From 42042f4cc96da92812f579a94a47cb1786e60fcf Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 27 Feb 2020 11:15:03 +0100 Subject: [PATCH] 4.19-stable patches added patches: bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch ecryptfs-replace-bug_on-with-error-handling-code.patch genirq-proc-reject-invalid-affinity-masks-again.patch iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch revert-dmaengine-imx-sdma-fix-memory-leak.patch scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch staging-rtl8723bs-fix-copy-of-overlapping-memory.patch usb-dwc2-fix-in-isoc-request-length-checking.patch usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch --- ...al-and-in-bpf_prog_offload_info_fill.patch | 37 +++++ ...lace-bug_on-with-error-handling-code.patch | 39 ++++++ ...-reject-invalid-affinity-masks-again.patch | 128 ++++++++++++++++++ ...fix-compile-warning-from-intel-svm.h.patch | 41 ++++++ ...only-when-apicv-is-globally-disabled.patch | 122 ----------------- ...t-dmaengine-imx-sdma-fix-memory-leak.patch | 70 ++++++++++ ...roduced-regression-related-to-logout.patch | 77 +++++++++++ ...s-to-finish-before-freeing-a-session.patch | 70 ++++++++++ queue-4.19/series | 12 +- ...-free-in-gb_audio_manager_remove_all.patch | 36 +++++ ...723bs-fix-copy-of-overlapping-memory.patch | 45 ++++++ ...-fix-in-isoc-request-length-checking.patch | 49 +++++++ ...ite-fix-bmaxpower-for-superspeedplus.patch | 43 ++++++ 13 files changed, 646 insertions(+), 123 deletions(-) create mode 100644 queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch create mode 100644 queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch create mode 100644 queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch create mode 100644 queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch 
delete mode 100644 queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch create mode 100644 queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch create mode 100644 queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch create mode 100644 queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch create mode 100644 queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch create mode 100644 queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch create mode 100644 queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch create mode 100644 queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
diff --git a/queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch b/queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
new file mode 100644
index 00000000000..7b5abd967cd
--- /dev/null
+++ b/queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
@@ -0,0 +1,37 @@
+From e20d3a055a457a10a4c748ce5b7c2ed3173a1324 Mon Sep 17 00:00:00 2001
+From: Johannes Krude
+Date: Wed, 12 Feb 2020 20:32:27 +0100
+Subject: bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
+
+From: Johannes Krude
+
+commit e20d3a055a457a10a4c748ce5b7c2ed3173a1324 upstream.
+
+This if guards whether user-space wants a copy of the offload-jited
+bytecode and whether this bytecode exists. By erroneously doing a bitwise
+AND instead of a logical AND on user- and kernel-space buffer-size can lead
+to no data being copied to user-space especially when user-space size is a
+power of two and bigger then the kernel-space buffer.
+
+Fixes: fcfb126defda ("bpf: add new jited info fields in bpf_dev_offload and bpf_prog_info")
+Signed-off-by: Johannes Krude
+Signed-off-by: Daniel Borkmann
+Acked-by: Jakub Kicinski
+Link: https://lore.kernel.org/bpf/20200212193227.GA3769@phlox.h.transitiv.net
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/bpf/offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/offload.c
++++ b/kernel/bpf/offload.c
+@@ -289,7 +289,7 @@ int bpf_prog_offload_info_fill(struct bp
+
+ ulen = info->jited_prog_len;
+ info->jited_prog_len = aux->offload->jited_len;
+- if (info->jited_prog_len & ulen) {
++ if (info->jited_prog_len && ulen) {
+ uinsns = u64_to_user_ptr(info->jited_prog_insns);
+ ulen = min_t(u32, info->jited_prog_len, ulen);
+ if (copy_to_user(uinsns, aux->offload->jited_image, ulen)) {
diff --git a/queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch b/queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch
new file mode 100644
index 00000000000..46bd4335155
--- /dev/null
+++ b/queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch
@@ -0,0 +1,39 @@
+From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki
+Date: Fri, 14 Feb 2020 12:21:01 -0600
+Subject: ecryptfs: replace BUG_ON with error handling code
+
+From: Aditya Pakki
+
+commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream.
+
+In crypt_scatterlist, if the crypt_stat argument is not set up
+correctly, the kernel crashes. Instead, by returning an error code
+upstream, the error is handled safely.
+
+The issue is detected via a static analysis tool written by us.
+
+Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig)
+Signed-off-by: Aditya Pakki
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/crypto.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -325,8 +325,10 @@ static int crypt_scatterlist(struct ecry
+ struct extent_crypt_result ecr;
+ int rc = 0;
+
+- BUG_ON(!crypt_stat || !crypt_stat->tfm
+- || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
++ if (!crypt_stat || !crypt_stat->tfm
++ || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED))
++ return -EINVAL;
++
+ if (unlikely(ecryptfs_verbosity > 0)) {
+ ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
+ crypt_stat->key_size);
diff --git a/queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch b/queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch
new file mode 100644
index 00000000000..d7d59605e6a
--- /dev/null
+++ b/queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch
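Review bot: The new early return in crypt_scatterlist() fails silently: where BUG_ON() stopped on a NULL crypt_stat, a missing tfm or an unset ECRYPTFS_STRUCT_INITIALIZED flag, the caller now gets a bare -EINVAL with nothing in the log to say which precondition was violated. This state points to a kernel-side programming error rather than bad user input, so a rate-limited or one-time error message ahead of `return -EINVAL;` (the hunk already uses `ecryptfs_printk()` for the debug path) would keep it diagnosable. The check must also stay ahead of the verbosity block, which dereferences `crypt_stat->key_size`. The rest of the function and its callers are outside the hunk, so whether every caller propagates the error instead of continuing with unencrypted or stale data should be confirmed.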
@@ -0,0 +1,128 @@
+From cba6437a1854fde5934098ec3bd0ee83af3129f5 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Wed, 12 Feb 2020 12:19:41 +0100
+Subject: genirq/proc: Reject invalid affinity masks (again)
+
+From: Thomas Gleixner
+
+commit cba6437a1854fde5934098ec3bd0ee83af3129f5 upstream.
+
+Qian Cai reported that the WARN_ON() in the x86/msi affinity setting code,
+which catches cases where the affinity setting is not done on the CPU which
+is the current target of the interrupt, triggers during CPU hotplug stress
+testing.
+
+It turns out that the warning which was added with the commit addressing
+the MSI affinity race unearthed yet another long standing bug.
+
+If user space writes a bogus affinity mask, i.e. it contains no online CPUs,
+then it calls irq_select_affinity_usr(). This was introduced for ALPHA in
+
+ eee45269b0f5 ("[PATCH] Alpha: convert to generic irq framework (generic part)")
+
+and subsequently made available for all architectures in
+
+ 18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+
+which introduced the circumvention of the affinity setting restrictions for
+interrupt which cannot be moved in process context.
+
+The whole exercise is bogus in various aspects:
+
+ 1) If the interrupt is already started up then there is absolutely
+ no point to honour a bogus interrupt affinity setting from user
+ space. The interrupt is already assigned to an online CPU and it
+ does not make any sense to reassign it to some other randomly
+ chosen online CPU.
+
+ 2) If the interupt is not yet started up then there is no point
+ either. A subsequent startup of the interrupt will invoke
+ irq_setup_affinity() anyway which will chose a valid target CPU.
+
+So the only correct solution is to just return -EINVAL in case user space
+wrote an affinity mask which does not contain any online CPUs, except for
+ALPHA which has it's own magic sauce for this.
+
+Fixes: 18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+Reported-by: Qian Cai
+Signed-off-by: Thomas Gleixner
+Tested-by: Qian Cai
+Link: https://lkml.kernel.org/r/878sl8xdbm.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/irq/internals.h | 2 --
+ kernel/irq/manage.c | 18 ++----------------
+ kernel/irq/proc.c | 22 ++++++++++++++++++++++
+ 3 files changed, 24 insertions(+), 18 deletions(-)
+
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -126,8 +126,6 @@ static inline void unregister_handler_pr
+
+ extern bool irq_can_set_affinity_usr(unsigned int irq);
+
+-extern int irq_select_affinity_usr(unsigned int irq);
+-
+ extern void irq_set_thread_affinity(struct irq_desc *desc);
+
+ extern int irq_do_set_affinity(struct irq_data *data,
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -441,23 +441,9 @@ int irq_setup_affinity(struct irq_desc *
+ {
+ return irq_select_affinity(irq_desc_get_irq(desc));
+ }
+-#endif
++#endif /* CONFIG_AUTO_IRQ_AFFINITY */
++#endif /* CONFIG_SMP */
+
+-/*
+- * Called when a bogus affinity is set via /proc/irq
+- */
+-int irq_select_affinity_usr(unsigned int irq)
+-{
+- struct irq_desc *desc = irq_to_desc(irq);
+- unsigned long flags;
+- int ret;
+-
+- raw_spin_lock_irqsave(&desc->lock, flags);
+- ret = irq_setup_affinity(desc);
+- raw_spin_unlock_irqrestore(&desc->lock, flags);
+- return ret;
+-}
+-#endif
+
+ /**
+ * irq_set_vcpu_affinity - Set vcpu affinity for the interrupt
+--- a/kernel/irq/proc.c
++++ b/kernel/irq/proc.c
+@@ -115,6 +115,28 @@ static int irq_affinity_list_proc_show(s
+ return show_irq_affinity(AFFINITY_LIST, m);
+ }
+
++#ifndef CONFIG_AUTO_IRQ_AFFINITY
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++ /*
++ * If the interrupt is started up already then this fails. The
++ * interrupt is assigned to an online CPU already. There is no
++ * point to move it around randomly. Tell user space that the
++ * selected mask is bogus.
++ *
++ * If not then any change to the affinity is pointless because the
++ * startup code invokes irq_setup_affinity() which will select
++ * a online CPU anyway.
++ */
++ return -EINVAL;
++}
++#else
++/* ALPHA magic affinity auto selector. Keep it for historical reasons. */
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++ return irq_select_affinity(irq);
++}
++#endif
+
+ static ssize_t write_irq_affinity(int type, struct file *file,
+ const char __user *buffer, size_t count, loff_t *pos)
diff --git a/queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch b/queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
new file mode 100644
index 00000000000..53df956074f
--- /dev/null
+++ b/queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
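Review bot: The CONFIG_AUTO_IRQ_AFFINITY variant of irq_select_affinity_usr() added to kernel/irq/proc.c calls `irq_select_affinity(irq)` with no locking, whereas the helper removed from kernel/irq/manage.c reached the same function through irq_setup_affinity() with `desc->lock` held via raw_spin_lock_irqsave(). Whether the architecture implementation depends on that lock cannot be seen from these hunks, so this may well be intended, but the one-line comment above the function only says it is kept for historical reasons. A sentence there stating that desc->lock is deliberately no longer taken, or taking it again if it is needed, would settle the question for the next reader. The caller, write_irq_affinity(), starts after the last line of the hunk.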
@@ -0,0 +1,41 @@
+From e7598fac323aad0e502415edeffd567315994dd6 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Mon, 10 Feb 2020 10:36:56 +0100
+Subject: iommu/vt-d: Fix compile warning from intel-svm.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joerg Roedel
+
+commit e7598fac323aad0e502415edeffd567315994dd6 upstream.
+
+The intel_svm_is_pasid_valid() needs to be marked inline, otherwise it
+causes the compile warning below:
+
+ CC [M] drivers/dma/idxd/cdev.o
+In file included from drivers/dma/idxd/cdev.c:9:0:
+./include/linux/intel-svm.h:125:12: warning: ‘intel_svm_is_pasid_valid’ defined but not used [-Wunused-function]
+ static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+ ^~~~~~~~~~~~~~~~~~~~~~~~
+
+Reported-by: Borislav Petkov
+Fixes: 15060aba71711 ('iommu/vt-d: Helper function to query if a pasid has any active users')
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/intel-svm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/intel-svm.h
++++ b/include/linux/intel-svm.h
+@@ -130,7 +130,7 @@ static inline int intel_svm_unbind_mm(st
+ BUG();
+ }
+
+-static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
++static inline int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+ {
+ return -EINVAL;
+ }
diff --git a/queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch b/queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch
deleted file mode 100644
index 122351d347f..00000000000
--- a/queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -From a4443267800af240072280c44521caab61924e55 Mon Sep 17 00:00:00 2001 -From: Vitaly Kuznetsov -Date: Thu, 20 Feb 2020 18:22:04 +0100 -Subject: KVM: nVMX: clear PIN_BASED_POSTED_INTR from nested pinbased_ctls only when apicv is globally disabled - -From: Vitaly Kuznetsov - -commit a4443267800af240072280c44521caab61924e55 upstream. - -When apicv is disabled on a vCPU (e.g. by enabling KVM_CAP_HYPERV_SYNIC*), -nothing happens to VMX MSRs on the already existing vCPUs, however, all new -ones are created with PIN_BASED_POSTED_INTR filtered out. This is very -confusing and results in the following picture inside the guest: - -$ rdmsr -ax 0x48d -ff00000016 -7f00000016 -7f00000016 -7f00000016 - -This is observed with QEMU and 4-vCPU guest: QEMU creates vCPU0, does -KVM_CAP_HYPERV_SYNIC2 and then creates the remaining three. - -L1 hypervisor may only check CPU0's controls to find out what features -are available and it will be very confused later. Switch to setting -PIN_BASED_POSTED_INTR control based on global 'enable_apicv' setting. 
- -Signed-off-by: Vitaly Kuznetsov -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kvm/vmx/capabilities.h | 1 + - arch/x86/kvm/vmx/nested.c | 5 ++--- - arch/x86/kvm/vmx/nested.h | 3 +-- - arch/x86/kvm/vmx/vmx.c | 10 ++++------ - 4 files changed, 8 insertions(+), 11 deletions(-) - ---- a/arch/x86/kvm/vmx/capabilities.h -+++ b/arch/x86/kvm/vmx/capabilities.h -@@ -12,6 +12,7 @@ extern bool __read_mostly enable_ept; - extern bool __read_mostly enable_unrestricted_guest; - extern bool __read_mostly enable_ept_ad_bits; - extern bool __read_mostly enable_pml; -+extern bool __read_mostly enable_apicv; - extern int __read_mostly pt_mode; - - #define PT_MODE_SYSTEM 0 ---- a/arch/x86/kvm/vmx/nested.c -+++ b/arch/x86/kvm/vmx/nested.c -@@ -5979,8 +5979,7 @@ void nested_vmx_set_vmcs_shadowing_bitma - * bit in the high half is on if the corresponding bit in the control field - * may be on. See also vmx_control_verify(). - */ --void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps, -- bool apicv) -+void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps) - { - /* - * Note that as a general rule, the high half of the MSRs (bits in -@@ -6007,7 +6006,7 @@ void nested_vmx_setup_ctls_msrs(struct n - PIN_BASED_EXT_INTR_MASK | - PIN_BASED_NMI_EXITING | - PIN_BASED_VIRTUAL_NMIS | -- (apicv ? PIN_BASED_POSTED_INTR : 0); -+ (enable_apicv ? 
PIN_BASED_POSTED_INTR : 0); - msrs->pinbased_ctls_high |= - PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR | - PIN_BASED_VMX_PREEMPTION_TIMER; ---- a/arch/x86/kvm/vmx/nested.h -+++ b/arch/x86/kvm/vmx/nested.h -@@ -17,8 +17,7 @@ enum nvmx_vmentry_status { - }; - - void vmx_leave_nested(struct kvm_vcpu *vcpu); --void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps, -- bool apicv); -+void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps); - void nested_vmx_hardware_unsetup(void); - __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *)); - void nested_vmx_set_vmcs_shadowing_bitmap(void); ---- a/arch/x86/kvm/vmx/vmx.c -+++ b/arch/x86/kvm/vmx/vmx.c -@@ -95,7 +95,7 @@ module_param(emulate_invalid_guest_state - static bool __read_mostly fasteoi = 1; - module_param(fasteoi, bool, S_IRUGO); - --static bool __read_mostly enable_apicv = 1; -+bool __read_mostly enable_apicv = 1; - module_param(enable_apicv, bool, S_IRUGO); - - /* -@@ -6803,8 +6803,7 @@ static struct kvm_vcpu *vmx_create_vcpu( - - if (nested) - nested_vmx_setup_ctls_msrs(&vmx->nested.msrs, -- vmx_capability.ept, -- kvm_vcpu_apicv_active(&vmx->vcpu)); -+ vmx_capability.ept); - else - memset(&vmx->nested.msrs, 0, sizeof(vmx->nested.msrs)); - -@@ -6884,8 +6883,7 @@ static int __init vmx_check_processor_co - if (setup_vmcs_config(&vmcs_conf, &vmx_cap) < 0) - return -EIO; - if (nested) -- nested_vmx_setup_ctls_msrs(&vmcs_conf.nested, vmx_cap.ept, -- enable_apicv); -+ nested_vmx_setup_ctls_msrs(&vmcs_conf.nested, vmx_cap.ept); - if (memcmp(&vmcs_config, &vmcs_conf, sizeof(struct vmcs_config)) != 0) { - printk(KERN_ERR "kvm: CPU %d feature inconsistency!\n", - smp_processor_id()); -@@ -7792,7 +7790,7 @@ static __init int hardware_setup(void) - - if (nested) { - nested_vmx_setup_ctls_msrs(&vmcs_config.nested, -- vmx_capability.ept, enable_apicv); -+ vmx_capability.ept); - - r = nested_vmx_hardware_setup(kvm_vmx_exit_handlers); - if (r) 
diff --git a/queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch b/queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch
new file mode 100644
index 00000000000..509d2d3978d
--- /dev/null
+++ b/queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch
@@ -0,0 +1,70 @@
+From 495d2bbb11d2842917951961abb06e6ba45af6ae Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 27 Feb 2020 10:45:54 +0100
+Subject: Revert "dmaengine: imx-sdma: Fix memory leak"
+
+From: Greg Kroah-Hartman
+
+This reverts commit af8eca600b408a0e59d2848dfcfad60413f626a9 which is
+commit 02939cd167095f16328a1bd5cab5a90b550606df upstream.
+
+Andreas writes:
+ This patch breaks our imx6 board with the attached trace.
+ Reverting the patch makes it boot again.
+
+Reported-by: Andreas Tobler
+Cc: Sascha Hauer
+Cc: Robin Gong
+Cc: Vinod Koul
+Cc: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/imx-sdma.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -738,8 +738,12 @@ static void sdma_start_desc(struct sdma_
+ return;
+ }
+ sdmac->desc = desc = to_sdma_desc(&vd->tx);
+-
+- list_del(&vd->node);
++ /*
++ * Do not delete the node in desc_issued list in cyclic mode, otherwise
++ * the desc allocated will never be freed in vchan_dma_desc_free_list
++ */
++ if (!(sdmac->flags & IMX_DMA_SG_LOOP))
++ list_del(&vd->node);
+
+ sdma->channel_control[channel].base_bd_ptr = desc->bd_phys;
+ sdma->channel_control[channel].current_bd_ptr = desc->bd_phys;
+@@ -1040,6 +1044,7 @@ static void sdma_channel_terminate_work(
+
+ spin_lock_irqsave(&sdmac->vc.lock, flags);
+ vchan_get_all_descriptors(&sdmac->vc, &head);
++ sdmac->desc = NULL;
+ spin_unlock_irqrestore(&sdmac->vc.lock, flags);
+ vchan_dma_desc_free_list(&sdmac->vc, &head);
+ }
+@@ -1047,19 +1052,11 @@ static void sdma_channel_terminate_work(
+ static int sdma_disable_channel_async(struct dma_chan *chan)
+ {
+ struct sdma_channel *sdmac = to_sdma_chan(chan);
+- unsigned long flags;
+-
+- spin_lock_irqsave(&sdmac->vc.lock, flags);
+
+ sdma_disable_channel(chan);
+
+- if (sdmac->desc) {
+- vchan_terminate_vdesc(&sdmac->desc->vd);
+- sdmac->desc = NULL;
++ if (sdmac->desc)
+ schedule_work(&sdmac->terminate_worker);
+- }
+-
+- spin_unlock_irqrestore(&sdmac->vc.lock, flags);
+
+ return 0;
+ }
diff --git a/queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch b/queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
new file mode 100644
index 00000000000..e2c8235b2ab
--- /dev/null
+++ b/queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
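Review bot: After this revert sdma_disable_channel_async() tests `sdmac->desc` without holding `sdmac->vc.lock`, while sdma_channel_terminate_work() clears the same pointer under that lock, so the test can race with the worker and, presumably, with any other path that updates sdmac->desc outside these hunks. The revert also removes the vchan_terminate_vdesc() call, so the leak named in the reverted commit's title is presumably present again in 4.19. Both may be an acceptable trade for restoring boot on the reported imx6 board, but the description records neither, and a follow-up fix should be tracked. At minimum the unlocked test deserves a comment saying it is a best-effort check and that the worker does the real teardown under vc.lock.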
@@ -0,0 +1,77 @@
+From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Wed, 12 Feb 2020 21:08:59 -0800
+Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
+
+From: Bart Van Assche
+
+commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream.
+
+Since commit 04060db41178 introduces soft lockups when toggling network
+interfaces, revert it.
+
+Link: https://marc.info/?l=target-devel&m=158157054906196
+Cc: Rahul Kundu
+Cc: Mike Marciniszyn
+Cc: Sagi Grimberg
+Reported-by: Dakshaja Uppalapati
+Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout")
+Signed-off-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 12 ++++++++++++
+ drivers/target/iscsi/iscsi_target.c | 6 +++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2584,6 +2584,17 @@ isert_wait4logout(struct isert_conn *ise
+ }
+ }
+
++static void
++isert_wait4cmds(struct iscsi_conn *conn)
++{
++ isert_info("iscsi_conn %p\n", conn);
++
++ if (conn->sess) {
++ target_sess_cmd_list_set_waiting(conn->sess->se_sess);
++ target_wait_for_sess_cmds(conn->sess->se_sess);
++ }
++}
++
+ /**
+ * isert_put_unsol_pending_cmds() - Drop commands waiting for
+ * unsolicitate dataout
+@@ -2631,6 +2642,7 @@ static void isert_wait_conn(struct iscsi
+
+ ib_drain_qp(isert_conn->qp);
+ isert_put_unsol_pending_cmds(conn);
++ isert_wait4cmds(conn);
+ isert_wait4logout(isert_conn);
+
+ queue_work(isert_release_wq, &isert_conn->release_work);
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4123,6 +4123,9 @@ int iscsit_close_connection(
+ iscsit_stop_nopin_response_timer(conn);
+ iscsit_stop_nopin_timer(conn);
+
++ if (conn->conn_transport->iscsit_wait_conn)
++ conn->conn_transport->iscsit_wait_conn(conn);
++
+ /*
+ * During Connection recovery drop unacknowledged out of order
+ * commands for this connection, and prepare the other commands
+@@ -4208,9 +4211,6 @@ int iscsit_close_connection(
+ target_sess_cmd_list_set_waiting(sess->se_sess);
+ target_wait_for_sess_cmds(sess->se_sess);
+
+- if (conn->conn_transport->iscsit_wait_conn)
+- conn->conn_transport->iscsit_wait_conn(conn);
+-
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+ struct crypto_ahash *tfm;
diff --git a/queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch b/queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
new file mode 100644
index 00000000000..8df16914257
--- /dev/null
+++ b/queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
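Review bot: With only this revert applied, the iSER path waits for session commands twice: the restored isert_wait4cmds() calls target_sess_cmd_list_set_waiting() and target_wait_for_sess_cmds(), and the context lines of the last iscsi_target.c hunk show iscsit_close_connection() still making the same two calls later on. The queue depends on the next entry in the series, scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch, to remove that second pair, so the two reverts should stay adjacent and be applied or dropped together; the description does not state this dependency. Separately, isert_wait4cmds() has no comment while isert_put_unsol_pending_cmds() just below has kernel-doc; a line such as `/* Wait for all outstanding session commands before waiting for logout. */` would match. iscsit_close_connection() extends beyond both of its hunks.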
@@ -0,0 +1,70 @@
+From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Wed, 12 Feb 2020 21:09:00 -0800
+Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
+
+From: Bart Van Assche
+
+commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream.
+
+Since commit e9d3009cb936 introduced a regression and since the fix for
+that regression was not perfect, revert this commit.
+
+Link: https://marc.info/?l=target-devel&m=158157054906195
+Cc: Rahul Kundu
+Cc: Mike Marciniszyn
+Cc: Sagi Grimberg
+Reported-by: Dakshaja Uppalapati
+Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session")
+Signed-off-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target.c | 10 ++--------
+ include/scsi/iscsi_proto.h | 1 -
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1157,9 +1157,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c
+ hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
+ conn->cid);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd,
+ scsilun_to_int(&hdr->lun));
+@@ -2000,9 +1998,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ /*
+ * TASK_REASSIGN for ERL=2 / connection stays inside of
+@@ -4208,8 +4204,6 @@ int iscsit_close_connection(
+ * must wait until they have completed.
+ */
+ iscsit_check_conn_usage_count(conn);
+- target_sess_cmd_list_set_waiting(sess->se_sess);
+- target_wait_for_sess_cmds(sess->se_sess);
+
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+--- a/include/scsi/iscsi_proto.h
++++ b/include/scsi/iscsi_proto.h
+@@ -638,7 +638,6 @@ struct iscsi_reject {
+ #define ISCSI_REASON_BOOKMARK_INVALID 9
+ #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10
+ #define ISCSI_REASON_NEGOTIATION_RESET 11
+-#define ISCSI_REASON_WAITING_FOR_LOGOUT 12
+
+ /* Max. number of Key=Value pairs in a text message */
+ #define MAX_KEY_VALUE_PAIRS 8192
diff --git a/queue-4.19/series b/queue-4.19/series
index ca76de3ce57..5a78ebf76ab 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -76,4 +76,14 @@ btrfs-fix-bytes_may_use-underflow-in-prealloc-error-condtition.patch
 btrfs-reset-fs_root-to-null-on-error-in-open_ctree.patch
 btrfs-do-not-check-delayed-items-are-empty-for-single-transaction-cleanup.patch
 btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patch
-kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch
+revert-dmaengine-imx-sdma-fix-memory-leak.patch
+scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
+scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
+usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
+usb-dwc2-fix-in-isoc-request-length-checking.patch
+staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
+staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
+ecryptfs-replace-bug_on-with-error-handling-code.patch
+iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
+genirq-proc-reject-invalid-affinity-masks-again.patch
+bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
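Review bot: Both restored call sites, in iscsit_setup_scsi_cmd() and iscsit_handle_task_mgt_cmd(), discard the return value of `target_get_sess_cmd(&cmd->se_cmd, true)`, which the removed lines treated as able to fail (`< 0`). When it does fail, the command presumably continues without the session reference the call was meant to take, and the last iscsi_target.c hunk also removes the wait in iscsit_close_connection(), so a command racing with connection teardown is an object-lifetime hazard that should stay on someone's list. Because the revert is deliberate, the decision belongs at the call sites, e.g. `/* Return value ignored on purpose: rejecting the command here caused a regression, see the revert of e9d3009cb936. */`. Both functions and iscsit_close_connection() continue outside the hunks, so how the transport-side wait covers this case cannot be confirmed from here.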
diff --git a/queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch b/queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
new file mode 100644
index 00000000000..44352fe8435
--- /dev/null
+++ b/queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
@@ -0,0 +1,36 @@
+From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 5 Feb 2020 15:32:17 +0300
+Subject: staging: greybus: use after free in gb_audio_manager_remove_all()
+
+From: Dan Carpenter
+
+commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.
+
+When we call kobject_put() and it's the last reference to the kobject
+then it calls gb_audio_module_release() and frees module. We dereference
+"module" on the next line which is a use after free.
+
+Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
+Signed-off-by: Dan Carpenter
+Acked-by: Viresh Kumar
+Reviewed-by: Vaibhav Agarwal
+Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/greybus/audio_manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/greybus/audio_manager.c
++++ b/drivers/staging/greybus/audio_manager.c
+@@ -89,8 +89,8 @@ void gb_audio_manager_remove_all(void)
+
+ list_for_each_entry_safe(module, next, &modules_list, list) {
+ list_del(&module->list);
+- kobject_put(&module->kobj);
+ ida_simple_remove(&module_id, module->id);
++ kobject_put(&module->kobj);
+ }
+
+ is_empty = list_empty(&modules_list);
diff --git a/queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch b/queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
new file mode 100644
index 00000000000..ef255c15b72
--- /dev/null
+++ b/queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
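Review bot: The statement order this fix depends on is not recorded in the loop of gb_audio_manager_remove_all(): `kobject_put(&module->kobj)` may drop the last reference and free `module`, so it has to remain the final use of `module` in the loop body. A comment on that line, e.g. `/* may free module via gb_audio_module_release(); must be the last access */`, would keep a later cleanup from reordering the two calls and bringing the use after free back. The function body continues outside the hunk.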
@@ -0,0 +1,45 @@
+From 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sun, 26 Jan 2020 22:05:49 +0000
+Subject: staging: rtl8723bs: fix copy of overlapping memory
+
+From: Colin Ian King
+
+commit 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 upstream.
+
+Currently the rtw_sprintf prints the contents of thread_name
+onto thread_name and this can lead to a potential copy of a
+string over itself. Avoid this by printing the literal string RTWHALXT
+instread of the contents of thread_name.
+
+Addresses-Coverity: ("copy of overlapping memory")
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Colin Ian King
+Reviewed-by: Hans de Goede
+Link: https://lore.kernel.org/r/20200126220549.9849-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
++++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
+@@ -478,14 +478,13 @@ int rtl8723bs_xmit_thread(void *context)
+ s32 ret;
+ struct adapter *padapter;
+ struct xmit_priv *pxmitpriv;
+- u8 thread_name[20] = "RTWHALXT";
+-
++ u8 thread_name[20];
+
+ ret = _SUCCESS;
+ padapter = context;
+ pxmitpriv = &padapter->xmitpriv;
+
+- rtw_sprintf(thread_name, 20, "%s-"ADPT_FMT, thread_name, ADPT_ARG(padapter));
++ rtw_sprintf(thread_name, 20, "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter));
+ thread_enter(thread_name);
+
+ DBG_871X("start "FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter));
diff --git a/queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch b/queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch
new file mode 100644
index 00000000000..7333a0a6889
--- /dev/null
+++ b/queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch
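Review bot: The buffer length in the new rtw_sprintf() call is still the literal `20`, duplicating the size in the `u8 thread_name[20];` declaration a few lines above; if one is changed without the other, the write is no longer bounded by the array. Tie the bound to the object instead: `rtw_sprintf(thread_name, sizeof(thread_name), "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter));`. Note also that thread_name is now uninitialised until that call, which is safe only while nothing reads it earlier; the visible lines show no such read, but the function continues outside the hunk.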
@@ -0,0 +1,49 @@
+From 860ef6cd3f90b84a1832f8a6485c90c34d3b588b Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan
+Date: Tue, 21 Jan 2020 14:24:04 +0400
+Subject: usb: dwc2: Fix in ISOC request length checking
+
+From: Minas Harutyunyan
+
+commit 860ef6cd3f90b84a1832f8a6485c90c34d3b588b upstream.
+
+Moved ISOC request length checking from dwc2_hsotg_start_req() function to
+dwc2_hsotg_ep_queue().
+
+Fixes: 4fca54aa58293 ("usb: gadget: s3c-hsotg: add multi count support")
+Signed-off-by: Minas Harutyunyan
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc2/gadget.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -1004,11 +1004,6 @@ static void dwc2_hsotg_start_req(struct
+ else
+ packets = 1; /* send one packet if length is zero. */
+
+- if (hs_ep->isochronous && length > (hs_ep->mc * hs_ep->ep.maxpacket)) {
+- dev_err(hsotg->dev, "req length > maxpacket*mc\n");
+- return;
+- }
+-
+ if (dir_in && index != 0)
+ if (hs_ep->isochronous)
+ epsize = DXEPTSIZ_MC(packets);
+@@ -1312,6 +1307,13 @@ static int dwc2_hsotg_ep_queue(struct us
+ req->actual = 0;
+ req->status = -EINPROGRESS;
+
++ /* Don't queue ISOC request if length greater than mps*mc */
++ if (hs_ep->isochronous &&
++ req->length > (hs_ep->mc * hs_ep->ep.maxpacket)) {
++ dev_err(hs->dev, "req length > maxpacket*mc\n");
++ return -EINVAL;
++ }
++
+ /* In DDMA mode for ISOC's don't queue request if length greater
+ * than descriptor limits.
+ */
diff --git a/queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch b/queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
new file mode 100644
index 00000000000..55fbbe9379f
--- /dev/null
+++ b/queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
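Review bot: The ISOC length check added to dwc2_hsotg_ep_queue() runs after `req->actual = 0;` and `req->status = -EINPROGRESS;`, so a request rejected with -EINVAL is handed back to the caller still marked as in progress. Whether any gadget driver inspects req->status after a failed queue call is not visible here, but placing the check above those two assignments avoids the inconsistent state at no cost. The DDMA descriptor-limit check that begins in the trailing context lines appears to sit in the same position and could move with it. The function starts and ends outside the hunk.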
@@ -0,0 +1,43 @@
+From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001
+From: Jack Pham
+Date: Thu, 30 Jan 2020 19:10:35 -0800
+Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
+
+From: Jack Pham
+
+commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream.
+
+SuperSpeedPlus peripherals must report their bMaxPower of the
+configuration descriptor in units of 8mA as per the USB 3.2
+specification. The current switch statement in encode_bMaxPower()
+only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so
+the latter falls back to USB 2.0 encoding which uses 2mA units.
+Replace the switch with a simple if/else.
+
+Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors")
+Signed-off-by: Jack Pham
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/composite.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -437,12 +437,10 @@ static u8 encode_bMaxPower(enum usb_devi
+ val = CONFIG_USB_GADGET_VBUS_DRAW;
+ if (!val)
+ return 0;
+- switch (speed) {
+- case USB_SPEED_SUPER:
+- return DIV_ROUND_UP(val, 8);
+- default:
++ if (speed < USB_SPEED_SUPER)
+ return DIV_ROUND_UP(val, 2);
+- }
++ else
++ return DIV_ROUND_UP(val, 8);
+ }
+
+ static int config_buf(struct usb_configuration *config,
-- 2.47.3
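Review bot: The new test `speed < USB_SPEED_SUPER` in encode_bMaxPower() depends on the numeric order of enum usb_device_speed, and nothing in the function says so: every value ordered before USB_SPEED_SUPER, which presumably includes an unknown speed, is encoded in 2 mA units and everything from it upward in 8 mA units. A comment above the test would make the assumption explicit, e.g. `/* USB 3.x speeds report bMaxPower in 8 mA units, earlier speeds in 2 mA units; relies on enum order */`. As a style point, the `else` after a `return` is redundant, so the last branch can be a plain `return DIV_ROUND_UP(val, 8);`. The start of the function is outside the hunk, so the range of `val` against the u8 return type cannot be checked from here.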