From: Greg Kroah-Hartman Date: Wed, 22 Jan 2020 08:04:10 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.211~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07573815550dde8011e5b11c339ed66634d86c77;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm-dts-imx6qdl-add-engicam-i.core-1.5-mx6.patch clk-sprd-use-is_err-to-validate-the-return-value-of-syscon_regmap_lookup_by_phandle.patch drm-nouveau-bar-gf100-ensure-bar-is-mapped.patch drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch drm-nouveau-mmu-qualify-vmm-during-dtor.patch hwmon-pmbus-ibm-cffps-switch-leds-to-blocking-brightness-call.patch perf-probe-fix-wrong-address-verification.patch regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch scsi-bnx2i-fix-potential-use-after-free.patch scsi-core-scsi_trace-use-get_unaligned_be.patch scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch scsi-qla4xxx-fix-double-free-bug.patch scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch scsi-target-core-fix-a-pr_debug-argument.patch --- diff --git a/queue-4.19/arm-dts-imx6qdl-add-engicam-i.core-1.5-mx6.patch b/queue-4.19/arm-dts-imx6qdl-add-engicam-i.core-1.5-mx6.patch new file mode 100644 index 00000000000..d8b3b501587 --- /dev/null +++ b/queue-4.19/arm-dts-imx6qdl-add-engicam-i.core-1.5-mx6.patch @@ -0,0 +1,64 @@ +From 37c045d25e90038682b845de0a1db43c8301694d Mon Sep 17 00:00:00 2001 +From: Jacopo Mondi +Date: Tue, 14 Aug 2018 15:21:45 +0200 +Subject: ARM: dts: imx6qdl: Add Engicam i.Core 1.5 MX6 + +From: Jacopo Mondi + +commit 37c045d25e90038682b845de0a1db43c8301694d upstream. + +The 1.5 version of Engicam's i.Core MX6 CPU module features a different clock +provider for the ethernet's PHY interface. Adjust the FEC ptp clock to +reference CLK_ENET_REF clock source, and set SION bit of +MX6QDL_PAD_GPIO_16__ENET_REF_CLK to adjust the input path of that pin. + +The newly introduced imx6ql-icore-1.5.dtsi allows to collect in a single +place differences between version '1.0' and '1.5' of the module. + +Reviewed-by: Fabio Estevam +Signed-off-by: Jacopo Mondi +Cc: Daniel Díaz +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6qdl-icore-1.5.dtsi | 34 +++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- /dev/null ++++ b/arch/arm/boot/dts/imx6qdl-icore-1.5.dtsi +@@ -0,0 +1,34 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * Copyright (C) 2018 Jacopo Mondi ++ */ ++ ++#include "imx6qdl-icore.dtsi" ++ ++&iomuxc { ++ pinctrl_enet: enetgrp { ++ fsl,pins = < ++ MX6QDL_PAD_ENET_CRS_DV__ENET_RX_EN 0x1b0b0 ++ MX6QDL_PAD_GPIO_16__ENET_REF_CLK 0x4001b0b0 ++ MX6QDL_PAD_ENET_TX_EN__ENET_TX_EN 0x1b0b0 ++ MX6QDL_PAD_ENET_RXD1__ENET_RX_DATA1 0x1b0b0 ++ MX6QDL_PAD_ENET_RXD0__ENET_RX_DATA0 0x1b0b0 ++ MX6QDL_PAD_ENET_TXD1__ENET_TX_DATA1 0x1b0b0 ++ MX6QDL_PAD_ENET_TXD0__ENET_TX_DATA0 0x1b0b0 ++ MX6QDL_PAD_ENET_MDC__ENET_MDC 0x1b0b0 ++ MX6QDL_PAD_ENET_MDIO__ENET_MDIO 0x1b0b0 ++ MX6QDL_PAD_GPIO_17__GPIO7_IO12 0x1b0b0 ++ >; ++ }; ++}; ++ ++&fec { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_enet>; ++ phy-reset-gpios = <&gpio7 12 GPIO_ACTIVE_LOW>; ++ clocks = <&clks IMX6QDL_CLK_ENET>, ++ <&clks IMX6QDL_CLK_ENET>, ++ <&clks IMX6QDL_CLK_ENET_REF>; ++ phy-mode = "rmii"; ++ status = "okay"; ++}; diff --git a/queue-4.19/clk-sprd-use-is_err-to-validate-the-return-value-of-syscon_regmap_lookup_by_phandle.patch b/queue-4.19/clk-sprd-use-is_err-to-validate-the-return-value-of-syscon_regmap_lookup_by_phandle.patch new file mode 100644 index 00000000000..41c4c0280a8 --- /dev/null +++ b/queue-4.19/clk-sprd-use-is_err-to-validate-the-return-value-of-syscon_regmap_lookup_by_phandle.patch @@ -0,0 +1,33 @@ +From 9629dbdabd1983ef53f125336e1d62d77b1620f9 Mon Sep 17 00:00:00 2001 +From: Baolin Wang +Date: Tue, 8 Oct 2019 15:41:38 +0800 +Subject: clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() + +From: Baolin Wang + +commit 9629dbdabd1983ef53f125336e1d62d77b1620f9 upstream. + +The syscon_regmap_lookup_by_phandle() will never return NULL, thus use +IS_ERR() to validate the return value instead of IS_ERR_OR_NULL(). + +Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure") +Signed-off-by: Baolin Wang +Link: https://lkml.kernel.org/r/1995139bee5248ff3e9d46dc715968f212cfc4cc.1570520268.git.baolin.wang@linaro.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/sprd/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/sprd/common.c ++++ b/drivers/clk/sprd/common.c +@@ -45,7 +45,7 @@ int sprd_clk_regmap_init(struct platform + + if (of_find_property(node, "sprd,syscon", NULL)) { + regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon"); +- if (IS_ERR_OR_NULL(regmap)) { ++ if (IS_ERR(regmap)) { + pr_err("%s: failed to get syscon regmap\n", __func__); + return PTR_ERR(regmap); + } diff --git a/queue-4.19/drm-nouveau-bar-gf100-ensure-bar-is-mapped.patch b/queue-4.19/drm-nouveau-bar-gf100-ensure-bar-is-mapped.patch new file mode 100644 index 00000000000..dd0796b9a6b --- /dev/null +++ b/queue-4.19/drm-nouveau-bar-gf100-ensure-bar-is-mapped.patch @@ -0,0 +1,33 @@ +From 12e08beb32d64b6070b718630490db83dd321c8c Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:17 -0600 +Subject: drm/nouveau/bar/gf100: ensure BAR is mapped + +From: Jon Derrick + +commit 12e08beb32d64b6070b718630490db83dd321c8c upstream. + +If the BAR is zero size, it indicates it was never successfully mapped. +Ensure that the BAR is valid during initialization before attempting to +use it. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Signed-off-by: Sushma Kalakota +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c +@@ -94,6 +94,8 @@ gf100_bar_oneinit_bar(struct gf100_bar * + return ret; + + bar_len = device->func->resource_size(device, bar_nr); ++ if (!bar_len) ++ return -ENOMEM; + if (bar_nr == 3 && bar->bar2_halve) + bar_len >>= 1; + diff --git a/queue-4.19/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch b/queue-4.19/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch new file mode 100644 index 00000000000..59f44fedd90 --- /dev/null +++ b/queue-4.19/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch @@ -0,0 +1,31 @@ +From 307a312df9c43fdea286ad17f748aaf777cc434a Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:15 -0600 +Subject: drm/nouveau/bar/nv50: check bar1 vmm return value + +From: Jon Derrick + +commit 307a312df9c43fdea286ad17f748aaf777cc434a upstream. + +Check bar1's new vmm creation return value for errors. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Signed-off-by: Sushma Kalakota +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c +@@ -174,6 +174,8 @@ nv50_bar_oneinit(struct nvkm_bar *base) + + ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0, + &bar1_lock, "bar1", &bar->bar1_vmm); ++ if (ret) ++ return ret; + + atomic_inc(&bar->bar1_vmm->engref[NVKM_SUBDEV_BAR]); + bar->bar1_vmm->debug = bar->base.subdev.debug; diff --git a/queue-4.19/drm-nouveau-mmu-qualify-vmm-during-dtor.patch b/queue-4.19/drm-nouveau-mmu-qualify-vmm-during-dtor.patch new file mode 100644 index 00000000000..3b8889f85bb --- /dev/null +++ b/queue-4.19/drm-nouveau-mmu-qualify-vmm-during-dtor.patch @@ -0,0 +1,33 @@ +From 15516bf9abaa41421a6ded79a5a2fee86f9594e5 Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:18 -0600 +Subject: drm/nouveau/mmu: qualify vmm during dtor + +From: Jon Derrick + +commit 15516bf9abaa41421a6ded79a5a2fee86f9594e5 upstream. + +If the BAR initialization failed it may leave the vmm structure in an +unitialized state, leading to a null-pointer-dereference when the vmm is +dereferenced during teardown. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Signed-off-by: Sushma Kalakota +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +@@ -1423,7 +1423,7 @@ nvkm_vmm_get(struct nvkm_vmm *vmm, u8 pa + void + nvkm_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst) + { +- if (inst && vmm->func->part) { ++ if (inst && vmm && vmm->func->part) { + mutex_lock(&vmm->mutex); + vmm->func->part(vmm, inst); + mutex_unlock(&vmm->mutex); diff --git a/queue-4.19/hwmon-pmbus-ibm-cffps-switch-leds-to-blocking-brightness-call.patch b/queue-4.19/hwmon-pmbus-ibm-cffps-switch-leds-to-blocking-brightness-call.patch new file mode 100644 index 00000000000..7f031859164 --- /dev/null +++ b/queue-4.19/hwmon-pmbus-ibm-cffps-switch-leds-to-blocking-brightness-call.patch @@ -0,0 +1,58 @@ +From 9861ff954c7e83e2f738ce16fbe15f8a1e121771 Mon Sep 17 00:00:00 2001 +From: Eddie James +Date: Wed, 6 Nov 2019 14:01:05 -0600 +Subject: hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call + +From: Eddie James + +commit 9861ff954c7e83e2f738ce16fbe15f8a1e121771 upstream. + +Since i2c_smbus functions can sleep, the brightness setting function +for this driver must be the blocking version to avoid scheduling while +atomic. + +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20191106200106.29519-2-eajames@linux.ibm.com +Fixes: ef9e1cdf419a3 ("hwmon: (pmbus/cffps) Add led class device for power supply fault led") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/pmbus/ibm-cffps.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/hwmon/pmbus/ibm-cffps.c ++++ b/drivers/hwmon/pmbus/ibm-cffps.c +@@ -269,8 +269,8 @@ static int ibm_cffps_read_word_data(stru + return rc; + } + +-static void ibm_cffps_led_brightness_set(struct led_classdev *led_cdev, +- enum led_brightness brightness) ++static int ibm_cffps_led_brightness_set(struct led_classdev *led_cdev, ++ enum led_brightness brightness) + { + int rc; + struct ibm_cffps *psu = container_of(led_cdev, struct ibm_cffps, led); +@@ -286,9 +286,11 @@ static void ibm_cffps_led_brightness_set + rc = i2c_smbus_write_byte_data(psu->client, CFFPS_SYS_CONFIG_CMD, + psu->led_state); + if (rc < 0) +- return; ++ return rc; + + led_cdev->brightness = brightness; ++ ++ return 0; + } + + static int ibm_cffps_led_blink_set(struct led_classdev *led_cdev, +@@ -324,7 +326,7 @@ static void ibm_cffps_create_led_class(s + client->addr); + psu->led.name = psu->led_name; + psu->led.max_brightness = LED_FULL; +- psu->led.brightness_set = ibm_cffps_led_brightness_set; ++ psu->led.brightness_set_blocking = ibm_cffps_led_brightness_set; + psu->led.blink_set = ibm_cffps_led_blink_set; + + rc = devm_led_classdev_register(dev, &psu->led); diff --git a/queue-4.19/perf-probe-fix-wrong-address-verification.patch b/queue-4.19/perf-probe-fix-wrong-address-verification.patch new file mode 100644 index 00000000000..d7668b29689 --- /dev/null +++ b/queue-4.19/perf-probe-fix-wrong-address-verification.patch @@ -0,0 +1,126 @@ +From 07d369857808b7e8e471bbbbb0074a6718f89b31 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Fri, 25 Oct 2019 17:46:25 +0900 +Subject: perf probe: Fix wrong address verification + +From: Masami Hiramatsu + +commit 07d369857808b7e8e471bbbbb0074a6718f89b31 upstream. + +Since there are some DIE which has only ranges instead of the +combination of entrypc/highpc, address verification must use +dwarf_haspc() instead of dwarf_entrypc/dwarf_highpc. + +Also, the ranges only DIE will have a partial code in different section +(e.g. unlikely code will be in text.unlikely as "FUNC.cold" symbol). In +that case, we can not use dwarf_entrypc() or die_entrypc(), because the +offset from original DIE can be a minus value. + +Instead, this simply gets the symbol and offset from symtab. + +Without this patch; + + # perf probe -D clear_tasks_mm_cpumask:1 + Failed to get entry address of clear_tasks_mm_cpumask + Error: Failed to add events. + +And with this patch: + + # perf probe -D clear_tasks_mm_cpumask:1 + p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0 + p:probe/clear_tasks_mm_cpumask_1 clear_tasks_mm_cpumask+5 + p:probe/clear_tasks_mm_cpumask_2 clear_tasks_mm_cpumask+8 + p:probe/clear_tasks_mm_cpumask_3 clear_tasks_mm_cpumask+16 + p:probe/clear_tasks_mm_cpumask_4 clear_tasks_mm_cpumask+82 + +Committer testing: + +I managed to reproduce the above: + + [root@quaco ~]# perf probe -D clear_tasks_mm_cpumask:1 + p:probe/clear_tasks_mm_cpumask _text+919968 + p:probe/clear_tasks_mm_cpumask_1 _text+919973 + p:probe/clear_tasks_mm_cpumask_2 _text+919976 + [root@quaco ~]# + +But then when trying to actually put the probe in place, it fails if I +use :0 as the offset: + + [root@quaco ~]# perf probe -L clear_tasks_mm_cpumask | head -5 + + 0 void clear_tasks_mm_cpumask(int cpu) + 1 { + 2 struct task_struct *p; + + [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0 + Probe point 'clear_tasks_mm_cpumask' not found. + Error: Failed to add events. + [root@quaco + +The next patch is needed to fix this case. + +Fixes: 576b523721b7 ("perf probe: Fix probing symbols with optimization suffix") +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Signed-off-by: Masami Hiramatsu +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199318513.8075.10463906803299647907.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/probe-finder.c | 32 ++++++++++---------------------- + 1 file changed, 10 insertions(+), 22 deletions(-) + +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -612,38 +612,26 @@ static int convert_to_trace_point(Dwarf_ + const char *function, + struct probe_trace_point *tp) + { +- Dwarf_Addr eaddr, highaddr; ++ Dwarf_Addr eaddr; + GElf_Sym sym; + const char *symbol; + + /* Verify the address is correct */ +- if (dwarf_entrypc(sp_die, &eaddr) != 0) { +- pr_warning("Failed to get entry address of %s\n", +- dwarf_diename(sp_die)); +- return -ENOENT; +- } +- if (dwarf_highpc(sp_die, &highaddr) != 0) { +- pr_warning("Failed to get end address of %s\n", +- dwarf_diename(sp_die)); +- return -ENOENT; +- } +- if (paddr > highaddr) { +- pr_warning("Offset specified is greater than size of %s\n", ++ if (!dwarf_haspc(sp_die, paddr)) { ++ pr_warning("Specified offset is out of %s\n", + dwarf_diename(sp_die)); + return -EINVAL; + } + +- symbol = dwarf_diename(sp_die); ++ /* Try to get actual symbol name from symtab */ ++ symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL); + if (!symbol) { +- /* Try to get the symbol name from symtab */ +- symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL); +- if (!symbol) { +- pr_warning("Failed to find symbol at 0x%lx\n", +- (unsigned long)paddr); +- return -ENOENT; +- } +- eaddr = sym.st_value; ++ pr_warning("Failed to find symbol at 0x%lx\n", ++ (unsigned long)paddr); ++ return -ENOENT; + } ++ eaddr = sym.st_value; ++ + tp->offset = (unsigned long)(paddr - eaddr); + tp->address = (unsigned long)paddr; + tp->symbol = strdup(symbol); diff --git a/queue-4.19/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch b/queue-4.19/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch new file mode 100644 index 00000000000..91222c9baaa --- /dev/null +++ b/queue-4.19/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch @@ -0,0 +1,39 @@ +From 458ea3ad033fc86e291712ce50cbe60c3428cf30 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 6 Nov 2019 18:31:25 +0100 +Subject: regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id + +From: Stephan Gerhold + +commit 458ea3ad033fc86e291712ce50cbe60c3428cf30 upstream. + +Those regulators are not actually supported by the AB8500 regulator +driver. There is no ab8500_regulator_info for them and no entry in +ab8505_regulator_match. + +As such, they cannot be registered successfully, and looking them +up in ab8505_regulator_match causes an out-of-bounds array read. + +Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505") +Cc: Linus Walleij +Signed-off-by: Stephan Gerhold +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20191106173125.14496-2-stephan@gerhold.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/regulator/ab8500.h | 2 -- + 1 file changed, 2 deletions(-) + +--- a/include/linux/regulator/ab8500.h ++++ b/include/linux/regulator/ab8500.h +@@ -43,8 +43,6 @@ enum ab8505_regulator_id { + AB8505_LDO_ANAMIC2, + AB8505_LDO_AUX8, + AB8505_LDO_ANA, +- AB8505_SYSCLKREQ_2, +- AB8505_SYSCLKREQ_4, + AB8505_NUM_REGULATORS, + }; + diff --git a/queue-4.19/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch b/queue-4.19/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch new file mode 100644 index 00000000000..96b2a7640ed --- /dev/null +++ b/queue-4.19/reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch @@ -0,0 +1,51 @@ +From 394440d469413fa9b74f88a11f144d76017221f2 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Wed, 15 Jan 2020 13:00:59 -0500 +Subject: reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr + +From: Jeff Mahoney + +commit 394440d469413fa9b74f88a11f144d76017221f2 upstream. + +Commit 60e4cf67a58 (reiserfs: fix extended attributes on the root +directory) introduced a regression open_xa_root started returning +-EOPNOTSUPP but it was not handled properly in reiserfs_for_each_xattr. + +When the reiserfs module is built without CONFIG_REISERFS_FS_XATTR, +deleting an inode would result in a warning and chowning an inode +would also result in a warning and then fail to complete. + +With CONFIG_REISERFS_FS_XATTR enabled, the xattr root would always be +present for read-write operations. + +This commit handles -EOPNOSUPP in the same way -ENODATA is handled. + +Fixes: 60e4cf67a582 ("reiserfs: fix extended attributes on the root directory") +CC: stable@vger.kernel.org # Commit 60e4cf67a58 was picked up by stable +Link: https://lore.kernel.org/r/20200115180059.6935-1-jeffm@suse.com +Reported-by: Michael Brunnbauer +Signed-off-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/xattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -319,8 +319,12 @@ static int reiserfs_for_each_xattr(struc + out_dir: + dput(dir); + out: +- /* -ENODATA isn't an error */ +- if (err == -ENODATA) ++ /* ++ * -ENODATA: this object doesn't have any xattrs ++ * -EOPNOTSUPP: this file system doesn't have xattrs enabled on disk. ++ * Neither are errors ++ */ ++ if (err == -ENODATA || err == -EOPNOTSUPP) + err = 0; + return err; + } diff --git a/queue-4.19/scsi-bnx2i-fix-potential-use-after-free.patch b/queue-4.19/scsi-bnx2i-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..450c17e0d1f --- /dev/null +++ b/queue-4.19/scsi-bnx2i-fix-potential-use-after-free.patch @@ -0,0 +1,39 @@ +From 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 6 Nov 2019 20:32:21 +0800 +Subject: scsi: bnx2i: fix potential use after free + +From: Pan Bian + +commit 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 upstream. + +The member hba->pcidev may be used after its reference is dropped. Move the +put function to where it is never used to avoid potential use after free +issues. + +Fixes: a77171806515 ("[SCSI] bnx2i: Removed the reference to the netdev->base_addr") +Link: https://lore.kernel.org/r/1573043541-19126-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c ++++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c +@@ -915,12 +915,12 @@ void bnx2i_free_hba(struct bnx2i_hba *hb + INIT_LIST_HEAD(&hba->ep_ofld_list); + INIT_LIST_HEAD(&hba->ep_active_list); + INIT_LIST_HEAD(&hba->ep_destroy_list); +- pci_dev_put(hba->pcidev); + + if (hba->regview) { + pci_iounmap(hba->pcidev, hba->regview); + hba->regview = NULL; + } ++ pci_dev_put(hba->pcidev); + bnx2i_free_mp_bdt(hba); + bnx2i_release_free_cid_que(hba); + iscsi_host_free(shost); diff --git a/queue-4.19/scsi-core-scsi_trace-use-get_unaligned_be.patch b/queue-4.19/scsi-core-scsi_trace-use-get_unaligned_be.patch new file mode 100644 index 00000000000..2c5ce5c2095 --- /dev/null +++ b/queue-4.19/scsi-core-scsi_trace-use-get_unaligned_be.patch @@ -0,0 +1,206 @@ +From b1335f5b0486f61fb66b123b40f8e7a98e49605d Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 1 Nov 2019 14:14:47 -0700 +Subject: scsi: core: scsi_trace: Use get_unaligned_be*() + +From: Bart Van Assche + +commit b1335f5b0486f61fb66b123b40f8e7a98e49605d upstream. + +This patch fixes an unintended sign extension on left shifts. From Colin +King: "Shifting a u8 left will cause the value to be promoted to an +integer. If the top bit of the u8 is set then the following conversion to +an u64 will sign extend the value causing the upper 32 bits to be set in +the result." + +Fix this by using get_unaligned_be*() instead. + +Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org +Reported-by: Colin Ian King +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_trace.c | 103 ++++++++++++---------------------------------- + 1 file changed, 28 insertions(+), 75 deletions(-) + +--- a/drivers/scsi/scsi_trace.c ++++ b/drivers/scsi/scsi_trace.c +@@ -21,7 +21,7 @@ + #include + + #define SERVICE_ACTION16(cdb) (cdb[1] & 0x1f) +-#define SERVICE_ACTION32(cdb) ((cdb[8] << 8) | cdb[9]) ++#define SERVICE_ACTION32(cdb) (get_unaligned_be16(&cdb[8])) + + static const char * + scsi_trace_misc(struct trace_seq *, unsigned char *, int); +@@ -51,17 +51,12 @@ static const char * + scsi_trace_rw10(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba, txlen; + +- lba |= (cdb[2] << 24); +- lba |= (cdb[3] << 16); +- lba |= (cdb[4] << 8); +- lba |= cdb[5]; +- txlen |= (cdb[7] << 8); +- txlen |= cdb[8]; ++ lba = get_unaligned_be32(&cdb[2]); ++ txlen = get_unaligned_be16(&cdb[7]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + + if (cdb[0] == WRITE_SAME) +@@ -76,19 +71,12 @@ static const char * + scsi_trace_rw12(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba, txlen; + +- lba |= (cdb[2] << 24); +- lba |= (cdb[3] << 16); +- lba |= (cdb[4] << 8); +- lba |= cdb[5]; +- txlen |= (cdb[6] << 24); +- txlen |= (cdb[7] << 16); +- txlen |= (cdb[8] << 8); +- txlen |= cdb[9]; ++ lba = get_unaligned_be32(&cdb[2]); ++ txlen = get_unaligned_be32(&cdb[6]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + trace_seq_putc(p, 0); + +@@ -99,23 +87,13 @@ static const char * + scsi_trace_rw16(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u64 lba; ++ u32 txlen; + +- lba |= ((u64)cdb[2] << 56); +- lba |= ((u64)cdb[3] << 48); +- lba |= ((u64)cdb[4] << 40); +- lba |= ((u64)cdb[5] << 32); +- lba |= (cdb[6] << 24); +- lba |= (cdb[7] << 16); +- lba |= (cdb[8] << 8); +- lba |= cdb[9]; +- txlen |= (cdb[10] << 24); +- txlen |= (cdb[11] << 16); +- txlen |= (cdb[12] << 8); +- txlen |= cdb[13]; ++ lba = get_unaligned_be64(&cdb[2]); ++ txlen = get_unaligned_be32(&cdb[10]); + +- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u", +- (unsigned long long)lba, (unsigned long long)txlen, ++ trace_seq_printf(p, "lba=%llu txlen=%u protect=%u", lba, txlen, + cdb[1] >> 5); + + if (cdb[0] == WRITE_SAME_16) +@@ -130,8 +108,8 @@ static const char * + scsi_trace_rw32(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p), *cmd; +- sector_t lba = 0, txlen = 0; +- u32 ei_lbrt = 0; ++ u64 lba; ++ u32 ei_lbrt, txlen; + + switch (SERVICE_ACTION32(cdb)) { + case READ_32: +@@ -151,26 +129,12 @@ scsi_trace_rw32(struct trace_seq *p, uns + goto out; + } + +- lba |= ((u64)cdb[12] << 56); +- lba |= ((u64)cdb[13] << 48); +- lba |= ((u64)cdb[14] << 40); +- lba |= ((u64)cdb[15] << 32); +- lba |= (cdb[16] << 24); +- lba |= (cdb[17] << 16); +- lba |= (cdb[18] << 8); +- lba |= cdb[19]; +- ei_lbrt |= (cdb[20] << 24); +- ei_lbrt |= (cdb[21] << 16); +- ei_lbrt |= (cdb[22] << 8); +- ei_lbrt |= cdb[23]; +- txlen |= (cdb[28] << 24); +- txlen |= (cdb[29] << 16); +- txlen |= (cdb[30] << 8); +- txlen |= cdb[31]; +- +- trace_seq_printf(p, "%s_32 lba=%llu txlen=%llu protect=%u ei_lbrt=%u", +- cmd, (unsigned long long)lba, +- (unsigned long long)txlen, cdb[10] >> 5, ei_lbrt); ++ lba = get_unaligned_be64(&cdb[12]); ++ ei_lbrt = get_unaligned_be32(&cdb[20]); ++ txlen = get_unaligned_be32(&cdb[28]); ++ ++ trace_seq_printf(p, "%s_32 lba=%llu txlen=%u protect=%u ei_lbrt=%u", ++ cmd, lba, txlen, cdb[10] >> 5, ei_lbrt); + + if (SERVICE_ACTION32(cdb) == WRITE_SAME_32) + trace_seq_printf(p, " unmap=%u", cdb[10] >> 3 & 1); +@@ -185,7 +149,7 @@ static const char * + scsi_trace_unmap(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- unsigned int regions = cdb[7] << 8 | cdb[8]; ++ unsigned int regions = get_unaligned_be16(&cdb[7]); + + trace_seq_printf(p, "regions=%u", (regions - 8) / 16); + trace_seq_putc(p, 0); +@@ -197,8 +161,8 @@ static const char * + scsi_trace_service_action_in(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p), *cmd; +- sector_t lba = 0; +- u32 alloc_len = 0; ++ u64 lba; ++ u32 alloc_len; + + switch (SERVICE_ACTION16(cdb)) { + case SAI_READ_CAPACITY_16: +@@ -212,21 +176,10 @@ scsi_trace_service_action_in(struct trac + goto out; + } + +- lba |= ((u64)cdb[2] << 56); +- lba |= ((u64)cdb[3] << 48); +- lba |= ((u64)cdb[4] << 40); +- lba |= ((u64)cdb[5] << 32); +- lba |= (cdb[6] << 24); +- lba |= (cdb[7] << 16); +- lba |= (cdb[8] << 8); +- lba |= cdb[9]; +- alloc_len |= (cdb[10] << 24); +- alloc_len |= (cdb[11] << 16); +- alloc_len |= (cdb[12] << 8); +- alloc_len |= cdb[13]; ++ lba = get_unaligned_be64(&cdb[2]); ++ alloc_len = get_unaligned_be32(&cdb[10]); + +- trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, +- (unsigned long long)lba, alloc_len); ++ trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, lba, alloc_len); + + out: + trace_seq_putc(p, 0); diff --git a/queue-4.19/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch b/queue-4.19/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch new file mode 100644 index 00000000000..4aaadcdcc59 --- /dev/null +++ b/queue-4.19/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch @@ -0,0 +1,31 @@ +From 906ca6353ac09696c1bf0892513c8edffff5e0a6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 22 Oct 2019 13:23:24 +0300 +Subject: scsi: esas2r: unlock on error in esas2r_nvram_read_direct() + +From: Dan Carpenter + +commit 906ca6353ac09696c1bf0892513c8edffff5e0a6 upstream. + +This error path is missing an unlock. + +Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver") +Link: https://lore.kernel.org/r/20191022102324.GA27540@mwanda +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/esas2r/esas2r_flash.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/esas2r/esas2r_flash.c ++++ b/drivers/scsi/esas2r/esas2r_flash.c +@@ -1197,6 +1197,7 @@ bool esas2r_nvram_read_direct(struct esa + if (!esas2r_read_flash_block(a, a->nvram, FLS_OFFSET_NVR, + sizeof(struct esas2r_sas_nvram))) { + esas2r_hdebug("NVRAM read failed, using defaults"); ++ up(&a->nvram_semaphore); + return false; + } + diff --git a/queue-4.19/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch b/queue-4.19/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch new file mode 100644 index 00000000000..6a3fb8a18a5 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch @@ -0,0 +1,56 @@ +From 45dc8f2d9c94ed74a5e31e63e9136a19a7e16081 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 21 Nov 2019 13:40:47 +0800 +Subject: scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI + +From: Huacai Chen + +commit 45dc8f2d9c94ed74a5e31e63e9136a19a7e16081 upstream. + +Commit 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/ +pci_free_irq_vectors calls.") use pci_alloc_irq_vectors() to replace +pci_enable_msi() but it didn't handle the return value correctly. This bug +make qla2x00 always fail to setup MSI if MSI-X fail, so fix it. + +BTW, improve the log message of return value in qla2x00_request_irqs() to +avoid confusion. + +Fixes: 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/pci_free_irq_vectors calls.") +Cc: Michael Hernandez +Link: https://lore.kernel.org/r/1574314847-14280-1-git-send-email-chenhc@lemote.com +Signed-off-by: Huacai Chen +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_isr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3573,7 +3573,7 @@ qla2x00_request_irqs(struct qla_hw_data + skip_msix: + + ql_log(ql_log_info, vha, 0x0037, +- "Falling back-to MSI mode -%d.\n", ret); ++ "Falling back-to MSI mode -- ret=%d.\n", ret); + + if (!IS_QLA24XX(ha) && !IS_QLA2532(ha) && !IS_QLA8432(ha) && + !IS_QLA8001(ha) && !IS_P3P_TYPE(ha) && !IS_QLAFX00(ha) && +@@ -3581,13 +3581,13 @@ skip_msix: + goto skip_msi; + + ret = pci_alloc_irq_vectors(ha->pdev, 1, 1, PCI_IRQ_MSI); +- if (!ret) { ++ if (ret > 0) { + ql_dbg(ql_dbg_init, vha, 0x0038, + "MSI: Enabled.\n"); + ha->flags.msi_enabled = 1; + } else + ql_log(ql_log_warn, vha, 0x0039, +- "Falling back-to INTa mode -- %d.\n", ret); ++ "Falling back-to INTa mode -- ret=%d.\n", ret); + skip_msi: + + /* Skip INTx on ISP82xx. */ diff --git a/queue-4.19/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch b/queue-4.19/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch new file mode 100644 index 00000000000..9a6b428014a --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch @@ -0,0 +1,47 @@ +From d341e9a8f2cffe4000c610225c629f62c7489c74 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Fri, 22 Nov 2019 22:19:22 +0000 +Subject: scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan + +From: Martin Wilck + +commit d341e9a8f2cffe4000c610225c629f62c7489c74 upstream. + +In qla2x00_find_all_fabric_devs(), fcport->flags & FCF_LOGIN_NEEDED is a +necessary condition for logging into new rports, but not for dropping lost +ones. + +Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") +Link: https://lore.kernel.org/r/20191122221912.20100-2-martin.wilck@suse.com +Tested-by: David Bond +Signed-off-by: Martin Wilck +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5710,8 +5710,7 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho + if (test_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags)) + break; + +- if ((fcport->flags & FCF_FABRIC_DEVICE) == 0 || +- (fcport->flags & FCF_LOGIN_NEEDED) == 0) ++ if ((fcport->flags & FCF_FABRIC_DEVICE) == 0) + continue; + + if (fcport->scan_state == QLA_FCPORT_SCAN) { +@@ -5734,7 +5733,8 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho + } + } + +- if (fcport->scan_state == QLA_FCPORT_FOUND) ++ if (fcport->scan_state == QLA_FCPORT_FOUND && ++ (fcport->flags & FCF_LOGIN_NEEDED) != 0) + qla24xx_fcport_handle_login(vha, fcport); + } + return (rval); diff --git a/queue-4.19/scsi-qla4xxx-fix-double-free-bug.patch b/queue-4.19/scsi-qla4xxx-fix-double-free-bug.patch new file mode 100644 index 00000000000..5f346df4e9b --- /dev/null +++ b/queue-4.19/scsi-qla4xxx-fix-double-free-bug.patch @@ -0,0 +1,36 @@ +From 3fe3d2428b62822b7b030577cd612790bdd8c941 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Tue, 5 Nov 2019 17:25:27 +0800 +Subject: scsi: qla4xxx: fix double free bug + +From: Pan Bian + +commit 3fe3d2428b62822b7b030577cd612790bdd8c941 upstream. + +The variable init_fw_cb is released twice, resulting in a double free +bug. The call to the function dma_free_coherent() before goto is removed to +get rid of potential double free. + +Fixes: 2a49a78ed3c8 ("[SCSI] qla4xxx: added IPv6 support.") +Link: https://lore.kernel.org/r/1572945927-27796-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla4xxx/ql4_mbx.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/scsi/qla4xxx/ql4_mbx.c ++++ b/drivers/scsi/qla4xxx/ql4_mbx.c +@@ -640,9 +640,6 @@ int qla4xxx_initialize_fw_cb(struct scsi + + if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) != + QLA_SUCCESS) { +- dma_free_coherent(&ha->pdev->dev, +- sizeof(struct addr_ctrl_blk), +- init_fw_cb, init_fw_cb_dma); + goto exit_init_fw_cb; + } + diff --git a/queue-4.19/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch b/queue-4.19/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch new file mode 100644 index 00000000000..1e892a62ac0 --- /dev/null +++ b/queue-4.19/scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch @@ -0,0 +1,119 @@ +From 82ea3e0e129e2ab913dd6684bab7a6e5e9896dee Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Wed, 20 Nov 2019 17:39:15 +0800 +Subject: scsi: scsi_transport_sas: Fix memory leak when removing devices + +From: John Garry + +commit 82ea3e0e129e2ab913dd6684bab7a6e5e9896dee upstream. + +Removing a non-host rphy causes a memory leak: + +root@(none)$ echo 0 > /sys/devices/platform/HISI0162:01/host0/port-0:0/expander-0:0/port-0:0:10/phy-0:0:10/sas_phy/phy-0:0:10/enable +[ 79.857888] hisi_sas_v2_hw HISI0162:01: dev[7:1] is gone +root@(none)$ echo scan > /sys/kernel/debug/kmemleak +[ 131.656603] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +root@(none)$ more /sys/kernel/debug/kmemleak +unreferenced object 0xffff041da5c66000 (size 256): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 5e c6 a5 1d 04 ff ff 01 00 00 00 00 00 00 00 .^.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] kmem_cache_alloc+0x188/0x260 + [<(____ptrval____)>] bsg_setup_queue+0x48/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +unreferenced object 0xffff041d8c075400 (size 128): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 40 25 97 1d 00 ff ff 00 00 00 00 00 00 00 00 .@%............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8 + [<(____ptrval____)>] blk_mq_realloc_tag_set_tags.part.70+0x48/0xd8 + [<(____ptrval____)>] blk_mq_alloc_tag_set+0x1dc/0x530 + [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +unreferenced object 0xffff041da5c65e00 (size 256): + comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8 + [<(____ptrval____)>] blk_mq_alloc_tag_set+0x254/0x530 + [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8 + [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0 + [<(____ptrval____)>] sas_probe_devices+0x168/0x208 + [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8 + [<(____ptrval____)>] process_one_work+0x3f8/0x690 + [<(____ptrval____)>] worker_thread+0x70/0x6a0 + [<(____ptrval____)>] kthread+0x1b8/0x1c0 + [<(____ptrval____)>] ret_from_fork+0x10/0x18 +root@(none)$ + +It turns out that we don't clean up the request queue fully for bsg +devices, as the blk mq tags for the request queue are not freed. + +Fix by doing the queue removal in one place - in sas_rphy_remove() - +instead of unregistering the queue in sas_rphy_remove() and finally +cleaning up the queue in calling blk_cleanup_queue() from +sas_end_device_release() or sas_expander_release(). + +Function bsg_remove_queue() can handle a NULL pointer q, so remove the +precheck in sas_rphy_remove(). + +Fixes: 651a013649943 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough") +Link: https://lore.kernel.org/r/1574242755-94156-1-git-send-email-john.garry@huawei.com +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_sas.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/scsi/scsi_transport_sas.c ++++ b/drivers/scsi/scsi_transport_sas.c +@@ -1397,9 +1397,6 @@ static void sas_expander_release(struct + struct sas_rphy *rphy = dev_to_rphy(dev); + struct sas_expander_device *edev = rphy_to_expander_device(rphy); + +- if (rphy->q) +- blk_cleanup_queue(rphy->q); +- + put_device(dev->parent); + kfree(edev); + } +@@ -1409,9 +1406,6 @@ static void sas_end_device_release(struc + struct sas_rphy *rphy = dev_to_rphy(dev); + struct sas_end_device *edev = rphy_to_end_device(rphy); + +- if (rphy->q) +- blk_cleanup_queue(rphy->q); +- + put_device(dev->parent); + kfree(edev); + } +@@ -1640,8 +1634,7 @@ sas_rphy_remove(struct sas_rphy *rphy) + } + + sas_rphy_unlink(rphy); +- if (rphy->q) +- bsg_unregister_queue(rphy->q); ++ bsg_remove_queue(rphy->q); + transport_remove_device(dev); + device_del(dev); + } diff --git a/queue-4.19/scsi-target-core-fix-a-pr_debug-argument.patch b/queue-4.19/scsi-target-core-fix-a-pr_debug-argument.patch new file mode 100644 index 00000000000..ef89c331cc3 --- /dev/null +++ b/queue-4.19/scsi-target-core-fix-a-pr_debug-argument.patch @@ -0,0 +1,34 @@ +From c941e0d172605731de9b4628bd4146d35cf2e7d6 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 7 Nov 2019 13:55:25 -0800 +Subject: scsi: target: core: Fix a pr_debug() argument + +From: Bart Van Assche + +commit c941e0d172605731de9b4628bd4146d35cf2e7d6 upstream. + +Print the string for which conversion failed instead of printing the +function name twice. + +Fixes: 2650d71e244f ("target: move transport ID handling to the core") +Cc: Christoph Hellwig +Link: https://lore.kernel.org/r/20191107215525.64415-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_fabric_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_fabric_lib.c ++++ b/drivers/target/target_core_fabric_lib.c +@@ -131,7 +131,7 @@ static int srp_get_pr_transport_id( + memset(buf + 8, 0, leading_zero_bytes); + rc = hex2bin(buf + 8 + leading_zero_bytes, p, count); + if (rc < 0) { +- pr_debug("hex2bin failed for %s: %d\n", __func__, rc); ++ pr_debug("hex2bin failed for %s: %d\n", p, rc); + return rc; + } + diff --git a/queue-4.19/series b/queue-4.19/series index f15c205591b..9bb7624b8bd 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -44,6 +44,7 @@ btrfs-fix-invalid-removal-of-root-ref.patch btrfs-do-not-delete-mismatched-root-refs.patch btrfs-fix-memory-leak-in-qgroup-accounting.patch mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch +arm-dts-imx6qdl-add-engicam-i.core-1.5-mx6.patch arm-dts-imx6q-icore-mipi-use-1.5-version-of-i.core-mx6dl.patch arm-dts-imx7-fix-toradex-colibri-imx7s-256mb-nand-flash-support.patch net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch @@ -85,3 +86,19 @@ tick-sched-annotate-lockless-access-to-last_jiffies_update.patch arm64-dts-marvell-fix-cp110-nand-controller-node-multi-line-comment-alignment.patch revert-arm64-dts-juno-add-dma-ranges-property.patch mtd-devices-fix-mchp23k256-read-and-write.patch +drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch +drm-nouveau-bar-gf100-ensure-bar-is-mapped.patch +drm-nouveau-mmu-qualify-vmm-during-dtor.patch +reiserfs-fix-handling-of-eopnotsupp-in-reiserfs_for_each_xattr.patch +scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch +scsi-qla4xxx-fix-double-free-bug.patch +scsi-bnx2i-fix-potential-use-after-free.patch +scsi-target-core-fix-a-pr_debug-argument.patch +scsi-scsi_transport_sas-fix-memory-leak-when-removing-devices.patch +scsi-qla2xxx-fix-qla2x00_request_irqs-for-msi.patch +scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sync-fabric-scan.patch +scsi-core-scsi_trace-use-get_unaligned_be.patch +perf-probe-fix-wrong-address-verification.patch +clk-sprd-use-is_err-to-validate-the-return-value-of-syscon_regmap_lookup_by_phandle.patch +regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch +hwmon-pmbus-ibm-cffps-switch-leds-to-blocking-brightness-call.patch