diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-26 13:50:25 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-28 08:15:53 -0400 |
commit | f391d4ea73d372558adc3f0d443bf60dfb71fb21 (patch) | |
tree | bb8e024ac9b6ab467ed15937a782cbd65707c1f4 | |
parent | 777bd1f01e3c93d72913aa58f1404577190482f2 (diff) | |
download | longterm-queue-5.2-f391d4ea73d372558adc3f0d443bf60dfb71fb21.tar.gz |
drop all previously applied commits
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
10 files changed, 0 insertions, 727 deletions
diff --git a/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch b/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch deleted file mode 100644 index 04e0be9a..00000000 --- a/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 14a720dc1f5332f3bdf30a23a3bc549e81be974c Mon Sep 17 00:00:00 2001 -From: Hector Martin <marcan@marcan.st> -Date: Mon, 10 Aug 2020 13:53:19 +0900 -Subject: [PATCH] ALSA: usb-audio: fix overeager device match for MacroSilicon - MS2109 - -commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream. - -Matching by device matches all interfaces, which breaks the video/HID -portions of the device depending on module load order. - -Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109") -Cc: stable@vger.kernel.org -Signed-off-by: Hector Martin <marcan@marcan.st> -Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st -Signed-off-by: Takashi Iwai <tiwai@suse.de> - -diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h -index adb3b62afed4..9c3c03dc96d3 100644 ---- a/sound/usb/quirks-table.h -+++ b/sound/usb/quirks-table.h -@@ -3662,7 +3662,13 @@ ALC1220_VB_DESKTOP(0x26ce, 0x0a01), /* Asrock TRX40 Creator */ - * with. - */ - { -- USB_DEVICE(0x534d, 0x2109), -+ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | -+ USB_DEVICE_ID_MATCH_INT_CLASS | -+ USB_DEVICE_ID_MATCH_INT_SUBCLASS, -+ .idVendor = 0x534d, -+ .idProduct = 0x2109, -+ .bInterfaceClass = USB_CLASS_AUDIO, -+ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { - .vendor_name = "MacroSilicon", - .product_name = "MS2109", --- -2.27.0 - diff --git a/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch b/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch deleted file mode 100644 index 1a0e6b33..00000000 --- a/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f Mon Sep 17 00:00:00 2001 -From: Chuck Lever <chuck.lever@oracle.com> -Date: Fri, 24 Jul 2020 17:08:57 -0400 -Subject: [PATCH] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") - -commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f upstream. - -Braino when converting "buf->len -=" to "buf->len = len -". - -The result is under-estimation of the ralign and rslack values. On -krb5p mounts, this has caused READDIR to fail with EIO, and KASAN -splats when decoding READLINK replies. - -As a result of fixing this oversight, the gss_unwrap method now -returns a buf->len that can be shorter than priv_len for small -RPC messages. The additional adjustment done in unwrap_priv_data() -can underflow buf->len. This causes the nfsd_request_too_large -check to fail during some NFSv3 operations. - -Reported-by: Marian Rainer-Harbach -Reported-by: Pierre Sauter <pierre.sauter@stwm.de> -BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 -Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()") -Reviewed-by: J. Bruce Fields <bfields@redhat.com> -Signed-off-by: Chuck Lever <chuck.lever@oracle.com> - -diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c -index cf0fd170ac18..90b8329fef82 100644 ---- a/net/sunrpc/auth_gss/gss_krb5_wrap.c -+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c -@@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len, - buf->head[0].iov_len); - memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen); - buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip; -- buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip; -+ buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip); - - /* Trim off the trailing "extra count" and checksum blob */ - xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip); -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 7d83f54aaaa6..258b04372f85 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -990,7 +990,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs - - maj_stat = gss_unwrap(ctx, 0, priv_len, buf); - pad = priv_len - buf->len; -- buf->len -= pad; - /* The upper layers assume the buffer is aligned on 4-byte boundaries. - * In the krb5p case, at least, the data ends up offset, so we need to - * move it around. */ --- -2.27.0 - diff --git a/queue/blktrace-fix-debugfs-use-after-free.patch b/queue/blktrace-fix-debugfs-use-after-free.patch deleted file mode 100644 index 926d9298..00000000 --- a/queue/blktrace-fix-debugfs-use-after-free.patch +++ /dev/null @@ -1,212 +0,0 @@ -From bad8e64fb19d3a0de5e564d9a7271c31bd684369 Mon Sep 17 00:00:00 2001 -From: Luis Chamberlain <mcgrof@kernel.org> -Date: Fri, 19 Jun 2020 20:47:28 +0000 -Subject: [PATCH] blktrace: fix debugfs use after free - -commit bad8e64fb19d3a0de5e564d9a7271c31bd684369 upstream. - -On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory") -merged on v4.12 Omar fixed the original blktrace code for request-based -drivers (multiqueue). This however left in place a possible crash, if you -happen to abuse blktrace while racing to remove / add a device. - -We used to use asynchronous removal of the request_queue, and with that -the issue was easier to reproduce. Now that we have reverted to -synchronous removal of the request_queue, the issue is still possible to -reproduce, its however just a bit more difficult. - -We essentially run two instances of break-blktrace which add/remove -a loop device, and setup a blktrace and just never tear the blktrace -down. We do this twice in parallel. This is easily reproduced with the -script run_0004.sh from break-blktrace [0]. - -We can end up with two types of panics each reflecting where we -race, one a failed blktrace setup: - -[ 252.426751] debugfs: Directory 'loop0' with parent 'block' already present! -[ 252.432265] BUG: kernel NULL pointer dereference, address: 00000000000000a0 -[ 252.436592] #PF: supervisor write access in kernel mode -[ 252.439822] #PF: error_code(0x0002) - not-present page -[ 252.442967] PGD 0 P4D 0 -[ 252.444656] Oops: 0002 [#1] SMP NOPTI -[ 252.446972] CPU: 10 PID: 1153 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 -[ 252.452673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 -[ 252.456343] RIP: 0010:down_write+0x15/0x40 -[ 252.458146] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc - cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 - 00 00 <f0> 48 0f b1 55 00 75 0f 48 8b 04 25 c0 8b 01 00 48 89 - 45 08 5d -[ 252.463638] RSP: 0018:ffffa626415abcc8 EFLAGS: 00010246 -[ 252.464950] RAX: 0000000000000000 RBX: ffff958c25f0f5c0 RCX: ffffff8100000000 -[ 252.466727] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 -[ 252.468482] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000001 -[ 252.470014] R10: 0000000000000000 R11: ffff958d1f9227ff R12: 0000000000000000 -[ 252.471473] R13: ffff958c25ea5380 R14: ffffffff8cce15f1 R15: 00000000000000a0 -[ 252.473346] FS: 00007f2e69dee540(0000) GS:ffff958c2fc80000(0000) knlGS:0000000000000000 -[ 252.475225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 252.476267] CR2: 00000000000000a0 CR3: 0000000427d10004 CR4: 0000000000360ee0 -[ 252.477526] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 252.478776] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 252.479866] Call Trace: -[ 252.480322] simple_recursive_removal+0x4e/0x2e0 -[ 252.481078] ? debugfs_remove+0x60/0x60 -[ 252.481725] ? relay_destroy_buf+0x77/0xb0 -[ 252.482662] debugfs_remove+0x40/0x60 -[ 252.483518] blk_remove_buf_file_callback+0x5/0x10 -[ 252.484328] relay_close_buf+0x2e/0x60 -[ 252.484930] relay_open+0x1ce/0x2c0 -[ 252.485520] do_blk_trace_setup+0x14f/0x2b0 -[ 252.486187] __blk_trace_setup+0x54/0xb0 -[ 252.486803] blk_trace_ioctl+0x90/0x140 -[ 252.487423] ? do_sys_openat2+0x1ab/0x2d0 -[ 252.488053] blkdev_ioctl+0x4d/0x260 -[ 252.488636] block_ioctl+0x39/0x40 -[ 252.489139] ksys_ioctl+0x87/0xc0 -[ 252.489675] __x64_sys_ioctl+0x16/0x20 -[ 252.490380] do_syscall_64+0x52/0x180 -[ 252.491032] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -And the other on the device removal: - -[ 128.528940] debugfs: Directory 'loop0' with parent 'block' already present! -[ 128.615325] BUG: kernel NULL pointer dereference, address: 00000000000000a0 -[ 128.619537] #PF: supervisor write access in kernel mode -[ 128.622700] #PF: error_code(0x0002) - not-present page -[ 128.625842] PGD 0 P4D 0 -[ 128.627585] Oops: 0002 [#1] SMP NOPTI -[ 128.629871] CPU: 12 PID: 544 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 -[ 128.635595] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 -[ 128.640471] RIP: 0010:down_write+0x15/0x40 -[ 128.643041] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc - cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 - 00 00 <f0> 48 0f b1 55 00 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 - 45 08 5d -[ 128.650180] RSP: 0018:ffffa9c3c05ebd78 EFLAGS: 00010246 -[ 128.651820] RAX: 0000000000000000 RBX: ffff8ae9a6370240 RCX: ffffff8100000000 -[ 128.653942] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 -[ 128.655720] RBP: 00000000000000a0 R08: 0000000000000002 R09: ffff8ae9afd2d3d0 -[ 128.657400] R10: 0000000000000056 R11: 0000000000000000 R12: 0000000000000000 -[ 128.659099] R13: 0000000000000000 R14: 0000000000000003 R15: 00000000000000a0 -[ 128.660500] FS: 00007febfd995540(0000) GS:ffff8ae9afd00000(0000) knlGS:0000000000000000 -[ 128.662204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 128.663426] CR2: 00000000000000a0 CR3: 0000000420042003 CR4: 0000000000360ee0 -[ 128.664776] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 128.666022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 128.667282] Call Trace: -[ 128.667801] simple_recursive_removal+0x4e/0x2e0 -[ 128.668663] ? debugfs_remove+0x60/0x60 -[ 128.669368] debugfs_remove+0x40/0x60 -[ 128.669985] blk_trace_free+0xd/0x50 -[ 128.670593] __blk_trace_remove+0x27/0x40 -[ 128.671274] blk_trace_shutdown+0x30/0x40 -[ 128.671935] blk_release_queue+0x95/0xf0 -[ 128.672589] kobject_put+0xa5/0x1b0 -[ 128.673188] disk_release+0xa2/0xc0 -[ 128.673786] device_release+0x28/0x80 -[ 128.674376] kobject_put+0xa5/0x1b0 -[ 128.674915] loop_remove+0x39/0x50 [loop] -[ 128.675511] loop_control_ioctl+0x113/0x130 [loop] -[ 128.676199] ksys_ioctl+0x87/0xc0 -[ 128.676708] __x64_sys_ioctl+0x16/0x20 -[ 128.677274] do_syscall_64+0x52/0x180 -[ 128.677823] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -The common theme here is: - -debugfs: Directory 'loop0' with parent 'block' already present - -This crash happens because of how blktrace uses the debugfs directory -where it places its files. Upon init we always create the same directory -which would be needed by blktrace but we only do this for make_request -drivers (multiqueue) block drivers. When you race a removal of these -devices with a blktrace setup you end up in a situation where the -make_request recursive debugfs removal will sweep away the blktrace -files and then later blktrace will also try to remove individual -dentries which are already NULL. The inverse is also possible and hence -the two types of use after frees. - -We don't create the block debugfs directory on init for these types of -block devices: - - * request-based block driver block devices - * every possible partition - * scsi-generic - -And so, this race should in theory only be possible with make_request -drivers. - -We can fix the UAF by simply re-using the debugfs directory for -make_request drivers (multiqueue) and only creating the ephemeral -directory for the other type of block devices. The new clarifications -on relying on the q->blk_trace_mutex *and* also checking for q->blk_trace -*prior* to processing a blktrace ensures the debugfs directories are -only created if no possible directory name clashes are possible. - -This goes tested with: - - o nvme partitions - o ISCSI with tgt, and blktracing against scsi-generic with: - o block - o tape - o cdrom - o media changer - o blktests - -This patch is part of the work which disputes the severity of -CVE-2019-19770 which shows this issue is not a core debugfs issue, but -a misuse of debugfs within blktace. - -Fixes: 6ac93117ab00 ("blktrace: use existing disk debugfs directory") -Reported-by: syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com -Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> -Reviewed-by: Christoph Hellwig <hch@lst.de> -Cc: Bart Van Assche <bvanassche@acm.org> -Cc: Omar Sandoval <osandov@fb.com> -Cc: Hannes Reinecke <hare@suse.com> -Cc: Nicolai Stange <nstange@suse.de> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: Michal Hocko <mhocko@kernel.org> -Cc: "Martin K. Petersen" <martin.petersen@oracle.com> -Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> -Cc: yu kuai <yukuai3@huawei.com> -Signed-off-by: Jens Axboe <axboe@kernel.dk> - -diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c -index 5a88a6b55933..e27dee345d81 100644 ---- a/kernel/trace/blktrace.c -+++ b/kernel/trace/blktrace.c -@@ -524,10 +524,18 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, - if (!bt->msg_data) - goto err; - -- ret = -ENOENT; -- -- dir = debugfs_lookup(buts->name, blk_debugfs_root); -- if (!dir) -+#ifdef CONFIG_BLK_DEBUG_FS -+ /* -+ * When tracing whole make_request drivers (multiqueue) block devices, -+ * reuse the existing debugfs directory created by the block layer on -+ * init. For request-based block devices, all partitions block devices, -+ * and scsi-generic block devices we create a temporary new debugfs -+ * directory that will be removed once the trace ends. -+ */ -+ if (queue_is_mq(q) && bdev && bdev == bdev->bd_contains) -+ dir = q->debugfs_dir; -+ else -+#endif - bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); - - bt->dev = dev; -@@ -565,8 +573,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, - - ret = 0; - err: -- if (dir && !bt->dir) -- dput(dir); - if (ret) - blk_trace_free(bt); - return ret; --- -2.27.0 - diff --git a/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch b/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch deleted file mode 100644 index 5a6b3f39..00000000 --- a/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 9f98772ba307dd89a3d17dc2589f213d3972fc64 Mon Sep 17 00:00:00 2001 -From: Sagi Grimberg <sagi@grimberg.me> -Date: Mon, 27 Jul 2020 17:32:09 -0700 -Subject: [PATCH] nvme-rdma: fix controller reset hang during traffic - -commit 9f98772ba307dd89a3d17dc2589f213d3972fc64 upstream. - -commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") -exposed an issue where we may hang trying to wait for queue freeze -during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple -queue maps (which we have now for default/read/poll) is attempting to -freeze the queue. However we never started queue freeze when starting the -reset, which means that we have inflight pending requests that entered the -queue that we will not complete once the queue is quiesced. - -So start a freeze before we quiesce the queue, and unfreeze the queue -after we successfully connected the I/O queues (and make sure to call -blk_mq_update_nr_hw_queues only after we are sure that the queue was -already frozen). - -This follows to how the pci driver handles resets. - -Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") -Signed-off-by: Sagi Grimberg <sagi@grimberg.me> -Signed-off-by: Christoph Hellwig <hch@lst.de> - -diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c -index 5c3848974ccb..44c76ffbb264 100644 ---- a/drivers/nvme/host/rdma.c -+++ b/drivers/nvme/host/rdma.c -@@ -967,15 +967,20 @@ static int nvme_rdma_configure_io_queues(struct nvme_rdma_ctrl *ctrl, bool new) - ret = PTR_ERR(ctrl->ctrl.connect_q); - goto out_free_tag_set; - } -- } else { -- blk_mq_update_nr_hw_queues(&ctrl->tag_set, -- ctrl->ctrl.queue_count - 1); - } - - ret = nvme_rdma_start_io_queues(ctrl); - if (ret) - goto out_cleanup_connect_q; - -+ if (!new) { -+ nvme_start_queues(&ctrl->ctrl); -+ nvme_wait_freeze(&ctrl->ctrl); -+ blk_mq_update_nr_hw_queues(ctrl->ctrl.tagset, -+ ctrl->ctrl.queue_count - 1); -+ nvme_unfreeze(&ctrl->ctrl); -+ } -+ - return 0; - - out_cleanup_connect_q: -@@ -1008,6 +1013,7 @@ static void nvme_rdma_teardown_io_queues(struct nvme_rdma_ctrl *ctrl, - bool remove) - { - if (ctrl->ctrl.queue_count > 1) { -+ nvme_start_freeze(&ctrl->ctrl); - nvme_stop_queues(&ctrl->ctrl); - nvme_rdma_stop_io_queues(ctrl); - if (ctrl->ctrl.tagset) { --- -2.27.0 - diff --git a/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch b/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch deleted file mode 100644 index 55278900..00000000 --- a/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2875b0aecabe2f081a8432e2bc85b85df0529490 Mon Sep 17 00:00:00 2001 -From: Sagi Grimberg <sagi@grimberg.me> -Date: Fri, 24 Jul 2020 15:10:12 -0700 -Subject: [PATCH] nvme-tcp: fix controller reset hang during traffic - -commit 2875b0aecabe2f081a8432e2bc85b85df0529490 upstream. - -commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") -exposed an issue where we may hang trying to wait for queue freeze -during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple -queue maps (which we have now for default/read/poll) is attempting to -freeze the queue. However we never started queue freeze when starting the -reset, which means that we have inflight pending requests that entered the -queue that we will not complete once the queue is quiesced. - -So start a freeze before we quiesce the queue, and unfreeze the queue -after we successfully connected the I/O queues (and make sure to call -blk_mq_update_nr_hw_queues only after we are sure that the queue was -already frozen). - -This follows to how the pci driver handles resets. - -Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") -Signed-off-by: Sagi Grimberg <sagi@grimberg.me> -Signed-off-by: Christoph Hellwig <hch@lst.de> - -diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c -index 8c8fb65ca928..378c049e0a5e 100644 ---- a/drivers/nvme/host/tcp.c -+++ b/drivers/nvme/host/tcp.c -@@ -1771,15 +1771,20 @@ static int nvme_tcp_configure_io_queues(struct nvme_ctrl *ctrl, bool new) - ret = PTR_ERR(ctrl->connect_q); - goto out_free_tag_set; - } -- } else { -- blk_mq_update_nr_hw_queues(ctrl->tagset, -- ctrl->queue_count - 1); - } - - ret = nvme_tcp_start_io_queues(ctrl); - if (ret) - goto out_cleanup_connect_q; - -+ if (!new) { -+ nvme_start_queues(ctrl); -+ nvme_wait_freeze(ctrl); -+ blk_mq_update_nr_hw_queues(ctrl->tagset, -+ ctrl->queue_count - 1); -+ nvme_unfreeze(ctrl); -+ } -+ - return 0; - - out_cleanup_connect_q: -@@ -1884,6 +1889,7 @@ static void nvme_tcp_teardown_io_queues(struct nvme_ctrl *ctrl, - { - if (ctrl->queue_count <= 1) - return; -+ nvme_start_freeze(ctrl); - nvme_stop_queues(ctrl); - nvme_tcp_stop_io_queues(ctrl); - if (ctrl->tagset) { --- -2.27.0 - diff --git a/queue/ocfs2-fix-unbalanced-locking.patch b/queue/ocfs2-fix-unbalanced-locking.patch deleted file mode 100644 index d6807335..00000000 --- a/queue/ocfs2-fix-unbalanced-locking.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 Mon Sep 17 00:00:00 2001 -From: Pavel Machek <pavel@ucw.cz> -Date: Thu, 6 Aug 2020 23:18:09 -0700 -Subject: [PATCH] ocfs2: fix unbalanced locking - -commit 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 upstream. - -Based on what fails, function can return with nfs_sync_rwlock either -locked or unlocked. That can not be right. - -Always return with lock unlocked on error. - -Fixes: 4cd9973f9ff6 ("ocfs2: avoid inode removal while nfsd is accessing it") -Signed-off-by: Pavel Machek (CIP) <pavel@denx.de> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> -Reviewed-by: Andrew Morton <akpm@linux-foundation.org> -Cc: Mark Fasheh <mark@fasheh.com> -Cc: Joel Becker <jlbec@evilplan.org> -Cc: Junxiao Bi <junxiao.bi@oracle.com> -Cc: Changwei Ge <gechangwei@live.cn> -Cc: Gang He <ghe@suse.com> -Cc: Jun Piao <piaojun@huawei.com> -Link: http://lkml.kernel.org/r/20200724124443.GA28164@duo.ucw.cz -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> - -diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c -index 751bc4dc7466..8e3a369086db 100644 ---- a/fs/ocfs2/dlmglue.c -+++ b/fs/ocfs2/dlmglue.c -@@ -2871,9 +2871,15 @@ int ocfs2_nfs_sync_lock(struct ocfs2_super *osb, int ex) - - status = ocfs2_cluster_lock(osb, lockres, ex ? LKM_EXMODE : LKM_PRMODE, - 0, 0); -- if (status < 0) -+ if (status < 0) { - mlog(ML_ERROR, "lock on nfs sync lock failed %d\n", status); - -+ if (ex) -+ up_write(&osb->nfs_sync_rwlock); -+ else -+ up_read(&osb->nfs_sync_rwlock); -+ } -+ - return status; - } - --- -2.27.0 - diff --git a/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch b/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch deleted file mode 100644 index e028539e..00000000 --- a/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 9177514ce34902b3adb2abd490b6ad05d1cfcb43 Mon Sep 17 00:00:00 2001 -From: Vladimir Zapolskiy <vz@mleia.com> -Date: Fri, 24 Jul 2020 03:50:13 +0300 -Subject: [PATCH] regulator: fix memory leak on error path of - regulator_register() - -commit 9177514ce34902b3adb2abd490b6ad05d1cfcb43 upstream. - -The change corrects registration and deregistration on error path -of a regulator, the problem was manifested by a reported memory -leak on deferred probe: - - as3722-regulator as3722-regulator: regulator 13 register failed -517 - - # cat /sys/kernel/debug/kmemleak - unreferenced object 0xecc43740 (size 64): - comm "swapper/0", pid 1, jiffies 4294937640 (age 712.880s) - hex dump (first 32 bytes): - 72 65 67 75 6c 61 74 6f 72 2e 32 34 00 5a 5a 5a regulator.24.ZZZ - 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ - backtrace: - [<0c4c3d1c>] __kmalloc_track_caller+0x15c/0x2c0 - [<40c0ad48>] kvasprintf+0x64/0xd4 - [<109abd29>] kvasprintf_const+0x70/0x84 - [<c4215946>] kobject_set_name_vargs+0x34/0xa8 - [<62282ea2>] dev_set_name+0x40/0x64 - [<a39b6757>] regulator_register+0x3a4/0x1344 - [<16a9543f>] devm_regulator_register+0x4c/0x84 - [<51a4c6a1>] as3722_regulator_probe+0x294/0x754 - ... - -The memory leak problem was introduced as a side ef another fix in -regulator_register() error path, I believe that the proper fix is -to decouple device_register() function into its two compounds and -initialize a struct device before assigning any values to its fields -and then using it before actual registration of a device happens. - -This lets to call put_device() safely after initialization, and, since -now a release callback is called, kfree(rdev->constraints) shall be -removed to exclude a double free condition. - -Fixes: a3cde9534ebd ("regulator: core: fix regulator_register() error paths to properly release rdev") -Signed-off-by: Vladimir Zapolskiy <vz@mleia.com> -Cc: Wen Yang <wenyang@linux.alibaba.com> -Link: https://lore.kernel.org/r/20200724005013.23278-1-vz@mleia.com -Signed-off-by: Mark Brown <broonie@kernel.org> - -diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c -index 196e344a84d3..75ff7c563c5d 100644 ---- a/drivers/regulator/core.c -+++ b/drivers/regulator/core.c -@@ -5092,7 +5092,6 @@ regulator_register(const struct regulator_desc *regulator_desc, - struct regulator_dev *rdev; - bool dangling_cfg_gpiod = false; - bool dangling_of_gpiod = false; -- bool reg_device_fail = false; - struct device *dev; - int ret, i; - -@@ -5221,10 +5220,12 @@ regulator_register(const struct regulator_desc *regulator_desc, - } - - /* register with sysfs */ -+ device_initialize(&rdev->dev); - rdev->dev.class = ®ulator_class; - rdev->dev.parent = dev; - dev_set_name(&rdev->dev, "regulator.%lu", - (unsigned long) atomic_inc_return(®ulator_no)); -+ dev_set_drvdata(&rdev->dev, rdev); - - /* set regulator constraints */ - if (init_data) -@@ -5275,12 +5276,9 @@ regulator_register(const struct regulator_desc *regulator_desc, - !rdev->desc->fixed_uV) - rdev->is_switch = true; - -- dev_set_drvdata(&rdev->dev, rdev); -- ret = device_register(&rdev->dev); -- if (ret != 0) { -- reg_device_fail = true; -+ ret = device_add(&rdev->dev); -+ if (ret != 0) - goto unset_supplies; -- } - - rdev_init_debugfs(rdev); - -@@ -5302,17 +5300,15 @@ regulator_register(const struct regulator_desc *regulator_desc, - mutex_unlock(®ulator_list_mutex); - wash: - kfree(rdev->coupling_desc.coupled_rdevs); -- kfree(rdev->constraints); - mutex_lock(®ulator_list_mutex); - regulator_ena_gpio_free(rdev); - mutex_unlock(®ulator_list_mutex); -+ put_device(&rdev->dev); -+ rdev = NULL; - clean: - if (dangling_of_gpiod) - gpiod_put(config->ena_gpiod); -- if (reg_device_fail) -- put_device(&rdev->dev); -- else -- kfree(rdev); -+ kfree(rdev); - kfree(config); - rinse: - if (dangling_cfg_gpiod) --- -2.27.0 - diff --git a/queue/series b/queue/series index c022fe15..04c01468 100644 --- a/queue/series +++ b/queue/series @@ -10,7 +10,6 @@ arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch EDAC-Fix-reference-count-leaks.patch crc-t10dif-Fix-potential-crypto-notify-dead-lock.patch arm64-dts-qcom-msm8916-Replace-invalid-bias-pull-non.patch -blktrace-fix-debugfs-use-after-free.patch crypto-ccree-fix-resource-leak-on-error-path.patch ARM-exynos-MCPM-Restore-big.LITTLE-cpuidle-support.patch firmware-arm_scmi-Fix-SCMI-genpd-domain-probing.patch @@ -28,13 +27,10 @@ ARM-dts-sunxi-bananapi-m2-plus-v1.2-Fix-CPU-supply-v.patch spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch recordmcount-only-record-relocation-of-type-R_AARCH6.patch -regulator-fix-memory-leak-on-error-path-of-regulator.patch spi-rockchip-Fix-error-in-SPI-slave-pio-read.patch ARM-socfpga-PM-add-missing-put_device-call-in-socfpg.patch irqchip-ti-sci-inta-Fix-return-value-about-devm_iore.patch seccomp-Fix-ioctl-number-for-SECCOMP_IOCTL_NOTIF_ID_.patch -nvme-tcp-fix-controller-reset-hang-during-traffic.patch -nvme-rdma-fix-controller-reset-hang-during-traffic.patch nvme-multipath-fix-logic-for-non-optimized-paths.patch nvme-multipath-do-not-fall-back-to-__nvme_find_path-.patch drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch @@ -136,12 +132,10 @@ drm-imx-tve-fix-regulator_disable-error-path.patch spi-lantiq-ssc-Fix-warning-by-using-WQ_MEM_RECLAIM.patch USB-serial-iuu_phoenix-fix-led-activity-helpers.patch usb-core-fix-quirks_param_set-writing-to-a-const-poi.patch -thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch coresight-tmc-Fix-TMC-mode-read-in-tmc_read_unprepar.patch powerpc-perf-Fix-missing-is_sier_aviable-during-buil.patch phy-armada-38x-fix-NETA-lockup-when-repeatedly-switc.patch MIPS-OCTEON-add-missing-put_device-call-in-dwc3_octe.patch -usb-dwc2-Fix-error-path-in-gadget-registration.patch usb-gadget-f_uac2-fix-AC-Interface-Header-Descriptor.patch scsi-mesh-Fix-panic-after-host-or-bus-reset.patch net-dsa-mv88e6xxx-MV88E6097-does-not-support-jumbo-c.patch @@ -181,10 +175,8 @@ fsl-fman-check-dereferencing-null-pointer.patch fsl-fman-fix-eth-hash-table-allocation.patch net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch dlm-Fix-kobject-memleak.patch -ocfs2-fix-unbalanced-locking.patch pinctrl-single-fix-pcs_parse_pinconf-return-value.patch svcrdma-Fix-page-leak-in-svc_rdma_recv_read_chunk.patch -SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch x86-fsgsbase-64-Fix-NULL-deref-in-86_fsgsbase_read_t.patch crypto-aesni-add-compatibility-with-IAS.patch drivers-net-wan-lapbether-Added-needed_headroom-and-.patch @@ -198,7 +190,6 @@ USB-serial-cp210x-re-enable-auto-RTS-on-open.patch USB-serial-cp210x-enable-usb-generic-throttle-unthro.patch ALSA-hda-fix-the-micmute-led-status-for-Lenovo-Think.patch ALSA-usb-audio-Creative-USB-X-Fi-Pro-SB1095-volume-k.patch -ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch ALSA-usb-audio-work-around-streaming-quirk-for-Macro.patch 9p-Fix-memory-leak-in-v9fs_mount.patch media-media-request-Fix-crash-if-memory-allocation-f.patch diff --git a/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch b/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch deleted file mode 100644 index f78acc15..00000000 --- a/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 0f348db01fdf128813fdd659fcc339038fb421a4 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Tue, 16 Jun 2020 12:19:49 +0300 -Subject: [PATCH] thermal: ti-soc-thermal: Fix reversed condition in - ti_thermal_expose_sensor() - -commit 0f348db01fdf128813fdd659fcc339038fb421a4 upstream. - -This condition is reversed and will cause breakage. - -Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> -Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda - -diff --git a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c -index 85776db4bf34..2ce4b19f312a 100644 ---- a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c -+++ b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c -@@ -169,7 +169,7 @@ int ti_thermal_expose_sensor(struct ti_bandgap *bgp, int id, - - data = ti_bandgap_get_sensor_data(bgp, id); - -- if (!IS_ERR_OR_NULL(data)) -+ if (IS_ERR_OR_NULL(data)) - data = ti_thermal_build_data(bgp, id); - - if (!data) --- -2.27.0 - diff --git a/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch b/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch deleted file mode 100644 index 94cd7d14..00000000 --- a/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 33a06f1300a79cfd461cea0268f05e969d4f34ec Mon Sep 17 00:00:00 2001 -From: Marek Szyprowski <m.szyprowski@samsung.com> -Date: Thu, 16 Jul 2020 14:09:48 +0200 -Subject: [PATCH] usb: dwc2: Fix error path in gadget registration - -commit 33a06f1300a79cfd461cea0268f05e969d4f34ec upstream. - -When gadget registration fails, one should not call usb_del_gadget_udc(). -Ensure this by setting gadget->udc to NULL. Also in case of a failure -there is no need to disable low-level hardware, so return immiedetly -instead of jumping to error_init label. - -This fixes the following kernel NULL ptr dereference on gadget failure -(can be easily triggered with g_mass_storage without any module -parameters): - -dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 -dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 -dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM -Mass Storage Function, version: 2009/09/11 -LUN: removable file: (no medium) -no file given for LUN0 -g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 -8<--- cut here --- -Unable to handle kernel NULL pointer dereference at virtual address 00000104 -pgd = (ptrval) -[00000104] *pgd=00000000 -Internal error: Oops: 805 [#1] PREEMPT SMP ARM -Modules linked in: -CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 -Hardware name: Samsung Exynos (Flattened Device Tree) -Workqueue: events deferred_probe_work_func -PC is at usb_del_gadget_udc+0x38/0xc4 -LR is at __mutex_lock+0x31c/0xb18 -... -Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) -Stack: (0xef121db0 to 0xef122000) -... -[<c076bf3c>] (usb_del_gadget_udc) from [<c0726bec>] (dwc2_hsotg_remove+0x10/0x20) -[<c0726bec>] (dwc2_hsotg_remove) from [<c0711208>] (dwc2_driver_probe+0x57c/0x69c) -[<c0711208>] (dwc2_driver_probe) from [<c06247c0>] (platform_drv_probe+0x6c/0xa4) -[<c06247c0>] (platform_drv_probe) from [<c0621df4>] (really_probe+0x200/0x48c) -[<c0621df4>] (really_probe) from [<c06221e8>] (driver_probe_device+0x78/0x1fc) -[<c06221e8>] (driver_probe_device) from [<c061fcd4>] (bus_for_each_drv+0x74/0xb8) -[<c061fcd4>] (bus_for_each_drv) from [<c0621b54>] (__device_attach+0xd4/0x16c) -[<c0621b54>] (__device_attach) from [<c0620c98>] (bus_probe_device+0x88/0x90) -[<c0620c98>] (bus_probe_device) from [<c06211b0>] (deferred_probe_work_func+0x3c/0xd0) -[<c06211b0>] (deferred_probe_work_func) from [<c0149280>] (process_one_work+0x234/0x7dc) -[<c0149280>] (process_one_work) from [<c014986c>] (worker_thread+0x44/0x51c) -[<c014986c>] (worker_thread) from [<c0150b1c>] (kthread+0x158/0x1a0) -[<c0150b1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20) -Exception stack(0xef121fb0 to 0xef121ff8) -... ----[ end trace 9724c2fc7cc9c982 ]--- - -While fixing this also fix the double call to dwc2_lowlevel_hw_disable() -if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level -hardware is already disabled before calling usb_add_gadget_udc(). That -function correctly preserves low-level hardware state, there is no need -for the second unconditional dwc2_lowlevel_hw_disable() call. - -Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") -Acked-by: Minas Harutyunyan <hminas@synopsys.com> -Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> -Signed-off-by: Felipe Balbi <balbi@kernel.org> - -diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c -index 8fea5f1f60ab..68b56b43a45e 100644 ---- a/drivers/usb/dwc2/platform.c -+++ b/drivers/usb/dwc2/platform.c -@@ -591,6 +591,7 @@ static int dwc2_driver_probe(struct platform_device *dev) - if (hsotg->gadget_enabled) { - retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); - if (retval) { -+ hsotg->gadget.udc = NULL; - dwc2_hsotg_remove(hsotg); - goto error_init; - } -@@ -602,7 +603,8 @@ static int dwc2_driver_probe(struct platform_device *dev) - if (hsotg->params.activate_stm_id_vb_detection) - regulator_disable(hsotg->usb33d); - error: -- dwc2_lowlevel_hw_disable(hsotg); -+ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) -+ dwc2_lowlevel_hw_disable(hsotg); - return retval; - } - --- -2.27.0 - |