From: Greg Kroah-Hartman Date: Tue, 1 Oct 2019 18:06:36 +0000 (+0200) Subject: 5.3-stable patches X-Git-Tag: v4.4.195~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6edd007324519d9f83f71e9e45b8244e6fa133e7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch arm-omap2plus_defconfig-fix-missing-video.patch ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch ib-mlx5-free-mpi-in-mp_slave-mode.patch iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch randstruct-check-member-structs-in-is_pure_ops_struct.patch rdma-fix-double-free-in-srq-creation-error-flow.patch scsi-implement-.cleanup_rq-callback.patch scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch --- diff --git a/queue-5.3/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch b/queue-5.3/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch new file mode 100644 index 00000000000..d1de1b758e8 --- /dev/null +++ b/queue-5.3/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch @@ -0,0 +1,110 @@ +From e1a00b5b253a4f97216b9a33199a863987075162 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 10 Sep 2019 22:51:52 +0900 +Subject: ALSA: firewire-tascam: check intermediate state of clock status and retry + +From: Takashi Sakamoto + +commit e1a00b5b253a4f97216b9a33199a863987075162 upstream. + +2 bytes in MSB of register for clock status is zero during intermediate +state after changing status of sampling clock in models of TASCAM FireWire +series. The duration of this state differs depending on cases. During the +state, it's better to retry reading the register for current status of +the clock. + +In current implementation, the intermediate state is checked only when +getting current sampling transmission frequency, then retry reading. +This care is required for the other operations to read the register. + +This commit moves the codes of check and retry into helper function +commonly used for operations to read the register. + +Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality") +Cc: # v4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20190910135152.29800-3-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam-stream.c | 42 ++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/sound/firewire/tascam/tascam-stream.c ++++ b/sound/firewire/tascam/tascam-stream.c +@@ -8,20 +8,37 @@ + #include + #include "tascam.h" + ++#define CLOCK_STATUS_MASK 0xffff0000 ++#define CLOCK_CONFIG_MASK 0x0000ffff ++ + #define CALLBACK_TIMEOUT 500 + + static int get_clock(struct snd_tscm *tscm, u32 *data) + { ++ int trial = 0; + __be32 reg; + int err; + +- err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST, +- TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS, +- ®, sizeof(reg), 0); +- if (err >= 0) ++ while (trial++ < 5) { ++ err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST, ++ TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS, ++ ®, sizeof(reg), 0); ++ if (err < 0) ++ return err; ++ + *data = be32_to_cpu(reg); ++ if (*data & CLOCK_STATUS_MASK) ++ break; ++ ++ // In intermediate state after changing clock status. ++ msleep(50); ++ } + +- return err; ++ // Still in the intermediate state. ++ if (trial >= 5) ++ return -EAGAIN; ++ ++ return 0; + } + + static int set_clock(struct snd_tscm *tscm, unsigned int rate, +@@ -34,7 +51,7 @@ static int set_clock(struct snd_tscm *ts + err = get_clock(tscm, &data); + if (err < 0) + return err; +- data &= 0x0000ffff; ++ data &= CLOCK_CONFIG_MASK; + + if (rate > 0) { + data &= 0x000000ff; +@@ -79,17 +96,14 @@ static int set_clock(struct snd_tscm *ts + + int snd_tscm_stream_get_rate(struct snd_tscm *tscm, unsigned int *rate) + { +- u32 data = 0x0; +- unsigned int trials = 0; ++ u32 data; + int err; + +- while (data == 0x0 || trials++ < 5) { +- err = get_clock(tscm, &data); +- if (err < 0) +- return err; ++ err = get_clock(tscm, &data); ++ if (err < 0) ++ return err; + +- data = (data & 0xff000000) >> 24; +- } ++ data = (data & 0xff000000) >> 24; + + /* Check base rate. */ + if ((data & 0x0f) == 0x01) diff --git a/queue-5.3/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch b/queue-5.3/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch new file mode 100644 index 00000000000..3fb985cade4 --- /dev/null +++ b/queue-5.3/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch @@ -0,0 +1,35 @@ +From 2617120f4de6d0423384e0e86b14c78b9de84d5a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 10 Sep 2019 22:51:51 +0900 +Subject: ALSA: firewire-tascam: handle error code when getting current source of clock + +From: Takashi Sakamoto + +commit 2617120f4de6d0423384e0e86b14c78b9de84d5a upstream. + +The return value of snd_tscm_stream_get_clock() is ignored. This commit +checks the value and handle error. + +Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality") +Cc: # v4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20190910135152.29800-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam-pcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/firewire/tascam/tascam-pcm.c ++++ b/sound/firewire/tascam/tascam-pcm.c +@@ -56,6 +56,9 @@ static int pcm_open(struct snd_pcm_subst + goto err_locked; + + err = snd_tscm_stream_get_clock(tscm, &clock); ++ if (err < 0) ++ goto err_locked; ++ + if (clock != SND_TSCM_CLOCK_INTERNAL || + amdtp_stream_pcm_running(&tscm->rx_stream) || + amdtp_stream_pcm_running(&tscm->tx_stream)) { diff --git a/queue-5.3/arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch b/queue-5.3/arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch new file mode 100644 index 00000000000..79320da912a --- /dev/null +++ b/queue-5.3/arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch @@ -0,0 +1,86 @@ +From f9f5518a38684e031d913f40482721ff553f5ba2 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Wed, 28 Aug 2019 13:33:50 -0500 +Subject: ARM: dts: logicpd-torpedo-baseboard: Fix missing video + +From: Adam Ford + +commit f9f5518a38684e031d913f40482721ff553f5ba2 upstream. + +A previous commit removed the panel-dpi driver, which made the +Torpedo video stop working because it relied on the dpi driver +for setting video timings. Now that the simple-panel driver is +available in omap2plus, this patch migrates the Torpedo dev kits +to use a similar panel and remove the manual timing requirements. + +Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi | 37 +++-------------------- + 1 file changed, 6 insertions(+), 31 deletions(-) + +--- a/arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi ++++ b/arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi +@@ -108,7 +108,6 @@ + &dss { + status = "ok"; + vdds_dsi-supply = <&vpll2>; +- vdda_video-supply = <&video_reg>; + pinctrl-names = "default"; + pinctrl-0 = <&dss_dpi_pins1>; + port { +@@ -124,44 +123,20 @@ + display0 = &lcd0; + }; + +- video_reg: video_reg { +- pinctrl-names = "default"; +- pinctrl-0 = <&panel_pwr_pins>; +- compatible = "regulator-fixed"; +- regulator-name = "fixed-supply"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- gpio = <&gpio5 27 GPIO_ACTIVE_HIGH>; /* gpio155, lcd INI */ +- }; +- + lcd0: display { +- compatible = "panel-dpi"; ++ /* This isn't the exact LCD, but the timings meet spec */ ++ /* To make it work, set CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=4 */ ++ compatible = "newhaven,nhd-4.3-480272ef-atxl"; + label = "15"; +- status = "okay"; +- /* default-on; */ + pinctrl-names = "default"; +- ++ pinctrl-0 = <&panel_pwr_pins>; ++ backlight = <&bl>; ++ enable-gpios = <&gpio5 27 GPIO_ACTIVE_HIGH>; + port { + lcd_in: endpoint { + remote-endpoint = <&dpi_out>; + }; + }; +- +- panel-timing { +- clock-frequency = <9000000>; +- hactive = <480>; +- vactive = <272>; +- hfront-porch = <3>; +- hback-porch = <2>; +- hsync-len = <42>; +- vback-porch = <3>; +- vfront-porch = <4>; +- vsync-len = <11>; +- hsync-active = <0>; +- vsync-active = <0>; +- de-active = <1>; +- pixelclk-active = <1>; +- }; + }; + + bl: backlight { diff --git a/queue-5.3/arm-omap2plus_defconfig-fix-missing-video.patch b/queue-5.3/arm-omap2plus_defconfig-fix-missing-video.patch new file mode 100644 index 00000000000..64d260f04eb --- /dev/null +++ b/queue-5.3/arm-omap2plus_defconfig-fix-missing-video.patch @@ -0,0 +1,37 @@ +From 4957eccf979b025286b39388fd1a60cde601a10a Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Wed, 28 Aug 2019 13:33:49 -0500 +Subject: ARM: omap2plus_defconfig: Fix missing video + +From: Adam Ford + +commit 4957eccf979b025286b39388fd1a60cde601a10a upstream. + +When the panel-dpi driver was removed, the simple-panels driver +was never enabled, so anyone who used the panel-dpi driver lost +video, and those who used it inconjunction with simple-panels +would have to manually enable CONFIG_DRM_PANEL_SIMPLE. + +This patch makes CONFIG_DRM_PANEL_SIMPLE a module in the same +way the deprecated panel-dpi was. + +Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/configs/omap2plus_defconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/configs/omap2plus_defconfig ++++ b/arch/arm/configs/omap2plus_defconfig +@@ -363,6 +363,7 @@ CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1=m + CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1=m + CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11=m + CONFIG_DRM_TILCDC=m ++CONFIG_DRM_PANEL_SIMPLE=m + CONFIG_FB=y + CONFIG_FIRMWARE_EDID=y + CONFIG_FB_MODE_HELPERS=y diff --git a/queue-5.3/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch b/queue-5.3/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch new file mode 100644 index 00000000000..09ee022738a --- /dev/null +++ b/queue-5.3/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch @@ -0,0 +1,255 @@ +From f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Wed, 11 Sep 2019 07:30:53 -0400 +Subject: IB/hfi1: Define variables as unsigned long to fix KASAN warning + +From: Ira Weiny + +commit f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 upstream. + +Define the working variables to be unsigned long to be compatible with +for_each_set_bit and change types as needed. + +While we are at it remove unused variables from a couple of functions. + +This was found because of the following KASAN warning: + ================================================================== + BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70 + Read of size 8 at addr ffff888362d778d0 by task kworker/u308:2/1889 + + CPU: 21 PID: 1889 Comm: kworker/u308:2 Tainted: G W 5.3.0-rc2-mm1+ #2 + Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.02.04.0003.102320141138 10/23/2014 + Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] + Call Trace: + dump_stack+0x9a/0xf0 + ? find_first_bit+0x19/0x70 + print_address_description+0x6c/0x332 + ? find_first_bit+0x19/0x70 + ? find_first_bit+0x19/0x70 + __kasan_report.cold.6+0x1a/0x3b + ? find_first_bit+0x19/0x70 + kasan_report+0xe/0x12 + find_first_bit+0x19/0x70 + pma_get_opa_portstatus+0x5cc/0xa80 [hfi1] + ? ret_from_fork+0x3a/0x50 + ? pma_get_opa_port_ectrs+0x200/0x200 [hfi1] + ? stack_trace_consume_entry+0x80/0x80 + hfi1_process_mad+0x39b/0x26c0 [hfi1] + ? __lock_acquire+0x65e/0x21b0 + ? clear_linkup_counters+0xb0/0xb0 [hfi1] + ? check_chain_key+0x1d7/0x2e0 + ? lock_downgrade+0x3a0/0x3a0 + ? match_held_lock+0x2e/0x250 + ib_mad_recv_done+0x698/0x15e0 [ib_core] + ? clear_linkup_counters+0xb0/0xb0 [hfi1] + ? ib_mad_send_done+0xc80/0xc80 [ib_core] + ? mark_held_locks+0x79/0xa0 + ? _raw_spin_unlock_irqrestore+0x44/0x60 + ? rvt_poll_cq+0x1e1/0x340 [rdmavt] + __ib_process_cq+0x97/0x100 [ib_core] + ib_cq_poll_work+0x31/0xb0 [ib_core] + process_one_work+0x4ee/0xa00 + ? pwq_dec_nr_in_flight+0x110/0x110 + ? do_raw_spin_lock+0x113/0x1d0 + worker_thread+0x57/0x5a0 + ? process_one_work+0xa00/0xa00 + kthread+0x1bb/0x1e0 + ? kthread_create_on_node+0xc0/0xc0 + ret_from_fork+0x3a/0x50 + + The buggy address belongs to the page: + page:ffffea000d8b5dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 + flags: 0x17ffffc0000000() + raw: 0017ffffc0000000 0000000000000000 ffffea000d8b5dc8 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + addr ffff888362d778d0 is located in stack of task kworker/u308:2/1889 at offset 32 in frame: + pma_get_opa_portstatus+0x0/0xa80 [hfi1] + + this frame has 1 object: + [32, 36) 'vl_select_mask' + + Memory state around the buggy address: + ffff888362d77780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888362d77800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff888362d77880: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 00 + ^ + ffff888362d77900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888362d77980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 + + ================================================================== + +Cc: +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20190911113053.126040.47327.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Ira Weiny +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/mad.c | 45 ++++++++++++++++----------------------- + 1 file changed, 19 insertions(+), 26 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/mad.c ++++ b/drivers/infiniband/hw/hfi1/mad.c +@@ -2326,7 +2326,7 @@ struct opa_port_status_req { + __be32 vl_select_mask; + }; + +-#define VL_MASK_ALL 0x000080ff ++#define VL_MASK_ALL 0x00000000000080ffUL + + struct opa_port_status_rsp { + __u8 port_num; +@@ -2625,15 +2625,14 @@ static int pma_get_opa_classportinfo(str + } + + static void a0_portstatus(struct hfi1_pportdata *ppd, +- struct opa_port_status_rsp *rsp, u32 vl_select_mask) ++ struct opa_port_status_rsp *rsp) + { + if (!is_bx(ppd->dd)) { + unsigned long vl; + u64 sum_vl_xmit_wait = 0; +- u32 vl_all_mask = VL_MASK_ALL; ++ unsigned long vl_all_mask = VL_MASK_ALL; + +- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask), +- 8 * sizeof(vl_all_mask)) { ++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) { + u64 tmp = sum_vl_xmit_wait + + read_port_cntr(ppd, C_TX_WAIT_VL, + idx_from_vl(vl)); +@@ -2730,12 +2729,12 @@ static int pma_get_opa_portstatus(struct + (struct opa_port_status_req *)pmp->data; + struct hfi1_devdata *dd = dd_from_ibdev(ibdev); + struct opa_port_status_rsp *rsp; +- u32 vl_select_mask = be32_to_cpu(req->vl_select_mask); ++ unsigned long vl_select_mask = be32_to_cpu(req->vl_select_mask); + unsigned long vl; + size_t response_data_size; + u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24; + u8 port_num = req->port_num; +- u8 num_vls = hweight32(vl_select_mask); ++ u8 num_vls = hweight64(vl_select_mask); + struct _vls_pctrs *vlinfo; + struct hfi1_ibport *ibp = to_iport(ibdev, port); + struct hfi1_pportdata *ppd = ppd_from_ibp(ibp); +@@ -2770,7 +2769,7 @@ static int pma_get_opa_portstatus(struct + + hfi1_read_link_quality(dd, &rsp->link_quality_indicator); + +- rsp->vl_select_mask = cpu_to_be32(vl_select_mask); ++ rsp->vl_select_mask = cpu_to_be32((u32)vl_select_mask); + rsp->port_xmit_data = cpu_to_be64(read_dev_cntr(dd, C_DC_XMIT_FLITS, + CNTR_INVALID_VL)); + rsp->port_rcv_data = cpu_to_be64(read_dev_cntr(dd, C_DC_RCV_FLITS, +@@ -2841,8 +2840,7 @@ static int pma_get_opa_portstatus(struct + * So in the for_each_set_bit() loop below, we don't need + * any additional checks for vl. + */ +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + + tmp = read_dev_cntr(dd, C_DC_RX_FLIT_VL, idx_from_vl(vl)); +@@ -2883,7 +2881,7 @@ static int pma_get_opa_portstatus(struct + vfi++; + } + +- a0_portstatus(ppd, rsp, vl_select_mask); ++ a0_portstatus(ppd, rsp); + + if (resp_len) + *resp_len += response_data_size; +@@ -2930,16 +2928,14 @@ static u64 get_error_counter_summary(str + return error_counter_summary; + } + +-static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp, +- u32 vl_select_mask) ++static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp) + { + if (!is_bx(ppd->dd)) { + unsigned long vl; + u64 sum_vl_xmit_wait = 0; +- u32 vl_all_mask = VL_MASK_ALL; ++ unsigned long vl_all_mask = VL_MASK_ALL; + +- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask), +- 8 * sizeof(vl_all_mask)) { ++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) { + u64 tmp = sum_vl_xmit_wait + + read_port_cntr(ppd, C_TX_WAIT_VL, + idx_from_vl(vl)); +@@ -2994,7 +2990,7 @@ static int pma_get_opa_datacounters(stru + u64 port_mask; + u8 port_num; + unsigned long vl; +- u32 vl_select_mask; ++ unsigned long vl_select_mask; + int vfi; + u16 link_width; + u16 link_speed; +@@ -3071,8 +3067,7 @@ static int pma_get_opa_datacounters(stru + * So in the for_each_set_bit() loop below, we don't need + * any additional checks for vl. + */ +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(req->vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + + rsp->vls[vfi].port_vl_xmit_data = +@@ -3120,7 +3115,7 @@ static int pma_get_opa_datacounters(stru + vfi++; + } + +- a0_datacounters(ppd, rsp, vl_select_mask); ++ a0_datacounters(ppd, rsp); + + if (resp_len) + *resp_len += response_data_size; +@@ -3215,7 +3210,7 @@ static int pma_get_opa_porterrors(struct + struct _vls_ectrs *vlinfo; + unsigned long vl; + u64 port_mask, tmp; +- u32 vl_select_mask; ++ unsigned long vl_select_mask; + int vfi; + + req = (struct opa_port_error_counters64_msg *)pmp->data; +@@ -3273,8 +3268,7 @@ static int pma_get_opa_porterrors(struct + vlinfo = &rsp->vls[0]; + vfi = 0; + vl_select_mask = be32_to_cpu(req->vl_select_mask); +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(req->vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + rsp->vls[vfi].port_vl_xmit_discards = + cpu_to_be64(read_port_cntr(ppd, C_SW_XMIT_DSCD_VL, +@@ -3485,7 +3479,7 @@ static int pma_set_opa_portstatus(struct + u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24; + u64 portn = be64_to_cpu(req->port_select_mask[3]); + u32 counter_select = be32_to_cpu(req->counter_select_mask); +- u32 vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */ ++ unsigned long vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */ + unsigned long vl; + + if ((nports != 1) || (portn != 1 << port)) { +@@ -3579,8 +3573,7 @@ static int pma_set_opa_portstatus(struct + if (counter_select & CS_UNCORRECTABLE_ERRORS) + write_dev_cntr(dd, C_DC_UNC_ERR, CNTR_INVALID_VL, 0); + +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + if (counter_select & CS_PORT_XMIT_DATA) + write_port_cntr(ppd, C_TX_FLIT_VL, idx_from_vl(vl), 0); + diff --git a/queue-5.3/ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch b/queue-5.3/ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch new file mode 100644 index 00000000000..63ca2263fcc --- /dev/null +++ b/queue-5.3/ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch @@ -0,0 +1,73 @@ +From b2590bdd0b1dfb91737e6cb07ebb47bd74957f7e Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Mon, 15 Jul 2019 12:45:46 -0400 +Subject: IB/hfi1: Do not update hcrc for a KDETH packet during fault injection + +From: Kaike Wan + +commit b2590bdd0b1dfb91737e6cb07ebb47bd74957f7e upstream. + +When a KDETH packet is subject to fault injection during transmission, +HCRC is supposed to be omitted from the packet so that the hardware on the +receiver side would drop the packet. When creating pbc, the PbcInsertHcrc +field is set to be PBC_IHCRC_NONE if the KDETH packet is subject to fault +injection, but overwritten with PBC_IHCRC_LKDETH when update_hcrc() is +called later. + +This problem is fixed by not calling update_hcrc() when the packet is +subject to fault injection. + +Fixes: 6b6cf9357f78 ("IB/hfi1: Set PbcInsertHcrc for TID RDMA packets") +Cc: +Link: https://lore.kernel.org/r/20190715164546.74174.99296.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/verbs.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/verbs.c ++++ b/drivers/infiniband/hw/hfi1/verbs.c +@@ -874,16 +874,17 @@ int hfi1_verbs_send_dma(struct rvt_qp *q + else + pbc |= (ib_is_sc5(sc5) << PBC_DC_INFO_SHIFT); + +- if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode))) +- pbc = hfi1_fault_tx(qp, ps->opcode, pbc); + pbc = create_pbc(ppd, + pbc, + qp->srate_mbps, + vl, + plen); + +- /* Update HCRC based on packet opcode */ +- pbc = update_hcrc(ps->opcode, pbc); ++ if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode))) ++ pbc = hfi1_fault_tx(qp, ps->opcode, pbc); ++ else ++ /* Update HCRC based on packet opcode */ ++ pbc = update_hcrc(ps->opcode, pbc); + } + tx->wqe = qp->s_wqe; + ret = build_verbs_tx_desc(tx->sde, len, tx, ahg_info, pbc); +@@ -1030,12 +1031,12 @@ int hfi1_verbs_send_pio(struct rvt_qp *q + else + pbc |= (ib_is_sc5(sc5) << PBC_DC_INFO_SHIFT); + ++ pbc = create_pbc(ppd, pbc, qp->srate_mbps, vl, plen); + if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode))) + pbc = hfi1_fault_tx(qp, ps->opcode, pbc); +- pbc = create_pbc(ppd, pbc, qp->srate_mbps, vl, plen); +- +- /* Update HCRC based on packet opcode */ +- pbc = update_hcrc(ps->opcode, pbc); ++ else ++ /* Update HCRC based on packet opcode */ ++ pbc = update_hcrc(ps->opcode, pbc); + } + if (cb) + iowait_pio_inc(&priv->s_iowait); diff --git a/queue-5.3/ib-mlx5-free-mpi-in-mp_slave-mode.patch b/queue-5.3/ib-mlx5-free-mpi-in-mp_slave-mode.patch new file mode 100644 index 00000000000..f49587bd8a3 --- /dev/null +++ b/queue-5.3/ib-mlx5-free-mpi-in-mp_slave-mode.patch @@ -0,0 +1,34 @@ +From 5d44adebbb7e785939df3db36ac360f5e8b73e44 Mon Sep 17 00:00:00 2001 +From: Danit Goldberg +Date: Mon, 16 Sep 2019 09:48:18 +0300 +Subject: IB/mlx5: Free mpi in mp_slave mode + +From: Danit Goldberg + +commit 5d44adebbb7e785939df3db36ac360f5e8b73e44 upstream. + +ib_add_slave_port() allocates a multiport struct but never frees it. +Don't leak memory, free the allocated mpi struct during driver unload. + +Cc: +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Link: https://lore.kernel.org/r/20190916064818.19823-3-leon@kernel.org +Signed-off-by: Danit Goldberg +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -6959,6 +6959,7 @@ static void mlx5_ib_remove(struct mlx5_c + mlx5_ib_unbind_slave_port(mpi->ibdev, mpi); + list_del(&mpi->list); + mutex_unlock(&mlx5_ib_multiport_mutex); ++ kfree(mpi); + return; + } + diff --git a/queue-5.3/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch b/queue-5.3/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch new file mode 100644 index 00000000000..df33e50d658 --- /dev/null +++ b/queue-5.3/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch @@ -0,0 +1,45 @@ +From fddbfeece9c7882cc47754c7da460fe427e3e85b Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 24 Sep 2019 13:30:57 +0300 +Subject: iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36 + +From: Luca Coelho + +commit fddbfeece9c7882cc47754c7da460fe427e3e85b upstream. + +The intention was to have the GEO_TX_POWER_LIMIT command in FW version +36 as well, but not all 8000 family got this feature enabled. The +8000 family is the only one using version 36, so skip this version +entirely. If we try to send this command to the firmwares that do not +support it, we get a BAD_COMMAND response from the firmware. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151. + +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -887,11 +887,13 @@ static bool iwl_mvm_sar_geo_support(stru + * firmware versions. Unfortunately, we don't have a TLV API + * flag to rely on, so rely on the major version which is in + * the first byte of ucode_ver. This was implemented +- * initially on version 38 and then backported to 36, 29 and +- * 17. ++ * initially on version 38 and then backported to29 and 17. ++ * The intention was to have it in 36 as well, but not all ++ * 8000 family got this feature enabled. The 8000 family is ++ * the only one using version 36, so skip this version ++ * entirely. + */ + return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || +- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || + IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || + IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; + } diff --git a/queue-5.3/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch b/queue-5.3/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch new file mode 100644 index 00000000000..f0f302d55eb --- /dev/null +++ b/queue-5.3/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch @@ -0,0 +1,70 @@ +From c9dccacfccc72c32692eedff4a27a4b0833a2afd Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Thu, 11 Jul 2019 16:29:37 +0200 +Subject: printk: Do not lose last line in kmsg buffer dump + +From: Vincent Whitchurch + +commit c9dccacfccc72c32692eedff4a27a4b0833a2afd upstream. + +kmsg_dump_get_buffer() is supposed to select all the youngest log +messages which fit into the provided buffer. It determines the correct +start index by using msg_print_text() with a NULL buffer to calculate +the size of each entry. However, when performing the actual writes, +msg_print_text() only writes the entry to the buffer if the written len +is lesser than the size of the buffer. So if the lengths of the +selected youngest log messages happen to precisely fill up the provided +buffer, the last log message is not included. + +We don't want to modify msg_print_text() to fill up the buffer and start +returning a length which is equal to the size of the buffer, since +callers of its other users, such as kmsg_dump_get_line(), depend upon +the current behaviour. + +Instead, fix kmsg_dump_get_buffer() to compensate for this. + +For example, with the following two final prints: + +[ 6.427502] AAAAAAAAAAAAA +[ 6.427769] BBBBBBBB12345 + +A dump of a 64-byte buffer filled by kmsg_dump_get_buffer(), before this +patch: + + 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 35 32 32 31 39 37 <0>[ 6.522197 + 00000010: 5d 20 41 41 41 41 41 41 41 41 41 41 41 41 41 0a ] AAAAAAAAAAAAA. + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +After this patch: + + 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 34 35 36 36 37 38 <0>[ 6.456678 + 00000010: 5d 20 42 42 42 42 42 42 42 42 31 32 33 34 35 0a ] BBBBBBBB12345. + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +Link: http://lkml.kernel.org/r/20190711142937.4083-1-vincent.whitchurch@axis.com +Fixes: e2ae715d66bf4bec ("kmsg - kmsg_dump() use iterator to receive log buffer content") +To: rostedt@goodmis.org +Cc: linux-kernel@vger.kernel.org +Cc: # v3.5+ +Signed-off-by: Vincent Whitchurch +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -3274,7 +3274,7 @@ bool kmsg_dump_get_buffer(struct kmsg_du + /* move first record forward until length fits into the buffer */ + seq = dumper->cur_seq; + idx = dumper->cur_idx; +- while (l > size && seq < dumper->next_seq) { ++ while (l >= size && seq < dumper->next_seq) { + struct printk_log *msg = log_from_idx(idx); + + l -= msg_print_text(msg, true, time, NULL, 0); diff --git a/queue-5.3/randstruct-check-member-structs-in-is_pure_ops_struct.patch b/queue-5.3/randstruct-check-member-structs-in-is_pure_ops_struct.patch new file mode 100644 index 00000000000..0b3784b80c2 --- /dev/null +++ b/queue-5.3/randstruct-check-member-structs-in-is_pure_ops_struct.patch @@ -0,0 +1,45 @@ +From 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb Mon Sep 17 00:00:00 2001 +From: Joonwon Kang +Date: Sun, 28 Jul 2019 00:58:41 +0900 +Subject: randstruct: Check member structs in is_pure_ops_struct() + +From: Joonwon Kang + +commit 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb upstream. + +While no uses in the kernel triggered this case, it was possible to have +a false negative where a struct contains other structs which contain only +function pointers because of unreachable code in is_pure_ops_struct(). + +Signed-off-by: Joonwon Kang +Link: https://lore.kernel.org/r/20190727155841.GA13586@host +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -443,13 +443,13 @@ static int is_pure_ops_struct(const_tree + if (node == fieldtype) + continue; + +- if (!is_fptr(fieldtype)) +- return 0; +- +- if (code != RECORD_TYPE && code != UNION_TYPE) ++ if (code == RECORD_TYPE || code == UNION_TYPE) { ++ if (!is_pure_ops_struct(fieldtype)) ++ return 0; + continue; ++ } + +- if (!is_pure_ops_struct(fieldtype)) ++ if (!is_fptr(fieldtype)) + return 0; + } + diff --git a/queue-5.3/rdma-fix-double-free-in-srq-creation-error-flow.patch b/queue-5.3/rdma-fix-double-free-in-srq-creation-error-flow.patch new file mode 100644 index 00000000000..8987f2ece77 --- /dev/null +++ b/queue-5.3/rdma-fix-double-free-in-srq-creation-error-flow.patch @@ -0,0 +1,43 @@ +From 3eca7fc2d8d1275d9cf0c709f0937becbfcf6d96 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Mon, 16 Sep 2019 10:11:54 +0300 +Subject: RDMA: Fix double-free in srq creation error flow + +From: Jack Morgenstein + +commit 3eca7fc2d8d1275d9cf0c709f0937becbfcf6d96 upstream. + +The cited commit introduced a double-free of the srq buffer in the error +flow of procedure __uverbs_create_xsrq(). + +The problem is that ib_destroy_srq_user() called in the error flow also +frees the srq buffer. + +Thus, if uverbs_response() fails in __uverbs_create_srq(), the srq buffer +will be freed twice. + +Cc: +Fixes: 68e326dea1db ("RDMA: Handle SRQ allocations by IB/core") +Link: https://lore.kernel.org/r/20190916071154.20383-5-leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -3484,7 +3484,8 @@ static int __uverbs_create_xsrq(struct u + + err_copy: + ib_destroy_srq_user(srq, uverbs_get_cleared_udata(attrs)); +- ++ /* It was released in ib_destroy_srq_user */ ++ srq = NULL; + err_free: + kfree(srq); + err_put: diff --git a/queue-5.3/scsi-implement-.cleanup_rq-callback.patch b/queue-5.3/scsi-implement-.cleanup_rq-callback.patch new file mode 100644 index 00000000000..5e970c6d3ff --- /dev/null +++ b/queue-5.3/scsi-implement-.cleanup_rq-callback.patch @@ -0,0 +1,58 @@ +From b7e9e1fb7a9227be34ad4a5e778022c3164494cf Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Thu, 25 Jul 2019 10:05:00 +0800 +Subject: scsi: implement .cleanup_rq callback + +From: Ming Lei + +commit b7e9e1fb7a9227be34ad4a5e778022c3164494cf upstream. + +Implement .cleanup_rq() callback for freeing driver private part +of the request. Then we can avoid to leak this part if the request isn't +completed by SCSI, and freed by blk-mq or upper layer(such as dm-rq) finally. + +Cc: Ewan D. Milne +Cc: Bart Van Assche +Cc: Hannes Reinecke +Cc: Christoph Hellwig +Cc: Mike Snitzer +Cc: dm-devel@redhat.com +Cc: +Fixes: 396eaf21ee17 ("blk-mq: improve DM's blk-mq IO merging via blk_insert_cloned_request feedback") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1089,6 +1089,18 @@ static void scsi_initialize_rq(struct re + cmd->retries = 0; + } + ++/* ++ * Only called when the request isn't completed by SCSI, and not freed by ++ * SCSI ++ */ ++static void scsi_cleanup_rq(struct request *rq) ++{ ++ if (rq->rq_flags & RQF_DONTPREP) { ++ scsi_mq_uninit_cmd(blk_mq_rq_to_pdu(rq)); ++ rq->rq_flags &= ~RQF_DONTPREP; ++ } ++} ++ + /* Add a command to the list used by the aacraid and dpt_i2o drivers */ + void scsi_add_cmd_to_list(struct scsi_cmnd *cmd) + { +@@ -1821,6 +1833,7 @@ static const struct blk_mq_ops scsi_mq_o + .init_request = scsi_mq_init_request, + .exit_request = scsi_mq_exit_request, + .initialize_rq_fn = scsi_initialize_rq, ++ .cleanup_rq = scsi_cleanup_rq, + .busy = scsi_mq_lld_busy, + .map_queues = scsi_map_queues, + }; diff --git a/queue-5.3/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch b/queue-5.3/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch new file mode 100644 index 00000000000..50e1b2fb765 --- /dev/null +++ b/queue-5.3/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch @@ -0,0 +1,106 @@ +From 8b5292bcfcacf15182a77a973a98d310e76fd58b Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 26 Jul 2019 09:07:32 -0700 +Subject: scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag + +From: Quinn Tran + +commit 8b5292bcfcacf15182a77a973a98d310e76fd58b upstream. + +Relogin fails to move forward due to scan_state flag indicating device is +not there. Before relogin process, Session delete process accidently +modified the scan_state flag. + +[mkp: typos plus corrected Fixes: sha as reported by sfr] + +Fixes: 2dee5521028c ("scsi: qla2xxx: Fix login state machine freeze") +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 25 ++++++++++++++++++++----- + drivers/scsi/qla2xxx/qla_os.c | 1 + + drivers/scsi/qla2xxx/qla_target.c | 1 - + 3 files changed, 21 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -289,8 +289,13 @@ qla2x00_async_login(struct scsi_qla_host + struct srb_iocb *lio; + int rval = QLA_FUNCTION_FAILED; + +- if (!vha->flags.online) +- goto done; ++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) || ++ fcport->loop_id == FC_NO_LOOP_ID) { ++ ql_log(ql_log_warn, vha, 0xffff, ++ "%s: %8phC - not sending command.\n", ++ __func__, fcport->port_name); ++ return rval; ++ } + + sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL); + if (!sp) +@@ -1262,8 +1267,13 @@ int qla24xx_async_gpdb(struct scsi_qla_h + struct port_database_24xx *pd; + struct qla_hw_data *ha = vha->hw; + +- if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT)) ++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) || ++ fcport->loop_id == FC_NO_LOOP_ID) { ++ ql_log(ql_log_warn, vha, 0xffff, ++ "%s: %8phC - not sending command.\n", ++ __func__, fcport->port_name); + return rval; ++ } + + fcport->disc_state = DSC_GPDB; + +@@ -1953,8 +1963,11 @@ qla24xx_handle_plogi_done_event(struct s + return; + } + +- if (fcport->disc_state == DSC_DELETE_PEND) ++ if ((fcport->disc_state == DSC_DELETE_PEND) || ++ (fcport->disc_state == DSC_DELETED)) { ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); + return; ++ } + + if (ea->sp->gen2 != fcport->login_gen) { + /* target side must have changed it. */ +@@ -6698,8 +6711,10 @@ qla2x00_abort_isp_cleanup(scsi_qla_host_ + } + + /* Clear all async request states across all VPs. */ +- list_for_each_entry(fcport, &vha->vp_fcports, list) ++ list_for_each_entry(fcport, &vha->vp_fcports, list) { + fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT); ++ fcport->scan_state = 0; ++ } + spin_lock_irqsave(&ha->vport_slock, flags); + list_for_each_entry(vp, &ha->vp_list, list) { + atomic_inc(&vp->vref_count); +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -5086,6 +5086,7 @@ void qla24xx_create_new_sess(struct scsi + if (fcport) { + fcport->id_changed = 1; + fcport->scan_state = QLA_FCPORT_FOUND; ++ fcport->chip_reset = vha->hw->base_qpair->chip_reset; + memcpy(fcport->node_name, e->u.new_sess.node_name, WWN_SIZE); + + if (pla) { +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1209,7 +1209,6 @@ static void qla24xx_chk_fcp_state(struct + sess->logout_on_delete = 0; + sess->logo_ack_needed = 0; + sess->fw_login_state = DSC_LS_PORT_UNAVAIL; +- sess->scan_state = 0; + } + } + diff --git a/queue-5.3/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch b/queue-5.3/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch new file mode 100644 index 00000000000..ff3e100b59b --- /dev/null +++ b/queue-5.3/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch @@ -0,0 +1,43 @@ +From 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Wed, 4 Sep 2019 15:52:29 +0000 +Subject: scsi: scsi_dh_rdac: zero cdb in send_mode_select() + +From: Martin Wilck + +commit 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d upstream. + +cdb in send_mode_select() is not zeroed and is only partially filled in +rdac_failover_get(), which leads to some random data getting to the +device. Users have reported storage responding to such commands with +INVALID FIELD IN CDB. Code before commit 327825574132 was not affected, as +it called blk_rq_set_block_pc(). + +Fix this by zeroing out the cdb first. + +Identified & fix proposed by HPE. + +Fixes: 327825574132 ("scsi_dh_rdac: switch to scsi_execute_req_flags()") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20190904155205.1666-1-martin.wilck@suse.com +Signed-off-by: Martin Wilck +Acked-by: Ales Novak +Reviewed-by: Shane Seymour +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/device_handler/scsi_dh_rdac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -546,6 +546,8 @@ static void send_mode_select(struct work + spin_unlock(&ctlr->ms_lock); + + retry: ++ memset(cdb, 0, sizeof(cdb)); ++ + data_size = rdac_failover_get(ctlr, &list, cdb); + + RDAC_LOG(RDAC_LOG_FAILOVER, sdev, "array %s, ctlr %d, " diff --git a/queue-5.3/series b/queue-5.3/series index daf70b0904f..9fddee55fab 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -35,3 +35,17 @@ appletalk-enforce-cap_net_raw-for-raw-sockets.patch ax25-enforce-cap_net_raw-for-raw-sockets.patch ieee802154-enforce-cap_net_raw-for-raw-sockets.patch nfc-enforce-cap_net_raw-for-raw-sockets.patch +arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch +arm-omap2plus_defconfig-fix-missing-video.patch +iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch +alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch +alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch +scsi-implement-.cleanup_rq-callback.patch +scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch +scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch +printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch +ib-mlx5-free-mpi-in-mp_slave-mode.patch +ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch +ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch +rdma-fix-double-free-in-srq-creation-error-flow.patch +randstruct-check-member-structs-in-is_pure_ops_struct.patch