--- /dev/null
+From 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 5 Nov 2018 09:52:48 +0100
+Subject: 9p/net: put a lower bound on msize
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.
+
+If the requested msize is too small (either from command line argument
+or from the server version reply), we won't get any work done.
+If it's *really* too small, nothing will work, and this got caught by
+syzbot recently (on a new kmem_cache_create_usercopy() call)
+
+Just set a minimum msize to 4k in both code paths, until someone
+complains they have a use-case for a smaller msize.
+
+We need to check in both mount option and server reply individually
+because the msize for the first version request would be unchecked
+with just a global check on clnt->msize.
+
+Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
+Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -181,6 +181,12 @@ static int parse_opts(char *opts, struct
+ ret = r;
+ continue;
+ }
++ if (option < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "msize should be at least 4k\n");
++ ret = -EINVAL;
++ continue;
++ }
+ clnt->msize = option;
+ break;
+ case Opt_trans:
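Review bot: The literal `4096` in the new `if (option < 4096)` check is repeated in the two later hunks of this patch (`msize < 4096` in p9_client_version and `clnt->msize < 4096` in p9_client_create), each with its own wording of the limit in the log message. A single named constant, for example `#define P9_MIN_MSIZE 4096` (name constructed for this note), would keep the three bounds from drifting apart if the minimum is ever revisited, which the commit message anticipates. parse_opts starts and ends outside the hunk.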
+@@ -993,10 +999,18 @@ static int p9_client_version(struct p9_c
+ else if (!strncmp(version, "9P2000", 6))
+ c->proto_version = p9_proto_legacy;
+ else {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned an unknown version: %s\n", version);
+ err = -EREMOTEIO;
+ goto error;
+ }
+
++ if (msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned a msize < 4096: %d\n", msize);
++ err = -EREMOTEIO;
++ goto error;
++ }
+ if (msize < c->msize)
+ c->msize = msize;
+
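Review bot: The added `"server returned an unknown version: %s\n"` message prints `version` with an unbounded `%s`, and by the message's own wording that string comes from the server's reply, so the remote peer chooses the text written to the log at P9_DEBUG_ERROR level. Where `version` is read and how long it may be is outside the hunk, so this is hedged. If it is not already length-limited, a precision such as `%.32s` (bound chosen for this note) would cap what an untrusted server can put in the log.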
+@@ -1055,6 +1069,13 @@ struct p9_client *p9_client_create(const
+ if (clnt->msize > clnt->trans_mod->maxsize)
+ clnt->msize = clnt->trans_mod->maxsize;
+
++ if (clnt->msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "Please specify a msize of at least 4k\n");
++ err = -EINVAL;
++ goto free_client;
++ }
++
+ err = p9_client_version(clnt);
+ if (err)
+ goto close_trans;
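Review bot: The new `clnt->msize < 4096` failure path jumps to `free_client`, while the very next failure path, after `p9_client_version()`, jumps to `close_trans`. If the transport has already been created at this point, the new path skips its teardown and leaks it; the clamp against `clnt->trans_mod->maxsize` just above suggests so, but the create call and the labels are outside the hunk. `goto close_trans;` would match the neighbouring path. The message `"Please specify a msize of at least 4k\n"` is also misleading when the value dropped below 4096 only because of the clamp to the transport's maxsize; wording that names the transport limit would point the user at the real cause.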
--- /dev/null
+From 0e76df5c978338f3051e5126fc0c4245c57a307a Mon Sep 17 00:00:00 2001
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+Date: Thu, 6 Dec 2018 15:53:15 +0200
+Subject: iio: dac: ad5686: fix bit shift read register
+
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+
+commit 0e76df5c978338f3051e5126fc0c4245c57a307a upstream.
+
+This patch solves the register readback issue with the bit shift. When the
+dac resolution was lower than the register size (ex. 12 bits out of 16
+bits) the readback value was not shifted with the difference in bits and
+the value was higher. Also a mask is applied on the read value in order to
+get the value relative to the actual bit size.
+
+Fixes: 0357e488b8 ("iio:dac:ad5686: Refactor the driver")
+Signed-off-by: Mircea Caprioru <mircea.caprioru@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5686.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -124,7 +124,8 @@ static int ad5686_read_raw(struct iio_de
+ mutex_unlock(&indio_dev->mlock);
+ if (ret < 0)
+ return ret;
+- *val = ret;
++ *val = (ret >> chan->scan_type.shift) &
++ GENMASK(chan->scan_type.realbits - 1, 0);
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_SCALE:
+ *val = st->vref_mv;
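Review bot: The new `*val` expression has no comment explaining why the readback needs both a shift and a mask, so that reasoning lives only in the commit message. A short comment above it, such as `/* readback is register-wide: drop the alignment bits, keep realbits */`, would keep a later cleanup from dropping the mask. `GENMASK(chan->scan_type.realbits - 1, 0)` also assumes `realbits` is at least 1 for every channel spec; those tables are outside the hunk, so that is worth confirming. ad5686_read_raw continues outside the hunk.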
--- /dev/null
+From ed041919f0d23c109d52cde8da6ddc211c52d67e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 17 Dec 2018 13:20:40 -0800
+Subject: RDMA/srpt: Fix a use-after-free in the channel release code
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ed041919f0d23c109d52cde8da6ddc211c52d67e upstream.
+
+This patch avoids that KASAN sporadically reports the following:
+
+BUG: KASAN: use-after-free in rxe_run_task+0x1e/0x60 [rdma_rxe]
+Read of size 1 at addr ffff88801c50d8f4 by task check/24830
+
+CPU: 4 PID: 24830 Comm: check Not tainted 4.20.0-rc6-dbg+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+Call Trace:
+ dump_stack+0x86/0xca
+ print_address_description+0x71/0x239
+ kasan_report.cold.5+0x242/0x301
+ __asan_load1+0x47/0x50
+ rxe_run_task+0x1e/0x60 [rdma_rxe]
+ rxe_post_send+0x4bd/0x8d0 [rdma_rxe]
+ srpt_zerolength_write+0xe1/0x160 [ib_srpt]
+ srpt_close_ch+0x8b/0xe0 [ib_srpt]
+ srpt_set_enabled+0xe7/0x150 [ib_srpt]
+ srpt_tpg_enable_store+0xc0/0x100 [ib_srpt]
+ configfs_write_file+0x157/0x1d0
+ __vfs_write+0xd7/0x3d0
+ vfs_write+0x102/0x290
+ ksys_write+0xab/0x130
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x71/0x210
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Allocated by task 13856:
+ save_stack+0x43/0xd0
+ kasan_kmalloc+0xc7/0xe0
+ kasan_slab_alloc+0x11/0x20
+ kmem_cache_alloc+0x105/0x320
+ rxe_alloc+0xff/0x1f0 [rdma_rxe]
+ rxe_create_qp+0x9f/0x160 [rdma_rxe]
+ ib_create_qp+0xf5/0x690 [ib_core]
+ rdma_create_qp+0x6a/0x140 [rdma_cm]
+ srpt_cm_req_recv.cold.59+0x1588/0x237b [ib_srpt]
+ srpt_rdma_cm_req_recv.isra.35+0x1d5/0x220 [ib_srpt]
+ srpt_rdma_cm_handler+0x6f/0x100 [ib_srpt]
+ cma_listen_handler+0x59/0x60 [rdma_cm]
+ cma_ib_req_handler+0xd5b/0x2570 [rdma_cm]
+ cm_process_work+0x2e/0x110 [ib_cm]
+ cm_work_handler+0x2aae/0x502b [ib_cm]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Freed by task 3440:
+ save_stack+0x43/0xd0
+ __kasan_slab_free+0x139/0x190
+ kasan_slab_free+0xe/0x10
+ kmem_cache_free+0xbc/0x330
+ rxe_elem_release+0x66/0xe0 [rdma_rxe]
+ rxe_destroy_qp+0x3f/0x50 [rdma_rxe]
+ ib_destroy_qp+0x140/0x360 [ib_core]
+ srpt_release_channel_work+0xdc/0x310 [ib_srpt]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Cc: Sergey Gorenko <sergeygo@mellanox.com>
+Cc: Max Gurtovoy <maxg@mellanox.com>
+Cc: Laurence Oberman <loberman@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2009,6 +2009,14 @@ static void srpt_free_ch(struct kref *kr
+ kfree_rcu(ch, rcu);
+ }
+
++/*
++ * Shut down the SCSI target session, tell the connection manager to
++ * disconnect the associated RDMA channel, transition the QP to the error
++ * state and remove the channel from the channel list. This function is
++ * typically called from inside srpt_zerolength_write_done(). Concurrent
++ * srpt_zerolength_write() calls from inside srpt_close_ch() are possible
++ * as long as the channel is on sport->nexus_list.
++ */
+ static void srpt_release_channel_work(struct work_struct *w)
+ {
+ struct srpt_rdma_ch *ch;
+@@ -2036,6 +2044,11 @@ static void srpt_release_channel_work(st
+ else
+ ib_destroy_cm_id(ch->ib_cm.cm_id);
+
++ sport = ch->sport;
++ mutex_lock(&sport->mutex);
++ list_del_rcu(&ch->list);
++ mutex_unlock(&sport->mutex);
++
+ srpt_destroy_ch_ib(ch);
+
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
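Review bot: The moved block unlinks the channel with `list_del_rcu(&ch->list)` and then calls `srpt_destroy_ch_ib(ch)` straight away, with no RCU grace period in between. The fix therefore holds only if every walker that can reach srpt_close_ch() holds `sport->mutex`. Those walkers are outside the hunk, so this needs confirming; a reader traversing under RCU alone could still hold `ch` while the QP is freed, which per the KASAN trace in the commit message happens in this function. A comment at the moved lines would record the invariant, for example `/* unlink under sport->mutex before destroying the QP so srpt_close_ch() cannot post to a freed QP */`. srpt_release_channel_work begins and ends outside this hunk.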
+@@ -2046,11 +2059,6 @@ static void srpt_release_channel_work(st
+ sdev, ch->rq_size,
+ srp_max_req_size, DMA_FROM_DEVICE);
+
+- sport = ch->sport;
+- mutex_lock(&sport->mutex);
+- list_del_rcu(&ch->list);
+- mutex_unlock(&sport->mutex);
+-
+ wake_up(&sport->ch_releaseQ);
+
+ kref_put(&ch->kref, srpt_free_ch);
--- /dev/null
+From e48d8ed9c6193502d849b35767fd18e20bbd7ba2 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Thu, 25 Oct 2018 12:40:57 -0700
+Subject: rxe: fix error completion wr_id and qp_num
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit e48d8ed9c6193502d849b35767fd18e20bbd7ba2 upstream.
+
+Error completions must still contain a valid wr_id and
+qp_num such that the consumer can rely on. Correctly
+fill these fields in receive error completions.
+
+Reported-by: Walker Benjamin <benjamin.walker@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Tested-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -844,11 +844,16 @@ static enum resp_states do_complete(stru
+
+ memset(&cqe, 0, sizeof(cqe));
+
+- wc->wr_id = wqe->wr_id;
+- wc->status = qp->resp.status;
+- wc->qp = &qp->ibqp;
++ if (qp->rcq->is_user) {
++ uwc->status = qp->resp.status;
++ uwc->qp_num = qp->ibqp.qp_num;
++ uwc->wr_id = wqe->wr_id;
++ } else {
++ wc->status = qp->resp.status;
++ wc->qp = &qp->ibqp;
++ wc->wr_id = wqe->wr_id;
++ }
+
+- /* fields after status are not required for errors */
+ if (wc->status == IB_WC_SUCCESS) {
+ wc->opcode = (pkt->mask & RXE_IMMDT_MASK &&
+ pkt->mask & RXE_WRITE_MASK) ?
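Review bot: When `qp->rcq->is_user` is true only `uwc` is filled in, yet the unchanged test right after the new block still reads `wc->status`. That works only if `wc` and `uwc` alias the same storage with `status` at the same offset in both layouts; their declarations are outside the hunk, so the aliasing is inferred. Testing the source value instead, `if (qp->resp.status == IB_WC_SUCCESS) {`, removes the dependency on the two structure layouts staying in step. do_complete starts and ends outside the hunk.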
leds-pwm-silently-error-out-on-eprobe_defer.patch
revert-powerpc-tm-unset-msr-if-not-recheckpointing.patch
powerpc-tm-set-msr-just-prior-to-recheckpoint.patch
+iio-dac-ad5686-fix-bit-shift-read-register.patch
+9p-net-put-a-lower-bound-on-msize.patch
+rxe-fix-error-completion-wr_id-and-qp_num.patch
+rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch