From: Greg Kroah-Hartman Date: Fri, 7 Feb 2020 09:45:14 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.103~102 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e50b927b8b146849bbb2312c32f7930645852c4e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch hv_balloon-balloon-up-according-to-request-page-number.patch power-supply-ltc2941-battery-gauge-fix-use-after-free.patch scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch --- diff --git a/queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch b/queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch new file mode 100644 index 00000000000..b2b28959cf2 --- /dev/null +++ b/queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch 
@@ -0,0 +1,39 @@ +From 7db3b61b6bba4310f454588c2ca6faf2958ad79f Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 6 Dec 2019 13:55:17 +0800 +Subject: crypto: api - Check spawn->alg under lock in crypto_drop_spawn + +From: Herbert Xu + +commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream. + +We need to check whether spawn->alg is NULL under lock as otherwise +the algorithm could be removed from under us after we have checked +it and found it to be non-NULL. This could cause us to remove the +spawn from a non-existent list. + +Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algapi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -652,11 +652,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn); + + void crypto_drop_spawn(struct crypto_spawn *spawn) + { +- if (!spawn->alg) +- return; +- + down_write(&crypto_alg_sem); +- list_del(&spawn->list); ++ if (spawn->alg) ++ list_del(&spawn->list); + up_write(&crypto_alg_sem); + } + EXPORT_SYMBOL_GPL(crypto_drop_spawn); diff --git a/queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch b/queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch new file mode 100644 index 00000000000..afc171fd3dd --- /dev/null +++ b/queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch 
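Review bot: In `crypto_drop_spawn` the new `if (spawn->alg)` test is race-free only if every path that clears `spawn->alg` or unlinks `spawn->list` also holds `crypto_alg_sem` for writing, and nothing in the function says so. Those writers are outside this hunk, so the invariant is inferred from the commit message rather than visible here. I would add a comment above the test, e.g. `/* spawn->alg is cleared under crypto_alg_sem; test it under the same lock before list_del() */`, so a later cleanup does not hoist the check back out of the critical section.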
@@ -0,0 +1,77 @@ +From d33c240d47dab4fd15123d9e73fc8810cbc6ed6a Mon Sep 17 00:00:00 2001 +From: Tianyu Lan +Date: Sat, 25 Jan 2020 16:50:47 -0500 +Subject: hv_balloon: Balloon up according to request page number + +From: Tianyu Lan + +commit d33c240d47dab4fd15123d9e73fc8810cbc6ed6a upstream. + +Current code has assumption that balloon request memory size aligns +with 2MB. But actually Hyper-V doesn't guarantee such alignment. When +balloon driver receives non-aligned balloon request, it produces warning +and balloon up more memory than requested in order to keep 2MB alignment. +Remove the warning and balloon up memory according to actual requested +memory size. + +Fixes: f6712238471a ("hv: hv_balloon: avoid memory leak on alloc_error of 2MB memory block") +Cc: stable@vger.kernel.org +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Tianyu Lan +Reviewed-by: Michael Kelley +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_balloon.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -1170,10 +1170,7 @@ static unsigned int alloc_balloon_pages( + unsigned int i = 0; + struct page *pg; + +- if (num_pages < alloc_unit) +- return 0; +- +- for (i = 0; (i * alloc_unit) < num_pages; i++) { ++ for (i = 0; i < num_pages / alloc_unit; i++) { + if (bl_resp->hdr.size + sizeof(union dm_mem_page_range) > + PAGE_SIZE) + return i * alloc_unit; +@@ -1207,7 +1204,7 @@ static unsigned int alloc_balloon_pages( + + } + +- return num_pages; ++ return i * alloc_unit; + } + + static void balloon_up(struct work_struct *dummy) +@@ -1222,9 +1219,6 @@ static void balloon_up(struct work_struc + long avail_pages; + unsigned long floor; + +- /* The host balloons pages in 2M granularity. */ +- WARN_ON_ONCE(num_pages % PAGES_IN_2M != 0); +- + /* + * We will attempt 2M allocations. However, if we fail to + * allocate 2M chunks, we will go back to 4k allocations. 
+@@ -1234,14 +1228,13 @@ static void balloon_up(struct work_struc + avail_pages = si_mem_available(); + floor = compute_balloon_floor(); + +- /* Refuse to balloon below the floor, keep the 2M granularity. */ ++ /* Refuse to balloon below the floor. */ + if (avail_pages < num_pages || avail_pages - num_pages < floor) { + pr_warn("Balloon request will be partially fulfilled. %s\n", + avail_pages < num_pages ? "Not enough memory." : + "Balloon floor reached."); + + num_pages = avail_pages > floor ? (avail_pages - floor) : 0; +- num_pages -= num_pages % PAGES_IN_2M; + } + + while (!done) { diff --git a/queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch b/queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch new file mode 100644 index 00000000000..f086ef779d0 --- /dev/null +++ b/queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch 
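Review bot: `alloc_balloon_pages` now rounds the request down without saying so. With the loop bound `i < num_pages / alloc_unit` and the final `return i * alloc_unit`, up to `alloc_unit - 1` pages are never attempted at this unit size, and a request smaller than `alloc_unit` returns 0 exactly as an allocation failure does. The caller's handling of a short return lives in the `while (!done)` loop, which begins at the end of the last hunk and continues outside it, so it cannot be checked here. Because the page count is supplied by the host and is no longer trimmed to 2M, I would document the contract above the loop, e.g. `/* Only whole alloc_unit chunks are allocated; the caller must retry the remainder with a smaller unit. */`, with the wording confirmed against `balloon_up`.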
@@ -0,0 +1,41 @@ +From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Thu, 19 Sep 2019 11:11:37 -0400 +Subject: power: supply: ltc2941-battery-gauge: fix use-after-free + +From: Sven Van Asbroeck + +commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream. + +This driver's remove path calls cancel_delayed_work(). +However, that function does not wait until the work function +finishes. This could mean that the work function is still +running after the driver's remove function has finished, +which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +that the work is properly cancelled, no longer running, and +unable to re-schedule itself. + +This issue was detected with the help of Coccinelle. + +Cc: stable +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/ltc2941-battery-gauge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/ltc2941-battery-gauge.c ++++ b/drivers/power/supply/ltc2941-battery-gauge.c +@@ -406,7 +406,7 @@ static int ltc294x_i2c_remove(struct i2c + { + struct ltc294x_info *info = i2c_get_clientdata(client); + +- cancel_delayed_work(&info->work); ++ cancel_delayed_work_sync(&info->work); + power_supply_unregister(info->supply); + return 0; + } diff --git a/queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch b/queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch new file mode 100644 index 00000000000..cd22f513ca5 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch 
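Review bot: The teardown order in `ltc294x_i2c_remove` deserves a one-line comment, because the work is cancelled synchronously while `info->supply` is still registered. The fix is complete only if nothing reachable through the still-registered supply, or a concurrent resume, can queue `info->work` again before `power_supply_unregister()` returns. The places that schedule the work are outside this hunk, so that needs confirming. Suggested comment: `/* Stop the polling work first; nothing may re-queue it once this returns. */`.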
@@ -0,0 +1,37 @@ +From 641e0efddcbde52461e017136acd3ce7f2ef0c14 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Tue, 17 Dec 2019 14:06:16 -0800 +Subject: scsi: qla2xxx: Fix mtcp dump collection failure + +From: Quinn Tran + +commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream. + +MTCP dump failed due to MB Reg 10 was picking garbage data from stack +memory. + +Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_mbx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -5853,9 +5853,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t * + mcp->mb[7] = LSW(MSD(req_dma)); + mcp->mb[8] = MSW(addr); + /* Setting RAM ID to valid */ +- mcp->mb[10] |= BIT_7; + /* For MCTP RAM ID is 0x40 */ +- mcp->mb[10] |= 0x40; ++ mcp->mb[10] = BIT_7 | 0x40; + + mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1| + MBX_0; diff --git a/queue-4.14/series b/queue-4.14/series index da58823a6d0..1417c3ebd33 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -42,3 +42,7 @@ ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch pci-keystone-fix-link-training-retries-initiation.patch mmc-sdhci-of-at91-fix-memleak-on-clk_get-failure.patch ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch +hv_balloon-balloon-up-according-to-request-page-number.patch +crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch +scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch +power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
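Review bot: The plain assignment `mcp->mb[10] = BIT_7 | 0x40;` repairs this one register, but the hazard named in the commit message, mailbox words picked up from uninitialised stack memory, remains for any other `mb[]` entry that is read-modify-written before being set. The declaration of the command structure is outside this hunk. If it is a stack local without an initialiser, clearing it before the first assignment, e.g. `memset(mcp->mb, 0, sizeof(mcp->mb));`, would keep stack contents from ever being handed to the adapter. Separately, the comments `/* Setting RAM ID to valid */` and `/* For MCTP RAM ID is 0x40 */` now sit stacked over a single statement and could be merged into `/* RAM ID valid (BIT_7); MCTP RAM ID is 0x40 */`.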