From: Greg Kroah-Hartman Date: Thu, 27 Feb 2020 10:14:23 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.215~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1febf13fc1ac9e424945be5beab14e0eea6b847f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ecryptfs-replace-bug_on-with-error-handling-code.patch scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch --- diff --git a/queue-4.9/ecryptfs-replace-bug_on-with-error-handling-code.patch b/queue-4.9/ecryptfs-replace-bug_on-with-error-handling-code.patch new file mode 100644 index 00000000000..5c75d25ffcf --- /dev/null +++ b/queue-4.9/ecryptfs-replace-bug_on-with-error-handling-code.patch @@ -0,0 +1,39 @@ +From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Fri, 14 Feb 2020 12:21:01 -0600 +Subject: ecryptfs: replace BUG_ON with error handling code + +From: Aditya Pakki + +commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream. + +In crypt_scatterlist, if the crypt_stat argument is not set up +correctly, the kernel crashes. Instead, by returning an error code +upstream, the error is handled safely. + +The issue is detected via a static analysis tool written by us. + +Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig) +Signed-off-by: Aditya Pakki +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -339,8 +339,10 @@ static int crypt_scatterlist(struct ecry + struct extent_crypt_result ecr; + int rc = 0; + +- BUG_ON(!crypt_stat || !crypt_stat->tfm +- || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); ++ if (!crypt_stat || !crypt_stat->tfm ++ || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)) ++ return -EINVAL; ++ + if (unlikely(ecryptfs_verbosity > 0)) { + ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n", + crypt_stat->key_size); diff --git a/queue-4.9/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch b/queue-4.9/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch new file mode 100644 index 00000000000..f383b5627ca --- /dev/null +++ b/queue-4.9/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch @@ -0,0 +1,77 @@ +From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 12 Feb 2020 21:08:59 -0800 +Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout" + +From: Bart Van Assche + +commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream. + +Since commit 04060db41178 introduces soft lockups when toggling network +interfaces, revert it. + +Link: https://marc.info/?l=target-devel&m=158157054906196 +Cc: Rahul Kundu +Cc: Mike Marciniszyn +Cc: Sagi Grimberg +Reported-by: Dakshaja Uppalapati +Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout") +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 12 ++++++++++++ + drivers/target/iscsi/iscsi_target.c | 6 +++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2555,6 +2555,17 @@ isert_wait4logout(struct isert_conn *ise + } + } + ++static void ++isert_wait4cmds(struct iscsi_conn *conn) ++{ ++ isert_info("iscsi_conn %p\n", conn); ++ ++ if (conn->sess) { ++ target_sess_cmd_list_set_waiting(conn->sess->se_sess); ++ target_wait_for_sess_cmds(conn->sess->se_sess); ++ } ++} ++ + /** + * isert_put_unsol_pending_cmds() - Drop commands waiting for + * unsolicitate dataout +@@ -2602,6 +2613,7 @@ static void isert_wait_conn(struct iscsi + + ib_drain_qp(isert_conn->qp); + isert_put_unsol_pending_cmds(conn); ++ isert_wait4cmds(conn); + isert_wait4logout(isert_conn); + + queue_work(isert_release_wq, &isert_conn->release_work); +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4162,6 +4162,9 @@ int iscsit_close_connection( + iscsit_stop_nopin_response_timer(conn); + iscsit_stop_nopin_timer(conn); + ++ if (conn->conn_transport->iscsit_wait_conn) ++ conn->conn_transport->iscsit_wait_conn(conn); ++ + /* + * During Connection recovery drop unacknowledged out of order + * commands for this connection, and prepare the other commands +@@ -4247,9 +4250,6 @@ int iscsit_close_connection( + target_sess_cmd_list_set_waiting(sess->se_sess); + target_wait_for_sess_cmds(sess->se_sess); + +- if (conn->conn_transport->iscsit_wait_conn) +- conn->conn_transport->iscsit_wait_conn(conn); +- + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { + struct crypto_ahash *tfm; diff --git a/queue-4.9/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch b/queue-4.9/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch new file mode 100644 index 00000000000..6938f913a60 --- /dev/null +++ b/queue-4.9/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch @@ -0,0 +1,70 @@ +From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 12 Feb 2020 21:09:00 -0800 +Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" + +From: Bart Van Assche + +commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream. + +Since commit e9d3009cb936 introduced a regression and since the fix for +that regression was not perfect, revert this commit. + +Link: https://marc.info/?l=target-devel&m=158157054906195 +Cc: Rahul Kundu +Cc: Mike Marciniszyn +Cc: Sagi Grimberg +Reported-by: Dakshaja Uppalapati +Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session") +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 10 ++-------- + include/scsi/iscsi_proto.h | 1 - + 2 files changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1168,9 +1168,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c + hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length, + conn->cid); + +- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) +- return iscsit_add_reject_cmd(cmd, +- ISCSI_REASON_WAITING_FOR_LOGOUT, buf); ++ target_get_sess_cmd(&cmd->se_cmd, true); + + cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd, + scsilun_to_int(&hdr->lun)); +@@ -1988,9 +1986,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + conn->sess->se_sess, 0, DMA_NONE, + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); + +- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) +- return iscsit_add_reject_cmd(cmd, +- ISCSI_REASON_WAITING_FOR_LOGOUT, buf); ++ target_get_sess_cmd(&cmd->se_cmd, true); + + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of +@@ -4247,8 +4243,6 @@ int iscsit_close_connection( + * must wait until they have completed. + */ + iscsit_check_conn_usage_count(conn); +- target_sess_cmd_list_set_waiting(sess->se_sess); +- target_wait_for_sess_cmds(sess->se_sess); + + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { +--- a/include/scsi/iscsi_proto.h ++++ b/include/scsi/iscsi_proto.h +@@ -638,7 +638,6 @@ struct iscsi_reject { + #define ISCSI_REASON_BOOKMARK_INVALID 9 + #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10 + #define ISCSI_REASON_NEGOTIATION_RESET 11 +-#define ISCSI_REASON_WAITING_FOR_LOGOUT 12 + + /* Max. number of Key=Value pairs in a text message */ + #define MAX_KEY_VALUE_PAIRS 8192 diff --git a/queue-4.9/series b/queue-4.9/series index 71b8acc4116..c8fd786ad02 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -151,4 +151,9 @@ kvm-nvmx-refactor-io-bitmap-checks-into-helper-function.patch kvm-nvmx-check-io-instruction-vm-exit-conditions.patch kvm-apic-avoid-calculating-pending-eoi-from-an-uninitialized-val.patch btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patch +scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch +scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch +usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch +staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch +ecryptfs-replace-bug_on-with-error-handling-code.patch kvm-nvmx-handle-nested-posted-interrupts-when-apicv-is-disabled-for-l1.patch diff --git a/queue-4.9/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch b/queue-4.9/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch new file mode 100644 index 00000000000..9b3ef2a62f5 --- /dev/null +++ b/queue-4.9/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch @@ -0,0 +1,36 @@ +From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 5 Feb 2020 15:32:17 +0300 +Subject: staging: greybus: use after free in gb_audio_manager_remove_all() + +From: Dan Carpenter + +commit b7db58105b80fa9232719c8329b995b3addfab55 upstream. + +When we call kobject_put() and it's the last reference to the kobject +then it calls gb_audio_module_release() and frees module. We dereference +"module" on the next line which is a use after free. + +Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'") +Signed-off-by: Dan Carpenter +Acked-by: Viresh Kumar +Reviewed-by: Vaibhav Agarwal +Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/greybus/audio_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/greybus/audio_manager.c ++++ b/drivers/staging/greybus/audio_manager.c +@@ -90,8 +90,8 @@ void gb_audio_manager_remove_all(void) + + list_for_each_entry_safe(module, next, &modules_list, list) { + list_del(&module->list); +- kobject_put(&module->kobj); + ida_simple_remove(&module_id, module->id); ++ kobject_put(&module->kobj); + } + + is_empty = list_empty(&modules_list); diff --git a/queue-4.9/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch b/queue-4.9/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch new file mode 100644 index 00000000000..55fbbe9379f --- /dev/null +++ b/queue-4.9/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch @@ -0,0 +1,43 @@ +From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001 +From: Jack Pham +Date: Thu, 30 Jan 2020 19:10:35 -0800 +Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus + +From: Jack Pham + +commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream. + +SuperSpeedPlus peripherals must report their bMaxPower of the +configuration descriptor in units of 8mA as per the USB 3.2 +specification. The current switch statement in encode_bMaxPower() +only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so +the latter falls back to USB 2.0 encoding which uses 2mA units. +Replace the switch with a simple if/else. + +Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors") +Signed-off-by: Jack Pham +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/composite.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -437,12 +437,10 @@ static u8 encode_bMaxPower(enum usb_devi + val = CONFIG_USB_GADGET_VBUS_DRAW; + if (!val) + return 0; +- switch (speed) { +- case USB_SPEED_SUPER: +- return DIV_ROUND_UP(val, 8); +- default: ++ if (speed < USB_SPEED_SUPER) + return DIV_ROUND_UP(val, 2); +- } ++ else ++ return DIV_ROUND_UP(val, 8); + } + + static int config_buf(struct usb_configuration *config,