From: Greg Kroah-Hartman Date: Thu, 18 Apr 2019 15:56:27 +0000 (+0200) Subject: 5.0-stable patches X-Git-Tag: v4.9.170~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38151dad9e464880c087ecc74068168e82d02a9a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.0-stable patches added patches: ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch --- diff --git a/queue-5.0/bpf-fix-use-after-free-in-bpf_evict_inode.patch b/queue-5.0/bpf-fix-use-after-free-in-bpf_evict_inode.patch index 51387759d56..396ef2c01ea 100644 --- a/queue-5.0/bpf-fix-use-after-free-in-bpf_evict_inode.patch +++ b/queue-5.0/bpf-fix-use-after-free-in-bpf_evict_inode.patch @@ -115,14 +115,12 @@ Acked-by: Al Viro Link: https://lore.kernel.org/lkml/0000000000006946d2057bbd0eef@google.com/T/ Signed-off-by: Sasha Levin (Microsoft) --- - kernel/bpf/inode.c | 32 ++++++++++++++++++-------------- + kernel/bpf/inode.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) -diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c -index 2ada5e21dfa6..4a8f390a2b82 100644 --- a/kernel/bpf/inode.c +++ b/kernel/bpf/inode.c -@@ -554,19 +554,6 @@ struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type typ +@@ -554,19 +554,6 @@ struct bpf_prog *bpf_prog_get_type_path( } EXPORT_SYMBOL(bpf_prog_get_type_path); @@ -142,7 +140,7 @@ index 2ada5e21dfa6..4a8f390a2b82 100644 /* * Display the mount options in /proc/mounts. */ -@@ -579,11 +566,28 @@ static int bpf_show_options(struct seq_file *m, struct dentry *root) +@@ -579,11 +566,28 @@ static int bpf_show_options(struct seq_f return 0; } @@ -172,6 +170,3 @@ index 2ada5e21dfa6..4a8f390a2b82 100644 }; enum { --- -2.19.1 - diff --git a/queue-5.0/ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch b/queue-5.0/ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch new file mode 100644 index 00000000000..5d56dc4dcb2 --- /dev/null 
+++ b/queue-5.0/ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch 
@@ -0,0 +1,62 @@
+From 662d66466637862ef955f7f6e78a286d8cf0ebef Mon Sep 17 00:00:00 2001
+From: Kaike Wan
+Date: Mon, 18 Mar 2019 09:55:19 -0700
+Subject: IB/hfi1: Failed to drain send queue when QP is put into error state
+
+From: Kaike Wan
+
+commit 662d66466637862ef955f7f6e78a286d8cf0ebef upstream.
+
+When a QP is put into error state, all pending requests in the send work
+queue should be drained. The following sequence of events could lead to a
+failure, causing a request to hang:
+
+(1) The QP builds a packet and tries to send through SDMA engine.
+ However, PIO engine is still busy. Consequently, this packet is put on
+ the QP's tx list and the QP is put on the PIO waiting list. The field
+ qp->s_flags is set with HFI1_S_WAIT_PIO_DRAIN;
+
+(2) The QP is put into error state by the user application and
+ notify_error_qp() is called, which removes the QP from the PIO waiting
+ list and the packet from the QP's tx list. In addition, qp->s_flags is
+ cleared of RVT_S_ANY_WAIT_IO bits, which does not include
+ HFI1_S_WAIT_PIO_DRAIN bit;
+
+(3) The hfi1_schdule_send() function is called to drain the QP's send
+ queue. Subsequently, hfi1_do_send() is called. Since the flag bit
+ HFI1_S_WAIT_PIO_DRAIN is set in qp->s_flags, hfi1_send_ok() fails. As
+ a result, hfi1_do_send() bails out without draining any request from
+ the send queue;
+
+(4) The PIO engine completes the sending and tries to wake up any QP on
+ its waiting list. But the QP has been removed from the PIO waiting
+ list and therefore is kept in sleep forever.
+
+The fix is to clear qp->s_flags of HFI1_S_ANY_WAIT_IO bits in step (2).
+HFI1_S_ANY_WAIT_IO includes RVT_S_ANY_WAIT_IO and HFI1_S_WAIT_PIO_DRAIN.
+
+Fixes: 2e2ba09e48b7 ("IB/rdmavt, IB/hfi1: Create device dependent s_flags")
+Cc: # 4.19.x+
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Alex Estrin
+Signed-off-by: Kaike Wan
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/infiniband/hw/hfi1/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/qp.c
++++ b/drivers/infiniband/hw/hfi1/qp.c
+@@ -833,7 +833,7 @@ void notify_error_qp(struct rvt_qp *qp)
+ write_seqlock(lock);
+ if (!list_empty(&priv->s_iowait.list) &&
+ !(qp->s_flags & RVT_S_BUSY)) {
+- qp->s_flags &= ~RVT_S_ANY_WAIT_IO;
++ qp->s_flags &= ~HFI1_S_ANY_WAIT_IO;
+ list_del_init(&priv->s_iowait.list);
+ priv->s_iowait.lock = NULL;
+ rvt_put_qp(qp);
diff --git a/queue-5.0/series b/queue-5.0/series
index eda872403bb..56ae054abc4 100644
--- a/queue-5.0/series
+++ b/queue-5.0/series
@@ -90,3 +90,4 @@ f2fs-fix-to-use-kvfree-instead-of-kzfree.patch
 f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch
 include-linux-swap.h-use-offsetof-instead-of-custom-.patch
 bpf-fix-use-after-free-in-bpf_evict_inode.patch
+ib-hfi1-failed-to-drain-send-queue-when-qp-is-put-into-error-state.patch
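Review bot: The mask change in the notify_error_qp() hunk of the added ib-hfi1 patch has no comment saying why the driver-specific mask is required, so a later cleanup could switch back to `RVT_S_ANY_WAIT_IO` and bring the hang back. I would add above the assignment: `/* HFI1_S_ANY_WAIT_IO also clears HFI1_S_WAIT_PIO_DRAIN; if it stays set, hfi1_send_ok() fails and the send queue is never drained */`. The description says the error state is entered by the user application, so the stuck queue looks reachable from userspace and is worth tracking as an availability issue. Any other site in the driver that still clears only `RVT_S_ANY_WAIT_IO` is not visible on this page and may deserve the same check. The body of notify_error_qp() starts and ends outside the quoted hunk.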