From: Greg Kroah-Hartman
Date: Thu, 13 Feb 2020 01:28:38 +0000 (-0800)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.214~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19455b61da491d6347e7dd0e750cfb690d496109;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
nfs-nfs_swap-should-depend-on-swap.patch
nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
nfsv4-try-lease-recovery-on-nfs4err_expired.patch
pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
pci-switchtec-fix-vep_vector_number-ioread-width.patch
rdma-core-fix-locking-in-ib_uverbs_event_read.patch
rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
rdma-uverbs-verify-mr-access-flags.patch
scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
---
diff --git a/queue-4.19/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch b/queue-4.19/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
new file mode 100644
index 00000000000..6b94011b49f
--- /dev/null
+++ b/queue-4.19/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
@@ -0,0 +1,69 @@
+From d239380196c4e27a26fa4bea73d2bf994c14ec2d Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Thu, 19 Dec 2019 13:15:38 +0000
+Subject: ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
+
+From: Bryan O'Donoghue
+
+commit d239380196c4e27a26fa4bea73d2bf994c14ec2d upstream.
+
+ath10k_pci_dump_memory_reg() will try to access memory of type
+ATH10K_MEM_REGION_TYPE_IOREG however, if a hardware restart is in progress
+this can crash a system.
+
+Individual ioread32() time has been observed to jump from 15-20 ticks to >
+80k ticks followed by a secure-watchdog bite and a system reset.
+
+Work around this corner case by only issuing the read transaction when the
+driver state is ATH10K_STATE_ON.
+
+Tested-on: QCA9988 PCI 10.4-3.9.0.2-00044
+
+Fixes: 219cc084c6706 ("ath10k: add memory dump support QCA9984")
+Signed-off-by: Bryan O'Donoghue
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1613,11 +1613,22 @@ static int ath10k_pci_dump_memory_reg(st
+ {
+ struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
+ u32 i;
++ int ret;
++
++ mutex_lock(&ar->conf_mutex);
++ if (ar->state != ATH10K_STATE_ON) {
++ ath10k_warn(ar, "Skipping pci_dump_memory_reg invalid state\n");
++ ret = -EIO;
++ goto done;
++ }
+
+ for (i = 0; i < region->len; i += 4)
+ *(u32 *)(buf + i) = ioread32(ar_pci->mem + region->start + i);
+
+- return region->len;
++ ret = region->len;
++done:
++ mutex_unlock(&ar->conf_mutex);
++ return ret;
+ }
+
+ /* if an error happened returns < 0, otherwise the length */
+@@ -1713,7 +1724,11 @@ static void ath10k_pci_dump_memory(struc
+ count = ath10k_pci_dump_memory_sram(ar, current_region, buf);
+ break;
+ case ATH10K_MEM_REGION_TYPE_IOREG:
+- count = ath10k_pci_dump_memory_reg(ar, current_region, buf);
++ ret = ath10k_pci_dump_memory_reg(ar, current_region, buf);
++ if (ret < 0)
++ break;
++
++ count = ret;
+ break;
+ default:
+ ret = ath10k_pci_dump_memory_generic(ar, current_region, buf);
diff --git a/queue-4.19/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch b/queue-4.19/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
new file mode 100644
index 00000000000..57c2a1a63f8
--- /dev/null
+++ b/queue-4.19/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
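Review bot: On the skip path in ath10k_pci_dump_memory(), the new `if (ret < 0) break;` only leaves the switch, so `count` keeps whatever value it held before the IOREG case; how the code after the switch uses `count` and `ret` is outside this hunk and should be checked so that a skipped region is not recorded with a stale length. In ath10k_pci_dump_memory_reg(), `ret = region->len;` stores the region length in an `int` that the caller treats as negative-on-error, so a comment next to the assignment such as `/* region->len is assumed to fit in int; negative values mean error */` would document the contract. The read loop also runs with `ar->conf_mutex` held for the whole region, which deserves a one-line note on why the lock must cover the reads and not only the state check. Both function bodies continue outside the hunk.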
@@ -0,0 +1,78 @@
+From eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Wed, 15 Jan 2020 10:50:50 +0200
+Subject: IB/mlx4: Fix memory leak in add_gid error flow
+
+From: Jack Morgenstein
+
+commit eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa upstream.
+
+In procedure mlx4_ib_add_gid(), if the driver is unable to update the FW
+gid table, there is a memory leak in the driver's copy of the gid table:
+the gid entry's context buffer is not freed.
+
+If such an error occurs, free the entry's context buffer, and mark the
+entry as available (by setting its context pointer to NULL).
+
+Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks")
+Link: https://lore.kernel.org/r/20200115085050.73746-1-leon@kernel.org
+Signed-off-by: Jack Morgenstein
+Reviewed-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/main.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -246,6 +246,13 @@ static int mlx4_ib_update_gids(struct gi
+ return mlx4_ib_update_gids_v1(gids, ibdev, port_num);
+ }
+
++static void free_gid_entry(struct gid_entry *entry)
++{
++ memset(&entry->gid, 0, sizeof(entry->gid));
++ kfree(entry->ctx);
++ entry->ctx = NULL;
++}
++
+ static int mlx4_ib_add_gid(const struct ib_gid_attr *attr, void **context)
+ {
+ struct mlx4_ib_dev *ibdev = to_mdev(attr->device);
+@@ -306,6 +313,8 @@ static int mlx4_ib_add_gid(const struct
+ GFP_ATOMIC);
+ if (!gids) {
+ ret = -ENOMEM;
++ *context = NULL;
++ free_gid_entry(&port_gid_table->gids[free]);
+ } else {
+ for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) {
+ memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid));
+@@ -317,6 +326,12 @@ static int mlx4_ib_add_gid(const struct
+
+ if (!ret && hw_update) {
+ ret = mlx4_ib_update_gids(gids, ibdev, attr->port_num);
++ if (ret) {
++ spin_lock_bh(&iboe->lock);
++ *context = NULL;
++ free_gid_entry(&port_gid_table->gids[free]);
++ spin_unlock_bh(&iboe->lock);
++ }
+ kfree(gids);
+ }
+
+@@ -346,10 +361,7 @@ static int mlx4_ib_del_gid(const struct
+ if (!ctx->refcount) {
+ unsigned int real_index = ctx->real_index;
+
+- memset(&port_gid_table->gids[real_index].gid, 0,
+- sizeof(port_gid_table->gids[real_index].gid));
+- kfree(port_gid_table->gids[real_index].ctx);
+- port_gid_table->gids[real_index].ctx = NULL;
++ free_gid_entry(&port_gid_table->gids[real_index]);
+ hw_update = 1;
+ }
+ }
diff --git a/queue-4.19/nfs-nfs_swap-should-depend-on-swap.patch b/queue-4.19/nfs-nfs_swap-should-depend-on-swap.patch
new file mode 100644
index 00000000000..eaf582ee341
--- /dev/null
+++ b/queue-4.19/nfs-nfs_swap-should-depend-on-swap.patch
@@ -0,0 +1,38 @@
+From 474c4f306eefbb21b67ebd1de802d005c7d7ecdc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 30 Dec 2019 16:32:38 +0100
+Subject: nfs: NFS_SWAP should depend on SWAP
+
+From: Geert Uytterhoeven
+
+commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.
+
+If CONFIG_SWAP=n, it does not make much sense to offer the user the
+option to enable support for swapping over NFS, as that will still fail
+at run time:
+
+ # swapon /swap
+ swapon: /swap: swapon failed: Function not implemented
+
+Fix this by adding a dependency on CONFIG_SWAP.
+
+Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -89,7 +89,7 @@ config NFS_V4
+ config NFS_SWAP
+ bool "Provide swap over NFS support"
+ default n
+- depends on NFS_FS
++ depends on NFS_FS && SWAP
+ select SUNRPC_SWAP
+ help
+ This option enables swapon to work on files located on NFS mounts.
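Review bot: The rollback added after mlx4_ib_update_gids() fails frees `port_gid_table->gids[free].ctx` unconditionally, yet `iboe->lock` is taken afresh just for the rollback, which suggests the entry was visible to other callers while the firmware update ran. If another caller can match that entry and take a reference on its context in that window (the lookup and refcount code are outside this hunk), its pointer would dangle after `free_gid_entry()`. Either confirm that callers are serialised at a higher level and say so above the rollback, e.g. `/* entry cannot have gained users: <serialising lock> is held by the caller */`, or test the context's refcount under the lock before freeing. mlx4_ib_add_gid() starts and ends outside the hunks shown.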
diff --git a/queue-4.19/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch b/queue-4.19/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
new file mode 100644
index 00000000000..b14dc1d6537
--- /dev/null
+++ b/queue-4.19/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
@@ -0,0 +1,118 @@
+From 221203ce6406273cf00e5c6397257d986c003ee6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 6 Jan 2020 15:25:04 -0500
+Subject: NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
+
+From: Trond Myklebust
+
+commit 221203ce6406273cf00e5c6397257d986c003ee6 upstream.
+
+Instead of making assumptions about the commit verifier contents, change
+the commit code to ensure we always check that the verifier was set
+by the XDR code.
+
+Fixes: f54bcf2ecee9 ("pnfs: Prepare for flexfiles by pulling out common code")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/direct.c | 4 ++--
+ fs/nfs/nfs3xdr.c | 5 ++++-
+ fs/nfs/nfs4xdr.c | 5 ++++-
+ fs/nfs/pnfs_nfs.c | 7 +++----
+ fs/nfs/write.c | 4 +++-
+ 5 files changed, 16 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -261,10 +261,10 @@ static int nfs_direct_cmp_commit_data_ve
+ data->ds_commit_index);
+
+ /* verifier not set so always fail */
+- if (verfp->committed < 0)
++ if (verfp->committed < 0 || data->res.verf->committed <= NFS_UNSTABLE)
+ return 1;
+
+- return nfs_direct_cmp_verf(verfp, &data->verf);
++ return nfs_direct_cmp_verf(verfp, data->res.verf);
+ }
+
+ /**
+--- a/fs/nfs/nfs3xdr.c
++++ b/fs/nfs/nfs3xdr.c
+@@ -2380,6 +2380,7 @@ static int nfs3_xdr_dec_commit3res(struc
+ void *data)
+ {
+ struct nfs_commitres *result = data;
++ struct nfs_writeverf *verf = result->verf;
+ enum nfs_stat status;
+ int error;
+
+@@ -2392,7 +2393,9 @@ static int nfs3_xdr_dec_commit3res(struc
+ result->op_status = status;
+ if (status != NFS3_OK)
+ goto out_status;
+- error = decode_writeverf3(xdr, &result->verf->verifier);
++ error = decode_writeverf3(xdr, &verf->verifier);
++ if (!error)
++ verf->committed = NFS_FILE_SYNC;
+ out:
+ return error;
+ out_status:
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4439,11 +4439,14 @@ static int decode_write_verifier(struct
+
+ static int decode_commit(struct xdr_stream *xdr, struct nfs_commitres *res)
+ {
++ struct nfs_writeverf *verf = res->verf;
+ int status;
+
+ status = decode_op_hdr(xdr, OP_COMMIT);
+ if (!status)
+- status = decode_write_verifier(xdr, &res->verf->verifier);
++ status = decode_write_verifier(xdr, &verf->verifier);
++ if (!status)
++ verf->committed = NFS_FILE_SYNC;
+ return status;
+ }
+
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -30,12 +30,11 @@ EXPORT_SYMBOL_GPL(pnfs_generic_rw_releas
+ /* Fake up some data that will cause nfs_commit_release to retry the writes. */
+ void pnfs_generic_prepare_to_resend_writes(struct nfs_commit_data *data)
+ {
+- struct nfs_page *first = nfs_list_entry(data->pages.next);
++ struct nfs_writeverf *verf = data->res.verf;
+
+ data->task.tk_status = 0;
+- memcpy(&data->verf.verifier, &first->wb_verf,
+- sizeof(data->verf.verifier));
+- data->verf.verifier.data[0]++; /* ensure verifier mismatch */
++ memset(&verf->verifier, 0, sizeof(verf->verifier));
++ verf->committed = NFS_UNSTABLE;
+ }
+ EXPORT_SYMBOL_GPL(pnfs_generic_prepare_to_resend_writes);
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1814,6 +1814,7 @@ static void nfs_commit_done(struct rpc_t
+
+ static void nfs_commit_release_pages(struct nfs_commit_data *data)
+ {
++ const struct nfs_writeverf *verf = data->res.verf;
+ struct nfs_page *req;
+ int status = data->task.tk_status;
+ struct nfs_commit_info cinfo;
+@@ -1840,7 +1841,8 @@ static void nfs_commit_release_pages(str
+
+ /* Okay, COMMIT succeeded, apparently. Check the verifier
+ * returned by the server against all stored verfs. */
+- if (!nfs_write_verifier_cmp(&req->wb_verf, &data->verf.verifier)) {
++ if (verf->committed > NFS_UNSTABLE &&
++ !nfs_write_verifier_cmp(&req->wb_verf, &verf->verifier)) {
+ /* We have a match */
+ if (req->wb_page)
+ nfs_inode_remove_request(req);
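Review bot: `verf->committed` now doubles as the flag for whether the verifier was decoded, yet the visible decoders only ever raise it: nfs3_xdr_dec_commit3res() and decode_commit() set `NFS_FILE_SYNC` on success and leave the field untouched on failure. The checks in nfs_direct_cmp_commit_data_verf() and nfs_commit_release_pages() are therefore only sound if every `data->res.verf` starts out at or below `NFS_UNSTABLE` before the COMMIT is sent, and that initialisation is not part of this patch. A comment at the two decoders, e.g. `/* committed keeps its pre-call value on error; callers treat <= NFS_UNSTABLE as "verifier not set" */`, would record the invariant. The backport should also confirm that `data->res.verf` cannot be NULL on these paths in 4.19, since the new dereferences are unconditional.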
diff --git a/queue-4.19/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch b/queue-4.19/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
new file mode 100644
index 00000000000..c003545a7d2
--- /dev/null
+++ b/queue-4.19/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
@@ -0,0 +1,40 @@
+From 0df68ced55443243951d02cc497be31fadf28173 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 6 Jan 2020 15:25:00 -0500
+Subject: NFS: Revalidate the file size on a fatal write error
+
+From: Trond Myklebust
+
+commit 0df68ced55443243951d02cc497be31fadf28173 upstream.
+
+If we suffer a fatal error upon writing a file, which causes us to
+need to revalidate the entire mapping, then we should also revalidate
+the file size.
+
+Fixes: d2ceb7e57086 ("NFS: Don't use page_file_mapping after removing the page")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -240,7 +240,15 @@ out:
+ /* A writeback failed: mark the page as bad, and invalidate the page cache */
+ static void nfs_set_pageerror(struct address_space *mapping)
+ {
++ struct inode *inode = mapping->host;
++
+ nfs_zap_mapping(mapping->host, mapping);
++ /* Force file size revalidation */
++ spin_lock(&inode->i_lock);
++ NFS_I(inode)->cache_validity |= NFS_INO_REVAL_FORCED |
++ NFS_INO_REVAL_PAGECACHE |
++ NFS_INO_INVALID_SIZE;
++ spin_unlock(&inode->i_lock);
+ }
+
+ /*
diff --git a/queue-4.19/nfsv4-try-lease-recovery-on-nfs4err_expired.patch b/queue-4.19/nfsv4-try-lease-recovery-on-nfs4err_expired.patch
new file mode 100644
index 00000000000..28798db39a8
--- /dev/null
+++ b/queue-4.19/nfsv4-try-lease-recovery-on-nfs4err_expired.patch
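Review bot: nfs_set_pageerror() introduces the local `inode` but the unchanged call still spells it `mapping->host`; `nfs_zap_mapping(inode, mapping);` would keep the function consistent. The header comment above the function still says only that the page is marked bad and the page cache invalidated, so it should be extended to mention that the cached file size is now forced to revalidate as well.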
@@ -0,0 +1,36 @@
+From 924491f2e476f7234d722b24171a4daff61bbe13 Mon Sep 17 00:00:00 2001
+From: Robert Milkowski
+Date: Tue, 28 Jan 2020 08:37:47 +0000
+Subject: NFSv4: try lease recovery on NFS4ERR_EXPIRED
+
+From: Robert Milkowski
+
+commit 924491f2e476f7234d722b24171a4daff61bbe13 upstream.
+
+Currently, if an nfs server returns NFS4ERR_EXPIRED to open(),
+we return EIO to applications without even trying to recover.
+
+Fixes: 272289a3df72 ("NFSv4: nfs4_do_handle_exception() handle revoke/expiry of a single stateid")
+Signed-off-by: Robert Milkowski
+Reviewed-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3089,6 +3089,11 @@ static struct nfs4_state *nfs4_do_open(s
+ exception.retry = 1;
+ continue;
+ }
++ if (status == -NFS4ERR_EXPIRED) {
++ nfs4_schedule_lease_recovery(server->nfs_client);
++ exception.retry = 1;
++ continue;
++ }
+ if (status == -EAGAIN) {
+ /* We must have found a delegation */
+ exception.retry = 1;
diff --git a/queue-4.19/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch b/queue-4.19/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
new file mode 100644
index 00000000000..c86151d9dc0
--- /dev/null
+++ b/queue-4.19/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
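Review bot: The new `-NFS4ERR_EXPIRED` branch sets `exception.retry = 1` and continues straight after nfs4_schedule_lease_recovery(), with no wait or attempt limit visible in the hunk. If the server keeps answering NFS4ERR_EXPIRED, whether the loop backs off or terminates depends on the loop condition and other code in nfs4_do_open() outside this hunk, and that should be confirmed for the 4.19 tree. A short comment such as `/* lease expired: schedule recovery and retry the open */` would also match the neighbouring `-EAGAIN` branch, which explains why it retries.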
@@ -0,0 +1,111 @@
+From 9db8dc6d0785225c42a37be7b44d1b07b31b8957 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Wed, 8 Jan 2020 14:32:08 -0700
+Subject: PCI: Don't disable bridge BARs when assigning bus resources
+
+From: Logan Gunthorpe
+
+commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream.
+
+Some PCI bridges implement BARs in addition to bridge windows. For
+example, here's a PLX switch:
+
+ 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
+ Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
+ (prog-if 00 [Normal decode])
+ Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
+ Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
+ Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
+ I/O behind bridge: 00002000-00003fff
+ Memory behind bridge: 90000000-909fffff
+ Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff
+
+Previously, when the kernel assigned resource addresses (with the
+pci=realloc command line parameter, for example) it could clear the struct
+resource corresponding to the BAR. When this happened, lspci would report
+this BAR as "ignored":
+
+ Region 0: Memory at (32-bit, non-prefetchable) [size=256K]
+
+This is because the kernel reports a zero start address and zero flags
+in the corresponding sysfs resource file and in /proc/bus/pci/devices.
+Investigation with 'lspci -x', however, shows the BIOS-assigned address
+will still be programmed in the device's BAR registers.
+
+It's clearly a bug that the kernel lost track of the BAR value, but in most
+cases, this still won't result in a visible issue because nothing uses the
+memory, so nothing is affected. However, when an IOMMU is in use, it will
+not reserve this space in the IOVA because the kernel no longer thinks the
+range is valid. (See dmar_init_reserved_ranges() for the Intel
+implementation of this.)
+
+Without the proper reserved range, a DMA mapping may allocate an IOVA that
+matches a bridge BAR, which results in DMA accesses going to the BAR
+instead of the intended RAM.
+
+The problem was in pci_assign_unassigned_root_bus_resources(). When any
+resource from a bridge device fails to get assigned, the code set the
+resource's flags to zero. This makes sense for bridge windows, as they
+will be re-enabled later, but for regular BARs, it makes the kernel
+permanently lose track of the fact that they decode address space.
+
+Change pci_assign_unassigned_root_bus_resources() and
+pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
+for bridge *windows*, not bridge BARs.
+
+Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
+Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
+[bhelgaas: commit log, check for pci_is_bridge()]
+Reported-by: Kit Chow
+Signed-off-by: Logan Gunthorpe
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/setup-bus.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1820,12 +1820,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
+@@ -2066,12 +2072,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
diff --git a/queue-4.19/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch b/queue-4.19/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
new file mode 100644
index 00000000000..fa6833d36b2
--- /dev/null
+++ b/queue-4.19/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
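Review bot: The same bridge-window test is pasted into both `again:` loops, so the two copies can drift apart; a small static helper taking the device and the resource would keep them in step. `idx = res - &fail_res->dev->resource[0];` is only meaningful when `res` points into that device's `resource[]` array, which the code relies on but does not state, so a comment such as `/* res is always an element of dev->resource[] here */` would make the assumption explicit. Because the consequence described in the commit message is DMA landing on a bridge BAR, the comment should also say why flags are cleared for windows only. Both loops sit inside functions that start and end outside the hunks.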
@@ -0,0 +1,52 @@
+From 8c386cc817878588195dde38e919aa6ba9409d58 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Mon, 25 Nov 2019 13:52:52 -0600
+Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
+
+From: Navid Emamdoost
+
+commit 8c386cc817878588195dde38e919aa6ba9409d58 upstream.
+
+In the implementation of pci_iov_add_virtfn() the allocated virtfn is
+leaked if pci_setup_device() fails. The error handling is not calling
+pci_stop_and_remove_bus_device(). Change the goto label to failed2.
+
+Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()")
+Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/iov.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -188,10 +188,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+ sprintf(buf, "virtfn%u", id);
+ rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
+ if (rc)
+- goto failed2;
++ goto failed1;
+ rc = sysfs_create_link(&virtfn->dev.kobj, &dev->dev.kobj, "physfn");
+ if (rc)
+- goto failed3;
++ goto failed2;
+
+ kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
+
+@@ -199,11 +199,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+
+ return 0;
+
+-failed3:
+- sysfs_remove_link(&dev->dev.kobj, buf);
+ failed2:
+- pci_stop_and_remove_bus_device(virtfn);
++ sysfs_remove_link(&dev->dev.kobj, buf);
+ failed1:
++ pci_stop_and_remove_bus_device(virtfn);
+ pci_dev_put(dev);
+ failed0:
+ virtfn_remove_bus(dev->bus, bus);
diff --git a/queue-4.19/pci-switchtec-fix-vep_vector_number-ioread-width.patch b/queue-4.19/pci-switchtec-fix-vep_vector_number-ioread-width.patch
new file mode 100644
index 00000000000..f551f433a8c
--- /dev/null
+++ b/queue-4.19/pci-switchtec-fix-vep_vector_number-ioread-width.patch
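Review bot: After the renumbering, `failed1:` runs `pci_stop_and_remove_bus_device(virtfn)` before `pci_dev_put(dev)`, so every existing `goto failed1` earlier in pci_iov_add_virtfn() (outside this hunk, and per the description including the pci_setup_device() failure) now removes the device as well. Whether that call is safe for a `virtfn` that has not yet been added to the bus cannot be judged from the visible lines and should be confirmed against the 4.19 source before this is queued. The description says the goto label is changed to failed2, while the patch instead moves the cleanup between labels. Descriptive label names such as `err_remove_link:` and `err_remove_dev:` would make this kind of unwinding mistake easier to spot than numbered ones.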
@@ -0,0 +1,34 @@
+From 9375646b4cf03aee81bc6c305aa18cc80b682796 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Mon, 6 Jan 2020 12:03:27 -0700
+Subject: PCI/switchtec: Fix vep_vector_number ioread width
+
+From: Logan Gunthorpe
+
+commit 9375646b4cf03aee81bc6c305aa18cc80b682796 upstream.
+
+vep_vector_number is actually a 16 bit register which should be read with
+ioread16() instead of ioread32().
+
+Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver")
+Link: https://lore.kernel.org/r/20200106190337.2428-3-logang@deltatee.com
+Reported-by: Doug Meyer
+Signed-off-by: Logan Gunthorpe
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/switch/switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1186,7 +1186,7 @@ static int switchtec_init_isr(struct swi
+ if (nvecs < 0)
+ return nvecs;
+
+- event_irq = ioread32(&stdev->mmio_part_cfg->vep_vector_number);
++ event_irq = ioread16(&stdev->mmio_part_cfg->vep_vector_number);
+ if (event_irq < 0 || event_irq >= nvecs)
+ return -EFAULT;
+
diff --git a/queue-4.19/rdma-core-fix-locking-in-ib_uverbs_event_read.patch b/queue-4.19/rdma-core-fix-locking-in-ib_uverbs_event_read.patch
new file mode 100644
index 00000000000..222f7b00ae3
--- /dev/null
+++ b/queue-4.19/rdma-core-fix-locking-in-ib_uverbs_event_read.patch
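Review bot: With `ioread16()` the value read can no longer be negative, so the `event_irq < 0` half of the check on the next line looks dead unless `event_irq` is a narrow signed type (its declaration is outside the hunk). The upper bound `event_irq >= nvecs` is what actually guards the device-supplied vector index, and it is kept. Consider reducing the test to `if (event_irq >= nvecs)` or adding a comment that the lower bound is defensive only. switchtec_init_isr() continues outside the hunk.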
@@ -0,0 +1,110 @@
+From 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Wed, 8 Jan 2020 19:22:03 +0200
+Subject: RDMA/core: Fix locking in ib_uverbs_event_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Gunthorpe
+
+commit 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 upstream.
+
+This should not be using ib_dev to test for disassociation, during
+disassociation is_closed is set under lock and the waitq is triggered.
+
+Instead check is_closed and be sure to re-obtain the lock to test the
+value after the wait_event returns.
+
+Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
+Link: https://lore.kernel.org/r/1578504126-9400-12-git-send-email-yishaih@mellanox.com
+Signed-off-by: Yishai Hadas
+Reviewed-by: HÃ¥kon Bugge
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/uverbs_main.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -273,7 +273,6 @@ void ib_uverbs_release_file(struct kref
+ }
+
+ static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue,
+- struct ib_uverbs_file *uverbs_file,
+ struct file *filp, char __user *buf,
+ size_t count, loff_t *pos,
+ size_t eventsz)
+@@ -291,19 +290,16 @@ static ssize_t ib_uverbs_event_read(stru
+
+ if (wait_event_interruptible(ev_queue->poll_wait,
+ (!list_empty(&ev_queue->event_list) ||
+- /* The barriers built into wait_event_interruptible()
+- * and wake_up() guarentee this will see the null set
+- * without using RCU
+- */
+- !uverbs_file->device->ib_dev)))
++ ev_queue->is_closed)))
+ return -ERESTARTSYS;
+
++ spin_lock_irq(&ev_queue->lock);
++
+ /* If device was disassociated and no event exists set an error */
+- if (list_empty(&ev_queue->event_list) &&
+- !uverbs_file->device->ib_dev)
++ if (list_empty(&ev_queue->event_list) && ev_queue->is_closed) {
++ spin_unlock_irq(&ev_queue->lock);
+ return -EIO;
+-
+- spin_lock_irq(&ev_queue->lock);
++ }
+ }
+
+ event = list_entry(ev_queue->event_list.next, struct ib_uverbs_event, list);
+@@ -338,8 +334,7 @@ static ssize_t ib_uverbs_async_event_rea
+ {
+ struct ib_uverbs_async_event_file *file = filp->private_data;
+
+- return ib_uverbs_event_read(&file->ev_queue, file->uverbs_file, filp,
+- buf, count, pos,
++ return ib_uverbs_event_read(&file->ev_queue, filp, buf, count, pos,
+ sizeof(struct ib_uverbs_async_event_desc));
+ }
+
+@@ -349,9 +344,8 @@ static ssize_t ib_uverbs_comp_event_read
+ struct ib_uverbs_completion_event_file *comp_ev_file =
+ filp->private_data;
+
+- return ib_uverbs_event_read(&comp_ev_file->ev_queue,
+- comp_ev_file->uobj.ufile, filp,
+- buf, count, pos,
++ return ib_uverbs_event_read(&comp_ev_file->ev_queue, filp, buf, count,
++ pos,
+ sizeof(struct ib_uverbs_comp_event_desc));
+ }
+
+@@ -374,7 +368,9 @@ static __poll_t ib_uverbs_event_poll(str
+ static __poll_t ib_uverbs_async_event_poll(struct file *filp,
+ struct poll_table_struct *wait)
+ {
+- return ib_uverbs_event_poll(filp->private_data, filp, wait);
++ struct ib_uverbs_async_event_file *file = filp->private_data;
++
++ return ib_uverbs_event_poll(&file->ev_queue, filp, wait);
+ }
+
+ static __poll_t ib_uverbs_comp_event_poll(struct file *filp,
+@@ -388,9 +384,9 @@ static __poll_t ib_uverbs_comp_event_pol
+
+ static int ib_uverbs_async_event_fasync(int fd, struct file *filp, int on)
+ {
+- struct ib_uverbs_event_queue *ev_queue = filp->private_data;
++ struct ib_uverbs_async_event_file *file = filp->private_data;
+
+- return fasync_helper(fd, filp, on, &ev_queue->async_queue);
++ return fasync_helper(fd, filp, on, &file->ev_queue.async_queue);
+ }
+
+ static int ib_uverbs_comp_event_fasync(int fd, struct file *filp, int on)
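Review bot: `ev_queue->is_closed` is read without `ev_queue->lock` inside the wait_event_interruptible() condition, and the comment that used to justify the unlocked read was deleted together with the old `ib_dev` test. The re-check under the lock immediately afterwards makes this safe as far as the hunk shows, but a replacement comment, e.g. `/* unlocked peek; re-tested under ev_queue->lock below */`, would stop a later reader from treating it as a bug or copying the pattern without the re-check. The poll and fasync hunks also change what `filp->private_data` is interpreted as (`struct ib_uverbs_async_event_file *` rather than the queue itself), which is correct only if every file using these handlers stores that type; those assignments are outside the patch and should be checked in the 4.19 tree.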
diff --git a/queue-4.19/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch b/queue-4.19/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
new file mode 100644
index 00000000000..4cf3f291168
--- /dev/null
+++ b/queue-4.19/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
@@ -0,0 +1,80 @@
+From a242c36951ecd24bc16086940dbe6b522205c461 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?H=C3=A5kon=20Bugge?=
+Date: Mon, 16 Dec 2019 13:04:36 +0100
+Subject: RDMA/netlink: Do not always generate an ACK for some netlink operations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: HÃ¥kon Bugge
+
+commit a242c36951ecd24bc16086940dbe6b522205c461 upstream.
+
+In rdma_nl_rcv_skb(), the local variable err is assigned the return value
+of the supplied callback function, which could be one of
+ib_nl_handle_resolve_resp(), ib_nl_handle_set_timeout(), or
+ib_nl_handle_ip_res_resp(). These three functions all return skb->len on
+success.
+
+rdma_nl_rcv_skb() is merely a copy of netlink_rcv_skb(). The callback
+functions used by the latter have the convention: "Returns 0 on success or
+a negative error code".
+
+In particular, the statement (equal for both functions):
+
+ if (nlh->nlmsg_flags & NLM_F_ACK || err)
+
+implies that rdma_nl_rcv_skb() always will ack a message, independent of
+the NLM_F_ACK being set in nlmsg_flags or not.
+
+The fix could be to change the above statement, but it is better to keep
+the two *_rcv_skb() functions equal in this respect and instead change the
+three callback functions in the rdma subsystem to the correct convention.
+
+Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
+Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
+Link: https://lore.kernel.org/r/20191216120436.3204814-1-haakon.bugge@oracle.com
+Suggested-by: Mark Haywood
+Signed-off-by: HÃ¥kon Bugge
+Tested-by: Mark Haywood
+Reviewed-by: Leon Romanovsky
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/addr.c | 2 +-
+ drivers/infiniband/core/sa_query.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -136,7 +136,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
+ if (ib_nl_is_good_ip_resp(nlh))
+ ib_nl_process_good_ip_rsep(nlh);
+
+- return skb->len;
++ return 0;
+ }
+
+ static int ib_nl_ip_send_msg(struct rdma_dev_addr *dev_addr,
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -1078,7 +1078,7 @@ int ib_nl_handle_set_timeout(struct sk_b
+ }
+
+ settimeout_out:
+- return skb->len;
++ return 0;
+ }
+
+ static inline int ib_nl_is_good_resolve_resp(const struct nlmsghdr *nlh)
+@@ -1149,7 +1149,7 @@ int ib_nl_handle_resolve_resp(struct sk_
+ }
+
+ resp_out:
+- return skb->len;
++ return 0;
+ }
+
+ static void free_sm_ah(struct kref *kref)
diff --git a/queue-4.19/rdma-uverbs-verify-mr-access-flags.patch b/queue-4.19/rdma-uverbs-verify-mr-access-flags.patch
new file mode 100644
index 00000000000..ead788c14cb
--- /dev/null
+++ b/queue-4.19/rdma-uverbs-verify-mr-access-flags.patch
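Review bot: `settimeout_out:` and `resp_out:` are shared exit labels, so after this change any validation failure that jumps to them (the gotos are outside the hunks) is reported as success, `0`, exactly like a handled message. Under the convention the description adopts, 0 on success or a negative error code, a rejected message would normally return an errno so that the sender receives an error ACK. If dropping bad input silently is intended, a comment at the labels such as `/* malformed messages are dropped without an error ACK */` should say so; otherwise the failure paths need their own return value. All three handlers start outside the hunks shown.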
@@ -0,0 +1,35 @@
+From ca95c1411198c2d87217c19d44571052cdc94725 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik
+Date: Wed, 8 Jan 2020 20:05:35 +0200
+Subject: RDMA/uverbs: Verify MR access flags
+
+From: Michael Guralnik
+
+commit ca95c1411198c2d87217c19d44571052cdc94725 upstream.
+
+Verify that MR access flags that are passed from user are all supported
+ones, otherwise an error is returned.
+
+Fixes: 4fca03778351 ("IB/uverbs: Move ib_access_flags and ib_read_counters_flags to uapi")
+Link: https://lore.kernel.org/r/1578506740-22188-6-git-send-email-yishaih@mellanox.com
+Signed-off-by: Michael Guralnik
+Signed-off-by: Yishai Hadas
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/rdma/ib_verbs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -3864,6 +3864,9 @@ static inline int ib_check_mr_access(int
+ !(flags & IB_ACCESS_LOCAL_WRITE))
+ return -EINVAL;
+
++ if (flags & ~IB_ACCESS_SUPPORTED)
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-4.19/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch b/queue-4.19/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
new file mode 100644
index 00000000000..6a1f27aa628
--- /dev/null
+++ b/queue-4.19/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
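Review bot: The new `flags & ~IB_ACCESS_SUPPORTED` test depends on a mask whose definition is not part of this patch, so the backport is only correct if `IB_ACCESS_SUPPORTED` exists in the 4.19 tree and covers every access bit that in-kernel callers of ib_check_mr_access() legitimately pass. Since the description says these flags come from user space, a comment above the check such as `/* reject any bit outside the supported set */` would mark it as the input-validation gate it is. Placing it ahead of the remote-write test that begins above the hunk would also reject unknown bits before any individual bit is interpreted. The function starts outside the hunk.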
@@ -0,0 +1,39 @@
+From b9fc5320212efdfb4e08b825aaa007815fd11d16 Mon Sep 17 00:00:00 2001
+From: Bean Huo
+Date: Mon, 20 Jan 2020 14:08:13 +0100
+Subject: scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
+
+From: Bean Huo
+
+commit b9fc5320212efdfb4e08b825aaa007815fd11d16 upstream.
+
+A non-zero error value likely being returned by ufshcd_scsi_add_wlus() in
+case of failure of adding the WLs, but ufshcd_probe_hba() doesn't use this
+value, and doesn't report this failure to upper caller. This patch is to
+fix this issue.
+
+Fixes: 2a8fa600445c ("ufs: manually add well known logical units")
+Link: https://lore.kernel.org/r/20200120130820.1737-2-huobean@gmail.com
+Reviewed-by: Asutosh Das
+Reviewed-by: Alim Akhtar
+Reviewed-by: Stanley Chu
+Signed-off-by: Bean Huo
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ufs/ufshcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6685,7 +6685,8 @@ static int ufshcd_probe_hba(struct ufs_h
+ ufshcd_init_icc_levels(hba);
+
+ /* Add required well known logical units to scsi mid layer */
+- if (ufshcd_scsi_add_wlus(hba))
++ ret = ufshcd_scsi_add_wlus(hba);
++ if (ret)
+ goto out;
+
+ /* Initialize devfreq after UFS device is detected */
diff --git a/queue-4.19/series b/queue-4.19/series
index d9af5a4c81c..d6d04108ec7 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,15 @@
 asoc-pcm-update-fe-be-trigger-order-based-on-the-com.patch
 hv_sock-remove-the-accept-port-restriction.patch
+ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
+rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
+rdma-core-fix-locking-in-ib_uverbs_event_read.patch
+rdma-uverbs-verify-mr-access-flags.patch
+scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
+pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
+ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
+pci-switchtec-fix-vep_vector_number-ioread-width.patch
+pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
+nfs-nfs_swap-should-depend-on-swap.patch
+nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
+nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
+nfsv4-try-lease-recovery-on-nfs4err_expired.patch