From 87a4c908ae28f79231c061013a1b44845bfed42e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 29 Jun 2020 08:58:56 +0200
Subject: [PATCH] 5.7-stable patches

added patches:
	ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
	ib-mad-fix-use-after-free-when-destroying-mad-agent.patch

---
 ...law-due-to-leftover-module-put-calls.patch | 82 +++++++++++++++++++
 ...after-free-when-destroying-mad-agent.patch | 59 +++++++++++++
 ...place-kill_bdev-with-invalidate_bdev.patch | 20 ++---
 queue-5.7/series | 2 +
 4 files changed, 150 insertions(+), 13 deletions(-)
 create mode 100644 queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
 create mode 100644 queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch

diff --git a/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch b/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
new file mode 100644
index 00000000000..e2e93e158bf
--- /dev/null
+++ b/queue-5.7/ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
@@ -0,0 +1,82 @@
+From 822fbd37410639acdae368ea55477ddd3498651d Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro
+Date: Tue, 23 Jun 2020 16:32:30 -0400
+Subject: IB/hfi1: Fix module use count flaw due to leftover module put calls
+
+From: Dennis Dalessandro
+
+commit 822fbd37410639acdae368ea55477ddd3498651d upstream.
+
+When the try_module_get calls were removed from opening and closing of the
+i2c debugfs file, the corresponding module_put calls were missed. This
+results in an inaccurate module use count that requires a power cycle to
+fix.
+
+Fixes: 09fbca8e6240 ("IB/hfi1: No need to use try_module_get for debugfs")
+Link: https://lore.kernel.org/r/20200623203230.106975.76240.stgit@awfm-01.aw.intel.com
+Cc: 
+Reviewed-by: Kaike Wan
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/debugfs.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/debugfs.c
++++ b/drivers/infiniband/hw/hfi1/debugfs.c
+@@ -985,15 +985,10 @@ static ssize_t qsfp2_debugfs_read(struct
+ static int __i2c_debugfs_open(struct inode *in, struct file *fp, u32 target)
+ {
+ 	struct hfi1_pportdata *ppd;
+-	int ret;
+ 
+ 	ppd = private2ppd(fp);
+ 
+-	ret = acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+-	if (ret) /* failed - release the module */
+-		module_put(THIS_MODULE);
+-
+-	return ret;
++	return acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+ }
+ 
+ static int i2c1_debugfs_open(struct inode *in, struct file *fp)
+@@ -1013,7 +1008,6 @@ static int __i2c_debugfs_release(struct
+ 	ppd = private2ppd(fp);
+ 
+ 	release_chip_resource(ppd->dd, i2c_target(target));
+-	module_put(THIS_MODULE);
+ 
+ 	return 0;
+ }
+@@ -1031,18 +1025,10 @@ static int i2c2_debugfs_release(struct i
+ static int __qsfp_debugfs_open(struct inode *in, struct file *fp, u32 target)
+ {
+ 	struct hfi1_pportdata *ppd;
+-	int ret;
+-
+-	if (!try_module_get(THIS_MODULE))
+-		return -ENODEV;
+ 
+ 	ppd = private2ppd(fp);
+ 
+-	ret = acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+-	if (ret) /* failed - release the module */
+-		module_put(THIS_MODULE);
+-
+-	return ret;
++	return acquire_chip_resource(ppd->dd, i2c_target(target), 0);
+ }
+ 
+ static int qsfp1_debugfs_open(struct inode *in, struct file *fp)
+@@ -1062,7 +1048,6 @@ static int __qsfp_debugfs_release(struct
+ 	ppd = private2ppd(fp);
+ 
+ 	release_chip_resource(ppd->dd, i2c_target(target));
+-	module_put(THIS_MODULE);
+ 
+ 	return 0;
+ }
diff --git a/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch b/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
new file mode 100644
index 00000000000..31af7d0b017
--- /dev/null
+++ b/queue-5.7/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
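Review bot: Neither `__i2c_debugfs_open` nor `__qsfp_debugfs_open` now says why it takes no module reference, which is exactly the asymmetry that produced this bug: the description says the `try_module_get` calls went away in 09fbca8e6240 while the matching `module_put` calls in the open error path and in `__i2c_debugfs_release`/`__qsfp_debugfs_release` stayed, leaving the use count inaccurate after every close. A one-line comment on each open helper, `/* No try_module_get()/module_put() pairing here; see 09fbca8e6240 */`, would stop the next reader from "balancing" one side again. The `__qsfp_debugfs_open` hunk also drops the `-ENODEV` early return, so open failure is now reported solely through the value `acquire_chip_resource` returns. The four helpers are shown in full, but the debugfs file_operations that wire them up are outside the hunk.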
@@ -0,0 +1,59 @@
+From 116a1b9f1cb769b83e5adff323f977a62b1dcb2e Mon Sep 17 00:00:00 2001
+From: Shay Drory
+Date: Sun, 21 Jun 2020 13:47:35 +0300
+Subject: IB/mad: Fix use after free when destroying MAD agent
+
+From: Shay Drory
+
+commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e upstream.
+
+Currently, when RMPP MADs are processed while the MAD agent is destroyed,
+it could result in use after free of rmpp_recv, as decribed below:
+
+       cpu-0                                   cpu-1
+       -----                                   -----
+ib_mad_recv_done()
+ ib_mad_complete_recv()
+  ib_process_rmpp_recv_wc()
+                                       unregister_mad_agent()
+                                        ib_cancel_rmpp_recvs()
+                                         cancel_delayed_work()
+   process_rmpp_data()
+    start_rmpp()
+     queue_delayed_work(rmpp_recv->cleanup_work)
+                                         destroy_rmpp_recv()
+                                          free_rmpp_recv()
+   cleanup_work()[1]
+    spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
+
+[1] cleanup_work() == recv_cleanup_handler
+
+Fix it by waiting for the MAD agent reference count becoming zero before
+calling to ib_cancel_rmpp_recvs().
+
+Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
+Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
+Signed-off-by: Shay Drory
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/mad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -639,10 +639,10 @@ static void unregister_mad_agent(struct
+ 	xa_erase(&ib_mad_clients, mad_agent_priv->agent.hi_tid);
+ 
+ 	flush_workqueue(port_priv->wq);
+-	ib_cancel_rmpp_recvs(mad_agent_priv);
+ 
+ 	deref_mad_agent(mad_agent_priv);
+ 	wait_for_completion(&mad_agent_priv->comp);
++	ib_cancel_rmpp_recvs(mad_agent_priv);
+ 
+ 	ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
+ 
diff --git a/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch b/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
index 7c662c013c9..3e540f8d651 100644
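Review bot: The new position of `ib_cancel_rmpp_recvs(mad_agent_priv)` after `wait_for_completion(&mad_agent_priv->comp)` is load-bearing and nothing in the code says so; the old order read naturally, and moving the call back up would silently reintroduce the use-after-free the description diagrams (a receive in flight re-queues `rmpp_recv->cleanup_work` after the cancel, then runs on a freed `rmpp_recv`). I would add, above the moved line, `/* Only after the last agent reference is gone: an in-flight receive could otherwise re-queue rmpp_recv->cleanup_work after the cancel. */`. Whether `flush_workqueue(port_priv->wq)` a few lines up still needs to precede the deref is not visible here, and the rest of `unregister_mad_agent` lies outside the hunk.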
--- a/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
+++ b/queue-5.7/loop-replace-kill_bdev-with-invalidate_bdev.patch
@@ -33,28 +33,22 @@ Reviewed-by: Bart Van Assche
 Signed-off-by: Jens Axboe
 Signed-off-by: Greg Kroah-Hartman
 
-diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index c33bbbfd1bd9..475e1a738560 100644
+---
+ drivers/block/loop.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
 --- a/drivers/block/loop.c
 +++ b/drivers/block/loop.c
-@@ -1368,14 +1368,14 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+@@ -1289,7 +1289,7 @@ loop_set_status(struct loop_device *lo,
+ 	if (lo->lo_offset != info->lo_offset ||
  	    lo->lo_sizelimit != info->lo_sizelimit) {
- 		size_changed = true;
  		sync_blockdev(lo->lo_device);
 -		kill_bdev(lo->lo_device);
 +		invalidate_bdev(lo->lo_device);
  	}
  
  	/* I/O need to be drained during transfer transition */
- 	blk_mq_freeze_queue(lo->lo_queue);
- 
- 	if (size_changed && lo->lo_device->bd_inode->i_mapping->nrpages) {
--		/* If any pages were dirtied after kill_bdev(), try again */
-+		/* If any pages were dirtied after invalidate_bdev(), try again */
- 		err = -EAGAIN;
- 		pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
- 			__func__, lo->lo_number, lo->lo_file_name,
-@@ -1615,11 +1615,11 @@ static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
+@@ -1565,11 +1565,11 @@ static int loop_set_block_size(struct lo
  	return 0;
  
  	sync_blockdev(lo->lo_device);
diff --git a/queue-5.7/series b/queue-5.7/series
index c4a53a9d000..00aa7b81b3f 100644
--- a/queue-5.7/series
+++ b/queue-5.7/series
@@ -89,3 +89,5 @@ xhci-return-if-xhci-doesn-t-support-lpm.patch
 cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
 risc-v-acquire-mmap-lock-before-invoking-walk_page_range.patch
 loop-replace-kill_bdev-with-invalidate_bdev.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
+ib-hfi1-fix-module-use-count-flaw-due-to-leftover-module-put-calls.patch
-- 
2.47.3