From: Sasha Levin Date: Thu, 27 Aug 2020 16:38:45 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.4.235~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73fa72466bcf8f3d954a84c3135abebbc9201b03;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/alsa-pci-delete-repeated-words-in-comments.patch b/queue-4.9/alsa-pci-delete-repeated-words-in-comments.patch new file mode 100644 index 00000000000..dbf1c14c69b --- /dev/null +++ b/queue-4.9/alsa-pci-delete-repeated-words-in-comments.patch @@ -0,0 +1,120 @@ +From 49f1de7fa7f04e5a0e01e15cd267cbf3b1caf764 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 19:19:26 -0700 +Subject: ALSA: pci: delete repeated words in comments + +From: Randy Dunlap + +[ Upstream commit c7fabbc51352f50cc58242a6dc3b9c1a3599849b ] + +Drop duplicated words in sound/pci/. +{and, the, at} + +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20200806021926.32418-1-rdunlap@infradead.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/cs46xx/cs46xx_lib.c | 2 +- + sound/pci/cs46xx/dsp_spos_scb_lib.c | 2 +- + sound/pci/hda/hda_codec.c | 2 +- + sound/pci/hda/hda_generic.c | 2 +- + sound/pci/hda/patch_sigmatel.c | 2 +- + sound/pci/ice1712/prodigy192.c | 2 +- + sound/pci/oxygen/xonar_dg.c | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/pci/cs46xx/cs46xx_lib.c b/sound/pci/cs46xx/cs46xx_lib.c +index 528102cc2d5d0..d824ff4ae3e3b 100644 +--- a/sound/pci/cs46xx/cs46xx_lib.c ++++ b/sound/pci/cs46xx/cs46xx_lib.c +@@ -780,7 +780,7 @@ static void snd_cs46xx_set_capture_sample_rate(struct snd_cs46xx *chip, unsigned + rate = 48000 / 9; + + /* +- * We can not capture at at rate greater than the Input Rate (48000). ++ * We can not capture at a rate greater than the Input Rate (48000). + * Return an error if an attempt is made to stray outside that limit. + */ + if (rate > 48000) +diff --git a/sound/pci/cs46xx/dsp_spos_scb_lib.c b/sound/pci/cs46xx/dsp_spos_scb_lib.c +index 7488e1b7a7707..4e726d39b05d1 100644 +--- a/sound/pci/cs46xx/dsp_spos_scb_lib.c ++++ b/sound/pci/cs46xx/dsp_spos_scb_lib.c +@@ -1742,7 +1742,7 @@ int cs46xx_iec958_pre_open (struct snd_cs46xx *chip) + struct dsp_spos_instance * ins = chip->dsp_spos_instance; + + if ( ins->spdif_status_out & DSP_SPDIF_STATUS_OUTPUT_ENABLED ) { +- /* remove AsynchFGTxSCB and and PCMSerialInput_II */ ++ /* remove AsynchFGTxSCB and PCMSerialInput_II */ + cs46xx_dsp_disable_spdif_out (chip); + + /* save state */ +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index cbe0248225c1c..4e67614f15f8e 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3496,7 +3496,7 @@ EXPORT_SYMBOL_GPL(snd_hda_set_power_save); + * @nid: NID to check / update + * + * Check whether the given NID is in the amp list. If it's in the list, +- * check the current AMP status, and update the the power-status according ++ * check the current AMP status, and update the power-status according + * to the mute status. + * + * This function is supposed to be set or called from the check_power_status +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 949c90a859fab..184089c5e8cbc 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -820,7 +820,7 @@ static void activate_amp_in(struct hda_codec *codec, struct nid_path *path, + } + } + +-/* sync power of each widget in the the given path */ ++/* sync power of each widget in the given path */ + static hda_nid_t path_power_update(struct hda_codec *codec, + struct nid_path *path, + bool allow_powerdown) +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index d1a6d20ace0da..80b72d0702c5e 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -862,7 +862,7 @@ static int stac_auto_create_beep_ctls(struct hda_codec *codec, + static struct snd_kcontrol_new beep_vol_ctl = + HDA_CODEC_VOLUME(NULL, 0, 0, 0); + +- /* check for mute support for the the amp */ ++ /* check for mute support for the amp */ + if ((caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT) { + const struct snd_kcontrol_new *temp; + if (spec->anabeep_nid == nid) +diff --git a/sound/pci/ice1712/prodigy192.c b/sound/pci/ice1712/prodigy192.c +index 3919aed39ca03..5e52086d7b986 100644 +--- a/sound/pci/ice1712/prodigy192.c ++++ b/sound/pci/ice1712/prodigy192.c +@@ -31,7 +31,7 @@ + * Experimentally I found out that only a combination of + * OCKS0=1, OCKS1=1 (128fs, 64fs output) and ice1724 - + * VT1724_MT_I2S_MCLK_128X=0 (256fs input) yields correct +- * sampling rate. That means the the FPGA doubles the ++ * sampling rate. That means that the FPGA doubles the + * MCK01 rate. + * + * Copyright (c) 2003 Takashi Iwai +diff --git a/sound/pci/oxygen/xonar_dg.c b/sound/pci/oxygen/xonar_dg.c +index 4cf3200e988b0..df44135e1b0c9 100644 +--- a/sound/pci/oxygen/xonar_dg.c ++++ b/sound/pci/oxygen/xonar_dg.c +@@ -39,7 +39,7 @@ + * GPIO 4 <- headphone detect + * GPIO 5 -> enable ADC analog circuit for the left channel + * GPIO 6 -> enable ADC analog circuit for the right channel +- * GPIO 7 -> switch green rear output jack between CS4245 and and the first ++ * GPIO 7 -> switch green rear output jack between CS4245 and the first + * channel of CS4361 (mechanical relay) + * GPIO 8 -> enable output to speakers + * +-- +2.25.1 + diff --git a/queue-4.9/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch b/queue-4.9/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch new file mode 100644 index 00000000000..68edfaa0ee5 --- /dev/null +++ b/queue-4.9/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch @@ -0,0 +1,44 @@ +From f3629494a21cebc057542a042528a90fc23485ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 20:59:15 +0200 +Subject: arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep + +From: Stephan Gerhold + +[ Upstream commit e2ee9edc282961783d519c760bbaa20fed4dec38 ] + +The original qcom kernel changed the PDM GPIOs to be pull-down +during sleep at some point. Reportedly this was done because +there was some "leakage at PDM outputs during sleep": + + https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0f87e08c1cd3e6484a6f7fb3e74e37340bdcdee0 + +I cannot say how effective this is, but everything seems to work +fine with this change so let's apply the same to mainline just +to be sure. + +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200605185916.318494-3-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index fabc0cebe2aa2..1f9ff2cea2151 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -555,7 +555,7 @@ + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <2>; +- bias-disable; ++ bias-pull-down; + }; + }; + }; +-- +2.25.1 + diff --git a/queue-4.9/asoc-tegra-fix-reference-count-leaks.patch b/queue-4.9/asoc-tegra-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..29ce7b146ef --- /dev/null +++ b/queue-4.9/asoc-tegra-fix-reference-count-leaks.patch @@ -0,0 +1,58 @@ +From beee97a00905b369ba2685a1b9edab25ba1b9078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 15:44:19 -0500 +Subject: ASoC: tegra: Fix reference count leaks. + +From: Qiushi Wu + +[ Upstream commit deca195383a6085be62cb453079e03e04d618d6e ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not called in +error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails. + +Signed-off-by: Qiushi Wu +Reviewed-by: Jon Hunter +Link: https://lore.kernel.org/r/20200613204422.24484-1-wu000273@umn.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/tegra/tegra30_ahub.c | 4 +++- + sound/soc/tegra/tegra30_i2s.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/tegra/tegra30_ahub.c b/sound/soc/tegra/tegra30_ahub.c +index fef3b9a21a667..e441e23a37e4f 100644 +--- a/sound/soc/tegra/tegra30_ahub.c ++++ b/sound/soc/tegra/tegra30_ahub.c +@@ -656,8 +656,10 @@ static int tegra30_ahub_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + ret = regcache_sync(ahub->regmap_ahub); + ret |= regcache_sync(ahub->regmap_apbif); + pm_runtime_put(dev); +diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c +index 8e55583aa104e..516f37896092c 100644 +--- a/sound/soc/tegra/tegra30_i2s.c ++++ b/sound/soc/tegra/tegra30_i2s.c +@@ -552,8 +552,10 @@ static int tegra30_i2s_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + ret = regcache_sync(i2s->regmap); + pm_runtime_put(dev); + +-- +2.25.1 + diff --git a/queue-4.9/cec-api-prevent-leaking-memory-through-hole-in-struc.patch b/queue-4.9/cec-api-prevent-leaking-memory-through-hole-in-struc.patch new file mode 100644 index 00000000000..835a6c6d15e --- /dev/null +++ b/queue-4.9/cec-api-prevent-leaking-memory-through-hole-in-struc.patch @@ -0,0 +1,43 @@ +From 74c2b3080d17203a9bba14562146fba7f9004de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 12:44:26 +0200 +Subject: cec-api: prevent leaking memory through hole in structure + +From: Hans Verkuil + +[ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ] + +Fix this smatch warning: + +drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after +'features') + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/cec/cec-api.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/cec/cec-api.c b/drivers/staging/media/cec/cec-api.c +index e274e2f223986..264bb7d1efcb8 100644 +--- a/drivers/staging/media/cec/cec-api.c ++++ b/drivers/staging/media/cec/cec-api.c +@@ -141,7 +141,13 @@ static long cec_adap_g_log_addrs(struct cec_adapter *adap, + struct cec_log_addrs log_addrs; + + mutex_lock(&adap->lock); +- log_addrs = adap->log_addrs; ++ /* ++ * We use memcpy here instead of assignment since there is a ++ * hole at the end of struct cec_log_addrs that an assignment ++ * might ignore. So when we do copy_to_user() we could leak ++ * one byte of memory. ++ */ ++ memcpy(&log_addrs, &adap->log_addrs, sizeof(log_addrs)); + if (!adap->is_configured) + memset(log_addrs.log_addr, CEC_LOG_ADDR_INVALID, + sizeof(log_addrs.log_addr)); +-- +2.25.1 + diff --git a/queue-4.9/ceph-fix-potential-mdsc-use-after-free-crash.patch b/queue-4.9/ceph-fix-potential-mdsc-use-after-free-crash.patch new file mode 100644 index 00000000000..0db1f1dc04d --- /dev/null +++ b/queue-4.9/ceph-fix-potential-mdsc-use-after-free-crash.patch @@ -0,0 +1,64 @@ +From c056dffcd0a1eb41aaf71444d06c5d741a86134b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 01:52:48 -0400 +Subject: ceph: fix potential mdsc use-after-free crash + +From: Xiubo Li + +[ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ] + +Make sure the delayed work stopped before releasing the resources. + +cancel_delayed_work_sync() will only guarantee that the work finishes +executing if the work is already in the ->worklist. That means after +the cancel_delayed_work_sync() returns, it will leave the work requeued +if it was rearmed at the end. That can lead to a use after free once the +work struct is freed. + +Fix it by flushing the delayed work instead of trying to cancel it, and +ensure that the work doesn't rearm if the mdsc is stopping. + +URL: https://tracker.ceph.com/issues/46293 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 3139fbd4c34e3..4ec5a109df82b 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3386,6 +3386,9 @@ static void delayed_work(struct work_struct *work) + dout("mdsc delayed_work\n"); + ceph_check_delayed_caps(mdsc); + ++ if (mdsc->stopping) ++ return; ++ + mutex_lock(&mdsc->mutex); + renew_interval = mdsc->mdsmap->m_session_timeout >> 2; + renew_caps = time_after_eq(jiffies, HZ*renew_interval + +@@ -3717,7 +3720,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc) + static void ceph_mdsc_stop(struct ceph_mds_client *mdsc) + { + dout("stop\n"); +- cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */ ++ /* ++ * Make sure the delayed work stopped before releasing ++ * the resources. ++ * ++ * Because the cancel_delayed_work_sync() will only ++ * guarantee that the work finishes executing. But the ++ * delayed work will re-arm itself again after that. ++ */ ++ flush_delayed_work(&mdsc->delayed_work); ++ + if (mdsc->mdsmap) + ceph_mdsmap_destroy(mdsc->mdsmap); + kfree(mdsc->sessions); +-- +2.25.1 + diff --git a/queue-4.9/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch b/queue-4.9/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch new file mode 100644 index 00000000000..4cb72d621c1 --- /dev/null +++ b/queue-4.9/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch @@ -0,0 +1,41 @@ +From d1ea6490b2d5e5833a29c16aa08830ee15491ab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 02:14:50 -0500 +Subject: drm/amd/display: fix ref count leak in amdgpu_drm_ioctl + +From: Navid Emamdoost + +[ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ] + +in amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the +counter even in case of failure, leading to incorrect +ref count. In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index e0890deccb2fe..7cae10fec78de 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -633,11 +633,12 @@ long amdgpu_drm_ioctl(struct file *filp, + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); + if (ret < 0) +- return ret; ++ goto out; + + ret = drm_ioctl(filp, cmd, arg); + + pm_runtime_mark_last_busy(dev->dev); ++out: + pm_runtime_put_autosuspend(dev->dev); + return ret; + } +-- +2.25.1 + diff --git a/queue-4.9/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch b/queue-4.9/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch new file mode 100644 index 00000000000..422c1babeac --- /dev/null +++ b/queue-4.9/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch @@ -0,0 +1,75 @@ +From 00d7f4bdc6e6804b6eb0ba39c5adc6ea293b6528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 02:05:28 -0500 +Subject: drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails + +From: Navid Emamdoost + +[ Upstream commit f79f94765f8c39db0b7dec1d335ab046aac03f20 ] + +The call to pm_runtime_get_sync increments the counter even in case of +failure, leading to incorrect ref count. +In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index e9311eb7b8d9f..694f631d9c90d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -734,8 +734,10 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -872,8 +874,10 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = amdgpu_connector_best_single_encoder(connector); +@@ -996,8 +1000,10 @@ amdgpu_connector_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +@@ -1371,8 +1377,10 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +-- +2.25.1 + diff --git a/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch b/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch new file mode 100644 index 00000000000..c33dd90c2c8 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch @@ -0,0 +1,53 @@ +From 5f417547c014c048937db7b7dfb52805e041bdfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 02:09:44 -0500 +Subject: drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config + +From: Navid Emamdoost + +[ Upstream commit e008fa6fb41544b63973a529b704ef342f47cc65 ] + +in amdgpu_display_crtc_set_config, the call to pm_runtime_get_sync +increments the counter even in case of failure, leading to incorrect +ref count. In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +index 15a2d8f3725d5..fdf7a18058881 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -268,7 +268,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + + ret = pm_runtime_get_sync(dev->dev); + if (ret < 0) +- return ret; ++ goto out; + + ret = drm_crtc_helper_set_config(set); + +@@ -283,7 +283,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + take the current one */ + if (active && !adev->have_disp_power_ref) { + adev->have_disp_power_ref = true; +- return ret; ++ goto out; + } + /* if we have no active crtcs, then drop the power ref + we got before */ +@@ -292,6 +292,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + adev->have_disp_power_ref = false; + } + ++out: + /* drop the power reference we got coming in here */ + pm_runtime_put_autosuspend(dev->dev); + return ret; +-- +2.25.1 + diff --git a/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch b/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch new file mode 100644 index 00000000000..ba73fae12ed --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch @@ -0,0 +1,44 @@ +From 250ffab3bcb04f1df95d7afb066b3ae9087a3524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 02:12:29 -0500 +Subject: drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms + +From: Navid Emamdoost + +[ Upstream commit 9ba8923cbbe11564dd1bf9f3602add9a9cfbb5c6 ] + +in amdgpu_driver_open_kms the call to pm_runtime_get_sync increments the +counter even in case of failure, leading to incorrect +ref count. In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index ab5134d920d96..96fc1566f28e5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -543,7 +543,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + r = pm_runtime_get_sync(dev->dev); + if (r < 0) +- return r; ++ goto pm_put; + + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL); + if (unlikely(!fpriv)) { +@@ -566,6 +566,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + out_suspend: + pm_runtime_mark_last_busy(dev->dev); ++pm_put: + pm_runtime_put_autosuspend(dev->dev); + + return r; +-- +2.25.1 + diff --git a/queue-4.9/drm-amdkfd-fix-reference-count-leaks.patch b/queue-4.9/drm-amdkfd-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..4f6b7bca625 --- /dev/null +++ b/queue-4.9/drm-amdkfd-fix-reference-count-leaks.patch @@ -0,0 +1,89 @@ +From c53a9fd5237a5e2357227d85ef17fe9ada3fb279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 14:32:26 -0500 +Subject: drm/amdkfd: Fix reference count leaks. + +From: Qiushi Wu + +[ Upstream commit 20eca0123a35305e38b344d571cf32768854168c ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. + +Signed-off-by: Qiushi Wu +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index 8c6e47c5507fb..74221e096855d 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -841,8 +841,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + + ret = kobject_init_and_add(dev->kobj_node, &node_type, + sys_props.kobj_nodes, "%d", id); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(dev->kobj_node); + return ret; ++ } + + dev->kobj_mem = kobject_create_and_add("mem_banks", dev->kobj_node); + if (!dev->kobj_mem) +@@ -885,8 +887,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(mem->kobj, &mem_type, + dev->kobj_mem, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(mem->kobj); + return ret; ++ } + + mem->attr.name = "properties"; + mem->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -904,8 +908,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(cache->kobj, &cache_type, + dev->kobj_cache, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(cache->kobj); + return ret; ++ } + + cache->attr.name = "properties"; + cache->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -923,8 +929,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(iolink->kobj, &iolink_type, + dev->kobj_iolink, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(iolink->kobj); + return ret; ++ } + + iolink->attr.name = "properties"; + iolink->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -976,8 +984,10 @@ static int kfd_topology_update_sysfs(void) + ret = kobject_init_and_add(sys_props.kobj_topology, + &sysprops_type, &kfd_device->kobj, + "topology"); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(sys_props.kobj_topology); + return ret; ++ } + + sys_props.kobj_nodes = kobject_create_and_add("nodes", + sys_props.kobj_topology); +-- +2.25.1 + diff --git a/queue-4.9/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch b/queue-4.9/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch new file mode 100644 index 00000000000..b31643bbe13 --- /dev/null +++ b/queue-4.9/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch @@ -0,0 +1,40 @@ +From 294603e16651f0a6c1837de7d5bcc374c7420f70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:33:42 -0500 +Subject: drm/nouveau/drm/noveau: fix reference count leak in + nouveau_fbcon_open + +From: Aditya Pakki + +[ Upstream commit bfad51c7633325b5d4b32444efe04329d53297b2 ] + +nouveau_fbcon_open() calls calls pm_runtime_get_sync() that +increments the reference count. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 275abc424ce25..40da9143f7220 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -183,8 +183,10 @@ nouveau_fbcon_open(struct fb_info *info, int user) + struct nouveau_fbdev *fbcon = info->par; + struct nouveau_drm *drm = nouveau_drm(fbcon->dev); + int ret = pm_runtime_get_sync(drm->dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put(drm->dev->dev); + return ret; ++ } + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.9/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch b/queue-4.9/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch new file mode 100644 index 00000000000..da3e2366815 --- /dev/null +++ b/queue-4.9/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch @@ -0,0 +1,39 @@ +From 42ae541c194a5cc2f410d81fbfcffe83aef8fef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:22:23 -0500 +Subject: drm/nouveau: Fix reference count leak in nouveau_connector_detect + +From: Aditya Pakki + +[ Upstream commit 990a1162986e8eff7ca18cc5a0e03b4304392ae2 ] + +nouveau_connector_detect() calls pm_runtime_get_sync and in turn +increments the reference count. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 5bfae1f972c74..0061deca290a4 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -281,8 +281,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force) + pm_runtime_get_noresume(dev->dev); + } else { + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return conn_status; ++ } + } + + nv_encoder = nouveau_connector_ddc_detect(connector); +-- +2.25.1 + diff --git a/queue-4.9/drm-radeon-fix-multiple-reference-count-leak.patch b/queue-4.9/drm-radeon-fix-multiple-reference-count-leak.patch new file mode 100644 index 00000000000..9510d87bb52 --- /dev/null +++ b/queue-4.9/drm-radeon-fix-multiple-reference-count-leak.patch @@ -0,0 +1,87 @@ +From d3b13ae6f003682f06c9a6f6efc07c373315e234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:55:39 -0500 +Subject: drm/radeon: fix multiple reference count leak + +From: Aditya Pakki + +[ Upstream commit 6f2e8acdb48ed166b65d47837c31b177460491ec ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index efa875120071a..9e6c2be0cc7d4 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -892,8 +892,10 @@ radeon_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -1038,8 +1040,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1176,8 +1180,10 @@ radeon_tv_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1260,8 +1266,10 @@ radeon_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (radeon_connector->detected_hpd_without_ddc) { +@@ -1701,8 +1709,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && radeon_check_hpd_status_unchanged(connector)) { +-- +2.25.1 + diff --git a/queue-4.9/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch b/queue-4.9/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch new file mode 100644 index 00000000000..8f80f646e3d --- /dev/null +++ b/queue-4.9/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch @@ -0,0 +1,127 @@ +From d0f6404e68ef5023606841dac7f593035c92a9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:25:11 -0400 +Subject: EDAC/ie31200: Fallback if host bridge device is already initialized + +From: Jason Baron + +[ Upstream commit 709ed1bcef12398ac1a35c149f3e582db04456c2 ] + +The Intel uncore driver may claim some of the pci ids from ie31200 which +means that the ie31200 edac driver will not initialize them as part of +pci_register_driver(). + +Let's add a fallback for this case to 'pci_get_device()' to get a +reference on the device such that it can still be configured. This is +similar in approach to other edac drivers. + +Signed-off-by: Jason Baron +Cc: Borislav Petkov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/1594923911-10885-1-git-send-email-jbaron@akamai.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 50 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 1c88d97074951..3438b98e60948 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -145,6 +145,8 @@ + (n << (28 + (2 * skl) - PAGE_SHIFT)) + + static int nr_channels; ++static struct pci_dev *mci_pdev; ++static int ie31200_registered = 1; + + struct ie31200_priv { + void __iomem *window; +@@ -512,12 +514,16 @@ fail_free: + static int ie31200_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +- edac_dbg(0, "MC:\n"); ++ int rc; + ++ edac_dbg(0, "MC:\n"); + if (pci_enable_device(pdev) < 0) + return -EIO; ++ rc = ie31200_probe1(pdev, ent->driver_data); ++ if (rc == 0 && !mci_pdev) ++ mci_pdev = pci_dev_get(pdev); + +- return ie31200_probe1(pdev, ent->driver_data); ++ return rc; + } + + static void ie31200_remove_one(struct pci_dev *pdev) +@@ -526,6 +532,8 @@ static void ie31200_remove_one(struct pci_dev *pdev) + struct ie31200_priv *priv; + + edac_dbg(0, "\n"); ++ pci_dev_put(mci_pdev); ++ mci_pdev = NULL; + mci = edac_mc_del_mc(&pdev->dev); + if (!mci) + return; +@@ -574,17 +582,53 @@ static struct pci_driver ie31200_driver = { + + static int __init ie31200_init(void) + { ++ int pci_rc, i; ++ + edac_dbg(3, "MC:\n"); + /* Ensure that the OPSTATE is set correctly for POLL or NMI */ + opstate_init(); + +- return pci_register_driver(&ie31200_driver); ++ pci_rc = pci_register_driver(&ie31200_driver); ++ if (pci_rc < 0) ++ goto fail0; ++ ++ if (!mci_pdev) { ++ ie31200_registered = 0; ++ for (i = 0; ie31200_pci_tbl[i].vendor != 0; i++) { ++ mci_pdev = pci_get_device(ie31200_pci_tbl[i].vendor, ++ ie31200_pci_tbl[i].device, ++ NULL); ++ if (mci_pdev) ++ break; ++ } ++ if (!mci_pdev) { ++ edac_dbg(0, "ie31200 pci_get_device fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); ++ if (pci_rc < 0) { ++ edac_dbg(0, "ie31200 init fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ } ++ return 0; ++ ++fail1: ++ pci_unregister_driver(&ie31200_driver); ++fail0: ++ pci_dev_put(mci_pdev); ++ ++ return pci_rc; + } + + static void __exit ie31200_exit(void) + { + edac_dbg(3, "MC:\n"); + pci_unregister_driver(&ie31200_driver); ++ if (!ie31200_registered) ++ ie31200_remove_one(mci_pdev); + } + + module_init(ie31200_init); +-- +2.25.1 + diff --git a/queue-4.9/iommu-iova-don-t-bug-on-invalid-pfns.patch b/queue-4.9/iommu-iova-don-t-bug-on-invalid-pfns.patch new file mode 100644 index 00000000000..40822dedc3b --- /dev/null +++ b/queue-4.9/iommu-iova-don-t-bug-on-invalid-pfns.patch @@ -0,0 +1,50 @@ +From 99a7c447a8815e85005afeb3b7a977d4d2f44609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 14:08:18 +0100 +Subject: iommu/iova: Don't BUG on invalid PFNs + +From: Robin Murphy + +[ Upstream commit d3e3d2be688b4b5864538de61e750721a311e4fc ] + +Unlike the other instances which represent a complete loss of +consistency within the rcache mechanism itself, or a fundamental +and obvious misconfiguration by an IOMMU driver, the BUG_ON() in +iova_magazine_free_pfns() can be provoked at more or less any time +in a "spooky action-at-a-distance" manner by any old device driver +passing nonsense to dma_unmap_*() which then propagates through to +queue_iova(). + +Not only is this well outside the IOVA layer's control, it's also +nowhere near fatal enough to justify panicking anyway - all that +really achieves is to make debugging the offending driver more +difficult. Let's simply WARN and otherwise ignore bogus PFNs. + +Reported-by: Prakash Gupta +Signed-off-by: Robin Murphy +Reviewed-by: Prakash Gupta +Link: https://lore.kernel.org/r/acbd2d092b42738a03a21b417ce64e27f8c91c86.1591103298.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iova.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index f106fd9782bfb..99c36a5438a75 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -676,7 +676,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad) + for (i = 0 ; i < mag->size; ++i) { + struct iova *iova = private_find_iova(iovad, mag->pfns[i]); + +- BUG_ON(!iova); ++ if (WARN_ON(!iova)) ++ continue; ++ + private_free_iova(iovad, iova); + } + +-- +2.25.1 + diff --git a/queue-4.9/locking-lockdep-fix-overflow-in-presentation-of-aver.patch b/queue-4.9/locking-lockdep-fix-overflow-in-presentation-of-aver.patch new file mode 100644 index 00000000000..b261cffc5c6 --- /dev/null +++ b/queue-4.9/locking-lockdep-fix-overflow-in-presentation-of-aver.patch @@ -0,0 +1,42 @@ +From de92d704b1cad8ae3471f26569afd8a936ad3a3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 19:51:10 +0100 +Subject: locking/lockdep: Fix overflow in presentation of average lock-time + +From: Chris Wilson + +[ Upstream commit a7ef9b28aa8d72a1656fa6f0a01bbd1493886317 ] + +Though the number of lock-acquisitions is tracked as unsigned long, this +is passed as the divisor to div_s64() which interprets it as a s32, +giving nonsense values with more than 2 billion acquisitons. E.g. + + acquisitions holdtime-min holdtime-max holdtime-total holdtime-avg + ------------------------------------------------------------------------- + 2350439395 0.07 353.38 649647067.36 0.-32 + +Signed-off-by: Chris Wilson +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20200725185110.11588-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 75d80809c48c9..09bad6cbb95cf 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -425,7 +425,7 @@ static void seq_lock_time(struct seq_file *m, struct lock_time *lt) + seq_time(m, lt->min); + seq_time(m, lt->max); + seq_time(m, lt->total); +- seq_time(m, lt->nr ? div_s64(lt->total, lt->nr) : 0); ++ seq_time(m, lt->nr ? div64_u64(lt->total, lt->nr) : 0); + } + + static void seq_stats(struct seq_file *m, struct lock_stat_data *data) +-- +2.25.1 + diff --git a/queue-4.9/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch b/queue-4.9/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch new file mode 100644 index 00000000000..2494ff091df --- /dev/null +++ b/queue-4.9/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch @@ -0,0 +1,52 @@ +From a6d5a8ade4c76866a6da5e98d243602556fe88ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 16:42:08 +0200 +Subject: media: pci: ttpci: av7110: fix possible buffer overflow caused by bad + DMA value in debiirq() + +From: Jia-Ju Bai + +[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] + +The value av7110->debi_virt is stored in DMA memory, and it is assigned +to data, and thus data[0] can be modified at any time by malicious +hardware. In this case, "if (data[0] < 2)" can be passed, but then +data[0] can be changed into a large number, which may cause buffer +overflow when the code "av7110->ci_slot[data[0]]" is used. + +To fix this possible bug, data[0] is assigned to a local variable, which +replaces the use of data[0]. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ttpci/av7110.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c +index 382caf200ba16..c313f51688f44 100644 +--- a/drivers/media/pci/ttpci/av7110.c ++++ b/drivers/media/pci/ttpci/av7110.c +@@ -426,14 +426,15 @@ static void debiirq(unsigned long cookie) + case DATA_CI_GET: + { + u8 *data = av7110->debi_virt; ++ u8 data_0 = data[0]; + +- if ((data[0] < 2) && data[2] == 0xff) { ++ if (data_0 < 2 && data[2] == 0xff) { + int flags = 0; + if (data[5] > 0) + flags |= CA_CI_MODULE_PRESENT; + if (data[5] > 5) + flags |= CA_CI_MODULE_READY; +- av7110->ci_slot[data[0]].flags = flags; ++ av7110->ci_slot[data_0].flags = flags; + } else + ci_get_data(&av7110->ci_rbuffer, + av7110->debi_virt, +-- +2.25.1 + diff --git a/queue-4.9/mips-vdso-fix-resource-leaks-in-genvdso.c.patch b/queue-4.9/mips-vdso-fix-resource-leaks-in-genvdso.c.patch new file mode 100644 index 00000000000..1ba6bfd97f9 --- /dev/null +++ b/queue-4.9/mips-vdso-fix-resource-leaks-in-genvdso.c.patch @@ -0,0 +1,98 @@ +From b348ab2b3597d7717394b72168e452243b47f044 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 20:30:18 +0800 +Subject: mips/vdso: Fix resource leaks in genvdso.c + +From: Peng Fan + +[ Upstream commit a859647b4e6bfeb192284d27d24b6a0c914cae1d ] + +Close "fd" before the return of map_vdso() and close "out_file" +in main(). + +Signed-off-by: Peng Fan +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/vdso/genvdso.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/vdso/genvdso.c b/arch/mips/vdso/genvdso.c +index 530a36f465ced..afcc86726448e 100644 +--- a/arch/mips/vdso/genvdso.c ++++ b/arch/mips/vdso/genvdso.c +@@ -126,6 +126,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (fstat(fd, &stat) != 0) { + fprintf(stderr, "%s: Failed to stat '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -134,6 +135,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (addr == MAP_FAILED) { + fprintf(stderr, "%s: Failed to map '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -143,6 +145,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) { + fprintf(stderr, "%s: '%s' is not an ELF file\n", program_name, + path); ++ close(fd); + return NULL; + } + +@@ -154,6 +157,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF class\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -165,6 +169,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF data order\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -172,15 +177,18 @@ static void *map_vdso(const char *path, size_t *_size) + fprintf(stderr, + "%s: '%s' has invalid ELF machine (expected EM_MIPS)\n", + program_name, path); ++ close(fd); + return NULL; + } else if (swap_uint16(ehdr->e_type) != ET_DYN) { + fprintf(stderr, + "%s: '%s' has invalid ELF type (expected ET_DYN)\n", + program_name, path); ++ close(fd); + return NULL; + } + + *_size = stat.st_size; ++ close(fd); + return addr; + } + +@@ -284,10 +292,12 @@ int main(int argc, char **argv) + /* Calculate and write symbol offsets to */ + if (!get_symbols(dbg_vdso_path, dbg_vdso)) { + unlink(out_path); ++ fclose(out_file); + return EXIT_FAILURE; + } + + fprintf(out_file, "};\n"); ++ fclose(out_file); + + return EXIT_SUCCESS; + } +-- +2.25.1 + diff --git a/queue-4.9/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch b/queue-4.9/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch new file mode 100644 index 00000000000..977961a17f4 --- /dev/null +++ b/queue-4.9/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch @@ -0,0 +1,145 @@ +From 695fc6414981b885ec34d3956b57c80f48cd2474 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 22:05:18 -0500 +Subject: omapfb: fix multiple reference count leaks due to pm_runtime_get_sync + +From: Aditya Pakki + +[ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Aditya Pakki +Cc: kjlu@umn.edu +Cc: wu000273@umn.edu +Cc: Allison Randal +Cc: Thomas Gleixner +Cc: Enrico Weigelt +cc: "Andrew F. Davis" +Cc: Tomi Valkeinen +Cc: Alexios Zavras +Cc: Greg Kroah-Hartman +Cc: YueHaibing +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200614030528.128064-1-pakki001@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/dss.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c | 5 +++-- + drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c | 5 +++-- + drivers/video/fbdev/omap2/omapfb/dss/venc.c | 7 +++++-- + 6 files changed, 26 insertions(+), 12 deletions(-) + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +index 7a75dfda98457..00f5a54aaf9b7 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +@@ -531,8 +531,11 @@ int dispc_runtime_get(void) + DSSDBG("dispc_runtime_get\n"); + + r = pm_runtime_get_sync(&dispc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dispc.pdev->dev); ++ return r; ++ } ++ return 0; + } + EXPORT_SYMBOL(dispc_runtime_get); + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +index 30d49f3800b33..2bfd9063cdfc3 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +@@ -1148,8 +1148,11 @@ static int dsi_runtime_get(struct platform_device *dsidev) + DSSDBG("dsi_runtime_get\n"); + + r = pm_runtime_get_sync(&dsi->pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dsi->pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void dsi_runtime_put(struct platform_device *dsidev) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +index 4429ad37b64cd..acecee5b1c102 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +@@ -778,8 +778,11 @@ int dss_runtime_get(void) + DSSDBG("dss_runtime_get\n"); + + r = pm_runtime_get_sync(&dss.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dss.pdev->dev); ++ return r; ++ } ++ return 0; + } + + void dss_runtime_put(void) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +index 156a254705ea5..ab64bf0215e82 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +@@ -50,9 +50,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +index 4da36bcab9779..c6efaca3235a8 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +@@ -54,9 +54,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/venc.c b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +index 392464da12e41..96714b4596d2d 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/venc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +@@ -402,8 +402,11 @@ static int venc_runtime_get(void) + DSSDBG("venc_runtime_get\n"); + + r = pm_runtime_get_sync(&venc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&venc.pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void venc_runtime_put(void) +-- +2.25.1 + diff --git a/queue-4.9/pci-fix-pci_create_slot-reference-count-leak.patch b/queue-4.9/pci-fix-pci_create_slot-reference-count-leak.patch new file mode 100644 index 00000000000..74cd7e4f5d9 --- /dev/null +++ b/queue-4.9/pci-fix-pci_create_slot-reference-count-leak.patch @@ -0,0 +1,59 @@ +From a1f660ef6c854d565f660ce8c1abd53f525565c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 21:13:22 -0500 +Subject: PCI: Fix pci_create_slot() reference count leak + +From: Qiushi Wu + +[ Upstream commit 8a94644b440eef5a7b9c104ac8aa7a7f413e35e5 ] + +kobject_init_and_add() takes a reference even when it fails. If it returns +an error, kobject_put() must be called to clean up the memory associated +with the object. + +When kobject_init_and_add() fails, call kobject_put() instead of kfree(). + +b8eb718348b8 ("net-sysfs: Fix reference count leak in +rx|netdev_queue_add_kobject") fixed a similar problem. + +Link: https://lore.kernel.org/r/20200528021322.1984-1-wu000273@umn.edu +Signed-off-by: Qiushi Wu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/slot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c +index 429d34c348b9f..01a343ad7155c 100644 +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -303,13 +303,16 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ kfree(slot); + goto err; + } + + err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL, + "%s", slot_name); +- if (err) ++ if (err) { ++ kobject_put(&slot->kobj); + goto err; ++ } + + INIT_LIST_HEAD(&slot->list); + list_add(&slot->list, &parent->slots); +@@ -328,7 +331,6 @@ out: + mutex_unlock(&pci_slot_mutex); + return slot; + err: +- kfree(slot); + slot = ERR_PTR(err); + goto out; + } +-- +2.25.1 + diff --git a/queue-4.9/rtlwifi-rtl8192cu-prevent-leaking-urb.patch b/queue-4.9/rtlwifi-rtl8192cu-prevent-leaking-urb.patch new file mode 100644 index 00000000000..8f405ff46a6 --- /dev/null +++ b/queue-4.9/rtlwifi-rtl8192cu-prevent-leaking-urb.patch @@ -0,0 +1,40 @@ +From 2d39d7ae31a7659c297c71ddf06a48d169c7519d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jun 2020 15:21:12 +0200 +Subject: rtlwifi: rtl8192cu: Prevent leaking urb + +From: Reto Schneider + +[ Upstream commit 03128643eb5453a798db5770952c73dc64fcaf00 ] + +If usb_submit_urb fails the allocated urb should be unanchored and +released. + +Signed-off-by: Reto Schneider +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200622132113.14508-3-code@reto-schneider.ch +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 93b22a5b6878e..e524573aa8a09 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -752,8 +752,11 @@ static int _rtl_usb_receive(struct ieee80211_hw *hw) + + usb_anchor_urb(urb, &rtlusb->rx_submitted); + err = usb_submit_urb(urb, GFP_KERNEL); +- if (err) ++ if (err) { ++ usb_unanchor_urb(urb); ++ usb_free_urb(urb); + goto err_out; ++ } + usb_free_urb(urb); + } + return 0; +-- +2.25.1 + diff --git a/queue-4.9/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch b/queue-4.9/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch new file mode 100644 index 00000000000..85f4d9181d9 --- /dev/null +++ b/queue-4.9/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch @@ -0,0 +1,44 @@ +From 7cfa7ca3b879d0b5ec13dbdbdada9be8a479997a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 01:18:24 -0700 +Subject: scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() + +From: Javed Hasan + +[ Upstream commit e95b4789ff4380733006836d28e554dc296b2298 ] + +In fcoe_sysfs_fcf_del(), we first deleted the fcf from the list and then +freed it if ctlr_dev was not NULL. This was causing a memory leak. + +Free the fcf even if ctlr_dev is NULL. + +Link: https://lore.kernel.org/r/20200729081824.30996-3-jhasan@marvell.com +Reviewed-by: Girish Basrur +Reviewed-by: Santosh Vernekar +Reviewed-by: Saurav Kashyap +Reviewed-by: Shyam Sundar +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 3c2f34db937b6..f5f3a8113bc55 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -267,9 +267,9 @@ static void fcoe_sysfs_fcf_del(struct fcoe_fcf *new) + WARN_ON(!fcf_dev); + new->fcf_dev = NULL; + fcoe_fcf_device_delete(fcf_dev); +- kfree(new); + mutex_unlock(&cdev->lock); + } ++ kfree(new); + } + + /** +-- +2.25.1 + diff --git a/queue-4.9/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch b/queue-4.9/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch new file mode 100644 index 00000000000..b6d58336a29 --- /dev/null +++ b/queue-4.9/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch @@ -0,0 +1,37 @@ +From ee33e1bc3a30f1169ed92a882f812898628cc31d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 16:12:26 +0800 +Subject: scsi: iscsi: Do not put host in iscsi_set_flashnode_param() + +From: Jing Xiangfeng + +[ Upstream commit 68e12e5f61354eb42cfffbc20a693153fc39738e ] + +If scsi_host_lookup() fails we will jump to put_host which may cause a +panic. Jump to exit_set_fnode instead. + +Link: https://lore.kernel.org/r/20200615081226.183068-1-jingxiangfeng@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 42b97f1196232..c2bce3f6eaace 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3191,7 +3191,7 @@ static int iscsi_set_flashnode_param(struct iscsi_transport *transport, + pr_err("%s could not find host no %u\n", + __func__, ev->u.set_flashnode.host_no); + err = -ENODEV; +- goto put_host; ++ goto exit_set_fnode; + } + + idx = ev->u.set_flashnode.flashnode_idx; +-- +2.25.1 + diff --git a/queue-4.9/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch b/queue-4.9/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch new file mode 100644 index 00000000000..60bf31c708b --- /dev/null +++ b/queue-4.9/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch @@ -0,0 +1,86 @@ +From 7993df71c334f02e5e57cebddb8ffabed34647f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 14:49:54 -0700 +Subject: scsi: lpfc: Fix shost refcount mismatch when deleting vport + +From: Dick Kennedy + +[ Upstream commit 03dbfe0668e6692917ac278883e0586cd7f7d753 ] + +When vports are deleted, it is observed that there is memory/kthread +leakage as the vport isn't fully being released. + +There is a shost reference taken in scsi_add_host_dma that is not released +during scsi_remove_host. It was noticed that other drivers resolve this by +doing a scsi_host_put after calling scsi_remove_host. + +The vport_delete routine is taking two references one that corresponds to +an access to the scsi_host in the vport_delete routine and another that is +released after the adapter mailbox command completes that destroys the VPI +that corresponds to the vport. + +Remove one of the references taken such that the second reference that is +put will complete the missing scsi_add_host_dma reference and the shost +will be terminated. + +Link: https://lore.kernel.org/r/20200630215001.70793-8-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_vport.c | 26 ++++++++------------------ + 1 file changed, 8 insertions(+), 18 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index e18bbc66e83b1..77cb16d8dfd35 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -624,27 +624,16 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + vport->port_state < LPFC_VPORT_READY) + return -EAGAIN; + } ++ + /* +- * This is a bit of a mess. We want to ensure the shost doesn't get +- * torn down until we're done with the embedded lpfc_vport structure. +- * +- * Beyond holding a reference for this function, we also need a +- * reference for outstanding I/O requests we schedule during delete +- * processing. But once we scsi_remove_host() we can no longer obtain +- * a reference through scsi_host_get(). +- * +- * So we take two references here. We release one reference at the +- * bottom of the function -- after delinking the vport. And we +- * release the other at the completion of the unreg_vpi that get's +- * initiated after we've disposed of all other resources associated +- * with the port. ++ * Take early refcount for outstanding I/O requests we schedule during ++ * delete processing for unreg_vpi. Always keep this before ++ * scsi_remove_host() as we can no longer obtain a reference through ++ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL. + */ + if (!scsi_host_get(shost)) + return VPORT_INVAL; +- if (!scsi_host_get(shost)) { +- scsi_host_put(shost); +- return VPORT_INVAL; +- } ++ + lpfc_free_sysfs_attr(vport); + + lpfc_debugfs_terminate(vport); +@@ -792,8 +781,9 @@ skip_logo: + if (!(vport->vpi_state & LPFC_VPI_REGISTERED) || + lpfc_mbx_unreg_vpi(vport)) + scsi_host_put(shost); +- } else ++ } else { + scsi_host_put(shost); ++ } + + lpfc_free_vpi(phba, vport->vpi); + vport->work_port_events = 0; +-- +2.25.1 + diff --git a/queue-4.9/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch b/queue-4.9/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch new file mode 100644 index 00000000000..8f7effe7364 --- /dev/null +++ b/queue-4.9/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch @@ -0,0 +1,57 @@ +From 5aa8461d4aaee2eb7b525b5888bf1ac41e16af67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 11:37:56 +0200 +Subject: scsi: target: tcmu: Fix crash on ARM during cmd completion + +From: Bodo Stroesser + +[ Upstream commit 5a0c256d96f020e4771f6fd5524b80f89a2d3132 ] + +If tcmu_handle_completions() has to process a padding shorter than +sizeof(struct tcmu_cmd_entry), the current call to +tcmu_flush_dcache_range() with sizeof(struct tcmu_cmd_entry) as length +param is wrong and causes crashes on e.g. ARM, because +tcmu_flush_dcache_range() in this case calls +flush_dcache_page(vmalloc_to_page(start)); with start being an invalid +address above the end of the vmalloc'ed area. + +The fix is to use the minimum of remaining ring space and sizeof(struct +tcmu_cmd_entry) as the length param. + +The patch was tested on kernel 4.19.118. + +See https://bugzilla.kernel.org/show_bug.cgi?id=208045#c10 + +Link: https://lore.kernel.org/r/20200629093756.8947-1-bstroesser@ts.fujitsu.com +Tested-by: JiangYu +Acked-by: Mike Christie +Signed-off-by: Bodo Stroesser +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 1a83456a65a00..693fbb2858404 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -666,7 +666,14 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev) + struct tcmu_cmd_entry *entry = (void *) mb + CMDR_OFF + udev->cmdr_last_cleaned; + struct tcmu_cmd *cmd; + +- tcmu_flush_dcache_range(entry, sizeof(*entry)); ++ /* ++ * Flush max. up to end of cmd ring since current entry might ++ * be a padding that is shorter than sizeof(*entry) ++ */ ++ size_t ring_left = head_to_end(udev->cmdr_last_cleaned, ++ udev->cmdr_size); ++ tcmu_flush_dcache_range(entry, ring_left < sizeof(*entry) ? ++ ring_left : sizeof(*entry)); + + if (tcmu_hdr_get_op(entry->hdr.len_op) == TCMU_OP_PAD) { + UPDATE_HEAD(udev->cmdr_last_cleaned, +-- +2.25.1 + diff --git a/queue-4.9/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch b/queue-4.9/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch new file mode 100644 index 00000000000..6875a01c1f6 --- /dev/null +++ b/queue-4.9/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch @@ -0,0 +1,204 @@ +From c5781680080f646335b81797d454a7a75bff65b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 13:47:37 -0300 +Subject: selftests/powerpc: Purge extra count_pmc() calls of ebb selftests + +From: Desnes A. Nunes do Rosario + +[ Upstream commit 3337bf41e0dd70b4064cdf60acdfcdc2d050066c ] + +An extra count on ebb_state.stats.pmc_count[PMC_INDEX(pmc)] is being per- +formed when count_pmc() is used to reset PMCs on a few selftests. This +extra pmc_count can occasionally invalidate results, such as the ones from +cycles_test shown hereafter. The ebb_check_count() failed with an above +the upper limit error due to the extra value on ebb_state.stats.pmc_count. + +Furthermore, this extra count is also indicated by extra PMC1 trace_log on +the output of the cycle test (as well as on pmc56_overflow_test): + +========== + ... + [21]: counter = 8 + [22]: register SPRN_MMCR0 = 0x0000000080000080 + [23]: register SPRN_PMC1 = 0x0000000080000004 + [24]: counter = 9 + [25]: register SPRN_MMCR0 = 0x0000000080000080 + [26]: register SPRN_PMC1 = 0x0000000080000004 + [27]: counter = 10 + [28]: register SPRN_MMCR0 = 0x0000000080000080 + [29]: register SPRN_PMC1 = 0x0000000080000004 +>> [30]: register SPRN_PMC1 = 0x000000004000051e +PMC1 count (0x280000546) above upper limit 0x2800003e8 (+0x15e) +[FAIL] Test FAILED on line 52 +failure: cycles +========== + +Signed-off-by: Desnes A. Nunes do Rosario +Tested-by: Sachin Sant +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200626164737.21943-1-desnesn@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c | 2 -- + tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c | 2 -- + tools/testing/selftests/powerpc/pmu/ebb/ebb.c | 2 -- + .../selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/lost_exception_test.c | 1 - + .../testing/selftests/powerpc/pmu/ebb/multi_counter_test.c | 7 ------- + .../selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c | 2 -- + .../testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/pmc56_overflow_test.c | 2 -- + 11 files changed, 26 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +index 94110b1dcd3d8..031baa43646fb 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +@@ -91,8 +91,6 @@ int back_to_back_ebbs(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +index 7c57a8d79535d..361e0be9df9ae 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +@@ -42,8 +42,6 @@ int cycles(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +index ecf5ee3283a3e..fe7d0dc2a1a26 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +@@ -99,8 +99,6 @@ int cycles_with_freeze(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + printf("EBBs while frozen %d\n", ebbs_while_frozen); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +index c0faba520b35c..b9b30f974b5ea 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +@@ -71,8 +71,6 @@ int cycles_with_mmcr2(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +index 46681fec549b8..2694ae161a84a 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +@@ -396,8 +396,6 @@ int ebb_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +index a991d2ea8d0a1..174e4f4dae6c0 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +@@ -38,8 +38,6 @@ static int victim_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + FAIL_IF(ebb_state.stats.ebb_count == 0); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +index eb8acb78bc6c1..531083accfcad 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +@@ -75,7 +75,6 @@ static int test_body(void) + ebb_freeze_pmcs(); + ebb_global_disable(); + +- count_pmc(4, sample_period); + mtspr(SPRN_PMC4, 0xdead); + + dump_summary_ebb_state(); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +index 6ff8c8ff27d66..035c02273cd49 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +@@ -70,13 +70,6 @@ int multi_counter(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- count_pmc(2, sample_period); +- count_pmc(3, sample_period); +- count_pmc(4, sample_period); +- count_pmc(5, sample_period); +- count_pmc(6, sample_period); +- + dump_ebb_state(); + + for (i = 0; i < 6; i++) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +index 037cb6154f360..3e9d4ac965c85 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +@@ -61,8 +61,6 @@ static int cycles_child(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_summary_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +index c5fa64790c22e..d90891fe96a32 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +@@ -82,8 +82,6 @@ static int test_body(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + if (mmcr0_mismatch) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +index 30e1ac62e8cb4..8ca92b9ee5b01 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +@@ -76,8 +76,6 @@ int pmc56_overflow(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(2, sample_period); +- + dump_ebb_state(); + + printf("PMC5/6 overflow %d\n", pmc56_overflowed); +-- +2.25.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 2916aea7a75..1015a6171e1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -4,3 +4,29 @@ net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch ipvlan-fix-device-features.patch gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch +alsa-pci-delete-repeated-words-in-comments.patch +asoc-tegra-fix-reference-count-leaks.patch +arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch +media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch +scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch +iommu-iova-don-t-bug-on-invalid-pfns.patch +drm-amdkfd-fix-reference-count-leaks.patch +drm-radeon-fix-multiple-reference-count-leak.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch +drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch +drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch +scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch +selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch +omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch +pci-fix-pci_create_slot-reference-count-leak.patch +rtlwifi-rtl8192cu-prevent-leaking-urb.patch +mips-vdso-fix-resource-leaks-in-genvdso.c.patch +cec-api-prevent-leaking-memory-through-hole-in-struc.patch +drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch +drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch +locking-lockdep-fix-overflow-in-presentation-of-aver.patch +scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch +ceph-fix-potential-mdsc-use-after-free-crash.patch +scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch +edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch