From: Greg Kroah-Hartman Date: Fri, 10 Apr 2020 11:25:38 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.219~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=942cd7c41866e4c1eda31716860b8e62d6a7060a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: asoc-jz4740-i2s-fix-divider-written-at-incorrect-offset-in-register.patch ceph-canonicalize-server-path-in-place.patch ceph-remove-the-extra-slashes-in-the-server-path.patch hwrng-imx-rngc-fix-an-error-path.patch ib-hfi1-call-kobject_put-when-kobject_init_and_add-fails.patch ib-hfi1-fix-memory-leaks-in-sysfs-registration-and-unregistration.patch random-always-use-batched-entropy-for-get_random_u-32-64.patch tools-accounting-getdelays.c-fix-netlink-attribute-length.patch usb-dwc3-gadget-wrap-around-when-skip-trbs.patch --- diff --git a/queue-4.19/asoc-jz4740-i2s-fix-divider-written-at-incorrect-offset-in-register.patch b/queue-4.19/asoc-jz4740-i2s-fix-divider-written-at-incorrect-offset-in-register.patch new file mode 100644 index 00000000000..fdb12973f00 --- /dev/null +++ b/queue-4.19/asoc-jz4740-i2s-fix-divider-written-at-incorrect-offset-in-register.patch @@ -0,0 +1,34 @@ +From 9401d5aa328e64617d87abd59af1c91cace4c3e4 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Fri, 6 Mar 2020 23:29:27 +0100 +Subject: ASoC: jz4740-i2s: Fix divider written at incorrect offset in register + +From: Paul Cercueil + +commit 9401d5aa328e64617d87abd59af1c91cace4c3e4 upstream. + +The 4-bit divider value was written at offset 8, while the jz4740 +programming manual locates it at offset 0. + +Fixes: 26b0aad80a86 ("ASoC: jz4740: Add dynamic sampling rate support to jz4740-i2s") +Signed-off-by: Paul Cercueil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200306222931.39664-2-paul@crapouillou.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/jz4740/jz4740-i2s.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/jz4740/jz4740-i2s.c ++++ b/sound/soc/jz4740/jz4740-i2s.c +@@ -92,7 +92,7 @@ + #define JZ_AIC_I2S_STATUS_BUSY BIT(2) + + #define JZ_AIC_CLK_DIV_MASK 0xf +-#define I2SDIV_DV_SHIFT 8 ++#define I2SDIV_DV_SHIFT 0 + #define I2SDIV_DV_MASK (0xf << I2SDIV_DV_SHIFT) + #define I2SDIV_IDV_SHIFT 8 + #define I2SDIV_IDV_MASK (0xf << I2SDIV_IDV_SHIFT) diff --git a/queue-4.19/ceph-canonicalize-server-path-in-place.patch b/queue-4.19/ceph-canonicalize-server-path-in-place.patch new file mode 100644 index 00000000000..b90c0d1e013 --- /dev/null +++ b/queue-4.19/ceph-canonicalize-server-path-in-place.patch @@ -0,0 +1,222 @@ +From b27a939e8376a3f1ed09b9c33ef44d20f18ec3d0 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 10 Feb 2020 22:51:08 +0100 +Subject: ceph: canonicalize server path in place + +From: Ilya Dryomov + +commit b27a939e8376a3f1ed09b9c33ef44d20f18ec3d0 upstream. + +syzbot reported that 4fbc0c711b24 ("ceph: remove the extra slashes in +the server path") had caused a regression where an allocation could be +done under a spinlock -- compare_mount_options() is called by sget_fc() +with sb_lock held. + +We don't really need the supplied server path, so canonicalize it +in place and compare it directly. To make this work, the leading +slash is kept around and the logic in ceph_real_mount() to skip it +is restored. CEPH_MSG_CLIENT_SESSION now reports the same (i.e. +canonicalized) path, with the leading slash of course. + +Fixes: 4fbc0c711b24 ("ceph: remove the extra slashes in the server path") +Reported-by: syzbot+98704a51af8e3d9425a9@syzkaller.appspotmail.com +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Signed-off-by: Luis Henriques +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 118 ++++++++++++-------------------------------------------- + fs/ceph/super.h | 2 + 2 files changed, 28 insertions(+), 92 deletions(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -205,6 +205,26 @@ static match_table_t fsopt_tokens = { + {-1, NULL} + }; + ++/* ++ * Remove adjacent slashes and then the trailing slash, unless it is ++ * the only remaining character. ++ * ++ * E.g. "//dir1////dir2///" --> "/dir1/dir2", "///" --> "/". ++ */ ++static void canonicalize_path(char *path) ++{ ++ int i, j = 0; ++ ++ for (i = 0; path[i] != '\0'; i++) { ++ if (path[i] != '/' || j < 1 || path[j - 1] != '/') ++ path[j++] = path[i]; ++ } ++ ++ if (j > 1 && path[j - 1] == '/') ++ j--; ++ path[j] = '\0'; ++} ++ + static int parse_fsopt_token(char *c, void *private) + { + struct ceph_mount_options *fsopt = private; +@@ -398,73 +418,6 @@ static int strcmp_null(const char *s1, c + return strcmp(s1, s2); + } + +-/** +- * path_remove_extra_slash - Remove the extra slashes in the server path +- * @server_path: the server path and could be NULL +- * +- * Return NULL if the path is NULL or only consists of "/", or a string +- * without any extra slashes including the leading slash(es) and the +- * slash(es) at the end of the server path, such as: +- * "//dir1////dir2///" --> "dir1/dir2" +- */ +-static char *path_remove_extra_slash(const char *server_path) +-{ +- const char *path = server_path; +- const char *cur, *end; +- char *buf, *p; +- int len; +- +- /* if the server path is omitted */ +- if (!path) +- return NULL; +- +- /* remove all the leading slashes */ +- while (*path == '/') +- path++; +- +- /* if the server path only consists of slashes */ +- if (*path == '\0') +- return NULL; +- +- len = strlen(path); +- +- buf = kmalloc(len + 1, GFP_KERNEL); +- if (!buf) +- return ERR_PTR(-ENOMEM); +- +- end = path + len; +- p = buf; +- do { +- cur = strchr(path, '/'); +- if (!cur) +- cur = end; +- +- len = cur - path; +- +- /* including one '/' */ +- if (cur != end) +- len += 1; +- +- memcpy(p, path, len); +- p += len; +- +- while (cur <= end && *cur == '/') +- cur++; +- path = cur; +- } while (path < end); +- +- *p = '\0'; +- +- /* +- * remove the last slash if there has and just to make sure that +- * we will get something like "dir1/dir2" +- */ +- if (*(--p) == '/') +- *p = '\0'; +- +- return buf; +-} +- + static int compare_mount_options(struct ceph_mount_options *new_fsopt, + struct ceph_options *new_opt, + struct ceph_fs_client *fsc) +@@ -472,7 +425,6 @@ static int compare_mount_options(struct + struct ceph_mount_options *fsopt1 = new_fsopt; + struct ceph_mount_options *fsopt2 = fsc->mount_options; + int ofs = offsetof(struct ceph_mount_options, snapdir_name); +- char *p1, *p2; + int ret; + + ret = memcmp(fsopt1, fsopt2, ofs); +@@ -482,21 +434,12 @@ static int compare_mount_options(struct + ret = strcmp_null(fsopt1->snapdir_name, fsopt2->snapdir_name); + if (ret) + return ret; ++ + ret = strcmp_null(fsopt1->mds_namespace, fsopt2->mds_namespace); + if (ret) + return ret; + +- p1 = path_remove_extra_slash(fsopt1->server_path); +- if (IS_ERR(p1)) +- return PTR_ERR(p1); +- p2 = path_remove_extra_slash(fsopt2->server_path); +- if (IS_ERR(p2)) { +- kfree(p1); +- return PTR_ERR(p2); +- } +- ret = strcmp_null(p1, p2); +- kfree(p1); +- kfree(p2); ++ ret = strcmp_null(fsopt1->server_path, fsopt2->server_path); + if (ret) + return ret; + +@@ -564,6 +507,8 @@ static int parse_mount_options(struct ce + err = -ENOMEM; + goto out; + } ++ ++ canonicalize_path(fsopt->server_path); + } else { + dev_name_end = dev_name + strlen(dev_name); + } +@@ -990,7 +935,9 @@ static struct dentry *ceph_real_mount(st + mutex_lock(&fsc->client->mount_mutex); + + if (!fsc->sb->s_root) { +- const char *path, *p; ++ const char *path = fsc->mount_options->server_path ? ++ fsc->mount_options->server_path + 1 : ""; ++ + err = __ceph_open_session(fsc->client, started); + if (err < 0) + goto out; +@@ -1002,16 +949,6 @@ static struct dentry *ceph_real_mount(st + goto out; + } + +- p = path_remove_extra_slash(fsc->mount_options->server_path); +- if (IS_ERR(p)) { +- err = PTR_ERR(p); +- goto out; +- } +- /* if the server path is omitted or just consists of '/' */ +- if (!p) +- path = ""; +- else +- path = p; + dout("mount opening path '%s'\n", path); + + err = ceph_fs_debugfs_init(fsc); +@@ -1019,7 +956,6 @@ static struct dentry *ceph_real_mount(st + goto out; + + root = open_root_dentry(fsc, path, started); +- kfree(p); + if (IS_ERR(root)) { + err = PTR_ERR(root); + goto out; +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -86,7 +86,7 @@ struct ceph_mount_options { + + char *snapdir_name; /* default ".snap" */ + char *mds_namespace; /* default NULL */ +- char *server_path; /* default "/" */ ++ char *server_path; /* default NULL (means "/") */ + char *fscache_uniq; /* default NULL */ + }; + diff --git a/queue-4.19/ceph-remove-the-extra-slashes-in-the-server-path.patch b/queue-4.19/ceph-remove-the-extra-slashes-in-the-server-path.patch new file mode 100644 index 00000000000..4160f3e2d17 --- /dev/null +++ b/queue-4.19/ceph-remove-the-extra-slashes-in-the-server-path.patch @@ -0,0 +1,245 @@ +From 4fbc0c711b2464ee1551850b85002faae0b775d5 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Fri, 20 Dec 2019 09:34:04 -0500 +Subject: ceph: remove the extra slashes in the server path + +From: Xiubo Li + +commit 4fbc0c711b2464ee1551850b85002faae0b775d5 upstream. + +It's possible to pass the mount helper a server path that has more +than one contiguous slash character. For example: + + $ mount -t ceph 192.168.195.165:40176:/// /mnt/cephfs/ + +In the MDS server side the extra slashes of the server path will be +treated as snap dir, and then we can get the following debug logs: + + ceph: mount opening path // + ceph: open_root_inode opening '//' + ceph: fill_trace 0000000059b8a3bc is_dentry 0 is_target 1 + ceph: alloc_inode 00000000dc4ca00b + ceph: get_inode created new inode 00000000dc4ca00b 1.ffffffffffffffff ino 1 + ceph: get_inode on 1=1.ffffffffffffffff got 00000000dc4ca00b + +And then when creating any new file or directory under the mount +point, we can hit the following BUG_ON in ceph_fill_trace(): + + BUG_ON(ceph_snap(dir) != dvino.snap); + +Have the client ignore the extra slashes in the server path when +mounting. This will also canonicalize the path, so that identical mounts +can be consilidated. + +1) "//mydir1///mydir//" +2) "/mydir1/mydir" +3) "/mydir1/mydir/" + +Regardless of the internal treatment of these paths, the kernel still +stores the original string including the leading '/' for presentation +to userland. + +URL: https://tracker.ceph.com/issues/42771 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Luis Henriques +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 120 +++++++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 101 insertions(+), 19 deletions(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -105,7 +105,6 @@ static int ceph_statfs(struct dentry *de + return 0; + } + +- + static int ceph_sync_fs(struct super_block *sb, int wait) + { + struct ceph_fs_client *fsc = ceph_sb_to_client(sb); +@@ -399,6 +398,73 @@ static int strcmp_null(const char *s1, c + return strcmp(s1, s2); + } + ++/** ++ * path_remove_extra_slash - Remove the extra slashes in the server path ++ * @server_path: the server path and could be NULL ++ * ++ * Return NULL if the path is NULL or only consists of "/", or a string ++ * without any extra slashes including the leading slash(es) and the ++ * slash(es) at the end of the server path, such as: ++ * "//dir1////dir2///" --> "dir1/dir2" ++ */ ++static char *path_remove_extra_slash(const char *server_path) ++{ ++ const char *path = server_path; ++ const char *cur, *end; ++ char *buf, *p; ++ int len; ++ ++ /* if the server path is omitted */ ++ if (!path) ++ return NULL; ++ ++ /* remove all the leading slashes */ ++ while (*path == '/') ++ path++; ++ ++ /* if the server path only consists of slashes */ ++ if (*path == '\0') ++ return NULL; ++ ++ len = strlen(path); ++ ++ buf = kmalloc(len + 1, GFP_KERNEL); ++ if (!buf) ++ return ERR_PTR(-ENOMEM); ++ ++ end = path + len; ++ p = buf; ++ do { ++ cur = strchr(path, '/'); ++ if (!cur) ++ cur = end; ++ ++ len = cur - path; ++ ++ /* including one '/' */ ++ if (cur != end) ++ len += 1; ++ ++ memcpy(p, path, len); ++ p += len; ++ ++ while (cur <= end && *cur == '/') ++ cur++; ++ path = cur; ++ } while (path < end); ++ ++ *p = '\0'; ++ ++ /* ++ * remove the last slash if there has and just to make sure that ++ * we will get something like "dir1/dir2" ++ */ ++ if (*(--p) == '/') ++ *p = '\0'; ++ ++ return buf; ++} ++ + static int compare_mount_options(struct ceph_mount_options *new_fsopt, + struct ceph_options *new_opt, + struct ceph_fs_client *fsc) +@@ -406,6 +472,7 @@ static int compare_mount_options(struct + struct ceph_mount_options *fsopt1 = new_fsopt; + struct ceph_mount_options *fsopt2 = fsc->mount_options; + int ofs = offsetof(struct ceph_mount_options, snapdir_name); ++ char *p1, *p2; + int ret; + + ret = memcmp(fsopt1, fsopt2, ofs); +@@ -418,9 +485,21 @@ static int compare_mount_options(struct + ret = strcmp_null(fsopt1->mds_namespace, fsopt2->mds_namespace); + if (ret) + return ret; +- ret = strcmp_null(fsopt1->server_path, fsopt2->server_path); ++ ++ p1 = path_remove_extra_slash(fsopt1->server_path); ++ if (IS_ERR(p1)) ++ return PTR_ERR(p1); ++ p2 = path_remove_extra_slash(fsopt2->server_path); ++ if (IS_ERR(p2)) { ++ kfree(p1); ++ return PTR_ERR(p2); ++ } ++ ret = strcmp_null(p1, p2); ++ kfree(p1); ++ kfree(p2); + if (ret) + return ret; ++ + ret = strcmp_null(fsopt1->fscache_uniq, fsopt2->fscache_uniq); + if (ret) + return ret; +@@ -476,12 +555,14 @@ static int parse_mount_options(struct ce + */ + dev_name_end = strchr(dev_name, '/'); + if (dev_name_end) { +- if (strlen(dev_name_end) > 1) { +- fsopt->server_path = kstrdup(dev_name_end, GFP_KERNEL); +- if (!fsopt->server_path) { +- err = -ENOMEM; +- goto out; +- } ++ /* ++ * The server_path will include the whole chars from userland ++ * including the leading '/'. ++ */ ++ fsopt->server_path = kstrdup(dev_name_end, GFP_KERNEL); ++ if (!fsopt->server_path) { ++ err = -ENOMEM; ++ goto out; + } + } else { + dev_name_end = dev_name + strlen(dev_name); +@@ -810,7 +891,6 @@ static void destroy_caches(void) + ceph_fscache_unregister(); + } + +- + /* + * ceph_umount_begin - initiate forced umount. Tear down down the + * mount, skipping steps that may hang while waiting for server(s). +@@ -897,9 +977,6 @@ out: + return root; + } + +- +- +- + /* + * mount: join the ceph cluster, and open root directory. + */ +@@ -913,7 +990,7 @@ static struct dentry *ceph_real_mount(st + mutex_lock(&fsc->client->mount_mutex); + + if (!fsc->sb->s_root) { +- const char *path; ++ const char *path, *p; + err = __ceph_open_session(fsc->client, started); + if (err < 0) + goto out; +@@ -925,19 +1002,24 @@ static struct dentry *ceph_real_mount(st + goto out; + } + +- if (!fsc->mount_options->server_path) { +- path = ""; +- dout("mount opening path \\t\n"); +- } else { +- path = fsc->mount_options->server_path + 1; +- dout("mount opening path %s\n", path); ++ p = path_remove_extra_slash(fsc->mount_options->server_path); ++ if (IS_ERR(p)) { ++ err = PTR_ERR(p); ++ goto out; + } ++ /* if the server path is omitted or just consists of '/' */ ++ if (!p) ++ path = ""; ++ else ++ path = p; ++ dout("mount opening path '%s'\n", path); + + err = ceph_fs_debugfs_init(fsc); + if (err < 0) + goto out; + + root = open_root_dentry(fsc, path, started); ++ kfree(p); + if (IS_ERR(root)) { + err = PTR_ERR(root); + goto out; diff --git a/queue-4.19/hwrng-imx-rngc-fix-an-error-path.patch b/queue-4.19/hwrng-imx-rngc-fix-an-error-path.patch new file mode 100644 index 00000000000..74fe23c12b8 --- /dev/null +++ b/queue-4.19/hwrng-imx-rngc-fix-an-error-path.patch @@ -0,0 +1,38 @@ +From 47a1f8e8b3637ff5f7806587883d7d94068d9ee8 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Thu, 5 Mar 2020 21:58:20 +0100 +Subject: hwrng: imx-rngc - fix an error path + +From: Martin Kaiser + +commit 47a1f8e8b3637ff5f7806587883d7d94068d9ee8 upstream. + +Make sure that the rngc interrupt is masked if the rngc self test fails. +Self test failure means that probe fails as well. Interrupts should be +masked in this case, regardless of the error. + +Cc: stable@vger.kernel.org +Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC") +Reviewed-by: PrasannaKumar Muralidharan +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hw_random/imx-rngc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/hw_random/imx-rngc.c ++++ b/drivers/char/hw_random/imx-rngc.c +@@ -111,8 +111,10 @@ static int imx_rngc_self_test(struct imx + return -ETIMEDOUT; + } + +- if (rngc->err_reg != 0) ++ if (rngc->err_reg != 0) { ++ imx_rngc_irq_mask_clear(rngc); + return -EIO; ++ } + + return 0; + } diff --git a/queue-4.19/ib-hfi1-call-kobject_put-when-kobject_init_and_add-fails.patch b/queue-4.19/ib-hfi1-call-kobject_put-when-kobject_init_and_add-fails.patch new file mode 100644 index 00000000000..69402393595 --- /dev/null +++ b/queue-4.19/ib-hfi1-call-kobject_put-when-kobject_init_and_add-fails.patch @@ -0,0 +1,78 @@ +From dfb5394f804ed4fcea1fc925be275a38d66712ab Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Thu, 26 Mar 2020 12:38:14 -0400 +Subject: IB/hfi1: Call kobject_put() when kobject_init_and_add() fails + +From: Kaike Wan + +commit dfb5394f804ed4fcea1fc925be275a38d66712ab upstream. + +When kobject_init_and_add() returns an error in the function +hfi1_create_port_files(), the function kobject_put() is not called for the +corresponding kobject, which potentially leads to memory leak. + +This patch fixes the issue by calling kobject_put() even if +kobject_init_and_add() fails. + +Cc: +Link: https://lore.kernel.org/r/20200326163813.21129.44280.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/sysfs.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/sysfs.c ++++ b/drivers/infiniband/hw/hfi1/sysfs.c +@@ -670,7 +670,11 @@ int hfi1_create_port_files(struct ib_dev + dd_dev_err(dd, + "Skipping sc2vl sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail; ++ /* ++ * Based on the documentation for kobject_init_and_add(), the ++ * caller should call kobject_put even if this call fails. ++ */ ++ goto bail_sc2vl; + } + kobject_uevent(&ppd->sc2vl_kobj, KOBJ_ADD); + +@@ -680,7 +684,7 @@ int hfi1_create_port_files(struct ib_dev + dd_dev_err(dd, + "Skipping sl2sc sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_sc2vl; ++ goto bail_sl2sc; + } + kobject_uevent(&ppd->sl2sc_kobj, KOBJ_ADD); + +@@ -690,7 +694,7 @@ int hfi1_create_port_files(struct ib_dev + dd_dev_err(dd, + "Skipping vl2mtu sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_sl2sc; ++ goto bail_vl2mtu; + } + kobject_uevent(&ppd->vl2mtu_kobj, KOBJ_ADD); + +@@ -700,7 +704,7 @@ int hfi1_create_port_files(struct ib_dev + dd_dev_err(dd, + "Skipping Congestion Control sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_vl2mtu; ++ goto bail_cc; + } + + kobject_uevent(&ppd->pport_cc_kobj, KOBJ_ADD); +@@ -738,7 +742,6 @@ bail_sl2sc: + kobject_put(&ppd->sl2sc_kobj); + bail_sc2vl: + kobject_put(&ppd->sc2vl_kobj); +-bail: + return ret; + } + diff --git a/queue-4.19/ib-hfi1-fix-memory-leaks-in-sysfs-registration-and-unregistration.patch b/queue-4.19/ib-hfi1-fix-memory-leaks-in-sysfs-registration-and-unregistration.patch new file mode 100644 index 00000000000..7d496468ae1 --- /dev/null +++ b/queue-4.19/ib-hfi1-fix-memory-leaks-in-sysfs-registration-and-unregistration.patch @@ -0,0 +1,81 @@ +From 5c15abc4328ad696fa61e2f3604918ed0c207755 Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Thu, 26 Mar 2020 12:38:07 -0400 +Subject: IB/hfi1: Fix memory leaks in sysfs registration and unregistration + +From: Kaike Wan + +commit 5c15abc4328ad696fa61e2f3604918ed0c207755 upstream. + +When the hfi1 driver is unloaded, kmemleak will report the following +issue: + +unreferenced object 0xffff8888461a4c08 (size 8): +comm "kworker/0:0", pid 5, jiffies 4298601264 (age 2047.134s) +hex dump (first 8 bytes): +73 64 6d 61 30 00 ff ff sdma0... +backtrace: +[<00000000311a6ef5>] kvasprintf+0x62/0xd0 +[<00000000ade94d9f>] kobject_set_name_vargs+0x1c/0x90 +[<0000000060657dbb>] kobject_init_and_add+0x5d/0xb0 +[<00000000346fe72b>] 0xffffffffa0c5ecba +[<000000006cfc5819>] 0xffffffffa0c866b9 +[<0000000031c65580>] 0xffffffffa0c38e87 +[<00000000e9739b3f>] local_pci_probe+0x41/0x80 +[<000000006c69911d>] work_for_cpu_fn+0x16/0x20 +[<00000000601267b5>] process_one_work+0x171/0x380 +[<0000000049a0eefa>] worker_thread+0x1d1/0x3f0 +[<00000000909cf2b9>] kthread+0xf8/0x130 +[<0000000058f5f874>] ret_from_fork+0x35/0x40 + +This patch fixes the issue by: + +- Releasing dd->per_sdma[i].kobject in hfi1_unregister_sysfs(). + - This will fix the memory leak. + +- Calling kobject_put() to unwind operations only for those entries in + dd->per_sdma[] whose operations have succeeded (including the current + one that has just failed) in hfi1_verbs_register_sysfs(). + +Cc: +Fixes: 0cb2aa690c7e ("IB/hfi1: Add sysfs interface for affinity setup") +Link: https://lore.kernel.org/r/20200326163807.21129.27371.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/sysfs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/sysfs.c ++++ b/drivers/infiniband/hw/hfi1/sysfs.c +@@ -861,8 +861,13 @@ bail: + for (i = 0; i < ARRAY_SIZE(hfi1_attributes); ++i) + device_remove_file(&dev->dev, hfi1_attributes[i]); + +- for (i = 0; i < dd->num_sdma; i++) +- kobject_del(&dd->per_sdma[i].kobj); ++ /* ++ * The function kobject_put() will call kobject_del() if the kobject ++ * has been added successfully. The sysfs files created under the ++ * kobject directory will also be removed during the process. ++ */ ++ for (; i >= 0; i--) ++ kobject_put(&dd->per_sdma[i].kobj); + + return ret; + } +@@ -875,6 +880,10 @@ void hfi1_verbs_unregister_sysfs(struct + struct hfi1_pportdata *ppd; + int i; + ++ /* Unwind operations in hfi1_verbs_register_sysfs() */ ++ for (i = 0; i < dd->num_sdma; i++) ++ kobject_put(&dd->per_sdma[i].kobj); ++ + for (i = 0; i < dd->num_pports; i++) { + ppd = &dd->pport[i]; + diff --git a/queue-4.19/random-always-use-batched-entropy-for-get_random_u-32-64.patch b/queue-4.19/random-always-use-batched-entropy-for-get_random_u-32-64.patch new file mode 100644 index 00000000000..0e7a1291f63 --- /dev/null +++ b/queue-4.19/random-always-use-batched-entropy-for-get_random_u-32-64.patch @@ -0,0 +1,102 @@ +From 69efea712f5b0489e67d07565aad5c94e09a3e52 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 21 Feb 2020 21:10:37 +0100 +Subject: random: always use batched entropy for get_random_u{32,64} + +From: Jason A. Donenfeld + +commit 69efea712f5b0489e67d07565aad5c94e09a3e52 upstream. + +It turns out that RDRAND is pretty slow. Comparing these two +constructions: + + for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret)) + arch_get_random_long(&ret); + +and + + long buf[CHACHA_BLOCK_SIZE / sizeof(long)]; + extract_crng((u8 *)buf); + +it amortizes out to 352 cycles per long for the top one and 107 cycles +per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H. + +And importantly, the top one has the drawback of not benefiting from the +real rng, whereas the bottom one has all the nice benefits of using our +own chacha rng. As get_random_u{32,64} gets used in more places (perhaps +beyond what it was originally intended for when it was introduced as +get_random_{int,long} back in the md5 monstrosity era), it seems like it +might be a good thing to strengthen its posture a tiny bit. Doing this +should only be stronger and not any weaker because that pool is already +initialized with a bunch of rdrand data (when available). This way, we +get the benefits of the hardware rng as well as our own rng. + +Another benefit of this is that we no longer hit pitfalls of the recent +stream of AMD bugs in RDRAND. One often used code pattern for various +things is: + + do { + val = get_random_u32(); + } while (hash_table_contains_key(val)); + +That recent AMD bug rendered that pattern useless, whereas we're really +very certain that chacha20 output will give pretty distributed numbers, +no matter what. + +So, this simplification seems better both from a security perspective +and from a performance perspective. + +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20200221201037.30231-1-Jason@zx2c4.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -2280,11 +2280,11 @@ struct batched_entropy { + + /* + * Get a random word for internal kernel use only. The quality of the random +- * number is either as good as RDRAND or as good as /dev/urandom, with the +- * goal of being quite fast and not depleting entropy. In order to ensure ++ * number is good as /dev/urandom, but there is no backtrack protection, with ++ * the goal of being quite fast and not depleting entropy. In order to ensure + * that the randomness provided by this function is okay, the function +- * wait_for_random_bytes() should be called and return 0 at least once +- * at any point prior. ++ * wait_for_random_bytes() should be called and return 0 at least once at any ++ * point prior. + */ + static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = { + .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock), +@@ -2297,15 +2297,6 @@ u64 get_random_u64(void) + struct batched_entropy *batch; + static void *previous; + +-#if BITS_PER_LONG == 64 +- if (arch_get_random_long((unsigned long *)&ret)) +- return ret; +-#else +- if (arch_get_random_long((unsigned long *)&ret) && +- arch_get_random_long((unsigned long *)&ret + 1)) +- return ret; +-#endif +- + warn_unseeded_randomness(&previous); + + batch = raw_cpu_ptr(&batched_entropy_u64); +@@ -2330,9 +2321,6 @@ u32 get_random_u32(void) + struct batched_entropy *batch; + static void *previous; + +- if (arch_get_random_int(&ret)) +- return ret; +- + warn_unseeded_randomness(&previous); + + batch = raw_cpu_ptr(&batched_entropy_u32); diff --git a/queue-4.19/series b/queue-4.19/series index 06b1d41ca97..c42f7152e90 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -32,3 +32,12 @@ net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy- net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch +random-always-use-batched-entropy-for-get_random_u-32-64.patch +usb-dwc3-gadget-wrap-around-when-skip-trbs.patch +tools-accounting-getdelays.c-fix-netlink-attribute-length.patch +hwrng-imx-rngc-fix-an-error-path.patch +asoc-jz4740-i2s-fix-divider-written-at-incorrect-offset-in-register.patch +ib-hfi1-call-kobject_put-when-kobject_init_and_add-fails.patch +ib-hfi1-fix-memory-leaks-in-sysfs-registration-and-unregistration.patch +ceph-remove-the-extra-slashes-in-the-server-path.patch +ceph-canonicalize-server-path-in-place.patch diff --git a/queue-4.19/tools-accounting-getdelays.c-fix-netlink-attribute-length.patch b/queue-4.19/tools-accounting-getdelays.c-fix-netlink-attribute-length.patch new file mode 100644 index 00000000000..dc2bac32815 --- /dev/null +++ b/queue-4.19/tools-accounting-getdelays.c-fix-netlink-attribute-length.patch @@ -0,0 +1,45 @@ +From 4054ab64e29bb05b3dfe758fff3c38a74ba753bb Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Wed, 1 Apr 2020 21:02:25 -0700 +Subject: tools/accounting/getdelays.c: fix netlink attribute length + +From: David Ahern + +commit 4054ab64e29bb05b3dfe758fff3c38a74ba753bb upstream. + +A recent change to the netlink code: 6e237d099fac ("netlink: Relax attr +validation for fixed length types") logs a warning when programs send +messages with invalid attributes (e.g., wrong length for a u32). Yafang +reported this error message for tools/accounting/getdelays.c. + +send_cmd() is wrongly adding 1 to the attribute length. As noted in +include/uapi/linux/netlink.h nla_len should be NLA_HDRLEN + payload +length, so drop the +1. + +Fixes: 9e06d3f9f6b1 ("per task delay accounting taskstats interface: documentation fix") +Reported-by: Yafang Shao +Signed-off-by: David Ahern +Signed-off-by: Andrew Morton +Tested-by: Yafang Shao +Cc: Johannes Berg +Cc: Shailabh Nagar +Cc: +Link: http://lkml.kernel.org/r/20200327173111.63922-1-dsahern@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/accounting/getdelays.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/accounting/getdelays.c ++++ b/tools/accounting/getdelays.c +@@ -136,7 +136,7 @@ static int send_cmd(int sd, __u16 nlmsg_ + msg.g.version = 0x1; + na = (struct nlattr *) GENLMSG_DATA(&msg); + na->nla_type = nla_type; +- na->nla_len = nla_len + 1 + NLA_HDRLEN; ++ na->nla_len = nla_len + NLA_HDRLEN; + memcpy(NLA_DATA(na), nla_data, nla_len); + msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len); + diff --git a/queue-4.19/usb-dwc3-gadget-wrap-around-when-skip-trbs.patch b/queue-4.19/usb-dwc3-gadget-wrap-around-when-skip-trbs.patch new file mode 100644 index 00000000000..2b97da648fa --- /dev/null +++ b/queue-4.19/usb-dwc3-gadget-wrap-around-when-skip-trbs.patch @@ -0,0 +1,34 @@ +From 2dedea035ae82c5af0595637a6eda4655532b21e Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 5 Mar 2020 13:24:01 -0800 +Subject: usb: dwc3: gadget: Wrap around when skip TRBs + +From: Thinh Nguyen + +commit 2dedea035ae82c5af0595637a6eda4655532b21e upstream. + +When skipping TRBs, we need to account for wrapping around the ring +buffer and not modifying some invalid TRBs. Without this fix, dwc3 won't +be able to check for available TRBs. + +Cc: stable +Fixes: 7746a8dfb3f9 ("usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()") +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1369,7 +1369,7 @@ static void dwc3_gadget_ep_skip_trbs(str + for (i = 0; i < req->num_trbs; i++) { + struct dwc3_trb *trb; + +- trb = req->trb + i; ++ trb = &dep->trb_pool[dep->trb_dequeue]; + trb->ctrl &= ~DWC3_TRB_CTRL_HWO; + dwc3_ep_inc_deq(dep); + }