From: Greg Kroah-Hartman
Date: Sat, 31 Oct 2020 10:23:36 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.74~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8cd7f274340125244d75cd1e1ebd7cf57c7803a5;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
ata-sata_rcar-fix-dma-boundary-mask.patch
fuse-fix-page-dereference-after-free.patch
mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
---
diff --git a/queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch b/queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
new file mode 100644
index 00000000000..ca3f7de65e1
--- /dev/null
+++ b/queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
@@ -0,0 +1,76 @@
+From 221bfce5ebbdf72ff08b3bf2510ae81058ee568b Mon Sep 17 00:00:00 2001
+From: Kim Phillips
+Date: Tue, 8 Sep 2020 16:47:36 -0500
+Subject: arch/x86/amd/ibs: Fix re-arming IBS Fetch
+
+From: Kim Phillips
+
+commit 221bfce5ebbdf72ff08b3bf2510ae81058ee568b upstream.
+
+Stephane Eranian found a bug in that IBS' current Fetch counter was not
+being reset when the driver would write the new value to clear it along
+with the enable bit set, and found that adding an MSR write that would
+first disable IBS Fetch would make IBS Fetch reset its current count.
+
+Indeed, the PPR for AMD Family 17h Model 31h B0 55803 Rev 0.54 - Sep 12,
+2019 states "The periodic fetch counter is set to IbsFetchCnt [...] when
+IbsFetchEn is changed from 0 to 1."
+
+Explicitly set IbsFetchEn to 0 and then to 1 when re-enabling IBS Fetch,
+so the driver properly resets the internal counter to 0 and IBS
+Fetch starts counting again.
+
+A family 15h machine tested does not have this problem, and the extra
+wrmsr is also not needed on Family 19h, so only do the extra wrmsr on
+families 16h through 18h.
+
+Reported-by: Stephane Eranian
+Signed-off-by: Kim Phillips
+[peterz: optimized]
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/events/amd/ibs.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -88,6 +88,7 @@ struct perf_ibs {
+ u64 max_period;
+ unsigned long offset_mask[1];
+ int offset_max;
++ unsigned int fetch_count_reset_broken : 1;
+ struct cpu_perf_ibs __percpu *pcpu;
+
+ struct attribute **format_attrs;
+@@ -374,7 +375,12 @@ perf_ibs_event_update(struct perf_ibs *p
+ static inline void perf_ibs_enable_event(struct perf_ibs *perf_ibs,
+ struct hw_perf_event *hwc, u64 config)
+ {
+- wrmsrl(hwc->config_base, hwc->config | config | perf_ibs->enable_mask);
++ u64 tmp = hwc->config | config;
++
++ if (perf_ibs->fetch_count_reset_broken)
++ wrmsrl(hwc->config_base, tmp & ~perf_ibs->enable_mask);
++
++ wrmsrl(hwc->config_base, tmp | perf_ibs->enable_mask);
+ }
+
+ /*
+@@ -743,6 +749,13 @@ static __init void perf_event_ibs_init(v
+ {
+ struct attribute **attr = ibs_op_format_attrs;
+
++ /*
++ * Some chips fail to reset the fetch count when it is written; instead
++ * they need a 0-1 transition of IbsFetchEn.
++ */
++ if (boot_cpu_data.x86 >= 0x16 && boot_cpu_data.x86 <= 0x18)
++ perf_ibs_fetch.fetch_count_reset_broken = 1;
++
+ perf_ibs_pmu_init(&perf_ibs_fetch, "ibs_fetch");
+
+ if (ibs_caps & IBS_CAPS_OPCNT) {
diff --git a/queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch b/queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch
new file mode 100644
index 00000000000..7282da15249
--- /dev/null
+++ b/queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch
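Review bot: In `perf_ibs_enable_event()` (arch/x86/events/amd/ibs.c, added by arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch) the two back-to-back `wrmsrl()` calls carry no comment, and the explanation sits only in `perf_event_ibs_init()`, so the first write looks redundant at the one place where it matters. I would add above the conditional: `/* Affected families reload the fetch counter only on a 0->1 transition of the enable bit, so clear it first. */`. The family range `0x16`..`0x18` matches the description. `perf_event_ibs_init()` continues outside the hunk.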
@@ -0,0 +1,70 @@
+From df9c590986fdb6db9d5636d6cd93bc919c01b451 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Thu, 17 Sep 2020 15:09:20 +0200
+Subject: ata: sata_rcar: Fix DMA boundary mask
+
+From: Geert Uytterhoeven
+
+commit df9c590986fdb6db9d5636d6cd93bc919c01b451 upstream.
+
+Before commit 9495b7e92f716ab2 ("driver core: platform: Initialize
+dma_parms for platform devices"), the R-Car SATA device didn't have DMA
+parameters. Hence the DMA boundary mask supplied by its driver was
+silently ignored, as __scsi_init_queue() doesn't check the return value
+of dma_set_seg_boundary(), and the default value of 0xffffffff was used.
+
+Now the device has gained DMA parameters, the driver-supplied value is
+used, and the following warning is printed on Salvator-XS:
+
+ DMA-API: sata_rcar ee300000.sata: mapping sg segment across boundary [start=0x00000000ffffe000] [end=0x00000000ffffefff] [boundary=0x000000001ffffffe]
+ WARNING: CPU: 5 PID: 38 at kernel/dma/debug.c:1233 debug_dma_map_sg+0x298/0x300
+
+(the range of start/end values depend on whether IOMMU support is
+ enabled or not)
+
+The issue here is that SATA_RCAR_DMA_BOUNDARY doesn't have bit 0 set, so
+any typical end value, which is odd, will trigger the check.
+
+Fix this by increasing the DMA boundary value by 1.
+
+This also fixes the following WRITE DMA EXT timeout issue:
+
+ # dd if=/dev/urandom of=/mnt/de1/file1-1024M bs=1M count=1024
+ ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
+ ata1.00: failed command: WRITE DMA EXT
+ ata1.00: cmd 35/00:00:00:e6:0c/00:0a:00:00:00/e0 tag 0 dma 1310720 out
+ res 40/00:01:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
+ ata1.00: status: { DRDY }
+
+as seen by Shimoda-san since commit 429120f3df2dba2b ("block: fix
+splitting segments on boundary masks").
+
+Fixes: 8bfbeed58665dbbf ("sata_rcar: correct 'sata_rcar_sht'")
+Fixes: 9495b7e92f716ab2 ("driver core: platform: Initialize dma_parms for platform devices")
+Fixes: 429120f3df2dba2b ("block: fix splitting segments on boundary masks")
+Signed-off-by: Geert Uytterhoeven
+Tested-by: Lad Prabhakar
+Tested-by: Yoshihiro Shimoda
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Greg Kroah-Hartman
+Reviewed-by: Sergei Shtylyov
+Reviewed-by: Ulf Hansson
+Cc: stable
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/sata_rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -122,7 +122,7 @@
+ /* Descriptor table word 0 bit (when DTA32M = 1) */
+ #define SATA_RCAR_DTEND BIT(0)
+
+-#define SATA_RCAR_DMA_BOUNDARY 0x1FFFFFFEUL
++#define SATA_RCAR_DMA_BOUNDARY 0x1FFFFFFFUL
+
+ /* Gen2 Physical Layer Control Registers */
+ #define RCAR_GEN2_PHY_CTL1_REG 0x1704
diff --git a/queue-4.9/fuse-fix-page-dereference-after-free.patch b/queue-4.9/fuse-fix-page-dereference-after-free.patch
new file mode 100644
index 00000000000..6e9cd707bb6
--- /dev/null
+++ b/queue-4.9/fuse-fix-page-dereference-after-free.patch
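Review bot: `SATA_RCAR_DMA_BOUNDARY` in drivers/ata/sata_rcar.c (ata-sata_rcar-fix-dma-boundary-mask.patch) is used as a mask, yet nothing at the define says so, and the removed value `0x1FFFFFFEUL` shows how easily an even number passes for a limit there. A one-line comment would keep it from regressing: `/* DMA segment boundary mask (boundary size - 1): all low bits must be set */`. The place where the driver hands this value to the DMA layer is outside the hunk, so the wording should be checked against that use.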
@@ -0,0 +1,111 @@
+From d78092e4937de9ce55edcb4ee4c5e3c707be0190 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 18 Sep 2020 10:36:50 +0200
+Subject: fuse: fix page dereference after free
+
+From: Miklos Szeredi
+
+commit d78092e4937de9ce55edcb4ee4c5e3c707be0190 upstream.
+
+After unlock_request() pages from the ap->pages[] array may be put (e.g. by
+aborting the connection) and the pages can be freed.
+
+Prevent use after free by grabbing a reference to the page before calling
+unlock_request().
+
+The original patch was created by Pradeep P V K.
+
+Reported-by: Pradeep P V K
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -846,15 +846,16 @@ static int fuse_try_move_page(struct fus
+ struct page *newpage;
+ struct pipe_buffer *buf = cs->pipebufs;
+
++ get_page(oldpage);
+ err = unlock_request(cs->req);
+ if (err)
+- return err;
++ goto out_put_old;
+
+ fuse_copy_finish(cs);
+
+ err = pipe_buf_confirm(cs->pipe, buf);
+ if (err)
+- return err;
++ goto out_put_old;
+
+ BUG_ON(!cs->nr_segs);
+ cs->currbuf = buf;
+@@ -894,7 +895,7 @@ static int fuse_try_move_page(struct fus
+ err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL);
+ if (err) {
+ unlock_page(newpage);
+- return err;
++ goto out_put_old;
+ }
+
+ get_page(newpage);
+@@ -913,14 +914,19 @@ static int fuse_try_move_page(struct fus
+ if (err) {
+ unlock_page(newpage);
+ put_page(newpage);
+- return err;
++ goto out_put_old;
+ }
+
+ unlock_page(oldpage);
++ /* Drop ref for ap->pages[] array */
+ put_page(oldpage);
+ cs->len = 0;
+
+- return 0;
++ err = 0;
++out_put_old:
++ /* Drop ref obtained in this function */
++ put_page(oldpage);
++ return err;
+
+ out_fallback_unlock:
+ unlock_page(newpage);
+@@ -929,10 +935,10 @@ out_fallback:
+ cs->offset = buf->offset;
+
+ err = lock_request(cs->req);
+- if (err)
+- return err;
++ if (!err)
++ err = 1;
+
+- return 1;
++ goto out_put_old;
+ }
+
+ static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page,
+@@ -944,14 +950,16 @@ static int fuse_ref_page(struct fuse_cop
+ if (cs->nr_segs == cs->pipe->buffers)
+ return -EIO;
+
++ get_page(page);
+ err = unlock_request(cs->req);
+- if (err)
++ if (err) {
++ put_page(page);
+ return err;
++ }
+
+ fuse_copy_finish(cs);
+
+ buf = cs->pipebufs;
+- get_page(page);
+ buf->page = page;
+ buf->offset = offset;
+ buf->len = count;
diff --git a/queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch b/queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
new file mode 100644
index 00000000000..9245c390205
--- /dev/null
+++ b/queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
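Review bot: `get_page(oldpage)` at the top of `fuse_try_move_page()` and `get_page(page)` in `fuse_ref_page()` (fs/fuse/dev.c, fuse-fix-page-dereference-after-free.patch) are uncommented while both `put_page(oldpage)` calls are, so the reason for the extra reference lives only in the commit message; I would add `/* Pin the page: once unlock_request() returns, an abort may drop the request's reference */` above each. The fix holds only if every exit after that `get_page()` reaches `out_put_old`. The hunks convert each `return` they show, but the code between them is not visible here, so on the 4.9 tree it should be confirmed that no direct `return` is left, since one would leak a page reference. The added comment names `ap->pages[]`, which is taken from the upstream code and may not match the structure name in 4.9 (not checkable from this page).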
@@ -0,0 +1,51 @@
+From 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 27 Apr 2020 14:50:37 -0500
+Subject: mtd: lpddr: Fix bad logic in print_drs_error
+
+From: Gustavo A. R. Silva
+
+commit 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc upstream.
+
+Update logic for broken test. Use a more common logging style.
+
+It appears the logic in this function is broken for the
+consecutive tests of
+
+ if (prog_status & 0x3)
+ ...
+ else if (prog_status & 0x2)
+ ...
+ else (prog_status & 0x1)
+ ...
+
+Likely the first test should be
+
+ if ((prog_status & 0x3) == 0x3)
+
+Found by inspection of include files using printk.
+
+Fixes: eb3db27507f7 ("[MTD] LPDDR PFOW definition")
+Cc: stable@vger.kernel.org
+Reported-by: Joe Perches
+Signed-off-by: Gustavo A. R. Silva
+Acked-by: Miquel Raynal
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/3fb0e29f5b601db8be2938a01d974b00c8788501.1588016644.git.gustavo@embeddedor.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mtd/pfow.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mtd/pfow.h
++++ b/include/linux/mtd/pfow.h
+@@ -127,7 +127,7 @@ static inline void print_drs_error(unsig
+
+ if (!(dsr & DSR_AVAILABLE))
+ printk(KERN_NOTICE"DSR.15: (0) Device not Available\n");
+- if (prog_status & 0x03)
++ if ((prog_status & 0x03) == 0x03)
+ printk(KERN_NOTICE"DSR.9,8: (11) Attempt to program invalid "
+ "half with 41h command\n");
+ else if (prog_status & 0x02)
diff --git a/queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch b/queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
new file mode 100644
index 00000000000..a23a228c253
--- /dev/null
+++ b/queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
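Review bot: After the fix the decode in `print_drs_error()` (include/linux/mtd/pfow.h, mtd-lpddr-fix-bad-logic-in-print_drs_error.patch) mixes one equality test with plain bit tests, so `else if (prog_status & 0x02)` is correct only because it comes after the `== 0x03` case. Writing the later branches the same way, `else if ((prog_status & 0x03) == 0x02)` and likewise for the `0x1` branch quoted in the description, or using `switch (prog_status & 0x03)`, would make each branch correct on its own and independent of order. The description also mentions "a more common logging style", but the hunk leaves the `printk(KERN_NOTICE ...)` calls unchanged. The function continues outside the hunk.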
@@ -0,0 +1,56 @@
+From 478762855b5ae9f68fa6ead1edf7abada70fcd5f Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Sun, 2 Aug 2020 21:29:49 +0800
+Subject: p54: avoid accessing the data mapped to streaming DMA
+
+From: Jia-Ju Bai
+
+commit 478762855b5ae9f68fa6ead1edf7abada70fcd5f upstream.
+
+In p54p_tx(), skb->data is mapped to streaming DMA on line 337:
+ mapping = pci_map_single(..., skb->data, ...);
+
+Then skb->data is accessed on line 349:
+ desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
+
+This access may cause data inconsistency between CPU cache and hardware.
+
+To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
+a local variable before DMA mapping, and then the driver accesses this
+local variable instead of skb->data.
+
+Cc:
+Signed-off-by: Jia-Ju Bai
+Acked-by: Christian Lamparter
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200802132949.26788-1-baijiaju@tsinghua.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intersil/p54/p54pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intersil/p54/p54pci.c
++++ b/drivers/net/wireless/intersil/p54/p54pci.c
+@@ -332,10 +332,12 @@ static void p54p_tx(struct ieee80211_hw
+ struct p54p_desc *desc;
+ dma_addr_t mapping;
+ u32 idx, i;
++ __le32 device_addr;
+
+ spin_lock_irqsave(&priv->lock, flags);
+ idx = le32_to_cpu(ring_control->host_idx[1]);
+ i = idx % ARRAY_SIZE(ring_control->tx_data);
++ device_addr = ((struct p54_hdr *)skb->data)->req_id;
+
+ mapping = pci_map_single(priv->pdev, skb->data, skb->len,
+ PCI_DMA_TODEVICE);
+@@ -349,7 +351,7 @@ static void p54p_tx(struct ieee80211_hw
+
+ desc = &ring_control->tx_data[i];
+ desc->host_addr = cpu_to_le32(mapping);
+- desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
++ desc->device_addr = device_addr;
+ desc->len = cpu_to_le16(skb->len);
+ desc->flags = 0;
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 068533b2184..2cafdd82dda 100644
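Review bot: The early read `device_addr = ((struct p54_hdr *)skb->data)->req_id;` in `p54p_tx()` (drivers/net/wireless/intersil/p54/p54pci.c, p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch) has no comment, although its position before `pci_map_single()` is the entire fix and a later cleanup could move it back next to the descriptor writes. I would add above it: `/* Read req_id before mapping: the CPU must not touch skb->data while it is mapped for the device */`. The read does not depend on ring state, so it could also be done at the declaration rather than under `priv->lock`. `p54p_tx()` starts and ends outside the hunks.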
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -4,3 +4,8 @@ powerpc-powernv-opal-dump-use-irq_handled-instead-of-numbers-in-interrupt-handle
 efivarfs-replace-invalid-slashes-with-exclamation-marks-in-dentries.patch
 ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch
 tipc-fix-memory-leak-caused-by-tipc_buf_append.patch
+arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
+fuse-fix-page-dereference-after-free.patch
+p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
+mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
+ata-sata_rcar-fix-dma-boundary-mask.patch