From: Greg Kroah-Hartman Date: Thu, 30 Apr 2020 09:46:59 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.4.37~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=28b13ab610a80b941bc3108ec545355cd09ea6af;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: fuse-fix-possibly-missed-wake-up-after-abort.patch mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch sctp-use-right-member-as-the-param-of-list_for_each_entry.patch
---
diff --git a/queue-4.4/fuse-fix-possibly-missed-wake-up-after-abort.patch b/queue-4.4/fuse-fix-possibly-missed-wake-up-after-abort.patch
new file mode 100644
index 00000000000..2e497794910
--- /dev/null
+++ b/queue-4.4/fuse-fix-possibly-missed-wake-up-after-abort.patch
@@ -0,0 +1,61 @@
+From 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 9 Nov 2018 15:52:16 +0100
+Subject: fuse: fix possibly missed wake-up after abort
+
+From: Miklos Szeredi
+
+commit 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 upstream.
+
+In current fuse_drop_waiting() implementation it's possible that
+fuse_wait_aborted() will not be woken up in the unlikely case that
+fuse_abort_conn() + fuse_wait_aborted() runs in between checking
+fc->connected and calling atomic_dec(&fc->num_waiting).
+
+Do the atomic_dec_and_test() unconditionally, which also provides the
+necessary barrier against reordering with the fc->connected check.
+
+The explicit smp_mb() in fuse_wait_aborted() is not actually needed, since
+the spin_unlock() in fuse_abort_conn() provides the necessary RELEASE
+barrier after resetting fc->connected. However, this is not a performance
+sensitive path, and adding the explicit barrier makes it easier to
+document.
+
+Signed-off-by: Miklos Szeredi
+Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
+Cc: #v4.19
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -145,9 +145,13 @@ static bool fuse_block_alloc(struct fuse
+
+ static void fuse_drop_waiting(struct fuse_conn *fc)
+ {
+- if (fc->connected) {
+- atomic_dec(&fc->num_waiting);
+- } else if (atomic_dec_and_test(&fc->num_waiting)) {
++ /*
++ * lockess check of fc->connected is okay, because atomic_dec_and_test()
++ * provides a memory barrier mached with the one in fuse_wait_aborted()
++ * to ensure no wake-up is missed.
++ */
++ if (atomic_dec_and_test(&fc->num_waiting) &&
++ !READ_ONCE(fc->connected)) {
+ /* wake up aborters */
+ wake_up_all(&fc->blocked_waitq);
+ }
+@@ -2222,6 +2226,8 @@ EXPORT_SYMBOL_GPL(fuse_abort_conn);
+
+ void fuse_wait_aborted(struct fuse_conn *fc)
+ {
++ /* matches implicit memory barrier in fuse_drop_waiting() */
++ smp_mb();
+ wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0);
+ }
+
diff --git a/queue-4.4/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch b/queue-4.4/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch
new file mode 100644
index 00000000000..a563ba0d7dc
--- /dev/null
+++ b/queue-4.4/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch
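Review bot: The comment added above the `atomic_dec_and_test()` call in fuse_drop_waiting() (fs/fuse/dev.c) misspells "lockless" and "matched" and never says which accesses the barrier orders, although that ordering is the only thing that makes the unlocked read of `fc->connected` safe. Something like `/* lockless read of fc->connected is okay: atomic_dec_and_test() orders the num_waiting decrement before it and pairs with the smp_mb() in fuse_wait_aborted() */` would state it directly. The pairing also depends on fuse_abort_conn() clearing `fc->connected` before fuse_wait_aborted() runs, which the commit message describes but neither hunk shows, so it may be worth naming in the `smp_mb()` comment as well. Separately, the Cc tag names v4.19 while this is queued for 4.4; the hunk context implies the 4.4 tree already carries fuse_wait_aborted(), but that should be confirmed against the tree before the patch is released.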
@@ -0,0 +1,42 @@
+From d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b Mon Sep 17 00:00:00 2001
+From: Liu Jian
+Date: Sun, 3 Mar 2019 15:04:18 +0800
+Subject: mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
+
+From: Liu Jian
+
+commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream.
+
+In function do_write_buffer(), in the for loop, there is a case
+chip_ready() returns 1 while chip_good() returns 0, so it never
+break the loop.
+To fix this, chip_good() is enough and it should timeout if it stay
+bad for a while.
+
+Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
+Signed-off-by: Yi Huaijie
+Signed-off-by: Liu Jian
+Reviewed-by: Tokunori Ikegami
+Signed-off-by: Richard Weinberger
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -1881,7 +1881,11 @@ static int __xipram do_write_buffer(stru
+ continue;
+ }
+
+- if (time_after(jiffies, timeo) && !chip_ready(map, adr))
++ /*
++ * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
++ * the failure due to scheduling.
++ */
++ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
+ break;
+
+ if (chip_good(map, adr, datum)) {
diff --git a/queue-4.4/sctp-use-right-member-as-the-param-of-list_for_each_entry.patch b/queue-4.4/sctp-use-right-member-as-the-param-of-list_for_each_entry.patch
new file mode 100644
index 00000000000..cf9b4cd0c1b
--- /dev/null
+++ b/queue-4.4/sctp-use-right-member-as-the-param-of-list_for_each_entry.patch
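Review bot: In the do_write_buffer() loop (drivers/mtd/chips/cfi_cmdset_0002.c) the new timeout test calls `chip_good(map, adr, datum)` and the very next statement calls it again, so once the timeout has passed every iteration samples the chip status twice and the two samples could in principle disagree. Storing the result once per iteration keeps the decision consistent: `good = chip_good(map, adr, datum);`, then `if (time_after(jiffies, timeo) && !good) break;` and `if (good) {`. The added comment is also hard to parse; as I read it, the intent is `/* Time out only if the chip is still not good, so a write that completed while we were scheduled out is not reported as failed. */`. What the `break` path returns lies outside the hunk, so it is not visible here whether the timeout is surfaced to the caller as an error.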
@@ -0,0 +1,51 @@
+From a8dd397903a6e57157f6265911f7d35681364427 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sun, 26 Nov 2017 20:56:07 +0800
+Subject: sctp: use right member as the param of list_for_each_entry
+
+From: Xin Long
+
+commit a8dd397903a6e57157f6265911f7d35681364427 upstream.
+
+Commit d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues
+when migrating a sock") made a mistake that using 'list' as the param of
+list_for_each_entry to traverse the retransmit, sacked and abandoned
+queues, while chunks are using 'transmitted_list' to link into these
+queues.
+
+It could cause NULL dereference panic if there are chunks in any of these
+queues when peeling off one asoc.
+
+So use the chunk member 'transmitted_list' instead in this patch.
+
+Fixes: d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues when migrating a sock")
+Signed-off-by: Xin Long
+Acked-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -185,13 +185,13 @@ static void sctp_for_each_tx_datachunk(s
+ list_for_each_entry(chunk, &t->transmitted, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->retransmit, list)
++ list_for_each_entry(chunk, &q->retransmit, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->sacked, list)
++ list_for_each_entry(chunk, &q->sacked, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->abandoned, list)
++ list_for_each_entry(chunk, &q->abandoned, transmitted_list)
+ cb(chunk);
+
+ list_for_each_entry(chunk, &q->out_chunk_list, list)
diff --git a/queue-4.4/series b/queue-4.4/series
index eabaa38f00b..3b062f050fc 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
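Review bot: Nothing in sctp_for_each_tx_datachunk() (net/sctp/socket.c) records which list member each queue links through, and that is exactly the detail that was wrong: per the commit message, a mismatched member can end in a NULL dereference when an association is peeled off. A short comment above the loops would keep the next edit from repeating it, e.g. `/* transmitted, retransmit, sacked and abandoned link chunks via transmitted_list; out_chunk_list links via list */`. The final loop over `q->out_chunk_list` still passes `list`, which looks intentional given the commit message. The function starts and ends outside the hunk, so the rest of the traversal is not visible here.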
@@ -52,3 +52,6 @@ uas-no-use-logging-any-details-in-case-of-enodev.patch
 uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch
 usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch
 remoteproc-fix-wrong-rvring-index-computation.patch
+sctp-use-right-member-as-the-param-of-list_for_each_entry.patch
+fuse-fix-possibly-missed-wake-up-after-abort.patch
+mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch