From: Sasha Levin Date: Sun, 27 Sep 2020 17:51:42 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.238~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=979c99ac756b22b32c0bbd4e95166a98ec71330a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/acpi-ec-reference-count-query-handlers-under-lock.patch b/queue-4.4/acpi-ec-reference-count-query-handlers-under-lock.patch new file mode 100644 index 00000000000..009cf2a27e4 --- /dev/null +++ b/queue-4.4/acpi-ec-reference-count-query-handlers-under-lock.patch @@ -0,0 +1,65 @@ +From 9bf1e4fbabda503cacaa9cc189c2ab7236e3506e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2019 11:04:21 +0100 +Subject: ACPI: EC: Reference count query handlers under lock + +From: Rafael J. Wysocki + +[ Upstream commit 3df663a147fe077a6ee8444ec626738946e65547 ] + +There is a race condition in acpi_ec_get_query_handler() +theoretically allowing query handlers to go away before refernce +counting them. + +In order to avoid it, call kref_get() on query handlers under +ec->mutex. + +Also simplify the code a bit while at it. + +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 43f20328f830e..3096c087b7328 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -943,29 +943,21 @@ void acpi_ec_unblock_transactions_early(void) + /* -------------------------------------------------------------------------- + Event Management + -------------------------------------------------------------------------- */ +-static struct acpi_ec_query_handler * +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler) +-{ +- if (handler) +- kref_get(&handler->kref); +- return handler; +-} +- + static struct acpi_ec_query_handler * + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value) + { + struct acpi_ec_query_handler *handler; +- bool found = false; + + mutex_lock(&ec->mutex); + list_for_each_entry(handler, &ec->list, node) { + if (value == handler->query_bit) { +- found = true; +- break; ++ kref_get(&handler->kref); ++ mutex_unlock(&ec->mutex); ++ return handler; + } + } + mutex_unlock(&ec->mutex); +- return found ? acpi_ec_get_query_handler(handler) : NULL; ++ return NULL; + } + + static void acpi_ec_query_handler_release(struct kref *kref) +-- +2.25.1 + diff --git a/queue-4.4/alsa-hda-fix-potential-race-in-unsol-event-handler.patch b/queue-4.4/alsa-hda-fix-potential-race-in-unsol-event-handler.patch new file mode 100644 index 00000000000..8487fb1d223 --- /dev/null +++ b/queue-4.4/alsa-hda-fix-potential-race-in-unsol-event-handler.patch @@ -0,0 +1,55 @@ +From a57e1f585738b9b896172252ae51571d4ebe0fe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2020 08:25:56 +0200 +Subject: ALSA: hda: Fix potential race in unsol event handler + +From: Takashi Iwai + +[ Upstream commit c637fa151259c0f74665fde7cba5b7eac1417ae5 ] + +The unsol event handling code has a loop retrieving the read/write +indices and the arrays without locking while the append to the array +may happen concurrently. This may lead to some inconsistency. +Although there hasn't been any proof of this bad results, it's still +safer to protect the racy accesses. + +This patch adds the spinlock protection around the unsol handling loop +for addressing it. Here we take bus->reg_lock as the writer side +snd_hdac_bus_queue_event() is also protected by that lock. + +Link: https://lore.kernel.org/r/20200516062556.30951-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/hdac_bus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c +index 0e81ea89a5965..e3f68a76d90eb 100644 +--- a/sound/hda/hdac_bus.c ++++ b/sound/hda/hdac_bus.c +@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work) + struct hdac_driver *drv; + unsigned int rp, caddr, res; + ++ spin_lock_irq(&bus->reg_lock); + while (bus->unsol_rp != bus->unsol_wp) { + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE; + bus->unsol_rp = rp; +@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work) + codec = bus->caddr_tbl[caddr & 0x0f]; + if (!codec || !codec->dev.driver) + continue; ++ spin_unlock_irq(&bus->reg_lock); + drv = drv_to_hdac_driver(codec->dev.driver); + if (drv->unsol_event) + drv->unsol_event(codec, res); ++ spin_lock_irq(&bus->reg_lock); + } ++ spin_unlock_irq(&bus->reg_lock); + } + + /** +-- +2.25.1 + diff --git a/queue-4.4/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch b/queue-4.4/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch new file mode 100644 index 00000000000..42ab2916ff9 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch @@ -0,0 +1,81 @@ +From e0f10a7694e13a2dfcaf83604e43a71b086e7475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 14:25:54 +0200 +Subject: ALSA: usb-audio: Fix case when USB MIDI interface has more than one + extra endpoint descriptor + +From: Andreas Steinmetz + +[ Upstream commit 5c6cd7021a05a02fcf37f360592d7c18d4d807fb ] + +The Miditech MIDIFACE 16x16 (USB ID 1290:1749) has more than one extra +endpoint descriptor. + +The first extra descriptor is: 0x06 0x30 0x00 0x00 0x00 0x00 + +As the code in snd_usbmidi_get_ms_info() looks only at the +first extra descriptor to find USB_DT_CS_ENDPOINT the device +as such is recognized but there is neither input nor output +configured. + +The patch iterates through the extra descriptors to find the +proper one. With this patch the device is correctly configured. + +Signed-off-by: Andreas Steinmetz +Link: https://lore.kernel.org/r/1c3b431a86f69e1d60745b6110cdb93c299f120b.camel@domdv.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/midi.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 5c4a3d6c42341..934540042bc2e 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1803,6 +1803,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi, + return 0; + } + ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor( ++ struct usb_host_endpoint *hostep) ++{ ++ unsigned char *extra = hostep->extra; ++ int extralen = hostep->extralen; ++ ++ while (extralen > 3) { ++ struct usb_ms_endpoint_descriptor *ms_ep = ++ (struct usb_ms_endpoint_descriptor *)extra; ++ ++ if (ms_ep->bLength > 3 && ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT && ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL) ++ return ms_ep; ++ if (!extra[0]) ++ break; ++ extralen -= extra[0]; ++ extra += extra[0]; ++ } ++ return NULL; ++} ++ + /* + * Returns MIDIStreaming device capabilities. + */ +@@ -1840,11 +1862,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, + ep = get_ep_desc(hostep); + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep)) + continue; +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra; +- if (hostep->extralen < 4 || +- ms_ep->bLength < 4 || +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT || +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL) ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep); ++ if (!ms_ep) + continue; + if (usb_endpoint_dir_out(ep)) { + if (endpoints[epidx].out_ep) { +-- +2.25.1 + diff --git a/queue-4.4/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch b/queue-4.4/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch new file mode 100644 index 00000000000..87afeacae7c --- /dev/null +++ b/queue-4.4/ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch @@ -0,0 +1,40 @@ +From acf93e76dcadd444f2425580aeaa3c5d932f2630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 14:11:25 +0300 +Subject: ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter + +From: Mert Dirik + +[ Upstream commit 5b362498a79631f283578b64bf6f4d15ed4cc19a ] + +Add the required USB ID for running SMCWUSBT-G2 wireless adapter (SMC +"EZ Connect g"). + +This device uses ar5523 chipset and requires firmware to be loaded. Even +though pid of the device is 4507, this patch adds it as 4506 so that +AR5523_DEVICE_UG macro can set the AR5523_FLAG_PRE_FIRMWARE flag for pid +4507. + +Signed-off-by: Mert Dirik +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 5bf22057459e6..bc6330b437958 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1774,6 +1774,8 @@ static struct usb_device_id ar5523_id_table[] = { + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */ + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */ + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */ ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect ++ SMCWUSBT-G2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */ + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */ +-- +2.25.1 + diff --git a/queue-4.4/asoc-kirkwood-fix-irq-error-handling.patch b/queue-4.4/asoc-kirkwood-fix-irq-error-handling.patch new file mode 100644 index 00000000000..e5393089568 --- /dev/null +++ b/queue-4.4/asoc-kirkwood-fix-irq-error-handling.patch @@ -0,0 +1,36 @@ +From 2667bfefdecce073e2d0b594cf15f9f8072066d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 16:46:59 +0100 +Subject: ASoC: kirkwood: fix IRQ error handling + +From: Russell King + +[ Upstream commit 175fc928198236037174e5c5c066fe3c4691903e ] + +Propagate the error code from request_irq(), rather than returning +-EBUSY. + +Signed-off-by: Russell King +Link: https://lore.kernel.org/r/E1iNIqh-0000tW-EZ@rmk-PC.armlinux.org.uk +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index dbfdfe99c69df..231c7d97333c7 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream) + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED, + "kirkwood-i2s", priv); + if (err) +- return -EBUSY; ++ return err; + + /* + * Enable Error interrupts. We're only ack'ing them but +-- +2.25.1 + diff --git a/queue-4.4/ata-sata_mv-avoid-trigerrable-bug_on.patch b/queue-4.4/ata-sata_mv-avoid-trigerrable-bug_on.patch new file mode 100644 index 00000000000..56addb94c4c --- /dev/null +++ b/queue-4.4/ata-sata_mv-avoid-trigerrable-bug_on.patch @@ -0,0 +1,57 @@ +From 4b308d858a1a34dae1e38948f2c0497161d9ddd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 10:59:46 +0100 +Subject: ata: sata_mv, avoid trigerrable BUG_ON + +From: Jiri Slaby + +[ Upstream commit e9f691d899188679746eeb96e6cb520459eda9b4 ] + +There are several reports that the BUG_ON on unsupported command in +mv_qc_prep can be triggered under some circumstances: +https://bugzilla.suse.com/show_bug.cgi?id=1110252 +https://serverfault.com/questions/888897/raid-problems-after-power-outage +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1652185 +https://bugs.centos.org/view.php?id=14998 + +Let sata_mv handle the failure gracefully: warn about that incl. the +failed command number and return an AC_ERR_INVALID error. We can do that +now thanks to the previous patch. + +Remove also the long-standing FIXME. + +[v2] use %.2x as commands are defined as hexa. + +Signed-off-by: Jiri Slaby +Cc: Jens Axboe +Cc: linux-ide@vger.kernel.org +Cc: Sergei Shtylyov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_mv.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c +index 729f26322095e..c24bbdb3f76c8 100644 +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -2113,12 +2113,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none + * of which are defined/used by Linux. If we get here, this + * driver needs work. +- * +- * FIXME: modify libata to give qc_prep a return value and +- * return error here. + */ +- BUG_ON(tf->command); +- break; ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__, ++ tf->command); ++ return AC_ERR_INVALID; + } + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0); + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0); +-- +2.25.1 + diff --git a/queue-4.4/atm-fix-a-memory-leak-of-vcc-user_back.patch b/queue-4.4/atm-fix-a-memory-leak-of-vcc-user_back.patch new file mode 100644 index 00000000000..807acb6f3be --- /dev/null +++ b/queue-4.4/atm-fix-a-memory-leak-of-vcc-user_back.patch @@ -0,0 +1,59 @@ +From bbd8974f0e8474e91942ca8c56bc5d91ad6112e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 11:11:09 -0700 +Subject: atm: fix a memory leak of vcc->user_back + +From: Cong Wang + +[ Upstream commit 8d9f73c0ad2f20e9fed5380de0a3097825859d03 ] + +In lec_arp_clear_vccs() only entry->vcc is freed, but vcc +could be installed on entry->recv_vcc too in lec_vcc_added(). + +This fixes the following memory leak: + +unreferenced object 0xffff8880d9266b90 (size 16): + comm "atm2", pid 425, jiffies 4294907980 (age 23.488s) + hex dump (first 16 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5 ............kkk. + backtrace: + [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151 + [<(____ptrval____)>] lane_ioctl+0x4b3/0x569 + [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236 + [<(____ptrval____)>] svc_ioctl+0x17d/0x198 + [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f + [<(____ptrval____)>] sock_ioctl+0x2f9/0x322 + [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b + [<(____ptrval____)>] ksys_ioctl+0x61/0x80 + [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19 + [<(____ptrval____)>] do_syscall_64+0x57/0x65 + [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +Cc: Gengming Liu +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/atm/lec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/atm/lec.c b/net/atm/lec.c +index e4afac94ff158..a38680e194436 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry) + entry->vcc = NULL; + } + if (entry->recv_vcc) { ++ struct atm_vcc *vcc = entry->recv_vcc; ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); ++ ++ kfree(vpriv); ++ vcc->user_back = NULL; ++ + entry->recv_vcc->push = entry->old_recv_push; + vcc_release_async(entry->recv_vcc, -EPIPE); + entry->recv_vcc = NULL; +-- +2.25.1 + diff --git a/queue-4.4/audit-config_change-don-t-log-internal-bookkeeping-a.patch b/queue-4.4/audit-config_change-don-t-log-internal-bookkeeping-a.patch new file mode 100644 index 00000000000..96fa888119a --- /dev/null +++ b/queue-4.4/audit-config_change-don-t-log-internal-bookkeeping-a.patch @@ -0,0 +1,49 @@ +From ba42c15015767887843d88bd8798b564b1ee7c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:29:16 -0500 +Subject: audit: CONFIG_CHANGE don't log internal bookkeeping as an event + +From: Steve Grubb + +[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] + +Common Criteria calls out for any action that modifies the audit trail to +be recorded. That usually is interpreted to mean insertion or removal of +rules. It is not required to log modification of the inode information +since the watch is still in effect. Additionally, if the rule is a never +rule and the underlying file is one they do not want events for, they +get an event for this bookkeeping update against their wishes. + +Since no device/inode info is logged at insertion and no device/inode +information is logged on update, there is nothing meaningful being +communicated to the admin by the CONFIG_CHANGE updated_rules event. One +can assume that the rule was not "modified" because it is still watching +the intended target. If the device or inode cannot be resolved, then +audit_panic is called which is sufficient. + +The correct resolution is to drop logging config_update events since +the watch is still in effect but just on another unknown inode. + +Signed-off-by: Steve Grubb +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit_watch.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c +index f45a9a5d3e47a..af453f3c2b3dd 100644 +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent, + if (oentry->rule.exe) + audit_remove_mark(oentry->rule.exe); + +- audit_watch_log_rule_change(r, owatch, "updated_rules"); +- + call_rcu(&oentry->rcu, audit_free_rule_rcu); + } + +-- +2.25.1 + diff --git a/queue-4.4/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch b/queue-4.4/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch new file mode 100644 index 00000000000..6ff5bbb230b --- /dev/null +++ b/queue-4.4/bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch @@ -0,0 +1,97 @@ +From 4ff7a025bec9fd630276d00df76b5b86e28b19c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:03:16 +0800 +Subject: bcache: fix a lost wake-up problem caused by mca_cannibalize_lock + +From: Guoju Fang + +[ Upstream commit 34cf78bf34d48dddddfeeadb44f9841d7864997a ] + +This patch fix a lost wake-up problem caused by the race between +mca_cannibalize_lock and bch_cannibalize_unlock. + +Consider two processes, A and B. Process A is executing +mca_cannibalize_lock, while process B takes c->btree_cache_alloc_lock +and is executing bch_cannibalize_unlock. The problem happens that after +process A executes cmpxchg and will execute prepare_to_wait. In this +timeslice process B executes wake_up, but after that process A executes +prepare_to_wait and set the state to TASK_INTERRUPTIBLE. Then process A +goes to sleep but no one will wake up it. This problem may cause bcache +device to dead. + +Signed-off-by: Guoju Fang +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/btree.c | 12 ++++++++---- + drivers/md/bcache/super.c | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 7fe7df56fa334..f0939fc1cfe55 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -547,6 +547,7 @@ struct cache_set { + */ + wait_queue_head_t btree_cache_wait; + struct task_struct *btree_cache_alloc_lock; ++ spinlock_t btree_cannibalize_lock; + + /* + * When we free a btree node, we increment the gen of the bucket the +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 122d975220945..bdf6071c1b184 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -841,15 +841,17 @@ out: + + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op) + { +- struct task_struct *old; +- +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current); +- if (old && old != current) { ++ spin_lock(&c->btree_cannibalize_lock); ++ if (likely(c->btree_cache_alloc_lock == NULL)) { ++ c->btree_cache_alloc_lock = current; ++ } else if (c->btree_cache_alloc_lock != current) { + if (op) + prepare_to_wait(&c->btree_cache_wait, &op->wait, + TASK_UNINTERRUPTIBLE); ++ spin_unlock(&c->btree_cannibalize_lock); + return -EINTR; + } ++ spin_unlock(&c->btree_cannibalize_lock); + + return 0; + } +@@ -884,10 +886,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, + */ + static void bch_cannibalize_unlock(struct cache_set *c) + { ++ spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { + c->btree_cache_alloc_lock = NULL; + wake_up(&c->btree_cache_wait); + } ++ spin_unlock(&c->btree_cannibalize_lock); + } + + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index f7f8fb079d2a9..d73f9ea776861 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1511,6 +1511,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + sema_init(&c->sb_write_mutex, 1); + mutex_init(&c->bucket_lock); + init_waitqueue_head(&c->btree_cache_wait); ++ spin_lock_init(&c->btree_cannibalize_lock); + init_waitqueue_head(&c->bucket_wait); + init_waitqueue_head(&c->gc_wait); + sema_init(&c->uuid_write_mutex, 1); +-- +2.25.1 + diff --git a/queue-4.4/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch b/queue-4.4/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch new file mode 100644 index 00000000000..68521f85594 --- /dev/null +++ b/queue-4.4/bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch @@ -0,0 +1,126 @@ +From dacd81709e035b0777ddd283a27e16b8ee01d099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2020 14:48:27 -0700 +Subject: bdev: Reduce time holding bd_mutex in sync in blkdev_close() + +From: Douglas Anderson + +[ Upstream commit b849dd84b6ccfe32622988b79b7b073861fcf9f7 ] + +While trying to "dd" to the block device for a USB stick, I +encountered a hung task warning (blocked for > 120 seconds). I +managed to come up with an easy way to reproduce this on my system +(where /dev/sdb is the block device for my USB stick) with: + + while true; do dd if=/dev/zero of=/dev/sdb bs=4M; done + +With my reproduction here are the relevant bits from the hung task +detector: + + INFO: task udevd:294 blocked for more than 122 seconds. + ... + udevd D 0 294 1 0x00400008 + Call trace: + ... + mutex_lock_nested+0x40/0x50 + __blkdev_get+0x7c/0x3d4 + blkdev_get+0x118/0x138 + blkdev_open+0x94/0xa8 + do_dentry_open+0x268/0x3a0 + vfs_open+0x34/0x40 + path_openat+0x39c/0xdf4 + do_filp_open+0x90/0x10c + do_sys_open+0x150/0x3c8 + ... + + ... + Showing all locks held in the system: + ... + 1 lock held by dd/2798: + #0: ffffff814ac1a3b8 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x50/0x204 + ... + dd D 0 2798 2764 0x00400208 + Call trace: + ... + schedule+0x8c/0xbc + io_schedule+0x1c/0x40 + wait_on_page_bit_common+0x238/0x338 + __lock_page+0x5c/0x68 + write_cache_pages+0x194/0x500 + generic_writepages+0x64/0xa4 + blkdev_writepages+0x24/0x30 + do_writepages+0x48/0xa8 + __filemap_fdatawrite_range+0xac/0xd8 + filemap_write_and_wait+0x30/0x84 + __blkdev_put+0x88/0x204 + blkdev_put+0xc4/0xe4 + blkdev_close+0x28/0x38 + __fput+0xe0/0x238 + ____fput+0x1c/0x28 + task_work_run+0xb0/0xe4 + do_notify_resume+0xfc0/0x14bc + work_pending+0x8/0x14 + +The problem appears related to the fact that my USB disk is terribly +slow and that I have a lot of RAM in my system to cache things. +Specifically my writes seem to be happening at ~15 MB/s and I've got +~4 GB of RAM in my system that can be used for buffering. To write 4 +GB of buffer to disk thus takes ~4000 MB / ~15 MB/s = ~267 seconds. + +The 267 second number is a problem because in __blkdev_put() we call +sync_blockdev() while holding the bd_mutex. Any other callers who +want the bd_mutex will be blocked for the whole time. + +The problem is made worse because I believe blkdev_put() specifically +tells other tasks (namely udev) to go try to access the device at right +around the same time we're going to hold the mutex for a long time. + +Putting some traces around this (after disabling the hung task detector), +I could confirm: + dd: 437.608600: __blkdev_put() right before sync_blockdev() for sdb + udevd: 437.623901: blkdev_open() right before blkdev_get() for sdb + dd: 661.468451: __blkdev_put() right after sync_blockdev() for sdb + udevd: 663.820426: blkdev_open() right after blkdev_get() for sdb + +A simple fix for this is to realize that sync_blockdev() works fine if +you're not holding the mutex. Also, it's not the end of the world if +you sync a little early (though it can have performance impacts). +Thus we can make a guess that we're going to need to do the sync and +then do it without holding the mutex. We still do one last sync with +the mutex but it should be much, much faster. + +With this, my hung task warnings for my test case are gone. + +Signed-off-by: Douglas Anderson +Reviewed-by: Guenter Roeck +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index b2ebfd96785b7..a71d442ef7d0e 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1515,6 +1515,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part) + struct gendisk *disk = bdev->bd_disk; + struct block_device *victim = NULL; + ++ /* ++ * Sync early if it looks like we're the last one. If someone else ++ * opens the block device between now and the decrement of bd_openers ++ * then we did a sync that we didn't need to, but that's not the end ++ * of the world and we want to avoid long (could be several minute) ++ * syncs while holding the mutex. ++ */ ++ if (bdev->bd_openers == 1) ++ sync_blockdev(bdev); ++ + mutex_lock_nested(&bdev->bd_mutex, for_part); + if (for_part) + bdev->bd_part_count--; +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-fix-refcount-use-after-free-issue.patch b/queue-4.4/bluetooth-fix-refcount-use-after-free-issue.patch new file mode 100644 index 00000000000..f1f96509651 --- /dev/null +++ b/queue-4.4/bluetooth-fix-refcount-use-after-free-issue.patch @@ -0,0 +1,203 @@ +From f71f9b785f73c0e3664880ceceb1a25f91387546 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 10:54:14 -0800 +Subject: Bluetooth: Fix refcount use-after-free issue + +From: Manish Mandlik + +[ Upstream commit 6c08fc896b60893c5d673764b0668015d76df462 ] + +There is no lock preventing both l2cap_sock_release() and +chan->ops->close() from running at the same time. + +If we consider Thread A running l2cap_chan_timeout() and Thread B running +l2cap_sock_release(), expected behavior is: + A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb() + A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill() + B::l2cap_sock_release()->sock_orphan() + B::l2cap_sock_release()->l2cap_sock_kill() + +where, +sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks +socket as SOCK_ZAPPED. + +In l2cap_sock_kill(), there is an "if-statement" that checks if both +sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL +and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is +satisfied. + +In the race condition, following occurs: + A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb() + B::l2cap_sock_release()->sock_orphan() + B::l2cap_sock_release()->l2cap_sock_kill() + A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill() + +In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and +A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug. + +Similar condition occurs at other places where teardown/sock_kill is +happening: + l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb() + l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill() + + l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb() + l2cap_sock_cleanup_listen()->l2cap_sock_kill() + +Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on +l2cap channel to ensure that the socket is killed only after marked as +zapped and orphan. + +Signed-off-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 26 +++++++++++++++----------- + net/bluetooth/l2cap_sock.c | 16 +++++++++++++--- + 2 files changed, 28 insertions(+), 14 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 0e31bbe1256cd..f6112f495a36c 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -403,6 +403,9 @@ static void l2cap_chan_timeout(struct work_struct *work) + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + mutex_lock(&conn->chan_lock); ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling ++ * this work. No need to call l2cap_chan_hold(chan) here again. ++ */ + l2cap_chan_lock(chan); + + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) +@@ -415,12 +418,12 @@ static void l2cap_chan_timeout(struct work_struct *work) + + l2cap_chan_close(chan, reason); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); +- mutex_unlock(&conn->chan_lock); + ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); ++ ++ mutex_unlock(&conn->chan_lock); + } + + struct l2cap_chan *l2cap_chan_create(void) +@@ -1714,9 +1717,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) + + l2cap_chan_del(chan, err); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + } + +@@ -4316,6 +4319,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + rsp.dcid = cpu_to_le16(chan->scid); +@@ -4324,12 +4328,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + + chan->ops->set_shutdown(chan); + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, ECONNRESET); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +@@ -4361,20 +4364,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + if (chan->state != BT_DISCONN) { + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + mutex_unlock(&conn->chan_lock); + return 0; + } + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index d9bbbded49ef8..cb024c25530a3 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1038,7 +1038,7 @@ done: + } + + /* Kill socket (only if zapped and orphan) +- * Must be called on unlocked socket. ++ * Must be called on unlocked socket, with l2cap channel lock. + */ + static void l2cap_sock_kill(struct sock *sk) + { +@@ -1199,8 +1199,15 @@ static int l2cap_sock_release(struct socket *sock) + + err = l2cap_sock_shutdown(sock, 2); + ++ l2cap_chan_hold(l2cap_pi(sk)->chan); ++ l2cap_chan_lock(l2cap_pi(sk)->chan); ++ + sock_orphan(sk); + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(l2cap_pi(sk)->chan); ++ l2cap_chan_put(l2cap_pi(sk)->chan); ++ + return err; + } + +@@ -1218,12 +1225,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent) + BT_DBG("child chan %p state %s", chan, + state_to_string(chan->state)); + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); ++ + __clear_chan_timer(chan); + l2cap_chan_close(chan, ECONNRESET); +- l2cap_chan_unlock(chan); +- + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + } + +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-guard-against-controllers-sending-zero-d-e.patch b/queue-4.4/bluetooth-guard-against-controllers-sending-zero-d-e.patch new file mode 100644 index 00000000000..9e12b3c27d4 --- /dev/null +++ b/queue-4.4/bluetooth-guard-against-controllers-sending-zero-d-e.patch @@ -0,0 +1,47 @@ +From b2cabe0d3f60625d14cc71d22791142e1168ec63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 15:55:34 +0000 +Subject: Bluetooth: guard against controllers sending zero'd events + +From: Alain Michaud + +[ Upstream commit 08bb4da90150e2a225f35e0f642cdc463958d696 ] + +Some controllers have been observed to send zero'd events under some +conditions. This change guards against this condition as well as adding +a trace to facilitate diagnosability of this condition. + +Signed-off-by: Alain Michaud +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 16cf5633eae3e..04c77747a768d 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5230,6 +5230,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + u8 status = 0, event = hdr->evt, req_evt = 0; + u16 opcode = HCI_OP_NOP; + ++ if (!event) { ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); ++ goto done; ++ } ++ + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; + opcode = __le16_to_cpu(cmd_hdr->opcode); +@@ -5441,6 +5446,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + req_complete_skb(hdev, status, opcode, orig_skb); + } + ++done: + kfree_skb(orig_skb); + kfree_skb(skb); + hdev->stat.evt_rx++; +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch b/queue-4.4/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch new file mode 100644 index 00000000000..d62975dc34d --- /dev/null +++ b/queue-4.4/bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch @@ -0,0 +1,77 @@ +From 585860719644d13d54eb2d898158250011d2476c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 12:55:03 -0700 +Subject: Bluetooth: Handle Inquiry Cancel error after Inquiry Complete + +From: Sonny Sasaka + +[ Upstream commit adf1d6926444029396861413aba8a0f2a805742a ] + +After sending Inquiry Cancel command to the controller, it is possible +that Inquiry Complete event comes before Inquiry Cancel command complete +event. In this case the Inquiry Cancel command will have status of +Command Disallowed since there is no Inquiry session to be cancelled. +This case should not be treated as error, otherwise we can reach an +inconsistent state. + +Example of a btmon trace when this happened: + +< HCI Command: Inquiry Cancel (0x01|0x0002) plen 0 +> HCI Event: Inquiry Complete (0x01) plen 1 + Status: Success (0x00) +> HCI Event: Command Complete (0x0e) plen 4 + Inquiry Cancel (0x01|0x0002) ncmd 1 + Status: Command Disallowed (0x0c) + +Signed-off-by: Sonny Sasaka +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 04c77747a768d..03319ab8a7c6e 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -41,12 +41,27 @@ + + /* Handle HCI Event packets */ + +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, ++ u8 *new_status) + { + __u8 status = *((__u8 *) skb->data); + + BT_DBG("%s status 0x%2.2x", hdev->name, status); + ++ /* It is possible that we receive Inquiry Complete event right ++ * before we receive Inquiry Cancel Command Complete event, in ++ * which case the latter event should have status of Command ++ * Disallowed (0x0c). This should not be treated as error, since ++ * we actually achieve what Inquiry Cancel wants to achieve, ++ * which is to end the last Inquiry session. ++ */ ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); ++ status = 0x00; ++ } ++ ++ *new_status = status; ++ + if (status) + return; + +@@ -2758,7 +2773,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, + + switch (*opcode) { + case HCI_OP_INQUIRY_CANCEL: +- hci_cc_inquiry_cancel(hdev, skb); ++ hci_cc_inquiry_cancel(hdev, skb, status); + break; + + case HCI_OP_PERIODIC_INQ: +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch b/queue-4.4/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch new file mode 100644 index 00000000000..5e57b50dce7 --- /dev/null +++ b/queue-4.4/bluetooth-l2cap-handle-l2cap-config-request-during-o.patch @@ -0,0 +1,175 @@ +From 2dc573e16d2725b2dbb84366ccabdaccc5560ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 12:35:27 +0800 +Subject: Bluetooth: L2CAP: handle l2cap config request during open state + +From: Howard Chung + +[ Upstream commit 96298f640104e4cd9a913a6e50b0b981829b94ff ] + +According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5, +the incoming L2CAP_ConfigReq should be handled during +OPEN state. + +The section below shows the btmon trace when running +L2CAP/COS/CFD/BV-12-C before and after this change. + +=== Before === +... +> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22 + L2CAP: Connection Request (0x02) ident 2 len 4 + PSM: 1 (0x0001) + Source CID: 65 +< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23 + L2CAP: Connection Response (0x03) ident 2 len 8 + Destination CID: 64 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24 + L2CAP: Configure Request (0x04) ident 2 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #25 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #26 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27 + L2CAP: Configure Request (0x04) ident 3 len 8 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 .. +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +> HCI Event: Number of Completed Packets (0x13) plen 5 #29 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30 + L2CAP: Configure Response (0x05) ident 2 len 6 + Source CID: 64 + Flags: 0x0000 + Result: Success (0x0000) +> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31 + L2CAP: Configure Request (0x04) ident 3 len 12 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 91 02 11 11 ...... +< ACL Data TX: Handle 256 flags 0x00 dlen 14 #32 + L2CAP: Command Reject (0x01) ident 3 len 6 + Reason: Invalid CID in request (0x0002) + Destination CID: 64 + Source CID: 65 +> HCI Event: Number of Completed Packets (0x13) plen 5 #33 + Num handles: 1 + Handle: 256 + Count: 1 +... +=== After === +... +> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22 + L2CAP: Connection Request (0x02) ident 2 len 4 + PSM: 1 (0x0001) + Source CID: 65 +< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23 + L2CAP: Connection Response (0x03) ident 2 len 8 + Destination CID: 64 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24 + L2CAP: Configure Request (0x04) ident 2 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #25 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #26 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27 + L2CAP: Configure Request (0x04) ident 3 len 8 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 .. +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +> HCI Event: Number of Completed Packets (0x13) plen 5 #29 + Num handles: 1 + Handle: 256 + Count: 1 +> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30 + L2CAP: Configure Response (0x05) ident 2 len 6 + Source CID: 64 + Flags: 0x0000 + Result: Success (0x0000) +> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31 + L2CAP: Configure Request (0x04) ident 3 len 12 + Destination CID: 64 + Flags: 0x0000 + Option: Unknown (0x10) [hint] + 01 00 91 02 11 11 ..... +< ACL Data TX: Handle 256 flags 0x00 dlen 18 #32 + L2CAP: Configure Response (0x05) ident 3 len 10 + Source CID: 65 + Flags: 0x0000 + Result: Success (0x0000) + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 672 +< ACL Data TX: Handle 256 flags 0x00 dlen 12 #33 + L2CAP: Configure Request (0x04) ident 3 len 4 + Destination CID: 65 + Flags: 0x0000 +> HCI Event: Number of Completed Packets (0x13) plen 5 #34 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #35 + Num handles: 1 + Handle: 256 + Count: 1 +... + +Signed-off-by: Howard Chung +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index f6112f495a36c..f2db50da8ce2e 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4096,7 +4096,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + return 0; + } + +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) { ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && ++ chan->state != BT_CONNECTED) { + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, + chan->dcid); + goto unlock; +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-prefetch-channel-before-killing-sock.patch b/queue-4.4/bluetooth-prefetch-channel-before-killing-sock.patch new file mode 100644 index 00000000000..cf39fea7582 --- /dev/null +++ b/queue-4.4/bluetooth-prefetch-channel-before-killing-sock.patch @@ -0,0 +1,60 @@ +From c6c547ed908a9f5b8a294f7ba0742992bc241777 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2020 10:31:59 +0800 +Subject: Bluetooth: prefetch channel before killing sock + +From: Hillf Danton + +[ Upstream commit 2a154903cec20fb64ff4d7d617ca53c16f8fd53a ] + +Prefetch channel before killing sock in order to fix UAF like + + BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212 + Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751 + +Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com +Fixes: 6c08fc896b60 ("Bluetooth: Fix refcount use-after-free issue") +Cc: Manish Mandlik +Signed-off-by: Hillf Danton +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index cb024c25530a3..e562385d9440e 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1189,6 +1189,7 @@ static int l2cap_sock_release(struct socket *sock) + { + struct sock *sk = sock->sk; + int err; ++ struct l2cap_chan *chan; + + BT_DBG("sock %p, sk %p", sock, sk); + +@@ -1198,15 +1199,16 @@ static int l2cap_sock_release(struct socket *sock) + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, 2); ++ chan = l2cap_pi(sk)->chan; + +- l2cap_chan_hold(l2cap_pi(sk)->chan); +- l2cap_chan_lock(l2cap_pi(sk)->chan); ++ l2cap_chan_hold(chan); ++ l2cap_chan_lock(chan); + + sock_orphan(sk); + l2cap_sock_kill(sk); + +- l2cap_chan_unlock(l2cap_pi(sk)->chan); +- l2cap_chan_put(l2cap_pi(sk)->chan); ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return err; + } +-- +2.25.1 + diff --git a/queue-4.4/ceph-fix-potential-race-in-ceph_check_caps.patch b/queue-4.4/ceph-fix-potential-race-in-ceph_check_caps.patch new file mode 100644 index 00000000000..01a9e22753e --- /dev/null +++ b/queue-4.4/ceph-fix-potential-race-in-ceph_check_caps.patch @@ -0,0 +1,55 @@ +From 79f57e48e19e27d50d80ea008715af153b5ba4f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2020 16:45:45 -0400 +Subject: ceph: fix potential race in ceph_check_caps + +From: Jeff Layton + +[ Upstream commit dc3da0461cc4b76f2d0c5b12247fcb3b520edbbf ] + +Nothing ensures that session will still be valid by the time we +dereference the pointer. Take and put a reference. + +In principle, we should always be able to get a reference here, but +throw a warning if that's ever not the case. + +Signed-off-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 3d0497421e62b..49e693232916f 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1777,12 +1777,24 @@ ack: + if (mutex_trylock(&session->s_mutex) == 0) { + dout("inverting session/ino locks on %p\n", + session); ++ session = ceph_get_mds_session(session); + spin_unlock(&ci->i_ceph_lock); + if (took_snap_rwsem) { + up_read(&mdsc->snap_rwsem); + took_snap_rwsem = 0; + } +- mutex_lock(&session->s_mutex); ++ if (session) { ++ mutex_lock(&session->s_mutex); ++ ceph_put_mds_session(session); ++ } else { ++ /* ++ * Because we take the reference while ++ * holding the i_ceph_lock, it should ++ * never be NULL. Throw a warning if it ++ * ever is. ++ */ ++ WARN_ON_ONCE(true); ++ } + goto retry; + } + } +-- +2.25.1 + diff --git a/queue-4.4/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch b/queue-4.4/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch new file mode 100644 index 00000000000..b3ea5d58341 --- /dev/null +++ b/queue-4.4/dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch @@ -0,0 +1,39 @@ +From 6ebd24e3b1651360c37508ec02be061e92377c57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2020 19:33:41 +0300 +Subject: dmaengine: tegra-apb: Prevent race conditions on channel's freeing + +From: Dmitry Osipenko + +[ Upstream commit 8e84172e372bdca20c305d92d51d33640d2da431 ] + +It's incorrect to check the channel's "busy" state without taking a lock. +That shouldn't cause any real troubles, nevertheless it's always better +not to have any race conditions in the code. + +Signed-off-by: Dmitry Osipenko +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/20200209163356.6439-5-digetx@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra20-apb-dma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index b5cf5d36de2b4..68c460a2b16ea 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -1207,8 +1207,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc) + + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id); + +- if (tdc->busy) +- tegra_dma_terminate_all(dc); ++ tegra_dma_terminate_all(dc); + + spin_lock_irqsave(&tdc->lock, flags); + list_splice_init(&tdc->pending_sg_req, &sg_req_list); +-- +2.25.1 + diff --git a/queue-4.4/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch b/queue-4.4/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch new file mode 100644 index 00000000000..5b06e2867e3 --- /dev/null +++ b/queue-4.4/drivers-char-tlclk.c-avoid-data-race-between-init-an.patch @@ -0,0 +1,78 @@ +From dd85cf605fe974b8f7faa0a97deb64a1b05b246e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 21:04:51 +0530 +Subject: drivers: char: tlclk.c: Avoid data race between init and interrupt + handler + +From: Madhuparna Bhowmik + +[ Upstream commit 44b8fb6eaa7c3fb770bf1e37619cdb3902cca1fc ] + +After registering character device the file operation callbacks can be +called. The open callback registers interrupt handler. +Therefore interrupt handler can execute in parallel with rest of the init +function. To avoid such data race initialize telclk_interrupt variable +and struct alarm_events before registering character device. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200417153451.1551-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/tlclk.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c +index 100cd1de9939d..59e1e94d12c01 100644 +--- a/drivers/char/tlclk.c ++++ b/drivers/char/tlclk.c +@@ -777,17 +777,21 @@ static int __init tlclk_init(void) + { + int ret; + ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); ++ ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); ++ if (!alarm_events) { ++ ret = -ENOMEM; ++ goto out1; ++ } ++ + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops); + if (ret < 0) { + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); ++ kfree(alarm_events); + return ret; + } + tlclk_major = ret; +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); +- if (!alarm_events) { +- ret = -ENOMEM; +- goto out1; +- } + + /* Read telecom clock IRQ number (Set by BIOS) */ + if (!request_region(TLCLK_BASE, 8, "telco_clock")) { +@@ -796,7 +800,6 @@ static int __init tlclk_init(void) + ret = -EBUSY; + goto out2; + } +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); + + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */ + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n", +@@ -837,8 +840,8 @@ out3: + release_region(TLCLK_BASE, 8); + out2: + kfree(alarm_events); +-out1: + unregister_chrdev(tlclk_major, "telco_clock"); ++out1: + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.4/drm-amdgpu-increase-atombios-cmd-timeout.patch b/queue-4.4/drm-amdgpu-increase-atombios-cmd-timeout.patch new file mode 100644 index 00000000000..b15e1f704b1 --- /dev/null +++ b/queue-4.4/drm-amdgpu-increase-atombios-cmd-timeout.patch @@ -0,0 +1,37 @@ +From 43e13eb6be4a545d336b7005a00af3581523c312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2020 17:48:56 +0800 +Subject: drm/amdgpu: increase atombios cmd timeout + +From: John Clements + +[ Upstream commit 1b3460a8b19688ad3033b75237d40fa580a5a953 ] + +mitigates race condition on BACO reset between GPU bootcode and driver reload + +Reviewed-by: Hawking Zhang +Signed-off-by: John Clements +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/atom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index 1b50e6c13fb3f..5fbf99d600587 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -748,8 +748,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg) + cjiffies = jiffies; + if (time_after(cjiffies, ctx->last_jump_jiffies)) { + cjiffies -= ctx->last_jump_jiffies; +- if ((jiffies_to_msecs(cjiffies) > 5000)) { +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n"); ++ if ((jiffies_to_msecs(cjiffies) > 10000)) { ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n"); + ctx->abort = true; + } + } else { +-- +2.25.1 + diff --git a/queue-4.4/drm-omap-fix-possible-object-reference-leak.patch b/queue-4.4/drm-omap-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..72f6dc192b8 --- /dev/null +++ b/queue-4.4/drm-omap-fix-possible-object-reference-leak.patch @@ -0,0 +1,60 @@ +From 73108685b8432374b9f9be4990befb5fdad5427a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2019 10:58:32 +0800 +Subject: drm/omap: fix possible object reference leak + +From: Wen Yang + +[ Upstream commit 47340e46f34a3b1d80e40b43ae3d7a8da34a3541 ] + +The call to of_find_matching_node returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:212:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function. +drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:237:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Reviewed-by: Laurent Pinchart +Reviewed-by: Mukesh Ojha +Cc: Tomi Valkeinen +Cc: David Airlie +Cc: Daniel Vetter +Cc: Sebastian Reichel +Cc: Laurent Pinchart +Cc: dri-devel@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org +Cc: Markus Elfring +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/1554692313-28882-2-git-send-email-wen.yang99@zte.com.cn +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap2/dss/omapdss-boot-init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c b/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c +index 8b6f6d5fdd68b..43186fa8a13c9 100644 +--- a/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c ++++ b/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c +@@ -194,7 +194,7 @@ static int __init omapdss_boot_init(void) + dss = of_find_matching_node(NULL, omapdss_of_match); + + if (dss == NULL || !of_device_is_available(dss)) +- return 0; ++ goto put_node; + + omapdss_walk_device(dss, true); + +@@ -221,6 +221,8 @@ static int __init omapdss_boot_init(void) + kfree(n); + } + ++put_node: ++ of_node_put(dss); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/dt-bindings-sound-wm8994-correct-required-supplies-b.patch b/queue-4.4/dt-bindings-sound-wm8994-correct-required-supplies-b.patch new file mode 100644 index 00000000000..c693fc504c3 --- /dev/null +++ b/queue-4.4/dt-bindings-sound-wm8994-correct-required-supplies-b.patch @@ -0,0 +1,65 @@ +From 72593680591584db34c94561e65f95398a07c831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 15:35:34 +0200 +Subject: dt-bindings: sound: wm8994: Correct required supplies based on actual + implementaion + +From: Krzysztof Kozlowski + +[ Upstream commit 8c149b7d75e53be47648742f40fc90d9fc6fa63a ] + +The required supplies in bindings were actually not matching +implementation making the bindings incorrect and misleading. The Linux +kernel driver requires all supplies to be present. Also for wlf,wm8994 +uses just DBVDD-supply instead of DBVDDn-supply (n: <1,3>). + +Reported-by: Jonathan Bakker +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200501133534.6706-1-krzk@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/sound/wm8994.txt | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt +index e045e90a0924b..0f03b8228d080 100644 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt +@@ -14,9 +14,15 @@ Required properties: + - #gpio-cells : Must be 2. The first cell is the pin number and the + second cell is used to specify optional parameters (currently unused). + +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply, +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered +- in Documentation/devicetree/bindings/regulator/regulator.txt ++ - power supplies for the device, as covered in ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending ++ on compatible: ++ - for wlf,wm1811 and wlf,wm8958: ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply ++ - for wlf,wm8994: ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply, ++ SPKVDD1-supply, SPKVDD2-supply + + Optional properties: + +@@ -68,11 +74,11 @@ codec: wm8994@1a { + + lineout1-se; + ++ AVDD1-supply = <®ulator>; + AVDD2-supply = <®ulator>; + CPVDD-supply = <®ulator>; +- DBVDD1-supply = <®ulator>; +- DBVDD2-supply = <®ulator>; +- DBVDD3-supply = <®ulator>; ++ DBVDD-supply = <®ulator>; ++ DCVDD-supply = <®ulator>; + SPKVDD1-supply = <®ulator>; + SPKVDD2-supply = <®ulator>; + }; +-- +2.25.1 + diff --git a/queue-4.4/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch b/queue-4.4/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch new file mode 100644 index 00000000000..e65addbedc5 --- /dev/null +++ b/queue-4.4/e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch @@ -0,0 +1,69 @@ +From 9d592ef0b59cfdd14cdcb1b3b700e6f6494a583c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 09:35:31 -0700 +Subject: e1000: Do not perform reset in reset_task if we are already down + +From: Alexander Duyck + +[ Upstream commit 49ee3c2ab5234757bfb56a0b3a3cb422f427e3a3 ] + +We are seeing a deadlock in e1000 down when NAPI is being disabled. Looking +over the kernel function trace of the system it appears that the interface +is being closed and then a reset is hitting which deadlocks the interface +as the NAPI interface is already disabled. + +To prevent this from happening I am disabling the reset task when +__E1000_DOWN is already set. In addition code has been added so that we set +the __E1000_DOWN while holding the __E1000_RESET flag in e1000_close in +order to guarantee that the reset task will not run after we have started +the close call. + +Signed-off-by: Alexander Duyck +Tested-by: Maxim Zhukov +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index f958188207fd6..e57aca6239f8e 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -568,8 +568,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter) + WARN_ON(in_interrupt()); + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags)) + msleep(1); +- e1000_down(adapter); +- e1000_up(adapter); ++ ++ /* only run the task if not already down */ ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) { ++ e1000_down(adapter); ++ e1000_up(adapter); ++ } ++ + clear_bit(__E1000_RESETTING, &adapter->flags); + } + +@@ -1456,10 +1461,15 @@ static int e1000_close(struct net_device *netdev) + struct e1000_hw *hw = &adapter->hw; + int count = E1000_CHECK_RESET_COUNT; + +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--) ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--) + usleep_range(10000, 20000); + +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags)); ++ WARN_ON(count < 0); ++ ++ /* signal that we're down so that the reset task will no longer run */ ++ set_bit(__E1000_DOWN, &adapter->flags); ++ clear_bit(__E1000_RESETTING, &adapter->flags); ++ + e1000_down(adapter); + e1000_power_down_phy(adapter); + e1000_free_irq(adapter); +-- +2.25.1 + diff --git a/queue-4.4/ext4-make-dioread_nolock-the-default.patch b/queue-4.4/ext4-make-dioread_nolock-the-default.patch new file mode 100644 index 00000000000..0c3bb2efca1 --- /dev/null +++ b/queue-4.4/ext4-make-dioread_nolock-the-default.patch @@ -0,0 +1,54 @@ +From f1abc231226fc15da88d47a87a2dfbf6d7a486f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 12:23:17 -0500 +Subject: ext4: make dioread_nolock the default + +From: Theodore Ts'o + +[ Upstream commit 244adf6426ee31a83f397b700d964cff12a247d3 ] + +This fixes the direct I/O versus writeback race which can reveal stale +data, and it improves the tail latency of commits on slow devices. + +Link: https://lore.kernel.org/r/20200125022254.1101588-1-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index aca086a25b2ef..5a623ea954882 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1251,6 +1251,7 @@ static const match_table_t tokens = { + {Opt_auto_da_alloc, "auto_da_alloc"}, + {Opt_noauto_da_alloc, "noauto_da_alloc"}, + {Opt_dioread_nolock, "dioread_nolock"}, ++ {Opt_dioread_lock, "nodioread_nolock"}, + {Opt_dioread_lock, "dioread_lock"}, + {Opt_discard, "discard"}, + {Opt_nodiscard, "nodiscard"}, +@@ -3380,6 +3381,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + set_opt(sb, NO_UID32); + /* xattr user namespace & acls are now defaulted on */ + set_opt(sb, XATTR_USER); ++ set_opt(sb, DIOREAD_NOLOCK); + #ifdef CONFIG_EXT4_FS_POSIX_ACL + set_opt(sb, POSIX_ACL); + #endif +@@ -3448,9 +3450,8 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount; + + if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) { +- printk_once(KERN_WARNING "EXT4-fs: Warning: mounting " +- "with data=journal disables delayed " +- "allocation and O_DIRECT support!\n"); ++ printk_once(KERN_WARNING "EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, and O_DIRECT support!\n"); ++ clear_opt(sb, DIOREAD_NOLOCK); + if (test_opt2(sb, EXPLICIT_DELALLOC)) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "both data=journal and delalloc"); +-- +2.25.1 + diff --git a/queue-4.4/fuse-don-t-check-refcount-after-stealing-page.patch b/queue-4.4/fuse-don-t-check-refcount-after-stealing-page.patch new file mode 100644 index 00000000000..d2c9ee7e137 --- /dev/null +++ b/queue-4.4/fuse-don-t-check-refcount-after-stealing-page.patch @@ -0,0 +1,35 @@ +From 118aeaefe1b94bc4101ae6406e64dee851799651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 14:50:37 +0200 +Subject: fuse: don't check refcount after stealing page + +From: Miklos Szeredi + +[ Upstream commit 32f98877c57bee6bc27f443a96f49678a2cd6a50 ] + +page_count() is unstable. Unless there has been an RCU grace period +between when the page was removed from the page cache and now, a +speculative reference may exist from the page cache. + +Reported-by: Matthew Wilcox +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 8142f6bf3d310..fc265f4b839ae 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -850,7 +850,6 @@ static int fuse_check_page(struct page *page) + { + if (page_mapcount(page) || + page->mapping != NULL || +- page_count(page) != 1 || + (page->flags & PAGE_FLAGS_CHECK_AT_PREP & + ~(1 << PG_locked | + 1 << PG_referenced | +-- +2.25.1 + diff --git a/queue-4.4/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch b/queue-4.4/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch new file mode 100644 index 00000000000..b8e9fe7b787 --- /dev/null +++ b/queue-4.4/gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch @@ -0,0 +1,37 @@ +From 2ddca328d6f3ad174cc0f8e4b6b47a3c062871fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 23:29:53 -0500 +Subject: gma/gma500: fix a memory disclosure bug due to uninitialized bytes + +From: Kangjie Lu + +[ Upstream commit 57a25a5f754ce27da2cfa6f413cfd366f878db76 ] + +`best_clock` is an object that may be sent out. Object `clock` +contains uninitialized bytes that are copied to `best_clock`, +which leads to memory disclosure and information leak. + +Signed-off-by: Kangjie Lu +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191018042953.31099-1-kjlu@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c +index 7d47b3d5cc0d0..54d554d720004 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c +@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit, + struct gma_crtc *gma_crtc = to_gma_crtc(crtc); + struct gma_clock_t clock; + ++ memset(&clock, 0, sizeof(clock)); ++ + switch (refclk) { + case 27000: + if (target < 200000) { +-- +2.25.1 + diff --git a/queue-4.4/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch b/queue-4.4/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch new file mode 100644 index 00000000000..c319895e4fa --- /dev/null +++ b/queue-4.4/kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch @@ -0,0 +1,48 @@ +From cd90cd023aad8f482bbdf17791229698f5959493 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 16:50:53 -0800 +Subject: kernel/sys.c: avoid copying possible padding bytes in copy_to_user + +From: Joe Perches + +[ Upstream commit 5e1aada08cd19ea652b2d32a250501d09b02ff2e ] + +Initialization is not guaranteed to zero padding bytes so use an +explicit memset instead to avoid leaking any kernel content in any +possible padding bytes. + +Link: http://lkml.kernel.org/r/dfa331c00881d61c8ee51577a082d8bebd61805c.camel@perches.com +Signed-off-by: Joe Perches +Cc: Dan Carpenter +Cc: Julia Lawall +Cc: Thomas Gleixner +Cc: Kees Cook +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 1855f1bf113e4..e98664039cb23 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1183,11 +1183,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- struct oldold_utsname tmp = {}; ++ struct oldold_utsname tmp; + + if (!name) + return -EFAULT; + ++ memset(&tmp, 0, sizeof(tmp)); ++ + down_read(&uts_sem); + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); +-- +2.25.1 + diff --git a/queue-4.4/kvm-remove-create_irqchip-set_pit2-race.patch b/queue-4.4/kvm-remove-create_irqchip-set_pit2-race.patch new file mode 100644 index 00000000000..1e89bbecd39 --- /dev/null +++ b/queue-4.4/kvm-remove-create_irqchip-set_pit2-race.patch @@ -0,0 +1,64 @@ +From 89af94b6ae85b33c27ec064dc24c1fbc1ee6007f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 12:11:52 -0700 +Subject: KVM: Remove CREATE_IRQCHIP/SET_PIT2 race + +From: Steve Rutherford + +[ Upstream commit 7289fdb5dcdbc5155b5531529c44105868a762f2 ] + +Fixes a NULL pointer dereference, caused by the PIT firing an interrupt +before the interrupt table has been initialized. + +SET_PIT2 can race with the creation of the IRQchip. In particular, +if SET_PIT2 is called with a low PIT timer period (after the creation of +the IOAPIC, but before the instantiation of the irq routes), the PIT can +fire an interrupt at an uninitialized table. + +Signed-off-by: Steve Rutherford +Signed-off-by: Jon Cargille +Reviewed-by: Jim Mattson +Message-Id: <20200416191152.259434-1-jcargill@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 61fc92f92e0a0..ef920da075184 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4013,10 +4013,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps, argp, sizeof u.ps)) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit_out; + r = kvm_vm_ioctl_set_pit(kvm, &u.ps); ++set_pit_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_GET_PIT2: { +@@ -4036,10 +4039,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2))) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit2_out; + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2); ++set_pit2_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_REINJECT_CONTROL: { +-- +2.25.1 + diff --git a/queue-4.4/m68k-q40-fix-info-leak-in-rtc_ioctl.patch b/queue-4.4/m68k-q40-fix-info-leak-in-rtc_ioctl.patch new file mode 100644 index 00000000000..cd723f3d01f --- /dev/null +++ b/queue-4.4/m68k-q40-fix-info-leak-in-rtc_ioctl.patch @@ -0,0 +1,40 @@ +From c57364e6edd536b565457d7c72663bdad6f388b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 20:15:44 +0800 +Subject: m68k: q40: Fix info-leak in rtc_ioctl + +From: Fuqian Huang + +[ Upstream commit 7cf78b6b12fd5550545e4b73b35dca18bd46b44c ] + +When the option is RTC_PLL_GET, pll will be copied to userland +via copy_to_user. pll is initialized using mach_get_rtc_pll indirect +call and mach_get_rtc_pll is only assigned with function +q40_get_rtc_pll in arch/m68k/q40/config.c. +In function q40_get_rtc_pll, the field pll_ctrl is not initialized. +This will leak uninitialized stack content to userland. +Fix this by zeroing the uninitialized field. + +Signed-off-by: Fuqian Huang +Link: https://lore.kernel.org/r/20190927121544.7650-1-huangfq.daxian@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/q40/config.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c +index e90fe903613ea..4e5f04d333188 100644 +--- a/arch/m68k/q40/config.c ++++ b/arch/m68k/q40/config.c +@@ -303,6 +303,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll) + { + int tmp = Q40_RTC_CTRL; + ++ pll->pll_ctrl = 0; + pll->pll_value = tmp & Q40_RTC_PLL_MASK; + if (tmp & Q40_RTC_PLL_SIGN) + pll->pll_value = -pll->pll_value; +-- +2.25.1 + diff --git a/queue-4.4/media-go7007-fix-urb-type-for-interrupt-handling.patch b/queue-4.4/media-go7007-fix-urb-type-for-interrupt-handling.patch new file mode 100644 index 00000000000..0329b6c3abd --- /dev/null +++ b/queue-4.4/media-go7007-fix-urb-type-for-interrupt-handling.patch @@ -0,0 +1,58 @@ +From 9555cdf62bf7c7a07b385328e650231b0719e8e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2020 16:45:27 +0100 +Subject: media: go7007: Fix URB type for interrupt handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e ] + +Josef reported that his old-and-good Plextor ConvertX M402U video +converter spews lots of WARNINGs on the recent kernels, and it turned +out that the device uses a bulk endpoint for interrupt handling just +like 2250 board. + +For fixing it, generalize the check with the proper verification of +the endpoint instead of hard-coded board type check. + +Fixes: 7e5219d18e93 ("[media] go7007: Fix 2250 urb type") +Reported-and-tested-by: Josef Möllers +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427 + +Signed-off-by: Takashi Iwai +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index 4857c467e76cd..4490786936a02 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf, + struct go7007_usb *usb; + const struct go7007_usb_board *board; + struct usb_device *usbdev = interface_to_usbdev(intf); ++ struct usb_host_endpoint *ep; + unsigned num_i2c_devs; + char *name; + int video_pipe, i, v_urb_len; +@@ -1147,7 +1148,8 @@ static int go7007_usb_probe(struct usb_interface *intf, + if (usb->intr_urb->transfer_buffer == NULL) + goto allocfail; + +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250) ++ ep = usb->usbdev->ep_in[4]; ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, + usb_rcvbulkpipe(usb->usbdev, 4), + usb->intr_urb->transfer_buffer, 2*sizeof(u16), +-- +2.25.1 + diff --git a/queue-4.4/media-tda10071-fix-unsigned-sign-extension-overflow.patch b/queue-4.4/media-tda10071-fix-unsigned-sign-extension-overflow.patch new file mode 100644 index 00000000000..6c5ac8fd412 --- /dev/null +++ b/queue-4.4/media-tda10071-fix-unsigned-sign-extension-overflow.patch @@ -0,0 +1,52 @@ +From f2fbb2ff74218352905b7d1a8328fe6990e73847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2020 15:26:46 +0100 +Subject: media: tda10071: fix unsigned sign extension overflow + +From: Colin Ian King + +[ Upstream commit a7463e2dc698075132de9905b89f495df888bb79 ] + +The shifting of buf[3] by 24 bits to the left will be promoted to +a 32 bit signed int and then sign-extended to an unsigned long. In +the unlikely event that the the top bit of buf[3] is set then all +then all the upper bits end up as also being set because of +the sign-extension and this affect the ev->post_bit_error sum. +Fix this by using the temporary u32 variable bit_error to avoid +the sign-extension promotion. This also removes the need to do the +computation twice. + +Addresses-Coverity: ("Unintended sign extension") + +Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tda10071.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c +index 119d47596ac81..b81887c4f72a9 100644 +--- a/drivers/media/dvb-frontends/tda10071.c ++++ b/drivers/media/dvb-frontends/tda10071.c +@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status) + goto error; + + if (dev->delivery_system == SYS_DVBS) { +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 | ++ buf[2] << 8 | buf[3] << 0; ++ ++ dev->dvbv3_ber = bit_error; ++ dev->post_bit_error += bit_error; + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER; + c->post_bit_error.stat[0].uvalue = dev->post_bit_error; + dev->block_error += buf[4] << 8 | buf[5] << 0; +-- +2.25.1 + diff --git a/queue-4.4/mfd-mfd-core-protect-against-null-call-back-function.patch b/queue-4.4/mfd-mfd-core-protect-against-null-call-back-function.patch new file mode 100644 index 00000000000..b188f2edb0b --- /dev/null +++ b/queue-4.4/mfd-mfd-core-protect-against-null-call-back-function.patch @@ -0,0 +1,52 @@ +From 95f73d3fdee6611bd75d2a7cf45785c67baf9ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 10:16:34 +0100 +Subject: mfd: mfd-core: Protect against NULL call-back function pointer + +From: Lee Jones + +[ Upstream commit b195e101580db390f50b0d587b7f66f241d2bc88 ] + +If a child device calls mfd_cell_{en,dis}able() without an appropriate +call-back being set, we are likely to encounter a panic. Avoid this +by adding suitable checking. + +Signed-off-by: Lee Jones +Reviewed-by: Daniel Thompson +Reviewed-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 215bb5eeb5acf..c57e375fad6ed 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -31,6 +31,11 @@ int mfd_cell_enable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->enable) { ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n"); ++ return 0; ++ } ++ + /* only call enable hook if the cell wasn't previously enabled */ + if (atomic_inc_return(cell->usage_count) == 1) + err = cell->enable(pdev); +@@ -48,6 +53,11 @@ int mfd_cell_disable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->disable) { ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n"); ++ return 0; ++ } ++ + /* only disable if no other clients are using it */ + if (atomic_dec_return(cell->usage_count) == 0) + err = cell->disable(pdev); +-- +2.25.1 + diff --git a/queue-4.4/mm-filemap.c-clear-page-error-before-actual-read.patch b/queue-4.4/mm-filemap.c-clear-page-error-before-actual-read.patch new file mode 100644 index 00000000000..9fe7a117411 --- /dev/null +++ b/queue-4.4/mm-filemap.c-clear-page-error-before-actual-read.patch @@ -0,0 +1,147 @@ +From 299f4dcb13914eba29aa19afe80ce1e168bf90b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 21:04:47 -0700 +Subject: mm/filemap.c: clear page error before actual read + +From: Xianting Tian + +[ Upstream commit faffdfa04fa11ccf048cebdde73db41ede0679e0 ] + +Mount failure issue happens under the scenario: Application forked dozens +of threads to mount the same number of cramfs images separately in docker, +but several mounts failed with high probability. Mount failed due to the +checking result of the page(read from the superblock of loop dev) is not +uptodate after wait_on_page_locked(page) returned in function cramfs_read: + + wait_on_page_locked(page); + if (!PageUptodate(page)) { + ... + } + +The reason of the checking result of the page not uptodate: systemd-udevd +read the loopX dev before mount, because the status of loopX is Lo_unbound +at this time, so loop_make_request directly trigger the calling of io_end +handler end_buffer_async_read, which called SetPageError(page). So It +caused the page can't be set to uptodate in function +end_buffer_async_read: + + if(page_uptodate && !PageError(page)) { + SetPageUptodate(page); + } + +Then mount operation is performed, it used the same page which is just +accessed by systemd-udevd above, Because this page is not uptodate, it +will launch a actual read via submit_bh, then wait on this page by calling +wait_on_page_locked(page). When the I/O of the page done, io_end handler +end_buffer_async_read is called, because no one cleared the page +error(during the whole read path of mount), which is caused by +systemd-udevd reading, so this page is still in "PageError" status, which +can't be set to uptodate in function end_buffer_async_read, then caused +mount failure. + +But sometimes mount succeed even through systemd-udeved read loopX dev +just before, The reason is systemd-udevd launched other loopX read just +between step 3.1 and 3.2, the steps as below: + +1, loopX dev default status is Lo_unbound; +2, systemd-udved read loopX dev (page is set to PageError); +3, mount operation + 1) set loopX status to Lo_bound; + ==>systemd-udevd read loopX dev<== + 2) read loopX dev(page has no error) + 3) mount succeed + +As the loopX dev status is set to Lo_bound after step 3.1, so the other +loopX dev read by systemd-udevd will go through the whole I/O stack, part +of the call trace as below: + + SYS_read + vfs_read + do_sync_read + blkdev_aio_read + generic_file_aio_read + do_generic_file_read: + ClearPageError(page); + mapping->a_ops->readpage(filp, page); + +here, mapping->a_ops->readpage() is blkdev_readpage. In latest kernel, +some function name changed, the call trace as below: + + blkdev_read_iter + generic_file_read_iter + generic_file_buffered_read: + /* + * A previous I/O error may have been due to temporary + * failures, eg. mutipath errors. + * Pg_error will be set again if readpage fails. + */ + ClearPageError(page); + /* Start the actual read. The read will unlock the page*/ + error=mapping->a_ops->readpage(flip, page); + +We can see ClearPageError(page) is called before the actual read, +then the read in step 3.2 succeed. + +This patch is to add the calling of ClearPageError just before the actual +read of read path of cramfs mount. Without the patch, the call trace as +below when performing cramfs mount: + + do_mount + cramfs_read + cramfs_blkdev_read + read_cache_page + do_read_cache_page: + filler(data, page); + or + mapping->a_ops->readpage(data, page); + +With the patch, the call trace as below when performing mount: + + do_mount + cramfs_read + cramfs_blkdev_read + read_cache_page: + do_read_cache_page: + ClearPageError(page); <== new add + filler(data, page); + or + mapping->a_ops->readpage(data, page); + +With the patch, mount operation trigger the calling of +ClearPageError(page) before the actual read, the page has no error if no +additional page error happen when I/O done. + +Signed-off-by: Xianting Tian +Signed-off-by: Andrew Morton +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Jan Kara +Cc: +Link: http://lkml.kernel.org/r/1583318844-22971-1-git-send-email-xianting_tian@126.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/filemap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/mm/filemap.c b/mm/filemap.c +index f217120973ebe..3d0a0e409cbf5 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2313,6 +2313,14 @@ filler: + unlock_page(page); + goto out; + } ++ ++ /* ++ * A previous I/O error may have been due to temporary ++ * failures. ++ * Clear page error before actual read, PG_error will be ++ * set again if read page fails. ++ */ ++ ClearPageError(page); + goto filler; + + out: +-- +2.25.1 + diff --git a/queue-4.4/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch b/queue-4.4/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch new file mode 100644 index 00000000000..2e985853ddd --- /dev/null +++ b/queue-4.4/mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch @@ -0,0 +1,62 @@ +From efaec2b7d1cc8d52dd3ba9b01b311fd5f04269e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 14:32:48 -0700 +Subject: mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area + +From: Jaewon Kim + +[ Upstream commit 09ef5283fd96ac424ef0e569626f359bf9ab86c9 ] + +On passing requirement to vm_unmapped_area, arch_get_unmapped_area and +arch_get_unmapped_area_topdown did not set align_offset. Internally on +both unmapped_area and unmapped_area_topdown, if info->align_mask is 0, +then info->align_offset was meaningless. + +But commit df529cabb7a2 ("mm: mmap: add trace point of +vm_unmapped_area") always prints info->align_offset even though it is +uninitialized. + +Fix this uninitialized value issue by setting it to 0 explicitly. + +Before: + vm_unmapped_area: addr=0x755b155000 err=0 total_vm=0x15aaf0 flags=0x1 len=0x109000 lo=0x8000 hi=0x75eed48000 mask=0x0 ofs=0x4022 + +After: + vm_unmapped_area: addr=0x74a4ca1000 err=0 total_vm=0x168ab1 flags=0x1 len=0x9000 lo=0x8000 hi=0x753d94b000 mask=0x0 ofs=0x0 + +Signed-off-by: Jaewon Kim +Signed-off-by: Andrew Morton +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox (Oracle) +Cc: Michel Lespinasse +Cc: Borislav Petkov +Link: http://lkml.kernel.org/r/20200409094035.19457-1-jaewon31.kim@samsung.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 135cccce41f88..d48a654cbd237 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1993,6 +1993,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.low_limit = mm->mmap_base; + info.high_limit = TASK_SIZE; + info.align_mask = 0; ++ info.align_offset = 0; + return vm_unmapped_area(&info); + } + #endif +@@ -2034,6 +2035,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = mm->mmap_base; + info.align_mask = 0; ++ info.align_offset = 0; + addr = vm_unmapped_area(&info); + + /* +-- +2.25.1 + diff --git a/queue-4.4/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch b/queue-4.4/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch new file mode 100644 index 00000000000..f62eba49a07 --- /dev/null +++ b/queue-4.4/mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch @@ -0,0 +1,73 @@ +From 0d0c5e27cd2378f14bad866495e89b134c79a48b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2020 17:35:58 -0800 +Subject: mm: pagewalk: fix termination condition in walk_pte_range() + +From: Steven Price + +[ Upstream commit c02a98753e0a36ba65a05818626fa6adeb4e7c97 ] + +If walk_pte_range() is called with a 'end' argument that is beyond the +last page of memory (e.g. ~0UL) then the comparison between 'addr' and +'end' will always fail and the loop will be infinite. Instead change the +comparison to >= while accounting for overflow. + +Link: http://lkml.kernel.org/r/20191218162402.45610-15-steven.price@arm.com +Signed-off-by: Steven Price +Cc: Albert Ou +Cc: Alexandre Ghiti +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arnd Bergmann +Cc: Benjamin Herrenschmidt +Cc: Borislav Petkov +Cc: Catalin Marinas +Cc: Christian Borntraeger +Cc: Dave Hansen +Cc: David S. Miller +Cc: Heiko Carstens +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: James Hogan +Cc: James Morse +Cc: Jerome Glisse +Cc: "Liang, Kan" +Cc: Mark Rutland +Cc: Michael Ellerman +Cc: Paul Burton +Cc: Paul Mackerras +Cc: Paul Walmsley +Cc: Peter Zijlstra +Cc: Ralf Baechle +Cc: Russell King +Cc: Thomas Gleixner +Cc: Vasily Gorbik +Cc: Vineet Gupta +Cc: Will Deacon +Cc: Zong Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/pagewalk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mm/pagewalk.c b/mm/pagewalk.c +index c2cbd26201696..a024667a9c041 100644 +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -14,9 +14,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk); + if (err) + break; +- addr += PAGE_SIZE; +- if (addr == end) ++ if (addr >= end - PAGE_SIZE) + break; ++ addr += PAGE_SIZE; + pte++; + } + +-- +2.25.1 + diff --git a/queue-4.4/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch b/queue-4.4/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch new file mode 100644 index 00000000000..e7b5e1b8073 --- /dev/null +++ b/queue-4.4/mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch @@ -0,0 +1,37 @@ +From 18376914943a18a9f3c643a16b946603b39e0b0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 10:36:37 +0800 +Subject: mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of + cfi_amdstd_setup() + +From: Hou Tao + +[ Upstream commit 03976af89e3bd9489d542582a325892e6a8cacc0 ] + +Else there may be a double-free problem, because cfi->cfiq will +be freed by mtd_do_chip_probe() if both the two invocations of +check_cmd_set() return failure. + +Signed-off-by: Hou Tao +Reviewed-by: Richard Weinberger +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Sasha Levin +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 972935f1b2f7e..3a3da0eeef1fb 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -724,7 +724,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd) + kfree(mtd->eraseregions); + kfree(mtd); + kfree(cfi->cmdset_priv); +- kfree(cfi->cfiq); + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.4/mtd-parser-cmdline-support-mtd-names-containing-one-.patch b/queue-4.4/mtd-parser-cmdline-support-mtd-names-containing-one-.patch new file mode 100644 index 00000000000..a9db670862e --- /dev/null +++ b/queue-4.4/mtd-parser-cmdline-support-mtd-names-containing-one-.patch @@ -0,0 +1,63 @@ +From 240775152835286d4b04fc3183b9e0b37c4c8564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 09:53:47 -0700 +Subject: mtd: parser: cmdline: Support MTD names containing one or more colons + +From: Boris Brezillon + +[ Upstream commit eb13fa0227417e84aecc3bd9c029d376e33474d3 ] + +Looks like some drivers define MTD names with a colon in it, thus +making mtdpart= parsing impossible. Let's fix the parser to gracefully +handle that case: the last ':' in a partition definition sequence is +considered instead of the first one. + +Signed-off-by: Boris Brezillon +Signed-off-by: Ron Minnich +Tested-by: Ron Minnich +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/cmdlinepart.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c +index 08f62987cc37c..ffbc9b304beb2 100644 +--- a/drivers/mtd/cmdlinepart.c ++++ b/drivers/mtd/cmdlinepart.c +@@ -228,12 +228,29 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id; ++ char *p, *mtd_id, *semicol; ++ ++ /* ++ * Replace the first ';' by a NULL char so strrchr can work ++ * properly. ++ */ ++ semicol = strchr(s, ';'); ++ if (semicol) ++ *semicol = '\0'; + + mtd_id = s; + +- /* fetch */ +- p = strchr(s, ':'); ++ /* ++ * fetch . We use strrchr to ignore all ':' that could ++ * be present in the MTD name, only the last one is interpreted ++ * as an / separator. ++ */ ++ p = strrchr(s, ':'); ++ ++ /* Restore the ';' now. */ ++ if (semicol) ++ *semicol = ';'; ++ + if (!p) { + pr_err("no mtd-id\n"); + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.4/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch b/queue-4.4/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch new file mode 100644 index 00000000000..05261e6e122 --- /dev/null +++ b/queue-4.4/mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch @@ -0,0 +1,36 @@ +From 3e256d50db07c72cc92ccdf189c1b49fea08017e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 18:40:06 +0800 +Subject: mtd: rawnand: omap_elm: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 37f7212148cf1d796135cdf8d0c7fee13067674b ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200522104008.28340-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/omap_elm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mtd/nand/omap_elm.c b/drivers/mtd/nand/omap_elm.c +index 235ec7992b4cf..e46b11847082a 100644 +--- a/drivers/mtd/nand/omap_elm.c ++++ b/drivers/mtd/nand/omap_elm.c +@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + if (pm_runtime_get_sync(&pdev->dev) < 0) { + ret = -EINVAL; ++ pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + dev_err(&pdev->dev, "can't enable clock\n"); + return ret; +-- +2.25.1 + diff --git a/queue-4.4/neigh_stat_seq_next-should-increase-position-index.patch b/queue-4.4/neigh_stat_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..7fd918cfc63 --- /dev/null +++ b/queue-4.4/neigh_stat_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From 8bb1f06a76d6618aff2e1fc29213099a98d743ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 10:11:28 +0300 +Subject: neigh_stat_seq_next() should increase position index + +From: Vasily Averin + +[ Upstream commit 1e3f9f073c47bee7c23e77316b07bc12338c5bba ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 9849f1f4cf4f7..40d33431bc585 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2798,6 +2798,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return per_cpu_ptr(tbl->stats, cpu); + } ++ (*pos)++; + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.4/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch b/queue-4.4/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch new file mode 100644 index 00000000000..b3d771bcb00 --- /dev/null +++ b/queue-4.4/perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch @@ -0,0 +1,68 @@ +From 71e5e77bda082f4c77ea6a98af31805fa9859dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 15:19:16 +0300 +Subject: perf kcore_copy: Fix module map when there are no modules loaded + +From: Adrian Hunter + +[ Upstream commit 61f82e3fb697a8e85f22fdec786528af73dc36d1 ] + +In the absence of any modules, no "modules" map is created, but there +are other executable pages to map, due to eBPF JIT, kprobe or ftrace. +Map them by recognizing that the first "module" symbol is not +necessarily from a module, and adjust the map accordingly. + +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Leo Yan +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Mathieu Poirier +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: x86@kernel.org +Link: http://lore.kernel.org/lkml/20200512121922.8997-10-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 2070c02de3af5..ea55cb6b614f4 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1390,6 +1390,7 @@ struct kcore_copy_info { + u64 first_symbol; + u64 last_symbol; + u64 first_module; ++ u64 first_module_symbol; + u64 last_module_symbol; + struct phdr_data kernel_map; + struct phdr_data modules_map; +@@ -1404,6 +1405,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type, + return 0; + + if (strchr(name, '[')) { ++ if (!kci->first_module_symbol || start < kci->first_module_symbol) ++ kci->first_module_symbol = start; + if (start > kci->last_module_symbol) + kci->last_module_symbol = start; + return 0; +@@ -1528,6 +1531,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir, + kci->etext += page_size; + } + ++ if (kci->first_module_symbol && ++ (!kci->first_module || kci->first_module_symbol < kci->first_module)) ++ kci->first_module = kci->first_module_symbol; ++ + kci->first_module = round_down(kci->first_module, page_size); + + if (kci->last_module_symbol) { +-- +2.25.1 + diff --git a/queue-4.4/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch b/queue-4.4/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch new file mode 100644 index 00000000000..4fe86856a67 --- /dev/null +++ b/queue-4.4/phy-samsung-s5pv210-usb2-add-delay-after-reset.patch @@ -0,0 +1,43 @@ +From 1555123163296a8127ba729bdeacd11571ecd9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 10:36:33 -0700 +Subject: phy: samsung: s5pv210-usb2: Add delay after reset + +From: Jonathan Bakker + +[ Upstream commit 05942b8c36c7eb5d3fc5e375d4b0d0c49562e85d ] + +The USB phy takes some time to reset, so make sure we give it to it. The +delay length was taken from the 4x12 phy driver. + +This manifested in issues with the DWC2 driver since commit fe369e1826b3 +("usb: dwc2: Make dwc2_readl/writel functions endianness-agnostic.") +where the endianness check would read the DWC ID as 0 due to the phy still +resetting, resulting in the wrong endian mode being chosen. + +Signed-off-by: Jonathan Bakker +Link: https://lore.kernel.org/r/BN6PR04MB06605D52502816E500683553A3D10@BN6PR04MB0660.namprd04.prod.outlook.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/phy-s5pv210-usb2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/phy/phy-s5pv210-usb2.c b/drivers/phy/phy-s5pv210-usb2.c +index 004d320767e4d..bb36cfd4e3e90 100644 +--- a/drivers/phy/phy-s5pv210-usb2.c ++++ b/drivers/phy/phy-s5pv210-usb2.c +@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on) + udelay(10); + rst &= ~rstbits; + writel(rst, drv->reg_phy + S5PV210_UPHYRST); ++ /* The following delay is necessary for the reset sequence to be ++ * completed ++ */ ++ udelay(80); + } else { + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR); + pwr |= phypwr; +-- +2.25.1 + diff --git a/queue-4.4/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch b/queue-4.4/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch new file mode 100644 index 00000000000..93c2485f593 --- /dev/null +++ b/queue-4.4/pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch @@ -0,0 +1,47 @@ +From 5018626a1cff29088e22bda3895694905faa7627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 00:56:03 +0300 +Subject: PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out + +From: Dmitry Osipenko + +[ Upstream commit 53b4b2aeee26f42cde5ff2a16dd0d8590c51a55a ] + +There is another kHz-conversion bug in the code, resulting in integer +overflow. Although, this time the resulting value is 4294966296 and it's +close to ULONG_MAX, which is okay in this case. + +Reviewed-by: Chanwoo Choi +Tested-by: Peter Geis +Signed-off-by: Dmitry Osipenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/tegra-devfreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c +index 64a2e02b87d78..0b0de6a049afb 100644 +--- a/drivers/devfreq/tegra-devfreq.c ++++ b/drivers/devfreq/tegra-devfreq.c +@@ -79,6 +79,8 @@ + + #define KHZ 1000 + ++#define KHZ_MAX (ULONG_MAX / KHZ) ++ + /* Assume that the bus is saturated if the utilization is 25% */ + #define BUS_SATURATION_RATIO 25 + +@@ -179,7 +181,7 @@ struct tegra_actmon_emc_ratio { + }; + + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = { +- { 1400000, ULONG_MAX }, ++ { 1400000, KHZ_MAX }, + { 1200000, 750000 }, + { 1100000, 600000 }, + { 1000000, 500000 }, +-- +2.25.1 + diff --git a/queue-4.4/printk-handle-blank-console-arguments-passed-in.patch b/queue-4.4/printk-handle-blank-console-arguments-passed-in.patch new file mode 100644 index 00000000000..c8e1d1b93aa --- /dev/null +++ b/queue-4.4/printk-handle-blank-console-arguments-passed-in.patch @@ -0,0 +1,45 @@ +From 377b90dfb577105a1308a83c9d8c3b4c8c9e7eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 16:53:06 +1000 +Subject: printk: handle blank console arguments passed in. + +From: Shreyas Joshi + +[ Upstream commit 48021f98130880dd74286459a1ef48b5e9bc374f ] + +If uboot passes a blank string to console_setup then it results in +a trashed memory. Ultimately, the kernel crashes during freeing up +the memory. + +This fix checks if there is a blank parameter being +passed to console_setup from uboot. In case it detects that +the console parameter is blank then it doesn't setup the serial +device and it gracefully exits. + +Link: https://lore.kernel.org/r/20200522065306.83-1-shreyas.joshi@biamp.com +Signed-off-by: Shreyas Joshi +Acked-by: Sergey Senozhatsky +[pmladek@suse.com: Better format the commit message and code, remove unnecessary brackets.] +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index e53a976ca28ea..b55dfb3e801f9 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2032,6 +2032,9 @@ static int __init console_setup(char *str) + char *s, *options, *brl_options = NULL; + int idx; + ++ if (str[0] == 0) ++ return 1; ++ + if (_braille_console_setup(&str, &brl_options)) + return 1; + +-- +2.25.1 + diff --git a/queue-4.4/rt_cpu_seq_next-should-increase-position-index.patch b/queue-4.4/rt_cpu_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..2790d92f2b4 --- /dev/null +++ b/queue-4.4/rt_cpu_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From c5cb2636cd4642cd36977eb7429b55ade4941ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 10:11:35 +0300 +Subject: rt_cpu_seq_next should increase position index + +From: Vasily Averin + +[ Upstream commit a3ea86739f1bc7e121d921842f0f4a8ab1af94d9 ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 542f6e0f438f1..ea1c319100a5d 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return &per_cpu(rt_cache_stat, cpu); + } ++ (*pos)++; + return NULL; + + } +-- +2.25.1 + diff --git a/queue-4.4/s390-init-add-missing-__init-annotations.patch b/queue-4.4/s390-init-add-missing-__init-annotations.patch new file mode 100644 index 00000000000..bff25b718bd --- /dev/null +++ b/queue-4.4/s390-init-add-missing-__init-annotations.patch @@ -0,0 +1,55 @@ +From 0d2b88c981099e89cd6bf22b19347d373b7d599d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:27:25 +0200 +Subject: s390/init: add missing __init annotations + +From: Ilya Leoshkevich + +[ Upstream commit fcb2b70cdb194157678fb1a75f9ff499aeba3d2a ] + +Add __init to reserve_memory_end, reserve_oldmem and remove_oldmem. +Sometimes these functions are not inlined, and then the build +complains about section mismatch. + +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index 47692c78d09c5..fdc5e76e1f6b0 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -513,7 +513,7 @@ static struct notifier_block kdump_mem_nb = { + /* + * Make sure that the area behind memory_end is protected + */ +-static void reserve_memory_end(void) ++static void __init reserve_memory_end(void) + { + #ifdef CONFIG_CRASH_DUMP + if (ipl_info.type == IPL_TYPE_FCP_DUMP && +@@ -531,7 +531,7 @@ static void reserve_memory_end(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void reserve_oldmem(void) ++static void __init reserve_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +@@ -543,7 +543,7 @@ static void reserve_oldmem(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void remove_oldmem(void) ++static void __init remove_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +-- +2.25.1 + diff --git a/queue-4.4/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch b/queue-4.4/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch new file mode 100644 index 00000000000..4f85d811fe4 --- /dev/null +++ b/queue-4.4/scsi-aacraid-fix-illegal-io-beyond-last-lba.patch @@ -0,0 +1,59 @@ +From 74054702c89ab8d9e3a1b6b37d91c34fc534cbb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2019 11:51:58 +0530 +Subject: scsi: aacraid: fix illegal IO beyond last LBA + +From: Balsundar P + +[ Upstream commit c86fbe484c10b2cd1e770770db2d6b2c88801c1d ] + +The driver fails to handle data when read or written beyond device reported +LBA, which triggers kernel panic + +Link: https://lore.kernel.org/r/1571120524-6037-2-git-send-email-balsundar.p@microsemi.com +Signed-off-by: Balsundar P +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/aachba.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c +index de33801ca31ea..0614d05a990a6 100644 +--- a/drivers/scsi/aacraid/aachba.c ++++ b/drivers/scsi/aacraid/aachba.c +@@ -1938,13 +1938,13 @@ static int aac_read(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n", +@@ -2035,13 +2035,13 @@ static int aac_write(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n", +-- +2.25.1 + diff --git a/queue-4.4/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch b/queue-4.4/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch new file mode 100644 index 00000000000..ba67f0e7094 --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch @@ -0,0 +1,58 @@ +From e77f9fe26faf94f5f9078b79b8eb5d7f9e3f9722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2020 16:23:01 -0800 +Subject: scsi: lpfc: Fix RQ buffer leakage when no IOCBs available + +From: James Smart + +[ Upstream commit 39c4f1a965a9244c3ba60695e8ff8da065ec6ac4 ] + +The driver is occasionally seeing the following SLI Port error, requiring +reset and reinit: + + Port Status Event: ... error 1=0x52004a01, error 2=0x218 + +The failure means an RQ timeout. That is, the adapter had received +asynchronous receive frames, ran out of buffer slots to place the frames, +and the driver did not replenish the buffer slots before a timeout +occurred. The driver should not be so slow in replenishing buffers that a +timeout can occur. + +When the driver received all the frames of a sequence, it allocates an IOCB +to put the frames in. In a situation where there was no IOCB available for +the frame of a sequence, the RQ buffer corresponding to the first frame of +the sequence was not returned to the FW. Eventually, with enough traffic +encountering the situation, the timeout occurred. + +Fix by releasing the buffer back to firmware whenever there is no IOCB for +the first frame. + +[mkp: typo] + +Link: https://lore.kernel.org/r/20200128002312.16346-2-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 7a94c2d352390..97c0d79a2601f 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -15445,6 +15445,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf) + list_add_tail(&iocbq->list, &first_iocbq->list); + } + } ++ /* Free the sequence's header buffer */ ++ if (!first_iocbq) ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf); ++ + return first_iocbq; + } + +-- +2.25.1 + diff --git a/queue-4.4/selinux-sel_avc_get_stat_idx-should-increase-positio.patch b/queue-4.4/selinux-sel_avc_get_stat_idx-should-increase-positio.patch new file mode 100644 index 00000000000..2906bdb9b5f --- /dev/null +++ b/queue-4.4/selinux-sel_avc_get_stat_idx-should-increase-positio.patch @@ -0,0 +1,64 @@ +From d6312af486887bfdd16a76af028465634f4775e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 10:47:47 +0300 +Subject: selinux: sel_avc_get_stat_idx should increase position index + +From: Vasily Averin + +[ Upstream commit 8d269a8e2a8f0bca89022f4ec98de460acb90365 ] + +If seq_file .next function does not change position index, +read after some lseek can generate unexpected output. + +$ dd if=/sys/fs/selinux/avc/cache_stats # usual output +lookups hits misses allocations reclaims frees +817223 810034 7189 7189 6992 7037 +1934894 1926896 7998 7998 7632 7683 +1322812 1317176 5636 5636 5456 5507 +1560571 1551548 9023 9023 9056 9115 +0+1 records in +0+1 records out +189 bytes copied, 5,1564e-05 s, 3,7 MB/s + +$# read after lseek to midle of last line +$ dd if=/sys/fs/selinux/avc/cache_stats bs=180 skip=1 +dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset +056 9115 <<<< end of last line +1560571 1551548 9023 9023 9056 9115 <<< whole last line once again +0+1 records in +0+1 records out +45 bytes copied, 8,7221e-05 s, 516 kB/s + +$# read after lseek beyond end of of file +$ dd if=/sys/fs/selinux/avc/cache_stats bs=1000 skip=1 +dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset +1560571 1551548 9023 9023 9056 9115 <<<< generates whole last line +0+1 records in +0+1 records out +36 bytes copied, 9,0934e-05 s, 396 kB/s + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 + +Signed-off-by: Vasily Averin +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/selinuxfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index c02da25d7b631..7778e28cce9d7 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -1370,6 +1370,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) + *idx = cpu + 1; + return &per_cpu(avc_cache_stats, cpu); + } ++ (*idx)++; + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.4/seqlock-require-write_once-surrounding-raw_seqcount_.patch b/queue-4.4/seqlock-require-write_once-surrounding-raw_seqcount_.patch new file mode 100644 index 00000000000..9e3c3eed591 --- /dev/null +++ b/queue-4.4/seqlock-require-write_once-surrounding-raw_seqcount_.patch @@ -0,0 +1,67 @@ +From 9c82f24ffae4a4e2e7838b12f745a568aad068b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 19:03:00 +0100 +Subject: seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier + +From: Marco Elver + +[ Upstream commit bf07132f96d426bcbf2098227fb680915cf44498 ] + +This patch proposes to require marked atomic accesses surrounding +raw_write_seqcount_barrier. We reason that otherwise there is no way to +guarantee propagation nor atomicity of writes before/after the barrier +[1]. For example, consider the compiler tears stores either before or +after the barrier; in this case, readers may observe a partial value, +and because readers are unaware that writes are going on (writes are not +in a seq-writer critical section), will complete the seq-reader critical +section while having observed some partial state. +[1] https://lwn.net/Articles/793253/ + +This came up when designing and implementing KCSAN, because KCSAN would +flag these accesses as data-races. After careful analysis, our reasoning +as above led us to conclude that the best thing to do is to propose an +amendment to the raw_seqcount_barrier usage. + +Signed-off-by: Marco Elver +Acked-by: Paul E. McKenney +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/seqlock.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index e0582106ef4fa..a10f363784178 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -242,6 +242,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * usual consistency guarantee. It is one wmb cheaper, because we can + * collapse the two back-to-back wmb()s. + * ++ * Note that, writes surrounding the barrier should be declared atomic (e.g. ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads ++ * atomically, avoiding compiler optimizations; b) to document which writes are ++ * meant to propagate to the reader critical section. This is necessary because ++ * neither writes before and after the barrier are enclosed in a seq-writer ++ * critical section that would ensure readers are aware of ongoing writes. ++ * + * seqcount_t seq; + * bool X = true, Y = false; + * +@@ -261,11 +268,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * + * void write(void) + * { +- * Y = true; ++ * WRITE_ONCE(Y, true); + * + * raw_write_seqcount_barrier(seq); + * +- * X = false; ++ * WRITE_ONCE(X, false); + * } + */ + static inline void raw_write_seqcount_barrier(seqcount_t *s) +-- +2.25.1 + diff --git a/queue-4.4/serial-8250_omap-fix-sleeping-function-called-from-i.patch b/queue-4.4/serial-8250_omap-fix-sleeping-function-called-from-i.patch new file mode 100644 index 00000000000..6ada9828c45 --- /dev/null +++ b/queue-4.4/serial-8250_omap-fix-sleeping-function-called-from-i.patch @@ -0,0 +1,88 @@ +From 0078b11829cd8f11c59c415843118142bf9f269c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2020 14:52:00 +0200 +Subject: serial: 8250_omap: Fix sleeping function called from invalid context + during probe + +From: Peter Ujfalusi + +[ Upstream commit 4ce35a3617c0ac758c61122b2218b6c8c9ac9398 ] + +When booting j721e the following bug is printed: + +[ 1.154821] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99 +[ 1.154827] in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 12, name: kworker/0:1 +[ 1.154832] 3 locks held by kworker/0:1/12: +[ 1.154836] #0: ffff000840030728 ((wq_completion)events){+.+.}, at: process_one_work+0x1d4/0x6e8 +[ 1.154852] #1: ffff80001214fdd8 (deferred_probe_work){+.+.}, at: process_one_work+0x1d4/0x6e8 +[ 1.154860] #2: ffff00084060b170 (&dev->mutex){....}, at: __device_attach+0x38/0x138 +[ 1.154872] irq event stamp: 63096 +[ 1.154881] hardirqs last enabled at (63095): [] _raw_spin_unlock_irqrestore+0x70/0x78 +[ 1.154887] hardirqs last disabled at (63096): [] _raw_spin_lock_irqsave+0x28/0x80 +[ 1.154893] softirqs last enabled at (62254): [] _stext+0x488/0x564 +[ 1.154899] softirqs last disabled at (62247): [] irq_exit+0x114/0x140 +[ 1.154906] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc6-next-20200318-00094-g45e4089b0bd3 #221 +[ 1.154911] Hardware name: Texas Instruments K3 J721E SoC (DT) +[ 1.154917] Workqueue: events deferred_probe_work_func +[ 1.154923] Call trace: +[ 1.154928] dump_backtrace+0x0/0x190 +[ 1.154933] show_stack+0x14/0x20 +[ 1.154940] dump_stack+0xe0/0x148 +[ 1.154946] ___might_sleep+0x150/0x1f0 +[ 1.154952] __might_sleep+0x4c/0x80 +[ 1.154957] wait_for_completion_timeout+0x40/0x140 +[ 1.154964] ti_sci_set_device_state+0xa0/0x158 +[ 1.154969] ti_sci_cmd_get_device_exclusive+0x14/0x20 +[ 1.154977] ti_sci_dev_start+0x34/0x50 +[ 1.154984] genpd_runtime_resume+0x78/0x1f8 +[ 1.154991] __rpm_callback+0x3c/0x140 +[ 1.154996] rpm_callback+0x20/0x80 +[ 1.155001] rpm_resume+0x568/0x758 +[ 1.155007] __pm_runtime_resume+0x44/0xb0 +[ 1.155013] omap8250_probe+0x2b4/0x508 +[ 1.155019] platform_drv_probe+0x50/0xa0 +[ 1.155023] really_probe+0xd4/0x318 +[ 1.155028] driver_probe_device+0x54/0xe8 +[ 1.155033] __device_attach_driver+0x80/0xb8 +[ 1.155039] bus_for_each_drv+0x74/0xc0 +[ 1.155044] __device_attach+0xdc/0x138 +[ 1.155049] device_initial_probe+0x10/0x18 +[ 1.155053] bus_probe_device+0x98/0xa0 +[ 1.155058] deferred_probe_work_func+0x74/0xb0 +[ 1.155063] process_one_work+0x280/0x6e8 +[ 1.155068] worker_thread+0x48/0x430 +[ 1.155073] kthread+0x108/0x138 +[ 1.155079] ret_from_fork+0x10/0x18 + +To fix the bug we need to first call pm_runtime_enable() prior to any +pm_runtime calls. + +Reported-by: Tomi Valkeinen +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200320125200.6772-1-peter.ujfalusi@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index c4383573cf668..0377b35d62b80 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1188,11 +1188,11 @@ static int omap8250_probe(struct platform_device *pdev) + spin_lock_init(&priv->rx_dma_lock); + + device_init_wakeup(&pdev->dev, true); ++ pm_runtime_enable(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, -1); + + pm_runtime_irq_safe(&pdev->dev); +- pm_runtime_enable(&pdev->dev); + + pm_runtime_get_sync(&pdev->dev); + +-- +2.25.1 + diff --git a/queue-4.4/serial-uartps-wait-for-tx_empty-in-console-setup.patch b/queue-4.4/serial-uartps-wait-for-tx_empty-in-console-setup.patch new file mode 100644 index 00000000000..da66332ed23 --- /dev/null +++ b/queue-4.4/serial-uartps-wait-for-tx_empty-in-console-setup.patch @@ -0,0 +1,54 @@ +From fa47da5df18e10b9a3aecee4ca9e3980e53c5ffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 11:56:02 +0530 +Subject: serial: uartps: Wait for tx_empty in console setup + +From: Raviteja Narayanam + +[ Upstream commit 42e11948ddf68b9f799cad8c0ddeab0a39da33e8 ] + +On some platforms, the log is corrupted while console is being +registered. It is observed that when set_termios is called, there +are still some bytes in the FIFO to be transmitted. + +So, wait for tx_empty inside cdns_uart_console_setup before calling +set_termios. + +Signed-off-by: Raviteja Narayanam +Reviewed-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/1586413563-29125-2-git-send-email-raviteja.narayanam@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 06efcef1b4953..5b4469098888a 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1152,6 +1152,7 @@ static int cdns_uart_console_setup(struct console *co, char *options) + int bits = 8; + int parity = 'n'; + int flow = 'n'; ++ unsigned long time_out; + + if (co->index < 0 || co->index >= CDNS_UART_NR_PORTS) + return -EINVAL; +@@ -1165,6 +1166,13 @@ static int cdns_uart_console_setup(struct console *co, char *options) + if (options) + uart_parse_options(options, &baud, &parity, &bits, &flow); + ++ /* Wait for tx_empty before setting up the console */ ++ time_out = jiffies + usecs_to_jiffies(TX_TIMEOUT); ++ ++ while (time_before(jiffies, time_out) && ++ cdns_uart_tx_empty(port) != TIOCSER_TEMT) ++ cpu_relax(); ++ + return uart_set_options(port, co, baud, parity, bits, flow); + } + +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 144b71b7f7e..5279467d38f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,68 @@ tipc-use-skb_unshare-instead-in-tipc_buf_append.patch net-add-__must_check-to-skb_put_padto.patch ip-fix-tos-reflection-in-ack-and-reset-packets.patch serial-8250-avoid-error-message-on-reprobe.patch +scsi-aacraid-fix-illegal-io-beyond-last-lba.patch +m68k-q40-fix-info-leak-in-rtc_ioctl.patch +gma-gma500-fix-a-memory-disclosure-bug-due-to-uninit.patch +asoc-kirkwood-fix-irq-error-handling.patch +ata-sata_mv-avoid-trigerrable-bug_on.patch +pm-devfreq-tegra30-fix-integer-overflow-on-cpu-s-fre.patch +mtd-cfi_cmdset_0002-don-t-free-cfi-cfiq-in-error-pat.patch +mfd-mfd-core-protect-against-null-call-back-function.patch +tracing-adding-null-checks-for-trace_array-descripto.patch +bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch +xfs-fix-attr-leaf-header-freemap.size-underflow.patch +kernel-sys.c-avoid-copying-possible-padding-bytes-in.patch +neigh_stat_seq_next-should-increase-position-index.patch +rt_cpu_seq_next-should-increase-position-index.patch +seqlock-require-write_once-surrounding-raw_seqcount_.patch +acpi-ec-reference-count-query-handlers-under-lock.patch +tracing-set-kernel_stack-s-caller-size-properly.patch +ext4-make-dioread_nolock-the-default.patch +ar5523-add-usb-id-of-smcwusbt-g2-wireless-adapter.patch +bluetooth-fix-refcount-use-after-free-issue.patch +mm-pagewalk-fix-termination-condition-in-walk_pte_ra.patch +bluetooth-prefetch-channel-before-killing-sock.patch +skbuff-fix-a-data-race-in-skb_queue_len.patch +audit-config_change-don-t-log-internal-bookkeeping-a.patch +selinux-sel_avc_get_stat_idx-should-increase-positio.patch +scsi-lpfc-fix-rq-buffer-leakage-when-no-iocbs-availa.patch +drm-omap-fix-possible-object-reference-leak.patch +dmaengine-tegra-apb-prevent-race-conditions-on-chann.patch +media-go7007-fix-urb-type-for-interrupt-handling.patch +bluetooth-guard-against-controllers-sending-zero-d-e.patch +drm-amdgpu-increase-atombios-cmd-timeout.patch +bluetooth-l2cap-handle-l2cap-config-request-during-o.patch +media-tda10071-fix-unsigned-sign-extension-overflow.patch +tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch +tracing-use-address-of-operator-on-section-symbols.patch +serial-8250_omap-fix-sleeping-function-called-from-i.patch +sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch +ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch +alsa-usb-audio-fix-case-when-usb-midi-interface-has-.patch +mm-filemap.c-clear-page-error-before-actual-read.patch +mm-mmap.c-initialize-align_offset-explicitly-for-vm_.patch +serial-uartps-wait-for-tx_empty-in-console-setup.patch +kvm-remove-create_irqchip-set_pit2-race.patch +bdev-reduce-time-holding-bd_mutex-in-sync-in-blkdev_.patch +drivers-char-tlclk.c-avoid-data-race-between-init-an.patch +dt-bindings-sound-wm8994-correct-required-supplies-b.patch +atm-fix-a-memory-leak-of-vcc-user_back.patch +phy-samsung-s5pv210-usb2-add-delay-after-reset.patch +bluetooth-handle-inquiry-cancel-error-after-inquiry-.patch +usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch +tty-serial-samsung-correct-clock-selection-logic.patch +alsa-hda-fix-potential-race-in-unsol-event-handler.patch +fuse-don-t-check-refcount-after-stealing-page.patch +usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch +e1000-do-not-perform-reset-in-reset_task-if-we-are-a.patch +printk-handle-blank-console-arguments-passed-in.patch +vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch +perf-kcore_copy-fix-module-map-when-there-are-no-mod.patch +mtd-rawnand-omap_elm-fix-runtime-pm-imbalance-on-err.patch +ceph-fix-potential-race-in-ceph_check_caps.patch +mtd-parser-cmdline-support-mtd-names-containing-one-.patch +x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch +vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch +vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch +s390-init-add-missing-__init-annotations.patch diff --git a/queue-4.4/skbuff-fix-a-data-race-in-skb_queue_len.patch b/queue-4.4/skbuff-fix-a-data-race-in-skb_queue_len.patch new file mode 100644 index 00000000000..1d3eae94b42 --- /dev/null +++ b/queue-4.4/skbuff-fix-a-data-race-in-skb_queue_len.patch @@ -0,0 +1,116 @@ +From 705200fa32c9e884c2bf12191e45c21a12111d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 13:40:29 -0500 +Subject: skbuff: fix a data race in skb_queue_len() + +From: Qian Cai + +[ Upstream commit 86b18aaa2b5b5bb48e609cd591b3d2d0fdbe0442 ] + +sk_buff.qlen can be accessed concurrently as noticed by KCSAN, + + BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg + + read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96: + unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821 + net/unix/af_unix.c:1761 + ____sys_sendmsg+0x33e/0x370 + ___sys_sendmsg+0xa6/0xf0 + __sys_sendmsg+0x69/0xf0 + __x64_sys_sendmsg+0x51/0x70 + do_syscall_64+0x91/0xb47 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99: + __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029 + __skb_try_recv_datagram+0xbe/0x220 + unix_dgram_recvmsg+0xee/0x850 + ____sys_recvmsg+0x1fb/0x210 + ___sys_recvmsg+0xa2/0xf0 + __sys_recvmsg+0x66/0xf0 + __x64_sys_recvmsg+0x51/0x70 + do_syscall_64+0x91/0xb47 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Since only the read is operating as lockless, it could introduce a logic +bug in unix_recvq_full() due to the load tearing. Fix it by adding +a lockless variant of skb_queue_len() and unix_recvq_full() where +READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to +the commit d7d16a89350a ("net: add skb_queue_empty_lockless()"). + +Signed-off-by: Qian Cai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 14 +++++++++++++- + net/unix/af_unix.c | 11 +++++++++-- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 2528f712b8c0b..95feb153fe9a8 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1438,6 +1438,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_) + return list_->qlen; + } + ++/** ++ * skb_queue_len_lockless - get queue length ++ * @list_: list to measure ++ * ++ * Return the length of an &sk_buff queue. ++ * This variant can be used in lockless contexts. ++ */ ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_) ++{ ++ return READ_ONCE(list_->qlen); ++} ++ + /** + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head + * @list: queue to initialize +@@ -1641,7 +1653,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list) + { + struct sk_buff *next, *prev; + +- list->qlen--; ++ WRITE_ONCE(list->qlen, list->qlen - 1); + next = skb->next; + prev = skb->prev; + skb->next = skb->prev = NULL; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index b5e2ef242efe7..ac78c5ac82846 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -191,11 +191,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) + return unix_peer(osk) == NULL || unix_our_peer(sk, osk); + } + +-static inline int unix_recvq_full(struct sock const *sk) ++static inline int unix_recvq_full(const struct sock *sk) + { + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; + } + ++static inline int unix_recvq_full_lockless(const struct sock *sk) ++{ ++ return skb_queue_len_lockless(&sk->sk_receive_queue) > ++ READ_ONCE(sk->sk_max_ack_backlog); ++} ++ + struct sock *unix_peer_get(struct sock *s) + { + struct sock *peer; +@@ -1792,7 +1798,8 @@ restart_locked: + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ unlikely(unix_peer(other) != sk && ++ unix_recvq_full_lockless(other))) { + if (timeo) { + timeo = unix_wait_for_peer(other, timeo); + +-- +2.25.1 + diff --git a/queue-4.4/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch b/queue-4.4/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch new file mode 100644 index 00000000000..b374f69f743 --- /dev/null +++ b/queue-4.4/sunrpc-fix-a-potential-buffer-overflow-in-svc_print_.patch @@ -0,0 +1,75 @@ +From f1a4b8980c3a1aac7fa2dd06b4ab883880aa65fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2020 17:15:39 +0100 +Subject: SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' + +From: Christophe JAILLET + +[ Upstream commit b25b60d7bfb02a74bc3c2d998e09aab159df8059 ] + +'maxlen' is the total size of the destination buffer. There is only one +caller and this value is 256. + +When we compute the size already used and what we would like to add in +the buffer, the trailling NULL character is not taken into account. +However, this trailling character will be added by the 'strcat' once we +have checked that we have enough place. + +So, there is a off-by-one issue and 1 byte of the stack could be +erroneously overwridden. + +Take into account the trailling NULL, when checking if there is enough +place in the destination buffer. + +While at it, also replace a 'sprintf' by a safer 'snprintf', check for +output truncation and avoid a superfluous 'strlen'. + +Fixes: dc9a16e49dbba ("svc: Add /proc/sys/sunrpc/transport files") +Signed-off-by: Christophe JAILLET +[ cel: very minor fix to documenting comment +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc_xprt.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 2b8e80c721db1..a7cd031656801 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -97,8 +97,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl) + } + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class); + +-/* +- * Format the transport list for printing ++/** ++ * svc_print_xprts - Format the transport list for printing ++ * @buf: target buffer for formatted address ++ * @maxlen: length of target buffer ++ * ++ * Fills in @buf with a string containing a list of transport names, each name ++ * terminated with '\n'. If the buffer is too small, some entries may be ++ * missing, but it is guaranteed that all lines in the output buffer are ++ * complete. ++ * ++ * Returns positive length of the filled-in string. + */ + int svc_print_xprts(char *buf, int maxlen) + { +@@ -111,9 +120,9 @@ int svc_print_xprts(char *buf, int maxlen) + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { + int slen; + +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload); +- slen = strlen(tmpstr); +- if (len + slen > maxlen) ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n", ++ xcl->xcl_name, xcl->xcl_max_payload); ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen) + break; + len += slen; + strcat(buf, tmpstr); +-- +2.25.1 + diff --git a/queue-4.4/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch b/queue-4.4/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch new file mode 100644 index 00000000000..52062107148 --- /dev/null +++ b/queue-4.4/tpm-ibmvtpm-wait-for-buffer-to-be-set-before-proceed.patch @@ -0,0 +1,79 @@ +From 75927944f0933006bc9ccc775260eac00ae873bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 11:53:31 -0400 +Subject: tpm: ibmvtpm: Wait for buffer to be set before proceeding + +From: Stefan Berger + +[ Upstream commit d8d74ea3c00214aee1e1826ca18e77944812b9b4 ] + +Synchronize with the results from the CRQs before continuing with +the initialization. This avoids trying to send TPM commands while +the rtce buffer has not been allocated, yet. + +This patch fixes an existing race condition that may occurr if the +hypervisor does not quickly respond to the VTPM_GET_RTCE_BUFFER_SIZE +request sent during initialization and therefore the ibmvtpm->rtce_buf +has not been allocated at the time the first TPM command is sent. + +Fixes: 132f76294744 ("drivers/char/tpm: Add new device driver to support IBM vTPM") +Signed-off-by: Stefan Berger +Acked-by: Nayna Jain +Tested-by: Nayna Jain +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_ibmvtpm.c | 9 +++++++++ + drivers/char/tpm/tpm_ibmvtpm.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index 3e6a22658b63b..d4cc1a1ac1f73 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -543,6 +543,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance) + */ + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) { + ibmvtpm_crq_process(crq, ibmvtpm); ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq); + crq->valid = 0; + smp_wmb(); + } +@@ -589,6 +590,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + } + + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr); ++ init_waitqueue_head(&crq_q->wq); + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr, + CRQ_RES_BUF_SIZE, + DMA_BIDIRECTIONAL); +@@ -641,6 +643,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + if (rc) + goto init_irq_cleanup; + ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq, ++ ibmvtpm->rtce_buf != NULL, ++ HZ)) { ++ dev_err(dev, "CRQ response timed out\n"); ++ goto init_irq_cleanup; ++ } ++ + return tpm_chip_register(chip); + init_irq_cleanup: + do { +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index 6af92890518f8..1a8c3b698f104 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue { + struct ibmvtpm_crq *crq_addr; + u32 index; + u32 num_entry; ++ wait_queue_head_t wq; + }; + + struct ibmvtpm_dev { +-- +2.25.1 + diff --git a/queue-4.4/tracing-adding-null-checks-for-trace_array-descripto.patch b/queue-4.4/tracing-adding-null-checks-for-trace_array-descripto.patch new file mode 100644 index 00000000000..d88cd347107 --- /dev/null +++ b/queue-4.4/tracing-adding-null-checks-for-trace_array-descripto.patch @@ -0,0 +1,53 @@ +From 22f5e753abe4591c1283c6d466e59a2cd1af10bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 10:55:25 -0700 +Subject: tracing: Adding NULL checks for trace_array descriptor pointer + +From: Divya Indi + +[ Upstream commit 953ae45a0c25e09428d4a03d7654f97ab8a36647 ] + +As part of commit f45d1225adb0 ("tracing: Kernel access to Ftrace +instances") we exported certain functions. Here, we are adding some additional +NULL checks to ensure safe usage by users of these APIs. + +Link: http://lkml.kernel.org/r/1565805327-579-4-git-send-email-divya.indi@oracle.com + +Signed-off-by: Divya Indi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 3 +++ + kernel/trace/trace_events.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 06efd18bf3e38..17ea5f9d36b48 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2271,6 +2271,9 @@ int trace_array_printk(struct trace_array *tr, + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK)) + return 0; + ++ if (!tr) ++ return -ENOENT; ++ + va_start(ap, fmt); + ret = trace_array_vprintk(tr, ip, fmt, ap); + va_end(ap); +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index bd4c0bb61ad72..9d6e755d17546 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -755,6 +755,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + char *event = NULL, *sub = NULL, *match; + int ret; + ++ if (!tr) ++ return -ENOENT; + /* + * The buf format can be : + * *: means any event by that name. +-- +2.25.1 + diff --git a/queue-4.4/tracing-set-kernel_stack-s-caller-size-properly.patch b/queue-4.4/tracing-set-kernel_stack-s-caller-size-properly.patch new file mode 100644 index 00000000000..89d077f489d --- /dev/null +++ b/queue-4.4/tracing-set-kernel_stack-s-caller-size-properly.patch @@ -0,0 +1,43 @@ +From f1a6f5254d802171fdadc2e5531d4a239b8abf56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Sep 2014 16:14:12 -0400 +Subject: tracing: Set kernel_stack's caller size properly + +From: Josef Bacik + +[ Upstream commit cbc3b92ce037f5e7536f6db157d185cd8b8f615c ] + +I noticed when trying to use the trace-cmd python interface that reading the raw +buffer wasn't working for kernel_stack events. This is because it uses a +stubbed version of __dynamic_array that doesn't do the __data_loc trick and +encode the length of the array into the field. Instead it just shows up as a +size of 0. So change this to __array and set the len to FTRACE_STACK_ENTRIES +since this is what we actually do in practice and matches how user_stack_trace +works. + +Link: http://lkml.kernel.org/r/1411589652-1318-1-git-send-email-jbacik@fb.com + +Signed-off-by: Josef Bacik +[ Pulled from the archeological digging of my INBOX ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_entries.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h +index ee7b94a4810af..246db27dbdc99 100644 +--- a/kernel/trace/trace_entries.h ++++ b/kernel/trace/trace_entries.h +@@ -178,7 +178,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry, + + F_STRUCT( + __field( int, size ) +- __dynamic_array(unsigned long, caller ) ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES ) + ), + + F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n" +-- +2.25.1 + diff --git a/queue-4.4/tracing-use-address-of-operator-on-section-symbols.patch b/queue-4.4/tracing-use-address-of-operator-on-section-symbols.patch new file mode 100644 index 00000000000..fd3d7177bb0 --- /dev/null +++ b/queue-4.4/tracing-use-address-of-operator-on-section-symbols.patch @@ -0,0 +1,49 @@ +From ad1b58cfc2e4c5272e6f0dbd11df0891e9edd017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 22:10:12 -0700 +Subject: tracing: Use address-of operator on section symbols + +From: Nathan Chancellor + +[ Upstream commit bf2cbe044da275021b2de5917240411a19e5c50d ] + +Clang warns: + +../kernel/trace/trace.c:9335:33: warning: array comparison always +evaluates to true [-Wtautological-compare] + if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) + ^ +1 warning generated. + +These are not true arrays, they are linker defined symbols, which are +just addresses. Using the address of operator silences the warning and +does not change the runtime result of the check (tested with some print +statements compiled in with clang + ld.lld and gcc + ld.bfd in QEMU). + +Link: http://lkml.kernel.org/r/20200220051011.26113-1-natechancellor@gmail.com + +Link: https://github.com/ClangBuiltLinux/linux/issues/893 +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 17ea5f9d36b48..e4a0c0308b507 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7263,7 +7263,7 @@ __init static int tracer_alloc_buffers(void) + goto out_free_buffer_mask; + + /* Only allocate trace_printk buffers if a trace_printk exists */ +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt) + /* Must be called before global_trace.buffer is allocated */ + trace_printk_init_buffers(); + +-- +2.25.1 + diff --git a/queue-4.4/tty-serial-samsung-correct-clock-selection-logic.patch b/queue-4.4/tty-serial-samsung-correct-clock-selection-logic.patch new file mode 100644 index 00000000000..cdca0fccfc3 --- /dev/null +++ b/queue-4.4/tty-serial-samsung-correct-clock-selection-logic.patch @@ -0,0 +1,54 @@ +From f611b970942b26952c32c82f4a0c33232b588fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 18:34:33 -0700 +Subject: tty: serial: samsung: Correct clock selection logic + +From: Jonathan Bakker + +[ Upstream commit 7d31676a8d91dd18e08853efd1cb26961a38c6a6 ] + +Some variants of the samsung tty driver can pick which clock +to use for their baud rate generation. In the DT conversion, +a default clock was selected to be used if a specific one wasn't +assigned and then a comparison of which clock rate worked better +was done. Unfortunately, the comparison was implemented in such +a way that only the default clock was ever actually compared. +Fix this by iterating through all possible clocks, except when a +specific clock has already been picked via clk_sel (which is +only possible via board files). + +Signed-off-by: Jonathan Bakker +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/BN6PR04MB06604E63833EA41837EBF77BA3A30@BN6PR04MB0660.namprd04.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 70a51d0bc6044..42aa37515e9bd 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1151,14 +1151,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport, + struct s3c24xx_uart_info *info = ourport->info; + struct clk *clk; + unsigned long rate; +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0; ++ unsigned int cnt, baud, quot, best_quot = 0; + char clkname[MAX_CLK_NAME_LENGTH]; + int calc_deviation, deviation = (1 << 30) - 1; + +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel : +- ourport->info->def_clk_sel; + for (cnt = 0; cnt < info->num_clks; cnt++) { +- if (!(clk_sel & (1 << cnt))) ++ /* Keep selected clock if provided */ ++ if (ourport->cfg->clk_sel && ++ !(ourport->cfg->clk_sel & (1 << cnt))) + continue; + + sprintf(clkname, "clk_uart_baud%d", cnt); +-- +2.25.1 + diff --git a/queue-4.4/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch b/queue-4.4/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch new file mode 100644 index 00000000000..3cd55ecf6bc --- /dev/null +++ b/queue-4.4/ubifs-fix-out-of-bounds-memory-access-caused-by-abno.patch @@ -0,0 +1,71 @@ +From d625bc4c1452d1d7141b7335989df548280525ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 23:36:07 +0800 +Subject: ubifs: Fix out-of-bounds memory access caused by abnormal value of + node_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Liu Song + +[ Upstream commit acc5af3efa303d5f36cc8c0f61716161f6ca1384 ] + +In “ubifs_check_node”, when the value of "node_len" is abnormal, +the code will goto label of "out_len" for execution. Then, in the +following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE", +in "print_hex_dump", an out-of-bounds access may occur due to the +wrong "ch->len". + +Therefore, when the value of "node_len" is abnormal, data length +should to be adjusted to a reasonable safe range. At this time, +structured data is not credible, so dump the corrupted data directly +for analysis. + +Signed-off-by: Liu Song +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/io.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c +index 97be412153328..9213a9e046ae0 100644 +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + int offs, int quiet, int must_chk_crc) + { +- int err = -EINVAL, type, node_len; ++ int err = -EINVAL, type, node_len, dump_node = 1; + uint32_t crc, node_crc, magic; + const struct ubifs_ch *ch = buf; + +@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + out_len: + if (!quiet) + ubifs_err(c, "bad node length %d", node_len); ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) ++ dump_node = 0; + out: + if (!quiet) { + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); +- ubifs_dump_node(c, buf); ++ if (dump_node) { ++ ubifs_dump_node(c, buf); ++ } else { ++ int safe_len = min3(node_len, c->leb_size - offs, ++ (int)UBIFS_MAX_DATA_NODE_SZ); ++ pr_err("\tprevent out-of-bounds memory access\n"); ++ pr_err("\ttruncated data node length %d\n", safe_len); ++ pr_err("\tcorrupted data node:\n"); ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, ++ buf, safe_len, 0); ++ } + dump_stack(); + } + return err; +-- +2.25.1 + diff --git a/queue-4.4/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch b/queue-4.4/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch new file mode 100644 index 00000000000..79042103a2b --- /dev/null +++ b/queue-4.4/usb-ehci-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch @@ -0,0 +1,43 @@ +From 289499c239b9e0f3936a71ac4fbbcbd0d608b2df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 19:43:05 +0800 +Subject: USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() + +From: Tang Bin + +[ Upstream commit c856b4b0fdb5044bca4c0acf9a66f3b5cc01a37a ] + +If the function platform_get_irq() failed, the negative value +returned will not be detected here. So fix error handling in +mv_ehci_probe(). And when get irq failed, the function +platform_get_irq() logs an error message, so remove redundant +message here. + +Signed-off-by: Zhang Shengju +Signed-off-by: Tang Bin +Link: https://lore.kernel.org/r/20200508114305.15740-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mv.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 849806a75f1ce..273736e1d33fa 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -197,9 +197,8 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->regs = ehci_mv->op_regs; + + hcd->irq = platform_get_irq(pdev, 0); +- if (!hcd->irq) { +- dev_err(&pdev->dev, "Cannot get irq."); +- retval = -ENODEV; ++ if (hcd->irq < 0) { ++ retval = hcd->irq; + goto err_disable_clk; + } + +-- +2.25.1 + diff --git a/queue-4.4/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch b/queue-4.4/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch new file mode 100644 index 00000000000..612083c7657 --- /dev/null +++ b/queue-4.4/usb-ehci-ehci-mv-fix-less-than-zero-comparison-of-an.patch @@ -0,0 +1,46 @@ +From ae39701058a63a0a0d6bd0a77d600817b618bf96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 17:54:53 +0100 +Subject: USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int + +From: Colin Ian King + +[ Upstream commit a7f40c233a6b0540d28743267560df9cfb571ca9 ] + +The comparison of hcd->irq to less than zero for an error check will +never be true because hcd->irq is an unsigned int. Fix this by +assigning the int retval to the return of platform_get_irq and checking +this for the -ve error condition and assigning hcd->irq to retval. + +Addresses-Coverity: ("Unsigned compared against 0") +Fixes: c856b4b0fdb5 ("USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200515165453.104028-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mv.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 273736e1d33fa..b29610899c9f6 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -196,11 +196,10 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->rsrc_len = resource_size(r); + hcd->regs = ehci_mv->op_regs; + +- hcd->irq = platform_get_irq(pdev, 0); +- if (hcd->irq < 0) { +- retval = hcd->irq; ++ retval = platform_get_irq(pdev, 0); ++ if (retval < 0) + goto err_disable_clk; +- } ++ hcd->irq = retval; + + ehci = hcd_to_ehci(hcd); + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs; +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch b/queue-4.4/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch new file mode 100644 index 00000000000..c612196bd75 --- /dev/null +++ b/queue-4.4/vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch @@ -0,0 +1,47 @@ +From 97052c13db44e207da64a826bfcf2c45cf4c25a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 15:26:36 -0600 +Subject: vfio/pci: Clear error and request eventfd ctx after releasing + +From: Alex Williamson + +[ Upstream commit 5c5866c593bbd444d0339ede6a8fb5f14ff66d72 ] + +The next use of the device will generate an underflow from the +stale reference. + +Cc: Qian Cai +Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx") +Reported-by: Daniel Wagner +Reviewed-by: Cornelia Huck +Tested-by: Daniel Wagner +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index ab765770e8dd6..662ea7ec82926 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -255,10 +255,14 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); +- if (vdev->err_trigger) ++ if (vdev->err_trigger) { + eventfd_ctx_put(vdev->err_trigger); +- if (vdev->req_trigger) ++ vdev->err_trigger = NULL; ++ } ++ if (vdev->req_trigger) { + eventfd_ctx_put(vdev->req_trigger); ++ vdev->req_trigger = NULL; ++ } + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch b/queue-4.4/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch new file mode 100644 index 00000000000..0d09d6e7e02 --- /dev/null +++ b/queue-4.4/vfio-pci-fix-memory-leaks-of-eventfd-ctx.patch @@ -0,0 +1,67 @@ +From 9674757912996936e2af56e73619190f7f088575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 00:34:50 -0400 +Subject: vfio/pci: fix memory leaks of eventfd ctx + +From: Qian Cai + +[ Upstream commit 1518ac272e789cae8c555d69951b032a275b7602 ] + +Finished a qemu-kvm (-device vfio-pci,host=0001:01:00.0) triggers a few +memory leaks after a while because vfio_pci_set_ctx_trigger_single() +calls eventfd_ctx_fdget() without the matching eventfd_ctx_put() later. +Fix it by calling eventfd_ctx_put() for those memory in +vfio_pci_release() before vfio_device_release(). + +unreferenced object 0xebff008981cc2b00 (size 128): + comm "qemu-kvm", pid 4043, jiffies 4294994816 (age 9796.310s) + hex dump (first 32 bytes): + 01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c + [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4 + [<000000005fcec025>] do_eventfd+0x54/0x1ac + [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44 + [<00000000b819758c>] do_el0_svc+0x128/0x1dc + [<00000000b244e810>] el0_sync_handler+0xd0/0x268 + [<00000000d495ef94>] el0_sync+0x164/0x180 +unreferenced object 0x29ff008981cc4180 (size 128): + comm "qemu-kvm", pid 4043, jiffies 4294994818 (age 9796.290s) + hex dump (first 32 bytes): + 01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c + [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4 + [<000000005fcec025>] do_eventfd+0x54/0x1ac + [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44 + [<00000000b819758c>] do_el0_svc+0x128/0x1dc + [<00000000b244e810>] el0_sync_handler+0xd0/0x268 + [<00000000d495ef94>] el0_sync+0x164/0x180 + +Signed-off-by: Qian Cai +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 7a82735d53087..ab765770e8dd6 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -255,6 +255,10 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ if (vdev->err_trigger) ++ eventfd_ctx_put(vdev->err_trigger); ++ if (vdev->req_trigger) ++ eventfd_ctx_put(vdev->req_trigger); + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch b/queue-4.4/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch new file mode 100644 index 00000000000..1048df40705 --- /dev/null +++ b/queue-4.4/vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch @@ -0,0 +1,122 @@ +From 32b7ddf8b5b042908454780900433b377ee0b8b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jul 2020 15:34:41 +0800 +Subject: vfio/pci: fix racy on error and request eventfd ctx + +From: Zeng Tao + +[ Upstream commit b872d0640840018669032b20b6375a478ed1f923 ] + +The vfio_pci_release call will free and clear the error and request +eventfd ctx while these ctx could be in use at the same time in the +function like vfio_pci_request, and it's expected to protect them under +the vdev->igate mutex, which is missing in vfio_pci_release. + +This issue is introduced since commit 1518ac272e78 ("vfio/pci: fix memory +leaks of eventfd ctx"),and since commit 5c5866c593bb ("vfio/pci: Clear +error and request eventfd ctx after releasing"), it's very easily to +trigger the kernel panic like this: + +[ 9513.904346] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 +[ 9513.913091] Mem abort info: +[ 9513.915871] ESR = 0x96000006 +[ 9513.918912] EC = 0x25: DABT (current EL), IL = 32 bits +[ 9513.924198] SET = 0, FnV = 0 +[ 9513.927238] EA = 0, S1PTW = 0 +[ 9513.930364] Data abort info: +[ 9513.933231] ISV = 0, ISS = 0x00000006 +[ 9513.937048] CM = 0, WnR = 0 +[ 9513.940003] user pgtable: 4k pages, 48-bit VAs, pgdp=0000007ec7d12000 +[ 9513.946414] [0000000000000008] pgd=0000007ec7d13003, p4d=0000007ec7d13003, pud=0000007ec728c003, pmd=0000000000000000 +[ 9513.956975] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 9513.962521] Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio hclge hns3 hnae3 [last unloaded: vfio_pci] +[ 9513.972998] CPU: 4 PID: 1327 Comm: bash Tainted: G W 5.8.0-rc4+ #3 +[ 9513.980443] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B270.01 05/08/2020 +[ 9513.989274] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) +[ 9513.994827] pc : _raw_spin_lock_irqsave+0x48/0x88 +[ 9513.999515] lr : eventfd_signal+0x6c/0x1b0 +[ 9514.003591] sp : ffff800038a0b960 +[ 9514.006889] x29: ffff800038a0b960 x28: ffff007ef7f4da10 +[ 9514.012175] x27: ffff207eefbbfc80 x26: ffffbb7903457000 +[ 9514.017462] x25: ffffbb7912191000 x24: ffff007ef7f4d400 +[ 9514.022747] x23: ffff20be6e0e4c00 x22: 0000000000000008 +[ 9514.028033] x21: 0000000000000000 x20: 0000000000000000 +[ 9514.033321] x19: 0000000000000008 x18: 0000000000000000 +[ 9514.038606] x17: 0000000000000000 x16: ffffbb7910029328 +[ 9514.043893] x15: 0000000000000000 x14: 0000000000000001 +[ 9514.049179] x13: 0000000000000000 x12: 0000000000000002 +[ 9514.054466] x11: 0000000000000000 x10: 0000000000000a00 +[ 9514.059752] x9 : ffff800038a0b840 x8 : ffff007ef7f4de60 +[ 9514.065038] x7 : ffff007fffc96690 x6 : fffffe01faffb748 +[ 9514.070324] x5 : 0000000000000000 x4 : 0000000000000000 +[ 9514.075609] x3 : 0000000000000000 x2 : 0000000000000001 +[ 9514.080895] x1 : ffff007ef7f4d400 x0 : 0000000000000000 +[ 9514.086181] Call trace: +[ 9514.088618] _raw_spin_lock_irqsave+0x48/0x88 +[ 9514.092954] eventfd_signal+0x6c/0x1b0 +[ 9514.096691] vfio_pci_request+0x84/0xd0 [vfio_pci] +[ 9514.101464] vfio_del_group_dev+0x150/0x290 [vfio] +[ 9514.106234] vfio_pci_remove+0x30/0x128 [vfio_pci] +[ 9514.111007] pci_device_remove+0x48/0x108 +[ 9514.115001] device_release_driver_internal+0x100/0x1b8 +[ 9514.120200] device_release_driver+0x28/0x38 +[ 9514.124452] pci_stop_bus_device+0x68/0xa8 +[ 9514.128528] pci_stop_and_remove_bus_device+0x20/0x38 +[ 9514.133557] pci_iov_remove_virtfn+0xb4/0x128 +[ 9514.137893] sriov_disable+0x3c/0x108 +[ 9514.141538] pci_disable_sriov+0x28/0x38 +[ 9514.145445] hns3_pci_sriov_configure+0x48/0xb8 [hns3] +[ 9514.150558] sriov_numvfs_store+0x110/0x198 +[ 9514.154724] dev_attr_store+0x44/0x60 +[ 9514.158373] sysfs_kf_write+0x5c/0x78 +[ 9514.162018] kernfs_fop_write+0x104/0x210 +[ 9514.166010] __vfs_write+0x48/0x90 +[ 9514.169395] vfs_write+0xbc/0x1c0 +[ 9514.172694] ksys_write+0x74/0x100 +[ 9514.176079] __arm64_sys_write+0x24/0x30 +[ 9514.179987] el0_svc_common.constprop.4+0x110/0x200 +[ 9514.184842] do_el0_svc+0x34/0x98 +[ 9514.188144] el0_svc+0x14/0x40 +[ 9514.191185] el0_sync_handler+0xb0/0x2d0 +[ 9514.195088] el0_sync+0x140/0x180 +[ 9514.198389] Code: b9001020 d2800000 52800022 f9800271 (885ffe61) +[ 9514.204455] ---[ end trace 648de00c8406465f ]--- +[ 9514.212308] note: bash[1327] exited with preempt_count 1 + +Cc: Qian Cai +Cc: Alex Williamson +Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx") +Signed-off-by: Zeng Tao +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 662ea7ec82926..8276ef7f3e834 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -255,14 +255,19 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ mutex_lock(&vdev->igate); + if (vdev->err_trigger) { + eventfd_ctx_put(vdev->err_trigger); + vdev->err_trigger = NULL; + } ++ mutex_unlock(&vdev->igate); ++ ++ mutex_lock(&vdev->igate); + if (vdev->req_trigger) { + eventfd_ctx_put(vdev->req_trigger); + vdev->req_trigger = NULL; + } ++ mutex_unlock(&vdev->igate); + } + + mutex_unlock(&driver_lock); +-- +2.25.1 + diff --git a/queue-4.4/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch b/queue-4.4/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch new file mode 100644 index 00000000000..503576b035c --- /dev/null +++ b/queue-4.4/x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch @@ -0,0 +1,48 @@ +From ec4a01b2716d70e1a09599810361f618f9bea29e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 12:49:18 +0100 +Subject: x86/speculation/mds: Mark mds_user_clear_cpu_buffers() + __always_inline + +From: Thomas Gleixner + +[ Upstream commit a7ef9ba986b5fae9d80f8a7b31db0423687efe4e ] + +Prevent the compiler from uninlining and creating traceable/probable +functions as this is invoked _after_ context tracking switched to +CONTEXT_USER and rcu idle. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Alexandre Chartre +Acked-by: Peter Zijlstra +Link: https://lkml.kernel.org/r/20200505134340.902709267@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/nospec-branch.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 664e8505ccd63..2f84887e8934c 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -275,7 +275,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear); + * combination with microcode which triggers a CPU buffer flush when the + * instruction is executed. + */ +-static inline void mds_clear_cpu_buffers(void) ++static __always_inline void mds_clear_cpu_buffers(void) + { + static const u16 ds = __KERNEL_DS; + +@@ -296,7 +296,7 @@ static inline void mds_clear_cpu_buffers(void) + * + * Clear CPU buffers if the corresponding static key is enabled + */ +-static inline void mds_user_clear_cpu_buffers(void) ++static __always_inline void mds_user_clear_cpu_buffers(void) + { + if (static_branch_likely(&mds_user_clear)) + mds_clear_cpu_buffers(); +-- +2.25.1 + diff --git a/queue-4.4/xfs-fix-attr-leaf-header-freemap.size-underflow.patch b/queue-4.4/xfs-fix-attr-leaf-header-freemap.size-underflow.patch new file mode 100644 index 00000000000..5a1856ed5d7 --- /dev/null +++ b/queue-4.4/xfs-fix-attr-leaf-header-freemap.size-underflow.patch @@ -0,0 +1,59 @@ +From 89f6704c8abcb2df40328af3f173de3b79583b56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 21:15:08 -0800 +Subject: xfs: fix attr leaf header freemap.size underflow + +From: Brian Foster + +[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ] + +The leaf format xattr addition helper xfs_attr3_leaf_add_work() +adjusts the block freemap in a couple places. The first update drops +the size of the freemap that the caller had already selected to +place the xattr name/value data. Before the function returns, it +also checks whether the entries array has encroached on a freemap +range by virtue of the new entry addition. This is necessary because +the entries array grows from the start of the block (but end of the +block header) towards the end of the block while the name/value data +grows from the end of the block in the opposite direction. If the +associated freemap is already empty, however, size is zero and the +subtraction underflows the field and causes corruption. + +This is reproduced rarely by generic/070. The observed behavior is +that a smaller sized freemap is aligned to the end of the entries +list, several subsequent xattr additions land in larger freemaps and +the entries list expands into the smaller freemap until it is fully +consumed and then underflows. Note that it is not otherwise a +corruption for the entries array to consume an empty freemap because +the nameval list (i.e. the firstused pointer in the xattr header) +starts beyond the end of the corrupted freemap. + +Update the freemap size modification to account for the fact that +the freemap entry can be empty and thus stale. + +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index da8747b870df3..4539ff4d351f9 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -1326,7 +1326,9 @@ xfs_attr3_leaf_add_work( + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { + if (ichdr->freemap[i].base == tmp) { + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); ++ ichdr->freemap[i].size -= ++ min_t(uint16_t, ichdr->freemap[i].size, ++ sizeof(xfs_attr_leaf_entry_t)); + } + } + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); +-- +2.25.1 +