From patchwork Wed Nov 28 17:29:00 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152330
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1364877ljp;
 Wed, 28 Nov 2018 09:29:18 -0800 (PST)
X-Google-Smtp-Source: AFSGD/V//kDEFE6hqLizWyq0DidYIT4qJUdtE5yJc4t/nwrPUbTfJvyJcTy7xMPVxSC4CRIJ4GBy
X-Received: by 2002:a62:1e87:: with SMTP id
 e129mr25360671pfe.221.1543426158450; 
 Wed, 28 Nov 2018 09:29:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426158; cv=none;
 d=google.com; s=arc-20160816;
 b=X9XX9iPNdNf8Og8PJv9+OJiaEW5/WVJvx/x2U27N/a0OZogHLSipTRPXSyTlkROKUv
 3wTwSFC7YIKAJgrf7pWCyGPPg/5m93PkiqCQ145Vj4TOKQLcQPDaAhNZxdSFXcNcYR3x
 IDBYgAivs2X6E/HuMCNItJjUTcJRcmUvJeo1nGiDfuyOSf5dFMtQsPz2cvwi/sJ3wa0+
 kcp2YQlpy09oeqqcfyPr0Souw3qMxNBsQkLqadqoRBY45rhs9xjfu7zxvTJwHI87pLpL
 /2z/UrOFyY6KJZT+A7Dli4oZYSx+pfOScNHF/HvDTdZGWW20DE7ljVe0HARrP8Pr6nHk
 2hKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=HXbDkzvHACxxFWuSdEtN8zJk4C1wiKAxQmF16lEZPok=;
 b=ll6VbZwihVf9dzeCqA0sLOK/u0ImCQEosE9Ps7jCjZ32f99B+miQT9v9n2suaj4y0S
 zggS8RuOpTiHALPqFGZiWXnSXRIttMsxpFFukBfW1Ek9WA4SojI1XHdU8afjutc77Aj+
 NzMzm99FkT9pzBSUtxDdZiAVhkXMmuTwOq8XBcnntro6bQqkgkId7oHDVgsKMTIxbbL/
 b44WD/sCPvsjpgCjbuLNpH9SGdH86uD9ppnVknM1J+pxZqtgxiW0YIdZHfvWwcAQL9iW
 OXmz08Wjqcl6M+3I6pZ8zpMaFsYZMloMBkZbKLxHhQsM2EDBNSs0LOjrjWpJAR7wQrwy
 Z5Kg==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=VnA9xtHg;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 v16si4555330plo.182.2018.11.28.09.29.18; 
 Wed, 28 Nov 2018 09:29:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=VnA9xtHg;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1728569AbeK2Ebk (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:40 -0500
Received: from mail-pg1-f194.google.com ([209.85.215.194]:45065 "EHLO
 mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1727867AbeK2Ebj (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:39 -0500
Received: by mail-pg1-f194.google.com with SMTP id y4so9787658pgc.12
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=HXbDkzvHACxxFWuSdEtN8zJk4C1wiKAxQmF16lEZPok=;
 b=VnA9xtHgOeqDsB83PH6kqzyGqTXgoYRZTgm6zjGRHE9wCybnmDM00GfpLcNPZ2DyZf
 yFR3lq1fewqwqbyOxiP1upIZwOChX9aenll6MSNSvoTvrYoJBp/QCl+OPSY1I9es6rTy
 h5QS9IXnNxjr8rosmca98Vrpl30tlUxGEEDrY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=HXbDkzvHACxxFWuSdEtN8zJk4C1wiKAxQmF16lEZPok=;
 b=nQQyAh0EyPTaOclV0SaFL2fIZpTLFJ9/2HgHkIiIC602AUIWWr2B1+QF6H2GtcLhFm
 k70hWa5WKUeQVLe0XL9c/I+I1MHgFYi64iYlLideIZjMNZqVM0ENJz6wNFZQ05lso+Ro
 +ftSTC/lu/+/C6eBD2RcCQnBTUT+k/4nLOPzhBZDGMOG0I3/iV9sN8eT99Kn6lTkPEDn
 WxgKUuY8mCvp9M6/krcf2eILyoYIER0F/K5d4c6Q+thrJltDhhGV4fzniuTHqki1VDZJ
 m70/5PfSqEqNFw0nHyI1NyLh7dN2uaMbNP/ATV+k8fGz1GZZ7agP6uvBcEyQr+38+ECs
 IR2g==
X-Gm-Message-State: AA+aEWZFd9ygBDhwv0mkutVBG+8bEwERd/a/NTJE+zJuRtq/SrgZPczh
 yZeVpGhNyzDaQ7l+qPe+mLRckg==
X-Received: by 2002:a63:8c2:: with SMTP id 185mr34484159pgi.26.1543426155979; 
 Wed, 28 Nov 2018 09:29:15 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.13
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:15 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
 Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>,
 Kalle Valo <kvalo@qca.qualcomm.com>
Subject: [PATCH for-4.4.y 01/10] ath10k: fix kernel panic due to race in
 accessing arvif list
Date: Wed, 28 Nov 2018 22:59:00 +0530
Message-Id: <1543426149-7269-2-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>

commit ebaa4b1620bf69f2bc43cb45ea85fbafdaec23c3 upstream.

arvifs list is traversed within data_lock spin_lock in tasklet
context to fill channel information from the corresponding vif.
This means any access to arvifs list for add/del operations
should also be protected with the same spin_lock to avoid the
race. Fix this by performing list add/del on arvfis within the
data_lock. This could fix kernel panic something like the below.

 LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core]
 PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core]
 Internal error: Oops: 17 [#1] PREEMPT SMP ARM
 [<bf4857f4>] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core])
 [<bf487540>] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core])
 [<c00312d4>] (tasklet_action+0x8c/0xec)
 [<c00309a8>] (__do_softirq+0xdc/0x208)
 [<c0030d6c>] (irq_exit+0x84/0xe0)
 [<c005db04>] (__handle_domain_irq+0x80/0xa0)
 [<c00085c4>] (gic_handle_irq+0x38/0x5c)
 [<c0009640>] (__irq_svc+0x40/0x74)

(gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0)
0x136c0 is in ath10k_htt_rx_h_channel (drivers/net/wireless/ath/ath10k/htt_rx.c:769)
764		struct cfg80211_chan_def def;
765
766		lockdep_assert_held(&ar->data_lock);
767
768		list_for_each_entry(arvif, &ar->arvifs, list) {
769			if (arvif->vdev_id == vdev_id &&
770			    ath10k_mac_vif_chan(arvif->vif, &def) == 0)
771				return def.chan;
772		}
773

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/net/wireless/ath/ath10k/mac.c | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
2.7.4

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 4644357d291a..398068ad0b62 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -4470,7 +4470,9 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
 	}
 
 	ar->free_vdev_map &= ~(1LL << arvif->vdev_id);
+	spin_lock_bh(&ar->data_lock);
 	list_add(&arvif->list, &ar->arvifs);
+	spin_unlock_bh(&ar->data_lock);
 
 	/* It makes no sense to have firmware do keepalives. mac80211 already
 	 * takes care of this with idle connection polling.
@@ -4603,7 +4605,9 @@ err_peer_delete:
 err_vdev_delete:
 	ath10k_wmi_vdev_delete(ar, arvif->vdev_id);
 	ar->free_vdev_map |= 1LL << arvif->vdev_id;
+	spin_lock_bh(&ar->data_lock);
 	list_del(&arvif->list);
+	spin_unlock_bh(&ar->data_lock);
 
 err:
 	if (arvif->beacon_buf) {
@@ -4647,7 +4651,9 @@ static void ath10k_remove_interface(struct ieee80211_hw *hw,
 			    arvif->vdev_id, ret);
 
 	ar->free_vdev_map |= 1LL << arvif->vdev_id;
+	spin_lock_bh(&ar->data_lock);
 	list_del(&arvif->list);
+	spin_unlock_bh(&ar->data_lock);
 
 	if (arvif->vdev_type == WMI_VDEV_TYPE_AP ||
 	    arvif->vdev_type == WMI_VDEV_TYPE_IBSS) {

From patchwork Wed Nov 28 17:29:01 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152339
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365680ljp;
 Wed, 28 Nov 2018 09:30:04 -0800 (PST)
X-Google-Smtp-Source: AFSGD/XtO9yxWAxIVhJQjv+Td7GywF8KYIedND3U808TKkt/P+l/tGWb2yoDV+UTPYFWXK4gfe/X
X-Received: by 2002:a17:902:f01:: with SMTP id
 1mr33520928ply.143.1543426203933; 
 Wed, 28 Nov 2018 09:30:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426203; cv=none;
 d=google.com; s=arc-20160816;
 b=xdydzpAYDxsUhxcjTmBECOa03DShLR02KSFk0fcXAQ4kg059KmXOA/OJdAi2PfsYaP
 gWPOr+2iNXnfxy/qJgKEvSPXyKZWHdicw0tWarUlQwJ+Is8q3Bpvkw7bY/ItphRPd2EE
 vfopfRWLNW/3RadT7Qy9Cx1V0VK/KrhFQ6eGcyD/E8boVIgDqW3idfuUPBTyw2vsRy0K
 zXBR4UPjqqEfWFa+1HuwGnAx7xoRImctVwNAfnSN4mdn+O6tCcjc2XXZAVEWNo9JUPv9
 ljCNDb2LN1uBN7GxufNgxVmx5WDY3WkxJG3LcQzawa8LaY2Wy8DfVqUJyjwVDp4whMSd
 ZMTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=hoskUs06Z7Cn4GIR2unwyyDYZ5YY9jhp9H+S4bJ6pbo=;
 b=MnyQ0kCzjDfL/M1Y9nfEj6M3QmXVq+mNKVQtQaCaw4IIwaDvynlm/qKFhNmokL48Om
 Fl56Ots48ajoH3FWZlRxunealkSDa+f7DCbtUmkwYzptbPgwkiDXn7UnGQ/03QkiGMlb
 tHKDV5DFRLCWcsaU8rI8d420FPPK/osQZPYTeKbT2FlYhc67xlMczgx98Qz1lgIgfrZW
 plYej2dz7Op37ol4Y9jctRyDqd5RYPvpJ38ooLHDDTniQPL9HC4iWbGUhR1UQdDPYFe5
 3sPN9FvLBq+5arZk7nDDh7hfDYTrOqaCwJ8Kyhi2rrGJ3tlQtMAhBYj970T5juEO1sNI
 2FvQ==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=eJ67b21K;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.30.01; 
 Wed, 28 Nov 2018 09:30:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=eJ67b21K;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1728446AbeK2Ebm (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:42 -0500
Received: from mail-pl1-f195.google.com ([209.85.214.195]:42090 "EHLO
 mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728654AbeK2Ebl (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:41 -0500
Received: by mail-pl1-f195.google.com with SMTP id x21-v6so17697338pln.9
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=hoskUs06Z7Cn4GIR2unwyyDYZ5YY9jhp9H+S4bJ6pbo=;
 b=eJ67b21KR4X5djMVW+BdjD3jBYiiJrYBg61j7D7szmJOd4WHpIoOrUVxvGNGCyLBRR
 gau8MbN5cgW/C/HJRtt5F0xPX0GYhQPXX+qvxLKDlxYBekn1u2sPj5sn/ayHZiqS9bUL
 ljezB5Dofl4P/8Mm39VWdoIc/irHsUKx6LBxI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=hoskUs06Z7Cn4GIR2unwyyDYZ5YY9jhp9H+S4bJ6pbo=;
 b=cUzj4lLq/CqpBBn5l+AKLbg6tQyztADNcYIN0REhdDERotyNKzRauKZv7POULFmTqA
 CD/X8+LSbMXSjUluQAJM33088drsvi4/DsMc5Fm7fytZZVsBJ5DCMeyNqRwiAnuwujJG
 XA30+kkll+d0ZF4NDKLxdYazOZOAU21GQXomOr+yB4xC2wuiK5VKyhNObCO6txsMJHpS
 0ASyPxVhqCMV18P9qibvSX1r0x2T0X5dbhEvvIezmokXJuJBDn2kdzuNryNfqK0HAHWl
 6fv3Gyrw5opilFwWTmjlVWNXHvIXNrfeuOV6BFKux1PUXR4x7sM6H4dqOUIGzMHtEJ+N
 10/Q==
X-Gm-Message-State: AA+aEWan8katRaFVFHNLKpwxvI++/YZYk2mmpFfeeFYsBgdSqBEGZx3x
 jU3eumgVm04m9Vh03IhHNUNqoA==
X-Received: by 2002:a17:902:2904:: with SMTP id
 g4mr37546854plb.39.1543426158697; 
 Wed, 28 Nov 2018 09:29:18 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.16
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:17 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Johannes Thumshirn <jthumshirn@suse.de>, 
 Johannes Berg <johannes@sipsolutions.net>,
 Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH for-4.4.y 02/10] cw1200: Don't leak memory if krealloc failes
Date: Wed, 28 Nov 2018 22:59:01 +0530
Message-Id: <1543426149-7269-3-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Johannes Thumshirn <jthumshirn@suse.de>

commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream.

The call to krealloc() in wsm_buf_reserve() directly assigns the newly
returned memory to buf->begin. This is all fine except when krealloc()
failes we loose the ability to free the old memory pointed to by
buf->begin. If we just create a temporary variable to assign memory to
and assign the memory to it we can mitigate the memory leak.

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

[AmitP: Refactored to fix driver file path in linux-4.4.y]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/net/wireless/cw1200/wsm.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

-- 
2.7.4

diff --git a/drivers/net/wireless/cw1200/wsm.c b/drivers/net/wireless/cw1200/wsm.c
index 3dd46c78c1cc..5a595f9f47ff 100644
--- a/drivers/net/wireless/cw1200/wsm.c
+++ b/drivers/net/wireless/cw1200/wsm.c
@@ -1805,16 +1805,18 @@ static int wsm_buf_reserve(struct wsm_buf *buf, size_t extra_size)
 {
 	size_t pos = buf->data - buf->begin;
 	size_t size = pos + extra_size;
+	u8 *tmp;
 
 	size = round_up(size, FWLOAD_BLOCK_SIZE);
 
-	buf->begin = krealloc(buf->begin, size, GFP_KERNEL | GFP_DMA);
-	if (buf->begin) {
-		buf->data = &buf->begin[pos];
-		buf->end = &buf->begin[size];
-		return 0;
-	} else {
-		buf->end = buf->data = buf->begin;
+	tmp = krealloc(buf->begin, size, GFP_KERNEL | GFP_DMA);
+	if (!tmp) {
+		wsm_buf_deinit(buf);
 		return -ENOMEM;
 	}
+
+	buf->begin = tmp;
+	buf->data = &buf->begin[pos];
+	buf->end = &buf->begin[size];
+	return 0;
 }

From patchwork Wed Nov 28 17:29:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152337
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365579ljp;
 Wed, 28 Nov 2018 09:29:59 -0800 (PST)
X-Google-Smtp-Source: AJdET5fzfjxU9vTEyGiMZhn/t781i0QYdlNsFP2msWc/f2P4WqwbYHQfh9s4AeCPtu2MeDV25aqh
X-Received: by 2002:a62:11c7:: with SMTP id 68mr38138252pfr.21.1543426199635; 
 Wed, 28 Nov 2018 09:29:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426199; cv=none;
 d=google.com; s=arc-20160816;
 b=s1MhfuD29YLJoA1Z9dFinDaZIqYz1RYM0qfd36QetH6/tfluKWLdgPmZ7+3jC1Tf9M
 mE2BGFdnWh+4c7xBakXvj4ulcrzX7xVQaF18wv6N+ztu9H82eNzsVcfn28ANkv+fAFu6
 2ASnYFtZZUc4r52VugRsvSKriM6LSXTm/ZDbpdQrqs6ahbise/HceF/ZATIVGGGJHVN2
 Jh0mUFuYJFIQDLJDamDWSQKPomwysFN/Wcq5agIg2LQoO392LhG3pxjDsDArGyclqpcD
 lhoIpFRU9zmnLQm7ViLc6D3zs2Hu8J3Sy1v4GaXBCbWS+yuVYzM66DiXh92rvJWBzC0t
 xoMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=C1rOqshDY+v2g7d1Z+TrKygKn6IvxZ+JtAdXXsgB/Go=;
 b=vi7mra4ZihtcCfR11KdI4Th77X9WtF6hh6rreDNhTIuz7ziKr+PjaVbdrfGe/r04Z4
 /23Ev5xlwCbqsNFIJEmaINQ/fiWB2XjuaNzkqD9fRLsiQolGu1V8uBDyrZZv8VTqLJyS
 UD+bF5te6mx4q6SxpzVX7C2F1acafe7Y2QEu3pFaJwOSFTH4b9r0m4SHuh4iOLLh6GNn
 8NULio4C3puOp6Tkd6iJq0cNuvcn6My8Onxu/9pX50wf9uRzsFmTZ4/7vocGEyMzgGrI
 h8bDP/BRc+gVQrj1MEn0jh5GdM0VAFucr9AM0DAmE1hEatDdrODRxlS2M+L/RTFdktK4
 W/Uw==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=bGKx5dph;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.57; 
 Wed, 28 Nov 2018 09:29:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=bGKx5dph;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729269AbeK2EcD (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:32:03 -0500
Received: from mail-pg1-f193.google.com ([209.85.215.193]:37456 "EHLO
 mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1729147AbeK2Ebo (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:44 -0500
Received: by mail-pg1-f193.google.com with SMTP id 80so9804394pge.4
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=C1rOqshDY+v2g7d1Z+TrKygKn6IvxZ+JtAdXXsgB/Go=;
 b=bGKx5dphHGP+r8N2G0QRW/BZk9TfrnGf4OrVIDMXi/1cf7Op7StK7dyw5ccMGegVK4
 Orn2/ylrgT7gzRTasEvQjK19iBP9EhIku7EJf/eueQ5yhRc8lk3B24r4B1tTDY4S1TXw
 z4VbBnXUn7lZf1jXbaTMnY/VyC5FWiP9T6QI4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=C1rOqshDY+v2g7d1Z+TrKygKn6IvxZ+JtAdXXsgB/Go=;
 b=cYRdWtDGLFhIRi39lANJjpFt+ysLBSOv7U5q0oBwr73oVnqkOvIRhgmA/kiTK80MYE
 JK5/+X1Yvmdmep18XxU8Emlxyfjf9coXt/3lqtAOz0pZN3aG7xcBOlpKXkVA/NcaRMSn
 bsQ8zJe4HcIsgasRmL46ug4yN+k/ZtbV35gOcK00TswLRs9lx/MbYzzS2rH+bYMaYVLX
 LjWSKnG2QOj1MnemxLLG/ILl8gg0iGXq3VY7SA5cRy+rHZLOGrAJc5M2ubMbWmmwsZlR
 ndN2SoHLWrN5MnIIh50+//xT4gfXrlGlEzD9YfoXtlFM9nyWeIiXumnci+a54wSMqy0R
 c1Sg==
X-Gm-Message-State: AGRZ1gK8VTJi6TujyWg5TFnCvHAa11kwEpMq3ir6rRTpObgLb9fG0W6n
 WOxkhopO7LsIpOdIejH9bZvEKoCpBkM=
X-Received: by 2002:a62:1541:: with SMTP id 62mr38458416pfv.230.1543426161344; 
 Wed, 28 Nov 2018 09:29:21 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.18
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:20 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Amitkumar Karwar <akarwar@marvell.com>,
 Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH for-4.4.y 03/10] mwifiex: Fix NULL pointer dereference in
 skb_dequeue()
Date: Wed, 28 Nov 2018 22:59:02 +0530
Message-Id: <1543426149-7269-4-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Amitkumar Karwar <akarwar@marvell.com>

commit c44c040300d7afd79294710313a4989683e2afb1 upstream.

At couple of places in cleanup path, we are just going through the
skb queue and freeing them without unlinking. This leads to a crash
when other thread tries to do skb_dequeue() and use already freed node.

The problem is freed by unlinking skb before freeing it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

[AmitP: Refactored to fix driver file path in linux-4.4.y]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/net/wireless/mwifiex/cfg80211.c |  4 +++-
 drivers/net/wireless/mwifiex/wmm.c      | 12 +++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

-- 
2.7.4

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index 9a8982f581c5..6fcaa949b14a 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -2839,8 +2839,10 @@ int mwifiex_del_virtual_intf(struct wiphy *wiphy, struct wireless_dev *wdev)
 
 	mwifiex_stop_net_dev_queue(priv->netdev, adapter);
 
-	skb_queue_walk_safe(&priv->bypass_txq, skb, tmp)
+	skb_queue_walk_safe(&priv->bypass_txq, skb, tmp) {
+		skb_unlink(skb, &priv->bypass_txq);
 		mwifiex_write_data_complete(priv->adapter, skb, 0, -1);
+	}
 
 	if (netif_carrier_ok(priv->netdev))
 		netif_carrier_off(priv->netdev);
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index acccd6734e3b..ed8b69d1d65c 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -501,8 +501,10 @@ mwifiex_wmm_del_pkts_in_ralist_node(struct mwifiex_private *priv,
 	struct mwifiex_adapter *adapter = priv->adapter;
 	struct sk_buff *skb, *tmp;
 
-	skb_queue_walk_safe(&ra_list->skb_head, skb, tmp)
+	skb_queue_walk_safe(&ra_list->skb_head, skb, tmp) {
+		skb_unlink(skb, &ra_list->skb_head);
 		mwifiex_write_data_complete(adapter, skb, 0, -1);
+	}
 }
 
 /*
@@ -598,11 +600,15 @@ mwifiex_clean_txrx(struct mwifiex_private *priv)
 		priv->adapter->if_ops.clean_pcie_ring(priv->adapter);
 	spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, flags);
 
-	skb_queue_walk_safe(&priv->tdls_txq, skb, tmp)
+	skb_queue_walk_safe(&priv->tdls_txq, skb, tmp) {
+		skb_unlink(skb, &priv->tdls_txq);
 		mwifiex_write_data_complete(priv->adapter, skb, 0, -1);
+	}
 
-	skb_queue_walk_safe(&priv->bypass_txq, skb, tmp)
+	skb_queue_walk_safe(&priv->bypass_txq, skb, tmp) {
+		skb_unlink(skb, &priv->bypass_txq);
 		mwifiex_write_data_complete(priv->adapter, skb, 0, -1);
+	}
 	atomic_set(&priv->adapter->bypass_tx_pending, 0);
 
 	idr_for_each(&priv->ack_status_frames, mwifiex_free_ack_frame, NULL);

From patchwork Wed Nov 28 17:29:03 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152331
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365139ljp;
 Wed, 28 Nov 2018 09:29:34 -0800 (PST)
X-Google-Smtp-Source: AFSGD/VpPwFb5GGJrkxAz9f9QllZz5oq/jElshidDcn38BWkNAilDpiBWyrRqs2crBBY3DbRzAUG
X-Received: by 2002:a17:902:4827:: with SMTP id
 s36mr36553062pld.168.1543426174242; 
 Wed, 28 Nov 2018 09:29:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426174; cv=none;
 d=google.com; s=arc-20160816;
 b=pX9ZkH8oaI5c9Hfa9kHa3PAruIlsLPDCuWCKq50sw6iOhSrQCXHUFd98WV3sryHaBj
 Wo8TDDXrty9In0L6t0EBBv8QSwLDIAi3wfIWoxuvSWwIvD5JBb7kQqjWlZwHKPeuagev
 1hRsbD1V7tN7HtXS/LymOBKTXGTR7XirZ679sLOTktT2ehwCyh0tLN65zlciucCMAQkc
 7lxJPzap+eUnCFqb1HFFj3t/A5ls0a+Qod2lr7F4LPdvUUKUNexEu6axhDvaEDhGZo08
 kYGNWvJ3V9UOvxh1tjARpexqnMWU8Rf1tVAwMkJHiuWPw7qW3vISgoxRSTX4ItV/PK/o
 CZPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=mDqA/ivhvdtvBtGYw++tkGHIok22fxyQ+MKhF2uc9NM=;
 b=SyRmd7ibs/XXY5OUggGFA9dGkY+V7c4+e6484+h1hzB7+k5o9v9woi+RgPB7YPSfdT
 B7qdxrYZ7q8G+tZGWIKulznIkaHSdDmMEBrv4sU8FxBBO/msq80Ima7N1cLMuoGv+mS+
 QopgwwGlMrc2T6suqHogpKwnzxGw4GiIh0ZyAH0HJz5KtyRzZC0cu2bwE6ZeZeHPUL+0
 kj21+XfvEeL69dI7M/zfc23uxl0Bc6ZBFgBoFNjsM2JMB/1xV8oBEGj16w2EOPyFm3AE
 tIMcmFttlfx8DhNrYfx1UCIyV3gP4QcWjEDiFqXymjS9v9H484QZYXRBj+3umZERnVo0
 hY5Q==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=dfzlDW1W;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.32; 
 Wed, 28 Nov 2018 09:29:34 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=dfzlDW1W;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729212AbeK2Ebr (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:47 -0500
Received: from mail-pl1-f194.google.com ([209.85.214.194]:42099 "EHLO
 mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1729050AbeK2Ebr (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:47 -0500
Received: by mail-pl1-f194.google.com with SMTP id x21-v6so17697489pln.9
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=mDqA/ivhvdtvBtGYw++tkGHIok22fxyQ+MKhF2uc9NM=;
 b=dfzlDW1WipnJF94ZjeKZvLJXI5x9e5lTkjYhAJ2JgOBTpmiuztsZlM9LHuv9p43Wer
 gexb8qGQxGOtWqraPHcp5m9Jc1qnh0YF1LYJZ3D0QTCAqJpXEB/5a6krPHh2Fk/QYCjK
 a/1htc0SkGPT5hyXjJ4sONxK4366TyFmkmWBE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=mDqA/ivhvdtvBtGYw++tkGHIok22fxyQ+MKhF2uc9NM=;
 b=aNgsS65vCNwqR44QmH6l3Ds7/Q66OatY/ur9SRAoqR7FqbmoVkDJqVUqwIAcrGP7/1
 9P/p7RuF08QK7qUCtX9JuKHjvfUVpjlc6CHWuazrvEouCIeK6nmh30dwZJqvr12cid0W
 TIo3GknZ4AbS7QzkJFZOg3fgwf072ZD1TL0JtsnJ/X3Y1+q4gh3fCSqqi+YWGlhWqgwl
 pYtlOtJFdLVGQm8fN15/0hNp7lub2s8yT1qto6EijyQn2KsReL9KaOyRm7slSSwMa4VA
 1FJB3x++y9uraNwFObx84LaHdgAIAZr57wHFH/0RpaEjBEjjqnLfSZQ6JptWjITYjPaQ
 he8Q==
X-Gm-Message-State: AA+aEWaKtg5p+aqBMPAknrEzculOtqr1dPYwNB60ypeLWE2dEso21hMw
 NU3CC4WdnEj+WUTobkUUCJvoL09/sM8=
X-Received: by 2002:a17:902:14b:: with SMTP id
 69mr38326666plb.52.1543426164320; 
 Wed, 28 Nov 2018 09:29:24 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.21
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:23 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Karthik D A <karthida@marvell.com>,
 Amitkumar Karwar <akarwar@marvell.com>, Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH for-4.4.y 04/10] mwifiex: fix p2p device doesn't find in
 scan problem
Date: Wed, 28 Nov 2018 22:59:03 +0530
Message-Id: <1543426149-7269-5-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Karthik D A <karthida@marvell.com>

commit 3d8bd85c2c9e47ed2c82348aa5b6029ed48376ae upstream.

Marvell p2p device disappears from the list of p2p peers on the other
p2p device after disconnection.

It happens due to a bug in driver. When interface is changed from p2p
to station, certain variables(bss_type, bss_role etc.) aren't correctly
updated. This patch corrects them to fix the issue.

Signed-off-by: Karthik D A <karthida@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

[AmitP: Refactored to fix driver file path in linux-4.4.y]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/net/wireless/mwifiex/cfg80211.c | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
2.7.4

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index 6fcaa949b14a..1e074eaf613d 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -1150,6 +1150,12 @@ mwifiex_cfg80211_change_virtual_intf(struct wiphy *wiphy,
 			priv->adapter->curr_iface_comb.p2p_intf--;
 			priv->adapter->curr_iface_comb.sta_intf++;
 			dev->ieee80211_ptr->iftype = type;
+			if (mwifiex_deinit_priv_params(priv))
+				return -1;
+			if (mwifiex_init_new_priv_params(priv, dev, type))
+				return -1;
+			if (mwifiex_sta_init_cmd(priv, false, false))
+				return -1;
 			break;
 		case NL80211_IFTYPE_ADHOC:
 			if (mwifiex_cfg80211_deinit_p2p(priv))

From patchwork Wed Nov 28 17:29:04 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152332
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365249ljp;
 Wed, 28 Nov 2018 09:29:40 -0800 (PST)
X-Google-Smtp-Source: AFSGD/XdUYLstCxuN0m2eZk3x2WKmEz+RNkBYvubL+VALhDvPg98wVNZvEUVQkV+dnkMIJ3TWQYO
X-Received: by 2002:a62:b511:: with SMTP id
 y17mr16149498pfe.199.1543426180727; 
 Wed, 28 Nov 2018 09:29:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426180; cv=none;
 d=google.com; s=arc-20160816;
 b=rAizNBN9+l/zq0zo7Wm3dILNR9IQeF++0p+PoZeYk40tMSokL5JhJK8Te53TYJG/7P
 vtHdOK/ZgZk5rdiudBujEmdAoW2Oh/Y7rOaHbRsE0Hfb8N5ExJ3pj0qJ1JTo0uT1cQbt
 CXV4fscoragWHQK8xJeaRwE7IDHnQ625zzOQXGfBbeeQIpMVO/Xf1nGc+4Ct4ofy3pWE
 y7Z0tWoDKcvVRrKmkBD3cJUwhPDNdILHePgTcx/I7VLjKIx5WNffPOr7IiQWU95shvQk
 TM7k0CDiehGvUNKeWCmziwJPdI/x3SAwDmBdjN9gw7FRCEDiabN2n/aUhe36IAtSrgXX
 9vYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=5iqaxsLDLybvVYVXmsKBWOon7Y0B0MItaK3FQ7fOqzo=;
 b=TVJaDXksyA6XznSO2niHAtoTeoiMu2kunfktQW3Hu2RkYWzaltJ97l/0uieYBPal7f
 vaVqcUmTpgfrry09skbi2jPWGWCXqVWZ8JFXidjUmlI0HHdKLZGHYLQJ9KVH5HMYRmwZ
 jzabK+gItG9HpepKktWrr0V3v+Cmpn4qkwS+hVNxv7HpQ93Az+4CEr7hJI8YSdeVspod
 WokQ9M93S9+HP47OE+hD+Z1aAsGlf6Eko20POQRNPyu1HgjEKVAgHL1c6MLOcbwZAxJ2
 sdwuyv6HbWOUbLZpSpoyHxzaj5AAffvu2w4ZxE8fr2XJoFkeASn32ihhe0lyWoY4zbgZ
 Oz9w==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=RlFFLXoG;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.38; 
 Wed, 28 Nov 2018 09:29:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=RlFFLXoG;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729239AbeK2Ebu (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:50 -0500
Received: from mail-pl1-f193.google.com ([209.85.214.193]:35755 "EHLO
 mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1729146AbeK2Ebu (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:50 -0500
Received: by mail-pl1-f193.google.com with SMTP id p8so7426105plo.2
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=5iqaxsLDLybvVYVXmsKBWOon7Y0B0MItaK3FQ7fOqzo=;
 b=RlFFLXoGnf5dtBAx49UMkKpTP1TjMkBQWSxKEv+Rx+cvAzwHqBgCBpUR6Dd0vTSnr/
 fNbQv+Vkmsuv/iSWa5jftMMC9K38rgnqLMGPesUyNdJfpvr6zgSrLiAnoPmygv4imGOE
 RfRnn3wfDwE1oV3BdoGCik1kl3gJRBhR9TWhc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=5iqaxsLDLybvVYVXmsKBWOon7Y0B0MItaK3FQ7fOqzo=;
 b=PkrogHGQc4FLvtEaK2hYPrJGUEzIKI774fa0BWNd+LVP0Idj31S0X5O7/ChpPQu4rV
 shzEwEatReeHUhmrXd0WpiR/Qem5r2QmnCfvJuBWHbJPN9vLF0gP0nr1cH13Jz7aTXPM
 zdgzUxV5NpJhkSlWiq8oR2AYUQNcPp2msLHdM/mQMP1Hlze+VlMq5MZrkgVXVpSuUZIP
 kjz8VK+yAyPkfgCkILjlmrC9a3WBhtJESE7wWr+q+PGymcshIyEgQPZLNMQcr0sz7lYy
 ipI0EHe8N/V3/eO0nz2noC2bsglmVabFo1OMxUfhykgDwdcniWwnl7PhjnbjW70/D7/p
 08vg==
X-Gm-Message-State: AA+aEWa0dxDHSMlfPT46IuH2S3mzMs5WAmihAcIs5t/RgfZUO7flVWyI
 f6y8j/JarZLYSPiBh/dfwKkOzg==
X-Received: by 2002:a17:902:bb05:: with SMTP id
 l5mr21802583pls.230.1543426167237; 
 Wed, 28 Nov 2018 09:29:27 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.24
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:26 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Yaniv Gardi <ygardi@codeaurora.org>,
 Subhash Jadavani <subhashj@codeaurora.org>,
 "Martin K . Petersen" <martin.petersen@oracle.com>
Subject: [PATCH for-4.4.y 05/10] scsi: ufs: fix bugs related to null pointer
 access and array size
Date: Wed, 28 Nov 2018 22:59:04 +0530
Message-Id: <1543426149-7269-6-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Yaniv Gardi <ygardi@codeaurora.org>

commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream.

In this change there are a few fixes of possible NULL pointer access and
possible access to index that exceeds array boundaries.

Signed-off-by: Yaniv Gardi <ygardi@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

[AmitP: Rebased for linux-4.4.y]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/scsi/ufs/ufs.h    |  3 ++-
 drivers/scsi/ufs/ufshcd.c | 25 +++++++++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)

-- 
2.7.4

diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h
index 42c459a9d3fe..ce5234555cc9 100644
--- a/drivers/scsi/ufs/ufs.h
+++ b/drivers/scsi/ufs/ufs.h
@@ -45,6 +45,7 @@
 #define QUERY_DESC_MIN_SIZE       2
 #define QUERY_OSF_SIZE            (GENERAL_UPIU_REQUEST_SIZE - \
 					(sizeof(struct utp_upiu_header)))
+#define RESPONSE_UPIU_SENSE_DATA_LENGTH	18
 
 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\
 			cpu_to_be32((byte3 << 24) | (byte2 << 16) |\
@@ -383,7 +384,7 @@ struct utp_cmd_rsp {
 	__be32 residual_transfer_count;
 	__be32 reserved[4];
 	__be16 sense_data_len;
-	u8 sense_data[18];
+	u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH];
 };
 
 /**
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 8c58adadb728..0663cd6a19d3 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -813,10 +813,14 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp)
 	int len;
 	if (lrbp->sense_buffer &&
 	    ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) {
+		int len_to_copy;
+
 		len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len);
+		len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len);
+
 		memcpy(lrbp->sense_buffer,
 			lrbp->ucd_rsp_ptr->sr.sense_data,
-			min_t(int, len, SCSI_SENSE_BUFFERSIZE));
+			min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE));
 	}
 }
 
@@ -5251,7 +5255,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend);
 
 int ufshcd_system_resume(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev))
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered || pm_runtime_suspended(hba->dev))
 		/*
 		 * Let the runtime resume take care of resuming
 		 * if runtime suspended.
@@ -5272,7 +5279,10 @@ EXPORT_SYMBOL(ufshcd_system_resume);
  */
 int ufshcd_runtime_suspend(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered)
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered)
 		return 0;
 
 	return ufshcd_suspend(hba, UFS_RUNTIME_PM);
@@ -5302,10 +5312,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend);
  */
 int ufshcd_runtime_resume(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered)
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered)
 		return 0;
-	else
-		return ufshcd_resume(hba, UFS_RUNTIME_PM);
+
+	return ufshcd_resume(hba, UFS_RUNTIME_PM);
 }
 EXPORT_SYMBOL(ufshcd_runtime_resume);
 

From patchwork Wed Nov 28 17:29:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152333
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365284ljp;
 Wed, 28 Nov 2018 09:29:43 -0800 (PST)
X-Google-Smtp-Source: AFSGD/UPEML6HbWpqtBB/biBbSEF/mr9ZLDdZN6SbMmVWb353qZHKL+35p5Vn5k1u0OKcZVULSmR
X-Received: by 2002:a17:902:24a2:: with SMTP id
 w31mr29891891pla.216.1543426182897; 
 Wed, 28 Nov 2018 09:29:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426182; cv=none;
 d=google.com; s=arc-20160816;
 b=f0kQZ1IALMJ0828Ne1Ayh1Fh/KHwL9YHmuIvsZNUcblMkZ5k6pXIp843e7D/8P/dZD
 Y7986UrhgxPy6aQeBpExmAWEbhFPX4YZNuMt/WcKz68O2H6f8pvnWgE0celtuAGWieWe
 9QZ2O33oeE5c5Y5kHtii/DFoxKg5oy1J1IhsTHQN2tkp4OpYsp6f7OgShMzsqTaTk2NY
 NbH8ivIjHZYXfe5YkBGF0uqHndqEsION0UvbcHBy7UkQ4/Uv/GNh0gQIQEgTSMpPwLu9
 OkI8juAH1AdR3kQoz0fYunrDsJnHI4kamjplmQ0PHwpbowKyxqVz7J9WegE80OjzHNrF
 Je2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=N3egUvauHlEBQ9wo5Dw6ioaQObaRoP202KZWqV+44oI=;
 b=egsnGHyGo3Nk7JA4JkzEHO09VSU0ogsINimnx5/ftXwQWz9ozrkb8zu4Z3lrFsCpMe
 NskIyREGu3FJphxFOkd2dx/M5H9wXOB0Uf8TIUW0tJ7Ib1xl/6DeYCQ9GZCFPESJ/ieS
 fULDtqMKkMQxBuTe5xL4p9DaxFo6uAdOr55RVeX5eGaXq6K6+Tc4m6r3DgZFZNozgj5U
 a77zme2+I2gg7YBigmumHqmnLFZGfyy4TlsQwfPm4Ddq6TitUREHm2p1PO6sOPix5EPG
 TPUuYulEZF/8CFLQbeTMkhaaqFTtZBQb6DHf9Av3iV7ej2hxw3alzPYHYJAVNUQRW6oB
 2MAA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=Le7XyBZx;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.40; 
 Wed, 28 Nov 2018 09:29:42 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=Le7XyBZx;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729242AbeK2Ebx (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:53 -0500
Received: from mail-pg1-f195.google.com ([209.85.215.195]:37473 "EHLO
 mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1729146AbeK2Ebx (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:53 -0500
Received: by mail-pg1-f195.google.com with SMTP id 80so9804589pge.4
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=N3egUvauHlEBQ9wo5Dw6ioaQObaRoP202KZWqV+44oI=;
 b=Le7XyBZxvrpVG1JoFi8+s61JFzXVLszWYilUZyazfh00LrmtfhnH5qiNDIKw4tLuNZ
 HxKXvz8OGfQRxlvKrSf63+a24w6zOulOcPKlrhXCVF+8cWxkh64NTk1iUY+pvf+kPxC2
 YMEuLvzGZ0e7PoUpqgKAEb5amDr9Xefx6pK2A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=N3egUvauHlEBQ9wo5Dw6ioaQObaRoP202KZWqV+44oI=;
 b=ugFZM0xP76uCN6A9q9KZzV8Edo1mOs6D4mj/Zz3VZyP1BHOTNKnMEUd7pbSbyegNrl
 CJpsTlfBxx5O6aV+hIuG6KKhVmMjBTPmQFCf6eBHBVDBSeVmrAwt7G4+AOynavx0C+Zm
 5O6kBOAPaGBHhlFnOGRzGVfC2vi+IitY4+Eanv5Nqf7blXd22dz8dg37bUl6ZChoqaiX
 pvdTDIweVzFlL9LkTg4IHmGVH83zornj/sxZBW15XB+W1Q9ygVNKYUBfXuMpf5KZGuhU
 iSQ3nseO1rIrp+9arIzSLrcqUkSjKWQGx2Lc/Ow85Vk8tROv3/WwzwMWubeuDTs8tuvj
 tUmg==
X-Gm-Message-State: AGRZ1gL8DcdXU3LOFdMgnIrkNmK5LHXiXQirRFynq6aO1GDwllgCzcCf
 FbRzHd+lagQORhRqZGkM3q9Z7g==
X-Received: by 2002:a62:f54f:: with SMTP id n76mr38370778pfh.59.1543426170026; 
 Wed, 28 Nov 2018 09:29:30 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.27
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:29 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
 Venkat Gopalakrishnan <venkatg@codeaurora.org>,
 Subhash Jadavani <subhashj@codeaurora.org>,
 "Martin K . Petersen" <martin.petersen@oracle.com>
Subject: [PATCH for-4.4.y 06/10] scsi: ufshcd: Fix race between clk scaling
 and ungate work
Date: Wed, 28 Nov 2018 22:59:05 +0530
Message-Id: <1543426149-7269-7-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Venkat Gopalakrishnan <venkatg@codeaurora.org>

commit f2a785ac23125fa0774327d39e837e45cf28fe92 upstream.

The ungate work turns on the clock before it exits hibern8, if the link
was put in hibern8 during clock gating work.  There occurs a race
condition when clock scaling work calls ufshcd_hold() to make sure low
power states cannot be entered, but that returns by checking only
whether the clocks are on.  This causes the clock scaling work to issue
UIC commands when the link is in hibern8 causing failures. Make sure we
exit hibern8 state before returning from ufshcd_hold().

Callstacks for race condition:

 ufshcd_scale_gear
 ufshcd_devfreq_scale
 ufshcd_devfreq_target
 update_devfreq
 devfreq_monitor
 process_one_work
 worker_thread
 kthread
 ret_from_fork

 ufshcd_uic_hibern8_exit
 ufshcd_ungate_work
 process_one_work
 worker_thread
 kthread
 ret_from_fork

Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/scsi/ufs/ufshcd.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.7.4

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 0663cd6a19d3..e4c940981eef 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -585,6 +585,21 @@ int ufshcd_hold(struct ufs_hba *hba, bool async)
 start:
 	switch (hba->clk_gating.state) {
 	case CLKS_ON:
+		/*
+		 * Wait for the ungate work to complete if in progress.
+		 * Though the clocks may be in ON state, the link could
+		 * still be in hibner8 state if hibern8 is allowed
+		 * during clock gating.
+		 * Make sure we exit hibern8 state also in addition to
+		 * clocks being ON.
+		 */
+		if (ufshcd_can_hibern8_during_gating(hba) &&
+		    ufshcd_is_link_hibern8(hba)) {
+			spin_unlock_irqrestore(hba->host->host_lock, flags);
+			flush_work(&hba->clk_gating.ungate_work);
+			spin_lock_irqsave(hba->host->host_lock, flags);
+			goto start;
+		}
 		break;
 	case REQ_CLKS_OFF:
 		if (cancel_delayed_work(&hba->clk_gating.gate_work)) {

From patchwork Wed Nov 28 17:29:06 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152334
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365319ljp;
 Wed, 28 Nov 2018 09:29:45 -0800 (PST)
X-Google-Smtp-Source: AFSGD/VtRdfw8jOF99wEOO06ugpSajY7ZfcjF5HsOQOZ0B4KYFykhCbZ+/D2cWEZgj32JkiC7bxj
X-Received: by 2002:a63:1848:: with SMTP id 8mr33446603pgy.81.1543426184862; 
 Wed, 28 Nov 2018 09:29:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426184; cv=none;
 d=google.com; s=arc-20160816;
 b=B8FwenRJfDnPR0lpJK51JY29IEBeTGo1Nc4OKvzkEgDquiDnfYtA4s270mK3IcwSKq
 1ZD2N75z1SXv0peTyTFTM2fCzbo13KmzBzk5ItiU2u8/54TK3nRbOdj/HLcEtZJ3Dbuv
 ZVQZ0wJMRpwBFIZz0R1lhuRDLoCd0VFCvbmOjVS+Rmwy9H2zEgR0JKSPjfMrTbQo+Owq
 g0SPaTyotxAFkyoTaxBHDjD3MnytZfNho69Cc53neQtJQYW3H7bMqRspsVjGvKqij3nU
 J206s3wBfgvu/qzqFAaAV90oc8fA904ZaD14oizCDhf3QCXojquQJBy7qO8Obffea+XE
 TCRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=LuYV04xf2VaeiAbwYrHwiwyRFNXi/572nwcB8vYvZDI=;
 b=v+Q3QAlfM8hxRoYJ8jt23vBI9gUfBsoCzWMz2pJrSru/vV/45VOSYRvIk6TgdU/1DM
 j+B6XQ6zALZakP8YA2zeD/h0ipjYuA5XFLH82aJ7ne81vNM1qxkuwd8VY/14IE/d/qEQ
 uUQ282WLH7sQV5/YcaplCriO/tpnxQQ4QRZBnJ0A2fpfmRiJeU10H3tnUidSdl7C3e6e
 AIt5d+oYpTWwLUsCNCEucY1crZ/WaUbsK4VqgSIcTXB683JFRZSbOwy6gWXNwpqFx1r3
 oJC25Eg95g7/DeNRppeAQrW1DhyyksPDGW1wWYcqHydNLC+Kr77MG5QWCuQfhlXEudMd
 hNrQ==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=PHakFSM7;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.42; 
 Wed, 28 Nov 2018 09:29:44 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=PHakFSM7;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1727867AbeK2Eb4 (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:56 -0500
Received: from mail-pg1-f193.google.com ([209.85.215.193]:41223 "EHLO
 mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728851AbeK2Ebz (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:55 -0500
Received: by mail-pg1-f193.google.com with SMTP id 70so9787663pgh.8
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=LuYV04xf2VaeiAbwYrHwiwyRFNXi/572nwcB8vYvZDI=;
 b=PHakFSM7VqELLGvrCqaSNcgCExuqbf9bFtwkUDMBfGW7UfKq1Q6sOVxszocWeRDVLh
 HMMxEQg4tfdvBDLMVYRfxVmIHFePC/bUiLva6XazdIaMj9yzZW3GZDVVpVNnwyS9CDg/
 vJ3XvhqK4aHwXG5Nej1Ra/R6aoXxwj3GgJxiA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=LuYV04xf2VaeiAbwYrHwiwyRFNXi/572nwcB8vYvZDI=;
 b=qubU3k2EHgb/M2B0cRGWYt1k+lb8oE1wIJYz8Hml+W4LuOOuH5QMS0LNAsAZHMmVYP
 /msVd319sAFqm1DMJSkmeDQTfYodYTfzxKx7E9B9DSFZjGBWYEnN8fzVuOeoh2kz3azs
 2SkC9VsoWCBn3hnCbW36+yKLBRE8ZHFX0/tLpg5WAjZZdqcGV+yVwZ4gE2zu55KbgY5F
 SXgo0ffAGH52rRDGyf+iRY4z+wpe1TfcITIGNvkMrQEaXz0xIcOw+c8T+gFLjoXOSmyW
 Qro4XjXQ3tq88nOF2h+iOZEYNMlKhkOHnEWHJ6AAhlgQFsDiGkgUrTlLXmCoN4rPHT+f
 VsIw==
X-Gm-Message-State: AGRZ1gKsENlNfnKDen+mOAekfW3YYHG/WF9ND5c1U0hy7nSpuyGH6Uy2
 RR8o0R2YQuh+wL0AinvqE6pMJLKnBkQ=
X-Received: by 2002:a62:e30d:: with SMTP id
 g13mr38065519pfh.151.1543426172599; 
 Wed, 28 Nov 2018 09:29:32 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.30
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:31 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
 Subhash Jadavani <subhashj@codeaurora.org>,
 "Martin K . Petersen" <martin.petersen@oracle.com>
Subject: [PATCH for-4.4.y 07/10] scsi: ufs: fix race between clock gating
 and devfreq scaling work
Date: Wed, 28 Nov 2018 22:59:06 +0530
Message-Id: <1543426149-7269-8-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Subhash Jadavani <subhashj@codeaurora.org>

commit 30fc33f1ef475480dc5bea4fe1bda84b003b992c upstream.

UFS devfreq clock scaling work may require clocks to be ON if it need to
execute some UFS commands hence it may request for clock hold before
issuing the command. But if UFS clock gating work is already running in
parallel, ungate work would end up waiting for the clock gating work to
finish and as clock gating work would also wait for the clock scaling
work to finish, we would enter in deadlock state. Here is the call trace
during this deadlock state:

Workqueue: devfreq_wq devfreq_monitor
	__switch_to
	__schedule
	schedule
	schedule_timeout
	wait_for_common
	wait_for_completion
	flush_work
	ufshcd_hold
	ufshcd_send_uic_cmd
	ufshcd_dme_get_attr
	ufs_qcom_set_dme_vs_core_clk_ctrl_clear_div
	ufs_qcom_clk_scale_notify
	ufshcd_scale_clks
	ufshcd_devfreq_target
	update_devfreq
	devfreq_monitor
	process_one_work
	worker_thread
	kthread
	ret_from_fork

Workqueue: events ufshcd_gate_work
	__switch_to
	__schedule
	schedule
	schedule_preempt_disabled
	__mutex_lock_slowpath
	mutex_lock
	devfreq_monitor_suspend
	devfreq_simple_ondemand_handler
	devfreq_suspend_device
	ufshcd_gate_work
	process_one_work
	worker_thread
	kthread
	ret_from_fork

Workqueue: events ufshcd_ungate_work
	__switch_to
	__schedule
	schedule
	schedule_timeout
	wait_for_common
	wait_for_completion
	flush_work
	__cancel_work_timer
	cancel_delayed_work_sync
	ufshcd_ungate_work
	process_one_work
	worker_thread
	kthread
	ret_from_fork

This change fixes this deadlock by doing this in devfreq work (devfreq_wq):
Try cancelling clock gating work. If we are able to cancel gating work
or it wasn't scheduled, hold the clock reference count until scaling is
in progress. If gate work is already running in parallel, let's skip
the frequecy scaling at this time and it will be retried once next scaling
window expires.

Reviewed-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/scsi/ufs/ufshcd.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

-- 
2.7.4

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index e4c940981eef..7e6ba17d61f8 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -5511,15 +5511,47 @@ static int ufshcd_devfreq_target(struct device *dev,
 {
 	int err = 0;
 	struct ufs_hba *hba = dev_get_drvdata(dev);
+	bool release_clk_hold = false;
+	unsigned long irq_flags;
 
 	if (!ufshcd_is_clkscaling_enabled(hba))
 		return -EINVAL;
 
+	spin_lock_irqsave(hba->host->host_lock, irq_flags);
+	if (ufshcd_eh_in_progress(hba)) {
+		spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+		return 0;
+	}
+
+	if (ufshcd_is_clkgating_allowed(hba) &&
+	    (hba->clk_gating.state != CLKS_ON)) {
+		if (cancel_delayed_work(&hba->clk_gating.gate_work)) {
+			/* hold the vote until the scaling work is completed */
+			hba->clk_gating.active_reqs++;
+			release_clk_hold = true;
+			hba->clk_gating.state = CLKS_ON;
+		} else {
+			/*
+			 * Clock gating work seems to be running in parallel
+			 * hence skip scaling work to avoid deadlock between
+			 * current scaling work and gating work.
+			 */
+			spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+			return 0;
+		}
+	}
+	spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+
 	if (*freq == UINT_MAX)
 		err = ufshcd_scale_clks(hba, true);
 	else if (*freq == 0)
 		err = ufshcd_scale_clks(hba, false);
 
+	spin_lock_irqsave(hba->host->host_lock, irq_flags);
+	if (release_clk_hold)
+		__ufshcd_release(hba);
+	spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+
 	return err;
 }
 

From patchwork Wed Nov 28 17:29:07 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152335
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365438ljp;
 Wed, 28 Nov 2018 09:29:51 -0800 (PST)
X-Google-Smtp-Source: AJdET5dcqLTL1UsjQa+fLygtKZp38HJ5pDot8HonrGixGqe3PldAZ4c225evzuEjarlW+OsYKndb
X-Received: by 2002:a62:1bd7:: with SMTP id
 b206mr38206324pfb.213.1543426191332; 
 Wed, 28 Nov 2018 09:29:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426191; cv=none;
 d=google.com; s=arc-20160816;
 b=hEfombqF6VHmbz668M7K6sOKCBFBoPs2Ns9fuy3+KBbRmFRf89O3VaowiuXIiokbbO
 3BrANEW3Y0gV+sg0AceU2uaCRZcAuPqBBAbkKti3FOIaUiqL0sE4bWnOv+5bQCCqjWwS
 jkXgaOdQzLRa7jFXlE7Mfc7P/KJZEt68EPog6sKGrv37BcUztjNLlWD0takc+6TjP93x
 tN4vVYMbzecIhJGxUL7eYxf1NncVDiLPiOc7lvNe2f2dlgbBgYlonWtMhOPj4oNBuAmJ
 fOVa4LngnfLIgUBMcL+DMiiRF81a5rwJE6CSyY9bIOVwA/OGWZ+k19LWAR+RKhWDzguQ
 /BgA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=oNfle6BJJL/abhwvbAjuPo0YAKVv6bEVgWcrMpvab24=;
 b=GT2+gjMKLg00JVErqwv6lJH5BSgh1qBnbZ9xN5BkoVMODMoQDhhdP65dgI+LZkBygC
 RZdDsvZlT1MAB3GrZR41Pa6zkkpoKpuRqTuJky+xRONA3VfZA0A700gMBKhmHl/NdBif
 vmMZKjXpwTLPAlo/f/RtvSItnjgUPQuFH4kmzz91A7EKoQZkhDOz6/R9jUFVchldBRin
 rti7gDKzNUwYLhiHaem6M4EtJyAHAESoDk+yADMZZkgokqp88uzVoYvgBfy4nBigF01I
 vu4pwdZ2Qxwe691HSQMPlHm6M5vaPXEZnuomghUl+e/grNbm92nT2LS3C0dHTSvZ1aqv
 tq7A==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=NwPrWMn2;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.49; 
 Wed, 28 Nov 2018 09:29:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=NwPrWMn2;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729263AbeK2Eb7 (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:31:59 -0500
Received: from mail-pg1-f195.google.com ([209.85.215.195]:43808 "EHLO
 mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728851AbeK2Eb6 (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:31:58 -0500
Received: by mail-pg1-f195.google.com with SMTP id v28so9785962pgk.10
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=oNfle6BJJL/abhwvbAjuPo0YAKVv6bEVgWcrMpvab24=;
 b=NwPrWMn2Itq4uIjI4cCgsOmopK9HygdkwogSYSMmetqASCV1F17MwgHz4Fh3xnF2Lc
 V2rc/cSwfkBxToDe+tEjYctdqpHWfpQTZM2SG4zfFe+ZE2q9YgyLgWev2kJXJsFuENCx
 YzdcfdLhueGSWf9RXSvfCU6BJMyHr4+/BB05k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=oNfle6BJJL/abhwvbAjuPo0YAKVv6bEVgWcrMpvab24=;
 b=GcvLZXJ5B+uvXcyOpCqAELd+4S1GzsjTkXYr5ajAa/M2oOk8XPiYZAiD7cK1dcmSRc
 ElkauyCJGd/28uIsL2kZMnbK6kM6FiG6T0mah9y5KImYf3L5QPfReBTnW6O7xsNXaiTl
 ZTLZteTCfl7Dj/B1bhDXU72k4WmPscu7plo/I2IIabA93Cpdannxvf4chjdhZMaCggnQ
 8YJGCK/+nIiuT5s/DFiruTwhZO2OSY7mmwr4NPWIMIF7vxcPiFn2uFO7Y+1umHaDO3G3
 7S8+y/3UFM6gB+nInzJp7IBA/3WRjzwobx3Xf4p1E2C/gYrY8W8yNsku3VlnlP21yyzG
 dOtA==
X-Gm-Message-State: AA+aEWZ1DGqR+H1RSANU6b5qitP7AOxYVm39UaVtUQcC3kmAj04gSqTo
 uPPt+RwDfAh0B16N6B2JeGJiIg==
X-Received: by 2002:a63:680a:: with SMTP id
 d10mr34279888pgc.396.1543426175145; 
 Wed, 28 Nov 2018 09:29:35 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.32
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:34 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
 Subhash Jadavani <subhashj@codeaurora.org>,
 "Martin K . Petersen" <martin.petersen@oracle.com>
Subject: [PATCH for-4.4.y 08/10] scsi: ufshcd: release resources if probe fails
Date: Wed, 28 Nov 2018 22:59:07 +0530
Message-Id: <1543426149-7269-9-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Subhash Jadavani <subhashj@codeaurora.org>

commit afa3dfd42d205b106787476647735aa1de1a5d02 upstream.

If ufshcd pltfrm/pci driver's probe fails for some reason then ensure
that scsi host is released to avoid memory leak but managed memory
allocations (via devm_* calls) need not to be freed explicitly on probe
failure as memory allocated with these functions is automatically freed
on driver detach.

Reviewed-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

[AmitP: Rebased for linux-4.4.y]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/scsi/ufs/ufshcd-pci.c    | 2 ++
 drivers/scsi/ufs/ufshcd-pltfrm.c | 5 +----
 drivers/scsi/ufs/ufshcd.c        | 3 ---
 3 files changed, 3 insertions(+), 7 deletions(-)

-- 
2.7.4

diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c
index d15eaa466c59..52b546fb509b 100644
--- a/drivers/scsi/ufs/ufshcd-pci.c
+++ b/drivers/scsi/ufs/ufshcd-pci.c
@@ -104,6 +104,7 @@ static void ufshcd_pci_remove(struct pci_dev *pdev)
 	pm_runtime_forbid(&pdev->dev);
 	pm_runtime_get_noresume(&pdev->dev);
 	ufshcd_remove(hba);
+	ufshcd_dealloc_host(hba);
 }
 
 /**
@@ -147,6 +148,7 @@ ufshcd_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	err = ufshcd_init(hba, mmio_base, pdev->irq);
 	if (err) {
 		dev_err(&pdev->dev, "Initialization failed\n");
+		ufshcd_dealloc_host(hba);
 		return err;
 	}
 
diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
index 9714f2a8b329..f58abfcdfe81 100644
--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
+++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
@@ -161,7 +161,7 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name,
 	if (ret) {
 		dev_err(dev, "%s: unable to find %s err %d\n",
 				__func__, prop_name, ret);
-		goto out_free;
+		goto out;
 	}
 
 	vreg->min_uA = 0;
@@ -183,9 +183,6 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name,
 
 	goto out;
 
-out_free:
-	devm_kfree(dev, vreg);
-	vreg = NULL;
 out:
 	if (!ret)
 		*out_vreg = vreg;
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 7e6ba17d61f8..c94d465de941 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -5385,8 +5385,6 @@ void ufshcd_remove(struct ufs_hba *hba)
 	ufshcd_disable_intr(hba, hba->intr_mask);
 	ufshcd_hba_stop(hba);
 
-	scsi_host_put(hba->host);
-
 	ufshcd_exit_clk_gating(hba);
 	if (ufshcd_is_clkscaling_enabled(hba))
 		devfreq_remove_device(hba->devfreq);
@@ -5733,7 +5731,6 @@ exit_gating:
 	ufshcd_exit_clk_gating(hba);
 out_disable:
 	hba->is_irq_enabled = false;
-	scsi_host_put(host);
 	ufshcd_hba_exit(hba);
 out_error:
 	return err;

From patchwork Wed Nov 28 17:29:08 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152336
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365473ljp;
 Wed, 28 Nov 2018 09:29:53 -0800 (PST)
X-Google-Smtp-Source: AFSGD/X7iRtd2PsfjISuvHkg6qQ40eA2II8wGJVO+2C1ynK9Nzviv2OknQWcAIR9omyrRQeb36g4
X-Received: by 2002:a17:902:a98c:: with SMTP id
 bh12mr1504332plb.31.1543426193454; 
 Wed, 28 Nov 2018 09:29:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426193; cv=none;
 d=google.com; s=arc-20160816;
 b=KPv3W0UkwwoloMFPWvz3jvnjo9DvdwuV/aca2UYQwtBi5Az19zcJ1ePFzHqTdVjjfZ
 xdZZXnGZm1EPXz8ci9qicHr5yLkfsYVH5jKDF/KEdbBcMD0xeJuSmDSxbRFF9Mn1MDUd
 Yyor+/liNEn0v0nORVEk1utvXrEyi4DlPs7nbMXCNf6jBNE4wmLJuS0bTWMTvrgPpy7m
 pXeJ8V9nuCiDcf93MD27AAZDgkGVEB5SZXWkBnKO/0W3Q3z/Viq3Iz4asri3GWJAdaIb
 WL2KRdG5WKTrmDviq4RX8u9ND6qG9KDaLUGlVg4+OJpIez+O7gMLOiz1wuj1Dt0TP/FP
 dLvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=Tv+VMU/fdIkd9+az64ZS9UaXO8LTOU3YtYa3BKSR1yY=;
 b=qUTyMnfggsIJTWx//pZppLEq871JhdfmNtRTtK/kVbD9X+4XGgIGhFUtsvxcBHHVDr
 cMv5zl/SpWk1DTNSr/pWA2obyBYC/ljKAG//H1p0tzS/vX8ZK60cMzRv2lsxImWUcfMk
 7P9U/hPjm1yMiWAIVkz1h9KaIz7E1NPOm8IL6c4hll5z28kaLhHixGPQsy7KMq0HBa8b
 pZK9MIy+dVfHCjMTlAw2M6c6YxDoKGLLzwOCxZmeqGdWKrI6nz1Val1ky2dqg9ElTCX/
 bzKI2uW0kaRmlIwdxbiGdvPmHuThxVuuSc5rBNA0Cphfw78wks7GLVFVrBsqXHTAXOvD
 iaOA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=ZU23Vr0i;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.51; 
 Wed, 28 Nov 2018 09:29:53 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=ZU23Vr0i;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1729264AbeK2EcB (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:32:01 -0500
Received: from mail-pg1-f195.google.com ([209.85.215.195]:42240 "EHLO
 mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728851AbeK2EcA (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:32:00 -0500
Received: by mail-pg1-f195.google.com with SMTP id d72so9785863pga.9
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=Tv+VMU/fdIkd9+az64ZS9UaXO8LTOU3YtYa3BKSR1yY=;
 b=ZU23Vr0i897xMZd6BysUfqCtfPVHY2y2N7aLkLaifz5c+V1CyrTNMI2Q6tQXUfFsFC
 voO317m2v/XATPEc+qnRv/NTTg66RXA41FNQ6R70SAE5yQFM9mj9EYrJXk6slSZOGPDe
 aWwqr5qBXwLtobZf45nvt7Fvc21nDub8jaRZg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=Tv+VMU/fdIkd9+az64ZS9UaXO8LTOU3YtYa3BKSR1yY=;
 b=Qa89sh9q8j+rA18frXi3vUiMouUQC9YSW5WdFLewF1y06cDDGVUmmF7QfxekX78hdf
 0EkBrW4Amauj1IO/37qdPAm0MAAg1O81LJT2xCFGlrJKw9WV6iDm+LObFx50+HbsvSqk
 eG1Jd1xB7liLUGg5FSpZCfvu+S6Lo0iCzLK4ypnKHoTp7sI0dpLKX0q/DUxXdznsUus4
 qXZfNgCO5RbjKk4GjExbdhoZW75TlKp2JLdWRdx4pWzkbo26L9rOLbnT1a2dOFn+SzrS
 iIoRSS7Rn5Ys7G3adSoIxIsQE6Vx8wOyYKR5woQ/oqTQuEDRuP3wDOo11EWXbcQwzgpB
 FCgA==
X-Gm-Message-State: AGRZ1gJiWc1WSso1DPS6Rg01assByiHQcD0j8noaH5IyedW8A4ZTo3xj
 1HnX/r3a3dJKvw0Qu6pe36Aasg==
X-Received: by 2002:a62:8a51:: with SMTP id y78mr37900029pfd.35.1543426177631; 
 Wed, 28 Nov 2018 09:29:37 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.35
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:36 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
 Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>,
 "Martin K . Petersen" <martin.petersen@oracle.com>
Subject: [PATCH for-4.4.y 09/10] scsi: qla2xxx: do not queue commands when
 unloading
Date: Wed, 28 Nov 2018 22:59:08 +0530
Message-Id: <1543426149-7269-10-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>

commit 04dfaa53a0b6e66b328a5bc549e3af8f8b6eac02 upstream.

When the driver is unloading, in qla2x00_remove_one(), there is a single
call/point in time to abort ongoing commands, qla2x00_abort_all_cmds(),
which is still several steps away from the call to scsi_remove_host().

If more commands continue to arrive and be processed during that
interval, when the driver is tearing down and releasing its structures,
it might potentially hit an oops due to invalid memory access:

    Unable to handle kernel paging request for data at address 0x00000138
    <...>
    NIP [d000000004700a40] qla2xxx_queuecommand+0x80/0x3f0 [qla2xxx]
    LR [d000000004700a10] qla2xxx_queuecommand+0x50/0x3f0 [qla2xxx]

So, fail commands in qla2xxx_queuecommand() if the UNLOADING bit is set.

Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/scsi/qla2xxx/qla_os.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
2.7.4

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 18b19744398a..ff5df33fc740 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -685,6 +685,11 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
 	srb_t *sp;
 	int rval;
 
+	if (unlikely(test_bit(UNLOADING, &base_vha->dpc_flags))) {
+		cmd->result = DID_NO_CONNECT << 16;
+		goto qc24_fail_command;
+	}
+
 	if (ha->flags.eeh_busy) {
 		if (ha->flags.pci_channel_io_perm_failure) {
 			ql_dbg(ql_dbg_aer, vha, 0x9010,

From patchwork Wed Nov 28 17:29:09 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152338
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365628ljp;
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
X-Google-Smtp-Source: AFSGD/X0Oz0ZyKv+fZz+vBB0eyuy4IdpjprnBX7oGaXosEDTK1dInU6fMUt6n5ZU/IBt23g4O91Q
X-Received: by 2002:a17:902:d905:: with SMTP id
 c5mr36922103plz.43.1543426201749; 
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426201; cv=none;
 d=google.com; s=arc-20160816;
 b=uf12OVnwcnAyiDCk3CDRo0RfjqV2PNzkxDqsohv0cwHX/uJCxH8+mwWYWfeyGrXwt4
 KeHJw6PjfAWfMhYu0jEoVsv8pNk/gbYI9psUa3A4NfvdvC3WiOGZhRzPB+kwsRsXQ3yd
 1TGuuYKqtsEnTro1Bg5mCEMB12gigcMMzBodpl/S8W9rE/rSFwASpjDCp/6LMWq5PzXS
 7nNbheWGAuInKbHqbFplCWt0ZstWYitUqKxLBYjlZsQeTMw13SPYozCL5gQ2MeVW5z2a
 89mA15u9pM2NT7B2SO4zBwD0dZCnxAwEhbToV88o6UNHjpy6h1u50I6FhoFLq2uA28XB
 5spg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=j6BGw9T2BDpAZAHVl0gHB38Ob83fnAdhZXdYX6L7tLct+4GCRI58hfvX2GREN2I1ri
 584pUMvDPa+C8o/D3UsOO17B7S1NZHUXrgeHXGOz8WLlZqA7ZmBo5F3FVUWy60z2chB6
 kITLAY1QuUyaqQiZwbp1COhbMnl/X9WPRLtiUJCL5ZUektk1A59aznC0ubgf77PE+Igi
 fteTnlo4fYBXU2bMp7eCU9PKxgx5nyJR+PmbF3hMp+FPZHh2kgLxcV1ry3p4SubtGIQR
 WmN76NYUG1X/1mYpQMhURoSWE+hTNBetl2pK86/Qew7Tnfr+BrcCWVwJZlVfx3qGndlY
 pGKA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=fwgXja0u;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.59; 
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=fwgXja0u;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1728851AbeK2EcE (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:32:04 -0500
Received: from mail-pl1-f193.google.com ([209.85.214.193]:38123 "EHLO
 mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728743AbeK2EcD (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:32:03 -0500
Received: by mail-pl1-f193.google.com with SMTP id e5so17710868plb.5
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=fwgXja0uMzZ5YXFKTCl5E7D0YOyuHAxCqWEpLRfT0TiGuxdweuofDW81wHMqasY9dc
 WaV/UEDHtXyTHW17Gu14jJAoeb4DC9HxiguQx0E8lIrnayAW4aLIrnZFyVyTLlnD2/uX
 V8yVWilLDsuToC7M3asjcopfRSXrdZp0teQRo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=bVg/o/789JGsyqkVRSaF247XjAQMLMcei7iOKNUu+fRhOCSSuFQZ56n8fE2dFrpHXY
 WmCDUz4nfhHjmoPncVIpI7TKuft5qOkyhdY0rlCFDYMpQDFuZzMxSz06DqXpBcwQU/vQ
 Rqm15a5KE+s17MizGdd1jwbY8KXGc8wZmCYJmfJTXM6H3Xt8QZ8fycEeEBTs6/+xXq5x
 kfAsMof8fCj30NE9AixFZ4qokUScUa3kWRl+Kmsy/6pu3DqwK7o3gR+45zl9RUlMwgBj
 i5wXWgWWyNesL2f03iJRfQ7YqMbvYtdE2lns+V/CGIw9Fx/npW+rhkepFNQHvw3PsHHh
 G7cw==
X-Gm-Message-State: AA+aEWb6Pdh/66Np6c2w9ONcIXf6y+T6RG1FSl6JnuGVDIX2Sy6bSW/n
 aodYLeDmAQ17khgMm1DMjv7oJUbCfUk=
X-Received: by 2002:a17:902:b701:: with SMTP id
 d1-v6mr35981611pls.29.1543426180102; 
 Wed, 28 Nov 2018 09:29:40 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.37
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:39 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Liping Zhang <zlpnobody@gmail.com>,
 Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH for-4.4.y 10/10] netfilter: nf_tables: fix oops when
 inserting an element into a verdict map
Date: Wed, 28 Nov 2018 22:59:09 +0530
Message-Id: <1543426149-7269-11-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Liping Zhang <zlpnobody@gmail.com>

commit 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf upstream.

Dalegaard says:
 The following ruleset, when loaded with 'nft -f bad.txt'
 ----snip----
 flush ruleset
 table ip inlinenat {
   map sourcemap {
     type ipv4_addr : verdict;
   }

   chain postrouting {
     ip saddr vmap @sourcemap accept
   }
 }
 add chain inlinenat test
 add element inlinenat sourcemap { 100.123.10.2 : jump test }
 ----snip----

 results in a kernel oops:
 BUG: unable to handle kernel paging request at 0000000000001344
 IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
 [...]
 Call Trace:
  [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
  [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
  [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
  [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
  [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
  [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
  [<ffffffff8132c400>] ? nla_validate+0x60/0x80
  [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]

Because we forget to fill the net pointer in bind_ctx, so dereferencing
it may cause kernel crash.

Reported-by: Dalegaard <dalegaard@gmail.com>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 120e9ae04db3..a7967af0da82 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3452,6 +3452,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		dreg = nft_type_to_reg(set->dtype);
 		list_for_each_entry(binding, &set->bindings, list) {
 			struct nft_ctx bind_ctx = {
+				.net	= ctx->net,
 				.afi	= ctx->afi,
 				.table	= ctx->table,
 				.chain	= (struct nft_chain *)binding->chain,