From: Sasha Levin
Date: Fri, 10 Jul 2020 00:37:25 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v5.7.9~43
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c9a062aa2c72ecfd199997be0c733b5dedf6eff;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.14

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch b/queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch
new file mode 100644
index 00000000000..b026903b75b
--- /dev/null
+++ b/queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch
@@ -0,0 +1,52 @@
+From e2d3e697492d9fc9df26a2db71f31591e2447768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Jun 2020 17:18:56 -0700
+Subject: ARM: dts: omap4-droid4: Fix spi configuration and increase rate
+
+From: Tony Lindgren
+
+[ Upstream commit 0df12a01f4857495816b05f048c4c31439446e35 ]
+
+We can currently sometimes get "RXS timed out" errors and "EOT timed out"
+errors with spi transfers.
+
+These errors can be made easy to reproduce by reading the cpcap iio
+values in a loop while keeping the CPUs busy by also reading /dev/urandom.
+
+The "RXS timed out" errors we can fix by adding spi-cpol and spi-cpha
+in addition to the spi-cs-high property we already have.
+
+The "EOT timed out" errors we can fix by increasing the spi clock rate
+to 9.6 MHz. Looks similar MC13783 PMIC says it works at spi clock rates
+up to 20 MHz, so let's assume we can pick any rate up to 20 MHz also
+for cpcap.
+
+Cc: maemo-leste@lists.dyne.org
+Cc: Merlijn Wajer
+Cc: Pavel Machek
+Cc: Sebastian Reichel
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+index bcced922b2807..b4779b0ece96d 100644
+--- a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
++++ b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+@@ -16,8 +16,10 @@
+ #interrupt-cells = <2>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+- spi-max-frequency = <3000000>;
++ spi-max-frequency = <9600000>;
+ spi-cs-high;
++ spi-cpol;
++ spi-cpha;
+
+ cpcap_adc: adc {
+ compatible = "motorola,mapphone-cpcap-adc";
+--
+2.25.1
+
diff --git a/queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch b/queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
new file mode 100644
index 00000000000..9b0724dbc0f
--- /dev/null
+++ b/queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch 
@@ -0,0 +1,71 @@
+From 71a5c39727e1a4b8e0f8ce8d6f7cddb9d1529e05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jun 2020 20:54:49 +0800
+Subject: ARM: imx6: add missing put_device() call in imx6q_suspend_init()
+
+From: yu kuai
+
+[ Upstream commit 4845446036fc9c13f43b54a65c9b757c14f5141b ]
+
+if of_find_device_by_node() succeed, imx6q_suspend_init() doesn't have a
+corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Signed-off-by: yu kuai
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-imx/pm-imx6.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 6078bcc9f594a..c7dcb0b207301 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -483,14 +483,14 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -513,7 +513,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ ret = imx6_pm_get_base(&pm_info->mmdc_base, socdata->mmdc_compat);
+ if (ret) {
+ pr_warn("%s: failed to get mmdc base %d!\n", __func__, ret);
+- goto put_node;
++ goto put_device;
+ }
+
+ ret = imx6_pm_get_base(&pm_info->src_base, socdata->src_compat);
+@@ -560,7 +560,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ &imx6_suspend,
+ MX6Q_SUSPEND_OCRAM_SIZE - sizeof(*pm_info));
+
+- goto put_node;
++ goto put_device;
+
+ pl310_cache_map_failed:
+ iounmap(pm_info->gpc_base.vbase);
+@@ -570,6 +570,8 @@ iomuxc_map_failed:
+ iounmap(pm_info->src_base.vbase);
+ src_map_failed:
+ iounmap(pm_info->mmdc_base.vbase);
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(node);
+
+--
+2.25.1
+
diff --git a/queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch b/queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
new file mode 100644
index 00000000000..f53d50307b5
--- /dev/null
+++ b/queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
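Review bot: The new label `put_device:` in the last hunk of arch/arm/mach-imx/pm-imx6.c has the same name as the function called on the line below it, which is legal C but makes `goto put_device;` read like a call and muddies grep results; a distinct name such as `put_pdev:` would keep the four jump sites unambiguous. The unmap labels above fall through into it, so every exit after the device lookup now drops the reference, and a one-line comment on the label, `/* drop the reference taken by of_find_device_by_node() */`, would say why it sits between the unmap labels and `put_node:`. imx6q_suspend_init() starts and ends outside the hunks shown, so the paths that still jump straight to `put_node` cannot be checked from here.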
@@ -0,0 +1,97 @@
+From e65825fd4c33fba63f4b221058b060b697afbf9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Jun 2018 11:23:38 +0100
+Subject: arm64: entry: Place an SB sequence following an ERET instruction
+
+From: Will Deacon
+
+[ Upstream commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 ]
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by a lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+This patch emits an SB sequence after each ERET so that speculation is
+held up on exception return.
+
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/entry.S | 2 ++
+ arch/arm64/kvm/hyp/entry.S | 1 +
+ arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index c1ffa95c0ad24..f70e0893ba518 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -367,6 +367,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+ .else
+ eret
+ .endif
++ sb
+ .endm
+
+ .macro irq_stack_entry
+@@ -1046,6 +1047,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+ mrs x30, far_el1
+ .endif
+ eret
++ sb
+ .endm
+
+ .align 11
+diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
+index a360ac6e89e9d..bc5c6cdb8538d 100644
+--- a/arch/arm64/kvm/hyp/entry.S
++++ b/arch/arm64/kvm/hyp/entry.S
+@@ -83,6 +83,7 @@ ENTRY(__guest_enter)
+
+ // Do not touch any register after this!
+ eret
++ sb
+ ENDPROC(__guest_enter)
+
+ ENTRY(__guest_exit)
+diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
+index 3c283fd8c8f5a..b4d6a6c6c6ce5 100644
+--- a/arch/arm64/kvm/hyp/hyp-entry.S
++++ b/arch/arm64/kvm/hyp/hyp-entry.S
+@@ -96,6 +96,7 @@ el1_sync: // Guest trapped into EL2
+ do_el2_call
+
+ eret
++ sb
+
+ el1_hvc_guest:
+ /*
+@@ -146,6 +147,7 @@ wa_epilogue:
+ mov x0, xzr
+ add sp, sp, #16
+ eret
++ sb
+
+ el1_trap:
+ get_vcpu_ptr x1, x0
+@@ -204,6 +206,7 @@ el2_error:
+ b.ne __hyp_panic
+ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
+ eret
++ sb
+
+ ENTRY(__hyp_do_panic)
+ mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
+@@ -212,6 +215,7 @@ ENTRY(__hyp_do_panic)
+ ldr lr, =panic
+ msr elr_el2, lr
+ eret
++ sb
+ ENDPROC(__hyp_do_panic)
+
+ ENTRY(__hyp_panic)
+--
+2.25.1
+
diff --git a/queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch b/queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch
new file mode 100644
index 00000000000..a2a0874b1e5
--- /dev/null
+++ b/queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch
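Review bot: The seven `sb` lines added after `eret` in arch/arm64/kernel/entry.S, kvm/hyp/entry.S and kvm/hyp/hyp-entry.S depend on an assembler macro or instruction named `sb`, and neither these hunks nor the other patches added to queue-4.14/series define one. If the 4.14 tree does not already provide it, these files will not assemble, or the speculation barrier the commit message promises will be missing, so the prerequisite should be confirmed and queued ahead of this patch. A short comment at the first site in `kernel_exit`, for example `// SB: hold up speculation past the ERET`, would also tell a reader why an instruction follows an exception return that never falls through.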
@@ -0,0 +1,49 @@
+From 50e28a9d6799bd2e46ed3caa58c26aa3fbff00ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jun 2020 22:51:29 -0400
+Subject: cifs: update ctime and mtime during truncate
+
+From: Zhang Xiaoxu
+
+[ Upstream commit 5618303d8516f8ac5ecfe53ee8e8bc9a40eaf066 ]
+
+As the man description of the truncate, if the size changed,
+then the st_ctime and st_mtime fields should be updated. But
+in cifs, we doesn't do it.
+
+It lead the xfstests generic/313 failed.
+
+So, add the ATTR_MTIME|ATTR_CTIME flags on attrs when change
+the file size
+
+Reported-by: Hulk Robot
+Signed-off-by: Zhang Xiaoxu
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 528fe225b65a9..d0d295a28b6e4 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2216,6 +2216,15 @@ set_size_out:
+ if (rc == 0) {
+ cifsInode->server_eof = attrs->ia_size;
+ cifs_setsize(inode, attrs->ia_size);
++
++ /*
++ * The man page of truncate says if the size changed,
++ * then the st_ctime and st_mtime fields for the file
++ * are updated.
++ */
++ attrs->ia_ctime = attrs->ia_mtime = current_time(inode);
++ attrs->ia_valid |= ATTR_CTIME | ATTR_MTIME;
++
+ cifs_truncate_page(inode->i_mapping, inode->i_size);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.14/gpu-host1x-detach-driver-on-unregister.patch b/queue-4.14/gpu-host1x-detach-driver-on-unregister.patch
new file mode 100644
index 00000000000..403cd2f9b97
--- /dev/null
+++ b/queue-4.14/gpu-host1x-detach-driver-on-unregister.patch
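Review bot: The assignment added under `set_size_out:` in fs/cifs/inode.c overwrites `attrs->ia_mtime` unconditionally, so a caller that supplied an explicit modification time together with the size change (`ATTR_MTIME_SET` in `ia_valid`) would have it replaced by `current_time(inode)`. Whether such a request reaches this path is not visible in the hunk, so this needs confirming against the callers. If it can, guard the mtime half, for example `if (!(attrs->ia_valid & ATTR_MTIME_SET)) attrs->ia_mtime = current_time(inode);`. The enclosing function starts and ends outside the hunk.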
@@ -0,0 +1,55 @@
+From b5b7c36b6514e63667622938e9371c10f27d7dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Apr 2020 19:38:02 +0200
+Subject: gpu: host1x: Detach driver on unregister
+
+From: Thierry Reding
+
+[ Upstream commit d9a0a05bf8c76e6dc79230669a8b5d685b168c30 ]
+
+Currently when a host1x device driver is unregistered, it is not
+detached from the host1x controller, which means that the device
+will stay around and when the driver is registered again, it may
+bind to the old, stale device rather than the new one that was
+created from scratch upon driver registration. This in turn can
+cause various weird crashes within the driver core because it is
+confronted with a device that was already deleted.
+
+Fix this by detaching the driver from the host1x controller when
+it is unregistered. This ensures that the deleted device also is
+no longer present in the device list that drivers will bind to.
+
+Reported-by: Sowjanya Komatineni
+Signed-off-by: Thierry Reding
+Tested-by: Sowjanya Komatineni
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/host1x/bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
+index f9cde03030fd9..c2a9dcf6f4907 100644
+--- a/drivers/gpu/host1x/bus.c
++++ b/drivers/gpu/host1x/bus.c
+@@ -615,8 +615,17 @@ EXPORT_SYMBOL(host1x_driver_register_full);
+ */
+ void host1x_driver_unregister(struct host1x_driver *driver)
+ {
++ struct host1x *host1x;
++
+ driver_unregister(&driver->driver);
+
++ mutex_lock(&devices_lock);
++
++ list_for_each_entry(host1x, &devices, list)
++ host1x_detach_driver(host1x, driver);
++
++ mutex_unlock(&devices_lock);
++
+ mutex_lock(&drivers_lock);
+ list_del_init(&driver->list);
+ mutex_unlock(&drivers_lock);
+--
+2.25.1
+
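Review bot: host1x_driver_unregister() in drivers/gpu/host1x/bus.c now walks `devices` under `devices_lock` and calls host1x_detach_driver() for each entry, but nothing in the new lines says why the detach is needed or why it runs after `driver_unregister()`. A comment above `mutex_lock(&devices_lock)` such as `/* detach from every host1x instance so a later register cannot bind to a stale, already deleted device */` would carry the commit message's reasoning into the code. The hunk does not show whether host1x_detach_driver() takes further locks, so the nesting under `devices_lock` should be checked against the attach path.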
diff --git a/queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch b/queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch
new file mode 100644
index 00000000000..030f9ff9607
--- /dev/null
+++ b/queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch
@@ -0,0 +1,112 @@
+From 54eed098499e3d2df8c846d22ec5ef067689e173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2020 13:19:43 +0000
+Subject: ixgbe: protect ring accesses with READ- and WRITE_ONCE
+
+From: Ciara Loftus
+
+[ Upstream commit f140ad9fe2ae16f385f8fe4dc9cf67bb4c51d794 ]
+
+READ_ONCE should be used when reading rings prior to accessing the
+statistics pointer. Introduce this as well as the corresponding WRITE_ONCE
+usage when allocating and freeing the rings, to ensure protected access.
+
+Signed-off-by: Ciara Loftus
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c | 12 ++++++------
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 14 +++++++++++---
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
+index f1bfae0c41d0c..3cf8b3ea43b08 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
+@@ -917,7 +917,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+ ring->queue_index = txr_idx;
+
+ /* assign ring to adapter */
+- adapter->tx_ring[txr_idx] = ring;
++ WRITE_ONCE(adapter->tx_ring[txr_idx], ring);
+
+ /* update count and index */
+ txr_count--;
+@@ -944,7 +944,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+ set_ring_xdp(ring);
+
+ /* assign ring to adapter */
+- adapter->xdp_ring[xdp_idx] = ring;
++ WRITE_ONCE(adapter->xdp_ring[xdp_idx], ring);
+
+ /* update count and index */
+ xdp_count--;
+@@ -991,7 +991,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+ ring->queue_index = rxr_idx;
+
+ /* assign ring to adapter */
+- adapter->rx_ring[rxr_idx] = ring;
++ WRITE_ONCE(adapter->rx_ring[rxr_idx], ring);
+
+ /* update count and index */
+ rxr_count--;
+@@ -1020,13 +1020,13 @@ static void ixgbe_free_q_vector(struct ixgbe_adapter *adapter, int v_idx)
+
+ ixgbe_for_each_ring(ring, q_vector->tx) {
+ if (ring_is_xdp(ring))
+- adapter->xdp_ring[ring->queue_index] = NULL;
++ WRITE_ONCE(adapter->xdp_ring[ring->queue_index], NULL);
+ else
+- adapter->tx_ring[ring->queue_index] = NULL;
++ WRITE_ONCE(adapter->tx_ring[ring->queue_index], NULL);
+ }
+
+ ixgbe_for_each_ring(ring, q_vector->rx)
+- adapter->rx_ring[ring->queue_index] = NULL;
++ WRITE_ONCE(adapter->rx_ring[ring->queue_index], NULL);
+
+ adapter->q_vector[v_idx] = NULL;
+ napi_hash_del(&q_vector->napi);
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 64ee45b6680a0..9c3fa0b555519 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6842,7 +6842,10 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter)
+ }
+
+ for (i = 0; i < adapter->num_rx_queues; i++) {
+- struct ixgbe_ring *rx_ring = adapter->rx_ring[i];
++ struct ixgbe_ring *rx_ring = READ_ONCE(adapter->rx_ring[i]);
++
++ if (!rx_ring)
++ continue;
+ non_eop_descs += rx_ring->rx_stats.non_eop_descs;
+ alloc_rx_page_failed += rx_ring->rx_stats.alloc_rx_page_failed;
+ alloc_rx_buff_failed += rx_ring->rx_stats.alloc_rx_buff_failed;
+@@ -6861,15 +6864,20 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter)
+ packets = 0;
+ /* gather some stats to the adapter struct that are per queue */
+ for (i = 0; i < adapter->num_tx_queues; i++) {
+- struct ixgbe_ring *tx_ring = adapter->tx_ring[i];
++ struct ixgbe_ring *tx_ring = READ_ONCE(adapter->tx_ring[i]);
++
++ if (!tx_ring)
++ continue;
+ restart_queue += tx_ring->tx_stats.restart_queue;
+ tx_busy += tx_ring->tx_stats.tx_busy;
+ bytes += tx_ring->stats.bytes;
+ packets += tx_ring->stats.packets;
+ }
+ for (i = 0; i < adapter->num_xdp_queues; i++) {
+- struct ixgbe_ring *xdp_ring = adapter->xdp_ring[i];
++ struct ixgbe_ring *xdp_ring = READ_ONCE(adapter->xdp_ring[i]);
+
++ if (!xdp_ring)
++ continue;
+ restart_queue += xdp_ring->tx_stats.restart_queue;
+ tx_busy += xdp_ring->tx_stats.tx_busy;
+ bytes += xdp_ring->stats.bytes;
+--
+2.25.1
+
diff --git a/queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch b/queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch
new file mode 100644
index 00000000000..c64bd0a737b
--- /dev/null
+++ b/queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch
@@ -0,0 +1,40 @@
+From 1e651df0804a21ff25cbd15ad58cc2d9e10b8753 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Jun 2020 17:55:25 +0300
+Subject: nvme-rdma: assign completion vector correctly
+
+From: Max Gurtovoy
+
+[ Upstream commit 032a9966a22a3596addf81dacf0c1736dfedc32a ]
+
+The completion vector index that is given during CQ creation can't
+exceed the number of support vectors by the underlying RDMA device. This
+violation currently can accure, for example, in case one will try to
+connect with N regular read/write queues and M poll queues and the sum
+of N + M > num_supported_vectors. This will lead to failure in establish
+a connection to remote target. Instead, in that case, share a completion
+vector between queues.
+
+Signed-off-by: Max Gurtovoy
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 9fffe41ead500..c91bfd839cabe 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -470,7 +470,7 @@ static int nvme_rdma_create_queue_ib(struct nvme_rdma_queue *queue)
+ * Spread I/O queues completion vectors according their queue index.
+ * Admin queues can always go on completion vector 0.
+ */
+- comp_vector = idx == 0 ? idx : idx - 1;
++ comp_vector = (idx == 0 ? idx : idx - 1) % ibdev->num_comp_vectors;
+
+ /* +1 for ib_stop_cq */
+ queue->ib_cq = ib_alloc_cq(ibdev, queue,
+--
+2.25.1
+
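Review bot: The `READ_ONCE()` plus `if (!rx_ring) continue;` pattern added to the three loops of ixgbe_update_stats() in ixgbe_main.c only guards against loading a NULL or torn pointer; nothing in these hunks keeps the ring alive between that load and the following `rx_ring->rx_stats...` reads. If ixgbe_free_q_vector() can run concurrently with the stats path, the check narrows the window for touching a ring that is being released but does not close it. The locking around both functions is outside the hunks, so this needs confirming, and the guarantee should be written next to the first loop, e.g. `/* ring may be NULL while q_vectors are torn down; its lifetime here is held by <lock or RCU section, to be filled in> */`. In the same free path `adapter->q_vector[v_idx] = NULL;` remains a plain store.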
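Review bot: The comment directly above the changed line in nvme_rdma_create_queue_ib() (drivers/nvme/host/rdma.c) still describes a plain spread by queue index and does not mention that the index now wraps. Adding a line such as `* Vectors wrap modulo ibdev->num_comp_vectors, so queues share one when there are more queues than vectors.` would keep it accurate. The new `%` also assumes `ibdev->num_comp_vectors` is non-zero, which the hunk does not show being checked. The function continues outside the hunk.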
diff --git a/queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch b/queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch
new file mode 100644
index 00000000000..a5cfe94fb0e
--- /dev/null
+++ b/queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch
@@ -0,0 +1,42 @@
+From db206edbbcbe8b661a7070cad3aa090624583551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 15:05:49 +0200
+Subject: s390/kasan: fix early pgm check handler execution
+
+From: Vasily Gorbik
+
+[ Upstream commit 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7 ]
+
+Currently if early_pgm_check_handler is called it ends up in pgm check
+loop. The problem is that early_pgm_check_handler is instrumented by
+KASAN but executed without DAT flag enabled which leads to addressing
+exception when KASAN checks try to access shadow memory.
+
+Fix that by executing early handlers with DAT flag on under KASAN as
+expected.
+
+Reported-and-tested-by: Alexander Egorenkov
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/early.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index 4ba5ad44a21a2..73045142febf0 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -317,6 +317,8 @@ static noinline __init void setup_lowcore_early(void)
+ psw_t psw;
+
+ psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA;
++ if (IS_ENABLED(CONFIG_KASAN))
++ psw.mask |= PSW_MASK_DAT;
+ psw.addr = (unsigned long) s390_base_ext_handler;
+ S390_lowcore.external_new_psw = psw;
+ psw.addr = (unsigned long) s390_base_pgm_handler;
+--
+2.25.1
+
diff --git a/queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch b/queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch
new file mode 100644
index 00000000000..acceb91ae8d
--- /dev/null
+++ b/queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch
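Review bot: The two lines added to setup_lowcore_early() in arch/s390/kernel/early.c set `PSW_MASK_DAT` only under `IS_ENABLED(CONFIG_KASAN)` without saying why. A comment like `/* KASAN-instrumented early handlers access shadow memory, which needs DAT on */` would carry the reasoning from the commit message into the code. For this 4.14 queue it is also worth confirming that CONFIG_KASAN is selectable on s390 in that tree; if it is not, the new branch is dead code there and the backport changes nothing. The function body continues past the hunk.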
@@ -0,0 +1,50 @@
+From 680bc5fff53bc3b52d9368719bd7e176eb954e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jun 2020 17:04:46 +0200
+Subject: scsi: mptscsih: Fix read sense data size
+
+From: Tomas Henzl
+
+[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ]
+
+The sense data buffer in sense_buf_pool is allocated with size of
+MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96)
+is used when reading the data. That may lead to a read from unallocated
+area, sometimes from another (unallocated) page. To fix this, limit the
+read size to MPT_SENSE_BUFFER_ALLOC.
+
+Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com
+Co-developed-by: Stanislav Saner
+Signed-off-by: Stanislav Saner
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/message/fusion/mptscsih.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 6ba07c7feb92b..2af7ae13449d3 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
+ int mptscsih_resume(struct pci_dev *pdev);
+ #endif
+
+-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE
+-
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ /*
+@@ -2420,7 +2418,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
+ /* Copy the sense received into the scsi command block. */
+ req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
+ sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
+- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
++ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
+
+ /* Log SMART data (asc = 0x5D, non-IM case only) if required.
+ */
+--
+2.25.1
+
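Review bot: The `memcpy()` in mptscsih_copy_sense_data() is now bounded by the source slot size `MPT_SENSE_BUFFER_ALLOC`, but nothing in the visible lines ties that constant to the size of the destination `sc->sense_buffer`, which the removed `SNS_LEN()` macro equated with `SCSI_SENSE_BUFFERSIZE`. A compile-time guard beside the copy, `BUILD_BUG_ON(MPT_SENSE_BUFFER_ALLOC > SCSI_SENSE_BUFFERSIZE);`, would stop a later change to either constant from turning the former over-read into an over-write. The shorter copy also leaves the tail of `sense_buffer` beyond `MPT_SENSE_BUFFER_ALLOC` untouched, so it relies on the buffer having been cleared earlier. `req_index` is still used to compute the source address without a range check in the lines shown. The function starts and ends outside the hunk.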
diff --git a/queue-4.14/series b/queue-4.14/series
index 253dba996b6..5bfa9665431 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -3,3 +3,15 @@ spi-spi-fsl-dspi-adding-shutdown-hook.patch
 spi-spi-fsl-dspi-fix-lockup-if-device-is-removed-dur.patch
 spi-spi-fsl-dspi-use-irqf_shared-mode-to-request-irq.patch
 spi-spi-fsl-dspi-fix-external-abort-on-interrupt-in-.patch
+arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
+arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch
+gpu-host1x-detach-driver-on-unregister.patch
+spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
+spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
+ixgbe-protect-ring-accesses-with-read-and-write_once.patch
+s390-kasan-fix-early-pgm-check-handler-execution.patch
+cifs-update-ctime-and-mtime-during-truncate.patch
+arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
+scsi-mptscsih-fix-read-sense-data-size.patch
+nvme-rdma-assign-completion-vector-correctly.patch
+x86-entry-increase-entry_stack-size-to-a-full-page.patch
diff --git a/queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch b/queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
new file mode 100644
index 00000000000..7789313ff9a
--- /dev/null
+++ b/queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
@@ -0,0 +1,76 @@
+From 02b87e77f1f6de41df2e7f76ef329c25e665850f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jun 2020 11:21:25 +0800
+Subject: spi: spidev: fix a potential use-after-free in spidev_release()
+
+From: Zhenzhong Duan
+
+[ Upstream commit 06096cc6c5a84ced929634b0d79376b94c65a4bd ]
+
+If an spi device is unbounded from the driver before the release
+process, there will be an NULL pointer reference when it's
+referenced in spi_slave_abort().
+
+Fix it by checking it's already freed before reference.
+
+Signed-off-by: Zhenzhong Duan
+Link: https://lore.kernel.org/r/20200618032125.4650-2-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spidev.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 5edf4029a3486..167047760d79a 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -607,15 +607,20 @@ err_find_dev:
+ static int spidev_release(struct inode *inode, struct file *filp)
+ {
+ struct spidev_data *spidev;
++ int dofree;
+
+ mutex_lock(&device_list_lock);
+ spidev = filp->private_data;
+ filp->private_data = NULL;
+
++ spin_lock_irq(&spidev->spi_lock);
++ /* ... after we unbound from the underlying device? */
++ dofree = (spidev->spi == NULL);
++ spin_unlock_irq(&spidev->spi_lock);
++
+ /* last close? */
+ spidev->users--;
+ if (!spidev->users) {
+- int dofree;
+
+ kfree(spidev->tx_buffer);
+ spidev->tx_buffer = NULL;
+@@ -623,19 +628,14 @@ static int spidev_release(struct inode *inode, struct file *filp)
+ kfree(spidev->rx_buffer);
+ spidev->rx_buffer = NULL;
+
+- spin_lock_irq(&spidev->spi_lock);
+- if (spidev->spi)
+- spidev->speed_hz = spidev->spi->max_speed_hz;
+-
+- /* ... after we unbound from the underlying device? */
+- dofree = (spidev->spi == NULL);
+- spin_unlock_irq(&spidev->spi_lock);
+-
+ if (dofree)
+ kfree(spidev);
++ else
++ spidev->speed_hz = spidev->spi->max_speed_hz;
+ }
+ #ifdef CONFIG_SPI_SLAVE
+- spi_slave_abort(spidev->spi);
++ if (!dofree)
++ spi_slave_abort(spidev->spi);
+ #endif
+ mutex_unlock(&device_list_lock);
+
+--
+2.25.1
+
diff --git a/queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch b/queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
new file mode 100644
index 00000000000..73324a96397
--- /dev/null
+++ b/queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
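Review bot: In spidev_release() the new `else` branch `spidev->speed_hz = spidev->spi->max_speed_hz;` and the guarded `spi_slave_abort(spidev->spi)` dereference `spidev->spi` after `spi_lock` has been released, trusting the earlier `dofree` snapshot. That is only safe if spidev_remove() clears `spidev->spi` while holding `device_list_lock`, which is what the companion race fix listed just before this patch in queue-4.14/series does, so the two must stay together and in that order. A comment at the snapshot, `/* spidev->spi cannot change below: spidev_remove() clears it under device_list_lock */`, would make the dependency explicit. The moved comment `/* ... after we unbound from the underlying device? */` now comes before the `/* last close? */` it used to continue, so it should be reworded to stand on its own.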
@@ -0,0 +1,62 @@
+From 0a5fa72d56f04520648977cf603a8731607a1f89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jun 2020 11:21:24 +0800
+Subject: spi: spidev: fix a race between spidev_release and spidev_remove
+
+From: Zhenzhong Duan
+
+[ Upstream commit abd42781c3d2155868821f1b947ae45bbc33330d ]
+
+Imagine below scene, spidev is referenced after it's freed.
+
+spidev_release() spidev_remove()
+...
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+mutex_lock(&device_list_lock);
+dofree = (spidev->spi == NULL);
+if (dofree)
+ kfree(spidev);
+mutex_unlock(&device_list_lock);
+ mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+ if (spidev->users == 0)
+ kfree(spidev);
+ mutex_unlock(&device_list_lock);
+
+Fix it by resetting spidev->spi in device_list_lock's protection.
+
+Signed-off-by: Zhenzhong Duan
+Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spidev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 028725573e632..5edf4029a3486 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -782,13 +782,13 @@ static int spidev_remove(struct spi_device *spi)
+ {
+ struct spidev_data *spidev = spi_get_drvdata(spi);
+
++ /* prevent new opens */
++ mutex_lock(&device_list_lock);
+ /* make sure ops on existing fds can abort cleanly */
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+
+- /* prevent new opens */
+- mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+--
+2.25.1
+
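Review bot: The comment `/* prevent new opens */` moved up together with `mutex_lock(&device_list_lock)` in spidev_remove(), but the reason the mutex is now taken first is to serialize the `spidev->spi = NULL` store against spidev_release(), which the comment does not say. Suggested wording: `/* prevent new opens and serialize the spi = NULL store against spidev_release() */`. The change also fixes a nesting order of `device_list_lock` outside `spi_lock`; the hunk cannot show whether another path takes them in the opposite order, so that is worth checking. The function continues outside the hunk.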
diff --git a/queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch b/queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch
new file mode 100644
index 00000000000..38885e63b30
--- /dev/null
+++ b/queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch
@@ -0,0 +1,40 @@
+From 545c79297eb22d9bb9522c1de423695d56868ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 18:25:57 +0200
+Subject: x86/entry: Increase entry_stack size to a full page
+
+From: Peter Zijlstra
+
+[ Upstream commit c7aadc09321d8f9a1d3bd1e6d8a47222ecddf6c5 ]
+
+Marco crashed in bad_iret with a Clang11/KCSAN build due to
+overflowing the stack. Now that we run C code on it, expand it to a
+full page.
+
+Suggested-by: Andy Lutomirski
+Reported-by: Marco Elver
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Lai Jiangshan
+Tested-by: Marco Elver
+Link: https://lkml.kernel.org/r/20200618144801.819246178@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index 6a87eda9691e4..56a89519dc144 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -344,7 +344,7 @@ struct x86_hw_tss {
+ #define INVALID_IO_BITMAP_OFFSET 0x8000
+
+ struct entry_stack {
+- unsigned long words[64];
++ char stack[PAGE_SIZE];
+ };
+
+ struct entry_stack_page {
+--
+2.25.1
+
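Review bot: `struct entry_stack` in arch/x86/include/asm/processor.h changes from `unsigned long words[64]` to `char stack[PAGE_SIZE]` without a comment on why a full page is needed. The element type change also lowers the member's natural alignment from `unsigned long` to `char`, so the stack's alignment now depends entirely on how the enclosing `struct entry_stack_page` is declared, and its attributes are outside the hunk. A comment above the member such as `/* one full page: C code runs on this stack */` would record the sizing reason from the commit message. Any remaining user of the old `words` member name in the 4.14 tree would fail to build.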