From: Sasha Levin Date: Mon, 29 Jun 2020 04:36:07 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.7.7~39^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2c9e3398d7d64ca859aa7d6e0e080e8467fbd29e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-nsp-correct-fa2-mailbox-node.patch b/queue-4.14/arm-dts-nsp-correct-fa2-mailbox-node.patch new file mode 100644 index 00000000000..79460ee4c04 --- /dev/null +++ b/queue-4.14/arm-dts-nsp-correct-fa2-mailbox-node.patch @@ -0,0 +1,42 @@ +From f2f3b0b8df8af0d087cbe71b1fb43a87a5a474d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 15:19:00 -0700 +Subject: ARM: dts: NSP: Correct FA2 mailbox node + +From: Matthew Hagan + +[ Upstream commit ac4e106d8934a5894811fc263f4b03fc8ed0fb7a ] + +The FA2 mailbox is specified at 0x18025000 but should actually be +0x18025c00, length 0x400 according to socregs_nsp.h and board_bu.c. Also +the interrupt was off by one and should be GIC SPI 151 instead of 150. + +Fixes: 17d517172300 ("ARM: dts: NSP: Add mailbox (PDC) to NSP") +Signed-off-by: Matthew Hagan +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm-nsp.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm-nsp.dtsi b/arch/arm/boot/dts/bcm-nsp.dtsi +index 1792192001a22..e975f9cabe84b 100644 +--- a/arch/arm/boot/dts/bcm-nsp.dtsi ++++ b/arch/arm/boot/dts/bcm-nsp.dtsi +@@ -249,10 +249,10 @@ amac2: ethernet@24000 { + status = "disabled"; + }; + +- mailbox: mailbox@25000 { ++ mailbox: mailbox@25c00 { + compatible = "brcm,iproc-fa2-mbox"; +- reg = <0x25000 0x445>; +- interrupts = ; ++ reg = <0x25c00 0x400>; ++ interrupts = ; + #mbox-cells = <1>; + brcm,rx-status-len = <32>; + brcm,use-bcm-hdr; +-- +2.25.1 + 
diff --git a/queue-4.14/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch b/queue-4.14/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch new file mode 100644 index 00000000000..d198dc8f925 --- /dev/null +++ b/queue-4.14/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch @@ -0,0 +1,54 @@ +From 3da42b6dfb5881c7a7856423bca1000e30eb30fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:42:06 +0800 +Subject: ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() + +From: yu kuai + +[ Upstream commit 586745f1598ccf71b0a5a6df2222dee0a865954e ] + +if of_find_device_by_node() succeed, imx_suspend_alloc_ocram() doesn't +have a corresponding put_device(). Thus add a jump target to fix the +exception handling for this function implementation. + +Fixes: 1579c7b9fe01 ("ARM: imx53: Set DDR pins to high impedance when in suspend to RAM.") +Signed-off-by: yu kuai +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/pm-imx5.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-imx/pm-imx5.c b/arch/arm/mach-imx/pm-imx5.c +index 868781fd460c7..14c630c899c5d 100644 +--- a/arch/arm/mach-imx/pm-imx5.c ++++ b/arch/arm/mach-imx/pm-imx5.c +@@ -301,14 +301,14 @@ static int __init imx_suspend_alloc_ocram( + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, size); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + phys = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -318,6 +318,8 @@ static int __init imx_suspend_alloc_ocram( + if (virt_out) + *virt_out = virt; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(node); + +-- +2.25.1 + 
diff --git a/queue-4.14/asoc-rockchip-fix-a-reference-count-leak.patch b/queue-4.14/asoc-rockchip-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..f6be7a015ed --- /dev/null +++ b/queue-4.14/asoc-rockchip-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 284ba43166752ae3279f092b921f1f704a178306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 15:51:58 -0500 +Subject: ASoC: rockchip: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit f141a422159a199f4c8dedb7e0df55b3b2cf16cd ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not called in +error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails. + +Fixes: fc05a5b22253 ("ASoC: rockchip: add support for pdm controller") +Signed-off-by: Qiushi Wu +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20200613205158.27296-1-wu000273@umn.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_pdm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/rockchip/rockchip_pdm.c b/sound/soc/rockchip/rockchip_pdm.c +index 8a2e3bbce3a16..ad16c8310dd38 100644 +--- a/sound/soc/rockchip/rockchip_pdm.c ++++ b/sound/soc/rockchip/rockchip_pdm.c +@@ -478,8 +478,10 @@ static int rockchip_pdm_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + + ret = regcache_sync(pdm->regmap); + +-- +2.25.1 + diff --git a/queue-4.14/ata-libata-fix-usage-of-page-address-by-page_address.patch b/queue-4.14/ata-libata-fix-usage-of-page-address-by-page_address.patch new file mode 100644 index 00000000000..bf6306e5380 --- /dev/null +++ b/queue-4.14/ata-libata-fix-usage-of-page-address-by-page_address.patch 
@@ -0,0 +1,182 @@ +From 4765808f6c9f036f2b133a2591359f038a31da06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 09:41:49 +0800 +Subject: ata/libata: Fix usage of page address by page_address in + ata_scsi_mode_select_xlat function + +From: Ye Bin + +[ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ] + +BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0 +drivers/ata/libata-scsi.c:4045 +Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621 + +CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.10.2-1ubuntu1 04/01/2014 +Call Trace: +__dump_stack lib/dump_stack.c:77 [inline] +dump_stack+0xac/0xee lib/dump_stack.c:118 +print_address_description+0x60/0x223 mm/kasan/report.c:253 +kasan_report_error mm/kasan/report.c:351 [inline] +kasan_report mm/kasan/report.c:409 [inline] +kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393 +ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045 +ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035 +__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline] +ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409 +scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867 +scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170 +blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186 +blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108 +blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204 +__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308 +__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376 +blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413 +blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397 +blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64 +blk_execute_rq+0xc5/0x112 block/blk-exec.c:101 +sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507 +sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106 +vfs_ioctl fs/ioctl.c:46 [inline] 
+file_ioctl fs/ioctl.c:501 [inline] +do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688 +ksys_ioctl+0x76/0xa0 fs/ioctl.c:705 +__do_sys_ioctl fs/ioctl.c:712 [inline] +__se_sys_ioctl fs/ioctl.c:710 [inline] +__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710 +do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45c479 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 +f7 48 +89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 0f +83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479 +RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003 +RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc + +Allocated by task 12577: +set_track mm/kasan/kasan.c:460 [inline] +kasan_kmalloc mm/kasan/kasan.c:553 [inline] +kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531 +__kmalloc+0xf3/0x1e0 mm/slub.c:3749 +kmalloc include/linux/slab.h:520 [inline] +load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441 +load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737 +search_binary_handler fs/exec.c:1654 [inline] +search_binary_handler+0x15c/0x4e0 fs/exec.c:1632 +exec_binprm fs/exec.c:1696 [inline] +__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820 +do_execveat_common fs/exec.c:1866 [inline] +do_execve fs/exec.c:1883 [inline] +__do_sys_execve fs/exec.c:1964 [inline] +__se_sys_execve fs/exec.c:1959 [inline] +__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959 +do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 12577: +set_track mm/kasan/kasan.c:460 [inline] +__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521 +slab_free_hook mm/slub.c:1370 [inline] +slab_free_freelist_hook mm/slub.c:1397 [inline] 
+slab_free mm/slub.c:2952 [inline] +kfree+0x8b/0x1a0 mm/slub.c:3904 +load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118 +search_binary_handler fs/exec.c:1654 [inline] +search_binary_handler+0x15c/0x4e0 fs/exec.c:1632 +exec_binprm fs/exec.c:1696 [inline] +__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820 +do_execveat_common fs/exec.c:1866 [inline] +do_execve fs/exec.c:1883 [inline] +__do_sys_execve fs/exec.c:1964 [inline] +__se_sys_execve fs/exec.c:1959 [inline] +__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959 +do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff88803b8ccf00 +which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 259 bytes inside of +512-byte region [ffff88803b8ccf00, ffff88803b8cd100) +The buggy address belongs to the page: +page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080 +index:0xffff88803b8cc780 compound_mapcount: 0 +flags: 0x100000000008100(slab|head) +raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080 +raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: +ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +^ +ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce +this error. + +The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000 +which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))" +maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer" +may not page aligned. 
+This also looks completely buggy on highmem systems and really needs to use a +kmap_atomic. --Christoph Hellwig +To address above bugs, Paolo Bonzini advise to simpler to just make a char array +of size CACHE_MPAGE_LEN+8+8+4-2(or just 64 to make it easy), use sg_copy_to_buffer +to copy from the sglist into the buffer, and workthere. + +Signed-off-by: Ye Bin +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-scsi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 2f81d65342709..bc2c27f0493fc 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3996,12 +3996,13 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc) + { + struct scsi_cmnd *scmd = qc->scsicmd; + const u8 *cdb = scmd->cmnd; +- const u8 *p; + u8 pg, spg; + unsigned six_byte, pg_len, hdr_len, bd_len; + int len; + u16 fp = (u16)-1; + u8 bp = 0xff; ++ u8 buffer[64]; ++ const u8 *p = buffer; + + VPRINTK("ENTER\n"); + +@@ -4035,12 +4036,14 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc) + if (!scsi_sg_count(scmd) || scsi_sglist(scmd)->length < len) + goto invalid_param_len; + +- p = page_address(sg_page(scsi_sglist(scmd))); +- + /* Move past header and block descriptors. */ + if (len < hdr_len) + goto invalid_param_len; + ++ if (!sg_copy_to_buffer(scsi_sglist(scmd), scsi_sg_count(scmd), ++ buffer, sizeof(buffer))) ++ goto invalid_param_len; ++ + if (six_byte) + bd_len = p[3]; + else +-- +2.25.1 + diff --git a/queue-4.14/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch b/queue-4.14/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch new file mode 100644 index 00000000000..18dd977a52d --- /dev/null +++ b/queue-4.14/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch 
@@ -0,0 +1,93 @@ +From 66ac9d124f4a86f850c00317ddb83d3bf139256c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 16:58:36 +0200 +Subject: blktrace: break out of blktrace setup on concurrent calls + +From: Luis Chamberlain + +[ Upstream commit 1b0b283648163dae2a214ca28ed5a99f62a77319 ] + +We use one blktrace per request_queue, that means one per the entire +disk. So we cannot run one blktrace on say /dev/vda and then /dev/vda1, +or just two calls on /dev/vda. + +We check for concurrent setup only at the very end of the blktrace setup though. + +If we try to run two concurrent blktraces on the same block device the +second one will fail, and the first one seems to go on. However when +one tries to kill the first one one will see things like this: + +The kernel will show these: + +``` +debugfs: File 'dropped' in directory 'nvme1n1' already present! +debugfs: File 'msg' in directory 'nvme1n1' already present! +debugfs: File 'trace0' in directory 'nvme1n1' already present! +`` + +And userspace just sees this error message for the second call: + +``` +blktrace /dev/nvme1n1 +BLKTRACESETUP(2) /dev/nvme1n1 failed: 5/Input/output error +``` + +The first userspace process #1 will also claim that the files +were taken underneath their nose as well. The files are taken +away form the first process given that when the second blktrace +fails, it will follow up with a BLKTRACESTOP and BLKTRACETEARDOWN. +This means that even if go-happy process #1 is waiting for blktrace +data, we *have* been asked to take teardown the blktrace. + +This can easily be reproduced with break-blktrace [0] run_0005.sh test. + +Just break out early if we know we're already going to fail, this will +prevent trying to create the files all over again, which we know still +exist. 
+ +[0] https://github.com/mcgrof/break-blktrace + +Signed-off-by: Luis Chamberlain +Signed-off-by: Jan Kara +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 304a164f5e7e7..9a55c5bc52434 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -15,6 +15,9 @@ + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include + #include + #include +@@ -504,6 +507,16 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + */ + strreplace(buts->name, '/', '_'); + ++ /* ++ * bdev can be NULL, as with scsi-generic, this is a helpful as ++ * we can be. ++ */ ++ if (q->blk_trace) { ++ pr_warn("Concurrent blktraces are not allowed on %s\n", ++ buts->name); ++ return -EBUSY; ++ } ++ + bt = kzalloc(sizeof(*bt), GFP_KERNEL); + if (!bt) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.14/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch b/queue-4.14/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch new file mode 100644 index 00000000000..23822c8d63e --- /dev/null +++ b/queue-4.14/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch 
@@ -0,0 +1,39 @@ +From f9b9b467f4c920d5753030581d4116dcba546c01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 13:38:04 -0500 +Subject: efi/esrt: Fix reference count leak in esre_create_sysfs_entry. + +From: Qiushi Wu + +[ Upstream commit 4ddf4739be6e375116c375f0a68bf3893ffcee21 ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. Previous +commit "b8eb718348b8" fixed a similar problem. + +Fixes: 0bb549052d33 ("efi: Add esrt support") +Signed-off-by: Qiushi Wu +Link: https://lore.kernel.org/r/20200528183804.4497-1-wu000273@umn.edu +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/esrt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c +index f3c28777b8c6f..deb1d8f3bdc8c 100644 +--- a/drivers/firmware/efi/esrt.c ++++ b/drivers/firmware/efi/esrt.c +@@ -180,7 +180,7 @@ static int esre_create_sysfs_entry(void *esre, int entry_num) + rc = kobject_init_and_add(&entry->kobj, &esre1_ktype, NULL, + "entry%d", entry_num); + if (rc) { +- kfree(entry); ++ kobject_put(&entry->kobj); + return rc; + } + } +-- +2.25.1 + diff --git a/queue-4.14/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch b/queue-4.14/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch new file mode 100644 index 00000000000..9e3eca2f407 --- /dev/null +++ b/queue-4.14/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch 
@@ -0,0 +1,72 @@ +From bc435745f4cd4140ffedbdf14f93f60a5e8fc86c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 23:43:40 +0900 +Subject: kbuild: improve cc-option to clean up all temporary files + +From: Masahiro Yamada + +[ Upstream commit f2f02ebd8f3833626642688b2d2c6a7b3c141fa9 ] + +When cc-option and friends evaluate compiler flags, the temporary file +$$TMP is created as an output object, and automatically cleaned up. +The actual file path of $$TMP is ..tmp, here is the process +ID of $(shell ...) invoked from cc-option. (Please note $$$$ is the +escape sequence of $$). + +Such garbage files are cleaned up in most cases, but some compiler flags +create additional output files. + +For example, -gsplit-dwarf creates a .dwo file. + +When CONFIG_DEBUG_INFO_SPLIT=y, you will see a bunch of ..dwo files +left in the top of build directories. You may not notice them unless you +do 'ls -a', but the garbage files will increase every time you run 'make'. + +This commit changes the temporary object path to .tmp_/tmp, and +removes .tmp_ directory when exiting. Separate build artifacts such +as *.dwo will be cleaned up all together because their file paths are +usually determined based on the base name of the object. 
+ +Another example is -ftest-coverage, which outputs the coverage data into +.gcno + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Kbuild.include | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index a33fa1a918731..28bfb4378dbd8 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -82,20 +82,21 @@ cc-cross-prefix = \ + fi))) + + # output directory for tests below +-TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/) ++TMPOUT = $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/).tmp_$$$$ + + # try-run + # Usage: option = $(call try-run, $(CC)...-o "$$TMP",option-ok,otherwise) + # Exit code chooses option. "$$TMP" serves as a temporary file and is + # automatically cleaned up. + try-run = $(shell set -e; \ +- TMP="$(TMPOUT).$$$$.tmp"; \ +- TMPO="$(TMPOUT).$$$$.o"; \ ++ TMP=$(TMPOUT)/tmp; \ ++ TMPO=$(TMPOUT)/tmp.o; \ ++ mkdir -p $(TMPOUT); \ ++ trap "rm -rf $(TMPOUT)" EXIT; \ + if ($(1)) >/dev/null 2>&1; \ + then echo "$(2)"; \ + else echo "$(3)"; \ +- fi; \ +- rm -f "$$TMP" "$$TMPO") ++ fi) + + # as-option + # Usage: cflags-y += $(call as-option,-Wa$(comma)-isa=foo,) +-- +2.25.1 + diff --git a/queue-4.14/net-alx-fix-race-condition-in-alx_remove.patch b/queue-4.14/net-alx-fix-race-condition-in-alx_remove.patch new file mode 100644 index 00000000000..b877a4f826b --- /dev/null +++ b/queue-4.14/net-alx-fix-race-condition-in-alx_remove.patch 
@@ -0,0 +1,59 @@ +From 3547ca79db19cfa230ad12a966e0c1f2b2dfe417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:50:29 -0400 +Subject: net: alx: fix race condition in alx_remove + +From: Zekun Shen + +[ Upstream commit e89df5c4322c1bf495f62d74745895b5fd2a4393 ] + +There is a race condition exist during termination. The path is +alx_stop and then alx_remove. An alx_schedule_link_check could be called +before alx_stop by interrupt handler and invoke alx_link_check later. +Alx_stop frees the napis, and alx_remove cancels any pending works. +If any of the work is scheduled before termination and invoked before +alx_remove, a null-ptr-deref occurs because both expect alx->napis[i]. + +This patch fix the race condition by moving cancel_work_sync functions +before alx_free_napis inside alx_stop. Because interrupt handler can call +alx_schedule_link_check again, alx_free_irq is moved before +cancel_work_sync calls too. + +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 5e5022fa1d047..85029d43da758 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1250,8 +1250,12 @@ static int __alx_open(struct alx_priv *alx, bool resume) + + static void __alx_stop(struct alx_priv *alx) + { +- alx_halt(alx); + alx_free_irq(alx); ++ ++ cancel_work_sync(&alx->link_check_wk); ++ cancel_work_sync(&alx->reset_wk); ++ ++ alx_halt(alx); + alx_free_rings(alx); + alx_free_napis(alx); + } +@@ -1863,9 +1867,6 @@ static void alx_remove(struct pci_dev *pdev) + struct alx_priv *alx = pci_get_drvdata(pdev); + struct alx_hw *hw = &alx->hw; + +- cancel_work_sync(&alx->link_check_wk); +- cancel_work_sync(&alx->reset_wk); +- + /* restore permanent mac address */ + alx_set_macaddr(hw, 
hw->perm_addr); + +-- +2.25.1 + diff --git a/queue-4.14/net-bcmgenet-use-hardware-padding-of-runt-frames.patch b/queue-4.14/net-bcmgenet-use-hardware-padding-of-runt-frames.patch new file mode 100644 index 00000000000..78ef53e4b13 --- /dev/null +++ b/queue-4.14/net-bcmgenet-use-hardware-padding-of-runt-frames.patch 
@@ -0,0 +1,65 @@ +From b1a3e52de4425c89e00ab137f57272523e814bfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 18:14:55 -0700 +Subject: net: bcmgenet: use hardware padding of runt frames + +From: Doug Berger + +[ Upstream commit 20d1f2d1b024f6be199a3bedf1578a1d21592bc5 ] + +When commit 474ea9cafc45 ("net: bcmgenet: correctly pad short +packets") added the call to skb_padto() it should have been +located before the nr_frags parameter was read since that value +could be changed when padding packets with lengths between 55 +and 59 bytes (inclusive). + +The use of a stale nr_frags value can cause corruption of the +pad data when tx-scatter-gather is enabled. This corruption of +the pad can cause invalid checksum computation when hardware +offload of tx-checksum is also enabled. + +Since the original reason for the padding was corrected by +commit 7dd399130efb ("net: bcmgenet: fix skb_len in +bcmgenet_xmit_single()") we can remove the software padding all +together and make use of hardware padding of short frames as +long as the hardware also always appends the FCS value to the +frame. + +Fixes: 474ea9cafc45 ("net: bcmgenet: correctly pad short packets") +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 7d3cbbd88a005..8bfa2523e2533 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1567,11 +1567,6 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev) + goto out; + } + +- if (skb_padto(skb, ETH_ZLEN)) { +- ret = NETDEV_TX_OK; +- goto out; +- } +- + /* Retain how many bytes will be sent on the wire, without TSB inserted + * by transmit checksum offload + */ +@@ -1621,6 +1616,9 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev) + len_stat = (size << DMA_BUFLENGTH_SHIFT) | + (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT); + ++ /* Note: if we ever change from DMA_TX_APPEND_CRC below we ++ * will need to restore software padding of "runt" packets ++ */ + if (!i) { + len_stat |= DMA_TX_APPEND_CRC | DMA_SOP; + if (skb->ip_summed == CHECKSUM_PARTIAL) +-- +2.25.1 + diff --git a/queue-4.14/net-qed-fix-excessive-qm-ilt-lines-consumption.patch b/queue-4.14/net-qed-fix-excessive-qm-ilt-lines-consumption.patch new file mode 100644 index 00000000000..5159f1b828b --- /dev/null +++ b/queue-4.14/net-qed-fix-excessive-qm-ilt-lines-consumption.patch 
@@ -0,0 +1,40 @@ +From c63ec50bbe19104459eed745b729a534f5bbb67b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 16:51:33 +0300 +Subject: net: qed: fix excessive QM ILT lines consumption + +From: Alexander Lobakin + +[ Upstream commit d434d02f7e7c24c721365fd594ed781acb18e0da ] + +This is likely a copy'n'paste mistake. The amount of ILT lines to +reserve for a single VF was being multiplied by the total VFs count. +This led to a huge redundancy in reservation and potential lines +drainouts. + +Fixes: 1408cc1fa48c ("qed: Introduce VFs") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +index 27ba476f761d4..4fc3468f6f38b 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +@@ -396,7 +396,7 @@ static void qed_cxt_qm_iids(struct qed_hwfn *p_hwfn, + vf_tids += segs[NUM_TASK_PF_SEGMENTS].count; + } + +- iids->vf_cids += vf_cids * p_mngr->vf_count; ++ iids->vf_cids = vf_cids; + iids->tids += vf_tids * p_mngr->vf_count; + + DP_VERBOSE(p_hwfn, QED_MSG_ILT, +-- +2.25.1 + diff --git a/queue-4.14/net-qed-fix-left-elements-count-calculation.patch b/queue-4.14/net-qed-fix-left-elements-count-calculation.patch new file mode 100644 index 00000000000..71e540f380d --- /dev/null +++ b/queue-4.14/net-qed-fix-left-elements-count-calculation.patch 
@@ -0,0 +1,80 @@ +From 97ac11e85c63482d68ce6f24fc58b2c73b523524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 16:51:29 +0300 +Subject: net: qed: fix left elements count calculation + +From: Alexander Lobakin + +[ Upstream commit 97dd1abd026ae4e6a82fa68645928404ad483409 ] + +qed_chain_get_element_left{,_u32} returned 0 when the difference +between producer and consumer page count was equal to the total +page count. +Fix this by conditional expanding of producer value (vs +unconditional). This allowed to eliminate normalizaton against +total page count, which was the cause of this bug. + +Misc: replace open-coded constants with common defines. + +Fixes: a91eb52abb50 ("qed: Revisit chain implementation") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/qed/qed_chain.h | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/include/linux/qed/qed_chain.h b/include/linux/qed/qed_chain.h +index 733fad7dfbed9..6d15040c642cb 100644 +--- a/include/linux/qed/qed_chain.h ++++ b/include/linux/qed/qed_chain.h +@@ -207,28 +207,34 @@ static inline u32 qed_chain_get_cons_idx_u32(struct qed_chain *p_chain) + + static inline u16 qed_chain_get_elem_left(struct qed_chain *p_chain) + { ++ u16 elem_per_page = p_chain->elem_per_page; ++ u32 prod = p_chain->u.chain16.prod_idx; ++ u32 cons = p_chain->u.chain16.cons_idx; + u16 used; + +- used = (u16) (((u32)0x10000 + +- (u32)p_chain->u.chain16.prod_idx) - +- (u32)p_chain->u.chain16.cons_idx); ++ if (prod < cons) ++ prod += (u32)U16_MAX + 1; ++ ++ used = (u16)(prod - cons); + if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR) +- used -= p_chain->u.chain16.prod_idx / p_chain->elem_per_page - +- p_chain->u.chain16.cons_idx / p_chain->elem_per_page; ++ used -= prod / elem_per_page - cons / elem_per_page; + + return (u16)(p_chain->capacity - used); + } + + 
static inline u32 qed_chain_get_elem_left_u32(struct qed_chain *p_chain) + { ++ u16 elem_per_page = p_chain->elem_per_page; ++ u64 prod = p_chain->u.chain32.prod_idx; ++ u64 cons = p_chain->u.chain32.cons_idx; + u32 used; + +- used = (u32) (((u64)0x100000000ULL + +- (u64)p_chain->u.chain32.prod_idx) - +- (u64)p_chain->u.chain32.cons_idx); ++ if (prod < cons) ++ prod += (u64)U32_MAX + 1; ++ ++ used = (u32)(prod - cons); + if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR) +- used -= p_chain->u.chain32.prod_idx / p_chain->elem_per_page - +- p_chain->u.chain32.cons_idx / p_chain->elem_per_page; ++ used -= (u32)(prod / elem_per_page - cons / elem_per_page); + + return p_chain->capacity - used; + } +-- +2.25.1 + diff --git a/queue-4.14/net-qed-fix-nvme-login-fails-over-vfs.patch b/queue-4.14/net-qed-fix-nvme-login-fails-over-vfs.patch new file mode 100644 index 00000000000..ed7dd1ad885 --- /dev/null +++ b/queue-4.14/net-qed-fix-nvme-login-fails-over-vfs.patch 
@@ -0,0 +1,80 @@ +From 431d5053f91c3727b91a8b5e687cf923243af7e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 16:51:32 +0300 +Subject: net: qed: fix NVMe login fails over VFs + +From: Alexander Lobakin + +[ Upstream commit ccd7c7ce167a21dbf2b698ffcf00f11d96d44f9b ] + +25ms sleep cycles in waiting for PF response are excessive and may lead +to different timeout failures. + +Start to wait with short udelays, and in most cases polling will end +here. If the time was not sufficient, switch to msleeps. +usleep_range() may go far beyond 100us depending on platform and tick +configuration, hence atomic udelays for consistency. + +Also add explicit DMA barriers since 'done' always comes from a shared +request-response DMA pool, and note that in the comment nearby. + +Fixes: 1408cc1fa48c ("qed: Introduce VFs") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index a2a9921b467b1..693f2a0393835 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -81,12 +81,17 @@ static void qed_vf_pf_req_end(struct qed_hwfn *p_hwfn, int req_status) + mutex_unlock(&(p_hwfn->vf_iov_info->mutex)); + } + ++#define QED_VF_CHANNEL_USLEEP_ITERATIONS 90 ++#define QED_VF_CHANNEL_USLEEP_DELAY 100 ++#define QED_VF_CHANNEL_MSLEEP_ITERATIONS 10 ++#define QED_VF_CHANNEL_MSLEEP_DELAY 25 ++ + static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size) + { + union vfpf_tlvs *p_req = p_hwfn->vf_iov_info->vf2pf_request; + struct ustorm_trigger_vf_zone trigger; + struct ustorm_vf_zone *zone_data; +- int rc = 0, time = 100; ++ int iter, rc = 0; + + zone_data = (struct ustorm_vf_zone 
*)PXP_VF_BAR0_START_USDM_ZONE_B; + +@@ -126,11 +131,19 @@ static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size) + REG_WR(p_hwfn, (uintptr_t)&zone_data->trigger, *((u32 *)&trigger)); + + /* When PF would be done with the response, it would write back to the +- * `done' address. Poll until then. ++ * `done' address from a coherent DMA zone. Poll until then. + */ +- while ((!*done) && time) { +- msleep(25); +- time--; ++ ++ iter = QED_VF_CHANNEL_USLEEP_ITERATIONS; ++ while (!*done && iter--) { ++ udelay(QED_VF_CHANNEL_USLEEP_DELAY); ++ dma_rmb(); ++ } ++ ++ iter = QED_VF_CHANNEL_MSLEEP_ITERATIONS; ++ while (!*done && iter--) { ++ msleep(QED_VF_CHANNEL_MSLEEP_DELAY); ++ dma_rmb(); + } + + if (!*done) { +-- +2.25.1 + diff --git a/queue-4.14/netfilter-ipset-fix-unaligned-atomic-access.patch b/queue-4.14/netfilter-ipset-fix-unaligned-atomic-access.patch new file mode 100644 index 00000000000..77fb1a7650c --- /dev/null +++ b/queue-4.14/netfilter-ipset-fix-unaligned-atomic-access.patch 
@@ -0,0 +1,57 @@ +From ed555aace5a858e187d7798f293a096ea116cfcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jun 2020 21:51:11 +0100 +Subject: netfilter: ipset: fix unaligned atomic access + +From: Russell King + +[ Upstream commit 715028460082d07a7ec6fcd87b14b46784346a72 ] + +When using ip_set with counters and comment, traffic causes the kernel +to panic on 32-bit ARM: + +Alignment trap: not handling instruction e1b82f9f at [] +Unhandled fault: alignment exception (0x221) at 0xea08133c +PC is at ip_set_match_extensions+0xe0/0x224 [ip_set] + +The problem occurs when we try to update the 64-bit counters - the +faulting address above is not 64-bit aligned. The problem occurs +due to the way elements are allocated, for example: + + set->dsize = ip_set_elem_len(set, tb, 0, 0); + map = ip_set_alloc(sizeof(*map) + elements * set->dsize); + +If the element has a requirement for a member to be 64-bit aligned, +and set->dsize is not a multiple of 8, but is a multiple of four, +then every odd numbered elements will be misaligned - and hitting +an atomic64_add() on that element will cause the kernel to panic. + +ip_set_elem_len() must return a size that is rounded to the maximum +alignment of any extension field stored in the element. This change +ensures that is the case. 
+ +Fixes: 95ad1f4a9358 ("netfilter: ipset: Fix extension alignment") +Signed-off-by: Russell King +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index c2b21c9c12295..5c59bbad8d193 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -381,6 +381,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len, + for (id = 0; id < IPSET_EXT_ID_MAX; id++) { + if (!add_extension(id, cadt_flags, tb)) + continue; ++ if (align < ip_set_extensions[id].align) ++ align = ip_set_extensions[id].align; + len = ALIGN(len, ip_set_extensions[id].align); + set->offset[id] = len; + set->extensions |= ip_set_extensions[id].type; +-- +2.25.1 + diff --git a/queue-4.14/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch b/queue-4.14/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch new file mode 100644 index 00000000000..8d7c6e76320 --- /dev/null +++ b/queue-4.14/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch 
@@ -0,0 +1,162 @@ +From 01b440e44079eab73943f450af5efb26924c46d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 13:43:04 +0300 +Subject: RDMA/cma: Protect bind_list and listen_list while finding matching cm + id + +From: Mark Zhang + +[ Upstream commit 730c8912484186d4623d0c76509066d285c3a755 ] + +The bind_list and listen_list must be accessed under a lock, add the +missing locking around the access in cm_ib_id_from_event() + +In addition add lockdep asserts to make it clearer what the locking +semantic is here. + + general protection fault: 0000 [#1] SMP NOPTI + CPU: 226 PID: 126135 Comm: kworker/226:1 Tainted: G OE 4.12.14-150.47-default #1 SLE15 + Hardware name: Cray Inc. Windom/Windom, BIOS 0.8.7 01-10-2020 + Workqueue: ib_cm cm_work_handler [ib_cm] + task: ffff9c5a60a1d2c0 task.stack: ffffc1d91f554000 + RIP: 0010:cma_ib_req_handler+0x3f1/0x11b0 [rdma_cm] + RSP: 0018:ffffc1d91f557b40 EFLAGS: 00010286 + RAX: deacffffffffff30 RBX: 0000000000000001 RCX: ffff9c2af5bb6000 + RDX: 00000000000000a9 RSI: ffff9c5aa4ed2f10 RDI: ffffc1d91f557b08 + RBP: ffffc1d91f557d90 R08: ffff9c340cc80000 R09: ffff9c2c0f901900 + R10: 0000000000000000 R11: 0000000000000001 R12: deacffffffffff30 + R13: ffff9c5a48aeec00 R14: ffffc1d91f557c30 R15: ffff9c5c2eea3688 + FS: 0000000000000000(0000) GS:ffff9c5c2fa80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00002b5cc03fa320 CR3: 0000003f8500a000 CR4: 00000000003406e0 + Call Trace: + ? rdma_addr_cancel+0xa0/0xa0 [ib_core] + ? cm_process_work+0x28/0x140 [ib_cm] + cm_process_work+0x28/0x140 [ib_cm] + ? cm_get_bth_pkey.isra.44+0x34/0xa0 [ib_cm] + cm_work_handler+0xa06/0x1a6f [ib_cm] + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to+0x7c/0x4b0 + ? __switch_to_asm+0x40/0x70 + ? 
__switch_to_asm+0x34/0x70 + process_one_work+0x1da/0x400 + worker_thread+0x2b/0x3f0 + ? process_one_work+0x400/0x400 + kthread+0x118/0x140 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x22/0x40 + Code: 00 66 83 f8 02 0f 84 ca 05 00 00 49 8b 84 24 d0 01 00 00 48 85 c0 0f 84 68 07 00 00 48 2d d0 01 + 00 00 49 89 c4 0f 84 59 07 00 00 <41> 0f b7 44 24 20 49 8b 77 50 66 83 f8 0a 75 9e 49 8b 7c 24 28 + +Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM") +Link: https://lore.kernel.org/r/20200616104304.2426081-1-leon@kernel.org +Signed-off-by: Mark Zhang +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index d901591db9c8e..6e8af2b914929 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1482,6 +1482,8 @@ static struct rdma_id_private *cma_find_listener( + { + struct rdma_id_private *id_priv, *id_priv_dev; + ++ lockdep_assert_held(&lock); ++ + if (!bind_list) + return ERR_PTR(-EINVAL); + +@@ -1530,6 +1532,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id, + } + } + ++ mutex_lock(&lock); + /* + * Net namespace might be getting deleted while route lookup, + * cm_id lookup is in progress. 
Therefore, perform netdevice +@@ -1571,6 +1574,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id, + id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev); + err: + rcu_read_unlock(); ++ mutex_unlock(&lock); + if (IS_ERR(id_priv) && *net_dev) { + dev_put(*net_dev); + *net_dev = NULL; +@@ -2287,6 +2291,8 @@ static void cma_listen_on_dev(struct rdma_id_private *id_priv, + struct net *net = id_priv->id.route.addr.dev_addr.net; + int ret; + ++ lockdep_assert_held(&lock); ++ + if (cma_family(id_priv) == AF_IB && !rdma_cap_ib_cm(cma_dev->device, 1)) + return; + +@@ -2993,6 +2999,8 @@ static void cma_bind_port(struct rdma_bind_list *bind_list, + u64 sid, mask; + __be16 port; + ++ lockdep_assert_held(&lock); ++ + addr = cma_src_addr(id_priv); + port = htons(bind_list->port); + +@@ -3021,6 +3029,8 @@ static int cma_alloc_port(enum rdma_port_space ps, + struct rdma_bind_list *bind_list; + int ret; + ++ lockdep_assert_held(&lock); ++ + bind_list = kzalloc(sizeof *bind_list, GFP_KERNEL); + if (!bind_list) + return -ENOMEM; +@@ -3047,6 +3057,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list, + struct sockaddr *saddr = cma_src_addr(id_priv); + __be16 dport = cma_port(daddr); + ++ lockdep_assert_held(&lock); ++ + hlist_for_each_entry(cur_id, &bind_list->owners, node) { + struct sockaddr *cur_daddr = cma_dst_addr(cur_id); + struct sockaddr *cur_saddr = cma_src_addr(cur_id); +@@ -3086,6 +3098,8 @@ static int cma_alloc_any_port(enum rdma_port_space ps, + unsigned int rover; + struct net *net = id_priv->id.route.addr.dev_addr.net; + ++ lockdep_assert_held(&lock); ++ + inet_get_local_port_range(net, &low, &high); + remaining = (high - low) + 1; + rover = prandom_u32() % remaining + low; +@@ -3133,6 +3147,8 @@ static int cma_check_port(struct rdma_bind_list *bind_list, + struct rdma_id_private *cur_id; + struct sockaddr *addr, *cur_addr; + ++ lockdep_assert_held(&lock); ++ + addr = cma_src_addr(id_priv); + 
hlist_for_each_entry(cur_id, &bind_list->owners, node) { + if (id_priv == cur_id) +@@ -3163,6 +3179,8 @@ static int cma_use_port(enum rdma_port_space ps, + unsigned short snum; + int ret; + ++ lockdep_assert_held(&lock); ++ + snum = ntohs(cma_port(cma_src_addr(id_priv))); + if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)) + return -EACCES; +-- +2.25.1 + diff --git a/queue-4.14/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch b/queue-4.14/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch new file mode 100644 index 00000000000..1bb602ac4bb --- /dev/null +++ b/queue-4.14/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch @@ -0,0 +1,38 @@ +From e76ef17dba6b8d5018e542a0c7fcc89e414a547d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 14:38:24 +0800 +Subject: RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() + +From: Fan Guo + +[ Upstream commit a17f4bed811c60712d8131883cdba11a105d0161 ] + +If ib_dma_mapping_error() returns non-zero value, +ib_mad_post_receive_mads() will jump out of loops and return -ENOMEM +without freeing mad_priv. Fix this memory-leak problem by freeing mad_priv +in this case. + +Fixes: 2c34e68f4261 ("IB/mad: Check and handle potential DMA mapping errors") +Link: https://lore.kernel.org/r/20200612063824.180611-1-guofan5@huawei.com +Signed-off-by: Fan Guo +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 6072ac7023cb7..08d2e9cc28eb4 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2907,6 +2907,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + DMA_FROM_DEVICE); + if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device, + sg_list.addr))) { ++ kfree(mad_priv); + ret = -ENOMEM; + break; + } +-- +2.25.1 + 
diff --git a/queue-4.14/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch b/queue-4.14/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch new file mode 100644 index 00000000000..c2b66643862 --- /dev/null +++ b/queue-4.14/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch 
@@ -0,0 +1,53 @@ +From 189e1b846122251689e0a40ea1be95d032bd6494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 23:01:23 +0100 +Subject: rxrpc: Fix handling of rwind from an ACK packet + +From: David Howells + +[ Upstream commit a2ad7c21ad8cf1ce4ad65e13df1c2a1c29b38ac5 ] + +The handling of the receive window size (rwind) from a received ACK packet +is not correct. The rxrpc_input_ackinfo() function currently checks the +current Tx window size against the rwind from the ACK to see if it has +changed, but then limits the rwind size before storing it in the tx_winsize +member and, if it increased, wake up the transmitting process. This means +that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be +followed. + +Fix this by limiting rwind before we compare it to tx_winsize. + +The effect of this can be seen by enabling the rxrpc_rx_rwind_change +tracepoint. + +Fixes: 702f2ac87a9a ("rxrpc: Wake up the transmitter if Rx window size increases on the peer") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 18ce6f97462b6..98285b117a7c0 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -664,13 +664,12 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb, + ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU), + rwind, ntohl(ackinfo->jumbo_max)); + ++ if (rwind > RXRPC_RXTX_BUFF_SIZE - 1) ++ rwind = RXRPC_RXTX_BUFF_SIZE - 1; + if (call->tx_winsize != rwind) { +- if (rwind > RXRPC_RXTX_BUFF_SIZE - 1) +- rwind = RXRPC_RXTX_BUFF_SIZE - 1; + if (rwind > call->tx_winsize) + wake = true; +- trace_rxrpc_rx_rwind_change(call, sp->hdr.serial, +- ntohl(ackinfo->rwind), wake); ++ trace_rxrpc_rx_rwind_change(call, sp->hdr.serial, rwind, wake); + call->tx_winsize = rwind; + } + +-- +2.25.1 + 
diff --git a/queue-4.14/s390-ptrace-fix-setting-syscall-number.patch b/queue-4.14/s390-ptrace-fix-setting-syscall-number.patch new file mode 100644 index 00000000000..4be969d6598 --- /dev/null +++ b/queue-4.14/s390-ptrace-fix-setting-syscall-number.patch 
@@ -0,0 +1,92 @@ +From f965e272ee73fbb4f91eeee0789560350b2b9cb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2020 16:44:50 +0100 +Subject: s390/ptrace: fix setting syscall number + +From: Sven Schnelle + +[ Upstream commit 873e5a763d604c32988c4a78913a8dab3862d2f9 ] + +When strace wants to update the syscall number, it sets GPR2 +to the desired number and updates the GPR via PTRACE_SETREGSET. +It doesn't update regs->int_code which would cause the old syscall +executed on syscall restart. As we cannot change the ptrace ABI and +don't have a field for the interruption code, check whether the tracee +is in a syscall and the last instruction was svc. In that case assume +that the tracer wants to update the syscall number and copy the GPR2 +value to regs->int_code. + +Signed-off-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 56e0190d6e651..42e4cd20fbbed 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -322,6 +322,25 @@ static inline void __poke_user_per(struct task_struct *child, + child->thread.per_user.end = data; + } + ++static void fixup_int_code(struct task_struct *child, addr_t data) ++{ ++ struct pt_regs *regs = task_pt_regs(child); ++ int ilc = regs->int_code >> 16; ++ u16 insn; ++ ++ if (ilc > 6) ++ return; ++ ++ if (ptrace_access_vm(child, regs->psw.addr - (regs->int_code >> 16), ++ &insn, sizeof(insn), FOLL_FORCE) != sizeof(insn)) ++ return; ++ ++ /* double check that tracee stopped on svc instruction */ ++ if ((insn >> 8) != 0xa) ++ return; ++ ++ regs->int_code = 0x20000 | (data & 0xffff); ++} + /* + * Write a word to the user area of a process at location addr. This + * operation does have an additional problem compared to peek_user. 
+@@ -333,7 +352,9 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) + struct user *dummy = NULL; + addr_t offset; + ++ + if (addr < (addr_t) &dummy->regs.acrs) { ++ struct pt_regs *regs = task_pt_regs(child); + /* + * psw and gprs are stored on the stack + */ +@@ -351,7 +372,11 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) + /* Invalid addressing mode bits */ + return -EINVAL; + } +- *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data; ++ ++ if (test_pt_regs_flag(regs, PIF_SYSCALL) && ++ addr == offsetof(struct user, regs.gprs[2])) ++ fixup_int_code(child, data); ++ *(addr_t *)((addr_t) ®s->psw + addr) = data; + + } else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) { + /* +@@ -717,6 +742,10 @@ static int __poke_user_compat(struct task_struct *child, + regs->psw.mask = (regs->psw.mask & ~PSW_MASK_BA) | + (__u64)(tmp & PSW32_ADDR_AMODE); + } else { ++ ++ if (test_pt_regs_flag(regs, PIF_SYSCALL) && ++ addr == offsetof(struct compat_user, regs.gprs[2])) ++ fixup_int_code(child, data); + /* gpr 0-15 */ + *(__u32*)((addr_t) ®s->psw + addr*2 + 4) = tmp; + } +-- +2.25.1 + diff --git a/queue-4.14/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch b/queue-4.14/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch new file mode 100644 index 00000000000..19c9bc3cf9b --- /dev/null +++ b/queue-4.14/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch 
@@ -0,0 +1,75 @@ +From 2323e06e3d1a90e1c56af06416e34aa0362c0605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Nov 2018 16:32:01 +0100 +Subject: sched/core: Fix PI boosting between RT and DEADLINE tasks + +From: Juri Lelli + +[ Upstream commit 740797ce3a124b7dd22b7fb832d87bc8fba1cf6f ] + +syzbot reported the following warning: + + WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628 + enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504 + +At deadline.c:628 we have: + + 623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se) + 624 { + 625 struct dl_rq *dl_rq = dl_rq_of_se(dl_se); + 626 struct rq *rq = rq_of_dl_rq(dl_rq); + 627 + 628 WARN_ON(dl_se->dl_boosted); + 629 WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline)); + [...] + } + +Which means that setup_new_dl_entity() has been called on a task +currently boosted. This shouldn't happen though, as setup_new_dl_entity() +is only called when the 'dynamic' deadline of the new entity +is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this +condition. + +Digging through the PI code I noticed that what above might in fact happen +if an RT tasks blocks on an rt_mutex hold by a DEADLINE task. In the +first branch of boosting conditions we check only if a pi_task 'dynamic' +deadline is earlier than mutex holder's and in this case we set mutex +holder to be dl_boosted. However, since RT 'dynamic' deadlines are only +initialized if such tasks get boosted at some point (or if they become +DEADLINE of course), in general RT 'dynamic' deadlines are usually equal +to 0 and this verifies the aforementioned condition. + +Fix it by checking that the potential donor task is actually (even if +temporary because in turn boosted) running at DEADLINE priority before +using its 'dynamic' deadline value. 
+ +Fixes: 2d3d891d3344 ("sched/deadline: Add SCHED_DEADLINE inheritance logic") +Reported-by: syzbot+119ba87189432ead09b4@syzkaller.appspotmail.com +Signed-off-by: Juri Lelli +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Reviewed-by: Daniel Bristot de Oliveira +Tested-by: Daniel Wagner +Link: https://lkml.kernel.org/r/20181119153201.GB2119@localhost.localdomain +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 97a27726ea217..c5599174e7450 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3731,7 +3731,8 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task) + */ + if (dl_prio(prio)) { + if (!dl_prio(p->normal_prio) || +- (pi_task && dl_entity_preempt(&pi_task->dl, &p->dl))) { ++ (pi_task && dl_prio(pi_task->prio) && ++ dl_entity_preempt(&pi_task->dl, &p->dl))) { + p->dl.dl_boosted = 1; + queue_flag |= ENQUEUE_REPLENISH; + } else +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 255ed484014..c41169bd541 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -36,3 +36,22 @@ alsa-usb-audio-fix-oob-access-of-mixer-element-list.patch xhci-poll-for-u0-after-disabling-usb2-lpm.patch cifs-smb3-fix-data-inconsistent-when-punch-hole.patch cifs-smb3-fix-data-inconsistent-when-zero-file-range.patch +efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch +arm-dts-nsp-correct-fa2-mailbox-node.patch +rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch +rdma-cma-protect-bind_list-and-listen_list-while-fin.patch +asoc-rockchip-fix-a-reference-count-leak.patch +rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch +net-qed-fix-left-elements-count-calculation.patch +net-qed-fix-nvme-login-fails-over-vfs.patch +net-qed-fix-excessive-qm-ilt-lines-consumption.patch +arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch +usb-gadget-udc-potential-oops-in-error-handling-code.patch +netfilter-ipset-fix-unaligned-atomic-access.patch +net-bcmgenet-use-hardware-padding-of-runt-frames.patch +sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch +ata-libata-fix-usage-of-page-address-by-page_address.patch +net-alx-fix-race-condition-in-alx_remove.patch +s390-ptrace-fix-setting-syscall-number.patch +kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch +blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch diff --git a/queue-4.14/usb-gadget-udc-potential-oops-in-error-handling-code.patch b/queue-4.14/usb-gadget-udc-potential-oops-in-error-handling-code.patch new file mode 100644 index 00000000000..4bc46b51b73 --- /dev/null +++ b/queue-4.14/usb-gadget-udc-potential-oops-in-error-handling-code.patch 
@@ -0,0 +1,38 @@ +From 89ce0020dd4880a30789682ea8fd979fa700d933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 14:27:19 +0300 +Subject: usb: gadget: udc: Potential Oops in error handling code + +From: Dan Carpenter + +[ Upstream commit e55f3c37cb8d31c7e301f46396b2ac6a19eb3a7c ] + +If this is in "transceiver" mode the the ->qwork isn't required and is +a NULL pointer. This can lead to a NULL dereference when we call +destroy_workqueue(udc->qwork). + +Fixes: 3517c31a8ece ("usb: gadget: mv_udc: use devm_xxx for probe") +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/mv_udc_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/mv_udc_core.c b/drivers/usb/gadget/udc/mv_udc_core.c +index 4103bf7cf52ab..62fad60d0c061 100644 +--- a/drivers/usb/gadget/udc/mv_udc_core.c ++++ b/drivers/usb/gadget/udc/mv_udc_core.c +@@ -2317,7 +2317,8 @@ static int mv_udc_probe(struct platform_device *pdev) + return 0; + + err_create_workqueue: +- destroy_workqueue(udc->qwork); ++ if (udc->qwork) ++ destroy_workqueue(udc->qwork); + err_destroy_dma: + dma_pool_destroy(udc->dtd_pool); + err_free_dma: +-- +2.25.1 +
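Review bot: in qed_chain_get_elem_left_u32() (net-qed-fix-left-elements-count-calculation.patch), the new `prod / elem_per_page - cons / elem_per_page` divides u64 values by a u16, whereas the removed lines divided the chain32 indices directly. If this driver can be built for 32-bit targets, an open-coded 64-bit division will not link there, so div_u64() would be safer. A one-line comment on why `prod` is widened by `(u64)U32_MAX + 1` when `prod < cons` would also help the next reader, since the wrap handling is the whole point of the change.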
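Review bot: in qed_send_msg2pf() (net-qed-fix-nvme-login-fails-over-vfs.patch), the total wait for the PF drops by roughly a factor of ten and the commit message does not say so. The old loop was 100 iterations of msleep(25), about 2.5 s; the new one is 90 x 100 us of udelay plus 10 x 25 ms of msleep, about 259 ms. If the shorter ceiling is intended, state it in the commit message or next to the QED_VF_CHANNEL_* defines; if not, QED_VF_CHANNEL_MSLEEP_ITERATIONS needs to be raised to keep the previous budget. Note also that the udelay phase busy-waits for up to 9 ms per request.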
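Review bot: in ip_set_elem_len() (netfilter-ipset-fix-unaligned-atomic-access.patch), the hunk only raises `align` to the largest extension alignment; the initialisation of `align` and the final rounding of the returned length are outside the visible context. Since this is a backport, please confirm that the 4.14 version of the function ends by rounding `len` up to `align`, otherwise the two added lines have no effect on `set->dsize` and odd-numbered elements stay misaligned as described in the commit message.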
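Review bot: in cma_id_from_event() (rdma-cma-protect-bind_list-and-listen_list-while-fin.patch), the new mutex_unlock(&lock) sits under the shared `err:` label, so any `goto err` reached before the added mutex_lock(&lock) would unlock a mutex that is not held. The hunk context does not show the earlier exits of the function, so please confirm that in the 4.14 tree every path to `err:` passes through the lock first. The lockdep_assert_held(&lock) additions in the eight helpers are a good way to document the rule; a short comment at the definition of `lock` naming bind_list and listen_list as the data it protects would complete it.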
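Review bot: in rxrpc_input_ackinfo() (rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch), trace_rxrpc_rx_rwind_change() now receives the clamped `rwind` instead of `ntohl(ackinfo->rwind)`, so the trace can no longer distinguish a peer that advertised an oversized window from one that advertised exactly RXRPC_RXTX_BUFF_SIZE - 1. The commit message points readers at this tracepoint but does not mention the change in what it reports; either say so there or keep the raw value available in the trace.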
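Review bot: in fixup_int_code() (s390-ptrace-fix-setting-syscall-number.patch), the bound check is done on `ilc` but the address passed to ptrace_access_vm() recomputes `regs->int_code >> 16` instead of using the checked variable; use `regs->psw.addr - ilc` so the value that is validated is the value that is used. The constants `0xa` and `0x20000` would read better with a comment or named macro (svc opcode, instruction length 2). In the compat hunk the call passes `data` while the register store uses `tmp`; confirm both carry the same low 16 bits. Style: a blank line is missing between the closing brace of fixup_int_code() and the following comment, and __poke_user() gains a stray empty line.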
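Review bot: in rt_mutex_setprio() (sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch), the added `dl_prio(pi_task->prio)` test has no comment, and the reason for it (an RT donor normally has a 'dynamic' deadline of 0, which makes dl_entity_preempt() succeed spuriously) is only in the commit message. A short comment above the condition saying that the donor's deadline is only meaningful when the donor itself runs at DEADLINE priority would keep the check from being removed as redundant later.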