From: Sasha Levin Date: Sun, 27 Sep 2020 17:51:42 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.4.238~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2766e16acc4c1cf13d275875fae660dffe1d4627;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acpi-ec-reference-count-query-handlers-under-lock.patch b/queue-4.9/acpi-ec-reference-count-query-handlers-under-lock.patch new file mode 100644 index 00000000000..76d677354a2 --- /dev/null +++ b/queue-4.9/acpi-ec-reference-count-query-handlers-under-lock.patch @@ -0,0 +1,65 @@ +From 72d2f86d0cb611249fd1dde55ce50ab0119c60dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2019 11:04:21 +0100 +Subject: ACPI: EC: Reference count query handlers under lock + +From: Rafael J. Wysocki + +[ Upstream commit 3df663a147fe077a6ee8444ec626738946e65547 ] + +There is a race condition in acpi_ec_get_query_handler() +theoretically allowing query handlers to go away before refernce +counting them. + +In order to avoid it, call kref_get() on query handlers under +ec->mutex. + +Also simplify the code a bit while at it. + +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 307b3e28f34ce..8781b5dc97f1c 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1049,29 +1049,21 @@ void acpi_ec_unblock_transactions(void) + /* -------------------------------------------------------------------------- + Event Management + -------------------------------------------------------------------------- */ +-static struct acpi_ec_query_handler * +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler) +-{ +- if (handler) +- kref_get(&handler->kref); +- return handler; +-} +- + static struct acpi_ec_query_handler * + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value) + { + struct acpi_ec_query_handler *handler; +- bool found = false; + + mutex_lock(&ec->mutex); + list_for_each_entry(handler, &ec->list, node) { + if (value == handler->query_bit) { +- found = true; +- break; ++ kref_get(&handler->kref); ++ mutex_unlock(&ec->mutex); ++ return handler; + } + } + mutex_unlock(&ec->mutex); +- return found ? acpi_ec_get_query_handler(handler) : NULL; ++ return NULL; + } + + static void acpi_ec_query_handler_release(struct kref *kref) +-- +2.25.1 + diff --git a/queue-4.9/alsa-hda-clear-rirb-status-before-reading-wp.patch b/queue-4.9/alsa-hda-clear-rirb-status-before-reading-wp.patch new file mode 100644 index 00000000000..0c971ebb11b --- /dev/null +++ b/queue-4.9/alsa-hda-clear-rirb-status-before-reading-wp.patch @@ -0,0 +1,57 @@ +From a8d0e0067bd5677a0e76fe9a206fc7edef27f4a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2020 15:40:53 +0530 +Subject: ALSA: hda: Clear RIRB status before reading WP + +From: Mohan Kumar + +[ Upstream commit 6d011d5057ff88ee556c000ac6fe0be23bdfcd72 ] + +RIRB interrupt status getting cleared after the write pointer is read +causes a race condition, where last response(s) into RIRB may remain +unserviced by IRQ, eventually causing azx_rirb_get_response to fall +back to polling mode. Clearing the RIRB interrupt status ahead of +write pointer access ensures that this condition is avoided. + +Signed-off-by: Mohan Kumar +Signed-off-by: Viswanath L +Link: https://lore.kernel.org/r/1580983853-351-1-git-send-email-viswanathl@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_controller.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index bd0e4710d15d7..79043b481d7b6 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1158,16 +1158,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id) + if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update)) + active = true; + +- /* clear rirb int */ + status = azx_readb(chip, RIRBSTS); + if (status & RIRB_INT_MASK) { ++ /* ++ * Clearing the interrupt status here ensures that no ++ * interrupt gets masked after the RIRB wp is read in ++ * snd_hdac_bus_update_rirb. This avoids a possible ++ * race condition where codec response in RIRB may ++ * remain unserviced by IRQ, eventually falling back ++ * to polling mode in azx_rirb_get_response. ++ */ ++ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + active = true; + if (status & RIRB_INT_RESPONSE) { + if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND) + udelay(80); + snd_hdac_bus_update_rirb(bus); + } +- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + } + } while (active && ++repeat < 10); + +-- +2.25.1 + diff --git a/queue-4.9/alsa-hda-fix-potential-race-in-unsol-event-handler.patch b/queue-4.9/alsa-hda-fix-potential-race-in-unsol-event-handler.patch new file mode 100644 index 00000000000..51e8c397ef1 --- /dev/null +++ b/queue-4.9/alsa-hda-fix-potential-race-in-unsol-event-handler.patch @@ -0,0 +1,55 @@ +From f179b6c2ccbde7e1dd0734a1ebb5484778195988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2020 08:25:56 +0200 +Subject: ALSA: hda: Fix potential race in unsol event handler + +From: Takashi Iwai + +[ Upstream commit c637fa151259c0f74665fde7cba5b7eac1417ae5 ] + +The unsol event handling code has a loop retrieving the read/write +indices and the arrays without locking while the append to the array +may happen concurrently. This may lead to some inconsistency. +Although there hasn't been any proof of this bad results, it's still +safer to protect the racy accesses. + +This patch adds the spinlock protection around the unsol handling loop +for addressing it. Here we take bus->reg_lock as the writer side +snd_hdac_bus_queue_event() is also protected by that lock. + +Link: https://lore.kernel.org/r/20200516062556.30951-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/hdac_bus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c +index 0e81ea89a5965..e3f68a76d90eb 100644 +--- a/sound/hda/hdac_bus.c ++++ b/sound/hda/hdac_bus.c +@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work) + struct hdac_driver *drv; + unsigned int rp, caddr, res; + ++ spin_lock_irq(&bus->reg_lock); + while (bus->unsol_rp != bus->unsol_wp) { + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE; + bus->unsol_rp = rp; +@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work) + codec = bus->caddr_tbl[caddr & 0x0f]; + if (!codec || !codec->dev.driver) + continue; ++ spin_unlock_irq(&bus->reg_lock); + drv = drv_to_hdac_driver(codec->dev.driver); + if (drv->unsol_event) + drv->unsol_event(codec, res); ++ spin_lock_irq(&bus->reg_lock); + } ++ spin_unlock_irq(&bus->reg_lock); + } + + /** +-- +2.25.1 + diff --git a/queue-4.9/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch b/queue-4.9/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch new file mode 100644 index 00000000000..b326edac628 --- /dev/null +++ b/queue-4.9/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch @@ -0,0 +1,81 @@ +From 84f1b2ce877f2dff1f852546ffaf976b36c0f6e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 14:25:54 +0200 +Subject: ALSA: usb-audio: Fix case when USB MIDI interface has more than one + extra endpoint descriptor + +From: Andreas Steinmetz + +[ Upstream commit 5c6cd7021a05a02fcf37f360592d7c18d4d807fb ] + +The Miditech MIDIFACE 16x16 (USB ID 1290:1749) has more than one extra +endpoint descriptor. + +The first extra descriptor is: 0x06 0x30 0x00 0x00 0x00 0x00 + +As the code in snd_usbmidi_get_ms_info() looks only at the +first extra descriptor to find USB_DT_CS_ENDPOINT the device +as such is recognized but there is neither input nor output +configured. + +The patch iterates through the extra descriptors to find the +proper one. With this patch the device is correctly configured. + +Signed-off-by: Andreas Steinmetz +Link: https://lore.kernel.org/r/1c3b431a86f69e1d60745b6110cdb93c299f120b.camel@domdv.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/midi.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 0676e7d485def..b8d4b5b3e54a1 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1805,6 +1805,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi, + return 0; + } + ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor( ++ struct usb_host_endpoint *hostep) ++{ ++ unsigned char *extra = hostep->extra; ++ int extralen = hostep->extralen; ++ ++ while (extralen > 3) { ++ struct usb_ms_endpoint_descriptor *ms_ep = ++ (struct usb_ms_endpoint_descriptor *)extra; ++ ++ if (ms_ep->bLength > 3 && ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT && ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL) ++ return ms_ep; ++ if (!extra[0]) ++ break; ++ extralen -= extra[0]; ++ extra += extra[0]; ++ } ++ return NULL; ++} ++ + /* + * Returns MIDIStreaming device capabilities. + */ +@@ -1842,11 +1864,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, + ep = get_ep_desc(hostep); + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep)) + continue; +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra; +- if (hostep->extralen < 4 || +- ms_ep->bLength < 4 || +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT || +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL) ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep); ++ if (!ms_ep) + continue; + if (usb_endpoint_dir_out(ep)) { + if (endpoints[epidx].out_ep) { +-- +2.25.1 + diff --git a/queue-4.9/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch b/queue-4.9/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch new file mode 100644 index 00000000000..73bb684f926 --- /dev/null +++ b/queue-4.9/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch @@ -0,0 +1,40 @@ +From bf7bd61194da3fc7ab2f11cd84004400c3769606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 14:11:25 +0300 +Subject: ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter + +From: Mert Dirik + +[ Upstream commit 5b362498a79631f283578b64bf6f4d15ed4cc19a ] + +Add the required USB ID for running SMCWUSBT-G2 wireless adapter (SMC +"EZ Connect g"). + +This device uses ar5523 chipset and requires firmware to be loaded. Even +though pid of the device is 4507, this patch adds it as 4506 so that +AR5523_DEVICE_UG macro can set the AR5523_FLAG_PRE_FIRMWARE flag for pid +4507. + +Signed-off-by: Mert Dirik +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index e492c7f0d311a..9f4ee1d125b68 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1769,6 +1769,8 @@ static struct usb_device_id ar5523_id_table[] = { + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */ + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */ + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */ ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect ++ SMCWUSBT-G2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */ + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */ +-- +2.25.1 + diff --git a/queue-4.9/asoc-kirkwood-fix-irq-error-handling.patch b/queue-4.9/asoc-kirkwood-fix-irq-error-handling.patch new file mode 100644 index 00000000000..6c110c19bf6 --- /dev/null +++ b/queue-4.9/asoc-kirkwood-fix-irq-error-handling.patch @@ -0,0 +1,36 @@ +From 2ff5fd733973450d9c381bd202f1f60be53f25bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 16:46:59 +0100 +Subject: ASoC: kirkwood: fix IRQ error handling + +From: Russell King + +[ Upstream commit 175fc928198236037174e5c5c066fe3c4691903e ] + +Propagate the error code from request_irq(), rather than returning +-EBUSY. + +Signed-off-by: Russell King +Link: https://lore.kernel.org/r/E1iNIqh-0000tW-EZ@rmk-PC.armlinux.org.uk +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index dafd22e874e99..e655425e4819e 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream) + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED, + "kirkwood-i2s", priv); + if (err) +- return -EBUSY; ++ return err; + + /* + * Enable Error interrupts. We're only ack'ing them but +-- +2.25.1 + diff --git a/queue-4.9/ata-sata_mv-avoid-trigerrable-bug_on.patch b/queue-4.9/ata-sata_mv-avoid-trigerrable-bug_on.patch new file mode 100644 index 00000000000..6a2a2f41c09 --- /dev/null +++ b/queue-4.9/ata-sata_mv-avoid-trigerrable-bug_on.patch @@ -0,0 +1,57 @@ +From cc18040f7cd32540b8bcc6dcd8e78ef34af267a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 10:59:46 +0100 +Subject: ata: sata_mv, avoid trigerrable BUG_ON + +From: Jiri Slaby + +[ Upstream commit e9f691d899188679746eeb96e6cb520459eda9b4 ] + +There are several reports that the BUG_ON on unsupported command in +mv_qc_prep can be triggered under some circumstances: +https://bugzilla.suse.com/show_bug.cgi?id=1110252 +https://serverfault.com/questions/888897/raid-problems-after-power-outage +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1652185 +https://bugs.centos.org/view.php?id=14998 + +Let sata_mv handle the failure gracefully: warn about that incl. the +failed command number and return an AC_ERR_INVALID error. We can do that +now thanks to the previous patch. + +Remove also the long-standing FIXME. + +[v2] use %.2x as commands are defined as hexa. + +Signed-off-by: Jiri Slaby +Cc: Jens Axboe +Cc: linux-ide@vger.kernel.org +Cc: Sergei Shtylyov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_mv.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c +index 2f32782cea6d9..2ec37a038eda8 100644 +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -2111,12 +2111,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none + * of which are defined/used by Linux. If we get here, this + * driver needs work. +- * +- * FIXME: modify libata to give qc_prep a return value and +- * return error here. + */ +- BUG_ON(tf->command); +- break; ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__, ++ tf->command); ++ return AC_ERR_INVALID; + } + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0); + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0); +-- +2.25.1 + diff --git a/queue-4.9/atm-fix-a-memory-leak-of-vcc-user_back.patch b/queue-4.9/atm-fix-a-memory-leak-of-vcc-user_back.patch new file mode 100644 index 00000000000..bd28252e995 --- /dev/null +++ b/queue-4.9/atm-fix-a-memory-leak-of-vcc-user_back.patch @@ -0,0 +1,59 @@ +From fdcce669717db3b94506389fce22c7b0f6bc966c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 11:11:09 -0700 +Subject: atm: fix a memory leak of vcc->user_back + +From: Cong Wang + +[ Upstream commit 8d9f73c0ad2f20e9fed5380de0a3097825859d03 ] + +In lec_arp_clear_vccs() only entry->vcc is freed, but vcc +could be installed on entry->recv_vcc too in lec_vcc_added(). + +This fixes the following memory leak: + +unreferenced object 0xffff8880d9266b90 (size 16): + comm "atm2", pid 425, jiffies 4294907980 (age 23.488s) + hex dump (first 16 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5 ............kkk. + backtrace: + [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151 + [<(____ptrval____)>] lane_ioctl+0x4b3/0x569 + [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236 + [<(____ptrval____)>] svc_ioctl+0x17d/0x198 + [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f + [<(____ptrval____)>] sock_ioctl+0x2f9/0x322 + [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b + [<(____ptrval____)>] ksys_ioctl+0x61/0x80 + [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19 + [<(____ptrval____)>] do_syscall_64+0x57/0x65 + [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +Cc: Gengming Liu +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/atm/lec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/atm/lec.c b/net/atm/lec.c +index 704892d79bf19..756429c95e859 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry) + entry->vcc = NULL; + } + if (entry->recv_vcc) { ++ struct atm_vcc *vcc = entry->recv_vcc; ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); ++ ++ kfree(vpriv); ++ vcc->user_back = NULL; ++ + entry->recv_vcc->push = entry->old_recv_push; + vcc_release_async(entry->recv_vcc, -EPIPE); + entry->recv_vcc = NULL; +-- +2.25.1 + diff --git a/queue-4.9/audit-config_change-don-t-log-internal-bookkeeping-a.patch b/queue-4.9/audit-config_change-don-t-log-internal-bookkeeping-a.patch new file mode 100644 index 00000000000..f39d18525bb --- /dev/null +++ b/queue-4.9/audit-config_change-don-t-log-internal-bookkeeping-a.patch @@ -0,0 +1,49 @@ +From 50eb714dedc8a6943a7c8e7e26afc933e711027a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:29:16 -0500 +Subject: audit: CONFIG_CHANGE don't log internal bookkeeping as an event + +From: Steve Grubb + +[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] + +Common Criteria calls out for any action that modifies the audit trail to +be recorded. That usually is interpreted to mean insertion or removal of +rules. It is not required to log modification of the inode information +since the watch is still in effect. Additionally, if the rule is a never +rule and the underlying file is one they do not want events for, they +get an event for this bookkeeping update against their wishes. + +Since no device/inode info is logged at insertion and no device/inode +information is logged on update, there is nothing meaningful being +communicated to the admin by the CONFIG_CHANGE updated_rules event. One +can assume that the rule was not "modified" because it is still watching +the intended target. If the device or inode cannot be resolved, then +audit_panic is called which is sufficient. + +The correct resolution is to drop logging config_update events since +the watch is still in effect but just on another unknown inode. + +Signed-off-by: Steve Grubb +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit_watch.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c +index 712469a3103ac..54b30c9bd8b13 100644 +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent, + if (oentry->rule.exe) + audit_remove_mark(oentry->rule.exe); + +- audit_watch_log_rule_change(r, owatch, "updated_rules"); +- + call_rcu(&oentry->rcu, audit_free_rule_rcu); + } + +-- +2.25.1 + diff --git a/queue-4.9/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch b/queue-4.9/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch new file mode 100644 index 00000000000..86034318b4b --- /dev/null +++ b/queue-4.9/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch @@ -0,0 +1,97 @@ +From 8f0edc56edde0a3eb7a9475e25408d5a63a50f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:03:16 +0800 +Subject: bcache: fix a lost wake-up problem caused by mca_cannibalize_lock + +From: Guoju Fang + +[ Upstream commit 34cf78bf34d48dddddfeeadb44f9841d7864997a ] + +This patch fix a lost wake-up problem caused by the race between +mca_cannibalize_lock and bch_cannibalize_unlock. + +Consider two processes, A and B. Process A is executing +mca_cannibalize_lock, while process B takes c->btree_cache_alloc_lock +and is executing bch_cannibalize_unlock. The problem happens that after +process A executes cmpxchg and will execute prepare_to_wait. In this +timeslice process B executes wake_up, but after that process A executes +prepare_to_wait and set the state to TASK_INTERRUPTIBLE. Then process A +goes to sleep but no one will wake up it. This problem may cause bcache +device to dead. + +Signed-off-by: Guoju Fang +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/btree.c | 12 ++++++++---- + drivers/md/bcache/super.c | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 7fe7df56fa334..f0939fc1cfe55 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -547,6 +547,7 @@ struct cache_set { + */ + wait_queue_head_t btree_cache_wait; + struct task_struct *btree_cache_alloc_lock; ++ spinlock_t btree_cannibalize_lock; + + /* + * When we free a btree node, we increment the gen of the bucket the +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 764d519a7f1c6..26e56a9952d09 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -836,15 +836,17 @@ out: + + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op) + { +- struct task_struct *old; +- +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current); +- if (old && old != current) { ++ spin_lock(&c->btree_cannibalize_lock); ++ if (likely(c->btree_cache_alloc_lock == NULL)) { ++ c->btree_cache_alloc_lock = current; ++ } else if (c->btree_cache_alloc_lock != current) { + if (op) + prepare_to_wait(&c->btree_cache_wait, &op->wait, + TASK_UNINTERRUPTIBLE); ++ spin_unlock(&c->btree_cannibalize_lock); + return -EINTR; + } ++ spin_unlock(&c->btree_cannibalize_lock); + + return 0; + } +@@ -879,10 +881,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, + */ + static void bch_cannibalize_unlock(struct cache_set *c) + { ++ spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { + c->btree_cache_alloc_lock = NULL; + wake_up(&c->btree_cache_wait); + } ++ spin_unlock(&c->btree_cannibalize_lock); + } + + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 95e9a33de06a2..263c0d987929e 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1510,6 +1510,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + sema_init(&c->sb_write_mutex, 1); + mutex_init(&c->bucket_lock); + init_waitqueue_head(&c->btree_cache_wait); ++ spin_lock_init(&c->btree_cannibalize_lock); + init_waitqueue_head(&c->bucket_wait); + init_waitqueue_head(&c->gc_wait); + sema_init(&c->uuid_write_mutex, 1); +-- +2.25.1 + diff --git a/queue-4.9/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch b/queue-4.9/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch new file mode 100644 index 00000000000..835537df7d9 --- /dev/null +++ b/queue-4.9/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch @@ -0,0 +1,126 @@ +From 5bac406893210b093fc5e37e298644c265ada4fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2020 14:48:27 -0700 +Subject: bdev: Reduce time holding bd_mutex in sync in blkdev_close() + +From: Douglas Anderson + +[ Upstream commit b849dd84b6ccfe32622988b79b7b073861fcf9f7 ] + +While trying to "dd" to the block device for a USB stick, I +encountered a hung task warning (blocked for > 120 seconds). I +managed to come up with an easy way to reproduce this on my system +(where /dev/sdb is the block device for my USB stick) with: + + while true; do dd if=/dev/zero of=/dev/sdb bs=4M; done + +With my reproduction here are the relevant bits from the hung task +detector: + + INFO: task udevd:294 blocked for more than 122 seconds. + ... + udevd D 0 294 1 0x00400008 + Call trace: + ... + mutex_lock_nested+0x40/0x50 + __blkdev_get+0x7c/0x3d4 + blkdev_get+0x118/0x138 + blkdev_open+0x94/0xa8 + do_dentry_open+0x268/0x3a0 + vfs_open+0x34/0x40 + path_openat+0x39c/0xdf4 + do_filp_open+0x90/0x10c + do_sys_open+0x150/0x3c8 + ... + + ... + Showing all locks held in the system: + ... + 1 lock held by dd/2798: + #0: ffffff814ac1a3b8 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x50/0x204 + ... + dd D 0 2798 2764 0x00400208 + Call trace: + ... + schedule+0x8c/0xbc + io_schedule+0x1c/0x40 + wait_on_page_bit_common+0x238/0x338 + __lock_page+0x5c/0x68 + write_cache_pages+0x194/0x500 + generic_writepages+0x64/0xa4 + blkdev_writepages+0x24/0x30 + do_writepages+0x48/0xa8 + __filemap_fdatawrite_range+0xac/0xd8 + filemap_write_and_wait+0x30/0x84 + __blkdev_put+0x88/0x204 + blkdev_put+0xc4/0xe4 + blkdev_close+0x28/0x38 + __fput+0xe0/0x238 + ____fput+0x1c/0x28 + task_work_run+0xb0/0xe4 + do_notify_resume+0xfc0/0x14bc + work_pending+0x8/0x14 + +The problem appears related to the fact that my USB disk is terribly +slow and that I have a lot of RAM in my system to cache things. +Specifically my writes seem to be happening at ~15 MB/s and I've got +~4 GB of RAM in my system that can be used for buffering. To write 4 +GB of buffer to disk thus takes ~4000 MB / ~15 MB/s = ~267 seconds. + +The 267 second number is a problem because in __blkdev_put() we call +sync_blockdev() while holding the bd_mutex. Any other callers who +want the bd_mutex will be blocked for the whole time. + +The problem is made worse because I believe blkdev_put() specifically +tells other tasks (namely udev) to go try to access the device at right +around the same time we're going to hold the mutex for a long time. + +Putting some traces around this (after disabling the hung task detector), +I could confirm: + dd: 437.608600: __blkdev_put() right before sync_blockdev() for sdb + udevd: 437.623901: blkdev_open() right before blkdev_get() for sdb + dd: 661.468451: __blkdev_put() right after sync_blockdev() for sdb + udevd: 663.820426: blkdev_open() right after blkdev_get() for sdb + +A simple fix for this is to realize that sync_blockdev() works fine if +you're not holding the mutex. Also, it's not the end of the world if +you sync a little early (though it can have performance impacts). +Thus we can make a guess that we're going to need to do the sync and +then do it without holding the mutex. We still do one last sync with +the mutex but it should be much, much faster. + +With this, my hung task warnings for my test case are gone. + +Signed-off-by: Douglas Anderson +Reviewed-by: Guenter Roeck +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 06f7cbe201326..98b37e77683d3 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1586,6 +1586,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part) + struct gendisk *disk = bdev->bd_disk; + struct block_device *victim = NULL; + ++ /* ++ * Sync early if it looks like we're the last one. If someone else ++ * opens the block device between now and the decrement of bd_openers ++ * then we did a sync that we didn't need to, but that's not the end ++ * of the world and we want to avoid long (could be several minute) ++ * syncs while holding the mutex. ++ */ ++ if (bdev->bd_openers == 1) ++ sync_blockdev(bdev); ++ + mutex_lock_nested(&bdev->bd_mutex, for_part); + if (for_part) + bdev->bd_part_count--; +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-fix-refcount-use-after-free-issue.patch b/queue-4.9/bluetooth-fix-refcount-use-after-free-issue.patch new file mode 100644 index 00000000000..bf8cb8dd6a6 --- /dev/null +++ b/queue-4.9/bluetooth-fix-refcount-use-after-free-issue.patch @@ -0,0 +1,203 @@ +From 9e8a2d44e3269a23350cde68ff4e19f5822d0f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 10:54:14 -0800 +Subject: Bluetooth: Fix refcount use-after-free issue + +From: Manish Mandlik + +[ Upstream commit 6c08fc896b60893c5d673764b0668015d76df462 ] + +There is no lock preventing both l2cap_sock_release() and +chan->ops->close() from running at the same time. + +If we consider Thread A running l2cap_chan_timeout() and Thread B running +l2cap_sock_release(), expected behavior is: + A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb() + A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill() + B::l2cap_sock_release()->sock_orphan() + B::l2cap_sock_release()->l2cap_sock_kill() + +where, +sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks +socket as SOCK_ZAPPED. + +In l2cap_sock_kill(), there is an "if-statement" that checks if both +sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL +and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is +satisfied. + +In the race condition, following occurs: + A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb() + B::l2cap_sock_release()->sock_orphan() + B::l2cap_sock_release()->l2cap_sock_kill() + A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill() + +In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and +A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug. + +Similar condition occurs at other places where teardown/sock_kill is +happening: + l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb() + l2cap_sock_cleanup_listen()->l2cap_sock_kill() + +Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on +l2cap channel to ensure that the socket is killed only after marked as +zapped and orphan. + +Signed-off-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 26 +++++++++++++++----------- + net/bluetooth/l2cap_sock.c | 16 +++++++++++++--- + 2 files changed, 28 insertions(+), 14 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 11012a5090708..de085947c19c2 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -414,6 +414,9 @@ static void l2cap_chan_timeout(struct work_struct *work) + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + mutex_lock(&conn->chan_lock); ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling ++ * this work. No need to call l2cap_chan_hold(chan) here again. ++ */ + l2cap_chan_lock(chan); + + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) +@@ -426,12 +429,12 @@ static void l2cap_chan_timeout(struct work_struct *work) + + l2cap_chan_close(chan, reason); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); +- mutex_unlock(&conn->chan_lock); + ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); ++ ++ mutex_unlock(&conn->chan_lock); + } + + struct l2cap_chan *l2cap_chan_create(void) +@@ -1725,9 +1728,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) + + l2cap_chan_del(chan, err); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + } + +@@ -4327,6 +4330,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + rsp.dcid = cpu_to_le16(chan->scid); +@@ -4335,12 +4339,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + + chan->ops->set_shutdown(chan); + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, ECONNRESET); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +@@ -4372,20 +4375,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + if (chan->state != BT_DISCONN) { + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + mutex_unlock(&conn->chan_lock); + return 0; + } + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index a8ba752732c98..3db8cfebd069a 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1038,7 +1038,7 @@ done: + } + + /* Kill socket (only if zapped and orphan) +- * Must be called on unlocked socket. ++ * Must be called on unlocked socket, with l2cap channel lock. + */ + static void l2cap_sock_kill(struct sock *sk) + { +@@ -1199,8 +1199,15 @@ static int l2cap_sock_release(struct socket *sock) + + err = l2cap_sock_shutdown(sock, 2); + ++ l2cap_chan_hold(l2cap_pi(sk)->chan); ++ l2cap_chan_lock(l2cap_pi(sk)->chan); ++ + sock_orphan(sk); + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(l2cap_pi(sk)->chan); ++ l2cap_chan_put(l2cap_pi(sk)->chan); ++ + return err; + } + +@@ -1218,12 +1225,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent) + BT_DBG("child chan %p state %s", chan, + state_to_string(chan->state)); + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); ++ + __clear_chan_timer(chan); + l2cap_chan_close(chan, ECONNRESET); +- l2cap_chan_unlock(chan); +- + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + } + +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-guard-against-controllers-sending-zero-d-e.patch b/queue-4.9/bluetooth-guard-against-controllers-sending-zero-d-e.patch new file mode 100644 index 00000000000..0ab9c01db5b --- /dev/null +++ b/queue-4.9/bluetooth-guard-against-controllers-sending-zero-d-e.patch @@ -0,0 +1,47 @@ +From bf59fdcf8470e2b59d133209d0ac9357085bcefd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 15:55:34 +0000 +Subject: Bluetooth: guard against controllers sending zero'd events + +From: Alain Michaud + +[ Upstream commit 08bb4da90150e2a225f35e0f642cdc463958d696 ] + +Some controllers have been observed to send zero'd events under some +conditions. This change guards against this condition as well as adding +a trace to facilitate diagnosability of this condition. + +Signed-off-by: Alain Michaud +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 757977c54d9ef..700a2eb161490 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5257,6 +5257,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + u8 status = 0, event = hdr->evt, req_evt = 0; + u16 opcode = HCI_OP_NOP; + ++ if (!event) { ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); ++ goto done; ++ } ++ + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; + opcode = __le16_to_cpu(cmd_hdr->opcode); +@@ -5468,6 +5473,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + req_complete_skb(hdev, status, opcode, orig_skb); + } + ++done: + kfree_skb(orig_skb); + kfree_skb(skb); + hdev->stat.evt_rx++; +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch b/queue-4.9/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch new file mode 100644 index 00000000000..054b3f17f73 --- /dev/null +++ b/queue-4.9/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch @@ -0,0 +1,77 @@ +From 9f7713ea1eda37ee27bdc50d325acf7c68f9c9bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 12:55:03 -0700 +Subject: Bluetooth: Handle Inquiry Cancel error after Inquiry Complete + +From: Sonny Sasaka + +[ Upstream commit adf1d6926444029396861413aba8a0f2a805742a ] + +After sending Inquiry Cancel command to the controller, it is possible +that Inquiry Complete event comes before Inquiry Cancel command complete +event. In this case the Inquiry Cancel command will have status of +Command Disallowed since there is no Inquiry session to be cancelled. +This case should not be treated as error, otherwise we can reach an +inconsistent state. + +Example of a btmon trace when this happened: + +< HCI Command: Inquiry Cancel (0x01|0x0002) plen 0 +> HCI Event: Inquiry Complete (0x01) plen 1 + Status: Success (0x00) +> HCI Event: Command Complete (0x0e) plen 4 + Inquiry Cancel (0x01|0x0002) ncmd 1 + Status: Command Disallowed (0x0c) + +Signed-off-by: Sonny Sasaka +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 700a2eb161490..d6da119f5082e 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -41,12 +41,27 @@ + + /* Handle HCI Event packets */ + +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, ++ u8 *new_status) + { + __u8 status = *((__u8 *) skb->data); + + BT_DBG("%s status 0x%2.2x", hdev->name, status); + ++ /* It is possible that we receive Inquiry Complete event right ++ * before we receive Inquiry Cancel Command Complete event, in ++ * which case the latter event should have status of Command ++ * Disallowed (0x0c). This should not be treated as error, since ++ * we actually achieve what Inquiry Cancel wants to achieve, ++ * which is to end the last Inquiry session. ++ */ ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); ++ status = 0x00; ++ } ++ ++ *new_status = status; ++ + if (status) + return; + +@@ -2772,7 +2787,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, + + switch (*opcode) { + case HCI_OP_INQUIRY_CANCEL: +- hci_cc_inquiry_cancel(hdev, skb); ++ hci_cc_inquiry_cancel(hdev, skb, status); + break; + + case HCI_OP_PERIODIC_INQ: +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch b/queue-4.9/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch new file mode 100644 index 00000000000..0a4e6795a82 --- /dev/null +++ b/queue-4.9/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch @@ -0,0 +1,175 @@ +From 17378447f79d3cff1ba494a3be7fd31f2611a928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 12:35:27 +0800 +Subject: Bluetooth: L2CAP: handle l2cap config request during open state + +From: Howard Chung + +[ Upstream commit 96298f640104e4cd9a913a6e50b0b981829b94ff ] + +According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5, +the incoming L2CAP_ConfigReq should be handled during +OPEN state. + +The section below shows the btmon trace when running +L2CAP/COS/CFD/BV-12-C before and after this change. + +=== Before === +... +> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22 + L2CAP: Connection Request (0x02) ident 2 len 4 + PSM: 1 (0x0001) + Source CID: 65 +< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23 + L2CAP: Connection Response (0x03) ident 2 len 8 + Destination CID: 64 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24 + L2CAP: Configure Request (0x04) ident 2 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #25 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #26 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27 + L2CAP: Configure Request (0x04) ident 3 len 8 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 .. +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +> HCI Event: Number of Completed Packets (0x13) plen 5 #29 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30 + L2CAP: Configure Response (0x05) ident 2 len 6 + Source CID: 64 + Flags: 0x0000 + Result: Success (0x0000) +> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31 + L2CAP: Configure Request (0x04) ident 3 len 12 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 91 02 11 11 ...... +< ACL Data TX: Handle 256 flags 0x00 dlen 14 #32 + L2CAP: Command Reject (0x01) ident 3 len 6 + Reason: Invalid CID in request (0x0002) + Destination CID: 64 + Source CID: 65 +> HCI Event: Number of Completed Packets (0x13) plen 5 #33 + Num handles: 1 + Handle: 256 + Count: 1 +... +=== After === +... +> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22 + L2CAP: Connection Request (0x02) ident 2 len 4 + PSM: 1 (0x0001) + Source CID: 65 +< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23 + L2CAP: Connection Response (0x03) ident 2 len 8 + Destination CID: 64 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24 + L2CAP: Configure Request (0x04) ident 2 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #25 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #26 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27 + L2CAP: Configure Request (0x04) ident 3 len 8 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 .. +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +> HCI Event: Number of Completed Packets (0x13) plen 5 #29 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30 + L2CAP: Configure Response (0x05) ident 2 len 6 + Source CID: 64 + Flags: 0x0000 + Result: Success (0x0000) +> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31 + L2CAP: Configure Request (0x04) ident 3 len 12 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 91 02 11 11 ..... +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #32 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #33 + L2CAP: Configure Request (0x04) ident 3 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #34 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #35 + Num handles: 1 + Handle: 256 + Count: 1 +... + +Signed-off-by: Howard Chung +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index de085947c19c2..5e3f5c1ba07d6 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4107,7 +4107,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + return 0; + } + +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) { ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && ++ chan->state != BT_CONNECTED) { + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, + chan->dcid); + goto unlock; +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-prefetch-channel-before-killing-sock.patch b/queue-4.9/bluetooth-prefetch-channel-before-killing-sock.patch new file mode 100644 index 00000000000..d205399444c --- /dev/null +++ b/queue-4.9/bluetooth-prefetch-channel-before-killing-sock.patch @@ -0,0 +1,60 @@ +From 930af4b3663065299b14c7495d092a5c71e23535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2020 10:31:59 +0800 +Subject: Bluetooth: prefetch channel before killing sock + +From: Hillf Danton + +[ Upstream commit 2a154903cec20fb64ff4d7d617ca53c16f8fd53a ] + +Prefetch channel before killing sock in order to fix UAF like + + BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212 + Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751 + +Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com +Fixes: 6c08fc896b60 ("Bluetooth: Fix refcount use-after-free issue") +Cc: Manish Mandlik +Signed-off-by: Hillf Danton +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 3db8cfebd069a..bbf08c6092f4a 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1189,6 +1189,7 @@ static int l2cap_sock_release(struct socket *sock) + { + struct sock *sk = sock->sk; + int err; ++ struct l2cap_chan *chan; + + BT_DBG("sock %p, sk %p", sock, sk); + +@@ -1198,15 +1199,16 @@ static int l2cap_sock_release(struct socket *sock) + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, 2); ++ chan = l2cap_pi(sk)->chan; + +- l2cap_chan_hold(l2cap_pi(sk)->chan); +- l2cap_chan_lock(l2cap_pi(sk)->chan); ++ l2cap_chan_hold(chan); ++ l2cap_chan_lock(chan); + + sock_orphan(sk); + l2cap_sock_kill(sk); + +- l2cap_chan_unlock(l2cap_pi(sk)->chan); +- l2cap_chan_put(l2cap_pi(sk)->chan); ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return err; + } +-- +2.25.1 + diff --git a/queue-4.9/bpf-remove-recursion-prevention-from-rcu-free-callba.patch b/queue-4.9/bpf-remove-recursion-prevention-from-rcu-free-callba.patch new file mode 100644 index 00000000000..986c283fb29 --- /dev/null +++ b/queue-4.9/bpf-remove-recursion-prevention-from-rcu-free-callba.patch @@ -0,0 +1,45 @@ +From 52176f12505259bc930bf5c7b7ff482183094a18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2020 15:01:39 +0100 +Subject: bpf: Remove recursion prevention from rcu free callback + +From: Thomas Gleixner + +[ Upstream commit 8a37963c7ac9ecb7f86f8ebda020e3f8d6d7b8a0 ] + +If an element is freed via RCU then recursion into BPF instrumentation +functions is not a concern. The element is already detached from the map +and the RCU callback does not hold any locks on which a kprobe, perf event +or tracepoint attached BPF program could deadlock. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200224145643.259118710@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 8648d7d297081..1253261fdb3ba 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -427,15 +427,7 @@ static void htab_elem_free_rcu(struct rcu_head *head) + struct htab_elem *l = container_of(head, struct htab_elem, rcu); + struct bpf_htab *htab = l->htab; + +- /* must increment bpf_prog_active to avoid kprobe+bpf triggering while +- * we're calling kfree, otherwise deadlock is possible if kprobes +- * are placed somewhere inside of slub +- */ +- preempt_disable(); +- __this_cpu_inc(bpf_prog_active); + htab_elem_free(htab, l); +- __this_cpu_dec(bpf_prog_active); +- preempt_enable(); + } + + static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) +-- +2.25.1 + diff --git a/queue-4.9/btrfs-don-t-force-read-only-after-error-in-drop-snap.patch b/queue-4.9/btrfs-don-t-force-read-only-after-error-in-drop-snap.patch new file mode 100644 index 00000000000..21ceff74605 --- /dev/null +++ b/queue-4.9/btrfs-don-t-force-read-only-after-error-in-drop-snap.patch @@ -0,0 +1,45 @@ +From 4a5de7fbfe79165bfca9921dfab7b56b62c6033b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 15:05:53 +0100 +Subject: btrfs: don't force read-only after error in drop snapshot + +From: David Sterba + +[ Upstream commit 7c09c03091ac562ddca2b393e5d65c1d37da79f1 ] + +Deleting a subvolume on a full filesystem leads to ENOSPC followed by a +forced read-only. This is not a transaction abort and the filesystem is +otherwise ok, so the error should be just propagated to the callers. + +This is caused by unnecessary call to btrfs_handle_fs_error for all +errors, except EAGAIN. This does not make sense as the standard +transaction abort mechanism is in btrfs_drop_snapshot so all relevant +failures are handled. + +Originally in commit cb1b69f4508a ("Btrfs: forced readonly when +btrfs_drop_snapshot() fails") there was no return value at all, so the +btrfs_std_error made some sense but once the error handling and +propagation has been implemented we don't need it anymore. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index c0033a0d00787..b5bff1e760a34 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -9435,8 +9435,6 @@ out: + */ + if (!for_reloc && root_dropped == false) + btrfs_add_dead_root(root); +- if (err && err != -EAGAIN) +- btrfs_handle_fs_error(fs_info, err, NULL); + return err; + } + +-- +2.25.1 + diff --git a/queue-4.9/ceph-fix-potential-race-in-ceph_check_caps.patch b/queue-4.9/ceph-fix-potential-race-in-ceph_check_caps.patch new file mode 100644 index 00000000000..22bc821f4e8 --- /dev/null +++ b/queue-4.9/ceph-fix-potential-race-in-ceph_check_caps.patch @@ -0,0 +1,55 @@ +From f1536765e92998b508b1cb6cf736a8bbcdd09c46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2020 16:45:45 -0400 +Subject: ceph: fix potential race in ceph_check_caps + +From: Jeff Layton + +[ Upstream commit dc3da0461cc4b76f2d0c5b12247fcb3b520edbbf ] + +Nothing ensures that session will still be valid by the time we +dereference the pointer. Take and put a reference. + +In principle, we should always be able to get a reference here, but +throw a warning if that's ever not the case. + +Signed-off-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index e11aacb35d6b5..cbd92dd89de16 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1807,12 +1807,24 @@ ack: + if (mutex_trylock(&session->s_mutex) == 0) { + dout("inverting session/ino locks on %p\n", + session); ++ session = ceph_get_mds_session(session); + spin_unlock(&ci->i_ceph_lock); + if (took_snap_rwsem) { + up_read(&mdsc->snap_rwsem); + took_snap_rwsem = 0; + } +- mutex_lock(&session->s_mutex); ++ if (session) { ++ mutex_lock(&session->s_mutex); ++ ceph_put_mds_session(session); ++ } else { ++ /* ++ * Because we take the reference while ++ * holding the i_ceph_lock, it should ++ * never be NULL. Throw a warning if it ++ * ever is. ++ */ ++ WARN_ON_ONCE(true); ++ } + goto retry; + } + } +-- +2.25.1 + diff --git a/queue-4.9/cifs-fix-double-add-page-to-memcg-when-cifs_readpage.patch b/queue-4.9/cifs-fix-double-add-page-to-memcg-when-cifs_readpage.patch new file mode 100644 index 00000000000..543f23fb059 --- /dev/null +++ b/queue-4.9/cifs-fix-double-add-page-to-memcg-when-cifs_readpage.patch @@ -0,0 +1,145 @@ +From 88571000341c70cc554c17b1f78d08493fdfaa36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jun 2020 05:30:19 -0400 +Subject: cifs: Fix double add page to memcg when cifs_readpages + +From: Zhang Xiaoxu + +[ Upstream commit 95a3d8f3af9b0d63b43f221b630beaab9739d13a ] + +When xfstests generic/451, there is an BUG at mm/memcontrol.c: + page:ffffea000560f2c0 refcount:2 mapcount:0 mapping:000000008544e0ea + index:0xf + mapping->aops:cifs_addr_ops dentry name:"tst-aio-dio-cycle-write.451" + flags: 0x2fffff80000001(locked) + raw: 002fffff80000001 ffffc90002023c50 ffffea0005280088 ffff88815cda0210 + raw: 000000000000000f 0000000000000000 00000002ffffffff ffff88817287d000 + page dumped because: VM_BUG_ON_PAGE(page->mem_cgroup) + page->mem_cgroup:ffff88817287d000 + ------------[ cut here ]------------ + kernel BUG at mm/memcontrol.c:2659! + invalid opcode: 0000 [#1] SMP + CPU: 2 PID: 2038 Comm: xfs_io Not tainted 5.8.0-rc1 #44 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_ + 073836-buildvm-ppc64le-16.ppc.4 + RIP: 0010:commit_charge+0x35/0x50 + Code: 0d 48 83 05 54 b2 02 05 01 48 89 77 38 c3 48 c7 + c6 78 4a ea ba 48 83 05 38 b2 02 05 01 e8 63 0d9 + RSP: 0018:ffffc90002023a50 EFLAGS: 00010202 + RAX: 0000000000000000 RBX: ffff88817287d000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff88817ac97ea0 RDI: ffff88817ac97ea0 + RBP: ffffea000560f2c0 R08: 0000000000000203 R09: 0000000000000005 + R10: 0000000000000030 R11: ffffc900020237a8 R12: 0000000000000000 + R13: 0000000000000001 R14: 0000000000000001 R15: ffff88815a1272c0 + FS: 00007f5071ab0800(0000) GS:ffff88817ac80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055efcd5ca000 CR3: 000000015d312000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + mem_cgroup_charge+0x166/0x4f0 + __add_to_page_cache_locked+0x4a9/0x710 + add_to_page_cache_locked+0x15/0x20 + cifs_readpages+0x217/0x1270 + read_pages+0x29a/0x670 + page_cache_readahead_unbounded+0x24f/0x390 + __do_page_cache_readahead+0x3f/0x60 + ondemand_readahead+0x1f1/0x470 + page_cache_async_readahead+0x14c/0x170 + generic_file_buffered_read+0x5df/0x1100 + generic_file_read_iter+0x10c/0x1d0 + cifs_strict_readv+0x139/0x170 + new_sync_read+0x164/0x250 + __vfs_read+0x39/0x60 + vfs_read+0xb5/0x1e0 + ksys_pread64+0x85/0xf0 + __x64_sys_pread64+0x22/0x30 + do_syscall_64+0x69/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f5071fcb1af + Code: Bad RIP value. + RSP: 002b:00007ffde2cdb8e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011 + RAX: ffffffffffffffda RBX: 00007ffde2cdb990 RCX: 00007f5071fcb1af + RDX: 0000000000001000 RSI: 000055efcd5ca000 RDI: 0000000000000003 + RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000001000 R11: 0000000000000293 R12: 0000000000000001 + R13: 000000000009f000 R14: 0000000000000000 R15: 0000000000001000 + Modules linked in: + ---[ end trace 725fa14a3e1af65c ]--- + +Since commit 3fea5a499d57 ("mm: memcontrol: convert page cache to a new +mem_cgroup_charge() API") not cancel the page charge, the pages maybe +double add to pagecache: +thread1 | thread2 +cifs_readpages +readpages_get_pages + add_to_page_cache_locked(head,index=n)=0 + | readpages_get_pages + | add_to_page_cache_locked(head,index=n+1)=0 + add_to_page_cache_locked(head, index=n+1)=-EEXIST + then, will next loop with list head page's + index=n+1 and the page->mapping not NULL +readpages_get_pages +add_to_page_cache_locked(head, index=n+1) + commit_charge + VM_BUG_ON_PAGE + +So, we should not do the next loop when any page add to page cache +failed. + +Reported-by: Hulk Robot +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Acked-by: Ronnie Sahlberg +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index dca78b6e9ea32..24508b69e78b7 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3531,7 +3531,8 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list, + break; + + __SetPageLocked(page); +- if (add_to_page_cache_locked(page, mapping, page->index, gfp)) { ++ rc = add_to_page_cache_locked(page, mapping, page->index, gfp); ++ if (rc) { + __ClearPageLocked(page); + break; + } +@@ -3547,6 +3548,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + struct list_head *page_list, unsigned num_pages) + { + int rc; ++ int err = 0; + struct list_head tmplist; + struct cifsFileInfo *open_file = file->private_data; + struct cifs_sb_info *cifs_sb = CIFS_FILE_SB(file); +@@ -3587,7 +3589,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + * the order of declining indexes. When we put the pages in + * the rdata->pages, then we want them in increasing order. + */ +- while (!list_empty(page_list)) { ++ while (!list_empty(page_list) && !err) { + unsigned int i, nr_pages, bytes, rsize; + loff_t offset; + struct page *page, *tpage; +@@ -3610,9 +3612,10 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + return 0; + } + +- rc = readpages_get_pages(mapping, page_list, rsize, &tmplist, ++ nr_pages = 0; ++ err = readpages_get_pages(mapping, page_list, rsize, &tmplist, + &nr_pages, &offset, &bytes); +- if (rc) { ++ if (!nr_pages) { + add_credits_and_wake_if(server, credits, 0); + break; + } +-- +2.25.1 + diff --git a/queue-4.9/cifs-properly-process-smb3-lease-breaks.patch b/queue-4.9/cifs-properly-process-smb3-lease-breaks.patch new file mode 100644 index 00000000000..eba5b3fb8e4 --- /dev/null +++ b/queue-4.9/cifs-properly-process-smb3-lease-breaks.patch @@ -0,0 +1,322 @@ +From 3a1671eb7ca38cfdb4a5bb758a31c5d06ff82bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 16:51:19 -0700 +Subject: CIFS: Properly process SMB3 lease breaks + +From: Pavel Shilovsky + +[ Upstream commit 9bd4540836684013aaad6070a65d6fcdd9006625 ] + +Currenly we doesn't assume that a server may break a lease +from RWH to RW which causes us setting a wrong lease state +on a file and thus mistakenly flushing data and byte-range +locks and purging cached data on the client. This leads to +performance degradation because subsequent IOs go directly +to the server. + +Fix this by propagating new lease state and epoch values +to the oplock break handler through cifsFileInfo structure +and removing the use of cifsInodeInfo flags for that. It +allows to avoid some races of several lease/oplock breaks +using those flags in parallel. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsglob.h | 9 ++++++--- + fs/cifs/file.c | 10 +++++++--- + fs/cifs/misc.c | 17 +++-------------- + fs/cifs/smb1ops.c | 8 +++----- + fs/cifs/smb2misc.c | 32 +++++++------------------------- + fs/cifs/smb2ops.c | 44 ++++++++++++++++++++++++++++++-------------- + fs/cifs/smb2pdu.h | 2 +- + 7 files changed, 57 insertions(+), 65 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 7ae21ad420fbf..a12258c32e8a3 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -242,8 +242,9 @@ struct smb_version_operations { + int (*check_message)(char *, unsigned int, struct TCP_Server_Info *); + bool (*is_oplock_break)(char *, struct TCP_Server_Info *); + int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *); +- void (*downgrade_oplock)(struct TCP_Server_Info *, +- struct cifsInodeInfo *, bool); ++ void (*downgrade_oplock)(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); + /* process transaction2 response */ + bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *, + char *, int); +@@ -1080,6 +1081,8 @@ struct cifsFileInfo { + unsigned int f_flags; + bool invalidHandle:1; /* file closed via session abend */ + bool oplock_break_cancelled:1; ++ unsigned int oplock_epoch; /* epoch from the lease break */ ++ __u32 oplock_level; /* oplock/lease level from the lease break */ + int count; + spinlock_t file_info_lock; /* protects four flag/count fields above */ + struct mutex fh_mutex; /* prevents reopen race after dead ses*/ +@@ -1191,7 +1194,7 @@ struct cifsInodeInfo { + unsigned int epoch; /* used to track lease state changes */ + #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */ + #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */ +-#define CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 (2) /* Downgrade oplock to L2 */ ++#define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */ + #define CIFS_INO_DELETE_PENDING (3) /* delete pending on server */ + #define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */ + #define CIFS_INO_LOCK (5) /* lock bit for synchronization */ +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index b2919166855f5..dca78b6e9ea32 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3912,12 +3912,13 @@ void cifs_oplock_break(struct work_struct *work) + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; ++ bool purge_cache = false; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); + +- server->ops->downgrade_oplock(server, cinode, +- test_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, &cinode->flags)); ++ server->ops->downgrade_oplock(server, cinode, cfile->oplock_level, ++ cfile->oplock_epoch, &purge_cache); + + if (!CIFS_CACHE_WRITE(cinode) && CIFS_CACHE_READ(cinode) && + cifs_has_mand_locks(cinode)) { +@@ -3932,18 +3933,21 @@ void cifs_oplock_break(struct work_struct *work) + else + break_lease(inode, O_WRONLY); + rc = filemap_fdatawrite(inode->i_mapping); +- if (!CIFS_CACHE_READ(cinode)) { ++ if (!CIFS_CACHE_READ(cinode) || purge_cache) { + rc = filemap_fdatawait(inode->i_mapping); + mapping_set_error(inode->i_mapping, rc); + cifs_zap_mapping(inode); + } + cifs_dbg(FYI, "Oplock flush inode %p rc %d\n", inode, rc); ++ if (CIFS_CACHE_WRITE(cinode)) ++ goto oplock_break_ack; + } + + rc = cifs_push_locks(cfile); + if (rc) + cifs_dbg(VFS, "Push locks rc = %d\n", rc); + ++oplock_break_ack: + /* + * releasing stale oplock after recent reconnect of smb session using + * a now incorrect file handle is not a data integrity issue but do +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 5e75df69062d8..bdf151e949166 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -481,21 +481,10 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &pCifsInode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (pSMB->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- +- cifs_queue_oplock_break(netfile); ++ netfile->oplock_epoch = 0; ++ netfile->oplock_level = pSMB->OplockLevel; + netfile->oplock_break_cancelled = false; ++ cifs_queue_oplock_break(netfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index 6f5d78b172bac..9a1f01c2f0209 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -378,12 +378,10 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + + static void + cifs_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- cifs_set_oplock_level(cinode, OPLOCK_READ); +- else +- cifs_set_oplock_level(cinode, 0); ++ cifs_set_oplock_level(cinode, oplock); + } + + static bool +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 7b7b47e26dbd4..bddb2d7b39824 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -491,7 +491,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + cifs_dbg(FYI, "found in the open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + if (ack_req) + cfile->oplock_break_cancelled = false; +@@ -500,17 +500,8 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); + +- /* +- * Set or clear flags depending on the lease state being READ. +- * HANDLE caching flag should be added when the client starts +- * to defer closing remote file handles with HANDLE leases. +- */ +- if (lease_state & SMB2_LEASE_READ_CACHING_HE) +- set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); ++ cfile->oplock_level = lease_state; + + cifs_queue_oplock_break(cfile); + kfree(lw); +@@ -533,7 +524,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + cifs_dbg(FYI, "found in the pending open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + open->oplock = lease_state; + } +@@ -645,18 +636,9 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &cinode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (rsp->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = 0; ++ cfile->oplock_level = rsp->OplockLevel; ++ + spin_unlock(&cfile->file_info_lock); + + cifs_queue_oplock_break(cfile); +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index edd4c7292be00..67edd6e03f803 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1379,22 +1379,38 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode, + + static void + smb2_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- server->ops->set_oplock_level(cinode, SMB2_OPLOCK_LEVEL_II, +- 0, NULL); +- else +- server->ops->set_oplock_level(cinode, 0, 0, NULL); ++ server->ops->set_oplock_level(cinode, oplock, 0, NULL); + } + + static void +-smb21_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); ++ ++static void ++smb3_downgrade_oplock(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- server->ops->set_oplock_level(cinode, +- set_level2 ? SMB2_LEASE_READ_CACHING_HE : +- 0, 0, NULL); ++ unsigned int old_state = cinode->oplock; ++ unsigned int old_epoch = cinode->epoch; ++ unsigned int new_state; ++ ++ if (epoch > old_epoch) { ++ smb21_set_oplock_level(cinode, oplock, 0, NULL); ++ cinode->epoch = epoch; ++ } ++ ++ new_state = cinode->oplock; ++ *purge_cache = false; ++ ++ if ((old_state & CIFS_CACHE_READ_FLG) != 0 && ++ (new_state & CIFS_CACHE_READ_FLG) == 0) ++ *purge_cache = true; ++ else if (old_state == new_state && (epoch - old_epoch > 1)) ++ *purge_cache = true; + } + + static void +@@ -1709,7 +1725,7 @@ struct smb_version_operations smb21_operations = { + .print_stats = smb2_print_stats, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb2_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +@@ -1793,7 +1809,7 @@ struct smb_version_operations smb30_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +@@ -1883,7 +1899,7 @@ struct smb_version_operations smb311_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index 1af7afae3ad18..1a0c480745738 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -1025,7 +1025,7 @@ struct smb2_oplock_break { + struct smb2_lease_break { + struct smb2_hdr hdr; + __le16 StructureSize; /* Must be 44 */ +- __le16 Reserved; ++ __le16 Epoch; + __le32 Flags; + __u8 LeaseKey[16]; + __le32 CurrentLeaseState; +-- +2.25.1 + diff --git a/queue-4.9/clk-ti-adpll-allocate-room-for-terminating-null.patch b/queue-4.9/clk-ti-adpll-allocate-room-for-terminating-null.patch new file mode 100644 index 00000000000..f6b4e747091 --- /dev/null +++ b/queue-4.9/clk-ti-adpll-allocate-room-for-terminating-null.patch @@ -0,0 +1,47 @@ +From c15f3f152075ad7c10b884d212604763c5edc6aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 16:06:34 +0200 +Subject: clk/ti/adpll: allocate room for terminating null + +From: Stephen Kitt + +[ Upstream commit 7f6ac72946b88b89ee44c1c527aa8591ac5ffcbe ] + +The buffer allocated in ti_adpll_clk_get_name doesn't account for the +terminating null. This patch switches to devm_kasprintf to avoid +overflowing. + +Signed-off-by: Stephen Kitt +Link: https://lkml.kernel.org/r/20191019140634.15596-1-steve@sk2.org +Acked-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/adpll.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c +index 255cafb18336a..9345eaf00938e 100644 +--- a/drivers/clk/ti/adpll.c ++++ b/drivers/clk/ti/adpll.c +@@ -193,15 +193,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d, + if (err) + return NULL; + } else { +- const char *base_name = "adpll"; +- char *buf; +- +- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + +- strlen(postfix), GFP_KERNEL); +- if (!buf) +- return NULL; +- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); +- name = buf; ++ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s", ++ d->pa, postfix); + } + + return name; +-- +2.25.1 + diff --git a/queue-4.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch b/queue-4.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch new file mode 100644 index 00000000000..154e07f4243 --- /dev/null +++ b/queue-4.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch @@ -0,0 +1,57 @@ +From 5a311fefc4d0ab787c1a9c6b9e328b518dd08294 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 19:27:43 +0530 +Subject: cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn + +From: Pratik Rajesh Sampat + +[ Upstream commit d95fe371ecd28901f11256c610b988ed44e36ee2 ] + +The patch avoids allocating cpufreq_policy on stack hence fixing frame +size overflow in 'powernv_cpufreq_work_fn' + +Fixes: 227942809b52 ("cpufreq: powernv: Restore cpu frequency to policy->cur on unthrottling") +Signed-off-by: Pratik Rajesh Sampat +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200316135743.57735-1-psampat@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernv-cpufreq.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index b4fc65512aad3..c3b05676e0dbe 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -802,6 +802,7 @@ static struct notifier_block powernv_cpufreq_reboot_nb = { + void powernv_cpufreq_work_fn(struct work_struct *work) + { + struct chip *chip = container_of(work, struct chip, throttle); ++ struct cpufreq_policy *policy; + unsigned int cpu; + cpumask_t mask; + +@@ -816,12 +817,14 @@ void powernv_cpufreq_work_fn(struct work_struct *work) + chip->restore = false; + for_each_cpu(cpu, &mask) { + int index; +- struct cpufreq_policy policy; + +- cpufreq_get_policy(&policy, cpu); +- index = cpufreq_table_find_index_c(&policy, policy.cur); +- powernv_cpufreq_target_index(&policy, index); +- cpumask_andnot(&mask, &mask, policy.cpus); ++ policy = cpufreq_cpu_get(cpu); ++ if (!policy) ++ continue; ++ index = cpufreq_table_find_index_c(policy, policy->cur); ++ powernv_cpufreq_target_index(policy, index); ++ cpumask_andnot(&mask, &mask, policy->cpus); ++ cpufreq_cpu_put(policy); + } + out: + put_online_cpus(); +-- +2.25.1 + diff --git a/queue-4.9/debugfs-fix-debug_fs-debugfs_create_automount.patch b/queue-4.9/debugfs-fix-debug_fs-debugfs_create_automount.patch new file mode 100644 index 00000000000..e818952c755 --- /dev/null +++ b/queue-4.9/debugfs-fix-debug_fs-debugfs_create_automount.patch @@ -0,0 +1,63 @@ +From 095ee29ffc72eeb4712fd4b93897c084450ec86d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 19:20:21 +0900 +Subject: debugfs: Fix !DEBUG_FS debugfs_create_automount + +From: Kusanagi Kouichi + +[ Upstream commit 4250b047039d324e0ff65267c8beb5bad5052a86 ] + +If DEBUG_FS=n, compile fails with the following error: + +kernel/trace/trace.c: In function 'tracing_init_dentry': +kernel/trace/trace.c:8658:9: error: passing argument 3 of 'debugfs_create_automount' from incompatible pointer type [-Werror=incompatible-pointer-types] + 8658 | trace_automount, NULL); + | ^~~~~~~~~~~~~~~ + | | + | struct vfsmount * (*)(struct dentry *, void *) +In file included from kernel/trace/trace.c:24: +./include/linux/debugfs.h:206:25: note: expected 'struct vfsmount * (*)(void *)' but argument is of type 'struct vfsmount * (*)(struct dentry *, void *)' + 206 | struct vfsmount *(*f)(void *), + | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~ + +Signed-off-by: Kusanagi Kouichi +Link: https://lore.kernel.org/r/20191121102021787.MLMY.25002.ppp.dion.ne.jp@dmta0003.auone-net.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/debugfs.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h +index b20a0945b5500..7aea750538840 100644 +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -77,6 +77,8 @@ static const struct file_operations __fops = { \ + .llseek = generic_file_llseek, \ + } + ++typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); ++ + #if defined(CONFIG_DEBUG_FS) + + struct dentry *debugfs_create_file(const char *name, umode_t mode, +@@ -96,7 +98,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent); + struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, + const char *dest); + +-typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); + struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, + debugfs_automount_t f, +@@ -211,7 +212,7 @@ static inline struct dentry *debugfs_create_symlink(const char *name, + + static inline struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, +- struct vfsmount *(*f)(void *), ++ debugfs_automount_t f, + void *data) + { + return ERR_PTR(-ENODEV); +-- +2.25.1 + diff --git a/queue-4.9/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch b/queue-4.9/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch new file mode 100644 index 00000000000..2676c353f40 --- /dev/null +++ b/queue-4.9/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch @@ -0,0 +1,39 @@ +From d3b48dc2a11154867a0b48d49cc83bb13422a902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2020 19:33:41 +0300 +Subject: dmaengine: tegra-apb: Prevent race conditions on channel's freeing + +From: Dmitry Osipenko + +[ Upstream commit 8e84172e372bdca20c305d92d51d33640d2da431 ] + +It's incorrect to check the channel's "busy" state without taking a lock. +That shouldn't cause any real troubles, nevertheless it's always better +not to have any race conditions in the code. + +Signed-off-by: Dmitry Osipenko +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/20200209163356.6439-5-digetx@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra20-apb-dma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index 4eaf92b2b8868..909739426f78c 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -1208,8 +1208,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc) + + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id); + +- if (tdc->busy) +- tegra_dma_terminate_all(dc); ++ tegra_dma_terminate_all(dc); + + spin_lock_irqsave(&tdc->lock, flags); + list_splice_init(&tdc->pending_sg_req, &sg_req_list); +-- +2.25.1 + diff --git a/queue-4.9/dmaengine-zynqmp_dma-fix-burst-length-configuration.patch b/queue-4.9/dmaengine-zynqmp_dma-fix-burst-length-configuration.patch new file mode 100644 index 00000000000..6a95e96d8c0 --- /dev/null +++ b/queue-4.9/dmaengine-zynqmp_dma-fix-burst-length-configuration.patch @@ -0,0 +1,91 @@ +From 2291590189c7c08045d4f3b7107713c9416b2c08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 11:22:49 +0100 +Subject: dmaengine: zynqmp_dma: fix burst length configuration + +From: Matthias Fend + +[ Upstream commit cc88525ebffc757e00cc5a5d61da6271646c7f5f ] + +Since the dma engine expects the burst length register content as +power of 2 value, the burst length needs to be converted first. +Additionally add a burst length range check to avoid corrupting unrelated +register bits. + +Signed-off-by: Matthias Fend +Link: https://lore.kernel.org/r/20200115102249.24398-1-matthias.fend@wolfvision.net +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/zynqmp_dma.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index 9069fb8543196..514763dcc3758 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -125,10 +125,12 @@ + /* Max transfer size per descriptor */ + #define ZYNQMP_DMA_MAX_TRANS_LEN 0x40000000 + ++/* Max burst lengths */ ++#define ZYNQMP_DMA_MAX_DST_BURST_LEN 32768U ++#define ZYNQMP_DMA_MAX_SRC_BURST_LEN 32768U ++ + /* Reset values for data attributes */ + #define ZYNQMP_DMA_AXCACHE_VAL 0xF +-#define ZYNQMP_DMA_ARLEN_RST_VAL 0xF +-#define ZYNQMP_DMA_AWLEN_RST_VAL 0xF + + #define ZYNQMP_DMA_SRC_ISSUE_RST_VAL 0x1F + +@@ -527,17 +529,19 @@ static void zynqmp_dma_handle_ovfl_int(struct zynqmp_dma_chan *chan, u32 status) + + static void zynqmp_dma_config(struct zynqmp_dma_chan *chan) + { +- u32 val; ++ u32 val, burst_val; + + val = readl(chan->regs + ZYNQMP_DMA_CTRL0); + val |= ZYNQMP_DMA_POINT_TYPE_SG; + writel(val, chan->regs + ZYNQMP_DMA_CTRL0); + + val = readl(chan->regs + ZYNQMP_DMA_DATA_ATTR); ++ burst_val = __ilog2_u32(chan->src_burst_len); + val = (val & ~ZYNQMP_DMA_ARLEN) | +- (chan->src_burst_len << ZYNQMP_DMA_ARLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_ARLEN_OFST) & ZYNQMP_DMA_ARLEN); ++ burst_val = __ilog2_u32(chan->dst_burst_len); + val = (val & ~ZYNQMP_DMA_AWLEN) | +- (chan->dst_burst_len << ZYNQMP_DMA_AWLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_AWLEN_OFST) & ZYNQMP_DMA_AWLEN); + writel(val, chan->regs + ZYNQMP_DMA_DATA_ATTR); + } + +@@ -551,8 +555,10 @@ static int zynqmp_dma_device_config(struct dma_chan *dchan, + { + struct zynqmp_dma_chan *chan = to_chan(dchan); + +- chan->src_burst_len = config->src_maxburst; +- chan->dst_burst_len = config->dst_maxburst; ++ chan->src_burst_len = clamp(config->src_maxburst, 1U, ++ ZYNQMP_DMA_MAX_SRC_BURST_LEN); ++ chan->dst_burst_len = clamp(config->dst_maxburst, 1U, ++ ZYNQMP_DMA_MAX_DST_BURST_LEN); + + return 0; + } +@@ -968,8 +974,8 @@ static int zynqmp_dma_chan_probe(struct zynqmp_dma_device *zdev, + return PTR_ERR(chan->regs); + + chan->bus_width = ZYNQMP_DMA_BUS_WIDTH_64; +- chan->dst_burst_len = ZYNQMP_DMA_AWLEN_RST_VAL; +- chan->src_burst_len = ZYNQMP_DMA_ARLEN_RST_VAL; ++ chan->dst_burst_len = ZYNQMP_DMA_MAX_DST_BURST_LEN; ++ chan->src_burst_len = ZYNQMP_DMA_MAX_SRC_BURST_LEN; + err = of_property_read_u32(node, "xlnx,bus-width", &chan->bus_width); + if (err < 0) { + dev_err(&pdev->dev, "missing xlnx,bus-width property\n"); +-- +2.25.1 + diff --git a/queue-4.9/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch b/queue-4.9/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch new file mode 100644 index 00000000000..3e42087274e --- /dev/null +++ b/queue-4.9/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch @@ -0,0 +1,78 @@ +From 4e8ab7f6e5469ab2a36cc9b433499d4622752c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 21:04:51 +0530 +Subject: drivers: char: tlclk.c: Avoid data race between init and interrupt + handler + +From: Madhuparna Bhowmik + +[ Upstream commit 44b8fb6eaa7c3fb770bf1e37619cdb3902cca1fc ] + +After registering character device the file operation callbacks can be +called. The open callback registers interrupt handler. +Therefore interrupt handler can execute in parallel with rest of the init +function. To avoid such data race initialize telclk_interrupt variable +and struct alarm_events before registering character device. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200417153451.1551-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/tlclk.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c +index 100cd1de9939d..59e1e94d12c01 100644 +--- a/drivers/char/tlclk.c ++++ b/drivers/char/tlclk.c +@@ -777,17 +777,21 @@ static int __init tlclk_init(void) + { + int ret; + ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); ++ ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); ++ if (!alarm_events) { ++ ret = -ENOMEM; ++ goto out1; ++ } ++ + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops); + if (ret < 0) { + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); ++ kfree(alarm_events); + return ret; + } + tlclk_major = ret; +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); +- if (!alarm_events) { +- ret = -ENOMEM; +- goto out1; +- } + + /* Read telecom clock IRQ number (Set by BIOS) */ + if (!request_region(TLCLK_BASE, 8, "telco_clock")) { +@@ -796,7 +800,6 @@ static int __init tlclk_init(void) + ret = -EBUSY; + goto out2; + } +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); + + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */ + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n", +@@ -837,8 +840,8 @@ out3: + release_region(TLCLK_BASE, 8); + out2: + kfree(alarm_events); +-out1: + unregister_chrdev(tlclk_major, "telco_clock"); ++out1: + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.9/drm-amdgpu-increase-atombios-cmd-timeout.patch b/queue-4.9/drm-amdgpu-increase-atombios-cmd-timeout.patch new file mode 100644 index 00000000000..18e41296258 --- /dev/null +++ b/queue-4.9/drm-amdgpu-increase-atombios-cmd-timeout.patch @@ -0,0 +1,37 @@ +From 4967d0f08e33be581693807c5be3b2af787e903a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2020 17:48:56 +0800 +Subject: drm/amdgpu: increase atombios cmd timeout + +From: John Clements + +[ Upstream commit 1b3460a8b19688ad3033b75237d40fa580a5a953 ] + +mitigates race condition on BACO reset between GPU bootcode and driver reload + +Reviewed-by: Hawking Zhang +Signed-off-by: John Clements +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/atom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index 1b50e6c13fb3f..5fbf99d600587 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -748,8 +748,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg) + cjiffies = jiffies; + if (time_after(cjiffies, ctx->last_jump_jiffies)) { + cjiffies -= ctx->last_jump_jiffies; +- if ((jiffies_to_msecs(cjiffies) > 5000)) { +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n"); ++ if ((jiffies_to_msecs(cjiffies) > 10000)) { ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n"); + ctx->abort = true; + } + } else { +-- +2.25.1 + diff --git a/queue-4.9/drm-omap-fix-possible-object-reference-leak.patch b/queue-4.9/drm-omap-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..0ec2a404afe --- /dev/null +++ b/queue-4.9/drm-omap-fix-possible-object-reference-leak.patch @@ -0,0 +1,60 @@ +From 3efb8a6b932f37934ee0f1361238a655b5a7e37f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2019 10:58:32 +0800 +Subject: drm/omap: fix possible object reference leak + +From: Wen Yang + +[ Upstream commit 47340e46f34a3b1d80e40b43ae3d7a8da34a3541 ] + +The call to of_find_matching_node returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:212:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function. +drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:237:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Reviewed-by: Laurent Pinchart +Reviewed-by: Mukesh Ojha +Cc: Tomi Valkeinen +Cc: David Airlie +Cc: Daniel Vetter +Cc: Sebastian Reichel +Cc: Laurent Pinchart +Cc: dri-devel@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org +Cc: Markus Elfring +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/1554692313-28882-2-git-send-email-wen.yang99@zte.com.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +index 136d30484d023..46111e9ee9a25 100644 +--- a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c ++++ b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +@@ -194,7 +194,7 @@ static int __init omapdss_boot_init(void) + dss = of_find_matching_node(NULL, omapdss_of_match); + + if (dss == NULL || !of_device_is_available(dss)) +- return 0; ++ goto put_node; + + omapdss_walk_device(dss, true); + +@@ -219,6 +219,8 @@ static int __init omapdss_boot_init(void) + kfree(n); + } + ++put_node: ++ of_node_put(dss); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.9/dt-bindings-sound-wm8994-correct-required-supplies-b.patch b/queue-4.9/dt-bindings-sound-wm8994-correct-required-supplies-b.patch new file mode 100644 index 00000000000..68c159e0bb1 --- /dev/null +++ b/queue-4.9/dt-bindings-sound-wm8994-correct-required-supplies-b.patch @@ -0,0 +1,65 @@ +From f0e853cbe95306add2aa7bedd47735b9e8f55a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 15:35:34 +0200 +Subject: dt-bindings: sound: wm8994: Correct required supplies based on actual + implementaion + +From: Krzysztof Kozlowski + +[ Upstream commit 8c149b7d75e53be47648742f40fc90d9fc6fa63a ] + +The required supplies in bindings were actually not matching +implementation making the bindings incorrect and misleading. The Linux +kernel driver requires all supplies to be present. Also for wlf,wm8994 +uses just DBVDD-supply instead of DBVDDn-supply (n: <1,3>). + +Reported-by: Jonathan Bakker +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200501133534.6706-1-krzk@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/sound/wm8994.txt | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt +index 68c4e8d96bed6..b309de00cd836 100644 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt +@@ -14,9 +14,15 @@ Required properties: + - #gpio-cells : Must be 2. The first cell is the pin number and the + second cell is used to specify optional parameters (currently unused). + +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply, +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered +- in Documentation/devicetree/bindings/regulator/regulator.txt ++ - power supplies for the device, as covered in ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending ++ on compatible: ++ - for wlf,wm1811 and wlf,wm8958: ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply ++ - for wlf,wm8994: ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply, ++ SPKVDD1-supply, SPKVDD2-supply + + Optional properties: + +@@ -68,11 +74,11 @@ codec: wm8994@1a { + + lineout1-se; + ++ AVDD1-supply = <®ulator>; + AVDD2-supply = <®ulator>; + CPVDD-supply = <®ulator>; +- DBVDD1-supply = <®ulator>; +- DBVDD2-supply = <®ulator>; +- DBVDD3-supply = <®ulator>; ++ DBVDD-supply = <®ulator>; ++ DCVDD-supply = <®ulator>; + SPKVDD1-supply = <®ulator>; + SPKVDD2-supply = <®ulator>; + }; +-- +2.25.1 + diff --git a/queue-4.9/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch b/queue-4.9/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch new file mode 100644 index 00000000000..05d6e424fa0 --- /dev/null +++ b/queue-4.9/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch @@ -0,0 +1,69 @@ +From 2978aced7e8aa5c458e69756c871e0e5cc560071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 09:35:31 -0700 +Subject: e1000: Do not perform reset in reset_task if we are already down + +From: Alexander Duyck + +[ Upstream commit 49ee3c2ab5234757bfb56a0b3a3cb422f427e3a3 ] + +We are seeing a deadlock in e1000 down when NAPI is being disabled. Looking +over the kernel function trace of the system it appears that the interface +is being closed and then a reset is hitting which deadlocks the interface +as the NAPI interface is already disabled. + +To prevent this from happening I am disabling the reset task when +__E1000_DOWN is already set. In addition code has been added so that we set +the __E1000_DOWN while holding the __E1000_RESET flag in e1000_close in +order to guarantee that the reset task will not run after we have started +the close call. + +Signed-off-by: Alexander Duyck +Tested-by: Maxim Zhukov +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 3b16ee0de246e..c30792b761ee3 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -568,8 +568,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter) + WARN_ON(in_interrupt()); + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags)) + msleep(1); +- e1000_down(adapter); +- e1000_up(adapter); ++ ++ /* only run the task if not already down */ ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) { ++ e1000_down(adapter); ++ e1000_up(adapter); ++ } ++ + clear_bit(__E1000_RESETTING, &adapter->flags); + } + +@@ -1456,10 +1461,15 @@ int e1000_close(struct net_device *netdev) + struct e1000_hw *hw = &adapter->hw; + int count = E1000_CHECK_RESET_COUNT; + +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--) ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--) + usleep_range(10000, 20000); + +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags)); ++ WARN_ON(count < 0); ++ ++ /* signal that we're down so that the reset task will no longer run */ ++ set_bit(__E1000_DOWN, &adapter->flags); ++ clear_bit(__E1000_RESETTING, &adapter->flags); ++ + e1000_down(adapter); + e1000_power_down_phy(adapter); + e1000_free_irq(adapter); +-- +2.25.1 + diff --git a/queue-4.9/ext4-make-dioread_nolock-the-default.patch b/queue-4.9/ext4-make-dioread_nolock-the-default.patch new file mode 100644 index 00000000000..429bf026b7b --- /dev/null +++ b/queue-4.9/ext4-make-dioread_nolock-the-default.patch @@ -0,0 +1,54 @@ +From 0d0769c52abf72aab1318637b331f2a89d0a2098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 12:23:17 -0500 +Subject: ext4: make dioread_nolock the default + +From: Theodore Ts'o + +[ Upstream commit 244adf6426ee31a83f397b700d964cff12a247d3 ] + +This fixes the direct I/O versus writeback race which can reveal stale +data, and it improves the tail latency of commits on slow devices. + +Link: https://lore.kernel.org/r/20200125022254.1101588-1-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 472fa29c6f604..b1fd544929f7e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1367,6 +1367,7 @@ static const match_table_t tokens = { + {Opt_auto_da_alloc, "auto_da_alloc"}, + {Opt_noauto_da_alloc, "noauto_da_alloc"}, + {Opt_dioread_nolock, "dioread_nolock"}, ++ {Opt_dioread_lock, "nodioread_nolock"}, + {Opt_dioread_lock, "dioread_lock"}, + {Opt_discard, "discard"}, + {Opt_nodiscard, "nodiscard"}, +@@ -3548,6 +3549,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + set_opt(sb, NO_UID32); + /* xattr user namespace & acls are now defaulted on */ + set_opt(sb, XATTR_USER); ++ set_opt(sb, DIOREAD_NOLOCK); + #ifdef CONFIG_EXT4_FS_POSIX_ACL + set_opt(sb, POSIX_ACL); + #endif +@@ -3616,9 +3618,8 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount; + + if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) { +- printk_once(KERN_WARNING "EXT4-fs: Warning: mounting " +- "with data=journal disables delayed " +- "allocation and O_DIRECT support!\n"); ++ printk_once(KERN_WARNING "EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, and O_DIRECT support!\n"); ++ clear_opt(sb, DIOREAD_NOLOCK); + if (test_opt2(sb, EXPLICIT_DELALLOC)) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "both data=journal and delalloc"); +-- +2.25.1 + diff --git a/queue-4.9/fuse-don-t-check-refcount-after-stealing-page.patch b/queue-4.9/fuse-don-t-check-refcount-after-stealing-page.patch new file mode 100644 index 00000000000..a0abbfd95aa --- /dev/null +++ b/queue-4.9/fuse-don-t-check-refcount-after-stealing-page.patch @@ -0,0 +1,35 @@ +From 88cda0d776865e93b50604f289e45197df80dee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 14:50:37 +0200 +Subject: fuse: don't check refcount after stealing page + +From: Miklos Szeredi + +[ Upstream commit 32f98877c57bee6bc27f443a96f49678a2cd6a50 ] + +page_count() is unstable. Unless there has been an RCU grace period +between when the page was removed from the page cache and now, a +speculative reference may exist from the page cache. + +Reported-by: Matthew Wilcox +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index b99225e117120..f0129c033bd66 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -825,7 +825,6 @@ static int fuse_check_page(struct page *page) + { + if (page_mapcount(page) || + page->mapping != NULL || +- page_count(page) != 1 || + (page->flags & PAGE_FLAGS_CHECK_AT_PREP & + ~(1 << PG_locked | + 1 << PG_referenced | +-- +2.25.1 + diff --git a/queue-4.9/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch b/queue-4.9/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch new file mode 100644 index 00000000000..7deac41e242 --- /dev/null +++ b/queue-4.9/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch @@ -0,0 +1,37 @@ +From 32bae30f8a7c32d397709e83273851a858e14b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 23:29:53 -0500 +Subject: gma/gma500: fix a memory disclosure bug due to uninitialized bytes + +From: Kangjie Lu + +[ Upstream commit 57a25a5f754ce27da2cfa6f413cfd366f878db76 ] + +`best_clock` is an object that may be sent out. Object `clock` +contains uninitialized bytes that are copied to `best_clock`, +which leads to memory disclosure and information leak. + +Signed-off-by: Kangjie Lu +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191018042953.31099-1-kjlu@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c +index 17db4b4749d5a..2e8479744ca4a 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c +@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit, + struct gma_crtc *gma_crtc = to_gma_crtc(crtc); + struct gma_clock_t clock; + ++ memset(&clock, 0, sizeof(clock)); ++ + switch (refclk) { + case 27000: + if (target < 200000) { +-- +2.25.1 + diff --git a/queue-4.9/i2c-core-call-i2c_acpi_install_space_handler-before-.patch b/queue-4.9/i2c-core-call-i2c_acpi_install_space_handler-before-.patch new file mode 100644 index 00000000000..ae8823dddc1 --- /dev/null +++ b/queue-4.9/i2c-core-call-i2c_acpi_install_space_handler-before-.patch @@ -0,0 +1,45 @@ +From c35cd86f26a7ae4b8504578002f0a6d2bbb3e40b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 12:32:33 +0200 +Subject: i2c: core: Call i2c_acpi_install_space_handler() before + i2c_acpi_register_devices() + +From: Hans de Goede + +[ Upstream commit 21653a4181ff292480599dad996a2b759ccf050f ] + +Some ACPI i2c-devices _STA method (which is used to detect if the device +is present) use autodetection code which probes which device is present +over i2c. This requires the I2C ACPI OpRegion handler to be registered +before we enumerate i2c-clients under the i2c-adapter. + +This fixes the i2c touchpad on the Lenovo ThinkBook 14-IIL and +ThinkBook 15 IIL not getting an i2c-client instantiated and thus not +working. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1842039 +Signed-off-by: Hans de Goede +Reviewed-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index 80d82c6792d8d..4fd7bfda2f9de 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -1858,8 +1858,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap) + + /* create pre-declared device nodes */ + of_i2c_register_devices(adap); +- i2c_acpi_register_devices(adap); + i2c_acpi_install_space_handler(adap); ++ i2c_acpi_register_devices(adap); + + if (adap->nr < __i2c_first_dynamic_bus_num) + i2c_scan_static_board_info(adap); +-- +2.25.1 + diff --git a/queue-4.9/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch b/queue-4.9/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch new file mode 100644 index 00000000000..81d349b4b96 --- /dev/null +++ b/queue-4.9/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch @@ -0,0 +1,48 @@ +From 26982358839be56b9c21d70f986267c2147ae053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 16:50:53 -0800 +Subject: kernel/sys.c: avoid copying possible padding bytes in copy_to_user + +From: Joe Perches + +[ Upstream commit 5e1aada08cd19ea652b2d32a250501d09b02ff2e ] + +Initialization is not guaranteed to zero padding bytes so use an +explicit memset instead to avoid leaking any kernel content in any +possible padding bytes. + +Link: http://lkml.kernel.org/r/dfa331c00881d61c8ee51577a082d8bebd61805c.camel@perches.com +Signed-off-by: Joe Perches +Cc: Dan Carpenter +Cc: Julia Lawall +Cc: Thomas Gleixner +Cc: Kees Cook +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 157277cbf83aa..546cdc911dad4 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1183,11 +1183,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- struct oldold_utsname tmp = {}; ++ struct oldold_utsname tmp; + + if (!name) + return -EFAULT; + ++ memset(&tmp, 0, sizeof(tmp)); ++ + down_read(&uts_sem); + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); +-- +2.25.1 + diff --git a/queue-4.9/kvm-fix-overflow-of-zero-page-refcount-with-ksm-runn.patch b/queue-4.9/kvm-fix-overflow-of-zero-page-refcount-with-ksm-runn.patch new file mode 100644 index 00000000000..141f1446b28 --- /dev/null +++ b/queue-4.9/kvm-fix-overflow-of-zero-page-refcount-with-ksm-runn.patch @@ -0,0 +1,118 @@ +From ae2812f9e4db6a4a89e60a0466cb7b5dd59d8497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2019 11:37:31 +0800 +Subject: KVM: fix overflow of zero page refcount with ksm running +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhuang Yanying + +[ Upstream commit 7df003c85218b5f5b10a7f6418208f31e813f38f ] + +We are testing Virtual Machine with KSM on v5.4-rc2 kernel, +and found the zero_page refcount overflow. +The cause of refcount overflow is increased in try_async_pf +(get_user_page) without being decreased in mmu_set_spte() +while handling ept violation. +In kvm_release_pfn_clean(), only unreserved page will call +put_page. However, zero page is reserved. +So, as well as creating and destroy vm, the refcount of +zero page will continue to increase until it overflows. + +step1: +echo 10000 > /sys/kernel/pages_to_scan/pages_to_scan +echo 1 > /sys/kernel/pages_to_scan/run +echo 1 > /sys/kernel/pages_to_scan/use_zero_pages + +step2: +just create several normal qemu kvm vms. +And destroy it after 10s. +Repeat this action all the time. + +After a long period of time, all domains hang because +of the refcount of zero page overflow. + +Qemu print error log as follow: + … + error: kvm run failed Bad address + EAX=00006cdc EBX=00000008 ECX=80202001 EDX=078bfbfd + ESI=ffffffff EDI=00000000 EBP=00000008 ESP=00006cc4 + EIP=000efd75 EFL=00010002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 + ES =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA] + CS =0008 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA] + SS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA] + DS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA] + FS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA] + GS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA] + LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT + TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy + GDT= 000f7070 00000037 + IDT= 000f70ae 00000000 + CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000 + DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 + DR6=00000000ffff0ff0 DR7=0000000000000400 + EFER=0000000000000000 + Code=00 01 00 00 00 e9 e8 00 00 00 c7 05 4c 55 0f 00 01 00 00 00 <8b> 35 00 00 01 00 8b 3d 04 00 01 00 b8 d8 d3 00 00 c1 e0 08 0c ea a3 00 00 01 00 c7 05 04 + … + +Meanwhile, a kernel warning is departed. + + [40914.836375] WARNING: CPU: 3 PID: 82067 at ./include/linux/mm.h:987 try_get_page+0x1f/0x30 + [40914.836412] CPU: 3 PID: 82067 Comm: CPU 0/KVM Kdump: loaded Tainted: G OE 5.2.0-rc2 #5 + [40914.836415] RIP: 0010:try_get_page+0x1f/0x30 + [40914.836417] Code: 40 00 c3 0f 1f 84 00 00 00 00 00 48 8b 47 08 a8 01 75 11 8b 47 34 85 c0 7e 10 f0 ff 47 34 b8 01 00 00 00 c3 48 8d 78 ff eb e9 <0f> 0b 31 c0 c3 66 90 66 2e 0f 1f 84 00 0 + 0 00 00 00 48 8b 47 08 a8 + [40914.836418] RSP: 0018:ffffb4144e523988 EFLAGS: 00010286 + [40914.836419] RAX: 0000000080000000 RBX: 0000000000000326 RCX: 0000000000000000 + [40914.836420] RDX: 0000000000000000 RSI: 00004ffdeba10000 RDI: ffffdf07093f6440 + [40914.836421] RBP: ffffdf07093f6440 R08: 800000424fd91225 R09: 0000000000000000 + [40914.836421] R10: ffff9eb41bfeebb8 R11: 0000000000000000 R12: ffffdf06bbd1e8a8 + [40914.836422] R13: 0000000000000080 R14: 800000424fd91225 R15: ffffdf07093f6440 + [40914.836423] FS: 00007fb60ffff700(0000) GS:ffff9eb4802c0000(0000) knlGS:0000000000000000 + [40914.836425] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [40914.836426] CR2: 0000000000000000 CR3: 0000002f220e6002 CR4: 00000000003626e0 + [40914.836427] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [40914.836427] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [40914.836428] Call Trace: + [40914.836433] follow_page_pte+0x302/0x47b + [40914.836437] __get_user_pages+0xf1/0x7d0 + [40914.836441] ? irq_work_queue+0x9/0x70 + [40914.836443] get_user_pages_unlocked+0x13f/0x1e0 + [40914.836469] __gfn_to_pfn_memslot+0x10e/0x400 [kvm] + [40914.836486] try_async_pf+0x87/0x240 [kvm] + [40914.836503] tdp_page_fault+0x139/0x270 [kvm] + [40914.836523] kvm_mmu_page_fault+0x76/0x5e0 [kvm] + [40914.836588] vcpu_enter_guest+0xb45/0x1570 [kvm] + [40914.836632] kvm_arch_vcpu_ioctl_run+0x35d/0x580 [kvm] + [40914.836645] kvm_vcpu_ioctl+0x26e/0x5d0 [kvm] + [40914.836650] do_vfs_ioctl+0xa9/0x620 + [40914.836653] ksys_ioctl+0x60/0x90 + [40914.836654] __x64_sys_ioctl+0x16/0x20 + [40914.836658] do_syscall_64+0x5b/0x180 + [40914.836664] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [40914.836666] RIP: 0033:0x7fb61cb6bfc7 + +Signed-off-by: LinFeng +Signed-off-by: Zhuang Yanying +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + virt/kvm/kvm_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 010d8aee9346b..5bddabb3de7c3 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -154,6 +154,7 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn) + */ + if (pfn_valid(pfn)) + return PageReserved(pfn_to_page(pfn)) && ++ !is_zero_pfn(pfn) && + !kvm_is_zone_device_pfn(pfn); + + return true; +-- +2.25.1 + diff --git a/queue-4.9/kvm-remove-create_irqchip-set_pit2-race.patch b/queue-4.9/kvm-remove-create_irqchip-set_pit2-race.patch new file mode 100644 index 00000000000..5832d992ecb --- /dev/null +++ b/queue-4.9/kvm-remove-create_irqchip-set_pit2-race.patch @@ -0,0 +1,64 @@ +From 5eb9ddbe89067d64ef797065105089b0922d5ac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 12:11:52 -0700 +Subject: KVM: Remove CREATE_IRQCHIP/SET_PIT2 race + +From: Steve Rutherford + +[ Upstream commit 7289fdb5dcdbc5155b5531529c44105868a762f2 ] + +Fixes a NULL pointer dereference, caused by the PIT firing an interrupt +before the interrupt table has been initialized. + +SET_PIT2 can race with the creation of the IRQchip. In particular, +if SET_PIT2 is called with a low PIT timer period (after the creation of +the IOAPIC, but before the instantiation of the irq routes), the PIT can +fire an interrupt at an uninitialized table. + +Signed-off-by: Steve Rutherford +Signed-off-by: Jon Cargille +Reviewed-by: Jim Mattson +Message-Id: <20200416191152.259434-1-jcargill@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 6b7faa14c27bb..3c0f9be107e42 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4263,10 +4263,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps, argp, sizeof u.ps)) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit_out; + r = kvm_vm_ioctl_set_pit(kvm, &u.ps); ++set_pit_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_GET_PIT2: { +@@ -4286,10 +4289,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2))) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit2_out; + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2); ++set_pit2_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_REINJECT_CONTROL: { +-- +2.25.1 + diff --git a/queue-4.9/kvm-x86-fix-incorrect-comparison-in-trace-event.patch b/queue-4.9/kvm-x86-fix-incorrect-comparison-in-trace-event.patch new file mode 100644 index 00000000000..23e9ec405a6 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-incorrect-comparison-in-trace-event.patch @@ -0,0 +1,34 @@ +From 6d3d5052b79eb770b764171f250b8e94c340aaa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2020 18:24:48 +0100 +Subject: KVM: x86: fix incorrect comparison in trace event + +From: Paolo Bonzini + +[ Upstream commit 147f1a1fe5d7e6b01b8df4d0cbd6f9eaf6b6c73b ] + +The "u" field in the event has three states, -1/0/1. Using u8 however means that +comparison with -1 will always fail, so change to signed char. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/mmutrace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h +index 756b14ecc957a..df1076b0eabf3 100644 +--- a/arch/x86/kvm/mmutrace.h ++++ b/arch/x86/kvm/mmutrace.h +@@ -336,7 +336,7 @@ TRACE_EVENT( + /* These depend on page entry type, so compute them now. */ + __field(bool, r) + __field(bool, x) +- __field(u8, u) ++ __field(signed char, u) + ), + + TP_fast_assign( +-- +2.25.1 + diff --git a/queue-4.9/m68k-q40-fix-info-leak-in-rtc_ioctl.patch b/queue-4.9/m68k-q40-fix-info-leak-in-rtc_ioctl.patch new file mode 100644 index 00000000000..5cb5c7d381e --- /dev/null +++ b/queue-4.9/m68k-q40-fix-info-leak-in-rtc_ioctl.patch @@ -0,0 +1,40 @@ +From e3826fd76b7d572e307654d67ded15d5c9514db1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 20:15:44 +0800 +Subject: m68k: q40: Fix info-leak in rtc_ioctl + +From: Fuqian Huang + +[ Upstream commit 7cf78b6b12fd5550545e4b73b35dca18bd46b44c ] + +When the option is RTC_PLL_GET, pll will be copied to userland +via copy_to_user. pll is initialized using mach_get_rtc_pll indirect +call and mach_get_rtc_pll is only assigned with function +q40_get_rtc_pll in arch/m68k/q40/config.c. +In function q40_get_rtc_pll, the field pll_ctrl is not initialized. +This will leak uninitialized stack content to userland. +Fix this by zeroing the uninitialized field. + +Signed-off-by: Fuqian Huang +Link: https://lore.kernel.org/r/20190927121544.7650-1-huangfq.daxian@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/q40/config.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c +index ea89a24f46000..cc0f924bbdd2d 100644 +--- a/arch/m68k/q40/config.c ++++ b/arch/m68k/q40/config.c +@@ -303,6 +303,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll) + { + int tmp = Q40_RTC_CTRL; + ++ pll->pll_ctrl = 0; + pll->pll_value = tmp & Q40_RTC_PLL_MASK; + if (tmp & Q40_RTC_PLL_SIGN) + pll->pll_value = -pll->pll_value; +-- +2.25.1 + diff --git a/queue-4.9/media-go7007-fix-urb-type-for-interrupt-handling.patch b/queue-4.9/media-go7007-fix-urb-type-for-interrupt-handling.patch new file mode 100644 index 00000000000..7489137dbeb --- /dev/null +++ b/queue-4.9/media-go7007-fix-urb-type-for-interrupt-handling.patch @@ -0,0 +1,58 @@ +From f0f57e27b686b5cf87a6a4e2de99c7a95d0f7832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2020 16:45:27 +0100 +Subject: media: go7007: Fix URB type for interrupt handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e ] + +Josef reported that his old-and-good Plextor ConvertX M402U video +converter spews lots of WARNINGs on the recent kernels, and it turned +out that the device uses a bulk endpoint for interrupt handling just +like 2250 board. + +For fixing it, generalize the check with the proper verification of +the endpoint instead of hard-coded board type check. + +Fixes: 7e5219d18e93 ("[media] go7007: Fix 2250 urb type") +Reported-and-tested-by: Josef Möllers +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427 + +Signed-off-by: Takashi Iwai +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index ed9bcaf08d5ec..ddfaabd4c0813 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf, + struct go7007_usb *usb; + const struct go7007_usb_board *board; + struct usb_device *usbdev = interface_to_usbdev(intf); ++ struct usb_host_endpoint *ep; + unsigned num_i2c_devs; + char *name; + int video_pipe, i, v_urb_len; +@@ -1147,7 +1148,8 @@ static int go7007_usb_probe(struct usb_interface *intf, + if (usb->intr_urb->transfer_buffer == NULL) + goto allocfail; + +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250) ++ ep = usb->usbdev->ep_in[4]; ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, + usb_rcvbulkpipe(usb->usbdev, 4), + usb->intr_urb->transfer_buffer, 2*sizeof(u16), +-- +2.25.1 + diff --git a/queue-4.9/media-tda10071-fix-unsigned-sign-extension-overflow.patch b/queue-4.9/media-tda10071-fix-unsigned-sign-extension-overflow.patch new file mode 100644 index 00000000000..26d89791b93 --- /dev/null +++ b/queue-4.9/media-tda10071-fix-unsigned-sign-extension-overflow.patch @@ -0,0 +1,52 @@ +From 68da30aa2d5f655bfe85e0941e10ad727207d84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2020 15:26:46 +0100 +Subject: media: tda10071: fix unsigned sign extension overflow + +From: Colin Ian King + +[ Upstream commit a7463e2dc698075132de9905b89f495df888bb79 ] + +The shifting of buf[3] by 24 bits to the left will be promoted to +a 32 bit signed int and then sign-extended to an unsigned long. In +the unlikely event that the the top bit of buf[3] is set then all +then all the upper bits end up as also being set because of +the sign-extension and this affect the ev->post_bit_error sum. +Fix this by using the temporary u32 variable bit_error to avoid +the sign-extension promotion. This also removes the need to do the +computation twice. + +Addresses-Coverity: ("Unintended sign extension") + +Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tda10071.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c +index 37ebeef2bbd0b..43343091ea93e 100644 +--- a/drivers/media/dvb-frontends/tda10071.c ++++ b/drivers/media/dvb-frontends/tda10071.c +@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status) + goto error; + + if (dev->delivery_system == SYS_DVBS) { +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 | ++ buf[2] << 8 | buf[3] << 0; ++ ++ dev->dvbv3_ber = bit_error; ++ dev->post_bit_error += bit_error; + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER; + c->post_bit_error.stat[0].uvalue = dev->post_bit_error; + dev->block_error += buf[4] << 8 | buf[5] << 0; +-- +2.25.1 + diff --git a/queue-4.9/media-ti-vpe-cal-restrict-dma-to-avoid-memory-corrup.patch b/queue-4.9/media-ti-vpe-cal-restrict-dma-to-avoid-memory-corrup.patch new file mode 100644 index 00000000000..e411bb4aaae --- /dev/null +++ b/queue-4.9/media-ti-vpe-cal-restrict-dma-to-avoid-memory-corrup.patch @@ -0,0 +1,58 @@ +From 9ee0561501038282f22539a14376db73471f758f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 15:53:33 +0100 +Subject: media: ti-vpe: cal: Restrict DMA to avoid memory corruption + +From: Nikhil Devshatwar + +[ Upstream commit 6e72eab2e7b7a157d554b8f9faed7676047be7c1 ] + +When setting DMA for video capture from CSI channel, if the DMA size +is not given, it ends up writing as much data as sent by the camera. + +This may lead to overwriting the buffers causing memory corruption. +Observed green lines on the default framebuffer. + +Restrict the DMA to maximum height as specified in the S_FMT ioctl. + +Signed-off-by: Nikhil Devshatwar +Signed-off-by: Benoit Parrot +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/cal.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c +index 563b9636ab63b..803e0794ca131 100644 +--- a/drivers/media/platform/ti-vpe/cal.c ++++ b/drivers/media/platform/ti-vpe/cal.c +@@ -690,12 +690,13 @@ static void pix_proc_config(struct cal_ctx *ctx) + } + + static void cal_wr_dma_config(struct cal_ctx *ctx, +- unsigned int width) ++ unsigned int width, unsigned int height) + { + u32 val; + + val = reg_read(ctx->dev, CAL_WR_DMA_CTRL(ctx->csi2_port)); + set_field(&val, ctx->csi2_port, CAL_WR_DMA_CTRL_CPORT_MASK); ++ set_field(&val, height, CAL_WR_DMA_CTRL_YSIZE_MASK); + set_field(&val, CAL_WR_DMA_CTRL_DTAG_PIX_DAT, + CAL_WR_DMA_CTRL_DTAG_MASK); + set_field(&val, CAL_WR_DMA_CTRL_MODE_CONST, +@@ -1321,7 +1322,8 @@ static int cal_start_streaming(struct vb2_queue *vq, unsigned int count) + csi2_lane_config(ctx); + csi2_ctx_config(ctx); + pix_proc_config(ctx); +- cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline); ++ cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline, ++ ctx->v_fmt.fmt.pix.height); + cal_wr_dma_addr(ctx, addr); + csi2_ppi_enable(ctx); + +-- +2.25.1 + diff --git a/queue-4.9/mfd-mfd-core-protect-against-null-call-back-function.patch b/queue-4.9/mfd-mfd-core-protect-against-null-call-back-function.patch new file mode 100644 index 00000000000..b40bb0cb612 --- /dev/null +++ b/queue-4.9/mfd-mfd-core-protect-against-null-call-back-function.patch @@ -0,0 +1,52 @@ +From a1924f241d66df0f3db694ba79de26fd23a6c518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 10:16:34 +0100 +Subject: mfd: mfd-core: Protect against NULL call-back function pointer + +From: Lee Jones + +[ Upstream commit b195e101580db390f50b0d587b7f66f241d2bc88 ] + +If a child device calls mfd_cell_{en,dis}able() without an appropriate +call-back being set, we are likely to encounter a panic. Avoid this +by adding suitable checking. + +Signed-off-by: Lee Jones +Reviewed-by: Daniel Thompson +Reviewed-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 5c8ed2150c8bf..fb687368ac98c 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -32,6 +32,11 @@ int mfd_cell_enable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->enable) { ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n"); ++ return 0; ++ } ++ + /* only call enable hook if the cell wasn't previously enabled */ + if (atomic_inc_return(cell->usage_count) == 1) + err = cell->enable(pdev); +@@ -49,6 +54,11 @@ int mfd_cell_disable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->disable) { ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n"); ++ return 0; ++ } ++ + /* only disable if no other clients are using it */ + if (atomic_dec_return(cell->usage_count) == 0) + err = cell->disable(pdev); +-- +2.25.1 + diff --git a/queue-4.9/mm-filemap.c-clear-page-error-before-actual-read.patch b/queue-4.9/mm-filemap.c-clear-page-error-before-actual-read.patch new file mode 100644 index 00000000000..c57855665eb --- /dev/null +++ b/queue-4.9/mm-filemap.c-clear-page-error-before-actual-read.patch @@ -0,0 +1,147 @@ +From a9e380c0bae3d57d80f5748d1fc12ec7296100cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 21:04:47 -0700 +Subject: mm/filemap.c: clear page error before actual read + +From: Xianting Tian + +[ Upstream commit faffdfa04fa11ccf048cebdde73db41ede0679e0 ] + +Mount failure issue happens under the scenario: Application forked dozens +of threads to mount the same number of cramfs images separately in docker, +but several mounts failed with high probability. Mount failed due to the +checking result of the page(read from the superblock of loop dev) is not +uptodate after wait_on_page_locked(page) returned in function cramfs_read: + + wait_on_page_locked(page); + if (!PageUptodate(page)) { + ... + } + +The reason of the checking result of the page not uptodate: systemd-udevd +read the loopX dev before mount, because the status of loopX is Lo_unbound +at this time, so loop_make_request directly trigger the calling of io_end +handler end_buffer_async_read, which called SetPageError(page). So It +caused the page can't be set to uptodate in function +end_buffer_async_read: + + if(page_uptodate && !PageError(page)) { + SetPageUptodate(page); + } + +Then mount operation is performed, it used the same page which is just +accessed by systemd-udevd above, Because this page is not uptodate, it +will launch a actual read via submit_bh, then wait on this page by calling +wait_on_page_locked(page). When the I/O of the page done, io_end handler +end_buffer_async_read is called, because no one cleared the page +error(during the whole read path of mount), which is caused by +systemd-udevd reading, so this page is still in "PageError" status, which +can't be set to uptodate in function end_buffer_async_read, then caused +mount failure. + +But sometimes mount succeed even through systemd-udeved read loopX dev +just before, The reason is systemd-udevd launched other loopX read just +between step 3.1 and 3.2, the steps as below: + +1, loopX dev default status is Lo_unbound; +2, systemd-udved read loopX dev (page is set to PageError); +3, mount operation + 1) set loopX status to Lo_bound; + ==>systemd-udevd read loopX dev<== + 2) read loopX dev(page has no error) + 3) mount succeed + +As the loopX dev status is set to Lo_bound after step 3.1, so the other +loopX dev read by systemd-udevd will go through the whole I/O stack, part +of the call trace as below: + + SYS_read + vfs_read + do_sync_read + blkdev_aio_read + generic_file_aio_read + do_generic_file_read: + ClearPageError(page); + mapping->a_ops->readpage(filp, page); + +here, mapping->a_ops->readpage() is blkdev_readpage. In latest kernel, +some function name changed, the call trace as below: + + blkdev_read_iter + generic_file_read_iter + generic_file_buffered_read: + /* + * A previous I/O error may have been due to temporary + * failures, eg. mutipath errors. + * Pg_error will be set again if readpage fails. + */ + ClearPageError(page); + /* Start the actual read. The read will unlock the page*/ + error=mapping->a_ops->readpage(flip, page); + +We can see ClearPageError(page) is called before the actual read, +then the read in step 3.2 succeed. + +This patch is to add the calling of ClearPageError just before the actual +read of read path of cramfs mount. Without the patch, the call trace as +below when performing cramfs mount: + + do_mount + cramfs_read + cramfs_blkdev_read + read_cache_page + do_read_cache_page: + filler(data, page); + or + mapping->a_ops->readpage(data, page); + +With the patch, the call trace as below when performing mount: + + do_mount + cramfs_read + cramfs_blkdev_read + read_cache_page: + do_read_cache_page: + ClearPageError(page); <== new add + filler(data, page); + or + mapping->a_ops->readpage(data, page); + +With the patch, mount operation trigger the calling of +ClearPageError(page) before the actual read, the page has no error if no +additional page error happen when I/O done. + +Signed-off-by: Xianting Tian +Signed-off-by: Andrew Morton +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Jan Kara +Cc: +Link: http://lkml.kernel.org/r/1583318844-22971-1-git-send-email-xianting_tian@126.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/filemap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/mm/filemap.c b/mm/filemap.c +index b046d8f147e20..05af91f495f53 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2474,6 +2474,14 @@ filler: + unlock_page(page); + goto out; + } ++ ++ /* ++ * A previous I/O error may have been due to temporary ++ * failures. ++ * Clear page error before actual read, PG_error will be ++ * set again if read page fails. ++ */ ++ ClearPageError(page); + goto filler; + + out: +-- +2.25.1 + diff --git a/queue-4.9/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch b/queue-4.9/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch new file mode 100644 index 00000000000..1faae30c1ba --- /dev/null +++ b/queue-4.9/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch @@ -0,0 +1,62 @@ +From 57c4969d12ae3e95c505e33f2f1a72a7304f66e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 14:32:48 -0700 +Subject: mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area + +From: Jaewon Kim + +[ Upstream commit 09ef5283fd96ac424ef0e569626f359bf9ab86c9 ] + +On passing requirement to vm_unmapped_area, arch_get_unmapped_area and +arch_get_unmapped_area_topdown did not set align_offset. Internally on +both unmapped_area and unmapped_area_topdown, if info->align_mask is 0, +then info->align_offset was meaningless. + +But commit df529cabb7a2 ("mm: mmap: add trace point of +vm_unmapped_area") always prints info->align_offset even though it is +uninitialized. + +Fix this uninitialized value issue by setting it to 0 explicitly. + +Before: + vm_unmapped_area: addr=0x755b155000 err=0 total_vm=0x15aaf0 flags=0x1 len=0x109000 lo=0x8000 hi=0x75eed48000 mask=0x0 ofs=0x4022 + +After: + vm_unmapped_area: addr=0x74a4ca1000 err=0 total_vm=0x168ab1 flags=0x1 len=0x9000 lo=0x8000 hi=0x753d94b000 mask=0x0 ofs=0x0 + +Signed-off-by: Jaewon Kim +Signed-off-by: Andrew Morton +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox (Oracle) +Cc: Michel Lespinasse +Cc: Borislav Petkov +Link: http://lkml.kernel.org/r/20200409094035.19457-1-jaewon31.kim@samsung.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 7109f886e739e..7c8815636c482 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2028,6 +2028,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.low_limit = mm->mmap_base; + info.high_limit = TASK_SIZE; + info.align_mask = 0; ++ info.align_offset = 0; + return vm_unmapped_area(&info); + } + #endif +@@ -2069,6 +2070,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = mm->mmap_base; + info.align_mask = 0; ++ info.align_offset = 0; + addr = vm_unmapped_area(&info); + + /* +-- +2.25.1 + diff --git a/queue-4.9/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch b/queue-4.9/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch new file mode 100644 index 00000000000..f15ac28a899 --- /dev/null +++ b/queue-4.9/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch @@ -0,0 +1,73 @@ +From a4b714861925c5097e69d7a3f9820b778516ed42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2020 17:35:58 -0800 +Subject: mm: pagewalk: fix termination condition in walk_pte_range() + +From: Steven Price + +[ Upstream commit c02a98753e0a36ba65a05818626fa6adeb4e7c97 ] + +If walk_pte_range() is called with a 'end' argument that is beyond the +last page of memory (e.g. ~0UL) then the comparison between 'addr' and +'end' will always fail and the loop will be infinite. Instead change the +comparison to >= while accounting for overflow. + +Link: http://lkml.kernel.org/r/20191218162402.45610-15-steven.price@arm.com +Signed-off-by: Steven Price +Cc: Albert Ou +Cc: Alexandre Ghiti +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arnd Bergmann +Cc: Benjamin Herrenschmidt +Cc: Borislav Petkov +Cc: Catalin Marinas +Cc: Christian Borntraeger +Cc: Dave Hansen +Cc: David S. Miller +Cc: Heiko Carstens +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: James Hogan +Cc: James Morse +Cc: Jerome Glisse +Cc: "Liang, Kan" +Cc: Mark Rutland +Cc: Michael Ellerman +Cc: Paul Burton +Cc: Paul Mackerras +Cc: Paul Walmsley +Cc: Peter Zijlstra +Cc: Ralf Baechle +Cc: Russell King +Cc: Thomas Gleixner +Cc: Vasily Gorbik +Cc: Vineet Gupta +Cc: Will Deacon +Cc: Zong Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/pagewalk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mm/pagewalk.c b/mm/pagewalk.c +index d95341cffc2f6..8d6290502631a 100644 +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -14,9 +14,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk); + if (err) + break; +- addr += PAGE_SIZE; +- if (addr == end) ++ if (addr >= end - PAGE_SIZE) + break; ++ addr += PAGE_SIZE; + pte++; + } + +-- +2.25.1 + diff --git a/queue-4.9/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch b/queue-4.9/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch new file mode 100644 index 00000000000..c82d154f06f --- /dev/null +++ b/queue-4.9/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch @@ -0,0 +1,37 @@ +From 68eb77ad49dbcc4dfd54e45275ca8961080e220d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 10:36:37 +0800 +Subject: mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of + cfi_amdstd_setup() + +From: Hou Tao + +[ Upstream commit 03976af89e3bd9489d542582a325892e6a8cacc0 ] + +Else there may be a double-free problem, because cfi->cfiq will +be freed by mtd_do_chip_probe() if both the two invocations of +check_cmd_set() return failure. + +Signed-off-by: Hou Tao +Reviewed-by: Richard Weinberger +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Sasha Levin +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 00ba09fa6f16d..3c4819a05bf03 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -722,7 +722,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd) + kfree(mtd->eraseregions); + kfree(mtd); + kfree(cfi->cmdset_priv); +- kfree(cfi->cfiq); + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.9/mtd-parser-cmdline-support-mtd-names-containing-one-.patch b/queue-4.9/mtd-parser-cmdline-support-mtd-names-containing-one-.patch new file mode 100644 index 00000000000..a2b6c15ba67 --- /dev/null +++ b/queue-4.9/mtd-parser-cmdline-support-mtd-names-containing-one-.patch @@ -0,0 +1,63 @@ +From 7a7b02395e3ec16595cd473d99e15c73c4f9ffec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 09:53:47 -0700 +Subject: mtd: parser: cmdline: Support MTD names containing one or more colons + +From: Boris Brezillon + +[ Upstream commit eb13fa0227417e84aecc3bd9c029d376e33474d3 ] + +Looks like some drivers define MTD names with a colon in it, thus +making mtdpart= parsing impossible. Let's fix the parser to gracefully +handle that case: the last ':' in a partition definition sequence is +considered instead of the first one. + +Signed-off-by: Boris Brezillon +Signed-off-by: Ron Minnich +Tested-by: Ron Minnich +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/cmdlinepart.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c +index fbd5affc0acfe..04fd845de05fb 100644 +--- a/drivers/mtd/cmdlinepart.c ++++ b/drivers/mtd/cmdlinepart.c +@@ -228,12 +228,29 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id; ++ char *p, *mtd_id, *semicol; ++ ++ /* ++ * Replace the first ';' by a NULL char so strrchr can work ++ * properly. ++ */ ++ semicol = strchr(s, ';'); ++ if (semicol) ++ *semicol = '\0'; + + mtd_id = s; + +- /* fetch */ +- p = strchr(s, ':'); ++ /* ++ * fetch . We use strrchr to ignore all ':' that could ++ * be present in the MTD name, only the last one is interpreted ++ * as an / separator. ++ */ ++ p = strrchr(s, ':'); ++ ++ /* Restore the ';' now. */ ++ if (semicol) ++ *semicol = ';'; ++ + if (!p) { + pr_err("no mtd-id\n"); + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.9/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch b/queue-4.9/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch new file mode 100644 index 00000000000..2800af6a10e --- /dev/null +++ b/queue-4.9/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch @@ -0,0 +1,36 @@ +From 2f940897238270422d67a387539248368c82f83f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 18:40:06 +0800 +Subject: mtd: rawnand: omap_elm: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 37f7212148cf1d796135cdf8d0c7fee13067674b ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200522104008.28340-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/omap_elm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mtd/nand/omap_elm.c b/drivers/mtd/nand/omap_elm.c +index a3f32f939cc17..6736777a41567 100644 +--- a/drivers/mtd/nand/omap_elm.c ++++ b/drivers/mtd/nand/omap_elm.c +@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + if (pm_runtime_get_sync(&pdev->dev) < 0) { + ret = -EINVAL; ++ pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + dev_err(&pdev->dev, "can't enable clock\n"); + return ret; +-- +2.25.1 + diff --git a/queue-4.9/neigh_stat_seq_next-should-increase-position-index.patch b/queue-4.9/neigh_stat_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..f8db2c6e0ed --- /dev/null +++ b/queue-4.9/neigh_stat_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From a5f7f234c54b2168883150d0f5f929d7f5e8979a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 10:11:28 +0300 +Subject: neigh_stat_seq_next() should increase position index + +From: Vasily Averin + +[ Upstream commit 1e3f9f073c47bee7c23e77316b07bc12338c5bba ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 6578d1f8e6c4a..d267dc04d9f74 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2797,6 +2797,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return per_cpu_ptr(tbl->stats, cpu); + } ++ (*pos)++; + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.9/objtool-fix-noreturn-detection-for-ignored-functions.patch b/queue-4.9/objtool-fix-noreturn-detection-for-ignored-functions.patch new file mode 100644 index 00000000000..8a1fff8cfee --- /dev/null +++ b/queue-4.9/objtool-fix-noreturn-detection-for-ignored-functions.patch @@ -0,0 +1,57 @@ +From 4f522ecb1ec6b53b14dd0dfd7e3e06d77fadaee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:24:57 -0500 +Subject: objtool: Fix noreturn detection for ignored functions + +From: Josh Poimboeuf + +[ Upstream commit db6c6a0df840e3f52c84cc302cc1a08ba11a4416 ] + +When a function is annotated with STACK_FRAME_NON_STANDARD, objtool +doesn't validate its code paths. It also skips sibling call detection +within the function. + +But sibling call detection is actually needed for the case where the +ignored function doesn't have any return instructions. Otherwise +objtool naively marks the function as implicit static noreturn, which +affects the reachability of its callers, resulting in "unreachable +instruction" warnings. + +Fix it by just enabling sibling call detection for ignored functions. +The 'insn->ignore' check in add_jump_destinations() is no longer needed +after + + e6da9567959e ("objtool: Don't use ignore flag for fake jumps"). + +Fixes the following warning: + + arch/x86/kvm/vmx/vmx.o: warning: objtool: vmx_handle_exit_irqoff()+0x142: unreachable instruction + +which triggers on an allmodconfig with CONFIG_GCOV_KERNEL unset. + +Reported-by: Linus Torvalds +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +Acked-by: Linus Torvalds +Link: https://lkml.kernel.org/r/5b1e2536cdbaa5246b60d7791b76130a74082c62.1599751464.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index c7399d7f4bc77..31c512f19662e 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -502,7 +502,7 @@ static int add_jump_destinations(struct objtool_file *file) + insn->type != INSN_JUMP_UNCONDITIONAL) + continue; + +- if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET) ++ if (insn->offset == FAKE_JUMP_OFFSET) + continue; + + rela = find_rela_by_dest_range(insn->sec, insn->offset, +-- +2.25.1 + diff --git a/queue-4.9/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch b/queue-4.9/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch new file mode 100644 index 00000000000..50006029fdc --- /dev/null +++ b/queue-4.9/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch @@ -0,0 +1,68 @@ +From 325278eeabba8b2d8b482faa6661aeddd32593d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 15:19:16 +0300 +Subject: perf kcore_copy: Fix module map when there are no modules loaded + +From: Adrian Hunter + +[ Upstream commit 61f82e3fb697a8e85f22fdec786528af73dc36d1 ] + +In the absence of any modules, no "modules" map is created, but there +are other executable pages to map, due to eBPF JIT, kprobe or ftrace. +Map them by recognizing that the first "module" symbol is not +necessarily from a module, and adjust the map accordingly. + +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Leo Yan +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Mathieu Poirier +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: x86@kernel.org +Link: http://lore.kernel.org/lkml/20200512121922.8997-10-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 5a50326c8158f..e155783c601ab 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1421,6 +1421,7 @@ struct kcore_copy_info { + u64 first_symbol; + u64 last_symbol; + u64 first_module; ++ u64 first_module_symbol; + u64 last_module_symbol; + struct phdr_data kernel_map; + struct phdr_data modules_map; +@@ -1435,6 +1436,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type, + return 0; + + if (strchr(name, '[')) { ++ if (!kci->first_module_symbol || start < kci->first_module_symbol) ++ kci->first_module_symbol = start; + if (start > kci->last_module_symbol) + kci->last_module_symbol = start; + return 0; +@@ -1559,6 +1562,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir, + kci->etext += page_size; + } + ++ if (kci->first_module_symbol && ++ (!kci->first_module || kci->first_module_symbol < kci->first_module)) ++ kci->first_module = kci->first_module_symbol; ++ + kci->first_module = round_down(kci->first_module, page_size); + + if (kci->last_module_symbol) { +-- +2.25.1 + diff --git a/queue-4.9/perf-util-fix-memory-leak-of-prefix_if_not_in.patch b/queue-4.9/perf-util-fix-memory-leak-of-prefix_if_not_in.patch new file mode 100644 index 00000000000..2958d7aac1d --- /dev/null +++ b/queue-4.9/perf-util-fix-memory-leak-of-prefix_if_not_in.patch @@ -0,0 +1,42 @@ +From dd6701b6e975e66ec23c9ef4ee2dbb95f43ae99a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 21:32:17 +0800 +Subject: perf util: Fix memory leak of prefix_if_not_in + +From: Xie XiuQi + +[ Upstream commit 07e9a6f538cbeecaf5c55b6f2991416f873cdcbd ] + +Need to free "str" before return when asprintf() failed to avoid memory +leak. + +Signed-off-by: Xie XiuQi +Cc: Alexander Shishkin +Cc: Hongbo Yao +Cc: Jiri Olsa +Cc: Li Bin +Cc: Mark Rutland +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/20200521133218.30150-4-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/sort.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 031e64ce71564..013e3f5102258 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -2532,7 +2532,7 @@ static char *prefix_if_not_in(const char *pre, char *str) + return str; + + if (asprintf(&n, "%s,%s", pre, str) < 0) +- return NULL; ++ n = NULL; + + free(str); + return n; +-- +2.25.1 + diff --git a/queue-4.9/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch b/queue-4.9/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch new file mode 100644 index 00000000000..fb0dfb05c64 --- /dev/null +++ b/queue-4.9/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch @@ -0,0 +1,43 @@ +From a60dde9aaf775735a3dcadf03200c5014db1292a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 10:36:33 -0700 +Subject: phy: samsung: s5pv210-usb2: Add delay after reset + +From: Jonathan Bakker + +[ Upstream commit 05942b8c36c7eb5d3fc5e375d4b0d0c49562e85d ] + +The USB phy takes some time to reset, so make sure we give it to it. The +delay length was taken from the 4x12 phy driver. + +This manifested in issues with the DWC2 driver since commit fe369e1826b3 +("usb: dwc2: Make dwc2_readl/writel functions endianness-agnostic.") +where the endianness check would read the DWC ID as 0 due to the phy still +resetting, resulting in the wrong endian mode being chosen. + +Signed-off-by: Jonathan Bakker +Link: https://lore.kernel.org/r/BN6PR04MB06605D52502816E500683553A3D10@BN6PR04MB0660.namprd04.prod.outlook.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/phy-s5pv210-usb2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/phy/phy-s5pv210-usb2.c b/drivers/phy/phy-s5pv210-usb2.c +index 004d320767e4d..bb36cfd4e3e90 100644 +--- a/drivers/phy/phy-s5pv210-usb2.c ++++ b/drivers/phy/phy-s5pv210-usb2.c +@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on) + udelay(10); + rst &= ~rstbits; + writel(rst, drv->reg_phy + S5PV210_UPHYRST); ++ /* The following delay is necessary for the reset sequence to be ++ * completed ++ */ ++ udelay(80); + } else { + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR); + pwr |= phypwr; +-- +2.25.1 + diff --git a/queue-4.9/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch b/queue-4.9/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch new file mode 100644 index 00000000000..11fd68b5497 --- /dev/null +++ b/queue-4.9/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch @@ -0,0 +1,47 @@ +From f02b850a835ee820d3c1d5ca9f42053fba44a488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 00:56:03 +0300 +Subject: PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out + +From: Dmitry Osipenko + +[ Upstream commit 53b4b2aeee26f42cde5ff2a16dd0d8590c51a55a ] + +There is another kHz-conversion bug in the code, resulting in integer +overflow. Although, this time the resulting value is 4294966296 and it's +close to ULONG_MAX, which is okay in this case. + +Reviewed-by: Chanwoo Choi +Tested-by: Peter Geis +Signed-off-by: Dmitry Osipenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/tegra-devfreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c +index fe9dce0245bf0..a20267d93f8a4 100644 +--- a/drivers/devfreq/tegra-devfreq.c ++++ b/drivers/devfreq/tegra-devfreq.c +@@ -79,6 +79,8 @@ + + #define KHZ 1000 + ++#define KHZ_MAX (ULONG_MAX / KHZ) ++ + /* Assume that the bus is saturated if the utilization is 25% */ + #define BUS_SATURATION_RATIO 25 + +@@ -179,7 +181,7 @@ struct tegra_actmon_emc_ratio { + }; + + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = { +- { 1400000, ULONG_MAX }, ++ { 1400000, KHZ_MAX }, + { 1200000, 750000 }, + { 1100000, 600000 }, + { 1000000, 500000 }, +-- +2.25.1 + diff --git a/queue-4.9/printk-handle-blank-console-arguments-passed-in.patch b/queue-4.9/printk-handle-blank-console-arguments-passed-in.patch new file mode 100644 index 00000000000..f449213c086 --- /dev/null +++ b/queue-4.9/printk-handle-blank-console-arguments-passed-in.patch @@ -0,0 +1,45 @@ +From 07201a37aa44ea453116f5ea12cdd91689ddf00f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 16:53:06 +1000 +Subject: printk: handle blank console arguments passed in. + +From: Shreyas Joshi + +[ Upstream commit 48021f98130880dd74286459a1ef48b5e9bc374f ] + +If uboot passes a blank string to console_setup then it results in +a trashed memory. Ultimately, the kernel crashes during freeing up +the memory. + +This fix checks if there is a blank parameter being +passed to console_setup from uboot. In case it detects that +the console parameter is blank then it doesn't setup the serial +device and it gracefully exits. + +Link: https://lore.kernel.org/r/20200522065306.83-1-shreyas.joshi@biamp.com +Signed-off-by: Shreyas Joshi +Acked-by: Sergey Senozhatsky +[pmladek@suse.com: Better format the commit message and code, remove unnecessary brackets.] +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index c1873d325ebda..7acae2f2478d9 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2035,6 +2035,9 @@ static int __init console_setup(char *str) + char *s, *options, *brl_options = NULL; + int idx; + ++ if (str[0] == 0) ++ return 1; ++ + if (_braille_console_setup(&str, &brl_options)) + return 1; + +-- +2.25.1 + diff --git a/queue-4.9/rdma-i40iw-fix-potential-use-after-free.patch b/queue-4.9/rdma-i40iw-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..d8c423ff9d1 --- /dev/null +++ b/queue-4.9/rdma-i40iw-fix-potential-use-after-free.patch @@ -0,0 +1,39 @@ +From cd14b0d29ab05bbce4bfacfe362f413c4ac2942a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 14:44:11 +0800 +Subject: RDMA/i40iw: Fix potential use after free + +From: Pan Bian + +[ Upstream commit da046d5f895fca18d63b15ac8faebd5bf784e23a ] + +Release variable dst after logging dst->error to avoid possible use after +free. + +Link: https://lore.kernel.org/r/1573022651-37171-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index 282a726351c81..ce1a4817ab923 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2036,9 +2036,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev, + dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr); + if (!dst || dst->error) { + if (dst) { +- dst_release(dst); + i40iw_pr_err("ip6_route_output returned dst->error = %d\n", + dst->error); ++ dst_release(dst); + } + return rc; + } +-- +2.25.1 + diff --git a/queue-4.9/rdma-iw_cgxb4-fix-an-error-handling-path-in-c4iw_con.patch b/queue-4.9/rdma-iw_cgxb4-fix-an-error-handling-path-in-c4iw_con.patch new file mode 100644 index 00000000000..5f7f7bcf0da --- /dev/null +++ b/queue-4.9/rdma-iw_cgxb4-fix-an-error-handling-path-in-c4iw_con.patch @@ -0,0 +1,44 @@ +From 39e428c118b259cf934f9f1ce81cbb403c992582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2019 21:07:46 +0200 +Subject: RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' + +From: Christophe JAILLET + +[ Upstream commit 9067f2f0b41d7e817fc8c5259bab1f17512b0147 ] + +We should jump to fail3 in order to undo the 'xa_insert_irq()' call. + +Link: https://lore.kernel.org/r/20190923190746.10964-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index a04a53acb24ff..a60e1c1b4b5e8 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3245,7 +3245,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (raddr->sin_addr.s_addr == htonl(INADDR_ANY)) { + err = pick_local_ipaddrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +@@ -3267,7 +3267,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (ipv6_addr_type(&raddr6->sin6_addr) == IPV6_ADDR_ANY) { + err = pick_local_ip6addrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +-- +2.25.1 + diff --git a/queue-4.9/rdma-rxe-fix-configuration-of-atomic-queue-pair-attr.patch b/queue-4.9/rdma-rxe-fix-configuration-of-atomic-queue-pair-attr.patch new file mode 100644 index 00000000000..70399e6ef2d --- /dev/null +++ b/queue-4.9/rdma-rxe-fix-configuration-of-atomic-queue-pair-attr.patch @@ -0,0 +1,76 @@ +From ecdbb8e3d49db5b9fd8fa7b7b0532153fe74e875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2020 12:57:14 -0800 +Subject: RDMA/rxe: Fix configuration of atomic queue pair attributes + +From: Bart Van Assche + +[ Upstream commit fb3063d31995cc4cf1d47a406bb61d6fb1b1d58d ] + +From the comment above the definition of the roundup_pow_of_two() macro: + + The result is undefined when n == 0. + +Hence only pass positive values to roundup_pow_of_two(). This patch fixes +the following UBSAN complaint: + + UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13 + shift exponent 64 is too large for 64-bit type 'long unsigned int' + Call Trace: + dump_stack+0xa5/0xe6 + ubsan_epilogue+0x9/0x26 + __ubsan_handle_shift_out_of_bounds.cold+0x4c/0xf9 + rxe_qp_from_attr.cold+0x37/0x5d [rdma_rxe] + rxe_modify_qp+0x59/0x70 [rdma_rxe] + _ib_modify_qp+0x5aa/0x7c0 [ib_core] + ib_modify_qp+0x3b/0x50 [ib_core] + cma_modify_qp_rtr+0x234/0x260 [rdma_cm] + __rdma_accept+0x1a7/0x650 [rdma_cm] + nvmet_rdma_cm_handler+0x1286/0x14cd [nvmet_rdma] + cma_cm_event_handler+0x6b/0x330 [rdma_cm] + cma_ib_req_handler+0xe60/0x22d0 [rdma_cm] + cm_process_work+0x30/0x140 [ib_cm] + cm_req_handler+0x11f4/0x1cd0 [ib_cm] + cm_work_handler+0xb8/0x344e [ib_cm] + process_one_work+0x569/0xb60 + worker_thread+0x7a/0x5d0 + kthread+0x1e6/0x210 + ret_from_fork+0x24/0x30 + +Link: https://lore.kernel.org/r/20200217205714.26937-1-bvanassche@acm.org +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Signed-off-by: Bart Van Assche +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index d6672127808b7..186da467060cc 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -597,15 +597,16 @@ int rxe_qp_from_attr(struct rxe_qp *qp, struct ib_qp_attr *attr, int mask, + struct ib_gid_attr sgid_attr; + + if (mask & IB_QP_MAX_QP_RD_ATOMIC) { +- int max_rd_atomic = __roundup_pow_of_two(attr->max_rd_atomic); ++ int max_rd_atomic = attr->max_rd_atomic ? ++ roundup_pow_of_two(attr->max_rd_atomic) : 0; + + qp->attr.max_rd_atomic = max_rd_atomic; + atomic_set(&qp->req.rd_atomic, max_rd_atomic); + } + + if (mask & IB_QP_MAX_DEST_RD_ATOMIC) { +- int max_dest_rd_atomic = +- __roundup_pow_of_two(attr->max_dest_rd_atomic); ++ int max_dest_rd_atomic = attr->max_dest_rd_atomic ? ++ roundup_pow_of_two(attr->max_dest_rd_atomic) : 0; + + qp->attr.max_dest_rd_atomic = max_dest_rd_atomic; + +-- +2.25.1 + diff --git a/queue-4.9/rt_cpu_seq_next-should-increase-position-index.patch b/queue-4.9/rt_cpu_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..a235bb2c012 --- /dev/null +++ b/queue-4.9/rt_cpu_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From f36a37fdc92abf034bf9ee9d9344cc889ce5468f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 10:11:35 +0300 +Subject: rt_cpu_seq_next should increase position index + +From: Vasily Averin + +[ Upstream commit a3ea86739f1bc7e121d921842f0f4a8ab1af94d9 ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index c8c51bd2d695b..e9aae4686536a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return &per_cpu(rt_cache_stat, cpu); + } ++ (*pos)++; + return NULL; + + } +-- +2.25.1 + diff --git a/queue-4.9/s390-init-add-missing-__init-annotations.patch b/queue-4.9/s390-init-add-missing-__init-annotations.patch new file mode 100644 index 00000000000..73e23736bb4 --- /dev/null +++ b/queue-4.9/s390-init-add-missing-__init-annotations.patch @@ -0,0 +1,55 @@ +From f8134aee9c7e3a4affe3a275512c46c5709836d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:27:25 +0200 +Subject: s390/init: add missing __init annotations + +From: Ilya Leoshkevich + +[ Upstream commit fcb2b70cdb194157678fb1a75f9ff499aeba3d2a ] + +Add __init to reserve_memory_end, reserve_oldmem and remove_oldmem. +Sometimes these functions are not inlined, and then the build +complains about section mismatch. + +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index a559908d180ec..ce49c2b9db7ee 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -529,7 +529,7 @@ static struct notifier_block kdump_mem_nb = { + /* + * Make sure that the area behind memory_end is protected + */ +-static void reserve_memory_end(void) ++static void __init reserve_memory_end(void) + { + #ifdef CONFIG_CRASH_DUMP + if (ipl_info.type == IPL_TYPE_FCP_DUMP && +@@ -547,7 +547,7 @@ static void reserve_memory_end(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void reserve_oldmem(void) ++static void __init reserve_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +@@ -559,7 +559,7 @@ static void reserve_oldmem(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void remove_oldmem(void) ++static void __init remove_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +-- +2.25.1 + diff --git a/queue-4.9/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch b/queue-4.9/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch new file mode 100644 index 00000000000..dbf4fabfc09 --- /dev/null +++ b/queue-4.9/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch @@ -0,0 +1,59 @@ +From 9283f92ae7b88d2adffa912ee4829dcbc4ee7f07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2019 11:51:58 +0530 +Subject: scsi: aacraid: fix illegal IO beyond last LBA + +From: Balsundar P + +[ Upstream commit c86fbe484c10b2cd1e770770db2d6b2c88801c1d ] + +The driver fails to handle data when read or written beyond device reported +LBA, which triggers kernel panic + +Link: https://lore.kernel.org/r/1571120524-6037-2-git-send-email-balsundar.p@microsemi.com +Signed-off-by: Balsundar P +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/aachba.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c +index 065f11a1964d4..39deea8601d68 100644 +--- a/drivers/scsi/aacraid/aachba.c ++++ b/drivers/scsi/aacraid/aachba.c +@@ -1929,13 +1929,13 @@ static int aac_read(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n", +@@ -2023,13 +2023,13 @@ static int aac_write(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n", +-- +2.25.1 + diff --git a/queue-4.9/scsi-lpfc-fix-coverity-errors-in-fmdi-attribute-hand.patch b/queue-4.9/scsi-lpfc-fix-coverity-errors-in-fmdi-attribute-hand.patch new file mode 100644 index 00000000000..be4ce25738d --- /dev/null +++ b/queue-4.9/scsi-lpfc-fix-coverity-errors-in-fmdi-attribute-hand.patch @@ -0,0 +1,541 @@ +From f75506b272885da4bacf6eeb51bd92c8679d8fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2020 16:23:07 -0800 +Subject: scsi: lpfc: Fix coverity errors in fmdi attribute handling + +From: James Smart + +[ Upstream commit 4cb9e1ddaa145be9ed67b6a7de98ca705a43f998 ] + +Coverity reported a memory corruption error for the fdmi attributes +routines: + + CID 15768 [Memory Corruption] Out-of-bounds access on FDMI + +Sloppy coding of the fmdi structures. In both the lpfc_fdmi_attr_def and +lpfc_fdmi_reg_port_list structures, a field was placed at the start of +payload that may have variable content. The field was given an arbitrary +type (uint32_t). The code then uses the field name to derive an address, +which it used in things such as memset and memcpy. The memset sizes or +memcpy lengths were larger than the arbitrary type, thus coverity reported +an error. + +Fix by replacing the arbitrary fields with the real field structures +describing the payload. + +Link: https://lore.kernel.org/r/20200128002312.16346-8-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_ct.c | 137 ++++++++++++++++++------------------ + drivers/scsi/lpfc/lpfc_hw.h | 36 +++++----- + 2 files changed, 85 insertions(+), 88 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 52afbcff362f9..b7940fffca637 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1541,8 +1541,8 @@ lpfc_fdmi_hba_attr_wwnn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -1558,8 +1558,8 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* This string MUST be consistent with other FC platforms + * supported by Broadcom. +@@ -1583,8 +1583,8 @@ lpfc_fdmi_hba_attr_sn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->SerialNumber, + sizeof(ae->un.AttrString)); +@@ -1605,8 +1605,8 @@ lpfc_fdmi_hba_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -1626,8 +1626,8 @@ lpfc_fdmi_hba_attr_description(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelDesc, + sizeof(ae->un.AttrString)); +@@ -1649,8 +1649,8 @@ lpfc_fdmi_hba_attr_hdw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t i, j, incr, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* Convert JEDEC ID to ascii for hardware version */ + incr = vp->rev.biuRev; +@@ -1679,8 +1679,8 @@ lpfc_fdmi_hba_attr_drvr_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, lpfc_release_version, + sizeof(ae->un.AttrString)); +@@ -1701,8 +1701,8 @@ lpfc_fdmi_hba_attr_rom_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); +@@ -1726,8 +1726,8 @@ lpfc_fdmi_hba_attr_fmw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); + len = strnlen(ae->un.AttrString, +@@ -1746,8 +1746,8 @@ lpfc_fdmi_hba_attr_os_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s %s %s", + init_utsname()->sysname, +@@ -1769,7 +1769,7 @@ lpfc_fdmi_hba_attr_ct_len(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = cpu_to_be32(LPFC_MAX_CT_SIZE); + size = FOURBYTES + sizeof(uint32_t); +@@ -1785,8 +1785,8 @@ lpfc_fdmi_hba_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_node_name(vport, + ae->un.AttrString, 256); +@@ -1804,7 +1804,7 @@ lpfc_fdmi_hba_attr_vendor_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Nothing is defined for this currently */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -1821,7 +1821,7 @@ lpfc_fdmi_hba_attr_num_ports(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Each driver instance corresponds to a single port */ + ae->un.AttrInt = cpu_to_be32(1); +@@ -1838,8 +1838,8 @@ lpfc_fdmi_hba_attr_fabric_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_nodename, + sizeof(struct lpfc_name)); +@@ -1857,8 +1857,8 @@ lpfc_fdmi_hba_attr_bios_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); + len = strnlen(ae->un.AttrString, +@@ -1877,7 +1877,7 @@ lpfc_fdmi_hba_attr_bios_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Driver doesn't have access to this information */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -1894,8 +1894,8 @@ lpfc_fdmi_hba_attr_vendor_id(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "EMULEX", + sizeof(ae->un.AttrString)); +@@ -1916,8 +1916,8 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +@@ -1936,7 +1936,7 @@ lpfc_fdmi_port_attr_support_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = 0; + if (!(phba->hba_flag & HBA_FCOE_MODE)) { +@@ -1986,7 +1986,7 @@ lpfc_fdmi_port_attr_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + if (!(phba->hba_flag & HBA_FCOE_MODE)) { + switch (phba->fc_linkspeed) { +@@ -2050,7 +2050,7 @@ lpfc_fdmi_port_attr_max_frame(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + hsp = (struct serv_parm *)&vport->fc_sparam; + ae->un.AttrInt = (((uint32_t) hsp->cmn.bbRcvSizeMsb) << 8) | +@@ -2070,8 +2070,8 @@ lpfc_fdmi_port_attr_os_devname(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), + "/sys/class/scsi_host/host%d", shost->host_no); +@@ -2091,8 +2091,8 @@ lpfc_fdmi_port_attr_host_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s", + init_utsname()->nodename); +@@ -2112,8 +2112,8 @@ lpfc_fdmi_port_attr_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2130,8 +2130,8 @@ lpfc_fdmi_port_attr_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName, + sizeof(struct lpfc_name)); +@@ -2148,8 +2148,8 @@ lpfc_fdmi_port_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_port_name(vport, ae->un.AttrString, 256); + len += (len & 3) ? (4 - (len & 3)) : 4; +@@ -2167,7 +2167,7 @@ lpfc_fdmi_port_attr_port_type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + if (phba->fc_topology == LPFC_TOPOLOGY_LOOP) + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTTYPE_NLPORT); + else +@@ -2185,7 +2185,7 @@ lpfc_fdmi_port_attr_class(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(FC_COS_CLASS2 | FC_COS_CLASS3); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2200,8 +2200,8 @@ lpfc_fdmi_port_attr_fabric_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_portname, + sizeof(struct lpfc_name)); +@@ -2218,8 +2218,8 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +@@ -2237,7 +2237,7 @@ lpfc_fdmi_port_attr_port_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + /* Link Up - operational */ + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTSTATE_ONLINE); + size = FOURBYTES + sizeof(uint32_t); +@@ -2253,7 +2253,7 @@ lpfc_fdmi_port_attr_num_disc(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + vport->fdmi_num_disc = lpfc_find_map_node(vport); + ae->un.AttrInt = cpu_to_be32(vport->fdmi_num_disc); + size = FOURBYTES + sizeof(uint32_t); +@@ -2269,7 +2269,7 @@ lpfc_fdmi_port_attr_nportid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(vport->fc_myDID); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2284,8 +2284,8 @@ lpfc_fdmi_smart_attr_service(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Initiator", + sizeof(ae->un.AttrString)); +@@ -2305,8 +2305,8 @@ lpfc_fdmi_smart_attr_guid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrString, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2326,8 +2326,8 @@ lpfc_fdmi_smart_attr_version(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Version 2.0", + sizeof(ae->un.AttrString)); +@@ -2348,8 +2348,8 @@ lpfc_fdmi_smart_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -2368,7 +2368,7 @@ lpfc_fdmi_smart_attr_port_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* SRIOV (type 3) is not supported */ + if (vport->vpi) +@@ -2388,7 +2388,7 @@ lpfc_fdmi_smart_attr_qos(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(0); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2403,7 +2403,7 @@ lpfc_fdmi_smart_attr_security(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(1); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2551,7 +2551,8 @@ lpfc_fdmi_cmd(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Registered Port List */ + /* One entry (port) per adapter */ + rh->rpl.EntryCnt = cpu_to_be32(1); +- memcpy(&rh->rpl.pe, &phba->pport->fc_sparam.portName, ++ memcpy(&rh->rpl.pe.PortName, ++ &phba->pport->fc_sparam.portName, + sizeof(struct lpfc_name)); + + /* point to the HBA attribute block */ +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index 3b970d3706008..daab21f940fb8 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -1289,25 +1289,8 @@ struct fc_rdp_res_frame { + /* lpfc_sli_ct_request defines the CT_IU preamble for FDMI commands */ + #define SLI_CT_FDMI_Subtypes 0x10 /* Management Service Subtype */ + +-/* +- * Registered Port List Format +- */ +-struct lpfc_fdmi_reg_port_list { +- uint32_t EntryCnt; +- uint32_t pe; /* Variable-length array */ +-}; +- +- + /* Definitions for HBA / Port attribute entries */ + +-struct lpfc_fdmi_attr_def { /* Defined in TLV format */ +- /* Structure is in Big Endian format */ +- uint32_t AttrType:16; +- uint32_t AttrLen:16; +- uint32_t AttrValue; /* Marks start of Value (ATTRIBUTE_ENTRY) */ +-}; +- +- + /* Attribute Entry */ + struct lpfc_fdmi_attr_entry { + union { +@@ -1318,7 +1301,13 @@ struct lpfc_fdmi_attr_entry { + } un; + }; + +-#define LPFC_FDMI_MAX_AE_SIZE sizeof(struct lpfc_fdmi_attr_entry) ++struct lpfc_fdmi_attr_def { /* Defined in TLV format */ ++ /* Structure is in Big Endian format */ ++ uint32_t AttrType:16; ++ uint32_t AttrLen:16; ++ /* Marks start of Value (ATTRIBUTE_ENTRY) */ ++ struct lpfc_fdmi_attr_entry AttrValue; ++} __packed; + + /* + * HBA Attribute Block +@@ -1342,13 +1331,20 @@ struct lpfc_fdmi_hba_ident { + struct lpfc_name PortName; + }; + ++/* ++ * Registered Port List Format ++ */ ++struct lpfc_fdmi_reg_port_list { ++ uint32_t EntryCnt; ++ struct lpfc_fdmi_port_entry pe; ++} __packed; ++ + /* + * Register HBA(RHBA) + */ + struct lpfc_fdmi_reg_hba { + struct lpfc_fdmi_hba_ident hi; +- struct lpfc_fdmi_reg_port_list rpl; /* variable-length array */ +-/* struct lpfc_fdmi_attr_block ab; */ ++ struct lpfc_fdmi_reg_port_list rpl; + }; + + /* +-- +2.25.1 + diff --git a/queue-4.9/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch b/queue-4.9/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch new file mode 100644 index 00000000000..0d39767f211 --- /dev/null +++ b/queue-4.9/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch @@ -0,0 +1,58 @@ +From 6991b13c988d90af984e4d096fe5209ab6a1cd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2020 16:23:01 -0800 +Subject: scsi: lpfc: Fix RQ buffer leakage when no IOCBs available + +From: James Smart + +[ Upstream commit 39c4f1a965a9244c3ba60695e8ff8da065ec6ac4 ] + +The driver is occasionally seeing the following SLI Port error, requiring +reset and reinit: + + Port Status Event: ... error 1=0x52004a01, error 2=0x218 + +The failure means an RQ timeout. That is, the adapter had received +asynchronous receive frames, ran out of buffer slots to place the frames, +and the driver did not replenish the buffer slots before a timeout +occurred. The driver should not be so slow in replenishing buffers that a +timeout can occur. + +When the driver received all the frames of a sequence, it allocates an IOCB +to put the frames in. In a situation where there was no IOCB available for +the frame of a sequence, the RQ buffer corresponding to the first frame of +the sequence was not returned to the FW. Eventually, with enough traffic +encountering the situation, the timeout occurred. + +Fix by releasing the buffer back to firmware whenever there is no IOCB for +the first frame. + +[mkp: typo] + +Link: https://lore.kernel.org/r/20200128002312.16346-2-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 1c34dc3355498..08c76c361e8dc 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -15648,6 +15648,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf) + list_add_tail(&iocbq->list, &first_iocbq->list); + } + } ++ /* Free the sequence's header buffer */ ++ if (!first_iocbq) ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf); ++ + return first_iocbq; + } + +-- +2.25.1 + diff --git a/queue-4.9/selftests-x86-syscall_nt-clear-weird-flags-after-eac.patch b/queue-4.9/selftests-x86-syscall_nt-clear-weird-flags-after-eac.patch new file mode 100644 index 00000000000..06386f36f3e --- /dev/null +++ b/queue-4.9/selftests-x86-syscall_nt-clear-weird-flags-after-eac.patch @@ -0,0 +1,35 @@ +From 9b529c7e0e87e8a8e17cfbf5de5bcdce19009b63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 10:21:15 -0700 +Subject: selftests/x86/syscall_nt: Clear weird flags after each test + +From: Andy Lutomirski + +[ Upstream commit a61fa2799ef9bf6c4f54cf7295036577cececc72 ] + +Clear the weird flags before logging to improve strace output -- +logging results while, say, TF is set does no one any favors. + +Signed-off-by: Andy Lutomirski +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/907bfa5a42d4475b8245e18b67a04b13ca51ffdb.1593191971.git.luto@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/x86/syscall_nt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/x86/syscall_nt.c b/tools/testing/selftests/x86/syscall_nt.c +index 43fcab367fb0a..74e6b3fc2d09e 100644 +--- a/tools/testing/selftests/x86/syscall_nt.c ++++ b/tools/testing/selftests/x86/syscall_nt.c +@@ -67,6 +67,7 @@ static void do_it(unsigned long extraflags) + set_eflags(get_eflags() | extraflags); + syscall(SYS_getpid); + flags = get_eflags(); ++ set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED); + if ((flags & extraflags) == extraflags) { + printf("[OK]\tThe syscall worked and flags are still set\n"); + } else { +-- +2.25.1 + diff --git a/queue-4.9/selinux-sel_avc_get_stat_idx-should-increase-positio.patch b/queue-4.9/selinux-sel_avc_get_stat_idx-should-increase-positio.patch new file mode 100644 index 00000000000..08d013ba7d4 --- /dev/null +++ b/queue-4.9/selinux-sel_avc_get_stat_idx-should-increase-positio.patch @@ -0,0 +1,64 @@ +From 40516741db65d92cd454eda0af0def6ac68aa6ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 10:47:47 +0300 +Subject: selinux: sel_avc_get_stat_idx should increase position index + +From: Vasily Averin + +[ Upstream commit 8d269a8e2a8f0bca89022f4ec98de460acb90365 ] + +If seq_file .next function does not change position index, +read after some lseek can generate unexpected output. + +$ dd if=/sys/fs/selinux/avc/cache_stats # usual output +lookups hits misses allocations reclaims frees +817223 810034 7189 7189 6992 7037 +1934894 1926896 7998 7998 7632 7683 +1322812 1317176 5636 5636 5456 5507 +1560571 1551548 9023 9023 9056 9115 +0+1 records in +0+1 records out +189 bytes copied, 5,1564e-05 s, 3,7 MB/s + +$# read after lseek to midle of last line +$ dd if=/sys/fs/selinux/avc/cache_stats bs=180 skip=1 +dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset +056 9115 <<<< end of last line +1560571 1551548 9023 9023 9056 9115 <<< whole last line once again +0+1 records in +0+1 records out +45 bytes copied, 8,7221e-05 s, 516 kB/s + +$# read after lseek beyond end of of file +$ dd if=/sys/fs/selinux/avc/cache_stats bs=1000 skip=1 +dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset +1560571 1551548 9023 9023 9056 9115 <<<< generates whole last line +0+1 records in +0+1 records out +36 bytes copied, 9,0934e-05 s, 396 kB/s + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 + +Signed-off-by: Vasily Averin +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/selinuxfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index 72c145dd799f1..ef1226c1c3add 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -1416,6 +1416,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) + *idx = cpu + 1; + return &per_cpu(avc_cache_stats, cpu); + } ++ (*idx)++; + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.9/seqlock-require-write_once-surrounding-raw_seqcount_.patch b/queue-4.9/seqlock-require-write_once-surrounding-raw_seqcount_.patch new file mode 100644 index 00000000000..3c51e946bbf --- /dev/null +++ b/queue-4.9/seqlock-require-write_once-surrounding-raw_seqcount_.patch @@ -0,0 +1,67 @@ +From b35daaa51055cc989a810af4a9d7624ab9119f49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 19:03:00 +0100 +Subject: seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier + +From: Marco Elver + +[ Upstream commit bf07132f96d426bcbf2098227fb680915cf44498 ] + +This patch proposes to require marked atomic accesses surrounding +raw_write_seqcount_barrier. We reason that otherwise there is no way to +guarantee propagation nor atomicity of writes before/after the barrier +[1]. For example, consider the compiler tears stores either before or +after the barrier; in this case, readers may observe a partial value, +and because readers are unaware that writes are going on (writes are not +in a seq-writer critical section), will complete the seq-reader critical +section while having observed some partial state. +[1] https://lwn.net/Articles/793253/ + +This came up when designing and implementing KCSAN, because KCSAN would +flag these accesses as data-races. After careful analysis, our reasoning +as above led us to conclude that the best thing to do is to propose an +amendment to the raw_seqcount_barrier usage. + +Signed-off-by: Marco Elver +Acked-by: Paul E. McKenney +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/seqlock.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index ead97654c4e9a..1613fe5c668e1 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -242,6 +242,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * usual consistency guarantee. It is one wmb cheaper, because we can + * collapse the two back-to-back wmb()s. + * ++ * Note that, writes surrounding the barrier should be declared atomic (e.g. ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads ++ * atomically, avoiding compiler optimizations; b) to document which writes are ++ * meant to propagate to the reader critical section. This is necessary because ++ * neither writes before and after the barrier are enclosed in a seq-writer ++ * critical section that would ensure readers are aware of ongoing writes. ++ * + * seqcount_t seq; + * bool X = true, Y = false; + * +@@ -261,11 +268,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * + * void write(void) + * { +- * Y = true; ++ * WRITE_ONCE(Y, true); + * + * raw_write_seqcount_barrier(seq); + * +- * X = false; ++ * WRITE_ONCE(X, false); + * } + */ + static inline void raw_write_seqcount_barrier(seqcount_t *s) +-- +2.25.1 + diff --git a/queue-4.9/serial-8250-8250_omap-terminate-dma-before-pushing-d.patch b/queue-4.9/serial-8250-8250_omap-terminate-dma-before-pushing-d.patch new file mode 100644 index 00000000000..e47243c8cdf --- /dev/null +++ b/queue-4.9/serial-8250-8250_omap-terminate-dma-before-pushing-d.patch @@ -0,0 +1,53 @@ +From 4b64f12a140d5342865d1aebbde5d36b5fd48d16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 16:33:39 +0530 +Subject: serial: 8250: 8250_omap: Terminate DMA before pushing data on RX + timeout + +From: Vignesh Raghavendra + +[ Upstream commit 7cf4df30a98175033e9849f7f16c46e96ba47f41 ] + +Terminate and flush DMA internal buffers, before pushing RX data to +higher layer. Otherwise, this will lead to data corruption, as driver +would end up pushing stale buffer data to higher layer while actual data +is still stuck inside DMA hardware and has yet not arrived at the +memory. +While at that, replace deprecated dmaengine_terminate_all() with +dmaengine_terminate_async(). + +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20200319110344.21348-2-vigneshr@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_omap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 7d4680ef5307d..d41be02abced2 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -773,7 +773,10 @@ static void __dma_rx_do_complete(struct uart_8250_port *p) + dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state); + + count = dma->rx_size - state.residue; +- ++ if (count < dma->rx_size) ++ dmaengine_terminate_async(dma->rxchan); ++ if (!count) ++ goto unlock; + ret = tty_insert_flip_string(tty_port, dma->rx_buf, count); + + p->port.icount.rx += ret; +@@ -811,7 +814,6 @@ static void omap_8250_rx_dma_flush(struct uart_8250_port *p) + spin_unlock_irqrestore(&priv->rx_dma_lock, flags); + + __dma_rx_do_complete(p); +- dmaengine_terminate_all(dma->rxchan); + } + + static int omap_8250_rx_dma(struct uart_8250_port *p) +-- +2.25.1 + diff --git a/queue-4.9/serial-8250_omap-fix-sleeping-function-called-from-i.patch b/queue-4.9/serial-8250_omap-fix-sleeping-function-called-from-i.patch new file mode 100644 index 00000000000..a703aeccd91 --- /dev/null +++ b/queue-4.9/serial-8250_omap-fix-sleeping-function-called-from-i.patch @@ -0,0 +1,88 @@ +From d4efe1d5c9aaa94d26376bb49445e5f32e01d344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2020 14:52:00 +0200 +Subject: serial: 8250_omap: Fix sleeping function called from invalid context + during probe + +From: Peter Ujfalusi + +[ Upstream commit 4ce35a3617c0ac758c61122b2218b6c8c9ac9398 ] + +When booting j721e the following bug is printed: + +[ 1.154821] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99 +[ 1.154827] in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 12, name: kworker/0:1 +[ 1.154832] 3 locks held by kworker/0:1/12: +[ 1.154836] #0: ffff000840030728 ((wq_completion)events){+.+.}, at: process_one_work+0x1d4/0x6e8 +[ 1.154852] #1: ffff80001214fdd8 (deferred_probe_work){+.+.}, at: process_one_work+0x1d4/0x6e8 +[ 1.154860] #2: ffff00084060b170 (&dev->mutex){....}, at: __device_attach+0x38/0x138 +[ 1.154872] irq event stamp: 63096 +[ 1.154881] hardirqs last enabled at (63095): [] _raw_spin_unlock_irqrestore+0x70/0x78 +[ 1.154887] hardirqs last disabled at (63096): [] _raw_spin_lock_irqsave+0x28/0x80 +[ 1.154893] softirqs last enabled at (62254): [] _stext+0x488/0x564 +[ 1.154899] softirqs last disabled at (62247): [] irq_exit+0x114/0x140 +[ 1.154906] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc6-next-20200318-00094-g45e4089b0bd3 #221 +[ 1.154911] Hardware name: Texas Instruments K3 J721E SoC (DT) +[ 1.154917] Workqueue: events deferred_probe_work_func +[ 1.154923] Call trace: +[ 1.154928] dump_backtrace+0x0/0x190 +[ 1.154933] show_stack+0x14/0x20 +[ 1.154940] dump_stack+0xe0/0x148 +[ 1.154946] ___might_sleep+0x150/0x1f0 +[ 1.154952] __might_sleep+0x4c/0x80 +[ 1.154957] wait_for_completion_timeout+0x40/0x140 +[ 1.154964] ti_sci_set_device_state+0xa0/0x158 +[ 1.154969] ti_sci_cmd_get_device_exclusive+0x14/0x20 +[ 1.154977] ti_sci_dev_start+0x34/0x50 +[ 1.154984] genpd_runtime_resume+0x78/0x1f8 +[ 1.154991] __rpm_callback+0x3c/0x140 +[ 1.154996] rpm_callback+0x20/0x80 +[ 1.155001] rpm_resume+0x568/0x758 +[ 1.155007] __pm_runtime_resume+0x44/0xb0 +[ 1.155013] omap8250_probe+0x2b4/0x508 +[ 1.155019] platform_drv_probe+0x50/0xa0 +[ 1.155023] really_probe+0xd4/0x318 +[ 1.155028] driver_probe_device+0x54/0xe8 +[ 1.155033] __device_attach_driver+0x80/0xb8 +[ 1.155039] bus_for_each_drv+0x74/0xc0 +[ 1.155044] __device_attach+0xdc/0x138 +[ 1.155049] device_initial_probe+0x10/0x18 +[ 1.155053] bus_probe_device+0x98/0xa0 +[ 1.155058] deferred_probe_work_func+0x74/0xb0 +[ 1.155063] process_one_work+0x280/0x6e8 +[ 1.155068] worker_thread+0x48/0x430 +[ 1.155073] kthread+0x108/0x138 +[ 1.155079] ret_from_fork+0x10/0x18 + +To fix the bug we need to first call pm_runtime_enable() prior to any +pm_runtime calls. + +Reported-by: Tomi Valkeinen +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200320125200.6772-1-peter.ujfalusi@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index a3adf21f9dcec..7d4680ef5307d 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1194,11 +1194,11 @@ static int omap8250_probe(struct platform_device *pdev) + spin_lock_init(&priv->rx_dma_lock); + + device_init_wakeup(&pdev->dev, true); ++ pm_runtime_enable(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, -1); + + pm_runtime_irq_safe(&pdev->dev); +- pm_runtime_enable(&pdev->dev); + + pm_runtime_get_sync(&pdev->dev); + +-- +2.25.1 + diff --git a/queue-4.9/serial-8250_port-don-t-service-rx-fifo-if-throttled.patch b/queue-4.9/serial-8250_port-don-t-service-rx-fifo-if-throttled.patch new file mode 100644 index 00000000000..678dfaeedf4 --- /dev/null +++ b/queue-4.9/serial-8250_port-don-t-service-rx-fifo-if-throttled.patch @@ -0,0 +1,69 @@ +From ad51c3e68d4e3b708ca429e5c8aef262b64fe282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 16:02:29 +0530 +Subject: serial: 8250_port: Don't service RX FIFO if throttled + +From: Vignesh Raghavendra + +[ Upstream commit f19c3f6c8109b8bab000afd35580929958e087a9 ] + +When port's throttle callback is called, it should stop pushing any more +data into TTY buffer to avoid buffer overflow. This means driver has to +stop HW from receiving more data and assert the HW flow control. For +UARTs with auto HW flow control (such as 8250_omap) manual assertion of +flow control line is not possible and only way is to allow RX FIFO to +fill up, thus trigger auto HW flow control logic. + +Therefore make sure that 8250 generic IRQ handler does not drain data +when port is stopped (i.e UART_LSR_DR is unset in read_status_mask). Not +servicing, RX FIFO would trigger auto HW flow control when FIFO +occupancy reaches preset threshold, thus halting RX. +Since, error conditions in UART_LSR register are cleared just by reading +the register, data has to be drained in case there are FIFO errors, else +error information will lost. + +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20200319103230.16867-2-vigneshr@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 5641b877dca53..827a641ac336e 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1806,6 +1806,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + unsigned char status; + unsigned long flags; + struct uart_8250_port *up = up_to_u8250p(port); ++ bool skip_rx = false; + + if (iir & UART_IIR_NO_INT) + return 0; +@@ -1814,7 +1815,20 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI)) { ++ /* ++ * If port is stopped and there are no error conditions in the ++ * FIFO, then don't drain the FIFO, as this may lead to TTY buffer ++ * overflow. Not servicing, RX FIFO would trigger auto HW flow ++ * control when FIFO occupancy reaches preset threshold, thus ++ * halting RX. This only works when auto HW flow control is ++ * available. ++ */ ++ if (!(status & (UART_LSR_FIFOE | UART_LSR_BRK_ERROR_BITS)) && ++ (port->status & (UPSTAT_AUTOCTS | UPSTAT_AUTORTS)) && ++ !(port->read_status_mask & UART_LSR_DR)) ++ skip_rx = true; ++ ++ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } +-- +2.25.1 + diff --git a/queue-4.9/serial-uartps-wait-for-tx_empty-in-console-setup.patch b/queue-4.9/serial-uartps-wait-for-tx_empty-in-console-setup.patch new file mode 100644 index 00000000000..db78f25339f --- /dev/null +++ b/queue-4.9/serial-uartps-wait-for-tx_empty-in-console-setup.patch @@ -0,0 +1,54 @@ +From 54340d4d8bd85b2c432243ab4d6e23d954303493 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 11:56:02 +0530 +Subject: serial: uartps: Wait for tx_empty in console setup + +From: Raviteja Narayanam + +[ Upstream commit 42e11948ddf68b9f799cad8c0ddeab0a39da33e8 ] + +On some platforms, the log is corrupted while console is being +registered. It is observed that when set_termios is called, there +are still some bytes in the FIFO to be transmitted. + +So, wait for tx_empty inside cdns_uart_console_setup before calling +set_termios. + +Signed-off-by: Raviteja Narayanam +Reviewed-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/1586413563-29125-2-git-send-email-raviteja.narayanam@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index eb61a07fcbbc3..07ea71a611678 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1268,6 +1268,7 @@ static int cdns_uart_console_setup(struct console *co, char *options) + int bits = 8; + int parity = 'n'; + int flow = 'n'; ++ unsigned long time_out; + + if (co->index < 0 || co->index >= CDNS_UART_NR_PORTS) + return -EINVAL; +@@ -1281,6 +1282,13 @@ static int cdns_uart_console_setup(struct console *co, char *options) + if (options) + uart_parse_options(options, &baud, &parity, &bits, &flow); + ++ /* Wait for tx_empty before setting up the console */ ++ time_out = jiffies + usecs_to_jiffies(TX_TIMEOUT); ++ ++ while (time_before(jiffies, time_out) && ++ cdns_uart_tx_empty(port) != TIOCSER_TEMT) ++ cpu_relax(); ++ + return uart_set_options(port, co, baud, parity, bits, flow); + } + +-- +2.25.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 5ce7d4fe6a8..4bc4522368a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -11,3 +11,95 @@ net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch net-hsr-check-skb_put_padto-return-value.patch net-add-__must_check-to-skb_put_padto.patch serial-8250-avoid-error-message-on-reprobe.patch +scsi-aacraid-fix-illegal-io-beyond-last-lba.patch +m68k-q40-fix-info-leak-in-rtc_ioctl.patch +gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch +asoc-kirkwood-fix-irq-error-handling.patch +ata-sata_mv-avoid-trigerrable-bug_on.patch +pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch +clk-ti-adpll-allocate-room-for-terminating-null.patch +mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch +mfd-mfd-core-protect-against-null-call-back-function.patch +tracing-adding-null-checks-for-trace_array-descripto.patch +bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch +rdma-i40iw-fix-potential-use-after-free.patch +xfs-fix-attr-leaf-header-freemap.size-underflow.patch +rdma-iw_cgxb4-fix-an-error-handling-path-in-c4iw_con.patch +debugfs-fix-debug_fs-debugfs_create_automount.patch +cifs-properly-process-smb3-lease-breaks.patch +kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch +neigh_stat_seq_next-should-increase-position-index.patch +rt_cpu_seq_next-should-increase-position-index.patch +seqlock-require-write_once-surrounding-raw_seqcount_.patch +media-ti-vpe-cal-restrict-dma-to-avoid-memory-corrup.patch +acpi-ec-reference-count-query-handlers-under-lock.patch +dmaengine-zynqmp_dma-fix-burst-length-configuration.patch +tracing-set-kernel_stack-s-caller-size-properly.patch +ext4-make-dioread_nolock-the-default.patch +ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch +bluetooth-fix-refcount-use-after-free-issue.patch +mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch +bluetooth-prefetch-channel-before-killing-sock.patch +kvm-fix-overflow-of-zero-page-refcount-with-ksm-runn.patch +alsa-hda-clear-rirb-status-before-reading-wp.patch +skbuff-fix-a-data-race-in-skb_queue_len.patch +audit-config_change-don-t-log-internal-bookkeeping-a.patch +selinux-sel_avc_get_stat_idx-should-increase-positio.patch +scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch +scsi-lpfc-fix-coverity-errors-in-fmdi-attribute-hand.patch +drm-omap-fix-possible-object-reference-leak.patch +rdma-rxe-fix-configuration-of-atomic-queue-pair-attr.patch +kvm-x86-fix-incorrect-comparison-in-trace-event.patch +x86-pkeys-add-check-for-pkey-overflow.patch +bpf-remove-recursion-prevention-from-rcu-free-callba.patch +dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch +media-go7007-fix-urb-type-for-interrupt-handling.patch +bluetooth-guard-against-controllers-sending-zero-d-e.patch +timekeeping-prevent-32bit-truncation-in-scale64_chec.patch +drm-amdgpu-increase-atombios-cmd-timeout.patch +bluetooth-l2cap-handle-l2cap-config-request-during-o.patch +media-tda10071-fix-unsigned-sign-extension-overflow.patch +xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch +tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch +tracing-use-address-of-operator-on-section-symbols.patch +serial-8250_port-don-t-service-rx-fifo-if-throttled.patch +serial-8250_omap-fix-sleeping-function-called-from-i.patch +serial-8250-8250_omap-terminate-dma-before-pushing-d.patch +cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch +tools-gpio-hammer-avoid-potential-overflow-in-main.patch +sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch +svcrdma-fix-leak-of-transport-addresses.patch +ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch +alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch +mm-filemap.c-clear-page-error-before-actual-read.patch +mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch +serial-uartps-wait-for-tx_empty-in-console-setup.patch +kvm-remove-create_irqchip-set_pit2-race.patch +bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch +drivers-char-tlclk.c-avoid-data-race-between-init-an.patch +dt-bindings-sound-wm8994-correct-required-supplies-b.patch +atm-fix-a-memory-leak-of-vcc-user_back.patch +phy-samsung-s5pv210-usb2-add-delay-after-reset.patch +bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch +usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch +tty-serial-samsung-correct-clock-selection-logic.patch +alsa-hda-fix-potential-race-in-unsol-event-handler.patch +fuse-don-t-check-refcount-after-stealing-page.patch +usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch +e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch +printk-handle-blank-console-arguments-passed-in.patch +btrfs-don-t-force-read-only-after-error-in-drop-snap.patch +vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch +perf-util-fix-memory-leak-of-prefix_if_not_in.patch +perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch +mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch +ceph-fix-potential-race-in-ceph_check_caps.patch +mtd-parser-cmdline-support-mtd-names-containing-one-.patch +x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch +vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch +cifs-fix-double-add-page-to-memcg-when-cifs_readpage.patch +selftests-x86-syscall_nt-clear-weird-flags-after-eac.patch +vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch +s390-init-add-missing-__init-annotations.patch +i2c-core-call-i2c_acpi_install_space_handler-before-.patch +objtool-fix-noreturn-detection-for-ignored-functions.patch diff --git a/queue-4.9/skbuff-fix-a-data-race-in-skb_queue_len.patch b/queue-4.9/skbuff-fix-a-data-race-in-skb_queue_len.patch new file mode 100644 index 00000000000..63cf1496f27 --- /dev/null +++ b/queue-4.9/skbuff-fix-a-data-race-in-skb_queue_len.patch @@ -0,0 +1,116 @@ +From 32397f71040420aa0f8f4844e2cd1e54b6044431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 13:40:29 -0500 +Subject: skbuff: fix a data race in skb_queue_len() + +From: Qian Cai + +[ Upstream commit 86b18aaa2b5b5bb48e609cd591b3d2d0fdbe0442 ] + +sk_buff.qlen can be accessed concurrently as noticed by KCSAN, + + BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg + + read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96: + unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821 + net/unix/af_unix.c:1761 + ____sys_sendmsg+0x33e/0x370 + ___sys_sendmsg+0xa6/0xf0 + __sys_sendmsg+0x69/0xf0 + __x64_sys_sendmsg+0x51/0x70 + do_syscall_64+0x91/0xb47 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99: + __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029 + __skb_try_recv_datagram+0xbe/0x220 + unix_dgram_recvmsg+0xee/0x850 + ____sys_recvmsg+0x1fb/0x210 + ___sys_recvmsg+0xa2/0xf0 + __sys_recvmsg+0x66/0xf0 + __x64_sys_recvmsg+0x51/0x70 + do_syscall_64+0x91/0xb47 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Since only the read is operating as lockless, it could introduce a logic +bug in unix_recvq_full() due to the load tearing. Fix it by adding +a lockless variant of skb_queue_len() and unix_recvq_full() where +READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to +the commit d7d16a89350a ("net: add skb_queue_empty_lockless()"). + +Signed-off-by: Qian Cai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 14 +++++++++++++- + net/unix/af_unix.c | 11 +++++++++-- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index fe4b7e4883431..67b798b7115d8 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1549,6 +1549,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_) + return list_->qlen; + } + ++/** ++ * skb_queue_len_lockless - get queue length ++ * @list_: list to measure ++ * ++ * Return the length of an &sk_buff queue. ++ * This variant can be used in lockless contexts. ++ */ ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_) ++{ ++ return READ_ONCE(list_->qlen); ++} ++ + /** + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head + * @list: queue to initialize +@@ -1752,7 +1764,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list) + { + struct sk_buff *next, *prev; + +- list->qlen--; ++ WRITE_ONCE(list->qlen, list->qlen - 1); + next = skb->next; + prev = skb->prev; + skb->next = skb->prev = NULL; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 32ae82a5596d9..bcd6ed6e7e25c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -191,11 +191,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) + return unix_peer(osk) == NULL || unix_our_peer(sk, osk); + } + +-static inline int unix_recvq_full(struct sock const *sk) ++static inline int unix_recvq_full(const struct sock *sk) + { + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; + } + ++static inline int unix_recvq_full_lockless(const struct sock *sk) ++{ ++ return skb_queue_len_lockless(&sk->sk_receive_queue) > ++ READ_ONCE(sk->sk_max_ack_backlog); ++} ++ + struct sock *unix_peer_get(struct sock *s) + { + struct sock *peer; +@@ -1793,7 +1799,8 @@ restart_locked: + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ unlikely(unix_peer(other) != sk && ++ unix_recvq_full_lockless(other))) { + if (timeo) { + timeo = unix_wait_for_peer(other, timeo); + +-- +2.25.1 + diff --git a/queue-4.9/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch b/queue-4.9/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch new file mode 100644 index 00000000000..f411ed570a7 --- /dev/null +++ b/queue-4.9/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch @@ -0,0 +1,75 @@ +From 9e5bea54c4afba85c718bcc1341dbe8cc30294ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2020 17:15:39 +0100 +Subject: SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' + +From: Christophe JAILLET + +[ Upstream commit b25b60d7bfb02a74bc3c2d998e09aab159df8059 ] + +'maxlen' is the total size of the destination buffer. There is only one +caller and this value is 256. + +When we compute the size already used and what we would like to add in +the buffer, the trailling NULL character is not taken into account. +However, this trailling character will be added by the 'strcat' once we +have checked that we have enough place. + +So, there is a off-by-one issue and 1 byte of the stack could be +erroneously overwridden. + +Take into account the trailling NULL, when checking if there is enough +place in the destination buffer. + +While at it, also replace a 'sprintf' by a safer 'snprintf', check for +output truncation and avoid a superfluous 'strlen'. + +Fixes: dc9a16e49dbba ("svc: Add /proc/sys/sunrpc/transport files") +Signed-off-by: Christophe JAILLET +[ cel: very minor fix to documenting comment +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc_xprt.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 42ce3ed216376..56e4ac8e2e994 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -103,8 +103,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl) + } + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class); + +-/* +- * Format the transport list for printing ++/** ++ * svc_print_xprts - Format the transport list for printing ++ * @buf: target buffer for formatted address ++ * @maxlen: length of target buffer ++ * ++ * Fills in @buf with a string containing a list of transport names, each name ++ * terminated with '\n'. If the buffer is too small, some entries may be ++ * missing, but it is guaranteed that all lines in the output buffer are ++ * complete. ++ * ++ * Returns positive length of the filled-in string. + */ + int svc_print_xprts(char *buf, int maxlen) + { +@@ -117,9 +126,9 @@ int svc_print_xprts(char *buf, int maxlen) + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { + int slen; + +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload); +- slen = strlen(tmpstr); +- if (len + slen > maxlen) ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n", ++ xcl->xcl_name, xcl->xcl_max_payload); ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen) + break; + len += slen; + strcat(buf, tmpstr); +-- +2.25.1 + diff --git a/queue-4.9/svcrdma-fix-leak-of-transport-addresses.patch b/queue-4.9/svcrdma-fix-leak-of-transport-addresses.patch new file mode 100644 index 00000000000..2a4ad55b8ea --- /dev/null +++ b/queue-4.9/svcrdma-fix-leak-of-transport-addresses.patch @@ -0,0 +1,56 @@ +From 54ccdc2bec9b99c086dad24f1864305d57006e25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2020 16:53:59 -0400 +Subject: svcrdma: Fix leak of transport addresses + +From: Chuck Lever + +[ Upstream commit 1a33d8a284b1e85e03b8c7b1ea8fb985fccd1d71 ] + +Kernel memory leak detected: + +unreferenced object 0xffff888849cdf480 (size 8): + comm "kworker/u8:3", pid 2086, jiffies 4297898756 (age 4269.856s) + hex dump (first 8 bytes): + 30 00 cd 49 88 88 ff ff 0..I.... + backtrace: + [<00000000acfc370b>] __kmalloc_track_caller+0x137/0x183 + [<00000000a2724354>] kstrdup+0x2b/0x43 + [<0000000082964f84>] xprt_rdma_format_addresses+0x114/0x17d [rpcrdma] + [<00000000dfa6ed00>] xprt_setup_rdma_bc+0xc0/0x10c [rpcrdma] + [<0000000073051a83>] xprt_create_transport+0x3f/0x1a0 [sunrpc] + [<0000000053531a8e>] rpc_create+0x118/0x1cd [sunrpc] + [<000000003a51b5f8>] setup_callback_client+0x1a5/0x27d [nfsd] + [<000000001bd410af>] nfsd4_process_cb_update.isra.7+0x16c/0x1ac [nfsd] + [<000000007f4bbd56>] nfsd4_run_cb_work+0x4c/0xbd [nfsd] + [<0000000055c5586b>] process_one_work+0x1b2/0x2fe + [<00000000b1e3e8ef>] worker_thread+0x1a6/0x25a + [<000000005205fb78>] kthread+0xf6/0xfb + [<000000006d2dc057>] ret_from_fork+0x3a/0x50 + +Introduce a call to xprt_rdma_free_addresses() similar to the way +that the TCP backchannel releases a transport's peer address +strings. + +Fixes: 5d252f90a800 ("svcrdma: Add class for RDMA backwards direction transport") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +index 6035c5a380a6b..b3d48c6243c80 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -277,6 +277,7 @@ xprt_rdma_bc_put(struct rpc_xprt *xprt) + { + dprintk("svcrdma: %s: xprt %p\n", __func__, xprt); + ++ xprt_rdma_free_addresses(xprt); + xprt_free(xprt); + module_put(THIS_MODULE); + } +-- +2.25.1 + diff --git a/queue-4.9/timekeeping-prevent-32bit-truncation-in-scale64_chec.patch b/queue-4.9/timekeeping-prevent-32bit-truncation-in-scale64_chec.patch new file mode 100644 index 00000000000..299bd596cd9 --- /dev/null +++ b/queue-4.9/timekeeping-prevent-32bit-truncation-in-scale64_chec.patch @@ -0,0 +1,43 @@ +From 13152aa832af0df4501f4246cc522a132c970348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2020 18:05:23 +0800 +Subject: timekeeping: Prevent 32bit truncation in scale64_check_overflow() + +From: Wen Yang + +[ Upstream commit 4cbbc3a0eeed675449b1a4d080008927121f3da3 ] + +While unlikely the divisor in scale64_check_overflow() could be >= 32bit in +scale64_check_overflow(). do_div() truncates the divisor to 32bit at least +on 32bit platforms. + +Use div64_u64() instead to avoid the truncation to 32-bit. + +[ tglx: Massaged changelog ] + +Signed-off-by: Wen Yang +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20200120100523.45656-1-wenyang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index e24e1f0c56906..e21b4d8b72405 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -950,9 +950,8 @@ static int scale64_check_overflow(u64 mult, u64 div, u64 *base) + ((int)sizeof(u64)*8 - fls64(mult) < fls64(rem))) + return -EOVERFLOW; + tmp *= mult; +- rem *= mult; + +- do_div(rem, div); ++ rem = div64_u64(rem * mult, div); + *base = tmp + rem; + return 0; + } +-- +2.25.1 + diff --git a/queue-4.9/tools-gpio-hammer-avoid-potential-overflow-in-main.patch b/queue-4.9/tools-gpio-hammer-avoid-potential-overflow-in-main.patch new file mode 100644 index 00000000000..e7ed100e23b --- /dev/null +++ b/queue-4.9/tools-gpio-hammer-avoid-potential-overflow-in-main.patch @@ -0,0 +1,59 @@ +From 6b45df73af5ed81c1ed2141a1cb2f0d4c4696220 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 15:50:21 +0100 +Subject: tools: gpio-hammer: Avoid potential overflow in main + +From: Gabriel Ravier + +[ Upstream commit d1ee7e1f5c9191afb69ce46cc7752e4257340a31 ] + +If '-o' was used more than 64 times in a single invocation of gpio-hammer, +this could lead to an overflow of the 'lines' array. This commit fixes +this by avoiding the overflow and giving a proper diagnostic back to the +user + +Signed-off-by: Gabriel Ravier +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + tools/gpio/gpio-hammer.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/gpio/gpio-hammer.c b/tools/gpio/gpio-hammer.c +index 37b3f141053df..85f45800f881f 100644 +--- a/tools/gpio/gpio-hammer.c ++++ b/tools/gpio/gpio-hammer.c +@@ -171,7 +171,14 @@ int main(int argc, char **argv) + device_name = optarg; + break; + case 'o': +- lines[i] = strtoul(optarg, NULL, 10); ++ /* ++ * Avoid overflow. Do not immediately error, we want to ++ * be able to accurately report on the amount of times ++ * '-o' was given to give an accurate error message ++ */ ++ if (i < GPIOHANDLES_MAX) ++ lines[i] = strtoul(optarg, NULL, 10); ++ + i++; + break; + case '?': +@@ -179,6 +186,14 @@ int main(int argc, char **argv) + return -1; + } + } ++ ++ if (i >= GPIOHANDLES_MAX) { ++ fprintf(stderr, ++ "Only %d occurences of '-o' are allowed, %d were found\n", ++ GPIOHANDLES_MAX, i + 1); ++ return -1; ++ } ++ + nlines = i; + + if (!device_name || !nlines) { +-- +2.25.1 + diff --git a/queue-4.9/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch b/queue-4.9/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch new file mode 100644 index 00000000000..50be89f77a2 --- /dev/null +++ b/queue-4.9/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch @@ -0,0 +1,79 @@ +From 7cf1100787c370eb8a1a50f8b168c4d3bd760fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 11:53:31 -0400 +Subject: tpm: ibmvtpm: Wait for buffer to be set before proceeding + +From: Stefan Berger + +[ Upstream commit d8d74ea3c00214aee1e1826ca18e77944812b9b4 ] + +Synchronize with the results from the CRQs before continuing with +the initialization. This avoids trying to send TPM commands while +the rtce buffer has not been allocated, yet. + +This patch fixes an existing race condition that may occurr if the +hypervisor does not quickly respond to the VTPM_GET_RTCE_BUFFER_SIZE +request sent during initialization and therefore the ibmvtpm->rtce_buf +has not been allocated at the time the first TPM command is sent. + +Fixes: 132f76294744 ("drivers/char/tpm: Add new device driver to support IBM vTPM") +Signed-off-by: Stefan Berger +Acked-by: Nayna Jain +Tested-by: Nayna Jain +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_ibmvtpm.c | 9 +++++++++ + drivers/char/tpm/tpm_ibmvtpm.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index 84eca4f93b828..0fad6cf37bab4 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -550,6 +550,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance) + */ + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) { + ibmvtpm_crq_process(crq, ibmvtpm); ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq); + crq->valid = 0; + smp_wmb(); + } +@@ -596,6 +597,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + } + + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr); ++ init_waitqueue_head(&crq_q->wq); + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr, + CRQ_RES_BUF_SIZE, + DMA_BIDIRECTIONAL); +@@ -648,6 +650,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + if (rc) + goto init_irq_cleanup; + ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq, ++ ibmvtpm->rtce_buf != NULL, ++ HZ)) { ++ dev_err(dev, "CRQ response timed out\n"); ++ goto init_irq_cleanup; ++ } ++ + return tpm_chip_register(chip); + init_irq_cleanup: + do { +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index 91dfe766d0800..4f6a124601db4 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue { + struct ibmvtpm_crq *crq_addr; + u32 index; + u32 num_entry; ++ wait_queue_head_t wq; + }; + + struct ibmvtpm_dev { +-- +2.25.1 + diff --git a/queue-4.9/tracing-adding-null-checks-for-trace_array-descripto.patch b/queue-4.9/tracing-adding-null-checks-for-trace_array-descripto.patch new file mode 100644 index 00000000000..6f4cadad659 --- /dev/null +++ b/queue-4.9/tracing-adding-null-checks-for-trace_array-descripto.patch @@ -0,0 +1,53 @@ +From 8e310b89ee593b349efb51b85592939aaa34ddf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 10:55:25 -0700 +Subject: tracing: Adding NULL checks for trace_array descriptor pointer + +From: Divya Indi + +[ Upstream commit 953ae45a0c25e09428d4a03d7654f97ab8a36647 ] + +As part of commit f45d1225adb0 ("tracing: Kernel access to Ftrace +instances") we exported certain functions. Here, we are adding some additional +NULL checks to ensure safe usage by users of these APIs. + +Link: http://lkml.kernel.org/r/1565805327-579-4-git-send-email-divya.indi@oracle.com + +Signed-off-by: Divya Indi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 3 +++ + kernel/trace/trace_events.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index b2fb25aefb2fc..67cee2774a6b8 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2600,6 +2600,9 @@ int trace_array_printk(struct trace_array *tr, + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK)) + return 0; + ++ if (!tr) ++ return -ENOENT; ++ + va_start(ap, fmt); + ret = trace_array_vprintk(tr, ip, fmt, ap); + va_end(ap); +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index af969f753e5e9..5bf072e437c41 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -790,6 +790,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + char *event = NULL, *sub = NULL, *match; + int ret; + ++ if (!tr) ++ return -ENOENT; + /* + * The buf format can be : + * *: means any event by that name. +-- +2.25.1 + diff --git a/queue-4.9/tracing-set-kernel_stack-s-caller-size-properly.patch b/queue-4.9/tracing-set-kernel_stack-s-caller-size-properly.patch new file mode 100644 index 00000000000..bb6107c8313 --- /dev/null +++ b/queue-4.9/tracing-set-kernel_stack-s-caller-size-properly.patch @@ -0,0 +1,43 @@ +From 35ba3fd9842738283c6d6f847aa70f65c609b0bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Sep 2014 16:14:12 -0400 +Subject: tracing: Set kernel_stack's caller size properly + +From: Josef Bacik + +[ Upstream commit cbc3b92ce037f5e7536f6db157d185cd8b8f615c ] + +I noticed when trying to use the trace-cmd python interface that reading the raw +buffer wasn't working for kernel_stack events. This is because it uses a +stubbed version of __dynamic_array that doesn't do the __data_loc trick and +encode the length of the array into the field. Instead it just shows up as a +size of 0. So change this to __array and set the len to FTRACE_STACK_ENTRIES +since this is what we actually do in practice and matches how user_stack_trace +works. + +Link: http://lkml.kernel.org/r/1411589652-1318-1-git-send-email-jbacik@fb.com + +Signed-off-by: Josef Bacik +[ Pulled from the archeological digging of my INBOX ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_entries.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h +index d1cc37e78f997..1430f6bbb1a07 100644 +--- a/kernel/trace/trace_entries.h ++++ b/kernel/trace/trace_entries.h +@@ -178,7 +178,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry, + + F_STRUCT( + __field( int, size ) +- __dynamic_array(unsigned long, caller ) ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES ) + ), + + F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n" +-- +2.25.1 + diff --git a/queue-4.9/tracing-use-address-of-operator-on-section-symbols.patch b/queue-4.9/tracing-use-address-of-operator-on-section-symbols.patch new file mode 100644 index 00000000000..49649100b20 --- /dev/null +++ b/queue-4.9/tracing-use-address-of-operator-on-section-symbols.patch @@ -0,0 +1,49 @@ +From 403eb07c25c864514e0d96d03960ba0cd05b12e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 22:10:12 -0700 +Subject: tracing: Use address-of operator on section symbols + +From: Nathan Chancellor + +[ Upstream commit bf2cbe044da275021b2de5917240411a19e5c50d ] + +Clang warns: + +../kernel/trace/trace.c:9335:33: warning: array comparison always +evaluates to true [-Wtautological-compare] + if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) + ^ +1 warning generated. + +These are not true arrays, they are linker defined symbols, which are +just addresses. Using the address of operator silences the warning and +does not change the runtime result of the check (tested with some print +statements compiled in with clang + ld.lld and gcc + ld.bfd in QEMU). + +Link: http://lkml.kernel.org/r/20200220051011.26113-1-natechancellor@gmail.com + +Link: https://github.com/ClangBuiltLinux/linux/issues/893 +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 67cee2774a6b8..2388fb50d1885 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7696,7 +7696,7 @@ __init static int tracer_alloc_buffers(void) + goto out_free_buffer_mask; + + /* Only allocate trace_printk buffers if a trace_printk exists */ +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt) + /* Must be called before global_trace.buffer is allocated */ + trace_printk_init_buffers(); + +-- +2.25.1 + diff --git a/queue-4.9/tty-serial-samsung-correct-clock-selection-logic.patch b/queue-4.9/tty-serial-samsung-correct-clock-selection-logic.patch new file mode 100644 index 00000000000..c1524d57ac5 --- /dev/null +++ b/queue-4.9/tty-serial-samsung-correct-clock-selection-logic.patch @@ -0,0 +1,54 @@ +From c714f7b388fca46926884f5cb85a8102aedf868e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 18:34:33 -0700 +Subject: tty: serial: samsung: Correct clock selection logic + +From: Jonathan Bakker + +[ Upstream commit 7d31676a8d91dd18e08853efd1cb26961a38c6a6 ] + +Some variants of the samsung tty driver can pick which clock +to use for their baud rate generation. In the DT conversion, +a default clock was selected to be used if a specific one wasn't +assigned and then a comparison of which clock rate worked better +was done. Unfortunately, the comparison was implemented in such +a way that only the default clock was ever actually compared. +Fix this by iterating through all possible clocks, except when a +specific clock has already been picked via clk_sel (which is +only possible via board files). + +Signed-off-by: Jonathan Bakker +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/BN6PR04MB06604E63833EA41837EBF77BA3A30@BN6PR04MB0660.namprd04.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 4dfdb59061bea..8c89697c53573 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1157,14 +1157,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport, + struct s3c24xx_uart_info *info = ourport->info; + struct clk *clk; + unsigned long rate; +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0; ++ unsigned int cnt, baud, quot, best_quot = 0; + char clkname[MAX_CLK_NAME_LENGTH]; + int calc_deviation, deviation = (1 << 30) - 1; + +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel : +- ourport->info->def_clk_sel; + for (cnt = 0; cnt < info->num_clks; cnt++) { +- if (!(clk_sel & (1 << cnt))) ++ /* Keep selected clock if provided */ ++ if (ourport->cfg->clk_sel && ++ !(ourport->cfg->clk_sel & (1 << cnt))) + continue; + + sprintf(clkname, "clk_uart_baud%d", cnt); +-- +2.25.1 + diff --git a/queue-4.9/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch b/queue-4.9/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch new file mode 100644 index 00000000000..247a3d679e7 --- /dev/null +++ b/queue-4.9/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch @@ -0,0 +1,71 @@ +From cc880907f2c3a7838fc3ee08a186d761aa5bfca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 23:36:07 +0800 +Subject: ubifs: Fix out-of-bounds memory access caused by abnormal value of + node_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Liu Song + +[ Upstream commit acc5af3efa303d5f36cc8c0f61716161f6ca1384 ] + +In “ubifs_check_node”, when the value of "node_len" is abnormal, +the code will goto label of "out_len" for execution. Then, in the +following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE", +in "print_hex_dump", an out-of-bounds access may occur due to the +wrong "ch->len". + +Therefore, when the value of "node_len" is abnormal, data length +should to be adjusted to a reasonable safe range. At this time, +structured data is not credible, so dump the corrupted data directly +for analysis. + +Signed-off-by: Liu Song +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/io.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c +index 97be412153328..9213a9e046ae0 100644 +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + int offs, int quiet, int must_chk_crc) + { +- int err = -EINVAL, type, node_len; ++ int err = -EINVAL, type, node_len, dump_node = 1; + uint32_t crc, node_crc, magic; + const struct ubifs_ch *ch = buf; + +@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + out_len: + if (!quiet) + ubifs_err(c, "bad node length %d", node_len); ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) ++ dump_node = 0; + out: + if (!quiet) { + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); +- ubifs_dump_node(c, buf); ++ if (dump_node) { ++ ubifs_dump_node(c, buf); ++ } else { ++ int safe_len = min3(node_len, c->leb_size - offs, ++ (int)UBIFS_MAX_DATA_NODE_SZ); ++ pr_err("\tprevent out-of-bounds memory access\n"); ++ pr_err("\ttruncated data node length %d\n", safe_len); ++ pr_err("\tcorrupted data node:\n"); ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, ++ buf, safe_len, 0); ++ } + dump_stack(); + } + return err; +-- +2.25.1 + diff --git a/queue-4.9/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch b/queue-4.9/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch new file mode 100644 index 00000000000..fee7dc2a294 --- /dev/null +++ b/queue-4.9/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch @@ -0,0 +1,43 @@ +From 67300aecda1de1a105d83c25001930041966caf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 19:43:05 +0800 +Subject: USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() + +From: Tang Bin + +[ Upstream commit c856b4b0fdb5044bca4c0acf9a66f3b5cc01a37a ] + +If the function platform_get_irq() failed, the negative value +returned will not be detected here. So fix error handling in +mv_ehci_probe(). And when get irq failed, the function +platform_get_irq() logs an error message, so remove redundant +message here. + +Signed-off-by: Zhang Shengju +Signed-off-by: Tang Bin +Link: https://lore.kernel.org/r/20200508114305.15740-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mv.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 849806a75f1ce..273736e1d33fa 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -197,9 +197,8 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->regs = ehci_mv->op_regs; + + hcd->irq = platform_get_irq(pdev, 0); +- if (!hcd->irq) { +- dev_err(&pdev->dev, "Cannot get irq."); +- retval = -ENODEV; ++ if (hcd->irq < 0) { ++ retval = hcd->irq; + goto err_disable_clk; + } + +-- +2.25.1 + diff --git a/queue-4.9/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch b/queue-4.9/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch new file mode 100644 index 00000000000..a411d6793aa --- /dev/null +++ b/queue-4.9/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch @@ -0,0 +1,46 @@ +From 2b242b57de93c16f707f10b210bd76fc970b3dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 17:54:53 +0100 +Subject: USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int + +From: Colin Ian King + +[ Upstream commit a7f40c233a6b0540d28743267560df9cfb571ca9 ] + +The comparison of hcd->irq to less than zero for an error check will +never be true because hcd->irq is an unsigned int. Fix this by +assigning the int retval to the return of platform_get_irq and checking +this for the -ve error condition and assigning hcd->irq to retval. + +Addresses-Coverity: ("Unsigned compared against 0") +Fixes: c856b4b0fdb5 ("USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200515165453.104028-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mv.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 273736e1d33fa..b29610899c9f6 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -196,11 +196,10 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->rsrc_len = resource_size(r); + hcd->regs = ehci_mv->op_regs; + +- hcd->irq = platform_get_irq(pdev, 0); +- if (hcd->irq < 0) { +- retval = hcd->irq; ++ retval = platform_get_irq(pdev, 0); ++ if (retval < 0) + goto err_disable_clk; +- } ++ hcd->irq = retval; + + ehci = hcd_to_ehci(hcd); + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs; +-- +2.25.1 + diff --git a/queue-4.9/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch b/queue-4.9/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch new file mode 100644 index 00000000000..55fa2915c16 --- /dev/null +++ b/queue-4.9/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch @@ -0,0 +1,47 @@ +From 4b942ef55bf825c61062156c8e1e2d20091e12ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 15:26:36 -0600 +Subject: vfio/pci: Clear error and request eventfd ctx after releasing + +From: Alex Williamson + +[ Upstream commit 5c5866c593bbd444d0339ede6a8fb5f14ff66d72 ] + +The next use of the device will generate an underflow from the +stale reference. + +Cc: Qian Cai +Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx") +Reported-by: Daniel Wagner +Reviewed-by: Cornelia Huck +Tested-by: Daniel Wagner +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index c9c0af9a571f6..c08cff0ca08df 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -392,10 +392,14 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); +- if (vdev->err_trigger) ++ if (vdev->err_trigger) { + eventfd_ctx_put(vdev->err_trigger); +- if (vdev->req_trigger) ++ vdev->err_trigger = NULL; ++ } ++ if (vdev->req_trigger) { + eventfd_ctx_put(vdev->req_trigger); ++ vdev->req_trigger = NULL; ++ } + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.9/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch b/queue-4.9/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch new file mode 100644 index 00000000000..46f8defb5b4 --- /dev/null +++ b/queue-4.9/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch @@ -0,0 +1,67 @@ +From e936c5cae43ce20487ef82000481a55d958907fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 00:34:50 -0400 +Subject: vfio/pci: fix memory leaks of eventfd ctx + +From: Qian Cai + +[ Upstream commit 1518ac272e789cae8c555d69951b032a275b7602 ] + +Finished a qemu-kvm (-device vfio-pci,host=0001:01:00.0) triggers a few +memory leaks after a while because vfio_pci_set_ctx_trigger_single() +calls eventfd_ctx_fdget() without the matching eventfd_ctx_put() later. +Fix it by calling eventfd_ctx_put() for those memory in +vfio_pci_release() before vfio_device_release(). + +unreferenced object 0xebff008981cc2b00 (size 128): + comm "qemu-kvm", pid 4043, jiffies 4294994816 (age 9796.310s) + hex dump (first 32 bytes): + 01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c + [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4 + [<000000005fcec025>] do_eventfd+0x54/0x1ac + [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44 + [<00000000b819758c>] do_el0_svc+0x128/0x1dc + [<00000000b244e810>] el0_sync_handler+0xd0/0x268 + [<00000000d495ef94>] el0_sync+0x164/0x180 +unreferenced object 0x29ff008981cc4180 (size 128): + comm "qemu-kvm", pid 4043, jiffies 4294994818 (age 9796.290s) + hex dump (first 32 bytes): + 01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c + [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4 + [<000000005fcec025>] do_eventfd+0x54/0x1ac + [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44 + [<00000000b819758c>] do_el0_svc+0x128/0x1dc + [<00000000b244e810>] el0_sync_handler+0xd0/0x268 + [<00000000d495ef94>] el0_sync+0x164/0x180 + +Signed-off-by: Qian Cai +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 2254c281cc766..c9c0af9a571f6 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -392,6 +392,10 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ if (vdev->err_trigger) ++ eventfd_ctx_put(vdev->err_trigger); ++ if (vdev->req_trigger) ++ eventfd_ctx_put(vdev->req_trigger); + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.9/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch b/queue-4.9/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch new file mode 100644 index 00000000000..fd48e3f3aa2 --- /dev/null +++ b/queue-4.9/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch @@ -0,0 +1,122 @@ +From ccdb0e311f57f965aaf2f4efc9cae713d660d3f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jul 2020 15:34:41 +0800 +Subject: vfio/pci: fix racy on error and request eventfd ctx + +From: Zeng Tao + +[ Upstream commit b872d0640840018669032b20b6375a478ed1f923 ] + +The vfio_pci_release call will free and clear the error and request +eventfd ctx while these ctx could be in use at the same time in the +function like vfio_pci_request, and it's expected to protect them under +the vdev->igate mutex, which is missing in vfio_pci_release. + +This issue is introduced since commit 1518ac272e78 ("vfio/pci: fix memory +leaks of eventfd ctx"),and since commit 5c5866c593bb ("vfio/pci: Clear +error and request eventfd ctx after releasing"), it's very easily to +trigger the kernel panic like this: + +[ 9513.904346] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 +[ 9513.913091] Mem abort info: +[ 9513.915871] ESR = 0x96000006 +[ 9513.918912] EC = 0x25: DABT (current EL), IL = 32 bits +[ 9513.924198] SET = 0, FnV = 0 +[ 9513.927238] EA = 0, S1PTW = 0 +[ 9513.930364] Data abort info: +[ 9513.933231] ISV = 0, ISS = 0x00000006 +[ 9513.937048] CM = 0, WnR = 0 +[ 9513.940003] user pgtable: 4k pages, 48-bit VAs, pgdp=0000007ec7d12000 +[ 9513.946414] [0000000000000008] pgd=0000007ec7d13003, p4d=0000007ec7d13003, pud=0000007ec728c003, pmd=0000000000000000 +[ 9513.956975] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 9513.962521] Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio hclge hns3 hnae3 [last unloaded: vfio_pci] +[ 9513.972998] CPU: 4 PID: 1327 Comm: bash Tainted: G W 5.8.0-rc4+ #3 +[ 9513.980443] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B270.01 05/08/2020 +[ 9513.989274] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) +[ 9513.994827] pc : _raw_spin_lock_irqsave+0x48/0x88 +[ 9513.999515] lr : eventfd_signal+0x6c/0x1b0 +[ 9514.003591] sp : ffff800038a0b960 +[ 9514.006889] x29: ffff800038a0b960 x28: ffff007ef7f4da10 +[ 9514.012175] x27: ffff207eefbbfc80 x26: ffffbb7903457000 +[ 9514.017462] x25: ffffbb7912191000 x24: ffff007ef7f4d400 +[ 9514.022747] x23: ffff20be6e0e4c00 x22: 0000000000000008 +[ 9514.028033] x21: 0000000000000000 x20: 0000000000000000 +[ 9514.033321] x19: 0000000000000008 x18: 0000000000000000 +[ 9514.038606] x17: 0000000000000000 x16: ffffbb7910029328 +[ 9514.043893] x15: 0000000000000000 x14: 0000000000000001 +[ 9514.049179] x13: 0000000000000000 x12: 0000000000000002 +[ 9514.054466] x11: 0000000000000000 x10: 0000000000000a00 +[ 9514.059752] x9 : ffff800038a0b840 x8 : ffff007ef7f4de60 +[ 9514.065038] x7 : ffff007fffc96690 x6 : fffffe01faffb748 +[ 9514.070324] x5 : 0000000000000000 x4 : 0000000000000000 +[ 9514.075609] x3 : 0000000000000000 x2 : 0000000000000001 +[ 9514.080895] x1 : ffff007ef7f4d400 x0 : 0000000000000000 +[ 9514.086181] Call trace: +[ 9514.088618] _raw_spin_lock_irqsave+0x48/0x88 +[ 9514.092954] eventfd_signal+0x6c/0x1b0 +[ 9514.096691] vfio_pci_request+0x84/0xd0 [vfio_pci] +[ 9514.101464] vfio_del_group_dev+0x150/0x290 [vfio] +[ 9514.106234] vfio_pci_remove+0x30/0x128 [vfio_pci] +[ 9514.111007] pci_device_remove+0x48/0x108 +[ 9514.115001] device_release_driver_internal+0x100/0x1b8 +[ 9514.120200] device_release_driver+0x28/0x38 +[ 9514.124452] pci_stop_bus_device+0x68/0xa8 +[ 9514.128528] pci_stop_and_remove_bus_device+0x20/0x38 +[ 9514.133557] pci_iov_remove_virtfn+0xb4/0x128 +[ 9514.137893] sriov_disable+0x3c/0x108 +[ 9514.141538] pci_disable_sriov+0x28/0x38 +[ 9514.145445] hns3_pci_sriov_configure+0x48/0xb8 [hns3] +[ 9514.150558] sriov_numvfs_store+0x110/0x198 +[ 9514.154724] dev_attr_store+0x44/0x60 +[ 9514.158373] sysfs_kf_write+0x5c/0x78 +[ 9514.162018] kernfs_fop_write+0x104/0x210 +[ 9514.166010] __vfs_write+0x48/0x90 +[ 9514.169395] vfs_write+0xbc/0x1c0 +[ 9514.172694] ksys_write+0x74/0x100 +[ 9514.176079] __arm64_sys_write+0x24/0x30 +[ 9514.179987] el0_svc_common.constprop.4+0x110/0x200 +[ 9514.184842] do_el0_svc+0x34/0x98 +[ 9514.188144] el0_svc+0x14/0x40 +[ 9514.191185] el0_sync_handler+0xb0/0x2d0 +[ 9514.195088] el0_sync+0x140/0x180 +[ 9514.198389] Code: b9001020 d2800000 52800022 f9800271 (885ffe61) +[ 9514.204455] ---[ end trace 648de00c8406465f ]--- +[ 9514.212308] note: bash[1327] exited with preempt_count 1 + +Cc: Qian Cai +Cc: Alex Williamson +Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx") +Signed-off-by: Zeng Tao +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index c08cff0ca08df..237d5aceb302d 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -392,14 +392,19 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ mutex_lock(&vdev->igate); + if (vdev->err_trigger) { + eventfd_ctx_put(vdev->err_trigger); + vdev->err_trigger = NULL; + } ++ mutex_unlock(&vdev->igate); ++ ++ mutex_lock(&vdev->igate); + if (vdev->req_trigger) { + eventfd_ctx_put(vdev->req_trigger); + vdev->req_trigger = NULL; + } ++ mutex_unlock(&vdev->igate); + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.9/x86-pkeys-add-check-for-pkey-overflow.patch b/queue-4.9/x86-pkeys-add-check-for-pkey-overflow.patch new file mode 100644 index 00000000000..3ab7fca4be9 --- /dev/null +++ b/queue-4.9/x86-pkeys-add-check-for-pkey-overflow.patch @@ -0,0 +1,80 @@ +From 0ddc7bf237bc43d412c8e3100f2fb4265b25889e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 08:53:46 -0800 +Subject: x86/pkeys: Add check for pkey "overflow" + +From: Dave Hansen + +[ Upstream commit 16171bffc829272d5e6014bad48f680cb50943d9 ] + +Alex Shi reported the pkey macros above arch_set_user_pkey_access() +to be unused. They are unused, and even refer to a nonexistent +CONFIG option. + +But, they might have served a good use, which was to ensure that +the code does not try to set values that would not fit in the +PKRU register. As it stands, a too-large 'pkey' value would +be likely to silently overflow the u32 new_pkru_bits. + +Add a check to look for overflows. Also add a comment to remind +any future developer to closely examine the types used to store +pkey values if arch_max_pkey() ever changes. + +This boots and passes the x86 pkey selftests. + +Reported-by: Alex Shi +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200122165346.AD4DA150@viggo.jf.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pkeys.h | 5 +++++ + arch/x86/kernel/fpu/xstate.c | 9 +++++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h +index c50d6dcf4a227..4e7273e176cb7 100644 +--- a/arch/x86/include/asm/pkeys.h ++++ b/arch/x86/include/asm/pkeys.h +@@ -3,6 +3,11 @@ + + #define ARCH_DEFAULT_PKEY 0 + ++/* ++ * If more than 16 keys are ever supported, a thorough audit ++ * will be necessary to ensure that the types that store key ++ * numbers and masks have sufficient capacity. ++ */ + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1) + + extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index e9d7f461b7fa5..dbd396c913488 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -871,8 +871,6 @@ const void *get_xsave_field_ptr(int xsave_state) + + #ifdef CONFIG_ARCH_HAS_PKEYS + +-#define NR_VALID_PKRU_BITS (CONFIG_NR_PROTECTION_KEYS * 2) +-#define PKRU_VALID_MASK (NR_VALID_PKRU_BITS - 1) + /* + * This will go out and modify PKRU register to set the access + * rights for @pkey to @init_val. +@@ -891,6 +889,13 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, + if (!boot_cpu_has(X86_FEATURE_OSPKE)) + return -EINVAL; + ++ /* ++ * This code should only be called with valid 'pkey' ++ * values originating from in-kernel users. Complain ++ * if a bad value is observed. ++ */ ++ WARN_ON_ONCE(pkey >= arch_max_pkey()); ++ + /* Set the bits we need in PKRU: */ + if (init_val & PKEY_DISABLE_ACCESS) + new_pkru_bits |= PKRU_AD_BIT; +-- +2.25.1 + diff --git a/queue-4.9/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch b/queue-4.9/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch new file mode 100644 index 00000000000..388d623e4e3 --- /dev/null +++ b/queue-4.9/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch @@ -0,0 +1,48 @@ +From a7d74b81a9bac9ec83a1e55cb9fc0e2c9700e854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 12:49:18 +0100 +Subject: x86/speculation/mds: Mark mds_user_clear_cpu_buffers() + __always_inline + +From: Thomas Gleixner + +[ Upstream commit a7ef9ba986b5fae9d80f8a7b31db0423687efe4e ] + +Prevent the compiler from uninlining and creating traceable/probable +functions as this is invoked _after_ context tracking switched to +CONTEXT_USER and rcu idle. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Alexandre Chartre +Acked-by: Peter Zijlstra +Link: https://lkml.kernel.org/r/20200505134340.902709267@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/nospec-branch.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 4af16acc001a3..204a5ce65afda 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -321,7 +321,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear); + * combination with microcode which triggers a CPU buffer flush when the + * instruction is executed. + */ +-static inline void mds_clear_cpu_buffers(void) ++static __always_inline void mds_clear_cpu_buffers(void) + { + static const u16 ds = __KERNEL_DS; + +@@ -342,7 +342,7 @@ static inline void mds_clear_cpu_buffers(void) + * + * Clear CPU buffers if the corresponding static key is enabled + */ +-static inline void mds_user_clear_cpu_buffers(void) ++static __always_inline void mds_user_clear_cpu_buffers(void) + { + if (static_branch_likely(&mds_user_clear)) + mds_clear_cpu_buffers(); +-- +2.25.1 + diff --git a/queue-4.9/xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch b/queue-4.9/xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch new file mode 100644 index 00000000000..57c4bfeb730 --- /dev/null +++ b/queue-4.9/xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch @@ -0,0 +1,41 @@ +From 8ea274367a6a2d04427c1eb16bca442bc54f9a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 10:37:55 -0700 +Subject: xfs: don't ever return a stale pointer from __xfs_dir3_free_read + +From: Darrick J. Wong + +[ Upstream commit 1cb5deb5bc095c070c09a4540c45f9c9ba24be43 ] + +If we decide that a directory free block is corrupt, we must take care +not to leak a buffer pointer to the caller. After xfs_trans_brelse +returns, the buffer can be freed or reused, which means that we have to +set *bpp back to NULL. + +Callers are supposed to notice the nonzero return value and not use the +buffer pointer, but we should code more defensively, even if all current +callers handle this situation correctly. + +Fixes: de14c5f541e7 ("xfs: verify free block header fields") +Signed-off-by: Darrick J. Wong +Reviewed-by: Dave Chinner +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_dir2_node.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c +index bbd1238852b3c..df7f33e60a4f6 100644 +--- a/fs/xfs/libxfs/xfs_dir2_node.c ++++ b/fs/xfs/libxfs/xfs_dir2_node.c +@@ -212,6 +212,7 @@ __xfs_dir3_free_read( + xfs_buf_ioerror(*bpp, -EFSCORRUPTED); + xfs_verifier_error(*bpp); + xfs_trans_brelse(tp, *bpp); ++ *bpp = NULL; + return -EFSCORRUPTED; + } + +-- +2.25.1 + diff --git a/queue-4.9/xfs-fix-attr-leaf-header-freemap.size-underflow.patch b/queue-4.9/xfs-fix-attr-leaf-header-freemap.size-underflow.patch new file mode 100644 index 00000000000..1506452e8fa --- /dev/null +++ b/queue-4.9/xfs-fix-attr-leaf-header-freemap.size-underflow.patch @@ -0,0 +1,59 @@ +From 7f2368ecc50fdde62b9aaa89faf43be5856b9211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 21:15:08 -0800 +Subject: xfs: fix attr leaf header freemap.size underflow + +From: Brian Foster + +[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ] + +The leaf format xattr addition helper xfs_attr3_leaf_add_work() +adjusts the block freemap in a couple places. The first update drops +the size of the freemap that the caller had already selected to +place the xattr name/value data. Before the function returns, it +also checks whether the entries array has encroached on a freemap +range by virtue of the new entry addition. This is necessary because +the entries array grows from the start of the block (but end of the +block header) towards the end of the block while the name/value data +grows from the end of the block in the opposite direction. If the +associated freemap is already empty, however, size is zero and the +subtraction underflows the field and causes corruption. + +This is reproduced rarely by generic/070. The observed behavior is +that a smaller sized freemap is aligned to the end of the entries +list, several subsequent xattr additions land in larger freemaps and +the entries list expands into the smaller freemap until it is fully +consumed and then underflows. Note that it is not otherwise a +corruption for the entries array to consume an empty freemap because +the nameval list (i.e. the firstused pointer in the xattr header) +starts beyond the end of the corrupted freemap. + +Update the freemap size modification to account for the fact that +the freemap entry can be empty and thus stale. + +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index 7b9dd76403bfd..537acde2c497b 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -1332,7 +1332,9 @@ xfs_attr3_leaf_add_work( + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { + if (ichdr->freemap[i].base == tmp) { + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); ++ ichdr->freemap[i].size -= ++ min_t(uint16_t, ichdr->freemap[i].size, ++ sizeof(xfs_attr_leaf_entry_t)); + } + } + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); +-- +2.25.1 +