From: Sasha Levin
Date: Thu, 24 Sep 2020 23:38:17 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v4.19.148~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=158cdda20f8c3db480596130193585af4f2fceae;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.14

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.14/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch b/queue-4.14/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
new file mode 100644
index 00000000000..ed7d2a9676d
--- /dev/null
+++ b/queue-4.14/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
@@ -0,0 +1,70 @@ +From b3bc5f16a17e087822ea3c23b014f90deafb5f1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 21:20:21 -0700 +Subject: kprobes: fix kill kprobe which has been marked as gone + +From: Muchun Song + +[ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ] + +If a kprobe is marked as gone, we should not kill it again. Otherwise, we +can disarm the kprobe more than once. In that case, the statistics of +kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not +work. + +Fixes: e8386a0cb22f ("kprobes: support probing module __exit function") +Co-developed-by: Chengming Zhou +Signed-off-by: Muchun Song +Signed-off-by: Chengming Zhou +Signed-off-by: Andrew Morton +Acked-by: Masami Hiramatsu +Cc: "Naveen N . Rao" +Cc: Anil S Keshavamurthy +Cc: David S. Miller +Cc: Song Liu +Cc: Steven Rostedt +Cc: +Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 7b3a5c35904a0..836a2e0226269 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2117,6 +2117,9 @@ static void kill_kprobe(struct kprobe *p) + { + struct kprobe *kp; + ++ if (WARN_ON_ONCE(kprobe_gone(p))) ++ return; ++ + p->flags |= KPROBE_FLAG_GONE; + if (kprobe_aggrprobe(p)) { + /* +@@ -2259,7 +2262,10 @@ static int kprobes_module_callback(struct notifier_block *nb, + mutex_lock(&kprobe_mutex); + for (i = 0; i < KPROBE_TABLE_SIZE; i++) { + head = &kprobe_table[i]; +- hlist_for_each_entry_rcu(p, head, hlist) ++ hlist_for_each_entry_rcu(p, head, hlist) { ++ if (kprobe_gone(p)) ++ continue; ++ + if (within_module_init((unsigned long)p->addr, mod) || + (checkcore && + within_module_core((unsigned long)p->addr, mod))) { +@@ -2276,6 +2282,7 @@ static int kprobes_module_callback(struct notifier_block *nb, + */ + kill_kprobe(p); + } ++ } + 
} + mutex_unlock(&kprobe_mutex); + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-4.14/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch b/queue-4.14/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch new file mode 100644 index 00000000000..b87a85f30c8 --- /dev/null +++ b/queue-4.14/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch 
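Review bot: The new `kprobe_gone(p)` test at the top of kill_kprobe() and the `p->flags |= KPROBE_FLAG_GONE` that follows it form a check-then-set that is only safe while kprobe_mutex is held, and nothing in the function states or enforces that. The kprobes_module_callback() hunk takes the mutex around its call, but any other callers are outside this patch; adding `lockdep_assert_held(&kprobe_mutex);` ahead of the WARN_ON_ONCE would make the requirement checkable. A short comment that the WARN_ON_ONCE marks a caller bug would also help, since on hosts running with panic_on_warn it halts the machine rather than only logging. The rest of kill_kprobe() lies outside the hunk.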
@@ -0,0 +1,71 @@ +From f88b41a313cefd6b2a569682c5fe871689c5a606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 11:55:35 -0700 +Subject: KVM: fix memory leak in kvm_io_bus_unregister_dev() + +From: Rustam Kovhaev + +[ Upstream commit f65886606c2d3b562716de030706dfe1bea4ed5e ] + +when kmalloc() fails in kvm_io_bus_unregister_dev(), before removing +the bus, we should iterate over all other devices linked to it and call +kvm_iodevice_destructor() for them + +Fixes: 90db10434b16 ("KVM: kvm_io_bus_unregister_dev() should never fail") +Cc: stable@vger.kernel.org +Reported-and-tested-by: syzbot+f196caa45793d6374707@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=f196caa45793d6374707 +Signed-off-by: Rustam Kovhaev +Reviewed-by: Vitaly Kuznetsov +Message-Id: <20200907185535.233114-1-rkovhaev@gmail.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + virt/kvm/kvm_main.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 71f77ae6c2a66..1e30f8706349e 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3688,7 +3688,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, + void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, + struct kvm_io_device *dev) + { +- int i; ++ int i, j; + struct kvm_io_bus *new_bus, *bus; + + bus = kvm_get_bus(kvm, bus_idx); +@@ -3705,17 +3705,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, + + new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) * + sizeof(struct kvm_io_range)), GFP_KERNEL); +- if (!new_bus) { ++ if (new_bus) { ++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range)); ++ new_bus->dev_count--; ++ memcpy(new_bus->range + i, bus->range + i + 1, ++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range)); ++ } else { + pr_err("kvm: failed to shrink bus, removing it completely\n"); +- 
goto broken; ++ for (j = 0; j < bus->dev_count; j++) { ++ if (j == i) ++ continue; ++ kvm_iodevice_destructor(bus->range[j].dev); ++ } + } + +- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range)); +- new_bus->dev_count--; +- memcpy(new_bus->range + i, bus->range + i + 1, +- (new_bus->dev_count - i) * sizeof(struct kvm_io_range)); +- +-broken: + rcu_assign_pointer(kvm->buses[bus_idx], new_bus); + synchronize_srcu_expedited(&kvm->srcu); + kfree(bus); +-- +2.25.1 + diff --git a/queue-4.14/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch b/queue-4.14/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch new file mode 100644 index 00000000000..4050df5c358 --- /dev/null +++ b/queue-4.14/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch 
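Review bot: In the new `else` branch of kvm_io_bus_unregister_dev(), kvm_iodevice_destructor() runs on every remaining device while the old bus is still published, because `rcu_assign_pointer(kvm->buses[bus_idx], new_bus)` and `synchronize_srcu_expedited(&kvm->srcu)` only come afterwards. A reader that picked up the old bus under SRCU before that point could still dispatch to a device that has just been destroyed, which would trade the leak for a use-after-free. Moving the destructor loop to after the grace period and before `kfree(bus)` keeps the leak fix and closes that window. The start of the function, including the lookup that sets `i`, is outside the hunk.

```c
	/* … unchanged: kmalloc() of new_bus and the two memcpy() calls under if (new_bus) … */

	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
	synchronize_srcu_expedited(&kvm->srcu);

	/* Destroy the remaining devices only once no reader can still see the old bus. */
	if (!new_bus) {
		pr_err("kvm: failed to shrink bus, removing it completely\n");
		for (j = 0; j < bus->dev_count; j++) {
			if (j == i)
				continue;
			kvm_iodevice_destructor(bus->range[j].dev);
		}
	}

	kfree(bus);
```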
@@ -0,0 +1,110 @@ +From f37b3c639d951de6bb059e6881d92a384318ecab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 21:20:24 -0700 +Subject: mm/thp: fix __split_huge_pmd_locked() for migration PMD + +From: Ralph Campbell + +[ Upstream commit ec0abae6dcdf7ef88607c869bf35a4b63ce1b370 ] + +A migrating transparent huge page has to already be unmapped. Otherwise, +the page could be modified while it is being copied to a new page and data +could be lost. The function __split_huge_pmd() checks for a PMD migration +entry before calling __split_huge_pmd_locked() leading one to think that +__split_huge_pmd_locked() can handle splitting a migrating PMD. + +However, the code always increments the page->_mapcount and adjusts the +memory control group accounting assuming the page is mapped. + +Also, if the PMD entry is a migration PMD entry, the call to +is_huge_zero_pmd(*pmd) is incorrect because it calls pmd_pfn(pmd) instead +of migration_entry_to_pfn(pmd_to_swp_entry(pmd)). Fix these problems by +checking for a PMD migration entry. 
+ +Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") +Signed-off-by: Ralph Campbell +Signed-off-by: Andrew Morton +Reviewed-by: Yang Shi +Reviewed-by: Zi Yan +Cc: Jerome Glisse +Cc: John Hubbard +Cc: Alistair Popple +Cc: Christoph Hellwig +Cc: Jason Gunthorpe +Cc: Bharata B Rao +Cc: Ben Skeggs +Cc: Shuah Khan +Cc: [4.14+] +Link: https://lkml.kernel.org/r/20200903183140.19055-1-rcampbell@nvidia.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 9f3d4f84032bc..51068ef1dff5a 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2078,7 +2078,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + put_page(page); + add_mm_counter(mm, MM_FILEPAGES, -HPAGE_PMD_NR); + return; +- } else if (is_huge_zero_pmd(*pmd)) { ++ } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) { + return __split_huge_zero_page_pmd(vma, haddr, pmd); + } + +@@ -2131,27 +2131,33 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + pte = pte_offset_map(&_pmd, addr); + BUG_ON(!pte_none(*pte)); + set_pte_at(mm, addr, pte, entry); +- atomic_inc(&page[i]._mapcount); +- pte_unmap(pte); +- } +- +- /* +- * Set PG_double_map before dropping compound_mapcount to avoid +- * false-negative page_mapped(). +- */ +- if (compound_mapcount(page) > 1 && !TestSetPageDoubleMap(page)) { +- for (i = 0; i < HPAGE_PMD_NR; i++) ++ if (!pmd_migration) + atomic_inc(&page[i]._mapcount); ++ pte_unmap(pte); + } + +- if (atomic_add_negative(-1, compound_mapcount_ptr(page))) { +- /* Last compound_mapcount is gone. 
*/ +- __dec_node_page_state(page, NR_ANON_THPS); +- if (TestClearPageDoubleMap(page)) { +- /* No need in mapcount reference anymore */ ++ if (!pmd_migration) { ++ /* ++ * Set PG_double_map before dropping compound_mapcount to avoid ++ * false-negative page_mapped(). ++ */ ++ if (compound_mapcount(page) > 1 && ++ !TestSetPageDoubleMap(page)) { + for (i = 0; i < HPAGE_PMD_NR; i++) +- atomic_dec(&page[i]._mapcount); ++ atomic_inc(&page[i]._mapcount); ++ } ++ ++ lock_page_memcg(page); ++ if (atomic_add_negative(-1, compound_mapcount_ptr(page))) { ++ /* Last compound_mapcount is gone. */ ++ __dec_lruvec_page_state(page, NR_ANON_THPS); ++ if (TestClearPageDoubleMap(page)) { ++ /* No need in mapcount reference anymore */ ++ for (i = 0; i < HPAGE_PMD_NR; i++) ++ atomic_dec(&page[i]._mapcount); ++ } + } ++ unlock_page_memcg(page); + } + + smp_wmb(); /* make pte visible before pmd */ +-- +2.25.1 + diff --git a/queue-4.14/phy-qcom-qmp-use-correct-values-for-ipq8074-pcie-gen.patch b/queue-4.14/phy-qcom-qmp-use-correct-values-for-ipq8074-pcie-gen.patch new file mode 100644 index 00000000000..66adc875b28 --- /dev/null +++ b/queue-4.14/phy-qcom-qmp-use-correct-values-for-ipq8074-pcie-gen.patch 
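Review bot: The rewritten accounting block in __split_huge_pmd_locked() changes more than the `!pmd_migration` guard: `__dec_node_page_state(page, NR_ANON_THPS)` becomes `__dec_lruvec_page_state(page, NR_ANON_THPS)`, and a `lock_page_memcg(page)` / `unlock_page_memcg(page)` pair is added around it. The matching increment of NR_ANON_THPS is outside this hunk; if the 4.14 tree still increments it with the node-level helper, the memcg/lruvec side of the counter would presumably only ever be decremented and drift. Unless the increment side was converted as well, keep `__dec_node_page_state(page, NR_ANON_THPS);` inside the new `if (!pmd_migration)` block and drop the memcg lock pair. `pmd_migration` itself is declared outside the hunk.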
@@ -0,0 +1,112 @@ +From ad02ac4f6abc1eac14b3074e9fb81da979c70a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 21:00:03 +0530 +Subject: phy: qcom-qmp: Use correct values for ipq8074 PCIe Gen2 PHY init + +From: Sivaprakash Murugesan + +[ Upstream commit afd55e6d1bd35b4b36847869011447a83a81c8e0 ] + +There were some problem in ipq8074 Gen2 PCIe phy init sequence. + +1. Few register values were wrongly updated in the phy init sequence. +2. The register QSERDES_RX_SIGDET_CNTRL is a RX tuning parameter + register which is added in serdes table causing the wrong register + was getting updated. +3. Clocks and resets were not added in the phy init. + +Fix these to make Gen2 PCIe port on ipq8074 devices to work. + +Fixes: eef243d04b2b6 ("phy: qcom-qmp: Add support for IPQ8074") +Cc: stable@vger.kernel.org +Co-developed-by: Selvam Sathappan Periakaruppan +Signed-off-by: Selvam Sathappan Periakaruppan +Signed-off-by: Sivaprakash Murugesan +Link: https://lore.kernel.org/r/1596036607-11877-4-git-send-email-sivaprak@codeaurora.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c +index 2526971f99299..3eeaf57e6d939 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -102,6 +102,8 @@ + #define QSERDES_COM_CORECLK_DIV_MODE1 0x1bc + + /* QMP PHY TX registers */ ++#define QSERDES_TX_EMP_POST1_LVL 0x018 ++#define QSERDES_TX_SLEW_CNTL 0x040 + #define QSERDES_TX_RES_CODE_LANE_OFFSET 0x054 + #define QSERDES_TX_DEBUG_BUS_SEL 0x064 + #define QSERDES_TX_HIGHZ_TRANSCEIVEREN_BIAS_DRVR_EN 0x068 +@@ -394,8 +396,8 @@ static const struct qmp_phy_init_tbl ipq8074_pcie_serdes_tbl[] = { + QMP_PHY_INIT_CFG(QSERDES_COM_BG_TRIM, 0xf), + QMP_PHY_INIT_CFG(QSERDES_COM_LOCK_CMP_EN, 0x1), + QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_MAP, 
0x0), +- QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_TIMER1, 0x1f), +- QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_TIMER2, 0x3f), ++ QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_TIMER1, 0xff), ++ QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_TIMER2, 0x1f), + QMP_PHY_INIT_CFG(QSERDES_COM_CMN_CONFIG, 0x6), + QMP_PHY_INIT_CFG(QSERDES_COM_PLL_IVCO, 0xf), + QMP_PHY_INIT_CFG(QSERDES_COM_HSCLK_SEL, 0x0), +@@ -421,7 +423,6 @@ static const struct qmp_phy_init_tbl ipq8074_pcie_serdes_tbl[] = { + QMP_PHY_INIT_CFG(QSERDES_COM_INTEGLOOP_GAIN1_MODE0, 0x0), + QMP_PHY_INIT_CFG(QSERDES_COM_INTEGLOOP_GAIN0_MODE0, 0x80), + QMP_PHY_INIT_CFG(QSERDES_COM_BIAS_EN_CTRL_BY_PSM, 0x1), +- QMP_PHY_INIT_CFG(QSERDES_COM_VCO_TUNE_CTRL, 0xa), + QMP_PHY_INIT_CFG(QSERDES_COM_SSC_EN_CENTER, 0x1), + QMP_PHY_INIT_CFG(QSERDES_COM_SSC_PER1, 0x31), + QMP_PHY_INIT_CFG(QSERDES_COM_SSC_PER2, 0x1), +@@ -430,7 +431,6 @@ static const struct qmp_phy_init_tbl ipq8074_pcie_serdes_tbl[] = { + QMP_PHY_INIT_CFG(QSERDES_COM_SSC_STEP_SIZE1, 0x2f), + QMP_PHY_INIT_CFG(QSERDES_COM_SSC_STEP_SIZE2, 0x19), + QMP_PHY_INIT_CFG(QSERDES_COM_CLK_EP_DIV, 0x19), +- QMP_PHY_INIT_CFG(QSERDES_RX_SIGDET_CNTRL, 0x7), + }; + + static const struct qmp_phy_init_tbl ipq8074_pcie_tx_tbl[] = { +@@ -438,6 +438,8 @@ static const struct qmp_phy_init_tbl ipq8074_pcie_tx_tbl[] = { + QMP_PHY_INIT_CFG(QSERDES_TX_LANE_MODE, 0x6), + QMP_PHY_INIT_CFG(QSERDES_TX_RES_CODE_LANE_OFFSET, 0x2), + QMP_PHY_INIT_CFG(QSERDES_TX_RCV_DETECT_LVL_2, 0x12), ++ QMP_PHY_INIT_CFG(QSERDES_TX_EMP_POST1_LVL, 0x36), ++ QMP_PHY_INIT_CFG(QSERDES_TX_SLEW_CNTL, 0x0a), + }; + + static const struct qmp_phy_init_tbl ipq8074_pcie_rx_tbl[] = { +@@ -448,7 +450,6 @@ static const struct qmp_phy_init_tbl ipq8074_pcie_rx_tbl[] = { + QMP_PHY_INIT_CFG(QSERDES_RX_RX_EQU_ADAPTOR_CNTRL4, 0xdb), + QMP_PHY_INIT_CFG(QSERDES_RX_UCDR_SO_SATURATION_AND_ENABLE, 0x4b), + QMP_PHY_INIT_CFG(QSERDES_RX_UCDR_SO_GAIN, 0x4), +- QMP_PHY_INIT_CFG(QSERDES_RX_UCDR_SO_GAIN_HALF, 0x4), + }; + + static const struct qmp_phy_init_tbl 
ipq8074_pcie_pcs_tbl[] = { +@@ -665,6 +666,9 @@ static const struct qmp_phy_cfg msm8996_usb3phy_cfg = { + .mask_pcs_ready = PHYSTATUS, + }; + ++static const char * const ipq8074_pciephy_clk_l[] = { ++ "aux", "cfg_ahb", ++}; + /* list of resets */ + static const char * const ipq8074_pciephy_reset_l[] = { + "phy", "common", +@@ -682,8 +686,8 @@ static const struct qmp_phy_cfg ipq8074_pciephy_cfg = { + .rx_tbl_num = ARRAY_SIZE(ipq8074_pcie_rx_tbl), + .pcs_tbl = ipq8074_pcie_pcs_tbl, + .pcs_tbl_num = ARRAY_SIZE(ipq8074_pcie_pcs_tbl), +- .clk_list = NULL, +- .num_clks = 0, ++ .clk_list = ipq8074_pciephy_clk_l, ++ .num_clks = ARRAY_SIZE(ipq8074_pciephy_clk_l), + .reset_list = ipq8074_pciephy_reset_l, + .num_resets = ARRAY_SIZE(ipq8074_pciephy_reset_l), + .vreg_list = NULL, +-- +2.25.1 + diff --git a/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch b/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch new file mode 100644 index 00000000000..bf20a4d545b --- /dev/null +++ b/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch 
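Review bot: `ipq8074_pciephy_cfg` now lists the clocks "aux" and "cfg_ahb" instead of `NULL`/0, which makes the driver depend on the platform description supplying both names. How a missing clock is handled is outside these hunks, so it is worth confirming that the 4.14 device tree for ipq8074 provides them before this is queued. The new `ipq8074_pciephy_clk_l` array is also added without a heading comment and runs straight into `/* list of resets */`; a `/* list of clocks */` comment above it and a blank line after its closing `};` would match the resets array that follows. The register values in the three init tables cannot be checked from the diff alone.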
@@ -0,0 +1,47 @@ +From bec7e54c0d5d12acf8fd632c153e625183e8bbb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 18:24:49 +0900 +Subject: RDMA/ucma: ucma_context reference leak in error path + +From: Shamir Rabinovitch + +commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream. + +Validating input parameters should be done before getting the cm_id +otherwise it can leak a cm_id reference. + +Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") +Signed-off-by: Shamir Rabinovitch +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +[iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context] +Signed-off-by: Nobuhiro Iwamatsu (CIP) +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index c3e5f921da12e..4002a8ddf6d0a 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) +- return -EINVAL; +- + optval = memdup_user((void __user *) (unsigned long) cmd.optval, + cmd.optlen); + if (IS_ERR(optval)) { +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 421138f841e..8c7dbef9385 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
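Review bot: The ordering this fix depends on is not stated anywhere in ucma_set_option(): any `return` placed after `ucma_get_ctx()` has to release the context first, which is why the `cmd.optlen` check had to move up. A one-line comment above the moved check, `/* Validate before ucma_get_ctx(): every exit after it must drop the ctx reference. */`, would keep a later edit from reintroducing the leak. Separately, `KMALLOC_MAX_SIZE` is an allocator limit rather than a bound derived from the options this call accepts, so `memdup_user()` can still be asked for a copy that large on every call; a tighter limit may be worth considering. The error path after `memdup_user()` is outside the hunk.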
@@ -1 +1,6 @@
 af_key-pfkey_dump-needs-parameter-validation.patch
+phy-qcom-qmp-use-correct-values-for-ipq8074-pcie-gen.patch
+kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
+kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
+mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch
+rdma-ucma-ucma_context-reference-leak-in-error-path.patch