--- /dev/null
+From fe2a3027e74e40a3ece3a4c1e4e51403090a907a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 1 Feb 2018 22:16:21 +0100
+Subject: KVM: x86: fix backward migration with async_PF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit fe2a3027e74e40a3ece3a4c1e4e51403090a907a upstream.
+
+Guests on new hypersiors might set KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT
+bit when enabling async_PF, but this bit is reserved on old hypervisors,
+which results in a failure upon migration.
+
+To avoid breaking different cases, we are checking for CPUID feature bit
+before enabling the feature and nothing else.
+
+Fixes: 52a5c155cf79 ("KVM: async_pf: Let guest support delivery of async_pf from guest mode")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[jwang: port to 4.14]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/virtual/kvm/cpuid.txt | 4 ++++
+ Documentation/virtual/kvm/msr.txt | 3 ++-
+ arch/x86/include/uapi/asm/kvm_para.h | 1 +
+ arch/x86/kernel/kvm.c | 8 ++++----
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 5 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/Documentation/virtual/kvm/cpuid.txt
++++ b/Documentation/virtual/kvm/cpuid.txt
+@@ -54,6 +54,10 @@ KVM_FEATURE_PV_UNHALT ||
+ || || before enabling paravirtualized
+ || || spinlock support.
+ ------------------------------------------------------------------------------
++KVM_FEATURE_ASYNC_PF_VMEXIT || 10 || paravirtualized async PF VM exit
++ || || can be enabled by setting bit 2
++ || || when writing to msr 0x4b564d02
++------------------------------------------------------------------------------
+ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT || 24 || host will warn if no guest-side
+ || || per-cpu warps are expected in
+ || || kvmclock.
+--- a/Documentation/virtual/kvm/msr.txt
++++ b/Documentation/virtual/kvm/msr.txt
+@@ -170,7 +170,8 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02
+ when asynchronous page faults are enabled on the vcpu 0 when
+ disabled. Bit 1 is 1 if asynchronous page faults can be injected
+ when vcpu is in cpl == 0. Bit 2 is 1 if asynchronous page faults
+- are delivered to L1 as #PF vmexits.
++ are delivered to L1 as #PF vmexits. Bit 2 can be set only if
++ KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID.
+
+ First 4 byte of 64 byte memory location will be written to by
+ the hypervisor at the time of asynchronous page fault (APF)
+--- a/arch/x86/include/uapi/asm/kvm_para.h
++++ b/arch/x86/include/uapi/asm/kvm_para.h
+@@ -25,6 +25,7 @@
+ #define KVM_FEATURE_STEAL_TIME 5
+ #define KVM_FEATURE_PV_EOI 6
+ #define KVM_FEATURE_PV_UNHALT 7
++#define KVM_FEATURE_ASYNC_PF_VMEXIT 10
+
+ /* The last 8 bits are used to indicate how to interpret the flags field
+ * in pvclock structure. If no bits are set, all flags are ignored.
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -341,10 +341,10 @@ static void kvm_guest_cpu_init(void)
+ #endif
+ pa |= KVM_ASYNC_PF_ENABLED;
+
+- /* Async page fault support for L1 hypervisor is optional */
+- if (wrmsr_safe(MSR_KVM_ASYNC_PF_EN,
+- (pa | KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT) & 0xffffffff, pa >> 32) < 0)
+- wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
++ if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT))
++ pa |= KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT;
++
++ wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
+ __this_cpu_write(apf_reason.enabled, 1);
+ printk(KERN_INFO"KVM setup async PF for cpu %d\n",
+ smp_processor_id());
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -597,7 +597,8 @@ static inline int __do_cpuid_ent(struct
+ (1 << KVM_FEATURE_ASYNC_PF) |
+ (1 << KVM_FEATURE_PV_EOI) |
+ (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT) |
+- (1 << KVM_FEATURE_PV_UNHALT);
++ (1 << KVM_FEATURE_PV_UNHALT) |
++ (1 << KVM_FEATURE_ASYNC_PF_VMEXIT);
+
+ if (sched_info_on())
+ entry->eax |= (1 << KVM_FEATURE_STEAL_TIME);
--- /dev/null
+From 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Date: Fri, 16 Feb 2018 20:39:57 -0200
+Subject: scsi: mpt3sas: fix oops in error handlers after shutdown/unload
+
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+
+commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream.
+
+This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so
+not to access pointers/resources potentially freed in the PCI shutdown/module
+unload path. The error handlers may be invoked after shutdown/unload,
+depending on other components.
+
+This problem was observed with kexec on a system with a mpt3sas based adapter
+and an infiniband adapter which takes long enough to shutdown:
+
+The mpt3sas driver finished shutting down / disabled interrupt handling, thus
+some commands have not finished and timed out.
+
+Since the system was still running (waiting for the infiniband adapter to
+shutdown), the scsi error handler for task abort of mpt3sas was invoked, and
+hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL
+without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or
+later up in scsih_host_reset() (with or without that commit), because it
+eventually called mpt3sas_base_get_iocstate().
+
+After the above commit, the oops in scsih_abort() does not occur anymore
+(_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is
+too big and out of the scope of linux-stable, where this patch might help, so
+still go for the changes.
+
+Also, this might help to prevent similar errors in the future, in case code
+changes and possibly tries to access freed stuff.
+
+Note the fix in scsih_host_reset() is still important anyway.
+
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -2998,7 +2998,8 @@ scsih_abort(struct scsi_cmnd *scmd)
+ _scsih_tm_display_info(ioc, scmd);
+
+ sas_device_priv_data = scmd->device->hostdata;
+- if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
++ if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
++ ioc->remove_host) {
+ sdev_printk(KERN_INFO, scmd->device,
+ "device been deleted! scmd(%p)\n", scmd);
+ scmd->result = DID_NO_CONNECT << 16;
+@@ -3060,7 +3061,8 @@ scsih_dev_reset(struct scsi_cmnd *scmd)
+ _scsih_tm_display_info(ioc, scmd);
+
+ sas_device_priv_data = scmd->device->hostdata;
+- if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
++ if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
++ ioc->remove_host) {
+ sdev_printk(KERN_INFO, scmd->device,
+ "device been deleted! scmd(%p)\n", scmd);
+ scmd->result = DID_NO_CONNECT << 16;
+@@ -3122,7 +3124,8 @@ scsih_target_reset(struct scsi_cmnd *scm
+ _scsih_tm_display_info(ioc, scmd);
+
+ sas_device_priv_data = scmd->device->hostdata;
+- if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
++ if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
++ ioc->remove_host) {
+ starget_printk(KERN_INFO, starget, "target been deleted! scmd(%p)\n",
+ scmd);
+ scmd->result = DID_NO_CONNECT << 16;
+@@ -3179,7 +3182,7 @@ scsih_host_reset(struct scsi_cmnd *scmd)
+ ioc->name, scmd);
+ scsi_print_command(scmd);
+
+- if (ioc->is_driver_loading) {
++ if (ioc->is_driver_loading || ioc->remove_host) {
+ pr_info(MPT3SAS_FMT "Blocking the host reset\n",
+ ioc->name);
+ r = FAILED;
--- /dev/null
+From c666d3be99c000bb889a33353e9be0fa5808d3de Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Fri, 16 Feb 2018 20:39:58 -0200
+Subject: scsi: mpt3sas: wait for and flush running commands on shutdown/unload
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit c666d3be99c000bb889a33353e9be0fa5808d3de upstream.
+
+This patch finishes all outstanding SCSI IO commands (but not other commands,
+e.g., task management) in the shutdown and unload paths.
+
+It first waits for the commands to complete (this is done after setting
+'ioc->remove_host = 1 ', which prevents new commands to be queued) then it
+flushes commands that might still be running.
+
+This avoids triggering error handling (e.g., abort command) for all commands
+possibly completed by the adapter after interrupts disabled.
+
+[mauricfo: introduced something in commit message.]
+
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[mauricfo: backport to linux-4.15.y (a few updates to context lines)]
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 8 ++++----
+ drivers/scsi/mpt3sas/mpt3sas_base.h | 3 +++
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 10 +++++++++-
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -6289,14 +6289,14 @@ _base_reset_handler(struct MPT3SAS_ADAPT
+ }
+
+ /**
+- * _wait_for_commands_to_complete - reset controller
++ * mpt3sas_wait_for_commands_to_complete - reset controller
+ * @ioc: Pointer to MPT_ADAPTER structure
+ *
+ * This function waiting(3s) for all pending commands to complete
+ * prior to putting controller in reset.
+ */
+-static void
+-_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc)
++void
++mpt3sas_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc)
+ {
+ u32 ioc_state;
+ unsigned long flags;
+@@ -6375,7 +6375,7 @@ mpt3sas_base_hard_reset_handler(struct M
+ is_fault = 1;
+ }
+ _base_reset_handler(ioc, MPT3_IOC_PRE_RESET);
+- _wait_for_commands_to_complete(ioc);
++ mpt3sas_wait_for_commands_to_complete(ioc);
+ _base_mask_interrupts(ioc);
+ r = _base_make_ioc_ready(ioc, type);
+ if (r)
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.h
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.h
+@@ -1435,6 +1435,9 @@ void mpt3sas_base_update_missing_delay(s
+
+ int mpt3sas_port_enable(struct MPT3SAS_ADAPTER *ioc);
+
++void
++mpt3sas_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc);
++
+
+ /* scsih shared API */
+ u8 mpt3sas_scsih_event_callback(struct MPT3SAS_ADAPTER *ioc, u8 msix_index,
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -4614,7 +4614,7 @@ _scsih_flush_running_cmds(struct MPT3SAS
+ _scsih_set_satl_pending(scmd, false);
+ mpt3sas_base_free_smid(ioc, smid);
+ scsi_dma_unmap(scmd);
+- if (ioc->pci_error_recovery)
++ if (ioc->pci_error_recovery || ioc->remove_host)
+ scmd->result = DID_NO_CONNECT << 16;
+ else
+ scmd->result = DID_RESET << 16;
+@@ -9904,6 +9904,10 @@ static void scsih_remove(struct pci_dev
+ unsigned long flags;
+
+ ioc->remove_host = 1;
++
++ mpt3sas_wait_for_commands_to_complete(ioc);
++ _scsih_flush_running_cmds(ioc);
++
+ _scsih_fw_event_cleanup_queue(ioc);
+
+ spin_lock_irqsave(&ioc->fw_event_lock, flags);
+@@ -9980,6 +9984,10 @@ scsih_shutdown(struct pci_dev *pdev)
+ unsigned long flags;
+
+ ioc->remove_host = 1;
++
++ mpt3sas_wait_for_commands_to_complete(ioc);
++ _scsih_flush_running_cmds(ioc);
++
+ _scsih_fw_event_cleanup_queue(ioc);
+
+ spin_lock_irqsave(&ioc->fw_event_lock, flags);
bpf-add-schedule-points-in-percpu-arrays-management.patch
bpf-allow-xadd-only-on-aligned-memory.patch
bpf-ppc64-fix-out-of-bounds-access-in-tail-call.patch
+scsi-mpt3sas-fix-oops-in-error-handlers-after-shutdown-unload.patch
+scsi-mpt3sas-wait-for-and-flush-running-commands-on-shutdown-unload.patch
+kvm-x86-fix-backward-migration-with-async_pf.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
