From e4dd0d0a22078bb69da2100586052b094bbda793 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 6 Feb 2022 13:56:31 +0100 Subject: [PATCH] 4.14-stable patches added patches: asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch net-ieee802154-ca8210-stop-leaking-skb-s.patch net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch selftests-futex-use-variable-make-instead-of-make.patch spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch --- ...rror-handling-in-pcm030_fabric_probe.patch | 48 ++++++++++ ...event-divide-by-zero-bugs-in-scaling.patch | 44 +++++++++ ...timeout-issue-in-iommu_ga_log_enable.patch | 45 +++++++++ ...ry-leak-in-intel_setup_irq_remapping.patch | 69 ++++++++++++++ ...ieee802154-ca8210-stop-leaking-skb-s.patch | 35 +++++++ ...error-codes-from-the-netlink-helpers.patch | 61 ++++++++++++ ...is-on-when-setting-tx-sci-explicitly.patch | 47 ++++++++++ ...-mistakenly-expires-confirmed-client.patch | 45 +++++++++ ...dler-after-memory-allocation-failure.patch | 40 ++++++++ ...nx2fc-make-bnx2fc_recv_frame-mp-safe.patch | 92 +++++++++++++++++++ ...ex-use-variable-make-instead-of-make.patch | 46 ++++++++++ queue-4.14/series | 14 +++ ...valid-cs-before-applying-chip-select.patch | 36 ++++++++ ...void-null-pointer-crash-in-interrupt.patch | 34 +++++++ ...c-add-irq-check-in-meson_spicc_probe.patch | 37 ++++++++ 15 files changed, 693 insertions(+) create mode 100644 queue-4.14/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch create mode 100644 queue-4.14/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch create mode 100644 queue-4.14/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch create mode 100644 queue-4.14/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch create mode 100644 queue-4.14/net-ieee802154-ca8210-stop-leaking-skb-s.patch create mode 100644 queue-4.14/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch create mode 100644 queue-4.14/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch create mode 100644 queue-4.14/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch create mode 100644 queue-4.14/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch create mode 100644 queue-4.14/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch create mode 100644 queue-4.14/selftests-futex-use-variable-make-instead-of-make.patch create mode 100644 queue-4.14/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch create mode 100644 queue-4.14/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch create mode 100644 queue-4.14/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch diff --git a/queue-4.14/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch b/queue-4.14/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch new file mode 100644 index 00000000000..7dc860885d2 --- /dev/null +++ b/queue-4.14/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch @@ -0,0 +1,48 @@ +From fb25621da5702c104ce0a48de5b174ced09e5b4e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 27 Jan 2022 13:13:34 +0000 +Subject: ASoC: fsl: Add missing error handling in pcm030_fabric_probe + +From: Miaoqian Lin + +commit fb25621da5702c104ce0a48de5b174ced09e5b4e upstream. + +Add the missing platform_device_put() and platform_device_del() +before return from pcm030_fabric_probe in the error handling case. + +Fixes: c912fa913446 ("ASoC: fsl: register the wm9712-codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220127131336.30214-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/pcm030-audio-fabric.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/sound/soc/fsl/pcm030-audio-fabric.c ++++ b/sound/soc/fsl/pcm030-audio-fabric.c +@@ -90,16 +90,21 @@ static int pcm030_fabric_probe(struct pl + dev_err(&op->dev, "platform_device_alloc() failed\n"); + + ret = platform_device_add(pdata->codec_device); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "platform_device_add() failed: %d\n", ret); ++ platform_device_put(pdata->codec_device); ++ } + + ret = snd_soc_register_card(card); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret); ++ platform_device_del(pdata->codec_device); ++ platform_device_put(pdata->codec_device); ++ } + + platform_set_drvdata(op, pdata); +- + return ret; ++ + } + + static int pcm030_fabric_remove(struct platform_device *op) diff --git a/queue-4.14/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch b/queue-4.14/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch new file mode 100644 index 00000000000..f2c80a7cd6b --- /dev/null +++ b/queue-4.14/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch @@ -0,0 +1,44 @@ +From 90a3d22ff02b196d5884e111f39271a1d4ee8e3e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 24 Jan 2022 15:24:09 +0300 +Subject: drm/i915/overlay: Prevent divide by zero bugs in scaling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit 90a3d22ff02b196d5884e111f39271a1d4ee8e3e upstream. + +Smatch detected a divide by zero bug in check_overlay_scaling(). + + drivers/gpu/drm/i915/display/intel_overlay.c:976 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_height'. + drivers/gpu/drm/i915/display/intel_overlay.c:980 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_width'. + +Prevent this by ensuring that the dst height and width are non-zero. + +Fixes: 02e792fbaadb ("drm/i915: implement drmmode overlay support v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220124122409.GA31673@kili +(cherry picked from commit cf5b64f7f10b28bebb9b7c9d25e7aee5cbe43918) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_overlay.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_overlay.c ++++ b/drivers/gpu/drm/i915/intel_overlay.c +@@ -965,6 +965,9 @@ static int check_overlay_dst(struct inte + const struct intel_crtc_state *pipe_config = + overlay->crtc->config; + ++ if (rec->dst_height == 0 || rec->dst_width == 0) ++ return -EINVAL; ++ + if (rec->dst_x < pipe_config->pipe_src_w && + rec->dst_x + rec->dst_width <= pipe_config->pipe_src_w && + rec->dst_y < pipe_config->pipe_src_h && diff --git a/queue-4.14/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch b/queue-4.14/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch new file mode 100644 index 00000000000..8d77bb7f05e --- /dev/null +++ b/queue-4.14/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch @@ -0,0 +1,45 @@ +From 9b45a7738eec52bf0f5d8d3d54e822962781c5f2 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 4 Feb 2022 12:55:37 +0100 +Subject: iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() + +From: Joerg Roedel + +commit 9b45a7738eec52bf0f5d8d3d54e822962781c5f2 upstream. + +The polling loop for the register change in iommu_ga_log_enable() needs +to have a udelay() in it. Otherwise the CPU might be faster than the +IOMMU hardware and wrongly trigger the WARN_ON() further down the code +stream. Use a 10us for udelay(), has there is some hardware where +activation of the GA log can take more than a 100ms. + +A future optimization should move the activation check of the GA log +to the point where it gets used for the first time. But that is a +bigger change and not suitable for a fix. + +Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log") +Signed-off-by: Joerg Roedel +Link: https://lore.kernel.org/r/20220204115537.3894-1-joro@8bytes.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -770,6 +771,7 @@ static int iommu_ga_log_enable(struct am + status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); + if (status & (MMIO_STATUS_GALOG_RUN_MASK)) + break; ++ udelay(10); + } + + if (i >= LOOP_TIMEOUT) diff --git a/queue-4.14/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch b/queue-4.14/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch new file mode 100644 index 00000000000..2a7dc0b4ade --- /dev/null +++ b/queue-4.14/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch @@ -0,0 +1,69 @@ +From 99e675d473eb8cf2deac1376a0f840222fc1adcf Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Fri, 28 Jan 2022 11:10:02 +0800 +Subject: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() + +From: Guoqing Jiang + +commit 99e675d473eb8cf2deac1376a0f840222fc1adcf upstream. + +After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node +unconditionally allocated"). For tear down scenario, fn is only freed +after fail to allocate ir_domain, though it also should be freed in case +dmar_enable_qi returns error. + +Besides free fn, irq_domain and ir_msi_domain need to be removed as well +if intel_setup_irq_remapping fails to enable queued invalidation. + +Improve the rewinding path by add out_free_ir_domain and out_free_fwnode +lables per Baolu's suggestion. + +Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated") +Suggested-by: Lu Baolu +Signed-off-by: Guoqing Jiang +Link: https://lore.kernel.org/r/20220119063640.16864-1-guoqing.jiang@linux.dev +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20220128031002.2219155-3-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel_irq_remapping.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -543,9 +543,8 @@ static int intel_setup_irq_remapping(str + fn, &intel_ir_domain_ops, + iommu); + if (!iommu->ir_domain) { +- irq_domain_free_fwnode(fn); + pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id); +- goto out_free_bitmap; ++ goto out_free_fwnode; + } + iommu->ir_msi_domain = + arch_create_remap_msi_irq_domain(iommu->ir_domain, +@@ -569,7 +568,7 @@ static int intel_setup_irq_remapping(str + + if (dmar_enable_qi(iommu)) { + pr_err("Failed to enable queued invalidation\n"); +- goto out_free_bitmap; ++ goto out_free_ir_domain; + } + } + +@@ -593,6 +592,14 @@ static int intel_setup_irq_remapping(str + + return 0; + ++out_free_ir_domain: ++ if (iommu->ir_msi_domain) ++ irq_domain_remove(iommu->ir_msi_domain); ++ iommu->ir_msi_domain = NULL; ++ irq_domain_remove(iommu->ir_domain); ++ iommu->ir_domain = NULL; ++out_free_fwnode: ++ irq_domain_free_fwnode(fn); + out_free_bitmap: + kfree(bitmap); + out_free_pages: diff --git a/queue-4.14/net-ieee802154-ca8210-stop-leaking-skb-s.patch b/queue-4.14/net-ieee802154-ca8210-stop-leaking-skb-s.patch new file mode 100644 index 00000000000..68737ed1d7d --- /dev/null +++ b/queue-4.14/net-ieee802154-ca8210-stop-leaking-skb-s.patch @@ -0,0 +1,35 @@ +From 621b24b09eb61c63f262da0c9c5f0e93348897e5 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:24 +0100 +Subject: net: ieee802154: ca8210: Stop leaking skb's + +From: Miquel Raynal + +commit 621b24b09eb61c63f262da0c9c5f0e93348897e5 upstream. + +Upon error the ieee802154_xmit_complete() helper is not called. Only +ieee802154_wake_queue() is called manually. We then leak the skb +structure. + +Free the skb structure upon error before returning. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-5-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -1770,6 +1770,7 @@ static int ca8210_async_xmit_complete( + status + ); + if (status != MAC_TRANSACTION_OVERFLOW) { ++ dev_kfree_skb_any(priv->tx_skb); + ieee802154_wake_queue(priv->hw); + return 0; + } diff --git a/queue-4.14/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch b/queue-4.14/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch new file mode 100644 index 00000000000..30bdc88b92f --- /dev/null +++ b/queue-4.14/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch @@ -0,0 +1,61 @@ +From 79c37ca73a6e9a33f7b2b7783ba6af07a448c8a9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:25 +0100 +Subject: net: ieee802154: Return meaningful error codes from the netlink helpers + +From: Miquel Raynal + +commit 79c37ca73a6e9a33f7b2b7783ba6af07a448c8a9 upstream. + +Returning -1 does not indicate anything useful. + +Use a standard and meaningful error code instead. + +Fixes: a26c5fd7622d ("nl802154: add support for security layer") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-6-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1459,7 +1459,7 @@ static int nl802154_send_key(struct sk_b + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -1650,7 +1650,7 @@ static int nl802154_send_device(struct s + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -1828,7 +1828,7 @@ static int nl802154_send_devkey(struct s + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -2005,7 +2005,7 @@ static int nl802154_send_seclevel(struct + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; diff --git a/queue-4.14/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch b/queue-4.14/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch new file mode 100644 index 00000000000..e36fec2fb3f --- /dev/null +++ b/queue-4.14/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch @@ -0,0 +1,47 @@ +From d0cfa548dbde354de986911d3913897b5448faad Mon Sep 17 00:00:00 2001 +From: Lior Nahmanson +Date: Sun, 30 Jan 2022 13:37:52 +0200 +Subject: net: macsec: Verify that send_sci is on when setting Tx sci explicitly + +From: Lior Nahmanson + +commit d0cfa548dbde354de986911d3913897b5448faad upstream. + +When setting Tx sci explicit, the Rx side is expected to use this +sci and not recalculate it from the packet.However, in case of Tx sci +is explicit and send_sci is off, the receiver is wrongly recalculate +the sci from the source MAC address which most likely be different +than the explicit sci. + +Fix by preventing such configuration when macsec newlink is established +and return EINVAL error code on such cases. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Lior Nahmanson +Reviewed-by: Raed Salem +Signed-off-by: Raed Salem +Link: https://lore.kernel.org/r/1643542672-29403-1-git-send-email-raeds@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3230,6 +3230,15 @@ static int macsec_newlink(struct net *ne + + macsec->real_dev = real_dev; + ++ /* send_sci must be set to true when transmit sci explicitly is set */ ++ if ((data && data[IFLA_MACSEC_SCI]) && ++ (data && data[IFLA_MACSEC_INC_SCI])) { ++ u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); ++ ++ if (!send_sci) ++ return -EINVAL; ++ } ++ + if (data && data[IFLA_MACSEC_ICV_LEN]) + icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); + mtu = real_dev->mtu - icv_len - macsec_extra_len(true); diff --git a/queue-4.14/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch b/queue-4.14/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch new file mode 100644 index 00000000000..14628ee4b5d --- /dev/null +++ b/queue-4.14/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch @@ -0,0 +1,45 @@ +From ab451ea952fe9d7afefae55ddb28943a148247fe Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Wed, 26 Jan 2022 13:13:38 -0800 +Subject: nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client. + +From: Dai Ngo + +commit ab451ea952fe9d7afefae55ddb28943a148247fe upstream. + +From RFC 7530 Section 16.34.5: + +o The server has not recorded an unconfirmed { v, x, c, *, * } and + has recorded a confirmed { v, x, c, *, s }. If the principals of + the record and of SETCLIENTID_CONFIRM do not match, the server + returns NFS4ERR_CLID_INUSE without removing any relevant leased + client state, and without changing recorded callback and + callback_ident values for client { x }. + +The current code intends to do what the spec describes above but +it forgot to set 'old' to NULL resulting to the confirmed client +to be expired. + +Fixes: 2b63482185e6 ("nfsd: fix clid_inuse on mount with security change") +Signed-off-by: Dai Ngo +Signed-off-by: Chuck Lever +Reviewed-by: Bruce Fields +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3423,8 +3423,10 @@ nfsd4_setclientid_confirm(struct svc_rqs + status = nfserr_clid_inuse; + if (client_has_state(old) + && !same_creds(&unconf->cl_cred, +- &old->cl_cred)) ++ &old->cl_cred)) { ++ old = NULL; + goto out; ++ } + status = mark_client_expired_locked(old); + if (status) { + old = NULL; diff --git a/queue-4.14/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch b/queue-4.14/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch new file mode 100644 index 00000000000..11b76fdac9a --- /dev/null +++ b/queue-4.14/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch @@ -0,0 +1,40 @@ +From f3136c4ce7acf64bee43135971ca52a880572e32 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Mon, 31 Jan 2022 11:45:26 +0200 +Subject: RDMA/mlx4: Don't continue event handler after memory allocation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +commit f3136c4ce7acf64bee43135971ca52a880572e32 upstream. + +The failure to allocate memory during MLX4_DEV_EVENT_PORT_MGMT_CHANGE +event handler will cause skip the assignment logic, but +ib_dispatch_event() will be called anyway. + +Fix it by calling to return instead of break after memory allocation +failure. + +Fixes: 00f5ce99dc6e ("mlx4: Use port management change event instead of smp_snoop") +Link: https://lore.kernel.org/r/12a0e83f18cfad4b5f62654f141e240d04915e10.1643622264.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Reviewed-by: Håkon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -3346,7 +3346,7 @@ static void mlx4_ib_event(struct mlx4_de + case MLX4_DEV_EVENT_PORT_MGMT_CHANGE: + ew = kmalloc(sizeof *ew, GFP_ATOMIC); + if (!ew) +- break; ++ return; + + INIT_WORK(&ew->work, handle_port_mgmt_change_event); + memcpy(&ew->ib_eqe, eqe, sizeof *eqe); diff --git a/queue-4.14/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch b/queue-4.14/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch new file mode 100644 index 00000000000..d419fcafff8 --- /dev/null +++ b/queue-4.14/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch @@ -0,0 +1,92 @@ +From 936bd03405fc83ba039d42bc93ffd4b88418f1d3 Mon Sep 17 00:00:00 2001 +From: John Meneghini +Date: Mon, 24 Jan 2022 09:51:10 -0500 +Subject: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe + +From: John Meneghini + +commit 936bd03405fc83ba039d42bc93ffd4b88418f1d3 upstream. + +Running tests with a debug kernel shows that bnx2fc_recv_frame() is +modifying the per_cpu lport stats counters in a non-mpsafe way. Just boot +a debug kernel and run the bnx2fc driver with the hardware enabled. + +[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_ +[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] +[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B +[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 +[ 1391.699183] Call Trace: +[ 1391.699188] dump_stack_lvl+0x57/0x7d +[ 1391.699198] check_preemption_disabled+0xc8/0xd0 +[ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] +[ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 +[ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] +[ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] +[ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] +[ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] +[ 1391.699258] kthread+0x364/0x420 +[ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 +[ 1391.699268] ? set_kthread_struct+0x100/0x100 +[ 1391.699273] ret_from_fork+0x22/0x30 + +Restore the old get_cpu/put_cpu code with some modifications to reduce the +size of the critical section. + +Link: https://lore.kernel.org/r/20220124145110.442335-1-jmeneghi@redhat.com +Fixes: d576a5e80cd0 ("bnx2fc: Improve stats update mechanism") +Tested-by: Guangwu Zhang +Acked-by: Saurav Kashyap +Signed-off-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -515,7 +515,8 @@ static int bnx2fc_l2_rcv_thread(void *ar + + static void bnx2fc_recv_frame(struct sk_buff *skb) + { +- u32 fr_len; ++ u64 crc_err; ++ u32 fr_len, fr_crc; + struct fc_lport *lport; + struct fcoe_rcv_info *fr; + struct fc_stats *stats; +@@ -549,6 +550,11 @@ static void bnx2fc_recv_frame(struct sk_ + skb_pull(skb, sizeof(struct fcoe_hdr)); + fr_len = skb->len - sizeof(struct fcoe_crc_eof); + ++ stats = per_cpu_ptr(lport->stats, get_cpu()); ++ stats->RxFrames++; ++ stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; ++ put_cpu(); ++ + fp = (struct fc_frame *)skb; + fc_frame_init(fp); + fr_dev(fp) = lport; +@@ -631,16 +637,15 @@ static void bnx2fc_recv_frame(struct sk_ + return; + } + +- stats = per_cpu_ptr(lport->stats, smp_processor_id()); +- stats->RxFrames++; +- stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; ++ fr_crc = le32_to_cpu(fr_crc(fp)); + +- if (le32_to_cpu(fr_crc(fp)) != +- ~crc32(~0, skb->data, fr_len)) { +- if (stats->InvalidCRCCount < 5) ++ if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) { ++ stats = per_cpu_ptr(lport->stats, get_cpu()); ++ crc_err = (stats->InvalidCRCCount++); ++ put_cpu(); ++ if (crc_err < 5) + printk(KERN_WARNING PFX "dropping frame with " + "CRC error\n"); +- stats->InvalidCRCCount++; + kfree_skb(skb); + return; + } diff --git a/queue-4.14/selftests-futex-use-variable-make-instead-of-make.patch b/queue-4.14/selftests-futex-use-variable-make-instead-of-make.patch new file mode 100644 index 00000000000..4dfeabb2319 --- /dev/null +++ b/queue-4.14/selftests-futex-use-variable-make-instead-of-make.patch @@ -0,0 +1,46 @@ +From b9199181a9ef8252e47e207be8c23e1f50662620 Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Thu, 27 Jan 2022 22:44:46 +0500 +Subject: selftests: futex: Use variable MAKE instead of make +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Muhammad Usama Anjum + +commit b9199181a9ef8252e47e207be8c23e1f50662620 upstream. + +Recursive make commands should always use the variable MAKE, not the +explicit command name ‘make’. This has benefits and removes the +following warning when multiple jobs are used for the build: + +make[2]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule. + +Fixes: a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT") +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: André Almeida +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/futex/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/futex/Makefile ++++ b/tools/testing/selftests/futex/Makefile +@@ -11,7 +11,7 @@ all: + @for DIR in $(SUBDIRS); do \ + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ + if [ -e $$DIR/$(TEST_PROGS) ]; then \ + rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; \ + fi \ +@@ -40,6 +40,6 @@ override define CLEAN + @for DIR in $(SUBDIRS); do \ + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ + done + endef diff --git a/queue-4.14/series b/queue-4.14/series index 9232690a9b5..6ed821a7d13 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -49,3 +49,17 @@ asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch +rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch +iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch +iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch +spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch +spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch +spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch +net-ieee802154-ca8210-stop-leaking-skb-s.patch +net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch +net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch +drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch +asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch +scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch +nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch +selftests-futex-use-variable-make-instead-of-make.patch diff --git a/queue-4.14/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch b/queue-4.14/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch new file mode 100644 index 00000000000..bf12bc1f698 --- /dev/null +++ b/queue-4.14/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch @@ -0,0 +1,36 @@ +From 2cbd27267ffe020af1442b95ec57f59a157ba85c Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 27 Jan 2022 13:53:59 -0500 +Subject: spi: bcm-qspi: check for valid cs before applying chip select + +From: Kamal Dasu + +commit 2cbd27267ffe020af1442b95ec57f59a157ba85c upstream. + +Apply only valid chip select value. This change fixes case where chip +select is set to initial value of '-1' during probe and PM supend and +subsequent resume can try to use the value with undefined behaviour. +Also in case where gpio based chip select, the check in +bcm_qspi_chip_select() shall prevent undefined behaviour on resume. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Kamal Dasu +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220127185359.27322-1-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -522,7 +522,7 @@ static void bcm_qspi_chip_select(struct + u32 rd = 0; + u32 wr = 0; + +- if (qspi->base[CHIP_SELECT]) { ++ if (cs >= 0 && qspi->base[CHIP_SELECT]) { + rd = bcm_qspi_read(qspi, CHIP_SELECT, 0); + wr = (rd & ~0xff) | (1 << cs); + if (rd == wr) diff --git a/queue-4.14/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch b/queue-4.14/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch new file mode 100644 index 00000000000..7ebaca557f6 --- /dev/null +++ b/queue-4.14/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch @@ -0,0 +1,34 @@ +From f83a96e5f033fbbd21764705cb9c04234b96218e Mon Sep 17 00:00:00 2001 +From: Benjamin Gaignard +Date: Mon, 31 Jan 2022 15:17:08 +0100 +Subject: spi: mediatek: Avoid NULL pointer crash in interrupt + +From: Benjamin Gaignard + +commit f83a96e5f033fbbd21764705cb9c04234b96218e upstream. + +In some case, like after a transfer timeout, master->cur_msg pointer +is NULL which led to a kernel crash when trying to use master->cur_msg->spi. +mtk_spi_can_dma(), pointed by master->can_dma, doesn't use this parameter +avoid the problem by setting NULL as second parameter. + +Fixes: a568231f46322 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Benjamin Gaignard +Link: https://lore.kernel.org/r/20220131141708.888710-1-benjamin.gaignard@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -498,7 +498,7 @@ static irqreturn_t mtk_spi_interrupt(int + else + mdata->state = MTK_SPI_IDLE; + +- if (!master->can_dma(master, master->cur_msg->spi, trans)) { ++ if (!master->can_dma(master, NULL, trans)) { + if (trans->rx_buf) { + cnt = mdata->xfer_len / 4; + ioread32_rep(mdata->base + SPI_RX_DATA_REG, diff --git a/queue-4.14/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch b/queue-4.14/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch new file mode 100644 index 00000000000..69784526bb7 --- /dev/null +++ b/queue-4.14/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch @@ -0,0 +1,37 @@ +From e937440f7fc444a3e3f1fb75ea65292d6f433a44 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 26 Jan 2022 11:04:47 +0000 +Subject: spi: meson-spicc: add IRQ check in meson_spicc_probe + +From: Miaoqian Lin + +commit e937440f7fc444a3e3f1fb75ea65292d6f433a44 upstream. + +This check misses checking for platform_get_irq()'s call and may passes +the negative error codes to devm_request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. +Stop calling devm_request_irq() with invalid IRQ #s. + +Fixes: 454fa271bc4e ("spi: Add Meson SPICC driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220126110447.24549-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-meson-spicc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/spi/spi-meson-spicc.c ++++ b/drivers/spi/spi-meson-spicc.c +@@ -529,6 +529,11 @@ static int meson_spicc_probe(struct plat + writel_relaxed(0, spicc->base + SPICC_INTREG); + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto out_master; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, meson_spicc_irq, + 0, NULL, spicc); + if (ret) { -- 2.47.3