdev->fd_rule_lock); + hclge_del_all_fd_entries(handle, clear); +- else ++ spin_unlock_bh(&hdev->fd_rule_lock); ++ } else { + hclge_restore_fd_entries(handle); ++ } + } + + static void hclge_cfg_mac_mode(struct hclge_dev *hdev, bool enable) +@@ -6886,8 +6887,9 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + int i; + + set_bit(HCLGE_STATE_DOWN, &hdev->state); +- ++ spin_lock_bh(&hdev->fd_rule_lock); + hclge_clear_arfs_rules(handle); ++ spin_unlock_bh(&hdev->fd_rule_lock); + + /* If it is not PF reset, the firmware will disable the MAC, + * so it only need to stop phy here. +-- +2.27.0 + diff --git a/queue/net-lan78xx-add-missing-endpoint-sanity-check.patch b/queue/net-lan78xx-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000..b7142ede --- /dev/null +++ b/queue/net-lan78xx-add-missing-endpoint-sanity-check.patch 
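Review bot: hclge_del_all_fd_entries() and hclge_clear_arfs_rules() now depend on the caller holding `hdev->fd_rule_lock`, but that requirement is stated only in the comment `make sure being called after lock up with fd_rule_lock`. Adding `lockdep_assert_held(&hdev->fd_rule_lock);` at the top of each helper would turn a forgotten lock in a future caller into a lockdep report instead of a silent race on the rule list. The comment itself would read better as `/* caller must hold hdev->fd_rule_lock */`. Both helper bodies are only partly visible, so where `hdev` becomes available in hclge_clear_arfs_rules() needs checking.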
@@ -0,0 +1,39 @@
+From 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:29 +0200
+Subject: [PATCH] net: lan78xx: add missing endpoint sanity check
+
+commit 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 upstream.
+
+Add the missing endpoint sanity check to prevent a NULL-pointer
+dereference should a malicious device lack the expected endpoints.
+
+Note that the driver has a broken endpoint-lookup helper,
+lan78xx_get_endpoints(), which can end up accepting interfaces in an
+altsetting without endpoints as long as *some* altsetting has a bulk-in
+and a bulk-out endpoint.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index eccbf4cd7149..d7162690e3f3 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3759,6 +3759,11 @@ static int lan78xx_probe(struct usb_interface *intf,
+ netdev->max_mtu = MAX_SINGLE_PACKET_SIZE;
+ netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) {
++ ret = -ENODEV;
++ goto out3;
++ }
++
+ dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
+ dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;
+ dev->ep_intr = (intf->cur_altsetting)->endpoint + 2;
+--
+2.27.0
+
diff --git a/queue/net-lan78xx-fix-transfer-buffer-memory-leak.patch b/queue/net-lan78xx-fix-transfer-buffer-memory-leak.patch
new file mode 100644
index 00000000..b526c272
--- /dev/null
+++ b/queue/net-lan78xx-fix-transfer-buffer-memory-leak.patch
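Review bot: The new guard in lan78xx_probe() checks only `bNumEndpoints < 3`; the three assignments after it still take endpoints 0, 1 and 2 by position and assume they are bulk-in, bulk-out and interrupt-in. A device that presents three endpoints of other types or directions passes the check. The descriptors should therefore be verified as well, before the pipes are built from them, using the usb_endpoint_is_bulk_in(), usb_endpoint_is_bulk_out() and usb_endpoint_is_int_in() helpers. The `out3` unwind label and the rest of the probe function are outside the hunk.

```c
	dev->ep_intr = (intf->cur_altsetting)->endpoint + 2;

	/* Endpoints are taken by position; verify type and direction too. */
	if (!usb_endpoint_is_bulk_in(&dev->ep_blkin->desc) ||
	    !usb_endpoint_is_bulk_out(&dev->ep_blkout->desc) ||
	    !usb_endpoint_is_int_in(&dev->ep_intr->desc)) {
		ret = -ENODEV;
		goto out3;
	}
```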
@@ -0,0 +1,30 @@
+From 63634aa679ba8b5e306ad0727120309ae6ba8a8e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:30 +0200
+Subject: [PATCH] net: lan78xx: fix transfer-buffer memory leak
+
+commit 63634aa679ba8b5e306ad0727120309ae6ba8a8e upstream.
+
+The interrupt URB transfer-buffer was never freed on disconnect or after
+probe errors.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index d7162690e3f3..ee062b27cfa7 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3788,6 +3788,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+ usb_fill_int_urb(dev->urb_intr, dev->udev,
+ dev->pipe_intr, buf, maxp,
+ intr_complete, dev, period);
++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
+ }
+ }
+
+--
+2.27.0
+
diff --git a/queue/net-mlx5-E-switch-Destroy-TSAR-when-fail-to-enable-t.patch b/queue/net-mlx5-E-switch-Destroy-TSAR-when-fail-to-enable-t.patch
new file mode 100644
index 00000000..9400dc85
--- /dev/null
+++ b/queue/net-mlx5-E-switch-Destroy-TSAR-when-fail-to-enable-t.patch
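Review bot: Setting `URB_FREE_BUFFER` hands ownership of `buf` to `dev->urb_intr`, yet nothing near the `usb_fill_int_urb()` call in lan78xx_probe() says so. A comment such as `/* buf is now owned by the URB and freed together with it */` would stop a later error path from adding its own kfree(buf) and creating a double free. The allocation of `buf` and the probe error labels are outside the hunk.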
@@ -0,0 +1,33 @@
+From 2b8e9c7c3fd0e31091edb1c66cc06ffe4988ca21 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Sat, 27 Jun 2020 13:29:28 +0300
+Subject: [PATCH] net/mlx5: E-switch, Destroy TSAR when fail to enable the mode
+
+commit 2b8e9c7c3fd0e31091edb1c66cc06ffe4988ca21 upstream.
+
+When either esw_legacy_enable() or esw_offloads_enable() fails,
+code missed to destroy the created TSAR.
+
+Hence, add the missing call to destroy the TSAR.
+
+Fixes: 610090ebce92 ("net/mlx5: E-switch, Initialize TSAR Qos hardware block before its user vports")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 1116ab9bea6c..9701f0f8be50 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1608,7 +1608,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int mode, int num_vfs)
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_IB);
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_ETH);
+ }
+-
++ esw_destroy_tsar(esw);
+ return err;
+ }
+
+--
+2.27.0
+
diff --git a/queue/net-mlx5-Verify-Hardware-supports-requested-ptp-func.patch b/queue/net-mlx5-Verify-Hardware-supports-requested-ptp-func.patch
new file mode 100644
index 00000000..e26040c2
--- /dev/null
+++ b/queue/net-mlx5-Verify-Hardware-supports-requested-ptp-func.patch
@@ -0,0 +1,56 @@
+From 071995c877a8646209d55ff8edddd2b054e7424c Mon Sep 17 00:00:00 2001
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Wed, 8 Jul 2020 11:10:01 +0300
+Subject: [PATCH] net/mlx5: Verify Hardware supports requested ptp function on
+ a given pin
+
+commit 071995c877a8646209d55ff8edddd2b054e7424c upstream.
+
+Fix a bug where driver did not verify Hardware pin capabilities for
+PTP functions.
+
+Fixes: ee7f12205abc ("net/mlx5e: Implement 1PPS support")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Ariel Levkovich <lariel@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index c6967e1a560b..284806e331bd 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -408,10 +408,31 @@ static int mlx5_ptp_enable(struct ptp_clock_info *ptp,
+ return 0;
+ }
+
++enum {
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN = BIT(0),
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT = BIT(1),
++};
++
+ static int mlx5_ptp_verify(struct ptp_clock_info *ptp, unsigned int pin,
+ enum ptp_pin_function func, unsigned int chan)
+ {
+- return (func == PTP_PF_PHYSYNC) ? -EOPNOTSUPP : 0;
++ struct mlx5_clock *clock = container_of(ptp, struct mlx5_clock,
++ ptp_info);
++
++ switch (func) {
++ case PTP_PF_NONE:
++ return 0;
++ case PTP_PF_EXTTS:
++ return !(clock->pps_info.pin_caps[pin] &
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN);
++ case PTP_PF_PEROUT:
++ return !(clock->pps_info.pin_caps[pin] &
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT);
++ default:
++ return -EOPNOTSUPP;
++ }
++
++ return -EOPNOTSUPP;
+ }
+
+ static const struct ptp_clock_info mlx5_ptp_clock_info = {
+--
+2.27.0
+
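Review bot: The `PTP_PF_EXTTS` and `PTP_PF_PEROUT` cases of mlx5_ptp_verify() return `!(caps & flag)`, which is 1 for an unsupported pin, while every other path returns 0 or `-EOPNOTSUPP`. A caller that tests for `< 0` would take the positive value as success. Returning `(clock->pps_info.pin_caps[pin] & MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN) ? 0 : -EOPNOTSUPP` (and the same with `..._PPS_OUT`) keeps the function to one error convention. The `return -EOPNOTSUPP;` after the switch is unreachable because every case returns, and can be dropped. `pin` also indexes `pin_caps[]` unchecked here, so the code relies on the caller having bounded it; the array size is not visible in the hunk.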
diff --git a/queue/net-mlx5e-Fix-error-path-of-device-attach.patch b/queue/net-mlx5e-Fix-error-path-of-device-attach.patch
new file mode 100644
index 00000000..75694861
--- /dev/null
+++ b/queue/net-mlx5e-Fix-error-path-of-device-attach.patch
@@ -0,0 +1,36 @@
+From 5cd39b6e9a420329a9a408894be7ba8aa7dd755e Mon Sep 17 00:00:00 2001
+From: Aya Levin <ayal@mellanox.com>
+Date: Wed, 1 Jul 2020 12:21:53 +0300
+Subject: [PATCH] net/mlx5e: Fix error path of device attach
+
+commit 5cd39b6e9a420329a9a408894be7ba8aa7dd755e upstream.
+
+On failure to attach the netdev, fix the rollback by re-setting the
+device's state back to MLX5E_STATE_DESTROYING.
+
+Failing to attach doesn't stop statistics polling via .ndo_get_stats64.
+In this case, although the device is not attached, it falsely continues
+to query the firmware for counters. Setting the device's state back to
+MLX5E_STATE_DESTROYING prevents the firmware counters query.
+
+Fixes: 26e59d8077a3 ("net/mlx5e: Implement mlx5e interface attach/detach callbacks")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 081f15074cac..31f9ecae98df 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5390,6 +5390,8 @@ int mlx5e_attach_netdev(struct mlx5e_priv *priv)
+ profile->cleanup_tx(priv);
+
+ out:
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
++ cancel_work_sync(&priv->update_stats_work);
+ return err;
+ }
+
+--
+2.27.0
+
diff --git a/queue/net-mlx5e-Fix-kernel-crash-when-setting-vf-VLANID-on.patch b/queue/net-mlx5e-Fix-kernel-crash-when-setting-vf-VLANID-on.patch
new file mode 100644
index 00000000..ff3138f3
--- /dev/null
+++ b/queue/net-mlx5e-Fix-kernel-crash-when-setting-vf-VLANID-on.patch
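Review bot: The two added calls sit under the generic `out:` label of mlx5e_attach_netdev(), so they are correct only if the success path returns before reaching it. That return is outside the hunk and should be confirmed, since a successful attach that fell through would end in `MLX5E_STATE_DESTROYING`. A comment such as `/* error path only: mark the device as destroying so stats polling stops querying firmware */` would make the intent explicit. Renaming the label to an error-specific name would do the same.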
@@ -0,0 +1,108 @@ +From 350a63249d270b1f5bd05c7e2a24cd8de0f9db20 Mon Sep 17 00:00:00 2001 +From: Alaa Hleihel <alaa@mellanox.com> +Date: Wed, 15 Jul 2020 11:46:30 +0300 +Subject: [PATCH] net/mlx5e: Fix kernel crash when setting vf VLANID on a VF + dev + +commit 350a63249d270b1f5bd05c7e2a24cd8de0f9db20 upstream. + +After the cited commit, function 'mlx5_eswitch_set_vport_vlan' started +to acquire esw->state_lock. +However, esw is not defined for VF devices, hence attempting to set vf +VLANID on a VF dev will cause a kernel panic. + +Fix it by moving up the (redundant) esw validation from function +'__mlx5_eswitch_set_vport_vlan' since the rest of the callers now have +and use a valid esw. + +For example with vf device eth4: + # ip link set dev eth4 vf 0 vlan 0 + +Trace of the panic: + [ 411.409842] BUG: unable to handle page fault for address: 00000000000011b8 + [ 411.449745] #PF: supervisor read access in kernel mode + [ 411.452348] #PF: error_code(0x0000) - not-present page + [ 411.454938] PGD 80000004189c9067 P4D 80000004189c9067 PUD 41899a067 PMD 0 + [ 411.458382] Oops: 0000 [#1] SMP PTI + [ 411.460268] CPU: 4 PID: 5711 Comm: ip Not tainted 5.8.0-rc4_for_upstream_min_debug_2020_07_08_22_04 #1 + [ 411.462447] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + [ 411.464158] RIP: 0010:__mutex_lock+0x4e/0x940 + [ 411.464928] Code: fd 41 54 49 89 f4 41 52 53 89 d3 48 83 ec 70 44 8b 1d ee 03 b0 01 65 48 8b 04 25 28 00 00 00 48 89 45 c8 31 c0 45 85 db 75 0a <48> 3b 7f 60 0f 85 7e 05 00 00 49 8d 45 68 41 56 41 b8 01 00 00 00 + [ 411.467678] RSP: 0018:ffff88841fcd74b0 EFLAGS: 00010246 + [ 411.468562] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 + [ 411.469715] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000001158 + [ 411.470812] RBP: ffff88841fcd7550 R08: ffffffffa00fa1ce R09: 0000000000000000 + [ 411.471835] R10: ffff88841fcd7570 R11: 0000000000000000 R12: 0000000000000002 + 
[ 411.472862] R13: 0000000000001158 R14: ffffffffa00fa1ce R15: 0000000000000000 + [ 411.474004] FS: 00007faee7ca6b80(0000) GS:ffff88846fc00000(0000) knlGS:0000000000000000 + [ 411.475237] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 411.476129] CR2: 00000000000011b8 CR3: 000000041909c006 CR4: 0000000000360ea0 + [ 411.477260] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 411.478340] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 411.479332] Call Trace: + [ 411.479760] ? __nla_validate_parse.part.6+0x57/0x8f0 + [ 411.482825] ? mlx5_eswitch_set_vport_vlan+0x3e/0xa0 [mlx5_core] + [ 411.483804] mlx5_eswitch_set_vport_vlan+0x3e/0xa0 [mlx5_core] + [ 411.484733] mlx5e_set_vf_vlan+0x41/0x50 [mlx5_core] + [ 411.485545] do_setlink+0x613/0x1000 + [ 411.486165] __rtnl_newlink+0x53d/0x8c0 + [ 411.486791] ? mark_held_locks+0x49/0x70 + [ 411.487429] ? __lock_acquire+0x8fe/0x1eb0 + [ 411.488085] ? rcu_read_lock_sched_held+0x52/0x60 + [ 411.488998] ? kmem_cache_alloc_trace+0x16d/0x2d0 + [ 411.489759] rtnl_newlink+0x47/0x70 + [ 411.490357] rtnetlink_rcv_msg+0x24e/0x450 + [ 411.490978] ? netlink_deliver_tap+0x92/0x3d0 + [ 411.491631] ? validate_linkmsg+0x330/0x330 + [ 411.492262] netlink_rcv_skb+0x47/0x110 + [ 411.492852] netlink_unicast+0x1ac/0x270 + [ 411.493551] netlink_sendmsg+0x336/0x450 + [ 411.494209] sock_sendmsg+0x30/0x40 + [ 411.494779] ____sys_sendmsg+0x1dd/0x1f0 + [ 411.495378] ? copy_msghdr_from_user+0x5c/0x90 + [ 411.496082] ___sys_sendmsg+0x87/0xd0 + [ 411.496683] ? lock_acquire+0xb9/0x3a0 + [ 411.497322] ? lru_cache_add+0x5/0x170 + [ 411.497944] ? find_held_lock+0x2d/0x90 + [ 411.498568] ? handle_mm_fault+0xe46/0x18c0 + [ 411.499205] ? __sys_sendmsg+0x51/0x90 + [ 411.499784] __sys_sendmsg+0x51/0x90 + [ 411.500341] do_syscall_64+0x59/0x2e0 + [ 411.500938] ? asm_exc_page_fault+0x8/0x30 + [ 411.501609] ? 
rcu_read_lock_sched_held+0x52/0x60 + [ 411.502350] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [ 411.503093] RIP: 0033:0x7faee73b85a7 + [ 411.503654] Code: Bad RIP value. + +Fixes: 0e18134f4f9f ("net/mlx5e: Eswitch, use state_lock to synchronize vlan change") +Signed-off-by: Alaa Hleihel <alaa@mellanox.com> +Reviewed-by: Roi Dayan <roid@mellanox.com> +Reviewed-by: Vlad Buslov <vladbu@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 71d01143c455..43005caff09e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1887,8 +1887,6 @@ int __mlx5_eswitch_set_vport_vlan(struct mlx5_eswitch *esw, + struct mlx5_vport *evport = mlx5_eswitch_get_vport(esw, vport); + int err = 0; + +- if (!ESW_ALLOWED(esw)) +- return -EPERM; + if (IS_ERR(evport)) + return PTR_ERR(evport); + if (vlan > 4095 || qos > 7) +@@ -1916,6 +1914,9 @@ int mlx5_eswitch_set_vport_vlan(struct mlx5_eswitch *esw, + u8 set_flags = 0; + int err; + ++ if (!ESW_ALLOWED(esw)) ++ return -EPERM; ++ + if (vlan || qos) + set_flags = SET_VLAN_STRIP | SET_VLAN_INSERT; + +-- +2.27.0 + diff --git a/queue/net-mlx5e-Modify-uplink-state-on-interface-up-down.patch b/queue/net-mlx5e-Modify-uplink-state-on-interface-up-down.patch new file mode 100644 index 00000000..eda67710 --- /dev/null +++ b/queue/net-mlx5e-Modify-uplink-state-on-interface-up-down.patch 
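Review bot: With the `ESW_ALLOWED(esw)` test removed from `__mlx5_eswitch_set_vport_vlan`, that helper has no guard of its own, and its first statement, `mlx5_eswitch_get_vport(esw, vport)` in the `evport` initializer, runs on whatever `esw` the caller passes. The commit message says the remaining callers hold a valid `esw`, but that is not visible in these hunks, so the precondition should be written down where the check used to be, e.g. `/* Caller must have checked ESW_ALLOWED(esw); esw is not validated here. */`. Both functions start outside their hunks.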
@@ -0,0 +1,162 @@ +From 7d0314b11cdd92bca8b89684c06953bf114605fc Mon Sep 17 00:00:00 2001 +From: Ron Diskin <rondi@mellanox.com> +Date: Sun, 5 Apr 2020 13:58:40 +0300 +Subject: [PATCH] net/mlx5e: Modify uplink state on interface up/down + +commit 7d0314b11cdd92bca8b89684c06953bf114605fc upstream. + +When setting the PF interface up/down, notify the firmware to update +uplink state via MODIFY_VPORT_STATE, when E-Switch is enabled. + +This behavior will prevent sending traffic out on uplink port when PF is +down, such as sending traffic from a VF interface which is still up. +Currently when calling mlx5e_open/close(), the driver only sends PAOS +command to notify the firmware to set the physical port state to +up/down, however, it is not sufficient. When VF is in "auto" state, it +follows the uplink state, which was not updated on mlx5e_open/close() +before this patch. + +When switchdev mode is enabled and uplink representor is first enabled, +set the uplink port state value back to its FW default "AUTO". 
+ +Fixes: 63bfd399de55 ("net/mlx5e: Send PAOS command on interface up/down") +Signed-off-by: Ron Diskin <rondi@mellanox.com> +Reviewed-by: Roi Dayan <roid@mellanox.com> +Reviewed-by: Moshe Shemesh <moshe@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 31f9ecae98df..07fdbea7ea13 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3069,6 +3069,25 @@ void mlx5e_timestamp_init(struct mlx5e_priv *priv) + priv->tstamp.rx_filter = HWTSTAMP_FILTER_NONE; + } + ++static void mlx5e_modify_admin_state(struct mlx5_core_dev *mdev, ++ enum mlx5_port_status state) ++{ ++ struct mlx5_eswitch *esw = mdev->priv.eswitch; ++ int vport_admin_state; ++ ++ mlx5_set_port_admin_status(mdev, state); ++ ++ if (!MLX5_ESWITCH_MANAGER(mdev) || mlx5_eswitch_mode(esw) == MLX5_ESWITCH_OFFLOADS) ++ return; ++ ++ if (state == MLX5_PORT_UP) ++ vport_admin_state = MLX5_VPORT_ADMIN_STATE_AUTO; ++ else ++ vport_admin_state = MLX5_VPORT_ADMIN_STATE_DOWN; ++ ++ mlx5_eswitch_set_vport_state(esw, MLX5_VPORT_UPLINK, vport_admin_state); ++} ++ + int mlx5e_open_locked(struct net_device *netdev) + { + struct mlx5e_priv *priv = netdev_priv(netdev); +@@ -3101,7 +3120,7 @@ int mlx5e_open(struct net_device *netdev) + mutex_lock(&priv->state_lock); + err = mlx5e_open_locked(netdev); + if (!err) +- mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_UP); ++ mlx5e_modify_admin_state(priv->mdev, MLX5_PORT_UP); + mutex_unlock(&priv->state_lock); + + return err; +@@ -3135,7 +3154,7 @@ int mlx5e_close(struct net_device *netdev) + return -ENODEV; + + mutex_lock(&priv->state_lock); +- mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_DOWN); ++ mlx5e_modify_admin_state(priv->mdev, MLX5_PORT_DOWN); + err = mlx5e_close_locked(netdev); + mutex_unlock(&priv->state_lock); + +@@ -5182,7 +5201,7 @@ static void 
mlx5e_nic_enable(struct mlx5e_priv *priv) + + /* Marking the link as currently not needed by the Driver */ + if (!netif_running(netdev)) +- mlx5_set_port_admin_status(mdev, MLX5_PORT_DOWN); ++ mlx5e_modify_admin_state(mdev, MLX5_PORT_DOWN); + + mlx5e_set_netdev_mtu_boundaries(priv); + mlx5e_set_dev_port_mtu(priv); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 8c294ab43f90..9519a61bd8ec 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1081,6 +1081,8 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv) + + mlx5e_rep_tc_enable(priv); + ++ mlx5_modify_vport_admin_state(mdev, MLX5_VPORT_STATE_OP_MOD_UPLINK, ++ 0, 0, MLX5_VPORT_ADMIN_STATE_AUTO); + mlx5_lag_add(mdev, netdev); + priv->events_nb.notifier_call = uplink_rep_async_event; + mlx5_notifier_register(mdev, &priv->events_nb); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index d9376627584e..71d01143c455 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1826,6 +1826,8 @@ int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw, + u16 vport, int link_state) + { + struct mlx5_vport *evport = mlx5_eswitch_get_vport(esw, vport); ++ int opmod = MLX5_VPORT_STATE_OP_MOD_ESW_VPORT; ++ int other_vport = 1; + int err = 0; + + if (!ESW_ALLOWED(esw)) +@@ -1833,15 +1835,17 @@ int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw, + if (IS_ERR(evport)) + return PTR_ERR(evport); + ++ if (vport == MLX5_VPORT_UPLINK) { ++ opmod = MLX5_VPORT_STATE_OP_MOD_UPLINK; ++ other_vport = 0; ++ vport = 0; ++ } + mutex_lock(&esw->state_lock); + +- err = mlx5_modify_vport_admin_state(esw->dev, +- MLX5_VPORT_STATE_OP_MOD_ESW_VPORT, +- vport, 1, link_state); ++ err = mlx5_modify_vport_admin_state(esw->dev, opmod, vport, other_vport, 
link_state); + if (err) { +- mlx5_core_warn(esw->dev, +- "Failed to set vport %d link state, err = %d", +- vport, err); ++ mlx5_core_warn(esw->dev, "Failed to set vport %d link state, opmod = %d, err = %d", ++ vport, opmod, err); + goto unlock; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index a5175e98c0b3..5785596f13f5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -680,6 +680,8 @@ static inline int mlx5_eswitch_enable(struct mlx5_eswitch *esw, int num_vfs) { r + static inline void mlx5_eswitch_disable(struct mlx5_eswitch *esw, bool clear_vf) {} + static inline bool mlx5_esw_lag_prereq(struct mlx5_core_dev *dev0, struct mlx5_core_dev *dev1) { return true; } + static inline bool mlx5_eswitch_is_funcs_handler(struct mlx5_core_dev *dev) { return false; } ++static inline ++int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw, u16 vport, int link_state) { return 0; } + static inline const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev) + { + return ERR_PTR(-EOPNOTSUPP); +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 073b79eacc99..1340e02b14ef 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -4381,6 +4381,7 @@ struct mlx5_ifc_query_vport_state_out_bits { + enum { + MLX5_VPORT_STATE_OP_MOD_VNIC_VPORT = 0x0, + MLX5_VPORT_STATE_OP_MOD_ESW_VPORT = 0x1, ++ MLX5_VPORT_STATE_OP_MOD_UPLINK = 0x2, + }; + + struct mlx5_ifc_arm_monitor_counter_in_bits { +-- +2.27.0 + diff --git a/queue/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch b/queue/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch new file mode 100644 index 00000000..821c3e6c --- /dev/null +++ b/queue/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch 
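Review bot: `mlx5e_modify_admin_state` discards the return values of both `mlx5_set_port_admin_status` and `mlx5_eswitch_set_vport_state`, so on `mlx5e_close` a failed uplink update leaves the uplink in its previous state with nothing reported at the call site, which is the condition the commit message sets out to prevent (VF traffic leaving on the uplink while the PF is down). The `-EPERM` and `PTR_ERR(evport)` early returns in `mlx5_eswitch_set_vport_state` log nothing, so the helper should at least record the failure: `err = mlx5_eswitch_set_vport_state(esw, MLX5_VPORT_UPLINK, vport_admin_state);` followed by `if (err) mlx5_core_warn(mdev, "uplink state update failed, err = %d\n", err);`, with an `int err;` declared alongside `vport_admin_state`. In `mlx5_eswitch_set_vport_state` the uplink branch overwrites `vport` with 0 before the warning is formatted, so the message reports vport 0 for the uplink; a comment on that branch saying `opmod` is what identifies the uplink would help whoever reads the log.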
@@ -0,0 +1,50 @@
+From e692139e6af339a1495ef401b2d95f7f9d1c7a44 Mon Sep 17 00:00:00 2001
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+Date: Thu, 30 Jul 2020 18:29:41 +0800
+Subject: [PATCH] net/mlx5e: fix bpf_prog reference count leaks in
+ mlx5e_alloc_rq
+
+commit e692139e6af339a1495ef401b2d95f7f9d1c7a44 upstream.
+
+The function invokes bpf_prog_inc(), which increases the reference
+count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.
+
+The refcount leak issues take place in two error handling paths. When
+either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
+simply returns the error code and forgets to drop the reference count
+increased earlier, causing a reference count leak of "rq->xdp_prog".
+
+Fix this issue by jumping to the error handling path err_rq_wq_destroy
+while either function fails.
+
+Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types")
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 07fdbea7ea13..3b892ec301b4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq,
+ &rq->wq_ctrl);
+ if (err)
+- return err;
++ goto err_rq_wq_destroy;
+
+ rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
+
+@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq,
+ &rq->wq_ctrl);
+ if (err)
+- return err;
++ goto err_rq_wq_destroy;
+
+ rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
+
+--
+2.27.0
+
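Review bot: Both new `goto err_rq_wq_destroy;` jumps are taken when `mlx5_wq_ll_create()` or `mlx5_wq_cyc_create()` has just failed, yet the label name indicates that it tears down the work queue held in `rq->wq_ctrl`. The label's body is outside the hunk; if it destroys the WQ unconditionally, these paths would release a queue that was never created, or that the failing create call already cleaned up, trading the reference leak for a possible double free. Confirm the unwind is safe for this state, or add a narrower label that only drops the `rq->xdp_prog` reference and whatever else was acquired before the create call.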
diff --git a/queue/net-nixge-fix-potential-memory-leak-in-nixge_probe.patch b/queue/net-nixge-fix-potential-memory-leak-in-nixge_probe.patch
new file mode 100644
index 00000000..22c4a08c
--- /dev/null
+++ b/queue/net-nixge-fix-potential-memory-leak-in-nixge_probe.patch
@@ -0,0 +1,48 @@
+From 366228ed01f6882cc203e3d5b40010dfae0be1c3 Mon Sep 17 00:00:00 2001
+From: Lu Wei <luwei32@huawei.com>
+Date: Wed, 29 Jul 2020 11:50:05 +0800
+Subject: [PATCH] net: nixge: fix potential memory leak in nixge_probe()
+
+commit 366228ed01f6882cc203e3d5b40010dfae0be1c3 upstream.
+
+If some processes in nixge_probe() fail, free_netdev(dev)
+needs to be called to aviod a memory leak.
+
+Fixes: 87ab207981ec ("net: nixge: Separate ctrl and dma resources")
+Fixes: abcd3d6fc640 ("net: nixge: Fix error path for obtaining mac address")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index d2708a57f2ff..4075f5e59955 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -1299,19 +1299,21 @@ static int nixge_probe(struct platform_device *pdev)
+ netif_napi_add(ndev, &priv->napi, nixge_poll, NAPI_POLL_WEIGHT);
+ err = nixge_of_get_resources(pdev);
+ if (err)
+- return err;
++ goto free_netdev;
+ __nixge_hw_set_mac_address(ndev);
+
+ priv->tx_irq = platform_get_irq_byname(pdev, "tx");
+ if (priv->tx_irq < 0) {
+ netdev_err(ndev, "could not find 'tx' irq");
+- return priv->tx_irq;
++ err = priv->tx_irq;
++ goto free_netdev;
+ }
+
+ priv->rx_irq = platform_get_irq_byname(pdev, "rx");
+ if (priv->rx_irq < 0) {
+ netdev_err(ndev, "could not find 'rx' irq");
+- return priv->rx_irq;
++ err = priv->rx_irq;
++ goto free_netdev;
+ }
+
+ priv->coalesce_count_rx = XAXIDMA_DFT_RX_THRESHOLD;
+--
+2.27.0
+
diff --git a/queue/net-x25-Fix-null-ptr-deref-in-x25_disconnect.patch b/queue/net-x25-Fix-null-ptr-deref-in-x25_disconnect.patch
new file mode 100644
index 00000000..5a7ec9a7
--- /dev/null
+++ b/queue/net-x25-Fix-null-ptr-deref-in-x25_disconnect.patch
@@ -0,0 +1,64 @@
+From 8999dc89497ab1c80d0718828e838c7cd5f6bffe Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 28 Apr 2020 16:12:08 +0800
+Subject: [PATCH] net/x25: Fix null-ptr-deref in x25_disconnect
+
+commit 8999dc89497ab1c80d0718828e838c7cd5f6bffe upstream.
+
+We should check null before do x25_neigh_put in x25_disconnect,
+otherwise may cause null-ptr-deref like this:
+
+ #include <sys/socket.h>
+ #include <linux/x25.h>
+
+ int main() {
+ int sck_x25;
+ sck_x25 = socket(AF_X25, SOCK_SEQPACKET, 0);
+ close(sck_x25);
+ return 0;
+ }
+
+BUG: kernel NULL pointer dereference, address: 00000000000000d8
+CPU: 0 PID: 4817 Comm: t2 Not tainted 5.7.0-rc3+ #159
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-
+RIP: 0010:x25_disconnect+0x91/0xe0
+Call Trace:
+ x25_release+0x18a/0x1b0
+ __sock_release+0x3d/0xc0
+ sock_close+0x13/0x20
+ __fput+0x107/0x270
+ ____fput+0x9/0x10
+ task_work_run+0x6d/0xb0
+ exit_to_usermode_loop+0x102/0x110
+ do_syscall_64+0x23c/0x260
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Reported-by: syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
+index 8b1b06cabcbf..0285aaa1e93c 100644
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,10 +357,12 @@ void x25_disconnect(struct sock *sk, int reason, unsigned char cause,
+ sk->sk_state_change(sk);
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+- read_lock_bh(&x25_list_lock);
+- x25_neigh_put(x25->neighbour);
+- x25->neighbour = NULL;
+- read_unlock_bh(&x25_list_lock);
++ if (x25->neighbour) {
++ read_lock_bh(&x25_list_lock);
++ x25_neigh_put(x25->neighbour);
++ x25->neighbour = NULL;
++ read_unlock_bh(&x25_list_lock);
++ }
+ }
+
+ /*
+--
+2.27.0
+
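Review bot: The new `if (x25->neighbour)` test in `x25_disconnect` is evaluated before `read_lock_bh(&x25_list_lock)` is taken, so the pointer that is checked and the pointer passed to `x25_neigh_put()` are read at two different times; if another path can clear or replace `x25->neighbour` in between (not visible in this hunk), the NULL dereference or an extra put is still reachable. Doing the test inside the locked region closes that window at no cost. Separately, the field is written while only a read lock is held, which does not exclude a second caller of this function, so a comment stating what serialises `x25_disconnect` for a given socket is warranted. The function starts outside the hunk.
```c
	read_lock_bh(&x25_list_lock);
	if (x25->neighbour) {
		/* test and put under the same lock hold */
		x25_neigh_put(x25->neighbour);
		x25->neighbour = NULL;
	}
	read_unlock_bh(&x25_list_lock);
```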
diff --git a/queue/net-x25-Fix-x25_neigh-refcnt-leak-when-x25-disconnec.patch b/queue/net-x25-Fix-x25_neigh-refcnt-leak-when-x25-disconnec.patch
new file mode 100644
index 00000000..8ade099f
--- /dev/null
+++ b/queue/net-x25-Fix-x25_neigh-refcnt-leak-when-x25-disconnec.patch
@@ -0,0 +1,43 @@
+From 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sat, 25 Apr 2020 21:06:25 +0800
+Subject: [PATCH] net/x25: Fix x25_neigh refcnt leak when x25 disconnect
+
+commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 upstream.
+
+x25_connect() invokes x25_get_neigh(), which returns a reference of the
+specified x25_neigh object to "x25->neighbour" with increased refcnt.
+
+When x25 connect success and returns, the reference still be hold by
+"x25->neighbour", so the refcount should be decreased in
+x25_disconnect() to keep refcount balanced.
+
+The reference counting issue happens in x25_disconnect(), which forgets
+to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
+causing a refcnt leak.
+
+Fix this issue by calling x25_neigh_put() before x25_disconnect()
+returns.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
+index 8aa415a38814..8b1b06cabcbf 100644
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,6 +357,10 @@ void x25_disconnect(struct sock *sk, int reason, unsigned char cause,
+ sk->sk_state_change(sk);
+ sock_set_flag(sk, SOCK_DEAD);
+ }
++ read_lock_bh(&x25_list_lock);
++ x25_neigh_put(x25->neighbour);
++ x25->neighbour = NULL;
++ read_unlock_bh(&x25_list_lock);
+ }
+
+ /*
+--
+2.27.0
+
diff --git a/queue/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch b/queue/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch
new file mode 100644
index 00000000..30ffab57
--- /dev/null
+++ b/queue/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch
@@ -0,0 +1,29 @@
+From 1e8fd3a97f2d83a7197876ceb4f37b4c2b00a0f3 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sat, 18 Jul 2020 00:31:49 -0500
+Subject: [PATCH] nfc: s3fwrn5: add missing release on skb in
+ s3fwrn5_recv_frame
+
+commit 1e8fd3a97f2d83a7197876ceb4f37b4c2b00a0f3 upstream.
+
+The implementation of s3fwrn5_recv_frame() is supposed to consume skb on
+all execution paths. Release skb before returning -ENODEV.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c
+index 91d4d5b28a7d..ba6c486d6465 100644
+--- a/drivers/nfc/s3fwrn5/core.c
++++ b/drivers/nfc/s3fwrn5/core.c
+@@ -198,6 +198,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb,
+ case S3FWRN5_MODE_FW:
+ return s3fwrn5_fw_recv_frame(ndev, skb);
+ default:
++ kfree_skb(skb);
+ return -ENODEV;
+ }
+ }
+--
+2.27.0
+
diff --git a/queue/nvme-tcp-fix-possible-hang-waiting-for-icresp-respon.patch b/queue/nvme-tcp-fix-possible-hang-waiting-for-icresp-respon.patch
new file mode 100644
index 00000000..d53a897a
--- /dev/null
+++ b/queue/nvme-tcp-fix-possible-hang-waiting-for-icresp-respon.patch
@@ -0,0 +1,32 @@
+From adc99fd378398f4c58798a1c57889872967d56a6 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Thu, 23 Jul 2020 16:42:26 -0700
+Subject: [PATCH] nvme-tcp: fix possible hang waiting for icresp response
+
+commit adc99fd378398f4c58798a1c57889872967d56a6 upstream.
+
+If the controller died exactly when we are receiving icresp
+we hang because icresp may never return. Make sure to set a
+high finite limit.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 79ef2b8e2b3c..f3a91818167b 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1382,6 +1382,9 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl,
+ if (nctrl->opts->tos >= 0)
+ ip_sock_set_tos(queue->sock->sk, nctrl->opts->tos);
+
++ /* Set 10 seconds timeout for icresp recvmsg */
++ queue->sock->sk->sk_rcvtimeo = 10 * HZ;
++
+ queue->sock->sk->sk_allocation = GFP_ATOMIC;
+ nvme_tcp_set_queue_io_cpu(queue);
+ queue->request = NULL;
+--
+2.27.0
+
diff --git a/queue/parisc-add-support-for-cmpxchg-on-u8-pointers.patch b/queue/parisc-add-support-for-cmpxchg-on-u8-pointers.patch
new file mode 100644
index 00000000..d72e1081
--- /dev/null
+++ b/queue/parisc-add-support-for-cmpxchg-on-u8-pointers.patch
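Review bot: `sk_rcvtimeo` is set on the socket in `nvme_tcp_alloc_queue` and nothing in the hunk restores it, so the 10-second receive timeout that the comment ties to the icresp exchange stays in force for the socket's lifetime; whether any later receive path blocks and is affected is not visible here and should be confirmed. The comment should say so, e.g. `/* Bound the blocking icresp receive; the timeout remains set on the socket afterwards. */`. The value is also a bare `10 * HZ` literal and would read better as a named constant next to the driver's other timeouts. The function starts and continues outside the hunk.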
@@ -0,0 +1,67 @@ +From b344d6a83d01c52fddbefa6b3b4764da5b1022a0 Mon Sep 17 00:00:00 2001 +From: Liam Beguin <liambeguin@gmail.com> +Date: Sat, 18 Jul 2020 16:10:21 -0400 +Subject: [PATCH] parisc: add support for cmpxchg on u8 pointers + +commit b344d6a83d01c52fddbefa6b3b4764da5b1022a0 upstream. + +The kernel test bot reported[1] that using set_mask_bits on a u8 causes +the following issue on parisc: + + hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe': + >> (.text+0x2f4): undefined reference to `__cmpxchg_called_with_bad_pointer' + >> hppa-linux-ld: (.text+0x324): undefined reference to `__cmpxchg_called_with_bad_pointer' + hppa-linux-ld: (.text+0x354): undefined reference to `__cmpxchg_called_with_bad_pointer' + +Add support for cmpxchg on u8 pointers. + +[1] https://lore.kernel.org/patchwork/patch/1272617/#1468946 + +Reported-by: kernel test robot <lkp@intel.com> +Signed-off-by: Liam Beguin <liambeguin@gmail.com> +Tested-by: Dave Anglin <dave.anglin@bell.net> +Signed-off-by: Helge Deller <deller@gmx.de> + +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index ab5c215cf46c..068958575871 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -60,6 +60,7 @@ extern void __cmpxchg_called_with_bad_pointer(void); + extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old, + unsigned int new_); + extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_); ++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_); + + /* don't worry...optimizer will get rid of most of this */ + static inline unsigned long +@@ -71,6 +72,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size) + #endif + case 4: return __cmpxchg_u32((unsigned int *)ptr, + (unsigned int)old, (unsigned int)new_); ++ case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_); + } + __cmpxchg_called_with_bad_pointer(); + return old; +diff --git 
a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c +index 70ffbcf889b8..2e4d1f05a926 100644 +--- a/arch/parisc/lib/bitops.c ++++ b/arch/parisc/lib/bitops.c +@@ -79,3 +79,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign + _atomic_spin_unlock_irqrestore(ptr, flags); + return (unsigned long)prev; + } ++ ++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new) ++{ ++ unsigned long flags; ++ u8 prev; ++ ++ _atomic_spin_lock_irqsave(ptr, flags); ++ if ((prev = *ptr) == old) ++ *ptr = new; ++ _atomic_spin_unlock_irqrestore(ptr, flags); ++ return prev; ++} +-- +2.27.0 + diff --git a/queue/perf-bench-Share-some-global-variables-to-fix-build-.patch b/queue/perf-bench-Share-some-global-variables-to-fix-build-.patch new file mode 100644 index 00000000..b30d4c2c --- /dev/null +++ b/queue/perf-bench-Share-some-global-variables-to-fix-build-.patch 
@@ -0,0 +1,232 @@ +From e4d9b04b973b2dbce7b42af95ea70d07da1c936d Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo <acme@redhat.com> +Date: Mon, 2 Mar 2020 12:09:38 -0300 +Subject: [PATCH] perf bench: Share some global variables to fix build with gcc + 10 + +commit e4d9b04b973b2dbce7b42af95ea70d07da1c936d upstream. + +Noticed with gcc 10 (fedora rawhide) that those variables were not being +declared as static, so end up with: + + ld: /tmp/build/perf/bench/epoll-wait.o:/git/perf/tools/perf/bench/epoll-wait.c:93: multiple definition of `end'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + ld: /tmp/build/perf/bench/epoll-wait.o:/git/perf/tools/perf/bench/epoll-wait.c:93: multiple definition of `start'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + ld: /tmp/build/perf/bench/epoll-wait.o:/git/perf/tools/perf/bench/epoll-wait.c:93: multiple definition of `runtime'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + ld: /tmp/build/perf/bench/epoll-ctl.o:/git/perf/tools/perf/bench/epoll-ctl.c:38: multiple definition of `end'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + ld: /tmp/build/perf/bench/epoll-ctl.o:/git/perf/tools/perf/bench/epoll-ctl.c:38: multiple definition of `start'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + ld: /tmp/build/perf/bench/epoll-ctl.o:/git/perf/tools/perf/bench/epoll-ctl.c:38: multiple definition of `runtime'; /tmp/build/perf/bench/futex-hash.o:/git/perf/tools/perf/bench/futex-hash.c:40: first defined here + make[4]: *** [/git/perf/tools/build/Makefile.build:145: /tmp/build/perf/bench/perf-in.o] Error 1 + +Prefix those with bench__ and add them to bench/bench.h, so that we can +share those on the tools needing to access those variables from signal +handlers. 
+ +Acked-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Adrian Hunter <adrian.hunter@intel.com> +Cc: Davidlohr Bueso <dave@stgolabs.net> +Cc: Jiri Olsa <jolsa@kernel.org> +Cc: Namhyung Kim <namhyung@kernel.org> +Link: http://lore.kernel.org/lkml/20200303155811.GD13702@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> + +diff --git a/tools/perf/bench/bench.h b/tools/perf/bench/bench.h +index fddb3ced9db6..4aa6de1aa67d 100644 +--- a/tools/perf/bench/bench.h ++++ b/tools/perf/bench/bench.h +@@ -2,6 +2,10 @@ + #ifndef BENCH_H + #define BENCH_H + ++#include <sys/time.h> ++ ++extern struct timeval bench__start, bench__end, bench__runtime; ++ + /* + * The madvise transparent hugepage constants were added in glibc + * 2.13. For compatibility with older versions of glibc, define these +diff --git a/tools/perf/bench/epoll-ctl.c b/tools/perf/bench/epoll-ctl.c +index bb617e568841..a7526c05df38 100644 +--- a/tools/perf/bench/epoll-ctl.c ++++ b/tools/perf/bench/epoll-ctl.c +@@ -35,7 +35,6 @@ + + static unsigned int nthreads = 0; + static unsigned int nsecs = 8; +-struct timeval start, end, runtime; + static bool done, __verbose, randomize; + + /* +@@ -94,8 +93,8 @@ static void toggle_done(int sig __maybe_unused, + { + /* inform all threads that we're done for the day */ + done = true; +- gettimeofday(&end, NULL); +- timersub(&end, &start, &runtime); ++ gettimeofday(&bench__end, NULL); ++ timersub(&bench__end, &bench__start, &bench__runtime); + } + + static void nest_epollfd(void) +@@ -361,7 +360,7 @@ int bench_epoll_ctl(int argc, const char **argv) + + threads_starting = nthreads; + +- gettimeofday(&start, NULL); ++ gettimeofday(&bench__start, NULL); + + do_threads(worker, cpu); + +diff --git a/tools/perf/bench/epoll-wait.c b/tools/perf/bench/epoll-wait.c +index 7af694437f4e..d1c5cb526b9f 100644 +--- a/tools/perf/bench/epoll-wait.c ++++ b/tools/perf/bench/epoll-wait.c +@@ -90,7 +90,6 @@ + + static unsigned int nthreads = 0; + static unsigned int nsecs = 8; 
+-struct timeval start, end, runtime; + static bool wdone, done, __verbose, randomize, nonblocking; + + /* +@@ -276,8 +275,8 @@ static void toggle_done(int sig __maybe_unused, + { + /* inform all threads that we're done for the day */ + done = true; +- gettimeofday(&end, NULL); +- timersub(&end, &start, &runtime); ++ gettimeofday(&bench__end, NULL); ++ timersub(&bench__end, &bench__start, &bench__runtime); + } + + static void print_summary(void) +@@ -287,7 +286,7 @@ static void print_summary(void) + + printf("\nAveraged %ld operations/sec (+- %.2f%%), total secs = %d\n", + avg, rel_stddev_stats(stddev, avg), +- (int) runtime.tv_sec); ++ (int)bench__runtime.tv_sec); + } + + static int do_threads(struct worker *worker, struct perf_cpu_map *cpu) +@@ -479,7 +478,7 @@ int bench_epoll_wait(int argc, const char **argv) + + threads_starting = nthreads; + +- gettimeofday(&start, NULL); ++ gettimeofday(&bench__start, NULL); + + do_threads(worker, cpu); + +@@ -519,7 +518,7 @@ int bench_epoll_wait(int argc, const char **argv) + qsort(worker, nthreads, sizeof(struct worker), cmpworker); + + for (i = 0; i < nthreads; i++) { +- unsigned long t = worker[i].ops/runtime.tv_sec; ++ unsigned long t = worker[i].ops / bench__runtime.tv_sec; + + update_stats(&throughput_stats, t); + +diff --git a/tools/perf/bench/futex-hash.c b/tools/perf/bench/futex-hash.c +index 8ba0c3330a9a..21776862e940 100644 +--- a/tools/perf/bench/futex-hash.c ++++ b/tools/perf/bench/futex-hash.c +@@ -37,7 +37,7 @@ static unsigned int nfutexes = 1024; + static bool fshared = false, done = false, silent = false; + static int futex_flag = 0; + +-struct timeval start, end, runtime; ++struct timeval bench__start, bench__end, bench__runtime; + static pthread_mutex_t thread_lock; + static unsigned int threads_starting; + static struct stats throughput_stats; +@@ -103,8 +103,8 @@ static void toggle_done(int sig __maybe_unused, + { + /* inform all threads that we're done for the day */ + done = true; +- gettimeofday(&end, 
NULL); +- timersub(&end, &start, &runtime); ++ gettimeofday(&bench__end, NULL); ++ timersub(&bench__end, &bench__start, &bench__runtime); + } + + static void print_summary(void) +@@ -114,7 +114,7 @@ static void print_summary(void) + + printf("%sAveraged %ld operations/sec (+- %.2f%%), total secs = %d\n", + !silent ? "\n" : "", avg, rel_stddev_stats(stddev, avg), +- (int) runtime.tv_sec); ++ (int)bench__runtime.tv_sec); + } + + int bench_futex_hash(int argc, const char **argv) +@@ -161,7 +161,7 @@ int bench_futex_hash(int argc, const char **argv) + + threads_starting = nthreads; + pthread_attr_init(&thread_attr); +- gettimeofday(&start, NULL); ++ gettimeofday(&bench__start, NULL); + for (i = 0; i < nthreads; i++) { + worker[i].tid = i; + worker[i].futex = calloc(nfutexes, sizeof(*worker[i].futex)); +@@ -204,7 +204,7 @@ int bench_futex_hash(int argc, const char **argv) + pthread_mutex_destroy(&thread_lock); + + for (i = 0; i < nthreads; i++) { +- unsigned long t = worker[i].ops/runtime.tv_sec; ++ unsigned long t = worker[i].ops / bench__runtime.tv_sec; + update_stats(&throughput_stats, t); + if (!silent) { + if (nfutexes == 1) +diff --git a/tools/perf/bench/futex-lock-pi.c b/tools/perf/bench/futex-lock-pi.c +index d0cae8125423..30d97121dc4f 100644 +--- a/tools/perf/bench/futex-lock-pi.c ++++ b/tools/perf/bench/futex-lock-pi.c +@@ -37,7 +37,6 @@ static bool silent = false, multi = false; + static bool done = false, fshared = false; + static unsigned int nthreads = 0; + static int futex_flag = 0; +-struct timeval start, end, runtime; + static pthread_mutex_t thread_lock; + static unsigned int threads_starting; + static struct stats throughput_stats; +@@ -64,7 +63,7 @@ static void print_summary(void) + + printf("%sAveraged %ld operations/sec (+- %.2f%%), total secs = %d\n", + !silent ? 
"\n" : "", avg, rel_stddev_stats(stddev, avg), +- (int) runtime.tv_sec); ++ (int)bench__runtime.tv_sec); + } + + static void toggle_done(int sig __maybe_unused, +@@ -73,8 +72,8 @@ static void toggle_done(int sig __maybe_unused, + { + /* inform all threads that we're done for the day */ + done = true; +- gettimeofday(&end, NULL); +- timersub(&end, &start, &runtime); ++ gettimeofday(&bench__end, NULL); ++ timersub(&bench__end, &bench__start, &bench__runtime); + } + + static void *workerfn(void *arg) +@@ -185,7 +184,7 @@ int bench_futex_lock_pi(int argc, const char **argv) + + threads_starting = nthreads; + pthread_attr_init(&thread_attr); +- gettimeofday(&start, NULL); ++ gettimeofday(&bench__start, NULL); + + create_threads(worker, thread_attr, cpu); + pthread_attr_destroy(&thread_attr); +@@ -211,7 +210,7 @@ int bench_futex_lock_pi(int argc, const char **argv) + pthread_mutex_destroy(&thread_lock); + + for (i = 0; i < nthreads; i++) { +- unsigned long t = worker[i].ops/runtime.tv_sec; ++ unsigned long t = worker[i].ops / bench__runtime.tv_sec; + + update_stats(&throughput_stats, t); + if (!silent) +-- +2.27.0 + diff --git a/queue/perf-env-Do-not-return-pointers-to-local-variables.patch b/queue/perf-env-Do-not-return-pointers-to-local-variables.patch new file mode 100644 index 00000000..fb631a08 --- /dev/null +++ b/queue/perf-env-Do-not-return-pointers-to-local-variables.patch 
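Review bot: The rewritten throughput lines `unsigned long t = worker[i].ops / bench__runtime.tv_sec;` in epoll-wait.c, futex-hash.c and futex-lock-pi.c divide by `tv_sec`, which is 0 when the run is stopped in under a second or when `toggle_done` never ran, giving an integer division by zero. Guard it, e.g. `unsigned long t = bench__runtime.tv_sec ? worker[i].ops / bench__runtime.tv_sec : 0;`. The three `bench__*` globals are also written from the `toggle_done` signal handler and read by the main thread without `volatile` or atomics, and their single definition now lives in futex-hash.c; a comment beside the `extern` declaration in bench.h stating both facts would help the next reader.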
@@ -0,0 +1,47 @@
+From ebcb9464a2ae3a547e97de476575c82ece0e93e2 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 2 Mar 2020 11:23:03 -0300
+Subject: [PATCH] perf env: Do not return pointers to local variables
+
+commit ebcb9464a2ae3a547e97de476575c82ece0e93e2 upstream.
+
+It is possible to return a pointer to a local variable when looking up
+the architecture name for the running system and no normalization is
+done on that value, i.e. we may end up returning the uts.machine local
+variable.
+
+While this doesn't happen on most arches, as normalization takes place,
+lets fix this by making that a static variable and optimize it a bit by
+not always running uname(), only the first time.
+
+Noticed in fedora rawhide running with:
+
+ [perfbuilder@a5ff49d6e6e4 ~]$ gcc --version
+ gcc (GCC) 10.0.1 20200216 (Red Hat 10.0.1-0.8)
+
+Reported-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index 6242a9215df7..4154f944f474 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -343,11 +343,11 @@ static const char *normalize_arch(char *arch)
+
+ const char *perf_env__arch(struct perf_env *env)
+ {
+- struct utsname uts;
+ char *arch_name;
+
+ if (!env || !env->arch) { /* Assume local operation */
+- if (uname(&uts) < 0)
++ static struct utsname uts = { .machine[0] = '\0', };
++ if (uts.machine[0] == '\0' && uname(&uts) < 0)
+ return NULL;
+ arch_name = uts.machine;
+ } else
+--
+2.27.0
+
diff --git a/queue/perf-tests-bp_account-Make-global-variable-static.patch b/queue/perf-tests-bp_account-Make-global-variable-static.patch
new file mode 100644
index 00000000..8d601661
--- /dev/null
+++ b/queue/perf-tests-bp_account-Make-global-variable-static.patch
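Review bot: The lazy fill of the function-static `uts` in perf_env__arch() (tools/perf/util/env.c) is unsynchronised, so every caller on the local-operation path now shares one buffer that a first call may still be writing while another reads `uts.machine`. Whether perf_env__arch() can be reached from more than one thread is not visible in this hunk. If it can, the uname() call should run once under a lock or pthread_once(). If it cannot, a comment on the declaration would record the assumption, for example `/* static: arch_name may point into uts and is returned to the caller; filled on first use, callers are single-threaded */`. The function body continues past the `} else` that ends the hunk.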
@@ -0,0 +1,39 @@
+From cff20b3151ccab690715cb6cf0f5da5cccb32adf Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 2 Mar 2020 11:13:19 -0300
+Subject: [PATCH] perf tests bp_account: Make global variable static
+
+commit cff20b3151ccab690715cb6cf0f5da5cccb32adf upstream.
+
+To fix the build with newer gccs, that without this patch exit with:
+
+ LD /tmp/build/perf/tests/perf-in.o
+ ld: /tmp/build/perf/tests/bp_account.o:/git/perf/tools/perf/tests/bp_account.c:22: multiple definition of `the_var'; /tmp/build/perf/tests/bp_signal.o:/git/perf/tools/perf/tests/bp_signal.c:38: first defined here
+ make[4]: *** [/git/perf/tools/build/Makefile.build:145: /tmp/build/perf/tests/perf-in.o] Error 1
+
+First noticed in fedora:rawhide/32 with:
+
+ [perfbuilder@a5ff49d6e6e4 ~]$ gcc --version
+ gcc (GCC) 10.0.1 20200216 (Red Hat 10.0.1-0.8)
+
+Reported-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c
+index d0b935356274..489b50604cf2 100644
+--- a/tools/perf/tests/bp_account.c
++++ b/tools/perf/tests/bp_account.c
+@@ -19,7 +19,7 @@
+ #include "../perf-sys.h"
+ #include "cloexec.h"
+
+-volatile long the_var;
++static volatile long the_var;
+
+ static noinline int test_function(void)
+ {
+--
+2.27.0
+
diff --git a/queue/perf-tools-Fix-record-failure-when-mixed-with-ARM-SP.patch b/queue/perf-tools-Fix-record-failure-when-mixed-with-ARM-SP.patch
new file mode 100644
index 00000000..db308ecd
--- /dev/null
+++ b/queue/perf-tools-Fix-record-failure-when-mixed-with-ARM-SP.patch
@@ -0,0 +1,88 @@ +From bd3c628f8fafa6cbd6a1ca440034b841f0080160 Mon Sep 17 00:00:00 2001 +From: Wei Li <liwei391@huawei.com> +Date: Fri, 24 Jul 2020 15:11:10 +0800 +Subject: [PATCH] perf tools: Fix record failure when mixed with ARM SPE event + +commit bd3c628f8fafa6cbd6a1ca440034b841f0080160 upstream. + +When recording with cache-misses and arm_spe_x event, I found that it +will just fail without showing any error info if i put cache-misses +after 'arm_spe_x' event. + + [root@localhost 0620]# perf record -e cache-misses \ + -e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.067 MB perf.data ] + [root@localhost 0620]# + [root@localhost 0620]# perf record -e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ \ + -e cache-misses sleep 1 + [root@localhost 0620]# + +The current code can only work if the only event to be traced is an +'arm_spe_x', or if it is the last event to be specified. Otherwise the +last event type will be checked against all the arm_spe_pmus[i]->types, +none will match and an out of bound 'i' index will be used in +arm_spe_recording_init(). + +We don't support concurrent multiple arm_spe_x events currently, that +is checked in arm_spe_recording_options(), and it will show the relevant +info. So add the check and record of the first found 'arm_spe_pmu' to +fix this issue here. 
+ +Fixes: ffd3d18c20b8 ("perf tools: Add ARM Statistical Profiling Extensions (SPE) support") +Signed-off-by: Wei Li <liwei391@huawei.com> +Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> +Tested-by-by: Leo Yan <leo.yan@linaro.org> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Hanjun Guo <guohanjun@huawei.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Kim Phillips <kim.phillips@arm.com> +Cc: Mark Rutland <mark.rutland@arm.com> +Cc: Mike Leach <mike.leach@linaro.org> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Suzuki Poulouse <suzuki.poulose@arm.com> +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lore.kernel.org/lkml/20200724071111.35593-2-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> + +diff --git a/tools/perf/arch/arm/util/auxtrace.c b/tools/perf/arch/arm/util/auxtrace.c +index 0a6e75b8777a..28a5d0c18b1d 100644 +--- a/tools/perf/arch/arm/util/auxtrace.c ++++ b/tools/perf/arch/arm/util/auxtrace.c +@@ -56,7 +56,7 @@ struct auxtrace_record + struct perf_pmu *cs_etm_pmu; + struct evsel *evsel; + bool found_etm = false; +- bool found_spe = false; ++ struct perf_pmu *found_spe = NULL; + static struct perf_pmu **arm_spe_pmus = NULL; + static int nr_spes = 0; + int i = 0; +@@ -74,12 +74,12 @@ struct auxtrace_record + evsel->core.attr.type == cs_etm_pmu->type) + found_etm = true; + +- if (!nr_spes) ++ if (!nr_spes || found_spe) + continue; + + for (i = 0; i < nr_spes; i++) { + if (evsel->core.attr.type == arm_spe_pmus[i]->type) { +- found_spe = true; ++ found_spe = arm_spe_pmus[i]; + break; + } + } +@@ -96,7 +96,7 @@ struct auxtrace_record + + #if defined(__aarch64__) + if (found_spe) +- return arm_spe_recording_init(err, arm_spe_pmus[i]); ++ return arm_spe_recording_init(err, found_spe); + #endif + + /* +-- +2.27.0 + 
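Review bot: `found_spe` in tools/perf/arch/arm/util/auxtrace.c changes from a flag to the matching `struct perf_pmu *` but keeps its boolean-style name. Nothing at `if (!nr_spes || found_spe) continue;` says that only the first arm_spe event is remembered and later ones are skipped on purpose. A rename such as `arm_spe_pmu` would help, as would a comment above that check like `/* keep the first SPE PMU only; per the commit message, multiple SPE events are rejected in arm_spe_recording_options() */`. Either makes it less likely that a later edit brings back the `arm_spe_pmus[i]` lookup with a stale `i` that this patch removes. The function starts and ends outside the three hunks shown.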
diff --git a/queue/qed-Disable-MFW-indication-via-attention-SPAM-every-.patch b/queue/qed-Disable-MFW-indication-via-attention-SPAM-every-.patch new file mode 100644 index 00000000..1dcbfec5 --- /dev/null +++ b/queue/qed-Disable-MFW-indication-via-attention-SPAM-every-.patch @@ -0,0 +1,33 @@ +From 1d61e21852d3161f234b9656797669fe185c251b Mon Sep 17 00:00:00 2001 +From: Laurence Oberman <loberman@redhat.com> +Date: Tue, 14 Jul 2020 18:08:05 -0400 +Subject: [PATCH] qed: Disable "MFW indication via attention" SPAM every 5 + minutes + +commit 1d61e21852d3161f234b9656797669fe185c251b upstream. + +This is likely firmware causing this but its starting to annoy customers. +Change the message level to verbose to prevent the spam. +Note that this seems to only show up with ISCSI enabled on the HBA via the +qedi driver. + +Signed-off-by: Laurence Oberman <loberman@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index b7b974f0ef21..7e13a9d9b89c 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -1193,7 +1193,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn) + index, attn_bits, attn_acks, asserted_bits, + deasserted_bits, p_sb_attn_sw->known_attn); + } else if (asserted_bits == 0x100) { +- DP_INFO(p_hwfn, "MFW indication via attention\n"); ++ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, ++ "MFW indication via attention\n"); + } else { + DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, + "MFW indication [deassertion]\n"); +-- +2.27.0 + diff --git a/queue/rds-Prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue/rds-Prevent-kernel-infoleak-in-rds_notify_queue_get.patch new file mode 100644 index 00000000..08338920 --- /dev/null +++ b/queue/rds-Prevent-kernel-infoleak-in-rds_notify_queue_get.patch 
@@ -0,0 +1,45 @@
+From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Thu, 30 Jul 2020 15:20:26 -0400
+Subject: [PATCH] rds: Prevent kernel-infoleak in rds_notify_queue_get()
+
+commit bbc8a99e952226c585ac17477a85ef1194501762 upstream.
+
+rds_notify_queue_get() is potentially copying uninitialized kernel stack
+memory to userspace since the compiler may leave a 4-byte hole at the end
+of `cmsg`.
+
+In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
+unfortunately does not always initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: f037590fff30 ("rds: fix a leak of kernel memory")
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index c8404971d5ab..aba4afe4dfed 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -450,12 +450,13 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc,
+ int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr)
+ {
+ struct rds_notifier *notifier;
+- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */
++ struct rds_rdma_notify cmsg;
+ unsigned int count = 0, max_messages = ~0U;
+ unsigned long flags;
+ LIST_HEAD(copy);
+ int err = 0;
+
++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */
+
+ /* put_cmsg copies to user space and thus may sleep. We can't do this
+ * with rs_lock held, so first grab as many notifications as we can stuff
+--
+2.27.0
+
diff --git a/queue/rhashtable-Fix-unprotected-RCU-dereference-in-__rht_.patch b/queue/rhashtable-Fix-unprotected-RCU-dereference-in-__rht_.patch
new file mode 100644
index 00000000..b5cd036b
--- /dev/null
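Review bot: The comment on the new `memset(&cmsg, 0, sizeof(cmsg));` in rds_notify_queue_get() is still only `/* fill holes with zero */`, the same text that sat on the `= { 0 }` initializer this patch removes. It therefore does not tell a later reader why the initializer form must not come back. I would expand it to `/* memset, not "= { 0 }": an initializer need not clear padding, and cmsg is copied to user space via put_cmsg() */`. The function body continues beyond the hunk, so the place where cmsg is filled and copied out is not visible here.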
+++ b/queue/rhashtable-Fix-unprotected-RCU-dereference-in-__rht_.patch 
@@ -0,0 +1,80 @@ +From 1748f6a2cbc4694523f16da1c892b59861045b9d Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Fri, 24 Jul 2020 20:12:53 +1000 +Subject: [PATCH] rhashtable: Fix unprotected RCU dereference in __rht_ptr + +commit 1748f6a2cbc4694523f16da1c892b59861045b9d upstream. + +The rcu_dereference call in rht_ptr_rcu is completely bogus because +we've already dereferenced the value in __rht_ptr and operated on it. +This causes potential double readings which could be fatal. The RCU +dereference must occur prior to the comparison in __rht_ptr. + +This patch changes the order of RCU dereference so that it is done +first and the result is then fed to __rht_ptr. The RCU marking +changes have been minimised using casts which will be removed in +a follow-up patch. + +Fixes: ba6306e3f648 ("rhashtable: Remove RCU marking from...") +Reported-by: "Gong, Sishuai" <sishuai@purdue.edu> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h +index d3432ee65de7..b8feb5da7c5a 100644 +--- a/include/linux/rhashtable.h ++++ b/include/linux/rhashtable.h +@@ -349,11 +349,11 @@ static inline void rht_unlock(struct bucket_table *tbl, + local_bh_enable(); + } + +-static inline struct rhash_head __rcu *__rht_ptr( +- struct rhash_lock_head *const *bkt) ++static inline struct rhash_head *__rht_ptr( ++ struct rhash_lock_head *p, struct rhash_lock_head __rcu *const *bkt) + { +- return (struct rhash_head __rcu *) +- ((unsigned long)*bkt & ~BIT(0) ?: ++ return (struct rhash_head *) ++ ((unsigned long)p & ~BIT(0) ?: + (unsigned long)RHT_NULLS_MARKER(bkt)); + } + +@@ -365,25 +365,26 @@ static inline struct rhash_head __rcu *__rht_ptr( + * access is guaranteed, such as when destroying the table. 
+ */ + static inline struct rhash_head *rht_ptr_rcu( +- struct rhash_lock_head *const *bkt) ++ struct rhash_lock_head *const *p) + { +- struct rhash_head __rcu *p = __rht_ptr(bkt); +- +- return rcu_dereference(p); ++ struct rhash_lock_head __rcu *const *bkt = (void *)p; ++ return __rht_ptr(rcu_dereference(*bkt), bkt); + } + + static inline struct rhash_head *rht_ptr( +- struct rhash_lock_head *const *bkt, ++ struct rhash_lock_head *const *p, + struct bucket_table *tbl, + unsigned int hash) + { +- return rht_dereference_bucket(__rht_ptr(bkt), tbl, hash); ++ struct rhash_lock_head __rcu *const *bkt = (void *)p; ++ return __rht_ptr(rht_dereference_bucket(*bkt, tbl, hash), bkt); + } + + static inline struct rhash_head *rht_ptr_exclusive( +- struct rhash_lock_head *const *bkt) ++ struct rhash_lock_head *const *p) + { +- return rcu_dereference_protected(__rht_ptr(bkt), 1); ++ struct rhash_lock_head __rcu *const *bkt = (void *)p; ++ return __rht_ptr(rcu_dereference_protected(*bkt, 1), bkt); + } + + static inline void rht_assign_locked(struct rhash_lock_head **bkt, +-- +2.27.0 + diff --git a/queue/scsi-core-Run-queue-in-case-of-I-O-resource-contenti.patch b/queue/scsi-core-Run-queue-in-case-of-I-O-resource-contenti.patch new file mode 100644 index 00000000..eba866b2 --- /dev/null +++ b/queue/scsi-core-Run-queue-in-case-of-I-O-resource-contenti.patch 
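Review bot: `__rht_ptr()` in include/linux/rhashtable.h now takes two pointers of closely related type with nothing at the definition to tell them apart. `p` must be the bucket value the caller already loaded through the right RCU accessor, while `bkt` is used only to build the nulls marker. The commit message attributes the bug to a second read of the bucket, so the helper deserves a comment such as `/* p: *bkt as already read by the caller via rcu_dereference*(); bkt is used only for RHT_NULLS_MARKER() and must not be dereferenced here */`. The `(void *)p` casts in rht_ptr_rcu(), rht_ptr() and rht_ptr_exclusive() discard the pointer type, presumably to satisfy sparse's `__rcu` checking. The commit message promises a follow-up that removes them, and a short TODO at the first cast would keep that visible in the header.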
@@ -0,0 +1,99 @@ +From 3f0dcfbcd2e162fc0a11c1f59b7acd42ee45f126 Mon Sep 17 00:00:00 2001 +From: Ming Lei <ming.lei@redhat.com> +Date: Mon, 20 Jul 2020 10:54:35 +0800 +Subject: [PATCH] scsi: core: Run queue in case of I/O resource contention + failure + +commit 3f0dcfbcd2e162fc0a11c1f59b7acd42ee45f126 upstream. + +I/O requests may be held in scheduler queue because of resource contention. +The starvation scenario was handled properly in the regular completion +path but we failed to account for it during I/O submission. This lead to +the hang captured below. Make sure we run the queue when resource +contention is encountered in the submission path. + +[ 39.054963] scsi 13:0:0:0: rejecting I/O to dead device +[ 39.058700] scsi 13:0:0:0: rejecting I/O to dead device +[ 39.087855] sd 13:0:0:1: [sdd] Synchronizing SCSI cache +[ 39.088909] scsi 13:0:0:1: rejecting I/O to dead device +[ 39.095351] scsi 13:0:0:1: rejecting I/O to dead device +[ 39.096962] scsi 13:0:0:1: rejecting I/O to dead device +[ 247.021859] INFO: task scsi-stress-rem:813 blocked for more than 122 seconds. +[ 247.023258] Not tainted 5.8.0-rc2 #8 +[ 247.024069] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 247.025331] scsi-stress-rem D 0 813 802 0x00004000 +[ 247.025334] Call Trace: +[ 247.025354] __schedule+0x504/0x55f +[ 247.027987] schedule+0x72/0xa8 +[ 247.027991] blk_mq_freeze_queue_wait+0x63/0x8c +[ 247.027994] ? do_wait_intr_irq+0x7a/0x7a +[ 247.027996] blk_cleanup_queue+0x4b/0xc9 +[ 247.028000] __scsi_remove_device+0xf6/0x14e +[ 247.028002] scsi_remove_device+0x21/0x2b +[ 247.029037] sdev_store_delete+0x58/0x7c +[ 247.029041] kernfs_fop_write+0x10d/0x14f +[ 247.031281] vfs_write+0xa2/0xdf +[ 247.032670] ksys_write+0x6b/0xb3 +[ 247.032673] do_syscall_64+0x56/0x82 +[ 247.034053] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 247.034059] RIP: 0033:0x7f69f39e9008 +[ 247.036330] Code: Bad RIP value. 
+[ 247.036331] RSP: 002b:00007ffdd8116498 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 247.037613] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f69f39e9008 +[ 247.039714] RDX: 0000000000000002 RSI: 000055cde92a0ab0 RDI: 0000000000000001 +[ 247.039715] RBP: 000055cde92a0ab0 R08: 000000000000000a R09: 00007f69f3a79e80 +[ 247.039716] R10: 000000000000000a R11: 0000000000000246 R12: 00007f69f3abb780 +[ 247.039717] R13: 0000000000000002 R14: 00007f69f3ab6740 R15: 0000000000000002 + +Link: https://lore.kernel.org/r/20200720025435.812030-1-ming.lei@redhat.com +Cc: linux-block@vger.kernel.org +Cc: Christoph Hellwig <hch@lst.de> +Reviewed-by: Bart Van Assche <bvanassche@acm.org> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Ming Lei <ming.lei@redhat.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 0ba7a65e7c8d..06056e9ec333 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -547,6 +547,15 @@ static void scsi_mq_uninit_cmd(struct scsi_cmnd *cmd) + scsi_uninit_cmd(cmd); + } + ++static void scsi_run_queue_async(struct scsi_device *sdev) ++{ ++ if (scsi_target(sdev)->single_lun || ++ !list_empty(&sdev->host->starved_list)) ++ kblockd_schedule_work(&sdev->requeue_work); ++ else ++ blk_mq_run_hw_queues(sdev->request_queue, true); ++} ++ + /* Returns false when no more bytes to process, true if there are more */ + static bool scsi_end_request(struct request *req, blk_status_t error, + unsigned int bytes) +@@ -591,11 +600,7 @@ static bool scsi_end_request(struct request *req, blk_status_t error, + + __blk_mq_end_request(req, error); + +- if (scsi_target(sdev)->single_lun || +- !list_empty(&sdev->host->starved_list)) +- kblockd_schedule_work(&sdev->requeue_work); +- else +- blk_mq_run_hw_queues(q, true); ++ scsi_run_queue_async(sdev); + + percpu_ref_put(&q->q_usage_counter); + return false; +@@ -1702,6 +1707,7 @@ static blk_status_t 
scsi_queue_rq(struct blk_mq_hw_ctx *hctx, + */ + if (req->rq_flags & RQF_DONTPREP) + scsi_mq_uninit_cmd(cmd); ++ scsi_run_queue_async(sdev); + break; + } + return ret; +-- +2.27.0 + diff --git a/queue/selftests-fib_nexthop_multiprefix-fix-cleanup-netns-.patch b/queue/selftests-fib_nexthop_multiprefix-fix-cleanup-netns-.patch new file mode 100644 index 00000000..473abe28 --- /dev/null +++ b/queue/selftests-fib_nexthop_multiprefix-fix-cleanup-netns-.patch 
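Review bot: The new helper scsi_run_queue_async() in drivers/scsi/scsi_lib.c has no comment. At its second call site in scsi_queue_rq() it sits directly under the unbraced `if (req->rq_flags & RQF_DONTPREP)`, where it is easy to misread as part of that condition. A comment at the call would make the intent explicit, for example `/* unconditional: requests may be held in the scheduler queue because of resource contention, so kick the queue on this failure path too */`. A one-line purpose comment above the helper would also help. The switch case that contains the call starts outside the hunk.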
@@ -0,0 +1,61 @@ +From 651149f60376758a4759f761767965040f9e4464 Mon Sep 17 00:00:00 2001 +From: Paolo Pisati <paolo.pisati@canonical.com> +Date: Tue, 14 Jul 2020 17:40:55 +0200 +Subject: [PATCH] selftests: fib_nexthop_multiprefix: fix cleanup() netns + deletion + +commit 651149f60376758a4759f761767965040f9e4464 upstream. + +During setup(): +... + for ns in h0 r1 h1 h2 h3 + do + create_ns ${ns} + done +... + +while in cleanup(): +... + for n in h1 r1 h2 h3 h4 + do + ip netns del ${n} 2>/dev/null + done +... + +and after removing the stderr redirection in cleanup(): + +$ sudo ./fib_nexthop_multiprefix.sh +... +TEST: IPv4: host 0 to host 3, mtu 1400 [ OK ] +TEST: IPv6: host 0 to host 3, mtu 1400 [ OK ] +Cannot remove namespace file "/run/netns/h4": No such file or directory +$ echo $? +1 + +and a non-zero return code, make kselftests fail (even if the test +itself is fine): + +... +not ok 34 selftests: net: fib_nexthop_multiprefix.sh # exit=1 +... + +Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> +Reviewed-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh +index 9dc35a16e415..51df5e305855 100755 +--- a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh ++++ b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh +@@ -144,7 +144,7 @@ setup() + + cleanup() + { +- for n in h1 r1 h2 h3 h4 ++ for n in h0 r1 h1 h2 h3 + do + ip netns del ${n} 2>/dev/null + done +-- +2.27.0 + diff --git a/queue/selftests-net-ip_defrag-modprobe-missing-nf_defrag_i.patch b/queue/selftests-net-ip_defrag-modprobe-missing-nf_defrag_i.patch new file mode 100644 index 00000000..588110f0 --- /dev/null +++ b/queue/selftests-net-ip_defrag-modprobe-missing-nf_defrag_i.patch 
@@ -0,0 +1,55 @@ +From aba69d49fb49c9166596dd78926514173b7f9ab5 Mon Sep 17 00:00:00 2001 +From: Paolo Pisati <paolo.pisati@canonical.com> +Date: Thu, 16 Jul 2020 17:51:14 +0200 +Subject: [PATCH] selftests: net: ip_defrag: modprobe missing nf_defrag_ipv6 + support + +commit aba69d49fb49c9166596dd78926514173b7f9ab5 upstream. + +Fix ip_defrag.sh when CONFIG_NF_DEFRAG_IPV6=m: + +$ sudo ./ip_defrag.sh ++ set -e ++ mktemp -u XXXXXX ++ readonly NETNS=ns-rGlXcw ++ trap cleanup EXIT ++ setup ++ ip netns add ns-rGlXcw ++ ip -netns ns-rGlXcw link set lo up ++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_high_thresh=9000000 ++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_low_thresh=7000000 ++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_time=1 ++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_high_thresh=9000000 ++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_low_thresh=7000000 ++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_time=1 ++ ip netns exec ns-rGlXcw sysctl -w net.netfilter.nf_conntrack_frag6_high_thresh=9000000 ++ cleanup ++ ip netns del ns-rGlXcw + +$ ls -la /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh +ls: cannot access '/proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh': No such file or directory + +$ sudo modprobe nf_defrag_ipv6 +$ ls -la /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh +-rw-r--r-- 1 root root 0 Jul 14 12:34 /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh + +Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> +Reviewed-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/tools/testing/selftests/net/ip_defrag.sh b/tools/testing/selftests/net/ip_defrag.sh +index 15d3489ecd9c..ceb7ad4dbd94 100755 +--- a/tools/testing/selftests/net/ip_defrag.sh ++++ b/tools/testing/selftests/net/ip_defrag.sh +@@ -6,6 +6,8 @@ + set +x + set -e + ++modprobe -q nf_defrag_ipv6 ++ + readonly NETNS="ns-$(mktemp -u XXXXXX)" + + setup() { +-- +2.27.0 + 
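Review bot: `modprobe -q nf_defrag_ipv6` in ip_defrag.sh is added after `set -e`, so if the module cannot be loaded the script stops at that line, and `-q` means it stops without printing anything. If a kernel without this module should be reported as a skip rather than an unexplained failure, make the outcome explicit: `modprobe -q nf_defrag_ipv6 || { echo "SKIP: nf_defrag_ipv6 not available"; exit 4; }`. How modprobe reports a built-in nf_defrag_ipv6 is worth confirming on the target systems before choosing between a skip and `|| true`.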
diff --git a/queue/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch b/queue/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch new file mode 100644 index 00000000..d3b721ee --- /dev/null +++ b/queue/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch @@ -0,0 +1,37 @@ +From 64f9ede2274980076423583683d44480909b7a40 Mon Sep 17 00:00:00 2001 +From: Tanner Love <tannerlove@google.com> +Date: Mon, 27 Jul 2020 12:25:29 -0400 +Subject: [PATCH] selftests/net: psock_fanout: fix clang issues for target arch + PowerPC + +commit 64f9ede2274980076423583683d44480909b7a40 upstream. + +Clang 9 threw: +warning: format specifies type 'unsigned short' but the argument has \ +type 'int' [-Wformat] + typeflags, PORT_BASE, PORT_BASE + port_off); + +Tested: make -C tools/testing/selftests TARGETS="net" run_tests + +Fixes: 77f65ebdca50 ("packet: packet fanout rollover during socket overload") +Signed-off-by: Tanner Love <tannerlove@google.com> +Acked-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/tools/testing/selftests/net/psock_fanout.c b/tools/testing/selftests/net/psock_fanout.c +index 8c8c7d79c38d..2c522f7a0aec 100644 +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -350,7 +350,8 @@ static int test_datapath(uint16_t typeflags, int port_off, + int fds[2], fds_udp[2][2], ret; + + fprintf(stderr, "\ntest: datapath 0x%hx ports %hu,%hu\n", +- typeflags, PORT_BASE, PORT_BASE + port_off); ++ typeflags, (uint16_t)PORT_BASE, ++ (uint16_t)(PORT_BASE + port_off)); + + fds[0] = sock_fanout_open(typeflags, 0); + fds[1] = sock_fanout_open(typeflags, 0); +-- +2.27.0 + diff --git a/queue/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch b/queue/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch new file mode 100644 index 00000000..10ec832a --- /dev/null +++ b/queue/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch 
@@ -0,0 +1,38 @@ +From 955cbe91bcf782c09afe369c95a20f0a4b6dcc3c Mon Sep 17 00:00:00 2001 +From: Tanner Love <tannerlove@google.com> +Date: Mon, 27 Jul 2020 12:25:28 -0400 +Subject: [PATCH] selftests/net: rxtimestamp: fix clang issues for target arch + PowerPC + +commit 955cbe91bcf782c09afe369c95a20f0a4b6dcc3c upstream. + +The signedness of char is implementation-dependent. Some systems +(including PowerPC and ARM) use unsigned char. Clang 9 threw: +warning: result of comparison of constant -1 with expression of type \ +'char' is always true [-Wtautological-constant-out-of-range-compare] + &arg_index)) != -1) { + +Tested: make -C tools/testing/selftests TARGETS="net" run_tests + +Fixes: 16e781224198 ("selftests/net: Add a test to validate behavior of rx timestamps") +Signed-off-by: Tanner Love <tannerlove@google.com> +Acked-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/tools/testing/selftests/net/rxtimestamp.c b/tools/testing/selftests/net/rxtimestamp.c +index 422e7761254d..bcb79ba1f214 100644 +--- a/tools/testing/selftests/net/rxtimestamp.c ++++ b/tools/testing/selftests/net/rxtimestamp.c +@@ -329,8 +329,7 @@ int main(int argc, char **argv) + bool all_tests = true; + int arg_index = 0; + int failures = 0; +- int s, t; +- char opt; ++ int s, t, opt; + + while ((opt = getopt_long(argc, argv, "", long_options, + &arg_index)) != -1) { +-- +2.27.0 + diff --git a/queue/selftests-net-so_txtime-fix-clang-issues-for-target-.patch b/queue/selftests-net-so_txtime-fix-clang-issues-for-target-.patch new file mode 100644 index 00000000..7d5c9607 --- /dev/null +++ b/queue/selftests-net-so_txtime-fix-clang-issues-for-target-.patch 
@@ -0,0 +1,37 @@ +From b4da96ffd30bd4a305045ba5c9b0de5d4aa20dc7 Mon Sep 17 00:00:00 2001 +From: Tanner Love <tannerlove@google.com> +Date: Mon, 27 Jul 2020 12:25:30 -0400 +Subject: [PATCH] selftests/net: so_txtime: fix clang issues for target arch + PowerPC + +commit b4da96ffd30bd4a305045ba5c9b0de5d4aa20dc7 upstream. + +On powerpcle, int64_t maps to long long. Clang 9 threw: +warning: absolute value function 'labs' given an argument of type \ +'long long' but has parameter of type 'long' which may cause \ +truncation of value [-Wabsolute-value] + if (labs(tstop - texpect) > cfg_variance_us) + +Tested: make -C tools/testing/selftests TARGETS="net" run_tests + +Fixes: af5136f95045 ("selftests/net: SO_TXTIME with ETF and FQ") +Signed-off-by: Tanner Love <tannerlove@google.com> +Acked-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/tools/testing/selftests/net/so_txtime.c b/tools/testing/selftests/net/so_txtime.c +index ceaad78e9667..3155fbbf644b 100644 +--- a/tools/testing/selftests/net/so_txtime.c ++++ b/tools/testing/selftests/net/so_txtime.c +@@ -121,7 +121,7 @@ static bool do_recv_one(int fdr, struct timed_send *ts) + if (rbuf[0] != ts->data) + error(1, 0, "payload mismatch. expected %c", ts->data); + +- if (labs(tstop - texpect) > cfg_variance_us) ++ if (llabs(tstop - texpect) > cfg_variance_us) + error(1, 0, "exceeds variance (%d us)", cfg_variance_us); + + return false; +-- +2.27.0 + diff --git a/queue/series b/queue/series new file mode 100644 index 00000000..217bbd62 --- /dev/null +++ b/queue/series 
@@ -0,0 +1,86 @@ +crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch +media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch +sunrpc-check-that-domain-table-is-empty-at-module-un.patch +ath10k-enable-transmit-data-ack-RSSI-for-QCA9884.patch +PCI-ASPM-Disable-ASPM-on-ASMedia-ASM1083-1085-PCIe-t.patch +mm-filemap.c-don-t-bother-dropping-mmap_sem-for-zero.patch +ALSA-usb-audio-Add-implicit-feedback-quirk-for-SSL2.patch +ALSA-hda-realtek-enable-headset-mic-of-ASUS-ROG-Zeph.patch +ALSA-hda-realtek-typo_fix-enable-headset-mic-of-ASUS.patch +ALSA-hda-realtek-Fix-add-a-ultra_low_power-function-.patch +ALSA-hda-realtek-Fixed-HP-right-speaker-no-sound.patch +ALSA-hda-hdmi-Fix-keep_power-assignment-for-non-comp.patch +IB-rdmavt-Fix-RQ-counting-issues-causing-use-of-an-i.patch +vhost-scsi-fix-up-req-type-endian-ness.patch +9p-trans_fd-Fix-concurrency-del-of-req_list-in-p9_fd.patch +wireless-Use-offsetof-instead-of-custom-macro.patch +ARM-8986-1-hw_breakpoint-Don-t-invoke-overflow-handl.patch +ARM-dts-imx6sx-sabreauto-Fix-the-phy-mode-on-fec2.patch +ARM-dts-imx6sx-sdb-Fix-the-phy-mode-on-fec2.patch +ARM-dts-imx6qdl-icore-Fix-OTG_ID-pin-and-sdcard-dete.patch +virtio_balloon-fix-up-endian-ness-for-free-cmd-id.patch +Revert-drm-amdgpu-Fix-NULL-dereference-in-dpm-sysfs-.patch +drm-amd-display-Clear-dm_state-for-fast-updates.patch +drm-amdgpu-Prevent-kernel-infoleak-in-amdgpu_info_io.patch +drm-dbi-Fix-SPI-Type-1-9-bit-transfer.patch +drm-hold-gem-reference-until-object-is-no-longer-acc.patch +rds-Prevent-kernel-infoleak-in-rds_notify_queue_get.patch +libtraceevent-Fix-build-with-binutils-2.35.patch +net-x25-Fix-x25_neigh-refcnt-leak-when-x25-disconnec.patch +net-x25-Fix-null-ptr-deref-in-x25_disconnect.patch +xfrm-policy-match-with-both-mark-and-mask-on-user-in.patch +ARM-dts-sunxi-Relax-a-bit-the-CMA-pool-allocation-ra.patch +xfrm-Fix-crash-when-the-hold-queue-is-used.patch +ARM-dts-armada-38x-fix-NETA-lockup-when-repeatedly-s.patch 
+nvme-tcp-fix-possible-hang-waiting-for-icresp-respon.patch +selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch +selftests-net-psock_fanout-fix-clang-issues-for-targ.patch +selftests-net-so_txtime-fix-clang-issues-for-target-.patch +sh-tlb-Fix-PGTABLE_LEVELS-2.patch +sh-Fix-validation-of-system-call-number.patch +net-hns3-fix-a-TX-timeout-issue.patch +net-hns3-fix-aRFS-FD-rules-leftover-after-add-a-user.patch +net-mlx5-E-switch-Destroy-TSAR-when-fail-to-enable-t.patch +net-mlx5e-Fix-error-path-of-device-attach.patch +net-mlx5-Verify-Hardware-supports-requested-ptp-func.patch +net-mlx5e-Modify-uplink-state-on-interface-up-down.patch +net-mlx5e-Fix-kernel-crash-when-setting-vf-VLANID-on.patch +net-lan78xx-add-missing-endpoint-sanity-check.patch +net-lan78xx-fix-transfer-buffer-memory-leak.patch +rhashtable-Fix-unprotected-RCU-dereference-in-__rht_.patch +mlx4-disable-device-on-shutdown.patch +mlxsw-core-Increase-scope-of-RCU-read-side-critical-.patch +mlxsw-core-Free-EMAD-transactions-using-kfree_rcu.patch +ibmvnic-Fix-IRQ-mapping-disposal-in-error-path.patch +bpf-Fix-map-leak-in-HASH_OF_MAPS-map.patch +mac80211-mesh-Free-ie-data-when-leaving-mesh.patch +mac80211-mesh-Free-pending-skb-when-destroying-a-mpa.patch +arm64-alternatives-move-length-validation-inside-the.patch +arm64-csum-Fix-handling-of-bad-packets.patch +Bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch +net-nixge-fix-potential-memory-leak-in-nixge_probe.patch +net-gemini-Fix-missing-clk_disable_unprepare-in-erro.patch +net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch +perf-tools-Fix-record-failure-when-mixed-with-ARM-SP.patch +vxlan-fix-memleak-of-fdb.patch +usb-hso-Fix-debug-compile-warning-on-sparc32.patch +selftests-fib_nexthop_multiprefix-fix-cleanup-netns-.patch +qed-Disable-MFW-indication-via-attention-SPAM-every-.patch +selftests-net-ip_defrag-modprobe-missing-nf_defrag_i.patch +nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch 
+scsi-core-Run-queue-in-case-of-I-O-resource-contenti.patch +parisc-add-support-for-cmpxchg-on-u8-pointers.patch +net-ethernet-ravb-exit-if-re-initialization-fails-in.patch +Revert-i2c-cadence-Fix-the-hold-bit-setting.patch +x86-unwind-orc-Fix-ORC-for-newly-forked-tasks.patch +x86-stacktrace-Fix-reliable-check-for-empty-user-tas.patch +cxgb4-add-missing-release-on-skb-in-uld_send.patch +xen-netfront-fix-potential-deadlock-in-xennet_remove.patch +RISC-V-Set-maximum-number-of-mapped-pages-correctly.patch +drivers-net-wan-lapb-Corrected-the-usage-of-skb_cow.patch +KVM-arm64-Don-t-inherit-exec-permission-across-page-.patch +KVM-LAPIC-Prevent-setting-the-tscdeadline-timer-if-t.patch +x86-i8259-Use-printk_deferred-to-prevent-deadlock.patch +perf-tests-bp_account-Make-global-variable-static.patch +perf-env-Do-not-return-pointers-to-local-variables.patch +perf-bench-Share-some-global-variables-to-fix-build-.patch diff --git a/queue/sh-Fix-validation-of-system-call-number.patch b/queue/sh-Fix-validation-of-system-call-number.patch new file mode 100644 index 00000000..7ccd290a --- /dev/null +++ b/queue/sh-Fix-validation-of-system-call-number.patch 
@@ -0,0 +1,51 @@ +From 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 Mon Sep 17 00:00:00 2001 +From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de> +Date: Thu, 23 Jul 2020 01:13:19 +0200 +Subject: [PATCH] sh: Fix validation of system call number + +commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 upstream. + +The slow path for traced system call entries accessed a wrong memory +location to get the number of the maximum allowed system call number. +Renumber the numbered "local" label for the correct location to avoid +collisions with actual local labels. + +Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de> +Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> +Fixes: f3a8308864f920d2 ("sh: Add a few missing irqflags tracing markers.") +Signed-off-by: Rich Felker <dalias@libc.org> + +diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S +index 956a7a03b0c8..9bac5bbb67f3 100644 +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -199,7 +199,7 @@ syscall_trace_entry: + mov.l @(OFF_R7,r15), r7 ! arg3 + mov.l @(OFF_R3,r15), r3 ! syscall_nr + ! +- mov.l 2f, r10 ! Number of syscalls ++ mov.l 6f, r10 ! Number of syscalls + cmp/hs r10, r3 + bf syscall_call + mov #-ENOSYS, r0 +@@ -353,7 +353,7 @@ ENTRY(system_call) + tst r9, r8 + bf syscall_trace_entry + ! +- mov.l 2f, r8 ! Number of syscalls ++ mov.l 6f, r8 ! Number of syscalls + cmp/hs r8, r3 + bt syscall_badsys + ! +@@ -392,7 +392,7 @@ syscall_exit: + #if !defined(CONFIG_CPU_SH2) + 1: .long TRA + #endif +-2: .long NR_syscalls ++6: .long NR_syscalls + 3: .long sys_call_table + 7: .long do_syscall_trace_enter + 8: .long do_syscall_trace_leave +-- +2.27.0 + diff --git a/queue/sh-tlb-Fix-PGTABLE_LEVELS-2.patch b/queue/sh-tlb-Fix-PGTABLE_LEVELS-2.patch new file mode 100644 index 00000000..2ecb361d --- /dev/null +++ b/queue/sh-tlb-Fix-PGTABLE_LEVELS-2.patch 
@@ -0,0 +1,51 @@ +From c7bcbc8ab9cb20536b8f50c62a48cebda965fdba Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Fri, 17 Jul 2020 13:10:07 +0200 +Subject: [PATCH] sh/tlb: Fix PGTABLE_LEVELS > 2 + +commit c7bcbc8ab9cb20536b8f50c62a48cebda965fdba upstream. + +Geert reported that his SH7722-based Migo-R board failed to boot after +commit: + + c5b27a889da9 ("sh/tlb: Convert SH to generic mmu_gather") + +That commit fell victim to copying the wrong pattern -- +__pmd_free_tlb() used to be implemented with pmd_free(). + +Fixes: c5b27a889da9 ("sh/tlb: Convert SH to generic mmu_gather") +Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> +Tested-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Rich Felker <dalias@libc.org> + +diff --git a/arch/sh/include/asm/pgalloc.h b/arch/sh/include/asm/pgalloc.h +index 22d968bfe9bb..d770da3f8b6f 100644 +--- a/arch/sh/include/asm/pgalloc.h ++++ b/arch/sh/include/asm/pgalloc.h +@@ -12,6 +12,7 @@ extern void pgd_free(struct mm_struct *mm, pgd_t *pgd); + extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd); + extern pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address); + extern void pmd_free(struct mm_struct *mm, pmd_t *pmd); ++#define __pmd_free_tlb(tlb, pmdp, addr) pmd_free((tlb)->mm, (pmdp)) + #endif + + static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd, +@@ -33,13 +34,4 @@ do { \ + tlb_remove_page((tlb), (pte)); \ + } while (0) + +-#if CONFIG_PGTABLE_LEVELS > 2 +-#define __pmd_free_tlb(tlb, pmdp, addr) \ +-do { \ +- struct page *page = virt_to_page(pmdp); \ +- pgtable_pmd_page_dtor(page); \ +- tlb_remove_page((tlb), page); \ +-} while (0); +-#endif +- + #endif /* __ASM_SH_PGALLOC_H */ +-- +2.27.0 + 
diff --git a/queue/sunrpc-check-that-domain-table-is-empty-at-module-un.patch b/queue/sunrpc-check-that-domain-table-is-empty-at-module-un.patch new file mode 100644 index 00000000..8192a246 --- /dev/null +++ b/queue/sunrpc-check-that-domain-table-is-empty-at-module-un.patch 
@@ -0,0 +1,87 @@ +From f45db2b909c7e76f35850e78f017221f30282b8e Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Fri, 22 May 2020 12:01:32 +1000 +Subject: [PATCH] sunrpc: check that domain table is empty at module unload. + +commit f45db2b909c7e76f35850e78f017221f30282b8e upstream. + +The domain table should be empty at module unload. If it isn't there is +a bug somewhere. So check and report. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651 +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> + +diff --git a/net/sunrpc/sunrpc.h b/net/sunrpc/sunrpc.h +index 47a756503d11..f6fe2e6cd65a 100644 +--- a/net/sunrpc/sunrpc.h ++++ b/net/sunrpc/sunrpc.h +@@ -52,4 +52,5 @@ static inline int sock_is_loopback(struct sock *sk) + + int rpc_clients_notifier_register(void); + void rpc_clients_notifier_unregister(void); ++void auth_domain_cleanup(void); + #endif /* _NET_SUNRPC_SUNRPC_H */ +diff --git a/net/sunrpc/sunrpc_syms.c b/net/sunrpc/sunrpc_syms.c +index f9edaa9174a4..236fadc4a439 100644 +--- a/net/sunrpc/sunrpc_syms.c ++++ b/net/sunrpc/sunrpc_syms.c +@@ -23,6 +23,7 @@ + #include <linux/sunrpc/rpc_pipe_fs.h> + #include <linux/sunrpc/xprtsock.h> + ++#include "sunrpc.h" + #include "netns.h" + + unsigned int sunrpc_net_id; +@@ -131,6 +132,7 @@ cleanup_sunrpc(void) + unregister_rpc_pipefs(); + rpc_destroy_mempool(); + unregister_pernet_subsys(&sunrpc_net_ops); ++ auth_domain_cleanup(); + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) + rpc_unregister_sysctl(); + #endif +diff --git a/net/sunrpc/svcauth.c b/net/sunrpc/svcauth.c +index 552617e3467b..998b196b6176 100644 +--- a/net/sunrpc/svcauth.c ++++ b/net/sunrpc/svcauth.c +@@ -21,6 +21,8 @@ + + #include <trace/events/sunrpc.h> + ++#include "sunrpc.h" ++ + #define RPCDBG_FACILITY RPCDBG_AUTH + + +@@ -205,3 +207,26 @@ struct auth_domain *auth_domain_find(char *name) + return NULL; + } + EXPORT_SYMBOL_GPL(auth_domain_find); ++ ++/** ++ * auth_domain_cleanup - check that the 
auth_domain table is empty ++ * ++ * On module unload the auth_domain_table must be empty. To make it ++ * easier to catch bugs which don't clean up domains properly, we ++ * warn if anything remains in the table at cleanup time. ++ * ++ * Note that we cannot proactively remove the domains at this stage. ++ * The ->release() function might be in a module that has already been ++ * unloaded. ++ */ ++ ++void auth_domain_cleanup(void) ++{ ++ int h; ++ struct auth_domain *hp; ++ ++ for (h = 0; h < DN_HASHMAX; h++) ++ hlist_for_each_entry(hp, &auth_domain_table[h], hash) ++ pr_warn("svc: domain %s still present at module unload.\n", ++ hp->name); ++} +-- +2.27.0 + diff --git a/queue/usb-hso-Fix-debug-compile-warning-on-sparc32.patch b/queue/usb-hso-Fix-debug-compile-warning-on-sparc32.patch new file mode 100644 index 00000000..f163e843 --- /dev/null +++ b/queue/usb-hso-Fix-debug-compile-warning-on-sparc32.patch 
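Review bot: The walk over `auth_domain_table` in `auth_domain_cleanup()` takes neither a lock nor an RCU read section, and nothing in the function says why that is safe. It is presumably safe because the only caller added here is `cleanup_sunrpc()`, at a point where nothing else should reach the table, but that is an assumption the hunk does not show. I would record it above the loop, e.g. `/* Module unload only: no other user of the table can be running, so no locking. */`. The `for` has a two-line nested body and would also read better with braces.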
@@ -0,0 +1,49 @@ +From e0484010ec05191a8edf980413fc92f28050c1cc Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert@linux-m68k.org> +Date: Mon, 13 Jul 2020 13:05:13 +0200 +Subject: [PATCH] usb: hso: Fix debug compile warning on sparc32 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit e0484010ec05191a8edf980413fc92f28050c1cc upstream. + +On sparc32, tcflag_t is "unsigned long", unlike on all other +architectures, where it is "unsigned int": + + drivers/net/usb/hso.c: In function ‘hso_serial_set_termios’: + include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 4 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=] + drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’ + hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", + ^~~~~~~ + include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 5 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=] + drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’ + hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", + ^~~~~~~ + +As "unsigned long" is 32-bit on sparc32, fix this by casting all tcflag_t +parameters to "unsigned int". +While at it, use "%u" to format unsigned numbers. + +Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> +Signed-off-by: David S. 
Miller <davem@davemloft.net> + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index bb8c34d746ab..5f123a8cf68e 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1390,8 +1390,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old) + unsigned long flags; + + if (old) +- hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", +- tty->termios.c_cflag, old->c_cflag); ++ hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n", ++ (unsigned int)tty->termios.c_cflag, ++ (unsigned int)old->c_cflag); + + /* the actual setup */ + spin_lock_irqsave(&serial->serial_lock, flags); +-- +2.27.0 + diff --git a/queue/vhost-scsi-fix-up-req-type-endian-ness.patch b/queue/vhost-scsi-fix-up-req-type-endian-ness.patch new file mode 100644 index 00000000..4c191fa1 --- /dev/null +++ b/queue/vhost-scsi-fix-up-req-type-endian-ness.patch 
@@ -0,0 +1,34 @@ +From 295c1b9852d000580786375304a9800bd9634d15 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Fri, 10 Jul 2020 06:36:16 -0400 +Subject: [PATCH] vhost/scsi: fix up req type endian-ness + +commit 295c1b9852d000580786375304a9800bd9634d15 upstream. + +vhost/scsi doesn't handle type conversion correctly +for request type when using virtio 1.0 and up for BE, +or cross-endian platforms. + +Fix it up using vhost_32_to_cpu. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Acked-by: Jason Wang <jasowang@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 6fb4d7ecfa19..b22adf03f584 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1215,7 +1215,7 @@ vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) + continue; + } + +- switch (v_req.type) { ++ switch (vhost32_to_cpu(vq, v_req.type)) { + case VIRTIO_SCSI_T_TMF: + vc.req = &v_req.tmf; + vc.req_size = sizeof(struct virtio_scsi_ctrl_tmf_req); +-- +2.27.0 + diff --git a/queue/virtio_balloon-fix-up-endian-ness-for-free-cmd-id.patch b/queue/virtio_balloon-fix-up-endian-ness-for-free-cmd-id.patch new file mode 100644 index 00000000..e3775645 --- /dev/null +++ b/queue/virtio_balloon-fix-up-endian-ness-for-free-cmd-id.patch 
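Review bot: The conversion is applied only inside the `switch` expression in `vhost_scsi_ctl_handle_vq()`, so any later use of `v_req.type` in the part of the function outside this hunk would still see the unconverted value. Converting once into a local keeps every use consistent: `u32 type = vhost32_to_cpu(vq, v_req.type);` followed by `switch (type) {`. `v_req` is filled from the guest, so the remaining uses are worth checking for big-endian and cross-endian setups.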
@@ -0,0 +1,40 @@ +From 168c358af2f8c5a37f8b5f877ba2cc93995606ee Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Mon, 27 Jul 2020 12:01:27 -0400 +Subject: [PATCH] virtio_balloon: fix up endian-ness for free cmd id + +commit 168c358af2f8c5a37f8b5f877ba2cc93995606ee upstream. + +free cmd id is read using virtio endian, spec says all fields +in balloon are LE. Fix it up. + +Fixes: 86a559787e6f ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Acked-by: Jason Wang <jasowang@redhat.com> +Reviewed-by: Wei Wang <wei.w.wang@intel.com> +Acked-by: David Hildenbrand <david@redhat.com> + +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c +index d0fd8f8dc6ed..8be02f333b7a 100644 +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -578,10 +578,14 @@ static int init_vqs(struct virtio_balloon *vb) + static u32 virtio_balloon_cmd_id_received(struct virtio_balloon *vb) + { + if (test_and_clear_bit(VIRTIO_BALLOON_CONFIG_READ_CMD_ID, +- &vb->config_read_bitmap)) ++ &vb->config_read_bitmap)) { + virtio_cread(vb->vdev, struct virtio_balloon_config, + free_page_hint_cmd_id, + &vb->cmd_id_received_cache); ++ /* Legacy balloon config space is LE, unlike all other devices. */ ++ if (!virtio_has_feature(vb->vdev, VIRTIO_F_VERSION_1)) ++ vb->cmd_id_received_cache = le32_to_cpu((__force __le32)vb->cmd_id_received_cache); ++ } + + return vb->cmd_id_received_cache; + } +-- +2.27.0 + diff --git a/queue/vxlan-fix-memleak-of-fdb.patch b/queue/vxlan-fix-memleak-of-fdb.patch new file mode 100644 index 00000000..e2f8ca8c --- /dev/null +++ b/queue/vxlan-fix-memleak-of-fdb.patch 
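Review bot: In `virtio_balloon_cmd_id_received()` the legacy fix-up rewrites `vb->cmd_id_received_cache` in place, so the field briefly holds the unconverted value that `virtio_cread()` stored. A second caller that finds the `VIRTIO_BALLOON_CONFIG_READ_CMD_ID` bit already cleared returns the cache directly and, if such a caller can run concurrently, could return that intermediate value on a big-endian legacy guest. Reading into a local, converting, and storing once closes that window and shortens the over-long assignment line. This assumes the cache field is a plain `u32`, as the return type suggests.

```c
	if (test_and_clear_bit(VIRTIO_BALLOON_CONFIG_READ_CMD_ID,
			       &vb->config_read_bitmap)) {
		u32 id;

		virtio_cread(vb->vdev, struct virtio_balloon_config,
			     free_page_hint_cmd_id, &id);
		/* Legacy balloon config space is LE, unlike all other devices. */
		if (!virtio_has_feature(vb->vdev, VIRTIO_F_VERSION_1))
			id = le32_to_cpu((__force __le32)id);
		/* Publish only the converted value. */
		vb->cmd_id_received_cache = id;
	}
	/* … unchanged: return of the cached value … */
```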
@@ -0,0 +1,88 @@ +From fda2ec62cf1aa7cbee52289dc8059cd3662795da Mon Sep 17 00:00:00 2001 +From: Taehee Yoo <ap420073@gmail.com> +Date: Sat, 1 Aug 2020 07:07:50 +0000 +Subject: [PATCH] vxlan: fix memleak of fdb + +commit fda2ec62cf1aa7cbee52289dc8059cd3662795da upstream. + +When vxlan interface is deleted, all fdbs are deleted by vxlan_flush(). +vxlan_flush() flushes fdbs but it doesn't delete fdb, which contains +all-zeros-mac because it is deleted by vxlan_uninit(). +But vxlan_uninit() deletes only the fdb, which contains both all-zeros-mac +and default vni. +So, the fdb, which contains both all-zeros-mac and non-default vni +will not be deleted. + +Test commands: + ip link add vxlan0 type vxlan dstport 4789 external + ip link set vxlan0 up + bridge fdb add to 00:00:00:00:00:00 dst 172.0.0.1 dev vxlan0 via lo \ + src_vni 10000 self permanent + ip link del vxlan0 + +kmemleak reports as follows: +unreferenced object 0xffff9486b25ced88 (size 96): + comm "bridge", pid 2151, jiffies 4294701712 (age 35506.901s) + hex dump (first 32 bytes): + 02 00 00 00 ac 00 00 01 40 00 09 b1 86 94 ff ff ........@....... 
+ 46 02 00 00 00 00 00 00 a7 03 00 00 12 b5 6a 6b F.............jk + backtrace: + [<00000000c10cf651>] vxlan_fdb_append.part.51+0x3c/0xf0 [vxlan] + [<000000006b31a8d9>] vxlan_fdb_create+0x184/0x1a0 [vxlan] + [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan] + [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan] + [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270 + [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490 + [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110 + [<00000000dff433e7>] netlink_unicast+0x18e/0x250 + [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400 + [<000000002ed55153>] ____sys_sendmsg+0x237/0x260 + [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0 + [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80 + [<00000000a8f875d2>] do_syscall_64+0x56/0xe0 + [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +unreferenced object 0xffff9486b1c40080 (size 128): + comm "bridge", pid 2157, jiffies 4294701754 (age 35506.866s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 f8 dc 42 b2 86 94 ff ff ..........B..... 
+ 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + backtrace: + [<00000000a2981b60>] vxlan_fdb_create+0x67/0x1a0 [vxlan] + [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan] + [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan] + [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270 + [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490 + [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110 + [<00000000dff433e7>] netlink_unicast+0x18e/0x250 + [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400 + [<000000002ed55153>] ____sys_sendmsg+0x237/0x260 + [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0 + [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80 + [<00000000a8f875d2>] do_syscall_64+0x56/0xe0 + [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 3ad7a4b141eb ("vxlan: support fdb and learning in COLLECT_METADATA mode") +Signed-off-by: Taehee Yoo <ap420073@gmail.com> +Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 5efe1e28f270..a7c3939264b0 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -3076,8 +3076,10 @@ static void vxlan_flush(struct vxlan_dev *vxlan, bool do_all) + if (!do_all && (f->state & (NUD_PERMANENT | NUD_NOARP))) + continue; + /* the all_zeros_mac entry is deleted at vxlan_uninit */ +- if (!is_zero_ether_addr(f->eth_addr)) +- vxlan_fdb_destroy(vxlan, f, true, true); ++ if (is_zero_ether_addr(f->eth_addr) && ++ f->vni == vxlan->cfg.vni) ++ continue; ++ vxlan_fdb_destroy(vxlan, f, true, true); + } + spin_unlock_bh(&vxlan->hash_lock[h]); + } +-- +2.27.0 + diff --git a/queue/wireless-Use-offsetof-instead-of-custom-macro.patch b/queue/wireless-Use-offsetof-instead-of-custom-macro.patch new file mode 100644 index 00000000..cb4fe361 --- /dev/null +++ b/queue/wireless-Use-offsetof-instead-of-custom-macro.patch 
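Review bot: The comment kept above the new test in `vxlan_flush()`, `/* the all_zeros_mac entry is deleted at vxlan_uninit */`, no longer matches the code. After this change only the all-zeros entry whose `f->vni` equals `vxlan->cfg.vni` is skipped, and every other all-zeros entry is destroyed here. I would reword it to `/* the all_zeros_mac entry of the default vni is deleted at vxlan_uninit */`. `vxlan_flush()` starts outside the hunk.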
@@ -0,0 +1,64 @@ +From 6989310f5d4327e8595664954edd40a7f99ddd0d Mon Sep 17 00:00:00 2001 +From: Pi-Hsun Shih <pihsun@chromium.org> +Date: Wed, 4 Dec 2019 16:13:07 +0800 +Subject: [PATCH] wireless: Use offsetof instead of custom macro. + +commit 6989310f5d4327e8595664954edd40a7f99ddd0d upstream. + +Use offsetof to calculate offset of a field to take advantage of +compiler built-in version when possible, and avoid UBSAN warning when +compiling with Clang: + +================================================================== +UBSAN: Undefined behaviour in net/wireless/wext-core.c:525:14 +member access within null pointer of type 'struct iw_point' +CPU: 3 PID: 165 Comm: kworker/u16:3 Tainted: G S W 4.19.23 #43 +Workqueue: cfg80211 __cfg80211_scan_done [cfg80211] +Call trace: + dump_backtrace+0x0/0x194 + show_stack+0x20/0x2c + __dump_stack+0x20/0x28 + dump_stack+0x70/0x94 + ubsan_epilogue+0x14/0x44 + ubsan_type_mismatch_common+0xf4/0xfc + __ubsan_handle_type_mismatch_v1+0x34/0x54 + wireless_send_event+0x3cc/0x470 + ___cfg80211_scan_done+0x13c/0x220 [cfg80211] + __cfg80211_scan_done+0x28/0x34 [cfg80211] + process_one_work+0x170/0x35c + worker_thread+0x254/0x380 + kthread+0x13c/0x158 + ret_from_fork+0x10/0x18 +=================================================================== + +Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Link: https://lore.kernel.org/r/20191204081307.138765-1-pihsun@chromium.org +Signed-off-by: Johannes Berg <johannes.berg@intel.com> + +diff --git a/include/uapi/linux/wireless.h b/include/uapi/linux/wireless.h +index 86eca3208b6b..a2c006a364e0 100644 +--- a/include/uapi/linux/wireless.h ++++ b/include/uapi/linux/wireless.h +@@ -74,6 +74,8 @@ + #include <linux/socket.h> /* for "struct sockaddr" et al */ + #include <linux/if.h> /* for IFNAMSIZ and co... 
*/ + ++#include <stddef.h> /* for offsetof */ ++ + /***************************** VERSION *****************************/ + /* + * This constant is used to know the availability of the wireless +@@ -1090,8 +1092,7 @@ struct iw_event { + /* iw_point events are special. First, the payload (extra data) come at + * the end of the event, so they are bigger than IW_EV_POINT_LEN. Second, + * we omit the pointer, so start at an offset. */ +-#define IW_EV_POINT_OFF (((char *) &(((struct iw_point *) NULL)->length)) - \ +- (char *) NULL) ++#define IW_EV_POINT_OFF offsetof(struct iw_point, length) + #define IW_EV_POINT_LEN (IW_EV_LCP_LEN + sizeof(struct iw_point) - \ + IW_EV_POINT_OFF) + +-- +2.27.0 + diff --git a/queue/x86-i8259-Use-printk_deferred-to-prevent-deadlock.patch b/queue/x86-i8259-Use-printk_deferred-to-prevent-deadlock.patch new file mode 100644 index 00000000..72bef064 --- /dev/null +++ b/queue/x86-i8259-Use-printk_deferred-to-prevent-deadlock.patch 
@@ -0,0 +1,49 @@ +From bdd65589593edd79b6a12ce86b3b7a7c6dae5208 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Wed, 29 Jul 2020 10:53:28 +0200 +Subject: [PATCH] x86/i8259: Use printk_deferred() to prevent deadlock + +commit bdd65589593edd79b6a12ce86b3b7a7c6dae5208 upstream. + +0day reported a possible circular locking dependency: + +Chain exists of: + &irq_desc_lock_class --> console_owner --> &port_lock_key + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&port_lock_key); + lock(console_owner); + lock(&port_lock_key); + lock(&irq_desc_lock_class); + +The reason for this is a printk() in the i8259 interrupt chip driver +which is invoked with the irq descriptor lock held, which reverses the +lock operations vs. printk() from arbitrary contexts. + +Switch the printk() to printk_deferred() to avoid that. + +Reported-by: kernel test robot <lkp@intel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/87365abt2v.fsf@nanos.tec.linutronix.de + +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index f3c76252247d..282b4ee1339f 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -207,7 +207,7 @@ static void mask_and_ack_8259A(struct irq_data *data) + * lets ACK and report it. [once per IRQ] + */ + if (!(spurious_irq_mask & irqmask)) { +- printk(KERN_DEBUG ++ printk_deferred(KERN_DEBUG + "spurious 8259A interrupt: IRQ%d.\n", irq); + spurious_irq_mask |= irqmask; + } +-- +2.27.0 + diff --git a/queue/x86-stacktrace-Fix-reliable-check-for-empty-user-tas.patch b/queue/x86-stacktrace-Fix-reliable-check-for-empty-user-tas.patch new file mode 100644 index 00000000..db46e345 --- /dev/null +++ b/queue/x86-stacktrace-Fix-reliable-check-for-empty-user-tas.patch 
@@ -0,0 +1,55 @@ +From 039a7a30ec102ec866d382a66f87f6f7654f8140 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 17 Jul 2020 09:04:26 -0500 +Subject: [PATCH] x86/stacktrace: Fix reliable check for empty user task stacks + +commit 039a7a30ec102ec866d382a66f87f6f7654f8140 upstream. + +If a user task's stack is empty, or if it only has user regs, ORC +reports it as a reliable empty stack. But arch_stack_walk_reliable() +incorrectly treats it as unreliable. + +That happens because the only success path for user tasks is inside the +loop, which only iterates on non-empty stacks. Generally, a user task +must end in a user regs frame, but an empty stack is an exception to +that rule. + +Thanks to commit 71c95825289f ("x86/unwind/orc: Fix error handling in +__unwind_start()"), unwind_start() now sets state->error appropriately. +So now for both ORC and FP unwinders, unwind_done() and !unwind_error() +always means the end of the stack was successfully reached. So the +success path for kthreads is no longer needed -- it can also be used for +empty user tasks. + +Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com> +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Wang ShaoBo <bobo.shaobowang@huawei.com> +Link: https://lkml.kernel.org/r/f136a4e5f019219cbc4f4da33b30c2f44fa65b84.1594994374.git.jpoimboe@redhat.com + +diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c +index 6ad43fc44556..2fd698e28e4d 100644 +--- a/arch/x86/kernel/stacktrace.c ++++ b/arch/x86/kernel/stacktrace.c +@@ -58,7 +58,6 @@ int arch_stack_walk_reliable(stack_trace_consume_fn consume_entry, + * or a page fault), which can make frame pointers + * unreliable. 
+ */ +- + if (IS_ENABLED(CONFIG_FRAME_POINTER)) + return -EINVAL; + } +@@ -81,10 +80,6 @@ int arch_stack_walk_reliable(stack_trace_consume_fn consume_entry, + if (unwind_error(&state)) + return -EINVAL; + +- /* Success path for non-user tasks, i.e. kthreads and idle tasks */ +- if (!(task->flags & (PF_KTHREAD | PF_IDLE))) +- return -EINVAL; +- + return 0; + } + +-- +2.27.0 + diff --git a/queue/x86-unwind-orc-Fix-ORC-for-newly-forked-tasks.patch b/queue/x86-unwind-orc-Fix-ORC-for-newly-forked-tasks.patch new file mode 100644 index 00000000..f9369507 --- /dev/null +++ b/queue/x86-unwind-orc-Fix-ORC-for-newly-forked-tasks.patch 
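Review bot: Removing the `PF_KTHREAD | PF_IDLE` test at the end of `arch_stack_walk_reliable()` is only correct where `unwind_start()` already records a failed start in `state->error`, which the description attributes to commit 71c95825289f. This queue targets an older base, so that commit has to be present or queued ahead of this one. Without it, a failed unwind start could be returned to callers as a reliable trace. A comment on the final return would keep the dependency visible: `/* unwind_done() && !unwind_error(): end of stack reached, for any task type */`. The function begins outside the hunk.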
@@ -0,0 +1,51 @@ +From 372a8eaa05998cd45b3417d0e0ffd3a70978211a Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 17 Jul 2020 09:04:25 -0500 +Subject: [PATCH] x86/unwind/orc: Fix ORC for newly forked tasks + +commit 372a8eaa05998cd45b3417d0e0ffd3a70978211a upstream. + +The ORC unwinder fails to unwind newly forked tasks which haven't yet +run on the CPU. It correctly reads the 'ret_from_fork' instruction +pointer from the stack, but it incorrectly interprets that value as a +call stack address rather than a "signal" one, so the address gets +incorrectly decremented in the call to orc_find(), resulting in bad ORC +data. + +Fix it by forcing 'ret_from_fork' frames to be signal frames. + +Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com> +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Wang ShaoBo <bobo.shaobowang@huawei.com> +Link: https://lkml.kernel.org/r/f91a8778dde8aae7f71884b5df2b16d552040441.1594994374.git.jpoimboe@redhat.com + +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c +index 7f969b2d240f..ec88bbe08a32 100644 +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -440,8 +440,11 @@ bool unwind_next_frame(struct unwind_state *state) + /* + * Find the orc_entry associated with the text address. + * +- * Decrement call return addresses by one so they work for sibling +- * calls and calls to noreturn functions. ++ * For a call frame (as opposed to a signal frame), state->ip points to ++ * the instruction after the call. That instruction's stack layout ++ * could be different from the call instruction's layout, for example ++ * if the call was to a noreturn function. So get the ORC data for the ++ * call instruction itself. + */ + orc = orc_find(state->signal ? 
state->ip : state->ip - 1); + if (!orc) { +@@ -662,6 +665,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task, + state->sp = task->thread.sp; + state->bp = READ_ONCE_NOCHECK(frame->bp); + state->ip = READ_ONCE_NOCHECK(frame->ret_addr); ++ state->signal = (void *)state->ip == ret_from_fork; + } + + if (get_stack_info((unsigned long *)state->sp, state->task, +-- +2.27.0 + diff --git a/queue/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch b/queue/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch new file mode 100644 index 00000000..5b42004e --- /dev/null +++ b/queue/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch 
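Review bot: The new assignment in `__unwind_start()`, `state->signal = (void *)state->ip == ret_from_fork;`, carries no comment, and its reason cannot be read off the line. I would add `/* A task that has never run resumes at ret_from_fork itself, not after a call, so orc_find() must not decrement the address. */` above it. The rewritten comment in `unwind_next_frame()` explains the call-frame case but does not mention this one. Both functions extend beyond their hunks.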
@@ -0,0 +1,128 @@ +From c2c633106453611be07821f53dff9e93a9d1c3f0 Mon Sep 17 00:00:00 2001 +From: Andrea Righi <andrea.righi@canonical.com> +Date: Fri, 24 Jul 2020 10:59:10 +0200 +Subject: [PATCH] xen-netfront: fix potential deadlock in xennet_remove() + +commit c2c633106453611be07821f53dff9e93a9d1c3f0 upstream. + +There's a potential race in xennet_remove(); this is what the driver is +doing upon unregistering a network device: + + 1. state = read bus state + 2. if state is not "Closed": + 3. request to set state to "Closing" + 4. wait for state to be set to "Closing" + 5. request to set state to "Closed" + 6. wait for state to be set to "Closed" + +If the state changes to "Closed" immediately after step 1 we are stuck +forever in step 4, because the state will never go back from "Closed" to +"Closing". + +Make sure to check also for state == "Closed" in step 4 to prevent the +deadlock. + +Also add a 5 sec timeout any time we wait for the bus state to change, +to avoid getting stuck forever in wait_event(). + +Signed-off-by: Andrea Righi <andrea.righi@canonical.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 482c6c8b0fb7..88280057e032 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -63,6 +63,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644); + MODULE_PARM_DESC(max_queues, + "Maximum number of queues per virtual interface"); + ++#define XENNET_TIMEOUT (5 * HZ) ++ + static const struct ethtool_ops xennet_ethtool_ops; + + struct netfront_cb { +@@ -1334,12 +1336,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev) + + netif_carrier_off(netdev); + +- xenbus_switch_state(dev, XenbusStateInitialising); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateClosed && +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateUnknown); ++ do { ++ xenbus_switch_state(dev, XenbusStateInitialising); ++ err = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateClosed && ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateUnknown, XENNET_TIMEOUT); ++ } while (!err); ++ + return netdev; + + exit: +@@ -2139,28 +2144,43 @@ static const struct attribute_group xennet_dev_group = { + }; + #endif /* CONFIG_SYSFS */ + +-static int xennet_remove(struct xenbus_device *dev) ++static void xennet_bus_close(struct xenbus_device *dev) + { +- struct netfront_info *info = dev_get_drvdata(&dev->dev); +- +- dev_dbg(&dev->dev, "%s\n", dev->nodename); ++ int ret; + +- if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) { ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; ++ do { + xenbus_switch_state(dev, XenbusStateClosing); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosing || ++ 
xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++ ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; + ++ do { + xenbus_switch_state(dev, XenbusStateClosed); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosed || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); +- } ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++} ++ ++static int xennet_remove(struct xenbus_device *dev) ++{ ++ struct netfront_info *info = dev_get_drvdata(&dev->dev); + ++ xennet_bus_close(dev); + xennet_disconnect_backend(info); + + if (info->netdev->reg_state == NETREG_REGISTERED) +-- +2.27.0 + diff --git a/queue/xfrm-Fix-crash-when-the-hold-queue-is-used.patch b/queue/xfrm-Fix-crash-when-the-hold-queue-is-used.patch new file mode 100644 index 00000000..c95c326e --- /dev/null +++ b/queue/xfrm-Fix-crash-when-the-hold-queue-is-used.patch 
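Review bot: The `do { … } while (!ret);` loops in `xennet_bus_close()`, and the `while (!err)` loop in `xennet_create_dev()`, retry without limit, so `XENNET_TIMEOUT` bounds a single wait but not the total. The description says the timeout avoids getting stuck forever, yet a backend that never reaches one of the awaited states still keeps `xennet_remove()` in the loop indefinitely. Either cap the retries and log once on giving up, or state the behaviour, e.g. `/* Retries until the backend reacts; the timeout only re-sends the state change. */`. A smaller point: `wait_event_timeout()` returns a `long`, which is stored in an `int` here.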
@@ -0,0 +1,48 @@ +From 101dde4207f1daa1fda57d714814a03835dccc3f Mon Sep 17 00:00:00 2001 +From: Steffen Klassert <steffen.klassert@secunet.com> +Date: Fri, 17 Jul 2020 10:34:27 +0200 +Subject: [PATCH] xfrm: Fix crash when the hold queue is used. + +commit 101dde4207f1daa1fda57d714814a03835dccc3f upstream. + +The commits "xfrm: Move dst->path into struct xfrm_dst" +and "net: Create and use new helper xfrm_dst_child()." +changed xfrm bundle handling under the assumption +that xdst->path and dst->child are not a NULL pointer +only if dst->xfrm is not a NULL pointer. That is true +with one exception. If the xfrm hold queue is used +to wait until a SA is installed by the key manager, +we create a dummy bundle without a valid dst->xfrm +pointer. The current xfrm bundle handling crashes +in that case. Fix this by extending the NULL check +of dst->xfrm with a test of the DST_XFRM_QUEUE flag. + +Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst") +Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().") +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 5c20953c8deb..51f65d23ebaf 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -941,7 +941,7 @@ struct xfrm_dst { + static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) + { + #ifdef CONFIG_XFRM +- if (dst->xfrm) { ++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { + const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; + + return xdst->path; +@@ -953,7 +953,7 @@ static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) + static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) + { + #ifdef CONFIG_XFRM +- if (dst->xfrm) { ++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { + struct xfrm_dst *xdst = (struct xfrm_dst *) dst; + return xdst->child; + } +-- +2.27.0 + 
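Review bot: Neither `xfrm_dst_path()` nor `xfrm_dst_child()` says why a dst with a NULL `dst->xfrm` may still be cast to `struct xfrm_dst`, and the widened condition is now duplicated in both helpers. The commit message gives the reason (hold-queue dummy bundles carry `DST_XFRM_QUEUE` but no valid `dst->xfrm`), but it is not recorded in include/net/xfrm.h, so a later cleanup could drop the flag test and bring the crash back. I would add above each test a comment such as `/* hold-queue dummy bundles are xfrm_dst too, but have no dst->xfrm */`, or move the test into one small inline predicate that both helpers call. Both function bodies continue outside their hunks.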
diff --git a/queue/xfrm-policy-match-with-both-mark-and-mask-on-user-in.patch b/queue/xfrm-policy-match-with-both-mark-and-mask-on-user-in.patch
new file mode 100644
index 00000000..3a4391d8
--- /dev/null
+++ b/queue/xfrm-policy-match-with-both-mark-and-mask-on-user-in.patch
@@ -0,0 +1,255 @@
+From 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 22 Jun 2020 16:40:29 +0800
+Subject: [PATCH] xfrm: policy: match with both mark and mask on user
+ interfaces
+
+commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
+
+In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
+it would take 'priority' to make a policy unique, and allow duplicated
+policies with different 'priority' to be added, which is not expected
+by userland, as Tobias reported in strongswan.
+
+To fix this duplicated policies issue, and also fix the issue in
+commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
+when doing add/del/get/update on user interfaces, this patch is to change
+to look up a policy with both mark and mask by doing:
+
+ mark.v == pol->mark.v && mark.m == pol->mark.m
+
+and leave the check:
+
+ (mark & pol->mark.m) == pol->mark.v
+
+for tx/rx path only.
+
+As the userland expects an exact mark and mask match to manage policies.
+
+v1->v2:
+ - make xfrm_policy_mark_match inline and fix the changelog as
+ Tobias suggested.
+
+Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
+Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Tested-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index c7d213c9f9d8..5c20953c8deb 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1630,13 +1630,16 @@ int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
+ void *);
+ void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
+ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
+-struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir,
++struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
++ const struct xfrm_mark *mark,
++ u32 if_id, u8 type, int dir,
+ struct xfrm_selector *sel,
+ struct xfrm_sec_ctx *ctx, int delete,
+ int *err);
+-struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id, u8,
+- int dir, u32 id, int delete, int *err);
++struct xfrm_policy *xfrm_policy_byid(struct net *net,
++ const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, u32 id, int delete,
++ int *err);
+ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
+ void xfrm_policy_hash_rebuild(struct net *net);
+ u32 xfrm_get_acqseq(void);
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index b67ed3a8486c..979c579afc63 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2400,7 +2400,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
+ return err;
+ }
+
+- xp = xfrm_policy_bysel_ctx(net, DUMMY_MARK, 0, XFRM_POLICY_TYPE_MAIN,
++ xp = xfrm_policy_bysel_ctx(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
+ pol->sadb_x_policy_dir - 1, &sel, pol_ctx,
+ 1, &err);
+ security_xfrm_policy_free(pol_ctx);
+@@ -2651,7 +2651,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
+ return -EINVAL;
+
+ delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
+- xp = xfrm_policy_byid(net, DUMMY_MARK, 0, XFRM_POLICY_TYPE_MAIN,
++ xp = xfrm_policy_byid(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
+ dir, pol->sadb_x_policy_id, delete, &err);
+ if (xp == NULL)
+ return -ENOENT;
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 564aa6492e7c..6847b3579f54 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1433,14 +1433,10 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
+ spin_unlock_bh(&pq->hold_queue.lock);
+ }
+
+-static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
+- struct xfrm_policy *pol)
++static inline bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
++ struct xfrm_policy *pol)
+ {
+- if (policy->mark.v == pol->mark.v &&
+- policy->priority == pol->priority)
+- return true;
+-
+- return false;
++ return mark->v == pol->mark.v && mark->m == pol->mark.m;
+ }
+
+ static u32 xfrm_pol_bin_key(const void *data, u32 len, u32 seed)
+@@ -1503,7 +1499,7 @@ static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
+ if (pol->type == policy->type &&
+ pol->if_id == policy->if_id &&
+ !selector_cmp(&pol->selector, &policy->selector) &&
+- xfrm_policy_mark_match(policy, pol) &&
++ xfrm_policy_mark_match(&policy->mark, pol) &&
+ xfrm_sec_ctx_match(pol->security, policy->security) &&
+ !WARN_ON(delpol)) {
+ delpol = pol;
+@@ -1538,7 +1534,7 @@ static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
+ if (pol->type == policy->type &&
+ pol->if_id == policy->if_id &&
+ !selector_cmp(&pol->selector, &policy->selector) &&
+- xfrm_policy_mark_match(policy, pol) &&
++ xfrm_policy_mark_match(&policy->mark, pol) &&
+ xfrm_sec_ctx_match(pol->security, policy->security) &&
+ !WARN_ON(delpol)) {
+ if (excl)
+@@ -1610,9 +1606,8 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
+ EXPORT_SYMBOL(xfrm_policy_insert);
+
+ static struct xfrm_policy *
+-__xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+- u8 type, int dir,
+- struct xfrm_selector *sel,
++__xfrm_policy_bysel_ctx(struct hlist_head *chain, const struct xfrm_mark *mark,
++ u32 if_id, u8 type, int dir, struct xfrm_selector *sel,
+ struct xfrm_sec_ctx *ctx)
+ {
+ struct xfrm_policy *pol;
+@@ -1623,7 +1618,7 @@ __xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+ hlist_for_each_entry(pol, chain, bydst) {
+ if (pol->type == type &&
+ pol->if_id == if_id &&
+- (mark & pol->mark.m) == pol->mark.v &&
++ xfrm_policy_mark_match(mark, pol) &&
+ !selector_cmp(sel, &pol->selector) &&
+ xfrm_sec_ctx_match(ctx, pol->security))
+ return pol;
+@@ -1632,11 +1627,10 @@ __xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+ return NULL;
+ }
+
+-struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir,
+- struct xfrm_selector *sel,
+- struct xfrm_sec_ctx *ctx, int delete,
+- int *err)
++struct xfrm_policy *
++xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, struct xfrm_selector *sel,
++ struct xfrm_sec_ctx *ctx, int delete, int *err)
+ {
+ struct xfrm_pol_inexact_bin *bin = NULL;
+ struct xfrm_policy *pol, *ret = NULL;
+@@ -1703,9 +1697,9 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+ }
+ EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
+
+-struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir, u32 id, int delete,
+- int *err)
++struct xfrm_policy *
++xfrm_policy_byid(struct net *net, const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, u32 id, int delete, int *err)
+ {
+ struct xfrm_policy *pol, *ret;
+ struct hlist_head *chain;
+@@ -1720,8 +1714,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id,
+ ret = NULL;
+ hlist_for_each_entry(pol, chain, byidx) {
+ if (pol->type == type && pol->index == id &&
+- pol->if_id == if_id &&
+- (mark & pol->mark.m) == pol->mark.v) {
++ pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {
+ xfrm_pol_hold(pol);
+ if (delete) {
+ *err = security_xfrm_policy_delete(
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e6cfaa680ef3..fbb7d9d06478 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1863,7 +1863,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct km_event c;
+ int delete;
+ struct xfrm_mark m;
+- u32 mark = xfrm_mark_get(attrs, &m);
+ u32 if_id = 0;
+
+ p = nlmsg_data(nlh);
+@@ -1880,8 +1879,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (attrs[XFRMA_IF_ID])
+ if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
+
++ xfrm_mark_get(attrs, &m);
++
+ if (p->index)
+- xp = xfrm_policy_byid(net, mark, if_id, type, p->dir, p->index, delete, &err);
++ xp = xfrm_policy_byid(net, &m, if_id, type, p->dir,
++ p->index, delete, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+@@ -1898,8 +1900,8 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+ }
+- xp = xfrm_policy_bysel_ctx(net, mark, if_id, type, p->dir, &p->sel,
+- ctx, delete, &err);
++ xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir,
++ &p->sel, ctx, delete, &err);
+ security_xfrm_policy_free(ctx);
+ }
+ if (xp == NULL)
+@@ -2166,7 +2168,6 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ u8 type = XFRM_POLICY_TYPE_MAIN;
+ int err = -ENOENT;
+ struct xfrm_mark m;
+- u32 mark = xfrm_mark_get(attrs, &m);
+ u32 if_id = 0;
+
+ err = copy_from_user_policy_type(&type, attrs);
+@@ -2180,8 +2181,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (attrs[XFRMA_IF_ID])
+ if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
+
++ xfrm_mark_get(attrs, &m);
++
+ if (p->index)
+- xp = xfrm_policy_byid(net, mark, if_id, type, p->dir, p->index, 0, &err);
++ xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index,
++ 0, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+@@ -2198,7 +2202,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+ }
+- xp = xfrm_policy_bysel_ctx(net, mark, if_id, type, p->dir,
++ xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir,
+ &p->sel, ctx, 0, &err);
+ security_xfrm_policy_free(ctx);
+ }
+--
+2.27.0
+ |
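Review bot: `xfrm_policy_mark_match()` in net/xfrm/xfrm_policy.c now performs an exact value-and-mask comparison, but nothing at the helper says it is meant for user-interface lookups only while the tx/rx path keeps the masked test; that distinction exists only in the commit message. Because this comparison decides whether a get/delete/update finds an IPsec policy at all, I would document it at the definition, e.g. `/* exact mark+mask match for add/del/get/update; packet lookup uses (mark & pol->mark.m) == pol->mark.v */`. The same exact-match rule now reaches the two PF_KEY call sites in net/key/af_key.c through `&dummy_mark`, whose definition is outside these hunks; it looks as if those lookups will only find policies whose mask equals that of `dummy_mark`, which should be confirmed against the earlier masked behaviour. Several of the touched functions start or end outside their hunks.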