5.7-stable patches

added patches:
	ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
	ib-mad-fix-use-after-free-when-destroying-mad-agent.patch

diff --git a/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch b/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
new file mode 100644 (file)
index 0000000..e2e93e1
--- /dev/null
+++ b/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
@@ -0,0 +1,82 @@
+From 822fbd37410639acdae368ea55477ddd3498651d Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Date: Tue, 23 Jun 2020 16:32:30 -0400
+Subject: IB/hfi1: Fix module use count flaw due to leftover module put calls
+
+From: Dennis Dalessandro <dennis.dalessandro@intel.com>
+
+commit 822fbd37410639acdae368ea55477ddd3498651d upstream.
+
+When the try_module_get calls were removed from opening and closing of the
+i2c debugfs file, the corresponding module_put calls were missed.  This
+results in an inaccurate module use count that requires a power cycle to
+fix.
+
+Fixes: 09fbca8e6240 ("IB/hfi1: No need to use try_module_get for debugfs")
+Link: https://lore.kernel.org/r/20200623203230.106975.76240.stgit@awfm-01.aw.intel.com
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/debugfs.c |   19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/debugfs.c
++++ b/drivers/infiniband/hw/hfi1/debugfs.c
+@@ -985,15 +985,10 @@ static ssize_t qsfp2_debugfs_read(struct
+ static int __i2c_debugfs_open(struct inode *in, struct file *fp, u32 target)
+ {
+       struct hfi1_pportdata *ppd;
+-      int ret;
+ 
+       ppd = private2ppd(fp);
+ 
+-      ret = acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+-      if (ret) /* failed - release the module */
+-              module_put(THIS_MODULE);
+-
+-      return ret;
++      return acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+ }
+ 
+ static int i2c1_debugfs_open(struct inode *in, struct file *fp)
+@@ -1013,7 +1008,6 @@ static int __i2c_debugfs_release(struct
+       ppd = private2ppd(fp);
+ 
+       release_chip_resource(ppd->dd, i2c_target(target));
+-      module_put(THIS_MODULE);
+ 
+       return 0;
+ }
+@@ -1031,18 +1025,10 @@ static int i2c2_debugfs_release(struct i
+ static int __qsfp_debugfs_open(struct inode *in, struct file *fp, u32 target)
+ {
+       struct hfi1_pportdata *ppd;
+-      int ret;
+-
+-      if (!try_module_get(THIS_MODULE))
+-              return -ENODEV;
+ 
+       ppd = private2ppd(fp);
+ 
+-      ret = acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+-      if (ret) /* failed - release the module */
+-              module_put(THIS_MODULE);
+-
+-      return ret;
++      return acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+ }
+ 
+ static int qsfp1_debugfs_open(struct inode *in, struct file *fp)
+@@ -1062,7 +1048,6 @@ static int __qsfp_debugfs_release(struct
+       ppd = private2ppd(fp);
+ 
+       release_chip_resource(ppd->dd, i2c_target(target));
+-      module_put(THIS_MODULE);
+ 
+       return 0;
+ }

diff --git a/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch b/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
new file mode 100644 (file)
index 0000000..31af7d0
--- /dev/null
+++ b/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
@@ -0,0 +1,59 @@
+From 116a1b9f1cb769b83e5adff323f977a62b1dcb2e Mon Sep 17 00:00:00 2001
+From: Shay Drory <shayd@mellanox.com>
+Date: Sun, 21 Jun 2020 13:47:35 +0300
+Subject: IB/mad: Fix use after free when destroying MAD agent
+
+From: Shay Drory <shayd@mellanox.com>
+
+commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e upstream.
+
+Currently, when RMPP MADs are processed while the MAD agent is destroyed,
+it could result in use after free of rmpp_recv, as decribed below:
+
+       cpu-0                                           cpu-1
+       -----                                           -----
+ib_mad_recv_done()
+ ib_mad_complete_recv()
+  ib_process_rmpp_recv_wc()
+                                               unregister_mad_agent()
+                                                ib_cancel_rmpp_recvs()
+                                                 cancel_delayed_work()
+   process_rmpp_data()
+    start_rmpp()
+     queue_delayed_work(rmpp_recv->cleanup_work)
+                                                 destroy_rmpp_recv()
+                                                  free_rmpp_recv()
+     cleanup_work()[1]
+      spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
+
+[1] cleanup_work() == recv_cleanup_handler
+
+Fix it by waiting for the MAD agent reference count becoming zero before
+calling to ib_cancel_rmpp_recvs().
+
+Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
+Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
+Signed-off-by: Shay Drory <shayd@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/mad.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -639,10 +639,10 @@ static void unregister_mad_agent(struct
+       xa_erase(&ib_mad_clients, mad_agent_priv->agent.hi_tid);
+ 
+       flush_workqueue(port_priv->wq);
+-      ib_cancel_rmpp_recvs(mad_agent_priv);
+ 
+       deref_mad_agent(mad_agent_priv);
+       wait_for_completion(&mad_agent_priv->comp);
++      ib_cancel_rmpp_recvs(mad_agent_priv);
+ 
+       ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
+ 

diff --git a/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch b/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
index 7c662c013c939834194479f3105a7dd6014fa52a..3e540f8d65110f3781195510dd71ecc52706bc6a 100644 (file)
--- a/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
+++ b/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
@@ -33,28 +33,22 @@ Reviewed-by: Bart Van Assche <bvanassche@acm.org>
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
-diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index c33bbbfd1bd9..475e1a738560 100644
+---
+ drivers/block/loop.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
 --- a/drivers/block/loop.c
 +++ b/drivers/block/loop.c
-@@ -1368,14 +1368,14 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+@@ -1289,7 +1289,7 @@ loop_set_status(struct loop_device *lo,
+       if (lo->lo_offset != info->lo_offset ||
            lo->lo_sizelimit != info->lo_sizelimit) {
-               size_changed = true;
                sync_blockdev(lo->lo_device);
 -              kill_bdev(lo->lo_device);
 +              invalidate_bdev(lo->lo_device);
        }
  
        /* I/O need to be drained during transfer transition */
-       blk_mq_freeze_queue(lo->lo_queue);
- 
-       if (size_changed && lo->lo_device->bd_inode->i_mapping->nrpages) {
--              /* If any pages were dirtied after kill_bdev(), try again */
-+              /* If any pages were dirtied after invalidate_bdev(), try again */
-               err = -EAGAIN;
-               pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
-                       __func__, lo->lo_number, lo->lo_file_name,
-@@ -1615,11 +1615,11 @@ static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
+@@ -1565,11 +1565,11 @@ static int loop_set_block_size(struct lo
                return 0;
  
        sync_blockdev(lo->lo_device);

diff --git a/queue-5.7/series b/queue-5.7/series
index c4a53a9d00098cb2a522e4788d946ed8aefe9eb4..00aa7b81b3f6fe67f8130489250d1dd407ffae18 100644 (file)
--- a/queue-5.7/series
+++ b/queue-5.7/series
@@ -89,3 +89,5 @@ xhci-return-if-xhci-doesn-t-support-lpm.patch
 cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
 risc-v-acquire-mmap-lock-before-invoking-walk_page_range.patch
 loop-replace-kill_bdev-with-invalidate_bdev.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
+ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch