From: Sasha Levin Date: Mon, 13 May 2019 18:42:40 +0000 (-0400) Subject: autosel fixes for 5.0 X-Git-Tag: v5.1.2~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8179894696b1c478b691e6dbb8d4530defa05c2d;p=thirdparty%2Fkernel%2Fstable-queue.git autosel fixes for 5.0 Signed-off-by: Sasha Levin --- diff --git a/queue-5.0/acpi-nfit-always-dump-_dsm-output-payload.patch b/queue-5.0/acpi-nfit-always-dump-_dsm-output-payload.patch new file mode 100644 index 00000000000..e37890d27c4 --- /dev/null +++ b/queue-5.0/acpi-nfit-always-dump-_dsm-output-payload.patch @@ -0,0 +1,52 @@ +From 887cd8a880f552e02b7878e3399010c7379fbe59 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 12 Mar 2019 12:28:03 -0700 +Subject: acpi/nfit: Always dump _DSM output payload + +[ Upstream commit 351f339faa308c1c1461314a18c832239a841ca0 ] + +The dynamic-debug statements for command payload output only get emitted +when the command is not ND_CMD_CALL. Move the output payload dumping +ahead of the early return path for ND_CMD_CALL. + +Fixes: 31eca76ba2fc9 ("...whitelisted dimm command marshaling mechanism") +Reported-by: Vishal Verma +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/acpi/nfit/core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index 4be4dc3e8aa62..38ec79bb3edde 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -563,6 +563,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + goto out; + } + ++ dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name, ++ cmd_name, out_obj->buffer.length); ++ print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4, ++ out_obj->buffer.pointer, ++ min_t(u32, 128, out_obj->buffer.length), true); ++ + if (call_pkg) { + call_pkg->nd_fw_size = out_obj->buffer.length; + memcpy(call_pkg->nd_payload + call_pkg->nd_size_in, +@@ -581,12 +587,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + return 0; + } + +- dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name, +- cmd_name, out_obj->buffer.length); +- print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4, +- out_obj->buffer.pointer, +- min_t(u32, 128, out_obj->buffer.length), true); +- + for (i = 0, offset = 0; i < desc->out_num; i++) { + u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf, + (u32 *) out_obj->buffer.pointer, +-- +2.20.1 + diff --git a/queue-5.0/afs-fix-in-progess-ops-to-ignore-server-level-callba.patch b/queue-5.0/afs-fix-in-progess-ops-to-ignore-server-level-callba.patch new file mode 100644 index 00000000000..6dec339faee --- /dev/null +++ b/queue-5.0/afs-fix-in-progess-ops-to-ignore-server-level-callba.patch @@ -0,0 +1,170 @@ +From 764c2884d1dc5d7e1edd2f1c7aabaaa9b55af9ae Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Sat, 13 Apr 2019 08:37:37 +0100 +Subject: afs: Fix in-progess ops to ignore server-level callback invalidation + +[ Upstream commit eeba1e9cf31d064284dd1fa7bd6cfe01395bd03d ] + +The in-kernel afs filesystem client counts the number of server-level +callback invalidation events (CB.InitCallBackState* RPC operations) that it +receives from the server. This is stored in cb_s_break in various +structures, including afs_server and afs_vnode. + +If an inode is examined by afs_validate(), say, the afs_server copy is +compared, along with other break counters, to those in afs_vnode, and if +one or more of the counters do not match, it is considered that the +server's callback promise is broken. At points where this happens, +AFS_VNODE_CB_PROMISED is cleared to indicate that the status must be +refetched from the server. + +afs_validate() issues an FS.FetchStatus operation to get updated metadata - +and based on the updated data_version may invalidate the pagecache too. + +However, the break counters are also used to determine whether to note a +new callback in the vnode (which would set the AFS_VNODE_CB_PROMISED flag) +and whether to cache the permit data included in the YFSFetchStatus record +by the server. + +The problem comes when the server sends us a CB.InitCallBackState op. The +first such instance doesn't cause cb_s_break to be incremented, but rather +causes AFS_SERVER_FL_NEW to be cleared - but thereafter, say some hours +after last use and all the volumes have been automatically unmounted and +the server has forgotten about the client[*], this *will* likely cause an +increment. + + [*] There are other circumstances too, such as the server restarting or + needing to make space in its callback table. + +Note that the server won't send us a CB.InitCallBackState op until we talk +to it again. + +So what happens is: + + (1) A mount for a new volume is attempted, a inode is created for the root + vnode and vnode->cb_s_break and AFS_VNODE_CB_PROMISED aren't set + immediately, as we don't have a nominated server to talk to yet - and + we may iterate through a few to find one. + + (2) Before the operation happens, afs_fetch_status(), say, notes in the + cursor (fc.cb_break) the break counter sum from the vnode, volume and + server counters, but the server->cb_s_break is currently 0. + + (3) We send FS.FetchStatus to the server. The server sends us back + CB.InitCallBackState. We increment server->cb_s_break. + + (4) Our FS.FetchStatus completes. The reply includes a callback record. + + (5) xdr_decode_AFSCallBack()/xdr_decode_YFSCallBack() check to see whether + the callback promise was broken by checking the break counter sum from + step (2) against the current sum. + + This fails because of step (3), so we don't set the callback record + and, importantly, don't set AFS_VNODE_CB_PROMISED on the vnode. + +This does not preclude the syscall from progressing, and we don't loop here +rechecking the status, but rather assume it's good enough for one round +only and will need to be rechecked next time. + + (6) afs_validate() it triggered on the vnode, probably called from + d_revalidate() checking the parent directory. + + (7) afs_validate() notes that AFS_VNODE_CB_PROMISED isn't set, so doesn't + update vnode->cb_s_break and assumes the vnode to be invalid. + + (8) afs_validate() needs to calls afs_fetch_status(). Go back to step (2) + and repeat, every time the vnode is validated. + +This primarily affects volume root dir vnodes. Everything subsequent to +those inherit an already incremented cb_s_break upon mounting. + +The issue is that we assume that the callback record and the cached permit +information in a reply from the server can't be trusted after getting a +server break - but this is wrong since the server makes sure things are +done in the right order, holding up our ops if necessary[*]. + + [*] There is an extremely unlikely scenario where a reply from before the + CB.InitCallBackState could get its delivery deferred till after - at + which point we think we have a promise when we don't. This, however, + requires unlucky mass packet loss to one call. + +AFS_SERVER_FL_NEW tries to paper over the cracks for the initial mount from +a server we've never contacted before, but this should be unnecessary. +It's also further insulated from the problem on an initial mount by +querying the server first with FS.GetCapabilities, which triggers the +CB.InitCallBackState. + +Fix this by + + (1) Remove AFS_SERVER_FL_NEW. + + (2) In afs_calc_vnode_cb_break(), don't include cb_s_break in the + calculation. + + (3) In afs_cb_is_broken(), don't include cb_s_break in the check. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/callback.c | 3 +-- + fs/afs/internal.h | 4 +--- + fs/afs/server.c | 1 - + 3 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/fs/afs/callback.c b/fs/afs/callback.c +index 1c7955f5cdaf2..128f2dbe256a4 100644 +--- a/fs/afs/callback.c ++++ b/fs/afs/callback.c +@@ -203,8 +203,7 @@ void afs_put_cb_interest(struct afs_net *net, struct afs_cb_interest *cbi) + */ + void afs_init_callback_state(struct afs_server *server) + { +- if (!test_and_clear_bit(AFS_SERVER_FL_NEW, &server->flags)) +- server->cb_s_break++; ++ server->cb_s_break++; + } + + /* +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 8871b9e8645f1..465526f495b01 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -475,7 +475,6 @@ struct afs_server { + time64_t put_time; /* Time at which last put */ + time64_t update_at; /* Time at which to next update the record */ + unsigned long flags; +-#define AFS_SERVER_FL_NEW 0 /* New server, don't inc cb_s_break */ + #define AFS_SERVER_FL_NOT_READY 1 /* The record is not ready for use */ + #define AFS_SERVER_FL_NOT_FOUND 2 /* VL server says no such server */ + #define AFS_SERVER_FL_VL_FAIL 3 /* Failed to access VL server */ +@@ -828,7 +827,7 @@ static inline struct afs_cb_interest *afs_get_cb_interest(struct afs_cb_interest + + static inline unsigned int afs_calc_vnode_cb_break(struct afs_vnode *vnode) + { +- return vnode->cb_break + vnode->cb_s_break + vnode->cb_v_break; ++ return vnode->cb_break + vnode->cb_v_break; + } + + static inline bool afs_cb_is_broken(unsigned int cb_break, +@@ -836,7 +835,6 @@ static inline bool afs_cb_is_broken(unsigned int cb_break, + const struct afs_cb_interest *cbi) + { + return !cbi || cb_break != (vnode->cb_break + +- cbi->server->cb_s_break + + vnode->volume->cb_v_break); + } + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index 642afa2e9783c..65b33b6da48b9 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -226,7 +226,6 @@ static struct afs_server *afs_alloc_server(struct afs_net *net, + RCU_INIT_POINTER(server->addresses, alist); + server->addr_version = alist->version; + server->uuid = *uuid; +- server->flags = (1UL << AFS_SERVER_FL_NEW); + server->update_at = ktime_get_real_seconds() + afs_server_update_delay; + rwlock_init(&server->fs_lock); + INIT_HLIST_HEAD(&server->cb_volumes); +-- +2.20.1 + diff --git a/queue-5.0/afs-unlock-pages-for-__pagevec_release.patch b/queue-5.0/afs-unlock-pages-for-__pagevec_release.patch new file mode 100644 index 00000000000..745a38bc68a --- /dev/null +++ b/queue-5.0/afs-unlock-pages-for-__pagevec_release.patch @@ -0,0 +1,36 @@ +From 5219b4becbf26f799511e60bbdb956cff3986391 Mon Sep 17 00:00:00 2001 +From: Marc Dionne +Date: Sat, 13 Apr 2019 08:37:37 +0100 +Subject: afs: Unlock pages for __pagevec_release() + +[ Upstream commit 21bd68f196ca91fc0f3d9bd1b32f6e530e8c1c88 ] + +__pagevec_release() complains loudly if any page in the vector is still +locked. The pages need to be locked for generic_error_remove_page(), but +that function doesn't actually unlock them. + +Unlock the pages afterwards. + +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Tested-by: Jonathan Billings +Signed-off-by: Sasha Levin +--- + fs/afs/write.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 72efcfcf9f95e..0122d7445fba1 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -264,6 +264,7 @@ static void afs_kill_pages(struct address_space *mapping, + first = page->index + 1; + lock_page(page); + generic_error_remove_page(mapping, page); ++ unlock_page(page); + } + + __pagevec_release(&pv); +-- +2.20.1 + diff --git a/queue-5.0/arm-8856-1-nommu-fix-ccr-register-faulty-initializat.patch b/queue-5.0/arm-8856-1-nommu-fix-ccr-register-faulty-initializat.patch new file mode 100644 index 00000000000..6ce08ef9866 --- /dev/null +++ b/queue-5.0/arm-8856-1-nommu-fix-ccr-register-faulty-initializat.patch @@ -0,0 +1,39 @@ +From d8ca9c5bb9119153e04a04d19a3886fcb746fa57 Mon Sep 17 00:00:00 2001 +From: Tigran Tadevosyan +Date: Fri, 5 Apr 2019 14:16:13 +0100 +Subject: ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU + is disabled + +[ Upstream commit c3143967807adb1357c36b68a7563fc0c4e1f615 ] + +When CONFIG_ARM_MPU is not defined, the base address of v7M SCB register +is not initialized with correct value. This prevents enabling I/D caches +when the L1 cache poilcy is applied in kernel. + +Fixes: 3c24121039c9da14692eb48f6e39565b28c0f3cf ("ARM: 8756/1: NOMMU: Postpone MPU activation till __after_proc_init") +Signed-off-by: Tigran Tadevosyan +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/head-nommu.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/head-nommu.S b/arch/arm/kernel/head-nommu.S +index ec29de2500764..cab89479d15ef 100644 +--- a/arch/arm/kernel/head-nommu.S ++++ b/arch/arm/kernel/head-nommu.S +@@ -133,9 +133,9 @@ __secondary_data: + */ + .text + __after_proc_init: +-#ifdef CONFIG_ARM_MPU + M_CLASS(movw r12, #:lower16:BASEADDR_V7M_SCB) + M_CLASS(movt r12, #:upper16:BASEADDR_V7M_SCB) ++#ifdef CONFIG_ARM_MPU + M_CLASS(ldr r3, [r12, 0x50]) + AR_CLASS(mrc p15, 0, r3, c0, c1, 4) @ Read ID_MMFR0 + and r3, r3, #(MMFR0_PMSA) @ PMSA field +-- +2.20.1 + diff --git a/queue-5.0/arm-fix-function-graph-tracer-and-unwinder-dependenc.patch b/queue-5.0/arm-fix-function-graph-tracer-and-unwinder-dependenc.patch new file mode 100644 index 00000000000..b0f3548e97a --- /dev/null +++ b/queue-5.0/arm-fix-function-graph-tracer-and-unwinder-dependenc.patch @@ -0,0 +1,72 @@ +From 26c775c98b9eaa9a13e4388555b7c67655fc0c46 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 23 Apr 2019 17:09:38 +0100 +Subject: ARM: fix function graph tracer and unwinder dependencies + +[ Upstream commit 503621628b32782a07b2318e4112bd4372aa3401 ] + +Naresh Kamboju recently reported that the function-graph tracer crashes +on ARM. The function-graph tracer assumes that the kernel is built with +frame pointers. + +We explicitly disabled the function-graph tracer when building Thumb2, +since the Thumb2 ABI doesn't have frame pointers. + +We recently changed the way the unwinder method was selected, which +seems to have made it more likely that we can end up with the function- +graph tracer enabled but without the kernel built with frame pointers. + +Fix up the function graph tracer dependencies so the option is not +available when we have no possibility of having frame pointers, and +adjust the dependencies on the unwinder option to hide the non-frame +pointer unwinder options if the function-graph tracer is enabled. + +Reviewed-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 2 +- + arch/arm/Kconfig.debug | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index e5d56d9b712c2..3b353af9c48dc 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -69,7 +69,7 @@ config ARM + select HAVE_EFFICIENT_UNALIGNED_ACCESS if (CPU_V6 || CPU_V6K || CPU_V7) && MMU + select HAVE_EXIT_THREAD + select HAVE_FTRACE_MCOUNT_RECORD if !XIP_KERNEL +- select HAVE_FUNCTION_GRAPH_TRACER if !THUMB2_KERNEL ++ select HAVE_FUNCTION_GRAPH_TRACER if !THUMB2_KERNEL && !CC_IS_CLANG + select HAVE_FUNCTION_TRACER if !XIP_KERNEL + select HAVE_GCC_PLUGINS + select HAVE_GENERIC_DMA_COHERENT +diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug +index 6d6e0330930b5..e388af4594a6e 100644 +--- a/arch/arm/Kconfig.debug ++++ b/arch/arm/Kconfig.debug +@@ -47,8 +47,8 @@ config DEBUG_WX + + choice + prompt "Choose kernel unwinder" +- default UNWINDER_ARM if AEABI && !FUNCTION_GRAPH_TRACER +- default UNWINDER_FRAME_POINTER if !AEABI || FUNCTION_GRAPH_TRACER ++ default UNWINDER_ARM if AEABI ++ default UNWINDER_FRAME_POINTER if !AEABI + help + This determines which method will be used for unwinding kernel stack + traces for panics, oopses, bugs, warnings, perf, /proc//stack, +@@ -65,7 +65,7 @@ config UNWINDER_FRAME_POINTER + + config UNWINDER_ARM + bool "ARM EABI stack unwinder" +- depends on AEABI ++ depends on AEABI && !FUNCTION_GRAPH_TRACER + select ARM_UNWIND + help + This option enables stack unwinding support in the kernel +-- +2.20.1 + diff --git a/queue-5.0/arm64-module-ftrace-deal-with-place-relative-nature-.patch b/queue-5.0/arm64-module-ftrace-deal-with-place-relative-nature-.patch new file mode 100644 index 00000000000..0174a8b8584 --- /dev/null +++ b/queue-5.0/arm64-module-ftrace-deal-with-place-relative-nature-.patch @@ -0,0 +1,49 @@ +From 9df378e2bb9616efba8df7945e5345965928faf8 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 12 Apr 2019 23:59:25 -0700 +Subject: arm64/module: ftrace: deal with place relative nature of PLTs + +[ Upstream commit 4e69ecf4da1ee0b2ac735e1f1bb13935acd5a38d ] + +Another bodge for the ftrace PLT code: plt_entries_equal() now takes +the place relative nature of the ADRP/ADD based PLT entries into +account, which means that a struct trampoline instance on the stack +is no longer equal to the same set of opcodes in the module struct, +given that they don't point to the same place in memory anymore. + +Work around this by using memcmp() in the ftrace PLT handling code. + +Acked-by: Will Deacon +Tested-by: dann frazier +Signed-off-by: Ard Biesheuvel +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/ftrace.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c +index 07b2981201820..65a51331088eb 100644 +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -103,10 +103,15 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr) + * to be revisited if support for multiple ftrace entry points + * is added in the future, but for now, the pr_err() below + * deals with a theoretical issue only. ++ * ++ * Note that PLTs are place relative, and plt_entries_equal() ++ * checks whether they point to the same target. Here, we need ++ * to check if the actual opcodes are in fact identical, ++ * regardless of the offset in memory so use memcmp() instead. + */ + trampoline = get_plt_entry(addr, mod->arch.ftrace_trampoline); +- if (!plt_entries_equal(mod->arch.ftrace_trampoline, +- &trampoline)) { ++ if (memcmp(mod->arch.ftrace_trampoline, &trampoline, ++ sizeof(trampoline))) { + if (plt_entry_is_initialized(mod->arch.ftrace_trampoline)) { + pr_err("ftrace: far branches to multiple entry points unsupported inside a single module\n"); + return -EINVAL; +-- +2.20.1 + diff --git a/queue-5.0/bpf-only-test-gso-type-on-gso-packets.patch b/queue-5.0/bpf-only-test-gso-type-on-gso-packets.patch new file mode 100644 index 00000000000..3cb7a0560c7 --- /dev/null +++ b/queue-5.0/bpf-only-test-gso-type-on-gso-packets.patch @@ -0,0 +1,81 @@ +From c2f00e9664a0b9d52b8a60edf35b01a32b356683 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Wed, 6 Mar 2019 14:35:15 -0500 +Subject: bpf: only test gso type on gso packets + +[ Upstream commit 4c3024debf62de4c6ac6d3cb4c0063be21d4f652 ] + +BPF can adjust gso only for tcp bytestreams. Fail on other gso types. + +But only on gso packets. It does not touch this field if !gso_size. + +Fixes: b90efd225874 ("bpf: only adjust gso_size on bytestream protocols") +Signed-off-by: Willem de Bruijn +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 4 ++-- + net/core/filter.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index bdb9563c64a01..b8679dcba96f8 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4212,10 +4212,10 @@ static inline bool skb_is_gso_sctp(const struct sk_buff *skb) + return skb_shinfo(skb)->gso_type & SKB_GSO_SCTP; + } + ++/* Note: Should be called only if skb_is_gso(skb) is true */ + static inline bool skb_is_gso_tcp(const struct sk_buff *skb) + { +- return skb_is_gso(skb) && +- skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6); ++ return skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6); + } + + static inline void skb_gso_reset(struct sk_buff *skb) +diff --git a/net/core/filter.c b/net/core/filter.c +index f7d0004fc1609..ff07996515f2d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2789,7 +2789,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) + u32 off = skb_mac_header_len(skb); + int ret; + +- if (!skb_is_gso_tcp(skb)) ++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_cow(skb, len_diff); +@@ -2830,7 +2830,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) + u32 off = skb_mac_header_len(skb); + int ret; + +- if (!skb_is_gso_tcp(skb)) ++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_unclone(skb, GFP_ATOMIC); +@@ -2955,7 +2955,7 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff) + u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); + int ret; + +- if (!skb_is_gso_tcp(skb)) ++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_cow(skb, len_diff); +@@ -2984,7 +2984,7 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff) + u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); + int ret; + +- if (!skb_is_gso_tcp(skb)) ++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_unclone(skb, GFP_ATOMIC); +-- +2.20.1 + diff --git a/queue-5.0/ceph-handle-the-case-where-a-dentry-has-been-renamed.patch b/queue-5.0/ceph-handle-the-case-where-a-dentry-has-been-renamed.patch new file mode 100644 index 00000000000..dac32225014 --- /dev/null +++ b/queue-5.0/ceph-handle-the-case-where-a-dentry-has-been-renamed.patch @@ -0,0 +1,62 @@ +From aa11d7001062610d545f09985c32976537d30544 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 15 Apr 2019 12:00:42 -0400 +Subject: ceph: handle the case where a dentry has been renamed on outstanding + req + +[ Upstream commit 4b8222870032715f9d995f3eb7c7acd8379a275d ] + +It's possible for us to issue a lookup to revalidate a dentry +concurrently with a rename. If done in the right order, then we could +end up processing dentry info in the reply that no longer reflects the +state of the dentry. + +If req->r_dentry->d_name differs from the one in the trace, then just +ignore the trace in the reply. We only need to do this however if the +parent's i_rwsem is not held. + +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/inode.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index f7f9e305aaf87..fd3db2e112d6e 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1152,6 +1152,19 @@ static int splice_dentry(struct dentry **pdn, struct inode *in) + return 0; + } + ++static int d_name_cmp(struct dentry *dentry, const char *name, size_t len) ++{ ++ int ret; ++ ++ /* take d_lock to ensure dentry->d_name stability */ ++ spin_lock(&dentry->d_lock); ++ ret = dentry->d_name.len - len; ++ if (!ret) ++ ret = memcmp(dentry->d_name.name, name, len); ++ spin_unlock(&dentry->d_lock); ++ return ret; ++} ++ + /* + * Incorporate results into the local cache. This is either just + * one inode, or a directory, dentry, and possibly linked-to inode (e.g., +@@ -1401,7 +1414,8 @@ int ceph_fill_trace(struct super_block *sb, struct ceph_mds_request *req) + err = splice_dentry(&req->r_dentry, in); + if (err < 0) + goto done; +- } else if (rinfo->head->is_dentry) { ++ } else if (rinfo->head->is_dentry && ++ !d_name_cmp(req->r_dentry, rinfo->dname, rinfo->dname_len)) { + struct ceph_vino *ptvino = NULL; + + if ((le32_to_cpu(rinfo->diri.in->cap.caps) & CEPH_CAP_FILE_SHARED) || +-- +2.20.1 + diff --git a/queue-5.0/cfg80211-handle-wmm-rules-in-regulatory-domain-inter.patch b/queue-5.0/cfg80211-handle-wmm-rules-in-regulatory-domain-inter.patch new file mode 100644 index 00000000000..ee31279d6ae --- /dev/null +++ b/queue-5.0/cfg80211-handle-wmm-rules-in-regulatory-domain-inter.patch @@ -0,0 +1,93 @@ +From 9f7b50168622ca618333fd21df02ea9952dba4bc Mon Sep 17 00:00:00 2001 +From: Ilan Peer +Date: Fri, 15 Mar 2019 17:39:00 +0200 +Subject: cfg80211: Handle WMM rules in regulatory domain intersection + +[ Upstream commit 08a75a887ee46828b54600f4bb7068d872a5edd5 ] + +The support added for regulatory WMM rules did not handle +the case of regulatory domain intersections. Fix it. + +Signed-off-by: Ilan Peer +Fixes: 230ebaa189af ("cfg80211: read wmm rules from regulatory database") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index dd58b9909ac99..649c89946dec1 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -1298,6 +1298,16 @@ reg_intersect_dfs_region(const enum nl80211_dfs_regions dfs_region1, + return dfs_region1; + } + ++static void reg_wmm_rules_intersect(const struct ieee80211_wmm_ac *wmm_ac1, ++ const struct ieee80211_wmm_ac *wmm_ac2, ++ struct ieee80211_wmm_ac *intersect) ++{ ++ intersect->cw_min = max_t(u16, wmm_ac1->cw_min, wmm_ac2->cw_min); ++ intersect->cw_max = max_t(u16, wmm_ac1->cw_max, wmm_ac2->cw_max); ++ intersect->cot = min_t(u16, wmm_ac1->cot, wmm_ac2->cot); ++ intersect->aifsn = max_t(u8, wmm_ac1->aifsn, wmm_ac2->aifsn); ++} ++ + /* + * Helper for regdom_intersect(), this does the real + * mathematical intersection fun +@@ -1312,6 +1322,8 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1, + struct ieee80211_freq_range *freq_range; + const struct ieee80211_power_rule *power_rule1, *power_rule2; + struct ieee80211_power_rule *power_rule; ++ const struct ieee80211_wmm_rule *wmm_rule1, *wmm_rule2; ++ struct ieee80211_wmm_rule *wmm_rule; + u32 freq_diff, max_bandwidth1, max_bandwidth2; + + freq_range1 = &rule1->freq_range; +@@ -1322,6 +1334,10 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1, + power_rule2 = &rule2->power_rule; + power_rule = &intersected_rule->power_rule; + ++ wmm_rule1 = &rule1->wmm_rule; ++ wmm_rule2 = &rule2->wmm_rule; ++ wmm_rule = &intersected_rule->wmm_rule; ++ + freq_range->start_freq_khz = max(freq_range1->start_freq_khz, + freq_range2->start_freq_khz); + freq_range->end_freq_khz = min(freq_range1->end_freq_khz, +@@ -1365,6 +1381,29 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1, + intersected_rule->dfs_cac_ms = max(rule1->dfs_cac_ms, + rule2->dfs_cac_ms); + ++ if (rule1->has_wmm && rule2->has_wmm) { ++ u8 ac; ++ ++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { ++ reg_wmm_rules_intersect(&wmm_rule1->client[ac], ++ &wmm_rule2->client[ac], ++ &wmm_rule->client[ac]); ++ reg_wmm_rules_intersect(&wmm_rule1->ap[ac], ++ &wmm_rule2->ap[ac], ++ &wmm_rule->ap[ac]); ++ } ++ ++ intersected_rule->has_wmm = true; ++ } else if (rule1->has_wmm) { ++ *wmm_rule = *wmm_rule1; ++ intersected_rule->has_wmm = true; ++ } else if (rule2->has_wmm) { ++ *wmm_rule = *wmm_rule2; ++ intersected_rule->has_wmm = true; ++ } else { ++ intersected_rule->has_wmm = false; ++ } ++ + if (!is_valid_reg_rule(intersected_rule)) + return -EINVAL; + +-- +2.20.1 + diff --git a/queue-5.0/clocksource-drivers-npcm-select-timer_of.patch b/queue-5.0/clocksource-drivers-npcm-select-timer_of.patch new file mode 100644 index 00000000000..3f7c3b372a7 --- /dev/null +++ b/queue-5.0/clocksource-drivers-npcm-select-timer_of.patch @@ -0,0 +1,35 @@ +From db45233e26be769174428fd44f6ca990f08fe132 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 5 Mar 2019 14:24:48 +0100 +Subject: clocksource/drivers/npcm: select TIMER_OF + +[ Upstream commit 99834eead2a04e93a120abb112542b87c42ff5e1 ] + +When this is disabled, we get a link failure: + +drivers/clocksource/timer-npcm7xx.o: In function `npcm7xx_timer_init': +timer-npcm7xx.c:(.init.text+0xf): undefined reference to `timer_of_init' + +Fixes: 1c00289ecd12 ("clocksource/drivers/npcm: Add NPCM7xx timer driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig +index 8dfd3bc448d04..9df90daa9c030 100644 +--- a/drivers/clocksource/Kconfig ++++ b/drivers/clocksource/Kconfig +@@ -144,6 +144,7 @@ config VT8500_TIMER + config NPCM7XX_TIMER + bool "NPCM7xx timer driver" if COMPILE_TEST + depends on HAS_IOMEM ++ select TIMER_OF + select CLKSRC_MMIO + help + Enable 24-bit TIMER0 and TIMER1 counters in the NPCM7xx architecture, +-- +2.20.1 + diff --git a/queue-5.0/clocksource-drivers-oxnas-fix-ox820-compatible.patch b/queue-5.0/clocksource-drivers-oxnas-fix-ox820-compatible.patch new file mode 100644 index 00000000000..86889974b40 --- /dev/null +++ b/queue-5.0/clocksource-drivers-oxnas-fix-ox820-compatible.patch @@ -0,0 +1,31 @@ +From ab66aaec1bdd775b0a96ca0d4b935f7c474cbc69 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Tue, 12 Mar 2019 11:32:56 +0100 +Subject: clocksource/drivers/oxnas: Fix OX820 compatible + +[ Upstream commit fbc87aa0f7c429999dc31f1bac3b2615008cac32 ] + +The OX820 compatible is wrong is the driver, fix it. + +Fixes: 2ea3401e2a84 ("clocksource/drivers/oxnas: Add OX820 compatible") +Reported-by: Daniel Golle +Signed-off-by: Neil Armstrong +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-oxnas-rps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c +index eed6feff8b5f2..30c6f4ce672b3 100644 +--- a/drivers/clocksource/timer-oxnas-rps.c ++++ b/drivers/clocksource/timer-oxnas-rps.c +@@ -296,4 +296,4 @@ static int __init oxnas_rps_timer_init(struct device_node *np) + TIMER_OF_DECLARE(ox810se_rps, + "oxsemi,ox810se-rps-timer", oxnas_rps_timer_init); + TIMER_OF_DECLARE(ox820_rps, +- "oxsemi,ox820se-rps-timer", oxnas_rps_timer_init); ++ "oxsemi,ox820-rps-timer", oxnas_rps_timer_init); +-- +2.20.1 + diff --git a/queue-5.0/dmaengine-bcm2835-avoid-gfp_kernel-in-device_prep_sl.patch b/queue-5.0/dmaengine-bcm2835-avoid-gfp_kernel-in-device_prep_sl.patch new file mode 100644 index 00000000000..eadcdb85c6f --- /dev/null +++ b/queue-5.0/dmaengine-bcm2835-avoid-gfp_kernel-in-device_prep_sl.patch @@ -0,0 +1,41 @@ +From 944f20abed6f83a813bc8e594c71b085ac375d9f Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Mon, 1 Apr 2019 20:38:19 +0200 +Subject: dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg + +[ Upstream commit f147384774a7b24dda4783a3dcd61af272757ea8 ] + +The commit af19b7ce76ba ("mmc: bcm2835: Avoid possible races on +data requests") introduces a possible circular locking dependency, +which is triggered by swapping to the sdhost interface. + +So instead of reintroduce the race condition again, we could also +avoid this situation by using GFP_NOWAIT for the allocation of the +DMA buffer descriptors. + +Reported-by: Aaro Koskinen +Signed-off-by: Stefan Wahren +Fixes: af19b7ce76ba ("mmc: bcm2835: Avoid possible races on data requests") +Link: http://lists.infradead.org/pipermail/linux-rpi-kernel/2019-March/008615.html +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/bcm2835-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/bcm2835-dma.c b/drivers/dma/bcm2835-dma.c +index ae10f5614f953..bf51192036378 100644 +--- a/drivers/dma/bcm2835-dma.c ++++ b/drivers/dma/bcm2835-dma.c +@@ -674,7 +674,7 @@ static struct dma_async_tx_descriptor *bcm2835_dma_prep_slave_sg( + d = bcm2835_dma_create_cb_chain(chan, direction, false, + info, extra, + frames, src, dst, 0, 0, +- GFP_KERNEL); ++ GFP_NOWAIT); + if (!d) + return NULL; + +-- +2.20.1 + diff --git a/queue-5.0/drm-amd-display-extending-aux-sw-timeout.patch b/queue-5.0/drm-amd-display-extending-aux-sw-timeout.patch new file mode 100644 index 00000000000..dfc2f7195c3 --- /dev/null +++ b/queue-5.0/drm-amd-display-extending-aux-sw-timeout.patch @@ -0,0 +1,76 @@ +From 68e21c6c44e19c77565a2756e29e40a324726bc7 Mon Sep 17 00:00:00 2001 +From: Martin Leung +Date: Tue, 26 Mar 2019 13:14:11 -0400 +Subject: drm/amd/display: extending AUX SW Timeout + +[ Upstream commit f4bbebf8e7eb4d294b040ab2d2ba71e70e69b930 ] + +[Why] +AUX takes longer to reply when using active DP-DVI dongle on some asics +resulting in up to 2000+ us edid read (timeout). + +[How] +1. Adjust AUX poll to match spec +2. Extend the SW timeout. This does not affect normal +operation since we exit the loop as soon as AUX acks. + +Signed-off-by: Martin Leung +Reviewed-by: Jun Lei +Acked-by: Joshua Aberback +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_aux.c | 9 ++++++--- + drivers/gpu/drm/amd/display/dc/dce/dce_aux.h | 6 +++--- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c +index aaeb7faac0c43..e0fff5744b5f6 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c +@@ -189,6 +189,12 @@ static void submit_channel_request( + 1, + 0); + } ++ ++ REG_UPDATE(AUX_INTERRUPT_CONTROL, AUX_SW_DONE_ACK, 1); ++ ++ REG_WAIT(AUX_SW_STATUS, AUX_SW_DONE, 0, ++ 10, aux110->timeout_period/10); ++ + /* set the delay and the number of bytes to write */ + + /* The length include +@@ -241,9 +247,6 @@ static void submit_channel_request( + } + } + +- REG_UPDATE(AUX_INTERRUPT_CONTROL, AUX_SW_DONE_ACK, 1); +- REG_WAIT(AUX_SW_STATUS, AUX_SW_DONE, 0, +- 10, aux110->timeout_period/10); + REG_UPDATE(AUX_SW_CONTROL, AUX_SW_GO, 1); + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h +index f7caab85dc801..2c6f50b4245a4 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h +@@ -69,11 +69,11 @@ enum { /* This is the timeout as defined in DP 1.2a, + * at most within ~240usec. That means, + * increasing this timeout will not affect normal operation, + * and we'll timeout after +- * SW_AUX_TIMEOUT_PERIOD_MULTIPLIER * AUX_TIMEOUT_PERIOD = 1600usec. ++ * SW_AUX_TIMEOUT_PERIOD_MULTIPLIER * AUX_TIMEOUT_PERIOD = 2400usec. + * This timeout is especially important for +- * resume from S3 and CTS. ++ * converters, resume from S3, and CTS. + */ +- SW_AUX_TIMEOUT_PERIOD_MULTIPLIER = 4 ++ SW_AUX_TIMEOUT_PERIOD_MULTIPLIER = 6 + }; + struct aux_engine_dce110 { + struct aux_engine base; +-- +2.20.1 + diff --git a/queue-5.0/drm-amd-display-if-one-stream-full-updates-full-upda.patch b/queue-5.0/drm-amd-display-if-one-stream-full-updates-full-upda.patch new file mode 100644 index 00000000000..8114d32234a --- /dev/null +++ b/queue-5.0/drm-amd-display-if-one-stream-full-updates-full-upda.patch @@ -0,0 +1,120 @@ +From 433fb4932ff2143e4f276879f5f21b1980c48452 Mon Sep 17 00:00:00 2001 +From: David Francis +Date: Fri, 29 Mar 2019 13:23:15 -0400 +Subject: drm/amd/display: If one stream full updates, full update all planes + +[ Upstream commit c238bfe0be9ef7420f7669a69e27c8c8f4d8a568 ] + +[Why] +On some compositors, with two monitors attached, VT terminal +switch can cause a graphical issue by the following means: + +There are two streams, one for each monitor. Each stream has one +plane + +current state: + M1:S1->P1 + M2:S2->P2 + +The user calls for a terminal switch and a commit is made to +change both planes to linear swizzle mode. In atomic check, +a new dc_state is constructed with new planes on each stream + +new state: + M1:S1->P3 + M2:S2->P4 + +In commit tail, each stream is committed, one at a time. The first +stream (S1) updates properly, triggerring a full update and replacing +the state + +current state: + M1:S1->P3 + M2:S2->P4 + +The update for S2 comes in, but dc detects that there is no difference +between the stream and plane in the new and current states, and so +triggers a fast update. The fast update does not program swizzle, +so the second monitor is corrupted + +[How] +Add a flag to dc_plane_state that forces full updates + +When a stream undergoes a full update, set this flag on all changed +planes, then clear it on the current stream + +Subsequent streams will get full updates as a result + +Signed-off-by: David Francis +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Roman Li +Acked-by: Bhawanpreet Lakha +Acked-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 19 +++++++++++++++++++ + drivers/gpu/drm/amd/display/dc/dc.h | 3 +++ + 2 files changed, 22 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 1f92e7e8e3d38..5af2ea1f201d3 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1308,6 +1308,11 @@ static enum surface_update_type det_surface_update(const struct dc *dc, + return UPDATE_TYPE_FULL; + } + ++ if (u->surface->force_full_update) { ++ update_flags->bits.full_update = 1; ++ return UPDATE_TYPE_FULL; ++ } ++ + type = get_plane_info_update_type(u); + elevate_update_type(&overall_type, type); + +@@ -1637,6 +1642,14 @@ void dc_commit_updates_for_stream(struct dc *dc, + } + + dc_resource_state_copy_construct(state, context); ++ ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ struct pipe_ctx *new_pipe = &context->res_ctx.pipe_ctx[i]; ++ struct pipe_ctx *old_pipe = &dc->current_state->res_ctx.pipe_ctx[i]; ++ ++ if (new_pipe->plane_state && new_pipe->plane_state != old_pipe->plane_state) ++ new_pipe->plane_state->force_full_update = true; ++ } + } + + +@@ -1680,6 +1693,12 @@ void dc_commit_updates_for_stream(struct dc *dc, + dc->current_state = context; + dc_release_state(old); + ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[i]; ++ ++ if (pipe_ctx->plane_state && pipe_ctx->stream == stream) ++ pipe_ctx->plane_state->force_full_update = false; ++ } + } + /*let's use current_state to update watermark etc*/ + if (update_type >= UPDATE_TYPE_FULL) +diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h +index 4b5bbb13ce7fe..7d5656d7e460d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc.h ++++ b/drivers/gpu/drm/amd/display/dc/dc.h +@@ -496,6 +496,9 @@ struct dc_plane_state { + struct dc_plane_status status; + struct dc_context *ctx; + ++ /* HACK: Workaround for forcing full reprogramming under some conditions */ ++ bool force_full_update; ++ + /* private to dc_surface.c */ + enum dc_irq_source irq_source; + struct kref refcount; +-- +2.20.1 + diff --git a/queue-5.0/drm-amdgpu-shadow-in-shadow_list-without-tbo.mem.sta.patch b/queue-5.0/drm-amdgpu-shadow-in-shadow_list-without-tbo.mem.sta.patch new file mode 100644 index 00000000000..dd3fdc162bf --- /dev/null +++ b/queue-5.0/drm-amdgpu-shadow-in-shadow_list-without-tbo.mem.sta.patch @@ -0,0 +1,40 @@ +From b6e9f607c230eb308cdb6b231e4a6a7dcee405d1 Mon Sep 17 00:00:00 2001 +From: wentalou +Date: Fri, 12 Apr 2019 15:01:14 +0800 +Subject: drm/amdgpu: shadow in shadow_list without tbo.mem.start cause page + fault in sriov TDR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit b575f10dbd6f84c2c8744ff1f486bfae1e4f6f38 ] + +shadow was added into shadow_list by amdgpu_bo_create_shadow. +meanwhile, shadow->tbo.mem was not fully configured. +tbo.mem would be fully configured by amdgpu_vm_sdma_map_table until calling amdgpu_vm_clear_bo. +If sriov TDR occurred between amdgpu_bo_create_shadow and amdgpu_vm_sdma_map_table, +amdgpu_device_recover_vram would deal with shadow without tbo.mem.start. + +Signed-off-by: Wentao Lou +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index d55dd570a7023..27baac26d8e9c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3150,6 +3150,7 @@ static int amdgpu_device_recover_vram(struct amdgpu_device *adev) + + /* No need to recover an evicted BO */ + if (shadow->tbo.mem.mem_type != TTM_PL_TT || ++ shadow->tbo.mem.start == AMDGPU_BO_INVALID_OFFSET || + shadow->parent->tbo.mem.mem_type != TTM_PL_VRAM) + continue; + +-- +2.20.1 + diff --git a/queue-5.0/drm-bridge-dw-hdmi-fix-overflow-workaround-for-rockc.patch b/queue-5.0/drm-bridge-dw-hdmi-fix-overflow-workaround-for-rockc.patch new file mode 100644 index 00000000000..2fbfe6af1b3 --- /dev/null +++ b/queue-5.0/drm-bridge-dw-hdmi-fix-overflow-workaround-for-rockc.patch @@ -0,0 +1,46 @@ +From 37b0b7a1d72fcd0b4845d3aa654139f7973b2482 Mon Sep 17 00:00:00 2001 +From: Jonas Karlman +Date: Wed, 20 Feb 2019 07:52:31 +0000 +Subject: drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs + +[ Upstream commit d15d9fd02575ecfada92d42f655940c4f10af842 ] + +The Rockchip RK3288 SoC (v2.00a) and RK3328/RK3399 SoCs (v2.11a) have +also been identified as needing this workaround with a single iteration. + +Fixes: be41fc55f1aa ("drm: bridge: dw-hdmi: Handle overflow workaround based on device version") +Signed-off-by: Jonas Karlman +Tested-by: Heiko Stueber +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966818FAAAE6192FF4ED11AAC7D0@AM3PR03MB0966.eurprd03.prod.outlook.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 64c3cf0275182..14223c0ee7843 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -1655,6 +1655,8 @@ static void dw_hdmi_clear_overflow(struct dw_hdmi *hdmi) + * iteration for others. + * The Amlogic Meson GX SoCs (v2.01a) have been identified as needing + * the workaround with a single iteration. ++ * The Rockchip RK3288 SoC (v2.00a) and RK3328/RK3399 SoCs (v2.11a) have ++ * been identified as needing the workaround with a single iteration. + */ + + switch (hdmi->version) { +@@ -1663,7 +1665,9 @@ static void dw_hdmi_clear_overflow(struct dw_hdmi *hdmi) + break; + case 0x131a: + case 0x132a: ++ case 0x200a: + case 0x201a: ++ case 0x211a: + case 0x212a: + count = 1; + break; +-- +2.20.1 + diff --git a/queue-5.0/drm-imx-don-t-skip-dp-channel-disable-for-background.patch b/queue-5.0/drm-imx-don-t-skip-dp-channel-disable-for-background.patch new file mode 100644 index 00000000000..a4a384847c1 --- /dev/null +++ b/queue-5.0/drm-imx-don-t-skip-dp-channel-disable-for-background.patch @@ -0,0 +1,32 @@ +From c252a15dd7c0a007e0cb9266f8f7764480590a52 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Apr 2019 17:59:41 +0200 +Subject: drm/imx: don't skip DP channel disable for background plane + +[ Upstream commit 7bcde275eb1d0ac8793c77c7e666a886eb16633d ] + +In order to make sure that the plane color space gets reset correctly. + +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index 058b53c0aa7ec..1bb3e598cb843 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -70,7 +70,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + if (disable_partial) + ipu_plane_disable(ipu_crtc->plane[1], true); + if (disable_full) +- ipu_plane_disable(ipu_crtc->plane[0], false); ++ ipu_plane_disable(ipu_crtc->plane[0], true); + } + + static void ipu_crtc_atomic_disable(struct drm_crtc *crtc, +-- +2.20.1 + diff --git a/queue-5.0/drm-rockchip-fix-for-mailbox-read-validation.patch b/queue-5.0/drm-rockchip-fix-for-mailbox-read-validation.patch new file mode 100644 index 00000000000..4818d3db9be --- /dev/null +++ b/queue-5.0/drm-rockchip-fix-for-mailbox-read-validation.patch @@ -0,0 +1,37 @@ +From acae5ec5e92b82dbb792d727d2737804cfd88998 Mon Sep 17 00:00:00 2001 +From: Damian Kos +Date: Mon, 19 Nov 2018 15:14:14 +0000 +Subject: drm/rockchip: fix for mailbox read validation. + +[ Upstream commit e4056bbb6719fe713bfc4030ac78e8e97ddf7574 ] + +This is basically the same fix as in +commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size") +but for cdn_dp_mailbox_validate_receive function. + +See patchwork.kernel.org/patch/10671981/ for details. + +Signed-off-by: Damian Kos +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +index 5a485489a1e23..6c8b14fb1d2f3 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val) + + static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp, + u8 module_id, u8 opcode, +- u8 req_size) ++ u16 req_size) + { + u32 mbox_size, i; + u8 header[4]; +-- +2.20.1 + diff --git a/queue-5.0/drm-sun4i-fix-component-unbinding-and-component-mast.patch b/queue-5.0/drm-sun4i-fix-component-unbinding-and-component-mast.patch new file mode 100644 index 00000000000..2cde922f914 --- /dev/null +++ b/queue-5.0/drm-sun4i-fix-component-unbinding-and-component-mast.patch @@ -0,0 +1,46 @@ +From c7128a6b9cc617cd619d827f7edadf75ba74b7c7 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 18 Apr 2019 15:27:27 +0200 +Subject: drm/sun4i: Fix component unbinding and component master deletion + +[ Upstream commit f5a9ed867c83875546c9aadd4ed8e785e9adcc3c ] + +For our component-backed driver to be properly removed, we need to +delete the component master in sun4i_drv_remove and make sure to call +component_unbind_all in the master's unbind so that all components are +unbound when the master is. + +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-4-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c +index c6b65a9699794..9a5713fa03b25 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -148,6 +148,8 @@ static void sun4i_drv_unbind(struct device *dev) + drm_mode_config_cleanup(drm); + of_reserved_mem_device_release(dev); + drm_dev_put(drm); ++ ++ component_unbind_all(dev, NULL); + } + + static const struct component_master_ops sun4i_drv_master_ops = { +@@ -395,6 +397,8 @@ static int sun4i_drv_probe(struct platform_device *pdev) + + static int sun4i_drv_remove(struct platform_device *pdev) + { ++ component_master_del(&pdev->dev, &sun4i_drv_master_ops); ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-5.0/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch b/queue-5.0/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch new file mode 100644 index 00000000000..35c9c4650b9 --- /dev/null +++ b/queue-5.0/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch @@ -0,0 +1,37 @@ +From 6cf4650f6b3b9241ac4d6277472905343d36529e Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 18 Apr 2019 15:27:26 +0200 +Subject: drm/sun4i: Set device driver data at bind time for use in unbind + +[ Upstream commit 02b92adbe33e6dbd15dc6e32540b22f47c4ff0a2 ] + +Our sun4i_drv_unbind gets the drm device using dev_get_drvdata. +However, that driver data is never set in sun4i_drv_bind. + +Set it there to avoid getting a NULL pointer at unbind time. + +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-3-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c +index 9e4c375ccc96f..c6b65a9699794 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -85,6 +85,8 @@ static int sun4i_drv_bind(struct device *dev) + ret = -ENOMEM; + goto free_drm; + } ++ ++ dev_set_drvdata(dev, drm); + drm->dev_private = drv; + INIT_LIST_HEAD(&drv->frontend_list); + INIT_LIST_HEAD(&drv->engine_list); +-- +2.20.1 + diff --git a/queue-5.0/drm-sun4i-unbind-components-before-releasing-drm-and.patch b/queue-5.0/drm-sun4i-unbind-components-before-releasing-drm-and.patch new file mode 100644 index 00000000000..99503076750 --- /dev/null +++ b/queue-5.0/drm-sun4i-unbind-components-before-releasing-drm-and.patch @@ -0,0 +1,44 @@ +From 48df4d50a7dd6de035ce2094cab8395305f9bbe8 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Wed, 24 Apr 2019 11:04:13 +0200 +Subject: drm/sun4i: Unbind components before releasing DRM and memory + +[ Upstream commit e02bc29b2cfa7806830d6da8b2322cddd67e8dfe ] + +Our components may still be using the DRM device driver (if only to +access our driver's private data), so make sure to unbind them before +the final drm_dev_put. + +Also release our reserved memory after component unbind instead of +before to match reverse creation order. + +Fixes: f5a9ed867c83 ("drm/sun4i: Fix component unbinding and component master deletion") +Signed-off-by: Paul Kocialkowski +Reviewed-by: Chen-Yu Tsai +Link: https://patchwork.freedesktop.org/patch/msgid/20190424090413.6918-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c +index 9a5713fa03b25..f8bf5bbec2df3 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -146,10 +146,11 @@ static void sun4i_drv_unbind(struct device *dev) + drm_dev_unregister(drm); + drm_kms_helper_poll_fini(drm); + drm_mode_config_cleanup(drm); +- of_reserved_mem_device_release(dev); +- drm_dev_put(drm); + + component_unbind_all(dev, NULL); ++ of_reserved_mem_device_release(dev); ++ ++ drm_dev_put(drm); + } + + static const struct component_master_ops sun4i_drv_master_ops = { +-- +2.20.1 + diff --git a/queue-5.0/drm-ttm-fix-dma_fence-refcount-imbalance-on-error-pa.patch b/queue-5.0/drm-ttm-fix-dma_fence-refcount-imbalance-on-error-pa.patch new file mode 100644 index 00000000000..e3be2447a55 --- /dev/null +++ b/queue-5.0/drm-ttm-fix-dma_fence-refcount-imbalance-on-error-pa.patch @@ -0,0 +1,41 @@ +From 6c3a7b53bbf0d058a4a111f288982f1287845b67 Mon Sep 17 00:00:00 2001 +From: Lin Yi +Date: Wed, 10 Apr 2019 10:23:34 +0800 +Subject: drm/ttm: fix dma_fence refcount imbalance on error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 543c364d8eeeb42c0edfaac9764f4e9f3d777ec1 ] + +the ttm_bo_add_move_fence takes a reference to the struct dma_fence, but +failed to release it on the error path, leading to a memory leak. +add dma_fence_put before return when error occur. + +Signed-off-by: Lin Yi +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c +index 996cadd83f244..d8e1b3f129046 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -881,8 +881,10 @@ static int ttm_bo_add_move_fence(struct ttm_buffer_object *bo, + reservation_object_add_shared_fence(bo->resv, fence); + + ret = reservation_object_reserve_shared(bo->resv, 1); +- if (unlikely(ret)) ++ if (unlikely(ret)) { ++ dma_fence_put(fence); + return ret; ++ } + + dma_fence_put(bo->moving); + bo->moving = fence; +-- +2.20.1 + diff --git a/queue-5.0/gpio-fix-gpiochip_add_data_with_key-error-path.patch b/queue-5.0/gpio-fix-gpiochip_add_data_with_key-error-path.patch new file mode 100644 index 00000000000..d12ba6dbc10 --- /dev/null +++ b/queue-5.0/gpio-fix-gpiochip_add_data_with_key-error-path.patch @@ -0,0 +1,104 @@ +From f8b68a2b9944a29717a31f08b80b101cc22ed438 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 24 Apr 2019 15:59:33 +0200 +Subject: gpio: Fix gpiochip_add_data_with_key() error path + +[ Upstream commit 357798909164bf423eac6a78ff7da7e98d2d7f7f ] + +The err_remove_chip block is too coarse, and may perform cleanup that +must not be done. E.g. if of_gpiochip_add() fails, of_gpiochip_remove() +is still called, causing: + + OF: ERROR: Bad of_node_put() on /soc/gpio@e6050000 + CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted 5.1.0-rc2-koelsch+ #407 + Hardware name: Generic R-Car Gen2 (Flattened Device Tree) + Workqueue: events deferred_probe_work_func + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x7c/0x9c) + [] (dump_stack) from [] (kobject_put+0x94/0xbc) + [] (kobject_put) from [] (gpiochip_add_data_with_key+0x8d8/0xa3c) + [] (gpiochip_add_data_with_key) from [] (gpio_rcar_probe+0x1d4/0x314) + [] (gpio_rcar_probe) from [] (platform_drv_probe+0x48/0x94) + +and later, if a GPIO consumer tries to use a GPIO from a failed +controller: + + WARNING: CPU: 0 PID: 1 at lib/refcount.c:156 kobject_get+0x38/0x4c + refcount_t: increment on 0; use-after-free. + Modules linked in: + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc2-koelsch+ #407 + Hardware name: Generic R-Car Gen2 (Flattened Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x7c/0x9c) + [] (dump_stack) from [] (__warn+0xd0/0xec) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] (kobject_get+0x38/0x4c) + [] (kobject_get) from [] (of_node_get+0x14/0x1c) + [] (of_node_get) from [] (of_find_node_by_phandle+0xc0/0xf0) + [] (of_find_node_by_phandle) from [] (of_phandle_iterator_next+0x68/0x154) + [] (of_phandle_iterator_next) from [] (__of_parse_phandle_with_args+0x40/0xd0) + [] (__of_parse_phandle_with_args) from [] (of_parse_phandle_with_args_map+0x100/0x3ac) + [] (of_parse_phandle_with_args_map) from [] (of_get_named_gpiod_flags+0x38/0x380) + [] (of_get_named_gpiod_flags) from [] (gpiod_get_from_of_node+0x24/0xd8) + [] (gpiod_get_from_of_node) from [] (devm_fwnode_get_index_gpiod_from_child+0xa0/0x144) + [] (devm_fwnode_get_index_gpiod_from_child) from [] (gpio_keys_probe+0x418/0x7bc) + [] (gpio_keys_probe) from [] (platform_drv_probe+0x48/0x94) + +Fix this by splitting the cleanup block, and adding a missing call to +gpiochip_irqchip_remove(). + +Fixes: 28355f81969962cf ("gpio: defer probe if pinctrl cannot be found") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Mukesh Ojha +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index d1adfdf50fb30..34fbf879411f6 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1379,7 +1379,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data, + + status = gpiochip_add_irqchip(chip, lock_key, request_key); + if (status) +- goto err_remove_chip; ++ goto err_free_gpiochip_mask; + + status = of_gpiochip_add(chip); + if (status) +@@ -1387,7 +1387,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data, + + status = gpiochip_init_valid_mask(chip); + if (status) +- goto err_remove_chip; ++ goto err_remove_of_chip; + + for (i = 0; i < chip->ngpio; i++) { + struct gpio_desc *desc = &gdev->descs[i]; +@@ -1415,14 +1415,18 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data, + if (gpiolib_initialized) { + status = gpiochip_setup_dev(gdev); + if (status) +- goto err_remove_chip; ++ goto err_remove_acpi_chip; + } + return 0; + +-err_remove_chip: ++err_remove_acpi_chip: + acpi_gpiochip_remove(chip); ++err_remove_of_chip: + gpiochip_free_hogs(chip); + of_gpiochip_remove(chip); ++err_remove_chip: ++ gpiochip_irqchip_remove(chip); ++err_free_gpiochip_mask: + gpiochip_free_valid_mask(chip); + err_remove_irqchip_mask: + gpiochip_irqchip_free_valid_mask(chip); +-- +2.20.1 + diff --git a/queue-5.0/gpu-ipu-v3-dp-fix-csc-handling.patch b/queue-5.0/gpu-ipu-v3-dp-fix-csc-handling.patch new file mode 100644 index 00000000000..bbc23af5a78 --- /dev/null +++ b/queue-5.0/gpu-ipu-v3-dp-fix-csc-handling.patch @@ -0,0 +1,69 @@ +From 2a9a1201d9973cba2a448dfa3b430218833f0832 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Apr 2019 17:59:40 +0200 +Subject: gpu: ipu-v3: dp: fix CSC handling + +[ Upstream commit d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 ] + +Initialize the flow input colorspaces to unknown and reset to that value +when the channel gets disabled. This avoids the state getting mixed up +with a previous mode. + +Also keep the CSC settings for the background flow intact when disabling +the foreground flow. + +Root-caused-by: Jonathan Marek +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c +index 9b2b3fa479c46..5e44ff1f20851 100644 +--- a/drivers/gpu/ipu-v3/ipu-dp.c ++++ b/drivers/gpu/ipu-v3/ipu-dp.c +@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp, + ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs, + DP_COM_CONF_CSC_DEF_BOTH); + } else { +- if (flow->foreground.in_cs == flow->out_cs) ++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN || ++ flow->foreground.in_cs == flow->out_cs) + /* + * foreground identical to output, apply color + * conversion on background +@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync) + struct ipu_dp_priv *priv = flow->priv; + u32 reg, csc; + ++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ + if (!dp->foreground) + return; + +@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync) + + reg = readl(flow->base + DP_COM_CONF); + csc = reg & DP_COM_CONF_CSC_DEF_MASK; +- if (csc == DP_COM_CONF_CSC_DEF_FG) +- reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG) ++ reg |= DP_COM_CONF_CSC_DEF_BG; + + reg &= ~DP_COM_CONF_FG_EN; + writel(reg, flow->base + DP_COM_CONF); +@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base) + mutex_init(&priv->mutex); + + for (i = 0; i < IPUV3_NUM_FLOWS; i++) { ++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN; + priv->flow[i].foreground.foreground = true; + priv->flow[i].base = priv->base + ipu_dp_flow_base[i]; + priv->flow[i].priv = priv; +-- +2.20.1 + diff --git a/queue-5.0/hid-input-add-mapping-for-expose-overview-key.patch b/queue-5.0/hid-input-add-mapping-for-expose-overview-key.patch new file mode 100644 index 00000000000..c79da691170 --- /dev/null +++ b/queue-5.0/hid-input-add-mapping-for-expose-overview-key.patch @@ -0,0 +1,37 @@ +From 00bac42e17cddb0ce1b3a719856267085a287fb8 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 13:59:08 -0800 +Subject: HID: input: add mapping for Expose/Overview key +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f ] + +According to HUTRR77 usage 0x29f from the consumer page is reserved for +the Desktop application to present all running user’s application windows. +Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's +add the mapping. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index ff92a7b2fc897..468da6f6765db 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1042,6 +1042,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break; + case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break; + ++ case 0x29f: map_key_clear(KEY_SCALE); break; ++ + default: map_key_clear(KEY_UNKNOWN); + } + break; +-- +2.20.1 + diff --git a/queue-5.0/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch b/queue-5.0/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch new file mode 100644 index 00000000000..de3b33a8006 --- /dev/null +++ b/queue-5.0/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch @@ -0,0 +1,34 @@ +From d36539c29b459716a7f4b84d7888111f26e88ad6 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 14:05:52 -0800 +Subject: HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys + +[ Upstream commit 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 ] + +According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page +correspond to Brightness Up/Down/Toggle keys, so let's add the mappings. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 468da6f6765db..290efac7e6bfd 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -908,6 +908,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break; + case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break; + ++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break; ++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break; ++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break; ++ + case 0x082: map_key_clear(KEY_VIDEO_NEXT); break; + case 0x083: map_key_clear(KEY_LAST); break; + case 0x084: map_key_clear(KEY_ENTER); break; +-- +2.20.1 + diff --git a/queue-5.0/hid-input-add-mapping-for-toggle-display-key.patch b/queue-5.0/hid-input-add-mapping-for-toggle-display-key.patch new file mode 100644 index 00000000000..0be69f6badf --- /dev/null +++ b/queue-5.0/hid-input-add-mapping-for-toggle-display-key.patch @@ -0,0 +1,39 @@ +From 32abb27d69a0019e5b49febe7b8d84d4c7fc5a5f Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 14:35:45 -0800 +Subject: HID: input: add mapping for "Toggle Display" key + +[ Upstream commit c01908a14bf735b871170092807c618bb9dae654 ] + +According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved +for switching between external and internal display, so let's add the +mapping. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 290efac7e6bfd..4f119300ce3f5 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + break; + } + ++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */ ++ switch (usage->hid & 0xf) { ++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break; ++ default: goto ignore; ++ } ++ break; ++ } ++ + /* + * Some lazy vendors declare 255 usages for System Control, + * leading to the creation of ABS_X|Y axis and too many others. +-- +2.20.1 + diff --git a/queue-5.0/ib-mlx5-fix-scatter-to-cqe-in-dct-qp-creation.patch b/queue-5.0/ib-mlx5-fix-scatter-to-cqe-in-dct-qp-creation.patch new file mode 100644 index 00000000000..c270efccab5 --- /dev/null +++ b/queue-5.0/ib-mlx5-fix-scatter-to-cqe-in-dct-qp-creation.patch @@ -0,0 +1,81 @@ +From 015fcd2b5dfafdde4c13d4754b36b944fb1c10cb Mon Sep 17 00:00:00 2001 +From: Guy Levi +Date: Wed, 10 Apr 2019 10:59:45 +0300 +Subject: IB/mlx5: Fix scatter to CQE in DCT QP creation + +[ Upstream commit 7249c8ea227a582c14f63e9e8853eb7369122f10 ] + +When scatter to CQE is enabled on a DCT QP it corrupts the mailbox command +since it tried to treat it as as QP create mailbox command instead of a +DCT create command. + +The corrupted mailbox command causes userspace to malfunction as the +device doesn't create the QP as expected. + +A new mlx5 capability is exposed to user-space which ensures that it will +not enable the feature on DCT without this fix in the kernel. + +Fixes: 5d6ff1babe78 ("IB/mlx5: Support scatter to CQE for DC transport type") +Signed-off-by: Guy Levi +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 ++ + drivers/infiniband/hw/mlx5/qp.c | 11 +++++++---- + include/uapi/rdma/mlx5-abi.h | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 497181f5ba091..c6bdd0d16c4b6 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1025,6 +1025,8 @@ static int mlx5_ib_query_device(struct ib_device *ibdev, + if (MLX5_CAP_GEN(mdev, qp_packet_based)) + resp.flags |= + MLX5_IB_QUERY_DEV_RESP_PACKET_BASED_CREDIT_MODE; ++ ++ resp.flags |= MLX5_IB_QUERY_DEV_RESP_FLAGS_SCAT2CQE_DCT; + } + + if (field_avail(typeof(resp), sw_parsing_caps, +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index 7db778d96ef5c..afc88e6e172e7 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -1724,13 +1724,16 @@ static void configure_responder_scat_cqe(struct ib_qp_init_attr *init_attr, + + rcqe_sz = mlx5_ib_get_cqe_size(init_attr->recv_cq); + +- if (rcqe_sz == 128) { +- MLX5_SET(qpc, qpc, cs_res, MLX5_RES_SCAT_DATA64_CQE); ++ if (init_attr->qp_type == MLX5_IB_QPT_DCT) { ++ if (rcqe_sz == 128) ++ MLX5_SET(dctc, qpc, cs_res, MLX5_RES_SCAT_DATA64_CQE); ++ + return; + } + +- if (init_attr->qp_type != MLX5_IB_QPT_DCT) +- MLX5_SET(qpc, qpc, cs_res, MLX5_RES_SCAT_DATA32_CQE); ++ MLX5_SET(qpc, qpc, cs_res, ++ rcqe_sz == 128 ? MLX5_RES_SCAT_DATA64_CQE : ++ MLX5_RES_SCAT_DATA32_CQE); + } + + static void configure_requester_scat_cqe(struct mlx5_ib_dev *dev, +diff --git a/include/uapi/rdma/mlx5-abi.h b/include/uapi/rdma/mlx5-abi.h +index 87b3198f4b5d7..f4d4010b7e3e5 100644 +--- a/include/uapi/rdma/mlx5-abi.h ++++ b/include/uapi/rdma/mlx5-abi.h +@@ -238,6 +238,7 @@ enum mlx5_ib_query_dev_resp_flags { + MLX5_IB_QUERY_DEV_RESP_FLAGS_CQE_128B_COMP = 1 << 0, + MLX5_IB_QUERY_DEV_RESP_FLAGS_CQE_128B_PAD = 1 << 1, + MLX5_IB_QUERY_DEV_RESP_PACKET_BASED_CREDIT_MODE = 1 << 2, ++ MLX5_IB_QUERY_DEV_RESP_FLAGS_SCAT2CQE_DCT = 1 << 3, + }; + + enum mlx5_ib_tunnel_offloads { +-- +2.20.1 + diff --git a/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-probe.patch b/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-probe.patch new file mode 100644 index 00000000000..a18f4919338 --- /dev/null +++ b/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-probe.patch @@ -0,0 +1,40 @@ +From 0b7e1e5ef4b165c2c8831e085a419dbb8d1dcf4a Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Sun, 10 Mar 2019 14:58:25 -0400 +Subject: iio: adc: xilinx: fix potential use-after-free on probe + +[ Upstream commit 862e4644fd2d7df8998edc65e0963ea2f567bde9 ] + +If probe errors out after request_irq(), its error path +does not explicitly cancel the delayed work, which may +have been scheduled by the interrupt handler. + +This means the delayed work may still be running when +the core frees the private structure (struct xadc). +This is a potential use-after-free. + +Fix by inserting cancel_delayed_work_sync() in the probe +error path. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/xilinx-xadc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 1960694e80076..15e1a103f37da 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1290,6 +1290,7 @@ static int xadc_probe(struct platform_device *pdev) + + err_free_irq: + free_irq(xadc->irq, indio_dev); ++ cancel_delayed_work_sync(&xadc->zynq_unmask_work); + err_clk_disable_unprepare: + clk_disable_unprepare(xadc->clk); + err_free_samplerate_trigger: +-- +2.20.1 + diff --git a/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch b/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch new file mode 100644 index 00000000000..f22918650fa --- /dev/null +++ b/queue-5.0/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch @@ -0,0 +1,38 @@ +From 47bd0a1576669590407ad14a6997b295ca89ddae Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Sun, 10 Mar 2019 14:58:24 -0400 +Subject: iio: adc: xilinx: fix potential use-after-free on remove + +[ Upstream commit 62039b6aef63380ba7a37c113bbaeee8a55c5342 ] + +When cancel_delayed_work() returns, the delayed work may still +be running. This means that the core could potentially free +the private structure (struct xadc) while the delayed work +is still using it. This is a potential use-after-free. + +Fix by calling cancel_delayed_work_sync(), which waits for +any residual work to finish before returning. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/xilinx-xadc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 3f6be5ac049a8..1960694e80076 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1320,7 +1320,7 @@ static int xadc_remove(struct platform_device *pdev) + } + free_irq(xadc->irq, indio_dev); + clk_disable_unprepare(xadc->clk); +- cancel_delayed_work(&xadc->zynq_unmask_work); ++ cancel_delayed_work_sync(&xadc->zynq_unmask_work); + kfree(xadc->data); + kfree(indio_dev->channels); + +-- +2.20.1 + diff --git a/queue-5.0/iio-adc-xilinx-prevent-touching-unclocked-h-w-on-rem.patch b/queue-5.0/iio-adc-xilinx-prevent-touching-unclocked-h-w-on-rem.patch new file mode 100644 index 00000000000..d0f4eda4dd8 --- /dev/null +++ b/queue-5.0/iio-adc-xilinx-prevent-touching-unclocked-h-w-on-rem.patch @@ -0,0 +1,39 @@ +From 28c6c4a1e26bda1f778a869a534294dcf627ff93 Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Sun, 10 Mar 2019 14:58:26 -0400 +Subject: iio: adc: xilinx: prevent touching unclocked h/w on remove + +[ Upstream commit 2e4b88f73966adead360e47621df0183586fac32 ] + +In remove, the clock is disabled before canceling the +delayed work. This means that the delayed work may be +touching unclocked hardware. + +Fix by disabling the clock after the delayed work is +fully canceled. This is consistent with the probe error +path order. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/xilinx-xadc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 15e1a103f37da..1ae86e7359f73 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1320,8 +1320,8 @@ static int xadc_remove(struct platform_device *pdev) + iio_triggered_buffer_cleanup(indio_dev); + } + free_irq(xadc->irq, indio_dev); +- clk_disable_unprepare(xadc->clk); + cancel_delayed_work_sync(&xadc->zynq_unmask_work); ++ clk_disable_unprepare(xadc->clk); + kfree(xadc->data); + kfree(indio_dev->channels); + +-- +2.20.1 + diff --git a/queue-5.0/init-initialize-jump-labels-before-command-line-opti.patch b/queue-5.0/init-initialize-jump-labels-before-command-line-opti.patch new file mode 100644 index 00000000000..efa10937868 --- /dev/null +++ b/queue-5.0/init-initialize-jump-labels-before-command-line-opti.patch @@ -0,0 +1,79 @@ +From 1290904c7dd1553a016c697deb47fdc86b20bf74 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 18 Apr 2019 17:50:44 -0700 +Subject: init: initialize jump labels before command line option parsing + +[ Upstream commit 6041186a32585fc7a1d0f6cfe2f138b05fdc3c82 ] + +When a module option, or core kernel argument, toggles a static-key it +requires jump labels to be initialized early. While x86, PowerPC, and +ARM64 arrange for jump_label_init() to be called before parse_args(), +ARM does not. + + Kernel command line: rdinit=/sbin/init page_alloc.shuffle=1 panic=-1 console=ttyAMA0,115200 page_alloc.shuffle=1 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at ./include/linux/jump_label.h:303 + page_alloc_shuffle+0x12c/0x1ac + static_key_enable(): static key 'page_alloc_shuffle_key+0x0/0x4' used + before call to jump_label_init() + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted + 5.1.0-rc4-next-20190410-00003-g3367c36ce744 #1 + Hardware name: ARM Integrator/CP (Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x18) + [] (show_stack) from [] (dump_stack+0x18/0x24) + [] (dump_stack) from [] (__warn+0xe0/0x108) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] + (page_alloc_shuffle+0x12c/0x1ac) + [] (page_alloc_shuffle) from [] (shuffle_store+0x28/0x48) + [] (shuffle_store) from [] (parse_args+0x1f4/0x350) + [] (parse_args) from [] (start_kernel+0x1c0/0x488) + +Move the fallback call to jump_label_init() to occur before +parse_args(). + +The redundant calls to jump_label_init() in other archs are left intact +in case they have static key toggling use cases that are even earlier +than option parsing. + +Link: http://lkml.kernel.org/r/155544804466.1032396.13418949511615676665.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams +Reported-by: Guenter Roeck +Reviewed-by: Kees Cook +Cc: Mathieu Desnoyers +Cc: Thomas Gleixner +Cc: Mike Rapoport +Cc: Russell King +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/init/main.c b/init/main.c +index c86a1c8f19f40..7ae8245452650 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -574,6 +574,8 @@ asmlinkage __visible void __init start_kernel(void) + page_alloc_init(); + + pr_notice("Kernel command line: %s\n", boot_command_line); ++ /* parameters may set static keys */ ++ jump_label_init(); + parse_early_param(); + after_dashes = parse_args("Booting kernel", + static_command_line, __start___param, +@@ -583,8 +585,6 @@ asmlinkage __visible void __init start_kernel(void) + parse_args("Setting init args", after_dashes, NULL, 0, -1, -1, + NULL, set_init_arg); + +- jump_label_init(); +- + /* + * These use large bootmem allocations and must precede + * kmem_cache_init() +-- +2.20.1 + diff --git a/queue-5.0/input-snvs_pwrkey-make-it-depend-on-arch_mxc.patch b/queue-5.0/input-snvs_pwrkey-make-it-depend-on-arch_mxc.patch new file mode 100644 index 00000000000..4ce37ae914b --- /dev/null +++ b/queue-5.0/input-snvs_pwrkey-make-it-depend-on-arch_mxc.patch @@ -0,0 +1,36 @@ +From aa5139dbd77314ae41abf7c2b1b373e44df1b616 Mon Sep 17 00:00:00 2001 +From: Jacky Bai +Date: Fri, 5 Apr 2019 10:31:09 -0700 +Subject: Input: snvs_pwrkey - make it depend on ARCH_MXC + +[ Upstream commit f06eba72274788db6a43012a05a99915c0283aef ] + +The SNVS power key is not only used on i.MX6SX and i.MX7D, it is also +used by i.MX6UL and NXP's latest ARMv8 based i.MX8M series SOC. So +update the config dependency to use ARCH_MXC, and add the COMPILE_TEST +too. + +Signed-off-by: Jacky Bai +Reviewed-by: Dong Aisheng +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/keyboard/Kconfig b/drivers/input/keyboard/Kconfig +index a878351f16439..52d7f55fca329 100644 +--- a/drivers/input/keyboard/Kconfig ++++ b/drivers/input/keyboard/Kconfig +@@ -420,7 +420,7 @@ config KEYBOARD_MPR121 + + config KEYBOARD_SNVS_PWRKEY + tristate "IMX SNVS Power Key Driver" +- depends on SOC_IMX6SX || SOC_IMX7D ++ depends on ARCH_MXC || COMPILE_TEST + depends on OF + help + This is the snvs powerkey driver for the Freescale i.MX application +-- +2.20.1 + diff --git a/queue-5.0/input-synaptics-rmi4-fix-possible-double-free.patch b/queue-5.0/input-synaptics-rmi4-fix-possible-double-free.patch new file mode 100644 index 00000000000..f320bd9b431 --- /dev/null +++ b/queue-5.0/input-synaptics-rmi4-fix-possible-double-free.patch @@ -0,0 +1,45 @@ +From 71a1c1f6e5903373240470442f09dcbb7f12b44b Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 19 Apr 2019 07:39:00 +0000 +Subject: Input: synaptics-rmi4 - fix possible double free + +[ Upstream commit bce1a78423961fce676ac65540a31b6ffd179e6d ] + +The RMI4 function structure has been released in rmi_register_function +if error occurs. However, it will be released again in the function +rmi_create_function, which may result in a double-free bug. + +Signed-off-by: Pan Bian +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index fc3ab93b7aea4..7fb358f961957 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -860,7 +860,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev, + + error = rmi_register_function(fn); + if (error) +- goto err_put_fn; ++ return error; + + if (pdt->function_number == 0x01) + data->f01_container = fn; +@@ -870,10 +870,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev, + list_add_tail(&fn->node, &data->function_list); + + return RMI_SCAN_CONTINUE; +- +-err_put_fn: +- put_device(&fn->dev); +- return error; + } + + void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake) +-- +2.20.1 + diff --git a/queue-5.0/ipmi-ipmi_si_hardcode.c-init-si_type-array-to-fix-a-.patch b/queue-5.0/ipmi-ipmi_si_hardcode.c-init-si_type-array-to-fix-a-.patch new file mode 100644 index 00000000000..a66dc6cfeb8 --- /dev/null +++ b/queue-5.0/ipmi-ipmi_si_hardcode.c-init-si_type-array-to-fix-a-.patch @@ -0,0 +1,48 @@ +From e30b86ae999d7a39c1fdb2050da9925ddff31372 Mon Sep 17 00:00:00 2001 +From: Tony Camuso +Date: Tue, 9 Apr 2019 15:20:03 -0400 +Subject: ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash + +[ Upstream commit a885bcfd152f97b25005298ab2d6b741aed9b49c ] + +The intended behavior of function ipmi_hardcode_init_one() is to default +to kcs interface when no type argument is presented when initializing +ipmi with hard coded addresses. + +However, the array of char pointers allocated on the stack by function +ipmi_hardcode_init() was not inited to zeroes, so it contained stack +debris. + +Consequently, passing the cruft stored in this array to function +ipmi_hardcode_init_one() caused a crash when it was unable to detect +that the char * being passed was nonsense and tried to access the +address specified by the bogus pointer. + +The fix is simply to initialize the si_type array to zeroes, so if +there were no type argument given to at the command line, function +ipmi_hardcode_init_one() could properly default to the kcs interface. + +Signed-off-by: Tony Camuso +Message-Id: <1554837603-40299-1-git-send-email-tcamuso@redhat.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_si_hardcode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/char/ipmi/ipmi_si_hardcode.c b/drivers/char/ipmi/ipmi_si_hardcode.c +index 1e5783961b0dc..ab7180c46d8dd 100644 +--- a/drivers/char/ipmi/ipmi_si_hardcode.c ++++ b/drivers/char/ipmi/ipmi_si_hardcode.c +@@ -201,6 +201,8 @@ void __init ipmi_hardcode_init(void) + char *str; + char *si_type[SI_MAX_PARMS]; + ++ memset(si_type, 0, sizeof(si_type)); ++ + /* Parse out the si_type string into its components. */ + str = si_type_str; + if (*str != '\0') { +-- +2.20.1 + diff --git a/queue-5.0/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch b/queue-5.0/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch new file mode 100644 index 00000000000..99066633f18 --- /dev/null +++ b/queue-5.0/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch @@ -0,0 +1,38 @@ +From 2b764ee796105c0503c3b89b319ab6fe5ecf85a9 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sun, 31 Mar 2019 13:24:52 +0300 +Subject: ipvs: do not schedule icmp errors from tunnels + +[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] + +We can receive ICMP errors from client or from +tunneling real server. While the former can be +scheduled to real server, the latter should +not be scheduled, they are decapsulated only when +existing connection is found. + +Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 235205c93e14b..df112b27246a3 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, + if (!cp) { + int v; + +- if (!sysctl_schedule_icmp(ipvs)) ++ if (ipip || !sysctl_schedule_icmp(ipvs)) + return NF_ACCEPT; + + if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) +-- +2.20.1 + diff --git a/queue-5.0/kvm-fix-spectrev1-gadgets.patch b/queue-5.0/kvm-fix-spectrev1-gadgets.patch new file mode 100644 index 00000000000..97b4798d530 --- /dev/null +++ b/queue-5.0/kvm-fix-spectrev1-gadgets.patch @@ -0,0 +1,133 @@ +From a90e6647093c854b759c17b3e507a4905e686003 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 11 Apr 2019 11:16:47 +0200 +Subject: KVM: fix spectrev1 gadgets + +[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ] + +These were found with smatch, and then generalized when applicable. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 4 +++- + include/linux/kvm_host.h | 10 ++++++---- + virt/kvm/irqchip.c | 5 +++-- + virt/kvm/kvm_main.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 3339697de6e52..235687f3388fa 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -137,6 +137,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, + if (offset <= max_apic_id) { + u8 cluster_size = min(max_apic_id - offset + 1, 16U); + ++ offset = array_index_nospec(offset, map->max_apic_id + 1); + *cluster = &map->phys_map[offset]; + *mask = dest_id & (0xffff >> (16 - cluster_size)); + } else { +@@ -899,7 +900,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, + if (irq->dest_id > map->max_apic_id) { + *bitmap = 0; + } else { +- *dst = &map->phys_map[irq->dest_id]; ++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); ++ *dst = &map->phys_map[dest_id]; + *bitmap = 1; + } + return true; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index cf761ff582248..e41503b2c5a16 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -492,10 +493,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { +- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case +- * the caller has read kvm->online_vcpus before (as is the case +- * for kvm_for_each_vcpu, for example). +- */ ++ int num_vcpus = atomic_read(&kvm->online_vcpus); ++ i = array_index_nospec(i, num_vcpus); ++ ++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ + smp_rmb(); + return kvm->vcpus[i]; + } +@@ -579,6 +580,7 @@ void kvm_put_kvm(struct kvm *kvm); + + static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) + { ++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); + return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, + lockdep_is_held(&kvm->slots_lock) || + !refcount_read(&kvm->users_count)); +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c +index b1286c4e07122..0bd0683640bdf 100644 +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *ei; + int r; ++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); + + /* + * Do not allow GSI to be mapped to the same irqchip more than once. + * Allow only one to one mapping between GSI and non-irqchip routing. + */ +- hlist_for_each_entry(ei, &rt->map[ue->gsi], link) ++ hlist_for_each_entry(ei, &rt->map[gsi], link) + if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->u.irqchip.irqchip == ei->irqchip.irqchip) + return -EINVAL; + +- e->gsi = ue->gsi; ++ e->gsi = gsi; + e->type = ue->type; + r = kvm_set_routing_entry(kvm, e, ue); + if (r) +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index b4f2d892a1d36..ff68b07e94e97 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2974,12 +2974,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + struct kvm_device_ops *ops = NULL; + struct kvm_device *dev; + bool test = cd->flags & KVM_CREATE_DEVICE_TEST; ++ int type; + int ret; + + if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) + return -ENODEV; + +- ops = kvm_device_ops_table[cd->type]; ++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); ++ ops = kvm_device_ops_table[type]; + if (ops == NULL) + return -ENODEV; + +@@ -2994,7 +2996,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + dev->kvm = kvm; + + mutex_lock(&kvm->lock); +- ret = ops->create(dev, cd->type); ++ ret = ops->create(dev, type); + if (ret < 0) { + mutex_unlock(&kvm->lock); + kfree(dev); +-- +2.20.1 + diff --git a/queue-5.0/kvm-nvmx-always-use-early-vmcs-check-when-ept-is-dis.patch b/queue-5.0/kvm-nvmx-always-use-early-vmcs-check-when-ept-is-dis.patch new file mode 100644 index 00000000000..cc92465364e --- /dev/null +++ b/queue-5.0/kvm-nvmx-always-use-early-vmcs-check-when-ept-is-dis.patch @@ -0,0 +1,79 @@ +From c81e5619f8f10afe99ef552a04f909e133728171 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 15 Apr 2019 15:57:19 +0200 +Subject: KVM: nVMX: always use early vmcs check when EPT is disabled + +[ Upstream commit 2b27924bb1d48e3775f432b70bdad5e6dd4e7798 ] + +The remaining failures of vmx.flat when EPT is disabled are caused by +incorrectly reflecting VMfails to the L1 hypervisor. What happens is +that nested_vmx_restore_host_state corrupts the guest CR3, reloading it +with the host's shadow CR3 instead, because it blindly loads GUEST_CR3 +from the vmcs01. + +For simplicity let's just always use hardware VMCS checks when EPT is +disabled. This way, nested_vmx_restore_host_state is not reached at +all (or at least shouldn't be reached). + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/uapi/asm/vmx.h | 1 + + arch/x86/kvm/vmx/nested.c | 22 ++++++++++++++++++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h +index f0b0c90dd3982..d213ec5c3766d 100644 +--- a/arch/x86/include/uapi/asm/vmx.h ++++ b/arch/x86/include/uapi/asm/vmx.h +@@ -146,6 +146,7 @@ + + #define VMX_ABORT_SAVE_GUEST_MSR_FAIL 1 + #define VMX_ABORT_LOAD_HOST_PDPTE_FAIL 2 ++#define VMX_ABORT_VMCS_CORRUPTED 3 + #define VMX_ABORT_LOAD_HOST_MSR_FAIL 4 + + #endif /* _UAPIVMX_H */ +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 8f8c42b048757..2a16bd8877297 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3790,8 +3790,18 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu) + vmx_set_cr4(vcpu, vmcs_readl(CR4_READ_SHADOW)); + + nested_ept_uninit_mmu_context(vcpu); +- vcpu->arch.cr3 = vmcs_readl(GUEST_CR3); +- __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); ++ ++ /* ++ * This is only valid if EPT is in use, otherwise the vmcs01 GUEST_CR3 ++ * points to shadow pages! Fortunately we only get here after a WARN_ON ++ * if EPT is disabled, so a VMabort is perfectly fine. ++ */ ++ if (enable_ept) { ++ vcpu->arch.cr3 = vmcs_readl(GUEST_CR3); ++ __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); ++ } else { ++ nested_vmx_abort(vcpu, VMX_ABORT_VMCS_CORRUPTED); ++ } + + /* + * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs +@@ -5739,6 +5749,14 @@ __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *)) + { + int i; + ++ /* ++ * Without EPT it is not possible to restore L1's CR3 and PDPTR on ++ * VMfail, because they are not available in vmcs01. Just always ++ * use hardware checks. ++ */ ++ if (!enable_ept) ++ nested_early_check = 1; ++ + if (!cpu_has_vmx_shadow_vmcs()) + enable_shadow_vmcs = 0; + if (enable_shadow_vmcs) { +-- +2.20.1 + diff --git a/queue-5.0/kvm-nvmx-expose-rdpmc-exiting-only-when-guest-suppor.patch b/queue-5.0/kvm-nvmx-expose-rdpmc-exiting-only-when-guest-suppor.patch new file mode 100644 index 00000000000..8af5b9e2310 --- /dev/null +++ b/queue-5.0/kvm-nvmx-expose-rdpmc-exiting-only-when-guest-suppor.patch @@ -0,0 +1,83 @@ +From b2f60a8fdcd51dddc0245e1e6dce33d3e2064b4a Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Mon, 25 Mar 2019 21:09:17 +0200 +Subject: KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU + +[ Upstream commit e51bfdb68725dc052d16241ace40ea3140f938aa ] + +Issue was discovered when running kvm-unit-tests on KVM running as L1 on +top of Hyper-V. + +When vmx_instruction_intercept unit-test attempts to run RDPMC to test +RDPMC-exiting, it is intercepted by L1 KVM which it's EXIT_REASON_RDPMC +handler raise #GP because vCPU exposed by Hyper-V doesn't support PMU. +Instead of unit-test expectation to be reflected with EXIT_REASON_RDPMC. + +The reason vmx_instruction_intercept unit-test attempts to run RDPMC +even though Hyper-V doesn't support PMU is because L1 expose to L2 +support for RDPMC-exiting. Which is reasonable to assume that is +supported only in case CPU supports PMU to being with. + +Above issue can easily be simulated by modifying +vmx_instruction_intercept config in x86/unittests.cfg to run QEMU with +"-cpu host,+vmx,-pmu" and run unit-test. + +To handle issue, change KVM to expose RDPMC-exiting only when guest +supports PMU. + +Reported-by: Saar Amar +Reviewed-by: Mihai Carabas +Reviewed-by: Jim Mattson +Signed-off-by: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/vmx.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index da6fdd5434a17..8f0426d46ba3c 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6982,6 +6982,30 @@ static void nested_vmx_entry_exit_ctls_update(struct kvm_vcpu *vcpu) + } + } + ++static bool guest_cpuid_has_pmu(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_cpuid_entry2 *entry; ++ union cpuid10_eax eax; ++ ++ entry = kvm_find_cpuid_entry(vcpu, 0xa, 0); ++ if (!entry) ++ return false; ++ ++ eax.full = entry->eax; ++ return (eax.split.version_id > 0); ++} ++ ++static void nested_vmx_procbased_ctls_update(struct kvm_vcpu *vcpu) ++{ ++ struct vcpu_vmx *vmx = to_vmx(vcpu); ++ bool pmu_enabled = guest_cpuid_has_pmu(vcpu); ++ ++ if (pmu_enabled) ++ vmx->nested.msrs.procbased_ctls_high |= CPU_BASED_RDPMC_EXITING; ++ else ++ vmx->nested.msrs.procbased_ctls_high &= ~CPU_BASED_RDPMC_EXITING; ++} ++ + static void update_intel_pt_cfg(struct kvm_vcpu *vcpu) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); +@@ -7070,6 +7094,7 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu) + if (nested_vmx_allowed(vcpu)) { + nested_vmx_cr_fixed1_bits_update(vcpu); + nested_vmx_entry_exit_ctls_update(vcpu); ++ nested_vmx_procbased_ctls_update(vcpu); + } + + if (boot_cpu_has(X86_FEATURE_INTEL_PT) && +-- +2.20.1 + diff --git a/queue-5.0/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch b/queue-5.0/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch new file mode 100644 index 00000000000..a607577f5c1 --- /dev/null +++ b/queue-5.0/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch @@ -0,0 +1,51 @@ +From 181f9e622f3b1bd95570f55f23a3173db13c75ea Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 27 Mar 2019 15:12:20 +0100 +Subject: KVM: x86: avoid misreporting level-triggered irqs as edge-triggered + in tracing + +[ Upstream commit 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e ] + +In __apic_accept_irq() interface trig_mode is int and actually on some code +paths it is set above u8: + +kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode +is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to +(1 << 15) & e->msi.data + +kvm_apic_local_deliver sets it to reg & (1 << 15). + +Fix the immediate issue by making 'tm' into u16. We may also want to adjust +__apic_accept_irq() interface and use proper sizes for vector, level, +trig_mode but this is not urgent. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h +index 6432d08c7de79..4d47a2631d1fb 100644 +--- a/arch/x86/kvm/trace.h ++++ b/arch/x86/kvm/trace.h +@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi, + ); + + TRACE_EVENT(kvm_apic_accept_irq, +- TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec), ++ TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec), + TP_ARGS(apicid, dm, tm, vec), + + TP_STRUCT__entry( + __field( __u32, apicid ) + __field( __u16, dm ) +- __field( __u8, tm ) ++ __field( __u16, tm ) + __field( __u8, vec ) + ), + +-- +2.20.1 + diff --git a/queue-5.0/kvm-x86-raise-gp-when-guest-vcpu-do-not-support-pmu.patch b/queue-5.0/kvm-x86-raise-gp-when-guest-vcpu-do-not-support-pmu.patch new file mode 100644 index 00000000000..e2e5f81191a --- /dev/null +++ b/queue-5.0/kvm-x86-raise-gp-when-guest-vcpu-do-not-support-pmu.patch @@ -0,0 +1,40 @@ +From 203d4ce96d1c7e027a30a3eeb5a623834bbf0d26 Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Mon, 25 Mar 2019 21:10:17 +0200 +Subject: KVM: x86: Raise #GP when guest vCPU do not support PMU + +[ Upstream commit 672ff6cff80ca43bf3258410d2b887036969df5f ] + +Before this change, reading a VMware pseduo PMC will succeed even when +PMU is not supported by guest. This can easily be seen by running +kvm-unit-test vmware_backdoors with "-cpu host,-pmu" option. + +Reviewed-by: Mihai Carabas +Signed-off-by: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/pmu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c +index 58ead7db71a31..e39741997893a 100644 +--- a/arch/x86/kvm/pmu.c ++++ b/arch/x86/kvm/pmu.c +@@ -281,9 +281,13 @@ static int kvm_pmu_rdpmc_vmware(struct kvm_vcpu *vcpu, unsigned idx, u64 *data) + int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data) + { + bool fast_mode = idx & (1u << 31); ++ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + struct kvm_pmc *pmc; + u64 ctr_val; + ++ if (!pmu->version) ++ return 1; ++ + if (is_vmware_backdoor_pmc(idx)) + return kvm_pmu_rdpmc_vmware(vcpu, idx, data); + +-- +2.20.1 + diff --git a/queue-5.0/libnvdimm-btt-fix-a-kmemdup-failure-check.patch b/queue-5.0/libnvdimm-btt-fix-a-kmemdup-failure-check.patch new file mode 100644 index 00000000000..1d50f661b79 --- /dev/null +++ b/queue-5.0/libnvdimm-btt-fix-a-kmemdup-failure-check.patch @@ -0,0 +1,59 @@ +From ca737b5804e368575bd770aa4df100a3816dd548 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Mon, 25 Mar 2019 16:55:27 -0500 +Subject: libnvdimm/btt: Fix a kmemdup failure check + +[ Upstream commit 486fa92df4707b5df58d6508728bdb9321a59766 ] + +In case kmemdup fails, the fix releases resources and returns to +avoid the NULL pointer dereference. + +Signed-off-by: Aditya Pakki +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/btt_devs.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c +index 795ad4ff35caf..e341498876cad 100644 +--- a/drivers/nvdimm/btt_devs.c ++++ b/drivers/nvdimm/btt_devs.c +@@ -190,14 +190,15 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + + nd_btt->id = ida_simple_get(&nd_region->btt_ida, 0, 0, GFP_KERNEL); +- if (nd_btt->id < 0) { +- kfree(nd_btt); +- return NULL; +- } ++ if (nd_btt->id < 0) ++ goto out_nd_btt; + + nd_btt->lbasize = lbasize; +- if (uuid) ++ if (uuid) { + uuid = kmemdup(uuid, 16, GFP_KERNEL); ++ if (!uuid) ++ goto out_put_id; ++ } + nd_btt->uuid = uuid; + dev = &nd_btt->dev; + dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); +@@ -212,6 +213,13 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + } + return dev; ++ ++out_put_id: ++ ida_simple_remove(&nd_region->btt_ida, nd_btt->id); ++ ++out_nd_btt: ++ kfree(nd_btt); ++ return NULL; + } + + struct device *nd_btt_create(struct nd_region *nd_region) +-- +2.20.1 + diff --git a/queue-5.0/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch b/queue-5.0/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch new file mode 100644 index 00000000000..595f2023292 --- /dev/null +++ b/queue-5.0/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch @@ -0,0 +1,38 @@ +From 021e38680b5b5a0e68af3a4a4f75802e463cbcbe Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 12 Mar 2019 03:20:34 -0500 +Subject: libnvdimm/namespace: Fix a potential NULL pointer dereference + +[ Upstream commit 55c1fc0af29a6c1b92f217b7eb7581a882e0c07c ] + +In case kmemdup fails, the fix goes to blk_err to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/namespace_devs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c +index 33a3b23b3db71..e761b29f71606 100644 +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -2249,9 +2249,12 @@ static struct device *create_namespace_blk(struct nd_region *nd_region, + if (!nsblk->uuid) + goto blk_err; + memcpy(name, nd_label->name, NSLABEL_NAME_LEN); +- if (name[0]) ++ if (name[0]) { + nsblk->alt_name = kmemdup(name, NSLABEL_NAME_LEN, + GFP_KERNEL); ++ if (!nsblk->alt_name) ++ goto blk_err; ++ } + res = nsblk_add_resource(nd_region, ndd, nsblk, + __le64_to_cpu(nd_label->dpa)); + if (!res) +-- +2.20.1 + diff --git a/queue-5.0/libnvdimm-pmem-fix-a-possible-oob-access-when-read-a.patch b/queue-5.0/libnvdimm-pmem-fix-a-possible-oob-access-when-read-a.patch new file mode 100644 index 00000000000..5ced3f0642c --- /dev/null +++ b/queue-5.0/libnvdimm-pmem-fix-a-possible-oob-access-when-read-a.patch @@ -0,0 +1,63 @@ +From 4b6329ae2b7b52cab41030cabf9a4a83473074de Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Thu, 4 Apr 2019 10:58:01 +0800 +Subject: libnvdimm/pmem: fix a possible OOB access when read and write pmem + +[ Upstream commit 9dc6488e84b0f64df17672271664752488cd6a25 ] + +If offset is not zero and length is bigger than PAGE_SIZE, +this will cause to out of boundary access to a page memory + +Fixes: 98cc093cba1e ("block, THP: make block_device_operations.rw_page support THP") +Co-developed-by: Liang ZhiCheng +Signed-off-by: Liang ZhiCheng +Signed-off-by: Li RongQing +Reviewed-by: Ira Weiny +Reviewed-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/pmem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c +index bc2f700feef8a..0279eb1da3ef5 100644 +--- a/drivers/nvdimm/pmem.c ++++ b/drivers/nvdimm/pmem.c +@@ -113,13 +113,13 @@ static void write_pmem(void *pmem_addr, struct page *page, + + while (len) { + mem = kmap_atomic(page); +- chunk = min_t(unsigned int, len, PAGE_SIZE); ++ chunk = min_t(unsigned int, len, PAGE_SIZE - off); + memcpy_flushcache(pmem_addr, mem + off, chunk); + kunmap_atomic(mem); + len -= chunk; + off = 0; + page++; +- pmem_addr += PAGE_SIZE; ++ pmem_addr += chunk; + } + } + +@@ -132,7 +132,7 @@ static blk_status_t read_pmem(struct page *page, unsigned int off, + + while (len) { + mem = kmap_atomic(page); +- chunk = min_t(unsigned int, len, PAGE_SIZE); ++ chunk = min_t(unsigned int, len, PAGE_SIZE - off); + rem = memcpy_mcsafe(mem + off, pmem_addr, chunk); + kunmap_atomic(mem); + if (rem) +@@ -140,7 +140,7 @@ static blk_status_t read_pmem(struct page *page, unsigned int off, + len -= chunk; + off = 0; + page++; +- pmem_addr += PAGE_SIZE; ++ pmem_addr += chunk; + } + return BLK_STS_OK; + } +-- +2.20.1 + diff --git a/queue-5.0/libnvdimm-security-provide-fix-for-secure-erase-to-u.patch b/queue-5.0/libnvdimm-security-provide-fix-for-secure-erase-to-u.patch new file mode 100644 index 00000000000..348698a6af4 --- /dev/null +++ b/queue-5.0/libnvdimm-security-provide-fix-for-secure-erase-to-u.patch @@ -0,0 +1,106 @@ +From 0dfa071b7289cf311bf82d9d9d828045263bb24b Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Wed, 27 Mar 2019 11:10:44 -0700 +Subject: libnvdimm/security: provide fix for secure-erase to use zero-key + +[ Upstream commit 037c8489ade669e0f09ad40d5b91e5e1159a14b1 ] + +Add a zero key in order to standardize hardware that want a key of 0's to +be passed. Some platforms defaults to a zero-key with security enabled +rather than allow the OS to enable the security. The zero key would allow +us to manage those platform as well. This also adds a fix to secure erase +so it can use the zero key to do crypto erase. Some other security commands +already use zero keys. This introduces a standard zero-key to allow +unification of semantics cross nvdimm security commands. + +Signed-off-by: Dave Jiang +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/security.c | 17 ++++++++++++----- + tools/testing/nvdimm/test/nfit.c | 11 +++++++++-- + 2 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c +index f8bb746a549f7..6bea6852bf278 100644 +--- a/drivers/nvdimm/security.c ++++ b/drivers/nvdimm/security.c +@@ -22,6 +22,8 @@ static bool key_revalidate = true; + module_param(key_revalidate, bool, 0444); + MODULE_PARM_DESC(key_revalidate, "Require key validation at init."); + ++static const char zero_key[NVDIMM_PASSPHRASE_LEN]; ++ + static void *key_data(struct key *key) + { + struct encrypted_key_payload *epayload = dereference_key_locked(key); +@@ -286,8 +288,9 @@ int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid, + { + struct device *dev = &nvdimm->dev; + struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev); +- struct key *key; ++ struct key *key = NULL; + int rc; ++ const void *data; + + /* The bus lock should be held at the top level of the call stack */ + lockdep_assert_held(&nvdimm_bus->reconfig_mutex); +@@ -319,11 +322,15 @@ int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid, + return -EOPNOTSUPP; + } + +- key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY); +- if (!key) +- return -ENOKEY; ++ if (keyid != 0) { ++ key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY); ++ if (!key) ++ return -ENOKEY; ++ data = key_data(key); ++ } else ++ data = zero_key; + +- rc = nvdimm->sec.ops->erase(nvdimm, key_data(key), pass_type); ++ rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type); + dev_dbg(dev, "key: %d erase%s: %s\n", key_serial(key), + pass_type == NVDIMM_MASTER ? "(master)" : "(user)", + rc == 0 ? "success" : "fail"); +diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c +index b579f962451d6..cad719876ef45 100644 +--- a/tools/testing/nvdimm/test/nfit.c ++++ b/tools/testing/nvdimm/test/nfit.c +@@ -225,6 +225,8 @@ static struct workqueue_struct *nfit_wq; + + static struct gen_pool *nfit_pool; + ++static const char zero_key[NVDIMM_PASSPHRASE_LEN]; ++ + static struct nfit_test *to_nfit_test(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); +@@ -1059,8 +1061,7 @@ static int nd_intel_test_cmd_secure_erase(struct nfit_test *t, + struct device *dev = &t->pdev.dev; + struct nfit_test_sec *sec = &dimm_sec_info[dimm]; + +- if (!(sec->state & ND_INTEL_SEC_STATE_ENABLED) || +- (sec->state & ND_INTEL_SEC_STATE_FROZEN)) { ++ if (sec->state & ND_INTEL_SEC_STATE_FROZEN) { + nd_cmd->status = ND_INTEL_STATUS_INVALID_STATE; + dev_dbg(dev, "secure erase: wrong security state\n"); + } else if (memcmp(nd_cmd->passphrase, sec->passphrase, +@@ -1068,6 +1069,12 @@ static int nd_intel_test_cmd_secure_erase(struct nfit_test *t, + nd_cmd->status = ND_INTEL_STATUS_INVALID_PASS; + dev_dbg(dev, "secure erase: wrong passphrase\n"); + } else { ++ if (!(sec->state & ND_INTEL_SEC_STATE_ENABLED) ++ && (memcmp(nd_cmd->passphrase, zero_key, ++ ND_INTEL_PASSPHRASE_SIZE) != 0)) { ++ dev_dbg(dev, "invalid zero key\n"); ++ return 0; ++ } + memset(sec->passphrase, 0, ND_INTEL_PASSPHRASE_SIZE); + memset(sec->master_passphrase, 0, ND_INTEL_PASSPHRASE_SIZE); + sec->state = 0; +-- +2.20.1 + diff --git a/queue-5.0/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch b/queue-5.0/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch new file mode 100644 index 00000000000..4c7edb363ec --- /dev/null +++ b/queue-5.0/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch @@ -0,0 +1,52 @@ +From 8a7687806e56715eefd334e4446682bb3d709376 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sat, 16 Mar 2019 18:06:31 +0100 +Subject: mac80211: fix memory accounting with A-MSDU aggregation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 ] + +skb->truesize can change due to memory reallocation or when adding extra +fragments. Adjust fq->memory_usage accordingly + +Signed-off-by: Felix Fietkau +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 928f13a208b05..714d80e48a102 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3214,6 +3214,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + u8 max_subframes = sta->sta.max_amsdu_subframes; + int max_frags = local->hw.max_tx_fragments; + int max_amsdu_len = sta->sta.max_amsdu_len; ++ int orig_truesize; + __be16 len; + void *data; + bool ret = false; +@@ -3254,6 +3255,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + if (!head || skb_is_gso(head)) + goto out; + ++ orig_truesize = head->truesize; + orig_len = head->len; + + if (skb->len + head->len > max_amsdu_len) +@@ -3311,6 +3313,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + *frag_tail = skb; + + out_recalc: ++ fq->memory_usage += head->truesize - orig_truesize; + if (head->len != orig_len) { + flow->backlog += head->len - orig_len; + tin->backlog_bytes += head->len - orig_len; +-- +2.20.1 + diff --git a/queue-5.0/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch b/queue-5.0/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch new file mode 100644 index 00000000000..863f104fcf6 --- /dev/null +++ b/queue-5.0/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch @@ -0,0 +1,33 @@ +From 5e011ec74ec21c36a1d46b5c56991d01779660a5 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 13 Mar 2019 18:54:27 +0100 +Subject: mac80211: fix unaligned access in mesh table hash function + +[ Upstream commit 40586e3fc400c00c11151804dcdc93f8c831c808 ] + +The pointer to the last four bytes of the address is not guaranteed to be +aligned, so we need to use __get_unaligned_cpu32 here + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_pathtbl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 88a6d5e18ccc9..ac1f5db529945 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath); + static u32 mesh_table_hash(const void *addr, u32 len, u32 seed) + { + /* Use last four bytes of hw addr as hash index */ +- return jhash_1word(*(u32 *)(addr+2), seed); ++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed); + } + + static const struct rhashtable_params mesh_rht_params = { +-- +2.20.1 + diff --git a/queue-5.0/mac80211-increase-max_msg_len.patch b/queue-5.0/mac80211-increase-max_msg_len.patch new file mode 100644 index 00000000000..df1567904bd --- /dev/null +++ b/queue-5.0/mac80211-increase-max_msg_len.patch @@ -0,0 +1,45 @@ +From 45945ac379ce196c4157e0bef783a4f185cb2d10 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Fri, 15 Mar 2019 17:38:57 +0200 +Subject: mac80211: Increase MAX_MSG_LEN + +[ Upstream commit 78be2d21cc1cd3069c6138dcfecec62583130171 ] + +Looks that 100 chars isn't enough for messages, as we keep getting +warnings popping from different places due to message shortening. +Instead of trying to shorten the prints, just increase the buffer size. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/trace_msg.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/trace_msg.h b/net/mac80211/trace_msg.h +index 366b9e6f043e2..40141df09f255 100644 +--- a/net/mac80211/trace_msg.h ++++ b/net/mac80211/trace_msg.h +@@ -1,4 +1,9 @@ + /* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Portions of this file ++ * Copyright (C) 2019 Intel Corporation ++ */ ++ + #ifdef CONFIG_MAC80211_MESSAGE_TRACING + + #if !defined(__MAC80211_MSG_DRIVER_TRACE) || defined(TRACE_HEADER_MULTI_READ) +@@ -11,7 +16,7 @@ + #undef TRACE_SYSTEM + #define TRACE_SYSTEM mac80211_msg + +-#define MAX_MSG_LEN 100 ++#define MAX_MSG_LEN 120 + + DECLARE_EVENT_CLASS(mac80211_msg_event, + TP_PROTO(struct va_format *vaf), +-- +2.20.1 + diff --git a/queue-5.0/mips-perf-ath79-fix-perfcount-irq-assignment.patch b/queue-5.0/mips-perf-ath79-fix-perfcount-irq-assignment.patch new file mode 100644 index 00000000000..0722b13cfef --- /dev/null +++ b/queue-5.0/mips-perf-ath79-fix-perfcount-irq-assignment.patch @@ -0,0 +1,118 @@ +From ef0b897af6fda289b8bb3a3785818f32cb07c6bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Fri, 12 Apr 2019 23:08:32 +0200 +Subject: MIPS: perf: ath79: Fix perfcount IRQ assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a1e8783db8e0d58891681bc1e6d9ada66eae8e20 ] + +Currently it's not possible to use perf on ath79 due to genirq flags +mismatch happening on static virtual IRQ 13 which is used for +performance counters hardware IRQ 5. + +On TP-Link Archer C7v5: + + CPU0 + 2: 0 MIPS 2 ath9k + 4: 318 MIPS 4 19000000.eth + 7: 55034 MIPS 7 timer + 8: 1236 MISC 3 ttyS0 + 12: 0 INTC 1 ehci_hcd:usb1 + 13: 0 gpio-ath79 2 keys + 14: 0 gpio-ath79 5 keys + 15: 31 AR724X PCI 1 ath10k_pci + + $ perf top + genirq: Flags mismatch irq 13. 00014c83 (mips_perf_pmu) vs. 00002003 (keys) + +On TP-Link Archer C7v4: + + CPU0 + 4: 0 MIPS 4 19000000.eth + 5: 7135 MIPS 5 1a000000.eth + 7: 98379 MIPS 7 timer + 8: 30 MISC 3 ttyS0 + 12: 90028 INTC 0 ath9k + 13: 5520 INTC 1 ehci_hcd:usb1 + 14: 4623 INTC 2 ehci_hcd:usb2 + 15: 32844 AR724X PCI 1 ath10k_pci + 16: 0 gpio-ath79 16 keys + 23: 0 gpio-ath79 23 keys + + $ perf top + genirq: Flags mismatch irq 13. 00014c80 (mips_perf_pmu) vs. 00000080 (ehci_hcd:usb1) + +This problem is happening, because currently statically assigned virtual +IRQ 13 for performance counters is not claimed during the initialization +of MIPS PMU during the bootup, so the IRQ subsystem doesn't know, that +this interrupt isn't available for further use. + +So this patch fixes the issue by simply booking hardware IRQ 5 for MIPS PMU. + +Tested-by: Kevin 'ldir' Darbyshire-Bryant +Signed-off-by: Petr Štetiar +Acked-by: John Crispin +Acked-by: Marc Zyngier +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Ralf Baechle +Cc: James Hogan +Cc: Thomas Gleixner +Cc: Jason Cooper +Signed-off-by: Sasha Levin +--- + arch/mips/ath79/setup.c | 6 ------ + drivers/irqchip/irq-ath79-misc.c | 11 +++++++++++ + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c +index 9728abcb18fac..c04ae685003f7 100644 +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -211,12 +211,6 @@ const char *get_system_type(void) + return ath79_sys_type; + } + +-int get_c0_perfcount_int(void) +-{ +- return ATH79_MISC_IRQ(5); +-} +-EXPORT_SYMBOL_GPL(get_c0_perfcount_int); +- + unsigned int get_c0_compare_int(void) + { + return CP0_LEGACY_COMPARE_IRQ; +diff --git a/drivers/irqchip/irq-ath79-misc.c b/drivers/irqchip/irq-ath79-misc.c +index aa72907846360..0390603170b40 100644 +--- a/drivers/irqchip/irq-ath79-misc.c ++++ b/drivers/irqchip/irq-ath79-misc.c +@@ -22,6 +22,15 @@ + #define AR71XX_RESET_REG_MISC_INT_ENABLE 4 + + #define ATH79_MISC_IRQ_COUNT 32 ++#define ATH79_MISC_PERF_IRQ 5 ++ ++static int ath79_perfcount_irq; ++ ++int get_c0_perfcount_int(void) ++{ ++ return ath79_perfcount_irq; ++} ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + static void ath79_misc_irq_handler(struct irq_desc *desc) + { +@@ -113,6 +122,8 @@ static void __init ath79_misc_intc_domain_init( + { + void __iomem *base = domain->host_data; + ++ ath79_perfcount_irq = irq_create_mapping(domain, ATH79_MISC_PERF_IRQ); ++ + /* Disable and clear all interrupts */ + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_ENABLE); + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_STATUS); +-- +2.20.1 + diff --git a/queue-5.0/misdn-check-address-length-before-reading-address-fa.patch b/queue-5.0/misdn-check-address-length-before-reading-address-fa.patch new file mode 100644 index 00000000000..d003d3528f5 --- /dev/null +++ b/queue-5.0/misdn-check-address-length-before-reading-address-fa.patch @@ -0,0 +1,37 @@ +From b7521968faa242fe941d60cd3c5e4c309d6ab3f9 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 12 Apr 2019 19:52:36 +0900 +Subject: mISDN: Check address length before reading address family + +[ Upstream commit 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 ] + +KMSAN will complain if valid address length passed to bind() is shorter +than sizeof("struct sockaddr_mISDN"->family) bytes. + +Signed-off-by: Tetsuo Handa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index 15d3ca37669a4..04da3a17cd950 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -710,10 +710,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + struct sock *sk = sock->sk; + int err = 0; + +- if (!maddr || maddr->family != AF_ISDN) ++ if (addr_len < sizeof(struct sockaddr_mISDN)) + return -EINVAL; + +- if (addr_len < sizeof(struct sockaddr_mISDN)) ++ if (!maddr || maddr->family != AF_ISDN) + return -EINVAL; + + lock_sock(sk); +-- +2.20.1 + diff --git a/queue-5.0/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch b/queue-5.0/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch new file mode 100644 index 00000000000..a579be75cfe --- /dev/null +++ b/queue-5.0/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch @@ -0,0 +1,143 @@ +From a46082331c93bb10e3f08a907fa330e78e446509 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 18 Apr 2019 17:50:34 -0700 +Subject: mm: fix inactive list balancing between NUMA nodes and cgroups + +[ Upstream commit 3b991208b897f52507168374033771a984b947b1 ] + +During !CONFIG_CGROUP reclaim, we expand the inactive list size if it's +thrashing on the node that is about to be reclaimed. But when cgroups +are enabled, we suddenly ignore the node scope and use the cgroup scope +only. The result is that pressure bleeds between NUMA nodes depending +on whether cgroups are merely compiled into Linux. This behavioral +difference is unexpected and undesirable. + +When the refault adaptivity of the inactive list was first introduced, +there were no statistics at the lruvec level - the intersection of node +and memcg - so it was better than nothing. + +But now that we have that infrastructure, use lruvec_page_state() to +make the list balancing decision always NUMA aware. + +[hannes@cmpxchg.org: fix bisection hole] + Link: http://lkml.kernel.org/r/20190417155241.GB23013@cmpxchg.org +Link: http://lkml.kernel.org/r/20190412144438.2645-1-hannes@cmpxchg.org +Fixes: 2a2e48854d70 ("mm: vmscan: fix IO/refault regression in cache workingset transition") +Signed-off-by: Johannes Weiner +Reviewed-by: Shakeel Butt +Cc: Roman Gushchin +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/vmscan.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/mm/vmscan.c b/mm/vmscan.c +index e979705bbf325..022afabac3f69 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2199,7 +2199,6 @@ static void shrink_active_list(unsigned long nr_to_scan, + * 10TB 320 32GB + */ + static bool inactive_list_is_low(struct lruvec *lruvec, bool file, +- struct mem_cgroup *memcg, + struct scan_control *sc, bool actual_reclaim) + { + enum lru_list active_lru = file * LRU_FILE + LRU_ACTIVE; +@@ -2220,16 +2219,12 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file, + inactive = lruvec_lru_size(lruvec, inactive_lru, sc->reclaim_idx); + active = lruvec_lru_size(lruvec, active_lru, sc->reclaim_idx); + +- if (memcg) +- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE); +- else +- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE); +- + /* + * When refaults are being observed, it means a new workingset + * is being established. Disable active list protection to get + * rid of the stale workingset quickly. + */ ++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE); + if (file && actual_reclaim && lruvec->refaults != refaults) { + inactive_ratio = 0; + } else { +@@ -2250,12 +2245,10 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file, + } + + static unsigned long shrink_list(enum lru_list lru, unsigned long nr_to_scan, +- struct lruvec *lruvec, struct mem_cgroup *memcg, +- struct scan_control *sc) ++ struct lruvec *lruvec, struct scan_control *sc) + { + if (is_active_lru(lru)) { +- if (inactive_list_is_low(lruvec, is_file_lru(lru), +- memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, is_file_lru(lru), sc, true)) + shrink_active_list(nr_to_scan, lruvec, sc, lru); + return 0; + } +@@ -2355,7 +2348,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg, + * anonymous pages on the LRU in eligible zones. + * Otherwise, the small LRU gets thrashed. + */ +- if (!inactive_list_is_low(lruvec, false, memcg, sc, false) && ++ if (!inactive_list_is_low(lruvec, false, sc, false) && + lruvec_lru_size(lruvec, LRU_INACTIVE_ANON, sc->reclaim_idx) + >> sc->priority) { + scan_balance = SCAN_ANON; +@@ -2373,7 +2366,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg, + * lruvec even if it has plenty of old anonymous pages unless the + * system is under heavy pressure. + */ +- if (!inactive_list_is_low(lruvec, true, memcg, sc, false) && ++ if (!inactive_list_is_low(lruvec, true, sc, false) && + lruvec_lru_size(lruvec, LRU_INACTIVE_FILE, sc->reclaim_idx) >> sc->priority) { + scan_balance = SCAN_FILE; + goto out; +@@ -2526,7 +2519,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc + nr[lru] -= nr_to_scan; + + nr_reclaimed += shrink_list(lru, nr_to_scan, +- lruvec, memcg, sc); ++ lruvec, sc); + } + } + +@@ -2593,7 +2586,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc + * Even if we did not try to evict anon pages at all, we want to + * rebalance the anon lru active/inactive ratio. + */ +- if (inactive_list_is_low(lruvec, false, memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, false, sc, true)) + shrink_active_list(SWAP_CLUSTER_MAX, lruvec, + sc, LRU_ACTIVE_ANON); + } +@@ -2993,12 +2986,8 @@ static void snapshot_refaults(struct mem_cgroup *root_memcg, pg_data_t *pgdat) + unsigned long refaults; + struct lruvec *lruvec; + +- if (memcg) +- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE); +- else +- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE); +- + lruvec = mem_cgroup_lruvec(pgdat, memcg); ++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE); + lruvec->refaults = refaults; + } while ((memcg = mem_cgroup_iter(root_memcg, memcg, NULL))); + } +@@ -3363,7 +3352,7 @@ static void age_active_anon(struct pglist_data *pgdat, + do { + struct lruvec *lruvec = mem_cgroup_lruvec(pgdat, memcg); + +- if (inactive_list_is_low(lruvec, false, memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, false, sc, true)) + shrink_active_list(SWAP_CLUSTER_MAX, lruvec, + sc, LRU_ACTIVE_ANON); + +-- +2.20.1 + diff --git a/queue-5.0/mm-hotplug-treat-cma-pages-as-unmovable.patch b/queue-5.0/mm-hotplug-treat-cma-pages-as-unmovable.patch new file mode 100644 index 00000000000..7c73897e9de --- /dev/null +++ b/queue-5.0/mm-hotplug-treat-cma-pages-as-unmovable.patch @@ -0,0 +1,129 @@ +From fff821d6af97b9da2e03f3b645e0bc3d99bc068f Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 18 Apr 2019 17:50:30 -0700 +Subject: mm/hotplug: treat CMA pages as unmovable + +[ Upstream commit 1a9f219157b22d0ffb340a9c5f431afd02cd2cf3 ] + +has_unmovable_pages() is used by allocating CMA and gigantic pages as +well as the memory hotplug. The later doesn't know how to offline CMA +pool properly now, but if an unused (free) CMA page is encountered, then +has_unmovable_pages() happily considers it as a free memory and +propagates this up the call chain. Memory offlining code then frees the +page without a proper CMA tear down which leads to an accounting issues. +Moreover if the same memory range is onlined again then the memory never +gets back to the CMA pool. + +State after memory offline: + + # grep cma /proc/vmstat + nr_free_cma 205824 + + # cat /sys/kernel/debug/cma/cma-kvm_cma/count + 209920 + +Also, kmemleak still think those memory address are reserved below but +have already been used by the buddy allocator after onlining. This +patch fixes the situation by treating CMA pageblocks as unmovable except +when has_unmovable_pages() is called as part of CMA allocation. + + Offlined Pages 4096 + kmemleak: Cannot insert 0xc000201f7d040008 into the object search tree (overlaps existing) + Call Trace: + dump_stack+0xb0/0xf4 (unreliable) + create_object+0x344/0x380 + __kmalloc_node+0x3ec/0x860 + kvmalloc_node+0x58/0x110 + seq_read+0x41c/0x620 + __vfs_read+0x3c/0x70 + vfs_read+0xbc/0x1a0 + ksys_read+0x7c/0x140 + system_call+0x5c/0x70 + kmemleak: Kernel memory leak detector disabled + kmemleak: Object 0xc000201cc8000000 (size 13757317120): + kmemleak: comm "swapper/0", pid 0, jiffies 4294937297 + kmemleak: min_count = -1 + kmemleak: count = 0 + kmemleak: flags = 0x5 + kmemleak: checksum = 0 + kmemleak: backtrace: + cma_declare_contiguous+0x2a4/0x3b0 + kvm_cma_reserve+0x11c/0x134 + setup_arch+0x300/0x3f8 + start_kernel+0x9c/0x6e8 + start_here_common+0x1c/0x4b0 + kmemleak: Automatic memory scanning thread ended + +[cai@lca.pw: use is_migrate_cma_page() and update commit log] + Link: http://lkml.kernel.org/r/20190416170510.20048-1-cai@lca.pw +Link: http://lkml.kernel.org/r/20190413002623.8967-1-cai@lca.pw +Signed-off-by: Qian Cai +Acked-by: Michal Hocko +Acked-by: Vlastimil Babka +Reviewed-by: Oscar Salvador +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 318ef6ccdb3b5..eedb57f9b40b5 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -7945,7 +7945,10 @@ void *__init alloc_large_system_hash(const char *tablename, + bool has_unmovable_pages(struct zone *zone, struct page *page, int count, + int migratetype, int flags) + { +- unsigned long pfn, iter, found; ++ unsigned long found; ++ unsigned long iter = 0; ++ unsigned long pfn = page_to_pfn(page); ++ const char *reason = "unmovable page"; + + /* + * TODO we could make this much more efficient by not checking every +@@ -7955,17 +7958,20 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count, + * can still lead to having bootmem allocations in zone_movable. + */ + +- /* +- * CMA allocations (alloc_contig_range) really need to mark isolate +- * CMA pageblocks even when they are not movable in fact so consider +- * them movable here. +- */ +- if (is_migrate_cma(migratetype) && +- is_migrate_cma(get_pageblock_migratetype(page))) +- return false; ++ if (is_migrate_cma_page(page)) { ++ /* ++ * CMA allocations (alloc_contig_range) really need to mark ++ * isolate CMA pageblocks even when they are not movable in fact ++ * so consider them movable here. ++ */ ++ if (is_migrate_cma(migratetype)) ++ return false; ++ ++ reason = "CMA page"; ++ goto unmovable; ++ } + +- pfn = page_to_pfn(page); +- for (found = 0, iter = 0; iter < pageblock_nr_pages; iter++) { ++ for (found = 0; iter < pageblock_nr_pages; iter++) { + unsigned long check = pfn + iter; + + if (!pfn_valid_within(check)) +@@ -8045,7 +8051,7 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count, + unmovable: + WARN_ON_ONCE(zone_idx(zone) == ZONE_MOVABLE); + if (flags & REPORT_FAILURE) +- dump_page(pfn_to_page(pfn+iter), "unmovable page"); ++ dump_page(pfn_to_page(pfn + iter), reason); + return true; + } + +-- +2.20.1 + diff --git a/queue-5.0/mm-memory_hotplug.c-drop-memory-device-reference-aft.patch b/queue-5.0/mm-memory_hotplug.c-drop-memory-device-reference-aft.patch new file mode 100644 index 00000000000..acda8dac3c7 --- /dev/null +++ b/queue-5.0/mm-memory_hotplug.c-drop-memory-device-reference-aft.patch @@ -0,0 +1,49 @@ +From a12db310039156e4a59a314890d8ef26f0a98353 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 25 Apr 2019 22:23:37 -0700 +Subject: mm/memory_hotplug.c: drop memory device reference after + find_memory_block() + +[ Upstream commit 89c02e69fc5245f8a2f34b58b42d43a737af1a5e ] + +Right now we are using find_memory_block() to get the node id for the +pfn range to online. We are missing to drop a reference to the memory +block device. While the device still gets unregistered via +device_unregister(), resulting in no user visible problem, the device is +never released via device_release(), resulting in a memory leak. Fix +that by properly using a put_device(). + +Link: http://lkml.kernel.org/r/20190411110955.1430-1-david@redhat.com +Fixes: d0dc12e86b31 ("mm/memory_hotplug: optimize memory hotplug") +Signed-off-by: David Hildenbrand +Reviewed-by: Oscar Salvador +Reviewed-by: Wei Yang +Acked-by: Michal Hocko +Acked-by: Pankaj Gupta +Cc: David Hildenbrand +Cc: Pavel Tatashin +Cc: Qian Cai +Cc: Arun KS +Cc: Mathieu Malaterre +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 11593a03c051f..7493f50ee8800 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -858,6 +858,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ + */ + mem = find_memory_block(__pfn_to_section(pfn)); + nid = mem->nid; ++ put_device(&mem->dev); + + /* associate pfn range with the zone */ + zone = move_pfn_range(online_type, nid, pfn, nr_pages); +-- +2.20.1 + diff --git a/queue-5.0/mm-page_alloc.c-avoid-potential-null-pointer-derefer.patch b/queue-5.0/mm-page_alloc.c-avoid-potential-null-pointer-derefer.patch new file mode 100644 index 00000000000..a2f635d4936 --- /dev/null +++ b/queue-5.0/mm-page_alloc.c-avoid-potential-null-pointer-derefer.patch @@ -0,0 +1,41 @@ +From ec564ec4f2654cdc6b48e5cd48fe7eb9d1eb6c93 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Thu, 25 Apr 2019 22:23:58 -0700 +Subject: mm/page_alloc.c: avoid potential NULL pointer dereference + +[ Upstream commit 8139ad043d632c0e9e12d760068a7a8e91659aa1 ] + +ac.preferred_zoneref->zone passed to alloc_flags_nofragment() can be NULL. +'zone' pointer unconditionally derefernced in alloc_flags_nofragment(). +Bail out on NULL zone to avoid potential crash. Currently we don't see +any crashes only because alloc_flags_nofragment() has another bug which +allows compiler to optimize away all accesses to 'zone'. + +Link: http://lkml.kernel.org/r/20190423120806.3503-1-aryabinin@virtuozzo.com +Fixes: 6bb154504f8b ("mm, page_alloc: spread allocations across zones before introducing fragmentation") +Signed-off-by: Andrey Ryabinin +Acked-by: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index eedb57f9b40b5..d59be95ba45cf 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3385,6 +3385,9 @@ alloc_flags_nofragment(struct zone *zone, gfp_t gfp_mask) + alloc_flags |= ALLOC_KSWAPD; + + #ifdef CONFIG_ZONE_DMA32 ++ if (!zone) ++ return alloc_flags; ++ + if (zone_idx(zone) != ZONE_NORMAL) + goto out; + +-- +2.20.1 + diff --git a/queue-5.0/net-mvpp2-fix-validate-for-ppv2.1.patch b/queue-5.0/net-mvpp2-fix-validate-for-ppv2.1.patch new file mode 100644 index 00000000000..9b5193df8e3 --- /dev/null +++ b/queue-5.0/net-mvpp2-fix-validate-for-ppv2.1.patch @@ -0,0 +1,37 @@ +From c6cd8632b739976f59d7ba9ebc397a733e0e4c3e Mon Sep 17 00:00:00 2001 +From: Antoine Tenart +Date: Fri, 1 Mar 2019 11:52:08 +0100 +Subject: net: mvpp2: fix validate for PPv2.1 + +[ Upstream commit 8b318f30ab4ef9bbc1241e6f8c1db366dbd347f2 ] + +The Phylink validate function is the Marvell PPv2 driver makes a check +on the GoP id. This is valid an has to be done when using PPv2.2 engines +but makes no sense when using PPv2.1. The check done when using an RGMII +interface makes sure the GoP id is not 0, but this breaks PPv2.1. Fixes +it. + +Fixes: 0fb628f0f250 ("net: mvpp2: fix phylink handling of invalid PHY modes") +Signed-off-by: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 931beac3359d1..70031e2b22944 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4370,7 +4370,7 @@ static void mvpp2_phylink_validate(struct net_device *dev, + case PHY_INTERFACE_MODE_RGMII_ID: + case PHY_INTERFACE_MODE_RGMII_RXID: + case PHY_INTERFACE_MODE_RGMII_TXID: +- if (port->gop_id == 0) ++ if (port->priv->hw_version == MVPP22 && port->gop_id == 0) + goto empty_set; + break; + default: +-- +2.20.1 + diff --git a/queue-5.0/net-sched-fix-cleanup-null-pointer-exception-in-act_.patch b/queue-5.0/net-sched-fix-cleanup-null-pointer-exception-in-act_.patch new file mode 100644 index 00000000000..35ebbc554ba --- /dev/null +++ b/queue-5.0/net-sched-fix-cleanup-null-pointer-exception-in-act_.patch @@ -0,0 +1,92 @@ +From 940d9dd615e3fbfb9834545b0f3211def0502bb0 Mon Sep 17 00:00:00 2001 +From: John Hurley +Date: Fri, 22 Mar 2019 12:37:35 +0000 +Subject: net: sched: fix cleanup NULL pointer exception in act_mirr + +[ Upstream commit 064c5d6881e897077639e04973de26440ee205e6 ] + +A new mirred action is created by the tcf_mirred_init function. This +contains a list head struct which is inserted into a global list on +successful creation of a new action. However, after a creation, it is +still possible to error out and call the tcf_idr_release function. This, +in turn, calls the act_mirr cleanup function via __tcf_idr_release and +__tcf_action_put. This cleanup function tries to delete the list entry +which is as yet uninitialised, leading to a NULL pointer exception. + +Fix this by initialising the list entry on creation of a new action. + +Bug report: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0 +Oops: 0002 [#1] SMP PTI +CPU: 32 PID: 5636 Comm: handler194 Tainted: G OE 5.0.0+ #186 +Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015 +RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred] +Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00 +RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0 +RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000 +R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001 +R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000 +FS: 00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0 +Call Trace: +tcf_action_cleanup+0x59/0xca +__tcf_action_put+0x54/0x6b +__tcf_idr_release.cold.33+0x9/0x12 +tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred] +tcf_action_init_1+0x3d0/0x4c0 +tcf_action_init+0x9c/0x130 +tcf_exts_validate+0xab/0xc0 +fl_change+0x1ca/0x982 [cls_flower] +tc_new_tfilter+0x647/0x8d0 +? load_balance+0x14b/0x9e0 +rtnetlink_rcv_msg+0xe3/0x370 +? __switch_to_asm+0x40/0x70 +? __switch_to_asm+0x34/0x70 +? _cond_resched+0x15/0x30 +? __kmalloc_node_track_caller+0x1d4/0x2b0 +? rtnl_calcit.isra.31+0xf0/0xf0 +netlink_rcv_skb+0x49/0x110 +netlink_unicast+0x16f/0x210 +netlink_sendmsg+0x1df/0x390 +sock_sendmsg+0x36/0x40 +___sys_sendmsg+0x27b/0x2c0 +? futex_wake+0x80/0x140 +? do_futex+0x2b9/0xac0 +? ep_scan_ready_list.constprop.22+0x1f2/0x210 +? ep_poll+0x7a/0x430 +__sys_sendmsg+0x47/0x80 +do_syscall_64+0x55/0x100 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock") +Signed-off-by: John Hurley +Reviewed-by: Jakub Kicinski +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index c8cf4d10c4355..971dc03304f42 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -159,6 +159,9 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, + } + m = to_mirred(*a); + ++ if (ret == ACT_P_CREATED) ++ INIT_LIST_HEAD(&m->tcfm_list); ++ + spin_lock_bh(&m->tcf_lock); + m->tcf_action = parm->action; + m->tcfm_eaction = parm->eaction; +-- +2.20.1 + diff --git a/queue-5.0/net-vrf-fix-operation-not-supported-when-set-vrf-mac.patch b/queue-5.0/net-vrf-fix-operation-not-supported-when-set-vrf-mac.patch new file mode 100644 index 00000000000..68246b13307 --- /dev/null +++ b/queue-5.0/net-vrf-fix-operation-not-supported-when-set-vrf-mac.patch @@ -0,0 +1,42 @@ +From 014ce98139c0a9534360d982c0ee241c1b91cfe1 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Sat, 20 Apr 2019 12:09:39 +0800 +Subject: net: vrf: Fix operation not supported when set vrf mac + +[ Upstream commit 6819e3f6d83a24777813b0d031ebe0861694db5a ] + +Vrf device is not able to change mac address now because lack of +ndo_set_mac_address. Complete this in case some apps need to do +this. + +Reported-by: Hui Wang +Signed-off-by: Miaohe Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index cd15c32b2e436..9ee4d7402ca23 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -875,6 +875,7 @@ static const struct net_device_ops vrf_netdev_ops = { + .ndo_init = vrf_dev_init, + .ndo_uninit = vrf_dev_uninit, + .ndo_start_xmit = vrf_xmit, ++ .ndo_set_mac_address = eth_mac_addr, + .ndo_get_stats64 = vrf_get_stats64, + .ndo_add_slave = vrf_add_slave, + .ndo_del_slave = vrf_del_slave, +@@ -1274,6 +1275,7 @@ static void vrf_setup(struct net_device *dev) + /* default to no qdisc; user can add if desired */ + dev->priv_flags |= IFF_NO_QUEUE; + dev->priv_flags |= IFF_NO_RX_HANDLER; ++ dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + + /* VRF devices do not care about MTU, but if the MTU is set + * too low then the ipv4 and ipv6 protocols are disabled +-- +2.20.1 + diff --git a/queue-5.0/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch b/queue-5.0/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch new file mode 100644 index 00000000000..db9f55bfc7f --- /dev/null +++ b/queue-5.0/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch @@ -0,0 +1,177 @@ +From b9c8734b8a5f24dd3fd7641576389827d68451cc Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 1 Apr 2019 13:08:54 +0200 +Subject: netfilter: ctnetlink: don't use conntrack/expect object addresses as + id + +[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ] + +else, we leak the addresses to userspace via ctnetlink events +and dumps. + +Compute an ID on demand based on the immutable parts of nf_conn struct. + +Another advantage compared to using an address is that there is no +immediate re-use of the same ID in case the conntrack entry is freed and +reallocated again immediately. + +Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID") +Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 2 ++ + net/netfilter/nf_conntrack_core.c | 35 ++++++++++++++++++++++++++++ + net/netfilter/nf_conntrack_netlink.c | 34 +++++++++++++++++++++++---- + 3 files changed, 66 insertions(+), 5 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 249d0a5b12b82..63fd47e924b92 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -318,6 +318,8 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, + gfp_t flags); + void nf_ct_tmpl_free(struct nf_conn *tmpl); + ++u32 nf_ct_get_id(const struct nf_conn *ct); ++ + static inline void + nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info) + { +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 9dd4c2048a2ba..1982faf21ebb5 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -424,6 +425,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, + } + EXPORT_SYMBOL_GPL(nf_ct_invert_tuple); + ++/* Generate a almost-unique pseudo-id for a given conntrack. ++ * ++ * intentionally doesn't re-use any of the seeds used for hash ++ * table location, we assume id gets exposed to userspace. ++ * ++ * Following nf_conn items do not change throughout lifetime ++ * of the nf_conn after it has been committed to main hash table: ++ * ++ * 1. nf_conn address ++ * 2. nf_conn->ext address ++ * 3. nf_conn->master address (normally NULL) ++ * 4. tuple ++ * 5. the associated net namespace ++ */ ++u32 nf_ct_get_id(const struct nf_conn *ct) ++{ ++ static __read_mostly siphash_key_t ct_id_seed; ++ unsigned long a, b, c, d; ++ ++ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed)); ++ ++ a = (unsigned long)ct; ++ b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct)); ++ c = (unsigned long)ct->ext; ++ d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash), ++ &ct_id_seed); ++#ifdef CONFIG_64BIT ++ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed); ++#else ++ return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed); ++#endif ++} ++EXPORT_SYMBOL_GPL(nf_ct_get_id); ++ + static void + clean_from_lists(struct nf_conn *ct) + { +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 1213beb5a7146..36619ad8ab8c2 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -485,7 +486,9 @@ static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct) + + static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) + { +- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) ++ __be32 id = (__force __be32)nf_ct_get_id(ct); ++ ++ if (nla_put_be32(skb, CTA_ID, id)) + goto nla_put_failure; + return 0; + +@@ -1286,8 +1289,9 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, + } + + if (cda[CTA_ID]) { +- u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); +- if (id != (u32)(unsigned long)ct) { ++ __be32 id = nla_get_be32(cda[CTA_ID]); ++ ++ if (id != (__force __be32)nf_ct_get_id(ct)) { + nf_ct_put(ct); + return -ENOENT; + } +@@ -2694,6 +2698,25 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb, + + static const union nf_inet_addr any_addr; + ++static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) ++{ ++ static __read_mostly siphash_key_t exp_id_seed; ++ unsigned long a, b, c, d; ++ ++ net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); ++ ++ a = (unsigned long)exp; ++ b = (unsigned long)exp->helper; ++ c = (unsigned long)exp->master; ++ d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); ++ ++#ifdef CONFIG_64BIT ++ return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); ++#else ++ return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); ++#endif ++} ++ + static int + ctnetlink_exp_dump_expect(struct sk_buff *skb, + const struct nf_conntrack_expect *exp) +@@ -2741,7 +2764,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb, + } + #endif + if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || +- nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || ++ nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || + nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || + nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) + goto nla_put_failure; +@@ -3046,7 +3069,8 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl, + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); +- if (ntohl(id) != (u32)(unsigned long)exp) { ++ ++ if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); + return -ENOENT; + } +-- +2.20.1 + diff --git a/queue-5.0/netfilter-fix-nf_l4proto_log_invalid-to-log-invalid-.patch b/queue-5.0/netfilter-fix-nf_l4proto_log_invalid-to-log-invalid-.patch new file mode 100644 index 00000000000..f83bdb7e219 --- /dev/null +++ b/queue-5.0/netfilter-fix-nf_l4proto_log_invalid-to-log-invalid-.patch @@ -0,0 +1,37 @@ +From fc578e2fb36b4ec9de1a189f271fa5e0804d9198 Mon Sep 17 00:00:00 2001 +From: Andrei Vagin +Date: Wed, 17 Apr 2019 09:49:44 -0700 +Subject: netfilter: fix nf_l4proto_log_invalid to log invalid packets + +[ Upstream commit d48668052b2603b6262459625c86108c493588dd ] + +It doesn't log a packet if sysctl_log_invalid isn't equal to protonum +OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is +always true. I believe we need to replace OR to AND. + +Cc: Florian Westphal +Fixes: c4f3db1595827 ("netfilter: conntrack: add and use nf_l4proto_log_invalid") +Signed-off-by: Andrei Vagin +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c +index 859f5d07a9159..78361e462e802 100644 +--- a/net/netfilter/nf_conntrack_proto.c ++++ b/net/netfilter/nf_conntrack_proto.c +@@ -86,7 +86,7 @@ void nf_l4proto_log_invalid(const struct sk_buff *skb, + struct va_format vaf; + va_list args; + +- if (net->ct.sysctl_log_invalid != protonum || ++ if (net->ct.sysctl_log_invalid != protonum && + net->ct.sysctl_log_invalid != IPPROTO_RAW) + return; + +-- +2.20.1 + diff --git a/queue-5.0/netfilter-nat-fix-icmp-id-randomization.patch b/queue-5.0/netfilter-nat-fix-icmp-id-randomization.patch new file mode 100644 index 00000000000..4b837017740 --- /dev/null +++ b/queue-5.0/netfilter-nat-fix-icmp-id-randomization.patch @@ -0,0 +1,174 @@ +From 2f35a392f856617eb0e478ab173ed437aae55307 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 9 Apr 2019 14:45:20 +0200 +Subject: netfilter: nat: fix icmp id randomization + +[ Upstream commit 5bdac418f33f60b07a34e01e722889140ee8fac9 ] + +Sven Auhagen reported that a 2nd ping request will fail if 'fully-random' +mode is used. + +Reason is that if no proto information is given, min/max are both 0, +so we set the icmp id to 0 instead of chosing a random value between +0 and 65535. + +Update test case as well to catch this, without fix this yields: +[..] +ERROR: cannot ping ns1 from ns2 with ip masquerade fully-random (attempt 2) +ERROR: cannot ping ns1 from ns2 with ipv6 masquerade fully-random (attempt 2) + +... becaus 2nd ping clashes with existing 'id 0' icmp conntrack and gets +dropped. + +Fixes: 203f2e78200c27e ("netfilter: nat: remove l4proto->unique_tuple") +Reported-by: Sven Auhagen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_nat_core.c | 11 ++++-- + tools/testing/selftests/netfilter/nft_nat.sh | 36 +++++++++++++++----- + 2 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c +index d159e9e7835b4..ade527565127b 100644 +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -358,9 +358,14 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, + case IPPROTO_ICMPV6: + /* id is same for either direction... */ + keyptr = &tuple->src.u.icmp.id; +- min = range->min_proto.icmp.id; +- range_size = ntohs(range->max_proto.icmp.id) - +- ntohs(range->min_proto.icmp.id) + 1; ++ if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { ++ min = 0; ++ range_size = 65536; ++ } else { ++ min = ntohs(range->min_proto.icmp.id); ++ range_size = ntohs(range->max_proto.icmp.id) - ++ ntohs(range->min_proto.icmp.id) + 1; ++ } + goto find_free_id; + #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE) + case IPPROTO_GRE: +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index 8ec76681605cc..3194007cf8d1b 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -321,6 +321,7 @@ EOF + + test_masquerade6() + { ++ local natflags=$1 + local lret=0 + + ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null +@@ -354,13 +355,13 @@ ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 + if [ $? -ne 0 ] ; then +- echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading" ++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerade $natflags" + lret=1 + fi + +@@ -397,19 +398,26 @@ EOF + fi + done + ++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerade $natflags (attempt 2)" ++ lret=1 ++ fi ++ + ip netns exec ns0 nft flush chain ip6 nat postrouting + if [ $? -ne 0 ]; then + echo "ERROR: Could not flush ip6 nat postrouting" 1>&2 + lret=1 + fi + +- test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2" ++ test $lret -eq 0 && echo "PASS: IPv6 masquerade $natflags for ns2" + + return $lret + } + + test_masquerade() + { ++ local natflags=$1 + local lret=0 + + ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null +@@ -417,7 +425,7 @@ test_masquerade() + + ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 + if [ $? -ne 0 ] ; then +- echo "ERROR: canot ping ns1 from ns2" ++ echo "ERROR: cannot ping ns1 from ns2 $natflags" + lret=1 + fi + +@@ -443,13 +451,13 @@ ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 + if [ $? -ne 0 ] ; then +- echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading" ++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquere $natflags" + lret=1 + fi + +@@ -485,13 +493,19 @@ EOF + fi + done + ++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquerade $natflags (attempt 2)" ++ lret=1 ++ fi ++ + ip netns exec ns0 nft flush chain ip nat postrouting + if [ $? -ne 0 ]; then + echo "ERROR: Could not flush nat postrouting" 1>&2 + lret=1 + fi + +- test $lret -eq 0 && echo "PASS: IP masquerade for ns2" ++ test $lret -eq 0 && echo "PASS: IP masquerade $natflags for ns2" + + return $lret + } +@@ -750,8 +764,12 @@ test_local_dnat + test_local_dnat6 + + reset_counters +-test_masquerade +-test_masquerade6 ++test_masquerade "" ++test_masquerade6 "" ++ ++reset_counters ++test_masquerade "fully-random" ++test_masquerade6 "fully-random" + + reset_counters + test_redirect +-- +2.20.1 + diff --git a/queue-5.0/netfilter-never-get-set-skb-tstamp.patch b/queue-5.0/netfilter-never-get-set-skb-tstamp.patch new file mode 100644 index 00000000000..8ca3be3b310 --- /dev/null +++ b/queue-5.0/netfilter-never-get-set-skb-tstamp.patch @@ -0,0 +1,121 @@ +From 47663fb01cbb1c2369e828e26335ecce0534014e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 17 Apr 2019 02:17:23 +0200 +Subject: netfilter: never get/set skb->tstamp + +[ Upstream commit 916f6efae62305796e012e7c3a7884a267cbacbf ] + +setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq +scheduler. skb->tstamp might be "refreshed" using ktime_get_real(), +but fq expects CLOCK_MONOTONIC. + +This patch removes all places in netfilter that check/set skb->tstamp: + +1. To fix the bogus "start" time seen with conntrack timestamping for + outgoing packets, never use skb->tstamp and always use current time. +2. In nfqueue and nflog, only use skb->tstamp for incoming packets, + as determined by current hook (prerouting, input, forward). +3. xt_time has to use system clock as well rather than skb->tstamp. + We could still use skb->tstamp for prerouting/input/foward, but + I see no advantage to make this conditional. + +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Cc: Eric Dumazet +Reported-by: Michal Soltys +Signed-off-by: Florian Westphal +Acked-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 7 ++----- + net/netfilter/nfnetlink_log.c | 2 +- + net/netfilter/nfnetlink_queue.c | 2 +- + net/netfilter/xt_time.c | 23 ++++++++++++++--------- + 4 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 1982faf21ebb5..d7ac2f82bb6d8 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -983,12 +983,9 @@ __nf_conntrack_confirm(struct sk_buff *skb) + + /* set conntrack timestamp, if enabled. */ + tstamp = nf_conn_tstamp_find(ct); +- if (tstamp) { +- if (skb->tstamp == 0) +- __net_timestamp(skb); ++ if (tstamp) ++ tstamp->start = ktime_get_real_ns(); + +- tstamp->start = ktime_to_ns(skb->tstamp); +- } + /* Since the lookup is lockless, hash insertion must be done after + * starting the timer and setting the CONFIRMED bit. The RCU barriers + * guarantee that no other CPU can find the conntrack before the above +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index b1f9c5303f026..0b3347570265c 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -540,7 +540,7 @@ __build_packet_message(struct nfnl_log_net *log, + goto nla_put_failure; + } + +- if (skb->tstamp) { ++ if (hooknum <= NF_INET_FORWARD && skb->tstamp) { + struct nfulnl_msg_packet_timestamp ts; + struct timespec64 kts = ktime_to_timespec64(skb->tstamp); + ts.sec = cpu_to_be64(kts.tv_sec); +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 0dcc3592d053f..e057b2961d313 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -582,7 +582,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + if (nfqnl_put_bridge(entry, skb) < 0) + goto nla_put_failure; + +- if (entskb->tstamp) { ++ if (entry->state.hook <= NF_INET_FORWARD && entskb->tstamp) { + struct nfqnl_msg_packet_timestamp ts; + struct timespec64 kts = ktime_to_timespec64(entskb->tstamp); + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index c13bcd0ab4913..8dbb4d48f2ed5 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -163,19 +163,24 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + s64 stamp; + + /* +- * We cannot use get_seconds() instead of __net_timestamp() here. ++ * We need real time here, but we can neither use skb->tstamp ++ * nor __net_timestamp(). ++ * ++ * skb->tstamp and skb->skb_mstamp_ns overlap, however, they ++ * use different clock types (real vs monotonic). ++ * + * Suppose you have two rules: +- * 1. match before 13:00 +- * 2. match after 13:00 ++ * 1. match before 13:00 ++ * 2. match after 13:00 ++ * + * If you match against processing time (get_seconds) it + * may happen that the same packet matches both rules if +- * it arrived at the right moment before 13:00. ++ * it arrived at the right moment before 13:00, so it would be ++ * better to check skb->tstamp and set it via __net_timestamp() ++ * if needed. This however breaks outgoing packets tx timestamp, ++ * and causes them to get delayed forever by fq packet scheduler. + */ +- if (skb->tstamp == 0) +- __net_timestamp((struct sk_buff *)skb); +- +- stamp = ktime_to_ns(skb->tstamp); +- stamp = div_s64(stamp, NSEC_PER_SEC); ++ stamp = get_seconds(); + + if (info->flags & XT_TIME_LOCAL_TZ) + /* Adjust for local timezone */ +-- +2.20.1 + diff --git a/queue-5.0/netfilter-nf_tables-prevent-shift-wrap-in-nft_chain_.patch b/queue-5.0/netfilter-nf_tables-prevent-shift-wrap-in-nft_chain_.patch new file mode 100644 index 00000000000..38019f74c93 --- /dev/null +++ b/queue-5.0/netfilter-nf_tables-prevent-shift-wrap-in-nft_chain_.patch @@ -0,0 +1,37 @@ +From c0cf1eaf1aee8c40ebb23bbaa3901647c80b78df Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 6 Apr 2019 08:26:52 +0300 +Subject: netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook() + +[ Upstream commit 33d1c018179d0a30c39cc5f1682b77867282694b ] + +I believe that "hook->num" can be up to UINT_MAX. Shifting more than +31 bits would is undefined in C but in practice it would lead to shift +wrapping. That would lead to an array overflow in nf_tables_addchain(): + + ops->hook = hook.type->hooks[ops->hooknum]; + +Fixes: fe19c04ca137 ("netfilter: nf_tables: remove nhooks field from struct nft_af_info") +Signed-off-by: Dan Carpenter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e2aac80f9b7b1..25c2b98b9a960 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1502,7 +1502,7 @@ static int nft_chain_parse_hook(struct net *net, + if (IS_ERR(type)) + return PTR_ERR(type); + } +- if (!(type->hook_mask & (1 << hook->num))) ++ if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) + return -EOPNOTSUPP; + + if (type->type == NFT_CHAIN_T_NAT && +-- +2.20.1 + diff --git a/queue-5.0/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch b/queue-5.0/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch new file mode 100644 index 00000000000..6a7c99bf57e --- /dev/null +++ b/queue-5.0/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch @@ -0,0 +1,88 @@ +From 8676d393cd5ac081ad68685cf366192398e7d5c0 Mon Sep 17 00:00:00 2001 +From: Sunil Dutt +Date: Mon, 25 Feb 2019 15:37:20 +0530 +Subject: nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands + +[ Upstream commit d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 ] + +This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands +that carry key data to ensure they do not stick around on heap +after the SKB is freed. + +Also introduced this flag for NL80211_CMD_VENDOR as there are sub +commands which configure the keys. + +Signed-off-by: Sunil Dutt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index d91a408db113e..156ce708b5330 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -13596,7 +13596,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEAUTHENTICATE, +@@ -13647,7 +13648,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS, +@@ -13655,7 +13657,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DISCONNECT, +@@ -13684,7 +13687,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEL_PMKSA, +@@ -14036,7 +14040,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_WIPHY | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_SET_QOS_MAP, +@@ -14091,7 +14096,8 @@ static const struct genl_ops nl80211_ops[] = { + .doit = nl80211_set_pmk, + .policy = nl80211_policy, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEL_PMK, +-- +2.20.1 + diff --git a/queue-5.0/ocelot-don-t-sleep-in-atomic-context-irqs_disabled.patch b/queue-5.0/ocelot-don-t-sleep-in-atomic-context-irqs_disabled.patch new file mode 100644 index 00000000000..ddc08efd979 --- /dev/null +++ b/queue-5.0/ocelot-don-t-sleep-in-atomic-context-irqs_disabled.patch @@ -0,0 +1,45 @@ +From 8de16b441f65ac540f0330cc88f98f147f21dd00 Mon Sep 17 00:00:00 2001 +From: Claudiu Manoil +Date: Tue, 16 Apr 2019 17:51:58 +0300 +Subject: ocelot: Don't sleep in atomic context (irqs_disabled()) + +[ Upstream commit a8fd48b50deaa20808bbf0f6685f6f1acba6a64c ] + +Preemption disabled at: + [] dev_set_rx_mode+0x1c/0x38 + Call trace: + [] dump_backtrace+0x0/0x3d0 + [] show_stack+0x14/0x20 + [] dump_stack+0xac/0xe4 + [] ___might_sleep+0x164/0x238 + [] __might_sleep+0x50/0x88 + [] kmem_cache_alloc+0x17c/0x1d0 + [] ocelot_set_rx_mode+0x108/0x188 [mscc_ocelot_common] + [] __dev_set_rx_mode+0x58/0xa0 + [] dev_set_rx_mode+0x24/0x38 + +Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support") + +Signed-off-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 215a45374d7b0..0ef95abde6bb0 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -613,7 +613,7 @@ static int ocelot_mact_mc_add(struct ocelot_port *port, + struct netdev_hw_addr *hw_addr) + { + struct ocelot *ocelot = port->ocelot; +- struct netdev_hw_addr *ha = kzalloc(sizeof(*ha), GFP_KERNEL); ++ struct netdev_hw_addr *ha = kzalloc(sizeof(*ha), GFP_ATOMIC); + + if (!ha) + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-5.0/of_net-fix-residues-after-of_get_nvmem_mac_address-r.patch b/queue-5.0/of_net-fix-residues-after-of_get_nvmem_mac_address-r.patch new file mode 100644 index 00000000000..913e04082ec --- /dev/null +++ b/queue-5.0/of_net-fix-residues-after-of_get_nvmem_mac_address-r.patch @@ -0,0 +1,97 @@ +From 0526bbb0d330b59492d260601be3b2289ef23b64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Wed, 17 Apr 2019 22:09:12 +0200 +Subject: of_net: Fix residues after of_get_nvmem_mac_address removal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 36ad7022536e0c65f8baeeaa5efde11dec44808a ] + +I've discovered following discrepancy in the bindings/net/ethernet.txt +documentation, where it states following: + + - nvmem-cells: phandle, reference to an nvmem node for the MAC address; + - nvmem-cell-names: string, should be "mac-address" if nvmem is to be.. + +which is actually misleading and confusing. There are only two ethernet +drivers in the tree, cadence/macb and davinci which supports this +properties. + +This nvmem-cell* properties were introduced in commit 9217e566bdee +("of_net: Implement of_get_nvmem_mac_address helper"), but +commit afa64a72b862 ("of: net: kill of_get_nvmem_mac_address()") +forget to properly clean up this parts. + +So this patch fixes the documentation by moving the nvmem-cell* +properties at the appropriate places. While at it, I've removed unused +include as well. + +Cc: Bartosz Golaszewski +Fixes: afa64a72b862 ("of: net: kill of_get_nvmem_mac_address()") +Signed-off-by: Petr Štetiar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/net/davinci_emac.txt | 2 ++ + Documentation/devicetree/bindings/net/ethernet.txt | 2 -- + Documentation/devicetree/bindings/net/macb.txt | 4 ++++ + drivers/of/of_net.c | 1 - + 4 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/davinci_emac.txt b/Documentation/devicetree/bindings/net/davinci_emac.txt +index 24c5cdaba8d27..ca83dcc84fb8e 100644 +--- a/Documentation/devicetree/bindings/net/davinci_emac.txt ++++ b/Documentation/devicetree/bindings/net/davinci_emac.txt +@@ -20,6 +20,8 @@ Required properties: + Optional properties: + - phy-handle: See ethernet.txt file in the same directory. + If absent, davinci_emac driver defaults to 100/FULL. ++- nvmem-cells: phandle, reference to an nvmem node for the MAC address ++- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used + - ti,davinci-rmii-en: 1 byte, 1 means use RMII + - ti,davinci-no-bd-ram: boolean, does EMAC have BD RAM? + +diff --git a/Documentation/devicetree/bindings/net/ethernet.txt b/Documentation/devicetree/bindings/net/ethernet.txt +index cfc376bc977aa..2974e63ba311a 100644 +--- a/Documentation/devicetree/bindings/net/ethernet.txt ++++ b/Documentation/devicetree/bindings/net/ethernet.txt +@@ -10,8 +10,6 @@ Documentation/devicetree/bindings/phy/phy-bindings.txt. + the boot program; should be used in cases where the MAC address assigned to + the device by the boot program is different from the "local-mac-address" + property; +-- nvmem-cells: phandle, reference to an nvmem node for the MAC address; +-- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used; + - max-speed: number, specifies maximum speed in Mbit/s supported by the device; + - max-frame-size: number, maximum transfer unit (IEEE defined MTU), rather than + the maximum frame size (there's contradiction in the Devicetree +diff --git a/Documentation/devicetree/bindings/net/macb.txt b/Documentation/devicetree/bindings/net/macb.txt +index 3e17ac1d5d58c..1a914116f4c2c 100644 +--- a/Documentation/devicetree/bindings/net/macb.txt ++++ b/Documentation/devicetree/bindings/net/macb.txt +@@ -26,6 +26,10 @@ Required properties: + Optional elements: 'tsu_clk' + - clocks: Phandles to input clocks. + ++Optional properties: ++- nvmem-cells: phandle, reference to an nvmem node for the MAC address ++- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used ++ + Optional properties for PHY child node: + - reset-gpios : Should specify the gpio for phy reset + - magic-packet : If present, indicates that the hardware supports waking +diff --git a/drivers/of/of_net.c b/drivers/of/of_net.c +index 810ab0fbcccbf..d820f3edd4311 100644 +--- a/drivers/of/of_net.c ++++ b/drivers/of/of_net.c +@@ -7,7 +7,6 @@ + */ + #include + #include +-#include + #include + #include + #include +-- +2.20.1 + diff --git a/queue-5.0/perf-tools-fix-map-reference-counting.patch b/queue-5.0/perf-tools-fix-map-reference-counting.patch new file mode 100644 index 00000000000..8417ef3178f --- /dev/null +++ b/queue-5.0/perf-tools-fix-map-reference-counting.patch @@ -0,0 +1,75 @@ +From 8b4c7219d1fe71b62c491a0a83d0548b9fd024e9 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Tue, 16 Apr 2019 18:01:24 +0200 +Subject: perf tools: Fix map reference counting + +[ Upstream commit b9abbdfa88024d52c8084d8f46ea4f161606c692 ] + +By calling maps__insert() we assume to get 2 references on the map, +which we relese within maps__remove call. + +However if there's already same map name, we currently don't bump the +reference and can crash, like: + + Program received signal SIGABRT, Aborted. + 0x00007ffff75e60f5 in raise () from /lib64/libc.so.6 + + (gdb) bt + #0 0x00007ffff75e60f5 in raise () from /lib64/libc.so.6 + #1 0x00007ffff75d0895 in abort () from /lib64/libc.so.6 + #2 0x00007ffff75d0769 in __assert_fail_base.cold () from /lib64/libc.so.6 + #3 0x00007ffff75de596 in __assert_fail () from /lib64/libc.so.6 + #4 0x00000000004fc006 in refcount_sub_and_test (i=1, r=0x1224e88) at tools/include/linux/refcount.h:131 + #5 refcount_dec_and_test (r=0x1224e88) at tools/include/linux/refcount.h:148 + #6 map__put (map=0x1224df0) at util/map.c:299 + #7 0x00000000004fdb95 in __maps__remove (map=0x1224df0, maps=0xb17d80) at util/map.c:953 + #8 maps__remove (maps=0xb17d80, map=0x1224df0) at util/map.c:959 + #9 0x00000000004f7d8a in map_groups__remove (map=, mg=) at util/map_groups.h:65 + #10 machine__process_ksymbol_unregister (sample=, event=0x7ffff7279670, machine=) at util/machine.c:728 + #11 machine__process_ksymbol (machine=, event=0x7ffff7279670, sample=) at util/machine.c:741 + #12 0x00000000004fffbb in perf_session__deliver_event (session=0xb11390, event=0x7ffff7279670, tool=0x7fffffffc7b0, file_offset=13936) at util/session.c:1362 + #13 0x00000000005039bb in do_flush (show_progress=false, oe=0xb17e80) at util/ordered-events.c:243 + #14 __ordered_events__flush (oe=0xb17e80, how=OE_FLUSH__ROUND, timestamp=) at util/ordered-events.c:322 + #15 0x00000000005005e4 in perf_session__process_user_event (session=session@entry=0xb11390, event=event@entry=0x7ffff72a4af8, + ... + +Add the map to the list and getting the reference event if we find the +map with same name. + +Signed-off-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexei Starovoitov +Cc: Andi Kleen +Cc: Daniel Borkmann +Cc: Eric Saint-Etienne +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Fixes: 1e6285699b30 ("perf symbols: Fix slowness due to -ffunction-section") +Link: http://lkml.kernel.org/r/20190416160127.30203-10-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 2b37f56f05493..e33f20d16c8d6 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -904,10 +904,8 @@ static void __maps__insert_name(struct maps *maps, struct map *map) + rc = strcmp(m->dso->short_name, map->dso->short_name); + if (rc < 0) + p = &(*p)->rb_left; +- else if (rc > 0) +- p = &(*p)->rb_right; + else +- return; ++ p = &(*p)->rb_right; + } + rb_link_node(&map->rb_node_name, parent, p); + rb_insert_color(&map->rb_node_name, &maps->names); +-- +2.20.1 + diff --git a/queue-5.0/perf-top-always-sample-time-to-satisfy-needs-of-use-.patch b/queue-5.0/perf-top-always-sample-time-to-satisfy-needs-of-use-.patch new file mode 100644 index 00000000000..6dac7d64dbd --- /dev/null +++ b/queue-5.0/perf-top-always-sample-time-to-satisfy-needs-of-use-.patch @@ -0,0 +1,49 @@ +From 2b6ef46a09b3177639e3368cf020993d4225fe34 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 15 Apr 2019 14:53:33 +0200 +Subject: perf top: Always sample time to satisfy needs of use of ordered + queuing + +[ Upstream commit 1e6db2ee86e6a4399fc0ae5689e55e0fd1c43caf ] + +Bastian reported broken 'perf top -p PID' command, it won't display any +data. + +The problem is that for -p option we monitor single thread, so we don't +enable time in samples, because it's not needed. + +However since commit 16c66bc167cc we use ordered queues to stash data +plus later commits added logic for dropping samples in case there's big +load and we don't keep up. All this needs timestamp for sample. Enabling +it unconditionally for perf top. + +Reported-by: Bastian Beischer +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: bastian beischer +Fixes: 16c66bc167cc ("perf top: Add processing thread") +Link: http://lkml.kernel.org/r/20190415125333.27160-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 616408251e258..63750a711123f 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1393,6 +1393,7 @@ int cmd_top(int argc, const char **argv) + * */ + .overwrite = 0, + .sample_time = true, ++ .sample_time_set = true, + }, + .max_stack = sysctl__max_stack(), + .annotation_opts = annotation__default_options, +-- +2.20.1 + diff --git a/queue-5.0/qed-delete-redundant-doorbell-recovery-types.patch b/queue-5.0/qed-delete-redundant-doorbell-recovery-types.patch new file mode 100644 index 00000000000..b6e7b08db1c --- /dev/null +++ b/queue-5.0/qed-delete-redundant-doorbell-recovery-types.patch @@ -0,0 +1,186 @@ +From ed8c23509ac9f6ddf86a657a254477e29ba13ba2 Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Sun, 14 Apr 2019 17:23:05 +0300 +Subject: qed: Delete redundant doorbell recovery types + +[ Upstream commit 9ac6bb1414ac0d45fe9cefbd1f5b06f0e1a3c98a ] + +DB_REC_DRY_RUN (running doorbell recovery without sending doorbells) is +never used. DB_REC_ONCE (send a single doorbell from the doorbell recovery) +is not needed anymore because by running the periodic handler we make sure +we check the overflow status later instead. +This patch is needed because in the next patches, the only doorbell +recovery type being used is DB_REC_REAL_DEAL, and the fixes are much +cleaner without this enum. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed.h | 3 +- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 69 +++++++++-------------- + drivers/net/ethernet/qlogic/qed/qed_int.c | 6 +- + drivers/net/ethernet/qlogic/qed/qed_int.h | 4 +- + 4 files changed, 31 insertions(+), 51 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h +index 2d8a77cc156ba..d5fece7eb1698 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed.h ++++ b/drivers/net/ethernet/qlogic/qed/qed.h +@@ -918,8 +918,7 @@ u16 qed_get_cm_pq_idx_llt_mtc(struct qed_hwfn *p_hwfn, u8 tc); + + /* doorbell recovery mechanism */ + void qed_db_recovery_dp(struct qed_hwfn *p_hwfn); +-void qed_db_recovery_execute(struct qed_hwfn *p_hwfn, +- enum qed_db_rec_exec db_exec); ++void qed_db_recovery_execute(struct qed_hwfn *p_hwfn); + bool qed_edpm_enabled(struct qed_hwfn *p_hwfn); + + /* Other Linux specific common definitions */ +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 2ecaaaa4469a6..ff0bbf8d073d6 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -300,26 +300,19 @@ void qed_db_recovery_dp(struct qed_hwfn *p_hwfn) + + /* Ring the doorbell of a single doorbell recovery entry */ + static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn, +- struct qed_db_recovery_entry *db_entry, +- enum qed_db_rec_exec db_exec) +-{ +- if (db_exec != DB_REC_ONCE) { +- /* Print according to width */ +- if (db_entry->db_width == DB_REC_WIDTH_32B) { +- DP_VERBOSE(p_hwfn, QED_MSG_SPQ, +- "%s doorbell address %p data %x\n", +- db_exec == DB_REC_DRY_RUN ? +- "would have rung" : "ringing", +- db_entry->db_addr, +- *(u32 *)db_entry->db_data); +- } else { +- DP_VERBOSE(p_hwfn, QED_MSG_SPQ, +- "%s doorbell address %p data %llx\n", +- db_exec == DB_REC_DRY_RUN ? +- "would have rung" : "ringing", +- db_entry->db_addr, +- *(u64 *)(db_entry->db_data)); +- } ++ struct qed_db_recovery_entry *db_entry) ++{ ++ /* Print according to width */ ++ if (db_entry->db_width == DB_REC_WIDTH_32B) { ++ DP_VERBOSE(p_hwfn, QED_MSG_SPQ, ++ "ringing doorbell address %p data %x\n", ++ db_entry->db_addr, ++ *(u32 *)db_entry->db_data); ++ } else { ++ DP_VERBOSE(p_hwfn, QED_MSG_SPQ, ++ "ringing doorbell address %p data %llx\n", ++ db_entry->db_addr, ++ *(u64 *)(db_entry->db_data)); + } + + /* Sanity */ +@@ -334,14 +327,12 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn, + wmb(); + + /* Ring the doorbell */ +- if (db_exec == DB_REC_REAL_DEAL || db_exec == DB_REC_ONCE) { +- if (db_entry->db_width == DB_REC_WIDTH_32B) +- DIRECT_REG_WR(db_entry->db_addr, +- *(u32 *)(db_entry->db_data)); +- else +- DIRECT_REG_WR64(db_entry->db_addr, +- *(u64 *)(db_entry->db_data)); +- } ++ if (db_entry->db_width == DB_REC_WIDTH_32B) ++ DIRECT_REG_WR(db_entry->db_addr, ++ *(u32 *)(db_entry->db_data)); ++ else ++ DIRECT_REG_WR64(db_entry->db_addr, ++ *(u64 *)(db_entry->db_data)); + + /* Flush the write combined buffer. Next doorbell may come from a + * different entity to the same address... +@@ -350,29 +341,21 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn, + } + + /* Traverse the doorbell recovery entry list and ring all the doorbells */ +-void qed_db_recovery_execute(struct qed_hwfn *p_hwfn, +- enum qed_db_rec_exec db_exec) ++void qed_db_recovery_execute(struct qed_hwfn *p_hwfn) + { + struct qed_db_recovery_entry *db_entry = NULL; + +- if (db_exec != DB_REC_ONCE) { +- DP_NOTICE(p_hwfn, +- "Executing doorbell recovery. Counter was %d\n", +- p_hwfn->db_recovery_info.db_recovery_counter); ++ DP_NOTICE(p_hwfn, "Executing doorbell recovery. Counter was %d\n", ++ p_hwfn->db_recovery_info.db_recovery_counter); + +- /* Track amount of times recovery was executed */ +- p_hwfn->db_recovery_info.db_recovery_counter++; +- } ++ /* Track amount of times recovery was executed */ ++ p_hwfn->db_recovery_info.db_recovery_counter++; + + /* Protect the list */ + spin_lock_bh(&p_hwfn->db_recovery_info.lock); + list_for_each_entry(db_entry, +- &p_hwfn->db_recovery_info.list, list_entry) { +- qed_db_recovery_ring(p_hwfn, db_entry, db_exec); +- if (db_exec == DB_REC_ONCE) +- break; +- } +- ++ &p_hwfn->db_recovery_info.list, list_entry) ++ qed_db_recovery_ring(p_hwfn, db_entry); + spin_unlock_bh(&p_hwfn->db_recovery_info.lock); + } + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index 92340919d8521..b994f81eb51c3 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -409,10 +409,8 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + + overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY); + DP_NOTICE(p_hwfn, "PF Overflow sticky 0x%x\n", overflow); +- if (!overflow) { +- qed_db_recovery_execute(p_hwfn, DB_REC_ONCE); ++ if (!overflow) + return 0; +- } + + if (qed_edpm_enabled(p_hwfn)) { + rc = qed_db_rec_flush_queue(p_hwfn, p_ptt); +@@ -427,7 +425,7 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0); + + /* Repeat all last doorbells (doorbell drop recovery) */ +- qed_db_recovery_execute(p_hwfn, DB_REC_REAL_DEAL); ++ qed_db_recovery_execute(p_hwfn); + + return 0; + } +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.h b/drivers/net/ethernet/qlogic/qed/qed_int.h +index d81a62ebd5244..df26bf333893d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.h +@@ -192,8 +192,8 @@ void qed_int_disable_post_isr_release(struct qed_dev *cdev); + + /** + * @brief - Doorbell Recovery handler. +- * Run DB_REAL_DEAL doorbell recovery in case of PF overflow +- * (and flush DORQ if needed), otherwise run DB_REC_ONCE. ++ * Run doorbell recovery in case of PF overflow (and flush DORQ if ++ * needed). + * + * @param p_hwfn + * @param p_ptt +-- +2.20.1 + diff --git a/queue-5.0/qed-fix-missing-dorq-attentions.patch b/queue-5.0/qed-fix-missing-dorq-attentions.patch new file mode 100644 index 00000000000..7508f9f2b7c --- /dev/null +++ b/queue-5.0/qed-fix-missing-dorq-attentions.patch @@ -0,0 +1,112 @@ +From 7a9fdcb029c98591ad6dcbbfb7c76a63d4b2ed48 Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Sun, 14 Apr 2019 17:23:07 +0300 +Subject: qed: Fix missing DORQ attentions + +[ Upstream commit d4476b8a6151b2dd86c09b5acec64f66430db55d ] + +When the DORQ (doorbell block) is overflowed, all PFs get attentions at the +same time. If one PF finished handling the attention before another PF even +started, the second PF might miss the DORQ's attention bit and not handle +the attention at all. +If the DORQ attention is missed and the issue is not resolved, another +attention will not be sent, therefore each attention is treated as a +potential DORQ attention. +As a result, the attention callback is called more frequently so the debug +print was moved to reduce its quantity. +The number of periodic doorbell recovery handler schedules was reduced +because it was the previous way to mitigating the missed attention issue. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed.h | 1 + + drivers/net/ethernet/qlogic/qed/qed_int.c | 20 ++++++++++++++++++-- + drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +- + 3 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h +index d5fece7eb1698..07ae600d0f357 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed.h ++++ b/drivers/net/ethernet/qlogic/qed/qed.h +@@ -436,6 +436,7 @@ struct qed_db_recovery_info { + + /* Lock to protect the doorbell recovery mechanism list */ + spinlock_t lock; ++ bool dorq_attn; + u32 db_recovery_counter; + }; + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index b994f81eb51c3..00688f4c04645 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -436,17 +436,19 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) + struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt; + int rc; + +- int_sts = qed_rd(p_hwfn, p_ptt, DORQ_REG_INT_STS); +- DP_NOTICE(p_hwfn->cdev, "DORQ attention. int_sts was %x\n", int_sts); ++ p_hwfn->db_recovery_info.dorq_attn = true; + + /* int_sts may be zero since all PFs were interrupted for doorbell + * overflow but another one already handled it. Can abort here. If + * This PF also requires overflow recovery we will be interrupted again. + * The masked almost full indication may also be set. Ignoring. + */ ++ int_sts = qed_rd(p_hwfn, p_ptt, DORQ_REG_INT_STS); + if (!(int_sts & ~DORQ_REG_INT_STS_DORQ_FIFO_AFULL)) + return 0; + ++ DP_NOTICE(p_hwfn->cdev, "DORQ attention. int_sts was %x\n", int_sts); ++ + /* check if db_drop or overflow happened */ + if (int_sts & (DORQ_REG_INT_STS_DB_DROP | + DORQ_REG_INT_STS_DORQ_FIFO_OVFL_ERR)) { +@@ -503,6 +505,17 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) + return -EINVAL; + } + ++static void qed_dorq_attn_handler(struct qed_hwfn *p_hwfn) ++{ ++ if (p_hwfn->db_recovery_info.dorq_attn) ++ goto out; ++ ++ /* Call DORQ callback if the attention was missed */ ++ qed_dorq_attn_cb(p_hwfn); ++out: ++ p_hwfn->db_recovery_info.dorq_attn = false; ++} ++ + /* Instead of major changes to the data-structure, we have a some 'special' + * identifiers for sources that changed meaning between adapters. + */ +@@ -1076,6 +1089,9 @@ static int qed_int_deassertion(struct qed_hwfn *p_hwfn, + } + } + ++ /* Handle missed DORQ attention */ ++ qed_dorq_attn_handler(p_hwfn); ++ + /* Clear IGU indication for the deasserted bits */ + DIRECT_REG_WR((u8 __iomem *)p_hwfn->regview + + GTT_BAR0_MAP_REG_IGU_CMD + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index 6adf5bda9811e..26bfcbeebc4ca 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -966,7 +966,7 @@ static void qed_update_pf_params(struct qed_dev *cdev, + } + } + +-#define QED_PERIODIC_DB_REC_COUNT 100 ++#define QED_PERIODIC_DB_REC_COUNT 10 + #define QED_PERIODIC_DB_REC_INTERVAL_MS 100 + #define QED_PERIODIC_DB_REC_INTERVAL \ + msecs_to_jiffies(QED_PERIODIC_DB_REC_INTERVAL_MS) +-- +2.20.1 + diff --git a/queue-5.0/qed-fix-the-doorbell-address-sanity-check.patch b/queue-5.0/qed-fix-the-doorbell-address-sanity-check.patch new file mode 100644 index 00000000000..2e9acc34a19 --- /dev/null +++ b/queue-5.0/qed-fix-the-doorbell-address-sanity-check.patch @@ -0,0 +1,74 @@ +From 017a1f53a083fb1b20e5bb8a1b769a49f25e60ab Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Sun, 14 Apr 2019 17:23:06 +0300 +Subject: qed: Fix the doorbell address sanity check + +[ Upstream commit b61b04ad81d5f975349d66abbecabf96ba211140 ] + +Fix the condition which verifies that doorbell address is inside the +doorbell bar by checking that the end of the address is within range +as well. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index ff0bbf8d073d6..228891e459bc0 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -102,11 +102,15 @@ static void qed_db_recovery_dp_entry(struct qed_hwfn *p_hwfn, + + /* Doorbell address sanity (address within doorbell bar range) */ + static bool qed_db_rec_sanity(struct qed_dev *cdev, +- void __iomem *db_addr, void *db_data) ++ void __iomem *db_addr, ++ enum qed_db_rec_width db_width, ++ void *db_data) + { ++ u32 width = (db_width == DB_REC_WIDTH_32B) ? 32 : 64; ++ + /* Make sure doorbell address is within the doorbell bar */ + if (db_addr < cdev->doorbells || +- (u8 __iomem *)db_addr > ++ (u8 __iomem *)db_addr + width > + (u8 __iomem *)cdev->doorbells + cdev->db_size) { + WARN(true, + "Illegal doorbell address: %p. Legal range for doorbell addresses is [%p..%p]\n", +@@ -159,7 +163,7 @@ int qed_db_recovery_add(struct qed_dev *cdev, + } + + /* Sanitize doorbell address */ +- if (!qed_db_rec_sanity(cdev, db_addr, db_data)) ++ if (!qed_db_rec_sanity(cdev, db_addr, db_width, db_data)) + return -EINVAL; + + /* Obtain hwfn from doorbell address */ +@@ -205,10 +209,6 @@ int qed_db_recovery_del(struct qed_dev *cdev, + return 0; + } + +- /* Sanitize doorbell address */ +- if (!qed_db_rec_sanity(cdev, db_addr, db_data)) +- return -EINVAL; +- + /* Obtain hwfn from doorbell address */ + p_hwfn = qed_db_rec_find_hwfn(cdev, db_addr); + +@@ -317,7 +317,7 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn, + + /* Sanity */ + if (!qed_db_rec_sanity(p_hwfn->cdev, db_entry->db_addr, +- db_entry->db_data)) ++ db_entry->db_width, db_entry->db_data)) + return; + + /* Flush the write combined buffer. Since there are multiple doorbelling +-- +2.20.1 + diff --git a/queue-5.0/qed-fix-the-dorq-s-attentions-handling.patch b/queue-5.0/qed-fix-the-dorq-s-attentions-handling.patch new file mode 100644 index 00000000000..be2a167b543 --- /dev/null +++ b/queue-5.0/qed-fix-the-dorq-s-attentions-handling.patch @@ -0,0 +1,166 @@ +From 61ae888f629467485462492e7265aa68a5d33395 Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Sun, 14 Apr 2019 17:23:08 +0300 +Subject: qed: Fix the DORQ's attentions handling + +[ Upstream commit 0d72c2ac89185f179da1e8a91c40c82f3fa38f0b ] + +Separate the overflow handling from the hardware interrupt status analysis. +The interrupt status is a single register and is common for all PFs. The +first PF reading the register is not necessarily the one who overflowed. +All PFs must check their overflow status on every attention. +In this change we clear the sticky indication in the attention handler to +allow doorbells to be processed again as soon as possible, but running +the doorbell recovery is scheduled for the periodic handler to reduce the +time spent in the attention handler. +Checking the need for DORQ flush was changed to "db_bar_no_edpm" because +qed_edpm_enabled()'s result could change dynamically and might have +prevented a needed flush. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed.h | 3 ++ + drivers/net/ethernet/qlogic/qed/qed_int.c | 61 +++++++++++++++++------ + 2 files changed, 48 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h +index 07ae600d0f357..f458c9776a89c 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed.h ++++ b/drivers/net/ethernet/qlogic/qed/qed.h +@@ -431,6 +431,8 @@ struct qed_qm_info { + u8 num_pf_rls; + }; + ++#define QED_OVERFLOW_BIT 1 ++ + struct qed_db_recovery_info { + struct list_head list; + +@@ -438,6 +440,7 @@ struct qed_db_recovery_info { + spinlock_t lock; + bool dorq_attn; + u32 db_recovery_counter; ++ unsigned long overflow; + }; + + struct storm_stats { +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index 00688f4c04645..a7e95f239317f 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -376,6 +376,9 @@ static int qed_db_rec_flush_queue(struct qed_hwfn *p_hwfn, + u32 count = QED_DB_REC_COUNT; + u32 usage = 1; + ++ /* Flush any pending (e)dpms as they may never arrive */ ++ qed_wr(p_hwfn, p_ptt, DORQ_REG_DPM_FORCE_ABORT, 0x1); ++ + /* wait for usage to zero or count to run out. This is necessary since + * EDPM doorbell transactions can take multiple 64b cycles, and as such + * can "split" over the pci. Possibly, the doorbell drop can happen with +@@ -404,23 +407,24 @@ static int qed_db_rec_flush_queue(struct qed_hwfn *p_hwfn, + + int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + { +- u32 overflow; ++ u32 attn_ovfl, cur_ovfl; + int rc; + +- overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY); +- DP_NOTICE(p_hwfn, "PF Overflow sticky 0x%x\n", overflow); +- if (!overflow) ++ attn_ovfl = test_and_clear_bit(QED_OVERFLOW_BIT, ++ &p_hwfn->db_recovery_info.overflow); ++ cur_ovfl = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY); ++ if (!cur_ovfl && !attn_ovfl) + return 0; + +- if (qed_edpm_enabled(p_hwfn)) { ++ DP_NOTICE(p_hwfn, "PF Overflow sticky: attn %u current %u\n", ++ attn_ovfl, cur_ovfl); ++ ++ if (cur_ovfl && !p_hwfn->db_bar_no_edpm) { + rc = qed_db_rec_flush_queue(p_hwfn, p_ptt); + if (rc) + return rc; + } + +- /* Flush any pending (e)dpm as they may never arrive */ +- qed_wr(p_hwfn, p_ptt, DORQ_REG_DPM_FORCE_ABORT, 0x1); +- + /* Release overflow sticky indication (stop silently dropping everything) */ + qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0); + +@@ -430,13 +434,35 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + return 0; + } + +-static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) ++static void qed_dorq_attn_overflow(struct qed_hwfn *p_hwfn) + { +- u32 int_sts, first_drop_reason, details, address, all_drops_reason; + struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt; ++ u32 overflow; + int rc; + +- p_hwfn->db_recovery_info.dorq_attn = true; ++ overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY); ++ if (!overflow) ++ goto out; ++ ++ /* Run PF doorbell recovery in next periodic handler */ ++ set_bit(QED_OVERFLOW_BIT, &p_hwfn->db_recovery_info.overflow); ++ ++ if (!p_hwfn->db_bar_no_edpm) { ++ rc = qed_db_rec_flush_queue(p_hwfn, p_ptt); ++ if (rc) ++ goto out; ++ } ++ ++ qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0); ++out: ++ /* Schedule the handler even if overflow was not detected */ ++ qed_periodic_db_rec_start(p_hwfn); ++} ++ ++static int qed_dorq_attn_int_sts(struct qed_hwfn *p_hwfn) ++{ ++ u32 int_sts, first_drop_reason, details, address, all_drops_reason; ++ struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt; + + /* int_sts may be zero since all PFs were interrupted for doorbell + * overflow but another one already handled it. Can abort here. If +@@ -475,11 +501,6 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) + GET_FIELD(details, QED_DORQ_ATTENTION_SIZE) * 4, + first_drop_reason, all_drops_reason); + +- rc = qed_db_rec_handler(p_hwfn, p_ptt); +- qed_periodic_db_rec_start(p_hwfn); +- if (rc) +- return rc; +- + /* Clear the doorbell drop details and prepare for next drop */ + qed_wr(p_hwfn, p_ptt, DORQ_REG_DB_DROP_DETAILS_REL, 0); + +@@ -505,6 +526,14 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) + return -EINVAL; + } + ++static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn) ++{ ++ p_hwfn->db_recovery_info.dorq_attn = true; ++ qed_dorq_attn_overflow(p_hwfn); ++ ++ return qed_dorq_attn_int_sts(p_hwfn); ++} ++ + static void qed_dorq_attn_handler(struct qed_hwfn *p_hwfn) + { + if (p_hwfn->db_recovery_info.dorq_attn) +-- +2.20.1 + diff --git a/queue-5.0/qede-fix-write-to-free-d-pointer-error-and-double-fr.patch b/queue-5.0/qede-fix-write-to-free-d-pointer-error-and-double-fr.patch new file mode 100644 index 00000000000..6f8a7eb3998 --- /dev/null +++ b/queue-5.0/qede-fix-write-to-free-d-pointer-error-and-double-fr.patch @@ -0,0 +1,53 @@ +From a2ba89c7cb54fb6a34a3bbd64bfe49afce7eb122 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 12 Apr 2019 15:13:27 +0100 +Subject: qede: fix write to free'd pointer error and double free of ptp + +[ Upstream commit 1dc2b3d65523780ed1972d446c76e62e13f3e8f5 ] + +The err2 error return path calls qede_ptp_disable that cleans up +on an error and frees ptp. After this, the free'd ptp is dereferenced +when ptp->clock is set to NULL and the code falls-through to error +path err1 that frees ptp again. + +Fix this by calling qede_ptp_disable and exiting via an error +return path that does not set ptp->clock or kfree ptp. + +Addresses-Coverity: ("Write to pointer after free") +Fixes: 035744975aec ("qede: Add support for PTP resource locking.") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_ptp.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_ptp.c b/drivers/net/ethernet/qlogic/qede/qede_ptp.c +index 5f3f42a253616..bddb2b5982dcf 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_ptp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_ptp.c +@@ -490,18 +490,17 @@ int qede_ptp_enable(struct qede_dev *edev, bool init_tc) + + ptp->clock = ptp_clock_register(&ptp->clock_info, &edev->pdev->dev); + if (IS_ERR(ptp->clock)) { +- rc = -EINVAL; + DP_ERR(edev, "PTP clock registration failed\n"); ++ qede_ptp_disable(edev); ++ rc = -EINVAL; + goto err2; + } + + return 0; + +-err2: +- qede_ptp_disable(edev); +- ptp->clock = NULL; + err1: + kfree(ptp); ++err2: + edev->ptp = NULL; + + return rc; +-- +2.20.1 + diff --git a/queue-5.0/rdma-hns-bugfix-for-mapping-user-db.patch b/queue-5.0/rdma-hns-bugfix-for-mapping-user-db.patch new file mode 100644 index 00000000000..5d6a6756ac7 --- /dev/null +++ b/queue-5.0/rdma-hns-bugfix-for-mapping-user-db.patch @@ -0,0 +1,46 @@ +From e0f4f906f365ebeb82e10b750de795869ec0abc3 Mon Sep 17 00:00:00 2001 +From: Lijun Ou +Date: Tue, 23 Apr 2019 17:30:26 +0800 +Subject: RDMA/hns: Bugfix for mapping user db + +[ Upstream commit 2557fabd6e29f349bfa0ac13f38ac98aa5eafc74 ] + +When the maximum send wr delivered by the user is zero, the qp does not +have a sq. + +When allocating the sq db buffer to store the user sq pi pointer and map +it to the kernel mode, max_send_wr is used as the trigger condition, while +the kernel does not consider the max_send_wr trigger condition when +mapmping db. It will cause sq record doorbell map fail and create qp fail. + +The failed print information as follows: + + hns3 0000:7d:00.1: Send cmd: tail - 418, opcode - 0x8504, flag - 0x0011, retval - 0x0000 + hns3 0000:7d:00.1: Send cmd: 0xe59dc000 0x00000000 0x00000000 0x00000000 0x00000116 0x0000ffff + hns3 0000:7d:00.1: sq record doorbell map failed! + hns3 0000:7d:00.1: Create RC QP failed + +Fixes: 0425e3e6e0c7 ("RDMA/hns: Support flush cqe for hip08 in kernel space") +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index 54031c5b53fa9..89dd2380fc812 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -517,7 +517,7 @@ static int hns_roce_set_kernel_sq_size(struct hns_roce_dev *hr_dev, + + static int hns_roce_qp_has_sq(struct ib_qp_init_attr *attr) + { +- if (attr->qp_type == IB_QPT_XRC_TGT) ++ if (attr->qp_type == IB_QPT_XRC_TGT || !attr->cap.max_send_wr) + return 0; + + return 1; +-- +2.20.1 + diff --git a/queue-5.0/revert-drm-virtio-drop-prime-import-export-callbacks.patch b/queue-5.0/revert-drm-virtio-drop-prime-import-export-callbacks.patch new file mode 100644 index 00000000000..73e1ea13163 --- /dev/null +++ b/queue-5.0/revert-drm-virtio-drop-prime-import-export-callbacks.patch @@ -0,0 +1,98 @@ +From b297e16876a7fa6cca4f4da3dfb51f20296bd838 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Wed, 24 Apr 2019 10:52:20 +1000 +Subject: Revert "drm/virtio: drop prime import/export callbacks" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a0cecc23cfcbf2626497a8c8770856dd56b67917 ] + +This patch does more harm than good, as it breaks both Xwayland and +gnome-shell with X11. + +Xwayland requires DRI3 & DRI3 requires PRIME. + +X11 crash for obscure double-free reason which are hard to debug +(starting X11 by hand doesn't trigger the crash). + +I don't see an apparent problem implementing those stub prime +functions, they may return an error at run-time, and it seems to be +handled fine by GNOME at least. + +This reverts commit b318e3ff7ca065d6b107e424c85a63d7a6798a69. +[airlied: +This broke userspace for virtio-gpus, and regressed things from DRI3 to DRI2. + +This brings back the original problem, but it's better than regressions.] + +Fixes: b318e3ff7ca065d6b107e424c85a63d7a6798a ("drm/virtio: drop prime import/export callbacks") +Signed-off-by: Marc-André Lureau +Signed-off-by: Dave Airlie +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_drv.c | 4 ++++ + drivers/gpu/drm/virtio/virtgpu_drv.h | 4 ++++ + drivers/gpu/drm/virtio/virtgpu_prime.c | 12 ++++++++++++ + 3 files changed, 20 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c +index 2d1aaca491050..f7f32a885af79 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_drv.c ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.c +@@ -127,10 +127,14 @@ static struct drm_driver driver = { + #if defined(CONFIG_DEBUG_FS) + .debugfs_init = virtio_gpu_debugfs_init, + #endif ++ .prime_handle_to_fd = drm_gem_prime_handle_to_fd, ++ .prime_fd_to_handle = drm_gem_prime_fd_to_handle, + .gem_prime_export = drm_gem_prime_export, + .gem_prime_import = drm_gem_prime_import, + .gem_prime_pin = virtgpu_gem_prime_pin, + .gem_prime_unpin = virtgpu_gem_prime_unpin, ++ .gem_prime_get_sg_table = virtgpu_gem_prime_get_sg_table, ++ .gem_prime_import_sg_table = virtgpu_gem_prime_import_sg_table, + .gem_prime_vmap = virtgpu_gem_prime_vmap, + .gem_prime_vunmap = virtgpu_gem_prime_vunmap, + .gem_prime_mmap = virtgpu_gem_prime_mmap, +diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h +index 0c15000f926eb..1deb41d42ea4d 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_drv.h ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.h +@@ -372,6 +372,10 @@ int virtio_gpu_object_wait(struct virtio_gpu_object *bo, bool no_wait); + /* virtgpu_prime.c */ + int virtgpu_gem_prime_pin(struct drm_gem_object *obj); + void virtgpu_gem_prime_unpin(struct drm_gem_object *obj); ++struct sg_table *virtgpu_gem_prime_get_sg_table(struct drm_gem_object *obj); ++struct drm_gem_object *virtgpu_gem_prime_import_sg_table( ++ struct drm_device *dev, struct dma_buf_attachment *attach, ++ struct sg_table *sgt); + void *virtgpu_gem_prime_vmap(struct drm_gem_object *obj); + void virtgpu_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr); + int virtgpu_gem_prime_mmap(struct drm_gem_object *obj, +diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c +index c59ec34c80a5d..eb51a78e11991 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_prime.c ++++ b/drivers/gpu/drm/virtio/virtgpu_prime.c +@@ -39,6 +39,18 @@ void virtgpu_gem_prime_unpin(struct drm_gem_object *obj) + WARN_ONCE(1, "not implemented"); + } + ++struct sg_table *virtgpu_gem_prime_get_sg_table(struct drm_gem_object *obj) ++{ ++ return ERR_PTR(-ENODEV); ++} ++ ++struct drm_gem_object *virtgpu_gem_prime_import_sg_table( ++ struct drm_device *dev, struct dma_buf_attachment *attach, ++ struct sg_table *table) ++{ ++ return ERR_PTR(-ENODEV); ++} ++ + void *virtgpu_gem_prime_vmap(struct drm_gem_object *obj) + { + struct virtio_gpu_object *bo = gem_to_virtio_gpu_obj(obj); +-- +2.20.1 + diff --git a/queue-5.0/s390-3270-fix-lockdep-false-positive-on-view-lock.patch b/queue-5.0/s390-3270-fix-lockdep-false-positive-on-view-lock.patch new file mode 100644 index 00000000000..8eaf4b74a1b --- /dev/null +++ b/queue-5.0/s390-3270-fix-lockdep-false-positive-on-view-lock.patch @@ -0,0 +1,122 @@ +From 08df3c610a9d846db99dd832ffe84e368006ddf7 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Wed, 3 Apr 2019 09:13:34 +0200 +Subject: s390/3270: fix lockdep false positive on view->lock + +[ Upstream commit 5712f3301a12c0c3de9cc423484496b0464f2faf ] + +The spinlock in the raw3270_view structure is used by con3270, tty3270 +and fs3270 in different ways. For con3270 the lock can be acquired in +irq context, for tty3270 and fs3270 the highest context is bh. + +Lockdep sees the view->lock as a single class and if the 3270 driver +is used for the console the following message is generated: + +WARNING: inconsistent lock state +5.1.0-rc3-05157-g5c168033979d #12 Not tainted +-------------------------------- +inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. +swapper/0/1 [HC0[0]:SC1[1]:HE1:SE0] takes: +(____ptrval____) (&(&view->lock)->rlock){?.-.}, at: tty3270_update+0x7c/0x330 + +Introduce a lockdep subclass for the view lock to distinguish bh from +irq locks. + +Signed-off-by: Martin Schwidefsky + +Signed-off-by: Sasha Levin +--- + drivers/s390/char/con3270.c | 2 +- + drivers/s390/char/fs3270.c | 3 ++- + drivers/s390/char/raw3270.c | 3 ++- + drivers/s390/char/raw3270.h | 4 +++- + drivers/s390/char/tty3270.c | 3 ++- + 5 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c +index fd2146bcc0add..e17364e13d2f7 100644 +--- a/drivers/s390/char/con3270.c ++++ b/drivers/s390/char/con3270.c +@@ -629,7 +629,7 @@ con3270_init(void) + (void (*)(unsigned long)) con3270_read_tasklet, + (unsigned long) condev->read); + +- raw3270_add_view(&condev->view, &con3270_fn, 1); ++ raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ); + + INIT_LIST_HEAD(&condev->freemem); + for (i = 0; i < CON3270_STRING_PAGES; i++) { +diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c +index 8f3a2eeb28dca..8b48ba9c598ec 100644 +--- a/drivers/s390/char/fs3270.c ++++ b/drivers/s390/char/fs3270.c +@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp) + + init_waitqueue_head(&fp->wait); + fp->fs_pid = get_pid(task_pid(current)); +- rc = raw3270_add_view(&fp->view, &fs3270_fn, minor); ++ rc = raw3270_add_view(&fp->view, &fs3270_fn, minor, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + fs3270_free_view(&fp->view); + goto out; +diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c +index f8cd2935fbfd4..63a41b1687610 100644 +--- a/drivers/s390/char/raw3270.c ++++ b/drivers/s390/char/raw3270.c +@@ -920,7 +920,7 @@ raw3270_deactivate_view(struct raw3270_view *view) + * Add view to device with minor "minor". + */ + int +-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) ++raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass) + { + unsigned long flags; + struct raw3270 *rp; +@@ -942,6 +942,7 @@ raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) + view->cols = rp->cols; + view->ascebc = rp->ascebc; + spin_lock_init(&view->lock); ++ lockdep_set_subclass(&view->lock, subclass); + list_add(&view->list, &rp->view_list); + rc = 0; + spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags); +diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h +index 114ca7cbf8897..3afaa35f73513 100644 +--- a/drivers/s390/char/raw3270.h ++++ b/drivers/s390/char/raw3270.h +@@ -150,6 +150,8 @@ struct raw3270_fn { + struct raw3270_view { + struct list_head list; + spinlock_t lock; ++#define RAW3270_VIEW_LOCK_IRQ 0 ++#define RAW3270_VIEW_LOCK_BH 1 + atomic_t ref_count; + struct raw3270 *dev; + struct raw3270_fn *fn; +@@ -158,7 +160,7 @@ struct raw3270_view { + unsigned char *ascebc; /* ascii -> ebcdic table */ + }; + +-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int); ++int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int); + int raw3270_activate_view(struct raw3270_view *); + void raw3270_del_view(struct raw3270_view *); + void raw3270_deactivate_view(struct raw3270_view *); +diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c +index 2b0c36c2c5688..98d7fc152e32f 100644 +--- a/drivers/s390/char/tty3270.c ++++ b/drivers/s390/char/tty3270.c +@@ -980,7 +980,8 @@ static int tty3270_install(struct tty_driver *driver, struct tty_struct *tty) + return PTR_ERR(tp); + + rc = raw3270_add_view(&tp->view, &tty3270_fn, +- tty->index + RAW3270_FIRSTMINOR); ++ tty->index + RAW3270_FIRSTMINOR, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + tty3270_free_view(tp); + return rc; +-- +2.20.1 + diff --git a/queue-5.0/s390-ctcm-fix-ctcm_new_device-error-return-code.patch b/queue-5.0/s390-ctcm-fix-ctcm_new_device-error-return-code.patch new file mode 100644 index 00000000000..f2a6803aeee --- /dev/null +++ b/queue-5.0/s390-ctcm-fix-ctcm_new_device-error-return-code.patch @@ -0,0 +1,53 @@ +From d7a39164d029acf3fef674eebe0aeb27e89962d0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 17 Apr 2019 18:29:13 +0200 +Subject: s390: ctcm: fix ctcm_new_device error return code + +[ Upstream commit 27b141fc234a3670d21bd742c35d7205d03cbb3a ] + +clang points out that the return code from this function is +undefined for one of the error paths: + +../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used uninitialized whenever 'if' condition is true + [-Wsometimes-uninitialized] + if (priv->channel[direction] == NULL) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here + return result; + ^~~~~~ +../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition is always false + if (priv->channel[direction] == NULL) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' to silence this warning + int result; + ^ + +Make it return -ENODEV here, as in the related failure cases. +gcc has a known bug in underreporting some of these warnings +when it has already eliminated the assignment of the return code +based on some earlier optimization step. + +Reviewed-by: Nathan Chancellor +Signed-off-by: Arnd Bergmann +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index 7617d21cb2960..f63c5c871d3dd 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev) + if (priv->channel[direction] == NULL) { + if (direction == CTCM_WRITE) + channel_free(priv->channel[CTCM_READ]); ++ result = -ENODEV; + goto out_dev; + } + priv->channel[direction]->netdev = dev; +-- +2.20.1 + diff --git a/queue-5.0/s390-dasd-fix-capacity-calculation-for-large-volumes.patch b/queue-5.0/s390-dasd-fix-capacity-calculation-for-large-volumes.patch new file mode 100644 index 00000000000..675d784e967 --- /dev/null +++ b/queue-5.0/s390-dasd-fix-capacity-calculation-for-large-volumes.patch @@ -0,0 +1,59 @@ +From cdc0e308bd62c4b9db54bb8fd0b2f36da81779dc Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Fri, 22 Mar 2019 16:01:17 +0100 +Subject: s390/dasd: Fix capacity calculation for large volumes + +[ Upstream commit 2cc9637ce825f3a9f51f8f78af7474e9e85bfa5f ] + +The DASD driver incorrectly limits the maximum number of blocks of ECKD +DASD volumes to 32 bit numbers. Volumes with a capacity greater than +2^32-1 blocks are incorrectly recognized as smaller volumes. + +This results in the following volume capacity limits depending on the +formatted block size: + + BLKSIZE MAX_GB MAX_CYL + 512 2047 5843492 + 1024 4095 8676701 + 2048 8191 13634816 + 4096 16383 23860929 + +The same problem occurs when a volume with more than 17895697 cylinders +is accessed in raw-track-access mode. + +Fix this problem by adding an explicit type cast when calculating the +maximum number of blocks. + +Signed-off-by: Peter Oberparleiter +Reviewed-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 6e294b4d3635f..f89f9d02e7884 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2004,14 +2004,14 @@ static int dasd_eckd_end_analysis(struct dasd_block *block) + blk_per_trk = recs_per_track(&private->rdc_data, 0, block->bp_block); + + raw: +- block->blocks = (private->real_cyl * ++ block->blocks = ((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk); + + dev_info(&device->cdev->dev, +- "DASD with %d KB/block, %d KB total size, %d KB/track, " ++ "DASD with %u KB/block, %lu KB total size, %u KB/track, " + "%s\n", (block->bp_block >> 10), +- ((private->real_cyl * ++ (((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk * (block->bp_block >> 9)) >> 1), + ((blk_per_trk * block->bp_block) >> 10), +-- +2.20.1 + diff --git a/queue-5.0/s390-pkey-add-one-more-argument-space-for-debug-feat.patch b/queue-5.0/s390-pkey-add-one-more-argument-space-for-debug-feat.patch new file mode 100644 index 00000000000..6b46e3deafa --- /dev/null +++ b/queue-5.0/s390-pkey-add-one-more-argument-space-for-debug-feat.patch @@ -0,0 +1,43 @@ +From c45da6c02f37eab72f77a05e7f1936d416cbfa97 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Fri, 12 Apr 2019 11:04:50 +0200 +Subject: s390/pkey: add one more argument space for debug feature entry + +[ Upstream commit 6b1f16ba730d4c0cda1247568c3a1bf4fa3a2f2f ] + +The debug feature entries have been used with up to 5 arguents +(including the pointer to the format string) but there was only +space reserved for 4 arguemnts. So now the registration does +reserve space for 5 times a long value. + +This fixes a sometime appearing weired value as the last +value of an debug feature entry like this: + +... pkey_sec2protkey zcrypt_send_cprb (cardnr=10 domain=12) + failed with errno -2143346254 + +Signed-off-by: Harald Freudenberger +Reported-by: Christian Rund +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index 2f92bbed4bf68..097e890e0d6d9 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -51,7 +51,8 @@ static debug_info_t *debug_info; + + static void __init pkey_debug_init(void) + { +- debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long)); ++ /* 5 arguments per dbf entry (including the format string ptr) */ ++ debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long)); + debug_register_view(debug_info, &debug_sprintf_view); + debug_set_level(debug_info, 3); + } +-- +2.20.1 + diff --git a/queue-5.0/scsi-aic7xxx-fix-eisa-support.patch b/queue-5.0/scsi-aic7xxx-fix-eisa-support.patch new file mode 100644 index 00000000000..32d988635c2 --- /dev/null +++ b/queue-5.0/scsi-aic7xxx-fix-eisa-support.patch @@ -0,0 +1,98 @@ +From 6b9fff169f74b6f32216ca91f9c865919b5f2be9 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 18 Apr 2019 18:13:58 +0200 +Subject: scsi: aic7xxx: fix EISA support + +[ Upstream commit 144ec97493af34efdb77c5aba146e9c7de8d0a06 ] + +Instead of relying on the now removed NULL argument to +pci_alloc_consistent, switch to the generic DMA API, and store the struct +device so that we can pass it. + +Fixes: 4167b2ad5182 ("PCI: Remove NULL device handling from PCI DMA API") +Reported-by: Matthew Whitehead +Signed-off-by: Christoph Hellwig +Tested-by: Matthew Whitehead +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic7xxx/aic7770_osm.c | 1 + + drivers/scsi/aic7xxx/aic7xxx.h | 1 + + drivers/scsi/aic7xxx/aic7xxx_osm.c | 10 ++++------ + drivers/scsi/aic7xxx/aic7xxx_osm_pci.c | 1 + + 4 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/aic7xxx/aic7770_osm.c b/drivers/scsi/aic7xxx/aic7770_osm.c +index 3d401d02c0195..bdd177e3d7622 100644 +--- a/drivers/scsi/aic7xxx/aic7770_osm.c ++++ b/drivers/scsi/aic7xxx/aic7770_osm.c +@@ -91,6 +91,7 @@ aic7770_probe(struct device *dev) + ahc = ahc_alloc(&aic7xxx_driver_template, name); + if (ahc == NULL) + return (ENOMEM); ++ ahc->dev = dev; + error = aic7770_config(ahc, aic7770_ident_table + edev->id.driver_data, + eisaBase); + if (error != 0) { +diff --git a/drivers/scsi/aic7xxx/aic7xxx.h b/drivers/scsi/aic7xxx/aic7xxx.h +index 5614921b4041a..88b90f9806c99 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx.h ++++ b/drivers/scsi/aic7xxx/aic7xxx.h +@@ -943,6 +943,7 @@ struct ahc_softc { + * Platform specific device information. + */ + ahc_dev_softc_t dev_softc; ++ struct device *dev; + + /* + * Bus specific device information. +diff --git a/drivers/scsi/aic7xxx/aic7xxx_osm.c b/drivers/scsi/aic7xxx/aic7xxx_osm.c +index 3c9c17450bb39..d5c4a0d237062 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx_osm.c ++++ b/drivers/scsi/aic7xxx/aic7xxx_osm.c +@@ -860,8 +860,8 @@ int + ahc_dmamem_alloc(struct ahc_softc *ahc, bus_dma_tag_t dmat, void** vaddr, + int flags, bus_dmamap_t *mapp) + { +- *vaddr = pci_alloc_consistent(ahc->dev_softc, +- dmat->maxsize, mapp); ++ /* XXX: check if we really need the GFP_ATOMIC and unwind this mess! */ ++ *vaddr = dma_alloc_coherent(ahc->dev, dmat->maxsize, mapp, GFP_ATOMIC); + if (*vaddr == NULL) + return ENOMEM; + return 0; +@@ -871,8 +871,7 @@ void + ahc_dmamem_free(struct ahc_softc *ahc, bus_dma_tag_t dmat, + void* vaddr, bus_dmamap_t map) + { +- pci_free_consistent(ahc->dev_softc, dmat->maxsize, +- vaddr, map); ++ dma_free_coherent(ahc->dev, dmat->maxsize, vaddr, map); + } + + int +@@ -1123,8 +1122,7 @@ ahc_linux_register_host(struct ahc_softc *ahc, struct scsi_host_template *templa + + host->transportt = ahc_linux_transport_template; + +- retval = scsi_add_host(host, +- (ahc->dev_softc ? &ahc->dev_softc->dev : NULL)); ++ retval = scsi_add_host(host, ahc->dev); + if (retval) { + printk(KERN_WARNING "aic7xxx: scsi_add_host failed\n"); + scsi_host_put(host); +diff --git a/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c b/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c +index 0fc14dac7070c..717d8d1082ce1 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c ++++ b/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c +@@ -250,6 +250,7 @@ ahc_linux_pci_dev_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + } + ahc->dev_softc = pci; ++ ahc->dev = &pci->dev; + error = ahc_pci_config(ahc, entry); + if (error != 0) { + ahc_free(ahc); +-- +2.20.1 + diff --git a/queue-5.0/selftests-fib_tests-fix-command-line-is-not-complete.patch b/queue-5.0/selftests-fib_tests-fix-command-line-is-not-complete.patch new file mode 100644 index 00000000000..61bae77800c --- /dev/null +++ b/queue-5.0/selftests-fib_tests-fix-command-line-is-not-complete.patch @@ -0,0 +1,179 @@ +From 338e29f1cf61c7ec9a7f0cf723672822cce4a727 Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Tue, 9 Apr 2019 14:23:10 -0700 +Subject: selftests: fib_tests: Fix 'Command line is not complete' errors + +[ Upstream commit a5f622984a623df9a84cf43f6b098d8dd76fbe05 ] + +A couple of tests are verifying a route has been removed. The helper +expects the prefix as the first part of the expected output. When +checking that a route has been deleted the prefix is empty leading +to an invalid ip command: + + $ ip ro ls match + Command line is not complete. Try option "help" + +Fix by moving the comparison of expected output and output to a new +function that is used by both check_route and check_route6. Use the +new helper for the 2 checks on route removal. + +Also, remove the reset of 'set -x' in route_setup which overrides the +user managed setting. + +Fixes: d69faad76584c ("selftests: fib_tests: Add prefix route tests with metric") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_tests.sh | 94 ++++++++++-------------- + 1 file changed, 40 insertions(+), 54 deletions(-) + +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index 1080ff55a788f..0d2a5f4f1e638 100755 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -605,6 +605,39 @@ run_cmd() + return $rc + } + ++check_expected() ++{ ++ local out="$1" ++ local expected="$2" ++ local rc=0 ++ ++ [ "${out}" = "${expected}" ] && return 0 ++ ++ if [ -z "${out}" ]; then ++ if [ "$VERBOSE" = "1" ]; then ++ printf "\nNo route entry found\n" ++ printf "Expected:\n" ++ printf " ${expected}\n" ++ fi ++ return 1 ++ fi ++ ++ # tricky way to convert output to 1-line without ip's ++ # messy '\'; this drops all extra white space ++ out=$(echo ${out}) ++ if [ "${out}" != "${expected}" ]; then ++ rc=1 ++ if [ "${VERBOSE}" = "1" ]; then ++ printf " Unexpected route entry. Have:\n" ++ printf " ${out}\n" ++ printf " Expected:\n" ++ printf " ${expected}\n\n" ++ fi ++ fi ++ ++ return $rc ++} ++ + # add route for a prefix, flushing any existing routes first + # expected to be the first step of a test + add_route6() +@@ -652,31 +685,7 @@ check_route6() + pfx=$1 + + out=$($IP -6 ro ls match ${pfx} | sed -e 's/ pref medium//') +- [ "${out}" = "${expected}" ] && return 0 +- +- if [ -z "${out}" ]; then +- if [ "$VERBOSE" = "1" ]; then +- printf "\nNo route entry found\n" +- printf "Expected:\n" +- printf " ${expected}\n" +- fi +- return 1 +- fi +- +- # tricky way to convert output to 1-line without ip's +- # messy '\'; this drops all extra white space +- out=$(echo ${out}) +- if [ "${out}" != "${expected}" ]; then +- rc=1 +- if [ "${VERBOSE}" = "1" ]; then +- printf " Unexpected route entry. Have:\n" +- printf " ${out}\n" +- printf " Expected:\n" +- printf " ${expected}\n\n" +- fi +- fi +- +- return $rc ++ check_expected "${out}" "${expected}" + } + + route_cleanup() +@@ -725,7 +734,7 @@ route_setup() + ip -netns ns2 addr add 172.16.103.2/24 dev veth4 + ip -netns ns2 addr add 172.16.104.1/24 dev dummy1 + +- set +ex ++ set +e + } + + # assumption is that basic add of a single path route works +@@ -960,7 +969,8 @@ ipv6_addr_metric_test() + run_cmd "$IP li set dev dummy2 down" + rc=$? + if [ $rc -eq 0 ]; then +- check_route6 "" ++ out=$($IP -6 ro ls match 2001:db8:104::/64) ++ check_expected "${out}" "" + rc=$? + fi + log_test $rc 0 "Prefix route removed on link down" +@@ -1091,38 +1101,13 @@ check_route() + local pfx + local expected="$1" + local out +- local rc=0 + + set -- $expected + pfx=$1 + [ "${pfx}" = "unreachable" ] && pfx=$2 + + out=$($IP ro ls match ${pfx}) +- [ "${out}" = "${expected}" ] && return 0 +- +- if [ -z "${out}" ]; then +- if [ "$VERBOSE" = "1" ]; then +- printf "\nNo route entry found\n" +- printf "Expected:\n" +- printf " ${expected}\n" +- fi +- return 1 +- fi +- +- # tricky way to convert output to 1-line without ip's +- # messy '\'; this drops all extra white space +- out=$(echo ${out}) +- if [ "${out}" != "${expected}" ]; then +- rc=1 +- if [ "${VERBOSE}" = "1" ]; then +- printf " Unexpected route entry. Have:\n" +- printf " ${out}\n" +- printf " Expected:\n" +- printf " ${expected}\n\n" +- fi +- fi +- +- return $rc ++ check_expected "${out}" "${expected}" + } + + # assumption is that basic add of a single path route works +@@ -1387,7 +1372,8 @@ ipv4_addr_metric_test() + run_cmd "$IP li set dev dummy2 down" + rc=$? + if [ $rc -eq 0 ]; then +- check_route "" ++ out=$($IP ro ls match 172.16.104.0/24) ++ check_expected "${out}" "" + rc=$? + fi + log_test $rc 0 "Prefix route removed on link down" +-- +2.20.1 + diff --git a/queue-5.0/selftests-net-correct-the-return-value-for-run_afpac.patch b/queue-5.0/selftests-net-correct-the-return-value-for-run_afpac.patch new file mode 100644 index 00000000000..0b0b8f6521f --- /dev/null +++ b/queue-5.0/selftests-net-correct-the-return-value-for-run_afpac.patch @@ -0,0 +1,63 @@ +From 0ec57bb37d9eab23d3bd281a6e241796dd358e16 Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Fri, 19 Apr 2019 19:01:13 +0800 +Subject: selftests/net: correct the return value for run_afpackettests + +[ Upstream commit 8c03557c3f25271e62e39154af66ebdd1b59c9ca ] + +The run_afpackettests will be marked as passed regardless the return +value of those sub-tests in the script: + -------------------- + running psock_tpacket test + -------------------- + [FAIL] + selftests: run_afpackettests [PASS] + +Fix this by changing the return value for each tests. + +Signed-off-by: Po-Hsu Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/run_afpackettests | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/testing/selftests/net/run_afpackettests b/tools/testing/selftests/net/run_afpackettests +index 2dc95fda7ef76..ea5938ec009a5 100755 +--- a/tools/testing/selftests/net/run_afpackettests ++++ b/tools/testing/selftests/net/run_afpackettests +@@ -6,12 +6,14 @@ if [ $(id -u) != 0 ]; then + exit 0 + fi + ++ret=0 + echo "--------------------" + echo "running psock_fanout test" + echo "--------------------" + ./in_netns.sh ./psock_fanout + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ ret=1 + else + echo "[PASS]" + fi +@@ -22,6 +24,7 @@ echo "--------------------" + ./in_netns.sh ./psock_tpacket + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ ret=1 + else + echo "[PASS]" + fi +@@ -32,6 +35,8 @@ echo "--------------------" + ./in_netns.sh ./txring_overwrite + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ ret=1 + else + echo "[PASS]" + fi ++exit $ret +-- +2.20.1 + diff --git a/queue-5.0/selftests-net-correct-the-return-value-for-run_netso.patch b/queue-5.0/selftests-net-correct-the-return-value-for-run_netso.patch new file mode 100644 index 00000000000..6a5e15d50a9 --- /dev/null +++ b/queue-5.0/selftests-net-correct-the-return-value-for-run_netso.patch @@ -0,0 +1,44 @@ +From 9591eb5b3efb14a927504f6fb894e16d4cc59d4e Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Thu, 18 Apr 2019 19:57:25 +0800 +Subject: selftests/net: correct the return value for run_netsocktests + +[ Upstream commit 30c04d796b693e22405c38e9b78e9a364e4c77e6 ] + +The run_netsocktests will be marked as passed regardless the actual test +result from the ./socket: + + selftests: net: run_netsocktests + ======================================== + -------------------- + running socket test + -------------------- + [FAIL] + ok 1..6 selftests: net: run_netsocktests [PASS] + +This is because the test script itself has been successfully executed. +Fix this by exit 1 when the test failed. + +Signed-off-by: Po-Hsu Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/run_netsocktests | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests +index b093f39c298c3..14e41faf2c574 100755 +--- a/tools/testing/selftests/net/run_netsocktests ++++ b/tools/testing/selftests/net/run_netsocktests +@@ -7,7 +7,7 @@ echo "--------------------" + ./socket + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ exit 1 + else + echo "[PASS]" + fi +- +-- +2.20.1 + diff --git a/queue-5.0/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch b/queue-5.0/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch new file mode 100644 index 00000000000..80f1d5d150f --- /dev/null +++ b/queue-5.0/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch @@ -0,0 +1,333 @@ +From f6549d5f22822eb1a0881eb7d606a7649f1a581c Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 25 Mar 2019 23:11:53 +0100 +Subject: selftests: netfilter: check icmp pkttoobig errors are set as related + +[ Upstream commit becf2319f320cae43e20cf179cc51a355a0deb5f ] + +When an icmp error such as pkttoobig is received, conntrack checks +if the "inner" header (header of packet that did not fit link mtu) +is matches an existing connection, and, if so, sets that packet as +being related to the conntrack entry it found. + +It was recently reported that this "related" setting also works +if the inner header is from another, different connection (i.e., +artificial/forged icmp error). + +Add a test, followup patch will add additional "inner dst matches +outer dst in reverse direction" check before setting related state. + +Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/Makefile | 2 +- + .../netfilter/conntrack_icmp_related.sh | 283 ++++++++++++++++++ + 2 files changed, 284 insertions(+), 1 deletion(-) + create mode 100755 tools/testing/selftests/netfilter/conntrack_icmp_related.sh + +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +index c9ff2b47bd1ca..a37cb1192c6a6 100644 +--- a/tools/testing/selftests/netfilter/Makefile ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + # Makefile for netfilter selftests + +-TEST_PROGS := nft_trans_stress.sh nft_nat.sh ++TEST_PROGS := nft_trans_stress.sh nft_nat.sh conntrack_icmp_related.sh + + include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +new file mode 100755 +index 0000000000000..b48e1833bc896 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +@@ -0,0 +1,283 @@ ++#!/bin/bash ++# ++# check that ICMP df-needed/pkttoobig icmp are set are set as related ++# state ++# ++# Setup is: ++# ++# nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2 ++# MTU 1500, except for nsrouter2 <-> nsclient2 link (1280). ++# ping nsclient2 from nsclient1, checking that conntrack did set RELATED ++# 'fragmentation needed' icmp packet. ++# ++# In addition, nsrouter1 will perform IP masquerading, i.e. also ++# check the icmp errors are propagated to the correct host as per ++# nat of "established" icmp-echo "connection". ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ret=0 ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++cleanup() { ++ for i in 1 2;do ip netns del nsclient$i;done ++ for i in 1 2;do ip netns del nsrouter$i;done ++} ++ ++ipv4() { ++ echo -n 192.168.$1.2 ++} ++ ++ipv6 () { ++ echo -n dead:$1::2 ++} ++ ++check_counter() ++{ ++ ns=$1 ++ name=$2 ++ expect=$3 ++ local lret=0 ++ ++ cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2 ++ ip netns exec $ns nft list counter inet filter "$name" 1>&2 ++ lret=1 ++ fi ++ ++ return $lret ++} ++ ++check_unknown() ++{ ++ expect="packets 0 bytes 0" ++ for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do ++ check_counter $n "unknown" "$expect" ++ if [ $? -ne 0 ] ;then ++ return 1 ++ fi ++ done ++ ++ return 0 ++} ++ ++for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do ++ ip netns add $n ++ ip -net $n link set lo up ++done ++ ++DEV=veth0 ++ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1 ++DEV=veth0 ++ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2 ++ ++DEV=veth0 ++ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2 ++ ++DEV=veth0 ++for i in 1 2; do ++ ip -net nsclient$i link set $DEV up ++ ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV ++ ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV ++done ++ ++ip -net nsrouter1 link set eth1 up ++ip -net nsrouter1 link set veth0 up ++ ++ip -net nsrouter2 link set eth1 up ++ip -net nsrouter2 link set eth2 up ++ ++ip -net nsclient1 route add default via 192.168.1.1 ++ip -net nsclient1 -6 route add default via dead:1::1 ++ ++ip -net nsclient2 route add default via 192.168.2.1 ++ip -net nsclient2 route add default via dead:2::1 ++ ++i=3 ++ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1 ++ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0 ++ip -net nsrouter1 addr add dead:1::1/64 dev eth1 ++ip -net nsrouter1 addr add dead:3::1/64 dev veth0 ++ip -net nsrouter1 route add default via 192.168.3.10 ++ip -net nsrouter1 -6 route add default via dead:3::10 ++ ++ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1 ++ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2 ++ip -net nsrouter2 addr add dead:2::1/64 dev eth1 ++ip -net nsrouter2 addr add dead:3::10/64 dev eth2 ++ip -net nsrouter2 route add default via 192.168.3.1 ++ip -net nsrouter2 route add default via dead:3::1 ++ ++sleep 2 ++for i in 4 6; do ++ ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1 ++ ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1 ++done ++ ++for netns in nsrouter1 nsrouter2; do ++ip netns exec $netns nft -f - </dev/null ++if [ $? -ne 0 ]; then ++ echo "ERROR: netns ip routing/connectivity broken" 1>&2 ++ cleanup ++ exit 1 ++fi ++ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null ++if [ $? -ne 0 ]; then ++ echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2 ++ cleanup ++ exit 1 ++fi ++ ++check_unknown ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++expect="packets 0 bytes 0" ++for netns in nsrouter1 nsrouter2 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++expect="packets 2 bytes 2076" ++check_counter nsclient2 "new" "$expect" ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null ++if [ $? -eq 0 ]; then ++ echo "ERROR: ping should have failed with PMTU too big error" 1>&2 ++ ret=1 ++fi ++ ++# nsrouter2 should have generated the icmp error, so ++# related counter should be 0 (its in forward). ++expect="packets 0 bytes 0" ++check_counter "nsrouter2" "related" "$expect" ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++# but nsrouter1 should have seen it, same for nsclient1. ++expect="packets 1 bytes 576" ++for netns in nsrouter1 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null ++if [ $? -eq 0 ]; then ++ echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2 ++ ret=1 ++fi ++ ++expect="packets 2 bytes 1856" ++for netns in nsrouter1 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++if [ $ret -eq 0 ];then ++ echo "PASS: icmp mtu error had RELATED state" ++else ++ echo "ERROR: icmp error RELATED state test has failed" ++fi ++ ++cleanup ++exit $ret +-- +2.20.1 + diff --git a/queue-5.0/series b/queue-5.0/series index 771ff7c0c7c..0d9a70f4de5 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -8,3 +8,95 @@ selftests-seccomp-handle-namespace-failures-gracefully.patch kernfs-fix-barrier-usage-in-__kernfs_new_node.patch virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch usb-serial-fix-unthrottle-races.patch +iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch +iio-adc-xilinx-fix-potential-use-after-free-on-probe.patch +iio-adc-xilinx-prevent-touching-unclocked-h-w-on-rem.patch +acpi-nfit-always-dump-_dsm-output-payload.patch +libnvdimm-namespace-fix-a-potential-null-pointer-der.patch +hid-input-add-mapping-for-expose-overview-key.patch +hid-input-add-mapping-for-keyboard-brightness-up-dow.patch +hid-input-add-mapping-for-toggle-display-key.patch +libnvdimm-btt-fix-a-kmemdup-failure-check.patch +s390-dasd-fix-capacity-calculation-for-large-volumes.patch +mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch +mac80211-increase-max_msg_len.patch +cfg80211-handle-wmm-rules-in-regulatory-domain-inter.patch +mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch +nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch +libnvdimm-security-provide-fix-for-secure-erase-to-u.patch +libnvdimm-pmem-fix-a-possible-oob-access-when-read-a.patch +tools-testing-nvdimm-retain-security-state-after-ove.patch +s390-3270-fix-lockdep-false-positive-on-view-lock.patch +drm-ttm-fix-dma_fence-refcount-imbalance-on-error-pa.patch +drm-amd-display-extending-aux-sw-timeout.patch +clocksource-drivers-npcm-select-timer_of.patch +clocksource-drivers-oxnas-fix-ox820-compatible.patch +selftests-fib_tests-fix-command-line-is-not-complete.patch +drm-amdgpu-shadow-in-shadow_list-without-tbo.mem.sta.patch +misdn-check-address-length-before-reading-address-fa.patch +vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma.patch +qede-fix-write-to-free-d-pointer-error-and-double-fr.patch +afs-unlock-pages-for-__pagevec_release.patch +afs-fix-in-progess-ops-to-ignore-server-level-callba.patch +qed-delete-redundant-doorbell-recovery-types.patch +qed-fix-the-doorbell-address-sanity-check.patch +qed-fix-missing-dorq-attentions.patch +qed-fix-the-dorq-s-attentions-handling.patch +drm-amd-display-if-one-stream-full-updates-full-upda.patch +s390-pkey-add-one-more-argument-space-for-debug-feat.patch +x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch +x86-mm-prevent-bogus-warnings-with-noexec-off.patch +x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch +kvm-nvmx-always-use-early-vmcs-check-when-ept-is-dis.patch +kvm-x86-raise-gp-when-guest-vcpu-do-not-support-pmu.patch +kvm-nvmx-expose-rdpmc-exiting-only-when-guest-suppor.patch +kvm-fix-spectrev1-gadgets.patch +kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch +tools-lib-traceevent-fix-missing-equality-check-for-.patch +perf-top-always-sample-time-to-satisfy-needs-of-use-.patch +ipmi-ipmi_si_hardcode.c-init-si_type-array-to-fix-a-.patch +ocelot-don-t-sleep-in-atomic-context-irqs_disabled.patch +perf-tools-fix-map-reference-counting.patch +scsi-aic7xxx-fix-eisa-support.patch +slab-store-tagged-freelist-for-off-slab-slabmgmt.patch +mm-hotplug-treat-cma-pages-as-unmovable.patch +mm-fix-inactive-list-balancing-between-numa-nodes-an.patch +init-initialize-jump-labels-before-command-line-opti.patch +drm-bridge-dw-hdmi-fix-overflow-workaround-for-rockc.patch +selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch +ipvs-do-not-schedule-icmp-errors-from-tunnels.patch +netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch +netfilter-nf_tables-prevent-shift-wrap-in-nft_chain_.patch +netfilter-nat-fix-icmp-id-randomization.patch +mips-perf-ath79-fix-perfcount-irq-assignment.patch +ib-mlx5-fix-scatter-to-cqe-in-dct-qp-creation.patch +s390-ctcm-fix-ctcm_new_device-error-return-code.patch +drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch +drm-sun4i-fix-component-unbinding-and-component-mast.patch +of_net-fix-residues-after-of_get_nvmem_mac_address-r.patch +selftests-net-correct-the-return-value-for-run_netso.patch +selftests-net-correct-the-return-value-for-run_afpac.patch +netfilter-never-get-set-skb-tstamp.patch +netfilter-fix-nf_l4proto_log_invalid-to-log-invalid-.patch +dmaengine-bcm2835-avoid-gfp_kernel-in-device_prep_sl.patch +arm64-module-ftrace-deal-with-place-relative-nature-.patch +gpu-ipu-v3-dp-fix-csc-handling.patch +drm-imx-don-t-skip-dp-channel-disable-for-background.patch +arm-fix-function-graph-tracer-and-unwinder-dependenc.patch +arm-8856-1-nommu-fix-ccr-register-faulty-initializat.patch +spi-micrel-eth-switch-declare-missing-of-table.patch +spi-st-st95hf-nfc-declare-missing-of-table.patch +ceph-handle-the-case-where-a-dentry-has-been-renamed.patch +revert-drm-virtio-drop-prime-import-export-callbacks.patch +drm-sun4i-unbind-components-before-releasing-drm-and.patch +input-snvs_pwrkey-make-it-depend-on-arch_mxc.patch +input-synaptics-rmi4-fix-possible-double-free.patch +net-vrf-fix-operation-not-supported-when-set-vrf-mac.patch +gpio-fix-gpiochip_add_data_with_key-error-path.patch +rdma-hns-bugfix-for-mapping-user-db.patch +mm-memory_hotplug.c-drop-memory-device-reference-aft.patch +mm-page_alloc.c-avoid-potential-null-pointer-derefer.patch +bpf-only-test-gso-type-on-gso-packets.patch +net-sched-fix-cleanup-null-pointer-exception-in-act_.patch +net-mvpp2-fix-validate-for-ppv2.1.patch +drm-rockchip-fix-for-mailbox-read-validation.patch diff --git a/queue-5.0/slab-store-tagged-freelist-for-off-slab-slabmgmt.patch b/queue-5.0/slab-store-tagged-freelist-for-off-slab-slabmgmt.patch new file mode 100644 index 00000000000..d83ffb26143 --- /dev/null +++ b/queue-5.0/slab-store-tagged-freelist-for-off-slab-slabmgmt.patch @@ -0,0 +1,144 @@ +From 9122c9347bebb381ed1865505f4a117070123200 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 18 Apr 2019 17:49:55 -0700 +Subject: slab: store tagged freelist for off-slab slabmgmt + +[ Upstream commit 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed ] + +Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags") +calls kasan_reset_tag() for off-slab slab management object leading to +freelist being stored non-tagged. + +However, cache_grow_begin() calls alloc_slabmgmt() which calls +kmem_cache_alloc_node() assigns a tag for the address and stores it in +the shadow address. As the result, it causes endless errors below +during boot due to drain_freelist() -> slab_destroy() -> +kasan_slab_free() which compares already untagged freelist against the +stored tag in the shadow address. + +Since off-slab slab management object freelist is such a special case, +just store it tagged. Non-off-slab management object freelist is still +stored untagged which has not been assigned a tag and should not cause +any other troubles with this inconsistency. + + BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88 + Pointer tag: [ff], memory tag: [99] + + CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G W 5.1.0-rc3+ #8 + Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.0.6 07/10/2018 + Workqueue: cgroup_destroy css_killed_work_fn + Call trace: + print_address_description+0x74/0x2a4 + kasan_report_invalid_free+0x80/0xc0 + __kasan_slab_free+0x204/0x208 + kasan_slab_free+0xc/0x18 + kmem_cache_free+0xe4/0x254 + slab_destroy+0x84/0x88 + drain_freelist+0xd0/0x104 + __kmem_cache_shrink+0x1ac/0x224 + __kmemcg_cache_deactivate+0x1c/0x28 + memcg_deactivate_kmem_caches+0xa0/0xe8 + memcg_offline_kmem+0x8c/0x3d4 + mem_cgroup_css_offline+0x24c/0x290 + css_killed_work_fn+0x154/0x618 + process_one_work+0x9cc/0x183c + worker_thread+0x9b0/0xe38 + kthread+0x374/0x390 + ret_from_fork+0x10/0x18 + + Allocated by task 1625: + __kasan_kmalloc+0x168/0x240 + kasan_slab_alloc+0x18/0x20 + kmem_cache_alloc_node+0x1f8/0x3a0 + cache_grow_begin+0x4fc/0xa24 + cache_alloc_refill+0x2f8/0x3e8 + kmem_cache_alloc+0x1bc/0x3bc + sock_alloc_inode+0x58/0x334 + alloc_inode+0xb8/0x164 + new_inode_pseudo+0x20/0xec + sock_alloc+0x74/0x284 + __sock_create+0xb0/0x58c + sock_create+0x98/0xb8 + __sys_socket+0x60/0x138 + __arm64_sys_socket+0xa4/0x110 + el0_svc_handler+0x2c0/0x47c + el0_svc+0x8/0xc + + Freed by task 1625: + __kasan_slab_free+0x114/0x208 + kasan_slab_free+0xc/0x18 + kfree+0x1a8/0x1e0 + single_release+0x7c/0x9c + close_pdeo+0x13c/0x43c + proc_reg_release+0xec/0x108 + __fput+0x2f8/0x784 + ____fput+0x1c/0x28 + task_work_run+0xc0/0x1b0 + do_notify_resume+0xb44/0x1278 + work_pending+0x8/0x10 + + The buggy address belongs to the object at ffff809681b89e00 + which belongs to the cache kmalloc-128 of size 128 + The buggy address is located 0 bytes inside of + 128-byte region [ffff809681b89e00, ffff809681b89e80) + The buggy address belongs to the page: + page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00 + index:0xffff809681b8fe04 + flags: 0x17ffffffc000200(slab) + raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00 + raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000 + page dumped because: kasan: bad access detected + page allocated via order 0, migratetype Unmovable, gfp_mask + 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE) + prep_new_page+0x4e0/0x5e0 + get_page_from_freelist+0x4ce8/0x50d4 + __alloc_pages_nodemask+0x738/0x38b8 + cache_grow_begin+0xd8/0xa24 + ____cache_alloc_node+0x14c/0x268 + __kmalloc+0x1c8/0x3fc + ftrace_free_mem+0x408/0x1284 + ftrace_free_init_mem+0x20/0x28 + kernel_init+0x24/0x548 + ret_from_fork+0x10/0x18 + + Memory state around the buggy address: + ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe + ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe + >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe + ^ + ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe + ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe + +Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw +Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags") +Signed-off-by: Qian Cai +Reviewed-by: Andrey Konovalov +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/mm/slab.c b/mm/slab.c +index 188c4b65255dc..f4bbc53008f3b 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -2371,7 +2371,6 @@ static void *alloc_slabmgmt(struct kmem_cache *cachep, + /* Slab management obj is off-slab. */ + freelist = kmem_cache_alloc_node(cachep->freelist_cache, + local_flags, nodeid); +- freelist = kasan_reset_tag(freelist); + if (!freelist) + return NULL; + } else { +-- +2.20.1 + diff --git a/queue-5.0/spi-micrel-eth-switch-declare-missing-of-table.patch b/queue-5.0/spi-micrel-eth-switch-declare-missing-of-table.patch new file mode 100644 index 00000000000..35c7d05a540 --- /dev/null +++ b/queue-5.0/spi-micrel-eth-switch-declare-missing-of-table.patch @@ -0,0 +1,66 @@ +From cdcfd7123d9f0eb54042cc867d198158da2a6e9b Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 21:08:03 +0200 +Subject: spi: Micrel eth switch: declare missing of table + +[ Upstream commit 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 ] + +Add missing table for SPI driver relying on SPI +device match since compatible is in a DT binding or in a DTS. + +Before this patch: +modinfo drivers/net/phy/spi_ks8995.ko | grep alias +alias: spi:ksz8795 +alias: spi:ksz8864 +alias: spi:ks8995 + +After this patch: +modinfo drivers/net/phy/spi_ks8995.ko | grep alias +alias: spi:ksz8795 +alias: spi:ksz8864 +alias: spi:ks8995 +alias: of:N*T*Cmicrel,ksz8795C* +alias: of:N*T*Cmicrel,ksz8795 +alias: of:N*T*Cmicrel,ksz8864C* +alias: of:N*T*Cmicrel,ksz8864 +alias: of:N*T*Cmicrel,ks8995C* +alias: of:N*T*Cmicrel,ks8995 + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/spi_ks8995.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c +index f17b3441779bf..d8ea4147dfe78 100644 +--- a/drivers/net/phy/spi_ks8995.c ++++ b/drivers/net/phy/spi_ks8995.c +@@ -162,6 +162,14 @@ static const struct spi_device_id ks8995_id[] = { + }; + MODULE_DEVICE_TABLE(spi, ks8995_id); + ++static const struct of_device_id ks8895_spi_of_match[] = { ++ { .compatible = "micrel,ks8995" }, ++ { .compatible = "micrel,ksz8864" }, ++ { .compatible = "micrel,ksz8795" }, ++ { }, ++ }; ++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match); ++ + static inline u8 get_chip_id(u8 val) + { + return (val >> ID1_CHIPID_S) & ID1_CHIPID_M; +@@ -529,6 +537,7 @@ static int ks8995_remove(struct spi_device *spi) + static struct spi_driver ks8995_driver = { + .driver = { + .name = "spi-ks8995", ++ .of_match_table = of_match_ptr(ks8895_spi_of_match), + }, + .probe = ks8995_probe, + .remove = ks8995_remove, +-- +2.20.1 + diff --git a/queue-5.0/spi-st-st95hf-nfc-declare-missing-of-table.patch b/queue-5.0/spi-st-st95hf-nfc-declare-missing-of-table.patch new file mode 100644 index 00000000000..15003a400ce --- /dev/null +++ b/queue-5.0/spi-st-st95hf-nfc-declare-missing-of-table.patch @@ -0,0 +1,56 @@ +From 179789dabf0d50a1bc65e8a39931bc4decc653a1 Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 21:08:04 +0200 +Subject: spi: ST ST95HF NFC: declare missing of table + +[ Upstream commit d04830531d0c4a99c897a44038e5da3d23331d2f ] + +Add missing table for SPI driver relying on SPI +device match since compatible is in a DT binding or in a DTS. + +Before this patch: +modinfo drivers/nfc/st95hf/st95hf.ko | grep alias +alias: spi:st95hf + +After this patch: +modinfo drivers/nfc/st95hf/st95hf.ko | grep alias +alias: spi:st95hf +alias: of:N*T*Cst,st95hfC* +alias: of:N*T*Cst,st95hf + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st95hf/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c +index 2b26f762fbc3b..01acb6e533655 100644 +--- a/drivers/nfc/st95hf/core.c ++++ b/drivers/nfc/st95hf/core.c +@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = { + }; + MODULE_DEVICE_TABLE(spi, st95hf_id); + ++static const struct of_device_id st95hf_spi_of_match[] = { ++ { .compatible = "st,st95hf" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match); ++ + static int st95hf_probe(struct spi_device *nfc_spi_dev) + { + int ret; +@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = { + .driver = { + .name = "st95hf", + .owner = THIS_MODULE, ++ .of_match_table = of_match_ptr(st95hf_spi_of_match), + }, + .id_table = st95hf_id, + .probe = st95hf_probe, +-- +2.20.1 + diff --git a/queue-5.0/tools-lib-traceevent-fix-missing-equality-check-for-.patch b/queue-5.0/tools-lib-traceevent-fix-missing-equality-check-for-.patch new file mode 100644 index 00000000000..4b425a8e728 --- /dev/null +++ b/queue-5.0/tools-lib-traceevent-fix-missing-equality-check-for-.patch @@ -0,0 +1,59 @@ +From 7d8191c94ce3894216a447b76f11f0c8a9341b41 Mon Sep 17 00:00:00 2001 +From: Rikard Falkeborn +Date: Tue, 9 Apr 2019 11:15:29 +0200 +Subject: tools lib traceevent: Fix missing equality check for strcmp + +[ Upstream commit f32c2877bcb068a718bb70094cd59ccc29d4d082 ] + +There was a missing comparison with 0 when checking if type is "s64" or +"u64". Therefore, the body of the if-statement was entered if "type" was +"u64" or not "s64", which made the first strcmp() redundant since if +type is "u64", it's not "s64". + +If type is "s64", the body of the if-statement is not entered but since +the remainder of the function consists of if-statements which will not +be entered if type is "s64", we will just return "val", which is +correct, albeit at the cost of a few more calls to strcmp(), i.e., it +will behave just as if the if-statement was entered. + +If type is neither "s64" or "u64", the body of the if-statement will be +entered incorrectly and "val" returned. This means that any type that is +checked after "s64" and "u64" is handled the same way as "s64" and +"u64", i.e., the limiting of "val" to fit in for example "s8" is never +reached. + +This was introduced in the kernel tree when the sources were copied from +trace-cmd in commit f7d82350e597 ("tools/events: Add files to create +libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei +("Implement typecasting in parser") when the function was introduced, +i.e., it has always behaved the wrong way. + +Detected by cppcheck. + +Signed-off-by: Rikard Falkeborn +Reviewed-by: Steven Rostedt (VMware) +Cc: Tzvetomir Stoyanov +Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") +Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 87494c7c619d8..981c6ce2da2c7 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2233,7 +2233,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer) + return val & 0xffffffff; + + if (strcmp(type, "u64") == 0 || +- strcmp(type, "s64")) ++ strcmp(type, "s64") == 0) + return val; + + if (strcmp(type, "s8") == 0) +-- +2.20.1 + diff --git a/queue-5.0/tools-testing-nvdimm-retain-security-state-after-ove.patch b/queue-5.0/tools-testing-nvdimm-retain-security-state-after-ove.patch new file mode 100644 index 00000000000..97dce4b217e --- /dev/null +++ b/queue-5.0/tools-testing-nvdimm-retain-security-state-after-ove.patch @@ -0,0 +1,53 @@ +From 4aed252d6278e399da46c768399eecde0477f984 Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Mon, 11 Mar 2019 12:47:14 -0700 +Subject: tools/testing/nvdimm: Retain security state after overwrite + +[ Upstream commit 2170a0d53bee1a6c1a4ebd042f99d85aafc6c0ea ] + +Overwrite retains the security state after completion of operation. Fix +nfit_test to reflect this so that the kernel can test the behavior it is +more likely to see in practice. + +Fixes: 926f74802cb1 ("tools/testing/nvdimm: Add overwrite support for nfit_test") +Signed-off-by: Dave Jiang +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + tools/testing/nvdimm/test/nfit.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c +index cad719876ef45..85ffdcfa596b5 100644 +--- a/tools/testing/nvdimm/test/nfit.c ++++ b/tools/testing/nvdimm/test/nfit.c +@@ -146,6 +146,7 @@ static int dimm_fail_cmd_code[ARRAY_SIZE(handle)]; + struct nfit_test_sec { + u8 state; + u8 ext_state; ++ u8 old_state; + u8 passphrase[32]; + u8 master_passphrase[32]; + u64 overwrite_end_time; +@@ -1100,7 +1101,7 @@ static int nd_intel_test_cmd_overwrite(struct nfit_test *t, + return 0; + } + +- memset(sec->passphrase, 0, ND_INTEL_PASSPHRASE_SIZE); ++ sec->old_state = sec->state; + sec->state = ND_INTEL_SEC_STATE_OVERWRITE; + dev_dbg(dev, "overwrite progressing.\n"); + sec->overwrite_end_time = get_jiffies_64() + 5 * HZ; +@@ -1122,7 +1123,8 @@ static int nd_intel_test_cmd_query_overwrite(struct nfit_test *t, + + if (time_is_before_jiffies64(sec->overwrite_end_time)) { + sec->overwrite_end_time = 0; +- sec->state = 0; ++ sec->state = sec->old_state; ++ sec->old_state = 0; + sec->ext_state = ND_INTEL_SEC_ESTATE_ENABLED; + dev_dbg(dev, "overwrite is complete\n"); + } else +-- +2.20.1 + diff --git a/queue-5.0/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma.patch b/queue-5.0/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma.patch new file mode 100644 index 00000000000..ba6ccafb662 --- /dev/null +++ b/queue-5.0/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma.patch @@ -0,0 +1,35 @@ +From 3b6be18d084626cc715a30cbf877c92f29d120aa Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 12 Apr 2019 14:45:12 +0100 +Subject: vxge: fix return of a free'd memblock on a failed dma mapping + +[ Upstream commit 0a2c34f18c94b596562bf3d019fceab998b8b584 ] + +Currently if a pci dma mapping failure is detected a free'd +memblock address is returned rather than a NULL (that indicates +an error). Fix this by ensuring NULL is returned on this error case. + +Addresses-Coverity: ("Use after free") +Fixes: 528f727279ae ("vxge: code cleanup and reorganization") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c +index 7cde387e5ec62..51cd57ab3d958 100644 +--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c ++++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c +@@ -2366,6 +2366,7 @@ static void *__vxge_hw_blockpool_malloc(struct __vxge_hw_device *devh, u32 size, + dma_object->addr))) { + vxge_os_dma_free(devh->pdev, memblock, + &dma_object->acc_handle); ++ memblock = NULL; + goto exit; + } + +-- +2.20.1 + diff --git a/queue-5.0/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch b/queue-5.0/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch new file mode 100644 index 00000000000..4bbb6bc44f6 --- /dev/null +++ b/queue-5.0/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch @@ -0,0 +1,52 @@ +From 7e60d5a33f5991524422261324266edaf4a2e6b7 Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Mon, 15 Apr 2019 09:49:56 -0700 +Subject: x86/build/lto: Fix truncated .bss with -fdata-sections + +[ Upstream commit 6a03469a1edc94da52b65478f1e00837add869a3 ] + +With CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y, we compile the kernel with +-fdata-sections, which also splits the .bss section. + +The new section, with a new .bss.* name, which pattern gets missed by the +main x86 linker script which only expects the '.bss' name. This results +in the discarding of the second part and a too small, truncated .bss +section and an unhappy, non-working kernel. + +Use the common BSS_MAIN macro in the linker script to properly capture +and merge all the generated BSS sections. + +Signed-off-by: Sami Tolvanen +Reviewed-by: Nick Desaulniers +Reviewed-by: Kees Cook +Cc: Borislav Petkov +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20190415164956.124067-1-samitolvanen@google.com +[ Extended the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/vmlinux.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index ee3b5c7d662e1..c45214c44e612 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -362,7 +362,7 @@ SECTIONS + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { + __bss_start = .; + *(.bss..page_aligned) +- *(.bss) ++ *(BSS_MAIN) + BSS_DECRYPTED + . = ALIGN(PAGE_SIZE); + __bss_stop = .; +-- +2.20.1 + diff --git a/queue-5.0/x86-mm-prevent-bogus-warnings-with-noexec-off.patch b/queue-5.0/x86-mm-prevent-bogus-warnings-with-noexec-off.patch new file mode 100644 index 00000000000..bf4f305c42a --- /dev/null +++ b/queue-5.0/x86-mm-prevent-bogus-warnings-with-noexec-off.patch @@ -0,0 +1,78 @@ +From 62673713fb19d033f8eba868a125f511aa089d6c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 15 Apr 2019 10:46:07 +0200 +Subject: x86/mm: Prevent bogus warnings with "noexec=off" + +[ Upstream commit 510bb96fe5b3480b4b22d815786377e54cb701e7 ] + +Xose Vazquez Perez reported boot warnings when NX is disabled on the kernel command line. + +__early_set_fixmap() triggers this warning: + + attempted to set unsupported pgprot: 8000000000000163 + bits: 8000000000000000 + supported: 7fffffffffffffff + + WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/pgtable.h:537 + __early_set_fixmap+0xa2/0xff + +because it uses __default_kernel_pte_mask to mask out unsupported bits. + +Use __supported_pte_mask instead. + +Disabling NX on the command line also triggers the NX warning in the page +table mapping check: + + WARNING: CPU: 1 PID: 1 at arch/x86/mm/dump_pagetables.c:262 note_page+0x2ae/0x650 + .... + +Make the warning depend on NX set in __supported_pte_mask. + +Reported-by: Xose Vazquez Perez +Tested-by: Xose Vazquez Perez +Signed-off-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rik van Riel +Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1904151037530.1729@nanos.tec.linutronix.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/mm/dump_pagetables.c | 3 ++- + arch/x86/mm/ioremap.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c +index e3cdc85ce5b6e..84304626b1cb8 100644 +--- a/arch/x86/mm/dump_pagetables.c ++++ b/arch/x86/mm/dump_pagetables.c +@@ -259,7 +259,8 @@ static void note_wx(struct pg_state *st) + #endif + /* Account the WX pages */ + st->wx_pages += npages; +- WARN_ONCE(1, "x86/mm: Found insecure W+X mapping at address %pS\n", ++ WARN_ONCE(__supported_pte_mask & _PAGE_NX, ++ "x86/mm: Found insecure W+X mapping at address %pS\n", + (void *)st->start_address); + } + +diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c +index 5378d10f1d31d..3b76fe954978c 100644 +--- a/arch/x86/mm/ioremap.c ++++ b/arch/x86/mm/ioremap.c +@@ -825,7 +825,7 @@ void __init __early_set_fixmap(enum fixed_addresses idx, + pte = early_ioremap_pte(addr); + + /* Sanitize 'prot' against any unsupported bits: */ +- pgprot_val(flags) &= __default_kernel_pte_mask; ++ pgprot_val(flags) &= __supported_pte_mask; + + if (pgprot_val(flags)) + set_pte(pte, pfn_pte(phys >> PAGE_SHIFT, flags)); +-- +2.20.1 + diff --git a/queue-5.0/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch b/queue-5.0/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch new file mode 100644 index 00000000000..435bcecef6b --- /dev/null +++ b/queue-5.0/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch @@ -0,0 +1,102 @@ +From fe6804bb524f3712dcaeb69ec3ee10465c972bb1 Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Fri, 12 Apr 2019 16:01:53 +0800 +Subject: x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T + +[ Upstream commit 0082517fa4bce073e7cf542633439f26538a14cc ] + +Upon reboot, the Acer TravelMate X514-51T laptop appears to complete the +shutdown process, but then it hangs in BIOS POST with a black screen. + +The problem is intermittent - at some points it has appeared related to +Secure Boot settings or different kernel builds, but ultimately we have +not been able to identify the exact conditions that trigger the issue to +come and go. + +Besides, the EFI mode cannot be disabled in the BIOS of this model. + +However, after extensive testing, we observe that using the EFI reboot +method reliably avoids the issue in all cases. + +So add a boot time quirk to use EFI reboot on such systems. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=203119 +Signed-off-by: Jian-Hong Pan +Signed-off-by: Daniel Drake +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux@endlessm.com +Link: http://lkml.kernel.org/r/20190412080152.3718-1-jian-hong@endlessm.com +[ Fix !CONFIG_EFI build failure, clarify the code and the changelog a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/reboot.c | 21 +++++++++++++++++++++ + include/linux/efi.h | 7 ++++++- + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 725624b6c0c05..8fd3cedd9accd 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -81,6 +81,19 @@ static int __init set_bios_reboot(const struct dmi_system_id *d) + return 0; + } + ++/* ++ * Some machines don't handle the default ACPI reboot method and ++ * require the EFI reboot method: ++ */ ++static int __init set_efi_reboot(const struct dmi_system_id *d) ++{ ++ if (reboot_type != BOOT_EFI && !efi_runtime_disabled()) { ++ reboot_type = BOOT_EFI; ++ pr_info("%s series board detected. Selecting EFI-method for reboot.\n", d->ident); ++ } ++ return 0; ++} ++ + void __noreturn machine_real_restart(unsigned int type) + { + local_irq_disable(); +@@ -166,6 +179,14 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "AOA110"), + }, + }, ++ { /* Handle reboot issue on Acer TravelMate X514-51T */ ++ .callback = set_efi_reboot, ++ .ident = "Acer TravelMate X514-51T", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate X514-51T"), ++ }, ++ }, + + /* Apple */ + { /* Handle problems with rebooting on Apple MacBook5 */ +diff --git a/include/linux/efi.h b/include/linux/efi.h +index a86485ac7c878..de05a43025292 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1598,7 +1598,12 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, + struct screen_info *si, efi_guid_t *proto, + unsigned long size); + +-bool efi_runtime_disabled(void); ++#ifdef CONFIG_EFI ++extern bool efi_runtime_disabled(void); ++#else ++static inline bool efi_runtime_disabled(void) { return true; } ++#endif ++ + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + + enum efi_secureboot_mode { +-- +2.20.1 +