From: Sasha Levin Date: Fri, 30 Aug 2019 02:30:29 +0000 (-0400) Subject: fixes for 5.2 X-Git-Tag: v4.4.191~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ebaa8c00ca7639310371ffc8d5c49acc12c7a19;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.2 Signed-off-by: Sasha Levin --- diff --git a/queue-5.2/afs-fix-loop-index-mixup-in-afs_deliver_vl_get_entry.patch b/queue-5.2/afs-fix-loop-index-mixup-in-afs_deliver_vl_get_entry.patch new file mode 100644 index 00000000000..4cd04e0ac61 --- /dev/null +++ b/queue-5.2/afs-fix-loop-index-mixup-in-afs_deliver_vl_get_entry.patch @@ -0,0 +1,68 @@ +From ac4e424732c2aa97b441f67169bf63540f1a70f3 Mon Sep 17 00:00:00 2001 +From: Marc Dionne +Date: Tue, 30 Jul 2019 14:38:51 +0100 +Subject: afs: Fix loop index mixup in afs_deliver_vl_get_entry_by_name_u() + +[ Upstream commit 4a46fdba449a5cd890271df5a9e23927d519ed00 ] + +afs_deliver_vl_get_entry_by_name_u() scans through the vl entry +received from the volume location server and builds a return list +containing the sites that are currently valid. When assigning +values for the return list, the index into the vl entry (i) is used +rather than the one for the new list (entry->nr_server). If all +sites are usable, this works out fine as the indices will match. +If some sites are not valid, for example if AFS_VLSF_DONTUSE is +set, fs_mask and the uuid will be set for the wrong return site. + +Fix this by using entry->nr_server as the index into the arrays +being filled in rather than i. + +This can lead to EDESTADDRREQ errors if none of the returned sites +have a valid fs_mask. + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +Signed-off-by: Sasha Levin +--- + fs/afs/vlclient.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/fs/afs/vlclient.c b/fs/afs/vlclient.c +index d7e0fd3c00df9..cfb0ac4bd039e 100644 +--- a/fs/afs/vlclient.c ++++ b/fs/afs/vlclient.c +@@ -56,23 +56,24 @@ static int afs_deliver_vl_get_entry_by_name_u(struct afs_call *call) + struct afs_uuid__xdr *xdr; + struct afs_uuid *uuid; + int j; ++ int n = entry->nr_servers; + + tmp = ntohl(uvldb->serverFlags[i]); + if (tmp & AFS_VLSF_DONTUSE || + (new_only && !(tmp & AFS_VLSF_NEWREPSITE))) + continue; + if (tmp & AFS_VLSF_RWVOL) { +- entry->fs_mask[i] |= AFS_VOL_VTM_RW; ++ entry->fs_mask[n] |= AFS_VOL_VTM_RW; + if (vlflags & AFS_VLF_BACKEXISTS) +- entry->fs_mask[i] |= AFS_VOL_VTM_BAK; ++ entry->fs_mask[n] |= AFS_VOL_VTM_BAK; + } + if (tmp & AFS_VLSF_ROVOL) +- entry->fs_mask[i] |= AFS_VOL_VTM_RO; +- if (!entry->fs_mask[i]) ++ entry->fs_mask[n] |= AFS_VOL_VTM_RO; ++ if (!entry->fs_mask[n]) + continue; + + xdr = &uvldb->serverNumber[i]; +- uuid = (struct afs_uuid *)&entry->fs_server[i]; ++ uuid = (struct afs_uuid *)&entry->fs_server[n]; + uuid->time_low = xdr->time_low; + uuid->time_mid = htons(ntohl(xdr->time_mid)); + uuid->time_hi_and_version = htons(ntohl(xdr->time_hi_and_version)); +-- +2.20.1 + diff --git a/queue-5.2/afs-fix-missing-dentry-data-version-updating.patch b/queue-5.2/afs-fix-missing-dentry-data-version-updating.patch new file mode 100644 index 00000000000..193d194875a --- /dev/null +++ b/queue-5.2/afs-fix-missing-dentry-data-version-updating.patch @@ -0,0 +1,316 @@ +From 2634c19f3141657470347f6858cdbf93ffbff6cf Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:38:52 +0100 +Subject: afs: Fix missing dentry data version updating + +[ Upstream commit 9dd0b82ef530cdfe805c9f7079c99e104be59a14 ] + +In the in-kernel afs filesystem, the d_fsdata dentry field is used to hold +the data version of the parent directory when it was created or when +d_revalidate() last caused it to be updated. This is compared to the +->invalid_before field in the directory inode, rather than the actual data +version number, thereby allowing changes due to local edits to be ignored. +Only if the server data version gets bumped unexpectedly (eg. by a +competing client), do we need to revalidate stuff. + +However, the d_fsdata field should also be updated if an rpc op is +performed that modifies that particular dentry. Such ops return the +revised data version of the directory(ies) involved, so we should use that. + +This is particularly problematic for rename, since a dentry from one +directory may be moved directly into another directory (ie. mv a/x b/x). +It would then be sporting the wrong data version - and if this is in the +future, for the destination directory, revalidations would be missed, +leading to foreign renames and hard-link deletion being missed. + +Fix this by the following means: + + (1) Return the data version number from operations that read the directory + contents - if they issue the read. This starts in afs_dir_iterate() + and is used, ignored or passed back by its callers. + + (2) In afs_lookup*(), set the dentry version to the version returned by + (1) before d_splice_alias() is called and the dentry published. + + (3) In afs_d_revalidate(), set the dentry version to that returned from + (1) if an rpc call was issued. This means that if a parallel + procedure, such as mkdir(), modifies the directory, we won't + accidentally use the data version from that. + + (4) In afs_{mkdir,create,link,symlink}(), set the new dentry's version to + the directory data version before d_instantiate() is called. + + (5) In afs_{rmdir,unlink}, update the target dentry's version to the + directory data version as soon as we've updated the directory inode. + + (6) In afs_rename(), we need to unhash the old dentry before we start so + that we don't get afs_d_revalidate() reverting the version change in + cross-directory renames. + + We then need to set both the old and the new dentry versions the data + version of the new directory before we call d_move() as d_move() will + rehash them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 70 insertions(+), 14 deletions(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index b87b41721eaa8..9620f19308f58 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -441,7 +441,7 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode, + * iterate through the data blob that lists the contents of an AFS directory + */ + static int afs_dir_iterate(struct inode *dir, struct dir_context *ctx, +- struct key *key) ++ struct key *key, afs_dataversion_t *_dir_version) + { + struct afs_vnode *dvnode = AFS_FS_I(dir); + struct afs_xdr_dir_page *dbuf; +@@ -461,6 +461,7 @@ static int afs_dir_iterate(struct inode *dir, struct dir_context *ctx, + req = afs_read_dir(dvnode, key); + if (IS_ERR(req)) + return PTR_ERR(req); ++ *_dir_version = req->data_version; + + /* round the file position up to the next entry boundary */ + ctx->pos += sizeof(union afs_xdr_dirent) - 1; +@@ -515,7 +516,10 @@ out: + */ + static int afs_readdir(struct file *file, struct dir_context *ctx) + { +- return afs_dir_iterate(file_inode(file), ctx, afs_file_key(file)); ++ afs_dataversion_t dir_version; ++ ++ return afs_dir_iterate(file_inode(file), ctx, afs_file_key(file), ++ &dir_version); + } + + /* +@@ -556,7 +560,8 @@ static int afs_lookup_one_filldir(struct dir_context *ctx, const char *name, + * - just returns the FID the dentry name maps to if found + */ + static int afs_do_lookup_one(struct inode *dir, struct dentry *dentry, +- struct afs_fid *fid, struct key *key) ++ struct afs_fid *fid, struct key *key, ++ afs_dataversion_t *_dir_version) + { + struct afs_super_info *as = dir->i_sb->s_fs_info; + struct afs_lookup_one_cookie cookie = { +@@ -569,7 +574,7 @@ static int afs_do_lookup_one(struct inode *dir, struct dentry *dentry, + _enter("{%lu},%p{%pd},", dir->i_ino, dentry, dentry); + + /* search the directory */ +- ret = afs_dir_iterate(dir, &cookie.ctx, key); ++ ret = afs_dir_iterate(dir, &cookie.ctx, key, _dir_version); + if (ret < 0) { + _leave(" = %d [iter]", ret); + return ret; +@@ -643,6 +648,7 @@ static struct inode *afs_do_lookup(struct inode *dir, struct dentry *dentry, + struct afs_server *server; + struct afs_vnode *dvnode = AFS_FS_I(dir), *vnode; + struct inode *inode = NULL, *ti; ++ afs_dataversion_t data_version = READ_ONCE(dvnode->status.data_version); + int ret, i; + + _enter("{%lu},%p{%pd},", dir->i_ino, dentry, dentry); +@@ -670,12 +676,14 @@ static struct inode *afs_do_lookup(struct inode *dir, struct dentry *dentry, + cookie->fids[i].vid = as->volume->vid; + + /* search the directory */ +- ret = afs_dir_iterate(dir, &cookie->ctx, key); ++ ret = afs_dir_iterate(dir, &cookie->ctx, key, &data_version); + if (ret < 0) { + inode = ERR_PTR(ret); + goto out; + } + ++ dentry->d_fsdata = (void *)(unsigned long)data_version; ++ + inode = ERR_PTR(-ENOENT); + if (!cookie->found) + goto out; +@@ -969,7 +977,8 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + struct dentry *parent; + struct inode *inode; + struct key *key; +- long dir_version, de_version; ++ afs_dataversion_t dir_version; ++ long de_version; + int ret; + + if (flags & LOOKUP_RCU) +@@ -1015,20 +1024,20 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + * on a 32-bit system, we only have 32 bits in the dentry to store the + * version. + */ +- dir_version = (long)dir->status.data_version; ++ dir_version = dir->status.data_version; + de_version = (long)dentry->d_fsdata; +- if (de_version == dir_version) ++ if (de_version == (long)dir_version) + goto out_valid_noupdate; + +- dir_version = (long)dir->invalid_before; +- if (de_version - dir_version >= 0) ++ dir_version = dir->invalid_before; ++ if (de_version - (long)dir_version >= 0) + goto out_valid; + + _debug("dir modified"); + afs_stat_v(dir, n_reval); + + /* search the directory for this vnode */ +- ret = afs_do_lookup_one(&dir->vfs_inode, dentry, &fid, key); ++ ret = afs_do_lookup_one(&dir->vfs_inode, dentry, &fid, key, &dir_version); + switch (ret) { + case 0: + /* the filename maps to something */ +@@ -1081,7 +1090,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + } + + out_valid: +- dentry->d_fsdata = (void *)dir_version; ++ dentry->d_fsdata = (void *)(unsigned long)dir_version; + out_valid_noupdate: + dput(parent); + key_put(key); +@@ -1187,6 +1196,20 @@ static void afs_prep_for_new_inode(struct afs_fs_cursor *fc, + iget_data->cb_s_break = fc->cbi->server->cb_s_break; + } + ++/* ++ * Note that a dentry got changed. We need to set d_fsdata to the data version ++ * number derived from the result of the operation. It doesn't matter if ++ * d_fsdata goes backwards as we'll just revalidate. ++ */ ++static void afs_update_dentry_version(struct afs_fs_cursor *fc, ++ struct dentry *dentry, ++ struct afs_status_cb *scb) ++{ ++ if (fc->ac.error == 0) ++ dentry->d_fsdata = ++ (void *)(unsigned long)scb->status.data_version; ++} ++ + /* + * create a directory on an AFS filesystem + */ +@@ -1229,6 +1252,7 @@ static int afs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + afs_check_for_remote_deletion(&fc, dvnode); + afs_vnode_commit_status(&fc, dvnode, fc.cb_break, + &data_version, &scb[0]); ++ afs_update_dentry_version(&fc, dentry, &scb[0]); + afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]); + ret = afs_end_vnode_operation(&fc); + if (ret < 0) +@@ -1321,6 +1345,7 @@ static int afs_rmdir(struct inode *dir, struct dentry *dentry) + + afs_vnode_commit_status(&fc, dvnode, fc.cb_break, + &data_version, scb); ++ afs_update_dentry_version(&fc, dentry, scb); + ret = afs_end_vnode_operation(&fc); + if (ret == 0) { + afs_dir_remove_subdir(dentry); +@@ -1462,6 +1487,7 @@ static int afs_unlink(struct inode *dir, struct dentry *dentry) + &data_version, &scb[0]); + afs_vnode_commit_status(&fc, vnode, fc.cb_break_2, + &data_version_2, &scb[1]); ++ afs_update_dentry_version(&fc, dentry, &scb[0]); + ret = afs_end_vnode_operation(&fc); + if (ret == 0 && !(scb[1].have_status || scb[1].have_error)) + ret = afs_dir_remove_link(dvnode, dentry, key); +@@ -1530,6 +1556,7 @@ static int afs_create(struct inode *dir, struct dentry *dentry, umode_t mode, + afs_check_for_remote_deletion(&fc, dvnode); + afs_vnode_commit_status(&fc, dvnode, fc.cb_break, + &data_version, &scb[0]); ++ afs_update_dentry_version(&fc, dentry, &scb[0]); + afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]); + ret = afs_end_vnode_operation(&fc); + if (ret < 0) +@@ -1611,6 +1638,7 @@ static int afs_link(struct dentry *from, struct inode *dir, + afs_vnode_commit_status(&fc, vnode, fc.cb_break_2, + NULL, &scb[1]); + ihold(&vnode->vfs_inode); ++ afs_update_dentry_version(&fc, dentry, &scb[0]); + d_instantiate(dentry, &vnode->vfs_inode); + + mutex_unlock(&vnode->io_lock); +@@ -1690,6 +1718,7 @@ static int afs_symlink(struct inode *dir, struct dentry *dentry, + afs_check_for_remote_deletion(&fc, dvnode); + afs_vnode_commit_status(&fc, dvnode, fc.cb_break, + &data_version, &scb[0]); ++ afs_update_dentry_version(&fc, dentry, &scb[0]); + afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]); + ret = afs_end_vnode_operation(&fc); + if (ret < 0) +@@ -1795,6 +1824,17 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry, + } + } + ++ /* This bit is potentially nasty as there's a potential race with ++ * afs_d_revalidate{,_rcu}(). We have to change d_fsdata on the dentry ++ * to reflect it's new parent's new data_version after the op, but ++ * d_revalidate may see old_dentry between the op having taken place ++ * and the version being updated. ++ * ++ * So drop the old_dentry for now to make other threads go through ++ * lookup instead - which we hold a lock against. ++ */ ++ d_drop(old_dentry); ++ + ret = -ERESTARTSYS; + if (afs_begin_vnode_operation(&fc, orig_dvnode, key, true)) { + afs_dataversion_t orig_data_version; +@@ -1806,7 +1846,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry, + if (orig_dvnode != new_dvnode) { + if (mutex_lock_interruptible_nested(&new_dvnode->io_lock, 1) < 0) { + afs_end_vnode_operation(&fc); +- goto error_rehash; ++ goto error_rehash_old; + } + new_data_version = new_dvnode->status.data_version + 1; + } else { +@@ -1831,7 +1871,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry, + } + ret = afs_end_vnode_operation(&fc); + if (ret < 0) +- goto error_rehash; ++ goto error_rehash_old; + } + + if (ret == 0) { +@@ -1857,10 +1897,26 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry, + drop_nlink(new_inode); + spin_unlock(&new_inode->i_lock); + } ++ ++ /* Now we can update d_fsdata on the dentries to reflect their ++ * new parent's data_version. ++ * ++ * Note that if we ever implement RENAME_EXCHANGE, we'll have ++ * to update both dentries with opposing dir versions. ++ */ ++ if (new_dvnode != orig_dvnode) { ++ afs_update_dentry_version(&fc, old_dentry, &scb[1]); ++ afs_update_dentry_version(&fc, new_dentry, &scb[1]); ++ } else { ++ afs_update_dentry_version(&fc, old_dentry, &scb[0]); ++ afs_update_dentry_version(&fc, new_dentry, &scb[0]); ++ } + d_move(old_dentry, new_dentry); + goto error_tmp; + } + ++error_rehash_old: ++ d_rehash(new_dentry); + error_rehash: + if (rehash) + d_rehash(rehash); +-- +2.20.1 + diff --git a/queue-5.2/afs-fix-off-by-one-in-afs_rename-expected-data-versi.patch b/queue-5.2/afs-fix-off-by-one-in-afs_rename-expected-data-versi.patch new file mode 100644 index 00000000000..6c352b8c4f4 --- /dev/null +++ b/queue-5.2/afs-fix-off-by-one-in-afs_rename-expected-data-versi.patch @@ -0,0 +1,35 @@ +From a23f1a676169b400c826b56450f0e03582badf9c Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:38:51 +0100 +Subject: afs: Fix off-by-one in afs_rename() expected data version calculation + +[ Upstream commit 37c0bbb3326674940e657118306ac52364314523 ] + +When afs_rename() calculates the expected data version of the target +directory in a cross-directory rename, it doesn't increment it as it +should, so it always thinks that the target inode is unexpectedly modified +on the server. + +Fixes: a58823ac4589 ("afs: Fix application of status and callback to be under same lock") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index da9563d62b327..9750ac70f8ffb 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -1807,7 +1807,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry, + afs_end_vnode_operation(&fc); + goto error_rehash; + } +- new_data_version = new_dvnode->status.data_version; ++ new_data_version = new_dvnode->status.data_version + 1; + } else { + new_data_version = orig_data_version; + new_scb = &scb[0]; +-- +2.20.1 + diff --git a/queue-5.2/afs-fix-the-cb.probeuuid-service-handler-to-reply-co.patch b/queue-5.2/afs-fix-the-cb.probeuuid-service-handler-to-reply-co.patch new file mode 100644 index 00000000000..a5a2a643f34 --- /dev/null +++ b/queue-5.2/afs-fix-the-cb.probeuuid-service-handler-to-reply-co.patch @@ -0,0 +1,60 @@ +From 709382a072aab8aefe511606606ab9aeb580354b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:38:51 +0100 +Subject: afs: Fix the CB.ProbeUuid service handler to reply correctly + +[ Upstream commit 2067b2b3f4846402a040286135f98f46f8919939 ] + +Fix the service handler function for the CB.ProbeUuid RPC call so that it +replies in the correct manner - that is an empty reply for success and an +abort of 1 for failure. + +Putting 0 or 1 in an integer in the body of the reply should result in the +fileserver throwing an RX_PROTOCOL_ERROR abort and discarding its record of +the client; older servers, however, don't necessarily check that all the +data got consumed, and so might incorrectly think that they got a positive +response and associate the client with the wrong host record. + +If the client is incorrectly associated, this will result in callbacks +intended for a different client being delivered to this one and then, when +the other client connects and responds positively, all of the callback +promises meant for the client that issued the improper response will be +lost and it won't receive any further change notifications. + +Fixes: 9396d496d745 ("afs: support the CB.ProbeUuid RPC op") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +Signed-off-by: Sasha Levin +--- + fs/afs/cmservice.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c +index 3451be03667f0..00033a481ba05 100644 +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -502,18 +502,14 @@ static void SRXAFSCB_ProbeUuid(struct work_struct *work) + struct afs_call *call = container_of(work, struct afs_call, work); + struct afs_uuid *r = call->request; + +- struct { +- __be32 match; +- } reply; +- + _enter(""); + + if (memcmp(r, &call->net->uuid, sizeof(call->net->uuid)) == 0) +- reply.match = htonl(0); ++ afs_send_empty_reply(call); + else +- reply.match = htonl(1); ++ rxrpc_kernel_abort_call(call->net->socket, call->rxcall, ++ 1, 1, "K-1"); + +- afs_send_simple_reply(call, &reply, sizeof(reply)); + afs_put_call(call); + _leave(""); + } +-- +2.20.1 + diff --git a/queue-5.2/afs-only-update-d_fsdata-if-different-in-afs_d_reval.patch b/queue-5.2/afs-only-update-d_fsdata-if-different-in-afs_d_reval.patch new file mode 100644 index 00000000000..299b48e6db6 --- /dev/null +++ b/queue-5.2/afs-only-update-d_fsdata-if-different-in-afs_d_reval.patch @@ -0,0 +1,46 @@ +From d1638ee8791d004f41e336977c9a8661a5ad3da3 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:38:51 +0100 +Subject: afs: Only update d_fsdata if different in afs_d_revalidate() + +[ Upstream commit 5dc84855b0fc7e1db182b55c5564fd539d6eff92 ] + +In the in-kernel afs filesystem, d_fsdata is set with the data version of +the parent directory. afs_d_revalidate() will update this to the current +directory version, but it shouldn't do this if it the value it read from +d_fsdata is the same as no lock is held and cmpxchg() is not used. + +Fix the code to only change the value if it is different from the current +directory version. + +Fixes: 260a980317da ("[AFS]: Add "directory write" support.") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index 9750ac70f8ffb..b87b41721eaa8 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -1018,7 +1018,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + dir_version = (long)dir->status.data_version; + de_version = (long)dentry->d_fsdata; + if (de_version == dir_version) +- goto out_valid; ++ goto out_valid_noupdate; + + dir_version = (long)dir->invalid_before; + if (de_version - dir_version >= 0) +@@ -1082,6 +1082,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + + out_valid: + dentry->d_fsdata = (void *)dir_version; ++out_valid_noupdate: + dput(parent); + key_put(key); + _leave(" = 1 [valid]"); +-- +2.20.1 + diff --git a/queue-5.2/arm64-cpufeature-don-t-treat-granule-sizes-as-strict.patch b/queue-5.2/arm64-cpufeature-don-t-treat-granule-sizes-as-strict.patch new file mode 100644 index 00000000000..9c585bf9ac2 --- /dev/null +++ b/queue-5.2/arm64-cpufeature-don-t-treat-granule-sizes-as-strict.patch @@ -0,0 +1,66 @@ +From b19f546cd1320bbc124a5cc037dde0d16bb8a3a3 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 12 Aug 2019 16:02:25 +0100 +Subject: arm64: cpufeature: Don't treat granule sizes as strict + +[ Upstream commit 5717fe5ab38f9ccb32718bcb03bea68409c9cce4 ] + +If a CPU doesn't support the page size for which the kernel is +configured, then we will complain and refuse to bring it online. For +secondary CPUs (and the boot CPU on a system booting with EFI), we will +also print an error identifying the mismatch. + +Consequently, the only time that the cpufeature code can detect a +granule size mismatch is for a granule other than the one that is +currently being used. Although we would rather such systems didn't +exist, we've unfortunately lost that battle and Kevin reports that +on his amlogic S922X (odroid-n2 board) we end up warning and taining +with defconfig because 16k pages are not supported by all of the CPUs. + +In such a situation, we don't actually care about the feature mismatch, +particularly now that KVM only exposes the sanitised view of the CPU +registers (commit 93390c0a1b20 - "arm64: KVM: Hide unsupported AArch64 +CPU features from guests"). Treat the granule fields as non-strict and +let Kevin run without a tainted kernel. + +Cc: Marc Zyngier +Reported-by: Kevin Hilman +Tested-by: Kevin Hilman +Acked-by: Mark Rutland +Acked-by: Suzuki K Poulose +Signed-off-by: Will Deacon +[catalin.marinas@arm.com: changelog updated with KVM sanitised regs commit] +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cpufeature.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index ae63eedea1c12..68faf535f40a3 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -184,9 +184,17 @@ static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = { + }; + + static const struct arm64_ftr_bits ftr_id_aa64mmfr0[] = { +- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN4_SHIFT, 4, ID_AA64MMFR0_TGRAN4_NI), +- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN64_SHIFT, 4, ID_AA64MMFR0_TGRAN64_NI), +- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN16_SHIFT, 4, ID_AA64MMFR0_TGRAN16_NI), ++ /* ++ * We already refuse to boot CPUs that don't support our configured ++ * page size, so we can only detect mismatches for a page size other ++ * than the one we're currently using. Unfortunately, SoCs like this ++ * exist in the wild so, even though we don't like it, we'll have to go ++ * along with it and treat them as non-strict. ++ */ ++ S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN4_SHIFT, 4, ID_AA64MMFR0_TGRAN4_NI), ++ S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN64_SHIFT, 4, ID_AA64MMFR0_TGRAN64_NI), ++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN16_SHIFT, 4, ID_AA64MMFR0_TGRAN16_NI), ++ + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_BIGENDEL0_SHIFT, 4, 0), + /* Linux shouldn't care about secure memory */ + ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_SNSMEM_SHIFT, 4, 0), +-- +2.20.1 + diff --git a/queue-5.2/auxdisplay-panel-need-to-delete-scan_timer-when-misc.patch b/queue-5.2/auxdisplay-panel-need-to-delete-scan_timer-when-misc.patch new file mode 100644 index 00000000000..df2c8a13852 --- /dev/null +++ b/queue-5.2/auxdisplay-panel-need-to-delete-scan_timer-when-misc.patch @@ -0,0 +1,35 @@ +From 83ef8e36870de5f4a983392315a4c6f851cc9542 Mon Sep 17 00:00:00 2001 +From: zhengbin +Date: Mon, 8 Jul 2019 20:42:18 +0800 +Subject: auxdisplay: panel: need to delete scan_timer when misc_register fails + in panel_attach + +[ Upstream commit b33d567560c1aadf3033290d74d4fd67af47aa61 ] + +In panel_attach, if misc_register fails, we need to delete scan_timer, +which was setup in keypad_init->init_scan_timer. + +Reported-by: Hulk Robot +Signed-off-by: zhengbin +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/panel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/auxdisplay/panel.c b/drivers/auxdisplay/panel.c +index e06de63497cf8..e6bd727da503a 100644 +--- a/drivers/auxdisplay/panel.c ++++ b/drivers/auxdisplay/panel.c +@@ -1617,6 +1617,8 @@ static void panel_attach(struct parport *port) + return; + + err_lcd_unreg: ++ if (scan_timer.function) ++ del_timer_sync(&scan_timer); + if (lcd.enabled) + charlcd_unregister(lcd.charlcd); + err_unreg_device: +-- +2.20.1 + diff --git a/queue-5.2/btrfs-trim-check-the-range-passed-into-to-prevent-ov.patch b/queue-5.2/btrfs-trim-check-the-range-passed-into-to-prevent-ov.patch new file mode 100644 index 00000000000..7583cd646cf --- /dev/null +++ b/queue-5.2/btrfs-trim-check-the-range-passed-into-to-prevent-ov.patch @@ -0,0 +1,63 @@ +From 5a0acb5097a8c72bf26c533bbc7058a2523962cc Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 28 May 2019 16:21:54 +0800 +Subject: btrfs: trim: Check the range passed into to prevent overflow + +[ Upstream commit 07301df7d2fc220d3de5f7ad804dcb941400cb00 ] + +Normally the range->len is set to default value (U64_MAX), but when it's +not default value, we should check if the range overflows. + +And if it overflows, return -EINVAL before doing anything. + +Reviewed-by: Nikolay Borisov +Reviewed-by: Anand Jain +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 5faf057f6f37f..b8f4720879021 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -11226,6 +11226,7 @@ int btrfs_trim_fs(struct btrfs_fs_info *fs_info, struct fstrim_range *range) + struct btrfs_device *device; + struct list_head *devices; + u64 group_trimmed; ++ u64 range_end = U64_MAX; + u64 start; + u64 end; + u64 trimmed = 0; +@@ -11235,16 +11236,23 @@ int btrfs_trim_fs(struct btrfs_fs_info *fs_info, struct fstrim_range *range) + int dev_ret = 0; + int ret = 0; + ++ /* ++ * Check range overflow if range->len is set. ++ * The default range->len is U64_MAX. ++ */ ++ if (range->len != U64_MAX && ++ check_add_overflow(range->start, range->len, &range_end)) ++ return -EINVAL; ++ + cache = btrfs_lookup_first_block_group(fs_info, range->start); + for (; cache; cache = next_block_group(cache)) { +- if (cache->key.objectid >= (range->start + range->len)) { ++ if (cache->key.objectid >= range_end) { + btrfs_put_block_group(cache); + break; + } + + start = max(range->start, cache->key.objectid); +- end = min(range->start + range->len, +- cache->key.objectid + cache->key.offset); ++ end = min(range_end, cache->key.objectid + cache->key.offset); + + if (end - start >= range->minlen) { + if (!block_group_cache_done(cache)) { +-- +2.20.1 + diff --git a/queue-5.2/dma-direct-don-t-truncate-dma_required_mask-to-bus-a.patch b/queue-5.2/dma-direct-don-t-truncate-dma_required_mask-to-bus-a.patch new file mode 100644 index 00000000000..f582e16b178 --- /dev/null +++ b/queue-5.2/dma-direct-don-t-truncate-dma_required_mask-to-bus-a.patch @@ -0,0 +1,39 @@ +From c40dcc2229debb94f1348f8ae261f98c9994af96 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Mon, 5 Aug 2019 17:51:53 +0200 +Subject: dma-direct: don't truncate dma_required_mask to bus addressing + capabilities + +[ Upstream commit d8ad55538abe443919e20e0bb996561bca9cad84 ] + +The dma required_mask needs to reflect the actual addressing capabilities +needed to handle the whole system RAM. When truncated down to the bus +addressing capabilities dma_addressing_limited() will incorrectly signal +no limitations for devices which are restricted by the bus_dma_mask. + +Fixes: b4ebe6063204 (dma-direct: implement complete bus_dma_mask handling) +Signed-off-by: Lucas Stach +Tested-by: Atish Patra +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/direct.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c +index 2c2772e9702ab..9912be7a970de 100644 +--- a/kernel/dma/direct.c ++++ b/kernel/dma/direct.c +@@ -55,9 +55,6 @@ u64 dma_direct_get_required_mask(struct device *dev) + { + u64 max_dma = phys_to_dma_direct(dev, (max_pfn - 1) << PAGE_SHIFT); + +- if (dev->bus_dma_mask && dev->bus_dma_mask < max_dma) +- max_dma = dev->bus_dma_mask; +- + return (1ULL << (fls64(max_dma) - 1)) * 2 - 1; + } + +-- +2.20.1 + diff --git a/queue-5.2/dmaengine-ste_dma40-fix-unneeded-variable-warning.patch b/queue-5.2/dmaengine-ste_dma40-fix-unneeded-variable-warning.patch new file mode 100644 index 00000000000..d3f8efdaf61 --- /dev/null +++ b/queue-5.2/dmaengine-ste_dma40-fix-unneeded-variable-warning.patch @@ -0,0 +1,54 @@ +From 8ffbf568daeecddba333a814e6f2879e749b1736 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:13:30 +0200 +Subject: dmaengine: ste_dma40: fix unneeded variable warning + +[ Upstream commit 5d6fb560729a5d5554e23db8d00eb57cd0021083 ] + +clang-9 points out that there are two variables that depending on the +configuration may only be used in an ARRAY_SIZE() expression but not +referenced: + +drivers/dma/ste_dma40.c:145:12: error: variable 'd40_backup_regs' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] +static u32 d40_backup_regs[] = { + ^ +drivers/dma/ste_dma40.c:214:12: error: variable 'd40_backup_regs_chan' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] +static u32 d40_backup_regs_chan[] = { + +Mark these __maybe_unused to shut up the warning. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20190712091357.744515-1-arnd@arndb.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ste_dma40.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index 89d710899010d..de8bfd9a76e9e 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -142,7 +142,7 @@ enum d40_events { + * when the DMA hw is powered off. + * TODO: Add save/restore of D40_DREG_GCC on dma40 v3 or later, if that works. + */ +-static u32 d40_backup_regs[] = { ++static __maybe_unused u32 d40_backup_regs[] = { + D40_DREG_LCPA, + D40_DREG_LCLA, + D40_DREG_PRMSE, +@@ -211,7 +211,7 @@ static u32 d40_backup_regs_v4b[] = { + + #define BACKUP_REGS_SZ_V4B ARRAY_SIZE(d40_backup_regs_v4b) + +-static u32 d40_backup_regs_chan[] = { ++static __maybe_unused u32 d40_backup_regs_chan[] = { + D40_CHAN_REG_SSCFG, + D40_CHAN_REG_SSELT, + D40_CHAN_REG_SSPTR, +-- +2.20.1 + diff --git a/queue-5.2/dmaengine-stm32-mdma-fix-a-possible-null-pointer-der.patch b/queue-5.2/dmaengine-stm32-mdma-fix-a-possible-null-pointer-der.patch new file mode 100644 index 00000000000..c1b322222ba --- /dev/null +++ b/queue-5.2/dmaengine-stm32-mdma-fix-a-possible-null-pointer-der.patch @@ -0,0 +1,41 @@ +From d7024cfc18bd15978b8f7529d735061f9b1d7464 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 29 Jul 2019 10:08:49 +0800 +Subject: dmaengine: stm32-mdma: Fix a possible null-pointer dereference in + stm32_mdma_irq_handler() + +[ Upstream commit 39c71a5b8212f4b502d9a630c6706ac723abd422 ] + +In stm32_mdma_irq_handler(), chan is checked on line 1368. +When chan is NULL, it is still used on line 1369: + dev_err(chan2dev(chan), "MDMA channel not initialized\n"); + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, "dev_dbg(mdma2dev(dmadev), ...)" is used instead. + +Signed-off-by: Jia-Ju Bai +Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver") +Link: https://lore.kernel.org/r/20190729020849.17971-1-baijiaju1990@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32-mdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c +index d6e919d3936a2..1311de74bfdde 100644 +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -1366,7 +1366,7 @@ static irqreturn_t stm32_mdma_irq_handler(int irq, void *devid) + + chan = &dmadev->chan[id]; + if (!chan) { +- dev_err(chan2dev(chan), "MDMA channel not initialized\n"); ++ dev_dbg(mdma2dev(dmadev), "MDMA channel not initialized\n"); + goto exit; + } + +-- +2.20.1 + diff --git a/queue-5.2/drm-ast-fixed-reboot-test-may-cause-system-hanged.patch b/queue-5.2/drm-ast-fixed-reboot-test-may-cause-system-hanged.patch new file mode 100644 index 00000000000..45050801b4e --- /dev/null +++ b/queue-5.2/drm-ast-fixed-reboot-test-may-cause-system-hanged.patch @@ -0,0 +1,74 @@ +From 760685c852e1f729d3c74f7eb255b8f0b8c8c9c2 Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Wed, 11 Apr 2018 09:27:39 +0800 +Subject: drm/ast: Fixed reboot test may cause system hanged + +[ Upstream commit 05b439711f6ff8700e8660f97a1179650778b9cb ] + +There is another thread still access standard VGA I/O while loading drm driver. +Disable standard VGA I/O decode to avoid this issue. + +Signed-off-by: Y.C. Chen +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/1523410059-18415-1-git-send-email-yc_chen@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_main.c | 5 ++++- + drivers/gpu/drm/ast/ast_mode.c | 2 +- + drivers/gpu/drm/ast/ast_post.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index 2854399856ba0..4aebe21e6ad9f 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -131,8 +131,8 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post) + + + /* Enable extended register access */ +- ast_enable_mmio(dev); + ast_open_key(ast); ++ ast_enable_mmio(dev); + + /* Find out whether P2A works or whether to use device-tree */ + ast_detect_config_mode(dev, &scu_rev); +@@ -576,6 +576,9 @@ void ast_driver_unload(struct drm_device *dev) + { + struct ast_private *ast = dev->dev_private; + ++ /* enable standard VGA decode */ ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x04); ++ + ast_release_firmware(dev); + kfree(ast->dp501_fw_addr); + ast_mode_fini(dev); +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 97fed0627d1c8..74da15a3341a8 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -601,7 +601,7 @@ static int ast_crtc_mode_set(struct drm_crtc *crtc, + return -EINVAL; + ast_open_key(ast); + +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa1, 0xff, 0x04); ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x06); + + ast_set_std_reg(crtc, adjusted_mode, &vbios_mode); + ast_set_crtc_reg(crtc, adjusted_mode, &vbios_mode); +diff --git a/drivers/gpu/drm/ast/ast_post.c b/drivers/gpu/drm/ast/ast_post.c +index f7d421359d564..c1d1ac51d1c20 100644 +--- a/drivers/gpu/drm/ast/ast_post.c ++++ b/drivers/gpu/drm/ast/ast_post.c +@@ -46,7 +46,7 @@ void ast_enable_mmio(struct drm_device *dev) + { + struct ast_private *ast = dev->dev_private; + +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa1, 0xff, 0x04); ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x06); + } + + +-- +2.20.1 + diff --git a/queue-5.2/drm-bridge-tfp410-fix-memleak-in-get_modes.patch b/queue-5.2/drm-bridge-tfp410-fix-memleak-in-get_modes.patch new file mode 100644 index 00000000000..d61bba684e4 --- /dev/null +++ b/queue-5.2/drm-bridge-tfp410-fix-memleak-in-get_modes.patch @@ -0,0 +1,40 @@ +From 967745eb5a0df59d16f9360730f4c17f0c01dd47 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Mon, 10 Jun 2019 16:57:38 +0300 +Subject: drm/bridge: tfp410: fix memleak in get_modes() + +[ Upstream commit c08f99c39083ab55a9c93b3e93cef48711294dad ] + +We don't free the edid blob allocated by the call to drm_get_edid(), +causing a memleak. Fix this by calling kfree(edid) at the end of the +get_modes(). + +Signed-off-by: Tomi Valkeinen +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20190610135739.6077-1-tomi.valkeinen@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-tfp410.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ti-tfp410.c b/drivers/gpu/drm/bridge/ti-tfp410.c +index 3a8af9978ebdf..791f164bdadc8 100644 +--- a/drivers/gpu/drm/bridge/ti-tfp410.c ++++ b/drivers/gpu/drm/bridge/ti-tfp410.c +@@ -66,7 +66,12 @@ static int tfp410_get_modes(struct drm_connector *connector) + + drm_connector_update_edid_property(connector, edid); + +- return drm_add_edid_modes(connector, edid); ++ ret = drm_add_edid_modes(connector, edid); ++ ++ kfree(edid); ++ ++ return ret; ++ + fallback: + /* No EDID, fallback on the XGA standard modes */ + ret = drm_add_modes_noedid(connector, 1920, 1200); +-- +2.20.1 + diff --git a/queue-5.2/drm-scheduler-use-job-count-instead-of-peek.patch b/queue-5.2/drm-scheduler-use-job-count-instead-of-peek.patch new file mode 100644 index 00000000000..5ce6d478e5a --- /dev/null +++ b/queue-5.2/drm-scheduler-use-job-count-instead-of-peek.patch @@ -0,0 +1,49 @@ +From a0e2c392b6bea1846c2a267a4f9b927b2e6bd423 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Fri, 9 Aug 2019 17:27:21 +0200 +Subject: drm/scheduler: use job count instead of peek +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e1b4ce25dbc93ab0cb8ed0f236a3b9ff7b03802c ] + +The spsc_queue_peek function is accessing queue->head which belongs to +the consumer thread and shouldn't be accessed by the producer + +This is fixing a rare race condition when destroying entities. + +Signed-off-by: Christian König +Acked-by: Andrey Grodzovsky +Reviewed-by: Monk.liu@amd.com +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/scheduler/sched_entity.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c +index 35ddbec1375ae..671c90f34ede6 100644 +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -95,7 +95,7 @@ static bool drm_sched_entity_is_idle(struct drm_sched_entity *entity) + rmb(); /* for list_empty to work without lock */ + + if (list_empty(&entity->list) || +- spsc_queue_peek(&entity->job_queue) == NULL) ++ spsc_queue_count(&entity->job_queue) == 0) + return true; + + return false; +@@ -281,7 +281,7 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity) + /* Consumption of existing IBs wasn't completed. Forcefully + * remove them here. + */ +- if (spsc_queue_peek(&entity->job_queue)) { ++ if (spsc_queue_count(&entity->job_queue)) { + if (sched) { + /* Park the kernel for a moment to make sure it isn't processing + * our enity. +-- +2.20.1 + diff --git a/queue-5.2/fs-afs-fix-a-possible-null-pointer-dereference-in-af.patch b/queue-5.2/fs-afs-fix-a-possible-null-pointer-dereference-in-af.patch new file mode 100644 index 00000000000..3e1fb92cf04 --- /dev/null +++ b/queue-5.2/fs-afs-fix-a-possible-null-pointer-dereference-in-af.patch @@ -0,0 +1,55 @@ +From 79a60dcc4d94cb645bec9ff38875b33ad38d0571 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Tue, 30 Jul 2019 14:38:51 +0100 +Subject: fs: afs: Fix a possible null-pointer dereference in afs_put_read() + +[ Upstream commit a6eed4ab5dd4bfb696c1a3f49742b8d1846a66a0 ] + +In afs_read_dir(), there is an if statement on line 255 to check whether +req->pages is NULL: + if (!req->pages) + goto error; + +If req->pages is NULL, afs_put_read() on line 337 is executed. +In afs_put_read(), req->pages[i] is used on line 195. +Thus, a possible null-pointer dereference may occur in this case. + +To fix this possible bug, an if statement is added in afs_put_read() to +check req->pages. + +This bug is found by a static analysis tool STCheck written by us. + +Fixes: f3ddee8dc4e2 ("afs: Fix directory handling") +Signed-off-by: Jia-Ju Bai +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/file.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/afs/file.c b/fs/afs/file.c +index 8fd7d3b9a1b1f..87beabc7114ee 100644 +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -191,11 +191,13 @@ void afs_put_read(struct afs_read *req) + int i; + + if (refcount_dec_and_test(&req->usage)) { +- for (i = 0; i < req->nr_pages; i++) +- if (req->pages[i]) +- put_page(req->pages[i]); +- if (req->pages != req->array) +- kfree(req->pages); ++ if (req->pages) { ++ for (i = 0; i < req->nr_pages; i++) ++ if (req->pages[i]) ++ put_page(req->pages[i]); ++ if (req->pages != req->array) ++ kfree(req->pages); ++ } + kfree(req); + } + } +-- +2.20.1 + diff --git a/queue-5.2/habanalabs-fix-completion-queue-handling-when-host-i.patch b/queue-5.2/habanalabs-fix-completion-queue-handling-when-host-i.patch new file mode 100644 index 00000000000..fabf396c522 --- /dev/null +++ b/queue-5.2/habanalabs-fix-completion-queue-handling-when-host-i.patch @@ -0,0 +1,95 @@ +From db8d8d1f134db6d721f8fa7e5b7841cdeb328d04 Mon Sep 17 00:00:00 2001 +From: Ben Segal +Date: Thu, 1 Aug 2019 23:22:20 +0000 +Subject: habanalabs: fix completion queue handling when host is BE + +[ Upstream commit 4e87334a0ef43663019dbaf3638ad10fd8c3320c ] + +This patch fix the CQ irq handler to work in hosts with BE architecture. +It adds the correct endian-swapping macros around the relevant memory +accesses. + +Signed-off-by: Ben Segal +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/irq.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/misc/habanalabs/irq.c b/drivers/misc/habanalabs/irq.c +index ea9f72ff456cf..199791b57caf2 100644 +--- a/drivers/misc/habanalabs/irq.c ++++ b/drivers/misc/habanalabs/irq.c +@@ -80,8 +80,7 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg) + struct hl_cs_job *job; + bool shadow_index_valid; + u16 shadow_index; +- u32 *cq_entry; +- u32 *cq_base; ++ struct hl_cq_entry *cq_entry, *cq_base; + + if (hdev->disabled) { + dev_dbg(hdev->dev, +@@ -90,29 +89,29 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg) + return IRQ_HANDLED; + } + +- cq_base = (u32 *) (uintptr_t) cq->kernel_address; ++ cq_base = (struct hl_cq_entry *) (uintptr_t) cq->kernel_address; + + while (1) { +- bool entry_ready = ((cq_base[cq->ci] & CQ_ENTRY_READY_MASK) ++ bool entry_ready = ((le32_to_cpu(cq_base[cq->ci].data) & ++ CQ_ENTRY_READY_MASK) + >> CQ_ENTRY_READY_SHIFT); + + if (!entry_ready) + break; + +- cq_entry = (u32 *) &cq_base[cq->ci]; ++ cq_entry = (struct hl_cq_entry *) &cq_base[cq->ci]; + +- /* +- * Make sure we read CQ entry contents after we've ++ /* Make sure we read CQ entry contents after we've + * checked the ownership bit. + */ + dma_rmb(); + +- shadow_index_valid = +- ((*cq_entry & CQ_ENTRY_SHADOW_INDEX_VALID_MASK) ++ shadow_index_valid = ((le32_to_cpu(cq_entry->data) & ++ CQ_ENTRY_SHADOW_INDEX_VALID_MASK) + >> CQ_ENTRY_SHADOW_INDEX_VALID_SHIFT); + +- shadow_index = (u16) +- ((*cq_entry & CQ_ENTRY_SHADOW_INDEX_MASK) ++ shadow_index = (u16) ((le32_to_cpu(cq_entry->data) & ++ CQ_ENTRY_SHADOW_INDEX_MASK) + >> CQ_ENTRY_SHADOW_INDEX_SHIFT); + + queue = &hdev->kernel_queues[cq->hw_queue_id]; +@@ -122,8 +121,7 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg) + queue_work(hdev->cq_wq, &job->finish_work); + } + +- /* +- * Update ci of the context's queue. There is no ++ /* Update ci of the context's queue. There is no + * need to protect it with spinlock because this update is + * done only inside IRQ and there is a different IRQ per + * queue +@@ -131,7 +129,8 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg) + queue->ci = hl_queue_inc_ptr(queue->ci); + + /* Clear CQ entry ready bit */ +- cq_base[cq->ci] &= ~CQ_ENTRY_READY_MASK; ++ cq_entry->data = cpu_to_le32(le32_to_cpu(cq_entry->data) & ++ ~CQ_ENTRY_READY_MASK); + + cq->ci = hl_cq_inc_ptr(cq->ci); + +-- +2.20.1 + diff --git a/queue-5.2/habanalabs-fix-device-irq-unmasking-for-be-host.patch b/queue-5.2/habanalabs-fix-device-irq-unmasking-for-be-host.patch new file mode 100644 index 00000000000..9a4e3fee26e --- /dev/null +++ b/queue-5.2/habanalabs-fix-device-irq-unmasking-for-be-host.patch @@ -0,0 +1,98 @@ +From 561236a585cafbb2346b8b94764c3a57c6ecb043 Mon Sep 17 00:00:00 2001 +From: Ben Segal +Date: Wed, 7 Aug 2019 13:54:54 +0000 +Subject: habanalabs: fix device IRQ unmasking for BE host + +[ Upstream commit b421d83a3947369fd5718824aecfaebe1efbf7ed ] + +When unmasking IRQs inside the ASIC, the driver passes an array of all the +IRQ to unmask. The ASIC's CPU is working in LE so when running in a BE +host, the driver needs to do the proper endianness swapping when preparing +this array. + +In addition, this patch also fixes the endianness of a couple of kernel log +debug messages that print values of packets + +Signed-off-by: Ben Segal +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/goya/goya.c | 33 +++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c +index 9216cc3599178..ac6b252a1ddcb 100644 +--- a/drivers/misc/habanalabs/goya/goya.c ++++ b/drivers/misc/habanalabs/goya/goya.c +@@ -3311,9 +3311,11 @@ static int goya_validate_dma_pkt_no_mmu(struct hl_device *hdev, + int rc; + + dev_dbg(hdev->dev, "DMA packet details:\n"); +- dev_dbg(hdev->dev, "source == 0x%llx\n", user_dma_pkt->src_addr); +- dev_dbg(hdev->dev, "destination == 0x%llx\n", user_dma_pkt->dst_addr); +- dev_dbg(hdev->dev, "size == %u\n", user_dma_pkt->tsize); ++ dev_dbg(hdev->dev, "source == 0x%llx\n", ++ le64_to_cpu(user_dma_pkt->src_addr)); ++ dev_dbg(hdev->dev, "destination == 0x%llx\n", ++ le64_to_cpu(user_dma_pkt->dst_addr)); ++ dev_dbg(hdev->dev, "size == %u\n", le32_to_cpu(user_dma_pkt->tsize)); + + ctl = le32_to_cpu(user_dma_pkt->ctl); + user_dir = (ctl & GOYA_PKT_LIN_DMA_CTL_DMA_DIR_MASK) >> +@@ -3342,9 +3344,11 @@ static int goya_validate_dma_pkt_mmu(struct hl_device *hdev, + struct packet_lin_dma *user_dma_pkt) + { + dev_dbg(hdev->dev, "DMA packet details:\n"); +- dev_dbg(hdev->dev, "source == 0x%llx\n", user_dma_pkt->src_addr); +- dev_dbg(hdev->dev, "destination == 0x%llx\n", user_dma_pkt->dst_addr); +- dev_dbg(hdev->dev, "size == %u\n", user_dma_pkt->tsize); ++ dev_dbg(hdev->dev, "source == 0x%llx\n", ++ le64_to_cpu(user_dma_pkt->src_addr)); ++ dev_dbg(hdev->dev, "destination == 0x%llx\n", ++ le64_to_cpu(user_dma_pkt->dst_addr)); ++ dev_dbg(hdev->dev, "size == %u\n", le32_to_cpu(user_dma_pkt->tsize)); + + /* + * WA for HW-23. +@@ -3384,7 +3388,8 @@ static int goya_validate_wreg32(struct hl_device *hdev, + + dev_dbg(hdev->dev, "WREG32 packet details:\n"); + dev_dbg(hdev->dev, "reg_offset == 0x%x\n", reg_offset); +- dev_dbg(hdev->dev, "value == 0x%x\n", wreg_pkt->value); ++ dev_dbg(hdev->dev, "value == 0x%x\n", ++ le32_to_cpu(wreg_pkt->value)); + + if (reg_offset != (mmDMA_CH_0_WR_COMP_ADDR_LO & 0x1FFF)) { + dev_err(hdev->dev, "WREG32 packet with illegal address 0x%x\n", +@@ -4252,6 +4257,8 @@ static int goya_unmask_irq_arr(struct hl_device *hdev, u32 *irq_arr, + size_t total_pkt_size; + long result; + int rc; ++ int irq_num_entries, irq_arr_index; ++ __le32 *goya_irq_arr; + + total_pkt_size = sizeof(struct armcp_unmask_irq_arr_packet) + + irq_arr_size; +@@ -4269,8 +4276,16 @@ static int goya_unmask_irq_arr(struct hl_device *hdev, u32 *irq_arr, + if (!pkt) + return -ENOMEM; + +- pkt->length = cpu_to_le32(irq_arr_size / sizeof(irq_arr[0])); +- memcpy(&pkt->irqs, irq_arr, irq_arr_size); ++ irq_num_entries = irq_arr_size / sizeof(irq_arr[0]); ++ pkt->length = cpu_to_le32(irq_num_entries); ++ ++ /* We must perform any necessary endianness conversation on the irq ++ * array being passed to the goya hardware ++ */ ++ for (irq_arr_index = 0, goya_irq_arr = (__le32 *) &pkt->irqs; ++ irq_arr_index < irq_num_entries ; irq_arr_index++) ++ goya_irq_arr[irq_arr_index] = ++ cpu_to_le32(irq_arr[irq_arr_index]); + + pkt->armcp_pkt.ctl = cpu_to_le32(ARMCP_PACKET_UNMASK_RAZWI_IRQ_ARRAY << + ARMCP_PKT_CTL_OPCODE_SHIFT); +-- +2.20.1 + diff --git a/queue-5.2/habanalabs-fix-dram-usage-accounting-on-context-tear.patch b/queue-5.2/habanalabs-fix-dram-usage-accounting-on-context-tear.patch new file mode 100644 index 00000000000..f2feb14ea84 --- /dev/null +++ b/queue-5.2/habanalabs-fix-dram-usage-accounting-on-context-tear.patch @@ -0,0 +1,35 @@ +From 07f81e664b3629f81ef22d0493a0cf2bb8c41ced Mon Sep 17 00:00:00 2001 +From: Tomer Tayar +Date: Sun, 4 Aug 2019 07:03:41 +0000 +Subject: habanalabs: fix DRAM usage accounting on context tear down + +[ Upstream commit c8113756ba27298d6e95403c087dc5881b419a99 ] + +The patch fix the DRAM usage accounting by adding a missing update of +the DRAM memory consumption, when a context is being torn down without an +organized release of the allocated memory. + +Signed-off-by: Tomer Tayar +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/memory.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c +index 693877e37fd87..924a438ba9736 100644 +--- a/drivers/misc/habanalabs/memory.c ++++ b/drivers/misc/habanalabs/memory.c +@@ -1629,6 +1629,8 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx) + dev_dbg(hdev->dev, + "page list 0x%p of asid %d is still alive\n", + phys_pg_list, ctx->asid); ++ atomic64_sub(phys_pg_list->total_size, ++ &hdev->dram_used_mem); + free_phys_pg_pack(hdev, phys_pg_list); + idr_remove(&vm->phys_pg_pack_handles, i); + } +-- +2.20.1 + diff --git a/queue-5.2/habanalabs-fix-endianness-handling-for-internal-qman.patch b/queue-5.2/habanalabs-fix-endianness-handling-for-internal-qman.patch new file mode 100644 index 00000000000..cd9afc2c489 --- /dev/null +++ b/queue-5.2/habanalabs-fix-endianness-handling-for-internal-qman.patch @@ -0,0 +1,129 @@ +From d1c78176f130bd079233a217dce88d201ee258d2 Mon Sep 17 00:00:00 2001 +From: Oded Gabbay +Date: Thu, 8 Aug 2019 15:45:58 +0300 +Subject: habanalabs: fix endianness handling for internal QMAN submission + +[ Upstream commit b9040c99414ba5b85090595a61abc686a5dbb388 ] + +The PQs of internal H/W queues (QMANs) can be located in different memory +areas for different ASICs. Therefore, when writing PQEs, we need to use +the correct function according to the location of the PQ. e.g. if the PQ +is located in the device's memory (SRAM or DRAM), we need to use +memcpy_toio() so it would work in architectures that have separate +address ranges for IO memory. + +This patch makes the code that writes the PQE to be ASIC-specific so we +can handle this properly per ASIC. + +Signed-off-by: Oded Gabbay +Tested-by: Ben Segal +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/goya/goya.c | 7 ++++--- + drivers/misc/habanalabs/goya/goyaP.h | 2 +- + drivers/misc/habanalabs/habanalabs.h | 9 +++++++-- + drivers/misc/habanalabs/hw_queue.c | 14 +++++--------- + 4 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c +index 0644fd7742057..9216cc3599178 100644 +--- a/drivers/misc/habanalabs/goya/goya.c ++++ b/drivers/misc/habanalabs/goya/goya.c +@@ -2716,9 +2716,10 @@ void goya_ring_doorbell(struct hl_device *hdev, u32 hw_queue_id, u32 pi) + GOYA_ASYNC_EVENT_ID_PI_UPDATE); + } + +-void goya_flush_pq_write(struct hl_device *hdev, u64 *pq, u64 exp_val) ++void goya_pqe_write(struct hl_device *hdev, __le64 *pqe, struct hl_bd *bd) + { +- /* Not needed in Goya */ ++ /* The QMANs are on the SRAM so need to copy to IO space */ ++ memcpy_toio((void __iomem *) pqe, bd, sizeof(struct hl_bd)); + } + + static void *goya_dma_alloc_coherent(struct hl_device *hdev, size_t size, +@@ -4784,7 +4785,7 @@ static const struct hl_asic_funcs goya_funcs = { + .resume = goya_resume, + .cb_mmap = goya_cb_mmap, + .ring_doorbell = goya_ring_doorbell, +- .flush_pq_write = goya_flush_pq_write, ++ .pqe_write = goya_pqe_write, + .asic_dma_alloc_coherent = goya_dma_alloc_coherent, + .asic_dma_free_coherent = goya_dma_free_coherent, + .get_int_queue_base = goya_get_int_queue_base, +diff --git a/drivers/misc/habanalabs/goya/goyaP.h b/drivers/misc/habanalabs/goya/goyaP.h +index c83cab0d641e2..e2040fd331ca1 100644 +--- a/drivers/misc/habanalabs/goya/goyaP.h ++++ b/drivers/misc/habanalabs/goya/goyaP.h +@@ -170,7 +170,7 @@ int goya_late_init(struct hl_device *hdev); + void goya_late_fini(struct hl_device *hdev); + + void goya_ring_doorbell(struct hl_device *hdev, u32 hw_queue_id, u32 pi); +-void goya_flush_pq_write(struct hl_device *hdev, u64 *pq, u64 exp_val); ++void goya_pqe_write(struct hl_device *hdev, __le64 *pqe, struct hl_bd *bd); + void goya_update_eq_ci(struct hl_device *hdev, u32 val); + void goya_restore_phase_topology(struct hl_device *hdev); + int goya_context_switch(struct hl_device *hdev, u32 asid); +diff --git a/drivers/misc/habanalabs/habanalabs.h b/drivers/misc/habanalabs/habanalabs.h +index adef7d9d7488a..d56ab65d5b2a4 100644 +--- a/drivers/misc/habanalabs/habanalabs.h ++++ b/drivers/misc/habanalabs/habanalabs.h +@@ -449,7 +449,11 @@ enum hl_pll_frequency { + * @resume: handles IP specific H/W or SW changes for resume. + * @cb_mmap: maps a CB. + * @ring_doorbell: increment PI on a given QMAN. +- * @flush_pq_write: flush PQ entry write if necessary, WARN if flushing failed. ++ * @pqe_write: Write the PQ entry to the PQ. This is ASIC-specific ++ * function because the PQs are located in different memory areas ++ * per ASIC (SRAM, DRAM, Host memory) and therefore, the method of ++ * writing the PQE must match the destination memory area ++ * properties. + * @asic_dma_alloc_coherent: Allocate coherent DMA memory by calling + * dma_alloc_coherent(). This is ASIC function because + * its implementation is not trivial when the driver +@@ -518,7 +522,8 @@ struct hl_asic_funcs { + int (*cb_mmap)(struct hl_device *hdev, struct vm_area_struct *vma, + u64 kaddress, phys_addr_t paddress, u32 size); + void (*ring_doorbell)(struct hl_device *hdev, u32 hw_queue_id, u32 pi); +- void (*flush_pq_write)(struct hl_device *hdev, u64 *pq, u64 exp_val); ++ void (*pqe_write)(struct hl_device *hdev, __le64 *pqe, ++ struct hl_bd *bd); + void* (*asic_dma_alloc_coherent)(struct hl_device *hdev, size_t size, + dma_addr_t *dma_handle, gfp_t flag); + void (*asic_dma_free_coherent)(struct hl_device *hdev, size_t size, +diff --git a/drivers/misc/habanalabs/hw_queue.c b/drivers/misc/habanalabs/hw_queue.c +index 2894d89759334..bb76794747279 100644 +--- a/drivers/misc/habanalabs/hw_queue.c ++++ b/drivers/misc/habanalabs/hw_queue.c +@@ -290,23 +290,19 @@ static void int_hw_queue_schedule_job(struct hl_cs_job *job) + struct hl_device *hdev = job->cs->ctx->hdev; + struct hl_hw_queue *q = &hdev->kernel_queues[job->hw_queue_id]; + struct hl_bd bd; +- u64 *pi, *pbd = (u64 *) &bd; ++ __le64 *pi; + + bd.ctl = 0; +- bd.len = __cpu_to_le32(job->job_cb_size); +- bd.ptr = __cpu_to_le64((u64) (uintptr_t) job->user_cb); ++ bd.len = cpu_to_le32(job->job_cb_size); ++ bd.ptr = cpu_to_le64((u64) (uintptr_t) job->user_cb); + +- pi = (u64 *) (uintptr_t) (q->kernel_address + ++ pi = (__le64 *) (uintptr_t) (q->kernel_address + + ((q->pi & (q->int_queue_len - 1)) * sizeof(bd))); + +- pi[0] = pbd[0]; +- pi[1] = pbd[1]; +- + q->pi++; + q->pi &= ((q->int_queue_len << 1) - 1); + +- /* Flush PQ entry write. Relevant only for specific ASICs */ +- hdev->asic_funcs->flush_pq_write(hdev, pi, pbd[0]); ++ hdev->asic_funcs->pqe_write(hdev, pi, &bd); + + hdev->asic_funcs->ring_doorbell(hdev, q->hw_queue_id, q->pi); + } +-- +2.20.1 + diff --git a/queue-5.2/habanalabs-fix-endianness-handling-for-packets-from-.patch b/queue-5.2/habanalabs-fix-endianness-handling-for-packets-from-.patch new file mode 100644 index 00000000000..13cda4403f6 --- /dev/null +++ b/queue-5.2/habanalabs-fix-endianness-handling-for-packets-from-.patch @@ -0,0 +1,137 @@ +From 2d16394741442fc3250cd63c6ceed547230dcfbd Mon Sep 17 00:00:00 2001 +From: Ben Segal +Date: Thu, 1 Aug 2019 23:20:32 +0000 +Subject: habanalabs: fix endianness handling for packets from user + +[ Upstream commit 213ad5ad016a0da975b35f54e8cd236c3b04724b ] + +Packets that arrive from the user and need to be parsed by the driver are +assumed to be in LE format. + +This patch fix all the places where the code handles these packets and use +the correct endianness macros to handle them, as the driver handles the +packets in CPU format (LE or BE depending on the arch). + +Signed-off-by: Ben Segal +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/goya/goya.c | 32 +++++++++++-------- + .../habanalabs/include/goya/goya_packets.h | 13 ++++++++ + 2 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c +index 02d116b01a1a2..0644fd7742057 100644 +--- a/drivers/misc/habanalabs/goya/goya.c ++++ b/drivers/misc/habanalabs/goya/goya.c +@@ -3425,12 +3425,13 @@ static int goya_validate_cb(struct hl_device *hdev, + while (cb_parsed_length < parser->user_cb_size) { + enum packet_id pkt_id; + u16 pkt_size; +- void *user_pkt; ++ struct goya_packet *user_pkt; + +- user_pkt = (void *) (uintptr_t) ++ user_pkt = (struct goya_packet *) (uintptr_t) + (parser->user_cb->kernel_address + cb_parsed_length); + +- pkt_id = (enum packet_id) (((*(u64 *) user_pkt) & ++ pkt_id = (enum packet_id) ( ++ (le64_to_cpu(user_pkt->header) & + PACKET_HEADER_PACKET_ID_MASK) >> + PACKET_HEADER_PACKET_ID_SHIFT); + +@@ -3450,7 +3451,8 @@ static int goya_validate_cb(struct hl_device *hdev, + * need to validate here as well because patch_cb() is + * not called in MMU path while this function is called + */ +- rc = goya_validate_wreg32(hdev, parser, user_pkt); ++ rc = goya_validate_wreg32(hdev, ++ parser, (struct packet_wreg32 *) user_pkt); + break; + + case PACKET_WREG_BULK: +@@ -3478,10 +3480,10 @@ static int goya_validate_cb(struct hl_device *hdev, + case PACKET_LIN_DMA: + if (is_mmu) + rc = goya_validate_dma_pkt_mmu(hdev, parser, +- user_pkt); ++ (struct packet_lin_dma *) user_pkt); + else + rc = goya_validate_dma_pkt_no_mmu(hdev, parser, +- user_pkt); ++ (struct packet_lin_dma *) user_pkt); + break; + + case PACKET_MSG_LONG: +@@ -3654,15 +3656,16 @@ static int goya_patch_cb(struct hl_device *hdev, + enum packet_id pkt_id; + u16 pkt_size; + u32 new_pkt_size = 0; +- void *user_pkt, *kernel_pkt; ++ struct goya_packet *user_pkt, *kernel_pkt; + +- user_pkt = (void *) (uintptr_t) ++ user_pkt = (struct goya_packet *) (uintptr_t) + (parser->user_cb->kernel_address + cb_parsed_length); +- kernel_pkt = (void *) (uintptr_t) ++ kernel_pkt = (struct goya_packet *) (uintptr_t) + (parser->patched_cb->kernel_address + + cb_patched_cur_length); + +- pkt_id = (enum packet_id) (((*(u64 *) user_pkt) & ++ pkt_id = (enum packet_id) ( ++ (le64_to_cpu(user_pkt->header) & + PACKET_HEADER_PACKET_ID_MASK) >> + PACKET_HEADER_PACKET_ID_SHIFT); + +@@ -3677,15 +3680,18 @@ static int goya_patch_cb(struct hl_device *hdev, + + switch (pkt_id) { + case PACKET_LIN_DMA: +- rc = goya_patch_dma_packet(hdev, parser, user_pkt, +- kernel_pkt, &new_pkt_size); ++ rc = goya_patch_dma_packet(hdev, parser, ++ (struct packet_lin_dma *) user_pkt, ++ (struct packet_lin_dma *) kernel_pkt, ++ &new_pkt_size); + cb_patched_cur_length += new_pkt_size; + break; + + case PACKET_WREG_32: + memcpy(kernel_pkt, user_pkt, pkt_size); + cb_patched_cur_length += pkt_size; +- rc = goya_validate_wreg32(hdev, parser, kernel_pkt); ++ rc = goya_validate_wreg32(hdev, parser, ++ (struct packet_wreg32 *) kernel_pkt); + break; + + case PACKET_WREG_BULK: +diff --git a/drivers/misc/habanalabs/include/goya/goya_packets.h b/drivers/misc/habanalabs/include/goya/goya_packets.h +index a14407b975e4e..ef54bad205099 100644 +--- a/drivers/misc/habanalabs/include/goya/goya_packets.h ++++ b/drivers/misc/habanalabs/include/goya/goya_packets.h +@@ -52,6 +52,19 @@ enum goya_dma_direction { + #define GOYA_PKT_CTL_MB_SHIFT 31 + #define GOYA_PKT_CTL_MB_MASK 0x80000000 + ++/* All packets have, at least, an 8-byte header, which contains ++ * the packet type. The kernel driver uses the packet header for packet ++ * validation and to perform any necessary required preparation before ++ * sending them off to the hardware. ++ */ ++struct goya_packet { ++ __le64 header; ++ /* The rest of the packet data follows. Use the corresponding ++ * packet_XXX struct to deference the data, based on packet type ++ */ ++ u8 contents[0]; ++}; ++ + struct packet_nop { + __le32 reserved; + __le32 ctl; +-- +2.20.1 + diff --git a/queue-5.2/i2c-emev2-avoid-race-when-unregistering-slave-client.patch b/queue-5.2/i2c-emev2-avoid-race-when-unregistering-slave-client.patch new file mode 100644 index 00000000000..1f95cf9e656 --- /dev/null +++ b/queue-5.2/i2c-emev2-avoid-race-when-unregistering-slave-client.patch @@ -0,0 +1,78 @@ +From 395819d93fa31137f8eb511a4c0ccce9356fd8f4 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Thu, 8 Aug 2019 21:54:17 +0200 +Subject: i2c: emev2: avoid race when unregistering slave client + +[ Upstream commit d7437fc0d8291181debe032671a289b6bd93f46f ] + +After we disabled interrupts, there might still be an active one +running. Sync before clearing the pointer to the slave device. + +Fixes: c31d0a00021d ("i2c: emev2: add slave support") +Reported-by: Krzysztof Adamski +Signed-off-by: Wolfram Sang +Reviewed-by: Krzysztof Adamski +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-emev2.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-emev2.c b/drivers/i2c/busses/i2c-emev2.c +index 35b302d983e0d..959d4912ec0d5 100644 +--- a/drivers/i2c/busses/i2c-emev2.c ++++ b/drivers/i2c/busses/i2c-emev2.c +@@ -69,6 +69,7 @@ struct em_i2c_device { + struct completion msg_done; + struct clk *sclk; + struct i2c_client *slave; ++ int irq; + }; + + static inline void em_clear_set_bit(struct em_i2c_device *priv, u8 clear, u8 set, u8 reg) +@@ -339,6 +340,12 @@ static int em_i2c_unreg_slave(struct i2c_client *slave) + + writeb(0, priv->base + I2C_OFS_SVA0); + ++ /* ++ * Wait for interrupt to finish. New slave irqs cannot happen because we ++ * cleared the slave address and, thus, only extension codes will be ++ * detected which do not use the slave ptr. ++ */ ++ synchronize_irq(priv->irq); + priv->slave = NULL; + + return 0; +@@ -355,7 +362,7 @@ static int em_i2c_probe(struct platform_device *pdev) + { + struct em_i2c_device *priv; + struct resource *r; +- int irq, ret; ++ int ret; + + priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) +@@ -390,8 +397,8 @@ static int em_i2c_probe(struct platform_device *pdev) + + em_i2c_reset(&priv->adap); + +- irq = platform_get_irq(pdev, 0); +- ret = devm_request_irq(&pdev->dev, irq, em_i2c_irq_handler, 0, ++ priv->irq = platform_get_irq(pdev, 0); ++ ret = devm_request_irq(&pdev->dev, priv->irq, em_i2c_irq_handler, 0, + "em_i2c", priv); + if (ret) + goto err_clk; +@@ -401,7 +408,8 @@ static int em_i2c_probe(struct platform_device *pdev) + if (ret) + goto err_clk; + +- dev_info(&pdev->dev, "Added i2c controller %d, irq %d\n", priv->adap.nr, irq); ++ dev_info(&pdev->dev, "Added i2c controller %d, irq %d\n", priv->adap.nr, ++ priv->irq); + + return 0; + +-- +2.20.1 + diff --git a/queue-5.2/i2c-rcar-avoid-race-when-unregistering-slave-client.patch b/queue-5.2/i2c-rcar-avoid-race-when-unregistering-slave-client.patch new file mode 100644 index 00000000000..94329da7f6b --- /dev/null +++ b/queue-5.2/i2c-rcar-avoid-race-when-unregistering-slave-client.patch @@ -0,0 +1,70 @@ +From a477c280a5629f0e37a4427d5ff0a4a99ead2d61 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Thu, 8 Aug 2019 21:39:10 +0200 +Subject: i2c: rcar: avoid race when unregistering slave client + +[ Upstream commit 7b814d852af6944657c2961039f404c4490771c0 ] + +After we disabled interrupts, there might still be an active one +running. Sync before clearing the pointer to the slave device. + +Fixes: de20d1857dd6 ("i2c: rcar: add slave support") +Reported-by: Krzysztof Adamski +Signed-off-by: Wolfram Sang +Reviewed-by: Krzysztof Adamski +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rcar.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index d39a4606f72d3..531c01100b560 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -139,6 +139,7 @@ struct rcar_i2c_priv { + enum dma_data_direction dma_direction; + + struct reset_control *rstc; ++ int irq; + }; + + #define rcar_i2c_priv_to_dev(p) ((p)->adap.dev.parent) +@@ -861,9 +862,11 @@ static int rcar_unreg_slave(struct i2c_client *slave) + + WARN_ON(!priv->slave); + ++ /* disable irqs and ensure none is running before clearing ptr */ + rcar_i2c_write(priv, ICSIER, 0); + rcar_i2c_write(priv, ICSCR, 0); + ++ synchronize_irq(priv->irq); + priv->slave = NULL; + + pm_runtime_put(rcar_i2c_priv_to_dev(priv)); +@@ -918,7 +921,7 @@ static int rcar_i2c_probe(struct platform_device *pdev) + struct i2c_adapter *adap; + struct device *dev = &pdev->dev; + struct i2c_timings i2c_t; +- int irq, ret; ++ int ret; + + /* Otherwise logic will break because some bytes must always use PIO */ + BUILD_BUG_ON_MSG(RCAR_MIN_DMA_LEN < 3, "Invalid min DMA length"); +@@ -984,10 +987,10 @@ static int rcar_i2c_probe(struct platform_device *pdev) + pm_runtime_put(dev); + + +- irq = platform_get_irq(pdev, 0); +- ret = devm_request_irq(dev, irq, rcar_i2c_irq, 0, dev_name(dev), priv); ++ priv->irq = platform_get_irq(pdev, 0); ++ ret = devm_request_irq(dev, priv->irq, rcar_i2c_irq, 0, dev_name(dev), priv); + if (ret < 0) { +- dev_err(dev, "cannot get irq %d\n", irq); ++ dev_err(dev, "cannot get irq %d\n", priv->irq); + goto out_pm_disable; + } + +-- +2.20.1 + diff --git a/queue-5.2/ib-mlx5-fix-implicit-mr-release-flow.patch b/queue-5.2/ib-mlx5-fix-implicit-mr-release-flow.patch new file mode 100644 index 00000000000..35425dd7983 --- /dev/null +++ b/queue-5.2/ib-mlx5-fix-implicit-mr-release-flow.patch @@ -0,0 +1,143 @@ +From 1daabdc0f33cd8e294ffcf5ef95e08b07cb3a099 Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Mon, 5 Aug 2019 11:30:10 +0300 +Subject: IB/mlx5: Fix implicit MR release flow + +[ Upstream commit f591822c3cf314442819486f45ff7dc1f690e0c0 ] + +Once implicit MR is being called to be released by +ib_umem_notifier_release() its leaves were marked as "dying". + +However, when dereg_mr()->mlx5_ib_free_implicit_mr()->mr_leaf_free() is +called, it skips running the mr_leaf_free_action (i.e. umem_odp->work) +when those leaves were marked as "dying". + +As such ib_umem_release() for the leaves won't be called and their MRs +will be leaked as well. + +When an application exits/killed without calling dereg_mr we might hit the +above flow. + +This fatal scenario is reported by WARN_ON() upon +mlx5_ib_dealloc_ucontext() as ibcontext->per_mm_list is not empty, the +call trace can be seen below. + +Originally the "dying" mark as part of ib_umem_notifier_release() was +introduced to prevent pagefault_mr() from returning a success response +once this happened. However, we already have today the completion +mechanism so no need for that in those flows any more. Even in case a +success response will be returned the firmware will not find the pages and +an error will be returned in the following call as a released mm will +cause ib_umem_odp_map_dma_pages() to permanently fail mmget_not_zero(). + +Fix the above issue by dropping the "dying" from the above flows. The +other flows that are using "dying" are still needed it for their +synchronization purposes. + + WARNING: CPU: 1 PID: 7218 at + drivers/infiniband/hw/mlx5/main.c:2004 + mlx5_ib_dealloc_ucontext+0x84/0x90 [mlx5_ib] + CPU: 1 PID: 7218 Comm: ibv_rc_pingpong Tainted: G E + 5.2.0-rc6+ #13 + Call Trace: + uverbs_destroy_ufile_hw+0xb5/0x120 [ib_uverbs] + ib_uverbs_close+0x1f/0x80 [ib_uverbs] + __fput+0xbe/0x250 + task_work_run+0x88/0xa0 + do_exit+0x2cb/0xc30 + ? __fput+0x14b/0x250 + do_group_exit+0x39/0xb0 + get_signal+0x191/0x920 + ? _raw_spin_unlock_bh+0xa/0x20 + ? inet_csk_accept+0x229/0x2f0 + do_signal+0x36/0x5e0 + ? put_unused_fd+0x5b/0x70 + ? __sys_accept4+0x1a6/0x1e0 + ? inet_hash+0x35/0x40 + ? release_sock+0x43/0x90 + ? _raw_spin_unlock_bh+0xa/0x20 + ? inet_listen+0x9f/0x120 + exit_to_usermode_loop+0x5c/0xc6 + do_syscall_64+0x182/0x1b0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 81713d3788d2 ("IB/mlx5: Add implicit MR support") +Link: https://lore.kernel.org/r/20190805083010.21777-1-leon@kernel.org +Signed-off-by: Yishai Hadas +Reviewed-by: Artemy Kovalyov +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem_odp.c | 4 ---- + drivers/infiniband/hw/mlx5/odp.c | 24 +++++++++--------------- + 2 files changed, 9 insertions(+), 19 deletions(-) + +diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c +index e4b13a32692a9..5e5f7dd82c50d 100644 +--- a/drivers/infiniband/core/umem_odp.c ++++ b/drivers/infiniband/core/umem_odp.c +@@ -114,10 +114,6 @@ static int ib_umem_notifier_release_trampoline(struct ib_umem_odp *umem_odp, + * prevent any further fault handling on this MR. + */ + ib_umem_notifier_start_account(umem_odp); +- umem_odp->dying = 1; +- /* Make sure that the fact the umem is dying is out before we release +- * all pending page faults. */ +- smp_wmb(); + complete_all(&umem_odp->notifier_completion); + umem->context->invalidate_range(umem_odp, ib_umem_start(umem), + ib_umem_end(umem)); +diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c +index f6e5351ba4d50..fda3dfd6f87b6 100644 +--- a/drivers/infiniband/hw/mlx5/odp.c ++++ b/drivers/infiniband/hw/mlx5/odp.c +@@ -581,7 +581,6 @@ static int pagefault_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr, + u32 flags) + { + int npages = 0, current_seq, page_shift, ret, np; +- bool implicit = false; + struct ib_umem_odp *odp_mr = to_ib_umem_odp(mr->umem); + bool downgrade = flags & MLX5_PF_FLAGS_DOWNGRADE; + bool prefetch = flags & MLX5_PF_FLAGS_PREFETCH; +@@ -596,7 +595,6 @@ static int pagefault_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr, + if (IS_ERR(odp)) + return PTR_ERR(odp); + mr = odp->private; +- implicit = true; + } else { + odp = odp_mr; + } +@@ -684,19 +682,15 @@ next_mr: + + out: + if (ret == -EAGAIN) { +- if (implicit || !odp->dying) { +- unsigned long timeout = +- msecs_to_jiffies(MMU_NOTIFIER_TIMEOUT); +- +- if (!wait_for_completion_timeout( +- &odp->notifier_completion, +- timeout)) { +- mlx5_ib_warn(dev, "timeout waiting for mmu notifier. seq %d against %d. notifiers_count=%d\n", +- current_seq, odp->notifiers_seq, odp->notifiers_count); +- } +- } else { +- /* The MR is being killed, kill the QP as well. */ +- ret = -EFAULT; ++ unsigned long timeout = msecs_to_jiffies(MMU_NOTIFIER_TIMEOUT); ++ ++ if (!wait_for_completion_timeout(&odp->notifier_completion, ++ timeout)) { ++ mlx5_ib_warn( ++ dev, ++ "timeout waiting for mmu notifier. seq %d against %d. notifiers_count=%d\n", ++ current_seq, odp->notifiers_seq, ++ odp->notifiers_count); + } + } + +-- +2.20.1 + diff --git a/queue-5.2/iommu-dma-handle-sg-length-overflow-better.patch b/queue-5.2/iommu-dma-handle-sg-length-overflow-better.patch new file mode 100644 index 00000000000..e39e4e6c1a7 --- /dev/null +++ b/queue-5.2/iommu-dma-handle-sg-length-overflow-better.patch @@ -0,0 +1,45 @@ +From 783b756d8b4b74e0c231b2ca3c2a0569bdc9a3a7 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Mon, 29 Jul 2019 17:46:00 +0100 +Subject: iommu/dma: Handle SG length overflow better + +[ Upstream commit ab2cbeb0ed301a9f0460078e91b09f39958212ef ] + +Since scatterlist dimensions are all unsigned ints, in the relatively +rare cases where a device's max_segment_size is set to UINT_MAX, then +the "cur_len + s_length <= max_len" check in __finalise_sg() will always +return true. As a result, the corner case of such a device mapping an +excessively large scatterlist which is mergeable to or beyond a total +length of 4GB can lead to overflow and a bogus truncated dma_length in +the resulting segment. + +As we already assume that any single segment must be no longer than +max_len to begin with, this can easily be addressed by reshuffling the +comparison. + +Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging") +Reported-by: Nicolin Chen +Tested-by: Nicolin Chen +Signed-off-by: Robin Murphy +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index 379318266468c..8c02d2283d647 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -710,7 +710,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents, + * - and wouldn't make the resulting output segment too long + */ + if (cur_len && !s_iova_off && (dma_addr & seg_mask) && +- (cur_len + s_length <= max_len)) { ++ (max_len - cur_len >= s_length)) { + /* ...then concatenate it with the previous one */ + cur_len += s_length; + } else { +-- +2.20.1 + diff --git a/queue-5.2/lcoking-rwsem-add-missing-acquire-to-read_slowpath-s.patch b/queue-5.2/lcoking-rwsem-add-missing-acquire-to-read_slowpath-s.patch new file mode 100644 index 00000000000..bfb04295e35 --- /dev/null +++ b/queue-5.2/lcoking-rwsem-add-missing-acquire-to-read_slowpath-s.patch @@ -0,0 +1,68 @@ +From dea939de3f5fb867092c28f581fa82d7a361f5c4 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 26 Aug 2019 10:31:14 -0400 +Subject: lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop + +[ Upstream commit 99143f82a255e7f054bead8443462fae76dd829e ] + +While reviewing another read_slowpath patch, both Will and I noticed +another missing ACQUIRE, namely: + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Peter Zijlstra (Intel) +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ingo Molnar +Acked-by: Jan Stancek +Signed-off-by: Sasha Levin +--- + kernel/locking/rwsem-xadd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 397dedc58432d..385ebcfc31a6d 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -485,8 +485,10 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state) + /* wait to be given the lock */ + while (true) { + set_current_state(state); +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) { ++ /* Orders against rwsem_mark_wake()'s smp_store_release() */ + break; ++ } + if (signal_pending_state(state, current)) { + raw_spin_lock_irq(&sem->wait_lock); + if (waiter.task) +-- +2.20.1 + diff --git a/queue-5.2/locking-rwsem-add-missing-acquire-to-read_slowpath-e.patch b/queue-5.2/locking-rwsem-add-missing-acquire-to-read_slowpath-e.patch new file mode 100644 index 00000000000..8e10081d041 --- /dev/null +++ b/queue-5.2/locking-rwsem-add-missing-acquire-to-read_slowpath-e.patch @@ -0,0 +1,72 @@ +From 7821081f49e389a4076f193231fd6521e0abcd9e Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Mon, 26 Aug 2019 10:31:13 -0400 +Subject: locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue + is empty + +[ Upstream commit e1b98fa316648420d0434d9ff5b92ad6609ba6c3 ] + +LTP mtest06 has been observed to occasionally hit "still mapped when +deleted" and following BUG_ON on arm64. + +The extra mapcount originated from pagefault handler, which handled +pagefault for vma that has already been detached. vma is detached +under mmap_sem write lock by detach_vmas_to_be_unmapped(), which +also invalidates vmacache. + +When the pagefault handler (under mmap_sem read lock) calls +find_vma(), vmacache_valid() wrongly reports vmacache as valid. + +After rwsem down_read() returns via 'queue empty' path (as of v5.2), +it does so without an ACQUIRE on sem->count: + + down_read() + __down_read() + rwsem_down_read_failed() + __rwsem_down_read_failed_common() + raw_spin_lock_irq(&sem->wait_lock); + if (list_empty(&sem->wait_list)) { + if (atomic_long_read(&sem->count) >= 0) { + raw_spin_unlock_irq(&sem->wait_lock); + return sem; + +The problem can be reproduced by running LTP mtest06 in a loop and +building the kernel (-j $NCPUS) in parallel. It does reproduces since +v4.20 on arm64 HPE Apollo 70 (224 CPUs, 256GB RAM, 2 nodes). It +triggers reliably in about an hour. + +The patched kernel ran fine for 10+ hours. + +Signed-off-by: Jan Stancek +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Will Deacon +Acked-by: Waiman Long +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dbueso@suse.de +Fixes: 4b486b535c33 ("locking/rwsem: Exit read lock slowpath if queue empty & no writer") +Link: https://lkml.kernel.org/r/50b8914e20d1d62bb2dee42d342836c2c16ebee7.1563438048.git.jstancek@redhat.com +Signed-off-by: Ingo Molnar +Acked-by: Jan Stancek +Signed-off-by: Sasha Levin +--- + kernel/locking/rwsem-xadd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 0b1f779572402..397dedc58432d 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -454,6 +454,8 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state) + * been set in the count. + */ + if (atomic_long_read(&sem->count) >= 0) { ++ /* Provide lock ACQUIRE */ ++ smp_acquire__after_ctrl_dep(); + raw_spin_unlock_irq(&sem->wait_lock); + rwsem_set_reader_owned(sem); + lockevent_inc(rwsem_rlock_fast); +-- +2.20.1 + diff --git a/queue-5.2/nvme-core-fix-extra-device_put-call-on-error-path.patch b/queue-5.2/nvme-core-fix-extra-device_put-call-on-error-path.patch new file mode 100644 index 00000000000..aebb0672518 --- /dev/null +++ b/queue-5.2/nvme-core-fix-extra-device_put-call-on-error-path.patch @@ -0,0 +1,146 @@ +From fb0492fa524586a99ae5204ac6e93704750ea779 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 31 Jul 2019 17:35:34 -0600 +Subject: nvme-core: Fix extra device_put() call on error path + +[ Upstream commit 8c36e66fb407ce076535a7db98ab9f6d720b866a ] + +In the error path for nvme_init_subsystem(), nvme_put_subsystem() +will call device_put(), but it will get called again after the +mutex_unlock(). + +The device_put() only needs to be called if device_add() fails. + +This bug caused a KASAN use-after-free error when adding and +removing subsytems in a loop: + + BUG: KASAN: use-after-free in device_del+0x8d9/0x9a0 + Read of size 8 at addr ffff8883cdaf7120 by task multipathd/329 + + CPU: 0 PID: 329 Comm: multipathd Not tainted 5.2.0-rc6-vmlocalyes-00019-g70a2b39005fd-dirty #314 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + Call Trace: + dump_stack+0x7b/0xb5 + print_address_description+0x6f/0x280 + ? device_del+0x8d9/0x9a0 + __kasan_report+0x148/0x199 + ? device_del+0x8d9/0x9a0 + ? class_release+0x100/0x130 + ? device_del+0x8d9/0x9a0 + kasan_report+0x12/0x20 + __asan_report_load8_noabort+0x14/0x20 + device_del+0x8d9/0x9a0 + ? device_platform_notify+0x70/0x70 + nvme_destroy_subsystem+0xf9/0x150 + nvme_free_ctrl+0x280/0x3a0 + device_release+0x72/0x1d0 + kobject_put+0x144/0x410 + put_device+0x13/0x20 + nvme_free_ns+0xc4/0x100 + nvme_release+0xb3/0xe0 + __blkdev_put+0x549/0x6e0 + ? kasan_check_write+0x14/0x20 + ? bd_set_size+0xb0/0xb0 + ? kasan_check_write+0x14/0x20 + ? mutex_lock+0x8f/0xe0 + ? __mutex_lock_slowpath+0x20/0x20 + ? locks_remove_file+0x239/0x370 + blkdev_put+0x72/0x2c0 + blkdev_close+0x8d/0xd0 + __fput+0x256/0x770 + ? _raw_read_lock_irq+0x40/0x40 + ____fput+0xe/0x10 + task_work_run+0x10c/0x180 + ? filp_close+0xf7/0x140 + exit_to_usermode_loop+0x151/0x170 + do_syscall_64+0x240/0x2e0 + ? prepare_exit_to_usermode+0xd5/0x190 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f5a79af05d7 + Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 3f c3 66 0f 1f 44 00 00 53 89 fb 48 83 ec 10 e8 c4 fb ff ff 89 df 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2b 89 d7 89 44 24 0c e8 06 fc ff ff 8b 44 24 + RSP: 002b:00007f5a7799c810 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 + RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00007f5a79af05d7 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008 + RBP: 00007f5a58000f98 R08: 0000000000000002 R09: 00007f5a7935ee80 + R10: 0000000000000000 R11: 0000000000000293 R12: 000055e432447240 + R13: 0000000000000000 R14: 0000000000000001 R15: 000055e4324a9cf0 + + Allocated by task 1236: + save_stack+0x21/0x80 + __kasan_kmalloc.constprop.6+0xab/0xe0 + kasan_kmalloc+0x9/0x10 + kmem_cache_alloc_trace+0x102/0x210 + nvme_init_identify+0x13c3/0x3820 + nvme_loop_configure_admin_queue+0x4fa/0x5e0 + nvme_loop_create_ctrl+0x469/0xf40 + nvmf_dev_write+0x19a3/0x21ab + __vfs_write+0x66/0x120 + vfs_write+0x154/0x490 + ksys_write+0x104/0x240 + __x64_sys_write+0x73/0xb0 + do_syscall_64+0xa5/0x2e0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + Freed by task 329: + save_stack+0x21/0x80 + __kasan_slab_free+0x129/0x190 + kasan_slab_free+0xe/0x10 + kfree+0xa7/0x200 + nvme_release_subsystem+0x49/0x60 + device_release+0x72/0x1d0 + kobject_put+0x144/0x410 + put_device+0x13/0x20 + klist_class_dev_put+0x31/0x40 + klist_put+0x8f/0xf0 + klist_del+0xe/0x10 + device_del+0x3a7/0x9a0 + nvme_destroy_subsystem+0xf9/0x150 + nvme_free_ctrl+0x280/0x3a0 + device_release+0x72/0x1d0 + kobject_put+0x144/0x410 + put_device+0x13/0x20 + nvme_free_ns+0xc4/0x100 + nvme_release+0xb3/0xe0 + __blkdev_put+0x549/0x6e0 + blkdev_put+0x72/0x2c0 + blkdev_close+0x8d/0xd0 + __fput+0x256/0x770 + ____fput+0xe/0x10 + task_work_run+0x10c/0x180 + exit_to_usermode_loop+0x151/0x170 + do_syscall_64+0x240/0x2e0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 32fd90c40768 ("nvme: change locking for the per-subsystem controller list") +Signed-off-by: Logan Gunthorpe +Reviewed-by: Sagi Grimberg +Reviewed-by : Chaitanya Kulkarni +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index ab1a2b1ec3637..dfbd5872f4422 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2440,6 +2440,7 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + if (ret) { + dev_err(ctrl->device, + "failed to register subsystem device.\n"); ++ put_device(&subsys->dev); + goto out_unlock; + } + ida_init(&subsys->ns_ida); +@@ -2462,7 +2463,6 @@ out_put_subsystem: + nvme_put_subsystem(subsys); + out_unlock: + mutex_unlock(&nvme_subsystems_lock); +- put_device(&subsys->dev); + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.2/nvme-fix-a-possible-deadlock-when-passthru-commands-.patch b/queue-5.2/nvme-fix-a-possible-deadlock-when-passthru-commands-.patch new file mode 100644 index 00000000000..b2e44d81c9d --- /dev/null +++ b/queue-5.2/nvme-fix-a-possible-deadlock-when-passthru-commands-.patch @@ -0,0 +1,209 @@ +From d23522a34d117b5b9732dd4e81bbb89da8834224 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Wed, 31 Jul 2019 11:00:26 -0700 +Subject: nvme: fix a possible deadlock when passthru commands sent to a + multipath device + +[ Upstream commit b9156daeb1601d69007b7e50efcf89d69d72ec1d ] + +When the user issues a command with side effects, we will end up freezing +the namespace request queue when updating disk info (and the same for +the corresponding mpath disk node). + +However, we are not freezing the mpath node request queue, +which means that mpath I/O can still come in and block on blk_queue_enter +(called from nvme_ns_head_make_request -> direct_make_request). + +This is a deadlock, because blk_queue_enter will block until the inner +namespace request queue is unfroze, but that process is blocked because +the namespace revalidation is trying to update the mpath disk info +and freeze its request queue (which will never complete because +of the I/O that is blocked on blk_queue_enter). + +Fix this by freezing all the subsystem nsheads request queues before +executing the passthru command. Given that these commands are infrequent +we should not worry about this temporary I/O freeze to keep things sane. + +Here is the matching hang traces: +-- +[ 374.465002] INFO: task systemd-udevd:17994 blocked for more than 122 seconds. +[ 374.472975] Not tainted 5.2.0-rc3-mpdebug+ #42 +[ 374.478522] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 374.487274] systemd-udevd D 0 17994 1 0x00000000 +[ 374.493407] Call Trace: +[ 374.496145] __schedule+0x2ef/0x620 +[ 374.500047] schedule+0x38/0xa0 +[ 374.503569] blk_queue_enter+0x139/0x220 +[ 374.507959] ? remove_wait_queue+0x60/0x60 +[ 374.512540] direct_make_request+0x60/0x130 +[ 374.517219] nvme_ns_head_make_request+0x11d/0x420 [nvme_core] +[ 374.523740] ? generic_make_request_checks+0x307/0x6f0 +[ 374.529484] generic_make_request+0x10d/0x2e0 +[ 374.534356] submit_bio+0x75/0x140 +[ 374.538163] ? guard_bio_eod+0x32/0xe0 +[ 374.542361] submit_bh_wbc+0x171/0x1b0 +[ 374.546553] block_read_full_page+0x1ed/0x330 +[ 374.551426] ? check_disk_change+0x70/0x70 +[ 374.556008] ? scan_shadow_nodes+0x30/0x30 +[ 374.560588] blkdev_readpage+0x18/0x20 +[ 374.564783] do_read_cache_page+0x301/0x860 +[ 374.569463] ? blkdev_writepages+0x10/0x10 +[ 374.574037] ? prep_new_page+0x88/0x130 +[ 374.578329] ? get_page_from_freelist+0xa2f/0x1280 +[ 374.583688] ? __alloc_pages_nodemask+0x179/0x320 +[ 374.588947] read_cache_page+0x12/0x20 +[ 374.593142] read_dev_sector+0x2d/0xd0 +[ 374.597337] read_lba+0x104/0x1f0 +[ 374.601046] find_valid_gpt+0xfa/0x720 +[ 374.605243] ? string_nocheck+0x58/0x70 +[ 374.609534] ? find_valid_gpt+0x720/0x720 +[ 374.614016] efi_partition+0x89/0x430 +[ 374.618113] ? string+0x48/0x60 +[ 374.621632] ? snprintf+0x49/0x70 +[ 374.625339] ? find_valid_gpt+0x720/0x720 +[ 374.629828] check_partition+0x116/0x210 +[ 374.634214] rescan_partitions+0xb6/0x360 +[ 374.638699] __blkdev_reread_part+0x64/0x70 +[ 374.643377] blkdev_reread_part+0x23/0x40 +[ 374.647860] blkdev_ioctl+0x48c/0x990 +[ 374.651956] block_ioctl+0x41/0x50 +[ 374.655766] do_vfs_ioctl+0xa7/0x600 +[ 374.659766] ? locks_lock_inode_wait+0xb1/0x150 +[ 374.664832] ksys_ioctl+0x67/0x90 +[ 374.668539] __x64_sys_ioctl+0x1a/0x20 +[ 374.672732] do_syscall_64+0x5a/0x1c0 +[ 374.676828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 374.738474] INFO: task nvmeadm:49141 blocked for more than 123 seconds. +[ 374.745871] Not tainted 5.2.0-rc3-mpdebug+ #42 +[ 374.751419] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 374.760170] nvmeadm D 0 49141 36333 0x00004080 +[ 374.766301] Call Trace: +[ 374.769038] __schedule+0x2ef/0x620 +[ 374.772939] schedule+0x38/0xa0 +[ 374.776452] blk_mq_freeze_queue_wait+0x59/0x100 +[ 374.781614] ? remove_wait_queue+0x60/0x60 +[ 374.786192] blk_mq_freeze_queue+0x1a/0x20 +[ 374.790773] nvme_update_disk_info.isra.57+0x5f/0x350 [nvme_core] +[ 374.797582] ? nvme_identify_ns.isra.50+0x71/0xc0 [nvme_core] +[ 374.804006] __nvme_revalidate_disk+0xe5/0x110 [nvme_core] +[ 374.810139] nvme_revalidate_disk+0xa6/0x120 [nvme_core] +[ 374.816078] ? nvme_submit_user_cmd+0x11e/0x320 [nvme_core] +[ 374.822299] nvme_user_cmd+0x264/0x370 [nvme_core] +[ 374.827661] nvme_dev_ioctl+0x112/0x1d0 [nvme_core] +[ 374.833114] do_vfs_ioctl+0xa7/0x600 +[ 374.837117] ? __audit_syscall_entry+0xdd/0x130 +[ 374.842184] ksys_ioctl+0x67/0x90 +[ 374.845891] __x64_sys_ioctl+0x1a/0x20 +[ 374.850082] do_syscall_64+0x5a/0x1c0 +[ 374.854178] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +-- + +Reported-by: James Puthukattukaran +Tested-by: James Puthukattukaran +Reviewed-by: Keith Busch +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++++ + drivers/nvme/host/multipath.c | 30 ++++++++++++++++++++++++++++++ + drivers/nvme/host/nvme.h | 12 ++++++++++++ + 3 files changed, 47 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index dfbd5872f4422..05301b94e2fa0 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1268,6 +1268,9 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns, + */ + if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) { + mutex_lock(&ctrl->scan_lock); ++ mutex_lock(&ctrl->subsys->lock); ++ nvme_mpath_start_freeze(ctrl->subsys); ++ nvme_mpath_wait_freeze(ctrl->subsys); + nvme_start_freeze(ctrl); + nvme_wait_freeze(ctrl); + } +@@ -1298,6 +1301,8 @@ static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects) + nvme_update_formats(ctrl); + if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) { + nvme_unfreeze(ctrl); ++ nvme_mpath_unfreeze(ctrl->subsys); ++ mutex_unlock(&ctrl->subsys->lock); + mutex_unlock(&ctrl->scan_lock); + } + if (effects & NVME_CMD_EFFECTS_CCC) +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index e942b3e840687..dafb9e4aa1237 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -12,6 +12,36 @@ module_param(multipath, bool, 0444); + MODULE_PARM_DESC(multipath, + "turn on native support for multiple controllers per subsystem"); + ++void nvme_mpath_unfreeze(struct nvme_subsystem *subsys) ++{ ++ struct nvme_ns_head *h; ++ ++ lockdep_assert_held(&subsys->lock); ++ list_for_each_entry(h, &subsys->nsheads, entry) ++ if (h->disk) ++ blk_mq_unfreeze_queue(h->disk->queue); ++} ++ ++void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys) ++{ ++ struct nvme_ns_head *h; ++ ++ lockdep_assert_held(&subsys->lock); ++ list_for_each_entry(h, &subsys->nsheads, entry) ++ if (h->disk) ++ blk_mq_freeze_queue_wait(h->disk->queue); ++} ++ ++void nvme_mpath_start_freeze(struct nvme_subsystem *subsys) ++{ ++ struct nvme_ns_head *h; ++ ++ lockdep_assert_held(&subsys->lock); ++ list_for_each_entry(h, &subsys->nsheads, entry) ++ if (h->disk) ++ blk_freeze_queue_start(h->disk->queue); ++} ++ + /* + * If multipathing is enabled we need to always use the subsystem instance + * number for numbering our devices to avoid conflicts between subsystems that +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 7391cd0a7739e..b8b45822f7be0 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -477,6 +477,9 @@ static inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl) + return ctrl->ana_log_buf != NULL; + } + ++void nvme_mpath_unfreeze(struct nvme_subsystem *subsys); ++void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys); ++void nvme_mpath_start_freeze(struct nvme_subsystem *subsys); + void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, + struct nvme_ctrl *ctrl, int *flags); + void nvme_failover_req(struct request *req); +@@ -555,6 +558,15 @@ static inline void nvme_mpath_uninit(struct nvme_ctrl *ctrl) + static inline void nvme_mpath_stop(struct nvme_ctrl *ctrl) + { + } ++static inline void nvme_mpath_unfreeze(struct nvme_subsystem *subsys) ++{ ++} ++static inline void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys) ++{ ++} ++static inline void nvme_mpath_start_freeze(struct nvme_subsystem *subsys) ++{ ++} + #endif /* CONFIG_NVME_MULTIPATH */ + + #ifdef CONFIG_NVM +-- +2.20.1 + diff --git a/queue-5.2/nvme-fix-controller-removal-race-with-scan-work.patch b/queue-5.2/nvme-fix-controller-removal-race-with-scan-work.patch new file mode 100644 index 00000000000..70e40bc0f06 --- /dev/null +++ b/queue-5.2/nvme-fix-controller-removal-race-with-scan-work.patch @@ -0,0 +1,218 @@ +From 04987d1f22a86717b4bd72b16a72c4e0029e95b5 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Thu, 25 Jul 2019 11:56:57 -0700 +Subject: nvme: fix controller removal race with scan work + +[ Upstream commit 0157ec8dad3c8fc9bc9790f76e0831ffdaf2e7f0 ] + +With multipath enabled, nvme_scan_work() can read from the device +(through nvme_mpath_add_disk()) and hang [1]. However, with fabrics, +once ctrl->state is set to NVME_CTRL_DELETING, the reads will hang +(see nvmf_check_ready()) and the mpath stack device make_request +will block if head->list is not empty. However, when the head->list +consistst of only DELETING/DEAD controllers, we should actually not +block, but rather fail immediately. + +In addition, before we go ahead and remove the namespaces, make sure +to clear the current path and kick the requeue list so that the +request will fast fail upon requeuing. + +[1]: +-- + INFO: task kworker/u4:3:166 blocked for more than 120 seconds. + Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + kworker/u4:3 D 0 166 2 0x80004000 + Workqueue: nvme-wq nvme_scan_work + Call Trace: + __schedule+0x851/0x1400 + schedule+0x99/0x210 + io_schedule+0x21/0x70 + do_read_cache_page+0xa57/0x1330 + read_cache_page+0x4a/0x70 + read_dev_sector+0xbf/0x380 + amiga_partition+0xc4/0x1230 + check_partition+0x30f/0x630 + rescan_partitions+0x19a/0x980 + __blkdev_get+0x85a/0x12f0 + blkdev_get+0x2a5/0x790 + __device_add_disk+0xe25/0x1250 + device_add_disk+0x13/0x20 + nvme_mpath_set_live+0x172/0x2b0 + nvme_update_ns_ana_state+0x130/0x180 + nvme_set_ns_ana_state+0x9a/0xb0 + nvme_parse_ana_log+0x1c3/0x4a0 + nvme_mpath_add_disk+0x157/0x290 + nvme_validate_ns+0x1017/0x1bd0 + nvme_scan_work+0x44d/0x6a0 + process_one_work+0x7d7/0x1240 + worker_thread+0x8e/0xff0 + kthread+0x2c3/0x3b0 + ret_from_fork+0x35/0x40 + + INFO: task kworker/u4:1:1034 blocked for more than 120 seconds. + Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + kworker/u4:1 D 0 1034 2 0x80004000 + Workqueue: nvme-delete-wq nvme_delete_ctrl_work + Call Trace: + __schedule+0x851/0x1400 + schedule+0x99/0x210 + schedule_timeout+0x390/0x830 + wait_for_completion+0x1a7/0x310 + __flush_work+0x241/0x5d0 + flush_work+0x10/0x20 + nvme_remove_namespaces+0x85/0x3d0 + nvme_do_delete_ctrl+0xb4/0x1e0 + nvme_delete_ctrl_work+0x15/0x20 + process_one_work+0x7d7/0x1240 + worker_thread+0x8e/0xff0 + kthread+0x2c3/0x3b0 + ret_from_fork+0x35/0x40 +-- + +Reported-by: Logan Gunthorpe +Tested-by: Logan Gunthorpe +Reviewed-by: Logan Gunthorpe +Reviewed-by: Ming Lei +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 7 ++++++ + drivers/nvme/host/multipath.c | 46 ++++++++++++++++++++++++++++++----- + drivers/nvme/host/nvme.h | 9 +++++-- + 3 files changed, 54 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 05301b94e2fa0..601509b3251ae 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3529,6 +3529,13 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl) + struct nvme_ns *ns, *next; + LIST_HEAD(ns_list); + ++ /* ++ * make sure to requeue I/O to all namespaces as these ++ * might result from the scan itself and must complete ++ * for the scan_work to make progress ++ */ ++ nvme_mpath_clear_ctrl_paths(ctrl); ++ + /* prevent racing with ns scanning */ + flush_work(&ctrl->scan_work); + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index dafb9e4aa1237..747c0d4f9ff5b 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -134,18 +134,34 @@ static const char *nvme_ana_state_names[] = { + [NVME_ANA_CHANGE] = "change", + }; + +-void nvme_mpath_clear_current_path(struct nvme_ns *ns) ++bool nvme_mpath_clear_current_path(struct nvme_ns *ns) + { + struct nvme_ns_head *head = ns->head; ++ bool changed = false; + int node; + + if (!head) +- return; ++ goto out; + + for_each_node(node) { +- if (ns == rcu_access_pointer(head->current_path[node])) ++ if (ns == rcu_access_pointer(head->current_path[node])) { + rcu_assign_pointer(head->current_path[node], NULL); ++ changed = true; ++ } + } ++out: ++ return changed; ++} ++ ++void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl) ++{ ++ struct nvme_ns *ns; ++ ++ mutex_lock(&ctrl->scan_lock); ++ list_for_each_entry(ns, &ctrl->namespaces, list) ++ if (nvme_mpath_clear_current_path(ns)) ++ kblockd_schedule_work(&ns->head->requeue_work); ++ mutex_unlock(&ctrl->scan_lock); + } + + static struct nvme_ns *__nvme_find_path(struct nvme_ns_head *head, int node) +@@ -248,6 +264,24 @@ inline struct nvme_ns *nvme_find_path(struct nvme_ns_head *head) + return ns; + } + ++static bool nvme_available_path(struct nvme_ns_head *head) ++{ ++ struct nvme_ns *ns; ++ ++ list_for_each_entry_rcu(ns, &head->list, siblings) { ++ switch (ns->ctrl->state) { ++ case NVME_CTRL_LIVE: ++ case NVME_CTRL_RESETTING: ++ case NVME_CTRL_CONNECTING: ++ /* fallthru */ ++ return true; ++ default: ++ break; ++ } ++ } ++ return false; ++} ++ + static blk_qc_t nvme_ns_head_make_request(struct request_queue *q, + struct bio *bio) + { +@@ -274,14 +308,14 @@ static blk_qc_t nvme_ns_head_make_request(struct request_queue *q, + disk_devt(ns->head->disk), + bio->bi_iter.bi_sector); + ret = direct_make_request(bio); +- } else if (!list_empty_careful(&head->list)) { +- dev_warn_ratelimited(dev, "no path available - requeuing I/O\n"); ++ } else if (nvme_available_path(head)) { ++ dev_warn_ratelimited(dev, "no usable path - requeuing I/O\n"); + + spin_lock_irq(&head->requeue_lock); + bio_list_add(&head->requeue_list, bio); + spin_unlock_irq(&head->requeue_lock); + } else { +- dev_warn_ratelimited(dev, "no path - failing I/O\n"); ++ dev_warn_ratelimited(dev, "no available path - failing I/O\n"); + + bio->bi_status = BLK_STS_IOERR; + bio_endio(bio); +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index b8b45822f7be0..81215ca32671a 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -490,7 +490,8 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head); + int nvme_mpath_init(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id); + void nvme_mpath_uninit(struct nvme_ctrl *ctrl); + void nvme_mpath_stop(struct nvme_ctrl *ctrl); +-void nvme_mpath_clear_current_path(struct nvme_ns *ns); ++bool nvme_mpath_clear_current_path(struct nvme_ns *ns); ++void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl); + struct nvme_ns *nvme_find_path(struct nvme_ns_head *head); + + static inline void nvme_mpath_check_last_path(struct nvme_ns *ns) +@@ -538,7 +539,11 @@ static inline void nvme_mpath_add_disk(struct nvme_ns *ns, + static inline void nvme_mpath_remove_disk(struct nvme_ns_head *head) + { + } +-static inline void nvme_mpath_clear_current_path(struct nvme_ns *ns) ++static inline bool nvme_mpath_clear_current_path(struct nvme_ns *ns) ++{ ++ return false; ++} ++static inline void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl) + { + } + static inline void nvme_mpath_check_last_path(struct nvme_ns *ns) +-- +2.20.1 + diff --git a/queue-5.2/nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch b/queue-5.2/nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch new file mode 100644 index 00000000000..823e81b43c5 --- /dev/null +++ b/queue-5.2/nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch @@ -0,0 +1,45 @@ +From b113b3d25810b79ec9a380e4b4e7b1f26761c0b8 Mon Sep 17 00:00:00 2001 +From: Anthony Iliopoulos +Date: Mon, 29 Jul 2019 14:40:40 +0200 +Subject: nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns + +[ Upstream commit fab7772bfbcfe8fb8e3e352a6a8fcaf044cded17 ] + +When CONFIG_NVME_MULTIPATH is set, only the hidden gendisk associated +with the per-controller ns is run through revalidate_disk when a +rescan is triggered, while the visible blockdev never gets its size +(bdev->bd_inode->i_size) updated to reflect any capacity changes that +may have occurred. + +This prevents online resizing of nvme block devices and in extension of +any filesystems atop that will are unable to expand while mounted, as +userspace relies on the blockdev size for obtaining the disk capacity +(via BLKGETSIZE/64 ioctls). + +Fix this by explicitly revalidating the actual namespace gendisk in +addition to the per-controller gendisk, when multipath is enabled. + +Signed-off-by: Anthony Iliopoulos +Reviewed-by: Sagi Grimberg +Reviewed-by: Johannes Thumshirn +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 5deb4deb38209..ab1a2b1ec3637 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1668,6 +1668,7 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id) + if (ns->head->disk) { + nvme_update_disk_info(ns->head->disk, ns, id); + blk_queue_stack_limits(ns->head->disk->queue, ns->queue); ++ revalidate_disk(ns->head->disk); + } + #endif + } +-- +2.20.1 + diff --git a/queue-5.2/nvme-pci-fix-async-probe-remove-race.patch b/queue-5.2/nvme-pci-fix-async-probe-remove-race.patch new file mode 100644 index 00000000000..ccf086101d0 --- /dev/null +++ b/queue-5.2/nvme-pci-fix-async-probe-remove-race.patch @@ -0,0 +1,45 @@ +From f28f059b2a4b7e70d4a8871c120d70a4d43663fa Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 29 Jul 2019 16:34:52 -0600 +Subject: nvme-pci: Fix async probe remove race + +[ Upstream commit bd46a90634302bfe791e93ad5496f98f165f7ae0 ] + +Ensure the controller is not in the NEW state when nvme_probe() exits. +This will always allow a subsequent nvme_remove() to set the state to +DELETING, fixing a potential race between the initial asynchronous probe +and device removal. + +Reported-by: Li Zhong +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index f9959eaaa185e..09ffd21d18096 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2712,7 +2712,7 @@ static void nvme_async_probe(void *data, async_cookie_t cookie) + { + struct nvme_dev *dev = data; + +- nvme_reset_ctrl_sync(&dev->ctrl); ++ flush_work(&dev->ctrl.reset_work); + flush_work(&dev->ctrl.scan_work); + nvme_put_ctrl(&dev->ctrl); + } +@@ -2778,6 +2778,7 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev)); + ++ nvme_reset_ctrl(&dev->ctrl); + nvme_get_ctrl(&dev->ctrl); + async_schedule(nvme_async_probe, dev); + +-- +2.20.1 + diff --git a/queue-5.2/nvme-rdma-fix-possible-use-after-free-in-connect-err.patch b/queue-5.2/nvme-rdma-fix-possible-use-after-free-in-connect-err.patch new file mode 100644 index 00000000000..7c4c1ca194c --- /dev/null +++ b/queue-5.2/nvme-rdma-fix-possible-use-after-free-in-connect-err.patch @@ -0,0 +1,92 @@ +From d297bea0cb9157d8ad1ecd849f31a29cdb35a3b6 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Fri, 26 Jul 2019 10:29:49 -0700 +Subject: nvme-rdma: fix possible use-after-free in connect error flow + +[ Upstream commit d94211b8bad3787e0655a67284105f57db728cb1 ] + +When start_queue fails, we need to make sure to drain the +queue cq before freeing the rdma resources because we might +still race with the completion path. Have start_queue() error +path safely stop the queue. + +-- +[30371.808111] nvme nvme1: Failed reconnect attempt 11 +[30371.808113] nvme nvme1: Reconnecting in 10 seconds... +[...] +[30382.069315] nvme nvme1: creating 4 I/O queues. +[30382.257058] nvme nvme1: Connect Invalid SQE Parameter, qid 4 +[30382.257061] nvme nvme1: failed to connect queue: 4 ret=386 +[30382.305001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 +[30382.305022] IP: qedr_poll_cq+0x8a3/0x1170 [qedr] +[30382.305028] PGD 0 P4D 0 +[30382.305037] Oops: 0000 [#1] SMP PTI +[...] +[30382.305153] Call Trace: +[30382.305166] ? __switch_to_asm+0x34/0x70 +[30382.305187] __ib_process_cq+0x56/0xd0 [ib_core] +[30382.305201] ib_poll_handler+0x26/0x70 [ib_core] +[30382.305213] irq_poll_softirq+0x88/0x110 +[30382.305223] ? sort_range+0x20/0x20 +[30382.305232] __do_softirq+0xde/0x2c6 +[30382.305241] ? sort_range+0x20/0x20 +[30382.305249] run_ksoftirqd+0x1c/0x60 +[30382.305258] smpboot_thread_fn+0xef/0x160 +[30382.305265] kthread+0x113/0x130 +[30382.305273] ? kthread_create_worker_on_cpu+0x50/0x50 +[30382.305281] ret_from_fork+0x35/0x40 +-- + +Reported-by: Nicolas Morey-Chaisemartin +Reviewed-by: Max Gurtovoy +Reviewed-by: Hannes Reinecke +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 97f668a39ae1c..7b074323bcdf2 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -562,13 +562,17 @@ out_destroy_cm_id: + return ret; + } + ++static void __nvme_rdma_stop_queue(struct nvme_rdma_queue *queue) ++{ ++ rdma_disconnect(queue->cm_id); ++ ib_drain_qp(queue->qp); ++} ++ + static void nvme_rdma_stop_queue(struct nvme_rdma_queue *queue) + { + if (!test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags)) + return; +- +- rdma_disconnect(queue->cm_id); +- ib_drain_qp(queue->qp); ++ __nvme_rdma_stop_queue(queue); + } + + static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) +@@ -607,11 +611,13 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx) + else + ret = nvmf_connect_admin_queue(&ctrl->ctrl); + +- if (!ret) ++ if (!ret) { + set_bit(NVME_RDMA_Q_LIVE, &queue->flags); +- else ++ } else { ++ __nvme_rdma_stop_queue(queue); + dev_info(ctrl->ctrl.device, + "failed to connect queue: %d ret=%d\n", idx, ret); ++ } + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.2/nvmet-file-fix-nvmet_file_flush-always-returning-an-.patch b/queue-5.2/nvmet-file-fix-nvmet_file_flush-always-returning-an-.patch new file mode 100644 index 00000000000..ee7fa2e5cf8 --- /dev/null +++ b/queue-5.2/nvmet-file-fix-nvmet_file_flush-always-returning-an-.patch @@ -0,0 +1,45 @@ +From 05903dd4c96d0eb06ea7a6ce6e3f246e3fa87d3d Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 31 Jul 2019 17:35:33 -0600 +Subject: nvmet-file: fix nvmet_file_flush() always returning an error + +[ Upstream commit cfc1a1af56200362d1508b82b9a3cc3acb2eae0c ] + +Presently, nvmet_file_flush() always returns a call to +errno_to_nvme_status() but that helper doesn't take into account the +case when errno=0. So nvmet_file_flush() always returns an error code. + +All other callers of errno_to_nvme_status() check for success before +calling it. + +To fix this, ensure errno_to_nvme_status() returns success if the +errno is zero. This should prevent future mistakes like this from +happening. + +Fixes: c6aa3542e010 ("nvmet: add error log support for file backend") +Signed-off-by: Logan Gunthorpe +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index e4db9a4411681..396cbc7ea3532 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -43,6 +43,9 @@ inline u16 errno_to_nvme_status(struct nvmet_req *req, int errno) + u16 status; + + switch (errno) { ++ case 0: ++ status = NVME_SC_SUCCESS; ++ break; + case -ENOSPC: + req->error_loc = offsetof(struct nvme_rw_command, length); + status = NVME_SC_CAP_EXCEEDED | NVME_SC_DNR; +-- +2.20.1 + diff --git a/queue-5.2/nvmet-fix-use-after-free-bug-when-a-port-is-removed.patch b/queue-5.2/nvmet-fix-use-after-free-bug-when-a-port-is-removed.patch new file mode 100644 index 00000000000..1a602287ee0 --- /dev/null +++ b/queue-5.2/nvmet-fix-use-after-free-bug-when-a-port-is-removed.patch @@ -0,0 +1,80 @@ +From cccaea7f9069c7f847210c74686db5b9b36c3d2c Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 31 Jul 2019 17:35:31 -0600 +Subject: nvmet: Fix use-after-free bug when a port is removed + +[ Upstream commit 3aed86731ee2b23e4dc4d2c6d943d33992cd551b ] + +When a port is removed through configfs, any connected controllers +are still active and can still send commands. This causes a +use-after-free bug which is detected by KASAN for any admin command +that dereferences req->port (like in nvmet_execute_identify_ctrl). + +To fix this, disconnect all active controllers when a subsystem is +removed from a port. This ensures there are no active controllers +when the port is eventually removed. + +Signed-off-by: Logan Gunthorpe +Reviewed-by: Sagi Grimberg +Reviewed-by: Max Gurtovoy +Reviewed-by : Chaitanya Kulkarni +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 1 + + drivers/nvme/target/core.c | 12 ++++++++++++ + drivers/nvme/target/nvmet.h | 3 +++ + 3 files changed, 16 insertions(+) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index 08dd5af357f7c..3854363118ccf 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -673,6 +673,7 @@ static void nvmet_port_subsys_drop_link(struct config_item *parent, + + found: + list_del(&p->entry); ++ nvmet_port_del_ctrls(port, subsys); + nvmet_port_disc_changed(port, subsys); + + if (list_empty(&port->subsystems)) +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 7734a6acff851..e4db9a4411681 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -277,6 +277,18 @@ void nvmet_unregister_transport(const struct nvmet_fabrics_ops *ops) + } + EXPORT_SYMBOL_GPL(nvmet_unregister_transport); + ++void nvmet_port_del_ctrls(struct nvmet_port *port, struct nvmet_subsys *subsys) ++{ ++ struct nvmet_ctrl *ctrl; ++ ++ mutex_lock(&subsys->lock); ++ list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry) { ++ if (ctrl->port == port) ++ ctrl->ops->delete_ctrl(ctrl); ++ } ++ mutex_unlock(&subsys->lock); ++} ++ + int nvmet_enable_port(struct nvmet_port *port) + { + const struct nvmet_fabrics_ops *ops; +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index c25d88fc9dec8..b6b0d483e0c50 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -415,6 +415,9 @@ void nvmet_port_send_ana_event(struct nvmet_port *port); + int nvmet_register_transport(const struct nvmet_fabrics_ops *ops); + void nvmet_unregister_transport(const struct nvmet_fabrics_ops *ops); + ++void nvmet_port_del_ctrls(struct nvmet_port *port, ++ struct nvmet_subsys *subsys); ++ + int nvmet_enable_port(struct nvmet_port *port); + void nvmet_disable_port(struct nvmet_port *port); + +-- +2.20.1 + diff --git a/queue-5.2/nvmet-loop-flush-nvme_delete_wq-when-removing-the-po.patch b/queue-5.2/nvmet-loop-flush-nvme_delete_wq-when-removing-the-po.patch new file mode 100644 index 00000000000..78e4e91fe5c --- /dev/null +++ b/queue-5.2/nvmet-loop-flush-nvme_delete_wq-when-removing-the-po.patch @@ -0,0 +1,50 @@ +From 1be9ecc8fdb7431e29e46195040329553699c20a Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 31 Jul 2019 17:35:32 -0600 +Subject: nvmet-loop: Flush nvme_delete_wq when removing the port + +[ Upstream commit 86b9a63e595ff03f9d0a7b92b6acc231fecefc29 ] + +After calling nvme_loop_delete_ctrl(), the controllers will not +yet be deleted because nvme_delete_ctrl() only schedules work +to do the delete. + +This means a race can occur if a port is removed but there +are still active controllers trying to access that memory. + +To fix this, flush the nvme_delete_wq before returning from +nvme_loop_remove_port() so that any controllers that might +be in the process of being deleted won't access a freed port. + +Signed-off-by: Logan Gunthorpe +Reviewed-by: Sagi Grimberg +Reviewed-by: Max Gurtovoy +Reviewed-by : Chaitanya Kulkarni +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 9e211ad6bdd3d..da9cd07461fbb 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -654,6 +654,14 @@ static void nvme_loop_remove_port(struct nvmet_port *port) + mutex_lock(&nvme_loop_ports_mutex); + list_del_init(&port->entry); + mutex_unlock(&nvme_loop_ports_mutex); ++ ++ /* ++ * Ensure any ctrls that are in the process of being ++ * deleted are in fact deleted before we return ++ * and free the port. This is to prevent active ++ * ctrls from using a port after it's freed. ++ */ ++ flush_workqueue(nvme_delete_wq); + } + + static const struct nvmet_fabrics_ops nvme_loop_ops = { +-- +2.20.1 + diff --git a/queue-5.2/omap-dma-omap_vout_vrfb-fix-off-by-one-fi-value.patch b/queue-5.2/omap-dma-omap_vout_vrfb-fix-off-by-one-fi-value.patch new file mode 100644 index 00000000000..082a842e130 --- /dev/null +++ b/queue-5.2/omap-dma-omap_vout_vrfb-fix-off-by-one-fi-value.patch @@ -0,0 +1,78 @@ +From 6b4407195774cc3638f143ef16a33f59c6bdb136 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 9 Aug 2019 10:32:40 +0200 +Subject: omap-dma/omap_vout_vrfb: fix off-by-one fi value + +[ Upstream commit d555c34338cae844b207564c482e5a3fb089d25e ] + +The OMAP 4 TRM specifies that when using double-index addressing +the address increases by the ES plus the EI value minus 1 within +a frame. When a full frame is transferred, the address increases +by the ES plus the frame index (FI) value minus 1. + +The omap-dma code didn't account for the 'minus 1' in the FI register. +To get correct addressing, add 1 to the src_icg value. + +This was found when testing a hacked version of the media m2m-deinterlace.c +driver on a Pandaboard. + +The only other source that uses this feature is omap_vout_vrfb.c, +and that adds a + 1 when setting the dst_icg. This is a workaround +for the broken omap-dma.c behavior. So remove the workaround at the +same time that we fix omap-dma.c. + +I tested the omap_vout driver with a Beagle XM board to check that +the '+ 1' in omap_vout_vrfb.c was indeed a workaround for the omap-dma +bug. + +Signed-off-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Acked-by: Peter Ujfalusi +Acked-by: Mauro Carvalho Chehab +Link: https://lore.kernel.org/r/952e7f51-f208-9333-6f58-b7ed20d2ea0b@xs4all.nl +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/omap-dma.c | 4 ++-- + drivers/media/platform/omap/omap_vout_vrfb.c | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c +index ba2489d4ea246..ba27802efcd0a 100644 +--- a/drivers/dma/ti/omap-dma.c ++++ b/drivers/dma/ti/omap-dma.c +@@ -1234,7 +1234,7 @@ static struct dma_async_tx_descriptor *omap_dma_prep_dma_interleaved( + if (src_icg) { + d->ccr |= CCR_SRC_AMODE_DBLIDX; + d->ei = 1; +- d->fi = src_icg; ++ d->fi = src_icg + 1; + } else if (xt->src_inc) { + d->ccr |= CCR_SRC_AMODE_POSTINC; + d->fi = 0; +@@ -1249,7 +1249,7 @@ static struct dma_async_tx_descriptor *omap_dma_prep_dma_interleaved( + if (dst_icg) { + d->ccr |= CCR_DST_AMODE_DBLIDX; + sg->ei = 1; +- sg->fi = dst_icg; ++ sg->fi = dst_icg + 1; + } else if (xt->dst_inc) { + d->ccr |= CCR_DST_AMODE_POSTINC; + sg->fi = 0; +diff --git a/drivers/media/platform/omap/omap_vout_vrfb.c b/drivers/media/platform/omap/omap_vout_vrfb.c +index 29e3f5da59c1f..11ec048929e80 100644 +--- a/drivers/media/platform/omap/omap_vout_vrfb.c ++++ b/drivers/media/platform/omap/omap_vout_vrfb.c +@@ -253,8 +253,7 @@ int omap_vout_prepare_vrfb(struct omap_vout_device *vout, + */ + + pixsize = vout->bpp * vout->vrfb_bpp; +- dst_icg = ((MAX_PIXELS_PER_LINE * pixsize) - +- (vout->pix.width * vout->bpp)) + 1; ++ dst_icg = MAX_PIXELS_PER_LINE * pixsize - vout->pix.width * vout->bpp; + + xt->src_start = vout->buf_phy_addr[vb->i]; + xt->dst_start = vout->vrfb_context[vb->i].paddr[0]; +-- +2.20.1 + diff --git a/queue-5.2/riscv-fix-flush_tlb_range-end-address-for-flush_tlb_.patch b/queue-5.2/riscv-fix-flush_tlb_range-end-address-for-flush_tlb_.patch new file mode 100644 index 00000000000..583e57a8b58 --- /dev/null +++ b/queue-5.2/riscv-fix-flush_tlb_range-end-address-for-flush_tlb_.patch @@ -0,0 +1,58 @@ +From 83be67ff23d2c8c144f36f375ec5efb098eaaeec Mon Sep 17 00:00:00 2001 +From: Paul Walmsley +Date: Wed, 7 Aug 2019 19:07:34 -0700 +Subject: riscv: fix flush_tlb_range() end address for flush_tlb_page() + +[ Upstream commit eb93685847a9055283d05951c1b205e737f38533 ] + +The RISC-V kernel implementation of flush_tlb_page() when CONFIG_SMP +is set is wrong. It passes zero to flush_tlb_range() as the final +address to flush, but it should be at least 'addr'. + +Some other Linux architecture ports use the beginning address to +flush, plus PAGE_SIZE, as the final address to flush. This might +flush slightly more than what's needed, but it seems unlikely that +being more clever would improve anything. So let's just take that +implementation for now. + +While here, convert the macro into a static inline function, primarily +to avoid unintentional multiple evaluations of 'addr'. + +This second version of the patch fixes a coding style issue found by +Christoph Hellwig . + +Reported-by: Andreas Schwab +Signed-off-by: Paul Walmsley +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/tlbflush.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h +index 687dd19735a7e..4d9bbe8438bf6 100644 +--- a/arch/riscv/include/asm/tlbflush.h ++++ b/arch/riscv/include/asm/tlbflush.h +@@ -53,10 +53,17 @@ static inline void remote_sfence_vma(struct cpumask *cmask, unsigned long start, + } + + #define flush_tlb_all() sbi_remote_sfence_vma(NULL, 0, -1) +-#define flush_tlb_page(vma, addr) flush_tlb_range(vma, addr, 0) ++ + #define flush_tlb_range(vma, start, end) \ + remote_sfence_vma(mm_cpumask((vma)->vm_mm), start, (end) - (start)) +-#define flush_tlb_mm(mm) \ ++ ++static inline void flush_tlb_page(struct vm_area_struct *vma, ++ unsigned long addr) ++{ ++ flush_tlb_range(vma, addr, addr + PAGE_SIZE); ++} ++ ++#define flush_tlb_mm(mm) \ + remote_sfence_vma(mm_cpumask(mm), 0, -1) + + #endif /* CONFIG_SMP */ +-- +2.20.1 + diff --git a/queue-5.2/selftests-bpf-install-files-test_xdp_vlan.sh.patch b/queue-5.2/selftests-bpf-install-files-test_xdp_vlan.sh.patch new file mode 100644 index 00000000000..b59f8b7b56b --- /dev/null +++ b/queue-5.2/selftests-bpf-install-files-test_xdp_vlan.sh.patch @@ -0,0 +1,43 @@ +From d66018ceed12604e94d52a9d1d86446bb900fec2 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Tue, 20 Aug 2019 15:41:21 +0200 +Subject: selftests/bpf: install files test_xdp_vlan.sh + +[ Upstream commit 3035bb72ee47d494c041465b4add9c6407c832ed ] + +When ./test_xdp_vlan_mode_generic.sh runs it complains that it can't +find file test_xdp_vlan.sh. + + # selftests: bpf: test_xdp_vlan_mode_generic.sh + # ./test_xdp_vlan_mode_generic.sh: line 9: ./test_xdp_vlan.sh: No such + file or directory + +Rework so that test_xdp_vlan.sh gets installed, added to the variable +TEST_PROGS_EXTENDED. + +Fixes: d35661fcf95d ("selftests/bpf: add wrapper scripts for test_xdp_vlan.sh") +Signed-off-by: Anders Roxell +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index b9e88ccc289ba..adced69d026e5 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -61,7 +61,8 @@ TEST_PROGS := test_kmod.sh \ + TEST_PROGS_EXTENDED := with_addr.sh \ + with_tunnels.sh \ + tcp_client.py \ +- tcp_server.py ++ tcp_server.py \ ++ test_xdp_vlan.sh + + # Compile but not part of 'make run_tests' + TEST_GEN_PROGS_EXTENDED = test_libbpf_open test_sock_addr test_skb_cgroup_id_user \ +-- +2.20.1 + diff --git a/queue-5.2/series b/queue-5.2/series new file mode 100644 index 00000000000..e325a9209bb --- /dev/null +++ b/queue-5.2/series @@ -0,0 +1,47 @@ +dmaengine-ste_dma40-fix-unneeded-variable-warning.patch +nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch +afs-fix-the-cb.probeuuid-service-handler-to-reply-co.patch +afs-fix-loop-index-mixup-in-afs_deliver_vl_get_entry.patch +fs-afs-fix-a-possible-null-pointer-dereference-in-af.patch +afs-fix-off-by-one-in-afs_rename-expected-data-versi.patch +afs-only-update-d_fsdata-if-different-in-afs_d_reval.patch +afs-fix-missing-dentry-data-version-updating.patch +nvmet-fix-use-after-free-bug-when-a-port-is-removed.patch +nvmet-loop-flush-nvme_delete_wq-when-removing-the-po.patch +nvmet-file-fix-nvmet_file_flush-always-returning-an-.patch +nvme-core-fix-extra-device_put-call-on-error-path.patch +nvme-fix-a-possible-deadlock-when-passthru-commands-.patch +nvme-rdma-fix-possible-use-after-free-in-connect-err.patch +nvme-fix-controller-removal-race-with-scan-work.patch +nvme-pci-fix-async-probe-remove-race.patch +soundwire-cadence_master-fix-register-definition-for.patch +soundwire-cadence_master-fix-definitions-for-intstat.patch +auxdisplay-panel-need-to-delete-scan_timer-when-misc.patch +btrfs-trim-check-the-range-passed-into-to-prevent-ov.patch +ib-mlx5-fix-implicit-mr-release-flow.patch +dmaengine-stm32-mdma-fix-a-possible-null-pointer-der.patch +omap-dma-omap_vout_vrfb-fix-off-by-one-fi-value.patch +iommu-dma-handle-sg-length-overflow-better.patch +dma-direct-don-t-truncate-dma_required_mask-to-bus-a.patch +usb-gadget-composite-clear-suspended-on-reset-discon.patch +usb-gadget-mass_storage-fix-races-between-fsg_disabl.patch +habanalabs-fix-dram-usage-accounting-on-context-tear.patch +habanalabs-fix-endianness-handling-for-packets-from-.patch +habanalabs-fix-completion-queue-handling-when-host-i.patch +habanalabs-fix-endianness-handling-for-internal-qman.patch +habanalabs-fix-device-irq-unmasking-for-be-host.patch +xen-blkback-fix-memory-leaks.patch +arm64-cpufeature-don-t-treat-granule-sizes-as-strict.patch +riscv-fix-flush_tlb_range-end-address-for-flush_tlb_.patch +i2c-rcar-avoid-race-when-unregistering-slave-client.patch +i2c-emev2-avoid-race-when-unregistering-slave-client.patch +drm-scheduler-use-job-count-instead-of-peek.patch +drm-ast-fixed-reboot-test-may-cause-system-hanged.patch +usb-host-fotg2-restart-hcd-after-port-reset.patch +tools-hv-fixed-python-pep8-flake8-warnings-for-lsvmb.patch +tools-hv-fix-kvp-and-vss-daemons-exit-code.patch +locking-rwsem-add-missing-acquire-to-read_slowpath-e.patch +lcoking-rwsem-add-missing-acquire-to-read_slowpath-s.patch +watchdog-bcm2835_wdt-fix-module-autoload.patch +selftests-bpf-install-files-test_xdp_vlan.sh.patch +drm-bridge-tfp410-fix-memleak-in-get_modes.patch diff --git a/queue-5.2/soundwire-cadence_master-fix-definitions-for-intstat.patch b/queue-5.2/soundwire-cadence_master-fix-definitions-for-intstat.patch new file mode 100644 index 00000000000..641e3e578e6 --- /dev/null +++ b/queue-5.2/soundwire-cadence_master-fix-definitions-for-intstat.patch @@ -0,0 +1,36 @@ +From 08f4f5558009a3e0eea3a687a014f1f1a38ebc17 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Thu, 25 Jul 2019 18:40:06 -0500 +Subject: soundwire: cadence_master: fix definitions for INTSTAT0/1 + +[ Upstream commit 664b16589f882202b8fa8149d0074f3159bade76 ] + +Two off-by-one errors: INTSTAT0 missed BIT(31) and INTSTAT1 is only +defined on first 16 bits. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20190725234032.21152-15-pierre-louis.bossart@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/cadence_master.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c +index 18afb2e21dc9a..57ed2e2024bf4 100644 +--- a/drivers/soundwire/cadence_master.c ++++ b/drivers/soundwire/cadence_master.c +@@ -95,8 +95,8 @@ + #define CDNS_MCP_SLAVE_INTMASK0 0x5C + #define CDNS_MCP_SLAVE_INTMASK1 0x60 + +-#define CDNS_MCP_SLAVE_INTMASK0_MASK GENMASK(30, 0) +-#define CDNS_MCP_SLAVE_INTMASK1_MASK GENMASK(16, 0) ++#define CDNS_MCP_SLAVE_INTMASK0_MASK GENMASK(31, 0) ++#define CDNS_MCP_SLAVE_INTMASK1_MASK GENMASK(15, 0) + + #define CDNS_MCP_PORT_INTSTAT 0x64 + #define CDNS_MCP_PDI_STAT 0x6C +-- +2.20.1 + diff --git a/queue-5.2/soundwire-cadence_master-fix-register-definition-for.patch b/queue-5.2/soundwire-cadence_master-fix-register-definition-for.patch new file mode 100644 index 00000000000..5108bffb767 --- /dev/null +++ b/queue-5.2/soundwire-cadence_master-fix-register-definition-for.patch @@ -0,0 +1,35 @@ +From b7b1442e51d2f8ddc6ac884d746ab3cec35716a8 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Thu, 25 Jul 2019 18:40:05 -0500 +Subject: soundwire: cadence_master: fix register definition for SLAVE_STATE + +[ Upstream commit b07dd9b400981f487940a4d84292d3a0e7cd9362 ] + +wrong prefix and wrong macro. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20190725234032.21152-14-pierre-louis.bossart@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/cadence_master.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c +index 682789bb8ab30..18afb2e21dc9a 100644 +--- a/drivers/soundwire/cadence_master.c ++++ b/drivers/soundwire/cadence_master.c +@@ -80,8 +80,8 @@ + + #define CDNS_MCP_INTSET 0x4C + +-#define CDNS_SDW_SLAVE_STAT 0x50 +-#define CDNS_MCP_SLAVE_STAT_MASK BIT(1, 0) ++#define CDNS_MCP_SLAVE_STAT 0x50 ++#define CDNS_MCP_SLAVE_STAT_MASK GENMASK(1, 0) + + #define CDNS_MCP_SLAVE_INTSTAT0 0x54 + #define CDNS_MCP_SLAVE_INTSTAT1 0x58 +-- +2.20.1 + diff --git a/queue-5.2/tools-hv-fix-kvp-and-vss-daemons-exit-code.patch b/queue-5.2/tools-hv-fix-kvp-and-vss-daemons-exit-code.patch new file mode 100644 index 00000000000..23fb769844a --- /dev/null +++ b/queue-5.2/tools-hv-fix-kvp-and-vss-daemons-exit-code.patch @@ -0,0 +1,52 @@ +From 8fecd9182a59893e2e8e167ba09580b7c87b4b89 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Mon, 6 May 2019 16:50:58 +0000 +Subject: tools: hv: fix KVP and VSS daemons exit code + +[ Upstream commit b0995156071b0ff29a5902964a9dc8cfad6f81c0 ] + +HyperV KVP and VSS daemons should exit with 0 when the '--help' +or '-h' flags are used. + +Signed-off-by: Adrian Vladu + +Cc: "K. Y. Srinivasan" +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: Sasha Levin +Cc: Alessandro Pilotti +Signed-off-by: Sasha Levin +--- + tools/hv/hv_kvp_daemon.c | 2 ++ + tools/hv/hv_vss_daemon.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c +index d7e06fe0270ee..0ce50c319cfd6 100644 +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -1386,6 +1386,8 @@ int main(int argc, char *argv[]) + daemonize = 0; + break; + case 'h': ++ print_usage(argv); ++ exit(0); + default: + print_usage(argv); + exit(EXIT_FAILURE); +diff --git a/tools/hv/hv_vss_daemon.c b/tools/hv/hv_vss_daemon.c +index efe1e34dd91b4..8f813f5233d48 100644 +--- a/tools/hv/hv_vss_daemon.c ++++ b/tools/hv/hv_vss_daemon.c +@@ -218,6 +218,8 @@ int main(int argc, char *argv[]) + daemonize = 0; + break; + case 'h': ++ print_usage(argv); ++ exit(0); + default: + print_usage(argv); + exit(EXIT_FAILURE); +-- +2.20.1 + diff --git a/queue-5.2/tools-hv-fixed-python-pep8-flake8-warnings-for-lsvmb.patch b/queue-5.2/tools-hv-fixed-python-pep8-flake8-warnings-for-lsvmb.patch new file mode 100644 index 00000000000..4702d1204cb --- /dev/null +++ b/queue-5.2/tools-hv-fixed-python-pep8-flake8-warnings-for-lsvmb.patch @@ -0,0 +1,154 @@ +From 1f097c6cdb4db5c7a33202b69f04dba884589a45 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Mon, 6 May 2019 17:27:37 +0000 +Subject: tools: hv: fixed Python pep8/flake8 warnings for lsvmbus + +[ Upstream commit 5912e791f3018de0a007c8cfa9cb38c97d3e5f5c ] + +Fixed pep8/flake8 python style code for lsvmbus tool. + +The TAB indentation was on purpose ignored (pep8 rule W191) to make +sure the code is complying with the Linux code guideline. +The following command doe not show any warnings now: +pep8 --ignore=W191 lsvmbus +flake8 --ignore=W191 lsvmbus + +Signed-off-by: Adrian Vladu + +Cc: "K. Y. Srinivasan" +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: Sasha Levin +Cc: Dexuan Cui +Cc: Alessandro Pilotti +Signed-off-by: Sasha Levin +--- + tools/hv/lsvmbus | 75 +++++++++++++++++++++++++++--------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + +diff --git a/tools/hv/lsvmbus b/tools/hv/lsvmbus +index 55e7374bade0d..099f2c44dbed2 100644 +--- a/tools/hv/lsvmbus ++++ b/tools/hv/lsvmbus +@@ -4,10 +4,10 @@ + import os + from optparse import OptionParser + ++help_msg = "print verbose messages. Try -vv, -vvv for more verbose messages" + parser = OptionParser() +-parser.add_option("-v", "--verbose", dest="verbose", +- help="print verbose messages. Try -vv, -vvv for \ +- more verbose messages", action="count") ++parser.add_option( ++ "-v", "--verbose", dest="verbose", help=help_msg, action="count") + + (options, args) = parser.parse_args() + +@@ -21,27 +21,28 @@ if not os.path.isdir(vmbus_sys_path): + exit(-1) + + vmbus_dev_dict = { +- '{0e0b6031-5213-4934-818b-38d90ced39db}' : '[Operating system shutdown]', +- '{9527e630-d0ae-497b-adce-e80ab0175caf}' : '[Time Synchronization]', +- '{57164f39-9115-4e78-ab55-382f3bd5422d}' : '[Heartbeat]', +- '{a9a0f4e7-5a45-4d96-b827-8a841e8c03e6}' : '[Data Exchange]', +- '{35fa2e29-ea23-4236-96ae-3a6ebacba440}' : '[Backup (volume checkpoint)]', +- '{34d14be3-dee4-41c8-9ae7-6b174977c192}' : '[Guest services]', +- '{525074dc-8985-46e2-8057-a307dc18a502}' : '[Dynamic Memory]', +- '{cfa8b69e-5b4a-4cc0-b98b-8ba1a1f3f95a}' : 'Synthetic mouse', +- '{f912ad6d-2b17-48ea-bd65-f927a61c7684}' : 'Synthetic keyboard', +- '{da0a7802-e377-4aac-8e77-0558eb1073f8}' : 'Synthetic framebuffer adapter', +- '{f8615163-df3e-46c5-913f-f2d2f965ed0e}' : 'Synthetic network adapter', +- '{32412632-86cb-44a2-9b5c-50d1417354f5}' : 'Synthetic IDE Controller', +- '{ba6163d9-04a1-4d29-b605-72e2ffb1dc7f}' : 'Synthetic SCSI Controller', +- '{2f9bcc4a-0069-4af3-b76b-6fd0be528cda}' : 'Synthetic fiber channel adapter', +- '{8c2eaf3d-32a7-4b09-ab99-bd1f1c86b501}' : 'Synthetic RDMA adapter', +- '{44c4f61d-4444-4400-9d52-802e27ede19f}' : 'PCI Express pass-through', +- '{276aacf4-ac15-426c-98dd-7521ad3f01fe}' : '[Reserved system device]', +- '{f8e65716-3cb3-4a06-9a60-1889c5cccab5}' : '[Reserved system device]', +- '{3375baf4-9e15-4b30-b765-67acb10d607b}' : '[Reserved system device]', ++ '{0e0b6031-5213-4934-818b-38d90ced39db}': '[Operating system shutdown]', ++ '{9527e630-d0ae-497b-adce-e80ab0175caf}': '[Time Synchronization]', ++ '{57164f39-9115-4e78-ab55-382f3bd5422d}': '[Heartbeat]', ++ '{a9a0f4e7-5a45-4d96-b827-8a841e8c03e6}': '[Data Exchange]', ++ '{35fa2e29-ea23-4236-96ae-3a6ebacba440}': '[Backup (volume checkpoint)]', ++ '{34d14be3-dee4-41c8-9ae7-6b174977c192}': '[Guest services]', ++ '{525074dc-8985-46e2-8057-a307dc18a502}': '[Dynamic Memory]', ++ '{cfa8b69e-5b4a-4cc0-b98b-8ba1a1f3f95a}': 'Synthetic mouse', ++ '{f912ad6d-2b17-48ea-bd65-f927a61c7684}': 'Synthetic keyboard', ++ '{da0a7802-e377-4aac-8e77-0558eb1073f8}': 'Synthetic framebuffer adapter', ++ '{f8615163-df3e-46c5-913f-f2d2f965ed0e}': 'Synthetic network adapter', ++ '{32412632-86cb-44a2-9b5c-50d1417354f5}': 'Synthetic IDE Controller', ++ '{ba6163d9-04a1-4d29-b605-72e2ffb1dc7f}': 'Synthetic SCSI Controller', ++ '{2f9bcc4a-0069-4af3-b76b-6fd0be528cda}': 'Synthetic fiber channel adapter', ++ '{8c2eaf3d-32a7-4b09-ab99-bd1f1c86b501}': 'Synthetic RDMA adapter', ++ '{44c4f61d-4444-4400-9d52-802e27ede19f}': 'PCI Express pass-through', ++ '{276aacf4-ac15-426c-98dd-7521ad3f01fe}': '[Reserved system device]', ++ '{f8e65716-3cb3-4a06-9a60-1889c5cccab5}': '[Reserved system device]', ++ '{3375baf4-9e15-4b30-b765-67acb10d607b}': '[Reserved system device]', + } + ++ + def get_vmbus_dev_attr(dev_name, attr): + try: + f = open('%s/%s/%s' % (vmbus_sys_path, dev_name, attr), 'r') +@@ -52,6 +53,7 @@ def get_vmbus_dev_attr(dev_name, attr): + + return lines + ++ + class VMBus_Dev: + pass + +@@ -66,12 +68,13 @@ for f in os.listdir(vmbus_sys_path): + + chn_vp_mapping = get_vmbus_dev_attr(f, 'channel_vp_mapping') + chn_vp_mapping = [c.strip() for c in chn_vp_mapping] +- chn_vp_mapping = sorted(chn_vp_mapping, +- key = lambda c : int(c.split(':')[0])) ++ chn_vp_mapping = sorted( ++ chn_vp_mapping, key=lambda c: int(c.split(':')[0])) + +- chn_vp_mapping = ['\tRel_ID=%s, target_cpu=%s' % +- (c.split(':')[0], c.split(':')[1]) +- for c in chn_vp_mapping] ++ chn_vp_mapping = [ ++ '\tRel_ID=%s, target_cpu=%s' % ++ (c.split(':')[0], c.split(':')[1]) for c in chn_vp_mapping ++ ] + d = VMBus_Dev() + d.sysfs_path = '%s/%s' % (vmbus_sys_path, f) + d.vmbus_id = vmbus_id +@@ -85,7 +88,7 @@ for f in os.listdir(vmbus_sys_path): + vmbus_dev_list.append(d) + + +-vmbus_dev_list = sorted(vmbus_dev_list, key = lambda d : int(d.vmbus_id)) ++vmbus_dev_list = sorted(vmbus_dev_list, key=lambda d: int(d.vmbus_id)) + + format0 = '%2s: %s' + format1 = '%2s: Class_ID = %s - %s\n%s' +@@ -95,9 +98,15 @@ for d in vmbus_dev_list: + if verbose == 0: + print(('VMBUS ID ' + format0) % (d.vmbus_id, d.dev_desc)) + elif verbose == 1: +- print (('VMBUS ID ' + format1) % \ +- (d.vmbus_id, d.class_id, d.dev_desc, d.chn_vp_mapping)) ++ print( ++ ('VMBUS ID ' + format1) % ++ (d.vmbus_id, d.class_id, d.dev_desc, d.chn_vp_mapping) ++ ) + else: +- print (('VMBUS ID ' + format2) % \ +- (d.vmbus_id, d.class_id, d.dev_desc, \ +- d.device_id, d.sysfs_path, d.chn_vp_mapping)) ++ print( ++ ('VMBUS ID ' + format2) % ++ ( ++ d.vmbus_id, d.class_id, d.dev_desc, ++ d.device_id, d.sysfs_path, d.chn_vp_mapping ++ ) ++ ) +-- +2.20.1 + diff --git a/queue-5.2/usb-gadget-composite-clear-suspended-on-reset-discon.patch b/queue-5.2/usb-gadget-composite-clear-suspended-on-reset-discon.patch new file mode 100644 index 00000000000..479c9569e33 --- /dev/null +++ b/queue-5.2/usb-gadget-composite-clear-suspended-on-reset-discon.patch @@ -0,0 +1,33 @@ +From 68b86a91c579aa691031bdf2914f7e5cdc5d2fba Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 26 Jul 2019 14:59:03 +1000 +Subject: usb: gadget: composite: Clear "suspended" on reset/disconnect + +[ Upstream commit 602fda17c7356bb7ae98467d93549057481d11dd ] + +In some cases, one can get out of suspend with a reset or +a disconnect followed by a reconnect. Previously we would +leave a stale suspended flag set. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index b8a15840b4ffd..dfcabadeed01b 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1976,6 +1976,7 @@ void composite_disconnect(struct usb_gadget *gadget) + * disconnect callbacks? + */ + spin_lock_irqsave(&cdev->lock, flags); ++ cdev->suspended = 0; + if (cdev->config) + reset_config(cdev); + if (cdev->driver->disconnect) +-- +2.20.1 + diff --git a/queue-5.2/usb-gadget-mass_storage-fix-races-between-fsg_disabl.patch b/queue-5.2/usb-gadget-mass_storage-fix-races-between-fsg_disabl.patch new file mode 100644 index 00000000000..11cfaaa05db --- /dev/null +++ b/queue-5.2/usb-gadget-mass_storage-fix-races-between-fsg_disabl.patch @@ -0,0 +1,168 @@ +From 66df13b1beb68ea1ac09684c3c011ab8c15b6dd1 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 26 Jul 2019 14:59:04 +1000 +Subject: usb: gadget: mass_storage: Fix races between fsg_disable and + fsg_set_alt + +[ Upstream commit 4a56a478a525d6427be90753451c40e1327caa1a ] + +If fsg_disable() and fsg_set_alt() are called too closely to each +other (for example due to a quick reset/reconnect), what can happen +is that fsg_set_alt sets common->new_fsg from an interrupt while +handle_exception is trying to process the config change caused by +fsg_disable(): + + fsg_disable() + ... + handle_exception() + sets state back to FSG_STATE_NORMAL + hasn't yet called do_set_interface() + or is inside it. + + ---> interrupt + fsg_set_alt + sets common->new_fsg + queues a new FSG_STATE_CONFIG_CHANGE + <--- + +Now, the first handle_exception can "see" the updated +new_fsg, treats it as if it was a fsg_set_alt() response, +call usb_composite_setup_continue() etc... + +But then, the thread sees the second FSG_STATE_CONFIG_CHANGE, +and goes back down the same path, wipes and reattaches a now +active fsg, and .. calls usb_composite_setup_continue() which +at this point is wrong. + +Not only we get a backtrace, but I suspect the second set_interface +wrecks some state causing the host to get upset in my case. + +This fixes it by replacing "new_fsg" by a "state argument" (same +principle) which is set in the same lock section as the state +update, and retrieved similarly. + +That way, there is never any discrepancy between the dequeued +state and the observed value of it. We keep the ability to have +the latest reconfig operation take precedence, but we guarantee +that once "dequeued" the argument (new_fsg) will not be clobbered +by any new event. + +Signed-off-by: Benjamin Herrenschmidt +Acked-by: Alan Stern +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 28 +++++++++++++------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 043f97ad8f226..f2bc8d0370676 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -261,7 +261,7 @@ struct fsg_common; + struct fsg_common { + struct usb_gadget *gadget; + struct usb_composite_dev *cdev; +- struct fsg_dev *fsg, *new_fsg; ++ struct fsg_dev *fsg; + wait_queue_head_t io_wait; + wait_queue_head_t fsg_wait; + +@@ -290,6 +290,7 @@ struct fsg_common { + unsigned int bulk_out_maxpacket; + enum fsg_state state; /* For exception handling */ + unsigned int exception_req_tag; ++ void *exception_arg; + + enum data_direction data_dir; + u32 data_size; +@@ -391,7 +392,8 @@ static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep) + + /* These routines may be called in process context or in_irq */ + +-static void raise_exception(struct fsg_common *common, enum fsg_state new_state) ++static void __raise_exception(struct fsg_common *common, enum fsg_state new_state, ++ void *arg) + { + unsigned long flags; + +@@ -404,6 +406,7 @@ static void raise_exception(struct fsg_common *common, enum fsg_state new_state) + if (common->state <= new_state) { + common->exception_req_tag = common->ep0_req_tag; + common->state = new_state; ++ common->exception_arg = arg; + if (common->thread_task) + send_sig_info(SIGUSR1, SEND_SIG_PRIV, + common->thread_task); +@@ -411,6 +414,10 @@ static void raise_exception(struct fsg_common *common, enum fsg_state new_state) + spin_unlock_irqrestore(&common->lock, flags); + } + ++static void raise_exception(struct fsg_common *common, enum fsg_state new_state) ++{ ++ __raise_exception(common, new_state, NULL); ++} + + /*-------------------------------------------------------------------------*/ + +@@ -2285,16 +2292,16 @@ reset: + static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) + { + struct fsg_dev *fsg = fsg_from_func(f); +- fsg->common->new_fsg = fsg; +- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE); ++ ++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg); + return USB_GADGET_DELAYED_STATUS; + } + + static void fsg_disable(struct usb_function *f) + { + struct fsg_dev *fsg = fsg_from_func(f); +- fsg->common->new_fsg = NULL; +- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE); ++ ++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); + } + + +@@ -2307,6 +2314,7 @@ static void handle_exception(struct fsg_common *common) + enum fsg_state old_state; + struct fsg_lun *curlun; + unsigned int exception_req_tag; ++ struct fsg_dev *new_fsg; + + /* + * Clear the existing signals. Anything but SIGUSR1 is converted +@@ -2360,6 +2368,7 @@ static void handle_exception(struct fsg_common *common) + common->next_buffhd_to_fill = &common->buffhds[0]; + common->next_buffhd_to_drain = &common->buffhds[0]; + exception_req_tag = common->exception_req_tag; ++ new_fsg = common->exception_arg; + old_state = common->state; + common->state = FSG_STATE_NORMAL; + +@@ -2413,8 +2422,8 @@ static void handle_exception(struct fsg_common *common) + break; + + case FSG_STATE_CONFIG_CHANGE: +- do_set_interface(common, common->new_fsg); +- if (common->new_fsg) ++ do_set_interface(common, new_fsg); ++ if (new_fsg) + usb_composite_setup_continue(common->cdev); + break; + +@@ -2989,8 +2998,7 @@ static void fsg_unbind(struct usb_configuration *c, struct usb_function *f) + + DBG(fsg, "unbind\n"); + if (fsg->common->fsg == fsg) { +- fsg->common->new_fsg = NULL; +- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE); ++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); + /* FIXME: make interruptible or killable somehow? */ + wait_event(common->fsg_wait, common->fsg != fsg); + } +-- +2.20.1 + diff --git a/queue-5.2/usb-host-fotg2-restart-hcd-after-port-reset.patch b/queue-5.2/usb-host-fotg2-restart-hcd-after-port-reset.patch new file mode 100644 index 00000000000..a86cd848aee --- /dev/null +++ b/queue-5.2/usb-host-fotg2-restart-hcd-after-port-reset.patch @@ -0,0 +1,37 @@ +From 5711fa3fd105dfa9f1b053ddb44e6d7fab313310 Mon Sep 17 00:00:00 2001 +From: Hans Ulli Kroll +Date: Sat, 10 Aug 2019 17:04:58 +0200 +Subject: usb: host: fotg2: restart hcd after port reset + +[ Upstream commit 777758888ffe59ef754cc39ab2f275dc277732f4 ] + +On the Gemini SoC the FOTG2 stalls after port reset +so restart the HCD after each port reset. + +Signed-off-by: Hans Ulli Kroll +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20190810150458.817-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index 0da68df259c86..7bf621d40c5ae 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -1628,6 +1628,10 @@ static int fotg210_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + /* see what we found out */ + temp = check_reset_complete(fotg210, wIndex, status_reg, + fotg210_readl(fotg210, status_reg)); ++ ++ /* restart schedule */ ++ fotg210->command |= CMD_RUN; ++ fotg210_writel(fotg210, fotg210->command, &fotg210->regs->command); + } + + if (!(temp & (PORT_RESUME|PORT_RESET))) { +-- +2.20.1 + diff --git a/queue-5.2/watchdog-bcm2835_wdt-fix-module-autoload.patch b/queue-5.2/watchdog-bcm2835_wdt-fix-module-autoload.patch new file mode 100644 index 00000000000..ea46b16dc28 --- /dev/null +++ b/queue-5.2/watchdog-bcm2835_wdt-fix-module-autoload.patch @@ -0,0 +1,35 @@ +From c2d539c0c461c2a5537c9a24edba346b754492ea Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Wed, 15 May 2019 19:14:18 +0200 +Subject: watchdog: bcm2835_wdt: Fix module autoload + +[ Upstream commit 215e06f0d18d5d653d6ea269e4dfc684854d48bf ] + +The commit 5e6acc3e678e ("bcm2835-pm: Move bcm2835-watchdog's DT probe +to an MFD.") broke module autoloading on Raspberry Pi. So add a +module alias this fix this. + +Signed-off-by: Stefan Wahren +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/bcm2835_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/bcm2835_wdt.c b/drivers/watchdog/bcm2835_wdt.c +index 560c1c54c1779..f4937a91e5160 100644 +--- a/drivers/watchdog/bcm2835_wdt.c ++++ b/drivers/watchdog/bcm2835_wdt.c +@@ -240,6 +240,7 @@ module_param(nowayout, bool, 0); + MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started (default=" + __MODULE_STRING(WATCHDOG_NOWAYOUT) ")"); + ++MODULE_ALIAS("platform:bcm2835-wdt"); + MODULE_AUTHOR("Lubomir Rintel "); + MODULE_DESCRIPTION("Driver for Broadcom BCM2835 watchdog timer"); + MODULE_LICENSE("GPL"); +-- +2.20.1 + diff --git a/queue-5.2/xen-blkback-fix-memory-leaks.patch b/queue-5.2/xen-blkback-fix-memory-leaks.patch new file mode 100644 index 00000000000..060e409f526 --- /dev/null +++ b/queue-5.2/xen-blkback-fix-memory-leaks.patch @@ -0,0 +1,59 @@ +From e9812cd26c1320693e70844ad22cd5a5375111b5 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 11 Aug 2019 12:23:22 -0500 +Subject: xen/blkback: fix memory leaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ae78ca3cf3d9e9f914bfcd0bc5c389ff18b9c2e0 ] + +In read_per_ring_refs(), after 'req' and related memory regions are +allocated, xen_blkif_map() is invoked to map the shared frame, irq, and +etc. However, if this mapping process fails, no cleanup is performed, +leading to memory leaks. To fix this issue, invoke the cleanup before +returning the error. + +Acked-by: Roger Pau Monné +Reviewed-by: Boris Ostrovsky +Signed-off-by: Wenwen Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/xen-blkback/xenbus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c +index 3ac6a5d180717..b90dbcd99c03e 100644 +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -965,6 +965,7 @@ static int read_per_ring_refs(struct xen_blkif_ring *ring, const char *dir) + } + } + ++ err = -ENOMEM; + for (i = 0; i < nr_grefs * XEN_BLKIF_REQS_PER_PAGE; i++) { + req = kzalloc(sizeof(*req), GFP_KERNEL); + if (!req) +@@ -987,7 +988,7 @@ static int read_per_ring_refs(struct xen_blkif_ring *ring, const char *dir) + err = xen_blkif_map(ring, ring_ref, nr_grefs, evtchn); + if (err) { + xenbus_dev_fatal(dev, err, "mapping ring-ref port %u", evtchn); +- return err; ++ goto fail; + } + + return 0; +@@ -1007,8 +1008,7 @@ fail: + } + kfree(req); + } +- return -ENOMEM; +- ++ return err; + } + + static int connect_ring(struct backend_info *be) +-- +2.20.1 +