fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch b/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch
new file mode 100644 (file)
index 0000000..f5db5a0
--- /dev/null
+++ b/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch
@@ -0,0 +1,75 @@
+From 690a32e5298ee4fc3344cc594ea46584b6e00baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 21:36:57 +0000
+Subject: EDAC/ghes: Do not warn when incrementing refcount on 0
+
+From: Robert Richter <rrichter@marvell.com>
+
+[ Upstream commit 16214bd9e43a31683a7073664b000029bba00354 ]
+
+The following warning from the refcount framework is seen during ghes
+initialization:
+
+  EDAC MC0: Giving out device to module ghes_edac.c controller ghes_edac: DEV ghes (INTERRUPT)
+  ------------[ cut here ]------------
+  refcount_t: increment on 0; use-after-free.
+  WARNING: CPU: 36 PID: 1 at lib/refcount.c:156 refcount_inc_checked
+ [...]
+  Call trace:
+   refcount_inc_checked
+   ghes_edac_register
+   ghes_probe
+   ...
+
+It warns if the refcount is incremented from zero. This warning is
+reasonable as a kernel object is typically created with a refcount of
+one and freed once the refcount is zero. Afterwards the object would be
+"used-after-free".
+
+For GHES, the refcount is initialized with zero, and that is why this
+message is seen when initializing the first instance. However, whenever
+the refcount is zero, the device will be allocated and registered. Since
+the ghes_reg_mutex protects the refcount and serializes allocation and
+freeing of ghes devices, a use-after-free cannot happen here.
+
+Instead of using refcount_inc() for the first instance, use
+refcount_set(). This can be used here because the refcount is zero at
+this point and can not change due to its protection by the mutex.
+
+Fixes: 23f61b9fc5cc ("EDAC/ghes: Fix locking and memory barrier issues")
+Reported-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Robert Richter <rrichter@marvell.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: John Garry <john.garry@huawei.com>
+Cc: <huangming23@huawei.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: <linuxarm@huawei.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: <tanxiaofei@huawei.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: <wanghuiqiang@huawei.com>
+Link: https://lkml.kernel.org/r/20191121213628.21244-1-rrichter@marvell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ghes_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c
+index f6f6a688c009d..296e714bf5532 100644
+--- a/drivers/edac/ghes_edac.c
++++ b/drivers/edac/ghes_edac.c
+@@ -566,8 +566,8 @@ int ghes_edac_register(struct ghes *ghes, struct device *dev)
+       ghes_pvt = pvt;
+       spin_unlock_irqrestore(&ghes_lock, flags);
+ 
+-      /* only increment on success */
+-      refcount_inc(&ghes_refcount);
++      /* only set on success */
++      refcount_set(&ghes_refcount, 1);
+ 
+ unlock:
+       mutex_unlock(&ghes_reg_mutex);
+-- 
+2.20.1
+

diff --git a/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch b/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch
new file mode 100644 (file)
index 0000000..a29fc87
--- /dev/null
+++ b/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch
@@ -0,0 +1,39 @@
+From c0236499dd287d9c649b8294ef2fbdc417701982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 22:21:52 +0100
+Subject: r8169: fix rtl_hw_jumbo_disable for RTL8168evl
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 0fc75219fe9a3c90631453e9870e4f6d956f0ebc ]
+
+In referenced fix we removed the RTL8168e-specific jumbo config for
+RTL8168evl in rtl_hw_jumbo_enable(). We have to do the same in
+rtl_hw_jumbo_disable().
+
+v2: fix referenced commit id
+
+Fixes: 14012c9f3bb9 ("r8169: fix jumbo configuration for RTL8168evl")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 1d67eeeab79d6..235d51ea4d397 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4145,7 +4145,7 @@ static void rtl_hw_jumbo_disable(struct rtl8169_private *tp)
+       case RTL_GIGA_MAC_VER_27 ... RTL_GIGA_MAC_VER_28:
+               r8168dp_hw_jumbo_disable(tp);
+               break;
+-      case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_34:
++      case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_33:
+               r8168e_hw_jumbo_disable(tp);
+               break;
+       default:
+-- 
+2.20.1
+

diff --git a/queue-5.4/series b/queue-5.4/series
index ac294b435a04002c782872652334dd3636e2926b..70f2c31a6e6ec70d7e57c1f551e433e9ee434fb2 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -177,3 +177,5 @@ ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch
 ext4-fix-leak-of-quota-reservations.patch
 blk-mq-make-sure-that-line-break-can-be-printed.patch
 workqueue-fix-missing-kfree-rescuer-in-destroy_workqueue.patch
+r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch
+edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch