From: Sasha Levin Date: Thu, 2 May 2019 13:51:57 +0000 (-0400) Subject: autosel fixes for 5.0 X-Git-Tag: v4.9.173~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a363a7ca47c7046342876dd4c00ec287e142fa6;p=thirdparty%2Fkernel%2Fstable-queue.git autosel fixes for 5.0 Signed-off-by: Sasha Levin --- diff --git a/queue-5.0/afs-fix-storedata-op-marshalling.patch b/queue-5.0/afs-fix-storedata-op-marshalling.patch new file mode 100644 index 00000000000..10e9061a792 --- /dev/null +++ b/queue-5.0/afs-fix-storedata-op-marshalling.patch @@ -0,0 +1,117 @@ +From a925585eea738425f3d84af00de84faa282e76d4 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 27 Mar 2019 22:48:02 +0000 +Subject: afs: Fix StoreData op marshalling + +[ Upstream commit 8c7ae38d1ce12a0eaeba655df8562552b3596c7f ] + +The marshalling of AFS.StoreData, AFS.StoreData64 and YFS.StoreData64 calls +generated by ->setattr() ops for the purpose of expanding a file is +incorrect due to older documentation incorrectly describing the way the RPC +'FileLength' parameter is meant to work. + +The older documentation says that this is the length the file is meant to +end up at the end of the operation; however, it was never implemented this +way in any of the servers, but rather the file is truncated down to this +before the write operation is effected, and never expanded to it (and, +indeed, it was renamed to 'TruncPos' in 2014). + +Fix this by setting the position parameter to the new file length and doing +a zero-lengh write there. + +The bug causes Xwayland to SIGBUS due to unexpected non-expansion of a file +it then mmaps. This can be tested by giving the following test program a +filename in an AFS directory: + + #include + #include + #include + #include + #include + int main(int argc, char *argv[]) + { + char *p; + int fd; + if (argc != 2) { + fprintf(stderr, + "Format: test-trunc-mmap \n"); + exit(2); + } + fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC); + if (fd < 0) { + perror(argv[1]); + exit(1); + } + if (ftruncate(fd, 0x140008) == -1) { + perror("ftruncate"); + exit(1); + } + p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0); + if (p == MAP_FAILED) { + perror("mmap"); + exit(1); + } + p[0] = 'a'; + if (munmap(p, 4096) < 0) { + perror("munmap"); + exit(1); + } + if (close(fd) < 0) { + perror("close"); + exit(1); + } + exit(0); + } + +Fixes: 31143d5d515e ("AFS: implement basic file write support") +Reported-by: Jonathan Billings +Tested-by: Jonathan Billings +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/afs/fsclient.c | 6 +++--- + fs/afs/yfsclient.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c +index ca08c83168f5..0b37867b5c20 100644 +--- a/fs/afs/fsclient.c ++++ b/fs/afs/fsclient.c +@@ -1515,8 +1515,8 @@ static int afs_fs_setattr_size64(struct afs_fs_cursor *fc, struct iattr *attr) + + xdr_encode_AFS_StoreStatus(&bp, attr); + +- *bp++ = 0; /* position of start of write */ +- *bp++ = 0; ++ *bp++ = htonl(attr->ia_size >> 32); /* position of start of write */ ++ *bp++ = htonl((u32) attr->ia_size); + *bp++ = 0; /* size of write */ + *bp++ = 0; + *bp++ = htonl(attr->ia_size >> 32); /* new file length */ +@@ -1564,7 +1564,7 @@ static int afs_fs_setattr_size(struct afs_fs_cursor *fc, struct iattr *attr) + + xdr_encode_AFS_StoreStatus(&bp, attr); + +- *bp++ = 0; /* position of start of write */ ++ *bp++ = htonl(attr->ia_size); /* position of start of write */ + *bp++ = 0; /* size of write */ + *bp++ = htonl(attr->ia_size); /* new file length */ + +diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c +index 5aa57929e8c2..6e97a42d24d1 100644 +--- a/fs/afs/yfsclient.c ++++ b/fs/afs/yfsclient.c +@@ -1514,7 +1514,7 @@ static int yfs_fs_setattr_size(struct afs_fs_cursor *fc, struct iattr *attr) + bp = xdr_encode_u32(bp, 0); /* RPC flags */ + bp = xdr_encode_YFSFid(bp, &vnode->fid); + bp = xdr_encode_YFS_StoreStatus(bp, attr); +- bp = xdr_encode_u64(bp, 0); /* position of start of write */ ++ bp = xdr_encode_u64(bp, attr->ia_size); /* position of start of write */ + bp = xdr_encode_u64(bp, 0); /* size of write */ + bp = xdr_encode_u64(bp, attr->ia_size); /* new file length */ + yfs_check_req(call, bp); +-- +2.19.1 + diff --git a/queue-5.0/arm-davinci-fix-build-failure-with-allnoconfig.patch b/queue-5.0/arm-davinci-fix-build-failure-with-allnoconfig.patch new file mode 100644 index 00000000000..18bb8d6a47b --- /dev/null +++ b/queue-5.0/arm-davinci-fix-build-failure-with-allnoconfig.patch @@ -0,0 +1,37 @@ +From 671622b91582a3dd21cdddb0736d1d386bfc4776 Mon Sep 17 00:00:00 2001 +From: Sekhar Nori +Date: Wed, 20 Feb 2019 16:36:52 +0530 +Subject: ARM: davinci: fix build failure with allnoconfig + +[ Upstream commit 2dbed152e2d4c3fe2442284918d14797898b1e8a ] + +allnoconfig build with just ARCH_DAVINCI enabled +fails because drivers/clk/davinci/* depends on +REGMAP being enabled. + +Fix it by selecting REGMAP_MMIO when building in +DaVinci support. + +Signed-off-by: Sekhar Nori +Reviewed-by: David Lechner +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 26524b75970a..e5d56d9b712c 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -593,6 +593,7 @@ config ARCH_DAVINCI + select HAVE_IDE + select PM_GENERIC_DOMAINS if PM + select PM_GENERIC_DOMAINS_OF if PM && OF ++ select REGMAP_MMIO + select RESET_CONTROLLER + select USE_OF + select ZONE_DMA +-- +2.19.1 + diff --git a/queue-5.0/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch b/queue-5.0/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch new file mode 100644 index 00000000000..b0460f8cde3 --- /dev/null +++ b/queue-5.0/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch @@ -0,0 +1,35 @@ +From 765fcdbe663cedba85d002706bea52e6fe06d0e1 Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Mon, 4 Mar 2019 18:48:37 -0300 +Subject: ARM: dts: bcm283x: Fix hdmi hpd gpio pull + +[ Upstream commit 544e784188f1dd7c797c70b213385e67d92005b6 ] + +Raspberry pi board model B revison 2 have the hot plug detector gpio +active high (and not low as it was in the dts). + +Signed-off-by: Helen Koike +Fixes: 49ac67e0c39c ("ARM: bcm2835: Add VC4 to the device tree.") +Reviewed-by: Eric Anholt +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts +index 5641d162dfdb..28e7513ce617 100644 +--- a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts ++++ b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts +@@ -93,7 +93,7 @@ + }; + + &hdmi { +- hpd-gpios = <&gpio 46 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&gpio 46 GPIO_ACTIVE_HIGH>; + }; + + &pwm { +-- +2.19.1 + diff --git a/queue-5.0/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch b/queue-5.0/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch new file mode 100644 index 00000000000..a55ae4fa2ac --- /dev/null +++ b/queue-5.0/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch @@ -0,0 +1,42 @@ +From 417c91b820f4cf225906f9705a0705a91910370f Mon Sep 17 00:00:00 2001 +From: Masanari Iida +Date: Tue, 19 Mar 2019 01:30:09 +0900 +Subject: ARM: dts: imx6qdl: Fix typo in imx6qdl-icore-rqs.dtsi + +[ Upstream commit 41b37f4c0fa67185691bcbd30201cad566f2f0d1 ] + +This patch fixes a spelling typo. + +Signed-off-by: Masanari Iida +Fixes: cc42603de320 ("ARM: dts: imx6q-icore-rqs: Add Engicam IMX6 Q7 initial support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi +index 1d1b4bd0670f..a4217f564a53 100644 +--- a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi +@@ -264,7 +264,7 @@ + pinctrl-2 = <&pinctrl_usdhc3_200mhz>; + vmcc-supply = <®_sd3_vmmc>; + cd-gpios = <&gpio1 1 GPIO_ACTIVE_LOW>; +- bus-witdh = <4>; ++ bus-width = <4>; + no-1-8-v; + status = "okay"; + }; +@@ -275,7 +275,7 @@ + pinctrl-1 = <&pinctrl_usdhc4_100mhz>; + pinctrl-2 = <&pinctrl_usdhc4_200mhz>; + vmcc-supply = <®_sd4_vmmc>; +- bus-witdh = <8>; ++ bus-width = <8>; + no-1-8-v; + non-removable; + status = "okay"; +-- +2.19.1 + diff --git a/queue-5.0/arm-dts-pfla02-increase-phy-reset-duration.patch b/queue-5.0/arm-dts-pfla02-increase-phy-reset-duration.patch new file mode 100644 index 00000000000..24624f20a9a --- /dev/null +++ b/queue-5.0/arm-dts-pfla02-increase-phy-reset-duration.patch @@ -0,0 +1,48 @@ +From 351b74913ef889eb8f16cc440df2c7c54b515f83 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Mon, 4 Mar 2019 11:49:40 +0100 +Subject: ARM: dts: pfla02: increase phy reset duration + +[ Upstream commit 032f85c9360fb1a08385c584c2c4ed114b33c260 ] + +Increase the reset duration to ensure correct phy functionality. The +reset duration is taken from barebox commit 52fdd510de ("ARM: dts: +pfla02: use long enough reset for ethernet phy"): + + Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a + small percentage of modules have 'transmission timeouts' errors like + + barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0 + warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3 + eth0: 1000Mbps full duplex link detected + eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + +Cc: Stefan Christ +Cc: Christian Hemp +Signed-off-by: Marco Felsch +Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +index 1b50b01e9bac..65d03c5d409b 100644 +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +@@ -90,6 +90,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ phy-reset-duration = <10>; /* in msecs */ + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; + phy-supply = <&vdd_eth_io_reg>; + status = "disabled"; +-- +2.19.1 + diff --git a/queue-5.0/arm-imx51-fix-a-leaked-reference-by-adding-missing-o.patch b/queue-5.0/arm-imx51-fix-a-leaked-reference-by-adding-missing-o.patch new file mode 100644 index 00000000000..aa956d620ca --- /dev/null +++ b/queue-5.0/arm-imx51-fix-a-leaked-reference-by-adding-missing-o.patch @@ -0,0 +1,45 @@ +From de08105c6bc6f4b4a51802246205fff7b58668a9 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 1 Mar 2019 16:56:46 +0800 +Subject: ARM: imx51: fix a leaked reference by adding missing of_node_put + +[ Upstream commit 0c17e83fe423467e3ccf0a02f99bd050a73bbeb4 ] + +The call to of_get_next_child returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./arch/arm/mach-imx/mach-imx51.c:64:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 57, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Russell King +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: NXP Linux Team +Cc: Lucas Stach +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/mach-imx/mach-imx51.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-imx/mach-imx51.c b/arch/arm/mach-imx/mach-imx51.c +index c7169c2f94c4..08c7892866c2 100644 +--- a/arch/arm/mach-imx/mach-imx51.c ++++ b/arch/arm/mach-imx/mach-imx51.c +@@ -59,6 +59,7 @@ static void __init imx51_m4if_setup(void) + return; + + m4if_base = of_iomap(np, 0); ++ of_node_put(np); + if (!m4if_base) { + pr_err("Unable to map M4IF registers\n"); + return; +-- +2.19.1 + diff --git a/queue-5.0/arm64-dts-renesas-r8a77990-fix-scif5-dma-channels.patch b/queue-5.0/arm64-dts-renesas-r8a77990-fix-scif5-dma-channels.patch new file mode 100644 index 00000000000..bb70ffa35d1 --- /dev/null +++ b/queue-5.0/arm64-dts-renesas-r8a77990-fix-scif5-dma-channels.patch @@ -0,0 +1,49 @@ +From d7e33284739ad0bc3c6e3f841553d1a6f79d82a3 Mon Sep 17 00:00:00 2001 +From: Takeshi Kihara +Date: Thu, 21 Feb 2019 13:59:38 +0100 +Subject: arm64: dts: renesas: r8a77990: Fix SCIF5 DMA channels + +[ Upstream commit e20119f7eaaaf6aad5b44f35155ce500429e17f6 ] + +According to the R-Car Gen3 Hardware Manual Errata for Rev 1.50 of Feb +12, 2019, the DMA channels for SCIF5 are corrected from 16..47 to 0..15 +on R-Car E3. + +Signed-off-by: Takeshi Kihara +Fixes: a5ebe5e49a862e21 ("arm64: dts: renesas: r8a77990: Add SCIF-{0,1,3,4,5} device nodes") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Fabrizio Castro +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm64/boot/dts/renesas/r8a77990.dtsi | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a77990.dtsi b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +index b2f606e286ce..327d12097643 100644 +--- a/arch/arm64/boot/dts/renesas/r8a77990.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +@@ -2,7 +2,7 @@ + /* + * Device Tree Source for the R-Car E3 (R8A77990) SoC + * +- * Copyright (C) 2018 Renesas Electronics Corp. ++ * Copyright (C) 2018-2019 Renesas Electronics Corp. + */ + + #include +@@ -1040,9 +1040,8 @@ + <&cpg CPG_CORE R8A77990_CLK_S3D1C>, + <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; +- dmas = <&dmac1 0x5b>, <&dmac1 0x5a>, +- <&dmac2 0x5b>, <&dmac2 0x5a>; +- dma-names = "tx", "rx", "tx", "rx"; ++ dmas = <&dmac0 0x5b>, <&dmac0 0x5a>; ++ dma-names = "tx", "rx"; + power-domains = <&sysc R8A77990_PD_ALWAYS_ON>; + resets = <&cpg 202>; + status = "disabled"; +-- +2.19.1 + diff --git a/queue-5.0/arm64-kvm-always-set-ich_hcr_el2.en-if-gicv4-is-enab.patch b/queue-5.0/arm64-kvm-always-set-ich_hcr_el2.en-if-gicv4-is-enab.patch new file mode 100644 index 00000000000..a91b069ebf2 --- /dev/null +++ b/queue-5.0/arm64-kvm-always-set-ich_hcr_el2.en-if-gicv4-is-enab.patch @@ -0,0 +1,77 @@ +From 6e286e733dcd8cdf1438945a06fae7b1567d9afb Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 13 Mar 2019 18:07:50 +0000 +Subject: arm64: KVM: Always set ICH_HCR_EL2.EN if GICv4 is enabled + +[ Upstream commit ca71228b42a96908eca7658861eafacd227856c9 ] + +The normal interrupt flow is not to enable the vgic when no virtual +interrupt is to be injected (i.e. the LRs are empty). But when a guest +is likely to use GICv4 for LPIs, we absolutely need to switch it on +at all times. Otherwise, VLPIs only get delivered when there is something +in the LRs, which doesn't happen very often. + +Reported-by: Nianyao Tang +Tested-by: Shameerali Kolothum Thodi +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin (Microsoft) +--- + virt/kvm/arm/hyp/vgic-v3-sr.c | 4 ++-- + virt/kvm/arm/vgic/vgic.c | 14 ++++++++++---- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/virt/kvm/arm/hyp/vgic-v3-sr.c b/virt/kvm/arm/hyp/vgic-v3-sr.c +index 9652c453480f..3c3f7cda95c7 100644 +--- a/virt/kvm/arm/hyp/vgic-v3-sr.c ++++ b/virt/kvm/arm/hyp/vgic-v3-sr.c +@@ -222,7 +222,7 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu) + } + } + +- if (used_lrs) { ++ if (used_lrs || cpu_if->its_vpe.its_vm) { + int i; + u32 elrsr; + +@@ -247,7 +247,7 @@ void __hyp_text __vgic_v3_restore_state(struct kvm_vcpu *vcpu) + u64 used_lrs = vcpu->arch.vgic_cpu.used_lrs; + int i; + +- if (used_lrs) { ++ if (used_lrs || cpu_if->its_vpe.its_vm) { + write_gicreg(cpu_if->vgic_hcr, ICH_HCR_EL2); + + for (i = 0; i < used_lrs; i++) +diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c +index abd9c7352677..3af69f2a3866 100644 +--- a/virt/kvm/arm/vgic/vgic.c ++++ b/virt/kvm/arm/vgic/vgic.c +@@ -867,15 +867,21 @@ void kvm_vgic_flush_hwstate(struct kvm_vcpu *vcpu) + * either observe the new interrupt before or after doing this check, + * and introducing additional synchronization mechanism doesn't change + * this. ++ * ++ * Note that we still need to go through the whole thing if anything ++ * can be directly injected (GICv4). + */ +- if (list_empty(&vcpu->arch.vgic_cpu.ap_list_head)) ++ if (list_empty(&vcpu->arch.vgic_cpu.ap_list_head) && ++ !vgic_supports_direct_msis(vcpu->kvm)) + return; + + DEBUG_SPINLOCK_BUG_ON(!irqs_disabled()); + +- raw_spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock); +- vgic_flush_lr_state(vcpu); +- raw_spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock); ++ if (!list_empty(&vcpu->arch.vgic_cpu.ap_list_head)) { ++ raw_spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock); ++ vgic_flush_lr_state(vcpu); ++ raw_spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock); ++ } + + if (can_access_vgic_from_kernel()) + vgic_restore_state(vcpu); +-- +2.19.1 + diff --git a/queue-5.0/btrfs-fix-file-corruption-after-snapshotting-due-to-.patch b/queue-5.0/btrfs-fix-file-corruption-after-snapshotting-due-to-.patch new file mode 100644 index 00000000000..3b03a690e44 --- /dev/null +++ b/queue-5.0/btrfs-fix-file-corruption-after-snapshotting-due-to-.patch @@ -0,0 +1,171 @@ +From 428c215918b4888176d818b2ffec83a476f7d5e2 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 27 Feb 2019 13:42:30 +0000 +Subject: Btrfs: fix file corruption after snapshotting due to mix of + buffered/DIO writes + +[ Upstream commit 609e804d771f59dc5d45a93e5ee0053c74bbe2bf ] + +When we are mixing buffered writes with direct IO writes against the same +file and snapshotting is happening concurrently, we can end up with a +corrupt file content in the snapshot. Example: + +1) Inode/file is empty. + +2) Snapshotting starts. + +2) Buffered write at offset 0 length 256Kb. This updates the i_size of the + inode to 256Kb, disk_i_size remains zero. This happens after the task + doing the snapshot flushes all existing delalloc. + +3) DIO write at offset 256Kb length 768Kb. Once the ordered extent + completes it sets the inode's disk_i_size to 1Mb (256Kb + 768Kb) and + updates the inode item in the fs tree with a size of 1Mb (which is + the value of disk_i_size). + +4) The dealloc for the range [0, 256Kb[ did not start yet. + +5) The transaction used in the DIO ordered extent completion, which updated + the inode item, is committed by the snapshotting task. + +6) Snapshot creation completes. + +7) Dealloc for the range [0, 256Kb[ is flushed. + +After that when reading the file from the snapshot we always get zeroes for +the range [0, 256Kb[, the file has a size of 1Mb and the data written by +the direct IO write is found. From an application's point of view this is +a corruption, since in the source subvolume it could never read a version +of the file that included the data from the direct IO write without the +data from the buffered write included as well. In the snapshot's tree, +file extent items are missing for the range [0, 256Kb[. + +The issue, obviously, does not happen when using the -o flushoncommit +mount option. + +Fix this by flushing delalloc for all the roots that are about to be +snapshotted when committing a transaction. This guarantees total ordering +when updating the disk_i_size of an inode since the flush for dealloc is +done when a transaction is in the TRANS_STATE_COMMIT_START state and wait +is done once no more external writers exist. This is similar to what we +do when using the flushoncommit mount option, but we do it only if the +transaction has snapshots to create and only for the roots of the +subvolumes to be snapshotted. The bulk of the dealloc is flushed in the +snapshot creation ioctl, so the flush work we do inside the transaction +is minimized. + +This issue, involving buffered and direct IO writes with snapshotting, is +often triggered by fstest btrfs/078, and got reported by fsck when not +using the NO_HOLES features, for example: + + $ cat results/btrfs/078.full + (...) + _check_btrfs_filesystem: filesystem on /dev/sdc is inconsistent + *** fsck.btrfs output *** + [1/7] checking root items + [2/7] checking extents + [3/7] checking free space cache + [4/7] checking fs roots + root 258 inode 264 errors 100, file extent discount + Found file extent holes: + start: 524288, len: 65536 + ERROR: errors found in fs roots + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/btrfs/transaction.c | 49 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 4ec2b660d014..7f3ece91a4d0 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1886,8 +1886,10 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans) + } + } + +-static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) ++static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) + { ++ struct btrfs_fs_info *fs_info = trans->fs_info; ++ + /* + * We use writeback_inodes_sb here because if we used + * btrfs_start_delalloc_roots we would deadlock with fs freeze. +@@ -1897,15 +1899,50 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) + * from already being in a transaction and our join_transaction doesn't + * have to re-take the fs freeze lock. + */ +- if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) ++ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); ++ } else { ++ struct btrfs_pending_snapshot *pending; ++ struct list_head *head = &trans->transaction->pending_snapshots; ++ ++ /* ++ * Flush dellaloc for any root that is going to be snapshotted. ++ * This is done to avoid a corrupted version of files, in the ++ * snapshots, that had both buffered and direct IO writes (even ++ * if they were done sequentially) due to an unordered update of ++ * the inode's size on disk. ++ */ ++ list_for_each_entry(pending, head, list) { ++ int ret; ++ ++ ret = btrfs_start_delalloc_snapshot(pending->root); ++ if (ret) ++ return ret; ++ } ++ } + return 0; + } + +-static inline void btrfs_wait_delalloc_flush(struct btrfs_fs_info *fs_info) ++static inline void btrfs_wait_delalloc_flush(struct btrfs_trans_handle *trans) + { +- if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) ++ struct btrfs_fs_info *fs_info = trans->fs_info; ++ ++ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); ++ } else { ++ struct btrfs_pending_snapshot *pending; ++ struct list_head *head = &trans->transaction->pending_snapshots; ++ ++ /* ++ * Wait for any dellaloc that we started previously for the roots ++ * that are going to be snapshotted. This is to avoid a corrupted ++ * version of files in the snapshots that had both buffered and ++ * direct IO writes (even if they were done sequentially). ++ */ ++ list_for_each_entry(pending, head, list) ++ btrfs_wait_ordered_extents(pending->root, ++ U64_MAX, 0, U64_MAX); ++ } + } + + int btrfs_commit_transaction(struct btrfs_trans_handle *trans) +@@ -2024,7 +2061,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + extwriter_counter_dec(cur_trans, trans->type); + +- ret = btrfs_start_delalloc_flush(fs_info); ++ ret = btrfs_start_delalloc_flush(trans); + if (ret) + goto cleanup_transaction; + +@@ -2040,7 +2077,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + if (ret) + goto cleanup_transaction; + +- btrfs_wait_delalloc_flush(fs_info); ++ btrfs_wait_delalloc_flush(trans); + + btrfs_scrub_pause(fs_info); + /* +-- +2.19.1 + diff --git a/queue-5.0/ceph-fix-use-after-free-on-symlink-traversal.patch b/queue-5.0/ceph-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..918237a41c2 --- /dev/null +++ b/queue-5.0/ceph-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,42 @@ +From 189b0c6ea881111ab4b859118993053f412d2955 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:38:58 +0000 +Subject: ceph: fix use-after-free on symlink traversal + +[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ] + +free the symlink body after the same RCU delay we have for freeing the +struct inode itself, so that traversal during RCU pathwalk wouldn't step +into freed memory. + +Signed-off-by: Al Viro +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/ceph/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 9d1f34d46627..f7f9e305aaf8 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head) + struct inode *inode = container_of(head, struct inode, i_rcu); + struct ceph_inode_info *ci = ceph_inode(inode); + ++ kfree(ci->i_symlink); + kmem_cache_free(ceph_inode_cachep, ci); + } + +@@ -561,7 +562,6 @@ void ceph_destroy_inode(struct inode *inode) + ceph_put_snap_realm(mdsc, realm); + } + +- kfree(ci->i_symlink); + while ((n = rb_first(&ci->i_fragtree)) != NULL) { + frag = rb_entry(n, struct ceph_inode_frag, node); + rb_erase(n, &ci->i_fragtree); +-- +2.19.1 + diff --git a/queue-5.0/drm-fix-drm_release-and-device-unplug.patch b/queue-5.0/drm-fix-drm_release-and-device-unplug.patch new file mode 100644 index 00000000000..2a40d5488f1 --- /dev/null +++ b/queue-5.0/drm-fix-drm_release-and-device-unplug.patch @@ -0,0 +1,75 @@ +From f4af58b874c994160df15b507c0ab9eeb7c1658e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Fri, 8 Feb 2019 15:01:02 +0100 +Subject: drm: Fix drm_release() and device unplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3f04e0a6cfebf48152ac64502346cdc258811f79 ] + +If userspace has open fd(s) when drm_dev_unplug() is run, it will result +in drm_dev_unregister() being called twice. First in drm_dev_unplug() and +then later in drm_release() through the call to drm_put_dev(). + +Since userspace already holds a ref on drm_device through the drm_minor, +it's not necessary to add extra ref counting based on no open file +handles. Instead just drm_dev_put() unconditionally in drm_dev_unplug(). + +We now have this: +- Userpace holds a ref on drm_device as long as there's open fd(s) +- The driver holds a ref on drm_device as long as it's bound to the + struct device + +When both sides are done with drm_device, it is released. + +Signed-off-by: Noralf Trønnes +Reviewed-by: Oleksandr Andrushchenko +Reviewed-by: Daniel Vetter +Reviewed-by: Sean Paul +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20190208140103.28919-2-noralf@tronnes.org +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpu/drm/drm_drv.c | 6 +----- + drivers/gpu/drm/drm_file.c | 6 ++---- + 2 files changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 12e5e2be7890..7a59b8b3ed5a 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -381,11 +381,7 @@ void drm_dev_unplug(struct drm_device *dev) + synchronize_srcu(&drm_unplug_srcu); + + drm_dev_unregister(dev); +- +- mutex_lock(&drm_global_mutex); +- if (dev->open_count == 0) +- drm_dev_put(dev); +- mutex_unlock(&drm_global_mutex); ++ drm_dev_put(dev); + } + EXPORT_SYMBOL(drm_dev_unplug); + +diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c +index 46f48f245eb5..3f20f598cd7c 100644 +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -479,11 +479,9 @@ int drm_release(struct inode *inode, struct file *filp) + + drm_file_free(file_priv); + +- if (!--dev->open_count) { ++ if (!--dev->open_count) + drm_lastclose(dev); +- if (drm_dev_is_unplugged(dev)) +- drm_put_dev(dev); +- } ++ + mutex_unlock(&drm_global_mutex); + + drm_minor_release(minor); +-- +2.19.1 + diff --git a/queue-5.0/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch b/queue-5.0/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch new file mode 100644 index 00000000000..c996df19ba9 --- /dev/null +++ b/queue-5.0/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch @@ -0,0 +1,47 @@ +From 4ab9d06fbfb6718cfe25f28c275210a53e1d14cd Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Fri, 22 Mar 2019 15:26:56 +0000 +Subject: drm/meson: Fix invalid pointer in meson_drv_unbind() + +[ Upstream commit 776e78677f514ecddd12dba48b9040958999bd5a ] + +meson_drv_bind() registers a meson_drm struct as the device's privdata, +but meson_drv_unbind() tries to retrieve a drm_device. This may cause a +segfault on shutdown: + +[ 5194.593429] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000197 + ... +[ 5194.788850] Call trace: +[ 5194.791349] drm_dev_unregister+0x1c/0x118 [drm] +[ 5194.795848] meson_drv_unbind+0x50/0x78 [meson_drm] + +Retrieve the right pointer in meson_drv_unbind(). + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Jean-Philippe Brucker +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-1-jean-philippe.brucker@arm.com +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpu/drm/meson/meson_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index 12ff47b13668..c1115a96453f 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -336,8 +336,8 @@ static int meson_drv_bind(struct device *dev) + + static void meson_drv_unbind(struct device *dev) + { +- struct drm_device *drm = dev_get_drvdata(dev); +- struct meson_drm *priv = drm->dev_private; ++ struct meson_drm *priv = dev_get_drvdata(dev); ++ struct drm_device *drm = priv->drm; + + if (priv->canvas) { + meson_canvas_free(priv->canvas, priv->canvas_id_osd1); +-- +2.19.1 + diff --git a/queue-5.0/drm-meson-uninstall-irq-handler.patch b/queue-5.0/drm-meson-uninstall-irq-handler.patch new file mode 100644 index 00000000000..b9669b10864 --- /dev/null +++ b/queue-5.0/drm-meson-uninstall-irq-handler.patch @@ -0,0 +1,58 @@ +From 1623407770632b92092fbf89a05b50af980ec408 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Fri, 22 Mar 2019 15:26:57 +0000 +Subject: drm/meson: Uninstall IRQ handler + +[ Upstream commit 2d8f92897ad816f5dda54b2ed2fd9f2d7cb1abde ] + +meson_drv_unbind() doesn't unregister the IRQ handler, which can lead to +use-after-free if the IRQ fires after unbind: + +[ 64.656876] Unable to handle kernel paging request at virtual address ffff000011706dbc +... +[ 64.662001] pc : meson_irq+0x18/0x30 [meson_drm] + +I'm assuming that a similar problem could happen on the error path of +bind(), so uninstall the IRQ handler there as well. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Jean-Philippe Brucker +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-2-jean-philippe.brucker@arm.com +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpu/drm/meson/meson_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index c1115a96453f..a13704ab5d11 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -317,12 +317,14 @@ static int meson_drv_bind_master(struct device *dev, bool has_components) + + ret = drm_dev_register(drm, 0); + if (ret) +- goto free_drm; ++ goto uninstall_irq; + + drm_fbdev_generic_setup(drm, 32); + + return 0; + ++uninstall_irq: ++ drm_irq_uninstall(drm); + free_drm: + drm_dev_put(drm); + +@@ -347,6 +349,7 @@ static void meson_drv_unbind(struct device *dev) + } + + drm_dev_unregister(drm); ++ drm_irq_uninstall(drm); + drm_kms_helper_poll_fini(drm); + drm_mode_config_cleanup(drm); + drm_dev_put(drm); +-- +2.19.1 + diff --git a/queue-5.0/drm-tegra-hub-fix-dereference-before-check.patch b/queue-5.0/drm-tegra-hub-fix-dereference-before-check.patch new file mode 100644 index 00000000000..bf03ab9b41b --- /dev/null +++ b/queue-5.0/drm-tegra-hub-fix-dereference-before-check.patch @@ -0,0 +1,39 @@ +From e226e526c6d08aeb11dc20643bb1848110baa923 Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Mon, 11 Feb 2019 11:51:20 +0100 +Subject: drm/tegra: hub: Fix dereference before check + +[ Upstream commit 7cf77b273a8fc51e7de622fa6691abd4436a9a6b ] + +Reported-by: Dan Carpenter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpu/drm/tegra/hub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c +index 922a48d5a483..c7c612579270 100644 +--- a/drivers/gpu/drm/tegra/hub.c ++++ b/drivers/gpu/drm/tegra/hub.c +@@ -378,14 +378,16 @@ static int tegra_shared_plane_atomic_check(struct drm_plane *plane, + static void tegra_shared_plane_atomic_disable(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +- struct tegra_dc *dc = to_tegra_dc(old_state->crtc); + struct tegra_plane *p = to_tegra_plane(plane); ++ struct tegra_dc *dc; + u32 value; + + /* rien ne va plus */ + if (!old_state || !old_state->crtc) + return; + ++ dc = to_tegra_dc(old_state->crtc); ++ + /* + * XXX Legacy helpers seem to sometimes call ->atomic_disable() even + * on planes that are already disabled. Make sure we fallback to the +-- +2.19.1 + diff --git a/queue-5.0/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch b/queue-5.0/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..83b39ad3fdc --- /dev/null +++ b/queue-5.0/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,34 @@ +From 53a777b5c267bd1803f9336a3eadac785a35f4ff Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sun, 24 Mar 2019 18:10:02 -0500 +Subject: gpio: aspeed: fix a potential NULL pointer dereference + +[ Upstream commit 6cf4511e9729c00a7306cf94085f9cc3c52ee723 ] + +In case devm_kzalloc, the patch returns ENOMEM to avoid potential +NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Reviewed-by: Andrew Jeffery +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpio/gpio-aspeed.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c +index 854bce4fb9e7..217507002dbc 100644 +--- a/drivers/gpio/gpio-aspeed.c ++++ b/drivers/gpio/gpio-aspeed.c +@@ -1224,6 +1224,8 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev) + + gpio->offset_timer = + devm_kzalloc(&pdev->dev, gpio->chip.ngpio, GFP_KERNEL); ++ if (!gpio->offset_timer) ++ return -ENOMEM; + + return aspeed_gpio_setup_irqs(gpio, pdev); + } +-- +2.19.1 + diff --git a/queue-5.0/gpio-of-check-for-spi-cs-high-in-child-instead-of-pa.patch b/queue-5.0/gpio-of-check-for-spi-cs-high-in-child-instead-of-pa.patch new file mode 100644 index 00000000000..a1e93746aaf --- /dev/null +++ b/queue-5.0/gpio-of-check-for-spi-cs-high-in-child-instead-of-pa.patch @@ -0,0 +1,50 @@ +From 79368283f89737dfef8514b0d3e984ef2734946c Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Mon, 25 Mar 2019 23:32:09 -0700 +Subject: gpio: of: Check for "spi-cs-high" in child instead of parent node + +[ Upstream commit 7ce40277bf848391705011ba37eac2e377cbd9e6 ] + +"spi-cs-high" is going to be specified in child node of an SPI +controller's representing attached SPI device, so change the code to +look for it there, instead of checking parent node. + +Signed-off-by: Andrey Smirnov +Cc: Linus Walleij +Cc: Bartosz Golaszewski +Cc: Chris Healy +Cc: linux-gpio@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpio/gpiolib-of.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 9470563f2506..f1ae28289a67 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -142,16 +142,16 @@ static void of_gpio_flags_quirks(struct device_node *np, + * conflict and the "spi-cs-high" flag will + * take precedence. + */ +- if (of_property_read_bool(np, "spi-cs-high")) { ++ if (of_property_read_bool(child, "spi-cs-high")) { + if (*flags & OF_GPIO_ACTIVE_LOW) { + pr_warn("%s GPIO handle specifies active low - ignored\n", +- of_node_full_name(np)); ++ of_node_full_name(child)); + *flags &= ~OF_GPIO_ACTIVE_LOW; + } + } else { + if (!(*flags & OF_GPIO_ACTIVE_LOW)) + pr_info("%s enforce active low on chipselect handle\n", +- of_node_full_name(np)); ++ of_node_full_name(child)); + *flags |= OF_GPIO_ACTIVE_LOW; + } + break; +-- +2.19.1 + diff --git a/queue-5.0/gpio-of-check-propname-before-applying-cs-gpios-quir.patch b/queue-5.0/gpio-of-check-propname-before-applying-cs-gpios-quir.patch new file mode 100644 index 00000000000..f06ffdde49c --- /dev/null +++ b/queue-5.0/gpio-of-check-propname-before-applying-cs-gpios-quir.patch @@ -0,0 +1,41 @@ +From 5fee7146d3a4b373e89b1f1457b9d7b3e80446b7 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Mon, 25 Mar 2019 23:32:08 -0700 +Subject: gpio: of: Check propname before applying "cs-gpios" quirks + +[ Upstream commit e5545c94e43b8f6599ffc01df8d1aedf18ee912a ] + +SPI GPIO device has more than just "cs-gpio" property in its node and +would request those GPIOs as a part of its initialization. To avoid +applying CS-specific quirk to all of them add a check to make sure +that propname is "cs-gpios". + +Signed-off-by: Andrey Smirnov +Cc: Linus Walleij +Cc: Bartosz Golaszewski +Cc: Chris Healy +Cc: linux-gpio@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpio/gpiolib-of.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index a1dd2f1c0d02..9470563f2506 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -119,7 +119,8 @@ static void of_gpio_flags_quirks(struct device_node *np, + * to determine if the flags should have inverted semantics. + */ + if (IS_ENABLED(CONFIG_SPI_MASTER) && +- of_property_read_bool(np, "cs-gpios")) { ++ of_property_read_bool(np, "cs-gpios") && ++ !strcmp(propname, "cs-gpios")) { + struct device_node *child; + u32 cs; + int ret; +-- +2.19.1 + diff --git a/queue-5.0/gpio-of-fix-of_gpiochip_add-error-path.patch b/queue-5.0/gpio-of-fix-of_gpiochip_add-error-path.patch new file mode 100644 index 00000000000..bbaccb8faa2 --- /dev/null +++ b/queue-5.0/gpio-of-fix-of_gpiochip_add-error-path.patch @@ -0,0 +1,48 @@ +From 74c3384847591e2b1f2886d675322657d9f7b33a Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 28 Mar 2019 14:13:47 +0100 +Subject: gpio: of: Fix of_gpiochip_add() error path + +[ Upstream commit f7299d441a4da8a5088e651ea55023525a793a13 ] + +If the call to of_gpiochip_scan_gpios() in of_gpiochip_add() fails, no +error handling is performed. This lead to the need of callers to call +of_gpiochip_remove() on failure, which causes "BAD of_node_put() on ..." +if the failure happened before the call to of_node_get(). + +Fix this by adding proper error handling. + +Note that calling gpiochip_remove_pin_ranges() multiple times causes no +harm: subsequent calls are a no-op. + +Fixes: dfbd379ba9b7431e ("gpio: of: Return error if gpio hog configuration failed") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Mukesh Ojha +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpio/gpiolib-of.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index f1ae28289a67..13a402ede07a 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -712,7 +712,13 @@ int of_gpiochip_add(struct gpio_chip *chip) + + of_node_get(chip->of_node); + +- return of_gpiochip_scan_gpios(chip); ++ status = of_gpiochip_scan_gpios(chip); ++ if (status) { ++ of_node_put(chip->of_node); ++ gpiochip_remove_pin_ranges(chip); ++ } ++ ++ return status; + } + + void of_gpiochip_remove(struct gpio_chip *chip) +-- +2.19.1 + diff --git a/queue-5.0/i2c-i801-add-support-for-intel-comet-lake.patch b/queue-5.0/i2c-i801-add-support-for-intel-comet-lake.patch new file mode 100644 index 00000000000..2e7bd5a72ba --- /dev/null +++ b/queue-5.0/i2c-i801-add-support-for-intel-comet-lake.patch @@ -0,0 +1,82 @@ +From cf3cb089612c271a4b2a3b2978f3de26a38285b8 Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Fri, 15 Mar 2019 12:56:49 +0200 +Subject: i2c: i801: Add support for Intel Comet Lake + +[ Upstream commit 5cd1c56c42beb6d228cc8d4373fdc5f5ec78a5ad ] + +Add PCI ID for Intel Comet Lake PCH. + +Signed-off-by: Jarkko Nikula +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin (Microsoft) +--- + Documentation/i2c/busses/i2c-i801 | 1 + + drivers/i2c/busses/Kconfig | 1 + + drivers/i2c/busses/i2c-i801.c | 4 ++++ + 3 files changed, 6 insertions(+) + +diff --git a/Documentation/i2c/busses/i2c-i801 b/Documentation/i2c/busses/i2c-i801 +index d1ee484a787d..ee9984f35868 100644 +--- a/Documentation/i2c/busses/i2c-i801 ++++ b/Documentation/i2c/busses/i2c-i801 +@@ -36,6 +36,7 @@ Supported adapters: + * Intel Cannon Lake (PCH) + * Intel Cedar Fork (PCH) + * Intel Ice Lake (PCH) ++ * Intel Comet Lake (PCH) + Datasheets: Publicly available at the Intel website + + On Intel Patsburg and later chipsets, both the normal host SMBus controller +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index f2c681971201..f8979abb9a19 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -131,6 +131,7 @@ config I2C_I801 + Cannon Lake (PCH) + Cedar Fork (PCH) + Ice Lake (PCH) ++ Comet Lake (PCH) + + This driver can also be built as a module. If so, the module + will be called i2c-i801. +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index c91e145ef5a5..679c6c41f64b 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -71,6 +71,7 @@ + * Cannon Lake-LP (PCH) 0x9da3 32 hard yes yes yes + * Cedar Fork (PCH) 0x18df 32 hard yes yes yes + * Ice Lake-LP (PCH) 0x34a3 32 hard yes yes yes ++ * Comet Lake (PCH) 0x02a3 32 hard yes yes yes + * + * Features supported by this driver: + * Software PEC no +@@ -240,6 +241,7 @@ + #define PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS 0xa223 + #define PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS 0xa2a3 + #define PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS 0xa323 ++#define PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS 0x02a3 + + struct i801_mux_config { + char *gpio_chip; +@@ -1038,6 +1040,7 @@ static const struct pci_device_id i801_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS) }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_LP_SMBUS) }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS) }, + { 0, } + }; + +@@ -1534,6 +1537,7 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id) + case PCI_DEVICE_ID_INTEL_DNV_SMBUS: + case PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS: + case PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS: ++ case PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS: + priv->features |= FEATURE_I2C_BLOCK_READ; + priv->features |= FEATURE_IRQ; + priv->features |= FEATURE_SMBUS_PEC; +-- +2.19.1 + diff --git a/queue-5.0/ieee802154-hwsim-propagate-genlmsg_reply-return-code.patch b/queue-5.0/ieee802154-hwsim-propagate-genlmsg_reply-return-code.patch new file mode 100644 index 00000000000..29ed2f664c9 --- /dev/null +++ b/queue-5.0/ieee802154-hwsim-propagate-genlmsg_reply-return-code.patch @@ -0,0 +1,32 @@ +From a848f6746df71b7057961bdfbad63c2e1595593a Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Tue, 19 Feb 2019 13:10:29 +0800 +Subject: ieee802154: hwsim: propagate genlmsg_reply return code + +[ Upstream commit 19b39a25388e71390e059906c979f87be4ef0c71 ] + +genlmsg_reply can fail, so propagate its return code + +Signed-off-by: Li RongQing +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ieee802154/mac802154_hwsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index b6743f03dce0..3b88846de31b 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -324,7 +324,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info) + goto out_err; + } + +- genlmsg_reply(skb, info); ++ res = genlmsg_reply(skb, info); + break; + } + +-- +2.19.1 + diff --git a/queue-5.0/iommu-amd-reserve-exclusion-range-in-iova-domain.patch b/queue-5.0/iommu-amd-reserve-exclusion-range-in-iova-domain.patch new file mode 100644 index 00000000000..1815c325bb3 --- /dev/null +++ b/queue-5.0/iommu-amd-reserve-exclusion-range-in-iova-domain.patch @@ -0,0 +1,98 @@ +From 3163c7f6fbea2e701ad283c6cfb39d3db245ac29 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Thu, 28 Mar 2019 11:44:59 +0100 +Subject: iommu/amd: Reserve exclusion range in iova-domain + +[ Upstream commit 8aafaaf2212192012f5bae305bb31cdf7681d777 ] + +If a device has an exclusion range specified in the IVRS +table, this region needs to be reserved in the iova-domain +of that device. This hasn't happened until now and can cause +data corruption on data transfered with these devices. + +Treat exclusion ranges as reserved regions in the iommu-core +to fix the problem. + +Fixes: be2a022c0dd0 ('x86, AMD IOMMU: add functions to parse IOMMU memory mapping requirements for devices') +Signed-off-by: Joerg Roedel +Reviewed-by: Gary R Hook +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/iommu/amd_iommu.c | 9 ++++++--- + drivers/iommu/amd_iommu_init.c | 7 ++++--- + drivers/iommu/amd_iommu_types.h | 2 ++ + 3 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index e628ef23418f..55b3e4b9d5dc 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -3166,21 +3166,24 @@ static void amd_iommu_get_resv_regions(struct device *dev, + return; + + list_for_each_entry(entry, &amd_iommu_unity_map, list) { ++ int type, prot = 0; + size_t length; +- int prot = 0; + + if (devid < entry->devid_start || devid > entry->devid_end) + continue; + ++ type = IOMMU_RESV_DIRECT; + length = entry->address_end - entry->address_start; + if (entry->prot & IOMMU_PROT_IR) + prot |= IOMMU_READ; + if (entry->prot & IOMMU_PROT_IW) + prot |= IOMMU_WRITE; ++ if (entry->prot & IOMMU_UNITY_MAP_FLAG_EXCL_RANGE) ++ /* Exclusion range */ ++ type = IOMMU_RESV_RESERVED; + + region = iommu_alloc_resv_region(entry->address_start, +- length, prot, +- IOMMU_RESV_DIRECT); ++ length, prot, type); + if (!region) { + pr_err("Out of memory allocating dm-regions for %s\n", + dev_name(dev)); +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 66123b911ec8..84fa5b22371e 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -2013,6 +2013,9 @@ static int __init init_unity_map_range(struct ivmd_header *m) + if (e == NULL) + return -ENOMEM; + ++ if (m->flags & IVMD_FLAG_EXCL_RANGE) ++ init_exclusion_range(m); ++ + switch (m->type) { + default: + kfree(e); +@@ -2059,9 +2062,7 @@ static int __init init_memory_definitions(struct acpi_table_header *table) + + while (p < end) { + m = (struct ivmd_header *)p; +- if (m->flags & IVMD_FLAG_EXCL_RANGE) +- init_exclusion_range(m); +- else if (m->flags & IVMD_FLAG_UNITY_MAP) ++ if (m->flags & (IVMD_FLAG_UNITY_MAP | IVMD_FLAG_EXCL_RANGE)) + init_unity_map_range(m); + + p += m->length; +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index eae0741f72dc..87965e4d9647 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -374,6 +374,8 @@ + #define IOMMU_PROT_IR 0x01 + #define IOMMU_PROT_IW 0x02 + ++#define IOMMU_UNITY_MAP_FLAG_EXCL_RANGE (1 << 2) ++ + /* IOMMU capabilities */ + #define IOMMU_CAP_IOTLB 24 + #define IOMMU_CAP_NPCACHE 26 +-- +2.19.1 + diff --git a/queue-5.0/kasan-fix-variable-tag-set-but-not-used-warning.patch b/queue-5.0/kasan-fix-variable-tag-set-but-not-used-warning.patch new file mode 100644 index 00000000000..5f0941e5802 --- /dev/null +++ b/queue-5.0/kasan-fix-variable-tag-set-but-not-used-warning.patch @@ -0,0 +1,47 @@ +From 8178714baa5b31a50cae09c8b0d4cb72a4901ab0 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 28 Mar 2019 20:43:15 -0700 +Subject: kasan: fix variable 'tag' set but not used warning + +[ Upstream commit c412a769d2452161e97f163c4c4f31efc6626f06 ] + +set_tag() compiles away when CONFIG_KASAN_SW_TAGS=n, so make +arch_kasan_set_tag() a static inline function to fix warnings below. + + mm/kasan/common.c: In function '__kasan_kmalloc': + mm/kasan/common.c:475:5: warning: variable 'tag' set but not used [-Wunused-but-set-variable] + u8 tag; + ^~~ + +Link: http://lkml.kernel.org/r/20190307185244.54648-1-cai@lca.pw +Signed-off-by: Qian Cai +Reviewed-by: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin (Microsoft) +--- + mm/kasan/kasan.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h +index ea51b2d898ec..c980ce43e3ba 100644 +--- a/mm/kasan/kasan.h ++++ b/mm/kasan/kasan.h +@@ -164,7 +164,10 @@ static inline u8 random_tag(void) + #endif + + #ifndef arch_kasan_set_tag +-#define arch_kasan_set_tag(addr, tag) ((void *)(addr)) ++static inline const void *arch_kasan_set_tag(const void *addr, u8 tag) ++{ ++ return addr; ++} + #endif + #ifndef arch_kasan_reset_tag + #define arch_kasan_reset_tag(addr) ((void *)(addr)) +-- +2.19.1 + diff --git a/queue-5.0/kbuild-skip-parsing-pre-sub-make-code-for-recursion.patch b/queue-5.0/kbuild-skip-parsing-pre-sub-make-code-for-recursion.patch new file mode 100644 index 00000000000..544df189dc4 --- /dev/null +++ b/queue-5.0/kbuild-skip-parsing-pre-sub-make-code-for-recursion.patch @@ -0,0 +1,68 @@ +From 43c9fd57fe1b6db278d8aac8a1dabab151cdadcb Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 26 Mar 2019 13:02:19 +0900 +Subject: kbuild: skip parsing pre sub-make code for recursion + +[ Upstream commit 221cc2d27ddc49b3e06d4637db02bf78e70c573c ] + +When Make recurses to the top Makefile with sub-make-done unset, +the code block surrounded by 'ifneq ($(sub-make-done),1) ... endif' +is parsed multiple times. This happens for in-tree building of +include/config/auto.conf, *-pkg, etc. with GNU Make 4.x. + +This is a slight regression by commit 688931a5ad4e ("kbuild: skip +sub-make for in-tree build with GNU Make 4.x") in terms of performance +since that code block contains one $(shell ...) invocation. + +Fix it by exporting the variable irrespective of sub-make being run. +I renamed it because GNU Make cannot properly export variables +containing hyphens. This is probably a bug of GNU Make, and the issue +in Kbuild had already been reported by commit 2bfbe7881ee0 ("kbuild: +Do not use hyphen in exported variable name"). + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin (Microsoft) +--- + Makefile | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/Makefile b/Makefile +index c3daaefa979c..12870303a029 100644 +--- a/Makefile ++++ b/Makefile +@@ -31,7 +31,7 @@ _all: + # descending is started. They are now explicitly listed as the + # prepare rule. + +-ifneq ($(sub-make-done),1) ++ifneq ($(sub_make_done),1) + + # Do not use make's built-in rules and variables + # (this increases performance and avoids hard-to-debug behaviour) +@@ -159,6 +159,8 @@ need-sub-make := 1 + $(lastword $(MAKEFILE_LIST)): ; + endif + ++export sub_make_done := 1 ++ + ifeq ($(need-sub-make),1) + + PHONY += $(MAKECMDGOALS) sub-make +@@ -168,12 +170,12 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make + + # Invoke a second make in the output directory, passing relevant variables + sub-make: +- $(Q)$(MAKE) sub-make-done=1 \ ++ $(Q)$(MAKE) \ + $(if $(KBUILD_OUTPUT),-C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR)) \ + -f $(CURDIR)/Makefile $(filter-out _all sub-make,$(MAKECMDGOALS)) + + endif # need-sub-make +-endif # sub-make-done ++endif # sub_make_done + + # We process the rest of the Makefile if this is the final invocation of make + ifeq ($(need-sub-make),) +-- +2.19.1 + diff --git a/queue-5.0/kconfig-mn-conf-handle-backspace-h-key.patch b/queue-5.0/kconfig-mn-conf-handle-backspace-h-key.patch new file mode 100644 index 00000000000..d8c662ab012 --- /dev/null +++ b/queue-5.0/kconfig-mn-conf-handle-backspace-h-key.patch @@ -0,0 +1,65 @@ +From 2472152a14105fcda05bee4aea838e594394e444 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Mon, 25 Mar 2019 15:16:47 +0000 +Subject: kconfig/[mn]conf: handle backspace (^H) key + +[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ] + +Backspace is not working on some terminal emulators which do not send the +key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127). +But currently only '^?' is handled. Let's also handle '^H' for those +terminals. + +Signed-off-by: Changbin Du +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin (Microsoft) +--- + scripts/kconfig/lxdialog/inputbox.c | 3 ++- + scripts/kconfig/nconf.c | 2 +- + scripts/kconfig/nconf.gui.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index 611945611bf8..1dcfb288ee63 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -113,7 +113,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + case KEY_DOWN: + break; + case KEY_BACKSPACE: +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + if (pos) { + wattrset(dialog, dlg.inputbox.atr); + if (input_x == 0) { +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index a4670f4e825a..ac92c0ded6c5 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans) + state->match_direction = FIND_NEXT_MATCH_UP; + *ans = get_mext_match(state->pattern, + state->match_direction); +- } else if (key == KEY_BACKSPACE || key == 127) { ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) { + state->pattern[strlen(state->pattern)-1] = '\0'; + adj_match_dir(&state->match_direction); + } else +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 7be620a1fcdb..77f525a8617c 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window, + case KEY_F(F_EXIT): + case KEY_F(F_BACK): + break; +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + case KEY_BACKSPACE: + if (cursor_position > 0) { + memmove(&result[cursor_position-1], +-- +2.19.1 + diff --git a/queue-5.0/kvm-arm-arm64-fix-handling-of-stage2-huge-mappings.patch b/queue-5.0/kvm-arm-arm64-fix-handling-of-stage2-huge-mappings.patch new file mode 100644 index 00000000000..e47fdfac567 --- /dev/null +++ b/queue-5.0/kvm-arm-arm64-fix-handling-of-stage2-huge-mappings.patch @@ -0,0 +1,156 @@ +From cb13fdb265ce62dd61b72d2b66acf1b83aaeb77a Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Wed, 20 Mar 2019 14:57:19 +0000 +Subject: KVM: arm/arm64: Fix handling of stage2 huge mappings + +[ Upstream commit 3c3736cd32bf5197aed1410ae826d2d254a5b277 ] + +We rely on the mmu_notifier call backs to handle the split/merge +of huge pages and thus we are guaranteed that, while creating a +block mapping, either the entire block is unmapped at stage2 or it +is missing permission. + +However, we miss a case where the block mapping is split for dirty +logging case and then could later be made block mapping, if we cancel the +dirty logging. This not only creates inconsistent TLB entries for +the pages in the the block, but also leakes the table pages for +PMD level. + +Handle this corner case for the huge mappings at stage2 by +unmapping the non-huge mapping for the block. This could potentially +release the upper level table. So we need to restart the table walk +once we unmap the range. + +Fixes : ad361f093c1e31d ("KVM: ARM: Support hugetlbfs backed huge pages") +Reported-by: Zheng Xiang +Cc: Zheng Xiang +Cc: Zenghui Yu +Cc: Christoffer Dall +Signed-off-by: Suzuki K Poulose +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/include/asm/stage2_pgtable.h | 2 + + virt/kvm/arm/mmu.c | 59 +++++++++++++++++++-------- + 2 files changed, 45 insertions(+), 16 deletions(-) + +diff --git a/arch/arm/include/asm/stage2_pgtable.h b/arch/arm/include/asm/stage2_pgtable.h +index de2089501b8b..9e11dce55e06 100644 +--- a/arch/arm/include/asm/stage2_pgtable.h ++++ b/arch/arm/include/asm/stage2_pgtable.h +@@ -75,6 +75,8 @@ static inline bool kvm_stage2_has_pud(struct kvm *kvm) + + #define S2_PMD_MASK PMD_MASK + #define S2_PMD_SIZE PMD_SIZE ++#define S2_PUD_MASK PUD_MASK ++#define S2_PUD_SIZE PUD_SIZE + + static inline bool kvm_stage2_has_pmd(struct kvm *kvm) + { +diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c +index 5cc22cdaa5ba..31e22b615d99 100644 +--- a/virt/kvm/arm/mmu.c ++++ b/virt/kvm/arm/mmu.c +@@ -1060,25 +1060,43 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache + { + pmd_t *pmd, old_pmd; + ++retry: + pmd = stage2_get_pmd(kvm, cache, addr); + VM_BUG_ON(!pmd); + + old_pmd = *pmd; ++ /* ++ * Multiple vcpus faulting on the same PMD entry, can ++ * lead to them sequentially updating the PMD with the ++ * same value. Following the break-before-make ++ * (pmd_clear() followed by tlb_flush()) process can ++ * hinder forward progress due to refaults generated ++ * on missing translations. ++ * ++ * Skip updating the page table if the entry is ++ * unchanged. ++ */ ++ if (pmd_val(old_pmd) == pmd_val(*new_pmd)) ++ return 0; ++ + if (pmd_present(old_pmd)) { + /* +- * Multiple vcpus faulting on the same PMD entry, can +- * lead to them sequentially updating the PMD with the +- * same value. Following the break-before-make +- * (pmd_clear() followed by tlb_flush()) process can +- * hinder forward progress due to refaults generated +- * on missing translations. ++ * If we already have PTE level mapping for this block, ++ * we must unmap it to avoid inconsistent TLB state and ++ * leaking the table page. We could end up in this situation ++ * if the memory slot was marked for dirty logging and was ++ * reverted, leaving PTE level mappings for the pages accessed ++ * during the period. So, unmap the PTE level mapping for this ++ * block and retry, as we could have released the upper level ++ * table in the process. + * +- * Skip updating the page table if the entry is +- * unchanged. ++ * Normal THP split/merge follows mmu_notifier callbacks and do ++ * get handled accordingly. + */ +- if (pmd_val(old_pmd) == pmd_val(*new_pmd)) +- return 0; +- ++ if (!pmd_thp_or_huge(old_pmd)) { ++ unmap_stage2_range(kvm, addr & S2_PMD_MASK, S2_PMD_SIZE); ++ goto retry; ++ } + /* + * Mapping in huge pages should only happen through a + * fault. If a page is merged into a transparent huge +@@ -1090,8 +1108,7 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache + * should become splitting first, unmapped, merged, + * and mapped back in on-demand. + */ +- VM_BUG_ON(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd)); +- ++ WARN_ON_ONCE(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd)); + pmd_clear(pmd); + kvm_tlb_flush_vmid_ipa(kvm, addr); + } else { +@@ -1107,6 +1124,7 @@ static int stage2_set_pud_huge(struct kvm *kvm, struct kvm_mmu_memory_cache *cac + { + pud_t *pudp, old_pud; + ++retry: + pudp = stage2_get_pud(kvm, cache, addr); + VM_BUG_ON(!pudp); + +@@ -1114,14 +1132,23 @@ static int stage2_set_pud_huge(struct kvm *kvm, struct kvm_mmu_memory_cache *cac + + /* + * A large number of vcpus faulting on the same stage 2 entry, +- * can lead to a refault due to the +- * stage2_pud_clear()/tlb_flush(). Skip updating the page +- * tables if there is no change. ++ * can lead to a refault due to the stage2_pud_clear()/tlb_flush(). ++ * Skip updating the page tables if there is no change. + */ + if (pud_val(old_pud) == pud_val(*new_pudp)) + return 0; + + if (stage2_pud_present(kvm, old_pud)) { ++ /* ++ * If we already have table level mapping for this block, unmap ++ * the range for this block and retry. ++ */ ++ if (!stage2_pud_huge(kvm, old_pud)) { ++ unmap_stage2_range(kvm, addr & S2_PUD_MASK, S2_PUD_SIZE); ++ goto retry; ++ } ++ ++ WARN_ON_ONCE(kvm_pud_pfn(old_pud) != kvm_pud_pfn(*new_pudp)); + stage2_pud_clear(kvm, pudp); + kvm_tlb_flush_vmid_ipa(kvm, addr); + } else { +-- +2.19.1 + diff --git a/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch b/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch new file mode 100644 index 00000000000..cd6373f5f6a --- /dev/null +++ b/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch @@ -0,0 +1,99 @@ +From 529c6332bd587e7b93d729c52408be8ec7c9580f Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 19 Mar 2019 12:56:23 +0000 +Subject: KVM: arm/arm64: vgic-its: Take the srcu lock when parsing the + memslots + +[ Upstream commit 7494cec6cb3ba7385a6a223b81906384f15aae34 ] + +Calling kvm_is_visible_gfn() implies that we're parsing the memslots, +and doing this without the srcu lock is frown upon: + +[12704.164532] ============================= +[12704.164544] WARNING: suspicious RCU usage +[12704.164560] 5.1.0-rc1-00008-g600025238f51-dirty #16 Tainted: G W +[12704.164573] ----------------------------- +[12704.164589] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage! +[12704.164602] other info that might help us debug this: +[12704.164616] rcu_scheduler_active = 2, debug_locks = 1 +[12704.164631] 6 locks held by qemu-system-aar/13968: +[12704.164644] #0: 000000007ebdae4f (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0 +[12704.164691] #1: 000000007d751022 (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0 +[12704.164726] #2: 00000000219d2706 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[12704.164761] #3: 00000000a760aecd (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[12704.164794] #4: 000000000ef8e31d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[12704.164827] #5: 000000007a872093 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[12704.164861] stack backtrace: +[12704.164878] CPU: 2 PID: 13968 Comm: qemu-system-aar Tainted: G W 5.1.0-rc1-00008-g600025238f51-dirty #16 +[12704.164887] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019 +[12704.164896] Call trace: +[12704.164910] dump_backtrace+0x0/0x138 +[12704.164920] show_stack+0x24/0x30 +[12704.164934] dump_stack+0xbc/0x104 +[12704.164946] lockdep_rcu_suspicious+0xcc/0x110 +[12704.164958] gfn_to_memslot+0x174/0x190 +[12704.164969] kvm_is_visible_gfn+0x28/0x70 +[12704.164980] vgic_its_check_id.isra.0+0xec/0x1e8 +[12704.164991] vgic_its_save_tables_v0+0x1ac/0x330 +[12704.165001] vgic_its_set_attr+0x298/0x3a0 +[12704.165012] kvm_device_ioctl_attr+0x9c/0xd8 +[12704.165022] kvm_device_ioctl+0x8c/0xf8 +[12704.165035] do_vfs_ioctl+0xc8/0x960 +[12704.165045] ksys_ioctl+0x8c/0xa0 +[12704.165055] __arm64_sys_ioctl+0x28/0x38 +[12704.165067] el0_svc_common+0xd8/0x138 +[12704.165078] el0_svc_handler+0x38/0x78 +[12704.165089] el0_svc+0x8/0xc + +Make sure the lock is taken when doing this. + +Fixes: bf308242ab98 ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock") +Reviewed-by: Eric Auger +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin (Microsoft) +--- + virt/kvm/arm/vgic/vgic-its.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index c41e11fd841c..fcb2fceaa4a5 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -754,8 +754,9 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id, + u64 indirect_ptr, type = GITS_BASER_TYPE(baser); + phys_addr_t base = GITS_BASER_ADDR_48_to_52(baser); + int esz = GITS_BASER_ENTRY_SIZE(baser); +- int index; ++ int index, idx; + gfn_t gfn; ++ bool ret; + + switch (type) { + case GITS_BASER_TYPE_DEVICE: +@@ -782,7 +783,8 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id, + + if (eaddr) + *eaddr = addr; +- return kvm_is_visible_gfn(its->dev->kvm, gfn); ++ ++ goto out; + } + + /* calculate and check the index into the 1st level */ +@@ -812,7 +814,12 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id, + + if (eaddr) + *eaddr = indirect_ptr; +- return kvm_is_visible_gfn(its->dev->kvm, gfn); ++ ++out: ++ idx = srcu_read_lock(&its->dev->kvm->srcu); ++ ret = kvm_is_visible_gfn(its->dev->kvm, gfn); ++ srcu_read_unlock(&its->dev->kvm->srcu, idx); ++ return ret; + } + + static int vgic_its_alloc_collection(struct vgic_its *its, +-- +2.19.1 + diff --git a/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-writi.patch b/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-writi.patch new file mode 100644 index 00000000000..a2e31a41cee --- /dev/null +++ b/queue-5.0/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-writi.patch @@ -0,0 +1,173 @@ +From f2a92c3a530315463cb881b408767426fe86ea9b Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 19 Mar 2019 12:47:11 +0000 +Subject: KVM: arm/arm64: vgic-its: Take the srcu lock when writing to guest + memory + +[ Upstream commit a6ecfb11bf37743c1ac49b266595582b107b61d4 ] + +When halting a guest, QEMU flushes the virtual ITS caches, which +amounts to writing to the various tables that the guest has allocated. + +When doing this, we fail to take the srcu lock, and the kernel +shouts loudly if running a lockdep kernel: + +[ 69.680416] ============================= +[ 69.680819] WARNING: suspicious RCU usage +[ 69.681526] 5.1.0-rc1-00008-g600025238f51-dirty #18 Not tainted +[ 69.682096] ----------------------------- +[ 69.682501] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage! +[ 69.683225] +[ 69.683225] other info that might help us debug this: +[ 69.683225] +[ 69.683975] +[ 69.683975] rcu_scheduler_active = 2, debug_locks = 1 +[ 69.684598] 6 locks held by qemu-system-aar/4097: +[ 69.685059] #0: 0000000034196013 (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0 +[ 69.686087] #1: 00000000f2ed935e (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0 +[ 69.686919] #2: 000000005e71ea54 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[ 69.687698] #3: 00000000c17e548d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[ 69.688475] #4: 00000000ba386017 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[ 69.689978] #5: 00000000c2c3c335 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0 +[ 69.690729] +[ 69.690729] stack backtrace: +[ 69.691151] CPU: 2 PID: 4097 Comm: qemu-system-aar Not tainted 5.1.0-rc1-00008-g600025238f51-dirty #18 +[ 69.691984] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019 +[ 69.692831] Call trace: +[ 69.694072] lockdep_rcu_suspicious+0xcc/0x110 +[ 69.694490] gfn_to_memslot+0x174/0x190 +[ 69.694853] kvm_write_guest+0x50/0xb0 +[ 69.695209] vgic_its_save_tables_v0+0x248/0x330 +[ 69.695639] vgic_its_set_attr+0x298/0x3a0 +[ 69.696024] kvm_device_ioctl_attr+0x9c/0xd8 +[ 69.696424] kvm_device_ioctl+0x8c/0xf8 +[ 69.696788] do_vfs_ioctl+0xc8/0x960 +[ 69.697128] ksys_ioctl+0x8c/0xa0 +[ 69.697445] __arm64_sys_ioctl+0x28/0x38 +[ 69.697817] el0_svc_common+0xd8/0x138 +[ 69.698173] el0_svc_handler+0x38/0x78 +[ 69.698528] el0_svc+0x8/0xc + +The fix is to obviously take the srcu lock, just like we do on the +read side of things since bf308242ab98. One wonders why this wasn't +fixed at the same time, but hey... + +Fixes: bf308242ab98 ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock") +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/include/asm/kvm_mmu.h | 11 +++++++++++ + arch/arm64/include/asm/kvm_mmu.h | 11 +++++++++++ + virt/kvm/arm/vgic/vgic-its.c | 8 ++++---- + virt/kvm/arm/vgic/vgic-v3.c | 4 ++-- + 4 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h +index 3a875fc1b63c..cee06509f00a 100644 +--- a/arch/arm/include/asm/kvm_mmu.h ++++ b/arch/arm/include/asm/kvm_mmu.h +@@ -381,6 +381,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm, + return ret; + } + ++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa, ++ const void *data, unsigned long len) ++{ ++ int srcu_idx = srcu_read_lock(&kvm->srcu); ++ int ret = kvm_write_guest(kvm, gpa, data, len); ++ ++ srcu_read_unlock(&kvm->srcu, srcu_idx); ++ ++ return ret; ++} ++ + static inline void *kvm_get_hyp_vector(void) + { + switch(read_cpuid_part()) { +diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h +index 8af4b1befa42..c246effd1b67 100644 +--- a/arch/arm64/include/asm/kvm_mmu.h ++++ b/arch/arm64/include/asm/kvm_mmu.h +@@ -444,6 +444,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm, + return ret; + } + ++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa, ++ const void *data, unsigned long len) ++{ ++ int srcu_idx = srcu_read_lock(&kvm->srcu); ++ int ret = kvm_write_guest(kvm, gpa, data, len); ++ ++ srcu_read_unlock(&kvm->srcu, srcu_idx); ++ ++ return ret; ++} ++ + #ifdef CONFIG_KVM_INDIRECT_VECTORS + /* + * EL2 vectors can be mapped and rerouted in a number of ways, +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index ab3f47745d9c..c41e11fd841c 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -1919,7 +1919,7 @@ static int vgic_its_save_ite(struct vgic_its *its, struct its_device *dev, + ((u64)ite->irq->intid << KVM_ITS_ITE_PINTID_SHIFT) | + ite->collection->collection_id; + val = cpu_to_le64(val); +- return kvm_write_guest(kvm, gpa, &val, ite_esz); ++ return kvm_write_guest_lock(kvm, gpa, &val, ite_esz); + } + + /** +@@ -2066,7 +2066,7 @@ static int vgic_its_save_dte(struct vgic_its *its, struct its_device *dev, + (itt_addr_field << KVM_ITS_DTE_ITTADDR_SHIFT) | + (dev->num_eventid_bits - 1)); + val = cpu_to_le64(val); +- return kvm_write_guest(kvm, ptr, &val, dte_esz); ++ return kvm_write_guest_lock(kvm, ptr, &val, dte_esz); + } + + /** +@@ -2246,7 +2246,7 @@ static int vgic_its_save_cte(struct vgic_its *its, + ((u64)collection->target_addr << KVM_ITS_CTE_RDBASE_SHIFT) | + collection->collection_id); + val = cpu_to_le64(val); +- return kvm_write_guest(its->dev->kvm, gpa, &val, esz); ++ return kvm_write_guest_lock(its->dev->kvm, gpa, &val, esz); + } + + static int vgic_its_restore_cte(struct vgic_its *its, gpa_t gpa, int esz) +@@ -2317,7 +2317,7 @@ static int vgic_its_save_collection_table(struct vgic_its *its) + */ + val = 0; + BUG_ON(cte_esz > sizeof(val)); +- ret = kvm_write_guest(its->dev->kvm, gpa, &val, cte_esz); ++ ret = kvm_write_guest_lock(its->dev->kvm, gpa, &val, cte_esz); + return ret; + } + +diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c +index 4ee0aeb9a905..89260964be73 100644 +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -358,7 +358,7 @@ int vgic_v3_lpi_sync_pending_status(struct kvm *kvm, struct vgic_irq *irq) + if (status) { + /* clear consumed data */ + val &= ~(1 << bit_nr); +- ret = kvm_write_guest(kvm, ptr, &val, 1); ++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1); + if (ret) + return ret; + } +@@ -409,7 +409,7 @@ int vgic_v3_save_pending_tables(struct kvm *kvm) + else + val &= ~(1 << bit_nr); + +- ret = kvm_write_guest(kvm, ptr, &val, 1); ++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1); + if (ret) + return ret; + } +-- +2.19.1 + diff --git a/queue-5.0/kvm-arm64-reset-the-pmu-in-preemptible-context.patch b/queue-5.0/kvm-arm64-reset-the-pmu-in-preemptible-context.patch new file mode 100644 index 00000000000..b70f11c9199 --- /dev/null +++ b/queue-5.0/kvm-arm64-reset-the-pmu-in-preemptible-context.patch @@ -0,0 +1,54 @@ +From be363a8ca8ca4a9edf2841f89ca973ad0b5eafd4 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 4 Mar 2019 17:37:44 +0000 +Subject: KVM: arm64: Reset the PMU in preemptible context + +[ Upstream commit ebff0b0e3d3c862c16c487959db5e0d879632559 ] + +We've become very cautious to now always reset the vcpu when nothing +is loaded on the physical CPU. To do so, we now disable preemption +and do a kvm_arch_vcpu_put() to make sure we have all the state +in memory (and that it won't be loaded behind out back). + +This now causes issues with resetting the PMU, which calls into perf. +Perf itself uses mutexes, which clashes with the lack of preemption. +It is worth realizing that the PMU is fully emulated, and that +no PMU state is ever loaded on the physical CPU. This means we can +perfectly reset the PMU outside of the non-preemptible section. + +Fixes: e761a927bc9a ("KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded") +Reported-by: Julien Grall +Tested-by: Julien Grall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm64/kvm/reset.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index f16a5f8ff2b4..e2a0500cd7a2 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -123,6 +123,9 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + int ret = -EINVAL; + bool loaded; + ++ /* Reset PMU outside of the non-preemptible section */ ++ kvm_pmu_vcpu_reset(vcpu); ++ + preempt_disable(); + loaded = (vcpu->cpu != -1); + if (loaded) +@@ -170,9 +173,6 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + vcpu->arch.reset_state.reset = false; + } + +- /* Reset PMU */ +- kvm_pmu_vcpu_reset(vcpu); +- + /* Default workaround setup is enabled (if supported) */ + if (kvm_arm_have_ssbd() == KVM_SSBD_KERNEL) + vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG; +-- +2.19.1 + diff --git a/queue-5.0/kvm-nvmx-do-not-inherit-quadrant-and-invalid-for-the.patch b/queue-5.0/kvm-nvmx-do-not-inherit-quadrant-and-invalid-for-the.patch new file mode 100644 index 00000000000..7e8e8570b4f --- /dev/null +++ b/queue-5.0/kvm-nvmx-do-not-inherit-quadrant-and-invalid-for-the.patch @@ -0,0 +1,60 @@ +From be82a40f90829f106d3d425233b60ad2400e8231 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 7 Mar 2019 15:27:43 -0800 +Subject: KVM: nVMX: Do not inherit quadrant and invalid for the root shadow + EPT + +[ Upstream commit 552c69b1dc714854a5f4e27d37a43c6d797adf7d ] + +Explicitly zero out quadrant and invalid instead of inheriting them from +the root_mmu. Functionally, this patch is a nop as we (should) never +set quadrant for a direct mapped (EPT) root_mmu and nested EPT is only +allowed if EPT is used for L1, and the root_mmu will never be invalid at +this point. + +Explicitly setting flags sets the stage for repurposing the legacy +paging bits in role, e.g. nxe, cr0_wp, and sm{a,e}p_andnot_wp, at which +point 'smm' would be the only flag to be inherited from root_mmu. + +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/kvm/mmu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index 9ab33cab9486..acab95dcffb6 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4915,11 +4915,15 @@ static union kvm_mmu_role + kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty, + bool execonly) + { +- union kvm_mmu_role role; ++ union kvm_mmu_role role = {0}; ++ union kvm_mmu_page_role root_base = vcpu->arch.root_mmu.mmu_role.base; + +- /* Base role is inherited from root_mmu */ +- role.base.word = vcpu->arch.root_mmu.mmu_role.base.word; +- role.ext = kvm_calc_mmu_role_ext(vcpu); ++ /* Legacy paging and SMM flags are inherited from root_mmu */ ++ role.base.smm = root_base.smm; ++ role.base.nxe = root_base.nxe; ++ role.base.cr0_wp = root_base.cr0_wp; ++ role.base.smep_andnot_wp = root_base.smep_andnot_wp; ++ role.base.smap_andnot_wp = root_base.smap_andnot_wp; + + role.base.level = PT64_ROOT_4LEVEL; + role.base.direct = false; +@@ -4927,6 +4931,7 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty, + role.base.guest_mode = true; + role.base.access = ACC_ALL; + ++ role.ext = kvm_calc_mmu_role_ext(vcpu); + role.ext.execonly = execonly; + + return role; +-- +2.19.1 + diff --git a/queue-5.0/kvm-selftests-assert-on-exit-reason-in-cr4-cpuid-syn.patch b/queue-5.0/kvm-selftests-assert-on-exit-reason-in-cr4-cpuid-syn.patch new file mode 100644 index 00000000000..c2e8e3ededa --- /dev/null +++ b/queue-5.0/kvm-selftests-assert-on-exit-reason-in-cr4-cpuid-syn.patch @@ -0,0 +1,69 @@ +From 4fa1534c83a1b7a3ea09c5ca34d975ccc1840281 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 13 Mar 2019 13:19:26 -0700 +Subject: KVM: selftests: assert on exit reason in CR4/cpuid sync test + +[ Upstream commit 8df98ae0ab2ead9a02228756eec26f8d7b17f499 ] + +...so that the test doesn't end up in an infinite loop if it fails for +whatever reason, e.g. SHUTDOWN due to gcc inserting stack canary code +into ucall() and attempting to derefence a null segment. + +Fixes: ca359066889f7 ("kvm: selftests: add cr4_cpuid_sync_test") +Cc: Wei Huang +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + .../kvm/x86_64/cr4_cpuid_sync_test.c | 35 ++++++++++--------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c b/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c +index d503a51fad30..7c2c4d4055a8 100644 +--- a/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c ++++ b/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c +@@ -87,22 +87,25 @@ int main(int argc, char *argv[]) + while (1) { + rc = _vcpu_run(vm, VCPU_ID); + +- if (run->exit_reason == KVM_EXIT_IO) { +- switch (get_ucall(vm, VCPU_ID, &uc)) { +- case UCALL_SYNC: +- /* emulate hypervisor clearing CR4.OSXSAVE */ +- vcpu_sregs_get(vm, VCPU_ID, &sregs); +- sregs.cr4 &= ~X86_CR4_OSXSAVE; +- vcpu_sregs_set(vm, VCPU_ID, &sregs); +- break; +- case UCALL_ABORT: +- TEST_ASSERT(false, "Guest CR4 bit (OSXSAVE) unsynchronized with CPUID bit."); +- break; +- case UCALL_DONE: +- goto done; +- default: +- TEST_ASSERT(false, "Unknown ucall 0x%x.", uc.cmd); +- } ++ TEST_ASSERT(run->exit_reason == KVM_EXIT_IO, ++ "Unexpected exit reason: %u (%s),\n", ++ run->exit_reason, ++ exit_reason_str(run->exit_reason)); ++ ++ switch (get_ucall(vm, VCPU_ID, &uc)) { ++ case UCALL_SYNC: ++ /* emulate hypervisor clearing CR4.OSXSAVE */ ++ vcpu_sregs_get(vm, VCPU_ID, &sregs); ++ sregs.cr4 &= ~X86_CR4_OSXSAVE; ++ vcpu_sregs_set(vm, VCPU_ID, &sregs); ++ break; ++ case UCALL_ABORT: ++ TEST_ASSERT(false, "Guest CR4 bit (OSXSAVE) unsynchronized with CPUID bit."); ++ break; ++ case UCALL_DONE: ++ goto done; ++ default: ++ TEST_ASSERT(false, "Unknown ucall 0x%x.", uc.cmd); + } + } + +-- +2.19.1 + diff --git a/queue-5.0/kvm-selftests-complete-io-before-migrating-guest-sta.patch b/queue-5.0/kvm-selftests-complete-io-before-migrating-guest-sta.patch new file mode 100644 index 00000000000..33ccef2b92c --- /dev/null +++ b/queue-5.0/kvm-selftests-complete-io-before-migrating-guest-sta.patch @@ -0,0 +1,126 @@ +From 6f54b5d2ce3c5e4898b040a829e570dbd9f919f0 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 13 Mar 2019 16:49:31 -0700 +Subject: KVM: selftests: complete IO before migrating guest state + +[ Upstream commit 0f73bbc851ed32d22bbd86be09e0365c460bcd2e ] + +Documentation/virtual/kvm/api.txt states: + + NOTE: For KVM_EXIT_IO, KVM_EXIT_MMIO, KVM_EXIT_OSI, KVM_EXIT_PAPR and + KVM_EXIT_EPR the corresponding operations are complete (and guest + state is consistent) only after userspace has re-entered the + kernel with KVM_RUN. The kernel side will first finish incomplete + operations and then check for pending signals. Userspace can + re-enter the guest with an unmasked signal pending to complete + pending operations. + +Because guest state may be inconsistent, starting state migration after +an IO exit without first completing IO may result in test failures, e.g. +a proposed change to KVM's handling of %rip in its fast PIO handling[1] +will cause the new VM, i.e. the post-migration VM, to have its %rip set +to the IN instruction that triggered KVM_EXIT_IO, leading to a test +assertion due to a stage mismatch. + +For simplicitly, require KVM_CAP_IMMEDIATE_EXIT to complete IO and skip +the test if it's not available. The addition of KVM_CAP_IMMEDIATE_EXIT +predates the state selftest by more than a year. + +[1] https://patchwork.kernel.org/patch/10848545/ + +Fixes: fa3899add1056 ("kvm: selftests: add basic test for state save and restore") +Reported-by: Jim Mattson +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + tools/testing/selftests/kvm/include/kvm_util.h | 1 + + tools/testing/selftests/kvm/lib/kvm_util.c | 16 ++++++++++++++++ + .../testing/selftests/kvm/x86_64/state_test.c | 18 ++++++++++++++++-- + 3 files changed, 33 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/kvm/include/kvm_util.h b/tools/testing/selftests/kvm/include/kvm_util.h +index a84785b02557..07b71ad9734a 100644 +--- a/tools/testing/selftests/kvm/include/kvm_util.h ++++ b/tools/testing/selftests/kvm/include/kvm_util.h +@@ -102,6 +102,7 @@ vm_paddr_t addr_gva2gpa(struct kvm_vm *vm, vm_vaddr_t gva); + struct kvm_run *vcpu_state(struct kvm_vm *vm, uint32_t vcpuid); + void vcpu_run(struct kvm_vm *vm, uint32_t vcpuid); + int _vcpu_run(struct kvm_vm *vm, uint32_t vcpuid); ++void vcpu_run_complete_io(struct kvm_vm *vm, uint32_t vcpuid); + void vcpu_set_mp_state(struct kvm_vm *vm, uint32_t vcpuid, + struct kvm_mp_state *mp_state); + void vcpu_regs_get(struct kvm_vm *vm, uint32_t vcpuid, struct kvm_regs *regs); +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c +index b52cfdefecbf..efa0aad8b3c6 100644 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c +@@ -1121,6 +1121,22 @@ int _vcpu_run(struct kvm_vm *vm, uint32_t vcpuid) + return rc; + } + ++void vcpu_run_complete_io(struct kvm_vm *vm, uint32_t vcpuid) ++{ ++ struct vcpu *vcpu = vcpu_find(vm, vcpuid); ++ int ret; ++ ++ TEST_ASSERT(vcpu != NULL, "vcpu not found, vcpuid: %u", vcpuid); ++ ++ vcpu->state->immediate_exit = 1; ++ ret = ioctl(vcpu->fd, KVM_RUN, NULL); ++ vcpu->state->immediate_exit = 0; ++ ++ TEST_ASSERT(ret == -1 && errno == EINTR, ++ "KVM_RUN IOCTL didn't exit immediately, rc: %i, errno: %i", ++ ret, errno); ++} ++ + /* + * VM VCPU Set MP State + * +diff --git a/tools/testing/selftests/kvm/x86_64/state_test.c b/tools/testing/selftests/kvm/x86_64/state_test.c +index 4b3f556265f1..30f75856cf39 100644 +--- a/tools/testing/selftests/kvm/x86_64/state_test.c ++++ b/tools/testing/selftests/kvm/x86_64/state_test.c +@@ -134,6 +134,11 @@ int main(int argc, char *argv[]) + + struct kvm_cpuid_entry2 *entry = kvm_get_supported_cpuid_entry(1); + ++ if (!kvm_check_cap(KVM_CAP_IMMEDIATE_EXIT)) { ++ fprintf(stderr, "immediate_exit not available, skipping test\n"); ++ exit(KSFT_SKIP); ++ } ++ + /* Create VM */ + vm = vm_create_default(VCPU_ID, 0, guest_code); + vcpu_set_cpuid(vm, VCPU_ID, kvm_get_supported_cpuid()); +@@ -156,8 +161,6 @@ int main(int argc, char *argv[]) + stage, run->exit_reason, + exit_reason_str(run->exit_reason)); + +- memset(®s1, 0, sizeof(regs1)); +- vcpu_regs_get(vm, VCPU_ID, ®s1); + switch (get_ucall(vm, VCPU_ID, &uc)) { + case UCALL_ABORT: + TEST_ASSERT(false, "%s at %s:%d", (const char *)uc.args[0], +@@ -176,6 +179,17 @@ int main(int argc, char *argv[]) + uc.args[1] == stage, "Unexpected register values vmexit #%lx, got %lx", + stage, (ulong)uc.args[1]); + ++ /* ++ * When KVM exits to userspace with KVM_EXIT_IO, KVM guarantees ++ * guest state is consistent only after userspace re-enters the ++ * kernel with KVM_RUN. Complete IO prior to migrating state ++ * to a new VM. ++ */ ++ vcpu_run_complete_io(vm, VCPU_ID); ++ ++ memset(®s1, 0, sizeof(regs1)); ++ vcpu_regs_get(vm, VCPU_ID, ®s1); ++ + state = vcpu_save_state(vm, VCPU_ID); + kvm_vm_release(vm); + +-- +2.19.1 + diff --git a/queue-5.0/kvm-selftests-disable-stack-protector-for-all-kvm-te.patch b/queue-5.0/kvm-selftests-disable-stack-protector-for-all-kvm-te.patch new file mode 100644 index 00000000000..858f1af3b24 --- /dev/null +++ b/queue-5.0/kvm-selftests-disable-stack-protector-for-all-kvm-te.patch @@ -0,0 +1,41 @@ +From e35279874a3cabaea532283b39f3d8fb425d7844 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 13 Mar 2019 12:43:14 -0700 +Subject: KVM: selftests: disable stack protector for all KVM tests + +[ Upstream commit ffac839d040619847217647434b2b02469926871 ] + +Since 4.8.3, gcc has enabled -fstack-protector by default. This is +problematic for the KVM selftests as they do not configure fs or gs +segments (the stack canary is pulled from fs:0x28). With the default +behavior, gcc will insert a stack canary on any function that creates +buffers of 8 bytes or more. As a result, ucall() will hit a triple +fault shutdown due to reading a bad fs segment when inserting its +stack canary, i.e. every test fails with an unexpected SHUTDOWN. + +Fixes: 14c47b7530e2d ("kvm: selftests: introduce ucall") +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + tools/testing/selftests/kvm/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile +index 212b8f0032ae..cb4a992d6dd3 100644 +--- a/tools/testing/selftests/kvm/Makefile ++++ b/tools/testing/selftests/kvm/Makefile +@@ -28,8 +28,8 @@ LIBKVM += $(LIBKVM_$(UNAME_M)) + INSTALL_HDR_PATH = $(top_srcdir)/usr + LINUX_HDR_PATH = $(INSTALL_HDR_PATH)/include/ + LINUX_TOOL_INCLUDE = $(top_srcdir)/tools/include +-CFLAGS += -O2 -g -std=gnu99 -no-pie -I$(LINUX_TOOL_INCLUDE) -I$(LINUX_HDR_PATH) -Iinclude -I$( +Date: Wed, 13 Mar 2019 16:19:30 -0700 +Subject: KVM: selftests: explicitly disable PIE for tests + +[ Upstream commit 0a3f29b5a77d6c27796d7a7adabafd199dc066d5 ] + +KVM selftests embed the guest "image" as a function in the test itself +and extract the guest code at runtime by manually parsing the elf +headers. The parsing is very simple and doesn't supporting fancy things +like position independent executables. Recent versions of gcc enable +pie by default, which results in triple fault shutdowns in the guest due +to the virtual address in the headers not matching up with the virtual +address retrieved from the function pointer. + +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + tools/testing/selftests/kvm/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile +index f9a0e9938480..212b8f0032ae 100644 +--- a/tools/testing/selftests/kvm/Makefile ++++ b/tools/testing/selftests/kvm/Makefile +@@ -28,7 +28,7 @@ LIBKVM += $(LIBKVM_$(UNAME_M)) + INSTALL_HDR_PATH = $(top_srcdir)/usr + LINUX_HDR_PATH = $(INSTALL_HDR_PATH)/include/ + LINUX_TOOL_INCLUDE = $(top_srcdir)/tools/include +-CFLAGS += -O2 -g -std=gnu99 -I$(LINUX_TOOL_INCLUDE) -I$(LINUX_HDR_PATH) -Iinclude -I$( +Date: Fri, 15 Feb 2019 17:24:12 +0000 +Subject: KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP + violation) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 05d5a48635259e621ea26d01e8316c6feeb34190 ] + +Errata#1096: + +On a nested data page fault when CR.SMAP=1 and the guest data read +generates a SMAP violation, GuestInstrBytes field of the VMCB on a +VMEXIT will incorrectly return 0h instead the correct guest +instruction bytes . + +Recommend Workaround: + +To determine what instruction the guest was executing the hypervisor +will have to decode the instruction at the instruction pointer. + +The recommended workaround can not be implemented for the SEV +guest because guest memory is encrypted with the guest specific key, +and instruction decoder will not be able to decode the instruction +bytes. If we hit this errata in the SEV guest then log the message +and request a guest shutdown. + +Reported-by: Venkatesh Srinivas +Cc: Jim Mattson +Cc: Tom Lendacky +Cc: Borislav Petkov +Cc: Joerg Roedel +Cc: "Radim Krčmář" +Cc: Paolo Bonzini +Signed-off-by: Brijesh Singh +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/include/asm/kvm_host.h | 2 ++ + arch/x86/kvm/mmu.c | 8 +++++--- + arch/x86/kvm/svm.c | 32 ++++++++++++++++++++++++++++++++ + arch/x86/kvm/vmx/vmx.c | 6 ++++++ + 4 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 71d763ad2637..9f2d890733a9 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1198,6 +1198,8 @@ struct kvm_x86_ops { + int (*nested_enable_evmcs)(struct kvm_vcpu *vcpu, + uint16_t *vmcs_version); + uint16_t (*nested_get_evmcs_version)(struct kvm_vcpu *vcpu); ++ ++ bool (*need_emulation_on_page_fault)(struct kvm_vcpu *vcpu); + }; + + struct kvm_arch_async_pf { +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index acab95dcffb6..77dbb57412cc 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -5395,10 +5395,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, + * This can happen if a guest gets a page-fault on data access but the HW + * table walker is not able to read the instruction page (e.g instruction + * page is not present in memory). In those cases we simply restart the +- * guest. ++ * guest, with the exception of AMD Erratum 1096 which is unrecoverable. + */ +- if (unlikely(insn && !insn_len)) +- return 1; ++ if (unlikely(insn && !insn_len)) { ++ if (!kvm_x86_ops->need_emulation_on_page_fault(vcpu)) ++ return 1; ++ } + + er = x86_emulate_instruction(vcpu, cr2, emulation_type, insn, insn_len); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 516c1de03d47..e544cec812f9 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -7114,6 +7114,36 @@ static int nested_enable_evmcs(struct kvm_vcpu *vcpu, + return -ENODEV; + } + ++static bool svm_need_emulation_on_page_fault(struct kvm_vcpu *vcpu) ++{ ++ bool is_user, smap; ++ ++ is_user = svm_get_cpl(vcpu) == 3; ++ smap = !kvm_read_cr4_bits(vcpu, X86_CR4_SMAP); ++ ++ /* ++ * Detect and workaround Errata 1096 Fam_17h_00_0Fh ++ * ++ * In non SEV guest, hypervisor will be able to read the guest ++ * memory to decode the instruction pointer when insn_len is zero ++ * so we return true to indicate that decoding is possible. ++ * ++ * But in the SEV guest, the guest memory is encrypted with the ++ * guest specific key and hypervisor will not be able to decode the ++ * instruction pointer so we will not able to workaround it. Lets ++ * print the error and request to kill the guest. ++ */ ++ if (is_user && smap) { ++ if (!sev_guest(vcpu->kvm)) ++ return true; ++ ++ pr_err_ratelimited("KVM: Guest triggered AMD Erratum 1096\n"); ++ kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); ++ } ++ ++ return false; ++} ++ + static struct kvm_x86_ops svm_x86_ops __ro_after_init = { + .cpu_has_kvm_support = has_svm, + .disabled_by_bios = is_disabled, +@@ -7247,6 +7277,8 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = { + + .nested_enable_evmcs = nested_enable_evmcs, + .nested_get_evmcs_version = nested_get_evmcs_version, ++ ++ .need_emulation_on_page_fault = svm_need_emulation_on_page_fault, + }; + + static int __init svm_init(void) +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 34499081022c..e7fe8c692362 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7526,6 +7526,11 @@ static int enable_smi_window(struct kvm_vcpu *vcpu) + return 0; + } + ++static bool vmx_need_emulation_on_page_fault(struct kvm_vcpu *vcpu) ++{ ++ return 0; ++} ++ + static __init int hardware_setup(void) + { + unsigned long host_bndcfgs; +@@ -7828,6 +7833,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = { + .set_nested_state = NULL, + .get_vmcs12_pages = NULL, + .nested_enable_evmcs = NULL, ++ .need_emulation_on_page_fault = vmx_need_emulation_on_page_fault, + }; + + static void vmx_cleanup_l1d_flush(void) +-- +2.19.1 + diff --git a/queue-5.0/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emu.patch b/queue-5.0/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emu.patch new file mode 100644 index 00000000000..f63cda1649c --- /dev/null +++ b/queue-5.0/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emu.patch @@ -0,0 +1,42 @@ +From 3ef7ca0381ad3f9c9c1bb40083aca0756cbc05f9 Mon Sep 17 00:00:00 2001 +From: Xiaoyao Li +Date: Fri, 8 Mar 2019 15:57:20 +0800 +Subject: kvm/x86: Move MSR_IA32_ARCH_CAPABILITIES to array emulated_msrs + +[ Upstream commit 2bdb76c015df7125783d8394d6339d181cb5bc30 ] + +Since MSR_IA32_ARCH_CAPABILITIES is emualted unconditionally even if +host doesn't suppot it. We should move it to array emulated_msrs from +arry msrs_to_save, to report to userspace that guest support this msr. + +Signed-off-by: Xiaoyao Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 2db58067bb59..8c9fb6453b2f 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1127,7 +1127,7 @@ static u32 msrs_to_save[] = { + #endif + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA, + MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX, +- MSR_IA32_SPEC_CTRL, MSR_IA32_ARCH_CAPABILITIES, ++ MSR_IA32_SPEC_CTRL, + MSR_IA32_RTIT_CTL, MSR_IA32_RTIT_STATUS, MSR_IA32_RTIT_CR3_MATCH, + MSR_IA32_RTIT_OUTPUT_BASE, MSR_IA32_RTIT_OUTPUT_MASK, + MSR_IA32_RTIT_ADDR0_A, MSR_IA32_RTIT_ADDR0_B, +@@ -1160,6 +1160,7 @@ static u32 emulated_msrs[] = { + + MSR_IA32_TSC_ADJUST, + MSR_IA32_TSCDEADLINE, ++ MSR_IA32_ARCH_CAPABILITIES, + MSR_IA32_MISC_ENABLE, + MSR_IA32_MCG_STATUS, + MSR_IA32_MCG_CTL, +-- +2.19.1 + diff --git a/queue-5.0/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch b/queue-5.0/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..57b59db1f3f --- /dev/null +++ b/queue-5.0/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch @@ -0,0 +1,47 @@ +From 02376a52fa3bab6ad0ead626baa84cce4b09b77a Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sat, 9 Mar 2019 00:04:11 -0600 +Subject: leds: pca9532: fix a potential NULL pointer dereference + +[ Upstream commit 0aab8e4df4702b31314a27ec4b0631dfad0fae0a ] + +In case of_match_device cannot find a match, return -EINVAL to avoid +NULL pointer dereference. + +Fixes: fa4191a609f2 ("leds: pca9532: Add device tree support") +Signed-off-by: Kangjie Lu +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/leds/leds-pca9532.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c +index 7fea18b0c15d..7cb4d685a1f1 100644 +--- a/drivers/leds/leds-pca9532.c ++++ b/drivers/leds/leds-pca9532.c +@@ -513,6 +513,7 @@ static int pca9532_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { + int devid; ++ const struct of_device_id *of_id; + struct pca9532_data *data = i2c_get_clientdata(client); + struct pca9532_platform_data *pca9532_pdata = + dev_get_platdata(&client->dev); +@@ -528,8 +529,11 @@ static int pca9532_probe(struct i2c_client *client, + dev_err(&client->dev, "no platform data\n"); + return -EINVAL; + } +- devid = (int)(uintptr_t)of_match_device( +- of_pca9532_leds_match, &client->dev)->data; ++ of_id = of_match_device(of_pca9532_leds_match, ++ &client->dev); ++ if (unlikely(!of_id)) ++ return -EINVAL; ++ devid = (int)(uintptr_t) of_id->data; + } else { + devid = id->driver_data; + } +-- +2.19.1 + diff --git a/queue-5.0/leds-trigger-netdev-fix-refcnt-leak-on-interface-ren.patch b/queue-5.0/leds-trigger-netdev-fix-refcnt-leak-on-interface-ren.patch new file mode 100644 index 00000000000..525dadd55cf --- /dev/null +++ b/queue-5.0/leds-trigger-netdev-fix-refcnt-leak-on-interface-ren.patch @@ -0,0 +1,77 @@ +From 673b5e9b1d8b29f3904389adef6849d8b29f7b1e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Thu, 28 Feb 2019 22:57:33 +0100 +Subject: leds: trigger: netdev: fix refcnt leak on interface rename +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 4cb6560514fa19d556954b88128f3846fee66a03 ] + +Renaming a netdev-trigger-tracked interface was resulting in an +unbalanced dev_hold(). + +Example: +> iw phy phy0 interface add foo type __ap +> echo netdev > trigger +> echo foo > device_name +> ip link set foo name bar +> iw dev bar del +[ 237.355366] unregister_netdevice: waiting for bar to become free. Usage count = 1 +[ 247.435362] unregister_netdevice: waiting for bar to become free. Usage count = 1 +[ 257.545366] unregister_netdevice: waiting for bar to become free. Usage count = 1 + +Above problem was caused by trigger checking a dev->name which obviously +changes after renaming an interface. It meant missing all further events +including the NETDEV_UNREGISTER which is required for calling dev_put(). + +This change fixes that by: +1) Comparing device struct *address* for notification-filtering purposes +2) Dropping unneeded NETDEV_CHANGENAME code (no behavior change) + +Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger") +Signed-off-by: Rafał Miłecki +Acked-by: Pavel Machek +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/leds/trigger/ledtrig-netdev.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c +index 3dd3ed46d473..167a94c02d05 100644 +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -301,11 +301,11 @@ static int netdev_trig_notify(struct notifier_block *nb, + container_of(nb, struct led_netdev_data, notifier); + + if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE +- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER +- && evt != NETDEV_CHANGENAME) ++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER) + return NOTIFY_DONE; + +- if (strcmp(dev->name, trigger_data->device_name)) ++ if (!(dev == trigger_data->net_dev || ++ (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name)))) + return NOTIFY_DONE; + + cancel_delayed_work_sync(&trigger_data->work); +@@ -320,12 +320,9 @@ static int netdev_trig_notify(struct notifier_block *nb, + dev_hold(dev); + trigger_data->net_dev = dev; + break; +- case NETDEV_CHANGENAME: + case NETDEV_UNREGISTER: +- if (trigger_data->net_dev) { +- dev_put(trigger_data->net_dev); +- trigger_data->net_dev = NULL; +- } ++ dev_put(trigger_data->net_dev); ++ trigger_data->net_dev = NULL; + break; + case NETDEV_UP: + case NETDEV_CHANGE: +-- +2.19.1 + diff --git a/queue-5.0/leds-trigger-netdev-use-memcpy-in-device_name_store.patch b/queue-5.0/leds-trigger-netdev-use-memcpy-in-device_name_store.patch new file mode 100644 index 00000000000..fe3155244ca --- /dev/null +++ b/queue-5.0/leds-trigger-netdev-use-memcpy-in-device_name_store.patch @@ -0,0 +1,54 @@ +From c4eaa2ba7ec8b6c86319bc95fcc15918f891e47a Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Thu, 14 Mar 2019 15:06:14 +0100 +Subject: leds: trigger: netdev: use memcpy in device_name_store + +[ Upstream commit 909346433064b8d840dc82af26161926b8d37558 ] + +If userspace doesn't end the input with a newline (which can easily +happen if the write happens from a C program that does write(fd, +iface, strlen(iface))), we may end up including garbage from a +previous, longer value in the device_name. For example + +# cat device_name + +# printf 'eth12' > device_name +# cat device_name +eth12 +# printf 'eth3' > device_name +# cat device_name +eth32 + +I highly doubt anybody is relying on this behaviour, so switch to +simply copying the bytes (we've already checked that size is < +IFNAMSIZ) and unconditionally zero-terminate it; of course, we also +still have to strip a trailing newline. + +This is also preparation for future patches. + +Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger") +Signed-off-by: Rasmus Villemoes +Acked-by: Pavel Machek +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/leds/trigger/ledtrig-netdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c +index 167a94c02d05..136f86a1627d 100644 +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -122,7 +122,8 @@ static ssize_t device_name_store(struct device *dev, + trigger_data->net_dev = NULL; + } + +- strncpy(trigger_data->device_name, buf, size); ++ memcpy(trigger_data->device_name, buf, size); ++ trigger_data->device_name[size] = 0; + if (size > 0 && trigger_data->device_name[size - 1] == '\n') + trigger_data->device_name[size - 1] = 0; + +-- +2.19.1 + diff --git a/queue-5.0/libata-fix-using-dma-buffers-on-stack.patch b/queue-5.0/libata-fix-using-dma-buffers-on-stack.patch new file mode 100644 index 00000000000..cc65b648310 --- /dev/null +++ b/queue-5.0/libata-fix-using-dma-buffers-on-stack.patch @@ -0,0 +1,87 @@ +From 8f499958f7c396d367ec381430b53486af1af15b Mon Sep 17 00:00:00 2001 +From: raymond pang +Date: Thu, 28 Mar 2019 12:19:25 +0000 +Subject: libata: fix using DMA buffers on stack + +[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ] + +When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for +a stack virtual address. Stack DMA buffers must be avoided. + +Signed-off-by: raymond pang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index b3ed8f9953a8..173e6f2dd9af 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -52,38 +52,52 @@ static int eject_tray(struct ata_device *dev) + /* Per the spec, only slot type and drawer type ODD can be supported */ + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + { +- char buf[16]; ++ char *buf; + unsigned int ret; +- struct rm_feature_desc *desc = (void *)(buf + 8); ++ struct rm_feature_desc *desc; + struct ata_taskfile tf; + static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +- 0, sizeof(buf), ++ 0, 16, + 0, 0, 0, + }; + ++ buf = kzalloc(16, GFP_KERNEL); ++ if (!buf) ++ return ODD_MECH_TYPE_UNSUPPORTED; ++ desc = (void *)(buf + 8); ++ + ata_tf_init(dev, &tf); + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + tf.protocol = ATAPI_PROT_PIO; +- tf.lbam = sizeof(buf); ++ tf.lbam = 16; + + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE, +- buf, sizeof(buf), 0); +- if (ret) ++ buf, 16, 0); ++ if (ret) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (be16_to_cpu(desc->feature_code) != 3) ++ if (be16_to_cpu(desc->feature_code) != 3) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_SLOT; +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1) ++ } else if (desc->mech_type == 1 && desc->load == 0 && ++ desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_DRAWER; +- else ++ } else { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + } + + /* Test if ODD is zero power ready by sense code */ +-- +2.19.1 + diff --git a/queue-5.0/mt76-mt76x2-fix-2.4-ghz-channel-gain-settings.patch b/queue-5.0/mt76-mt76x2-fix-2.4-ghz-channel-gain-settings.patch new file mode 100644 index 00000000000..d8ff0c04c0e --- /dev/null +++ b/queue-5.0/mt76-mt76x2-fix-2.4-ghz-channel-gain-settings.patch @@ -0,0 +1,67 @@ +From 227795b800ebdfeaecd720687a052eeed023c904 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sun, 3 Mar 2019 15:12:14 +0100 +Subject: mt76: mt76x2: fix 2.4 GHz channel gain settings + +[ Upstream commit b8cfd87ac24273e36fbd3ecda631f3ba6566d493 ] + +AGC register 35, 37 override for the low gain setting should only be done +on 5 GHz. Also, 2.4 GHz needs a different value for register 35 + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin (Microsoft) +--- + .../net/wireless/mediatek/mt76/mt76x2/phy.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c +index 11167b7af668..2f618536ef2a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c +@@ -285,6 +285,7 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev) + { + u8 *gain = dev->cal.agc_gain_init; + u8 low_gain_delta, gain_delta; ++ u32 agc_35, agc_37; + bool gain_change; + int low_gain; + u32 val; +@@ -321,6 +322,16 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev) + else + low_gain_delta = 14; + ++ agc_37 = 0x2121262c; ++ if (dev->mt76.chandef.chan->band == NL80211_BAND_2GHZ) ++ agc_35 = 0x11111516; ++ else if (low_gain == 2) ++ agc_35 = agc_37 = 0x08080808; ++ else if (dev->mt76.chandef.width == NL80211_CHAN_WIDTH_80) ++ agc_35 = 0x10101014; ++ else ++ agc_35 = 0x11111116; ++ + if (low_gain == 2) { + mt76_wr(dev, MT_BBP(RXO, 18), 0xf000a990); + mt76_wr(dev, MT_BBP(AGC, 35), 0x08080808); +@@ -329,15 +340,13 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev) + dev->cal.agc_gain_adjust = 0; + } else { + mt76_wr(dev, MT_BBP(RXO, 18), 0xf000a991); +- if (dev->mt76.chandef.width == NL80211_CHAN_WIDTH_80) +- mt76_wr(dev, MT_BBP(AGC, 35), 0x10101014); +- else +- mt76_wr(dev, MT_BBP(AGC, 35), 0x11111116); +- mt76_wr(dev, MT_BBP(AGC, 37), 0x2121262C); + gain_delta = 0; + dev->cal.agc_gain_adjust = low_gain_delta; + } + ++ mt76_wr(dev, MT_BBP(AGC, 35), agc_35); ++ mt76_wr(dev, MT_BBP(AGC, 37), agc_37); ++ + dev->cal.agc_gain_cur[0] = gain[0] - gain_delta; + dev->cal.agc_gain_cur[1] = gain[1] - gain_delta; + mt76x2_phy_set_gain_val(dev); +-- +2.19.1 + diff --git a/queue-5.0/mt76-mt76x2-fix-external-lna-gain-settings.patch b/queue-5.0/mt76-mt76x2-fix-external-lna-gain-settings.patch new file mode 100644 index 00000000000..314a7710aa2 --- /dev/null +++ b/queue-5.0/mt76-mt76x2-fix-external-lna-gain-settings.patch @@ -0,0 +1,41 @@ +From 5e127e83c6f89694eefcf65133651b6858d328f9 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sun, 3 Mar 2019 15:10:00 +0100 +Subject: mt76: mt76x2: fix external LNA gain settings + +[ Upstream commit 45a042e3026824a7e910db7a4dd38fef0540b902 ] + +Devices with external LNA need different values for AGC registers 8 and 9 + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/wireless/mediatek/mt76/mt76x2/phy.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c +index c9634a774705..11167b7af668 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c +@@ -260,10 +260,15 @@ mt76x2_phy_set_gain_val(struct mt76x02_dev *dev) + gain_val[0] = dev->cal.agc_gain_cur[0] - dev->cal.agc_gain_adjust; + gain_val[1] = dev->cal.agc_gain_cur[1] - dev->cal.agc_gain_adjust; + +- if (dev->mt76.chandef.width >= NL80211_CHAN_WIDTH_40) ++ val = 0x1836 << 16; ++ if (!mt76x2_has_ext_lna(dev) && ++ dev->mt76.chandef.width >= NL80211_CHAN_WIDTH_40) + val = 0x1e42 << 16; +- else +- val = 0x1836 << 16; ++ ++ if (mt76x2_has_ext_lna(dev) && ++ dev->mt76.chandef.chan->band == NL80211_BAND_2GHZ && ++ dev->mt76.chandef.width < NL80211_CHAN_WIDTH_40) ++ val = 0x0f36 << 16; + + val |= 0xf8; + +-- +2.19.1 + diff --git a/queue-5.0/mt76x02-fix-hdr-pointer-in-write-txwi-for-usb.patch b/queue-5.0/mt76x02-fix-hdr-pointer-in-write-txwi-for-usb.patch new file mode 100644 index 00000000000..a1b03f88eb5 --- /dev/null +++ b/queue-5.0/mt76x02-fix-hdr-pointer-in-write-txwi-for-usb.patch @@ -0,0 +1,37 @@ +From 36f05f112a87c4671cb86606e99ef7bb21b6899c Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 28 Feb 2019 16:11:06 +0100 +Subject: mt76x02: fix hdr pointer in write txwi for USB + +[ Upstream commit 7b25d3b8e485c7721cba9c71b44d1c286e61c8e7 ] + +Since we add txwi at the begining of skb->data, it no longer point +to ieee80211_hdr. This breaks settings TS bit for probe response and +beacons. + +Acked-by: Lorenzo Bianconi +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c +index 81970cf777c0..8cafa5a749ca 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c +@@ -81,8 +81,9 @@ int mt76x02u_tx_prepare_skb(struct mt76_dev *mdev, void *data, + + mt76x02_insert_hdr_pad(skb); + +- txwi = skb_push(skb, sizeof(struct mt76x02_txwi)); ++ txwi = (struct mt76x02_txwi *)(skb->data - sizeof(struct mt76x02_txwi)); + mt76x02_mac_write_txwi(dev, txwi, skb, wcid, sta, len); ++ skb_push(skb, sizeof(struct mt76x02_txwi)); + + pid = mt76_tx_status_skb_add(mdev, wcid, skb); + txwi->pktid = pid; +-- +2.19.1 + diff --git a/queue-5.0/net-ethernet-ti-fix-possible-object-reference-leak.patch b/queue-5.0/net-ethernet-ti-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..e53b65d350b --- /dev/null +++ b/queue-5.0/net-ethernet-ti-fix-possible-object-reference-leak.patch @@ -0,0 +1,53 @@ +From 5e39db30623654b036d1193cdfce09cf816d2ddf Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:09 +0800 +Subject: net: ethernet: ti: fix possible object reference leak + +[ Upstream commit 75eac7b5f68b0a0671e795ac636457ee27cc11d8 ] + +The call to of_get_child_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/ti/netcp_ethss.c:3661:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function. +./drivers/net/ethernet/ti/netcp_ethss.c:3665:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Wingman Kwok +Cc: Murali Karicheri +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/ti/netcp_ethss.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c +index 5174d318901e..0a920c5936b2 100644 +--- a/drivers/net/ethernet/ti/netcp_ethss.c ++++ b/drivers/net/ethernet/ti/netcp_ethss.c +@@ -3657,12 +3657,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev, + + ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device, + gbe_dev->dma_chan_name, gbe_dev->tx_queue_id); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + ret = netcp_txpipe_open(&gbe_dev->tx_pipe); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + /* Create network interfaces */ + INIT_LIST_HEAD(&gbe_dev->gbe_intf_head); +-- +2.19.1 + diff --git a/queue-5.0/net-ibm-fix-possible-object-reference-leak.patch b/queue-5.0/net-ibm-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..83244ad82c2 --- /dev/null +++ b/queue-5.0/net-ibm-fix-possible-object-reference-leak.patch @@ -0,0 +1,40 @@ +From 0a7567b8989d1ceae6212b541d60ec7e30a7816e Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:08 +0800 +Subject: net: ibm: fix possible object reference leak + +[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ] + +The call to ehea_get_eth_dn returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Douglas Miller +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 3baabdc89726..90b62c1412c8 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3160,6 +3160,7 @@ static ssize_t ehea_probe_port(struct device *dev, + + if (ehea_add_adapter_mr(adapter)) { + pr_err("creating MR failed\n"); ++ of_node_put(eth_dn); + return -EIO; + } + +-- +2.19.1 + diff --git a/queue-5.0/net-ieee802154-fix-a-potential-null-pointer-derefere.patch b/queue-5.0/net-ieee802154-fix-a-potential-null-pointer-derefere.patch new file mode 100644 index 00000000000..f39ef2103a2 --- /dev/null +++ b/queue-5.0/net-ieee802154-fix-a-potential-null-pointer-derefere.patch @@ -0,0 +1,36 @@ +From 9d5b93c6c0b3ac1af71483bfaf5ceb8835c44b82 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 11 Mar 2019 02:25:17 -0500 +Subject: net: ieee802154: fix a potential NULL pointer dereference + +[ Upstream commit 2795e8c251614ac0784c9d41008551109f665716 ] + +In case alloc_ordered_workqueue fails, the fix releases +sources and returns -ENOMEM to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Michael Hennerich +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ieee802154/adf7242.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index cd1d8faccca5..cd6b95e673a5 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1268,6 +1268,10 @@ static int adf7242_probe(struct spi_device *spi) + INIT_DELAYED_WORK(&lp->work, adf7242_rx_cal_work); + lp->wqueue = alloc_ordered_workqueue(dev_name(&spi->dev), + WQ_MEM_RECLAIM); ++ if (unlikely(!lp->wqueue)) { ++ ret = -ENOMEM; ++ goto err_hw_init; ++ } + + ret = adf7242_hw_init(lp); + if (ret) +-- +2.19.1 + diff --git a/queue-5.0/net-ks8851-delay-requesting-irq-until-opened.patch b/queue-5.0/net-ks8851-delay-requesting-irq-until-opened.patch new file mode 100644 index 00000000000..5de261f1fd8 --- /dev/null +++ b/queue-5.0/net-ks8851-delay-requesting-irq-until-opened.patch @@ -0,0 +1,94 @@ +From 5e2f5c0bb7bc3c12540e2df4ab7ceb9e3d42f0da Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Delay requesting IRQ until opened + +[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ] + +The ks8851 driver currently requests the IRQ before registering the +net_device. Because the net_device name is used as IRQ name and is +still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs +apart if multiple ks8851 chips are present. Most other drivers delay +requesting the IRQ until the net_device is opened. Do the same. + +The driver doesn't enable interrupts on the chip before opening the +net_device and disables them when closing it, so there doesn't seem to +be a need to request the IRQ already on probe. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 1633fa5c709c..c9faec4c5b25 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -785,6 +785,15 @@ static void ks8851_tx_work(struct work_struct *work) + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); ++ int ret; ++ ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT, ++ dev->name, ks); ++ if (ret < 0) { ++ netdev_err(dev, "failed to get irq\n"); ++ return ret; ++ } + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +@@ -899,6 +908,8 @@ static int ks8851_net_stop(struct net_device *dev) + dev_kfree_skb(txb); + } + ++ free_irq(dev->irq, ks); ++ + return 0; + } + +@@ -1529,14 +1540,6 @@ static int ks8851_probe(struct spi_device *spi) + ks8851_read_selftest(ks); + ks8851_init_mac(ks); + +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq, +- IRQF_TRIGGER_LOW | IRQF_ONESHOT, +- ndev->name, ks); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to get irq\n"); +- goto err_irq; +- } +- + ret = register_netdev(ndev); + if (ret) { + dev_err(&spi->dev, "failed to register network device\n"); +@@ -1549,11 +1552,7 @@ static int ks8851_probe(struct spi_device *spi) + + return 0; + +- + err_netdev: +- free_irq(ndev->irq, ks); +- +-err_irq: + err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +@@ -1574,7 +1573,6 @@ static int ks8851_remove(struct spi_device *spi) + dev_info(&spi->dev, "remove\n"); + + unregister_netdev(priv->netdev); +- free_irq(spi->irq, priv); + if (gpio_is_valid(priv->gpio)) + gpio_set_value(priv->gpio, 0); + regulator_disable(priv->vdd_reg); +-- +2.19.1 + diff --git a/queue-5.0/net-ks8851-dequeue-rx-packets-explicitly.patch b/queue-5.0/net-ks8851-dequeue-rx-packets-explicitly.patch new file mode 100644 index 00000000000..dec586ab12d --- /dev/null +++ b/queue-5.0/net-ks8851-dequeue-rx-packets-explicitly.patch @@ -0,0 +1,76 @@ +From b0b8f4a14228478fede334a0e9a3510fa95e188d Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Dequeue RX packets explicitly + +[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ] + +The ks8851 driver lets the chip auto-dequeue received packets once they +have been read in full. It achieves that by setting the ADRFE flag in +the RXQCR register ("Auto-Dequeue RXQ Frame Enable"). + +However if allocation of a packet's socket buffer or retrieval of the +packet over the SPI bus fails, the packet will not have been read in +full and is not auto-dequeued. Such partial retrieval of a packet +confuses the chip's RX queue management: On the next RX interrupt, +the first packet read from the queue will be the one left there +previously and this one can be retrieved without issues. But for any +newly received packets, the frame header status and byte count registers +(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval. + +The chip allows explicitly dequeueing a packet from the RX queue by +setting the RRXEF flag in the RXQCR register ("Release RX Error Frame"). +This could be used to dequeue the packet in case of an error, but if +that error is a failed SPI transfer, it is unknown if the packet was +transferred in full and was auto-dequeued or if it was only transferred +in part and requires an explicit dequeue. The safest approach is thus +to always dequeue packets explicitly and forgo auto-dequeueing. + +Without this change, I've witnessed packet retrieval break completely +when an SPI DMA transfer fails, requiring a chip reset. Explicit +dequeueing magically fixes this and makes packet retrieval absolutely +robust for me. + +The chip's documentation suggests auto-dequeuing and uses the RRXEF +flag only to dequeue error frames which the driver doesn't want to +retrieve. But that seems to be a fair-weather approach. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index bd6e9014bc74..a93f8e842c07 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -535,9 +535,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + /* set dma read address */ + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00); + +- /* start the packet dma process, and set auto-dequeue rx */ +- ks8851_wrreg16(ks, KS_RXQCR, +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE); ++ /* start DMA access */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + + if (rxlen > 4) { + unsigned int rxalign; +@@ -568,7 +567,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + } + } + +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); ++ /* end DMA access and dequeue packet */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF); + } + } + +-- +2.19.1 + diff --git a/queue-5.0/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch b/queue-5.0/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch new file mode 100644 index 00000000000..c16c503a4c9 --- /dev/null +++ b/queue-5.0/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch @@ -0,0 +1,45 @@ +From 0fb1d70db8e52c920d3913839882111d29b6479f Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Reassert reset pin if chip ID check fails + +[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ] + +Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and +reset gpio") amended the ks8851 driver to briefly assert the chip's +reset pin on probe. It also amended the probe routine's error path to +reassert the reset pin if a subsequent initialization step fails. + +However the commit misplaced reassertion of the reset pin in the error +path such that it is not performed if the check of the Chip ID and +Enable Register (CIDER) fails. The error path is therefore slightly +asymmetrical to the probe routine's body. Fix it. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Stephen Boyd +Cc: Nishanth Menon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index a93f8e842c07..1633fa5c709c 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -1554,9 +1554,9 @@ static int ks8851_probe(struct spi_device *spi) + free_irq(ndev->irq, ks); + + err_irq: ++err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +-err_id: + regulator_disable(ks->vdd_reg); + err_reg: + regulator_disable(ks->vdd_io); +-- +2.19.1 + diff --git a/queue-5.0/net-ks8851-set-initial-carrier-state-to-down.patch b/queue-5.0/net-ks8851-set-initial-carrier-state-to-down.patch new file mode 100644 index 00000000000..191bab0f629 --- /dev/null +++ b/queue-5.0/net-ks8851-set-initial-carrier-state-to-down.patch @@ -0,0 +1,54 @@ +From 606beabdf6d07f5e364918858cf0e21b32d79bc9 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Set initial carrier state to down + +[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ] + +The ks8851 chip's initial carrier state is down. A Link Change Interrupt +is signaled once interrupts are enabled if the carrier is up. + +The ks8851 driver has it backwards by assuming that the initial carrier +state is up. The state is therefore misrepresented if the interface is +opened with no cable attached. Fix it. + +The Link Change interrupt is sometimes not signaled unless the P1MBSR +register (which contains the Link Status bit) is read on ->ndo_open(). +This might be a hardware erratum. Read the register by calling +mii_check_link(), which has the desirable side effect of setting the +carrier state to down if the cable was detached while the interface was +closed. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index c9faec4c5b25..b83b070a9eec 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -858,6 +858,7 @@ static int ks8851_net_open(struct net_device *dev) + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + + mutex_unlock(&ks->lock); ++ mii_check_link(&ks->mii); + return 0; + } + +@@ -1519,6 +1520,7 @@ static int ks8851_probe(struct spi_device *spi) + + spi_set_drvdata(spi, ks); + ++ netif_carrier_off(ks->netdev); + ndev->if_port = IF_PORT_100BASET; + ndev->netdev_ops = &ks8851_netdev_ops; + ndev->irq = spi->irq; +-- +2.19.1 + diff --git a/queue-5.0/net-macb-add-null-check-for-pclk-and-hclk.patch b/queue-5.0/net-macb-add-null-check-for-pclk-and-hclk.patch new file mode 100644 index 00000000000..9733389522c --- /dev/null +++ b/queue-5.0/net-macb-add-null-check-for-pclk-and-hclk.patch @@ -0,0 +1,50 @@ +From 9eaccdeedff3428117e60b05db6dda59c1431e38 Mon Sep 17 00:00:00 2001 +From: Harini Katakam +Date: Wed, 20 Mar 2019 19:12:22 +0530 +Subject: net: macb: Add null check for PCLK and HCLK + +[ Upstream commit cd5afa91f078c0787be0a62b5ef90301c00b0271 ] + +Both PCLK and HCLK are "required" clocks according to macb devicetree +documentation. There is a chance that devm_clk_get doesn't return a +negative error but just a NULL clock structure instead. In such a case +the driver proceeds as usual and uses pclk value 0 to calculate MDC +divisor which is incorrect. Hence fix the same in clock initialization. + +Signed-off-by: Harini Katakam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/cadence/macb_main.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 2b2882615e8b..6cbe515bfdeb 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3318,14 +3318,20 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk, + *hclk = devm_clk_get(&pdev->dev, "hclk"); + } + +- if (IS_ERR(*pclk)) { ++ if (IS_ERR_OR_NULL(*pclk)) { + err = PTR_ERR(*pclk); ++ if (!err) ++ err = -ENODEV; ++ + dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err); + return err; + } + +- if (IS_ERR(*hclk)) { ++ if (IS_ERR_OR_NULL(*hclk)) { + err = PTR_ERR(*hclk); ++ if (!err) ++ err = -ENODEV; ++ + dev_err(&pdev->dev, "failed to get hclk (%u)\n", err); + return err; + } +-- +2.19.1 + diff --git a/queue-5.0/net-phy-add-dp83825i-to-the-dp83822-driver.patch b/queue-5.0/net-phy-add-dp83825i-to-the-dp83822-driver.patch new file mode 100644 index 00000000000..4f99bacdbd9 --- /dev/null +++ b/queue-5.0/net-phy-add-dp83825i-to-the-dp83822-driver.patch @@ -0,0 +1,84 @@ +From 03014360b5798212824c8dfb41f4a99fbda695d3 Mon Sep 17 00:00:00 2001 +From: Dan Murphy +Date: Wed, 20 Mar 2019 07:36:55 -0500 +Subject: net: phy: Add DP83825I to the DP83822 driver + +[ Upstream commit 06acc17a96215a11134114aee26532b12dc8fde1 ] + +Add the DP83825I ethernet PHY to the DP83822 driver. +These devices share the same WoL register bits and addresses. + +The phy_driver init was made into a macro as there may be future +devices appended to this driver that will share the register space. + +http://www.ti.com/lit/gpn/dp83825i + +Reviewed-by: Florian Fainelli +Signed-off-by: Dan Murphy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/phy/dp83822.c | 34 ++++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 24c7f149f3e6..e11057892f07 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -23,6 +23,8 @@ + #include + + #define DP83822_PHY_ID 0x2000a240 ++#define DP83825I_PHY_ID 0x2000a150 ++ + #define DP83822_DEVADDR 0x1f + + #define MII_DP83822_PHYSCR 0x11 +@@ -312,26 +314,30 @@ static int dp83822_resume(struct phy_device *phydev) + return 0; + } + ++#define DP83822_PHY_DRIVER(_id, _name) \ ++ { \ ++ PHY_ID_MATCH_MODEL(_id), \ ++ .name = (_name), \ ++ .features = PHY_BASIC_FEATURES, \ ++ .soft_reset = dp83822_phy_reset, \ ++ .config_init = dp83822_config_init, \ ++ .get_wol = dp83822_get_wol, \ ++ .set_wol = dp83822_set_wol, \ ++ .ack_interrupt = dp83822_ack_interrupt, \ ++ .config_intr = dp83822_config_intr, \ ++ .suspend = dp83822_suspend, \ ++ .resume = dp83822_resume, \ ++ } ++ + static struct phy_driver dp83822_driver[] = { +- { +- .phy_id = DP83822_PHY_ID, +- .phy_id_mask = 0xfffffff0, +- .name = "TI DP83822", +- .features = PHY_BASIC_FEATURES, +- .config_init = dp83822_config_init, +- .soft_reset = dp83822_phy_reset, +- .get_wol = dp83822_get_wol, +- .set_wol = dp83822_set_wol, +- .ack_interrupt = dp83822_ack_interrupt, +- .config_intr = dp83822_config_intr, +- .suspend = dp83822_suspend, +- .resume = dp83822_resume, +- }, ++ DP83822_PHY_DRIVER(DP83822_PHY_ID, "TI DP83822"), ++ DP83822_PHY_DRIVER(DP83825I_PHY_ID, "TI DP83825I"), + }; + module_phy_driver(dp83822_driver); + + static struct mdio_device_id __maybe_unused dp83822_tbl[] = { + { DP83822_PHY_ID, 0xfffffff0 }, ++ { DP83825I_PHY_ID, 0xfffffff0 }, + { }, + }; + MODULE_DEVICE_TABLE(mdio, dp83822_tbl); +-- +2.19.1 + diff --git a/queue-5.0/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch b/queue-5.0/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch new file mode 100644 index 00000000000..942528be170 --- /dev/null +++ b/queue-5.0/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch @@ -0,0 +1,39 @@ +From 9444fc9e5b17c1eb8b0c968cb6eb00b5f8950887 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Wed, 20 Mar 2019 15:00:15 +0100 +Subject: net/sched: don't dereference a->goto_chain to read the chain index + +[ Upstream commit fe384e2fa36ca084a456fd30558cccc75b4b3fbd ] + +callers of tcf_gact_goto_chain_index() can potentially read an old value +of the chain index, or even dereference a NULL 'goto_chain' pointer, +because 'goto_chain' and 'tcfa_action' are read in the traffic path +without caring of concurrent write in the control path. The most recent +value of chain index can be read also from a->tcfa_action (it's encoded +there together with TC_ACT_GOTO_CHAIN bits), so we don't really need to +dereference 'goto_chain': just read the chain id from the control action. + +Fixes: e457d86ada27 ("net: sched: add couple of goto_chain helpers") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + include/net/tc_act/tc_gact.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/tc_act/tc_gact.h b/include/net/tc_act/tc_gact.h +index ef8dd0db70ce..56935bf027a7 100644 +--- a/include/net/tc_act/tc_gact.h ++++ b/include/net/tc_act/tc_gact.h +@@ -56,7 +56,7 @@ static inline bool is_tcf_gact_goto_chain(const struct tc_action *a) + + static inline u32 tcf_gact_goto_chain_index(const struct tc_action *a) + { +- return a->goto_chain->index; ++ return READ_ONCE(a->tcfa_action) & TC_ACT_EXT_VAL_MASK; + } + + #endif /* __NET_TC_GACT_H */ +-- +2.19.1 + diff --git a/queue-5.0/net-stmmac-don-t-set-own-bit-too-early-for-jumbo-fra.patch b/queue-5.0/net-stmmac-don-t-set-own-bit-too-early-for-jumbo-fra.patch new file mode 100644 index 00000000000..8e8c6ed9cfc --- /dev/null +++ b/queue-5.0/net-stmmac-don-t-set-own-bit-too-early-for-jumbo-fra.patch @@ -0,0 +1,80 @@ +From e761ede5bbf02c3746e7967b607eb2b6743e9c86 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Thu, 14 Mar 2019 21:43:19 +0200 +Subject: net: stmmac: don't set own bit too early for jumbo frames + +[ Upstream commit 80acbed9f8fca1db3fbe915540b756f048aa0fd7 ] + +Commit 0e80bdc9a72d ("stmmac: first frame prep at the end of xmit +routine") overlooked jumbo frames when re-ordering the code, and as a +result the own bit was not getting set anymore for the first jumbo frame +descriptor. Commit 487e2e22ab79 ("net: stmmac: Set OWN bit for jumbo +frames") tried to fix this, but now the bit is getting set too early and +the DMA may start while we are still setting up the remaining descriptors. +And with the chain mode the own bit remains still unset. + +Fix by setting the own bit at the end of xmit also with jumbo frames. + +Fixes: 0e80bdc9a72d ("stmmac: first frame prep at the end of xmit routine") +Fixes: 487e2e22ab79 ("net: stmmac: Set OWN bit for jumbo frames") +Signed-off-by: Aaro Koskinen +Acked-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 4 ++-- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++++++++------ + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +index c0c75c111abb..afed0f0f4027 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +@@ -59,7 +59,7 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum) + + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB); + stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum, +- STMMAC_RING_MODE, 1, false, skb->len); ++ STMMAC_RING_MODE, 0, false, skb->len); + tx_q->tx_skbuff[entry] = NULL; + entry = STMMAC_GET_ENTRY(entry, DMA_TX_SIZE); + +@@ -91,7 +91,7 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum) + tx_q->tx_skbuff_dma[entry].is_jumbo = true; + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB); + stmmac_prepare_tx_desc(priv, desc, 1, nopaged_len, csum, +- STMMAC_RING_MODE, 1, true, skb->len); ++ STMMAC_RING_MODE, 0, true, skb->len); + } + + tx_q->cur_tx = entry; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 1d8d6f2ddfd6..0bc3632880b5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3190,14 +3190,16 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + stmmac_prepare_tx_desc(priv, first, 1, nopaged_len, + csum_insertion, priv->mode, 1, last_segment, + skb->len); +- +- /* The own bit must be the latest setting done when prepare the +- * descriptor and then barrier is needed to make sure that +- * all is coherent before granting the DMA engine. +- */ +- wmb(); ++ } else { ++ stmmac_set_tx_owner(priv, first); + } + ++ /* The own bit must be the latest setting done when prepare the ++ * descriptor and then barrier is needed to make sure that ++ * all is coherent before granting the DMA engine. ++ */ ++ wmb(); ++ + netdev_tx_sent_queue(netdev_get_tx_queue(dev, queue), skb->len); + + stmmac_enable_dma_transmission(priv, priv->ioaddr); +-- +2.19.1 + diff --git a/queue-5.0/net-stmmac-fix-jumbo-frame-sending-with-non-linear-s.patch b/queue-5.0/net-stmmac-fix-jumbo-frame-sending-with-non-linear-s.patch new file mode 100644 index 00000000000..fe71bdd9c9f --- /dev/null +++ b/queue-5.0/net-stmmac-fix-jumbo-frame-sending-with-non-linear-s.patch @@ -0,0 +1,50 @@ +From f9fdfe804faed80ca91fbd035a25863edf6f2d74 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Thu, 14 Mar 2019 21:43:20 +0200 +Subject: net: stmmac: fix jumbo frame sending with non-linear skbs + +[ Upstream commit 58f2ce6f61615dfd8dd3cc01c9e5bb54ed35637e ] + +When sending non-linear skbs with jumbo frames, we set up the non-paged +data and mark that as a last segment, although the paged fragments are +also prepared. This will stall the TX queue and trigger a watchdog warning +(a simple reproducer is to run an iperf client mode TCP test with a large +MTU - networking fails instantly). + +Fix by checking if the skb is non-linear. + +Signed-off-by: Aaro Koskinen +Acked-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +index afed0f0f4027..4d9bcb4d0378 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +@@ -79,7 +79,8 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum) + + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB); + stmmac_prepare_tx_desc(priv, desc, 0, len, csum, +- STMMAC_RING_MODE, 1, true, skb->len); ++ STMMAC_RING_MODE, 1, !skb_is_nonlinear(skb), ++ skb->len); + } else { + des2 = dma_map_single(priv->device, skb->data, + nopaged_len, DMA_TO_DEVICE); +@@ -91,7 +92,8 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum) + tx_q->tx_skbuff_dma[entry].is_jumbo = true; + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB); + stmmac_prepare_tx_desc(priv, desc, 1, nopaged_len, csum, +- STMMAC_RING_MODE, 0, true, skb->len); ++ STMMAC_RING_MODE, 0, !skb_is_nonlinear(skb), ++ skb->len); + } + + tx_q->cur_tx = entry; +-- +2.19.1 + diff --git a/queue-5.0/net-xilinx-fix-possible-object-reference-leak.patch b/queue-5.0/net-xilinx-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..d13f6545720 --- /dev/null +++ b/queue-5.0/net-xilinx-fix-possible-object-reference-leak.patch @@ -0,0 +1,50 @@ +From 87b13e119362f4f432465133bd2f5b2992b615e9 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:07 +0800 +Subject: net: xilinx: fix possible object reference leak + +[ Upstream commit fa3a419d2f674b431d38748cb58fb7da17ee8949 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1624:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1569, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Anirudha Sarangi +Cc: John Linn +Cc: "David S. Miller" +Cc: Michal Simek +Cc: netdev@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 0789d8af7d72..1ef56edb3918 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1575,12 +1575,14 @@ static int axienet_probe(struct platform_device *pdev) + ret = of_address_to_resource(np, 0, &dmares); + if (ret) { + dev_err(&pdev->dev, "unable to get DMA resource\n"); ++ of_node_put(np); + goto free_netdev; + } + lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares); + if (IS_ERR(lp->dma_regs)) { + dev_err(&pdev->dev, "could not map DMA regs\n"); + ret = PTR_ERR(lp->dma_regs); ++ of_node_put(np); + goto free_netdev; + } + lp->rx_irq = irq_of_parse_and_map(np, 1); +-- +2.19.1 + diff --git a/queue-5.0/netfilter-bridge-set-skb-transport_header-before-ent.patch b/queue-5.0/netfilter-bridge-set-skb-transport_header-before-ent.patch new file mode 100644 index 00000000000..8e3e8fe03e3 --- /dev/null +++ b/queue-5.0/netfilter-bridge-set-skb-transport_header-before-ent.patch @@ -0,0 +1,57 @@ +From 1cac12d2847d087212415dcb24a5a5c8def788d7 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 13 Mar 2019 16:33:29 +0800 +Subject: netfilter: bridge: set skb transport_header before entering + NF_INET_PRE_ROUTING + +[ Upstream commit e166e4fdaced850bee3d5ee12a5740258fb30587 ] + +Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"), +skb->transport_header has been always set before entering INET +netfilter. This patch is to set skb->transport_header for bridge +before entering INET netfilter by bridge-nf-call-iptables. + +It also fixes an issue that sctp_error() couldn't compute a right +csum due to unset skb->transport_header. + +Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") +Reported-by: Li Shuang +Suggested-by: Pablo Neira Ayuso +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/bridge/br_netfilter_hooks.c | 1 + + net/bridge/br_netfilter_ipv6.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 40d058378b52..fc605758323b 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -502,6 +502,7 @@ static unsigned int br_nf_pre_routing(void *priv, + nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IP); ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; + + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index 564710f88f93..e88d6641647b 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, + nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IPV6); ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); ++ + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, + br_nf_pre_routing_finish_ipv6); +-- +2.19.1 + diff --git a/queue-5.0/netfilter-fix-netfilter_xt_target_tee-dependencies.patch b/queue-5.0/netfilter-fix-netfilter_xt_target_tee-dependencies.patch new file mode 100644 index 00000000000..6395469b34a --- /dev/null +++ b/queue-5.0/netfilter-fix-netfilter_xt_target_tee-dependencies.patch @@ -0,0 +1,50 @@ +From c3a71cbc7f8884aa64472ae3e784991e4f2c5275 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 13 Mar 2019 22:15:59 +0100 +Subject: netfilter: fix NETFILTER_XT_TARGET_TEE dependencies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d1fa381033eb718df5c602f64b6e88676138dfc6 ] + +With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link +error when referencing the NF_DUP_IPV6 module: + +net/netfilter/xt_TEE.o: In function `tee_tg6': +xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6' + +The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES' +that forces NF_DUP_IPV6 to be =m as well rather than setting it +to =y as was intended here. Adding a soft dependency on +IP6_NF_IPTABLES avoids that broken configuration. + +Fixes: 5d400a4933e8 ("netfilter: Kconfig: Change select IPv6 dependencies") +Cc: Máté Eckl +Cc: Taehee Yoo +Link: https://patchwork.ozlabs.org/patch/999498/ +Link: https://lore.kernel.org/patchwork/patch/960062/ +Reported-by: Randy Dunlap +Reported-by: Stephen Rothwell +Signed-off-by: Arnd Bergmann +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/netfilter/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig +index beb3a69ce1d4..0f0e5806bf77 100644 +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -995,6 +995,7 @@ config NETFILTER_XT_TARGET_TEE + depends on NETFILTER_ADVANCED + depends on IPV6 || IPV6=n + depends on !NF_CONNTRACK || NF_CONNTRACK ++ depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES + select NF_DUP_IPV4 + select NF_DUP_IPV6 if IP6_NF_IPTABLES + ---help--- +-- +2.19.1 + diff --git a/queue-5.0/netfilter-ip6t_srh-fix-null-pointer-dereferences.patch b/queue-5.0/netfilter-ip6t_srh-fix-null-pointer-dereferences.patch new file mode 100644 index 00000000000..a7b4912e3e8 --- /dev/null +++ b/queue-5.0/netfilter-ip6t_srh-fix-null-pointer-dereferences.patch @@ -0,0 +1,54 @@ +From 49ded238ea28128cb638c4d4755462feadd819fa Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 02:58:18 -0500 +Subject: netfilter: ip6t_srh: fix NULL pointer dereferences + +[ Upstream commit 6d65561f3d5ec933151939c543d006b79044e7a6 ] + +skb_header_pointer may return NULL. The current code dereference +its return values without a NULL check. + +The fix inserts the checks to avoid NULL pointer dereferences. + +Fixes: 202a8ff545cc ("netfilter: add IPv6 segment routing header 'srh' match") +Signed-off-by: Kangjie Lu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/ipv6/netfilter/ip6t_srh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c +index 1059894a6f4c..4cb83fb69844 100644 +--- a/net/ipv6/netfilter/ip6t_srh.c ++++ b/net/ipv6/netfilter/ip6t_srh.c +@@ -210,6 +210,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) + psidoff = srhoff + sizeof(struct ipv6_sr_hdr) + + ((srh->segments_left + 1) * sizeof(struct in6_addr)); + psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid); ++ if (!psid) ++ return false; + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID, + ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk, + &srhinfo->psid_addr))) +@@ -223,6 +225,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) + nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) + + ((srh->segments_left - 1) * sizeof(struct in6_addr)); + nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid); ++ if (!nsid) ++ return false; + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID, + ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk, + &srhinfo->nsid_addr))) +@@ -233,6 +237,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) + if (srhinfo->mt_flags & IP6T_SRH_LSID) { + lsidoff = srhoff + sizeof(struct ipv6_sr_hdr); + lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid); ++ if (!lsid) ++ return false; + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID, + ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk, + &srhinfo->lsid_addr))) +-- +2.19.1 + diff --git a/queue-5.0/netfilter-nft_set_rbtree-check-for-inactive-element-.patch b/queue-5.0/netfilter-nft_set_rbtree-check-for-inactive-element-.patch new file mode 100644 index 00000000000..ccbd6e3f216 --- /dev/null +++ b/queue-5.0/netfilter-nft_set_rbtree-check-for-inactive-element-.patch @@ -0,0 +1,49 @@ +From 1f89c8986b37608f812e97b78e2c7776c849480a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 12 Mar 2019 12:10:59 +0100 +Subject: netfilter: nft_set_rbtree: check for inactive element after flag + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 05b7639da55f5555b9866a1f4b7e8995232a6323 ] + +Otherwise, we hit bogus ENOENT when removing elements. + +Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates") +Reported-by: Václav Zindulka +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/netfilter/nft_set_rbtree.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index fa61208371f8..321a0036fdf5 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -308,10 +308,6 @@ static void *nft_rbtree_deactivate(const struct net *net, + else if (d > 0) + parent = parent->rb_right; + else { +- if (!nft_set_elem_active(&rbe->ext, genmask)) { +- parent = parent->rb_left; +- continue; +- } + if (nft_rbtree_interval_end(rbe) && + !nft_rbtree_interval_end(this)) { + parent = parent->rb_left; +@@ -320,6 +316,9 @@ static void *nft_rbtree_deactivate(const struct net *net, + nft_rbtree_interval_end(this)) { + parent = parent->rb_right; + continue; ++ } else if (!nft_set_elem_active(&rbe->ext, genmask)) { ++ parent = parent->rb_left; ++ continue; + } + nft_rbtree_flush(net, set, rbe); + return rbe; +-- +2.19.1 + diff --git a/queue-5.0/nfs-fix-a-typo-in-nfs_init_timeout_values.patch b/queue-5.0/nfs-fix-a-typo-in-nfs_init_timeout_values.patch new file mode 100644 index 00000000000..757b1c17690 --- /dev/null +++ b/queue-5.0/nfs-fix-a-typo-in-nfs_init_timeout_values.patch @@ -0,0 +1,34 @@ +From 6199159483b5f0b8c4cb628bda0bd8adfac5b949 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 21 Mar 2019 17:57:56 -0400 +Subject: NFS: Fix a typo in nfs_init_timeout_values() + +[ Upstream commit 5a698243930c441afccec04e4d5dc8febfd2b775 ] + +Specifying a retrans=0 mount parameter to a NFS/TCP mount, is +inadvertently causing the NFS client to rewrite any specified +timeout parameter to the default of 60 seconds. + +Fixes: a956beda19a6 ("NFS: Allow the mount option retrans=0") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index fb1cf1a4bda2..90d71fda65ce 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -453,7 +453,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto, + case XPRT_TRANSPORT_RDMA: + if (retrans == NFS_UNSPEC_RETRANS) + to->to_retries = NFS_DEF_TCP_RETRANS; +- if (timeo == NFS_UNSPEC_TIMEO || to->to_retries == 0) ++ if (timeo == NFS_UNSPEC_TIMEO || to->to_initval == 0) + to->to_initval = NFS_DEF_TCP_TIMEO * HZ / 10; + if (to->to_initval > NFS_MAX_TCP_TIMEOUT) + to->to_initval = NFS_MAX_TCP_TIMEOUT; +-- +2.19.1 + diff --git a/queue-5.0/nvme-multipath-relax-ana-state-check.patch b/queue-5.0/nvme-multipath-relax-ana-state-check.patch new file mode 100644 index 00000000000..aacba0fdcea --- /dev/null +++ b/queue-5.0/nvme-multipath-relax-ana-state-check.patch @@ -0,0 +1,45 @@ +From 5e1fdd7f9741980139942f55281ec9660d5c3e85 Mon Sep 17 00:00:00 2001 +From: Martin George +Date: Wed, 27 Mar 2019 09:52:56 +0100 +Subject: nvme-multipath: relax ANA state check + +[ Upstream commit cc2278c413c3a06a93c23ee8722e4dd3d621de12 ] + +When undergoing state transitions I/O might be requeued, hence +we should always call nvme_mpath_set_live() to schedule requeue_work +whenever the nvme device is live, independent on whether the +old state was live or not. + +Signed-off-by: Martin George +Signed-off-by: Gargi Srinivas +Signed-off-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/nvme/host/multipath.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index b9fff3b8ed1b..23da7beadd62 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -366,15 +366,12 @@ static inline bool nvme_state_is_live(enum nvme_ana_state state) + static void nvme_update_ns_ana_state(struct nvme_ana_group_desc *desc, + struct nvme_ns *ns) + { +- enum nvme_ana_state old; +- + mutex_lock(&ns->head->lock); +- old = ns->ana_state; + ns->ana_grpid = le32_to_cpu(desc->grpid); + ns->ana_state = desc->state; + clear_bit(NVME_NS_ANA_PENDING, &ns->flags); + +- if (nvme_state_is_live(ns->ana_state) && !nvme_state_is_live(old)) ++ if (nvme_state_is_live(ns->ana_state)) + nvme_mpath_set_live(ns); + mutex_unlock(&ns->head->lock); + } +-- +2.19.1 + diff --git a/queue-5.0/nvmet-fix-building-bvec-from-sg-list.patch b/queue-5.0/nvmet-fix-building-bvec-from-sg-list.patch new file mode 100644 index 00000000000..b0821c4d6e5 --- /dev/null +++ b/queue-5.0/nvmet-fix-building-bvec-from-sg-list.patch @@ -0,0 +1,90 @@ +From 32e7b361aced933a94b3ddd1fb3cb5578e45f415 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Wed, 27 Mar 2019 17:07:22 +0800 +Subject: nvmet: fix building bvec from sg list + +[ Upstream commit 02db99548d3608a625cf481cff2bb7b626829b3f ] + +There are two mistakes for building bvec from sg list for file +backed ns: + +- use request data length to compute number of io vector, this way +doesn't consider sg->offset, and the result may be smaller than required +io vectors + +- bvec->bv_len isn't capped by sg->length + +This patch fixes this issue by building bvec from sg directly, given +the whole IO stack is ready for multi-page bvec. + +Reported-by: Yi Zhang +Fixes: 3a85a5de29ea ("nvme-loop: add a NVMe loopback host driver") + +Signed-off-by: Ming Lei +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/nvme/target/io-cmd-file.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c +index 517522305e5c..9a0fa3943ca7 100644 +--- a/drivers/nvme/target/io-cmd-file.c ++++ b/drivers/nvme/target/io-cmd-file.c +@@ -75,11 +75,11 @@ int nvmet_file_ns_enable(struct nvmet_ns *ns) + return ret; + } + +-static void nvmet_file_init_bvec(struct bio_vec *bv, struct sg_page_iter *iter) ++static void nvmet_file_init_bvec(struct bio_vec *bv, struct scatterlist *sg) + { +- bv->bv_page = sg_page_iter_page(iter); +- bv->bv_offset = iter->sg->offset; +- bv->bv_len = PAGE_SIZE - iter->sg->offset; ++ bv->bv_page = sg_page(sg); ++ bv->bv_offset = sg->offset; ++ bv->bv_len = sg->length; + } + + static ssize_t nvmet_file_submit_bvec(struct nvmet_req *req, loff_t pos, +@@ -128,14 +128,14 @@ static void nvmet_file_io_done(struct kiocb *iocb, long ret, long ret2) + + static bool nvmet_file_execute_io(struct nvmet_req *req, int ki_flags) + { +- ssize_t nr_bvec = DIV_ROUND_UP(req->data_len, PAGE_SIZE); +- struct sg_page_iter sg_pg_iter; ++ ssize_t nr_bvec = req->sg_cnt; + unsigned long bv_cnt = 0; + bool is_sync = false; + size_t len = 0, total_len = 0; + ssize_t ret = 0; + loff_t pos; +- ++ int i; ++ struct scatterlist *sg; + + if (req->f.mpool_alloc && nr_bvec > NVMET_MAX_MPOOL_BVEC) + is_sync = true; +@@ -147,8 +147,8 @@ static bool nvmet_file_execute_io(struct nvmet_req *req, int ki_flags) + } + + memset(&req->f.iocb, 0, sizeof(struct kiocb)); +- for_each_sg_page(req->sg, &sg_pg_iter, req->sg_cnt, 0) { +- nvmet_file_init_bvec(&req->f.bvec[bv_cnt], &sg_pg_iter); ++ for_each_sg(req->sg, sg, req->sg_cnt, i) { ++ nvmet_file_init_bvec(&req->f.bvec[bv_cnt], sg); + len += req->f.bvec[bv_cnt].bv_len; + total_len += req->f.bvec[bv_cnt].bv_len; + bv_cnt++; +@@ -225,7 +225,7 @@ static void nvmet_file_submit_buffered_io(struct nvmet_req *req) + + static void nvmet_file_execute_rw(struct nvmet_req *req) + { +- ssize_t nr_bvec = DIV_ROUND_UP(req->data_len, PAGE_SIZE); ++ ssize_t nr_bvec = req->sg_cnt; + + if (!req->sg_cnt || !nr_bvec) { + nvmet_req_complete(req, 0); +-- +2.19.1 + diff --git a/queue-5.0/nvmet-fix-error-flow-during-ns-enable.patch b/queue-5.0/nvmet-fix-error-flow-during-ns-enable.patch new file mode 100644 index 00000000000..e9b77325548 --- /dev/null +++ b/queue-5.0/nvmet-fix-error-flow-during-ns-enable.patch @@ -0,0 +1,43 @@ +From 9e839d40bbbde8f402e5cfff64bae885304e0177 Mon Sep 17 00:00:00 2001 +From: Max Gurtovoy +Date: Thu, 28 Mar 2019 12:54:03 +0200 +Subject: nvmet: fix error flow during ns enable + +[ Upstream commit a536b49785759bf99465fdf6e248d34322123fcd ] + +In case we fail to enable p2pmem on the current namespace, disable the +backing store device before exiting. + +Cc: Stephen Bates +Signed-off-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/nvme/target/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 02c63c463222..7bad21a2283f 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -517,7 +517,7 @@ int nvmet_ns_enable(struct nvmet_ns *ns) + + ret = nvmet_p2pmem_ns_enable(ns); + if (ret) +- goto out_unlock; ++ goto out_dev_disable; + + list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry) + nvmet_p2pmem_ns_add_p2p(ctrl, ns); +@@ -558,7 +558,7 @@ int nvmet_ns_enable(struct nvmet_ns *ns) + out_dev_put: + list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry) + pci_dev_put(radix_tree_delete(&ctrl->p2p_ns_map, ns->nsid)); +- ++out_dev_disable: + nvmet_ns_dev_disable(ns); + goto out_unlock; + } +-- +2.19.1 + diff --git a/queue-5.0/perf-cs-etm-add-missing-case-value.patch b/queue-5.0/perf-cs-etm-add-missing-case-value.patch new file mode 100644 index 00000000000..708212d970a --- /dev/null +++ b/queue-5.0/perf-cs-etm-add-missing-case-value.patch @@ -0,0 +1,75 @@ +From e4ee39eebaa9cfdf2abf7f93ffbb313ad10db9c5 Mon Sep 17 00:00:00 2001 +From: Solomon Tan +Date: Fri, 22 Mar 2019 13:22:55 +0800 +Subject: perf cs-etm: Add missing case value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c8fa7a807f3c5f946bd92076fbaf7826edb650dc ] + +The following error was thrown when compiling `tools/perf` using OpenCSD +v0.11.1. This patch fixes said error. + + CC util/intel-pt-decoder/intel-pt-log.o + CC util/cs-etm-decoder/cs-etm-decoder.o + util/cs-etm-decoder/cs-etm-decoder.c: In function + ‘cs_etm_decoder__buffer_range’: + util/cs-etm-decoder/cs-etm-decoder.c:370:2: error: enumeration value + ‘OCSD_INSTR_WFI_WFE’ not handled in switch [-Werror=switch-enum] + switch (elem->last_i_type) { + ^~~~~~ + CC util/intel-pt-decoder/intel-pt-decoder.o + cc1: all warnings being treated as errors + +Because `OCSD_INSTR_WFI_WFE` case was added only in v0.11.0, the minimum +required OpenCSD library version for this patch is no longer v0.10.0. + +Signed-off-by: Solomon Tan +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Robert Walker +Cc: Suzuki K Poulouse +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190322052255.GA4809@w-OptiPlex-7050 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin (Microsoft) +--- + tools/build/feature/test-libopencsd.c | 4 ++-- + tools/perf/util/cs-etm-decoder/cs-etm-decoder.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/build/feature/test-libopencsd.c b/tools/build/feature/test-libopencsd.c +index d68eb4fb40cc..2b0e02c38870 100644 +--- a/tools/build/feature/test-libopencsd.c ++++ b/tools/build/feature/test-libopencsd.c +@@ -4,9 +4,9 @@ + /* + * Check OpenCSD library version is sufficient to provide required features + */ +-#define OCSD_MIN_VER ((0 << 16) | (10 << 8) | (0)) ++#define OCSD_MIN_VER ((0 << 16) | (11 << 8) | (0)) + #if !defined(OCSD_VER_NUM) || (OCSD_VER_NUM < OCSD_MIN_VER) +-#error "OpenCSD >= 0.10.0 is required" ++#error "OpenCSD >= 0.11.0 is required" + #endif + + int main(void) +diff --git a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c +index 8c155575c6c5..2a8bf6b45a30 100644 +--- a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c ++++ b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c +@@ -374,6 +374,7 @@ cs_etm_decoder__buffer_range(struct cs_etm_decoder *decoder, + break; + case OCSD_INSTR_ISB: + case OCSD_INSTR_DSB_DMB: ++ case OCSD_INSTR_WFI_WFE: + case OCSD_INSTR_OTHER: + default: + packet->last_instr_taken_branch = false; +-- +2.19.1 + diff --git a/queue-5.0/perf-machine-update-kernel-map-address-and-re-order-.patch b/queue-5.0/perf-machine-update-kernel-map-address-and-re-order-.patch new file mode 100644 index 00000000000..26c822c84ce --- /dev/null +++ b/queue-5.0/perf-machine-update-kernel-map-address-and-re-order-.patch @@ -0,0 +1,135 @@ +From a0d9c301217ea2a499364ef75bde6bf7eaeb7dc8 Mon Sep 17 00:00:00 2001 +From: Wei Li +Date: Thu, 28 Feb 2019 17:20:03 +0800 +Subject: perf machine: Update kernel map address and re-order properly + +[ Upstream commit 977c7a6d1e263ff1d755f28595b99e4bc0c48a9f ] + +Since commit 1fb87b8e9599 ("perf machine: Don't search for active kernel +start in __machine__create_kernel_maps"), the __machine__create_kernel_maps() +just create a map what start and end are both zero. Though the address will be +updated later, the order of map in the rbtree may be incorrect. + +The commit ee05d21791db ("perf machine: Set main kernel end address properly") +fixed the logic in machine__create_kernel_maps(), but it's still wrong in +function machine__process_kernel_mmap_event(). + +To reproduce this issue, we need an environment which the module address +is before the kernel text segment. I tested it on an aarch64 machine with +kernel 4.19.25: + + [root@localhost hulk]# grep _stext /proc/kallsyms + ffff000008081000 T _stext + [root@localhost hulk]# grep _etext /proc/kallsyms + ffff000009780000 R _etext + [root@localhost hulk]# tail /proc/modules + hisi_sas_v2_hw 77824 0 - Live 0xffff00000191d000 + nvme_core 126976 7 nvme, Live 0xffff0000018b6000 + mdio 20480 1 ixgbe, Live 0xffff0000018ab000 + hisi_sas_main 106496 1 hisi_sas_v2_hw, Live 0xffff000001861000 + hns_mdio 20480 2 - Live 0xffff000001822000 + hnae 28672 3 hns_dsaf,hns_enet_drv, Live 0xffff000001815000 + dm_mirror 40960 0 - Live 0xffff000001804000 + dm_region_hash 32768 1 dm_mirror, Live 0xffff0000017f5000 + dm_log 32768 2 dm_mirror,dm_region_hash, Live 0xffff0000017e7000 + dm_mod 315392 17 dm_mirror,dm_log, Live 0xffff000001780000 + [root@localhost hulk]# + +Before fix: + + [root@localhost bin]# perf record sleep 3 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.011 MB perf.data (9 samples) ] + [root@localhost bin]# perf buildid-list -i perf.data + 4c4e46c971ca935f781e603a09b52a92e8bdfee8 [vdso] + [root@localhost bin]# perf buildid-list -i perf.data -H + 0000000000000000000000000000000000000000 /proc/kcore + [root@localhost bin]# + +After fix: + + [root@localhost tools]# ./perf/perf record sleep 3 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.011 MB perf.data (9 samples) ] + [root@localhost tools]# ./perf/perf buildid-list -i perf.data + 28a6c690262896dbd1b5e1011ed81623e6db0610 [kernel.kallsyms] + 106c14ce6e4acea3453e484dc604d66666f08a2f [vdso] + [root@localhost tools]# ./perf/perf buildid-list -i perf.data -H + 28a6c690262896dbd1b5e1011ed81623e6db0610 /proc/kcore + +Signed-off-by: Wei Li +Acked-by: Jiri Olsa +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Hanjun Guo +Cc: Kim Phillips +Cc: Li Bin +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190228092003.34071-1-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin (Microsoft) +--- + tools/perf/util/machine.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index 143f7057d581..596db1daee35 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -1358,6 +1358,20 @@ static void machine__set_kernel_mmap(struct machine *machine, + machine->vmlinux_map->end = ~0ULL; + } + ++static void machine__update_kernel_mmap(struct machine *machine, ++ u64 start, u64 end) ++{ ++ struct map *map = machine__kernel_map(machine); ++ ++ map__get(map); ++ map_groups__remove(&machine->kmaps, map); ++ ++ machine__set_kernel_mmap(machine, start, end); ++ ++ map_groups__insert(&machine->kmaps, map); ++ map__put(map); ++} ++ + int machine__create_kernel_maps(struct machine *machine) + { + struct dso *kernel = machine__get_kernel(machine); +@@ -1390,17 +1404,11 @@ int machine__create_kernel_maps(struct machine *machine) + goto out_put; + } + +- /* we have a real start address now, so re-order the kmaps */ +- map = machine__kernel_map(machine); +- +- map__get(map); +- map_groups__remove(&machine->kmaps, map); +- +- /* assume it's the last in the kmaps */ +- machine__set_kernel_mmap(machine, addr, ~0ULL); +- +- map_groups__insert(&machine->kmaps, map); +- map__put(map); ++ /* ++ * we have a real start address now, so re-order the kmaps ++ * assume it's the last in the kmaps ++ */ ++ machine__update_kernel_mmap(machine, addr, ~0ULL); + } + + if (machine__create_extra_kernel_maps(machine, kernel)) +@@ -1536,7 +1544,7 @@ static int machine__process_kernel_mmap_event(struct machine *machine, + if (strstr(kernel->long_name, "vmlinux")) + dso__set_short_name(kernel, "[kernel.vmlinux]", false); + +- machine__set_kernel_mmap(machine, event->mmap.start, ++ machine__update_kernel_mmap(machine, event->mmap.start, + event->mmap.start + event->mmap.len); + + /* +-- +2.19.1 + diff --git a/queue-5.0/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch b/queue-5.0/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch new file mode 100644 index 00000000000..615232f550a --- /dev/null +++ b/queue-5.0/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch @@ -0,0 +1,134 @@ +From 276397c581886fab98b6b4b4b4e3be7dcae38701 Mon Sep 17 00:00:00 2001 +From: Andrei Vagin +Date: Thu, 28 Mar 2019 20:44:13 -0700 +Subject: ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK + +[ Upstream commit fcfc2aa0185f4a731d05a21e9f359968fdfd02e7 ] + +There are a few system calls (pselect, ppoll, etc) which replace a task +sigmask while they are running in a kernel-space + +When a task calls one of these syscalls, the kernel saves a current +sigmask in task->saved_sigmask and sets a syscall sigmask. + +On syscall-exit-stop, ptrace traps a task before restoring the +saved_sigmask, so PTRACE_GETSIGMASK returns the syscall sigmask and +PTRACE_SETSIGMASK does nothing, because its sigmask is replaced by +saved_sigmask, when the task returns to user-space. + +This patch fixes this problem. PTRACE_GETSIGMASK returns saved_sigmask +if it's set. PTRACE_SETSIGMASK drops the TIF_RESTORE_SIGMASK flag. + +Link: http://lkml.kernel.org/r/20181120060616.6043-1-avagin@gmail.com +Fixes: 29000caecbe8 ("ptrace: add ability to get/set signal-blocked mask") +Signed-off-by: Andrei Vagin +Acked-by: Oleg Nesterov +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin (Microsoft) +--- + include/linux/sched/signal.h | 18 ++++++++++++++++++ + kernel/ptrace.c | 15 +++++++++++++-- + 2 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 13789d10a50e..76b8399b17f6 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -417,10 +417,20 @@ static inline void set_restore_sigmask(void) + set_thread_flag(TIF_RESTORE_SIGMASK); + WARN_ON(!test_thread_flag(TIF_SIGPENDING)); + } ++ ++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk) ++{ ++ clear_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK); ++} ++ + static inline void clear_restore_sigmask(void) + { + clear_thread_flag(TIF_RESTORE_SIGMASK); + } ++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk) ++{ ++ return test_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK); ++} + static inline bool test_restore_sigmask(void) + { + return test_thread_flag(TIF_RESTORE_SIGMASK); +@@ -438,6 +448,10 @@ static inline void set_restore_sigmask(void) + current->restore_sigmask = true; + WARN_ON(!test_thread_flag(TIF_SIGPENDING)); + } ++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk) ++{ ++ tsk->restore_sigmask = false; ++} + static inline void clear_restore_sigmask(void) + { + current->restore_sigmask = false; +@@ -446,6 +460,10 @@ static inline bool test_restore_sigmask(void) + { + return current->restore_sigmask; + } ++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk) ++{ ++ return tsk->restore_sigmask; ++} + static inline bool test_and_clear_restore_sigmask(void) + { + if (!current->restore_sigmask) +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 771e93f9c43f..6f357f4fc859 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + /* + * Access another process' address space via ptrace. +@@ -924,18 +925,26 @@ int ptrace_request(struct task_struct *child, long request, + ret = ptrace_setsiginfo(child, &siginfo); + break; + +- case PTRACE_GETSIGMASK: ++ case PTRACE_GETSIGMASK: { ++ sigset_t *mask; ++ + if (addr != sizeof(sigset_t)) { + ret = -EINVAL; + break; + } + +- if (copy_to_user(datavp, &child->blocked, sizeof(sigset_t))) ++ if (test_tsk_restore_sigmask(child)) ++ mask = &child->saved_sigmask; ++ else ++ mask = &child->blocked; ++ ++ if (copy_to_user(datavp, mask, sizeof(sigset_t))) + ret = -EFAULT; + else + ret = 0; + + break; ++ } + + case PTRACE_SETSIGMASK: { + sigset_t new_set; +@@ -961,6 +970,8 @@ int ptrace_request(struct task_struct *child, long request, + child->blocked = new_set; + spin_unlock_irq(&child->sighand->siglock); + ++ clear_tsk_restore_sigmask(child); ++ + ret = 0; + break; + } +-- +2.19.1 + diff --git a/queue-5.0/qlcnic-avoid-potential-null-pointer-dereference.patch b/queue-5.0/qlcnic-avoid-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..9a78f7428f0 --- /dev/null +++ b/queue-5.0/qlcnic-avoid-potential-null-pointer-dereference.patch @@ -0,0 +1,33 @@ +From f221162af1f5293bd2d729be5b999ddf2ffb2f68 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Thu, 14 Mar 2019 15:31:40 -0500 +Subject: qlcnic: Avoid potential NULL pointer dereference + +[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ] + +netdev_alloc_skb can fail and return a NULL pointer which is +dereferenced without a check. The patch avoids such a scenario. + +Signed-off-by: Aditya Pakki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 3b0adda7cc9c..a4cd6f2cfb86 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -1048,6 +1048,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode) + + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) { + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE); ++ if (!skb) ++ break; + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr); + skb_put(skb, QLCNIC_ILB_PKT_SIZE); + adapter->ahw->diag_cnt = 0; +-- +2.19.1 + diff --git a/queue-5.0/s390-limit-brk-randomization-to-32mb.patch b/queue-5.0/s390-limit-brk-randomization-to-32mb.patch new file mode 100644 index 00000000000..9aa3d431f9f --- /dev/null +++ b/queue-5.0/s390-limit-brk-randomization-to-32mb.patch @@ -0,0 +1,47 @@ +From 4cdbe1fecdf821fb5e0ed18eecd8f3a3ad7fc9e2 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 4 Mar 2019 12:33:28 +0100 +Subject: s390: limit brk randomization to 32MB + +[ Upstream commit cd479eccd2e057116d504852814402a1e68ead80 ] + +For a 64-bit process the randomization of the program break is quite +large with 1GB. That is as big as the randomization of the anonymous +mapping base, for a test case started with '/lib/ld64.so.1 ' +it can happen that the heap is placed after the stack. To avoid +this limit the program break randomization to 32MB for 64-bit and +keep 8MB for 31-bit. + +Reported-by: Stefan Liebler +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/s390/include/asm/elf.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h +index 7d22a474a040..f74639a05f0f 100644 +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -252,11 +252,14 @@ do { \ + + /* + * Cache aliasing on the latest machines calls for a mapping granularity +- * of 512KB. For 64-bit processes use a 512KB alignment and a randomization +- * of up to 1GB. For 31-bit processes the virtual address space is limited, +- * use no alignment and limit the randomization to 8MB. ++ * of 512KB for the anonymous mapping base. For 64-bit processes use a ++ * 512KB alignment and a randomization of up to 1GB. For 31-bit processes ++ * the virtual address space is limited, use no alignment and limit the ++ * randomization to 8MB. ++ * For the additional randomization of the program break use 32MB for ++ * 64-bit and 8MB for 31-bit. + */ +-#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ffffUL) ++#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x1fffUL) + #define MMAP_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ff80UL) + #define MMAP_ALIGN_MASK (is_compat_task() ? 0 : 0x7fUL) + #define STACK_RND_MASK MMAP_RND_MASK +-- +2.19.1 + diff --git a/queue-5.0/s390-qeth-fix-race-when-initializing-the-ip-address-.patch b/queue-5.0/s390-qeth-fix-race-when-initializing-the-ip-address-.patch new file mode 100644 index 00000000000..9832b74425c --- /dev/null +++ b/queue-5.0/s390-qeth-fix-race-when-initializing-the-ip-address-.patch @@ -0,0 +1,42 @@ +From f5f3ab2e9061dcb8fc03cd99a09f9956ed2b7e11 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 18 Mar 2019 16:40:55 +0100 +Subject: s390/qeth: fix race when initializing the IP address table + +[ Upstream commit 7221b727f0079a32aca91f657141e1de564d4b97 ] + +The ucast IP table is utilized by some of the L3-specific sysfs attributes +that qeth_l3_create_device_attributes() provides. So initialize the table +_before_ registering the attributes. + +Fixes: ebccc7397e4a ("s390/qeth: add missing hash table initializations") +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/s390/net/qeth_l3_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index df34bff4ac31..f73ce96e9603 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -2316,12 +2316,14 @@ static int qeth_l3_probe_device(struct ccwgroup_device *gdev) + struct qeth_card *card = dev_get_drvdata(&gdev->dev); + int rc; + ++ hash_init(card->ip_htable); ++ + if (gdev->dev.type == &qeth_generic_devtype) { + rc = qeth_l3_create_device_attributes(&gdev->dev); + if (rc) + return rc; + } +- hash_init(card->ip_htable); ++ + hash_init(card->ip_mc_htable); + card->info.hwtrap = 0; + return 0; +-- +2.19.1 + diff --git a/queue-5.0/sbitmap-order-read-write-freed-instance-and-setting-.patch b/queue-5.0/sbitmap-order-read-write-freed-instance-and-setting-.patch new file mode 100644 index 00000000000..c0f4b14135f --- /dev/null +++ b/queue-5.0/sbitmap-order-read-write-freed-instance-and-setting-.patch @@ -0,0 +1,116 @@ +From 4fb529900e94d73286d6f23d7f9ec2f635797526 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 22 Mar 2019 09:13:51 +0800 +Subject: sbitmap: order READ/WRITE freed instance and setting clear bit + +[ Upstream commit e6d1fa584e0dd9bfebaf345e9feea588cf75ead2 ] + +Inside sbitmap_queue_clear(), once the clear bit is set, it will be +visiable to allocation path immediately. Meantime READ/WRITE on old +associated instance(such as request in case of blk-mq) may be +out-of-order with the setting clear bit, so race with re-allocation +may be triggered. + +Adds one memory barrier for ordering READ/WRITE of the freed associated +instance with setting clear bit for avoiding race with re-allocation. + +The following kernel oops triggerd by block/006 on aarch64 may be fixed: + +[ 142.330954] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000330 +[ 142.338794] Mem abort info: +[ 142.341554] ESR = 0x96000005 +[ 142.344632] Exception class = DABT (current EL), IL = 32 bits +[ 142.350500] SET = 0, FnV = 0 +[ 142.353544] EA = 0, S1PTW = 0 +[ 142.356678] Data abort info: +[ 142.359528] ISV = 0, ISS = 0x00000005 +[ 142.363343] CM = 0, WnR = 0 +[ 142.366305] user pgtable: 64k pages, 48-bit VAs, pgdp = 000000002a3c51c0 +[ 142.372983] [0000000000000330] pgd=0000000000000000, pud=0000000000000000 +[ 142.379777] Internal error: Oops: 96000005 [#1] SMP +[ 142.384613] Modules linked in: null_blk ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp vfat fat rpcrdma sunrpc rdma_ucm ib_iser rdma_cm iw_cm libiscsi ib_umad scsi_transport_iscsi ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core sbsa_gwdt crct10dif_ce ghash_ce ipmi_ssif sha2_ce ipmi_devintf sha256_arm64 sg sha1_ce ipmi_msghandler ip_tables xfs libcrc32c mlx5_core sdhci_acpi mlxfw ahci_platform at803x sdhci libahci_platform qcom_emac mmc_core hdma hdma_mgmt i2c_dev [last unloaded: null_blk] +[ 142.429753] CPU: 7 PID: 1983 Comm: fio Not tainted 5.0.0.cki #2 +[ 142.449458] pstate: 00400005 (nzcv daif +PAN -UAO) +[ 142.454239] pc : __blk_mq_free_request+0x4c/0xa8 +[ 142.458830] lr : blk_mq_free_request+0xec/0x118 +[ 142.463344] sp : ffff00003360f6a0 +[ 142.466646] x29: ffff00003360f6a0 x28: ffff000010e70000 +[ 142.471941] x27: ffff801729a50048 x26: 0000000000010000 +[ 142.477232] x25: ffff00003360f954 x24: ffff7bdfff021440 +[ 142.482529] x23: 0000000000000000 x22: 00000000ffffffff +[ 142.487830] x21: ffff801729810000 x20: 0000000000000000 +[ 142.493123] x19: ffff801729a50000 x18: 0000000000000000 +[ 142.498413] x17: 0000000000000000 x16: 0000000000000001 +[ 142.503709] x15: 00000000000000ff x14: ffff7fe000000000 +[ 142.509003] x13: ffff8017dcde09a0 x12: 0000000000000000 +[ 142.514308] x11: 0000000000000001 x10: 0000000000000008 +[ 142.519597] x9 : ffff8017dcde09a0 x8 : 0000000000002000 +[ 142.524889] x7 : ffff8017dcde0a00 x6 : 000000015388f9be +[ 142.530187] x5 : 0000000000000001 x4 : 0000000000000000 +[ 142.535478] x3 : 0000000000000000 x2 : 0000000000000000 +[ 142.540777] x1 : 0000000000000001 x0 : ffff00001041b194 +[ 142.546071] Process fio (pid: 1983, stack limit = 0x000000006460a0ea) +[ 142.552500] Call trace: +[ 142.554926] __blk_mq_free_request+0x4c/0xa8 +[ 142.559181] blk_mq_free_request+0xec/0x118 +[ 142.563352] blk_mq_end_request+0xfc/0x120 +[ 142.567444] end_cmd+0x3c/0xa8 [null_blk] +[ 142.571434] null_complete_rq+0x20/0x30 [null_blk] +[ 142.576194] blk_mq_complete_request+0x108/0x148 +[ 142.580797] null_handle_cmd+0x1d4/0x718 [null_blk] +[ 142.585662] null_queue_rq+0x60/0xa8 [null_blk] +[ 142.590171] blk_mq_try_issue_directly+0x148/0x280 +[ 142.594949] blk_mq_try_issue_list_directly+0x9c/0x108 +[ 142.600064] blk_mq_sched_insert_requests+0xb0/0xd0 +[ 142.604926] blk_mq_flush_plug_list+0x16c/0x2a0 +[ 142.609441] blk_flush_plug_list+0xec/0x118 +[ 142.613608] blk_finish_plug+0x3c/0x4c +[ 142.617348] blkdev_direct_IO+0x3b4/0x428 +[ 142.621336] generic_file_read_iter+0x84/0x180 +[ 142.625761] blkdev_read_iter+0x50/0x78 +[ 142.629579] aio_read.isra.6+0xf8/0x190 +[ 142.633409] __io_submit_one.isra.8+0x148/0x738 +[ 142.637912] io_submit_one.isra.9+0x88/0xb8 +[ 142.642078] __arm64_sys_io_submit+0xe0/0x238 +[ 142.646428] el0_svc_handler+0xa0/0x128 +[ 142.650238] el0_svc+0x8/0xc +[ 142.653104] Code: b9402a63 f9000a7f 3100047f 540000a0 (f9419a81) +[ 142.659202] ---[ end trace 467586bc175eb09d ]--- + +Fixes: ea86ea2cdced20057da ("sbitmap: ammortize cost of clearing bits") +Reported-and-bisected_and_tested-by: Yi Zhang +Cc: Yi Zhang +Cc: "jianchao.wang" +Reviewed-by: Omar Sandoval +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin (Microsoft) +--- + lib/sbitmap.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index 5b382c1244ed..155fe38756ec 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -591,6 +591,17 @@ EXPORT_SYMBOL_GPL(sbitmap_queue_wake_up); + void sbitmap_queue_clear(struct sbitmap_queue *sbq, unsigned int nr, + unsigned int cpu) + { ++ /* ++ * Once the clear bit is set, the bit may be allocated out. ++ * ++ * Orders READ/WRITE on the asssociated instance(such as request ++ * of blk_mq) by this bit for avoiding race with re-allocation, ++ * and its pair is the memory barrier implied in __sbitmap_get_word. ++ * ++ * One invariant is that the clear bit has to be zero when the bit ++ * is in use. ++ */ ++ smp_mb__before_atomic(); + sbitmap_deferred_clear_bit(&sbq->sb, nr); + + /* +-- +2.19.1 + diff --git a/queue-5.0/sc16is7xx-missing-unregister-delete-driver-on-error-.patch b/queue-5.0/sc16is7xx-missing-unregister-delete-driver-on-error-.patch new file mode 100644 index 00000000000..450adf76c20 --- /dev/null +++ b/queue-5.0/sc16is7xx-missing-unregister-delete-driver-on-error-.patch @@ -0,0 +1,55 @@ +From d55976484e0c093cc4b29bcaeb9bb0f87da90fb7 Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Fri, 8 Mar 2019 22:08:31 +0800 +Subject: sc16is7xx: missing unregister/delete driver on error in + sc16is7xx_init() + +[ Upstream commit ac0cdb3d990108df795b676cd0d0e65ac34b2273 ] + +Add the missing uart_unregister_driver() and i2c_del_driver() before return +from sc16is7xx_init() in the error handling case. + +Signed-off-by: Mao Wenan +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/tty/serial/sc16is7xx.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 268098681856..114e94f476c6 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1509,7 +1509,7 @@ static int __init sc16is7xx_init(void) + ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx i2c --> %d\n", ret); +- return ret; ++ goto err_i2c; + } + #endif + +@@ -1517,10 +1517,18 @@ static int __init sc16is7xx_init(void) + ret = spi_register_driver(&sc16is7xx_spi_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx spi --> %d\n", ret); +- return ret; ++ goto err_spi; + } + #endif + return ret; ++ ++err_spi: ++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C ++ i2c_del_driver(&sc16is7xx_i2c_uart_driver); ++#endif ++err_i2c: ++ uart_unregister_driver(&sc16is7xx_uart); ++ return ret; + } + module_init(sc16is7xx_init); + +-- +2.19.1 + diff --git a/queue-5.0/scsi-aacraid-insure-we-don-t-access-pcie-space-durin.patch b/queue-5.0/scsi-aacraid-insure-we-don-t-access-pcie-space-durin.patch new file mode 100644 index 00000000000..65ecc4344fe --- /dev/null +++ b/queue-5.0/scsi-aacraid-insure-we-don-t-access-pcie-space-durin.patch @@ -0,0 +1,65 @@ +From 36b0cf8bdba227d826ee61502ee72a9456fcfae7 Mon Sep 17 00:00:00 2001 +From: Dave Carroll +Date: Fri, 22 Mar 2019 12:16:03 -0600 +Subject: scsi: aacraid: Insure we don't access PCIe space during AER/EEH + +[ Upstream commit b6554cfe09e1f610aed7d57164ab7760be57acd9 ] + +There are a few windows during AER/EEH when we can access PCIe I/O mapped +registers. This will harden the access to insure we do not allow PCIe +access during errors + +Signed-off-by: Dave Carroll +Reviewed-by: Sagar Biradar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/scsi/aacraid/aacraid.h | 7 ++++++- + drivers/scsi/aacraid/commsup.c | 4 ++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h +index 3291d1c16864..8bd09b96ea18 100644 +--- a/drivers/scsi/aacraid/aacraid.h ++++ b/drivers/scsi/aacraid/aacraid.h +@@ -2640,9 +2640,14 @@ static inline unsigned int cap_to_cyls(sector_t capacity, unsigned divisor) + return capacity; + } + ++static inline int aac_pci_offline(struct aac_dev *dev) ++{ ++ return pci_channel_offline(dev->pdev) || dev->handle_pci_error; ++} ++ + static inline int aac_adapter_check_health(struct aac_dev *dev) + { +- if (unlikely(pci_channel_offline(dev->pdev))) ++ if (unlikely(aac_pci_offline(dev))) + return -1; + + return (dev)->a_ops.adapter_check_health(dev); +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index a3adc954f40f..09367b8a3885 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -672,7 +672,7 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size, + return -ETIMEDOUT; + } + +- if (unlikely(pci_channel_offline(dev->pdev))) ++ if (unlikely(aac_pci_offline(dev))) + return -EFAULT; + + if ((blink = aac_adapter_check_health(dev)) > 0) { +@@ -772,7 +772,7 @@ int aac_hba_send(u8 command, struct fib *fibptr, fib_callback callback, + + spin_unlock_irqrestore(&fibptr->event_lock, flags); + +- if (unlikely(pci_channel_offline(dev->pdev))) ++ if (unlikely(aac_pci_offline(dev))) + return -EFAULT; + + fibptr->flags |= FIB_CONTEXT_FLAG_WAIT; +-- +2.19.1 + diff --git a/queue-5.0/scsi-mpt3sas-fix-kernel-panic-during-expander-reset.patch b/queue-5.0/scsi-mpt3sas-fix-kernel-panic-during-expander-reset.patch new file mode 100644 index 00000000000..02fc2f78a43 --- /dev/null +++ b/queue-5.0/scsi-mpt3sas-fix-kernel-panic-during-expander-reset.patch @@ -0,0 +1,102 @@ +From 47bc1316371c8d0a04b6c07eef06d1086122ed83 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Mon, 4 Mar 2019 07:26:35 -0500 +Subject: scsi: mpt3sas: Fix kernel panic during expander reset + +[ Upstream commit c2fe742ff6e77c5b4fe4ad273191ddf28fdea25e ] + +During expander reset handling, the driver invokes kernel function +scsi_host_find_tag() to obtain outstanding requests associated with the +scsi host managed by the driver. Driver loops from tag value zero to hba +queue depth to obtain the outstanding scmds. But when blk-mq is enabled, +the block layer may return stale entry for one or more requests. This may +lead to kernel panic if the returned value is inaccessible or the memory +pointed by the returned value is reused. + +Reference of upstream discussion: + + https://patchwork.kernel.org/patch/10734933/ + +Instead of calling scsi_host_find_tag() API for each and every smid (smid +is tag +1) from one to shost->can_queue, now driver will call this API (to +obtain the outstanding scmd) only for those smid's which are outstanding at +the driver level. + +Driver will determine whether this smid is outstanding at driver level by +looking into it's corresponding MPI request frame, if its MPI request frame +is empty, then it means that this smid is free and does not need to call +scsi_host_find_tag() for it. By doing this, driver will invoke +scsi_host_find_tag() for only those tags which are outstanding at the +driver level. + +Driver will check whether particular MPI request frame is empty or not by +looking into the "DevHandle" field. If this field is zero then it means +that this MPI request is empty. For active MPI request DevHandle must be +non-zero. + +Also driver will memset the MPI request frame once the corresponding scmd +is processed (i.e. just before calling +scmd->done function). + +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++++ + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 12 ++++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 0a6cb8f0680c..c39f88100f31 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -3281,12 +3281,18 @@ mpt3sas_base_free_smid(struct MPT3SAS_ADAPTER *ioc, u16 smid) + + if (smid < ioc->hi_priority_smid) { + struct scsiio_tracker *st; ++ void *request; + + st = _get_st_from_smid(ioc, smid); + if (!st) { + _base_recovery_check(ioc); + return; + } ++ ++ /* Clear MPI request frame */ ++ request = mpt3sas_base_get_msg_frame(ioc, smid); ++ memset(request, 0, ioc->request_sz); ++ + mpt3sas_base_clear_st(ioc, st); + _base_recovery_check(ioc); + return; +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 6be39dc27103..6173c211a5e5 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -1462,11 +1462,23 @@ mpt3sas_scsih_scsi_lookup_get(struct MPT3SAS_ADAPTER *ioc, u16 smid) + { + struct scsi_cmnd *scmd = NULL; + struct scsiio_tracker *st; ++ Mpi25SCSIIORequest_t *mpi_request; + + if (smid > 0 && + smid <= ioc->scsiio_depth - INTERNAL_SCSIIO_CMDS_COUNT) { + u32 unique_tag = smid - 1; + ++ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); ++ ++ /* ++ * If SCSI IO request is outstanding at driver level then ++ * DevHandle filed must be non-zero. If DevHandle is zero ++ * then it means that this smid is free at driver level, ++ * so return NULL. ++ */ ++ if (!mpi_request->DevHandle) ++ return scmd; ++ + scmd = scsi_host_find_tag(ioc->shost, unique_tag); + if (scmd) { + st = scsi_cmd_priv(scmd); +-- +2.19.1 + diff --git a/queue-5.0/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch b/queue-5.0/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..092eee5661d --- /dev/null +++ b/queue-5.0/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch @@ -0,0 +1,35 @@ +From 27e2287eb1b75bb69b9b68b6ce52065a06128d26 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 01:30:59 -0500 +Subject: scsi: qla4xxx: fix a potential NULL pointer dereference + +[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ] + +In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Manish Rangankar +Reviewed-by: Mukesh Ojha +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index a77bfb224248..80289c885c07 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3203,6 +3203,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session, + if (iscsi_conn_bind(cls_session, cls_conn, is_leading)) + return -EINVAL; + ep = iscsi_lookup_endpoint(transport_fd); ++ if (!ep) ++ return -EINVAL; + conn = cls_conn->dd_data; + qla_conn = conn->dd_data; + qla_conn->qla_ep = ep->dd_data; +-- +2.19.1 + diff --git a/queue-5.0/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch b/queue-5.0/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch new file mode 100644 index 00000000000..03bad9f9fb9 --- /dev/null +++ b/queue-5.0/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch @@ -0,0 +1,112 @@ +From 5103fe6c4c2cd6fbfc4e2476d42743e2037d45ce Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 26 Mar 2019 14:37:00 +0100 +Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element + RSCN + +[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ] + +If an incoming ELS of type RSCN contains more than one element, zfcp +suboptimally causes repeated erp trigger NOP trace records for each +previously failed port. These could be ports that went away. It loops over +each RSCN element, and for each of those in an inner loop over all +zfcp_ports. + +The trigger to recover failed ports should be just the reception of some +RSCN, no matter how many elements it has. So we can loop over failed ports +separately, and only then loop over each RSCN element to handle the +non-failed ports. + +The call chain was: + + zfcp_fc_incoming_rscn + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + +In order the reduce the "flooding" of the REC trace area in such cases, we +factor out handling the failed ports to be outside of the entries loop: + + zfcp_fc_incoming_rscn + if (no_entries > 1) <=== + list_for_each_entry(port, &adapter->port_list, list) <=== + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + +Abbreviated example trace records before this code change: + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x02 + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x00 NOP => superfluous trace record + +The last trace entry repeats if there are more than 2 RSCN elements. + +Signed-off-by: Steffen Maier +Reviewed-by: Benjamin Block +Reviewed-by: Jens Remus +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c +index db00b5e3abbe..33eddb02ee30 100644 +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -239,10 +239,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + list_for_each_entry(port, &adapter->port_list, list) { + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range)) + zfcp_fc_test_link(port); +- if (!port->d_id) +- zfcp_erp_port_reopen(port, +- ZFCP_STATUS_COMMON_ERP_FAILED, +- "fcrscn1"); + } + read_unlock_irqrestore(&adapter->port_list_lock, flags); + } +@@ -250,6 +246,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + { + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data; ++ struct zfcp_adapter *adapter = fsf_req->adapter; + struct fc_els_rscn *head; + struct fc_els_rscn_page *page; + u16 i; +@@ -263,6 +260,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + no_entries = be16_to_cpu(head->rscn_plen) / + sizeof(struct fc_els_rscn_page); + ++ if (no_entries > 1) { ++ /* handle failed ports */ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ read_lock_irqsave(&adapter->port_list_lock, flags); ++ list_for_each_entry(port, &adapter->port_list, list) { ++ if (port->d_id) ++ continue; ++ zfcp_erp_port_reopen(port, ++ ZFCP_STATUS_COMMON_ERP_FAILED, ++ "fcrscn1"); ++ } ++ read_unlock_irqrestore(&adapter->port_list_lock, flags); ++ } ++ + for (i = 1; i < no_entries; i++) { + /* skip head and start with 1st element */ + page++; +-- +2.19.1 + diff --git a/queue-5.0/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch b/queue-5.0/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch new file mode 100644 index 00000000000..a6107f2cadd --- /dev/null +++ b/queue-5.0/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch @@ -0,0 +1,102 @@ +From 3a3547cdae954ad1ab73afd6757789229f78669b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Wed, 6 Mar 2019 17:54:03 +0100 +Subject: serial: ar933x_uart: Fix build failure with disabled console +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 72ff51d8dd262d1fef25baedc2ac35116435be47 ] + +Andrey has reported on OpenWrt's bug tracking system[1], that he +currently can't use ar93xx_uart as pure serial UART without console +(CONFIG_SERIAL_8250_CONSOLE and CONFIG_SERIAL_AR933X_CONSOLE undefined), +because compilation ends with following error: + + ar933x_uart.c: In function 'ar933x_uart_console_write': + ar933x_uart.c:550:14: error: 'struct uart_port' has no + member named 'sysrq' + +So this patch moves all the code related to console handling behind +series of CONFIG_SERIAL_AR933X_CONSOLE ifdefs. + +1. https://bugs.openwrt.org/index.php?do=details&task_id=2152 + +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Andrey Batyiev +Reported-by: Andrey Batyiev +Tested-by: Andrey Batyiev +Signed-off-by: Petr Å tetiar +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/tty/serial/ar933x_uart.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c +index db5df3d54818..3bdd56a1021b 100644 +--- a/drivers/tty/serial/ar933x_uart.c ++++ b/drivers/tty/serial/ar933x_uart.c +@@ -49,11 +49,6 @@ struct ar933x_uart_port { + struct clk *clk; + }; + +-static inline bool ar933x_uart_console_enabled(void) +-{ +- return IS_ENABLED(CONFIG_SERIAL_AR933X_CONSOLE); +-} +- + static inline unsigned int ar933x_uart_read(struct ar933x_uart_port *up, + int offset) + { +@@ -508,6 +503,7 @@ static const struct uart_ops ar933x_uart_ops = { + .verify_port = ar933x_uart_verify_port, + }; + ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE + static struct ar933x_uart_port * + ar933x_console_ports[CONFIG_SERIAL_AR933X_NR_UARTS]; + +@@ -604,14 +600,7 @@ static struct console ar933x_uart_console = { + .index = -1, + .data = &ar933x_uart_driver, + }; +- +-static void ar933x_uart_add_console_port(struct ar933x_uart_port *up) +-{ +- if (!ar933x_uart_console_enabled()) +- return; +- +- ar933x_console_ports[up->port.line] = up; +-} ++#endif /* CONFIG_SERIAL_AR933X_CONSOLE */ + + static struct uart_driver ar933x_uart_driver = { + .owner = THIS_MODULE, +@@ -700,7 +689,9 @@ static int ar933x_uart_probe(struct platform_device *pdev) + baud = ar933x_uart_get_baud(port->uartclk, 0, AR933X_UART_MAX_STEP); + up->max_baud = min_t(unsigned int, baud, AR933X_UART_MAX_BAUD); + +- ar933x_uart_add_console_port(up); ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE ++ ar933x_console_ports[up->port.line] = up; ++#endif + + ret = uart_add_one_port(&ar933x_uart_driver, &up->port); + if (ret) +@@ -749,8 +740,9 @@ static int __init ar933x_uart_init(void) + { + int ret; + +- if (ar933x_uart_console_enabled()) +- ar933x_uart_driver.cons = &ar933x_uart_console; ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE ++ ar933x_uart_driver.cons = &ar933x_uart_console; ++#endif + + ret = uart_register_driver(&ar933x_uart_driver); + if (ret) +-- +2.19.1 + diff --git a/queue-5.0/series b/queue-5.0/series index 5a197a1d4c7..866767125d5 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -5,3 +5,97 @@ mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch mm-add-try_get_page-helper-function.patch mm-prevent-get_user_pages-from-overflowing-page-refcount.patch fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch +arm64-dts-renesas-r8a77990-fix-scif5-dma-channels.patch +arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch +s390-limit-brk-randomization-to-32mb.patch +mt76x02-fix-hdr-pointer-in-write-txwi-for-usb.patch +mt76-mt76x2-fix-external-lna-gain-settings.patch +mt76-mt76x2-fix-2.4-ghz-channel-gain-settings.patch +net-ieee802154-fix-a-potential-null-pointer-derefere.patch +ieee802154-hwsim-propagate-genlmsg_reply-return-code.patch +btrfs-fix-file-corruption-after-snapshotting-due-to-.patch +net-stmmac-don-t-set-own-bit-too-early-for-jumbo-fra.patch +net-stmmac-fix-jumbo-frame-sending-with-non-linear-s.patch +qlcnic-avoid-potential-null-pointer-dereference.patch +xsk-fix-umem-memory-leak-on-cleanup.patch +staging-axis-fifo-add-config_of-dependency.patch +staging-mt7621-pci-fix-build-without-pci-support.patch +netfilter-nft_set_rbtree-check-for-inactive-element-.patch +netfilter-bridge-set-skb-transport_header-before-ent.patch +netfilter-fix-netfilter_xt_target_tee-dependencies.patch +netfilter-ip6t_srh-fix-null-pointer-dereferences.patch +s390-qeth-fix-race-when-initializing-the-ip-address-.patch +arm-imx51-fix-a-leaked-reference-by-adding-missing-o.patch +sc16is7xx-missing-unregister-delete-driver-on-error-.patch +serial-ar933x_uart-fix-build-failure-with-disabled-c.patch +kvm-arm64-reset-the-pmu-in-preemptible-context.patch +arm64-kvm-always-set-ich_hcr_el2.en-if-gicv4-is-enab.patch +kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-writi.patch +kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch +usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch +usb-gadget-net2280-fix-overrun-of-out-messages.patch +usb-gadget-net2280-fix-net2280_dequeue.patch +usb-gadget-net2272-fix-net2272_dequeue.patch +arm-dts-pfla02-increase-phy-reset-duration.patch +i2c-i801-add-support-for-intel-comet-lake.patch +kvm-arm-arm64-fix-handling-of-stage2-huge-mappings.patch +net-ks8851-dequeue-rx-packets-explicitly.patch +net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch +net-ks8851-delay-requesting-irq-until-opened.patch +net-ks8851-set-initial-carrier-state-to-down.patch +staging-rtl8188eu-fix-potential-null-pointer-derefer.patch +staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch +staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch +staging-rtlwifi-fix-potential-null-pointer-dereferen.patch +net-phy-add-dp83825i-to-the-dp83822-driver.patch +net-macb-add-null-check-for-pclk-and-hclk.patch +net-sched-don-t-dereference-a-goto_chain-to-read-the.patch +arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch +drm-tegra-hub-fix-dereference-before-check.patch +nfs-fix-a-typo-in-nfs_init_timeout_values.patch +net-xilinx-fix-possible-object-reference-leak.patch +net-ibm-fix-possible-object-reference-leak.patch +net-ethernet-ti-fix-possible-object-reference-leak.patch +drm-fix-drm_release-and-device-unplug.patch +gpio-aspeed-fix-a-potential-null-pointer-dereference.patch +drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch +drm-meson-uninstall-irq-handler.patch +arm-davinci-fix-build-failure-with-allnoconfig.patch +sbitmap-order-read-write-freed-instance-and-setting-.patch +staging-vc04_services-fix-an-error-code-in-vchiq_pro.patch +scsi-mpt3sas-fix-kernel-panic-during-expander-reset.patch +scsi-aacraid-insure-we-don-t-access-pcie-space-durin.patch +scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch +usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch +leds-trigger-netdev-fix-refcnt-leak-on-interface-ren.patch +sunrpc-fix-uninitialized-variable-warning.patch +x86-realmode-don-t-leak-the-trampoline-kernel-addres.patch +usb-u132-hcd-fix-resource-leak.patch +ceph-fix-use-after-free-on-symlink-traversal.patch +scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch +x86-mm-don-t-exceed-the-valid-physical-address-space.patch +libata-fix-using-dma-buffers-on-stack.patch +kbuild-skip-parsing-pre-sub-make-code-for-recursion.patch +afs-fix-storedata-op-marshalling.patch +gpio-of-check-propname-before-applying-cs-gpios-quir.patch +gpio-of-check-for-spi-cs-high-in-child-instead-of-pa.patch +kvm-nvmx-do-not-inherit-quadrant-and-invalid-for-the.patch +kvm-svm-workaround-errata-1096-insn_len-maybe-zero-o.patch +kvm-x86-move-msr_ia32_arch_capabilities-to-array-emu.patch +x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vcp.patch +kvm-selftests-assert-on-exit-reason-in-cr4-cpuid-syn.patch +kvm-selftests-explicitly-disable-pie-for-tests.patch +kvm-selftests-disable-stack-protector-for-all-kvm-te.patch +kvm-selftests-complete-io-before-migrating-guest-sta.patch +gpio-of-fix-of_gpiochip_add-error-path.patch +nvme-multipath-relax-ana-state-check.patch +nvmet-fix-building-bvec-from-sg-list.patch +nvmet-fix-error-flow-during-ns-enable.patch +perf-cs-etm-add-missing-case-value.patch +perf-machine-update-kernel-map-address-and-re-order-.patch +kconfig-mn-conf-handle-backspace-h-key.patch +iommu-amd-reserve-exclusion-range-in-iova-domain.patch +kasan-fix-variable-tag-set-but-not-used-warning.patch +ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch +leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch +leds-trigger-netdev-use-memcpy-in-device_name_store.patch diff --git a/queue-5.0/staging-axis-fifo-add-config_of-dependency.patch b/queue-5.0/staging-axis-fifo-add-config_of-dependency.patch new file mode 100644 index 00000000000..a1440895697 --- /dev/null +++ b/queue-5.0/staging-axis-fifo-add-config_of-dependency.patch @@ -0,0 +1,49 @@ +From 190538b1c35b69b537b2f22f12a38cfb574474a9 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 4 Mar 2019 20:43:00 +0100 +Subject: staging: axis-fifo: add CONFIG_OF dependency + +[ Upstream commit 1beea6204e2304dd11600791d8dad8e7350af6ad ] + +When building without CONFIG_OF, the compiler loses track of the flow +control in axis_fifo_probe(), and thinks that many variables are used +without an initialization even though we actually leave the function +before the first use: + +drivers/staging/axis-fifo/axis-fifo.c: In function 'axis_fifo_probe': +drivers/staging/axis-fifo/axis-fifo.c:900:5: error: 'rxd_tdata_width' may be used uninitialized in this function [-Werror=maybe-uninitialized] + if (rxd_tdata_width != 32) { + ^ +drivers/staging/axis-fifo/axis-fifo.c:907:5: error: 'txd_tdata_width' may be used uninitialized in this function [-Werror=maybe-uninitialized] + if (txd_tdata_width != 32) { + ^ +drivers/staging/axis-fifo/axis-fifo.c:914:5: error: 'has_tdest' may be used uninitialized in this function [-Werror=maybe-uninitialized] + if (has_tdest) { + ^ +drivers/staging/axis-fifo/axis-fifo.c:919:5: error: 'has_tid' may be used uninitialized in this function [-Werror=maybe-uninitialized] + +When CONFIG_OF is set, this does not happen, and since the driver cannot +work without it, just add that option as a Kconfig dependency. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/axis-fifo/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/axis-fifo/Kconfig b/drivers/staging/axis-fifo/Kconfig +index 687537203d9c..d9725888af6f 100644 +--- a/drivers/staging/axis-fifo/Kconfig ++++ b/drivers/staging/axis-fifo/Kconfig +@@ -3,6 +3,7 @@ + # + config XIL_AXIS_FIFO + tristate "Xilinx AXI-Stream FIFO IP core driver" ++ depends on OF + default n + help + This adds support for the Xilinx AXI-Stream +-- +2.19.1 + diff --git a/queue-5.0/staging-mt7621-pci-fix-build-without-pci-support.patch b/queue-5.0/staging-mt7621-pci-fix-build-without-pci-support.patch new file mode 100644 index 00000000000..f9699801db2 --- /dev/null +++ b/queue-5.0/staging-mt7621-pci-fix-build-without-pci-support.patch @@ -0,0 +1,31 @@ +From 8f922c03effcf9c9b7727afd0da36da46655c234 Mon Sep 17 00:00:00 2001 +From: Maxim Zhukov +Date: Sat, 9 Mar 2019 12:54:00 +0300 +Subject: staging, mt7621-pci: fix build without pci support + +[ Upstream commit 90cd9bed5adb3e3bd4d3ac4cbcecbc4a8028bbaf ] + +Add depends on PCI for PCI_MT7621 + +Signed-off-by: Maxim Zhukov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/mt7621-pci/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/mt7621-pci/Kconfig b/drivers/staging/mt7621-pci/Kconfig +index d33533872a16..c8fa17cfa807 100644 +--- a/drivers/staging/mt7621-pci/Kconfig ++++ b/drivers/staging/mt7621-pci/Kconfig +@@ -1,6 +1,7 @@ + config PCI_MT7621 + tristate "MediaTek MT7621 PCI Controller" + depends on RALINK ++ depends on PCI + select PCI_DRIVERS_GENERIC + help + This selects a driver for the MediaTek MT7621 PCI Controller. +-- +2.19.1 + diff --git a/queue-5.0/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch b/queue-5.0/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch new file mode 100644 index 00000000000..02e40c7a284 --- /dev/null +++ b/queue-5.0/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch @@ -0,0 +1,139 @@ +From c8ad099092fc68242ce6dd92ef3c4721c6537b63 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 12:21:35 -0500 +Subject: staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc + +[ Upstream commit 7671ce0d92933762f469266daf43bd34d422d58c ] + +hwxmits is allocated via kcalloc and not checked for failure before its +dereference. The patch fixes this problem by returning error upstream +in rtl8723bs, rtl8188eu. + +Signed-off-by: Aditya Pakki +Acked-by: Mukesh Ojha +Reviewed-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/rtl8188eu/core/rtw_xmit.c | 9 +++++++-- + drivers/staging/rtl8188eu/include/rtw_xmit.h | 2 +- + drivers/staging/rtl8723bs/core/rtw_xmit.c | 14 +++++++------- + drivers/staging/rtl8723bs/include/rtw_xmit.h | 2 +- + 4 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c +index 3b1ccd138c3f..6fb6ea29a8b6 100644 +--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c ++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c +@@ -174,7 +174,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter) + + pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf; + +- rtw_alloc_hwxmits(padapter); ++ res = rtw_alloc_hwxmits(padapter); ++ if (res == _FAIL) ++ goto exit; + rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry); + + for (i = 0; i < 4; i++) +@@ -1503,7 +1505,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe) + return res; + } + +-void rtw_alloc_hwxmits(struct adapter *padapter) ++s32 rtw_alloc_hwxmits(struct adapter *padapter) + { + struct hw_xmit *hwxmits; + struct xmit_priv *pxmitpriv = &padapter->xmitpriv; +@@ -1512,6 +1514,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + + pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry, + sizeof(struct hw_xmit), GFP_KERNEL); ++ if (!pxmitpriv->hwxmits) ++ return _FAIL; + + hwxmits = pxmitpriv->hwxmits; + +@@ -1519,6 +1523,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + hwxmits[1] .sta_queue = &pxmitpriv->vi_pending; + hwxmits[2] .sta_queue = &pxmitpriv->be_pending; + hwxmits[3] .sta_queue = &pxmitpriv->bk_pending; ++ return _SUCCESS; + } + + void rtw_free_hwxmits(struct adapter *padapter) +diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h +index 788f59c74ea1..ba7e15fbde72 100644 +--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h ++++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h +@@ -336,7 +336,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter, + void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry); + s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter); + void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv); +-void rtw_alloc_hwxmits(struct adapter *padapter); ++s32 rtw_alloc_hwxmits(struct adapter *padapter); + void rtw_free_hwxmits(struct adapter *padapter); + s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt); + +diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c +index 625e67f39889..a36b2213d8ee 100644 +--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c ++++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c +@@ -260,7 +260,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter) + } + } + +- rtw_alloc_hwxmits(padapter); ++ res = rtw_alloc_hwxmits(padapter); ++ if (res == _FAIL) ++ goto exit; + rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry); + + for (i = 0; i < 4; i++) { +@@ -2144,7 +2146,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe) + return res; + } + +-void rtw_alloc_hwxmits(struct adapter *padapter) ++s32 rtw_alloc_hwxmits(struct adapter *padapter) + { + struct hw_xmit *hwxmits; + struct xmit_priv *pxmitpriv = &padapter->xmitpriv; +@@ -2155,10 +2157,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + + pxmitpriv->hwxmits = rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry); + +- if (pxmitpriv->hwxmits == NULL) { +- DBG_871X("alloc hwxmits fail!...\n"); +- return; +- } ++ if (!pxmitpriv->hwxmits) ++ return _FAIL; + + hwxmits = pxmitpriv->hwxmits; + +@@ -2204,7 +2204,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + + } + +- ++ return _SUCCESS; + } + + void rtw_free_hwxmits(struct adapter *padapter) +diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h +index 1b38b9182b31..37f42b2f22f1 100644 +--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h ++++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h +@@ -487,7 +487,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter); + void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv); + + +-void rtw_alloc_hwxmits(struct adapter *padapter); ++s32 rtw_alloc_hwxmits(struct adapter *padapter); + void rtw_free_hwxmits(struct adapter *padapter); + + +-- +2.19.1 + diff --git a/queue-5.0/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch b/queue-5.0/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch new file mode 100644 index 00000000000..476858a354c --- /dev/null +++ b/queue-5.0/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch @@ -0,0 +1,67 @@ +From c789a00474ded44a8950a09578fbeed972428e7f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 21 Mar 2019 09:26:38 +0300 +Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl() + +[ Upstream commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e ] + +Colin King reported a bug in read_bbreg_hdl(): + + memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); + +The problem is that "val" is uninitialized. + +This code is obviously not useful, but so far as I can tell +"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful +either. For now the easiest fix is to just call r8712_free_cmd_obj() +and return. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Reported-by: Colin Ian King +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/rtl8712/rtl8712_cmd.c | 10 +--------- + drivers/staging/rtl8712/rtl8712_cmd.h | 2 +- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c +index 1920d02f7c9f..8c36acedf507 100644 +--- a/drivers/staging/rtl8712/rtl8712_cmd.c ++++ b/drivers/staging/rtl8712/rtl8712_cmd.c +@@ -147,17 +147,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf) + + static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf) + { +- u32 val; +- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd); + struct cmd_obj *pcmd = (struct cmd_obj *)pbuf; + +- if (pcmd->rsp && pcmd->rspsz > 0) +- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); +- pcmd_callback = cmd_callback[pcmd->cmdcode].callback; +- if (!pcmd_callback) +- r8712_free_cmd_obj(pcmd); +- else +- pcmd_callback(padapter, pcmd); ++ r8712_free_cmd_obj(pcmd); + return H2C_SUCCESS; + } + +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h +index 92fb77666d44..1ef86b8c592f 100644 +--- a/drivers/staging/rtl8712/rtl8712_cmd.h ++++ b/drivers/staging/rtl8712/rtl8712_cmd.h +@@ -140,7 +140,7 @@ enum rtl8712_h2c_cmd { + static struct _cmd_callback cmd_callback[] = { + {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ + {GEN_CMD_CODE(_Write_MACREG), NULL}, +- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, ++ {GEN_CMD_CODE(_Read_BBREG), NULL}, + {GEN_CMD_CODE(_Write_BBREG), NULL}, + {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, + {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/ +-- +2.19.1 + diff --git a/queue-5.0/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch b/queue-5.0/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch new file mode 100644 index 00000000000..885904fb9dc --- /dev/null +++ b/queue-5.0/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch @@ -0,0 +1,35 @@ +From af7b73f10ae04711012506e7f162c187e502e135 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 10:42:32 -0500 +Subject: staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc + +[ Upstream commit 6a8ca24590a2136921439b376c926c11a6effc0e ] + +phydm.internal is allocated using kzalloc which is used multiple +times without a check for NULL pointer. This patch avoids such a +scenario by returning 0, consistent with the failure case. + +Signed-off-by: Aditya Pakki +Reviewed-by: Mukesh Ojha +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/rtlwifi/phydm/rtl_phydm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/rtlwifi/phydm/rtl_phydm.c b/drivers/staging/rtlwifi/phydm/rtl_phydm.c +index 9930ed954abb..4cc77b2016e1 100644 +--- a/drivers/staging/rtlwifi/phydm/rtl_phydm.c ++++ b/drivers/staging/rtlwifi/phydm/rtl_phydm.c +@@ -180,6 +180,8 @@ static int rtl_phydm_init_priv(struct rtl_priv *rtlpriv, + + rtlpriv->phydm.internal = + kzalloc(sizeof(struct phy_dm_struct), GFP_KERNEL); ++ if (!rtlpriv->phydm.internal) ++ return 0; + + _rtl_phydm_init_com_info(rtlpriv, ic, params); + +-- +2.19.1 + diff --git a/queue-5.0/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch b/queue-5.0/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch new file mode 100644 index 00000000000..bea326b3b28 --- /dev/null +++ b/queue-5.0/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch @@ -0,0 +1,36 @@ +From 83c519ecd53e905825ed76b070abbf0f5f23a679 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 12:02:49 -0500 +Subject: staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer + dereference + +[ Upstream commit d70d70aec9632679dd00dcc1b1e8b2517e2c7da0 ] + +skb allocated via dev_alloc_skb can fail and return a NULL pointer. +This patch avoids such a scenario and returns, consistent with other +invocations. + +Signed-off-by: Aditya Pakki +Reviewed-by: Mukesh Ojha +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/rtlwifi/rtl8822be/fw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/rtlwifi/rtl8822be/fw.c b/drivers/staging/rtlwifi/rtl8822be/fw.c +index a40396614814..c1ed52df05f0 100644 +--- a/drivers/staging/rtlwifi/rtl8822be/fw.c ++++ b/drivers/staging/rtlwifi/rtl8822be/fw.c +@@ -741,6 +741,8 @@ void rtl8822be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + u1_rsvd_page_loc, 3); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + memcpy((u8 *)skb_put(skb, totalpacketlen), &reserved_page_packet, + totalpacketlen); + +-- +2.19.1 + diff --git a/queue-5.0/staging-vc04_services-fix-an-error-code-in-vchiq_pro.patch b/queue-5.0/staging-vc04_services-fix-an-error-code-in-vchiq_pro.patch new file mode 100644 index 00000000000..92eacc4f7db --- /dev/null +++ b/queue-5.0/staging-vc04_services-fix-an-error-code-in-vchiq_pro.patch @@ -0,0 +1,48 @@ +From 87ac11083972f3f8a2350b4b044832cbb0c2d75e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 25 Mar 2019 11:56:59 +0300 +Subject: staging: vc04_services: Fix an error code in vchiq_probe() + +[ Upstream commit 9b9c87cf51783cbe7140c51472762094033cfeab ] + +We need to set "err" on this error path. + +Fixes: 187ac53e590c ("staging: vchiq_arm: rework probe and init functions") +Signed-off-by: Dan Carpenter +Acked-by: Stefan Wahren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +index 804daf83be35..064d0db4c51e 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +@@ -3513,6 +3513,7 @@ static int vchiq_probe(struct platform_device *pdev) + struct device_node *fw_node; + const struct of_device_id *of_id; + struct vchiq_drvdata *drvdata; ++ struct device *vchiq_dev; + int err; + + of_id = of_match_node(vchiq_of_match, pdev->dev.of_node); +@@ -3547,9 +3548,12 @@ static int vchiq_probe(struct platform_device *pdev) + goto failed_platform_init; + } + +- if (IS_ERR(device_create(vchiq_class, &pdev->dev, vchiq_devid, +- NULL, "vchiq"))) ++ vchiq_dev = device_create(vchiq_class, &pdev->dev, vchiq_devid, NULL, ++ "vchiq"); ++ if (IS_ERR(vchiq_dev)) { ++ err = PTR_ERR(vchiq_dev); + goto failed_device_create; ++ } + + vchiq_debugfs_init(); + +-- +2.19.1 + diff --git a/queue-5.0/sunrpc-fix-uninitialized-variable-warning.patch b/queue-5.0/sunrpc-fix-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..43447892123 --- /dev/null +++ b/queue-5.0/sunrpc-fix-uninitialized-variable-warning.patch @@ -0,0 +1,45 @@ +From 6acbebab3a823ece44985b6e44ac31b6a5eb1659 Mon Sep 17 00:00:00 2001 +From: Alakesh Haloi +Date: Tue, 26 Mar 2019 02:00:01 +0000 +Subject: SUNRPC: fix uninitialized variable warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 01f2f5b82a2b523ae76af53f2ff43c48dde10a00 ] + +Avoid following compiler warning on uninitialized variable + +net/sunrpc/xprtsock.c: In function ‘xs_read_stream_request.constprop’: +net/sunrpc/xprtsock.c:525:10: warning: ‘read’ may be used uninitialized in this function [-Wmaybe-uninitialized] + return read; + ^~~~ +net/sunrpc/xprtsock.c:529:23: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] + return ret < 0 ? ret : read; + ~~~~~~~~~~~~~~^~~~~~ + +Signed-off-by: Alakesh Haloi +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin (Microsoft) +--- + net/sunrpc/xprtsock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 7754aa3e434f..f88c2bd1335a 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -486,8 +486,8 @@ xs_read_stream_request(struct sock_xprt *transport, struct msghdr *msg, + int flags, struct rpc_rqst *req) + { + struct xdr_buf *buf = &req->rq_private_buf; +- size_t want, read; +- ssize_t ret; ++ size_t want, uninitialized_var(read); ++ ssize_t uninitialized_var(ret); + + xs_read_header(transport, buf); + +-- +2.19.1 + diff --git a/queue-5.0/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch b/queue-5.0/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch new file mode 100644 index 00000000000..d0fbd95e1f2 --- /dev/null +++ b/queue-5.0/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch @@ -0,0 +1,40 @@ +From fdaf6fd05eea9f3d97560b4df2f4654fdb41740f Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Thu, 31 Jan 2019 11:04:19 +0200 +Subject: usb: dwc3: pci: add support for Comet Lake PCH ID + +[ Upstream commit 7ae622c978db6b2e28b4fced6ecd2a174492059d ] + +This patch simply adds a new PCI Device ID + +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index fdc6e4e403e8..8cced3609e24 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -29,6 +29,7 @@ + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 ++#define PCI_DEVICE_ID_INTEL_CMLH 0x02ee + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e +@@ -305,6 +306,9 @@ static const struct pci_device_id dwc3_pci_id_table[] = { + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MRFLD), + (kernel_ulong_t) &dwc3_pci_mrfld_properties, }, + ++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CMLH), ++ (kernel_ulong_t) &dwc3_pci_intel_properties, }, ++ + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_SPTLP), + (kernel_ulong_t) &dwc3_pci_intel_properties, }, + +-- +2.19.1 + diff --git a/queue-5.0/usb-gadget-net2272-fix-net2272_dequeue.patch b/queue-5.0/usb-gadget-net2272-fix-net2272_dequeue.patch new file mode 100644 index 00000000000..8cf9f4d7fa4 --- /dev/null +++ b/queue-5.0/usb-gadget-net2272-fix-net2272_dequeue.patch @@ -0,0 +1,41 @@ +From dd31afb9968388cac057c8342aa41682530e0ae6 Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Mon, 18 Mar 2019 09:18:34 +0100 +Subject: usb: gadget: net2272: Fix net2272_dequeue() + +[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ] + +Restore the status of ep->stopped in function net2272_dequeue(). + +When the given request is not found in the endpoint queue +the function returns -EINVAL without restoring the state of +ep->stopped. Thus the endpoint keeps blocked and does not transfer +any data anymore. + +This fix is only compile-tested, since we do not have a +corresponding hardware. An analogous fix was tested in the sibling +driver. See "usb: gadget: net2280: Fix net2280_dequeue()" + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2272.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index b77f3126580e..c2011cd7df8c 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -945,6 +945,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); + return -EINVAL; + } +-- +2.19.1 + diff --git a/queue-5.0/usb-gadget-net2280-fix-net2280_dequeue.patch b/queue-5.0/usb-gadget-net2280-fix-net2280_dequeue.patch new file mode 100644 index 00000000000..6b9ae3e4faa --- /dev/null +++ b/queue-5.0/usb-gadget-net2280-fix-net2280_dequeue.patch @@ -0,0 +1,43 @@ +From d2cf7df452758d5100f0b6b503407396abd9747f Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Mon, 18 Mar 2019 09:18:33 +0100 +Subject: usb: gadget: net2280: Fix net2280_dequeue() + +[ Upstream commit f1d3fba17cd4eeea20397f1324b7b9c69a6a935c ] + +When a request must be dequeued with net2280_dequeue() e.g. due +to a device clear action and the same request is finished by the +function scan_dma_completions() then the function net2280_dequeue() +does not find the request in the following search loop and +returns the error -EINVAL without restoring the status ep->stopped. +Thus the endpoint keeps blocked and does not receive any data +anymore. +This fix restores the status and does not issue an error message. + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2280.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index dc6f5a78d124..d93cf4171953 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -1273,9 +1273,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); +- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n", +- __func__); ++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__); + return -EINVAL; + } + +-- +2.19.1 + diff --git a/queue-5.0/usb-gadget-net2280-fix-overrun-of-out-messages.patch b/queue-5.0/usb-gadget-net2280-fix-overrun-of-out-messages.patch new file mode 100644 index 00000000000..baff60f1fc1 --- /dev/null +++ b/queue-5.0/usb-gadget-net2280-fix-overrun-of-out-messages.patch @@ -0,0 +1,62 @@ +From 99d3a3e2cad40d22768b5abb4e2ac7f7b17374db Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Tue, 19 Mar 2019 19:12:03 +0100 +Subject: usb: gadget: net2280: Fix overrun of OUT messages + +[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ] + +The OUT endpoint normally blocks (NAK) subsequent packets when a +short packet was received and returns an incomplete queue entry to +the gadget driver. Thereby the gadget driver can detect a short packet +when reading queue entries with a length that is not equal to a +multiple of packet size. + +The start_queue() function enables receiving OUT packets regardless of +the content of the OUT FIFO. This results in a race: With the current +code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat) +& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short +packet will be received, and then start_queue() will call +stop_out_naking(). That's what we don't want (OUT naking gets turned +off while there is data in the FIFO) because then the next driver +request might receive a mixture of old and new packets. + +With the patch, this race can't occur because the FIFO's state is +tested after we know that OUT naking is already turned on, and OUT +naking is stopped only when both of the conditions are met. This +ensures that all received data is delivered to the gadget driver, +which can detect a short packet now before new packets are appended +to the last short packet. + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2280.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index e7dae5379e04..dc6f5a78d124 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -866,9 +866,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) + (void) readl(&ep->dev->pci->pcimstctl); + + writel(BIT(DMA_START), &dma->dmastat); +- +- if (!ep->is_in) +- stop_out_naking(ep); + } + + static void start_dma(struct net2280_ep *ep, struct net2280_request *req) +@@ -907,6 +904,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) + writel(BIT(DMA_START), &dma->dmastat); + return; + } ++ stop_out_naking(ep); + } + + tmp = dmactl_default; +-- +2.19.1 + diff --git a/queue-5.0/usb-u132-hcd-fix-resource-leak.patch b/queue-5.0/usb-u132-hcd-fix-resource-leak.patch new file mode 100644 index 00000000000..615f52f7cb7 --- /dev/null +++ b/queue-5.0/usb-u132-hcd-fix-resource-leak.patch @@ -0,0 +1,34 @@ +From 8c900fe85390ea8f5e09f3aed00ffa3dfe9ef4b7 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Tue, 26 Mar 2019 13:42:22 +0530 +Subject: usb: u132-hcd: fix resource leak + +[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ] + +if platform_driver_register fails, cleanup the allocated resource +gracefully. + +Signed-off-by: Mukesh Ojha +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/host/u132-hcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c +index 5b8a3d9530c4..5cac83aaeac3 100644 +--- a/drivers/usb/host/u132-hcd.c ++++ b/drivers/usb/host/u132-hcd.c +@@ -3202,6 +3202,9 @@ static int __init u132_hcd_init(void) + printk(KERN_INFO "driver %s\n", hcd_name); + workqueue = create_singlethread_workqueue("u132"); + retval = platform_driver_register(&u132_platform_driver); ++ if (retval) ++ destroy_workqueue(workqueue); ++ + return retval; + } + +-- +2.19.1 + diff --git a/queue-5.0/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch b/queue-5.0/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch new file mode 100644 index 00000000000..f36f5e47740 --- /dev/null +++ b/queue-5.0/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch @@ -0,0 +1,34 @@ +From d6c90a5662a6de2dfd808048cf6b0061c9273375 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 10:27:11 -0500 +Subject: usb: usb251xb: fix to avoid potential NULL pointer dereference + +[ Upstream commit 41f00e6e9e55546390031996b773e7f3c1d95928 ] + +of_match_device in usb251xb_probe can fail and returns a NULL pointer. +The patch avoids a potential NULL pointer dereference in this scenario. + +Signed-off-by: Aditya Pakki +Reviewed-by: Richard Leitner +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/misc/usb251xb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c +index a6efb9a72939..5f7734c729b1 100644 +--- a/drivers/usb/misc/usb251xb.c ++++ b/drivers/usb/misc/usb251xb.c +@@ -601,7 +601,7 @@ static int usb251xb_probe(struct usb251xb *hub) + dev); + int err; + +- if (np) { ++ if (np && of_id) { + err = usb251xb_get_ofdata(hub, + (struct usb251xb_data *)of_id->data); + if (err) { +-- +2.19.1 + diff --git a/queue-5.0/x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vcp.patch b/queue-5.0/x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vcp.patch new file mode 100644 index 00000000000..089baeb7923 --- /dev/null +++ b/queue-5.0/x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vcp.patch @@ -0,0 +1,73 @@ +From 80337dc6d1f28490f634bede626d6f6de1da677b Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 13 Mar 2019 18:13:42 +0100 +Subject: x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init + +[ Upstream commit 013cc6ebbf41496ce4badedd71ea6d4a6d198c14 ] + +When userspace initializes guest vCPUs it may want to zero all supported +MSRs including Hyper-V related ones including HV_X64_MSR_STIMERn_CONFIG/ +HV_X64_MSR_STIMERn_COUNT. With commit f3b138c5d89a ("kvm/x86: Update SynIC +timers on guest entry only") we began doing stimer_mark_pending() +unconditionally on every config change. + +The issue I'm observing manifests itself as following: +- Qemu writes 0 to STIMERn_{CONFIG,COUNT} MSRs and marks all stimers as + pending in stimer_pending_bitmap, arms KVM_REQ_HV_STIMER; +- kvm_hv_has_stimer_pending() starts returning true; +- kvm_vcpu_has_events() starts returning true; +- kvm_arch_vcpu_runnable() starts returning true; +- when kvm_arch_vcpu_ioctl_run() gets into + (vcpu->arch.mp_state == KVM_MP_STATE_UNINITIALIZED) case: + - kvm_vcpu_block() gets in 'kvm_vcpu_check_block(vcpu) < 0' and returns + immediately, avoiding normal wait path; + - -EAGAIN is returned from kvm_arch_vcpu_ioctl_run() immediately forcing + userspace to retry. + +So instead of normal wait path we get a busy loop on all secondary vCPUs +before they get INIT signal. This seems to be undesirable, especially given +that this happens even when Hyper-V extensions are not used. + +Generally, it seems to be pointless to mark an stimer as pending in +stimer_pending_bitmap and arm KVM_REQ_HV_STIMER as the only thing +kvm_hv_process_stimers() will do is clear the corresponding bit. We may +just not mark disabled timers as pending instead. + +Fixes: f3b138c5d89a ("kvm/x86: Update SynIC timers on guest entry only") +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/kvm/hyperv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index 89d20ed1d2e8..371c669696d7 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -526,7 +526,9 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config, + new_config.enable = 0; + stimer->config.as_uint64 = new_config.as_uint64; + +- stimer_mark_pending(stimer, false); ++ if (stimer->config.enable) ++ stimer_mark_pending(stimer, false); ++ + return 0; + } + +@@ -542,7 +544,10 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, + stimer->config.enable = 0; + else if (stimer->config.auto_enable) + stimer->config.enable = 1; +- stimer_mark_pending(stimer, false); ++ ++ if (stimer->config.enable) ++ stimer_mark_pending(stimer, false); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-5.0/x86-mm-don-t-exceed-the-valid-physical-address-space.patch b/queue-5.0/x86-mm-don-t-exceed-the-valid-physical-address-space.patch new file mode 100644 index 00000000000..7513b455a40 --- /dev/null +++ b/queue-5.0/x86-mm-don-t-exceed-the-valid-physical-address-space.patch @@ -0,0 +1,62 @@ +From 3cbaa17b73b11aa8bb1d415061ef1a8c6fc7be59 Mon Sep 17 00:00:00 2001 +From: Ralph Campbell +Date: Mon, 25 Mar 2019 17:18:17 -0700 +Subject: x86/mm: Don't exceed the valid physical address space + +[ Upstream commit 92c77f7c4d5dfaaf45b2ce19360e69977c264766 ] + +valid_phys_addr_range() is used to sanity check the physical address range +of an operation, e.g., access to /dev/mem. It uses __pa(high_memory) +internally. + +If memory is populated at the end of the physical address space, then +__pa(high_memory) is outside of the physical address space because: + + high_memory = (void *)__va(max_pfn * PAGE_SIZE - 1) + 1; + +For the comparison in valid_phys_addr_range() this is not an issue, but if +CONFIG_DEBUG_VIRTUAL is enabled, __pa() maps to __phys_addr(), which +verifies that the resulting physical address is within the valid physical +address space of the CPU. So in the case that memory is populated at the +end of the physical address space, this is not true and triggers a +VIRTUAL_BUG_ON(). + +Use __pa(high_memory - 1) to prevent the conversion from going beyond +the end of valid physical addresses. + +Fixes: be62a3204406 ("x86/mm: Limit mmap() of /dev/mem to valid physical addresses") +Signed-off-by: Ralph Campbell +Signed-off-by: Thomas Gleixner +Cc: Craig Bergstrom +Cc: Linus Torvalds +Cc: Boris Ostrovsky +Cc: Fengguang Wu +Cc: Greg Kroah-Hartman +Cc: Hans Verkuil +Cc: Mauro Carvalho Chehab +Cc: Peter Zijlstra +Cc: Sander Eikelenboom +Cc: Sean Young + +Link: https://lkml.kernel.org/r/20190326001817.15413-2-rcampbell@nvidia.com +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/mm/mmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index db3165714521..dc726e07d8ba 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -230,7 +230,7 @@ bool mmap_address_hint_valid(unsigned long addr, unsigned long len) + /* Can we access it for direct reading/writing? Must be RAM: */ + int valid_phys_addr_range(phys_addr_t addr, size_t count) + { +- return addr + count <= __pa(high_memory); ++ return addr + count - 1 <= __pa(high_memory - 1); + } + + /* Can we access it through mmap? Must be a valid physical address: */ +-- +2.19.1 + diff --git a/queue-5.0/x86-realmode-don-t-leak-the-trampoline-kernel-addres.patch b/queue-5.0/x86-realmode-don-t-leak-the-trampoline-kernel-addres.patch new file mode 100644 index 00000000000..9c02692b8a0 --- /dev/null +++ b/queue-5.0/x86-realmode-don-t-leak-the-trampoline-kernel-addres.patch @@ -0,0 +1,47 @@ +From 69ddf53b13a0f38b15eff1c8a32e7dfdcbd9505b Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Tue, 26 Mar 2019 21:30:46 +0100 +Subject: x86/realmode: Don't leak the trampoline kernel address + +[ Upstream commit b929a500d68479163c48739d809cbf4c1335db6f ] + +Since commit + + ad67b74d2469 ("printk: hash addresses printed with %p") + +at boot "____ptrval____" is printed instead of the trampoline addresses: + + Base memory trampoline at [(____ptrval____)] 99000 size 24576 + +Remove the print as we don't want to leak kernel addresses and this +statement is not needed anymore. + +Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p") +Signed-off-by: Matteo Croce +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190326203046.20787-1-mcroce@redhat.com +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/x86/realmode/init.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c +index d10105825d57..47d097946872 100644 +--- a/arch/x86/realmode/init.c ++++ b/arch/x86/realmode/init.c +@@ -20,8 +20,6 @@ void __init set_real_mode_mem(phys_addr_t mem, size_t size) + void *base = __va(mem); + + real_mode_header = (struct real_mode_header *) base; +- printk(KERN_DEBUG "Base memory trampoline at [%p] %llx size %zu\n", +- base, (unsigned long long)mem, size); + } + + void __init reserve_real_mode(void) +-- +2.19.1 + diff --git a/queue-5.0/xsk-fix-umem-memory-leak-on-cleanup.patch b/queue-5.0/xsk-fix-umem-memory-leak-on-cleanup.patch new file mode 100644 index 00000000000..da2cc0acdb8 --- /dev/null +++ b/queue-5.0/xsk-fix-umem-memory-leak-on-cleanup.patch @@ -0,0 +1,110 @@ +From e89b2d3d0262b0273d213325efadffb37f503fee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Wed, 13 Mar 2019 15:15:49 +0100 +Subject: xsk: fix umem memory leak on cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 044175a06706d516aa42874bb44dbbfc3c4d20eb ] + +When the umem is cleaned up, the task that created it might already be +gone. If the task was gone, the xdp_umem_release function did not free +the pages member of struct xdp_umem. + +It turned out that the task lookup was not needed at all; The code was +a left-over when we moved from task accounting to user accounting [1]. + +This patch fixes the memory leak by removing the task lookup logic +completely. + +[1] https://lore.kernel.org/netdev/20180131135356.19134-3-bjorn.topel@gmail.com/ + +Link: https://lore.kernel.org/netdev/c1cb2ca8-6a14-3980-8672-f3de0bb38dfd@suse.cz/ +Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt") +Reported-by: Jiri Slaby +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin (Microsoft) +--- + include/net/xdp_sock.h | 1 - + net/xdp/xdp_umem.c | 19 +------------------ + 2 files changed, 1 insertion(+), 19 deletions(-) + +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h +index 13acb9803a6d..05d39e579953 100644 +--- a/include/net/xdp_sock.h ++++ b/include/net/xdp_sock.h +@@ -36,7 +36,6 @@ struct xdp_umem { + u32 headroom; + u32 chunk_size_nohr; + struct user_struct *user; +- struct pid *pid; + unsigned long address; + refcount_t users; + struct work_struct work; +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 37e1fe180769..9c767c68ed3a 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -189,9 +189,6 @@ static void xdp_umem_unaccount_pages(struct xdp_umem *umem) + + static void xdp_umem_release(struct xdp_umem *umem) + { +- struct task_struct *task; +- struct mm_struct *mm; +- + xdp_umem_clear_dev(umem); + + if (umem->fq) { +@@ -208,21 +205,10 @@ static void xdp_umem_release(struct xdp_umem *umem) + + xdp_umem_unpin_pages(umem); + +- task = get_pid_task(umem->pid, PIDTYPE_PID); +- put_pid(umem->pid); +- if (!task) +- goto out; +- mm = get_task_mm(task); +- put_task_struct(task); +- if (!mm) +- goto out; +- +- mmput(mm); + kfree(umem->pages); + umem->pages = NULL; + + xdp_umem_unaccount_pages(umem); +-out: + kfree(umem); + } + +@@ -351,7 +337,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (size_chk < 0) + return -EINVAL; + +- umem->pid = get_task_pid(current, PIDTYPE_PID); + umem->address = (unsigned long)addr; + umem->chunk_mask = ~((u64)chunk_size - 1); + umem->size = size; +@@ -367,7 +352,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + + err = xdp_umem_account_pages(umem); + if (err) +- goto out; ++ return err; + + err = xdp_umem_pin_pages(umem); + if (err) +@@ -386,8 +371,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + + out_account: + xdp_umem_unaccount_pages(umem); +-out: +- put_pid(umem->pid); + return err; + } + +-- +2.19.1 +