From: Sasha Levin
Date: Sun, 15 Nov 2020 14:34:31 +0000 (-0500)
Subject: Fixes for 4.9
X-Git-Tag: v4.4.244~63^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a1845155ec03bed71e3c4fddb9f38d1a1bc6a32;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.9

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch b/queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch
new file mode 100644
index 00000000000..dbaf911c9be
--- /dev/null
+++ b/queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch
@@ -0,0 +1,38 @@
+From de86d65d1c962782541bbeb94ef9a430aeb1a4d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Oct 2020 15:02:15 +0800
+Subject: cfg80211: regulatory: Fix inconsistent format argument
+
+From: Ye Bin
+
+[ Upstream commit db18d20d1cb0fde16d518fb5ccd38679f174bc04 ]
+
+Fix follow warning:
+[net/wireless/reg.c:3619]: (warning) %d in format string (no. 2)
+requires 'int' but the argument type is 'unsigned int'.
+
+Reported-by: Hulk Robot
+Signed-off-by: Ye Bin
+Link: https://lore.kernel.org/r/20201009070215.63695-1-yebin10@huawei.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index a649763b854d5..04da31c52d092 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2759,7 +2759,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd)
+ power_rule = ®_rule->power_rule;
+
+ if (reg_rule->flags & NL80211_RRF_AUTO_BW)
+- snprintf(bw, sizeof(bw), "%d KHz, %d KHz AUTO",
++ snprintf(bw, sizeof(bw), "%d KHz, %u KHz AUTO",
+ freq_range->max_bandwidth_khz,
+ reg_get_max_bandwidth(rd, reg_rule));
+ else
+--
+2.27.0
+
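Review bot: The first conversion in this `snprintf()` format still uses `%d` for `freq_range->max_bandwidth_khz`, so if that field is unsigned (its declaration is not in the hunk) the mismatch this change fixes for argument 2 remains for argument 1. In that case the line would read `snprintf(bw, sizeof(bw), "%u KHz, %u KHz AUTO",`, and the `else` branch that begins on the hunk's last line should be checked for the same specifier. print_rd_rules() starts and ends outside the hunk.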
diff --git a/queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch b/queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
new file mode 100644
index 00000000000..0041b949e86
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
@@ -0,0 +1,63 @@
+From bc239e8077695983c71291b8f55c9725a379b3de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Oct 2020 15:29:59 +0800
+Subject: drm/amdgpu: perform srbm soft reset always on SDMA resume
+
+From: Evan Quan
+
+[ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ]
+
+This can address the random SDMA hang after pci config reset
+seen on Hawaii.
+
+Signed-off-by: Evan Quan
+Tested-by: Sandeep Raghuraman
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+index cb952acc71339..2934443fbd4dc 100644
+--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+@@ -1053,22 +1053,19 @@ static int cik_sdma_soft_reset(void *handle)
+ {
+ u32 srbm_soft_reset = 0;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+- u32 tmp = RREG32(mmSRBM_STATUS2);
++ u32 tmp;
+
+- if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) {
+- /* sdma0 */
+- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
+- tmp |= SDMA0_F32_CNTL__HALT_MASK;
+- WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
+- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
+- }
+- if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) {
+- /* sdma1 */
+- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
+- tmp |= SDMA0_F32_CNTL__HALT_MASK;
+- WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
+- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
+- }
++ /* sdma0 */
++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
++ tmp |= SDMA0_F32_CNTL__HALT_MASK;
++ WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
++
++ /* sdma1 */
++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
++ tmp |= SDMA0_F32_CNTL__HALT_MASK;
++ WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
+
+ if (srbm_soft_reset) {
+ tmp = RREG32(mmSRBM_SOFT_RESET);
+--
+2.27.0
+
diff --git a/queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch b/queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
new file mode 100644
index 00000000000..7c4146c0841
--- /dev/null
+++ b/queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
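Review bot: In the drm/amdgpu patch, the `if (srbm_soft_reset)` guard that follows the new code in cik_sdma_soft_reset() can no longer be false, because both reset masks are now OR-ed in unconditionally. Either drop the guard or assign the value directly, e.g. `srbm_soft_reset = SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK | SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;`, so a reader does not look for a path that skips the reset. A short comment stating that both engines are halted and reset regardless of the busy bits in SRBM_STATUS2 would record why the check was removed. The function body continues past the end of the hunk.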
@@ -0,0 +1,49 @@
+From cf58151164a280a301744c4e82ecf3220fefde88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Oct 2020 13:42:18 -0500
+Subject: gfs2: check for live vs. read-only file system in gfs2_fitrim
+
+From: Bob Peterson
+
+[ Upstream commit c5c68724696e7d2f8db58a5fce3673208d35c485 ]
+
+Before this patch, gfs2_fitrim was not properly checking for a "live" file
+system. If the file system had something to trim and the file system
+was read-only (or spectator) it would start the trim, but when it starts
+the transaction, gfs2_trans_begin returns -EROFS (read-only file system)
+and it errors out. However, if the file system was already trimmed so
+there's no work to do, it never called gfs2_trans_begin. That code is
+bypassed so it never returns the error. Instead, it returns a good
+return code with 0 work. All this makes for inconsistent behavior:
+The same fstrim command can return -EROFS in one case and 0 in another.
+This tripped up xfstests generic/537 which reports the error as:
+
+ +fstrim with unrecovered metadata just ate your filesystem
+
+This patch adds a check for a "live" (iow, active journal, iow, RW)
+file system, and if not, returns the error properly.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/rgrp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index 0958f76ada6a3..9621badb95995 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1371,6 +1371,9 @@ int gfs2_fitrim(struct file *filp, void __user *argp)
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
++ if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags))
++ return -EROFS;
++
+ if (!blk_queue_discard(q))
+ return -EOPNOTSUPP;
+
+--
+2.27.0
+
diff --git a/queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch b/queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
new file mode 100644
index 00000000000..68539eb2144
--- /dev/null
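Review bot: In the gfs2_fitrim patch, the new `SDF_JOURNAL_LIVE` test sits before `blk_queue_discard(q)`, so a read-only or spectator mount on a device without discard support now gets -EROFS where it previously got -EOPNOTSUPP. If that ordering is intended, a comment above the check such as `/* refuse on a non-live journal first so the result does not depend on whether there is anything to trim */` would keep it from being reordered later. `sdp` and `q` are set up outside the hunk, so their initialisation before this point is assumed rather than visible.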
+++ b/queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
@@ -0,0 +1,39 @@
+From f2575c0c8561c8a7ca799927599d7a1eba7fbecd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Oct 2020 10:10:01 -0500
+Subject: gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
+
+From: Bob Peterson
+
+[ Upstream commit d0f17d3883f1e3f085d38572c2ea8edbd5150172 ]
+
+Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling
+return_all_reservations, but return_all_reservations still dereferences
+rgd->rd_bits in __rs_deltree. Fix that by moving the call to kfree below the
+call to return_all_reservations.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index 0a80f66365492..0958f76ada6a3 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -730,9 +730,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
+ }
+
+ gfs2_free_clones(rgd);
++ return_all_reservations(rgd);
+ kfree(rgd->rd_bits);
+ rgd->rd_bits = NULL;
+- return_all_reservations(rgd);
+ kmem_cache_free(gfs2_rgrpd_cachep, rgd);
+ }
+ }
+--
+2.27.0
+
diff --git a/queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch b/queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch
new file mode 100644
index 00000000000..11c3311b645
--- /dev/null
+++ b/queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch
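Review bot: In the gfs2_clear_rgrpd patch, nothing at the call site records that `return_all_reservations(rgd)` must run before `kfree(rgd->rd_bits)`, which is the ordering this use-after-free fix depends on. A one-line comment above the call, e.g. `/* must precede kfree(rd_bits): __rs_deltree() still reads it */`, would protect the order against a later cleanup. The enclosing loop in gfs2_clear_rgrpd() starts outside the hunk.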
@@ -0,0 +1,53 @@
+From 5c3a651d7c5afb9178384a1ad6e0aee57fc7d75b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Oct 2020 02:50:02 +0000
+Subject: iommu/amd: Increase interrupt remapping table limit to 512 entries
+
+From: Suravee Suthikulpanit
+
+[ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ]
+
+Certain device drivers allocate IO queues on a per-cpu basis.
+On AMD EPYC platform, which can support up-to 256 cpu threads,
+this can exceed the current MAX_IRQ_PER_TABLE limit of 256,
+and result in the error message:
+
+ AMD-Vi: Failed to allocate IRTE
+
+This has been observed with certain NVME devices.
+
+AMD IOMMU hardware can actually support upto 512 interrupt
+remapping table entries. Therefore, update the driver to
+match the hardware limit.
+
+Please note that this also increases the size of interrupt remapping
+table to 8KB per device when using the 128-bit IRTE format.
+
+Signed-off-by: Suravee Suthikulpanit
+Link: https://lore.kernel.org/r/20201015025002.87997-1-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd_iommu_types.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index da3fbf82d1cf4..e19c05d9e84ba 100644
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -383,7 +383,11 @@ extern bool amd_iommu_np_cache;
+ /* Only true if all IOMMUs support device IOTLBs */
+ extern bool amd_iommu_iotlb_sup;
+
+-#define MAX_IRQS_PER_TABLE 256
++/*
++ * AMD IOMMU hardware only support 512 IRTEs despite
++ * the architectural limitation of 2048 entries.
++ */
++#define MAX_IRQS_PER_TABLE 512
+ #define IRQ_TABLE_ALIGNMENT 128
+
+ struct irq_remap_table {
+--
+2.27.0
+
diff --git a/queue-4.9/mac80211-always-wind-down-sta-state.patch b/queue-4.9/mac80211-always-wind-down-sta-state.patch
new file mode 100644
index 00000000000..8233bc7121c
--- /dev/null
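Review bot: Raising `MAX_IRQS_PER_TABLE` to 512 in the iommu/amd patch only changes the driver's own limit; the table length that the device table entry advertises to the IOMMU is defined elsewhere in this header (`DTE_IRQ_TABLE_LEN`, not part of the hunk) and has to describe 512 entries as well. If it still describes 256 entries, the allocator could hand out indices 256–511 that fall outside what the hardware treats as the table, so the backport should be checked against that definition and against whatever sizes the table allocation. The new comment would also read better as `AMD IOMMU hardware only supports 512 IRTEs despite`.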
+++ b/queue-4.9/mac80211-always-wind-down-sta-state.patch 
@@ -0,0 +1,64 @@
+From 6e9e508939e98e0864159eae78ff372104b75a62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Oct 2020 14:17:11 +0200
+Subject: mac80211: always wind down STA state
+
+From: Johannes Berg
+
+[ Upstream commit dcd479e10a0510522a5d88b29b8f79ea3467d501 ]
+
+When (for example) an IBSS station is pre-moved to AUTHORIZED
+before it's inserted, and then the insertion fails, we don't
+clean up the fast RX/TX states that might already have been
+created, since we don't go through all the state transitions
+again on the way down.
+
+Do that, if it hasn't been done already, when the station is
+freed. I considered only freeing the fast TX/RX state there,
+but we might add more state so it's more robust to wind down
+the state properly.
+
+Note that we warn if the station was ever inserted, it should
+have been properly cleaned up in that case, and the driver
+will probably not like things happening out of order.
+
+Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/sta_info.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index fef8d7758dae9..8a9bbcfefbca6 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -243,6 +243,24 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_sub_if_data *sdata,
+ */
+ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
+ {
++ /*
++ * If we had used sta_info_pre_move_state() then we might not
++ * have gone through the state transitions down again, so do
++ * it here now (and warn if it's inserted).
++ *
++ * This will clear state such as fast TX/RX that may have been
++ * allocated during state transitions.
++ */
++ while (sta->sta_state > IEEE80211_STA_NONE) {
++ int ret;
++
++ WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED));
++
++ ret = sta_info_move_state(sta, sta->sta_state - 1);
++ if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret))
++ break;
++ }
++
+ if (sta->rate_ctrl)
+ rate_control_free_sta(sta);
+
+--
+2.27.0
+
diff --git a/queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch b/queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch
new file mode 100644
index 00000000000..01899a73454
--- /dev/null
+++ b/queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch
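Review bot: When `sta_info_move_state()` fails in the new loop, the code breaks out and sta_info_free() goes on to free a station whose `sta_state` is still above `IEEE80211_STA_NONE`, so whatever the remaining transitions would have released is not released and the only trace is the one-shot warning. That may be the best available choice, but the comment block should say so, for instance with an added line ` * On failure we stop and free anyway; remaining per-state resources are not released.`. The `WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED))` check does not depend on anything the loop changes in the visible lines and could sit once before the `while`. The rest of sta_info_free() lies outside the hunk.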
@@ -0,0 +1,124 @@
+From 32857a28da5eff3b520b4ec2329e0af4e68f61fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Oct 2020 13:25:41 +0200
+Subject: mac80211: fix use of skb payload instead of header
+
+From: Johannes Berg
+
+[ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ]
+
+When ieee80211_skb_resize() is called from ieee80211_build_hdr()
+the skb has no 802.11 header yet, in fact it consist only of the
+payload as the ethernet frame is removed. As such, we're using
+the payload data for ieee80211_is_mgmt(), which is of course
+completely wrong. This didn't really hurt us because these are
+always data frames, so we could only have added more tailroom
+than we needed if we determined it was a management frame and
+sdata->crypto_tx_tailroom_needed_cnt was false.
+
+However, syzbot found that of course there need not be any payload,
+so we're using at best uninitialized memory for the check.
+
+Fix this to pass explicitly the kind of frame that we have instead
+of checking there, by replacing the "bool may_encrypt" argument
+with an argument that can carry the three possible states - it's
+not going to be encrypted, it's a management frame, or it's a data
+frame (and then we check sdata->crypto_tx_tailroom_needed_cnt).
+
+Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg
+Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/tx.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 6216279efc468..eebbddccb47b7 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1847,19 +1847,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+
+ /* device xmit handlers */
+
++enum ieee80211_encrypt {
++ ENCRYPT_NO,
++ ENCRYPT_MGMT,
++ ENCRYPT_DATA,
++};
++
+ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb,
+- int head_need, bool may_encrypt)
++ int head_need,
++ enum ieee80211_encrypt encrypt)
+ {
+ struct ieee80211_local *local = sdata->local;
+- struct ieee80211_hdr *hdr;
+ bool enc_tailroom;
+ int tail_need = 0;
+
+- hdr = (struct ieee80211_hdr *) skb->data;
+- enc_tailroom = may_encrypt &&
+- (sdata->crypto_tx_tailroom_needed_cnt ||
+- ieee80211_is_mgmt(hdr->frame_control));
++ enc_tailroom = encrypt == ENCRYPT_MGMT ||
++ (encrypt == ENCRYPT_DATA &&
++ sdata->crypto_tx_tailroom_needed_cnt);
+
+ if (enc_tailroom) {
+ tail_need = IEEE80211_ENCRYPT_TAILROOM;
+@@ -1892,21 +1897,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+ int headroom;
+- bool may_encrypt;
++ enum ieee80211_encrypt encrypt;
+
+- may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT);
++ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)
++ encrypt = ENCRYPT_NO;
++ else if (ieee80211_is_mgmt(hdr->frame_control))
++ encrypt = ENCRYPT_MGMT;
++ else
++ encrypt = ENCRYPT_DATA;
+
+ headroom = local->tx_headroom;
+- if (may_encrypt)
++ if (encrypt != ENCRYPT_NO)
+ headroom += sdata->encrypt_headroom;
+ headroom -= skb_headroom(skb);
+ headroom = max_t(int, 0, headroom);
+
+- if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
++ if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) {
+ ieee80211_free_txskb(&local->hw, skb);
+ return;
+ }
+
++ /* reload after potential resize */
+ hdr = (struct ieee80211_hdr *) skb->data;
+ info->control.vif = &sdata->vif;
+
+@@ -2688,7 +2699,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
+ head_need += sdata->encrypt_headroom;
+ head_need += local->tx_headroom;
+ head_need = max_t(int, 0, head_need);
+- if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
++ if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) {
+ ieee80211_free_txskb(&local->hw, skb);
+ skb = NULL;
+ return ERR_PTR(-ENOMEM);
+@@ -3313,7 +3324,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
+ if (unlikely(ieee80211_skb_resize(sdata, skb,
+ max_t(int, extra_head + hw_headroom -
+ skb_headroom(skb), 0),
+- false))) {
++ ENCRYPT_NO))) {
+ kfree_skb(skb);
+ return true;
+ }
+--
+2.27.0
+
diff --git a/queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch b/queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch
new file mode 100644
index 00000000000..ed52c8817a6
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch
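Review bot: In ieee80211_xmit() the new `ieee80211_is_mgmt(hdr->frame_control)` test reads the frame from `skb->data` with no length check visible in the hunk, which is the same kind of read this commit removes from ieee80211_skb_resize(). Callers presumably always hand ieee80211_xmit() an skb that already carries an 802.11 header; that precondition is worth stating at the read, e.g. `/* skb holds a full 802.11 header here, unlike in ieee80211_build_hdr() */`. `enum ieee80211_encrypt` would also benefit from a short comment per value saying which ones reserve tailroom. The bodies of all four functions extend beyond their hunks.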
@@ -0,0 +1,49 @@
+From 50be43790f13fcc83bca8a9f9e59f44fb1fd4af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Oct 2020 07:31:24 +0000
+Subject: scsi: hpsa: Fix memory leak in hpsa_init_one()
+
+From: Keita Suzuki
+
+[ Upstream commit af61bc1e33d2c0ec22612b46050f5b58ac56a962 ]
+
+When hpsa_scsi_add_host() fails, h->lastlogicals is leaked since it is
+missing a free() in the error handler.
+
+Fix this by adding free() when hpsa_scsi_add_host() fails.
+
+Link: https://lore.kernel.org/r/20201027073125.14229-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Tested-by: Don Brace
+Acked-by: Don Brace
+Signed-off-by: Keita Suzuki
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hpsa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index b82df8cdf9626..7f1d6d52d48bd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8937,7 +8937,7 @@ reinit_after_soft_reset:
+ /* hook into SCSI subsystem */
+ rc = hpsa_scsi_add_host(h);
+ if (rc)
+- goto clean7; /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
++ goto clean8; /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
+
+ /* Monitor the controller for firmware lockups */
+ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
+@@ -8949,6 +8949,8 @@ reinit_after_soft_reset:
+ h->heartbeat_sample_interval);
+ return 0;
+
++clean8: /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
++ kfree(h->lastlogicals);
+ clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
+ hpsa_free_performant_mode(h);
+ h->access.set_intr_mask(h, HPSA_INTR_OFF);
+--
+2.27.0
+
diff --git a/queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch b/queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
new file mode 100644
index 00000000000..df09b829cce
--- /dev/null
+++ b/queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
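Review bot: The new `clean8` path in the hpsa patch frees `h->lastlogicals` but leaves the pointer set, while the labels it falls through to keep operating on `h`. If a later teardown step, or a retry through `reinit_after_soft_reset`, frees it again (neither is visible in these hunks), that becomes a double free; adding `h->lastlogicals = NULL;` after the `kfree()` costs nothing and rules it out. hpsa_init_one() starts and ends outside both hunks.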
@@ -0,0 +1,73 @@
+From 8a3cc8c8ecab314f8bcff1e204b9c2f76b6fd938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 12:45:59 +0200
+Subject: scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
+
+From: Hannes Reinecke
+
+[ Upstream commit 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca ]
+
+alua_bus_detach() might be running concurrently with alua_rtpg_work(), so
+we might trip over h->sdev == NULL and call BUG_ON(). The correct way of
+handling it is to not set h->sdev to NULL in alua_bus_detach(), and call
+rcu_synchronize() before the final delete to ensure that all concurrent
+threads have left the critical section. Then we can get rid of the
+BUG_ON() and replace it with a simple if condition.
+
+Link: https://lore.kernel.org/r/1600167537-12509-1-git-send-email-jitendra.khasdev@oracle.com
+Link: https://lore.kernel.org/r/20200924104559.26753-1-hare@suse.de
+Cc: Brian Bunker
+Acked-by: Brian Bunker
+Tested-by: Jitendra Khasdev
+Reviewed-by: Jitendra Khasdev
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 60c288526355a..2bc3dc6244a5e 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -657,8 +657,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+ rcu_read_lock();
+ list_for_each_entry_rcu(h,
+ &tmp_pg->dh_list, node) {
+- /* h->sdev should always be valid */
+- BUG_ON(!h->sdev);
++ if (!h->sdev)
++ continue;
+ h->sdev->access_state = desc[0];
+ }
+ rcu_read_unlock();
+@@ -704,7 +704,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+ pg->expiry = 0;
+ rcu_read_lock();
+ list_for_each_entry_rcu(h, &pg->dh_list, node) {
+- BUG_ON(!h->sdev);
++ if (!h->sdev)
++ continue;
+ h->sdev->access_state =
+ (pg->state & SCSI_ACCESS_STATE_MASK);
+ if (pg->pref)
+@@ -1149,7 +1150,6 @@ static void alua_bus_detach(struct scsi_device *sdev)
+ spin_lock(&h->pg_lock);
+ pg = h->pg;
+ rcu_assign_pointer(h->pg, NULL);
+- h->sdev = NULL;
+ spin_unlock(&h->pg_lock);
+ if (pg) {
+ spin_lock_irq(&pg->lock);
+@@ -1158,6 +1158,7 @@ static void alua_bus_detach(struct scsi_device *sdev)
+ kref_put(&pg->kref, release_port_group);
+ }
+ sdev->handler_data = NULL;
++ synchronize_rcu();
+ kfree(h);
+ }
+
+--
+2.27.0
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 7e266d99647..e5560f95daa 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
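Review bot: The `synchronize_rcu()` added before `kfree(h)` in alua_bus_detach() only protects readers if `h` has already been unlinked from `pg->dh_list`; the unlink would be in the lines between the third and fourth hunks and is not shown. A comment at the call, e.g. `/* wait for alua_rtpg() walkers of dh_list before freeing h */`, would tie the two together. With `h->sdev = NULL` removed, the hunks show no remaining writer that clears `h->sdev`, so the two `if (!h->sdev) continue;` checks look purely defensive and could be commented as such.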
@@ -23,3 +23,13 @@ i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
 i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
 geneve-add-transport-ports-in-route-lookup-for-genev.patch
 ath9k_htc-use-appropriate-rs_datalen-type.patch
+usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
+gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
+gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
+scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch
+drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
+mac80211-fix-use-of-skb-payload-instead-of-header.patch
+mac80211-always-wind-down-sta-state.patch
+cfg80211-regulatory-fix-inconsistent-format-argument.patch
+scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
+iommu-amd-increase-interrupt-remapping-table-limit-t.patch
diff --git a/queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch b/queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
new file mode 100644
index 00000000000..120da5842d8
--- /dev/null
+++ b/queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
@@ -0,0 +1,51 @@
+From f4e76bc2d3b8c4b9be9706c95bbfec967610946a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Oct 2020 18:01:55 +0300
+Subject: usb: gadget: goku_udc: fix potential crashes in probe
+
+From: Evgeny Novikov
+
+[ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ]
+
+goku_probe() goes to error label "err" and invokes goku_remove()
+in case of failures of pci_enable_device(), pci_resource_start()
+and ioremap(). goku_remove() gets a device from
+pci_get_drvdata(pdev) and works with it without any checks, in
+particular it dereferences a corresponding pointer. But
+goku_probe() did not set this device yet. So, one can expect
+various crashes. The patch moves setting the device just after
+allocation of memory for it.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Reported-by: Pavel Andrianov
+Signed-off-by: Evgeny Novikov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/goku_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c
+index 5107987bd3538..d363224dce6f5 100644
+--- a/drivers/usb/gadget/udc/goku_udc.c
++++ b/drivers/usb/gadget/udc/goku_udc.c
+@@ -1772,6 +1772,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ goto err;
+ }
+
++ pci_set_drvdata(pdev, dev);
+ spin_lock_init(&dev->lock);
+ dev->pdev = pdev;
+ dev->gadget.ops = &goku_ops;
+@@ -1805,7 +1806,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ }
+ dev->regs = (struct goku_udc_regs __iomem *) base;
+
+- pci_set_drvdata(pdev, dev);
+ INFO(dev, "%s\n", driver_desc);
+ INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr());
+ INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base);
+--
+2.27.0
+
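Review bot: Moving `pci_set_drvdata(pdev, dev)` ahead of the rest of the setup means goku_remove() now runs on the `err` path with a `dev` that is only partly initialised, for example before `dev->regs` is assigned in the second hunk. goku_remove() is not shown, so it should be confirmed that each teardown step there is guarded by whether the matching setup step happened. A comment at the new call, e.g. `/* set early: the err path calls goku_remove(), which reads drvdata */`, would explain the placement. goku_probe() extends beyond both hunks.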