From: Sasha Levin Date: Fri, 6 Sep 2019 11:18:05 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.4.192~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c5630e4573d5c22ece8fc9fd73def933184b068e;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/bluetooth-btqca-add-a-short-delay-before-downloading.patch b/queue-4.14/bluetooth-btqca-add-a-short-delay-before-downloading.patch new file mode 100644 index 00000000000..fab15f3b848 --- /dev/null +++ b/queue-4.14/bluetooth-btqca-add-a-short-delay-before-downloading.patch @@ -0,0 +1,42 @@ +From 69e2ee73bed7fb58b4c782a0f80fd8142346c1e3 Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Tue, 9 Jul 2019 15:44:50 -0700 +Subject: Bluetooth: btqca: Add a short delay before downloading the NVM + +[ Upstream commit 8059ba0bd0e4694e51c2ee6438a77b325f06c0d5 ] + +On WCN3990 downloading the NVM sometimes fails with a "TLV response +size mismatch" error: + +[ 174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin +[ 174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch + +It seems the controller needs a short time after downloading the +firmware before it is ready for the NVM. A delay as short as 1 ms +seems sufficient, make it 10 ms just in case. No event is received +during the delay, hence we don't just silently drop an extra event. + +Signed-off-by: Matthias Kaehlcke +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 0bbdfcef2aa84..a48a61f22f823 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -363,6 +363,9 @@ int qca_uart_setup_rome(struct hci_dev *hdev, uint8_t baudrate) + return err; + } + ++ /* Give the controller some time to get ready to receive the NVM */ ++ msleep(10); ++ + /* Download NVM configuration */ + config.type = TLV_TYPE_NVM; + snprintf(config.fwname, sizeof(config.fwname), "qca/nvm_%08x.bin", +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-hidp-let-hidp_send_message-return-number-o.patch b/queue-4.14/bluetooth-hidp-let-hidp_send_message-return-number-o.patch new file mode 100644 index 00000000000..ffe431df782 --- /dev/null +++ b/queue-4.14/bluetooth-hidp-let-hidp_send_message-return-number-o.patch @@ -0,0 +1,59 @@ +From 123b79c331482d3fa1b0efc2c7421e06c5630c5d Mon Sep 17 00:00:00 2001 +From: Fabian Henneke +Date: Mon, 15 Jul 2019 19:40:56 +0200 +Subject: Bluetooth: hidp: Let hidp_send_message return number of queued bytes + +[ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ] + +Let hidp_send_message return the number of successfully queued bytes +instead of an unconditional 0. + +With the return value fixed to 0, other drivers relying on hidp, such as +hidraw, can not return meaningful values from their respective +implementations of write(). In particular, with the current behavior, a +hidraw device's write() will have different return values depending on +whether the device is connected via USB or Bluetooth, which makes it +harder to abstract away the transport layer. + +Signed-off-by: Fabian Henneke +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index b21fcc838784d..f6bffb3a95116 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -101,6 +101,7 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock, + { + struct sk_buff *skb; + struct sock *sk = sock->sk; ++ int ret; + + BT_DBG("session %p data %p size %d", session, data, size); + +@@ -114,13 +115,17 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock, + } + + skb_put_u8(skb, hdr); +- if (data && size > 0) ++ if (data && size > 0) { + skb_put_data(skb, data, size); ++ ret = size; ++ } else { ++ ret = 0; ++ } + + skb_queue_tail(transmit, skb); + wake_up_interruptible(sk_sleep(sk)); + +- return 0; ++ return ret; + } + + static int hidp_send_ctrl_message(struct hidp_session *session, +-- +2.20.1 + diff --git a/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch new file mode 100644 index 00000000000..5424113a989 --- /dev/null +++ b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch @@ -0,0 +1,91 @@ +From 689f220518df4fcf846d5dcf68fcb45b06a47a51 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:20 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() + +[ Upstream commit 86968ef21596515958d5f0a40233d02be78ecec0 ] + +Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the +i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be +fixed by postponing the call until later, when the lock is released. + +The following backtrace was triggered by fstests generic/117. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress + 3 locks held by fsstress/650: + #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50 + #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0 + #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810 + CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + __ceph_setxattr+0x2b4/0x810 + __vfs_setxattr+0x66/0x80 + __vfs_setxattr_noperm+0x59/0xf0 + vfs_setxattr+0x81/0xa0 + setxattr+0x115/0x230 + ? filename_lookup+0xc9/0x140 + ? rcu_read_lock_sched_held+0x74/0x80 + ? rcu_sync_lockdep_assert+0x2e/0x60 + ? __sb_start_write+0x142/0x1a0 + ? mnt_want_write+0x20/0x50 + path_setxattr+0xba/0xd0 + __x64_sys_lsetxattr+0x24/0x30 + do_syscall_64+0x50/0x1c0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7ff23514359a + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 0376db8a74f85..932c6cdc22d66 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -955,6 +955,7 @@ int __ceph_setxattr(struct inode *inode, const char *name, + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; + struct ceph_cap_flush *prealloc_cf = NULL; ++ struct ceph_buffer *old_blob = NULL; + int issued; + int err; + int dirty = 0; +@@ -1023,13 +1024,15 @@ retry: + struct ceph_buffer *blob; + + spin_unlock(&ci->i_ceph_lock); +- dout(" preaallocating new blob size=%d\n", required_blob_size); ++ ceph_buffer_put(old_blob); /* Shouldn't be required */ ++ dout(" pre-allocating new blob size=%d\n", required_blob_size); + blob = ceph_buffer_new(required_blob_size, GFP_NOFS); + if (!blob) + goto do_sync_unlocked; + spin_lock(&ci->i_ceph_lock); ++ /* prealloc_blob can't be released while holding i_ceph_lock */ + if (ci->i_xattrs.prealloc_blob) +- ceph_buffer_put(ci->i_xattrs.prealloc_blob); ++ old_blob = ci->i_xattrs.prealloc_blob; + ci->i_xattrs.prealloc_blob = blob; + goto retry; + } +@@ -1045,6 +1048,7 @@ retry: + } + + spin_unlock(&ci->i_ceph_lock); ++ ceph_buffer_put(old_blob); + if (lock_snap_rwsem) + up_read(&mdsc->snap_rwsem); + if (dirty) +-- +2.20.1 + diff --git a/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-14468 b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-14468 new file mode 100644 index 00000000000..72b68f3a164 --- /dev/null +++ b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-14468 @@ -0,0 +1,169 @@ +From d786e441b9f25853a4396bb609b4f4c7df0849e7 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:21 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in + __ceph_build_xattrs_blob() + +[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ] + +Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in +freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can +be fixed by having this function returning the old blob buffer and have +the callers of this function freeing it when the lock is released. + +The following backtrace was triggered by fstests generic/117. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress + 4 locks held by fsstress/649: + #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0 + #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60 + #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60 + #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60 + CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + __ceph_build_xattrs_blob+0x12b/0x170 + __send_cap+0x302/0x540 + ? __lock_acquire+0x23c/0x1e40 + ? __mark_caps_flushing+0x15c/0x280 + ? _raw_spin_unlock+0x24/0x30 + ceph_check_caps+0x5f0/0xc60 + ceph_flush_dirty_caps+0x7c/0x150 + ? __ia32_sys_fdatasync+0x20/0x20 + ceph_sync_fs+0x5a/0x130 + iterate_supers+0x8f/0xf0 + ksys_sync+0x4f/0xb0 + __ia32_sys_sync+0xa/0x10 + do_syscall_64+0x50/0x1c0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fc6409ab617 + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 5 ++++- + fs/ceph/snap.c | 4 +++- + fs/ceph/super.h | 2 +- + fs/ceph/xattr.c | 11 ++++++++--- + 4 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 238d24348a98a..df95e39ccd45b 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1162,6 +1162,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + { + struct ceph_inode_info *ci = cap->ci; + struct inode *inode = &ci->vfs_inode; ++ struct ceph_buffer *old_blob = NULL; + struct cap_msg_args arg; + int held, revoking, dropping; + int wake = 0; +@@ -1227,7 +1228,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + ci->i_requested_max_size = arg.max_size; + + if (flushing & CEPH_CAP_XATTR_EXCL) { +- __ceph_build_xattrs_blob(ci); ++ old_blob = __ceph_build_xattrs_blob(ci); + arg.xattr_version = ci->i_xattrs.version; + arg.xattr_buf = ci->i_xattrs.blob; + } else { +@@ -1262,6 +1263,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, + + spin_unlock(&ci->i_ceph_lock); + ++ ceph_buffer_put(old_blob); ++ + ret = send_cap_msg(&arg); + if (ret < 0) { + dout("error sending cap msg, must requeue %p\n", inode); +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index a7e763dac0385..29ed1688a1d3a 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -460,6 +460,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + struct inode *inode = &ci->vfs_inode; + struct ceph_cap_snap *capsnap; + struct ceph_snap_context *old_snapc, *new_snapc; ++ struct ceph_buffer *old_blob = NULL; + int used, dirty; + + capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS); +@@ -536,7 +537,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + capsnap->gid = inode->i_gid; + + if (dirty & CEPH_CAP_XATTR_EXCL) { +- __ceph_build_xattrs_blob(ci); ++ old_blob = __ceph_build_xattrs_blob(ci); + capsnap->xattr_blob = + ceph_buffer_get(ci->i_xattrs.blob); + capsnap->xattr_version = ci->i_xattrs.version; +@@ -579,6 +580,7 @@ update_snapc: + } + spin_unlock(&ci->i_ceph_lock); + ++ ceph_buffer_put(old_blob); + kfree(capsnap); + ceph_put_snap_context(old_snapc); + } +diff --git a/fs/ceph/super.h b/fs/ceph/super.h +index 60b70f0985f67..46f600107cb5b 100644 +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -835,7 +835,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat, + int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int); + ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t); + extern ssize_t ceph_listxattr(struct dentry *, char *, size_t); +-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci); ++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci); + extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci); + extern void __init ceph_xattr_init(void); + extern void ceph_xattr_exit(void); +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 932c6cdc22d66..3a166f860b6cf 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -681,12 +681,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size, + + /* + * If there are dirty xattrs, reencode xattrs into the prealloc_blob +- * and swap into place. ++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so ++ * that it can be freed by the caller as the i_ceph_lock is likely to be ++ * held. + */ +-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci) ++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci) + { + struct rb_node *p; + struct ceph_inode_xattr *xattr = NULL; ++ struct ceph_buffer *old_blob = NULL; + void *dest; + + dout("__build_xattrs_blob %p\n", &ci->vfs_inode); +@@ -717,12 +720,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci) + dest - ci->i_xattrs.prealloc_blob->vec.iov_base; + + if (ci->i_xattrs.blob) +- ceph_buffer_put(ci->i_xattrs.blob); ++ old_blob = ci->i_xattrs.blob; + ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob; + ci->i_xattrs.prealloc_blob = NULL; + ci->i_xattrs.dirty = false; + ci->i_xattrs.version++; + } ++ ++ return old_blob; + } + + static inline int __get_request_mask(struct inode *in) { +-- +2.20.1 + diff --git a/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch new file mode 100644 index 00000000000..9a4cf0ab859 --- /dev/null +++ b/queue-4.14/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch @@ -0,0 +1,87 @@ +From 46569d9b25ab5994b2cc7234f63564a7e3f1550a Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:22 +0100 +Subject: ceph: fix buffer free while holding i_ceph_lock in fill_inode() + +[ Upstream commit af8a85a41734f37b67ba8ce69d56b685bee4ac48 ] + +Calling ceph_buffer_put() in fill_inode() may result in freeing the +i_xattrs.blob buffer while holding the i_ceph_lock. This can be fixed by +postponing the call until later, when the lock is released. + +The following backtrace was triggered by fstests generic/070. + + BUG: sleeping function called from invalid context at mm/vmalloc.c:2283 + in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4 + 6 locks held by kworker/0:4/3852: + #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0 + #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0 + #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476 + #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476 + #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476 + #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70 + CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014 + Workqueue: ceph-msgr ceph_con_workfn + Call Trace: + dump_stack+0x67/0x90 + ___might_sleep.cold+0x9f/0xb1 + vfree+0x4b/0x60 + ceph_buffer_release+0x1b/0x60 + fill_inode.isra.0+0xa9b/0xf70 + ceph_fill_trace+0x13b/0xc70 + ? dispatch+0x2eb/0x1476 + dispatch+0x320/0x1476 + ? __mutex_unlock_slowpath+0x4d/0x2a0 + ceph_con_workfn+0xc97/0x2ec0 + ? process_one_work+0x1b8/0x5f0 + process_one_work+0x244/0x5f0 + worker_thread+0x4d/0x3e0 + kthread+0x105/0x140 + ? process_one_work+0x5f0/0x5f0 + ? kthread_park+0x90/0x90 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/inode.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index f2b722f0df5d0..9bda8c7a80a05 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -730,6 +730,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + int issued = 0, implemented, new_issued; + struct timespec mtime, atime, ctime; + struct ceph_buffer *xattr_blob = NULL; ++ struct ceph_buffer *old_blob = NULL; + struct ceph_string *pool_ns = NULL; + struct ceph_cap *new_cap = NULL; + int err = 0; +@@ -847,7 +848,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL)) && + le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) { + if (ci->i_xattrs.blob) +- ceph_buffer_put(ci->i_xattrs.blob); ++ old_blob = ci->i_xattrs.blob; + ci->i_xattrs.blob = xattr_blob; + if (xattr_blob) + memcpy(ci->i_xattrs.blob->vec.iov_base, +@@ -993,8 +994,8 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + out: + if (new_cap) + ceph_put_cap(mdsc, new_cap); +- if (xattr_blob) +- ceph_buffer_put(xattr_blob); ++ ceph_buffer_put(old_blob); ++ ceph_buffer_put(xattr_blob); + ceph_put_string(pool_ns); + return err; + } +-- +2.20.1 + diff --git a/queue-4.14/cx82310_eth-fix-a-memory-leak-bug.patch b/queue-4.14/cx82310_eth-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..ff8b9b0f6c1 --- /dev/null +++ b/queue-4.14/cx82310_eth-fix-a-memory-leak-bug.patch @@ -0,0 +1,38 @@ +From e3ff8a4d600ed4560a382ecf8f32517204544ea6 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 13:03:38 -0500 +Subject: cx82310_eth: fix a memory leak bug + +[ Upstream commit 1eca92eef18719027d394bf1a2d276f43e7cf886 ] + +In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc(). +Then, the execution waits for the firmware to become ready. If the firmware +is not ready in time, the execution is terminated. However, the allocated +'dev->partial_data' is not deallocated on this path, leading to a memory +leak bug. To fix this issue, free 'dev->partial_data' before returning the +error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cx82310_eth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index 947bea81d9241..dfbdea22fbad9 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -175,7 +175,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf) + } + if (!timeout) { + dev_err(&udev->dev, "firmware not ready in time\n"); +- return -ETIMEDOUT; ++ ret = -ETIMEDOUT; ++ goto err; + } + + /* enable ethernet mode (?) */ +-- +2.20.1 + diff --git a/queue-4.14/cxgb4-fix-a-memory-leak-bug.patch b/queue-4.14/cxgb4-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..19e74e45b4f --- /dev/null +++ b/queue-4.14/cxgb4-fix-a-memory-leak-bug.patch @@ -0,0 +1,37 @@ +From eead8b6d632d47ec0c1d467d7696a6fd7bda6489 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Tue, 13 Aug 2019 04:18:52 -0500 +Subject: cxgb4: fix a memory leak bug + +[ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ] + +In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails, +leading to a memory leak bug. To fix this issue, free t before returning +the error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c +index 76540b0e082d3..9e5cd18e7358c 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c +@@ -2777,8 +2777,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf, + return -ENOMEM; + + err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz); +- if (err) ++ if (err) { ++ kvfree(t); + return err; ++ } + + bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz); + kvfree(t); +-- +2.20.1 + diff --git a/queue-4.14/drm-mediatek-set-dma-max-segment-size.patch b/queue-4.14/drm-mediatek-set-dma-max-segment-size.patch new file mode 100644 index 00000000000..d79eb3c3515 --- /dev/null +++ b/queue-4.14/drm-mediatek-set-dma-max-segment-size.patch @@ -0,0 +1,112 @@ +From dec00efaad8c15569d854146d2f2292bb0ae1bf7 Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 29 Jul 2019 14:33:35 +0900 +Subject: drm/mediatek: set DMA max segment size + +[ Upstream commit 070955558e820b9a89c570b91b1f21762f62b288 ] + +This driver requires imported PRIME buffers to appear contiguously in +its IO address space. Make sure this is the case by setting the maximum +DMA segment size to a more suitable value than the default 64KB. + +Signed-off-by: Alexandre Courbot +Reviewed-by: Tomasz Figa +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 35 ++++++++++++++++++++++++-- + drivers/gpu/drm/mediatek/mtk_drm_drv.h | 2 ++ + 2 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index 4a89cd2e4f1c5..034b50080304f 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -185,6 +185,7 @@ static int mtk_drm_kms_init(struct drm_device *drm) + struct mtk_drm_private *private = drm->dev_private; + struct platform_device *pdev; + struct device_node *np; ++ struct device *dma_dev; + int ret; + + if (!iommu_present(&platform_bus_type)) +@@ -242,7 +243,29 @@ static int mtk_drm_kms_init(struct drm_device *drm) + goto err_component_unbind; + } + +- private->dma_dev = &pdev->dev; ++ dma_dev = &pdev->dev; ++ private->dma_dev = dma_dev; ++ ++ /* ++ * Configure the DMA segment size to make sure we get contiguous IOVA ++ * when importing PRIME buffers. ++ */ ++ if (!dma_dev->dma_parms) { ++ private->dma_parms_allocated = true; ++ dma_dev->dma_parms = ++ devm_kzalloc(drm->dev, sizeof(*dma_dev->dma_parms), ++ GFP_KERNEL); ++ } ++ if (!dma_dev->dma_parms) { ++ ret = -ENOMEM; ++ goto err_component_unbind; ++ } ++ ++ ret = dma_set_max_seg_size(dma_dev, (unsigned int)DMA_BIT_MASK(32)); ++ if (ret) { ++ dev_err(dma_dev, "Failed to set DMA segment size\n"); ++ goto err_unset_dma_parms; ++ } + + /* + * We don't use the drm_irq_install() helpers provided by the DRM +@@ -252,13 +275,16 @@ static int mtk_drm_kms_init(struct drm_device *drm) + drm->irq_enabled = true; + ret = drm_vblank_init(drm, MAX_CRTC); + if (ret < 0) +- goto err_component_unbind; ++ goto err_unset_dma_parms; + + drm_kms_helper_poll_init(drm); + drm_mode_config_reset(drm); + + return 0; + ++err_unset_dma_parms: ++ if (private->dma_parms_allocated) ++ dma_dev->dma_parms = NULL; + err_component_unbind: + component_unbind_all(drm->dev, drm); + err_config_cleanup: +@@ -269,9 +295,14 @@ err_config_cleanup: + + static void mtk_drm_kms_deinit(struct drm_device *drm) + { ++ struct mtk_drm_private *private = drm->dev_private; ++ + drm_kms_helper_poll_fini(drm); + drm_atomic_helper_shutdown(drm); + ++ if (private->dma_parms_allocated) ++ private->dma_dev->dma_parms = NULL; ++ + component_unbind_all(drm->dev, drm); + drm_mode_config_cleanup(drm); + } +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.h b/drivers/gpu/drm/mediatek/mtk_drm_drv.h +index c3378c452c0a0..445dd45e65ebc 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.h ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.h +@@ -56,6 +56,8 @@ struct mtk_drm_private { + } commit; + + struct drm_atomic_state *suspend_state; ++ ++ bool dma_parms_allocated; + }; + + extern struct platform_driver mtk_ddp_driver; +-- +2.20.1 + diff --git a/queue-4.14/drm-mediatek-use-correct-device-to-import-prime-buff.patch b/queue-4.14/drm-mediatek-use-correct-device-to-import-prime-buff.patch new file mode 100644 index 00000000000..3903c7aa07d --- /dev/null +++ b/queue-4.14/drm-mediatek-use-correct-device-to-import-prime-buff.patch @@ -0,0 +1,54 @@ +From 968eddfac10a06bcfca1bfa710b1433f6b59fa84 Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 29 Jul 2019 14:33:34 +0900 +Subject: drm/mediatek: use correct device to import PRIME buffers + +[ Upstream commit 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d ] + +PRIME buffers should be imported using the DMA device. To this end, use +a custom import function that mimics drm_gem_prime_import_dev(), but +passes the correct device. + +Fixes: 119f5173628aa ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Alexandre Courbot +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index cada1c75c41cd..4a89cd2e4f1c5 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -287,6 +287,18 @@ static const struct file_operations mtk_drm_fops = { + .compat_ioctl = drm_compat_ioctl, + }; + ++/* ++ * We need to override this because the device used to import the memory is ++ * not dev->dev, as drm_gem_prime_import() expects. ++ */ ++struct drm_gem_object *mtk_drm_gem_prime_import(struct drm_device *dev, ++ struct dma_buf *dma_buf) ++{ ++ struct mtk_drm_private *private = dev->dev_private; ++ ++ return drm_gem_prime_import_dev(dev, dma_buf, private->dma_dev); ++} ++ + static struct drm_driver mtk_drm_driver = { + .driver_features = DRIVER_MODESET | DRIVER_GEM | DRIVER_PRIME | + DRIVER_ATOMIC, +@@ -298,7 +310,7 @@ static struct drm_driver mtk_drm_driver = { + .prime_handle_to_fd = drm_gem_prime_handle_to_fd, + .prime_fd_to_handle = drm_gem_prime_fd_to_handle, + .gem_prime_export = drm_gem_prime_export, +- .gem_prime_import = drm_gem_prime_import, ++ .gem_prime_import = mtk_drm_gem_prime_import, + .gem_prime_get_sg_table = mtk_gem_prime_get_sg_table, + .gem_prime_import_sg_table = mtk_gem_prime_import_sg_table, + .gem_prime_mmap = mtk_drm_gem_mmap_buf, +-- +2.20.1 + diff --git a/queue-4.14/gpio-fix-build-error-of-function-redefinition.patch b/queue-4.14/gpio-fix-build-error-of-function-redefinition.patch new file mode 100644 index 00000000000..a75a1f3f423 --- /dev/null +++ b/queue-4.14/gpio-fix-build-error-of-function-redefinition.patch @@ -0,0 +1,66 @@ +From 16241bea3753c2627d26a596b23c3372d9a591a0 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 31 Jul 2019 20:38:14 +0800 +Subject: gpio: Fix build error of function redefinition + +[ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ] + +when do randbuilding, I got this error: + +In file included from drivers/hwmon/pmbus/ucd9000.c:19:0: +./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ +In file included from drivers/hwmon/pmbus/ucd9000.c:18:0: +./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here + gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, + ^~~~~~~~~~~~~~~~~~~~~~ + +Reported-by: Hulk Robot +Fixes: 964cb341882f ("gpio: move pincontrol calls to ") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + include/linux/gpio.h | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/include/linux/gpio.h b/include/linux/gpio.h +index 8ef7fc0ce0f0c..b2f103b170a97 100644 +--- a/include/linux/gpio.h ++++ b/include/linux/gpio.h +@@ -230,30 +230,6 @@ static inline int irq_to_gpio(unsigned irq) + return -EINVAL; + } + +-static inline int +-gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name, +- unsigned int gpio_offset, unsigned int pin_offset, +- unsigned int npins) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline int +-gpiochip_add_pingroup_range(struct gpio_chip *chip, +- struct pinctrl_dev *pctldev, +- unsigned int gpio_offset, const char *pin_group) +-{ +- WARN_ON(1); +- return -EINVAL; +-} +- +-static inline void +-gpiochip_remove_pin_ranges(struct gpio_chip *chip) +-{ +- WARN_ON(1); +-} +- + static inline int devm_gpio_request(struct device *dev, unsigned gpio, + const char *label) + { +-- +2.20.1 + diff --git a/queue-4.14/hid-cp2112-prevent-sleeping-function-called-from-inv.patch b/queue-4.14/hid-cp2112-prevent-sleeping-function-called-from-inv.patch new file mode 100644 index 00000000000..c07465931dc --- /dev/null +++ b/queue-4.14/hid-cp2112-prevent-sleeping-function-called-from-inv.patch @@ -0,0 +1,52 @@ +From fe592e2e59e92a8c9db31111343172552a77abab Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 12 Aug 2019 18:04:44 +0200 +Subject: HID: cp2112: prevent sleeping function called from invalid context + +[ Upstream commit 2d05dba2b25ecb0f8fc3a0b4eb2232da6454a47b ] + +When calling request_threaded_irq() with a CP2112, the function +cp2112_gpio_irq_startup() is called in a IRQ context. + +Therefore we can not sleep, and we can not call +cp2112_gpio_direction_input() there. + +Move the call to cp2112_gpio_direction_input() earlier to have a working +driver. + +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 4e940a096b2ac..abf1079457664 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -1149,8 +1149,6 @@ static unsigned int cp2112_gpio_irq_startup(struct irq_data *d) + + INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback); + +- cp2112_gpio_direction_input(gc, d->hwirq); +- + if (!dev->gpio_poll) { + dev->gpio_poll = true; + schedule_delayed_work(&dev->gpio_poll_worker, 0); +@@ -1198,6 +1196,12 @@ static int __maybe_unused cp2112_allocate_irq(struct cp2112_device *dev, + return PTR_ERR(dev->desc[pin]); + } + ++ ret = cp2112_gpio_direction_input(&dev->gc, pin); ++ if (ret < 0) { ++ dev_err(dev->gc.parent, "Failed to set GPIO to input dir\n"); ++ goto err_desc; ++ } ++ + ret = gpiochip_lock_as_irq(&dev->gc, pin); + if (ret) { + dev_err(dev->gc.parent, "Failed to lock GPIO as interrupt\n"); +-- +2.20.1 + diff --git a/queue-4.14/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch b/queue-4.14/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch new file mode 100644 index 00000000000..85541abef3d --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch @@ -0,0 +1,52 @@ +From 4357e7f3330f7563865ccd1d1302cb81ca2d858a Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Fri, 9 Aug 2019 01:58:08 +0000 +Subject: hv_netvsc: Fix a warning of suspicious RCU usage + +[ Upstream commit 6d0d779dca73cd5acb649c54f81401f93098b298 ] + +This fixes a warning of "suspicious rcu_dereference_check() usage" +when nload runs. + +Fixes: 776e726bfb34 ("netvsc: fix RCU warning in get_stats") +Signed-off-by: Dexuan Cui +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index eb92720dd1c4a..33c1f6548fb79 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1170,12 +1170,15 @@ static void netvsc_get_stats64(struct net_device *net, + struct rtnl_link_stats64 *t) + { + struct net_device_context *ndev_ctx = netdev_priv(net); +- struct netvsc_device *nvdev = rcu_dereference_rtnl(ndev_ctx->nvdev); ++ struct netvsc_device *nvdev; + struct netvsc_vf_pcpu_stats vf_tot; + int i; + ++ rcu_read_lock(); ++ ++ nvdev = rcu_dereference(ndev_ctx->nvdev); + if (!nvdev) +- return; ++ goto out; + + netdev_stats_to_stats64(t, &net->stats); + +@@ -1214,6 +1217,8 @@ static void netvsc_get_stats64(struct net_device *net, + t->rx_packets += packets; + t->multicast += multicast; + } ++out: ++ rcu_read_unlock(); + } + + static int netvsc_set_mac_addr(struct net_device *ndev, void *p) +-- +2.20.1 + diff --git a/queue-4.14/ib-mlx4-fix-memory-leaks.patch b/queue-4.14/ib-mlx4-fix-memory-leaks.patch new file mode 100644 index 00000000000..071ca890bf2 --- /dev/null +++ b/queue-4.14/ib-mlx4-fix-memory-leaks.patch @@ -0,0 +1,46 @@ +From cf9770f20fd1802c998b560aa28da0ea7d0e5863 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 18 Aug 2019 15:23:01 -0500 +Subject: IB/mlx4: Fix memory leaks + +[ Upstream commit 5c1baaa82cea2c815a5180ded402a7cd455d1810 ] + +In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through +kcalloc(). However, it is not always deallocated in the following execution +if an error occurs, leading to memory leaks. To fix this issue, free +'tun_qp->tx_ring' whenever an error occurs. + +Signed-off-by: Wenwen Wang +Acked-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1566159781-4642-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index d604b3d5aa3e4..c69158ccab822 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1680,8 +1680,6 @@ tx_err: + tx_buf_size, DMA_TO_DEVICE); + kfree(tun_qp->tx_ring[i].buf.addr); + } +- kfree(tun_qp->tx_ring); +- tun_qp->tx_ring = NULL; + i = MLX4_NUM_TUNNEL_BUFS; + err: + while (i > 0) { +@@ -1690,6 +1688,8 @@ err: + rx_buf_size, DMA_FROM_DEVICE); + kfree(tun_qp->ring[i].addr); + } ++ kfree(tun_qp->tx_ring); ++ tun_qp->tx_ring = NULL; + kfree(tun_qp->ring); + tun_qp->ring = NULL; + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.14/ibmveth-convert-multicast-list-size-for-little-endia.patch b/queue-4.14/ibmveth-convert-multicast-list-size-for-little-endia.patch new file mode 100644 index 00000000000..82639efb4b0 --- /dev/null +++ b/queue-4.14/ibmveth-convert-multicast-list-size-for-little-endia.patch @@ -0,0 +1,59 @@ +From 052eef3a5cc5c172c49e8f8382c4f3e57ac34471 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Mon, 12 Aug 2019 16:13:06 -0500 +Subject: ibmveth: Convert multicast list size for little-endian system + +[ Upstream commit 66cf4710b23ab2adda11155684a2c8826f4fe732 ] + +The ibm,mac-address-filters property defines the maximum number of +addresses the hypervisor's multicast filter list can support. It is +encoded as a big-endian integer in the OF device tree, but the virtual +ethernet driver does not convert it for use by little-endian systems. +As a result, the driver is not behaving as it should on affected systems +when a large number of multicast addresses are assigned to the device. + +Reported-by: Hangbin Liu +Signed-off-by: Thomas Falcon +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 754dff4c1771e..880d925438c17 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1618,7 +1618,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + struct net_device *netdev; + struct ibmveth_adapter *adapter; + unsigned char *mac_addr_p; +- unsigned int *mcastFilterSize_p; ++ __be32 *mcastFilterSize_p; + long ret; + unsigned long ret_attr; + +@@ -1640,8 +1640,9 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + return -EINVAL; + } + +- mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev, +- VETH_MCAST_FILTER_SIZE, NULL); ++ mcastFilterSize_p = (__be32 *)vio_get_attribute(dev, ++ VETH_MCAST_FILTER_SIZE, ++ NULL); + if (!mcastFilterSize_p) { + dev_err(&dev->dev, "Can't find VETH_MCAST_FILTER_SIZE " + "attribute\n"); +@@ -1658,7 +1659,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id) + + adapter->vdev = dev; + adapter->netdev = netdev; +- adapter->mcastFilterSize = *mcastFilterSize_p; ++ adapter->mcastFilterSize = be32_to_cpu(*mcastFilterSize_p); + adapter->pool_config = 0; + + netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16); +-- +2.20.1 + diff --git a/queue-4.14/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch b/queue-4.14/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch new file mode 100644 index 00000000000..ce57fda391a --- /dev/null +++ b/queue-4.14/input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch @@ -0,0 +1,74 @@ +From 8a31856b83b00ab77ee5cd9f68896f33bc671645 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Tue, 20 Aug 2019 03:01:23 +0000 +Subject: Input: hyperv-keyboard: Use in-place iterator API in the channel + callback + +[ Upstream commit d09bc83640d524b8467a660db7b1d15e6562a1de ] + +Simplify the ring buffer handling with the in-place API. + +Also avoid the dynamic allocation and the memory leak in the channel +callback function. + +Signed-off-by: Dexuan Cui +Acked-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/hyperv-keyboard.c | 35 +++++---------------------- + 1 file changed, 6 insertions(+), 29 deletions(-) + +diff --git a/drivers/input/serio/hyperv-keyboard.c b/drivers/input/serio/hyperv-keyboard.c +index 55288a026e4e2..c137ffa6fdec8 100644 +--- a/drivers/input/serio/hyperv-keyboard.c ++++ b/drivers/input/serio/hyperv-keyboard.c +@@ -245,40 +245,17 @@ static void hv_kbd_handle_received_packet(struct hv_device *hv_dev, + + static void hv_kbd_on_channel_callback(void *context) + { ++ struct vmpacket_descriptor *desc; + struct hv_device *hv_dev = context; +- void *buffer; +- int bufferlen = 0x100; /* Start with sensible size */ + u32 bytes_recvd; + u64 req_id; +- int error; + +- buffer = kmalloc(bufferlen, GFP_ATOMIC); +- if (!buffer) +- return; +- +- while (1) { +- error = vmbus_recvpacket_raw(hv_dev->channel, buffer, bufferlen, +- &bytes_recvd, &req_id); +- switch (error) { +- case 0: +- if (bytes_recvd == 0) { +- kfree(buffer); +- return; +- } +- +- hv_kbd_handle_received_packet(hv_dev, buffer, +- bytes_recvd, req_id); +- break; ++ foreach_vmbus_pkt(desc, hv_dev->channel) { ++ bytes_recvd = desc->len8 * 8; ++ req_id = desc->trans_id; + +- case -ENOBUFS: +- kfree(buffer); +- /* Handle large packet */ +- bufferlen = bytes_recvd; +- buffer = kmalloc(bytes_recvd, GFP_ATOMIC); +- if (!buffer) +- return; +- break; +- } ++ hv_kbd_handle_received_packet(hv_dev, desc, bytes_recvd, ++ req_id); + } + } + +-- +2.20.1 + diff --git a/queue-4.14/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch b/queue-4.14/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch new file mode 100644 index 00000000000..debe1a42e24 --- /dev/null +++ b/queue-4.14/kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch @@ -0,0 +1,159 @@ +From b33cfd15b7f55d5e8d1f4f1820153b0bc1a8e1a9 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Mon, 12 Aug 2019 20:43:02 +0200 +Subject: kprobes: Fix potential deadlock in kprobe_optimizer() + +[ Upstream commit f1c6ece23729257fb46562ff9224cf5f61b818da ] + +lockdep reports the following deadlock scenario: + + WARNING: possible circular locking dependency detected + + kworker/1:1/48 is trying to acquire lock: + 000000008d7a62b2 (text_mutex){+.+.}, at: kprobe_optimizer+0x163/0x290 + + but task is already holding lock: + 00000000850b5e2d (module_mutex){+.+.}, at: kprobe_optimizer+0x31/0x290 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (module_mutex){+.+.}: + __mutex_lock+0xac/0x9f0 + mutex_lock_nested+0x1b/0x20 + set_all_modules_text_rw+0x22/0x90 + ftrace_arch_code_modify_prepare+0x1c/0x20 + ftrace_run_update_code+0xe/0x30 + ftrace_startup_enable+0x2e/0x50 + ftrace_startup+0xa7/0x100 + register_ftrace_function+0x27/0x70 + arm_kprobe+0xb3/0x130 + enable_kprobe+0x83/0xa0 + enable_trace_kprobe.part.0+0x2e/0x80 + kprobe_register+0x6f/0xc0 + perf_trace_event_init+0x16b/0x270 + perf_kprobe_init+0xa7/0xe0 + perf_kprobe_event_init+0x3e/0x70 + perf_try_init_event+0x4a/0x140 + perf_event_alloc+0x93a/0xde0 + __do_sys_perf_event_open+0x19f/0xf30 + __x64_sys_perf_event_open+0x20/0x30 + do_syscall_64+0x65/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + -> #0 (text_mutex){+.+.}: + __lock_acquire+0xfcb/0x1b60 + lock_acquire+0xca/0x1d0 + __mutex_lock+0xac/0x9f0 + mutex_lock_nested+0x1b/0x20 + kprobe_optimizer+0x163/0x290 + process_one_work+0x22b/0x560 + worker_thread+0x50/0x3c0 + kthread+0x112/0x150 + ret_from_fork+0x3a/0x50 + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(module_mutex); + lock(text_mutex); + lock(module_mutex); + lock(text_mutex); + + *** DEADLOCK *** + +As a reproducer I've been using bcc's funccount.py +(https://github.com/iovisor/bcc/blob/master/tools/funccount.py), +for example: + + # ./funccount.py '*interrupt*' + +That immediately triggers the lockdep splat. + +Fix by acquiring text_mutex before module_mutex in kprobe_optimizer(). + +Signed-off-by: Andrea Righi +Acked-by: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: David S. Miller +Cc: Linus Torvalds +Cc: Naveen N. Rao +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: d5b844a2cf50 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()") +Link: http://lkml.kernel.org/r/20190812184302.GA7010@xps-13 +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index ec11bb986a8b4..c43bc2bc5b2ca 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -483,6 +483,7 @@ static DECLARE_DELAYED_WORK(optimizing_work, kprobe_optimizer); + */ + static void do_optimize_kprobes(void) + { ++ lockdep_assert_held(&text_mutex); + /* + * The optimization/unoptimization refers online_cpus via + * stop_machine() and cpu-hotplug modifies online_cpus. +@@ -500,9 +501,7 @@ static void do_optimize_kprobes(void) + list_empty(&optimizing_list)) + return; + +- mutex_lock(&text_mutex); + arch_optimize_kprobes(&optimizing_list); +- mutex_unlock(&text_mutex); + } + + /* +@@ -513,6 +512,7 @@ static void do_unoptimize_kprobes(void) + { + struct optimized_kprobe *op, *tmp; + ++ lockdep_assert_held(&text_mutex); + /* See comment in do_optimize_kprobes() */ + lockdep_assert_cpus_held(); + +@@ -520,7 +520,6 @@ static void do_unoptimize_kprobes(void) + if (list_empty(&unoptimizing_list)) + return; + +- mutex_lock(&text_mutex); + arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); + /* Loop free_list for disarming */ + list_for_each_entry_safe(op, tmp, &freeing_list, list) { +@@ -537,7 +536,6 @@ static void do_unoptimize_kprobes(void) + } else + list_del_init(&op->list); + } +- mutex_unlock(&text_mutex); + } + + /* Reclaim all kprobes on the free_list */ +@@ -563,6 +561,7 @@ static void kprobe_optimizer(struct work_struct *work) + { + mutex_lock(&kprobe_mutex); + cpus_read_lock(); ++ mutex_lock(&text_mutex); + /* Lock modules while optimizing kprobes */ + mutex_lock(&module_mutex); + +@@ -590,6 +589,7 @@ static void kprobe_optimizer(struct work_struct *work) + do_free_cleaned_kprobes(); + + mutex_unlock(&module_mutex); ++ mutex_unlock(&text_mutex); + cpus_read_unlock(); + mutex_unlock(&kprobe_mutex); + +-- +2.20.1 + diff --git a/queue-4.14/kvm-arm-arm64-only-skip-mmio-insn-once.patch b/queue-4.14/kvm-arm-arm64-only-skip-mmio-insn-once.patch new file mode 100644 index 00000000000..bd7cfd80405 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-only-skip-mmio-insn-once.patch @@ -0,0 +1,56 @@ +From 7dc25d862ff8f32cd2ddbdf809ae07e78f3ab96c Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 22 Aug 2019 13:03:05 +0200 +Subject: KVM: arm/arm64: Only skip MMIO insn once + +[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ] + +If after an MMIO exit to userspace a VCPU is immediately run with an +immediate_exit request, such as when a signal is delivered or an MMIO +emulation completion is needed, then the VCPU completes the MMIO +emulation and immediately returns to userspace. As the exit_reason +does not get changed from KVM_EXIT_MMIO in these cases we have to +be careful not to complete the MMIO emulation again, when the VCPU is +eventually run again, because the emulation does an instruction skip +(and doing too many skips would be a waste of guest code :-) We need +to use additional VCPU state to track if the emulation is complete. +As luck would have it, we already have 'mmio_needed', which even +appears to be used in this way by other architectures already. + +Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation") +Acked-by: Mark Rutland +Signed-off-by: Andrew Jones +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/mmio.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c +index 08443a15e6be8..3caee91bca089 100644 +--- a/virt/kvm/arm/mmio.c ++++ b/virt/kvm/arm/mmio.c +@@ -98,6 +98,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + unsigned int len; + int mask; + ++ /* Detect an already handled MMIO return */ ++ if (unlikely(!vcpu->mmio_needed)) ++ return 0; ++ ++ vcpu->mmio_needed = 0; ++ + if (!run->mmio.is_write) { + len = run->mmio.len; + if (len > sizeof(unsigned long)) +@@ -200,6 +206,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + run->mmio.is_write = is_write; + run->mmio.phys_addr = fault_ipa; + run->mmio.len = len; ++ vcpu->mmio_needed = 1; + + if (!ret) { + /* We handled the access successfully in the kernel. */ +-- +2.20.1 + diff --git a/queue-4.14/lan78xx-fix-memory-leaks.patch b/queue-4.14/lan78xx-fix-memory-leaks.patch new file mode 100644 index 00000000000..59f14811321 --- /dev/null +++ b/queue-4.14/lan78xx-fix-memory-leaks.patch @@ -0,0 +1,53 @@ +From fdbeee8ae5f7c7735122ffdb682d0ef801ea6fb7 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 11:23:13 -0500 +Subject: lan78xx: Fix memory leaks + +[ Upstream commit b9cbf8a64865b50fd0f4a3915fa00ac7365cdf8f ] + +In lan78xx_probe(), a new urb is allocated through usb_alloc_urb() and +saved to 'dev->urb_intr'. However, in the following execution, if an error +occurs, 'dev->urb_intr' is not deallocated, leading to memory leaks. To fix +this issue, invoke usb_free_urb() to free the allocated urb before +returning from the function. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index b62c41114e34e..24b994c68bccd 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3645,7 +3645,7 @@ static int lan78xx_probe(struct usb_interface *intf, + ret = register_netdev(netdev); + if (ret != 0) { + netif_err(dev, probe, netdev, "couldn't register the device\n"); +- goto out3; ++ goto out4; + } + + usb_set_intfdata(intf, dev); +@@ -3660,12 +3660,14 @@ static int lan78xx_probe(struct usb_interface *intf, + + ret = lan78xx_phy_init(dev); + if (ret < 0) +- goto out4; ++ goto out5; + + return 0; + +-out4: ++out5: + unregister_netdev(netdev); ++out4: ++ usb_free_urb(dev->urb_intr); + out3: + lan78xx_unbind(dev, intf); + out2: +-- +2.20.1 + diff --git a/queue-4.14/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch b/queue-4.14/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch new file mode 100644 index 00000000000..fc77904110f --- /dev/null +++ b/queue-4.14/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch @@ -0,0 +1,32 @@ +From 399b98cb4716cbdc2e7cf126a2b683b0707be115 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 19 Jul 2019 15:32:19 +0100 +Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer + +[ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ] + +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + include/linux/ceph/buffer.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h +index 5e58bb29b1a36..11cdc7c60480f 100644 +--- a/include/linux/ceph/buffer.h ++++ b/include/linux/ceph/buffer.h +@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b) + + static inline void ceph_buffer_put(struct ceph_buffer *b) + { +- kref_put(&b->kref, ceph_buffer_release); ++ if (b) ++ kref_put(&b->kref, ceph_buffer_release); + } + + extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end); +-- +2.20.1 + diff --git a/queue-4.14/liquidio-add-cleanup-in-octeon_setup_iq.patch b/queue-4.14/liquidio-add-cleanup-in-octeon_setup_iq.patch new file mode 100644 index 00000000000..013cd531132 --- /dev/null +++ b/queue-4.14/liquidio-add-cleanup-in-octeon_setup_iq.patch @@ -0,0 +1,37 @@ +From e56d3d3e27c5f47ff7329430476feafffe545c5c Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 00:14:49 -0500 +Subject: liquidio: add cleanup in octeon_setup_iq() + +[ Upstream commit 6f967f8b1be7001b31c46429f2ee7d275af2190f ] + +If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading +to memory/resource leaks. To fix this issue, invoke +octeon_delete_instr_queue() before returning from the function. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 1e0fbce86d608..55e8731264634 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -232,8 +232,10 @@ int octeon_setup_iq(struct octeon_device *oct, + } + + oct->num_iqs++; +- if (oct->fn_list.enable_io_queues(oct)) ++ if (oct->fn_list.enable_io_queues(oct)) { ++ octeon_delete_instr_queue(oct, iq_no); + return 1; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/net-kalmia-fix-memory-leaks.patch b/queue-4.14/net-kalmia-fix-memory-leaks.patch new file mode 100644 index 00000000000..bce729a51d4 --- /dev/null +++ b/queue-4.14/net-kalmia-fix-memory-leaks.patch @@ -0,0 +1,46 @@ +From 6bc25851ebf0d587cce1b4bf1c166097c4363a0d Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 13:56:43 -0500 +Subject: net: kalmia: fix memory leaks + +[ Upstream commit f1472cb09f11ddb41d4be84f0650835cb65a9073 ] + +In kalmia_init_and_get_ethernet_addr(), 'usb_buf' is allocated through +kmalloc(). In the following execution, if the 'status' returned by +kalmia_send_init_packet() is not 0, 'usb_buf' is not deallocated, leading +to memory leaks. To fix this issue, add the 'out' label to free 'usb_buf'. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/kalmia.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c +index ce0b0b4e3a57c..c677ec2bae183 100644 +--- a/drivers/net/usb/kalmia.c ++++ b/drivers/net/usb/kalmia.c +@@ -117,16 +117,16 @@ kalmia_init_and_get_ethernet_addr(struct usbnet *dev, u8 *ethernet_addr) + status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_1) + / sizeof(init_msg_1[0]), usb_buf, 24); + if (status != 0) +- return status; ++ goto out; + + memcpy(usb_buf, init_msg_2, 12); + status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_2) + / sizeof(init_msg_2[0]), usb_buf, 28); + if (status != 0) +- return status; ++ goto out; + + memcpy(ethernet_addr, usb_buf + 10, ETH_ALEN); +- ++out: + kfree(usb_buf); + return status; + } +-- +2.20.1 + diff --git a/queue-4.14/net-myri10ge-fix-memory-leaks.patch b/queue-4.14/net-myri10ge-fix-memory-leaks.patch new file mode 100644 index 00000000000..8189c9ae1d3 --- /dev/null +++ b/queue-4.14/net-myri10ge-fix-memory-leaks.patch @@ -0,0 +1,36 @@ +From 692ea5838ce7026e8ef7d90cf5f2c909966b35ff Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 14 Aug 2019 01:38:39 -0500 +Subject: net: myri10ge: fix memory leaks + +[ Upstream commit 20fb7c7a39b5c719e2e619673b5f5729ee7d2306 ] + +In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices +related structures. Later on, myri10ge_request_irq() is used to get an irq. +However, if this process fails, the allocated slices related structures are +not deallocated, leading to memory leaks. To fix this issue, revise the +target label of the goto statement to 'abort_with_slices'. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index b171ed2015fe4..a0a555052d8ca 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3922,7 +3922,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + * setup (if available). */ + status = myri10ge_request_irq(mgp); + if (status != 0) +- goto abort_with_firmware; ++ goto abort_with_slices; + myri10ge_free_irq(mgp); + + /* Save configuration space to be restored if the +-- +2.20.1 + diff --git a/queue-4.14/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch b/queue-4.14/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch new file mode 100644 index 00000000000..1de5e66fb5f --- /dev/null +++ b/queue-4.14/net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch @@ -0,0 +1,54 @@ +From 78dd4925401b59343d3499bbc9a220c137e2b8aa Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sun, 11 Aug 2019 20:13:45 -0700 +Subject: net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx + +[ Upstream commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 ] + +clang warns: + +drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical +'&&' with constant operand [-Wconstant-logical-operand] + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^ ~~~~~~~~~~~~ +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a +bitwise operation + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ^~ + & +drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to +silence this warning + if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) + ~^~~~~~~~~~~~~~~ +1 warning generated. + +Explicitly check that NET_IP_ALIGN is not zero, which matches how this +is checked in other parts of the tree. Because NET_IP_ALIGN is a build +time constant, this check will be constant folded away during +optimization. + +Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature") +Link: https://github.com/ClangBuiltLinux/linux/issues/608 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/tc35815.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/toshiba/tc35815.c b/drivers/net/ethernet/toshiba/tc35815.c +index cce9c9ed46aa9..9146068979d2c 100644 +--- a/drivers/net/ethernet/toshiba/tc35815.c ++++ b/drivers/net/ethernet/toshiba/tc35815.c +@@ -1497,7 +1497,7 @@ tc35815_rx(struct net_device *dev, int limit) + pci_unmap_single(lp->pci_dev, + lp->rx_skbs[cur_bd].skb_dma, + RX_BUF_SIZE, PCI_DMA_FROMDEVICE); +- if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN) ++ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0) + memmove(skb->data, skb->data - NET_IP_ALIGN, + pkt_len); + data = skb_put(skb, pkt_len); +-- +2.20.1 + diff --git a/queue-4.14/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch b/queue-4.14/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch new file mode 100644 index 00000000000..2b6525ac0ea --- /dev/null +++ b/queue-4.14/net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch @@ -0,0 +1,49 @@ +From 6af17a09477284cc51f54e4b10a01187f8a79316 Mon Sep 17 00:00:00 2001 +From: Fuqian Huang +Date: Fri, 9 Aug 2019 13:35:39 +0800 +Subject: net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq + in IRQ context + +[ Upstream commit 8c25d0887a8bd0e1ca2074ac0c6dff173787a83b ] + +As spin_unlock_irq will enable interrupts. +Function tsi108_stat_carry is called from interrupt handler tsi108_irq. +Interrupts are enabled in interrupt handler. +Use spin_lock_irqsave/spin_unlock_irqrestore instead of spin_(un)lock_irq +in IRQ context to avoid this. + +Signed-off-by: Fuqian Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/tundra/tsi108_eth.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c +index c2d15d9c0c33b..455979e47424c 100644 +--- a/drivers/net/ethernet/tundra/tsi108_eth.c ++++ b/drivers/net/ethernet/tundra/tsi108_eth.c +@@ -381,9 +381,10 @@ tsi108_stat_carry_one(int carry, int carry_bit, int carry_shift, + static void tsi108_stat_carry(struct net_device *dev) + { + struct tsi108_prv_data *data = netdev_priv(dev); ++ unsigned long flags; + u32 carry1, carry2; + +- spin_lock_irq(&data->misclock); ++ spin_lock_irqsave(&data->misclock, flags); + + carry1 = TSI_READ(TSI108_STAT_CARRY1); + carry2 = TSI_READ(TSI108_STAT_CARRY2); +@@ -451,7 +452,7 @@ static void tsi108_stat_carry(struct net_device *dev) + TSI108_STAT_TXPAUSEDROP_CARRY, + &data->tx_pause_drop); + +- spin_unlock_irq(&data->misclock); ++ spin_unlock_irqrestore(&data->misclock, flags); + } + + /* Read a stat counter atomically with respect to carries. +-- +2.20.1 + diff --git a/queue-4.14/ravb-fix-use-after-free-ravb_tstamp_skb.patch b/queue-4.14/ravb-fix-use-after-free-ravb_tstamp_skb.patch new file mode 100644 index 00000000000..e1d5de6d8f2 --- /dev/null +++ b/queue-4.14/ravb-fix-use-after-free-ravb_tstamp_skb.patch @@ -0,0 +1,69 @@ +From ca09fdcd4a9b0f7ff2a802eea7916216f18bcf6a Mon Sep 17 00:00:00 2001 +From: Tho Vu +Date: Fri, 16 Aug 2019 17:17:02 +0200 +Subject: ravb: Fix use-after-free ravb_tstamp_skb + +[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ] + +When a Tx timestamp is requested, a pointer to the skb is stored in the +ravb_tstamp_skb struct. This was done without an skb_get. There exists +the possibility that the skb could be freed by ravb_tx_free (when +ravb_tx_free is called from ravb_start_xmit) before the timestamp was +processed, leading to a use-after-free bug. + +Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate +frees/consumes when a ravb_tstamp_skb struct is freed. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Tho Vu +Signed-off-by: Kazuya Mizuguchi +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index ce79af4a7f6fb..d73617cc3b159 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1,6 +1,6 @@ + /* Renesas Ethernet AVB device driver + * +- * Copyright (C) 2014-2015 Renesas Electronics Corporation ++ * Copyright (C) 2014-2019 Renesas Electronics Corporation + * Copyright (C) 2015 Renesas Solutions Corp. + * Copyright (C) 2015-2016 Cogent Embedded, Inc. + * +@@ -513,7 +513,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev) + kfree(ts_skb); + if (tag == tfa_tag) { + skb_tstamp_tx(skb, &shhwtstamps); ++ dev_consume_skb_any(skb); + break; ++ } else { ++ dev_kfree_skb_any(skb); + } + } + ravb_modify(ndev, TCCR, TCCR_TFR, TCCR_TFR); +@@ -1576,7 +1579,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) + DMA_TO_DEVICE); + goto unmap; + } +- ts_skb->skb = skb; ++ ts_skb->skb = skb_get(skb); + ts_skb->tag = priv->ts_skb_tag++; + priv->ts_skb_tag &= 0x3ff; + list_add_tail(&ts_skb->list, &priv->ts_skb_list); +@@ -1704,6 +1707,7 @@ static int ravb_close(struct net_device *ndev) + /* Clear the timestamp list */ + list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) { + list_del(&ts_skb->list); ++ kfree_skb(ts_skb->skb); + kfree(ts_skb); + } + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..97392233cc0 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,28 @@ +net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch +hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch +net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch +bluetooth-btqca-add-a-short-delay-before-downloading.patch +bluetooth-hidp-let-hidp_send_message-return-number-o.patch +ibmveth-convert-multicast-list-size-for-little-endia.patch +gpio-fix-build-error-of-function-redefinition.patch +drm-mediatek-use-correct-device-to-import-prime-buff.patch +drm-mediatek-set-dma-max-segment-size.patch +cxgb4-fix-a-memory-leak-bug.patch +liquidio-add-cleanup-in-octeon_setup_iq.patch +net-myri10ge-fix-memory-leaks.patch +lan78xx-fix-memory-leaks.patch +vfs-fix-page-locking-deadlocks-when-deduping-files.patch +cx82310_eth-fix-a-memory-leak-bug.patch +net-kalmia-fix-memory-leaks.patch +wimax-i2400m-fix-a-memory-leak-bug.patch +ravb-fix-use-after-free-ravb_tstamp_skb.patch +kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch +hid-cp2112-prevent-sleeping-function-called-from-inv.patch +input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch +tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch +ib-mlx4-fix-memory-leaks.patch +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-14468 +ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch +kvm-arm-arm64-only-skip-mmio-insn-once.patch +libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch diff --git a/queue-4.14/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch b/queue-4.14/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch new file mode 100644 index 00000000000..fb4fd934e96 --- /dev/null +++ b/queue-4.14/tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch @@ -0,0 +1,43 @@ +From f5992961535679a288a54578e6f1bd38fd06bcd6 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 19 Aug 2019 16:44:09 +0200 +Subject: Tools: hv: kvp: eliminate 'may be used uninitialized' warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 89eb4d8d25722a0a0194cf7fa47ba602e32a6da7 ] + +When building hv_kvp_daemon GCC-8.3 complains: + +hv_kvp_daemon.c: In function ‘kvp_get_ip_info.constprop’: +hv_kvp_daemon.c:812:30: warning: ‘ip_buffer’ may be used uninitialized in this function [-Wmaybe-uninitialized] + struct hv_kvp_ipaddr_value *ip_buffer; + +this seems to be a false positive: we only use ip_buffer when +op == KVP_OP_GET_IP_INFO and it is only unset when op == KVP_OP_ENUMERATE. + +Silence the warning by initializing ip_buffer to NULL. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sasha Levin +--- + tools/hv/hv_kvp_daemon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c +index 0ef215061fb50..1b917eaffad8d 100644 +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -867,7 +867,7 @@ kvp_get_ip_info(int family, char *if_name, int op, + int sn_offset = 0; + int error = 0; + char *buffer; +- struct hv_kvp_ipaddr_value *ip_buffer; ++ struct hv_kvp_ipaddr_value *ip_buffer = NULL; + char cidr_mask[5]; /* /xyz */ + int weight; + int i; +-- +2.20.1 + diff --git a/queue-4.14/vfs-fix-page-locking-deadlocks-when-deduping-files.patch b/queue-4.14/vfs-fix-page-locking-deadlocks-when-deduping-files.patch new file mode 100644 index 00000000000..6e41cfce4b4 --- /dev/null +++ b/queue-4.14/vfs-fix-page-locking-deadlocks-when-deduping-files.patch @@ -0,0 +1,114 @@ +From 433d89a19f6a726fe742cde3596181e8d5c6dba1 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Sun, 11 Aug 2019 15:52:25 -0700 +Subject: vfs: fix page locking deadlocks when deduping files + +[ Upstream commit edc58dd0123b552453a74369bd0c8d890b497b4b ] + +When dedupe wants to use the page cache to compare parts of two files +for dedupe, we must be very careful to handle locking correctly. The +current code doesn't do this. It must lock and unlock the page only +once if the two pages are the same, since the overlapping range check +doesn't catch this when blocksize < pagesize. If the pages are distinct +but from the same file, we must observe page locking order and lock them +in order of increasing offset to avoid clashing with writeback locking. + +Fixes: 876bec6f9bbfcb3 ("vfs: refactor clone/dedupe_file_range common functions") +Signed-off-by: Darrick J. Wong +Reviewed-by: Bill O'Donnell +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + fs/read_write.c | 49 +++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 41 insertions(+), 8 deletions(-) + +diff --git a/fs/read_write.c b/fs/read_write.c +index d6f8bfb0f7942..38a8bcccf0dd0 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1882,10 +1882,7 @@ int vfs_clone_file_range(struct file *file_in, loff_t pos_in, + } + EXPORT_SYMBOL(vfs_clone_file_range); + +-/* +- * Read a page's worth of file data into the page cache. Return the page +- * locked. +- */ ++/* Read a page's worth of file data into the page cache. */ + static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset) + { + struct address_space *mapping; +@@ -1901,10 +1898,32 @@ static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset) + put_page(page); + return ERR_PTR(-EIO); + } +- lock_page(page); + return page; + } + ++/* ++ * Lock two pages, ensuring that we lock in offset order if the pages are from ++ * the same file. ++ */ ++static void vfs_lock_two_pages(struct page *page1, struct page *page2) ++{ ++ /* Always lock in order of increasing index. */ ++ if (page1->index > page2->index) ++ swap(page1, page2); ++ ++ lock_page(page1); ++ if (page1 != page2) ++ lock_page(page2); ++} ++ ++/* Unlock two pages, being careful not to unlock the same page twice. */ ++static void vfs_unlock_two_pages(struct page *page1, struct page *page2) ++{ ++ unlock_page(page1); ++ if (page1 != page2) ++ unlock_page(page2); ++} ++ + /* + * Compare extents of two files to see if they are the same. + * Caller must have locked both inodes to prevent write races. +@@ -1942,10 +1961,24 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff, + dest_page = vfs_dedupe_get_page(dest, destoff); + if (IS_ERR(dest_page)) { + error = PTR_ERR(dest_page); +- unlock_page(src_page); + put_page(src_page); + goto out_error; + } ++ ++ vfs_lock_two_pages(src_page, dest_page); ++ ++ /* ++ * Now that we've locked both pages, make sure they're still ++ * mapped to the file data we're interested in. If not, ++ * someone is invalidating pages on us and we lose. ++ */ ++ if (!PageUptodate(src_page) || !PageUptodate(dest_page) || ++ src_page->mapping != src->i_mapping || ++ dest_page->mapping != dest->i_mapping) { ++ same = false; ++ goto unlock; ++ } ++ + src_addr = kmap_atomic(src_page); + dest_addr = kmap_atomic(dest_page); + +@@ -1957,8 +1990,8 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff, + + kunmap_atomic(dest_addr); + kunmap_atomic(src_addr); +- unlock_page(dest_page); +- unlock_page(src_page); ++unlock: ++ vfs_unlock_two_pages(src_page, dest_page); + put_page(dest_page); + put_page(src_page); + +-- +2.20.1 + diff --git a/queue-4.14/wimax-i2400m-fix-a-memory-leak-bug.patch b/queue-4.14/wimax-i2400m-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..8e24ab99d84 --- /dev/null +++ b/queue-4.14/wimax-i2400m-fix-a-memory-leak-bug.patch @@ -0,0 +1,44 @@ +From fa620c986214ad9878ae31a61941f73267106c43 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 15 Aug 2019 15:29:51 -0500 +Subject: wimax/i2400m: fix a memory leak bug + +[ Upstream commit 44ef3a03252844a8753479b0cea7f29e4a804bdc ] + +In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup() +to hold the original command line options. Then, the options are parsed. +However, if an error occurs during the parsing process, 'options_orig' is +not deallocated, leading to a memory leak bug. To fix this issue, free +'options_orig' before returning the error. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wimax/i2400m/fw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c +index a89b5685e68b3..4577ee5bbddd6 100644 +--- a/drivers/net/wimax/i2400m/fw.c ++++ b/drivers/net/wimax/i2400m/fw.c +@@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options) + } + result = i2400m_barker_db_add(barker); + if (result < 0) +- goto error_add; ++ goto error_parse_add; + } + kfree(options_orig); + } + return 0; + ++error_parse_add: + error_parse: ++ kfree(options_orig); + error_add: + kfree(i2400m_barker_db); + return result; +-- +2.20.1 +