From: Greg Kroah-Hartman
Date: Sun, 24 Feb 2019 13:59:34 +0000 (+0100)
Subject: 4.20-stable patches
X-Git-Tag: v4.9.161~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71841db97a5bc6342df557895d9a850da3b502ca;p=thirdparty%2Fkernel%2Fstable-queue.git

4.20-stable patches

added patches:
	arc-define-arch_slab_minalign-8.patch
	arc-u-boot-check-arguments-paranoidly.patch
	arcv2-enable-unaligned-access-in-early-asm-code.patch
	clk-at91-fix-at91sam9x5-peripheral-clock-number.patch
	clk-at91-fix-masterck-name.patch
	cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch
	drm-amd-display-fix-mst-reboot-poweroff-sequence.patch
	drm-amdgpu-disable-bulk-moves-for-now.patch
	drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch
	drm-i915-fbdev-actually-configure-untiled-displays.patch
	gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch
	keys-always-initialize-keyring_index_key-desc_len.patch
	keys-user-align-the-payload-buffer.patch
	parisc-fix-ptrace-syscall-number-modification.patch
	rdma-srp-rework-scsi-device-reset-handling.patch
	scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch
---

diff --git a/queue-4.20/arc-define-arch_slab_minalign-8.patch b/queue-4.20/arc-define-arch_slab_minalign-8.patch new file mode 100644 index 00000000000..7449faea029 --- /dev/null +++ b/queue-4.20/arc-define-arch_slab_minalign-8.patch 
@@ -0,0 +1,81 @@ +From b6835ea77729e7faf4656ca637ba53f42b8ee3fd Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Fri, 8 Feb 2019 13:55:19 +0300 +Subject: ARC: define ARCH_SLAB_MINALIGN = 8 + +From: Alexey Brodkin + +commit b6835ea77729e7faf4656ca637ba53f42b8ee3fd upstream. + +The default value of ARCH_SLAB_MINALIGN in "include/linux/slab.h" is +"__alignof__(unsigned long long)" which for ARC unexpectedly turns out +to be 4. This is not a compiler bug, but as defined by ARC ABI [1] + +Thus slab allocator would allocate a struct which is 32-bit aligned, +which is generally OK even if struct has long long members. +There was however potetial problem when it had any atomic64_t which +use LLOCKD/SCONDD instructions which are required by ISA to take +64-bit addresses. This is the problem we ran into + +[ 4.015732] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null) +[ 4.167881] Misaligned Access +[ 4.172356] Path: /bin/busybox.nosuid +[ 4.176004] CPU: 2 PID: 171 Comm: rm Not tainted 4.19.14-yocto-standard #1 +[ 4.182851] +[ 4.182851] [ECR ]: 0x000d0000 => Check Programmer's Manual +[ 4.190061] [EFA ]: 0xbeaec3fc +[ 4.190061] [BLINK ]: ext4_delete_entry+0x210/0x234 +[ 4.190061] [ERET ]: ext4_delete_entry+0x13e/0x234 +[ 4.202985] [STAT32]: 0x80080002 : IE K +[ 4.207236] BTA: 0x9009329c SP: 0xbe5b1ec4 FP: 0x00000000 +[ 4.212790] LPS: 0x9074b118 LPE: 0x9074b120 LPC: 0x00000000 +[ 4.218348] r00: 0x00000040 r01: 0x00000021 r02: 0x00000001 +... +... +[ 4.270510] Stack Trace: +[ 4.274510] ext4_delete_entry+0x13e/0x234 +[ 4.278695] ext4_rmdir+0xe0/0x238 +[ 4.282187] vfs_rmdir+0x50/0xf0 +[ 4.285492] do_rmdir+0x9e/0x154 +[ 4.288802] EV_Trap+0x110/0x114 + +The fix is to make sure slab allocations are 64-bit aligned. + +Do note that atomic64_t is __attribute__((aligned(8)) which means gcc +does generate 64-bit aligned references, relative to beginning of +container struct. 
However the issue is if the container itself is not +64-bit aligned, atomic64_t ends up unaligned which is what this patch +ensures. + +[1] https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/wiki/files/ARCv2_ABI.pdf + +Signed-off-by: Alexey Brodkin +Cc: # 4.8+ +Signed-off-by: Vineet Gupta +[vgupta: reworked changelog, added dependency on LL64+LLSC] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/cache.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/arc/include/asm/cache.h ++++ b/arch/arc/include/asm/cache.h +@@ -52,6 +52,17 @@ + #define cache_line_size() SMP_CACHE_BYTES + #define ARCH_DMA_MINALIGN SMP_CACHE_BYTES + ++/* ++ * Make sure slab-allocated buffers are 64-bit aligned when atomic64_t uses ++ * ARCv2 64-bit atomics (LLOCKD/SCONDD). This guarantess runtime 64-bit ++ * alignment for any atomic64_t embedded in buffer. ++ * Default ARCH_SLAB_MINALIGN is __alignof__(long long) which has a relaxed ++ * value of 4 (and not 8) in ARC ABI. ++ */ ++#if defined(CONFIG_ARC_HAS_LL64) && defined(CONFIG_ARC_HAS_LLSC) ++#define ARCH_SLAB_MINALIGN 8 ++#endif ++ + extern void arc_cache_init(void); + extern char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len); + extern void read_decode_cache_bcr(void); diff --git a/queue-4.20/arc-u-boot-check-arguments-paranoidly.patch b/queue-4.20/arc-u-boot-check-arguments-paranoidly.patch new file mode 100644 index 00000000000..ce159e943b6 --- /dev/null +++ b/queue-4.20/arc-u-boot-check-arguments-paranoidly.patch 
@@ -0,0 +1,160 @@ +From a66f2e57bd566240d8b3884eedf503928fbbe557 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Thu, 14 Feb 2019 18:07:44 +0300 +Subject: ARC: U-boot: check arguments paranoidly + +From: Eugeniy Paltsev + +commit a66f2e57bd566240d8b3884eedf503928fbbe557 upstream. + +Handle U-boot arguments paranoidly: + * don't allow to pass unknown tag. + * try to use external device tree blob only if corresponding tag + (TAG_DTB) is set. + * don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT. + +NOTE: +If U-boot args are invalid we skip them and try to use embedded device +tree blob. We can't panic on invalid U-boot args as we really pass +invalid args due to bug in U-boot code. +This happens if we don't provide external DTB to U-boot and +don't set 'bootargs' U-boot environment variable (which is default +case at least for HSDK board) In that case we will pass +{r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid. + +While I'm at it refactor U-boot arguments handling code. 
+ +Cc: stable@vger.kernel.org +Tested-by: Corentin LABBE +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/head.S | 4 +- + arch/arc/kernel/setup.c | 89 +++++++++++++++++++++++++++++++++--------------- + 2 files changed, 65 insertions(+), 28 deletions(-) + +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -103,9 +103,9 @@ ENTRY(stext) + #ifdef CONFIG_ARC_UBOOT_SUPPORT + ; Uboot - kernel ABI + ; r0 = [0] No uboot interaction, [1] cmdline in r2, [2] DTB in r2 +- ; r1 = magic number (board identity, unused as of now ++ ; r1 = magic number (always zero as of now) + ; r2 = pointer to uboot provided cmdline or external DTB in mem +- ; These are handled later in setup_arch() ++ ; These are handled later in handle_uboot_args() + st r0, [@uboot_tag] + st r2, [@uboot_arg] + #endif +--- a/arch/arc/kernel/setup.c ++++ b/arch/arc/kernel/setup.c +@@ -452,43 +452,80 @@ void setup_processor(void) + arc_chk_core_config(); + } + +-static inline int is_kernel(unsigned long addr) ++static inline bool uboot_arg_invalid(unsigned long addr) + { +- if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end) +- return 1; +- return 0; ++ /* ++ * Check that it is a untranslated address (although MMU is not enabled ++ * yet, it being a high address ensures this is not by fluke) ++ */ ++ if (addr < PAGE_OFFSET) ++ return true; ++ ++ /* Check that address doesn't clobber resident kernel image */ ++ return addr >= (unsigned long)_stext && addr <= (unsigned long)_end; + } + +-void __init setup_arch(char **cmdline_p) ++#define IGNORE_ARGS "Ignore U-boot args: " ++ ++/* uboot_tag values for U-boot - kernel ABI revision 0; see head.S */ ++#define UBOOT_TAG_NONE 0 ++#define UBOOT_TAG_CMDLINE 1 ++#define UBOOT_TAG_DTB 2 ++ ++void __init handle_uboot_args(void) + { ++ bool use_embedded_dtb = true; ++ bool append_cmdline = false; ++ + #ifdef CONFIG_ARC_UBOOT_SUPPORT +- /* make sure that uboot passed pointer to 
cmdline/dtb is valid */ +- if (uboot_tag && is_kernel((unsigned long)uboot_arg)) +- panic("Invalid uboot arg\n"); +- +- /* See if u-boot passed an external Device Tree blob */ +- machine_desc = setup_machine_fdt(uboot_arg); /* uboot_tag == 2 */ +- if (!machine_desc) ++ /* check that we know this tag */ ++ if (uboot_tag != UBOOT_TAG_NONE && ++ uboot_tag != UBOOT_TAG_CMDLINE && ++ uboot_tag != UBOOT_TAG_DTB) { ++ pr_warn(IGNORE_ARGS "invalid uboot tag: '%08x'\n", uboot_tag); ++ goto ignore_uboot_args; ++ } ++ ++ if (uboot_tag != UBOOT_TAG_NONE && ++ uboot_arg_invalid((unsigned long)uboot_arg)) { ++ pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg); ++ goto ignore_uboot_args; ++ } ++ ++ /* see if U-boot passed an external Device Tree blob */ ++ if (uboot_tag == UBOOT_TAG_DTB) { ++ machine_desc = setup_machine_fdt((void *)uboot_arg); ++ ++ /* external Device Tree blob is invalid - use embedded one */ ++ use_embedded_dtb = !machine_desc; ++ } ++ ++ if (uboot_tag == UBOOT_TAG_CMDLINE) ++ append_cmdline = true; ++ ++ignore_uboot_args: + #endif +- { +- /* No, so try the embedded one */ ++ ++ if (use_embedded_dtb) { + machine_desc = setup_machine_fdt(__dtb_start); + if (!machine_desc) + panic("Embedded DT invalid\n"); ++ } + +- /* +- * If we are here, it is established that @uboot_arg didn't +- * point to DT blob. Instead if u-boot says it is cmdline, +- * append to embedded DT cmdline. +- * setup_machine_fdt() would have populated @boot_command_line +- */ +- if (uboot_tag == 1) { +- /* Ensure a whitespace between the 2 cmdlines */ +- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE); +- strlcat(boot_command_line, uboot_arg, +- COMMAND_LINE_SIZE); +- } ++ /* ++ * NOTE: @boot_command_line is populated by setup_machine_fdt() so this ++ * append processing can only happen after. 
++ */ ++ if (append_cmdline) { ++ /* Ensure a whitespace between the 2 cmdlines */ ++ strlcat(boot_command_line, " ", COMMAND_LINE_SIZE); ++ strlcat(boot_command_line, uboot_arg, COMMAND_LINE_SIZE); + } ++} ++ ++void __init setup_arch(char **cmdline_p) ++{ ++ handle_uboot_args(); + + /* Save unparsed command line copy for /proc/cmdline */ + *cmdline_p = boot_command_line; diff --git a/queue-4.20/arcv2-enable-unaligned-access-in-early-asm-code.patch b/queue-4.20/arcv2-enable-unaligned-access-in-early-asm-code.patch new file mode 100644 index 00000000000..880ac825c26 --- /dev/null +++ b/queue-4.20/arcv2-enable-unaligned-access-in-early-asm-code.patch @@ -0,0 +1,49 @@ +From 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Wed, 16 Jan 2019 14:29:50 +0300 +Subject: ARCv2: Enable unaligned access in early ASM code + +From: Eugeniy Paltsev + +commit 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 upstream. + +It is currently done in arc_init_IRQ() which might be too late +considering gcc 7.3.1 onwards (GNU 2018.03) generates unaligned +memory accesses by default + +Cc: stable@vger.kernel.org #4.4+ +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +[vgupta: rewrote changelog] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/head.S | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + .macro CPU_EARLY_SETUP + +@@ -47,6 +48,15 @@ + sr r5, [ARC_REG_DC_CTRL] + + 1: ++ ++#ifdef CONFIG_ISA_ARCV2 ++ ; Unaligned access is disabled at reset, so re-enable early as ++ ; gcc 7.3.1 (ARC GNU 2018.03) onwards generates unaligned access ++ ; by default ++ lr r5, [status32] ++ bset r5, r5, STATUS_AD_BIT ++ kflag r5 ++#endif + .endm + + .section .init.text, "ax",@progbits 
diff --git a/queue-4.20/clk-at91-fix-at91sam9x5-peripheral-clock-number.patch b/queue-4.20/clk-at91-fix-at91sam9x5-peripheral-clock-number.patch new file mode 100644 index 00000000000..f98bf4917f0 --- /dev/null +++ b/queue-4.20/clk-at91-fix-at91sam9x5-peripheral-clock-number.patch @@ -0,0 +1,36 @@ +From 1b328a2e095a009518ebac05e937cc0fc242fede Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Tue, 19 Feb 2019 17:51:14 +0100 +Subject: clk: at91: fix at91sam9x5 peripheral clock number + +From: Alexandre Belloni + +commit 1b328a2e095a009518ebac05e937cc0fc242fede upstream. + +nck() looks at the last id in an array and unfortunately, +at91sam9x35_periphck has a sentinel, hence the id is 0 and the calculated +number of peripheral clocks is 1 instead of a maximum of 31. + +Fixes: 1eabdc2f9dd8 ("clk: at91: add at91sam9x5 PMCs driver") +Signed-off-by: Alexandre Belloni +Acked-by: Nicolas Ferre +Cc: # v4.20+ +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/at91/at91sam9x5.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/clk/at91/at91sam9x5.c ++++ b/drivers/clk/at91/at91sam9x5.c +@@ -144,8 +144,7 @@ static void __init at91sam9x5_pmc_setup( + return; + + at91sam9x5_pmc = pmc_data_allocate(PMC_MAIN + 1, +- nck(at91sam9x5_systemck), +- nck(at91sam9x35_periphck), 0); ++ nck(at91sam9x5_systemck), 31, 0); + if (!at91sam9x5_pmc) + return; + diff --git a/queue-4.20/clk-at91-fix-masterck-name.patch b/queue-4.20/clk-at91-fix-masterck-name.patch new file mode 100644 index 00000000000..b52b9891cde --- /dev/null +++ b/queue-4.20/clk-at91-fix-masterck-name.patch 
@@ -0,0 +1,69 @@ +From 65a91e2e597dea62a798a8b771edc44859037e7f Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Fri, 8 Feb 2019 15:40:59 +0100 +Subject: clk: at91: fix masterck name + +From: Alexandre Belloni + +commit 65a91e2e597dea62a798a8b771edc44859037e7f upstream. + +The master clock is actually named masterck earlier in the driver. Having +"mck" in the parent list means that it can never be selected. + +Fixes: 1eabdc2f9dd8 ("clk: at91: add at91sam9x5 PMCs driver") +Fixes: a2038077de9a ("clk: at91: add sama5d2 PMC driver") +Fixes: 084b696bb509 ("clk: at91: add sama5d4 pmc driver") +Signed-off-by: Alexandre Belloni +Acked-by: Nicolas Ferre +Cc: # v4.20+ +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/at91/at91sam9x5.c | 2 +- + drivers/clk/at91/sama5d2.c | 4 ++-- + drivers/clk/at91/sama5d4.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clk/at91/at91sam9x5.c ++++ b/drivers/clk/at91/at91sam9x5.c +@@ -210,7 +210,7 @@ static void __init at91sam9x5_pmc_setup( + parent_names[1] = "mainck"; + parent_names[2] = "plladivck"; + parent_names[3] = "utmick"; +- parent_names[4] = "mck"; ++ parent_names[4] = "masterck"; + for (i = 0; i < 2; i++) { + char name[6]; + +--- a/drivers/clk/at91/sama5d2.c ++++ b/drivers/clk/at91/sama5d2.c +@@ -240,7 +240,7 @@ static void __init sama5d2_pmc_setup(str + parent_names[1] = "mainck"; + parent_names[2] = "plladivck"; + parent_names[3] = "utmick"; +- parent_names[4] = "mck"; ++ parent_names[4] = "masterck"; + for (i = 0; i < 3; i++) { + char name[6]; + +@@ -291,7 +291,7 @@ static void __init sama5d2_pmc_setup(str + parent_names[1] = "mainck"; + parent_names[2] = "plladivck"; + parent_names[3] = "utmick"; +- parent_names[4] = "mck"; ++ parent_names[4] = "masterck"; + parent_names[5] = "audiopll_pmcck"; + for (i = 0; i < ARRAY_SIZE(sama5d2_gck); i++) { + hw = at91_clk_register_generated(regmap, &pmc_pcr_lock, +--- a/drivers/clk/at91/sama5d4.c ++++ 
b/drivers/clk/at91/sama5d4.c +@@ -207,7 +207,7 @@ static void __init sama5d4_pmc_setup(str + parent_names[1] = "mainck"; + parent_names[2] = "plladivck"; + parent_names[3] = "utmick"; +- parent_names[4] = "mck"; ++ parent_names[4] = "masterck"; + for (i = 0; i < 3; i++) { + char name[6]; + diff --git a/queue-4.20/cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch b/queue-4.20/cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch new file mode 100644 index 00000000000..74dedfca973 --- /dev/null +++ b/queue-4.20/cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch @@ -0,0 +1,37 @@ +From 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Sat, 16 Feb 2019 11:31:48 -0500 +Subject: cpufreq: scmi: Fix use-after-free in scmi_cpufreq_exit() + +From: Yangtao Li + +commit 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297 upstream. + +This issue was detected with the help of Coccinelle. So +change the order of function calls to fix it. + +Fixes: 1690d8bb91e37 (cpufreq: scpi/scmi: Fix freeing of dynamic OPPs) + +Signed-off-by: Yangtao Li +Acked-by: Viresh Kumar +Acked-by: Sudeep Holla +Cc: 4.20+ # 4.20+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/scmi-cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -187,8 +187,8 @@ static int scmi_cpufreq_exit(struct cpuf + + cpufreq_cooling_unregister(priv->cdev); + dev_pm_opp_free_cpufreq_table(priv->cpu_dev, &policy->freq_table); +- kfree(priv); + dev_pm_opp_remove_all_dynamic(priv->cpu_dev); ++ kfree(priv); + + return 0; + } diff --git a/queue-4.20/drm-amd-display-fix-mst-reboot-poweroff-sequence.patch b/queue-4.20/drm-amd-display-fix-mst-reboot-poweroff-sequence.patch new file mode 100644 index 00000000000..64ccde70007 --- /dev/null +++ b/queue-4.20/drm-amd-display-fix-mst-reboot-poweroff-sequence.patch 
@@ -0,0 +1,49 @@ +From d2f0b53bda3193874f3905bc839888f895d1c0cf Mon Sep 17 00:00:00 2001 +From: "Leo (Hanghong) Ma" +Date: Thu, 24 Jan 2019 15:07:52 -0500 +Subject: drm/amd/display: Fix MST reboot/poweroff sequence + +From: Leo (Hanghong) Ma + +commit d2f0b53bda3193874f3905bc839888f895d1c0cf upstream. + +[Why] + +drm_dp_mst_topology_mgr_suspend() is added into the new reboot +sequence, which disables the UP request at the beginning. +Therefore sideband messages are blocked. + +[How] + +Finish MST sideband message transaction before UP request is +suppressed. + +Signed-off-by: Leo (Hanghong) Ma +Reviewed-by: Roman Li +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -704,12 +704,13 @@ static int dm_suspend(void *handle) + struct amdgpu_display_manager *dm = &adev->dm; + int ret = 0; + ++ WARN_ON(adev->dm.cached_state); ++ adev->dm.cached_state = drm_atomic_helper_suspend(adev->ddev); ++ + s3_handle_mst(adev->ddev, true); + + amdgpu_dm_irq_suspend(adev); + +- WARN_ON(adev->dm.cached_state); +- adev->dm.cached_state = drm_atomic_helper_suspend(adev->ddev); + + dc_set_power_state(dm->dc, DC_ACPI_CM_POWER_STATE_D3); + diff --git a/queue-4.20/drm-amdgpu-disable-bulk-moves-for-now.patch b/queue-4.20/drm-amdgpu-disable-bulk-moves-for-now.patch new file mode 100644 index 00000000000..0cb60518aaf --- /dev/null +++ b/queue-4.20/drm-amdgpu-disable-bulk-moves-for-now.patch 
@@ -0,0 +1,43 @@ +From a213c2c7e235cfc0e0a161a558f7fdf2fb3a624a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Wed, 20 Feb 2019 15:16:06 +0100 +Subject: drm/amdgpu: disable bulk moves for now +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit a213c2c7e235cfc0e0a161a558f7fdf2fb3a624a upstream. + +The changes to fix those are two invasive for backporting. + +Just disable the feature in 4.20 and 5.0. + +Acked-by: Alex Deucher +Signed-off-by: Christian König +Cc: [4.20+] +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -637,12 +637,14 @@ void amdgpu_vm_move_to_lru_tail(struct a + struct ttm_bo_global *glob = adev->mman.bdev.glob; + struct amdgpu_vm_bo_base *bo_base; + ++#if 0 + if (vm->bulk_moveable) { + spin_lock(&glob->lru_lock); + ttm_bo_bulk_move_lru_tail(&vm->lru_bulk_move); + spin_unlock(&glob->lru_lock); + return; + } ++#endif + + memset(&vm->lru_bulk_move, 0, sizeof(vm->lru_bulk_move)); + diff --git a/queue-4.20/drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch b/queue-4.20/drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch new file mode 100644 index 00000000000..8d50179a969 --- /dev/null +++ b/queue-4.20/drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch 
@@ -0,0 +1,37 @@ +From d33158530660bc89be3cc870a2152e4e9a76cac7 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 18 Feb 2019 17:11:38 -0500 +Subject: drm/amdgpu: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime + +From: Alex Deucher + +commit d33158530660bc89be3cc870a2152e4e9a76cac7 upstream. + +Based on a similar patch from Rafael for radeon. + +When using ATPX to control dGPU power, the state is not retained +across suspend and resume cycles by default. This can probably +be loosened for Hybrid Graphics (_PR3) laptops where I think the +state is properly retained. + +Fixes: c62ec4610c40 ("PM / core: Fix direct_complete handling for devices with no callbacks") +Cc: Rafael J. Wysocki +Acked-by: Rafael J. Wysocki +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -212,6 +212,7 @@ int amdgpu_driver_load_kms(struct drm_de + } + + if (amdgpu_device_is_px(dev)) { ++ dev_pm_set_driver_flags(dev->dev, DPM_FLAG_NEVER_SKIP); + pm_runtime_use_autosuspend(dev->dev); + pm_runtime_set_autosuspend_delay(dev->dev, 5000); + pm_runtime_set_active(dev->dev); diff --git a/queue-4.20/drm-i915-fbdev-actually-configure-untiled-displays.patch b/queue-4.20/drm-i915-fbdev-actually-configure-untiled-displays.patch new file mode 100644 index 00000000000..0079b3f6653 --- /dev/null +++ b/queue-4.20/drm-i915-fbdev-actually-configure-untiled-displays.patch 
@@ -0,0 +1,76 @@ +From d179b88deb3bf6fed4991a31fd6f0f2cad21fab5 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 15 Feb 2019 12:30:19 +0000 +Subject: drm/i915/fbdev: Actually configure untiled displays + +From: Chris Wilson + +commit d179b88deb3bf6fed4991a31fd6f0f2cad21fab5 upstream. + +If we skipped all the connectors that were not part of a tile, we would +leave conn_seq=0 and conn_configured=0, convincing ourselves that we +had stagnated in our configuration attempts. Avoid this situation by +starting conn_seq=ALL_CONNECTORS, and repeating until we find no more +connectors to configure. + +Fixes: 754a76591b12 ("drm/i915/fbdev: Stop repeating tile configuration on stagnation") +Reported-by: Maarten Lankhorst +Signed-off-by: Chris Wilson +Cc: Maarten Lankhorst +Reviewed-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20190215123019.32283-1-chris@chris-wilson.co.uk +Cc: # v3.19+ +(cherry picked from commit d9b308b1f8a1acc0c3279f443d4fe0f9f663252e) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_fbdev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/intel_fbdev.c +@@ -336,8 +336,8 @@ static bool intel_fb_initial_config(stru + bool *enabled, int width, int height) + { + struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); +- unsigned long conn_configured, conn_seq, mask; + unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); ++ unsigned long conn_configured, conn_seq; + int i, j; + bool *save_enabled; + bool fallback = true, ret = true; +@@ -355,10 +355,9 @@ static bool intel_fb_initial_config(stru + drm_modeset_backoff(&ctx); + + memcpy(save_enabled, enabled, count); +- mask = GENMASK(count - 1, 0); ++ conn_seq = GENMASK(count - 1, 0); + conn_configured = 0; + retry: +- conn_seq = conn_configured; + for (i = 0; i < count; i++) { + struct drm_fb_helper_connector 
*fb_conn; + struct drm_connector *connector; +@@ -371,7 +370,8 @@ retry: + if (conn_configured & BIT(i)) + continue; + +- if (conn_seq == 0 && !connector->has_tile) ++ /* First pass, only consider tiled connectors */ ++ if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) + continue; + + if (connector->status == connector_status_connected) +@@ -475,8 +475,10 @@ retry: + conn_configured |= BIT(i); + } + +- if ((conn_configured & mask) != mask && conn_configured != conn_seq) ++ if (conn_configured != conn_seq) { /* repeat until no more are found */ ++ conn_seq = conn_configured; + goto retry; ++ } + + /* + * If the BIOS didn't enable everything it could, fall back to have the diff --git a/queue-4.20/gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch b/queue-4.20/gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch new file mode 100644 index 00000000000..71aa7882d80 --- /dev/null +++ b/queue-4.20/gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch 
@@ -0,0 +1,51 @@ +From 450d007d199e632a1a4c4b91302deacd7d56815f Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 14 Feb 2019 23:46:19 +0100 +Subject: gpu: drm: radeon: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael J. Wysocki + +commit 450d007d199e632a1a4c4b91302deacd7d56815f upstream. + +On HP ProBook 4540s, if PM-runtime is enabled in the radeon driver +and the direct-complete optimization is used for the radeon device +during system-wide suspend, the system doesn't resume. + +Preventing direct-complete from being used with the radeon device by +setting the DPM_FLAG_NEVER_SKIP driver flag for it makes the problem +go away, which indicates that direct-complete is not safe for the +radeon driver in general and should not be used with it (at least +for now). + +This fixes a regression introduced by commit c62ec4610c40 +("PM / core: Fix direct_complete handling for devices with no +callbacks") which allowed direct-complete to be applied to +devices without PM callbacks (again) which in turn unlocked +direct-complete for radeon on HP ProBook 4540s. + +Fixes: c62ec4610c40 ("PM / core: Fix direct_complete handling for devices with no callbacks") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201519 +Reported-by: Ярослав Семченко +Tested-by: Ярослав Семченко +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_kms.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -172,6 +172,7 @@ int radeon_driver_load_kms(struct drm_de + } + + if (radeon_is_px(dev)) { ++ dev_pm_set_driver_flags(dev->dev, DPM_FLAG_NEVER_SKIP); + pm_runtime_use_autosuspend(dev->dev); + pm_runtime_set_autosuspend_delay(dev->dev, 5000); + pm_runtime_set_active(dev->dev); 
diff --git a/queue-4.20/keys-always-initialize-keyring_index_key-desc_len.patch b/queue-4.20/keys-always-initialize-keyring_index_key-desc_len.patch new file mode 100644 index 00000000000..80f2017a891 --- /dev/null +++ b/queue-4.20/keys-always-initialize-keyring_index_key-desc_len.patch 
@@ -0,0 +1,105 @@ +From ede0fa98a900e657d1fcd80b50920efc896c1a4c Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 22 Feb 2019 15:36:18 +0000 +Subject: KEYS: always initialize keyring_index_key::desc_len + +From: Eric Biggers + +commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream. + +syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() +called from construct_alloc_key() during sys_request_key(), because the +length of the key description was never calculated. + +The problem is that we rely on ->desc_len being initialized by +search_process_keyrings(), specifically by search_nested_keyrings(). +But, if the process isn't subscribed to any keyrings that never happens. + +Fix it by always initializing keyring_index_key::desc_len as soon as the +description is set, like we already do in some places. + +The following program reproduces the BUG_ON() when it's run as root and +no session keyring has been installed. If it doesn't work, try removing +pam_keyinit.so from /etc/pam.d/login and rebooting. 
+ + #include + #include + #include + + int main(void) + { + int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING); + + keyctl_setperm(id, KEY_OTH_WRITE); + setreuid(5000, 5000); + request_key("user", "desc", "", id); + } + +Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com +Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Cc: stable@vger.kernel.org +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/keyring.c | 4 +--- + security/keys/proc.c | 3 +-- + security/keys/request_key.c | 1 + + security/keys/request_key_auth.c | 2 +- + 4 files changed, 4 insertions(+), 6 deletions(-) + +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -661,9 +661,6 @@ static bool search_nested_keyrings(struc + BUG_ON((ctx->flags & STATE_CHECKS) == 0 || + (ctx->flags & STATE_CHECKS) == STATE_CHECKS); + +- if (ctx->index_key.description) +- ctx->index_key.desc_len = strlen(ctx->index_key.description); +- + /* Check to see if this top-level keyring is what we are looking for + * and whether it is valid or not. 
+ */ +@@ -914,6 +911,7 @@ key_ref_t keyring_search(key_ref_t keyri + struct keyring_search_context ctx = { + .index_key.type = type, + .index_key.description = description, ++ .index_key.desc_len = strlen(description), + .cred = current_cred(), + .match_data.cmp = key_default_cmp, + .match_data.raw_data = description, +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -166,8 +166,7 @@ static int proc_keys_show(struct seq_fil + int rc; + + struct keyring_search_context ctx = { +- .index_key.type = key->type, +- .index_key.description = key->description, ++ .index_key = key->index_key, + .cred = m->file->f_cred, + .match_data.cmp = lookup_user_key_possessed, + .match_data.raw_data = key, +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -545,6 +545,7 @@ struct key *request_key_and_link(struct + struct keyring_search_context ctx = { + .index_key.type = type, + .index_key.description = description, ++ .index_key.desc_len = strlen(description), + .cred = current_cred(), + .match_data.cmp = key_default_cmp, + .match_data.raw_data = description, +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -246,7 +246,7 @@ struct key *key_get_instantiation_authke + struct key *authkey; + key_ref_t authkey_ref; + +- sprintf(description, "%x", target_id); ++ ctx.index_key.desc_len = sprintf(description, "%x", target_id); + + authkey_ref = search_process_keyrings(&ctx); + diff --git a/queue-4.20/keys-user-align-the-payload-buffer.patch b/queue-4.20/keys-user-align-the-payload-buffer.patch new file mode 100644 index 00000000000..9a5882101ea --- /dev/null +++ b/queue-4.20/keys-user-align-the-payload-buffer.patch 
@@ -0,0 +1,43 @@ +From cc1780fc42c76c705dd07ea123f1143dc5057630 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 20 Feb 2019 13:32:11 +0000 +Subject: KEYS: user: Align the payload buffer + +From: Eric Biggers + +commit cc1780fc42c76c705dd07ea123f1143dc5057630 upstream. + +Align the payload of "user" and "logon" keys so that users of the +keyrings service can access it as a struct that requires more than +2-byte alignment. fscrypt currently does this which results in the read +of fscrypt_key::size being misaligned as it needs 4-byte alignment. + +Align to __alignof__(u64) rather than __alignof__(long) since in the +future it's conceivable that people would use structs beginning with +u64, which on some platforms would require more than 'long' alignment. + +Reported-by: Aaro Koskinen +Fixes: 2aa349f6e37c ("[PATCH] Keys: Export user-defined keyring operations") +Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Tested-by: Aaro Koskinen +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + include/keys/user-type.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/keys/user-type.h ++++ b/include/keys/user-type.h +@@ -31,7 +31,7 @@ + struct user_key_payload { + struct rcu_head rcu; /* RCU destructor */ + unsigned short datalen; /* length of this data */ +- char data[0]; /* actual data */ ++ char data[0] __aligned(__alignof__(u64)); /* actual data */ + }; + + extern struct key_type key_type_user; diff --git a/queue-4.20/parisc-fix-ptrace-syscall-number-modification.patch b/queue-4.20/parisc-fix-ptrace-syscall-number-modification.patch new file mode 100644 index 00000000000..a18341c24b4 --- /dev/null +++ b/queue-4.20/parisc-fix-ptrace-syscall-number-modification.patch 
@@ -0,0 +1,91 @@ +From b7dc5a071ddf69c0350396b203cba32fe5bab510 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Sat, 16 Feb 2019 16:10:39 +0300 +Subject: parisc: Fix ptrace syscall number modification + +From: Dmitry V. Levin + +commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream. + +Commit 910cd32e552e ("parisc: Fix and enable seccomp filter support") +introduced a regression in ptrace-based syscall tampering: when tracer +changes syscall number to -1, the kernel fails to initialize %r28 with +-ENOSYS and subsequently fails to return the error code of the failed +syscall to userspace. + +This erroneous behaviour could be observed with a simple strace syscall +fault injection command which is expected to print something like this: + +$ strace -a0 -ewrite -einject=write:error=enospc echo hello +write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED) ++++ exited with 1 +++ + +After commit 910cd32e552ea09caa89cdbe328e468979b030dd it loops printing +something like this instead: + +write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0) +) = 0 (INJECTED) + +This bug was found by strace test suite. + +Fixes: 910cd32e552e ("parisc: Fix and enable seccomp filter support") +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Dmitry V. 
Levin +Tested-by: Helge Deller +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/ptrace.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/arch/parisc/kernel/ptrace.c ++++ b/arch/parisc/kernel/ptrace.c +@@ -308,15 +308,29 @@ long compat_arch_ptrace(struct task_stru + + long do_syscall_trace_enter(struct pt_regs *regs) + { +- if (test_thread_flag(TIF_SYSCALL_TRACE) && +- tracehook_report_syscall_entry(regs)) { ++ if (test_thread_flag(TIF_SYSCALL_TRACE)) { ++ int rc = tracehook_report_syscall_entry(regs); ++ + /* +- * Tracing decided this syscall should not happen or the +- * debugger stored an invalid system call number. Skip +- * the system call and the system call restart handling. ++ * As tracesys_next does not set %r28 to -ENOSYS ++ * when %r20 is set to -1, initialize it here. + */ +- regs->gr[20] = -1UL; +- goto out; ++ regs->gr[28] = -ENOSYS; ++ ++ if (rc) { ++ /* ++ * A nonzero return code from ++ * tracehook_report_syscall_entry() tells us ++ * to prevent the syscall execution. Skip ++ * the syscall call and the syscall restart handling. ++ * ++ * Note that the tracer may also just change ++ * regs->gr[20] to an invalid syscall number, ++ * that is handled by tracesys_next. ++ */ ++ regs->gr[20] = -1UL; ++ return -1; ++ } + } + + /* Do the secure computing check after ptrace. */ +@@ -340,7 +354,6 @@ long do_syscall_trace_enter(struct pt_re + regs->gr[24] & 0xffffffff, + regs->gr[23] & 0xffffffff); + +-out: + /* + * Sign extend the syscall number to 64bit since it may have been + * modified by a compat ptrace call diff --git a/queue-4.20/rdma-srp-rework-scsi-device-reset-handling.patch b/queue-4.20/rdma-srp-rework-scsi-device-reset-handling.patch new file mode 100644 index 00000000000..058c0afd8a9 --- /dev/null +++ b/queue-4.20/rdma-srp-rework-scsi-device-reset-handling.patch 
@@ -0,0 +1,67 @@ +From 48396e80fb6526ea5ed267bd84f028bae56d2f9e Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 30 Jan 2019 14:05:55 -0800 +Subject: RDMA/srp: Rework SCSI device reset handling + +From: Bart Van Assche + +commit 48396e80fb6526ea5ed267bd84f028bae56d2f9e upstream. + +Since .scsi_done() must only be called after scsi_queue_rq() has +finished, make sure that the SRP initiator driver does not call +.scsi_done() while scsi_queue_rq() is in progress. Although +invoking sg_reset -d while I/O is in progress works fine with kernel +v4.20 and before, that is not the case with kernel v5.0-rc1. This +patch avoids that the following crash is triggered with kernel +v5.0-rc1: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000138 +CPU: 0 PID: 360 Comm: kworker/0:1H Tainted: G B 5.0.0-rc1-dbg+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 +Workqueue: kblockd blk_mq_run_work_fn +RIP: 0010:blk_mq_dispatch_rq_list+0x116/0xb10 +Call Trace: + blk_mq_sched_dispatch_requests+0x2f7/0x300 + __blk_mq_run_hw_queue+0xd6/0x180 + blk_mq_run_work_fn+0x27/0x30 + process_one_work+0x4f1/0xa20 + worker_thread+0x67/0x5b0 + kthread+0x1cf/0x1f0 + ret_from_fork+0x24/0x30 + +Cc: +Fixes: 94a9174c630c ("IB/srp: reduce lock coverage of command completion") +Signed-off-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2942,7 +2942,6 @@ static int srp_reset_device(struct scsi_ + { + struct srp_target_port *target = host_to_target(scmnd->device->host); + struct srp_rdma_ch *ch; +- int i, j; + u8 status; + + shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n"); +@@ -2954,15 +2953,6 @@ static int srp_reset_device(struct scsi_ + if (status) + return FAILED; + +- for (i = 0; i < 
target->ch_count; i++) { +- ch = &target->ch[i]; +- for (j = 0; j < target->req_ring_size; ++j) { +- struct srp_request *req = &ch->req_ring[j]; +- +- srp_finish_req(ch, req, scmnd->device, DID_RESET << 16); +- } +- } +- + return SUCCESS; + } + diff --git a/queue-4.20/scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch b/queue-4.20/scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch new file mode 100644 index 00000000000..4d34a9363f1 --- /dev/null +++ b/queue-4.20/scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch 
@@ -0,0 +1,60 @@ +From 515ce60613128be7a176a8b82b20c7624f3b440d Mon Sep 17 00:00:00 2001 +From: Masato Suzuki +Date: Thu, 14 Feb 2019 15:01:18 +0900 +Subject: scsi: sd_zbc: Fix sd_zbc_report_zones() buffer allocation + +From: Masato Suzuki + +commit 515ce60613128be7a176a8b82b20c7624f3b440d upstream. + +The function sd_zbc_do_report_zones() issues a REPORT ZONES command with a +buffer size calculated based on the number of zones requested by the +caller. This value should however not exceed the capabilities of the +hardware maximum command size, that is, should not exceed the +max_hw_sectors limit of the device. This problem leads to failures of +report zones commands when re-validating disks with some SAS HBAs. + +Fix this by limiting a report zone command buffer size to the minimum of +the device max_hw_sectors and calculated value based on the requested +number of zones. This does not change the semantic of the report_zones file +operation as report zones can always return less zone reports than +requested. Short reports are handled using a loop execution of the +report_zones file operation in the function blk_report_zones(). + +[Damien] +Before patch 'e76239a3748c ("block: add a report_zones method")', report +zones buffer allocation was limited to max_sectors when allocated in +blk_report_zones(). This however does not consider the actual format of the +device reply which is interface dependent. Limiting the allocation based +on the size of the expected reply format rather than the size of the array +of generic sturct blkzone passed by blk_report_zones() makes more sense. + +Fixes: e76239a3748c ("block: add a report_zones method") +Cc: stable@vger.kernel.org +Signed-off-by: Masato Suzuki +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd_zbc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -142,10 +142,12 @@ int sd_zbc_report_zones(struct gendisk * + return -EOPNOTSUPP; + + /* +- * Get a reply buffer for the number of requested zones plus a header. +- * For ATA, buffers must be aligned to 512B. ++ * Get a reply buffer for the number of requested zones plus a header, ++ * without exceeding the device maximum command size. For ATA disks, ++ * buffers must be aligned to 512B. + */ +- buflen = roundup((nrz + 1) * 64, 512); ++ buflen = min(queue_max_hw_sectors(disk->queue) << 9, ++ roundup((nrz + 1) * 64, 512)); + buf = kmalloc(buflen, gfp_mask); + if (!buf) + return -ENOMEM; diff --git a/queue-4.20/series b/queue-4.20/series index 97767f9fe99..e55a7d42459 100644 --- a/queue-4.20/series +++ b/queue-4.20/series 
@@ -142,3 +142,19 @@ net_sched-fix-a-memory-leak-in-cls_tcindex.patch net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch net-mlx5e-xdp-fix-redirect-resources-availability-check.patch +scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch +rdma-srp-rework-scsi-device-reset-handling.patch +keys-user-align-the-payload-buffer.patch +keys-always-initialize-keyring_index_key-desc_len.patch +clk-at91-fix-masterck-name.patch +clk-at91-fix-at91sam9x5-peripheral-clock-number.patch +parisc-fix-ptrace-syscall-number-modification.patch +arcv2-enable-unaligned-access-in-early-asm-code.patch +arc-u-boot-check-arguments-paranoidly.patch +arc-define-arch_slab_minalign-8.patch +cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch +drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch +gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch +drm-i915-fbdev-actually-configure-untiled-displays.patch +drm-amdgpu-disable-bulk-moves-for-now.patch +drm-amd-display-fix-mst-reboot-poweroff-sequence.patch
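Review bot: in keys-always-initialize-keyring_index_key-desc_len.patch, keyring_search() and request_key_and_link() each gain the same hand-written `.index_key.desc_len = strlen(description),` line, and key_get_instantiation_authkey() sets the field a third way from the sprintf() return value, so a future call site that builds a keyring_search_context can still forget it. Consider one helper or initializer that fills type, description and desc_len together, in the spirit of the proc_keys_show() hunk, which copies key->index_key whole. In key_get_instantiation_authkey(), a short comment that sprintf() returns the length without the terminating NUL would make the assignment self-explanatory.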
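Review bot: in keys-user-align-the-payload-buffer.patch, the new `__aligned(__alignof__(u64))` on `data[0]` in struct user_key_payload has no in-code explanation; the member comment still reads only "actual data". The reason (users such as fscrypt read the payload as a struct that needs more than 2-byte alignment) lives only in the changelog, so please extend the comment to say so, otherwise the attribute looks removable. The changelog could also state that the attribute inserts padding after datalen and therefore moves the offset of data within the struct.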
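Review bot: in parisc-fix-ptrace-syscall-number-modification.patch, do_syscall_trace_enter() now executes `regs->gr[28] = -ENOSYS;` after tracehook_report_syscall_entry() has returned and regardless of rc, so any value the tracer stored in %r28 during the syscall-entry stop is overwritten. If that is intended, the comment above the assignment should say so explicitly, because it currently only explains what tracesys_next does not do. Minor: "Skip the syscall call" in the new inner comment should read "Skip the syscall".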
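Review bot: in rdma-srp-rework-scsi-device-reset-handling.patch, srp_reset_device() now returns SUCCESS without the loop that called srp_finish_req() with DID_RESET << 16 on every req_ring entry of each channel, and nothing in the function says how commands outstanding at reset time get completed afterwards. Please add a comment at `return SUCCESS;` naming the path that finishes them, since the changelog only explains why .scsi_done() must not be called here. The changelog also says that sg_reset -d during I/O works fine with v4.20 and before, so the reason for queueing this to 4.20 should be spelled out.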
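Review bot: in scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch, the new first argument `queue_max_hw_sectors(disk->queue) << 9` is shifted in whatever type queue_max_hw_sectors() returns, so if that is a 32-bit type a limit of 2^23 sectors or more wraps and min() could select a tiny or zero buflen. Widen before shifting, or clamp the sector count first. Since buflen can now be smaller than (nrz + 1) * 64, it is also worth confirming that the reply parsing after kmalloc() derives the zone count from buflen rather than from nrz.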