From: Sasha Levin Date: Mon, 25 Oct 2021 02:06:14 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.4.290~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f2d915ecb3047d00d3a704c941bb33246b79fa2b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/net-hns3-fix-for-miscalculation-of-rx-unused-desc.patch b/queue-5.10/net-hns3-fix-for-miscalculation-of-rx-unused-desc.patch new file mode 100644 index 00000000000..d186cd80119 --- /dev/null +++ b/queue-5.10/net-hns3-fix-for-miscalculation-of-rx-unused-desc.patch @@ -0,0 +1,99 @@ +From 7b1df8f283cf1e326f645b662fa1c8f9e3620cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 22:16:32 +0800 +Subject: net: hns3: fix for miscalculation of rx unused desc + +From: Yunsheng Lin + +[ Upstream commit 9f9f0f19994b42b3e5e8735d41b9c5136828a76c ] + +rx unused desc is the desc that need attatching new buffer +before refilling to hw to receive new packet, the number of +desc need attatching new buffer is calculated using next_to_use +and next_to_clean. when next_to_use == next_to_clean, currently +hns3 driver assumes that all the desc has the buffer attatched, +but 'next_to_use == next_to_clean' also means all the desc need +attatching new buffer if hw has comsumed all the desc and the +driver has not attatched any buffer to the desc yet. + +This patch adds 'refill' in desc_cb to indicate whether a new +buffer has been refilled to a desc. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Yunsheng Lin +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 8 ++++++++ + drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 568ac6b321fa..ae7cd73c823b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2421,6 +2421,7 @@ static void hns3_buffer_detach(struct hns3_enet_ring *ring, int i) + { + hns3_unmap_buffer(ring, &ring->desc_cb[i]); + ring->desc[i].addr = 0; ++ ring->desc_cb[i].refill = 0; + } + + static void hns3_free_buffer_detach(struct hns3_enet_ring *ring, int i, +@@ -2498,6 +2499,7 @@ static int hns3_alloc_and_attach_buffer(struct hns3_enet_ring *ring, int i) + return ret; + + ring->desc[i].addr = cpu_to_le64(ring->desc_cb[i].dma); ++ ring->desc_cb[i].refill = 1; + + return 0; + } +@@ -2528,12 +2530,14 @@ static void hns3_replace_buffer(struct hns3_enet_ring *ring, int i, + hns3_unmap_buffer(ring, &ring->desc_cb[i]); + ring->desc_cb[i] = *res_cb; + ring->desc[i].addr = cpu_to_le64(ring->desc_cb[i].dma); ++ ring->desc_cb[i].refill = 1; + ring->desc[i].rx.bd_base_info = 0; + } + + static void hns3_reuse_buffer(struct hns3_enet_ring *ring, int i) + { + ring->desc_cb[i].reuse_flag = 0; ++ ring->desc_cb[i].refill = 1; + ring->desc[i].addr = cpu_to_le64(ring->desc_cb[i].dma + + ring->desc_cb[i].page_offset); + ring->desc[i].rx.bd_base_info = 0; +@@ -2631,6 +2635,9 @@ static int hns3_desc_unused(struct hns3_enet_ring *ring) + int ntc = ring->next_to_clean; + int ntu = ring->next_to_use; + ++ if (unlikely(ntc == ntu && !ring->desc_cb[ntc].refill)) ++ return ring->desc_num; ++ + return ((ntc >= ntu) ? 0 : ring->desc_num) + ntc - ntu; + } + +@@ -2907,6 +2914,7 @@ static void hns3_rx_ring_move_fw(struct hns3_enet_ring *ring) + { + ring->desc[ring->next_to_clean].rx.bd_base_info &= + cpu_to_le32(~BIT(HNS3_RXD_VLD_B)); ++ ring->desc_cb[ring->next_to_clean].refill = 0; + ring->next_to_clean += 1; + + if (unlikely(ring->next_to_clean == ring->desc_num)) +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h +index a8ad7ccae20e..54d02ea4aaa7 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h +@@ -283,6 +283,7 @@ struct hns3_desc_cb { + u32 length; /* length of the buffer */ + + u16 reuse_flag; ++ u16 refill; + + /* desc type, used by the ring user to mark the type of the priv data */ + u16 type; +-- +2.33.0 + diff --git a/queue-5.10/sched-scs-reset-the-shadow-stack-when-idle_task_exit.patch b/queue-5.10/sched-scs-reset-the-shadow-stack-when-idle_task_exit.patch new file mode 100644 index 00000000000..7ef8f15adb8 --- /dev/null +++ b/queue-5.10/sched-scs-reset-the-shadow-stack-when-idle_task_exit.patch @@ -0,0 +1,44 @@ +From c33d8dd3da1aab1f8a764bf889374e865a1671f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 16:35:21 +0800 +Subject: sched/scs: Reset the shadow stack when idle_task_exit + +From: Woody Lin + +[ Upstream commit 63acd42c0d4942f74710b11c38602fb14dea7320 ] + +Commit f1a0a376ca0c ("sched/core: Initialize the idle task with +preemption disabled") removed the init_idle() call from +idle_thread_get(). This was the sole call-path on hotplug that resets +the Shadow Call Stack (scs) Stack Pointer (sp). + +Not resetting the scs-sp leads to scs overflow after enough hotplug +cycles. Therefore add an explicit scs_task_reset() to the hotplug code +to make sure the scs-sp does get reset on hotplug. + +Fixes: f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled") +Signed-off-by: Woody Lin +[peterz: Changelog] +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/20211012083521.973587-1-woodylin@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 6db20a66e8e6..e4551d1736fa 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -6677,6 +6677,7 @@ void idle_task_exit(void) + finish_arch_post_lock_switch(); + } + ++ scs_task_reset(current); + /* finish_cpu(), as ran on the BP, will clean up the active_mm state */ + } + +-- +2.33.0 + diff --git a/queue-5.10/scsi-iscsi-fix-set_param-handling.patch b/queue-5.10/scsi-iscsi-fix-set_param-handling.patch new file mode 100644 index 00000000000..e002a873d05 --- /dev/null +++ b/queue-5.10/scsi-iscsi-fix-set_param-handling.patch @@ -0,0 +1,45 @@ +From 5b0ec2be53c7f41596c801c50a6befba76c4dbf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Oct 2021 11:19:04 -0500 +Subject: scsi: iscsi: Fix set_param() handling + +From: Mike Christie + +[ Upstream commit 187a580c9e7895978dcd1e627b9c9e7e3d13ca96 ] + +In commit 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and +sync thread") we meant to add a check where before we call ->set_param() we +make sure the iscsi_cls_connection is bound. The problem is that between +versions 4 and 5 of the patch the deletion of the unchecked set_param() +call was dropped so we ended up with 2 calls. As a result we can still hit +a crash where we access the unbound connection on the first call. + +This patch removes that first call. + +Fixes: 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and sync thread") +Link: https://lore.kernel.org/r/20211010161904.60471-1-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Reviewed-by: Li Feng +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 41772b88610a..3f7fa8de3642 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2907,8 +2907,6 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + session->recovery_tmo = value; + break; + default: +- err = transport->set_param(conn, ev->u.set_param.param, +- data, ev->u.set_param.len); + if ((conn->state == ISCSI_CONN_BOUND) || + (conn->state == ISCSI_CONN_UP)) { + err = transport->set_param(conn, ev->u.set_param.param, +-- +2.33.0 + diff --git a/queue-5.10/scsi-qla2xxx-fix-a-memory-leak-in-an-error-path-of-q.patch b/queue-5.10/scsi-qla2xxx-fix-a-memory-leak-in-an-error-path-of-q.patch new file mode 100644 index 00000000000..9781b76a616 --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-fix-a-memory-leak-in-an-error-path-of-q.patch @@ -0,0 +1,54 @@ +From f57b3569ddf40d52e604ef8ad1359a969e18649b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 12:18:33 -0700 +Subject: scsi: qla2xxx: Fix a memory leak in an error path of + qla2x00_process_els() + +From: Joy Gu + +[ Upstream commit 7fb223d0ad801f633c78cbe42b1d1b55f5d163ad ] + +Commit 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of +qla2x00_process_els()"), intended to change: + + bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN + +to: + + bsg_job->request->msgcode != FC_BSG_RPT_ELS + +but changed it to: + + bsg_job->request->msgcode == FC_BSG_RPT_ELS + +instead. + +Change the == to a != to avoid leaking the fcport structure or freeing +unallocated memory. + +Link: https://lore.kernel.org/r/20211012191834.90306-2-jgu@purestorage.com +Fixes: 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()") +Reviewed-by: Bart Van Assche +Signed-off-by: Joy Gu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_bsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index 7fa085969a63..1fd292a6ac88 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -414,7 +414,7 @@ done_unmap_sg: + goto done_free_fcport; + + done_free_fcport: +- if (bsg_request->msgcode == FC_BSG_RPT_ELS) ++ if (bsg_request->msgcode != FC_BSG_RPT_ELS) + qla2x00_free_fcport(fcport); + done: + return rval; +-- +2.33.0 + diff --git a/queue-5.10/series b/queue-5.10/series index ffc41820c38..89a55ad1475 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -78,3 +78,7 @@ alsa-hda-avoid-write-to-statests-if-controller-is-in.patch libperf-tests-fix-test_stat_cpu.patch perf-x86-msr-add-sapphire-rapids-cpu-support.patch input-snvs_pwrkey-add-clk-handling.patch +scsi-iscsi-fix-set_param-handling.patch +scsi-qla2xxx-fix-a-memory-leak-in-an-error-path-of-q.patch +sched-scs-reset-the-shadow-stack-when-idle_task_exit.patch +net-hns3-fix-for-miscalculation-of-rx-unused-desc.patch