From: Sasha Levin Date: Fri, 6 Sep 2019 11:18:06 +0000 (-0400) Subject: fixes for 4.4 X-Git-Tag: v4.4.192~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bb3b79c45ccbb87b722d34bd5e56e2746992ac55;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/bluetooth-btqca-add-a-short-delay-before-downloading.patch b/queue-4.4/bluetooth-btqca-add-a-short-delay-before-downloading.patch new file mode 100644 index 00000000000..0a769451470 --- /dev/null +++ b/queue-4.4/bluetooth-btqca-add-a-short-delay-before-downloading.patch 
@@ -0,0 +1,42 @@
+From 048222fb4cc4ead060272f58791e5bb4b883cc95 Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke
+Date: Tue, 9 Jul 2019 15:44:50 -0700
+Subject: Bluetooth: btqca: Add a short delay before downloading the NVM
+
+[ Upstream commit 8059ba0bd0e4694e51c2ee6438a77b325f06c0d5 ]
+
+On WCN3990 downloading the NVM sometimes fails with a "TLV response
+size mismatch" error:
+
+[ 174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin
+[ 174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch
+
+It seems the controller needs a short time after downloading the
+firmware before it is ready for the NVM. A delay as short as 1 ms
+seems sufficient, make it 10 ms just in case. No event is received
+during the delay, hence we don't just silently drop an extra event.
+
+Signed-off-by: Matthias Kaehlcke
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 4a62081688501..593fc2a5be0f9 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -363,6 +363,9 @@ int qca_uart_setup_rome(struct hci_dev *hdev, uint8_t baudrate)
+ return err;
+ }
+
++ /* Give the controller some time to get ready to receive the NVM */
++ msleep(10);
++
+ /* Download NVM configuration */
+ config.type = TLV_TYPE_NVM;
+ snprintf(config.fwname, sizeof(config.fwname), "qca/nvm_%08x.bin",
+--
+2.20.1
+
diff --git a/queue-4.4/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch b/queue-4.4/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch
new file mode 100644
index 00000000000..d8d00f32741
--- /dev/null
+++ b/queue-4.4/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch
@@ -0,0 +1,91 @@ +From ace0bc88a174b1ff753d54f49dd07417f926546b Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:20 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() + +[ Upstream commit 86968ef21596515958d5f0a40233d02be78ecec0 ] + +Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the +i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be +fixed by postponing the call until later, when the lock is released. + +The following backtrace was triggered by fstests generic/117. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress + 3 locks held by fsstress/650: + #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50 + #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0 + #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810 + CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + __ceph_setxattr+0x2b4/0x810 + __vfs_setxattr+0x66/0x80 + __vfs_setxattr_noperm+0x59/0xf0 + vfs_setxattr+0x81/0xa0 + setxattr+0x115/0x230 + ? filename_lookup+0xc9/0x140 + ? rcu_read_lock_sched_held+0x74/0x80 + ? rcu_sync_lockdep_assert+0x2e/0x60 + ? __sb_start_write+0x142/0x1a0 + ? 
mnt_want_write+0x20/0x50 + path_setxattr+0xba/0xd0 + __x64_sys_lsetxattr+0x24/0x30 + do_syscall_64+0x50/0x1c0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7ff23514359a + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index b24275ef97f74..22e5f3432abbf 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -916,6 +916,7 @@ int __ceph_setxattr(struct dentry *dentry, const char *name, + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_mds_client *mdsc = ceph_sb_to_client(dentry->d_sb)->mdsc; + struct ceph_cap_flush *prealloc_cf = NULL; ++ struct ceph_buffer *old_blob = NULL; + int issued; + int err; + int dirty = 0; +@@ -984,13 +985,15 @@ retry: + struct ceph_buffer *blob; + + spin_unlock(&ci->i_ceph_lock); +- dout(" preaallocating new blob size=%d\n", required_blob_size); ++ ceph_buffer_put(old_blob); /* Shouldn't be required */ ++ dout(" pre-allocating new blob size=%d\n", required_blob_size); + blob = ceph_buffer_new(required_blob_size, GFP_NOFS); + if (!blob) + goto do_sync_unlocked; + spin_lock(&ci->i_ceph_lock); ++ /* prealloc_blob can't be released while holding i_ceph_lock */ + if (ci->i_xattrs.prealloc_blob) +- ceph_buffer_put(ci->i_xattrs.prealloc_blob); ++ old_blob = ci->i_xattrs.prealloc_blob; + ci->i_xattrs.prealloc_blob = blob; + goto retry; + } +@@ -1006,6 +1009,7 @@ retry: + } + + spin_unlock(&ci->i_ceph_lock); ++ ceph_buffer_put(old_blob); + if (lock_snap_rwsem) + up_read(&mdsc->snap_rwsem); + if (dirty) +-- +2.20.1 + diff --git a/queue-4.4/cx82310_eth-fix-a-memory-leak-bug.patch b/queue-4.4/cx82310_eth-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..d641aed8199 --- /dev/null +++ b/queue-4.4/cx82310_eth-fix-a-memory-leak-bug.patch 
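Review bot: In the retry block of __ceph_setxattr(), `old_blob` keeps its value after the early `ceph_buffer_put(old_blob)`, so a second pass that finds `ci->i_xattrs.prealloc_blob` NULL would reach the final `ceph_buffer_put(old_blob)` with a pointer whose reference was already dropped. Whether prealloc_blob can be cleared between the unlock and the relock is not visible in this hunk, so this needs confirming against the rest of the file. Assigning unconditionally, `old_blob = ci->i_xattrs.prealloc_blob;`, in place of the `if` removes the stale value. The `do_sync_unlocked` path is outside the hunk and should be checked to drop `old_blob` exactly once as well.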
@@ -0,0 +1,38 @@
+From 2b64fcee91ce375f7f420098cf4cb5cc1760d33f Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Wed, 14 Aug 2019 13:03:38 -0500
+Subject: cx82310_eth: fix a memory leak bug
+
+[ Upstream commit 1eca92eef18719027d394bf1a2d276f43e7cf886 ]
+
+In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc().
+Then, the execution waits for the firmware to become ready. If the firmware
+is not ready in time, the execution is terminated. However, the allocated
+'dev->partial_data' is not deallocated on this path, leading to a memory
+leak bug. To fix this issue, free 'dev->partial_data' before returning the
+error.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/cx82310_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index 947bea81d9241..dfbdea22fbad9 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -175,7 +175,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+ }
+ if (!timeout) {
+ dev_err(&udev->dev, "firmware not ready in time\n");
+- return -ETIMEDOUT;
++ ret = -ETIMEDOUT;
++ goto err;
+ }
+
+ /* enable ethernet mode (?) */
+--
+2.20.1
+
diff --git a/queue-4.4/cxgb4-fix-a-memory-leak-bug.patch b/queue-4.4/cxgb4-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..fca6d990e60
--- /dev/null
+++ b/queue-4.4/cxgb4-fix-a-memory-leak-bug.patch
@@ -0,0 +1,37 @@
+From e1b98bf49540165d964a8f95b318970c11962114 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Tue, 13 Aug 2019 04:18:52 -0500
+Subject: cxgb4: fix a memory leak bug
+
+[ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ]
+
+In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
+leading to a memory leak bug. To fix this issue, free t before returning
+the error.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+index 4269944c5db53..129d6095749a4 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+@@ -2673,8 +2673,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf,
+ return -ENOMEM;
+
+ err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz);
+- if (err)
++ if (err) {
++ kvfree(t);
+ return err;
++ }
+
+ bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz);
+ t4_free_mem(t);
+--
+2.20.1
+
diff --git a/queue-4.4/gpio-fix-build-error-of-function-redefinition.patch b/queue-4.4/gpio-fix-build-error-of-function-redefinition.patch
new file mode 100644
index 00000000000..f6f1165d70e
--- /dev/null
+++ b/queue-4.4/gpio-fix-build-error-of-function-redefinition.patch
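Review bot: The new error path in blocked_fl_write() releases `t` with `kvfree(t)` while the success path a few lines below still uses `t4_free_mem(t)`, so the same buffer is freed through two different calls. The allocation of `t` is outside the hunk; if this 4.4 tree obtains it from the driver's own allocation helper, the matching release on the error path is `t4_free_mem(t);`. If t4_free_mem() is only a thin kvfree() wrapper here the behaviour is identical, but keeping the pair consistent avoids a mismatched free should the helper ever change.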
@@ -0,0 +1,66 @@ +From 901028d57fa82d0887aa290e43fac9573b11d6c0 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 31 Jul 2019 20:38:14 +0800 +Subject: gpio: Fix build error of function redefinition + +[ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ] + +when do randbuilding, I got this error: + +In file included from drivers/hwmon/pmbus/ucd9000.c:19:0: +./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ +In file included from drivers/hwmon/pmbus/ucd9000.c:18:0: +./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ + +Reported-by: Hulk Robot +Fixes: 964cb341882f ("gpio: move pincontrol calls to ") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + include/linux/gpio.h | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/include/linux/gpio.h b/include/linux/gpio.h +index d12b5d566e4b1..11555bd821b73 100644 +--- a/include/linux/gpio.h ++++ b/include/linux/gpio.h +@@ -229,30 +229,6 @@ static inline int irq_to_gpio(unsigned irq) + return -EINVAL; + } + +-static inline int +-gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, +- unsigned int gpio_offset, unsigned int pin_offset, +- unsigned int npins) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline int +-gpiochip_add_pingroup_range(struct gpio_chip *chip, +- struct pinctrl_dev *pctldev, +- unsigned int gpio_offset, const char *pin_group) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline void +-gpiochip_remove_pin_ranges(struct gpio_chip *chip) +-{ +- WARN_ON(1); +-} +- + static inline int devm_gpio_request(struct device *dev, unsigned gpio, + const char 
*label) + { +-- +2.20.1 + diff --git a/queue-4.4/ib-mlx4-fix-memory-leaks.patch b/queue-4.4/ib-mlx4-fix-memory-leaks.patch new file mode 100644 index 00000000000..e9670a8ced7 --- /dev/null +++ b/queue-4.4/ib-mlx4-fix-memory-leaks.patch @@ -0,0 +1,46 @@ +From cb199d1b9d22aa8fb5abdf66151b0b34a9629cfc Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 18 Aug 2019 15:23:01 -0500 +Subject: IB/mlx4: Fix memory leaks + +[ Upstream commit 5c1baaa82cea2c815a5180ded402a7cd455d1810 ] + +In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through +kcalloc(). However, it is not always deallocated in the following execution +if an error occurs, leading to memory leaks. To fix this issue, free +'tun_qp->tx_ring' whenever an error occurs. + +Signed-off-by: Wenwen Wang +Acked-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1566159781-4642-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 199a9cdd0d12a..531c985f6fd71 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1526,8 +1526,6 @@ tx_err: + tx_buf_size, DMA_TO_DEVICE); + kfree(tun_qp->tx_ring[i].buf.addr); + } +- kfree(tun_qp->tx_ring); +- tun_qp->tx_ring = NULL; + i = MLX4_NUM_TUNNEL_BUFS; + err: + while (i > 0) { +@@ -1536,6 +1534,8 @@ err: + rx_buf_size, DMA_FROM_DEVICE); + kfree(tun_qp->ring[i].addr); + } ++ kfree(tun_qp->tx_ring); ++ tun_qp->tx_ring = NULL; + kfree(tun_qp->ring); + tun_qp->ring = NULL; + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.4/ibmveth-convert-multicast-list-size-for-little-endia.patch b/queue-4.4/ibmveth-convert-multicast-list-size-for-little-endia.patch new file mode 100644 index 00000000000..7bef8c3a517 --- /dev/null +++ b/queue-4.4/ibmveth-convert-multicast-list-size-for-little-endia.patch 
@@ -0,0 +1,59 @@ +From a7b6b9ffa046798d24cddfd9e0ae3a1b7c9fd117 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Mon, 12 Aug 2019 16:13:06 -0500 +Subject: ibmveth: Convert multicast list size for little-endian system + +[ Upstream commit 66cf4710b23ab2adda11155684a2c8826f4fe732 ] + +The ibm,mac-address-filters property defines the maximum number of +addresses the hypervisor's multicast filter list can support. It is +encoded as a big-endian integer in the OF device tree, but the virtual +ethernet driver does not convert it for use by little-endian systems. +As a result, the driver is not behaving as it should on affected systems +when a large number of multicast addresses are assigned to the device. + +Reported-by: Hangbin Liu +Signed-off-by: Thomas Falcon +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 70b3253e7ed5e..b46fc37c1a947 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1555,7 +1555,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + struct net_device *netdev; + struct ibmveth_adapter *adapter; + unsigned char *mac_addr_p; +- unsigned int *mcastFilterSize_p; ++ __be32 *mcastFilterSize_p; + long ret; + unsigned long ret_attr; + +@@ -1577,8 +1577,9 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + return -EINVAL; + } + +- mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev, +- VETH_MCAST_FILTER_SIZE, NULL); ++ mcastFilterSize_p = (__be32 *)vio_get_attribute(dev, ++ VETH_MCAST_FILTER_SIZE, ++ NULL); + if (!mcastFilterSize_p) { + dev_err(&dev->dev, "Can't find VETH_MCAST_FILTER_SIZE " + "attribute\n"); +@@ -1595,7 +1596,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + + adapter->vdev = dev; + 
adapter->netdev = netdev; +- adapter->mcastFilterSize = *mcastFilterSize_p; ++ adapter->mcastFilterSize = be32_to_cpu(*mcastFilterSize_p); + adapter->pool_config = 0; + + netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16); +-- +2.20.1 + diff --git a/queue-4.4/kvm-arm-arm64-only-skip-mmio-insn-once.patch b/queue-4.4/kvm-arm-arm64-only-skip-mmio-insn-once.patch new file mode 100644 index 00000000000..81586dd9ca7 --- /dev/null +++ b/queue-4.4/kvm-arm-arm64-only-skip-mmio-insn-once.patch 
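Review bot: `be32_to_cpu(*mcastFilterSize_p)` reads four bytes from the property, but the `vio_get_attribute()` call in ibmveth_probe() passes NULL for the length argument, so the size of the attribute is never confirmed to be at least `sizeof(__be32)`. Passing a length variable and taking the existing `-EINVAL` exit when the property is shorter would bound the read. The value comes from the device tree, so this is hardening; the function begins and ends outside the hunk.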
@@ -0,0 +1,56 @@ +From 0b3f2bacaf2fef24b84f87045d7b3d6ffb9a6767 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 22 Aug 2019 13:03:05 +0200 +Subject: KVM: arm/arm64: Only skip MMIO insn once + +[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ] + +If after an MMIO exit to userspace a VCPU is immediately run with an +immediate_exit request, such as when a signal is delivered or an MMIO +emulation completion is needed, then the VCPU completes the MMIO +emulation and immediately returns to userspace. As the exit_reason +does not get changed from KVM_EXIT_MMIO in these cases we have to +be careful not to complete the MMIO emulation again, when the VCPU is +eventually run again, because the emulation does an instruction skip +(and doing too many skips would be a waste of guest code :-) We need +to use additional VCPU state to track if the emulation is complete. +As luck would have it, we already have 'mmio_needed', which even +appears to be used in this way by other architectures already. 
+ +Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation") +Acked-by: Mark Rutland +Signed-off-by: Andrew Jones +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/mmio.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index ae61e2ea7255b..d2efc033ef8b4 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -98,6 +98,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + unsigned int len; + int mask; + ++ /* Detect an already handled MMIO return */ ++ if (unlikely(!vcpu->mmio_needed)) ++ return 0; ++ ++ vcpu->mmio_needed = 0; ++ + if (!run->mmio.is_write) { + len = run->mmio.len; + if (len > sizeof(unsigned long)) +@@ -206,6 +212,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + run->mmio.is_write = is_write; + run->mmio.phys_addr = fault_ipa; + run->mmio.len = len; ++ vcpu->mmio_needed = 1; + + if (!ret) { + /* We handled the access successfully in the kernel. */ +-- +2.20.1 + diff --git a/queue-4.4/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch b/queue-4.4/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch new file mode 100644 index 00000000000..2aaa9ac4dcd --- /dev/null +++ b/queue-4.4/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch 
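Review bot: `vcpu->mmio_needed = 1` in io_mem_abort() carries no comment, although it is set ahead of the `if (!ret)` branch and so applies to the in-kernel handled access as well as to the exit to userspace. The rest of that branch is outside the hunk; it is worth confirming that the 4.4 code there still goes through kvm_handle_mmio_return(), which is the only visible place that clears the flag. A comment at the assignment would record the contract, for example `/* cleared by kvm_handle_mmio_return(); prevents skipping the MMIO insn twice */`.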
@@ -0,0 +1,32 @@
+From eca252198c03092ad934b9d1e0c68cbfd229f261 Mon Sep 17 00:00:00 2001
+From: Luis Henriques
+Date: Fri, 19 Jul 2019 15:32:19 +0100
+Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
+
+[ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ]
+
+Signed-off-by: Luis Henriques
+Reviewed-by: Jeff Layton
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ include/linux/ceph/buffer.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h
+index 07ca15e761001..dada47a4360ff 100644
+--- a/include/linux/ceph/buffer.h
++++ b/include/linux/ceph/buffer.h
+@@ -29,7 +29,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b)
+
+ static inline void ceph_buffer_put(struct ceph_buffer *b)
+ {
+- kref_put(&b->kref, ceph_buffer_release);
++ if (b)
++ kref_put(&b->kref, ceph_buffer_release);
+ }
+
+ extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end);
+--
+2.20.1
+
diff --git a/queue-4.4/net-kalmia-fix-memory-leaks.patch b/queue-4.4/net-kalmia-fix-memory-leaks.patch
new file mode 100644
index 00000000000..6c2bd4d6c63
--- /dev/null
+++ b/queue-4.4/net-kalmia-fix-memory-leaks.patch
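Review bot: queue-4.4/series in this same commit lists this patch after ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch, although that patch calls `ceph_buffer_put(old_blob)` with `old_blob` initialised to NULL and therefore depends on the `if (b)` guard added here. With the queued order, a tree built between the two patches, for instance during a bisect, would pass NULL into `kref_put(&b->kref, ceph_buffer_release)`. Moving this entry above the ceph one in the series file keeps every intermediate state safe.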
@@ -0,0 +1,46 @@
+From 637b1d581bbcbeb717aca91a3c10a2e6d3c331b3 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Wed, 14 Aug 2019 13:56:43 -0500
+Subject: net: kalmia: fix memory leaks
+
+[ Upstream commit f1472cb09f11ddb41d4be84f0650835cb65a9073 ]
+
+In kalmia_init_and_get_ethernet_addr(), 'usb_buf' is allocated through
+kmalloc(). In the following execution, if the 'status' returned by
+kalmia_send_init_packet() is not 0, 'usb_buf' is not deallocated, leading
+to memory leaks. To fix this issue, add the 'out' label to free 'usb_buf'.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/kalmia.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c
+index 5662babf05832..d385b67258c79 100644
+--- a/drivers/net/usb/kalmia.c
++++ b/drivers/net/usb/kalmia.c
+@@ -117,16 +117,16 @@ kalmia_init_and_get_ethernet_addr(struct usbnet *dev, u8 *ethernet_addr)
+ status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_1)
+ / sizeof(init_msg_1[0]), usb_buf, 24);
+ if (status != 0)
+- return status;
++ goto out;
+
+ memcpy(usb_buf, init_msg_2, 12);
+ status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_2)
+ / sizeof(init_msg_2[0]), usb_buf, 28);
+ if (status != 0)
+- return status;
++ goto out;
+
+ memcpy(ethernet_addr, usb_buf + 10, ETH_ALEN);
+-
++out:
+ kfree(usb_buf);
+ return status;
+ }
+--
+2.20.1
+
diff --git a/queue-4.4/net-myri10ge-fix-memory-leaks.patch b/queue-4.4/net-myri10ge-fix-memory-leaks.patch
new file mode 100644
index 00000000000..bd4ccdd2a9e
--- /dev/null
+++ b/queue-4.4/net-myri10ge-fix-memory-leaks.patch
@@ -0,0 +1,36 @@
+From 82df64706958b3af565b699817947ae51b128681 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Wed, 14 Aug 2019 01:38:39 -0500
+Subject: net: myri10ge: fix memory leaks
+
+[ Upstream commit 20fb7c7a39b5c719e2e619673b5f5729ee7d2306 ]
+
+In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
+related structures. Later on, myri10ge_request_irq() is used to get an irq.
+However, if this process fails, the allocated slices related structures are
+not deallocated, leading to memory leaks. To fix this issue, revise the
+target label of the goto statement to 'abort_with_slices'.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+index 83651ac8ddb9d..8ebf3611aba3c 100644
+--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+@@ -4114,7 +4114,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ * setup (if available). */
+ status = myri10ge_request_irq(mgp);
+ if (status != 0)
+- goto abort_with_firmware;
++ goto abort_with_slices;
+ myri10ge_free_irq(mgp);
+
+ /* Save configuration space to be restored if the
+--
+2.20.1
+
diff --git a/queue-4.4/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch b/queue-4.4/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch
new file mode 100644
index 00000000000..47c3473aac4
--- /dev/null
+++ b/queue-4.4/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch
@@ -0,0 +1,54 @@ +From 09813874f48b0c088f62df67c14057029f5cd21b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sun, 11 Aug 2019 20:13:45 -0700 +Subject: net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx + +[ Upstream commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 ] + +clang warns: + +drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical +'&&' with constant operand [-Wconstant-logical-operand] + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^ ~~~~~~~~~~~~ +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a +bitwise operation + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^~ + & +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to +silence this warning + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ~^~~~~~~~~~~~~~~ +1 warning generated. + +Explicitly check that NET_IP_ALIGN is not zero, which matches how this +is checked in other parts of the tree. Because NET_IP_ALIGN is a build +time constant, this check will be constant folded away during +optimization. + +Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature") +Link: https://github.com/ClangBuiltLinux/linux/issues/608 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/tc35815.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/toshiba/tc35815.c b/drivers/net/ethernet/toshiba/tc35815.c +index 45ac38d29ed83..868fb6306df02 100644 +--- a/drivers/net/ethernet/toshiba/tc35815.c ++++ b/drivers/net/ethernet/toshiba/tc35815.c +@@ -1528,7 +1528,7 @@ tc35815_rx(struct net_device *dev, int limit) + pci_unmap_single(lp->pci_dev, + lp->rx_skbs[cur_bd].skb_dma, + RX_BUF_SIZE, PCI_DMA_FROMDEVICE); +- if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) ++ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0) + memmove(skb->data, skb->data - NET_IP_ALIGN, + pkt_len); + data = skb_put(skb, pkt_len); +-- +2.20.1 + 
diff --git a/queue-4.4/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch b/queue-4.4/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch new file mode 100644 index 00000000000..9593a8f9279 --- /dev/null +++ b/queue-4.4/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch 
@@ -0,0 +1,49 @@ +From a3afacf29bd1626507cd256fcf706b0bbeb9edb9 Mon Sep 17 00:00:00 2001 +From: Fuqian Huang +Date: Fri, 9 Aug 2019 13:35:39 +0800 +Subject: net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq + in IRQ context + +[ Upstream commit 8c25d0887a8bd0e1ca2074ac0c6dff173787a83b ] + +As spin_unlock_irq will enable interrupts. +Function tsi108_stat_carry is called from interrupt handler tsi108_irq. +Interrupts are enabled in interrupt handler. +Use spin_lock_irqsave/spin_unlock_irqrestore instead of spin_(un)lock_irq +in IRQ context to avoid this. + +Signed-off-by: Fuqian Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/tundra/tsi108_eth.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c +index 520cf50a3d5a1..93fe0da0f15ea 100644 +--- a/drivers/net/ethernet/tundra/tsi108_eth.c ++++ b/drivers/net/ethernet/tundra/tsi108_eth.c +@@ -379,9 +379,10 @@ tsi108_stat_carry_one(int carry, int carry_bit, int carry_shift, + static void tsi108_stat_carry(struct net_device *dev) + { + struct tsi108_prv_data *data = netdev_priv(dev); ++ unsigned long flags; + u32 carry1, carry2; + +- spin_lock_irq(&data->misclock); ++ spin_lock_irqsave(&data->misclock, flags); + + carry1 = TSI_READ(TSI108_STAT_CARRY1); + carry2 = TSI_READ(TSI108_STAT_CARRY2); +@@ -449,7 +450,7 @@ static void tsi108_stat_carry(struct net_device *dev) + TSI108_STAT_TXPAUSEDROP_CARRY, + &data->tx_pause_drop); + +- spin_unlock_irq(&data->misclock); ++ spin_unlock_irqrestore(&data->misclock, flags); + } + + /* Read a stat counter atomically with respect to carries. +-- +2.20.1 + diff --git a/queue-4.4/ravb-fix-use-after-free-ravb_tstamp_skb.patch b/queue-4.4/ravb-fix-use-after-free-ravb_tstamp_skb.patch new file mode 100644 index 00000000000..9a7535b1d26 --- /dev/null +++ b/queue-4.4/ravb-fix-use-after-free-ravb_tstamp_skb.patch 
@@ -0,0 +1,69 @@ +From 56091a026f94da28a4a6291119a5b27ab4c5586d Mon Sep 17 00:00:00 2001 +From: Tho Vu +Date: Fri, 16 Aug 2019 17:17:02 +0200 +Subject: ravb: Fix use-after-free ravb_tstamp_skb + +[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ] + +When a Tx timestamp is requested, a pointer to the skb is stored in the +ravb_tstamp_skb struct. This was done without an skb_get. There exists +the possibility that the skb could be freed by ravb_tx_free (when +ravb_tx_free is called from ravb_start_xmit) before the timestamp was +processed, leading to a use-after-free bug. + +Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate +frees/consumes when a ravb_tstamp_skb struct is freed. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Tho Vu +Signed-off-by: Kazuya Mizuguchi +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 29d31eb995d7f..fedfd94699cb8 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1,6 +1,6 @@ + /* Renesas Ethernet AVB device driver + * +- * Copyright (C) 2014-2015 Renesas Electronics Corporation ++ * Copyright (C) 2014-2019 Renesas Electronics Corporation + * Copyright (C) 2015 Renesas Solutions Corp. + * Copyright (C) 2015 Cogent Embedded, Inc. 
+ * +@@ -501,7 +501,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev) + kfree(ts_skb); + if (tag == tfa_tag) { + skb_tstamp_tx(skb, &shhwtstamps); ++ dev_consume_skb_any(skb); + break; ++ } else { ++ dev_kfree_skb_any(skb); + } + } + ravb_write(ndev, ravb_read(ndev, TCCR) | TCCR_TFR, TCCR); +@@ -1382,7 +1385,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) + DMA_TO_DEVICE); + goto unmap; + } +- ts_skb->skb = skb; ++ ts_skb->skb = skb_get(skb); + ts_skb->tag = priv->ts_skb_tag++; + priv->ts_skb_tag &= 0x3ff; + list_add_tail(&ts_skb->list, &priv->ts_skb_list); +@@ -1514,6 +1517,7 @@ static int ravb_close(struct net_device *ndev) + /* Clear the timestamp list */ + list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) { + list_del(&ts_skb->list); ++ kfree_skb(ts_skb->skb); + kfree(ts_skb); + } + +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..153611661f2 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,16 @@ +net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch +net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch +bluetooth-btqca-add-a-short-delay-before-downloading.patch +ibmveth-convert-multicast-list-size-for-little-endia.patch +gpio-fix-build-error-of-function-redefinition.patch +cxgb4-fix-a-memory-leak-bug.patch +net-myri10ge-fix-memory-leaks.patch +cx82310_eth-fix-a-memory-leak-bug.patch +net-kalmia-fix-memory-leaks.patch +wimax-i2400m-fix-a-memory-leak-bug.patch +ravb-fix-use-after-free-ravb_tstamp_skb.patch +tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch +ib-mlx4-fix-memory-leaks.patch +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch +kvm-arm-arm64-only-skip-mmio-insn-once.patch +libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch 
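Review bot: The reference taken by `ts_skb->skb = skb_get(skb);` in ravb_start_xmit() has no comment saying where it is dropped, and the three release sites added here use three different calls (`dev_consume_skb_any`, `dev_kfree_skb_any`, `kfree_skb`). A comment at the skb_get, such as `/* ref dropped in ravb_get_tx_tstamp() or ravb_close() */`, would make the pairing auditable. Any other code that empties `ts_skb_list` outside these hunks would need the same put, which cannot be checked from here. In ravb_get_tx_tstamp() the `else` after `break` is redundant; a plain `dev_kfree_skb_any(skb);` following the `if` block reads the same.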
diff --git a/queue-4.4/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch b/queue-4.4/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch new file mode 100644 index 00000000000..6b54bc16b10 --- /dev/null +++ b/queue-4.4/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch @@ -0,0 +1,43 @@ +From db7586d94897183f48af8f1dc8ed5fc5886dacd3 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 19 Aug 2019 16:44:09 +0200 +Subject: Tools: hv: kvp: eliminate 'may be used uninitialized' warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 89eb4d8d25722a0a0194cf7fa47ba602e32a6da7 ] + +When building hv_kvp_daemon GCC-8.3 complains: + +hv_kvp_daemon.c: In function ‘kvp_get_ip_info.constprop’: +hv_kvp_daemon.c:812:30: warning: ‘ip_buffer’ may be used uninitialized in this function [-Wmaybe-uninitialized] + struct hv_kvp_ipaddr_value *ip_buffer; + +this seems to be a false positive: we only use ip_buffer when +op == KVP_OP_GET_IP_INFO and it is only unset when op == KVP_OP_ENUMERATE. + +Silence the warning by initializing ip_buffer to NULL. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sasha Levin +--- + tools/hv/hv_kvp_daemon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c +index fffc7c4184599..834008639c4bb 100644 +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -878,7 +878,7 @@ kvp_get_ip_info(int family, char *if_name, int op, + int sn_offset = 0; + int error = 0; + char *buffer; +- struct hv_kvp_ipaddr_value *ip_buffer; ++ struct hv_kvp_ipaddr_value *ip_buffer = NULL; + char cidr_mask[5]; /* /xyz */ + int weight; + int i; +-- +2.20.1 + diff --git a/queue-4.4/wimax-i2400m-fix-a-memory-leak-bug.patch b/queue-4.4/wimax-i2400m-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..77b96ff66bc --- /dev/null +++ b/queue-4.4/wimax-i2400m-fix-a-memory-leak-bug.patch 
@@ -0,0 +1,44 @@
+From 085df794b5d6206b88abaf4590a74cd14b731fa4 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Thu, 15 Aug 2019 15:29:51 -0500
+Subject: wimax/i2400m: fix a memory leak bug
+
+[ Upstream commit 44ef3a03252844a8753479b0cea7f29e4a804bdc ]
+
+In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
+to hold the original command line options. Then, the options are parsed.
+However, if an error occurs during the parsing process, 'options_orig' is
+not deallocated, leading to a memory leak bug. To fix this issue, free
+'options_orig' before returning the error.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wimax/i2400m/fw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
+index c9c711dcd0e6b..0e6c665a4de82 100644
+--- a/drivers/net/wimax/i2400m/fw.c
++++ b/drivers/net/wimax/i2400m/fw.c
+@@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options)
+ }
+ result = i2400m_barker_db_add(barker);
+ if (result < 0)
+- goto error_add;
++ goto error_parse_add;
+ }
+ kfree(options_orig);
+ }
+ return 0;
+
++error_parse_add:
+ error_parse:
+ kfree(options_orig);
+ error_add:
+ kfree(i2400m_barker_db);
+ return result;
+--
+2.20.1
+
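Review bot: `error_parse_add:` sits directly on top of `error_parse:` in i2400m_barker_db_init(), so the two labels are the same target and the new one adds nothing; `goto error_parse;` at the i2400m_barker_db_add() failure would do the same job. Separately, the context line `kfree(i2400m_barker_db);` leaves the pointer set after the free. It does not appear to be a local of this function, so if it is file-scope state a following `i2400m_barker_db = NULL;` would prevent a stale pointer being reused; the declaration is outside the hunk.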