--- /dev/null
+From 5a07168d8d89b00fe1760120714378175b3ef992 Mon Sep 17 00:00:00 2001
+From: Chen Jie <chenjie6@huawei.com>
+Date: Fri, 15 Mar 2019 03:44:38 +0000
+Subject: futex: Ensure that futex address is aligned in handle_futex_death()
+
+From: Chen Jie <chenjie6@huawei.com>
+
+commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream.
+
+The futex code requires that the user space addresses of futexes are 32bit
+aligned. sys_futex() checks this in futex_get_keys() but the robust list
+code has no alignment check in place.
+
+As a consequence the kernel crashes on architectures with strict alignment
+requirements in handle_futex_death() when trying to cmpxchg() on an
+unaligned futex address which was retrieved from the robust list.
+
+[ tglx: Rewrote changelog, proper sizeof() based alignement check and add
+ comment ]
+
+Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
+Signed-off-by: Chen Jie <chenjie6@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <dvhart@infradead.org>
+Cc: <peterz@infradead.org>
+Cc: <zengweilin@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -3450,6 +3450,10 @@ int handle_futex_death(u32 __user *uaddr
+ {
+ u32 uval, uninitialized_var(nval), mval;
+
++ /* Futex address must be 32bit aligned */
++ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
++ return -1;
++
+ retry:
+ if (get_user(uval, uaddr))
+ return -1;
--- /dev/null
+From 0c671812f152b628bd87c0af49da032cc2a2c319 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Mon, 18 Mar 2019 19:09:38 -0500
+Subject: objtool: Move objtool_file struct off the stack
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 0c671812f152b628bd87c0af49da032cc2a2c319 upstream.
+
+Objtool uses over 512k of stack, thanks to the hash table embedded in
+the objtool_file struct. This causes an unnecessarily large stack
+allocation and breaks users with low stack limits.
+
+Move the struct off the stack.
+
+Fixes: 042ba73fe7eb ("objtool: Add several performance improvements")
+Reported-by: Vassili Karpov <moosotc@gmail.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/df92dcbc4b84b02ffa252f46876df125fb56e2d7.1552954176.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/objtool/check.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -2132,9 +2132,10 @@ static void cleanup(struct objtool_file
+ elf_close(file->elf);
+ }
+
++static struct objtool_file file;
++
+ int check(const char *_objname, bool orc)
+ {
+- struct objtool_file file;
+ int ret, warnings = 0;
+
+ objname = _objname;
--- /dev/null
+From eaeffeb9838a7c0dec981d258666bfcc0fa6a947 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 4 Mar 2019 15:13:21 +0200
+Subject: perf probe: Fix getting the kernel map
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit eaeffeb9838a7c0dec981d258666bfcc0fa6a947 upstream.
+
+Since commit 4d99e4136580 ("perf machine: Workaround missing maps for
+x86 PTI entry trampolines"), perf tools has been creating more than one
+kernel map, however 'perf probe' assumed there could be only one.
+
+Fix by using machine__kernel_map() to get the main kernel map.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Cc: Xu Yu <xuyu@linux.alibaba.com>
+Fixes: 4d99e4136580 ("perf machine: Workaround missing maps for x86 PTI entry trampolines")
+Fixes: d83212d5dd67 ("kallsyms, x86: Export addresses of PTI entry trampolines")
+Link: http://lkml.kernel.org/r/2ed432de-e904-85d2-5c36-5897ddc5b23b@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/probe-event.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -169,8 +169,10 @@ static struct map *kernel_get_module_map
+ if (module && strchr(module, '/'))
+ return dso__new_map(module);
+
+- if (!module)
+- module = "kernel";
++ if (!module) {
++ pos = machine__kernel_map(host_machine);
++ return map__get(pos);
++ }
+
+ for (pos = maps__first(maps); pos; pos = map__next(pos)) {
+ /* short_name is "[module]" */
--- /dev/null
+From 7f5203c13ba8a7b7f9f6ecfe5a4d5567188d7835 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Wed, 20 Mar 2019 13:41:51 -0500
+Subject: scsi: ibmvscsi: Fix empty event pool access during host removal
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit 7f5203c13ba8a7b7f9f6ecfe5a4d5567188d7835 upstream.
+
+The event pool used for queueing commands is destroyed fairly early in the
+ibmvscsi_remove() code path. Since, this happens prior to the call so
+scsi_remove_host() it is possible for further calls to queuecommand to be
+processed which manifest as a panic due to a NULL pointer dereference as
+seen here:
+
+PANIC: "Unable to handle kernel paging request for data at address
+0x00000000"
+
+Context process backtrace:
+
+DSISR: 0000000042000000 ????Syscall Result: 0000000000000000
+4 [c000000002cb3820] memcpy_power7 at c000000000064204
+[Link Register] [c000000002cb3820] ibmvscsi_send_srp_event at d000000003ed14a4
+5 [c000000002cb3920] ibmvscsi_send_srp_event at d000000003ed14a4 [ibmvscsi] ?(unreliable)
+6 [c000000002cb39c0] ibmvscsi_queuecommand at d000000003ed2388 [ibmvscsi]
+7 [c000000002cb3a70] scsi_dispatch_cmd at d00000000395c2d8 [scsi_mod]
+8 [c000000002cb3af0] scsi_request_fn at d00000000395ef88 [scsi_mod]
+9 [c000000002cb3be0] __blk_run_queue at c000000000429860
+10 [c000000002cb3c10] blk_delay_work at c00000000042a0ec
+11 [c000000002cb3c40] process_one_work at c0000000000dac30
+12 [c000000002cb3cd0] worker_thread at c0000000000db110
+13 [c000000002cb3d80] kthread at c0000000000e3378
+14 [c000000002cb3e30] ret_from_kernel_thread at c00000000000982c
+
+The kernel buffer log is overfilled with this log:
+
+[11261.952732] ibmvscsi: found no event struct in pool!
+
+This patch reorders the operations during host teardown. Start by calling
+the SRP transport and Scsi_Host remove functions to flush any outstanding
+work and set the host offline. LLDD teardown follows including destruction
+of the event pool, freeing the Command Response Queue (CRQ), and unmapping
+any persistent buffers. The event pool destruction is protected by the
+scsi_host lock, and the pool is purged prior of any requests for which we
+never received a response. Finally, move the removal of the scsi host from
+our global list to the end so that the host is easily locatable for
+debugging purposes during teardown.
+
+Cc: <stable@vger.kernel.org> # v2.6.12+
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -2299,17 +2299,27 @@ static int ibmvscsi_probe(struct vio_dev
+ static int ibmvscsi_remove(struct vio_dev *vdev)
+ {
+ struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
+- spin_lock(&ibmvscsi_driver_lock);
+- list_del(&hostdata->host_list);
+- spin_unlock(&ibmvscsi_driver_lock);
+- unmap_persist_bufs(hostdata);
++ unsigned long flags;
++
++ srp_remove_host(hostdata->host);
++ scsi_remove_host(hostdata->host);
++
++ purge_requests(hostdata, DID_ERROR);
++
++ spin_lock_irqsave(hostdata->host->host_lock, flags);
+ release_event_pool(&hostdata->pool, hostdata);
++ spin_unlock_irqrestore(hostdata->host->host_lock, flags);
++
+ ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
+ max_events);
+
+ kthread_stop(hostdata->work_thread);
+- srp_remove_host(hostdata->host);
+- scsi_remove_host(hostdata->host);
++ unmap_persist_bufs(hostdata);
++
++ spin_lock(&ibmvscsi_driver_lock);
++ list_del(&hostdata->host_list);
++ spin_unlock(&ibmvscsi_driver_lock);
++
+ scsi_host_put(hostdata->host);
+
+ return 0;
--- /dev/null
+From 7205981e045e752ccf96cf6ddd703a98c59d4339 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Wed, 20 Mar 2019 13:41:50 -0500
+Subject: scsi: ibmvscsi: Protect ibmvscsi_head from concurrent modificaiton
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit 7205981e045e752ccf96cf6ddd703a98c59d4339 upstream.
+
+For each ibmvscsi host created during a probe or destroyed during a remove
+we either add or remove that host to/from the global ibmvscsi_head
+list. This runs the risk of concurrent modification.
+
+This patch adds a simple spinlock around the list modification calls to
+prevent concurrent updates as is done similarly in the ibmvfc driver and
+ipr driver.
+
+Fixes: 32d6e4b6e4ea ("scsi: ibmvscsi: add vscsi hosts to global list_head")
+Cc: <stable@vger.kernel.org> # v4.10+
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -96,6 +96,7 @@ static int client_reserve = 1;
+ static char partition_name[96] = "UNKNOWN";
+ static unsigned int partition_number = -1;
+ static LIST_HEAD(ibmvscsi_head);
++static DEFINE_SPINLOCK(ibmvscsi_driver_lock);
+
+ static struct scsi_transport_template *ibmvscsi_transport_template;
+
+@@ -2274,7 +2275,9 @@ static int ibmvscsi_probe(struct vio_dev
+ }
+
+ dev_set_drvdata(&vdev->dev, hostdata);
++ spin_lock(&ibmvscsi_driver_lock);
+ list_add_tail(&hostdata->host_list, &ibmvscsi_head);
++ spin_unlock(&ibmvscsi_driver_lock);
+ return 0;
+
+ add_srp_port_failed:
+@@ -2296,7 +2299,9 @@ static int ibmvscsi_probe(struct vio_dev
+ static int ibmvscsi_remove(struct vio_dev *vdev)
+ {
+ struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
++ spin_lock(&ibmvscsi_driver_lock);
+ list_del(&hostdata->host_list);
++ spin_unlock(&ibmvscsi_driver_lock);
+ unmap_persist_bufs(hostdata);
+ release_event_pool(&hostdata->pool, hostdata);
+ ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch
mips-ensure-elf-appended-dtb-is-relocated.patch
mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch
+scsi-ibmvscsi-protect-ibmvscsi_head-from-concurrent-modificaiton.patch
+scsi-ibmvscsi-fix-empty-event-pool-access-during-host-removal.patch
+futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch
+perf-probe-fix-getting-the-kernel-map.patch
+objtool-move-objtool_file-struct-off-the-stack.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
