From: Sasha Levin Date: Fri, 6 Sep 2019 11:18:05 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.4.192~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2e07f43039e312bd389f24ff1cc353183625680c;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/afs-fix-leak-in-afs_lookup_cell_rcu.patch b/queue-4.19/afs-fix-leak-in-afs_lookup_cell_rcu.patch new file mode 100644 index 00000000000..99115bfed9c --- /dev/null +++ b/queue-4.19/afs-fix-leak-in-afs_lookup_cell_rcu.patch @@ -0,0 +1,66 @@ +From dc1eab87e75e951a6bb025f613e3d3aa59526a0a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 22 Aug 2019 13:28:43 +0100 +Subject: afs: Fix leak in afs_lookup_cell_rcu() + +[ Upstream commit a5fb8e6c02d6a518fb2b1a2b8c2471fa77b69436 ] + +Fix a leak on the cell refcount in afs_lookup_cell_rcu() due to +non-clearance of the default error in the case a NULL cell name is passed +and the workstation default cell is used. + +Also put a bit at the end to make sure we don't leak a cell ref if we're +going to be returning an error. + +This leak results in an assertion like the following when the kafs module is +unloaded: + + AFS: Assertion failed + 2 == 1 is false + 0x2 == 0x1 is false + ------------[ cut here ]------------ + kernel BUG at fs/afs/cell.c:770! + ... + RIP: 0010:afs_manage_cells+0x220/0x42f [kafs] + ... + process_one_work+0x4c2/0x82c + ? pool_mayday_timeout+0x1e1/0x1e1 + ? do_raw_spin_lock+0x134/0x175 + worker_thread+0x336/0x4a6 + ? rescuer_thread+0x4af/0x4af + kthread+0x1de/0x1ee + ? kthread_park+0xd4/0xd4 + ret_from_fork+0x24/0x30 + +Fixes: 989782dcdc91 ("afs: Overhaul cell database management") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 6127f0fcd62c4..ee07162d35c7a 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -76,6 +76,7 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net, + cell = rcu_dereference_raw(net->ws_cell); + if (cell) { + afs_get_cell(cell); ++ ret = 0; + break; + } + ret = -EDESTADDRREQ; +@@ -110,6 +111,9 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net, + + done_seqretry(&net->cells_lock, seq); + ++ if (ret != 0 && cell) ++ afs_put_cell(net, cell); ++ + return ret == 0 ? cell : ERR_PTR(ret); + } + +-- +2.20.1 + diff --git a/queue-4.19/bluetooth-btqca-add-a-short-delay-before-downloading.patch b/queue-4.19/bluetooth-btqca-add-a-short-delay-before-downloading.patch new file mode 100644 index 00000000000..22ab61efdd4 --- /dev/null +++ b/queue-4.19/bluetooth-btqca-add-a-short-delay-before-downloading.patch @@ -0,0 +1,42 @@ +From 59953e31f3088a3462e5a12f1df100360e0257e2 Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Tue, 9 Jul 2019 15:44:50 -0700 +Subject: Bluetooth: btqca: Add a short delay before downloading the NVM + +[ Upstream commit 8059ba0bd0e4694e51c2ee6438a77b325f06c0d5 ] + +On WCN3990 downloading the NVM sometimes fails with a "TLV response +size mismatch" error: + +[ 174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin +[ 174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch + +It seems the controller needs a short time after downloading the +firmware before it is ready for the NVM. A delay as short as 1 ms +seems sufficient, make it 10 ms just in case. No event is received +during the delay, hence we don't just silently drop an extra event. + +Signed-off-by: Matthias Kaehlcke +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index ec9e03a6b7786..9e70f7c7e5659 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -363,6 +363,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + return err; + } + ++ /* Give the controller some time to get ready to receive the NVM */ ++ msleep(10); ++ + /* Download NVM configuration */ + config.type = TLV_TYPE_NVM; + if (soc_type == QCA_WCN3990) +-- +2.20.1 + diff --git a/queue-4.19/bluetooth-hidp-let-hidp_send_message-return-number-o.patch b/queue-4.19/bluetooth-hidp-let-hidp_send_message-return-number-o.patch new file mode 100644 index 00000000000..796615755a1 --- /dev/null +++ b/queue-4.19/bluetooth-hidp-let-hidp_send_message-return-number-o.patch @@ -0,0 +1,59 @@ +From c6936fdd24ff7a876c8dd71217bc135118b81113 Mon Sep 17 00:00:00 2001 +From: Fabian Henneke +Date: Mon, 15 Jul 2019 19:40:56 +0200 +Subject: Bluetooth: hidp: Let hidp_send_message return number of queued bytes + +[ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ] + +Let hidp_send_message return the number of successfully queued bytes +instead of an unconditional 0. + +With the return value fixed to 0, other drivers relying on hidp, such as +hidraw, can not return meaningful values from their respective +implementations of write(). In particular, with the current behavior, a +hidraw device's write() will have different return values depending on +whether the device is connected via USB or Bluetooth, which makes it +harder to abstract away the transport layer. + +Signed-off-by: Fabian Henneke +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 253975cce943e..7a31aec0c4a36 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -101,6 +101,7 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock, + { + struct sk_buff *skb; + struct sock *sk = sock->sk; ++ int ret; + + BT_DBG("session %p data %p size %d", session, data, size); + +@@ -114,13 +115,17 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock, + } + + skb_put_u8(skb, hdr); +- if (data && size > 0) ++ if (data && size > 0) { + skb_put_data(skb, data, size); ++ ret = size; ++ } else { ++ ret = 0; ++ } + + skb_queue_tail(transmit, skb); + wake_up_interruptible(sk_sleep(sk)); + +- return 0; ++ return ret; + } + + static int hidp_send_ctrl_message(struct hidp_session *session, +-- +2.20.1 + diff --git a/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch new file mode 100644 index 00000000000..026dc2249a1 --- /dev/null +++ b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch @@ -0,0 +1,91 @@ +From faa750dcd5270f4943a0f982ce316bc188c98a82 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:20 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() + +[ Upstream commit 86968ef21596515958d5f0a40233d02be78ecec0 ] + +Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the +i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be +fixed by postponing the call until later, when the lock is released. + +The following backtrace was triggered by fstests generic/117. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress + 3 locks held by fsstress/650: + #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50 + #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0 + #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810 + CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + __ceph_setxattr+0x2b4/0x810 + __vfs_setxattr+0x66/0x80 + __vfs_setxattr_noperm+0x59/0xf0 + vfs_setxattr+0x81/0xa0 + setxattr+0x115/0x230 + ? filename_lookup+0xc9/0x140 + ? rcu_read_lock_sched_held+0x74/0x80 + ? rcu_sync_lockdep_assert+0x2e/0x60 + ? __sb_start_write+0x142/0x1a0 + ? mnt_want_write+0x20/0x50 + path_setxattr+0xba/0xd0 + __x64_sys_lsetxattr+0x24/0x30 + do_syscall_64+0x50/0x1c0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7ff23514359a + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 0a2d4898ee163..71ea45b0231f9 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -1011,6 +1011,7 @@ int __ceph_setxattr(struct inode *inode, const char *name, + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; + struct ceph_cap_flush *prealloc_cf = NULL; ++ struct ceph_buffer *old_blob = NULL; + int issued; + int err; + int dirty = 0; +@@ -1084,13 +1085,15 @@ retry: + struct ceph_buffer *blob; + + spin_unlock(&ci->i_ceph_lock); +- dout(" preaallocating new blob size=%d\n", required_blob_size); ++ ceph_buffer_put(old_blob); /* Shouldn't be required */ ++ dout(" pre-allocating new blob size=%d\n", required_blob_size); + blob = ceph_buffer_new(required_blob_size, GFP_NOFS); + if (!blob) + goto do_sync_unlocked; + spin_lock(&ci->i_ceph_lock); ++ /* prealloc_blob can't be released while holding i_ceph_lock */ + if (ci->i_xattrs.prealloc_blob) +- ceph_buffer_put(ci->i_xattrs.prealloc_blob); ++ old_blob = ci->i_xattrs.prealloc_blob; + ci->i_xattrs.prealloc_blob = blob; + goto retry; + } +@@ -1106,6 +1109,7 @@ retry: + } + + spin_unlock(&ci->i_ceph_lock); ++ ceph_buffer_put(old_blob); + if (lock_snap_rwsem) + up_read(&mdsc->snap_rwsem); + if (dirty) +-- +2.20.1 + diff --git a/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-16576 b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-16576 new file mode 100644 index 00000000000..d84f6daad33 --- /dev/null +++ b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-16576 @@ -0,0 +1,169 @@ +From 1ee0d068992e603f481d7c5074d98e203410828d Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:21 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in + __ceph_build_xattrs_blob() + +[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ] + +Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in +freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can +be fixed by having this function returning the old blob buffer and have +the callers of this function freeing it when the lock is released. + +The following backtrace was triggered by fstests generic/117. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress + 4 locks held by fsstress/649: + #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0 + #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60 + #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60 + #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60 + CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + __ceph_build_xattrs_blob+0x12b/0x170 + __send_cap+0x302/0x540 + ? __lock_acquire+0x23c/0x1e40 + ? __mark_caps_flushing+0x15c/0x280 + ? _raw_spin_unlock+0x24/0x30 + ceph_check_caps+0x5f0/0xc60 + ceph_flush_dirty_caps+0x7c/0x150 + ? __ia32_sys_fdatasync+0x20/0x20 + ceph_sync_fs+0x5a/0x130 + iterate_supers+0x8f/0xf0 + ksys_sync+0x4f/0xb0 + __ia32_sys_sync+0xa/0x10 + do_syscall_64+0x50/0x1c0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fc6409ab617 + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 5 ++++- + fs/ceph/snap.c | 4 +++- + fs/ceph/super.h | 2 +- + fs/ceph/xattr.c | 11 ++++++++--- + 4 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index a11fa0b6b34d5..db547af01b593 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1280,6 +1280,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + { + struct ceph_inode_info *ci = cap->ci; + struct inode *inode = &ci->vfs_inode; ++ struct ceph_buffer *old_blob = NULL; + struct cap_msg_args arg; + int held, revoking; + int wake = 0; +@@ -1344,7 +1345,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + ci->i_requested_max_size = arg.max_size; + + if (flushing & CEPH_CAP_XATTR_EXCL) { +- __ceph_build_xattrs_blob(ci); ++ old_blob = __ceph_build_xattrs_blob(ci); + arg.xattr_version = ci->i_xattrs.version; + arg.xattr_buf = ci->i_xattrs.blob; + } else { +@@ -1379,6 +1380,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + + spin_unlock(&ci->i_ceph_lock); + ++ ceph_buffer_put(old_blob); ++ + ret = send_cap_msg(&arg); + if (ret < 0) { + dout("error sending cap msg, must requeue %p\n", inode); +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index 1f46b02f73149..5cf7b5f4db947 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -460,6 +460,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + struct inode *inode = &ci->vfs_inode; + struct ceph_cap_snap *capsnap; + struct ceph_snap_context *old_snapc, *new_snapc; ++ struct ceph_buffer *old_blob = NULL; + int used, dirty; + + capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS); +@@ -536,7 +537,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + capsnap->gid = inode->i_gid; + + if (dirty & CEPH_CAP_XATTR_EXCL) { +- __ceph_build_xattrs_blob(ci); ++ old_blob = __ceph_build_xattrs_blob(ci); + capsnap->xattr_blob = + ceph_buffer_get(ci->i_xattrs.blob); + capsnap->xattr_version = ci->i_xattrs.version; +@@ -579,6 +580,7 @@ update_snapc: + } + spin_unlock(&ci->i_ceph_lock); + ++ ceph_buffer_put(old_blob); + kfree(capsnap); + ceph_put_snap_context(old_snapc); + } +diff --git a/fs/ceph/super.h b/fs/ceph/super.h +index d8579a56e5dc2..0180193097905 100644 +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -896,7 +896,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat, + int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int); + ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t); + extern ssize_t ceph_listxattr(struct dentry *, char *, size_t); +-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci); ++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci); + extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci); + extern void __init ceph_xattr_init(void); + extern void ceph_xattr_exit(void); +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 71ea45b0231f9..5e4f3f833e85e 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -734,12 +734,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size, + + /* + * If there are dirty xattrs, reencode xattrs into the prealloc_blob +- * and swap into place. ++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so ++ * that it can be freed by the caller as the i_ceph_lock is likely to be ++ * held. + */ +-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci) ++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci) + { + struct rb_node *p; + struct ceph_inode_xattr *xattr = NULL; ++ struct ceph_buffer *old_blob = NULL; + void *dest; + + dout("__build_xattrs_blob %p\n", &ci->vfs_inode); +@@ -770,12 +773,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci) + dest - ci->i_xattrs.prealloc_blob->vec.iov_base; + + if (ci->i_xattrs.blob) +- ceph_buffer_put(ci->i_xattrs.blob); ++ old_blob = ci->i_xattrs.blob; + ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob; + ci->i_xattrs.prealloc_blob = NULL; + ci->i_xattrs.dirty = false; + ci->i_xattrs.version++; + } ++ ++ return old_blob; + } + + static inline int __get_request_mask(struct inode *in) { +-- +2.20.1 + diff --git a/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch new file mode 100644 index 00000000000..9f10c191337 --- /dev/null +++ b/queue-4.19/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch @@ -0,0 +1,87 @@ +From a0a8c91697099b24d058ab141a42f9a1f7e4f490 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:22 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in fill_inode() + +[ Upstream commit af8a85a41734f37b67ba8ce69d56b685bee4ac48 ] + +Calling ceph_buffer_put() in fill_inode() may result in freeing the +i_xattrs.blob buffer while holding the i_ceph_lock. This can be fixed by +postponing the call until later, when the lock is released. + +The following backtrace was triggered by fstests generic/070. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4 + 6 locks held by kworker/0:4/3852: + #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0 + #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0 + #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476 + #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476 + #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476 + #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70 + CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Workqueue: ceph-msgr ceph_con_workfn + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + fill_inode.isra.0+0xa9b/0xf70 + ceph_fill_trace+0x13b/0xc70 + ? dispatch+0x2eb/0x1476 + dispatch+0x320/0x1476 + ? __mutex_unlock_slowpath+0x4d/0x2a0 + ceph_con_workfn+0xc97/0x2ec0 + ? process_one_work+0x1b8/0x5f0 + process_one_work+0x244/0x5f0 + worker_thread+0x4d/0x3e0 + kthread+0x105/0x140 + ? process_one_work+0x5f0/0x5f0 + ? kthread_park+0x90/0x90 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/inode.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 3e518c2ae2bf9..11f19432a74c4 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -742,6 +742,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + int issued, new_issued, info_caps; + struct timespec64 mtime, atime, ctime; + struct ceph_buffer *xattr_blob = NULL; ++ struct ceph_buffer *old_blob = NULL; + struct ceph_string *pool_ns = NULL; + struct ceph_cap *new_cap = NULL; + int err = 0; +@@ -878,7 +879,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL)) && + le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) { + if (ci->i_xattrs.blob) +- ceph_buffer_put(ci->i_xattrs.blob); ++ old_blob = ci->i_xattrs.blob; + ci->i_xattrs.blob = xattr_blob; + if (xattr_blob) + memcpy(ci->i_xattrs.blob->vec.iov_base, +@@ -1017,8 +1018,8 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + out: + if (new_cap) + ceph_put_cap(mdsc, new_cap); +- if (xattr_blob) +- ceph_buffer_put(xattr_blob); ++ ceph_buffer_put(old_blob); ++ ceph_buffer_put(xattr_blob); + ceph_put_string(pool_ns); + return err; + } +-- +2.20.1 + diff --git a/queue-4.19/cx82310_eth-fix-a-memory-leak-bug.patch b/queue-4.19/cx82310_eth-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..da66d5c30c6 --- /dev/null +++ b/queue-4.19/cx82310_eth-fix-a-memory-leak-bug.patch @@ -0,0 +1,38 @@ +From 3e86dfeea5207db13e479973acd5d924107799a6 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 13:03:38 -0500 +Subject: cx82310_eth: fix a memory leak bug + +[ Upstream commit 1eca92eef18719027d394bf1a2d276f43e7cf886 ] + +In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc(). +Then, the execution waits for the firmware to become ready. If the firmware +is not ready in time, the execution is terminated. However, the allocated +'dev->partial_data' is not deallocated on this path, leading to a memory +leak bug. To fix this issue, free 'dev->partial_data' before returning the +error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cx82310_eth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index 947bea81d9241..dfbdea22fbad9 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -175,7 +175,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + } + if (!timeout) { + dev_err(&udev->dev, "firmware not ready in time\n"); +- return -ETIMEDOUT; ++ ret = -ETIMEDOUT; ++ goto err; + } + + /* enable ethernet mode (?) */ +-- +2.20.1 + diff --git a/queue-4.19/cxgb4-fix-a-memory-leak-bug.patch b/queue-4.19/cxgb4-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..e92565b0191 --- /dev/null +++ b/queue-4.19/cxgb4-fix-a-memory-leak-bug.patch @@ -0,0 +1,37 @@ +From 577887c1a9c1b43f80a9afba536bfc09fa743d5e Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Tue, 13 Aug 2019 04:18:52 -0500 +Subject: cxgb4: fix a memory leak bug + +[ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ] + +In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails, +leading to a memory leak bug. To fix this issue, free t before returning +the error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c +index 0f72f9c4ec74c..b429b726b987b 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c +@@ -3276,8 +3276,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf, + return -ENOMEM; + + err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz); +- if (err) ++ if (err) { ++ kvfree(t); + return err; ++ } + + bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz); + kvfree(t); +-- +2.20.1 + diff --git a/queue-4.19/drm-mediatek-set-dma-max-segment-size.patch b/queue-4.19/drm-mediatek-set-dma-max-segment-size.patch new file mode 100644 index 00000000000..7a8feb61037 --- /dev/null +++ b/queue-4.19/drm-mediatek-set-dma-max-segment-size.patch @@ -0,0 +1,112 @@ +From 80459be04e4198458c08558274dedd8793d8f4b4 Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 29 Jul 2019 14:33:35 +0900 +Subject: drm/mediatek: set DMA max segment size + +[ Upstream commit 070955558e820b9a89c570b91b1f21762f62b288 ] + +This driver requires imported PRIME buffers to appear contiguously in +its IO address space. Make sure this is the case by setting the maximum +DMA segment size to a more suitable value than the default 64KB. + +Signed-off-by: Alexandre Courbot +Reviewed-by: Tomasz Figa +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 35 ++++++++++++++++++++++++-- + drivers/gpu/drm/mediatek/mtk_drm_drv.h | 2 ++ + 2 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index ffb997440851d..f6389479fccb5 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -220,6 +220,7 @@ static int mtk_drm_kms_init(struct drm_device *drm) + struct mtk_drm_private *private = drm->dev_private; + struct platform_device *pdev; + struct device_node *np; ++ struct device *dma_dev; + int ret; + + if (!iommu_present(&platform_bus_type)) +@@ -282,7 +283,29 @@ static int mtk_drm_kms_init(struct drm_device *drm) + goto err_component_unbind; + } + +- private->dma_dev = &pdev->dev; ++ dma_dev = &pdev->dev; ++ private->dma_dev = dma_dev; ++ ++ /* ++ * Configure the DMA segment size to make sure we get contiguous IOVA ++ * when importing PRIME buffers. ++ */ ++ if (!dma_dev->dma_parms) { ++ private->dma_parms_allocated = true; ++ dma_dev->dma_parms = ++ devm_kzalloc(drm->dev, sizeof(*dma_dev->dma_parms), ++ GFP_KERNEL); ++ } ++ if (!dma_dev->dma_parms) { ++ ret = -ENOMEM; ++ goto err_component_unbind; ++ } ++ ++ ret = dma_set_max_seg_size(dma_dev, (unsigned int)DMA_BIT_MASK(32)); ++ if (ret) { ++ dev_err(dma_dev, "Failed to set DMA segment size\n"); ++ goto err_unset_dma_parms; ++ } + + /* + * We don't use the drm_irq_install() helpers provided by the DRM +@@ -292,13 +315,16 @@ static int mtk_drm_kms_init(struct drm_device *drm) + drm->irq_enabled = true; + ret = drm_vblank_init(drm, MAX_CRTC); + if (ret < 0) +- goto err_component_unbind; ++ goto err_unset_dma_parms; + + drm_kms_helper_poll_init(drm); + drm_mode_config_reset(drm); + + return 0; + ++err_unset_dma_parms: ++ if (private->dma_parms_allocated) ++ dma_dev->dma_parms = NULL; + err_component_unbind: + component_unbind_all(drm->dev, drm); + err_config_cleanup: +@@ -309,9 +335,14 @@ err_config_cleanup: + + static void mtk_drm_kms_deinit(struct drm_device *drm) + { ++ struct mtk_drm_private *private = drm->dev_private; ++ + drm_kms_helper_poll_fini(drm); + drm_atomic_helper_shutdown(drm); + ++ if (private->dma_parms_allocated) ++ private->dma_dev->dma_parms = NULL; ++ + component_unbind_all(drm->dev, drm); + drm_mode_config_cleanup(drm); + } +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.h b/drivers/gpu/drm/mediatek/mtk_drm_drv.h +index ecc00ca3221da..8fa60d46f8605 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.h ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.h +@@ -59,6 +59,8 @@ struct mtk_drm_private { + } commit; + + struct drm_atomic_state *suspend_state; ++ ++ bool dma_parms_allocated; + }; + + extern struct platform_driver mtk_ddp_driver; +-- +2.20.1 + diff --git a/queue-4.19/drm-mediatek-use-correct-device-to-import-prime-buff.patch b/queue-4.19/drm-mediatek-use-correct-device-to-import-prime-buff.patch new file mode 100644 index 00000000000..5e57f7e3a0e --- /dev/null +++ b/queue-4.19/drm-mediatek-use-correct-device-to-import-prime-buff.patch @@ -0,0 +1,54 @@ +From 827aa4515d4fdc8acdb169d1b87d857b5875edfe Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 29 Jul 2019 14:33:34 +0900 +Subject: drm/mediatek: use correct device to import PRIME buffers + +[ Upstream commit 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d ] + +PRIME buffers should be imported using the DMA device. To this end, use +a custom import function that mimics drm_gem_prime_import_dev(), but +passes the correct device. + +Fixes: 119f5173628aa ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Alexandre Courbot +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index fd83046d8376b..ffb997440851d 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -327,6 +327,18 @@ static const struct file_operations mtk_drm_fops = { + .compat_ioctl = drm_compat_ioctl, + }; + ++/* ++ * We need to override this because the device used to import the memory is ++ * not dev->dev, as drm_gem_prime_import() expects. ++ */ ++struct drm_gem_object *mtk_drm_gem_prime_import(struct drm_device *dev, ++ struct dma_buf *dma_buf) ++{ ++ struct mtk_drm_private *private = dev->dev_private; ++ ++ return drm_gem_prime_import_dev(dev, dma_buf, private->dma_dev); ++} ++ + static struct drm_driver mtk_drm_driver = { + .driver_features = DRIVER_MODESET | DRIVER_GEM | DRIVER_PRIME | + DRIVER_ATOMIC, +@@ -338,7 +350,7 @@ static struct drm_driver mtk_drm_driver = { + .prime_handle_to_fd = drm_gem_prime_handle_to_fd, + .prime_fd_to_handle = drm_gem_prime_fd_to_handle, + .gem_prime_export = drm_gem_prime_export, +- .gem_prime_import = drm_gem_prime_import, ++ .gem_prime_import = mtk_drm_gem_prime_import, + .gem_prime_get_sg_table = mtk_gem_prime_get_sg_table, + .gem_prime_import_sg_table = mtk_gem_prime_import_sg_table, + .gem_prime_mmap = mtk_drm_gem_mmap_buf, +-- +2.20.1 + diff --git a/queue-4.19/gpio-fix-build-error-of-function-redefinition.patch b/queue-4.19/gpio-fix-build-error-of-function-redefinition.patch new file mode 100644 index 00000000000..326105231de --- /dev/null +++ b/queue-4.19/gpio-fix-build-error-of-function-redefinition.patch @@ -0,0 +1,66 @@ +From 29f3a42c1caef3ce83ce93df5f5292050fec811d Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 31 Jul 2019 20:38:14 +0800 +Subject: gpio: Fix build error of function redefinition + +[ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ] + +when do randbuilding, I got this error: + +In file included from drivers/hwmon/pmbus/ucd9000.c:19:0: +./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ +In file included from drivers/hwmon/pmbus/ucd9000.c:18:0: +./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ + +Reported-by: Hulk Robot +Fixes: 964cb341882f ("gpio: move pincontrol calls to ") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + include/linux/gpio.h | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/include/linux/gpio.h b/include/linux/gpio.h +index 39745b8bdd65d..b3115d1a7d494 100644 +--- a/include/linux/gpio.h ++++ b/include/linux/gpio.h +@@ -240,30 +240,6 @@ static inline int irq_to_gpio(unsigned irq) + return -EINVAL; + } + +-static inline int +-gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, +- unsigned int gpio_offset, unsigned int pin_offset, +- unsigned int npins) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline int +-gpiochip_add_pingroup_range(struct gpio_chip *chip, +- struct pinctrl_dev *pctldev, +- unsigned int gpio_offset, const char *pin_group) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline void +-gpiochip_remove_pin_ranges(struct gpio_chip *chip) +-{ +- WARN_ON(1); +-} +- + static inline int devm_gpio_request(struct device *dev, unsigned gpio, + const char *label) + { +-- +2.20.1 + diff --git a/queue-4.19/hid-cp2112-prevent-sleeping-function-called-from-inv.patch b/queue-4.19/hid-cp2112-prevent-sleeping-function-called-from-inv.patch new file mode 100644 index 00000000000..a2e7f567a83 --- /dev/null +++ b/queue-4.19/hid-cp2112-prevent-sleeping-function-called-from-inv.patch @@ -0,0 +1,52 @@ +From 1ab990902fd46abf71582564770b7a9efa16b97c Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 12 Aug 2019 18:04:44 +0200 +Subject: HID: cp2112: prevent sleeping function called from invalid context + +[ Upstream commit 2d05dba2b25ecb0f8fc3a0b4eb2232da6454a47b ] + +When calling request_threaded_irq() with a CP2112, the function +cp2112_gpio_irq_startup() is called in a IRQ context. + +Therefore we can not sleep, and we can not call +cp2112_gpio_direction_input() there. + +Move the call to cp2112_gpio_direction_input() earlier to have a working +driver. + +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 271f31461da42..6f65f52572368 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -1160,8 +1160,6 @@ static unsigned int cp2112_gpio_irq_startup(struct irq_data *d) + + INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback); + +- cp2112_gpio_direction_input(gc, d->hwirq); +- + if (!dev->gpio_poll) { + dev->gpio_poll = true; + schedule_delayed_work(&dev->gpio_poll_worker, 0); +@@ -1209,6 +1207,12 @@ static int __maybe_unused cp2112_allocate_irq(struct cp2112_device *dev, + return PTR_ERR(dev->desc[pin]); + } + ++ ret = cp2112_gpio_direction_input(&dev->gc, pin); ++ if (ret < 0) { ++ dev_err(dev->gc.parent, "Failed to set GPIO to input dir\n"); ++ goto err_desc; ++ } ++ + ret = gpiochip_lock_as_irq(&dev->gc, pin); + if (ret) { + dev_err(dev->gc.parent, "Failed to lock GPIO as interrupt\n"); +-- +2.20.1 + diff --git a/queue-4.19/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch b/queue-4.19/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch new file mode 100644 index 00000000000..949d31fad60 --- /dev/null +++ b/queue-4.19/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch @@ -0,0 +1,52 @@ +From f14ef40f14f1dec73879aee093a6cda691dcb8b3 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Fri, 9 Aug 2019 01:58:08 +0000 +Subject: hv_netvsc: Fix a warning of suspicious RCU usage + +[ Upstream commit 6d0d779dca73cd5acb649c54f81401f93098b298 ] + +This fixes a warning of "suspicious rcu_dereference_check() usage" +when nload runs. + +Fixes: 776e726bfb34 ("netvsc: fix RCU warning in get_stats") +Signed-off-by: Dexuan Cui +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index cc60ef9634db2..6f6c0dbd91fc8 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1248,12 +1248,15 @@ static void netvsc_get_stats64(struct net_device *net, + struct rtnl_link_stats64 *t) + { + struct net_device_context *ndev_ctx = netdev_priv(net); +- struct netvsc_device *nvdev = rcu_dereference_rtnl(ndev_ctx->nvdev); ++ struct netvsc_device *nvdev; + struct netvsc_vf_pcpu_stats vf_tot; + int i; + ++ rcu_read_lock(); ++ ++ nvdev = rcu_dereference(ndev_ctx->nvdev); + if (!nvdev) +- return; ++ goto out; + + netdev_stats_to_stats64(t, &net->stats); + +@@ -1292,6 +1295,8 @@ static void netvsc_get_stats64(struct net_device *net, + t->rx_packets += packets; + t->multicast += multicast; + } ++out: ++ rcu_read_unlock(); + } + + static int netvsc_set_mac_addr(struct net_device *ndev, void *p) +-- +2.20.1 + diff --git a/queue-4.19/ib-mlx4-fix-memory-leaks.patch b/queue-4.19/ib-mlx4-fix-memory-leaks.patch new file mode 100644 index 00000000000..063eb3d591b --- /dev/null +++ b/queue-4.19/ib-mlx4-fix-memory-leaks.patch @@ -0,0 +1,46 @@ +From a61520a8c7d7fee41f90ac7d9aafdd598f3e0880 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 18 Aug 2019 15:23:01 -0500 +Subject: IB/mlx4: Fix memory leaks + +[ Upstream commit 5c1baaa82cea2c815a5180ded402a7cd455d1810 ] + +In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through +kcalloc(). However, it is not always deallocated in the following execution +if an error occurs, leading to memory leaks. To fix this issue, free +'tun_qp->tx_ring' whenever an error occurs. + +Signed-off-by: Wenwen Wang +Acked-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1566159781-4642-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index e5466d786bb1e..5aaa2a6c431b6 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1668,8 +1668,6 @@ tx_err: + tx_buf_size, DMA_TO_DEVICE); + kfree(tun_qp->tx_ring[i].buf.addr); + } +- kfree(tun_qp->tx_ring); +- tun_qp->tx_ring = NULL; + i = MLX4_NUM_TUNNEL_BUFS; + err: + while (i > 0) { +@@ -1678,6 +1676,8 @@ err: + rx_buf_size, DMA_FROM_DEVICE); + kfree(tun_qp->ring[i].addr); + } ++ kfree(tun_qp->tx_ring); ++ tun_qp->tx_ring = NULL; + kfree(tun_qp->ring); + tun_qp->ring = NULL; + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.19/ibmveth-convert-multicast-list-size-for-little-endia.patch b/queue-4.19/ibmveth-convert-multicast-list-size-for-little-endia.patch new file mode 100644 index 00000000000..ee89844a873 --- /dev/null +++ b/queue-4.19/ibmveth-convert-multicast-list-size-for-little-endia.patch @@ -0,0 +1,59 @@ +From e14a2c2c9e108ff03f3e9c7385191004731c9df0 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Mon, 12 Aug 2019 16:13:06 -0500 +Subject: ibmveth: Convert multicast list size for little-endian system + +[ Upstream commit 66cf4710b23ab2adda11155684a2c8826f4fe732 ] + +The ibm,mac-address-filters property defines the maximum number of +addresses the hypervisor's multicast filter list can support. It is +encoded as a big-endian integer in the OF device tree, but the virtual +ethernet driver does not convert it for use by little-endian systems. +As a result, the driver is not behaving as it should on affected systems +when a large number of multicast addresses are assigned to the device. + +Reported-by: Hangbin Liu +Signed-off-by: Thomas Falcon +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index f70cb4d3c6846..40ad1e5032553 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1618,7 +1618,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + struct net_device *netdev; + struct ibmveth_adapter *adapter; + unsigned char *mac_addr_p; +- unsigned int *mcastFilterSize_p; ++ __be32 *mcastFilterSize_p; + long ret; + unsigned long ret_attr; + +@@ -1640,8 +1640,9 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + return -EINVAL; + } + +- mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev, +- VETH_MCAST_FILTER_SIZE, NULL); ++ mcastFilterSize_p = (__be32 *)vio_get_attribute(dev, ++ VETH_MCAST_FILTER_SIZE, ++ NULL); + if (!mcastFilterSize_p) { + dev_err(&dev->dev, "Can't find VETH_MCAST_FILTER_SIZE " + "attribute\n"); +@@ -1658,7 +1659,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + + adapter->vdev = dev; + adapter->netdev = netdev; +- adapter->mcastFilterSize = *mcastFilterSize_p; ++ adapter->mcastFilterSize = be32_to_cpu(*mcastFilterSize_p); + adapter->pool_config = 0; + + netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16); +-- +2.20.1 + diff --git a/queue-4.19/ibmvnic-unmap-dma-address-of-tx-descriptor-buffers-a.patch b/queue-4.19/ibmvnic-unmap-dma-address-of-tx-descriptor-buffers-a.patch new file mode 100644 index 00000000000..f20f8b2faea --- /dev/null +++ b/queue-4.19/ibmvnic-unmap-dma-address-of-tx-descriptor-buffers-a.patch @@ -0,0 +1,61 @@ +From ba68b9a34f32a48f56b789f62b989bc06ac1a728 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Wed, 14 Aug 2019 14:57:05 -0500 +Subject: ibmvnic: Unmap DMA address of TX descriptor buffers after use + +[ Upstream commit 80f0fe0934cd3daa13a5e4d48a103f469115b160 ] + +There's no need to wait until a completion is received to unmap +TX descriptor buffers that have been passed to the hypervisor. +Instead unmap it when the hypervisor call has completed. This patch +avoids the possibility that a buffer will not be unmapped because +a TX completion is lost or mishandled. + +Reported-by: Abdul Haleem +Tested-by: Devesh K. Singh +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 0ae43d27cdcff..255de7d68cd33 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1586,6 +1586,8 @@ static int ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) + lpar_rc = send_subcrq_indirect(adapter, handle_array[queue_num], + (u64)tx_buff->indir_dma, + (u64)num_entries); ++ dma_unmap_single(dev, tx_buff->indir_dma, ++ sizeof(tx_buff->indir_arr), DMA_TO_DEVICE); + } else { + tx_buff->num_entries = num_entries; + lpar_rc = send_subcrq(adapter, handle_array[queue_num], +@@ -2747,7 +2749,6 @@ static int ibmvnic_complete_tx(struct ibmvnic_adapter *adapter, + union sub_crq *next; + int index; + int i, j; +- u8 *first; + + restart_loop: + while (pending_scrq(adapter, scrq)) { +@@ -2777,14 +2778,6 @@ restart_loop: + + txbuff->data_dma[j] = 0; + } +- /* if sub_crq was sent indirectly */ +- first = &txbuff->indir_arr[0].generic.first; +- if (*first == IBMVNIC_CRQ_CMD) { +- dma_unmap_single(dev, txbuff->indir_dma, +- sizeof(txbuff->indir_arr), +- DMA_TO_DEVICE); +- *first = 0; +- } + + if (txbuff->last_frag) { + dev_kfree_skb_any(txbuff->skb); +-- +2.20.1 + diff --git a/queue-4.19/infiniband-hfi1-fix-a-memory-leak-bug.patch b/queue-4.19/infiniband-hfi1-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..ac673001eb9 --- /dev/null +++ b/queue-4.19/infiniband-hfi1-fix-a-memory-leak-bug.patch @@ -0,0 +1,45 @@ +From 94d98935ea0d1db1d75b3f9aea3b36ae8346cb32 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 18 Aug 2019 14:29:31 -0500 +Subject: infiniband: hfi1: fix a memory leak bug + +[ Upstream commit b08afa064c320e5d85cdc27228426b696c4c8dae ] + +In fault_opcodes_read(), 'data' is not deallocated if debugfs_file_get() +fails, leading to a memory leak. To fix this bug, introduce the 'free_data' +label to free 'data' before returning the error. + +Signed-off-by: Wenwen Wang +Reviewed-by: Leon Romanovsky +Acked-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/1566156571-4335-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/fault.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c +index 7eaff4dcbfd77..72ca0dc5f3b59 100644 +--- a/drivers/infiniband/hw/hfi1/fault.c ++++ b/drivers/infiniband/hw/hfi1/fault.c +@@ -214,7 +214,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf, + return -ENOMEM; + ret = debugfs_file_get(file->f_path.dentry); + if (unlikely(ret)) +- return ret; ++ goto free_data; + bit = find_first_bit(fault->opcodes, bitsize); + while (bit < bitsize) { + zero = find_next_zero_bit(fault->opcodes, bitsize, bit); +@@ -232,6 +232,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf, + data[size - 1] = '\n'; + data[size] = '\0'; + ret = simple_read_from_buffer(buf, len, pos, data, size); ++free_data: + kfree(data); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/infiniband-hfi1-fix-memory-leaks.patch b/queue-4.19/infiniband-hfi1-fix-memory-leaks.patch new file mode 100644 index 00000000000..768bf8f1171 --- /dev/null +++ b/queue-4.19/infiniband-hfi1-fix-memory-leaks.patch @@ -0,0 +1,55 @@ +From 208d60a90d11eabc61dbd4dceea2a57b86aa57af Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 18 Aug 2019 13:54:46 -0500 +Subject: infiniband: hfi1: fix memory leaks + +[ Upstream commit 2323d7baab2b18d87d9bc267452e387aa9f0060a ] + +In fault_opcodes_write(), 'data' is allocated through kcalloc(). However, +it is not deallocated in the following execution if an error occurs, +leading to memory leaks. To fix this issue, introduce the 'free_data' label +to free 'data' before returning the error. + +Signed-off-by: Wenwen Wang +Reviewed-by: Leon Romanovsky +Acked-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/1566154486-3713-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/fault.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c +index 72ca0dc5f3b59..5bc811b7e6cf9 100644 +--- a/drivers/infiniband/hw/hfi1/fault.c ++++ b/drivers/infiniband/hw/hfi1/fault.c +@@ -141,12 +141,14 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf, + if (!data) + return -ENOMEM; + copy = min(len, datalen - 1); +- if (copy_from_user(data, buf, copy)) +- return -EFAULT; ++ if (copy_from_user(data, buf, copy)) { ++ ret = -EFAULT; ++ goto free_data; ++ } + + ret = debugfs_file_get(file->f_path.dentry); + if (unlikely(ret)) +- return ret; ++ goto free_data; + ptr = data; + token = ptr; + for (ptr = data; *ptr; ptr = end + 1, token = ptr) { +@@ -195,6 +197,7 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf, + ret = len; + + debugfs_file_put(file->f_path.dentry); ++free_data: + kfree(data); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch b/queue-4.19/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch new file mode 100644 index 00000000000..42cc3d38f9c --- /dev/null +++ b/queue-4.19/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch @@ -0,0 +1,74 @@ +From 361f69c6bcf77ccc4da56d87199612b1a38a2958 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Tue, 20 Aug 2019 03:01:23 +0000 +Subject: Input: hyperv-keyboard: Use in-place iterator API in the channel + callback + +[ Upstream commit d09bc83640d524b8467a660db7b1d15e6562a1de ] + +Simplify the ring buffer handling with the in-place API. + +Also avoid the dynamic allocation and the memory leak in the channel +callback function. + +Signed-off-by: Dexuan Cui +Acked-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/hyperv-keyboard.c | 35 +++++---------------------- + 1 file changed, 6 insertions(+), 29 deletions(-) + +diff --git a/drivers/input/serio/hyperv-keyboard.c b/drivers/input/serio/hyperv-keyboard.c +index a8b9be3e28db7..7d0a5ccf57751 100644 +--- a/drivers/input/serio/hyperv-keyboard.c ++++ b/drivers/input/serio/hyperv-keyboard.c +@@ -245,40 +245,17 @@ static void hv_kbd_handle_received_packet(struct hv_device *hv_dev, + + static void hv_kbd_on_channel_callback(void *context) + { ++ struct vmpacket_descriptor *desc; + struct hv_device *hv_dev = context; +- void *buffer; +- int bufferlen = 0x100; /* Start with sensible size */ + u32 bytes_recvd; + u64 req_id; +- int error; + +- buffer = kmalloc(bufferlen, GFP_ATOMIC); +- if (!buffer) +- return; +- +- while (1) { +- error = vmbus_recvpacket_raw(hv_dev->channel, buffer, bufferlen, +- &bytes_recvd, &req_id); +- switch (error) { +- case 0: +- if (bytes_recvd == 0) { +- kfree(buffer); +- return; +- } +- +- hv_kbd_handle_received_packet(hv_dev, buffer, +- bytes_recvd, req_id); +- break; ++ foreach_vmbus_pkt(desc, hv_dev->channel) { ++ bytes_recvd = desc->len8 * 8; ++ req_id = desc->trans_id; + +- case -ENOBUFS: +- kfree(buffer); +- /* Handle large packet */ +- bufferlen = bytes_recvd; +- buffer = kmalloc(bytes_recvd, GFP_ATOMIC); +- if (!buffer) +- return; +- break; +- } ++ hv_kbd_handle_received_packet(hv_dev, desc, bytes_recvd, ++ req_id); + } + } + +-- +2.20.1 + diff --git a/queue-4.19/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch b/queue-4.19/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch new file mode 100644 index 00000000000..972115208c5 --- /dev/null +++ b/queue-4.19/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch @@ -0,0 +1,159 @@ +From af766cb674c077df9585a5dc8c737db6283bc501 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Mon, 12 Aug 2019 20:43:02 +0200 +Subject: kprobes: Fix potential deadlock in kprobe_optimizer() + +[ Upstream commit f1c6ece23729257fb46562ff9224cf5f61b818da ] + +lockdep reports the following deadlock scenario: + + WARNING: possible circular locking dependency detected + + kworker/1:1/48 is trying to acquire lock: + 000000008d7a62b2 (text_mutex){+.+.}, at: kprobe_optimizer+0x163/0x290 + + but task is already holding lock: + 00000000850b5e2d (module_mutex){+.+.}, at: kprobe_optimizer+0x31/0x290 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (module_mutex){+.+.}: + __mutex_lock+0xac/0x9f0 + mutex_lock_nested+0x1b/0x20 + set_all_modules_text_rw+0x22/0x90 + ftrace_arch_code_modify_prepare+0x1c/0x20 + ftrace_run_update_code+0xe/0x30 + ftrace_startup_enable+0x2e/0x50 + ftrace_startup+0xa7/0x100 + register_ftrace_function+0x27/0x70 + arm_kprobe+0xb3/0x130 + enable_kprobe+0x83/0xa0 + enable_trace_kprobe.part.0+0x2e/0x80 + kprobe_register+0x6f/0xc0 + perf_trace_event_init+0x16b/0x270 + perf_kprobe_init+0xa7/0xe0 + perf_kprobe_event_init+0x3e/0x70 + perf_try_init_event+0x4a/0x140 + perf_event_alloc+0x93a/0xde0 + __do_sys_perf_event_open+0x19f/0xf30 + __x64_sys_perf_event_open+0x20/0x30 + do_syscall_64+0x65/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + -> #0 (text_mutex){+.+.}: + __lock_acquire+0xfcb/0x1b60 + lock_acquire+0xca/0x1d0 + __mutex_lock+0xac/0x9f0 + mutex_lock_nested+0x1b/0x20 + kprobe_optimizer+0x163/0x290 + process_one_work+0x22b/0x560 + worker_thread+0x50/0x3c0 + kthread+0x112/0x150 + ret_from_fork+0x3a/0x50 + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(module_mutex); + lock(text_mutex); + lock(module_mutex); + lock(text_mutex); + + *** DEADLOCK *** + +As a reproducer I've been using bcc's funccount.py +(https://github.com/iovisor/bcc/blob/master/tools/funccount.py), +for example: + + # ./funccount.py '*interrupt*' + +That immediately triggers the lockdep splat. + +Fix by acquiring text_mutex before module_mutex in kprobe_optimizer(). + +Signed-off-by: Andrea Righi +Acked-by: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: David S. Miller +Cc: Linus Torvalds +Cc: Naveen N. Rao +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: d5b844a2cf50 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()") +Link: http://lkml.kernel.org/r/20190812184302.GA7010@xps-13 +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 29ff6635d2597..714d63f60460b 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -483,6 +483,7 @@ static DECLARE_DELAYED_WORK(optimizing_work, kprobe_optimizer); + */ + static void do_optimize_kprobes(void) + { ++ lockdep_assert_held(&text_mutex); + /* + * The optimization/unoptimization refers online_cpus via + * stop_machine() and cpu-hotplug modifies online_cpus. +@@ -500,9 +501,7 @@ static void do_optimize_kprobes(void) + list_empty(&optimizing_list)) + return; + +- mutex_lock(&text_mutex); + arch_optimize_kprobes(&optimizing_list); +- mutex_unlock(&text_mutex); + } + + /* +@@ -513,6 +512,7 @@ static void do_unoptimize_kprobes(void) + { + struct optimized_kprobe *op, *tmp; + ++ lockdep_assert_held(&text_mutex); + /* See comment in do_optimize_kprobes() */ + lockdep_assert_cpus_held(); + +@@ -520,7 +520,6 @@ static void do_unoptimize_kprobes(void) + if (list_empty(&unoptimizing_list)) + return; + +- mutex_lock(&text_mutex); + arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); + /* Loop free_list for disarming */ + list_for_each_entry_safe(op, tmp, &freeing_list, list) { +@@ -537,7 +536,6 @@ static void do_unoptimize_kprobes(void) + } else + list_del_init(&op->list); + } +- mutex_unlock(&text_mutex); + } + + /* Reclaim all kprobes on the free_list */ +@@ -563,6 +561,7 @@ static void kprobe_optimizer(struct work_struct *work) + { + mutex_lock(&kprobe_mutex); + cpus_read_lock(); ++ mutex_lock(&text_mutex); + /* Lock modules while optimizing kprobes */ + mutex_lock(&module_mutex); + +@@ -590,6 +589,7 @@ static void kprobe_optimizer(struct work_struct *work) + do_free_cleaned_kprobes(); + + mutex_unlock(&module_mutex); ++ mutex_unlock(&text_mutex); + cpus_read_unlock(); + mutex_unlock(&kprobe_mutex); + +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm-arm64-only-skip-mmio-insn-once.patch b/queue-4.19/kvm-arm-arm64-only-skip-mmio-insn-once.patch new file mode 100644 index 00000000000..4a37a1e992c --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-only-skip-mmio-insn-once.patch @@ -0,0 +1,56 @@ +From 7f6a758b4106168cfa62c95c7da18dd3673deb8e Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 22 Aug 2019 13:03:05 +0200 +Subject: KVM: arm/arm64: Only skip MMIO insn once + +[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ] + +If after an MMIO exit to userspace a VCPU is immediately run with an +immediate_exit request, such as when a signal is delivered or an MMIO +emulation completion is needed, then the VCPU completes the MMIO +emulation and immediately returns to userspace. As the exit_reason +does not get changed from KVM_EXIT_MMIO in these cases we have to +be careful not to complete the MMIO emulation again, when the VCPU is +eventually run again, because the emulation does an instruction skip +(and doing too many skips would be a waste of guest code :-) We need +to use additional VCPU state to track if the emulation is complete. +As luck would have it, we already have 'mmio_needed', which even +appears to be used in this way by other architectures already. + +Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation") +Acked-by: Mark Rutland +Signed-off-by: Andrew Jones +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/mmio.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c +index 08443a15e6be8..3caee91bca089 100644 +--- a/virt/kvm/arm/mmio.c ++++ b/virt/kvm/arm/mmio.c +@@ -98,6 +98,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + unsigned int len; + int mask; + ++ /* Detect an already handled MMIO return */ ++ if (unlikely(!vcpu->mmio_needed)) ++ return 0; ++ ++ vcpu->mmio_needed = 0; ++ + if (!run->mmio.is_write) { + len = run->mmio.len; + if (len > sizeof(unsigned long)) +@@ -200,6 +206,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + run->mmio.is_write = is_write; + run->mmio.phys_addr = fault_ipa; + run->mmio.len = len; ++ vcpu->mmio_needed = 1; + + if (!ret) { + /* We handled the access successfully in the kernel. */ +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm-arm64-vgic-properly-initialise-private-irq-a.patch b/queue-4.19/kvm-arm-arm64-vgic-properly-initialise-private-irq-a.patch new file mode 100644 index 00000000000..5aa7080d17e --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-vgic-properly-initialise-private-irq-a.patch @@ -0,0 +1,116 @@ +From 4182d4003e9bd04e0845958a288d710b707f94e5 Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Fri, 23 Aug 2019 11:34:16 +0100 +Subject: KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity + +[ Upstream commit 2e16f3e926ed48373c98edea85c6ad0ef69425d1 ] + +At the moment we initialise the target *mask* of a virtual IRQ to the +VCPU it belongs to, even though this mask is only defined for GICv2 and +quickly runs out of bits for many GICv3 guests. +This behaviour triggers an UBSAN complaint for more than 32 VCPUs: +------ +[ 5659.462377] UBSAN: Undefined behaviour in virt/kvm/arm/vgic/vgic-init.c:223:21 +[ 5659.471689] shift exponent 32 is too large for 32-bit type 'unsigned int' +------ +Also for GICv3 guests the reporting of TARGET in the "vgic-state" debugfs +dump is wrong, due to this very same problem. + +Because there is no requirement to create the VGIC device before the +VCPUs (and QEMU actually does it the other way round), we can't safely +initialise mpidr or targets in kvm_vgic_vcpu_init(). But since we touch +every private IRQ for each VCPU anyway later (in vgic_init()), we can +just move the initialisation of those fields into there, where we +definitely know the VGIC type. + +On the way make sure we really have either a VGICv2 or a VGICv3 device, +since the existing code is just checking for "VGICv3 or not", silently +ignoring the uninitialised case. + +Signed-off-by: Andre Przywara +Reported-by: Dave Martin +Tested-by: Julien Grall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/vgic/vgic-init.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c +index 8196e4f8731fb..cd75df25fe140 100644 +--- a/virt/kvm/arm/vgic/vgic-init.c ++++ b/virt/kvm/arm/vgic/vgic-init.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include "vgic.h" + +@@ -175,12 +176,18 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis) + irq->vcpu = NULL; + irq->target_vcpu = vcpu0; + kref_init(&irq->refcount); +- if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V2) { ++ switch (dist->vgic_model) { ++ case KVM_DEV_TYPE_ARM_VGIC_V2: + irq->targets = 0; + irq->group = 0; +- } else { ++ break; ++ case KVM_DEV_TYPE_ARM_VGIC_V3: + irq->mpidr = 0; + irq->group = 1; ++ break; ++ default: ++ kfree(dist->spis); ++ return -EINVAL; + } + } + return 0; +@@ -220,7 +227,6 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu) + irq->intid = i; + irq->vcpu = NULL; + irq->target_vcpu = vcpu; +- irq->targets = 1U << vcpu->vcpu_id; + kref_init(&irq->refcount); + if (vgic_irq_is_sgi(i)) { + /* SGIs */ +@@ -230,11 +236,6 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu) + /* PPIs */ + irq->config = VGIC_CONFIG_LEVEL; + } +- +- if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) +- irq->group = 1; +- else +- irq->group = 0; + } + + if (!irqchip_in_kernel(vcpu->kvm)) +@@ -297,10 +298,19 @@ int vgic_init(struct kvm *kvm) + + for (i = 0; i < VGIC_NR_PRIVATE_IRQS; i++) { + struct vgic_irq *irq = &vgic_cpu->private_irqs[i]; +- if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) ++ switch (dist->vgic_model) { ++ case KVM_DEV_TYPE_ARM_VGIC_V3: + irq->group = 1; +- else ++ irq->mpidr = kvm_vcpu_get_mpidr_aff(vcpu); ++ break; ++ case KVM_DEV_TYPE_ARM_VGIC_V2: + irq->group = 0; ++ irq->targets = 1U << idx; ++ break; ++ default: ++ ret = -EINVAL; ++ goto out; ++ } + } + } + +-- +2.20.1 + diff --git a/queue-4.19/lan78xx-fix-memory-leaks.patch b/queue-4.19/lan78xx-fix-memory-leaks.patch new file mode 100644 index 00000000000..d7613ca3042 --- /dev/null +++ b/queue-4.19/lan78xx-fix-memory-leaks.patch @@ -0,0 +1,53 @@ +From 57db682d62ce9aad906c9f8122b449714875c544 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 11:23:13 -0500 +Subject: lan78xx: Fix memory leaks + +[ Upstream commit b9cbf8a64865b50fd0f4a3915fa00ac7365cdf8f ] + +In lan78xx_probe(), a new urb is allocated through usb_alloc_urb() and +saved to 'dev->urb_intr'. However, in the following execution, if an error +occurs, 'dev->urb_intr' is not deallocated, leading to memory leaks. To fix +this issue, invoke usb_free_urb() to free the allocated urb before +returning from the function. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 8d140495da79d..e20266bd209e2 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3799,7 +3799,7 @@ static int lan78xx_probe(struct usb_interface *intf, + ret = register_netdev(netdev); + if (ret != 0) { + netif_err(dev, probe, netdev, "couldn't register the device\n"); +- goto out3; ++ goto out4; + } + + usb_set_intfdata(intf, dev); +@@ -3814,12 +3814,14 @@ static int lan78xx_probe(struct usb_interface *intf, + + ret = lan78xx_phy_init(dev); + if (ret < 0) +- goto out4; ++ goto out5; + + return 0; + +-out4: ++out5: + unregister_netdev(netdev); ++out4: ++ usb_free_urb(dev->urb_intr); + out3: + lan78xx_unbind(dev, intf); + out2: +-- +2.20.1 + diff --git a/queue-4.19/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch b/queue-4.19/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch new file mode 100644 index 00000000000..9af84d4c31c --- /dev/null +++ b/queue-4.19/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch @@ -0,0 +1,32 @@ +From b980edf5eee2f7c5d083d0f6201dd96cca49ed64 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:19 +0100 +Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer + +[ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ] + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + include/linux/ceph/buffer.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h +index 5e58bb29b1a36..11cdc7c60480f 100644 +--- a/include/linux/ceph/buffer.h ++++ b/include/linux/ceph/buffer.h +@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b) + + static inline void ceph_buffer_put(struct ceph_buffer *b) + { +- kref_put(&b->kref, ceph_buffer_release); ++ if (b) ++ kref_put(&b->kref, ceph_buffer_release); + } + + extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end); +-- +2.20.1 + diff --git a/queue-4.19/liquidio-add-cleanup-in-octeon_setup_iq.patch b/queue-4.19/liquidio-add-cleanup-in-octeon_setup_iq.patch new file mode 100644 index 00000000000..c82e73a134e --- /dev/null +++ b/queue-4.19/liquidio-add-cleanup-in-octeon_setup_iq.patch @@ -0,0 +1,37 @@ +From 0d9e1348526f7f084f9dceac339bb1637c0fff52 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 00:14:49 -0500 +Subject: liquidio: add cleanup in octeon_setup_iq() + +[ Upstream commit 6f967f8b1be7001b31c46429f2ee7d275af2190f ] + +If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading +to memory/resource leaks. To fix this issue, invoke +octeon_delete_instr_queue() before returning from the function. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 8f746e1348d4c..3deb3c07681fd 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -238,8 +238,10 @@ int octeon_setup_iq(struct octeon_device *oct, + } + + oct->num_iqs++; +- if (oct->fn_list.enable_io_queues(oct)) ++ if (oct->fn_list.enable_io_queues(oct)) { ++ octeon_delete_instr_queue(oct, iq_no); + return 1; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/net-cavium-fix-driver-name.patch b/queue-4.19/net-cavium-fix-driver-name.patch new file mode 100644 index 00000000000..1bb11c34470 --- /dev/null +++ b/queue-4.19/net-cavium-fix-driver-name.patch @@ -0,0 +1,37 @@ +From 2743a4bc01f5f68763b64661f2b0cc344339a9dd Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Thu, 15 Aug 2019 12:49:49 -0700 +Subject: net: cavium: fix driver name + +[ Upstream commit 3434341004a380f4e47c3a03d4320d43982162a0 ] + +The driver name gets exposed in sysfs under /sys/bus/pci/drivers +so it should look like other devices. Change it to be common +format (instead of "Cavium PTP"). + +This is a trivial fix that was observed by accident because +Debian kernels were building this driver into kernel (bug). + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/common/cavium_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/common/cavium_ptp.c b/drivers/net/ethernet/cavium/common/cavium_ptp.c +index 6aeb1045c302a..1ab40c97403ba 100644 +--- a/drivers/net/ethernet/cavium/common/cavium_ptp.c ++++ b/drivers/net/ethernet/cavium/common/cavium_ptp.c +@@ -10,7 +10,7 @@ + + #include "cavium_ptp.h" + +-#define DRV_NAME "Cavium PTP Driver" ++#define DRV_NAME "cavium_ptp" + + #define PCI_DEVICE_ID_CAVIUM_PTP 0xA00C + #define PCI_DEVICE_ID_CAVIUM_RST 0xA00E +-- +2.20.1 + diff --git a/queue-4.19/net-kalmia-fix-memory-leaks.patch b/queue-4.19/net-kalmia-fix-memory-leaks.patch new file mode 100644 index 00000000000..6bb7c300227 --- /dev/null +++ b/queue-4.19/net-kalmia-fix-memory-leaks.patch @@ -0,0 +1,46 @@ +From 423eb0f119443d9c8d66c7eeefce96c64c21004c Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 13:56:43 -0500 +Subject: net: kalmia: fix memory leaks + +[ Upstream commit f1472cb09f11ddb41d4be84f0650835cb65a9073 ] + +In kalmia_init_and_get_ethernet_addr(), 'usb_buf' is allocated through +kmalloc(). In the following execution, if the 'status' returned by +kalmia_send_init_packet() is not 0, 'usb_buf' is not deallocated, leading +to memory leaks. To fix this issue, add the 'out' label to free 'usb_buf'. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/kalmia.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c +index bd2ba36590288..0cc6993c279a2 100644 +--- a/drivers/net/usb/kalmia.c ++++ b/drivers/net/usb/kalmia.c +@@ -117,16 +117,16 @@ kalmia_init_and_get_ethernet_addr(struct usbnet *dev, u8 *ethernet_addr) + status = kalmia_send_init_packet(dev, usb_buf, ARRAY_SIZE(init_msg_1), + usb_buf, 24); + if (status != 0) +- return status; ++ goto out; + + memcpy(usb_buf, init_msg_2, 12); + status = kalmia_send_init_packet(dev, usb_buf, ARRAY_SIZE(init_msg_2), + usb_buf, 28); + if (status != 0) +- return status; ++ goto out; + + memcpy(ethernet_addr, usb_buf + 10, ETH_ALEN); +- ++out: + kfree(usb_buf); + return status; + } +-- +2.20.1 + diff --git a/queue-4.19/net-myri10ge-fix-memory-leaks.patch b/queue-4.19/net-myri10ge-fix-memory-leaks.patch new file mode 100644 index 00000000000..5c387efabb8 --- /dev/null +++ b/queue-4.19/net-myri10ge-fix-memory-leaks.patch @@ -0,0 +1,36 @@ +From e46dc91a66d41dad4fd744fdd18ca7bf86c1bda9 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 01:38:39 -0500 +Subject: net: myri10ge: fix memory leaks + +[ Upstream commit 20fb7c7a39b5c719e2e619673b5f5729ee7d2306 ] + +In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices +related structures. Later on, myri10ge_request_irq() is used to get an irq. +However, if this process fails, the allocated slices related structures are +not deallocated, leading to memory leaks. To fix this issue, revise the +target label of the goto statement to 'abort_with_slices'. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index b2d2ec8c11e2d..6789eed78ff70 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3922,7 +3922,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + * setup (if available). */ + status = myri10ge_request_irq(mgp); + if (status != 0) +- goto abort_with_firmware; ++ goto abort_with_slices; + myri10ge_free_irq(mgp); + + /* Save configuration space to be restored if the +-- +2.20.1 + diff --git a/queue-4.19/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch b/queue-4.19/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch new file mode 100644 index 00000000000..3817e9bcaff --- /dev/null +++ b/queue-4.19/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch @@ -0,0 +1,54 @@ +From 01d67f16741e75969fad975d9c31b9ed7659140f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sun, 11 Aug 2019 20:13:45 -0700 +Subject: net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx + +[ Upstream commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 ] + +clang warns: + +drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical +'&&' with constant operand [-Wconstant-logical-operand] + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^ ~~~~~~~~~~~~ +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a +bitwise operation + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^~ + & +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to +silence this warning + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ~^~~~~~~~~~~~~~~ +1 warning generated. + +Explicitly check that NET_IP_ALIGN is not zero, which matches how this +is checked in other parts of the tree. Because NET_IP_ALIGN is a build +time constant, this check will be constant folded away during +optimization. + +Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature") +Link: https://github.com/ClangBuiltLinux/linux/issues/608 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/tc35815.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/toshiba/tc35815.c b/drivers/net/ethernet/toshiba/tc35815.c +index cce9c9ed46aa9..9146068979d2c 100644 +--- a/drivers/net/ethernet/toshiba/tc35815.c ++++ b/drivers/net/ethernet/toshiba/tc35815.c +@@ -1497,7 +1497,7 @@ tc35815_rx(struct net_device *dev, int limit) + pci_unmap_single(lp->pci_dev, + lp->rx_skbs[cur_bd].skb_dma, + RX_BUF_SIZE, PCI_DMA_FROMDEVICE); +- if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) ++ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0) + memmove(skb->data, skb->data - NET_IP_ALIGN, + pkt_len); + data = skb_put(skb, pkt_len); +-- +2.20.1 + diff --git a/queue-4.19/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch b/queue-4.19/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch new file mode 100644 index 00000000000..c6b10dfc25f --- /dev/null +++ b/queue-4.19/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch @@ -0,0 +1,49 @@ +From e443bfbeb536e1cf037684ba5e03af9f1d3da167 Mon Sep 17 00:00:00 2001 +From: Fuqian Huang +Date: Fri, 9 Aug 2019 13:35:39 +0800 +Subject: net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq + in IRQ context + +[ Upstream commit 8c25d0887a8bd0e1ca2074ac0c6dff173787a83b ] + +As spin_unlock_irq will enable interrupts. +Function tsi108_stat_carry is called from interrupt handler tsi108_irq. +Interrupts are enabled in interrupt handler. +Use spin_lock_irqsave/spin_unlock_irqrestore instead of spin_(un)lock_irq +in IRQ context to avoid this. + +Signed-off-by: Fuqian Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/tundra/tsi108_eth.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c +index edcd1e60b30d1..f076050c8ad37 100644 +--- a/drivers/net/ethernet/tundra/tsi108_eth.c ++++ b/drivers/net/ethernet/tundra/tsi108_eth.c +@@ -383,9 +383,10 @@ tsi108_stat_carry_one(int carry, int carry_bit, int carry_shift, + static void tsi108_stat_carry(struct net_device *dev) + { + struct tsi108_prv_data *data = netdev_priv(dev); ++ unsigned long flags; + u32 carry1, carry2; + +- spin_lock_irq(&data->misclock); ++ spin_lock_irqsave(&data->misclock, flags); + + carry1 = TSI_READ(TSI108_STAT_CARRY1); + carry2 = TSI_READ(TSI108_STAT_CARRY2); +@@ -453,7 +454,7 @@ static void tsi108_stat_carry(struct net_device *dev) + TSI108_STAT_TXPAUSEDROP_CARRY, + &data->tx_pause_drop); + +- spin_unlock_irq(&data->misclock); ++ spin_unlock_irqrestore(&data->misclock, flags); + } + + /* Read a stat counter atomically with respect to carries. +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nf_tables-use-after-free-in-failing-rule-w.patch b/queue-4.19/netfilter-nf_tables-use-after-free-in-failing-rule-w.patch new file mode 100644 index 00000000000..221beb9e117 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-use-after-free-in-failing-rule-w.patch @@ -0,0 +1,143 @@ +From 3516672500f2ef87f690a0d551becd004cc8f576 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 9 Aug 2019 11:01:27 +0200 +Subject: netfilter: nf_tables: use-after-free in failing rule with bound set + +[ Upstream commit 6a0a8d10a3661a036b55af695542a714c429ab7c ] + +If a rule that has already a bound anonymous set fails to be added, the +preparation phase releases the rule and the bound set. However, the +transaction object from the abort path still has a reference to the set +object that is stale, leading to a use-after-free when checking for the +set->bound field. Add a new field to the transaction that specifies if +the set is bound, so the abort path can skip releasing it since the rule +command owns it and it takes care of releasing it. After this update, +the set->bound field is removed. + +[ 24.649883] Unable to handle kernel paging request at virtual address 0000000000040434 +[ 24.657858] Mem abort info: +[ 24.660686] ESR = 0x96000004 +[ 24.663769] Exception class = DABT (current EL), IL = 32 bits +[ 24.669725] SET = 0, FnV = 0 +[ 24.672804] EA = 0, S1PTW = 0 +[ 24.675975] Data abort info: +[ 24.678880] ISV = 0, ISS = 0x00000004 +[ 24.682743] CM = 0, WnR = 0 +[ 24.685723] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000428952000 +[ 24.692207] [0000000000040434] pgd=0000000000000000 +[ 24.697119] Internal error: Oops: 96000004 [#1] SMP +[...] +[ 24.889414] Call trace: +[ 24.891870] __nf_tables_abort+0x3f0/0x7a0 +[ 24.895984] nf_tables_abort+0x20/0x40 +[ 24.899750] nfnetlink_rcv_batch+0x17c/0x588 +[ 24.904037] nfnetlink_rcv+0x13c/0x190 +[ 24.907803] netlink_unicast+0x18c/0x208 +[ 24.911742] netlink_sendmsg+0x1b0/0x350 +[ 24.915682] sock_sendmsg+0x4c/0x68 +[ 24.919185] ___sys_sendmsg+0x288/0x2c8 +[ 24.923037] __sys_sendmsg+0x7c/0xd0 +[ 24.926628] __arm64_sys_sendmsg+0x2c/0x38 +[ 24.930744] el0_svc_common.constprop.0+0x94/0x158 +[ 24.935556] el0_svc_handler+0x34/0x90 +[ 24.939322] el0_svc+0x8/0xc +[ 24.942216] Code: 37280300 f9404023 91014262 aa1703e0 (f9401863) +[ 24.948336] ---[ end trace cebbb9dcbed3b56f ]--- + +Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 9 +++++++-- + net/netfilter/nf_tables_api.c | 15 ++++++++++----- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index f2be5d041ba3a..7685cbda9f28b 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -418,8 +418,7 @@ struct nft_set { + unsigned char *udata; + /* runtime data below here */ + const struct nft_set_ops *ops ____cacheline_aligned; +- u16 flags:13, +- bound:1, ++ u16 flags:14, + genmask:2; + u8 klen; + u8 dlen; +@@ -1337,12 +1336,15 @@ struct nft_trans_rule { + struct nft_trans_set { + struct nft_set *set; + u32 set_id; ++ bool bound; + }; + + #define nft_trans_set(trans) \ + (((struct nft_trans_set *)trans->data)->set) + #define nft_trans_set_id(trans) \ + (((struct nft_trans_set *)trans->data)->set_id) ++#define nft_trans_set_bound(trans) \ ++ (((struct nft_trans_set *)trans->data)->bound) + + struct nft_trans_chain { + bool update; +@@ -1373,12 +1375,15 @@ struct nft_trans_table { + struct nft_trans_elem { + struct nft_set *set; + struct nft_set_elem elem; ++ bool bound; + }; + + #define nft_trans_elem_set(trans) \ + (((struct nft_trans_elem *)trans->data)->set) + #define nft_trans_elem(trans) \ + (((struct nft_trans_elem *)trans->data)->elem) ++#define nft_trans_elem_set_bound(trans) \ ++ (((struct nft_trans_elem *)trans->data)->bound) + + struct nft_trans_obj { + struct nft_object *obj; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 29ff59dd99ace..2145581d7b3dc 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -121,9 +121,14 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + return; + + list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { +- if (trans->msg_type == NFT_MSG_NEWSET && +- nft_trans_set(trans) == set) { +- set->bound = true; ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWSET: ++ if (nft_trans_set(trans) == set) ++ nft_trans_set_bound(trans) = true; ++ break; ++ case NFT_MSG_NEWSETELEM: ++ if (nft_trans_elem_set(trans) == set) ++ nft_trans_elem_set_bound(trans) = true; + break; + } + } +@@ -6656,7 +6661,7 @@ static int __nf_tables_abort(struct net *net) + break; + case NFT_MSG_NEWSET: + trans->ctx.table->use--; +- if (nft_trans_set(trans)->bound) { ++ if (nft_trans_set_bound(trans)) { + nft_trans_destroy(trans); + break; + } +@@ -6668,7 +6673,7 @@ static int __nf_tables_abort(struct net *net) + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: +- if (nft_trans_elem_set(trans)->bound) { ++ if (nft_trans_elem_set_bound(trans)) { + nft_trans_destroy(trans); + break; + } +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nft_flow_offload-skip-tcp-rst-and-fin-pack.patch b/queue-4.19/netfilter-nft_flow_offload-skip-tcp-rst-and-fin-pack.patch new file mode 100644 index 00000000000..8f1482719c4 --- /dev/null +++ b/queue-4.19/netfilter-nft_flow_offload-skip-tcp-rst-and-fin-pack.patch @@ -0,0 +1,61 @@ +From 9bd2a4f0d6f70efae3eb21be81dddb8855816fb2 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 13 Aug 2019 17:41:13 +0200 +Subject: netfilter: nft_flow_offload: skip tcp rst and fin packets + +[ Upstream commit dfe42be15fde16232340b8b2a57c359f51cc10d9 ] + +TCP rst and fin packets do not qualify to place a flow into the +flowtable. Most likely there will be no more packets after connection +closure. Without this patch, this flow entry expires and connection +tracking picks up the entry in ESTABLISHED state using the fixup +timeout, which makes this look inconsistent to the user for a connection +that is actually already closed. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_flow_offload.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index 6e0c26025ab13..69decbe2c9884 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -71,11 +71,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, + { + struct nft_flow_offload *priv = nft_expr_priv(expr); + struct nf_flowtable *flowtable = &priv->flowtable->data; ++ struct tcphdr _tcph, *tcph = NULL; + enum ip_conntrack_info ctinfo; + struct nf_flow_route route; + struct flow_offload *flow; + enum ip_conntrack_dir dir; +- bool is_tcp = false; + struct nf_conn *ct; + int ret; + +@@ -88,7 +88,10 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, + + switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) { + case IPPROTO_TCP: +- is_tcp = true; ++ tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, ++ sizeof(_tcph), &_tcph); ++ if (unlikely(!tcph || tcph->fin || tcph->rst)) ++ goto out; + break; + case IPPROTO_UDP: + break; +@@ -115,7 +118,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, + if (!flow) + goto err_flow_alloc; + +- if (is_tcp) { ++ if (tcph) { + ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; + ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; + } +-- +2.20.1 + diff --git a/queue-4.19/nvme-multipath-fix-possible-i-o-hang-when-paths-are-.patch b/queue-4.19/nvme-multipath-fix-possible-i-o-hang-when-paths-are-.patch new file mode 100644 index 00000000000..66d8b48cf9d --- /dev/null +++ b/queue-4.19/nvme-multipath-fix-possible-i-o-hang-when-paths-are-.patch @@ -0,0 +1,50 @@ +From 63115c866fadd517907a0f6f562a405d987a3b9e Mon Sep 17 00:00:00 2001 +From: Anton Eidelman +Date: Mon, 12 Aug 2019 23:00:36 +0300 +Subject: nvme-multipath: fix possible I/O hang when paths are updated + +[ Upstream commit 504db087aaccdb32af61539916409f7dca31ceb5 ] + +nvme_state_set_live() making a path available triggers requeue_work +in order to resubmit requests that ended up on requeue_list when no +paths were available. + +This requeue_work may race with concurrent nvme_ns_head_make_request() +that do not observe the live path yet. +Such concurrent requests may by made by either: +- New IO submission. +- Requeue_work triggered by nvme_failover_req() or another ana_work. + +A race may cause requeue_work capture the state of requeue_list before +more requests get onto the list. These requests will stay on the list +forever unless requeue_work is triggered again. + +In order to prevent such race, nvme_state_set_live() should +synchronize_srcu(&head->srcu) before triggering the requeue_work and +prevent nvme_ns_head_make_request referencing an old snapshot of the +path list. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Anton Eidelman +Signed-off-by: Sagi Grimberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 05d6371c7f385..f57feb8fdea45 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -323,6 +323,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + "failed to create id group.\n"); + } + ++ synchronize_srcu(&ns->head->srcu); + kblockd_schedule_work(&ns->head->requeue_work); + } + +-- +2.20.1 + diff --git a/queue-4.19/ravb-fix-use-after-free-ravb_tstamp_skb.patch b/queue-4.19/ravb-fix-use-after-free-ravb_tstamp_skb.patch new file mode 100644 index 00000000000..34098fc114c --- /dev/null +++ b/queue-4.19/ravb-fix-use-after-free-ravb_tstamp_skb.patch @@ -0,0 +1,70 @@ +From 98190a5259fd43f5e8f799926d13e276b25e0534 Mon Sep 17 00:00:00 2001 +From: Tho Vu +Date: Fri, 16 Aug 2019 17:17:02 +0200 +Subject: ravb: Fix use-after-free ravb_tstamp_skb + +[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ] + +When a Tx timestamp is requested, a pointer to the skb is stored in the +ravb_tstamp_skb struct. This was done without an skb_get. There exists +the possibility that the skb could be freed by ravb_tx_free (when +ravb_tx_free is called from ravb_start_xmit) before the timestamp was +processed, leading to a use-after-free bug. + +Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate +frees/consumes when a ravb_tstamp_skb struct is freed. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Tho Vu +Signed-off-by: Kazuya Mizuguchi +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 5f092bbd05148..5462d2e8a1b71 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* Renesas Ethernet AVB device driver + * +- * Copyright (C) 2014-2015 Renesas Electronics Corporation ++ * Copyright (C) 2014-2019 Renesas Electronics Corporation + * Copyright (C) 2015 Renesas Solutions Corp. + * Copyright (C) 2015-2016 Cogent Embedded, Inc. + * +@@ -514,7 +514,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev) + kfree(ts_skb); + if (tag == tfa_tag) { + skb_tstamp_tx(skb, &shhwtstamps); ++ dev_consume_skb_any(skb); + break; ++ } else { ++ dev_kfree_skb_any(skb); + } + } + ravb_modify(ndev, TCCR, TCCR_TFR, TCCR_TFR); +@@ -1556,7 +1559,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) + DMA_TO_DEVICE); + goto unmap; + } +- ts_skb->skb = skb; ++ ts_skb->skb = skb_get(skb); + ts_skb->tag = priv->ts_skb_tag++; + priv->ts_skb_tag &= 0x3ff; + list_add_tail(&ts_skb->list, &priv->ts_skb_list); +@@ -1685,6 +1688,7 @@ static int ravb_close(struct net_device *ndev) + /* Clear the timestamp list */ + list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) { + list_del(&ts_skb->list); ++ kfree_skb(ts_skb->skb); + kfree(ts_skb); + } + +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-gnl.l-memory-leak-on-adapter-init-f.patch b/queue-4.19/scsi-qla2xxx-fix-gnl.l-memory-leak-on-adapter-init-f.patch new file mode 100644 index 00000000000..dab40713e26 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-gnl.l-memory-leak-on-adapter-init-f.patch @@ -0,0 +1,80 @@ +From 0e59538d6dd0faf3c5b6f2ea7531bb23a1e2191b Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Wed, 14 Aug 2019 10:24:41 -0400 +Subject: scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure + +[ Upstream commit 26fa656e9a0cbccddf7db132ea020d2169dbe46e ] + +If HBA initialization fails unexpectedly (exiting via probe_failed:), we +may fail to free vha->gnl.l. So that we don't attempt to double free, set +this pointer to NULL after a free and check for NULL at probe_failed: so we +know whether or not to call dma_free_coherent. + +Signed-off-by: Bill Kuzeja +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_attr.c | 2 ++ + drivers/scsi/qla2xxx/qla_os.c | 11 ++++++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index f8f4d3ea67f3f..15d493f30810f 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2191,6 +2191,8 @@ qla24xx_vport_delete(struct fc_vport *fc_vport) + dma_free_coherent(&ha->pdev->dev, vha->gnl.size, vha->gnl.l, + vha->gnl.ldma); + ++ vha->gnl.l = NULL; ++ + vfree(vha->scan.l); + + if (vha->qpair && vha->qpair->vp_idx == vha->vp_idx) { +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 42b8f0d3e580d..02fa81f122c22 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3395,6 +3395,12 @@ skip_dpc: + return 0; + + probe_failed: ++ if (base_vha->gnl.l) { ++ dma_free_coherent(&ha->pdev->dev, base_vha->gnl.size, ++ base_vha->gnl.l, base_vha->gnl.ldma); ++ base_vha->gnl.l = NULL; ++ } ++ + if (base_vha->timer_active) + qla2x00_stop_timer(base_vha); + base_vha->flags.online = 0; +@@ -3624,7 +3630,7 @@ qla2x00_remove_one(struct pci_dev *pdev) + if (!atomic_read(&pdev->enable_cnt)) { + dma_free_coherent(&ha->pdev->dev, base_vha->gnl.size, + base_vha->gnl.l, base_vha->gnl.ldma); +- ++ base_vha->gnl.l = NULL; + scsi_host_put(base_vha->host); + kfree(ha); + pci_set_drvdata(pdev, NULL); +@@ -3663,6 +3669,8 @@ qla2x00_remove_one(struct pci_dev *pdev) + dma_free_coherent(&ha->pdev->dev, + base_vha->gnl.size, base_vha->gnl.l, base_vha->gnl.ldma); + ++ base_vha->gnl.l = NULL; ++ + vfree(base_vha->scan.l); + + if (IS_QLAFX00(ha)) +@@ -4602,6 +4610,7 @@ struct scsi_qla_host *qla2x00_create_host(struct scsi_host_template *sht, + "Alloc failed for scan database.\n"); + dma_free_coherent(&ha->pdev->dev, vha->gnl.size, + vha->gnl.l, vha->gnl.ldma); ++ vha->gnl.l = NULL; + scsi_remove_host(vha->host); + return NULL; + } +-- +2.20.1 + diff --git a/queue-4.19/scsi-target-tcmu-avoid-use-after-free-after-command-.patch b/queue-4.19/scsi-target-tcmu-avoid-use-after-free-after-command-.patch new file mode 100644 index 00000000000..c63d658af01 --- /dev/null +++ b/queue-4.19/scsi-target-tcmu-avoid-use-after-free-after-command-.patch @@ -0,0 +1,79 @@ +From 8212f0c232f0bc53e550e9ffda84ba4c5c32eb3f Mon Sep 17 00:00:00 2001 +From: Dmitry Fomichev +Date: Sun, 11 Aug 2019 11:25:10 -0700 +Subject: scsi: target: tcmu: avoid use-after-free after command timeout + +[ Upstream commit a86a75865ff4d8c05f355d1750a5250aec89ab15 ] + +In tcmu_handle_completion() function, the variable called read_len is +always initialized with a value taken from se_cmd structure. If this +function is called to complete an expired (timed out) out command, the +session command pointed by se_cmd is likely to be already deallocated by +the target core at that moment. As the result, this access triggers a +use-after-free warning from KASAN. + +This patch fixes the code not to touch se_cmd when completing timed out +TCMU commands. It also resets the pointer to se_cmd at the time when the +TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid +after calling target_complete_cmd() later in the same function, +tcmu_check_expired_cmd(). + +Signed-off-by: Dmitry Fomichev +Acked-by: Mike Christie +Reviewed-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index c46efa47d68a5..7159e8363b83b 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -1143,14 +1143,16 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry * + struct se_cmd *se_cmd = cmd->se_cmd; + struct tcmu_dev *udev = cmd->tcmu_dev; + bool read_len_valid = false; +- uint32_t read_len = se_cmd->data_length; ++ uint32_t read_len; + + /* + * cmd has been completed already from timeout, just reclaim + * data area space and free cmd + */ +- if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) ++ if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) { ++ WARN_ON_ONCE(se_cmd); + goto out; ++ } + + list_del_init(&cmd->queue_entry); + +@@ -1163,6 +1165,7 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry * + goto done; + } + ++ read_len = se_cmd->data_length; + if (se_cmd->data_direction == DMA_FROM_DEVICE && + (entry->hdr.uflags & TCMU_UFLAG_READ_LEN) && entry->rsp.read_len) { + read_len_valid = true; +@@ -1318,6 +1321,7 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data) + */ + scsi_status = SAM_STAT_CHECK_CONDITION; + list_del_init(&cmd->queue_entry); ++ cmd->se_cmd = NULL; + } else { + list_del_init(&cmd->queue_entry); + idr_remove(&udev->commands, id); +@@ -2036,6 +2040,7 @@ static void tcmu_reset_ring(struct tcmu_dev *udev, u8 err_level) + + idr_remove(&udev->commands, i); + if (!test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) { ++ WARN_ON(!cmd->se_cmd); + list_del_init(&cmd->queue_entry); + if (err_level == 1) { + /* +-- +2.20.1 + diff --git a/queue-4.19/selftests-kvm-fix-state-save-load-on-processors-with.patch b/queue-4.19/selftests-kvm-fix-state-save-load-on-processors-with.patch new file mode 100644 index 00000000000..e0724427f4a --- /dev/null +++ b/queue-4.19/selftests-kvm-fix-state-save-load-on-processors-with.patch @@ -0,0 +1,55 @@ +From 83cb4b86df1c1aaab0371fb2ab370e490315662a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 20 Aug 2019 17:35:52 +0200 +Subject: selftests: kvm: fix state save/load on processors without XSAVE + +[ Upstream commit 54577e5018a8c0cb79c9a0fa118a55c68715d398 ] + +state_test and smm_test are failing on older processors that do not +have xcr0. This is because on those processor KVM does provide +support for KVM_GET/SET_XSAVE (to avoid having to rely on the older +KVM_GET/SET_FPU) but not for KVM_GET/SET_XCRS. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/lib/x86.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/kvm/lib/x86.c b/tools/testing/selftests/kvm/lib/x86.c +index a3122f1949a8e..4d35eba73dc97 100644 +--- a/tools/testing/selftests/kvm/lib/x86.c ++++ b/tools/testing/selftests/kvm/lib/x86.c +@@ -809,9 +809,11 @@ struct kvm_x86_state *vcpu_save_state(struct kvm_vm *vm, uint32_t vcpuid) + TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XSAVE, r: %i", + r); + +- r = ioctl(vcpu->fd, KVM_GET_XCRS, &state->xcrs); +- TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XCRS, r: %i", +- r); ++ if (kvm_check_cap(KVM_CAP_XCRS)) { ++ r = ioctl(vcpu->fd, KVM_GET_XCRS, &state->xcrs); ++ TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_XCRS, r: %i", ++ r); ++ } + + r = ioctl(vcpu->fd, KVM_GET_SREGS, &state->sregs); + TEST_ASSERT(r == 0, "Unexpected result from KVM_GET_SREGS, r: %i", +@@ -858,9 +860,11 @@ void vcpu_load_state(struct kvm_vm *vm, uint32_t vcpuid, struct kvm_x86_state *s + TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XSAVE, r: %i", + r); + +- r = ioctl(vcpu->fd, KVM_SET_XCRS, &state->xcrs); +- TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XCRS, r: %i", +- r); ++ if (kvm_check_cap(KVM_CAP_XCRS)) { ++ r = ioctl(vcpu->fd, KVM_SET_XCRS, &state->xcrs); ++ TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_XCRS, r: %i", ++ r); ++ } + + r = ioctl(vcpu->fd, KVM_SET_SREGS, &state->sregs); + TEST_ASSERT(r == 0, "Unexpected result from KVM_SET_SREGS, r: %i", +-- +2.20.1 + diff --git a/queue-4.19/selftests-kvm-make-platform_info_test-pass-on-amd.patch b/queue-4.19/selftests-kvm-make-platform_info_test-pass-on-amd.patch new file mode 100644 index 00000000000..fb88f4d7216 --- /dev/null +++ b/queue-4.19/selftests-kvm-make-platform_info_test-pass-on-amd.patch @@ -0,0 +1,36 @@ +From 44723a90c83f040ad7757e8d44e066474dbf941a Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 10 Jun 2019 19:22:55 +0200 +Subject: selftests/kvm: make platform_info_test pass on AMD + +[ Upstream commit e4427372398c31f57450565de277f861a4db5b3b ] + +test_msr_platform_info_disabled() generates EXIT_SHUTDOWN but VMCB state +is undefined after that so an attempt to launch this guest again from +test_msr_platform_info_enabled() fails. Reorder the tests to make test +pass. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/platform_info_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/platform_info_test.c b/tools/testing/selftests/kvm/platform_info_test.c +index 3764e71212650..65db510dddc34 100644 +--- a/tools/testing/selftests/kvm/platform_info_test.c ++++ b/tools/testing/selftests/kvm/platform_info_test.c +@@ -100,8 +100,8 @@ int main(int argc, char *argv[]) + msr_platform_info = vcpu_get_msr(vm, VCPU_ID, MSR_PLATFORM_INFO); + vcpu_set_msr(vm, VCPU_ID, MSR_PLATFORM_INFO, + msr_platform_info | MSR_PLATFORM_INFO_MAX_TURBO_RATIO); +- test_msr_platform_info_disabled(vm); + test_msr_platform_info_enabled(vm); ++ test_msr_platform_info_disabled(vm); + vcpu_set_msr(vm, VCPU_ID, MSR_PLATFORM_INFO, msr_platform_info); + + kvm_vm_free(vm); +-- +2.20.1 + diff --git a/queue-4.19/tools-bpftool-fix-error-message-prog-object.patch b/queue-4.19/tools-bpftool-fix-error-message-prog-object.patch new file mode 100644 index 00000000000..e6914b0de24 --- /dev/null +++ b/queue-4.19/tools-bpftool-fix-error-message-prog-object.patch @@ -0,0 +1,35 @@ +From 5ac24972c8f41c463974aceb7d6bfd05a34a7ba0 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Tue, 6 Aug 2019 17:19:22 -0700 +Subject: tools: bpftool: fix error message (prog -> object) + +[ Upstream commit b3e78adcbf991a4e8b2ebb23c9889e968ec76c5f ] + +Change an error message to work for any object being +pinned not just programs. + +Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool") +Signed-off-by: Jakub Kicinski +Reviewed-by: Quentin Monnet +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index fcaf00621102f..be7aebff0c1e5 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -238,7 +238,7 @@ int do_pin_any(int argc, char **argv, int (*get_fd_by_id)(__u32)) + + fd = get_fd_by_id(id); + if (fd < 0) { +- p_err("can't get prog by id (%u): %s", id, strerror(errno)); ++ p_err("can't open object by id (%u): %s", id, strerror(errno)); + return -1; + } + +-- +2.20.1 + diff --git a/queue-4.19/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch b/queue-4.19/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch new file mode 100644 index 00000000000..be9cd56e42b --- /dev/null +++ b/queue-4.19/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch @@ -0,0 +1,43 @@ +From 6e234942c7a8e807db8b66c334f7193705363dcc Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 19 Aug 2019 16:44:09 +0200 +Subject: Tools: hv: kvp: eliminate 'may be used uninitialized' warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 89eb4d8d25722a0a0194cf7fa47ba602e32a6da7 ] + +When building hv_kvp_daemon GCC-8.3 complains: + +hv_kvp_daemon.c: In function ‘kvp_get_ip_info.constprop’: +hv_kvp_daemon.c:812:30: warning: ‘ip_buffer’ may be used uninitialized in this function [-Wmaybe-uninitialized] + struct hv_kvp_ipaddr_value *ip_buffer; + +this seems to be a false positive: we only use ip_buffer when +op == KVP_OP_GET_IP_INFO and it is only unset when op == KVP_OP_ENUMERATE. + +Silence the warning by initializing ip_buffer to NULL. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sasha Levin +--- + tools/hv/hv_kvp_daemon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c +index 0ce50c319cfd6..ef8a82f29f024 100644 +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -809,7 +809,7 @@ kvp_get_ip_info(int family, char *if_name, int op, + int sn_offset = 0; + int error = 0; + char *buffer; +- struct hv_kvp_ipaddr_value *ip_buffer; ++ struct hv_kvp_ipaddr_value *ip_buffer = NULL; + char cidr_mask[5]; /* /xyz */ + int weight; + int i; +-- +2.20.1 + diff --git a/queue-4.19/vfs-fix-page-locking-deadlocks-when-deduping-files.patch b/queue-4.19/vfs-fix-page-locking-deadlocks-when-deduping-files.patch new file mode 100644 index 00000000000..ee998cbea36 --- /dev/null +++ b/queue-4.19/vfs-fix-page-locking-deadlocks-when-deduping-files.patch @@ -0,0 +1,114 @@ +From 1947c8b66b6846b5d2270f34db6a57c099f8401f Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Sun, 11 Aug 2019 15:52:25 -0700 +Subject: vfs: fix page locking deadlocks when deduping files + +[ Upstream commit edc58dd0123b552453a74369bd0c8d890b497b4b ] + +When dedupe wants to use the page cache to compare parts of two files +for dedupe, we must be very careful to handle locking correctly. The +current code doesn't do this. It must lock and unlock the page only +once if the two pages are the same, since the overlapping range check +doesn't catch this when blocksize < pagesize. If the pages are distinct +but from the same file, we must observe page locking order and lock them +in order of increasing offset to avoid clashing with writeback locking. + +Fixes: 876bec6f9bbfcb3 ("vfs: refactor clone/dedupe_file_range common functions") +Signed-off-by: Darrick J. Wong +Reviewed-by: Bill O'Donnell +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + fs/read_write.c | 49 +++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 41 insertions(+), 8 deletions(-) + +diff --git a/fs/read_write.c b/fs/read_write.c +index 85fd7a8ee29eb..5fb5ee5b8cd70 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1888,10 +1888,7 @@ int vfs_clone_file_range(struct file *file_in, loff_t pos_in, + } + EXPORT_SYMBOL(vfs_clone_file_range); + +-/* +- * Read a page's worth of file data into the page cache. Return the page +- * locked. +- */ ++/* Read a page's worth of file data into the page cache. */ + static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset) + { + struct address_space *mapping; +@@ -1907,10 +1904,32 @@ static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset) + put_page(page); + return ERR_PTR(-EIO); + } +- lock_page(page); + return page; + } + ++/* ++ * Lock two pages, ensuring that we lock in offset order if the pages are from ++ * the same file. ++ */ ++static void vfs_lock_two_pages(struct page *page1, struct page *page2) ++{ ++ /* Always lock in order of increasing index. */ ++ if (page1->index > page2->index) ++ swap(page1, page2); ++ ++ lock_page(page1); ++ if (page1 != page2) ++ lock_page(page2); ++} ++ ++/* Unlock two pages, being careful not to unlock the same page twice. */ ++static void vfs_unlock_two_pages(struct page *page1, struct page *page2) ++{ ++ unlock_page(page1); ++ if (page1 != page2) ++ unlock_page(page2); ++} ++ + /* + * Compare extents of two files to see if they are the same. + * Caller must have locked both inodes to prevent write races. +@@ -1948,10 +1967,24 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff, + dest_page = vfs_dedupe_get_page(dest, destoff); + if (IS_ERR(dest_page)) { + error = PTR_ERR(dest_page); +- unlock_page(src_page); + put_page(src_page); + goto out_error; + } ++ ++ vfs_lock_two_pages(src_page, dest_page); ++ ++ /* ++ * Now that we've locked both pages, make sure they're still ++ * mapped to the file data we're interested in. If not, ++ * someone is invalidating pages on us and we lose. ++ */ ++ if (!PageUptodate(src_page) || !PageUptodate(dest_page) || ++ src_page->mapping != src->i_mapping || ++ dest_page->mapping != dest->i_mapping) { ++ same = false; ++ goto unlock; ++ } ++ + src_addr = kmap_atomic(src_page); + dest_addr = kmap_atomic(dest_page); + +@@ -1963,8 +1996,8 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff, + + kunmap_atomic(dest_addr); + kunmap_atomic(src_addr); +- unlock_page(dest_page); +- unlock_page(src_page); ++unlock: ++ vfs_unlock_two_pages(src_page, dest_page); + put_page(dest_page); + put_page(src_page); + +-- +2.20.1 + diff --git a/queue-4.19/wimax-i2400m-fix-a-memory-leak-bug.patch b/queue-4.19/wimax-i2400m-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..34607b0e7eb --- /dev/null +++ b/queue-4.19/wimax-i2400m-fix-a-memory-leak-bug.patch @@ -0,0 +1,44 @@ +From 9d6b95bc05e942b378f0b6163afacf33723a6ca6 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 15 Aug 2019 15:29:51 -0500 +Subject: wimax/i2400m: fix a memory leak bug + +[ Upstream commit 44ef3a03252844a8753479b0cea7f29e4a804bdc ] + +In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup() +to hold the original command line options. Then, the options are parsed. +However, if an error occurs during the parsing process, 'options_orig' is +not deallocated, leading to a memory leak bug. To fix this issue, free +'options_orig' before returning the error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wimax/i2400m/fw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c +index e9fc168bb7345..489cba9b284d1 100644 +--- a/drivers/net/wimax/i2400m/fw.c ++++ b/drivers/net/wimax/i2400m/fw.c +@@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options) + } + result = i2400m_barker_db_add(barker); + if (result < 0) +- goto error_add; ++ goto error_parse_add; + } + kfree(options_orig); + } + return 0; + ++error_parse_add: + error_parse: ++ kfree(options_orig); + error_add: + kfree(i2400m_barker_db); + return result; +-- +2.20.1 + diff --git a/queue-4.19/x86-boot-compressed-64-fix-boot-on-machines-with-bro.patch b/queue-4.19/x86-boot-compressed-64-fix-boot-on-machines-with-bro.patch new file mode 100644 index 00000000000..2f5f20c669e --- /dev/null +++ b/queue-4.19/x86-boot-compressed-64-fix-boot-on-machines-with-bro.patch @@ -0,0 +1,74 @@ +From b67135a40dbed267ab40225e7c4fa54f359b2e8f Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Tue, 13 Aug 2019 16:16:54 +0300 +Subject: x86/boot/compressed/64: Fix boot on machines with broken E820 table + +[ Upstream commit 0a46fff2f9108c2c44218380a43a736cf4612541 ] + +BIOS on Samsung 500C Chromebook reports very rudimentary E820 table that +consists of 2 entries: + + BIOS-e820: [mem 0x0000000000000000-0x0000000000000fff] usable + BIOS-e820: [mem 0x00000000fffff000-0x00000000ffffffff] reserved + +It breaks logic in find_trampoline_placement(): bios_start lands on the +end of the first 4k page and trampoline start gets placed below 0. + +Detect underflow and don't touch bios_start for such cases. It makes +kernel ignore E820 table on machines that doesn't have two usable pages +below BIOS_START_MAX. + +Fixes: 1b3a62643660 ("x86/boot/compressed/64: Validate trampoline placement against E820") +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://bugzilla.kernel.org/show_bug.cgi?id=203463 +Link: https://lkml.kernel.org/r/20190813131654.24378-1-kirill.shutemov@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/pgtable_64.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c +index f8debf7aeb4c1..f0537a1f7fc25 100644 +--- a/arch/x86/boot/compressed/pgtable_64.c ++++ b/arch/x86/boot/compressed/pgtable_64.c +@@ -73,6 +73,8 @@ static unsigned long find_trampoline_placement(void) + + /* Find the first usable memory region under bios_start. */ + for (i = boot_params->e820_entries - 1; i >= 0; i--) { ++ unsigned long new; ++ + entry = &boot_params->e820_table[i]; + + /* Skip all entries above bios_start. */ +@@ -85,15 +87,20 @@ static unsigned long find_trampoline_placement(void) + + /* Adjust bios_start to the end of the entry if needed. */ + if (bios_start > entry->addr + entry->size) +- bios_start = entry->addr + entry->size; ++ new = entry->addr + entry->size; + + /* Keep bios_start page-aligned. */ +- bios_start = round_down(bios_start, PAGE_SIZE); ++ new = round_down(new, PAGE_SIZE); + + /* Skip the entry if it's too small. */ +- if (bios_start - TRAMPOLINE_32BIT_SIZE < entry->addr) ++ if (new - TRAMPOLINE_32BIT_SIZE < entry->addr) + continue; + ++ /* Protect against underflow. */ ++ if (new - TRAMPOLINE_32BIT_SIZE > bios_start) ++ break; ++ ++ bios_start = new; + break; + } + +-- +2.20.1 + diff --git a/queue-4.19/x86-boot-compressed-64-fix-missing-initialization-in.patch b/queue-4.19/x86-boot-compressed-64-fix-missing-initialization-in.patch new file mode 100644 index 00000000000..0db56340fbb --- /dev/null +++ b/queue-4.19/x86-boot-compressed-64-fix-missing-initialization-in.patch @@ -0,0 +1,40 @@ +From cd39911d0b5064ecb4ce585b47d4c2f3845e1bdc Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Mon, 26 Aug 2019 16:26:01 +0300 +Subject: x86/boot/compressed/64: Fix missing initialization in + find_trampoline_placement() + +[ Upstream commit c96e8483cb2da6695c8b8d0896fe7ae272a07b54 ] + +Gustavo noticed that 'new' can be left uninitialized if 'bios_start' +happens to be less or equal to 'entry->addr + entry->size'. + +Initialize the variable at the begin of the iteration to the current value +of 'bios_start'. + +Fixes: 0a46fff2f910 ("x86/boot/compressed/64: Fix boot on machines with broken E820 table") +Reported-by: "Gustavo A. R. Silva" +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190826133326.7cxb4vbmiawffv2r@box +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/pgtable_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c +index f0537a1f7fc25..76e1edf5bf12a 100644 +--- a/arch/x86/boot/compressed/pgtable_64.c ++++ b/arch/x86/boot/compressed/pgtable_64.c +@@ -73,7 +73,7 @@ static unsigned long find_trampoline_placement(void) + + /* Find the first usable memory region under bios_start. */ + for (i = boot_params->e820_entries - 1; i >= 0; i--) { +- unsigned long new; ++ unsigned long new = bios_start; + + entry = &boot_params->e820_table[i]; + +-- +2.20.1 + diff --git a/releases/5.2.13/series b/releases/5.2.13/series index 0017b27394e..c91ff2db65f 100644 --- a/releases/5.2.13/series +++ b/releases/5.2.13/series @@ -1 +1,45 @@ revert-input-elantech-enable-smbus-on-new-2018-systems.patch +net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch +netfilter-nf_tables-use-after-free-in-failing-rule-w.patch +tools-bpftool-fix-error-message-prog-object.patch +hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch +net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch +bluetooth-btqca-add-a-short-delay-before-downloading.patch +bluetooth-hidp-let-hidp_send_message-return-number-o.patch +ibmveth-convert-multicast-list-size-for-little-endia.patch +gpio-fix-build-error-of-function-redefinition.patch +netfilter-nft_flow_offload-skip-tcp-rst-and-fin-pack.patch +drm-mediatek-use-correct-device-to-import-prime-buff.patch +drm-mediatek-set-dma-max-segment-size.patch +scsi-qla2xxx-fix-gnl.l-memory-leak-on-adapter-init-f.patch +scsi-target-tcmu-avoid-use-after-free-after-command-.patch +cxgb4-fix-a-memory-leak-bug.patch +liquidio-add-cleanup-in-octeon_setup_iq.patch +net-myri10ge-fix-memory-leaks.patch +lan78xx-fix-memory-leaks.patch +vfs-fix-page-locking-deadlocks-when-deduping-files.patch +cx82310_eth-fix-a-memory-leak-bug.patch +net-kalmia-fix-memory-leaks.patch +ibmvnic-unmap-dma-address-of-tx-descriptor-buffers-a.patch +net-cavium-fix-driver-name.patch +wimax-i2400m-fix-a-memory-leak-bug.patch +ravb-fix-use-after-free-ravb_tstamp_skb.patch +kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch +hid-cp2112-prevent-sleeping-function-called-from-inv.patch +x86-boot-compressed-64-fix-boot-on-machines-with-bro.patch +input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch +tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch +nvme-multipath-fix-possible-i-o-hang-when-paths-are-.patch +ib-mlx4-fix-memory-leaks.patch +infiniband-hfi1-fix-a-memory-leak-bug.patch +infiniband-hfi1-fix-memory-leaks.patch +selftests-kvm-fix-state-save-load-on-processors-with.patch +selftests-kvm-make-platform_info_test-pass-on-amd.patch +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-16576 +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch +kvm-arm-arm64-only-skip-mmio-insn-once.patch +afs-fix-leak-in-afs_lookup_cell_rcu.patch +kvm-arm-arm64-vgic-properly-initialise-private-irq-a.patch +x86-boot-compressed-64-fix-missing-initialization-in.patch +libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch