From: Greg Kroah-Hartman
Date: Mon, 30 Mar 2020 11:40:57 +0000 (+0200)
Subject: 5.5-stable patches
X-Git-Tag: v5.6.1~56
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3aa1697ad9d0abb6ad821ca26e46bcb77df76ad3;p=thirdparty%2Fkernel%2Fstable-queue.git

5.5-stable patches

added patches:
ib-rdmavt-free-kernel-completion-queue-when-done.patch
rdma-core-fix-missing-error-check-on-dev_set_name.patch
rdma-odp-fix-leaking-the-tgid-for-implicit-odp.patch
---
diff --git a/queue-5.5/ib-rdmavt-free-kernel-completion-queue-when-done.patch b/queue-5.5/ib-rdmavt-free-kernel-completion-queue-when-done.patch
new file mode 100644
index 00000000000..32a85d786d0
--- /dev/null
+++ b/queue-5.5/ib-rdmavt-free-kernel-completion-queue-when-done.patch
@@ -0,0 +1,63 @@
+From 941224e09483ea3428ffc6402de56a4a2e2cb6da Mon Sep 17 00:00:00 2001
+From: Kaike Wan
+Date: Fri, 13 Mar 2020 08:39:57 -0400
+Subject: IB/rdmavt: Free kernel completion queue when done
+
+From: Kaike Wan
+
+commit 941224e09483ea3428ffc6402de56a4a2e2cb6da upstream.
+
+When a kernel ULP requests the rdmavt to create a completion queue, it
+allocated the queue and set cq->kqueue to point to it. However, when the
+completion queue is destroyed, cq->queue is freed instead, leading to a
+memory leak:
+
+https://lore.kernel.org/r/215235485.15264050.1583334487658.JavaMail.zimbra@redhat.com
+
+ unreferenced object 0xffffc90006639000 (size 12288):
+ comm "kworker/u128:0", pid 8, jiffies 4295777598 (age 589.085s)
+ hex dump (first 32 bytes):
+ 4d 00 00 00 4d 00 00 00 00 c0 08 ac 8b 88 ff ff M...M...........
+ 00 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 ................
+ backtrace:
+ [<0000000035a3d625>] __vmalloc_node_range+0x361/0x720
+ [<000000002942ce4f>] __vmalloc_node.constprop.30+0x63/0xb0
+ [<00000000f228f784>] rvt_create_cq+0x98a/0xd80 [rdmavt]
+ [<00000000b84aec66>] __ib_alloc_cq_user+0x281/0x1260 [ib_core]
+ [<00000000ef3764be>] nvme_rdma_cm_handler+0xdb7/0x1b80 [nvme_rdma]
+ [<00000000936b401c>] cma_cm_event_handler+0xb7/0x550 [rdma_cm]
+ [<00000000d9c40b7b>] addr_handler+0x195/0x310 [rdma_cm]
+ [<00000000c7398a03>] process_one_req+0xdd/0x600 [ib_core]
+ [<000000004d29675b>] process_one_work+0x920/0x1740
+ [<00000000efedcdb5>] worker_thread+0x87/0xb40
+ [<000000005688b340>] kthread+0x327/0x3f0
+ [<0000000043a168d6>] ret_from_fork+0x3a/0x50
+
+This patch fixes the issue by freeing cq->kqueue instead.
+
+Fixes: 239b0e52d8aa ("IB/hfi1: Move rvt_cq_wc struct into uapi directory")
+Link: https://lore.kernel.org/r/20200313123957.14343.43879.stgit@awfm-01.aw.intel.com
+Cc: # 5.4.x
+Reported-by: Yi Zhang
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Dennis Dalessandro
+Signed-off-by: Kaike Wan
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/sw/rdmavt/cq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -327,7 +327,7 @@ void rvt_destroy_cq(struct ib_cq *ibcq,
+ if (cq->ip)
+ kref_put(&cq->ip->ref, rvt_release_mmap_info);
+ else
+- vfree(cq->queue);
++ vfree(cq->kqueue);
+ }
+
+ /**
diff --git a/queue-5.5/rdma-core-fix-missing-error-check-on-dev_set_name.patch b/queue-5.5/rdma-core-fix-missing-error-check-on-dev_set_name.patch
new file mode 100644
index 00000000000..f1412ad3243
--- /dev/null
+++ b/queue-5.5/rdma-core-fix-missing-error-check-on-dev_set_name.patch
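Review bot: The corrected `vfree(cq->kqueue)` branch still carries no comment explaining why the two queue pointers are released differently, which is exactly the confusion that produced this leak; I would add `/* cq->queue is the user-mmap'd queue and goes away with cq->ip via the kref_put; only the kernel-ULP copy in cq->kqueue is vfree'd here */` above the `if (cq->ip)`. The kmemleak report in the description shows a 12 KiB vmalloc object leaked per CQ created from nvme_rdma's CM handler, so every connect/teardown cycle pins more vmalloc space without any cap, which makes this a resource-exhaustion fix rather than hygiene and worth saying so in the comment. rvt_destroy_cq's body starts before this hunk, so the user-path release is read from the kref_put line alone; confirm that rvt_release_mmap_info is what frees cq->queue before settling the comment wording.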
@@ -0,0 +1,78 @@
+From f2f2b3bbf0d9f8d090b9a019679223b2bd1c66c4 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Mon, 9 Mar 2020 16:32:00 -0300
+Subject: RDMA/core: Fix missing error check on dev_set_name()
+
+From: Jason Gunthorpe
+
+commit f2f2b3bbf0d9f8d090b9a019679223b2bd1c66c4 upstream.
+
+If name memory allocation fails the name will be left empty and
+device_add_one() will crash:
+
+ kobject: (0000000004952746): attempted to be registered with empty name!
+ WARNING: CPU: 0 PID: 329 at lib/kobject.c:234 kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 0 PID: 329 Comm: syz-executor.5 Not tainted 5.6.0-rc2-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ panic+0x2e3/0x75c kernel/panic.c:221
+ __warn.cold+0x2f/0x3e kernel/panic.c:582
+ report_bug+0x289/0x300 lib/bug.c:195
+ fixup_bug arch/x86/kernel/traps.c:174 [inline]
+ fixup_bug arch/x86/kernel/traps.c:169 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
+ do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
+ invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
+ RIP: 0010:kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+ Code: 1a 98 ca f9 e9 f0 f8 ff ff 4c 89 f7 e8 6d 98 ca f9 e9 95 f9 ff ff e8 c3 f0 8b f9 4c 89 e6 48 c7 c7 a0 0e 1a 89 e8 e3 41 5c f9 <0f> 0b 41 bd ea ff ff ff e9 52 ff ff ff e8 a2 f0 8b f9 0f 0b e8 9b
+ RSP: 0018:ffffc90005b27908 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000040000 RSI: ffffffff815eae46 RDI: fffff52000b64f13
+ RBP: ffffc90005b27960 R08: ffff88805aeba480 R09: ffffed1015d06659
+ R10: ffffed1015d06658 R11: ffff8880ae8332c7 R12: ffff8880a37fd000
+ R13: 0000000000000000 R14: ffff888096691780 R15: 0000000000000001
+ kobject_add_varg lib/kobject.c:390 [inline]
+ kobject_add+0x150/0x1c0
lib/kobject.c:442
+ device_add+0x3be/0x1d00 drivers/base/core.c:2412
+ add_one_compat_dev drivers/infiniband/core/device.c:901 [inline]
+ add_one_compat_dev+0x46a/0x7e0 drivers/infiniband/core/device.c:857
+ rdma_dev_init_net+0x2eb/0x490 drivers/infiniband/core/device.c:1120
+ ops_init+0xb3/0x420 net/core/net_namespace.c:137
+ setup_net+0x2d5/0x8b0 net/core/net_namespace.c:327
+ copy_net_ns+0x29e/0x5a0 net/core/net_namespace.c:468
+ create_new_namespaces+0x403/0xb50 kernel/nsproxy.c:108
+ unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:229
+ ksys_unshare+0x444/0x980 kernel/fork.c:2955
+ __do_sys_unshare kernel/fork.c:3023 [inline]
+ __se_sys_unshare kernel/fork.c:3021 [inline]
+ __x64_sys_unshare+0x31/0x40 kernel/fork.c:3021
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Link: https://lore.kernel.org/r/20200309193200.GA10633@ziepe.ca
+Cc: stable@kernel.org
+Fixes: 4e0f7b907072 ("RDMA/core: Implement compat device/sysfs tree in net namespace")
+Reported-by: syzbot+ab4dae63f7d310641ded@syzkaller.appspotmail.com
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/device.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -896,7 +896,9 @@ static int add_one_compat_dev(struct ib_
+ cdev->dev.parent = device->dev.parent;
+ rdma_init_coredev(cdev, device, read_pnet(&rnet->net));
+ cdev->dev.release = compatdev_release;
+- dev_set_name(&cdev->dev, "%s", dev_name(&device->dev));
++ ret = dev_set_name(&cdev->dev, "%s", dev_name(&device->dev));
++ if (ret)
++ goto add_err;
+
+ ret = device_add(&cdev->dev);
+ if (ret)
diff --git a/queue-5.5/rdma-odp-fix-leaking-the-tgid-for-implicit-odp.patch b/queue-5.5/rdma-odp-fix-leaking-the-tgid-for-implicit-odp.patch
new file mode 100644
index 00000000000..0089d9e3e47
--- /dev/null
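Review bot: The new `goto add_err` now enters the device_add() failure path for a device that was never added, and that label lies outside the hunk; it must do only what is valid for an initialised-but-unregistered device (a put_device() that ends in the compatdev_release installed two lines earlier, presumably paired with the initialisation in rdma_init_coredev) and must not call device_del(), so verify the label body rather than assume it is symmetric with the device_add() case. A short comment at the call would also keep the next reader from dropping the check again, e.g. `/* dev_set_name() allocates; an empty name trips a WARN in kobject_add() */`. The trace in the description reaches this code from ksys_unshare, i.e. net-namespace creation, so the unchecked allocation turned an ENOMEM into a WARN, and a panic under panic_on_warn, for whoever can create a netns; the check closes that, but the remaining unchecked calls in add_one_compat_dev deserve the same look. add_one_compat_dev starts before and continues after this hunk.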
+++ b/queue-5.5/rdma-odp-fix-leaking-the-tgid-for-implicit-odp.patch
@@ -0,0 +1,37 @@
+From 0f9826f4753f74f935e18c2a640484ecbd941346 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Wed, 4 Mar 2020 14:16:07 -0400
+Subject: RDMA/odp: Fix leaking the tgid for implicit ODP
+
+From: Jason Gunthorpe
+
+commit 0f9826f4753f74f935e18c2a640484ecbd941346 upstream.
+
+The tgid used to be part of ib_umem_free_notifier(), when it was reworked
+it got moved to release, but it should have been unconditional as all umem
+alloc paths get the tgid.
+
+As is, creating an implicit ODP will leak the tgid reference.
+
+Link: https://lore.kernel.org/r/20200304181607.GA22412@ziepe.ca
+Cc: stable@kernel.org
+Fixes: f25a546e6529 ("RDMA/odp: Use mmu_interval_notifier_insert()")
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem_odp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem_odp.c
++++ b/drivers/infiniband/core/umem_odp.c
+@@ -290,8 +290,8 @@ void ib_umem_odp_release(struct ib_umem_
+ mmu_interval_notifier_remove(&umem_odp->notifier);
+ kvfree(umem_odp->dma_list);
+ kvfree(umem_odp->page_list);
+- put_pid(umem_odp->tgid);
+ }
++ put_pid(umem_odp->tgid);
+ kfree(umem_odp);
+ }
+ EXPORT_SYMBOL(ib_umem_odp_release);
diff --git a/queue-5.5/series b/queue-5.5/series
index 4806d47f916..adfbdeb92aa 100644
--- a/queue-5.5/series
+++ b/queue-5.5/series
@@ -83,3 +83,6 @@ input-raydium_i2c_ts-fix-error-codes-in-raydium_i2c_boot_trigger.patch
 input-fix-stale-timestamp-on-key-autorepeat-events.patch
 input-synaptics-enable-rmi-on-hp-envy-13-ad105ng.patch
 input-avoid-bit-macro-usage-in-the-serio.h-uapi-header.patch
+ib-rdmavt-free-kernel-completion-queue-when-done.patch
+rdma-core-fix-missing-error-check-on-dev_set_name.patch
+rdma-odp-fix-leaking-the-tgid-for-implicit-odp.patch
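Review bot: The unconditional `put_pid(umem_odp->tgid)` is correct only if every allocation path sets tgid before release can run, which the description asserts but nothing in this hunk shows; I would record that invariant at the call, `/* every umem_odp alloc path takes a tgid ref, so drop it regardless of the branch above */`, so the next rework does not push it back under the conditional. The `if` whose closing brace sits just above the moved call opens before this hunk, so its condition is not visible here and the function's signature is only in the @@ line. A leaked struct pid reference per implicit ODP registration is, as far as I can tell, reachable from userspace MR registration and unbounded, which makes this a resource leak worth flagging as such in the stable changelog rather than a cosmetic move.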