From: Sasha Levin Date: Thu, 19 Aug 2021 13:00:08 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.13.13~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fde19a404c77e121fde793177a9e36f8ab6462e9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch b/queue-4.19/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch new file mode 100644 index 00000000000..b7eb3911be8 --- /dev/null +++ b/queue-4.19/arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch @@ -0,0 +1,50 @@ +From 2773f79b2652dda301d7e0d0a5b68d94f12dff76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 09:07:30 -0700 +Subject: ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 + +From: Dave Gerlach + +[ Upstream commit 20a6b3fd8e2e2c063b25fbf2ee74d86b898e5087 ] + +Based on the latest timing specifications for the TPS65218 from the data +sheet, http://www.ti.com/lit/ds/symlink/tps65218.pdf, document SLDS206 +from November 2014, we must change the i2c bus speed to better fit within +the minimum high SCL time required for proper i2c transfer. + +When running at 400khz, measurements show that SCL spends +0.8125 uS/1.666 uS high/low which violates the requirement for minimum +high period of SCL provided in datasheet Table 7.6 which is 1 uS. +Switching to 100khz gives us 5 uS/5 uS high/low which both fall above +the minimum given values for 100 khz, 4.0 uS/4.7 uS high/low. + +Without this patch occasionally a voltage set operation from the kernel +will appear to have worked but the actual voltage reflected on the PMIC +will not have updated, causing problems especially with cpufreq that may +update to a higher OPP without actually raising the voltage on DCDC2, +leading to a hang. + +Signed-off-by: Dave Gerlach +Signed-off-by: Kevin Hilman +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am43x-epos-evm.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts +index 02bbdfb3f258..0cc3ac6566c6 100644 +--- a/arch/arm/boot/dts/am43x-epos-evm.dts ++++ b/arch/arm/boot/dts/am43x-epos-evm.dts +@@ -590,7 +590,7 @@ + status = "okay"; + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins>; +- clock-frequency = <400000>; ++ clock-frequency = <100000>; + + tps65218: tps65218@24 { + reg = <0x24>; +-- +2.30.2 + diff --git a/queue-4.19/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch b/queue-4.19/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch new file mode 100644 index 00000000000..7fe87fb0fa7 --- /dev/null +++ b/queue-4.19/arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch @@ -0,0 +1,54 @@ +From 773ce0139e17d8a16cffadf3005fb740e00bf796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 02:01:03 +0200 +Subject: ARM: dts: nomadik: Fix up interrupt controller node names + +From: Sudeep Holla + +[ Upstream commit 47091f473b364c98207c4def197a0ae386fc9af1 ] + +Once the new schema interrupt-controller/arm,vic.yaml is added, we get +the below warnings: + + arch/arm/boot/dts/ste-nomadik-nhk15.dt.yaml: + intc@10140000: $nodename:0: 'intc@10140000' does not match + '^interrupt-controller(@[0-9a-f,]+)*$' + +Fix the node names for the interrupt controller to conform +to the standard node name interrupt-controller@.. + +Signed-off-by: Sudeep Holla +Signed-off-by: Linus Walleij +Cc: Linus Walleij +Link: https://lore.kernel.org/r/20210617210825.3064367-2-sudeep.holla@arm.com +Link: https://lore.kernel.org/r/20210626000103.830184-1-linus.walleij@linaro.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ste-nomadik-stn8815.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi b/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi +index fca76a696d9d..9ba4d1630ca3 100644 +--- a/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi ++++ b/arch/arm/boot/dts/ste-nomadik-stn8815.dtsi +@@ -755,14 +755,14 @@ + status = "disabled"; + }; + +- vica: intc@10140000 { ++ vica: interrupt-controller@10140000 { + compatible = "arm,versatile-vic"; + interrupt-controller; + #interrupt-cells = <1>; + reg = <0x10140000 0x20>; + }; + +- vicb: intc@10140020 { ++ vicb: interrupt-controller@10140020 { + compatible = "arm,versatile-vic"; + interrupt-controller; + #interrupt-cells = <1>; +-- +2.30.2 + diff --git a/queue-4.19/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch b/queue-4.19/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch new file mode 100644 index 00000000000..2d5786d968c --- /dev/null +++ b/queue-4.19/arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch @@ -0,0 +1,55 @@ +From 54964ecc4104980c371d55381a2337b9075e0725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 17:16:04 +0200 +Subject: ARM: ixp4xx: goramo_mlr depends on old PCI driver + +From: Arnd Bergmann + +[ Upstream commit 796a8c85b1216618258e08b463d3bef0d7123760 ] + +When this driver is disabled, the board file fails to build, +so add a dependency: + +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_pci_preinit': +arch/arm/mach-ixp4xx/goramo_mlr.c:472:9: error: implicit declaration of function 'ixp4xx_pci_preinit'; did you mean 'iop3xx_pci_preinit'? [-Werror=implicit-function-declaration] + 472 | ixp4xx_pci_preinit(); + | ^~~~~~~~~~~~~~~~~~ + | iop3xx_pci_preinit +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_pci_postinit': +arch/arm/mach-ixp4xx/goramo_mlr.c:481:22: error: implicit declaration of function 'ixp4xx_pci_read' [-Werror=implicit-function-declaration] + 481 | if (!ixp4xx_pci_read(addr, NP_CMD_CONFIGREAD, &value)) { + | ^~~~~~~~~~~~~~~ +arch/arm/mach-ixp4xx/goramo_mlr.c:231:35: error: 'IXP4XX_UART1_BASE_PHYS' undeclared here (not in a function) + 231 | .start = IXP4XX_UART1_BASE_PHYS, + | ^~~~~~~~~~~~~~~~~~~~~~ +arch/arm/mach-ixp4xx/goramo_mlr.c: In function 'gmlr_init': +arch/arm/mach-ixp4xx/goramo_mlr.c:376:9: error: implicit declaration of function 'ixp4xx_sys_init' [-Werror=implicit-function-declaration] + 376 | ixp4xx_sys_init(); + | ^~~~~~~~~~~~~~~ + +Signed-off-by: Arnd Bergmann +Reviewed-by: Linus Walleij +Cc: Linus Walleij +Cc: soc@kernel.org +Link: https://lore.kernel.org/r/20210721151620.2373500-1-arnd@kernel.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ixp4xx/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-ixp4xx/Kconfig b/arch/arm/mach-ixp4xx/Kconfig +index c342dc4e8a45..2489b6151ace 100644 +--- a/arch/arm/mach-ixp4xx/Kconfig ++++ b/arch/arm/mach-ixp4xx/Kconfig +@@ -76,6 +76,7 @@ config MACH_IXDP465 + + config MACH_GORAMO_MLR + bool "GORAMO Multi Link Router" ++ depends on IXP4XX_PCI_LEGACY + help + Say 'Y' here if you want your kernel to support GORAMO + MultiLink router. +-- +2.30.2 + diff --git a/queue-4.19/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch b/queue-4.19/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch new file mode 100644 index 00000000000..e94f2b1cc3e --- /dev/null +++ b/queue-4.19/dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch @@ -0,0 +1,63 @@ +From 890ccfe53f456dabd9b87fd6bc7912e720febc2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 22:00:21 +0300 +Subject: dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller + is not yet available + +From: Peter Ujfalusi + +[ Upstream commit eda97cb095f2958bbad55684a6ca3e7d7af0176a ] + +If the router_xlate can not find the controller in the available DMA +devices then it should return with -EPORBE_DEFER in a same way as the +of_dma_request_slave_channel() does. + +The issue can be reproduced if the event router is registered before the +DMA controller itself and a driver would request for a channel before the +controller is registered. +In of_dma_request_slave_channel(): +1. of_dma_find_controller() would find the dma_router +2. ofdma->of_dma_xlate() would fail and returned NULL +3. -ENODEV is returned as error code + +with this patch we would return in this case the correct -EPROBE_DEFER and +the client can try to request the channel later. + +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20210717190021.21897-1-peter.ujfalusi@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/of-dma.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index 8344a60c2131..a9d3ab94749b 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -68,8 +68,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + return NULL; + + ofdma_target = of_dma_find_controller(&dma_spec_target); +- if (!ofdma_target) +- return NULL; ++ if (!ofdma_target) { ++ ofdma->dma_router->route_free(ofdma->dma_router->dev, ++ route_data); ++ chan = ERR_PTR(-EPROBE_DEFER); ++ goto err; ++ } + + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target); + if (IS_ERR_OR_NULL(chan)) { +@@ -80,6 +84,7 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + chan->route_data = route_data; + } + ++err: + /* + * Need to put the node back since the ofdma->of_dma_route_allocate + * has taken it for generating the new, translated dma_spec +-- +2.30.2 + diff --git a/queue-4.19/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch b/queue-4.19/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch new file mode 100644 index 00000000000..5006e678685 --- /dev/null +++ b/queue-4.19/dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch @@ -0,0 +1,40 @@ +From f0c8adcd9c4d80bcdc0fdbb9848da06d454031b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 20:45:21 +0800 +Subject: dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() + +From: Yu Kuai + +[ Upstream commit 1da569fa7ec8cb0591c74aa3050d4ea1397778b4 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by moving the error_pm label above the pm_runtime_put() in +the error path. + +Reported-by: Hulk Robot +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20210706124521.1371901-1-yukuai3@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sh/usb-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c +index 6c94ed750049..d77bf325f038 100644 +--- a/drivers/dma/sh/usb-dmac.c ++++ b/drivers/dma/sh/usb-dmac.c +@@ -860,8 +860,8 @@ static int usb_dmac_probe(struct platform_device *pdev) + + error: + of_dma_controller_free(pdev->dev.of_node); +- pm_runtime_put(&pdev->dev); + error_pm: ++ pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.19/dmaengine-xilinx_dma-fix-read-after-free-bug-when-te.patch b/queue-4.19/dmaengine-xilinx_dma-fix-read-after-free-bug-when-te.patch new file mode 100644 index 00000000000..517d0455207 --- /dev/null +++ b/queue-4.19/dmaengine-xilinx_dma-fix-read-after-free-bug-when-te.patch @@ -0,0 +1,83 @@ +From f388e90944553c73969a4b899be2a03e7e31a587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 00:43:38 +0100 +Subject: dmaengine: xilinx_dma: Fix read-after-free bug when terminating + transfers + +From: Adrian Larumbe + +[ Upstream commit 7dd2dd4ff9f3abda601f22b9d01441a0869d20d7 ] + +When user calls dmaengine_terminate_sync, the driver will clean up any +remaining descriptors for all the pending or active transfers that had +previously been submitted. However, this might happen whilst the tasklet is +invoking the DMA callback for the last finished transfer, so by the time it +returns and takes over the channel's spinlock, the list of completed +descriptors it was traversing is no longer valid. This leads to a +read-after-free situation. + +Fix it by signalling whether a user-triggered termination has happened by +means of a boolean variable. + +Signed-off-by: Adrian Larumbe +Link: https://lore.kernel.org/r/20210706234338.7696-3-adrian.martinezlarumbe@imgtec.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 0c5668e897fe..d891ec05bc48 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -332,6 +332,7 @@ struct xilinx_dma_tx_descriptor { + * @genlock: Support genlock mode + * @err: Channel has errors + * @idle: Check for channel idle ++ * @terminating: Check for channel being synchronized by user + * @tasklet: Cleanup work after irq + * @config: Device configuration info + * @flush_on_fsync: Flush on Frame sync +@@ -369,6 +370,7 @@ struct xilinx_dma_chan { + bool genlock; + bool err; + bool idle; ++ bool terminating; + struct tasklet_struct tasklet; + struct xilinx_vdma_config config; + bool flush_on_fsync; +@@ -843,6 +845,13 @@ static void xilinx_dma_chan_desc_cleanup(struct xilinx_dma_chan *chan) + /* Run any dependencies, then free the descriptor */ + dma_run_dependencies(&desc->async_tx); + xilinx_dma_free_tx_descriptor(chan, desc); ++ ++ /* ++ * While we ran a callback the user called a terminate function, ++ * which takes care of cleaning up any remaining descriptors ++ */ ++ if (chan->terminating) ++ break; + } + + spin_unlock_irqrestore(&chan->lock, flags); +@@ -1612,6 +1621,8 @@ static dma_cookie_t xilinx_dma_tx_submit(struct dma_async_tx_descriptor *tx) + if (desc->cyclic) + chan->cyclic = true; + ++ chan->terminating = false; ++ + spin_unlock_irqrestore(&chan->lock, flags); + + return cookie; +@@ -2068,6 +2079,7 @@ static int xilinx_dma_terminate_all(struct dma_chan *dchan) + } + + /* Remove and free all of the descriptors in the lists */ ++ chan->terminating = true; + xilinx_dma_free_descriptors(chan); + chan->idle = true; + +-- +2.30.2 + diff --git a/queue-4.19/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch b/queue-4.19/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch new file mode 100644 index 00000000000..000a47d9f6f --- /dev/null +++ b/queue-4.19/net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch @@ -0,0 +1,79 @@ +From 02af63c2a320d91cbb9a924d13574c87d0119cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 11:13:39 +0300 +Subject: net: usb: lan78xx: don't modify phy_device state concurrently + +From: Ivan T. Ivanov + +[ Upstream commit 6b67d4d63edece1033972214704c04f36c5be89a ] + +Currently phy_device state could be left in inconsistent state shown +by following alert message[1]. This is because phy_read_status could +be called concurrently from lan78xx_delayedwork, phy_state_machine and +__ethtool_get_link. Fix this by making sure that phy_device state is +updated atomically. + +[1] lan78xx 1-1.1.1:1.0 eth0: No phy led trigger registered for speed(-1) + +Signed-off-by: Ivan T. Ivanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 5bd07cdb3e6e..ac5f72077b26 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1172,7 +1172,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + { + struct phy_device *phydev = dev->net->phydev; + struct ethtool_link_ksettings ecmd; +- int ladv, radv, ret; ++ int ladv, radv, ret, link; + u32 buf; + + /* clear LAN78xx interrupt status */ +@@ -1180,9 +1180,12 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + if (unlikely(ret < 0)) + return -EIO; + ++ mutex_lock(&phydev->lock); + phy_read_status(phydev); ++ link = phydev->link; ++ mutex_unlock(&phydev->lock); + +- if (!phydev->link && dev->link_on) { ++ if (!link && dev->link_on) { + dev->link_on = false; + + /* reset MAC */ +@@ -1195,7 +1198,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + return -EIO; + + del_timer(&dev->stat_monitor); +- } else if (phydev->link && !dev->link_on) { ++ } else if (link && !dev->link_on) { + dev->link_on = true; + + phy_ethtool_ksettings_get(phydev, &ecmd); +@@ -1485,9 +1488,14 @@ static int lan78xx_set_eee(struct net_device *net, struct ethtool_eee *edata) + + static u32 lan78xx_get_link(struct net_device *net) + { ++ u32 link; ++ ++ mutex_lock(&net->phydev->lock); + phy_read_status(net->phydev); ++ link = net->phydev->link; ++ mutex_unlock(&net->phydev->lock); + +- return net->phydev->link; ++ return link; + } + + static void lan78xx_get_drvinfo(struct net_device *net, +-- +2.30.2 + diff --git a/queue-4.19/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch b/queue-4.19/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch new file mode 100644 index 00000000000..0f82c796b70 --- /dev/null +++ b/queue-4.19/scsi-core-avoid-printing-an-error-if-target_alloc-re.patch @@ -0,0 +1,45 @@ +From 144f2cb60971759d87b39909a30566d5b493f7cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 17:24:02 +0530 +Subject: scsi: core: Avoid printing an error if target_alloc() returns -ENXIO + +From: Sreekanth Reddy + +[ Upstream commit 70edd2e6f652f67d854981fd67f9ad0f1deaea92 ] + +Avoid printing a 'target allocation failed' error if the driver +target_alloc() callback function returns -ENXIO. This return value +indicates that the corresponding H:C:T:L entry is empty. + +Removing this error reduces the scan time if the user issues SCAN_WILD_CARD +scan operation through sysfs parameter on a host with a lot of empty +H:C:T:L entries. + +Avoiding the printk on -ENXIO matches the behavior of the other callback +functions during scanning. + +Link: https://lore.kernel.org/r/20210726115402.1936-1-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 009a5b2aa3d0..149465de35b2 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -462,7 +462,8 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, + error = shost->hostt->target_alloc(starget); + + if(error) { +- dev_printk(KERN_ERR, dev, "target allocation failed, error %d\n", error); ++ if (error != -ENXIO) ++ dev_err(dev, "target allocation failed, error %d\n", error); + /* don't want scsi_target_reap to do the final + * put because it will be under the host lock */ + scsi_target_destroy(starget); +-- +2.30.2 + diff --git a/queue-4.19/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch b/queue-4.19/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch new file mode 100644 index 00000000000..e0042cd9aeb --- /dev/null +++ b/queue-4.19/scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch @@ -0,0 +1,93 @@ +From 67f1f6d7763fc278e521672d583e3286feb92dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 13:16:42 +0530 +Subject: scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() + +From: Harshvardhan Jha + +[ Upstream commit 77541f78eadfe9fdb018a7b8b69f0f2af2cf4b82 ] + +The list_for_each_entry() iterator, "adapter" in this code, can never be +NULL. If we exit the loop without finding the correct adapter then +"adapter" points invalid memory that is an offset from the list head. This +will eventually lead to memory corruption and presumably a kernel crash. + +Link: https://lore.kernel.org/r/20210708074642.23599-1-harshvardhan.jha@oracle.com +Acked-by: Sumit Saxena +Signed-off-by: Harshvardhan Jha +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_mm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c +index 8428247015db..81df2c94b747 100644 +--- a/drivers/scsi/megaraid/megaraid_mm.c ++++ b/drivers/scsi/megaraid/megaraid_mm.c +@@ -250,7 +250,7 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) + mimd_t mimd; + uint32_t adapno; + int iterator; +- ++ bool is_found; + + if (copy_from_user(&mimd, umimd, sizeof(mimd_t))) { + *rval = -EFAULT; +@@ -266,12 +266,16 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) + + adapter = NULL; + iterator = 0; ++ is_found = false; + + list_for_each_entry(adapter, &adapters_list_g, list) { +- if (iterator++ == adapno) break; ++ if (iterator++ == adapno) { ++ is_found = true; ++ break; ++ } + } + +- if (!adapter) { ++ if (!is_found) { + *rval = -ENODEV; + return NULL; + } +@@ -737,6 +741,7 @@ ioctl_done(uioc_t *kioc) + uint32_t adapno; + int iterator; + mraid_mmadp_t* adapter; ++ bool is_found; + + /* + * When the kioc returns from driver, make sure it still doesn't +@@ -759,19 +764,23 @@ ioctl_done(uioc_t *kioc) + iterator = 0; + adapter = NULL; + adapno = kioc->adapno; ++ is_found = false; + + con_log(CL_ANN, ( KERN_WARNING "megaraid cmm: completed " + "ioctl that was timedout before\n")); + + list_for_each_entry(adapter, &adapters_list_g, list) { +- if (iterator++ == adapno) break; ++ if (iterator++ == adapno) { ++ is_found = true; ++ break; ++ } + } + + kioc->timedout = 0; + +- if (adapter) { ++ if (is_found) + mraid_mm_dealloc_kioc( adapter, kioc ); +- } ++ + } + else { + wake_up(&wait_q); +-- +2.30.2 + diff --git a/queue-4.19/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch b/queue-4.19/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch new file mode 100644 index 00000000000..dbf9272b525 --- /dev/null +++ b/queue-4.19/scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch @@ -0,0 +1,92 @@ +From 97306c42ea5742ffe8459ea52c60d86e8ad98b02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 14:31:03 +0800 +Subject: scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() + +From: Ye Bin + +[ Upstream commit bc546c0c9abb3bb2fb46866b3d1e6ade9695a5f6 ] + +The following BUG_ON() was observed during RDAC scan: + +[595952.944297] kernel BUG at drivers/scsi/device_handler/scsi_dh_rdac.c:427! +[595952.951143] Internal error: Oops - BUG: 0 [#1] SMP +...... +[595953.251065] Call trace: +[595953.259054] check_ownership+0xb0/0x118 +[595953.269794] rdac_bus_attach+0x1f0/0x4b0 +[595953.273787] scsi_dh_handler_attach+0x3c/0xe8 +[595953.278211] scsi_dh_add_device+0xc4/0xe8 +[595953.282291] scsi_sysfs_add_sdev+0x8c/0x2a8 +[595953.286544] scsi_probe_and_add_lun+0x9fc/0xd00 +[595953.291142] __scsi_scan_target+0x598/0x630 +[595953.295395] scsi_scan_target+0x120/0x130 +[595953.299481] fc_user_scan+0x1a0/0x1c0 [scsi_transport_fc] +[595953.304944] store_scan+0xb0/0x108 +[595953.308420] dev_attr_store+0x44/0x60 +[595953.312160] sysfs_kf_write+0x58/0x80 +[595953.315893] kernfs_fop_write+0xe8/0x1f0 +[595953.319888] __vfs_write+0x60/0x190 +[595953.323448] vfs_write+0xac/0x1c0 +[595953.326836] ksys_write+0x74/0xf0 +[595953.330221] __arm64_sys_write+0x24/0x30 + +Code is in check_ownership: + + list_for_each_entry_rcu(tmp, &h->ctlr->dh_list, node) { + /* h->sdev should always be valid */ + BUG_ON(!tmp->sdev); + tmp->sdev->access_state = access_state; + } + + rdac_bus_attach + initialize_controller + list_add_rcu(&h->node, &h->ctlr->dh_list); + h->sdev = sdev; + + rdac_bus_detach + list_del_rcu(&h->node); + h->sdev = NULL; + +Fix the race between rdac_bus_attach() and rdac_bus_detach() where h->sdev +is NULL when processing the RDAC attach. + +Link: https://lore.kernel.org/r/20210113063103.2698953-1-yebin10@huawei.com +Reviewed-by: Bart Van Assche +Signed-off-by: Ye Bin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_rdac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index 6c629ef1bc4e..b3c23edd4b6c 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -453,8 +453,8 @@ static int initialize_controller(struct scsi_device *sdev, + if (!h->ctlr) + err = SCSI_DH_RES_TEMP_UNAVAIL; + else { +- list_add_rcu(&h->node, &h->ctlr->dh_list); + h->sdev = sdev; ++ list_add_rcu(&h->node, &h->ctlr->dh_list); + } + spin_unlock(&list_lock); + err = SCSI_DH_OK; +@@ -779,11 +779,11 @@ static void rdac_bus_detach( struct scsi_device *sdev ) + spin_lock(&list_lock); + if (h->ctlr) { + list_del_rcu(&h->node); +- h->sdev = NULL; + kref_put(&h->ctlr->kref, release_controller); + } + spin_unlock(&list_lock); + sdev->handler_data = NULL; ++ synchronize_rcu(); + kfree(h); + } + +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 2ba49a6ea42..25c78324999 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -47,3 +47,13 @@ ath9k-clear-key-cache-explicitly-on-disabling-hardware.patch ath-export-ath_hw_keysetmac.patch ath-modify-ath_key_delete-to-not-need-full-key-entry.patch ath9k-postpone-key-cache-entry-deletion-for-txq-frames-reference-it.patch +dmaengine-xilinx_dma-fix-read-after-free-bug-when-te.patch +dmaengine-usb-dmac-fix-pm-reference-leak-in-usb_dmac.patch +arm-dts-am43x-epos-evm-reduce-i2c0-bus-speed-for-tps.patch +dmaengine-of-dma-router_xlate-to-return-eprobe_defer.patch +scsi-megaraid_mm-fix-end-of-loop-tests-for-list_for_.patch +scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch +scsi-core-avoid-printing-an-error-if-target_alloc-re.patch +arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch +arm-ixp4xx-goramo_mlr-depends-on-old-pci-driver.patch +net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch