4.14-stable patches

added patches:
	net-don-t-call-update_pmtu-unconditionally.patch
	powerpc-eeh-fix-race-with-driver-un-bind.patch

diff --git a/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch b/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch
new file mode 100644 (file)
index 0000000..41d46d7
--- /dev/null
+++ b/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch
@@ -0,0 +1,152 @@
+From f15ca723c1ebe6c1a06bc95fda6b62cd87b44559 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 25 Jan 2018 19:03:03 +0100
+Subject: net: don't call update_pmtu unconditionally
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+commit f15ca723c1ebe6c1a06bc95fda6b62cd87b44559 upstream.
+
+Some dst_ops (e.g. md_dst_ops)) doesn't set this handler. It may result to:
+"BUG: unable to handle kernel NULL pointer dereference at           (null)"
+
+Let's add a helper to check if update_pmtu is available before calling it.
+
+Fixes: 52a589d51f10 ("geneve: update skb dst pmtu on tx path")
+Fixes: a93bf0ff4490 ("vxlan: update skb dst pmtu on tx path")
+CC: Roman Kapl <code@rkapl.cz>
+CC: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[backport to 4.14.y by thomas]
+Cc: Thomas Deutschmann <whissi@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/ipoib/ipoib_cm.c |    3 +--
+ drivers/net/vxlan.c                     |    6 ++----
+ include/net/dst.h                       |    8 ++++++++
+ net/ipv4/ip_tunnel.c                    |    3 +--
+ net/ipv4/ip_vti.c                       |    2 +-
+ net/ipv6/ip6_tunnel.c                   |    5 ++---
+ net/ipv6/ip6_vti.c                      |    2 +-
+ net/ipv6/sit.c                          |    4 ++--
+ 8 files changed, 18 insertions(+), 15 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+@@ -1447,8 +1447,7 @@ void ipoib_cm_skb_too_long(struct net_de
+       struct ipoib_dev_priv *priv = ipoib_priv(dev);
+       int e = skb_queue_empty(&priv->cm.skb_queue);
+ 
+-      if (skb_dst(skb))
+-              skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
++      skb_dst_update_pmtu(skb, mtu);
+ 
+       skb_queue_tail(&priv->cm.skb_queue, skb);
+       if (e)
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2158,8 +2158,7 @@ static void vxlan_xmit_one(struct sk_buf
+               if (skb_dst(skb)) {
+                       int mtu = dst_mtu(ndst) - VXLAN_HEADROOM;
+ 
+-                      skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL,
+-                                                     skb, mtu);
++                      skb_dst_update_pmtu(skb, mtu);
+               }
+ 
+               tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+@@ -2200,8 +2199,7 @@ static void vxlan_xmit_one(struct sk_buf
+               if (skb_dst(skb)) {
+                       int mtu = dst_mtu(ndst) - VXLAN6_HEADROOM;
+ 
+-                      skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL,
+-                                                     skb, mtu);
++                      skb_dst_update_pmtu(skb, mtu);
+               }
+ 
+               tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -520,4 +520,12 @@ static inline struct xfrm_state *dst_xfr
+ }
+ #endif
+ 
++static inline void skb_dst_update_pmtu(struct sk_buff *skb, u32 mtu)
++{
++      struct dst_entry *dst = skb_dst(skb);
++
++      if (dst && dst->ops->update_pmtu)
++              dst->ops->update_pmtu(dst, NULL, skb, mtu);
++}
++
+ #endif /* _NET_DST_H */
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -521,8 +521,7 @@ static int tnl_update_pmtu(struct net_de
+       else
+               mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
+ 
+-      if (skb_dst(skb))
+-              skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
++      skb_dst_update_pmtu(skb, mtu);
+ 
+       if (skb->protocol == htons(ETH_P_IP)) {
+               if (!skb_is_gso(skb) &&
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -209,7 +209,7 @@ static netdev_tx_t vti_xmit(struct sk_bu
+ 
+       mtu = dst_mtu(dst);
+       if (skb->len > mtu) {
+-              skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
++              skb_dst_update_pmtu(skb, mtu);
+               if (skb->protocol == htons(ETH_P_IP)) {
+                       icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+                                 htonl(mtu));
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -652,7 +652,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+               if (rel_info > dst_mtu(skb_dst(skb2)))
+                       goto out;
+ 
+-              skb_dst(skb2)->ops->update_pmtu(skb_dst(skb2), NULL, skb2, rel_info);
++              skb_dst_update_pmtu(skb2, rel_info);
+       }
+       if (rel_type == ICMP_REDIRECT)
+               skb_dst(skb2)->ops->redirect(skb_dst(skb2), NULL, skb2);
+@@ -1141,8 +1141,7 @@ route_lookup:
+               mtu = 576;
+       }
+ 
+-      if (skb_dst(skb) && !t->parms.collect_md)
+-              skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
++      skb_dst_update_pmtu(skb, mtu);
+       if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {
+               *pmtu = mtu;
+               err = -EMSGSIZE;
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -486,7 +486,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ 
+       mtu = dst_mtu(dst);
+       if (!skb->ignore_df && skb->len > mtu) {
+-              skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
++              skb_dst_update_pmtu(skb, mtu);
+ 
+               if (skb->protocol == htons(ETH_P_IPV6)) {
+                       if (mtu < IPV6_MIN_MTU)
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -925,8 +925,8 @@ static netdev_tx_t ipip6_tunnel_xmit(str
+                       df = 0;
+               }
+ 
+-              if (tunnel->parms.iph.daddr && skb_dst(skb))
+-                      skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
++              if (tunnel->parms.iph.daddr)
++                      skb_dst_update_pmtu(skb, mtu);
+ 
+               if (skb->len > mtu && !skb_is_gso(skb)) {
+                       icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);

diff --git a/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch b/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch
new file mode 100644 (file)
index 0000000..992b279
--- /dev/null
+++ b/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch
@@ -0,0 +1,247 @@
+From f0295e047fcf52ccb42561fb7de6942f5201b676 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Mon, 26 Mar 2018 15:17:07 +1100
+Subject: powerpc/eeh: Fix race with driver un/bind
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit f0295e047fcf52ccb42561fb7de6942f5201b676 upstream.
+
+The current EEH callbacks can race with a driver unbind. This can
+result in a backtraces like this:
+
+  EEH: Frozen PHB#0-PE#1fc detected
+  EEH: PE location: S000009, PHB location: N/A
+  CPU: 2 PID: 2312 Comm: kworker/u258:3 Not tainted 4.15.6-openpower1 #2
+  Workqueue: nvme-wq nvme_reset_work [nvme]
+  Call Trace:
+    dump_stack+0x9c/0xd0 (unreliable)
+    eeh_dev_check_failure+0x420/0x470
+    eeh_check_failure+0xa0/0xa4
+    nvme_reset_work+0x138/0x1414 [nvme]
+    process_one_work+0x1ec/0x328
+    worker_thread+0x2e4/0x3a8
+    kthread+0x14c/0x154
+    ret_from_kernel_thread+0x5c/0xc8
+  nvme nvme1: Removing after probe failure status: -19
+  <snip>
+  cpu 0x23: Vector: 300 (Data Access) at [c000000ff50f3800]
+      pc: c0080000089a0eb0: nvme_error_detected+0x4c/0x90 [nvme]
+      lr: c000000000026564: eeh_report_error+0xe0/0x110
+      sp: c000000ff50f3a80
+     msr: 9000000000009033
+     dar: 400
+   dsisr: 40000000
+    current = 0xc000000ff507c000
+    paca    = 0xc00000000fdc9d80   softe: 0        irq_happened: 0x01
+      pid   = 782, comm = eehd
+  Linux version 4.15.6-openpower1 (smc@smc-desktop) (gcc version 6.4.0 (Buildroot 2017.11.2-00008-g4b6188e)) #2 SM                                             P Tue Feb 27 12:33:27 PST 2018
+  enter ? for help
+    eeh_report_error+0xe0/0x110
+    eeh_pe_dev_traverse+0xc0/0xdc
+    eeh_handle_normal_event+0x184/0x4c4
+    eeh_handle_event+0x30/0x288
+    eeh_event_handler+0x124/0x170
+    kthread+0x14c/0x154
+    ret_from_kernel_thread+0x5c/0xc8
+
+The first part is an EEH (on boot), the second half is the resulting
+crash. nvme probe starts the nvme_reset_work() worker thread. This
+worker thread starts touching the device which see a device error
+(EEH) and hence queues up an event in the powerpc EEH worker
+thread. nvme_reset_work() then continues and runs
+nvme_remove_dead_ctrl_work() which results in unbinding the driver
+from the device and hence releases all resources. At the same time,
+the EEH worker thread starts doing the EEH .error_detected() driver
+callback, which no longer works since the resources have been freed.
+
+This fixes the problem in the same way the generic PCIe AER code (in
+drivers/pci/pcie/aer/aerdrv_core.c) does. It makes the EEH code hold
+the device_lock() while performing the driver EEH callbacks and
+associated code. This ensures either the callbacks are no longer
+register, or if they are registered the driver will not be removed
+from underneath us.
+
+This has been broken forever. The EEH call backs were first introduced
+in 2005 (in 77bd7415610) but it's not clear if a lock was needed back
+then.
+
+Fixes: 77bd74156101 ("[PATCH] powerpc: PCI Error Recovery: PPC64 core recovery routines")
+Cc: stable@vger.kernel.org # v2.6.16+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_driver.c |   61 ++++++++++++++++++++++++---------------
+ 1 file changed, 38 insertions(+), 23 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -207,18 +207,18 @@ static void *eeh_report_error(void *data
+ 
+       if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe))
+               return NULL;
++
++      device_lock(&dev->dev);
+       dev->error_state = pci_channel_io_frozen;
+ 
+       driver = eeh_pcid_get(dev);
+-      if (!driver) return NULL;
++      if (!driver) goto out_no_dev;
+ 
+       eeh_disable_irq(dev);
+ 
+       if (!driver->err_handler ||
+-          !driver->err_handler->error_detected) {
+-              eeh_pcid_put(dev);
+-              return NULL;
+-      }
++          !driver->err_handler->error_detected)
++              goto out;
+ 
+       rc = driver->err_handler->error_detected(dev, pci_channel_io_frozen);
+ 
+@@ -227,7 +227,10 @@ static void *eeh_report_error(void *data
+       if (*res == PCI_ERS_RESULT_NONE) *res = rc;
+ 
+       edev->in_error = true;
++out:
+       eeh_pcid_put(dev);
++out_no_dev:
++      device_unlock(&dev->dev);
+       return NULL;
+ }
+ 
+@@ -250,15 +253,14 @@ static void *eeh_report_mmio_enabled(voi
+       if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe))
+               return NULL;
+ 
++      device_lock(&dev->dev);
+       driver = eeh_pcid_get(dev);
+-      if (!driver) return NULL;
++      if (!driver) goto out_no_dev;
+ 
+       if (!driver->err_handler ||
+           !driver->err_handler->mmio_enabled ||
+-          (edev->mode & EEH_DEV_NO_HANDLER)) {
+-              eeh_pcid_put(dev);
+-              return NULL;
+-      }
++          (edev->mode & EEH_DEV_NO_HANDLER))
++              goto out;
+ 
+       rc = driver->err_handler->mmio_enabled(dev);
+ 
+@@ -266,7 +268,10 @@ static void *eeh_report_mmio_enabled(voi
+       if (rc == PCI_ERS_RESULT_NEED_RESET) *res = rc;
+       if (*res == PCI_ERS_RESULT_NONE) *res = rc;
+ 
++out:
+       eeh_pcid_put(dev);
++out_no_dev:
++      device_unlock(&dev->dev);
+       return NULL;
+ }
+ 
+@@ -289,20 +294,20 @@ static void *eeh_report_reset(void *data
+ 
+       if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe))
+               return NULL;
++
++      device_lock(&dev->dev);
+       dev->error_state = pci_channel_io_normal;
+ 
+       driver = eeh_pcid_get(dev);
+-      if (!driver) return NULL;
++      if (!driver) goto out_no_dev;
+ 
+       eeh_enable_irq(dev);
+ 
+       if (!driver->err_handler ||
+           !driver->err_handler->slot_reset ||
+           (edev->mode & EEH_DEV_NO_HANDLER) ||
+-          (!edev->in_error)) {
+-              eeh_pcid_put(dev);
+-              return NULL;
+-      }
++          (!edev->in_error))
++              goto out;
+ 
+       rc = driver->err_handler->slot_reset(dev);
+       if ((*res == PCI_ERS_RESULT_NONE) ||
+@@ -310,7 +315,10 @@ static void *eeh_report_reset(void *data
+       if (*res == PCI_ERS_RESULT_DISCONNECT &&
+            rc == PCI_ERS_RESULT_NEED_RESET) *res = rc;
+ 
++out:
+       eeh_pcid_put(dev);
++out_no_dev:
++      device_unlock(&dev->dev);
+       return NULL;
+ }
+ 
+@@ -361,10 +369,12 @@ static void *eeh_report_resume(void *dat
+ 
+       if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe))
+               return NULL;
++
++      device_lock(&dev->dev);
+       dev->error_state = pci_channel_io_normal;
+ 
+       driver = eeh_pcid_get(dev);
+-      if (!driver) return NULL;
++      if (!driver) goto out_no_dev;
+ 
+       was_in_error = edev->in_error;
+       edev->in_error = false;
+@@ -374,13 +384,15 @@ static void *eeh_report_resume(void *dat
+           !driver->err_handler->resume ||
+           (edev->mode & EEH_DEV_NO_HANDLER) || !was_in_error) {
+               edev->mode &= ~EEH_DEV_NO_HANDLER;
+-              eeh_pcid_put(dev);
+-              return NULL;
++              goto out;
+       }
+ 
+       driver->err_handler->resume(dev);
+ 
++out:
+       eeh_pcid_put(dev);
++out_no_dev:
++      device_unlock(&dev->dev);
+       return NULL;
+ }
+ 
+@@ -400,22 +412,25 @@ static void *eeh_report_failure(void *da
+ 
+       if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe))
+               return NULL;
++
++      device_lock(&dev->dev);
+       dev->error_state = pci_channel_io_perm_failure;
+ 
+       driver = eeh_pcid_get(dev);
+-      if (!driver) return NULL;
++      if (!driver) goto out_no_dev;
+ 
+       eeh_disable_irq(dev);
+ 
+       if (!driver->err_handler ||
+-          !driver->err_handler->error_detected) {
+-              eeh_pcid_put(dev);
+-              return NULL;
+-      }
++          !driver->err_handler->error_detected)
++              goto out;
+ 
+       driver->err_handler->error_detected(dev, pci_channel_io_perm_failure);
+ 
++out:
+       eeh_pcid_put(dev);
++out_no_dev:
++      device_unlock(&dev->dev);
+       return NULL;
+ }
+ 

diff --git a/queue-4.14/series b/queue-4.14/series
index 239a864cd4964fd45bfabe59ce140150c2f3e375..405da929ad52c6735293e991c31a5b5d6540391d 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -87,3 +87,5 @@ x86-microcode-intel-save-microcode-patch-unconditionally.patch
 x86-microcode-do-not-exit-early-from-__reload_late.patch
 tick-sched-do-not-mess-with-an-enqueued-hrtimer.patch
 arm-arm64-kvm-add-psci-version-selection-api.patch
+powerpc-eeh-fix-race-with-driver-un-bind.patch
+net-don-t-call-update_pmtu-unconditionally.patch