--- /dev/null
+From fd5de2721ea7d16e2b16c4049ac49f229551b290 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 3 Jul 2019 15:39:25 +0200
+Subject: ARC: hide unused function unw_hdr_alloc
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit fd5de2721ea7d16e2b16c4049ac49f229551b290 upstream.
+
+As kernelci.org reports, this function is not used in
+vdk_hs38_defconfig:
+
+arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function]
+
+Fixes: bc79c9a72165 ("ARC: dw2 unwind: Reinstante unwinding out of modules")
+Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/unwind.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/arc/kernel/unwind.c
++++ b/arch/arc/kernel/unwind.c
+@@ -185,11 +185,6 @@ static void *__init unw_hdr_alloc_early(
+ MAX_DMA_ADDRESS);
+ }
+
+-static void *unw_hdr_alloc(unsigned long sz)
+-{
+- return kmalloc(sz, GFP_KERNEL);
+-}
+-
+ static void init_unwind_table(struct unwind_table *table, const char *name,
+ const void *core_start, unsigned long core_size,
+ const void *init_start, unsigned long init_size,
+@@ -370,6 +365,10 @@ ret_err:
+ }
+
+ #ifdef CONFIG_MODULES
++static void *unw_hdr_alloc(unsigned long sz)
++{
++ return kmalloc(sz, GFP_KERNEL);
++}
+
+ static struct unwind_table *last_table;
+
--- /dev/null
+From e52d484d9869eb291140545746ccbe5ffc7c9306 Mon Sep 17 00:00:00 2001
+From: Haren Myneni <haren@linux.vnet.ibm.com>
+Date: Tue, 18 Jun 2019 12:09:22 -0700
+Subject: crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
+
+From: Haren Myneni <haren@linux.vnet.ibm.com>
+
+commit e52d484d9869eb291140545746ccbe5ffc7c9306 upstream.
+
+System gets checkstop if RxFIFO overruns with more requests than the
+maximum possible number of CRBs in FIFO at the same time. The max number
+of requests per window is controlled by window credits. So find max
+CRBs from FIFO size and set it to receive window credits.
+
+Fixes: b0d6c9bab5e4 ("crypto/nx: Add P9 NX support for 842 compression engine")
+CC: stable@vger.kernel.org # v4.14+
+Signed-off-by:Haren Myneni <haren@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+---
+ drivers/crypto/nx/nx-842-powernv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/nx/nx-842-powernv.c
++++ b/drivers/crypto/nx/nx-842-powernv.c
+@@ -34,8 +34,6 @@ MODULE_ALIAS_CRYPTO("842-nx");
+ #define WORKMEM_ALIGN (CRB_ALIGN)
+ #define CSB_WAIT_MAX (5000) /* ms */
+ #define VAS_RETRIES (10)
+-/* # of requests allowed per RxFIFO at a time. 0 for unlimited */
+-#define MAX_CREDITS_PER_RXFIFO (1024)
+
+ struct nx842_workmem {
+ /* Below fields must be properly aligned */
+@@ -801,7 +799,11 @@ static int __init vas_cfg_coproc_info(st
+ rxattr.lnotify_lpid = lpid;
+ rxattr.lnotify_pid = pid;
+ rxattr.lnotify_tid = tid;
+- rxattr.wcreds_max = MAX_CREDITS_PER_RXFIFO;
++ /*
++ * Maximum RX window credits can not be more than #CRBs in
++ * RxFIFO. Otherwise, can get checkstop if RxFIFO overruns.
++ */
++ rxattr.wcreds_max = fifo_size / CRB_SIZE;
+
+ /*
+ * Open a VAS receice window which is used to configure RxFIFO
--- /dev/null
+From 4f18d869ffd056c7858f3d617c71345cf19be008 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 17 Jun 2019 14:02:41 +0200
+Subject: s390: fix stfle zero padding
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream.
+
+The stfle inline assembly returns the number of double words written
+(condition code 0) or the double words it would have written
+(condition code 3), if the memory array it got as parameter would have
+been large enough.
+
+The current stfle implementation assumes that the array is always
+large enough and clears those parts of the array that have not been
+written to with a subsequent memset call.
+
+If however the array is not large enough memset will get a negative
+length parameter, which means that memset clears memory until it gets
+an exception and the kernel crashes.
+
+To fix this simply limit the maximum length. Move also the inline
+assembly to an extra function to avoid clobbering of register 0, which
+might happen because of the added min_t invocation together with code
+instrumentation.
+
+The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup
+facility list handling") but was rather harmless, since it would only
+write to a rather large array. It became a potential problem with
+commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since
+then it writes to an array with only four double words, while some
+machines already deliver three double words. As soon as machines have
+a facility bit within the fifth double a crash on IPL would happen.
+
+Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling")
+Cc: <stable@vger.kernel.org> # v2.6.37+
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/facility.h | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/include/asm/facility.h
++++ b/arch/s390/include/asm/facility.h
+@@ -59,6 +59,18 @@ static inline int test_facility(unsigned
+ return __test_facility(nr, &S390_lowcore.stfle_fac_list);
+ }
+
++static inline unsigned long __stfle_asm(u64 *stfle_fac_list, int size)
++{
++ register unsigned long reg0 asm("0") = size - 1;
++
++ asm volatile(
++ ".insn s,0xb2b00000,0(%1)" /* stfle */
++ : "+d" (reg0)
++ : "a" (stfle_fac_list)
++ : "memory", "cc");
++ return reg0;
++}
++
+ /**
+ * stfle - Store facility list extended
+ * @stfle_fac_list: array where facility list can be stored
+@@ -76,13 +88,8 @@ static inline void stfle(u64 *stfle_fac_
+ memcpy(stfle_fac_list, &S390_lowcore.stfl_fac_list, 4);
+ if (S390_lowcore.stfl_fac_list & 0x01000000) {
+ /* More facility bits available with stfle */
+- register unsigned long reg0 asm("0") = size - 1;
+-
+- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
+- : "+d" (reg0)
+- : "a" (stfle_fac_list)
+- : "memory", "cc");
+- nr = (reg0 + 1) * 8; /* # bytes stored by stfle */
++ nr = __stfle_asm(stfle_fac_list, size);
++ nr = min_t(unsigned long, (nr + 1) * 8, size * 8);
+ }
+ memset((char *) stfle_fac_list + nr, 0, size * 8 - nr);
+ preempt_enable();
--- /dev/null
+From ac6639cd3db607d386616487902b4cc1850a7be5 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Tue, 18 Jun 2019 13:12:20 +0200
+Subject: s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit ac6639cd3db607d386616487902b4cc1850a7be5 upstream.
+
+Current code sets the dsci to 0x00000080. Which doesn't make any sense,
+as the indicator area is located in the _left-most_ byte.
+
+Worse: if the dsci is the _shared_ indicator, this potentially clears
+the indication of activity for a _different_ device.
+tiqdio_thinint_handler() will then have no reason to call that device's
+IRQ handler, and the device ends up stalling.
+
+Fixes: d0c9d4a89fff ("[S390] qdio: set correct bit in dsci")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_thinint.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/s390/cio/qdio_thinint.c
++++ b/drivers/s390/cio/qdio_thinint.c
+@@ -83,7 +83,6 @@ void tiqdio_add_input_queues(struct qdio
+ mutex_lock(&tiq_list_lock);
+ list_add_rcu(&irq_ptr->input_qs[0]->entry, &tiq_list);
+ mutex_unlock(&tiq_list_lock);
+- xchg(irq_ptr->dsci, 1 << 7);
+ }
+
+ void tiqdio_remove_input_queues(struct qdio_irq *irq_ptr)
--- /dev/null
+From e54e4785cb5cb4896cf4285964aeef2125612fb2 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Tue, 18 Jun 2019 11:25:59 +0200
+Subject: s390/qdio: (re-)initialize tiqdio list entries
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit e54e4785cb5cb4896cf4285964aeef2125612fb2 upstream.
+
+When tiqdio_remove_input_queues() removes a queue from the tiq_list as
+part of qdio_shutdown(), it doesn't re-initialize the queue's list entry
+and the prev/next pointers go stale.
+
+If a subsequent qdio_establish() fails while sending the ESTABLISH cmd,
+it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and
+tiqdio_remove_input_queues() will attempt to remove the queue entry a
+second time. This dereferences the stale pointers, and bad things ensue.
+Fix this by re-initializing the list entry after removing it from the
+list.
+
+For good practice also initialize the list entry when the queue is first
+allocated, and remove the quirky checks that papered over this omission.
+Note that prior to
+commit e521813468f7 ("s390/qdio: fix access to uninitialized qdio_q fields"),
+these checks were bogus anyway.
+
+setup_queues_misc() clears the whole queue struct, and thus needs to
+re-init the prev/next pointers as well.
+
+Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_setup.c | 2 ++
+ drivers/s390/cio/qdio_thinint.c | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/qdio_setup.c
++++ b/drivers/s390/cio/qdio_setup.c
+@@ -150,6 +150,7 @@ static int __qdio_allocate_qs(struct qdi
+ return -ENOMEM;
+ }
+ irq_ptr_qs[i] = q;
++ INIT_LIST_HEAD(&q->entry);
+ }
+ return 0;
+ }
+@@ -178,6 +179,7 @@ static void setup_queues_misc(struct qdi
+ q->mask = 1 << (31 - i);
+ q->nr = i;
+ q->handler = handler;
++ INIT_LIST_HEAD(&q->entry);
+ }
+
+ static void setup_storage_lists(struct qdio_q *q, struct qdio_irq *irq_ptr,
+--- a/drivers/s390/cio/qdio_thinint.c
++++ b/drivers/s390/cio/qdio_thinint.c
+@@ -91,14 +91,14 @@ void tiqdio_remove_input_queues(struct q
+ struct qdio_q *q;
+
+ q = irq_ptr->input_qs[0];
+- /* if establish triggered an error */
+- if (!q || !q->entry.prev || !q->entry.next)
++ if (!q)
+ return;
+
+ mutex_lock(&tiq_list_lock);
+ list_del_rcu(&q->entry);
+ mutex_unlock(&tiq_list_lock);
+ synchronize_rcu();
++ INIT_LIST_HEAD(&q->entry);
+ }
+
+ static inline int has_multiple_inq_on_dsci(struct qdio_irq *irq_ptr)
x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch
cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch
linux-kernel.h-fix-overflow-for-div_round_up_ull.patch
+arc-hide-unused-function-unw_hdr_alloc.patch
+s390-fix-stfle-zero-padding.patch
+s390-qdio-re-initialize-tiqdio-list-entries.patch
+s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch
+crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
