From: Sasha Levin Date: Sat, 13 Mar 2021 04:07:14 +0000 (-0500) Subject: Fixes for 4.9 X-Git-Tag: v4.4.262~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f6f504f2bd9ec5c318399ce0a0da93f7316858e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/mmc-mediatek-fix-race-condition-between-msdc_request.patch b/queue-4.9/mmc-mediatek-fix-race-condition-between-msdc_request.patch new file mode 100644 index 00000000000..c44fb8dfd00 --- /dev/null +++ b/queue-4.9/mmc-mediatek-fix-race-condition-between-msdc_request.patch @@ -0,0 +1,85 @@ +From 315bf82e295dd2095c4209f7f191ac5f755379df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Dec 2020 15:16:11 +0800 +Subject: mmc: mediatek: fix race condition between msdc_request_timeout and + irq + +From: Chaotian Jing + +[ Upstream commit 0354ca6edd464a2cf332f390581977b8699ed081 ] + +when get request SW timeout, if CMD/DAT xfer done irq coming right now, +then there is race between the msdc_request_timeout work and irq handler, +and the host->cmd and host->data may set to NULL in irq handler. also, +current flow ensure that only one path can go to msdc_request_done(), so +no need check the return value of cancel_delayed_work(). + +Signed-off-by: Chaotian Jing +Link: https://lore.kernel.org/r/20201218071611.12276-1-chaotian.jing@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mtk-sd.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c +index 7fc6ce381142..125c06a10455 100644 +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -741,13 +741,13 @@ static void msdc_track_cmd_data(struct msdc_host *host, + static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq) + { + unsigned long flags; +- bool ret; + +- ret = cancel_delayed_work(&host->req_timeout); +- if (!ret) { +- /* delay work already running */ +- return; +- } ++ /* ++ * No need check the return value of cancel_delayed_work, as only ONE ++ * path will go here! ++ */ ++ cancel_delayed_work(&host->req_timeout); ++ + spin_lock_irqsave(&host->lock, flags); + host->mrq = NULL; + spin_unlock_irqrestore(&host->lock, flags); +@@ -765,7 +765,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events, + bool done = false; + bool sbc_error; + unsigned long flags; +- u32 *rsp = cmd->resp; ++ u32 *rsp; + + if (mrq->sbc && cmd == mrq->cmd && + (events & (MSDC_INT_ACMDRDY | MSDC_INT_ACMDCRCERR +@@ -786,6 +786,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events, + + if (done) + return true; ++ rsp = cmd->resp; + + sdr_clr_bits(host->base + MSDC_INTEN, cmd_ints_mask); + +@@ -968,7 +969,7 @@ static void msdc_data_xfer_next(struct msdc_host *host, + static bool msdc_data_xfer_done(struct msdc_host *host, u32 events, + struct mmc_request *mrq, struct mmc_data *data) + { +- struct mmc_command *stop = data->stop; ++ struct mmc_command *stop; + unsigned long flags; + bool done; + unsigned int check_data = events & +@@ -984,6 +985,7 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events, + + if (done) + return true; ++ stop = data->stop; + + if (check_data || (stop && stop->error)) { + dev_dbg(host->dev, "DMA status: 0x%8X\n", +-- +2.30.1 + diff --git a/queue-4.9/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch b/queue-4.9/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch new file mode 100644 index 00000000000..c14f921c333 --- /dev/null +++ b/queue-4.9/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch @@ -0,0 +1,37 @@ +From 5ecf56b59a5df94bc9b2ecac06a8057901446d5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Dec 2020 21:35:27 +0100 +Subject: mmc: mxs-mmc: Fix a resource leak in an error handling path in + 'mxs_mmc_probe()' + +From: Christophe JAILLET + +[ Upstream commit 0bb7e560f821c7770973a94e346654c4bdccd42c ] + +If 'mmc_of_parse()' fails, we must undo the previous 'dma_request_chan()' +call. + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201208203527.49262-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mxs-mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c +index c8b8ac66ff7e..687fd68fbbcd 100644 +--- a/drivers/mmc/host/mxs-mmc.c ++++ b/drivers/mmc/host/mxs-mmc.c +@@ -651,7 +651,7 @@ static int mxs_mmc_probe(struct platform_device *pdev) + + ret = mmc_of_parse(mmc); + if (ret) +- goto out_clk_disable; ++ goto out_free_dma; + + mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34; + +-- +2.30.1 + diff --git a/queue-4.9/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch b/queue-4.9/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch new file mode 100644 index 00000000000..b09c3271b36 --- /dev/null +++ b/queue-4.9/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch @@ -0,0 +1,50 @@ +From 0a422af87364e125e51e5b7e8223035a55291054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 22:24:35 +0100 +Subject: PCI: xgene-msi: Fix race in installing chained irq handler + +From: Martin Kaiser + +[ Upstream commit a93c00e5f975f23592895b7e83f35de2d36b7633 ] + +Fix a race where a pending interrupt could be received and the handler +called before the handler's data has been setup, by converting to +irq_set_chained_handler_and_data(). + +See also 2cf5a03cb29d ("PCI/keystone: Fix race in installing chained IRQ +handler"). + +Based on the mail discussion, it seems ok to drop the error handling. + +Link: https://lore.kernel.org/r/20210115212435.19940-3-martin@kaiser.cx +Signed-off-by: Martin Kaiser +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pci-xgene-msi.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/host/pci-xgene-msi.c b/drivers/pci/host/pci-xgene-msi.c +index a6456b578269..b6a099371ad2 100644 +--- a/drivers/pci/host/pci-xgene-msi.c ++++ b/drivers/pci/host/pci-xgene-msi.c +@@ -393,13 +393,9 @@ static int xgene_msi_hwirq_alloc(unsigned int cpu) + if (!msi_group->gic_irq) + continue; + +- irq_set_chained_handler(msi_group->gic_irq, +- xgene_msi_isr); +- err = irq_set_handler_data(msi_group->gic_irq, msi_group); +- if (err) { +- pr_err("failed to register GIC IRQ handler\n"); +- return -EINVAL; +- } ++ irq_set_chained_handler_and_data(msi_group->gic_irq, ++ xgene_msi_isr, msi_group); ++ + /* + * Statically allocate MSI GIC IRQs to each CPU core. + * With 8-core X-Gene v1, 2 MSI GIC IRQs are allocated +-- +2.30.1 + diff --git a/queue-4.9/powerpc-perf-record-counter-overflow-always-if-sampl.patch b/queue-4.9/powerpc-perf-record-counter-overflow-always-if-sampl.patch new file mode 100644 index 00000000000..5c9d05fba23 --- /dev/null +++ b/queue-4.9/powerpc-perf-record-counter-overflow-always-if-sampl.patch @@ -0,0 +1,80 @@ +From 76c0c04f945d356977a2bc56790ae91e88364508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 04:14:52 -0500 +Subject: powerpc/perf: Record counter overflow always if SAMPLE_IP is unset + +From: Athira Rajeev + +[ Upstream commit d137845c973147a22622cc76c7b0bc16f6206323 ] + +While sampling for marked events, currently we record the sample only +if the SIAR valid bit of Sampled Instruction Event Register (SIER) is +set. SIAR_VALID bit is used for fetching the instruction address from +Sampled Instruction Address Register(SIAR). But there are some +usecases, where the user is interested only in the PMU stats at each +counter overflow and the exact IP of the overflow event is not +required. Dropping SIAR invalid samples will fail to record some of +the counter overflows in such cases. + +Example of such usecase is dumping the PMU stats (event counts) after +some regular amount of instructions/events from the userspace (ex: via +ptrace). Here counter overflow is indicated to userspace via signal +handler, and captured by monitoring and enabling I/O signaling on the +event file descriptor. In these cases, we expect to get +sample/overflow indication after each specified sample_period. + +Perf event attribute will not have PERF_SAMPLE_IP set in the +sample_type if exact IP of the overflow event is not requested. So +while profiling if SAMPLE_IP is not set, just record the counter +overflow irrespective of SIAR_VALID check. + +Suggested-by: Michael Ellerman +Signed-off-by: Athira Rajeev +[mpe: Reflow comment and if formatting] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1612516492-1428-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/core-book3s.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 1f1ac446ace9..f2d8f35c181f 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -2010,7 +2010,17 @@ static void record_and_restart(struct perf_event *event, unsigned long val, + left += period; + if (left <= 0) + left = period; +- record = siar_valid(regs); ++ ++ /* ++ * If address is not requested in the sample via ++ * PERF_SAMPLE_IP, just record that sample irrespective ++ * of SIAR valid check. ++ */ ++ if (event->attr.sample_type & PERF_SAMPLE_IP) ++ record = siar_valid(regs); ++ else ++ record = 1; ++ + event->hw.last_period = event->hw.sample_period; + } + if (left < 0x80000000LL) +@@ -2028,9 +2038,10 @@ static void record_and_restart(struct perf_event *event, unsigned long val, + * MMCR2. Check attr.exclude_kernel and address to drop the sample in + * these cases. + */ +- if (event->attr.exclude_kernel && record) +- if (is_kernel_addr(mfspr(SPRN_SIAR))) +- record = 0; ++ if (event->attr.exclude_kernel && ++ (event->attr.sample_type & PERF_SAMPLE_IP) && ++ is_kernel_addr(mfspr(SPRN_SIAR))) ++ record = 0; + + /* + * Finally record data if requested. +-- +2.30.1 + diff --git a/queue-4.9/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch b/queue-4.9/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch new file mode 100644 index 00000000000..810e4ac354b --- /dev/null +++ b/queue-4.9/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch @@ -0,0 +1,36 @@ +From 309029564c48e9cbed6c6e67daa18649a2881aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Feb 2021 07:13:02 +0100 +Subject: s390/smp: __smp_rescan_cpus() - move cpumask away from stack + +From: Heiko Carstens + +[ Upstream commit 62c8dca9e194326802b43c60763f856d782b225c ] + +Avoid a potentially large stack frame and overflow by making +"cpumask_t avail" a static variable. There is no concurrent +access due to the existing locking. + +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index cba8e56cd63d..54eb8fe95212 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -727,7 +727,7 @@ static int smp_add_core(struct sclp_core_entry *core, cpumask_t *avail, + static int __smp_rescan_cpus(struct sclp_core_info *info, bool early) + { + struct sclp_core_entry *core; +- cpumask_t avail; ++ static cpumask_t avail; + bool configured; + u16 core_id; + int nr, i; +-- +2.30.1 + diff --git a/queue-4.9/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch b/queue-4.9/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch new file mode 100644 index 00000000000..2b481a03917 --- /dev/null +++ b/queue-4.9/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch @@ -0,0 +1,50 @@ +From a61d03cebc1d73f9ac4addf7d842f1e139c42864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Feb 2021 22:46:00 -0600 +Subject: scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling + +From: Mike Christie + +[ Upstream commit d28d48c699779973ab9a3bd0e5acfa112bd4fdef ] + +If iscsi_prep_scsi_cmd_pdu() fails we try to add it back to the cmdqueue, +but we leave it partially setup. We don't have functions that can undo the +pdu and init task setup. We only have cleanup_task which can clean up both +parts. So this has us just fail the cmd and go through the standard cleanup +routine and then have the SCSI midlayer retry it like is done when it fails +in the queuecommand path. + +Link: https://lore.kernel.org/r/20210207044608.27585-2-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index b9c924bb6e3d..50e2943c3337 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1568,14 +1568,9 @@ static int iscsi_data_xmit(struct iscsi_conn *conn) + } + rc = iscsi_prep_scsi_cmd_pdu(conn->task); + if (rc) { +- if (rc == -ENOMEM || rc == -EACCES) { +- spin_lock_bh(&conn->taskqueuelock); +- list_add_tail(&conn->task->running, +- &conn->cmdqueue); +- conn->task = NULL; +- spin_unlock_bh(&conn->taskqueuelock); +- goto done; +- } else ++ if (rc == -ENOMEM || rc == -EACCES) ++ fail_scsi_task(conn->task, DID_IMM_RETRY); ++ else + fail_scsi_task(conn->task, DID_ABORT); + spin_lock_bh(&conn->taskqueuelock); + continue; +-- +2.30.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 79522ecd50e..54ca373f6cd 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -15,3 +15,10 @@ net-lapbether-remove-netif_start_queue-netif_stop_queue.patch net-davicom-fix-regulator-not-turned-off-on-failed-probe.patch net-davicom-fix-regulator-not-turned-off-on-driver-removal.patch media-usbtv-fix-deadlock-on-suspend.patch +udf-fix-silent-aed-taglocation-corruption.patch +mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch +mmc-mediatek-fix-race-condition-between-msdc_request.patch +powerpc-perf-record-counter-overflow-always-if-sampl.patch +pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch +s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch +scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch diff --git a/queue-4.9/udf-fix-silent-aed-taglocation-corruption.patch b/queue-4.9/udf-fix-silent-aed-taglocation-corruption.patch new file mode 100644 index 00000000000..58dd3ff4cca --- /dev/null +++ b/queue-4.9/udf-fix-silent-aed-taglocation-corruption.patch @@ -0,0 +1,53 @@ +From 731970a532d3bcf2d3b6c52ed4f5e57cf0b48271 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 17:41:16 -0600 +Subject: udf: fix silent AED tagLocation corruption + +From: Steven J. Magnani + +[ Upstream commit 63c9e47a1642fc817654a1bc18a6ec4bbcc0f056 ] + +When extending a file, udf_do_extend_file() may enter following empty +indirect extent. At the end of udf_do_extend_file() we revert prev_epos +to point to the last written extent. However if we end up not adding any +further extent in udf_do_extend_file(), the reverting points prev_epos +into the header area of the AED and following updates of the extents +(in udf_update_extents()) will corrupt the header. + +Make sure that we do not follow indirect extent if we are not going to +add any more extents so that returning back to the last written extent +works correctly. + +Link: https://lore.kernel.org/r/20210107234116.6190-2-magnani@ieee.org +Signed-off-by: Steven J. Magnani +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 149baf5f3d19..50607673a6a9 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -548,11 +548,14 @@ static int udf_do_extend_file(struct inode *inode, + + udf_write_aext(inode, last_pos, &last_ext->extLocation, + last_ext->extLength, 1); ++ + /* +- * We've rewritten the last extent but there may be empty +- * indirect extent after it - enter it. ++ * We've rewritten the last extent. If we are going to add ++ * more extents, we may need to enter possible following ++ * empty indirect extent. + */ +- udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0); ++ if (new_block_bytes || prealloc_len) ++ udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0); + } + + /* Managed to do everything necessary? */ +-- +2.30.1 +