--- /dev/null
+From 212253367dc7b49ed3fc194ce71b0992eacaecf2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Sat, 28 Nov 2020 16:54:02 -0300
+Subject: cifs: fix potential use-after-free in cifs_echo_request()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
+
+This patch fixes a potential use-after-free bug in
+cifs_echo_request().
+
+For instance,
+
+ thread 1
+ --------
+ cifs_demultiplex_thread()
+ clean_demultiplex_info()
+ kfree(server)
+
+ thread 2 (workqueue)
+ --------
+ apic_timer_interrupt()
+ smp_apic_timer_interrupt()
+ irq_exit()
+ __do_softirq()
+ run_timer_softirq()
+ call_timer_fn()
+ cifs_echo_request() <- use-after-free in server ptr
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -777,6 +777,8 @@ static void clean_demultiplex_info(struc
+ list_del_init(&server->tcp_ses_list);
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ cancel_delayed_work_sync(&server->echo);
++
+ spin_lock(&GlobalMid_Lock);
+ server->tcpStatus = CifsExiting;
+ spin_unlock(&GlobalMid_Lock);
--- /dev/null
+From bde3808bc8c2741ad3d804f84720409aee0c2972 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Fri, 4 Dec 2020 15:25:18 -0500
+Subject: dm: remove invalid sparse __acquires and __releases annotations
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit bde3808bc8c2741ad3d804f84720409aee0c2972 upstream.
+
+Fixes sparse warnings:
+drivers/md/dm.c:508:12: warning: context imbalance in 'dm_prepare_ioctl' - wrong count at exit
+drivers/md/dm.c:543:13: warning: context imbalance in 'dm_unprepare_ioctl' - wrong count at exit
+
+Fixes: 971888c46993f ("dm: hold DM table for duration of ioctl rather than use blkdev_get")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -462,7 +462,6 @@ static int dm_blk_getgeo(struct block_de
+
+ static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx,
+ struct block_device **bdev)
+- __acquires(md->io_barrier)
+ {
+ struct dm_target *tgt;
+ struct dm_table *map;
+@@ -496,7 +495,6 @@ retry:
+ }
+
+ static void dm_unprepare_ioctl(struct mapped_device *md, int srcu_idx)
+- __releases(md->io_barrier)
+ {
+ dm_put_live_table(md, srcu_idx);
+ }
--- /dev/null
+From 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 10 Nov 2020 07:45:13 -0500
+Subject: dm writecache: fix the maximum number of arguments
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af upstream.
+
+Advance the maximum number of arguments to 16.
+This fixes issue where certain operations, combined with table
+configured args, exceed 10 arguments.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -1883,7 +1883,7 @@ static int writecache_ctr(struct dm_targ
+ struct wc_memory_superblock s;
+
+ static struct dm_arg _args[] = {
+- {0, 10, "Invalid number of feature args"},
++ {0, 16, "Invalid number of feature args"},
+ };
+
+ as.argc = argc;
--- /dev/null
+From 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 26 Nov 2020 23:38:38 +0530
+Subject: ftrace: Fix updating FTRACE_FL_TRAMP
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 upstream.
+
+On powerpc, kprobe-direct.tc triggered FTRACE_WARN_ON() in
+ftrace_get_addr_new() followed by the below message:
+ Bad trampoline accounting at: 000000004222522f (wake_up_process+0xc/0x20) (f0000001)
+
+The set of steps leading to this involved:
+- modprobe ftrace-direct-too
+- enable_probe
+- modprobe ftrace-direct
+- rmmod ftrace-direct <-- trigger
+
+The problem turned out to be that we were not updating flags in the
+ftrace record properly. From the above message about the trampoline
+accounting being bad, it can be seen that the ftrace record still has
+FTRACE_FL_TRAMP set though ftrace-direct module is going away. This
+happens because we are checking if any ftrace_ops has the
+FTRACE_FL_TRAMP flag set _before_ updating the filter hash.
+
+The fix for this is to look for any _other_ ftrace_ops that also needs
+FTRACE_FL_TRAMP.
+
+Link: https://lkml.kernel.org/r/56c113aa9c3e10c19144a36d9684c7882bf09af5.1606412433.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: a124692b698b0 ("ftrace: Enable trampoline when rec count returns back to one")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1650,6 +1650,8 @@ static bool test_rec_ops_needs_regs(stru
+ static struct ftrace_ops *
+ ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
+ static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude);
++static struct ftrace_ops *
+ ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
+
+ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
+@@ -1787,7 +1789,7 @@ static bool __ftrace_hash_rec_update(str
+ * to it.
+ */
+ if (ftrace_rec_count(rec) == 1 &&
+- ftrace_find_tramp_ops_any(rec))
++ ftrace_find_tramp_ops_any_other(rec, ops))
+ rec->flags |= FTRACE_FL_TRAMP;
+ else
+ rec->flags &= ~FTRACE_FL_TRAMP;
+@@ -2209,6 +2211,24 @@ ftrace_find_tramp_ops_any(struct dyn_ftr
+ continue;
+
+ if (hash_contains_ip(ip, op->func_hash))
++ return op;
++ } while_for_each_ftrace_op(op);
++
++ return NULL;
++}
++
++static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude)
++{
++ struct ftrace_ops *op;
++ unsigned long ip = rec->ip;
++
++ do_for_each_ftrace_op(op, ftrace_ops_list) {
++
++ if (op == op_exclude || !op->trampoline)
++ continue;
++
++ if (hash_contains_ip(ip, op->func_hash))
+ return op;
+ } while_for_each_ftrace_op(op);
+
--- /dev/null
+From 61e6fe59ede155881a622f5901551b1cc8748f6a Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Fri, 9 Oct 2020 13:03:20 +0200
+Subject: i2c: imx: Don't generate STOP condition if arbitration has been lost
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 61e6fe59ede155881a622f5901551b1cc8748f6a upstream.
+
+If arbitration is lost, the master automatically changes to slave mode.
+I2SR_IBB may or may not be reset by hardware. Raising a STOP condition
+by resetting I2CR_MSTA has no effect and will not clear I2SR_IBB.
+
+So calling i2c_imx_bus_busy() is not required and would busy-wait until
+timeout.
+
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Tested (not extensively) on Vybrid VF500 (Toradex VF50):
+Tested-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org # Requires trivial backporting, simple remove
+ # the 3rd argument from the calls to
+ # i2c_imx_bus_busy().
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -557,6 +557,8 @@ static void i2c_imx_stop(struct imx_i2c_
+ /* Stop I2C transaction */
+ dev_dbg(&i2c_imx->adapter.dev, "<%s>\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ if (i2c_imx->dma)
+ temp &= ~I2CR_DMAEN;
+@@ -722,9 +724,12 @@ static int i2c_imx_dma_read(struct imx_i
+ */
+ dev_dbg(dev, "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
+@@ -847,9 +852,12 @@ static int i2c_imx_read(struct imx_i2c_s
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
--- /dev/null
+From 9ea69a55b3b9a71cded9726af591949c1138f235 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Thu, 26 Nov 2020 09:28:52 +0100
+Subject: powerpc/pseries: Pass MSI affinity to irq_create_mapping()
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+commit 9ea69a55b3b9a71cded9726af591949c1138f235 upstream.
+
+With virtio multiqueue, normally each queue IRQ is mapped to a CPU.
+
+Commit 0d9f0a52c8b9f ("virtio_scsi: use virtio IRQ affinity") exposed
+an existing shortcoming of the arch code by moving virtio_scsi to
+the automatic IRQ affinity assignment.
+
+The affinity is correctly computed in msi_desc but this is not applied
+to the system IRQs.
+
+It appears the affinity is correctly passed to rtas_setup_msi_irqs() but
+lost at this point and never passed to irq_domain_alloc_descs()
+(see commit 06ee6d571f0e ("genirq: Add affinity hint to irq allocation"))
+because irq_create_mapping() doesn't take an affinity parameter.
+
+Use the new irq_create_mapping_affinity() function, which allows to forward
+the affinity setting from rtas_setup_msi_irqs() to irq_domain_alloc_descs().
+
+With this change, the virtqueues are correctly dispatched between the CPUs
+on pseries.
+
+Fixes: e75eafb9b039 ("genirq/msi: Switch to new irq spreading infrastructure")
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201126082852.1178497-3-lvivier@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/msi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -462,7 +462,8 @@ again:
+ return hwirq;
+ }
+
+- virq = irq_create_mapping(NULL, hwirq);
++ virq = irq_create_mapping_affinity(NULL, hwirq,
++ entry->affinity);
+
+ if (!virq) {
+ pr_debug("rtas_msi: Failed mapping hwirq %d\n", hwirq);
--- /dev/null
+From 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 Mon Sep 17 00:00:00 2001
+From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Date: Wed, 25 Nov 2020 15:18:38 +0530
+Subject: scsi: mpt3sas: Fix ioctl timeout
+
+From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+
+commit 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 upstream.
+
+Commit c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol
+level reset") modified the ioctl path 'timeout' variable type to u8 from
+unsigned long, limiting the maximum timeout value that the driver can
+support to 255 seconds.
+
+If the management application is requesting a higher value the resulting
+timeout will be zero. The operation times out immediately and the ioctl
+request fails.
+
+Change datatype back to unsigned long.
+
+Link: https://lore.kernel.org/r/20201125094838.4340-1-suganath-prabu.subramani@broadcom.com
+Fixes: c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol level reset")
+Cc: <stable@vger.kernel.org> #v4.18+
+Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -654,7 +654,7 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPT
+ struct _pcie_device *pcie_device = NULL;
+ u32 ioc_state;
+ u16 smid;
+- u8 timeout;
++ unsigned long timeout;
+ u8 issue_reset;
+ u32 sz, sz_arg;
+ void *psge;
alsa-hda-realtek-enable-headset-of-asus-ux482eg-b9400cea-with-alc294.patch
alsa-hda-realtek-add-new-codec-supported-for-alc897.patch
alsa-hda-generic-add-option-to-enforce-preferred_dacs-pairs.patch
+ftrace-fix-updating-ftrace_fl_tramp.patch
+cifs-fix-potential-use-after-free-in-cifs_echo_request.patch
+i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch
+scsi-mpt3sas-fix-ioctl-timeout.patch
+dm-writecache-fix-the-maximum-number-of-arguments.patch
+powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch
+dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
