From 61aebe2c78ff3cd0080a4e3a1578c7395997599f Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 9 Dec 2020 09:51:48 +0100 Subject: [PATCH] 5.4-stable patches added patches: cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch cifs-fix-potential-use-after-free-in-cifs_echo_request.patch coredump-fix-core_pattern-parse-error.patch dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch dm-writecache-fix-the-maximum-number-of-arguments.patch drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch ftrace-fix-updating-ftrace_fl_tramp.patch i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch scsi-mpt3sas-fix-ioctl-timeout.patch thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch --- ...s-to-be-restarted-in-__smb_send_rqst.patch | 48 +++++++ ...-use-after-free-in-cifs_echo_request.patch | 51 ++++++++ ...oredump-fix-core_pattern-parse-error.patch | 47 +++++++ ...h-rcu-locking-in-dm_blk_report_zones.patch | 37 ++++++ ..._acquires-and-__releases-annotations.patch | 40 ++++++ ...-fix-the-maximum-number-of-arguments.patch | 34 +++++ ...m-mocs-63-for-cache-eviction-on-gen9.patch | 63 +++++++++ .../ftrace-fix-updating-ftrace_fl_tramp.patch | 86 ++++++++++++ ...ndition-if-arbitration-has-been-lost.patch | 69 ++++++++++ ...ption-when-saving-slb-entries-on-mce.patch | 45 +++++++ ...s-msi-affinity-to-irq_create_mapping.patch | 54 ++++++++ ...-cpu-address-in-msi-for-directed-irq.patch | 72 ++++++++++ .../scsi-mpt3sas-fix-ioctl-timeout.patch | 42 ++++++ queue-5.4/series | 15 +++ ...fter-free-in-remove_unplugged_switch.patch | 70 ++++++++++ ...tes-when-looping-over-prefixes.bytes.patch | 123 ++++++++++++++++++ 16 files changed, 896 insertions(+) create mode 
100644 queue-5.4/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch create mode 100644 queue-5.4/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch create mode 100644 queue-5.4/coredump-fix-core_pattern-parse-error.patch create mode 100644 queue-5.4/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch create mode 100644 queue-5.4/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch create mode 100644 queue-5.4/dm-writecache-fix-the-maximum-number-of-arguments.patch create mode 100644 queue-5.4/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch create mode 100644 queue-5.4/ftrace-fix-updating-ftrace_fl_tramp.patch create mode 100644 queue-5.4/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch create mode 100644 queue-5.4/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch create mode 100644 queue-5.4/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch create mode 100644 queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch create mode 100644 queue-5.4/scsi-mpt3sas-fix-ioctl-timeout.patch create mode 100644 queue-5.4/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch create mode 100644 queue-5.4/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch
diff --git a/queue-5.4/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch b/queue-5.4/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch
new file mode 100644
index 00000000000..5c0eafc1e81
--- /dev/null
+++ b/queue-5.4/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch
@@ -0,0 +1,48 @@
+From 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Sat, 28 Nov 2020 15:57:06 -0300
+Subject: cifs: allow syscalls to be restarted in __smb_send_rqst()
+
+From: Paulo Alcantara
+
+commit 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 upstream.
+
+A customer has reported that several files in their multi-threaded app
+were left with size of 0 because most of the read(2) calls returned
+-EINTR and they assumed no bytes were read. Obviously, they could
+have fixed it by simply retrying on -EINTR.
+
+We noticed that most of the -EINTR on read(2) were due to real-time
+signals sent by glibc to process wide credential changes (SIGRT_1),
+and its signal handler had been established with SA_RESTART, in which
+case those calls could have been automatically restarted by the
+kernel.
+
+Let the kernel decide to whether or not restart the syscalls when
+there is a signal pending in __smb_send_rqst() by returning
+-ERESTARTSYS. If it can't, it will return -EINTR anyway.
+
+Signed-off-by: Paulo Alcantara (SUSE)
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -340,8 +340,8 @@ __smb_send_rqst(struct TCP_Server_Info *
+ return -EAGAIN;
+
+ if (signal_pending(current)) {
+- cifs_dbg(FYI, "signal is pending before sending any data\n");
+- return -EINTR;
++ cifs_dbg(FYI, "signal pending before send request\n");
++ return -ERESTARTSYS;
+ }
+
+ /* cork the socket */
diff --git a/queue-5.4/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch b/queue-5.4/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch
new file mode 100644
index 00000000000..4a3ae9ec281
--- /dev/null
+++ b/queue-5.4/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch
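Review bot: In the fs/cifs/transport.c change carried by this patch, the early exit in `__smb_send_rqst()` now returns `-ERESTARTSYS`, so any caller that tests the result with `rc == -EINTR` stops recognising an interrupted send. The callers are outside this hunk; each one that special-cases `-EINTR` (retry or deferred-cleanup paths in particular) should be audited and, where needed, made to accept both values. A one-line comment above the return would also help, e.g. `/* let the signal core restart the syscall or convert this to -EINTR */`, since `-ERESTARTSYS` must never be stored or reported as a final status.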
@@ -0,0 +1,51 @@
+From 212253367dc7b49ed3fc194ce71b0992eacaecf2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Sat, 28 Nov 2020 16:54:02 -0300
+Subject: cifs: fix potential use-after-free in cifs_echo_request()
+
+From: Paulo Alcantara
+
+commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
+
+This patch fixes a potential use-after-free bug in
+cifs_echo_request().
+
+For instance,
+
+ thread 1
+ --------
+ cifs_demultiplex_thread()
+ clean_demultiplex_info()
+ kfree(server)
+
+ thread 2 (workqueue)
+ --------
+ apic_timer_interrupt()
+ smp_apic_timer_interrupt()
+ irq_exit()
+ __do_softirq()
+ run_timer_softirq()
+ call_timer_fn()
+ cifs_echo_request() <- use-after-free in server ptr
+
+Signed-off-by: Paulo Alcantara (SUSE)
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -975,6 +975,8 @@ static void clean_demultiplex_info(struc
+ list_del_init(&server->tcp_ses_list);
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ cancel_delayed_work_sync(&server->echo);
++
+ spin_lock(&GlobalMid_Lock);
+ server->tcpStatus = CifsExiting;
+ spin_unlock(&GlobalMid_Lock);
diff --git a/queue-5.4/coredump-fix-core_pattern-parse-error.patch b/queue-5.4/coredump-fix-core_pattern-parse-error.patch
new file mode 100644
index 00000000000..bae836244f8
--- /dev/null
+++ b/queue-5.4/coredump-fix-core_pattern-parse-error.patch
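Review bot: The added `cancel_delayed_work_sync(&server->echo);` in `clean_demultiplex_info()` runs before `server->tcpStatus` is set to `CifsExiting`, and nothing in the hunk says what keeps the echo work from being queued again between the cancel and the free. If `cifs_echo_request()` is the only place that re-arms it, the synchronous cancel is enough; that should be stated in a comment such as `/* echo work dereferences server; it must be idle before the struct is freed below */`. Any other delayed work embedded in the server structure deserves the same check, which cannot be confirmed from these lines because the function continues outside the hunk.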
@@ -0,0 +1,47 @@
+From 2bf509d96d84c3336d08375e8af34d1b85ee71c8 Mon Sep 17 00:00:00 2001
+From: Menglong Dong
+Date: Sat, 5 Dec 2020 22:14:42 -0800
+Subject: coredump: fix core_pattern parse error
+
+From: Menglong Dong
+
+commit 2bf509d96d84c3336d08375e8af34d1b85ee71c8 upstream.
+
+'format_corename()' will splite 'core_pattern' on spaces when it is in
+pipe mode, and take helper_argv[0] as the path to usermode executable.
+It works fine in most cases.
+
+However, if there is a space between '|' and '/file/path', such as
+'| /usr/lib/systemd/systemd-coredump %P %u %g', then helper_argv[0] will
+be parsed as '', and users will get a 'Core dump to | disabled'.
+
+It is not friendly to users, as the pattern above was valid previously.
+Fix this by ignoring the spaces between '|' and '/file/path'.
+
+Fixes: 315c69261dd3 ("coredump: split pipe command whitespace before expanding template")
+Signed-off-by: Menglong Dong
+Signed-off-by: Andrew Morton
+Cc: Paul Wise
+Cc: Jakub Wilk [https://bugs.debian.org/924398]
+Cc: Neil Horman
+Cc:
+Link: https://lkml.kernel.org/r/5fb62870.1c69fb81.8ef5d.af76@mx.google.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/coredump.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -224,7 +224,8 @@ static int format_corename(struct core_n
+ */
+ if (ispipe) {
+ if (isspace(*pat_ptr)) {
+- was_space = true;
++ if (cn->used != 0)
++ was_space = true;
+ pat_ptr++;
+ continue;
+ } else if (was_space) {
diff --git a/queue-5.4/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch b/queue-5.4/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch
new file mode 100644
index 00000000000..f451f09f037
--- /dev/null
+++ b/queue-5.4/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch
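Review bot: The new `if (cn->used != 0)` guard in `format_corename()` relies on `cn->used` being zero until the first byte of the helper path has been emitted, but the hunk has no comment saying so. Because `helper_argv[0]` is taken as the path of the usermode helper for the core pipe, the rule for what is skipped should be explicit: `isspace()` matches tabs and newlines as well as blanks, so all leading whitespace after `|` is now dropped. Suggested comment above the guard: `/* skip leading whitespace after '|'; only whitespace after the first emitted byte separates arguments */`. The rest of the parsing loop is outside the hunk.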
@@ -0,0 +1,37 @@
+From 89478335718c98557f10470a9bc5c555b9261c4e Mon Sep 17 00:00:00 2001
+From: Sergei Shtepa
+Date: Wed, 11 Nov 2020 15:55:46 +0300
+Subject: dm: fix bug with RCU locking in dm_blk_report_zones
+
+From: Sergei Shtepa
+
+commit 89478335718c98557f10470a9bc5c555b9261c4e upstream.
+
+The dm_get_live_table() function makes RCU read lock so
+dm_put_live_table() must be called even if dm_table map is not found.
+
+Fixes: e76239a3748c9 ("block: add a report_zones method")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sergei Shtepa
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -455,8 +455,10 @@ static int dm_blk_report_zones(struct ge
+ return -EAGAIN;
+
+ map = dm_get_live_table(md, &srcu_idx);
+- if (!map)
+- return -EIO;
++ if (!map) {
++ ret = -EIO;
++ goto out;
++ }
+
+ tgt = dm_table_find_target(map, sector);
+ if (!tgt) {
diff --git a/queue-5.4/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch b/queue-5.4/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch
new file mode 100644
index 00000000000..86e6dc9d9e3
--- /dev/null
+++ b/queue-5.4/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch
@@ -0,0 +1,40 @@
+From bde3808bc8c2741ad3d804f84720409aee0c2972 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Fri, 4 Dec 2020 15:25:18 -0500
+Subject: dm: remove invalid sparse __acquires and __releases annotations
+
+From: Mike Snitzer
+
+commit bde3808bc8c2741ad3d804f84720409aee0c2972 upstream.
+
+Fixes sparse warnings:
+drivers/md/dm.c:508:12: warning: context imbalance in 'dm_prepare_ioctl' - wrong count at exit
+drivers/md/dm.c:543:13: warning: context imbalance in 'dm_unprepare_ioctl' - wrong count at exit
+
+Fixes: 971888c46993f ("dm: hold DM table for duration of ioctl rather than use blkdev_get")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -495,7 +495,6 @@ out:
+
+ static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx,
+ struct block_device **bdev)
+- __acquires(md->io_barrier)
+ {
+ struct dm_target *tgt;
+ struct dm_table *map;
+@@ -529,7 +528,6 @@ retry:
+ }
+
+ static void dm_unprepare_ioctl(struct mapped_device *md, int srcu_idx)
+- __releases(md->io_barrier)
+ {
+ dm_put_live_table(md, srcu_idx);
+ }
diff --git a/queue-5.4/dm-writecache-fix-the-maximum-number-of-arguments.patch b/queue-5.4/dm-writecache-fix-the-maximum-number-of-arguments.patch
new file mode 100644
index 00000000000..e24e6f515e8
--- /dev/null
+++ b/queue-5.4/dm-writecache-fix-the-maximum-number-of-arguments.patch
@@ -0,0 +1,34 @@
+From 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 10 Nov 2020 07:45:13 -0500
+Subject: dm writecache: fix the maximum number of arguments
+
+From: Mikulas Patocka
+
+commit 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af upstream.
+
+Advance the maximum number of arguments to 16.
+This fixes issue where certain operations, combined with table
+configured args, exceed 10 arguments.
+
+Signed-off-by: Mikulas Patocka
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-writecache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -1889,7 +1889,7 @@ static int writecache_ctr(struct dm_targ
+ struct wc_memory_superblock s;
+
+ static struct dm_arg _args[] = {
+- {0, 10, "Invalid number of feature args"},
++ {0, 16, "Invalid number of feature args"},
+ };
+
+ as.argc = argc;
diff --git a/queue-5.4/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch b/queue-5.4/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch
new file mode 100644
index 00000000000..d6c94982db0
--- /dev/null
+++ b/queue-5.4/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch
@@ -0,0 +1,63 @@
+From 777a7717d60ccdc9b84f35074f848d3f746fc3bf Mon Sep 17 00:00:00 2001
+From: Chris Wilson
+Date: Thu, 26 Nov 2020 14:08:41 +0000
+Subject: drm/i915/gt: Program mocs:63 for cache eviction on gen9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson
+
+commit 777a7717d60ccdc9b84f35074f848d3f746fc3bf upstream.
+
+Ville noticed that the last mocs entry is used unconditionally by the HW
+when it performs cache evictions, and noted that while the value is not
+meant to be writable by the driver, we should program it to a reasonable
+value nevertheless.
+
+As it turns out, we can change the value of mocs:63 and the value we
+were programming into it would cause hard hangs in conjunction with
+atomic operations.
+
+v2: Add details from bspec about how it is used by HW
+
+Suggested-by: Ville Syrjälä
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2707
+Fixes: 3bbaba0ceaa2 ("drm/i915: Added Programming of the MOCS")
+Signed-off-by: Chris Wilson
+Cc: Ville Syrjälä
+Cc: Jason Ekstrand
+Cc: # v4.3+
+Reviewed-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20201126140841.1982-1-chris@chris-wilson.co.uk
+(cherry picked from commit 977933b5da7c16f39295c4c1d4259a58ece65dbe)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/gt/intel_mocs.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_mocs.c
++++ b/drivers/gpu/drm/i915/gt/intel_mocs.c
+@@ -130,7 +130,19 @@ static const struct drm_i915_mocs_entry
+ GEN9_MOCS_ENTRIES,
+ MOCS_ENTRY(I915_MOCS_CACHED,
+ LE_3_WB | LE_TC_2_LLC_ELLC | LE_LRUM(3),
+- L3_3_WB)
++ L3_3_WB),
++
++ /*
++ * mocs:63
++ * - used by the L3 for all of its evictions.
++ * Thus it is expected to allow LLC cacheability to enable coherent
++ * flows to be maintained.
++ * - used to force L3 uncachable cycles.
++ * Thus it is expected to make the surface L3 uncacheable.
++ */
++ MOCS_ENTRY(63,
++ LE_3_WB | LE_TC_1_LLC | LE_LRUM(3),
++ L3_1_UC)
+ };
+
+ /* NOTE: the LE_TGT_CACHE is not used on Broxton */
diff --git a/queue-5.4/ftrace-fix-updating-ftrace_fl_tramp.patch b/queue-5.4/ftrace-fix-updating-ftrace_fl_tramp.patch
new file mode 100644
index 00000000000..49bed35602c
--- /dev/null
+++ b/queue-5.4/ftrace-fix-updating-ftrace_fl_tramp.patch
@@ -0,0 +1,86 @@
+From 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao"
+Date: Thu, 26 Nov 2020 23:38:38 +0530
+Subject: ftrace: Fix updating FTRACE_FL_TRAMP
+
+From: Naveen N. Rao
+
+commit 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 upstream.
+
+On powerpc, kprobe-direct.tc triggered FTRACE_WARN_ON() in
+ftrace_get_addr_new() followed by the below message:
+ Bad trampoline accounting at: 000000004222522f (wake_up_process+0xc/0x20) (f0000001)
+
+The set of steps leading to this involved:
+- modprobe ftrace-direct-too
+- enable_probe
+- modprobe ftrace-direct
+- rmmod ftrace-direct <-- trigger
+
+The problem turned out to be that we were not updating flags in the
+ftrace record properly. From the above message about the trampoline
+accounting being bad, it can be seen that the ftrace record still has
+FTRACE_FL_TRAMP set though ftrace-direct module is going away. This
+happens because we are checking if any ftrace_ops has the
+FTRACE_FL_TRAMP flag set _before_ updating the filter hash.
+
+The fix for this is to look for any _other_ ftrace_ops that also needs
+FTRACE_FL_TRAMP.
+
+Link: https://lkml.kernel.org/r/56c113aa9c3e10c19144a36d9684c7882bf09af5.1606412433.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: a124692b698b0 ("ftrace: Enable trampoline when rec count returns back to one")
+Signed-off-by: Naveen N.
Rao
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1626,6 +1626,8 @@ static bool test_rec_ops_needs_regs(stru
+ static struct ftrace_ops *
+ ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
+ static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude);
++static struct ftrace_ops *
+ ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
+
+ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
+@@ -1763,7 +1765,7 @@ static bool __ftrace_hash_rec_update(str
+ * to it.
+ */
+ if (ftrace_rec_count(rec) == 1 &&
+- ftrace_find_tramp_ops_any(rec))
++ ftrace_find_tramp_ops_any_other(rec, ops))
+ rec->flags |= FTRACE_FL_TRAMP;
+ else
+ rec->flags &= ~FTRACE_FL_TRAMP;
+@@ -2185,6 +2187,24 @@ ftrace_find_tramp_ops_any(struct dyn_ftr
+ continue;
+
+ if (hash_contains_ip(ip, op->func_hash))
++ return op;
++ } while_for_each_ftrace_op(op);
++
++ return NULL;
++}
++
++static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude)
++{
++ struct ftrace_ops *op;
++ unsigned long ip = rec->ip;
++
++ do_for_each_ftrace_op(op, ftrace_ops_list) {
++
++ if (op == op_exclude || !op->trampoline)
++ continue;
++
++ if (hash_contains_ip(ip, op->func_hash))
+ return op;
+ } while_for_each_ftrace_op(op);
+
diff --git a/queue-5.4/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch b/queue-5.4/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch
new file mode 100644
index 00000000000..0dca00b5993
--- /dev/null
+++ b/queue-5.4/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch
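Review bot: `ftrace_find_tramp_ops_any_other()` in the kernel/trace/ftrace.c patch is a copy of the loop in `ftrace_find_tramp_ops_any()` with one extra test, `op == op_exclude`, and it has no comment explaining why the caller's own ops must be skipped. A short header comment would keep the two from drifting, e.g. `/* Like ftrace_find_tramp_ops_any(), but ignores op_exclude: the caller's filter hash has not been updated yet */`. The two could also share one body, with `ftrace_find_tramp_ops_any(rec)` reduced to `return ftrace_find_tramp_ops_any_other(rec, NULL);`, provided the part of `ftrace_find_tramp_ops_any()` that lies above this hunk performs the same `!op->trampoline` check.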
@@ -0,0 +1,69 @@
+From 61e6fe59ede155881a622f5901551b1cc8748f6a Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Fri, 9 Oct 2020 13:03:20 +0200
+Subject: i2c: imx: Don't generate STOP condition if arbitration has been lost
+
+From: Christian Eggers
+
+commit 61e6fe59ede155881a622f5901551b1cc8748f6a upstream.
+
+If arbitration is lost, the master automatically changes to slave mode.
+I2SR_IBB may or may not be reset by hardware. Raising a STOP condition
+by resetting I2CR_MSTA has no effect and will not clear I2SR_IBB.
+
+So calling i2c_imx_bus_busy() is not required and would busy-wait until
+timeout.
+
+Signed-off-by: Christian Eggers
+Tested (not extensively) on Vybrid VF500 (Toradex VF50):
+Tested-by: Krzysztof Kozlowski
+Acked-by: Oleksij Rempel
+Cc: stable@vger.kernel.org # Requires trivial backporting, simple remove
+ # the 3rd argument from the calls to
+ # i2c_imx_bus_busy().
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-imx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -567,6 +567,8 @@ static void i2c_imx_stop(struct imx_i2c_
+ /* Stop I2C transaction */
+ dev_dbg(&i2c_imx->adapter.dev, "<%s>\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ if (i2c_imx->dma)
+ temp &= ~I2CR_DMAEN;
+@@ -732,9 +734,12 @@ static int i2c_imx_dma_read(struct imx_i
+ */
+ dev_dbg(dev, "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
+@@ -857,9 +862,12 @@ static int i2c_imx_read(struct
imx_i2c_s
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
diff --git a/queue-5.4/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch b/queue-5.4/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch
new file mode 100644
index 00000000000..be3014ddc41
--- /dev/null
+++ b/queue-5.4/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch
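Review bot: The same two-line check, `if (!(temp & I2CR_MSTA)) i2c_imx->stopped = 1;`, is added in three places in the drivers/i2c/busses/i2c-imx.c patch (`i2c_imx_stop()`, `i2c_imx_dma_read()` and `i2c_imx_read()`), and none of them says that a cleared MSTA bit at this point means arbitration was lost. A small static helper carrying that explanation in its comment would keep the three sites in step. The hunks do not show where `stopped` is reset to 0, so it is worth confirming that every transfer start clears it; otherwise one lost arbitration would make later transfers skip `i2c_imx_bus_busy()`.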
@@ -0,0 +1,45 @@
+From a1ee28117077c3bf24e5ab6324c835eaab629c45 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Sat, 28 Nov 2020 17:07:21 +1000
+Subject: powerpc/64s/powernv: Fix memory corruption when saving SLB entries on MCE
+
+From: Nicholas Piggin
+
+commit a1ee28117077c3bf24e5ab6324c835eaab629c45 upstream.
+
+This can be hit by an HPT guest running on an HPT host and bring down
+the host, so it's quite important to fix.
+
+Fixes: 7290f3b3d3e6 ("powerpc/64s/powernv: machine check dump SLB contents")
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Nicholas Piggin
+Acked-by: Mahesh Salgaonkar
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20201128070728.825934-2-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/powernv/setup.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -186,11 +186,16 @@ static void __init pnv_init(void)
+ add_preferred_console("hvc", 0, NULL);
+
+ if (!radix_enabled()) {
++ size_t size = sizeof(struct slb_entry) * mmu_slb_size;
+ int i;
+
+ /* Allocate per cpu area to save old slb contents during MCE */
+- for_each_possible_cpu(i)
+- paca_ptrs[i]->mce_faulty_slbs = memblock_alloc_node(mmu_slb_size, __alignof__(*paca_ptrs[i]->mce_faulty_slbs), cpu_to_node(i));
++ for_each_possible_cpu(i) {
++ paca_ptrs[i]->mce_faulty_slbs =
++ memblock_alloc_node(size,
++ __alignof__(struct slb_entry),
++ cpu_to_node(i));
++ }
+ }
+ }
+
diff --git a/queue-5.4/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch b/queue-5.4/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch
new file mode 100644
index 00000000000..7b8e70c0e79
--- /dev/null
+++ b/queue-5.4/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch
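Review bot: In `pnv_init()` (the arch/powerpc/platforms/powernv/setup.c patch) the pointer returned by `memblock_alloc_node()` is stored in `paca_ptrs[i]->mce_faulty_slbs` without a NULL check. The area is used to save SLB contents during a machine check, so it should be confirmed that the saving code tolerates a NULL pointer, or the failure should be reported here, e.g. `if (!paca_ptrs[i]->mce_faulty_slbs) pr_warn("no MCE SLB save area for cpu %d\n", i);`. The size fix would also read better with a comment stating that the area holds `mmu_slb_size` entries of `struct slb_entry`, since the old code passed the entry count as a byte count.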
@@ -0,0 +1,54 @@
+From 9ea69a55b3b9a71cded9726af591949c1138f235 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier
+Date: Thu, 26 Nov 2020 09:28:52 +0100
+Subject: powerpc/pseries: Pass MSI affinity to irq_create_mapping()
+
+From: Laurent Vivier
+
+commit 9ea69a55b3b9a71cded9726af591949c1138f235 upstream.
+
+With virtio multiqueue, normally each queue IRQ is mapped to a CPU.
+
+Commit 0d9f0a52c8b9f ("virtio_scsi: use virtio IRQ affinity") exposed
+an existing shortcoming of the arch code by moving virtio_scsi to
+the automatic IRQ affinity assignment.
+
+The affinity is correctly computed in msi_desc but this is not applied
+to the system IRQs.
+
+It appears the affinity is correctly passed to rtas_setup_msi_irqs() but
+lost at this point and never passed to irq_domain_alloc_descs()
+(see commit 06ee6d571f0e ("genirq: Add affinity hint to irq allocation"))
+because irq_create_mapping() doesn't take an affinity parameter.
+
+Use the new irq_create_mapping_affinity() function, which allows to forward
+the affinity setting from rtas_setup_msi_irqs() to irq_domain_alloc_descs().
+
+With this change, the virtqueues are correctly dispatched between the CPUs
+on pseries.
+
+Fixes: e75eafb9b039 ("genirq/msi: Switch to new irq spreading infrastructure")
+Signed-off-by: Laurent Vivier
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Greg Kurz
+Acked-by: Michael Ellerman
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201126082852.1178497-3-lvivier@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/pseries/msi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -458,7 +458,8 @@ again:
+ return hwirq;
+ }
+
+- virq = irq_create_mapping(NULL, hwirq);
++ virq = irq_create_mapping_affinity(NULL, hwirq,
++ entry->affinity);
+
+ if (!virq) {
+ pr_debug("rtas_msi: Failed mapping hwirq %d\n", hwirq);
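Review bot: This backport calls `irq_create_mapping_affinity()`, which its own commit message describes as new, but none of the fifteen entries added to `queue-5.4/series` in this commit introduces that function. Unless a patch earlier in the 5.4 queue (outside the three context lines shown for `series`) or the 5.4 tree itself already provides it, the build of `arch/powerpc/platforms/pseries/msi.c` will fail. Please confirm the prerequisite is queued ahead of this patch. `entry->affinity` is passed through unchecked; whether a NULL affinity is acceptable depends on that function, which is not visible here.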
diff --git a/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch b/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
new file mode 100644
index 00000000000..e61f689443b
--- /dev/null
+++ b/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
@@ -0,0 +1,72 @@
+From a2bd4097b3ec242f4de4924db463a9c94530e03a Mon Sep 17 00:00:00 2001
+From: Alexander Gordeev
+Date: Thu, 26 Nov 2020 18:00:37 +0100
+Subject: s390/pci: fix CPU address in MSI for directed IRQ
+
+From: Alexander Gordeev
+
+commit a2bd4097b3ec242f4de4924db463a9c94530e03a upstream.
+
+The directed MSIs are delivered to CPUs whose address is
+written to the MSI message address. The current code assumes
+that a CPU logical number (as it is seen by the kernel)
+is also the CPU address.
+
+The above assumption is not correct, as the CPU address
+is rather the value returned by STAP instruction. That
+value does not necessarily match the kernel logical CPU
+number.
+
+Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts")
+Cc: # v5.2+
+Signed-off-by: Alexander Gordeev
+Reviewed-by: Halil Pasic
+Reviewed-by: Niklas Schnelle
+Signed-off-by: Niklas Schnelle
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/pci/pci_irq.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -103,9 +103,10 @@ static int zpci_set_irq_affinity(struct
+ {
+ struct msi_desc *entry = irq_get_msi_desc(data->irq);
+ struct msi_msg msg = entry->msg;
++ int cpu_addr = smp_cpu_get_cpu_address(cpumask_first(dest));
+
+ msg.address_lo &= 0xff0000ff;
+- msg.address_lo |= (cpumask_first(dest) << 8);
++ msg.address_lo |= (cpu_addr << 8);
+ pci_write_msi_msg(data->irq, &msg);
+
+ return IRQ_SET_MASK_OK;
+@@ -238,6 +239,7 @@ int arch_setup_msi_irqs(struct pci_dev *
+ unsigned long bit;
+ struct msi_desc *msi;
+ struct msi_msg msg;
++ int cpu_addr;
+ int rc, irq;
+
+ zdev->aisb = -1UL;
+@@ -287,9 +289,15 @@ int arch_setup_msi_irqs(struct pci_dev *
+ handle_percpu_irq);
+ msg.data = hwirq - bit;
+ if (irq_delivery == DIRECTED) {
++ if (msi->affinity)
++ cpu = cpumask_first(&msi->affinity->mask);
++ else
++ cpu = 0;
++ cpu_addr =
smp_cpu_get_cpu_address(cpu);
++
+ msg.address_lo = zdev->msi_addr & 0xff0000ff;
+- msg.address_lo |= msi->affinity ?
+- (cpumask_first(&msi->affinity->mask) << 8) : 0;
++ msg.address_lo |= (cpu_addr << 8);
++
+ for_each_possible_cpu(cpu) {
+ airq_iv_set_data(zpci_ibv[cpu], hwirq, irq);
+ }
diff --git a/queue-5.4/scsi-mpt3sas-fix-ioctl-timeout.patch b/queue-5.4/scsi-mpt3sas-fix-ioctl-timeout.patch
new file mode 100644
index 00000000000..f6aa2d179b7
--- /dev/null
+++ b/queue-5.4/scsi-mpt3sas-fix-ioctl-timeout.patch
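Review bot: In `zpci_set_irq_affinity()` (the arch/s390/pci/pci_irq.c patch) the result of `cpumask_first(dest)` is now passed to `smp_cpu_get_cpu_address()` instead of only being shifted into the message address. If `dest` can be empty, `cpumask_first()` returns a value at or above `nr_cpu_ids`, and what used to be a wrong address presumably becomes an out-of-range per-CPU lookup; the lookup function is not shown, so this needs checking. A guard such as `if (cpumask_first(dest) >= nr_cpu_ids) return -EINVAL;` before the lookup would make the assumption explicit. In `arch_setup_msi_irqs()` the variable `cpu` is assigned for the lookup and then reused by `for_each_possible_cpu(cpu)` a few lines later; a separate local would make that hunk easier to follow.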
@@ -0,0 +1,42 @@
+From 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 Mon Sep 17 00:00:00 2001
+From: Suganath Prabu S
+Date: Wed, 25 Nov 2020 15:18:38 +0530
+Subject: scsi: mpt3sas: Fix ioctl timeout
+
+From: Suganath Prabu S
+
+commit 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 upstream.
+
+Commit c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol
+level reset") modified the ioctl path 'timeout' variable type to u8 from
+unsigned long, limiting the maximum timeout value that the driver can
+support to 255 seconds.
+
+If the management application is requesting a higher value the resulting
+timeout will be zero. The operation times out immediately and the ioctl
+request fails.
+
+Change datatype back to unsigned long.
+
+Link: https://lore.kernel.org/r/20201125094838.4340-1-suganath-prabu.subramani@broadcom.com
+Fixes: c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol level reset")
+Cc: #v4.18+
+Signed-off-by: Suganath Prabu S
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -650,7 +650,7 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPT
+ Mpi26NVMeEncapsulatedRequest_t *nvme_encap_request = NULL;
+ struct _pcie_device *pcie_device = NULL;
+ u16 smid;
+- u8 timeout;
++ unsigned long timeout;
+ u8 issue_reset;
+ u32 sz, sz_arg;
+ void *psge;
diff --git a/queue-5.4/series b/queue-5.4/series
index 2615f9b8e20..8b52c5c410b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
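Review bot: Widening `timeout` in `_ctl_do_mpt_command()` to `unsigned long` removes the truncation, but the hunk shows no upper bound on a value that, per the commit message, is requested by the management application. The assignment and the wait that consume it are outside the hunk; it should be confirmed there that the seconds value is clamped to a sane maximum and that converting it to jiffies cannot wrap on 32-bit builds. A comment on the declaration, e.g. `/* seconds, taken from the ioctl request; must hold values above 255 */`, would also guard against the type being narrowed again.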
@@ -15,3 +15,18 @@ alsa-hda-realtek-add-mute-led-quirk-to-yet-another-hp-x360-model.patch
 alsa-hda-realtek-enable-headset-of-asus-ux482eg-b9400cea-with-alc294.patch
 alsa-hda-realtek-add-new-codec-supported-for-alc897.patch
 alsa-hda-generic-add-option-to-enforce-preferred_dacs-pairs.patch
+ftrace-fix-updating-ftrace_fl_tramp.patch
+cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch
+cifs-fix-potential-use-after-free-in-cifs_echo_request.patch
+s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
+i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch
+thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch
+drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch
+scsi-mpt3sas-fix-ioctl-timeout.patch
+dm-writecache-fix-the-maximum-number-of-arguments.patch
+powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch
+powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch
+dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch
+dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch
+x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch
+coredump-fix-core_pattern-parse-error.patch
diff --git a/queue-5.4/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch b/queue-5.4/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch
new file mode 100644
index 00000000000..b57a40b3e95
--- /dev/null
+++ b/queue-5.4/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch
@@ -0,0 +1,70 @@
+From 600c0849cf86b75d86352f59745226273290986a Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Wed, 18 Nov 2020 13:08:21 +0200
+Subject: thunderbolt: Fix use-after-free in remove_unplugged_switch()
+
+From: Mika Westerberg
+
+commit 600c0849cf86b75d86352f59745226273290986a upstream.
+
+Paulian reported a crash that happens when a dock is unplugged during
+hibernation:
+
+[78436.228217] thunderbolt 0-1: device disconnected
+[78436.228365] BUG: kernel NULL pointer dereference, address: 00000000000001e0
+...
+[78436.228397] RIP: 0010:icm_free_unplugged_children+0x109/0x1a0
+...
+[78436.228432] Call Trace:
+[78436.228439] icm_rescan_work+0x24/0x30
+[78436.228444] process_one_work+0x1a3/0x3a0
+[78436.228449] worker_thread+0x30/0x370
+[78436.228454] ? process_one_work+0x3a0/0x3a0
+[78436.228457] kthread+0x13d/0x160
+[78436.228461] ? kthread_park+0x90/0x90
+[78436.228465] ret_from_fork+0x1f/0x30
+
+This happens because remove_unplugged_switch() calls tb_switch_remove()
+that releases the memory pointed by sw so the following lines reference
+to a memory that might be released already.
+
+Fix this by saving pointer to the parent device before calling
+tb_switch_remove().
+
+Reported-by: Paulian Bogdan Marinca
+Fixes: 4f7c2e0d8765 ("thunderbolt: Make sure device runtime resume completes before taking domain lock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/thunderbolt/icm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/thunderbolt/icm.c
++++ b/drivers/thunderbolt/icm.c
+@@ -1919,7 +1919,9 @@ static int complete_rpm(struct device *d
+
+ static void remove_unplugged_switch(struct tb_switch *sw)
+ {
+- pm_runtime_get_sync(sw->dev.parent);
++ struct device *parent = get_device(sw->dev.parent);
++
++ pm_runtime_get_sync(parent);
+
+ /*
+ * Signal this and switches below for rpm_complete because
+@@ -1930,8 +1932,10 @@ static void remove_unplugged_switch(stru
+ bus_for_each_dev(&tb_bus_type, &sw->dev, NULL, complete_rpm);
+ tb_switch_remove(sw);
+
+- pm_runtime_mark_last_busy(sw->dev.parent);
+- pm_runtime_put_autosuspend(sw->dev.parent);
++ pm_runtime_mark_last_busy(parent);
++ pm_runtime_put_autosuspend(parent);
++
++ put_device(parent);
+ }
+
+ static void icm_free_unplugged_children(struct tb_switch *sw)
diff --git a/queue-5.4/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch b/queue-5.4/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch
new file mode 100644
index 00000000000..8f60c0e5b4b
--- /dev/null
+++ b/queue-5.4/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch
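Review bot: The new `get_device(sw->dev.parent)` / `put_device(parent)` pair in `remove_unplugged_switch()` has no comment, and the commit text only speaks of saving a pointer, which undersells that a reference is being held across `tb_switch_remove()`. A short comment above the declaration would keep the pairing from being simplified away later: `/* tb_switch_remove() may release sw; pin the parent so it is still valid afterwards */`. Separately, the return value of `pm_runtime_get_sync(parent)` is still ignored, as it was before the change; that looks deliberate since the put is unconditional, but it is worth confirming.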
@@ -0,0 +1,123 @@
+From 4e9a5ae8df5b3365183150f6df49e49dece80d8c Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Thu, 3 Dec 2020 13:50:37 +0900
+Subject: x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
+
+From: Masami Hiramatsu
+
+commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream.
+
+Since insn.prefixes.nbytes can be bigger than the size of
+insn.prefixes.bytes[] when a prefix is repeated, the proper check must
+be
+
+ insn.prefixes.bytes[i] != 0 and i < 4
+
+instead of using insn.prefixes.nbytes.
+
+Introduce a for_each_insn_prefix() macro for this purpose. Debugged by
+Kees Cook .
+
+ [ bp: Massage commit message, sync with the respective header in tools/
+ and drop "we". ]
+
+Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
+Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Borislav Petkov
+Reviewed-by: Srikar Dronamraju
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@devnote2
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/insn.h | 15 +++++++++++++++
+ arch/x86/kernel/uprobes.c | 10 ++++++----
+ tools/arch/x86/include/asm/insn.h | 15 +++++++++++++++
+ 3 files changed, 36 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/insn.h
++++ b/arch/x86/include/asm/insn.h
+@@ -195,6 +195,21 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++/**
++ * for_each_insn_prefix() -- Iterate prefixes in the instruction
++ * @insn: Pointer to struct insn.
++ * @idx: Index storage.
++ * @prefix: Prefix byte.
++ *
++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
++ * and the index is stored in @idx (note that this @idx is just for a cursor,
++ * do not change it.)
++ * Since prefixes.nbytes can be bigger than 4 if some prefixes
++ * are repeated, it cannot be used for looping over the prefixes.
++ */
++#define for_each_insn_prefix(insn, idx, prefix) \
++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)
++
+ #define POP_SS_OPCODE 0x1f
+ #define MOV_SREG_OPCODE 0x8e
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -255,12 +255,13 @@ static volatile u32 good_2byte_insns[256
+
+ static bool is_prefix_bad(struct insn *insn)
+ {
++ insn_byte_t p;
+ int i;
+
+- for (i = 0; i < insn->prefixes.nbytes; i++) {
++ for_each_insn_prefix(insn, i, p) {
+ insn_attr_t attr;
+
+- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
++ attr = inat_get_opcode_attribute(p);
+ switch (attr) {
+ case INAT_MAKE_PREFIX(INAT_PFX_ES):
+ case INAT_MAKE_PREFIX(INAT_PFX_CS):
+@@ -715,6 +716,7 @@ static const struct uprobe_xol_ops push_
+ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
+ {
+ u8 opc1 = OPCODE1(insn);
++ insn_byte_t p;
+ int i;
+
+ switch (opc1) {
+@@ -746,8 +748,8 @@ static int branch_setup_xol_ops(struct a
+ * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
+ * No one uses these insns, reject any branch insns with such prefix.
+ */
+- for (i = 0; i < insn->prefixes.nbytes; i++) {
+- if (insn->prefixes.bytes[i] == 0x66)
++ for_each_insn_prefix(insn, i, p) {
++ if (p == 0x66)
+ return -ENOTSUPP;
+ }
+
+--- a/tools/arch/x86/include/asm/insn.h
++++ b/tools/arch/x86/include/asm/insn.h
+@@ -195,6 +195,21 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++/**
++ * for_each_insn_prefix() -- Iterate prefixes in the instruction
++ * @insn: Pointer to struct insn.
++ * @idx: Index storage.
++ * @prefix: Prefix byte.
++ *
++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
++ * and the index is stored in @idx (note that this @idx is just for a cursor,
++ * do not change it.)
++ * Since prefixes.nbytes can be bigger than 4 if some prefixes
++ * are repeated, it cannot be used for looping over the prefixes.
++ */
++#define for_each_insn_prefix(insn, idx, prefix) \
++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)
++
+ #define POP_SS_OPCODE 0x1f
+ #define MOV_SREG_OPCODE 0x8e
+
-- 2.47.3
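Review bot: The `for_each_insn_prefix()` macro added to both `insn.h` headers expands its `insn` argument unparenthesized, so it only works when the caller passes a plain pointer name; an expression such as `&local_insn` would not expand as intended because `->` binds before `&`. Both callers in `uprobes.c` pass `insn` directly, so nothing is broken today, but I would write the loop header as `for (idx = 0; idx < ARRAY_SIZE((insn)->prefixes.bytes) && (prefix = (insn)->prefixes.bytes[idx]) != 0; idx++)` in both copies. The loop also stops at the first zero byte, so it presumably relies on the decoder leaving unused `bytes[]` slots zeroed; a sentence in the kernel-doc stating that assumption would help.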