From: Greg Kroah-Hartman Date: Fri, 11 Jan 2019 10:05:43 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v4.20.2~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0797acd12a3d64c0ce979d76b06649517440735a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: 9p-net-put-a-lower-bound-on-msize.patch iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch iio-dac-ad5686-fix-bit-shift-read-register.patch rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch rxe-fix-error-completion-wr_id-and-qp_num.patch stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch
---
diff --git a/queue-4.20/9p-net-put-a-lower-bound-on-msize.patch b/queue-4.20/9p-net-put-a-lower-bound-on-msize.patch
new file mode 100644
index 00000000000..77f67c72543
--- /dev/null
+++ b/queue-4.20/9p-net-put-a-lower-bound-on-msize.patch
@@ -0,0 +1,81 @@
+From 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Mon, 5 Nov 2018 09:52:48 +0100
+Subject: 9p/net: put a lower bound on msize
+
+From: Dominique Martinet
+
+commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.
+
+If the requested msize is too small (either from command line argument
+or from the server version reply), we won't get any work done.
+If it's *really* too small, nothing will work, and this got caught by
+syzbot recently (on a new kmem_cache_create_usercopy() call)
+
+Just set a minimum msize to 4k in both code paths, until someone
+complains they have a use-case for a smaller msize.
+
+We need to check in both mount option and server reply individually
+because the msize for the first version request would be unchecked
+with just a global check on clnt->msize.
+
+Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
+Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
+Signed-off-by: Dominique Martinet
+Cc: Eric Van Hensbergen
+Cc: Latchesar Ionkov
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/client.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -181,6 +181,12 @@ static int parse_opts(char *opts, struct
+ ret = r;
+ continue;
+ }
++ if (option < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "msize should be at least 4k\n");
++ ret = -EINVAL;
++ continue;
++ }
+ clnt->msize = option;
+ break;
+ case Opt_trans:
+@@ -983,10 +989,18 @@ static int p9_client_version(struct p9_c
+ else if (!strncmp(version, "9P2000", 6))
+ c->proto_version = p9_proto_legacy;
+ else {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned an unknown version: %s\n", version);
+ err = -EREMOTEIO;
+ goto error;
+ }
+
++ if (msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned a msize < 4096: %d\n", msize);
++ err = -EREMOTEIO;
++ goto error;
++ }
+ if (msize < c->msize)
+ c->msize = msize;
+
+@@ -1043,6 +1057,13 @@ struct p9_client *p9_client_create(const
+ if (clnt->msize > clnt->trans_mod->maxsize)
+ clnt->msize = clnt->trans_mod->maxsize;
+
++ if (clnt->msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "Please specify a msize of at least 4k\n");
++ err = -EINVAL;
++ goto free_client;
++ }
++
+ err = p9_client_version(clnt);
+ if (err)
+ goto close_trans;
diff --git a/queue-4.20/iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch b/queue-4.20/iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch
new file mode 100644
index 00000000000..f969856ee15
--- /dev/null
+++ b/queue-4.20/iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch
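Review bot: The 4096 floor is written as a bare literal in three places (parse_opts, p9_client_version and p9_client_create) and once more inside the "4k"/"4096" message strings, so a later change to the bound has four sites to miss; one named constant visible to both call sites, e.g. `#define P9_MIN_MSIZE 4096` (name constructed), used in all three comparisons would keep them in step. The p9_client_create check runs after clnt->msize has already been clamped to trans_mod->maxsize, so if a transport ever advertises a maxsize below 4096 the user is told "Please specify a msize of at least 4k" even though the mount option was fine; if that case is reachable the message should name the transport limit instead. All three enclosing functions start and end outside the hunk.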
@@ -0,0 +1,174 @@
+From db23d88756abd38e0995ea8449d0025b3de4b26b Mon Sep 17 00:00:00 2001
+From: Evan Green
+Date: Tue, 4 Dec 2018 11:14:19 -0800
+Subject: iio: adc: qcom-spmi-adc5: Initialize prescale properly
+
+From: Evan Green
+
+commit db23d88756abd38e0995ea8449d0025b3de4b26b upstream.
+
+adc5_get_dt_data uses a local, prop, feeds it to adc5_get_dt_channel_data,
+and then puts the result into adc->chan_props. The problem is
+adc5_get_dt_channel_data may not initialize that structure fully, so a
+garbage value is used for prescale if the optional "qcom,pre-scaling" is
+not defined in DT. adc5_read_raw then uses this as an array index,
+generating a crash that looks like this:
+
+[ 6.683186] Unable to handle kernel paging request at virtual address ffffff90e78c7964
+Call trace:
+qcom_vadc_scale_code_voltage_factor+0x74/0x104
+qcom_vadc_scale_hw_calib_die_temp+0x20/0x60
+qcom_adc5_hw_scale+0x78/0xa4
+adc5_read_raw+0x3d0/0x65c
+iio_channel_read+0x240/0x30c
+iio_read_channel_processed+0x10c/0x150
+qpnp_tm_get_temp+0xc0/0x40c
+of_thermal_get_temp+0x7c/0x98
+thermal_zone_get_temp+0xac/0xd8
+thermal_zone_device_update+0xc0/0x38c
+qpnp_tm_probe+0x624/0x81c
+platform_drv_probe+0xe4/0x11c
+really_probe+0x188/0x3fc
+driver_probe_device+0xb8/0x188
+__device_attach_driver+0x114/0x180
+bus_for_each_drv+0xd8/0x118
+__device_attach+0x180/0x27c
+device_initial_probe+0x20/0x2c
+bus_probe_device+0x78/0x124
+deferred_probe_work_func+0xfc/0x138
+process_one_work+0x3d8/0x8b0
+process_scheduled_works+0x48/0x6c
+worker_thread+0x488/0x7cc
+kthread+0x24c/0x264
+ret_from_fork+0x10/0x18
+
+Unfortunately, when I went to add the initializer for this and tried to
+boot it, my machine shut down immediately, complaining that it was
+hotter than the sun. It appears that adc5_chans_pmic and adc5_chans_rev2
+were initializing prescale_index as if it were directly a divisor,
+rather than the index into adc5_prescale_ratios that it is.
+
+Fix the uninitialized value, and change the static initialization to use
+indices into adc5_prescale_ratios.
+
+Signed-off-by: Evan Green
+Reviewed-by: Matthias Kaehlcke
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/qcom-spmi-adc5.c | 58 ++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 27 deletions(-)
+
+--- a/drivers/iio/adc/qcom-spmi-adc5.c
++++ b/drivers/iio/adc/qcom-spmi-adc5.c
+@@ -423,6 +423,7 @@ struct adc5_channels {
+ enum vadc_scale_fn_type scale_fn_type;
+ };
+
++/* In these definitions, _pre refers to an index into adc5_prescale_ratios. */
+ #define ADC5_CHAN(_dname, _type, _mask, _pre, _scale) \
+ { \
+ .datasheet_name = _dname, \
+@@ -443,63 +444,63 @@ struct adc5_channels {
+ _pre, _scale) \
+
+ static const struct adc5_channels adc5_chans_pmic[ADC5_MAX_CHANNEL] = {
+- [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 1,
++ [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 1,
++ [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 3,
++ [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 3,
++ [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 1,
++ [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 0,
+ SCALE_HW_CALIB_PMIC_THERM)
+- [ADC5_USB_IN_I] = ADC5_CHAN_VOLT("usb_in_i_uv", 1,
++ [ADC5_USB_IN_I] = ADC5_CHAN_VOLT("usb_in_i_uv", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_USB_IN_V_16] = ADC5_CHAN_VOLT("usb_in_v_div_16", 16,
++ [ADC5_USB_IN_V_16] = ADC5_CHAN_VOLT("usb_in_v_div_16", 8,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_CHG_TEMP] = ADC5_CHAN_TEMP("chg_temp", 1,
++ [ADC5_CHG_TEMP] = ADC5_CHAN_TEMP("chg_temp", 0,
+ SCALE_HW_CALIB_PM5_CHG_TEMP)
+ /* Charger prescales SBUx and MID_CHG to fit within 1.8V upper unit */
+- [ADC5_SBUx] = ADC5_CHAN_VOLT("chg_sbux", 3,
++ [ADC5_SBUx] = ADC5_CHAN_VOLT("chg_sbux", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_MID_CHG_DIV6] = ADC5_CHAN_VOLT("chg_mid_chg", 6,
++ [ADC5_MID_CHG_DIV6] = ADC5_CHAN_VOLT("chg_mid_chg", 3,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm", 1,
++ [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm", 0,
+ SCALE_HW_CALIB_XOTHERM)
+- [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
++ [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
++ [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
++ [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2] = ADC5_CHAN_TEMP("amux_thm2", 1,
++ [ADC5_AMUX_THM2] = ADC5_CHAN_TEMP("amux_thm2", 0,
+ SCALE_HW_CALIB_PM5_SMB_TEMP)
+ };
+
+ static const struct adc5_channels adc5_chans_rev2[ADC5_MAX_CHANNEL] = {
+- [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 1,
++ [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 1,
++ [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 3,
++ [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 3,
++ [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VCOIN] = ADC5_CHAN_VOLT("vcoin", 3,
++ [ADC5_VCOIN] = ADC5_CHAN_VOLT("vcoin", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 1,
++ [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 0,
+ SCALE_HW_CALIB_PMIC_THERM)
+- [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
++ [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
++ [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
++ [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 1,
++ [ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 1,
++ [ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm_100k_pu", 1,
++ [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+ };
+
+@@ -558,6 +559,9 @@ static int adc5_get_dt_channel_data(stru
+ return ret;
+ }
+ prop->prescale = ret;
++ } else {
++ prop->prescale =
++ adc->data->adc_chans[prop->channel].prescale_index;
+ }
+
+ ret = of_property_read_u32(node, "qcom,hw-settle-time", &value);
diff --git a/queue-4.20/iio-dac-ad5686-fix-bit-shift-read-register.patch b/queue-4.20/iio-dac-ad5686-fix-bit-shift-read-register.patch
new file mode 100644
index 00000000000..a30f9fe8abb
--- /dev/null
+++ b/queue-4.20/iio-dac-ad5686-fix-bit-shift-read-register.patch
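Review bot: The new else branch indexes `adc->data->adc_chans[prop->channel]`, but nothing in the hunk shows prop->channel being range-checked against the table before this point; if that check lives earlier in adc5_get_dt_channel_data (outside the hunk) a short comment here, `/* prop->channel was validated above */`, would make the dependency visible, and if it does not, the bound should be checked before the lookup. In the two tables the prescale argument is now an opaque index (0, 1, 3, 8) whose meaning is only recoverable by diffing against the removed divisors (1, 3, 6, 16); a comment next to the ADC5_CHAN macro listing which index maps to which ratio, or named constants for the indices, would keep the divisor/index confusion the commit message describes from recurring. adc5_get_dt_channel_data starts and ends outside the hunk.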
@@ -0,0 +1,37 @@
+From 0e76df5c978338f3051e5126fc0c4245c57a307a Mon Sep 17 00:00:00 2001
+From: Mircea Caprioru
+Date: Thu, 6 Dec 2018 15:53:15 +0200
+Subject: iio: dac: ad5686: fix bit shift read register
+
+From: Mircea Caprioru
+
+commit 0e76df5c978338f3051e5126fc0c4245c57a307a upstream.
+
+This patch solves the register readback issue with the bit shift. When the
+dac resolution was lower than the register size (ex. 12 bits out of 16
+bits) the readback value was not shifted with the difference in bits and
+the value was higher. Also a mask is applied on the read value in order to
+get the value relative to the actual bit size.
+
+Fixes: 0357e488b8 ("iio:dac:ad5686: Refactor the driver")
+Signed-off-by: Mircea Caprioru
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/dac/ad5686.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -124,7 +124,8 @@ static int ad5686_read_raw(struct iio_de
+ mutex_unlock(&indio_dev->mlock);
+ if (ret < 0)
+ return ret;
+- *val = ret;
++ *val = (ret >> chan->scan_type.shift) &
++ GENMASK(chan->scan_type.realbits - 1, 0);
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_SCALE:
+ *val = st->vref_mv;
diff --git a/queue-4.20/rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch b/queue-4.20/rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch
new file mode 100644
index 00000000000..9be596a5a94
--- /dev/null
+++ b/queue-4.20/rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch
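Review bot: The new readback expression depends on scan_type.shift and scan_type.realbits being filled in consistently for every channel of every supported part, and nothing at the site says why both a shift and a mask are applied; a one-line comment above the assignment, `/* the DAC word sits shift bits up in the register: drop those, then keep realbits */`, would record the intent the commit message explains and tell a reader where to look if a new chip variant reads back wrong. ad5686_read_raw starts and ends outside the hunk.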
@@ -0,0 +1,60 @@
+From d53ec8af56d5163f8a42e961ece3aeb5c560e79d Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Thu, 20 Dec 2018 14:00:11 -0800
+Subject: RDMA/iwcm: Don't copy past the end of dev_name() string
+
+From: Steve Wise
+
+commit d53ec8af56d5163f8a42e961ece3aeb5c560e79d upstream.
+
+We now use dev_name(&ib_device->dev) instead of ib_device->name in iwpm
+messages. The name field in struct device is a const char *, where as
+ib_device->name is a char array of size IB_DEVICE_NAME_MAX, and it is
+pre-initialized to zeros.
+
+Since iw_cm_map() was using memcpy() to copy in the device name, and
+copying IWPM_DEVNAME_SIZE bytes, it ends up copying past the end of the
+source device name string and copying random bytes. This results in iwpmd
+failing the REGISTER_PID request from iwcm. Thus port mapping is broken.
+
+Validate the device and if names, and use strncpy() to inialize the entire
+message field.
+
+Fixes: 896de0090a85 ("RDMA/core: Use dev_name instead of ibdev->name")
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/iwcm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -502,17 +502,21 @@ static void iw_cm_check_wildcard(struct
+ */
+ static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
+ {
++ const char *devname = dev_name(&cm_id->device->dev);
++ const char *ifname = cm_id->device->iwcm->ifname;
+ struct iwpm_dev_data pm_reg_msg;
+ struct iwpm_sa_data pm_msg;
+ int status;
+
++ if (strlen(devname) >= sizeof(pm_reg_msg.dev_name) ||
++ strlen(ifname) >= sizeof(pm_reg_msg.if_name))
++ return -EINVAL;
++
+ cm_id->m_local_addr = cm_id->local_addr;
+ cm_id->m_remote_addr = cm_id->remote_addr;
+
+- memcpy(pm_reg_msg.dev_name, dev_name(&cm_id->device->dev),
+- sizeof(pm_reg_msg.dev_name));
+- memcpy(pm_reg_msg.if_name, cm_id->device->iwcm->ifname,
+- sizeof(pm_reg_msg.if_name));
++ strncpy(pm_reg_msg.dev_name, devname, sizeof(pm_reg_msg.dev_name));
++ strncpy(pm_reg_msg.if_name, ifname, sizeof(pm_reg_msg.if_name));
+
+ if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) ||
+ !iwpm_valid_pid())
diff --git a/queue-4.20/rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch b/queue-4.20/rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch
new file mode 100644
index 00000000000..a258c0a214e
--- /dev/null
+++ b/queue-4.20/rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch
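Review bot: The pairing of the new strlen() guard with strncpy() is correct but non-obvious: the `>=` comparison leaves room for the terminator, which is the only reason the two strncpy() calls below are guaranteed to NUL-terminate, and strncpy()'s zero-padding is what makes the whole message field deterministic (the commit message says the consumer rejected the previous garbage tail). A comment above the guard, `/* names must fit with a terminator so strncpy() below always terminates and zero-pads the field */`, would stop a later cleanup from swapping the strncpy() for a bounded copy that does not pad or from relaxing the check to `>`. The rest of iw_cm_map continues outside the hunk.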
@@ -0,0 +1,123 @@
+From ed041919f0d23c109d52cde8da6ddc211c52d67e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 17 Dec 2018 13:20:40 -0800
+Subject: RDMA/srpt: Fix a use-after-free in the channel release code
+
+From: Bart Van Assche
+
+commit ed041919f0d23c109d52cde8da6ddc211c52d67e upstream.
+
+This patch avoids that KASAN sporadically reports the following:
+
+BUG: KASAN: use-after-free in rxe_run_task+0x1e/0x60 [rdma_rxe]
+Read of size 1 at addr ffff88801c50d8f4 by task check/24830
+
+CPU: 4 PID: 24830 Comm: check Not tainted 4.20.0-rc6-dbg+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+Call Trace:
+ dump_stack+0x86/0xca
+ print_address_description+0x71/0x239
+ kasan_report.cold.5+0x242/0x301
+ __asan_load1+0x47/0x50
+ rxe_run_task+0x1e/0x60 [rdma_rxe]
+ rxe_post_send+0x4bd/0x8d0 [rdma_rxe]
+ srpt_zerolength_write+0xe1/0x160 [ib_srpt]
+ srpt_close_ch+0x8b/0xe0 [ib_srpt]
+ srpt_set_enabled+0xe7/0x150 [ib_srpt]
+ srpt_tpg_enable_store+0xc0/0x100 [ib_srpt]
+ configfs_write_file+0x157/0x1d0
+ __vfs_write+0xd7/0x3d0
+ vfs_write+0x102/0x290
+ ksys_write+0xab/0x130
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x71/0x210
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Allocated by task 13856:
+ save_stack+0x43/0xd0
+ kasan_kmalloc+0xc7/0xe0
+ kasan_slab_alloc+0x11/0x20
+ kmem_cache_alloc+0x105/0x320
+ rxe_alloc+0xff/0x1f0 [rdma_rxe]
+ rxe_create_qp+0x9f/0x160 [rdma_rxe]
+ ib_create_qp+0xf5/0x690 [ib_core]
+ rdma_create_qp+0x6a/0x140 [rdma_cm]
+ srpt_cm_req_recv.cold.59+0x1588/0x237b [ib_srpt]
+ srpt_rdma_cm_req_recv.isra.35+0x1d5/0x220 [ib_srpt]
+ srpt_rdma_cm_handler+0x6f/0x100 [ib_srpt]
+ cma_listen_handler+0x59/0x60 [rdma_cm]
+ cma_ib_req_handler+0xd5b/0x2570 [rdma_cm]
+ cm_process_work+0x2e/0x110 [ib_cm]
+ cm_work_handler+0x2aae/0x502b [ib_cm]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Freed by task 3440:
+ save_stack+0x43/0xd0
+ __kasan_slab_free+0x139/0x190
+ kasan_slab_free+0xe/0x10
+ kmem_cache_free+0xbc/0x330
+ rxe_elem_release+0x66/0xe0 [rdma_rxe]
+ rxe_destroy_qp+0x3f/0x50 [rdma_rxe]
+ ib_destroy_qp+0x140/0x360 [ib_core]
+ srpt_release_channel_work+0xdc/0x310 [ib_srpt]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Cc: Sergey Gorenko
+Cc: Max Gurtovoy
+Cc: Laurence Oberman
+Cc:
+Signed-off-by: Bart Van Assche
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2010,6 +2010,14 @@ static void srpt_free_ch(struct kref *kr
+ kfree_rcu(ch, rcu);
+ }
+
++/*
++ * Shut down the SCSI target session, tell the connection manager to
++ * disconnect the associated RDMA channel, transition the QP to the error
++ * state and remove the channel from the channel list. This function is
++ * typically called from inside srpt_zerolength_write_done(). Concurrent
++ * srpt_zerolength_write() calls from inside srpt_close_ch() are possible
++ * as long as the channel is on sport->nexus_list.
++ */
+ static void srpt_release_channel_work(struct work_struct *w)
+ {
+ struct srpt_rdma_ch *ch;
+@@ -2037,6 +2045,11 @@ static void srpt_release_channel_work(st
+ else
+ ib_destroy_cm_id(ch->ib_cm.cm_id);
+
++ sport = ch->sport;
++ mutex_lock(&sport->mutex);
++ list_del_rcu(&ch->list);
++ mutex_unlock(&sport->mutex);
++
+ srpt_destroy_ch_ib(ch);
+
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
+@@ -2047,11 +2060,6 @@ static void srpt_release_channel_work(st
+ sdev, ch->rq_size,
+ srp_max_req_size, DMA_FROM_DEVICE);
+
+- sport = ch->sport;
+- mutex_lock(&sport->mutex);
+- list_del_rcu(&ch->list);
+- mutex_unlock(&sport->mutex);
+-
+ wake_up(&sport->ch_releaseQ);
+
+ kref_put(&ch->kref, srpt_free_ch);
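Review bot: The relocated list_del_rcu() is done under sport->mutex, which excludes walkers that take the mutex, but a walker that traverses the channel list under rcu_read_lock() could still hold ch when srpt_destroy_ch_ib() tears the QP down a few lines later; unless every walker takes sport->mutex (not visible here), either a synchronize_rcu() between the unlink and srpt_destroy_ch_ib(), or a comment stating that the list is only ever walked under the mutex, is needed to close that window. The new header comment says the channel must be "on sport->nexus_list" while the code unlinks ch->list; if the channel list hangs off a nexus rather than being sport->nexus_list itself, the comment should say so, e.g. `as long as the channel is on its nexus' channel list`. srpt_release_channel_work continues outside the hunks.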
diff --git a/queue-4.20/rxe-fix-error-completion-wr_id-and-qp_num.patch b/queue-4.20/rxe-fix-error-completion-wr_id-and-qp_num.patch
new file mode 100644
index 00000000000..af3d053bd4a
--- /dev/null
+++ b/queue-4.20/rxe-fix-error-completion-wr_id-and-qp_num.patch
@@ -0,0 +1,48 @@
+From e48d8ed9c6193502d849b35767fd18e20bbd7ba2 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Thu, 25 Oct 2018 12:40:57 -0700
+Subject: rxe: fix error completion wr_id and qp_num
+
+From: Sagi Grimberg
+
+commit e48d8ed9c6193502d849b35767fd18e20bbd7ba2 upstream.
+
+Error completions must still contain a valid wr_id and
+qp_num such that the consumer can rely on. Correctly
+fill these fields in receive error completions.
+
+Reported-by: Walker Benjamin
+Cc: stable@vger.kernel.org
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Zhu Yanjun
+Tested-by: Zhu Yanjun
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -844,11 +844,16 @@ static enum resp_states do_complete(stru
+
+ memset(&cqe, 0, sizeof(cqe));
+
+- wc->wr_id = wqe->wr_id;
+- wc->status = qp->resp.status;
+- wc->qp = &qp->ibqp;
++ if (qp->rcq->is_user) {
++ uwc->status = qp->resp.status;
++ uwc->qp_num = qp->ibqp.qp_num;
++ uwc->wr_id = wqe->wr_id;
++ } else {
++ wc->status = qp->resp.status;
++ wc->qp = &qp->ibqp;
++ wc->wr_id = wqe->wr_id;
++ }
+
+- /* fields after status are not required for errors */
+ if (wc->status == IB_WC_SUCCESS) {
+ wc->opcode = (pkt->mask & RXE_IMMDT_MASK &&
+ pkt->mask & RXE_WRITE_MASK) ?
diff --git a/queue-4.20/series b/queue-4.20/series
index 87a839de810..7ca0e5c7a03 100644
--- a/queue-4.20/series
+++ b/queue-4.20/series
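Review bot: After the new branch, `if (wc->status == IB_WC_SUCCESS)` still reads through wc even in the is_user case where only uwc was written; that is only correct if wc and uwc overlay the same cqe storage (the `memset(&cqe, ...)` above suggests they do) and status sits at the same offset in struct ib_wc and struct ib_uverbs_wc, which is a layout coincidence nothing here documents. Either a comment on the condition, `/* wc and uwc overlay cqe; status is at the same offset in both */`, or testing `qp->resp.status` directly, which is the value both branches just stored, would remove the dependence. do_complete starts and ends outside the hunk.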
@@ -40,3 +40,10 @@ xprtrdma-yet-another-double-dma-unmap.patch
 nfsd4-zero-length-write-should-succeed.patch
 revert-powerpc-tm-unset-msr-if-not-recheckpointing.patch
 powerpc-tm-set-msr-just-prior-to-recheckpoint.patch
+iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch
+iio-dac-ad5686-fix-bit-shift-read-register.patch
+9p-net-put-a-lower-bound-on-msize.patch
+rxe-fix-error-completion-wr_id-and-qp_num.patch
+stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch
+rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch
+rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch
diff --git a/queue-4.20/stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch b/queue-4.20/stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch
new file mode 100644
index 00000000000..2ce292f37cf
--- /dev/null
+++ b/queue-4.20/stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch
@@ -0,0 +1,79 @@
+From c18614a1a11276837bdd44403d84d207c9951538 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Wed, 19 Dec 2018 17:19:20 +0200
+Subject: stm class: Fix a module refcount leak in policy creation error path
+
+From: Alexander Shishkin
+
+commit c18614a1a11276837bdd44403d84d207c9951538 upstream.
+
+Commit c7fd62bc69d0 ("stm class: Introduce framing protocol drivers")
+adds a bug into the error path of policy creation, that would do a
+module_put() on a wrong module, if one tried to create a policy for
+an stm device which already has a policy, using a different protocol.
+IOW,
+
+| mkdir /config/stp-policy/dummy_stm.0:p_basic.test
+| mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # puts "p_basic"
+| mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # "p_basic" -> -1
+
+throws:
+
+| general protection fault: 0000 [#1] SMP PTI
+| CPU: 3 PID: 2887 Comm: mkdir
+| RIP: 0010:module_put.part.31+0xe/0x90
+| Call Trace:
+| module_put+0x13/0x20
+| stm_put_protocol+0x11/0x20 [stm_core]
+| stp_policy_make+0xf1/0x210 [stm_core]
+| ? __kmalloc+0x183/0x220
+| ? configfs_mkdir+0x10d/0x4c0
+| configfs_mkdir+0x169/0x4c0
+| vfs_mkdir+0x108/0x1c0
+| do_mkdirat+0xe8/0x110
+| __x64_sys_mkdir+0x1b/0x20
+| do_syscall_64+0x5a/0x140
+| entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Correct this sad mistake by calling calling 'put' on the correct
+reference, which happens to match another error path in the same
+function, so we consolidate the two at the same time.
+
+Signed-off-by: Alexander Shishkin
+Fixes: c7fd62bc69d0 ("stm class: Introduce framing protocol drivers")
+Reported-by: Ammy Yi
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/stm/policy.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwtracing/stm/policy.c
++++ b/drivers/hwtracing/stm/policy.c
+@@ -440,10 +440,8 @@ stp_policy_make(struct config_group *gro
+
+ stm->policy = kzalloc(sizeof(*stm->policy), GFP_KERNEL);
+ if (!stm->policy) {
+- mutex_unlock(&stm->policy_mutex);
+- stm_put_protocol(pdrv);
+- stm_put_device(stm);
+- return ERR_PTR(-ENOMEM);
++ ret = ERR_PTR(-ENOMEM);
++ goto unlock_policy;
+ }
+
+ config_group_init_type_name(&stm->policy->group, name,
+@@ -458,7 +456,11 @@ unlock_policy:
+ mutex_unlock(&stm->policy_mutex);
+
+ if (IS_ERR(ret)) {
+- stm_put_protocol(stm->pdrv);
++ /*
++ * pdrv and stm->pdrv at this point can be quite different,
++ * and only one of them needs to be 'put'
++ */
++ stm_put_protocol(pdrv);
+ stm_put_device(stm);
+ }
+
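Review bot: The new comment says the two references "can be quite different" but not which one this function owns, which is the whole point of the fix; since the put must pair with the protocol lookup done earlier in stp_policy_make (outside the hunk), stating that explicitly guards the next refactor, e.g. `/* pdrv is the protocol reference this call looked up; stm->pdrv may be a different driver already attached to the device and must not be dropped here */`. Routing the -ENOMEM path through `goto unlock_policy` matches the later error path, but it now relies on `ret` holding an ERR_PTR on every route to the label, so the code between the two hunks (not shown) is worth a glance for any path that jumps there with ret unset.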