From: Greg Kroah-Hartman Date: Thu, 18 Oct 2018 09:50:48 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.16~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59f43ba05058d3294fc009bbac0fc2d7bc6f0012;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: batman-adv-avoid-probe-elp-information-leak.patch batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch batman-adv-fix-segfault-when-writing-to-throughput_override.patch batman-adv-prevent-duplicated-gateway_node-entry.patch batman-adv-prevent-duplicated-global-tt-entry.patch batman-adv-prevent-duplicated-nc_node-entry.patch batman-adv-prevent-duplicated-softif_vlan-entry.patch batman-adv-prevent-duplicated-tvlv-handler.patch bpf-sockmap-fix-transition-through-disconnect-without-close.patch bpf-sockmap-only-allow-established-sock-state.patch bpf-test_maps-only-support-established-socks.patch clocksource-drivers-fttmr010-fix-set_next_event-handler.patch clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch cxgb4-fix-abort_req_rss6-struct.patch drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch input-atakbd-fix-atari-capslock-behaviour.patch input-atakbd-fix-atari-keymap.patch intel_th-pci-add-ice-lake-pch-support.patch iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch iommu-rockchip-free-irqs-in-shutdown-handler.patch media-af9035-prevent-buffer-overflow-on-write.patch net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch net-smc-fix-non-blocking-connect-problem.patch net-smc-fix-sizeof-to-int-comparison.patch pci-dwc-fix-scheduling-while-atomic-issues.patch pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch powerpc-tm-fix-userspace-r13-corruption.patch qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch ravb-do-not-write-1-to-reserved-bits.patch rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch rdma-uverbs-fix-validity-check-for-modify-qp.patch risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch scsi-sd-don-t-crash-the-host-on-invalid-commands.patch selftests-pmtu-properly-redirect-stderr-to-dev-null.patch soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch soundwire-fix-duplicate-stream-state-assignment.patch soundwire-fix-incorrect-exit-after-configuring-stream.patch spi-gpio-fix-copy-and-paste-error.patch x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch --- diff --git a/queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch b/queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch new file mode 100644 index 00000000000..be4c71928e3 --- /dev/null +++ b/queue-4.18/batman-adv-avoid-probe-elp-information-leak.patch @@ -0,0 +1,39 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Sven Eckelmann +Date: Fri, 31 Aug 2018 15:08:44 +0200 +Subject: batman-adv: Avoid probe ELP information leak + +From: Sven Eckelmann + +[ Upstream commit 88d0895d0ea9d4431507d576c963f2ff9918144d ] + +The probe ELPs for WiFi interfaces are expanded to contain at least +BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the +number of bytes which the template ELP packet requires. + +These extra padding bytes were not initialized and thus could contain data +which were previously stored at the same location. It is therefore required +to set it to some predefined or random values to avoid leaking private +information from the system transmitting these kind of packets. + +Fixes: e4623c913508 ("batman-adv: Avoid probe ELP information leak") +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -241,7 +241,7 @@ batadv_v_elp_wifi_neigh_probe(struct bat + * the packet to be exactly of that size to make the link + * throughput estimation effective. + */ +- skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len); ++ skb_put_zero(skb, probe_len - hard_iface->bat_v.elp_skb->len); + + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "Sending unicast (probe) ELP packet on interface %s to %pM\n", diff --git a/queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch b/queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch new file mode 100644 index 00000000000..d4fcc4770b5 --- /dev/null +++ b/queue-4.18/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Marek Lindner +Date: Fri, 7 Sep 2018 05:45:54 +0800 +Subject: batman-adv: fix backbone_gw refcount on queue_work() failure + +From: Marek Lindner + +[ Upstream commit 5af96b9c59c72fb2af2d19c5cc2f3cdcee391dff ] + +The backbone_gw refcounter is to be decreased by the queued work and +currently is never decreased if the queue_work() call fails. +Fix by checking the queue_work() return value and decrease refcount +if necessary. + +Signed-off-by: Marek Lindner +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1772,6 +1772,7 @@ batadv_bla_loopdetect_check(struct batad + { + struct batadv_bla_backbone_gw *backbone_gw; + struct ethhdr *ethhdr; ++ bool ret; + + ethhdr = eth_hdr(skb); + +@@ -1795,8 +1796,13 @@ batadv_bla_loopdetect_check(struct batad + if (unlikely(!backbone_gw)) + return true; + +- queue_work(batadv_event_workqueue, &backbone_gw->report_work); +- /* backbone_gw is unreferenced in the report work function function */ ++ ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work); ++ ++ /* backbone_gw is unreferenced in the report work function function ++ * if queue_work() call was successful ++ */ ++ if (!ret) ++ batadv_backbone_gw_put(backbone_gw); + + return true; + } diff --git a/queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch b/queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch new file mode 100644 index 00000000000..223fb856068 --- /dev/null +++ b/queue-4.18/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Marek Lindner +Date: Fri, 7 Sep 2018 05:45:55 +0800 +Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure + +From: Marek Lindner + +[ Upstream commit 4c4af6900844ab04c9434c972021d7b48610e06a ] + +The hardif_neigh refcounter is to be decreased by the queued work and +currently is never decreased if the queue_work() call fails. +Fix by checking the queue_work() return value and decrease refcount +if necessary. + +Signed-off-by: Marek Lindner +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -268,6 +268,7 @@ static void batadv_v_elp_periodic_work(s + struct batadv_priv *bat_priv; + struct sk_buff *skb; + u32 elp_interval; ++ bool ret; + + bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work); + hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v); +@@ -329,8 +330,11 @@ static void batadv_v_elp_periodic_work(s + * may sleep and that is not allowed in an rcu protected + * context. Therefore schedule a task for that. + */ +- queue_work(batadv_event_workqueue, +- &hardif_neigh->bat_v.metric_work); ++ ret = queue_work(batadv_event_workqueue, ++ &hardif_neigh->bat_v.metric_work); ++ ++ if (!ret) ++ batadv_hardif_neigh_put(hardif_neigh); + } + rcu_read_unlock(); + diff --git a/queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch b/queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch new file mode 100644 index 00000000000..6d524e4fa3c --- /dev/null +++ b/queue-4.18/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch @@ -0,0 +1,112 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Fri, 31 Aug 2018 16:56:29 +0200 +Subject: batman-adv: Fix segfault when writing to sysfs elp_interval + +From: Sven Eckelmann + +[ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ] + +The per hardif sysfs file "batman_adv/elp_interval" is using the generic +functions to store/show uint values. The helper __batadv_store_uint_attr +requires the softif net_device as parameter to print the resulting change +as info text when the users writes to this file. It uses the helper +function batadv_info to add it at the same time to the kernel ring buffer +and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled). + +The function batadv_info requires as first parameter the batman-adv softif +net_device. This parameter is then used to find the private buffer which +contains the debug log for this batman-adv interface. But +batadv_store_throughput_override used as first argument the slave +net_device. This slave device doesn't have the batadv_priv private data +which is access by batadv_info. + +Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead +to a segfault or to memory corruption. + +Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT") +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/net/batman-adv/sysfs.c ++++ b/net/batman-adv/sysfs.c +@@ -188,7 +188,8 @@ ssize_t batadv_store_##_name(struct kobj + \ + return __batadv_store_uint_attr(buff, count, _min, _max, \ + _post_func, attr, \ +- &bat_priv->_var, net_dev); \ ++ &bat_priv->_var, net_dev, \ ++ NULL); \ + } + + #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \ +@@ -262,7 +263,9 @@ ssize_t batadv_store_##_name(struct kobj + \ + length = __batadv_store_uint_attr(buff, count, _min, _max, \ + _post_func, attr, \ +- &hard_iface->_var, net_dev); \ ++ &hard_iface->_var, \ ++ hard_iface->soft_iface, \ ++ net_dev); \ + \ + batadv_hardif_put(hard_iface); \ + return length; \ +@@ -356,10 +359,12 @@ __batadv_store_bool_attr(char *buff, siz + + static int batadv_store_uint_attr(const char *buff, size_t count, + struct net_device *net_dev, ++ struct net_device *slave_dev, + const char *attr_name, + unsigned int min, unsigned int max, + atomic_t *attr) + { ++ char ifname[IFNAMSIZ + 3] = ""; + unsigned long uint_val; + int ret; + +@@ -385,8 +390,11 @@ static int batadv_store_uint_attr(const + if (atomic_read(attr) == uint_val) + return count; + +- batadv_info(net_dev, "%s: Changing from: %i to: %lu\n", +- attr_name, atomic_read(attr), uint_val); ++ if (slave_dev) ++ snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name); ++ ++ batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n", ++ attr_name, ifname, atomic_read(attr), uint_val); + + atomic_set(attr, uint_val); + return count; +@@ -397,12 +405,13 @@ static ssize_t __batadv_store_uint_attr( + void (*post_func)(struct net_device *), + const struct attribute *attr, + atomic_t *attr_store, +- struct net_device *net_dev) ++ struct net_device *net_dev, ++ struct net_device *slave_dev) + { + int ret; + +- ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max, +- attr_store); ++ ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev, ++ attr->name, min, max, attr_store); + if (post_func && ret) + post_func(net_dev); + +@@ -571,7 +580,7 @@ static ssize_t batadv_store_gw_sel_class + return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE, + batadv_post_gw_reselect, attr, + &bat_priv->gw.sel_class, +- bat_priv->soft_iface); ++ bat_priv->soft_iface, NULL); + } + + static ssize_t batadv_show_gw_bwidth(struct kobject *kobj, diff --git a/queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch b/queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch new file mode 100644 index 00000000000..8f6bc82a6b8 --- /dev/null +++ b/queue-4.18/batman-adv-fix-segfault-when-writing-to-throughput_override.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Sven Eckelmann +Date: Fri, 31 Aug 2018 16:46:47 +0200 +Subject: batman-adv: Fix segfault when writing to throughput_override + +From: Sven Eckelmann + +[ Upstream commit b9fd14c20871e6189f635e49b32d7789e430b3c8 ] + +The per hardif sysfs file "batman_adv/throughput_override" prints the +resulting change as info text when the users writes to this file. It uses +the helper function batadv_info to add it at the same time to the kernel +ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG +is enabled). + +The function batadv_info requires as first parameter the batman-adv softif +net_device. This parameter is then used to find the private buffer which +contains the debug log for this batman-adv interface. But +batadv_store_throughput_override used as first argument the slave +net_device. This slave device doesn't have the batadv_priv private data +which is access by batadv_info. + +Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead +to a segfault or to memory corruption. + +Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces") +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/sysfs.c ++++ b/net/batman-adv/sysfs.c +@@ -1090,8 +1090,9 @@ static ssize_t batadv_store_throughput_o + if (old_tp_override == tp_override) + goto out; + +- batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n", +- "throughput_override", ++ batadv_info(hard_iface->soft_iface, ++ "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n", ++ "throughput_override", net_dev->name, + old_tp_override / 10, old_tp_override % 10, + tp_override / 10, tp_override % 10); + diff --git a/queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch new file mode 100644 index 00000000000..479ba6cb5dc --- /dev/null +++ b/queue-4.18/batman-adv-prevent-duplicated-gateway_node-entry.patch @@ -0,0 +1,85 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Sun, 12 Aug 2018 21:04:41 +0200 +Subject: batman-adv: Prevent duplicated gateway_node entry + +From: Sven Eckelmann + +[ Upstream commit dff9bc42ab0b2d38c5e90ddd79b238fed5b4c7ad ] + +The function batadv_gw_node_add is responsible for adding new gw_node to +the gateway_list. It is expecting that the caller already checked that +there is not already an entry with the same key or not. + +But the lock for the list is only held when the list is really modified. +This could lead to duplicated entries because another context could create +an entry with the same key between the check and the list manipulation. + +The check and the manipulation of the list must therefore be in the same +locked code section. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/gateway_client.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -348,6 +349,9 @@ out: + * @bat_priv: the bat priv with all the soft interface information + * @orig_node: originator announcing gateway capabilities + * @gateway: announced bandwidth information ++ * ++ * Has to be called with the appropriate locks being acquired ++ * (gw.list_lock). + */ + static void batadv_gw_node_add(struct batadv_priv *bat_priv, + struct batadv_orig_node *orig_node, +@@ -355,6 +359,8 @@ static void batadv_gw_node_add(struct ba + { + struct batadv_gw_node *gw_node; + ++ lockdep_assert_held(&bat_priv->gw.list_lock); ++ + if (gateway->bandwidth_down == 0) + return; + +@@ -369,10 +375,8 @@ static void batadv_gw_node_add(struct ba + gw_node->bandwidth_down = ntohl(gateway->bandwidth_down); + gw_node->bandwidth_up = ntohl(gateway->bandwidth_up); + +- spin_lock_bh(&bat_priv->gw.list_lock); + kref_get(&gw_node->refcount); + hlist_add_head_rcu(&gw_node->list, &bat_priv->gw.gateway_list); +- spin_unlock_bh(&bat_priv->gw.list_lock); + + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "Found new gateway %pM -> gw bandwidth: %u.%u/%u.%u MBit\n", +@@ -428,11 +432,14 @@ void batadv_gw_node_update(struct batadv + { + struct batadv_gw_node *gw_node, *curr_gw = NULL; + ++ spin_lock_bh(&bat_priv->gw.list_lock); + gw_node = batadv_gw_node_get(bat_priv, orig_node); + if (!gw_node) { + batadv_gw_node_add(bat_priv, orig_node, gateway); ++ spin_unlock_bh(&bat_priv->gw.list_lock); + goto out; + } ++ spin_unlock_bh(&bat_priv->gw.list_lock); + + if (gw_node->bandwidth_down == ntohl(gateway->bandwidth_down) && + gw_node->bandwidth_up == ntohl(gateway->bandwidth_up)) diff --git a/queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch new file mode 100644 index 00000000000..032470ff14a --- /dev/null +++ b/queue-4.18/batman-adv-prevent-duplicated-global-tt-entry.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Sun, 12 Aug 2018 21:04:44 +0200 +Subject: batman-adv: Prevent duplicated global TT entry + +From: Sven Eckelmann + +[ Upstream commit e7136e48ffdfb9f37b0820f619380485eb407361 ] + +The function batadv_tt_global_orig_entry_add is responsible for adding new +tt_orig_list_entry to the orig_list. It first checks whether the entry +already is in the list or not. If it is, then the creation of a new entry +is aborted. + +But the lock for the list is only held when the list is really modified. +This could lead to duplicated entries because another context could create +an entry with the same key between the check and the list manipulation. + +The check and the manipulation of the list must therefore be in the same +locked code section. + +Fixes: d657e621a0f5 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/translation-table.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -1613,6 +1613,8 @@ batadv_tt_global_orig_entry_add(struct b + { + struct batadv_tt_orig_list_entry *orig_entry; + ++ spin_lock_bh(&tt_global->list_lock); ++ + orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node); + if (orig_entry) { + /* refresh the ttvn: the current value could be a bogus one that +@@ -1635,11 +1637,9 @@ batadv_tt_global_orig_entry_add(struct b + orig_entry->flags = flags; + kref_init(&orig_entry->refcount); + +- spin_lock_bh(&tt_global->list_lock); + kref_get(&orig_entry->refcount); + hlist_add_head_rcu(&orig_entry->list, + &tt_global->orig_list); +- spin_unlock_bh(&tt_global->list_lock); + atomic_inc(&tt_global->orig_list_count); + + sync_flags: +@@ -1647,6 +1647,8 @@ sync_flags: + out: + if (orig_entry) + batadv_tt_orig_list_entry_put(orig_entry); ++ ++ spin_unlock_bh(&tt_global->list_lock); + } + + /** diff --git a/queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch new file mode 100644 index 00000000000..02975d6e3c7 --- /dev/null +++ b/queue-4.18/batman-adv-prevent-duplicated-nc_node-entry.patch @@ -0,0 +1,88 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Sun, 12 Aug 2018 21:04:42 +0200 +Subject: batman-adv: Prevent duplicated nc_node entry + +From: Sven Eckelmann + +[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ] + +The function batadv_nc_get_nc_node is responsible for adding new nc_nodes +to the in_coding_list and out_coding_list. It first checks whether the +entry already is in the list or not. If it is, then the creation of a new +entry is aborted. + +But the lock for the list is only held when the list is really modified. +This could lead to duplicated entries because another context could create +an entry with the same key between the check and the list manipulation. + +The check and the manipulation of the list must therefore be in the same +locked code section. + +Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout") +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/network-coding.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -854,16 +854,27 @@ batadv_nc_get_nc_node(struct batadv_priv + spinlock_t *lock; /* Used to lock list selected by "int in_coding" */ + struct list_head *list; + ++ /* Select ingoing or outgoing coding node */ ++ if (in_coding) { ++ lock = &orig_neigh_node->in_coding_list_lock; ++ list = &orig_neigh_node->in_coding_list; ++ } else { ++ lock = &orig_neigh_node->out_coding_list_lock; ++ list = &orig_neigh_node->out_coding_list; ++ } ++ ++ spin_lock_bh(lock); ++ + /* Check if nc_node is already added */ + nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding); + + /* Node found */ + if (nc_node) +- return nc_node; ++ goto unlock; + + nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC); + if (!nc_node) +- return NULL; ++ goto unlock; + + /* Initialize nc_node */ + INIT_LIST_HEAD(&nc_node->list); +@@ -872,22 +883,14 @@ batadv_nc_get_nc_node(struct batadv_priv + kref_get(&orig_neigh_node->refcount); + nc_node->orig_node = orig_neigh_node; + +- /* Select ingoing or outgoing coding node */ +- if (in_coding) { +- lock = &orig_neigh_node->in_coding_list_lock; +- list = &orig_neigh_node->in_coding_list; +- } else { +- lock = &orig_neigh_node->out_coding_list_lock; +- list = &orig_neigh_node->out_coding_list; +- } +- + batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n", + nc_node->addr, nc_node->orig_node->orig); + + /* Add nc_node to orig_node */ +- spin_lock_bh(lock); + kref_get(&nc_node->refcount); + list_add_tail_rcu(&nc_node->list, list); ++ ++unlock: + spin_unlock_bh(lock); + + return nc_node; diff --git a/queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch b/queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch new file mode 100644 index 00000000000..58b34ad9323 --- /dev/null +++ b/queue-4.18/batman-adv-prevent-duplicated-softif_vlan-entry.patch @@ -0,0 +1,84 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Sun, 12 Aug 2018 21:04:43 +0200 +Subject: batman-adv: Prevent duplicated softif_vlan entry + +From: Sven Eckelmann + +[ Upstream commit 94cb82f594ed86be303398d6dfc7640a6f1d45d4 ] + +The function batadv_softif_vlan_get is responsible for adding new +softif_vlan to the softif_vlan_list. It first checks whether the entry +already is in the list or not. If it is, then the creation of a new entry +is aborted. + +But the lock for the list is only held when the list is really modified. +This could lead to duplicated entries because another context could create +an entry with the same key between the check and the list manipulation. + +The check and the manipulation of the list must therefore be in the same +locked code section. + +Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/soft-interface.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -574,15 +574,20 @@ int batadv_softif_create_vlan(struct bat + struct batadv_softif_vlan *vlan; + int err; + ++ spin_lock_bh(&bat_priv->softif_vlan_list_lock); ++ + vlan = batadv_softif_vlan_get(bat_priv, vid); + if (vlan) { + batadv_softif_vlan_put(vlan); ++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock); + return -EEXIST; + } + + vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC); +- if (!vlan) ++ if (!vlan) { ++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock); + return -ENOMEM; ++ } + + vlan->bat_priv = bat_priv; + vlan->vid = vid; +@@ -590,17 +595,23 @@ int batadv_softif_create_vlan(struct bat + + atomic_set(&vlan->ap_isolation, 0); + ++ kref_get(&vlan->refcount); ++ hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list); ++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock); ++ ++ /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the ++ * sleeping behavior of the sysfs functions and the fs_reclaim lock ++ */ + err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan); + if (err) { +- kfree(vlan); ++ /* ref for the function */ ++ batadv_softif_vlan_put(vlan); ++ ++ /* ref for the list */ ++ batadv_softif_vlan_put(vlan); + return err; + } + +- spin_lock_bh(&bat_priv->softif_vlan_list_lock); +- kref_get(&vlan->refcount); +- hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list); +- spin_unlock_bh(&bat_priv->softif_vlan_list_lock); +- + /* add a new TT local entry. This one will be marked with the NOPURGE + * flag + */ diff --git a/queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch b/queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch new file mode 100644 index 00000000000..a338d3028a1 --- /dev/null +++ b/queue-4.18/batman-adv-prevent-duplicated-tvlv-handler.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sven Eckelmann +Date: Sun, 12 Aug 2018 21:04:45 +0200 +Subject: batman-adv: Prevent duplicated tvlv handler + +From: Sven Eckelmann + +[ Upstream commit ae3cdc97dc10c7a3b31f297dab429bfb774c9ccb ] + +The function batadv_tvlv_handler_register is responsible for adding new +tvlv_handler to the handler_list. It first checks whether the entry +already is in the list or not. If it is, then the creation of a new entry +is aborted. + +But the lock for the list is only held when the list is really modified. +This could lead to duplicated entries because another context could create +an entry with the same key between the check and the list manipulation. + +The check and the manipulation of the list must therefore be in the same +locked code section. + +Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/tvlv.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/tvlv.c ++++ b/net/batman-adv/tvlv.c +@@ -529,15 +529,20 @@ void batadv_tvlv_handler_register(struct + { + struct batadv_tvlv_handler *tvlv_handler; + ++ spin_lock_bh(&bat_priv->tvlv.handler_list_lock); ++ + tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version); + if (tvlv_handler) { ++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); + batadv_tvlv_handler_put(tvlv_handler); + return; + } + + tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC); +- if (!tvlv_handler) ++ if (!tvlv_handler) { ++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); + return; ++ } + + tvlv_handler->ogm_handler = optr; + tvlv_handler->unicast_handler = uptr; +@@ -547,7 +552,6 @@ void batadv_tvlv_handler_register(struct + kref_init(&tvlv_handler->refcount); + INIT_HLIST_NODE(&tvlv_handler->list); + +- spin_lock_bh(&bat_priv->tvlv.handler_list_lock); + kref_get(&tvlv_handler->refcount); + hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list); + spin_unlock_bh(&bat_priv->tvlv.handler_list_lock); diff --git a/queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch b/queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch new file mode 100644 index 00000000000..865bc2cdd9c --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-transition-through-disconnect-without-close.patch @@ -0,0 +1,138 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: John Fastabend +Date: Tue, 18 Sep 2018 09:01:49 -0700 +Subject: bpf: sockmap, fix transition through disconnect without close + +From: John Fastabend + +[ Upstream commit b05545e15e1ff1d6a6a8593971275f9cc3e6b92b ] + +It is possible (via shutdown()) for TCP socks to go trough TCP_CLOSE +state via tcp_disconnect() without actually calling tcp_close which +would then call our bpf_tcp_close() callback. Because of this a user +could disconnect a socket then put it in a LISTEN state which would +break our assumptions about sockets always being ESTABLISHED state. + +To resolve this rely on the unhash hook, which is called in the +disconnect case, to remove the sock from the sockmap. + +Reported-by: Eric Dumazet +Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks") +Signed-off-by: John Fastabend +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 60 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 41 insertions(+), 19 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -132,6 +132,7 @@ struct smap_psock { + struct work_struct gc_work; + + struct proto *sk_proto; ++ void (*save_unhash)(struct sock *sk); + void (*save_close)(struct sock *sk, long timeout); + void (*save_data_ready)(struct sock *sk); + void (*save_write_space)(struct sock *sk); +@@ -143,6 +144,7 @@ static int bpf_tcp_recvmsg(struct sock * + static int bpf_tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); + static int bpf_tcp_sendpage(struct sock *sk, struct page *page, + int offset, size_t size, int flags); ++static void bpf_tcp_unhash(struct sock *sk); + static void bpf_tcp_close(struct sock *sk, long timeout); + + static inline struct smap_psock *smap_psock_sk(const struct sock *sk) +@@ -184,6 +186,7 @@ static void build_protos(struct proto pr + struct proto *base) + { + prot[SOCKMAP_BASE] = *base; ++ prot[SOCKMAP_BASE].unhash = bpf_tcp_unhash; + prot[SOCKMAP_BASE].close = bpf_tcp_close; + prot[SOCKMAP_BASE].recvmsg = bpf_tcp_recvmsg; + prot[SOCKMAP_BASE].stream_memory_read = bpf_tcp_stream_read; +@@ -217,6 +220,7 @@ static int bpf_tcp_init(struct sock *sk) + return -EBUSY; + } + ++ psock->save_unhash = sk->sk_prot->unhash; + psock->save_close = sk->sk_prot->close; + psock->sk_proto = sk->sk_prot; + +@@ -305,30 +309,12 @@ static struct smap_psock_map_entry *psoc + return e; + } + +-static void bpf_tcp_close(struct sock *sk, long timeout) ++static void bpf_tcp_remove(struct sock *sk, struct smap_psock *psock) + { +- void (*close_fun)(struct sock *sk, long timeout); + struct smap_psock_map_entry *e; + struct sk_msg_buff *md, *mtmp; +- struct smap_psock *psock; + struct sock *osk; + +- lock_sock(sk); +- rcu_read_lock(); +- psock = smap_psock_sk(sk); +- if (unlikely(!psock)) { +- rcu_read_unlock(); +- release_sock(sk); +- return sk->sk_prot->close(sk, timeout); +- } +- +- /* The psock may be destroyed anytime after exiting the RCU critial +- * section so by the time we use close_fun the psock may no longer +- * be valid. However, bpf_tcp_close is called with the sock lock +- * held so the close hook and sk are still valid. +- */ +- close_fun = psock->save_close; +- + if (psock->cork) { + free_start_sg(psock->sock, psock->cork, true); + kfree(psock->cork); +@@ -379,6 +365,42 @@ static void bpf_tcp_close(struct sock *s + kfree(e); + e = psock_map_pop(sk, psock); + } ++} ++ ++static void bpf_tcp_unhash(struct sock *sk) ++{ ++ void (*unhash_fun)(struct sock *sk); ++ struct smap_psock *psock; ++ ++ rcu_read_lock(); ++ psock = smap_psock_sk(sk); ++ if (unlikely(!psock)) { ++ rcu_read_unlock(); ++ if (sk->sk_prot->unhash) ++ sk->sk_prot->unhash(sk); ++ return; ++ } ++ unhash_fun = psock->save_unhash; ++ bpf_tcp_remove(sk, psock); ++ rcu_read_unlock(); ++ unhash_fun(sk); ++} ++ ++static void bpf_tcp_close(struct sock *sk, long timeout) ++{ ++ void (*close_fun)(struct sock *sk, long timeout); ++ struct smap_psock *psock; ++ ++ lock_sock(sk); ++ rcu_read_lock(); ++ psock = smap_psock_sk(sk); ++ if (unlikely(!psock)) { ++ rcu_read_unlock(); ++ release_sock(sk); ++ return sk->sk_prot->close(sk, timeout); ++ } ++ close_fun = psock->save_close; ++ bpf_tcp_remove(sk, psock); + rcu_read_unlock(); + release_sock(sk); + close_fun(sk, timeout); diff --git a/queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch b/queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch new file mode 100644 index 00000000000..c34e54f88a6 --- /dev/null +++ b/queue-4.18/bpf-sockmap-only-allow-established-sock-state.patch @@ -0,0 +1,95 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: John Fastabend +Date: Tue, 18 Sep 2018 09:01:44 -0700 +Subject: bpf: sockmap only allow ESTABLISHED sock state + +From: John Fastabend + +[ Upstream commit 5607fff303636d48b88414c6be353d9fed700af2 ] + +After this patch we only allow socks that are in ESTABLISHED state or +are being added via a sock_ops event that is transitioning into an +ESTABLISHED state. By allowing sock_ops events we allow users to +manage sockmaps directly from sock ops programs. The two supported +sock_ops ops are BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB and +BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB. + +Similar to TLS ULP this ensures sk_user_data is correct. + +Reported-by: Eric Dumazet +Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks") +Signed-off-by: John Fastabend +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -2100,8 +2100,12 @@ static int sock_map_update_elem(struct b + return -EINVAL; + } + ++ /* ULPs are currently supported only for TCP sockets in ESTABLISHED ++ * state. ++ */ + if (skops.sk->sk_type != SOCK_STREAM || +- skops.sk->sk_protocol != IPPROTO_TCP) { ++ skops.sk->sk_protocol != IPPROTO_TCP || ++ skops.sk->sk_state != TCP_ESTABLISHED) { + fput(socket->file); + return -EOPNOTSUPP; + } +@@ -2456,6 +2460,16 @@ static int sock_hash_update_elem(struct + return -EINVAL; + } + ++ /* ULPs are currently supported only for TCP sockets in ESTABLISHED ++ * state. ++ */ ++ if (skops.sk->sk_type != SOCK_STREAM || ++ skops.sk->sk_protocol != IPPROTO_TCP || ++ skops.sk->sk_state != TCP_ESTABLISHED) { ++ fput(socket->file); ++ return -EOPNOTSUPP; ++ } ++ + lock_sock(skops.sk); + preempt_disable(); + rcu_read_lock(); +@@ -2544,10 +2558,22 @@ const struct bpf_map_ops sock_hash_ops = + .map_release_uref = sock_map_release, + }; + ++static bool bpf_is_valid_sock_op(struct bpf_sock_ops_kern *ops) ++{ ++ return ops->op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB || ++ ops->op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB; ++} + BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock, + struct bpf_map *, map, void *, key, u64, flags) + { + WARN_ON_ONCE(!rcu_read_lock_held()); ++ ++ /* ULPs are currently supported only for TCP sockets in ESTABLISHED ++ * state. This checks that the sock ops triggering the update is ++ * one indicating we are (or will be soon) in an ESTABLISHED state. ++ */ ++ if (!bpf_is_valid_sock_op(bpf_sock)) ++ return -EOPNOTSUPP; + return sock_map_ctx_update_elem(bpf_sock, map, key, flags); + } + +@@ -2566,6 +2592,9 @@ BPF_CALL_4(bpf_sock_hash_update, struct + struct bpf_map *, map, void *, key, u64, flags) + { + WARN_ON_ONCE(!rcu_read_lock_held()); ++ ++ if (!bpf_is_valid_sock_op(bpf_sock)) ++ return -EOPNOTSUPP; + return sock_hash_ctx_update_elem(bpf_sock, map, key, flags); + } + diff --git a/queue-4.18/bpf-test_maps-only-support-established-socks.patch b/queue-4.18/bpf-test_maps-only-support-established-socks.patch new file mode 100644 index 00000000000..d5375605331 --- /dev/null +++ b/queue-4.18/bpf-test_maps-only-support-established-socks.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: John Fastabend +Date: Tue, 18 Sep 2018 09:01:54 -0700 +Subject: bpf: test_maps, only support ESTABLISHED socks + +From: John Fastabend + +[ Upstream commit 5028027844cfc6168e39650abecd817ba64c9d98 ] + +Ensure that sockets added to a sock{map|hash} that is not in the +ESTABLISHED state is rejected. + +Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks") +Signed-off-by: John Fastabend +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_maps.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -566,7 +566,11 @@ static void test_sockmap(int tasks, void + /* Test update without programs */ + for (i = 0; i < 6; i++) { + err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY); +- if (err) { ++ if (i < 2 && !err) { ++ printf("Allowed update sockmap '%i:%i' not in ESTABLISHED\n", ++ i, sfd[i]); ++ goto out_sockmap; ++ } else if (i >= 2 && err) { + printf("Failed noprog update sockmap '%i:%i'\n", + i, sfd[i]); + goto out_sockmap; +@@ -727,7 +731,7 @@ static void test_sockmap(int tasks, void + } + + /* Test map update elem afterwards fd lives in fd and map_fd */ +- for (i = 0; i < 6; i++) { ++ for (i = 2; i < 6; i++) { + err = bpf_map_update_elem(map_fd_rx, &i, &sfd[i], BPF_ANY); + if (err) { + printf("Failed map_fd_rx update sockmap %i '%i:%i'\n", +@@ -831,7 +835,7 @@ static void test_sockmap(int tasks, void + } + + /* Delete the elems without programs */ +- for (i = 0; i < 6; i++) { ++ for (i = 2; i < 6; i++) { + err = bpf_map_delete_elem(fd, &i); + if (err) { + printf("Failed delete sockmap %i '%i:%i'\n", diff --git a/queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch b/queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch new file mode 100644 index 00000000000..437ad4ae26b --- /dev/null +++ b/queue-4.18/clocksource-drivers-fttmr010-fix-set_next_event-handler.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Tao Ren +Date: Wed, 19 Sep 2018 15:13:31 -0700 +Subject: clocksource/drivers/fttmr010: Fix set_next_event handler + +From: Tao Ren + +[ Upstream commit 4451d3f59f2a6f95e5d205c2d04ea072955d080d ] + +Currently, the aspeed MATCH1 register is updated to in set_next_event handler, with the assumption that COUNT +register value is preserved when the timer is disabled and it continues +decrementing after the timer is enabled. But the assumption is wrong: +RELOAD register is loaded into COUNT register when the aspeed timer is +enabled, which means the next event may be delayed because timer +interrupt won't be generated until <0xFFFFFFFF - current_count + +cycles>. + +The problem can be fixed by updating RELOAD register to , and +COUNT register will be re-loaded when the timer is enabled and interrupt +is generated when COUNT register overflows. + +The test result on Facebook Backpack-CMM BMC hardware (AST2500) shows +the issue is fixed: without the patch, usleep(100) suspends the process +for several milliseconds (and sometimes even over 40 milliseconds); +after applying the fix, usleep(100) takes averagely 240 microseconds to +return under the same workload level. + +Signed-off-by: Tao Ren +Reviewed-by: Linus Walleij +Tested-by: Lei YU +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-fttmr010.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/clocksource/timer-fttmr010.c ++++ b/drivers/clocksource/timer-fttmr010.c +@@ -130,13 +130,17 @@ static int fttmr010_timer_set_next_event + cr &= ~fttmr010->t1_enable_val; + writel(cr, fttmr010->base + TIMER_CR); + +- /* Setup the match register forward/backward in time */ +- cr = readl(fttmr010->base + TIMER1_COUNT); +- if (fttmr010->count_down) +- cr -= cycles; +- else +- cr += cycles; +- writel(cr, fttmr010->base + TIMER1_MATCH1); ++ if (fttmr010->count_down) { ++ /* ++ * ASPEED Timer Controller will load TIMER1_LOAD register ++ * into TIMER1_COUNT register when the timer is re-enabled. ++ */ ++ writel(cycles, fttmr010->base + TIMER1_LOAD); ++ } else { ++ /* Setup the match register forward in time */ ++ cr = readl(fttmr010->base + TIMER1_COUNT); ++ writel(cr + cycles, fttmr010->base + TIMER1_MATCH1); ++ } + + /* Start */ + cr = readl(fttmr010->base + TIMER_CR); diff --git a/queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch b/queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch new file mode 100644 index 00000000000..345bd139845 --- /dev/null +++ b/queue-4.18/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Keerthy +Date: Wed, 8 Aug 2018 18:44:59 +0530 +Subject: clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs + +From: Keerthy + +[ Upstream commit 3b7d96a0dbb6b630878597a1838fc39f808b761b ] + +The 32k clocksource is NONSTOP for non-am43 SoCs. Hence +add the flag for all the other SoCs. + +Reported-by: Tony Lindgren +Signed-off-by: Keerthy +Acked-by: Tony Lindgren +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-ti-32k.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clocksource/timer-ti-32k.c ++++ b/drivers/clocksource/timer-ti-32k.c +@@ -98,6 +98,9 @@ static int __init ti_32k_timer_init(stru + return -ENXIO; + } + ++ if (!of_machine_is_compatible("ti,am43")) ++ ti_32k_timer.cs.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP; ++ + ti_32k_timer.counter = ti_32k_timer.base; + + /* diff --git a/queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch b/queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch new file mode 100644 index 00000000000..c943e000371 --- /dev/null +++ b/queue-4.18/cxgb4-fix-abort_req_rss6-struct.patch @@ -0,0 +1,31 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Steve Wise +Date: Fri, 31 Aug 2018 11:52:00 -0700 +Subject: cxgb4: fix abort_req_rss6 struct + +From: Steve Wise + +[ Upstream commit 9f34519a82356f6cf0ccb8480ee0ed99b3d0af75 ] + +Remove the incorrect WR_HDR field which can cause a misinterpretation +of ABORT CPL by ULDs, such as iw_cxgb4. + +Fixes: a3cdaa69e4ae ("cxgb4: Adds CPL support for Shared Receive Queues") +Signed-off-by: Steve Wise +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/t4_msg.h | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_msg.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_msg.h +@@ -753,7 +753,6 @@ struct cpl_abort_req_rss { + }; + + struct cpl_abort_req_rss6 { +- WR_HDR; + union opcode_tid ot; + __u32 srqidx_status; + }; diff --git a/queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch b/queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch new file mode 100644 index 00000000000..91a052d3a59 --- /dev/null +++ b/queue-4.18/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Alexandru Gheorghe +Date: Mon, 16 Jul 2018 11:07:07 +0100 +Subject: drm: mali-dp: Call drm_crtc_vblank_reset on device init + +From: Alexandru Gheorghe + +[ Upstream commit 69be1984ded00a11b1ed0888c6d8e4f35370372f ] + +Currently, if userspace calls drm_wait_vblank before the crtc is +activated the crtc vblank_enable hook is called, which in case of +malidp driver triggers some warninngs. This happens because on +device init we don't inform the drm core about the vblank state +by calling drm_crtc_vblank_on/off/reset which together with +drm_vblank_get have some magic that prevents calling drm_vblank_enable +when crtc is off. + +Signed-off-by: Alexandru Gheorghe +Acked-by: Liviu Dudau +Signed-off-by: Liviu Dudau +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/arm/malidp_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/arm/malidp_drv.c ++++ b/drivers/gpu/drm/arm/malidp_drv.c +@@ -615,6 +615,7 @@ static int malidp_bind(struct device *de + drm->irq_enabled = true; + + ret = drm_vblank_init(drm, drm->mode_config.num_crtc); ++ drm_crtc_vblank_reset(&malidp->crtc); + if (ret < 0) { + DRM_ERROR("failed to initialise vblank\n"); + goto vblank_fail; diff --git a/queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch b/queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch new file mode 100644 index 00000000000..124063b5966 --- /dev/null +++ b/queue-4.18/input-atakbd-fix-atari-capslock-behaviour.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Michael Schmitz +Date: Mon, 17 Sep 2018 15:27:49 -0700 +Subject: Input: atakbd - fix Atari CapsLock behaviour + +From: Michael Schmitz + +[ Upstream commit 52d2c7bf7c90217fbe875d2d76f310979c48eb83 ] + +The CapsLock key on Atari keyboards is not a toggle, it does send the +normal make and break scancodes. + +Drop the CapsLock toggle handling code, which did cause the CapsLock +key to merely act as a Shift key. + +Tested-by: Michael Schmitz +Signed-off-by: Michael Schmitz +Signed-off-by: Andreas Schwab +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/atakbd.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/input/keyboard/atakbd.c ++++ b/drivers/input/keyboard/atakbd.c +@@ -189,14 +189,8 @@ static void atakbd_interrupt(unsigned ch + + scancode = atakbd_keycode[scancode]; + +- if (scancode == KEY_CAPSLOCK) { /* CapsLock is a toggle switch key on Amiga */ +- input_report_key(atakbd_dev, scancode, 1); +- input_report_key(atakbd_dev, scancode, 0); +- input_sync(atakbd_dev); +- } else { +- input_report_key(atakbd_dev, scancode, down); +- input_sync(atakbd_dev); +- } ++ input_report_key(atakbd_dev, scancode, down); ++ input_sync(atakbd_dev); + } else /* scancodes >= 0xf3 are mouse data, most likely */ + printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode); + diff --git a/queue-4.18/input-atakbd-fix-atari-keymap.patch b/queue-4.18/input-atakbd-fix-atari-keymap.patch new file mode 100644 index 00000000000..16989223618 --- /dev/null +++ b/queue-4.18/input-atakbd-fix-atari-keymap.patch @@ -0,0 +1,133 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Andreas Schwab +Date: Mon, 17 Sep 2018 12:43:34 -0700 +Subject: Input: atakbd - fix Atari keymap + +From: Andreas Schwab + +[ Upstream commit 9e62df51be993035c577371ffee5477697a56aad ] + +Fix errors in Atari keymap (mostly in keypad, help and undo keys). + +Patch provided on debian-68k ML by Andreas Schwab , +keymap array size and unhandled scancode limit adjusted to 0x73 by me. + +Tested-by: Michael Schmitz +Signed-off-by: Michael Schmitz +Signed-off-by: Andreas Schwab +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/atakbd.c | 64 ++++++++++++++++------------------------ + 1 file changed, 26 insertions(+), 38 deletions(-) + +--- a/drivers/input/keyboard/atakbd.c ++++ b/drivers/input/keyboard/atakbd.c +@@ -79,8 +79,7 @@ MODULE_LICENSE("GPL"); + */ + + +-static unsigned char atakbd_keycode[0x72] = { /* American layout */ +- [0] = KEY_GRAVE, ++static unsigned char atakbd_keycode[0x73] = { /* American layout */ + [1] = KEY_ESC, + [2] = KEY_1, + [3] = KEY_2, +@@ -121,9 +120,9 @@ static unsigned char atakbd_keycode[0x72 + [38] = KEY_L, + [39] = KEY_SEMICOLON, + [40] = KEY_APOSTROPHE, +- [41] = KEY_BACKSLASH, /* FIXME, '#' */ ++ [41] = KEY_GRAVE, + [42] = KEY_LEFTSHIFT, +- [43] = KEY_GRAVE, /* FIXME: '~' */ ++ [43] = KEY_BACKSLASH, + [44] = KEY_Z, + [45] = KEY_X, + [46] = KEY_C, +@@ -149,45 +148,34 @@ static unsigned char atakbd_keycode[0x72 + [66] = KEY_F8, + [67] = KEY_F9, + [68] = KEY_F10, +- [69] = KEY_ESC, +- [70] = KEY_DELETE, +- [71] = KEY_KP7, +- [72] = KEY_KP8, +- [73] = KEY_KP9, ++ [71] = KEY_HOME, ++ [72] = KEY_UP, + [74] = KEY_KPMINUS, +- [75] = KEY_KP4, +- [76] = KEY_KP5, +- [77] = KEY_KP6, ++ [75] = KEY_LEFT, ++ [77] = KEY_RIGHT, + [78] = KEY_KPPLUS, +- [79] = KEY_KP1, +- [80] = KEY_KP2, +- [81] = KEY_KP3, +- [82] = KEY_KP0, +- [83] = KEY_KPDOT, +- [90] = KEY_KPLEFTPAREN, +- [91] = KEY_KPRIGHTPAREN, +- [92] = KEY_KPASTERISK, /* FIXME */ +- [93] = KEY_KPASTERISK, +- [94] = KEY_KPPLUS, +- [95] = KEY_HELP, ++ [80] = KEY_DOWN, ++ [82] = KEY_INSERT, ++ [83] = KEY_DELETE, + [96] = KEY_102ND, +- [97] = KEY_KPASTERISK, /* FIXME */ +- [98] = KEY_KPSLASH, ++ [97] = KEY_UNDO, ++ [98] = KEY_HELP, + [99] = KEY_KPLEFTPAREN, + [100] = KEY_KPRIGHTPAREN, + [101] = KEY_KPSLASH, + [102] = KEY_KPASTERISK, +- [103] = KEY_UP, +- [104] = KEY_KPASTERISK, /* FIXME */ +- [105] = KEY_LEFT, +- [106] = KEY_RIGHT, +- [107] = KEY_KPASTERISK, /* FIXME */ +- [108] = KEY_DOWN, +- [109] = KEY_KPASTERISK, /* FIXME */ +- [110] = KEY_KPASTERISK, /* FIXME */ +- [111] = KEY_KPASTERISK, /* FIXME */ +- [112] = KEY_KPASTERISK, /* FIXME */ +- [113] = KEY_KPASTERISK /* FIXME */ ++ [103] = KEY_KP7, ++ [104] = KEY_KP8, ++ [105] = KEY_KP9, ++ [106] = KEY_KP4, ++ [107] = KEY_KP5, ++ [108] = KEY_KP6, ++ [109] = KEY_KP1, ++ [110] = KEY_KP2, ++ [111] = KEY_KP3, ++ [112] = KEY_KP0, ++ [113] = KEY_KPDOT, ++ [114] = KEY_KPENTER, + }; + + static struct input_dev *atakbd_dev; +@@ -195,7 +183,7 @@ static struct input_dev *atakbd_dev; + static void atakbd_interrupt(unsigned char scancode, char down) + { + +- if (scancode < 0x72) { /* scancodes < 0xf2 are keys */ ++ if (scancode < 0x73) { /* scancodes < 0xf3 are keys */ + + // report raw events here? + +@@ -209,7 +197,7 @@ static void atakbd_interrupt(unsigned ch + input_report_key(atakbd_dev, scancode, down); + input_sync(atakbd_dev); + } +- } else /* scancodes >= 0xf2 are mouse data, most likely */ ++ } else /* scancodes >= 0xf3 are mouse data, most likely */ + printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode); + + return; diff --git a/queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch b/queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch new file mode 100644 index 00000000000..3157ff14ce3 --- /dev/null +++ b/queue-4.18/intel_th-pci-add-ice-lake-pch-support.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Alexander Shishkin +Date: Tue, 18 Sep 2018 16:10:49 +0300 +Subject: intel_th: pci: Add Ice Lake PCH support + +From: Alexander Shishkin + +[ Upstream commit 59d08d00d43c644ee2011d7ff1807bdd69f31fe0 ] + +This adds Intel(R) Trace Hub PCI ID for Ice Lake PCH. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -160,6 +160,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x18e1), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Ice Lake PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x34a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch b/queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch new file mode 100644 index 00000000000..f07c606d316 --- /dev/null +++ b/queue-4.18/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Arindam Nath +Date: Tue, 18 Sep 2018 15:40:58 +0530 +Subject: iommu/amd: Return devid as alias for ACPI HID devices + +From: Arindam Nath + +[ Upstream commit 5ebb1bc2d63d90dd204169e21fd7a0b4bb8c776e ] + +ACPI HID devices do not actually have an alias for +them in the IVRS. But dev_data->alias is still used +for indexing into the IOMMU device table for devices +being handled by the IOMMU. So for ACPI HID devices, +we simply return the corresponding devid as an alias, +as parsed from IVRS table. + +Signed-off-by: Arindam Nath +Fixes: 2bf9a0a12749 ('iommu/amd: Add iommu support for ACPI HID devices') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -246,7 +246,13 @@ static u16 get_alias(struct device *dev) + + /* The callers make sure that get_device_id() does not fail here */ + devid = get_device_id(dev); ++ ++ /* For ACPI HID devices, we simply return the devid as such */ ++ if (!dev_is_pci(dev)) ++ return devid; ++ + ivrs_alias = amd_iommu_alias_table[devid]; ++ + pci_for_each_dma_alias(pdev, __last_alias, &pci_alias); + + if (ivrs_alias == pci_alias) diff --git a/queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch b/queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch new file mode 100644 index 00000000000..ad624b1d9f9 --- /dev/null +++ b/queue-4.18/iommu-rockchip-free-irqs-in-shutdown-handler.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Heiko Stuebner +Date: Mon, 27 Aug 2018 12:56:24 +0200 +Subject: iommu/rockchip: Free irqs in shutdown handler + +From: Heiko Stuebner + +[ Upstream commit 74bc2abca7603c956d1e331e8b9bee7b874c1eec ] + +In the iommu's shutdown handler we disable runtime-pm which could +result in the irq-handler running unclocked and since commit + 3fc7c5c0cff3 ("iommu/rockchip: Handle errors returned from PM framework") +we warn about that fact. + +This can cause warnings on shutdown on some Rockchip machines, so +free the irqs in the shutdown handler before we disable runtime-pm. + +Reported-by: Enric Balletbo i Serra +Fixes: 3fc7c5c0cff3 ("iommu/rockchip: Handle errors returned from PM framework") +Signed-off-by: Heiko Stuebner +Tested-by: Enric Balletbo i Serra +Acked-by: Marc Zyngier +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/rockchip-iommu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -1242,6 +1242,12 @@ err_unprepare_clocks: + + static void rk_iommu_shutdown(struct platform_device *pdev) + { ++ struct rk_iommu *iommu = platform_get_drvdata(pdev); ++ int i = 0, irq; ++ ++ while ((irq = platform_get_irq(pdev, i++)) != -ENXIO) ++ devm_free_irq(iommu->dev, irq, iommu); ++ + pm_runtime_force_suspend(&pdev->dev); + } + diff --git a/queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch b/queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch new file mode 100644 index 00000000000..065ae5ca476 --- /dev/null +++ b/queue-4.18/media-af9035-prevent-buffer-overflow-on-write.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Jozef Balga +Date: Tue, 21 Aug 2018 05:01:04 -0400 +Subject: media: af9035: prevent buffer overflow on write + +From: Jozef Balga + +[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ] + +When less than 3 bytes are written to the device, memcpy is called with +negative array size which leads to buffer overflow and kernel panic. This +patch adds a condition and returns -EOPNOTSUPP instead. +Fixes bugzilla issue 64871 + +[mchehab+samsung@kernel.org: fix a merge conflict and changed the + condition to match the patch's comment, e. g. len == 3 could + also be valid] +Signed-off-by: Jozef Balga +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -402,8 +402,10 @@ static int af9035_i2c_master_xfer(struct + if (msg[0].addr == state->af9033_i2c_addr[1]) + reg |= 0x100000; + +- ret = af9035_wr_regs(d, reg, &msg[0].buf[3], +- msg[0].len - 3); ++ ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg, ++ &msg[0].buf[3], ++ msg[0].len - 3) ++ : -EOPNOTSUPP; + } else { + /* I2C write */ + u8 buf[MAX_XFER_SIZE]; diff --git a/queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch b/queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch new file mode 100644 index 00000000000..e228451aef4 --- /dev/null +++ b/queue-4.18/net-emac-fix-fixed-link-setup-for-the-rtl8363sb-switch.patch @@ -0,0 +1,54 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Christian Lamparter +Date: Mon, 17 Sep 2018 17:22:40 +0200 +Subject: net: emac: fix fixed-link setup for the RTL8363SB switch + +From: Christian Lamparter + +[ Upstream commit 08e39982ef64f800fd1f9b9b92968d14d5fafa82 ] + +On the Netgear WNDAP620, the emac ethernet isn't receiving nor +xmitting any frames from/to the RTL8363SB (identifies itself +as a RTL8367RB). + +This is caused by the emac hardware not knowing the forced link +parameters for speed, duplex, pause, etc. + +This begs the question, how this was working on the original +driver code, when it was necessary to set the phy_address and +phy_map to 0xffffffff. But I guess without access to the old +PPC405/440/460 hardware, it's not possible to know. + +Signed-off-by: Christian Lamparter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/emac/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ibm/emac/core.c ++++ b/drivers/net/ethernet/ibm/emac/core.c +@@ -2677,12 +2677,17 @@ static int emac_init_phy(struct emac_ins + if (of_phy_is_fixed_link(np)) { + int res = emac_dt_mdio_probe(dev); + +- if (!res) { +- res = of_phy_register_fixed_link(np); +- if (res) +- mdiobus_unregister(dev->mii_bus); ++ if (res) ++ return res; ++ ++ res = of_phy_register_fixed_link(np); ++ dev->phy_dev = of_phy_find_device(np); ++ if (res || !dev->phy_dev) { ++ mdiobus_unregister(dev->mii_bus); ++ return res ? res : -EINVAL; + } +- return res; ++ emac_adjust_link(dev->ndev); ++ put_device(&dev->phy_dev->mdio.dev); + } + return 0; + } diff --git a/queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch b/queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch new file mode 100644 index 00000000000..e6f15c529bf --- /dev/null +++ b/queue-4.18/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Nathan Chancellor +Date: Fri, 21 Sep 2018 02:44:12 -0700 +Subject: net/mlx4: Use cpumask_available for eq->affinity_mask + +From: Nathan Chancellor + +[ Upstream commit 8ac1ee6f4d62e781e3b3fd8b9c42b70371427669 ] + +Clang warns that the address of a pointer will always evaluated as true +in a boolean context: + +drivers/net/ethernet/mellanox/mlx4/eq.c:243:11: warning: address of +array 'eq->affinity_mask' will always evaluate to 'true' +[-Wpointer-bool-conversion] + if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask)) + ~~~~~^~~~~~~~~~~~~ +1 warning generated. + +Use cpumask_available, introduced in commit f7e30f01a9e2 ("cpumask: Add +helper cpumask_available()"), which does the proper checking and avoids +this warning. + +Link: https://github.com/ClangBuiltLinux/linux/issues/86 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/eq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -240,7 +240,8 @@ static void mlx4_set_eq_affinity_hint(st + struct mlx4_dev *dev = &priv->dev; + struct mlx4_eq *eq = &priv->eq_table.eq[vec]; + +- if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask)) ++ if (!cpumask_available(eq->affinity_mask) || ++ cpumask_empty(eq->affinity_mask)) + return; + + hint_err = irq_set_affinity_hint(eq->irq, eq->affinity_mask); diff --git a/queue-4.18/net-smc-fix-non-blocking-connect-problem.patch b/queue-4.18/net-smc-fix-non-blocking-connect-problem.patch new file mode 100644 index 00000000000..ac599d474be --- /dev/null +++ b/queue-4.18/net-smc-fix-non-blocking-connect-problem.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Ursula Braun +Date: Tue, 18 Sep 2018 15:46:34 +0200 +Subject: net/smc: fix non-blocking connect problem + +From: Ursula Braun + +[ Upstream commit 648a5a7aed346c3b8fe7c32a835edfb0dfbf4451 ] + +In state SMC_INIT smc_poll() delegates polling to the internal +CLC socket. This means, once the connect worker has finished +its kernel_connect() step, the poll wake-up may occur. This is not +intended. The wake-up should occur from the wake up call in +smc_connect_work() after __smc_connect() has finished. +Thus in state SMC_INIT this patch now calls sock_poll_wait() on the +main SMC socket. + +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -612,7 +612,10 @@ static void smc_connect_work(struct work + smc->sk.sk_err = -rc; + + out: +- smc->sk.sk_state_change(&smc->sk); ++ if (smc->sk.sk_err) ++ smc->sk.sk_state_change(&smc->sk); ++ else ++ smc->sk.sk_write_space(&smc->sk); + kfree(smc->connect_info); + smc->connect_info = NULL; + release_sock(&smc->sk); +@@ -1345,7 +1348,7 @@ static __poll_t smc_poll(struct file *fi + return EPOLLNVAL; + + smc = smc_sk(sock->sk); +- if ((sk->sk_state == SMC_INIT) || smc->use_fallback) { ++ if (smc->use_fallback) { + /* delegate to CLC child sock */ + mask = smc->clcsock->ops->poll(file, smc->clcsock, wait); + sk->sk_err = smc->clcsock->sk->sk_err; diff --git a/queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch b/queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch new file mode 100644 index 00000000000..82e33883c2a --- /dev/null +++ b/queue-4.18/net-smc-fix-sizeof-to-int-comparison.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: YueHaibing +Date: Tue, 18 Sep 2018 15:46:38 +0200 +Subject: net/smc: fix sizeof to int comparison + +From: YueHaibing + +[ Upstream commit 381897798a94065ffcad0772eecdc6b04a7ff23d ] + +Comparing an int to a size, which is unsigned, causes the int to become +unsigned, giving the wrong result. kernel_sendmsg can return a negative +error code. + +Signed-off-by: YueHaibing +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_clc.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -405,14 +405,12 @@ int smc_clc_send_proposal(struct smc_soc + vec[i++].iov_len = sizeof(trl); + /* due to the few bytes needed for clc-handshake this cannot block */ + len = kernel_sendmsg(smc->clcsock, &msg, vec, i, plen); +- if (len < sizeof(pclc)) { +- if (len >= 0) { +- reason_code = -ENETUNREACH; +- smc->sk.sk_err = -reason_code; +- } else { +- smc->sk.sk_err = smc->clcsock->sk->sk_err; +- reason_code = -smc->sk.sk_err; +- } ++ if (len < 0) { ++ smc->sk.sk_err = smc->clcsock->sk->sk_err; ++ reason_code = -smc->sk.sk_err; ++ } else if (len < (int)sizeof(pclc)) { ++ reason_code = -ENETUNREACH; ++ smc->sk.sk_err = -reason_code; + } + + return reason_code; diff --git a/queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch b/queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch new file mode 100644 index 00000000000..7ba6e888a72 --- /dev/null +++ b/queue-4.18/pci-dwc-fix-scheduling-while-atomic-issues.patch @@ -0,0 +1,89 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Jisheng Zhang +Date: Thu, 20 Sep 2018 16:32:52 -0500 +Subject: PCI: dwc: Fix scheduling while atomic issues + +From: Jisheng Zhang + +[ Upstream commit 9024143e700f89d74b8cdaf316a3499d74fc56fe ] + +When programming the inbound/outbound ATUs, we call usleep_range() after +each checking PCIE_ATU_ENABLE bit. Unfortunately, the ATU programming +can be executed in atomic context: + +inbound ATU programming could be called through +pci_epc_write_header() + =>dw_pcie_ep_write_header() + =>dw_pcie_prog_inbound_atu() + +outbound ATU programming could be called through +pci_bus_read_config_dword() + =>dw_pcie_rd_conf() + =>dw_pcie_prog_outbound_atu() + +Fix this issue by calling mdelay() instead. + +Fixes: f8aed6ec624f ("PCI: dwc: designware: Add EP mode support") +Fixes: d8bbeb39fbf3 ("PCI: designware: Wait for iATU enable") +Signed-off-by: Jisheng Zhang +[lorenzo.pieralisi@arm.com: commit log update] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Acked-by: Gustavo Pimentel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-designware.c | 8 ++++---- + drivers/pci/controller/dwc/pcie-designware.h | 3 +-- + 2 files changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-designware.c ++++ b/drivers/pci/controller/dwc/pcie-designware.c +@@ -135,7 +135,7 @@ static void dw_pcie_prog_outbound_atu_un + if (val & PCIE_ATU_ENABLE) + return; + +- usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX); ++ mdelay(LINK_WAIT_IATU); + } + dev_err(pci->dev, "Outbound iATU is not being enabled\n"); + } +@@ -178,7 +178,7 @@ void dw_pcie_prog_outbound_atu(struct dw + if (val & PCIE_ATU_ENABLE) + return; + +- usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX); ++ mdelay(LINK_WAIT_IATU); + } + dev_err(pci->dev, "Outbound iATU is not being enabled\n"); + } +@@ -236,7 +236,7 @@ static int dw_pcie_prog_inbound_atu_unro + if (val & PCIE_ATU_ENABLE) + return 0; + +- usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX); ++ mdelay(LINK_WAIT_IATU); + } + dev_err(pci->dev, "Inbound iATU is not being enabled\n"); + +@@ -282,7 +282,7 @@ int dw_pcie_prog_inbound_atu(struct dw_p + if (val & PCIE_ATU_ENABLE) + return 0; + +- usleep_range(LINK_WAIT_IATU_MIN, LINK_WAIT_IATU_MAX); ++ mdelay(LINK_WAIT_IATU); + } + dev_err(pci->dev, "Inbound iATU is not being enabled\n"); + +--- a/drivers/pci/controller/dwc/pcie-designware.h ++++ b/drivers/pci/controller/dwc/pcie-designware.h +@@ -26,8 +26,7 @@ + + /* Parameters for the waiting for iATU enabled routine */ + #define LINK_WAIT_MAX_IATU_RETRIES 5 +-#define LINK_WAIT_IATU_MIN 9000 +-#define LINK_WAIT_IATU_MAX 10000 ++#define LINK_WAIT_IATU 9 + + /* Synopsys-specific PCIe configuration registers */ + #define PCIE_PORT_LINK_CONTROL 0x710 diff --git a/queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch b/queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch new file mode 100644 index 00000000000..fbc16cfa47c --- /dev/null +++ b/queue-4.18/pinctrl-amd-poll-interruptenable-bits-in-amd_gpio_irq_set_type.patch @@ -0,0 +1,98 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Daniel Kurtz +Date: Sat, 22 Sep 2018 13:58:26 -0600 +Subject: pinctrl/amd: poll InterruptEnable bits in amd_gpio_irq_set_type + +From: Daniel Kurtz + +[ Upstream commit b85bfa246efd24ea3fdb5ee949c28e3110c6d299 ] + +>From the AMD BKDG, if WAKE_INT_MASTER_REG.MaskStsEn is set, a software +write to the debounce registers of *any* gpio will block wake/interrupt +status generation for *all* gpios for a length of time that depends on +WAKE_INT_MASTER_REG.MaskStsLength[11:0]. During this period the Interrupt +Delivery bit (INTERRUPT_ENABLE) will read as 0. + +In commit 4c1de0414a1340 ("pinctrl/amd: poll InterruptEnable bits in +enable_irq") we tried to fix this same "gpio Interrupts are blocked +immediately after writing debounce registers" problem, but incorrectly +assumed it only affected the gpio whose debounce was being configured +and not ALL gpios. + +To solve this for all gpios, we move the polling loop from +amd_gpio_irq_enable() to amd_gpio_irq_set_type(), while holding the gpio +spinlock. This ensures that another gpio operation (e.g. +amd_gpio_irq_unmask()) can read a temporarily disabled IRQ and +incorrectly disable it while trying to modify some other register bits. + +Fixes: 4c1de0414a1340 pinctrl/amd: poll InterruptEnable bits in enable_irq +Signed-off-by: Daniel Kurtz +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -348,21 +348,12 @@ static void amd_gpio_irq_enable(struct i + unsigned long flags; + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct amd_gpio *gpio_dev = gpiochip_get_data(gc); +- u32 mask = BIT(INTERRUPT_ENABLE_OFF) | BIT(INTERRUPT_MASK_OFF); + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + pin_reg = readl(gpio_dev->base + (d->hwirq)*4); + pin_reg |= BIT(INTERRUPT_ENABLE_OFF); + pin_reg |= BIT(INTERRUPT_MASK_OFF); + writel(pin_reg, gpio_dev->base + (d->hwirq)*4); +- /* +- * When debounce logic is enabled it takes ~900 us before interrupts +- * can be enabled. During this "debounce warm up" period the +- * "INTERRUPT_ENABLE" bit will read as 0. Poll the bit here until it +- * reads back as 1, signaling that interrupts are now enabled. +- */ +- while ((readl(gpio_dev->base + (d->hwirq)*4) & mask) != mask) +- continue; + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } + +@@ -426,7 +417,7 @@ static void amd_gpio_irq_eoi(struct irq_ + static int amd_gpio_irq_set_type(struct irq_data *d, unsigned int type) + { + int ret = 0; +- u32 pin_reg; ++ u32 pin_reg, pin_reg_irq_en, mask; + unsigned long flags, irq_flags; + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct amd_gpio *gpio_dev = gpiochip_get_data(gc); +@@ -495,6 +486,28 @@ static int amd_gpio_irq_set_type(struct + } + + pin_reg |= CLR_INTR_STAT << INTERRUPT_STS_OFF; ++ /* ++ * If WAKE_INT_MASTER_REG.MaskStsEn is set, a software write to the ++ * debounce registers of any GPIO will block wake/interrupt status ++ * generation for *all* GPIOs for a lenght of time that depends on ++ * WAKE_INT_MASTER_REG.MaskStsLength[11:0]. During this period the ++ * INTERRUPT_ENABLE bit will read as 0. ++ * ++ * We temporarily enable irq for the GPIO whose configuration is ++ * changing, and then wait for it to read back as 1 to know when ++ * debounce has settled and then disable the irq again. ++ * We do this polling with the spinlock held to ensure other GPIO ++ * access routines do not read an incorrect value for the irq enable ++ * bit of other GPIOs. We keep the GPIO masked while polling to avoid ++ * spurious irqs, and disable the irq again after polling. ++ */ ++ mask = BIT(INTERRUPT_ENABLE_OFF); ++ pin_reg_irq_en = pin_reg; ++ pin_reg_irq_en |= mask; ++ pin_reg_irq_en &= ~BIT(INTERRUPT_MASK_OFF); ++ writel(pin_reg_irq_en, gpio_dev->base + (d->hwirq)*4); ++ while ((readl(gpio_dev->base + (d->hwirq)*4) & mask) != mask) ++ continue; + writel(pin_reg, gpio_dev->base + (d->hwirq)*4); + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + diff --git a/queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch b/queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch new file mode 100644 index 00000000000..4496f298440 --- /dev/null +++ b/queue-4.18/powerpc-numa-use-associativity-if-vphn-hcall-is-successful.patch @@ -0,0 +1,88 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Srikar Dronamraju +Date: Tue, 25 Sep 2018 17:55:15 +0530 +Subject: powerpc/numa: Use associativity if VPHN hcall is successful + +From: Srikar Dronamraju + +[ Upstream commit 2483ef056f6e42f61cd266452e2841165dfe1b5c ] + +Currently associativity is used to lookup node-id even if the +preceding VPHN hcall failed. However this can cause CPU to be made +part of the wrong node, (most likely to be node 0). This is because +VPHN is not enabled on KVM guests. + +With 2ea6263 ("powerpc/topology: Get topology for shared processors at +boot"), associativity is used to set to the wrong node. Hence KVM +guest topology is broken. + +For example : A 4 node KVM guest before would have reported. + + [root@localhost ~]# numactl -H + available: 4 nodes (0-3) + node 0 cpus: 0 1 2 3 + node 0 size: 1746 MB + node 0 free: 1604 MB + node 1 cpus: 4 5 6 7 + node 1 size: 2044 MB + node 1 free: 1765 MB + node 2 cpus: 8 9 10 11 + node 2 size: 2044 MB + node 2 free: 1837 MB + node 3 cpus: 12 13 14 15 + node 3 size: 2044 MB + node 3 free: 1903 MB + node distances: + node 0 1 2 3 + 0: 10 40 40 40 + 1: 40 10 40 40 + 2: 40 40 10 40 + 3: 40 40 40 10 + +Would now report: + + [root@localhost ~]# numactl -H + available: 4 nodes (0-3) + node 0 cpus: 0 2 3 4 5 6 7 8 9 10 11 12 13 14 15 + node 0 size: 1746 MB + node 0 free: 1244 MB + node 1 cpus: + node 1 size: 2044 MB + node 1 free: 2032 MB + node 2 cpus: 1 + node 2 size: 2044 MB + node 2 free: 2028 MB + node 3 cpus: + node 3 size: 2044 MB + node 3 free: 2032 MB + node distances: + node 0 1 2 3 + 0: 10 40 40 40 + 1: 40 10 40 40 + 2: 40 40 10 40 + 3: 40 40 40 10 + +Fix this by skipping associativity lookup if the VPHN hcall failed. + +Fixes: 2ea626306810 ("powerpc/topology: Get topology for shared processors at boot") +Signed-off-by: Srikar Dronamraju +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/numa.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1204,7 +1204,9 @@ int find_and_online_cpu_nid(int cpu) + int new_nid; + + /* Use associativity from first thread for all siblings */ +- vphn_get_associativity(cpu, associativity); ++ if (vphn_get_associativity(cpu, associativity)) ++ return cpu_to_node(cpu); ++ + new_nid = associativity_to_nid(associativity); + if (new_nid < 0 || !node_possible(new_nid)) + new_nid = first_online_node; diff --git a/queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch b/queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch new file mode 100644 index 00000000000..6a5034dcf15 --- /dev/null +++ b/queue-4.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Michael Neuling +Date: Tue, 25 Sep 2018 19:36:47 +1000 +Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim + +From: Michael Neuling + +[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ] + +Current we store the userspace r1 to PACATMSCRATCH before finally +saving it to the thread struct. + +In theory an exception could be taken here (like a machine check or +SLB miss) that could write PACATMSCRATCH and hence corrupt the +userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but +others do. + +We've never actually seen this happen but it's theoretically +possible. Either way, the code is fragile as it is. + +This patch saves r1 to the kernel stack (which can't fault) before we +turn MSR[RI] back on. PACATMSCRATCH is still used but only with +MSR[RI] off. We then copy r1 from the kernel stack to the thread +struct once we have MSR[RI] back on. + +Suggested-by: Breno Leitao +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/tm.S | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/tm.S ++++ b/arch/powerpc/kernel/tm.S +@@ -178,6 +178,13 @@ _GLOBAL(tm_reclaim) + std r11, GPR11(r1) /* Temporary stash */ + + /* ++ * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is ++ * clobbered by an exception once we turn on MSR_RI below. ++ */ ++ ld r11, PACATMSCRATCH(r13) ++ std r11, GPR1(r1) ++ ++ /* + * Store r13 away so we can free up the scratch SPR for the SLB fault + * handler (needed once we start accessing the thread_struct). + */ +@@ -213,7 +220,7 @@ _GLOBAL(tm_reclaim) + SAVE_GPR(8, r7) /* user r8 */ + SAVE_GPR(9, r7) /* user r9 */ + SAVE_GPR(10, r7) /* user r10 */ +- ld r3, PACATMSCRATCH(r13) /* user r1 */ ++ ld r3, GPR1(r1) /* user r1 */ + ld r4, GPR7(r1) /* user r7 */ + ld r5, GPR11(r1) /* user r11 */ + ld r6, GPR12(r1) /* user r12 */ diff --git a/queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch b/queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch new file mode 100644 index 00000000000..49e4b9db772 --- /dev/null +++ b/queue-4.18/powerpc-tm-fix-userspace-r13-corruption.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Michael Neuling +Date: Mon, 24 Sep 2018 17:27:04 +1000 +Subject: powerpc/tm: Fix userspace r13 corruption + +From: Michael Neuling + +[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ] + +When we treclaim we store the userspace checkpointed r13 to a scratch +SPR and then later save the scratch SPR to the user thread struct. + +Unfortunately, this doesn't work as accessing the user thread struct +can take an SLB fault and the SLB fault handler will write the same +scratch SPRG that now contains the userspace r13. + +To fix this, we store r13 to the kernel stack (which can't fault) +before we access the user thread struct. + +Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen +as a random userspace segfault with r13 looking like a kernel address. + +Signed-off-by: Michael Neuling +Reviewed-by: Breno Leitao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/tm.S | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/tm.S ++++ b/arch/powerpc/kernel/tm.S +@@ -175,13 +175,20 @@ _GLOBAL(tm_reclaim) + std r1, PACATMSCRATCH(r13) + ld r1, PACAR1(r13) + +- /* Store the PPR in r11 and reset to decent value */ + std r11, GPR11(r1) /* Temporary stash */ + ++ /* ++ * Store r13 away so we can free up the scratch SPR for the SLB fault ++ * handler (needed once we start accessing the thread_struct). ++ */ ++ GET_SCRATCH0(r11) ++ std r11, GPR13(r1) ++ + /* Reset MSR RI so we can take SLB faults again */ + li r11, MSR_RI + mtmsrd r11, 1 + ++ /* Store the PPR in r11 and reset to decent value */ + mfspr r11, SPRN_PPR + HMT_MEDIUM + +@@ -210,7 +217,7 @@ _GLOBAL(tm_reclaim) + ld r4, GPR7(r1) /* user r7 */ + ld r5, GPR11(r1) /* user r11 */ + ld r6, GPR12(r1) /* user r12 */ +- GET_SCRATCH0(8) /* user r13 */ ++ ld r8, GPR13(r1) /* user r13 */ + std r3, GPR1(r7) + std r4, GPR7(r7) + std r5, GPR11(r7) diff --git a/queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch b/queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch new file mode 100644 index 00000000000..79ff4378784 --- /dev/null +++ b/queue-4.18/qed-do-not-add-vlan-0-tag-to-untagged-frames-in-multi-function-mode.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Wed, 19 Sep 2018 21:59:11 -0700 +Subject: qed: Do not add VLAN 0 tag to untagged frames in multi-function mode. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 0216da9413afa546627a1b0d319dfd17fef34050 ] + +In certain multi-function switch dependent modes, firmware adds vlan tag 0 +to the untagged frames. This leads to double tagging for the traffic +if the dcbx is enabled, which is not the desired behavior. To avoid this, +driver needs to set "dcb_dont_add_vlan0" flag. + +Fixes: cac6f691 ("qed: Add support for Unified Fabric Port") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Tomer Tayar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 9 ++++++++- + drivers/net/ethernet/qlogic/qed/qed_dcbx.h | 1 + + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -190,6 +190,7 @@ qed_dcbx_dp_protocol(struct qed_hwfn *p_ + + static void + qed_dcbx_set_params(struct qed_dcbx_results *p_data, ++ struct qed_hwfn *p_hwfn, + struct qed_hw_info *p_info, + bool enable, + u8 prio, +@@ -206,6 +207,11 @@ qed_dcbx_set_params(struct qed_dcbx_resu + else + p_data->arr[type].update = DONT_UPDATE_DCB_DSCP; + ++ /* Do not add vlan tag 0 when DCB is enabled and port in UFP/OV mode */ ++ if ((test_bit(QED_MF_8021Q_TAGGING, &p_hwfn->cdev->mf_bits) || ++ test_bit(QED_MF_8021AD_TAGGING, &p_hwfn->cdev->mf_bits))) ++ p_data->arr[type].dont_add_vlan0 = true; ++ + /* QM reconf data */ + if (p_info->personality == personality) + p_info->offload_tc = tc; +@@ -233,7 +239,7 @@ qed_dcbx_update_app_info(struct qed_dcbx + personality = qed_dcbx_app_update[i].personality; + name = qed_dcbx_app_update[i].name; + +- qed_dcbx_set_params(p_data, p_info, enable, ++ qed_dcbx_set_params(p_data, p_hwfn, p_info, enable, + prio, tc, type, personality); + } + } +@@ -956,6 +962,7 @@ static void qed_dcbx_update_protocol_dat + p_data->dcb_enable_flag = p_src->arr[type].enable; + p_data->dcb_priority = p_src->arr[type].priority; + p_data->dcb_tc = p_src->arr[type].tc; ++ p_data->dcb_dont_add_vlan0 = p_src->arr[type].dont_add_vlan0; + } + + /* Set pf update ramrod command params */ +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.h +@@ -55,6 +55,7 @@ struct qed_dcbx_app_data { + u8 update; /* Update indication */ + u8 priority; /* Priority */ + u8 tc; /* Traffic Class */ ++ bool dont_add_vlan0; /* Do not insert a vlan tag with id 0 */ + }; + + #define QED_DCBX_VERSION_DISABLED 0 diff --git a/queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch b/queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch new file mode 100644 index 00000000000..64815b1ded8 --- /dev/null +++ b/queue-4.18/qed-fix-populating-the-invalid-stag-value-in-multi-function-mode.patch @@ -0,0 +1,77 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Wed, 19 Sep 2018 21:59:10 -0700 +Subject: qed: Fix populating the invalid stag value in multi function mode. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 50fdf60181b01b7383b85d4b9acbb842263d96a2 ] + +In multi-function mode, driver receives the stag value (outer vlan) +for a PF from management FW (MFW). If the stag value is negotiated prior to +the driver load, then the stag is not notified to the driver and hence +driver will have the invalid stag value. +The fix is to request the MFW for STAG value during the driver load time. + +Fixes: cac6f691 ("qed: Add support for Unified Fabric Port") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Tomer Tayar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 15 ++++++++++++++- + drivers/net/ethernet/qlogic/qed/qed_hsi.h | 4 ++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -1636,7 +1636,7 @@ static int qed_vf_start(struct qed_hwfn + int qed_hw_init(struct qed_dev *cdev, struct qed_hw_init_params *p_params) + { + struct qed_load_req_params load_req_params; +- u32 load_code, param, drv_mb_param; ++ u32 load_code, resp, param, drv_mb_param; + bool b_default_mtu = true; + struct qed_hwfn *p_hwfn; + int rc = 0, mfw_rc, i; +@@ -1782,6 +1782,19 @@ int qed_hw_init(struct qed_dev *cdev, st + + if (IS_PF(cdev)) { + p_hwfn = QED_LEADING_HWFN(cdev); ++ ++ /* Get pre-negotiated values for stag, bandwidth etc. */ ++ DP_VERBOSE(p_hwfn, ++ QED_MSG_SPQ, ++ "Sending GET_OEM_UPDATES command to trigger stag/bandwidth attention handling\n"); ++ drv_mb_param = 1 << DRV_MB_PARAM_DUMMY_OEM_UPDATES_OFFSET; ++ rc = qed_mcp_cmd(p_hwfn, p_hwfn->p_main_ptt, ++ DRV_MSG_CODE_GET_OEM_UPDATES, ++ drv_mb_param, &resp, ¶m); ++ if (rc) ++ DP_NOTICE(p_hwfn, ++ "Failed to send GET_OEM_UPDATES attention request\n"); ++ + drv_mb_param = STORM_FW_VERSION; + rc = qed_mcp_cmd(p_hwfn, p_hwfn->p_main_ptt, + DRV_MSG_CODE_OV_UPDATE_STORM_FW_VER, +--- a/drivers/net/ethernet/qlogic/qed/qed_hsi.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_hsi.h +@@ -12415,6 +12415,7 @@ struct public_drv_mb { + #define DRV_MSG_SET_RESOURCE_VALUE_MSG 0x35000000 + #define DRV_MSG_CODE_OV_UPDATE_WOL 0x38000000 + #define DRV_MSG_CODE_OV_UPDATE_ESWITCH_MODE 0x39000000 ++#define DRV_MSG_CODE_GET_OEM_UPDATES 0x41000000 + + #define DRV_MSG_CODE_BW_UPDATE_ACK 0x32000000 + #define DRV_MSG_CODE_NIG_DRAIN 0x30000000 +@@ -12540,6 +12541,9 @@ struct public_drv_mb { + #define DRV_MB_PARAM_ESWITCH_MODE_VEB 0x1 + #define DRV_MB_PARAM_ESWITCH_MODE_VEPA 0x2 + ++#define DRV_MB_PARAM_DUMMY_OEM_UPDATES_MASK 0x1 ++#define DRV_MB_PARAM_DUMMY_OEM_UPDATES_OFFSET 0 ++ + #define DRV_MB_PARAM_SET_LED_MODE_OPER 0x0 + #define DRV_MB_PARAM_SET_LED_MODE_ON 0x1 + #define DRV_MB_PARAM_SET_LED_MODE_OFF 0x2 diff --git a/queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch b/queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch new file mode 100644 index 00000000000..75351577f0d --- /dev/null +++ b/queue-4.18/ravb-do-not-write-1-to-reserved-bits.patch @@ -0,0 +1,128 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Kazuya Mizuguchi +Date: Tue, 18 Sep 2018 12:22:26 +0200 +Subject: ravb: do not write 1 to reserved bits + +From: Kazuya Mizuguchi + +[ Upstream commit 2fe397a3959de8a472f165e6d152f64cb77fa2cc ] + +EtherAVB hardware requires 0 to be written to status register bits in +order to clear them, however, care must be taken not to: + +1. Clear other bits, by writing zero to them +2. Write one to reserved bits + +This patch corrects the ravb driver with respect to the second point above. +This is done by defining reserved bit masks for the affected registers and, +after auditing the code, ensure all sites that may write a one to a +reserved bit use are suitably masked. + +Signed-off-by: Kazuya Mizuguchi +Signed-off-by: Simon Horman +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb.h | 5 +++++ + drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++----- + drivers/net/ethernet/renesas/ravb_ptp.c | 2 +- + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb.h ++++ b/drivers/net/ethernet/renesas/ravb.h +@@ -431,6 +431,7 @@ enum EIS_BIT { + EIS_CULF1 = 0x00000080, + EIS_TFFF = 0x00000100, + EIS_QFS = 0x00010000, ++ EIS_RESERVED = (GENMASK(31, 17) | GENMASK(15, 11)), + }; + + /* RIC0 */ +@@ -475,6 +476,7 @@ enum RIS0_BIT { + RIS0_FRF15 = 0x00008000, + RIS0_FRF16 = 0x00010000, + RIS0_FRF17 = 0x00020000, ++ RIS0_RESERVED = GENMASK(31, 18), + }; + + /* RIC1 */ +@@ -531,6 +533,7 @@ enum RIS2_BIT { + RIS2_QFF16 = 0x00010000, + RIS2_QFF17 = 0x00020000, + RIS2_RFFF = 0x80000000, ++ RIS2_RESERVED = GENMASK(30, 18), + }; + + /* TIC */ +@@ -547,6 +550,7 @@ enum TIS_BIT { + TIS_FTF1 = 0x00000002, /* Undocumented? */ + TIS_TFUF = 0x00000100, + TIS_TFWF = 0x00000200, ++ TIS_RESERVED = (GENMASK(31, 20) | GENMASK(15, 12) | GENMASK(7, 4)) + }; + + /* ISS */ +@@ -620,6 +624,7 @@ enum GIC_BIT { + enum GIS_BIT { + GIS_PTCF = 0x00000001, /* Undocumented? */ + GIS_PTMF = 0x00000004, ++ GIS_RESERVED = GENMASK(15, 10), + }; + + /* GIE (R-Car Gen3 only) */ +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -742,10 +742,11 @@ static void ravb_error_interrupt(struct + u32 eis, ris2; + + eis = ravb_read(ndev, EIS); +- ravb_write(ndev, ~EIS_QFS, EIS); ++ ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS); + if (eis & EIS_QFS) { + ris2 = ravb_read(ndev, RIS2); +- ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF), RIS2); ++ ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED), ++ RIS2); + + /* Receive Descriptor Empty int */ + if (ris2 & RIS2_QFF0) +@@ -798,7 +799,7 @@ static bool ravb_timestamp_interrupt(str + u32 tis = ravb_read(ndev, TIS); + + if (tis & TIS_TFUF) { +- ravb_write(ndev, ~TIS_TFUF, TIS); ++ ravb_write(ndev, ~(TIS_TFUF | TIS_RESERVED), TIS); + ravb_get_tx_tstamp(ndev); + return true; + } +@@ -933,7 +934,7 @@ static int ravb_poll(struct napi_struct + /* Processing RX Descriptor Ring */ + if (ris0 & mask) { + /* Clear RX interrupt */ +- ravb_write(ndev, ~mask, RIS0); ++ ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0); + if (ravb_rx(ndev, "a, q)) + goto out; + } +@@ -941,7 +942,7 @@ static int ravb_poll(struct napi_struct + if (tis & mask) { + spin_lock_irqsave(&priv->lock, flags); + /* Clear TX interrupt */ +- ravb_write(ndev, ~mask, TIS); ++ ravb_write(ndev, ~(mask | TIS_RESERVED), TIS); + ravb_tx_free(ndev, q, true); + netif_wake_subqueue(ndev, q); + mmiowb(); +--- a/drivers/net/ethernet/renesas/ravb_ptp.c ++++ b/drivers/net/ethernet/renesas/ravb_ptp.c +@@ -319,7 +319,7 @@ void ravb_ptp_interrupt(struct net_devic + } + } + +- ravb_write(ndev, ~gis, GIS); ++ ravb_write(ndev, ~(gis | GIS_RESERVED), GIS); + } + + void ravb_ptp_init(struct net_device *ndev, struct platform_device *pdev) diff --git a/queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch b/queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch new file mode 100644 index 00000000000..bd8e8543d51 --- /dev/null +++ b/queue-4.18/rdma-bnxt_re-fix-system-crash-during-rdma-resource-initialization.patch @@ -0,0 +1,415 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Selvin Xavier +Date: Thu, 20 Sep 2018 22:33:00 -0700 +Subject: RDMA/bnxt_re: Fix system crash during RDMA resource initialization + +From: Selvin Xavier + +[ Upstream commit de5c95d0f518537f59ee5aef762abc46f868c377 ] + +bnxt_re_ib_reg acquires and releases the rtnl lock whenever it accesses +the L2 driver. + +The following sequence can trigger a crash + +Acquires the rtnl_lock -> + Registers roce driver callback with L2 driver -> + release the rtnl lock +bnxt_re acquires the rtnl_lock -> + Request for MSIx vectors -> + release the rtnl_lock + +Issue happens when bnxt_re proceeds with remaining part of initialization +and L2 driver invokes bnxt_ulp_irq_stop as a part of bnxt_open_nic. + +The crash is in bnxt_qplib_nq_stop_irq as the NQ structures are +not initialized yet, + + +[ 3551.726647] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 3551.726656] IP: [] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re] +[ 3551.726674] PGD 0 +[ 3551.726679] Oops: 0002 1 SMP +... +[ 3551.726822] Hardware name: Dell Inc. PowerEdge R720/08RW36, BIOS 2.4.3 07/09/2014 +[ 3551.726826] task: ffff97e30eec5ee0 ti: ffff97e3173bc000 task.ti: ffff97e3173bc000 +[ 3551.726829] RIP: 0010:[] [] +bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re] +... +[ 3551.726872] Call Trace: +[ 3551.726886] [] bnxt_re_stop_irq+0x4e/0x70 [bnxt_re] +[ 3551.726899] [] bnxt_ulp_irq_stop+0x43/0x70 [bnxt_en] +[ 3551.726908] [] bnxt_reserve_rings+0x174/0x1e0 [bnxt_en] +[ 3551.726917] [] __bnxt_open_nic+0x368/0x9a0 [bnxt_en] +[ 3551.726925] [] bnxt_open_nic+0x1b/0x50 [bnxt_en] +[ 3551.726934] [] bnxt_setup_mq_tc+0x11f/0x260 [bnxt_en] +[ 3551.726943] [] bnxt_dcbnl_ieee_setets+0xb8/0x1f0 [bnxt_en] +[ 3551.726954] [] dcbnl_ieee_set+0x9a/0x250 +[ 3551.726966] [] ? __alloc_skb+0xa1/0x2d0 +[ 3551.726972] [] dcb_doit+0x13a/0x210 +[ 3551.726981] [] rtnetlink_rcv_msg+0xa7/0x260 +[ 3551.726989] [] ? rtnl_unicast+0x20/0x30 +[ 3551.726996] [] ? __kmalloc_node_track_caller+0x58/0x290 +[ 3551.727002] [] ? dcb_doit+0x166/0x210 +[ 3551.727007] [] ? __alloc_skb+0x8d/0x2d0 +[ 3551.727012] [] ? rtnl_newlink+0x880/0x880 +... +[ 3551.727104] [] system_call_fastpath+0x1c/0x21 +... +[ 3551.727164] RIP [] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re] +[ 3551.727175] RSP +[ 3551.727177] CR2: 0000000000000000 + +Avoid this inconsistent state and system crash by acquiring +the rtnl lock for the entire duration of device initialization. +Re-factor the code to remove the rtnl lock from the individual function +and acquire and release it from the caller. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Fixes: 6e04b1035689 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes") +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 93 ++++++++++++++--------------------- + 1 file changed, 38 insertions(+), 55 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -78,7 +78,7 @@ static struct list_head bnxt_re_dev_list + /* Mutex to protect the list of bnxt_re devices added */ + static DEFINE_MUTEX(bnxt_re_dev_lock); + static struct workqueue_struct *bnxt_re_wq; +-static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev, bool lock_wait); ++static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev); + + /* SR-IOV helper functions */ + +@@ -182,7 +182,7 @@ static void bnxt_re_shutdown(void *p) + if (!rdev) + return; + +- bnxt_re_ib_unreg(rdev, false); ++ bnxt_re_ib_unreg(rdev); + } + + static void bnxt_re_stop_irq(void *handle) +@@ -251,7 +251,7 @@ static struct bnxt_ulp_ops bnxt_re_ulp_o + /* Driver registration routines used to let the networking driver (bnxt_en) + * to know that the RoCE driver is now installed + */ +-static int bnxt_re_unregister_netdev(struct bnxt_re_dev *rdev, bool lock_wait) ++static int bnxt_re_unregister_netdev(struct bnxt_re_dev *rdev) + { + struct bnxt_en_dev *en_dev; + int rc; +@@ -260,14 +260,9 @@ static int bnxt_re_unregister_netdev(str + return -EINVAL; + + en_dev = rdev->en_dev; +- /* Acquire rtnl lock if it is not invokded from netdev event */ +- if (lock_wait) +- rtnl_lock(); + + rc = en_dev->en_ops->bnxt_unregister_device(rdev->en_dev, + BNXT_ROCE_ULP); +- if (lock_wait) +- rtnl_unlock(); + return rc; + } + +@@ -281,14 +276,12 @@ static int bnxt_re_register_netdev(struc + + en_dev = rdev->en_dev; + +- rtnl_lock(); + rc = en_dev->en_ops->bnxt_register_device(en_dev, BNXT_ROCE_ULP, + &bnxt_re_ulp_ops, rdev); +- rtnl_unlock(); + return rc; + } + +-static int bnxt_re_free_msix(struct bnxt_re_dev *rdev, bool lock_wait) ++static int bnxt_re_free_msix(struct bnxt_re_dev *rdev) + { + struct bnxt_en_dev *en_dev; + int rc; +@@ -298,13 +291,9 @@ static int bnxt_re_free_msix(struct bnxt + + en_dev = rdev->en_dev; + +- if (lock_wait) +- rtnl_lock(); + + rc = en_dev->en_ops->bnxt_free_msix(rdev->en_dev, BNXT_ROCE_ULP); + +- if (lock_wait) +- rtnl_unlock(); + return rc; + } + +@@ -320,7 +309,6 @@ static int bnxt_re_request_msix(struct b + + num_msix_want = min_t(u32, BNXT_RE_MAX_MSIX, num_online_cpus()); + +- rtnl_lock(); + num_msix_got = en_dev->en_ops->bnxt_request_msix(en_dev, BNXT_ROCE_ULP, + rdev->msix_entries, + num_msix_want); +@@ -335,7 +323,6 @@ static int bnxt_re_request_msix(struct b + } + rdev->num_msix = num_msix_got; + done: +- rtnl_unlock(); + return rc; + } + +@@ -358,24 +345,18 @@ static void bnxt_re_fill_fw_msg(struct b + fw_msg->timeout = timeout; + } + +-static int bnxt_re_net_ring_free(struct bnxt_re_dev *rdev, u16 fw_ring_id, +- bool lock_wait) ++static int bnxt_re_net_ring_free(struct bnxt_re_dev *rdev, u16 fw_ring_id) + { + struct bnxt_en_dev *en_dev = rdev->en_dev; + struct hwrm_ring_free_input req = {0}; + struct hwrm_ring_free_output resp; + struct bnxt_fw_msg fw_msg; +- bool do_unlock = false; + int rc = -EINVAL; + + if (!en_dev) + return rc; + + memset(&fw_msg, 0, sizeof(fw_msg)); +- if (lock_wait) { +- rtnl_lock(); +- do_unlock = true; +- } + + bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_RING_FREE, -1, -1); + req.ring_type = RING_ALLOC_REQ_RING_TYPE_L2_CMPL; +@@ -386,8 +367,6 @@ static int bnxt_re_net_ring_free(struct + if (rc) + dev_err(rdev_to_dev(rdev), + "Failed to free HW ring:%d :%#x", req.ring_id, rc); +- if (do_unlock) +- rtnl_unlock(); + return rc; + } + +@@ -405,7 +384,6 @@ static int bnxt_re_net_ring_alloc(struct + return rc; + + memset(&fw_msg, 0, sizeof(fw_msg)); +- rtnl_lock(); + bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_RING_ALLOC, -1, -1); + req.enables = 0; + req.page_tbl_addr = cpu_to_le64(dma_arr[0]); +@@ -426,27 +404,21 @@ static int bnxt_re_net_ring_alloc(struct + if (!rc) + *fw_ring_id = le16_to_cpu(resp.ring_id); + +- rtnl_unlock(); + return rc; + } + + static int bnxt_re_net_stats_ctx_free(struct bnxt_re_dev *rdev, +- u32 fw_stats_ctx_id, bool lock_wait) ++ u32 fw_stats_ctx_id) + { + struct bnxt_en_dev *en_dev = rdev->en_dev; + struct hwrm_stat_ctx_free_input req = {0}; + struct bnxt_fw_msg fw_msg; +- bool do_unlock = false; + int rc = -EINVAL; + + if (!en_dev) + return rc; + + memset(&fw_msg, 0, sizeof(fw_msg)); +- if (lock_wait) { +- rtnl_lock(); +- do_unlock = true; +- } + + bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_FREE, -1, -1); + req.stat_ctx_id = cpu_to_le32(fw_stats_ctx_id); +@@ -457,8 +429,6 @@ static int bnxt_re_net_stats_ctx_free(st + dev_err(rdev_to_dev(rdev), + "Failed to free HW stats context %#x", rc); + +- if (do_unlock) +- rtnl_unlock(); + return rc; + } + +@@ -478,7 +448,6 @@ static int bnxt_re_net_stats_ctx_alloc(s + return rc; + + memset(&fw_msg, 0, sizeof(fw_msg)); +- rtnl_lock(); + + bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_ALLOC, -1, -1); + req.update_period_ms = cpu_to_le32(1000); +@@ -490,7 +459,6 @@ static int bnxt_re_net_stats_ctx_alloc(s + if (!rc) + *fw_stats_ctx_id = le32_to_cpu(resp.stat_ctx_id); + +- rtnl_unlock(); + return rc; + } + +@@ -929,19 +897,19 @@ fail: + return rc; + } + +-static void bnxt_re_free_nq_res(struct bnxt_re_dev *rdev, bool lock_wait) ++static void bnxt_re_free_nq_res(struct bnxt_re_dev *rdev) + { + int i; + + for (i = 0; i < rdev->num_msix - 1; i++) { +- bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id, lock_wait); ++ bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id); + bnxt_qplib_free_nq(&rdev->nq[i]); + } + } + +-static void bnxt_re_free_res(struct bnxt_re_dev *rdev, bool lock_wait) ++static void bnxt_re_free_res(struct bnxt_re_dev *rdev) + { +- bnxt_re_free_nq_res(rdev, lock_wait); ++ bnxt_re_free_nq_res(rdev); + + if (rdev->qplib_res.dpi_tbl.max) { + bnxt_qplib_dealloc_dpi(&rdev->qplib_res, +@@ -1219,7 +1187,7 @@ static int bnxt_re_setup_qos(struct bnxt + return 0; + } + +-static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev, bool lock_wait) ++static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev) + { + int i, rc; + +@@ -1234,28 +1202,27 @@ static void bnxt_re_ib_unreg(struct bnxt + cancel_delayed_work(&rdev->worker); + + bnxt_re_cleanup_res(rdev); +- bnxt_re_free_res(rdev, lock_wait); ++ bnxt_re_free_res(rdev); + + if (test_and_clear_bit(BNXT_RE_FLAG_RCFW_CHANNEL_EN, &rdev->flags)) { + rc = bnxt_qplib_deinit_rcfw(&rdev->rcfw); + if (rc) + dev_warn(rdev_to_dev(rdev), + "Failed to deinitialize RCFW: %#x", rc); +- bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id, +- lock_wait); ++ bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id); + bnxt_qplib_free_ctx(rdev->en_dev->pdev, &rdev->qplib_ctx); + bnxt_qplib_disable_rcfw_channel(&rdev->rcfw); +- bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id, lock_wait); ++ bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id); + bnxt_qplib_free_rcfw_channel(&rdev->rcfw); + } + if (test_and_clear_bit(BNXT_RE_FLAG_GOT_MSIX, &rdev->flags)) { +- rc = bnxt_re_free_msix(rdev, lock_wait); ++ rc = bnxt_re_free_msix(rdev); + if (rc) + dev_warn(rdev_to_dev(rdev), + "Failed to free MSI-X vectors: %#x", rc); + } + if (test_and_clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags)) { +- rc = bnxt_re_unregister_netdev(rdev, lock_wait); ++ rc = bnxt_re_unregister_netdev(rdev); + if (rc) + dev_warn(rdev_to_dev(rdev), + "Failed to unregister with netdev: %#x", rc); +@@ -1276,6 +1243,12 @@ static int bnxt_re_ib_reg(struct bnxt_re + { + int i, j, rc; + ++ bool locked; ++ ++ /* Acquire rtnl lock through out this function */ ++ rtnl_lock(); ++ locked = true; ++ + /* Registered a new RoCE device instance to netdev */ + rc = bnxt_re_register_netdev(rdev); + if (rc) { +@@ -1374,12 +1347,16 @@ static int bnxt_re_ib_reg(struct bnxt_re + schedule_delayed_work(&rdev->worker, msecs_to_jiffies(30000)); + } + ++ rtnl_unlock(); ++ locked = false; ++ + /* Register ib dev */ + rc = bnxt_re_register_ib(rdev); + if (rc) { + pr_err("Failed to register with IB: %#x\n", rc); + goto fail; + } ++ set_bit(BNXT_RE_FLAG_IBDEV_REGISTERED, &rdev->flags); + dev_info(rdev_to_dev(rdev), "Device registered successfully"); + for (i = 0; i < ARRAY_SIZE(bnxt_re_attributes); i++) { + rc = device_create_file(&rdev->ibdev.dev, +@@ -1395,7 +1372,6 @@ static int bnxt_re_ib_reg(struct bnxt_re + goto fail; + } + } +- set_bit(BNXT_RE_FLAG_IBDEV_REGISTERED, &rdev->flags); + ib_get_eth_speed(&rdev->ibdev, 1, &rdev->active_speed, + &rdev->active_width); + set_bit(BNXT_RE_FLAG_ISSUE_ROCE_STATS, &rdev->flags); +@@ -1404,17 +1380,21 @@ static int bnxt_re_ib_reg(struct bnxt_re + + return 0; + free_sctx: +- bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id, true); ++ bnxt_re_net_stats_ctx_free(rdev, rdev->qplib_ctx.stats.fw_id); + free_ctx: + bnxt_qplib_free_ctx(rdev->en_dev->pdev, &rdev->qplib_ctx); + disable_rcfw: + bnxt_qplib_disable_rcfw_channel(&rdev->rcfw); + free_ring: +- bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id, true); ++ bnxt_re_net_ring_free(rdev, rdev->rcfw.creq_ring_id); + free_rcfw: + bnxt_qplib_free_rcfw_channel(&rdev->rcfw); + fail: +- bnxt_re_ib_unreg(rdev, true); ++ if (!locked) ++ rtnl_lock(); ++ bnxt_re_ib_unreg(rdev); ++ rtnl_unlock(); ++ + return rc; + } + +@@ -1567,7 +1547,7 @@ static int bnxt_re_netdev_event(struct n + */ + if (atomic_read(&rdev->sched_count) > 0) + goto exit; +- bnxt_re_ib_unreg(rdev, false); ++ bnxt_re_ib_unreg(rdev); + bnxt_re_remove_one(rdev); + bnxt_re_dev_unreg(rdev); + break; +@@ -1646,7 +1626,10 @@ static void __exit bnxt_re_mod_exit(void + */ + flush_workqueue(bnxt_re_wq); + bnxt_re_dev_stop(rdev); +- bnxt_re_ib_unreg(rdev, true); ++ /* Acquire the rtnl_lock as the L2 resources are freed here */ ++ rtnl_lock(); ++ bnxt_re_ib_unreg(rdev); ++ rtnl_unlock(); + bnxt_re_remove_one(rdev); + bnxt_re_dev_unreg(rdev); + } diff --git a/queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch b/queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch new file mode 100644 index 00000000000..2ca082c8451 --- /dev/null +++ b/queue-4.18/rdma-uverbs-fix-validity-check-for-modify-qp.patch @@ -0,0 +1,108 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Majd Dibbiny +Date: Tue, 18 Sep 2018 10:51:37 +0300 +Subject: RDMA/uverbs: Fix validity check for modify QP + +From: Majd Dibbiny + +[ Upstream commit 4eeed3686981ff887bbdd7254139e2eca276534c ] + +Uverbs shouldn't enforce QP state in the command unless the user set the QP +state bit in the attribute mask. + +In addition, only copy qp attr fields which have the corresponding bit set +in the attribute mask over to the internal attr structure. + +Fixes: 88de869bbe4f ("RDMA/uverbs: Ensure validity of current QP state value") +Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation") +Signed-off-by: Majd Dibbiny +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_cmd.c | 68 +++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 23 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2048,33 +2048,55 @@ static int modify_qp(struct ib_uverbs_fi + + if ((cmd->base.attr_mask & IB_QP_CUR_STATE && + cmd->base.cur_qp_state > IB_QPS_ERR) || +- cmd->base.qp_state > IB_QPS_ERR) { ++ (cmd->base.attr_mask & IB_QP_STATE && ++ cmd->base.qp_state > IB_QPS_ERR)) { + ret = -EINVAL; + goto release_qp; + } + +- attr->qp_state = cmd->base.qp_state; +- attr->cur_qp_state = cmd->base.cur_qp_state; +- attr->path_mtu = cmd->base.path_mtu; +- attr->path_mig_state = cmd->base.path_mig_state; +- attr->qkey = cmd->base.qkey; +- attr->rq_psn = cmd->base.rq_psn; +- attr->sq_psn = cmd->base.sq_psn; +- attr->dest_qp_num = cmd->base.dest_qp_num; +- attr->qp_access_flags = cmd->base.qp_access_flags; +- attr->pkey_index = cmd->base.pkey_index; +- attr->alt_pkey_index = cmd->base.alt_pkey_index; +- attr->en_sqd_async_notify = cmd->base.en_sqd_async_notify; +- attr->max_rd_atomic = cmd->base.max_rd_atomic; +- attr->max_dest_rd_atomic = cmd->base.max_dest_rd_atomic; +- attr->min_rnr_timer = cmd->base.min_rnr_timer; +- attr->port_num = cmd->base.port_num; +- attr->timeout = cmd->base.timeout; +- attr->retry_cnt = cmd->base.retry_cnt; +- attr->rnr_retry = cmd->base.rnr_retry; +- attr->alt_port_num = cmd->base.alt_port_num; +- attr->alt_timeout = cmd->base.alt_timeout; +- attr->rate_limit = cmd->rate_limit; ++ if (cmd->base.attr_mask & IB_QP_STATE) ++ attr->qp_state = cmd->base.qp_state; ++ if (cmd->base.attr_mask & IB_QP_CUR_STATE) ++ attr->cur_qp_state = cmd->base.cur_qp_state; ++ if (cmd->base.attr_mask & IB_QP_PATH_MTU) ++ attr->path_mtu = cmd->base.path_mtu; ++ if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE) ++ attr->path_mig_state = cmd->base.path_mig_state; ++ if (cmd->base.attr_mask & IB_QP_QKEY) ++ attr->qkey = cmd->base.qkey; ++ if (cmd->base.attr_mask & IB_QP_RQ_PSN) ++ attr->rq_psn = cmd->base.rq_psn; ++ if (cmd->base.attr_mask & IB_QP_SQ_PSN) ++ attr->sq_psn = cmd->base.sq_psn; ++ if (cmd->base.attr_mask & IB_QP_DEST_QPN) ++ attr->dest_qp_num = cmd->base.dest_qp_num; ++ if (cmd->base.attr_mask & IB_QP_ACCESS_FLAGS) ++ attr->qp_access_flags = cmd->base.qp_access_flags; ++ if (cmd->base.attr_mask & IB_QP_PKEY_INDEX) ++ attr->pkey_index = cmd->base.pkey_index; ++ if (cmd->base.attr_mask & IB_QP_EN_SQD_ASYNC_NOTIFY) ++ attr->en_sqd_async_notify = cmd->base.en_sqd_async_notify; ++ if (cmd->base.attr_mask & IB_QP_MAX_QP_RD_ATOMIC) ++ attr->max_rd_atomic = cmd->base.max_rd_atomic; ++ if (cmd->base.attr_mask & IB_QP_MAX_DEST_RD_ATOMIC) ++ attr->max_dest_rd_atomic = cmd->base.max_dest_rd_atomic; ++ if (cmd->base.attr_mask & IB_QP_MIN_RNR_TIMER) ++ attr->min_rnr_timer = cmd->base.min_rnr_timer; ++ if (cmd->base.attr_mask & IB_QP_PORT) ++ attr->port_num = cmd->base.port_num; ++ if (cmd->base.attr_mask & IB_QP_TIMEOUT) ++ attr->timeout = cmd->base.timeout; ++ if (cmd->base.attr_mask & IB_QP_RETRY_CNT) ++ attr->retry_cnt = cmd->base.retry_cnt; ++ if (cmd->base.attr_mask & IB_QP_RNR_RETRY) ++ attr->rnr_retry = cmd->base.rnr_retry; ++ if (cmd->base.attr_mask & IB_QP_ALT_PATH) { ++ attr->alt_port_num = cmd->base.alt_port_num; ++ attr->alt_timeout = cmd->base.alt_timeout; ++ attr->alt_pkey_index = cmd->base.alt_pkey_index; ++ } ++ if (cmd->base.attr_mask & IB_QP_RATE_LIMIT) ++ attr->rate_limit = cmd->rate_limit; + + if (cmd->base.attr_mask & IB_QP_AV) + copy_ah_attr_from_uverbs(qp->device, &attr->ah_attr, diff --git a/queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch b/queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch new file mode 100644 index 00000000000..a7c33bdbbf5 --- /dev/null +++ b/queue-4.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: James Cowgill +Date: Thu, 6 Sep 2018 22:57:56 +0100 +Subject: RISC-V: include linux/ftrace.h in asm-prototypes.h + +From: James Cowgill + +[ Upstream commit 57a489786de9ec37d6e25ef1305dc337047f0236 ] + +Building a riscv kernel with CONFIG_FUNCTION_TRACER and +CONFIG_MODVERSIONS enabled results in these two warnings: + + MODPOST vmlinux.o +WARNING: EXPORT symbol "return_to_handler" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned. + +When exporting symbols from an assembly file, the MODVERSIONS code +requires their prototypes to be defined in asm-prototypes.h (see +scripts/Makefile.build). Since both of these symbols have prototypes +defined in linux/ftrace.h, include this header from RISC-V's +asm-prototypes.h. + +Reported-by: Karsten Merker +Signed-off-by: James Cowgill +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/asm-prototypes.h | 7 +++++++ + 1 file changed, 7 insertions(+) + create mode 100644 arch/riscv/include/asm/asm-prototypes.h + +--- /dev/null ++++ b/arch/riscv/include/asm/asm-prototypes.h +@@ -0,0 +1,7 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_RISCV_PROTOTYPES_H ++ ++#include ++#include ++ ++#endif /* _ASM_RISCV_PROTOTYPES_H */ diff --git a/queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch b/queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch new file mode 100644 index 00000000000..f928f898d1a --- /dev/null +++ b/queue-4.18/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Laura Abbott +Date: Tue, 11 Sep 2018 12:22:26 -0700 +Subject: scsi: ibmvscsis: Ensure partition name is properly NUL terminated + +From: Laura Abbott + +[ Upstream commit adad633af7b970bfa5dd1b624a4afc83cac9b235 ] + +While reviewing another part of the code, Kees noticed that the strncpy of the +partition name might not always be NUL terminated. Switch to using strscpy +which does this safely. + +Reported-by: Kees Cook +Signed-off-by: Laura Abbott +Reviewed-by: Kees Cook +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c ++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +@@ -3478,7 +3478,7 @@ static int ibmvscsis_probe(struct vio_de + snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name); + + vscsi->dds.unit_id = vdev->unit_address; +- strncpy(vscsi->dds.partition_name, partition_name, ++ strscpy(vscsi->dds.partition_name, partition_name, + sizeof(vscsi->dds.partition_name)); + vscsi->dds.partition_num = partition_number; + diff --git a/queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch b/queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch new file mode 100644 index 00000000000..216345343e9 --- /dev/null +++ b/queue-4.18/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Laura Abbott +Date: Tue, 11 Sep 2018 12:22:25 -0700 +Subject: scsi: ibmvscsis: Fix a stringop-overflow warning + +From: Laura Abbott + +[ Upstream commit d792d4c4fc866ae224b0b0ca2aabd87d23b4d6cc ] + +There's currently a warning about string overflow with strncat: + +drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe': +drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified +bound 64 equals destination size [-Werror=stringop-overflow=] + strncat(vscsi->eye, vdev->name, MAX_EYE); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Switch to a single snprintf instead of a strcpy + strcat to handle this +cleanly. + +Signed-off-by: Laura Abbott +Suggested-by: Kees Cook +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c ++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +@@ -3475,8 +3475,7 @@ static int ibmvscsis_probe(struct vio_de + vscsi->dds.window[LOCAL].liobn, + vscsi->dds.window[REMOTE].liobn); + +- strcpy(vscsi->eye, "VSCSI "); +- strncat(vscsi->eye, vdev->name, MAX_EYE); ++ snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name); + + vscsi->dds.unit_id = vdev->unit_address; + strncpy(vscsi->dds.partition_name, partition_name, diff --git a/queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch b/queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch new file mode 100644 index 00000000000..26e2c95d8c7 --- /dev/null +++ b/queue-4.18/scsi-ipr-system-hung-while-dlpar-adding-primary-ipr-adapter-back.patch @@ -0,0 +1,181 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Wen Xiong +Date: Thu, 20 Sep 2018 19:32:12 -0500 +Subject: scsi: ipr: System hung while dlpar adding primary ipr adapter back + +From: Wen Xiong + +[ Upstream commit 318ddb34b2052f838aa243d07173e2badf3e630e ] + +While dlpar adding primary ipr adapter back, driver goes through adapter +initialization then schedule ipr_worker_thread to start te disk scan by +dropping the host lock, calling scsi_add_device. Then get the adapter reset +request again, so driver does scsi_block_requests, this will cause the +scsi_add_device get hung until we unblock. But we can't run ipr_worker_thread +to do the unblock because its stuck in scsi_add_device. + +This patch fixes the issue. + +[mkp: typo and whitespace fixes] + +Signed-off-by: Wen Xiong +Acked-by: Brian King +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ipr.c | 106 ++++++++++++++++++++++++++++++----------------------- + drivers/scsi/ipr.h | 1 + 2 files changed, 62 insertions(+), 45 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -3310,6 +3310,65 @@ static void ipr_release_dump(struct kref + LEAVE; + } + ++static void ipr_add_remove_thread(struct work_struct *work) ++{ ++ unsigned long lock_flags; ++ struct ipr_resource_entry *res; ++ struct scsi_device *sdev; ++ struct ipr_ioa_cfg *ioa_cfg = ++ container_of(work, struct ipr_ioa_cfg, scsi_add_work_q); ++ u8 bus, target, lun; ++ int did_work; ++ ++ ENTER; ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ ++restart: ++ do { ++ did_work = 0; ++ if (!ioa_cfg->hrrq[IPR_INIT_HRRQ].allow_cmds) { ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); ++ return; ++ } ++ ++ list_for_each_entry(res, &ioa_cfg->used_res_q, queue) { ++ if (res->del_from_ml && res->sdev) { ++ did_work = 1; ++ sdev = res->sdev; ++ if (!scsi_device_get(sdev)) { ++ if (!res->add_to_ml) ++ list_move_tail(&res->queue, &ioa_cfg->free_res_q); ++ else ++ res->del_from_ml = 0; ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); ++ scsi_remove_device(sdev); ++ scsi_device_put(sdev); ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ } ++ break; ++ } ++ } ++ } while (did_work); ++ ++ list_for_each_entry(res, &ioa_cfg->used_res_q, queue) { ++ if (res->add_to_ml) { ++ bus = res->bus; ++ target = res->target; ++ lun = res->lun; ++ res->add_to_ml = 0; ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); ++ scsi_add_device(ioa_cfg->host, bus, target, lun); ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ goto restart; ++ } ++ } ++ ++ ioa_cfg->scan_done = 1; ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); ++ kobject_uevent(&ioa_cfg->host->shost_dev.kobj, KOBJ_CHANGE); ++ LEAVE; ++} ++ + /** + * ipr_worker_thread - Worker thread + * @work: ioa config struct +@@ -3324,13 +3383,9 @@ static void ipr_release_dump(struct kref + static void ipr_worker_thread(struct work_struct *work) + { + unsigned long lock_flags; +- struct ipr_resource_entry *res; +- struct scsi_device *sdev; + struct ipr_dump *dump; + struct ipr_ioa_cfg *ioa_cfg = + container_of(work, struct ipr_ioa_cfg, work_q); +- u8 bus, target, lun; +- int did_work; + + ENTER; + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); +@@ -3368,49 +3423,9 @@ static void ipr_worker_thread(struct wor + return; + } + +-restart: +- do { +- did_work = 0; +- if (!ioa_cfg->hrrq[IPR_INIT_HRRQ].allow_cmds) { +- spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); +- return; +- } ++ schedule_work(&ioa_cfg->scsi_add_work_q); + +- list_for_each_entry(res, &ioa_cfg->used_res_q, queue) { +- if (res->del_from_ml && res->sdev) { +- did_work = 1; +- sdev = res->sdev; +- if (!scsi_device_get(sdev)) { +- if (!res->add_to_ml) +- list_move_tail(&res->queue, &ioa_cfg->free_res_q); +- else +- res->del_from_ml = 0; +- spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); +- scsi_remove_device(sdev); +- scsi_device_put(sdev); +- spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); +- } +- break; +- } +- } +- } while (did_work); +- +- list_for_each_entry(res, &ioa_cfg->used_res_q, queue) { +- if (res->add_to_ml) { +- bus = res->bus; +- target = res->target; +- lun = res->lun; +- res->add_to_ml = 0; +- spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); +- scsi_add_device(ioa_cfg->host, bus, target, lun); +- spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); +- goto restart; +- } +- } +- +- ioa_cfg->scan_done = 1; + spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); +- kobject_uevent(&ioa_cfg->host->shost_dev.kobj, KOBJ_CHANGE); + LEAVE; + } + +@@ -9908,6 +9923,7 @@ static void ipr_init_ioa_cfg(struct ipr_ + INIT_LIST_HEAD(&ioa_cfg->free_res_q); + INIT_LIST_HEAD(&ioa_cfg->used_res_q); + INIT_WORK(&ioa_cfg->work_q, ipr_worker_thread); ++ INIT_WORK(&ioa_cfg->scsi_add_work_q, ipr_add_remove_thread); + init_waitqueue_head(&ioa_cfg->reset_wait_q); + init_waitqueue_head(&ioa_cfg->msi_wait_q); + init_waitqueue_head(&ioa_cfg->eeh_wait_q); +--- a/drivers/scsi/ipr.h ++++ b/drivers/scsi/ipr.h +@@ -1568,6 +1568,7 @@ struct ipr_ioa_cfg { + u8 saved_mode_page_len; + + struct work_struct work_q; ++ struct work_struct scsi_add_work_q; + struct workqueue_struct *reset_work_q; + + wait_queue_head_t reset_wait_q; diff --git a/queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch b/queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch new file mode 100644 index 00000000000..ccf654c7ae3 --- /dev/null +++ b/queue-4.18/scsi-lpfc-synchronize-access-to-remoteport-via-rport.patch @@ -0,0 +1,133 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: James Smart +Date: Thu, 13 Sep 2018 15:41:10 -0700 +Subject: scsi: lpfc: Synchronize access to remoteport via rport + +From: James Smart + +[ Upstream commit 9e210178267b80c4eeb832fade7e146a18c84915 ] + +The driver currently uses the ndlp to get the local rport which is then used +to get the nvme transport remoteport pointer. There can be cases where a stale +remoteport pointer is obtained as synchronization isn't done through the +different dereferences. + +Correct by using locks to synchronize the dereferences. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_attr.c | 15 ++++++++++----- + drivers/scsi/lpfc/lpfc_debugfs.c | 10 +++++----- + drivers/scsi/lpfc/lpfc_nvme.c | 11 ++++++++--- + 3 files changed, 23 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -320,12 +320,12 @@ lpfc_nvme_info_show(struct device *dev, + localport->port_id, statep); + + list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { ++ nrport = NULL; ++ spin_lock(&vport->phba->hbalock); + rport = lpfc_ndlp_get_nrport(ndlp); +- if (!rport) +- continue; +- +- /* local short-hand pointer. */ +- nrport = rport->remoteport; ++ if (rport) ++ nrport = rport->remoteport; ++ spin_unlock(&vport->phba->hbalock); + if (!nrport) + continue; + +@@ -3304,6 +3304,7 @@ lpfc_update_rport_devloss_tmo(struct lpf + struct lpfc_nodelist *ndlp; + #if (IS_ENABLED(CONFIG_NVME_FC)) + struct lpfc_nvme_rport *rport; ++ struct nvme_fc_remote_port *remoteport = NULL; + #endif + + shost = lpfc_shost_from_vport(vport); +@@ -3314,8 +3315,12 @@ lpfc_update_rport_devloss_tmo(struct lpf + if (ndlp->rport) + ndlp->rport->dev_loss_tmo = vport->cfg_devloss_tmo; + #if (IS_ENABLED(CONFIG_NVME_FC)) ++ spin_lock(&vport->phba->hbalock); + rport = lpfc_ndlp_get_nrport(ndlp); + if (rport) ++ remoteport = rport->remoteport; ++ spin_unlock(&vport->phba->hbalock); ++ if (remoteport) + nvme_fc_set_remoteport_devloss(rport->remoteport, + vport->cfg_devloss_tmo); + #endif +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -551,7 +551,7 @@ lpfc_debugfs_nodelist_data(struct lpfc_v + unsigned char *statep; + struct nvme_fc_local_port *localport; + struct lpfc_nvmet_tgtport *tgtp; +- struct nvme_fc_remote_port *nrport; ++ struct nvme_fc_remote_port *nrport = NULL; + struct lpfc_nvme_rport *rport; + + cnt = (LPFC_NODELIST_SIZE / LPFC_NODELIST_ENTRY_SIZE); +@@ -696,11 +696,11 @@ lpfc_debugfs_nodelist_data(struct lpfc_v + len += snprintf(buf + len, size - len, "\tRport List:\n"); + list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { + /* local short-hand pointer. */ ++ spin_lock(&phba->hbalock); + rport = lpfc_ndlp_get_nrport(ndlp); +- if (!rport) +- continue; +- +- nrport = rport->remoteport; ++ if (rport) ++ nrport = rport->remoteport; ++ spin_unlock(&phba->hbalock); + if (!nrport) + continue; + +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2718,7 +2718,9 @@ lpfc_nvme_register_port(struct lpfc_vpor + rpinfo.port_name = wwn_to_u64(ndlp->nlp_portname.u.wwn); + rpinfo.node_name = wwn_to_u64(ndlp->nlp_nodename.u.wwn); + ++ spin_lock_irq(&vport->phba->hbalock); + oldrport = lpfc_ndlp_get_nrport(ndlp); ++ spin_unlock_irq(&vport->phba->hbalock); + if (!oldrport) + lpfc_nlp_get(ndlp); + +@@ -2833,7 +2835,7 @@ lpfc_nvme_unregister_port(struct lpfc_vp + struct nvme_fc_local_port *localport; + struct lpfc_nvme_lport *lport; + struct lpfc_nvme_rport *rport; +- struct nvme_fc_remote_port *remoteport; ++ struct nvme_fc_remote_port *remoteport = NULL; + + localport = vport->localport; + +@@ -2847,11 +2849,14 @@ lpfc_nvme_unregister_port(struct lpfc_vp + if (!lport) + goto input_err; + ++ spin_lock_irq(&vport->phba->hbalock); + rport = lpfc_ndlp_get_nrport(ndlp); +- if (!rport) ++ if (rport) ++ remoteport = rport->remoteport; ++ spin_unlock_irq(&vport->phba->hbalock); ++ if (!remoteport) + goto input_err; + +- remoteport = rport->remoteport; + lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC, + "6033 Unreg nvme remoteport %p, portname x%llx, " + "port_id x%06x, portstate x%x port type x%x\n", diff --git a/queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch b/queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch new file mode 100644 index 00000000000..741f540aa67 --- /dev/null +++ b/queue-4.18/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Johannes Thumshirn +Date: Fri, 21 Sep 2018 09:01:01 +0200 +Subject: scsi: sd: don't crash the host on invalid commands + +From: Johannes Thumshirn + +[ Upstream commit f1f1fadacaf08b7cf11714c0c29f8fa4d4ef68a9 ] + +When sd_init_command() get's a command with a unknown req_op() it crashes the +system via BUG(). + +This makes debugging the actual reason for the broken request cmd_flags pretty +hard as the system is down before it's able to write out debugging data on the +serial console or the trace buffer. + +Change the BUG() to a WARN_ON() and return BLKPREP_KILL to fail gracefully and +return an I/O error to the producer of the request. + +Signed-off-by: Johannes Thumshirn +Cc: Hannes Reinecke +Cc: Bart Van Assche +Cc: Christoph Hellwig +Reviewed-by: Christoph Hellwig +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1277,7 +1277,8 @@ static int sd_init_command(struct scsi_c + case REQ_OP_ZONE_RESET: + return sd_zbc_setup_reset_cmnd(cmd); + default: +- BUG(); ++ WARN_ON_ONCE(1); ++ return BLKPREP_KILL; + } + } + diff --git a/queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch b/queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch new file mode 100644 index 00000000000..abc2ba2a2bc --- /dev/null +++ b/queue-4.18/selftests-pmtu-properly-redirect-stderr-to-dev-null.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Sabrina Dubroca +Date: Mon, 17 Sep 2018 15:30:06 +0200 +Subject: selftests: pmtu: properly redirect stderr to /dev/null + +From: Sabrina Dubroca + +[ Upstream commit 0a286afee5a1e8dca86d824209dbd3200294f86f ] + +The cleanup function uses "$CMD 2 > /dev/null", which doesn't actually +send stderr to /dev/null, so when the netns doesn't exist, the error +message is shown. Use "2> /dev/null" instead, so that those messages +disappear, as was intended. + +Fixes: d1f1b9cbf34c ("selftests: net: Introduce first PMTU test") +Signed-off-by: Sabrina Dubroca +Acked-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/pmtu.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -178,8 +178,8 @@ setup() { + + cleanup() { + [ ${cleanup_done} -eq 1 ] && return +- ip netns del ${NS_A} 2 > /dev/null +- ip netns del ${NS_B} 2 > /dev/null ++ ip netns del ${NS_A} 2> /dev/null ++ ip netns del ${NS_B} 2> /dev/null + cleanup_done=1 + } + diff --git a/queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch b/queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch new file mode 100644 index 00000000000..5e6b6a8e78d --- /dev/null +++ b/queue-4.18/soundwire-fix-acquiring-bus-lock-twice-during-master-release.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Sanyog Kale +Date: Fri, 27 Jul 2018 14:44:10 +0530 +Subject: soundwire: Fix acquiring bus lock twice during master release + +From: Sanyog Kale + +[ Upstream commit 8d6ccf5cebbc7ed1dee9986e36853a78dfb64084 ] + +As part of sdw_stream_remove_master(), sdw_stream_remove_slave() is called +which results in bus lock being acquired twice. + +So, fix it by performing specific Slave remove operations in +sdw_release_master_stream() instead of calling sdw_stream_remove_slave(). + +Signed-off-by: Sanyog Kale +Signed-off-by: Shreyas NC +Acked-by: Pierre-Louis Bossart +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/stream.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -899,9 +899,10 @@ static void sdw_release_master_stream(st + struct sdw_master_runtime *m_rt = stream->m_rt; + struct sdw_slave_runtime *s_rt, *_s_rt; + +- list_for_each_entry_safe(s_rt, _s_rt, +- &m_rt->slave_rt_list, m_rt_node) +- sdw_stream_remove_slave(s_rt->slave, stream); ++ list_for_each_entry_safe(s_rt, _s_rt, &m_rt->slave_rt_list, m_rt_node) { ++ sdw_slave_port_release(s_rt->slave->bus, s_rt->slave, stream); ++ sdw_release_slave_stream(s_rt->slave, stream); ++ } + + list_del(&m_rt->bus_node); + } diff --git a/queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch b/queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch new file mode 100644 index 00000000000..0f068e9905e --- /dev/null +++ b/queue-4.18/soundwire-fix-duplicate-stream-state-assignment.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Shreyas NC +Date: Fri, 27 Jul 2018 14:44:08 +0530 +Subject: soundwire: Fix duplicate stream state assignment + +From: Shreyas NC + +[ Upstream commit 0aebe40bae6cf5652fdc3d05ecee15fbf5748194 ] + +For a SoundWire stream it is expected that a Slave is added to the +stream before Master is added. + +So, move the stream state to CONFIGURED after the first Slave is +added and remove the stream state assignment for Master add. +Along with these changes, add additional comments to explain the same. + +Signed-off-by: Shreyas NC +Acked-by: Pierre-Louis Bossart +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/stream.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1123,8 +1123,6 @@ int sdw_stream_add_master(struct sdw_bus + if (ret) + goto stream_error; + +- stream->state = SDW_STREAM_CONFIGURED; +- + stream_error: + sdw_release_master_stream(stream); + error: +@@ -1141,6 +1139,10 @@ EXPORT_SYMBOL(sdw_stream_add_master); + * @stream: SoundWire stream + * @port_config: Port configuration for audio stream + * @num_ports: Number of ports ++ * ++ * It is expected that Slave is added before adding Master ++ * to the Stream. ++ * + */ + int sdw_stream_add_slave(struct sdw_slave *slave, + struct sdw_stream_config *stream_config, +@@ -1186,6 +1188,12 @@ int sdw_stream_add_slave(struct sdw_slav + if (ret) + goto stream_error; + ++ /* ++ * Change stream state to CONFIGURED on first Slave add. ++ * Bus is not aware of number of Slave(s) in a stream at this ++ * point so cannot depend on all Slave(s) to be added in order to ++ * change stream state to CONFIGURED. ++ */ + stream->state = SDW_STREAM_CONFIGURED; + goto error; + diff --git a/queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch b/queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch new file mode 100644 index 00000000000..7bdbabe1f19 --- /dev/null +++ b/queue-4.18/soundwire-fix-incorrect-exit-after-configuring-stream.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Shreyas NC +Date: Fri, 27 Jul 2018 14:44:09 +0530 +Subject: soundwire: Fix incorrect exit after configuring stream + +From: Shreyas NC + +[ Upstream commit 3fef1a2259c556cce34df2791688cb3001f81c92 ] + +In sdw_stream_add_master() after the Master ports are configured, +the stream is released incorrectly. + +So, fix it by avoiding stream release after configuring the Master +for the stream. +While at it, rename the label appropriately. + +Signed-off-by: Shreyas NC +Acked-by: Pierre-Louis Bossart +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/stream.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1112,7 +1112,7 @@ int sdw_stream_add_master(struct sdw_bus + "Master runtime config failed for stream:%s", + stream->name); + ret = -ENOMEM; +- goto error; ++ goto unlock; + } + + ret = sdw_config_stream(bus->dev, stream, stream_config, false); +@@ -1123,9 +1123,11 @@ int sdw_stream_add_master(struct sdw_bus + if (ret) + goto stream_error; + ++ goto unlock; ++ + stream_error: + sdw_release_master_stream(stream); +-error: ++unlock: + mutex_unlock(&bus->bus_lock); + return ret; + } diff --git a/queue-4.18/spi-gpio-fix-copy-and-paste-error.patch b/queue-4.18/spi-gpio-fix-copy-and-paste-error.patch new file mode 100644 index 00000000000..70c3af0fe2b --- /dev/null +++ b/queue-4.18/spi-gpio-fix-copy-and-paste-error.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 18 11:08:34 CEST 2018 +From: Linus Walleij +Date: Tue, 4 Sep 2018 15:39:30 +0200 +Subject: spi: gpio: Fix copy-and-paste error + +From: Linus Walleij + +[ Upstream commit 1723c3155f117ee6e00f28fadf6e9eda4fc85806 ] + +This fixes an embarrassing copy-and-paste error in the +errorpath of spi_gpio_request(): we were checking the wrong +struct member for error code right after retrieveing the +sck GPIO. + +Fixes: 9b00bc7b901ff672 ("spi: spi-gpio: Rewrite to use GPIO descriptors") +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-gpio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-gpio.c ++++ b/drivers/spi/spi-gpio.c +@@ -287,8 +287,8 @@ static int spi_gpio_request(struct devic + *mflags |= SPI_MASTER_NO_RX; + + spi_gpio->sck = devm_gpiod_get(dev, "sck", GPIOD_OUT_LOW); +- if (IS_ERR(spi_gpio->mosi)) +- return PTR_ERR(spi_gpio->mosi); ++ if (IS_ERR(spi_gpio->sck)) ++ return PTR_ERR(spi_gpio->sck); + + for (i = 0; i < num_chipselects; i++) { + spi_gpio->cs_gpios[i] = devm_gpiod_get_index(dev, "cs", diff --git a/queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch b/queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch new file mode 100644 index 00000000000..b3da0fbebc5 --- /dev/null +++ b/queue-4.18/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch @@ -0,0 +1,100 @@ +From foo@baz Thu Oct 18 11:08:35 CEST 2018 +From: Kairui Song +Date: Thu, 27 Sep 2018 20:38:45 +0800 +Subject: x86/boot: Fix kexec booting failure in the SEV bit detection code + +From: Kairui Song + +[ Upstream commit bdec8d7fa55e6f5314ed72e5a0b435d90ff90548 ] + +Commit + + 1958b5fc4010 ("x86/boot: Add early boot support when running with SEV active") + +can occasionally cause system resets when kexec-ing a second kernel even +if SEV is not active. + +That's because get_sev_encryption_bit() uses 32-bit rIP-relative +addressing to read the value of enc_bit - a variable which caches a +previously detected encryption bit position - but kexec may allocate +the early boot code to a higher location, beyond the 32-bit addressing +limit. + +In this case, garbage will be read and get_sev_encryption_bit() will +return the wrong value, leading to accessing memory with the wrong +encryption setting. + +Therefore, remove enc_bit, and thus get rid of the need to do 32-bit +rIP-relative addressing in the first place. + + [ bp: massage commit message heavily. ] + +Fixes: 1958b5fc4010 ("x86/boot: Add early boot support when running with SEV active") +Suggested-by: Borislav Petkov +Signed-off-by: Kairui Song +Signed-off-by: Borislav Petkov +Reviewed-by: Tom Lendacky +Cc: linux-kernel@vger.kernel.org +Cc: tglx@linutronix.de +Cc: mingo@redhat.com +Cc: hpa@zytor.com +Cc: brijesh.singh@amd.com +Cc: kexec@lists.infradead.org +Cc: dyoung@redhat.com +Cc: bhe@redhat.com +Cc: ghook@redhat.com +Link: https://lkml.kernel.org/r/20180927123845.32052-1-kasong@redhat.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/mem_encrypt.S | 19 ------------------- + 1 file changed, 19 deletions(-) + +--- a/arch/x86/boot/compressed/mem_encrypt.S ++++ b/arch/x86/boot/compressed/mem_encrypt.S +@@ -25,20 +25,6 @@ ENTRY(get_sev_encryption_bit) + push %ebx + push %ecx + push %edx +- push %edi +- +- /* +- * RIP-relative addressing is needed to access the encryption bit +- * variable. Since we are running in 32-bit mode we need this call/pop +- * sequence to get the proper relative addressing. +- */ +- call 1f +-1: popl %edi +- subl $1b, %edi +- +- movl enc_bit(%edi), %eax +- cmpl $0, %eax +- jge .Lsev_exit + + /* Check if running under a hypervisor */ + movl $1, %eax +@@ -69,15 +55,12 @@ ENTRY(get_sev_encryption_bit) + + movl %ebx, %eax + andl $0x3f, %eax /* Return the encryption bit location */ +- movl %eax, enc_bit(%edi) + jmp .Lsev_exit + + .Lno_sev: + xor %eax, %eax +- movl %eax, enc_bit(%edi) + + .Lsev_exit: +- pop %edi + pop %edx + pop %ecx + pop %ebx +@@ -113,8 +96,6 @@ ENTRY(set_sev_encryption_mask) + ENDPROC(set_sev_encryption_mask) + + .data +-enc_bit: +- .int 0xffffffff + + #ifdef CONFIG_AMD_MEM_ENCRYPT + .balign 8