From: Sasha Levin Date: Thu, 19 Aug 2021 13:00:09 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.13.13~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=67deb9a31d035d53c4a2c6f29ff9b27ae072ad06;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch b/queue-4.14/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch new file mode 100644 index 00000000000..a22b28b3c91 --- /dev/null +++ b/queue-4.14/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch @@ -0,0 +1,50 @@ +From c5b2cc0f555d96b714fcbf0dc4069f2ddfe90226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 09:07:30 -0700 +Subject: ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 + +From: Dave Gerlach + +[ Upstream commit 20a6b3fd8e2e2c063b25fbf2ee74d86b898e5087 ] + +Based on the latest timing specifications for the TPS65218 from the data +sheet, http://www.ti.com/lit/ds/symlink/tps65218.pdf, document SLDS206 +from November 2014, we must change the i2c bus speed to better fit within +the minimum high SCL time required for proper i2c transfer. + +When running at 400khz, measurements show that SCL spends +0.8125 uS/1.666 uS high/low which violates the requirement for minimum +high period of SCL provided in datasheet Table 7.6 which is 1 uS. +Switching to 100khz gives us 5 uS/5 uS high/low which both fall above +the minimum given values for 100 khz, 4.0 uS/4.7 uS high/low. + +Without this patch occasionally a voltage set operation from the kernel +will appear to have worked but the actual voltage reflected on the PMIC +will not have updated, causing problems especially with cpufreq that may +update to a higher OPP without actually raising the voltage on DCDC2, +leading to a hang. + +Signed-off-by: Dave Gerlach +Signed-off-by: Kevin Hilman +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am43x-epos-evm.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts +index c4279b0b9f12..437e8d2dcc70 100644 +--- a/arch/arm/boot/dts/am43x-epos-evm.dts ++++ b/arch/arm/boot/dts/am43x-epos-evm.dts +@@ -411,7 +411,7 @@ + status = "okay"; + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins>; +- clock-frequency = <400000>; ++ clock-frequency = <100000>; + + tps65218: tps65218@24 { + reg = <0x24>; +-- +2.30.2 + diff --git a/queue-4.14/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch b/queue-4.14/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch new file mode 100644 index 00000000000..84948dcc4fd --- /dev/null +++ b/queue-4.14/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch @@ -0,0 +1,54 @@ +From 6efe3e771799213c7dbabbc2fa09433412396d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 02:01:03 +0200 +Subject: ARM: dts: nomadik: Fix up interrupt controller node names + +From: Sudeep Holla + +[ Upstream commit 47091f473b364c98207c4def197a0ae386fc9af1 ] + +Once the new schema interrupt-controller/arm,vic.yaml is added, we get +the below warnings: + + arch/arm/boot/dts/ste-nomadik-nhk15.dt.yaml: + intc@10140000: $nodename:0: 'intc@10140000' does not match + '^interrupt-controller(@[0-9a-f,]+)*$' + +Fix the node names for the interrupt controller to conform +to the standard node name interrupt-controller@.. + +Signed-off-by: Sudeep Holla +Signed-off-by: Linus Walleij +Cc: Linus Walleij +Link: https://lore.kernel.org/r/20210617210825.3064367-2-sudeep.holla@arm.com +Link: https://lore.kernel.org/r/20210626000103.830184-1-linus.walleij@linaro.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ste-nomadik-stn8815.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi b/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi +index 733678b75b88..ad3cdf2ca7fb 100644 +--- a/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi ++++ b/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi +@@ -756,14 +756,14 @@ + status = "disabled"; + }; + +- vica: intc@10140000 { ++ vica: interrupt-controller@10140000 { + compatible = "arm,versatile-vic"; + interrupt-controller; + #interrupt-cells = <1>; + reg = <0x10140000 0x20>; + }; + +- vicb: intc@10140020 { ++ vicb: interrupt-controller@10140020 { + compatible = "arm,versatile-vic"; + interrupt-controller; + #interrupt-cells = <1>; +-- +2.30.2 + diff --git a/queue-4.14/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch b/queue-4.14/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch new file mode 100644 index 00000000000..bbcfe16eb75 --- /dev/null +++ b/queue-4.14/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch @@ -0,0 +1,55 @@ +From 9c5c660bbc401a6b042a98a8d94a635ed71e198a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 17:16:04 +0200 +Subject: ARM: ixp4xx: goramo_mlr depends on old PCI driver + +From: Arnd Bergmann + +[ Upstream commit 796a8c85b1216618258e08b463d3bef0d7123760 ] + +When this driver is disabled, the board file fails to build, +so add a dependency: + +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_pci_preinit': +arch/arm/mach-ixp4xx/goramo_mlr.c:472:9: error: implicit declaration of function 'ixp4xx_pci_preinit'; did you mean 'iop3xx_pci_preinit'? [-Werror=implicit-function-declaration] + 472 | ixp4xx_pci_preinit(); + | ^~~~~~~~~~~~~~~~~~ + | iop3xx_pci_preinit +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_pci_postinit': +arch/arm/mach-ixp4xx/goramo_mlr.c:481:22: error: implicit declaration of function 'ixp4xx_pci_read' [-Werror=implicit-function-declaration] + 481 | if (!ixp4xx_pci_read(addr, NP_CMD_CONFIGREAD, &value)) { + | ^~~~~~~~~~~~~~~ +arch/arm/mach-ixp4xx/goramo_mlr.c:231:35: error: 'IXP4XX_UART1_BASE_PHYS' undeclared here (not in a function) + 231 | .start = IXP4XX_UART1_BASE_PHYS, + | ^~~~~~~~~~~~~~~~~~~~~~ +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_init': +arch/arm/mach-ixp4xx/goramo_mlr.c:376:9: error: implicit declaration of function 'ixp4xx_sys_init' [-Werror=implicit-function-declaration] + 376 | ixp4xx_sys_init(); + | ^~~~~~~~~~~~~~~ + +Signed-off-by: Arnd Bergmann +Reviewed-by: Linus Walleij +Cc: Linus Walleij +Cc: soc@kernel.org +Link: https://lore.kernel.org/r/20210721151620.2373500-1-arnd@kernel.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ixp4xx/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-ixp4xx/Kconfig b/arch/arm/mach-ixp4xx/Kconfig +index c342dc4e8a45..2489b6151ace 100644 +--- a/arch/arm/mach-ixp4xx/Kconfig ++++ b/arch/arm/mach-ixp4xx/Kconfig +@@ -76,6 +76,7 @@ config MACH_IXDP465 + + config MACH_GORAMO_MLR + bool "GORAMO Multi Link Router" ++ depends on IXP4XX_PCI_LEGACY + help + Say 'Y' here if you want your kernel to support GORAMO + MultiLink router. +-- +2.30.2 + diff --git a/queue-4.14/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch b/queue-4.14/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch new file mode 100644 index 00000000000..018c7fd2f84 --- /dev/null +++ b/queue-4.14/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch @@ -0,0 +1,63 @@ +From 9884e23ac8e87813ef05d541be4d4224c6f7285d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 22:00:21 +0300 +Subject: dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller + is not yet available + +From: Peter Ujfalusi + +[ Upstream commit eda97cb095f2958bbad55684a6ca3e7d7af0176a ] + +If the router_xlate can not find the controller in the available DMA +devices then it should return with -EPORBE_DEFER in a same way as the +of_dma_request_slave_channel() does. + +The issue can be reproduced if the event router is registered before the +DMA controller itself and a driver would request for a channel before the +controller is registered. +In of_dma_request_slave_channel(): +1. of_dma_find_controller() would find the dma_router +2. ofdma->of_dma_xlate() would fail and returned NULL +3. -ENODEV is returned as error code + +with this patch we would return in this case the correct -EPROBE_DEFER and +the client can try to request the channel later. + +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20210717190021.21897-1-peter.ujfalusi@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/of-dma.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index 8344a60c2131..a9d3ab94749b 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -68,8 +68,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + return NULL; + + ofdma_target = of_dma_find_controller(&dma_spec_target); +- if (!ofdma_target) +- return NULL; ++ if (!ofdma_target) { ++ ofdma->dma_router->route_free(ofdma->dma_router->dev, ++ route_data); ++ chan = ERR_PTR(-EPROBE_DEFER); ++ goto err; ++ } + + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target); + if (IS_ERR_OR_NULL(chan)) { +@@ -80,6 +84,7 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + chan->route_data = route_data; + } + ++err: + /* + * Need to put the node back since the ofdma->of_dma_route_allocate + * has taken it for generating the new, translated dma_spec +-- +2.30.2 + diff --git a/queue-4.14/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch b/queue-4.14/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch new file mode 100644 index 00000000000..9d66d829a7c --- /dev/null +++ b/queue-4.14/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch @@ -0,0 +1,40 @@ +From 12a90f0d45fbdc54792752af8c4765e77a427085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 20:45:21 +0800 +Subject: dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() + +From: Yu Kuai + +[ Upstream commit 1da569fa7ec8cb0591c74aa3050d4ea1397778b4 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by moving the error_pm label above the pm_runtime_put() in +the error path. + +Reported-by: Hulk Robot +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20210706124521.1371901-1-yukuai3@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sh/usb-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c +index 31a145154e9f..744fab9da918 100644 +--- a/drivers/dma/sh/usb-dmac.c ++++ b/drivers/dma/sh/usb-dmac.c +@@ -858,8 +858,8 @@ static int usb_dmac_probe(struct platform_device *pdev) + + error: + of_dma_controller_free(pdev->dev.of_node); +- pm_runtime_put(&pdev->dev); + error_pm: ++ pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.14/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch b/queue-4.14/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch new file mode 100644 index 00000000000..6caaf14f934 --- /dev/null +++ b/queue-4.14/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch @@ -0,0 +1,79 @@ +From 3574e21dcc639ed650d94b20ad1a664e9f51828f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 11:13:39 +0300 +Subject: net: usb: lan78xx: don't modify phy_device state concurrently + +From: Ivan T. Ivanov + +[ Upstream commit 6b67d4d63edece1033972214704c04f36c5be89a ] + +Currently phy_device state could be left in inconsistent state shown +by following alert message[1]. This is because phy_read_status could +be called concurrently from lan78xx_delayedwork, phy_state_machine and +__ethtool_get_link. Fix this by making sure that phy_device state is +updated atomically. + +[1] lan78xx 1-1.1.1:1.0 eth0: No phy led trigger registered for speed(-1) + +Signed-off-by: Ivan T. Ivanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 120e99914fd6..ff108611c5e4 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1147,7 +1147,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + { + struct phy_device *phydev = dev->net->phydev; + struct ethtool_link_ksettings ecmd; +- int ladv, radv, ret; ++ int ladv, radv, ret, link; + u32 buf; + + /* clear LAN78xx interrupt status */ +@@ -1155,9 +1155,12 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + if (unlikely(ret < 0)) + return -EIO; + ++ mutex_lock(&phydev->lock); + phy_read_status(phydev); ++ link = phydev->link; ++ mutex_unlock(&phydev->lock); + +- if (!phydev->link && dev->link_on) { ++ if (!link && dev->link_on) { + dev->link_on = false; + + /* reset MAC */ +@@ -1170,7 +1173,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + return -EIO; + + del_timer(&dev->stat_monitor); +- } else if (phydev->link && !dev->link_on) { ++ } else if (link && !dev->link_on) { + dev->link_on = true; + + phy_ethtool_ksettings_get(phydev, &ecmd); +@@ -1457,9 +1460,14 @@ static int lan78xx_set_eee(struct net_device *net, struct ethtool_eee *edata) + + static u32 lan78xx_get_link(struct net_device *net) + { ++ u32 link; ++ ++ mutex_lock(&net->phydev->lock); + phy_read_status(net->phydev); ++ link = net->phydev->link; ++ mutex_unlock(&net->phydev->lock); + +- return net->phydev->link; ++ return link; + } + + static void lan78xx_get_drvinfo(struct net_device *net, +-- +2.30.2 + diff --git a/queue-4.14/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch b/queue-4.14/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch new file mode 100644 index 00000000000..bb381e15113 --- /dev/null +++ b/queue-4.14/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch @@ -0,0 +1,45 @@ +From 52b08cc83bd925243eede530c4dea4150d1fbf8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 17:24:02 +0530 +Subject: scsi: core: Avoid printing an error if target_alloc() returns -ENXIO + +From: Sreekanth Reddy + +[ Upstream commit 70edd2e6f652f67d854981fd67f9ad0f1deaea92 ] + +Avoid printing a 'target allocation failed' error if the driver +target_alloc() callback function returns -ENXIO. This return value +indicates that the corresponding H:C:T:L entry is empty. + +Removing this error reduces the scan time if the user issues SCAN_WILD_CARD +scan operation through sysfs parameter on a host with a lot of empty +H:C:T:L entries. + +Avoiding the printk on -ENXIO matches the behavior of the other callback +functions during scanning. + +Link: https://lore.kernel.org/r/20210726115402.1936-1-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 40acc060b655..95ca7039f493 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -462,7 +462,8 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, + error = shost->hostt->target_alloc(starget); + + if(error) { +- dev_printk(KERN_ERR, dev, "target allocation failed, error %d\n", error); ++ if (error != -ENXIO) ++ dev_err(dev, "target allocation failed, error %d\n", error); + /* don't want scsi_target_reap to do the final + * put because it will be under the host lock */ + scsi_target_destroy(starget); +-- +2.30.2 + diff --git a/queue-4.14/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch b/queue-4.14/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch new file mode 100644 index 00000000000..5c3b5acbbef --- /dev/null +++ b/queue-4.14/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch @@ -0,0 +1,93 @@ +From 8efb0da25344a911f84e6538fb88e3497fb4a10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 13:16:42 +0530 +Subject: scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() + +From: Harshvardhan Jha + +[ Upstream commit 77541f78eadfe9fdb018a7b8b69f0f2af2cf4b82 ] + +The list_for_each_entry() iterator, "adapter" in this code, can never be +NULL. If we exit the loop without finding the correct adapter then +"adapter" points invalid memory that is an offset from the list head. This +will eventually lead to memory corruption and presumably a kernel crash. + +Link: https://lore.kernel.org/r/20210708074642.23599-1-harshvardhan.jha@oracle.com +Acked-by: Sumit Saxena +Signed-off-by: Harshvardhan Jha +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_mm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c +index 65b6f6ace3a5..8ec308c5970f 100644 +--- a/drivers/scsi/megaraid/megaraid_mm.c ++++ b/drivers/scsi/megaraid/megaraid_mm.c +@@ -250,7 +250,7 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) + mimd_t mimd; + uint32_t adapno; + int iterator; +- ++ bool is_found; + + if (copy_from_user(&mimd, umimd, sizeof(mimd_t))) { + *rval = -EFAULT; +@@ -266,12 +266,16 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) + + adapter = NULL; + iterator = 0; ++ is_found = false; + + list_for_each_entry(adapter, &adapters_list_g, list) { +- if (iterator++ == adapno) break; ++ if (iterator++ == adapno) { ++ is_found = true; ++ break; ++ } + } + +- if (!adapter) { ++ if (!is_found) { + *rval = -ENODEV; + return NULL; + } +@@ -739,6 +743,7 @@ ioctl_done(uioc_t *kioc) + uint32_t adapno; + int iterator; + mraid_mmadp_t* adapter; ++ bool is_found; + + /* + * When the kioc returns from driver, make sure it still doesn't +@@ -761,19 +766,23 @@ ioctl_done(uioc_t *kioc) + iterator = 0; + adapter = NULL; + adapno = kioc->adapno; ++ is_found = false; + + con_log(CL_ANN, ( KERN_WARNING "megaraid cmm: completed " + "ioctl that was timedout before\n")); + + list_for_each_entry(adapter, &adapters_list_g, list) { +- if (iterator++ == adapno) break; ++ if (iterator++ == adapno) { ++ is_found = true; ++ break; ++ } + } + + kioc->timedout = 0; + +- if (adapter) { ++ if (is_found) + mraid_mm_dealloc_kioc( adapter, kioc ); +- } ++ + } + else { + wake_up(&wait_q); +-- +2.30.2 + diff --git a/queue-4.14/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch b/queue-4.14/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch new file mode 100644 index 00000000000..523b7038df5 --- /dev/null +++ b/queue-4.14/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch @@ -0,0 +1,92 @@ +From a941afa476ea7888071f3c8dd1d648a350dbb110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 14:31:03 +0800 +Subject: scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() + +From: Ye Bin + +[ Upstream commit bc546c0c9abb3bb2fb46866b3d1e6ade9695a5f6 ] + +The following BUG_ON() was observed during RDAC scan: + +[595952.944297] kernel BUG at drivers/scsi/device_handler/scsi_dh_rdac.c:427! +[595952.951143] Internal error: Oops - BUG: 0 [#1] SMP +...... +[595953.251065] Call trace: +[595953.259054] check_ownership+0xb0/0x118 +[595953.269794] rdac_bus_attach+0x1f0/0x4b0 +[595953.273787] scsi_dh_handler_attach+0x3c/0xe8 +[595953.278211] scsi_dh_add_device+0xc4/0xe8 +[595953.282291] scsi_sysfs_add_sdev+0x8c/0x2a8 +[595953.286544] scsi_probe_and_add_lun+0x9fc/0xd00 +[595953.291142] __scsi_scan_target+0x598/0x630 +[595953.295395] scsi_scan_target+0x120/0x130 +[595953.299481] fc_user_scan+0x1a0/0x1c0 [scsi_transport_fc] +[595953.304944] store_scan+0xb0/0x108 +[595953.308420] dev_attr_store+0x44/0x60 +[595953.312160] sysfs_kf_write+0x58/0x80 +[595953.315893] kernfs_fop_write+0xe8/0x1f0 +[595953.319888] __vfs_write+0x60/0x190 +[595953.323448] vfs_write+0xac/0x1c0 +[595953.326836] ksys_write+0x74/0xf0 +[595953.330221] __arm64_sys_write+0x24/0x30 + +Code is in check_ownership: + + list_for_each_entry_rcu(tmp, &h->ctlr->dh_list, node) { + /* h->sdev should always be valid */ + BUG_ON(!tmp->sdev); + tmp->sdev->access_state = access_state; + } + + rdac_bus_attach + initialize_controller + list_add_rcu(&h->node, &h->ctlr->dh_list); + h->sdev = sdev; + + rdac_bus_detach + list_del_rcu(&h->node); + h->sdev = NULL; + +Fix the race between rdac_bus_attach() and rdac_bus_detach() where h->sdev +is NULL when processing the RDAC attach. + +Link: https://lore.kernel.org/r/20210113063103.2698953-1-yebin10@huawei.com +Reviewed-by: Bart Van Assche +Signed-off-by: Ye Bin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_rdac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index b92e06f75756..897449deab62 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -453,8 +453,8 @@ static int initialize_controller(struct scsi_device *sdev, + if (!h->ctlr) + err = SCSI_DH_RES_TEMP_UNAVAIL; + else { +- list_add_rcu(&h->node, &h->ctlr->dh_list); + h->sdev = sdev; ++ list_add_rcu(&h->node, &h->ctlr->dh_list); + } + spin_unlock(&list_lock); + err = SCSI_DH_OK; +@@ -779,11 +779,11 @@ static void rdac_bus_detach( struct scsi_device *sdev ) + spin_lock(&list_lock); + if (h->ctlr) { + list_del_rcu(&h->node); +- h->sdev = NULL; + kref_put(&h->ctlr->kref, release_controller); + } + spin_unlock(&list_lock); + sdev->handler_data = NULL; ++ synchronize_rcu(); + kfree(h); + } + +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 90be4415552..4054bace2b0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -36,3 +36,12 @@ ath9k-clear-key-cache-explicitly-on-disabling-hardware.patch ath-export-ath_hw_keysetmac.patch ath-modify-ath_key_delete-to-not-need-full-key-entry.patch ath9k-postpone-key-cache-entry-deletion-for-txq-frames-reference-it.patch +dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch +arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch +dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch +scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch +scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch +scsi-core-avoid-printing-an-error-if-target_alloc-re.patch +arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch +arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch +net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch