From: Sasha Levin Date: Mon, 11 Nov 2019 15:39:10 +0000 (-0500) Subject: fixes for 5.3 X-Git-Tag: v4.4.201~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80efd37022eeb8960b24164c673e5699ad428de6;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.3 Signed-off-by: Sasha Levin --- diff --git a/queue-5.3/arc-plat-hsdk-enable-on-board-spi-nor-flash-ic.patch b/queue-5.3/arc-plat-hsdk-enable-on-board-spi-nor-flash-ic.patch new file mode 100644 index 00000000000..222140d824e --- /dev/null +++ b/queue-5.3/arc-plat-hsdk-enable-on-board-spi-nor-flash-ic.patch @@ -0,0 +1,55 @@ +From 009a86be2b6f780ccd88967be4d0da82e38a707a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 14:11:25 +0300 +Subject: ARC: [plat-hsdk]: Enable on-board SPI NOR flash IC + +From: Eugeniy Paltsev + +[ Upstream commit 8ca8fa7f22dcb0a3265490a690b0c3e27de681f9 ] + +HSDK board has sst26wf016b SPI NOR flash IC installed, enable it. + +Acked-by: Alexey Brodkin +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/boot/dts/hsdk.dts | 8 ++++++++ + arch/arc/configs/hsdk_defconfig | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts +index bfc7f5f5d6f26..9bea5daadd23f 100644 +--- a/arch/arc/boot/dts/hsdk.dts ++++ b/arch/arc/boot/dts/hsdk.dts +@@ -264,6 +264,14 @@ + clocks = <&input_clk>; + cs-gpios = <&creg_gpio 0 GPIO_ACTIVE_LOW>, + <&creg_gpio 1 GPIO_ACTIVE_LOW>; ++ ++ spi-flash@0 { ++ compatible = "sst26wf016b", "jedec,spi-nor"; ++ reg = <0>; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ spi-max-frequency = <4000000>; ++ }; + }; + + creg_gpio: gpio@14b0 { +diff --git a/arch/arc/configs/hsdk_defconfig b/arch/arc/configs/hsdk_defconfig +index 403125d9c9a34..fe9de80e41ee3 100644 +--- a/arch/arc/configs/hsdk_defconfig ++++ b/arch/arc/configs/hsdk_defconfig +@@ -31,6 +31,8 @@ CONFIG_INET=y + CONFIG_DEVTMPFS=y + # CONFIG_STANDALONE is not set + # CONFIG_PREVENT_FIRMWARE_BUILD is not set ++CONFIG_MTD=y ++CONFIG_MTD_SPI_NOR=y + CONFIG_SCSI=y + CONFIG_BLK_DEV_SD=y + CONFIG_NETDEVICES=y +-- +2.20.1 + diff --git a/queue-5.3/arm64-apply-arm64_erratum_843419-workaround-for-brah.patch b/queue-5.3/arm64-apply-arm64_erratum_843419-workaround-for-brah.patch new file mode 100644 index 00000000000..6ca407dc2ed --- /dev/null +++ b/queue-5.3/arm64-apply-arm64_erratum_843419-workaround-for-brah.patch @@ -0,0 +1,84 @@ +From bd659bdac651aa9e5b80b6b14588cf1a2a573fdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 14:47:25 -0700 +Subject: arm64: apply ARM64_ERRATUM_843419 workaround for Brahma-B53 core + +From: Florian Fainelli + +[ Upstream commit 1cf45b8fdbb87040e1d1bd793891089f4678aa41 ] + +The Broadcom Brahma-B53 core is susceptible to the issue described by +ARM64_ERRATUM_843419 so this commit enables the workaround to be applied +when executing on that core. + +Since there are now multiple entries to match, we must convert the +existing ARM64_ERRATUM_843419 into an erratum list and use +cpucap_multi_entry_cap_matches to match our entries. + +Signed-off-by: Florian Fainelli +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 2 ++ + arch/arm64/kernel/cpu_errata.c | 23 ++++++++++++++++++++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 8c87c68dcc324..d5f72a5b214f8 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -93,6 +93,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Broadcom | Brahma-B53 | N/A | ARM64_ERRATUM_845719 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Broadcom | Brahma-B53 | N/A | ARM64_ERRATUM_843419 | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Cavium | ThunderX ITS | #22375,24313 | CAVIUM_ERRATUM_22375 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 799d62ef7a9bd..ed4c2f28f1576 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -755,6 +755,23 @@ static const struct midr_range erratum_845719_list[] = { + }; + #endif + ++#ifdef CONFIG_ARM64_ERRATUM_843419 ++static const struct arm64_cpu_capabilities erratum_843419_list[] = { ++ { ++ /* Cortex-A53 r0p[01234] */ ++ .matches = is_affected_midr_range, ++ ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A53, 0, 0, 4), ++ MIDR_FIXED(0x4, BIT(8)), ++ }, ++ { ++ /* Brahma-B53 r0p[0] */ ++ .matches = is_affected_midr_range, ++ ERRATA_MIDR_REV(MIDR_BRAHMA_B53, 0, 0), ++ }, ++ {}, ++}; ++#endif ++ + const struct arm64_cpu_capabilities arm64_errata[] = { + #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE + { +@@ -786,11 +803,11 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + #endif + #ifdef CONFIG_ARM64_ERRATUM_843419 + { +- /* Cortex-A53 r0p[01234] */ + .desc = "ARM erratum 843419", + .capability = ARM64_WORKAROUND_843419, +- ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A53, 0, 0, 4), +- MIDR_FIXED(0x4, BIT(8)), ++ .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, ++ .matches = cpucap_multi_entry_cap_matches, ++ .match_list = erratum_843419_list, + }, + #endif + #ifdef CONFIG_ARM64_ERRATUM_845719 +-- +2.20.1 + diff --git a/queue-5.3/arm64-apply-arm64_erratum_845719-workaround-for-brah.patch b/queue-5.3/arm64-apply-arm64_erratum_845719-workaround-for-brah.patch new file mode 100644 index 00000000000..11ff8ca215f --- /dev/null +++ b/queue-5.3/arm64-apply-arm64_erratum_845719-workaround-for-brah.patch @@ -0,0 +1,96 @@ +From d0258845b78cd6b15098d481ab4f4ac1d61a7cee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 14:47:23 -0700 +Subject: arm64: apply ARM64_ERRATUM_845719 workaround for Brahma-B53 core + +From: Doug Berger + +[ Upstream commit bfc97f9f199cb041cf897af3af096540948cc705 ] + +The Broadcom Brahma-B53 core is susceptible to the issue described by +ARM64_ERRATUM_845719 so this commit enables the workaround to be applied +when executing on that core. + +Since there are now multiple entries to match, we must convert the +existing ARM64_ERRATUM_845719 into an erratum list. + +Signed-off-by: Doug Berger +Signed-off-by: Florian Fainelli +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 3 +++ + arch/arm64/include/asm/cputype.h | 2 ++ + arch/arm64/kernel/cpu_errata.c | 13 +++++++++++-- + 3 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 47feda6c15bcc..8c87c68dcc324 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -91,6 +91,9 @@ stable kernels. + | ARM | MMU-500 | #841119,826419 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ ++| Broadcom | Brahma-B53 | N/A | ARM64_ERRATUM_845719 | +++----------------+-----------------+-----------------+-----------------------------+ +++----------------+-----------------+-----------------+-----------------------------+ + | Cavium | ThunderX ITS | #22375,24313 | CAVIUM_ERRATUM_22375 | + +----------------+-----------------+-----------------+-----------------------------+ + | Cavium | ThunderX ITS | #23144 | CAVIUM_ERRATUM_23144 | +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index b1454d117cd2c..aca07c2f6e6e3 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -79,6 +79,7 @@ + #define CAVIUM_CPU_PART_THUNDERX_83XX 0x0A3 + #define CAVIUM_CPU_PART_THUNDERX2 0x0AF + ++#define BRCM_CPU_PART_BRAHMA_B53 0x100 + #define BRCM_CPU_PART_VULCAN 0x516 + + #define QCOM_CPU_PART_FALKOR_V1 0x800 +@@ -105,6 +106,7 @@ + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) + #define MIDR_CAVIUM_THUNDERX2 MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX2) ++#define MIDR_BRAHMA_B53 MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_BRAHMA_B53) + #define MIDR_BRCM_VULCAN MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_VULCAN) + #define MIDR_QCOM_FALKOR_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR_V1) + #define MIDR_QCOM_FALKOR MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR) +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 4465be78ee466..d9da4201ba858 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -743,6 +743,16 @@ static const struct midr_range erratum_1418040_list[] = { + }; + #endif + ++#ifdef CONFIG_ARM64_ERRATUM_845719 ++static const struct midr_range erratum_845719_list[] = { ++ /* Cortex-A53 r0p[01234] */ ++ MIDR_REV_RANGE(MIDR_CORTEX_A53, 0, 0, 4), ++ /* Brahma-B53 r0p[0] */ ++ MIDR_REV(MIDR_BRAHMA_B53, 0, 0), ++ {}, ++}; ++#endif ++ + const struct arm64_cpu_capabilities arm64_errata[] = { + #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE + { +@@ -783,10 +793,9 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + #endif + #ifdef CONFIG_ARM64_ERRATUM_845719 + { +- /* Cortex-A53 r0p[01234] */ + .desc = "ARM erratum 845719", + .capability = ARM64_WORKAROUND_845719, +- ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A53, 0, 0, 4), ++ ERRATA_MIDR_RANGE_LIST(erratum_845719_list), + }, + #endif + #ifdef CONFIG_CAVIUM_ERRATUM_23154 +-- +2.20.1 + diff --git a/queue-5.3/arm64-brahma-b53-is-ssb-and-spectre-v2-safe.patch b/queue-5.3/arm64-brahma-b53-is-ssb-and-spectre-v2-safe.patch new file mode 100644 index 00000000000..d69c47f9eab --- /dev/null +++ b/queue-5.3/arm64-brahma-b53-is-ssb-and-spectre-v2-safe.patch @@ -0,0 +1,42 @@ +From d3f202dd87285923fadcbdc40cfae68e0ba300bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 14:47:24 -0700 +Subject: arm64: Brahma-B53 is SSB and spectre v2 safe + +From: Florian Fainelli + +[ Upstream commit e059770cb1cdfbcbe3f1748f76005861cc79dd1a ] + +Add the Brahma-B53 CPU (all versions) to the whitelists of CPUs for the +SSB and spectre v2 mitigations. + +Signed-off-by: Florian Fainelli +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cpu_errata.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index d9da4201ba858..799d62ef7a9bd 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -489,6 +489,7 @@ static const struct midr_range arm64_ssb_cpus[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), ++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), + {}, + }; + +@@ -573,6 +574,7 @@ static const struct midr_range spectre_v2_safe_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), ++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), + { /* sentinel */ } + }; + +-- +2.20.1 + diff --git a/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-errata-1009-.patch b/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-errata-1009-.patch new file mode 100644 index 00000000000..98450e0a975 --- /dev/null +++ b/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-errata-1009-.patch @@ -0,0 +1,81 @@ +From 1220aa19d1b1c55929cd1bde2638f39d96d94ac0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 16:27:38 -0700 +Subject: arm64: cpufeature: Enable Qualcomm Falkor errata 1009 for Kryo + +From: Bjorn Andersson + +[ Upstream commit 36c602dcdd872e9f9b91aae5266b6d7d72b69b96 ] + +The Kryo cores share errata 1009 with Falkor, so add their model +definitions and enable it for them as well. + +Signed-off-by: Bjorn Andersson +[will: Update entry in silicon-errata.rst] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 2 +- + arch/arm64/kernel/cpu_errata.c | 20 ++++++++++++++------ + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 6e52d334bc555..47feda6c15bcc 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -124,7 +124,7 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Qualcomm Tech. | Kryo/Falkor v1 | E1003 | QCOM_FALKOR_ERRATUM_1003 | + +----------------+-----------------+-----------------+-----------------------------+ +-| Qualcomm Tech. | Falkor v1 | E1009 | QCOM_FALKOR_ERRATUM_1009 | ++| Qualcomm Tech. | Kryo/Falkor v1 | E1009 | QCOM_FALKOR_ERRATUM_1009 | + +----------------+-----------------+-----------------+-----------------------------+ + | Qualcomm Tech. | QDF2400 ITS | E0065 | QCOM_QDF2400_ERRATUM_0065 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 1e0b9ae9bf7e2..4465be78ee466 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -659,17 +659,23 @@ static const struct midr_range arm64_harden_el2_vectors[] = { + #endif + + #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI +- +-static const struct midr_range arm64_repeat_tlbi_cpus[] = { ++static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + #ifdef CONFIG_QCOM_FALKOR_ERRATUM_1009 +- MIDR_RANGE(MIDR_QCOM_FALKOR_V1, 0, 0, 0, 0), ++ { ++ ERRATA_MIDR_REV(MIDR_QCOM_FALKOR_V1, 0, 0) ++ }, ++ { ++ .midr_range.model = MIDR_QCOM_KRYO, ++ .matches = is_kryo_midr, ++ }, + #endif + #ifdef CONFIG_ARM64_ERRATUM_1286807 +- MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0), ++ { ++ ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0), ++ }, + #endif + {}, + }; +- + #endif + + #ifdef CONFIG_CAVIUM_ERRATUM_27456 +@@ -825,7 +831,9 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + { + .desc = "Qualcomm erratum 1009, ARM erratum 1286807", + .capability = ARM64_WORKAROUND_REPEAT_TLBI, +- ERRATA_MIDR_RANGE_LIST(arm64_repeat_tlbi_cpus), ++ .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, ++ .matches = cpucap_multi_entry_cap_matches, ++ .match_list = arm64_repeat_tlbi_list, + }, + #endif + #ifdef CONFIG_ARM64_ERRATUM_858921 +-- +2.20.1 + diff --git a/queue-5.3/bonding-fix-unexpected-iff_bonding-bit-unset.patch b/queue-5.3/bonding-fix-unexpected-iff_bonding-bit-unset.patch new file mode 100644 index 00000000000..51560c424c7 --- /dev/null +++ b/queue-5.3/bonding-fix-unexpected-iff_bonding-bit-unset.patch @@ -0,0 +1,100 @@ +From 5d1394035eafeb93659575fe6ddb3871e71cb195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:47:52 +0000 +Subject: bonding: fix unexpected IFF_BONDING bit unset + +From: Taehee Yoo + +[ Upstream commit 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ] + +The IFF_BONDING means bonding master or bonding slave device. +->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets +IFF_BONDING flag. + +bond0<--bond1 + +Both bond0 and bond1 are bonding device and these should keep having +IFF_BONDING flag until they are removed. +But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine +do not check whether the slave device is the bonding type or not. +This patch adds the interface type check routine before removing +IFF_BONDING flag. + +Test commands: + ip link add bond0 type bond + ip link add bond1 type bond + ip link set bond1 master bond0 + ip link set bond1 nomaster + ip link del bond1 type bond + ip link add bond1 type bond + +Splat looks like: +[ 226.665555] proc_dir_entry 'bonding/bond1' already registered +[ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0 +[ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix +[ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96 +[ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0 +[ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e +0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00 +[ 226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282 +[ 226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2 +[ 226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c +[ 226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019 +[ 226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008 +[ 226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e +[ 226.680758] FS: 00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000 +[ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0 +[ 226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 226.685681] Call Trace: +[ 226.687089] proc_create_seq_private+0xb3/0xf0 +[ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding] +[ 226.691458] bond_netdev_event+0x433/0x970 [bonding] +[ 226.692139] ? __module_text_address+0x13/0x140 +[ 226.692779] notifier_call_chain+0x90/0x160 +[ 226.693401] register_netdevice+0x9b3/0xd80 +[ 226.694010] ? alloc_netdev_mqs+0x854/0xc10 +[ 226.694629] ? netdev_change_features+0xa0/0xa0 +[ 226.695278] ? rtnl_create_link+0x2ed/0xad0 +[ 226.695849] bond_newlink+0x2a/0x60 [bonding] +[ 226.696422] __rtnl_newlink+0xb9f/0x11b0 +[ 226.696968] ? rtnl_link_unregister+0x220/0x220 +[ ... ] + +Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 4edb69b1d1260..142c5126da759 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1816,7 +1816,8 @@ err_detach: + slave_disable_netpoll(new_slave); + + err_close: +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); + + err_restore_mac: +@@ -2017,7 +2018,8 @@ static int __bond_release_one(struct net_device *bond_dev, + else + dev_set_mtu(slave_dev, slave->original_mtu); + +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + + bond_free_slave(slave); + +-- +2.20.1 + diff --git a/queue-5.3/bonding-use-dynamic-lockdep-key-instead-of-subclass.patch b/queue-5.3/bonding-use-dynamic-lockdep-key-instead-of-subclass.patch new file mode 100644 index 00000000000..c32f957d740 --- /dev/null +++ b/queue-5.3/bonding-use-dynamic-lockdep-key-instead-of-subclass.patch @@ -0,0 +1,140 @@ +From c03680cf98565204860731ed9ff7af9a2c401517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:47:53 +0000 +Subject: bonding: use dynamic lockdep key instead of subclass + +From: Taehee Yoo + +[ Upstream commit 089bca2caed0d0dea7da235ce1fe245808f5ec02 ] + +All bonding device has same lockdep key and subclass is initialized with +nest_level. +But actual nest_level value can be changed when a lower device is attached. +And at this moment, the subclass should be updated but it seems to be +unsafe. +So this patch makes bonding use dynamic lockdep key instead of the +subclass. + +Test commands: + ip link add bond0 type bond + + for i in {1..5} + do + let A=$i-1 + ip link add bond$i type bond + ip link set bond$i master bond$A + done + ip link set bond5 master bond0 + +Splat looks like: +[ 307.992912] WARNING: possible recursive locking detected +[ 307.993656] 5.4.0-rc3+ #96 Tainted: G W +[ 307.994367] -------------------------------------------- +[ 307.995092] ip/761 is trying to acquire lock: +[ 307.995710] ffff8880513aac60 (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: bond_get_stats+0xb8/0x500 [bonding] +[ 307.997045] + but task is already holding lock: +[ 307.997923] ffff88805fcbac60 (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: bond_get_stats+0xb8/0x500 [bonding] +[ 307.999215] + other info that might help us debug this: +[ 308.000251] Possible unsafe locking scenario: + +[ 308.001137] CPU0 +[ 308.001533] ---- +[ 308.001915] lock(&(&bond->stats_lock)->rlock#2/2); +[ 308.002609] lock(&(&bond->stats_lock)->rlock#2/2); +[ 308.003302] + *** DEADLOCK *** + +[ 308.004310] May be due to missing lock nesting notation + +[ 308.005319] 3 locks held by ip/761: +[ 308.005830] #0: ffffffff9fcc42b0 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x466/0x8a0 +[ 308.006894] #1: ffff88805fcbac60 (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: bond_get_stats+0xb8/0x500 [bonding] +[ 308.008243] #2: ffffffff9f9219c0 (rcu_read_lock){....}, at: bond_get_stats+0x9f/0x500 [bonding] +[ 308.009422] + stack backtrace: +[ 308.010124] CPU: 0 PID: 761 Comm: ip Tainted: G W 5.4.0-rc3+ #96 +[ 308.011097] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 308.012179] Call Trace: +[ 308.012601] dump_stack+0x7c/0xbb +[ 308.013089] __lock_acquire+0x269d/0x3de0 +[ 308.013669] ? register_lock_class+0x14d0/0x14d0 +[ 308.014318] lock_acquire+0x164/0x3b0 +[ 308.014858] ? bond_get_stats+0xb8/0x500 [bonding] +[ 308.015520] _raw_spin_lock_nested+0x2e/0x60 +[ 308.016129] ? bond_get_stats+0xb8/0x500 [bonding] +[ 308.017215] bond_get_stats+0xb8/0x500 [bonding] +[ 308.018454] ? bond_arp_rcv+0xf10/0xf10 [bonding] +[ 308.019710] ? rcu_read_lock_held+0x90/0xa0 +[ 308.020605] ? rcu_read_lock_sched_held+0xc0/0xc0 +[ 308.021286] ? bond_get_stats+0x9f/0x500 [bonding] +[ 308.021953] dev_get_stats+0x1ec/0x270 +[ 308.022508] bond_get_stats+0x1d1/0x500 [bonding] + +Fixes: d3fff6c443fe ("net: add netdev_lockdep_set_classes() helper") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 10 +++++++--- + include/net/bonding.h | 1 + + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 142c5126da759..c3df99f8c3835 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3459,7 +3459,7 @@ static void bond_get_stats(struct net_device *bond_dev, + struct list_head *iter; + struct slave *slave; + +- spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev)); ++ spin_lock(&bond->stats_lock); + memcpy(stats, &bond->bond_stats, sizeof(*stats)); + + rcu_read_lock(); +@@ -4297,8 +4297,6 @@ void bond_setup(struct net_device *bond_dev) + { + struct bonding *bond = netdev_priv(bond_dev); + +- spin_lock_init(&bond->mode_lock); +- spin_lock_init(&bond->stats_lock); + bond->params = bonding_defaults; + + /* Initialize pointers */ +@@ -4367,6 +4365,7 @@ static void bond_uninit(struct net_device *bond_dev) + + list_del(&bond->bond_list); + ++ lockdep_unregister_key(&bond->stats_lock_key); + bond_debug_unregister(bond); + } + +@@ -4773,6 +4772,11 @@ static int bond_init(struct net_device *bond_dev) + bond->nest_level = SINGLE_DEPTH_NESTING; + netdev_lockdep_set_classes(bond_dev); + ++ spin_lock_init(&bond->mode_lock); ++ spin_lock_init(&bond->stats_lock); ++ lockdep_register_key(&bond->stats_lock_key); ++ lockdep_set_class(&bond->stats_lock, &bond->stats_lock_key); ++ + list_add_tail(&bond->bond_list, &bn->dev_list); + + bond_prepare_sysfs_group(bond); +diff --git a/include/net/bonding.h b/include/net/bonding.h +index d416af72404b5..be404b272d6b1 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -238,6 +238,7 @@ struct bonding { + struct dentry *debug_dir; + #endif /* CONFIG_DEBUG_FS */ + struct rtnl_link_stats64 bond_stats; ++ struct lock_class_key stats_lock_key; + }; + + #define bond_slave_get_rcu(dev) \ +-- +2.20.1 + diff --git a/queue-5.3/bpf-fix-use-after-free-in-bpf_get_prog_name.patch b/queue-5.3/bpf-fix-use-after-free-in-bpf_get_prog_name.patch new file mode 100644 index 00000000000..8a39a267d70 --- /dev/null +++ b/queue-5.3/bpf-fix-use-after-free-in-bpf_get_prog_name.patch @@ -0,0 +1,62 @@ +From 9086e16d1ebfa7562d29b9a38d39d987c9cc4c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 23:30:38 +0200 +Subject: bpf: Fix use after free in bpf_get_prog_name + +From: Daniel Borkmann + +[ Upstream commit 3b4d9eb2ee74dd5ea7fa36cffb0ca7f5bc4924da ] + +There is one more problematic case I noticed while recently fixing BPF kallsyms +handling in cd7455f1013e ("bpf: Fix use after free in subprog's jited symbol +removal") and that is bpf_get_prog_name(). + +If BTF has been attached to the prog, then we may be able to fetch the function +signature type id in kallsyms through prog->aux->func_info[prog->aux->func_idx].type_id. +However, while the BTF object itself is torn down via RCU callback, the prog's +aux->func_info is immediately freed via kvfree(prog->aux->func_info) once the +prog's refcount either hit zero or when subprograms were already exposed via +kallsyms and we hit the error path added in 5482e9a93c83 ("bpf: Fix memleak in +aux->func_info and aux->btf"). + +This violates RCU as well since kallsyms could be walked in parallel where we +could access aux->func_info. Hence, defer kvfree() to after RCU grace period. +Looking at ba64e7d85252 ("bpf: btf: support proper non-jit func info") there +is no reason/dependency where we couldn't defer the kvfree(aux->func_info) into +the RCU callback. + +Fixes: 5482e9a93c83 ("bpf: Fix memleak in aux->func_info and aux->btf") +Fixes: ba64e7d85252 ("bpf: btf: support proper non-jit func info") +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/875f2906a7c1a0691f2d567b4d8e4ea2739b1e88.1571779205.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index af5c60b07463e..aac966b32c42e 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1316,6 +1316,7 @@ static void __bpf_prog_put_rcu(struct rcu_head *rcu) + { + struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); + ++ kvfree(aux->func_info); + free_used_maps(aux); + bpf_prog_uncharge_memlock(aux->prog); + security_bpf_prog_free(aux); +@@ -1326,7 +1327,6 @@ static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred) + { + bpf_prog_kallsyms_del_all(prog); + btf_put(prog->aux->btf); +- kvfree(prog->aux->func_info); + bpf_prog_free_linfo(prog); + + if (deferred) +-- +2.20.1 + diff --git a/queue-5.3/bpf-fix-use-after-free-in-subprog-s-jited-symbol-rem.patch b/queue-5.3/bpf-fix-use-after-free-in-subprog-s-jited-symbol-rem.patch new file mode 100644 index 00000000000..29eaa54d351 --- /dev/null +++ b/queue-5.3/bpf-fix-use-after-free-in-subprog-s-jited-symbol-rem.patch @@ -0,0 +1,160 @@ +From ccd62258be2ef9ae7bc4c7b56bf1cbb8a44caad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 15:57:23 +0200 +Subject: bpf: Fix use after free in subprog's jited symbol removal + +From: Daniel Borkmann + +[ Upstream commit cd7455f1013ef96d5cbf5c05d2b7c06f273810a6 ] + +syzkaller managed to trigger the following crash: + + [...] + BUG: unable to handle page fault for address: ffffc90001923030 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD aa551067 P4D aa551067 PUD aa552067 PMD a572b067 PTE 80000000a1173163 + Oops: 0000 [#1] PREEMPT SMP KASAN + CPU: 0 PID: 7982 Comm: syz-executor912 Not tainted 5.4.0-rc3+ #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:bpf_jit_binary_hdr include/linux/filter.h:787 [inline] + RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:531 [inline] + RIP: 0010:bpf_tree_comp kernel/bpf/core.c:600 [inline] + RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline] + RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline] + RIP: 0010:bpf_prog_kallsyms_find kernel/bpf/core.c:674 [inline] + RIP: 0010:is_bpf_text_address+0x184/0x3b0 kernel/bpf/core.c:709 + [...] + Call Trace: + kernel_text_address kernel/extable.c:147 [inline] + __kernel_text_address+0x9a/0x110 kernel/extable.c:102 + unwind_get_return_address+0x4c/0x90 arch/x86/kernel/unwind_frame.c:19 + arch_stack_walk+0x98/0xe0 arch/x86/kernel/stacktrace.c:26 + stack_trace_save+0xb6/0x150 kernel/stacktrace.c:123 + save_stack mm/kasan/common.c:69 [inline] + set_track mm/kasan/common.c:77 [inline] + __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510 + kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518 + slab_post_alloc_hook mm/slab.h:584 [inline] + slab_alloc mm/slab.c:3319 [inline] + kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483 + getname_flags+0xba/0x640 fs/namei.c:138 + getname+0x19/0x20 fs/namei.c:209 + do_sys_open+0x261/0x560 fs/open.c:1091 + __do_sys_open fs/open.c:1115 [inline] + __se_sys_open fs/open.c:1110 [inline] + __x64_sys_open+0x87/0x90 fs/open.c:1110 + do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + [...] + +After further debugging it turns out that we walk kallsyms while in parallel +we tear down a BPF program which contains subprograms that have been JITed +though the program itself has not been fully exposed and is eventually bailing +out with error. + +The bpf_prog_kallsyms_del_subprogs() in bpf_prog_load()'s error path removes +the symbols, however, bpf_prog_free() tears down the JIT memory too early via +scheduled work. Instead, it needs to properly respect RCU grace period as the +kallsyms walk for BPF is under RCU. + +Fix it by refactoring __bpf_prog_put()'s tear down and reuse it in our error +path where we defer final destruction when we have subprogs in the program. + +Fixes: 7d1982b4e335 ("bpf: fix panic in prog load calls cleanup") +Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs") +Reported-by: syzbot+710043c5d1d5b5013bc7@syzkaller.appspotmail.com +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Tested-by: syzbot+710043c5d1d5b5013bc7@syzkaller.appspotmail.com +Link: https://lore.kernel.org/bpf/55f6367324c2d7e9583fa9ccf5385dcbba0d7a6e.1571752452.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 1 - + kernel/bpf/core.c | 2 +- + kernel/bpf/syscall.c | 31 ++++++++++++++++++++----------- + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 92c6e31fb008e..38716f93825f4 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -1099,7 +1099,6 @@ static inline void bpf_get_prog_name(const struct bpf_prog *prog, char *sym) + + #endif /* CONFIG_BPF_JIT */ + +-void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp); + void bpf_prog_kallsyms_del_all(struct bpf_prog *fp); + + #define BPF_ANC BIT(15) +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 66088a9e9b9e2..ef0e1e3e66f4a 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -502,7 +502,7 @@ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt) + return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false)); + } + +-void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp) ++static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp) + { + int i; + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 272071e9112f3..af5c60b07463e 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1322,18 +1322,26 @@ static void __bpf_prog_put_rcu(struct rcu_head *rcu) + bpf_prog_free(aux->prog); + } + ++static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred) ++{ ++ bpf_prog_kallsyms_del_all(prog); ++ btf_put(prog->aux->btf); ++ kvfree(prog->aux->func_info); ++ bpf_prog_free_linfo(prog); ++ ++ if (deferred) ++ call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu); ++ else ++ __bpf_prog_put_rcu(&prog->aux->rcu); ++} ++ + static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock) + { + if (atomic_dec_and_test(&prog->aux->refcnt)) { + perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0); + /* bpf_prog_free_id() must be called first */ + bpf_prog_free_id(prog, do_idr_lock); +- bpf_prog_kallsyms_del_all(prog); +- btf_put(prog->aux->btf); +- kvfree(prog->aux->func_info); +- bpf_prog_free_linfo(prog); +- +- call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu); ++ __bpf_prog_put_noref(prog, true); + } + } + +@@ -1730,11 +1738,12 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr) + return err; + + free_used_maps: +- bpf_prog_free_linfo(prog); +- kvfree(prog->aux->func_info); +- btf_put(prog->aux->btf); +- bpf_prog_kallsyms_del_subprogs(prog); +- free_used_maps(prog->aux); ++ /* In case we have subprogs, we need to wait for a grace ++ * period before we can tear down JIT memory since symbols ++ * are already exposed under kallsyms. ++ */ ++ __bpf_prog_put_noref(prog, prog->aux->func_cnt); ++ return err; + free_prog: + bpf_prog_uncharge_memlock(prog); + free_prog_sec: +-- +2.20.1 + diff --git a/queue-5.3/bpf-lwtunnel-fix-reroute-supplying-invalid-dst.patch b/queue-5.3/bpf-lwtunnel-fix-reroute-supplying-invalid-dst.patch new file mode 100644 index 00000000000..fbb3c82d0d4 --- /dev/null +++ b/queue-5.3/bpf-lwtunnel-fix-reroute-supplying-invalid-dst.patch @@ -0,0 +1,57 @@ +From d61d5b862ab8a1c6229ad30035f3328d5692abd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 10:31:24 +0200 +Subject: bpf: lwtunnel: Fix reroute supplying invalid dst + +From: Jiri Benc + +[ Upstream commit 9e8acd9c44a0dd52b2922eeb82398c04e356c058 ] + +The dst in bpf_input() has lwtstate field set. As it is of the +LWTUNNEL_ENCAP_BPF type, lwtstate->data is struct bpf_lwt. When the bpf +program returns BPF_LWT_REROUTE, ip_route_input_noref is directly called on +this skb. This causes invalid memory access, as ip_route_input_slow calls +skb_tunnel_info(skb) that expects the dst->lwstate->data to be +struct ip_tunnel_info. This results to struct bpf_lwt being accessed as +struct ip_tunnel_info. + +Drop the dst before calling the IP route input functions (both for IPv4 and +IPv6). + +Reported by KASAN. + +Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c") +Signed-off-by: Jiri Benc +Signed-off-by: Alexei Starovoitov +Acked-by: Peter Oskolkov +Link: https://lore.kernel.org/bpf/111664d58fe4e9dd9c8014bb3d0b2dab93086a9e.1570609794.git.jbenc@redhat.com +Signed-off-by: Sasha Levin +--- + net/core/lwt_bpf.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c +index f93785e5833c1..74cfb8b5ab330 100644 +--- a/net/core/lwt_bpf.c ++++ b/net/core/lwt_bpf.c +@@ -88,11 +88,16 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb) + int err = -EINVAL; + + if (skb->protocol == htons(ETH_P_IP)) { ++ struct net_device *dev = skb_dst(skb)->dev; + struct iphdr *iph = ip_hdr(skb); + ++ dev_hold(dev); ++ skb_dst_drop(skb); + err = ip_route_input_noref(skb, iph->daddr, iph->saddr, +- iph->tos, skb_dst(skb)->dev); ++ iph->tos, dev); ++ dev_put(dev); + } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ skb_dst_drop(skb); + err = ipv6_stub->ipv6_route_input(skb); + } else { + err = -EAFNOSUPPORT; +-- +2.20.1 + diff --git a/queue-5.3/clk-imx8m-use-sys_pll1_800m-as-intermediate-parent-o.patch b/queue-5.3/clk-imx8m-use-sys_pll1_800m-as-intermediate-parent-o.patch new file mode 100644 index 00000000000..df71d36f7d0 --- /dev/null +++ b/queue-5.3/clk-imx8m-use-sys_pll1_800m-as-intermediate-parent-o.patch @@ -0,0 +1,51 @@ +From 3b80bfbdf34e191f7837a60339d3a8559ddfb89d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 22:21:28 +0300 +Subject: clk: imx8m: Use SYS_PLL1_800M as intermediate parent of CLK_ARM + +From: Leonard Crestez + +[ Upstream commit b234fe9558615098d8d62516e7041ad7f99ebcea ] + +During cpu frequency switching the main "CLK_ARM" is reparented to an +intermediate "step" clock. On imx8mm and imx8mn the 24M oscillator is +used for this purpose but it is extremely slow, increasing wakeup +latencies to the point that i2c transactions can timeout and system +becomes unresponsive. + +Fix by switching the "step" clk to SYS_PLL1_800M, matching the behavior +of imx8m cpufreq drivers in imx vendor tree. + +This bug was not immediately apparent because upstream arm64 defconfig +uses the "performance" governor by default so no cpufreq transitions +happen. + +Fixes: ba5625c3e272 ("clk: imx: Add clock driver support for imx8mm") +Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver") + +Cc: stable@vger.kernel.org +Signed-off-by: Leonard Crestez +Link: https://lkml.kernel.org/r/f5d2b9c53f1ed5ccb1dd3c6624f56759d92e1689.1571771777.git.leonard.crestez@nxp.com +Acked-by: Shawn Guo +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx8mm.c b/drivers/clk/imx/clk-imx8mm.c +index 6f46bcb1d6432..59ce93691e970 100644 +--- a/drivers/clk/imx/clk-imx8mm.c ++++ b/drivers/clk/imx/clk-imx8mm.c +@@ -666,7 +666,7 @@ static int __init imx8mm_clocks_init(struct device_node *ccm_node) + clks[IMX8MM_CLK_A53_DIV], + clks[IMX8MM_CLK_A53_SRC], + clks[IMX8MM_ARM_PLL_OUT], +- clks[IMX8MM_CLK_24M]); ++ clks[IMX8MM_SYS_PLL1_800M]); + + imx_check_clocks(clks, ARRAY_SIZE(clks)); + +-- +2.20.1 + diff --git a/queue-5.3/dc.c-use-kzalloc-without-test.patch b/queue-5.3/dc.c-use-kzalloc-without-test.patch new file mode 100644 index 00000000000..df3cf1f5c04 --- /dev/null +++ b/queue-5.3/dc.c-use-kzalloc-without-test.patch @@ -0,0 +1,37 @@ +From dfd2ae46dd15278c07664bf3bb8a30ac65e91246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 16:32:23 +0800 +Subject: dc.c:use kzalloc without test + +From: zhongshiqi + +[ Upstream commit 364593f3ee5fdefc6efd89475e1804c928b4e6ba ] + +dc.c:583:null check is needed after using kzalloc function + +Reviewed-by: Harry Wentland +Signed-off-by: zhongshiqi +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 730f97ba8dbbe..dd4731ab935cd 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -566,6 +566,10 @@ static bool construct(struct dc *dc, + #ifdef CONFIG_DRM_AMD_DC_DCN2_0 + // Allocate memory for the vm_helper + dc->vm_helper = kzalloc(sizeof(struct vm_helper), GFP_KERNEL); ++ if (!dc->vm_helper) { ++ dm_error("%s: failed to create dc->vm_helper\n", __func__); ++ goto fail; ++ } + + #endif + memcpy(&dc->bb_overrides, &init_params->bb_overrides, sizeof(dc->bb_overrides)); +-- +2.20.1 + diff --git a/queue-5.3/dmaengine-sprd-fix-the-link-list-pointer-register-co.patch b/queue-5.3/dmaengine-sprd-fix-the-link-list-pointer-register-co.patch new file mode 100644 index 00000000000..5c0550cd92d --- /dev/null +++ b/queue-5.3/dmaengine-sprd-fix-the-link-list-pointer-register-co.patch @@ -0,0 +1,76 @@ +From 13ecb4cdd688c866e93c366c0a4b1d355e7ad0eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2019 13:47:18 +0800 +Subject: dmaengine: sprd: Fix the link-list pointer register configuration + issue + +From: Zhenfang Wang + +[ Upstream commit 8b6bc5fd71e677864d1a3b896b3069a6e0c5e214 ] + +We will set the link-list pointer register point to next link-list +configuration's physical address, which can load DMA configuration +from the link-list node automatically. + +But the link-list node's physical address can be larger than 32bits, +and now Spreadtrum DMA driver only supports 32bits physical address, +which may cause loading a incorrect DMA configuration when starting +the link-list transfer mode. According to the DMA datasheet, we can +use SRC_BLK_STEP register (bit28 - bit31) to save the high bits of the +link-list node's physical address to fix this issue. + +Fixes: 4ac695464763 ("dmaengine: sprd: Support DMA link-list mode") +Signed-off-by: Zhenfang Wang +Signed-off-by: Baolin Wang +Link: https://lore.kernel.org/r/eadfe9295499efa003e1c344e67e2890f9d1d780.1568267061.git.baolin.wang@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sprd-dma.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c +index 525dc7338fe3b..a4a91f233121a 100644 +--- a/drivers/dma/sprd-dma.c ++++ b/drivers/dma/sprd-dma.c +@@ -134,6 +134,10 @@ + #define SPRD_DMA_SRC_TRSF_STEP_OFFSET 0 + #define SPRD_DMA_TRSF_STEP_MASK GENMASK(15, 0) + ++/* SPRD DMA_SRC_BLK_STEP register definition */ ++#define SPRD_DMA_LLIST_HIGH_MASK GENMASK(31, 28) ++#define SPRD_DMA_LLIST_HIGH_SHIFT 28 ++ + /* define DMA channel mode & trigger mode mask */ + #define SPRD_DMA_CHN_MODE_MASK GENMASK(7, 0) + #define SPRD_DMA_TRG_MODE_MASK GENMASK(7, 0) +@@ -717,6 +721,7 @@ static int sprd_dma_fill_desc(struct dma_chan *chan, + u32 int_mode = flags & SPRD_DMA_INT_MASK; + int src_datawidth, dst_datawidth, src_step, dst_step; + u32 temp, fix_mode = 0, fix_en = 0; ++ phys_addr_t llist_ptr; + + if (dir == DMA_MEM_TO_DEV) { + src_step = sprd_dma_get_step(slave_cfg->src_addr_width); +@@ -814,13 +819,16 @@ static int sprd_dma_fill_desc(struct dma_chan *chan, + * Set the link-list pointer point to next link-list + * configuration's physical address. + */ +- hw->llist_ptr = schan->linklist.phy_addr + temp; ++ llist_ptr = schan->linklist.phy_addr + temp; ++ hw->llist_ptr = lower_32_bits(llist_ptr); ++ hw->src_blk_step = (upper_32_bits(llist_ptr) << SPRD_DMA_LLIST_HIGH_SHIFT) & ++ SPRD_DMA_LLIST_HIGH_MASK; + } else { + hw->llist_ptr = 0; ++ hw->src_blk_step = 0; + } + + hw->frg_step = 0; +- hw->src_blk_step = 0; + hw->des_blk_step = 0; + return 0; + } +-- +2.20.1 + diff --git a/queue-5.3/dmaengine-sprd-fix-the-possible-memory-leak-issue.patch b/queue-5.3/dmaengine-sprd-fix-the-possible-memory-leak-issue.patch new file mode 100644 index 00000000000..2a85cb83773 --- /dev/null +++ b/queue-5.3/dmaengine-sprd-fix-the-possible-memory-leak-issue.patch @@ -0,0 +1,87 @@ +From e8fe78e339654d990d80cb70a220d4639282f4b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 17:11:30 +0800 +Subject: dmaengine: sprd: Fix the possible memory leak issue + +From: Baolin Wang + +[ Upstream commit ec1ac309596a7bdf206743b092748205f6cd5720 ] + +If we terminate the channel to free all descriptors associated with this +channel, we will leak the memory of current descriptor if the current +descriptor is not completed, since it had been deteled from the desc_issued +list and have not been added into the desc_completed list. + +Thus we should check if current descriptor is completed or not, when freeing +the descriptors associated with one channel, if not, we should free it to +avoid this issue. + +Fixes: 9b3b8171f7f4 ("dmaengine: sprd: Add Spreadtrum DMA driver") +Reported-by: Zhenfang Wang +Tested-by: Zhenfang Wang +Signed-off-by: Baolin Wang +Link: https://lore.kernel.org/r/170dbbc6d5366b6fa974ce2d366652e23a334251.1570609788.git.baolin.wang@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sprd-dma.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c +index a4a91f233121a..8546ad0347208 100644 +--- a/drivers/dma/sprd-dma.c ++++ b/drivers/dma/sprd-dma.c +@@ -212,6 +212,7 @@ struct sprd_dma_dev { + struct sprd_dma_chn channels[0]; + }; + ++static void sprd_dma_free_desc(struct virt_dma_desc *vd); + static bool sprd_dma_filter_fn(struct dma_chan *chan, void *param); + static struct of_dma_filter_info sprd_dma_info = { + .filter_fn = sprd_dma_filter_fn, +@@ -613,12 +614,19 @@ static int sprd_dma_alloc_chan_resources(struct dma_chan *chan) + static void sprd_dma_free_chan_resources(struct dma_chan *chan) + { + struct sprd_dma_chn *schan = to_sprd_dma_chan(chan); ++ struct virt_dma_desc *cur_vd = NULL; + unsigned long flags; + + spin_lock_irqsave(&schan->vc.lock, flags); ++ if (schan->cur_desc) ++ cur_vd = &schan->cur_desc->vd; ++ + sprd_dma_stop(schan); + spin_unlock_irqrestore(&schan->vc.lock, flags); + ++ if (cur_vd) ++ sprd_dma_free_desc(cur_vd); ++ + vchan_free_chan_resources(&schan->vc); + pm_runtime_put(chan->device->dev); + } +@@ -1031,15 +1039,22 @@ static int sprd_dma_resume(struct dma_chan *chan) + static int sprd_dma_terminate_all(struct dma_chan *chan) + { + struct sprd_dma_chn *schan = to_sprd_dma_chan(chan); ++ struct virt_dma_desc *cur_vd = NULL; + unsigned long flags; + LIST_HEAD(head); + + spin_lock_irqsave(&schan->vc.lock, flags); ++ if (schan->cur_desc) ++ cur_vd = &schan->cur_desc->vd; ++ + sprd_dma_stop(schan); + + vchan_get_all_descriptors(&schan->vc, &head); + spin_unlock_irqrestore(&schan->vc.lock, flags); + ++ if (cur_vd) ++ sprd_dma_free_desc(cur_vd); ++ + vchan_dma_desc_free_list(&schan->vc, &head); + return 0; + } +-- +2.20.1 + diff --git a/queue-5.3/dmaengine-xilinx_dma-fix-64-bit-simple-axidma-transf.patch b/queue-5.3/dmaengine-xilinx_dma-fix-64-bit-simple-axidma-transf.patch new file mode 100644 index 00000000000..2eb3051b103 --- /dev/null +++ b/queue-5.3/dmaengine-xilinx_dma-fix-64-bit-simple-axidma-transf.patch @@ -0,0 +1,38 @@ +From 7777331f675434025c9da97f5c9e71c68076bceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 16:20:57 +0530 +Subject: dmaengine: xilinx_dma: Fix 64-bit simple AXIDMA transfer + +From: Radhey Shyam Pandey + +[ Upstream commit 68fe2b520cee829ed518b4b1f64d2a557bcbffe1 ] + +In AXI DMA simple mode also pass MSB bits of source and destination +address to xilinx_write function. It fixes simple AXI DMA operation +mode using 64-bit addressing. + +Signed-off-by: Radhey Shyam Pandey +Link: https://lore.kernel.org/r/1569495060-18117-2-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index e7dc3c4dc8e07..1fbe0258578b0 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -1354,7 +1354,8 @@ static void xilinx_dma_start_transfer(struct xilinx_dma_chan *chan) + node); + hw = &segment->hw; + +- xilinx_write(chan, XILINX_DMA_REG_SRCDSTADDR, hw->buf_addr); ++ xilinx_write(chan, XILINX_DMA_REG_SRCDSTADDR, ++ xilinx_prep_dma_addr_t(hw->buf_addr)); + + /* Start the transfer */ + dma_ctrl_write(chan, XILINX_DMA_REG_BTT, +-- +2.20.1 + diff --git a/queue-5.3/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch b/queue-5.3/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch new file mode 100644 index 00000000000..7d1e4e048d6 --- /dev/null +++ b/queue-5.3/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch @@ -0,0 +1,66 @@ +From 1d73c5af5b5f7cf3553ce9b564d5901297e40ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 16:20:58 +0530 +Subject: dmaengine: xilinx_dma: Fix control reg update in + vdma_channel_set_config + +From: Radhey Shyam Pandey + +[ Upstream commit 6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ] + +In vdma_channel_set_config clear the delay, frame count and master mask +before updating their new values. It avoids programming incorrect state +when input parameters are different from default. + +Signed-off-by: Radhey Shyam Pandey +Acked-by: Appana Durga Kedareswara rao +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 1fbe0258578b0..5d56f1e4d332c 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -68,6 +68,9 @@ + #define XILINX_DMA_DMACR_CIRC_EN BIT(1) + #define XILINX_DMA_DMACR_RUNSTOP BIT(0) + #define XILINX_DMA_DMACR_FSYNCSRC_MASK GENMASK(6, 5) ++#define XILINX_DMA_DMACR_DELAY_MASK GENMASK(31, 24) ++#define XILINX_DMA_DMACR_FRAME_COUNT_MASK GENMASK(23, 16) ++#define XILINX_DMA_DMACR_MASTER_MASK GENMASK(11, 8) + + #define XILINX_DMA_REG_DMASR 0x0004 + #define XILINX_DMA_DMASR_EOL_LATE_ERR BIT(15) +@@ -2118,8 +2121,10 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan, + chan->config.gen_lock = cfg->gen_lock; + chan->config.master = cfg->master; + ++ dmacr &= ~XILINX_DMA_DMACR_GENLOCK_EN; + if (cfg->gen_lock && chan->genlock) { + dmacr |= XILINX_DMA_DMACR_GENLOCK_EN; ++ dmacr &= ~XILINX_DMA_DMACR_MASTER_MASK; + dmacr |= cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT; + } + +@@ -2135,11 +2140,13 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan, + chan->config.delay = cfg->delay; + + if (cfg->coalesc <= XILINX_DMA_DMACR_FRAME_COUNT_MAX) { ++ dmacr &= ~XILINX_DMA_DMACR_FRAME_COUNT_MASK; + dmacr |= cfg->coalesc << XILINX_DMA_DMACR_FRAME_COUNT_SHIFT; + chan->config.coalesc = cfg->coalesc; + } + + if (cfg->delay <= XILINX_DMA_DMACR_DELAY_MAX) { ++ dmacr &= ~XILINX_DMA_DMACR_DELAY_MASK; + dmacr |= cfg->delay << XILINX_DMA_DMACR_DELAY_SHIFT; + chan->config.delay = cfg->delay; + } +-- +2.20.1 + diff --git a/queue-5.3/drm-amd-display-add-50us-buffer-as-wa-for-pstate-swi.patch b/queue-5.3/drm-amd-display-add-50us-buffer-as-wa-for-pstate-swi.patch new file mode 100644 index 00000000000..802d3e2564e --- /dev/null +++ b/queue-5.3/drm-amd-display-add-50us-buffer-as-wa-for-pstate-swi.patch @@ -0,0 +1,35 @@ +From 2845a638d9cf985c7e465e94746befde1aa6e5ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 17:43:45 -0400 +Subject: drm/amd/display: add 50us buffer as WA for pstate switch in active + +From: Jun Lei + +[ Upstream commit 7c37d399c2b84d4b79de4d512a38373f1d71ab90 ] + +Signed-off-by: Jun Lei +Reviewed-by: Aric Cyr +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c +index 649883777f62a..6c6c486b774a4 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c +@@ -2577,7 +2577,8 @@ static void dml20_DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPer + mode_lib->vba.MinActiveDRAMClockChangeMargin + + mode_lib->vba.DRAMClockChangeLatency; + +- if (mode_lib->vba.MinActiveDRAMClockChangeMargin > 0) { ++ if (mode_lib->vba.MinActiveDRAMClockChangeMargin > 50) { ++ mode_lib->vba.DRAMClockChangeWatermark += 25; + mode_lib->vba.DRAMClockChangeSupport[0][0] = dm_dram_clock_change_vactive; + } else { + if (mode_lib->vba.SynchronizedVBlank || mode_lib->vba.NumberOfActivePlanes == 1) { +-- +2.20.1 + diff --git a/queue-5.3/drm-amd-display-do-not-synchronize-drr-displays.patch b/queue-5.3/drm-amd-display-do-not-synchronize-drr-displays.patch new file mode 100644 index 00000000000..1abc1e313c4 --- /dev/null +++ b/queue-5.3/drm-amd-display-do-not-synchronize-drr-displays.patch @@ -0,0 +1,58 @@ +From d8c545c27dfab4bec04b8fa429896aeac5f5e767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 15:09:53 -0400 +Subject: drm/amd/display: do not synchronize "drr" displays + +From: Jun Lei + +[ Upstream commit 8775e89fa7121535d2da738c95167b8c65aa6e90 ] + +[why] +A display that supports DRR can never really be considered +"synchronized" with any other display because we can dynamically +enable DRR (i.e. without modeset). this will cause their +relative CRTC positions to drift and lose sync. this will disrupt +features such as MCLK switching that assume and depend on +their permanent alignment (that can only change with modeset) + +[how] +check for ignore_msa in stream when considered synchronizability +this ignore_msa is basically actually implemented as "supports drr" + +Signed-off-by: Jun Lei +Reviewed-by: Yongqiang Sun +Acked-by: Anthony Koo +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 68db60e4caf32..d1a33e04570f4 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -394,6 +394,9 @@ bool resource_are_streams_timing_synchronizable( + if (stream1->view_format != stream2->view_format) + return false; + ++ if (stream1->ignore_msa_timing_param || stream2->ignore_msa_timing_param) ++ return false; ++ + return true; + } + static bool is_dp_and_hdmi_sharable( +@@ -1566,6 +1569,9 @@ bool dc_is_stream_unchanged( + if (!are_stream_backends_same(old_stream, stream)) + return false; + ++ if (old_stream->ignore_msa_timing_param != stream->ignore_msa_timing_param) ++ return false; ++ + return true; + } + +-- +2.20.1 + diff --git a/queue-5.3/drm-amd-display-passive-dp-hdmi-dongle-detection-fix.patch b/queue-5.3/drm-amd-display-passive-dp-hdmi-dongle-detection-fix.patch new file mode 100644 index 00000000000..214bf1b4756 --- /dev/null +++ b/queue-5.3/drm-amd-display-passive-dp-hdmi-dongle-detection-fix.patch @@ -0,0 +1,72 @@ +From aab3c324312a121bafa2153838be9827f09f59b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 11:54:15 -0400 +Subject: drm/amd/display: Passive DP->HDMI dongle detection fix + +From: Michael Strauss + +[ Upstream commit bc2fde42e2418808dbfc04de1a6da91d7d31cf1a ] + +[WHY] +i2c_read is called to differentiate passive DP->HDMI and DP->DVI-D dongles +The call is expected to fail in DVI-D case but pass in HDMI case +Some HDMI dongles have a chance to fail as well, causing misdetection as DVI-D + +[HOW] +Retry i2c_read to ensure failed result is valid + +Signed-off-by: Michael Strauss +Reviewed-by: Tony Cheng +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/core/dc_link_ddc.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c +index e6da8506128bd..623c1ab4d3db2 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c +@@ -374,6 +374,7 @@ void dal_ddc_service_i2c_query_dp_dual_mode_adaptor( + enum display_dongle_type *dongle = &sink_cap->dongle_type; + uint8_t type2_dongle_buf[DP_ADAPTOR_TYPE2_SIZE]; + bool is_type2_dongle = false; ++ int retry_count = 2; + struct dp_hdmi_dongle_signature_data *dongle_signature; + + /* Assume we have no valid DP passive dongle connected */ +@@ -386,13 +387,24 @@ void dal_ddc_service_i2c_query_dp_dual_mode_adaptor( + DP_HDMI_DONGLE_ADDRESS, + type2_dongle_buf, + sizeof(type2_dongle_buf))) { +- *dongle = DISPLAY_DONGLE_DP_DVI_DONGLE; +- sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_DVI_MAX_TMDS_CLK; ++ /* Passive HDMI dongles can sometimes fail here without retrying*/ ++ while (retry_count > 0) { ++ if (i2c_read(ddc, ++ DP_HDMI_DONGLE_ADDRESS, ++ type2_dongle_buf, ++ sizeof(type2_dongle_buf))) ++ break; ++ retry_count--; ++ } ++ if (retry_count == 0) { ++ *dongle = DISPLAY_DONGLE_DP_DVI_DONGLE; ++ sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_DVI_MAX_TMDS_CLK; + +- CONN_DATA_DETECT(ddc->link, type2_dongle_buf, sizeof(type2_dongle_buf), +- "DP-DVI passive dongle %dMhz: ", +- DP_ADAPTOR_DVI_MAX_TMDS_CLK / 1000); +- return; ++ CONN_DATA_DETECT(ddc->link, type2_dongle_buf, sizeof(type2_dongle_buf), ++ "DP-DVI passive dongle %dMhz: ", ++ DP_ADAPTOR_DVI_MAX_TMDS_CLK / 1000); ++ return; ++ } + } + + /* Check if Type 2 dongle.*/ +-- +2.20.1 + diff --git a/queue-5.3/drm-amdgpu-if-amdgpu_ib_schedule-fails-return-back-t.patch b/queue-5.3/drm-amdgpu-if-amdgpu_ib_schedule-fails-return-back-t.patch new file mode 100644 index 00000000000..d02d83118f4 --- /dev/null +++ b/queue-5.3/drm-amdgpu-if-amdgpu_ib_schedule-fails-return-back-t.patch @@ -0,0 +1,47 @@ +From 290ee0c27007b866a3141f67afc4c3f8ed3b67b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 15:44:10 -0400 +Subject: drm/amdgpu: If amdgpu_ib_schedule fails return back the error. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Grodzovsky + +[ Upstream commit 57c0f58e9f562089de5f0b60da103677d232374c ] + +Use ERR_PTR to return back the error happened during amdgpu_ib_schedule. + +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +index 9d76e0923a5a3..96b2a31ccfed3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -218,7 +218,7 @@ static struct dma_fence *amdgpu_job_run(struct drm_sched_job *sched_job) + struct amdgpu_ring *ring = to_amdgpu_ring(sched_job->sched); + struct dma_fence *fence = NULL, *finished; + struct amdgpu_job *job; +- int r; ++ int r = 0; + + job = to_amdgpu_job(sched_job); + finished = &job->base.s_fence->finished; +@@ -243,6 +243,8 @@ static struct dma_fence *amdgpu_job_run(struct drm_sched_job *sched_job) + job->fence = dma_fence_get(fence); + + amdgpu_job_free_resources(job); ++ ++ fence = r ? ERR_PTR(r) : fence; + return fence; + } + +-- +2.20.1 + diff --git a/queue-5.3/drm-amdgpu-sdma5-do-not-execute-0-sized-ibs-v2.patch b/queue-5.3/drm-amdgpu-sdma5-do-not-execute-0-sized-ibs-v2.patch new file mode 100644 index 00000000000..7d610ef9a9f --- /dev/null +++ b/queue-5.3/drm-amdgpu-sdma5-do-not-execute-0-sized-ibs-v2.patch @@ -0,0 +1,39 @@ +From 69174cf50157c45badf26321d8d6c73e2420d7de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 19:22:11 +0200 +Subject: drm/amdgpu/sdma5: do not execute 0-sized IBs (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Eric Pelloux-Prayer + +[ Upstream commit 9bdf63d3579e36942f4b91d3558a90da8116bb40 ] + +This seems to help with https://bugs.freedesktop.org/show_bug.cgi?id=111481. + +v2: insert a NOP instead of skipping all 0-sized IBs to avoid breaking older hw + +Signed-off-by: Pierre-Eric Pelloux-Prayer +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +index 5eeb72fcc123a..6a51e6a4a035b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +@@ -264,6 +264,7 @@ static void gmc_v10_0_flush_gpu_tlb(struct amdgpu_device *adev, + + job->vm_pd_addr = amdgpu_gmc_pd_addr(adev->gart.bo); + job->vm_needs_flush = true; ++ job->ibs->ptr[job->ibs->length_dw++] = ring->funcs->nop; + amdgpu_ring_pad_ib(ring, &job->ibs[0]); + r = amdgpu_job_submit(job, &adev->mman.entity, + AMDGPU_FENCE_OWNER_UNDEFINED, &fence); +-- +2.20.1 + diff --git a/queue-5.3/drm-sched-set-error-to-s_fence-if-hw-job-submission-.patch b/queue-5.3/drm-sched-set-error-to-s_fence-if-hw-job-submission-.patch new file mode 100644 index 00000000000..46effb976fd --- /dev/null +++ b/queue-5.3/drm-sched-set-error-to-s_fence-if-hw-job-submission-.patch @@ -0,0 +1,85 @@ +From 9ea2418b793977a997a02fde20b747e774755416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 15:39:06 -0400 +Subject: drm/sched: Set error to s_fence if HW job submission failed. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Grodzovsky + +[ Upstream commit 167bf96014a095753053595f3224fcdeb49ac3c8 ] + +Problem: +When run_job fails and HW fence returned is NULL we still signal +the s_fence to avoid hangs but the user has no way of knowing if +the actual HW job was ran and finished. + +Fix: +Allow .run_job implementations to return ERR_PTR in the fence pointer +returned and then set this error for s_fence->finished fence so whoever +wait on this fence can inspect the signaled fence for an error. + +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/scheduler/sched_main.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c +index c1058eece16b4..27e6449da24ad 100644 +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -478,6 +478,7 @@ void drm_sched_resubmit_jobs(struct drm_gpu_scheduler *sched) + struct drm_sched_job *s_job, *tmp; + uint64_t guilty_context; + bool found_guilty = false; ++ struct dma_fence *fence; + + list_for_each_entry_safe(s_job, tmp, &sched->ring_mirror_list, node) { + struct drm_sched_fence *s_fence = s_job->s_fence; +@@ -491,7 +492,16 @@ void drm_sched_resubmit_jobs(struct drm_gpu_scheduler *sched) + dma_fence_set_error(&s_fence->finished, -ECANCELED); + + dma_fence_put(s_job->s_fence->parent); +- s_job->s_fence->parent = sched->ops->run_job(s_job); ++ fence = sched->ops->run_job(s_job); ++ ++ if (IS_ERR_OR_NULL(fence)) { ++ s_job->s_fence->parent = NULL; ++ dma_fence_set_error(&s_fence->finished, PTR_ERR(fence)); ++ } else { ++ s_job->s_fence->parent = fence; ++ } ++ ++ + } + } + EXPORT_SYMBOL(drm_sched_resubmit_jobs); +@@ -719,7 +729,7 @@ static int drm_sched_main(void *param) + fence = sched->ops->run_job(sched_job); + drm_sched_fence_scheduled(s_fence); + +- if (fence) { ++ if (!IS_ERR_OR_NULL(fence)) { + s_fence->parent = dma_fence_get(fence); + r = dma_fence_add_callback(fence, &sched_job->cb, + drm_sched_process_job); +@@ -729,8 +739,11 @@ static int drm_sched_main(void *param) + DRM_ERROR("fence add callback failed (%d)\n", + r); + dma_fence_put(fence); +- } else ++ } else { ++ ++ dma_fence_set_error(&s_fence->finished, PTR_ERR(fence)); + drm_sched_process_job(NULL, &sched_job->cb); ++ } + + wake_up(&sched->job_scheduled); + } +-- +2.20.1 + diff --git a/queue-5.3/drm-v3d-fix-memory-leak-in-v3d_submit_cl_ioctl.patch b/queue-5.3/drm-v3d-fix-memory-leak-in-v3d_submit_cl_ioctl.patch new file mode 100644 index 00000000000..7ffc25c5f17 --- /dev/null +++ b/queue-5.3/drm-v3d-fix-memory-leak-in-v3d_submit_cl_ioctl.patch @@ -0,0 +1,50 @@ +From 811372537450de89e53d500dcdd1da439a38385d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 13:52:49 -0500 +Subject: drm/v3d: Fix memory leak in v3d_submit_cl_ioctl + +From: Navid Emamdoost + +[ Upstream commit 29cd13cfd7624726d9e6becbae9aa419ef35af7f ] + +In the impelementation of v3d_submit_cl_ioctl() there are two memory +leaks. One is when allocation for bin fails, and the other is when bin +initialization fails. If kcalloc fails to allocate memory for bin then +render->base should be put. Also, if v3d_job_init() fails to initialize +bin->base then allocated memory for bin should be released. + +Fixes: a783a09ee76d ("drm/v3d: Refactor job management.") +Signed-off-by: Navid Emamdoost +Reviewed-by: Eric Anholt +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191021185250.26130-1-navid.emamdoost@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_gem.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c +index 27e0f87075d96..4dc7e38c99c7c 100644 +--- a/drivers/gpu/drm/v3d/v3d_gem.c ++++ b/drivers/gpu/drm/v3d/v3d_gem.c +@@ -555,13 +555,16 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data, + + if (args->bcl_start != args->bcl_end) { + bin = kcalloc(1, sizeof(*bin), GFP_KERNEL); +- if (!bin) ++ if (!bin) { ++ v3d_job_put(&render->base); + return -ENOMEM; ++ } + + ret = v3d_job_init(v3d, file_priv, &bin->base, + v3d_job_free, args->in_sync_bcl); + if (ret) { + v3d_job_put(&render->base); ++ kfree(bin); + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.3/e1000-fix-memory-leaks.patch b/queue-5.3/e1000-fix-memory-leaks.patch new file mode 100644 index 00000000000..b9597e5a521 --- /dev/null +++ b/queue-5.3/e1000-fix-memory-leaks.patch @@ -0,0 +1,61 @@ +From 756bc2476e3a4446f97ef3f74e9e277a36369669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 00:59:21 -0500 +Subject: e1000: fix memory leaks + +From: Wenwen Wang + +[ Upstream commit 8472ba62154058b64ebb83d5f57259a352d28697 ] + +In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if +e1000_up() fails, leading to memory leaks. Refactor the code to fix this +issue. + +Signed-off-by: Wenwen Wang +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index a41008523c983..2e07ffa87e346 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -607,6 +607,7 @@ static int e1000_set_ringparam(struct net_device *netdev, + for (i = 0; i < adapter->num_rx_queues; i++) + rxdr[i].count = rxdr->count; + ++ err = 0; + if (netif_running(adapter->netdev)) { + /* Try to get new resources before deleting old */ + err = e1000_setup_all_rx_resources(adapter); +@@ -627,14 +628,13 @@ static int e1000_set_ringparam(struct net_device *netdev, + adapter->rx_ring = rxdr; + adapter->tx_ring = txdr; + err = e1000_up(adapter); +- if (err) +- goto err_setup; + } + kfree(tx_old); + kfree(rx_old); + + clear_bit(__E1000_RESETTING, &adapter->flags); +- return 0; ++ return err; ++ + err_setup_tx: + e1000_free_all_rx_resources(adapter); + err_setup_rx: +@@ -646,7 +646,6 @@ err_alloc_rx: + err_alloc_tx: + if (netif_running(adapter->netdev)) + e1000_up(adapter); +-err_setup: + clear_bit(__E1000_RESETTING, &adapter->flags); + return err; + } +-- +2.20.1 + diff --git a/queue-5.3/efi-libstub-arm-account-for-firmware-reserved-memory.patch b/queue-5.3/efi-libstub-arm-account-for-firmware-reserved-memory.patch new file mode 100644 index 00000000000..c0ddf50895c --- /dev/null +++ b/queue-5.3/efi-libstub-arm-account-for-firmware-reserved-memory.patch @@ -0,0 +1,101 @@ +From 9bd8efe10f8dcce430951985dc878e085244f147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 18:37:53 +0100 +Subject: efi: libstub/arm: Account for firmware reserved memory at the base of + RAM + +From: Ard Biesheuvel + +[ Upstream commit 41cd96fa149b29684ebd38759fefb07f9c7d5276 ] + +The EFI stubloader for ARM starts out by allocating a 32 MB window +at the base of RAM, in order to ensure that the decompressor (which +blindly copies the uncompressed kernel into that window) does not +overwrite other allocations that are made while running in the context +of the EFI firmware. + +In some cases, (e.g., U-Boot running on the Raspberry Pi 2), this is +causing boot failures because this initial allocation conflicts with +a page of reserved memory at the base of RAM that contains the SMP spin +tables and other pieces of firmware data and which was put there by +the bootloader under the assumption that the TEXT_OFFSET window right +below the kernel is only used partially during early boot, and will be +left alone once the memory reservations are processed and taken into +account. + +So let's permit reserved memory regions to exist in the region starting +at the base of RAM, and ending at TEXT_OFFSET - 5 * PAGE_SIZE, which is +the window below the kernel that is not touched by the early boot code. + +Tested-by: Guillaume Gardet +Signed-off-by: Ard Biesheuvel +Acked-by: Chester Lin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191029173755.27149-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 1 + + drivers/firmware/efi/libstub/arm32-stub.c | 16 +++++++++++++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index 0460c7581220e..ee0661ddb25bb 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -52,6 +52,7 @@ lib-$(CONFIG_EFI_ARMSTUB) += arm-stub.o fdt.o string.o random.o \ + + lib-$(CONFIG_ARM) += arm32-stub.o + lib-$(CONFIG_ARM64) += arm64-stub.o ++CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) + CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) + + # +diff --git a/drivers/firmware/efi/libstub/arm32-stub.c b/drivers/firmware/efi/libstub/arm32-stub.c +index e8f7aefb6813d..ffa242ad0a82e 100644 +--- a/drivers/firmware/efi/libstub/arm32-stub.c ++++ b/drivers/firmware/efi/libstub/arm32-stub.c +@@ -195,6 +195,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table, + unsigned long dram_base, + efi_loaded_image_t *image) + { ++ unsigned long kernel_base; + efi_status_t status; + + /* +@@ -204,9 +205,18 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table, + * loaded. These assumptions are made by the decompressor, + * before any memory map is available. + */ +- dram_base = round_up(dram_base, SZ_128M); ++ kernel_base = round_up(dram_base, SZ_128M); + +- status = reserve_kernel_base(sys_table, dram_base, reserve_addr, ++ /* ++ * Note that some platforms (notably, the Raspberry Pi 2) put ++ * spin-tables and other pieces of firmware at the base of RAM, ++ * abusing the fact that the window of TEXT_OFFSET bytes at the ++ * base of the kernel image is only partially used at the moment. ++ * (Up to 5 pages are used for the swapper page tables) ++ */ ++ kernel_base += TEXT_OFFSET - 5 * PAGE_SIZE; ++ ++ status = reserve_kernel_base(sys_table, kernel_base, reserve_addr, + reserve_size); + if (status != EFI_SUCCESS) { + pr_efi_err(sys_table, "Unable to allocate memory for uncompressed kernel.\n"); +@@ -220,7 +230,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table, + *image_size = image->image_size; + status = efi_relocate_kernel(sys_table, image_addr, *image_size, + *image_size, +- dram_base + MAX_UNCOMP_KERNEL_SIZE, 0); ++ kernel_base + MAX_UNCOMP_KERNEL_SIZE, 0); + if (status != EFI_SUCCESS) { + pr_efi_err(sys_table, "Failed to relocate kernel.\n"); + efi_free(sys_table, *reserve_size, *reserve_addr); +-- +2.20.1 + diff --git a/queue-5.3/efi-tpm-return-einval-when-determining-tpm-final-eve.patch b/queue-5.3/efi-tpm-return-einval-when-determining-tpm-final-eve.patch new file mode 100644 index 00000000000..14bb274def8 --- /dev/null +++ b/queue-5.3/efi-tpm-return-einval-when-determining-tpm-final-eve.patch @@ -0,0 +1,46 @@ +From 4c55e92123db0d83fd4acdc786d1303972520617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 18:37:51 +0100 +Subject: efi/tpm: Return -EINVAL when determining tpm final events log size + fails + +From: Jerry Snitselaar + +[ Upstream commit 2bb6a81633cb47dcba4c9f75605cbe49e6b73d60 ] + +Currently nothing checks the return value of efi_tpm_eventlog_init(), +but in case that changes in the future make sure an error is +returned when it fails to determine the tpm final events log +size. + +Suggested-by: Dan Carpenter +Signed-off-by: Jerry Snitselaar +Signed-off-by: Ard Biesheuvel +Reviewed-by: Jarkko Sakkinen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: e658c82be556 ("efi/tpm: Only set 'efi_tpm_final_log_size' after ...") +Link: https://lkml.kernel.org/r/20191029173755.27149-3-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/tpm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c +index ebd7977653a8e..31f9f0e369b97 100644 +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -88,6 +88,7 @@ int __init efi_tpm_eventlog_init(void) + + if (tbl_size < 0) { + pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); ++ ret = -EINVAL; + goto out_calc; + } + +-- +2.20.1 + diff --git a/queue-5.3/fjes-handle-workqueue-allocation-failure.patch b/queue-5.3/fjes-handle-workqueue-allocation-failure.patch new file mode 100644 index 00000000000..a911867a2b9 --- /dev/null +++ b/queue-5.3/fjes-handle-workqueue-allocation-failure.patch @@ -0,0 +1,69 @@ +From 21070af5014c2336d4222f295f0cac6c3e9736c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:06:02 +0100 +Subject: fjes: Handle workqueue allocation failure + +From: Will Deacon + +[ Upstream commit 85ac30fa2e24f628e9f4f9344460f4015d33fd7d ] + +In the highly unlikely event that we fail to allocate either of the +"/txrx" or "/control" workqueues, we should bail cleanly rather than +blindly march on with NULL queue pointer(s) installed in the +'fjes_adapter' instance. + +Cc: "David S. Miller" +Reported-by: Nicolas Waisman +Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ +Signed-off-by: Will Deacon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index bbbc1dcb6ab5c..b517c1af9de05 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1237,8 +1237,17 @@ static int fjes_probe(struct platform_device *plat_dev) + adapter->open_guard = false; + + adapter->txrx_wq = alloc_workqueue(DRV_NAME "/txrx", WQ_MEM_RECLAIM, 0); ++ if (unlikely(!adapter->txrx_wq)) { ++ err = -ENOMEM; ++ goto err_free_netdev; ++ } ++ + adapter->control_wq = alloc_workqueue(DRV_NAME "/control", + WQ_MEM_RECLAIM, 0); ++ if (unlikely(!adapter->control_wq)) { ++ err = -ENOMEM; ++ goto err_free_txrx_wq; ++ } + + INIT_WORK(&adapter->tx_stall_task, fjes_tx_stall_task); + INIT_WORK(&adapter->raise_intr_rxdata_task, +@@ -1255,7 +1264,7 @@ static int fjes_probe(struct platform_device *plat_dev) + hw->hw_res.irq = platform_get_irq(plat_dev, 0); + err = fjes_hw_init(&adapter->hw); + if (err) +- goto err_free_netdev; ++ goto err_free_control_wq; + + /* setup MAC address (02:00:00:00:00:[epid])*/ + netdev->dev_addr[0] = 2; +@@ -1277,6 +1286,10 @@ static int fjes_probe(struct platform_device *plat_dev) + + err_hw_exit: + fjes_hw_exit(&adapter->hw); ++err_free_control_wq: ++ destroy_workqueue(adapter->control_wq); ++err_free_txrx_wq: ++ destroy_workqueue(adapter->txrx_wq); + err_free_netdev: + free_netdev(netdev); + err_out: +-- +2.20.1 + diff --git a/queue-5.3/gve-fixes-dma-synchronization.patch b/queue-5.3/gve-fixes-dma-synchronization.patch new file mode 100644 index 00000000000..adadaaebe8f --- /dev/null +++ b/queue-5.3/gve-fixes-dma-synchronization.patch @@ -0,0 +1,93 @@ +From 5b6466572efe39fc0b97acf4443c2b15da5278db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 10:09:56 -0700 +Subject: gve: Fixes DMA synchronization. + +From: Yangchun Fu + +[ Upstream commit 9cfeeb576d49a7b5e643b8066ba64a55e8417c5d ] + +Synces the DMA buffer properly in order for CPU and device to see +the most up-to-data data. + +Signed-off-by: Yangchun Fu +Reviewed-by: Catherine Sullivan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_rx.c | 2 ++ + drivers/net/ethernet/google/gve/gve_tx.c | 24 ++++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_rx.c b/drivers/net/ethernet/google/gve/gve_rx.c +index 59564ac99d2a6..edec61dfc8687 100644 +--- a/drivers/net/ethernet/google/gve/gve_rx.c ++++ b/drivers/net/ethernet/google/gve/gve_rx.c +@@ -289,6 +289,8 @@ static bool gve_rx(struct gve_rx_ring *rx, struct gve_rx_desc *rx_desc, + + len = be16_to_cpu(rx_desc->len) - GVE_RX_PAD; + page_info = &rx->data.page_info[idx]; ++ dma_sync_single_for_cpu(&priv->pdev->dev, rx->data.qpl->page_buses[idx], ++ PAGE_SIZE, DMA_FROM_DEVICE); + + /* gvnic can only receive into registered segments. If the buffer + * can't be recycled, our only choice is to copy the data out of +diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c +index 778b87b5a06c2..0a9a7ee2a8668 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx.c ++++ b/drivers/net/ethernet/google/gve/gve_tx.c +@@ -390,7 +390,21 @@ static void gve_tx_fill_seg_desc(union gve_tx_desc *seg_desc, + seg_desc->seg.seg_addr = cpu_to_be64(addr); + } + +-static int gve_tx_add_skb(struct gve_tx_ring *tx, struct sk_buff *skb) ++static void gve_dma_sync_for_device(struct device *dev, dma_addr_t *page_buses, ++ u64 iov_offset, u64 iov_len) ++{ ++ dma_addr_t dma; ++ u64 addr; ++ ++ for (addr = iov_offset; addr < iov_offset + iov_len; ++ addr += PAGE_SIZE) { ++ dma = page_buses[addr / PAGE_SIZE]; ++ dma_sync_single_for_device(dev, dma, PAGE_SIZE, DMA_TO_DEVICE); ++ } ++} ++ ++static int gve_tx_add_skb(struct gve_tx_ring *tx, struct sk_buff *skb, ++ struct device *dev) + { + int pad_bytes, hlen, hdr_nfrags, payload_nfrags, l4_hdr_offset; + union gve_tx_desc *pkt_desc, *seg_desc; +@@ -432,6 +446,9 @@ static int gve_tx_add_skb(struct gve_tx_ring *tx, struct sk_buff *skb) + skb_copy_bits(skb, 0, + tx->tx_fifo.base + info->iov[hdr_nfrags - 1].iov_offset, + hlen); ++ gve_dma_sync_for_device(dev, tx->tx_fifo.qpl->page_buses, ++ info->iov[hdr_nfrags - 1].iov_offset, ++ info->iov[hdr_nfrags - 1].iov_len); + copy_offset = hlen; + + for (i = payload_iov; i < payload_nfrags + payload_iov; i++) { +@@ -445,6 +462,9 @@ static int gve_tx_add_skb(struct gve_tx_ring *tx, struct sk_buff *skb) + skb_copy_bits(skb, copy_offset, + tx->tx_fifo.base + info->iov[i].iov_offset, + info->iov[i].iov_len); ++ gve_dma_sync_for_device(dev, tx->tx_fifo.qpl->page_buses, ++ info->iov[i].iov_offset, ++ info->iov[i].iov_len); + copy_offset += info->iov[i].iov_len; + } + +@@ -473,7 +493,7 @@ netdev_tx_t gve_tx(struct sk_buff *skb, struct net_device *dev) + gve_tx_put_doorbell(priv, tx->q_resources, tx->req); + return NETDEV_TX_BUSY; + } +- nsegs = gve_tx_add_skb(tx, skb); ++ nsegs = gve_tx_add_skb(tx, skb, &priv->pdev->dev); + + netdev_tx_sent_queue(tx->netdev_txq, skb->len); + skb_tx_timestamp(skb); +-- +2.20.1 + diff --git a/queue-5.3/hid-google-add-magnemite-masterball-usb-ids.patch b/queue-5.3/hid-google-add-magnemite-masterball-usb-ids.patch new file mode 100644 index 00000000000..532071a0582 --- /dev/null +++ b/queue-5.3/hid-google-add-magnemite-masterball-usb-ids.patch @@ -0,0 +1,50 @@ +From fc6a6c0cc8c6ef24bb44c06b81190f899bf7aef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 11:17:59 +0800 +Subject: HID: google: add magnemite/masterball USB ids + +From: Nicolas Boichat + +[ Upstream commit 9e4dbc4646a84b2562ea7c64a542740687ff7daf ] + +Add 2 additional hammer-like devices. + +Signed-off-by: Nicolas Boichat +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-google-hammer.c | 4 ++++ + drivers/hid/hid-ids.h | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/hid/hid-google-hammer.c b/drivers/hid/hid-google-hammer.c +index ee5e0bdcf078f..154f1ce771d54 100644 +--- a/drivers/hid/hid-google-hammer.c ++++ b/drivers/hid/hid-google-hammer.c +@@ -469,6 +469,10 @@ static int hammer_probe(struct hid_device *hdev, + static const struct hid_device_id hammer_devices[] = { + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_HAMMER) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MAGNEMITE) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MASTERBALL) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_STAFF) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index e4d51ce20a6aa..9cf5a95c1bd3c 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -475,6 +475,8 @@ + #define USB_DEVICE_ID_GOOGLE_STAFF 0x502b + #define USB_DEVICE_ID_GOOGLE_WAND 0x502d + #define USB_DEVICE_ID_GOOGLE_WHISKERS 0x5030 ++#define USB_DEVICE_ID_GOOGLE_MASTERBALL 0x503c ++#define USB_DEVICE_ID_GOOGLE_MAGNEMITE 0x503d + + #define USB_VENDOR_ID_GOTOP 0x08f2 + #define USB_DEVICE_ID_SUPER_Q2 0x007f +-- +2.20.1 + diff --git a/queue-5.3/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch b/queue-5.3/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch new file mode 100644 index 00000000000..3f43b2262b1 --- /dev/null +++ b/queue-5.3/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch @@ -0,0 +1,36 @@ +From 6a03065ec954c8f4658cbcbdfb470a62b4be62ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 08:15:59 +0800 +Subject: HID: intel-ish-hid: fix wrong error handling in + ishtp_cl_alloc_tx_ring() + +From: Zhang Lixu + +[ Upstream commit 16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ] + +When allocating tx ring buffers failed, should free tx buffers, not rx buffers. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/client-buffers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c +index 1b0a0cc605e77..513d7a4a1b8ac 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c ++++ b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c +@@ -84,7 +84,7 @@ int ishtp_cl_alloc_tx_ring(struct ishtp_cl *cl) + return 0; + out: + dev_err(&cl->device->dev, "error in allocating Tx pool\n"); +- ishtp_cl_free_rx_ring(cl); ++ ishtp_cl_free_tx_ring(cl); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-5.3/hv_netvsc-fix-error-handling-in-netvsc_attach.patch b/queue-5.3/hv_netvsc-fix-error-handling-in-netvsc_attach.patch new file mode 100644 index 00000000000..3c4c45d996f --- /dev/null +++ b/queue-5.3/hv_netvsc-fix-error-handling-in-netvsc_attach.patch @@ -0,0 +1,51 @@ +From 96271d8c9c0244637e6618dd68018aa5895c41a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 15:32:13 +0000 +Subject: hv_netvsc: Fix error handling in netvsc_attach() + +From: Haiyang Zhang + +[ Upstream commit 719b85c336ed35565d0f3982269d6f684087bb00 ] + +If rndis_filter_open() fails, we need to remove the rndis device created +in earlier steps, before returning an error code. Otherwise, the retry of +netvsc_attach() from its callers will fail and hang. + +Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index e8fce6d715ef0..8ed79b418d88a 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -982,7 +982,7 @@ static int netvsc_attach(struct net_device *ndev, + if (netif_running(ndev)) { + ret = rndis_filter_open(nvdev); + if (ret) +- return ret; ++ goto err; + + rdev = nvdev->extension; + if (!rdev->link_state) +@@ -990,6 +990,13 @@ static int netvsc_attach(struct net_device *ndev, + } + + return 0; ++ ++err: ++ netif_device_detach(ndev); ++ ++ rndis_filter_device_remove(hdev, nvdev); ++ ++ return ret; + } + + static int netvsc_set_channels(struct net_device *net, +-- +2.20.1 + diff --git a/queue-5.3/hwmon-ina3221-fix-read-timeout-issue.patch b/queue-5.3/hwmon-ina3221-fix-read-timeout-issue.patch new file mode 100644 index 00000000000..1b89c757690 --- /dev/null +++ b/queue-5.3/hwmon-ina3221-fix-read-timeout-issue.patch @@ -0,0 +1,42 @@ +From 4b66bb03c1a367c2e2ba8e17d7dd32734823dc89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 17:59:22 -0700 +Subject: hwmon: (ina3221) Fix read timeout issue + +From: Nicolin Chen + +[ Upstream commit 2ccb4f16d013a0954459061d38172b1c53553ba6 ] + +After introducing "samples" to the calculation of wait time, the +driver might timeout at the regmap_field_read_poll_timeout call, +because the wait time could be longer than the 100000 usec limit +due to a large "samples" number. + +So this patch sets the timeout limit to 2 times of the wait time +in order to fix this issue. + +Fixes: 5c090abf945b ("hwmon: (ina3221) Add averaging mode support") +Signed-off-by: Nicolin Chen +Link: https://lore.kernel.org/r/20191022005922.30239-1-nicoleotsuka@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina3221.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c +index 0037e2bdacd6b..8a51dcf055eab 100644 +--- a/drivers/hwmon/ina3221.c ++++ b/drivers/hwmon/ina3221.c +@@ -170,7 +170,7 @@ static inline int ina3221_wait_for_data(struct ina3221_data *ina) + + /* Polling the CVRF bit to make sure read data is ready */ + return regmap_field_read_poll_timeout(ina->fields[F_CVRF], +- cvrf, cvrf, wait, 100000); ++ cvrf, cvrf, wait, wait * 2); + } + + static int ina3221_read_value(struct ina3221_data *ina, unsigned int reg, +-- +2.20.1 + diff --git a/queue-5.3/ib-core-use-rdma_read_gid_l2_fields-to-compare-gid-l.patch b/queue-5.3/ib-core-use-rdma_read_gid_l2_fields-to-compare-gid-l.patch new file mode 100644 index 00000000000..488e45aea98 --- /dev/null +++ b/queue-5.3/ib-core-use-rdma_read_gid_l2_fields-to-compare-gid-l.patch @@ -0,0 +1,59 @@ +From 8c79fca402afbb0efc14b01f1b142d9588b474d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 15:17:50 +0300 +Subject: IB/core: Use rdma_read_gid_l2_fields to compare GID L2 fields + +From: Parav Pandit + +[ Upstream commit 777a8b32bc0f9bb25848a025f72a9febc30d9033 ] + +Current code tries to derive VLAN ID and compares it with GID +attribute for matching entry. This raw search fails on macvlan +netdevice as its not a VLAN device, but its an upper device of a VLAN +netdevice. + +Due to this limitation, incoming QP1 packets fail to match in the +GID table. Such packets are dropped. + +Hence, to support it, use the existing rdma_read_gid_l2_fields() +that takes care of diffferent device types. + +Fixes: dbf727de7440 ("IB/core: Use GID table in AH creation and dmac resolution") +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191002121750.17313-1-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 92349bf37589f..5b1dc11a72838 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -662,16 +662,17 @@ static bool find_gid_index(const union ib_gid *gid, + void *context) + { + struct find_gid_index_context *ctx = context; ++ u16 vlan_id = 0xffff; ++ int ret; + + if (ctx->gid_type != gid_attr->gid_type) + return false; + +- if ((!!(ctx->vlan_id != 0xffff) == !is_vlan_dev(gid_attr->ndev)) || +- (is_vlan_dev(gid_attr->ndev) && +- vlan_dev_vlan_id(gid_attr->ndev) != ctx->vlan_id)) ++ ret = rdma_read_gid_l2_fields(gid_attr, &vlan_id, NULL); ++ if (ret) + return false; + +- return true; ++ return ctx->vlan_id == vlan_id; + } + + static const struct ib_gid_attr * +-- +2.20.1 + diff --git a/queue-5.3/igb-fix-constant-media-auto-sense-switching-when-no-.patch b/queue-5.3/igb-fix-constant-media-auto-sense-switching-when-no-.patch new file mode 100644 index 00000000000..c1e5a751fea --- /dev/null +++ b/queue-5.3/igb-fix-constant-media-auto-sense-switching-when-no-.patch @@ -0,0 +1,48 @@ +From ce4d0534fcaa00eb53b158202349b46e56320133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 13:55:20 -0700 +Subject: igb: Fix constant media auto sense switching when no cable is + connected + +From: Manfred Rudigier + +[ Upstream commit 8d5cfd7f76a2414e23c74bb8858af7540365d985 ] + +At least on the i350 there is an annoying behavior that is maybe also +present on 82580 devices, but was probably not noticed yet as MAS is not +widely used. + +If no cable is connected on both fiber/copper ports the media auto sense +code will constantly swap between them as part of the watchdog task and +produce many unnecessary kernel log messages. + +The swap code responsible for this behavior (switching to fiber) should +not be executed if the current media type is copper and there is no signal +detected on the fiber port. In this case we can safely wait until the +AUTOSENSE_EN bit is cleared. + +Signed-off-by: Manfred Rudigier +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b4df3e319467e..93a1352f5be90 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2064,7 +2064,8 @@ static void igb_check_swap_media(struct igb_adapter *adapter) + if ((hw->phy.media_type == e1000_media_type_copper) && + (!(connsw & E1000_CONNSW_AUTOSENSE_EN))) { + swap_now = true; +- } else if (!(connsw & E1000_CONNSW_SERDESD)) { ++ } else if ((hw->phy.media_type != e1000_media_type_copper) && ++ !(connsw & E1000_CONNSW_SERDESD)) { + /* copper signal takes time to appear */ + if (adapter->copper_tries < 4) { + adapter->copper_tries++; +-- +2.20.1 + diff --git a/queue-5.3/iommu-amd-apply-the-same-ivrs-ioapic-workaround-to-a.patch b/queue-5.3/iommu-amd-apply-the-same-ivrs-ioapic-workaround-to-a.patch new file mode 100644 index 00000000000..cb1d3505b8c --- /dev/null +++ b/queue-5.3/iommu-amd-apply-the-same-ivrs-ioapic-workaround-to-a.patch @@ -0,0 +1,48 @@ +From 7be1433d250136f973442856e708b8f66d244b9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 17:17:21 +0200 +Subject: iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire + A315-41 + +From: Takashi Iwai + +[ Upstream commit ad3e8da2d422c63c13819a53d3c5ea9312cc0b9d ] + +Acer Aspire A315-41 requires the very same workaround as the existing +quirk for Dell Latitude 5495. Add the new entry for that. + +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1137799 +Signed-off-by: Takashi Iwai +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_quirks.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/iommu/amd_iommu_quirks.c b/drivers/iommu/amd_iommu_quirks.c +index c235f79b7a200..5120ce4fdce32 100644 +--- a/drivers/iommu/amd_iommu_quirks.c ++++ b/drivers/iommu/amd_iommu_quirks.c +@@ -73,6 +73,19 @@ static const struct dmi_system_id ivrs_quirks[] __initconst = { + }, + .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495], + }, ++ { ++ /* ++ * Acer Aspire A315-41 requires the very same workaround as ++ * Dell Latitude 5495 ++ */ ++ .callback = ivrs_ioapic_quirk_cb, ++ .ident = "Acer Aspire A315-41", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A315-41"), ++ }, ++ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495], ++ }, + { + .callback = ivrs_ioapic_quirk_cb, + .ident = "Lenovo ideapad 330S-15ARR", +-- +2.20.1 + diff --git a/queue-5.3/ipvs-don-t-ignore-errors-in-case-refcounting-ip_vs-m.patch b/queue-5.3/ipvs-don-t-ignore-errors-in-case-refcounting-ip_vs-m.patch new file mode 100644 index 00000000000..7e43f6dc8fc --- /dev/null +++ b/queue-5.3/ipvs-don-t-ignore-errors-in-case-refcounting-ip_vs-m.patch @@ -0,0 +1,238 @@ +From 5070f70c29a7a852b580b45fac4a590b069d9593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 17:34:35 +0200 +Subject: ipvs: don't ignore errors in case refcounting ip_vs module fails + +From: Davide Caratti + +[ Upstream commit 62931f59ce9cbabb934a431f48f2f1f441c605ac ] + +if the IPVS module is removed while the sync daemon is starting, there is +a small gap where try_module_get() might fail getting the refcount inside +ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced, +and the subsequent call to stop_sync_thread() causes the following splat: + + WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290 + Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6] + CPU: 0 PID: 4013 Comm: modprobe Tainted: G W 5.4.0-rc1.upstream+ #741 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:module_put.part.44+0x15b/0x290 + Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48 + RSP: 0018:ffff888050607c78 EFLAGS: 00010297 + RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9 + RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590 + RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3 + R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90 + R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0 + FS: 00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0 + Call Trace: + stop_sync_thread+0x3a3/0x7c0 [ip_vs] + ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs] + ops_exit_list.isra.5+0x94/0x140 + unregister_pernet_operations+0x29d/0x460 + unregister_pernet_device+0x26/0x60 + ip_vs_cleanup+0x11/0x38 [ip_vs] + __x64_sys_delete_module+0x2d5/0x400 + do_syscall_64+0xa5/0x4e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f8ea8bf0db7 + Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 + RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7 + RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8 + RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0 + R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000 + R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000 + irq event stamp: 4538 + hardirqs last enabled at (4537): [] quarantine_put+0x9e/0x170 + hardirqs last disabled at (4538): [] trace_hardirqs_off_thunk+0x1a/0x20 + softirqs last enabled at (4522): [] sk_common_release+0x169/0x2d0 + softirqs last disabled at (4520): [] sk_common_release+0xbe/0x2d0 + +Check the return value of ip_vs_use_count_inc() and let its caller return +proper error. Inside do_ip_vs_set_ctl() the module is already refcounted, +we don't need refcount/derefcount there. Finally, in register_ip_vs_app() +and start_sync_thread(), take the module refcount earlier and ensure it's +released in the error path. + +Change since v1: + - better return values in case of failure of ip_vs_use_count_inc(), + thanks to Julian Anastasov + - no need to increase/decrease the module refcount in ip_vs_set_ctl(), + thanks to Julian Anastasov + +Signed-off-by: Davide Caratti +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_app.c | 12 ++++++++++-- + net/netfilter/ipvs/ip_vs_ctl.c | 14 ++++---------- + net/netfilter/ipvs/ip_vs_pe.c | 3 ++- + net/netfilter/ipvs/ip_vs_sched.c | 3 ++- + net/netfilter/ipvs/ip_vs_sync.c | 13 ++++++++++--- + 5 files changed, 28 insertions(+), 17 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c +index 4515056ef1c2b..f9b16f2b22191 100644 +--- a/net/netfilter/ipvs/ip_vs_app.c ++++ b/net/netfilter/ipvs/ip_vs_app.c +@@ -193,21 +193,29 @@ struct ip_vs_app *register_ip_vs_app(struct netns_ipvs *ipvs, struct ip_vs_app * + + mutex_lock(&__ip_vs_app_mutex); + ++ /* increase the module use count */ ++ if (!ip_vs_use_count_inc()) { ++ err = -ENOENT; ++ goto out_unlock; ++ } ++ + list_for_each_entry(a, &ipvs->app_list, a_list) { + if (!strcmp(app->name, a->name)) { + err = -EEXIST; ++ /* decrease the module use count */ ++ ip_vs_use_count_dec(); + goto out_unlock; + } + } + a = kmemdup(app, sizeof(*app), GFP_KERNEL); + if (!a) { + err = -ENOMEM; ++ /* decrease the module use count */ ++ ip_vs_use_count_dec(); + goto out_unlock; + } + INIT_LIST_HEAD(&a->incs_list); + list_add(&a->a_list, &ipvs->app_list); +- /* increase the module use count */ +- ip_vs_use_count_inc(); + + out_unlock: + mutex_unlock(&__ip_vs_app_mutex); +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 060565e7d227a..248c76290116e 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1275,7 +1275,8 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + struct ip_vs_service *svc = NULL; + + /* increase the module use count */ +- ip_vs_use_count_inc(); ++ if (!ip_vs_use_count_inc()) ++ return -ENOPROTOOPT; + + /* Lookup the scheduler by 'u->sched_name' */ + if (strcmp(u->sched_name, "none")) { +@@ -2434,9 +2435,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + if (copy_from_user(arg, user, len) != 0) + return -EFAULT; + +- /* increase the module use count */ +- ip_vs_use_count_inc(); +- + /* Handle daemons since they have another lock */ + if (cmd == IP_VS_SO_SET_STARTDAEMON || + cmd == IP_VS_SO_SET_STOPDAEMON) { +@@ -2449,13 +2447,13 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + ret = -EINVAL; + if (strscpy(cfg.mcast_ifn, dm->mcast_ifn, + sizeof(cfg.mcast_ifn)) <= 0) +- goto out_dec; ++ return ret; + cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { + ret = stop_sync_thread(ipvs, dm->state); + } +- goto out_dec; ++ return ret; + } + + mutex_lock(&__ip_vs_mutex); +@@ -2550,10 +2548,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + + out_unlock: + mutex_unlock(&__ip_vs_mutex); +- out_dec: +- /* decrease the module use count */ +- ip_vs_use_count_dec(); +- + return ret; + } + +diff --git a/net/netfilter/ipvs/ip_vs_pe.c b/net/netfilter/ipvs/ip_vs_pe.c +index 8e104dff7abc4..166c669f07634 100644 +--- a/net/netfilter/ipvs/ip_vs_pe.c ++++ b/net/netfilter/ipvs/ip_vs_pe.c +@@ -68,7 +68,8 @@ int register_ip_vs_pe(struct ip_vs_pe *pe) + struct ip_vs_pe *tmp; + + /* increase the module use count */ +- ip_vs_use_count_inc(); ++ if (!ip_vs_use_count_inc()) ++ return -ENOENT; + + mutex_lock(&ip_vs_pe_mutex); + /* Make sure that the pe with this name doesn't exist +diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c +index 2f9d5cd5daeee..d4903723be7e9 100644 +--- a/net/netfilter/ipvs/ip_vs_sched.c ++++ b/net/netfilter/ipvs/ip_vs_sched.c +@@ -179,7 +179,8 @@ int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler) + } + + /* increase the module use count */ +- ip_vs_use_count_inc(); ++ if (!ip_vs_use_count_inc()) ++ return -ENOENT; + + mutex_lock(&ip_vs_sched_mutex); + +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index a4a78c4b06dec..8dc892a9dc91a 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -1762,6 +1762,10 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n", + sizeof(struct ip_vs_sync_conn_v0)); + ++ /* increase the module use count */ ++ if (!ip_vs_use_count_inc()) ++ return -ENOPROTOOPT; ++ + /* Do not hold one mutex and then to block on another */ + for (;;) { + rtnl_lock(); +@@ -1892,9 +1896,6 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + mutex_unlock(&ipvs->sync_mutex); + rtnl_unlock(); + +- /* increase the module use count */ +- ip_vs_use_count_inc(); +- + return 0; + + out: +@@ -1924,11 +1925,17 @@ out: + } + kfree(ti); + } ++ ++ /* decrease the module use count */ ++ ip_vs_use_count_dec(); + return result; + + out_early: + mutex_unlock(&ipvs->sync_mutex); + rtnl_unlock(); ++ ++ /* decrease the module use count */ ++ ip_vs_use_count_dec(); + return result; + } + +-- +2.20.1 + diff --git a/queue-5.3/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch b/queue-5.3/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch new file mode 100644 index 00000000000..dab66e6d493 --- /dev/null +++ b/queue-5.3/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch @@ -0,0 +1,117 @@ +From 10f3c81131787050fa54fb1847bcf988b097ace8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 09:53:03 -0700 +Subject: ipvs: move old_secure_tcp into struct netns_ipvs + +From: Eric Dumazet + +[ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ] + +syzbot reported the following issue : + +BUG: KCSAN: data-race in update_defense_level / update_defense_level + +read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1: + update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177 + defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0: + update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205 + defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events defense_work_handler + +Indeed, old_secure_tcp is currently a static variable, while it +needs to be a per netns variable. + +Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 1 + + net/netfilter/ipvs/ip_vs_ctl.c | 15 +++++++-------- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 3759167f91f56..078887c8c586a 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -889,6 +889,7 @@ struct netns_ipvs { + struct delayed_work defense_work; /* Work handler */ + int drop_rate; + int drop_counter; ++ int old_secure_tcp; + atomic_t dropentry; + /* locks in ctl.c */ + spinlock_t dropentry_lock; /* drop entry handling */ +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 248c76290116e..e29b00f514a0a 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -93,7 +93,6 @@ static bool __ip_vs_addr_is_local_v6(struct net *net, + static void update_defense_level(struct netns_ipvs *ipvs) + { + struct sysinfo i; +- static int old_secure_tcp = 0; + int availmem; + int nomem; + int to_change = -1; +@@ -174,35 +173,35 @@ static void update_defense_level(struct netns_ipvs *ipvs) + spin_lock(&ipvs->securetcp_lock); + switch (ipvs->sysctl_secure_tcp) { + case 0: +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + break; + case 1: + if (nomem) { +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + ipvs->sysctl_secure_tcp = 2; + } else { +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + } + break; + case 2: + if (nomem) { +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + } else { +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + ipvs->sysctl_secure_tcp = 1; + } + break; + case 3: +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + break; + } +- old_secure_tcp = ipvs->sysctl_secure_tcp; ++ ipvs->old_secure_tcp = ipvs->sysctl_secure_tcp; + if (to_change >= 0) + ip_vs_protocol_timeout_change(ipvs, + ipvs->sysctl_secure_tcp > 1); +-- +2.20.1 + diff --git a/queue-5.3/iw_cxgb4-fix-ecn-check-on-the-passive-accept.patch b/queue-5.3/iw_cxgb4-fix-ecn-check-on-the-passive-accept.patch new file mode 100644 index 00000000000..9cf03d44592 --- /dev/null +++ b/queue-5.3/iw_cxgb4-fix-ecn-check-on-the-passive-accept.patch @@ -0,0 +1,73 @@ +From 53c97ec5513c303e5266fd627cf6ad801633c531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 16:13:53 +0530 +Subject: iw_cxgb4: fix ECN check on the passive accept + +From: Potnuri Bharat Teja + +[ Upstream commit 612e0486ad0845c41ac10492e78144f99e326375 ] + +pass_accept_req() is using the same skb for handling accept request and +sending accept reply to HW. Here req and rpl structures are pointing to +same skb->data which is over written by INIT_TP_WR() and leads to +accessing corrupt req fields in accept_cr() while checking for ECN flags. +Reordered code in accept_cr() to fetch correct req fields. + +Fixes: 92e7ae7172 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections") +Signed-off-by: Potnuri Bharat Teja +Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index e87fc04084704..9e8eca7b613c0 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2424,20 +2424,6 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb, + enum chip_type adapter_type = ep->com.dev->rdev.lldi.adapter_type; + + pr_debug("ep %p tid %u\n", ep, ep->hwtid); +- +- skb_get(skb); +- rpl = cplhdr(skb); +- if (!is_t4(adapter_type)) { +- skb_trim(skb, roundup(sizeof(*rpl5), 16)); +- rpl5 = (void *)rpl; +- INIT_TP_WR(rpl5, ep->hwtid); +- } else { +- skb_trim(skb, sizeof(*rpl)); +- INIT_TP_WR(rpl, ep->hwtid); +- } +- OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL, +- ep->hwtid)); +- + cxgb_best_mtu(ep->com.dev->rdev.lldi.mtus, ep->mtu, &mtu_idx, + enable_tcp_timestamps && req->tcpopt.tstamp, + (ep->com.remote_addr.ss_family == AF_INET) ? 0 : 1); +@@ -2483,6 +2469,20 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb, + if (tcph->ece && tcph->cwr) + opt2 |= CCTRL_ECN_V(1); + } ++ ++ skb_get(skb); ++ rpl = cplhdr(skb); ++ if (!is_t4(adapter_type)) { ++ skb_trim(skb, roundup(sizeof(*rpl5), 16)); ++ rpl5 = (void *)rpl; ++ INIT_TP_WR(rpl5, ep->hwtid); ++ } else { ++ skb_trim(skb, sizeof(*rpl)); ++ INIT_TP_WR(rpl, ep->hwtid); ++ } ++ OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL, ++ ep->hwtid)); ++ + if (CHELSIO_CHIP_VERSION(adapter_type) > CHELSIO_T4) { + u32 isn = (prandom_u32() & ~7UL) - 1; + opt2 |= T5_OPT_2_VALID_F; +-- +2.20.1 + diff --git a/queue-5.3/iwlwifi-pcie-0x2720-is-qu-and-0x30dc-is-not.patch b/queue-5.3/iwlwifi-pcie-0x2720-is-qu-and-0x30dc-is-not.patch new file mode 100644 index 00000000000..dea6e76de59 --- /dev/null +++ b/queue-5.3/iwlwifi-pcie-0x2720-is-qu-and-0x30dc-is-not.patch @@ -0,0 +1,143 @@ +From f0b9fa149f84217c147cd7a781863a1094afcbb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 13:03:31 +0300 +Subject: iwlwifi: pcie: 0x2720 is qu and 0x30DC is not + +From: Luca Coelho + +[ Upstream commit 17c216ed6b9eef34e647192063f6149d33eff579 ] + +When converting the wrong qu configurations in an earlier commit, I +accidentally swapped 0x2720 and 0x30DC. Instead of converting 0x2720, +I converted 0x30DC. Undo 0x30DC and convert 0x2720. + +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 109 +++++++++--------- + 1 file changed, 55 insertions(+), 54 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 3645c98c407e1..2ee5c5dc78cbb 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -618,60 +618,61 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x271B, 0x0210, iwl9160_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0214, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271C, 0x0214, iwl9260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x0060, iwl9461_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x0064, iwl9461_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x00A0, iwl9462_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x00A4, iwl9462_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x0230, iwl9560_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0234, iwl9560_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0238, iwl9560_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x023C, iwl9560_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0260, iwl9461_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x0264, iwl9461_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x02A0, iwl9462_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x02A4, iwl9462_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x4034, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x40A4, iwl9462_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x4234, iwl9560_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x42A4, iwl9462_2ac_cfg_soc)}, +- +- {IWL_PCI_DEVICE(0x30DC, 0x0030, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0034, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0038, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x003C, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0060, iwl9461_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0064, iwl9461_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x00A0, iwl9462_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x00A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0230, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0234, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0238, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x023C, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0260, iwl9461_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x0264, iwl9461_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x02A0, iwl9462_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x02A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x1551, killer1550s_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x1552, killer1550i_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x4034, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x40A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x4234, iwl9560_2ac_cfg_qu_b0_jf_b0)}, +- {IWL_PCI_DEVICE(0x30DC, 0x42A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ ++ {IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0060, iwl9461_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0064, iwl9461_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x00A0, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x00A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0230, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0234, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0238, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x023C, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0260, iwl9461_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0264, iwl9461_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x02A0, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x02A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1551, killer1550s_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1552, killer1550i_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x4034, iwl9560_2ac_160_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x40A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x4234, iwl9560_2ac_cfg_qu_b0_jf_b0)}, ++ {IWL_PCI_DEVICE(0x2720, 0x42A4, iwl9462_2ac_cfg_qu_b0_jf_b0)}, ++ ++ {IWL_PCI_DEVICE(0x30DC, 0x0030, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0038, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x003C, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0060, iwl9460_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0064, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x00A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x00A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0230, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0238, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x023C, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0260, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x0264, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x02A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x02A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x4034, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x40A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x4234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x42A4, iwl9462_2ac_cfg_soc)}, + + {IWL_PCI_DEVICE(0x31DC, 0x0030, iwl9560_2ac_160_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x0034, iwl9560_2ac_cfg_shared_clk)}, +-- +2.20.1 + diff --git a/queue-5.3/iwlwifi-pcie-fix-all-9460-entries-for-qnj.patch b/queue-5.3/iwlwifi-pcie-fix-all-9460-entries-for-qnj.patch new file mode 100644 index 00000000000..c3e15209590 --- /dev/null +++ b/queue-5.3/iwlwifi-pcie-fix-all-9460-entries-for-qnj.patch @@ -0,0 +1,64 @@ +From 977e3f3b03923c8085d21dd8126f4d60f0e7f77f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 13:03:28 +0300 +Subject: iwlwifi: pcie: fix all 9460 entries for qnj + +From: Luca Coelho + +[ Upstream commit e55890150a961944e861a46efc8599f80f25de76 ] + +A bunch of the entries for qnj were wrong. The 9460 device doesn't +exist, so update them to 9461 and 9462. There are still a bunch of +other occurrences of 9460, but that will be fixed separately. + +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index cef29de053932..3645c98c407e1 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -573,20 +573,20 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2526, 0x0034, iwl9560_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0038, iwl9560_2ac_160_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x003C, iwl9560_2ac_160_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x0060, iwl9460_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x0064, iwl9460_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x00A0, iwl9460_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x00A4, iwl9460_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x0060, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x0064, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x00A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x00A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x0210, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0214, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0230, iwl9560_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0234, iwl9560_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0238, iwl9560_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x023C, iwl9560_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x0260, iwl9460_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x0260, iwl9461_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x0264, iwl9461_2ac_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2526, 0x02A0, iwl9460_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2526, 0x02A4, iwl9460_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x02A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x02A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1030, iwl9560_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)}, +@@ -603,7 +603,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2526, 0x401C, iwl9260_2ac_160_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x4030, iwl9560_2ac_160_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x4034, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x6010, iwl9260_2ac_160_cfg)}, +-- +2.20.1 + diff --git a/queue-5.3/iwlwifi-pcie-fix-pci-id-0x2720-configs-that-should-b.patch b/queue-5.3/iwlwifi-pcie-fix-pci-id-0x2720-configs-that-should-b.patch new file mode 100644 index 00000000000..ab3429f9a06 --- /dev/null +++ b/queue-5.3/iwlwifi-pcie-fix-pci-id-0x2720-configs-that-should-b.patch @@ -0,0 +1,48 @@ +From 430ac7f684c2f17bbb6e5bb367587d15acfc7a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 13:03:27 +0300 +Subject: iwlwifi: pcie: fix PCI ID 0x2720 configs that should be soc + +From: Luca Coelho + +[ Upstream commit 6dea7da7019aa04c02edf1878c9c2e59d6cb75a5 ] + +Some entries for PCI ID 0x2720 were using iwl9260_2ac_cfg, but the +correct is to use iwl9260_2ac_cfg_soc. Fix that. + +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index acbadfdbdd3fe..cef29de053932 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -618,9 +618,9 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x271B, 0x0210, iwl9160_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0214, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271C, 0x0214, iwl9260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_160_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_160_cfg)}, +- {IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_160_cfg)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_160_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_160_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x0060, iwl9461_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x0064, iwl9461_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x00A0, iwl9462_2ac_cfg_soc)}, +@@ -640,7 +640,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_160_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_160_cfg_soc)}, +- {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_160_cfg)}, ++ {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_160_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x4034, iwl9560_2ac_160_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x40A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x4234, iwl9560_2ac_cfg_soc)}, +-- +2.20.1 + diff --git a/queue-5.3/macsec-fix-refcnt-leak-in-module-exit-routine.patch b/queue-5.3/macsec-fix-refcnt-leak-in-module-exit-routine.patch new file mode 100644 index 00000000000..104b0b73290 --- /dev/null +++ b/queue-5.3/macsec-fix-refcnt-leak-in-module-exit-routine.patch @@ -0,0 +1,76 @@ +From 5404485990c1479d2a9dc596bd0a153facd83ba6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:47:55 +0000 +Subject: macsec: fix refcnt leak in module exit routine + +From: Taehee Yoo + +[ Upstream commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 ] + +When a macsec interface is created, it increases a refcnt to a lower +device(real device). when macsec interface is deleted, the refcnt is +decreased in macsec_free_netdev(), which is ->priv_destructor() of +macsec interface. + +The problem scenario is this. +When nested macsec interfaces are exiting, the exit routine of the +macsec module makes refcnt leaks. + +Test commands: + ip link add dummy0 type dummy + ip link add macsec0 link dummy0 type macsec + ip link add macsec1 link macsec0 type macsec + modprobe -rv macsec + +[ 208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1 + +Steps of exit routine of macsec module are below. +1. Calls ->dellink() in __rtnl_link_unregister(). +2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in +netdev_run_todo(). +3. Calls ->priv_destruvtor() in netdev_run_todo(). + +Step2 checks refcnt, but step3 decreases refcnt. +So, step2 waits forever. + +This patch makes the macsec module do not hold a refcnt of the lower +device because it already holds a refcnt of the lower device with +netdev_upper_dev_link(). + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index cb7637364b40d..1bd113b142ea7 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3001,12 +3001,10 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { + static void macsec_free_netdev(struct net_device *dev) + { + struct macsec_dev *macsec = macsec_priv(dev); +- struct net_device *real_dev = macsec->real_dev; + + free_percpu(macsec->stats); + free_percpu(macsec->secy.tx_sc.stats); + +- dev_put(real_dev); + } + + static void macsec_setup(struct net_device *dev) +@@ -3261,8 +3259,6 @@ static int macsec_newlink(struct net *net, struct net_device *dev, + if (err < 0) + return err; + +- dev_hold(real_dev); +- + macsec->nest_level = dev_get_nest_level(real_dev) + 1; + netdev_lockdep_set_classes(dev); + lockdep_set_class_and_subclass(&dev->addr_list_lock, +-- +2.20.1 + diff --git a/queue-5.3/mt76-dma-fix-buffer-unmap-with-non-linear-skbs.patch b/queue-5.3/mt76-dma-fix-buffer-unmap-with-non-linear-skbs.patch new file mode 100644 index 00000000000..394f85e3798 --- /dev/null +++ b/queue-5.3/mt76-dma-fix-buffer-unmap-with-non-linear-skbs.patch @@ -0,0 +1,69 @@ +From f3d0f3fb9bba4e75840a5b86d85ddb348627d682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Oct 2019 20:53:09 +0100 +Subject: mt76: dma: fix buffer unmap with non-linear skbs + +From: Lorenzo Bianconi + +[ Upstream commit 7bd0650be63cbb9e45e394d689c81365fe48e495 ] + +mt76 dma layer is supposed to unmap skb data buffers while keep txwi +mapped on hw dma ring. At the moment mt76 wrongly unmap txwi or does +not unmap data fragments in even positions for non-linear skbs. This +issue may result in hw hangs with A-MSDU if the system relies on IOMMU +or SWIOTLB. Fix this behaviour properly unmapping data fragments on +non-linear skbs. + +Fixes: 17f1de56df05 ("mt76: add common code shared between multiple chipsets") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/dma.c | 6 ++++-- + drivers/net/wireless/mediatek/mt76/mt76.h | 5 +++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c +index d8f61e540bfd3..ed744cd19819c 100644 +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -64,8 +64,10 @@ mt76_dma_add_buf(struct mt76_dev *dev, struct mt76_queue *q, + u32 ctrl; + int i, idx = -1; + +- if (txwi) ++ if (txwi) { + q->entry[q->head].txwi = DMA_DUMMY_DATA; ++ q->entry[q->head].skip_buf0 = true; ++ } + + for (i = 0; i < nbufs; i += 2, buf += 2) { + u32 buf0 = buf[0].addr, buf1 = 0; +@@ -108,7 +110,7 @@ mt76_dma_tx_cleanup_idx(struct mt76_dev *dev, struct mt76_queue *q, int idx, + __le32 __ctrl = READ_ONCE(q->desc[idx].ctrl); + u32 ctrl = le32_to_cpu(__ctrl); + +- if (!e->txwi || !e->skb) { ++ if (!e->skip_buf0) { + __le32 addr = READ_ONCE(q->desc[idx].buf0); + u32 len = FIELD_GET(MT_DMA_CTL_SD_LEN0, ctrl); + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h +index 989386ecb5e4e..e98859ab480b7 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -102,8 +102,9 @@ struct mt76_queue_entry { + struct urb *urb; + }; + enum mt76_txq_id qid; +- bool schedule; +- bool done; ++ bool skip_buf0:1; ++ bool schedule:1; ++ bool done:1; + }; + + struct mt76_queue_regs { +-- +2.20.1 + diff --git a/queue-5.3/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch b/queue-5.3/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch new file mode 100644 index 00000000000..5492cbadd06 --- /dev/null +++ b/queue-5.3/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch @@ -0,0 +1,37 @@ +From 89c4e7e2ecae851e556e1cd92a9cbc66dd2aa789 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 20:17:25 +0800 +Subject: net: ethernet: arc: add the missed clk_disable_unprepare + +From: Chuhong Yuan + +[ Upstream commit 4202e219edd6cc164c042e16fa327525410705ae ] + +The remove misses to disable and unprepare priv->macclk like what is done +when probe fails. +Add the missed call in remove. + +Signed-off-by: Chuhong Yuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/arc/emac_rockchip.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c +index 42d2e1b02c440..664d664e09250 100644 +--- a/drivers/net/ethernet/arc/emac_rockchip.c ++++ b/drivers/net/ethernet/arc/emac_rockchip.c +@@ -256,6 +256,9 @@ static int emac_rockchip_remove(struct platform_device *pdev) + if (priv->regulator) + regulator_disable(priv->regulator); + ++ if (priv->soc_data->need_div_macclk) ++ clk_disable_unprepare(priv->macclk); ++ + free_netdev(ndev); + return err; + } +-- +2.20.1 + diff --git a/queue-5.3/net-hisilicon-fix-trying-to-free-already-free-irq.patch b/queue-5.3/net-hisilicon-fix-trying-to-free-already-free-irq.patch new file mode 100644 index 00000000000..e4a027f6cc2 --- /dev/null +++ b/queue-5.3/net-hisilicon-fix-trying-to-free-already-free-irq.patch @@ -0,0 +1,59 @@ +From fae824e184b1a66c15a03bdcdb18faa4be1d833b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 21:48:22 +0800 +Subject: net: hisilicon: Fix "Trying to free already-free IRQ" + +From: Jiangfeng Xiao + +[ Upstream commit 63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ] + +When rmmod hip04_eth.ko, we can get the following warning: + +Task track: rmmod(1623)>bash(1591)>login(1581)>init(1) +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac() +Trying to free already-free IRQ 200 +Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv +CPU: 0 PID: 1623 Comm: rmmod Tainted: G O 4.4.193 #1 +Hardware name: Hisilicon A15 +[] (rtos_unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xa0/0xd8) +[] (dump_stack) from [] (warn_slowpath_common+0x84/0xb0) +[] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x3c/0x68) +[] (warn_slowpath_fmt) from [] (__free_irq+0xa4/0x2ac) +[] (__free_irq) from [] (free_irq+0x60/0x7c) +[] (free_irq) from [] (release_nodes+0x1c4/0x1ec) +[] (release_nodes) from [] (__device_release_driver+0xa8/0x104) +[] (__device_release_driver) from [] (driver_detach+0xd0/0xf8) +[] (driver_detach) from [] (bus_remove_driver+0x64/0x8c) +[] (bus_remove_driver) from [] (SyS_delete_module+0x198/0x1e0) +[] (SyS_delete_module) from [] (__sys_trace_return+0x0/0x10) +---[ end trace bb25d6123d849b44 ]--- + +Currently "rmmod hip04_eth.ko" call free_irq more than once +as devres_release_all and hip04_remove both call free_irq. +This results in a 'Trying to free already-free IRQ' warning. +To solve the problem free_irq has been moved out of hip04_remove. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index f51bc0255556f..4606a7e4a6d19 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -1041,7 +1041,6 @@ static int hip04_remove(struct platform_device *pdev) + + hip04_free_ring(ndev, d); + unregister_netdev(ndev); +- free_irq(ndev->irq, ndev); + of_node_put(priv->phy_node); + cancel_work_sync(&priv->tx_timeout_task); + free_netdev(ndev); +-- +2.20.1 + diff --git a/queue-5.3/net-mlx5-fix-memory-leak-in-mlx5_fw_fatal_reporter_d.patch b/queue-5.3/net-mlx5-fix-memory-leak-in-mlx5_fw_fatal_reporter_d.patch new file mode 100644 index 00000000000..d3349299bf2 --- /dev/null +++ b/queue-5.3/net-mlx5-fix-memory-leak-in-mlx5_fw_fatal_reporter_d.patch @@ -0,0 +1,38 @@ +From 5eb1645d6d5569fa83a1fb21669315dffe30f424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 17:37:28 -0500 +Subject: net/mlx5: fix memory leak in mlx5_fw_fatal_reporter_dump + +From: Navid Emamdoost + +[ Upstream commit c7ed6d0183d5ea9bc31bcaeeba4070bd62546471 ] + +In mlx5_fw_fatal_reporter_dump if mlx5_crdump_collect fails the +allocated memory for cr_data must be released otherwise there will be +memory leak. To fix this, this commit changes the return instruction +into goto error handling. + +Fixes: 9b1f29823605 ("net/mlx5: Add support for FW fatal reporter dump") +Signed-off-by: Navid Emamdoost +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c +index d685122d9ff76..c07f3154437c6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c +@@ -572,7 +572,7 @@ mlx5_fw_fatal_reporter_dump(struct devlink_health_reporter *reporter, + return -ENOMEM; + err = mlx5_crdump_collect(dev, cr_data); + if (err) +- return err; ++ goto free_data; + + if (priv_ctx) { + struct mlx5_fw_reporter_ctx *fw_reporter_ctx = priv_ctx; +-- +2.20.1 + diff --git a/queue-5.3/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch b/queue-5.3/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch new file mode 100644 index 00000000000..23613579cbd --- /dev/null +++ b/queue-5.3/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch @@ -0,0 +1,39 @@ +From ab5dab3929fa5a8e06e35b697a119d84d373e3d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 22:20:34 -0500 +Subject: net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq + +From: Navid Emamdoost + +[ Upstream commit c8c2a057fdc7de1cd16f4baa51425b932a42eb39 ] + +In mlx5_fpga_conn_create_cq if mlx5_vector2eqn fails the allocated +memory should be released. + +Fixes: 537a50574175 ("net/mlx5: FPGA, Add high-speed connection routines") +Signed-off-by: Navid Emamdoost +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c +index 4c50efe4e7f11..61021133029e6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c +@@ -464,8 +464,10 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size) + } + + err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn); +- if (err) ++ if (err) { ++ kvfree(in); + goto err_cqwq; ++ } + + cqc = MLX5_ADDR_OF(create_cq_in, in, cq_context); + MLX5_SET(cqc, cqc, log_cq_size, ilog2(cq_size)); +-- +2.20.1 + diff --git a/queue-5.3/net-mlx5e-ktls-release-reference-on-dumped-fragments.patch b/queue-5.3/net-mlx5e-ktls-release-reference-on-dumped-fragments.patch new file mode 100644 index 00000000000..50b1f6ca1b0 --- /dev/null +++ b/queue-5.3/net-mlx5e-ktls-release-reference-on-dumped-fragments.patch @@ -0,0 +1,139 @@ +From 7a6cfc95f586420cc3a557cff67b5feabab19aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2019 13:45:38 +0300 +Subject: net/mlx5e: kTLS, Release reference on DUMPed fragments in shutdown + flow + +From: Tariq Toukan + +[ Upstream commit 2c559361389b452ca23494080d0c65ab812706c1 ] + +A call to kTLS completion handler was missing in the TXQSQ release +flow. Add it. + +Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support") +Signed-off-by: Tariq Toukan +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ktls.h | 7 ++++- + .../mellanox/mlx5/core/en_accel/ktls_tx.c | 11 ++++++-- + .../net/ethernet/mellanox/mlx5/core/en_tx.c | 28 ++++++++++--------- + 3 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h +index b7298f9ee3d3f..c4c128908b6e8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h +@@ -86,7 +86,7 @@ struct sk_buff *mlx5e_ktls_handle_tx_skb(struct net_device *netdev, + struct mlx5e_tx_wqe **wqe, u16 *pi); + void mlx5e_ktls_tx_handle_resync_dump_comp(struct mlx5e_txqsq *sq, + struct mlx5e_tx_wqe_info *wi, +- struct mlx5e_sq_dma *dma); ++ u32 *dma_fifo_cc); + + #else + +@@ -94,6 +94,11 @@ static inline void mlx5e_ktls_build_netdev(struct mlx5e_priv *priv) + { + } + ++static inline void ++mlx5e_ktls_tx_handle_resync_dump_comp(struct mlx5e_txqsq *sq, ++ struct mlx5e_tx_wqe_info *wi, ++ u32 *dma_fifo_cc) {} ++ + #endif + + #endif /* __MLX5E_TLS_H__ */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c +index 7833ddef04278..002245bb6b287 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c +@@ -304,9 +304,16 @@ tx_post_resync_dump(struct mlx5e_txqsq *sq, struct sk_buff *skb, + + void mlx5e_ktls_tx_handle_resync_dump_comp(struct mlx5e_txqsq *sq, + struct mlx5e_tx_wqe_info *wi, +- struct mlx5e_sq_dma *dma) ++ u32 *dma_fifo_cc) + { +- struct mlx5e_sq_stats *stats = sq->stats; ++ struct mlx5e_sq_stats *stats; ++ struct mlx5e_sq_dma *dma; ++ ++ if (!wi->resync_dump_frag) ++ return; ++ ++ dma = mlx5e_dma_get(sq, (*dma_fifo_cc)++); ++ stats = sq->stats; + + mlx5e_tx_dma_unmap(sq->pdev, dma); + __skb_frag_unref(wi->resync_dump_frag); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 9aaf74407a11f..4eebf7946aca1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -480,14 +480,7 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *cq, int napi_budget) + skb = wi->skb; + + if (unlikely(!skb)) { +-#ifdef CONFIG_MLX5_EN_TLS +- if (wi->resync_dump_frag) { +- struct mlx5e_sq_dma *dma = +- mlx5e_dma_get(sq, dma_fifo_cc++); +- +- mlx5e_ktls_tx_handle_resync_dump_comp(sq, wi, dma); +- } +-#endif ++ mlx5e_ktls_tx_handle_resync_dump_comp(sq, wi, &dma_fifo_cc); + sqcc += wi->num_wqebbs; + continue; + } +@@ -543,29 +536,38 @@ void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq) + { + struct mlx5e_tx_wqe_info *wi; + struct sk_buff *skb; ++ u32 dma_fifo_cc; ++ u16 sqcc; + u16 ci; + int i; + +- while (sq->cc != sq->pc) { +- ci = mlx5_wq_cyc_ctr2ix(&sq->wq, sq->cc); ++ sqcc = sq->cc; ++ dma_fifo_cc = sq->dma_fifo_cc; ++ ++ while (sqcc != sq->pc) { ++ ci = mlx5_wq_cyc_ctr2ix(&sq->wq, sqcc); + wi = &sq->db.wqe_info[ci]; + skb = wi->skb; + + if (!skb) { +- sq->cc += wi->num_wqebbs; ++ mlx5e_ktls_tx_handle_resync_dump_comp(sq, wi, &dma_fifo_cc); ++ sqcc += wi->num_wqebbs; + continue; + } + + for (i = 0; i < wi->num_dma; i++) { + struct mlx5e_sq_dma *dma = +- mlx5e_dma_get(sq, sq->dma_fifo_cc++); ++ mlx5e_dma_get(sq, dma_fifo_cc++); + + mlx5e_tx_dma_unmap(sq->pdev, dma); + } + + dev_kfree_skb_any(skb); +- sq->cc += wi->num_wqebbs; ++ sqcc += wi->num_wqebbs; + } ++ ++ sq->dma_fifo_cc = dma_fifo_cc; ++ sq->cc = sqcc; + } + + #ifdef CONFIG_MLX5_CORE_IPOIB +-- +2.20.1 + diff --git a/queue-5.3/net-mlx5e-tx-fix-assumption-of-single-wqebb-of-nop-i.patch b/queue-5.3/net-mlx5e-tx-fix-assumption-of-single-wqebb-of-nop-i.patch new file mode 100644 index 00000000000..dbf8607015a --- /dev/null +++ b/queue-5.3/net-mlx5e-tx-fix-assumption-of-single-wqebb-of-nop-i.patch @@ -0,0 +1,59 @@ +From 6890092aaaa02e26f55a427c35bff28936a89aaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2019 17:43:33 +0300 +Subject: net/mlx5e: Tx, Fix assumption of single WQEBB of NOP in cleanup flow + +From: Tariq Toukan + +[ Upstream commit 0c258dec8d98af15b34dbffdb89c008b6da01ff8 ] + +Cited patch removed the assumption only in datapath. +Here we remove it also form control/cleanup flow. + +Fixes: 9ab0233728ca ("net/mlx5e: Tx, Don't implicitly assume SKB-less wqe has one WQEBB") +Signed-off-by: Tariq Toukan +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +++++- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 9d5f6e56188f8..f3a2970c3fcf0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1347,9 +1347,13 @@ static void mlx5e_deactivate_txqsq(struct mlx5e_txqsq *sq) + /* last doorbell out, godspeed .. */ + if (mlx5e_wqc_has_room_for(wq, sq->cc, sq->pc, 1)) { + u16 pi = mlx5_wq_cyc_ctr2ix(wq, sq->pc); ++ struct mlx5e_tx_wqe_info *wi; + struct mlx5e_tx_wqe *nop; + +- sq->db.wqe_info[pi].skb = NULL; ++ wi = &sq->db.wqe_info[pi]; ++ ++ memset(wi, 0, sizeof(*wi)); ++ wi->num_wqebbs = 1; + nop = mlx5e_post_nop(wq, sq->sqn, &sq->pc); + mlx5e_notify_hw(wq, sq->pc, sq->uar_map, &nop->ctrl); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 600e92cb629a2..9aaf74407a11f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -551,8 +551,8 @@ void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq) + wi = &sq->db.wqe_info[ci]; + skb = wi->skb; + +- if (!skb) { /* nop */ +- sq->cc++; ++ if (!skb) { ++ sq->cc += wi->num_wqebbs; + continue; + } + +-- +2.20.1 + diff --git a/queue-5.3/net-mlx5e-tx-fix-consumer-index-of-error-cqe-dump.patch b/queue-5.3/net-mlx5e-tx-fix-consumer-index-of-error-cqe-dump.patch new file mode 100644 index 00000000000..b31f129ba7c --- /dev/null +++ b/queue-5.3/net-mlx5e-tx-fix-consumer-index-of-error-cqe-dump.patch @@ -0,0 +1,41 @@ +From 8314ee48044d2ecd5e90baef126d852a54a61f7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 11:29:09 +0300 +Subject: net/mlx5e: TX, Fix consumer index of error cqe dump + +From: Tariq Toukan + +[ Upstream commit 61ea02d2c13106116c6e4916ac5d9dd41151c959 ] + +The completion queue consumer index increments upon a call to +mlx5_cqwq_pop(). +When dumping an error CQE, the index is already incremented. +Decrease one for the print command. + +Fixes: 16cc14d81733 ("net/mlx5e: Dump xmit error completions") +Signed-off-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 4eebf7946aca1..d5d2b1af3dbcc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -404,7 +404,10 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *skb, struct net_device *dev) + static void mlx5e_dump_error_cqe(struct mlx5e_txqsq *sq, + struct mlx5_err_cqe *err_cqe) + { +- u32 ci = mlx5_cqwq_get_ci(&sq->cq.wq); ++ struct mlx5_cqwq *wq = &sq->cq.wq; ++ u32 ci; ++ ++ ci = mlx5_cqwq_ctr2ix(wq, wq->cc - 1); + + netdev_err(sq->channel->netdev, + "Error cqe on cqn 0x%x, ci 0x%x, sqn 0x%x, opcode 0x%x, syndrome 0x%x, vendor syndrome 0x%x\n", +-- +2.20.1 + diff --git a/queue-5.3/net-mscc-ocelot-fix-vlan_filtering-when-enslaving-to.patch b/queue-5.3/net-mscc-ocelot-fix-vlan_filtering-when-enslaving-to.patch new file mode 100644 index 00000000000..44cce3cc5c7 --- /dev/null +++ b/queue-5.3/net-mscc-ocelot-fix-vlan_filtering-when-enslaving-to.patch @@ -0,0 +1,112 @@ +From 9b366d2f4e734bd3f771c40a9bbb6470d22c5180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 21:04:26 +0300 +Subject: net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before + link is up + +From: Vladimir Oltean + +[ Upstream commit 1c44ce560b4de639f237b458be1729489ff44d0a ] + +Background information: the driver operates the hardware in a mode where +a single VLAN can be transmitted as untagged on a particular egress +port. That is the "native VLAN on trunk port" use case. Its value is +held in port->vid. + +Consider the following command sequence (no network manager, all +interfaces are down, debugging prints added by me): + +$ ip link add dev br0 type bridge vlan_filtering 1 +$ ip link set dev swp0 master br0 + +Kernel code path during last command: + +br_add_slave -> ocelot_netdevice_port_event (NETDEV_CHANGEUPPER): +[ 21.401901] ocelot_vlan_port_apply: port 0 vlan aware 0 pvid 0 vid 0 + +br_add_slave -> nbp_vlan_init -> switchdev_port_attr_set -> ocelot_port_attr_set (SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING): +[ 21.413335] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 0 vid 0 + +br_add_slave -> nbp_vlan_init -> nbp_vlan_add -> br_switchdev_port_vlan_add -> switchdev_port_obj_add -> ocelot_port_obj_add -> ocelot_vlan_vid_add +[ 21.667421] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 1 + +So far so good. The bridge has replaced the driver's default pvid used +in standalone mode (0) with its own default_pvid (1). The port's vid +(native VLAN) has also changed from 0 to 1. + +$ ip link set dev swp0 up + +[ 31.722956] 8021q: adding VLAN 0 to HW filter on device swp0 +do_setlink -> dev_change_flags -> vlan_vid_add -> ocelot_vlan_rx_add_vid -> ocelot_vlan_vid_add: +[ 31.728700] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 0 + +The 8021q module uses the .ndo_vlan_rx_add_vid API on .ndo_open to make +ports be able to transmit and receive 802.1p-tagged traffic by default. +This API is supposed to offload a VLAN sub-interface, which for a switch +port means to add a VLAN that is not a pvid, and tagged on egress. + +But the driver implementation of .ndo_vlan_rx_add_vid is wrong: it adds +back vid 0 as "egress untagged". Now back to the initial paragraph: +there is a single untagged VID that the driver keeps track of, and that +has just changed from 1 (the pvid) to 0. So this breaks the bridge +core's expectation, because it has changed vid 1 from untagged to +tagged, when what the user sees is. + +$ bridge vlan +port vlan ids +swp0 1 PVID Egress Untagged + +br0 1 PVID Egress Untagged + +But curiously, instead of manifesting itself as "untagged and +pvid-tagged traffic gets sent as tagged on egress", the bug: + +- is hidden when vlan_filtering=0 +- manifests as dropped traffic when vlan_filtering=1, due to this setting: + + if (port->vlan_aware && !port->vid) + /* If port is vlan-aware and tagged, drop untagged and priority + * tagged frames. + */ + val |= ANA_PORT_DROP_CFG_DROP_UNTAGGED_ENA | + ANA_PORT_DROP_CFG_DROP_PRIO_S_TAGGED_ENA | + ANA_PORT_DROP_CFG_DROP_PRIO_C_TAGGED_ENA; + +which would have made sense if it weren't for this bug. The setting's +intention was "this is a trunk port with no native VLAN, so don't accept +untagged traffic". So the driver was never expecting to set VLAN 0 as +the value of the native VLAN, 0 was just encoding for "invalid". + +So the fix is to not send 802.1p traffic as untagged, because that would +change the port's native vlan to 0, unbeknownst to the bridge, and +trigger unexpected code paths in the driver. + +Cc: Antoine Tenart +Cc: Alexandre Belloni +Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Acked-by: Alexandre Belloni +Reviewed-by: Horatiu Vultur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index dc78940f08fb1..07ca3e0cdf92b 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -877,7 +877,7 @@ end: + static int ocelot_vlan_rx_add_vid(struct net_device *dev, __be16 proto, + u16 vid) + { +- return ocelot_vlan_vid_add(dev, vid, false, true); ++ return ocelot_vlan_vid_add(dev, vid, false, false); + } + + static int ocelot_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, +-- +2.20.1 + diff --git a/queue-5.3/net-mscc-ocelot-refuse-to-overwrite-the-port-s-nativ.patch b/queue-5.3/net-mscc-ocelot-refuse-to-overwrite-the-port-s-nativ.patch new file mode 100644 index 00000000000..833d634a639 --- /dev/null +++ b/queue-5.3/net-mscc-ocelot-refuse-to-overwrite-the-port-s-nativ.patch @@ -0,0 +1,71 @@ +From c81011c24e8770771b7de872c9adf353c49fba81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 21:04:27 +0300 +Subject: net: mscc: ocelot: refuse to overwrite the port's native vlan + +From: Vladimir Oltean + +[ Upstream commit b9cd75e6689560140dadaed98eb4b41aad75d55d ] + +The switch driver keeps a "vid" variable per port, which signifies _the_ +VLAN ID that is stripped on that port's egress (aka the native VLAN on a +trunk port). + +That is the way the hardware is designed (mostly). The port->vid is +programmed into REW:PORT:PORT_VLAN_CFG:PORT_VID and the rewriter is told +to send all traffic as tagged except the one having port->vid. + +There exists a possibility of finer-grained egress untagging decisions: +using the VCAP IS1 engine, one rule can be added to match every +VLAN-tagged frame whose VLAN should be untagged, and set POP_CNT=1 as +action. However, the IS1 can hold at most 512 entries, and the VLANs are +in the order of 6 * 4096. + +So the code is fine for now. But this sequence of commands: + +$ bridge vlan add dev swp0 vid 1 pvid untagged +$ bridge vlan add dev swp0 vid 2 untagged + +makes untagged and pvid-tagged traffic be sent out of swp0 as tagged +with VID 1, despite user's request. + +Prevent that from happening. The user should temporarily remove the +existing untagged VLAN (1 in this case), add it back as tagged, and then +add the new untagged VLAN (2 in this case). + +Cc: Antoine Tenart +Cc: Alexandre Belloni +Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Acked-by: Alexandre Belloni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 07ca3e0cdf92b..7ffe5959a7e73 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -260,8 +260,15 @@ static int ocelot_vlan_vid_add(struct net_device *dev, u16 vid, bool pvid, + port->pvid = vid; + + /* Untagged egress vlan clasification */ +- if (untagged) ++ if (untagged && port->vid != vid) { ++ if (port->vid) { ++ dev_err(ocelot->dev, ++ "Port already has a native VLAN: %d\n", ++ port->vid); ++ return -EBUSY; ++ } + port->vid = vid; ++ } + + ocelot_vlan_port_apply(ocelot, port); + +-- +2.20.1 + diff --git a/queue-5.3/net-openvswitch-free-vport-unless-register_netdevice.patch b/queue-5.3/net-openvswitch-free-vport-unless-register_netdevice.patch new file mode 100644 index 00000000000..87d901cb82d --- /dev/null +++ b/queue-5.3/net-openvswitch-free-vport-unless-register_netdevice.patch @@ -0,0 +1,195 @@ +From d9d55a092308612bf42d68a3dbf444818b61e79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 12:01:57 +0200 +Subject: net: openvswitch: free vport unless register_netdevice() succeeds + +From: Hillf Danton + +[ Upstream commit 9464cc37f3671ee69cb1c00662b5e1f113a96b23 ] + +syzbot found the following crash on: + +HEAD commit: 1e78030e Merge tag 'mmc-v5.3-rc1' of git://git.kernel.org/.. +git tree: upstream +console output: https://syzkaller.appspot.com/x/log.txt?x=148d3d1a600000 +kernel config: https://syzkaller.appspot.com/x/.config?x=30cef20daf3e9977 +dashboard link: https://syzkaller.appspot.com/bug?extid=13210896153522fe1ee5 +compiler: gcc (GCC) 9.0.0 20181231 (experimental) +syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136aa8c4600000 +C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109ba792600000 + +===================================================================== +BUG: memory leak +unreferenced object 0xffff8881207e4100 (size 128): + comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s) + hex dump (first 32 bytes): + 00 70 16 18 81 88 ff ff 80 af 8c 22 81 88 ff ff .p.........".... + 00 b6 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 ..#............. + backtrace: + [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline] + [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline] + [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548 + [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline] + [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline] + [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130 + [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 + [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 + [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 + [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 + [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 + [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 + [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 + [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 + [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 + [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 + [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] + [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 + [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 + [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 + [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline] + [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline] + [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363 + +BUG: memory leak +unreferenced object 0xffff88811723b600 (size 64): + comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s) + hex dump (first 32 bytes): + 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 02 00 00 00 05 35 82 c1 .............5.. + backtrace: + [<00000000352f46d8>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<00000000352f46d8>] slab_post_alloc_hook mm/slab.h:522 [inline] + [<00000000352f46d8>] slab_alloc mm/slab.c:3319 [inline] + [<00000000352f46d8>] __do_kmalloc mm/slab.c:3653 [inline] + [<00000000352f46d8>] __kmalloc+0x169/0x300 mm/slab.c:3664 + [<000000008e48f3d1>] kmalloc include/linux/slab.h:557 [inline] + [<000000008e48f3d1>] ovs_vport_set_upcall_portids+0x54/0xd0 net/openvswitch/vport.c:343 + [<00000000541e4f4a>] ovs_vport_alloc+0x7f/0xf0 net/openvswitch/vport.c:139 + [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 + [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 + [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 + [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 + [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 + [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 + [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 + [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 + [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 + [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 + [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] + [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 + [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 + [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 + +BUG: memory leak +unreferenced object 0xffff8881228ca500 (size 128): + comm "syz-executor032", pid 7015, jiffies 4294944622 (age 7.880s) + hex dump (first 32 bytes): + 00 f0 27 18 81 88 ff ff 80 ac 8c 22 81 88 ff ff ..'........".... + 40 b7 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 @.#............. + backtrace: + [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline] + [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline] + [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548 + [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline] + [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline] + [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130 + [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 + [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 + [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 + [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 + [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 + [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 + [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 + [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 + [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 + [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 + [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] + [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 + [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 + [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 + [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline] + [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline] + [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363 +===================================================================== + +The function in net core, register_netdevice(), may fail with vport's +destruction callback either invoked or not. After commit 309b66970ee2 +("net: openvswitch: do not free vport if register_netdevice() is failed."), +the duty to destroy vport is offloaded from the driver OTOH, which ends +up in the memory leak reported. + +It is fixed by releasing vport unless device is registered successfully. +To do that, the callback assignment is defered until device is registered. + +Reported-by: syzbot+13210896153522fe1ee5@syzkaller.appspotmail.com +Fixes: 309b66970ee2 ("net: openvswitch: do not free vport if register_netdevice() is failed.") +Cc: Taehee Yoo +Cc: Greg Rose +Cc: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Cc: Ying Xue +Cc: Andrey Konovalov +Signed-off-by: Hillf Danton +Acked-by: Pravin B Shelar +[sbrivio: this was sent to dev@openvswitch.org and never made its way + to netdev -- resending original patch] +Signed-off-by: Stefano Brivio +Reviewed-by: Greg Rose +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-internal_dev.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c +index d2437b5b2f6ad..baa33103108a5 100644 +--- a/net/openvswitch/vport-internal_dev.c ++++ b/net/openvswitch/vport-internal_dev.c +@@ -137,7 +137,7 @@ static void do_setup(struct net_device *netdev) + netdev->priv_flags |= IFF_LIVE_ADDR_CHANGE | IFF_OPENVSWITCH | + IFF_NO_QUEUE; + netdev->needs_free_netdev = true; +- netdev->priv_destructor = internal_dev_destructor; ++ netdev->priv_destructor = NULL; + netdev->ethtool_ops = &internal_dev_ethtool_ops; + netdev->rtnl_link_ops = &internal_dev_link_ops; + +@@ -159,7 +159,6 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + struct internal_dev *internal_dev; + struct net_device *dev; + int err; +- bool free_vport = true; + + vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms); + if (IS_ERR(vport)) { +@@ -190,10 +189,9 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + + rtnl_lock(); + err = register_netdevice(vport->dev); +- if (err) { +- free_vport = false; ++ if (err) + goto error_unlock; +- } ++ vport->dev->priv_destructor = internal_dev_destructor; + + dev_set_promiscuity(vport->dev, 1); + rtnl_unlock(); +@@ -207,8 +205,7 @@ error_unlock: + error_free_netdev: + free_netdev(dev); + error_free_vport: +- if (free_vport) +- ovs_vport_free(vport); ++ ovs_vport_free(vport); + error: + return ERR_PTR(err); + } +-- +2.20.1 + diff --git a/queue-5.3/net-phy-smsc-lan8740-add-phy_rst_after_clk_en-flag.patch b/queue-5.3/net-phy-smsc-lan8740-add-phy_rst_after_clk_en-flag.patch new file mode 100644 index 00000000000..61f7ec4f90b --- /dev/null +++ b/queue-5.3/net-phy-smsc-lan8740-add-phy_rst_after_clk_en-flag.patch @@ -0,0 +1,42 @@ +From 99806ed7f40cff28a3b40cdd0fcc26a4227df472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 11:44:24 +0200 +Subject: net: phy: smsc: LAN8740: add PHY_RST_AFTER_CLK_EN flag + +From: Martin Fuzzey + +[ Upstream commit 76db2d466f6a929a04775f0f87d837e3bcba44e8 ] + +The LAN8740, like the 8720, also requires a reset after enabling clock. +The datasheet [1] 3.8.5.1 says: + "During a Hardware reset, an external clock must be supplied + to the XTAL1/CLKIN signal." + +I have observed this issue on a custom i.MX6 based board with +the LAN8740A. + +[1] http://ww1.microchip.com/downloads/en/DeviceDoc/8740a.pdf + +Signed-off-by: Martin Fuzzey +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index dc3d92d340c4d..b732982507939 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -327,6 +327,7 @@ static struct phy_driver smsc_phy_driver[] = { + .name = "SMSC LAN8740", + + /* PHY_BASIC_FEATURES */ ++ .flags = PHY_RST_AFTER_CLK_EN, + + .probe = smsc_phy_probe, + +-- +2.20.1 + diff --git a/queue-5.3/net-stmmac-fix-the-problem-of-tso_xmit.patch b/queue-5.3/net-stmmac-fix-the-problem-of-tso_xmit.patch new file mode 100644 index 00000000000..e88af8bec3c --- /dev/null +++ b/queue-5.3/net-stmmac-fix-the-problem-of-tso_xmit.patch @@ -0,0 +1,43 @@ +From b48e2d8d6dfbbc4e74b80fa98d2c607868f23910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 11:27:34 +0800 +Subject: net: stmmac: Fix the problem of tso_xmit + +From: yuqi jin + +[ Upstream commit 34c15202896d11e3974788daf9005a84ec45f7a2 ] + +When the address width of DMA is greater than 32, the packet header occupies +a BD descriptor. The starting address of the data should be added to the +header length. + +Fixes: a993db88d17d ("net: stmmac: Enable support for > 32 Bits addressing in XGMAC") +Cc: Eric Dumazet +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Cc: Jose Abreu +Cc: "David S. Miller" +Cc: Maxime Coquelin +Signed-off-by: yuqi jin +Signed-off-by: Shaokun Zhang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index fe2d3029de5ea..ed0e694a08553 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2906,6 +2906,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev) + } else { + stmmac_set_desc_addr(priv, first, des); + tmp_pay_len = pay_len; ++ des += proto_hdr_len; + } + + stmmac_tso_allocator(priv, des, tmp_pay_len, (nfrags == 0), queue); +-- +2.20.1 + diff --git a/queue-5.3/netfilter-nf_flow_table-set-timeout-before-insertion.patch b/queue-5.3/netfilter-nf_flow_table-set-timeout-before-insertion.patch new file mode 100644 index 00000000000..d9a9ca11bcd --- /dev/null +++ b/queue-5.3/netfilter-nf_flow_table-set-timeout-before-insertion.patch @@ -0,0 +1,63 @@ +From b890b38950bf706e433440e6aa883e7bf2c6f3a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 11:03:15 +0200 +Subject: netfilter: nf_flow_table: set timeout before insertion into hashes + +From: Pablo Neira Ayuso + +[ Upstream commit daf61b026f4686250e6afa619e6d7b49edc61df7 ] + +Other garbage collector might remove an entry not fully set up yet. + +[570953.958293] RIP: 0010:memcmp+0x9/0x50 +[...] +[570953.958567] flow_offload_hash_cmp+0x1e/0x30 [nf_flow_table] +[570953.958585] flow_offload_lookup+0x8c/0x110 [nf_flow_table] +[570953.958606] nf_flow_offload_ip_hook+0x135/0xb30 [nf_flow_table] +[570953.958624] nf_flow_offload_inet_hook+0x35/0x37 [nf_flow_table_inet] +[570953.958646] nf_hook_slow+0x3c/0xb0 +[570953.958664] __netif_receive_skb_core+0x90f/0xb10 +[570953.958678] ? ip_rcv_finish+0x82/0xa0 +[570953.958692] __netif_receive_skb_one_core+0x3b/0x80 +[570953.958711] __netif_receive_skb+0x18/0x60 +[570953.958727] netif_receive_skb_internal+0x45/0xf0 +[570953.958741] napi_gro_receive+0xcd/0xf0 +[570953.958764] ixgbe_clean_rx_irq+0x432/0xe00 [ixgbe] +[570953.958782] ixgbe_poll+0x27b/0x700 [ixgbe] +[570953.958796] net_rx_action+0x284/0x3c0 +[570953.958817] __do_softirq+0xcc/0x27c +[570953.959464] irq_exit+0xe8/0x100 +[570953.960097] do_IRQ+0x59/0xe0 +[570953.960734] common_interrupt+0xf/0xf + +Fixes: 43c8f131184f ("netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index a0b4bf654de2d..4c2f8959de587 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -201,6 +201,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) + { + int err; + ++ flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT; ++ + err = rhashtable_insert_fast(&flow_table->rhashtable, + &flow->tuplehash[0].node, + nf_flow_offload_rhash_params); +@@ -217,7 +219,6 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) + return err; + } + +- flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT; + return 0; + } + EXPORT_SYMBOL_GPL(flow_offload_add); +-- +2.20.1 + diff --git a/queue-5.3/netfilter-nft_payload-fix-missing-check-for-matching.patch b/queue-5.3/netfilter-nft_payload-fix-missing-check-for-matching.patch new file mode 100644 index 00000000000..f0e2d51bc60 --- /dev/null +++ b/queue-5.3/netfilter-nft_payload-fix-missing-check-for-matching.patch @@ -0,0 +1,140 @@ +From 64bcb410228aad6e18b8528b8e353f8e53a76496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 15:52:45 +0800 +Subject: netfilter: nft_payload: fix missing check for matching length in + offloads + +From: wenxu + +[ Upstream commit a69a85da458f79088c38a38db034a4d64d9c32c3 ] + +Payload offload rule should also check the length of the match. +Moreover, check for unsupported link-layer fields: + + nft --debug=netlink add rule firewall zones vlan id 100 + ... + [ payload load 2b @ link header + 0 => reg 1 ] + +this loads 2byte base on ll header and offset 0. + +This also fixes unsupported raw payload match. + +Fixes: 92ad6325cb89 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: wenxu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 38 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 22a80eb60222e..5cb2d8908d2a5 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -161,13 +161,21 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, + + switch (priv->offset) { + case offsetof(struct ethhdr, h_source): ++ if (priv->len != ETH_ALEN) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs, + src, ETH_ALEN, reg); + break; + case offsetof(struct ethhdr, h_dest): ++ if (priv->len != ETH_ALEN) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs, + dst, ETH_ALEN, reg); + break; ++ default: ++ return -EOPNOTSUPP; + } + + return 0; +@@ -181,14 +189,23 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx, + + switch (priv->offset) { + case offsetof(struct iphdr, saddr): ++ if (priv->len != sizeof(struct in_addr)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src, + sizeof(struct in_addr), reg); + break; + case offsetof(struct iphdr, daddr): ++ if (priv->len != sizeof(struct in_addr)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst, + sizeof(struct in_addr), reg); + break; + case offsetof(struct iphdr, protocol): ++ if (priv->len != sizeof(__u8)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto, + sizeof(__u8), reg); + nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT); +@@ -208,14 +225,23 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx, + + switch (priv->offset) { + case offsetof(struct ipv6hdr, saddr): ++ if (priv->len != sizeof(struct in6_addr)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src, + sizeof(struct in6_addr), reg); + break; + case offsetof(struct ipv6hdr, daddr): ++ if (priv->len != sizeof(struct in6_addr)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst, + sizeof(struct in6_addr), reg); + break; + case offsetof(struct ipv6hdr, nexthdr): ++ if (priv->len != sizeof(__u8)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto, + sizeof(__u8), reg); + nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT); +@@ -255,10 +281,16 @@ static int nft_payload_offload_tcp(struct nft_offload_ctx *ctx, + + switch (priv->offset) { + case offsetof(struct tcphdr, source): ++ if (priv->len != sizeof(__be16)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src, + sizeof(__be16), reg); + break; + case offsetof(struct tcphdr, dest): ++ if (priv->len != sizeof(__be16)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst, + sizeof(__be16), reg); + break; +@@ -277,10 +309,16 @@ static int nft_payload_offload_udp(struct nft_offload_ctx *ctx, + + switch (priv->offset) { + case offsetof(struct udphdr, source): ++ if (priv->len != sizeof(__be16)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src, + sizeof(__be16), reg); + break; + case offsetof(struct udphdr, dest): ++ if (priv->len != sizeof(__be16)) ++ return -EOPNOTSUPP; ++ + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst, + sizeof(__be16), reg); + break; +-- +2.20.1 + diff --git a/queue-5.3/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch b/queue-5.3/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch new file mode 100644 index 00000000000..6d824eb10cb --- /dev/null +++ b/queue-5.3/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch @@ -0,0 +1,97 @@ +From bc725733ba50796c5f7e5f47d0e21bd213b2e2ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 18:40:32 -0400 +Subject: NFSv4: Don't allow a cached open with a revoked delegation + +From: Trond Myklebust + +[ Upstream commit be3df3dd4c70ee020587a943a31b98a0fb4b6424 ] + +If the delegation is marked as being revoked, we must not use it +for cached opens. + +Fixes: 869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 10 ++++++++++ + fs/nfs/delegation.h | 1 + + fs/nfs/nfs4proc.c | 7 ++----- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index ad7a771014714..af549d70ec507 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -53,6 +53,16 @@ nfs4_is_valid_delegation(const struct nfs_delegation *delegation, + return false; + } + ++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode) ++{ ++ struct nfs_delegation *delegation; ++ ++ delegation = rcu_dereference(NFS_I(inode)->delegation); ++ if (nfs4_is_valid_delegation(delegation, 0)) ++ return delegation; ++ return NULL; ++} ++ + static int + nfs4_do_check_delegation(struct inode *inode, fmode_t flags, bool mark) + { +diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h +index 9eb87ae4c9827..8b14d441e699b 100644 +--- a/fs/nfs/delegation.h ++++ b/fs/nfs/delegation.h +@@ -68,6 +68,7 @@ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, + bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, const struct cred **cred); + bool nfs4_refresh_delegation_stateid(nfs4_stateid *dst, struct inode *inode); + ++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode); + void nfs_mark_delegation_referenced(struct nfs_delegation *delegation); + int nfs4_have_delegation(struct inode *inode, fmode_t flags); + int nfs4_check_delegation(struct inode *inode, fmode_t flags); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index e1e7d2724b971..e600f28b1ddb9 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1435,8 +1435,6 @@ static int can_open_delegated(struct nfs_delegation *delegation, fmode_t fmode, + return 0; + if ((delegation->type & fmode) != fmode) + return 0; +- if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags)) +- return 0; + switch (claim) { + case NFS4_OPEN_CLAIM_NULL: + case NFS4_OPEN_CLAIM_FH: +@@ -1805,7 +1803,6 @@ static void nfs4_return_incompatible_delegation(struct inode *inode, fmode_t fmo + static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) + { + struct nfs4_state *state = opendata->state; +- struct nfs_inode *nfsi = NFS_I(state->inode); + struct nfs_delegation *delegation; + int open_mode = opendata->o_arg.open_flags; + fmode_t fmode = opendata->o_arg.fmode; +@@ -1822,7 +1819,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) + } + spin_unlock(&state->owner->so_lock); + rcu_read_lock(); +- delegation = rcu_dereference(nfsi->delegation); ++ delegation = nfs4_get_valid_delegation(state->inode); + if (!can_open_delegated(delegation, fmode, claim)) { + rcu_read_unlock(); + break; +@@ -2366,7 +2363,7 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata) + data->o_arg.open_flags, claim)) + goto out_no_action; + rcu_read_lock(); +- delegation = rcu_dereference(NFS_I(data->state->inode)->delegation); ++ delegation = nfs4_get_valid_delegation(data->state->inode); + if (can_open_delegated(delegation, data->o_arg.fmode, claim)) + goto unlock_no_action; + rcu_read_unlock(); +-- +2.20.1 + diff --git a/queue-5.3/nvme-multipath-fix-possible-io-hang-after-ctrl-recon.patch b/queue-5.3/nvme-multipath-fix-possible-io-hang-after-ctrl-recon.patch new file mode 100644 index 00000000000..d093de1fcd0 --- /dev/null +++ b/queue-5.3/nvme-multipath-fix-possible-io-hang-after-ctrl-recon.patch @@ -0,0 +1,65 @@ +From 67e4e6b89078eaeb760fdc1b14119537c1143df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 11:32:50 -0700 +Subject: nvme-multipath: fix possible io hang after ctrl reconnect + +From: Anton Eidelman + +[ Upstream commit af8fd0424713a2adb812d10d55e86718152cf656 ] + +The following scenario results in an IO hang: +1) ctrl completes a request with NVME_SC_ANA_TRANSITION. + NVME_NS_ANA_PENDING bit in ns->flags is set and ana_work is triggered. +2) ana_work: nvme_read_ana_log() tries to get the ANA log page from the ctrl. + This fails because ctrl disconnects. + Therefore nvme_update_ns_ana_state() is not called + and NVME_NS_ANA_PENDING bit in ns->flags is not cleared. +3) ctrl reconnects: nvme_mpath_init(ctrl,...) calls + nvme_read_ana_log(ctrl, groups_only=true). + However, nvme_update_ana_state() does not update namespaces + because nr_nsids = 0 (due to groups_only mode). +4) scan_work calls nvme_validate_ns() finds the ns and re-validates OK. + +Result: +The ctrl is now live but NVME_NS_ANA_PENDING bit in ns->flags is still set. +Consequently ctrl will never be considered a viable path by __nvme_find_path(). +IO will hang if ctrl is the only or the last path to the namespace. + +More generally, while ctrl is reconnecting, its ANA state may change. +And because nvme_mpath_init() requests ANA log in groups_only mode, +these changes are not propagated to the existing ctrl namespaces. +This may result in a mal-function or an IO hang. + +Solution: +nvme_mpath_init() will nvme_read_ana_log() with groups_only set to false. +This will not harm the new ctrl case (no namespaces present), +and will make sure the ANA state of namespaces gets updated after reconnect. + +Note: Another option would be for nvme_mpath_init() to invoke +nvme_parse_ana_log(..., nvme_set_ns_ana_state) for each existing namespace. + +Reviewed-by: Sagi Grimberg +Signed-off-by: Anton Eidelman +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 30de7efef0035..d320684d25b20 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -715,7 +715,7 @@ int nvme_mpath_init(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + goto out; + } + +- error = nvme_read_ana_log(ctrl, true); ++ error = nvme_read_ana_log(ctrl, false); + if (error) + goto out_free_ana_log_buf; + return 0; +-- +2.20.1 + diff --git a/queue-5.3/ocfs2-protect-extent-tree-in-ocfs2_prepare_inode_for.patch b/queue-5.3/ocfs2-protect-extent-tree-in-ocfs2_prepare_inode_for.patch new file mode 100644 index 00000000000..4fc70acb4f7 --- /dev/null +++ b/queue-5.3/ocfs2-protect-extent-tree-in-ocfs2_prepare_inode_for.patch @@ -0,0 +1,266 @@ +From 48a57381013ced1c39cb0d3a2051fba37528cb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 21:16:34 -0800 +Subject: ocfs2: protect extent tree in ocfs2_prepare_inode_for_write() + +From: Shuning Zhang + +[ Upstream commit e74540b285569d2b1e14fe7aee92297078f235ce ] + +When the extent tree is modified, it should be protected by inode +cluster lock and ip_alloc_sem. + +The extent tree is accessed and modified in the +ocfs2_prepare_inode_for_write, but isn't protected by ip_alloc_sem. + +The following is a case. The function ocfs2_fiemap is accessing the +extent tree, which is modified at the same time. + + kernel BUG at fs/ocfs2/extent_map.c:475! + invalid opcode: 0000 [#1] SMP + Modules linked in: tun ocfs2 ocfs2_nodemanager configfs ocfs2_stackglue [...] + CPU: 16 PID: 14047 Comm: o2info Not tainted 4.1.12-124.23.1.el6uek.x86_64 #2 + Hardware name: Oracle Corporation ORACLE SERVER X7-2L/ASM, MB MECH, X7-2L, BIOS 42040600 10/19/2018 + task: ffff88019487e200 ti: ffff88003daa4000 task.ti: ffff88003daa4000 + RIP: ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2] + Call Trace: + ocfs2_fiemap+0x1e3/0x430 [ocfs2] + do_vfs_ioctl+0x155/0x510 + SyS_ioctl+0x81/0xa0 + system_call_fastpath+0x18/0xd8 + Code: 18 48 c7 c6 60 7f 65 a0 31 c0 bb e2 ff ff ff 48 8b 4a 40 48 8b 7a 28 48 c7 c2 78 2d 66 a0 e8 38 4f 05 00 e9 28 fe ff ff 0f 1f 00 <0f> 0b 66 0f 1f 44 00 00 bb 86 ff ff ff e9 13 fe ff ff 66 0f 1f + RIP ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2] + ---[ end trace c8aa0c8180e869dc ]--- + Kernel panic - not syncing: Fatal exception + Kernel Offset: disabled + +This issue can be reproduced every week in a production environment. + +This issue is related to the usage mode. If others use ocfs2 in this +mode, the kernel will panic frequently. + +[akpm@linux-foundation.org: coding style fixes] +[Fix new warning due to unused function by removing said function - Linus ] +Link: http://lkml.kernel.org/r/1568772175-2906-2-git-send-email-sunny.s.zhang@oracle.com +Signed-off-by: Shuning Zhang +Reviewed-by: Junxiao Bi +Reviewed-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/file.c | 134 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 90 insertions(+), 44 deletions(-) + +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c +index 4435df3e5adb9..f6d790b7f2e2e 100644 +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2092,54 +2092,90 @@ static int ocfs2_is_io_unaligned(struct inode *inode, size_t count, loff_t pos) + return 0; + } + +-static int ocfs2_prepare_inode_for_refcount(struct inode *inode, +- struct file *file, +- loff_t pos, size_t count, +- int *meta_level) ++static int ocfs2_inode_lock_for_extent_tree(struct inode *inode, ++ struct buffer_head **di_bh, ++ int meta_level, ++ int overwrite_io, ++ int write_sem, ++ int wait) + { +- int ret; +- struct buffer_head *di_bh = NULL; +- u32 cpos = pos >> OCFS2_SB(inode->i_sb)->s_clustersize_bits; +- u32 clusters = +- ocfs2_clusters_for_bytes(inode->i_sb, pos + count) - cpos; ++ int ret = 0; + +- ret = ocfs2_inode_lock(inode, &di_bh, 1); +- if (ret) { +- mlog_errno(ret); ++ if (wait) ++ ret = ocfs2_inode_lock(inode, NULL, meta_level); ++ else ++ ret = ocfs2_try_inode_lock(inode, ++ overwrite_io ? NULL : di_bh, meta_level); ++ if (ret < 0) + goto out; ++ ++ if (wait) { ++ if (write_sem) ++ down_write(&OCFS2_I(inode)->ip_alloc_sem); ++ else ++ down_read(&OCFS2_I(inode)->ip_alloc_sem); ++ } else { ++ if (write_sem) ++ ret = down_write_trylock(&OCFS2_I(inode)->ip_alloc_sem); ++ else ++ ret = down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem); ++ ++ if (!ret) { ++ ret = -EAGAIN; ++ goto out_unlock; ++ } + } + +- *meta_level = 1; ++ return ret; + +- ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX); +- if (ret) +- mlog_errno(ret); ++out_unlock: ++ brelse(*di_bh); ++ ocfs2_inode_unlock(inode, meta_level); + out: +- brelse(di_bh); + return ret; + } + ++static void ocfs2_inode_unlock_for_extent_tree(struct inode *inode, ++ struct buffer_head **di_bh, ++ int meta_level, ++ int write_sem) ++{ ++ if (write_sem) ++ up_write(&OCFS2_I(inode)->ip_alloc_sem); ++ else ++ up_read(&OCFS2_I(inode)->ip_alloc_sem); ++ ++ brelse(*di_bh); ++ *di_bh = NULL; ++ ++ if (meta_level >= 0) ++ ocfs2_inode_unlock(inode, meta_level); ++} ++ + static int ocfs2_prepare_inode_for_write(struct file *file, + loff_t pos, size_t count, int wait) + { + int ret = 0, meta_level = 0, overwrite_io = 0; ++ int write_sem = 0; + struct dentry *dentry = file->f_path.dentry; + struct inode *inode = d_inode(dentry); + struct buffer_head *di_bh = NULL; + loff_t end; ++ u32 cpos; ++ u32 clusters; + + /* + * We start with a read level meta lock and only jump to an ex + * if we need to make modifications here. + */ + for(;;) { +- if (wait) +- ret = ocfs2_inode_lock(inode, NULL, meta_level); +- else +- ret = ocfs2_try_inode_lock(inode, +- overwrite_io ? NULL : &di_bh, meta_level); ++ ret = ocfs2_inode_lock_for_extent_tree(inode, ++ &di_bh, ++ meta_level, ++ overwrite_io, ++ write_sem, ++ wait); + if (ret < 0) { +- meta_level = -1; + if (ret != -EAGAIN) + mlog_errno(ret); + goto out; +@@ -2151,15 +2187,8 @@ static int ocfs2_prepare_inode_for_write(struct file *file, + */ + if (!wait && !overwrite_io) { + overwrite_io = 1; +- if (!down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem)) { +- ret = -EAGAIN; +- goto out_unlock; +- } + + ret = ocfs2_overwrite_io(inode, di_bh, pos, count); +- brelse(di_bh); +- di_bh = NULL; +- up_read(&OCFS2_I(inode)->ip_alloc_sem); + if (ret < 0) { + if (ret != -EAGAIN) + mlog_errno(ret); +@@ -2178,7 +2207,10 @@ static int ocfs2_prepare_inode_for_write(struct file *file, + * set inode->i_size at the end of a write. */ + if (should_remove_suid(dentry)) { + if (meta_level == 0) { +- ocfs2_inode_unlock(inode, meta_level); ++ ocfs2_inode_unlock_for_extent_tree(inode, ++ &di_bh, ++ meta_level, ++ write_sem); + meta_level = 1; + continue; + } +@@ -2194,18 +2226,32 @@ static int ocfs2_prepare_inode_for_write(struct file *file, + + ret = ocfs2_check_range_for_refcount(inode, pos, count); + if (ret == 1) { +- ocfs2_inode_unlock(inode, meta_level); +- meta_level = -1; +- +- ret = ocfs2_prepare_inode_for_refcount(inode, +- file, +- pos, +- count, +- &meta_level); ++ ocfs2_inode_unlock_for_extent_tree(inode, ++ &di_bh, ++ meta_level, ++ write_sem); ++ ret = ocfs2_inode_lock_for_extent_tree(inode, ++ &di_bh, ++ meta_level, ++ overwrite_io, ++ 1, ++ wait); ++ write_sem = 1; ++ if (ret < 0) { ++ if (ret != -EAGAIN) ++ mlog_errno(ret); ++ goto out; ++ } ++ ++ cpos = pos >> OCFS2_SB(inode->i_sb)->s_clustersize_bits; ++ clusters = ++ ocfs2_clusters_for_bytes(inode->i_sb, pos + count) - cpos; ++ ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX); + } + + if (ret < 0) { +- mlog_errno(ret); ++ if (ret != -EAGAIN) ++ mlog_errno(ret); + goto out_unlock; + } + +@@ -2216,10 +2262,10 @@ out_unlock: + trace_ocfs2_prepare_inode_for_write(OCFS2_I(inode)->ip_blkno, + pos, count, wait); + +- brelse(di_bh); +- +- if (meta_level >= 0) +- ocfs2_inode_unlock(inode, meta_level); ++ ocfs2_inode_unlock_for_extent_tree(inode, ++ &di_bh, ++ meta_level, ++ write_sem); + + out: + return ret; +-- +2.20.1 + diff --git a/queue-5.3/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch b/queue-5.3/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch new file mode 100644 index 00000000000..c67697b0d9d --- /dev/null +++ b/queue-5.3/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch @@ -0,0 +1,55 @@ +From 2afc659388770b40213cfb7e5076454ad0d13bf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 10:09:54 -0500 +Subject: perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus + precise RIP validity + +From: Kim Phillips + +[ Upstream commit 317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ] + +The loop that reads all the IBS MSRs into *buf stopped one MSR short of +reading the IbsOpData register, which contains the RipInvalid status bit. + +Fix the offset_max assignment so the MSR gets read, so the RIP invalid +evaluation is based on what the IBS h/w output, instead of what was +left in memory. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample") +Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index 5b35b7ea5d728..98ba21a588a15 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -614,7 +614,7 @@ fail: + if (event->attr.sample_type & PERF_SAMPLE_RAW) + offset_max = perf_ibs->offset_max; + else if (check_rip) +- offset_max = 2; ++ offset_max = 3; + else + offset_max = 1; + do { +-- +2.20.1 + diff --git a/queue-5.3/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch b/queue-5.3/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch new file mode 100644 index 00000000000..d640b69f03d --- /dev/null +++ b/queue-5.3/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch @@ -0,0 +1,71 @@ +From dc37a379d94623486006cfba2f0f7d0eeb7beb41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 10:09:55 -0500 +Subject: perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family + (10h) + +From: Kim Phillips + +[ Upstream commit e431e79b60603079d269e0c2a5177943b95fa4b6 ] + +This saves us writing the IBS control MSR twice when disabling the +event. + +I searched revision guides for all families since 10h, and did not +find occurrence of erratum #420, nor anything remotely similar: +so we isolate the secondary MSR write to family 10h only. + +Also unconditionally update the count mask for IBS Op implementations +that have read & writeable current count (CurCnt) fields in addition +to the MaxCnt field. These bits were reserved on prior +implementations, and therefore shouldn't have negative impact. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420") +Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index 98ba21a588a15..26c36357c4c9c 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -377,7 +377,8 @@ static inline void perf_ibs_disable_event(struct perf_ibs *perf_ibs, + struct hw_perf_event *hwc, u64 config) + { + config &= ~perf_ibs->cnt_mask; +- wrmsrl(hwc->config_base, config); ++ if (boot_cpu_data.x86 == 0x10) ++ wrmsrl(hwc->config_base, config); + config &= ~perf_ibs->enable_mask; + wrmsrl(hwc->config_base, config); + } +@@ -553,7 +554,8 @@ static struct perf_ibs perf_ibs_op = { + }, + .msr = MSR_AMD64_IBSOPCTL, + .config_mask = IBS_OP_CONFIG_MASK, +- .cnt_mask = IBS_OP_MAX_CNT, ++ .cnt_mask = IBS_OP_MAX_CNT | IBS_OP_CUR_CNT | ++ IBS_OP_CUR_CNT_RAND, + .enable_mask = IBS_OP_ENABLE, + .valid_mask = IBS_OP_VAL, + .max_period = IBS_OP_MAX_CNT << 4, +-- +2.20.1 + diff --git a/queue-5.3/perf-x86-uncore-fix-event-group-support.patch b/queue-5.3/perf-x86-uncore-fix-event-group-support.patch new file mode 100644 index 00000000000..a4b905418ec --- /dev/null +++ b/queue-5.3/perf-x86-uncore-fix-event-group-support.patch @@ -0,0 +1,168 @@ +From e9a3aafb5d709b54413dba51278012442bc9ff56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 07:43:13 -0700 +Subject: perf/x86/uncore: Fix event group support + +From: Kan Liang + +[ Upstream commit 75be6f703a141b048590d659a3954c4fedd30bba ] + +The events in the same group don't start or stop simultaneously. +Here is the ftrace when enabling event group for uncore_iio_0: + + # perf stat -e "{uncore_iio_0/event=0x1/,uncore_iio_0/event=0xe/}" + + -0 [000] d.h. 8959.064832: read_msr: a41, value + b2b0b030 //Read counter reg of IIO unit0 counter0 + -0 [000] d.h. 8959.064835: write_msr: a48, value + 400001 //Write Ctrl reg of IIO unit0 counter0 to enable + counter0. <------ Although counter0 is enabled, Unit Ctrl is still + freezed. Nothing will count. We are still good here. + -0 [000] d.h. 8959.064836: read_msr: a40, value + 30100 //Read Unit Ctrl reg of IIO unit0 + -0 [000] d.h. 8959.064838: write_msr: a40, value + 30000 //Write Unit Ctrl reg of IIO unit0 to enable all + counters in the unit by clear Freeze bit <------Unit0 is un-freezed. + Counter0 has been enabled. Now it starts counting. But counter1 has not + been enabled yet. The issue starts here. + -0 [000] d.h. 8959.064846: read_msr: a42, value 0 + //Read counter reg of IIO unit0 counter1 + -0 [000] d.h. 8959.064847: write_msr: a49, value + 40000e //Write Ctrl reg of IIO unit0 counter1 to enable + counter1. <------ Now, counter1 just starts to count. Counter0 has + been running for a while. + +Current code un-freezes the Unit Ctrl right after the first counter is +enabled. The subsequent group events always loses some counter values. + +Implement pmu_enable and pmu_disable support for uncore, which can help +to batch hardware accesses. + +No one uses uncore_enable_box and uncore_disable_box. Remove them. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: linux-drivers-review@eclists.intel.com +Cc: linux-perf@eclists.intel.com +Fixes: 087bfbb03269 ("perf/x86: Add generic Intel uncore PMU support") +Link: https://lkml.kernel.org/r/1572014593-31591-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore.c | 44 +++++++++++++++++++++++++++++----- + arch/x86/events/intel/uncore.h | 12 ---------- + 2 files changed, 38 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c +index 3694a5d0703d9..f7b191d3c9b01 100644 +--- a/arch/x86/events/intel/uncore.c ++++ b/arch/x86/events/intel/uncore.c +@@ -502,10 +502,8 @@ void uncore_pmu_event_start(struct perf_event *event, int flags) + local64_set(&event->hw.prev_count, uncore_read_counter(box, event)); + uncore_enable_event(box, event); + +- if (box->n_active == 1) { +- uncore_enable_box(box); ++ if (box->n_active == 1) + uncore_pmu_start_hrtimer(box); +- } + } + + void uncore_pmu_event_stop(struct perf_event *event, int flags) +@@ -529,10 +527,8 @@ void uncore_pmu_event_stop(struct perf_event *event, int flags) + WARN_ON_ONCE(hwc->state & PERF_HES_STOPPED); + hwc->state |= PERF_HES_STOPPED; + +- if (box->n_active == 0) { +- uncore_disable_box(box); ++ if (box->n_active == 0) + uncore_pmu_cancel_hrtimer(box); +- } + } + + if ((flags & PERF_EF_UPDATE) && !(hwc->state & PERF_HES_UPTODATE)) { +@@ -778,6 +774,40 @@ static int uncore_pmu_event_init(struct perf_event *event) + return ret; + } + ++static void uncore_pmu_enable(struct pmu *pmu) ++{ ++ struct intel_uncore_pmu *uncore_pmu; ++ struct intel_uncore_box *box; ++ ++ uncore_pmu = container_of(pmu, struct intel_uncore_pmu, pmu); ++ if (!uncore_pmu) ++ return; ++ ++ box = uncore_pmu_to_box(uncore_pmu, smp_processor_id()); ++ if (!box) ++ return; ++ ++ if (uncore_pmu->type->ops->enable_box) ++ uncore_pmu->type->ops->enable_box(box); ++} ++ ++static void uncore_pmu_disable(struct pmu *pmu) ++{ ++ struct intel_uncore_pmu *uncore_pmu; ++ struct intel_uncore_box *box; ++ ++ uncore_pmu = container_of(pmu, struct intel_uncore_pmu, pmu); ++ if (!uncore_pmu) ++ return; ++ ++ box = uncore_pmu_to_box(uncore_pmu, smp_processor_id()); ++ if (!box) ++ return; ++ ++ if (uncore_pmu->type->ops->disable_box) ++ uncore_pmu->type->ops->disable_box(box); ++} ++ + static ssize_t uncore_get_attr_cpumask(struct device *dev, + struct device_attribute *attr, char *buf) + { +@@ -803,6 +833,8 @@ static int uncore_pmu_register(struct intel_uncore_pmu *pmu) + pmu->pmu = (struct pmu) { + .attr_groups = pmu->type->attr_groups, + .task_ctx_nr = perf_invalid_context, ++ .pmu_enable = uncore_pmu_enable, ++ .pmu_disable = uncore_pmu_disable, + .event_init = uncore_pmu_event_init, + .add = uncore_pmu_event_add, + .del = uncore_pmu_event_del, +diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h +index f36f7bebbc1bb..bbfdaa720b456 100644 +--- a/arch/x86/events/intel/uncore.h ++++ b/arch/x86/events/intel/uncore.h +@@ -441,18 +441,6 @@ static inline int uncore_freerunning_hw_config(struct intel_uncore_box *box, + return -EINVAL; + } + +-static inline void uncore_disable_box(struct intel_uncore_box *box) +-{ +- if (box->pmu->type->ops->disable_box) +- box->pmu->type->ops->disable_box(box); +-} +- +-static inline void uncore_enable_box(struct intel_uncore_box *box) +-{ +- if (box->pmu->type->ops->enable_box) +- box->pmu->type->ops->enable_box(box); +-} +- + static inline void uncore_disable_event(struct intel_uncore_box *box, + struct perf_event *event) + { +-- +2.20.1 + diff --git a/queue-5.3/pinctrl-cherryview-fix-irq_valid_mask-calculation.patch b/queue-5.3/pinctrl-cherryview-fix-irq_valid_mask-calculation.patch new file mode 100644 index 00000000000..909dac51e1e --- /dev/null +++ b/queue-5.3/pinctrl-cherryview-fix-irq_valid_mask-calculation.patch @@ -0,0 +1,57 @@ +From fd0fa1cad872db98379a35f03603df5b70581acb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 11:08:42 +0200 +Subject: pinctrl: cherryview: Fix irq_valid_mask calculation + +From: Hans de Goede + +[ Upstream commit 63bdef6cd6941917c823b9cc9aa0219d19fcb716 ] + +Commit 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux +GPIO translation") has made the cherryview gpio numbers sparse, to get +a 1:1 mapping between ACPI pin numbers and gpio numbers in Linux. + +This has greatly simplified things, but the code setting the +irq_valid_mask was not updated for this, so the valid mask is still in +the old "compressed" numbering with the gaps in the pin numbers skipped, +which is wrong as irq_valid_mask needs to be expressed in gpio numbers. + +This results in the following error on devices using pin 24 (0x0018) on +the north GPIO controller as an ACPI event source: + +[ 0.422452] cherryview-pinctrl INT33FF:01: Failed to translate GPIO to IRQ + +This has been reported (by email) to be happening on a Caterpillar CAT T20 +tablet and I've reproduced this myself on a Medion Akoya e2215t 2-in-1. + +This commit uses the pin number instead of the compressed index into +community->pins to clear the correct bits in irq_valid_mask for GPIOs +using GPEs for interrupts, fixing these errors and in case of the +Medion Akoya e2215t also fixing the LID switch not working. + +Cc: stable@vger.kernel.org +Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index bf049d1bbb87c..17a248b723b9b 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1584,7 +1584,7 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq) + intsel >>= CHV_PADCTRL0_INTSEL_SHIFT; + + if (need_valid_mask && intsel >= community->nirqs) +- clear_bit(i, chip->irq.valid_mask); ++ clear_bit(desc->number, chip->irq.valid_mask); + } + + /* +-- +2.20.1 + diff --git a/queue-5.3/powerpc-32s-fix-allow-prevent_user_access-when-cross.patch b/queue-5.3/powerpc-32s-fix-allow-prevent_user_access-when-cross.patch new file mode 100644 index 00000000000..f671afa10ef --- /dev/null +++ b/queue-5.3/powerpc-32s-fix-allow-prevent_user_access-when-cross.patch @@ -0,0 +1,38 @@ +From c6ea951097dd2d0310d095ee8d3f79d403c08cbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 16:51:28 +0000 +Subject: powerpc/32s: fix allow/prevent_user_access() when crossing segment + boundaries. + +From: Christophe Leroy + +[ Upstream commit d10f60ae27d26d811e2a1bb39ded47df96d7499f ] + +Make sure starting addr is aligned to segment boundary so that when +incrementing the segment, the starting address of the new segment is +below the end address. Otherwise the last segment might get missed. + +Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/067a1b09f15f421d40797c2d04c22d4049a1cee8.1571071875.git.christophe.leroy@c-s.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/32/kup.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h +index 677e9babef801..f9dc597b0b868 100644 +--- a/arch/powerpc/include/asm/book3s/32/kup.h ++++ b/arch/powerpc/include/asm/book3s/32/kup.h +@@ -91,6 +91,7 @@ + + static inline void kuap_update_sr(u32 sr, u32 addr, u32 end) + { ++ addr &= 0xf0000000; /* align addr to start of segment */ + barrier(); /* make sure thread.kuap is updated before playing with SRs */ + while (addr < end) { + mtsrin(sr, addr); +-- +2.20.1 + diff --git a/queue-5.3/rdma-hns-prevent-memory-leaks-of-eq-buf_list.patch b/queue-5.3/rdma-hns-prevent-memory-leaks-of-eq-buf_list.patch new file mode 100644 index 00000000000..5afe732bf57 --- /dev/null +++ b/queue-5.3/rdma-hns-prevent-memory-leaks-of-eq-buf_list.patch @@ -0,0 +1,42 @@ +From 6ef08d5d90c4fd879f9222d3211743b927e5c60f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 14:56:35 +0800 +Subject: RDMA/hns: Prevent memory leaks of eq->buf_list + +From: Lijun Ou + +[ Upstream commit b681a0529968d2261aa15d7a1e78801b2c06bb07 ] + +eq->buf_list->buf and eq->buf_list should also be freed when eqe_hop_num +is set to 0, or there will be memory leaks. + +Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08") +Link: https://lore.kernel.org/r/1572072995-11277-3-git-send-email-liweihang@hisilicon.com +Signed-off-by: Lijun Ou +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index b76e3beeafb8f..854898433916b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5268,9 +5268,9 @@ static void hns_roce_v2_free_eq(struct hns_roce_dev *hr_dev, + return; + } + +- if (eq->buf_list) +- dma_free_coherent(hr_dev->dev, buf_chk_sz, +- eq->buf_list->buf, eq->buf_list->map); ++ dma_free_coherent(hr_dev->dev, buf_chk_sz, eq->buf_list->buf, ++ eq->buf_list->map); ++ kfree(eq->buf_list); + } + + static void hns_roce_config_eqc(struct hns_roce_dev *hr_dev, +-- +2.20.1 + diff --git a/queue-5.3/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch b/queue-5.3/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch new file mode 100644 index 00000000000..b2758a72818 --- /dev/null +++ b/queue-5.3/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch @@ -0,0 +1,46 @@ +From 70df04303fc1852d9b287c5e2521ac8ef32f1a47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 18:04:40 +0530 +Subject: RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case + +From: Potnuri Bharat Teja + +[ Upstream commit d4934f45693651ea15357dd6c7c36be28b6da884 ] + +_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by +process_work(). fix double free by freeing the skb only in process_work(). + +Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers") +Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com +Signed-off-by: Dakshaja Uppalapati +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 9e8eca7b613c0..347dc242fb882 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -495,7 +495,6 @@ static int _put_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) + + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + release_ep_resources(ep); +- kfree_skb(skb); + return 0; + } + +@@ -506,7 +505,6 @@ static int _put_pass_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + c4iw_put_ep(&ep->parent_ep->com); + release_ep_resources(ep); +- kfree_skb(skb); + return 0; + } + +-- +2.20.1 + diff --git a/queue-5.3/rdma-mlx5-clear-old-rate-limit-when-closing-qp.patch b/queue-5.3/rdma-mlx5-clear-old-rate-limit-when-closing-qp.patch new file mode 100644 index 00000000000..2f11cd0a858 --- /dev/null +++ b/queue-5.3/rdma-mlx5-clear-old-rate-limit-when-closing-qp.patch @@ -0,0 +1,47 @@ +From 253437f84068bb3d366b56953dcbe42bb1ab96c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 15:02:43 +0300 +Subject: RDMA/mlx5: Clear old rate limit when closing QP + +From: Rafi Wiener + +[ Upstream commit c8973df2da677f375f8b12b6eefca2f44c8884d5 ] + +Before QP is closed it changes to ERROR state, when this happens +the QP was left with old rate limit that was already removed from +the table. + +Fixes: 7d29f349a4b9 ("IB/mlx5: Properly adjust rate limit on QP state transitions") +Signed-off-by: Rafi Wiener +Signed-off-by: Oleg Kuporosov +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191002120243.16971-1-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index 72869ff4a3342..3903141a387ed 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -3249,10 +3249,12 @@ static int modify_raw_packet_qp_sq( + } + + /* Only remove the old rate after new rate was set */ +- if ((old_rl.rate && +- !mlx5_rl_are_equal(&old_rl, &new_rl)) || +- (new_state != MLX5_SQC_STATE_RDY)) ++ if ((old_rl.rate && !mlx5_rl_are_equal(&old_rl, &new_rl)) || ++ (new_state != MLX5_SQC_STATE_RDY)) { + mlx5_rl_remove_rate(dev, &old_rl); ++ if (new_state != MLX5_SQC_STATE_RDY) ++ memset(&new_rl, 0, sizeof(new_rl)); ++ } + + ibqp->rl = new_rl; + sq->state = new_state; +-- +2.20.1 + diff --git a/queue-5.3/rdma-nldev-skip-counter-if-port-doesn-t-match.patch b/queue-5.3/rdma-nldev-skip-counter-if-port-doesn-t-match.patch new file mode 100644 index 00000000000..ad3e44138c6 --- /dev/null +++ b/queue-5.3/rdma-nldev-skip-counter-if-port-doesn-t-match.patch @@ -0,0 +1,42 @@ +From 8c4835b803660060057eba7f12c85c49a945986d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Oct 2019 09:28:00 +0300 +Subject: RDMA/nldev: Skip counter if port doesn't match + +From: Mark Zhang + +[ Upstream commit a15542bb72a48042f5df7475893d46f725f5f9fb ] + +The counter resource should return -EAGAIN if it was requested for a +different port, this is similar to how QP works if the users provides a +port filter. + +Otherwise port filtering in netlink will return broken counter nests. + +Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback") +Link: https://lore.kernel.org/r/20191020062800.8065-1-leon@kernel.org +Signed-off-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index f42e856f30729..4300e21865845 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -778,7 +778,7 @@ static int fill_res_counter_entry(struct sk_buff *msg, bool has_cap_net_admin, + container_of(res, struct rdma_counter, res); + + if (port && port != counter->port) +- return 0; ++ return -EAGAIN; + + /* Dump it even query failed */ + rdma_counter_query_stats(counter); +-- +2.20.1 + diff --git a/queue-5.3/rdma-qedr-fix-reported-firmware-version.patch b/queue-5.3/rdma-qedr-fix-reported-firmware-version.patch new file mode 100644 index 00000000000..4799914c838 --- /dev/null +++ b/queue-5.3/rdma-qedr-fix-reported-firmware-version.patch @@ -0,0 +1,47 @@ +From d26f9dde1a6030e7d11b59404187ee97a43d3b54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 00:07:30 +0300 +Subject: RDMA/qedr: Fix reported firmware version +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kamal Heib + +[ Upstream commit b806c94ee44e53233b8ce6c92d9078d9781786a5 ] + +Remove spaces from the reported firmware version string. +Actual value: +$ cat /sys/class/infiniband/qedr0/fw_ver +8. 37. 7. 0 + +Expected value: +$ cat /sys/class/infiniband/qedr0/fw_ver +8.37.7.0 + +Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") +Signed-off-by: Kamal Heib +Acked-by: Michal Kalderon  +Link: https://lore.kernel.org/r/20191007210730.7173-1-kamalheib1@gmail.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c +index f97b3d65b30cc..2fef7a48f77bf 100644 +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -76,7 +76,7 @@ static void qedr_get_dev_fw_str(struct ib_device *ibdev, char *str) + struct qedr_dev *qedr = get_qedr_dev(ibdev); + u32 fw_ver = (u32)qedr->attr.fw_ver; + +- snprintf(str, IB_FW_VERSION_NAME_MAX, "%d. %d. %d. %d", ++ snprintf(str, IB_FW_VERSION_NAME_MAX, "%d.%d.%d.%d", + (fw_ver >> 24) & 0xFF, (fw_ver >> 16) & 0xFF, + (fw_ver >> 8) & 0xFF, fw_ver & 0xFF); + } +-- +2.20.1 + diff --git a/queue-5.3/rdma-siw-free-siw_base_qp-in-kref-release-routine.patch b/queue-5.3/rdma-siw-free-siw_base_qp-in-kref-release-routine.patch new file mode 100644 index 00000000000..486214b87c3 --- /dev/null +++ b/queue-5.3/rdma-siw-free-siw_base_qp-in-kref-release-routine.patch @@ -0,0 +1,65 @@ +From 8521c90ee338230bc24ddd703d2a22d8e594de41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 16:12:29 +0530 +Subject: RDMA/siw: free siw_base_qp in kref release routine + +From: Krishnamraju Eraparaju + +[ Upstream commit e17fa5c95ef2434a08e0be217969d246d037f0c2 ] + +As siw_free_qp() is the last routine to access 'siw_base_qp' structure, +freeing this structure early in siw_destroy_qp() could cause +touch-after-free issue. +Hence, moved kfree(siw_base_qp) from siw_destroy_qp() to siw_free_qp(). + +Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") +Signed-off-by: Krishnamraju Eraparaju +Link: https://lore.kernel.org/r/20191007104229.29412-1-krishna2@chelsio.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp.c | 2 ++ + drivers/infiniband/sw/siw/siw_verbs.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c +index 52d402f39df93..b4317480cee74 100644 +--- a/drivers/infiniband/sw/siw/siw_qp.c ++++ b/drivers/infiniband/sw/siw/siw_qp.c +@@ -1312,6 +1312,7 @@ int siw_qp_add(struct siw_device *sdev, struct siw_qp *qp) + void siw_free_qp(struct kref *ref) + { + struct siw_qp *found, *qp = container_of(ref, struct siw_qp, ref); ++ struct siw_base_qp *siw_base_qp = to_siw_base_qp(qp->ib_qp); + struct siw_device *sdev = qp->sdev; + unsigned long flags; + +@@ -1334,4 +1335,5 @@ void siw_free_qp(struct kref *ref) + atomic_dec(&sdev->num_qp); + siw_dbg_qp(qp, "free QP\n"); + kfree_rcu(qp, rcu); ++ kfree(siw_base_qp); + } +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index da52c90e06d48..ac08d84d84cbf 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -603,7 +603,6 @@ out: + int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata) + { + struct siw_qp *qp = to_siw_qp(base_qp); +- struct siw_base_qp *siw_base_qp = to_siw_base_qp(base_qp); + struct siw_ucontext *uctx = + rdma_udata_to_drv_context(udata, struct siw_ucontext, + base_ucontext); +@@ -640,7 +639,6 @@ int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata) + qp->scq = qp->rcq = NULL; + + siw_qp_put(qp); +- kfree(siw_base_qp); + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.3/rdma-uverbs-prevent-potential-underflow.patch b/queue-5.3/rdma-uverbs-prevent-potential-underflow.patch new file mode 100644 index 00000000000..4f2596b7155 --- /dev/null +++ b/queue-5.3/rdma-uverbs-prevent-potential-underflow.patch @@ -0,0 +1,61 @@ +From 2c5edd2c3a4834ae09ff6cc07ef41f39d0e63d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 16:34:19 +0300 +Subject: RDMA/uverbs: Prevent potential underflow + +From: Dan Carpenter + +[ Upstream commit a9018adfde809d44e71189b984fa61cc89682b5e ] + +The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the +UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that: + + if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) { + +But we don't check if "attr.comp_vector" is negative. It could +potentially lead to an array underflow. My concern would be where +cq->vector is used in the create_cq() function from the cxgb4 driver. + +And really "attr.comp_vector" is appears as a u32 to user space so that's +the right type to use. + +Fixes: 9ee79fce3642 ("IB/core: Add completion queue (cq) object actions") +Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda +Signed-off-by: Dan Carpenter +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs.h | 2 +- + include/rdma/ib_verbs.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h +index 1e5aeb39f774d..63f7f7db59028 100644 +--- a/drivers/infiniband/core/uverbs.h ++++ b/drivers/infiniband/core/uverbs.h +@@ -98,7 +98,7 @@ ib_uverbs_init_udata_buf_or_null(struct ib_udata *udata, + + struct ib_uverbs_device { + atomic_t refcount; +- int num_comp_vectors; ++ u32 num_comp_vectors; + struct completion comp; + struct device dev; + /* First group for device attributes, NULL terminated array */ +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 4f225175cb91e..77d8df4518051 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -327,7 +327,7 @@ struct ib_tm_caps { + + struct ib_cq_init_attr { + unsigned int cqe; +- int comp_vector; ++ u32 comp_vector; + u32 flags; + }; + +-- +2.20.1 + diff --git a/queue-5.3/sched-topology-allow-sched_asym_cpucapacity-to-be-di.patch b/queue-5.3/sched-topology-allow-sched_asym_cpucapacity-to-be-di.patch new file mode 100644 index 00000000000..07b6c5853a0 --- /dev/null +++ b/queue-5.3/sched-topology-allow-sched_asym_cpucapacity-to-be-di.patch @@ -0,0 +1,117 @@ +From 1cadd05d258f3d0ca0cf333265a072349497b912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 16:37:45 +0100 +Subject: sched/topology: Allow sched_asym_cpucapacity to be disabled + +From: Valentin Schneider + +[ Upstream commit e284df705cf1eeedb5ec3a66ed82d17a64659150 ] + +While the static key is correctly initialized as being disabled, it will +remain forever enabled once turned on. This means that if we start with an +asymmetric system and hotplug out enough CPUs to end up with an SMP system, +the static key will remain set - which is obviously wrong. We should detect +this and turn off things like misfit migration and capacity aware wakeups. + +As Quentin pointed out, having separate root domains makes this slightly +trickier. We could have exclusive cpusets that create an SMP island - IOW, +the domains within this root domain will not see any asymmetry. This means +we can't just disable the key on domain destruction, we need to count how +many asymmetric root domains we have. + +Consider the following example using Juno r0 which is 2+4 big.LITTLE, where +two identical cpusets are created: they both span both big and LITTLE CPUs: + + asym0 asym1 + [ ][ ] + L L B L L B + + $ cgcreate -g cpuset:asym0 + $ cgset -r cpuset.cpus=0,1,3 asym0 + $ cgset -r cpuset.mems=0 asym0 + $ cgset -r cpuset.cpu_exclusive=1 asym0 + + $ cgcreate -g cpuset:asym1 + $ cgset -r cpuset.cpus=2,4,5 asym1 + $ cgset -r cpuset.mems=0 asym1 + $ cgset -r cpuset.cpu_exclusive=1 asym1 + + $ cgset -r cpuset.sched_load_balance=0 . + +(the CPU numbering may look odd because on the Juno LITTLEs are CPUs 0,3-5 +and bigs are CPUs 1-2) + +If we make one of those SMP (IOW remove asymmetry) by e.g. hotplugging its +big core, we would end up with an SMP cpuset and an asymmetric cpuset - the +static key must remain set, because we still have one asymmetric root domain. + +With the above example, this could be done with: + + $ echo 0 > /sys/devices/system/cpu/cpu2/online + +Which would result in: + + asym0 asym1 + [ ][ ] + L L B L L + +When both SMP and asymmetric cpusets are present, all CPUs will observe +sched_asym_cpucapacity being set (it is system-wide), but not all CPUs +observe asymmetry in their sched domain hierarchy: + + per_cpu(sd_asym_cpucapacity, ) == + per_cpu(sd_asym_cpucapacity, ) == NULL + +Change the simple key enablement to an increment, and decrement the key +counter when destroying domains that cover asymmetric CPUs. + +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dietmar Eggemann +Cc: Dietmar.Eggemann@arm.com +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: hannes@cmpxchg.org +Cc: lizefan@huawei.com +Cc: morten.rasmussen@arm.com +Cc: qperret@google.com +Cc: tj@kernel.org +Cc: vincent.guittot@linaro.org +Fixes: df054e8445a4 ("sched/topology: Add static_key for asymmetric CPU capacity optimizations") +Link: https://lkml.kernel.org/r/20191023153745.19515-3-valentin.schneider@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/topology.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 1906edb44d63c..93a8749763ea0 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -2008,7 +2008,7 @@ build_sched_domains(const struct cpumask *cpu_map, struct sched_domain_attr *att + rcu_read_unlock(); + + if (has_asym) +- static_branch_enable_cpuslocked(&sched_asym_cpucapacity); ++ static_branch_inc_cpuslocked(&sched_asym_cpucapacity); + + if (rq && sched_debug_enabled) { + pr_info("root domain span: %*pbl (max cpu_capacity = %lu)\n", +@@ -2103,8 +2103,12 @@ int sched_init_domains(const struct cpumask *cpu_map) + */ + static void detach_destroy_domains(const struct cpumask *cpu_map) + { ++ unsigned int cpu = cpumask_any(cpu_map); + int i; + ++ if (rcu_access_pointer(per_cpu(sd_asym_cpucapacity, cpu))) ++ static_branch_dec_cpuslocked(&sched_asym_cpucapacity); ++ + rcu_read_lock(); + for_each_cpu(i, cpu_map) + cpu_attach_domain(NULL, &def_root_domain, i); +-- +2.20.1 + diff --git a/queue-5.3/sched-topology-don-t-try-to-build-empty-sched-domain.patch b/queue-5.3/sched-topology-don-t-try-to-build-empty-sched-domain.patch new file mode 100644 index 00000000000..17b2fef6815 --- /dev/null +++ b/queue-5.3/sched-topology-don-t-try-to-build-empty-sched-domain.patch @@ -0,0 +1,123 @@ +From 3878f29a0cb8b5e1978fe2ca23afdfd08868b242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 16:37:44 +0100 +Subject: sched/topology: Don't try to build empty sched domains + +From: Valentin Schneider + +[ Upstream commit cd1cb3350561d2bf544ddfef76fbf0b1c9c7178f ] + +Turns out hotplugging CPUs that are in exclusive cpusets can lead to the +cpuset code feeding empty cpumasks to the sched domain rebuild machinery. + +This leads to the following splat: + + Internal error: Oops: 96000004 [#1] PREEMPT SMP + Modules linked in: + CPU: 0 PID: 235 Comm: kworker/5:2 Not tainted 5.4.0-rc1-00005-g8d495477d62e #23 + Hardware name: ARM Juno development board (r0) (DT) + Workqueue: events cpuset_hotplug_workfn + pstate: 60000005 (nZCv daif -PAN -UAO) + pc : build_sched_domains (./include/linux/arch_topology.h:23 kernel/sched/topology.c:1898 kernel/sched/topology.c:1969) + lr : build_sched_domains (kernel/sched/topology.c:1966) + Call trace: + build_sched_domains (./include/linux/arch_topology.h:23 kernel/sched/topology.c:1898 kernel/sched/topology.c:1969) + partition_sched_domains_locked (kernel/sched/topology.c:2250) + rebuild_sched_domains_locked (./include/linux/bitmap.h:370 ./include/linux/cpumask.h:538 kernel/cgroup/cpuset.c:955 kernel/cgroup/cpuset.c:978 kernel/cgroup/cpuset.c:1019) + rebuild_sched_domains (kernel/cgroup/cpuset.c:1032) + cpuset_hotplug_workfn (kernel/cgroup/cpuset.c:3205 (discriminator 2)) + process_one_work (./arch/arm64/include/asm/jump_label.h:21 ./include/linux/jump_label.h:200 ./include/trace/events/workqueue.h:114 kernel/workqueue.c:2274) + worker_thread (./include/linux/compiler.h:199 ./include/linux/list.h:268 kernel/workqueue.c:2416) + kthread (kernel/kthread.c:255) + ret_from_fork (arch/arm64/kernel/entry.S:1167) + Code: f860dae2 912802d6 aa1603e1 12800000 (f8616853) + +The faulty line in question is: + + cap = arch_scale_cpu_capacity(cpumask_first(cpu_map)); + +and we're not checking the return value against nr_cpu_ids (we shouldn't +have to!), which leads to the above. + +Prevent generate_sched_domains() from returning empty cpumasks, and add +some assertion in build_sched_domains() to scream bloody murder if it +happens again. + +The above splat was obtained on my Juno r0 with the following reproducer: + + $ cgcreate -g cpuset:asym + $ cgset -r cpuset.cpus=0-3 asym + $ cgset -r cpuset.mems=0 asym + $ cgset -r cpuset.cpu_exclusive=1 asym + + $ cgcreate -g cpuset:smp + $ cgset -r cpuset.cpus=4-5 smp + $ cgset -r cpuset.mems=0 smp + $ cgset -r cpuset.cpu_exclusive=1 smp + + $ cgset -r cpuset.sched_load_balance=0 . + + $ echo 0 > /sys/devices/system/cpu/cpu4/online + $ echo 0 > /sys/devices/system/cpu/cpu5/online + +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Cc: Dietmar.Eggemann@arm.com +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: hannes@cmpxchg.org +Cc: lizefan@huawei.com +Cc: morten.rasmussen@arm.com +Cc: qperret@google.com +Cc: tj@kernel.org +Cc: vincent.guittot@linaro.org +Fixes: 05484e098448 ("sched/topology: Add SD_ASYM_CPUCAPACITY flag detection") +Link: https://lkml.kernel.org/r/20191023153745.19515-2-valentin.schneider@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 3 ++- + kernel/sched/topology.c | 5 ++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 5aa37531ce76f..a8122c405603b 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -786,7 +786,8 @@ static int generate_sched_domains(cpumask_var_t **domains, + cpumask_subset(cp->cpus_allowed, top_cpuset.effective_cpus)) + continue; + +- if (is_sched_load_balance(cp)) ++ if (is_sched_load_balance(cp) && ++ !cpumask_empty(cp->effective_cpus)) + csa[csn++] = cp; + + /* skip @cp's subtree if not a partition root */ +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index f751ce0b783e5..1906edb44d63c 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1927,7 +1927,7 @@ next_level: + static int + build_sched_domains(const struct cpumask *cpu_map, struct sched_domain_attr *attr) + { +- enum s_alloc alloc_state; ++ enum s_alloc alloc_state = sa_none; + struct sched_domain *sd; + struct s_data d; + struct rq *rq = NULL; +@@ -1935,6 +1935,9 @@ build_sched_domains(const struct cpumask *cpu_map, struct sched_domain_attr *att + struct sched_domain_topology_level *tl_asym; + bool has_asym = false; + ++ if (WARN_ON(cpumask_empty(cpu_map))) ++ goto error; ++ + alloc_state = __visit_domain_allocation_hell(&d, cpu_map); + if (alloc_state != sa_rootdomain) + goto error; +-- +2.20.1 + diff --git a/queue-5.3/scsi-lpfc-check-queue-pointer-before-use.patch b/queue-5.3/scsi-lpfc-check-queue-pointer-before-use.patch new file mode 100644 index 00000000000..4926bc262c0 --- /dev/null +++ b/queue-5.3/scsi-lpfc-check-queue-pointer-before-use.patch @@ -0,0 +1,40 @@ +From 21e738375011c37a1c74ce886d08037077302aef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 18:21:11 +0200 +Subject: scsi: lpfc: Check queue pointer before use + +From: Daniel Wagner + +[ Upstream commit 535fb49e730a6fe1e9f11af4ae67ef4228ff4287 ] + +The queue pointer might not be valid. The rest of the code checks the +pointer before accessing it. lpfc_sli4_process_missed_mbox_completions is +the only place where the check is missing. + +Fixes: 657add4e5e15 ("scsi: lpfc: Fix poor use of hardware queues if fewer irq vectors") +Cc: James Smart +Link: https://lore.kernel.org/r/20191018162111.8798-1-dwagner@suse.de +Signed-off-by: Daniel Wagner +Reviewed-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index f9e6a135d6565..c7027ecd4d19e 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -7898,7 +7898,7 @@ lpfc_sli4_process_missed_mbox_completions(struct lpfc_hba *phba) + if (sli4_hba->hdwq) { + for (eqidx = 0; eqidx < phba->cfg_irq_chann; eqidx++) { + eq = phba->sli4_hba.hba_eq_hdl[eqidx].eq; +- if (eq->queue_id == sli4_hba->mbx_cq->assoc_qid) { ++ if (eq && eq->queue_id == sli4_hba->mbx_cq->assoc_qid) { + fpeq = eq; + break; + } +-- +2.20.1 + diff --git a/queue-5.3/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch b/queue-5.3/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch new file mode 100644 index 00000000000..78f15be72cc --- /dev/null +++ b/queue-5.3/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch @@ -0,0 +1,65 @@ +From 92be27cd0ff1b1924cd986a9cdd9232118a2acbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 09:21:12 +0200 +Subject: scsi: lpfc: Honor module parameter lpfc_use_adisc + +From: Daniel Wagner + +[ Upstream commit 0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ] + +The initial lpfc_desc_set_adisc implementation in commit +dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if + + cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE + +In commit 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of +SLI-3") this changed to + + (cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE + +and later in commit ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes +and enhancements.") to + + (cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET) + +A customer reports that after a devloss, an ADISC failure is logged. It +turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc += 0. + +[Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa +[Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000 + +[mkp: fixed Hannes' email] + +Fixes: 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3") +Cc: Dick Kennedy +Cc: James Smart +Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de +Reviewed-by: Hannes Reinecke +Reviewed-by: James Smart +Signed-off-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 59252bfca14e2..41309ac656934 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -845,9 +845,9 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + + if (!(vport->fc_flag & FC_PT2PT)) { + /* Check config parameter use-adisc or FCP-2 */ +- if ((vport->cfg_use_adisc && (vport->fc_flag & FC_RSCN_MODE)) || ++ if (vport->cfg_use_adisc && ((vport->fc_flag & FC_RSCN_MODE) || + ((ndlp->nlp_fcp_info & NLP_FCP_2_DEVICE) && +- (ndlp->nlp_type & NLP_FCP_TARGET))) { ++ (ndlp->nlp_type & NLP_FCP_TARGET)))) { + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag |= NLP_NPR_ADISC; + spin_unlock_irq(shost->host_lock); +-- +2.20.1 + diff --git a/queue-5.3/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch b/queue-5.3/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch new file mode 100644 index 00000000000..d23d471fd10 --- /dev/null +++ b/queue-5.3/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch @@ -0,0 +1,56 @@ +From 5cdd7ba60b7278bac2feda9b71337c03b75f7440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 16:04:58 +0200 +Subject: scsi: qla2xxx: fixup incorrect usage of host_byte + +From: Hannes Reinecke + +[ Upstream commit 66cf50e65b183c863825f5c28a818e3f47a72e40 ] + +DRIVER_ERROR is a a driver byte setting, not a host byte. The qla2xxx +driver should rather return DID_ERROR here to be in line with the other +drivers. + +Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de +Signed-off-by: Hannes Reinecke +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_bsg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index 5441557b424b3..3084c2cff7bd5 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -257,7 +257,7 @@ qla2x00_process_els(struct bsg_job *bsg_job) + srb_t *sp; + const char *type; + int req_sg_cnt, rsp_sg_cnt; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + uint16_t nextlid = 0; + + if (bsg_request->msgcode == FC_BSG_RPT_ELS) { +@@ -432,7 +432,7 @@ qla2x00_process_ct(struct bsg_job *bsg_job) + struct Scsi_Host *host = fc_bsg_to_shost(bsg_job); + scsi_qla_host_t *vha = shost_priv(host); + struct qla_hw_data *ha = vha->hw; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + int req_sg_cnt, rsp_sg_cnt; + uint16_t loop_id; + struct fc_port *fcport; +@@ -1951,7 +1951,7 @@ qlafx00_mgmt_cmd(struct bsg_job *bsg_job) + struct Scsi_Host *host = fc_bsg_to_shost(bsg_job); + scsi_qla_host_t *vha = shost_priv(host); + struct qla_hw_data *ha = vha->hw; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + struct qla_mt_iocb_rqst_fx00 *piocb_rqst; + srb_t *sp; + int req_sg_cnt = 0, rsp_sg_cnt = 0; +-- +2.20.1 + diff --git a/queue-5.3/scsi-qla2xxx-initialized-mailbox-to-prevent-driver-l.patch b/queue-5.3/scsi-qla2xxx-initialized-mailbox-to-prevent-driver-l.patch new file mode 100644 index 00000000000..6cd87e4ccd3 --- /dev/null +++ b/queue-5.3/scsi-qla2xxx-initialized-mailbox-to-prevent-driver-l.patch @@ -0,0 +1,52 @@ +From 0e8363b5ac08d7a7e59a9b80e28533745db7b4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 12:36:42 -0700 +Subject: scsi: qla2xxx: Initialized mailbox to prevent driver load failure + +From: Himanshu Madhani + +[ Upstream commit c2ff2a36eff60efb5e123c940115216d6bf65684 ] + +This patch fixes issue with Gen7 adapter in a blade environment where one +of the ports will not be detected by driver. Firmware expects mailbox 11 to +be set or cleared by driver for newer ISP. + +Following message is seen in the log file: + +[ 18.810892] qla2xxx [0000:d8:00.0]-1820:1: **** Failed=102 mb[0]=4005 mb[1]=37 mb[2]=20 mb[3]=8 +[ 18.819596] cmd=2 **** + +[mkp: typos] + +Link: https://lore.kernel.org/r/20191022193643.7076-2-hmadhani@marvell.com +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_mbx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index abfb9c800ce28..ac4640f456786 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -710,6 +710,7 @@ qla2x00_execute_fw(scsi_qla_host_t *vha, uint32_t risc_addr) + mcp->mb[2] = LSW(risc_addr); + mcp->mb[3] = 0; + mcp->mb[4] = 0; ++ mcp->mb[11] = 0; + ha->flags.using_lr_setting = 0; + if (IS_QLA25XX(ha) || IS_QLA81XX(ha) || IS_QLA83XX(ha) || + IS_QLA27XX(ha) || IS_QLA28XX(ha)) { +@@ -754,7 +755,7 @@ qla2x00_execute_fw(scsi_qla_host_t *vha, uint32_t risc_addr) + if (ha->flags.exchoffld_enabled) + mcp->mb[4] |= ENABLE_EXCHANGE_OFFLD; + +- mcp->out_mb |= MBX_4|MBX_3|MBX_2|MBX_1; ++ mcp->out_mb |= MBX_4 | MBX_3 | MBX_2 | MBX_1 | MBX_11; + mcp->in_mb |= MBX_3 | MBX_2 | MBX_1; + } else { + mcp->mb[1] = LSW(risc_addr); +-- +2.20.1 + diff --git a/queue-5.3/scsi-qla2xxx-stop-timer-in-shutdown-path.patch b/queue-5.3/scsi-qla2xxx-stop-timer-in-shutdown-path.patch new file mode 100644 index 00000000000..3a50e526218 --- /dev/null +++ b/queue-5.3/scsi-qla2xxx-stop-timer-in-shutdown-path.patch @@ -0,0 +1,49 @@ +From a71ef67b030a946798071760e45d574c51d12193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 16:38:04 +1000 +Subject: scsi: qla2xxx: stop timer in shutdown path + +From: Nicholas Piggin + +[ Upstream commit d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ] + +In shutdown/reboot paths, the timer is not stopped: + + qla2x00_shutdown + pci_device_shutdown + device_shutdown + kernel_restart_prepare + kernel_restart + sys_reboot + +This causes lockups (on powerpc) when firmware config space access calls +are interrupted by smp_send_stop later in reboot. + +Fixes: e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.") +Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com +Signed-off-by: Nicholas Piggin +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 04cf6986eb8e6..ac96771bb06df 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3543,6 +3543,10 @@ qla2x00_shutdown(struct pci_dev *pdev) + qla2x00_try_to_stop_firmware(vha); + } + ++ /* Disable timer */ ++ if (vha->timer_active) ++ qla2x00_stop_timer(vha); ++ + /* Turn adapter off line */ + vha->flags.online = 0; + +-- +2.20.1 + diff --git a/queue-5.3/scsi-sd-define-variable-dif-as-unsigned-int-instead-.patch b/queue-5.3/scsi-sd-define-variable-dif-as-unsigned-int-instead-.patch new file mode 100644 index 00000000000..f8509687316 --- /dev/null +++ b/queue-5.3/scsi-sd-define-variable-dif-as-unsigned-int-instead-.patch @@ -0,0 +1,46 @@ +From b698c28f6710663e851f7e7cc036afc545349fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 14:27:08 +0800 +Subject: scsi: sd: define variable dif as unsigned int instead of bool + +From: Xiang Chen + +[ Upstream commit 0cf9f4e547cebb5f5d2d046437c71ddcc8ea4a39 ] + +Variable dif in function sd_setup_read_write_cmnd() is the return value of +function scsi_host_dif_capable() which returns dif capability of disks. If +define it as bool, even for the disks which support DIF3, the function +still return dif=1, which causes IO error. So define variable dif as +unsigned int instead of bool. + +Fixes: e249e42d277e ("scsi: sd: Clean up sd_setup_read_write_cmnd()") +Link: https://lore.kernel.org/r/1571725628-132736-1-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Xiang Chen +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 2d77f32e13d5e..9dc367e2e742d 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1166,11 +1166,12 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd) + sector_t lba = sectors_to_logical(sdp, blk_rq_pos(rq)); + sector_t threshold; + unsigned int nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); +- bool dif, dix; + unsigned int mask = logical_to_sectors(sdp, 1) - 1; + bool write = rq_data_dir(rq) == WRITE; + unsigned char protect, fua; + blk_status_t ret; ++ unsigned int dif; ++ bool dix; + + ret = scsi_init_io(cmd); + if (ret != BLK_STS_OK) +-- +2.20.1 + diff --git a/queue-5.3/scsi-ufs-bsg-wake-the-device-before-sending-raw-upiu.patch b/queue-5.3/scsi-ufs-bsg-wake-the-device-before-sending-raw-upiu.patch new file mode 100644 index 00000000000..c09ed7e7822 --- /dev/null +++ b/queue-5.3/scsi-ufs-bsg-wake-the-device-before-sending-raw-upiu.patch @@ -0,0 +1,53 @@ +From f28a55ee9e52a1397aa68aa6fda87a34cfb38b4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2019 11:31:07 +0300 +Subject: scsi: ufs-bsg: Wake the device before sending raw upiu commands + +From: Avri Altman + +[ Upstream commit 74e5e468b664d3739b2872d54764af97ac38e795 ] + +The scsi async probe process is calling blk_pm_runtime_init for each lun, +and then those request queues are monitored by the block layer pm +engine (blk-pm.c). This is however, not the case for scsi-passthrough +queues, created by bsg_setup_queue(). + +So the ufs-bsg driver might send various commands, disregarding the pm +status of the device. This is wrong, regardless if its request queue is +pm-aware or not. + +Fixes: df032bf27a41 (scsi: ufs: Add a bsg endpoint that supports UPIUs) +Link: https://lore.kernel.org/r/1570696267-8487-1-git-send-email-avri.altman@wdc.com +Reported-by: Yuliy Izrailov +Signed-off-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs_bsg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/ufs/ufs_bsg.c b/drivers/scsi/ufs/ufs_bsg.c +index a9344eb4e047f..dc2f6d2b46edc 100644 +--- a/drivers/scsi/ufs/ufs_bsg.c ++++ b/drivers/scsi/ufs/ufs_bsg.c +@@ -98,6 +98,8 @@ static int ufs_bsg_request(struct bsg_job *job) + + bsg_reply->reply_payload_rcv_len = 0; + ++ pm_runtime_get_sync(hba->dev); ++ + msgcode = bsg_request->msgcode; + switch (msgcode) { + case UPIU_TRANSACTION_QUERY_REQ: +@@ -135,6 +137,8 @@ static int ufs_bsg_request(struct bsg_job *job) + break; + } + ++ pm_runtime_put_sync(hba->dev); ++ + if (!desc_buff) + goto out; + +-- +2.20.1 + diff --git a/queue-5.3/selftests-bpf-more-compatible-nc-options-in-test_tc_.patch b/queue-5.3/selftests-bpf-more-compatible-nc-options-in-test_tc_.patch new file mode 100644 index 00000000000..305ae6e3256 --- /dev/null +++ b/queue-5.3/selftests-bpf-more-compatible-nc-options-in-test_tc_.patch @@ -0,0 +1,39 @@ +From 430d6d356b96aa4a40621f06238c4618426180dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 14:00:42 +0200 +Subject: selftests/bpf: More compatible nc options in test_tc_edt + +From: Jiri Benc + +[ Upstream commit 11875ba7f251c52effb2b924e04c2ddefa9856ef ] + +Out of the three nc implementations widely in use, at least two (BSD netcat +and nmap-ncat) do not support -l combined with -s. Modify the nc invocation +to be accepted by all of them. + +Fixes: 7df5e3db8f63 ("selftests: bpf: tc-bpf flow shaping with EDT") +Signed-off-by: Jiri Benc +Signed-off-by: Daniel Borkmann +Acked-by: Peter Oskolkov +Link: https://lore.kernel.org/bpf/f5bf07dccd8b552a76c84d49e80b86c5aa071122.1571400024.git.jbenc@redhat.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_tc_edt.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_tc_edt.sh b/tools/testing/selftests/bpf/test_tc_edt.sh +index f38567ef694b6..daa7d1b8d3092 100755 +--- a/tools/testing/selftests/bpf/test_tc_edt.sh ++++ b/tools/testing/selftests/bpf/test_tc_edt.sh +@@ -59,7 +59,7 @@ ip netns exec ${NS_SRC} tc filter add dev veth_src egress \ + + # start the listener + ip netns exec ${NS_DST} bash -c \ +- "nc -4 -l -s ${IP_DST} -p 9000 >/dev/null &" ++ "nc -4 -l -p 9000 >/dev/null &" + declare -i NC_PID=$! + sleep 1 + +-- +2.20.1 + diff --git a/queue-5.3/series b/queue-5.3/series index 9cf6cf37d66..3b96a12ca50 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -88,3 +88,104 @@ alsa-usb-audio-fix-possible-null-dereference-at-create_yamaha_midi_quirk.patch alsa-usb-audio-remove-some-dead-code.patch alsa-usb-audio-fix-copy-paste-error-in-the-validator.patch usbip-implement-sg-support-to-vhci-hcd-and-stub-driver.patch +hid-google-add-magnemite-masterball-usb-ids.patch +dmaengine-sprd-fix-the-link-list-pointer-register-co.patch +bpf-lwtunnel-fix-reroute-supplying-invalid-dst.patch +dmaengine-xilinx_dma-fix-64-bit-simple-axidma-transf.patch +dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch +dmaengine-sprd-fix-the-possible-memory-leak-issue.patch +hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch +powerpc-32s-fix-allow-prevent_user_access-when-cross.patch +rdma-mlx5-clear-old-rate-limit-when-closing-qp.patch +iw_cxgb4-fix-ecn-check-on-the-passive-accept.patch +rdma-siw-free-siw_base_qp-in-kref-release-routine.patch +rdma-qedr-fix-reported-firmware-version.patch +ib-core-use-rdma_read_gid_l2_fields-to-compare-gid-l.patch +net-mlx5e-tx-fix-assumption-of-single-wqebb-of-nop-i.patch +net-mlx5e-ktls-release-reference-on-dumped-fragments.patch +net-mlx5e-tx-fix-consumer-index-of-error-cqe-dump.patch +net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch +net-mlx5-fix-memory-leak-in-mlx5_fw_fatal_reporter_d.patch +selftests-bpf-more-compatible-nc-options-in-test_tc_.patch +scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch +scsi-lpfc-check-queue-pointer-before-use.patch +scsi-ufs-bsg-wake-the-device-before-sending-raw-upiu.patch +arc-plat-hsdk-enable-on-board-spi-nor-flash-ic.patch +rdma-uverbs-prevent-potential-underflow.patch +bpf-fix-use-after-free-in-subprog-s-jited-symbol-rem.patch +net-stmmac-fix-the-problem-of-tso_xmit.patch +net-openvswitch-free-vport-unless-register_netdevice.patch +scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch +scsi-qla2xxx-initialized-mailbox-to-prevent-driver-l.patch +bpf-fix-use-after-free-in-bpf_get_prog_name.patch +iwlwifi-pcie-fix-pci-id-0x2720-configs-that-should-b.patch +iwlwifi-pcie-fix-all-9460-entries-for-qnj.patch +iwlwifi-pcie-0x2720-is-qu-and-0x30dc-is-not.patch +netfilter-nf_flow_table-set-timeout-before-insertion.patch +drm-v3d-fix-memory-leak-in-v3d_submit_cl_ioctl.patch +xsk-fix-registration-of-rx-only-sockets.patch +net-phy-smsc-lan8740-add-phy_rst_after_clk_en-flag.patch +ipvs-don-t-ignore-errors-in-case-refcounting-ip_vs-m.patch +ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch +netfilter-nft_payload-fix-missing-check-for-matching.patch +rdma-nldev-skip-counter-if-port-doesn-t-match.patch +bonding-fix-unexpected-iff_bonding-bit-unset.patch +bonding-use-dynamic-lockdep-key-instead-of-subclass.patch +macsec-fix-refcnt-leak-in-module-exit-routine.patch +virt_wifi-fix-refcnt-leak-in-module-exit-routine.patch +scsi-sd-define-variable-dif-as-unsigned-int-instead-.patch +usb-dwc3-select-config_regmap_mmio.patch +usb-fsl-check-memory-resource-before-releasing-it.patch +usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch +usb-gadget-composite-fix-possible-double-free-memory.patch +usb-dwc3-pci-prevent-memory-leak-in-dwc3_pci_probe.patch +usb-gadget-configfs-fix-concurrent-issue-between-com.patch +usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch +perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch +perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch +perf-x86-uncore-fix-event-group-support.patch +usb-skip-endpoints-with-0-maxpacket-length.patch +usb-ldusb-use-unsigned-size-format-specifiers.patch +usbip-tools-fix-read_usb_vudc_device-error-path-hand.patch +rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch +rdma-hns-prevent-memory-leaks-of-eq-buf_list.patch +hwmon-ina3221-fix-read-timeout-issue.patch +scsi-qla2xxx-stop-timer-in-shutdown-path.patch +sched-topology-don-t-try-to-build-empty-sched-domain.patch +sched-topology-allow-sched_asym_cpucapacity-to-be-di.patch +nvme-multipath-fix-possible-io-hang-after-ctrl-recon.patch +fjes-handle-workqueue-allocation-failure.patch +net-hisilicon-fix-trying-to-free-already-free-irq.patch +wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_t.patch +net-mscc-ocelot-fix-vlan_filtering-when-enslaving-to.patch +net-mscc-ocelot-refuse-to-overwrite-the-port-s-nativ.patch +iommu-amd-apply-the-same-ivrs-ioapic-workaround-to-a.patch +mt76-dma-fix-buffer-unmap-with-non-linear-skbs.patch +drm-amdgpu-sdma5-do-not-execute-0-sized-ibs-v2.patch +drm-sched-set-error-to-s_fence-if-hw-job-submission-.patch +drm-amdgpu-if-amdgpu_ib_schedule-fails-return-back-t.patch +drm-amd-display-do-not-synchronize-drr-displays.patch +drm-amd-display-add-50us-buffer-as-wa-for-pstate-swi.patch +drm-amd-display-passive-dp-hdmi-dongle-detection-fix.patch +dc.c-use-kzalloc-without-test.patch +sunrpc-the-tcp-back-channel-mustn-t-disappear-while-.patch +sunrpc-the-rdma-back-channel-mustn-t-disappear-while.patch +sunrpc-destroy-the-back-channel-when-we-destroy-the-.patch +hv_netvsc-fix-error-handling-in-netvsc_attach.patch +efi-tpm-return-einval-when-determining-tpm-final-eve.patch +efi-libstub-arm-account-for-firmware-reserved-memory.patch +x86-efi-never-relocate-kernel-below-lowest-acceptabl.patch +arm64-cpufeature-enable-qualcomm-falkor-errata-1009-.patch +usb-dwc3-gadget-fix-race-when-disabling-ep-with-canc.patch +arm64-apply-arm64_erratum_845719-workaround-for-brah.patch +arm64-brahma-b53-is-ssb-and-spectre-v2-safe.patch +arm64-apply-arm64_erratum_843419-workaround-for-brah.patch +nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch +net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch +igb-fix-constant-media-auto-sense-switching-when-no-.patch +e1000-fix-memory-leaks.patch +gve-fixes-dma-synchronization.patch +ocfs2-protect-extent-tree-in-ocfs2_prepare_inode_for.patch +pinctrl-cherryview-fix-irq_valid_mask-calculation.patch +clk-imx8m-use-sys_pll1_800m-as-intermediate-parent-o.patch +timekeeping-vsyscall-update-vdso-data-unconditionall.patch diff --git a/queue-5.3/sunrpc-destroy-the-back-channel-when-we-destroy-the-.patch b/queue-5.3/sunrpc-destroy-the-back-channel-when-we-destroy-the-.patch new file mode 100644 index 00000000000..5aba6182d96 --- /dev/null +++ b/queue-5.3/sunrpc-destroy-the-back-channel-when-we-destroy-the-.patch @@ -0,0 +1,72 @@ +From 4830c0d911b35c2966dac309cab218e02708b7b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 09:02:21 -0400 +Subject: SUNRPC: Destroy the back channel when we destroy the host transport + +From: Trond Myklebust + +[ Upstream commit 669996add4c92476e0f8d6b4cd2bb308d1939fd7 ] + +When we're destroying the host transport mechanism, we should ensure +that we do not leak memory by failing to release any back channel +slots that might still exist. + +Reported-by: Neil Brown +Reported-by: kbuild test robot +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/bc_xprt.h | 5 +++++ + net/sunrpc/backchannel_rqst.c | 2 +- + net/sunrpc/xprt.c | 5 +++++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/bc_xprt.h b/include/linux/sunrpc/bc_xprt.h +index 87d27e13d8859..d796058cdff2a 100644 +--- a/include/linux/sunrpc/bc_xprt.h ++++ b/include/linux/sunrpc/bc_xprt.h +@@ -64,6 +64,11 @@ static inline int xprt_setup_backchannel(struct rpc_xprt *xprt, + return 0; + } + ++static inline void xprt_destroy_backchannel(struct rpc_xprt *xprt, ++ unsigned int max_reqs) ++{ ++} ++ + static inline bool svc_is_backchannel(const struct svc_rqst *rqstp) + { + return false; +diff --git a/net/sunrpc/backchannel_rqst.c b/net/sunrpc/backchannel_rqst.c +index 7eb251372f947..195b40c5dae4b 100644 +--- a/net/sunrpc/backchannel_rqst.c ++++ b/net/sunrpc/backchannel_rqst.c +@@ -220,7 +220,7 @@ void xprt_destroy_bc(struct rpc_xprt *xprt, unsigned int max_reqs) + goto out; + + spin_lock_bh(&xprt->bc_pa_lock); +- xprt->bc_alloc_max -= max_reqs; ++ xprt->bc_alloc_max -= min(max_reqs, xprt->bc_alloc_max); + list_for_each_entry_safe(req, tmp, &xprt->bc_pa_list, rq_bc_pa_list) { + dprintk("RPC: req=%p\n", req); + list_del(&req->rq_bc_pa_list); +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 20631d64312cb..ac796f3d42409 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1935,6 +1935,11 @@ static void xprt_destroy_cb(struct work_struct *work) + rpc_destroy_wait_queue(&xprt->sending); + rpc_destroy_wait_queue(&xprt->backlog); + kfree(xprt->servername); ++ /* ++ * Destroy any existing back channel ++ */ ++ xprt_destroy_backchannel(xprt, UINT_MAX); ++ + /* + * Tear down transport state and free the rpc_xprt + */ +-- +2.20.1 + diff --git a/queue-5.3/sunrpc-the-rdma-back-channel-mustn-t-disappear-while.patch b/queue-5.3/sunrpc-the-rdma-back-channel-mustn-t-disappear-while.patch new file mode 100644 index 00000000000..07751d3483f --- /dev/null +++ b/queue-5.3/sunrpc-the-rdma-back-channel-mustn-t-disappear-while.patch @@ -0,0 +1,46 @@ +From 394830b69fd557442c5294a092a50ffdcc660036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 09:02:20 -0400 +Subject: SUNRPC: The RDMA back channel mustn't disappear while requests are + outstanding + +From: Trond Myklebust + +[ Upstream commit 9edb455e6797bb50aa38ef71e62668966065ede8 ] + +If there are RDMA back channel requests being processed by the +server threads, then we should hold a reference to the transport +to ensure it doesn't get freed from underneath us. + +Reported-by: Neil Brown +Fixes: 63cae47005af ("xprtrdma: Handle incoming backward direction RPC calls") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/backchannel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sunrpc/xprtrdma/backchannel.c b/net/sunrpc/xprtrdma/backchannel.c +index 59e624b1d7a0d..7cccaab9a17ae 100644 +--- a/net/sunrpc/xprtrdma/backchannel.c ++++ b/net/sunrpc/xprtrdma/backchannel.c +@@ -165,6 +165,7 @@ void xprt_rdma_bc_free_rqst(struct rpc_rqst *rqst) + spin_lock(&xprt->bc_pa_lock); + list_add_tail(&rqst->rq_bc_pa_list, &xprt->bc_pa_list); + spin_unlock(&xprt->bc_pa_lock); ++ xprt_put(xprt); + } + + static struct rpc_rqst *rpcrdma_bc_rqst_get(struct rpcrdma_xprt *r_xprt) +@@ -261,6 +262,7 @@ void rpcrdma_bc_receive_call(struct rpcrdma_xprt *r_xprt, + + /* Queue rqst for ULP's callback service */ + bc_serv = xprt->bc_serv; ++ xprt_get(xprt); + spin_lock(&bc_serv->sv_cb_lock); + list_add(&rqst->rq_bc_list, &bc_serv->sv_cb_list); + spin_unlock(&bc_serv->sv_cb_lock); +-- +2.20.1 + diff --git a/queue-5.3/sunrpc-the-tcp-back-channel-mustn-t-disappear-while-.patch b/queue-5.3/sunrpc-the-tcp-back-channel-mustn-t-disappear-while-.patch new file mode 100644 index 00000000000..344f843380f --- /dev/null +++ b/queue-5.3/sunrpc-the-tcp-back-channel-mustn-t-disappear-while-.patch @@ -0,0 +1,57 @@ +From c787b5d03f973dcd5150657bea9cc7d3f75b6789 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 09:02:19 -0400 +Subject: SUNRPC: The TCP back channel mustn't disappear while requests are + outstanding + +From: Trond Myklebust + +[ Upstream commit 875f0706accd6501c3209bb99df8573171fb5d75 ] + +If there are TCP back channel requests being processed by the +server threads, then we should hold a reference to the transport +to ensure it doesn't get freed from underneath us. + +Reported-by: Neil Brown +Fixes: 2ea24497a1b3 ("SUNRPC: RPC callbacks may be split across several..") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/backchannel_rqst.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/backchannel_rqst.c b/net/sunrpc/backchannel_rqst.c +index 339e8c077c2db..7eb251372f947 100644 +--- a/net/sunrpc/backchannel_rqst.c ++++ b/net/sunrpc/backchannel_rqst.c +@@ -307,8 +307,8 @@ void xprt_free_bc_rqst(struct rpc_rqst *req) + */ + dprintk("RPC: Last session removed req=%p\n", req); + xprt_free_allocation(req); +- return; + } ++ xprt_put(xprt); + } + + /* +@@ -339,7 +339,7 @@ found: + spin_unlock(&xprt->bc_pa_lock); + if (new) { + if (req != new) +- xprt_free_bc_rqst(new); ++ xprt_free_allocation(new); + break; + } else if (req) + break; +@@ -368,6 +368,7 @@ void xprt_complete_bc_request(struct rpc_rqst *req, uint32_t copied) + set_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state); + + dprintk("RPC: add callback request to list\n"); ++ xprt_get(xprt); + spin_lock(&bc_serv->sv_cb_lock); + list_add(&req->rq_bc_list, &bc_serv->sv_cb_list); + wake_up(&bc_serv->sv_cb_waitq); +-- +2.20.1 + diff --git a/queue-5.3/timekeeping-vsyscall-update-vdso-data-unconditionall.patch b/queue-5.3/timekeeping-vsyscall-update-vdso-data-unconditionall.patch new file mode 100644 index 00000000000..548da08424e --- /dev/null +++ b/queue-5.3/timekeeping-vsyscall-update-vdso-data-unconditionall.patch @@ -0,0 +1,116 @@ +From 25c1b8c7ee53949042bec6825495987a1c8415dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 11:28:29 +0800 +Subject: timekeeping/vsyscall: Update VDSO data unconditionally + +From: Huacai Chen + +[ Upstream commit 52338415cf4d4064ae6b8dd972dadbda841da4fa ] + +The update of the VDSO data is depending on __arch_use_vsyscall() returning +True. This is a leftover from the attempt to map the features of various +architectures 1:1 into generic code. + +The usage of __arch_use_vsyscall() in the actual vsyscall implementations +got dropped and replaced by the requirement for the architecture code to +return U64_MAX if the global clocksource is not usable in the VDSO. + +But the __arch_use_vsyscall() check in the update code stayed which causes +the VDSO data to be stale or invalid when an architecture actually +implements that function and returns False when the current clocksource is +not usable in the VDSO. + +As a consequence the VDSO implementations of clock_getres(), time(), +clock_gettime(CLOCK_.*_COARSE) operate on invalid data and return bogus +information. + +Remove the __arch_use_vsyscall() check from the VDSO update function and +update the VDSO data unconditionally. + +[ tglx: Massaged changelog and removed the now useless implementations in + asm-generic/ARM64/MIPS ] + +Fixes: 44f57d788e7deecb50 ("timekeeping: Provide a generic update_vsyscall() implementation") +Signed-off-by: Huacai Chen +Signed-off-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Vincenzo Frascino +Cc: Arnd Bergmann +Cc: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1571887709-11447-1-git-send-email-chenhc@lemote.com +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/vdso/vsyscall.h | 7 ------- + include/asm-generic/vdso/vsyscall.h | 7 ------- + kernel/time/vsyscall.c | 9 +++------ + 3 files changed, 3 insertions(+), 20 deletions(-) + +diff --git a/arch/arm64/include/asm/vdso/vsyscall.h b/arch/arm64/include/asm/vdso/vsyscall.h +index 0c731bfc7c8c7..0c20a7c1bee50 100644 +--- a/arch/arm64/include/asm/vdso/vsyscall.h ++++ b/arch/arm64/include/asm/vdso/vsyscall.h +@@ -30,13 +30,6 @@ int __arm64_get_clock_mode(struct timekeeper *tk) + } + #define __arch_get_clock_mode __arm64_get_clock_mode + +-static __always_inline +-int __arm64_use_vsyscall(struct vdso_data *vdata) +-{ +- return !vdata[CS_HRES_COARSE].clock_mode; +-} +-#define __arch_use_vsyscall __arm64_use_vsyscall +- + static __always_inline + void __arm64_update_vsyscall(struct vdso_data *vdata, struct timekeeper *tk) + { +diff --git a/include/asm-generic/vdso/vsyscall.h b/include/asm-generic/vdso/vsyscall.h +index e94b19782c92f..ce41032086193 100644 +--- a/include/asm-generic/vdso/vsyscall.h ++++ b/include/asm-generic/vdso/vsyscall.h +@@ -25,13 +25,6 @@ static __always_inline int __arch_get_clock_mode(struct timekeeper *tk) + } + #endif /* __arch_get_clock_mode */ + +-#ifndef __arch_use_vsyscall +-static __always_inline int __arch_use_vsyscall(struct vdso_data *vdata) +-{ +- return 1; +-} +-#endif /* __arch_use_vsyscall */ +- + #ifndef __arch_update_vsyscall + static __always_inline void __arch_update_vsyscall(struct vdso_data *vdata, + struct timekeeper *tk) +diff --git a/kernel/time/vsyscall.c b/kernel/time/vsyscall.c +index 4bc37ac3bb052..5ee0f77094107 100644 +--- a/kernel/time/vsyscall.c ++++ b/kernel/time/vsyscall.c +@@ -110,8 +110,7 @@ void update_vsyscall(struct timekeeper *tk) + nsec = nsec + tk->wall_to_monotonic.tv_nsec; + vdso_ts->sec += __iter_div_u64_rem(nsec, NSEC_PER_SEC, &vdso_ts->nsec); + +- if (__arch_use_vsyscall(vdata)) +- update_vdso_data(vdata, tk); ++ update_vdso_data(vdata, tk); + + __arch_update_vsyscall(vdata, tk); + +@@ -124,10 +123,8 @@ void update_vsyscall_tz(void) + { + struct vdso_data *vdata = __arch_get_k_vdso_data(); + +- if (__arch_use_vsyscall(vdata)) { +- vdata[CS_HRES_COARSE].tz_minuteswest = sys_tz.tz_minuteswest; +- vdata[CS_HRES_COARSE].tz_dsttime = sys_tz.tz_dsttime; +- } ++ vdata[CS_HRES_COARSE].tz_minuteswest = sys_tz.tz_minuteswest; ++ vdata[CS_HRES_COARSE].tz_dsttime = sys_tz.tz_dsttime; + + __arch_sync_vdso_data(vdata); + } +-- +2.20.1 + diff --git a/queue-5.3/usb-dwc3-gadget-fix-race-when-disabling-ep-with-canc.patch b/queue-5.3/usb-dwc3-gadget-fix-race-when-disabling-ep-with-canc.patch new file mode 100644 index 00000000000..a16d9b419cf --- /dev/null +++ b/queue-5.3/usb-dwc3-gadget-fix-race-when-disabling-ep-with-canc.patch @@ -0,0 +1,45 @@ +From 914e6e782eb2024274338b99c91adbe6ae0dcb09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 11:07:13 +0200 +Subject: usb: dwc3: gadget: fix race when disabling ep with cancelled xfers + +From: Felipe Balbi + +[ Upstream commit d8eca64eec7103ab1fbabc0a187dbf6acfb2af93 ] + +When disabling an endpoint which has cancelled requests, we should +make sure to giveback requests that are currently pending in the +cancelled list, otherwise we may fall into a situation where command +completion interrupt fires after endpoint has been disabled, therefore +causing a splat. + +Fixes: fec9095bdef4 "usb: dwc3: gadget: remove wait_end_transfer" +Reported-by: Roger Quadros +Signed-off-by: Felipe Balbi +Link: https://lore.kernel.org/r/20191031090713.1452818-1-felipe.balbi@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 173f5329d3d9e..56bd6ae0c18f9 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -707,6 +707,12 @@ static void dwc3_remove_requests(struct dwc3 *dwc, struct dwc3_ep *dep) + + dwc3_gadget_giveback(dep, req, -ESHUTDOWN); + } ++ ++ while (!list_empty(&dep->cancelled_list)) { ++ req = next_request(&dep->cancelled_list); ++ ++ dwc3_gadget_giveback(dep, req, -ESHUTDOWN); ++ } + } + + /** +-- +2.20.1 + diff --git a/queue-5.3/usb-dwc3-pci-prevent-memory-leak-in-dwc3_pci_probe.patch b/queue-5.3/usb-dwc3-pci-prevent-memory-leak-in-dwc3_pci_probe.patch new file mode 100644 index 00000000000..6c2836e7d29 --- /dev/null +++ b/queue-5.3/usb-dwc3-pci-prevent-memory-leak-in-dwc3_pci_probe.patch @@ -0,0 +1,38 @@ +From d68b91db03ae7ff101aa2905efdc515a04b82b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2019 21:41:45 -0500 +Subject: usb: dwc3: pci: prevent memory leak in dwc3_pci_probe + +From: Navid Emamdoost + +[ Upstream commit 9bbfceea12a8f145097a27d7c7267af25893c060 ] + +In dwc3_pci_probe a call to platform_device_alloc allocates a device +which is correctly put in case of error except one case: when the call to +platform_device_add_properties fails it directly returns instead of +going to error handling. This commit replaces return with the goto. + +Fixes: 1a7b12f69a94 ("usb: dwc3: pci: Supply device properties via driver data") +Signed-off-by: Navid Emamdoost +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 5e8e18222f922..023f0357efd77 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -258,7 +258,7 @@ static int dwc3_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + + ret = platform_device_add_properties(dwc->dwc3, p); + if (ret < 0) +- return ret; ++ goto err; + + ret = dwc3_pci_quirks(dwc); + if (ret) +-- +2.20.1 + diff --git a/queue-5.3/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch b/queue-5.3/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch new file mode 100644 index 00000000000..2addd190cb4 --- /dev/null +++ b/queue-5.3/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch @@ -0,0 +1,44 @@ +From 952d727dbdc0dad4edec83234cc181206df9e69d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2019 14:46:07 +0800 +Subject: usb: dwc3: remove the call trace of USBx_GFLADJ + +From: Yinbo Zhu + +[ Upstream commit a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ] + +layerscape board sometimes reported some usb call trace, that is due to +kernel sent LPM tokerns automatically when it has no pending transfers +and think that the link is idle enough to enter L1, which procedure will +ask usb register has a recovery,then kernel will compare USBx_GFLADJ and +set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if +the conditions were met then issue occur, but whatever the conditions +whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20 +(xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source +that generates the clock that drives the SOF counter, 0x20 is default +value of it)That is normal logic, so need remove the call trace. + +Signed-off-by: Yinbo Zhu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index c9bb93a2c81e2..06d7e8612dfed 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -300,8 +300,7 @@ static void dwc3_frame_length_adjustment(struct dwc3 *dwc) + + reg = dwc3_readl(dwc->regs, DWC3_GFLADJ); + dft = reg & DWC3_GFLADJ_30MHZ_MASK; +- if (!dev_WARN_ONCE(dwc->dev, dft == dwc->fladj, +- "request value same as default, ignoring\n")) { ++ if (dft != dwc->fladj) { + reg &= ~DWC3_GFLADJ_30MHZ_MASK; + reg |= DWC3_GFLADJ_30MHZ_SDBND_SEL | dwc->fladj; + dwc3_writel(dwc->regs, DWC3_GFLADJ, reg); +-- +2.20.1 + diff --git a/queue-5.3/usb-dwc3-select-config_regmap_mmio.patch b/queue-5.3/usb-dwc3-select-config_regmap_mmio.patch new file mode 100644 index 00000000000..fa065aede15 --- /dev/null +++ b/queue-5.3/usb-dwc3-select-config_regmap_mmio.patch @@ -0,0 +1,42 @@ +From 3cd90fcb8b22f79115f4a090bff3988d2b15896f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 16:18:36 +0200 +Subject: usb: dwc3: select CONFIG_REGMAP_MMIO + +From: Arnd Bergmann + +[ Upstream commit a51bab592fbbef10f0e42a8aed86adfbf6a68fa7 ] + +After many randconfig builds, one configuration caused a link +error with dwc3-meson-g12a lacking the regmap-mmio code: + +drivers/usb/dwc3/dwc3-meson-g12a.o: In function `dwc3_meson_g12a_probe': +dwc3-meson-g12a.c:(.text+0x9f): undefined reference to `__devm_regmap_init_mmio_clk' + +Add the select statement that we have for all other users +of that dependency. + +Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue") +Acked-by: Neil Armstrong +Signed-off-by: Arnd Bergmann +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/Kconfig b/drivers/usb/dwc3/Kconfig +index 89abc6078703f..556a876c78962 100644 +--- a/drivers/usb/dwc3/Kconfig ++++ b/drivers/usb/dwc3/Kconfig +@@ -102,6 +102,7 @@ config USB_DWC3_MESON_G12A + depends on ARCH_MESON || COMPILE_TEST + default USB_DWC3 + select USB_ROLE_SWITCH ++ select REGMAP_MMIO + help + Support USB2/3 functionality in Amlogic G12A platforms. + Say 'Y' or 'M' if you have one such device. +-- +2.20.1 + diff --git a/queue-5.3/usb-fsl-check-memory-resource-before-releasing-it.patch b/queue-5.3/usb-fsl-check-memory-resource-before-releasing-it.patch new file mode 100644 index 00000000000..6cad1a1887d --- /dev/null +++ b/queue-5.3/usb-fsl-check-memory-resource-before-releasing-it.patch @@ -0,0 +1,37 @@ +From 3278bda8f0bc916bb78f09ffa64a3d242a65273c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:21:51 +0800 +Subject: usb: fsl: Check memory resource before releasing it + +From: Nikhil Badola + +[ Upstream commit bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ] + +Check memory resource existence before releasing it to avoid NULL +pointer dereference + +Signed-off-by: Nikhil Badola +Reviewed-by: Ran Wang +Reviewed-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index 20141c3096f68..9a05863b28768 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -2576,7 +2576,7 @@ static int fsl_udc_remove(struct platform_device *pdev) + dma_pool_destroy(udc_controller->td_pool); + free_irq(udc_controller->irq, udc_controller); + iounmap(dr_regs); +- if (pdata->operating_mode == FSL_USB2_DR_DEVICE) ++ if (res && (pdata->operating_mode == FSL_USB2_DR_DEVICE)) + release_mem_region(res->start, resource_size(res)); + + /* free udc --wait for the release() finished */ +-- +2.20.1 + diff --git a/queue-5.3/usb-gadget-composite-fix-possible-double-free-memory.patch b/queue-5.3/usb-gadget-composite-fix-possible-double-free-memory.patch new file mode 100644 index 00000000000..69f626a0bce --- /dev/null +++ b/queue-5.3/usb-gadget-composite-fix-possible-double-free-memory.patch @@ -0,0 +1,67 @@ +From 7029bebe55052d01618e4a0f220b1a814d9f87ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 13:16:48 +0530 +Subject: usb: gadget: composite: Fix possible double free memory bug + +From: Chandana Kishori Chiluveru + +[ Upstream commit 1c20c89b0421b52b2417bb0f62a611bc669eda1d ] + +composite_dev_cleanup call from the failure of configfs_composite_bind +frees up the cdev->os_desc_req and cdev->req. If the previous calls of +bind and unbind is successful these will carry stale values. + +Consider the below sequence of function calls: +configfs_composite_bind() + composite_dev_prepare() + - Allocate cdev->req, cdev->req->buf + composite_os_desc_req_prepare() + - Allocate cdev->os_desc_req, cdev->os_desc_req->buf +configfs_composite_unbind() + composite_dev_cleanup() + - free the cdev->os_desc_req->buf and cdev->req->buf +Next composition switch +configfs_composite_bind() + - If it fails goto err_comp_cleanup will call the + composite_dev_cleanup() function + composite_dev_cleanup() + - calls kfree up with the stale values of cdev->req->buf and + cdev->os_desc_req from the previous configfs_composite_bind + call. The free call on these stale values leads to double free. + +Hence, Fix this issue by setting request and buffer pointer to NULL after +kfree. + +Signed-off-by: Chandana Kishori Chiluveru +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 76883ff4f5bb6..c8ae07cd6fbfd 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2156,14 +2156,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) + usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req); + + kfree(cdev->os_desc_req->buf); ++ cdev->os_desc_req->buf = NULL; + usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); ++ cdev->os_desc_req = NULL; + } + if (cdev->req) { + if (cdev->setup_pending) + usb_ep_dequeue(cdev->gadget->ep0, cdev->req); + + kfree(cdev->req->buf); ++ cdev->req->buf = NULL; + usb_ep_free_request(cdev->gadget->ep0, cdev->req); ++ cdev->req = NULL; + } + cdev->next_string_id = 0; + device_remove_file(&cdev->gadget->dev, &dev_attr_suspended); +-- +2.20.1 + diff --git a/queue-5.3/usb-gadget-configfs-fix-concurrent-issue-between-com.patch b/queue-5.3/usb-gadget-configfs-fix-concurrent-issue-between-com.patch new file mode 100644 index 00000000000..7143d9007b1 --- /dev/null +++ b/queue-5.3/usb-gadget-configfs-fix-concurrent-issue-between-com.patch @@ -0,0 +1,422 @@ +From 0af82fd7d41b977a4d0d186a86a48835fe7a46c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 15:10:55 -0400 +Subject: usb: gadget: configfs: fix concurrent issue between composite APIs + +From: Peter Chen + +[ Upstream commit 1a1c851bbd706ea9f3a9756c2d3db28523506d3b ] + +We meet several NULL pointer issues if configfs_composite_unbind +and composite_setup (or composite_disconnect) are running together. +These issues occur when do the function switch stress test, the +configfs_compsoite_unbind is called from user mode by +echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt +or disconnect interrupt occurs by hardware. The composite_setup +will get the cdev from get_gadget_data, but configfs_composite_unbind +will set gadget data as NULL, so the NULL pointer issue occurs. +This concurrent is hard to reproduce by native kernel, but can be +reproduced by android kernel. + +In this commit, we introduce one spinlock belongs to structure +gadget_info since we can't use the same spinlock in usb_composite_dev +due to exclusive running together between composite_setup and +configfs_composite_unbind. And one bit flag 'unbind' to indicate the +code is at unbind routine, this bit is needed due to we release the +lock at during configfs_composite_unbind sometimes, and composite_setup +may be run at that time. + +Several oops: + +oops 1: +android_work: sent uevent USB_STATE=CONNECTED +configfs-gadget gadget: super-speed config #1: b +android_work: sent uevent USB_STATE=CONFIGURED +init: Received control message 'start' for 'adbd' from pid: 3515 (system_server) +Unable to handle kernel NULL pointer dereference at virtual address 0000002a +init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic) +Mem abort info: + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000 +[000000000000002a] *pgd=0000000000000000 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16 +Hardware name: Freescale i.MX8QM MEK (DT) +task: ffff8008f2a98000 task.stack: ffff00000b7b8000 +PC is at composite_setup+0x44/0x1508 +LR is at android_setup+0xb8/0x13c +pc : [] lr : [] pstate: 800001c5 +sp : ffff00000b7bbb80 +x29: ffff00000b7bbb80 x28: ffff8008f2a3c010 +x27: 0000000000000001 x26: 0000000000000000 [1232/1897] +audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64 +x25: 00000000ffffffa1 x24: ffff8008f2a3c010 +audit: rate limit exceeded +x23: 0000000000000409 x22: ffff000009c8e000 +x21: ffff8008f7a8b428 x20: ffff00000afae000 +x19: ffff0000089ff000 x18: 0000000000000000 +x17: 0000000000000000 x16: ffff0000082b7c9c +x15: 0000000000000000 x14: f1866f5b952aca46 +x13: e35502e30d44349c x12: 0000000000000008 +x11: 0000000000000008 x10: 0000000000000a30 +x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90 +x7 : ffff8008f27a9c90 x6 : 0000000000000001 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : 0000000000000000 x2 : 0000000000000006 +x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00 + +X7: 0xffff8008f27a9c10: +9c10 00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040 +9c30 00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000 +9c50 00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078 +9c70 00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000 +9c90 00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008 +9cb0 f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001 +9cd0 870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000 +using random self ethernet address +9cf0 019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000 +using random host ethernet address + 00000000 + +X8: 0xffff8008f2a98a10: +8a10 00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000 +8a30 eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000 +8a50 f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000 +8a70 fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000 +8a90 080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000 +8ab0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8ad0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8af0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + +X21: 0xffff8008f7a8b3a8: +b3a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b3c8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b3e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b408 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000 +b428 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b448 0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003 +b468 e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008 +b488 f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000 + +X24: 0xffff8008f2a3bf90: +bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 +c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 +c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 + +X28: 0xffff8008f2a3bf90: +bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 +c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 +c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 + +Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000) +Call trace: +Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80) +ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000 +ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90 +ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008 +baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000 +bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000 +bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409 +bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001 +bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80 +bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00 +bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c +[] composite_setup+0x44/0x1508 +[] android_setup+0xb8/0x13c +[] cdns3_ep0_delegate_req+0x44/0x70 +[] cdns3_check_ep0_interrupt_proceed+0x33c/0x654 +[] cdns3_device_thread_irq_handler+0x4b0/0x4bc +[] cdns3_thread_irq+0x48/0x68 +[] irq_thread_fn+0x28/0x88 +[] irq_thread+0x13c/0x228 +[] kthread+0x104/0x130 +[] ret_from_fork+0x10/0x18 + +oops2: +composite_disconnect: Calling disconnect on a Gadget that is not connected +android_work: did not send uevent (0 0 (null)) +init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) +init: Sending signal 9 to service 'adbd' (pid 22343) process group... +------------[ cut here ]------------ +audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64 +audit: rate limit exceeded +WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88 +Modules linked in: +CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16 +Hardware name: Freescale i.MX8QM MEK (DT) +task: ffff8008f2349c00 task.stack: ffff00000b0a8000 +PC is at composite_disconnect+0x80/0x88 +LR is at composite_disconnect+0x80/0x88 +pc : [] lr : [] pstate: 600001c5 +sp : ffff000008003dd0 +x29: ffff000008003dd0 x28: ffff8008f2349c00 +x27: ffff000009885018 x26: ffff000008004000 +Timeout for IPC response! +x25: ffff000009885018 x24: ffff000009c8e280 +x23: ffff8008f2d98010 x22: 00000000000001c0 +x21: ffff8008f2d98394 x20: ffff8008f2d98010 +x19: 0000000000000000 x18: 0000e3956f4f075a +fxos8700 4-001e: i2c block read acc failed +x17: 0000e395735727e8 x16: ffff00000829f4d4 +x15: ffffffffffffffff x14: 7463656e6e6f6320 +x13: 746f6e2009090920 x12: 7369207461687420 +x11: 7465676461472061 x10: 206e6f207463656e +x9 : 6e6f637369642067 x8 : ffff000009c8e280 +x7 : ffff0000086ca6cc x6 : ffff000009f15e78 +x5 : 0000000000000000 x4 : 0000000000000000 +x3 : ffffffffffffffff x2 : c3f28b86000c3900 +x1 : c3f28b86000c3900 x0 : 000000000000004e + +X20: 0xffff8008f2d97f90: +7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain +7fd0 +Timeout for IPC response! + 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +using random self ethernet address +7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc +using random host ethernet address + ffff0000 +8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 +8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 + +X21: 0xffff8008f2d98314: +8314 ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8334 00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000 +8354 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8374 00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000 +8394 e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400 +Timeout for IPC response! +83b4 ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018 +83d4 ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918 +83f4 ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000 + +X23: 0xffff8008f2d97f90: +7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000 +8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 +8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 + +X28: 0xffff8008f2349b80: +9b80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9ba0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9bc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9be0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9c00 00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000 +9c20 0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000 +9c40 00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008 +9c60 00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000 + +Call trace: +Exception stack(0xffff000008003c90 to 0xffff000008003dd0) +3c80: 000000000000004e c3f28b86000c3900 +3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000 +3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067 +3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920 +3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8 +3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394 +3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018 +3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0 +3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5 +3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000 +init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) +3dc0: ffff000008003dd0 ffff0000089ff9b0 +[] composite_disconnect+0x80/0x88 +[] android_disconnect+0x3c/0x68 +[] cdns3_device_irq_handler+0xfc/0x2c8 +[] cdns3_irq+0x44/0x94 +[] __handle_irq_event_percpu+0x60/0x24c +[] handle_irq_event+0x58/0xc0 +[] handle_fasteoi_irq+0x98/0x180 +[] generic_handle_irq+0x24/0x38 +[] __handle_domain_irq+0x60/0xac +[] gic_handle_irq+0xd4/0x17c + +Signed-off-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/configfs.c | 110 ++++++++++++++++++++++++++++++++-- + 1 file changed, 105 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index 0251299428946..33852c2b29d1a 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -61,6 +61,8 @@ struct gadget_info { + bool use_os_desc; + char b_vendor_code; + char qw_sign[OS_STRING_QW_SIGN_LEN]; ++ spinlock_t spinlock; ++ bool unbind; + }; + + static inline struct gadget_info *to_gadget_info(struct config_item *item) +@@ -1244,6 +1246,7 @@ static int configfs_composite_bind(struct usb_gadget *gadget, + int ret; + + /* the gi->lock is hold by the caller */ ++ gi->unbind = 0; + cdev->gadget = gadget; + set_gadget_data(gadget, cdev); + ret = composite_dev_prepare(composite, cdev); +@@ -1376,31 +1379,128 @@ static void configfs_composite_unbind(struct usb_gadget *gadget) + { + struct usb_composite_dev *cdev; + struct gadget_info *gi; ++ unsigned long flags; + + /* the gi->lock is hold by the caller */ + + cdev = get_gadget_data(gadget); + gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ gi->unbind = 1; ++ spin_unlock_irqrestore(&gi->spinlock, flags); + + kfree(otg_desc[0]); + otg_desc[0] = NULL; + purge_configs_funcs(gi); + composite_dev_cleanup(cdev); + usb_ep_autoconfig_reset(cdev->gadget); ++ spin_lock_irqsave(&gi->spinlock, flags); + cdev->gadget = NULL; + set_gadget_data(gadget, NULL); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static int configfs_composite_setup(struct usb_gadget *gadget, ++ const struct usb_ctrlrequest *ctrl) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ int ret; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return 0; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return 0; ++ } ++ ++ ret = composite_setup(gadget, ctrl); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return ret; ++} ++ ++static void configfs_composite_disconnect(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_disconnect(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static void configfs_composite_suspend(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_suspend(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static void configfs_composite_resume(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_resume(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); + } + + static const struct usb_gadget_driver configfs_driver_template = { + .bind = configfs_composite_bind, + .unbind = configfs_composite_unbind, + +- .setup = composite_setup, +- .reset = composite_disconnect, +- .disconnect = composite_disconnect, ++ .setup = configfs_composite_setup, ++ .reset = configfs_composite_disconnect, ++ .disconnect = configfs_composite_disconnect, + +- .suspend = composite_suspend, +- .resume = composite_resume, ++ .suspend = configfs_composite_suspend, ++ .resume = configfs_composite_resume, + + .max_speed = USB_SPEED_SUPER, + .driver = { +-- +2.20.1 + diff --git a/queue-5.3/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch b/queue-5.3/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch new file mode 100644 index 00000000000..9f3ce76b4f3 --- /dev/null +++ b/queue-5.3/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch @@ -0,0 +1,42 @@ +From 4dbe51b3abb5de723acaed7ef73f1bdd07ef080e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 20:10:54 +0300 +Subject: usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode. + +From: Cristian Birsan + +[ Upstream commit ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ] + +Fix interrupt storm generated by endpoints when working in FIFO mode. +The TX_COMPLETE interrupt is used only by control endpoints processing. +Do not enable it for other types of endpoints. + +Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver") +Signed-off-by: Cristian Birsan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/atmel_usba_udc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c +index 503d275bc4c4b..761e8a8088573 100644 +--- a/drivers/usb/gadget/udc/atmel_usba_udc.c ++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c +@@ -448,9 +448,11 @@ static void submit_request(struct usba_ep *ep, struct usba_request *req) + next_fifo_transaction(ep, req); + if (req->last_transaction) { + usba_ep_writel(ep, CTL_DIS, USBA_TX_PK_RDY); +- usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE); ++ if (ep_is_control(ep)) ++ usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE); + } else { +- usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE); ++ if (ep_is_control(ep)) ++ usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE); + usba_ep_writel(ep, CTL_ENB, USBA_TX_PK_RDY); + } + } +-- +2.20.1 + diff --git a/queue-5.3/usb-ldusb-use-unsigned-size-format-specifiers.patch b/queue-5.3/usb-ldusb-use-unsigned-size-format-specifiers.patch new file mode 100644 index 00000000000..02b69ad60e9 --- /dev/null +++ b/queue-5.3/usb-ldusb-use-unsigned-size-format-specifiers.patch @@ -0,0 +1,55 @@ +From d696d98d222f2a2cf01508fec9e128a121c1e77f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 16:32:03 +0200 +Subject: USB: ldusb: use unsigned size format specifiers + +From: Johan Hovold + +[ Upstream commit 88f6bf3846ee90bf33aa1ce848cd3bfb3229f4a4 ] + +A recent info-leak bug manifested itself along with warning about a +negative buffer overflow: + + ldusb 1-1:0.28: Read buffer overflow, -131383859965943 bytes dropped + +when it was really a rather large positive one. + +A sanity check that prevents this has now been put in place, but let's +fix up the size format specifiers, which should all be unsigned. + +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191022143203.5260-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/ldusb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c +index f5e34c5034547..8f86b4ebca898 100644 +--- a/drivers/usb/misc/ldusb.c ++++ b/drivers/usb/misc/ldusb.c +@@ -487,7 +487,7 @@ static ssize_t ld_usb_read(struct file *file, char __user *buffer, size_t count, + } + bytes_to_read = min(count, *actual_buffer); + if (bytes_to_read < *actual_buffer) +- dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n", ++ dev_warn(&dev->intf->dev, "Read buffer overflow, %zu bytes dropped\n", + *actual_buffer-bytes_to_read); + + /* copy one interrupt_in_buffer from ring_buffer into userspace */ +@@ -562,8 +562,9 @@ static ssize_t ld_usb_write(struct file *file, const char __user *buffer, + /* write the data into interrupt_out_buffer from userspace */ + bytes_to_write = min(count, write_buffer_size*dev->interrupt_out_endpoint_size); + if (bytes_to_write < count) +- dev_warn(&dev->intf->dev, "Write buffer overflow, %zd bytes dropped\n", count-bytes_to_write); +- dev_dbg(&dev->intf->dev, "%s: count = %zd, bytes_to_write = %zd\n", ++ dev_warn(&dev->intf->dev, "Write buffer overflow, %zu bytes dropped\n", ++ count - bytes_to_write); ++ dev_dbg(&dev->intf->dev, "%s: count = %zu, bytes_to_write = %zu\n", + __func__, count, bytes_to_write); + + if (copy_from_user(dev->interrupt_out_buffer, buffer, bytes_to_write)) { +-- +2.20.1 + diff --git a/queue-5.3/usb-skip-endpoints-with-0-maxpacket-length.patch b/queue-5.3/usb-skip-endpoints-with-0-maxpacket-length.patch new file mode 100644 index 00000000000..3a764a91419 --- /dev/null +++ b/queue-5.3/usb-skip-endpoints-with-0-maxpacket-length.patch @@ -0,0 +1,49 @@ +From 1bf04eec29503d0ab6ca940184a44ebb012f05d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 10:52:35 -0400 +Subject: USB: Skip endpoints with 0 maxpacket length + +From: Alan Stern + +[ Upstream commit d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ] + +Endpoints with a maxpacket length of 0 are probably useless. They +can't transfer any data, and it's not at all unlikely that an HCD will +crash or hang when trying to handle an URB for such an endpoint. + +Currently the USB core does not check for endpoints having a maxpacket +value of 0. This patch adds a check, printing a warning and skipping +over any endpoints it catches. + +Now, the USB spec does not rule out endpoints having maxpacket = 0. +But since they wouldn't have any practical use, there doesn't seem to +be any good reason for us to accept them. + +Signed-off-by: Alan Stern + +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/config.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 151a74a543862..1ac1095bfeac8 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -348,6 +348,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + + /* Validate the wMaxPacketSize field */ + maxp = usb_endpoint_maxp(&endpoint->desc); ++ if (maxp == 0) { ++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n", ++ cfgno, inum, asnum, d->bEndpointAddress); ++ goto skip_to_next_endpoint_or_interface_descriptor; ++ } + + /* Find the highest legal maxpacket size for this endpoint */ + i = 0; /* additional transactions per microframe */ +-- +2.20.1 + diff --git a/queue-5.3/usbip-tools-fix-read_usb_vudc_device-error-path-hand.patch b/queue-5.3/usbip-tools-fix-read_usb_vudc_device-error-path-hand.patch new file mode 100644 index 00000000000..5cf523f481c --- /dev/null +++ b/queue-5.3/usbip-tools-fix-read_usb_vudc_device-error-path-hand.patch @@ -0,0 +1,50 @@ +From 32507fbc1986a69c59afc083e230b7c6336fbb6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 03:22:23 +0000 +Subject: usbip: tools: Fix read_usb_vudc_device() error path handling + +From: GwanYeong Kim + +[ Upstream commit 28df0642abbf6d66908a2858922a7e4b21cdd8c2 ] + +This isn't really accurate right. fread() doesn't always +return 0 in error. It could return < number of elements +and set errno. + +Signed-off-by: GwanYeong Kim +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20191018032223.4644-1-gy741.kim@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/usb/usbip/libsrc/usbip_device_driver.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/usb/usbip/libsrc/usbip_device_driver.c b/tools/usb/usbip/libsrc/usbip_device_driver.c +index 5a3726eb44abc..b237a43e62990 100644 +--- a/tools/usb/usbip/libsrc/usbip_device_driver.c ++++ b/tools/usb/usbip/libsrc/usbip_device_driver.c +@@ -69,7 +69,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev) + FILE *fd = NULL; + struct udev_device *plat; + const char *speed; +- int ret = 0; ++ size_t ret; + + plat = udev_device_get_parent(sdev); + path = udev_device_get_syspath(plat); +@@ -79,8 +79,10 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev) + if (!fd) + return -1; + ret = fread((char *) &descr, sizeof(descr), 1, fd); +- if (ret < 0) ++ if (ret != 1) { ++ err("Cannot read vudc device descr file: %s", strerror(errno)); + goto err; ++ } + fclose(fd); + + copy_descr_attr(dev, &descr, bDeviceClass); +-- +2.20.1 + diff --git a/queue-5.3/virt_wifi-fix-refcnt-leak-in-module-exit-routine.patch b/queue-5.3/virt_wifi-fix-refcnt-leak-in-module-exit-routine.patch new file mode 100644 index 00000000000..1ce48842022 --- /dev/null +++ b/queue-5.3/virt_wifi-fix-refcnt-leak-in-module-exit-routine.patch @@ -0,0 +1,167 @@ +From 500b44a2dfbc0fcec1cad916500c75fc66a71678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:47:59 +0000 +Subject: virt_wifi: fix refcnt leak in module exit routine + +From: Taehee Yoo + +[ Upstream commit 1962f86b42ed06ea6af9ff09390243b99d9eb83a ] + +virt_wifi_newlink() calls netdev_upper_dev_link() and it internally +holds reference count of lower interface. + +Current code does not release a reference count of the lower interface +when the lower interface is being deleted. +So, reference count leaks occur. + +Test commands: + ip link add dummy0 type dummy + ip link add vw1 link dummy0 type virt_wifi + ip link del dummy0 + +Splat looks like: +[ 133.787526][ T788] WARNING: CPU: 1 PID: 788 at net/core/dev.c:8274 rollback_registered_many+0x835/0xc80 +[ 133.788355][ T788] Modules linked in: virt_wifi cfg80211 dummy team af_packet sch_fq_codel ip_tables x_tables unix +[ 133.789377][ T788] CPU: 1 PID: 788 Comm: ip Not tainted 5.4.0-rc3+ #96 +[ 133.790069][ T788] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 133.791167][ T788] RIP: 0010:rollback_registered_many+0x835/0xc80 +[ 133.791906][ T788] Code: 00 4d 85 ff 0f 84 b5 fd ff ff ba c0 0c 00 00 48 89 de 4c 89 ff e8 9b 58 04 00 48 89 df e8 30 +[ 133.794317][ T788] RSP: 0018:ffff88805ba3f338 EFLAGS: 00010202 +[ 133.795080][ T788] RAX: ffff88805e57e801 RBX: ffff88805ba34000 RCX: ffffffffa9294723 +[ 133.796045][ T788] RDX: 1ffff1100b746816 RSI: 0000000000000008 RDI: ffffffffabcc4240 +[ 133.797006][ T788] RBP: ffff88805ba3f4c0 R08: fffffbfff5798849 R09: fffffbfff5798849 +[ 133.797993][ T788] R10: 0000000000000001 R11: fffffbfff5798848 R12: dffffc0000000000 +[ 133.802514][ T788] R13: ffff88805ba3f440 R14: ffff88805ba3f400 R15: ffff88805ed622c0 +[ 133.803237][ T788] FS: 00007f2e9608c0c0(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000 +[ 133.804002][ T788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 133.804664][ T788] CR2: 00007f2e95610603 CR3: 000000005f68c004 CR4: 00000000000606e0 +[ 133.805363][ T788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 133.806073][ T788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 133.806787][ T788] Call Trace: +[ 133.807069][ T788] ? generic_xdp_install+0x310/0x310 +[ 133.807612][ T788] ? lock_acquire+0x164/0x3b0 +[ 133.808077][ T788] ? is_bpf_text_address+0x5/0xf0 +[ 133.808640][ T788] ? deref_stack_reg+0x9c/0xd0 +[ 133.809138][ T788] ? __nla_validate_parse+0x98/0x1ab0 +[ 133.809944][ T788] unregister_netdevice_many.part.122+0x13/0x1b0 +[ 133.810599][ T788] rtnl_delete_link+0xbc/0x100 +[ 133.811073][ T788] ? rtnl_af_register+0xc0/0xc0 +[ 133.811672][ T788] rtnl_dellink+0x30e/0x8a0 +[ 133.812205][ T788] ? is_bpf_text_address+0x5/0xf0 +[ ... ] + +[ 144.110530][ T788] unregister_netdevice: waiting for dummy0 to become free. Usage count = 1 + +This patch adds notifier routine to delete upper interface before deleting +lower interface. + +Fixes: c7cdba31ed8b ("mac80211-next: rtnetlink wifi simulation device") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virt_wifi.c | 54 ++++++++++++++++++++++++++++++-- + 1 file changed, 52 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c +index be92e1220284c..7997cc6de334f 100644 +--- a/drivers/net/wireless/virt_wifi.c ++++ b/drivers/net/wireless/virt_wifi.c +@@ -548,6 +548,7 @@ static int virt_wifi_newlink(struct net *src_net, struct net_device *dev, + priv->is_connected = false; + priv->is_up = false; + INIT_DELAYED_WORK(&priv->connect, virt_wifi_connect_complete); ++ __module_get(THIS_MODULE); + + return 0; + unregister_netdev: +@@ -578,6 +579,7 @@ static void virt_wifi_dellink(struct net_device *dev, + netdev_upper_dev_unlink(priv->lowerdev, dev); + + unregister_netdevice_queue(dev, head); ++ module_put(THIS_MODULE); + + /* Deleting the wiphy is handled in the module destructor. */ + } +@@ -590,6 +592,42 @@ static struct rtnl_link_ops virt_wifi_link_ops = { + .priv_size = sizeof(struct virt_wifi_netdev_priv), + }; + ++static bool netif_is_virt_wifi_dev(const struct net_device *dev) ++{ ++ return rcu_access_pointer(dev->rx_handler) == virt_wifi_rx_handler; ++} ++ ++static int virt_wifi_event(struct notifier_block *this, unsigned long event, ++ void *ptr) ++{ ++ struct net_device *lower_dev = netdev_notifier_info_to_dev(ptr); ++ struct virt_wifi_netdev_priv *priv; ++ struct net_device *upper_dev; ++ LIST_HEAD(list_kill); ++ ++ if (!netif_is_virt_wifi_dev(lower_dev)) ++ return NOTIFY_DONE; ++ ++ switch (event) { ++ case NETDEV_UNREGISTER: ++ priv = rtnl_dereference(lower_dev->rx_handler_data); ++ if (!priv) ++ return NOTIFY_DONE; ++ ++ upper_dev = priv->upperdev; ++ ++ upper_dev->rtnl_link_ops->dellink(upper_dev, &list_kill); ++ unregister_netdevice_many(&list_kill); ++ break; ++ } ++ ++ return NOTIFY_DONE; ++} ++ ++static struct notifier_block virt_wifi_notifier = { ++ .notifier_call = virt_wifi_event, ++}; ++ + /* Acquires and releases the rtnl lock. */ + static int __init virt_wifi_init_module(void) + { +@@ -598,14 +636,25 @@ static int __init virt_wifi_init_module(void) + /* Guaranteed to be locallly-administered and not multicast. */ + eth_random_addr(fake_router_bssid); + ++ err = register_netdevice_notifier(&virt_wifi_notifier); ++ if (err) ++ return err; ++ ++ err = -ENOMEM; + common_wiphy = virt_wifi_make_wiphy(); + if (!common_wiphy) +- return -ENOMEM; ++ goto notifier; + + err = rtnl_link_register(&virt_wifi_link_ops); + if (err) +- virt_wifi_destroy_wiphy(common_wiphy); ++ goto destroy_wiphy; + ++ return 0; ++ ++destroy_wiphy: ++ virt_wifi_destroy_wiphy(common_wiphy); ++notifier: ++ unregister_netdevice_notifier(&virt_wifi_notifier); + return err; + } + +@@ -615,6 +664,7 @@ static void __exit virt_wifi_cleanup_module(void) + /* Will delete any devices that depend on the wiphy. */ + rtnl_link_unregister(&virt_wifi_link_ops); + virt_wifi_destroy_wiphy(common_wiphy); ++ unregister_netdevice_notifier(&virt_wifi_notifier); + } + + module_init(virt_wifi_init_module); +-- +2.20.1 + diff --git a/queue-5.3/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_t.patch b/queue-5.3/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_t.patch new file mode 100644 index 00000000000..8157a8628b3 --- /dev/null +++ b/queue-5.3/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_t.patch @@ -0,0 +1,44 @@ +From d04d32d7f9b9b4d33cda30cee1b6aae2dc260151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 23:53:30 -0500 +Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle + +From: Navid Emamdoost + +[ Upstream commit 6f3ef5c25cc762687a7341c18cbea5af54461407 ] + +In the implementation of i2400m_op_rfkill_sw_toggle() the allocated +buffer for cmd should be released before returning. The +documentation for i2400m_msg_to_dev() says when it returns the buffer +can be reused. Meaning cmd should be released in either case. Move +kfree(cmd) before return to be reached by all execution paths. + +Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak") +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wimax/i2400m/op-rfkill.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c +index 8efb493ceec2f..5c79f052cad20 100644 +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -127,12 +127,12 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev, + "%d\n", result); + result = 0; + error_cmd: +- kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: + d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n", + wimax_dev, state, result); ++ kfree(cmd); + return result; + } + +-- +2.20.1 + diff --git a/queue-5.3/x86-efi-never-relocate-kernel-below-lowest-acceptabl.patch b/queue-5.3/x86-efi-never-relocate-kernel-below-lowest-acceptabl.patch new file mode 100644 index 00000000000..4e09094c22c --- /dev/null +++ b/queue-5.3/x86-efi-never-relocate-kernel-below-lowest-acceptabl.patch @@ -0,0 +1,193 @@ +From 70aa12b7d294b3fc3c2b7affab2e19f551ae2c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 18:37:54 +0100 +Subject: x86, efi: Never relocate kernel below lowest acceptable address + +From: Kairui Song + +[ Upstream commit 220dd7699c46d5940115bd797b01b2ab047c87b8 ] + +Currently, kernel fails to boot on some HyperV VMs when using EFI. +And it's a potential issue on all x86 platforms. + +It's caused by broken kernel relocation on EFI systems, when below three +conditions are met: + +1. Kernel image is not loaded to the default address (LOAD_PHYSICAL_ADDR) + by the loader. +2. There isn't enough room to contain the kernel, starting from the + default load address (eg. something else occupied part the region). +3. In the memmap provided by EFI firmware, there is a memory region + starts below LOAD_PHYSICAL_ADDR, and suitable for containing the + kernel. + +EFI stub will perform a kernel relocation when condition 1 is met. But +due to condition 2, EFI stub can't relocate kernel to the preferred +address, so it fallback to ask EFI firmware to alloc lowest usable memory +region, got the low region mentioned in condition 3, and relocated +kernel there. + +It's incorrect to relocate the kernel below LOAD_PHYSICAL_ADDR. This +is the lowest acceptable kernel relocation address. + +The first thing goes wrong is in arch/x86/boot/compressed/head_64.S. +Kernel decompression will force use LOAD_PHYSICAL_ADDR as the output +address if kernel is located below it. Then the relocation before +decompression, which move kernel to the end of the decompression buffer, +will overwrite other memory region, as there is no enough memory there. + +To fix it, just don't let EFI stub relocate the kernel to any address +lower than lowest acceptable address. + +[ ardb: introduce efi_low_alloc_above() to reduce the scope of the change ] + +Signed-off-by: Kairui Song +Signed-off-by: Ard Biesheuvel +Acked-by: Jarkko Sakkinen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191029173755.27149-6-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/eboot.c | 4 +++- + drivers/firmware/efi/libstub/arm32-stub.c | 2 +- + .../firmware/efi/libstub/efi-stub-helper.c | 24 ++++++++----------- + include/linux/efi.h | 18 ++++++++++++-- + 4 files changed, 30 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index d6662fdef3001..82bc60c8acb24 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + #include "../string.h" + #include "eboot.h" +@@ -813,7 +814,8 @@ efi_main(struct efi_config *c, struct boot_params *boot_params) + status = efi_relocate_kernel(sys_table, &bzimage_addr, + hdr->init_size, hdr->init_size, + hdr->pref_address, +- hdr->kernel_alignment); ++ hdr->kernel_alignment, ++ LOAD_PHYSICAL_ADDR); + if (status != EFI_SUCCESS) { + efi_printk(sys_table, "efi_relocate_kernel() failed!\n"); + goto fail; +diff --git a/drivers/firmware/efi/libstub/arm32-stub.c b/drivers/firmware/efi/libstub/arm32-stub.c +index ffa242ad0a82e..41213bf5fcf5e 100644 +--- a/drivers/firmware/efi/libstub/arm32-stub.c ++++ b/drivers/firmware/efi/libstub/arm32-stub.c +@@ -230,7 +230,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table, + *image_size = image->image_size; + status = efi_relocate_kernel(sys_table, image_addr, *image_size, + *image_size, +- kernel_base + MAX_UNCOMP_KERNEL_SIZE, 0); ++ kernel_base + MAX_UNCOMP_KERNEL_SIZE, 0, 0); + if (status != EFI_SUCCESS) { + pr_efi_err(sys_table, "Failed to relocate kernel.\n"); + efi_free(sys_table, *reserve_size, *reserve_addr); +diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c +index 3caae7f2cf567..35dbc2791c973 100644 +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -260,11 +260,11 @@ fail: + } + + /* +- * Allocate at the lowest possible address. ++ * Allocate at the lowest possible address that is not below 'min'. + */ +-efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, +- unsigned long size, unsigned long align, +- unsigned long *addr) ++efi_status_t efi_low_alloc_above(efi_system_table_t *sys_table_arg, ++ unsigned long size, unsigned long align, ++ unsigned long *addr, unsigned long min) + { + unsigned long map_size, desc_size, buff_size; + efi_memory_desc_t *map; +@@ -311,13 +311,8 @@ efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, + start = desc->phys_addr; + end = start + desc->num_pages * EFI_PAGE_SIZE; + +- /* +- * Don't allocate at 0x0. It will confuse code that +- * checks pointers against NULL. Skip the first 8 +- * bytes so we start at a nice even number. +- */ +- if (start == 0x0) +- start += 8; ++ if (start < min) ++ start = min; + + start = round_up(start, align); + if ((start + size) > end) +@@ -698,7 +693,8 @@ efi_status_t efi_relocate_kernel(efi_system_table_t *sys_table_arg, + unsigned long image_size, + unsigned long alloc_size, + unsigned long preferred_addr, +- unsigned long alignment) ++ unsigned long alignment, ++ unsigned long min_addr) + { + unsigned long cur_image_addr; + unsigned long new_addr = 0; +@@ -731,8 +727,8 @@ efi_status_t efi_relocate_kernel(efi_system_table_t *sys_table_arg, + * possible. + */ + if (status != EFI_SUCCESS) { +- status = efi_low_alloc(sys_table_arg, alloc_size, alignment, +- &new_addr); ++ status = efi_low_alloc_above(sys_table_arg, alloc_size, ++ alignment, &new_addr, min_addr); + } + if (status != EFI_SUCCESS) { + pr_efi_err(sys_table_arg, "Failed to allocate usable memory for kernel.\n"); +diff --git a/include/linux/efi.h b/include/linux/efi.h +index f87fabea4a859..b3a93f8e6e596 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1585,9 +1585,22 @@ char *efi_convert_cmdline(efi_system_table_t *sys_table_arg, + efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg, + struct efi_boot_memmap *map); + ++efi_status_t efi_low_alloc_above(efi_system_table_t *sys_table_arg, ++ unsigned long size, unsigned long align, ++ unsigned long *addr, unsigned long min); ++ ++static inline + efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, + unsigned long size, unsigned long align, +- unsigned long *addr); ++ unsigned long *addr) ++{ ++ /* ++ * Don't allocate at 0x0. It will confuse code that ++ * checks pointers against NULL. Skip the first 8 ++ * bytes so we start at a nice even number. ++ */ ++ return efi_low_alloc_above(sys_table_arg, size, align, addr, 0x8); ++} + + efi_status_t efi_high_alloc(efi_system_table_t *sys_table_arg, + unsigned long size, unsigned long align, +@@ -1598,7 +1611,8 @@ efi_status_t efi_relocate_kernel(efi_system_table_t *sys_table_arg, + unsigned long image_size, + unsigned long alloc_size, + unsigned long preferred_addr, +- unsigned long alignment); ++ unsigned long alignment, ++ unsigned long min_addr); + + efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg, + efi_loaded_image_t *image, +-- +2.20.1 + diff --git a/queue-5.3/xsk-fix-registration-of-rx-only-sockets.patch b/queue-5.3/xsk-fix-registration-of-rx-only-sockets.patch new file mode 100644 index 00000000000..b68b076cd0d --- /dev/null +++ b/queue-5.3/xsk-fix-registration-of-rx-only-sockets.patch @@ -0,0 +1,60 @@ +From 1a88f389332cb3b07b3ee67d69730a7a7fd9d40f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 10:16:58 +0200 +Subject: xsk: Fix registration of Rx-only sockets + +From: Magnus Karlsson + +[ Upstream commit 2afd23f78f39da84937006ecd24aa664a4ab052b ] + +Having Rx-only AF_XDP sockets can potentially lead to a crash in the +system by a NULL pointer dereference in xsk_umem_consume_tx(). This +function iterates through a list of all sockets tied to a umem and +checks if there are any packets to send on the Tx ring. Rx-only +sockets do not have a Tx ring, so this will cause a NULL pointer +dereference. This will happen if you have registered one or more +Rx-only sockets to a umem and the driver is checking the Tx ring even +on Rx, or if the XDP_SHARED_UMEM mode is used and there is a mix of +Rx-only and other sockets tied to the same umem. + +Fixed by only putting sockets with a Tx component on the list that +xsk_umem_consume_tx() iterates over. + +Fixes: ac98d8aab61b ("xsk: wire upp Tx zero-copy functions") +Reported-by: Kal Cutter Conley +Signed-off-by: Magnus Karlsson +Signed-off-by: Alexei Starovoitov +Acked-by: Jonathan Lemon +Link: https://lore.kernel.org/bpf/1571645818-16244-1-git-send-email-magnus.karlsson@intel.com +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 688aac7a6943a..182f9eb48dde9 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -26,6 +26,9 @@ void xdp_add_sk_umem(struct xdp_umem *umem, struct xdp_sock *xs) + { + unsigned long flags; + ++ if (!xs->tx) ++ return; ++ + spin_lock_irqsave(&umem->xsk_list_lock, flags); + list_add_rcu(&xs->list, &umem->xsk_list); + spin_unlock_irqrestore(&umem->xsk_list_lock, flags); +@@ -35,6 +38,9 @@ void xdp_del_sk_umem(struct xdp_umem *umem, struct xdp_sock *xs) + { + unsigned long flags; + ++ if (!xs->tx) ++ return; ++ + spin_lock_irqsave(&umem->xsk_list_lock, flags); + list_del_rcu(&xs->list); + spin_unlock_irqrestore(&umem->xsk_list_lock, flags); +-- +2.20.1 +