From: Sasha Levin Date: Tue, 17 Dec 2019 15:29:46 +0000 (-0500) Subject: fixes for 5.4 X-Git-Tag: v5.4.4~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e10addfbcc3eec7939e306ae4184a571eeed5901;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch b/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch new file mode 100644 index 00000000000..f5db5a0fbf9 --- /dev/null +++ b/queue-5.4/edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch @@ -0,0 +1,75 @@ +From 690a32e5298ee4fc3344cc594ea46584b6e00baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 21:36:57 +0000 +Subject: EDAC/ghes: Do not warn when incrementing refcount on 0 + +From: Robert Richter + +[ Upstream commit 16214bd9e43a31683a7073664b000029bba00354 ] + +The following warning from the refcount framework is seen during ghes +initialization: + + EDAC MC0: Giving out device to module ghes_edac.c controller ghes_edac: DEV ghes (INTERRUPT) + ------------[ cut here ]------------ + refcount_t: increment on 0; use-after-free. + WARNING: CPU: 36 PID: 1 at lib/refcount.c:156 refcount_inc_checked + [...] + Call trace: + refcount_inc_checked + ghes_edac_register + ghes_probe + ... + +It warns if the refcount is incremented from zero. This warning is +reasonable as a kernel object is typically created with a refcount of +one and freed once the refcount is zero. Afterwards the object would be +"used-after-free". + +For GHES, the refcount is initialized with zero, and that is why this +message is seen when initializing the first instance. However, whenever +the refcount is zero, the device will be allocated and registered. Since +the ghes_reg_mutex protects the refcount and serializes allocation and +freeing of ghes devices, a use-after-free cannot happen here. + +Instead of using refcount_inc() for the first instance, use +refcount_set(). This can be used here because the refcount is zero at +this point and can not change due to its protection by the mutex. + +Fixes: 23f61b9fc5cc ("EDAC/ghes: Fix locking and memory barrier issues") +Reported-by: John Garry +Signed-off-by: Robert Richter +Signed-off-by: Borislav Petkov +Tested-by: John Garry +Cc: +Cc: James Morse +Cc: +Cc: linux-edac +Cc: Mauro Carvalho Chehab +Cc: +Cc: Tony Luck +Cc: +Link: https://lkml.kernel.org/r/20191121213628.21244-1-rrichter@marvell.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ghes_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c +index f6f6a688c009d..296e714bf5532 100644 +--- a/drivers/edac/ghes_edac.c ++++ b/drivers/edac/ghes_edac.c +@@ -566,8 +566,8 @@ int ghes_edac_register(struct ghes *ghes, struct device *dev) + ghes_pvt = pvt; + spin_unlock_irqrestore(&ghes_lock, flags); + +- /* only increment on success */ +- refcount_inc(&ghes_refcount); ++ /* only set on success */ ++ refcount_set(&ghes_refcount, 1); + + unlock: + mutex_unlock(&ghes_reg_mutex); +-- +2.20.1 + diff --git a/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch b/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch new file mode 100644 index 00000000000..a29fc87789d --- /dev/null +++ b/queue-5.4/r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch @@ -0,0 +1,39 @@ +From c0236499dd287d9c649b8294ef2fbdc417701982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2019 22:21:52 +0100 +Subject: r8169: fix rtl_hw_jumbo_disable for RTL8168evl + +From: Heiner Kallweit + +[ Upstream commit 0fc75219fe9a3c90631453e9870e4f6d956f0ebc ] + +In referenced fix we removed the RTL8168e-specific jumbo config for +RTL8168evl in rtl_hw_jumbo_enable(). We have to do the same in +rtl_hw_jumbo_disable(). + +v2: fix referenced commit id + +Fixes: 14012c9f3bb9 ("r8169: fix jumbo configuration for RTL8168evl") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 1d67eeeab79d6..235d51ea4d397 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4145,7 +4145,7 @@ static void rtl_hw_jumbo_disable(struct rtl8169_private *tp) + case RTL_GIGA_MAC_VER_27 ... RTL_GIGA_MAC_VER_28: + r8168dp_hw_jumbo_disable(tp); + break; +- case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_34: ++ case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_33: + r8168e_hw_jumbo_disable(tp); + break; + default: +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series index ac294b435a0..70f2c31a6e6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -177,3 +177,5 @@ ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch ext4-fix-leak-of-quota-reservations.patch blk-mq-make-sure-that-line-break-can-be-printed.patch workqueue-fix-missing-kfree-rescuer-in-destroy_workqueue.patch +r8169-fix-rtl_hw_jumbo_disable-for-rtl8168evl.patch +edac-ghes-do-not-warn-when-incrementing-refcount-on-.patch