From: Sasha Levin Date: Mon, 22 Jul 2019 00:55:27 +0000 (-0400) Subject: fixes for 5.1 X-Git-Tag: v5.2.3~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=126708745f154c6f6b1a986399342424a3f53fee;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.1 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.1/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch b/queue-5.1/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
new file mode 100644
index 00000000000..208e2a4feef
--- /dev/null
+++ b/queue-5.1/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
@@ -0,0 +1,52 @@
+From 1ed050c90faf9b9db99e2b0923811d52bcf02e05 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla
+Tested-by: Lee Jones
+Reviewed-by: Graeme Gregory
+Acked-by: Lorenzo Pieralisi
+Acked-by: Hanjun Guo
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 803f0494dd3e..7722e85fb69c 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -155,10 +155,14 @@ static int __init acpi_fadt_sanity_check(void)
+ */
+ if (table->revision < 5 ||
+ (table->revision == 5 && fadt->minor_revision < 1)) {
+- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+ table->revision, fadt->minor_revision);
+- ret = -EINVAL;
+- goto out;
++
++ if (!fadt->arm_boot_flags) {
++ ret = -EINVAL;
++ goto out;
++ }
++ pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+ }
+
+ if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+--
+2.20.1
+
diff --git a/queue-5.1/acpica-clear-status-of-gpes-on-first-direct-enable.patch b/queue-5.1/acpica-clear-status-of-gpes-on-first-direct-enable.patch
new file mode 100644
index 00000000000..d161b0abf83
--- /dev/null
+++ b/queue-5.1/acpica-clear-status-of-gpes-on-first-direct-enable.patch
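Review bot: In the acpi_fadt_sanity_check() change to arch/arm64/kernel/acpi.c, the new `if (!fadt->arm_boot_flags)` test sits inside the whole `table->revision < 5 || (table->revision == 5 && fadt->minor_revision < 1)` branch, so a table reporting any revision below 5.1, not only 5.0, is accepted as 5.1 once the flags field is non-zero. The commit message only describes FADTs reported as 5.0; narrowing the escape to `if (table->revision != 5 || !fadt->arm_boot_flags) {` would keep older revisions rejected, and it is worth confirming that a pre-5.0 table is long enough for the arm_boot_flags read to stay inside it. The second message reports a tolerated firmware quirk, so `pr_warn(FW_BUG "FADT has ARM boot flags set, assuming 5.1\n");` may fit better than another pr_err. The function starts and ends outside the inner hunk.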
@@ -0,0 +1,133 @@
+From f17b8533c6ea992545ad1c31b82c92914166b932 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Mon, 17 Jun 2019 13:31:45 +0200
+Subject: ACPICA: Clear status of GPEs on first direct enable
+
+[ Upstream commit 44758bafa53602f2581a6857bb20b55d4d8ad5b2 ]
+
+ACPI GPEs (other than the EC one) can be enabled in two situations.
+First, the GPEs with existing _Lxx and _Exx methods are enabled
+implicitly by ACPICA during system initialization. Second, the
+GPEs without these methods (like GPEs listed by _PRW objects for
+wakeup devices) need to be enabled directly by the code that is
+going to use them (e.g. ACPI power management or device drivers).
+
+In the former case, if the status of a given GPE is set to start
+with, its handler method (either _Lxx or _Exx) needs to be invoked
+to take care of the events (possibly) signaled before the GPE was
+enabled. In the latter case, however, the first caller of
+acpi_enable_gpe() for a given GPE should not be expected to care
+about any events that might be signaled through it earlier. In
+that case, it is better to clear the status of the GPE before
+enabling it, to prevent stale events from triggering unwanted
+actions (like spurious system resume, for example).
+
+For this reason, modify acpi_ev_add_gpe_reference() to take an
+additional boolean argument indicating whether or not the GPE
+status needs to be cleared when its reference counter changes from
+zero to one and make acpi_enable_gpe() pass TRUE to it through
+that new argument.
+
+Fixes: 18996f2db918 ("ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume")
+Reported-by: Furquan Shaikh
+Tested-by: Furquan Shaikh
+Tested-by: Mika Westerberg
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/acevents.h | 3 ++-
+ drivers/acpi/acpica/evgpe.c | 8 +++++++-
+ drivers/acpi/acpica/evgpeblk.c | 2 +-
+ drivers/acpi/acpica/evxface.c | 2 +-
+ drivers/acpi/acpica/evxfgpe.c | 2 +-
+ 5 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acevents.h b/drivers/acpi/acpica/acevents.h
+index 831660179662..c8652f91054e 100644
+--- a/drivers/acpi/acpica/acevents.h
++++ b/drivers/acpi/acpica/acevents.h
+@@ -69,7 +69,8 @@ acpi_status
+ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked);
+
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++ u8 clear_on_enable);
+
+ acpi_status
+ acpi_ev_remove_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
+diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c
+index 62d3aa74277b..344feba29063 100644
+--- a/drivers/acpi/acpica/evgpe.c
++++ b/drivers/acpi/acpica/evgpe.c
+@@ -146,6 +146,7 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+ * FUNCTION: acpi_ev_add_gpe_reference
+ *
+ * PARAMETERS: gpe_event_info - Add a reference to this GPE
++ * clear_on_enable - Clear GPE status before enabling it
+ *
+ * RETURN: Status
+ *
+@@ -155,7 +156,8 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+ ******************************************************************************/
+
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++ u8 clear_on_enable)
+ {
+ acpi_status status = AE_OK;
+
+@@ -170,6 +172,10 @@ acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
+
+ /* Enable on first reference */
+
++ if (clear_on_enable) {
++ (void)acpi_hw_clear_gpe(gpe_event_info);
++ }
++
+ status = acpi_ev_update_gpe_enable_mask(gpe_event_info);
+ if (ACPI_SUCCESS(status)) {
+ status = acpi_ev_enable_gpe(gpe_event_info);
+diff --git a/drivers/acpi/acpica/evgpeblk.c b/drivers/acpi/acpica/evgpeblk.c
+index 328d1d6123ad..fb15e9e2373b 100644
+--- a/drivers/acpi/acpica/evgpeblk.c
++++ b/drivers/acpi/acpica/evgpeblk.c
+@@ -453,7 +453,7 @@ acpi_ev_initialize_gpe_block(struct acpi_gpe_xrupt_info *gpe_xrupt_info,
+ continue;
+ }
+
+- status = acpi_ev_add_gpe_reference(gpe_event_info);
++ status = acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+ if (ACPI_FAILURE(status)) {
+ ACPI_EXCEPTION((AE_INFO, status,
+ "Could not enable GPE 0x%02X",
+diff --git a/drivers/acpi/acpica/evxface.c b/drivers/acpi/acpica/evxface.c
+index 3df00eb6621b..279ef0557aa3 100644
+--- a/drivers/acpi/acpica/evxface.c
++++ b/drivers/acpi/acpica/evxface.c
+@@ -971,7 +971,7 @@ acpi_remove_gpe_handler(acpi_handle gpe_device,
+ ACPI_GPE_DISPATCH_METHOD) ||
+ (ACPI_GPE_DISPATCH_TYPE(handler->original_flags) ==
+ ACPI_GPE_DISPATCH_NOTIFY)) && handler->originally_enabled) {
+- (void)acpi_ev_add_gpe_reference(gpe_event_info);
++ (void)acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+ if (ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+
+ /* Poll edge triggered GPEs to handle existing events */
+diff --git a/drivers/acpi/acpica/evxfgpe.c b/drivers/acpi/acpica/evxfgpe.c
+index 30a083902f52..710488ec59e9 100644
+--- a/drivers/acpi/acpica/evxfgpe.c
++++ b/drivers/acpi/acpica/evxfgpe.c
+@@ -108,7 +108,7 @@ acpi_status acpi_enable_gpe(acpi_handle gpe_device, u32 gpe_number)
+ if (gpe_event_info) {
+ if (ACPI_GPE_DISPATCH_TYPE(gpe_event_info->flags) !=
+ ACPI_GPE_DISPATCH_NONE) {
+- status = acpi_ev_add_gpe_reference(gpe_event_info);
++ status = acpi_ev_add_gpe_reference(gpe_event_info, TRUE);
+ if (ACPI_SUCCESS(status) &&
+ ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+
+--
+2.20.1
+
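Review bot: In acpi_ev_add_gpe_reference() (drivers/acpi/acpica/evgpe.c) the status returned by `acpi_hw_clear_gpe()` is thrown away with a `(void)` cast, so when the clear fails the GPE is still enabled with its stale status bit and the spurious event this patch targets can still be delivered. If that is intended, say so at the call, for example `/* Best effort: a failed clear leaves at worst one stale event; enabling must still proceed */`. The existing `/* Enable on first reference */` comment now sits above the clear rather than the enable sequence and would read better moved below the new block. The function starts and ends outside the inner hunk.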
diff --git a/queue-5.1/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/queue-5.1/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
new file mode 100644
index 00000000000..beff1f18c6c
--- /dev/null
+++ b/queue-5.1/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
@@ -0,0 +1,50 @@
+From 0c42a41ff1e16c9970e849d14aea4938926a52e7 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff. Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 4af1e1d60b9f..51c0f10bb131 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2442,8 +2442,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+ goto out;
+ }
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ goto out;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2694,8 +2696,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+ return PTR_ERR(out_skb);
+
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ return err;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = pfk->dump.msg_version;
+--
+2.20.1
+
diff --git a/queue-5.1/alsa-hda-fix-a-headphone-detection-issue-when-using-.patch b/queue-5.1/alsa-hda-fix-a-headphone-detection-issue-when-using-.patch
new file mode 100644
index 00000000000..4baa62d8c2b
--- /dev/null
+++ b/queue-5.1/alsa-hda-fix-a-headphone-detection-issue-when-using-.patch
@@ -0,0 +1,57 @@
+From b9a3120ce67e0be41699b5ad297da7cd66ff51c3 Mon Sep 17 00:00:00 2001
+From: Rander Wang
+Date: Mon, 1 Jul 2019 15:46:30 +0800
+Subject: ALSA: hda: Fix a headphone detection issue when using SOF
+
+[ Upstream commit 7c2b3629d09ddec810dc4c1d3a6657c32def8f71 ]
+
+To save power, the hda hdmi driver in ASoC invokes snd_hdac_ext_bus_link_put
+to disable CORB/RIRB buffers DMA if there is no user of bus and invokes
+snd_hdac_ext_bus_link_get to set up CORB/RIRB buffers when it is used.
+Unsolicited responses is disabled in snd_hdac_bus_stop_cmd_io called by
+snd_hdac_ext_bus_link_put , but it is not enabled in snd_hdac_bus_init_cmd_io
+called by snd_hdac_ext_bus_link_get. So for put-get sequence, Unsolicited
+responses is disabled and headphone can't be detected by hda codecs.
+
+Now unsolicited responses is only enabled in snd_hdac_bus_reset_link
+which resets controller. The function is only called for setup of
+controller. This patch enables Unsolicited responses after RIRB is
+initialized in snd_hdac_bus_init_cmd_io which works together with
+snd_hdac_bus_reset_link to set up controller.
+
+Tested legacy hda driver and SOF driver on intel whiskeylake.
+
+Reviewed-by: Takashi Iwai
+Signed-off-by: Rander Wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/hda/hdac_controller.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c
+index b2e9454f5816..6a190f0d2803 100644
+--- a/sound/hda/hdac_controller.c
++++ b/sound/hda/hdac_controller.c
+@@ -78,6 +78,8 @@ void snd_hdac_bus_init_cmd_io(struct hdac_bus *bus)
+ snd_hdac_chip_writew(bus, RINTCNT, 1);
+ /* enable rirb dma and response irq */
+ snd_hdac_chip_writeb(bus, RIRBCTL, AZX_RBCTL_DMA_EN | AZX_RBCTL_IRQ_EN);
++ /* Accept unsolicited responses */
++ snd_hdac_chip_updatel(bus, GCTL, AZX_GCTL_UNSOL, AZX_GCTL_UNSOL);
+ spin_unlock_irq(&bus->reg_lock);
+ }
+ EXPORT_SYMBOL_GPL(snd_hdac_bus_init_cmd_io);
+@@ -414,9 +416,6 @@ int snd_hdac_bus_reset_link(struct hdac_bus *bus, bool full_reset)
+ return -EBUSY;
+ }
+
+- /* Accept unsolicited responses */
+- snd_hdac_chip_updatel(bus, GCTL, AZX_GCTL_UNSOL, AZX_GCTL_UNSOL);
+-
+ /* detect codecs */
+ if (!bus->codec_mask) {
+ bus->codec_mask = snd_hdac_chip_readw(bus, STATESTS);
+--
+2.20.1
+
diff --git a/queue-5.1/arm64-do-not-enable-irqs-for-ct_user_exit.patch b/queue-5.1/arm64-do-not-enable-irqs-for-ct_user_exit.patch
new file mode 100644
index 00000000000..812f8aa4c0c
--- /dev/null
+++ b/queue-5.1/arm64-do-not-enable-irqs-for-ct_user_exit.patch
@@ -0,0 +1,56 @@
+From d25577c17329dd70590363d75c9ada4ac98c8c8e Mon Sep 17 00:00:00 2001
+From: Julien Thierry
+Date: Tue, 11 Jun 2019 10:38:06 +0100
+Subject: arm64: Do not enable IRQs for ct_user_exit
+
+[ Upstream commit 9034f6251572a4744597c51dea5ab73a55f2b938 ]
+
+For el0_dbg and el0_error, DAIF bits get explicitly cleared before
+calling ct_user_exit.
+
+When context tracking is disabled, DAIF gets set (almost) immediately
+after. When context tracking is enabled, among the first things done
+is disabling IRQs.
+
+What is actually needed is:
+- PSR.D = 0 so the system can be debugged (should be already the case)
+- PSR.A = 0 so async error can be handled during context tracking
+
+Do not clear PSR.I in those two locations.
+
+Reviewed-by: Marc Zyngier
+Acked-by: Mark Rutland
+Reviewed-by: James Morse
+Cc: Will Deacon
+Signed-off-by: Julien Thierry
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/entry.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index c50a7a75f2e0..6a3890393963 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -855,7 +855,7 @@ el0_dbg:
+ mov x1, x25
+ mov x2, sp
+ bl do_debug_exception
+- enable_daif
++ enable_da_f
+ ct_user_exit
+ b ret_to_user
+ el0_inv:
+@@ -907,7 +907,7 @@ el0_error_naked:
+ enable_dbg
+ mov x0, sp
+ bl do_serror
+- enable_daif
++ enable_da_f
+ ct_user_exit
+ b ret_to_user
+ ENDPROC(el0_error)
+--
+2.20.1
+
diff --git a/queue-5.1/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch b/queue-5.1/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
new file mode 100644
index 00000000000..c5cd0f37001
--- /dev/null
+++ b/queue-5.1/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
@@ -0,0 +1,61 @@
+From 96e47de80e8621c163195767943783c185aa893d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 25 Jun 2019 21:20:17 -0700
+Subject: arm64/efi: Mark __efistub_stext_offset as an absolute symbol
+ explicitly
+
+[ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ]
+
+After r363059 and r363928 in LLVM, a build using ld.lld as the linker
+with CONFIG_RANDOMIZE_BASE enabled fails like so:
+
+ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol
+__efistub_stext_offset; recompile with -fPIC
+
+Fangrui and Peter figured out that ld.lld is incorrectly considering
+__efistub_stext_offset as a relative symbol because of the order in
+which symbols are evaluated. _text is treated as an absolute symbol
+and stext is a relative symbol, making __efistub_stext_offset a
+relative symbol.
+
+Adding ABSOLUTE will force ld.lld to evalute this expression in the
+right context and does not change ld.bfd's behavior. ld.lld will
+need to be fixed but the developers do not see a quick or simple fix
+without some research (see the linked issue for further explanation).
+Add this simple workaround so that ld.lld can continue to link kernels.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/561
+Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236
+Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83
+Acked-by: Ard Biesheuvel
+Debugged-by: Fangrui Song
+Debugged-by: Peter Smith
+Suggested-by: Fangrui Song
+Signed-off-by: Nathan Chancellor
+[will: add comment]
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/image.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h
+index 33f14e484040..b22e8ad071b1 100644
+--- a/arch/arm64/kernel/image.h
++++ b/arch/arm64/kernel/image.h
+@@ -78,7 +78,11 @@
+
+ #ifdef CONFIG_EFI
+
+-__efistub_stext_offset = stext - _text;
++/*
++ * Use ABSOLUTE() to avoid ld.lld treating this as a relative symbol:
++ * https://github.com/ClangBuiltLinux/linux/issues/561
++ */
++__efistub_stext_offset = ABSOLUTE(stext - _text);
+
+ /*
+ * The EFI stub has its own symbol namespace prefixed by __efistub_, to
+--
+2.20.1
+
diff --git a/queue-5.1/arm64-mm-make-config_zone_dma32-configurable.patch b/queue-5.1/arm64-mm-make-config_zone_dma32-configurable.patch
new file mode 100644
index 00000000000..ffb340a7b1c
--- /dev/null
+++ b/queue-5.1/arm64-mm-make-config_zone_dma32-configurable.patch
@@ -0,0 +1,66 @@
+From ee5bacb5f7081a0aaa9dff8f8b4f432e6f2c1ae7 Mon Sep 17 00:00:00 2001
+From: Miles Chen
+Date: Wed, 29 May 2019 00:08:20 +0800
+Subject: arm64: mm: make CONFIG_ZONE_DMA32 configurable
+
+[ Upstream commit 0c1f14ed12262f45a3af1d588e4d7bd12438b8f5 ]
+
+This change makes CONFIG_ZONE_DMA32 defuly y and allows users
+to overwrite it only when CONFIG_EXPERT=y.
+
+For the SoCs that do not need CONFIG_ZONE_DMA32, this is the
+first step to manage all available memory by a single
+zone(normal zone) to reduce the overhead of multiple zones.
+
+The change also fixes a build error when CONFIG_NUMA=y and
+CONFIG_ZONE_DMA32=n.
+
+arch/arm64/mm/init.c:195:17: error: use of undeclared identifier 'ZONE_DMA32'
+ max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
+
+Change since v1:
+1. only expose CONFIG_ZONE_DMA32 when CONFIG_EXPERT=y
+2. remove redundant IS_ENABLED(CONFIG_ZONE_DMA32)
+
+Cc: Robin Murphy
+Signed-off-by: Miles Chen
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/Kconfig | 3 ++-
+ arch/arm64/mm/init.c | 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index d218729ec852..dc3e62a18b62 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -258,7 +258,8 @@ config GENERIC_CALIBRATE_DELAY
+ def_bool y
+
+ config ZONE_DMA32
+- def_bool y
++ bool "Support DMA32 zone" if EXPERT
++ default y
+
+ config HAVE_GENERIC_GUP
+ def_bool y
+diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
+index 7cae155e81a5..fff8c61ff608 100644
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -191,8 +191,9 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
+ {
+ unsigned long max_zone_pfns[MAX_NR_ZONES] = {0};
+
+- if (IS_ENABLED(CONFIG_ZONE_DMA32))
+- max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#ifdef CONFIG_ZONE_DMA32
++ max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#endif
+ max_zone_pfns[ZONE_NORMAL] = max;
+
+ free_area_init_nodes(max_zone_pfns);
+--
+2.20.1
+
diff --git a/queue-5.1/asoc-audio-graph-card-fix-use-after-free-in-graph_fo.patch b/queue-5.1/asoc-audio-graph-card-fix-use-after-free-in-graph_fo.patch
new file mode 100644
index 00000000000..8e43229719d
--- /dev/null
+++ b/queue-5.1/asoc-audio-graph-card-fix-use-after-free-in-graph_fo.patch
@@ -0,0 +1,54 @@
+From 1358c6dcb00d25f86f751ef757d6557ace2d3e3f Mon Sep 17 00:00:00 2001
+From: Wen Yang
+Date: Thu, 4 Jul 2019 16:38:50 +0800
+Subject: ASoC: audio-graph-card: fix use-after-free in graph_for_each_link
+
+[ Upstream commit 1bcc1fd64e4dd903f4d868a9e053986e3b102713 ]
+
+After calling of_node_put() on the codec_ep and codec_port variables,
+they are still being used, which may result in use-after-free.
+We fix this issue by calling of_node_put() after the last usage.
+
+Fixes: fce9b90c1ab7 ("ASoC: audio-graph-card: cleanup DAI link loop method - step2")
+Signed-off-by: Wen Yang
+Cc: Liam Girdwood
+Cc: Mark Brown
+Cc: Jaroslav Kysela
+Cc: Takashi Iwai
+Cc: Kuninori Morimoto
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/1562229530-8121-1-git-send-email-wen.yang99@zte.com.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/generic/audio-graph-card.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
+index 69bc4848d787..f730830fb36c 100644
+--- a/sound/soc/generic/audio-graph-card.c
++++ b/sound/soc/generic/audio-graph-card.c
+@@ -460,9 +460,6 @@ static int graph_for_each_link(struct graph_priv *priv,
+ codec_ep = of_graph_get_remote_endpoint(cpu_ep);
+ codec_port = of_get_parent(codec_ep);
+
+- of_node_put(codec_ep);
+- of_node_put(codec_port);
+-
+ /* get convert-xxx property */
+ memset(&adata, 0, sizeof(adata));
+ graph_get_conversion(dev, codec_ep, &adata);
+@@ -482,6 +479,9 @@ static int graph_for_each_link(struct graph_priv *priv,
+ else
+ ret = func_noml(priv, cpu_ep, codec_ep, li);
+
++ of_node_put(codec_ep);
++ of_node_put(codec_port);
++
+ if (ret < 0)
+ return ret;
+
+--
+2.20.1
+
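Review bot: In graph_for_each_link() the lines between `graph_get_conversion(dev, codec_ep, &adata);` and the `else` branch fall outside both inner hunks, so it cannot be seen here whether anything in that stretch can `continue` or return before the relocated of_node_put() calls are reached; if it can, the references taken by of_graph_get_remote_endpoint() and of_get_parent() now leak on that path where they were previously dropped. Please confirm that the function call is the only way out of that stretch. A short comment at the new location, such as `/* drop the references only after the last use of codec_ep/codec_port */`, would also stop a later cleanup from hoisting the puts back up and reintroducing the use-after-free.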
diff --git a/queue-5.1/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch b/queue-5.1/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch
new file mode 100644
index 00000000000..9c4587ffc3c
--- /dev/null
+++ b/queue-5.1/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch
@@ -0,0 +1,44 @@
+From 9696c9f943c2a486414e3257fab55268deeb7c80 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+
+Date: Mon, 17 Jun 2019 13:36:42 +0200
+Subject: ASoC: Intel: hdac_hdmi: Set ops to NULL on remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0f6ff78540bd1b4df1e0f17806b0ce2e1dff0d78 ]
+
+When we unload Skylake driver we may end up calling
+hdac_component_master_unbind(), it uses acomp->audio_ops, which we set
+in hdmi_codec_probe(), so we need to set it to NULL in hdmi_codec_remove(),
+otherwise we will dereference no longer existing pointer.
+
+Signed-off-by: Amadeusz Sławiński
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/hdac_hdmi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 4de1fbfa8827..65177ca64827 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -1880,6 +1880,12 @@ static void hdmi_codec_remove(struct snd_soc_component *component)
+ {
+ struct hdac_hdmi_priv *hdmi = snd_soc_component_get_drvdata(component);
+ struct hdac_device *hdev = hdmi->hdev;
++ int ret;
++
++ ret = snd_hdac_acomp_register_notifier(hdev->bus, NULL);
++ if (ret < 0)
++ dev_err(&hdev->dev, "notifier unregister failed: err: %d\n",
++ ret);
+
+ pm_runtime_disable(&hdev->dev);
+ }
+--
+2.20.1
+
diff --git a/queue-5.1/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch b/queue-5.1/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch
new file mode 100644
index 00000000000..d49c638eb26
--- /dev/null
+++ b/queue-5.1/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch
@@ -0,0 +1,38 @@
+From 1c76791e2c3d88fe13c183e0f81b646fc7ba6658 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet
+Date: Thu, 13 Jun 2019 13:42:32 +0200
+Subject: ASoC: meson: axg-tdm: fix sample clock inversion
+
+[ Upstream commit cb36ff785e868992e96e8b9e5a0c2822b680a9e2 ]
+
+The content of SND_SOC_DAIFMT_FORMAT_MASK is a number, not a bitfield,
+so the test to check if the format is i2s is wrong. Because of this the
+clock setting may be wrong. For example, the sample clock gets inverted
+in DSP B mode, when it should not.
+
+Fix the lrclk invert helper function
+
+Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver")
+Signed-off-by: Jerome Brunet
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/meson/axg-tdm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/meson/axg-tdm.h b/sound/soc/meson/axg-tdm.h
+index e578b6f40a07..5774ce0916d4 100644
+--- a/sound/soc/meson/axg-tdm.h
++++ b/sound/soc/meson/axg-tdm.h
+@@ -40,7 +40,7 @@ struct axg_tdm_iface {
+
+ static inline bool axg_tdm_lrclk_invert(unsigned int fmt)
+ {
+- return (fmt & SND_SOC_DAIFMT_I2S) ^
++ return ((fmt & SND_SOC_DAIFMT_FORMAT_MASK) == SND_SOC_DAIFMT_I2S) ^
+ !!(fmt & (SND_SOC_DAIFMT_IB_IF | SND_SOC_DAIFMT_NB_IF));
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/asoc-rsnd-fixup-mod-id-calculation-in-rsnd_ctu_probe.patch b/queue-5.1/asoc-rsnd-fixup-mod-id-calculation-in-rsnd_ctu_probe.patch
new file mode 100644
index 00000000000..0669982584a
--- /dev/null
+++ b/queue-5.1/asoc-rsnd-fixup-mod-id-calculation-in-rsnd_ctu_probe.patch
@@ -0,0 +1,46 @@
+From 3f531206323823b6df1e15d6665e698151daa2c5 Mon Sep 17 00:00:00 2001
+From: Nilkanth Ahirrao
+Date: Tue, 18 Jun 2019 14:19:53 +0900
+Subject: ASoC: rsnd: fixup mod ID calculation in rsnd_ctu_probe_
+
+[ Upstream commit ac28ec07ae1c5c1e18ed6855eb105a328418da88 ]
+
+commit c16015f36cc1 ("ASoC: rsnd: add .get_id/.get_id_sub")
+introduces rsnd_ctu_id which calcualates and gives
+the main Device id of the CTU by dividing the id by 4.
+rsnd_mod_id uses this interface to get the CTU main
+Device id. But this commit forgets to revert the main
+Device id calcution previously done in rsnd_ctu_probe_
+which also divides the id by 4. This path corrects the
+same to get the correct main Device id.
+
+The issue is observered when rsnd_ctu_probe_ is done for CTU1
+
+Fixes: c16015f36cc1 ("ASoC: rsnd: add .get_id/.get_id_sub")
+
+Signed-off-by: Nilkanth Ahirrao
+Signed-off-by: Suresh Udipi
+Signed-off-by: Jiada Wang
+Acked-by: Kuninori Morimoto
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sh/rcar/ctu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/ctu.c b/sound/soc/sh/rcar/ctu.c
+index 8cb06dab234e..7647b3d4c0ba 100644
+--- a/sound/soc/sh/rcar/ctu.c
++++ b/sound/soc/sh/rcar/ctu.c
+@@ -108,7 +108,7 @@ static int rsnd_ctu_probe_(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- return rsnd_cmd_attach(io, rsnd_mod_id(mod) / 4);
++ return rsnd_cmd_attach(io, rsnd_mod_id(mod));
+ }
+
+ static void rsnd_ctu_value_init(struct rsnd_dai_stream *io,
+--
+2.20.1
+
diff --git a/queue-5.1/asoc-soc-core-call-snd_soc_unbind_card-under-mutex_l.patch b/queue-5.1/asoc-soc-core-call-snd_soc_unbind_card-under-mutex_l.patch
new file mode 100644
index 00000000000..f7b4e817d30
--- /dev/null
+++ b/queue-5.1/asoc-soc-core-call-snd_soc_unbind_card-under-mutex_l.patch
@@ -0,0 +1,82 @@
+From edcb4e1ac7555597f9ba27335859ec2efe8732c3 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto
+Date: Wed, 19 Jun 2019 10:07:19 +0900
+Subject: ASoC: soc-core: call snd_soc_unbind_card() under mutex_lock;
+
+[ Upstream commit b545542a0b866f7975254e41c595836e9bc0ff2f ]
+
+commit 34ac3c3eb8f0c07 ("ASoC: core: lock client_mutex while removing
+link components") added mutex_lock() at soc_remove_link_components().
+
+Is is called from snd_soc_unbind_card()
+
+ snd_soc_unbind_card()
+=> soc_remove_link_components()
+ soc_cleanup_card_resources()
+ soc_remove_dai_links()
+=> soc_remove_link_components()
+
+And, there are 2 way to call it.
+
+(1)
+ snd_soc_unregister_component()
+** mutex_lock()
+ snd_soc_component_del_unlocked()
+=> snd_soc_unbind_card()
+** mutex_unlock()
+
+(2)
+ snd_soc_unregister_card()
+=> snd_soc_unbind_card()
+
+(1) case is already using mutex_lock() when it calles
+snd_soc_unbind_card(), thus, we will get lockdep warning.
+
+commit 495f926c68ddb90 ("ASoC: core: Fix deadlock in
+snd_soc_instantiate_card()") tried to fixup it, but still not
+enough. We still have lockdep warning when we try unbind/bind.
+
+We need mutex_lock() under snd_soc_unregister_card()
+instead of snd_remove_link_components()/snd_soc_unbind_card().
+
+Fixes: 34ac3c3eb8f0c07 ("ASoC: core: lock client_mutex while removing link components")
+Fixes: 495f926c68ddb90 ("ASoC: core: Fix deadlock in snd_soc_instantiate_card()")
+Signed-off-by: Kuninori Morimoto
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index c010cc864cf3..f05a5c0a8aff 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2834,14 +2834,12 @@ static void snd_soc_unbind_card(struct snd_soc_card *card, bool unregister)
+ snd_soc_dapm_shutdown(card);
+ snd_soc_flush_all_delayed_work(card);
+
+- mutex_lock(&client_mutex);
+ /* remove all components used by DAI links on this card */
+ for_each_comp_order(order) {
+ for_each_card_rtds(card, rtd) {
+ soc_remove_link_components(card, rtd, order);
+ }
+ }
+- mutex_unlock(&client_mutex);
+
+ soc_cleanup_card_resources(card);
+ if (!unregister)
+@@ -2860,7 +2858,9 @@ static void snd_soc_unbind_card(struct snd_soc_card *card, bool unregister)
+ */
+ int snd_soc_unregister_card(struct snd_soc_card *card)
+ {
++ mutex_lock(&client_mutex);
+ snd_soc_unbind_card(card, true);
++ mutex_unlock(&client_mutex);
+ dev_dbg(card->dev, "ASoC: Unregistered card '%s'\n", card->name);
+
+ return 0;
+--
+2.20.1
+
diff --git a/queue-5.1/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch b/queue-5.1/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
new file mode 100644
index 00000000000..933c9388818
--- /dev/null
+++ b/queue-5.1/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
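Review bot: After this change to sound/soc/soc-core.c, snd_soc_unbind_card() depends on its caller holding client_mutex, but nothing in the function states or checks that, so a caller added later without the lock would remove link components unprotected with no warning. Add `lockdep_assert_held(&client_mutex);` at the top of snd_soc_unbind_card(), plus a one-line comment on the function saying the mutex must be held by the caller. Both call paths listed in the commit message hold the mutex after this patch, so the assertion should not fire on them. Only part of snd_soc_unbind_card() and the head of snd_soc_unregister_card() are visible in the inner hunks.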
@@ -0,0 +1,44 @@
+From d5f69294bf5ccd603be93cbfdd6a742b346eacd9 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+ * QCA9888(10.4-3.5.1-00052)
+ * QCA4019(10.4-3.2.1.1-00017)
+ * QCA9984(10.4-3.6-00104)
+ * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam
+Signed-off-by: Tamizh chelvam
+Signed-off-by: Anilkumar Kolli
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index d52b31b45df7..a274eb0d1968 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+ JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+ JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+ JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+- JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++ JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+ JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+ JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+ JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-add-missing-error-handling.patch b/queue-5.1/ath10k-add-missing-error-handling.patch
new file mode 100644
index 00000000000..b665465b1ef
--- /dev/null
+++ b/queue-5.1/ath10k-add-missing-error-handling.patch
@@ -0,0 +1,46 @@
+From 6663538318243d0c6011799f024c1f795343815b Mon Sep 17 00:00:00 2001
+From: Claire Chang
+Date: Thu, 23 May 2019 15:15:34 +0800
+Subject: ath10k: add missing error handling
+
+[ Upstream commit 4b553f3ca4cbde67399aa3a756c37eb92145b8a1 ]
+
+In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
+ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
+This will make the driver think the allocation for skb is successful and
+try to access the skb. If we enable failslab, system will easily crash with
+NULL pointer dereferencing.
+
+Call trace of CONFIG_FAILSLAB:
+ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
+process_sdio_pending_irqs+0x4c/0x174
+sdio_run_irqs+0x3c/0x64
+sdio_irq_work+0x1c/0x28
+
+Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
+Signed-off-by: Claire Chang
+Reviewed-by: Brian Norris
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index fae56c67766f..73ef3e75d199 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -602,6 +602,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
+ full_len,
+ last_in_bundle,
+ last_in_bundle);
++ if (ret) {
++ ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
++ goto err;
++ }
+ }
+
+ ar_sdio->n_rx_pkts = i;
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch b/queue-5.1/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch
new file mode 100644
index 00000000000..1dbd1ea3ccd
--- /dev/null
+++ b/queue-5.1/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch
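Review bot: The new `goto err;` in ath10k_sdio_mbox_rx_alloc() leaves the loop with the packets from earlier iterations already allocated and skips the `ar_sdio->n_rx_pkts = i;` assignment, and the `err:` label is outside the inner hunk, so it cannot be checked here that the label releases those packets and leaves the count consistent. Please confirm that, since a stale count or unreleased entries would put the RX path back on skbs that are missing or already freed, which is the crash class this patch addresses. A comment on the new branch, e.g. `/* err: releases the packets allocated so far */`, would document the reliance. The function starts and ends outside the hunk.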
@@ -0,0 +1,67 @@
+From c4825aa0c26b12ed868e3f5a5dbf69b3ddaa5e1f Mon Sep 17 00:00:00 2001
+From: Wen Gong
+Date: Mon, 29 Apr 2019 19:17:12 +0800
+Subject: ath10k: add peer id check in ath10k_peer_find_by_id
+
+[ Upstream commit 49ed34b835e231aa941257394716bc689bc98d9f ]
+
+For some SDIO chip, the peer id is 65535 for MPDU with error status,
+then test_bit will trigger buffer overflow for peer's memory, if kasan
+enabled, it will report error.
+
+Reason is when station is in disconnecting status, firmware do not delete
+the peer info since it not disconnected completely, meanwhile some AP will
+still send data packet to station, then hardware will receive the packet
+and send to firmware, firmware's logic will report peer id of 65535 for
+MPDU with error status.
+
+Add check for overflow the size of peer's peer_ids will avoid the buffer
+overflow access.
+
+Call trace of kasan:
+dump_backtrace+0x0/0x2ec
+show_stack+0x20/0x2c
+__dump_stack+0x20/0x28
+dump_stack+0xc8/0xec
+print_address_description+0x74/0x240
+kasan_report+0x250/0x26c
+__asan_report_load8_noabort+0x20/0x2c
+ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core]
+ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core]
+ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core]
+ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio]
+process_sdio_pending_irqs+0xec/0x370
+sdio_run_irqs+0x68/0xe4
+sdio_irq_work+0x1c/0x28
+process_one_work+0x3d8/0x8b0
+worker_thread+0x508/0x7cc
+kthread+0x24c/0x264
+ret_from_fork+0x10/0x18
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/txrx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index c5818d28f55a..4102df016931 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -150,6 +150,9 @@ struct ath10k_peer *ath10k_peer_find_by_id(struct ath10k *ar, int peer_id)
+ {
+ struct ath10k_peer *peer;
+
++ if (peer_id >= BITS_PER_TYPE(peer->peer_ids))
++ return NULL;
++
+ lockdep_assert_held(&ar->data_lock);
+
+ list_for_each_entry(peer, &ar->peers, list)
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-check-tx_stats-before-use-it.patch b/queue-5.1/ath10k-check-tx_stats-before-use-it.patch
new file mode 100644
index 00000000000..7b9faa001f6
--- /dev/null
+++ b/queue-5.1/ath10k-check-tx_stats-before-use-it.patch
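Review bot: In `ath10k_peer_find_by_id()` (txrx.c hunk) the new bound `peer_id >= BITS_PER_TYPE(peer->peer_ids)` rejects a negative `peer_id` only because the signed `int` is converted to the unsigned type of the `sizeof`-based expression, and nothing in the code says so. I would add a comment above the check, e.g. `/* peer_id is reported by firmware; the unsigned comparison also rejects negative ids */`, so a later change of the parameter type or the macro does not silently reopen the out-of-bounds `test_bit()` access the commit message describes. The early return also sits before `lockdep_assert_held(&ar->data_lock)`, so a caller that passes an invalid id without holding the lock is no longer caught; placing the check after the assertion keeps that coverage. The function body continues outside the hunk.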
@@ -0,0 +1,40 @@
+From 2834931206a7868a666e996474d4b0e2cea2ab68 Mon Sep 17 00:00:00 2001
+From: Yingying Tang
+Date: Thu, 2 May 2019 21:36:50 +0800
+Subject: ath10k: Check tx_stats before use it
+
+[ Upstream commit 9e7251fa38978b85108c44743e1436d48e8d0d76 ]
+
+tx_stats will be freed and set to NULL before debugfs_sta node is
+removed in station disconnetion process. So if read the debugfs_sta
+node there may be NULL pointer error. Add check for tx_stats before
+use it to resove this issue.
+
+Signed-off-by: Yingying Tang
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/debugfs_sta.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+index c704ae371c4d..42931a669b02 100644
+--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+@@ -663,6 +663,13 @@ static ssize_t ath10k_dbg_sta_dump_tx_stats(struct file *file,
+
+ mutex_lock(&ar->conf_mutex);
+
++ if (!arsta->tx_stats) {
++ ath10k_warn(ar, "failed to get tx stats");
++ mutex_unlock(&ar->conf_mutex);
++ kfree(buf);
++ return 0;
++ }
++
+ spin_lock_bh(&ar->data_lock);
+ for (k = 0; k < ATH10K_STATS_TYPE_MAX; k++) {
+ for (j = 0; j < ATH10K_COUNTER_TYPE_MAX; j++) {
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch b/queue-5.1/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch
new file mode 100644
index 00000000000..1ff378dc1a0
--- /dev/null
+++ b/queue-5.1/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch
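Review bot: The NULL test added to `ath10k_dbg_sta_dump_tx_stats()` is made while holding only `conf_mutex`, whereas the counters just below are read under `data_lock`. The hunk does not show which lock the disconnect path holds when it frees and clears `tx_stats`; if that path does not take `conf_mutex`, the pointer can still be freed between this check and the loop, so the locking should be confirmed and stated in a comment such as `/* tx_stats is freed under conf_mutex on station removal */`. The new message also lacks a trailing newline and should read `ath10k_warn(ar, "failed to get tx stats\n");`. The function starts and ends outside the hunk.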
@@ -0,0 +1,38 @@
+From e901d12033fdc6e3481feadafe68aeba1e6c091b Mon Sep 17 00:00:00 2001
+From: Wen Gong
+Date: Thu, 27 Jun 2019 21:21:51 +0300
+Subject: ath10k: destroy sdio workqueue while remove sdio module
+
+[ Upstream commit 3ed39f8e747a7aafeec07bb244f2c3a1bdca5730 ]
+
+The workqueue need to flush and destory while remove sdio module,
+otherwise it will have thread which is not destory after remove
+sdio modules.
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 73ef3e75d199..28bdf0212538 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -2081,6 +2081,9 @@ static void ath10k_sdio_remove(struct sdio_func *func)
+ cancel_work_sync(&ar_sdio->wr_async_work);
+ ath10k_core_unregister(ar);
+ ath10k_core_destroy(ar);
++
++ flush_workqueue(ar_sdio->workqueue);
++ destroy_workqueue(ar_sdio->workqueue);
+ }
+
+ static const struct sdio_device_id ath10k_sdio_devices[] = {
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-do-not-send-probe-response-template-for-mesh.patch b/queue-5.1/ath10k-do-not-send-probe-response-template-for-mesh.patch
new file mode 100644
index 00000000000..2df59e440f7
--- /dev/null
+++ b/queue-5.1/ath10k-do-not-send-probe-response-template-for-mesh.patch
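Review bot: In `ath10k_sdio_remove()` the added `flush_workqueue(ar_sdio->workqueue);` and `destroy_workqueue(ar_sdio->workqueue);` read `ar_sdio` after `ath10k_core_destroy(ar)` has already run. The hunk does not show how `ar_sdio` is allocated, but if it lives inside the allocation that `ath10k_core_destroy(ar)` releases, these two lines dereference freed memory on every module removal or device unplug. Moving both calls above `ath10k_core_destroy(ar);` removes the question; `destroy_workqueue()` already drains pending work, so the separate flush is not needed for correctness. The start of the function is outside the hunk.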
@@ -0,0 +1,43 @@
+From 730259cbb61bed76f447b3bd379463e6d8c62aa7 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index e8997e22ceec..b500fd427595 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1630,6 +1630,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+ if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+ return 0;
+
++ /* For mesh, probe response and beacon share the same template */
++ if (ieee80211_vif_is_mesh(vif))
++ return 0;
++
+ prb = ieee80211_proberesp_get(hw, vif);
+ if (!prb) {
+ ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-encoding-for-protected-management-frames.patch b/queue-5.1/ath10k-fix-encoding-for-protected-management-frames.patch
new file mode 100644
index 00000000000..8429f397b3e
--- /dev/null
+++ b/queue-5.1/ath10k-fix-encoding-for-protected-management-frames.patch
@@ -0,0 +1,46 @@
+From ce5177d8f83a2d0eab563d99388110abc300e7e3 Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai
+Date: Tue, 2 Apr 2019 18:12:50 +0530
+Subject: ath10k: Fix encoding for protected management frames
+
+[ Upstream commit 42f1bc43e6a97b9ddbe976eba9bd05306c990c75 ]
+
+Currently the protected management frames are
+not appended with the MIC_LEN which results in
+the protected management frames being encoded
+incorrectly.
+
+Add the extra space at the end of the protected
+management frames to fix this encoding error for
+the protected management frames.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
+
+Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
+Signed-off-by: Rakesh Pillai
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 582fb11f648a..02709fc99034 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -2840,8 +2840,10 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ if ((ieee80211_is_action(hdr->frame_control) ||
+ ieee80211_is_deauth(hdr->frame_control) ||
+ ieee80211_is_disassoc(hdr->frame_control)) &&
+- ieee80211_has_protected(hdr->frame_control))
++ ieee80211_has_protected(hdr->frame_control)) {
++ skb_put(msdu, IEEE80211_CCMP_MIC_LEN);
+ buf_len += IEEE80211_CCMP_MIC_LEN;
++ }
+
+ buf_len = min_t(u32, buf_len, WMI_TLV_MGMT_TX_FRAME_MAX_LEN);
+ buf_len = round_up(buf_len, 4);
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch b/queue-5.1/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch
new file mode 100644
index 00000000000..07512ccf53a
--- /dev/null
+++ b/queue-5.1/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch
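Review bot: In `ath10k_wmi_tlv_op_gen_mgmt_tx_send()` the new `skb_put(msdu, IEEE80211_CCMP_MIC_LEN);` extends the frame without checking that the skb has that much tailroom, and `skb_put()` panics the kernel when it does not. Nothing in the hunk shows that every protected action, deauth or disassoc frame reaching this path was allocated with room for the MIC, so I would guard the call with a `skb_tailroom(msdu) < IEEE80211_CCMP_MIC_LEN` test that takes the function's existing error path. The appended bytes are also left uninitialised; unless the firmware is known to overwrite them, `skb_put_zero(msdu, IEEE80211_CCMP_MIC_LEN);` avoids handing stale kernel memory to the device. The function starts and ends outside the hunk.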
@@ -0,0 +1,72 @@
+From bc74e76aa282c7b07321b349722544a9e9572572 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan
+Date: Fri, 24 May 2019 11:16:22 +0800
+Subject: ath10k: fix fw crash by moving chip reset after napi disabled
+
+[ Upstream commit 08d80e4cd27ba19f9bee9e5f788f9a9fc440a22f ]
+
+On SMP platform, when continuously running wifi up/down, the napi
+poll can be scheduled during chip reset, which will call
+ath10k_pci_has_fw_crashed() to check the fw status. But in the reset
+period, the value from FW_INDICATOR_ADDRESS register will return
+0xdeadbeef, which also be treated as fw crash. Fix the issue by
+moving chip reset after napi disabled.
+
+ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6)
+ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe
+ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1
+ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16
+ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16
+ath10k_pci 0000:01:00.0: Copy Engine register dump:
+ath10k_pci 0000:01:00.0: [00]: 0x0004a000 0 0 0 0
+ath10k_pci 0000:01:00.0: [01]: 0x0004a400 0 0 0 0
+ath10k_pci 0000:01:00.0: [02]: 0x0004a800 0 0 0 0
+ath10k_pci 0000:01:00.0: [03]: 0x0004ac00 0 0 0 0
+ath10k_pci 0000:01:00.0: [04]: 0x0004b000 0 0 0 0
+ath10k_pci 0000:01:00.0: [05]: 0x0004b400 0 0 0 0
+ath10k_pci 0000:01:00.0: [06]: 0x0004b800 0 0 0 0
+ath10k_pci 0000:01:00.0: [07]: 0x0004bc00 1 0 1 0
+ath10k_pci 0000:01:00.0: [08]: 0x0004c000 0 0 0 0
+ath10k_pci 0000:01:00.0: [09]: 0x0004c400 0 0 0 0
+ath10k_pci 0000:01:00.0: [10]: 0x0004c800 0 0 0 0
+ath10k_pci 0000:01:00.0: [11]: 0x0004cc00 0 0 0 0
+
+Tested HW: QCA9984,QCA9887,WCN3990
+
+Signed-off-by: Miaoqing Pan
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index 2c27f407a851..6e5f7ae00253 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -2059,6 +2059,11 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
+
+ ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif stop\n");
+
++ ath10k_pci_irq_disable(ar);
++ ath10k_pci_irq_sync(ar);
++ napi_synchronize(&ar->napi);
++ napi_disable(&ar->napi);
++
+ /* Most likely the device has HTT Rx ring configured. The only way to
+ * prevent the device from accessing (and possible corrupting) host
+ * memory is to reset the chip now.
+@@ -2072,10 +2077,6 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
+ */
+ ath10k_pci_safe_chip_reset(ar);
+
+- ath10k_pci_irq_disable(ar);
+- ath10k_pci_irq_sync(ar);
+- napi_synchronize(&ar->napi);
+- napi_disable(&ar->napi);
+ ath10k_pci_flush(ar);
+
+ spin_lock_irqsave(&ar_pci->ps_lock, flags);
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-incorrect-multicast-broadcast-rate-settin.patch b/queue-5.1/ath10k-fix-incorrect-multicast-broadcast-rate-settin.patch
new file mode 100644
index 00000000000..2bac98ed38e
--- /dev/null
+++ b/queue-5.1/ath10k-fix-incorrect-multicast-broadcast-rate-settin.patch
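Review bot: The ordering that `ath10k_pci_hif_stop()` now depends on, interrupts and NAPI quiesced before `ath10k_pci_safe_chip_reset(ar)`, is not recorded anywhere in the code, and the retained comment still says the chip is reset "now". I would add a comment above the moved block, e.g. `/* Quiesce IRQs and NAPI first: a poll running during reset misreads the firmware indicator as a crash */`, so the calls are not moved back later. The retained comment names the reset as the only way to stop the device from touching host memory, and the reset now happens after the irq sync and NAPI synchronise, so that window is somewhat longer than before; it is worth confirming this is acceptable. The function continues outside both hunks.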
@@ -0,0 +1,58 @@
+From 09a21c0ee388a2ebeda0297a5f668f101e5bf557 Mon Sep 17 00:00:00 2001
+From: Pradeep kumar Chitrapu
+Date: Tue, 23 Apr 2019 16:43:28 +0300
+Subject: ath10k: fix incorrect multicast/broadcast rate setting
+
+[ Upstream commit 93ee3d108fc77e19efeac3ec5aa7d5886711bfef ]
+
+Invalid rate code is sent to firmware when multicast rate value of 0 is
+sent to driver indicating disabled case, causing broken mesh path.
+so fix that.
+
+Tested on QCA9984 with firmware 10.4-3.6.1-00827
+
+Sven tested on IPQ4019 with 10.4-3.5.3-00057 and QCA9888 with 10.4-3.5.3-00053
+(ath10k-firmware) and 10.4-3.6-00140 (linux-firmware 2018-12-16-211de167).
+
+Fixes: cd93b83ad92 ("ath10k: support for multicast rate control")
+Co-developed-by: Zhi Chen
+Signed-off-by: Zhi Chen
+Signed-off-by: Pradeep Kumar Chitrapu
+Tested-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 9c703d287333..e8997e22ceec 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5588,8 +5588,8 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
+ struct cfg80211_chan_def def;
+ u32 vdev_param, pdev_param, slottime, preamble;
+ u16 bitrate, hw_value;
+- u8 rate, basic_rate_idx;
+- int rateidx, ret = 0, hw_rate_code;
++ u8 rate, basic_rate_idx, rateidx;
++ int ret = 0, hw_rate_code, mcast_rate;
+ enum nl80211_band band;
+ const struct ieee80211_supported_band *sband;
+
+@@ -5776,7 +5776,11 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
+ if (changed & BSS_CHANGED_MCAST_RATE &&
+ !ath10k_mac_vif_chan(arvif->vif, &def)) {
+ band = def.chan->band;
+- rateidx = vif->bss_conf.mcast_rate[band] - 1;
++ mcast_rate = vif->bss_conf.mcast_rate[band];
++ if (mcast_rate > 0)
++ rateidx = mcast_rate - 1;
++ else
++ rateidx = ffs(vif->bss_conf.basic_rates) - 1;
+
+ if (ar->phy_capability & WHAL_WLAN_11A_CAPABILITY)
+ rateidx += ATH10K_MAC_FIRST_OFDM_RATE_IDX;
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-memory-leak-in-qmi.patch b/queue-5.1/ath10k-fix-memory-leak-in-qmi.patch
new file mode 100644
index 00000000000..806816cd1ad
--- /dev/null
+++ b/queue-5.1/ath10k-fix-memory-leak-in-qmi.patch
@@ -0,0 +1,39 @@
+From de211948f1294adce21e6ca6fa9b8a5f03eb9df5 Mon Sep 17 00:00:00 2001
+From: Dundi Raviteja
+Date: Tue, 25 Jun 2019 19:55:48 +0530
+Subject: ath10k: Fix memory leak in qmi
+
+[ Upstream commit c709df58832c5f575f0255bea4b09ad477fc62ea ]
+
+Currently the memory allocated for qmi handle is
+not being freed during de-init which leads to memory leak.
+
+Free the allocated qmi memory in qmi deinit
+to avoid memory leak.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: fda6fee0001e ("ath10k: add QMI message handshake for wcn3990 client")
+Signed-off-by: Dundi Raviteja
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/qmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
+index a7bc2c70d076..8f8f717a23ee 100644
+--- a/drivers/net/wireless/ath/ath10k/qmi.c
++++ b/drivers/net/wireless/ath/ath10k/qmi.c
+@@ -1002,6 +1002,7 @@ int ath10k_qmi_deinit(struct ath10k *ar)
+ qmi_handle_release(&qmi->qmi_hdl);
+ cancel_work_sync(&qmi->event_work);
+ destroy_workqueue(qmi->event_wq);
++ kfree(qmi);
+ ar_snoc->qmi = NULL;
+
+ return 0;
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-pcie-device-wake-up-failed.patch b/queue-5.1/ath10k-fix-pcie-device-wake-up-failed.patch
new file mode 100644
index 00000000000..66556a07a15
--- /dev/null
+++ b/queue-5.1/ath10k-fix-pcie-device-wake-up-failed.patch
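Review bot: In the multicast-rate patch for `ath10k_bss_info_changed()` (mac.c, second hunk), `rateidx` is now a `u8`, and the new fallback `rateidx = ffs(vif->bss_conf.basic_rates) - 1;` produces -1 when `basic_rates` is 0, which is stored as 255. The following `rateidx += ATH10K_MAC_FIRST_OFDM_RATE_IDX;` then leaves it far out of range or wrapped, and if the value is used as an index into a rate table further down (outside the hunk) that is an out-of-bounds read. I would keep `rateidx` an `int` and leave the block when it is negative, or test `vif->bss_conf.basic_rates` for zero before calling `ffs()`. The function starts and ends outside both hunks.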
@@ -0,0 +1,49 @@
+From 9220ec127a72b491082a6537c54b677a7970abb0 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the fist read, we thought as a failure
+case, but actually is the right value, also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index ad082b7d7643..b242085c3c16 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -158,7 +158,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+
+ const struct ath10k_hw_values qca99x0_values = {
+- .rtc_state_val_on = 5,
++ .rtc_state_val_on = 7,
+ .ce_count = 12,
+ .msi_assign_ce_max = 12,
+ .num_target_ce_config_wlan = 10,
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-fix-the-wrong-value-of-enums-for-wmi-tlv-stat.patch b/queue-5.1/ath10k-fix-the-wrong-value-of-enums-for-wmi-tlv-stat.patch
new file mode 100644
index 00000000000..9a81662c507
--- /dev/null
+++ b/queue-5.1/ath10k-fix-the-wrong-value-of-enums-for-wmi-tlv-stat.patch
@@ -0,0 +1,46 @@
+From 7c8a15ee44176bc8cacb459c7d29137331257f93 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi
+Date: Tue, 9 Apr 2019 12:13:13 +0530
+Subject: ath10k: Fix the wrong value of enums for wmi tlv stats id
+
+[ Upstream commit 9280f4fc06f44d0b4dc9e831f72d97b3d7cd35d3 ]
+
+The enum value for WMI_TLV_STAT_PDEV, WMI_TLV_STAT_VDEV
+and WMI_TLV_STAT_PEER is wrong, due to which the vdev stats
+are not received from firmware in wmi_update_stats event.
+
+Fix the enum values for above stats to receive all stats
+from firmware in WMI_TLV_UPDATE_STATS_EVENTID.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
+
+Fixes: f40a307eb92c ("ath10k: Fill rx duration for each peer in fw_stats for WCN3990)
+Signed-off-by: Surabhi Vishnoi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index e1c40bb69932..12f57f9adbba 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -4535,9 +4535,10 @@ enum wmi_10_4_stats_id {
+ };
+
+ enum wmi_tlv_stats_id {
+- WMI_TLV_STAT_PDEV = BIT(0),
+- WMI_TLV_STAT_VDEV = BIT(1),
+- WMI_TLV_STAT_PEER = BIT(2),
++ WMI_TLV_STAT_PEER = BIT(0),
++ WMI_TLV_STAT_AP = BIT(1),
++ WMI_TLV_STAT_PDEV = BIT(2),
++ WMI_TLV_STAT_VDEV = BIT(3),
+ WMI_TLV_STAT_PEER_EXTD = BIT(10),
+ };
+
+--
+2.20.1
+
diff --git a/queue-5.1/ath10k-htt-don-t-use-txdone_fifo-with-sdio.patch b/queue-5.1/ath10k-htt-don-t-use-txdone_fifo-with-sdio.patch
new file mode 100644
index 00000000000..b1938be0b75
--- /dev/null
+++ b/queue-5.1/ath10k-htt-don-t-use-txdone_fifo-with-sdio.patch
@@ -0,0 +1,42 @@
+From dce7492c230d092be2ffb9e11158732050618517 Mon Sep 17 00:00:00 2001
+From: Alagu Sankar
+Date: Fri, 19 Apr 2019 10:28:49 +0300
+Subject: ath10k: htt: don't use txdone_fifo with SDIO
+
+[ Upstream commit e2a6b711282a371c5153239e0468a48254f17ca6 ]
+
+HTT High Latency (ATH10K_DEV_TYPE_HL) does not use txdone_fifo at all, we don't
+even initialise it by skipping ath10k_htt_tx_alloc_buf() in
+ath10k_htt_tx_start(). Because of this using QCA6174 SDIO
+ath10k_htt_rx_tx_compl_ind() will crash when it accesses unitialised
+txdone_fifo. So skip txdone_fifo when using High Latency mode.
+
+Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Co-developed-by: Wen Gong
+Signed-off-by: Alagu Sankar
+Signed-off-by: Wen Gong
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 1acc622d2183..f22840bbc389 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -2277,7 +2277,9 @@ static void ath10k_htt_rx_tx_compl_ind(struct ath10k *ar,
+ * Note that with only one concurrent reader and one concurrent
+ * writer, you don't need extra locking to use these macro.
+ */
+- if (!kfifo_put(&htt->txdone_fifo, tx_done)) {
++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
++ ath10k_txrx_tx_unref(htt, &tx_done);
++ } else if (!kfifo_put(&htt->txdone_fifo, tx_done)) {
+ ath10k_warn(ar, "txdone fifo overrun, msdu_id %d status %d\n",
+ tx_done.msdu_id, tx_done.status);
+ ath10k_txrx_tx_unref(htt, &tx_done);
+--
+2.20.1
+
diff --git a/queue-5.1/ath6kl-add-some-bounds-checking.patch b/queue-5.1/ath6kl-add-some-bounds-checking.patch
new file mode 100644
index 00000000000..14ebb551723
--- /dev/null
+++ b/queue-5.1/ath6kl-add-some-bounds-checking.patch
@@ -0,0 +1,62 @@
+From 1fdc18fcbc8a017238e4996d160fe4c82ff635db Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements. We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 68854c45d0a4..9ab6aa9ded5c 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1176,6 +1176,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+ return -EINVAL;
+
+ ev = (struct wmi_pstream_timeout_event *) datap;
++ if (ev->traffic_class >= WMM_NUM_AC) {
++ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++ return -EINVAL;
++ }
+
+ /*
+ * When the pstream (fat pipe == AC) timesout, it means there were
+@@ -1517,6 +1521,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+ return -EINVAL;
+
+ reply = (struct wmi_cac_event *) datap;
++ if (reply->ac >= WMM_NUM_AC) {
++ ath6kl_err("invalid AC: %d\n", reply->ac);
++ return -EINVAL;
++ }
+
+ if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+ (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2633,7 +2641,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ u16 active_tsids = 0;
+ int ret;
+
+- if (traffic_class > 3) {
++ if (traffic_class >= WMM_NUM_AC) {
+ ath6kl_err("invalid traffic class: %d\n", traffic_class);
+ return -EINVAL;
+ }
+--
+2.20.1
+
diff --git a/queue-5.1/ath9k-check-for-errors-when-reading-srev-register.patch b/queue-5.1/ath9k-check-for-errors-when-reading-srev-register.patch
new file mode 100644
index 00000000000..e49d52854e2
--- /dev/null
+++ b/queue-5.1/ath9k-check-for-errors-when-reading-srev-register.patch
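Review bot: The two new checks in `ath6kl_wmi_pstream_timeout_event_rx()` and `ath6kl_wmi_cac_event_rx()` call `ath6kl_err()` on every out-of-range value, and the commit message says these fields come from the network. Unless `ath6kl_err()` is already rate limited (not visible in this patch), a sender that keeps supplying bad values can fill the kernel log; guarding the message, e.g. `if (net_ratelimit()) ath6kl_err("invalid AC: %d\n", reply->ac);` and likewise for the traffic-class message, bounds that. Both functions start and end outside their hunks.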
@@ -0,0 +1,121 @@
+From a3f3c4c15261cd214c9c8e028e86af491c772ed4 Mon Sep 17 00:00:00 2001
+From: Tim Schumacher
+Date: Mon, 18 Mar 2019 20:05:57 +0100
+Subject: ath9k: Check for errors when reading SREV register
+
+[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
+
+Right now, if an error is encountered during the SREV register
+read (i.e. an EIO in ath9k_regread()), that error code gets
+passed all the way to __ath9k_hw_init(), where it is visible
+during the "Chip rev not supported" message.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+Check for -EIO explicitly in ath9k_hw_read_revisions() and return
+a boolean based on the success of the operation. Check for that in
+__ath9k_hw_init() and abort with a more debugging-friendly message
+if reading the revisions wasn't successful.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Failed to read SREV register
+ ath: phy2: Could not read hardware revision
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+This helps when debugging by directly showing the first point of
+failure and it could prevent possible errors if a 0x0f.3 revision
+is ever supported.
+
+Signed-off-by: Tim Schumacher
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 8581d917635a..b6773d613f0c 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -252,8 +252,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
+ /* Chip Revisions */
+ /******************/
+
+-static void ath9k_hw_read_revisions(struct ath_hw *ah)
++static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+ {
++ u32 srev;
+ u32 val;
+
+ if (ah->get_mac_revision)
+@@ -269,25 +270,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ val = REG_READ(ah, AR_SREV);
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+ }
+- return;
++ return true;
+ case AR9300_DEVID_AR9340:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9340;
+- return;
++ return true;
+ case AR9300_DEVID_QCA955X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9550;
+- return;
++ return true;
+ case AR9300_DEVID_AR953X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9531;
+- return;
++ return true;
+ case AR9300_DEVID_QCA956X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9561;
+- return;
++ return true;
+ }
+
+- val = REG_READ(ah, AR_SREV) & AR_SREV_ID;
++ srev = REG_READ(ah, AR_SREV);
++
++ if (srev == -EIO) {
++ ath_err(ath9k_hw_common(ah),
++ "Failed to read SREV register");
++ return false;
++ }
++
++ val = srev & AR_SREV_ID;
+
+ if (val == 0xFF) {
+- val = REG_READ(ah, AR_SREV);
++ val = srev;
+ ah->hw_version.macVersion =
+ (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S;
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+@@ -306,6 +315,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE)
+ ah->is_pciexpress = true;
+ }
++
++ return true;
+ }
+
+ /************************************/
+@@ -559,7 +570,10 @@ static int __ath9k_hw_init(struct ath_hw *ah)
+ struct ath_common *common = ath9k_hw_common(ah);
+ int r = 0;
+
+- ath9k_hw_read_revisions(ah);
++ if (!ath9k_hw_read_revisions(ah)) {
++ ath_err(common, "Could not read hardware revisions");
++ return -EOPNOTSUPP;
++ }
+
+ switch (ah->hw_version.macVersion) {
+ case AR_SREV_VERSION_5416_PCI:
+--
+2.20.1
+
diff --git a/queue-5.1/ath9k-correctly-handle-short-radar-pulses.patch b/queue-5.1/ath9k-correctly-handle-short-radar-pulses.patch
new file mode 100644
index 00000000000..b1486b8087f
--- /dev/null
+++ b/queue-5.1/ath9k-correctly-handle-short-radar-pulses.patch
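Review bot: In `ath9k_hw_read_revisions()` the new test `if (srev == -EIO)` compares a `u32` register value with a negative errno, so it works only through implicit conversion and treats one 32-bit pattern as the error marker. Any other error value passed back through `REG_READ()` goes undetected, and the `REG_READ(ah, AR_SREV)` in the early-return switch case above is still unchecked. I would at least document the in-band sentinel with a comment such as `/* REG_READ() has no error channel; a failed read shows up as (u32)-EIO */`. Both added `ath_err()` strings also lack a trailing newline; unless `ath_err()` appends one, they should end in `\n`. Both functions extend outside their hunks.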
@@ -0,0 +1,58 @@
+From e191a858984b863c37bd2514828d43e91d9f6704 Mon Sep 17 00:00:00 2001
+From: Zefir Kurtisi
+Date: Tue, 11 Jun 2019 15:36:56 +0200
+Subject: ath9k: correctly handle short radar pulses
+
+[ Upstream commit df5c4150501ee7e86383be88f6490d970adcf157 ]
+
+In commit 3c0efb745a17 ("ath9k: discard undersized packets")
+the lower bound of RX packets was set to 10 (min ACK size) to
+filter those that would otherwise be treated as invalid at
+mac80211.
+
+Alas, short radar pulses are reported as PHY_ERROR frames
+with length set to 3. Therefore their detection stopped
+working after that commit.
+
+NOTE: ath9k drivers built thereafter will not pass DFS
+certification.
+
+This extends the criteria for short packets to explicitly
+handle PHY_ERROR frames.
+
+Fixes: 3c0efb745a17 ("ath9k: discard undersized packets")
+Signed-off-by: Zefir Kurtisi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/recv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 4e97f7f3b2a3..06e660858766 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -815,6 +815,7 @@ static int ath9k_rx_skb_preprocess(struct ath_softc *sc,
+ struct ath_common *common = ath9k_hw_common(ah);
+ struct ieee80211_hdr *hdr;
+ bool discard_current = sc->rx.discard_next;
++ bool is_phyerr;
+
+ /*
+ * Discard corrupt descriptors which are marked in
+@@ -827,8 +828,11 @@ static int ath9k_rx_skb_preprocess(struct ath_softc *sc,
+
+ /*
+ * Discard zero-length packets and packets smaller than an ACK
++ * which are not PHY_ERROR (short radar pulses have a length of 3)
+ */
+- if (rx_stats->rs_datalen < 10) {
++ is_phyerr = rx_stats->rs_status & ATH9K_RXERR_PHY;
++ if (!rx_stats->rs_datalen ||
++ (rx_stats->rs_datalen < 10 && !is_phyerr)) {
+ RX_STAT_INC(sc, rx_len_err);
+ goto corrupt;
+ }
+--
+2.20.1
+
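Review bot: In `ath9k_rx_skb_preprocess()` the relaxed length test now lets any frame of 1 to 9 bytes through whenever `ATH9K_RXERR_PHY` is set in `rs_status`, so every later access to the payload in this function has to tolerate a buffer shorter than an 802.11 header. The first hunk shows `struct ieee80211_hdr *hdr;` but not where it is first dereferenced; if that happens before PHY-error frames are handed to radar processing, the code reads past the received data. I would confirm that ordering and extend the comment with a line such as `* PHY_ERROR frames must not be parsed as 802.11 headers below`. The function continues outside both hunks.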
diff --git a/queue-5.1/ath9k-don-t-trust-tx-status-tid-number-when-reportin.patch b/queue-5.1/ath9k-don-t-trust-tx-status-tid-number-when-reportin.patch
new file mode 100644
index 00000000000..acc0f93dbf6
--- /dev/null
+++ b/queue-5.1/ath9k-don-t-trust-tx-status-tid-number-when-reportin.patch
@@ -0,0 +1,62 @@ +From cca335ea6b3e6d872acbd75a523219205599f1d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Thu, 7 Mar 2019 19:39:44 +0100 +Subject: ath9k: Don't trust TX status TID number when reporting airtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 389b72e58259336c2d56d58b660b79cf4b9e0dcb ] + +As already noted a comment in ath_tx_complete_aggr(), the hardware will +occasionally send a TX status with the wrong tid number. If we trust the +value, airtime usage will be reported to the wrong AC, which can cause the +deficit on that AC to become very low, blocking subsequent attempts to +transmit. + +To fix this, account airtime usage to the TID number from the original skb, +instead of the one in the hardware TX status report. + +Reported-by: Miguel Catalan Cid +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/xmit.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c +index b17e1ca40995..3be0aeedb9b5 100644 +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -668,7 +668,8 @@ static bool bf_is_ampdu_not_probing(struct ath_buf *bf) + static void ath_tx_count_airtime(struct ath_softc *sc, + struct ieee80211_sta *sta, + struct ath_buf *bf, +- struct ath_tx_status *ts) ++ struct ath_tx_status *ts, ++ u8 tid) + { + u32 airtime = 0; + int i; +@@ -679,7 +680,7 @@ static void ath_tx_count_airtime(struct ath_softc *sc, + airtime += rate_dur * bf->rates[i].count; + } + +- ieee80211_sta_register_airtime(sta, ts->tid, airtime, 0); ++ ieee80211_sta_register_airtime(sta, tid, airtime, 0); + } + + static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq, +@@ -709,7 +710,7 @@ static void ath_tx_process_buffer(struct ath_softc 
*sc, struct ath_txq *txq, + if (sta) { + struct ath_node *an = (struct ath_node *)sta->drv_priv; + tid = ath_get_skb_tid(sc, an, bf->bf_mpdu); +- ath_tx_count_airtime(sc, sta, bf, ts); ++ ath_tx_count_airtime(sc, sta, bf, ts, tid->tidno); + if (ts->ts_status & (ATH9K_TXERR_FILT | ATH9K_TXERR_XRETRY)) + tid->clear_ps_filter = true; + } +-- +2.20.1 + diff --git a/queue-5.1/batman-adv-fix-duplicated-ogms-on-netdev_up.patch b/queue-5.1/batman-adv-fix-duplicated-ogms-on-netdev_up.patch new file mode 100644 index 00000000000..9b2177d5cbd --- /dev/null +++ b/queue-5.1/batman-adv-fix-duplicated-ogms-on-netdev_up.patch 
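Review bot: The new `u8 tid` parameter of `ath_tx_count_airtime()` holds a TID number, while `tid` in the caller `ath_tx_process_buffer()` is a pointer whose `->tidno` is passed in; naming the parameter `tidno` would avoid one name with two meanings in adjacent functions. The reason for ignoring `ts->tid` is recorded only in the commit message, so the `ieee80211_sta_register_airtime()` call deserves a comment such as `/* TID taken from the skb: the hardware TX status occasionally reports a wrong one */`. Both functions continue outside the xmit.c hunks, so other uses of `ts->tid` in this path are not visible and are worth a grep.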
@@ -0,0 +1,93 @@
+From df9fff42380ced70ff1a4ee6299862e5dae3482a Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Sun, 2 Jun 2019 10:57:31 +0200
+Subject: batman-adv: Fix duplicated OGMs on NETDEV_UP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 9e6b5648bbc4cd48fab62cecbb81e9cc3c6e7e88 ]
+
+The state of slave interfaces are handled differently depending on whether
+the interface is up or not. All active interfaces (IFF_UP) will transmit
+OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
+(low TTL) OGMs on active interfaces. The code which setups and schedules
+the OGMs must therefore already be called when the interfaces gets added as
+slave interface and the transmit function must then check whether it has to
+send out the OGM or not on the specific slave interface.
+
+But the commit f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule
+API calls") moved the setup code from the enable function to the activate
+function. The latter is called either when the added slave was already up
+when batadv_hardif_enable_interface processed the new interface or when a
+NETDEV_UP event was received for this slave interfac. As result, each
+NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
+would be send a lot more than expected.
+
+Fixes: f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule API calls")
+Reported-by: Linus Lüssing
+Tested-by: Linus Lüssing
+Acked-by: Marek Lindner
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/bat_iv_ogm.c | 4 ++--
+ net/batman-adv/hard-interface.c | 3 +++
+ net/batman-adv/types.h | 3 +++
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index de61091af666..267418b6129a 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2349,7 +2349,7 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ return ret;
+ }
+
+-static void batadv_iv_iface_activate(struct batadv_hard_iface *hard_iface)
++static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
+ {
+ /* begin scheduling originator messages on that interface */
+ batadv_iv_ogm_schedule(hard_iface);
+@@ -2695,8 +2695,8 @@ static void batadv_iv_gw_dump(struct sk_buff *msg, struct netlink_callback *cb,
+ static struct batadv_algo_ops batadv_batman_iv __read_mostly = {
+ .name = "BATMAN_IV",
+ .iface = {
+- .activate = batadv_iv_iface_activate,
+ .enable = batadv_iv_ogm_iface_enable,
++ .enabled = batadv_iv_iface_enabled,
+ .disable = batadv_iv_ogm_iface_disable,
+ .update_mac = batadv_iv_ogm_iface_update_mac,
+ .primary_set = batadv_iv_ogm_primary_iface_set,
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 96ef7c70b4d9..9072392e43cd 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -807,6 +807,9 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
+
+ batadv_hardif_recalc_extra_skbroom(soft_iface);
+
++ if (bat_priv->algo_ops->iface.enabled)
++ bat_priv->algo_ops->iface.enabled(hard_iface);
++
+ out:
+ return 0;
+
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index ed0f6a519de5..3c83c8b4f1e1 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -2135,6 +2135,9 @@ struct batadv_algo_iface_ops {
+ /** @enable: init routing info when hard-interface is enabled */
+ int (*enable)(struct batadv_hard_iface *hard_iface);
+
++ /** @enabled: notification when hard-interface was enabled (optional) */
++ void (*enabled)(struct batadv_hard_iface *hard_iface);
++
+ /** @disable: de-init routing info when hard-interface is disabled */
+ void (*disable)(struct batadv_hard_iface *hard_iface);
+
+--
+2.20.1
+
diff --git a/queue-5.1/batman-adv-fix-for-leaked-tvlv-handler.patch b/queue-5.1/batman-adv-fix-for-leaked-tvlv-handler.patch
new file mode 100644
index 00000000000..1ba3302d774
--- /dev/null
+++ b/queue-5.1/batman-adv-fix-for-leaked-tvlv-handler.patch
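Review bot: Removing `.activate` from `batadv_batman_iv` in the second bat_iv_ogm.c hunk leaves that member NULL for B.A.T.M.A.N. IV, so the existing `iface.activate` call site has to be NULL-guarded the same way the new `iface.enabled` call in `batadv_hardif_enable_interface()` is. That call site is outside the visible hunks and should be confirmed before this is queued. The new call sits directly above the `out:` label, whose other entry points are not visible either; a one-line comment such as `/* notify the algorithm once, only after the interface was fully enabled */` would record that the hook must not run on paths that jump to `out`.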
@@ -0,0 +1,37 @@
+From b7279b26c2bede80f82469c59a1d46a4feed9709 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ]
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed. Unregister it.
+
+Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Sasha Levin
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 26c4e2493ddf..abad64eb7dc4 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3826,6 +3826,8 @@ static void batadv_tt_purge(struct work_struct *work)
+ */
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+ batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+
+--
+2.20.1
+
diff --git a/queue-5.1/bcache-acquire-bch_register_lock-later-in-cached_dev.patch b/queue-5.1/bcache-acquire-bch_register_lock-later-in-cached_dev.patch
new file mode 100644
index 00000000000..25d7cbf18c7
--- /dev/null
+++ b/queue-5.1/bcache-acquire-bch_register_lock-later-in-cached_dev.patch
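Review bot: The added `batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);` only releases the handler if its type and version match what was passed at registration, and the registration in the translation-table init path is outside the hunk. The literal `1` is now repeated for ROAM and for TT, so a mismatch after a future version change would reintroduce the leak that was reported here without any warning. A short comment next to the call, e.g. `/* must mirror the handler registrations done at TT init */`, would tie the teardown to its counterpart; `batadv_tt_free()` continues outside the hunk.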
@@ -0,0 +1,163 @@
+From 150df1029309a3aa8980b6f6690f1efafdb8d4eb Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:48 +0800
+Subject: bcache: acquire bch_register_lock later in cached_dev_free()
+
+[ Upstream commit 80265d8dfd77792e133793cef44a21323aac2908 ]
+
+When enable lockdep engine, a lockdep warning can be observed when
+reboot or shutdown system,
+
+[ 3142.764557][ T1] bcache: bcache_reboot() Stopping all devices:
+[ 3142.776265][ T2649]
+[ 3142.777159][ T2649] ======================================================
+[ 3142.780039][ T2649] WARNING: possible circular locking dependency detected
+[ 3142.782869][ T2649] 5.2.0-rc4-lp151.20-default+ #1 Tainted: G W
+[ 3142.785684][ T2649] ------------------------------------------------------
+[ 3142.788479][ T2649] kworker/3:67/2649 is trying to acquire lock:
+[ 3142.790738][ T2649] 00000000aaf02291 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
+[ 3142.794678][ T2649]
+[ 3142.794678][ T2649] but task is already holding lock:
+[ 3142.797402][ T2649] 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.801462][ T2649]
+[ 3142.801462][ T2649] which lock already depends on the new lock.
+[ 3142.801462][ T2649]
+[ 3142.805277][ T2649]
+[ 3142.805277][ T2649] the existing dependency chain (in reverse order) is:
+[ 3142.808902][ T2649]
+[ 3142.808902][ T2649] -> #2 (&bch_register_lock){+.+.}:
+[ 3142.812396][ T2649] __mutex_lock+0x7a/0x9d0
+[ 3142.814184][ T2649] cached_dev_free+0x17/0x120 [bcache]
+[ 3142.816415][ T2649] process_one_work+0x2a4/0x640
+[ 3142.818413][ T2649] worker_thread+0x39/0x3f0
+[ 3142.820276][ T2649] kthread+0x125/0x140
+[ 3142.822061][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.823965][ T2649]
+[ 3142.823965][ T2649] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
+[ 3142.827244][ T2649] process_one_work+0x277/0x640
+[ 3142.829160][ T2649] worker_thread+0x39/0x3f0
+[ 3142.830958][ T2649] kthread+0x125/0x140
+[ 3142.832674][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.834915][ T2649]
+[ 3142.834915][ T2649] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
+[ 3142.838121][ T2649] lock_acquire+0xb4/0x1c0
+[ 3142.840025][ T2649] flush_workqueue+0xae/0x4c0
+[ 3142.842035][ T2649] drain_workqueue+0xa9/0x180
+[ 3142.844042][ T2649] destroy_workqueue+0x17/0x250
+[ 3142.846142][ T2649] cached_dev_free+0x52/0x120 [bcache]
+[ 3142.848530][ T2649] process_one_work+0x2a4/0x640
+[ 3142.850663][ T2649] worker_thread+0x39/0x3f0
+[ 3142.852464][ T2649] kthread+0x125/0x140
+[ 3142.854106][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.855880][ T2649]
+[ 3142.855880][ T2649] other info that might help us debug this:
+[ 3142.855880][ T2649]
+[ 3142.859663][ T2649] Chain exists of:
+[ 3142.859663][ T2649] (wq_completion)bcache_writeback_wq --> (work_completion)(&cl->work)#2 --> &bch_register_lock
+[ 3142.859663][ T2649]
+[ 3142.865424][ T2649] Possible unsafe locking scenario:
+[ 3142.865424][ T2649]
+[ 3142.868022][ T2649] CPU0 CPU1
+[ 3142.869885][ T2649] ---- ----
+[ 3142.871751][ T2649] lock(&bch_register_lock);
+[ 3142.873379][ T2649] lock((work_completion)(&cl->work)#2);
+[ 3142.876399][ T2649] lock(&bch_register_lock);
+[ 3142.879727][ T2649] lock((wq_completion)bcache_writeback_wq);
+[ 3142.882064][ T2649]
+[ 3142.882064][ T2649] *** DEADLOCK ***
+[ 3142.882064][ T2649]
+[ 3142.885060][ T2649] 3 locks held by kworker/3:67/2649:
+[ 3142.887245][ T2649] #0: 00000000e774cdd0 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.890815][ T2649] #1: 00000000f7df89da ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.894884][ T2649] #2: 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.898797][ T2649]
+[ 3142.898797][ T2649] stack backtrace:
+[ 3142.900961][ T2649] CPU: 3 PID: 2649 Comm: kworker/3:67 Tainted: G W 5.2.0-rc4-lp151.20-default+ #1
+[ 3142.904789][ T2649] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
+[ 3142.909168][ T2649] Workqueue: events cached_dev_free [bcache]
+[ 3142.911422][ T2649] Call Trace:
+[ 3142.912656][ T2649] dump_stack+0x85/0xcb
+[ 3142.914181][ T2649] print_circular_bug+0x19a/0x1f0
+[ 3142.916193][ T2649] __lock_acquire+0x16cd/0x1850
+[ 3142.917936][ T2649] ? __lock_acquire+0x6a8/0x1850
+[ 3142.919704][ T2649] ? lock_acquire+0xb4/0x1c0
+[ 3142.921335][ T2649] ? find_held_lock+0x34/0xa0
+[ 3142.923052][ T2649] lock_acquire+0xb4/0x1c0
+[ 3142.924635][ T2649] ? flush_workqueue+0x87/0x4c0
+[ 3142.926375][ T2649] flush_workqueue+0xae/0x4c0
+[ 3142.928047][ T2649] ? flush_workqueue+0x87/0x4c0
+[ 3142.929824][ T2649] ? drain_workqueue+0xa9/0x180
+[ 3142.931686][ T2649] drain_workqueue+0xa9/0x180
+[ 3142.933534][ T2649] destroy_workqueue+0x17/0x250
+[ 3142.935787][ T2649] cached_dev_free+0x52/0x120 [bcache]
+[ 3142.937795][ T2649] process_one_work+0x2a4/0x640
+[ 3142.939803][ T2649] worker_thread+0x39/0x3f0
+[ 3142.941487][ T2649] ? process_one_work+0x640/0x640
+[ 3142.943389][ T2649] kthread+0x125/0x140
+[ 3142.944894][ T2649] ? kthread_create_worker_on_cpu+0x70/0x70
+[ 3142.947744][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.970358][ T2649] bcache: bcache_device_free() bcache0 stopped
+
+Here is how the deadlock happens.
+1) bcache_reboot() calls bcache_device_stop(), then inside
+ bcache_device_stop() BCACHE_DEV_CLOSING bit is set on d->flags.
+ Then closure_queue(&d->cl) is called to invoke cached_dev_flush().
+2) In cached_dev_flush(), cached_dev_free() is called by continu_at().
+3) In cached_dev_free(), when stopping the writeback kthread of the
+ cached device by kthread_stop(), dc->writeback_thread will be waken
+ up to quite the kthread while-loop, then cached_dev_put() is called
+ in bch_writeback_thread().
+4) Calling cached_dev_put() in writeback kthread may drop dc->count to
+ 0, then dc->detach kworker is scheduled, which is initialized as
+ cached_dev_detach_finish().
+5) Inside cached_dev_detach_finish(), the last line of code is to call
+ closure_put(&dc->disk.cl), which drops the last reference counter of
+ closrure dc->disk.cl, then the callback cached_dev_flush() gets
+ called.
+Now cached_dev_flush() is called for second time in the code path, the
+first time is in step 2). And again bch_register_lock will be acquired
+again, and a A-A lock (lockdep terminology) is happening.
+
+The root cause of the above A-A lock is in cached_dev_free(), mutex
+bch_register_lock is held before stopping writeback kthread and other
+kworkers. Fortunately now we have variable 'bcache_is_reboot', which may
+prevent device registration or unregistration during reboot/shutdown
+time, so it is unncessary to hold bch_register_lock such early now.
+
+This is how this patch fixes the reboot/shutdown time A-A lock issue:
+After moving mutex_lock(&bch_register_lock) to a later location where
+before atomic_read(&dc->running) in cached_dev_free(), such A-A lock
+problem can be solved without any reboot time registration race.
+
+Signed-off-by: Coly Li
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/bcache/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index e489d2459569..cbde1cc1d2bd 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1186,8 +1186,6 @@ static void cached_dev_free(struct closure *cl)
+ {
+ struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl);
+
+- mutex_lock(&bch_register_lock);
+-
+ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
+ cancel_writeback_rate_update_dwork(dc);
+
+@@ -1198,6 +1196,8 @@ static void cached_dev_free(struct closure *cl)
+ if (!IS_ERR_OR_NULL(dc->status_update_thread))
+ kthread_stop(dc->status_update_thread);
+
++ mutex_lock(&bch_register_lock);
++
+ if (atomic_read(&dc->running))
+ bd_unlink_disk_holder(dc->bdev, dc->disk.disk);
+ bcache_device_free(&dc->disk);
+--
+2.20.1
+
diff --git a/queue-5.1/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch b/queue-5.1/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
new file mode 100644
index 00000000000..bc40d5046bd
--- /dev/null
+++ b/queue-5.1/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
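Review bot: With `mutex_lock(&bch_register_lock)` moved below the `kthread_stop()` calls, the writeback-rate work cancellation and the thread teardown at the top of `cached_dev_free()` now run unlocked, and the commit message justifies that only through `bcache_is_reboot`, which covers reboot and shutdown. If `cached_dev_free()` can also run on an ordinary detach or unregister (not visible in these hunks), the state touched before the lock is no longer serialised against registration, so that path needs a separate check. The moved lock should carry its reason in the code, e.g. `/* taken only after kthreads and workqueues are stopped: stopping them under bch_register_lock deadlocks */`. The function body starts and ends outside both hunks, so the matching unlock is not visible here.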
@@ -0,0 +1,128 @@
+From b6462f3f08e3e057ff3872b814c7c670aed6d24b Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[ 561.207881] ==================================================================
+[ 561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[ 561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[ 561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G W 5.0.0-vanilla+ #3
+[ 561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.207935] Workqueue: events cache_set_flush [bcache]
+[ 561.207940] Call Trace:
+[ 561.207948] dump_stack+0x9a/0xeb
+[ 561.207955] ? kthread_stop+0x3b/0x440
+[ 561.207960] ? kthread_stop+0x3b/0x440
+[ 561.207965] kasan_report+0x176/0x192
+[ 561.207973] ? kthread_stop+0x3b/0x440
+[ 561.207981] kthread_stop+0x3b/0x440
+[ 561.207995] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 561.208008] process_one_work+0x856/0x1620
+[ 561.208015] ? find_held_lock+0x39/0x1d0
+[ 561.208028] ? drain_workqueue+0x380/0x380
+[ 561.208048] worker_thread+0x87/0xb80
+[ 561.208058] ? __kthread_parkme+0xb6/0x180
+[ 561.208067] ? process_one_work+0x1620/0x1620
+[ 561.208072] kthread+0x326/0x3e0
+[ 561.208079] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 561.208090] ret_from_fork+0x3a/0x50
+[ 561.208110] ==================================================================
+[ 561.208113] Disabling lock debugging due to kernel taint
+[ 561.208115] irq event stamp: 11800231
+[ 561.208126] hardirqs last enabled at (11800231): [] do_syscall_64+0x18/0x410
+[ 561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[ 561.208129] #PF error: [WRITE]
+[ 561.312253] hardirqs last disabled at (11800230): [] trace_hardirqs_off_thunk+0x1a/0x1c
+[ 561.312259] softirqs last enabled at (11799832): [] __do_softirq+0x5c7/0x8c3
+[ 561.405975] PGD 0 P4D 0
+[ 561.442494] softirqs last disabled at (11799821): [] irq_exit+0x1ac/0x1e0
+[ 561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[ 561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G B W 5.0.0-vanilla+ #3
+[ 561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.791371] Workqueue: events cache_set_flush [bcache]
+[ 561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[ 561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[ 561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[ 561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[ 563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[ 563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[ 563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[ 563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[ 563.408620] FS: 0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[ 563.408622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[ 563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.915796] PKRU: 55555554
+[ 563.915797] Call Trace:
+[ 563.915807] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 563.915812] process_one_work+0x856/0x1620
+[ 564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.033563] ? find_held_lock+0x39/0x1d0
+[ 564.033567] ? drain_workqueue+0x380/0x380
+[ 564.033574] worker_thread+0x87/0xb80
+[ 564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.118042] ? __kthread_parkme+0xb6/0x180
+[ 564.118046] ? process_one_work+0x1620/0x1620
+[ 564.118048] kthread+0x326/0x3e0
+[ 564.118050] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.252441] ret_from_fork+0x3a/0x50
+[ 564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[ 564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.348360] CR2: 000000000000001c
+[ 564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index cbde1cc1d2bd..dd36e3dfd00f 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1557,7 +1557,7 @@ static void cache_set_flush(struct closure *cl)
+ kobject_put(&c->internal);
+ kobject_del(&c->kobj);
+
+- if (c->gc_thread)
++ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+ if (!IS_ERR_OR_NULL(c->root))
+--
+2.20.1
+
diff --git a/queue-5.1/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch b/queue-5.1/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch
new file mode 100644
index 00000000000..a0c66fcd096
--- /dev/null
+++ b/queue-5.1/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch
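Review bot: The guard in `cache_set_flush()` now tolerates an error pointer, but `c->gc_thread` itself still holds that error value after a failed start, so any other reader that tests it with a plain NULL check would fault the same way under memory pressure. Those readers and `bch_gc_thread_start()` are outside the hunk; resetting the field where the start fails, e.g. `c->gc_thread = NULL;` after the error code has been captured, would close the whole class instead of one call site. If the field is meant to keep the error value, that contract belongs in a comment at its declaration, e.g. `/* NULL, a valid task, or ERR_PTR() if starting the thread failed */`.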
@@ -0,0 +1,43 @@
+From 812049b7a4978f11b148f35fbbd95c5960b45b3a Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:36 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE bit in bch_journal()
+
+[ Upstream commit 383ff2183ad16a8842d1fbd9dd3e1cbd66813e64 ]
+
+When too many I/O errors happen on cache set and CACHE_SET_IO_DISABLE
+bit is set, bch_journal() may continue to work because the journaling
+bkey might be still in write set yet. The caller of bch_journal() may
+believe the journal still work but the truth is in-memory journal write
+set won't be written into cache device any more. This behavior may
+introduce potential inconsistent metadata status.
+
+This patch checks CACHE_SET_IO_DISABLE bit at the head of bch_journal(),
+if the bit is set, bch_journal() returns NULL immediately to notice
+caller to know journal does not work.
+
+Signed-off-by: Coly Li
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/bcache/journal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index 6c94fa007796..ac3cec56ec19 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -810,6 +810,10 @@ atomic_t *bch_journal(struct cache_set *c,
+ struct journal_write *w;
+ atomic_t *ret;
+
++ /* No journaling if CACHE_SET_IO_DISABLE set already */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++ return NULL;
++
+ if (!CACHE_SYNC(&c->sb))
+ return NULL;
+
+--
+2.20.1
+
diff --git a/queue-5.1/bcache-check-cache_set_io_disable-in-allocator-code.patch b/queue-5.1/bcache-check-cache_set_io_disable-in-allocator-code.patch
new file mode 100644
index 00000000000..98b3afb37d7
--- /dev/null
+++ b/queue-5.1/bcache-check-cache_set_io_disable-in-allocator-code.patch
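Review bot: The new early `return NULL` in `bch_journal()` cannot be told apart from the existing `!CACHE_SYNC(&c->sb)` return directly below it, so a caller sees the same value for "journaling is off by configuration" and "the cache set was disabled after I/O errors". The commit message expects callers to notice the failure, but the callers are outside the hunk; if they treat NULL as "nothing to wait for", the keys are dropped from the journal without any error reaching the request. The function comment should spell out both meanings, e.g. `/* Returns NULL if journaling is disabled or the cache set has CACHE_SET_IO_DISABLE set; callers must not assume the keys were journaled. */`, and the call sites should be checked against it.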
@@ -0,0 +1,56 @@
+From a3760250dccc975b3ffb5de445bdeaba2d64f85f Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:35 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE in allocator code
+
+[ Upstream commit e775339e1ae1205b47d94881db124c11385e597c ]
+
+If CACHE_SET_IO_DISABLE of a cache set flag is set by too many I/O
+errors, currently allocator routines can still continue allocate
+space which may introduce inconsistent metadata state.
+
+This patch checkes CACHE_SET_IO_DISABLE bit in following allocator
+routines,
+- bch_bucket_alloc()
+- __bch_bucket_alloc_set()
+Once CACHE_SET_IO_DISABLE is set on cache set, the allocator routines
+may reject allocation request earlier to avoid potential inconsistent
+metadata.
+
+Signed-off-by: Coly Li
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/bcache/alloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index f8986effcb50..6f776823b9ba 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -393,6 +393,11 @@ long bch_bucket_alloc(struct cache *ca, unsigned int reserve, bool wait)
+ struct bucket *b;
+ long r;
+
++
++ /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &ca->set->flags)))
++ return -1;
++
+ /* fastpath */
+ if (fifo_pop(&ca->free[RESERVE_NONE], r) ||
+ fifo_pop(&ca->free[reserve], r))
+@@ -484,6 +489,10 @@ int __bch_bucket_alloc_set(struct cache_set *c, unsigned int reserve,
+ {
+ int i;
+
++ /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++ return -1;
++
+ lockdep_assert_held(&c->bucket_lock);
+ BUG_ON(!n || n > c->caches_loaded || n > MAX_CACHES_PER_SET);
+
+--
+2.20.1
+
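Review bot: In `__bch_bucket_alloc_set()` the added `CACHE_SET_IO_DISABLE` check returns before `lockdep_assert_held(&c->bucket_lock)`, so the locking contract is no longer verified on that path; moving the three added lines below the assertion keeps it checked for every caller. In `bch_bucket_alloc()` the early `return -1;` also applies when `wait` is true, and callers that pass `wait` may assume the call cannot fail; the call sites are outside the hunk and should be checked for assertions on the result before this is backported. The first alloc.c hunk also adds a second consecutive blank line after `long r;`.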
diff --git a/queue-5.1/bcache-fix-potential-deadlock-in-cached_def_free.patch b/queue-5.1/bcache-fix-potential-deadlock-in-cached_def_free.patch
new file mode 100644
index 00000000000..45696adc4f4
--- /dev/null
+++ b/queue-5.1/bcache-fix-potential-deadlock-in-cached_def_free.patch
@@ -0,0 +1,172 @@ +From 17ffcc53f207857629e4d99614af7fe441e37de3 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 28 Jun 2019 19:59:49 +0800 +Subject: bcache: fix potential deadlock in cached_def_free() + +[ Upstream commit 7e865eba00a3df2dc8c4746173a8ca1c1c7f042e ] + +When enable lockdep and reboot system with a writeback mode bcache +device, the following potential deadlock warning is reported by lockdep +engine. + +[ 101.536569][ T401] kworker/2:2/401 is trying to acquire lock: +[ 101.538575][ T401] 00000000bbf6e6c7 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0 +[ 101.542054][ T401] +[ 101.542054][ T401] but task is already holding lock: +[ 101.544587][ T401] 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640 +[ 101.548386][ T401] +[ 101.548386][ T401] which lock already depends on the new lock. +[ 101.548386][ T401] +[ 101.551874][ T401] +[ 101.551874][ T401] the existing dependency chain (in reverse order) is: +[ 101.555000][ T401] +[ 101.555000][ T401] -> #1 ((work_completion)(&cl->work)#2){+.+.}: +[ 101.557860][ T401] process_one_work+0x277/0x640 +[ 101.559661][ T401] worker_thread+0x39/0x3f0 +[ 101.561340][ T401] kthread+0x125/0x140 +[ 101.562963][ T401] ret_from_fork+0x3a/0x50 +[ 101.564718][ T401] +[ 101.564718][ T401] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}: +[ 101.567701][ T401] lock_acquire+0xb4/0x1c0 +[ 101.569651][ T401] flush_workqueue+0xae/0x4c0 +[ 101.571494][ T401] drain_workqueue+0xa9/0x180 +[ 101.573234][ T401] destroy_workqueue+0x17/0x250 +[ 101.575109][ T401] cached_dev_free+0x44/0x120 [bcache] +[ 101.577304][ T401] process_one_work+0x2a4/0x640 +[ 101.579357][ T401] worker_thread+0x39/0x3f0 +[ 101.581055][ T401] kthread+0x125/0x140 +[ 101.582709][ T401] ret_from_fork+0x3a/0x50 +[ 101.584592][ T401] +[ 101.584592][ T401] other info that might help us debug this: +[ 101.584592][ T401] +[ 101.588355][ T401] Possible unsafe locking scenario: +[ 101.588355][ T401] +[ 
101.590974][ T401] CPU0 CPU1 +[ 101.592889][ T401] ---- ---- +[ 101.594743][ T401] lock((work_completion)(&cl->work)#2); +[ 101.596785][ T401] lock((wq_completion)bcache_writeback_wq); +[ 101.600072][ T401] lock((work_completion)(&cl->work)#2); +[ 101.602971][ T401] lock((wq_completion)bcache_writeback_wq); +[ 101.605255][ T401] +[ 101.605255][ T401] *** DEADLOCK *** +[ 101.605255][ T401] +[ 101.608310][ T401] 2 locks held by kworker/2:2/401: +[ 101.610208][ T401] #0: 00000000cf2c7d17 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640 +[ 101.613709][ T401] #1: 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640 +[ 101.617480][ T401] +[ 101.617480][ T401] stack backtrace: +[ 101.619539][ T401] CPU: 2 PID: 401 Comm: kworker/2:2 Tainted: G W 5.2.0-rc4-lp151.20-default+ #1 +[ 101.623225][ T401] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018 +[ 101.627210][ T401] Workqueue: events cached_dev_free [bcache] +[ 101.629239][ T401] Call Trace: +[ 101.630360][ T401] dump_stack+0x85/0xcb +[ 101.631777][ T401] print_circular_bug+0x19a/0x1f0 +[ 101.633485][ T401] __lock_acquire+0x16cd/0x1850 +[ 101.635184][ T401] ? __lock_acquire+0x6a8/0x1850 +[ 101.636863][ T401] ? lock_acquire+0xb4/0x1c0 +[ 101.638421][ T401] ? find_held_lock+0x34/0xa0 +[ 101.640015][ T401] lock_acquire+0xb4/0x1c0 +[ 101.641513][ T401] ? flush_workqueue+0x87/0x4c0 +[ 101.643248][ T401] flush_workqueue+0xae/0x4c0 +[ 101.644832][ T401] ? flush_workqueue+0x87/0x4c0 +[ 101.646476][ T401] ? drain_workqueue+0xa9/0x180 +[ 101.648303][ T401] drain_workqueue+0xa9/0x180 +[ 101.649867][ T401] destroy_workqueue+0x17/0x250 +[ 101.651503][ T401] cached_dev_free+0x44/0x120 [bcache] +[ 101.653328][ T401] process_one_work+0x2a4/0x640 +[ 101.655029][ T401] worker_thread+0x39/0x3f0 +[ 101.656693][ T401] ? process_one_work+0x640/0x640 +[ 101.658501][ T401] kthread+0x125/0x140 +[ 101.660012][ T401] ? 
kthread_create_worker_on_cpu+0x70/0x70 +[ 101.661985][ T401] ret_from_fork+0x3a/0x50 +[ 101.691318][ T401] bcache: bcache_device_free() bcache0 stopped + +Here is how the above potential deadlock may happen in reboot/shutdown +code path, +1) bcache_reboot() is called firstly in the reboot/shutdown code path, + then in bcache_reboot(), bcache_device_stop() is called. +2) bcache_device_stop() sets BCACHE_DEV_CLOSING on d->falgs, then call + closure_queue(&d->cl) to invoke cached_dev_flush(). And in turn + cached_dev_flush() calls cached_dev_free() via closure_at() +3) In cached_dev_free(), after stopped writebach kthread + dc->writeback_thread, the kwork dc->writeback_write_wq is stopping by + destroy_workqueue(). +4) Inside destroy_workqueue(), drain_workqueue() is called. Inside + drain_workqueue(), flush_workqueue() is called. Then wq->lockdep_map + is acquired by lock_map_acquire() in flush_workqueue(). After the + lock acquired the rest part of flush_workqueue() just wait for the + workqueue to complete. +5) Now we look back at writeback thread routine bch_writeback_thread(), + in the main while-loop, write_dirty() is called via continue_at() in + read_dirty_submit(), which is called via continue_at() in while-loop + level called function read_dirty(). Inside write_dirty() it may be + re-called on workqueeu dc->writeback_write_wq via continue_at(). + It means when the writeback kthread is stopped in cached_dev_free() + there might be still one kworker queued on dc->writeback_write_wq + to execute write_dirty() again. +6) Now this kworker is scheduled on dc->writeback_write_wq to run by + process_one_work() (which is called by worker_thread()). Before + calling the kwork routine, wq->lockdep_map is acquired. +7) But wq->lockdep_map is acquired already in step 4), so a A-A lock + (lockdep terminology) scenario happens. 
+ +Indeed on multiple cores syatem, the above deadlock is very rare to +happen, just as the code comments in process_one_work() says, +2263 * AFAICT there is no possible deadlock scenario between the +2264 * flush_work() and complete() primitives (except for + single-threaded +2265 * workqueues), so hiding them isn't a problem. + +But it is still good to fix such lockdep warning, even no one running +bcache on single core system. + +The fix is simple. This patch solves the above potential deadlock by, +- Do not destroy workqueue dc->writeback_write_wq in cached_dev_free(). +- Flush and destroy dc->writeback_write_wq in writebach kthread routine + bch_writeback_thread(), where after quit the thread main while-loop + and before cached_dev_put() is called. + +By this fix, dc->writeback_write_wq will be stopped and destroy before +the writeback kthread stopped, so the chance for a A-A locking on +wq->lockdep_map is disappeared, such A-A deadlock won't happen +any more. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 2 -- + drivers/md/bcache/writeback.c | 4 ++++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index dd36e3dfd00f..91252107b10c 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1191,8 +1191,6 @@ static void cached_dev_free(struct closure *cl) + + if (!IS_ERR_OR_NULL(dc->writeback_thread)) + kthread_stop(dc->writeback_thread); +- if (dc->writeback_write_wq) +- destroy_workqueue(dc->writeback_write_wq); + if (!IS_ERR_OR_NULL(dc->status_update_thread)) + kthread_stop(dc->status_update_thread); + +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index 73f0efac2b9f..df0f4e5a051a 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -735,6 +735,10 @@ static int bch_writeback_thread(void *arg) + } + } + ++ if (dc->writeback_write_wq) { ++ 
flush_workqueue(dc->writeback_write_wq); ++ destroy_workqueue(dc->writeback_write_wq); ++ } + cached_dev_put(dc); + wait_for_kthread_stop(); + +-- +2.20.1 + diff --git a/queue-5.1/blk-iolatency-fix-sts_again-handling.patch b/queue-5.1/blk-iolatency-fix-sts_again-handling.patch new file mode 100644 index 00000000000..b3be9f15fae --- /dev/null +++ b/queue-5.1/blk-iolatency-fix-sts_again-handling.patch 
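Review bot: After `destroy_workqueue(dc->writeback_write_wq);` in `bch_writeback_thread()` the pointer is left dangling; adding `dc->writeback_write_wq = NULL;` inside the new block keeps later teardown code from seeing a stale workqueue pointer. With the destroy removed from `cached_dev_free()`, the workqueue is released only if the writeback thread actually runs to this point, so a start-up path that allocates the workqueue and then fails to create the thread (not visible in these hunks) would leak it and should be checked. Both functions continue outside the hunks.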
@@ -0,0 +1,123 @@
+From 1f6c63033f385dd5b36b3640d50015e19edaa1c7 Mon Sep 17 00:00:00 2001
+From: Dennis Zhou
+Date: Fri, 5 Jul 2019 17:09:09 -0400
+Subject: blk-iolatency: fix STS_AGAIN handling
+
+[ Upstream commit c9b3007feca018d3f7061f5d5a14cb00766ffe9b ]
+
+The iolatency controller is based on rq_qos. It increments on
+rq_qos_throttle() and decrements on either rq_qos_cleanup() or
+rq_qos_done_bio(). a3fb01ba5af0 fixes the double accounting issue where
+blk_mq_make_request() may call both rq_qos_cleanup() and
+rq_qos_done_bio() on REQ_NO_WAIT. So checking STS_AGAIN prevents the
+double decrement.
+
+The above works upstream as the only way we can get STS_AGAIN is from
+blk_mq_get_request() failing. The STS_AGAIN handling isn't a real
+problem as bio_endio() skipping only happens on reserved tag allocation
+failures which can only be caused by driver bugs and already triggers
+WARN.
+
+However, the fix creates a not so great dependency on how STS_AGAIN can
+be propagated. Internally, we (Facebook) carry a patch that kills read
+ahead if a cgroup is io congested or a fatal signal is pending. This
+combined with chained bios progagate their bi_status to the parent is
+not already set can can cause the parent bio to not clean up properly
+even though it was successful. This consequently leaks the inflight
+counter and can hang all IOs under that blkg.
+
+To nip the adverse interaction early, this removes the rq_qos_cleanup()
+callback in iolatency in favor of cleaning up always on the
+rq_qos_done_bio() path.
+
+Fixes: a3fb01ba5af0 ("blk-iolatency: only account submitted bios")
+Debugged-by: Tejun Heo
+Debugged-by: Josef Bacik
+Signed-off-by: Dennis Zhou
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-iolatency.c | 51 ++++++++++++-------------------------------
+ 1 file changed, 14 insertions(+), 37 deletions(-)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 58bac44ba78a..072e1edcf83d 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -599,10 +599,6 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+ if (!blkg || !bio_flagged(bio, BIO_TRACKED))
+ return;
+
+- /* We didn't actually submit this bio, don't account it. */
+- if (bio->bi_status == BLK_STS_AGAIN)
+- return;
+-
+ iolat = blkg_to_lat(bio->bi_blkg);
+ if (!iolat)
+ return;
+@@ -621,40 +617,22 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+
+ inflight = atomic_dec_return(&rqw->inflight);
+ WARN_ON_ONCE(inflight < 0);
+- if (iolat->min_lat_nsec == 0)
+- goto next;
+- iolatency_record_time(iolat, &bio->bi_issue, now,
+- issue_as_root);
+- window_start = atomic64_read(&iolat->window_start);
+- if (now > window_start &&
+- (now - window_start) >= iolat->cur_win_nsec) {
+- if (atomic64_cmpxchg(&iolat->window_start,
+- window_start, now) == window_start)
+- iolatency_check_latencies(iolat, now);
++ /*
++ * If bi_status is BLK_STS_AGAIN, the bio wasn't actually
++ * submitted, so do not account for it.
++ */
++ if (iolat->min_lat_nsec && bio->bi_status != BLK_STS_AGAIN) {
++ iolatency_record_time(iolat, &bio->bi_issue, now,
++ issue_as_root);
++ window_start = atomic64_read(&iolat->window_start);
++ if (now > window_start &&
++ (now - window_start) >= iolat->cur_win_nsec) {
++ if (atomic64_cmpxchg(&iolat->window_start,
++ window_start, now) == window_start)
++ iolatency_check_latencies(iolat, now);
++ }
+ }
+-next:
+- wake_up(&rqw->wait);
+- blkg = blkg->parent;
+- }
+-}
+-
+-static void blkcg_iolatency_cleanup(struct rq_qos *rqos, struct bio *bio)
+-{
+- struct blkcg_gq *blkg;
+-
+- blkg = bio->bi_blkg;
+- while (blkg && blkg->parent) {
+- struct rq_wait *rqw;
+- struct iolatency_grp *iolat;
+-
+- iolat = blkg_to_lat(blkg);
+- if (!iolat)
+- goto next;
+-
+- rqw = &iolat->rq_wait;
+- atomic_dec(&rqw->inflight);
+ wake_up(&rqw->wait);
+-next:
+ blkg = blkg->parent;
+ }
+ }
+@@ -670,7 +648,6 @@ static void blkcg_iolatency_exit(struct rq_qos *rqos)
+
+ static struct rq_qos_ops blkcg_iolatency_ops = {
+ .throttle = blkcg_iolatency_throttle,
+- .cleanup = blkcg_iolatency_cleanup,
+ .done_bio = blkcg_iolatency_done_bio,
+ .exit = blkcg_iolatency_exit,
+ };
+--
+2.20.1
+
diff --git a/queue-5.1/blk-iolatency-only-account-submitted-bios.patch b/queue-5.1/blk-iolatency-only-account-submitted-bios.patch
new file mode 100644
index 00000000000..adee1c1125c
--- /dev/null
+++ b/queue-5.1/blk-iolatency-only-account-submitted-bios.patch
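Review bot: This queued patch only applies on top of blk-iolatency-only-account-submitted-bios.patch, which is added later in this same commit: its first hunk removes the `BLK_STS_AGAIN` early return that the other patch introduces, and its `index 58bac44ba78a..` base is that patch's result. The queue's series file is not part of what is visible here, so it is worth confirming that it lists the two in that order. In the second hunk `inflight` is now decremented for every tracked bio, including `BLK_STS_AGAIN` ones, so the new block comment would be more accurate ending in `so do not record its latency` than in `so do not account for it`.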
@@ -0,0 +1,39 @@
+From 4a74e8512fd88db6a940239f03e930b297b5aa9b Mon Sep 17 00:00:00 2001
+From: Dennis Zhou
+Date: Thu, 23 May 2019 16:10:18 -0400
+Subject: blk-iolatency: only account submitted bios
+
+[ Upstream commit a3fb01ba5af066521f3f3421839e501bb2c71805 ]
+
+As is, iolatency recognizes done_bio and cleanup as ending paths. If a
+request is marked REQ_NOWAIT and fails to get a request, the bio is
+cleaned up via rq_qos_cleanup() and ended in bio_wouldblock_error().
+This results in underflowing the inflight counter. Fix this by only
+accounting bios that were actually submitted.
+
+Signed-off-by: Dennis Zhou
+Cc: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-iolatency.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 507212d75ee2..58bac44ba78a 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -599,6 +599,10 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+ if (!blkg || !bio_flagged(bio, BIO_TRACKED))
+ return;
+
++ /* We didn't actually submit this bio, don't account it. */
++ if (bio->bi_status == BLK_STS_AGAIN)
++ return;
++
+ iolat = blkg_to_lat(bio->bi_blkg);
+ if (!iolat)
+ return;
+--
+2.20.1
+
diff --git a/queue-5.1/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch b/queue-5.1/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
new file mode 100644
index 00000000000..5c49d25ccb8
--- /dev/null
+++ b/queue-5.1/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
@@ -0,0 +1,55 @@
+From 049ce64faa1770c577eb232e9178630672d41e2f Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Thu, 13 Jun 2019 15:30:41 -0700
+Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback
+ ownership arbitration
+
+[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ]
+
+wbc_account_io() collects information on cgroup ownership of writeback
+pages to determine which cgroup should own the inode. Pages can stay
+associated with dead memcgs but we want to avoid attributing IOs to
+dead blkcgs as much as possible as the association is likely to be
+stale. However, currently, pages associated with dead memcgs
+contribute to the accounting delaying and/or confusing the
+arbitration.
+
+Fix it by ignoring pages associated with dead memcgs.
+
+Signed-off-by: Tejun Heo
+Cc: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ fs/fs-writeback.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index b16645b417d9..bd9474e82f38 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -714,6 +714,7 @@ void wbc_detach_inode(struct writeback_control *wbc)
+ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ size_t bytes)
+ {
++ struct cgroup_subsys_state *css;
+ int id;
+
+ /*
+@@ -725,7 +726,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ if (!wbc->wb)
+ return;
+
+- id = mem_cgroup_css_from_page(page)->id;
++ css = mem_cgroup_css_from_page(page);
++ /* dead cgroups shouldn't contribute to inode ownership arbitration */
++ if (!(css->flags & CSS_ONLINE))
++ return;
++
++ id = css->id;
+
+ if (id == wbc->wb_id) {
+ wbc->wb_bytes += bytes;
+--
+2.20.1
+
diff --git a/queue-5.1/block-null_blk-fix-race-condition-for-null_del_dev.patch b/queue-5.1/block-null_blk-fix-race-condition-for-null_del_dev.patch
new file mode 100644
index 00000000000..9b7f3dd27e4
--- /dev/null
+++ b/queue-5.1/block-null_blk-fix-race-condition-for-null_del_dev.patch
@@ -0,0 +1,90 @@
+From 49bf72190ef32a573abc99862abd5d9f37fbd592 Mon Sep 17 00:00:00 2001
+From: Bob Liu
+Date: Sat, 15 Jun 2019 01:43:48 -0600
+Subject: block: null_blk: fix race condition for null_del_dev
+
+[ Upstream commit 7602843fd873cae43a444b83b14dfdd114a9659c ]
+
+Dulicate call of null_del_dev() will trigger null pointer error like below.
+The reason is a race condition between nullb_device_power_store() and
+nullb_group_drop_item().
+
+ CPU#0 CPU#1
+ ---------------- -----------------
+ do_rmdir()
+ >configfs_rmdir()
+ >client_drop_item()
+ >nullb_group_drop_item()
+ nullb_device_power_store()
+ >null_del_dev()
+
+ >test_and_clear_bit(NULLB_DEV_FL_UP
+ >null_del_dev()
+ ^^^^^
+ Duplicated null_dev_dev() triger null pointer error
+
+ >clear_bit(NULLB_DEV_FL_UP
+
+The fix could be keep the sequnce of clear NULLB_DEV_FL_UP and null_del_dev().
+
+[ 698.613600] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+[ 698.613608] #PF error: [normal kernel read fault]
+[ 698.613611] PGD 0 P4D 0
+[ 698.613619] Oops: 0000 [#1] SMP PTI
+[ 698.613627] CPU: 3 PID: 6382 Comm: rmdir Not tainted 5.0.0+ #35
+[ 698.613631] Hardware name: LENOVO 20LJS2EV08/20LJS2EV08, BIOS R0SET33W (1.17 ) 07/18/2018
+[ 698.613644] RIP: 0010:null_del_dev+0xc/0x110 [null_blk]
+[ 698.613649] Code: 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b eb 97 e8 47 bb 2a e8 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <8b> 77 18 48 89 fb 4c 8b 27 48 c7 c7 40 57 1e c1 e8 bf c7 cb e8 48
+[ 698.613654] RSP: 0018:ffffb887888bfde0 EFLAGS: 00010286
+[ 698.613659] RAX: 0000000000000000 RBX: ffff9d436d92bc00 RCX: ffff9d43a9184681
+[ 698.613663] RDX: ffffffffc11e5c30 RSI: 0000000068be6540 RDI: 0000000000000000
+[ 698.613667] RBP: ffffb887888bfdf0 R08: 0000000000000001 R09: 0000000000000000
+[ 698.613671] R10: ffffb887888bfdd8 R11: 0000000000000f16 R12: ffff9d436d92bc08
+[ 698.613675] R13: ffff9d436d94e630 R14: ffffffffc11e5088 R15: ffffffffc11e5000
+[ 698.613680] FS: 00007faa68be6540(0000) GS:ffff9d43d14c0000(0000) knlGS:0000000000000000
+[ 698.613685] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 698.613689] CR2: 0000000000000018 CR3: 000000042f70c002 CR4: 00000000003606e0
+[ 698.613693] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 698.613697] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 698.613700] Call Trace:
+[ 698.613712] nullb_group_drop_item+0x50/0x70 [null_blk]
+[ 698.613722] client_drop_item+0x29/0x40
+[ 698.613728] configfs_rmdir+0x1ed/0x300
+[ 698.613738] vfs_rmdir+0xb2/0x130
+[ 698.613743] do_rmdir+0x1c7/0x1e0
+[ 698.613750] __x64_sys_rmdir+0x17/0x20
+[ 698.613759] do_syscall_64+0x5a/0x110
+[ 698.613768] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Bob Liu
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/null_blk_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
+index d7ac09c092f2..21d0b651b335 100644
+--- a/drivers/block/null_blk_main.c
++++ b/drivers/block/null_blk_main.c
+@@ -326,11 +326,12 @@ static ssize_t nullb_device_power_store(struct config_item *item,
+ set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ dev->power = newp;
+ } else if (dev->power && !newp) {
+- mutex_lock(&lock);
+- dev->power = newp;
+- null_del_dev(dev->nullb);
+- mutex_unlock(&lock);
+- clear_bit(NULLB_DEV_FL_UP, &dev->flags);
++ if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
++ mutex_lock(&lock);
++ dev->power = newp;
++ null_del_dev(dev->nullb);
++ mutex_unlock(&lock);
++ }
+ clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-6lowpan-search-for-destination-address-in-.patch b/queue-5.1/bluetooth-6lowpan-search-for-destination-address-in-.patch
new file mode 100644
index 00000000000..48c97470f3d
--- /dev/null
+++ b/queue-5.1/bluetooth-6lowpan-search-for-destination-address-in-.patch
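Review bot: `test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)` now decides which path may call `null_del_dev()`, but nothing in the new block says so; a comment such as `/* whoever clears NULLB_DEV_FL_UP owns the teardown, so null_del_dev() runs once */` above the `if` would record why the order matters. When the bit was already clear, `dev->power = newp;` is skipped while `NULLB_DEV_FL_CONFIGURED` is still cleared, so `dev->power` can stay set for a device that is no longer up; it is worth confirming that this is intended. The bit is also cleared before `lock` is taken, which deserves a second look against the power-on branch, whose start is outside this hunk.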
@@ -0,0 +1,57 @@
+From 39cded5341cc4b70b95c7d372bfebbd248a455a4 Mon Sep 17 00:00:00 2001
+From: Josua Mayer
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen
+Tested-by: Michael Scott
+Signed-off-by: Josua Mayer
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index a7cd23f00bde..50530561da98 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -187,10 +187,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+ }
+
+ if (!rt) {
+- nexthop = &lowpan_cb(skb)->gw;
+-
+- if (ipv6_addr_any(nexthop))
+- return NULL;
++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++ /* There is neither route nor gateway,
++ * probably the destination is a direct peer.
++ */
++ nexthop = daddr;
++ } else {
++ /* There is a known gateway
++ */
++ nexthop = &lowpan_cb(skb)->gw;
++ }
+ } else {
+ nexthop = rt6_nexthop(rt, daddr);
+
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-add-new-13d3-3491-qca_rome-device.patch b/queue-5.1/bluetooth-add-new-13d3-3491-qca_rome-device.patch
new file mode 100644
index 00000000000..22ead943383
--- /dev/null
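Review bot: The new fallback `nexthop = daddr;` turns what used to be a `return NULL` into a peer search, so correctness now depends on the lookup that follows (outside this hunk) returning NULL when no peer owns `daddr`; otherwise a packet for an unknown address could be handed to the wrong peer. The comment's "probably" undersells that, and something like `/* No route and no gateway: try daddr itself; the peer search below must reject non-peers */` would state the contract. The two-line `/* There is a known gateway` comment fits on one line.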
+++ b/queue-5.1/bluetooth-add-new-13d3-3491-qca_rome-device.patch
@@ -0,0 +1,42 @@
+From 51b188df5a65aac73b674bd4ed07943e40a435af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?=
+Date: Thu, 23 May 2019 13:32:01 -0700
+Subject: Bluetooth: Add new 13d3:3491 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 44d34af2e4cfd0c5357182f8b43f3e0a1fe30a2e ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3491 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 7db48ae65cd2..0e2c86da6479 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -279,6 +279,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x3015), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
++ { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
+
+ /* Broadcom BCM2035 */
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-add-new-13d3-3501-qca_rome-device.patch b/queue-5.1/bluetooth-add-new-13d3-3501-qca_rome-device.patch
new file mode 100644
index 00000000000..61d017f6839
--- /dev/null
+++ b/queue-5.1/bluetooth-add-new-13d3-3501-qca_rome-device.patch
@@ -0,0 +1,42 @@
+From 09790f8308f9a798c3fa6225118d04bdc97f29b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?=
+Date: Thu, 23 May 2019 13:32:02 -0700
+Subject: Bluetooth: Add new 13d3:3501 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 881cec4f6b4da78e54b73c046a60f39315964c7d ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3501 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 0e2c86da6479..4c9f11766e82 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -281,6 +281,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
++ { USB_DEVICE(0x13d3, 0x3501), .driver_info = BTUSB_QCA_ROME },
+
+ /* Broadcom BCM2035 */
+ { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-check-state-in-l2cap_disconnect_rsp.patch b/queue-5.1/bluetooth-check-state-in-l2cap_disconnect_rsp.patch
new file mode 100644
index 00000000000..d0ad8f93480
--- /dev/null
+++ b/queue-5.1/bluetooth-check-state-in-l2cap_disconnect_rsp.patch
@@ -0,0 +1,220 @@
+From dd9962952426972667a522ffbc4e35b9a2f8b9cb Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: Bluetooth: Check state in l2cap_disconnect_rsp
+
+[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499
+ L2CAP: Disconnection Request (0x06) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548
+ L2CAP: Disconnection Response (0x07) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397
+ L2CAP: Connection Request (0x02) ident 27 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441
+ L2CAP: Connection Response (0x03) ident 27 len 8
+ Destination CID: 65
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449
+ L2CAP: Configure Request (0x04) ident 19 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143
+ L2CAP: Disconnection Request (0x06) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073
+ L2CAP: Connection Request (0x02) ident 12 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371
+ L2CAP: Disconnection Response (0x07) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196
+ L2CAP: Configure Request (0x04) ident 13 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804
+ L2CAP: Connection Response (0x03) ident 12 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen
+Reported-by: Ari Timonen
+Signed-off-by: Matias Karhumaa
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 5406d7cd46ad..771e3e17bb6a 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4394,6 +4394,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+
+ l2cap_chan_lock(chan);
+
++ if (chan->state != BT_DISCONN) {
++ l2cap_chan_unlock(chan);
++ mutex_unlock(&conn->chan_lock);
++ return 0;
++ }
++
+ l2cap_chan_hold(chan);
+ l2cap_chan_del(chan, 0);
+
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch b/queue-5.1/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
new file mode 100644
index 00000000000..7b86a6b1765
--- /dev/null
+++ b/queue-5.1/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
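Review bot: The added `chan->state != BT_DISCONN` branch drops a stale Disconnection Response silently and without saying why; a comment like `/* stale response: this CID may already belong to a new channel */` above the `if` would keep the reasoning from the commit message next to the code. The state test alone does not tie the response to the request that was sent, so a late response could still match a reused CID that happens to be disconnecting again; comparing the response's identifier with the one stored for the outstanding request would be stricter, if both are available at this point (the function's parameter list and the channel lookup are outside the hunk). Since this input comes from the remote device, a debug-level log on the ignored path would also help when diagnosing a misbehaving peer.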
@@ -0,0 +1,39 @@
+From 53a356988afed8e2e295862c5aa090c8113d7ae1 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+
+[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index 1a7f0c82fb36..66fe1e6dc631 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -759,6 +759,11 @@ static int bcsp_close(struct hci_uart *hu)
+ skb_queue_purge(&bcsp->rel);
+ skb_queue_purge(&bcsp->unrel);
+
++ if (bcsp->rx_skb) {
++ kfree_skb(bcsp->rx_skb);
++ bcsp->rx_skb = NULL;
++ }
++
+ kfree(bcsp);
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/queue-5.1/bluetooth-hidp-nul-terminate-a-string-in-the-compat-.patch b/queue-5.1/bluetooth-hidp-nul-terminate-a-string-in-the-compat-.patch
new file mode 100644
index 00000000000..a5d62c3bb1b
--- /dev/null
+++ b/queue-5.1/bluetooth-hidp-nul-terminate-a-string-in-the-compat-.patch
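Review bot: In the bcsp_close() hunk the `if (bcsp->rx_skb)` guard and the `bcsp->rx_skb = NULL;` store are both redundant as written, because kfree_skb() accepts a NULL pointer and `bcsp` itself is released by the `kfree(bcsp);` two lines further down. The five added lines reduce to `kfree_skb(bcsp->rx_skb);`. If the reset to NULL is meant to protect against a receive path that can still run during close, that deserves a one-line comment, since nothing in the hunk shows what quiesces the receive side before the free; bcsp_close() begins above the hunk.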
@@ -0,0 +1,52 @@
+From 072b68f0a2a876a9d61ff9c447f94c09258d5788 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 16 May 2019 21:24:00 +0300
+Subject: Bluetooth: hidp: NUL terminate a string in the compat ioctl
+
+[ Upstream commit dcae9052ebb0c5b2614de620323d615fcbfda7f8 ]
+
+This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
+buffer overflow") but for the compat ioctl. We take a string from the
+user and forgot to ensure that it's NUL terminated.
+
+I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
+The difference is the strncpy() doesn't necessarily NUL terminate the
+destination string. Either change would fix the problem but it's nice
+to take a belt and suspenders approach and do both.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ net/bluetooth/hidp/sock.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index a442e21f3894..5abd423b55fa 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_session *session,
+ hid->version = req->version;
+ hid->country = req->country;
+
+- strncpy(hid->name, req->name, sizeof(hid->name));
++ strscpy(hid->name, req->name, sizeof(hid->name));
+
+ snprintf(hid->phys, sizeof(hid->phys), "%pMR",
+ &l2cap_pi(session->ctrl_sock->sk)->chan->src);
+diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
+index 2151913892ce..03be6a4baef3 100644
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -192,6 +192,7 @@ static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigne
+ ca.version = ca32.version;
+ ca.flags = ca32.flags;
+ ca.idle_to = ca32.idle_to;
++ ca32.name[sizeof(ca32.name) - 1] = '\0';
+ memcpy(ca.name, ca32.name, 128);
+
+ csock = sockfd_lookup(ca.ctrl_sock, &err);
+--
+2.20.1
+
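Review bot: In hidp_sock_compat_ioctl() the terminator is placed at `sizeof(ca32.name) - 1`, but the copy on the next line still uses the literal `128`, so the fix only holds while both name arrays are exactly 128 bytes. The two struct definitions are outside the hunk; assuming they are meant to match, `BUILD_BUG_ON(sizeof(ca.name) != sizeof(ca32.name));` followed by `memcpy(ca.name, ca32.name, sizeof(ca.name));` keeps the bound and the terminator in step. In hidp_setup_hid() the return value of strscpy() is discarded, so a user-supplied name that gets truncated is accepted silently; if that matters, its negative return is the place to detect it.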
diff --git a/queue-5.1/bluetooth-validate-ble-connection-interval-updates.patch b/queue-5.1/bluetooth-validate-ble-connection-interval-updates.patch
new file mode 100644
index 00000000000..81a05ada60a
--- /dev/null
+++ b/queue-5.1/bluetooth-validate-ble-connection-interval-updates.patch
@@ -0,0 +1,92 @@ +From 5feed62d7f2803f39c1f676471017eed64b53bfa Mon Sep 17 00:00:00 2001 +From: csonsino +Date: Wed, 12 Jun 2019 15:00:52 -0600 +Subject: Bluetooth: validate BLE connection interval updates + +[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ] + +Problem: The Linux Bluetooth stack yields complete control over the BLE +connection interval to the remote device. + +The Linux Bluetooth stack provides access to the BLE connection interval +min and max values through /sys/kernel/debug/bluetooth/hci0/ +conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval. +These values are used for initial BLE connections, but the remote device +has the ability to request a connection parameter update. In the event +that the remote side requests to change the connection interval, the Linux +kernel currently only validates that the desired value is within the +acceptable range in the Bluetooth specification (6 - 3200, corresponding to +7.5ms - 4000ms). There is currently no validation that the desired value +requested by the remote device is within the min/max limits specified in +the conn_min_interval/conn_max_interval configurations. This essentially +leads to Linux yielding complete control over the connection interval to +the remote device. + +The proposed patch adds a verification step to the connection parameter +update mechanism, ensuring that the desired value is within the min/max +bounds of the current connection. If the desired value is outside of the +current connection min/max values, then the connection parameter update +request is rejected and the negative response is returned to the remote +device. Recall that the initial connection is established using the local +conn_min_interval/conn_max_interval values, so this allows the Linux +administrator to retain control over the BLE connection interval. 
+ +The one downside that I see is that the current default Linux values for +conn_min_interval and conn_max_interval typically correspond to 30ms and +50ms respectively. If this change were accepted, then it is feasible that +some devices would no longer be able to negotiate to their desired +connection interval values. This might be remedied by setting the default +Linux conn_min_interval and conn_max_interval values to the widest +supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same +behavior as the current implementation, where the remote device could +request to change the connection interval value to any value that is +permitted by the Bluetooth specification, and Linux would accept the +desired value. + +Signed-off-by: Carey Sonsino +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 5 +++++ + net/bluetooth/l2cap_core.c | 9 ++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 8b893baf9bbe..31eb0449479b 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5588,6 +5588,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + ++ if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) ++ return send_conn_param_neg_reply(hdev, handle, ++ HCI_ERROR_INVALID_LL_PARAMS); ++ + if (hci_check_conn_params(min, max, latency, timeout)) + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 771e3e17bb6a..32d2be9d6858 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5297,7 +5297,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, + + memset(&rsp, 0, sizeof(rsp)); + +- err = hci_check_conn_params(min, max, latency, to_multiplier); ++ 
if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) { ++ BT_DBG("requested connection interval exceeds current bounds."); ++ err = -EINVAL; ++ } else { ++ err = hci_check_conn_params(min, max, latency, to_multiplier); ++ } ++ + if (err) + rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); + else +-- +2.20.1 + diff --git a/queue-5.1/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch b/queue-5.1/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch new file mode 100644 index 00000000000..51dd585a450 --- /dev/null +++ b/queue-5.1/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch 
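Review bot: The new bound test in hci_le_remote_conn_param_req_evt() and l2cap_conn_param_update_req() trusts `hcon->le_conn_min_interval` and `hcon->le_conn_max_interval` to be populated for every connection that reaches these handlers. Nothing in either hunk shows where they are set, and if either is still zero, `max > hcon->le_conn_max_interval` rejects every update request from the peer, which would show up as devices failing to renegotiate. The same two-line comparison is also open-coded in both files, and only the L2CAP path logs the rejection (via `BT_DBG`). A small shared helper next to hci_check_conn_params() would keep the two paths consistent and give one place to handle the unset case. Both functions extend beyond their hunks.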
@@ -0,0 +1,153 @@ +From 1c7936b0981ae1612872fe73528128973c3ebafe Mon Sep 17 00:00:00 2001 +From: "Guilherme G. Piccoli" +Date: Thu, 27 Jun 2019 13:31:33 -0300 +Subject: bnx2x: Prevent ptp_task to be rescheduled indefinitely + +[ Upstream commit 3c91f25c2f72ba6001775a5932857c1d2131c531 ] + +Currently bnx2x ptp worker tries to read a register with timestamp +information in case of TX packet timestamping and in case it fails, +the routine reschedules itself indefinitely. This was reported as a +kworker always at 100% of CPU usage, which was narrowed down to be +bnx2x ptp_task. + +By following the ioctl handler, we could narrow down the problem to +an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with +RX filter zeroed; this isn't reproducible for example with ptp4l +(from linuxptp) since this tool requests a supported RX filter. +It seems NIC FW timestamp mechanism cannot work well with +RX_FILTER_NONE - driver's PTP filter init routine skips a register +write to the adapter if there's not a supported filter request. + +This patch addresses the problem of bnx2x ptp thread's everlasting +reschedule by retrying the register read 10 times; between the read +attempts the thread sleeps for an increasing amount of time starting +in 1ms to give FW some time to perform the timestamping. If it still +fails after all retries, we bail out in order to prevent an unbound +resource consumption from bnx2x. + +The patch also adds an ethtool statistic for accounting the skipped +TX timestamp packets and it reduces the priority of timestamping +error messages to prevent log flooding. The code was tested using +both linuxptp and chrony. + +Reported-and-tested-by: Przemyslaw Hausman +Suggested-by: Sudarsana Reddy Kalluru +Signed-off-by: Guilherme G. Piccoli +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 ++- + .../ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 4 ++- + .../net/ethernet/broadcom/bnx2x/bnx2x_main.c | 33 ++++++++++++++----- + .../net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 3 ++ + 4 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index ecb1bd7eb508..78a01880931c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -3858,9 +3858,12 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev) + + if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)) { + if (!(bp->flags & TX_TIMESTAMPING_EN)) { ++ bp->eth_stats.ptp_skip_tx_ts++; + BNX2X_ERR("Tx timestamping was not enabled, this packet will not be timestamped\n"); + } else if (bp->ptp_tx_skb) { +- BNX2X_ERR("The device supports only a single outstanding packet to timestamp, this packet will not be timestamped\n"); ++ bp->eth_stats.ptp_skip_tx_ts++; ++ netdev_err_once(bp->dev, ++ "Device supports only a single outstanding packet to timestamp, this packet won't be timestamped\n"); + } else { + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + /* schedule check for Tx timestamp */ +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +index 59f227fcc68b..0e1b884a5344 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -182,7 +182,9 @@ static const struct { + { STATS_OFFSET32(driver_filtered_tx_pkt), + 4, false, "driver_filtered_tx_pkt" }, + { STATS_OFFSET32(eee_tx_lpi), +- 4, true, "Tx LPI entry count"} ++ 4, true, "Tx LPI entry count"}, ++ { STATS_OFFSET32(ptp_skip_tx_ts), ++ 4, false, "ptp_skipped_tx_tstamp" }, + }; + + #define BNX2X_NUM_STATS ARRAY_SIZE(bnx2x_stats_arr) +diff --git 
a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 626b491f7674..7a075f1f1242 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -15243,11 +15243,24 @@ static void bnx2x_ptp_task(struct work_struct *work) + u32 val_seq; + u64 timestamp, ns; + struct skb_shared_hwtstamps shhwtstamps; ++ bool bail = true; ++ int i; ++ ++ /* FW may take a while to complete timestamping; try a bit and if it's ++ * still not complete, may indicate an error state - bail out then. ++ */ ++ for (i = 0; i < 10; i++) { ++ /* Read Tx timestamp registers */ ++ val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID : ++ NIG_REG_P0_TLLH_PTP_BUF_SEQID); ++ if (val_seq & 0x10000) { ++ bail = false; ++ break; ++ } ++ msleep(1 << i); ++ } + +- /* Read Tx timestamp registers */ +- val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID : +- NIG_REG_P0_TLLH_PTP_BUF_SEQID); +- if (val_seq & 0x10000) { ++ if (!bail) { + /* There is a valid timestamp value */ + timestamp = REG_RD(bp, port ? 
NIG_REG_P1_TLLH_PTP_BUF_TS_MSB : + NIG_REG_P0_TLLH_PTP_BUF_TS_MSB); +@@ -15262,16 +15275,18 @@ static void bnx2x_ptp_task(struct work_struct *work) + memset(&shhwtstamps, 0, sizeof(shhwtstamps)); + shhwtstamps.hwtstamp = ns_to_ktime(ns); + skb_tstamp_tx(bp->ptp_tx_skb, &shhwtstamps); +- dev_kfree_skb_any(bp->ptp_tx_skb); +- bp->ptp_tx_skb = NULL; + + DP(BNX2X_MSG_PTP, "Tx timestamp, timestamp cycles = %llu, ns = %llu\n", + timestamp, ns); + } else { +- DP(BNX2X_MSG_PTP, "There is no valid Tx timestamp yet\n"); +- /* Reschedule to keep checking for a valid timestamp value */ +- schedule_work(&bp->ptp_task); ++ DP(BNX2X_MSG_PTP, ++ "Tx timestamp is not recorded (register read=%u)\n", ++ val_seq); ++ bp->eth_stats.ptp_skip_tx_ts++; + } ++ ++ dev_kfree_skb_any(bp->ptp_tx_skb); ++ bp->ptp_tx_skb = NULL; + } + + void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb) +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h +index b2644ed13d06..d55e63692cf3 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h +@@ -207,6 +207,9 @@ struct bnx2x_eth_stats { + u32 driver_filtered_tx_pkt; + /* src: Clear-on-Read register; Will not survive PMF Migration */ + u32 eee_tx_lpi; ++ ++ /* PTP */ ++ u32 ptp_skip_tx_ts; + }; + + struct bnx2x_eth_q_stats { +-- +2.20.1 + diff --git a/queue-5.1/bnxt_en-disable-bus-master-during-pci-shutdown-and-d.patch b/queue-5.1/bnxt_en-disable-bus-master-during-pci-shutdown-and-d.patch new file mode 100644 index 00000000000..ed03f3efff6 --- /dev/null +++ b/queue-5.1/bnxt_en-disable-bus-master-during-pci-shutdown-and-d.patch 
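Review bot: The retry loop added to bnx2x_ptp_task() sleeps once more after the last failed read: on the tenth iteration `msleep(1 << i)` waits 512 ms and the loop then exits without reading the register again, so half of the roughly 1023 ms worst case is spent for nothing while the work item is held. Sleeping only when another attempt follows, e.g. `if (i < 9) msleep(1 << i);`, or re-reading once after the loop, avoids that. The retry count `10` and the valid bit `0x10000` would also read better as named constants, and the block comment above the loop should state the total bound. `bp->eth_stats.ptp_skip_tx_ts++` is now incremented from both bnx2x_start_xmit() and this worker with no serialization visible in the hunks, which is probably acceptable for a statistic but worth a comment.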
@@ -0,0 +1,50 @@
+From 8897789379d0c8a44e1521a6943f97ed4cfb5e8a Mon Sep 17 00:00:00 2001
+From: Michael Chan
+Date: Sat, 29 Jun 2019 11:16:44 -0400
+Subject: bnxt_en: Disable bus master during PCI shutdown and driver unload.
+
+[ Upstream commit c20dc142dd7b2884b8570eeab323bcd4a84294fa ]
+
+Some chips with older firmware can continue to perform DMA read from
+context memory even after the memory has been freed. In the PCI shutdown
+method, we need to call pci_disable_device() to shutdown DMA to prevent
+this DMA before we put the device into D3hot. DMA memory request in
+D3hot state will generate PCI fatal error. Similarly, in the driver
+remove method, the context memory should only be freed after DMA has
+been shutdown for correctness.
+
+Fixes: 98f04cf0f1fc ("bnxt_en: Check context memory requirements from firmware.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 30cafe4cdb6e..bf1fd513fa02 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10165,10 +10165,10 @@ static void bnxt_remove_one(struct pci_dev *pdev)
+ bnxt_dcb_free(bp);
+ kfree(bp->edev);
+ bp->edev = NULL;
++ bnxt_cleanup_pci(bp);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
+- bnxt_cleanup_pci(bp);
+ bnxt_free_port_stats(bp);
+ free_netdev(dev);
+ }
+@@ -10730,6 +10730,7 @@ static void bnxt_shutdown(struct pci_dev *pdev)
+
+ if (system_state == SYSTEM_POWER_OFF) {
+ bnxt_clear_int_mode(bp);
++ pci_disable_device(pdev);
+ pci_wake_from_d3(pdev, bp->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
+--
+2.20.1
+
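Review bot: In bnxt_shutdown() the new `pci_disable_device(pdev);` sits inside the `system_state == SYSTEM_POWER_OFF` branch, so a shutdown that arrives with any other system state (a reboot or kexec, for instance) leaves bus mastering enabled. The commit message describes the hazard as the device reading context memory after it has been freed. If that can happen on those paths as well, the call would have to move out of the conditional; whether it can is not visible here, because the function starts above the hunk. In bnxt_remove_one() the reordering is correct only because of its position, so a comment such as `/* stop DMA before the context memory is freed */` above `bnxt_cleanup_pci(bp);` would keep a later cleanup from undoing it.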
diff --git a/queue-5.1/bnxt_en-fix-statistics-context-reservation-logic-for.patch b/queue-5.1/bnxt_en-fix-statistics-context-reservation-logic-for.patch
new file mode 100644
index 00000000000..82ee5597005
--- /dev/null
+++ b/queue-5.1/bnxt_en-fix-statistics-context-reservation-logic-for.patch
@@ -0,0 +1,60 @@ +From 74b4684aef3e1692d4794cb995613dcdb350dc0f Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Sat, 29 Jun 2019 11:16:46 -0400 +Subject: bnxt_en: Fix statistics context reservation logic for RDMA driver. + +[ Upstream commit d77b1ad8e87dc5a6cd0d9158b097a4817946ca3b ] + +The current logic assumes that the RDMA driver uses one statistics +context adjacent to the ones used by the network driver. This +assumption is not true and the statistics context used by the +RDMA driver is tied to its MSIX base vector. This wrong assumption +can cause RDMA driver failure after changing ethtool rings on the +network side. Fix the statistics reservation logic accordingly. + +Fixes: 780baad44f0f ("bnxt_en: Reserve 1 stat_ctx for RDMA driver.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index bf1fd513fa02..09557bf49bb0 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5481,7 +5481,16 @@ static int bnxt_cp_rings_in_use(struct bnxt *bp) + + static int bnxt_get_func_stat_ctxs(struct bnxt *bp) + { +- return bp->cp_nr_rings + bnxt_get_ulp_stat_ctxs(bp); ++ int ulp_stat = bnxt_get_ulp_stat_ctxs(bp); ++ int cp = bp->cp_nr_rings; ++ ++ if (!ulp_stat) ++ return cp; ++ ++ if (bnxt_nq_rings_in_use(bp) > cp + bnxt_get_ulp_msix_num(bp)) ++ return bnxt_get_ulp_msix_base(bp) + ulp_stat; ++ ++ return cp + ulp_stat; + } + + static bool bnxt_need_reserve_rings(struct bnxt *bp) +@@ -7373,11 +7382,7 @@ unsigned int bnxt_get_avail_cp_rings_for_en(struct bnxt *bp) + + unsigned int bnxt_get_avail_stat_ctxs_for_en(struct bnxt *bp) + { +- unsigned int stat; +- +- stat = bnxt_get_max_func_stat_ctxs(bp) - bnxt_get_ulp_stat_ctxs(bp); +- stat -= bp->cp_nr_rings; +- 
return stat; ++ return bnxt_get_max_func_stat_ctxs(bp) - bnxt_get_func_stat_ctxs(bp); + } + + int bnxt_get_avail_msix(struct bnxt *bp, int num) +-- +2.20.1 + diff --git a/queue-5.1/bonding-validate-ip-header-before-check-ipproto_igmp.patch b/queue-5.1/bonding-validate-ip-header-before-check-ipproto_igmp.patch new file mode 100644 index 00000000000..796a2e28144 --- /dev/null +++ b/queue-5.1/bonding-validate-ip-header-before-check-ipproto_igmp.patch 
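Review bot: bnxt_get_avail_stat_ctxs_for_en() now returns `bnxt_get_max_func_stat_ctxs(bp) - bnxt_get_func_stat_ctxs(bp)` as an unsigned int, and the value subtracted can now be `bnxt_get_ulp_msix_base(bp) + ulp_stat` rather than the ring count. If that sum ever exceeds the maximum, the result wraps to a very large number of "available" contexts instead of zero. The helpers' return types and the invariant between them are outside the hunk, so this should either be confirmed or clamped, e.g. `return max > used ? max - used : 0;`. The three-way return in bnxt_get_func_stat_ctxs() would also benefit from a comment explaining why the ULP MSI-X base vector enters the count.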
@@ -0,0 +1,88 @@ +From aab8869ead1f917190e3a2492f6441362e3cea49 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Mon, 1 Jul 2019 20:40:24 -0700 +Subject: bonding: validate ip header before check IPPROTO_IGMP + +[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ] + +bond_xmit_roundrobin() checks for IGMP packets but it parses +the IP header even before checking skb->protocol. + +We should validate the IP header with pskb_may_pull() before +using iph->protocol. + +Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com +Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode") +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 37 ++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 59e919b92873..7b9a18e36a93 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3866,8 +3866,8 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb, + struct net_device *bond_dev) + { + struct bonding *bond = netdev_priv(bond_dev); +- struct iphdr *iph = ip_hdr(skb); + struct slave *slave; ++ int slave_cnt; + u32 slave_id; + + /* Start with the curr_active_slave that joined the bond as the +@@ -3876,23 +3876,32 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb, + * send the join/membership reports. The curr_active_slave found + * will send all of this type of traffic. 
+ */ +- if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) { +- slave = rcu_dereference(bond->curr_active_slave); +- if (slave) +- bond_dev_queue_xmit(bond, skb, slave->dev); +- else +- bond_xmit_slave_id(bond, skb, 0); +- } else { +- int slave_cnt = READ_ONCE(bond->slave_cnt); ++ if (skb->protocol == htons(ETH_P_IP)) { ++ int noff = skb_network_offset(skb); ++ struct iphdr *iph; + +- if (likely(slave_cnt)) { +- slave_id = bond_rr_gen_slave_id(bond); +- bond_xmit_slave_id(bond, skb, slave_id % slave_cnt); +- } else { +- bond_tx_drop(bond_dev, skb); ++ if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph)))) ++ goto non_igmp; ++ ++ iph = ip_hdr(skb); ++ if (iph->protocol == IPPROTO_IGMP) { ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) ++ bond_dev_queue_xmit(bond, skb, slave->dev); ++ else ++ bond_xmit_slave_id(bond, skb, 0); ++ return NETDEV_TX_OK; + } + } + ++non_igmp: ++ slave_cnt = READ_ONCE(bond->slave_cnt); ++ if (likely(slave_cnt)) { ++ slave_id = bond_rr_gen_slave_id(bond); ++ bond_xmit_slave_id(bond, skb, slave_id % slave_cnt); ++ } else { ++ bond_tx_drop(bond_dev, skb); ++ } + return NETDEV_TX_OK; + } + +-- +2.20.1 + diff --git a/queue-5.1/bpf-fix-bpf_alu32-bpf_arsh-on-be-arches.patch b/queue-5.1/bpf-fix-bpf_alu32-bpf_arsh-on-be-arches.patch new file mode 100644 index 00000000000..6b4c187ef92 --- /dev/null +++ b/queue-5.1/bpf-fix-bpf_alu32-bpf_arsh-on-be-arches.patch 
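Review bot: When `pskb_may_pull()` fails in bond_xmit_roundrobin() the packet is not dropped but continues through the `non_igmp` label and is transmitted round-robin, and nothing at the `goto` says that this is intended. A comment such as `/* IP header not available: not IGMP, use the normal round-robin path */` above the `goto non_igmp;` would make the choice explicit. The existing block comment about IGMP steering now sits above the `skb->protocol` test rather than the IGMP test and could be moved down to the `iph->protocol == IPPROTO_IGMP` branch. Taking `iph = ip_hdr(skb)` only after the pull is the right order, since the pull may reallocate the header.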
@@ -0,0 +1,56 @@
+From 00d03c89346e6fe89454d539da38032900a52c72 Mon Sep 17 00:00:00 2001
+From: Jiong Wang
+Date: Tue, 25 Jun 2019 17:41:50 +0100
+Subject: bpf: fix BPF_ALU32 | BPF_ARSH on BE arches
+
+[ Upstream commit 75672dda27bd00109a84cd975c17949ad9c45663 ]
+
+Yauheni reported the following code do not work correctly on BE arches:
+
+ ALU_ARSH_X:
+ DST = (u64) (u32) ((*(s32 *) &DST) >> SRC);
+ CONT;
+ ALU_ARSH_K:
+ DST = (u64) (u32) ((*(s32 *) &DST) >> IMM);
+ CONT;
+
+and are causing failure of test_verifier test 'arsh32 on imm 2' on BE
+arches.
+
+The code is taking address and interpreting memory directly, so is not
+endianness neutral. We should instead perform standard C type casting on
+the variable. A u64 to s32 conversion will drop the high 32-bit and reserve
+the low 32-bit as signed integer, this is all we want.
+
+Fixes: 2dc6b100f928 ("bpf: interpreter support BPF_ALU | BPF_ARSH")
+Reported-by: Yauheni Kaliuta
+Reviewed-by: Jakub Kicinski
+Reviewed-by: Quentin Monnet
+Signed-off-by: Jiong Wang
+Acked-by: Song Liu
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 06ba9c5f156b..932fd3fa5a5a 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1367,10 +1367,10 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+ insn++;
+ CONT;
+ ALU_ARSH_X:
+- DST = (u64) (u32) ((*(s32 *) &DST) >> SRC);
++ DST = (u64) (u32) (((s32) DST) >> SRC);
+ CONT;
+ ALU_ARSH_K:
+- DST = (u64) (u32) ((*(s32 *) &DST) >> IMM);
++ DST = (u64) (u32) (((s32) DST) >> IMM);
+ CONT;
+ ALU64_ARSH_X:
+ (*(s64 *) &DST) >>= SRC;
+--
+2.20.1
+
diff --git a/queue-5.1/bpf-fix-callees-pruning-callers.patch b/queue-5.1/bpf-fix-callees-pruning-callers.patch
new file mode 100644
index 00000000000..78ce4f1f866
--- /dev/null
+++ b/queue-5.1/bpf-fix-callees-pruning-callers.patch
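Review bot: The rewritten ALU_ARSH_X line still shifts by the raw `SRC` register value, and in C a shift count of 32 or more on a 32-bit operand is undefined behaviour. Whether the verifier bounds a register-supplied count is not visible in this hunk, so masking in the interpreter is the defensive form: `DST = (u64) (u32) (((s32) DST) >> (SRC & 31));`. The `(s32) DST` cast also relies on right shifts of negative values being arithmetic, which is implementation-defined, and a short comment stating that assumption would help the next reader. ___bpf_prog_run() extends well beyond the hunk.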
@@ -0,0 +1,62 @@ +From ab62d6899637b68408d9670110c1b3adaee92af7 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Sat, 15 Jun 2019 12:12:21 -0700 +Subject: bpf: fix callees pruning callers + +[ Upstream commit eea1c227b9e9bad295e8ef984004a9acf12bb68c ] + +The commit 7640ead93924 partially resolved the issue of callees +incorrectly pruning the callers. +With introduction of bounded loops and jmps_processed heuristic +single verifier state may contain multiple branches and calls. +It's possible that new verifier state (for future pruning) will be +allocated inside callee. Then callee will exit (still within the same +verifier state). It will go back to the caller and there R6-R9 registers +will be read and will trigger mark_reg_read. But the reg->live for all frames +but the top frame is not set to LIVE_NONE. Hence mark_reg_read will fail +to propagate liveness into parent and future walking will incorrectly +conclude that the states are equivalent because LIVE_READ is not set. +In other words the rule for parent/live should be: +whenever register parentage chain is set the reg->live should be set to LIVE_NONE. +is_state_visited logic already follows this rule for spilled registers. + +Fixes: 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences") +Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 4ff130ddfbf6..cbc03f051598 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6197,17 +6197,18 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) + * the state of the call instruction (with WRITTEN set), and r0 comes + * from callee with its full parentage chain, anyway. 
+ */ +- for (j = 0; j <= cur->curframe; j++) +- for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) +- cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i]; + /* clear write marks in current state: the writes we did are not writes + * our child did, so they don't screen off its reads from us. + * (There are no read marks in current state, because reads always mark + * their parent and current state never has children yet. Only + * explored_states can get read marks.) + */ +- for (i = 0; i < BPF_REG_FP; i++) +- cur->frame[cur->curframe]->regs[i].live = REG_LIVE_NONE; ++ for (j = 0; j <= cur->curframe; j++) { ++ for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) ++ cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i]; ++ for (i = 0; i < BPF_REG_FP; i++) ++ cur->frame[j]->regs[i].live = REG_LIVE_NONE; ++ } + + /* all stack frames are accessible from callee, clear them all */ + for (j = 0; j <= cur->curframe; j++) { +-- +2.20.1 + diff --git a/queue-5.1/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch b/queue-5.1/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch new file mode 100644 index 00000000000..15014a8234e --- /dev/null +++ b/queue-5.1/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch 
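Review bot: The comment that now precedes the merged loop in is_state_visited() still describes only "clear write marks in current state", while the loop it introduces also sets the parent pointers and clears `live` for every frame, not just the current one. The rule given in the commit message belongs in the code, for example `/* whenever a register's parentage chain is set, its live state must be reset to REG_LIVE_NONE, in every frame */`. The asymmetry between the two inner loops also deserves a line of explanation: parentage is linked from `BPF_REG_6` for frames below the current one, while `live` is cleared from register 0 in all frames. The function begins above the hunk.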
@@ -0,0 +1,58 @@
+From 761f8dc3f8d0f12695d4e9048719fbf52ae1df55 Mon Sep 17 00:00:00 2001
+From: Baruch Siach
+Date: Fri, 28 Jun 2019 07:08:45 +0300
+Subject: bpf: fix uapi bpf_prog_info fields alignment
+
+[ Upstream commit 0472301a28f6cf53a6bc5783e48a2d0bbff4682f ]
+
+Merge commit 1c8c5a9d38f60 ("Merge
+git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next") undid the
+fix from commit 36f9814a494 ("bpf: fix uapi hole for 32 bit compat
+applications") by taking the gpl_compatible 1-bit field definition from
+commit b85fab0e67b162 ("bpf: Add gpl_compatible flag to struct
+bpf_prog_info") as is. That breaks architectures with 16-bit alignment
+like m68k. Add 31-bit pad after gpl_compatible to restore alignment of
+following fields.
+
+Thanks to Dmitry V. Levin his analysis of this bug history.
+
+Signed-off-by: Baruch Siach
+Acked-by: Song Liu
+Cc: Jiri Olsa
+Cc: Daniel Borkmann
+Cc: Geert Uytterhoeven
+Cc: Linus Torvalds
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/bpf.h | 1 +
+ tools/include/uapi/linux/bpf.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 9d01f4788d3e..9ae3f28ca469 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -2871,6 +2871,7 @@ struct bpf_prog_info {
+ char name[BPF_OBJ_NAME_LEN];
+ __u32 ifindex;
+ __u32 gpl_compatible:1;
++ __u32 :31; /* alignment pad */
+ __u64 netns_dev;
+ __u64 netns_ino;
+ __u32 nr_jited_ksyms;
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index 929c8e537a14..f6ce794c0f36 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -2869,6 +2869,7 @@ struct bpf_prog_info {
+ char name[BPF_OBJ_NAME_LEN];
+ __u32 ifindex;
+ __u32 gpl_compatible:1;
++ __u32 :31; /* alignment pad */
+ __u64 netns_dev;
+ __u64 netns_ino;
+ __u32 nr_jited_ksyms;
+--
+2.20.1
+
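Review bot: The anonymous `__u32 :31;` pad added to struct bpf_prog_info cannot be assigned by name, so those 31 bits reach user space holding whatever the kernel's copy of the structure contained. The code that fills and copies the structure is outside this hunk; it should be confirmed that it zeroes the whole struct before copying it out, otherwise the pad becomes an uninitialized-memory disclosure. Extending the comment to `/* alignment pad, always zero */` would record that contract at the field. The identical line goes into both include/uapi/linux/bpf.h and tools/include/uapi/linux/bpf.h, and the two copies have to stay in step.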
diff --git a/queue-5.1/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch b/queue-5.1/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch
new file mode 100644
index 00000000000..007fad60af8
--- /dev/null
+++ b/queue-5.1/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch
@@ -0,0 +1,64 @@ +From e814520a343214a7bad7886a4e2fb4177dd5aed8 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:25:31 +0800 +Subject: bpf, libbpf, smatch: Fix potential NULL pointer dereference + +[ Upstream commit 33bae185f74d49a0d7b1bfaafb8e959efce0f243 ] + +Based on the following report from Smatch, fix the potential NULL +pointer dereference check: + + tools/lib/bpf/libbpf.c:3493 + bpf_prog_load_xattr() warn: variable dereferenced before check 'attr' + (see line 3483) + + 3479 int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr, + 3480 struct bpf_object **pobj, int *prog_fd) + 3481 { + 3482 struct bpf_object_open_attr open_attr = { + 3483 .file = attr->file, + 3484 .prog_type = attr->prog_type, + ^^^^^^ + 3485 }; + +At the head of function, it directly access 'attr' without checking +if it's NULL pointer. This patch moves the values assignment after +validating 'attr' and 'attr->file'. + +Signed-off-by: Leo Yan +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 11c25d9ea431..43dc8a8e9105 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -2897,10 +2897,7 @@ int bpf_prog_load(const char *file, enum bpf_prog_type type, + int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr, + struct bpf_object **pobj, int *prog_fd) + { +- struct bpf_object_open_attr open_attr = { +- .file = attr->file, +- .prog_type = attr->prog_type, +- }; ++ struct bpf_object_open_attr open_attr = {}; + struct bpf_program *prog, *first_prog = NULL; + enum bpf_attach_type expected_attach_type; + enum bpf_prog_type prog_type; +@@ -2913,6 +2910,9 @@ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr, + if (!attr->file) + return -EINVAL; + ++ open_attr.file = attr->file; ++ open_attr.prog_type = attr->prog_type; ++ + obj = 
bpf_object__open_xattr(&open_attr); + if (IS_ERR_OR_NULL(obj)) + return -ENOENT; +-- +2.20.1 + diff --git a/queue-5.1/bpf-silence-warning-messages-in-core.patch b/queue-5.1/bpf-silence-warning-messages-in-core.patch new file mode 100644 index 00000000000..977dc4cbd73 --- /dev/null +++ b/queue-5.1/bpf-silence-warning-messages-in-core.patch 
@@ -0,0 +1,56 @@ +From f9212a4421f93d02a8326c781ca05b76f8a20758 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= +Date: Thu, 6 Jun 2019 22:39:27 -0400 +Subject: bpf: silence warning messages in core + +[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ] + +Compiling kernel/bpf/core.c with W=1 causes a flood of warnings: + +kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init] + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ +kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]') + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ + +98 copies of the above. + +The attached patch silences the warnings, because we *know* we're overwriting +the default initializer. That leaves bpf/core.c with only 6 other warnings, +which become more visible in comparison. 
+ +Signed-off-by: Valdis Kletnieks +Acked-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile +index 4c2fa3ac56f6..29d781061cd5 100644 +--- a/kernel/bpf/Makefile ++++ b/kernel/bpf/Makefile +@@ -1,5 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-y := core.o ++CFLAGS_core.o += $(call cc-disable-warning, override-init) + + obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o + obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o +-- +2.20.1 + diff --git a/queue-5.1/clocksource-drivers-exynos_mct-increase-priority-ove.patch b/queue-5.1/clocksource-drivers-exynos_mct-increase-priority-ove.patch new file mode 100644 index 00000000000..2a3f52d4af3 --- /dev/null +++ b/queue-5.1/clocksource-drivers-exynos_mct-increase-priority-ove.patch 
@@ -0,0 +1,76 @@ +From 0517cac7fb661d1839bd42d30eb5ebaa3648fb75 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 30 May 2019 12:50:43 +0200 +Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer + +[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ] + +Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT +(Multi Core Timer) and standard ARM Architected Timers. + +There are use cases, where both timer interfaces are used simultanously. +One of such examples is using Exynos MCT for the main system timer and +ARM Architected Timers for the KVM and virtualized guests (KVM requires +arch timers). + +Exynos Multi-Core Timer driver (exynos_mct) must be however started +before ARM Architected Timers (arch_timer), because they both share some +common hardware blocks (global system counter) and turning on MCT is +needed to get ARM Architected Timer working properly. + +To ensure selecting Exynos MCT as the main system timer, increase MCT +timer rating. To ensure proper starting order of both timers during +suspend/resume cycle, increase MCT hotplug priority over ARM Archictected +Timers. 
+ +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Chanwoo Choi +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/exynos_mct.c | 4 ++-- + include/linux/cpuhotplug.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c +index 34bd250d46c6..6aa10cbc1d59 100644 +--- a/drivers/clocksource/exynos_mct.c ++++ b/drivers/clocksource/exynos_mct.c +@@ -209,7 +209,7 @@ static void exynos4_frc_resume(struct clocksource *cs) + + static struct clocksource mct_frc = { + .name = "mct-frc", +- .rating = 400, ++ .rating = 450, /* use value higher than ARM arch timer */ + .read = exynos4_frc_read, + .mask = CLOCKSOURCE_MASK(32), + .flags = CLOCK_SOURCE_IS_CONTINUOUS, +@@ -464,7 +464,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu) + evt->set_state_oneshot_stopped = set_state_shutdown; + evt->tick_resume = set_state_shutdown; + evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT; +- evt->rating = 450; ++ evt->rating = 500; /* use value higher than ARM arch timer */ + + exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET); + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index dec95654f3ae..04c4a478323b 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -116,10 +116,10 @@ enum cpuhp_state { + CPUHP_AP_PERF_ARM_ACPI_STARTING, + CPUHP_AP_PERF_ARM_STARTING, + CPUHP_AP_ARM_L2X0_STARTING, ++ CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_ARCH_TIMER_STARTING, + CPUHP_AP_ARM_GLOBAL_TIMER_STARTING, + CPUHP_AP_JCORE_TIMER_STARTING, +- CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_TWD_STARTING, + CPUHP_AP_QCOM_TIMER_STARTING, + CPUHP_AP_TEGRA_TIMER_STARTING, +-- +2.20.1 + 
diff --git a/queue-5.1/clocksource-drivers-tegra-release-all-irq-s-on-reque.patch b/queue-5.1/clocksource-drivers-tegra-release-all-irq-s-on-reque.patch new file mode 100644 index 00000000000..563db3788b4 --- /dev/null +++ b/queue-5.1/clocksource-drivers-tegra-release-all-irq-s-on-reque.patch @@ -0,0 +1,44 @@ +From c16b5e9c0a229fb31f18167c06e84ae9e0e8d00f Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Mon, 3 Jun 2019 21:59:43 +0300 +Subject: clocksource/drivers/tegra: Release all IRQ's on request_irq() error + +[ Upstream commit 7a3916706e858ad0bc3b5629c68168e1449de26a ] + +Release all requested IRQ's on the request error to properly clean up +allocated resources. + +Signed-off-by: Dmitry Osipenko +Acked-By: Peter De Schrijver +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-tegra20.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clocksource/timer-tegra20.c b/drivers/clocksource/timer-tegra20.c +index fdb3d795a409..cc18bb135a17 100644 +--- a/drivers/clocksource/timer-tegra20.c ++++ b/drivers/clocksource/timer-tegra20.c +@@ -310,7 +310,7 @@ static int __init tegra_init_timer(struct device_node *np) + pr_err("%s: can't map IRQ for CPU%d\n", + __func__, cpu); + ret = -EINVAL; +- goto out; ++ goto out_irq; + } + + irq_set_status_flags(cpu_to->clkevt.irq, IRQ_NOAUTOEN); +@@ -320,7 +320,8 @@ static int __init tegra_init_timer(struct device_node *np) + if (ret) { + pr_err("%s: cannot setup irq %d for CPU%d\n", + __func__, cpu_to->clkevt.irq, cpu); +- ret = -EINVAL; ++ irq_dispose_mapping(cpu_to->clkevt.irq); ++ cpu_to->clkevt.irq = 0; + goto out_irq; + } + } +-- +2.20.1 + diff --git a/queue-5.1/clocksource-drivers-tegra-restore-base-address-befor.patch b/queue-5.1/clocksource-drivers-tegra-restore-base-address-befor.patch new file mode 100644 index 00000000000..b67d1832141 --- /dev/null +++ b/queue-5.1/clocksource-drivers-tegra-restore-base-address-befor.patch 
@@ -0,0 +1,37 @@ +From 180d63b3258f556eeb2bcb042699cb3a02b48bde Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Tue, 18 Jun 2019 17:03:56 +0300 +Subject: clocksource/drivers/tegra: Restore base address before cleanup + +[ Upstream commit fc9babc2574691d3bbf0428f007b22261fed55c6 ] + +We're adjusting the timer's base for each per-CPU timer to point to the +actual start of the timer since device-tree defines a compound registers +range that includes all of the timers. In this case the original base +need to be restore before calling iounmap to unmap the proper address. + +Signed-off-by: Dmitry Osipenko +Acked-by: Jon Hunter +Acked-by: Thierry Reding +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-tegra20.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clocksource/timer-tegra20.c b/drivers/clocksource/timer-tegra20.c +index cc18bb135a17..84adfff59fb0 100644 +--- a/drivers/clocksource/timer-tegra20.c ++++ b/drivers/clocksource/timer-tegra20.c +@@ -341,6 +341,8 @@ static int __init tegra_init_timer(struct device_node *np) + irq_dispose_mapping(cpu_to->clkevt.irq); + } + } ++ ++ to->of_base.base = timer_reg_base; + out: + timer_of_cleanup(to); + return ret; +-- +2.20.1 + diff --git a/queue-5.1/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch b/queue-5.1/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch new file mode 100644 index 00000000000..51be870f8bc --- /dev/null +++ b/queue-5.1/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch 
@@ -0,0 +1,41 @@ +From 91c9ce69f1fac3ab81f978aeebddc17f672f1e02 Mon Sep 17 00:00:00 2001 +From: Abhishek Goel +Date: Wed, 29 May 2019 04:30:33 -0500 +Subject: cpupower : frequency-set -r option misses the last cpu in related cpu + list + +[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ] + +To set frequency on specific cpus using cpupower, following syntax can +be used : +cpupower -c #i frequency-set -f #f -r + +While setting frequency using cpupower frequency-set command, if we use +'-r' option, it is expected to set frequency for all cpus related to +cpu #i. But it is observed to be missing the last cpu in related cpu +list. This patch fixes the problem. + +Signed-off-by: Abhishek Goel +Reviewed-by: Thomas Renninger +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/cpufreq-set.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c +index 1eef0aed6423..08a405593a79 100644 +--- a/tools/power/cpupower/utils/cpufreq-set.c ++++ b/tools/power/cpupower/utils/cpufreq-set.c +@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv) + bitmask_setbit(cpus_chosen, cpus->cpu); + cpus = cpus->next; + } ++ /* Set the last cpu in related cpus list */ ++ bitmask_setbit(cpus_chosen, cpus->cpu); + cpufreq_put_related_cpus(cpus); + } + } +-- +2.20.1 + diff --git a/queue-5.1/crypto-asymmetric_keys-select-crypto_hash-where-need.patch b/queue-5.1/crypto-asymmetric_keys-select-crypto_hash-where-need.patch new file mode 100644 index 00000000000..7a7c4ab5c9b --- /dev/null +++ b/queue-5.1/crypto-asymmetric_keys-select-crypto_hash-where-need.patch 
@@ -0,0 +1,60 @@ +From 3acd0e42169a5b65c119bf6ae8051254d2aa3737 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 14:13:47 +0200 +Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed + +[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ] + +Build testing with some core crypto options disabled revealed +a few modules that are missing CRYPTO_HASH: + +crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params': +x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash' +x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest' +crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0': +pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash' +pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest' +pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update' +pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup' + +This normally doesn't show up in randconfig tests because there is +a large number of other options that select CRYPTO_HASH. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/asymmetric_keys/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index be70ca6c85d3..1f1f004dc757 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -15,6 +15,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select MPILIB + select CRYPTO_HASH_INFO + select CRYPTO_AKCIPHER ++ select CRYPTO_HASH + help + This option provides support for asymmetric public key type handling. 
+ If signature generation and/or verification are to be used, +@@ -65,6 +66,7 @@ config TPM_KEY_PARSER + config PKCS7_MESSAGE_PARSER + tristate "PKCS#7 message parser" + depends on X509_CERTIFICATE_PARSER ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +@@ -87,6 +89,7 @@ config SIGNED_PE_FILE_VERIFICATION + bool "Support for PE file signature verification" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +-- +2.20.1 + diff --git a/queue-5.1/crypto-caam-avoid-s-g-table-fetching-for-aead-zero-l.patch b/queue-5.1/crypto-caam-avoid-s-g-table-fetching-for-aead-zero-l.patch new file mode 100644 index 00000000000..4e39be3e93b --- /dev/null +++ b/queue-5.1/crypto-caam-avoid-s-g-table-fetching-for-aead-zero-l.patch 
@@ -0,0 +1,137 @@ +From 881bf5c7178a9b7420bb6507d2bd8d171444084d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Fri, 3 May 2019 17:17:37 +0300 +Subject: crypto: caam - avoid S/G table fetching for AEAD zero-length output +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit dcd9c76e5a183af4f793beb5141efcd260b8d09f ] + +When enabling IOMMU support, the following issue becomes visible +in the AEAD zero-length case. + +Even though the output sequence length is set to zero, the crypto engine +tries to prefetch 4 S/G table entries (since SGF bit is set +in SEQ OUT PTR command - which is either generated in SW in case of +caam/jr or in HW in case of caam/qi, caam/qi2). +The DMA read operation will trigger an IOMMU fault since the address in +the SEQ OUT PTR is "dummy" (set to zero / not obtained via DMA API +mapping). + +1. In case of caam/jr, avoid the IOMMU fault by clearing the SGF bit +in SEQ OUT PTR command. + +2. In case of caam/qi - setting address, bpid, length to zero for output +entry in the compound frame has a special meaning (cf. CAAM RM): +"Output frame = Unspecified, Input address = Y. A unspecified frame is +indicated by an unused SGT entry (an entry in which the Address, Length, +and BPID fields are all zero). SEC obtains output buffers from BMan as +prescribed by the preheader." + +Since no output buffers are needed, modify the preheader by setting +(ABS = 1, ADDBUF = 0): +-"ABS = 1 means obtain the number of buffers in ADDBUF (0 or 1) from +the pool POOL ID" +-ADDBUF: "If ABS is set, ADD BUF specifies whether to allocate +a buffer or not" + +3. In case of caam/qi2, since engine: +-does not support FLE[FMT]=2'b11 ("unused" entry) mentioned in DPAA2 RM +-requires output entry to be present, even if not used +the solution chosen is to leave output frame list entry zeroized. 
+ +Fixes: 763069ba49d3 ("crypto: caam - handle zero-length AEAD output") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caamalg.c | 1 + + drivers/crypto/caam/caamalg_qi.c | 2 +- + drivers/crypto/caam/caamalg_qi2.c | 9 +++++++++ + drivers/crypto/caam/qi.c | 3 +++ + 4 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c +index 579578498deb..00e72847ed9e 100644 +--- a/drivers/crypto/caam/caamalg.c ++++ b/drivers/crypto/caam/caamalg.c +@@ -1072,6 +1072,7 @@ static void init_aead_job(struct aead_request *req, + if (unlikely(req->src != req->dst)) { + if (!edesc->mapped_dst_nents) { + dst_dma = 0; ++ out_options = 0; + } else if (edesc->mapped_dst_nents == 1) { + dst_dma = sg_dma_address(req->dst); + out_options = 0; +diff --git a/drivers/crypto/caam/caamalg_qi.c b/drivers/crypto/caam/caamalg_qi.c +index c61921d32489..96d1a9647b01 100644 +--- a/drivers/crypto/caam/caamalg_qi.c ++++ b/drivers/crypto/caam/caamalg_qi.c +@@ -1068,7 +1068,7 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req, + dma_to_qm_sg_one_ext(&fd_sgt[0], qm_sg_dma + + (1 + !!ivsize) * sizeof(*sg_table), + out_len, 0); +- } else if (mapped_dst_nents == 1) { ++ } else if (mapped_dst_nents <= 1) { + dma_to_qm_sg_one(&fd_sgt[0], sg_dma_address(req->dst), out_len, + 0); + } else { +diff --git a/drivers/crypto/caam/caamalg_qi2.c b/drivers/crypto/caam/caamalg_qi2.c +index 0a72c96708c4..faf238db153c 100644 +--- a/drivers/crypto/caam/caamalg_qi2.c ++++ b/drivers/crypto/caam/caamalg_qi2.c +@@ -525,6 +525,14 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req, + dpaa2_fl_set_addr(out_fle, qm_sg_dma + + (1 + !!ivsize) * sizeof(*sg_table)); + } ++ } else if (!mapped_dst_nents) { ++ /* ++ * crypto engine requires the output entry to be present when ++ * "frame list" FD is used. 
++ * Since engine does not support FMT=2'b11 (unused entry type), ++ * leaving out_fle zeroized is the best option. ++ */ ++ goto skip_out_fle; + } else if (mapped_dst_nents == 1) { + dpaa2_fl_set_format(out_fle, dpaa2_fl_single); + dpaa2_fl_set_addr(out_fle, sg_dma_address(req->dst)); +@@ -536,6 +544,7 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req, + + dpaa2_fl_set_len(out_fle, out_len); + ++skip_out_fle: + return edesc; + } + +diff --git a/drivers/crypto/caam/qi.c b/drivers/crypto/caam/qi.c +index 7cb8b1755e57..976aa9b3b264 100644 +--- a/drivers/crypto/caam/qi.c ++++ b/drivers/crypto/caam/qi.c +@@ -18,6 +18,7 @@ + #include "desc_constr.h" + + #define PREHDR_RSLS_SHIFT 31 ++#define PREHDR_ABS BIT(25) + + /* + * Use a reasonable backlog of frames (per CPU) as congestion threshold, +@@ -346,6 +347,7 @@ int caam_drv_ctx_update(struct caam_drv_ctx *drv_ctx, u32 *sh_desc) + */ + drv_ctx->prehdr[0] = cpu_to_caam32((1 << PREHDR_RSLS_SHIFT) | + num_words); ++ drv_ctx->prehdr[1] = cpu_to_caam32(PREHDR_ABS); + memcpy(drv_ctx->sh_desc, sh_desc, desc_bytes(sh_desc)); + dma_sync_single_for_device(qidev, drv_ctx->context_a, + sizeof(drv_ctx->sh_desc) + +@@ -401,6 +403,7 @@ struct caam_drv_ctx *caam_drv_ctx_init(struct device *qidev, + */ + drv_ctx->prehdr[0] = cpu_to_caam32((1 << PREHDR_RSLS_SHIFT) | + num_words); ++ drv_ctx->prehdr[1] = cpu_to_caam32(PREHDR_ABS); + memcpy(drv_ctx->sh_desc, sh_desc, desc_bytes(sh_desc)); + size = sizeof(drv_ctx->prehdr) + sizeof(drv_ctx->sh_desc); + hwdesc = dma_map_single(qidev, drv_ctx->prehdr, size, +-- +2.20.1 + diff --git a/queue-5.1/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch b/queue-5.1/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch new file mode 100644 index 00000000000..3da4193c70e --- /dev/null +++ b/queue-5.1/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch 
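Review bot: The caamalg_qi.c hunk folds the zero-length case into `else if (mapped_dst_nents <= 1)` without a comment, and that branch still passes `sg_dma_address(req->dst)` as the output address. The commit message says the output entry counts as unspecified only when address, length and BPID are all zero, so it is worth confirming the address really is zero when nothing was mapped, or passing 0 explicitly for `!mapped_dst_nents`. A one-line comment such as `/* 0 nents: zero-length output, entry must stay unused */` would match the explanation the caamalg_qi2.c hunk already carries. The bare `out_options = 0;` in caamalg.c also deserves a comment, since its reason (per the commit message, clearing SGF so the engine does not prefetch an S/G table from the dummy address) is stated nowhere in the code. All three functions extend beyond their hunks.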
@@ -0,0 +1,130 @@ +From 3225c12996c18160b72d41911ffe66201f3e676a Mon Sep 17 00:00:00 2001 +From: Antoine Tenart +Date: Mon, 27 May 2019 16:51:06 +0200 +Subject: crypto: inside-secure - do not rely on the hardware last bit for + result descriptors + +[ Upstream commit 89332590427235680236b9470e851afc49b3caa1 ] + +When performing a transformation the hardware is given result +descriptors to save the result data. Those result descriptors are +batched using a 'first' and a 'last' bit. There are cases were more +descriptors than needed are given to the engine, leading to the engine +only using some of them, and not setting the last bit on the last +descriptor we gave. This causes issues were the driver and the hardware +aren't in sync anymore about the number of result descriptors given (as +the driver do not give a pool of descriptor to use for any +transformation, but a pool of descriptors to use *per* transformation). + +This patch fixes it by attaching the number of given result descriptors +to the requests, and by using this number instead of the 'last' bit +found on the descriptors to process them. 
+ +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/inside-secure/safexcel_cipher.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c +index 7ef30a98cb24..23fb85f4b3cc 100644 +--- a/drivers/crypto/inside-secure/safexcel_cipher.c ++++ b/drivers/crypto/inside-secure/safexcel_cipher.c +@@ -51,6 +51,8 @@ struct safexcel_cipher_ctx { + + struct safexcel_cipher_req { + enum safexcel_cipher_direction direction; ++ /* Number of result descriptors associated to the request */ ++ unsigned int rdescs; + bool needs_inv; + }; + +@@ -333,7 +335,10 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin + + *ret = 0; + +- do { ++ if (unlikely(!sreq->rdescs)) ++ return 0; ++ ++ while (sreq->rdescs--) { + rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr); + if (IS_ERR(rdesc)) { + dev_err(priv->dev, +@@ -346,7 +351,7 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin + *ret = safexcel_rdesc_check_errors(priv, rdesc); + + ndesc++; +- } while (!rdesc->last_seg); ++ } + + safexcel_complete(priv, ring); + +@@ -501,6 +506,7 @@ static int safexcel_send_req(struct crypto_async_request *base, int ring, + static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv, + int ring, + struct crypto_async_request *base, ++ struct safexcel_cipher_req *sreq, + bool *should_complete, int *ret) + { + struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(base->tfm); +@@ -509,7 +515,10 @@ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv, + + *ret = 0; + +- do { ++ if (unlikely(!sreq->rdescs)) ++ return 0; ++ ++ while (sreq->rdescs--) { + rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr); + if (IS_ERR(rdesc)) { + dev_err(priv->dev, +@@ -522,7 +531,7 @@ static int safexcel_handle_inv_result(struct 
safexcel_crypto_priv *priv, + *ret = safexcel_rdesc_check_errors(priv, rdesc); + + ndesc++; +- } while (!rdesc->last_seg); ++ } + + safexcel_complete(priv, ring); + +@@ -564,7 +573,7 @@ static int safexcel_skcipher_handle_result(struct safexcel_crypto_priv *priv, + + if (sreq->needs_inv) { + sreq->needs_inv = false; +- err = safexcel_handle_inv_result(priv, ring, async, ++ err = safexcel_handle_inv_result(priv, ring, async, sreq, + should_complete, ret); + } else { + err = safexcel_handle_req_result(priv, ring, async, req->src, +@@ -587,7 +596,7 @@ static int safexcel_aead_handle_result(struct safexcel_crypto_priv *priv, + + if (sreq->needs_inv) { + sreq->needs_inv = false; +- err = safexcel_handle_inv_result(priv, ring, async, ++ err = safexcel_handle_inv_result(priv, ring, async, sreq, + should_complete, ret); + } else { + err = safexcel_handle_req_result(priv, ring, async, req->src, +@@ -633,6 +642,8 @@ static int safexcel_skcipher_send(struct crypto_async_request *async, int ring, + ret = safexcel_send_req(async, ring, sreq, req->src, + req->dst, req->cryptlen, 0, 0, req->iv, + commands, results); ++ ++ sreq->rdescs = *results; + return ret; + } + +@@ -655,6 +666,7 @@ static int safexcel_aead_send(struct crypto_async_request *async, int ring, + req->cryptlen, req->assoclen, + crypto_aead_authsize(tfm), req->iv, + commands, results); ++ sreq->rdescs = *results; + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.1/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch b/queue-5.1/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch new file mode 100644 index 00000000000..fb09eba8a29 --- /dev/null +++ b/queue-5.1/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch 
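Review bot: `while (sreq->rdescs--)` post-decrements an `unsigned int`, so when the loop in safexcel_handle_req_result() or safexcel_handle_inv_result() runs to completion the field is left at UINT_MAX rather than 0. If either handler were entered again for the same request before a send path reassigns `sreq->rdescs = *results`, the `!sreq->rdescs` guard would not trigger and the loop would keep consuming result descriptors until safexcel_ring_next_rptr() fails; whether that can happen is not visible here. Iterating over a local copy, e.g. `unsigned int n = sreq->rdescs; sreq->rdescs = 0; while (n--)`, keeps the stored count meaningful. The send helpers also assign `sreq->rdescs = *results` without looking at `ret`, so it is worth confirming that `*results` is valid on the error return. Both handler bodies extend beyond the hunks.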
@@ -0,0 +1,47 @@ +From 6f31ddedb270d7460a5d176f4a4e8b9bfbc9964e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 13:19:42 +0200 +Subject: crypto: serpent - mark __serpent_setkey_sbox noinline + +[ Upstream commit 473971187d6727609951858c63bf12b0307ef015 ] + +The same bug that gcc hit in the past is apparently now showing +up with clang, which decides to inline __serpent_setkey_sbox: + +crypto/serpent_generic.c:268:5: error: stack frame size of 2112 bytes in function '__serpent_setkey' [-Werror,-Wframe-larger-than=] + +Marking it 'noinline' reduces the stack usage from 2112 bytes to +192 and 96 bytes, respectively, and seems to generate more +useful object code. + +Fixes: c871c10e4ea7 ("crypto: serpent - improve __serpent_setkey with UBSAN") +Signed-off-by: Arnd Bergmann +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/serpent_generic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/crypto/serpent_generic.c b/crypto/serpent_generic.c +index 7c3382facc82..600bd288881d 100644 +--- a/crypto/serpent_generic.c ++++ b/crypto/serpent_generic.c +@@ -229,7 +229,13 @@ + x4 ^= x2; \ + }) + +-static void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, u32 r3, u32 r4, u32 *k) ++/* ++ * both gcc and clang have misoptimized this function in the past, ++ * producing horrible object code from spilling temporary variables ++ * on the stack. Forcing this part out of line avoids that. ++ */ ++static noinline void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, ++ u32 r3, u32 r4, u32 *k) + { + k += 100; + S3(r3, r4, r0, r1, r2); store_and_load_keys(r1, r2, r4, r3, 28, 24); +-- +2.20.1 + diff --git a/queue-5.1/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch b/queue-5.1/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch new file mode 100644 index 00000000000..23379ec1757 --- /dev/null +++ b/queue-5.1/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch 
@@ -0,0 +1,42 @@ +From 53dbd7028dee8c50f63f0ca0e96b82f47888a4a6 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:18 +0000 +Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries. + +[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ] + +The MPC885 reference manual states: + +SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but +reads can occur on any byte boundary. Writing back a header read from a +non-32-bit-word boundary will yield unpredictable results. + +In order to ensure that, cra_alignmask is set to 3 for SEC1. + +Signed-off-by: Christophe Leroy +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 657cf739ee40..82d3625667cd 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -3192,7 +3192,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev, + alg->cra_priority = t_alg->algt.priority; + else + alg->cra_priority = TALITOS_CRA_PRIORITY; +- alg->cra_alignmask = 0; ++ if (has_ftr_sec1(priv)) ++ alg->cra_alignmask = 3; ++ else ++ alg->cra_alignmask = 0; + alg->cra_ctxsize = sizeof(struct talitos_ctx); + alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY; + +-- +2.20.1 + diff --git a/queue-5.1/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/queue-5.1/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch new file mode 100644 index 00000000000..fb571f70901 --- /dev/null +++ b/queue-5.1/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch 
@@ -0,0 +1,55 @@ +From 40c83bd48fb7e3e1b2df25faeef35b506eb6894f Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 15 May 2019 12:29:03 +0000 +Subject: crypto: talitos - fix skcipher failure due to wrong output IV +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ] + +Selftests report the following: + +[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41 +[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.043185] 00000000: fe dc ba 98 76 54 32 10 +[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42 + +This above dumps show that the actual output IV is indeed the input IV. +This is due to the IV not being copied back into the request. + +This patch fixes that. + +Signed-off-by: Christophe Leroy +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index becc654e0cd3..6ef41114e0fc 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1553,11 +1553,15 @@ static void ablkcipher_done(struct device *dev, + int err) + { + struct ablkcipher_request *areq = context; ++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); ++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); ++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher); + struct talitos_edesc *edesc; + + edesc = container_of(desc, struct talitos_edesc, desc); + + common_nonsnoop_unmap(dev, edesc, areq); ++ memcpy(areq->info, ctx->iv, ivsize); + + kfree(edesc); + +-- +2.20.1 + 
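Review bot: The added `memcpy(areq->info, ctx->iv, ivsize)` in ablkcipher_done() reads the IV from `ctx`, which comes from `crypto_ablkcipher_ctx(cipher)` and is therefore per-transform rather than per-request. If two requests on the same transform can be in flight at once, the value copied back may belong to the other request; that depends on how `ctx->iv` is filled, which is outside this hunk. A comment stating the assumption, or an IV buffer held per request, would make this easier to reason about. The copy also runs when `err` is non-zero, so guarding it with `if (!err)` would avoid handing back an unrelated IV on failure. The function's signature starts above the hunk.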
diff --git a/queue-5.1/crypto-talitos-properly-handle-split-icv.patch b/queue-5.1/crypto-talitos-properly-handle-split-icv.patch new file mode 100644 index 00000000000..19b5a224843 --- /dev/null +++ b/queue-5.1/crypto-talitos-properly-handle-split-icv.patch 
@@ -0,0 +1,97 @@ +From bcef6812ec934508289d5a5b767588e2eb3f0756 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:17 +0000 +Subject: crypto: talitos - properly handle split ICV. + +[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ] + +The driver assumes that the ICV is as a single piece in the last +element of the scatterlist. This assumption is wrong. + +This patch ensures that the ICV is properly handled regardless of +the scatterlist layout. + +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Christophe Leroy +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 6ef41114e0fc..657cf739ee40 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1001,7 +1001,6 @@ static void ipsec_esp_encrypt_done(struct device *dev, + unsigned int authsize = crypto_aead_authsize(authenc); + unsigned int ivsize = crypto_aead_ivsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + edesc = container_of(desc, struct talitos_edesc, desc); +@@ -1015,9 +1014,8 @@ static void ipsec_esp_encrypt_done(struct device *dev, + else + icvdata = &edesc->link_tbl[edesc->src_nents + + edesc->dst_nents + 2]; +- sg = sg_last(areq->dst, edesc->dst_nents); +- memcpy((char *)sg_virt(sg) + sg->length - authsize, +- icvdata, authsize); ++ sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? 
: 1, icvdata, ++ authsize, areq->assoclen + areq->cryptlen); + } + + dma_unmap_single(dev, edesc->iv_dma, ivsize, DMA_TO_DEVICE); +@@ -1035,7 +1033,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + struct crypto_aead *authenc = crypto_aead_reqtfm(req); + unsigned int authsize = crypto_aead_authsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + char *oicv, *icv; + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); +@@ -1045,9 +1042,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + ipsec_esp_unmap(dev, edesc, req); + + if (!err) { ++ char icvdata[SHA512_DIGEST_SIZE]; ++ int nents = edesc->dst_nents ? : 1; ++ unsigned int len = req->assoclen + req->cryptlen; ++ + /* auth check */ +- sg = sg_last(req->dst, edesc->dst_nents ? : 1); +- icv = (char *)sg_virt(sg) + sg->length - authsize; ++ if (nents > 1) { ++ sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize, ++ len - authsize); ++ icv = icvdata; ++ } else { ++ icv = (char *)sg_virt(req->dst) + len - authsize; ++ } + + if (edesc->dma_len) { + if (is_sec1) +@@ -1463,7 +1469,6 @@ static int aead_decrypt(struct aead_request *req) + struct talitos_ctx *ctx = crypto_aead_ctx(authenc); + struct talitos_private *priv = dev_get_drvdata(ctx->dev); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + req->cryptlen -= authsize; +@@ -1497,9 +1502,8 @@ static int aead_decrypt(struct aead_request *req) + else + icvdata = &edesc->link_tbl[0]; + +- sg = sg_last(req->src, edesc->src_nents ? : 1); +- +- memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize); ++ sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, ++ req->assoclen + req->cryptlen - authsize); + + return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done); + } +-- +2.20.1 + 
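Review bot: In aead_decrypt() the context line `req->cryptlen -= authsize;` is still present, yet the new `sg_pcopy_to_buffer()` reads the incoming ICV at `req->assoclen + req->cryptlen - authsize`. If cryptlen is still reduced at that point, the ICV sits at `req->assoclen + req->cryptlen` (the offset ipsec_esp_encrypt_done() writes to), and the new code would stash the last `authsize` bytes of ciphertext instead; the lines between the two aead_decrypt hunks are not visible, so this needs checking against the 5.1 tree. ipsec_esp_decrypt_swauth_done() has the same shape with `len - authsize`. Because these bytes feed the software ICV comparison, a wrong offset breaks the authentication check, so this backport may need either the upstream change that stops adjusting `req->cryptlen` or offsets without the `- authsize`. Separately, `char icvdata[SHA512_DIGEST_SIZE]` is filled with `authsize` bytes and nothing in the hunk bounds `authsize` by the buffer size.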
diff --git a/queue-5.1/crypto-testmgr-add-some-more-preemption-points.patch b/queue-5.1/crypto-testmgr-add-some-more-preemption-points.patch new file mode 100644 index 00000000000..ef46e124f0e --- /dev/null +++ b/queue-5.1/crypto-testmgr-add-some-more-preemption-points.patch 
@@ -0,0 +1,76 @@ +From c4d6a54a91f58fcad59701bccab9a1e15a1f001d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 2 Jun 2019 22:42:33 -0700 +Subject: crypto: testmgr - add some more preemption points + +[ Upstream commit e63e1b0dd0003dc31f73d875907432be3a2abe5d ] + +Call cond_resched() after each fuzz test iteration. This avoids stall +warnings if fuzz_iterations is set very high for testing purposes. + +While we're at it, also call cond_resched() after finishing testing each +test vector. + +Signed-off-by: Eric Biggers +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/testmgr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/testmgr.c b/crypto/testmgr.c +index 8386038d67c7..51540dbee23b 100644 +--- a/crypto/testmgr.c ++++ b/crypto/testmgr.c +@@ -1050,6 +1050,7 @@ static int test_hash_vec(const char *driver, const struct hash_testvec *vec, + req, tsgl, hashstate); + if (err) + return err; ++ cond_resched(); + } + } + #endif +@@ -1105,6 +1106,7 @@ static int __alg_test_hash(const struct hash_testvec *vecs, + err = test_hash_vec(driver, &vecs[i], i, req, tsgl, hashstate); + if (err) + goto out; ++ cond_resched(); + } + err = 0; + out: +@@ -1346,6 +1348,7 @@ static int test_aead_vec(const char *driver, int enc, + &cfg, req, tsgls); + if (err) + return err; ++ cond_resched(); + } + } + #endif +@@ -1365,6 +1368,7 @@ static int test_aead(const char *driver, int enc, + tsgls); + if (err) + return err; ++ cond_resched(); + } + return 0; + } +@@ -1679,6 +1683,7 @@ static int test_skcipher_vec(const char *driver, int enc, + &cfg, req, tsgls); + if (err) + return err; ++ cond_resched(); + } + } + #endif +@@ -1698,6 +1703,7 @@ static int test_skcipher(const char *driver, int enc, + tsgls); + if (err) + return err; ++ cond_resched(); + } + return 0; + } +-- +2.20.1 + 
diff --git a/queue-5.1/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch b/queue-5.1/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch new file mode 100644 index 00000000000..2c3eb30ebd6 --- /dev/null +++ b/queue-5.1/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch 
@@ -0,0 +1,107 @@ +From 7195a238eee300e64f3135e8be30e52c7fa3cb04 Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Mon, 24 Jun 2019 10:07:31 -0400 +Subject: dmaengine: imx-sdma: fix use-after-free on probe error path + +[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ] + +If probe() fails anywhere beyond the point where +sdma_get_firmware() is called, then a kernel oops may occur. + +Problematic sequence of events: +1. probe() calls sdma_get_firmware(), which schedules the + firmware callback to run when firmware becomes available, + using the sdma instance structure as the context +2. probe() encounters an error, which deallocates the + sdma instance structure +3. firmware becomes available, firmware callback is + called with deallocated sdma instance structure +4. use after free - kernel oops ! + +Solution: only attempt to load firmware when we're certain +that probe() will succeed. This guarantees that the firmware +callback's context will remain valid. + +Note that the remove() path is unaffected by this issue: the +firmware loader will increment the driver module's use count, +ensuring that the module cannot be unloaded while the +firmware callback is pending or running. 
+ +Signed-off-by: Sven Van Asbroeck +Reviewed-by: Robin Gong +[vkoul: fixed braces for if condition] +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 21 deletions(-) + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index 248c440c10f2..4ec84a633bd3 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -2096,27 +2096,6 @@ static int sdma_probe(struct platform_device *pdev) + if (pdata && pdata->script_addrs) + sdma_add_scripts(sdma, pdata->script_addrs); + +- if (pdata) { +- ret = sdma_get_firmware(sdma, pdata->fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); +- } else { +- /* +- * Because that device tree does not encode ROM script address, +- * the RAM script in firmware is mandatory for device tree +- * probe, otherwise it fails. +- */ +- ret = of_property_read_string(np, "fsl,sdma-ram-script-name", +- &fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware name\n"); +- else { +- ret = sdma_get_firmware(sdma, fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); +- } +- } +- + sdma->dma_device.dev = &pdev->dev; + + sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources; +@@ -2161,6 +2140,33 @@ static int sdma_probe(struct platform_device *pdev) + of_node_put(spba_bus); + } + ++ /* ++ * Kick off firmware loading as the very last step: ++ * attempt to load firmware only if we're not on the error path, because ++ * the firmware callback requires a fully functional and allocated sdma ++ * instance. 
++ */ ++ if (pdata) { ++ ret = sdma_get_firmware(sdma, pdata->fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); ++ } else { ++ /* ++ * Because that device tree does not encode ROM script address, ++ * the RAM script in firmware is mandatory for device tree ++ * probe, otherwise it fails. ++ */ ++ ret = of_property_read_string(np, "fsl,sdma-ram-script-name", ++ &fw_name); ++ if (ret) { ++ dev_warn(&pdev->dev, "failed to get firmware name\n"); ++ } else { ++ ret = sdma_get_firmware(sdma, fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); ++ } ++ } ++ + return 0; + + err_register: +-- +2.20.1 + diff --git a/queue-5.1/edac-fix-global-out-of-bounds-write-when-setting-eda.patch b/queue-5.1/edac-fix-global-out-of-bounds-write-when-setting-eda.patch new file mode 100644 index 00000000000..fb923ecaa98 --- /dev/null +++ b/queue-5.1/edac-fix-global-out-of-bounds-write-when-setting-eda.patch 
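Review bot: The firmware callback can still outlive the sdma instance after a successful sdma_probe(), because the argument for remove() in the changelog rests on the module use count, and that does not stop a driver unbind through sysfs. The allocation of the instance is outside the hunk, so this needs confirming, but if it is released on unbind a still-pending callback would run on freed memory; the new block comment should state that assumption, or remove() should wait for the request. The relocated inner comment also says the RAM script is mandatory, "otherwise it fails", while the code only calls dev_warn() and reaches `return 0;`, so it would be more accurate as `/* a missing RAM script is only warned about; probe still succeeds */`. sdma_probe() starts and ends outside the hunk.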
@@ -0,0 +1,159 @@ +From 21075081fb1f301846f712298d1d046957cc3f52 Mon Sep 17 00:00:00 2001 +From: Eiichi Tsukata +Date: Wed, 26 Jun 2019 14:40:11 +0900 +Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec + +[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ] + +Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes +edac_mc_poll_msec to be unsigned long, but the type of the variable still +remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds +write. + +Reproducer: + + # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec + +KASAN report: + + BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150 + Write of size 8 at addr ffffffffb91b2d00 by task bash/1996 + + CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 + Call Trace: + dump_stack+0xca/0x13e + print_address_description.cold+0x5/0x246 + __kasan_report.cold+0x75/0x9a + ? edac_set_poll_msec+0x140/0x150 + kasan_report+0xe/0x20 + edac_set_poll_msec+0x140/0x150 + ? dimmdev_location_show+0x30/0x30 + ? vfs_lock_file+0xe0/0xe0 + ? _raw_spin_lock+0x87/0xe0 + param_attr_store+0x1b5/0x310 + ? param_array_set+0x4f0/0x4f0 + module_attr_store+0x58/0x80 + ? module_attr_show+0x80/0x80 + sysfs_kf_write+0x13d/0x1a0 + kernfs_fop_write+0x2bc/0x460 + ? sysfs_kf_bin_read+0x270/0x270 + ? kernfs_notify+0x1f0/0x1f0 + __vfs_write+0x81/0x100 + vfs_write+0x1e1/0x560 + ksys_write+0x126/0x250 + ? __ia32_sys_read+0xb0/0xb0 + ? 
do_syscall_64+0x1f/0x390 + do_syscall_64+0xc1/0x390 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fa7caa5e970 + Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04 + RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970 + RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001 + RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700 + R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005 + R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005 + + The buggy address belongs to the variable: + edac_mc_poll_msec+0x0/0x40 + + Memory state around the buggy address: + ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa + ^ + ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Fix it by changing the type of edac_mc_poll_msec to unsigned int. +The reason why this patch adopts unsigned int rather than unsigned long +is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid +integer conversion bugs and unsigned int will be large enough for +edac_mc_poll_msec. 
+ +Reviewed-by: James Morse +Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") +Signed-off-by: Eiichi Tsukata +Signed-off-by: Tony Luck +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 16 ++++++++-------- + drivers/edac/edac_module.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 7c01e1cc030c..4386ea4b9b5a 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -26,7 +26,7 @@ + static int edac_mc_log_ue = 1; + static int edac_mc_log_ce = 1; + static int edac_mc_panic_on_ue; +-static int edac_mc_poll_msec = 1000; ++static unsigned int edac_mc_poll_msec = 1000; + + /* Getter functions for above */ + int edac_mc_get_log_ue(void) +@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void) + } + + /* this is temporary */ +-int edac_mc_get_poll_msec(void) ++unsigned int edac_mc_get_poll_msec(void) + { + return edac_mc_poll_msec; + } + + static int edac_set_poll_msec(const char *val, const struct kernel_param *kp) + { +- unsigned long l; ++ unsigned int i; + int ret; + + if (!val) + return -EINVAL; + +- ret = kstrtoul(val, 0, &l); ++ ret = kstrtouint(val, 0, &i); + if (ret) + return ret; + +- if (l < 1000) ++ if (i < 1000) + return -EINVAL; + +- *((unsigned long *)kp->arg) = l; ++ *((unsigned int *)kp->arg) = i; + + /* notify edac_mc engine to reset the poll period */ +- edac_mc_reset_delay_period(l); ++ edac_mc_reset_delay_period(i); + + return 0; + } +@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue, + module_param(edac_mc_log_ce, int, 0644); + MODULE_PARM_DESC(edac_mc_log_ce, + "Log correctable error to console: 0=off 1=on"); +-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int, ++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint, + &edac_mc_poll_msec, 0644); + MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds"); + +diff --git a/drivers/edac/edac_module.h 
b/drivers/edac/edac_module.h +index dd7d0b509aa3..75528f07abd5 100644 +--- a/drivers/edac/edac_module.h ++++ b/drivers/edac/edac_module.h +@@ -36,7 +36,7 @@ extern int edac_mc_get_log_ue(void); + extern int edac_mc_get_log_ce(void); + extern int edac_mc_get_panic_on_ue(void); + extern int edac_get_poll_msec(void); +-extern int edac_mc_get_poll_msec(void); ++extern unsigned int edac_mc_get_poll_msec(void); + + unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf, + unsigned len); +-- +2.20.1 + diff --git a/queue-5.1/edac-sysfs-drop-device-references-properly.patch b/queue-5.1/edac-sysfs-drop-device-references-properly.patch new file mode 100644 index 00000000000..af98af87732 --- /dev/null +++ b/queue-5.1/edac-sysfs-drop-device-references-properly.patch 
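Review bot: The store in edac_set_poll_msec(), `*((unsigned int *)kp->arg) = i;`, still ties the write width to the variable's type only through a cast, which is the same coupling that produced the out-of-bounds write. The setter is registered only for edac_mc_poll_msec in the module_param_call() further down, so assigning `edac_mc_poll_msec = i;` directly would let the compiler check the type. Failing that, a comment above the cast such as `/* kp->arg is &edac_mc_poll_msec (unsigned int); keep this cast in step with its type */` would record the dependency. The header hunk leaves the neighbouring `extern int edac_get_poll_msec(void);` as int, which is worth confirming is intended.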
@@ -0,0 +1,59 @@ +From b886b6f39fe81d171322792135784ed760a76911 Mon Sep 17 00:00:00 2001 +From: Greg KH +Date: Wed, 8 May 2019 12:40:42 +0200 +Subject: EDAC/sysfs: Drop device references properly + +[ Upstream commit 7adc05d2dc3af95e4e1534841d58f736262142cd ] + +Do put_device() if device_add() fails. + + [ bp: do device_del() for the successfully created devices in + edac_create_csrow_objects(), on the unwind path. ] + +Signed-off-by: Greg KH +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20190427214925.GE16338@kroah.com +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 464174685589..bf9273437e3f 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -443,7 +443,8 @@ static int edac_create_csrow_objects(struct mem_ctl_info *mci) + csrow = mci->csrows[i]; + if (!nr_pages_per_csrow(csrow)) + continue; +- put_device(&mci->csrows[i]->dev); ++ ++ device_del(&mci->csrows[i]->dev); + } + + return err; +@@ -645,9 +646,11 @@ static int edac_create_dimm_object(struct mem_ctl_info *mci, + dev_set_drvdata(&dimm->dev, dimm); + pm_runtime_forbid(&mci->dev); + +- err = device_add(&dimm->dev); ++ err = device_add(&dimm->dev); ++ if (err) ++ put_device(&dimm->dev); + +- edac_dbg(0, "creating rank/dimm device %s\n", dev_name(&dimm->dev)); ++ edac_dbg(0, "created rank/dimm device %s\n", dev_name(&dimm->dev)); + + return err; + } +@@ -928,6 +931,7 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci, + err = device_add(&mci->dev); + if (err < 0) { + edac_dbg(1, "failure: create device %s\n", dev_name(&mci->dev)); ++ put_device(&mci->dev); + goto out; + } + +-- +2.20.1 + diff --git a/queue-5.1/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch b/queue-5.1/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch new file mode 100644 index 00000000000..ed8f5f29428 
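Review bot: In edac_create_dimm_object() the edac_dbg() call still evaluates `dev_name(&dimm->dev)` after the new `put_device(&dimm->dev)` on the device_add() failure path, so if that put drops the last reference the name is read after the device has been released. The message also now says "created" for a device that was not added. Returning early avoids both: `if (err) { put_device(&dimm->dev); return err; }`. The function begins outside the hunk.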
--- /dev/null +++ b/queue-5.1/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch @@ -0,0 +1,52 @@ +From 033c687e6019591191187e54caf15fde79d4b5ba Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 18 Apr 2019 10:27:18 +0800 +Subject: EDAC/sysfs: Fix memory leak when creating a csrow object + +[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ] + +In edac_create_csrow_object(), the reference to the object is not +released when adding the device to the device hierarchy fails +(device_add()). This may result in a memory leak. + +Signed-off-by: Pan Bian +Signed-off-by: Borislav Petkov +Reviewed-by: Greg Kroah-Hartman +Cc: James Morse +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index bf9273437e3f..7c01e1cc030c 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -404,6 +404,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow) + static int edac_create_csrow_object(struct mem_ctl_info *mci, + struct csrow_info *csrow, int index) + { ++ int err; ++ + csrow->dev.type = &csrow_attr_type; + csrow->dev.groups = csrow_dev_groups; + device_initialize(&csrow->dev); +@@ -415,7 +417,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci, + edac_dbg(0, "creating (virtual) csrow node %s\n", + dev_name(&csrow->dev)); + +- return device_add(&csrow->dev); ++ err = device_add(&csrow->dev); ++ if (err) ++ put_device(&csrow->dev); ++ ++ return err; + } + + /* Create a CSROW object under specifed edac_mc_device */ +-- +2.20.1 + diff --git a/queue-5.1/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-5.1/floppy-fix-div-by-zero-in-setup_format_params.patch new file mode 100644 index 00000000000..9aee8a4a1dc --- /dev/null 
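Review bot: edac_create_csrow_object() now drops the reference taken by device_initialize() itself when device_add() fails, and nothing in the function says so. A caller that unwinds a failed csrow with its own put_device() would then drop it twice, so the ownership rule deserves a comment above the function, for example `/* On failure the csrow device reference has already been dropped; callers must not put it again. */`. The caller's unwind loop is outside this hunk, so whether it skips the failed index should be confirmed there.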
+++ b/queue-5.1/floppy-fix-div-by-zero-in-setup_format_params.patch 
@@ -0,0 +1,61 @@ +From a531938a1d72d3e95ec4b4f2a60aae2589ff3395 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:20 +0300 +Subject: floppy: fix div-by-zero in setup_format_params + +[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ] + +This fixes a divide by zero error in the setup_format_params function of +the floppy driver. + +Two consecutive ioctls can trigger the bug: The first one should set the +drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK +to become zero. Next, the floppy format operation should be called. + +A floppy disk is not required to be inserted. An unprivileged user +could trigger the bug if the device is accessible. + +The patch checks F_SECT_PER_TRACK for a non-zero value in the +set_geometry function. The proper check should involve a reasonable +upper limit for the .sect and .rate fields, but it could change the +UAPI. + +The patch also checks F_SECT_PER_TRACK in the setup_format_params, and +cancels the formatting operation in case of zero. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 95f608d1a098..e2f742e17683 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -2119,6 +2119,9 @@ static void setup_format_params(int track) + raw_cmd->kernel_data = floppy_track_buffer; + raw_cmd->length = 4 * F_SECT_PER_TRACK; + ++ if (!F_SECT_PER_TRACK) ++ return; ++ + /* allow for about 30ms for data transport per track */ + head_shift = (F_SECT_PER_TRACK + 5) / 6; + +@@ -3231,6 +3234,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + /* sanity checking for parameters. 
*/ + if (g->sect <= 0 || + g->head <= 0 || ++ /* check for zero in F_SECT_PER_TRACK */ ++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || + /* check if reserved bits are set */ + (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) +-- +2.20.1 + diff --git a/queue-5.1/floppy-fix-invalid-pointer-dereference-in-drive_name.patch b/queue-5.1/floppy-fix-invalid-pointer-dereference-in-drive_name.patch new file mode 100644 index 00000000000..8fab8917050 --- /dev/null +++ b/queue-5.1/floppy-fix-invalid-pointer-dereference-in-drive_name.patch 
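Review bot: The new `if (!F_SECT_PER_TRACK) return;` in setup_format_params() comes after raw_cmd->kernel_data and raw_cmd->length are assigned, and the function returns void, so the caller cannot tell that setup was abandoned and is left with a raw_cmd whose length is 0. The changelog says the format operation is cancelled, but nothing visible in the hunk does that; how the caller handles the partly built command is outside the hunk and should be confirmed. At minimum the early return needs a comment such as `/* zero sectors per track would divide by zero further down; raw_cmd->length stays 0 */`. In set_geometry() the expression `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g))` appears to restate the macro by hand and will drift if the macro changes.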
@@ -0,0 +1,81 @@ +From 1b97413a7a80456de284c4bd34d13dde2cc71797 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:22 +0300 +Subject: floppy: fix invalid pointer dereference in drive_name + +[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ] + +This fixes the invalid pointer dereference in the drive_name function of +the floppy driver. + +The native_format field of the struct floppy_drive_params is used as +floppy_type array index in the drive_name function. Thus, the field +should be checked the same way as the autodetect field. + +To trigger the bug, one could use a value out of range and set the drive +parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should +be used to call the drive_name. A floppy disk is not required to be +inserted. + +CAP_SYS_ADMIN is required to call FDSETDRVPRM. + +The patch adds the check for a value of the native_format field to be in +the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array +indices. + +The bug was found by syzkaller. 
+ +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 77c527db5134..8b443ee1d005 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3379,7 +3379,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) + return 0; + } + +-static bool valid_floppy_drive_params(const short autodetect[8]) ++static bool valid_floppy_drive_params(const short autodetect[8], ++ int native_format) + { + size_t floppy_type_size = ARRAY_SIZE(floppy_type); + size_t i = 0; +@@ -3390,6 +3391,9 @@ static bool valid_floppy_drive_params(const short autodetect[8]) + return false; + } + ++ if (native_format < 0 || native_format >= floppy_type_size) ++ return false; ++ + return true; + } + +@@ -3519,7 +3523,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + SUPBOUND(size, strlen((const char *)outparam) + 1); + break; + case FDSETDRVPRM: +- if (!valid_floppy_drive_params(inparam.dp.autodetect)) ++ if (!valid_floppy_drive_params(inparam.dp.autodetect, ++ inparam.dp.native_format)) + return -EINVAL; + *UDP = inparam.dp; + break; +@@ -3718,7 +3723,7 @@ static int compat_setdrvprm(int drive, + return -EPERM; + if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) + return -EFAULT; +- if (!valid_floppy_drive_params(v.autodetect)) ++ if (!valid_floppy_drive_params(v.autodetect, v.native_format)) + return -EINVAL; + mutex_lock(&floppy_mutex); + UDP->cmos = v.cmos; +-- +2.20.1 + diff --git a/queue-5.1/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-5.1/floppy-fix-out-of-bounds-read-in-copy_buffer.patch new file mode 100644 index 00000000000..67695fee5f5 --- /dev/null +++ b/queue-5.1/floppy-fix-out-of-bounds-read-in-copy_buffer.patch 
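Review bot: valid_floppy_drive_params() has no comment saying why these two fields, and only these, are validated before `*UDP = inparam.dp;` copies the whole structure. The reason is in the changelog only: both are used as floppy_type[] indices. A header comment such as `/* autodetect[] and native_format index floppy_type[]; reject anything outside the table */` would tell the next person adding an index-like field that it belongs here too. The same comment applies to the version of the helper introduced by the next_valid_format patch later in this series.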
@@ -0,0 +1,52 @@ +From 3ab75421723c70fe5302a1d90346949ccc463471 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:23 +0300 +Subject: floppy: fix out-of-bounds read in copy_buffer + +[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] + +This fixes a global out-of-bounds read access in the copy_buffer +function of the floppy driver. + +The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect +and head fields (unsigned int) of the floppy_drive structure are used to +compute the max_sector (int) in the make_raw_rw_request function. It is +possible to overflow the max_sector. Next, max_sector is passed to the +copy_buffer function and used in one of the memcpy calls. + +An unprivileged user could trigger the bug if the device is accessible, +but requires a floppy disk to be inserted. + +The patch adds the check for the .sect * .head multiplication for not +overflowing in the set_geometry function. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 8b443ee1d005..38e5811a045e 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3232,8 +3232,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + int cnt; + + /* sanity checking for parameters. */ +- if (g->sect <= 0 || +- g->head <= 0 || ++ if ((int)g->sect <= 0 || ++ (int)g->head <= 0 || ++ /* check for overflow in max_sector */ ++ (int)(g->sect * g->head) <= 0 || + /* check for zero in F_SECT_PER_TRACK */ + (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || +-- +2.20.1 + 
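Review bot: The added `(int)(g->sect * g->head) <= 0` in set_geometry() does not catch every overflow, because the multiplication is done in unsigned int and wraps, so a product that wraps round to a value with the sign bit clear still passes. Since g->head is already known to be positive when this operand is evaluated, a division-based bound is exact: `g->sect > INT_MAX / g->head ||`. How max_sector is later derived from these fields is outside the hunk, so the bound actually required should be confirmed against make_raw_rw_request().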
diff --git a/queue-5.1/floppy-fix-out-of-bounds-read-in-next_valid_format.patch b/queue-5.1/floppy-fix-out-of-bounds-read-in-next_valid_format.patch new file mode 100644 index 00000000000..896eee25569 --- /dev/null +++ b/queue-5.1/floppy-fix-out-of-bounds-read-in-next_valid_format.patch 
@@ -0,0 +1,79 @@ +From 18c3e243fc359878ba665189de0d16343deca152 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:21 +0300 +Subject: floppy: fix out-of-bounds read in next_valid_format + +[ Upstream commit 5635f897ed83fd539df78e98ba69ee91592f9bb8 ] + +This fixes a global out-of-bounds read access in the next_valid_format +function of the floppy driver. + +The values from autodetect field of the struct floppy_drive_params are +used as indices for the floppy_type array in the next_valid_format +function 'floppy_type[DP->autodetect[probed_format]].sect'. + +To trigger the bug, one could use a value out of range and set the drive +parameters with the FDSETDRVPRM ioctl. A floppy disk is not required to +be inserted. + +CAP_SYS_ADMIN is required to call FDSETDRVPRM. + +The patch adds the check for values of the autodetect field to be in the +'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index e2f742e17683..77c527db5134 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3379,6 +3379,20 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) + return 0; + } + ++static bool valid_floppy_drive_params(const short autodetect[8]) ++{ ++ size_t floppy_type_size = ARRAY_SIZE(floppy_type); ++ size_t i = 0; ++ ++ for (i = 0; i < 8; ++i) { ++ if (autodetect[i] < 0 || ++ autodetect[i] >= floppy_type_size) ++ return false; ++ } ++ ++ return true; ++} ++ + static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd, + unsigned long param) + { +@@ -3505,6 +3519,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + SUPBOUND(size, 
strlen((const char *)outparam) + 1); + break; + case FDSETDRVPRM: ++ if (!valid_floppy_drive_params(inparam.dp.autodetect)) ++ return -EINVAL; + *UDP = inparam.dp; + break; + case FDGETDRVPRM: +@@ -3702,6 +3718,8 @@ static int compat_setdrvprm(int drive, + return -EPERM; + if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) + return -EFAULT; ++ if (!valid_floppy_drive_params(v.autodetect)) ++ return -EINVAL; + mutex_lock(&floppy_mutex); + UDP->cmos = v.cmos; + UDP->max_dtr = v.max_dtr; +-- +2.20.1 + diff --git a/queue-5.1/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch b/queue-5.1/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch new file mode 100644 index 00000000000..37454343a78 --- /dev/null +++ b/queue-5.1/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch 
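Review bot: The loop bound in valid_floppy_drive_params() is a bare `8`, and the `const short autodetect[8]` parameter decays to a pointer, so nothing ties the bound to the real size of the autodetect field. Both callers pass a struct member, so the check would silently cover too few or too many elements if that array ever changed size; passing the length explicitly, e.g. `ARRAY_SIZE(inparam.dp.autodetect)` at the call site, or a named constant shared with the struct definition would keep them in step. `size_t i = 0;` is also initialised twice, once in the declaration and again in the for statement.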
@@ -0,0 +1,69 @@ +From 45436417caa3efb000260dc82ce741ff50b058a9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 20 May 2019 09:29:42 -0700 +Subject: fscrypt: clean up some BUG_ON()s in block encryption/decryption + +[ Upstream commit eeacfdc68a104967162dfcba60f53f6f5b62a334 ] + +Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code, +and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into +fscrypt_crypt_block() so that it's done for both encryption and +decryption, not just encryption. + +Reviewed-by: Chandan Rajendra +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/crypto/crypto.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c +index fe38b5306045..5b3d525aa213 100644 +--- a/fs/crypto/crypto.c ++++ b/fs/crypto/crypto.c +@@ -159,7 +159,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw, + struct crypto_skcipher *tfm = ci->ci_ctfm; + int res = 0; + +- BUG_ON(len == 0); ++ if (WARN_ON_ONCE(len <= 0)) ++ return -EINVAL; ++ if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0)) ++ return -EINVAL; + + fscrypt_generate_iv(&iv, lblk_num, ci); + +@@ -243,8 +246,6 @@ struct page *fscrypt_encrypt_page(const struct inode *inode, + struct page *ciphertext_page = page; + int err; + +- BUG_ON(len % FS_CRYPTO_BLOCK_SIZE != 0); +- + if (inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES) { + /* with inplace-encryption we just encrypt the page */ + err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num, page, +@@ -256,7 +257,8 @@ struct page *fscrypt_encrypt_page(const struct inode *inode, + return ciphertext_page; + } + +- BUG_ON(!PageLocked(page)); ++ if (WARN_ON_ONCE(!PageLocked(page))) ++ return ERR_PTR(-EINVAL); + + ctx = fscrypt_get_ctx(inode, gfp_flags); + if (IS_ERR(ctx)) +@@ -304,8 +306,9 @@ EXPORT_SYMBOL(fscrypt_encrypt_page); + int fscrypt_decrypt_page(const struct inode *inode, struct page *page, + unsigned int 
len, unsigned int offs, u64 lblk_num) + { +- if (!(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES)) +- BUG_ON(!PageLocked(page)); ++ if (WARN_ON_ONCE(!PageLocked(page) && ++ !(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES))) ++ return -EINVAL; + + return fscrypt_do_page_crypto(inode, FS_DECRYPT, lblk_num, page, page, + len, offs, GFP_NOFS); +-- +2.20.1 + diff --git a/queue-5.1/genirq-update-irq-stats-from-nmi-handlers.patch b/queue-5.1/genirq-update-irq-stats-from-nmi-handlers.patch new file mode 100644 index 00000000000..47f86409658 --- /dev/null +++ b/queue-5.1/genirq-update-irq-stats-from-nmi-handlers.patch 
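Review bot: `WARN_ON_ONCE(len <= 0)` in fscrypt_do_page_crypto() reads as a signed check, but len is declared `unsigned int` in fscrypt_decrypt_page() in this same patch, and if it has that type here too the test is simply `len == 0`. Writing `if (WARN_ON_ONCE(len == 0))` avoids implying that negative lengths are detected; the function's signature is cut by the hunk, so the type should be confirmed. The new -EINVAL and ERR_PTR(-EINVAL) returns also change the contract of fscrypt_encrypt_page() and fscrypt_decrypt_page() from a crash to an error, and the function comments should say that len must be a non-zero multiple of FS_CRYPTO_BLOCK_SIZE.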
@@ -0,0 +1,78 @@ +From 616a0224200f08a2f8ad8525edbd75e29f013630 Mon Sep 17 00:00:00 2001 +From: Shijith Thotton +Date: Fri, 5 Jul 2019 07:56:20 +0000 +Subject: genirq: Update irq stats from NMI handlers + +[ Upstream commit c09cb1293523dd786ae54a12fd88001542cba2f6 ] + +The NMI handlers handle_percpu_devid_fasteoi_nmi() and handle_fasteoi_nmi() +do not update the interrupt counts. Due to that the NMI interrupt count +does not show up correctly in /proc/interrupts. + +Add the statistics and treat the NMI handlers in the same way as per cpu +interrupts and prevent them from updating irq_desc::tot_count as this might +be corrupted due to concurrency. + +[ tglx: Massaged changelog ] + +Fixes: 2dcf1fbcad35 ("genirq: Provide NMI handlers") +Signed-off-by: Shijith Thotton +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/1562313336-11888-1-git-send-email-sthotton@marvell.com +Signed-off-by: Sasha Levin +--- + kernel/irq/chip.c | 4 ++++ + kernel/irq/irqdesc.c | 8 +++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c +index 04fe4f989bd8..bfac4d6761b3 100644 +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -754,6 +754,8 @@ void handle_fasteoi_nmi(struct irq_desc *desc) + unsigned int irq = irq_desc_get_irq(desc); + irqreturn_t res; + ++ __kstat_incr_irqs_this_cpu(desc); ++ + trace_irq_handler_entry(irq, action); + /* + * NMIs cannot be shared, there is only one action. 
+@@ -968,6 +970,8 @@ void handle_percpu_devid_fasteoi_nmi(struct irq_desc *desc) + unsigned int irq = irq_desc_get_irq(desc); + irqreturn_t res; + ++ __kstat_incr_irqs_this_cpu(desc); ++ + trace_irq_handler_entry(irq, action); + res = action->handler(irq, raw_cpu_ptr(action->percpu_dev_id)); + trace_irq_handler_exit(irq, action, res); +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index 9f8a709337cf..8a93df71673d 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -945,6 +945,11 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu) + *per_cpu_ptr(desc->kstat_irqs, cpu) : 0; + } + ++static bool irq_is_nmi(struct irq_desc *desc) ++{ ++ return desc->istate & IRQS_NMI; ++} ++ + /** + * kstat_irqs - Get the statistics for an interrupt + * @irq: The interrupt number +@@ -962,7 +967,8 @@ unsigned int kstat_irqs(unsigned int irq) + if (!desc || !desc->kstat_irqs) + return 0; + if (!irq_settings_is_per_cpu_devid(desc) && +- !irq_settings_is_per_cpu(desc)) ++ !irq_settings_is_per_cpu(desc) && ++ !irq_is_nmi(desc)) + return desc->tot_count; + + for_each_possible_cpu(cpu) +-- +2.20.1 + diff --git a/queue-5.1/gpio-fix-return-value-mismatch-of-function-gpiod_get.patch b/queue-5.1/gpio-fix-return-value-mismatch-of-function-gpiod_get.patch new file mode 100644 index 00000000000..2c47ccd5223 --- /dev/null +++ b/queue-5.1/gpio-fix-return-value-mismatch-of-function-gpiod_get.patch 
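Review bot: The reason NMIs are excluded from the tot_count shortcut in kstat_irqs() is given only in the changelog, not in the code. The two handlers call `__kstat_incr_irqs_this_cpu(desc)` and, per the commit message, deliberately leave irq_desc::tot_count alone, so the new `!irq_is_nmi(desc)` condition deserves a comment such as `/* NMI handlers do not update tot_count; sum the per-CPU counters instead */`. irq_is_nmi() only reads the descriptor, so its parameter could be `const struct irq_desc *desc`.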
@@ -0,0 +1,128 @@ +From 2d2eab95557fa76a0e5687348054463d44ab4055 Mon Sep 17 00:00:00 2001 +From: Waibel Georg +Date: Thu, 20 Jun 2019 21:37:08 +0000 +Subject: gpio: Fix return value mismatch of function gpiod_get_from_of_node() + +[ Upstream commit 025bf37725f1929542361eef2245df30badf242e ] + +In case the requested gpio property is not found in the device tree, some +callers of gpiod_get_from_of_node() expect a return value of NULL, others +expect -ENOENT. +In particular devm_fwnode_get_index_gpiod_from_child() expects -ENOENT. +Currently it gets a NULL, which breaks the loop that tries all +gpio_suffixes. The result is that a gpio property is not found, even +though it is there. + +This patch changes gpiod_get_from_of_node() to return -ENOENT instead +of NULL when the requested gpio property is not found in the device +tree. Additionally it modifies all calling functions to properly +evaluate the return value. + +Another approach would be to leave the return value of +gpiod_get_from_of_node() as is and fix the bug in +devm_fwnode_get_index_gpiod_from_child(). Other callers would still need +to be reworked. The effort would be the same as with the chosen solution. + +Signed-off-by: Georg Waibel +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Linus Walleij +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 6 +----- + drivers/regulator/da9211-regulator.c | 2 ++ + drivers/regulator/s2mps11.c | 4 +++- + drivers/regulator/s5m8767.c | 4 +++- + drivers/regulator/tps65090-regulator.c | 7 ++++--- + 5 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index bca3e7740ef6..fd1344056e1d 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -4232,8 +4232,7 @@ EXPORT_SYMBOL_GPL(gpiod_get_index); + * + * Returns: + * On successful request the GPIO pin is configured in accordance with +- * provided @dflags. 
If the node does not have the requested GPIO +- * property, NULL is returned. ++ * provided @dflags. + * + * In case of error an ERR_PTR() is returned. + */ +@@ -4255,9 +4254,6 @@ struct gpio_desc *gpiod_get_from_of_node(struct device_node *node, + index, &flags); + + if (!desc || IS_ERR(desc)) { +- /* If it is not there, just return NULL */ +- if (PTR_ERR(desc) == -ENOENT) +- return NULL; + return desc; + } + +diff --git a/drivers/regulator/da9211-regulator.c b/drivers/regulator/da9211-regulator.c +index 4d7fe4819c1c..4e95e3d0fcd5 100644 +--- a/drivers/regulator/da9211-regulator.c ++++ b/drivers/regulator/da9211-regulator.c +@@ -299,6 +299,8 @@ static struct da9211_pdata *da9211_parse_regulators_dt( + 0, + GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE, + "da9211-enable"); ++ if (IS_ERR(pdata->gpiod_ren[n])) ++ pdata->gpiod_ren[n] = NULL; + n++; + } + +diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c +index 134c62db36c5..b518a81f75a3 100644 +--- a/drivers/regulator/s2mps11.c ++++ b/drivers/regulator/s2mps11.c +@@ -821,7 +821,9 @@ static void s2mps14_pmic_dt_parse_ext_control_gpio(struct platform_device *pdev, + 0, + GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE, + "s2mps11-regulator"); +- if (IS_ERR(gpio[reg])) { ++ if (PTR_ERR(gpio[reg]) == -ENOENT) ++ gpio[reg] = NULL; ++ else if (IS_ERR(gpio[reg])) { + dev_err(&pdev->dev, "Failed to get control GPIO for %d/%s\n", + reg, rdata[reg].name); + continue; +diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c +index bb9d1a083299..6ca27e9d5ef7 100644 +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -574,7 +574,9 @@ static int s5m8767_pmic_dt_parse_pdata(struct platform_device *pdev, + 0, + GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE, + "s5m8767"); +- if (IS_ERR(rdata->ext_control_gpiod)) ++ if (PTR_ERR(rdata->ext_control_gpiod) == -ENOENT) ++ rdata->ext_control_gpiod = NULL; ++ else if (IS_ERR(rdata->ext_control_gpiod)) + return 
PTR_ERR(rdata->ext_control_gpiod); + + rdata->id = i; +diff --git a/drivers/regulator/tps65090-regulator.c b/drivers/regulator/tps65090-regulator.c +index 0614551796a1..f6466db57900 100644 +--- a/drivers/regulator/tps65090-regulator.c ++++ b/drivers/regulator/tps65090-regulator.c +@@ -381,11 +381,12 @@ static struct tps65090_platform_data *tps65090_parse_dt_reg_data( + "dcdc-ext-control-gpios", 0, + gflags, + "tps65090"); +- if (IS_ERR(rpdata->gpiod)) +- return ERR_CAST(rpdata->gpiod); +- if (!rpdata->gpiod) ++ if (PTR_ERR(rpdata->gpiod) == -ENOENT) { + dev_err(&pdev->dev, + "could not find DCDC external control GPIO\n"); ++ rpdata->gpiod = NULL; ++ } else if (IS_ERR(rpdata->gpiod)) ++ return ERR_CAST(rpdata->gpiod); + } + + if (of_property_read_u32(tps65090_matches[idx].of_node, +-- +2.20.1 + diff --git a/queue-5.1/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/queue-5.1/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch new file mode 100644 index 00000000000..af9b1e9fe6a --- /dev/null +++ b/queue-5.1/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch 
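Review bot: In the da9211-regulator.c part of this patch the added check `if (IS_ERR(pdata->gpiod_ren[n])) pdata->gpiod_ren[n] = NULL;` turns every error into "no GPIO", not only the missing-property case, so a failure such as -EPROBE_DEFER would be dropped silently. The s2mps11.c and s5m8767.c parts map only -ENOENT to NULL; the same test here, `if (PTR_ERR(pdata->gpiod_ren[n]) == -ENOENT) pdata->gpiod_ren[n] = NULL;`, with other errors reported or propagated, would keep the drivers consistent. How da9211_parse_regulators_dt() should propagate an error cannot be judged from here, since its body starts and ends outside the hunk. In gpiolib.c the braces left around the now single `return desc;` can go as well.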
@@ -0,0 +1,85 @@ +From 59081d8c1f5e3cbb0df94fa33c65e11db5e111e1 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 10 Jun 2019 20:10:44 +0300 +Subject: gpio: omap: ensure irq is enabled before wakeup + +[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ] + +Documentation states: + + NOTE: There must be a correlation between the wake-up enable and + interrupt-enable registers. If a GPIO pin has a wake-up configured + on it, it must also have the corresponding interrupt enabled (on + one of the two interrupt lines). + +Ensure that this condition is always satisfied by enabling the detection +events after enabling the interrupt, and disabling the detection before +disabling the interrupt. This ensures interrupt/wakeup events can not +happen until both the wakeup and interrupt enables correlate. + +If we do any clearing, clear between the interrupt enable/disable and +trigger setting. + +Signed-off-by: Russell King +Signed-off-by: Grygorii Strashko +Tested-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 0708e50a27f0..233245bc693c 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -838,9 +838,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d) + + raw_spin_lock_irqsave(&bank->lock, flags); + bank->irq_usage &= ~(BIT(offset)); +- omap_set_gpio_irqenable(bank, offset, 0); +- omap_clear_gpio_irqstatus(bank, offset); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_clear_gpio_irqstatus(bank, offset); ++ omap_set_gpio_irqenable(bank, offset, 0); + if (!LINE_USED(bank->mod_usage, offset)) + omap_clear_gpio_debounce(bank, offset); + omap_disable_gpio_module(bank, offset); +@@ -876,8 +876,8 @@ static void omap_gpio_mask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); 
+- omap_set_gpio_irqenable(bank, offset, 0); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_set_gpio_irqenable(bank, offset, 0); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +@@ -889,9 +889,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); +- if (trigger) +- omap_set_gpio_triggering(bank, offset, trigger); +- + omap_set_gpio_irqenable(bank, offset, 1); + + /* +@@ -899,9 +896,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + * is cleared, thus after the handler has run. OMAP4 needs this done + * after enabing the interrupt to clear the wakeup status. + */ +- if (bank->level_mask & BIT(offset)) ++ if (bank->regs->leveldetect0 && bank->regs->wkup_en && ++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)) + omap_clear_gpio_irqstatus(bank, offset); + ++ if (trigger) ++ omap_set_gpio_triggering(bank, offset, trigger); ++ + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +-- +2.20.1 + diff --git a/queue-5.1/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch b/queue-5.1/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch new file mode 100644 index 00000000000..abd646b905a --- /dev/null +++ b/queue-5.1/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch 
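Review bot: The new condition in omap_gpio_unmask_irq(), `bank->regs->leveldetect0 && bank->regs->wkup_en && trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)`, mixes `&&` with an unparenthesised `&`; it evaluates as intended, but `(trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))` reads without a precedence lookup. The comment above it still describes only the level-IRQ/OMAP4 case and does not say that the status clear has to sit between enabling the interrupt and programming the trigger. A line such as `/* clear between irqenable and trigger setup so wake-up and IRQ enables stay correlated */` would record the ordering rule that the shutdown and mask paths in this patch also rely on. The function begins outside the hunk.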
@@ -0,0 +1,43 @@
+From c9aaf4ad3cebb86881cb5b75c2cb4d8aef9349ff Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+
+[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ]
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King
+Signed-off-by: Grygorii Strashko
+Tested-by: Tony Lindgren
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index fafd79438bbf..0708e50a27f0 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1728,6 +1728,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .clr_dataout = OMAP4_GPIO_CLEARDATAOUT,
+ .irqstatus = OMAP4_GPIO_IRQSTATUS0,
+ .irqstatus2 = OMAP4_GPIO_IRQSTATUS1,
++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0,
++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1,
+ .irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+ .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1,
+ .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+--
+2.20.1
+
diff --git a/queue-5.1/gpio-omap-fix-lost-edge-wake-up-interrupts.patch b/queue-5.1/gpio-omap-fix-lost-edge-wake-up-interrupts.patch
new file mode 100644
index 00000000000..be8bc66dbe7
--- /dev/null
+++ b/queue-5.1/gpio-omap-fix-lost-edge-wake-up-interrupts.patch
@@ -0,0 +1,80 @@ +From 829d311c35028827a41518abe620c3182b104155 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 11 Jun 2019 23:33:52 -0700 +Subject: gpio: omap: Fix lost edge wake-up interrupts + +[ Upstream commit a522f1d0c381c42f3ace13b8bbeeccabdd6d2e5c ] + +If an edge interrupt triggers while entering idle just before we save +GPIO datain register to saved_datain, the triggered GPIO will not be +noticed on wake-up. This is because the saved_datain and GPIO datain +are the same on wake-up in omap_gpio_unidle(). Let's fix this by +ignoring any pending edge interrupts for saved_datain. + +This issue affects only idle states where the GPIO module internal +wake-up path is operational. For deeper idle states where the GPIO +module gets powered off, Linux generic wakeirqs must be used for +the padconf wake-up events with pinctrl-single driver. For examples, +please see "interrupts-extended" dts usage in many drivers. + +This issue can be somewhat easily reproduced by pinging an idle system +with smsc911x Ethernet interface configured IRQ_TYPE_EDGE_FALLING. At +some point the smsc911x interrupts will just stop triggering. Also if +WLCORE WLAN is used with EDGE interrupt like it's documentation specifies, +we can see lost interrupts without this patch. + +Note that in the long run we may be able to cancel entering idle by +returning an error in gpio_omap_cpu_notifier() on pending interrupts. +But let's fix the bug first. + +Also note that because of the recent clean-up efforts this patch does +not apply directly to older kernels. This does fix a long term issue +though, and can be backported as needed. 
+ +Cc: Aaro Koskinen +Cc: Grygorii Strashko +Cc: Keerthy +Cc: Ladislav Michl +Cc: Peter Ujfalusi +Cc: Russell King +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 233245bc693c..1ddc872b4e4b 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -1455,7 +1455,7 @@ static void omap_gpio_idle(struct gpio_bank *bank, bool may_lose_context) + { + struct device *dev = bank->chip.parent; + void __iomem *base = bank->base; +- u32 nowake; ++ u32 mask, nowake; + + bank->saved_datain = readl_relaxed(base + bank->regs->datain); + +@@ -1465,6 +1465,16 @@ static void omap_gpio_idle(struct gpio_bank *bank, bool may_lose_context) + if (!bank->enabled_non_wakeup_gpios) + goto update_gpio_context_count; + ++ /* Check for pending EDGE_FALLING, ignore EDGE_BOTH */ ++ mask = bank->enabled_non_wakeup_gpios & bank->context.fallingdetect; ++ mask &= ~bank->context.risingdetect; ++ bank->saved_datain |= mask; ++ ++ /* Check for pending EDGE_RISING, ignore EDGE_BOTH */ ++ mask = bank->enabled_non_wakeup_gpios & bank->context.risingdetect; ++ mask &= ~bank->context.fallingdetect; ++ bank->saved_datain &= ~mask; ++ + if (!may_lose_context) + goto update_gpio_context_count; + +-- +2.20.1 + diff --git a/queue-5.1/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch b/queue-5.1/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch new file mode 100644 index 00000000000..77f7e6da7d6 --- /dev/null +++ b/queue-5.1/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch 
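Review bot: The two added comments in omap_gpio_idle() say "Check for pending EDGE_FALLING" and "Check for pending EDGE_RISING", but the code checks nothing: it forces the saved_datain bit to 1 for falling-only lines and to 0 for rising-only lines. A comment that states the intent, for example `/* treat falling-only lines as having been high so a low level at unidle is replayed as an edge */`, would match what the lines do. Presumably this also replays an edge for a line that was already at the active level before idle and never changed; the unidle path that consumes saved_datain is outside the hunk, so that should be confirmed there.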
@@ -0,0 +1,66 @@ +From 49008596b89ad2f2058bbaef64cd2b2a2b31e296 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 1 Jul 2019 16:27:38 +0200 +Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants + +[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ] + +Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed +the functions to use a "gpiod" prefix, and commit 79a9becda8940deb +("gpiolib: export descriptor-based GPIO interface") introduced the "raw" +variants, but both changes forgot to update the comments. + +Readd a similar reference to gpiod_set_value(), which was accidentally +removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source +handling to gpiod_set_value_cansleep()"). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index fd1344056e1d..b8a5c1e3b99d 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -3012,7 +3012,7 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep, + int gpiod_get_raw_value(const struct gpio_desc *desc) + { + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + return gpiod_get_raw_value_commit(desc); + } +@@ -3033,7 +3033,7 @@ int gpiod_get_value(const struct gpio_desc *desc) + int value; + + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + + value = gpiod_get_raw_value_commit(desc); +@@ -3304,7 +3304,7 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep, + void gpiod_set_raw_value(struct gpio_desc *desc, int value) + 
{ + VALIDATE_DESC_VOID(desc); +- /* Should be using gpiod_set_value_cansleep() */ ++ /* Should be using gpiod_set_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + gpiod_set_raw_value_commit(desc, value); + } +@@ -3345,6 +3345,7 @@ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value) + void gpiod_set_value(struct gpio_desc *desc, int value) + { + VALIDATE_DESC_VOID(desc); ++ /* Should be using gpiod_set_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + gpiod_set_value_nocheck(desc, value); + } +-- +2.20.1 + diff --git a/queue-5.1/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch b/queue-5.1/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch new file mode 100644 index 00000000000..c7a3b49e095 --- /dev/null +++ b/queue-5.1/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch 
@@ -0,0 +1,41 @@
+From 4fededaf3fc5a1b1167f0b1316d956fcb425ab2a Mon Sep 17 00:00:00 2001
+From: Taehee Yoo
+Date: Wed, 3 Jul 2019 00:24:04 +0900
+Subject: gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
+
+[ Upstream commit e30155fd23c9c141cbe7d99b786e10a83a328837 ]
+
+If an invalid role is sent from user space, gtp_encap_enable() will fail.
+Then, it should call gtp_encap_disable_sock() but current code doesn't.
+It makes memory leak.
+
+Fixes: 91ed81f9abc7 ("gtp: support SGSN-side tunnels")
+Signed-off-by: Taehee Yoo
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/gtp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 7a145172d503..83488f2bf7a0 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -847,8 +847,13 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+
+ if (data[IFLA_GTP_ROLE]) {
+ role = nla_get_u32(data[IFLA_GTP_ROLE]);
+- if (role > GTP_ROLE_SGSN)
++ if (role > GTP_ROLE_SGSN) {
++ if (sk0)
++ gtp_encap_disable_sock(sk0);
++ if (sk1u)
++ gtp_encap_disable_sock(sk1u);
+ return -EINVAL;
++ }
+ }
+
+ gtp->sk0 = sk0;
+--
+2.20.1
+
diff --git a/queue-5.1/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch b/queue-5.1/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
new file mode 100644
index 00000000000..ea8948b0ea8
--- /dev/null
+++ b/queue-5.1/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
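Review bot: The role check in gtp_encap_enable() runs only after both sockets have been set up, which is why this fix has to repeat the sk0/sk1u teardown inside the `if (role > GTP_ROLE_SGSN)` branch. Reading and validating `data[IFLA_GTP_ROLE]` before the sockets are acquired would make the error path a plain `return -EINVAL;` with nothing to undo; the socket setup is outside the hunk, so this assumes it does not depend on the role. If the order has to stay, a single error label would keep the cleanup in one place. The `if (sk0)` and `if (sk1u)` guards are also redundant, because gtp_encap_disable_sock() returns early on a NULL socket, as the other gtp patches in this queue show.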
@@ -0,0 +1,71 @@ +From fdc30856ece2725cc19e807e19fdc5c0e864c9c7 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:13 +0900 +Subject: gtp: fix Illegal context switch in RCU read-side critical section. + +[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ] + +ipv4_pdp_add() is called in RCU read-side critical section. +So GFP_KERNEL should not be used in the function. +This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL. + +Test commands: +gtp-link add gtp1 & +gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2 + +Splat looks like: +[ 130.618881] ============================= +[ 130.626382] WARNING: suspicious RCU usage +[ 130.626994] 5.2.0-rc6+ #50 Not tainted +[ 130.627622] ----------------------------- +[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section! +[ 130.629684] +[ 130.629684] other info that might help us debug this: +[ 130.629684] +[ 130.631022] +[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1 +[ 130.632136] 4 locks held by gtp-tunnel/1025: +[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40 +[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130 +[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp] +[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp] +[ 130.638348] +[ 130.638348] stack backtrace: +[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50 +[ 130.641318] Call Trace: +[ 130.641707] dump_stack+0x7c/0xbb +[ 130.642252] ___might_sleep+0x2c0/0x3b0 +[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0 +[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp] +[ 130.644371] genl_family_rcv_msg+0x63a/0x1030 +[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090 +[ 130.645845] ? genl_unregister_family+0x630/0x630 +[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0 +[ 130.647293] ? 
check_flags.part.40+0x440/0x440 +[ 130.648099] genl_rcv_msg+0xa3/0x130 +[ ... ] + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index f45a806b6c06..6f1ad7ccaea6 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -958,7 +958,7 @@ static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk, + + } + +- pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL); ++ pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC); + if (pctx == NULL) + return -ENOMEM; + +-- +2.20.1 + diff --git a/queue-5.1/gtp-fix-suspicious-rcu-usage.patch b/queue-5.1/gtp-fix-suspicious-rcu-usage.patch new file mode 100644 index 00000000000..af82a7f3ece --- /dev/null +++ b/queue-5.1/gtp-fix-suspicious-rcu-usage.patch 
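Review bot: The switch to `GFP_ATOMIC` in ipv4_pdp_add() carries no comment, so the reason lives only in the commit message. A line above the allocation such as `/* called under rcu_read_lock() from gtp_genl_new_pdp(); must not sleep */` keeps a later cleanup from reverting it to GFP_KERNEL. Since the request arrives from user space over generic netlink, it is also worth checking whether the allocation could be made before the RCU read-side section is entered, so that it does not draw on atomic reserves; the caller is outside the hunk.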
@@ -0,0 +1,92 @@ +From 12ab5d78863ecc087eca0732059148b24c6c5c55 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:20:51 +0900 +Subject: gtp: fix suspicious RCU usage + +[ Upstream commit e198987e7dd7d3645a53875151cd6f8fc425b706 ] + +gtp_encap_enable_socket() and gtp_encap_destroy() are not protected +by rcu_read_lock(). and it's not safe to write sk->sk_user_data. +This patch make these functions to use lock_sock() instead of +rcu_dereference_sk_user_data(). + +Test commands: + gtp-link add gtp1 + +Splat looks like: +[ 83.238315] ============================= +[ 83.239127] WARNING: suspicious RCU usage +[ 83.239702] 5.2.0-rc6+ #49 Not tainted +[ 83.240268] ----------------------------- +[ 83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage! +[ 83.243828] +[ 83.243828] other info that might help us debug this: +[ 83.243828] +[ 83.246325] +[ 83.246325] rcu_scheduler_active = 2, debug_locks = 1 +[ 83.247314] 1 lock held by gtp-link/1008: +[ 83.248523] #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0 +[ 83.251503] +[ 83.251503] stack backtrace: +[ 83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49 +[ 83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 83.254562] Call Trace: +[ 83.254995] dump_stack+0x7c/0xbb +[ 83.255567] gtp_encap_enable_socket+0x2df/0x360 [gtp] +[ 83.256415] ? gtp_find_dev+0x1a0/0x1a0 [gtp] +[ 83.257161] ? memset+0x1f/0x40 +[ 83.257843] gtp_newlink+0x90/0xa21 [gtp] +[ 83.258497] ? __netlink_ns_capable+0xc3/0xf0 +[ 83.259260] __rtnl_newlink+0xb9f/0x11b0 +[ 83.260022] ? rtnl_link_unregister+0x230/0x230 +[ ... ] + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 83488f2bf7a0..f45a806b6c06 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -293,12 +293,14 @@ static void gtp_encap_destroy(struct sock *sk) + { + struct gtp_dev *gtp; + +- gtp = rcu_dereference_sk_user_data(sk); ++ lock_sock(sk); ++ gtp = sk->sk_user_data; + if (gtp) { + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); + sock_put(sk); + } ++ release_sock(sk); + } + + static void gtp_encap_disable_sock(struct sock *sk) +@@ -800,7 +802,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, + goto out_sock; + } + +- if (rcu_dereference_sk_user_data(sock->sk)) { ++ lock_sock(sock->sk); ++ if (sock->sk->sk_user_data) { + sk = ERR_PTR(-EBUSY); + goto out_sock; + } +@@ -816,6 +819,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); + + out_sock: ++ release_sock(sock->sk); + sockfd_put(sock); + return sk; + } +-- +2.20.1 + diff --git a/queue-5.1/gtp-fix-use-after-free-in-gtp_encap_destroy.patch b/queue-5.1/gtp-fix-use-after-free-in-gtp_encap_destroy.patch new file mode 100644 index 00000000000..f76519c0ede --- /dev/null +++ b/queue-5.1/gtp-fix-use-after-free-in-gtp_encap_destroy.patch 
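Review bot: `release_sock(sock->sk)` is added under the shared `out_sock:` label in gtp_encap_enable_socket(), but the hunk's context shows a `goto out_sock;` that precedes the new `lock_sock(sock->sk)`, so that earlier error path would release a socket lock it never took. A separate label fixes it: the -EBUSY branch uses `goto out_rel_sock;`, and `out_rel_sock:` with `release_sock(sock->sk);` goes just before `out_sock:`, which keeps only `sockfd_put(sock);`. The start of the function is outside the hunk, so any other early jump to out_sock needs the same check. The function takes a caller-supplied fd, so the early error path is presumably reachable from user space.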
@@ -0,0 +1,131 @@ +From bf2f6fb879399c981fce123b3e629468ff0d5802 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:22:25 +0900 +Subject: gtp: fix use-after-free in gtp_encap_destroy() + +[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ] + +gtp_encap_destroy() is called twice. +1. When interface is deleted. +2. When udp socket is destroyed. +either gtp->sk0 or gtp->sk1u could be freed by sock_put() in +gtp_encap_destroy(). so, when gtp_encap_destroy() is called again, +it would uses freed sk pointer. + +patch makes gtp_encap_destroy() to set either gtp->sk0 or gtp->sk1u to +null. in addition, both gtp->sk0 and gtp->sk1u pointer are protected +by rtnl_lock. so, rtnl_lock() is added. + +Test command: + gtp-link add gtp1 & + killall gtp-link + ip link del gtp1 + +Splat looks like: +[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0 +[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008 +[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50 +[ 83.188469] Call Trace: +[ ... ] +[ 83.200126] lock_acquire+0x141/0x380 +[ 83.200575] ? lock_sock_nested+0x3a/0xf0 +[ 83.201069] _raw_spin_lock_bh+0x38/0x70 +[ 83.201551] ? lock_sock_nested+0x3a/0xf0 +[ 83.202044] lock_sock_nested+0x3a/0xf0 +[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp] +[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp] +[ 83.203687] gtp_dellink+0x56/0x170 [gtp] +[ 83.204190] rtnl_delete_link+0xb4/0x100 +[ ... 
] +[ 83.236513] Allocated by task 976: +[ 83.236925] save_stack+0x19/0x80 +[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 83.237894] kmem_cache_alloc+0xd8/0x280 +[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200 +[ 83.238874] sk_alloc+0x32/0x940 +[ 83.239264] inet_create+0x283/0xc20 +[ 83.239684] __sock_create+0x2dd/0x540 +[ 83.240136] __sys_socket+0xca/0x1a0 +[ 83.240550] __x64_sys_socket+0x6f/0xb0 +[ 83.240998] do_syscall_64+0x9c/0x450 +[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 83.242061] +[ 83.242249] Freed by task 0: +[ 83.242616] save_stack+0x19/0x80 +[ 83.243013] __kasan_slab_free+0x111/0x150 +[ 83.243498] kmem_cache_free+0x89/0x250 +[ 83.244444] __sk_destruct+0x38f/0x5a0 +[ 83.245366] rcu_core+0x7e9/0x1c20 +[ 83.245766] __do_softirq+0x213/0x8fa + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 6f1ad7ccaea6..61e9b288d2dc 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -289,13 +289,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) + return gtp_rx(pctx, skb, hdrlen, gtp->role); + } + +-static void gtp_encap_destroy(struct sock *sk) ++static void __gtp_encap_destroy(struct sock *sk) + { + struct gtp_dev *gtp; + + lock_sock(sk); + gtp = sk->sk_user_data; + if (gtp) { ++ if (gtp->sk0 == sk) ++ gtp->sk0 = NULL; ++ else ++ gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); + sock_put(sk); +@@ -303,12 +307,19 @@ static void gtp_encap_destroy(struct sock *sk) + release_sock(sk); + } + ++static void gtp_encap_destroy(struct sock *sk) ++{ ++ rtnl_lock(); ++ __gtp_encap_destroy(sk); ++ rtnl_unlock(); ++} ++ + static void gtp_encap_disable_sock(struct sock *sk) + { + if (!sk) + return; + +- gtp_encap_destroy(sk); 
++ __gtp_encap_destroy(sk); + } + + static void gtp_encap_disable(struct gtp_dev *gtp) +@@ -1047,6 +1058,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + ++ rtnl_lock(); + rcu_read_lock(); + + gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); +@@ -1071,6 +1083,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) + + out_unlock: + rcu_read_unlock(); ++ rtnl_unlock(); + return err; + } + +-- +2.20.1 + diff --git a/queue-5.1/gtp-fix-use-after-free-in-gtp_newlink.patch b/queue-5.1/gtp-fix-use-after-free-in-gtp_newlink.patch new file mode 100644 index 00000000000..d607ffdacf5 --- /dev/null +++ b/queue-5.1/gtp-fix-use-after-free-in-gtp_newlink.patch 
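Review bot: In __gtp_encap_destroy() the `else` branch clears `gtp->sk1u` without checking that it is the socket being destroyed; `else if (gtp->sk1u == sk) gtp->sk1u = NULL;` states the invariant instead of assuming it. The helper now depends on the caller holding RTNL (gtp_encap_destroy() takes it, gtp_encap_disable_sock() relies on its callers), and nothing in the code says so; an `ASSERT_RTNL();` at the top of __gtp_encap_destroy() would document and enforce that. The patch also takes rtnl_lock() in gtp_genl_new_pdp() ahead of rcu_read_lock(), so every PDP-context request is serialised on RTNL; a short comment there naming what RTNL protects (gtp->sk0 and gtp->sk1u, per the commit message) would help.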
@@ -0,0 +1,109 @@ +From c1777489f37c43042483fe427ac06a510f30e2f4 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:42 +0900 +Subject: gtp: fix use-after-free in gtp_newlink() + +[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ] + +Current gtp_newlink() could be called after unregister_pernet_subsys(). +gtp_newlink() uses gtp_net but it can be destroyed by +unregister_pernet_subsys(). +So unregister_pernet_subsys() should be called after +rtnl_link_unregister(). + +Test commands: + #SHELL 1 + while : + do + for i in {1..5} + do + ./gtp-link add gtp$i & + done + killall gtp-link + done + + #SHELL 2 + while : + do + modprobe -rv gtp + done + +Splat looks like: +[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126 +[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50 +[ 753.185801] Call Trace: +[ 753.186264] dump_stack+0x7c/0xbb +[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.187583] print_address_description+0xc7/0x240 +[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189846] __kasan_report+0x12a/0x16f +[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.191298] kasan_report+0xe/0x20 +[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.193370] __rtnl_newlink+0xb9f/0x11b0 +[ ... ] +[ 753.241201] Allocated by task 7186: +[ 753.241844] save_stack+0x19/0x80 +[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 753.243192] __kmalloc+0x13e/0x300 +[ 753.243764] ops_init+0xd6/0x350 +[ 753.244314] register_pernet_operations+0x249/0x6f0 +[ ... ] +[ 753.251770] Freed by task 7178: +[ 753.252288] save_stack+0x19/0x80 +[ 753.252833] __kasan_slab_free+0x111/0x150 +[ 753.253962] kfree+0xc7/0x280 +[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0 +[ 753.255241] unregister_pernet_operations+0x262/0x390 +[ ... 
] +[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next. +[ 753.287241] ------------[ cut here ]------------ +[ 753.287794] kernel BUG at lib/list_debug.c:25! +[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50 +[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0 +[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b +[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286 +[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000 +[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69 +[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21 +[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878 +[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458 +[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000 +[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0 +[ 753.302183] Call Trace: +[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp] +[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.303576] __rtnl_newlink+0xb9f/0x11b0 +[ 753.304092] ? rtnl_link_unregister+0x230/0x230 + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 61e9b288d2dc..d178d5bad7e4 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1385,9 +1385,9 @@ late_initcall(gtp_init); + + static void __exit gtp_fini(void) + { +- unregister_pernet_subsys(>p_net_ops); + genl_unregister_family(>p_genl_family); + rtnl_link_unregister(>p_link_ops); ++ unregister_pernet_subsys(>p_net_ops); + + pr_info("GTP module unloaded\n"); + } +-- +2.20.1 + diff --git a/queue-5.1/iavf-allow-null-rx-descriptors.patch b/queue-5.1/iavf-allow-null-rx-descriptors.patch new file mode 100644 index 00000000000..aef20a7e736 --- /dev/null +++ b/queue-5.1/iavf-allow-null-rx-descriptors.patch 
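Review bot: The new call order in gtp_fini() is load-bearing but uncommented: unregister_pernet_subsys() has to come after rtnl_link_unregister() because gtp_newlink() uses per-net state that the pernet teardown frees. A comment above the last call, e.g. `/* must follow rtnl_link_unregister(): gtp_newlink() uses gtp_net */`, keeps the order from being rearranged back later. Whether gtp_init() registers in the exact reverse order cannot be seen from this hunk.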
@@ -0,0 +1,104 @@
+From a183ef21a0be2f67556020d59e4ecb89433098aa Mon Sep 17 00:00:00 2001
+From: Mitch Williams
+Date: Tue, 14 May 2019 10:37:09 -0700
+Subject: iavf: allow null RX descriptors
+
+[ Upstream commit efa14c3985828da3163f5372137cb64d992b0f79 ]
+
+In some circumstances, the hardware can hand us a null receive
+descriptor, with no data attached but otherwise valid. Unfortunately,
+the driver was ill-equipped to handle such an event, and would stop
+processing packets at that point.
+
+To fix this, use the Descriptor Done bit instead of the size to
+determine whether or not a descriptor is ready to be processed. Add some
+checks to allow for unused buffers.
+
+Signed-off-by: Mitch Williams
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index 9b4d7cec2e18..9cc2a617c9f3 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1236,6 +1236,9 @@ static void iavf_add_rx_frag(struct iavf_ring *rx_ring,
+ unsigned int truesize = SKB_DATA_ALIGN(size + iavf_rx_offset(rx_ring));
+ #endif
+
++ if (!size)
++ return;
++
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_buffer->page,
+ rx_buffer->page_offset, size, truesize);
+
+@@ -1260,6 +1263,9 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(struct iavf_ring *rx_ring,
+ {
+ struct iavf_rx_buffer *rx_buffer;
+
++ if (!size)
++ return NULL;
++
+ rx_buffer = &rx_ring->rx_bi[rx_ring->next_to_clean];
+ prefetchw(rx_buffer->page);
+
+@@ -1299,6 +1305,8 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ unsigned int headlen;
+ struct sk_buff *skb;
+
++ if (!rx_buffer)
++ return NULL;
+ /* prefetch first cache line of first page */
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+@@ -1363,6 +1371,8 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ #endif
+ struct sk_buff *skb;
+
++ if (!rx_buffer)
++ return NULL;
+ /* prefetch first cache line of first page */
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+@@ -1398,6 +1408,9 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ static void iavf_put_rx_buffer(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer)
+ {
++ if (!rx_buffer)
++ return;
++
+ if (iavf_can_reuse_rx_page(rx_buffer)) {
+ /* hand second half of page back to the ring */
+ iavf_reuse_rx_page(rx_ring, rx_buffer);
+@@ -1496,11 +1509,12 @@ static int iavf_clean_rx_irq(struct iavf_ring *rx_ring, int budget)
+ * verified the descriptor has been written back.
+ */
+ dma_rmb();
++#define IAVF_RXD_DD BIT(IAVF_RX_DESC_STATUS_DD_SHIFT)
++ if (!iavf_test_staterr(rx_desc, IAVF_RXD_DD))
++ break;
+
+ size = (qword & IAVF_RXD_QW1_LENGTH_PBUF_MASK) >>
+ IAVF_RXD_QW1_LENGTH_PBUF_SHIFT;
+- if (!size)
+- break;
+
+ iavf_trace(clean_rx_irq, rx_ring, rx_desc, skb);
+ rx_buffer = iavf_get_rx_buffer(rx_ring, size);
+@@ -1516,7 +1530,8 @@ static int iavf_clean_rx_irq(struct iavf_ring *rx_ring, int budget)
+ /* exit if we failed to retrieve a buffer */
+ if (!skb) {
+ rx_ring->rx_stats.alloc_buff_failed++;
+- rx_buffer->pagecnt_bias++;
++ if (rx_buffer)
++ rx_buffer->pagecnt_bias++;
+ break;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/iavf-fix-dereference-of-null-rx_buffer-pointer.patch b/queue-5.1/iavf-fix-dereference-of-null-rx_buffer-pointer.patch
new file mode 100644
index 00000000000..7d170706298
--- /dev/null
+++ b/queue-5.1/iavf-fix-dereference-of-null-rx_buffer-pointer.patch
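Review bot: In the last hunk (iavf_clean_rx_irq), a zero-length descriptor that arrives with no skb in progress still appears to end in the `if (!skb)` branch. iavf_get_rx_buffer() now returns NULL for size 0 and iavf_construct_skb()/iavf_build_skb() return NULL for a NULL rx_buffer, so `alloc_buff_failed` is incremented and the loop breaks, which is the stall the commit message sets out to remove. The call site between iavf_get_rx_buffer() and this check is outside the hunk, so this is inferred; if it holds, a null descriptor should be told apart from an allocation failure before the counter is touched. The added `if (!rx_buffer)` checks in iavf_construct_skb() and iavf_build_skb() also only protect anything once the follow-up "iavf: fix dereference of null rx_buffer pointer" is applied, so the two patches need to stay queued together.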
@@ -0,0 +1,63 @@
+From 4d82232b69e8d0a7145a1b7e68b14a88a45a8ad2 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Wed, 19 Jun 2019 15:30:44 +0100
+Subject: iavf: fix dereference of null rx_buffer pointer
+
+[ Upstream commit 9fe06a51287b2d41baef7ece94df34b5abf19b90 ]
+
+A recent commit efa14c3985828d ("iavf: allow null RX descriptors") added
+a null pointer sanity check on rx_buffer, however, rx_buffer is being
+dereferenced before that check, which implies a null pointer dereference
+bug can potentially occur. Fix this by only dereferencing rx_buffer
+until after the null pointer check.
+
+Addresses-Coverity: ("Dereference before null check")
+Signed-off-by: Colin Ian King
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index 9cc2a617c9f3..2a261d849d5a 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1296,7 +1296,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer,
+ unsigned int size)
+ {
+- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++ void *va;
+ #if (PAGE_SIZE < 8192)
+ unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1308,6 +1308,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ if (!rx_buffer)
+ return NULL;
+ /* prefetch first cache line of first page */
++ va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+ prefetch(va + L1_CACHE_BYTES);
+@@ -1362,7 +1363,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer,
+ unsigned int size)
+ {
+- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++ void *va;
+ #if (PAGE_SIZE < 8192)
+ unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1374,6 +1375,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ if (!rx_buffer)
+ return NULL;
+ /* prefetch first cache line of first page */
++ va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+ prefetch(va + L1_CACHE_BYTES);
+--
+2.20.1
+
diff --git a/queue-5.1/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch b/queue-5.1/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch
new file mode 100644
index 00000000000..9a6dbbf498e
--- /dev/null
+++ b/queue-5.1/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch
@@ -0,0 +1,46 @@
+From 519b55c0baeaf75677de2087a233c6ec2bb8a56e Mon Sep 17 00:00:00 2001
+From: Vedang Patel
+Date: Tue, 25 Jun 2019 15:07:12 -0700
+Subject: igb: clear out skb->tstamp after reading the txtime
+
+[ Upstream commit 1e08511d5d01884a3c9070afd52a47799312074a ]
+
+If a packet which is utilizing the launchtime feature (via SO_TXTIME socket
+option) also requests the hardware transmit timestamp, the hardware
+timestamp is not delivered to the userspace. This is because the value in
+skb->tstamp is mistaken as the software timestamp.
+
+Applications, like ptp4l, request a hardware timestamp by setting the
+SOF_TIMESTAMPING_TX_HARDWARE socket option. Whenever a new timestamp is
+detected by the driver (this work is done in igb_ptp_tx_work() which calls
+igb_ptp_tx_hwtstamps() in igb_ptp.c[1]), it will queue the timestamp in the
+ERR_QUEUE for the userspace to read. When the userspace is ready, it will
+issue a recvmsg() call to collect this timestamp. The problem is in this
+recvmsg() call. If the skb->tstamp is not cleared out, it will be
+interpreted as a software timestamp and the hardware tx timestamp will not
+be successfully sent to the userspace. Look at skb_is_swtx_tstamp() and the
+callee function __sock_recv_timestamp() in net/socket.c for more details.
+
+Signed-off-by: Vedang Patel
+Tested-by: Aaron Brown
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 580d14b49fda..a725dc709632 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -5687,6 +5687,7 @@ static void igb_tx_ctxtdesc(struct igb_ring *tx_ring,
+ */
+ if (tx_ring->launchtime_enable) {
+ ts = ns_to_timespec64(first->skb->tstamp);
++ first->skb->tstamp = 0;
+ context_desc->seqnum_seed = cpu_to_le32(ts.tv_nsec / 32);
+ } else {
+ context_desc->seqnum_seed = 0;
+--
+2.20.1
+
diff --git a/queue-5.1/integrity-fix-__integrity_init_keyring-section-misma.patch b/queue-5.1/integrity-fix-__integrity_init_keyring-section-misma.patch
new file mode 100644
index 00000000000..dd887c959d5
--- /dev/null
+++ b/queue-5.1/integrity-fix-__integrity_init_keyring-section-misma.patch
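Review bot: The added `first->skb->tstamp = 0;` in igb_tx_ctxtdesc has no comment, and without the commit message it reads like an accidental clobber of the field that was just consumed. A one-line comment above it would keep the reason with the code, for example `/* launch time consumed; clear it so it is not later reported as a software tx timestamp */`. The enclosing function starts and ends outside the hunk.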
@@ -0,0 +1,49 @@
+From cba3212bf4993d6a45e64c53e7108e3c131bdb8c Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 17 Jun 2019 09:44:52 +0200
+Subject: integrity: Fix __integrity_init_keyring() section mismatch
+
+[ Upstream commit 8c655784e2cf59cb6140759b8b546d98261d1ad9 ]
+
+With gcc-4.6.3:
+
+ WARNING: vmlinux.o(.text.unlikely+0x24c64): Section mismatch in reference from the function __integrity_init_keyring() to the function .init.text:set_platform_trusted_keys()
+ The function __integrity_init_keyring() references
+ the function __init set_platform_trusted_keys().
+ This is often because __integrity_init_keyring lacks a __init
+ annotation or the annotation of set_platform_trusted_keys is wrong.
+
+Indeed, if the compiler decides not to inline __integrity_init_keyring(),
+a warning is issued.
+
+Fix this by adding the missing __init annotation.
+
+Fixes: 9dc92c45177ab70e ("integrity: Define a trusted platform keyring")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Nayna Jain
+Reviewed-by: James Morris
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/digsig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index e19c2eb72c51..37869214c243 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -73,8 +73,9 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+ return -EOPNOTSUPP;
+ }
+
+-static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+- struct key_restriction *restriction)
++static int __init __integrity_init_keyring(const unsigned int id,
++ key_perm_t perm,
++ struct key_restriction *restriction)
+ {
+ const struct cred *cred = current_cred();
+ int err = 0;
+--
+2.20.1
+
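Review bot: Marking `__integrity_init_keyring()` as `__init` is only safe if every caller is itself `__init`, and the callers are not visible in this hunk. If any path can reach it after init memory has been freed, the section-mismatch warning simply moves to that caller and the call would land in discarded text. It is worth confirming that the callers in digsig.c (presumably integrity_init_keyring()) carry the annotation, and recording that above the function, e.g. `/* __init: only reachable from __init keyring setup */`. The function body continues past the hunk.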
diff --git a/queue-5.1/iommu-fix-a-leak-in-iommu_insert_resv_region.patch b/queue-5.1/iommu-fix-a-leak-in-iommu_insert_resv_region.patch
new file mode 100644
index 00000000000..565cdd8ae09
--- /dev/null
+++ b/queue-5.1/iommu-fix-a-leak-in-iommu_insert_resv_region.patch
@@ -0,0 +1,60 @@
+From 34cc5c08256ac9bd86053769f7dad14c8b71b559 Mon Sep 17 00:00:00 2001
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:30 +0200
+Subject: iommu: Fix a leak in iommu_insert_resv_region
+
+[ Upstream commit ad0834dedaa15c3a176f783c0373f836e44b4700 ]
+
+In case we expand an existing region, we unlink
+this latter and insert the larger one. In
+that case we should free the original region after
+the insertion. Also we can immediately return.
+
+Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
+
+Signed-off-by: Eric Auger
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index 109de67d5d72..2d06c507fbed 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -241,18 +241,21 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+ pos = pos->next;
+ } else if ((start >= a) && (end <= b)) {
+ if (new->type == type)
+- goto done;
++ return 0;
+ else
+ pos = pos->next;
+ } else {
+ if (new->type == type) {
+ phys_addr_t new_start = min(a, start);
+ phys_addr_t new_end = max(b, end);
++ int ret;
+
+ list_del(&entry->list);
+ entry->start = new_start;
+ entry->length = new_end - new_start + 1;
+- iommu_insert_resv_region(entry, regions);
++ ret = iommu_insert_resv_region(entry, regions);
++ kfree(entry);
++ return ret;
+ } else {
+ pos = pos->next;
+ }
+@@ -265,7 +268,6 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+ return -ENOMEM;
+
+ list_add_tail(®ion->list, pos);
+-done:
+ return 0;
+ }
+
+--
+2.20.1
+
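Review bot: When the recursive `iommu_insert_resv_region(entry, regions)` fails, the new code still runs `kfree(entry)` after `list_del(&entry->list)`, so the original reserved region is gone from the list and only the error code remains. The only failure visible here is the `-ENOMEM` in the second hunk, so the window is narrow, but a caller that keeps using the list after an error would then see an address range that is no longer marked reserved. It may be safer to keep the old entry linked until the merged copy has been inserted, or to document on the function that callers must discard the whole list when it returns an error. The function starts before the first hunk.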
diff --git a/queue-5.1/ipoib-correcly-show-a-vf-hardware-address.patch b/queue-5.1/ipoib-correcly-show-a-vf-hardware-address.patch
new file mode 100644
index 00000000000..019de8e262b
--- /dev/null
+++ b/queue-5.1/ipoib-correcly-show-a-vf-hardware-address.patch
@@ -0,0 +1,57 @@
+From e937ca8131b8798ec40c37f9d70ec9cc9e6125bd Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov
+Date: Mon, 17 Jun 2019 10:53:40 +0200
+Subject: ipoib: correcly show a VF hardware address
+
+[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ]
+
+in the case of IPoIB with SRIOV enabled hardware
+ip link show command incorrecly prints
+0 instead of a VF hardware address.
+
+Before:
+11: ib1: mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable,
+trust off, query_rss off
+...
+After:
+11: ib1: mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof
+checking off, link-state disable, trust off, query_rss off
+
+v1->v2: just copy an address without modifing ifla_vf_mac
+v2->v3: update the changelog
+
+Signed-off-by: Denis Kirjanov
+Acked-by: Doug Ledford
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 9b5e11d3fb85..04ea7db08e87 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1998,6 +1998,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf,
+ return err;
+
+ ivf->vf = vf;
++ memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
+
+ return 0;
+ }
+--
+2.20.1
+
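Review bot: The added `memcpy(ivf->mac, dev->dev_addr, dev->addr_len);` in ipoib_get_vf_config takes its length from the device and not from the destination. The size of `ivf->mac` is not visible in this hunk; if it is a fixed array, bounding the copy keeps a larger `addr_len` from writing past it: `memcpy(ivf->mac, dev->dev_addr, min_t(size_t, dev->addr_len, sizeof(ivf->mac)));`. The function begins outside the hunk.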
diff --git a/queue-5.1/ipsec-select-crypto-ciphers-for-xfrm_algo.patch b/queue-5.1/ipsec-select-crypto-ciphers-for-xfrm_algo.patch
new file mode 100644
index 00000000000..15a409e6b6c
--- /dev/null
+++ b/queue-5.1/ipsec-select-crypto-ciphers-for-xfrm_algo.patch
@@ -0,0 +1,43 @@
+From b76812cd6d176ff0965c4d0121d08acc735869d8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 18 Jun 2019 13:22:13 +0200
+Subject: ipsec: select crypto ciphers for xfrm_algo
+
+[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]
+
+kernelci.org reports failed builds on arc because of what looks
+like an old missed 'select' statement:
+
+net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
+xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'
+
+I don't see this in randconfig builds on other architectures, but
+it's fairly clear we want to select the hash code for it, like we
+do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
+is also required even though it has not popped up in build tests.
+
+Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms")
+Signed-off-by: Arnd Bergmann
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
+index 5d43aaa17027..831668ee8229 100644
+--- a/net/xfrm/Kconfig
++++ b/net/xfrm/Kconfig
+@@ -14,6 +14,8 @@ config XFRM_ALGO
+ tristate
+ select XFRM
+ select CRYPTO
++ select CRYPTO_HASH
++ select CRYPTO_BLKCIPHER
+
+ config XFRM_USER
+ tristate "Transformation user configuration interface"
+--
+2.20.1
+
diff --git a/queue-5.1/ipset-fix-memory-accounting-for-hash-types-on-resize.patch b/queue-5.1/ipset-fix-memory-accounting-for-hash-types-on-resize.patch
new file mode 100644
index 00000000000..43f24e185cc
--- /dev/null
+++ b/queue-5.1/ipset-fix-memory-accounting-for-hash-types-on-resize.patch
@@ -0,0 +1,82 @@
+From bddfe991cccfe441d9675d98b540aa3c17ea690f Mon Sep 17 00:00:00 2001
+From: Stefano Brivio
+Date: Sun, 26 May 2019 23:14:06 +0200
+Subject: ipset: Fix memory accounting for hash types on resize
+
+[ Upstream commit 11921796f4799ca9c61c4b22cc54d84aa69f8a35 ]
+
+If a fresh array block is allocated during resize, the current in-memory
+set size should be increased by the size of the block, not replaced by it.
+
+Before the fix, adding entries to a hash set type, leading to a table
+resize, caused an inconsistent memory size to be reported. This becomes
+more obvious when swapping sets with similar sizes:
+
+ # cat hash_ip_size.sh
+ #!/bin/sh
+ FAIL_RETRIES=10
+
+ tries=0
+ while [ ${tries} -lt ${FAIL_RETRIES} ]; do
+ ipset create t1 hash:ip
+ for i in `seq 1 4345`; do
+ ipset add t1 1.2.$((i / 255)).$((i % 255))
+ done
+ t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset create t2 hash:ip
+ for i in `seq 1 4360`; do
+ ipset add t2 1.2.$((i / 255)).$((i % 255))
+ done
+ t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset swap t1 t2
+ t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+ t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset destroy t1
+ ipset destroy t2
+ tries=$((tries + 1))
+
+ if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
+ echo "FAIL after ${tries} tries:"
+ echo "T1 size ${t1_init}, after swap ${t1_swap}"
+ echo "T2 size ${t2_init}, after swap ${t2_swap}"
+ exit 1
+ fi
+ done
+ echo "PASS"
+ # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
+ # ./hash_ip_size.sh
+ [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
+ [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
+ [ 2035.080353] Table destroy by resize 00000000fe6551fa
+ FAIL after 4 tries:
+ T1 size 9064, after swap 71128
+ T2 size 71128, after swap 9064
+
+Reported-by: NOYB
+Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace")
+Signed-off-by: Stefano Brivio
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 2c9609929c71..455804456008 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -625,7 +625,7 @@ mtype_resize(struct ip_set *set, bool retried)
+ goto cleanup;
+ }
+ m->size = AHASH_INIT_SIZE;
+- extsize = ext_size(AHASH_INIT_SIZE, dsize);
++ extsize += ext_size(AHASH_INIT_SIZE, dsize);
+ RCU_INIT_POINTER(hbucket(t, key), m);
+ } else if (m->pos >= m->size) {
+ struct hbucket *ht;
+--
+2.20.1
+
diff --git a/queue-5.1/ipvs-defer-hook-registration-to-avoid-leaks.patch b/queue-5.1/ipvs-defer-hook-registration-to-avoid-leaks.patch
new file mode 100644
index 00000000000..18b76a149fb
--- /dev/null
+++ b/queue-5.1/ipvs-defer-hook-registration-to-avoid-leaks.patch
@@ -0,0 +1,118 @@
+From d6c6f15a532ab04ddc527979ef2967567e7c67e8 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Tue, 4 Jun 2019 21:56:35 +0300
+Subject: ipvs: defer hook registration to avoid leaks
+
+[ Upstream commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 ]
+
+syzkaller reports for memory leak when registering hooks [1]
+
+As we moved the nf_unregister_net_hooks() call into
+__ip_vs_dev_cleanup(), defer the nf_register_net_hooks()
+call, so that hooks are allocated and freed from same
+pernet_operations (ipvs_core_dev_ops).
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff88810acd8a80 (size 96):
+ comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
+ hex dump (first 32 bytes):
+ 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P.......
+ 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w......
+ backtrace:
+ [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
+ [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
+ [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
+ [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
+ [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
+ [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
+ [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
+ [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
+ [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61
+ [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128
+ [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337
+ [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464
+ [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480
+ [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280
+ [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130
+ [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316
+ [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439
+ [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107
+ [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165
+ [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035
+ [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline]
+ [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369
+
+Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
+Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in")
+Signed-off-by: Julian Anastasov
+Acked-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/ip_vs_core.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 8ebf21149ec3..e72b51157cbb 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -2250,7 +2250,6 @@ static const struct nf_hook_ops ip_vs_ops[] = {
+ static int __net_init __ip_vs_init(struct net *net)
+ {
+ struct netns_ipvs *ipvs;
+- int ret;
+
+ ipvs = net_generic(net, ip_vs_net_id);
+ if (ipvs == NULL)
+@@ -2282,17 +2281,11 @@ static int __net_init __ip_vs_init(struct net *net)
+ if (ip_vs_sync_net_init(ipvs) < 0)
+ goto sync_fail;
+
+- ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+- if (ret < 0)
+- goto hook_fail;
+-
+ return 0;
+ /*
+ * Error handling
+ */
+
+-hook_fail:
+- ip_vs_sync_net_cleanup(ipvs);
+ sync_fail:
+ ip_vs_conn_net_cleanup(ipvs);
+ conn_fail:
+@@ -2322,6 +2315,19 @@ static void __net_exit __ip_vs_cleanup(struct net *net)
+ net->ipvs = NULL;
+ }
+
++static int __net_init __ip_vs_dev_init(struct net *net)
++{
++ int ret;
++
++ ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
++ if (ret < 0)
++ goto hook_fail;
++ return 0;
++
++hook_fail:
++ return ret;
++}
++
+ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+ {
+ struct netns_ipvs *ipvs = net_ipvs(net);
+@@ -2341,6 +2347,7 @@ static struct pernet_operations ipvs_core_ops = {
+ };
+
+ static struct pernet_operations ipvs_core_dev_ops = {
++ .init = __ip_vs_dev_init,
+ .exit = __ip_vs_dev_cleanup,
+ };
+
+--
+2.20.1
+
diff --git a/queue-5.1/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch b/queue-5.1/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch
new file mode 100644
index 00000000000..b5ccf3da0ca
--- /dev/null
+++ b/queue-5.1/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch
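Review bot: The new `__ip_vs_dev_init()` carries a `goto hook_fail` whose label does nothing but `return ret;`, which reads like a leftover of the error path this patch removes from `__ip_vs_init()`. Assuming nf_register_net_hooks() returns 0 or a negative errno, the body can be the single statement `return nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));` with no local variable. A short comment on the function would also help, for example `/* hooks are registered here so the same pernet_operations that unregisters them also allocates them */`, since that pairing is the whole reason for the move and is only stated in the commit message.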
@@ -0,0 +1,399 @@ +From 4572cd2511ada1acaabc9a011da5f8be996e41f9 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Tue, 18 Jun 2019 23:07:36 +0300 +Subject: ipvs: fix tinfo memory leak in start_sync_thread + +[ Upstream commit 5db7c8b9f9fc2aeec671ae3ca6375752c162e0e7 ] + +syzkaller reports for memory leak in start_sync_thread [1] + +As Eric points out, kthread may start and stop before the +threadfn function is called, so there is no chance the +data (tinfo in our case) to be released in thread. + +Fix this by releasing tinfo in the controlling code instead. + +[1] +BUG: memory leak +unreferenced object 0xffff8881206bf700 (size 32): + comm "syz-executor761", pid 7268, jiffies 4294943441 (age 20.470s) + hex dump (first 32 bytes): + 00 40 7c 09 81 88 ff ff 80 45 b8 21 81 88 ff ff .@|......E.!.... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000057619e23>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000057619e23>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000057619e23>] slab_alloc mm/slab.c:3326 [inline] + [<0000000057619e23>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<0000000086ce5479>] kmalloc include/linux/slab.h:547 [inline] + [<0000000086ce5479>] start_sync_thread+0x5d2/0xe10 net/netfilter/ipvs/ip_vs_sync.c:1862 + [<000000001a9229cc>] do_ip_vs_set_ctl+0x4c5/0x780 net/netfilter/ipvs/ip_vs_ctl.c:2402 + [<00000000ece457c8>] nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] + [<00000000ece457c8>] nf_setsockopt+0x4c/0x80 net/netfilter/nf_sockopt.c:115 + [<00000000942f62d4>] ip_setsockopt net/ipv4/ip_sockglue.c:1258 [inline] + [<00000000942f62d4>] ip_setsockopt+0x9b/0xb0 net/ipv4/ip_sockglue.c:1238 + [<00000000a56a8ffd>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<00000000fa895401>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 + [<0000000095eef4cf>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 + [<000000009747cf88>] __do_sys_setsockopt net/socket.c:2089 
[inline] + [<000000009747cf88>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<000000009747cf88>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<00000000ded8ba80>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<00000000893b4ac8>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+7e2e50c8adfccd2e5041@syzkaller.appspotmail.com +Suggested-by: Eric Biggers +Fixes: 998e7a76804b ("ipvs: Use kthread_run() instead of doing a double-fork via kernel_thread()") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 6 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 - + net/netfilter/ipvs/ip_vs_sync.c | 134 +++++++++++++++++--------------- + 3 files changed, 76 insertions(+), 68 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 047f9a5ccaad..1790bb41c964 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -803,11 +803,12 @@ struct ipvs_master_sync_state { + struct ip_vs_sync_buff *sync_buff; + unsigned long sync_queue_len; + unsigned int sync_queue_delay; +- struct task_struct *master_thread; + struct delayed_work master_wakeup_work; + struct netns_ipvs *ipvs; + }; + ++struct ip_vs_sync_thread_data; ++ + /* How much time to keep dests in trash */ + #define IP_VS_DEST_TRASH_PERIOD (120 * HZ) + +@@ -938,7 +939,8 @@ struct netns_ipvs { + spinlock_t sync_lock; + struct ipvs_master_sync_state *ms; + spinlock_t sync_buff_lock; +- struct task_struct **backup_threads; ++ struct ip_vs_sync_thread_data *master_tinfo; ++ struct ip_vs_sync_thread_data *backup_tinfo; + int threads_mask; + volatile int sync_state; + struct mutex sync_mutex; +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 053cd96b9c76..179e9d11e41b 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2382,9 +2382,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + 
cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { +- mutex_lock(&ipvs->sync_mutex); + ret = stop_sync_thread(ipvs, dm->state); +- mutex_unlock(&ipvs->sync_mutex); + } + goto out_dec; + } +@@ -3490,10 +3488,8 @@ static int ip_vs_genl_del_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) + if (!attrs[IPVS_DAEMON_ATTR_STATE]) + return -EINVAL; + +- mutex_lock(&ipvs->sync_mutex); + ret = stop_sync_thread(ipvs, + nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); +- mutex_unlock(&ipvs->sync_mutex); + return ret; + } + +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 2526be6b3d90..a4a78c4b06de 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -195,6 +195,7 @@ union ip_vs_sync_conn { + #define IPVS_OPT_F_PARAM (1 << (IPVS_OPT_PARAM-1)) + + struct ip_vs_sync_thread_data { ++ struct task_struct *task; + struct netns_ipvs *ipvs; + struct socket *sock; + char *buf; +@@ -374,8 +375,11 @@ static inline void sb_queue_tail(struct netns_ipvs *ipvs, + max(IPVS_SYNC_SEND_DELAY, 1)); + ms->sync_queue_len++; + list_add_tail(&sb->list, &ms->sync_queue); +- if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) +- wake_up_process(ms->master_thread); ++ if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) { ++ int id = (int)(ms - ipvs->ms); ++ ++ wake_up_process(ipvs->master_tinfo[id].task); ++ } + } else + ip_vs_sync_buff_release(sb); + spin_unlock(&ipvs->sync_lock); +@@ -1636,8 +1640,10 @@ static void master_wakeup_work_handler(struct work_struct *work) + spin_lock_bh(&ipvs->sync_lock); + if (ms->sync_queue_len && + ms->sync_queue_delay < IPVS_SYNC_WAKEUP_RATE) { ++ int id = (int)(ms - ipvs->ms); ++ + ms->sync_queue_delay = IPVS_SYNC_WAKEUP_RATE; +- wake_up_process(ms->master_thread); ++ wake_up_process(ipvs->master_tinfo[id].task); + } + spin_unlock_bh(&ipvs->sync_lock); + } +@@ -1703,10 +1709,6 @@ static int sync_thread_master(void *data) + if (sb) + 
ip_vs_sync_buff_release(sb); + +- /* release the sending multicast socket */ +- sock_release(tinfo->sock); +- kfree(tinfo); +- + return 0; + } + +@@ -1740,11 +1742,6 @@ static int sync_thread_backup(void *data) + } + } + +- /* release the sending multicast socket */ +- sock_release(tinfo->sock); +- kfree(tinfo->buf); +- kfree(tinfo); +- + return 0; + } + +@@ -1752,8 +1749,8 @@ static int sync_thread_backup(void *data) + int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + int state) + { +- struct ip_vs_sync_thread_data *tinfo = NULL; +- struct task_struct **array = NULL, *task; ++ struct ip_vs_sync_thread_data *ti = NULL, *tinfo; ++ struct task_struct *task; + struct net_device *dev; + char *name; + int (*threadfn)(void *data); +@@ -1822,7 +1819,7 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + threadfn = sync_thread_master; + } else if (state == IP_VS_STATE_BACKUP) { + result = -EEXIST; +- if (ipvs->backup_threads) ++ if (ipvs->backup_tinfo) + goto out_early; + + ipvs->bcfg = *c; +@@ -1849,28 +1846,22 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + master_wakeup_work_handler); + ms->ipvs = ipvs; + } +- } else { +- array = kcalloc(count, sizeof(struct task_struct *), +- GFP_KERNEL); +- result = -ENOMEM; +- if (!array) +- goto out; + } ++ result = -ENOMEM; ++ ti = kcalloc(count, sizeof(struct ip_vs_sync_thread_data), ++ GFP_KERNEL); ++ if (!ti) ++ goto out; + + for (id = 0; id < count; id++) { +- result = -ENOMEM; +- tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); +- if (!tinfo) +- goto out; ++ tinfo = &ti[id]; + tinfo->ipvs = ipvs; +- tinfo->sock = NULL; + if (state == IP_VS_STATE_BACKUP) { ++ result = -ENOMEM; + tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, + GFP_KERNEL); + if (!tinfo->buf) + goto out; +- } else { +- tinfo->buf = NULL; + } + tinfo->id = id; + if (state == IP_VS_STATE_MASTER) +@@ -1885,17 +1876,15 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct 
ipvs_sync_daemon_cfg *c, + result = PTR_ERR(task); + goto out; + } +- tinfo = NULL; +- if (state == IP_VS_STATE_MASTER) +- ipvs->ms[id].master_thread = task; +- else +- array[id] = task; ++ tinfo->task = task; + } + + /* mark as active */ + +- if (state == IP_VS_STATE_BACKUP) +- ipvs->backup_threads = array; ++ if (state == IP_VS_STATE_MASTER) ++ ipvs->master_tinfo = ti; ++ else ++ ipvs->backup_tinfo = ti; + spin_lock_bh(&ipvs->sync_buff_lock); + ipvs->sync_state |= state; + spin_unlock_bh(&ipvs->sync_buff_lock); +@@ -1910,29 +1899,31 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + + out: + /* We do not need RTNL lock anymore, release it here so that +- * sock_release below and in the kthreads can use rtnl_lock +- * to leave the mcast group. ++ * sock_release below can use rtnl_lock to leave the mcast group. + */ + rtnl_unlock(); +- count = id; +- while (count-- > 0) { +- if (state == IP_VS_STATE_MASTER) +- kthread_stop(ipvs->ms[count].master_thread); +- else +- kthread_stop(array[count]); ++ id = min(id, count - 1); ++ if (ti) { ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->task) ++ kthread_stop(tinfo->task); ++ } + } + if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { + kfree(ipvs->ms); + ipvs->ms = NULL; + } + mutex_unlock(&ipvs->sync_mutex); +- if (tinfo) { +- if (tinfo->sock) +- sock_release(tinfo->sock); +- kfree(tinfo->buf); +- kfree(tinfo); ++ ++ /* No more mutexes, release socks */ ++ if (ti) { ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->sock) ++ sock_release(tinfo->sock); ++ kfree(tinfo->buf); ++ } ++ kfree(ti); + } +- kfree(array); + return result; + + out_early: +@@ -1944,15 +1935,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + + int stop_sync_thread(struct netns_ipvs *ipvs, int state) + { +- struct task_struct **array; ++ struct ip_vs_sync_thread_data *ti, *tinfo; + int id; + int retc = -EINVAL; + + IP_VS_DBG(7, "%s(): pid %d\n", __func__, 
task_pid_nr(current)); + ++ mutex_lock(&ipvs->sync_mutex); + if (state == IP_VS_STATE_MASTER) { ++ retc = -ESRCH; + if (!ipvs->ms) +- return -ESRCH; ++ goto err; ++ ti = ipvs->master_tinfo; + + /* + * The lock synchronizes with sb_queue_tail(), so that we don't +@@ -1971,38 +1965,56 @@ int stop_sync_thread(struct netns_ipvs *ipvs, int state) + struct ipvs_master_sync_state *ms = &ipvs->ms[id]; + int ret; + ++ tinfo = &ti[id]; + pr_info("stopping master sync thread %d ...\n", +- task_pid_nr(ms->master_thread)); ++ task_pid_nr(tinfo->task)); + cancel_delayed_work_sync(&ms->master_wakeup_work); +- ret = kthread_stop(ms->master_thread); ++ ret = kthread_stop(tinfo->task); + if (retc >= 0) + retc = ret; + } + kfree(ipvs->ms); + ipvs->ms = NULL; ++ ipvs->master_tinfo = NULL; + } else if (state == IP_VS_STATE_BACKUP) { +- if (!ipvs->backup_threads) +- return -ESRCH; ++ retc = -ESRCH; ++ if (!ipvs->backup_tinfo) ++ goto err; ++ ti = ipvs->backup_tinfo; + + ipvs->sync_state &= ~IP_VS_STATE_BACKUP; +- array = ipvs->backup_threads; + retc = 0; + for (id = ipvs->threads_mask; id >= 0; id--) { + int ret; + ++ tinfo = &ti[id]; + pr_info("stopping backup sync thread %d ...\n", +- task_pid_nr(array[id])); +- ret = kthread_stop(array[id]); ++ task_pid_nr(tinfo->task)); ++ ret = kthread_stop(tinfo->task); + if (retc >= 0) + retc = ret; + } +- kfree(array); +- ipvs->backup_threads = NULL; ++ ipvs->backup_tinfo = NULL; ++ } else { ++ goto err; + } ++ id = ipvs->threads_mask; ++ mutex_unlock(&ipvs->sync_mutex); ++ ++ /* No more mutexes, release socks */ ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->sock) ++ sock_release(tinfo->sock); ++ kfree(tinfo->buf); ++ } ++ kfree(ti); + + /* decrease the module use count */ + ip_vs_use_count_dec(); ++ return retc; + ++err: ++ mutex_unlock(&ipvs->sync_mutex); + return retc; + } + +@@ -2021,7 +2033,6 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs) + { + int retc; + +- mutex_lock(&ipvs->sync_mutex); + retc = 
stop_sync_thread(ipvs, IP_VS_STATE_MASTER); + if (retc && retc != -ESRCH) + pr_err("Failed to stop Master Daemon\n"); +@@ -2029,5 +2040,4 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs) + retc = stop_sync_thread(ipvs, IP_VS_STATE_BACKUP); + if (retc && retc != -ESRCH) + pr_err("Failed to stop Backup Daemon\n"); +- mutex_unlock(&ipvs->sync_mutex); + } +-- +2.20.1 + diff --git a/queue-5.1/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch b/queue-5.1/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch new file mode 100644 index 00000000000..fa4a1af5bae --- /dev/null +++ b/queue-5.1/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch 
@@ -0,0 +1,44 @@ +From 338d3bc4bc0dcefce45a13a4041d170138314ecd Mon Sep 17 00:00:00 2001 +From: Xingyu Chen +Date: Sat, 8 Jun 2019 21:04:10 +0200 +Subject: irqchip/meson-gpio: Add support for Meson-G12A SoC + +[ Upstream commit c64a9e804ccf86eb202bfd1c6a8c5233c75a0431 ] + +The Meson-G12A SoC uses the same GPIO interrupt controller IP block as the +other Meson SoCs, A totle of 100 pins can be spied on, which is the sum of: + +- 223:100 undefined (no interrupt) +- 99:97 3 pins on bank GPIOE +- 96:77 20 pins on bank GPIOX +- 76:61 16 pins on bank GPIOA +- 60:53 8 pins on bank GPIOC +- 52:37 16 pins on bank BOOT +- 36:28 9 pins on bank GPIOH +- 27:12 16 pins on bank GPIOZ +- 11:0 12 pins in the AO domain + +Signed-off-by: Xingyu Chen +Signed-off-by: Jianxin Pan +Signed-off-by: Martin Blumenstingl +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-meson-gpio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-meson-gpio.c b/drivers/irqchip/irq-meson-gpio.c +index 7b531fd075b8..7599b10ecf09 100644 +--- a/drivers/irqchip/irq-meson-gpio.c ++++ b/drivers/irqchip/irq-meson-gpio.c +@@ -73,6 +73,7 @@ static const struct of_device_id meson_irq_gpio_matches[] = { + { .compatible = "amlogic,meson-gxbb-gpio-intc", .data = &gxbb_params }, + { .compatible = "amlogic,meson-gxl-gpio-intc", .data = &gxl_params }, + { .compatible = "amlogic,meson-axg-gpio-intc", .data = &axg_params }, ++ { .compatible = "amlogic,meson-g12a-gpio-intc", .data = &axg_params }, + { } + }; + +-- +2.20.1 + diff --git a/queue-5.1/iwlwifi-dbg-fix-debug-monitor-stop-and-restart-delay.patch b/queue-5.1/iwlwifi-dbg-fix-debug-monitor-stop-and-restart-delay.patch new file mode 100644 index 00000000000..161d2b58f98 --- /dev/null +++ b/queue-5.1/iwlwifi-dbg-fix-debug-monitor-stop-and-restart-delay.patch 
@@ -0,0 +1,67 @@ +From 733defbe41ff136edb916829520acc61c5586012 Mon Sep 17 00:00:00 2001 +From: Shahar S Matityahu +Date: Thu, 16 May 2019 10:31:17 +0300 +Subject: iwlwifi: dbg: fix debug monitor stop and restart delays + +[ Upstream commit fc838c775f35e272e5cc7ef43853f0b55babbe37 ] + +The driver should delay only in recording stop flow between writing to +DBGC_IN_SAMPLE register and DBGC_OUT_CTRL register. Any other delay is +not needed. + +Change the following: +1. Remove any unnecessary delays in the flow +2. Increase the delay in the stop recording flow since 100 micro is + not enough +3. Use usleep_range instead of delay since the driver is allowed to + sleep in this flow. + +Signed-off-by: Shahar S Matityahu +Fixes: 5cfe79c8d92a ("iwlwifi: fw: stop and start debugging using host command") +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 2 -- + drivers/net/wireless/intel/iwlwifi/fw/dbg.h | 6 ++++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index d7380016f1c0..c30f626b1602 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -2146,8 +2146,6 @@ void iwl_fw_dbg_collect_sync(struct iwl_fw_runtime *fwrt) + /* start recording again if the firmware is not crashed */ + if (!test_bit(STATUS_FW_ERROR, &fwrt->trans->status) && + fwrt->fw->dbg.dest_tlv) { +- /* wait before we collect the data till the DBGC stop */ +- udelay(500); + iwl_fw_dbg_restart_recording(fwrt, ¶ms); + } + } +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h +index a199056234d3..97fcd57e17d8 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h +@@ -297,7 +297,10 @@ _iwl_fw_dbg_stop_recording(struct iwl_trans *trans, + } + + iwl_write_umac_prph(trans, 
DBGC_IN_SAMPLE, 0); +- udelay(100); ++ /* wait for the DBGC to finish writing the internal buffer to DRAM to ++ * avoid halting the HW while writing ++ */ ++ usleep_range(700, 1000); + iwl_write_umac_prph(trans, DBGC_OUT_CTRL, 0); + #ifdef CONFIG_IWLWIFI_DEBUGFS + trans->dbg_rec_on = false; +@@ -327,7 +330,6 @@ _iwl_fw_dbg_restart_recording(struct iwl_trans *trans, + iwl_set_bits_prph(trans, MON_BUFF_SAMPLE_CTL, 0x1); + } else { + iwl_write_umac_prph(trans, DBGC_IN_SAMPLE, params->in_sample); +- udelay(100); + iwl_write_umac_prph(trans, DBGC_OUT_CTRL, params->out_ctrl); + } + } +-- +2.20.1 + diff --git a/queue-5.1/iwlwifi-mvm-drop-large-non-sta-frames.patch b/queue-5.1/iwlwifi-mvm-drop-large-non-sta-frames.patch new file mode 100644 index 00000000000..27d54edfd6b --- /dev/null +++ b/queue-5.1/iwlwifi-mvm-drop-large-non-sta-frames.patch 
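Review bot: In `_iwl_fw_dbg_stop_recording()` (fw/dbg.h) the new `usleep_range(700, 1000)` makes a header inline helper sleep, and nothing in the code records that every caller must now be in process context. The commit message says sleeping is allowed in this flow, but a later caller that holds a spinlock or runs in interrupt context would only be caught at run time, and only if it reaches this statement. I would add `might_sleep();` at the top of the helper and extend the new comment with `this helper may sleep; do not call it from atomic context`. The start of the function is outside the hunk, so whether there are paths that return before the sleep should be checked against the full body.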
@@ -0,0 +1,39 @@ +From 395860ef8dcb1795355c61aae36dd9818f6dbedc Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Mon, 15 Apr 2019 16:45:04 +0300 +Subject: iwlwifi: mvm: Drop large non sta frames + +[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ] + +In some buggy scenarios we could possible attempt to transmit frames larger +than maximum MSDU size. Since our devices don't know how to handle this, +it may result in asserts, hangs etc. +This can happen, for example, when we receive a large multicast frame +and try to transmit it back to the air in AP mode. +Since in a legal scenario this should never happen, drop such frames and +warn about it. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index 0c2aabc842f9..96f8d38ea321 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -726,6 +726,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb) + + memcpy(&info, skb->cb, sizeof(info)); + ++ if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen)) ++ return -1; ++ + if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU)) + return -1; + +-- +2.20.1 + diff --git a/queue-5.1/ixgbe-avoid-null-pointer-dereference-with-vf-on-non-.patch b/queue-5.1/ixgbe-avoid-null-pointer-dereference-with-vf-on-non-.patch new file mode 100644 index 00000000000..e11244489b4 --- /dev/null +++ b/queue-5.1/ixgbe-avoid-null-pointer-dereference-with-vf-on-non-.patch 
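Review bot: The new length check in `iwl_mvm_tx_skb_non_sta()` uses `WARN_ON_ONCE` for a condition that, per the commit message, can be reached when a large multicast frame is received and retransmitted in AP mode, so a peer on the air can influence whether it fires. On hosts that run with `panic_on_warn` a warning on such a path becomes a reboot, and elsewhere it prints one stack trace and then stays silent about every later drop. I would drop the frame with a rate-limited log line instead, for example `if (skb->len > IEEE80211_MAX_DATA_LEN + hdrlen) { net_warn_ratelimited("iwlwifi: dropping oversized non-STA frame\n"); return -1; }`. `hdrlen` is defined outside the hunk and the function body continues past it, so the placement relative to its computation should be confirmed.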
@@ -0,0 +1,91 @@ +From c62995b6486ee157b05d2f3907d4378e3e7d7e89 Mon Sep 17 00:00:00 2001 +From: Dann Frazier +Date: Wed, 22 May 2019 17:22:58 -0600 +Subject: ixgbe: Avoid NULL pointer dereference with VF on non-IPsec hw + +[ Upstream commit 92924064106e410cdc015f1dbfc0499309f9f5b1 ] + +An ipsec structure will not be allocated if the hardware does not support +offload. Fixes the following Oops: + +[ 191.045452] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 191.054232] Mem abort info: +[ 191.057014] ESR = 0x96000004 +[ 191.060057] Exception class = DABT (current EL), IL = 32 bits +[ 191.065963] SET = 0, FnV = 0 +[ 191.069004] EA = 0, S1PTW = 0 +[ 191.072132] Data abort info: +[ 191.074999] ISV = 0, ISS = 0x00000004 +[ 191.078822] CM = 0, WnR = 0 +[ 191.081780] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000043d9e467 +[ 191.088382] [0000000000000000] pgd=0000000000000000 +[ 191.093252] Internal error: Oops: 96000004 [#1] SMP +[ 191.098119] Modules linked in: vhost_net vhost tap vfio_pci vfio_virqfd vfio_iommu_type1 vfio xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter devlink ebtables ip6table_filter ip6_tables iptable_filter bpfilter ipmi_ssif nls_iso8859_1 input_leds joydev ipmi_si hns_roce_hw_v2 ipmi_devintf hns_roce ipmi_msghandler cppc_cpufreq sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 ses enclosure btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor hid_generic usbhid hid raid6_pq libcrc32c raid1 raid0 multipath linear ixgbevf hibmc_drm ttm +[ 191.168607] drm_kms_helper aes_ce_blk aes_ce_cipher syscopyarea crct10dif_ce sysfillrect ghash_ce qla2xxx sysimgblt sha2_ce sha256_arm64 hisi_sas_v3_hw fb_sys_fops sha1_ce uas nvme_fc mpt3sas ixgbe drm 
hisi_sas_main nvme_fabrics usb_storage hclge scsi_transport_fc ahci libsas hnae3 raid_class libahci xfrm_algo scsi_transport_sas mdio aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64 +[ 191.202952] CPU: 94 PID: 0 Comm: swapper/94 Not tainted 4.19.0-rc1+ #11 +[ 191.209553] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.20.01 04/26/2019 +[ 191.218064] pstate: 20400089 (nzCv daIf +PAN -UAO) +[ 191.222873] pc : ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe] +[ 191.228093] lr : ixgbe_msg_task+0x2d0/0x1088 [ixgbe] +[ 191.233044] sp : ffff000009b3bcd0 +[ 191.236346] x29: ffff000009b3bcd0 x28: 0000000000000000 +[ 191.241647] x27: ffff000009628000 x26: 0000000000000000 +[ 191.246946] x25: ffff803f652d7600 x24: 0000000000000004 +[ 191.252246] x23: ffff803f6a718900 x22: 0000000000000000 +[ 191.257546] x21: 0000000000000000 x20: 0000000000000000 +[ 191.262845] x19: 0000000000000000 x18: 0000000000000000 +[ 191.268144] x17: 0000000000000000 x16: 0000000000000000 +[ 191.273443] x15: 0000000000000000 x14: 0000000100000026 +[ 191.278742] x13: 0000000100000025 x12: ffff8a5f7fbe0df0 +[ 191.284042] x11: 000000010000000b x10: 0000000000000040 +[ 191.289341] x9 : 0000000000001100 x8 : ffff803f6a824fd8 +[ 191.294640] x7 : ffff803f6a825098 x6 : 0000000000000001 +[ 191.299939] x5 : ffff000000f0ffc0 x4 : 0000000000000000 +[ 191.305238] x3 : ffff000028c00000 x2 : ffff803f652d7600 +[ 191.310538] x1 : 0000000000000000 x0 : ffff000000f205f0 +[ 191.315838] Process swapper/94 (pid: 0, stack limit = 0x00000000addfed5a) +[ 191.322613] Call trace: +[ 191.325055] ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe] +[ 191.329927] ixgbe_msg_task+0x2d0/0x1088 [ixgbe] +[ 191.334536] ixgbe_msix_other+0x274/0x330 [ixgbe] +[ 191.339233] __handle_irq_event_percpu+0x78/0x270 +[ 191.343924] handle_irq_event_percpu+0x40/0x98 +[ 191.348355] handle_irq_event+0x50/0xa8 +[ 191.352180] handle_fasteoi_irq+0xbc/0x148 +[ 191.356263] generic_handle_irq+0x34/0x50 +[ 191.360259] __handle_domain_irq+0x68/0xc0 +[ 
191.364343] gic_handle_irq+0x84/0x180 +[ 191.368079] el1_irq+0xe8/0x180 +[ 191.371208] arch_cpu_idle+0x30/0x1a8 +[ 191.374860] do_idle+0x1dc/0x2a0 +[ 191.378077] cpu_startup_entry+0x2c/0x30 +[ 191.381988] secondary_start_kernel+0x150/0x1e0 +[ 191.386506] Code: 6b15003f 54000320 f1404a9f 54000060 (79400260) + +Fixes: eda0333ac2930 ("ixgbe: add VF IPsec management") +Signed-off-by: Dann Frazier +Acked-by: Shannon Nelson +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +index ff85ce5791a3..31629fc7e820 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +@@ -842,6 +842,9 @@ void ixgbe_ipsec_vf_clear(struct ixgbe_adapter *adapter, u32 vf) + struct ixgbe_ipsec *ipsec = adapter->ipsec; + int i; + ++ if (!ipsec) ++ return; ++ + /* search rx sa table */ + for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT && ipsec->num_rx_sa; i++) { + if (!ipsec->rx_tbl[i].used) +-- +2.20.1 + diff --git a/queue-5.1/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch b/queue-5.1/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch new file mode 100644 index 00000000000..9a0f4d8595b --- /dev/null +++ b/queue-5.1/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch 
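Review bot: The new `if (!ipsec) return;` guard in `ixgbe_ipsec_vf_clear()` carries no comment saying why `adapter->ipsec` can legitimately be NULL, and the call trace in the commit message shows the function is reached from `ixgbe_msg_task`, i.e. while servicing a VF mailbox message. I would add `/* adapter->ipsec is not allocated when the hardware lacks IPsec offload */` above the check so the guard is not later removed as dead code. The other VF-facing IPsec handlers are not visible in this hunk; it is worth confirming that each one either has the same guard or is gated on a flag that implies the structure exists, since the trigger sits on the VF side. The function body continues past the hunk.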
@@ -0,0 +1,63 @@ +From ec126b552e561f9c239b518b67f2272e47391119 Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" +Date: Thu, 23 May 2019 16:11:12 -0300 +Subject: ixgbe: Check DDM existence in transceiver before access + +[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ] + +Some transceivers may comply with SFF-8472 but not implement the Digital +Diagnostic Monitoring (DDM) interface described in it. The existence of +such area is specified by bit 6 of byte 92, set to 1 if implemented. + +Currently, due to not checking this bit ixgbe fails trying to read SFP +module's eeprom with the follow message: + +ethtool -m enP51p1s0f0 +Cannot get Module EEPROM data: Input/output error + +Because it fails to read the additional 256 bytes in which it was assumed +to exist the DDM data. + +This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom +data was confirmed by Mellanox as correct and present in other Passive +DACs in from other manufacturers. + +Signed-off-by: "Mauro S. M. 
Rodrigues" +Reviewed-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++- + drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index acba067cc15a..7c52ae8ac005 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -3226,7 +3226,8 @@ static int ixgbe_get_module_info(struct net_device *dev, + page_swap = true; + } + +- if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) { ++ if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap || ++ !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) { + /* We have a SFP, but it does not support SFF-8472 */ + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +index 214b01085718..6544c4539c0d 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +@@ -45,6 +45,7 @@ + #define IXGBE_SFF_SOFT_RS_SELECT_10G 0x8 + #define IXGBE_SFF_SOFT_RS_SELECT_1G 0x0 + #define IXGBE_SFF_ADDRESSING_MODE 0x4 ++#define IXGBE_SFF_DDM_IMPLEMENTED 0x40 + #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE 0x1 + #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE 0x8 + #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE 0x23 +-- +2.20.1 + diff --git a/queue-5.1/libata-don-t-request-sense-data-on-zac-ata-devices.patch b/queue-5.1/libata-don-t-request-sense-data-on-zac-ata-devices.patch new file mode 100644 index 00000000000..3da9a71470a --- /dev/null +++ b/queue-5.1/libata-don-t-request-sense-data-on-zac-ata-devices.patch 
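Review bot: In `ixgbe_get_module_info()` the comment under the widened condition still reads `We have a SFP, but it does not support SFF-8472`, which is not true for the case this patch adds: the module reports an SFF-8472 revision but does not implement the DDM area. I would reword it to `/* SFP without a usable SFF-8472 diagnostics page: no 8472 support, page swap required, or DDM not implemented */`. `IXGBE_SFF_DDM_IMPLEMENTED` in ixgbe_phy.h would also benefit from a short comment tying it to bit 6 of byte 92, as the commit message does, because it sits in a list of unrelated masks. The function starts and ends outside the hunk.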
@@ -0,0 +1,68 @@ +From 8bfee76824fa879f7441f23c72831bc3df707107 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 24 Jun 2019 09:32:50 -0700 +Subject: libata: don't request sense data on !ZAC ATA devices + +[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ] + +ZAC support added sense data requesting on error for both ZAC and ATA +devices. This seems to cause erratic error handling behaviors on some +SSDs where the device reports sense data availability and then +delivers the wrong content making EH take the wrong actions. The +failure mode was sporadic on a LITE-ON ssd and couldn't be reliably +reproduced. + +There is no value in requesting sense data from non-ZAC ATA devices +while there's a significant risk of introducing EH misbehaviors which +are difficult to reproduce and fix. Let's do the sense data dancing +only for ZAC devices. + +Reviewed-by: Hannes Reinecke +Tested-by: Masato Suzuki +Reviewed-by: Damien Le Moal +Signed-off-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 938ed513b070..6215680418c4 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1486,7 +1486,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev, + tf->hob_lbah = buf[10]; + tf->nsect = buf[12]; + tf->hob_nsect = buf[13]; +- if (ata_id_has_ncq_autosense(dev->id)) ++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id)) + tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16]; + + return 0; +@@ -1733,7 +1733,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link) + memcpy(&qc->result_tf, &tf, sizeof(tf)); + qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48; + qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ; +- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) { ++ if (dev->class == ATA_DEV_ZAC && ++ 
((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) { + char sense_key, asc, ascq; + + sense_key = (qc->result_tf.auxiliary >> 16) & 0xff; +@@ -1787,10 +1788,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc, + } + + switch (qc->dev->class) { +- case ATA_DEV_ATA: + case ATA_DEV_ZAC: + if (stat & ATA_SENSE) + ata_eh_request_sense(qc, qc->scsicmd); ++ /* fall through */ ++ case ATA_DEV_ATA: + if (err & ATA_ICRC) + qc->err_mask |= AC_ERR_ATA_BUS; + if (err & (ATA_UNC | ATA_AMNF)) +-- +2.20.1 + diff --git a/queue-5.1/libbpf-fix-another-gcc8-warning-for-strncpy.patch b/queue-5.1/libbpf-fix-another-gcc8-warning-for-strncpy.patch new file mode 100644 index 00000000000..973c3735048 --- /dev/null +++ b/queue-5.1/libbpf-fix-another-gcc8-warning-for-strncpy.patch @@ -0,0 +1,36 @@ +From e4b9384774c282f4ee8fa556d2fdb508824d4803 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Mon, 15 Jul 2019 20:57:03 -0700 +Subject: libbpf: fix another GCC8 warning for strncpy + +[ Upstream commit 763ff0e7d9c72e7094b31e7fb84a859be9325635 ] + +Similar issue was fixed in cdfc7f888c2a ("libbpf: fix GCC8 warning for +strncpy") already. This one was missed. Fixing now. + +Cc: Magnus Karlsson +Signed-off-by: Andrii Nakryiko +Acked-by: Magnus Karlsson +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/xsk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c +index 1fe0e1eec738..4ecd33ff46ec 100644 +--- a/tools/lib/bpf/xsk.c ++++ b/tools/lib/bpf/xsk.c +@@ -560,7 +560,8 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname, + err = -errno; + goto out_socket; + } +- strncpy(xsk->ifname, ifname, IFNAMSIZ); ++ strncpy(xsk->ifname, ifname, IFNAMSIZ - 1); ++ xsk->ifname[IFNAMSIZ - 1] = '\0'; + + err = xsk_set_xdp_socket_config(&xsk->config, usr_config); + if (err) +-- +2.20.1 + 
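Review bot: The `dev->class == ATA_DEV_ZAC` test is now open-coded at three sites in libata-eh.c (`ata_eh_read_log_10h()`, `ata_eh_analyze_ncq_error()` and the reordered `switch` in `ata_eh_analyze_tf()`) with no comment in the code explaining why a non-ZAC device that advertises sense data is deliberately ignored. The reason exists only in the commit message (some SSDs report sense data and then deliver wrong content), so a later cleanup could easily restore the old behaviour. I would add at the first site `/* only ZAC devices are asked for sense data; some ATA SSDs advertise it but return wrong content */`. In `ata_eh_read_log_10h()` `tf->auxiliary` is now left unwritten for non-ZAC devices, so it relies on the caller having zeroed `tf`, which is not visible here. All three functions extend beyond the hunks shown.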
diff --git a/queue-5.1/libbpf-fix-gcc8-warning-for-strncpy.patch b/queue-5.1/libbpf-fix-gcc8-warning-for-strncpy.patch new file mode 100644 index 00000000000..40c53ad3120 --- /dev/null +++ b/queue-5.1/libbpf-fix-gcc8-warning-for-strncpy.patch @@ -0,0 +1,39 @@ +From 7bad00c613405abad45bbf8e204c010221785fb5 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Tue, 2 Jul 2019 08:16:20 -0700 +Subject: libbpf: fix GCC8 warning for strncpy + +[ Upstream commit cdfc7f888c2a355b01308e97c6df108f1c2b64e8 ] + +GCC8 started emitting warning about using strncpy with number of bytes +exactly equal destination size, which is generally unsafe, as can lead +to non-zero terminated string being copied. Use IFNAMSIZ - 1 as number +of bytes to ensure name is always zero-terminated. + +Signed-off-by: Andrii Nakryiko +Cc: Magnus Karlsson +Acked-by: Yonghong Song +Acked-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/xsk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c +index af5f310ecca1..1fe0e1eec738 100644 +--- a/tools/lib/bpf/xsk.c ++++ b/tools/lib/bpf/xsk.c +@@ -336,7 +336,8 @@ static int xsk_get_max_queues(struct xsk_socket *xsk) + + channels.cmd = ETHTOOL_GCHANNELS; + ifr.ifr_data = (void *)&channels; +- strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ); ++ strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ - 1); ++ ifr.ifr_name[IFNAMSIZ - 1] = '\0'; + err = ioctl(fd, SIOCETHTOOL, &ifr); + if (err && errno != EOPNOTSUPP) { + ret = -errno; +-- +2.20.1 + diff --git a/queue-5.1/lightnvm-pblk-fix-freeing-of-merged-pages.patch b/queue-5.1/lightnvm-pblk-fix-freeing-of-merged-pages.patch new file mode 100644 index 00000000000..954e10dc4f5 --- /dev/null +++ b/queue-5.1/lightnvm-pblk-fix-freeing-of-merged-pages.patch 
@@ -0,0 +1,54 @@ +From e1120ebb50c8b94c41204a0c012cbaecab0ecb80 Mon Sep 17 00:00:00 2001 +From: Heiner Litz +Date: Fri, 21 Jun 2019 11:11:59 +0200 +Subject: lightnvm: pblk: fix freeing of merged pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 510fd8ea98fcb586c01aef93d87c060a159ac30a ] + +bio_add_pc_page() may merge pages when a bio is padded due to a flush. +Fix iteration over the bio to free the correct pages in case of a merge. + +Signed-off-by: Heiner Litz +Reviewed-by: Javier González +Signed-off-by: Matias Bjørling +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/lightnvm/pblk-core.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/lightnvm/pblk-core.c b/drivers/lightnvm/pblk-core.c +index 6ca868868fee..7393d64757a1 100644 +--- a/drivers/lightnvm/pblk-core.c ++++ b/drivers/lightnvm/pblk-core.c +@@ -323,14 +323,16 @@ void pblk_free_rqd(struct pblk *pblk, struct nvm_rq *rqd, int type) + void pblk_bio_free_pages(struct pblk *pblk, struct bio *bio, int off, + int nr_pages) + { +- struct bio_vec bv; +- int i; +- +- WARN_ON(off + nr_pages != bio->bi_vcnt); +- +- for (i = off; i < nr_pages + off; i++) { +- bv = bio->bi_io_vec[i]; +- mempool_free(bv.bv_page, &pblk->page_bio_pool); ++ struct bio_vec *bv; ++ struct page *page; ++ int i, e, nbv = 0; ++ ++ for (i = 0; i < bio->bi_vcnt; i++) { ++ bv = &bio->bi_io_vec[i]; ++ page = bv->bv_page; ++ for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++) ++ if (nbv >= off) ++ mempool_free(page++, &pblk->page_bio_pool); + } + } + +-- +2.20.1 + diff --git a/queue-5.1/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch b/queue-5.1/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch new file mode 100644 index 00000000000..cdf7d1b2578 --- /dev/null +++ b/queue-5.1/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch 
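Review bot: After this rewrite `pblk_bio_free_pages()` no longer uses its `nr_pages` argument, and the removed `WARN_ON(off + nr_pages != bio->bi_vcnt)` is not replaced by any check, so the function returns every page from index `off` to the end of the bio to the pool regardless of what the caller asked for. In addition `page` is advanced only when a page is freed (`mempool_free(page++, ...)`), so if `off` falls inside a merged bvec the pages handed back are the first ones of that bvec rather than those at and after `off`; whether a bvec can straddle `off` depends on callers not visible here. I would advance `page` in the loop header and bound the count, assuming callers pass `nr_pages` as a page count: `for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++, page++)` with `if (nbv >= off && nbv < off + nr_pages) mempool_free(page, &pblk->page_bio_pool);`. Freeing a page that did not come from `page_bio_pool` corrupts the pool, so the bound is worth having even if today's callers always pad to the end of the bio.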
@@ -0,0 +1,102 @@ +From d3e69d2d7d5c1567ff4f3106a9da5bbd47c61c04 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 May 2019 23:15:09 +0300 +Subject: locking/lockdep: Fix merging of hlocks with non-zero references + +[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ] + +The sequence + + static DEFINE_WW_CLASS(test_ww_class); + + struct ww_acquire_ctx ww_ctx; + struct ww_mutex ww_lock_a; + struct ww_mutex ww_lock_b; + struct ww_mutex ww_lock_c; + struct mutex lock_c; + + ww_acquire_init(&ww_ctx, &test_ww_class); + + ww_mutex_init(&ww_lock_a, &test_ww_class); + ww_mutex_init(&ww_lock_b, &test_ww_class); + ww_mutex_init(&ww_lock_c, &test_ww_class); + + mutex_init(&lock_c); + + ww_mutex_lock(&ww_lock_a, &ww_ctx); + + mutex_lock(&lock_c); + + ww_mutex_lock(&ww_lock_b, &ww_ctx); + ww_mutex_lock(&ww_lock_c, &ww_ctx); + + mutex_unlock(&lock_c); (*) + + ww_mutex_unlock(&ww_lock_c); + ww_mutex_unlock(&ww_lock_b); + ww_mutex_unlock(&ww_lock_a); + + ww_acquire_fini(&ww_ctx); (**) + +will trigger the following error in __lock_release() when calling +mutex_release() at **: + + DEBUG_LOCKS_WARN_ON(depth <= 0) + +The problem is that the hlock merging happening at * updates the +references for test_ww_class incorrectly to 3 whereas it should've +updated it to 4 (representing all the instances for ww_ctx and +ww_lock_[abc]). + +Fix this by updating the references during merging correctly taking into +account that we can have non-zero references (both for the hlock that we +merge into another hlock or for the hlock we are merging into). 
+ +Signed-off-by: Imre Deak +Signed-off-by: Peter Zijlstra (Intel) +Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 2ecc12cd11d0..89b3f38a57f3 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3611,17 +3611,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass, + if (depth) { + hlock = curr->held_locks + depth - 1; + if (hlock->class_idx == class_idx && nest_lock) { +- if (hlock->references) { +- /* +- * Check: unsigned int references:12, overflow. +- */ +- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1)) +- return 0; ++ if (!references) ++ references++; + ++ if (!hlock->references) + hlock->references++; +- } else { +- hlock->references = 2; +- } ++ ++ hlock->references += references; ++ ++ /* Overflow */ ++ if (DEBUG_LOCKS_WARN_ON(hlock->references < references)) ++ return 0; + + return 2; + } +-- +2.20.1 + diff --git a/queue-5.1/locking-lockdep-fix-ooo-unlock-when-hlocks-need-merg.patch b/queue-5.1/locking-lockdep-fix-ooo-unlock-when-hlocks-need-merg.patch new file mode 100644 index 00000000000..665f7399288 --- /dev/null +++ b/queue-5.1/locking-lockdep-fix-ooo-unlock-when-hlocks-need-merg.patch 
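Review bot: The overflow test added in `__lock_acquire()` (`hlock->references < references` after the addition) only works because `hlock->references` is a narrow unsigned bit-field that wraps, and the patch removes the one comment that said so (`unsigned int references:12, overflow`), leaving just `/* Overflow */`. I would keep the width in the comment, e.g. `/* references is a 12-bit field: a wrapped sum ends up smaller than the addend */`. The field has also already been overwritten with the wrapped value by the time the warning fires; that looks harmless if `DEBUG_LOCKS_WARN_ON` switches lock debugging off, which should be confirmed. The function starts and ends outside the hunk.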
@@ -0,0 +1,234 @@
+From 4e129b0b10a94f11f3bfb07653539eb00ca9a44e Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Fri, 24 May 2019 23:15:08 +0300
+Subject: locking/lockdep: Fix OOO unlock when hlocks need merging
+
+[ Upstream commit 8c8889d8eaf4501ae4aaf870b6f8f55db5d5109a ]
+
+The sequence
+
+ static DEFINE_WW_CLASS(test_ww_class);
+
+ struct ww_acquire_ctx ww_ctx;
+ struct ww_mutex ww_lock_a;
+ struct ww_mutex ww_lock_b;
+ struct mutex lock_c;
+ struct mutex lock_d;
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+
+ mutex_init(&lock_c);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+
+ mutex_unlock(&lock_c); (*)
+
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ ww_acquire_fini(&ww_ctx);
+
+triggers the following WARN in __lock_release() when doing the unlock at *:
+
+ DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - 1);
+
+The problem is that the WARN check doesn't take into account the merging
+of ww_lock_a and ww_lock_b which results in decreasing curr->lockdep_depth
+by 2 not only 1.
+
+Note that the following sequence doesn't trigger the WARN, since there
+won't be any hlock merging.
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+
+ mutex_init(&lock_c);
+ mutex_init(&lock_d);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+ mutex_lock(&lock_d);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+
+ mutex_unlock(&lock_d);
+
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ mutex_unlock(&lock_c);
+
+ ww_acquire_fini(&ww_ctx);
+
+In general both of the above two sequences are valid and shouldn't
+trigger any lockdep warning.
+
+Fix this by taking the decrement due to the hlock merging into account
+during lock release and hlock class re-setting. Merging can't happen
+during lock downgrading since there won't be a new possibility to merge
+hlocks in that case, so add a WARN if merging still happens then.
+
+Signed-off-by: Imre Deak
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Will Deacon
+Cc: ville.syrjala@linux.intel.com
+Link: https://lkml.kernel.org/r/20190524201509.9199-1-imre.deak@intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/locking/lockdep.c | 41 ++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index e221be724fe8..2ecc12cd11d0 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3623,7 +3623,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+ hlock->references = 2;
+ }
+
+- return 1;
++ return 2;
+ }
+ }
+
+@@ -3829,22 +3829,33 @@ static struct held_lock *find_held_lock(struct task_struct *curr,
+ }
+
+ static int reacquire_held_locks(struct task_struct *curr, unsigned int depth,
+- int idx)
++ int idx, unsigned int *merged)
+ {
+ struct held_lock *hlock;
++ int first_idx = idx;
+
+ if (DEBUG_LOCKS_WARN_ON(!irqs_disabled()))
+ return 0;
+
+ for (hlock = curr->held_locks + idx; idx < depth; idx++, hlock++) {
+- if (!__lock_acquire(hlock->instance,
++ switch (__lock_acquire(hlock->instance,
+ hlock_class(hlock)->subclass,
+ hlock->trylock,
+ hlock->read, hlock->check,
+ hlock->hardirqs_off,
+ hlock->nest_lock, hlock->acquire_ip,
+- hlock->references, hlock->pin_count))
++ hlock->references, hlock->pin_count)) {
++ case 0:
+ return 1;
++ case 1:
++ break;
++ case 2:
++ *merged += (idx == first_idx);
++ break;
++ default:
++ WARN_ON(1);
++ return 0;
++ }
+ }
+ return 0;
+ }
+@@ -3855,9 +3866,9 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 0;
+ struct held_lock *hlock;
+ struct lock_class *class;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -3882,14 +3893,14 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ curr->lockdep_depth = i;
+ curr->curr_chain_key = hlock->prev_chain_key;
+
+- if (reacquire_held_locks(curr, depth, i))
++ if (reacquire_held_locks(curr, depth, i, &merged))
+ return 0;
+
+ /*
+ * I took it apart and put it back together again, except now I have
+ * these 'spare' parts.. where shall I put them.
+ */
+- if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth))
++ if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - merged))
+ return 0;
+ return 1;
+ }
+@@ -3897,8 +3908,8 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 0;
+ struct held_lock *hlock;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -3923,7 +3934,11 @@ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ hlock->read = 1;
+ hlock->acquire_ip = ip;
+
+- if (reacquire_held_locks(curr, depth, i))
++ if (reacquire_held_locks(curr, depth, i, &merged))
++ return 0;
++
++ /* Merging can't happen with unchanged classes.. */
++ if (DEBUG_LOCKS_WARN_ON(merged))
+ return 0;
+
+ /*
+@@ -3932,6 +3947,7 @@ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ */
+ if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth))
+ return 0;
++
+ return 1;
+ }
+
+@@ -3946,8 +3962,8 @@ static int
+ __lock_release(struct lockdep_map *lock, int nested, unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 1;
+ struct held_lock *hlock;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -4002,14 +4018,15 @@ __lock_release(struct lockdep_map *lock, int nested, unsigned long ip)
+ if (i == depth-1)
+ return 1;
+
+- if (reacquire_held_locks(curr, depth, i + 1))
++ if (reacquire_held_locks(curr, depth, i + 1, &merged))
+ return 0;
+
+ /*
+ * We had N bottles of beer on the wall, we drank one, but now
+ * there's not N-1 bottles of beer left on the wall...
++ * Pouring two of the bottles together is acceptable.
+ */
+- DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth-1);
++ DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - merged);
+
+ /*
+ * Since reacquire_held_locks() would have called check_chain_key()
+--
+2.20.1
+
diff --git a/queue-5.1/media-aspeed-change-irq-to-threaded-irq.patch b/queue-5.1/media-aspeed-change-irq-to-threaded-irq.patch
new file mode 100644
index 00000000000..be56b8faafb
--- /dev/null
+++ b/queue-5.1/media-aspeed-change-irq-to-threaded-irq.patch
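Review bot: The `default:` arm added to the switch in reacquire_held_locks() returns 0, which every caller in this patch treats as success (`if (reacquire_held_locks(...)) return 0;`), while `case 0:` reports failure with `return 1`. An unexpected __lock_acquire() result therefore ends the loop early and is reported as a complete re-acquire; `return 1;` after the `WARN_ON(1)` would follow the failure convention. The existing `irqs_disabled()` guard at the top has the same shape, so this may be deliberate, but then a comment should say so. Separately, `*merged += (idx == first_idx);` and the `merged = 1` initialiser in __lock_release() (the other two callers start at 0) each deserve a one-line comment stating what is being counted.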
@@ -0,0 +1,43 @@
+From f6ca78fee432d72689ebc7abc968025c9142f366 Mon Sep 17 00:00:00 2001
+From: Jae Hyun Yoo
+Date: Fri, 31 May 2019 18:15:41 -0400
+Subject: media: aspeed: change irq to threaded irq
+
+[ Upstream commit 12ae1c1bf5db2f33fcd9092a96f630291c4b181a ]
+
+Differently from other Aspeed drivers, this driver calls clock
+control APIs in interrupt context. Since ECLK is coupled with a
+reset bit in clk-aspeed module, aspeed_clk_enable will make 10ms of
+busy waiting delay for triggering the reset and it will eventually
+disturb other drivers' interrupt handling. To fix this issue, this
+commit changes this driver's irq to threaded irq so that the delay
+can be happened in a thread context.
+
+Signed-off-by: Jae Hyun Yoo
+Reviewed-by: Eddie James
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/aspeed-video.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c
+index 692e08ef38c0..668d8827e281 100644
+--- a/drivers/media/platform/aspeed-video.c
++++ b/drivers/media/platform/aspeed-video.c
+@@ -1600,8 +1600,9 @@ static int aspeed_video_init(struct aspeed_video *video)
+ return -ENODEV;
+ }
+
+- rc = devm_request_irq(dev, irq, aspeed_video_irq, IRQF_SHARED,
+- DEVICE_NAME, video);
++ rc = devm_request_threaded_irq(dev, irq, NULL, aspeed_video_irq,
++ IRQF_ONESHOT | IRQF_SHARED, DEVICE_NAME,
++ video);
+ if (rc < 0) {
+ dev_err(dev, "Unable to request IRQ %d\n", irq);
+ return rc;
+--
+2.20.1
+
diff --git a/queue-5.1/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch b/queue-5.1/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch
new file mode 100644
index 00000000000..b81a639fac2
--- /dev/null
+++ b/queue-5.1/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch
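Review bot: `IRQF_ONESHOT | IRQF_SHARED` in the new devm_request_threaded_irq() call only works if every other user of the line also requests it with `IRQF_ONESHOT`; the IRQ core rejects a shared request whose one-shot setting differs from the handlers already installed. Whether anything else shares this interrupt is not visible in the hunk, so a short comment above the call saying why `IRQF_SHARED` is kept would help, or the flag could be dropped if the line is exclusive. With a NULL primary handler, aspeed_video_irq() now runs in process context, so any locking inside it that assumed hard-IRQ context (outside this hunk) should be rechecked.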
@@ -0,0 +1,46 @@
+From 7b5379fea6c27a886d47e6b1b429b9dfa95ad04d Mon Sep 17 00:00:00 2001
+From: Marco Felsch
+Date: Tue, 18 Jun 2019 12:45:11 -0400
+Subject: media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
+
+[ Upstream commit f3775f89852d167990b0d718587774cf00d22ac2 ]
+
+coda_encoder_cmd() is racy, as the last scheduled picture run worker can
+still be in-flight while the ENC_CMD_STOP command is issued. Depending
+on the exact timing the sequence numbers might already be changed, but
+the last buffer might not have been put on the destination queue yet.
+
+In this case the current implementation would prematurely wake the
+destination queue with last_buffer_dequeued=true, causing userspace to
+call streamoff before the last buffer is handled.
+
+Close this race window by synchronizing with the pic_run_worker before
+doing the sequence check.
+
+Signed-off-by: Marco Felsch
+[l.stach@pengutronix.de: switch to flush_work, reword commit message]
+Signed-off-by: Lucas Stach
+Signed-off-by: Philipp Zabel
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/coda/coda-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
+index fa0b22fb7991..9bf2116ffc76 100644
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -1007,6 +1007,8 @@ static int coda_encoder_cmd(struct file *file, void *fh,
+ /* Set the stream-end flag on this context */
+ ctx->bit_stream_param |= CODA_BIT_STREAM_END_FLAG;
+
++ flush_work(&ctx->pic_run_work);
++
+ /* If there is no buffer in flight, wake up */
+ if (!ctx->streamon_out || ctx->qsequence == ctx->osequence) {
+ dst_vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
+--
+2.20.1
+
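Review bot: `flush_work(&ctx->pic_run_work)` waits only for a run that is already queued or executing; nothing in the hunk prevents another run from being queued between the flush and the `ctx->qsequence == ctx->osequence` comparison. If something outside the hunk rules that out, a comment on the new line should record it, along the lines of `/* wait for an in-flight picture run so qsequence/osequence are final */`. It is also worth confirming that coda_encoder_cmd() holds no lock the worker takes at this point, because flush_work() sleeps until the worker returns. The function starts and ends outside the hunk.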
diff --git a/queue-5.1/media-coda-fix-mpeg2-sequence-number-handling.patch b/queue-5.1/media-coda-fix-mpeg2-sequence-number-handling.patch
new file mode 100644
index 00000000000..aaec168839e
--- /dev/null
+++ b/queue-5.1/media-coda-fix-mpeg2-sequence-number-handling.patch
@@ -0,0 +1,46 @@
+From 48c5255ced3a0a15e006e1cb8dab7de20f74894c Mon Sep 17 00:00:00 2001
+From: Philipp Zabel
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: media: coda: fix mpeg2 sequence number handling
+
+[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ]
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index eaa86737fa04..5eb93ac060d5 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1743,6 +1743,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev, "CODA_COMMAND_SEQ_INIT timeout\n");
+ return ret;
+ }
++ ctx->sequence_offset = ~0U;
+ ctx->initialized = 1;
+
+ /* Update kfifo out pointer from coda bitstream read pointer */
+@@ -2155,7 +2156,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev,
+ "decoded frame index out of range: %d\n", decoded_idx);
+ } else {
+- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++ if (ctx->sequence_offset == -1)
++ ctx->sequence_offset = val;
+ val -= ctx->sequence_offset;
+ spin_lock(&ctx->buffer_meta_lock);
+ if (!list_empty(&ctx->buffer_meta_list)) {
+--
+2.20.1
+
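Review bot: The "not yet set" marker is written as `~0U` in __coda_start_decoding() and tested as `-1` in coda_finish_decode(); the two agree only if `sequence_offset` is a 32-bit field, which the hunks do not show. Using the same spelling at both sites (`if (ctx->sequence_offset == ~0U)`), or a named constant, removes that dependency and documents the sentinel. A one-line comment at the assignment, such as `/* offset is taken from the first decoded frame number */`, would also explain why the field is reset here. Both functions continue outside their hunks.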
diff --git a/queue-5.1/media-coda-increment-sequence-offset-for-the-last-re.patch b/queue-5.1/media-coda-increment-sequence-offset-for-the-last-re.patch
new file mode 100644
index 00000000000..e1028a9e34f
--- /dev/null
+++ b/queue-5.1/media-coda-increment-sequence-offset-for-the-last-re.patch
@@ -0,0 +1,37 @@
+From eef9feb64c9ccbba33f0053ff40daabcb8b0071b Mon Sep 17 00:00:00 2001
+From: Philipp Zabel
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: media: coda: increment sequence offset for the last returned frame
+
+[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ]
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 5eb93ac060d5..8648a6bd8809 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2151,6 +2151,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ else if (ctx->display_idx < 0)
+ ctx->hold = true;
+ } else if (decoded_idx == -2) {
++ if (ctx->display_idx >= 0 &&
++ ctx->display_idx < ctx->num_internal_frames)
++ ctx->sequence_offset++;
+ /* no frame was decoded, we still return remaining buffers */
+ } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+ v4l2_err(&dev->v4l2_dev,
+--
+2.20.1
+
diff --git a/queue-5.1/media-davinci-vpif_capture-fix-memory-leak-in-vpif_p.patch b/queue-5.1/media-davinci-vpif_capture-fix-memory-leak-in-vpif_p.patch
new file mode 100644
index 00000000000..ea8e188ead0
--- /dev/null
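Review bot: The new `ctx->sequence_offset++` in the `decoded_idx == -2` branch carries no comment, and the existing `/* no frame was decoded, we still return remaining buffers */` now sits below it and reads as if it described the increment. I would move that comment above the `if` and add the reason given in the commit message, e.g. `/* firmware still bumps the frame number when only a previously decoded frame is returned */`. coda_finish_decode() starts and ends outside the hunk.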
+++ b/queue-5.1/media-davinci-vpif_capture-fix-memory-leak-in-vpif_p.patch 
@@ -0,0 +1,73 @@
+From 86428bc4663f39a347c6d6e06d706e25592ca92c Mon Sep 17 00:00:00 2001
+From: Young Xiao <92siuyang@gmail.com>
+Date: Tue, 4 Jun 2019 08:26:33 -0400
+Subject: media: davinci: vpif_capture: fix memory leak in vpif_probe()
+
+[ Upstream commit 64f883cd98c6d43013fb0cea788b63e50ebc068c ]
+
+If vpif_probe() fails on v4l2_device_register() and vpif_probe_complete(),
+then memory allocated at initialize_vpif() for global vpif_obj.dev[i]
+become unreleased.
+
+The patch adds deallocation of vpif_obj.dev[i] on the error path.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Acked-by: Lad, Prabhakar
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/davinci/vpif_capture.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpif_capture.c b/drivers/media/platform/davinci/vpif_capture.c
+index 6216b7ac6875..a20cb6fff2ec 100644
+--- a/drivers/media/platform/davinci/vpif_capture.c
++++ b/drivers/media/platform/davinci/vpif_capture.c
+@@ -1384,6 +1384,14 @@ static int initialize_vpif(void)
+ return err;
+ }
+
++static inline void free_vpif_objs(void)
++{
++ int i;
++
++ for (i = 0; i < VPIF_CAPTURE_MAX_DEVICES; i++)
++ kfree(vpif_obj.dev[i]);
++}
++
+ static int vpif_async_bound(struct v4l2_async_notifier *notifier,
+ struct v4l2_subdev *subdev,
+ struct v4l2_async_subdev *asd)
+@@ -1653,7 +1661,7 @@ static __init int vpif_probe(struct platform_device *pdev)
+ err = v4l2_device_register(vpif_dev, &vpif_obj.v4l2_dev);
+ if (err) {
+ v4l2_err(vpif_dev->driver, "Error registering v4l2 device\n");
+- goto cleanup;
++ goto vpif_free;
+ }
+
+ while ((res = platform_get_resource(pdev, IORESOURCE_IRQ, res_idx))) {
+@@ -1700,7 +1708,9 @@ static __init int vpif_probe(struct platform_device *pdev)
+ "registered sub device %s\n",
+ subdevdata->name);
+ }
+- vpif_probe_complete();
++ err = vpif_probe_complete();
++ if (err)
++ goto probe_subdev_out;
+ } else {
+ vpif_obj.notifier.ops = &vpif_async_ops;
+ err = v4l2_async_notifier_register(&vpif_obj.v4l2_dev,
+@@ -1719,6 +1729,8 @@ static __init int vpif_probe(struct platform_device *pdev)
+ kfree(vpif_obj.sd);
+ vpif_unregister:
+ v4l2_device_unregister(&vpif_obj.v4l2_dev);
++vpif_free:
++ free_vpif_objs();
+ cleanup:
+ v4l2_async_notifier_cleanup(&vpif_obj.notifier);
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/queue-5.1/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
new file mode 100644
index 00000000000..8a5fdcfab5c
--- /dev/null
+++ b/queue-5.1/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
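Review bot: free_vpif_objs() frees `vpif_obj.dev[i]` but leaves the stale pointers in the global `vpif_obj`, so any later code that frees or dereferences them after a failed probe would touch freed memory; whether such a path exists is outside the hunks. Clearing each slot costs one line, `vpif_obj.dev[i] = NULL;` after the `kfree()`. Any earlier `goto cleanup` in vpif_probe() that runs after initialize_vpif() would still bypass the new `vpif_free` label; those lines are not visible here.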
@@ -0,0 +1,44 @@
+From 7e2b24374cc9896ee87a277663d98a6cc3f06a0a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 99951e02a880..dd063a736df5 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = "generic DVB-USB module";
++ const char *default_name = "generic DVB-USB module";
++ char name[40];
+
+ usb_set_intfdata(intf, NULL);
+ if (d != NULL && d->desc != NULL) {
+- name = d->desc->name;
++ strscpy(name, d->desc->name, sizeof(name));
+ dvb_usb_exit(d);
++ } else {
++ strscpy(name, default_name, sizeof(name));
+ }
+ info("%s successfully deinitialized and disconnected.", name);
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-fdp1-support-m3n-and-e3-platforms.patch b/queue-5.1/media-fdp1-support-m3n-and-e3-platforms.patch
new file mode 100644
index 00000000000..e240c26f095
--- /dev/null
+++ b/queue-5.1/media-fdp1-support-m3n-and-e3-platforms.patch
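Review bot: `char name[40]` in dvb_usb_device_exit() is an unexplained size, and `strscpy()` silently truncates any `d->desc->name` longer than 39 characters in the log line. The copy itself is safe, since strscpy() always terminates the destination, so this is a documentation point: add a comment such as `/* copy the name: it is no longer valid once dvb_usb_exit(d) has run */` and give the length a named constant. Without that comment a later cleanup could turn the buffer back into a pointer and reintroduce the use-after-free the commit message describes.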
@@ -0,0 +1,51 @@
+From f3c15107e6121bbeac30e769c0a8122df239c0ab Mon Sep 17 00:00:00 2001
+From: Kieran Bingham
+Date: Wed, 15 May 2019 11:39:12 -0400
+Subject: media: fdp1: Support M3N and E3 platforms
+
+[ Upstream commit 4e8c120de9268fc26f583268b9d22e7d37c4595f ]
+
+New Gen3 R-Car platforms incorporate the FDP1 with an updated version
+register. No code change is required to support these targets, but they
+will currently report an error stating that the device can not be
+identified.
+
+Update the driver to match against the new device types.
+
+Signed-off-by: Kieran Bingham
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/rcar_fdp1.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/platform/rcar_fdp1.c b/drivers/media/platform/rcar_fdp1.c
+index 6bda1eee9170..4f103be215d3 100644
+--- a/drivers/media/platform/rcar_fdp1.c
++++ b/drivers/media/platform/rcar_fdp1.c
+@@ -257,6 +257,8 @@ MODULE_PARM_DESC(debug, "activate debug info");
+ #define FD1_IP_H3_ES1 0x02010101
+ #define FD1_IP_M3W 0x02010202
+ #define FD1_IP_H3 0x02010203
++#define FD1_IP_M3N 0x02010204
++#define FD1_IP_E3 0x02010205
+
+ /* LUTs */
+ #define FD1_LUT_DIF_ADJ 0x1000
+@@ -2365,6 +2367,12 @@ static int fdp1_probe(struct platform_device *pdev)
+ case FD1_IP_H3:
+ dprintk(fdp1, "FDP1 Version R-Car H3\n");
+ break;
++ case FD1_IP_M3N:
++ dprintk(fdp1, "FDP1 Version R-Car M3N\n");
++ break;
++ case FD1_IP_E3:
++ dprintk(fdp1, "FDP1 Version R-Car E3\n");
++ break;
+ default:
+ dev_err(fdp1->dev, "FDP1 Unidentifiable (0x%08x)\n",
+ hw_version);
+--
+2.20.1
+
diff --git a/queue-5.1/media-hdpvr-fix-locking-and-a-missing-msleep.patch b/queue-5.1/media-hdpvr-fix-locking-and-a-missing-msleep.patch
new file mode 100644
index 00000000000..ca4793f68e2
--- /dev/null
+++ b/queue-5.1/media-hdpvr-fix-locking-and-a-missing-msleep.patch
@@ -0,0 +1,81 @@
+From 996f008001b1ed1bacc94f1ef43a92491928a385 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 20 Jun 2019 07:43:41 -0400
+Subject: media: hdpvr: fix locking and a missing msleep
+
+[ Upstream commit 6bc5a4a1927556ff9adce1aa95ea408c95453225 ]
+
+This driver has three locking issues:
+
+- The wait_event_interruptible() condition calls hdpvr_get_next_buffer(dev)
+ which uses a mutex, which is not allowed. Rewrite with list_empty_careful()
+ that doesn't need locking.
+
+- In hdpvr_read() the call to hdpvr_stop_streaming() didn't lock io_mutex,
+ but it should have since stop_streaming expects that.
+
+- In hdpvr_device_release() io_mutex was locked when calling flush_work(),
+ but there it shouldn't take that mutex since the work done by flush_work()
+ also wants to lock that mutex.
+
+There are also two other changes (suggested by Keith):
+
+- msecs_to_jiffies(4000); (a NOP) should have been msleep(4000).
+- Change v4l2_dbg to v4l2_info to always log if streaming had to be restarted.
+
+Reported-by: Keith Pyle
+Suggested-by: Keith Pyle
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/hdpvr/hdpvr-video.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
+index e082086428a4..ae6609716347 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-video.c
++++ b/drivers/media/usb/hdpvr/hdpvr-video.c
+@@ -439,7 +439,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ /* wait for the first buffer */
+ if (!(file->f_flags & O_NONBLOCK)) {
+ if (wait_event_interruptible(dev->wait_data,
+- hdpvr_get_next_buffer(dev)))
++ !list_empty_careful(&dev->rec_buff_list)))
+ return -ERESTARTSYS;
+ }
+
+@@ -465,10 +465,17 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ goto err;
+ }
+ if (!err) {
+- v4l2_dbg(MSG_INFO, hdpvr_debug, &dev->v4l2_dev,
+- "timeout: restart streaming\n");
++ v4l2_info(&dev->v4l2_dev,
++ "timeout: restart streaming\n");
++ mutex_lock(&dev->io_mutex);
+ hdpvr_stop_streaming(dev);
+- msecs_to_jiffies(4000);
++ mutex_unlock(&dev->io_mutex);
++ /*
++ * The FW needs about 4 seconds after streaming
++ * stopped before it is ready to restart
++ * streaming.
++ */
++ msleep(4000);
+ err = hdpvr_start_streaming(dev);
+ if (err) {
+ ret = err;
+@@ -1133,9 +1140,7 @@ static void hdpvr_device_release(struct video_device *vdev)
+ struct hdpvr_device *dev = video_get_drvdata(vdev);
+
+ hdpvr_delete(dev);
+- mutex_lock(&dev->io_mutex);
+ flush_work(&dev->worker);
+- mutex_unlock(&dev->io_mutex);
+
+ v4l2_device_unregister(&dev->v4l2_dev);
+ v4l2_ctrl_handler_free(&dev->hdl);
+--
+2.20.1
+
diff --git a/queue-5.1/media-i2c-fix-warning-same-module-names.patch b/queue-5.1/media-i2c-fix-warning-same-module-names.patch
new file mode 100644
index 00000000000..42666522079
--- /dev/null
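Review bot: In the restart path of hdpvr_read(), `hdpvr_stop_streaming(dev)` is now wrapped in `io_mutex`, but `hdpvr_start_streaming(dev)` a few lines later still runs unlocked. If start has the same locking expectation as stop (its body is outside the hunk), it needs `mutex_lock(&dev->io_mutex);` and `mutex_unlock(&dev->io_mutex);` around it too, taken after the `msleep(4000)` so the mutex is not held across the four-second wait. The sleep is also uninterruptible, so a reader cannot be signalled out of read() during that window; `msleep_interruptible()` may be worth considering.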
+++ b/queue-5.1/media-i2c-fix-warning-same-module-names.patch 
@@ -0,0 +1,60 @@
+From bb382d1f79efa3ccb00e69074f80a73962a7f18f Mon Sep 17 00:00:00 2001
+From: Anders Roxell
+Date: Wed, 12 Jun 2019 12:19:35 -0400
+Subject: media: i2c: fix warning same module names
+
+[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ]
+
+When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511
+enabled as loadable modules, we see the following warning:
+
+ drivers/gpu/drm/bridge/adv7511/adv7511.ko
+ drivers/media/i2c/adv7511.ko
+
+Rework so that the file is named adv7511-v4l2.c.
+
+Signed-off-by: Anders Roxell
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/Makefile | 2 +-
+ drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%)
+
+diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile
+index a64fca82e0c4..55a3a2dee2de 100644
+--- a/drivers/media/i2c/Makefile
++++ b/drivers/media/i2c/Makefile
+@@ -35,7 +35,7 @@ obj-$(CONFIG_VIDEO_ADV748X) += adv748x/
+ obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o
+ obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o
+ obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o
+-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o
++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o
+ obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o
+ obj-$(CONFIG_VIDEO_VS6624) += vs6624.o
+ obj-$(CONFIG_VIDEO_BT819) += bt819.o
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c
+similarity index 99%
+rename from drivers/media/i2c/adv7511.c
+rename to drivers/media/i2c/adv7511-v4l2.c
+index cec5ebb1c9e6..2ad6bdf1a9fc 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -5,6 +5,11 @@
+ * Copyright 2013 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ */
+
++/*
++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog
++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511).
++ */
++
+
+ #include
+ #include
+--
+2.20.1
+
diff --git a/queue-5.1/media-imx7-mipi-csis-propagate-the-error-if-clock-en.patch b/queue-5.1/media-imx7-mipi-csis-propagate-the-error-if-clock-en.patch
new file mode 100644
index 00000000000..daa5dc0a8e1
--- /dev/null
+++ b/queue-5.1/media-imx7-mipi-csis-propagate-the-error-if-clock-en.patch
@@ -0,0 +1,58 @@
+From 93c3d0163f307adab86df9a96a1f2c18103c6e36 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Fri, 31 May 2019 13:45:04 -0400
+Subject: media: imx7-mipi-csis: Propagate the error if clock enabling fails
+
+[ Upstream commit 2b393f91c651c16d5c09f5c7aa689e58a79df34e ]
+
+Currently the return value from clk_bulk_prepare_enable() is checked,
+but it is not propagate it in the case of failure.
+
+Fix it and also move the error message to the caller of
+mipi_csis_clk_enable().
+
+Signed-off-by: Fabio Estevam
+Reviewed-by: Rui Miguel Silva
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/imx/imx7-mipi-csis.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c
+index 2ddcc42ab8ff..e9d621e19d6d 100644
+--- a/drivers/staging/media/imx/imx7-mipi-csis.c
++++ b/drivers/staging/media/imx/imx7-mipi-csis.c
+@@ -455,13 +455,9 @@ static void mipi_csis_set_params(struct csi_state *state)
+ MIPI_CSIS_CMN_CTRL_UPDATE_SHADOW_CTRL);
+ }
+
+-static void mipi_csis_clk_enable(struct csi_state *state)
++static int mipi_csis_clk_enable(struct csi_state *state)
+ {
+- int ret;
+-
+- ret = clk_bulk_prepare_enable(state->num_clks, state->clks);
+- if (ret < 0)
+- dev_err(state->dev, "failed to enable clocks\n");
++ return clk_bulk_prepare_enable(state->num_clks, state->clks);
+ }
+
+ static void mipi_csis_clk_disable(struct csi_state *state)
+@@ -985,7 +981,11 @@ static int mipi_csis_probe(struct platform_device *pdev)
+ if (ret < 0)
+ return ret;
+
+- mipi_csis_clk_enable(state);
++ ret = mipi_csis_clk_enable(state);
++ if (ret < 0) {
++ dev_err(state->dev, "failed to enable clocks: %d\n", ret);
++ return ret;
++ }
+
+ ret = devm_request_irq(dev, state->irq, mipi_csis_irq_handler,
+ 0, dev_name(dev), state);
+--
+2.20.1
+
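Review bot: Moving the `dev_err()` out of mipi_csis_clk_enable() means any other caller of that function now gets neither a log message nor a check unless it was updated too; only the mipi_csis_probe() call site is changed in this patch. Callers outside the hunks, if any exist, should test the return value in the same way as probe now does. In probe, the new early `return ret` is correct only if everything acquired before it is device-managed, which is not visible here.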
diff --git a/queue-5.1/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch b/queue-5.1/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
new file mode 100644
index 00000000000..22d579db016
--- /dev/null
+++ b/queue-5.1/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
@@ -0,0 +1,64 @@
+From 5ad684c3474e79f1a7b8af16b1870f8e4b16c0bc Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Sun, 5 May 2019 10:00:23 -0400
+Subject: media: marvell-ccic: fix DMA s/g desc number calculation
+
+[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ]
+
+The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+left dma_desc_nent unset. It previously contained the number of DMA
+descriptors as returned from dma_map_sg().
+
+We can now (since the commit referred to above) obtain the same value from
+the sg_table and drop dma_desc_nent altogether.
+
+Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe
+driver, since that one doesn't do DMA.
+
+[mchehab+samsung@kernel.org: fix a checkpatch warning]
+
+Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+Signed-off-by: Lubomir Rintel
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index f1b301810260..0a6411b877e9 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -200,7 +200,6 @@ struct mcam_vb_buffer {
+ struct list_head queue;
+ struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */
+ dma_addr_t dma_desc_pa; /* Descriptor physical address */
+- int dma_desc_nent; /* Number of mapped descriptors */
+ };
+
+ static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb)
+@@ -608,9 +607,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame)
+ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ {
+ struct mcam_vb_buffer *buf;
++ struct sg_table *sg_table;
+
+ buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue);
+ list_del_init(&buf->queue);
++ sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0);
+ /*
+ * Very Bad Not Good Things happen if you don't clear
+ * C1_DESC_ENA before making any descriptor changes.
+@@ -618,7 +619,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA);
+ mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa);
+ mcam_reg_write(cam, REG_DESC_LEN_Y,
+- buf->dma_desc_nent*sizeof(struct mcam_dma_desc));
++ sg_table->nents * sizeof(struct mcam_dma_desc));
+ mcam_reg_write(cam, REG_DESC_LEN_U, 0);
+ mcam_reg_write(cam, REG_DESC_LEN_V, 0);
+ mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA);
+--
+2.20.1
+
diff --git a/queue-5.1/media-mc-device.c-don-t-memset-__user-pointer-conten.patch b/queue-5.1/media-mc-device.c-don-t-memset-__user-pointer-conten.patch
new file mode 100644
index 00000000000..f1273204991
--- /dev/null
+++ b/queue-5.1/media-mc-device.c-don-t-memset-__user-pointer-conten.patch
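Review bot: The length written to `REG_DESC_LEN_Y` in mcam_sg_next_buffer() now comes from `sg_table->nents`, so it must equal the number of descriptors actually filled into `buf->dma_desc`, and that fill code is outside these hunks. If the fill loop iterates a different count, the device would be told to walk descriptors that were never written, which for a DMA engine means transfers to unintended addresses. I would confirm the fill path uses the same field and record it next to the register write, e.g. `/* must match the entry count used when dma_desc was populated */`. The result of `vb2_dma_sg_plane_desc()` is also dereferenced without a check; whether it can be NULL here is not visible.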
@@ -0,0 +1,43 @@
+From bf9e193c744c494ad78e3d1df803121e3b2448db Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 27 May 2019 05:31:13 -0400
+Subject: media: mc-device.c: don't memset __user pointer contents
+
+[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ]
+
+You can't memset the contents of a __user pointer. Instead, call copy_to_user to
+copy links.reserved (which is zeroed) to the user memory.
+
+This fixes this sparse warning:
+
+SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces)
+
+Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field")
+
+Signed-off-by: Hans Verkuil
+Reviewed-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/media-device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 6893843edada..8e2a66493e62 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -518,8 +518,9 @@ static long media_device_enum_links32(struct media_device *mdev,
+ if (ret)
+ return ret;
+
+- memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
+-
++ if (copy_to_user(ulinks->reserved, links.reserved,
++ sizeof(ulinks->reserved)))
++ return -EFAULT;
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-media_device_enum_links32-clean-a-reserved-fie.patch b/queue-5.1/media-media_device_enum_links32-clean-a-reserved-fie.patch
new file mode 100644
index 00000000000..3f62afeb089
--- /dev/null
+++ b/queue-5.1/media-media_device_enum_links32-clean-a-reserved-fie.patch
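Review bot: `copy_to_user(ulinks->reserved, links.reserved, sizeof(ulinks->reserved))` reads `sizeof(ulinks->reserved)` bytes out of `links.reserved`, so it is only safe if the compat structure's reserved array is no larger than the native one and if media_device_enum_links() never writes to `links.reserved`; neither is visible in the hunk. If either assumption breaks, kernel stack bytes would be copied to user space. `clear_user()` states the intent directly and has no source buffer to over-read: `if (clear_user(ulinks->reserved, sizeof(ulinks->reserved))) return -EFAULT;`. media_device_enum_links32() starts outside the hunk.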
@@ -0,0 +1,55 @@
+From 5f8f90e5420f5cfd94361bcd76fb14915847a7b0 Mon Sep 17 00:00:00 2001
+From: Jungo Lin
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: media: media_device_enum_links32: clean a reserved field
+
+[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ]
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index b8ec88612df7..6893843edada 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -502,6 +502,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+ struct media_links_enum links;
+ compat_uptr_t pads_ptr, links_ptr;
++ int ret;
+
+ memset(&links, 0, sizeof(links));
+
+@@ -513,7 +514,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+ links.pads = compat_ptr(pads_ptr);
+ links.links = compat_ptr(links_ptr);
+
+- return media_device_enum_links(mdev, &links);
++ ret = media_device_enum_links(mdev, &links);
++ if (ret)
++ return ret;
++
++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++ return 0;
+ }
+
+ #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
+--
+2.20.1
+
diff --git a/queue-5.1/media-mt9m111-fix-fw-node-refactoring.patch b/queue-5.1/media-mt9m111-fix-fw-node-refactoring.patch
new file mode 100644
index 00000000000..b092f86dcc9
--- /dev/null
+++ b/queue-5.1/media-mt9m111-fix-fw-node-refactoring.patch
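Review bot: The added `memset(ulinks->reserved, 0, sizeof(ulinks->reserved));` stores directly through `ulinks`, which the companion patch in this queue describes as a `__user` pointer, so on its own this backport performs an unchecked kernel write to a user address with no fault handling. The queue also carries `media-mc-device.c-don-t-memset-__user-pointer-conten.patch`, which replaces the call with `copy_to_user()`. The two patches should be treated as a pair: apply them in this order and never keep this one if the follow-up is dropped from the queue.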
@@ -0,0 +1,48 @@
+From cbd64a1586ff809dbd4f8a6725898d16666647e5 Mon Sep 17 00:00:00 2001
+From: Robert Jarzmik
+Date: Mon, 3 Jun 2019 16:01:55 -0400
+Subject: media: mt9m111: fix fw-node refactoring
+
+[ Upstream commit 8d4e29a51a954b43e06d916772fa4f50b7e5bbd6 ]
+
+In the patch refactoring the fw-node, the mt9m111 was broken for all
+platform_data based platforms, which were the first aim of this
+driver. Only the devicetree platform are still functional, probably
+because the testing was done on these.
+
+The result is that -EINVAL is systematically return for such platforms,
+what this patch fixes.
+
+[Sakari Ailus: Rework this to resolve a merge conflict and use dev_fwnode]
+
+Fixes: 98480d65c48c ("media: mt9m111: allow to setup pixclk polarity")
+Signed-off-by: Robert Jarzmik
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/mt9m111.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/mt9m111.c b/drivers/media/i2c/mt9m111.c
+index 5168bb5880c4..3a543e435e61 100644
+--- a/drivers/media/i2c/mt9m111.c
++++ b/drivers/media/i2c/mt9m111.c
+@@ -1248,9 +1248,11 @@ static int mt9m111_probe(struct i2c_client *client,
+ if (!mt9m111)
+ return -ENOMEM;
+
+- ret = mt9m111_probe_fw(client, mt9m111);
+- if (ret)
+- return ret;
++ if (dev_fwnode(&client->dev)) {
++ ret = mt9m111_probe_fw(client, mt9m111);
++ if (ret)
++ return ret;
++ }
+
+ mt9m111->clk = v4l2_clk_get(&client->dev, "mclk");
+ if (IS_ERR(mt9m111->clk))
+--
+2.20.1
+
diff --git a/queue-5.1/media-ov7740-avoid-invalid-framesize-setting.patch b/queue-5.1/media-ov7740-avoid-invalid-framesize-setting.patch
new file mode 100644
index 00000000000..1bc931b6a68
--- /dev/null
+++ b/queue-5.1/media-ov7740-avoid-invalid-framesize-setting.patch
@@ -0,0 +1,43 @@
+From aec9d044de35e1d12487bdfbeb2a522cbabd8870 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita
+Date: Wed, 17 Apr 2019 10:06:39 -0400
+Subject: media: ov7740: avoid invalid framesize setting
+
+[ Upstream commit 6e4ab830ac6d6a0d7cd7f87dc5d6536369bf24a8 ]
+
+If the requested framesize by VIDIOC_SUBDEV_S_FMT is larger than supported
+framesizes, it causes an out of bounds array access and the resulting
+framesize is unexpected.
+
+Avoid out of bounds array access and select the default framesize.
+
+Cc: Wenyou Yang
+Cc: Eugen Hristev
+Signed-off-by: Akinobu Mita
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/ov7740.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov7740.c b/drivers/media/i2c/ov7740.c
+index dfece91ce96b..8207e7cf9923 100644
+--- a/drivers/media/i2c/ov7740.c
++++ b/drivers/media/i2c/ov7740.c
+@@ -761,7 +761,11 @@ static int ov7740_try_fmt_internal(struct v4l2_subdev *sd,
+
+ fsize++;
+ }
+-
++ if (i >= ARRAY_SIZE(ov7740_framesizes)) {
++ fsize = &ov7740_framesizes[0];
++ fmt->width = fsize->width;
++ fmt->height = fsize->height;
++ }
+ if (ret_frmsize != NULL)
+ *ret_frmsize = fsize;
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch b/queue-5.1/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch
new file mode 100644
index 00000000000..58659663252
--- /dev/null
+++ b/queue-5.1/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch
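Review bot: The fallback block added after the search loop in `ov7740_try_fmt_internal()` has no comment, and why it is needed is not obvious from the lines around it. The loop ends each pass with `fsize++`, so when nothing matches the pointer appears to sit one element past `ov7740_framesizes`, and the code below the hunk hands it out through `*ret_frmsize`. I would put `/* No supported size fits the request: fall back to ov7740_framesizes[0] rather than use a past-the-end entry. */` above the `if (i >= ARRAY_SIZE(ov7740_framesizes))` line. The loop header is above the hunk, so its match condition is not visible here.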
@@ -0,0 +1,74 @@
+From fea2c4b59149f935c1e498108f520cadad0b2de5 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Wed, 12 Jun 2019 09:57:57 -0400
+Subject: media: s5p-mfc: fix reading min scratch buffer size on MFC v6/v7
+
+[ Upstream commit be22203aec440c1761ce8542c2636ac6c8951e3a ]
+
+MFC v6 and v7 has no register to read min scratch buffer size, so it has
+to be read conditionally only if hardware supports it. This fixes following
+NULL pointer exception on SoCs with MFC v6/v7:
+
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = f25837f9
+[00000000] *pgd=bd93d835
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: btmrvl_sdio btmrvl bluetooth mwifiex_sdio mwifiex ecdh_generic ecc
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+PC is at s5p_mfc_get_min_scratch_buf_size+0x30/0x3c
+LR is at s5p_mfc_get_min_scratch_buf_size+0x28/0x3c
+...
+[] (s5p_mfc_get_min_scratch_buf_size) from [] (s5p_mfc_irq+0x814/0xa5c)
+[] (s5p_mfc_irq) from [] (__handle_irq_event_percpu+0x64/0x3f8)
+[] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x2c/0x7c)
+[] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c)
+[] (handle_irq_event) from [] (handle_fasteoi_irq+0xc4/0x180)
+[] (handle_fasteoi_irq) from [] (generic_handle_irq+0x24/0x34)
+[] (generic_handle_irq) from [] (__handle_domain_irq+0x7c/0xec)
+[] (__handle_domain_irq) from [] (gic_handle_irq+0x58/0x9c)
+[] (gic_handle_irq) from [] (__irq_svc+0x70/0xb0)
+Exception stack(0xe73ddc60 to 0xe73ddca8)
+...
+[] (__irq_svc) from [] (console_unlock+0x5a8/0x6a8)
+[] (console_unlock) from [] (vprintk_emit+0x118/0x2d8)
+[] (vprintk_emit) from [] (vprintk_default+0x20/0x28)
+[] (vprintk_default) from [] (printk+0x30/0x54)
+[] (printk) from [] (s5p_mfc_init_decode_v6+0x1d4/0x284)
+[] (s5p_mfc_init_decode_v6) from [] (vb2_start_streaming+0x24/0x150)
+[] (vb2_start_streaming) from [] (vb2_core_streamon+0x11c/0x15c)
+[] (vb2_core_streamon) from [] (vidioc_streamon+0x64/0xa0)
+[] (vidioc_streamon) from [] (__video_do_ioctl+0x28c/0x45c)
+[] (__video_do_ioctl) from [] (video_usercopy+0x260/0x8a4)
+[] (video_usercopy) from [] (do_vfs_ioctl+0xb0/0x9fc)
+[] (do_vfs_ioctl) from [] (ksys_ioctl+0x34/0x58)
+[] (ksys_ioctl) from [] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xe73ddfa8 to 0xe73ddff0)
+...
+---[ end trace 376cf5ba6e0bee93 ]---
+
+Signed-off-by: Marek Szyprowski
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 9a53d3908b52..2504fe9761bf 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -527,7 +527,8 @@ static void s5p_mfc_handle_seq_done(struct s5p_mfc_ctx *ctx,
+ dev);
+ ctx->mv_count = s5p_mfc_hw_call(dev->mfc_ops, get_mv_count,
+ dev);
+- ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
++ if (FW_HAS_E_MIN_SCRATCH_BUF(dev))
++ ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
+ get_min_scratch_buf_size, dev);
+ if (ctx->img_width == 0 || ctx->img_height == 0)
+ ctx->state = MFCINST_ERROR;
+--
+2.20.1
+
diff --git a/queue-5.1/media-s5p-mfc-make-additional-clocks-optional.patch b/queue-5.1/media-s5p-mfc-make-additional-clocks-optional.patch
new file mode 100644
index 00000000000..fbdaf035f8d
--- /dev/null
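Review bot: With the new `if (FW_HAS_E_MIN_SCRATCH_BUF(dev))` guard in `s5p_mfc_handle_seq_done()`, `ctx->scratch_buf_size` is not assigned at all on MFC v6/v7 and keeps whatever value it held before the sequence-done interrupt. Nothing in this hunk shows where the field is set for those versions, so it is worth confirming that the v6/v7 path fills it in before any scratch buffer is sized from it. The guard would also read better with the reason next to it: `/* MFC v6/v7 have no min scratch buffer size register */`. The function starts above and continues below the hunk.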
+++ b/queue-5.1/media-s5p-mfc-make-additional-clocks-optional.patch
@@ -0,0 +1,44 @@
+From 0d2639816a21b5228785ee87ad1ffea3c538c636 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Thu, 13 Jun 2019 06:48:34 -0400
+Subject: media: s5p-mfc: Make additional clocks optional
+
+[ Upstream commit e08efef8fe7db87206314c19b341612c719f891a ]
+
+Since the beginning the second clock ('special', 'sclk') was optional and
+it is not available on some variants of Exynos SoCs (i.e. Exynos5420 with
+v7 of MFC hardware).
+
+However commit 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+made handling of all specified clocks mandatory. This patch restores
+original behavior of the driver and fixes its operation on
+Exynos5420 SoCs.
+
+Fixes: 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+Signed-off-by: Marek Szyprowski
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+index eb85cedc5ef3..5e080f32b0e8 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+@@ -38,6 +38,11 @@ int s5p_mfc_init_pm(struct s5p_mfc_dev *dev)
+ for (i = 0; i < pm->num_clocks; i++) {
+ pm->clocks[i] = devm_clk_get(pm->device, pm->clk_names[i]);
+ if (IS_ERR(pm->clocks[i])) {
++ /* additional clocks are optional */
++ if (i && PTR_ERR(pm->clocks[i]) == -ENOENT) {
++ pm->clocks[i] = NULL;
++ continue;
++ }
+ mfc_err("Failed to get clock: %s\n",
+ pm->clk_names[i]);
+ return PTR_ERR(pm->clocks[i]);
+--
+2.20.1
+
diff --git a/queue-5.1/media-saa7164-fix-remove_proc_entry-warning.patch b/queue-5.1/media-saa7164-fix-remove_proc_entry-warning.patch
new file mode 100644
index 00000000000..ae6e1143c26
--- /dev/null
+++ b/queue-5.1/media-saa7164-fix-remove_proc_entry-warning.patch
@@ -0,0 +1,104 @@
+From f7a1f227b251aae380d18b5145aab447772cf57f Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Mon, 27 May 2019 08:14:55 -0400
+Subject: media: saa7164: fix remove_proc_entry warning
+
+[ Upstream commit 50710eeefbc1ed25375942aad0c4d1eb4af0f330 ]
+
+if saa7164_proc_create() fails, saa7164_fini() will trigger a warning,
+
+name 'saa7164'
+WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0
+ ? remove_proc_entry+0x1e8/0x3a0
+ ? try_stop_module+0x7b/0x240
+ ? proc_readdir+0x70/0x70
+ ? rcu_read_lock_sched_held+0xd7/0x100
+ saa7164_fini+0x13/0x1f [saa7164]
+ __x64_sys_delete_module+0x30c/0x480
+ ? __ia32_sys_delete_module+0x480/0x480
+ ? __x64_sys_clock_gettime+0x11e/0x1c0
+ ? __x64_sys_timer_create+0x1a0/0x1a0
+ ? trace_hardirqs_off_caller+0x40/0x180
+ ? do_syscall_64+0x18/0x450
+ do_syscall_64+0x9f/0x450
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix it by checking the return of proc_create_single() before
+calling remove_proc_entry().
+
+Signed-off-by: Kefeng Wang
+Signed-off-by: Hans Verkuil
+[hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO]
+[hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO]
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/saa7164/saa7164-core.c | 33 ++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
+index 05f25c9bb308..f5ad3cf207d3 100644
+--- a/drivers/media/pci/saa7164/saa7164-core.c
++++ b/drivers/media/pci/saa7164/saa7164-core.c
+@@ -1122,16 +1122,25 @@ static int saa7164_proc_show(struct seq_file *m, void *v)
+ return 0;
+ }
+
++static struct proc_dir_entry *saa7164_pe;
++
+ static int saa7164_proc_create(void)
+ {
+- struct proc_dir_entry *pe;
+-
+- pe = proc_create_single("saa7164", S_IRUGO, NULL, saa7164_proc_show);
+- if (!pe)
++ saa7164_pe = proc_create_single("saa7164", 0444, NULL, saa7164_proc_show);
++ if (!saa7164_pe)
+ return -ENOMEM;
+
+ return 0;
+ }
++
++static void saa7164_proc_destroy(void)
++{
++ if (saa7164_pe)
++ remove_proc_entry("saa7164", NULL);
++}
++#else
++static int saa7164_proc_create(void) { return 0; }
++static void saa7164_proc_destroy(void) {}
+ #endif
+
+ static int saa7164_thread_function(void *data)
+@@ -1503,19 +1512,21 @@ static struct pci_driver saa7164_pci_driver = {
+
+ static int __init saa7164_init(void)
+ {
+- printk(KERN_INFO "saa7164 driver loaded\n");
++ int ret = pci_register_driver(&saa7164_pci_driver);
++
++ if (ret)
++ return ret;
+
+-#ifdef CONFIG_PROC_FS
+ saa7164_proc_create();
+-#endif
+- return pci_register_driver(&saa7164_pci_driver);
++
++ pr_info("saa7164 driver loaded\n");
++
++ return 0;
+ }
+
+ static void __exit saa7164_fini(void)
+ {
+-#ifdef CONFIG_PROC_FS
+- remove_proc_entry("saa7164", NULL);
+-#endif
++ saa7164_proc_destroy();
+ pci_unregister_driver(&saa7164_pci_driver);
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-spi-ir-led-add-missing-of-table-registration.patch b/queue-5.1/media-spi-ir-led-add-missing-of-table-registration.patch
new file mode 100644
index 00000000000..01d9def181e
--- /dev/null
+++ b/queue-5.1/media-spi-ir-led-add-missing-of-table-registration.patch
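Review bot: In the rewritten `saa7164_init()` the return value of `saa7164_proc_create()` is still thrown away, so a failed `proc_create_single()` leaves the driver loaded without its /proc entry and without any trace in the log. Treating the entry as best-effort is reasonable now that `saa7164_proc_destroy()` checks `saa7164_pe`, but the failure should be visible, e.g. `if (saa7164_proc_create()) pr_warn("saa7164: /proc entry not created\n");`. The added `#else` stubs pair with an `#ifdef` that opens above the first hunk, so the guarding condition cannot be checked from here.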
@@ -0,0 +1,42 @@
+From f458662619174e8a995e40103cdce4b21f8b9a10 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez
+Date: Mon, 22 Apr 2019 15:10:20 -0400
+Subject: media: spi: IR LED: add missing of table registration
+
+[ Upstream commit 24e4cf770371df6ad49ed873f21618d9878f64c8 ]
+
+MODULE_DEVICE_TABLE(of, should be called to complete DT
+OF mathing mechanism and register it.
+
+Before this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+
+After this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+alias: of:N*T*Cir-spi-ledC*
+alias: of:N*T*Cir-spi-led
+
+Reported-by: Javier Martinez Canillas
+Signed-off-by: Daniel Gomez
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/rc/ir-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c
+index 66334e8d63ba..c58f2d38a458 100644
+--- a/drivers/media/rc/ir-spi.c
++++ b/drivers/media/rc/ir-spi.c
+@@ -161,6 +161,7 @@ static const struct of_device_id ir_spi_of_match[] = {
+ { .compatible = "ir-spi-led" },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, ir_spi_of_match);
+
+ static struct spi_driver ir_spi_driver = {
+ .probe = ir_spi_probe,
+--
+2.20.1
+
diff --git a/queue-5.1/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch b/queue-5.1/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
new file mode 100644
index 00000000000..a37fb5ceb77
--- /dev/null
+++ b/queue-5.1/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
@@ -0,0 +1,36 @@
+From af0d0c1086290209a590bc4891c28123e96f561c Mon Sep 17 00:00:00 2001
+From: Shailendra Verma
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 510202a3b091..84cca18e3e9d 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -419,6 +419,9 @@ static int vpfe_open(struct file *file)
+ /* If decoder is not initialized. initialize it */
+ if (!video->initialized && vpfe_update_pipe_state(video)) {
+ mutex_unlock(&video->lock);
++ v4l2_fh_del(&handle->vfh);
++ v4l2_fh_exit(&handle->vfh);
++ kfree(handle);
+ return -ENODEV;
+ }
+ /* Increment device users counter */
+--
+2.20.1
+
diff --git a/queue-5.1/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-z.patch b/queue-5.1/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-z.patch
new file mode 100644
index 00000000000..ca7008ba728
--- /dev/null
+++ b/queue-5.1/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-z.patch
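Review bot: The new error path in `vpfe_open()` frees `handle` right after `v4l2_fh_del()` and `v4l2_fh_exit()`, which is only safe if nothing else still points at it, in particular `file->private_data`. The assignment of `file->private_data` is not in this hunk (the function starts above it and continues below), so please confirm it happens after this check. If it can already be set at this point, add `file->private_data = NULL;` before the `kfree(handle);` so the failed open cannot leave a dangling pointer behind.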
@@ -0,0 +1,82 @@
+From 84973b3b0590ff89ebb44e6f9b69a140c1a90d65 Mon Sep 17 00:00:00 2001
+From: Vandana BN
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in
+ zr364xx_vidioc_querycap
+
+[ Upstream commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e ]
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+ read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+ strscpy+0x8a/0x280 lib/string.c:207
+ zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+ v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+ __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+ video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+ v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+ ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31
d2 48 29 c2 64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
+index 96fee8d5b865..cd2bc9ed0cd9 100644
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -703,7 +703,8 @@ static int zr364xx_vidioc_querycap(struct file *file, void *priv,
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strscpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strscpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strscpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strscpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
+--
+2.20.1
+
diff --git a/queue-5.1/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch b/queue-5.1/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch
new file mode 100644
index 00000000000..114d1d1748f
--- /dev/null
+++ b/queue-5.1/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch
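Review bot: When `cam->udev->product` is NULL the new code in `zr364xx_vidioc_querycap()` skips the `strscpy()` and writes nothing to `cap->card`, although the commit message says an empty string is copied. The reported card name is therefore only well defined if the caller zeroed `*cap` before the handler ran, which is not visible in this hunk; otherwise whatever bytes were already in `cap->card` go back to user space. An explicit branch removes that dependency: `else cap->card[0] = '\0';`. The function continues below the hunk.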
@@ -0,0 +1,37 @@
+From b365c2831ab267fff88286b621fb3b22bad85460 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 30 Apr 2019 08:28:14 -0400
+Subject: media: uvcvideo: Fix access to uninitialized fields on probe error
+
+[ Upstream commit 11a087f484bf15ff65f0a9f277aa5a61fd07ed2a ]
+
+We need to check whether this work we are canceling actually is
+initialized.
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 14cff91b7aea..aa021498036a 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -2350,7 +2350,9 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev)
+ struct uvc_entity *entity;
+ unsigned int i;
+
+- cancel_work_sync(&dev->async_ctrl.work);
++ /* Can be uninitialized if we are aborting on probe error. */
++ if (dev->async_ctrl.work.func)
++ cancel_work_sync(&dev->async_ctrl.work);
+
+ /* Free controls and control mappings for all entities. */
+ list_for_each_entry(entity, &dev->entities, list) {
+--
+2.20.1
+
diff --git a/queue-5.1/media-v4l2-core-fix-use-after-free-error.patch b/queue-5.1/media-v4l2-core-fix-use-after-free-error.patch
new file mode 100644
index 00000000000..c86c9fc6a36
--- /dev/null
+++ b/queue-5.1/media-v4l2-core-fix-use-after-free-error.patch
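Review bot: The `dev->async_ctrl.work.func` test in `uvc_ctrl_cleanup_device()` uses an internal member of `struct work_struct` as an "initialised" flag, which only holds if `dev` is zero-allocated and the work item is set up exactly once; neither is visible in this hunk. The new comment says when the work can be uninitialised but not why `func` is a reliable indicator. Once the allocation has been checked I would extend it to `/* Can be uninitialized if we are aborting on probe error; dev is zero-allocated, so work.func stays NULL until INIT_WORK() has run. */`.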
@@ -0,0 +1,91 @@
+From 192531324d47612cd3530e432c1632b5c26fa0e3 Mon Sep 17 00:00:00 2001
+From: sumitg
+Date: Fri, 17 May 2019 09:53:42 -0400
+Subject: media: v4l2-core: fix use-after-free error
+
+[ Upstream commit 3e0f724346e96daae7792262c6767449795ac3b5 ]
+
+Fixing use-after-free within __v4l2_ctrl_handler_setup().
+Memory is being freed with kfree(new_ref) for duplicate
+control reference entry but ctrl->cluster pointer is still
+referring to freed duplicate entry resulting in error on
+access. Change done to update cluster pointer only when new
+control reference is added.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in __v4l2_ctrl_handler_setup+0x388/0x428
+ Read of size 8 at addr ffffffc324e78618 by task systemd-udevd/312
+
+ Allocated by task 312:
+
+ Freed by task 312:
+
+ The buggy address belongs to the object at ffffffc324e78600
+ which belongs to the cache kmalloc-64 of size 64
+ The buggy address is located 24 bytes inside of
+ 64-byte region [ffffffc324e78600, ffffffc324e78640)
+ The buggy address belongs to the page:
+ page:ffffffbf0c939e00 count:1 mapcount:0 mapping:
+ (null) index:0xffffffc324e78f80
+ flags: 0x4000000000000100(slab)
+ raw: 4000000000000100 0000000000000000 ffffffc324e78f80 000000018020001a
+ raw: 0000000000000000 0000000100000001 ffffffc37040fb80 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffffffc324e78500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffffffc324e78580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ >ffffffc324e78600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffffffc324e78680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ ffffffc324e78700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+
+Suggested-by: Hans Verkuil
+Signed-off-by: Sumit Gupta
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho
Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
+index 54d66dbc2a31..fd18923ccc14 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2148,15 +2148,6 @@ static int handler_new_ref(struct v4l2_ctrl_handler *hdl,
+ if (size_extra_req)
+ new_ref->p_req.p = &new_ref[1];
+
+- if (ctrl->handler == hdl) {
+- /* By default each control starts in a cluster of its own.
+- new_ref->ctrl is basically a cluster array with one
+- element, so that's perfect to use as the cluster pointer.
+- But only do this for the handler that owns the control. */
+- ctrl->cluster = &new_ref->ctrl;
+- ctrl->ncontrols = 1;
+- }
+-
+ INIT_LIST_HEAD(&new_ref->node);
+
+ mutex_lock(hdl->lock);
+@@ -2189,6 +2180,15 @@ static int handler_new_ref(struct v4l2_ctrl_handler *hdl,
+ hdl->buckets[bucket] = new_ref;
+ if (ctrl_ref)
+ *ctrl_ref = new_ref;
++ if (ctrl->handler == hdl) {
++ /* By default each control starts in a cluster of its own.
++ * new_ref->ctrl is basically a cluster array with one
++ * element, so that's perfect to use as the cluster pointer.
++ * But only do this for the handler that owns the control.
++ */
++ ctrl->cluster = &new_ref->ctrl;
++ ctrl->ncontrols = 1;
++ }
+
+ unlock:
+ mutex_unlock(hdl->lock);
+--
+2.20.1
+
diff --git a/queue-5.1/media-venus-firmware-fix-leaked-of_node-references.patch b/queue-5.1/media-venus-firmware-fix-leaked-of_node-references.patch
new file mode 100644
index 00000000000..2c646f2c016
--- /dev/null
+++ b/queue-5.1/media-venus-firmware-fix-leaked-of_node-references.patch
@@ -0,0 +1,54 @@
+From 6ac7dd3a73d83b71b57b74d2fcee9ff4d6b5a716 Mon Sep 17 00:00:00 2001
+From: Wen Yang
+Date: Mon, 6 May 2019 03:05:15 -0400
+Subject: media: venus: firmware: fix leaked of_node references
+
+[ Upstream commit 2c41cc0be07b5ee2f1167f41cd8a86fc5b53d82c ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+drivers/media/platform/qcom/venus/firmware.c:90:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+drivers/media/platform/qcom/venus/firmware.c:94:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+drivers/media/platform/qcom/venus/firmware.c:128:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang
+Acked-by: Stanimir Varbanov
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/qcom/venus/firmware.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c
+index 6cfa8021721e..f81449b400c4 100644
+--- a/drivers/media/platform/qcom/venus/firmware.c
++++ b/drivers/media/platform/qcom/venus/firmware.c
+@@ -87,11 +87,11 @@ static int venus_load_fw(struct venus_core *core, const char *fwname,
+
+ ret = of_address_to_resource(node, 0, &r);
+ if (ret)
+- return ret;
++ goto err_put_node;
+
+ ret = request_firmware(&mdt, fwname, dev);
+ if (ret < 0)
+- return ret;
++ goto err_put_node;
+
+ fw_size = qcom_mdt_get_size(mdt);
+ if (fw_size < 0) {
+@@ -125,6 +125,8 @@ static int venus_load_fw(struct venus_core *core, const char *fwname,
+ memunmap(mem_va);
+ err_release_fw:
+ release_firmware(mdt);
++err_put_node:
++ of_node_put(node);
+ return ret;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-vim2m-fix-two-double-free-issues.patch b/queue-5.1/media-vim2m-fix-two-double-free-issues.patch
new file mode 100644
index 00000000000..f5556850b9e
--- /dev/null
+++ b/queue-5.1/media-vim2m-fix-two-double-free-issues.patch
@@ -0,0 +1,57 @@
+From 112acb50653bf619a5c97614e950a7d702643f51 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Mon, 13 May 2019 03:18:29 -0400
+Subject: media: vim2m: fix two double-free issues
+
+[ Upstream commit 20059cbbf981ca954be56f7963ae494d18e2dda1 ]
+
+vim2m_device_release() will be called by video_unregister_device() to release
+various objects.
+
+There are two double-free issue,
+1. dev->m2m_dev will be freed twice in error_m2m path/vim2m_device_release
+2. the error_v4l2 and error_free path in vim2m_probe() will release
+ same objects, since vim2m_device_release has done.
+
+Fixes: ea6c7e34f3b2 ("media: vim2m: replace devm_kzalloc by kzalloc")
+
+Cc: Laurent Pinchart
+Reported-by: Hulk Robot
+Signed-off-by: Kefeng Wang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/vim2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c
+index dd47821fc661..240327d2a3ad 100644
+--- a/drivers/media/platform/vim2m.c
++++ b/drivers/media/platform/vim2m.c
+@@ -1355,7 +1355,7 @@ static int vim2m_probe(struct platform_device *pdev)
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem media controller\n");
+- goto error_m2m;
++ goto error_dev;
+ }
+
+ ret = media_device_register(&dev->mdev);
+@@ -1369,11 +1369,11 @@ static int vim2m_probe(struct platform_device *pdev)
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ error_m2m_mc:
+ v4l2_m2m_unregister_media_controller(dev->m2m_dev);
+-error_m2m:
+- v4l2_m2m_release(dev->m2m_dev);
+ #endif
+ error_dev:
+ video_unregister_device(&dev->vfd);
++ /* vim2m_device_release called by video_unregister_device to release various objects */
++ return ret;
+ error_v4l2:
+ v4l2_device_unregister(&dev->v4l2_dev);
+ error_free:
+--
+2.20.1
+
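Review bot: After this change every `goto error_dev` in `vim2m_probe()` depends on `vim2m_device_release()` to free everything, including `dev->m2m_dev`, so the callback now also runs on paths where the device is only partly set up. The callback and the earlier probe steps are outside the hunks; it is worth checking each jump to `error_dev` that can happen before `dev->m2m_dev` holds a valid pointer, because the release path would then pass a NULL or error pointer to `v4l2_m2m_release()`. The added comment is also longer than 80 columns and could be shortened to `/* vim2m_device_release() has already freed dev via video_unregister_device() */`.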
diff --git a/queue-5.1/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch b/queue-5.1/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch
new file mode 100644
index 00000000000..efe4d41deee
--- /dev/null
+++ b/queue-5.1/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch
@@ -0,0 +1,49 @@
+From c5378cc27dcb98d5edf74cd95927d2e7efbf204f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Almeida?=
+Date: Mon, 17 Jun 2019 12:28:02 -0400
+Subject: media: vimc: cap: check v4l2_fill_pixfmt return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 77ae46e11df5c96bb4582633851f838f5d954df4 ]
+
+v4l2_fill_pixfmt() returns -EINVAL if the pixelformat used as parameter is
+invalid or if the user is trying to use a multiplanar format with the
+singleplanar API. Currently, the vimc_cap_try_fmt_vid_cap() returns such
+value, but vimc_cap_s_fmt_vid_cap() is ignoring it. Fix that and returns
+an error value if vimc_cap_try_fmt_vid_cap() has failed.
+
+Signed-off-by: André Almeida
+Suggested-by: Helen Koike
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/vimc/vimc-capture.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-capture.c b/drivers/media/platform/vimc/vimc-capture.c
+index ea869631a3f6..bbc16072ec16 100644
+--- a/drivers/media/platform/vimc/vimc-capture.c
++++ b/drivers/media/platform/vimc/vimc-capture.c
+@@ -130,12 +130,15 @@ static int vimc_cap_s_fmt_vid_cap(struct file *file, void *priv,
+ struct v4l2_format *f)
+ {
+ struct vimc_cap_device *vcap = video_drvdata(file);
++ int ret;
+
+ /* Do not change the format while stream is on */
+ if (vb2_is_busy(&vcap->queue))
+ return -EBUSY;
+
+- vimc_cap_try_fmt_vid_cap(file, priv, f);
++ ret = vimc_cap_try_fmt_vid_cap(file, priv, f);
++ if (ret)
++ return ret;
+
+ dev_dbg(vcap->dev, "%s: format update: "
+ "old:%dx%d (0x%x, %d, %d, %d, %d) "
+--
+2.20.1
+
diff --git a/queue-5.1/media-vpss-fix-a-potential-null-pointer-dereference.patch b/queue-5.1/media-vpss-fix-a-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..264a35d2df7
--- /dev/null
+++ b/queue-5.1/media-vpss-fix-a-potential-null-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 31eb30109d9e679ffe162845905846d37cd34593 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu
+Acked-by: Lad, Prabhakar
+Reviewed-by: Mukesh Ojha
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index 19cf6853411e..89a86c19579b 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -518,6 +518,11 @@ static int __init vpss_init(void)
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++ if (unlikely(!oper_cfg.vpss_regs_base2)) {
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return -ENOMEM;
++ }
++
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+
+--
+2.20.1
+
diff --git a/queue-5.1/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch b/queue-5.1/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
new file mode 100644
index 00000000000..ede887df307
--- /dev/null
+++ b/queue-5.1/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
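Review bot: `unlikely()` on the new `ioremap()` check in vpss_init() buys nothing in a one-shot `__init` path; `if (!oper_cfg.vpss_regs_base2) {` says the same thing with less noise. The region size `4` is now written out in both `ioremap()` and `release_mem_region()`, so a named constant would stop the two from drifting apart. vpss_init() continues past the hunk; if a later step there can fail, it needs the matching `iounmap()` and `release_mem_region()` as well, which cannot be checked from the lines shown.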
@@ -0,0 +1,100 @@
+From 12c9aa0b3502b5e2c3703d9fc0902228cf9a38cc Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+ BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+ CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+ v4l2_open+0x191/0x390 [videodev]
+ chrdev_open+0x20d/0x570 fs/char_dev.c:417
+ do_dentry_open+0x700/0xf30 fs/open.c:777
+ do_last fs/namei.c:3416 [inline]
+ path_openat+0x7c4/0x2a90 fs/namei.c:3532
+ do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+ do_sys_open+0x302/0x490 fs/open.c:1069
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8180c17c8e
+ ...
+ Allocated by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ fm_drv_init+0x13/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3958
+ fm_drv_init+0x1e6/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil
+Reported-by: Hulk Robot
+Signed-off-by: Kefeng Wang
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index e25fd4d4d280..a1eaea19a81c 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -550,6 +550,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+
+ /* Register with V4L2 subsystem as RADIO device */
+ if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ fmerr("Could not register video device\n");
+ return -ENOMEM;
+ }
+@@ -563,6 +564,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+ if (ret < 0) {
+ fmerr("(fmdev): Can't init ctrl handler\n");
+ v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++ video_unregister_device(fmdev->radio_dev);
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ return -EBUSY;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/mips-ath79-fix-ar933x-uart-parity-mode.patch b/queue-5.1/mips-ath79-fix-ar933x-uart-parity-mode.patch
new file mode 100644
index 00000000000..5b15d61d45c
--- /dev/null
+++ b/queue-5.1/mips-ath79-fix-ar933x-uart-parity-mode.patch
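Review bot: Both error paths touched in fm_v4l2_init_video_device() still throw away the real error code: the first returns `-ENOMEM` whatever `video_register_device()` reported, and the second returns `-EBUSY` although `ret` already holds the control-handler error. Unless callers test for those specific values, propagating the cause makes a failed probe diagnosable, i.e. capture the result of `video_register_device()` in `ret` and use `return ret;` in both blocks. The second path unregisters `fmdev->radio_dev` while registration was done on `&gradio_dev`; the assignment that links the two is outside the hunk, so confirm it runs before the control-handler setup, or pass `&gradio_dev` here as well.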
@@ -0,0 +1,40 @@
+From 99d98ee36795aa215003c374c943c6dcd6cbf1ce Mon Sep 17 00:00:00 2001
+From: Stefan Hellermann
+Date: Mon, 17 Jun 2019 15:43:59 +0200
+Subject: MIPS: ath79: fix ar933x uart parity mode
+
+[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
+
+While trying to get the uart with parity working I found setting even
+parity enabled odd parity insted. Fix the register settings to match
+the datasheet of AR9331.
+
+A similar patch was created by 8devices, but not sent upstream.
+https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c
+
+Signed-off-by: Stefan Hellermann
+Signed-off-by: Paul Burton
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+index c2917b39966b..bba2c8837951 100644
+--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h
++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+@@ -27,8 +27,8 @@
+ #define AR933X_UART_CS_PARITY_S 0
+ #define AR933X_UART_CS_PARITY_M 0x3
+ #define AR933X_UART_CS_PARITY_NONE 0
+-#define AR933X_UART_CS_PARITY_ODD 1
+-#define AR933X_UART_CS_PARITY_EVEN 2
++#define AR933X_UART_CS_PARITY_ODD 2
++#define AR933X_UART_CS_PARITY_EVEN 3
+ #define AR933X_UART_CS_IF_MODE_S 2
+ #define AR933X_UART_CS_IF_MODE_M 0x3
+ #define AR933X_UART_CS_IF_MODE_NONE 0
+--
+2.20.1
+
diff --git a/queue-5.1/mips-fix-build-on-non-linux-hosts.patch b/queue-5.1/mips-fix-build-on-non-linux-hosts.patch
new file mode 100644
index 00000000000..60e58b48688
--- /dev/null
+++ b/queue-5.1/mips-fix-build-on-non-linux-hosts.patch
@@ -0,0 +1,67 @@ +From 04d1f278c4511d439ae7682ffe11e031c5a7b877 Mon Sep 17 00:00:00 2001 +From: Kevin Darbyshire-Bryant +Date: Wed, 19 Jun 2019 15:08:18 +0100 +Subject: MIPS: fix build on non-linux hosts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ] + +calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment +purposes. It included "../../../../include/linux/sizes.h" to define +that size, however "sizes.h" tries to include which +assumes linux system headers. These may not exist eg. the following +error was encountered when building Linux for OpenWrt under macOS: + +In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16: +arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found + ^~~~~~~~~~ + +Change makefile to force building on local linux headers instead of +system headers. Also change eye-watering relative reference in include +file spec. + +Thanks to Jo-Philip Wich & Petr Å tetiar for assistance in tracking this +down & fixing. 
+ +Suggested-by: Jo-Philipp Wich +Signed-off-by: Petr Å tetiar +Signed-off-by: Kevin Darbyshire-Bryant +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/boot/compressed/Makefile | 2 ++ + arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile +index 3c453a1f1ff1..172801ed35b8 100644 +--- a/arch/mips/boot/compressed/Makefile ++++ b/arch/mips/boot/compressed/Makefile +@@ -78,6 +78,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \ + $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE + $(call if_changed,objcopy) + ++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE) ++ + # Calculate the load address of the compressed kernel image + hostprogs-y := calc_vmlinuz_load_addr + +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +index 542c3ede9722..d14f75ec8273 100644 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include "../../../../include/linux/sizes.h" ++#include + + int main(int argc, char *argv[]) + { +-- +2.20.1 + diff --git a/queue-5.1/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch b/queue-5.1/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch new file mode 100644 index 00000000000..1b55552afdf --- /dev/null +++ b/queue-5.1/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch 
@@ -0,0 +1,114 @@
+From 40ad86a3f21b40bc43fe3d59dccf45ad11669588 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi
+Date: Fri, 7 Jun 2019 13:48:09 +0200
+Subject: mt7601u: do not schedule rx_tasklet when the device has been
+ disconnected
+
+[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ]
+
+Do not schedule rx_tasklet when the usb dongle is disconnected.
+Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
+can run concurrently with urb completion and we can unlink urbs from rx
+ring in any order.
+This patch fixes the common kernel warning reported when
+the device is removed.
+
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+[ 24.921593] ------------[ cut here ]------------
+[ 24.921594] RX urb mismatch
+[ 24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G OE 4.19.31-041931-generic #201903231635
+[ 24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
+[ 24.921782] Workqueue: usb_hub_wq hub_event
+[ 24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
+[ 24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
+[ 24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
+[ 24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
+[ 24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
+[ 24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
+[ 24.921807] FS: 0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
+[ 24.921808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
+[ 24.921809] Call Trace:
+[ 24.921812]
+[ 24.921819] __usb_hcd_giveback_urb+0x8b/0x140
+[ 24.921821] usb_hcd_giveback_urb+0xca/0xe0
+[ 24.921828] xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
+[ 24.921834] handle_cmd_completion+0xe02/0x10d0
+[ 24.921837] xhci_irq+0x274/0x4a0
+[ 24.921838] xhci_msi_irq+0x11/0x20
+[ 24.921851] __handle_irq_event_percpu+0x44/0x190
+[ 24.921856] handle_irq_event_percpu+0x32/0x80
+[ 24.921861] handle_irq_event+0x3b/0x5a
+[ 24.921867] handle_edge_irq+0x80/0x190
+[ 24.921874] handle_irq+0x20/0x30
+[ 24.921889] do_IRQ+0x4e/0xe0
+[ 24.921891] common_interrupt+0xf/0xf
+[ 24.921892]
+[ 24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++----------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index f7edeffb2b19..134f8a5bb5d4 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb)
+ struct mt7601u_rx_queue *q = &dev->rx_q;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
++ /* do no schedule rx tasklet if urb has been unlinked
++ * or the device has been removed
++ */
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "rx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->rx_lock, flags);
+ if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch"))
+ goto out;
+
+@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb,
+ static void mt7601u_kill_rx(struct mt7601u_dev *dev)
+ {
+ int i;
+- unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
+-
+- for (i = 0; i < dev->rx_q.entries; i++) {
+- int next = dev->rx_q.end;
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
+- usb_poison_urb(dev->rx_q.e[next].urb);
+- spin_lock_irqsave(&dev->rx_lock, flags);
+- }
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
++ for (i = 0; i < dev->rx_q.entries; i++)
++ usb_poison_urb(dev->rx_q.e[i].urb);
+ }
+
+ static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev,
+--
+2.20.1
+
diff --git a/queue-5.1/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch b/queue-5.1/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
new file mode 100644
index 00000000000..b463e40e256
--- /dev/null
+++ b/queue-5.1/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
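Review bot: The comment opening the new switch in mt7601u_complete_rx() has a typo and says less than the code does: it should read `/* do not schedule rx tasklet if urb has been unlinked`, and it is worth adding that the function returns before taking `rx_lock` and before the `q->end` check. Putting `default:` ahead of `case 0:` and falling through works, but it is easy to misread; a switch that only handles the three unlink codes followed by `if (urb->status)` for the log line would be plainer. mt7601u_kill_rx() now walks `rx_q.e[i]` with no lock held, which the commit message justifies, so a one-line comment such as `/* no rx_lock: usb_poison_urb() may run concurrently with urb completion */` would keep the lock from being reintroduced later.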
@@ -0,0 +1,125 @@
+From 88bf10f777263c120777a4a0e74a70561a7140c1 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi
+Date: Fri, 7 Jun 2019 13:48:10 +0200
+Subject: mt7601u: fix possible memory leak when the device is disconnected
+
+[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]
+
+When the device is disconnected while passing traffic it is possible
+to receive out of order urbs causing a memory leak since the skb linked
+to the current tx urb is not removed. Fix the issue deallocating the skb
+cleaning up the tx ring. Moreover this patch fixes the following kernel
+warning
+
+[ 57.480771] usb 1-1: USB disconnect, device number 2
+[ 57.483451] ------------[ cut here ]------------
+[ 57.483462] TX urb mismatch
+[ 57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
+[ 57.483483] Modules linked in:
+[ 57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
+[ 57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[ 57.483502] Workqueue: usb_hub_wq hub_event
+[ 57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
+[ 57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
+[ 57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
+[ 57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
+[ 57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
+[ 57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
+[ 57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
+[ 57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
+[ 57.483548] FS: 0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
+[ 57.483550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
+[ 57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 57.483559] Call Trace:
+[ 57.483561]
+[ 57.483565] __usb_hcd_giveback_urb+0x77/0xe0
+[ 57.483570] xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
+[ 57.483574] handle_cmd_completion+0xf5b/0x12c0
+[ 57.483577] xhci_irq+0x1f6/0x1810
+[ 57.483581] ? lockdep_hardirqs_on+0x9e/0x180
+[ 57.483584] ? _raw_spin_unlock_irq+0x24/0x30
+[ 57.483588] __handle_irq_event_percpu+0x3a/0x260
+[ 57.483592] handle_irq_event_percpu+0x1c/0x60
+[ 57.483595] handle_irq_event+0x2f/0x4c
+[ 57.483599] handle_edge_irq+0x7e/0x1a0
+[ 57.483603] handle_irq+0x17/0x20
+[ 57.483607] do_IRQ+0x54/0x110
+[ 57.483610] common_interrupt+0xf/0xf
+[ 57.483612]
+
+Acked-by: Jakub Kicinski
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
+ drivers/net/wireless/mediatek/mt7601u/tx.c | 4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 134f8a5bb5d4..401444f36402 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb)
+ struct sk_buff *skb;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->tx_lock, flags);
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->tx_lock, flags);
+ if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
+ goto out;
+
+ skb = q->e[q->start].skb;
++ q->e[q->start].skb = NULL;
+ trace_mt_tx_dma_done(dev, skb);
+
+ __skb_queue_tail(&dev->tx_skb_done, skb);
+@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
+ {
+ int i;
+
+- WARN_ON(q->used);
+-
+ for (i = 0; i < q->entries; i++) {
+ usb_poison_urb(q->e[i].urb);
++ if (q->e[i].skb)
++ mt7601u_tx_status(q->dev, q->e[i].skb);
+ usb_free_urb(q->e[i].urb);
+ }
+ }
+diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
+index 3600e911a63e..4d81c45722fb 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
+@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
+ info->status.rates[0].idx = -1;
+ info->flags |= IEEE80211_TX_STAT_ACK;
+
+- spin_lock(&dev->mac_lock);
++ spin_lock_bh(&dev->mac_lock);
+ ieee80211_tx_status(dev->hw, skb);
+- spin_unlock(&dev->mac_lock);
++ spin_unlock_bh(&dev->mac_lock);
+ }
+
+ static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
+--
+2.20.1
+
diff --git a/queue-5.1/net-axienet-fix-race-condition-causing-tx-hang.patch b/queue-5.1/net-axienet-fix-race-condition-causing-tx-hang.patch
new file mode 100644
index 00000000000..41dd445170b
--- /dev/null
+++ b/queue-5.1/net-axienet-fix-race-condition-causing-tx-hang.patch
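Review bot: In mt7601u_free_tx_queue() the skbs still attached to the ring are handed to mt7601u_tx_status(), and the context lines of the tx.c hunk show that function setting `IEEE80211_TX_STAT_ACK` unconditionally, so frames that never left a disconnected device are reported to mac80211 as acknowledged. If that is not intended, dropping them without a status report, e.g. `ieee80211_free_txskb(q->dev->hw, q->e[i].skb);`, avoids the false ACK; whether the hw is still registered at this point of teardown is decided outside the hunk. Clearing the slot afterwards with `q->e[i].skb = NULL;` would match what mt7601u_complete_tx() now does for completed entries. The new switch in mt7601u_complete_tx() also has no comment saying why unlinked URBs return before `tx_lock` is taken.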
@@ -0,0 +1,64 @@
+From 00f5bbf3658006903ba3dc2a2c04de61b5d80632 Mon Sep 17 00:00:00 2001
+From: Robert Hancock
+Date: Thu, 6 Jun 2019 16:28:17 -0600
+Subject: net: axienet: Fix race condition causing TX hang
+
+[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ]
+
+It is possible that the interrupt handler fires and frees up space in
+the TX ring in between checking for sufficient TX ring space and
+stopping the TX queue in axienet_start_xmit. If this happens, the
+queue wake from the interrupt handler will occur before the queue is
+stopped, causing a lost wakeup and the adapter's transmit hanging.
+
+To avoid this, after stopping the queue, check again whether there is
+sufficient space in the TX ring. If so, wake up the queue again.
+
+Signed-off-by: Robert Hancock
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 4041c75997ba..38a8ef194e05 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -614,6 +614,10 @@ static void axienet_start_xmit_done(struct net_device *ndev)
+
+ ndev->stats.tx_packets += packets;
+ ndev->stats.tx_bytes += size;
++
++ /* Matches barrier in axienet_start_xmit */
++ smp_mb();
++
+ netif_wake_queue(ndev);
+ }
+
+@@ -669,9 +673,19 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
+
+ if (axienet_check_tx_bd_space(lp, num_frag)) {
+- if (!netif_queue_stopped(ndev))
+- netif_stop_queue(ndev);
+- return NETDEV_TX_BUSY;
++ if (netif_queue_stopped(ndev))
++ return NETDEV_TX_BUSY;
++
++ netif_stop_queue(ndev);
++
++ /* Matches barrier in axienet_start_xmit_done */
++ smp_mb();
++
++ /* Space might have just been freed - check again */
++ if (axienet_check_tx_bd_space(lp, num_frag))
++ return NETDEV_TX_BUSY;
++
++ netif_wake_queue(ndev);
+ }
+
+ if (skb->ip_summed == CHECKSUM_PARTIAL) {
+--
+2.20.1
+
diff --git a/queue-5.1/net-fec-do-not-use-netdev-messages-too-early.patch b/queue-5.1/net-fec-do-not-use-netdev-messages-too-early.patch
new file mode 100644
index 00000000000..77a59dec9f0
--- /dev/null
+++ b/queue-5.1/net-fec-do-not-use-netdev-messages-too-early.patch
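Review bot: The two `smp_mb()` comments name the function each barrier pairs with but not the accesses being ordered, which is what a reader needs in order to judge whether the barrier sits in the right place. In axienet_start_xmit() I would write `/* Order netif_stop_queue() before re-reading ring space; pairs with smp_mb() in axienet_start_xmit_done() */`, and in axienet_start_xmit_done() the mirror image, ordering the ring updates before the queue-state test inside `netif_wake_queue()`. The descriptor updates themselves are above the first hunk, so that wording should be checked against them before it is committed.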
@@ -0,0 +1,50 @@
+From 8ec1bf7dca7a5a48eb0af2049ca323f7adecd66c Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 878ccce1dfcd..87a9c5716958 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1689,10 +1689,10 @@ static void fec_get_mac(struct net_device *ndev)
+ */
+ if (!is_valid_ether_addr(iap)) {
+ /* Report it and use a random ethernet address instead */
+- netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++ dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+ eth_hw_addr_random(ndev);
+- netdev_info(ndev, "Using random MAC address: %pM\n",
+- ndev->dev_addr);
++ dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++ ndev->dev_addr);
+ return;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-add-a-check-to-pointer-in-error_detected-an.patch b/queue-5.1/net-hns3-add-a-check-to-pointer-in-error_detected-an.patch
new file mode 100644
index 00000000000..836b05dd360
--- /dev/null
+++ b/queue-5.1/net-hns3-add-a-check-to-pointer-in-error_detected-an.patch
@@ -0,0 +1,53 @@
+From c3fb496ee43262731b2feb071203be941757d9d5 Mon Sep 17 00:00:00 2001
+From: Weihang Li
+Date: Mon, 3 Jun 2019 10:09:17 +0800
+Subject: net: hns3: add a check to pointer in error_detected and slot_reset
+
+[ Upstream commit 661262bc3e0ecc9a1aed39c6b2a99766da2c22e2 ]
+
+If we add a VF without loading hclgevf.ko and then there is a RAS error
+occurs, PCIe AER will call error_detected and slot_reset of all functions,
+and will get a NULL pointer when we check ad_dev->ops->handle_hw_ras_error.
+This will cause a call trace and failures on handling of follow-up RAS
+errors.
+
+This patch check ae_dev and ad_dev->ops at first to solve above issues.
+
+Signed-off-by: Weihang Li
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 5e41ed4954f9..cac17152157d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1847,9 +1847,9 @@ static pci_ers_result_t hns3_error_detected(struct pci_dev *pdev,
+ if (state == pci_channel_io_perm_failure)
+ return PCI_ERS_RESULT_DISCONNECT;
+
+- if (!ae_dev) {
++ if (!ae_dev || !ae_dev->ops) {
+ dev_err(&pdev->dev,
+- "Can't recover - error happened during device init\n");
++ "Can't recover - error happened before device initialized\n");
+ return PCI_ERS_RESULT_NONE;
+ }
+
+@@ -1868,6 +1868,9 @@ static pci_ers_result_t hns3_slot_reset(struct pci_dev *pdev)
+
+ dev_info(dev, "requesting reset due to PCI error\n");
+
++ if (!ae_dev || !ae_dev->ops)
++ return PCI_ERS_RESULT_NONE;
++
+ /* request the reset */
+ if (ae_dev->ops->reset_event) {
+ if (!ae_dev->override_pci_need_reset)
+--
+2.20.1
+
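Review bot: In hns3_slot_reset() the new `!ae_dev || !ae_dev->ops` check sits after `dev_info(dev, "requesting reset due to PCI error\n");`, so the log claims a reset was requested on exactly the path that returns `PCI_ERS_RESULT_NONE` without requesting one. Moving the check above the `dev_info()` and logging the bail-out the way hns3_error_detected() does, e.g. `dev_err(dev, "Can't recover - error happened before device initialized\n");`, keeps the two handlers consistent and leaves a trace for whoever debugs the failed recovery. Both functions extend beyond their hunks; the commit message says hns3_error_detected() goes on to use `ops->handle_hw_ras_error`, and whether that function pointer itself is tested before the call is not visible here.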
diff --git a/queue-5.1/net-hns3-add-asym-pause-support-to-fix-autoneg-probl.patch b/queue-5.1/net-hns3-add-asym-pause-support-to-fix-autoneg-probl.patch
new file mode 100644
index 00000000000..8f7bd5b79ea
--- /dev/null
+++ b/queue-5.1/net-hns3-add-asym-pause-support-to-fix-autoneg-probl.patch
@@ -0,0 +1,92 @@
+From 7701d2e2db4a7f6628a70b60120f1b988f85018e Mon Sep 17 00:00:00 2001
+From: Yonglong Liu
+Date: Fri, 28 Jun 2019 19:50:12 +0800
+Subject: net: hns3: add Asym Pause support to fix autoneg problem
+
+[ Upstream commit bc3781edcea017aa1a29abd953b776cdba298ce2 ]
+
+Local device and link partner config auto-negotiation on both,
+local device config pause frame use as: rx on/tx off,
+link partner config pause frame use as: rx off/tx on.
+
+We except the result is:
+Local device:
+Autonegotiate: on
+RX: on
+TX: off
+RX negotiated: on
+TX negotiated: off
+
+Link partner:
+Autonegotiate: on
+RX: off
+TX: on
+RX negotiated: off
+TX negotiated: on
+
+But actually, the result of Local device and link partner is both:
+Autonegotiate: on
+RX: off
+TX: off
+RX negotiated: off
+TX negotiated: off
+
+The root cause is that the supported flag is has only Pause,
+reference to the function genphy_config_advert():
+static int genphy_config_advert(struct phy_device *phydev)
+{
+ ...
+ linkmode_and(phydev->advertising, phydev->advertising,
+ phydev->supported);
+ ...
+}
+The pause frame use of link partner is rx off/tx on, so its
+advertising only set the bit Asym_Pause, and the supported is
+only set the bit Pause, so the result of linkmode_and(), is
+rx off/tx off.
+
+This patch adds Asym_Pause to the supported flag to fix it.
+
+Signed-off-by: Yonglong Liu
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 1 +
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 563eefa20003..14d37c26196b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -889,6 +889,7 @@ static void hclge_parse_copper_link_mode(struct hclge_dev *hdev,
+ linkmode_set_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_TP_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_Pause_BIT, supported);
++ linkmode_set_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, supported);
+ }
+
+ static void hclge_parse_link_mode(struct hclge_dev *hdev, u8 speed_ability)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 48eda2c6fdae..71a6f7c734b6 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -215,6 +215,13 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle)
+ linkmode_and(phydev->supported, phydev->supported, mask);
+ linkmode_copy(phydev->advertising, phydev->supported);
+
++ /* supported flag is Pause and Asym Pause, but default advertising
++ * should be rx on, tx on, so need clear Asym Pause in advertising
++ * flag
++ */
++ linkmode_clear_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
++ phydev->advertising);
++
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-add-some-error-checking-in-hclge_tm-module.patch b/queue-5.1/net-hns3-add-some-error-checking-in-hclge_tm-module.patch
new file mode 100644
index 00000000000..a5c882296f9
--- /dev/null
+++ b/queue-5.1/net-hns3-add-some-error-checking-in-hclge_tm-module.patch
@@ -0,0 +1,54 @@
+From 087a9443dcfb4664ed0d53e259487edf5d3b172d Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Fri, 28 Jun 2019 19:50:10 +0800
+Subject: net: hns3: add some error checking in hclge_tm module
+
+[ Upstream commit 04f25edb48c441fc278ecc154c270f16966cbb90 ]
+
+When hdev->tx_sch_mode is HCLGE_FLAG_VNET_BASE_SCH_MODE, the
+hclge_tm_schd_mode_vnet_base_cfg calls hclge_tm_pri_schd_mode_cfg
+with vport->vport_id as pri_id, which is used as index for
+hdev->tm_info.tc_info, it will cause out of bound access issue
+if vport_id is equal to or larger than HNAE3_MAX_TC.
+
+Also hardware only support maximum speed of HCLGE_ETHER_MAX_RATE.
+
+So this patch adds two checks for above cases.
+
+Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver")
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index a7bbb6d3091a..0d53062f7bb5 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -54,7 +54,8 @@ static int hclge_shaper_para_calc(u32 ir, u8 shaper_level,
+ u32 tick;
+
+ /* Calc tick */
+- if (shaper_level >= HCLGE_SHAPER_LVL_CNT)
++ if (shaper_level >= HCLGE_SHAPER_LVL_CNT ||
++ ir > HCLGE_ETHER_MAX_RATE)
+ return -EINVAL;
+
+ tick = tick_array[shaper_level];
+@@ -1124,6 +1125,9 @@ static int hclge_tm_schd_mode_vnet_base_cfg(struct hclge_vport *vport)
+ int ret;
+ u8 i;
+
++ if (vport->vport_id >= HNAE3_MAX_TC)
++ return -EINVAL;
++
+ ret = hclge_tm_pri_schd_mode_cfg(hdev, vport->vport_id);
+ if (ret)
+ return ret;
+--
+2.20.1
+
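Review bot: The `vport->vport_id >= HNAE3_MAX_TC` guard sits in hclge_tm_schd_mode_vnet_base_cfg(), the caller, while the commit message places the out-of-bounds index into `hdev->tm_info.tc_info` inside hclge_tm_pri_schd_mode_cfg(), so any other caller of that helper stays unguarded. The helper's body and its other call sites are outside the hunk and need checking, but putting the bound next to the array access, `if (pri_id >= HNAE3_MAX_TC) return -EINVAL;` at the top of hclge_tm_pri_schd_mode_cfg(), would cover every caller. In hclge_shaper_para_calc() the new `ir > HCLGE_ETHER_MAX_RATE` test would also benefit from a one-line comment saying the limit is the hardware maximum, which at present only the commit message states.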
diff --git a/queue-5.1/net-hns3-delay-ring-buffer-clearing-during-reset.patch b/queue-5.1/net-hns3-delay-ring-buffer-clearing-during-reset.patch
new file mode 100644
index 00000000000..3a444e99fc5
--- /dev/null
+++ b/queue-5.1/net-hns3-delay-ring-buffer-clearing-during-reset.patch
@@ -0,0 +1,93 @@
+From 0533d387a645097b7570b86e0aebdf6dbb491670 Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Thu, 13 Jun 2019 17:12:31 +0800
+Subject: net: hns3: delay ring buffer clearing during reset
+
+[ Upstream commit 3a30964a2eef6aabd3ab18b979ea0eacf1147731 ]
+
+The driver may not be able to disable the ring through firmware
+when downing the netdev during reset process, which may cause
+hardware accessing freed buffer problem.
+
+This patch delays the ring buffer clearing to reset uninit
+process because hardware will not access the ring buffer after
+hardware reset is completed.
+
+Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 6afdd376bc03..7e7c10513d2c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -28,7 +28,7 @@
+ #define hns3_tx_bd_count(S) DIV_ROUND_UP(S, HNS3_MAX_BD_SIZE)
+
+ static void hns3_clear_all_ring(struct hnae3_handle *h);
+-static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h);
++static void hns3_force_clear_all_ring(struct hnae3_handle *h);
+ static void hns3_remove_hw_addr(struct net_device *netdev);
+
+ static const char hns3_driver_name[] = "hns3";
+@@ -484,7 +484,12 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ /* free irq resources */
+ hns3_nic_uninit_irq(priv);
+
+- hns3_clear_all_ring(priv->ae_handle);
++ /* delay ring buffer clearing to hns3_reset_notify_uninit_enet
++ * during reset process, because driver may not be able
++ * to disable the ring through firmware when downing the netdev.
++ */
++ if (!hns3_nic_resetting(netdev))
++ hns3_clear_all_ring(priv->ae_handle);
+ }
+
+ static int hns3_nic_net_stop(struct net_device *netdev)
+@@ -3737,7 +3742,7 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_del_all_fd_rules(netdev, true);
+
+- hns3_force_clear_all_rx_ring(handle);
++ hns3_force_clear_all_ring(handle);
+
+ hns3_uninit_phy(netdev);
+
+@@ -3909,7 +3914,7 @@ static void hns3_force_clear_rx_ring(struct hns3_enet_ring *ring)
+ }
+ }
+
+-static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h)
++static void hns3_force_clear_all_ring(struct hnae3_handle *h)
+ {
+ struct net_device *ndev = h->kinfo.netdev;
+ struct hns3_nic_priv *priv = netdev_priv(ndev);
+@@ -3917,6 +3922,9 @@ static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h)
+ u32 i;
+
+ for (i = 0; i < h->kinfo.num_tqps; i++) {
++ ring = priv->ring_data[i].ring;
++ hns3_clear_tx_ring(ring);
++
+ ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+ hns3_force_clear_rx_ring(ring);
+ }
+@@ -4145,7 +4153,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle)
+ return 0;
+ }
+
+- hns3_force_clear_all_rx_ring(handle);
++ hns3_clear_all_ring(handle);
++ hns3_force_clear_all_ring(handle);
+
+ hns3_nic_uninit_vector_data(priv);
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-enable-broadcast-promisc-mode-when-initiali.patch b/queue-5.1/net-hns3-enable-broadcast-promisc-mode-when-initiali.patch
new file mode 100644
index 00000000000..2900808f82f
--- /dev/null
+++ b/queue-5.1/net-hns3-enable-broadcast-promisc-mode-when-initiali.patch
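Review bot: In hns3_reset_notify_uninit_enet() the two new clear calls come after an early `return 0;` whose condition is outside the hunk, while hns3_nic_net_down() now skips hns3_clear_all_ring() whenever hns3_nic_resetting() is true. If that early return can be taken after a down that happened during reset, the buffers whose release was deferred are never released, so it is worth confirming the two conditions cannot combine. The uninit path also appears to clear each TX ring twice, once via hns3_clear_all_ring() (the next patch in this queue shows it calling hns3_clear_tx_ring()) and again via the call added to hns3_force_clear_all_ring(). If both calls are intended, a comment at the call site such as `/* hardware reset is complete, so the rings can be released even if firmware never disabled them */` would record why.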
@@ -0,0 +1,59 @@
+From bcd582ab3e8be3d634870c590c2d4b4498a3fd88 Mon Sep 17 00:00:00 2001
+From: Jian Shen
+Date: Thu, 4 Jul 2019 22:04:20 +0800
+Subject: net: hns3: enable broadcast promisc mode when initializing VF
+
+[ Upstream commit 2d5066fc175ea77a733d84df9ef414b34f311641 ]
+
+For revision 0x20, the broadcast promisc is enabled by firmware,
+it's unnecessary to enable it when initializing VF.
+
+For revision 0x21, it's necessary to enable broadcast promisc mode
+when initializing or re-initializing VF, otherwise, it will be
+unable to send and receive promisc packets.
+
+Fixes: f01f5559cac8 ("net: hns3: don't allow vf to enable promisc mode")
+Signed-off-by: Jian Shen
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 8dd7fef863f6..d7a15d5b6b61 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2425,6 +2425,12 @@ static int hclgevf_reset_hdev(struct hclgevf_dev *hdev)
+ return ret;
+ }
+
++ if (pdev->revision >= 0x21) {
++ ret = hclgevf_set_promisc_mode(hdev, true);
++ if (ret)
++ return ret;
++ }
++
+ dev_info(&hdev->pdev->dev, "Reset done\n");
+
+ return 0;
+@@ -2504,9 +2510,11 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev)
+ * firmware makes sure broadcast packets can be accepted.
+ * For revision 0x21, default to enable broadcast promisc mode.
+ */
+- ret = hclgevf_set_promisc_mode(hdev, true);
+- if (ret)
+- goto err_config;
++ if (pdev->revision >= 0x21) {
++ ret = hclgevf_set_promisc_mode(hdev, true);
++ if (ret)
++ goto err_config;
++ }
+
+ /* Initialize RSS for this VF */
+ ret = hclgevf_rss_init_hw(hdev);
+--
+2.20.1
+
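Review bot: The revision threshold `0x21` is now written out twice, in hclgevf_reset_hdev() and hclgevf_init_hdev(), each time wrapped in the same block. A named constant or a small helper would keep the init and reset paths from drifting apart. The existing comment in hclgevf_init_hdev() says "For revision 0x21" while the code tests `>= 0x21`, so it should read "0x21 and later". The block added to hclgevf_reset_hdev() uses `pdev`, whereas the `dev_info()` just below goes through `hdev->pdev`; the declarations are outside the hunk, so it is worth confirming `pdev` is in scope in this backport.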
diff --git a/queue-5.1/net-hns3-fix-__queue_state_stack_xoff-not-cleared-is.patch b/queue-5.1/net-hns3-fix-__queue_state_stack_xoff-not-cleared-is.patch
new file mode 100644
index 00000000000..6cd6ad7754d
--- /dev/null
+++ b/queue-5.1/net-hns3-fix-__queue_state_stack_xoff-not-cleared-is.patch
@@ -0,0 +1,143 @@
+From b069643f38c75730c9c33bc8701143af9168cfdd Mon Sep 17 00:00:00 2001
+From: Huazhong Tan
+Date: Fri, 28 Jun 2019 19:50:07 +0800
+Subject: net: hns3: fix __QUEUE_STATE_STACK_XOFF not cleared issue
+
+[ Upstream commit f96315f2f17e7b2580d2fec7c4d6a706a131d904 ]
+
+When change MTU or other operations, which just calling .reset_notify
+to do HNAE3_DOWN_CLIENT and HNAE3_UP_CLIENT, then
+the netdev_tx_reset_queue() in the hns3_clear_all_ring() will be
+ignored. So the dev_watchdog() may misdiagnose a TX timeout.
+
+This patch separates netdev_tx_reset_queue() from
+hns3_clear_all_ring(), and unifies hns3_clear_all_ring() and
+hns3_force_clear_all_ring into one, since they are doing
+similar things.
+
+Fixes: 3a30964a2eef ("net: hns3: delay ring buffer clearing during reset")
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 54 +++++++++----------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 7e7c10513d2c..ecf6ad5bdc2d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -27,8 +27,7 @@
+ #define hns3_set_field(origin, shift, val) ((origin) |= ((val) << (shift)))
+ #define hns3_tx_bd_count(S) DIV_ROUND_UP(S, HNS3_MAX_BD_SIZE)
+
+-static void hns3_clear_all_ring(struct hnae3_handle *h);
+-static void hns3_force_clear_all_ring(struct hnae3_handle *h);
++static void hns3_clear_all_ring(struct hnae3_handle *h, bool force);
+ static void hns3_remove_hw_addr(struct net_device *netdev);
+
+ static const char hns3_driver_name[] = "hns3";
+@@ -459,6 +458,20 @@ static int hns3_nic_net_open(struct net_device *netdev)
+ return 0;
+ }
+
++static void hns3_reset_tx_queue(struct hnae3_handle *h)
++{
++ struct net_device *ndev = h->kinfo.netdev;
++ struct hns3_nic_priv *priv = netdev_priv(ndev);
++ struct netdev_queue *dev_queue;
++ u32 i;
++
++ for (i = 0; i < h->kinfo.num_tqps; i++) {
++ dev_queue = netdev_get_tx_queue(ndev,
++ priv->ring_data[i].queue_index);
++ netdev_tx_reset_queue(dev_queue);
++ }
++}
++
+ static void hns3_nic_net_down(struct net_device *netdev)
+ {
+ struct hns3_nic_priv *priv = netdev_priv(netdev);
+@@ -489,7 +502,9 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ * to disable the ring through firmware when downing the netdev.
+ */
+ if (!hns3_nic_resetting(netdev))
+- hns3_clear_all_ring(priv->ae_handle);
++ hns3_clear_all_ring(priv->ae_handle, false);
++
++ hns3_reset_tx_queue(priv->ae_handle);
+ }
+
+ static int hns3_nic_net_stop(struct net_device *netdev)
+@@ -3742,7 +3757,7 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_del_all_fd_rules(netdev, true);
+
+- hns3_force_clear_all_ring(handle);
++ hns3_clear_all_ring(handle, true);
+
+ hns3_uninit_phy(netdev);
+
+@@ -3914,43 +3929,26 @@ static void hns3_force_clear_rx_ring(struct hns3_enet_ring *ring)
+ }
+ }
+
+-static void hns3_force_clear_all_ring(struct hnae3_handle *h)
+-{
+- struct net_device *ndev = h->kinfo.netdev;
+- struct hns3_nic_priv *priv = netdev_priv(ndev);
+- struct hns3_enet_ring *ring;
+- u32 i;
+-
+- for (i = 0; i < h->kinfo.num_tqps; i++) {
+- ring = priv->ring_data[i].ring;
+- hns3_clear_tx_ring(ring);
+-
+- ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+- hns3_force_clear_rx_ring(ring);
+- }
+-}
+-
+-static void hns3_clear_all_ring(struct hnae3_handle *h)
++static void hns3_clear_all_ring(struct hnae3_handle *h, bool force)
+ {
+ struct net_device *ndev = h->kinfo.netdev;
+ struct hns3_nic_priv *priv = netdev_priv(ndev);
+ u32 i;
+
+ for (i = 0; i < h->kinfo.num_tqps; i++) {
+- struct netdev_queue *dev_queue;
+ struct hns3_enet_ring *ring;
+
+ ring = priv->ring_data[i].ring;
+ hns3_clear_tx_ring(ring);
+- dev_queue = netdev_get_tx_queue(ndev,
+- priv->ring_data[i].queue_index);
+- netdev_tx_reset_queue(dev_queue);
+
+ ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+ /* Continue to clear other rings even if clearing some
+ * rings failed.
+ */
+- hns3_clear_rx_ring(ring);
++ if (force)
++ hns3_force_clear_rx_ring(ring);
++ else
++ hns3_clear_rx_ring(ring);
+ }
+ }
+
+@@ -4153,8 +4151,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle)
+ return 0;
+ }
+
+- hns3_clear_all_ring(handle);
+- hns3_force_clear_all_ring(handle);
++ hns3_clear_all_ring(handle, true);
++ hns3_reset_tx_queue(priv->ae_handle);
+
+ hns3_nic_uninit_vector_data(priv);
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch b/queue-5.1/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch
new file mode 100644
index 00000000000..ba7d80c947b
--- /dev/null
+++ b/queue-5.1/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch
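Review bot: hns3_reset_tx_queue() is added without a comment, and the reason it has to run on every down, including the reset case where ring clearing is skipped, is recorded only in the commit message. A short header comment would carry that into the code, e.g. `/* Clear the stack-side TX queue state (__QUEUE_STATE_STACK_XOFF) on every down, independent of ring clearing */`. In hns3_reset_notify_uninit_enet() the new call passes `priv->ae_handle` while the line above it passes `handle`; using `handle` for both would be more consistent, assuming the two refer to the same object. The bare `true`/`false` arguments at the hns3_clear_all_ring() call sites are hard to read without looking up the parameter name.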
@@ -0,0 +1,44 @@
+From f40e00d4774f188edc34eb0047350fb09bc34cac Mon Sep 17 00:00:00 2001
+From: Yonglong Liu
+Date: Fri, 28 Jun 2019 19:50:11 +0800
+Subject: net: hns3: fix a -Wformat-nonliteral compile warning
+
+[ Upstream commit 18d219b783da61a6cc77581f55fc4af2fa16bc36 ]
+
+When setting -Wformat=2, there is a compiler warning like this:
+
+hclge_main.c:xxx:x: warning: format not a string literal and no
+format arguments [-Wformat-nonliteral]
+strs[i].desc);
+^~~~
+
+This patch adds missing format parameter "%s" to snprintf() to
+fix it.
+
+Fixes: 46a3df9f9718 ("Add HNS3 Acceleration Engine & Compatibility Layer Support")
+Signed-off-by: Yonglong Liu
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 6d4d5a470163..563eefa20003 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -550,8 +550,7 @@ static u8 *hclge_comm_get_strings(u32 stringset,
+ return buff;
+
+ for (i = 0; i < size; i++) {
+- snprintf(buff, ETH_GSTRING_LEN,
+- strs[i].desc);
++ snprintf(buff, ETH_GSTRING_LEN, "%s", strs[i].desc);
+ buff = buff + ETH_GSTRING_LEN;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-fix-for-dereferencing-before-null-checking.patch b/queue-5.1/net-hns3-fix-for-dereferencing-before-null-checking.patch
new file mode 100644
index 00000000000..447c66583f1
--- /dev/null
+++ b/queue-5.1/net-hns3-fix-for-dereferencing-before-null-checking.patch
@@ -0,0 +1,55 @@
+From 704a0a18e037aef812d0a5b6a4dbe81e1682318b Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Thu, 13 Jun 2019 17:12:29 +0800
+Subject: net: hns3: fix for dereferencing before null checking
+
+[ Upstream commit 757188005f905664b0186b88cf26a7e844190a63 ]
+
+The netdev is dereferenced before null checking in the function
+hns3_setup_tc.
+
+This patch moves the dereferencing after the null checking.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index cac17152157d..6afdd376bc03 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1497,12 +1497,12 @@ static void hns3_nic_get_stats64(struct net_device *netdev,
+ static int hns3_setup_tc(struct net_device *netdev, void *type_data)
+ {
+ struct tc_mqprio_qopt_offload *mqprio_qopt = type_data;
+- struct hnae3_handle *h = hns3_get_handle(netdev);
+- struct hnae3_knic_private_info *kinfo = &h->kinfo;
+ u8 *prio_tc = mqprio_qopt->qopt.prio_tc_map;
++ struct hnae3_knic_private_info *kinfo;
+ u8 tc = mqprio_qopt->qopt.num_tc;
+ u16 mode = mqprio_qopt->mode;
+ u8 hw = mqprio_qopt->qopt.hw;
++ struct hnae3_handle *h;
+
+ if (!((hw == TC_MQPRIO_HW_OFFLOAD_TCS &&
+ mode == TC_MQPRIO_MODE_CHANNEL) || (!hw && tc == 0)))
+@@ -1514,6 +1514,9 @@ static int hns3_setup_tc(struct net_device *netdev, void *type_data)
+ if (!netdev)
+ return -EINVAL;
+
++ h = hns3_get_handle(netdev);
++ kinfo = &h->kinfo;
++
+ return (kinfo->dcb_ops && kinfo->dcb_ops->setup_tc) ?
+ kinfo->dcb_ops->setup_tc(h, tc, prio_tc) : -EOPNOTSUPP;
+ }
+--
+2.20.1
+
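Review bot: The initialisers at the top of hns3_setup_tc() still dereference `mqprio_qopt` (`->qopt.prio_tc_map`, `->qopt.num_tc`, `->mode`, `->qopt.hw`) before any check, and `type_data` is never tested for NULL in the visible lines. The handle returned by hns3_get_handle() is likewise used as `&h->kinfo` with no check. Whether either can be NULL depends on callers outside the hunk, and part of the function body lies between the two hunks. If the `!netdev` test is kept as defensive code, treating `type_data` the same way would be consistent: leave the locals unassigned at declaration and test `if (!netdev || !type_data) return -EINVAL;` before reading any field.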
diff --git a/queue-5.1/net-hns3-fix-for-skb-leak-when-doing-selftest.patch b/queue-5.1/net-hns3-fix-for-skb-leak-when-doing-selftest.patch
new file mode 100644
index 00000000000..463bc027bef
--- /dev/null
+++ b/queue-5.1/net-hns3-fix-for-skb-leak-when-doing-selftest.patch
@@ -0,0 +1,48 @@
+From bcce53bc0267064a304fc5ed9f6b4333da69b7e1 Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin
+Date: Thu, 13 Jun 2019 17:12:30 +0800
+Subject: net: hns3: fix for skb leak when doing selftest
+
+[ Upstream commit 8f9eed1a8791b83eb1c54c261d68424717e4111e ]
+
+If hns3_nic_net_xmit does not return NETDEV_TX_BUSY when doing
+a loopback selftest, the skb is not freed in hns3_clean_tx_ring
+or hns3_nic_net_xmit, which causes skb not freed problem.
+
+This patch fixes it by freeing skb when hns3_nic_net_xmit does
+not return NETDEV_TX_OK.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+
+Signed-off-by: Yunsheng Lin
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index ea94b5152963..cf20fa6768d7 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -241,11 +241,13 @@ static int hns3_lp_run_test(struct net_device *ndev, enum hnae3_loop mode)
+
+ skb_get(skb);
+ tx_ret = hns3_nic_net_xmit(skb, ndev);
+- if (tx_ret == NETDEV_TX_OK)
++ if (tx_ret == NETDEV_TX_OK) {
+ good_cnt++;
+- else
++ } else {
++ kfree_skb(skb);
+ netdev_err(ndev, "hns3_lb_run_test xmit failed: %d\n",
+ tx_ret);
++ }
+ }
+ if (good_cnt != HNS3_NIC_LB_TEST_PKT_NUM) {
+ ret_val = HNS3_NIC_LB_TEST_TX_CNT_ERR;
+--
+2.20.1
+
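Review bot: The added `kfree_skb(skb)` balances the `skb_get(skb)` taken just before the transmit call, but nothing in the loop says so, and the commit message describes the triggering condition in two different ways. A comment on the else branch would make the ownership rule explicit, e.g. `/* xmit did not take the skb: drop the reference from skb_get() above */`. The branch runs for every return value other than NETDEV_TX_OK, so it is only correct if hns3_nic_net_xmit() never frees the skb itself on those paths; that function is outside the hunk and should be checked to rule out a double free.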
diff --git a/queue-5.1/net-hns3-initialize-cpu-reverse-mapping.patch b/queue-5.1/net-hns3-initialize-cpu-reverse-mapping.patch
new file mode 100644
index 00000000000..15baf46b4df
--- /dev/null
+++ b/queue-5.1/net-hns3-initialize-cpu-reverse-mapping.patch
@@ -0,0 +1,175 @@
+From d1aa0f75435e455fdbe8919d0e64c1a424036077 Mon Sep 17 00:00:00 2001
+From: Jian Shen
+Date: Fri, 24 May 2019 19:19:45 +0800
+Subject: net: hns3: initialize CPU reverse mapping
+
+[ Upstream commit ffab9691bcb2fe2594f4c38bfceb4d9685b93b87 ]
+
+Allocate CPU rmap and add entry for each irq. CPU rmap is
+used in aRFS to get the queue number of the rx completion
+interrupts.
+
+In additional, remove the calling of
+irq_set_affinity_notifier() in hns3_nic_init_irq(), because
+we have registered notifier in irq_cpu_rmap_add() for each
+vector, otherwise it may cause use-after-free issue.
+
+Signed-off-by: Jian Shen
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 77 ++++++++++++-------
+ 1 file changed, 48 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index c7d310903319..5e41ed4954f9 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4,6 +4,9 @@
+ #include
+ #include
+ #include
++#ifdef CONFIG_RFS_ACCEL
++#include
++#endif
+ #include
+ #include
+ #include
+@@ -72,23 +75,6 @@ static irqreturn_t hns3_irq_handle(int irq, void *vector)
+ return IRQ_HANDLED;
+ }
+
+-/* This callback function is used to set affinity changes to the irq affinity
+- * masks when the irq_set_affinity_notifier function is used.
+- */
+-static void hns3_nic_irq_affinity_notify(struct irq_affinity_notify *notify,
+- const cpumask_t *mask)
+-{
+- struct hns3_enet_tqp_vector *tqp_vectors =
+- container_of(notify, struct hns3_enet_tqp_vector,
+- affinity_notify);
+-
+- tqp_vectors->affinity_mask = *mask;
+-}
+-
+-static void hns3_nic_irq_affinity_release(struct kref *ref)
+-{
+-}
+-
+ static void hns3_nic_uninit_irq(struct hns3_nic_priv *priv)
+ {
+ struct hns3_enet_tqp_vector *tqp_vectors;
+@@ -100,8 +86,7 @@ static void hns3_nic_uninit_irq(struct hns3_nic_priv *priv)
+ if (tqp_vectors->irq_init_flag != HNS3_VECTOR_INITED)
+ continue;
+
+- /* clear the affinity notifier and affinity mask */
+- irq_set_affinity_notifier(tqp_vectors->vector_irq, NULL);
++ /* clear the affinity mask */
+ irq_set_affinity_hint(tqp_vectors->vector_irq, NULL);
+
+ /* release the irq resource */
+@@ -154,12 +139,6 @@ static int hns3_nic_init_irq(struct hns3_nic_priv *priv)
+ return ret;
+ }
+
+- tqp_vectors->affinity_notify.notify =
+- hns3_nic_irq_affinity_notify;
+- tqp_vectors->affinity_notify.release =
+- hns3_nic_irq_affinity_release;
+- irq_set_affinity_notifier(tqp_vectors->vector_irq,
+- &tqp_vectors->affinity_notify);
+ irq_set_affinity_hint(tqp_vectors->vector_irq,
+ &tqp_vectors->affinity_mask);
+
+@@ -333,6 +312,40 @@ static void hns3_tqp_disable(struct hnae3_queue *tqp)
+ hns3_write_dev(tqp, HNS3_RING_EN_REG, rcb_reg);
+ }
+
++static void hns3_free_rx_cpu_rmap(struct net_device *netdev)
++{
++#ifdef CONFIG_RFS_ACCEL
++ free_irq_cpu_rmap(netdev->rx_cpu_rmap);
++ netdev->rx_cpu_rmap = NULL;
++#endif
++}
++
++static int hns3_set_rx_cpu_rmap(struct net_device *netdev)
++{
++#ifdef CONFIG_RFS_ACCEL
++ struct hns3_nic_priv *priv = netdev_priv(netdev);
++ struct hns3_enet_tqp_vector *tqp_vector;
++ int i, ret;
++
++ if (!netdev->rx_cpu_rmap) {
++ netdev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->vector_num);
++ if (!netdev->rx_cpu_rmap)
++ return -ENOMEM;
++ }
++
++ for (i = 0; i < priv->vector_num; i++) {
++ tqp_vector = &priv->tqp_vector[i];
++ ret = irq_cpu_rmap_add(netdev->rx_cpu_rmap,
++ tqp_vector->vector_irq);
++ if (ret) {
++ hns3_free_rx_cpu_rmap(netdev);
++ return ret;
++ }
++ }
++#endif
++ return 0;
++}
++
+ static int hns3_nic_net_up(struct net_device *netdev)
+ {
+ struct hns3_nic_priv *priv = netdev_priv(netdev);
+@@ -344,11 +357,16 @@ static int hns3_nic_net_up(struct net_device *netdev)
+ if (ret)
+ return ret;
+
++ /* the device can work without cpu rmap, only aRFS needs it */
++ ret = hns3_set_rx_cpu_rmap(netdev);
++ if (ret)
++ netdev_warn(netdev, "set rx cpu rmap fail, ret=%d!\n", ret);
++
+ /* get irq resource for all vectors */
+ ret = hns3_nic_init_irq(priv);
+ if (ret) {
+ netdev_err(netdev, "hns init irq failed! ret=%d\n", ret);
+- return ret;
++ goto free_rmap;
+ }
+
+ clear_bit(HNS3_NIC_STATE_DOWN, &priv->state);
+@@ -377,7 +395,8 @@ static int hns3_nic_net_up(struct net_device *netdev)
+ hns3_vector_disable(&priv->tqp_vector[j]);
+
+ hns3_nic_uninit_irq(priv);
+-
++free_rmap:
++ hns3_free_rx_cpu_rmap(netdev);
+ return ret;
+ }
+
+@@ -460,6 +479,8 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ if (ops->stop)
+ ops->stop(priv->ae_handle);
+
++ hns3_free_rx_cpu_rmap(netdev);
++
+ /* free irq resources */
+ hns3_nic_uninit_irq(priv);
+
+@@ -3198,8 +3219,6 @@ static void hns3_nic_uninit_vector_data(struct hns3_nic_priv *priv)
+ hns3_free_vector_ring_chain(tqp_vector, &vector_ring_chain);
+
+ if (tqp_vector->irq_init_flag == HNS3_VECTOR_INITED) {
+- irq_set_affinity_notifier(tqp_vector->vector_irq,
+- NULL);
+ irq_set_affinity_hint(tqp_vector->vector_irq, NULL);
+ free_irq(tqp_vector->vector_irq, tqp_vector);
+ tqp_vector->irq_init_flag = HNS3_VECTOR_NOT_INITED;
+--
+2.20.1
+
diff --git a/queue-5.1/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch b/queue-5.1/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch
new file mode 100644
index 00000000000..e55af88637c
--- /dev/null
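Review bot: hns3_set_rx_cpu_rmap() allocates the map only when `netdev->rx_cpu_rmap` is NULL, yet it then calls irq_cpu_rmap_add() for all `priv->vector_num` vectors unconditionally. If the function is ever entered with a map left over from an earlier call, the same IRQs are added a second time to a map that was sized for `vector_num` entries. The visible callers free and NULL the map on down and on the error path, so the reuse branch may be unreachable, in which case the `if (!netdev->rx_cpu_rmap)` test is misleading. Either drop the reuse case or return early when a map already exists, and note in a comment that the map must be released before hns3_nic_uninit_irq() frees the IRQs, which is the order hns3_nic_net_down() now uses.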
+++ b/queue-5.1/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch
@@ -0,0 +1,44 @@
+From a77276fcc913113a689b77d1858677e2a6d90b7e Mon Sep 17 00:00:00 2001
+From: Weihang Li
+Date: Mon, 3 Jun 2019 10:09:18 +0800
+Subject: net: hns3: set ops to null when unregister ad_dev
+
+[ Upstream commit 594a81b39525f0a17e92c2e0b167ae1400650380 ]
+
+The hclge/hclgevf and hns3 module can be unloaded independently,
+when hclge/hclgevf unloaded firstly, the ops of ae_dev should
+be set to NULL, otherwise it will cause an use-after-free problem.
+
+Fixes: 38caee9d3ee8 ("net: hns3: Add support of the HNAE3 framework")
+Signed-off-by: Weihang Li
+Signed-off-by: Peng Li
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index 17ab4f4af6ad..0da814618565 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -247,6 +247,7 @@ void hnae3_unregister_ae_algo(struct hnae3_ae_algo *ae_algo)
+
+ ae_algo->ops->uninit_ae_dev(ae_dev);
+ hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++ ae_dev->ops = NULL;
+ }
+
+ list_del(&ae_algo->node);
+@@ -347,6 +348,7 @@ void hnae3_unregister_ae_dev(struct hnae3_ae_dev *ae_dev)
+
+ ae_algo->ops->uninit_ae_dev(ae_dev);
+ hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++ ae_dev->ops = NULL;
+ }
+
+ list_del(&ae_dev->node);
+--
+2.20.1
+
diff --git a/queue-5.1/net-mlx5-get-vport-acl-namespace-by-vport-index.patch b/queue-5.1/net-mlx5-get-vport-acl-namespace-by-vport-index.patch
new file mode 100644
index 00000000000..7cbcbc12547
--- /dev/null
+++ b/queue-5.1/net-mlx5-get-vport-acl-namespace-by-vport-index.patch
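Review bot: Setting `ae_dev->ops = NULL` removes the dangling pointer, but it only prevents the use-after-free if every later reader of `ae_dev->ops` checks for NULL and cannot run concurrently with this store. Neither the readers nor the locking around the two unregister loops are visible in these hunks, so both should be confirmed against the rest of hnae3.c and the hns3 client code. A one-line comment at both sites, e.g. `/* the algo module may be unloaded after this; do not leave a stale ops pointer */`, would explain why the field is cleared.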
@@ -0,0 +1,49 @@
+From 0cb5b74b564ff5dacf7a997a27988afc62fb087b Mon Sep 17 00:00:00 2001
+From: Jianbo Liu
+Date: Tue, 25 Jun 2019 17:47:52 +0000
+Subject: net/mlx5: Get vport ACL namespace by vport index
+
+[ Upstream commit f53297d67800feb5fafd94abd926c889aefee690 ]
+
+The ingress and egress ACL root namespaces are created per vport and
+stored into arrays. However, the vport number is not the same as the
+index. Passing the array index, instead of vport number, to get the
+correct ingress and egress acl namespace.
+
+Fixes: 9b93ab981e3b ("net/mlx5: Separate ingress/egress namespaces for each vport")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Oz Shlomo
+Reviewed-by: Eli Britstein
+Reviewed-by: Roi Dayan
+Reviewed-by: Mark Bloch
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 8a67fd197b79..16ed6ebd31ee 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -950,7 +950,7 @@ static int esw_vport_enable_egress_acl(struct mlx5_eswitch *esw,
+ vport->vport, MLX5_CAP_ESW_EGRESS_ACL(dev, log_max_ft_size));
+
+ root_ns = mlx5_get_flow_vport_acl_namespace(dev, MLX5_FLOW_NAMESPACE_ESW_EGRESS,
+- vport->vport);
++ mlx5_eswitch_vport_num_to_index(esw, vport->vport));
+ if (!root_ns) {
+ esw_warn(dev, "Failed to get E-Switch egress flow namespace for vport (%d)\n", vport->vport);
+ return -EOPNOTSUPP;
+@@ -1068,7 +1068,7 @@ static int esw_vport_enable_ingress_acl(struct mlx5_eswitch *esw,
+ vport->vport, MLX5_CAP_ESW_INGRESS_ACL(dev, log_max_ft_size));
+
+ root_ns = mlx5_get_flow_vport_acl_namespace(dev, MLX5_FLOW_NAMESPACE_ESW_INGRESS,
+- vport->vport);
++ mlx5_eswitch_vport_num_to_index(esw, vport->vport));
+ if (!root_ns) {
+ esw_warn(dev, "Failed to get E-Switch ingress flow namespace for vport (%d)\n", vport->vport);
+ return -EOPNOTSUPP;
+--
+2.20.1
+
diff --git a/queue-5.1/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch b/queue-5.1/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch
new file mode 100644
index 00000000000..a17728b23b0
--- /dev/null
+++ b/queue-5.1/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch
@@ -0,0 +1,45 @@
+From cd953cdefa8cc9762d4b04da36969826da636f12 Mon Sep 17 00:00:00 2001
+From: Josua Mayer
+Date: Tue, 9 Jul 2019 15:01:01 +0200
+Subject: net: mvmdio: defer probe of orion-mdio if a clock is not ready
+
+[ Upstream commit 433a06d7d74e677c40b1148c70c48677ff62fb6b ]
+
+Defer probing of the orion-mdio interface when getting a clock returns
+EPROBE_DEFER. This avoids locking up the Armada 8k SoC when mdio is used
+before all clocks have been enabled.
+
+Signed-off-by: Josua Mayer
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvmdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c
+index c5dac6bd2be4..903836e334d8 100644
+--- a/drivers/net/ethernet/marvell/mvmdio.c
++++ b/drivers/net/ethernet/marvell/mvmdio.c
+@@ -321,6 +321,10 @@ static int orion_mdio_probe(struct platform_device *pdev)
+
+ for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+ dev->clk[i] = of_clk_get(pdev->dev.of_node, i);
++ if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) {
++ ret = -EPROBE_DEFER;
++ goto out_clk;
++ }
+ if (IS_ERR(dev->clk[i]))
+ break;
+ clk_prepare_enable(dev->clk[i]);
+@@ -362,6 +366,7 @@ static int orion_mdio_probe(struct platform_device *pdev)
+ if (dev->err_interrupt > 0)
+ writel(0, dev->regs + MVMDIO_ERR_INT_MASK);
+
++out_clk:
+ for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+ if (IS_ERR(dev->clk[i]))
+ break;
+--
+2.20.1
+
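Review bot: Both call sites now pass the result of mlx5_eswitch_vport_num_to_index() straight into mlx5_get_flow_vport_acl_namespace(), with no check of the returned index in the visible lines. The commit message says the namespaces are stored in arrays, so the lookup is only safe if the helper cannot produce an index outside those arrays for the vport numbers that reach esw_vport_enable_egress_acl() and esw_vport_enable_ingress_acl(). Neither the helper nor any range check in the callee is visible here, so that should be confirmed. Holding the index in a named local before the call would also make the number/index distinction explicit, since the warning below still prints `vport->vport`.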
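Review bot: The return value of `clk_prepare_enable(dev->clk[i])` in the clock loop of orion_mdio_probe() is still ignored, so a clock that is found but fails to enable lets the probe carry on. Since the point of the change is to avoid touching the MDIO block before its clocks are running, that failure could take the same exit, e.g. `ret = clk_prepare_enable(dev->clk[i]); if (ret) goto out_clk;`. The cleanup loop after `out_clk` would then have to skip the clock that never got enabled; its body is outside the hunk, so the exact change there cannot be given from here.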
diff --git a/queue-5.1/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch b/queue-5.1/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch new file mode 100644 index 00000000000..3461bd64141 --- /dev/null +++ b/queue-5.1/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch 
@@ -0,0 +1,46 @@
+From 8fd667bd3189293efda92cdb5af274437fbac876 Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier
+Date: Thu, 20 Jun 2019 11:42:45 +0200
+Subject: net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
+
+[ Upstream commit 8ec3ede559956f8ad58db7b57d25ac724bab69e9 ]
+
+The Header Parser allows identifying various fields in the packet
+headers, used for various kind of filtering and classification
+steps.
+
+This is a re-entrant process, where the offset in the packet header
+depends on the previous lookup results. This offset is represented in
+the SRAM results of the TCAM, as a shift to be operated.
+
+This shift can be negative in some cases, such as in IPv6 parsing.
+
+This commit prevents overriding the sign bit when setting the shift
+value, which could cause instabilities when parsing IPv6 flows.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Suggested-by: Alan Winkowski
+Signed-off-by: Maxime Chevallier
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+index ae2240074d8e..5692c6087bbb 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -312,7 +312,8 @@ static void mvpp2_prs_sram_shift_set(struct mvpp2_prs_entry *pe, int shift,
+ }
+
+ /* Set value */
+- pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] = shift & MVPP2_PRS_SRAM_SHIFT_MASK;
++ pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] |=
++ shift & MVPP2_PRS_SRAM_SHIFT_MASK;
+
+ /* Reset and set operation */
+ mvpp2_prs_sram_bits_clear(pe, MVPP2_PRS_SRAM_OP_SEL_SHIFT_OFFS,
+--
+2.20.1
+
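Review bot: The new `|=` preserves the sign bit, but it equally preserves whatever shift bits the word already holds, so calling mvpp2_prs_sram_shift_set() on an entry whose shift field is not zero would OR the old and new values together. Clearing the field first makes the result independent of prior contents: `pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] &= ~MVPP2_PRS_SRAM_SHIFT_MASK;` ahead of the OR. Whether every caller passes a freshly zeroed entry is decided outside the hunk, and the function body begins before it, so this is a condition to confirm rather than a demonstrated fault.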
diff --git a/queue-5.1/net-netsec-initialize-tx-ring-on-ndo_open.patch b/queue-5.1/net-netsec-initialize-tx-ring-on-ndo_open.patch
new file mode 100644
index 00000000000..4260f1c5730
--- /dev/null
+++ b/queue-5.1/net-netsec-initialize-tx-ring-on-ndo_open.patch
@@ -0,0 +1,92 @@
+From b41c95e7bf6a4c35b8ae63ac59a0c4c8566df6b0 Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas
+Date: Wed, 19 Jun 2019 13:04:00 +0300
+Subject: net: netsec: initialize tx ring on ndo_open
+
+[ Upstream commit 39e3622edeffa63c2871153d8743c5825b139968 ]
+
+Since we changed the Tx ring handling and now depends on bit31 to figure
+out the owner of the descriptor, we should initialize this every time
+the device goes down-up instead of doing it once on driver init. If the
+value is not correctly initialized the device won't have any available
+descriptors
+
+Changes since v1:
+- Typo fixes
+
+Fixes: 35e07d234739 ("net: socionext: remove mmio reads on Tx")
+Signed-off-by: Ilias Apalodimas
+Acked-by: Ard Biesheuvel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/socionext/netsec.c | 32 ++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c
+index cba5881b2746..a10ef700f16d 100644
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -1029,7 +1029,6 @@ static void netsec_free_dring(struct netsec_priv *priv, int id)
+ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ {
+ struct netsec_desc_ring *dring = &priv->desc_ring[id];
+- int i;
+
+ dring->vaddr = dma_alloc_coherent(priv->dev, DESC_SZ * DESC_NUM,
+ &dring->desc_dma, GFP_KERNEL);
+@@ -1040,19 +1039,6 @@ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ if (!dring->desc)
+ goto err;
+
+- if (id == NETSEC_RING_TX) {
+- for (i = 0; i < DESC_NUM; i++) {
+- struct netsec_de *de;
+-
+- de = dring->vaddr + (DESC_SZ * i);
+- /* de->attr is not going to be accessed by the NIC
+- * until netsec_set_tx_de() is called.
+- * No need for a dma_wmb() here
+- */
+- de->attr = 1U << NETSEC_TX_SHIFT_OWN_FIELD;
+- }
+- }
+-
+ return 0;
+ err:
+ netsec_free_dring(priv, id);
+@@ -1060,6 +1046,23 @@ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ return -ENOMEM;
+ }
+
++static void netsec_setup_tx_dring(struct netsec_priv *priv)
++{
++ struct netsec_desc_ring *dring = &priv->desc_ring[NETSEC_RING_TX];
++ int i;
++
++ for (i = 0; i < DESC_NUM; i++) {
++ struct netsec_de *de;
++
++ de = dring->vaddr + (DESC_SZ * i);
++ /* de->attr is not going to be accessed by the NIC
++ * until netsec_set_tx_de() is called.
++ * No need for a dma_wmb() here
++ */
++ de->attr = 1U << NETSEC_TX_SHIFT_OWN_FIELD;
++ }
++}
++
+ static int netsec_setup_rx_dring(struct netsec_priv *priv)
+ {
+ struct netsec_desc_ring *dring = &priv->desc_ring[NETSEC_RING_RX];
+@@ -1361,6 +1364,7 @@ static int netsec_netdev_open(struct net_device *ndev)
+
+ pm_runtime_get_sync(priv->dev);
+
++ netsec_setup_tx_dring(priv);
+ ret = netsec_setup_rx_dring(priv);
+ if (ret) {
+ netif_err(priv, probe, priv->ndev,
+--
+2.20.1
+
diff --git a/queue-5.1/net-phy-check-against-net_device-being-null.patch b/queue-5.1/net-phy-check-against-net_device-being-null.patch
new file mode 100644
index 00000000000..a4f4d893449
--- /dev/null
+++ b/queue-5.1/net-phy-check-against-net_device-being-null.patch
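Review bot: netsec_setup_tx_dring() is added without a header comment saying when it may run, although its correctness depends on the NIC not owning any Tx descriptor at that moment (the inline comment relies on netsec_set_tx_de() not having been called yet). A one-line header such as `/* Call only while the interface is down, before the Tx ring is handed to the NIC */` would record that precondition. The helper resets only `de->attr`; whether the ring's head and tail indexes are also reset on the down path is outside these hunks and worth confirming, since a stale index combined with freshly reset ownership bits would desynchronise driver and hardware. netsec_netdev_open() continues past the last hunk.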
@@ -0,0 +1,48 @@
+From 23aa0e6cfe8714129fbf845fd43213f7d8ca4e27 Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei
+Suggested-by: Andrew Lunn
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index f6a6cc5bf118..e748aee82033 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -948,6 +948,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+ int rc;
+
++ if (!dev)
++ return -EINVAL;
++
+ rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+ if (rc)
+ return rc;
+@@ -1290,6 +1293,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+ struct device *d;
+ int rc;
+
++ if (!dev)
++ return ERR_PTR(-EINVAL);
++
+ /* Search the list of PHY devices on the mdio bus for the
+ * PHY with the requested name
+ */
+--
+2.20.1
+
diff --git a/queue-5.1/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch b/queue-5.1/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch
new file mode 100644
index 00000000000..d46b8ec0016
--- /dev/null
+++ b/queue-5.1/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch
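Review bot: In phy_connect_direct() the new `if (!dev)` guard is followed on the very next statement by `phydev->dev_flags`, which dereferences the second pointer argument with no check at all. If a NULL `dev` from a MAC driver is considered reachable, a NULL `phydev` deserves the same treatment: `if (!dev || !phydev) return -EINVAL;`. Both guards also fail silently although the commit message treats the situation as a driver bug, so a one-time warning at the check would make the faulty caller visible in logs. Both functions continue beyond their hunks.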
@@ -0,0 +1,65 @@
+From 66a9c08d1621a504d5be38a7e05ef764620c017f Mon Sep 17 00:00:00 2001
+From: Robert Hancock
+Date: Fri, 7 Jun 2019 10:42:36 -0600
+Subject: net: sfp: add mutex to prevent concurrent state checks
+
+[ Upstream commit 2158e856f56bb762ef90f3ec244d41a519826f75 ]
+
+sfp_check_state can potentially be called by both a threaded IRQ handler
+and delayed work. If it is concurrently called, it could result in
+incorrect state management. Add a st_mutex to protect the state - this
+lock gets taken outside of code that checks and handle state changes, and
+the existing sm_mutex nests inside of it.
+
+Suggested-by: Russell King
+Signed-off-by: Robert Hancock
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/sfp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 71812be0ac64..b6efd2d41dce 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -186,10 +186,11 @@ struct sfp {
+ struct gpio_desc *gpio[GPIO_MAX];
+
+ bool attached;
++ struct mutex st_mutex; /* Protects state */
+ unsigned int state;
+ struct delayed_work poll;
+ struct delayed_work timeout;
+- struct mutex sm_mutex;
++ struct mutex sm_mutex; /* Protects state machine */
+ unsigned char sm_mod_state;
+ unsigned char sm_dev_state;
+ unsigned short sm_state;
+@@ -1719,6 +1720,7 @@ static void sfp_check_state(struct sfp *sfp)
+ {
+ unsigned int state, i, changed;
+
++ mutex_lock(&sfp->st_mutex);
+ state = sfp_get_state(sfp);
+ changed = state ^ sfp->state;
+ changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT;
+@@ -1744,6 +1746,7 @@ static void sfp_check_state(struct sfp *sfp)
+ sfp_sm_event(sfp, state & SFP_F_LOS ?
+ SFP_E_LOS_HIGH : SFP_E_LOS_LOW);
+ rtnl_unlock();
++ mutex_unlock(&sfp->st_mutex);
+ }
+
+ static irqreturn_t sfp_irq(int irq, void *data)
+@@ -1774,6 +1777,7 @@ static struct sfp *sfp_alloc(struct device *dev)
+ sfp->dev = dev;
+
+ mutex_init(&sfp->sm_mutex);
++ mutex_init(&sfp->st_mutex);
+ INIT_DELAYED_WORK(&sfp->poll, sfp_poll);
+ INIT_DELAYED_WORK(&sfp->timeout, sfp_timeout);
+
+--
+2.20.1
+
diff --git a/queue-5.1/net-stmmac-dwmac1000-clear-unused-address-entries.patch b/queue-5.1/net-stmmac-dwmac1000-clear-unused-address-entries.patch
new file mode 100644
index 00000000000..fe7125f3794
--- /dev/null
+++ b/queue-5.1/net-stmmac-dwmac1000-clear-unused-address-entries.patch
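Review bot: The comment `/* Protects state */` on `st_mutex` promises more than these hunks deliver: the lock is taken only in sfp_check_state(), so any other reader or writer of `sfp->state` elsewhere in the file is still unserialised against it. Either those sites take `st_mutex` as well, or the comment should be narrowed to `/* Serialises sfp_check_state() */`. The lock order introduced here is `st_mutex`, then `rtnl_lock()`, then `sm_mutex`; a path that already holds RTNL and reaches sfp_check_state() would invert it, so the order is worth stating next to the field. The middle of sfp_check_state() lies between two hunks and was not reviewed.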
@@ -0,0 +1,43 @@
+From a76612731d361c4641c341c408d4e1d25f102666 Mon Sep 17 00:00:00 2001
+From: Jose Abreu
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 0877bde6e860..21d131347e2e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -216,6 +216,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+ GMAC_ADDR_LOW(reg));
+ reg++;
+ }
++
++ while (reg <= perfect_addr_number) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ #ifdef FRAME_FILTER_DEBUG
+--
+2.20.1
+
diff --git a/queue-5.1/net-stmmac-dwmac4-5-clear-unused-address-entries.patch b/queue-5.1/net-stmmac-dwmac4-5-clear-unused-address-entries.patch
new file mode 100644
index 00000000000..ba25b717395
--- /dev/null
+++ b/queue-5.1/net-stmmac-dwmac4-5-clear-unused-address-entries.patch
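Review bot: The clearing loop `while (reg <= perfect_addr_number)` uses an inclusive bound, so its last iteration writes `GMAC_ADDR_HIGH(perfect_addr_number)` and `GMAC_ADDR_LOW(perfect_addr_number)`. If `perfect_addr_number` is the count of address registers and index 0 holds the station address (the start value of `reg` is set outside the hunk), valid indexes end at `perfect_addr_number - 1` and that last pair of `writel()` calls lands on registers beyond the filter table; `while (reg < perfect_addr_number)` would be the safe bound. The dwmac4/5 patch that follows has the same shape with `while (reg <= GMAC_MAX_PERFECT_ADDRESSES)` and needs the same comparison against the hardware's register count. dwmac1000_set_filter() begins before the hunk.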
@@ -0,0 +1,53 @@
+From 32bb63191e679cc926e83b4c06113dd1e01f6352 Mon Sep 17 00:00:00 2001
+From: Jose Abreu
+Date: Fri, 24 May 2019 10:20:25 +0200
+Subject: net: stmmac: dwmac4/5: Clear unused address entries
+
+[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 7e5d5db0d516..a2f3db39221e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -444,14 +444,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ * are required
+ */
+ value |= GMAC_PACKET_FILTER_PR;
+- } else if (!netdev_uc_empty(dev)) {
+- int reg = 1;
++ } else {
+ struct netdev_hw_addr *ha;
++ int reg = 1;
+
+ netdev_for_each_uc_addr(ha, dev) {
+ dwmac4_set_umac_addr(hw, ha->addr, reg);
+ reg++;
+ }
++
++ while (reg <= GMAC_MAX_PERFECT_ADDRESSES) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ writel(value, ioaddr + GMAC_PACKET_FILTER);
+--
+2.20.1
+
diff --git a/queue-5.1/net-stmmac-dwmac4-fix-flow-control-issue.patch b/queue-5.1/net-stmmac-dwmac4-fix-flow-control-issue.patch
new file mode 100644
index 00000000000..823634d92b5
--- /dev/null
+++ b/queue-5.1/net-stmmac-dwmac4-fix-flow-control-issue.patch
@@ -0,0 +1,57 @@
+From 568d1580d9faf364ffdf05ba162e2e39636698a3 Mon Sep 17 00:00:00 2001
+From: Biao Huang
+Date: Mon, 3 Jun 2019 09:58:06 +0800
+Subject: net: stmmac: dwmac4: fix flow control issue
+
+[ Upstream commit ee326fd01e79dfa42014d55931260b68b9fa3273 ]
+
+Current dwmac4_flow_ctrl will not clear
+GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits,
+so MAC hw will keep flow control on although expecting
+flow control off by ethtool. Add codes to fix it.
+
+Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
+Signed-off-by: Biao Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index a2f3db39221e..d0e6e1503581 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -475,8 +475,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+ if (fc & FLOW_RX) {
+ pr_debug("\tReceive Flow-Control ON\n");
+ flow |= GMAC_RX_FLOW_CTRL_RFE;
+- writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
+ }
++ writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
++
+ if (fc & FLOW_TX) {
+ pr_debug("\tTransmit Flow-Control ON\n");
+
+@@ -484,7 +485,7 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+ pr_debug("\tduplex mode: PAUSE %d\n", pause_time);
+
+ for (queue = 0; queue < tx_cnt; queue++) {
+- flow |= GMAC_TX_FLOW_CTRL_TFE;
++ flow = GMAC_TX_FLOW_CTRL_TFE;
+
+ if (duplex)
+ flow |=
+@@ -492,6 +493,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+
+ writel(flow, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+ }
++ } else {
++ for (queue = 0; queue < tx_cnt; queue++)
++ writel(0, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+ }
+ }
+
+--
+2.20.1
+
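Review bot: A single local, `flow`, carries both the RX register image and the per-queue TX image, and the removed `flow |= GMAC_TX_FLOW_CTRL_TFE;` shows how that let bits set for one register travel into the other; the fix depends on remembering to use `=` at the top of the loop. Two locals (for example `rx_flow` and `tx_flow`) would make the register images independent by construction. The now unconditional `writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);` also relies on `flow` being zero when `FLOW_RX` is clear; its declaration is outside the hunks, so confirm it is initialised there.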
diff --git a/queue-5.1/net-stmmac-modify-default-value-of-tx-frames.patch b/queue-5.1/net-stmmac-modify-default-value-of-tx-frames.patch
new file mode 100644
index 00000000000..9717bc64e6a
--- /dev/null
+++ b/queue-5.1/net-stmmac-modify-default-value-of-tx-frames.patch
@@ -0,0 +1,49 @@
+From f16c56236028b56fa5bbd672ee2e23f7f6f24949 Mon Sep 17 00:00:00 2001
+From: Biao Huang
+Date: Mon, 3 Jun 2019 09:58:05 +0800
+Subject: net: stmmac: modify default value of tx-frames
+
+[ Upstream commit d2facb4b3983425f6776c24dd678a82dbe673773 ]
+
+the default value of tx-frames is 25, it's too late when
+passing tstamp to stack, then the ptp4l will fail:
+
+ptp4l -i eth0 -f gPTP.cfg -m
+ptp4l: selected /dev/ptp0 as PTP clock
+ptp4l: port 1: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 0: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 1: link up
+ptp4l: timed out while polling for tx timestamp
+ptp4l: increasing tx_timestamp_timeout may correct this issue,
+ but it is likely caused by a driver bug
+ptp4l: port 1: send peer delay response failed
+ptp4l: port 1: LISTENING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
+
+ptp4l tests pass when changing the tx-frames from 25 to 1 with
+ethtool -C option.
+It should be fine to set tx-frames default value to 1, so ptp4l will pass
+by default.
+
+Signed-off-by: Biao Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
+index 272b9ca66314..b069b3a2453b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -261,7 +261,7 @@ struct stmmac_safety_stats {
+ #define STMMAC_COAL_TX_TIMER 1000
+ #define STMMAC_MAX_COAL_TX_TICK 100000
+ #define STMMAC_TX_MAX_FRAMES 256
+-#define STMMAC_TX_FRAMES 25
++#define STMMAC_TX_FRAMES 1
+
+ /* Packets types */
+ enum packets_types {
+--
+2.20.1
+
diff --git a/queue-5.1/net-stmmac-prevent-missing-interrupts-when-running-n.patch b/queue-5.1/net-stmmac-prevent-missing-interrupts-when-running-n.patch
new file mode 100644
index 00000000000..63333bcc398
--- /dev/null
+++ b/queue-5.1/net-stmmac-prevent-missing-interrupts-when-running-n.patch
@@ -0,0 +1,42 @@
+From 582924287bc60976720b747869901da30c72fd5c Mon Sep 17 00:00:00 2001
+From: Jose Abreu
+Date: Fri, 24 May 2019 10:20:26 +0200
+Subject: net: stmmac: Prevent missing interrupts when running NAPI
+
+[ Upstream commit a976ca79e23f13bff79c14e7266cea4a0ea51e67 ]
+
+When we trigger NAPI we are disabling interrupts but in case we receive
+or send a packet in the meantime, as interrupts are disabled, we will
+miss this event.
+
+Trigger both NAPI instances (RX and TX) when at least one event happens
+so that we don't miss any interrupts.
+
+Signed-off-by: Jose Abreu
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index a634054dcb11..f3735d0458eb 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2058,6 +2058,9 @@ static int stmmac_napi_check(struct stmmac_priv *priv, u32 chan)
+ &priv->xstats, chan);
+ struct stmmac_channel *ch = &priv->channel[chan];
+
++ if (status)
++ status |= handle_rx | handle_tx;
++
+ if ((status & handle_rx) && (chan < priv->plat->rx_queues_to_use)) {
+ stmmac_disable_dma_irq(priv, priv->ioaddr, chan);
+ napi_schedule_irqoff(&ch->rx_napi);
+--
+2.20.1
+
diff --git a/queue-5.1/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch b/queue-5.1/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch
new file mode 100644
index 00000000000..1551e85c833
--- /dev/null
+++ b/queue-5.1/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch
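Review bot: `status |= handle_rx | handle_tx;` rewrites the value read from the DMA interrupt status in place, so every later use of `status` in stmmac_napi_check() sees both bits set whenever any bit was set, including bits that report an error or abnormal condition. The function is declared `int` and its tail is outside the hunk; if it returns `status` and a caller compares that value for equality against a specific code, the comparison would stop matching after this change. Using a separate local for the two scheduling tests and leaving `status` as read would keep the reported value intact. A short comment on why both NAPI contexts are woken for any event would also help, since the condition otherwise looks like a typo.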
@@ -0,0 +1,45 @@
+From b118ad14f525eaa048998a95f14aeca79df341fd Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng
+Date: Thu, 20 Jun 2019 15:47:44 +0200
+Subject: net: stmmac: sun8i: force select external PHY when no internal one
+
+[ Upstream commit 0fec7e72ae1391bb2d7527efb54fe6ae88acabce ]
+
+The PHY selection bit also exists on SoCs without an internal PHY; if it's
+set to 1 (internal PHY, default value) then the MAC will not make use of
+any PHY on such SoCs.
+
+This problem appears when adapting for H6, which has no real internal PHY
+(the "internal PHY" on H6 is not on-die, but on a co-packaged AC200 chip,
+connected via RMII interface at GPIO bank A).
+
+Force the PHY selection bit to 0 when the SOC doesn't have an internal PHY,
+to address the problem of a wrong default value.
+
+Signed-off-by: Icenowy Zheng
+Signed-off-by: Ondrej Jirman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+index ba124a4da793..8325e6499739 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -893,6 +893,11 @@ static int sun8i_dwmac_set_syscon(struct stmmac_priv *priv)
+ * address. No need to mask it again.
+ */
+ reg |= 1 << H3_EPHY_ADDR_SHIFT;
++ } else {
++ /* For SoCs without internal PHY the PHY selection bit should be
++ * set to 0 (external PHY).
++ */
++ reg &= ~H3_EPHY_SELECT;
+ }
+
+ if (!of_property_read_u32(node, "allwinner,tx-delay-ps", &val)) {
+--
+2.20.1
+
diff --git a/queue-5.1/net-usb-asix-init-mac-address-buffers.patch b/queue-5.1/net-usb-asix-init-mac-address-buffers.patch
new file mode 100644
index 00000000000..700c4efb2a0
--- /dev/null
+++ b/queue-5.1/net-usb-asix-init-mac-address-buffers.patch
@@ -0,0 +1,121 @@
+From 16aadfd933f11bb6364f7ae7908503bdf1b2fb36 Mon Sep 17 00:00:00 2001
+From: Phong Tran
+Date: Tue, 2 Jul 2019 07:10:08 +0700
+Subject: net: usb: asix: init MAC address buffers
+
+[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ]
+
+This is for fixing bug KMSAN: uninit-value in ax88772_bind
+
+Tested by
+https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ
+
+Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com
+
+syzbot found the following crash on:
+
+HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
+git tree: kmsan
+console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000
+kernel config:
+https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
+dashboard link:
+https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e
+compiler: clang version 9.0.0 (/home/glider/llvm/clang
+06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
+syz repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000
+C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000
+
+==================================================================
+BUG: KMSAN: uninit-value in is_valid_ether_addr
+include/linux/etherdevice.h:200 [inline]
+BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr
+drivers/net/usb/asix_devices.c:73 [inline]
+BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0
+drivers/net/usb/asix_devices.c:724
+CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ is_valid_ether_addr include/linux/etherdevice.h:200 [inline]
+ asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline]
+ ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724
+ usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
+ usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
+ generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
+ usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
+ hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+ port_event drivers/usb/core/hub.c:5350 [inline]
+ hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
+ process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
+ process_scheduled_works kernel/workqueue.c:2331 [inline]
+ worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
+ kthread+0x4b5/0x4f0 kernel/kthread.c:254
+ ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Signed-off-by: Phong Tran
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/asix_devices.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
+index 3d93993e74da..2eca4168af2f 100644
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -238,7 +238,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits)
+ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret = 0;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+ int i;
+ unsigned long gpio_bits = dev->driver_info->data;
+
+@@ -689,7 +689,7 @@ static int asix_resume(struct usb_interface *intf)
+ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret, i;
+- u8 buf[ETH_ALEN], chipcode = 0;
++ u8 buf[ETH_ALEN] = {0}, chipcode = 0;
+ u32 phyid;
+ struct asix_common_private *priv;
+
+@@ -1073,7 +1073,7 @@ static const struct net_device_ops ax88178_netdev_ops = {
+ static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+
+ usbnet_get_endpoints(dev,intf);
+
+--
+2.20.1
+
diff --git a/queue-5.1/netfilter-ctnetlink-fix-regression-in-conntrack-entr.patch b/queue-5.1/netfilter-ctnetlink-fix-regression-in-conntrack-entr.patch
new file mode 100644
index 00000000000..1dc0434e9f4
--- /dev/null
+++ b/queue-5.1/netfilter-ctnetlink-fix-regression-in-conntrack-entr.patch
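Review bot: Zero-initialising `buf` in ax88172_bind(), ax88772_bind() and ax88178_bind() removes the uninitialised read that KMSAN reported, but it does not address why the buffer was left unfilled: the call that reads the MAC address from the adapter is outside all three hunks, and nothing visible here checks that it returned `ETH_ALEN` bytes. How many bytes come back is decided by whatever device is attached to the USB port, so a short answer now produces an all-zero or partly zero address instead of stack bytes. The read's return value should be compared with `ETH_ALEN`, and the bind should fail or fall back to a random address when it is short; that has to be verified in the full functions, which continue beyond each hunk.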
@@ -0,0 +1,64 @@
+From 17332b0b7827e46b260b4e39fdf90d51cd29fd10 Mon Sep 17 00:00:00 2001
+From: Felix Kaechele
+Date: Tue, 25 Jun 2019 16:48:59 -0400
+Subject: netfilter: ctnetlink: Fix regression in conntrack entry deletion
+
+[ Upstream commit e7600865db32b69deb0109b8254244dca592adcf ]
+
+Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
+L3-protocol flush regression") introduced a regression in which deletion
+of conntrack entries would fail because the L3 protocol information
+is replaced by AF_UNSPEC. As a result the search for the entry to be
+deleted would turn up empty due to the tuple used to perform the search
+is now different from the tuple used to initially set up the entry.
+
+For flushing the conntrack table we do however want to keep the option
+for nfgenmsg->version to have a non-zero value to allow for newer
+user-space tools to request treatment under the new behavior. With that
+it is possible to independently flush tables for a defined L3 protocol.
+This was introduced with the enhancements in in commit 59c08c69c278
+("netfilter: ctnetlink: Support L3 protocol-filter on flush").
+
+Older user-space tools will retain the behavior of flushing all tables
+regardless of defined L3 protocol.
+
+Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
+Suggested-by: Pablo Neira Ayuso
+Signed-off-by: Felix Kaechele
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index d2715b4d2e72..061bdab37b1a 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1254,7 +1254,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+ struct nf_conntrack_tuple tuple;
+ struct nf_conn *ct;
+ struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
+ struct nf_conntrack_zone zone;
+ int err;
+
+@@ -1264,11 +1263,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+
+ if (cda[CTA_TUPLE_ORIG])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else if (cda[CTA_TUPLE_REPLY])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else {
++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
++
+ return ctnetlink_flush_conntrack(net, cda,
+ NETLINK_CB(skb).portid,
+ nlmsg_report(nlh), u3);
+--
+2.20.1
+
diff --git a/queue-5.1/netfilter-fix-remainder-of-pseudo-header-protocol-0.patch b/queue-5.1/netfilter-fix-remainder-of-pseudo-header-protocol-0.patch
new file mode 100644
index 00000000000..b7161d07b2b
--- /dev/null
+++ b/queue-5.1/netfilter-fix-remainder-of-pseudo-header-protocol-0.patch
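Review bot: After this change `nfmsg->version` gates only the flush branch, while both tuple-parsing branches take `nfmsg->nfgen_family` from the netlink message unconditionally; that asymmetry is the entire fix, yet nothing in the code explains it. A comment inside the `else` block would stop a later cleanup from hoisting `u3` back to function scope, e.g. `/* Only flush honours version: 0 means legacy userspace, flush every family */`. The `else { ... }` arm is braced while the `if` and `else if` arms are not, which the kernel coding style asks to keep uniform. ctnetlink_del_conntrack() starts before the first hunk and continues past the second.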
@@ -0,0 +1,95 @@
+From 35a99e086a5b6b921a54e22479530967d0aa9977 Mon Sep 17 00:00:00 2001
+From: He Zhe
+Date: Mon, 24 Jun 2019 11:17:38 +0800
+Subject: netfilter: Fix remainder of pseudo-header protocol 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8 ]
+
+Since v5.1-rc1, some types of packets do not get unreachable reply with the
+following iptables setting. Fox example,
+
+$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
+$ ping 127.0.0.1 -c 1
+PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+— 127.0.0.1 ping statistics —
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+
+We should have got the following reply from command line, but we did not.
+From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
+
+Yi Zhao reported it and narrowed it down to:
+7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
+
+This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
+packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
+treated as TCP/UDP.
+
+This patch corrects the conditions in nf_ip_checksum and all other places that
+still call it with protocol 0.
+
+Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
+Reported-by: Yi Zhao
+Signed-off-by: He Zhe
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
+ net/netfilter/nf_nat_proto.c | 2 +-
+ net/netfilter/utils.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
+index 9becac953587..71a84a0517f3 100644
+--- a/net/netfilter/nf_conntrack_proto_icmp.c
++++ b/net/netfilter/nf_conntrack_proto_icmp.c
+@@ -221,7 +221,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
+ /* See ip_conntrack_proto_tcp.c */
+ if (state->net->ct.sysctl_checksum &&
+ state->hook == NF_INET_PRE_ROUTING &&
+- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
++ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
+ icmp_error_log(skb, state, "bad hw icmp checksum");
+ return -NF_ACCEPT;
+ }
+diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
+index 62743da3004f..0b0efbb953bf 100644
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -567,7 +567,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
+
+ if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
+ return 0;
+- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
++ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
+ return 0;
+
+ inside = (void *)skb->data + hdrlen;
+diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
+index 06dc55590441..51b454d8fa9c 100644
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ case CHECKSUM_COMPLETE:
+ if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
+ break;
+- if ((protocol == 0 && !csum_fold(skb->csum)) ||
++ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
++ !csum_fold(skb->csum)) ||
+ !csum_tcpudp_magic(iph->saddr, iph->daddr,
+ skb->len - dataoff, protocol,
+ skb->csum)) {
+@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ }
+ /* fall through */
+ case CHECKSUM_NONE:
+- if (protocol == 0)
++ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
+ skb->csum = 0;
+ else
+ skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
+--
+2.20.1
+
diff --git a/queue-5.1/ntp-limit-tai-utc-offset.patch b/queue-5.1/ntp-limit-tai-utc-offset.patch
new file mode 100644
index 00000000000..168e7a987bd
--- /dev/null
+++ b/queue-5.1/ntp-limit-tai-utc-offset.patch
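Review bot: In nf_ip_checksum() the test changes from `protocol == 0` to `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP`, which moves every other protocol number onto the no-pseudo-header path, not only ICMP. A caller outside these hunks that passes a protocol whose checksum does cover a pseudo-header (DCCP and UDP-Lite both do) would now have valid packets verified without it; the callers are not visible here, so the users of nf_ip_checksum() and nf_checksum() need to be audited before relying on this. The same two-term condition is also written twice in utils.c, once per `case`; computing it once into a local `bool` at the top of the function would keep the two branches from drifting apart. The function starts before the first utils.c hunk and continues past the second.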
@@ -0,0 +1,55 @@
+From 73d62a38038a3fdf8f279cb768925f2ffe0ce4a5 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi
+Signed-off-by: Miroslav Lichvar
+Signed-off-by: Thomas Gleixner
+Cc: John Stultz
+Cc: Prarit Bhargava
+Cc: Richard Cochran
+Cc: Stephen Boyd
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index f43d47c8c3b6..98b3678fd48e 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -42,6 +42,7 @@ static u64 tick_length_base;
+ #define MAX_TICKADJ 500LL /* usecs */
+ #define MAX_TICKADJ_SCALED \
+ (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET 100000
+
+ /*
+ * phase-lock loop variables
+@@ -690,7 +691,8 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc,
+ time_constant = max(time_constant, 0l);
+ }
+
+- if (txc->modes & ADJ_TAI && txc->constant >= 0)
++ if (txc->modes & ADJ_TAI &&
++ txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+ *time_tai = txc->constant;
+
+ if (txc->modes & ADJ_OFFSET)
+--
+2.20.1
+
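Review bot: In the second inner hunk, an ADJ_TAI request whose `txc->constant` exceeds MAX_TAI_OFFSET is now skipped without any error, the same way a negative value already was, so the adjtimex() caller is not told that the offset was left unchanged. process_adjtimex_modes() is declared `void` in the hunk header, so a rejection would have to come from wherever the timex is validated, which is not visible here; at minimum the silent skip deserves a comment above the condition, `/* Out-of-range TAI offsets are ignored, not rejected. */`. The new define would also read better with its unit, as MAX_TICKADJ above it has: `#define MAX_TAI_OFFSET 100000 /* secs */`. The function body starts and ends outside the hunk.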
diff --git a/queue-5.1/nvme-fix-possible-io-failures-when-removing-multipat.patch b/queue-5.1/nvme-fix-possible-io-failures-when-removing-multipat.patch
new file mode 100644
index 00000000000..43eae41b291
--- /dev/null
+++ b/queue-5.1/nvme-fix-possible-io-failures-when-removing-multipat.patch
@@ -0,0 +1,69 @@ +From c2da2e421d23789d84b7f783481f944e9763f256 Mon Sep 17 00:00:00 2001 +From: Anton Eidelman +Date: Thu, 20 Jun 2019 08:48:10 +0200 +Subject: nvme: fix possible io failures when removing multipathed ns + +[ Upstream commit 2181e455612a8db2761eabbf126640552a451e96 ] + +When a shared namespace is removed, we call blk_cleanup_queue() +when the device can still be accessed as the current path and this can +result in submission to a dying queue. Hence, direct_make_request() +called by our mpath device may fail (propagating the failure to userspace). +Instead, we want to failover this I/O to a different path if one exists. +Thus, before we cleanup the request queue, we make sure that the device is +cleared from the current path nor it can be selected again as such. + +Fix this by: +- clear the ns from the head->list and synchronize rcu to make sure there is + no concurrent path search that restores it as the current path +- clear the mpath current path in order to trigger a subsequent path search + and sync srcu to wait for any ongoing request submissions +- safely continue to namespace removal and blk_cleanup_queue + +Signed-off-by: Anton Eidelman +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 3a390b2c7540..cbbdd3dae5a1 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3341,6 +3341,14 @@ static void nvme_ns_remove(struct nvme_ns *ns) + return; + + nvme_fault_inject_fini(ns); ++ ++ mutex_lock(&ns->ctrl->subsys->lock); ++ list_del_rcu(&ns->siblings); ++ mutex_unlock(&ns->ctrl->subsys->lock); ++ synchronize_rcu(); /* guarantee not available in head->list */ ++ nvme_mpath_clear_current_path(ns); ++ synchronize_srcu(&ns->head->srcu); /* wait for concurrent submissions */ ++ + if (ns->disk && ns->disk->flags & 
GENHD_FL_UP) { + del_gendisk(ns->disk); + blk_cleanup_queue(ns->queue); +@@ -3348,16 +3356,10 @@ static void nvme_ns_remove(struct nvme_ns *ns) + blk_integrity_unregister(ns->disk); + } + +- mutex_lock(&ns->ctrl->subsys->lock); +- list_del_rcu(&ns->siblings); +- nvme_mpath_clear_current_path(ns); +- mutex_unlock(&ns->ctrl->subsys->lock); +- + down_write(&ns->ctrl->namespaces_rwsem); + list_del_init(&ns->list); + up_write(&ns->ctrl->namespaces_rwsem); + +- synchronize_srcu(&ns->head->srcu); + nvme_mpath_check_last_path(ns); + nvme_put_ns(ns); + } +-- +2.20.1 + diff --git a/queue-5.1/nvme-pci-adjust-irq-max_vector-using-num_possible_cp.patch b/queue-5.1/nvme-pci-adjust-irq-max_vector-using-num_possible_cp.patch new file mode 100644 index 00000000000..86d07f69ba2 --- /dev/null +++ b/queue-5.1/nvme-pci-adjust-irq-max_vector-using-num_possible_cp.patch 
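Review bot: The `synchronize_rcu()` added after `list_del_rcu(&ns->siblings)` only waits for plain RCU readers, while the same hunk waits on `ns->head->srcu` for submissions; if the path search that walks head->list runs inside that SRCU read section (its code is not visible here), this grace period does not cover it and the namespace could still be picked as the current path again. In that case the first wait should be `synchronize_srcu(&ns->head->srcu); /* guarantee not available in head->list */`. `nvme_mpath_clear_current_path(ns)` is also moved out from under `subsys->lock`, which deserves a one-line comment saying the lock is not needed for it. nvme_ns_remove() starts before the hunk.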
@@ -0,0 +1,97 @@ +From 86107670f3d8032e83b0302d8fcc4543121e6193 Mon Sep 17 00:00:00 2001 +From: Minwoo Im +Date: Sun, 9 Jun 2019 03:02:19 +0900 +Subject: nvme-pci: adjust irq max_vector using num_possible_cpus() + +[ Upstream commit dad77d63903e91a2e97a0c984cabe5d36e91ba60 ] + +If the "irq_queues" are greater than num_possible_cpus(), +nvme_calc_irq_sets() can have irq set_size for HCTX_TYPE_DEFAULT greater +than it can be afforded. +2039 affd->set_size[HCTX_TYPE_DEFAULT] = nrirqs - nr_read_queues; + +It might cause a WARN() from the irq_build_affinity_masks() like [1]: +220 if (nr_present < numvecs) +221 WARN_ON(nr_present + nr_others < numvecs); + +This patch prevents it from the WARN() by adjusting the max_vector value +from the nvme_setup_irqs(). + +[1] WARN messages when modprobe nvme write_queues=32 poll_queues=0: +root@target:~/nvme# nproc +8 +root@target:~/nvme# modprobe nvme write_queues=32 poll_queues=0 +[ 17.925326] nvme nvme0: pci function 0000:00:04.0 +[ 17.940601] WARNING: CPU: 3 PID: 1030 at kernel/irq/affinity.c:221 irq_create_affinity_masks+0x222/0x330 +[ 17.940602] Modules linked in: nvme nvme_core [last unloaded: nvme] +[ 17.940605] CPU: 3 PID: 1030 Comm: kworker/u17:4 Tainted: G W 5.1.0+ #156 +[ 17.940605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 17.940608] Workqueue: nvme-reset-wq nvme_reset_work [nvme] +[ 17.940609] RIP: 0010:irq_create_affinity_masks+0x222/0x330 +[ 17.940611] Code: 4c 8d 4c 24 28 4c 8d 44 24 30 e8 c9 fa ff ff 89 44 24 18 e8 c0 38 fa ff 8b 44 24 18 44 8b 54 24 1c 5a 44 01 d0 41 39 c4 76 02 <0f> 0b 48 89 df 44 01 e5 e8 f1 ce 10 00 48 8b 34 24 44 89 f0 44 01 +[ 17.940611] RSP: 0018:ffffc90002277c50 EFLAGS: 00010216 +[ 17.940612] RAX: 0000000000000008 RBX: ffff88807ca48860 RCX: 0000000000000000 +[ 17.940612] RDX: ffff88807bc03800 RSI: 0000000000000020 RDI: 0000000000000000 +[ 17.940613] RBP: 0000000000000001 R08: ffffc90002277c78 R09: ffffc90002277c70 
+[ 17.940613] R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000020 +[ 17.940614] R13: 0000000000025d08 R14: 0000000000000001 R15: ffff88807bc03800 +[ 17.940614] FS: 0000000000000000(0000) GS:ffff88807db80000(0000) knlGS:0000000000000000 +[ 17.940616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 17.940617] CR2: 00005635e583f790 CR3: 000000000240a000 CR4: 00000000000006e0 +[ 17.940617] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 17.940618] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 17.940618] Call Trace: +[ 17.940622] __pci_enable_msix_range+0x215/0x540 +[ 17.940623] ? kernfs_put+0x117/0x160 +[ 17.940625] pci_alloc_irq_vectors_affinity+0x74/0x110 +[ 17.940626] nvme_reset_work+0xc30/0x1397 [nvme] +[ 17.940628] ? __switch_to_asm+0x34/0x70 +[ 17.940628] ? __switch_to_asm+0x40/0x70 +[ 17.940629] ? __switch_to_asm+0x34/0x70 +[ 17.940630] ? __switch_to_asm+0x40/0x70 +[ 17.940630] ? __switch_to_asm+0x34/0x70 +[ 17.940631] ? __switch_to_asm+0x40/0x70 +[ 17.940632] ? nvme_irq_check+0x30/0x30 [nvme] +[ 17.940633] process_one_work+0x20b/0x3e0 +[ 17.940634] worker_thread+0x1f9/0x3d0 +[ 17.940635] ? cancel_delayed_work+0xa0/0xa0 +[ 17.940636] kthread+0x117/0x120 +[ 17.940637] ? 
kthread_stop+0xf0/0xf0 +[ 17.940638] ret_from_fork+0x3a/0x50 +[ 17.940639] ---[ end trace aca8a131361cd42a ]--- +[ 17.942124] nvme nvme0: 7/1/0 default/read/poll queues + +Signed-off-by: Minwoo Im +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 9c956ff5344d..914eea2ea557 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2085,6 +2085,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) + .priv = dev, + }; + unsigned int irq_queues, this_p_queues; ++ unsigned int nr_cpus = num_possible_cpus(); + + /* + * Poll queues don't need interrupts, but we need at least one IO +@@ -2095,7 +2096,10 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) + this_p_queues = nr_io_queues - 1; + irq_queues = 1; + } else { +- irq_queues = nr_io_queues - this_p_queues + 1; ++ if (nr_cpus < nr_io_queues - this_p_queues) ++ irq_queues = nr_cpus + 1; ++ else ++ irq_queues = nr_io_queues - this_p_queues + 1; + } + dev->io_queues[HCTX_TYPE_POLL] = this_p_queues; + +-- +2.20.1 + diff --git a/queue-5.1/nvme-pci-properly-report-state-change-failure-in-nvm.patch b/queue-5.1/nvme-pci-properly-report-state-change-failure-in-nvm.patch new file mode 100644 index 00000000000..63d76c9ff36 --- /dev/null +++ b/queue-5.1/nvme-pci-properly-report-state-change-failure-in-nvm.patch 
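Review bot: The new if/else in nvme_setup_irqs() is a clamp written out by hand, and nothing next to it says why the CPU count bounds the vector count or what the `+ 1` stands for. It reads more directly as `irq_queues = min(nr_cpus, nr_io_queues - this_p_queues) + 1;` (all three operands are `unsigned int` in the lines shown), preceded by a short comment that the IO vector count is capped at the number of possible CPUs to keep the affinity set sizes within what irq_create_affinity_masks() can spread. The `+ 1` looks like the vector for the admin queue, which the comment should confirm. The function continues outside the hunk.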
@@ -0,0 +1,47 @@
+From cb624a8fc86d4d9c3e47b6d322d3bd0af98ee9e5 Mon Sep 17 00:00:00 2001
+From: Minwoo Im
+Date: Sun, 9 Jun 2019 03:35:20 +0900
+Subject: nvme-pci: properly report state change failure in nvme_reset_work
+
+[ Upstream commit cee6c269b016ba89c62e34d6bccb103ee2c7de4f ]
+
+If the state change to NVME_CTRL_CONNECTING fails, the dmesg is going to
+be like:
+
+ [ 293.689160] nvme nvme0: failed to mark controller CONNECTING
+ [ 293.689160] nvme nvme0: Removing after probe failure status: 0
+
+Even it prints the first line to indicate the situation, the second line
+is not proper because the status is 0 which means normally success of
+the previous operation.
+
+This patch makes it indicate the proper error value when it fails.
+ [ 25.932367] nvme nvme0: failed to mark controller CONNECTING
+ [ 25.932369] nvme nvme0: Removing after probe failure status: -16
+
+This situation is able to be easily reproduced by:
+ root@target:~# rmmod nvme && modprobe nvme && rmmod nvme
+
+Signed-off-by: Minwoo Im
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 693f2a856200..21a51a0ff4d7 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2545,6 +2545,7 @@ static void nvme_reset_work(struct work_struct *work)
+ if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_CONNECTING)) {
+ dev_warn(dev->ctrl.device,
+ "failed to mark controller CONNECTING\n");
++ result = -EBUSY;
+ goto out;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch b/queue-5.1/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch
new file mode 100644
index 00000000000..c1a384d54b9
--- /dev/null
+++ b/queue-5.1/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch
@@ -0,0 +1,54 @@
+From 7ec805ad6c5f1a0e5fa0a85241a55979b1653688 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni
+Date: Sat, 8 Jun 2019 13:01:02 -0700
+Subject: nvme-pci: set the errno on ctrl state change error
+
+[ Upstream commit e71afda49335620e3d9adf56015676db33a3bd86 ]
+
+This patch removes the confusing assignment of the variable result at
+the time of declaration and sets the value in error cases next to the
+places where the actual error is happening.
+
+Here we also set the result value to -ENODEV when we fail at the final
+ctrl state transition in nvme_reset_work(). Without this assignment
+result will hold 0 from nvme_setup_io_queue() and on failure 0 will be
+passed to he nvme_remove_dead_ctrl() from final state transition.
+
+Signed-off-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 21a51a0ff4d7..9c956ff5344d 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2504,11 +2504,13 @@ static void nvme_reset_work(struct work_struct *work)
+ struct nvme_dev *dev =
+ container_of(work, struct nvme_dev, ctrl.reset_work);
+ bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL);
+- int result = -ENODEV;
++ int result;
+ enum nvme_ctrl_state new_state = NVME_CTRL_LIVE;
+
+- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING))
++ if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++ result = -ENODEV;
+ goto out;
++ }
+
+ /*
+ * If we're called to reset a live controller first shut it down before
+@@ -2606,6 +2608,7 @@ static void nvme_reset_work(struct work_struct *work)
+ if (!nvme_change_ctrl_state(&dev->ctrl, new_state)) {
+ dev_warn(dev->ctrl.device,
+ "failed to mark controller state %d\n", new_state);
++ result = -ENODEV;
+ goto out;
+ }
+
+--
+2.20.1
+
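Review bot: Dropping the initialiser from `int result;` means every `goto out` in nvme_reset_work() must now assign `result` first, and only the two sites touched here are visible; any other jump to `out` reached before the first assignment would pass an indeterminate value on. The commit message says the failure path hands `result` to nvme_remove_dead_ctrl(), so this needs checking over the whole function, which extends well beyond both hunks. A comment at the declaration would keep the invariant in view: `int result; /* must be set before every goto out */`.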
diff --git a/queue-5.1/pci-add-missing-link-delays-required-by-the-pcie-spe.patch b/queue-5.1/pci-add-missing-link-delays-required-by-the-pcie-spe.patch
new file mode 100644
index 00000000000..7f31e69db13
--- /dev/null
+++ b/queue-5.1/pci-add-missing-link-delays-required-by-the-pcie-spe.patch
@@ -0,0 +1,343 @@ +From 14db74adac444788d13da1f9b4084a6e761ca771 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Jun 2019 13:57:38 +0300 +Subject: PCI: Add missing link delays required by the PCIe spec + +[ Upstream commit c2bf1fc212f7e6f25ace1af8f0b3ac061ea48ba5 ] + +Currently Linux does not follow PCIe spec regarding the required delays +after reset. A concrete example is a Thunderbolt add-in-card that +consists of a PCIe switch and two PCIe endpoints: + + +-1b.0-[01-6b]----00.0-[02-6b]--+-00.0-[03]----00.0 TBT controller + +-01.0-[04-36]-- DS hotplug port + +-02.0-[37]----00.0 xHCI controller + \-04.0-[38-6b]-- DS hotplug port + +The root port (1b.0) and the PCIe switch downstream ports are all PCIe +gen3 so they support 8GT/s link speeds. + +We wait for the PCIe hierarchy to enter D3cold (runtime): + + pcieport 0000:00:1b.0: power state changed by ACPI to D3cold + +When it wakes up from D3cold, according to the PCIe 4.0 section 5.8 the +PCIe switch is put to reset and its power is re-applied. This means that +we must follow the rules in PCIe 4.0 section 6.6.1. + +For the PCIe gen3 ports we are dealing with here, the following applies: + + With a Downstream Port that supports Link speeds greater than 5.0 + GT/s, software must wait a minimum of 100 ms after Link training + completes before sending a Configuration Request to the device + immediately below that Port. Software can determine when Link training + completes by polling the Data Link Layer Link Active bit or by setting + up an associated interrupt (see Section 6.7.3.3). 
+ +Translating this into the above topology we would need to do this (DLLLA +stands for Data Link Layer Link Active): + + pcieport 0000:00:1b.0: wait for 100ms after DLLLA is set before access to 0000:01:00.0 + pcieport 0000:02:00.0: wait for 100ms after DLLLA is set before access to 0000:03:00.0 + pcieport 0000:02:02.0: wait for 100ms after DLLLA is set before access to 0000:37:00.0 + +I've instrumented the kernel with additional logging so we can see the +actual delays the kernel performs: + + pcieport 0000:00:1b.0: power state changed by ACPI to D0 + pcieport 0000:00:1b.0: waiting for D3cold delay of 100 ms + pcieport 0000:00:1b.0: waking up bus + pcieport 0000:00:1b.0: waiting for D3hot delay of 10 ms + pcieport 0000:00:1b.0: restoring config space at offset 0x2c (was 0x60, writing 0x60) + ... + pcieport 0000:00:1b.0: PME# disabled + pcieport 0000:01:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:01:00.0: PME# disabled + pcieport 0000:02:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:02:00.0: PME# disabled + pcieport 0000:02:01.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:02:01.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407) + pcieport 0000:02:01.0: PME# disabled + pcieport 0000:02:02.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:02:02.0: PME# disabled + pcieport 0000:02:04.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:02:04.0: PME# disabled + pcieport 0000:02:01.0: PME# enabled + pcieport 0000:02:01.0: waiting for D3hot delay of 10 ms + pcieport 0000:02:04.0: PME# enabled + pcieport 0000:02:04.0: waiting for D3hot delay of 10 ms + thunderbolt 0000:03:00.0: restoring config space at offset 0x14 (was 0x0, writing 0x8a040000) + ... 
+ thunderbolt 0000:03:00.0: PME# disabled + xhci_hcd 0000:37:00.0: restoring config space at offset 0x10 (was 0x0, writing 0x73f00000) + ... + xhci_hcd 0000:37:00.0: PME# disabled + +For the switch upstream port (01:00.0) we wait for 100ms but not taking +into account the DLLLA requirement. We then wait 10ms for D3hot -> D0 +transition of the root port and the two downstream hotplug ports. This +means that we deviate from what the spec requires. + +Performing the same check for system sleep (s2idle) transitions we can +see following when resuming from s2idle: + + pcieport 0000:00:1b.0: power state changed by ACPI to D0 + pcieport 0000:00:1b.0: restoring config space at offset 0x2c (was 0x60, writing 0x60) + ... + pcieport 0000:01:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + ... + pcieport 0000:02:02.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + pcieport 0000:02:02.0: restoring config space at offset 0x2c (was 0x0, writing 0x0) + pcieport 0000:02:01.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + pcieport 0000:02:04.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + pcieport 0000:02:02.0: restoring config space at offset 0x28 (was 0x0, writing 0x0) + pcieport 0000:02:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff) + pcieport 0000:02:02.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1fff1) + pcieport 0000:02:01.0: restoring config space at offset 0x2c (was 0x0, writing 0x60) + pcieport 0000:02:02.0: restoring config space at offset 0x20 (was 0x0, writing 0x73f073f0) + pcieport 0000:02:04.0: restoring config space at offset 0x2c (was 0x0, writing 0x60) + pcieport 0000:02:01.0: restoring config space at offset 0x28 (was 0x0, writing 0x60) + pcieport 0000:02:00.0: restoring config space at offset 0x2c (was 0x0, writing 0x0) + pcieport 0000:02:02.0: restoring config space at offset 0x1c (was 0x101, writing 0x1f1) + pcieport 
0000:02:04.0: restoring config space at offset 0x28 (was 0x0, writing 0x60) + pcieport 0000:02:01.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1ff10001) + pcieport 0000:02:00.0: restoring config space at offset 0x28 (was 0x0, writing 0x0) + pcieport 0000:02:02.0: restoring config space at offset 0x18 (was 0x0, writing 0x373702) + pcieport 0000:02:04.0: restoring config space at offset 0x24 (was 0x10001, writing 0x49f12001) + pcieport 0000:02:01.0: restoring config space at offset 0x20 (was 0x0, writing 0x73e05c00) + pcieport 0000:02:00.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1fff1) + pcieport 0000:02:04.0: restoring config space at offset 0x20 (was 0x0, writing 0x89f07400) + pcieport 0000:02:01.0: restoring config space at offset 0x1c (was 0x101, writing 0x5151) + pcieport 0000:02:00.0: restoring config space at offset 0x20 (was 0x0, writing 0x8a008a00) + pcieport 0000:02:02.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020) + pcieport 0000:02:04.0: restoring config space at offset 0x1c (was 0x101, writing 0x6161) + pcieport 0000:02:01.0: restoring config space at offset 0x18 (was 0x0, writing 0x360402) + pcieport 0000:02:00.0: restoring config space at offset 0x1c (was 0x101, writing 0x1f1) + pcieport 0000:02:04.0: restoring config space at offset 0x18 (was 0x0, writing 0x6b3802) + pcieport 0000:02:02.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407) + pcieport 0000:02:00.0: restoring config space at offset 0x18 (was 0x0, writing 0x30302) + pcieport 0000:02:01.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020) + pcieport 0000:02:04.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020) + pcieport 0000:02:00.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020) + pcieport 0000:02:01.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407) + pcieport 0000:02:04.0: restoring config space at offset 0x4 (was 
0x100000, writing 0x100407) + pcieport 0000:02:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407) + xhci_hcd 0000:37:00.0: restoring config space at offset 0x10 (was 0x0, writing 0x73f00000) + ... + thunderbolt 0000:03:00.0: restoring config space at offset 0x14 (was 0x0, writing 0x8a040000) + +This is even worse. None of the mandatory delays are performed. If this +would be S3 instead of s2idle then according to PCI FW spec 3.2 section +4.6.8. there is a specific _DSM that allows the OS to skip the delays +but this platform does not provide the _DSM and does not go to S3 anyway +so no firmware is involved that could already handle these delays. + +In this particular Intel Coffee Lake platform these delays are not +actually needed because there is an additional delay as part of the ACPI +power resource that is used to turn on power to the hierarchy but since +that additional delay is not required by any of standards (PCIe, ACPI) +it is not present in the Intel Ice Lake, for example where missing the +mandatory delays causes pciehp to start tearing down the stack too early +(links are not yet trained). + +For this reason, change the PCIe portdrv PM resume hooks so that they +perform the mandatory delays before the downstream component gets +resumed. We perform the delays before port services are resumed because +otherwise pciehp might find that the link is not up (even if it is just +training) and tears-down the hierarchy. + +Signed-off-by: Mika Westerberg +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 29 ++++++++++----- + drivers/pci/pci.h | 1 + + drivers/pci/pcie/portdrv_core.c | 66 +++++++++++++++++++++++++++++++++ + 3 files changed, 86 insertions(+), 10 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 766f5779db92..12013ebc3ebb 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -999,15 +999,10 @@ static void __pci_start_power_transition(struct pci_dev *dev, pci_power_t state) + if (state == PCI_D0) { + pci_platform_power_transition(dev, PCI_D0); + /* +- * Mandatory power management transition delays, see +- * PCI Express Base Specification Revision 2.0 Section +- * 6.6.1: Conventional Reset. Do not delay for +- * devices powered on/off by corresponding bridge, +- * because have already delayed for the bridge. ++ * Mandatory power management transition delays are ++ * handled in the PCIe portdrv resume hooks. + */ + if (dev->runtime_d3cold) { +- if (dev->d3cold_delay && !dev->imm_ready) +- msleep(dev->d3cold_delay); + /* + * When powering on a bridge from D3cold, the + * whole hierarchy may be powered on into +@@ -4581,14 +4576,16 @@ static int pci_pm_reset(struct pci_dev *dev, int probe) + + return pci_dev_wait(dev, "PM D3->D0", PCIE_RESET_READY_POLL_MS); + } ++ + /** +- * pcie_wait_for_link - Wait until link is active or inactive ++ * pcie_wait_for_link_delay - Wait until link is active or inactive + * @pdev: Bridge device + * @active: waiting for active or inactive? ++ * @delay: Delay to wait after link has become active (in ms) + * + * Use this to wait till link becomes active or inactive. 
+ */ +-bool pcie_wait_for_link(struct pci_dev *pdev, bool active) ++bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay) + { + int timeout = 1000; + bool ret; +@@ -4625,13 +4622,25 @@ bool pcie_wait_for_link(struct pci_dev *pdev, bool active) + timeout -= 10; + } + if (active && ret) +- msleep(100); ++ msleep(delay); + else if (ret != active) + pci_info(pdev, "Data Link Layer Link Active not %s in 1000 msec\n", + active ? "set" : "cleared"); + return ret == active; + } + ++/** ++ * pcie_wait_for_link - Wait until link is active or inactive ++ * @pdev: Bridge device ++ * @active: waiting for active or inactive? ++ * ++ * Use this to wait till link becomes active or inactive. ++ */ ++bool pcie_wait_for_link(struct pci_dev *pdev, bool active) ++{ ++ return pcie_wait_for_link_delay(pdev, active, 100); ++} ++ + void pci_reset_secondary_bus(struct pci_dev *dev) + { + u16 ctrl; +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 9cb99380c61e..59802b3def4b 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -493,6 +493,7 @@ static inline int pci_dev_specific_disable_acs_redir(struct pci_dev *dev) + void pcie_do_recovery(struct pci_dev *dev, enum pci_channel_state state, + u32 service); + ++bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay); + bool pcie_wait_for_link(struct pci_dev *pdev, bool active); + #ifdef CONFIG_PCIEASPM + void pcie_aspm_init_link_state(struct pci_dev *pdev); +diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c +index 1b330129089f..308c3e0c4a34 100644 +--- a/drivers/pci/pcie/portdrv_core.c ++++ b/drivers/pci/pcie/portdrv_core.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -378,6 +379,67 @@ static int pm_iter(struct device *dev, void *data) + return 0; + } + ++static int get_downstream_delay(struct pci_bus *bus) ++{ ++ struct pci_dev *pdev; ++ int min_delay = 100; ++ int max_delay = 0; ++ ++ 
list_for_each_entry(pdev, &bus->devices, bus_list) { ++ if (!pdev->imm_ready) ++ min_delay = 0; ++ else if (pdev->d3cold_delay < min_delay) ++ min_delay = pdev->d3cold_delay; ++ if (pdev->d3cold_delay > max_delay) ++ max_delay = pdev->d3cold_delay; ++ } ++ ++ return max(min_delay, max_delay); ++} ++ ++/* ++ * wait_for_downstream_link - Wait for downstream link to establish ++ * @pdev: PCIe port whose downstream link is waited ++ * ++ * Handle delays according to PCIe 4.0 section 6.6.1 before configuration ++ * access to the downstream component is permitted. ++ * ++ * This blocks PCI core resume of the hierarchy below this port until the ++ * link is trained. Should be called before resuming port services to ++ * prevent pciehp from starting to tear-down the hierarchy too soon. ++ */ ++static void wait_for_downstream_link(struct pci_dev *pdev) ++{ ++ int delay; ++ ++ if (pci_pcie_type(pdev) != PCI_EXP_TYPE_ROOT_PORT && ++ pci_pcie_type(pdev) != PCI_EXP_TYPE_DOWNSTREAM) ++ return; ++ ++ if (pci_dev_is_disconnected(pdev)) ++ return; ++ ++ if (!pdev->subordinate || list_empty(&pdev->subordinate->devices) || ++ !pdev->bridge_d3) ++ return; ++ ++ delay = get_downstream_delay(pdev->subordinate); ++ if (!delay) ++ return; ++ ++ dev_dbg(&pdev->dev, "waiting downstream link for %d ms\n", delay); ++ ++ /* ++ * If downstream port does not support speeds greater than 5 GT/s ++ * need to wait 100ms. For higher speeds (gen3) we need to wait ++ * first for the data link layer to become active. 
++ */ ++ if (pcie_get_speed_cap(pdev) <= PCIE_SPEED_5_0GT) ++ msleep(delay); ++ else ++ pcie_wait_for_link_delay(pdev, true, delay); ++} ++ + /** + * pcie_port_device_suspend - suspend port services associated with a PCIe port + * @dev: PCI Express port to handle +@@ -391,6 +453,8 @@ int pcie_port_device_suspend(struct device *dev) + int pcie_port_device_resume_noirq(struct device *dev) + { + size_t off = offsetof(struct pcie_port_service_driver, resume_noirq); ++ ++ wait_for_downstream_link(to_pci_dev(dev)); + return device_for_each_child(dev, &off, pm_iter); + } + +@@ -421,6 +485,8 @@ int pcie_port_device_runtime_suspend(struct device *dev) + int pcie_port_device_runtime_resume(struct device *dev) + { + size_t off = offsetof(struct pcie_port_service_driver, runtime_resume); ++ ++ wait_for_downstream_link(to_pci_dev(dev)); + return device_for_each_child(dev, &off, pm_iter); + } + #endif /* PM */ +-- +2.20.1 + diff --git a/queue-5.1/perf-annotate-tui-browser-do-not-use-member-from-var.patch b/queue-5.1/perf-annotate-tui-browser-do-not-use-member-from-var.patch new file mode 100644 index 00000000000..dfad1efbc0d --- /dev/null +++ b/queue-5.1/perf-annotate-tui-browser-do-not-use-member-from-var.patch 
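Review bot: get_downstream_delay() in portdrv_core.c no longer honours `imm_ready`: for a non-empty bus `min_delay` can never exceed `max_delay`, so `max(min_delay, max_delay)` always yields the largest `d3cold_delay`, and a device with `imm_ready` set still contributes its delay. The check removed from pci.c (`dev->d3cold_delay && !dev->imm_ready`) skipped such devices, so if that behaviour is meant to be kept the loop can be reduced to the version below. Separately, wait_for_downstream_link() discards the result of pcie_wait_for_link_delay(), so when the link never becomes active the callee logs it through `pci_info()` but the resume path carries on regardless.

```c
static int get_downstream_delay(struct pci_bus *bus)
{
	struct pci_dev *pdev;
	int delay = 0;

	list_for_each_entry(pdev, &bus->devices, bus_list) {
		/* Devices flagged imm_ready need no wait, as in the check removed from pci.c */
		if (pdev->imm_ready)
			continue;
		if (pdev->d3cold_delay > delay)
			delay = pdev->d3cold_delay;
	}

	return delay;
}
```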
@@ -0,0 +1,60 @@ +From d23365e3ad723b8d08d0cee1eb4a438c8970496a Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 28 May 2019 16:02:56 -0300 +Subject: perf annotate TUI browser: Do not use member from variable within its + own initialization + +[ Upstream commit da2019633f0b5c105ce658aada333422d8cb28fe ] + +Some compilers will complain when using a member of a struct to +initialize another member, in the same struct initialization. + +For instance: + + debian:8 Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0) + oraclelinux:7 clang version 3.4.2 (tags/RELEASE_34/dot2-final) + +Produce: + + ui/browsers/annotate.c:104:12: error: variable 'ops' is uninitialized when used within its own initialization [-Werror,-Wuninitialized] + (!ops.current_entry || + ^~~ + 1 error generated. + +So use an extra variable, initialized just before that struct, to have +the value used in the expressions used to init two of the struct +members. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Fixes: c298304bd747 ("perf annotate: Use a ops table for annotation_line__write()") +Link: https://lkml.kernel.org/n/tip-f9nexro58q62l3o9hez8hr0i@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/annotate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c +index 98d934a36d86..b0d089a95dac 100644 +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -97,11 +97,12 @@ static void annotate_browser__write(struct ui_browser *browser, void *entry, int + struct annotate_browser *ab = container_of(browser, struct annotate_browser, b); + struct annotation *notes = browser__annotation(browser); + struct annotation_line *al = list_entry(entry, struct annotation_line, node); ++ const bool is_current_entry = ui_browser__is_current_entry(browser, row); + struct 
annotation_write_ops ops = { + .first_line = row == 0, +- .current_entry = ui_browser__is_current_entry(browser, row), ++ .current_entry = is_current_entry, + .change_color = (!notes->options->hide_src_code && +- (!ops.current_entry || ++ (!is_current_entry || + (browser->use_navkeypressed && + !browser->navkeypressed))), + .width = browser->width, +-- +2.20.1 + diff --git a/queue-5.1/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch b/queue-5.1/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch new file mode 100644 index 00000000000..ba3c8f2fcfa --- /dev/null +++ b/queue-5.1/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch 
@@ -0,0 +1,206 @@
+From 3bf3fc654b257c49241d80367d2d32c1dd9bc1fe Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier
+Date: Wed, 5 Jun 2019 10:16:33 -0600
+Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot
+ mode
+
+[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ]
+
+This patch adds the necessary intelligence to properly compute the value
+of 'old' and 'head' when operating in snapshot mode. That way we can
+get the latest information in the AUX buffer and be compatible with the
+generic AUX ring buffer mechanic.
+
+Tester notes:
+
+> Leo, have you had the chance to test/review this one? Suzuki?
+
+Sure. I applied this patch on the perf/core branch (with latest
+commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
+filename to the loop') and passed testing with below steps:
+
+ # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
+ [1] 19097
+ Bubble sorting array of 30000 elements
+
+ # kill -USR2 19097
+ # kill -USR2 19097
+ # kill -USR2 19097
+ [ perf record: Woken up 4 times to write data ]
+ [ perf record: Captured and wrote 0.753 MB perf.data ]
+
+Signed-off-by: Mathieu Poirier
+Tested-by: Leo Yan
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Peter Zijlstra
+Cc: Suzuki Poulouse
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++-
+ 1 file changed, 123 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c
+index 911426721170..0a278bbcaba6 100644
+--- a/tools/perf/arch/arm/util/cs-etm.c
++++ b/tools/perf/arch/arm/util/cs-etm.c
+@@ -31,6 +31,8 @@ struct cs_etm_recording {
+ struct auxtrace_record itr;
+ struct perf_pmu *cs_etm_pmu;
+ struct perf_evlist *evlist;
++ int wrapped_cnt;
++ bool *wrapped;
+ bool snapshot_mode;
+ size_t snapshot_size;
+ };
+@@ -536,16 +538,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr,
+ return 0;
+ }
+
+-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused,
++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx)
++{
++ bool *wrapped;
++ int cnt = ptr->wrapped_cnt;
++
++ /* Make @ptr->wrapped as big as @idx */
++ while (cnt <= idx)
++ cnt++;
++
++ /*
++ * Free'ed in cs_etm_recording_free(). Using realloc() to avoid
++ * cross compilation problems where the host's system supports
++ * reallocarray() but not the target.
++ */
++ wrapped = realloc(ptr->wrapped, cnt * sizeof(bool));
++ if (!wrapped)
++ return -ENOMEM;
++
++ wrapped[cnt - 1] = false;
++ ptr->wrapped_cnt = cnt;
++ ptr->wrapped = wrapped;
++
++ return 0;
++}
++
++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer,
++ size_t buffer_size, u64 head)
++{
++ u64 i, watermark;
++ u64 *buf = (u64 *)buffer;
++ size_t buf_size = buffer_size;
++
++ /*
++ * We want to look the very last 512 byte (chosen arbitrarily) in
++ * the ring buffer.
++ */
++ watermark = buf_size - 512;
++
++ /*
++ * @head is continuously increasing - if its value is equal or greater
++ * than the size of the ring buffer, it has wrapped around.
++ */
++ if (head >= buffer_size)
++ return true;
++
++ /*
++ * The value of @head is somewhere within the size of the ring buffer.
++ * This can be that there hasn't been enough data to fill the ring
++ * buffer yet or the trace time was so long that @head has numerically
++ * wrapped around. To find we need to check if we have data at the very
++ * end of the ring buffer. We can reliably do this because mmap'ed
++ * pages are zeroed out and there is a fresh mapping with every new
++ * session.
++ */
++
++ /* @head is less than 512 byte from the end of the ring buffer */
++ if (head > watermark)
++ watermark = head;
++
++ /*
++ * Speed things up by using 64 bit transactions (see "u64 *buf" above)
++ */
++ watermark >>= 3;
++ buf_size >>= 3;
++
++ /*
++ * If we find trace data at the end of the ring buffer, @head has
++ * been there and has numerically wrapped around at least once.
++ */
++ for (i = watermark; i < buf_size; i++)
++ if (buf[i])
++ return true;
++
++ return false;
++}
++
++static int cs_etm_find_snapshot(struct auxtrace_record *itr,
+ int idx, struct auxtrace_mmap *mm,
+- unsigned char *data __maybe_unused,
++ unsigned char *data,
+ u64 *head, u64 *old)
+ {
++ int err;
++ bool wrapped;
++ struct cs_etm_recording *ptr =
++ container_of(itr, struct cs_etm_recording, itr);
++
++ /*
++ * Allocate memory to keep track of wrapping if this is the first
++ * time we deal with this *mm.
++ */
++ if (idx >= ptr->wrapped_cnt) {
++ err = cs_etm_alloc_wrapped_array(ptr, idx);
++ if (err)
++ return err;
++ }
++
++ /*
++ * Check to see if *head has wrapped around. If it hasn't only the
++ * amount of data between *head and *old is snapshot'ed to avoid
++ * bloating the perf.data file with zeros. But as soon as *head has
++ * wrapped around the entire size of the AUX ring buffer it taken.
++ */
++ wrapped = ptr->wrapped[idx];
++ if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) {
++ wrapped = true;
++ ptr->wrapped[idx] = true;
++ }
++
+ pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n",
+ __func__, idx, (size_t)*old, (size_t)*head, mm->len);
+
+- *old = *head;
+- *head += mm->len;
++ /* No wrap has occurred, we can just use *head and *old. */
++ if (!wrapped)
++ return 0;
++
++ /*
++ * *head has wrapped around - adjust *head and *old to pickup the
++ * entire content of the AUX buffer.
++ */
++ if (*head >= mm->len) {
++ *old = *head - mm->len;
++ } else {
++ *head += mm->len;
++ *old = *head - mm->len;
++ }
+
+ return 0;
+ }
+@@ -586,6 +703,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr)
+ {
+ struct cs_etm_recording *ptr =
+ container_of(itr, struct cs_etm_recording, itr);
++
++ zfree(&ptr->wrapped);
+ free(ptr);
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch b/queue-5.1/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
new file mode 100644
index 00000000000..6277b5949f1
--- /dev/null
+++ b/queue-5.1/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
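Review bot: In `cs_etm_alloc_wrapped_array()` only the last slot of the grown array is initialised (`wrapped[cnt - 1] = false;`), so when `idx` is more than one past `ptr->wrapped_cnt` the slots in between hold whatever `realloc()` returned. `cs_etm_find_snapshot()` later reads `ptr->wrapped[idx]` for any `idx < ptr->wrapped_cnt` without going through the allocator, which would be a read of uninitialised heap memory if mmap indexes do not arrive strictly in order (the callers are not visible here). Clearing the whole new tail closes that: `memset(wrapped + ptr->wrapped_cnt, 0, (cnt - ptr->wrapped_cnt) * sizeof(bool));` in place of the single assignment. The `while (cnt <= idx) cnt++;` loop is just `cnt = idx + 1`, and in `cs_etm_buffer_has_wrapped()` the expression `buf_size - 512` wraps for a buffer smaller than 512 bytes; that looks harmless because the scan loop then never runs, but an explicit guard or comment would make it intentional.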
@@ -0,0 +1,54 @@
+From 8153f9efc4fb4a839ddcf78b5baa3f383cfbf46d Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan
+Cc: Adrian Hunter
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 966360844fff..7ca79cfe1aea 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -584,6 +584,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+ char bf[128];
+
++ if (!evsel)
++ goto out_unknown;
++
+ if (evsel->name)
+ return evsel->name;
+
+@@ -620,7 +623,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+
+ evsel->name = strdup(bf);
+
+- return evsel->name ?: "unknown";
++ if (evsel->name)
++ return evsel->name;
++out_unknown:
++ return "unknown";
+ }
+
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+--
+2.20.1
+
diff --git a/queue-5.1/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch b/queue-5.1/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch
new file mode 100644
index 00000000000..171c7c0b248
--- /dev/null
+++ b/queue-5.1/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch
@@ -0,0 +1,67 @@
+From 2e934c620538c6ac72b6cfeaa87f3395aba4387a Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Fri, 31 May 2019 15:13:21 +0200
+Subject: perf jvmti: Address gcc string overflow warning for strncpy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 279ab04dbea1370d2eac0f854270369ccaef8a44 ]
+
+We are getting false positive gcc warning when we compile with gcc9 (9.1.1):
+
+ CC jvmti/libjvmti.o
+ In file included from /usr/include/string.h:494,
+ from jvmti/libjvmti.c:5:
+ In function ‘strncpy’,
+ inlined from ‘copy_class_filename.constprop’ at jvmti/libjvmti.c:166:3:
+ /usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
+ 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ jvmti/libjvmti.c: In function ‘copy_class_filename.constprop’:
+ jvmti/libjvmti.c:165:26: note: length computed here
+ 165 | size_t file_name_len = strlen(file_name);
+ | ^~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+As per Arnaldo's suggestion use strlcpy(), which does the same thing and keeps
+gcc silent.
+
+Suggested-by: Arnaldo Carvalho de Melo
+Signed-off-by: Jiri Olsa
+Cc: Alexander Shishkin
+Cc: Ben Gainey
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Link: http://lkml.kernel.org/r/20190531131321.GB1281@krava
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/jvmti/libjvmti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/jvmti/libjvmti.c b/tools/perf/jvmti/libjvmti.c
+index aea7b1fe85aa..c441a34cb1c0 100644
+--- a/tools/perf/jvmti/libjvmti.c
++++ b/tools/perf/jvmti/libjvmti.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -162,8 +163,7 @@ copy_class_filename(const char * class_sign, const char * file_name, char * resu
+ result[i] = '\0';
+ } else {
+ /* fallback case */
+- size_t file_name_len = strlen(file_name);
+- strncpy(result, file_name, file_name_len < max_length ? file_name_len : max_length);
++ strlcpy(result, file_name, max_length);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/perf-report-fix-oom-error-in-tui-mode-on-s390.patch b/queue-5.1/perf-report-fix-oom-error-in-tui-mode-on-s390.patch
new file mode 100644
index 00000000000..fa60e3de8a3
--- /dev/null
+++ b/queue-5.1/perf-report-fix-oom-error-in-tui-mode-on-s390.patch
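Review bot: The `strlcpy(result, file_name, max_length);` call in the fallback branch of `copy_class_filename()` ignores its return value, so a source file name that does not fit is truncated without any indication to the caller. The new call also differs from the removed `strncpy()` in that it always NUL-terminates within `max_length`; that is the safer behaviour, but it is not quite the "does the same thing" of the commit message. Checking `if (strlcpy(result, file_name, max_length) >= max_length)` and reporting or failing the lookup would make truncation visible. How callers treat a partial name is not visible in this hunk, and the function starts outside it.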
@@ -0,0 +1,118 @@
+From bc88a0134ca9809f7954c96e89bfa85a08d8b59e Mon Sep 17 00:00:00 2001
+From: Thomas Richter
+Date: Thu, 23 May 2019 10:25:21 +0200
+Subject: perf report: Fix OOM error in TUI mode on s390
+
+[ Upstream commit 8a07aa4e9b7b0222129c07afff81634a884b2866 ]
+
+Debugging a OOM error using the TUI interface revealed this issue
+on s390:
+
+[tmricht@m83lp54 perf]$ cat /proc/kallsyms |sort
+....
+00000001119b7158 B radix_tree_node_cachep
+00000001119b8000 B __bss_stop
+00000001119b8000 B _end
+000003ff80002850 t autofs_mount [autofs4]
+000003ff80002868 t autofs_show_options [autofs4]
+000003ff80002a98 t autofs_evict_inode [autofs4]
+....
+
+There is a huge gap between the last kernel symbol
+__bss_stop/_end and the first kernel module symbol
+autofs_mount (from autofs4 module).
+
+After reading the kernel symbol table via functions:
+
+ dso__load()
+ +--> dso__load_kernel_sym()
+ +--> dso__load_kallsyms()
+ +--> __dso_load_kallsyms()
+ +--> symbols__fixup_end()
+
+the symbol __bss_stop has a start address of 1119b8000 and
+an end address of 3ff80002850, as can be seen by this debug statement:
+
+ symbols__fixup_end __bss_stop start:0x1119b8000 end:0x3ff80002850
+
+The size of symbol __bss_stop is 0x3fe6e64a850 bytes!
+It is the last kernel symbol and fills up the space until
+the first kernel module symbol.
+
+This size kills the TUI interface when executing the following
+code:
+
+ process_sample_event()
+ hist_entry_iter__add()
+ hist_iter__report_callback()
+ hist_entry__inc_addr_samples()
+ symbol__inc_addr_samples(symbol = __bss_stop)
+ symbol__cycles_hist()
+ annotated_source__alloc_histograms(...,
+ symbol__size(sym),
+ ...)
+
+This function allocates memory to save sample histograms.
+The symbol_size() marco is defined as sym->end - sym->start, which
+results in above value of 0x3fe6e64a850 bytes and
+the call to calloc() in annotated_source__alloc_histograms() fails.
+
+The histgram memory allocation might fail, make this failure
+no-fatal and continue processing.
+
+Output before:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+ -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+ __symbol__inc_addr_samples(875): ENOMEM! sym->name=__bss_stop,
+ start=0x1119b8000, addr=0x2aa0005eb08, end=0x3ff80002850,
+ func: 0
+problem adding hist entry, skipping event
+0x938b8 [0x8]: failed to process type: 68 [Cannot allocate memory]
+[tmricht@m83lp54 perf]$
+
+Output after:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+ -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+ symbol__inc_addr_samples map:0x1597830 start:0x110730000 end:0x3ff80002850
+ symbol__hists notes->src:0x2aa2a70 nr_hists:1
+ symbol__inc_addr_samples sym:unlink_anon_vmas src:0x2aa2a70
+ __symbol__inc_addr_samples: addr=0x11094c69e
+ 0x11094c670 unlink_anon_vmas: period++ [addr: 0x11094c69e, 0x2e, evidx=0]
+ => nr_samples: 1, period: 526008
+[tmricht@m83lp54 perf]$
+
+There is no error about failed memory allocation and the TUI interface
+shows all entries.
+
+Signed-off-by: Thomas Richter
+Reviewed-by: Hendrik Brueckner
+Cc: Heiko Carstens
+Cc: Hendrik Brueckner
+Link: http://lkml.kernel.org/r/90cb5607-3e12-5167-682d-978eba7dafa8@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/annotate.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 09762985c713..0c43c5a0d9d9 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -932,9 +932,8 @@ static int symbol__inc_addr_samples(struct symbol *sym, struct map *map,
+ if (sym == NULL)
+ return 0;
+ src = symbol__hists(sym, evsel->evlist->nr_entries);
+- if (src == NULL)
+- return -ENOMEM;
+- return __symbol__inc_addr_samples(sym, map, src, evsel->idx, addr, sample);
++ return (src) ? __symbol__inc_addr_samples(sym, map, src, evsel->idx,
++ addr, sample) : 0;
+ }
+
+ static int symbol__account_cycles(u64 addr, u64 start,
+--
+2.20.1
+
diff --git a/queue-5.1/perf-stat-don-t-merge-events-in-the-same-pmu.patch b/queue-5.1/perf-stat-don-t-merge-events-in-the-same-pmu.patch
new file mode 100644
index 00000000000..1e13dd97811
--- /dev/null
+++ b/queue-5.1/perf-stat-don-t-merge-events-in-the-same-pmu.patch
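Review bot: With `return (src) ? __symbol__inc_addr_samples(...) : 0;` a failed `symbol__hists()` allocation in `symbol__inc_addr_samples()` is now reported as success, so samples for that symbol are dropped silently and a genuine out-of-memory condition can no longer be told apart from the oversized `__bss_stop` case described in the message. A debug line before returning, e.g. `pr_debug("%s: no histogram memory for %s, sample not annotated\n", __func__, sym->name);`, would keep the non-fatal behaviour while leaving a trace. The symbol size that triggers the huge allocation is left as computed, so any other consumer of `sym->end - sym->start` still sees it. The function starts outside the hunk.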
@@ -0,0 +1,53 @@
+From 70832f2ac3b4e7e08a554e1f16d28a98adf0cd1a Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Mon, 24 Jun 2019 12:37:09 -0700
+Subject: perf stat: Don't merge events in the same PMU
+
+[ Upstream commit 6c5f4e5cb35b4694dc035d91092d23f596ecd06a ]
+
+Event merging is mainly to collapse similar events in lots of different
+duplicated PMUs.
+
+It can break metric displaying. It's possible for two metrics to have
+the same event, and when the two events happen in a row the second
+wouldn't be displayed. This would also not show the second metric.
+
+To avoid this don't merge events in the same PMU. This makes sense, if
+we have multiple events in the same PMU there is likely some reason for
+it (e.g. using multiple groups) and we better not merge them.
+
+While in theory it would be possible to construct metrics that have
+events with the same name in different PMU no current metrics have this
+problem.
+
+This is the fix for perf stat -M UPI,IPC (needs also another bug fix to
+completely work)
+
+Signed-off-by: Andi Kleen
+Acked-by: Jiri Olsa
+Cc: Kan Liang
+Fixes: 430daf2dc7af ("perf stat: Collapse identically named events")
+Link: http://lkml.kernel.org/r/20190624193711.35241-3-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/stat-display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index 6d043c78f3c2..9c940242dcbe 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -539,7 +539,8 @@ static void collect_all_aliases(struct perf_stat_config *config, struct perf_evs
+ alias->scale != counter->scale ||
+ alias->cgrp != counter->cgrp ||
+ strcmp(alias->unit, counter->unit) ||
+- perf_evsel__is_clock(alias) != perf_evsel__is_clock(counter))
++ perf_evsel__is_clock(alias) != perf_evsel__is_clock(counter) ||
++ !strcmp(alias->pmu_name, counter->pmu_name))
+ break;
+ alias->merged_stat = true;
+ cb(config, alias, data, false);
+--
+2.20.1
+
diff --git a/queue-5.1/perf-stat-fix-group-lookup-for-metric-group.patch b/queue-5.1/perf-stat-fix-group-lookup-for-metric-group.patch
new file mode 100644
index 00000000000..e81dc6845d1
--- /dev/null
+++ b/queue-5.1/perf-stat-fix-group-lookup-for-metric-group.patch
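Review bot: The added `!strcmp(alias->pmu_name, counter->pmu_name)` in `collect_all_aliases()` dereferences both `pmu_name` pointers unconditionally, and nothing in the visible part of the condition guarantees they are set. If an evsel can reach this loop with `pmu_name == NULL` (for instance an event not created from a PMU alias; not visible here), this is a NULL dereference inside `strcmp()`. A guarded form such as `(alias->pmu_name && counter->pmu_name && !strcmp(alias->pmu_name, counter->pmu_name))` keeps the new rule without that risk. The condition starts above the hunk.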
@@ -0,0 +1,124 @@
+From da13a6f8d736fc289d740f1b3e69c982de925125 Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Mon, 24 Jun 2019 12:37:10 -0700
+Subject: perf stat: Fix group lookup for metric group
+
+[ Upstream commit 2f87f33f4226523df9c9cc28f9874ea02fcc3d3f ]
+
+The metric group code tries to find a group it added earlier in the
+evlist. Fix the lookup to handle groups with partially overlaps
+correctly. When a sub string match fails and we reset the match, we have
+to compare the first element again.
+
+I also renamed the find_evsel function to find_evsel_group to make its
+purpose clearer.
+
+With the earlier changes this fixes:
+
+Before:
+
+ % perf stat -M UPI,IPC sleep 1
+ ...
+ 1,032,922 uops_retired.retire_slots # 1.1 UPI
+ 1,896,096 inst_retired.any
+ 1,896,096 inst_retired.any
+ 1,177,254 cpu_clk_unhalted.thread
+
+After:
+
+ % perf stat -M UPI,IPC sleep 1
+ ...
+ 1,013,193 uops_retired.retire_slots # 1.1 UPI
+ 932,033 inst_retired.any
+ 932,033 inst_retired.any # 0.9 IPC
+ 1,091,245 cpu_clk_unhalted.thread
+
+Signed-off-by: Andi Kleen
+Acked-by: Jiri Olsa
+Cc: Kan Liang
+Fixes: b18f3e365019 ("perf stat: Support JSON metrics in perf stat")
+Link: http://lkml.kernel.org/r/20190624193711.35241-4-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/metricgroup.c | 47 ++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
+index b8d864ed4afe..a48895c4324a 100644
+--- a/tools/perf/util/metricgroup.c
++++ b/tools/perf/util/metricgroup.c
+@@ -94,26 +94,49 @@ struct egroup {
+ const char *metric_expr;
+ };
+
+-static struct perf_evsel *find_evsel(struct perf_evlist *perf_evlist,
+- const char **ids,
+- int idnum,
+- struct perf_evsel **metric_events)
++static bool record_evsel(int *ind, struct perf_evsel **start,
++ int idnum,
++ struct perf_evsel **metric_events,
++ struct perf_evsel *ev)
++{
++ metric_events[*ind] = ev;
++ if (*ind == 0)
++ *start = ev;
++ if (++*ind == idnum) {
++ metric_events[*ind] = NULL;
++ return true;
++ }
++ return false;
++}
++
++static struct perf_evsel *find_evsel_group(struct perf_evlist *perf_evlist,
++ const char **ids,
++ int idnum,
++ struct perf_evsel **metric_events)
+ {
+ struct perf_evsel *ev, *start = NULL;
+ int ind = 0;
+
+ evlist__for_each_entry (perf_evlist, ev) {
++ if (ev->collect_stat)
++ continue;
+ if (!strcmp(ev->name, ids[ind])) {
+- metric_events[ind] = ev;
+- if (ind == 0)
+- start = ev;
+- if (++ind == idnum) {
+- metric_events[ind] = NULL;
++ if (record_evsel(&ind, &start, idnum,
++ metric_events, ev))
+ return start;
+- }
+ } else {
++ /*
++ * We saw some other event that is not
++ * in our list of events. Discard
++ * the whole match and start again.
++ */
+ ind = 0;
+ start = NULL;
++ if (!strcmp(ev->name, ids[ind])) {
++ if (record_evsel(&ind, &start, idnum,
++ metric_events, ev))
++ return start;
++ }
+ }
+ }
+ /*
+@@ -143,8 +166,8 @@ static int metricgroup__setup_events(struct list_head *groups,
+ ret = -ENOMEM;
+ break;
+ }
+- evsel = find_evsel(perf_evlist, eg->ids, eg->idnum,
+- metric_events);
++ evsel = find_evsel_group(perf_evlist, eg->ids, eg->idnum,
++ metric_events);
+ if (!evsel) {
+ pr_debug("Cannot resolve %s: %s\n",
+ eg->metric_name, eg->metric_expr);
+--
+2.20.1
+
diff --git a/queue-5.1/perf-stat-fix-metrics-with-no-merge.patch b/queue-5.1/perf-stat-fix-metrics-with-no-merge.patch
new file mode 100644
index 00000000000..c12529227e7
--- /dev/null
+++ b/queue-5.1/perf-stat-fix-metrics-with-no-merge.patch
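Review bot: The `else` branch in `find_evsel_group()` repeats the `strcmp()`/`record_evsel()` pair from the `if` branch, so the matching rule now lives in two places that have to be kept in step. Resetting first and then falling through to a single `record_evsel()` call expresses the same behaviour once, as in the excerpt below. `record_evsel()` also writes the NULL terminator at index `idnum`, which relies on `metric_events` having `idnum + 1` slots; the allocation is outside the hunk, so a short comment on `record_evsel()` stating that requirement would help.

```c
	evlist__for_each_entry (perf_evlist, ev) {
		/* … unchanged: skip events with collect_stat set … */
		if (strcmp(ev->name, ids[ind])) {
			/*
			 * Not the event expected next: discard the partial
			 * match and retry this event as a first element.
			 */
			ind = 0;
			start = NULL;
			if (strcmp(ev->name, ids[0]))
				continue;
		}
		if (record_evsel(&ind, &start, idnum, metric_events, ev))
			return start;
	}
```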
@@ -0,0 +1,74 @@
+From 48c99e7ddcd5af9e6fd29964ab54c45ce5bc399d Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Mon, 24 Jun 2019 12:37:11 -0700
+Subject: perf stat: Fix metrics with --no-merge
+
+[ Upstream commit e3a9427323a53ceee540276a74af7706f350d052 ]
+
+Since Fixes: 8c5421c016a4 ("perf pmu: Display pmu name when printing
+unmerged events in stat") using --no-merge adds the PMU name to the
+evsel name.
+
+This breaks the metric value lookup because the parser doesn't know
+about this.
+
+Remove the extra postfixes for the metric evaluation.
+
+Signed-off-by: Andi Kleen
+Acked-by: Jiri Olsa
+Cc: Agustin Vega-Frias
+Cc: Kan Liang
+Fixes: 8c5421c016a4 ("perf pmu: Display pmu name when printing unmerged events in stat")
+Link: http://lkml.kernel.org/r/20190624193711.35241-5-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/stat-shadow.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
+index e545e2a8ae71..0ef98e991ade 100644
+--- a/tools/perf/util/stat-shadow.c
++++ b/tools/perf/util/stat-shadow.c
+@@ -723,6 +723,7 @@ static void generic_metric(struct perf_stat_config *config,
+ double ratio;
+ int i;
+ void *ctxp = out->ctx;
++ char *n, *pn;
+
+ expr__ctx_init(&pctx);
+ expr__add_id(&pctx, name, avg);
+@@ -742,7 +743,19 @@ static void generic_metric(struct perf_stat_config *config,
+ stats = &v->stats;
+ scale = 1.0;
+ }
+- expr__add_id(&pctx, metric_events[i]->name, avg_stats(stats)*scale);
++
++ n = strdup(metric_events[i]->name);
++ if (!n)
++ return;
++ /*
++ * This display code with --no-merge adds [cpu] postfixes.
++ * These are not supported by the parser. Remove everything
++ * after the space.
++ */
++ pn = strchr(n, ' ');
++ if (pn)
++ *pn = 0;
++ expr__add_id(&pctx, n, avg_stats(stats)*scale);
+ }
+ if (!metric_events[i]) {
+ const char *p = metric_expr;
+@@ -759,6 +772,9 @@ static void generic_metric(struct perf_stat_config *config,
+ (metric_name ? metric_name : name) : "", 0);
+ } else
+ print_metric(config, ctxp, NULL, NULL, "", 0);
++
++ for (i = 1; i < pctx.num_ids; i++)
++ free((void *)pctx.ids[i].name);
+ }
+
+ void perf_stat__print_shadow_stats(struct perf_stat_config *config,
+--
+2.20.1
+
diff --git a/queue-5.1/perf-stat-make-metric-event-lookup-more-robust.patch b/queue-5.1/perf-stat-make-metric-event-lookup-more-robust.patch
new file mode 100644
index 00000000000..4de0bfe68ff
--- /dev/null
+++ b/queue-5.1/perf-stat-make-metric-event-lookup-more-robust.patch
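Review bot: The `if (!n) return;` after `strdup()` in `generic_metric()` leaves the function without reaching the new `free()` loop at the end, so every name duplicated in earlier iterations is leaked and nothing is printed for the metric. Routing the failure to the cleanup instead, for example `if (!n) goto out_free;` with an `out_free:` label in front of the `for (i = 1; i < pctx.num_ids; i++)` loop, keeps ownership in one place. That loop also assumes every `n` was stored by `expr__add_id()` and that slot 0 is the caller's `name`; if `expr__add_id()` can fail to store an id (its body is not visible here), that copy leaks as well. The function starts and ends outside these hunks.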
@@ -0,0 +1,51 @@
+From c9a71f56dccd8f3a54f8fccf24aae889ef45dd91 Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Mon, 24 Jun 2019 12:37:08 -0700
+Subject: perf stat: Make metric event lookup more robust
+
+[ Upstream commit 145c407c808352acd625be793396fd4f33c794f8 ]
+
+After setting up metric groups through the event parser, the metricgroup
+code looks them up again in the event list.
+
+Make sure we only look up events that haven't been used by some other
+metric. The data structures currently cannot handle more than one metric
+per event. This avoids problems with multiple events partially
+overlapping.
+
+Signed-off-by: Andi Kleen
+Acked-by: Jiri Olsa
+Cc: Kan Liang
+Link: http://lkml.kernel.org/r/20190624193711.35241-2-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/stat-shadow.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
+index 83d8094be4fe..e545e2a8ae71 100644
+--- a/tools/perf/util/stat-shadow.c
++++ b/tools/perf/util/stat-shadow.c
+@@ -303,7 +303,7 @@ static struct perf_evsel *perf_stat__find_event(struct perf_evlist *evsel_list,
+ struct perf_evsel *c2;
+
+ evlist__for_each_entry (evsel_list, c2) {
+- if (!strcasecmp(c2->name, name))
++ if (!strcasecmp(c2->name, name) && !c2->collect_stat)
+ return c2;
+ }
+ return NULL;
+@@ -342,7 +342,8 @@ void perf_stat__collect_metric_expr(struct perf_evlist *evsel_list)
+ if (leader) {
+ /* Search in group */
+ for_each_group_member (oc, leader) {
+- if (!strcasecmp(oc->name, metric_names[i])) {
++ if (!strcasecmp(oc->name, metric_names[i]) &&
++ !oc->collect_stat) {
+ found = true;
+ break;
+ }
+--
+2.20.1
+
diff --git a/queue-5.1/perf-test-6-fix-missing-kvm-module-load-for-s390.patch b/queue-5.1/perf-test-6-fix-missing-kvm-module-load-for-s390.patch
new file mode 100644
index 00000000000..c2dd63637af
--- /dev/null
+++ b/queue-5.1/perf-test-6-fix-missing-kvm-module-load-for-s390.patch 
@@ -0,0 +1,87 @@
+From aec13c1b1c69c0b7f55e5e93e6a8f27ff9f696d5 Mon Sep 17 00:00:00 2001
+From: Thomas Richter
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+ # perf test -Fv 6
+
+fails with error
+
+ running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+ event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+ event syntax error: 'kvm-s390:kvm_s390_create_vm'
+ \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+ /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter
+Reviewed-by: Christian Borntraeger
+Cc: Heiko Carstens
+Cc: Hendrik Brueckner
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index 4a69c07f4101..8f3c80e13584 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -18,6 +18,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+ PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
+
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++ char *eventfile;
++ bool rc = false;
++
++ eventfile = get_events_file("kvm-s390");
++
++ if (eventfile) {
++ DIR *mydir = opendir(eventfile);
++
++ if (mydir) {
++ rc = true;
++ closedir(mydir);
++ }
++ put_events_file(eventfile);
++ }
++
++ return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+ struct perf_evsel *evsel = perf_evlist__first(evlist);
+@@ -1642,6 +1668,7 @@ static struct evlist_test test__events[] = {
+ {
+ .name = "kvm-s390:kvm_s390_create_vm",
+ .check = test__checkevent_tracepoint,
++ .valid = kvm_s390_create_vm_valid,
+ .id = 100,
+ },
+ #endif
+--
+2.20.1
+
diff --git a/queue-5.1/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch b/queue-5.1/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch
new file mode 100644
index 00000000000..7c23092f7a4
--- /dev/null
+++ b/queue-5.1/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch
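Review bot: `kvm_s390_create_vm_valid()` uses `opendir()` as an existence test, which also fails when the events directory exists but cannot be read, so a permission problem and a missing kvm module both come out as "not valid" and the test entry is skipped either way. The comment above the function should say which failure modes are deliberately treated as "module absent"; as written it only says the test "always fails" otherwise. That comment also has the typo `retun` and does not use the usual multi-line layout with `/*` on a line of its own.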
@@ -0,0 +1,82 @@
+From ba36db5b29d873f4414b856e20dd728c25d880a8 Mon Sep 17 00:00:00 2001
+From: Seeteena Thoufeek
+Date: Thu, 27 Jun 2019 15:46:54 +0530
+Subject: perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64
+
+[ Upstream commit bff5a556c149804de29347a88a884d25e4e4e3a2 ]
+
+'probe libc's inet_pton & backtrace it with ping' testcase sometimes
+fails on powerpc because distro ping binary does not have symbol
+information and thus it prints "[unknown]" function name in the
+backtrace.
+
+Accept "[unknown]" as valid function name for powerpc as well.
+
+ # perf test -v "probe libc's inet_pton & backtrace it with ping"
+
+Before:
+
+ 59: probe libc's inet_pton & backtrace it with ping :
+ --- start ---
+ test child forked, pid 79695
+ ping 79718 [077] 96483.787025: probe_libc:inet_pton: (7fff83a754c8)
+ 7fff83a754c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+ 7fff83a2b7a0 gaih_inet.constprop.7+0x1020
+ (/usr/lib64/power9/libc-2.28.so)
+ 7fff83a2c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+ 1171830f4 [unknown] (/usr/bin/ping)
+ FAIL: expected backtrace entry
+ ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$"
+ got "1171830f4 [unknown] (/usr/bin/ping)"
+ test child finished with -1
+ ---- end ----
+ probe libc's inet_pton & backtrace it with ping: FAILED!
+
+After:
+
+ 59: probe libc's inet_pton & backtrace it with ping :
+ --- start ---
+ test child forked, pid 79085
+ ping 79108 [045] 96400.214177: probe_libc:inet_pton: (7fffbb9654c8)
+ 7fffbb9654c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+ 7fffbb91b7a0 gaih_inet.constprop.7+0x1020
+ (/usr/lib64/power9/libc-2.28.so)
+ 7fffbb91c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+ 132e830f4 [unknown] (/usr/bin/ping)
+ test child finished with 0
+ ---- end ----
+ probe libc's inet_pton & backtrace it with ping: Ok
+
+Signed-off-by: Seeteena Thoufeek
+Reviewed-by: Kim Phillips
+Cc: Alexander Shishkin
+Cc: Hendrik Brueckner
+Cc: Jiri Olsa
+Cc: Michael Petlan
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Sandipan Das
+Fixes: 1632936480a5 ("perf tests: Fix record+probe_libc_inet_pton.sh without ping's debuginfo")
+Link: http://lkml.kernel.org/r/1561630614-3216-1-git-send-email-s1seetee@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/tests/shell/record+probe_libc_inet_pton.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+index 61c9f8fc6fa1..58a99a292930 100755
+--- a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
++++ b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+@@ -44,7 +44,7 @@ trace_libc_inet_pton_backtrace() {
+ eventattr='max-stack=4'
+ echo "gaih_inet.*\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+ echo "getaddrinfo\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+- echo ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$" >> $expected
++ echo ".*(\+0x[[:xdigit:]]+|\[unknown\])[[:space:]]\(.*/bin/ping.*\)$" >> $expected
+ ;;
+ *)
+ eventattr='max-stack=3'
+--
+2.20.1
+
diff --git a/queue-5.1/perf-tools-increase-max_nr_cpus-and-max_caches.patch b/queue-5.1/perf-tools-increase-max_nr_cpus-and-max_caches.patch
new file mode 100644
index 00000000000..5cca43ddd3d
--- /dev/null
+++ b/queue-5.1/perf-tools-increase-max_nr_cpus-and-max_caches.patch
@@ -0,0 +1,70 @@ +From 99efcf19ade99cc7b85ec92f7959ff2f8c43b387 Mon Sep 17 00:00:00 2001 +From: Kyle Meyer +Date: Thu, 20 Jun 2019 14:36:30 -0500 +Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES + +[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ] + +Attempting to profile 1024 or more CPUs with perf causes two errors: + + perf record -a + [ perf record: Woken up X times to write data ] + way too many cpu caches.. + [ perf record: Captured and wrote X MB perf.data (X samples) ] + + perf report -C 1024 + Error: failed to set cpu bitmap + Requested CPU 1024 too large. Consider raising MAX_NR_CPUS + + Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as + MAX_NR_CPUS * 4 returns normal functionality to perf: + + perf record -a + [ perf record: Woken up X times to write data ] + [ perf record: Captured and wrote X MB perf.data (X samples) ] + + perf report -C 1024 + ... + +Signed-off-by: Kyle Meyer +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/perf.h | 2 +- + tools/perf/util/header.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/perf.h b/tools/perf/perf.h +index c59743def8d3..b86ecc7afdd7 100644 +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -26,7 +26,7 @@ static inline unsigned long long rdclock(void) + } + + #ifndef MAX_NR_CPUS +-#define MAX_NR_CPUS 1024 ++#define MAX_NR_CPUS 2048 + #endif + + extern const char *input_name; +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 682e3d524d3c..df608cfaa03c 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -1100,7 +1100,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp) + return 0; + } + +-#define MAX_CACHES 2000 ++#define MAX_CACHES (MAX_NR_CPUS * 4) + + 
static int write_cache(struct feat_fd *ff, + struct perf_evlist *evlist __maybe_unused) +-- +2.20.1 + diff --git a/queue-5.1/perf-x86-intel-disable-check_msr-for-real-hw.patch b/queue-5.1/perf-x86-intel-disable-check_msr-for-real-hw.patch new file mode 100644 index 00000000000..7783d7f1b9a --- /dev/null +++ b/queue-5.1/perf-x86-intel-disable-check_msr-for-real-hw.patch 
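Review bot: Redefining `MAX_CACHES` as `(MAX_NR_CPUS * 4)` in tools/perf/util/header.c raises it from 2000 to 8192 entries. Because `MAX_NR_CPUS` sits under `#ifndef` in perf.h, a build-time override scales it further. The hunk ends on the signature of `write_cache()`, whose body is not shown; if it sizes a local `struct cpu_cache_level` array with this macro, the stack frame grows by the same factor. That is worth confirming, and a heap allocation would be safer if so. A comment on the define would record the sizing assumption, e.g. `/* sized for up to 4 cache entries per possible CPU */`, if that is the intent.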
@@ -0,0 +1,62 @@ +From ad095d45f1b348a1ff942c1fe0f3ac2edebc1077 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 16 Jun 2019 16:13:13 +0200 +Subject: perf/x86/intel: Disable check_msr for real HW + +[ Upstream commit d0e1a507bdc761a14906f03399d933ea639a1756 ] + +Tom Vaden reported false failure of the check_msr() function, because +some servers can do POST tracing and enable LBR tracing during +bootup. + +Kan confirmed that check_msr patch was to fix a bug report in +guest, so it's ok to disable it for real HW. + +Reported-by: Tom Vaden +Signed-off-by: Jiri Olsa +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tom Vaden +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Liang Kan +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190616141313.GD2500@krava +[ Readability edits. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 82dad001d1ea..a50e182c38b6 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include "../perf_event.h" + +@@ -3927,6 +3928,13 @@ static bool check_msr(unsigned long msr, u64 mask) + { + u64 val_old, val_new, val_tmp; + ++ /* ++ * Disable the check for real HW, so we don't ++ * mess with potentionaly enabled registers: ++ */ ++ if (hypervisor_is_type(X86_HYPER_NATIVE)) ++ return true; ++ + /* + * Read the current value, change it and read it back to see if it + * matches, this is needed to detect certain hardware emulators +-- +2.20.1 + diff --git a/queue-5.1/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch b/queue-5.1/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch new file mode 100644 index 00000000000..e18925b54a9 --- /dev/null 
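Review bot: The early `return true` added to check_msr() in arch/x86/events/intel/core.c relies on `hypervisor_is_type(X86_HYPER_NATIVE)` meaning bare metal. That value is presumably also what a guest sees when the kernel does not recognise its hypervisor, which is the emulator case the existing comment below says the probe exists for. Testing the CPUID hypervisor bit instead, `if (!boot_cpu_has(X86_FEATURE_HYPERVISOR)) return true;`, would keep the probe active for any guest that advertises itself. The new comment also has a typo: `potentionaly` should read `potentially`. The rest of check_msr() lies outside the hunk.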
+++ b/queue-5.1/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch 
@@ -0,0 +1,70 @@ +From ac59839a34c3859a68311b9284045bdfedcadcf7 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 30 Apr 2019 17:53:43 -0700 +Subject: perf/x86/intel/uncore: Handle invalid event coding for free-running + counter + +[ Upstream commit 543ac280b3576c0009e8c0fcd4d6bfc9978d7bd0 ] + +Counting with invalid event coding for free-running counter may cause +OOPs, e.g. uncore_iio_free_running_0/event=1/. + +Current code only validate the event with free-running event format, +event=0xff,umask=0xXY. Non-free-running event format never be checked +for the PMU with free-running counters. + +Add generic hw_config() to check and reject the invalid event coding +for free-running PMU. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: acme@kernel.org +Cc: eranian@google.com +Fixes: 0f519f0352e3 ("perf/x86/intel/uncore: Support IIO free-running counters on SKX") +Link: https://lkml.kernel.org/r/1556672028-119221-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore.h | 10 ++++++++++ + arch/x86/events/intel/uncore_snbep.c | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h +index 853a49a8ccf6..b24da63459c4 100644 +--- a/arch/x86/events/intel/uncore.h ++++ b/arch/x86/events/intel/uncore.h +@@ -419,6 +419,16 @@ static inline bool is_freerunning_event(struct perf_event *event) + (((cfg >> 8) & 0xff) >= UNCORE_FREERUNNING_UMASK_START); + } + ++/* Check and reject invalid config */ ++static inline int uncore_freerunning_hw_config(struct intel_uncore_box *box, ++ struct perf_event *event) ++{ ++ if (is_freerunning_event(event)) ++ return 0; ++ ++ return -EINVAL; ++} ++ + static inline void uncore_disable_box(struct intel_uncore_box *box) + { + if (box->pmu->type->ops->disable_box) +diff --git a/arch/x86/events/intel/uncore_snbep.c 
b/arch/x86/events/intel/uncore_snbep.c +index b10e04387f38..8e4e8e423839 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -3585,6 +3585,7 @@ static struct uncore_event_desc skx_uncore_iio_freerunning_events[] = { + + static struct intel_uncore_ops skx_uncore_iio_freerunning_ops = { + .read_counter = uncore_msr_read_counter, ++ .hw_config = uncore_freerunning_hw_config, + }; + + static struct attribute *skx_uncore_iio_freerunning_formats_attr[] = { +-- +2.20.1 + diff --git a/queue-5.1/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch b/queue-5.1/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch new file mode 100644 index 00000000000..09e77003f37 --- /dev/null +++ b/queue-5.1/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch 
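Review bot: `uncore_freerunning_hw_config()` is wired only into `skx_uncore_iio_freerunning_ops`, so the new rejection of non-free-running event codes protects just that one PMU type. Any other ops table serving free-running counters (none is visible in these hunks) would still accept the caller-supplied encoding that the commit message says can oops, and should get the same `.hw_config` line. The helper's comment could state what it accepts, e.g. `/* Free-running PMUs accept only event=0xff with a umask at or above UNCORE_FREERUNNING_UMASK_START; reject anything else. */`. The `box` parameter is unused in the helper and is presumably there only to match the `hw_config` callback signature; saying so in the comment would save the next reader a lookup.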
@@ -0,0 +1,36 @@ +From a57fc63a7d2ac36b9a99d43788601ead1e2cfe1a Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Thu, 13 Jun 2019 11:29:42 +0300 +Subject: qed: iWARP - Fix tc for MPA ll2 connection + +[ Upstream commit cb94d52b93c74fe1f2595734fabeda9f8ae891ee ] + +The driver needs to assign a lossless traffic class for the MPA ll2 +connection to ensure no packets are dropped when returning from the +driver as they will never be re-transmitted by the peer. + +Fixes: ae3488ff37dc ("qed: Add ll2 connection for processing unaligned MPA packets") +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +index ded556b7bab5..eeea8683d99b 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +@@ -2708,6 +2708,8 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + data.input.rx_num_desc = n_ooo_bufs * 2; + data.input.tx_num_desc = data.input.rx_num_desc; + data.input.tx_max_bds_per_packet = QED_IWARP_MAX_BDS_PER_FPDU; ++ data.input.tx_tc = PKT_LB_TC; ++ data.input.tx_dest = QED_LL2_TX_DEST_LB; + data.p_connection_handle = &iwarp_info->ll2_mpa_handle; + data.input.secondary_queue = true; + data.cbs = &cbs; +-- +2.20.1 + diff --git a/queue-5.1/qed-set-the-doorbell-address-correctly.patch b/queue-5.1/qed-set-the-doorbell-address-correctly.patch new file mode 100644 index 00000000000..4f3cf02be20 --- /dev/null +++ b/queue-5.1/qed-set-the-doorbell-address-correctly.patch 
@@ -0,0 +1,104 @@ +From c2f7316ac0446cd1920d55db00b4c2d30968dc5c Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Sun, 26 May 2019 15:22:25 +0300 +Subject: qed: Set the doorbell address correctly + +[ Upstream commit 8366d520019f366fabd6c7a13032bdcd837e18d4 ] + +In 100g mode the doorbell bar is united for both engines. Set +the correct offset in the hwfn so that the doorbell returned +for RoCE is in the affined hwfn. + +Signed-off-by: Ariel Elior +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 29 ++++++++++++++-------- + drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +- + 2 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 866cdc86a3f2..08045fd69fad 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -3441,6 +3441,7 @@ static void qed_nvm_info_free(struct qed_hwfn *p_hwfn) + static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + void __iomem *p_regview, + void __iomem *p_doorbells, ++ u64 db_phys_addr, + enum qed_pci_personality personality) + { + struct qed_dev *cdev = p_hwfn->cdev; +@@ -3449,6 +3450,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + /* Split PCI bars evenly between hwfns */ + p_hwfn->regview = p_regview; + p_hwfn->doorbells = p_doorbells; ++ p_hwfn->db_phys_addr = db_phys_addr; + + if (IS_VF(p_hwfn->cdev)) + return qed_vf_hw_prepare(p_hwfn); +@@ -3544,7 +3546,9 @@ int qed_hw_prepare(struct qed_dev *cdev, + /* Initialize the first hwfn - will learn number of hwfns */ + rc = qed_hw_prepare_single(p_hwfn, + cdev->regview, +- cdev->doorbells, personality); ++ cdev->doorbells, ++ cdev->db_phys_addr, ++ personality); + if (rc) + return rc; + +@@ -3553,22 +3557,25 @@ int qed_hw_prepare(struct qed_dev *cdev, + /* Initialize the rest of the hwfns 
*/ + if (cdev->num_hwfns > 1) { + void __iomem *p_regview, *p_doorbell; +- u8 __iomem *addr; ++ u64 db_phys_addr; ++ u32 offset; + + /* adjust bar offset for second engine */ +- addr = cdev->regview + +- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, +- BAR_ID_0) / 2; +- p_regview = addr; ++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, ++ BAR_ID_0) / 2; ++ p_regview = cdev->regview + offset; + +- addr = cdev->doorbells + +- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, +- BAR_ID_1) / 2; +- p_doorbell = addr; ++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, ++ BAR_ID_1) / 2; ++ ++ p_doorbell = cdev->doorbells + offset; ++ ++ db_phys_addr = cdev->db_phys_addr + offset; + + /* prepare second hw function */ + rc = qed_hw_prepare_single(&cdev->hwfns[1], p_regview, +- p_doorbell, personality); ++ p_doorbell, db_phys_addr, ++ personality); + + /* in case of error, need to free the previously + * initiliazed hwfn 0. +diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +index 7873d6dfd91f..13802b825d65 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +@@ -803,7 +803,7 @@ static int qed_rdma_add_user(void *rdma_cxt, + dpi_start_offset + + ((out_params->dpi) * p_hwfn->dpi_size)); + +- out_params->dpi_phys_addr = p_hwfn->cdev->db_phys_addr + ++ out_params->dpi_phys_addr = p_hwfn->db_phys_addr + + dpi_start_offset + + ((out_params->dpi) * p_hwfn->dpi_size); + +-- +2.20.1 + diff --git a/queue-5.1/ras-cec-fix-pfn-insertion.patch b/queue-5.1/ras-cec-fix-pfn-insertion.patch new file mode 100644 index 00000000000..7f02249e2b1 --- /dev/null +++ b/queue-5.1/ras-cec-fix-pfn-insertion.patch 
@@ -0,0 +1,56 @@ +From 6316b43647ebd37f386e781120e510818ebc8304 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sat, 20 Apr 2019 12:53:05 +0200 +Subject: RAS/CEC: Fix pfn insertion + +[ Upstream commit 6d8e294bf5f0e85c34e8b14b064e2965f53f38b0 ] + +When inserting random PFNs for debugging the CEC through +(debugfs)/ras/cec/pfn, depending on the return value of pfn_set(), +multiple values get inserted per a single write. + +That is because simple_attr_write() interprets a retval of 0 as +success and claims the whole input. However, pfn_set() returns the +cec_add_elem() value, which, if > 0 and smaller than the whole input +length, makes glibc continue issuing the write syscall until there's +input left: + + pfn_set + simple_attr_write + debugfs_attr_write + full_proxy_write + vfs_write + ksys_write + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +leading to those repeated calls. + +Return 0 to fix that. + +Signed-off-by: Borislav Petkov +Cc: Tony Luck +Cc: linux-edac +Signed-off-by: Sasha Levin +--- + drivers/ras/cec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ras/cec.c b/drivers/ras/cec.c +index f85d6b7a1984..5d2b2c02cbbe 100644 +--- a/drivers/ras/cec.c ++++ b/drivers/ras/cec.c +@@ -369,7 +369,9 @@ static int pfn_set(void *data, u64 val) + { + *(u64 *)data = val; + +- return cec_add_elem(val); ++ cec_add_elem(val); ++ ++ return 0; + } + + DEFINE_DEBUGFS_ATTRIBUTE(pfn_ops, u64_get, pfn_set, "0x%llx\n"); +-- +2.20.1 + diff --git a/queue-5.1/rcu-force-inlining-of-rcu_read_lock.patch b/queue-5.1/rcu-force-inlining-of-rcu_read_lock.patch new file mode 100644 index 00000000000..8d6081568a6 --- /dev/null +++ b/queue-5.1/rcu-force-inlining-of-rcu_read_lock.patch 
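Review bot: pfn_set() in drivers/ras/cec.c now discards the result of `cec_add_elem(val)` entirely, so a failure inside it would be reported to the debugfs writer as success. The commit message describes only positive return values as the problem. If cec_add_elem() can also return a negative errno (its body is not in the hunk), propagating just that case keeps both the fix and the error report: `int ret = cec_add_elem(val);` followed by `return ret < 0 ? ret : 0;`.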
@@ -0,0 +1,55 @@ +From 351d52d7e79003ea812dd12e101e4a3de9a62936 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 21 May 2019 16:48:43 -0400 +Subject: rcu: Force inlining of rcu_read_lock() + +[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ] + +When debugging options are turned on, the rcu_read_lock() function +might not be inlined. This results in lockdep's print_lock() function +printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller. +For example: + +[ 10.579995] ============================= +[ 10.584033] WARNING: suspicious RCU usage +[ 10.588074] 4.18.0.memcg_v2+ #1 Not tainted +[ 10.593162] ----------------------------- +[ 10.597203] include/linux/rcupdate.h:281 Illegal context switch in +RCU read-side critical section! +[ 10.606220] +[ 10.606220] other info that might help us debug this: +[ 10.606220] +[ 10.614280] +[ 10.614280] rcu_scheduler_active = 2, debug_locks = 1 +[ 10.620853] 3 locks held by systemd/1: +[ 10.624632] #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70 +[ 10.633232] #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70 +[ 10.640954] #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70 + +These "rcu_read_lock+0x0/0x70" strings are not providing any useful +information. This commit therefore forces inlining of the rcu_read_lock() +function so that rcu_read_lock()'s caller is instead shown. + +Signed-off-by: Waiman Long +Signed-off-by: Paul E. 
McKenney +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index b25d20822e75..3508f4508a11 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -586,7 +586,7 @@ static inline void rcu_preempt_sleep_check(void) { } + * read-side critical sections may be preempted and they may also block, but + * only when acquiring spinlocks that are subject to priority inheritance. + */ +-static inline void rcu_read_lock(void) ++static __always_inline void rcu_read_lock(void) + { + __rcu_read_lock(); + __acquire(RCU); +-- +2.20.1 + diff --git a/queue-5.1/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch b/queue-5.1/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch new file mode 100644 index 00000000000..2680860cd20 --- /dev/null +++ b/queue-5.1/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch 
@@ -0,0 +1,55 @@ +From 2b6e0a0904b69a81017abe41500ddf73f77460ea Mon Sep 17 00:00:00 2001 +From: Daniel Baluta +Date: Fri, 17 May 2019 13:23:49 +0000 +Subject: regmap: debugfs: Fix memory leak in regmap_debugfs_init + +[ Upstream commit 2899872b627e99b7586fe3b6c9f861da1b4d5072 ] + +As detected by kmemleak running on i.MX6ULL board: + +nreferenced object 0xd8366600 (size 64): + comm "swapper/0", pid 1, jiffies 4294937370 (age 933.220s) + hex dump (first 32 bytes): + 64 75 6d 6d 79 2d 69 6f 6d 75 78 63 2d 67 70 72 dummy-iomuxc-gpr + 40 32 30 65 34 30 30 30 00 e3 f3 ab fe d1 1b dd @20e4000........ + backtrace: + [] kasprintf+0x2c/0x54 + [] regmap_debugfs_init+0x7c/0x31c + [<9c8d91fa>] __regmap_init+0xb5c/0xcf4 + [<5b1c3d2a>] of_syscon_register+0x164/0x2c4 + [<596a5d80>] syscon_node_to_regmap+0x64/0x90 + [<49bd597b>] imx6ul_init_machine+0x34/0xa0 + [<250a4dac>] customize_machine+0x1c/0x30 + [<2d19fdaf>] do_one_initcall+0x7c/0x398 + [] kernel_init_freeable+0x328/0x448 + [<168c9101>] kernel_init+0x8/0x114 + [<913268aa>] ret_from_fork+0x14/0x20 + [] 0x0 + +Root cause is that map->debugfs_name is allocated using kasprintf +and then the pointer is lost by assigning it other memory address. + +Reported-by: Stefan Wahren +Signed-off-by: Daniel Baluta +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-debugfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c +index 19eb454f26c3..df2893d4626b 100644 +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -565,6 +565,8 @@ void regmap_debugfs_init(struct regmap *map, const char *name) + } + + if (!strcmp(name, "dummy")) { ++ kfree(map->debugfs_name); ++ + map->debugfs_name = kasprintf(GFP_KERNEL, "dummy%d", + dummy_index); + name = map->debugfs_name; +-- +2.20.1 + 
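Review bot: After the added `kfree(map->debugfs_name)`, the `kasprintf()` result is stored in `map->debugfs_name` and copied into `name` with no NULL check in the visible lines. An allocation failure therefore leaves both pointers NULL for whatever regmap_debugfs_init() does with `name` next; the function continues outside the hunk. A guard right after the allocation, `if (!map->debugfs_name) return;`, would make the failure explicit instead of relying on later callees to tolerate NULL.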
diff --git a/queue-5.1/regmap-fix-bulk-writes-on-paged-registers.patch b/queue-5.1/regmap-fix-bulk-writes-on-paged-registers.patch new file mode 100644 index 00000000000..303f58db219 --- /dev/null +++ b/queue-5.1/regmap-fix-bulk-writes-on-paged-registers.patch @@ -0,0 +1,42 @@ +From a2ad744cf80c3944f187a72e29d70b984adc76fb Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 12 Jun 2019 12:03:43 +0100 +Subject: regmap: fix bulk writes on paged registers + +[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ] + +On buses like SlimBus and SoundWire which does not support +gather_writes yet in regmap, A bulk write on paged register +would be silently ignored after programming page. +This is because local variable 'ret' value in regmap_raw_write_impl() +gets reset to 0 once page register is written successfully and the +code below checks for 'ret' value to be -ENOTSUPP before linearising +the write buffer to send to bus->write(). + +Fix this by resetting the 'ret' value to -ENOTSUPP in cases where +gather_writes() is not supported or single register write is +not possible. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 4f822e087def..61d1a0864dea 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1642,6 +1642,8 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + map->format.reg_bytes + + map->format.pad_bytes, + val, val_len); ++ else ++ ret = -ENOTSUPP; + + /* If that didn't work fall back on linearising by hand. */ + if (ret == -ENOTSUPP) { +-- +2.20.1 + diff --git a/queue-5.1/rslib-fix-decoding-of-shortened-codes.patch b/queue-5.1/rslib-fix-decoding-of-shortened-codes.patch new file mode 100644 index 00000000000..57b9e48b73f --- /dev/null 
+++ b/queue-5.1/rslib-fix-decoding-of-shortened-codes.patch @@ -0,0 +1,44 @@ +From 7da9a861dd867af1cc4fcd803a4579ba0c96d8a2 Mon Sep 17 00:00:00 2001 +From: Ferdinand Blomqvist +Date: Thu, 20 Jun 2019 17:10:34 +0300 +Subject: rslib: Fix decoding of shortened codes + +[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ] + +The decoding of shortenend codes is broken. It only works as expected if +there are no erasures. + +When decoding with erasures, Lambda (the error and erasure locator +polynomial) is initialized from the given erasure positions. The pad +parameter is not accounted for by the initialisation code, and hence +Lambda is initialized from incorrect erasure positions. + +The fix is to adjust the erasure positions by the supplied pad. + +Signed-off-by: Ferdinand Blomqvist +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com +Signed-off-by: Sasha Levin +--- + lib/reed_solomon/decode_rs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c +index 1db74eb098d0..3313bf944ff1 100644 +--- a/lib/reed_solomon/decode_rs.c ++++ b/lib/reed_solomon/decode_rs.c +@@ -99,9 +99,9 @@ + if (no_eras > 0) { + /* Init lambda to be the erasure locator polynomial */ + lambda[1] = alpha_to[rs_modnn(rs, +- prim * (nn - 1 - eras_pos[0]))]; ++ prim * (nn - 1 - (eras_pos[0] + pad)))]; + for (i = 1; i < no_eras; i++) { +- u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i])); ++ u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad))); + for (j = i + 1; j > 0; j--) { + tmp = index_of[lambda[j - 1]]; + if (tmp != nn) { +-- +2.20.1 + diff --git a/queue-5.1/rslib-fix-handling-of-of-caller-provided-syndrome.patch b/queue-5.1/rslib-fix-handling-of-of-caller-provided-syndrome.patch new file mode 100644 index 00000000000..25204d4341a --- /dev/null +++ b/queue-5.1/rslib-fix-handling-of-of-caller-provided-syndrome.patch 
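Review bot: The corrected index `nn - 1 - (eras_pos[i] + pad)` in lib/reed_solomon/decode_rs.c is built from caller-supplied erasure positions that the visible lines never range-check. If a position plus `pad` exceeds `nn - 1`, the argument to `rs_modnn()` goes negative. Unless `rs_modnn()` normalises negative values (not visible here), the result would index `alpha_to[]` out of bounds. A per-position check before the polynomial is initialised would close that, e.g. `if (eras_pos[i] < 0 || eras_pos[i] + pad >= nn) return -EINVAL;`, using whichever error code the decoder's callers expect. Failing that, the precondition should be documented. This file is a fragment whose enclosing function starts and ends outside the hunk.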
@@ -0,0 +1,46 @@ +From 92fe9305b8dc45b9c670acfa1db53ee8d00fb196 Mon Sep 17 00:00:00 2001 +From: Ferdinand Blomqvist +Date: Thu, 20 Jun 2019 17:10:37 +0300 +Subject: rslib: Fix handling of of caller provided syndrome + +[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ] + +Check if the syndrome provided by the caller is zero, and act +accordingly. + +Signed-off-by: Ferdinand Blomqvist +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com +Signed-off-by: Sasha Levin +--- + lib/reed_solomon/decode_rs.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c +index 3313bf944ff1..121beb2f0930 100644 +--- a/lib/reed_solomon/decode_rs.c ++++ b/lib/reed_solomon/decode_rs.c +@@ -42,8 +42,18 @@ + BUG_ON(pad < 0 || pad >= nn); + + /* Does the caller provide the syndrome ? */ +- if (s != NULL) +- goto decode; ++ if (s != NULL) { ++ for (i = 0; i < nroots; i++) { ++ /* The syndrome is in index form, ++ * so nn represents zero ++ */ ++ if (s[i] != nn) ++ goto decode; ++ } ++ ++ /* syndrome is zero, no errors to correct */ ++ return 0; ++ } + + /* form the syndromes; i.e., evaluate data(x) at roots of + * g(x) */ +-- +2.20.1 + diff --git a/queue-5.1/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch b/queue-5.1/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch new file mode 100644 index 00000000000..d6ea2e72e12 --- /dev/null +++ b/queue-5.1/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch 
@@ -0,0 +1,104 @@ +From 8d550acffb6f9be9a3cba4523c042f185ae39e04 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Wed, 29 May 2019 14:57:30 +0800 +Subject: rtlwifi: rtl8192cu: fix error handle when usb probe failed + +[ Upstream commit 6c0ed66f1a5b84e2a812c7c2d6571a5621bf3396 ] + +rtl_usb_probe() must do error handle rtl_deinit_core() only if +rtl_init_core() is done, otherwise goto error_out2. + +| usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +| rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0 +| rtl8192cu: Chip version 0x10 +| rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0 +| rtl_usb: Too few input end points found +| INFO: trying to register non-static key. +| the code is fine but needs lockdep annotation. +| turning off the locking correctness validator. +| CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +| Google 01/01/2011 +| Workqueue: usb_hub_wq hub_event +| Call Trace: +| __dump_stack lib/dump_stack.c:77 [inline] +| dump_stack+0xe8/0x16e lib/dump_stack.c:113 +| assign_lock_key kernel/locking/lockdep.c:786 [inline] +| register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 +| __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 +| lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 +| __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] +| _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 +| rtl_c2hcmd_launcher+0xd1/0x390 +| drivers/net/wireless/realtek/rtlwifi/base.c:2344 +| rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574 +| rtl_usb_probe.cold+0x861/0xa70 +| drivers/net/wireless/realtek/rtlwifi/usb.c:1093 +| usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 +| really_probe+0x2da/0xb10 drivers/base/dd.c:509 +| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 +| __device_attach_driver+0x1d8/0x290 
drivers/base/dd.c:778 +| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 +| __device_attach+0x223/0x3a0 drivers/base/dd.c:844 +| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 +| device_add+0xad2/0x16e0 drivers/base/core.c:2106 +| usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 +| generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 +| usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 +| really_probe+0x2da/0xb10 drivers/base/dd.c:509 +| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 +| __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 +| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 +| __device_attach+0x223/0x3a0 drivers/base/dd.c:844 +| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 +| device_add+0xad2/0x16e0 drivers/base/core.c:2106 +| usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 +| hub_port_connect drivers/usb/core/hub.c:5089 [inline] +| hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] +| port_event drivers/usb/core/hub.c:5350 [inline] +| hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 +| process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 +| worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 +| kthread+0x313/0x420 kernel/kthread.c:253 +| ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com +Signed-off-by: Ping-Ke Shih +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index e24fda5e9087..34d68dbf4b4c 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1064,13 +1064,13 @@ int rtl_usb_probe(struct usb_interface *intf, + rtlpriv->cfg->ops->read_eeprom_info(hw); + err = _rtl_usb_init(hw); + if (err) +- 
goto error_out; ++ goto error_out2; + rtl_usb_init_sw(hw); + /* Init mac80211 sw */ + err = rtl_init_core(hw); + if (err) { + pr_err("Can't allocate sw for mac80211\n"); +- goto error_out; ++ goto error_out2; + } + if (rtlpriv->cfg->ops->init_sw_vars(hw)) { + pr_err("Can't init_sw_vars\n"); +@@ -1091,6 +1091,7 @@ int rtl_usb_probe(struct usb_interface *intf, + + error_out: + rtl_deinit_core(hw); ++error_out2: + _rtl_usb_io_handler_release(hw); + usb_put_dev(udev); + complete(&rtlpriv->firmware_loading_complete); +-- +2.20.1 + diff --git a/queue-5.1/rxrpc-fix-oops-in-tracepoint.patch b/queue-5.1/rxrpc-fix-oops-in-tracepoint.patch new file mode 100644 index 00000000000..c919252dc85 --- /dev/null +++ b/queue-5.1/rxrpc-fix-oops-in-tracepoint.patch 
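Review bot: The new label `error_out2` in rtl_usb_probe() says nothing about what it unwinds, and numbered labels make it easy to jump to the wrong one, which is the mistake this change corrects. Naming each label after the first cleanup step it performs, e.g. `error_deinit_core:` and `error_release_io:`, lets a reader check every `goto` at the call site. It is also worth confirming that whatever `_rtl_usb_init()` set up is released when `rtl_init_core()` fails, since that path now goes straight to `_rtl_usb_io_handler_release()`. The code that would show this is outside the hunk.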
@@ -0,0 +1,106 @@ +From 60dc0f908bd3743cead7ffe4da24c722501e38aa Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 2 Jul 2019 16:04:19 +0100 +Subject: rxrpc: Fix oops in tracepoint + +[ Upstream commit 99f0eae653b2db64917d0b58099eb51e300b311d ] + +If the rxrpc_eproto tracepoint is enabled, an oops will be cause by the +trace line that rxrpc_extract_header() tries to emit when a protocol error +occurs (typically because the packet is short) because the call argument is +NULL. + +Fix this by using ?: to assume 0 as the debug_id if call is NULL. + +This can then be induced by: + + echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only 20001 + +where addr has the following program running on it: + + #include + #include + #include + #include + #include + #include + #include + int main(void) + { + struct sockaddr_rxrpc srx; + int fd; + memset(&srx, 0, sizeof(srx)); + srx.srx_family = AF_RXRPC; + srx.srx_service = 0; + srx.transport_type = AF_INET; + srx.transport_len = sizeof(srx.transport.sin); + srx.transport.sin.sin_family = AF_INET; + srx.transport.sin.sin_port = htons(0x4e21); + fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6); + bind(fd, (struct sockaddr *)&srx, sizeof(srx)); + sleep(20); + return 0; + } + +It results in the following oops. + + BUG: kernel NULL pointer dereference, address: 0000000000000340 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + ... + RIP: 0010:trace_event_raw_event_rxrpc_rx_eproto+0x47/0xac + ... + Call Trace: + + rxrpc_extract_header+0x86/0x171 + ? rcu_read_lock_sched_held+0x5d/0x63 + ? rxrpc_new_skb+0xd4/0x109 + rxrpc_input_packet+0xef/0x14fc + ? 
rxrpc_input_data+0x986/0x986 + udp_queue_rcv_one_skb+0xbf/0x3d0 + udp_unicast_rcv_skb.isra.8+0x64/0x71 + ip_protocol_deliver_rcu+0xe4/0x1b4 + ip_local_deliver+0xf0/0x154 + __netif_receive_skb_one_core+0x50/0x6c + netif_receive_skb_internal+0x26b/0x2e9 + napi_gro_receive+0xf8/0x1da + rtl8169_poll+0x303/0x4c4 + net_rx_action+0x10e/0x333 + __do_softirq+0x1a5/0x38f + irq_exit+0x54/0xc4 + do_IRQ+0xda/0xf8 + common_interrupt+0xf/0xf + + ... + ? cpuidle_enter_state+0x23c/0x34d + cpuidle_enter+0x2a/0x36 + do_idle+0x163/0x1ea + cpu_startup_entry+0x1d/0x1f + start_secondary+0x157/0x172 + secondary_startup_64+0xa4/0xb0 + +Fixes: a25e21f0bcd2 ("rxrpc, afs: Use debug_ids rather than pointers in traces") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/trace/events/rxrpc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h +index 7b60fd186cfe..77bc53ce419f 100644 +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -1383,7 +1383,7 @@ TRACE_EVENT(rxrpc_rx_eproto, + ), + + TP_fast_assign( +- __entry->call = call->debug_id; ++ __entry->call = call ? call->debug_id : 0; + __entry->serial = serial; + __entry->why = why; + ), +-- +2.20.1 + diff --git a/queue-5.1/s390-qdio-handle-pending-state-for-qebsm-devices.patch b/queue-5.1/s390-qdio-handle-pending-state-for-qebsm-devices.patch new file mode 100644 index 00000000000..693d4215a52 --- /dev/null +++ b/queue-5.1/s390-qdio-handle-pending-state-for-qebsm-devices.patch 
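Review bot: The `call ? call->debug_id : 0` fallback in the rxrpc_rx_eproto tracepoint has no comment saying when `call` can be NULL. A trace reader cannot tell the sentinel 0 from a real debug id without knowing that. A short comment above the assignment would cover it, e.g. `/* call may be NULL when the error is raised before a call has been looked up; 0 then means "no call" */`, with the wording checked against the callers. The commit message says the NULL case is reached from a received short packet, so the other tracepoints in include/trace/events/rxrpc.h that dereference a `call` argument deserve the same audit; they are outside the hunk.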
@@ -0,0 +1,39 @@ +From b5d0b67972f9656af0c3e9b654453cea03962236 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 3 Jun 2019 07:47:04 +0200 +Subject: s390/qdio: handle PENDING state for QEBSM devices + +[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ] + +When a CQ-enabled device uses QEBSM for SBAL state inspection, +get_buf_states() can return the PENDING state for an Output Queue. +get_outbound_buffer_frontier() isn't prepared for this, and any PENDING +buffer will permanently stall all further completion processing on this +Queue. + +This isn't a concern for non-QEBSM devices, as get_buf_states() for such +devices will manually turn PENDING buffers into EMPTY ones. + +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Signed-off-by: Julian Wiedmann +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index 9537e656e927..06b94b2ee199 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -738,6 +738,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q) + + switch (state) { + case SLSB_P_OUTPUT_EMPTY: ++ case SLSB_P_OUTPUT_PENDING: + /* the adapter got it */ + DBF_DEV_EVENT(DBF_INFO, q->irq_ptr, + "out empty:%1d %02x", q->nr, count); +-- +2.20.1 + diff --git a/queue-5.1/sched-core-add-__sched-tag-for-io_schedule.patch b/queue-5.1/sched-core-add-__sched-tag-for-io_schedule.patch new file mode 100644 index 00000000000..6e540c3e11c --- /dev/null +++ b/queue-5.1/sched-core-add-__sched-tag-for-io_schedule.patch 
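Review bot: With `case SLSB_P_OUTPUT_PENDING:` now falling into the `SLSB_P_OUTPUT_EMPTY` branch of get_outbound_buffer_frontier(), the debug event still logs `out empty:` and the comment still reads `the adapter got it`, even for buffers that are in the PENDING state. Someone reading the s390 debug feature log during a stall investigation would not see that PENDING buffers were counted here. Updating the comment to something like `/* the adapter got it; PENDING (QEBSM with CQ) is treated like EMPTY */` documents the shared path. The switch continues outside the hunk.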
@@ -0,0 +1,47 @@ +From 307335ef92c150cd1f33d74cf44145be95a9e020 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Mon, 3 Jun 2019 17:13:38 +0800 +Subject: sched/core: Add __sched tag for io_schedule() + +[ Upstream commit e3b929b0a184edb35531153c5afcaebb09014f9d ] + +Non-inline io_schedule() was introduced in: + + commit 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()") + +Keep in line with io_schedule_timeout(), otherwise "/proc//wchan" will +report io_schedule() rather than its callers when waiting for IO. + +Reported-by: Jilong Kou +Signed-off-by: Gao Xiang +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tejun Heo +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Miao Xie +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()") +Link: https://lkml.kernel.org/r/20190603091338.2695-1-gaoxiang25@huawei.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index a75ad50b5e2f..242233490a49 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5175,7 +5175,7 @@ long __sched io_schedule_timeout(long timeout) + } + EXPORT_SYMBOL(io_schedule_timeout); + +-void io_schedule(void) ++void __sched io_schedule(void) + { + int token; + +-- +2.20.1 + diff --git a/queue-5.1/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch b/queue-5.1/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch new file mode 100644 index 00000000000..cbd0281a343 --- /dev/null +++ b/queue-5.1/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch 
@@ -0,0 +1,64 @@ +From 2d0bba5b9e029cef7fd56e2c18b1bd61da44791e Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 3 Jun 2019 17:11:44 -0400 +Subject: sched/fair: Fix "runnable_avg_yN_inv" not used warnings + +[ Upstream commit 509466b7d480bc5d22e90b9fbe6122ae0e2fbe39 ] + +runnable_avg_yN_inv[] is only used in kernel/sched/pelt.c but was +included in several other places because they need other macros all +came from kernel/sched/sched-pelt.h which was generated by +Documentation/scheduler/sched-pelt. As the result, it causes compilation +a lot of warnings, + + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + ... + +Silence it by appending the __maybe_unused attribute for it, so all +generated variables and macros can still be kept in the same file. + +Signed-off-by: Qian Cai +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/1559596304-31581-1-git-send-email-cai@lca.pw +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + Documentation/scheduler/sched-pelt.c | 3 ++- + kernel/sched/sched-pelt.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Documentation/scheduler/sched-pelt.c b/Documentation/scheduler/sched-pelt.c +index e4219139386a..7238b355919c 100644 +--- a/Documentation/scheduler/sched-pelt.c ++++ b/Documentation/scheduler/sched-pelt.c +@@ -20,7 +20,8 @@ void calc_runnable_avg_yN_inv(void) + int i; + unsigned int x; + +- printf("static const u32 runnable_avg_yN_inv[] = {"); ++ /* To silence -Wunused-but-set-variable warnings. 
*/ ++ printf("static const u32 runnable_avg_yN_inv[] __maybe_unused = {"); + for (i = 0; i < HALFLIFE; i++) { + x = ((1UL<<32)-1)*pow(y, i); + +diff --git a/kernel/sched/sched-pelt.h b/kernel/sched/sched-pelt.h +index a26473674fb7..c529706bed11 100644 +--- a/kernel/sched/sched-pelt.h ++++ b/kernel/sched/sched-pelt.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + /* Generated by Documentation/scheduler/sched-pelt; do not modify. */ + +-static const u32 runnable_avg_yN_inv[] = { ++static const u32 runnable_avg_yN_inv[] __maybe_unused = { + 0xffffffff, 0xfa83b2da, 0xf5257d14, 0xefe4b99a, 0xeac0c6e6, 0xe5b906e6, + 0xe0ccdeeb, 0xdbfbb796, 0xd744fcc9, 0xd2a81d91, 0xce248c14, 0xc9b9bd85, + 0xc5672a10, 0xc12c4cc9, 0xbd08a39e, 0xb8fbaf46, 0xb504f333, 0xb123f581, +-- +2.20.1 + diff --git a/queue-5.1/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch b/queue-5.1/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch new file mode 100644 index 00000000000..1d859a84886 --- /dev/null +++ b/queue-5.1/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch 
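Review bot: The comment added above the printf() in calc_runnable_avg_yN_inv() names the wrong warning: it says -Wunused-but-set-variable, while the compiler output quoted in the commit message is -Wunused-const-variable. The generated header is marked "do not modify", so this generator comment is the only place that explains the attribute and should name the right diagnostic, e.g. `/* To silence -Wunused-const-variable warnings. */`. The function body continues outside the hunk.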
@@ -0,0 +1,78 @@ +From 275ca5cd10c0eaf32514d2c0205946039ba1445f Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Wed, 26 Jun 2019 19:27:34 +0200 +Subject: scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not + supported + +[ Upstream commit 5dd6c49339126c2c8df2179041373222362d6e49 ] + +If the CHAP_A value is not supported, the chap_server_open() function +should free the auth_protocol pointer and set it to NULL, or we will leave +a dangling pointer around. + +[ 66.010905] Unsupported CHAP_A value +[ 66.011660] Security negotiation failed. +[ 66.012443] iSCSI Login negotiation failed. +[ 68.413924] general protection fault: 0000 [#1] SMP PTI +[ 68.414962] CPU: 0 PID: 1562 Comm: targetcli Kdump: loaded Not tainted 4.18.0-80.el8.x86_64 #1 +[ 68.416589] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 68.417677] RIP: 0010:__kmalloc_track_caller+0xc2/0x210 + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_auth.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c +index 4e680d753941..e2fa3a3bc81d 100644 +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -89,6 +89,12 @@ static int chap_check_algorithm(const char *a_str) + return CHAP_DIGEST_UNKNOWN; + } + ++static void chap_close(struct iscsi_conn *conn) ++{ ++ kfree(conn->auth_protocol); ++ conn->auth_protocol = NULL; ++} ++ + static struct iscsi_chap *chap_server_open( + struct iscsi_conn *conn, + struct iscsi_node_auth *auth, +@@ -126,7 +132,7 @@ static struct iscsi_chap *chap_server_open( + case CHAP_DIGEST_UNKNOWN: + default: + pr_err("Unsupported CHAP_A value\n"); +- kfree(conn->auth_protocol); ++ chap_close(conn); + return NULL; + } + +@@ -141,19 +147,13 @@ static struct iscsi_chap *chap_server_open( + * 
Generate Challenge. + */ + if (chap_gen_challenge(conn, 1, aic_str, aic_len) < 0) { +- kfree(conn->auth_protocol); ++ chap_close(conn); + return NULL; + } + + return chap; + } + +-static void chap_close(struct iscsi_conn *conn) +-{ +- kfree(conn->auth_protocol); +- conn->auth_protocol = NULL; +-} +- + static int chap_server_compute_md5( + struct iscsi_conn *conn, + struct iscsi_node_auth *auth, +-- +2.20.1 + diff --git a/queue-5.1/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch b/queue-5.1/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch new file mode 100644 index 00000000000..beccd0a1d4e --- /dev/null +++ b/queue-5.1/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch 
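Review bot: chap_close() now carries the invariant that fixes this bug, namely that conn->auth_protocol is either a live allocation or NULL, but nothing in the code states it. A future error path added to chap_server_open() could go back to a bare kfree(). A one-line comment on the helper would pin it down, e.g. `/* Free CHAP state and clear the pointer; error paths must use this, never a bare kfree(). */`. Per the log in the commit message the stale pointer was hit after a failed login negotiation ("Unsupported CHAP_A value"), so this path is driven by what the initiator sends. chap_server_open() starts and ends outside the hunks, so any other early return between the allocation and these two sites is not visible here and is worth checking.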
@@ -0,0 +1,102 @@ +From b09b9e3ff35c4b45b5ad3045f71342d520d34b48 Mon Sep 17 00:00:00 2001 +From: Jiri Benc +Date: Tue, 2 Jul 2019 19:40:31 +0200 +Subject: selftests: bpf: fix inlines in test_lwt_seg6local + +[ Upstream commit 11aca65ec4db09527d3e9b6b41a0615b7da4386b ] + +Selftests are reporting this failure in test_lwt_seg6local.sh: + ++ ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2 +Error fetching program/map! +Failed to parse eBPF program: Operation not permitted + +The problem is __attribute__((always_inline)) alone is not enough to prevent +clang from inserting those functions in .text. In that case, .text is not +marked as relocateable. + +See the output of objdump -h test_lwt_seg6local.o: + +Idx Name Size VMA LMA File off Algn + 0 .text 00003530 0000000000000000 0000000000000000 00000040 2**3 + CONTENTS, ALLOC, LOAD, READONLY, CODE + +This causes the iproute bpf loader to fail in bpf_fetch_prog_sec: +bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no +relocateable .text section in the file. + +To fix this, convert to 'static __always_inline'. 
+ +v2: Use 'static __always_inline' instead of 'static inline + __attribute__((always_inline))' + +Fixes: c99a84eac026 ("selftests/bpf: test for seg6local End.BPF action") +Signed-off-by: Jiri Benc +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + .../testing/selftests/bpf/progs/test_lwt_seg6local.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c +index 0575751bc1bc..e2f6ed0a583d 100644 +--- a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c ++++ b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c +@@ -61,7 +61,7 @@ struct sr6_tlv_t { + unsigned char value[0]; + } BPF_PACKET_HEADER; + +-__attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb) ++static __always_inline struct ip6_srh_t *get_srh(struct __sk_buff *skb) + { + void *cursor, *data_end; + struct ip6_srh_t *srh; +@@ -95,7 +95,7 @@ __attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb) + return srh; + } + +-__attribute__((always_inline)) ++static __always_inline + int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad, + uint32_t old_pad, uint32_t pad_off) + { +@@ -125,7 +125,7 @@ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad, + return 0; + } + +-__attribute__((always_inline)) ++static __always_inline + int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh, + uint32_t *tlv_off, uint32_t *pad_size, + uint32_t *pad_off) +@@ -184,7 +184,7 @@ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh, + return 0; + } + +-__attribute__((always_inline)) ++static __always_inline + int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off, + struct sr6_tlv_t *itlv, uint8_t tlv_size) + { +@@ -228,7 +228,7 @@ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off, + return update_tlv_pad(skb, 
new_pad, pad_size, pad_off); + } + +-__attribute__((always_inline)) ++static __always_inline + int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, + uint32_t tlv_off) + { +@@ -266,7 +266,7 @@ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, + return update_tlv_pad(skb, new_pad, pad_size, pad_off); + } + +-__attribute__((always_inline)) ++static __always_inline + int has_egr_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh) + { + int tlv_offset = sizeof(struct ip6_t) + sizeof(struct ip6_srh_t) + +-- +2.20.1 + diff --git a/queue-5.1/selinux-fix-empty-write-to-keycreate-file.patch b/queue-5.1/selinux-fix-empty-write-to-keycreate-file.patch new file mode 100644 index 00000000000..a2d4d86f9bb --- /dev/null +++ b/queue-5.1/selinux-fix-empty-write-to-keycreate-file.patch 
@@ -0,0 +1,53 @@
+From b1cc842f7e8e0b9d8b6a7b27ff444146c7197d03 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Wed, 12 Jun 2019 10:12:26 +0200
+Subject: selinux: fix empty write to keycreate file
+
+[ Upstream commit 464c258aa45b09f16aa0f05847ed8895873262d9 ]
+
+When sid == 0 (we are resetting keycreate_sid to the default value), we
+should skip the KEY__CREATE check.
+
+Before this patch, doing a zero-sized write to /proc/self/keycreate
+would check if the current task can create unlabeled keys (which would
+usually fail with -EACCESS and generate an AVC). Now it skips the check
+and correctly sets the task's keycreate_sid to 0.
+
+Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067
+
+Tested using the reproducer from the report above.
+
+Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys")
+Reported-by: Kir Kolyshkin
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ security/selinux/hooks.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 614bc753822c..bf37bdce9918 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -6269,11 +6269,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
+ } else if (!strcmp(name, "fscreate")) {
+ tsec->create_sid = sid;
+ } else if (!strcmp(name, "keycreate")) {
+- error = avc_has_perm(&selinux_state,
+- mysid, sid, SECCLASS_KEY, KEY__CREATE,
+- NULL);
+- if (error)
+- goto abort_change;
++ if (sid) {
++ error = avc_has_perm(&selinux_state, mysid, sid,
++ SECCLASS_KEY, KEY__CREATE, NULL);
++ if (error)
++ goto abort_change;
++ }
+ tsec->keycreate_sid = sid;
+ } else if (!strcmp(name, "sockcreate")) {
+ tsec->sockcreate_sid = sid;
+--
+2.20.1
+
diff --git a/queue-5.1/series b/queue-5.1/series
new file mode 100644
index 00000000000..5c84b94d117
--- /dev/null
+++ b/queue-5.1/series
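Review bot: The new `if (sid)` guard in the "keycreate" branch of selinux_setprocattr() bypasses an access-control check, and the code itself gives no reason why that is safe. The rationale exists only in the commit message, so the next reader of this branch sees a permission check that is silently conditional. A comment would keep it with the code, e.g. `/* sid == 0 resets keycreate_sid to the default; there is no target label to check KEY__CREATE against */`. How sid becomes 0 is decided outside the hunk (the commit message names a zero-sized write), so it is worth confirming that no other input reaches this branch with sid == 0.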
@@ -0,0 +1,227 @@ +mips-ath79-fix-ar933x-uart-parity-mode.patch +mips-fix-build-on-non-linux-hosts.patch +arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch +scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch +dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch +ath10k-check-tx_stats-before-use-it.patch +ath10k-htt-don-t-use-txdone_fifo-with-sdio.patch +ath10k-fix-incorrect-multicast-broadcast-rate-settin.patch +ath9k-don-t-trust-tx-status-tid-number-when-reportin.patch +wil6210-fix-potential-out-of-bounds-read.patch +ath10k-do-not-send-probe-response-template-for-mesh.patch +spi-rockchip-turn-down-tx-dma-bursts.patch +ath9k-check-for-errors-when-reading-srev-register.patch +ath10k-fix-the-wrong-value-of-enums-for-wmi-tlv-stat.patch +wil6210-fix-missed-misc-mbox-interrupt.patch +ath6kl-add-some-bounds-checking.patch +ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch +wil6210-fix-spurious-interrupts-in-3-msi.patch +ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch +ath10k-fix-encoding-for-protected-management-frames.patch +regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch +batman-adv-fix-for-leaked-tvlv-handler.patch +media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch +media-spi-ir-led-add-missing-of-table-registration.patch +crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch +media-ov7740-avoid-invalid-framesize-setting.patch +media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch +media-vpss-fix-a-potential-null-pointer-dereference.patch +media-media_device_enum_links32-clean-a-reserved-fie.patch +media-venus-firmware-fix-leaked-of_node-references.patch +crypto-caam-avoid-s-g-table-fetching-for-aead-zero-l.patch +net-stmmac-dwmac1000-clear-unused-address-entries.patch +net-stmmac-dwmac4-5-clear-unused-address-entries.patch +net-stmmac-prevent-missing-interrupts-when-running-n.patch +net-hns3-initialize-cpu-reverse-mapping.patch +qed-set-the-doorbell-address-correctly.patch 
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch +signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch +af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch +xfrm-fix-xfrm-sel-prefix-length-validation.patch +media-vim2m-fix-two-double-free-issues.patch +media-v4l2-core-fix-use-after-free-error.patch +fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch +media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-z.patch +perf-annotate-tui-browser-do-not-use-member-from-var.patch +media-mc-device.c-don-t-memset-__user-pointer-conten.patch +media-saa7164-fix-remove_proc_entry-warning.patch +media-staging-media-davinci_vpfe-fix-for-memory-leak.patch +net-phy-check-against-net_device-being-null.patch +crypto-talitos-properly-handle-split-icv.patch +crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch +tua6100-avoid-build-warnings.patch +batman-adv-fix-duplicated-ogms-on-netdev_up.patch +locking-lockdep-fix-ooo-unlock-when-hlocks-need-merg.patch +locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch +media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch +net-hns3-add-a-check-to-pointer-in-error_detected-an.patch +net-hns3-set-ops-to-null-when-unregister-ad_dev.patch +cpupower-frequency-set-r-option-misses-the-last-cpu-.patch +arm64-mm-make-config_zone_dma32-configurable.patch +media-imx7-mipi-csis-propagate-the-error-if-clock-en.patch +perf-jvmti-address-gcc-string-overflow-warning-for-s.patch +media-aspeed-change-irq-to-threaded-irq.patch +net-stmmac-dwmac4-fix-flow-control-issue.patch +net-stmmac-modify-default-value-of-tx-frames.patch +crypto-inside-secure-do-not-rely-on-the-hardware-las.patch +net-fec-do-not-use-netdev-messages-too-early.patch +net-axienet-fix-race-condition-causing-tx-hang.patch +s390-qdio-handle-pending-state-for-qebsm-devices.patch +ras-cec-fix-pfn-insertion.patch +net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch +ipset-fix-memory-accounting-for-hash-types-on-resize.patch 
+perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch +perf-test-6-fix-missing-kvm-module-load-for-s390.patch +perf-report-fix-oom-error-in-tui-mode-on-s390.patch +irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch +media-uvcvideo-fix-access-to-uninitialized-fields-on.patch +media-fdp1-support-m3n-and-e3-platforms.patch +iommu-fix-a-leak-in-iommu_insert_resv_region.patch +gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch +gpio-omap-ensure-irq-is-enabled-before-wakeup.patch +regmap-fix-bulk-writes-on-paged-registers.patch +gpio-omap-fix-lost-edge-wake-up-interrupts.patch +media-davinci-vpif_capture-fix-memory-leak-in-vpif_p.patch +bpf-silence-warning-messages-in-core.patch +media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch +selinux-fix-empty-write-to-keycreate-file.patch +crypto-testmgr-add-some-more-preemption-points.patch +x86-cpu-add-ice-lake-nnpi-to-intel-family.patch +asoc-meson-axg-tdm-fix-sample-clock-inversion.patch +rcu-force-inlining-of-rcu_read_lock.patch +x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch +qed-iwarp-fix-tc-for-mpa-ll2-connection.patch +net-hns3-fix-for-dereferencing-before-null-checking.patch +net-hns3-fix-for-skb-leak-when-doing-selftest.patch +net-hns3-delay-ring-buffer-clearing-during-reset.patch +block-null_blk-fix-race-condition-for-null_del_dev.patch +blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch +xfrm-fix-sa-selector-validation.patch +sched-core-add-__sched-tag-for-io_schedule.patch +sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch +perf-x86-intel-disable-check_msr-for-real-hw.patch +perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch +integrity-fix-__integrity_init_keyring-section-misma.patch +x86-atomic-fix-smp_mb__-before-after-_atomic.patch +perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch +vhost_net-disable-zerocopy-by-default.patch +iavf-allow-null-rx-descriptors.patch +ipoib-correcly-show-a-vf-hardware-address.patch 
+asoc-rsnd-fixup-mod-id-calculation-in-rsnd_ctu_probe.patch +bpf-fix-callees-pruning-callers.patch +pci-add-missing-link-delays-required-by-the-pcie-spe.patch +net-netsec-initialize-tx-ring-on-ndo_open.patch +x86-cacheinfo-fix-a-wtype-limits-warning.patch +blk-iolatency-only-account-submitted-bios.patch +acpica-clear-status-of-gpes-on-first-direct-enable.patch +spi-fix-ctrl-num_chipselect-constraint.patch +edac-sysfs-drop-device-references-properly.patch +edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch +nvme-fix-possible-io-failures-when-removing-multipat.patch +nvme-pci-properly-report-state-change-failure-in-nvm.patch +nvme-pci-set-the-errno-on-ctrl-state-change-error.patch +lightnvm-pblk-fix-freeing-of-merged-pages.patch +nvme-pci-adjust-irq-max_vector-using-num_possible_cp.patch +arm64-do-not-enable-irqs-for-ct_user_exit.patch +ipsec-select-crypto-ciphers-for-xfrm_algo.patch +ipvs-defer-hook-registration-to-avoid-leaks.patch +media-s5p-mfc-make-additional-clocks-optional.patch +media-i2c-fix-warning-same-module-names.patch +ntp-limit-tai-utc-offset.patch +timer_list-guard-procfs-specific-code.patch +media-mt9m111-fix-fw-node-refactoring.patch +asoc-soc-core-call-snd_soc_unbind_card-under-mutex_l.patch +acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch +media-coda-fix-mpeg2-sequence-number-handling.patch +media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch +media-coda-increment-sequence-offset-for-the-last-re.patch +media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch +media-hdpvr-fix-locking-and-a-missing-msleep.patch +net-stmmac-sun8i-force-select-external-phy-when-no-i.patch +rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch +mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch +x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch +mt7601u-fix-possible-memory-leak-when-the-device-is-.patch +ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch +ath10k-add-missing-error-handling.patch 
+ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch +ath10k-fix-pcie-device-wake-up-failed.patch +perf-tools-increase-max_nr_cpus-and-max_caches.patch +asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch +clocksource-drivers-tegra-release-all-irq-s-on-reque.patch +libata-don-t-request-sense-data-on-zac-ata-devices.patch +clocksource-drivers-tegra-restore-base-address-befor.patch +clocksource-drivers-exynos_mct-increase-priority-ove.patch +netfilter-ctnetlink-fix-regression-in-conntrack-entr.patch +xsk-properly-terminate-assignment-in-xskq_produce_fl.patch +rslib-fix-decoding-of-shortened-codes.patch +bpf-fix-bpf_alu32-bpf_arsh-on-be-arches.patch +rslib-fix-handling-of-of-caller-provided-syndrome.patch +gpio-fix-return-value-mismatch-of-function-gpiod_get.patch +net-mlx5-get-vport-acl-namespace-by-vport-index.patch +ixgbe-check-ddm-existence-in-transceiver-before-acce.patch +crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch +crypto-asymmetric_keys-select-crypto_hash-where-need.patch +ath9k-correctly-handle-short-radar-pulses.patch +wil6210-drop-old-event-after-wmi_call-timeout.patch +edac-fix-global-out-of-bounds-write-when-setting-eda.patch +bcache-check-cache_set_io_disable-in-allocator-code.patch +bcache-check-cache_set_io_disable-bit-in-bch_journal.patch +bcache-acquire-bch_register_lock-later-in-cached_dev.patch +bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch +bcache-fix-potential-deadlock-in-cached_def_free.patch +net-hns3-fix-a-wformat-nonliteral-compile-warning.patch +net-hns3-add-some-error-checking-in-hclge_tm-module.patch +ath10k-fix-memory-leak-in-qmi.patch +ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch +net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch +igb-clear-out-skb-tstamp-after-reading-the-txtime.patch +net-hns3-add-asym-pause-support-to-fix-autoneg-probl.patch +ixgbe-avoid-null-pointer-dereference-with-vf-on-non-.patch +iwlwifi-mvm-drop-large-non-sta-frames.patch 
+bpf-fix-uapi-bpf_prog_info-fields-alignment.patch +netfilter-fix-remainder-of-pseudo-header-protocol-0.patch +iwlwifi-dbg-fix-debug-monitor-stop-and-restart-delay.patch +bnxt_en-disable-bus-master-during-pci-shutdown-and-d.patch +bnxt_en-fix-statistics-context-reservation-logic-for.patch +alsa-hda-fix-a-headphone-detection-issue-when-using-.patch +perf-stat-make-metric-event-lookup-more-robust.patch +perf-stat-fix-metrics-with-no-merge.patch +perf-stat-don-t-merge-events-in-the-same-pmu.patch +perf-stat-fix-group-lookup-for-metric-group.patch +vxlan-do-not-destroy-fdb-if-register_netdevice-is-fa.patch +bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch +net-usb-asix-init-mac-address-buffers.patch +rxrpc-fix-oops-in-tracepoint.patch +libbpf-fix-gcc8-warning-for-strncpy.patch +bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch +selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch +bonding-validate-ip-header-before-check-ipproto_igmp.patch +gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch +asoc-audio-graph-card-fix-use-after-free-in-graph_fo.patch +tools-bpftool-fix-json-dump-crash-on-powerpc.patch +net-hns3-enable-broadcast-promisc-mode-when-initiali.patch +bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch +bluetooth-add-new-13d3-3491-qca_rome-device.patch +bluetooth-add-new-13d3-3501-qca_rome-device.patch +bluetooth-6lowpan-search-for-destination-address-in-.patch +genirq-update-irq-stats-from-nmi-handlers.patch +perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch +bluetooth-check-state-in-l2cap_disconnect_rsp.patch +bluetooth-hidp-nul-terminate-a-string-in-the-compat-.patch +gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch +bluetooth-validate-ble-connection-interval-updates.patch +gtp-fix-suspicious-rcu-usage.patch +gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch +gtp-fix-use-after-free-in-gtp_encap_destroy.patch +gtp-fix-use-after-free-in-gtp_newlink.patch +xdp-fix-race-on-generic-receive-path.patch 
+net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch +net-hns3-fix-__queue_state_stack_xoff-not-cleared-is.patch +iavf-fix-dereference-of-null-rx_buffer-pointer.patch +blk-iolatency-fix-sts_again-handling.patch +libbpf-fix-another-gcc8-warning-for-strncpy.patch +floppy-fix-div-by-zero-in-setup_format_params.patch +floppy-fix-out-of-bounds-read-in-next_valid_format.patch +floppy-fix-invalid-pointer-dereference-in-drive_name.patch +floppy-fix-out-of-bounds-read-in-copy_buffer.patch diff --git a/queue-5.1/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch b/queue-5.1/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch new file mode 100644 index 00000000000..832729f7310 --- /dev/null +++ b/queue-5.1/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch 
@@ -0,0 +1,52 @@
+From ed1468091c28abd7d8f31f81259dcf08fa8f8497 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon
+Cc: Jeff Layton
+Cc: Steve French
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index e9507fba0b36..10851bb74253 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2625,7 +2625,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+
+ task = xchg(&server->tsk, NULL);
+ if (task)
+- force_sig(SIGKILL, task);
++ send_sig(SIGKILL, task, 1);
+ }
+
+ static struct TCP_Server_Info *
+--
+2.20.1
+
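Review bot: The third argument in `send_sig(SIGKILL, task, 1)` is a bare literal, here and in the matching change to reboot_pid_ns() in kernel/pid_namespace.c. It is the `priv` flag marking the signal as kernel-originated, which is the property that makes the replacement equivalent for SIGKILL. A short comment at both sites would make that visible, e.g. `/* priv = 1: sent by the kernel, not on behalf of a user task */`. Separately, nothing in this hunk shows what keeps `task` valid between the xchg() and the send_sig() call; presumably the owning thread waits to be signalled before exiting, but that is outside the hunk and worth confirming. cifs_put_tcp_session() starts outside the hunk.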
diff --git a/queue-5.1/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch b/queue-5.1/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
new file mode 100644
index 00000000000..9c12b887818
--- /dev/null
+++ b/queue-5.1/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
@@ -0,0 +1,50 @@
+From da495a033c5853389ae985982e9cadc55117631b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano
+Cc: Serge Hallyn
+Cc: Oleg Nesterov
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Sasha Levin
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index aa6e72fb7c08..098233ebe589 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -325,7 +325,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+ }
+
+ read_lock(&tasklist_lock);
+- force_sig(SIGKILL, pid_ns->child_reaper);
++ send_sig(SIGKILL, pid_ns->child_reaper, 1);
+ read_unlock(&tasklist_lock);
+
+ do_exit(0);
+--
+2.20.1
+
diff --git a/queue-5.1/spi-fix-ctrl-num_chipselect-constraint.patch b/queue-5.1/spi-fix-ctrl-num_chipselect-constraint.patch
new file mode 100644
index 00000000000..3530de47c5d
--- /dev/null
+++ b/queue-5.1/spi-fix-ctrl-num_chipselect-constraint.patch
@@ -0,0 +1,65 @@ +From 9a85beb0ef581cbcd8e8f17a9c38c713d41e5421 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 19 Jun 2019 14:38:28 +0000 +Subject: spi: fix ctrl->num_chipselect constraint + +[ Upstream commit f9481b08220d7dc1ff21e296a330ee8b721b44e4 ] + +at91sam9g25ek showed the following error at probe: +atmel_spi f0000000.spi: Using dma0chan2 (tx) and dma0chan3 (rx) +for DMA transfers +atmel_spi: probe of f0000000.spi failed with error -22 + +Commit 0a919ae49223 ("spi: Don't call spi_get_gpio_descs() before device name is set") +moved the calling of spi_get_gpio_descs() after ctrl->dev is set, +but didn't move the !ctrl->num_chipselect check. When there are +chip selects in the device tree, the spi-atmel driver lets the +SPI core discover them when registering the SPI master. +The ctrl->num_chipselect is thus expected to be set by +spi_get_gpio_descs(). + +Move the !ctlr->num_chipselect after spi_get_gpio_descs() as it was +before the aforementioned commit. While touching this block, get rid +of the explicit comparison with 0 and update the commenting style. 
+ +Fixes: 0a919ae49223 ("spi: Don't call spi_get_gpio_descs() before device name is set") +Signed-off-by: Tudor Ambarus +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index a83fcddf1dad..7f6fb383d7a7 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2281,11 +2281,6 @@ int spi_register_controller(struct spi_controller *ctlr) + if (status) + return status; + +- /* even if it's just one always-selected device, there must +- * be at least one chipselect +- */ +- if (ctlr->num_chipselect == 0) +- return -EINVAL; + if (ctlr->bus_num >= 0) { + /* devices with a fixed bus num must check-in with the num */ + mutex_lock(&board_lock); +@@ -2356,6 +2351,13 @@ int spi_register_controller(struct spi_controller *ctlr) + } + } + ++ /* ++ * Even if it's just one always-selected device, there must ++ * be at least one chipselect. ++ */ ++ if (!ctlr->num_chipselect) ++ return -EINVAL; ++ + status = device_add(&ctlr->dev); + if (status < 0) { + /* free bus id */ +-- +2.20.1 + diff --git a/queue-5.1/spi-rockchip-turn-down-tx-dma-bursts.patch b/queue-5.1/spi-rockchip-turn-down-tx-dma-bursts.patch new file mode 100644 index 00000000000..e1a29d2d2ee --- /dev/null +++ b/queue-5.1/spi-rockchip-turn-down-tx-dma-bursts.patch 
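Review bot: The relocated `if (!ctlr->num_chipselect) return -EINVAL;` in spi_register_controller() now returns after the bus-number handling that begins in the first hunk, and it does so without the cleanup that the device_add() failure right below it performs (its context line reads `/* free bus id */`). If the bus id has been reserved by that point, this early return leaves it reserved for a controller that was never registered. The reservation itself is outside both hunks, so this is inferred from the visible context and should be confirmed against the full function. If it holds, set `status = -EINVAL` and take the same release path as the device_add() failure instead of returning directly.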
@@ -0,0 +1,58 @@ +From b83efd7597cc5632847b664cc28ea7c0eea9a31d Mon Sep 17 00:00:00 2001 +From: Emil Renner Berthing +Date: Fri, 12 Apr 2019 12:53:20 +0200 +Subject: spi: rockchip: turn down tx dma bursts + +[ Upstream commit 47300728fb213486a830565d2af49da967c9d16a ] + +This fixes tx and bi-directional dma transfers on rk3399-gru-kevin. + +It seems the SPI fifo must have room for 2 bursts when the dma_tx_req +signal is generated or it might skip some words. This in turn makes +the rx dma channel never complete for bi-directional transfers. + +Fix it by setting tx burst length to fifo_len / 4 and the dma +watermark to fifo_len / 2. + +However the rk3399 TRM says (sic): +"DMAC support incrementing-address burst and fixed-address burst. But in +the case of access SPI and UART at byte or halfword size, DMAC only +support fixed-address burst and the address must be aligned to word." + +So this relies on fifo_len being a multiple of 16 such that the +burst length (= fifo_len / 4) is a multiple of 4 and the addresses +will be word-aligned. 
+ +Fixes: dcfc861d24ec ("spi: rockchip: adjust dma watermark and burstlen") +Signed-off-by: Emil Renner Berthing +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rockchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c +index 3912526ead66..19f6a76f1c07 100644 +--- a/drivers/spi/spi-rockchip.c ++++ b/drivers/spi/spi-rockchip.c +@@ -425,7 +425,7 @@ static int rockchip_spi_prepare_dma(struct rockchip_spi *rs, + .direction = DMA_MEM_TO_DEV, + .dst_addr = rs->dma_addr_tx, + .dst_addr_width = rs->n_bytes, +- .dst_maxburst = rs->fifo_len / 2, ++ .dst_maxburst = rs->fifo_len / 4, + }; + + dmaengine_slave_config(master->dma_tx, &txconf); +@@ -526,7 +526,7 @@ static void rockchip_spi_config(struct rockchip_spi *rs, + else + writel_relaxed(rs->fifo_len / 2 - 1, rs->regs + ROCKCHIP_SPI_RXFTLR); + +- writel_relaxed(rs->fifo_len / 2 - 1, rs->regs + ROCKCHIP_SPI_DMATDLR); ++ writel_relaxed(rs->fifo_len / 2, rs->regs + ROCKCHIP_SPI_DMATDLR); + writel_relaxed(0, rs->regs + ROCKCHIP_SPI_DMARDLR); + writel_relaxed(dmacr, rs->regs + ROCKCHIP_SPI_DMACR); + +-- +2.20.1 + diff --git a/queue-5.1/timer_list-guard-procfs-specific-code.patch b/queue-5.1/timer_list-guard-procfs-specific-code.patch new file mode 100644 index 00000000000..09e334605e4 --- /dev/null +++ b/queue-5.1/timer_list-guard-procfs-specific-code.patch 
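Review bot: `.dst_maxburst = rs->fifo_len / 4` in rockchip_spi_prepare_dma() depends on fifo_len being a multiple of 16, which the commit message states but the code neither documents nor checks. A FIFO length that breaks the assumption would give a burst length that is not word-aligned, which the quoted TRM text says the DMAC does not support. At minimum the constraint belongs next to the assignment, e.g. `/* fifo_len must be a multiple of 16 so the burst length stays a multiple of 4 */`. The same applies to the second hunk, where the DMATDLR watermark becomes `rs->fifo_len / 2` while RXFTLR keeps `rs->fifo_len / 2 - 1`; a comment on why the two differ would help. Both functions start and end outside the hunks.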
@@ -0,0 +1,89 @@ +From a72132d0474c77834d47e38ac8ba10df27bd3f94 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Fri, 14 Jun 2019 11:16:04 -0700 +Subject: timer_list: Guard procfs specific code + +[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ] + +With CONFIG_PROC_FS=n the following warning is emitted: + +kernel/time/timer_list.c:361:36: warning: unused variable +'timer_list_sops' [-Wunused-const-variable] + static const struct seq_operations timer_list_sops = { + +Add #ifdef guard around procfs specific code. + +Signed-off-by: Nathan Huckleberry +Signed-off-by: Thomas Gleixner +Reviewed-by: Nick Desaulniers +Cc: john.stultz@linaro.org +Cc: sboyd@kernel.org +Cc: clang-built-linux@googlegroups.com +Link: https://github.com/ClangBuiltLinux/linux/issues/534 +Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com +Signed-off-by: Sasha Levin +--- + kernel/time/timer_list.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index 98ba50dcb1b2..acb326f5f50a 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -282,23 +282,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now) + SEQ_printf(m, "\n"); + } + +-static int timer_list_show(struct seq_file *m, void *v) +-{ +- struct timer_list_iter *iter = v; +- +- if (iter->cpu == -1 && !iter->second_pass) +- timer_list_header(m, iter->now); +- else if (!iter->second_pass) +- print_cpu(m, iter->cpu, iter->now); +-#ifdef CONFIG_GENERIC_CLOCKEVENTS +- else if (iter->cpu == -1 && iter->second_pass) +- timer_list_show_tickdevices_header(m); +- else +- print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu); +-#endif +- return 0; +-} +- + void sysrq_timer_list_show(void) + { + u64 now = ktime_to_ns(ktime_get()); +@@ -317,6 +300,24 @@ void sysrq_timer_list_show(void) + return; + } + ++#ifdef CONFIG_PROC_FS ++static int timer_list_show(struct 
seq_file *m, void *v) ++{ ++ struct timer_list_iter *iter = v; ++ ++ if (iter->cpu == -1 && !iter->second_pass) ++ timer_list_header(m, iter->now); ++ else if (!iter->second_pass) ++ print_cpu(m, iter->cpu, iter->now); ++#ifdef CONFIG_GENERIC_CLOCKEVENTS ++ else if (iter->cpu == -1 && iter->second_pass) ++ timer_list_show_tickdevices_header(m); ++ else ++ print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu); ++#endif ++ return 0; ++} ++ + static void *move_iter(struct timer_list_iter *iter, loff_t offset) + { + for (; offset; offset--) { +@@ -376,3 +377,4 @@ static int __init init_timer_list_procfs(void) + return 0; + } + __initcall(init_timer_list_procfs); ++#endif +-- +2.20.1 + diff --git a/queue-5.1/tools-bpftool-fix-json-dump-crash-on-powerpc.patch b/queue-5.1/tools-bpftool-fix-json-dump-crash-on-powerpc.patch new file mode 100644 index 00000000000..6dfb2c4b2d0 --- /dev/null +++ b/queue-5.1/tools-bpftool-fix-json-dump-crash-on-powerpc.patch 
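Review bot: The `#endif` added as the last line of timer_list.c closes an `#ifdef CONFIG_PROC_FS` opened roughly eighty lines earlier, and the guarded region contains its own `#ifdef CONFIG_GENERIC_CLOCKEVENTS` / `#endif` pair inside timer_list_show(). Labelling the closing line, `#endif /* CONFIG_PROC_FS */`, would make it clear which guard ends there. The guarded region between move_iter() and init_timer_list_procfs() is outside the hunks, so whether everything in it is procfs-only cannot be confirmed from here.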
@@ -0,0 +1,91 @@
+From bb49173852cfc550319dcc4e69bb8a03fb79a72b Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Fri, 5 Jul 2019 14:10:31 +0200
+Subject: tools: bpftool: Fix json dump crash on powerpc
+
+[ Upstream commit aa52bcbe0e72fac36b1862db08b9c09c4caefae3 ]
+
+Michael reported crash with by bpf program in json mode on powerpc:
+
+ # bpftool prog -p dump jited id 14
+ [{
+ "name": "0xd00000000a9aa760",
+ "insns": [{
+ "pc": "0x0",
+ "operation": "nop",
+ "operands": [null
+ ]
+ },{
+ "pc": "0x4",
+ "operation": "nop",
+ "operands": [null
+ ]
+ },{
+ "pc": "0x8",
+ "operation": "mflr",
+ Segmentation fault (core dumped)
+
+The code is assuming char pointers in format, which is not always
+true at least for powerpc. Fixing this by dumping the whole string
+into buffer based on its format.
+
+Please note that libopcodes code does not check return values from
+fprintf callback, but as per Jakub suggestion returning -1 on allocation
+failure so we do the best effort to propagate the error.
+
+Fixes: 107f041212c1 ("tools: bpftool: add JSON output for `bpftool prog dump jited *` command")
+Reported-by: Michael Petlan
+Signed-off-by: Jiri Olsa
+Reviewed-by: Quentin Monnet
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/jit_disasm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bpf/bpftool/jit_disasm.c b/tools/bpf/bpftool/jit_disasm.c
+index 3ef3093560ba..bfed711258ce 100644
+--- a/tools/bpf/bpftool/jit_disasm.c
++++ b/tools/bpf/bpftool/jit_disasm.c
+@@ -11,6 +11,8 @@
+ * Licensed under the GNU General Public License, version 2.0 (GPLv2)
+ */
+
++#define _GNU_SOURCE
++#include
+ #include
+ #include
+ #include
+@@ -44,11 +46,13 @@ static int fprintf_json(void *out, const char *fmt, ...)
+ char *s;
+
+ va_start(ap, fmt);
++ if (vasprintf(&s, fmt, ap) < 0)
++ return -1;
++ va_end(ap);
++
+ if (!oper_count) {
+ int i;
+
+- s = va_arg(ap, char *);
+-
+ /* Strip trailing spaces */
+ i = strlen(s) - 1;
+ while (s[i] == ' ')
+@@ -61,11 +65,10 @@ static int fprintf_json(void *out, const char *fmt, ...)
+ } else if (!strcmp(fmt, ",")) {
+ /* Skip */
+ } else {
+- s = va_arg(ap, char *);
+ jsonw_string(json_wtr, s);
+ oper_count++;
+ }
+- va_end(ap);
++ free(s);
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.1/tua6100-avoid-build-warnings.patch b/queue-5.1/tua6100-avoid-build-warnings.patch
new file mode 100644
index 00000000000..cb9dd8c591b
--- /dev/null
+++ b/queue-5.1/tua6100-avoid-build-warnings.patch
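Review bot: The early `return -1;` taken when `vasprintf()` fails in fprintf_json() skips `va_end(ap)`, leaving the `va_start()` unmatched on that path. Calling va_end before testing the result fixes it, with a local `int n`: `n = vasprintf(&s, fmt, ap); va_end(ap); if (n < 0) return -1;`. Separately, the unchanged context lines `i = strlen(s) - 1; while (s[i] == ' ')` now run on a heap buffer built from the whole format, and an empty or all-space result would make the loop index before the start of that allocation; `while (i >= 0 && s[i] == ' ')` bounds it. The function body starts before the first hunk shown.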
@@ -0,0 +1,94 @@ +From 99fb52ff9104ea13292ead59a512e8de7a446b1f Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 30 May 2019 11:36:15 -0700 +Subject: tua6100: Avoid build warnings. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ] + +Rename _P to _P_VAL and _R to _R_VAL to avoid global +namespace conflicts: + +drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’: +drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined + #define _P 32 + +In file included from ./include/acpi/platform/aclinux.h:54, + from ./include/acpi/platform/acenv.h:152, + from ./include/acpi/acpi.h:22, + from ./include/linux/acpi.h:34, + from ./include/linux/i2c.h:17, + from drivers/media/dvb-frontends/tua6100.h:30, + from drivers/media/dvb-frontends/tua6100.c:32: +./include/linux/ctype.h:14: note: this is the location of the previous definition + #define _P 0x10 /* punct */ + +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c +index b233b7be0b84..e6aaf4973aef 100644 +--- a/drivers/media/dvb-frontends/tua6100.c ++++ b/drivers/media/dvb-frontends/tua6100.c +@@ -75,8 +75,8 @@ static int tua6100_set_params(struct dvb_frontend *fe) + struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 }; + struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 }; + +-#define _R 4 +-#define _P 32 ++#define _R_VAL 4 ++#define _P_VAL 32 + #define _ri 4000000 + + // setup register 0 +@@ -91,14 +91,14 @@ static int tua6100_set_params(struct dvb_frontend *fe) + else + reg1[1] = 0x0c; + +- if (_P == 64) ++ if (_P_VAL == 64) + reg1[1] |= 0x40; + if (c->frequency >= 1525000) + reg1[1] |= 0x80; + + // register 2 +- reg2[1] = (_R >> 8) & 0x03; +- reg2[2] = _R; ++ reg2[1] = (_R_VAL >> 8) & 0x03; ++ reg2[2] = _R_VAL; + if (c->frequency < 1455000) + reg2[1] |= 0x1c; + else if (c->frequency < 1630000) +@@ -110,18 +110,18 @@ static int tua6100_set_params(struct dvb_frontend *fe) + * The N divisor ratio (note: c->frequency is in kHz, but we + * need it in Hz) + */ +- prediv = (c->frequency * _R) / (_ri / 1000); +- div = prediv / _P; ++ prediv = (c->frequency * _R_VAL) / (_ri / 1000); ++ div = prediv / _P_VAL; + reg1[1] |= (div >> 9) & 0x03; + reg1[2] = div >> 1; + reg1[3] = (div << 7); +- priv->frequency = ((div * _P) * (_ri / 1000)) / _R; ++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL; + + // Finally, calculate and store the value for A +- reg1[3] |= (prediv - (div*_P)) & 0x7f; ++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f; + +-#undef _R +-#undef _P ++#undef _R_VAL ++#undef _P_VAL + #undef _ri + + if (fe->ops.i2c_gate_ctrl) +-- +2.20.1 + 
diff --git a/queue-5.1/vhost_net-disable-zerocopy-by-default.patch b/queue-5.1/vhost_net-disable-zerocopy-by-default.patch
new file mode 100644
index 00000000000..4c0524afff3
--- /dev/null
+++ b/queue-5.1/vhost_net-disable-zerocopy-by-default.patch
@@ -0,0 +1,43 @@
+From 3312aa9f38a506024e4322e4e48e24e41669403a Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It cold be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index df51a35cf537..8beacbee2553 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -36,7 +36,7 @@
+
+ #include "vhost.h"
+
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+ " 1 -Enable; 0 - Disable");
+--
+2.20.1
+
diff --git a/queue-5.1/vxlan-do-not-destroy-fdb-if-register_netdevice-is-fa.patch b/queue-5.1/vxlan-do-not-destroy-fdb-if-register_netdevice-is-fa.patch
new file mode 100644
index 00000000000..ab9284f75f2
--- /dev/null
+++ b/queue-5.1/vxlan-do-not-destroy-fdb-if-register_netdevice-is-fa.patch
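Review bot: The `MODULE_PARM_DESC(experimental_zcopytx, ...)` text in the context lines still reads "1 -Enable; 0 - Disable" without saying which value is the default, so after this flip someone reading modinfo cannot tell that zero-copy TX is now off unless it is requested. Appending ` (default: 0)` to the description string would document the new behaviour where administrators look for it. The explicit `= 0` on a file-scope static is also redundant in kernel style and is normally flagged by checkpatch; `static int experimental_zcopytx;` is equivalent.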
@@ -0,0 +1,159 @@ +From 273216dfe7b7716d7cf2cef0ca94212281ba95e4 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 28 Jun 2019 14:07:25 +0900 +Subject: vxlan: do not destroy fdb if register_netdevice() is failed + +[ Upstream commit 7c31e54aeee517d1318dfc0bde9fa7de75893dc6 ] + +__vxlan_dev_create() destroys FDB using specific pointer which indicates +a fdb when error occurs. +But that pointer should not be used when register_netdevice() fails because +register_netdevice() internally destroys fdb when error occurs. + +This patch makes vxlan_fdb_create() to do not link fdb entry to vxlan dev +internally. +Instead, a new function vxlan_fdb_insert() is added to link fdb to vxlan +dev. + +vxlan_fdb_insert() is called after calling register_netdevice(). +This routine can avoid situation that ->ndo_uninit() destroys fdb entry +in error path of register_netdevice(). +Hence, error path of __vxlan_dev_create() routine can have an opportunity +to destroy default fdb entry by hand. + +Test command + ip link add bonding_masters type vxlan id 0 group 239.1.1.1 \ + dev enp0s9 dstport 4789 + +Splat looks like: +[ 213.392816] kasan: GPF could be caused by NULL-ptr deref or user memory access +[ 213.401257] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 213.402178] CPU: 0 PID: 1414 Comm: ip Not tainted 5.2.0-rc5+ #256 +[ 213.402178] RIP: 0010:vxlan_fdb_destroy+0x120/0x220 [vxlan] +[ 213.402178] Code: df 48 8b 2b 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 06 01 00 00 4c 8b 63 08 48 b8 00 00 00 00 00 fc d +[ 213.402178] RSP: 0018:ffff88810cb9f0a0 EFLAGS: 00010202 +[ 213.402178] RAX: dffffc0000000000 RBX: ffff888101d4a8c8 RCX: 0000000000000000 +[ 213.402178] RDX: 1bd5a00000000040 RSI: ffff888101d4a8c8 RDI: ffff888101d4a8d0 +[ 213.402178] RBP: 0000000000000000 R08: fffffbfff22b72d9 R09: 0000000000000000 +[ 213.402178] R10: 00000000ffffffef R11: 0000000000000000 R12: dead000000000200 +[ 213.402178] R13: ffff88810cb9f1f8 R14: ffff88810efccda0 R15: ffff88810efccda0 
+[ 213.402178] FS: 00007f7f6621a0c0(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000 +[ 213.402178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 213.402178] CR2: 000055746f0807d0 CR3: 00000001123e0000 CR4: 00000000001006f0 +[ 213.402178] Call Trace: +[ 213.402178] __vxlan_dev_create+0x3a9/0x7d0 [vxlan] +[ 213.402178] ? vxlan_changelink+0x740/0x740 [vxlan] +[ 213.402178] ? rcu_read_unlock+0x60/0x60 [vxlan] +[ 213.402178] ? __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 213.402178] vxlan_newlink+0x8d/0xc0 [vxlan] +[ 213.402178] ? __vxlan_dev_create+0x7d0/0x7d0 [vxlan] +[ 213.554119] ? __netlink_ns_capable+0xc3/0xf0 +[ 213.554119] __rtnl_newlink+0xb75/0x1180 +[ 213.554119] ? rtnl_link_unregister+0x230/0x230 +[ ... ] + +Fixes: 0241b836732f ("vxlan: fix default fdb entry netlink notify ordering during netdev create") +Suggested-by: Roopa Prabhu +Signed-off-by: Taehee Yoo +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 38ecb66fb3e9..82c25f07261f 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -806,6 +806,14 @@ static struct vxlan_fdb *vxlan_fdb_alloc(struct vxlan_dev *vxlan, + return f; + } + ++static void vxlan_fdb_insert(struct vxlan_dev *vxlan, const u8 *mac, ++ __be32 src_vni, struct vxlan_fdb *f) ++{ ++ ++vxlan->addrcnt; ++ hlist_add_head_rcu(&f->hlist, ++ vxlan_fdb_head(vxlan, mac, src_vni)); ++} ++ + static int vxlan_fdb_create(struct vxlan_dev *vxlan, + const u8 *mac, union vxlan_addr *ip, + __u16 state, __be16 port, __be32 src_vni, +@@ -831,18 +839,13 @@ static int vxlan_fdb_create(struct vxlan_dev *vxlan, + return rc; + } + +- ++vxlan->addrcnt; +- hlist_add_head_rcu(&f->hlist, +- vxlan_fdb_head(vxlan, mac, src_vni)); +- + *fdb = f; + + return 0; + } + +-static void vxlan_fdb_free(struct rcu_head *head) ++static void 
__vxlan_fdb_free(struct vxlan_fdb *f) + { +- struct vxlan_fdb *f = container_of(head, struct vxlan_fdb, rcu); + struct vxlan_rdst *rd, *nd; + + list_for_each_entry_safe(rd, nd, &f->remotes, list) { +@@ -852,6 +855,13 @@ static void vxlan_fdb_free(struct rcu_head *head) + kfree(f); + } + ++static void vxlan_fdb_free(struct rcu_head *head) ++{ ++ struct vxlan_fdb *f = container_of(head, struct vxlan_fdb, rcu); ++ ++ __vxlan_fdb_free(f); ++} ++ + static void vxlan_fdb_destroy(struct vxlan_dev *vxlan, struct vxlan_fdb *f, + bool do_notify, bool swdev_notify) + { +@@ -979,6 +989,7 @@ static int vxlan_fdb_update_create(struct vxlan_dev *vxlan, + if (rc < 0) + return rc; + ++ vxlan_fdb_insert(vxlan, mac, src_vni, f); + rc = vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f), RTM_NEWNEIGH, + swdev_notify, extack); + if (rc) +@@ -3573,12 +3584,17 @@ static int __vxlan_dev_create(struct net *net, struct net_device *dev, + if (err) + goto errout; + +- /* notify default fdb entry */ + if (f) { ++ vxlan_fdb_insert(vxlan, all_zeros_mac, ++ vxlan->default_dst.remote_vni, f); ++ ++ /* notify default fdb entry */ + err = vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f), + RTM_NEWNEIGH, true, extack); +- if (err) +- goto errout; ++ if (err) { ++ vxlan_fdb_destroy(vxlan, f, false, false); ++ goto unregister; ++ } + } + + list_add(&vxlan->next, &vn->vxlan_list); +@@ -3590,7 +3606,8 @@ static int __vxlan_dev_create(struct net *net, struct net_device *dev, + * destroy the entry by hand here. + */ + if (f) +- vxlan_fdb_destroy(vxlan, f, false, false); ++ __vxlan_fdb_free(f); ++unregister: + if (unregister) + unregister_netdevice(dev); + return err; +-- +2.20.1 + diff --git a/queue-5.1/wil6210-drop-old-event-after-wmi_call-timeout.patch b/queue-5.1/wil6210-drop-old-event-after-wmi_call-timeout.patch new file mode 100644 index 00000000000..f35542f5e32 --- /dev/null +++ b/queue-5.1/wil6210-drop-old-event-after-wmi_call-timeout.patch 
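Review bot: `__vxlan_fdb_free()` releases the entry and its remotes immediately, whereas `vxlan_fdb_free()` takes an rcu_head and is presumably run as an RCU callback, so the new helper is only safe on an entry that was never linked by `vxlan_fdb_insert()`; nothing in the code says so. A comment above it such as `/* only for entries not yet linked by vxlan_fdb_insert(); linked entries must go through vxlan_fdb_destroy() */` would protect the errout path of __vxlan_dev_create() against a later reordering that turns it into a use-after-free for concurrent readers. `vxlan_fdb_create()` also now hands back an unlinked entry, and the hunks show only vxlan_fdb_update_create() and __vxlan_dev_create() calling `vxlan_fdb_insert()` afterwards; any caller outside these hunks would leave its entry unlinked, so that contract deserves a line in a comment on vxlan_fdb_create() as well. The context comment ending "destroy the entry by hand here" starts outside the hunk and may need rewording now that the entry is not yet linked at errout.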
@@ -0,0 +1,56 @@ +From 76902f9940a6bb78a033a5421cbe58b4fb63b1fa Mon Sep 17 00:00:00 2001 +From: Ahmad Masri +Date: Sun, 16 Jun 2019 10:26:07 +0300 +Subject: wil6210: drop old event after wmi_call timeout + +[ Upstream commit 1a276003111c0404f6bfeffe924c5a21f482428b ] + +This change fixes a rare race condition of handling WMI events after +wmi_call expires. + +wmi_recv_cmd immediately handles an event when reply_buf is defined and +a wmi_call is waiting for the event. +However, in case the wmi_call has already timed-out, there will be no +waiting/running wmi_call and the event will be queued in WMI queue and +will be handled later in wmi_event_handle. +Meanwhile, a new similar wmi_call for the same command and event may +be issued. In this case, when handling the queued event we got WARN_ON +printed. + +Fixing this case as a valid timeout and drop the unexpected event. + +Signed-off-by: Ahmad Masri +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/wmi.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c +index 63116f4b62c7..de52e532c105 100644 +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -3211,7 +3211,18 @@ static void wmi_event_handle(struct wil6210_priv *wil, + /* check if someone waits for this event */ + if (wil->reply_id && wil->reply_id == id && + wil->reply_mid == mid) { +- WARN_ON(wil->reply_buf); ++ if (wil->reply_buf) { ++ /* event received while wmi_call is waiting ++ * with a buffer. Such event should be handled ++ * in wmi_recv_cmd function. Handling the event ++ * here means a previous wmi_call was timeout. ++ * Drop the event and do not handle it. ++ */ ++ wil_err(wil, ++ "Old event (%d, %s) while wmi_call is waiting. 
Drop it and Continue waiting\n", ++ id, eventid2name(id)); ++ return; ++ } + + wmi_evt_call_handler(vif, id, evt_data, + len - sizeof(*wmi)); +-- +2.20.1 + diff --git a/queue-5.1/wil6210-fix-missed-misc-mbox-interrupt.patch b/queue-5.1/wil6210-fix-missed-misc-mbox-interrupt.patch new file mode 100644 index 00000000000..cd4ad92cd1b --- /dev/null +++ b/queue-5.1/wil6210-fix-missed-misc-mbox-interrupt.patch 
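Review bot: The new `wil_err(wil, "Old event ...")` in wmi_event_handle() is not rate-limited, although it is triggered by events the firmware sends: every queued event that matches a pending wmi_call with a reply buffer produces an error-level log line. Using `wil_err_ratelimited(wil, ...)` with the same format and arguments, the helper this driver already uses for spurious IRQs, would bound the log volume. The early `return;` also skips whatever follows this `if` in the function, which is outside the hunk, so it is worth confirming that no per-event cleanup lives there.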
@@ -0,0 +1,43 @@
+From 153435e1e8af46280cea89d8d3bb9afb61566921 Mon Sep 17 00:00:00 2001
+From: Maya Erez
+Date: Fri, 26 Apr 2019 18:43:35 +0300
+Subject: wil6210: fix missed MISC mbox interrupt
+
+[ Upstream commit 7441be71ba7e07791fd4fa2b07c932dff14ff4d9 ]
+
+When MISC interrupt is triggered due to HALP bit, in parallel
+to mbox events handling by the MISC threaded IRQ, new mbox
+interrupt can be missed in the following scenario:
+1. MISC ICR is read in the IRQ handler
+2. Threaded IRQ is completed and all MISC interrupts are unmasked
+3. mbox interrupt is set by FW
+4. HALP is masked
+The mbox interrupt in step 3 can be missed due to constant high level
+of ICM.
+Masking all MISC IRQs instead of masking only HALP bit in step 4
+will guarantee that ICM will drop to 0 and interrupt will be triggered
+once MISC interrupts will be unmasked.
+
+Signed-off-by: Maya Erez
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c
+index 3f5bd177d55f..e41ba24011d8 100644
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -580,7 +580,7 @@ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ /* no need to handle HALP ICRs until next vote */
+ wil->halp.handle_icr = false;
+ wil_dbg_irq(wil, "irq_misc: HALP IRQ invoked\n");
+- wil6210_mask_halp(wil);
++ wil6210_mask_irq_misc(wil, true);
+ complete(&wil->halp.comp);
+ }
+ }
+--
+2.20.1
+
diff --git a/queue-5.1/wil6210-fix-potential-out-of-bounds-read.patch b/queue-5.1/wil6210-fix-potential-out-of-bounds-read.patch
new file mode 100644
index 00000000000..891a8300b87
--- /dev/null
+++ b/queue-5.1/wil6210-fix-potential-out-of-bounds-read.patch
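Review bot: The bare `true` in `wil6210_mask_irq_misc(wil, true);` carries the whole fix, yet the only comment nearby, "no need to handle HALP ICRs until next vote", still describes the old HALP-only masking. A comment on the call such as `/* mask all MISC IRQs, not only HALP, so ICM drops to 0 and a pending mbox IRQ re-triggers on unmask */` would record why the wider mask is needed. The meaning of the second argument is defined outside this hunk, so the wording should be checked against wil6210_mask_irq_misc() itself.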
@@ -0,0 +1,52 @@
+From f0ed5823cfcac3a37e7be264ab572a178bb82d37 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 15 Apr 2019 09:56:46 -0500
+Subject: wil6210: fix potential out-of-bounds read
+
+[ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ]
+
+Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:
+
+enum gro_result {
+ GRO_MERGED,
+ GRO_MERGED_FREE,
+ GRO_HELD,
+ GRO_NORMAL,
+ GRO_DROP,
+ GRO_CONSUMED,
+};
+typedef enum gro_result gro_result_t;
+
+In case *rc* evaluates to 5, we end up having an out-of-bounds read
+at drivers/net/wireless/ath/wil6210/txrx.c:821:
+
+ wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
+ len, gro_res_str[rc]);
+
+Fix this by adding element "GRO_CONSUMED" to array gro_res_str.
+
+Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
+Fixes: 194b482b5055 ("wil6210: Debug print GRO Rx result")
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Maya Erez
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
+index 4ccfd1404458..d74837cce67f 100644
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -750,6 +750,7 @@ void wil_netif_rx_any(struct sk_buff *skb, struct net_device *ndev)
+ [GRO_HELD] = "GRO_HELD",
+ [GRO_NORMAL] = "GRO_NORMAL",
+ [GRO_DROP] = "GRO_DROP",
++ [GRO_CONSUMED] = "GRO_CONSUMED",
+ };
+
+ wil->txrx_ops.get_netif_rx_params(skb, &cid, &security);
+--
+2.20.1
+
diff --git a/queue-5.1/wil6210-fix-spurious-interrupts-in-3-msi.patch b/queue-5.1/wil6210-fix-spurious-interrupts-in-3-msi.patch
new file mode 100644
index 00000000000..f0f263218a5
--- /dev/null
+++ b/queue-5.1/wil6210-fix-spurious-interrupts-in-3-msi.patch
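Review bot: Adding `[GRO_CONSUMED]` closes the current gap, but `gro_res_str[rc]` (quoted in the commit message; the indexing line is outside this hunk) remains an unchecked index into an array sized only by its initialisers, so the next value added to enum gro_result would reintroduce the same out-of-bounds read. Bounding the lookup, for example `rc < ARRAY_SIZE(gro_res_str) ? gro_res_str[rc] : "unknown"`, removes the need to keep the two lists in sync by hand. wil_netif_rx_any() starts before and continues after the hunk.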
@@ -0,0 +1,180 @@ +From 2459c6a9de863d08aa77c6cab30b35c49dab66a7 Mon Sep 17 00:00:00 2001 +From: Maya Erez +Date: Fri, 26 Apr 2019 18:43:29 +0300 +Subject: wil6210: fix spurious interrupts in 3-msi + +[ Upstream commit e10b0eddd5235aa5aef4e40b970e34e735611a80 ] + +Interrupt is set in ICM (ICR & ~IMV) rising trigger. +As the driver masks the IRQ after clearing it, there can +be a race where an additional spurious interrupt is triggered +when the driver unmask the IRQ. +This can happen in case HW triggers an interrupt after the clear +and before the mask. + +To prevent the second spurious interrupt the driver needs to mask the +IRQ before reading and clearing it. + +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/interrupt.c | 65 ++++++++++++-------- + 1 file changed, 40 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c +index e41ba24011d8..b00a13d6d530 100644 +--- a/drivers/net/wireless/ath/wil6210/interrupt.c ++++ b/drivers/net/wireless/ath/wil6210/interrupt.c +@@ -296,21 +296,24 @@ void wil_configure_interrupt_moderation(struct wil6210_priv *wil) + static irqreturn_t wil6210_irq_rx(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +- u32 isr = wil_ioread32_and_clear(wil->csr + +- HOSTADDR(RGF_DMA_EP_RX_ICR) + +- offsetof(struct RGF_ICR, ICR)); ++ u32 isr; + bool need_unmask = true; + ++ wil6210_mask_irq_rx(wil); ++ ++ isr = wil_ioread32_and_clear(wil->csr + ++ HOSTADDR(RGF_DMA_EP_RX_ICR) + ++ offsetof(struct RGF_ICR, ICR)); ++ + trace_wil6210_irq_rx(isr); + wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr); + + if (unlikely(!isr)) { + wil_err_ratelimited(wil, "spurious IRQ: RX\n"); ++ wil6210_unmask_irq_rx(wil); + return IRQ_NONE; + } + +- wil6210_mask_irq_rx(wil); +- + /* RX_DONE and RX_HTRSH interrupts are the same if interrupt + * moderation is not used. 
Interrupt moderation may cause RX + * buffer overflow while RX_DONE is delayed. The required +@@ -355,21 +358,24 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie) + static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +- u32 isr = wil_ioread32_and_clear(wil->csr + +- HOSTADDR(RGF_INT_GEN_RX_ICR) + +- offsetof(struct RGF_ICR, ICR)); ++ u32 isr; + bool need_unmask = true; + ++ wil6210_mask_irq_rx_edma(wil); ++ ++ isr = wil_ioread32_and_clear(wil->csr + ++ HOSTADDR(RGF_INT_GEN_RX_ICR) + ++ offsetof(struct RGF_ICR, ICR)); ++ + trace_wil6210_irq_rx(isr); + wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr); + + if (unlikely(!isr)) { + wil_err(wil, "spurious IRQ: RX\n"); ++ wil6210_unmask_irq_rx_edma(wil); + return IRQ_NONE; + } + +- wil6210_mask_irq_rx_edma(wil); +- + if (likely(isr & BIT_RX_STATUS_IRQ)) { + wil_dbg_irq(wil, "RX status ring\n"); + isr &= ~BIT_RX_STATUS_IRQ; +@@ -403,21 +409,24 @@ static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie) + static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +- u32 isr = wil_ioread32_and_clear(wil->csr + +- HOSTADDR(RGF_INT_GEN_TX_ICR) + +- offsetof(struct RGF_ICR, ICR)); ++ u32 isr; + bool need_unmask = true; + ++ wil6210_mask_irq_tx_edma(wil); ++ ++ isr = wil_ioread32_and_clear(wil->csr + ++ HOSTADDR(RGF_INT_GEN_TX_ICR) + ++ offsetof(struct RGF_ICR, ICR)); ++ + trace_wil6210_irq_tx(isr); + wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr); + + if (unlikely(!isr)) { + wil_err(wil, "spurious IRQ: TX\n"); ++ wil6210_unmask_irq_tx_edma(wil); + return IRQ_NONE; + } + +- wil6210_mask_irq_tx_edma(wil); +- + if (likely(isr & BIT_TX_STATUS_IRQ)) { + wil_dbg_irq(wil, "TX status ring\n"); + isr &= ~BIT_TX_STATUS_IRQ; +@@ -446,21 +455,24 @@ static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie) + static irqreturn_t wil6210_irq_tx(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +- u32 isr = 
wil_ioread32_and_clear(wil->csr + +- HOSTADDR(RGF_DMA_EP_TX_ICR) + +- offsetof(struct RGF_ICR, ICR)); ++ u32 isr; + bool need_unmask = true; + ++ wil6210_mask_irq_tx(wil); ++ ++ isr = wil_ioread32_and_clear(wil->csr + ++ HOSTADDR(RGF_DMA_EP_TX_ICR) + ++ offsetof(struct RGF_ICR, ICR)); ++ + trace_wil6210_irq_tx(isr); + wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr); + + if (unlikely(!isr)) { + wil_err_ratelimited(wil, "spurious IRQ: TX\n"); ++ wil6210_unmask_irq_tx(wil); + return IRQ_NONE; + } + +- wil6210_mask_irq_tx(wil); +- + if (likely(isr & BIT_DMA_EP_TX_ICR_TX_DONE)) { + wil_dbg_irq(wil, "TX done\n"); + isr &= ~BIT_DMA_EP_TX_ICR_TX_DONE; +@@ -532,20 +544,23 @@ static bool wil_validate_mbox_regs(struct wil6210_priv *wil) + static irqreturn_t wil6210_irq_misc(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +- u32 isr = wil_ioread32_and_clear(wil->csr + +- HOSTADDR(RGF_DMA_EP_MISC_ICR) + +- offsetof(struct RGF_ICR, ICR)); ++ u32 isr; ++ ++ wil6210_mask_irq_misc(wil, false); ++ ++ isr = wil_ioread32_and_clear(wil->csr + ++ HOSTADDR(RGF_DMA_EP_MISC_ICR) + ++ offsetof(struct RGF_ICR, ICR)); + + trace_wil6210_irq_misc(isr); + wil_dbg_irq(wil, "ISR MISC 0x%08x\n", isr); + + if (!isr) { + wil_err(wil, "spurious IRQ: MISC\n"); ++ wil6210_unmask_irq_misc(wil, false); + return IRQ_NONE; + } + +- wil6210_mask_irq_misc(wil, false); +- + if (isr & ISR_MISC_FW_ERROR) { + u32 fw_assert_code = wil_r(wil, wil->rgf_fw_assert_code_addr); + u32 ucode_assert_code = +-- +2.20.1 + diff --git a/queue-5.1/x86-atomic-fix-smp_mb__-before-after-_atomic.patch b/queue-5.1/x86-atomic-fix-smp_mb__-before-after-_atomic.patch new file mode 100644 index 00000000000..444a03dfed3 --- /dev/null +++ b/queue-5.1/x86-atomic-fix-smp_mb__-before-after-_atomic.patch 
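Review bot: All five handlers now rely on the mask call coming before `wil_ioread32_and_clear()`, but none of them says why, and the previous order looks just as plausible to a later reader. A one-line comment above each mask call, e.g. `/* mask first: an IRQ raised between clear and mask would fire again, spuriously, on unmask */`, would keep the ordering from being rearranged back. The same mask, read-and-clear, unmask-on-zero sequence is repeated in wil6210_irq_rx, wil6210_irq_rx_edma, wil6210_irq_tx_edma, wil6210_irq_tx and wil6210_irq_misc, so a shared helper would make it harder to forget the unmask on the `IRQ_NONE` path. Each handler continues outside its hunk.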
@@ -0,0 +1,164 @@ +From f27cc2bc73d19d5b15936307c2699bd7688e2732 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 24 Apr 2019 13:38:23 +0200 +Subject: x86/atomic: Fix smp_mb__{before,after}_atomic() + +[ Upstream commit 69d927bba39517d0980462efc051875b7f4db185 ] + +Recent probing at the Linux Kernel Memory Model uncovered a +'surprise'. Strongly ordered architectures where the atomic RmW +primitive implies full memory ordering and +smp_mb__{before,after}_atomic() are a simple barrier() (such as x86) +fail for: + + *x = 1; + atomic_inc(u); + smp_mb__after_atomic(); + r0 = *y; + +Because, while the atomic_inc() implies memory order, it +(surprisingly) does not provide a compiler barrier. This then allows +the compiler to re-order like so: + + atomic_inc(u); + *x = 1; + smp_mb__after_atomic(); + r0 = *y; + +Which the CPU is then allowed to re-order (under TSO rules) like: + + atomic_inc(u); + r0 = *y; + *x = 1; + +And this very much was not intended. Therefore strengthen the atomic +RmW ops to include a compiler barrier. + +NOTE: atomic_{or,and,xor} and the bitops already had the compiler +barrier. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + Documentation/atomic_t.txt | 3 +++ + arch/x86/include/asm/atomic.h | 8 ++++---- + arch/x86/include/asm/atomic64_64.h | 8 ++++---- + arch/x86/include/asm/barrier.h | 4 ++-- + 4 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/Documentation/atomic_t.txt b/Documentation/atomic_t.txt +index 913396ac5824..ed0d814df7e0 100644 +--- a/Documentation/atomic_t.txt ++++ b/Documentation/atomic_t.txt +@@ -177,6 +177,9 @@ These helper barriers exist because architectures have varying implicit + ordering on their SMP atomic primitives. For example our TSO architectures + provide full ordered atomics and these barriers are no-ops. 
+ ++NOTE: when the atomic RmW ops are fully ordered, they should also imply a ++compiler barrier. ++ + Thus: + + atomic_fetch_add(); +diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h +index ea3d95275b43..115127c7ad28 100644 +--- a/arch/x86/include/asm/atomic.h ++++ b/arch/x86/include/asm/atomic.h +@@ -54,7 +54,7 @@ static __always_inline void arch_atomic_add(int i, atomic_t *v) + { + asm volatile(LOCK_PREFIX "addl %1,%0" + : "+m" (v->counter) +- : "ir" (i)); ++ : "ir" (i) : "memory"); + } + + /** +@@ -68,7 +68,7 @@ static __always_inline void arch_atomic_sub(int i, atomic_t *v) + { + asm volatile(LOCK_PREFIX "subl %1,%0" + : "+m" (v->counter) +- : "ir" (i)); ++ : "ir" (i) : "memory"); + } + + /** +@@ -95,7 +95,7 @@ static __always_inline bool arch_atomic_sub_and_test(int i, atomic_t *v) + static __always_inline void arch_atomic_inc(atomic_t *v) + { + asm volatile(LOCK_PREFIX "incl %0" +- : "+m" (v->counter)); ++ : "+m" (v->counter) :: "memory"); + } + #define arch_atomic_inc arch_atomic_inc + +@@ -108,7 +108,7 @@ static __always_inline void arch_atomic_inc(atomic_t *v) + static __always_inline void arch_atomic_dec(atomic_t *v) + { + asm volatile(LOCK_PREFIX "decl %0" +- : "+m" (v->counter)); ++ : "+m" (v->counter) :: "memory"); + } + #define arch_atomic_dec arch_atomic_dec + +diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h +index dadc20adba21..5e86c0d68ac1 100644 +--- a/arch/x86/include/asm/atomic64_64.h ++++ b/arch/x86/include/asm/atomic64_64.h +@@ -45,7 +45,7 @@ static __always_inline void arch_atomic64_add(long i, atomic64_t *v) + { + asm volatile(LOCK_PREFIX "addq %1,%0" + : "=m" (v->counter) +- : "er" (i), "m" (v->counter)); ++ : "er" (i), "m" (v->counter) : "memory"); + } + + /** +@@ -59,7 +59,7 @@ static inline void arch_atomic64_sub(long i, atomic64_t *v) + { + asm volatile(LOCK_PREFIX "subq %1,%0" + : "=m" (v->counter) +- : "er" (i), "m" (v->counter)); ++ : "er" (i), "m" (v->counter) : 
"memory"); + } + + /** +@@ -87,7 +87,7 @@ static __always_inline void arch_atomic64_inc(atomic64_t *v) + { + asm volatile(LOCK_PREFIX "incq %0" + : "=m" (v->counter) +- : "m" (v->counter)); ++ : "m" (v->counter) : "memory"); + } + #define arch_atomic64_inc arch_atomic64_inc + +@@ -101,7 +101,7 @@ static __always_inline void arch_atomic64_dec(atomic64_t *v) + { + asm volatile(LOCK_PREFIX "decq %0" + : "=m" (v->counter) +- : "m" (v->counter)); ++ : "m" (v->counter) : "memory"); + } + #define arch_atomic64_dec arch_atomic64_dec + +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index 14de0432d288..84f848c2541a 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -80,8 +80,8 @@ do { \ + }) + + /* Atomic operations are already serializing on x86 */ +-#define __smp_mb__before_atomic() barrier() +-#define __smp_mb__after_atomic() barrier() ++#define __smp_mb__before_atomic() do { } while (0) ++#define __smp_mb__after_atomic() do { } while (0) + + #include + +-- +2.20.1 + diff --git a/queue-5.1/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch b/queue-5.1/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch new file mode 100644 index 00000000000..b175513b838 --- /dev/null +++ b/queue-5.1/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch 
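Review bot: With `__smp_mb__before_atomic()` and `__smp_mb__after_atomic()` reduced to `do { } while (0)` in barrier.h, ordering now rests entirely on every atomic RmW asm carrying a "memory" clobber, but the comment kept above the macros still says only "Atomic operations are already serializing on x86". Extending it, e.g. `/* Atomic RmW ops are serializing and carry a "memory" clobber, so no barrier() is needed here */`, would tell whoever adds the next arch_atomic_*() op that omitting the clobber silently breaks these barriers. The hunks cover add, sub, inc and dec in atomic.h and atomic64_64.h; the commit message says the or/and/xor ops and the bitops already had the clobber, which cannot be checked from the lines shown.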
@@ -0,0 +1,52 @@
+From e6da25892023edb12d9076480ca5b9132b132c56 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Thomas Gleixner
+Cc: "H. Peter Anvin"
+Cc: Borislav Petkov
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index d0dfb892c72f..aed45b8895d5 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -4,6 +4,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
+
++set -e
++
+ IN=$1
+ OUT=$2
+
+-- 
+2.20.1
+
diff --git a/queue-5.1/x86-cacheinfo-fix-a-wtype-limits-warning.patch b/queue-5.1/x86-cacheinfo-fix-a-wtype-limits-warning.patch
new file mode 100644
index 00000000000..6d385f3bd07
--- /dev/null
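Review bot: The added `set -e` does not by itself cover every failure the commit message describes, because in POSIX sh a pipeline reports only the status of its last command and commands tested in `if`, `&&` or `||` lists are exempt from errexit. The body of mkcapflags.sh lies outside this hunk, so whether the writes to `$OUT` sit behind a pipe cannot be checked from here; if they do, a failing earlier stage could still leave a truncated capflags.c with exit status 0. I would add a comment next to the new line, `# errexit does not see failures on the left side of a pipe; keep writers to $OUT out of pipelines`, or have the script write to a temporary file and rename it onto `$OUT` as its final step.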
+++ b/queue-5.1/x86-cacheinfo-fix-a-wtype-limits-warning.patch
@@ -0,0 +1,53 @@
+From 5a82bdb48f04ee83d08b0d82d057ebbda44b3c0d Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Wed, 19 Jun 2019 10:32:53 -0400
+Subject: x86/cacheinfo: Fix a -Wtype-limits warning
+
+[ Upstream commit 1b7aebf0487613033aff26420e32fa2076d52846 ]
+
+cpuinfo_x86.x86_model is an unsigned type, so comparing against zero
+will generate a compilation warning:
+
+ arch/x86/kernel/cpu/cacheinfo.c: In function 'cacheinfo_amd_init_llc_id':
+ arch/x86/kernel/cpu/cacheinfo.c:662:19: warning: comparison is always true \
+ due to limited range of data type [-Wtype-limits]
+
+Remove the unnecessary lower bound check.
+
+ [ bp: Massage. ]
+
+Fixes: 68091ee7ac3c ("x86/CPU/AMD: Calculate last level cache ID from number of sharing threads")
+Signed-off-by: Qian Cai
+Signed-off-by: Borislav Petkov
+Reviewed-by: Sean Christopherson
+Cc: "Gustavo A. R. Silva"
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Masami Hiramatsu
+Cc: Pu Wen
+Cc: Suravee Suthikulpanit
+Cc: Thomas Gleixner
+Cc: x86-ml
+Link: https://lkml.kernel.org/r/1560954773-11967-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/cacheinfo.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/cacheinfo.c b/arch/x86/kernel/cpu/cacheinfo.c
+index 395d46f78582..c7503be92f35 100644
+--- a/arch/x86/kernel/cpu/cacheinfo.c
++++ b/arch/x86/kernel/cpu/cacheinfo.c
+@@ -658,8 +658,7 @@ void cacheinfo_amd_init_llc_id(struct cpuinfo_x86 *c, int cpu, u8 node_id)
+ if (c->x86 < 0x17) {
+ /* LLC is at the node level. */
+ per_cpu(cpu_llc_id, cpu) = node_id;
+- } else if (c->x86 == 0x17 &&
+- c->x86_model >= 0 && c->x86_model <= 0x1F) {
++ } else if (c->x86 == 0x17 && c->x86_model <= 0x1F) {
+ /*
+ * LLC is at the core complex level.
+ * Core complex ID is ApicId[3] for these processors.
+-- 
+2.20.1
+
diff --git a/queue-5.1/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch b/queue-5.1/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch
new file mode 100644
index 00000000000..5f8b54389a0
--- /dev/null
+++ b/queue-5.1/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch
@@ -0,0 +1,47 @@
+From 8868de0e95df3bd619b0c7c8f893c85abd4d9377 Mon Sep 17 00:00:00 2001
+From: Rajneesh Bhardwaj
+Date: Thu, 6 Jun 2019 06:54:19 +0530
+Subject: x86/cpu: Add Ice Lake NNPI to Intel family
+
+[ Upstream commit e32d045cd4ba06b59878323e434bad010e78e658 ]
+
+Add the CPUID model number of Ice Lake Neural Network Processor for Deep
+Learning Inference (ICL-NNPI) to the Intel family list. Ice Lake NNPI uses
+model number 0x9D and this will be documented in a future version of Intel
+Software Development Manual.
+
+Signed-off-by: Rajneesh Bhardwaj
+Signed-off-by: Thomas Gleixner
+Cc: bp@suse.de
+Cc: Borislav Petkov
+Cc: Dave Hansen
+Cc: Andy Shevchenko
+Cc: "H. Peter Anvin"
+Cc: Kan Liang
+Cc: Peter Zijlstra
+Cc: platform-driver-x86@vger.kernel.org
+Cc: Qiuxu Zhuo
+Cc: Srinivas Pandruvada
+Cc: Len Brown
+Cc: Linux PM
+Link: https://lkml.kernel.org/r/20190606012419.13250-1-rajneesh.bhardwaj@linux.intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/intel-family.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index 310118805f57..f60ddd655c78 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -56,6 +56,7 @@
+ #define INTEL_FAM6_ICELAKE_XEON_D 0x6C
+ #define INTEL_FAM6_ICELAKE_DESKTOP 0x7D
+ #define INTEL_FAM6_ICELAKE_MOBILE 0x7E
++#define INTEL_FAM6_ICELAKE_NNPI 0x9D
+
+ /* "Small Core" Processors (Atom) */
+
+-- 
+2.20.1
+
diff --git a/queue-5.1/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch b/queue-5.1/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch
new file mode 100644
index 00000000000..a4fb47f8213
--- /dev/null
+++ b/queue-5.1/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch 
@@ -0,0 +1,60 @@
+From 9acdc34c89f4d6669e598980ba929d6274097781 Mon Sep 17 00:00:00 2001
+From: Aaron Lewis
+Date: Wed, 5 Jun 2019 15:02:52 -0700
+Subject: x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
+
+[ Upstream commit cbb99c0f588737ec98c333558922ce47e9a95827 ]
+
+Add the CPUID enumeration for Intel's de-feature bits to accommodate
+passing these de-features through to kvm guests.
+
+These de-features are (from SDM vol 1, section 8.1.8):
+ - X86_FEATURE_FDP_EXCPTN_ONLY: If CPUID.(EAX=07H,ECX=0H):EBX[bit 6] = 1, the
+ data pointer (FDP) is updated only for the x87 non-control instructions that
+ incur unmasked x87 exceptions.
+ - X86_FEATURE_ZERO_FCS_FDS: If CPUID.(EAX=07H,ECX=0H):EBX[bit 13] = 1, the
+ processor deprecates FCS and FDS; it saves each as 0000H.
+
+Signed-off-by: Aaron Lewis
+Signed-off-by: Borislav Petkov
+Reviewed-by: Jim Mattson
+Cc: Fenghua Yu
+Cc: Frederic Weisbecker
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Konrad Rzeszutek Wilk
+Cc: marcorr@google.com
+Cc: Peter Feiner
+Cc: pshier@google.com
+Cc: Robert Hoo
+Cc: Thomas Gleixner
+Cc: Thomas Lendacky
+Cc: x86-ml
+Link: https://lkml.kernel.org/r/20190605220252.103406-1-aaronlewis@google.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/cpufeatures.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 75f27ee2c263..1017b9c7dfe0 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -239,12 +239,14 @@
+ #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */
+ #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */
+ #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */
++#define X86_FEATURE_FDP_EXCPTN_ONLY ( 9*32+ 6) /* "" FPU data pointer updated only on x87 exceptions */
+ #define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */
+ #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */
+ #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB instructions */
+ #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */
+ #define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */
+ #define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */
++#define X86_FEATURE_ZERO_FCS_FDS ( 9*32+13) /* "" Zero out FPU CS and FPU DS */
+ #define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */
+ #define X86_FEATURE_RDT_A ( 9*32+15) /* Resource Director Technology Allocation */
+ #define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */
+-- 
+2.20.1
+
diff --git a/queue-5.1/xdp-fix-race-on-generic-receive-path.patch b/queue-5.1/xdp-fix-race-on-generic-receive-path.patch
new file mode 100644
index 00000000000..b65a4d47a69
--- /dev/null
+++ b/queue-5.1/xdp-fix-race-on-generic-receive-path.patch
@@ -0,0 +1,104 @@
+From 68064fbf83f2575ff9d52a47713df39e93054a69 Mon Sep 17 00:00:00 2001
+From: Ilya Maximets
+Date: Wed, 3 Jul 2019 15:09:16 +0300
+Subject: xdp: fix race on generic receive path
+
+[ Upstream commit bf0bdd1343efbbf65b4d53aef1fce14acbd79d50 ]
+
+Unlike driver mode, generic xdp receive could be triggered
+by different threads on different CPU cores at the same time
+leading to the fill and rx queue breakage. For example, this
+could happen while sending packets from two processes to the
+first interface of veth pair while the second part of it is
+open with AF_XDP socket.
+
+Need to take a lock for each generic receive to avoid race.
+
+Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support")
+Signed-off-by: Ilya Maximets
+Acked-by: Magnus Karlsson
+Tested-by: William Tu
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ include/net/xdp_sock.h | 2 ++
+ net/xdp/xsk.c | 31 ++++++++++++++++++++++---------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index d074b6d60f8a..ac3c047d058c 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -67,6 +67,8 @@ struct xdp_sock {
+ * in the SKB destructor callback.
+ */
+ spinlock_t tx_completion_lock;
++ /* Protects generic receive. */
++ spinlock_t rx_lock;
+ u64 rx_dropped;
+ };
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index a14e8864e4fa..5e0637db92ea 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -123,13 +123,17 @@ int xsk_generic_rcv(struct xdp_sock *xs, struct xdp_buff *xdp)
+ u64 addr;
+ int err;
+
+- if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+- return -EINVAL;
++ spin_lock_bh(&xs->rx_lock);
++
++ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+
+ if (!xskq_peek_addr(xs->umem->fq, &addr) ||
+ len > xs->umem->chunk_size_nohr - XDP_PACKET_HEADROOM) {
+- xs->rx_dropped++;
+- return -ENOSPC;
++ err = -ENOSPC;
++ goto out_drop;
+ }
+
+ addr += xs->umem->headroom;
+@@ -138,13 +142,21 @@ int xsk_generic_rcv(struct xdp_sock *xs, struct xdp_buff *xdp)
+ memcpy(buffer, xdp->data_meta, len + metalen);
+ addr += metalen;
+ err = xskq_produce_batch_desc(xs->rx, addr, len);
+- if (!err) {
+- xskq_discard_addr(xs->umem->fq);
+- xsk_flush(xs);
+- return 0;
+- }
++ if (err)
++ goto out_drop;
++
++ xskq_discard_addr(xs->umem->fq);
++ xskq_produce_flush_desc(xs->rx);
+
++ spin_unlock_bh(&xs->rx_lock);
++
++ xs->sk.sk_data_ready(&xs->sk);
++ return 0;
++
++out_drop:
+ xs->rx_dropped++;
++out_unlock:
++ spin_unlock_bh(&xs->rx_lock);
+ return err;
+ }
+
+@@ -765,6 +777,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol,
+
+ xs = xdp_sk(sk);
+ mutex_init(&xs->mutex);
++ spin_lock_init(&xs->rx_lock);
+ spin_lock_init(&xs->tx_completion_lock);
+
+ mutex_lock(&net->xdp.lock);
+-- 
+2.20.1
+
diff --git a/queue-5.1/xfrm-fix-sa-selector-validation.patch b/queue-5.1/xfrm-fix-sa-selector-validation.patch
new file mode 100644
index 00000000000..469cab8d9cb
--- /dev/null
+++ b/queue-5.1/xfrm-fix-sa-selector-validation.patch
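Review bot: The new `rx_lock` is a member of `struct xdp_sock`, yet the first queue `xsk_generic_rcv()` touches under it is `xs->umem->fq`, which hangs off the umem rather than the socket. If a umem can be attached to more than one socket (not visible in these hunks, to be confirmed), each socket would take its own `rx_lock` and the fill queue would still be consumed concurrently, so the per-socket lock would not cover the fq half of the breakage the commit message describes. The one-line comment should at least name what is covered, e.g. `/* Serialises xsk_generic_rcv(): rx ring producer, rx_dropped and this socket's use of umem->fq. */`, or the lock should live next to the fq. The declarations of `len` and `metalen` at the top of the function lie above the hunk.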
@@ -0,0 +1,42 @@
+From 5e2cae1706f578c2ac5432f23b374ca7854fc400 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+ mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+ 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta
+Signed-off-by: Nicolas Dichtel
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index ee91f939903e..6abf9625a401 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ }
+
+ switch (p->sel.family) {
++ case AF_UNSPEC:
++ break;
++
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+-- 
+2.20.1
+
diff --git a/queue-5.1/xfrm-fix-xfrm-sel-prefix-length-validation.patch b/queue-5.1/xfrm-fix-xfrm-sel-prefix-length-validation.patch
new file mode 100644
index 00000000000..e4df25106e9
--- /dev/null
+++ b/queue-5.1/xfrm-fix-xfrm-sel-prefix-length-validation.patch
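Review bot: The new `case AF_UNSPEC: break;` arm accepts `p->sel.prefixlen_d` and `p->sel.prefixlen_s` with no range check at all, while the `AF_INET` arm directly below caps both at 32. If code outside this hunk later fills an unset selector family in from `p->family` (to be confirmed in the state-construction path), those unchecked lengths would be used as prefix lengths for that family. Checking them against the SA family inside this arm closes the gap, for example `if (p->family == AF_INET && (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)) goto out;` with the matching 128 bound for AF_INET6; the command in the commit message passes no selector and would still be accepted. The rest of the switch and the `out` label are outside the hunk.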
@@ -0,0 +1,56 @@
+From 72f7d1a05d00da1cc1fca2c155e2bf059ffb62f2 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 6916931b1de1..ee91f939903e 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+
+ err = -EINVAL;
+ switch (p->family) {
++ case AF_INET:
++ break;
++
++ case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++ break;
++#else
++ err = -EAFNOSUPPORT;
++ goto out;
++#endif
++
++ default:
++ goto out;
++ }
++
++ switch (p->sel.family) {
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+-- 
+2.20.1
+
diff --git a/queue-5.1/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch b/queue-5.1/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch
new file mode 100644
index 00000000000..d3a6591fefc
--- /dev/null
+++ b/queue-5.1/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch
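Review bot: The two back-to-back switches in `verify_newsa_info()` carry no comment saying why the address family is examined twice, and that distinction is the whole point of the change: the first switch accepts or rejects the SA's own family, the second checks the prefix lengths against the selector's family. A short comment above each would keep a later cleanup from folding them back together, e.g. `/* SA (outer) address family */` above `switch (p->family)` and `/* the selector family may differ from the SA family */` above `switch (p->sel.family)`. Only the first arm of the second switch is inside the hunk, so its remaining cases cannot be reviewed here.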
@@ -0,0 +1,54 @@
+From 8845b16f86b6f784d0073b776c9193778772ffff Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 25 Jun 2019 11:23:52 -0700
+Subject: xsk: Properly terminate assignment in xskq_produce_flush_desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f7019b7b0ad14bde732b8953161994edfc384953 ]
+
+Clang warns:
+
+In file included from net/xdp/xsk_queue.c:10:
+net/xdp/xsk_queue.h:292:2: warning: expression result unused
+[-Wunused-value]
+ WRITE_ONCE(q->ring->producer, q->prod_tail);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+include/linux/compiler.h:284:6: note: expanded from macro 'WRITE_ONCE'
+ __u.__val; \
+ ~~~ ^~~~~
+1 warning generated.
+
+The q->prod_tail assignment has a comma at the end, not a semi-colon.
+Fix that so clang no longer warns and everything works as expected.
+
+Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support")
+Link: https://github.com/ClangBuiltLinux/linux/issues/544
+Signed-off-by: Nathan Chancellor
+Acked-by: Nick Desaulniers
+Acked-by: Jonathan Lemon
+Acked-by: Björn Töpel
+Acked-by: Song Liu
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ net/xdp/xsk_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
+index 610c0bdc0c2b..cd333701f4bf 100644
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -240,7 +240,7 @@ static inline void xskq_produce_flush_desc(struct xsk_queue *q)
+ /* Order producer and data */
+ smp_wmb();
+
+- q->prod_tail = q->prod_head,
++ q->prod_tail = q->prod_head;
+ WRITE_ONCE(q->ring->producer, q->prod_tail);
+ }
+
+-- 
+2.20.1
+