From b5e44365f5aa39ab125696a4eb9a243ffbb9bd25 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 28 Dec 2020 12:56:04 +0100 Subject: [PATCH] 4.19-stable patches added patches: clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch iio-buffer-fix-demux-update.patch iio-imu-bmi160-fix-too-large-a-buffer.patch iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch iio-pressure-mpl3115-force-alignment-of-buffer.patch jfs-fix-array-index-bounds-check-in-dbadjtree.patch libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch md-cluster-block-reshape-with-remote-resync-job.patch md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch mtd-spinand-fix-oob-read.patch pci-fix-pci_slot_release-null-pointer-dereference.patch pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch spi-davinci-fix-use-after-free-on-unbind.patch spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch spi-spi-sh-fix-use-after-free-on-unbind.patch spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch xen-xenbus-allow-watches-discard-events-before-queueing.patch xen-xenbus-count-pending-messages-for-each-watch.patch xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch xenbus-xenbus_backend-disallow-pending-watch-messages.patch --- ...3700-fix-the-xtal-mode-pin-to-mpp1_9.patch | 43 +++ ...e-use-in-drm_dp_aux_dev_get_by_minor.patch | 151 +++++++++ ...e-on-error-in-rockchip_saradc_resume.patch | 36 +++ queue-4.19/iio-buffer-fix-demux-update.patch | 53 ++++ ...io-imu-bmi160-fix-too-large-a-buffer.patch | 42 +++ ...tamp-alignment-and-prevent-data-leak.patch | 82 +++++ ...tamp-alignment-and-prevent-data-leak.patch | 77 +++++ ...re-mpl3115-force-alignment-of-buffer.patch | 55 ++++ ...rray-index-bounds-check-in-dbadjtree.patch | 33 ++ ...idated-block-window-namespace-labels.patch | 65 ++++ ...block-reshape-with-remote-resync-job.patch | 78 +++++ ...adlock-when-node-is-doing-resync-job.patch | 293 ++++++++++++++++++ ...ix-parsing-of-part-names-with-colons.patch | 75 +++++ ...a-sync-on-flash_status-register-read.patch | 37 +++ queue-4.19/mtd-spinand-fix-oob-read.patch | 35 +++ ...lot_release-null-pointer-dereference.patch | 65 ++++ ...er-exit-in-sunxi_pinctrl_irq_handler.patch | 53 ++++ ...witch-events-on-acer-switch-alpha-12.patch | 44 +++ ...ing-context-in-lpfc_sli4_nvmet_alloc.patch | 102 ++++++ ...x-use-after-free-in-lpfc_rq_buf_free.patch | 46 +++ queue-4.19/series | 34 ++ ...safely-acquire-spinlock-without-irqs.patch | 55 ++++ ...davinci-fix-use-after-free-on-unbind.patch | 43 +++ ...prepare-on-error-in-mt7621_spi_probe.patch | 40 +++ ...eak-dma-channels-in-probe-error-path.patch | 35 +++ ...-leak-spi-master-in-probe-error-path.patch | 39 +++ ...-leak-spi-master-in-probe-error-path.patch | 61 ++++ ...-spi-sh-fix-use-after-free-on-unbind.patch | 78 +++++ ..._runtime_disable-in-probe-error-path.patch | 45 +++ ...g-xenblkd-to-null-after-kthread_stop.patch | 52 ++++ ...allback-support-in-xenbus_watch_path.patch | 140 +++++++++ ...tches-discard-events-before-queueing.patch | 115 +++++++ ...ount-pending-messages-for-each-watch.patch | 108 +++++++ ...e-support-will_handle-watch-callback.patch | 50 +++ ...kend-disallow-pending-watch-messages.patch | 56 ++++ 35 files changed, 2416 insertions(+) create mode 100644 queue-4.19/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch create mode 100644 queue-4.19/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch create mode 100644 queue-4.19/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch create mode 100644 queue-4.19/iio-buffer-fix-demux-update.patch create mode 100644 queue-4.19/iio-imu-bmi160-fix-too-large-a-buffer.patch create mode 100644 queue-4.19/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-4.19/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-4.19/iio-pressure-mpl3115-force-alignment-of-buffer.patch create mode 100644 queue-4.19/jfs-fix-array-index-bounds-check-in-dbadjtree.patch create mode 100644 queue-4.19/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch create mode 100644 queue-4.19/md-cluster-block-reshape-with-remote-resync-job.patch create mode 100644 queue-4.19/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch create mode 100644 queue-4.19/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch create mode 100644 queue-4.19/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch create mode 100644 queue-4.19/mtd-spinand-fix-oob-read.patch create mode 100644 queue-4.19/pci-fix-pci_slot_release-null-pointer-dereference.patch create mode 100644 queue-4.19/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch create mode 100644 queue-4.19/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch create mode 100644 queue-4.19/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch create mode 100644 queue-4.19/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch create mode 100644 queue-4.19/spi-davinci-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch create mode 100644 queue-4.19/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch create mode 100644 queue-4.19/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-4.19/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-4.19/spi-spi-sh-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch create mode 100644 queue-4.19/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch create mode 100644 queue-4.19/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch create mode 100644 queue-4.19/xen-xenbus-allow-watches-discard-events-before-queueing.patch create mode 100644 queue-4.19/xen-xenbus-count-pending-messages-for-each-watch.patch create mode 100644 queue-4.19/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch create mode 100644 queue-4.19/xenbus-xenbus_backend-disallow-pending-watch-messages.patch diff --git a/queue-4.19/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch b/queue-4.19/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch new file mode 100644 index 00000000000..2721519c5e7 --- /dev/null +++ b/queue-4.19/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch @@ -0,0 +1,43 @@ +From 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 Mon Sep 17 00:00:00 2001 +From: Terry Zhou +Date: Fri, 6 Nov 2020 11:00:39 +0100 +Subject: clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Terry Zhou + +commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream. + +There is an error in the current code that the XTAL MODE +pin was set to NB MPP1_31 which should be NB MPP1_9. +The latch register of NB MPP1_9 has different offset of 0x8. + +Signed-off-by: Terry Zhou +[pali: Fix pin name in commit message] +Signed-off-by: Pali Rohár +Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org +Reviewed-by: Marek Behún +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/mvebu/armada-37xx-xtal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/mvebu/armada-37xx-xtal.c ++++ b/drivers/clk/mvebu/armada-37xx-xtal.c +@@ -15,8 +15,8 @@ + #include + #include + +-#define NB_GPIO1_LATCH 0xC +-#define XTAL_MODE BIT(31) ++#define NB_GPIO1_LATCH 0x8 ++#define XTAL_MODE BIT(9) + + static int armada_3700_xtal_clock_probe(struct platform_device *pdev) + { diff --git a/queue-4.19/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch b/queue-4.19/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch new file mode 100644 index 00000000000..c0bba0687bb --- /dev/null +++ b/queue-4.19/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch @@ -0,0 +1,151 @@ +From 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 Mon Sep 17 00:00:00 2001 +From: Zwane Mwaikambo +Date: Mon, 12 Oct 2020 22:59:14 -0700 +Subject: drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() + +From: Zwane Mwaikambo + +commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream. + +I observed this when unplugging a DP monitor whilst a computer is asleep +and then waking it up. This left DP chardev nodes still being present on +the filesystem and accessing these device nodes caused an oops because +drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. +This can also be reproduced by creating a device node with mknod(1) and +issuing an open(2) + +[166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[166164.933202] #PF: supervisor read access in kernel mode +[166164.933204] #PF: error_code(0x0000) - not-present page +[166164.933205] PGD 0 P4D 0 +[166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI +[166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W +5.8.0-rc6+ #1 +[166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W +(1.11 ) 04/21/2020 +[166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 +[drm_kms_helper] +[166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 +c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 +<8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 +[166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 +[166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 +[166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 +[166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 +[166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 +[166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 +[166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000) +knlGS:0000000000000000 +[166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 +[166164.933247] Call Trace: +[166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] +[166164.933278] chrdev_open+0xa7/0x1c0 +[166164.933282] ? cdev_put.part.0+0x20/0x20 +[166164.933287] do_dentry_open+0x161/0x3c0 +[166164.933291] vfs_open+0x2d/0x30 +[166164.933297] path_openat+0xb27/0x10e0 +[166164.933306] ? atime_needs_update+0x73/0xd0 +[166164.933309] do_filp_open+0x91/0x100 +[166164.933313] ? __alloc_fd+0xb2/0x150 +[166164.933316] do_sys_openat2+0x210/0x2d0 +[166164.933318] do_sys_open+0x46/0x80 +[166164.933320] __x64_sys_openat+0x20/0x30 +[166164.933328] do_syscall_64+0x52/0xc0 +[166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +(gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 +Dump of assembler code for function drm_dp_aux_dev_get_by_minor: + 0x0000000000017b10 <+0>: callq 0x17b15 + 0x0000000000017b15 <+5>: push %rbp + 0x0000000000017b16 <+6>: mov %rsp,%rbp + 0x0000000000017b19 <+9>: push %r12 + 0x0000000000017b1b <+11>: mov %edi,%r12d + 0x0000000000017b1e <+14>: mov $0x0,%rdi + 0x0000000000017b25 <+21>: callq 0x17b2a + 0x0000000000017b2a <+26>: mov %r12d,%esi + 0x0000000000017b2d <+29>: mov $0x0,%rdi + 0x0000000000017b34 <+36>: callq 0x17b39 + 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= + 0x0000000000017b3c <+44>: mov %rax,%r12 + 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi + 0x0000000000017b43 <+51>: test %edx,%edx + 0x0000000000017b45 <+53>: je 0x17b7a + 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx + 0x0000000000017b4a <+58>: mov %edx,%eax + 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) + 0x0000000000017b50 <+64>: jne 0x17b76 + 0x0000000000017b52 <+66>: test %edx,%edx + 0x0000000000017b54 <+68>: js 0x17b6d + 0x0000000000017b56 <+70>: test %ecx,%ecx + 0x0000000000017b58 <+72>: js 0x17b6d + 0x0000000000017b5a <+74>: mov $0x0,%rdi + 0x0000000000017b61 <+81>: callq 0x17b66 + 0x0000000000017b66 <+86>: mov %r12,%rax + 0x0000000000017b69 <+89>: pop %r12 + 0x0000000000017b6b <+91>: pop %rbp + 0x0000000000017b6c <+92>: retq + 0x0000000000017b6d <+93>: xor %esi,%esi + 0x0000000000017b6f <+95>: callq 0x17b74 + 0x0000000000017b74 <+100>: jmp 0x17b5a + 0x0000000000017b76 <+102>: mov %eax,%edx + 0x0000000000017b78 <+104>: jmp 0x17b43 + 0x0000000000017b7a <+106>: xor %r12d,%r12d + 0x0000000000017b7d <+109>: jmp 0x17b5a +End of assembler dump. + +(gdb) list *drm_dp_aux_dev_get_by_minor+0x29 +0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). +60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index) +61 { +62 struct drm_dp_aux_dev *aux_dev = NULL; +63 +64 mutex_lock(&aux_idr_mutex); +65 aux_dev = idr_find(&aux_idr, index); +66 if (!kref_get_unless_zero(&aux_dev->refcount)) +67 aux_dev = NULL; +68 mutex_unlock(&aux_idr_mutex); +69 +(gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount +$8 = 0x18 + +Looking at the caller, checks on the minor are pushed down to +drm_dp_aux_dev_get_by_minor() + +static int auxdev_open(struct inode *inode, struct file *file) +{ + unsigned int minor = iminor(inode); + struct drm_dp_aux_dev *aux_dev; + + aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== + if (!aux_dev) + return -ENODEV; + + file->private_data = aux_dev; + return 0; +} + +Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") +Cc: # v4.6+ +Signed-off-by: Zwane Mwaikambo +Reviewed-by: Lyude Paul +[added Cc to stable] +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_aux_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_aux_dev.c ++++ b/drivers/gpu/drm/drm_dp_aux_dev.c +@@ -60,7 +60,7 @@ static struct drm_dp_aux_dev *drm_dp_aux + + mutex_lock(&aux_idr_mutex); + aux_dev = idr_find(&aux_idr, index); +- if (!kref_get_unless_zero(&aux_dev->refcount)) ++ if (aux_dev && !kref_get_unless_zero(&aux_dev->refcount)) + aux_dev = NULL; + mutex_unlock(&aux_idr_mutex); + diff --git a/queue-4.19/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch b/queue-4.19/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch new file mode 100644 index 00000000000..d2f4d754225 --- /dev/null +++ b/queue-4.19/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch @@ -0,0 +1,36 @@ +From 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Tue, 3 Nov 2020 20:07:43 +0800 +Subject: iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume + +From: Qinglang Miao + +commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream. + +Fix the missing clk_disable_unprepare() of info->pclk +before return from rockchip_saradc_resume in the error +handling case when fails to prepare and enable info->clk. + +Suggested-by: Robin Murphy +Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc") +Signed-off-by: Qinglang Miao +Cc: +Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/rockchip_saradc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/rockchip_saradc.c ++++ b/drivers/iio/adc/rockchip_saradc.c +@@ -383,7 +383,7 @@ static int rockchip_saradc_resume(struct + + ret = clk_prepare_enable(info->clk); + if (ret) +- return ret; ++ clk_disable_unprepare(info->pclk); + + return ret; + } diff --git a/queue-4.19/iio-buffer-fix-demux-update.patch b/queue-4.19/iio-buffer-fix-demux-update.patch new file mode 100644 index 00000000000..215b9c247b1 --- /dev/null +++ b/queue-4.19/iio-buffer-fix-demux-update.patch @@ -0,0 +1,53 @@ +From 19ef7b70ca9487773c29b449adf0c70f540a0aab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Thu, 12 Nov 2020 15:43:22 +0100 +Subject: iio: buffer: Fix demux update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream. + +When updating the buffer demux, we will skip a scan element from the +device in the case `in_ind != out_ind` and we enter the while loop. +in_ind should only be refreshed with `find_next_bit()` in the end of the +loop. + +Note, to cause problems we need a situation where we are skippig over +an element (channel not enabled) that happens to not have the same size +as the next element. Whilst this is a possible situation we haven't +actually identified any cases in mainline where it happens as most drivers +have consistent channel storage sizes with the exception of the timestamp +which is the last element and hence never skipped over. + +Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -850,12 +850,12 @@ static int iio_buffer_update_demux(struc + indio_dev->masklength, + in_ind + 1); + while (in_ind != out_ind) { +- in_ind = find_next_bit(indio_dev->active_scan_mask, +- indio_dev->masklength, +- in_ind + 1); + length = iio_storage_bytes_for_si(indio_dev, in_ind); + /* Make sure we are aligned */ + in_loc = roundup(in_loc, length) + length; ++ in_ind = find_next_bit(indio_dev->active_scan_mask, ++ indio_dev->masklength, ++ in_ind + 1); + } + length = iio_storage_bytes_for_si(indio_dev, in_ind); + out_loc = roundup(out_loc, length); diff --git a/queue-4.19/iio-imu-bmi160-fix-too-large-a-buffer.patch b/queue-4.19/iio-imu-bmi160-fix-too-large-a-buffer.patch new file mode 100644 index 00000000000..078e3644ab2 --- /dev/null +++ b/queue-4.19/iio-imu-bmi160-fix-too-large-a-buffer.patch @@ -0,0 +1,42 @@ +From dc7de42d6b50a07b37feeba4c6b5136290fcee81 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:38 +0100 +Subject: iio:imu:bmi160: Fix too large a buffer. + +From: Jonathan Cameron + +commit dc7de42d6b50a07b37feeba4c6b5136290fcee81 upstream. + +The comment implies this device has 3 sensor types, but it only +has an accelerometer and a gyroscope (both 3D). As such the +buffer does not need to be as long as stated. + +Note I've separated this from the following patch which fixes +the alignment for passing to iio_push_to_buffers_with_timestamp() +as they are different issues even if they affect the same line +of code. + +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Cc: Daniel Baluta +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-5-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/bmi160/bmi160_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/imu/bmi160/bmi160_core.c ++++ b/drivers/iio/imu/bmi160/bmi160_core.c +@@ -385,8 +385,8 @@ static irqreturn_t bmi160_trigger_handle + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct bmi160_data *data = iio_priv(indio_dev); +- __le16 buf[16]; +- /* 3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp */ ++ __le16 buf[12]; ++ /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */ + int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L; + __le16 sample; + diff --git a/queue-4.19/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.19/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..1a58e30fb6c --- /dev/null +++ b/queue-4.19/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,82 @@ +From a61817216bcc755eabbcb1cf281d84ccad267ed1 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:35 +0100 +Subject: iio:light:rpr0521: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit a61817216bcc755eabbcb1cf281d84ccad267ed1 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv(). +This data is allocated with kzalloc() so no data can leak apart +from previous readings and in this case the status byte from the device. + +The forced alignment of ts is not necessary in this case but it +potentially makes the code less fragile. + +>From personal communications with Mikko: + +We could probably split the reading of the int register, but it +would mean a significant performance cost of 20 i2c clock cycles. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Cc: Mikko Koivunen +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/rpr0521.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/iio/light/rpr0521.c ++++ b/drivers/iio/light/rpr0521.c +@@ -197,6 +197,17 @@ struct rpr0521_data { + bool pxs_need_dis; + + struct regmap *regmap; ++ ++ /* ++ * Ensure correct naturally aligned timestamp. ++ * Note that the read will put garbage data into ++ * the padding but this should not be a problem ++ */ ++ struct { ++ __le16 channels[3]; ++ u8 garbage; ++ s64 ts __aligned(8); ++ } scan; + }; + + static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL); +@@ -452,8 +463,6 @@ static irqreturn_t rpr0521_trigger_consu + struct rpr0521_data *data = iio_priv(indio_dev); + int err; + +- u8 buffer[16]; /* 3 16-bit channels + padding + ts */ +- + /* Use irq timestamp when reasonable. */ + if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) { + pf->timestamp = data->irq_timestamp; +@@ -464,11 +473,11 @@ static irqreturn_t rpr0521_trigger_consu + pf->timestamp = iio_get_time_ns(indio_dev); + + err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA, +- &buffer, ++ data->scan.channels, + (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */ + if (!err) + iio_push_to_buffers_with_timestamp(indio_dev, +- buffer, pf->timestamp); ++ &data->scan, pf->timestamp); + else + dev_err(&data->client->dev, + "Trigger consumer can't read from sensor.\n"); diff --git a/queue-4.19/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.19/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..1e9eae7ae61 --- /dev/null +++ b/queue-4.19/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,77 @@ +From d837a996f57c29a985177bc03b0e599082047f27 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:36 +0100 +Subject: iio:light:st_uvis25: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit d837a996f57c29a985177bc03b0e599082047f27 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() + +This data is allocated with kzalloc() so no data can leak apart +from previous readings. + +A local unsigned int variable is used for the regmap call so it +is clear there is no potential issue with writing into the padding +of the structure. + +Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Acked-by: Lorenzo Bianconi +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-3-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/st_uvis25.h | 5 +++++ + drivers/iio/light/st_uvis25_core.c | 8 +++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iio/light/st_uvis25.h ++++ b/drivers/iio/light/st_uvis25.h +@@ -28,6 +28,11 @@ struct st_uvis25_hw { + struct iio_trigger *trig; + bool enabled; + int irq; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u8 chan; ++ s64 ts __aligned(8); ++ } scan; + }; + + extern const struct dev_pm_ops st_uvis25_pm_ops; +--- a/drivers/iio/light/st_uvis25_core.c ++++ b/drivers/iio/light/st_uvis25_core.c +@@ -235,17 +235,19 @@ static const struct iio_buffer_setup_ops + + static irqreturn_t st_uvis25_buffer_handler_thread(int irq, void *p) + { +- u8 buffer[ALIGN(sizeof(u8), sizeof(s64)) + sizeof(s64)]; + struct iio_poll_func *pf = p; + struct iio_dev *iio_dev = pf->indio_dev; + struct st_uvis25_hw *hw = iio_priv(iio_dev); ++ unsigned int val; + int err; + +- err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, (int *)buffer); ++ err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, &val); + if (err < 0) + goto out; + +- iio_push_to_buffers_with_timestamp(iio_dev, buffer, ++ hw->scan.chan = val; ++ ++ iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, + iio_get_time_ns(iio_dev)); + + out: diff --git a/queue-4.19/iio-pressure-mpl3115-force-alignment-of-buffer.patch b/queue-4.19/iio-pressure-mpl3115-force-alignment-of-buffer.patch new file mode 100644 index 00000000000..41cabb80209 --- /dev/null +++ b/queue-4.19/iio-pressure-mpl3115-force-alignment-of-buffer.patch @@ -0,0 +1,55 @@ +From 198cf32f0503d2ad60d320b95ef6fb8243db857f Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:40 +0100 +Subject: iio:pressure:mpl3115: Force alignment of buffer + +From: Jonathan Cameron + +commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream. + +Whilst this is another case of the issue Lars reported with +an array of elements of smaller than 8 bytes being passed +to iio_push_to_buffers_with_timestamp(), the solution here is +a bit different from the other cases and relies on __aligned +working on the stack (true since 4.6?) + +This one is unusual. We have to do an explicit memset() each time +as we are reading 3 bytes into a potential 4 byte channel which +may sometimes be a 2 byte channel depending on what is enabled. +As such, moving the buffer to the heap in the iio_priv structure +doesn't save us much. We can't use a nice explicit structure +on the stack either as the data channels have different storage +sizes and are all separately controlled. + +Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Reviewed-by: Alexandru Ardelean +Cc: Peter Meerwald +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/mpl3115.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/pressure/mpl3115.c ++++ b/drivers/iio/pressure/mpl3115.c +@@ -147,7 +147,14 @@ static irqreturn_t mpl3115_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mpl3115_data *data = iio_priv(indio_dev); +- u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */ ++ /* ++ * 32-bit channel + 16-bit channel + padding + ts ++ * Note that it is possible for only one of the first 2 ++ * channels to be enabled. If that happens, the first element ++ * of the buffer may be either 16 or 32-bits. As such we cannot ++ * use a simple structure definition to express this data layout. ++ */ ++ u8 buffer[16] __aligned(8); + int ret, pos = 0; + + mutex_lock(&data->lock); diff --git a/queue-4.19/jfs-fix-array-index-bounds-check-in-dbadjtree.patch b/queue-4.19/jfs-fix-array-index-bounds-check-in-dbadjtree.patch new file mode 100644 index 00000000000..497cfac0400 --- /dev/null +++ b/queue-4.19/jfs-fix-array-index-bounds-check-in-dbadjtree.patch @@ -0,0 +1,33 @@ +From c61b3e4839007668360ed8b87d7da96d2e59fc6c Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Fri, 13 Nov 2020 14:58:46 -0600 +Subject: jfs: Fix array index bounds check in dbAdjTree + +From: Dave Kleikamp + +commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream. + +Bounds checking tools can flag a bug in dbAdjTree() for an array index +out of bounds in dmt_stree. Since dmt_stree can refer to the stree in +both structures dmaptree and dmapctl, use the larger array to eliminate +the false positive. + +Signed-off-by: Dave Kleikamp +Reported-by: butt3rflyh4ck +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jfs/jfs_dmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/jfs_dmap.h ++++ b/fs/jfs/jfs_dmap.h +@@ -196,7 +196,7 @@ typedef union dmtree { + #define dmt_leafidx t1.leafidx + #define dmt_height t1.height + #define dmt_budmin t1.budmin +-#define dmt_stree t1.stree ++#define dmt_stree t2.stree + + /* + * on-disk aggregate disk allocation map descriptor. diff --git a/queue-4.19/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch b/queue-4.19/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch new file mode 100644 index 00000000000..7b654fd6bad --- /dev/null +++ b/queue-4.19/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch @@ -0,0 +1,65 @@ +From 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 20 Nov 2020 08:50:07 -0800 +Subject: libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels + +From: Dan Williams + +commit 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 upstream. + +A recent change to ndctl to attempt to reconfigure namespaces in place +uncovered a label accounting problem in block-window-type namespaces. +The ndctl "create.sh" test is able to trigger this signature: + + WARNING: CPU: 34 PID: 9167 at drivers/nvdimm/label.c:1100 __blk_label_update+0x9a3/0xbc0 [libnvdimm] + [..] + RIP: 0010:__blk_label_update+0x9a3/0xbc0 [libnvdimm] + [..] + Call Trace: + uuid_store+0x21b/0x2f0 [libnvdimm] + kernfs_fop_write+0xcf/0x1c0 + vfs_write+0xcc/0x380 + ksys_write+0x68/0xe0 + +When allocated capacity for a namespace is renamed (new UUID) the labels +with the old UUID need to be deleted. The ndctl behavior to always +destroy namespaces on reconfiguration hid this problem. + +The immediate impact of this bug is limited since block-window-type +namespaces only seem to exist in the specification and not in any +shipping products. However, the label handling code is being reused for +other technologies like CXL region labels, so there is a benefit to +making sure both vertical labels sets (block-window) and horizontal +label sets (pmem) have a functional reference implementation in +libnvdimm. + +Fixes: c4703ce11c23 ("libnvdimm/namespace: Fix label tracking error") +Cc: +Cc: Vishal Verma +Cc: Dave Jiang +Cc: Ira Weiny +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/label.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -861,6 +861,15 @@ static int __blk_label_update(struct nd_ + } + } + ++ /* release slots associated with any invalidated UUIDs */ ++ mutex_lock(&nd_mapping->lock); ++ list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) ++ if (test_and_clear_bit(ND_LABEL_REAP, &label_ent->flags)) { ++ reap_victim(nd_mapping, label_ent); ++ list_move(&label_ent->list, &list); ++ } ++ mutex_unlock(&nd_mapping->lock); ++ + /* + * Find the resource associated with the first label in the set + * per the v1.2 namespace specification. diff --git a/queue-4.19/md-cluster-block-reshape-with-remote-resync-job.patch b/queue-4.19/md-cluster-block-reshape-with-remote-resync-job.patch new file mode 100644 index 00000000000..ea6ad2848cb --- /dev/null +++ b/queue-4.19/md-cluster-block-reshape-with-remote-resync-job.patch @@ -0,0 +1,78 @@ +From a8da01f79c89755fad55ed0ea96e8d2103242a72 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Thu, 19 Nov 2020 19:41:33 +0800 +Subject: md/cluster: block reshape with remote resync job + +From: Zhao Heming + +commit a8da01f79c89755fad55ed0ea96e8d2103242a72 upstream. + +Reshape request should be blocked with ongoing resync job. In cluster +env, a node can start resync job even if the resync cmd isn't executed +on it, e.g., user executes "mdadm --grow" on node A, sometimes node B +will start resync job. However, current update_raid_disks() only check +local recovery status, which is incomplete. As a result, we see user will +execute "mdadm --grow" successfully on local, while the remote node deny +to do reshape job when it doing resync job. The inconsistent handling +cause array enter unexpected status. If user doesn't observe this issue +and continue executing mdadm cmd, the array doesn't work at last. + +Fix this issue by blocking reshape request. When node executes "--grow" +and detects ongoing resync, it should stop and report error to user. + +The following script reproduces the issue with ~100% probability. +(two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB) +``` + # on node1, node2 is the remote node. +ssh root@node2 "mdadm -S --scan" +mdadm -S --scan +for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ +count=20; done + +mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh +ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" + +sleep 5 + +mdadm --manage --add /dev/md0 /dev/sdi +mdadm --wait /dev/md0 +mdadm --grow --raid-devices=3 /dev/md0 + +mdadm /dev/md0 --fail /dev/sdg +mdadm /dev/md0 --remove /dev/sdg +mdadm --grow --raid-devices=2 /dev/md0 +``` + +Cc: stable@vger.kernel.org +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6895,6 +6895,7 @@ static int update_raid_disks(struct mdde + return -EINVAL; + if (mddev->sync_thread || + test_bit(MD_RECOVERY_RUNNING, &mddev->recovery) || ++ test_bit(MD_RESYNCING_REMOTE, &mddev->recovery) || + mddev->reshape_position != MaxSector) + return -EBUSY; + +@@ -9241,8 +9242,11 @@ static void check_sb_changes(struct mdde + } + } + +- if (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) +- update_raid_disks(mddev, le32_to_cpu(sb->raid_disks)); ++ if (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) { ++ ret = update_raid_disks(mddev, le32_to_cpu(sb->raid_disks)); ++ if (ret) ++ pr_warn("md: updating array disks failed. %d\n", ret); ++ } + + /* Finally set the event to be up to date */ + mddev->events = le64_to_cpu(sb->events); diff --git a/queue-4.19/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch b/queue-4.19/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch new file mode 100644 index 00000000000..e0eb2de0713 --- /dev/null +++ b/queue-4.19/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch @@ -0,0 +1,293 @@ +From bca5b0658020be90b6b504ca514fd80110204f71 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Thu, 19 Nov 2020 19:41:34 +0800 +Subject: md/cluster: fix deadlock when node is doing resync job + +From: Zhao Heming + +commit bca5b0658020be90b6b504ca514fd80110204f71 upstream. + +md-cluster uses MD_CLUSTER_SEND_LOCK to make node can exclusively send msg. +During sending msg, node can concurrently receive msg from another node. +When node does resync job, grab token_lockres:EX may trigger a deadlock: +``` +nodeA nodeB +-------------------- -------------------- +a. +send METADATA_UPDATED +held token_lockres:EX + b. + md_do_sync + resync_info_update + send RESYNCING + + set MD_CLUSTER_SEND_LOCK + + wait for holding token_lockres:EX + + c. + mdadm /dev/md0 --remove /dev/sdg + + held reconfig_mutex + + send REMOVE + + wait_event(MD_CLUSTER_SEND_LOCK) + + d. + recv_daemon //METADATA_UPDATED from A + process_metadata_update + + (mddev_trylock(mddev) || + MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD) + //this time, both return false forever +``` +Explaination: +a. A send METADATA_UPDATED + This will block another node to send msg + +b. B does sync jobs, which will send RESYNCING at intervals. + This will be block for holding token_lockres:EX lock. + +c. B do "mdadm --remove", which will send REMOVE. + This will be blocked by step : MD_CLUSTER_SEND_LOCK is 1. + +d. B recv METADATA_UPDATED msg, which send from A in step . + This will be blocked by step : holding mddev lock, it makes + wait_event can't hold mddev lock. (btw, + MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD keep ZERO in this scenario.) + +There is a similar deadlock in commit 0ba959774e93 +("md-cluster: use sync way to handle METADATA_UPDATED msg") +In that commit, step c is "update sb". This patch step c is +"mdadm --remove". + +For fixing this issue, we can refer the solution of function: +metadata_update_start. Which does the same grab lock_token action. +lock_comm can use the same steps to avoid deadlock. By moving +MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD from lock_token to lock_comm. +It enlarge a little bit window of MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, +but it is safe & can break deadlock. + +Repro steps (I only triggered 3 times with hundreds tests): + +two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB. +``` +ssh root@node2 "mdadm -S --scan" +mdadm -S --scan +for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ +count=20; done + +mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh \ + --bitmap-chunk=1M +ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" + +sleep 5 + +mkfs.xfs /dev/md0 +mdadm --manage --add /dev/md0 /dev/sdi +mdadm --wait /dev/md0 +mdadm --grow --raid-devices=3 /dev/md0 + +mdadm /dev/md0 --fail /dev/sdg +mdadm /dev/md0 --remove /dev/sdg +mdadm --grow --raid-devices=2 /dev/md0 +``` + +test script will hung when executing "mdadm --remove". + +``` + # dump stacks by "echo t > /proc/sysrq-trigger" +md0_cluster_rec D 0 5329 2 0x80004000 +Call Trace: + __schedule+0x1f6/0x560 + ? _cond_resched+0x2d/0x40 + ? schedule+0x4a/0xb0 + ? process_metadata_update.isra.0+0xdb/0x140 [md_cluster] + ? wait_woken+0x80/0x80 + ? process_recvd_msg+0x113/0x1d0 [md_cluster] + ? recv_daemon+0x9e/0x120 [md_cluster] + ? md_thread+0x94/0x160 [md_mod] + ? wait_woken+0x80/0x80 + ? md_congested+0x30/0x30 [md_mod] + ? kthread+0x115/0x140 + ? __kthread_bind_mask+0x60/0x60 + ? ret_from_fork+0x1f/0x40 + +mdadm D 0 5423 1 0x00004004 +Call Trace: + __schedule+0x1f6/0x560 + ? __schedule+0x1fe/0x560 + ? schedule+0x4a/0xb0 + ? lock_comm.isra.0+0x7b/0xb0 [md_cluster] + ? wait_woken+0x80/0x80 + ? remove_disk+0x4f/0x90 [md_cluster] + ? hot_remove_disk+0xb1/0x1b0 [md_mod] + ? md_ioctl+0x50c/0xba0 [md_mod] + ? wait_woken+0x80/0x80 + ? blkdev_ioctl+0xa2/0x2a0 + ? block_ioctl+0x39/0x40 + ? ksys_ioctl+0x82/0xc0 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x5f/0x150 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +md0_resync D 0 5425 2 0x80004000 +Call Trace: + __schedule+0x1f6/0x560 + ? schedule+0x4a/0xb0 + ? dlm_lock_sync+0xa1/0xd0 [md_cluster] + ? wait_woken+0x80/0x80 + ? lock_token+0x2d/0x90 [md_cluster] + ? resync_info_update+0x95/0x100 [md_cluster] + ? raid1_sync_request+0x7d3/0xa40 [raid1] + ? md_do_sync.cold+0x737/0xc8f [md_mod] + ? md_thread+0x94/0x160 [md_mod] + ? md_congested+0x30/0x30 [md_mod] + ? kthread+0x115/0x140 + ? __kthread_bind_mask+0x60/0x60 + ? ret_from_fork+0x1f/0x40 +``` + +At last, thanks for Xiao's solution. + +Cc: stable@vger.kernel.org +Signed-off-by: Zhao Heming +Suggested-by: Xiao Ni +Reviewed-by: Xiao Ni +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md-cluster.c | 67 +++++++++++++++++++++++++++--------------------- + drivers/md/md.c | 6 ++-- + 2 files changed, 42 insertions(+), 31 deletions(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -669,9 +669,27 @@ out: + * Takes the lock on the TOKEN lock resource so no other + * node can communicate while the operation is underway. + */ +-static int lock_token(struct md_cluster_info *cinfo, bool mddev_locked) ++static int lock_token(struct md_cluster_info *cinfo) + { +- int error, set_bit = 0; ++ int error; ++ ++ error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX); ++ if (error) { ++ pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n", ++ __func__, __LINE__, error); ++ } else { ++ /* Lock the receive sequence */ ++ mutex_lock(&cinfo->recv_mutex); ++ } ++ return error; ++} ++ ++/* lock_comm() ++ * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel. ++ */ ++static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked) ++{ ++ int rv, set_bit = 0; + struct mddev *mddev = cinfo->mddev; + + /* +@@ -682,34 +700,19 @@ static int lock_token(struct md_cluster_ + */ + if (mddev_locked && !test_bit(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, + &cinfo->state)) { +- error = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, ++ rv = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, + &cinfo->state); +- WARN_ON_ONCE(error); ++ WARN_ON_ONCE(rv); + md_wakeup_thread(mddev->thread); + set_bit = 1; + } +- error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX); +- if (set_bit) +- clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); + +- if (error) +- pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n", +- __func__, __LINE__, error); +- +- /* Lock the receive sequence */ +- mutex_lock(&cinfo->recv_mutex); +- return error; +-} +- +-/* lock_comm() +- * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel. +- */ +-static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked) +-{ + wait_event(cinfo->wait, + !test_and_set_bit(MD_CLUSTER_SEND_LOCK, &cinfo->state)); +- +- return lock_token(cinfo, mddev_locked); ++ rv = lock_token(cinfo); ++ if (set_bit) ++ clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); ++ return rv; + } + + static void unlock_comm(struct md_cluster_info *cinfo) +@@ -789,9 +792,11 @@ static int sendmsg(struct md_cluster_inf + { + int ret; + +- lock_comm(cinfo, mddev_locked); +- ret = __sendmsg(cinfo, cmsg); +- unlock_comm(cinfo); ++ ret = lock_comm(cinfo, mddev_locked); ++ if (!ret) { ++ ret = __sendmsg(cinfo, cmsg); ++ unlock_comm(cinfo); ++ } + return ret; + } + +@@ -1063,7 +1068,7 @@ static int metadata_update_start(struct + return 0; + } + +- ret = lock_token(cinfo, 1); ++ ret = lock_token(cinfo); + clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); + return ret; + } +@@ -1181,7 +1186,10 @@ static void update_size(struct mddev *md + int raid_slot = -1; + + md_update_sb(mddev, 1); +- lock_comm(cinfo, 1); ++ if (lock_comm(cinfo, 1)) { ++ pr_err("%s: lock_comm failed\n", __func__); ++ return; ++ } + + memset(&cmsg, 0, sizeof(cmsg)); + cmsg.type = cpu_to_le32(METADATA_UPDATED); +@@ -1330,7 +1338,8 @@ static int add_new_disk(struct mddev *md + cmsg.type = cpu_to_le32(NEWDISK); + memcpy(cmsg.uuid, uuid, 16); + cmsg.raid_slot = cpu_to_le32(rdev->desc_nr); +- lock_comm(cinfo, 1); ++ if (lock_comm(cinfo, 1)) ++ return -EAGAIN; + ret = __sendmsg(cinfo, &cmsg); + if (ret) { + unlock_comm(cinfo); +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6564,8 +6564,10 @@ static int hot_remove_disk(struct mddev + goto busy; + + kick_rdev: +- if (mddev_is_clustered(mddev)) +- md_cluster_ops->remove_disk(mddev, rdev); ++ if (mddev_is_clustered(mddev)) { ++ if (md_cluster_ops->remove_disk(mddev, rdev)) ++ goto busy; ++ } + + md_kick_rdev_from_array(rdev); + set_bit(MD_SB_CHANGE_DEVS, &mddev->sb_flags); diff --git a/queue-4.19/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch b/queue-4.19/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch new file mode 100644 index 00000000000..272f1229e32 --- /dev/null +++ b/queue-4.19/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch @@ -0,0 +1,75 @@ +From 639a82434f16a6df0ce0e7c8595976f1293940fd Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Tue, 24 Nov 2020 07:25:06 +0100 +Subject: mtd: parser: cmdline: Fix parsing of part-names with colons + +From: Sven Eckelmann + +commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream. + +Some devices (especially QCA ones) are already using hardcoded partition +names with colons in it. The OpenMesh A62 for example provides following +mtd relevant information via cmdline: + + root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait + +The change to split only on the last colon between mtd-id and partitions +will cause newpart to see following string for the first partition: + + KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) + +Such a partition list cannot be parsed and thus the device fails to boot. + +Avoid this behavior by making sure that the start of the first part-name +("(") will also be the last byte the mtd-id split algorithm is using for +its colon search. + +Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons") +Cc: stable@vger.kernel.org +Cc: Ron Minnich +Signed-off-by: Sven Eckelmann +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/cmdlinepart.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/cmdlinepart.c ++++ b/drivers/mtd/cmdlinepart.c +@@ -231,7 +231,7 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id, *semicol; ++ char *p, *mtd_id, *semicol, *open_parenth; + + /* + * Replace the first ';' by a NULL char so strrchr can work +@@ -241,6 +241,14 @@ static int mtdpart_setup_real(char *s) + if (semicol) + *semicol = '\0'; + ++ /* ++ * make sure that part-names with ":" will not be handled as ++ * part of the mtd-id with an ":" ++ */ ++ open_parenth = strchr(s, '('); ++ if (open_parenth) ++ *open_parenth = '\0'; ++ + mtd_id = s; + + /* +@@ -250,6 +258,10 @@ static int mtdpart_setup_real(char *s) + */ + p = strrchr(s, ':'); + ++ /* Restore the '(' now. */ ++ if (open_parenth) ++ *open_parenth = '('; ++ + /* Restore the ';' now. */ + if (semicol) + *semicol = ';'; diff --git a/queue-4.19/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch b/queue-4.19/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch new file mode 100644 index 00000000000..ce12ae410b7 --- /dev/null +++ b/queue-4.19/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch @@ -0,0 +1,37 @@ +From bc3686021122de953858a5be4cbf6e3f1d821e79 Mon Sep 17 00:00:00 2001 +From: Praveenkumar I +Date: Fri, 9 Oct 2020 13:37:52 +0530 +Subject: mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read + +From: Praveenkumar I + +commit bc3686021122de953858a5be4cbf6e3f1d821e79 upstream. + +After each codeword NAND_FLASH_STATUS is read for possible operational +failures. But there is no DMA sync for CPU operation before reading it +and this leads to incorrect or older copy of DMA buffer in reg_read_buf. + +This patch adds the DMA sync on reg_read_buf for CPU before reading it. + +Fixes: 5bc36b2bf6e2 ("mtd: rawnand: qcom: check for operation errors in case of raw read") +Cc: stable@vger.kernel.org +Signed-off-by: Praveenkumar I +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/1602230872-25616-1-git-send-email-ipkumar@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/qcom_nandc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -1578,6 +1578,8 @@ static int check_flash_errors(struct qco + struct qcom_nand_controller *nandc = get_qcom_nand_controller(chip); + int i; + ++ nandc_read_buffer_sync(nandc, true); ++ + for (i = 0; i < cw_cnt; i++) { + u32 flash = le32_to_cpu(nandc->reg_read_buf[i]); + diff --git a/queue-4.19/mtd-spinand-fix-oob-read.patch b/queue-4.19/mtd-spinand-fix-oob-read.patch new file mode 100644 index 00000000000..15764e44c4c --- /dev/null +++ b/queue-4.19/mtd-spinand-fix-oob-read.patch @@ -0,0 +1,35 @@ +From 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 1 Oct 2020 12:20:13 +0200 +Subject: mtd: spinand: Fix OOB read + +From: Miquel Raynal + +commit 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 upstream. + +So far OOB have never been used in SPI-NAND, add the missing memcpy to +make it work properly. + +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20201001102014.20100-6-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/spi/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -378,6 +378,10 @@ static int spinand_write_to_cache_op(str + } + } + ++ if (req->ooblen) ++ memcpy(req->oobbuf.in, spinand->oobbuf + req->ooboffs, ++ req->ooblen); ++ + return 0; + } + diff --git a/queue-4.19/pci-fix-pci_slot_release-null-pointer-dereference.patch b/queue-4.19/pci-fix-pci_slot_release-null-pointer-dereference.patch new file mode 100644 index 00000000000..d8f4cedf1e5 --- /dev/null +++ b/queue-4.19/pci-fix-pci_slot_release-null-pointer-dereference.patch @@ -0,0 +1,65 @@ +From 4684709bf81a2d98152ed6b610e3d5c403f9bced Mon Sep 17 00:00:00 2001 +From: Jubin Zhong +Date: Wed, 2 Dec 2020 10:33:42 +0800 +Subject: PCI: Fix pci_slot_release() NULL pointer dereference + +From: Jubin Zhong + +commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream. + +If kobject_init_and_add() fails, pci_slot_release() is called to delete +slot->list from parent->slots. But slot->list hasn't been initialized +yet, so we dereference a NULL pointer: + + Unable to handle kernel NULL pointer dereference at virtual address +00000000 + ... + CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197 + task: ffffeb398a45ef10 task.stack: ffffeb398a470000 + PC is at __list_del_entry_valid+0x5c/0xb0 + LR is at pci_slot_release+0x84/0xe4 + ... + __list_del_entry_valid+0x5c/0xb0 + pci_slot_release+0x84/0xe4 + kobject_put+0x184/0x1c4 + pci_create_slot+0x17c/0x1b4 + __pci_hp_initialize+0x68/0xa4 + pciehp_probe+0x1a4/0x2fc + pcie_port_probe_service+0x58/0x84 + driver_probe_device+0x320/0x470 + +Initialize slot->list before calling kobject_init_and_add() to avoid this. + +Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak") +Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com +Signed-off-by: Jubin Zhong +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v5.9+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/slot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -307,6 +307,9 @@ placeholder: + goto err; + } + ++ INIT_LIST_HEAD(&slot->list); ++ list_add(&slot->list, &parent->slots); ++ + err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL, + "%s", slot_name); + if (err) { +@@ -314,9 +317,6 @@ placeholder: + goto err; + } + +- INIT_LIST_HEAD(&slot->list); +- list_add(&slot->list, &parent->slots); +- + down_read(&pci_bus_sem); + list_for_each_entry(dev, &parent->devices, bus_list) + if (PCI_SLOT(dev->devfn) == slot_nr) diff --git a/queue-4.19/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch b/queue-4.19/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch new file mode 100644 index 00000000000..564adc78369 --- /dev/null +++ b/queue-4.19/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch @@ -0,0 +1,53 @@ +From a1158e36f876f6269978a4176e3a1d48d27fe7a1 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Tue, 10 Nov 2020 14:24:40 +0800 +Subject: pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler + +From: Yangtao Li + +commit a1158e36f876f6269978a4176e3a1d48d27fe7a1 upstream. + +It is found on many allwinner soc that there is a low probability that +the interrupt status cannot be read in sunxi_pinctrl_irq_handler. This +will cause the interrupt status of a gpio bank to always be active on +gic, preventing gic from responding to other spi interrupts correctly. + +So we should call the chained_irq_* each time enter sunxi_pinctrl_irq_handler(). + +Signed-off-by: Yangtao Li +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/85263ce8b058e80cea25c6ad6383eb256ce96cc8.1604988979.git.frank@allwinnertech.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sunxi/pinctrl-sunxi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +@@ -1001,20 +1001,22 @@ static void sunxi_pinctrl_irq_handler(st + if (bank == pctl->desc->irq_banks) + return; + ++ chained_irq_enter(chip, desc); ++ + reg = sunxi_irq_status_reg_from_bank(pctl->desc, bank); + val = readl(pctl->membase + reg); + + if (val) { + int irqoffset; + +- chained_irq_enter(chip, desc); + for_each_set_bit(irqoffset, &val, IRQ_PER_BANK) { + int pin_irq = irq_find_mapping(pctl->domain, + bank * IRQ_PER_BANK + irqoffset); + generic_handle_irq(pin_irq); + } +- chained_irq_exit(chip, desc); + } ++ ++ chained_irq_exit(chip, desc); + } + + static int sunxi_pinctrl_add_function(struct sunxi_pinctrl *pctl, diff --git a/queue-4.19/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch b/queue-4.19/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch new file mode 100644 index 00000000000..84fdc9e54ff --- /dev/null +++ b/queue-4.19/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch @@ -0,0 +1,44 @@ +From fe6000990394639ed374cb76c313be3640714f47 Mon Sep 17 00:00:00 2001 +From: Carlos Garnacho +Date: Tue, 1 Dec 2020 14:57:27 +0100 +Subject: platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12 + +From: Carlos Garnacho + +commit fe6000990394639ed374cb76c313be3640714f47 upstream. + +This 2-in-1 model (Product name: Switch SA5-271) features a SW_TABLET_MODE +that works as it would be expected, both when detaching the keyboard and +when folding it behind the tablet body. + +It used to work until the introduction of the allow list at +commit 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list +for SW_TABLET_MODE reporting"). Add this model to it, so that the Virtual +Buttons device announces the EV_SW features again. + +Fixes: 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting") +Cc: stable@vger.kernel.org +Signed-off-by: Carlos Garnacho +Link: https://lore.kernel.org/r/20201201135727.212917-1-carlosg@gnome.org +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/intel-vbtn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -203,6 +203,12 @@ static const struct dmi_system_id dmi_sw + DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion 13 x360 PC"), + }, + }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Switch SA5-271"), ++ }, ++ }, + {} /* Array terminator */ + }; + diff --git a/queue-4.19/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch b/queue-4.19/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch new file mode 100644 index 00000000000..c468eec0113 --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch @@ -0,0 +1,102 @@ +From 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 20 Oct 2020 13:27:11 -0700 +Subject: scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc() + +From: James Smart + +commit 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf upstream. + +The following calltrace was seen: + +BUG: sleeping function called from invalid context at mm/slab.h:494 +... +Call Trace: + dump_stack+0x9a/0xf0 + ___might_sleep.cold.63+0x13d/0x178 + slab_pre_alloc_hook+0x6a/0x90 + kmem_cache_alloc_trace+0x3a/0x2d0 + lpfc_sli4_nvmet_alloc+0x4c/0x280 [lpfc] + lpfc_post_rq_buffer+0x2e7/0xa60 [lpfc] + lpfc_sli4_hba_setup+0x6b4c/0xa4b0 [lpfc] + lpfc_pci_probe_one_s4.isra.15+0x14f8/0x2280 [lpfc] + lpfc_pci_probe_one+0x260/0x2880 [lpfc] + local_pci_probe+0xd4/0x180 + work_for_cpu_fn+0x51/0xa0 + process_one_work+0x8f0/0x17b0 + worker_thread+0x536/0xb50 + kthread+0x30c/0x3d0 + ret_from_fork+0x3a/0x50 + +A prior patch introduced a spin_lock_irqsave(hbalock) in the +lpfc_post_rq_buffer() routine. Call trace is seen as the hbalock is held +with interrupts disabled during a GFP_KERNEL allocation in +lpfc_sli4_nvmet_alloc(). + +Fix by reordering locking so that hbalock not held when calling +sli4_nvmet_alloc() (aka rqb_buf_list()). + +Link: https://lore.kernel.org/r/20201020202719.54726-2-james.smart@broadcom.com +Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") +Cc: # v4.17+ +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_mem.c | 4 +--- + drivers/scsi/lpfc/lpfc_sli.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_mem.c ++++ b/drivers/scsi/lpfc/lpfc_mem.c +@@ -560,8 +560,6 @@ lpfc_els_hbq_free(struct lpfc_hba *phba, + * Description: Allocates a DMA-mapped receive buffer from the lpfc_hrb_pool PCI + * pool along a non-DMA-mapped container for it. + * +- * Notes: Not interrupt-safe. Must be called with no locks held. +- * + * Returns: + * pointer to HBQ on success + * NULL on failure +@@ -631,7 +629,7 @@ lpfc_sli4_nvmet_alloc(struct lpfc_hba *p + { + struct rqb_dmabuf *dma_buf; + +- dma_buf = kzalloc(sizeof(struct rqb_dmabuf), GFP_KERNEL); ++ dma_buf = kzalloc(sizeof(*dma_buf), GFP_KERNEL); + if (!dma_buf) + return NULL; + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6755,12 +6755,16 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb + struct rqb_dmabuf *rqb_buffer; + LIST_HEAD(rqb_buf_list); + +- spin_lock_irqsave(&phba->hbalock, flags); + rqbp = hrq->rqbp; + for (i = 0; i < count; i++) { ++ spin_lock_irqsave(&phba->hbalock, flags); + /* IF RQ is already full, don't bother */ +- if (rqbp->buffer_count + i >= rqbp->entry_count - 1) ++ if (rqbp->buffer_count + i >= rqbp->entry_count - 1) { ++ spin_unlock_irqrestore(&phba->hbalock, flags); + break; ++ } ++ spin_unlock_irqrestore(&phba->hbalock, flags); ++ + rqb_buffer = rqbp->rqb_alloc_buffer(phba); + if (!rqb_buffer) + break; +@@ -6769,6 +6773,8 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb + rqb_buffer->idx = idx; + list_add_tail(&rqb_buffer->hbuf.list, &rqb_buf_list); + } ++ ++ spin_lock_irqsave(&phba->hbalock, flags); + while (!list_empty(&rqb_buf_list)) { + list_remove_head(&rqb_buf_list, rqb_buffer, struct rqb_dmabuf, + hbuf.list); diff --git a/queue-4.19/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch b/queue-4.19/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch new file mode 100644 index 00000000000..42d26527005 --- /dev/null +++ b/queue-4.19/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch @@ -0,0 +1,46 @@ +From e5785d3ec32f5f44dd88cd7b398e496742630469 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 20 Oct 2020 13:27:13 -0700 +Subject: scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free() + +From: James Smart + +commit e5785d3ec32f5f44dd88cd7b398e496742630469 upstream. + +Commit 9816ef6ecbc1 ("scsi: lpfc: Use after free in lpfc_rq_buf_free()") +was made to correct a use after free condition in lpfc_rq_buf_free(). +Unfortunately, a subsequent patch cut on a tree without the fix +inadvertently reverted the fix. + +Put the fix back: Move the freeing of the rqb_entry to after the print +function that references it. + +Link: https://lore.kernel.org/r/20201020202719.54726-4-james.smart@broadcom.com +Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") +Cc: # v4.17+ +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_mem.c ++++ b/drivers/scsi/lpfc/lpfc_mem.c +@@ -752,7 +752,6 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, + drqe.address_hi = putPaddrHigh(rqb_entry->dbuf.phys); + rc = lpfc_sli4_rq_put(rqb_entry->hrq, rqb_entry->drq, &hrqe, &drqe); + if (rc < 0) { +- (rqbp->rqb_free_buffer)(phba, rqb_entry); + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, + "6409 Cannot post to HRQ %d: %x %x %x " + "DRQ %x %x\n", +@@ -762,6 +761,7 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, + rqb_entry->hrq->entry_count, + rqb_entry->drq->host_index, + rqb_entry->drq->hba_index); ++ (rqbp->rqb_free_buffer)(phba, rqb_entry); + } else { + list_add_tail(&rqb_entry->hbuf.list, &rqbp->rqb_buffer_list); + rqbp->buffer_count++; diff --git a/queue-4.19/series b/queue-4.19/series index d80e94ac801..2691e54ac9d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -311,3 +311,37 @@ smb3-avoid-confusing-warning-message-on-mount-to-azure.patch smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch jffs2-fix-gc-exit-abnormally.patch +jfs-fix-array-index-bounds-check-in-dbadjtree.patch +drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch +spi-spi-sh-fix-use-after-free-on-unbind.patch +spi-davinci-fix-use-after-free-on-unbind.patch +spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch +spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch +spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch +spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch +spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch +soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch +mtd-spinand-fix-oob-read.patch +mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch +mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch +scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch +scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch +iio-buffer-fix-demux-update.patch +iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch +iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-pressure-mpl3115-force-alignment-of-buffer.patch +iio-imu-bmi160-fix-too-large-a-buffer.patch +md-cluster-block-reshape-with-remote-resync-job.patch +md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch +pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch +clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch +xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch +xen-xenbus-allow-watches-discard-events-before-queueing.patch +xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch +xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch +xen-xenbus-count-pending-messages-for-each-watch.patch +xenbus-xenbus_backend-disallow-pending-watch-messages.patch +libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch +platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch +pci-fix-pci_slot_release-null-pointer-dereference.patch diff --git a/queue-4.19/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch b/queue-4.19/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch new file mode 100644 index 00000000000..4dfbd4c7242 --- /dev/null +++ b/queue-4.19/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch @@ -0,0 +1,55 @@ +From fc3e62e25c3896855b7c3d72df19ca6be3459c9f Mon Sep 17 00:00:00 2001 +From: Evan Green +Date: Tue, 29 Sep 2020 13:30:57 -0700 +Subject: soc: qcom: smp2p: Safely acquire spinlock without IRQs + +From: Evan Green + +commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream. + +smp2p_update_bits() should disable interrupts when it acquires its +spinlock. This is important because without the _irqsave, a priority +inversion can occur. + +This function is called both with interrupts enabled in +qcom_q6v5_request_stop(), and with interrupts disabled in +ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be +consistent to avoid the panic notifier deadlocking because it's +sitting on the thread that's already got the lock via _request_stop(). + +Found via lockdep. + +Cc: stable@vger.kernel.org +Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point") +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Evan Green +Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/qcom/smp2p.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/soc/qcom/smp2p.c ++++ b/drivers/soc/qcom/smp2p.c +@@ -326,15 +326,16 @@ static int qcom_smp2p_inbound_entry(stru + static int smp2p_update_bits(void *data, u32 mask, u32 value) + { + struct smp2p_entry *entry = data; ++ unsigned long flags; + u32 orig; + u32 val; + +- spin_lock(&entry->lock); ++ spin_lock_irqsave(&entry->lock, flags); + val = orig = readl(entry->value); + val &= ~mask; + val |= value; + writel(val, entry->value); +- spin_unlock(&entry->lock); ++ spin_unlock_irqrestore(&entry->lock, flags); + + if (val != orig) + qcom_smp2p_kick(entry->smp2p); diff --git a/queue-4.19/spi-davinci-fix-use-after-free-on-unbind.patch b/queue-4.19/spi-davinci-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..0685fec5a6d --- /dev/null +++ b/queue-4.19/spi-davinci-fix-use-after-free-on-unbind.patch @@ -0,0 +1,43 @@ +From 373afef350a93519b4b8d636b0895da8650b714b Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:01 +0100 +Subject: spi: davinci: Fix use-after-free on unbind + +From: Lukas Wunner + +commit 373afef350a93519b4b8d636b0895da8650b714b upstream. + +davinci_spi_remove() accesses the driver's private data after it's been +freed with spi_master_put(). + +Fix by moving the spi_master_put() to the end of the function. + +Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: Lukas Wunner +Acked-by: Peter Ujfalusi +Cc: # v4.7+ +Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -1086,13 +1086,13 @@ static int davinci_spi_remove(struct pla + spi_bitbang_stop(&dspi->bitbang); + + clk_disable_unprepare(dspi->clk); +- spi_master_put(master); + + if (dspi->dma_rx) { + dma_release_channel(dspi->dma_rx); + dma_release_channel(dspi->dma_tx); + } + ++ spi_master_put(master); + return 0; + } + diff --git a/queue-4.19/spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch b/queue-4.19/spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch new file mode 100644 index 00000000000..0503d260100 --- /dev/null +++ b/queue-4.19/spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch @@ -0,0 +1,40 @@ +From 702b15cb97123cedcec56a39d9a21c5288eb9ae1 Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Tue, 3 Nov 2020 15:49:12 +0800 +Subject: spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe + +From: Qinglang Miao + +commit 702b15cb97123cedcec56a39d9a21c5288eb9ae1 upstream. + +Fix the missing clk_disable_unprepare() before return +from mt7621_spi_probe in the error handling case. + +Fixes: cbd66c626e16 ("spi: mt7621: Move SPI driver out of staging") +Signed-off-by: Qinglang Miao +Link: https://lore.kernel.org/r/20201103074912.195576-1-miaoqinglang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/mt7621-spi/spi-mt7621.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/mt7621-spi/spi-mt7621.c ++++ b/drivers/staging/mt7621-spi/spi-mt7621.c +@@ -455,6 +455,7 @@ static int mt7621_spi_probe(struct platf + master = spi_alloc_master(&pdev->dev, sizeof(*rs)); + if (master == NULL) { + dev_info(&pdev->dev, "master allocation failed\n"); ++ clk_disable_unprepare(clk); + return -ENOMEM; + } + +@@ -480,6 +481,7 @@ static int mt7621_spi_probe(struct platf + ret = device_reset(&pdev->dev); + if (ret) { + dev_err(&pdev->dev, "SPI reset failed!\n"); ++ clk_disable_unprepare(clk); + return ret; + } + diff --git a/queue-4.19/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch b/queue-4.19/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch new file mode 100644 index 00000000000..b8e927d6e27 --- /dev/null +++ b/queue-4.19/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch @@ -0,0 +1,35 @@ +From c575e9113bff5e024d75481613faed5ef9d465b2 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 8 Nov 2020 23:41:00 +0100 +Subject: spi: pic32: Don't leak DMA channels in probe error path + +From: Lukas Wunner + +commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream. + +If the calls to devm_request_irq() or devm_spi_register_master() fail +on probe of the PIC32 SPI driver, the DMA channels requested by +pic32_spi_dma_prep() are erroneously not released. Plug the leak. + +Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") +Signed-off-by: Lukas Wunner +Cc: # v4.7+ +Cc: Purna Chandra Mandal +Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-pic32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/spi-pic32.c ++++ b/drivers/spi/spi-pic32.c +@@ -839,6 +839,7 @@ static int pic32_spi_probe(struct platfo + return 0; + + err_bailout: ++ pic32_spi_dma_unprep(pic32s); + clk_disable_unprepare(pic32s->clk); + err_master: + spi_master_put(master); diff --git a/queue-4.19/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch b/queue-4.19/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..d6d3610d63a --- /dev/null +++ b/queue-4.19/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch @@ -0,0 +1,39 @@ +From a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:10 +0100 +Subject: spi: rb4xx: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream. + +If the calls to devm_clk_get(), devm_spi_register_master() or +clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver, +the spi_master struct is erroneously not freed. + +Fix by switching over to the new devm_spi_alloc_master() helper. + +Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards") +Signed-off-by: Lukas Wunner +Cc: # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v4.2+ +Cc: Bert Vermeulen +Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rb4xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-rb4xx.c ++++ b/drivers/spi/spi-rb4xx.c +@@ -148,7 +148,7 @@ static int rb4xx_spi_probe(struct platfo + if (IS_ERR(spi_base)) + return PTR_ERR(spi_base); + +- master = spi_alloc_master(&pdev->dev, sizeof(*rbspi)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rbspi)); + if (!master) + return -ENOMEM; + diff --git a/queue-4.19/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch b/queue-4.19/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..d2310f6eaec --- /dev/null +++ b/queue-4.19/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch @@ -0,0 +1,61 @@ +From 5b8c88462d83331dacb48aeaec8388117fef82e0 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:11 +0100 +Subject: spi: sc18is602: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream. + +If the call to devm_gpiod_get_optional() fails on probe of the NXP +SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed. + +Fix by switching over to the new devm_spi_alloc_master() helper. + +Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.") +Signed-off-by: Lukas Wunner +Cc: # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v4.9+ +Cc: Phil Reid +Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sc18is602.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/spi/spi-sc18is602.c ++++ b/drivers/spi/spi-sc18is602.c +@@ -248,13 +248,12 @@ static int sc18is602_probe(struct i2c_cl + struct sc18is602_platform_data *pdata = dev_get_platdata(dev); + struct sc18is602 *hw; + struct spi_master *master; +- int error; + + if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C | + I2C_FUNC_SMBUS_WRITE_BYTE_DATA)) + return -EINVAL; + +- master = spi_alloc_master(dev, sizeof(struct sc18is602)); ++ master = devm_spi_alloc_master(dev, sizeof(struct sc18is602)); + if (!master) + return -ENOMEM; + +@@ -308,15 +307,7 @@ static int sc18is602_probe(struct i2c_cl + master->min_speed_hz = hw->freq / 128; + master->max_speed_hz = hw->freq / 4; + +- error = devm_spi_register_master(dev, master); +- if (error) +- goto error_reg; +- +- return 0; +- +-error_reg: +- spi_master_put(master); +- return error; ++ return devm_spi_register_master(dev, master); + } + + static const struct i2c_device_id sc18is602_id[] = { diff --git a/queue-4.19/spi-spi-sh-fix-use-after-free-on-unbind.patch b/queue-4.19/spi-spi-sh-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..9381a2bf278 --- /dev/null +++ b/queue-4.19/spi-spi-sh-fix-use-after-free-on-unbind.patch @@ -0,0 +1,78 @@ +From e77df3eca12be4b17f13cf9f215cff248c57d98f Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:04 +0100 +Subject: spi: spi-sh: Fix use-after-free on unbind + +From: Lukas Wunner + +commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream. + +spi_sh_remove() accesses the driver's private data after calling +spi_unregister_master() even though that function releases the last +reference on the spi_master and thereby frees the private data. + +Fix by switching over to the new devm_spi_alloc_master() helper which +keeps the private data accessible until the driver has unbound. + +Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path") +Signed-off-by: Lukas Wunner +Cc: # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v3.0+ +Cc: Axel Lin +Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/spi/spi-sh.c ++++ b/drivers/spi/spi-sh.c +@@ -450,7 +450,7 @@ static int spi_sh_probe(struct platform_ + return irq; + } + +- master = spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data)); + if (master == NULL) { + dev_err(&pdev->dev, "spi_alloc_master error.\n"); + return -ENOMEM; +@@ -468,16 +468,14 @@ static int spi_sh_probe(struct platform_ + break; + default: + dev_err(&pdev->dev, "No support width\n"); +- ret = -ENODEV; +- goto error1; ++ return -ENODEV; + } + ss->irq = irq; + ss->master = master; + ss->addr = devm_ioremap(&pdev->dev, res->start, resource_size(res)); + if (ss->addr == NULL) { + dev_err(&pdev->dev, "ioremap error.\n"); +- ret = -ENOMEM; +- goto error1; ++ return -ENOMEM; + } + INIT_LIST_HEAD(&ss->queue); + spin_lock_init(&ss->lock); +@@ -487,7 +485,7 @@ static int spi_sh_probe(struct platform_ + ret = request_irq(irq, spi_sh_irq, 0, "spi_sh", ss); + if (ret < 0) { + dev_err(&pdev->dev, "request_irq error\n"); +- goto error1; ++ return ret; + } + + master->num_chipselect = 2; +@@ -506,9 +504,6 @@ static int spi_sh_probe(struct platform_ + + error3: + free_irq(irq, ss); +- error1: +- spi_master_put(master); +- + return ret; + } + diff --git a/queue-4.19/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch b/queue-4.19/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch new file mode 100644 index 00000000000..5b46085f3d8 --- /dev/null +++ b/queue-4.19/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch @@ -0,0 +1,45 @@ +From 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 8 Nov 2020 23:41:00 +0100 +Subject: spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path + +From: Lukas Wunner + +commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream. + +If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map() +or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the +runtime PM disable depth is incremented even though it was not +decremented before. Fix it. + +Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable") +Signed-off-by: Lukas Wunner +Cc: # v5.5+ +Cc: Chuhong Yuan +Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-st-ssc4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-st-ssc4.c ++++ b/drivers/spi/spi-st-ssc4.c +@@ -379,13 +379,14 @@ static int spi_st_probe(struct platform_ + ret = devm_spi_register_master(&pdev->dev, master); + if (ret) { + dev_err(&pdev->dev, "Failed to register master\n"); +- goto clk_disable; ++ goto rpm_disable; + } + + return 0; + +-clk_disable: ++rpm_disable: + pm_runtime_disable(&pdev->dev); ++clk_disable: + clk_disable_unprepare(spi_st->clk); + put_master: + spi_master_put(master); diff --git a/queue-4.19/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch b/queue-4.19/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch new file mode 100644 index 00000000000..6365ca4452e --- /dev/null +++ b/queue-4.19/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch @@ -0,0 +1,52 @@ +From 1c728719a4da6e654afb9cc047164755072ed7c9 Mon Sep 17 00:00:00 2001 +From: Pawel Wieczorkiewicz +Date: Mon, 14 Dec 2020 10:25:57 +0100 +Subject: xen-blkback: set ring->xenblkd to NULL after kthread_stop() + +From: Pawel Wieczorkiewicz + +commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream. + +When xen_blkif_disconnect() is called, the kernel thread behind the +block interface is stopped by calling kthread_stop(ring->xenblkd). +The ring->xenblkd thread pointer being non-NULL determines if the +thread has been already stopped. +Normally, the thread's function xen_blkif_schedule() sets the +ring->xenblkd to NULL, when the thread's main loop ends. + +However, when the thread has not been started yet (i.e. +wake_up_process() has not been called on it), the xen_blkif_schedule() +function would not be called yet. + +In such case the kthread_stop() call returns -EINTR and the +ring->xenblkd remains dangling. +When this happens, any consecutive call to xen_blkif_disconnect (for +example in frontend_changed() callback) leads to a kernel crash in +kthread_stop() (e.g. NULL pointer dereference in exit_creds()). + +This is XSA-350. + +Cc: # 4.12 +Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread") +Reported-by: Olivier Benjamin +Reported-by: Pawel Wieczorkiewicz +Signed-off-by: Pawel Wieczorkiewicz +Reviewed-by: Julien Grall +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/xenbus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -264,6 +264,7 @@ static int xen_blkif_disconnect(struct x + + if (ring->xenblkd) { + kthread_stop(ring->xenblkd); ++ ring->xenblkd = NULL; + wake_up(&ring->shutdown_wq); + } + diff --git a/queue-4.19/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch b/queue-4.19/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch new file mode 100644 index 00000000000..8bae141a585 --- /dev/null +++ b/queue-4.19/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch @@ -0,0 +1,140 @@ +From 2e85d32b1c865bec703ce0c962221a5e955c52c2 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:04:18 +0100 +Subject: xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() + +From: SeongJae Park + +commit 2e85d32b1c865bec703ce0c962221a5e955c52c2 upstream. + +Some code does not directly make 'xenbus_watch' object and call +'register_xenbus_watch()' but use 'xenbus_watch_path()' instead. This +commit adds support of 'will_handle' callback in the +'xenbus_watch_path()' and it's wrapper, 'xenbus_watch_pathfmt()'. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/xenbus.c | 3 ++- + drivers/net/xen-netback/xenbus.c | 2 +- + drivers/xen/xen-pciback/xenbus.c | 2 +- + drivers/xen/xenbus/xenbus_client.c | 9 +++++++-- + drivers/xen/xenbus/xenbus_probe.c | 2 +- + include/xen/xenbus.h | 6 +++++- + 6 files changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -652,7 +652,8 @@ static int xen_blkbk_probe(struct xenbus + /* setup back pointer */ + be->blkif->be = be; + +- err = xenbus_watch_pathfmt(dev, &be->backend_watch, backend_changed, ++ err = xenbus_watch_pathfmt(dev, &be->backend_watch, NULL, ++ backend_changed, + "%s/%s", dev->nodename, "physical-device"); + if (err) + goto fail; +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -1043,7 +1043,7 @@ static void connect(struct backend_info + xenvif_carrier_on(be->vif); + + unregister_hotplug_status_watch(be); +- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, ++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL, + hotplug_status_changed, + "%s/%s", dev->nodename, "hotplug-status"); + if (!err) +--- a/drivers/xen/xen-pciback/xenbus.c ++++ b/drivers/xen/xen-pciback/xenbus.c +@@ -688,7 +688,7 @@ static int xen_pcibk_xenbus_probe(struct + + /* watch the backend node for backend configuration information */ + err = xenbus_watch_path(dev, dev->nodename, &pdev->be_watch, +- xen_pcibk_be_watch); ++ NULL, xen_pcibk_be_watch); + if (err) + goto out; + +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -114,19 +114,22 @@ EXPORT_SYMBOL_GPL(xenbus_strstate); + */ + int xenbus_watch_path(struct xenbus_device *dev, const char *path, + struct xenbus_watch *watch, ++ bool (*will_handle)(struct xenbus_watch *, ++ const char *, const char *), + void (*callback)(struct xenbus_watch *, + const char *, const char *)) + { + int err; + + watch->node = path; +- watch->will_handle = NULL; ++ watch->will_handle = will_handle; + watch->callback = callback; + + err = register_xenbus_watch(watch); + + if (err) { + watch->node = NULL; ++ watch->will_handle = NULL; + watch->callback = NULL; + xenbus_dev_fatal(dev, err, "adding watch on %s", path); + } +@@ -153,6 +156,8 @@ EXPORT_SYMBOL_GPL(xenbus_watch_path); + */ + int xenbus_watch_pathfmt(struct xenbus_device *dev, + struct xenbus_watch *watch, ++ bool (*will_handle)(struct xenbus_watch *, ++ const char *, const char *), + void (*callback)(struct xenbus_watch *, + const char *, const char *), + const char *pathfmt, ...) +@@ -169,7 +174,7 @@ int xenbus_watch_pathfmt(struct xenbus_d + xenbus_dev_fatal(dev, -ENOMEM, "allocating path for watch"); + return -ENOMEM; + } +- err = xenbus_watch_path(dev, path, watch, callback); ++ err = xenbus_watch_path(dev, path, watch, will_handle, callback); + + if (err) + kfree(path); +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -136,7 +136,7 @@ static int watch_otherend(struct xenbus_ + container_of(dev->dev.bus, struct xen_bus_type, bus); + + return xenbus_watch_pathfmt(dev, &dev->otherend_watch, +- bus->otherend_changed, ++ NULL, bus->otherend_changed, + "%s/%s", dev->otherend, "state"); + } + +--- a/include/xen/xenbus.h ++++ b/include/xen/xenbus.h +@@ -199,10 +199,14 @@ void xenbus_probe(struct work_struct *); + + int xenbus_watch_path(struct xenbus_device *dev, const char *path, + struct xenbus_watch *watch, ++ bool (*will_handle)(struct xenbus_watch *, ++ const char *, const char *), + void (*callback)(struct xenbus_watch *, + const char *, const char *)); +-__printf(4, 5) ++__printf(5, 6) + int xenbus_watch_pathfmt(struct xenbus_device *dev, struct xenbus_watch *watch, ++ bool (*will_handle)(struct xenbus_watch *, ++ const char *, const char *), + void (*callback)(struct xenbus_watch *, + const char *, const char *), + const char *pathfmt, ...); diff --git a/queue-4.19/xen-xenbus-allow-watches-discard-events-before-queueing.patch b/queue-4.19/xen-xenbus-allow-watches-discard-events-before-queueing.patch new file mode 100644 index 00000000000..a8e485eb150 --- /dev/null +++ b/queue-4.19/xen-xenbus-allow-watches-discard-events-before-queueing.patch @@ -0,0 +1,115 @@ +From fed1755b118147721f2c87b37b9d66e62c39b668 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:02:45 +0100 +Subject: xen/xenbus: Allow watches discard events before queueing + +From: SeongJae Park + +commit fed1755b118147721f2c87b37b9d66e62c39b668 upstream. + +If handling logics of watch events are slower than the events enqueue +logic and the events can be created from the guests, the guests could +trigger memory pressure by intensively inducing the events, because it +will create a huge number of pending events that exhausting the memory. + +Fortunately, some watch events could be ignored, depending on its +handler callback. For example, if the callback has interest in only one +single path, the watch wouldn't want multiple pending events. Or, some +watches could ignore events to same path. + +To let such watches to volutarily help avoiding the memory pressure +situation, this commit introduces new watch callback, 'will_handle'. If +it is not NULL, it will be called for each new event just before +enqueuing it. Then, if the callback returns false, the event will be +discarded. No watch is using the callback for now, though. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netback/xenbus.c | 4 ++++ + drivers/xen/xenbus/xenbus_client.c | 1 + + drivers/xen/xenbus/xenbus_xs.c | 5 ++++- + include/xen/xenbus.h | 7 +++++++ + 4 files changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -777,12 +777,14 @@ static int xen_register_credit_watch(str + return -ENOMEM; + snprintf(node, maxlen, "%s/rate", dev->nodename); + vif->credit_watch.node = node; ++ vif->credit_watch.will_handle = NULL; + vif->credit_watch.callback = xen_net_rate_changed; + err = register_xenbus_watch(&vif->credit_watch); + if (err) { + pr_err("Failed to set watcher %s\n", vif->credit_watch.node); + kfree(node); + vif->credit_watch.node = NULL; ++ vif->credit_watch.will_handle = NULL; + vif->credit_watch.callback = NULL; + } + return err; +@@ -829,6 +831,7 @@ static int xen_register_mcast_ctrl_watch + snprintf(node, maxlen, "%s/request-multicast-control", + dev->otherend); + vif->mcast_ctrl_watch.node = node; ++ vif->mcast_ctrl_watch.will_handle = NULL; + vif->mcast_ctrl_watch.callback = xen_mcast_ctrl_changed; + err = register_xenbus_watch(&vif->mcast_ctrl_watch); + if (err) { +@@ -836,6 +839,7 @@ static int xen_register_mcast_ctrl_watch + vif->mcast_ctrl_watch.node); + kfree(node); + vif->mcast_ctrl_watch.node = NULL; ++ vif->mcast_ctrl_watch.will_handle = NULL; + vif->mcast_ctrl_watch.callback = NULL; + } + return err; +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -120,6 +120,7 @@ int xenbus_watch_path(struct xenbus_devi + int err; + + watch->node = path; ++ watch->will_handle = NULL; + watch->callback = callback; + + err = register_xenbus_watch(watch); +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -705,7 +705,10 @@ int xs_watch_msg(struct xs_watch_event * + + spin_lock(&watches_lock); + event->handle = find_watch(event->token); +- if (event->handle != NULL) { ++ if (event->handle != NULL && ++ (!event->handle->will_handle || ++ event->handle->will_handle(event->handle, ++ event->path, event->token))) { + spin_lock(&watch_events_lock); + list_add_tail(&event->list, &watch_events); + wake_up(&watch_events_waitq); +--- a/include/xen/xenbus.h ++++ b/include/xen/xenbus.h +@@ -59,6 +59,13 @@ struct xenbus_watch + /* Path being watched. */ + const char *node; + ++ /* ++ * Called just before enqueing new event while a spinlock is held. ++ * The event will be discarded if this callback returns false. ++ */ ++ bool (*will_handle)(struct xenbus_watch *, ++ const char *path, const char *token); ++ + /* Callback (executed in a process context with no locks held). */ + void (*callback)(struct xenbus_watch *, + const char *path, const char *token); diff --git a/queue-4.19/xen-xenbus-count-pending-messages-for-each-watch.patch b/queue-4.19/xen-xenbus-count-pending-messages-for-each-watch.patch new file mode 100644 index 00000000000..dc33f040fd4 --- /dev/null +++ b/queue-4.19/xen-xenbus-count-pending-messages-for-each-watch.patch @@ -0,0 +1,108 @@ +From 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:07:13 +0100 +Subject: xen/xenbus: Count pending messages for each watch + +From: SeongJae Park + +commit 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc upstream. + +This commit adds a counter of pending messages for each watch in the +struct. It is used to skip unnecessary pending messages lookup in +'unregister_xenbus_watch()'. It could also be used in 'will_handle' +callback. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_xs.c | 29 ++++++++++++++++++----------- + include/xen/xenbus.h | 2 ++ + 2 files changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -711,6 +711,7 @@ int xs_watch_msg(struct xs_watch_event * + event->path, event->token))) { + spin_lock(&watch_events_lock); + list_add_tail(&event->list, &watch_events); ++ event->handle->nr_pending++; + wake_up(&watch_events_waitq); + spin_unlock(&watch_events_lock); + } else +@@ -768,6 +769,8 @@ int register_xenbus_watch(struct xenbus_ + + sprintf(token, "%lX", (long)watch); + ++ watch->nr_pending = 0; ++ + down_read(&xs_watch_rwsem); + + spin_lock(&watches_lock); +@@ -817,11 +820,14 @@ void unregister_xenbus_watch(struct xenb + + /* Cancel pending watch events. */ + spin_lock(&watch_events_lock); +- list_for_each_entry_safe(event, tmp, &watch_events, list) { +- if (event->handle != watch) +- continue; +- list_del(&event->list); +- kfree(event); ++ if (watch->nr_pending) { ++ list_for_each_entry_safe(event, tmp, &watch_events, list) { ++ if (event->handle != watch) ++ continue; ++ list_del(&event->list); ++ kfree(event); ++ } ++ watch->nr_pending = 0; + } + spin_unlock(&watch_events_lock); + +@@ -868,7 +874,6 @@ void xs_suspend_cancel(void) + + static int xenwatch_thread(void *unused) + { +- struct list_head *ent; + struct xs_watch_event *event; + + xenwatch_pid = current->pid; +@@ -883,13 +888,15 @@ static int xenwatch_thread(void *unused) + mutex_lock(&xenwatch_mutex); + + spin_lock(&watch_events_lock); +- ent = watch_events.next; +- if (ent != &watch_events) +- list_del(ent); ++ event = list_first_entry_or_null(&watch_events, ++ struct xs_watch_event, list); ++ if (event) { ++ list_del(&event->list); ++ event->handle->nr_pending--; ++ } + spin_unlock(&watch_events_lock); + +- if (ent != &watch_events) { +- event = list_entry(ent, struct xs_watch_event, list); ++ if (event) { + event->handle->callback(event->handle, event->path, + event->token); + kfree(event); +--- a/include/xen/xenbus.h ++++ b/include/xen/xenbus.h +@@ -59,6 +59,8 @@ struct xenbus_watch + /* Path being watched. */ + const char *node; + ++ unsigned int nr_pending; ++ + /* + * Called just before enqueing new event while a spinlock is held. + * The event will be discarded if this callback returns false. diff --git a/queue-4.19/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch b/queue-4.19/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch new file mode 100644 index 00000000000..264d933d99a --- /dev/null +++ b/queue-4.19/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch @@ -0,0 +1,50 @@ +From be987200fbaceaef340872841d4f7af2c5ee8dc3 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:05:47 +0100 +Subject: xen/xenbus/xen_bus_type: Support will_handle watch callback + +From: SeongJae Park + +commit be987200fbaceaef340872841d4f7af2c5ee8dc3 upstream. + +This commit adds support of the 'will_handle' watch callback for +'xen_bus_type' users. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus.h | 2 ++ + drivers/xen/xenbus/xenbus_probe.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus.h ++++ b/drivers/xen/xenbus/xenbus.h +@@ -44,6 +44,8 @@ struct xen_bus_type { + int (*get_bus_id)(char bus_id[XEN_BUS_ID_SIZE], const char *nodename); + int (*probe)(struct xen_bus_type *bus, const char *type, + const char *dir); ++ bool (*otherend_will_handle)(struct xenbus_watch *watch, ++ const char *path, const char *token); + void (*otherend_changed)(struct xenbus_watch *watch, const char *path, + const char *token); + struct bus_type bus; +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -136,7 +136,8 @@ static int watch_otherend(struct xenbus_ + container_of(dev->dev.bus, struct xen_bus_type, bus); + + return xenbus_watch_pathfmt(dev, &dev->otherend_watch, +- NULL, bus->otherend_changed, ++ bus->otherend_will_handle, ++ bus->otherend_changed, + "%s/%s", dev->otherend, "state"); + } + diff --git a/queue-4.19/xenbus-xenbus_backend-disallow-pending-watch-messages.patch b/queue-4.19/xenbus-xenbus_backend-disallow-pending-watch-messages.patch new file mode 100644 index 00000000000..13c6a851eeb --- /dev/null +++ b/queue-4.19/xenbus-xenbus_backend-disallow-pending-watch-messages.patch @@ -0,0 +1,56 @@ +From 9996bd494794a2fe393e97e7a982388c6249aa76 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:08:40 +0100 +Subject: xenbus/xenbus_backend: Disallow pending watch messages + +From: SeongJae Park + +commit 9996bd494794a2fe393e97e7a982388c6249aa76 upstream. + +'xenbus_backend' watches 'state' of devices, which is writable by +guests. Hence, if guests intensively updates it, dom0 will have lots of +pending events that exhausting memory of dom0. In other words, guests +can trigger dom0 memory pressure. This is known as XSA-349. However, +the watch callback of it, 'frontend_changed()', reads only 'state', so +doesn't need to have the pending events. + +To avoid the problem, this commit disallows pending watch messages for +'xenbus_backend' using the 'will_handle()' watch callback. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_probe_backend.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/xen/xenbus/xenbus_probe_backend.c ++++ b/drivers/xen/xenbus/xenbus_probe_backend.c +@@ -180,6 +180,12 @@ static int xenbus_probe_backend(struct x + return err; + } + ++static bool frontend_will_handle(struct xenbus_watch *watch, ++ const char *path, const char *token) ++{ ++ return watch->nr_pending == 0; ++} ++ + static void frontend_changed(struct xenbus_watch *watch, + const char *path, const char *token) + { +@@ -191,6 +197,7 @@ static struct xen_bus_type xenbus_backen + .levels = 3, /* backend/type// */ + .get_bus_id = backend_bus_id, + .probe = xenbus_probe_backend, ++ .otherend_will_handle = frontend_will_handle, + .otherend_changed = frontend_changed, + .bus = { + .name = "xen-backend", -- 2.47.3