From: Sasha Levin Date: Thu, 20 Jun 2019 00:06:57 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v5.1.13~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a15a8890e43c48a82f918e06afb42fbc323118fb;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-pci-pm-add-missing-wakeup.flags.valid-checks.patch b/queue-4.19/acpi-pci-pm-add-missing-wakeup.flags.valid-checks.patch new file mode 100644 index 00000000000..782f07ab180 --- /dev/null +++ b/queue-4.19/acpi-pci-pm-add-missing-wakeup.flags.valid-checks.patch @@ -0,0 +1,58 @@ +From bb61347c921a0f1fe5e08b6dcc7f033445373a00 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 16 May 2019 12:42:20 +0200 +Subject: ACPI/PCI: PM: Add missing wakeup.flags.valid checks + +[ Upstream commit 9a51c6b1f9e0239a9435db036b212498a2a3b75c ] + +Both acpi_pci_need_resume() and acpi_dev_needs_resume() check if the +current ACPI wakeup configuration of the device matches what is +expected as far as system wakeup from sleep states is concerned, as +reflected by the device_may_wakeup() return value for the device. + +However, they only should do that if wakeup.flags.valid is set for +the device's ACPI companion, because otherwise the wakeup.prepare_count +value for it is meaningless. + +Add the missing wakeup.flags.valid checks to these functions. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/acpi/device_pm.c | 4 ++-- + drivers/pci/pci-acpi.c | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c +index a7c2673ffd36..1806260938e8 100644 +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -948,8 +948,8 @@ static bool acpi_dev_needs_resume(struct device *dev, struct acpi_device *adev) + u32 sys_target = acpi_target_system_state(); + int ret, state; + +- if (!pm_runtime_suspended(dev) || !adev || +- device_may_wakeup(dev) != !!adev->wakeup.prepare_count) ++ if (!pm_runtime_suspended(dev) || !adev || (adev->wakeup.flags.valid && ++ device_may_wakeup(dev) != !!adev->wakeup.prepare_count)) + return true; + + if (sys_target == ACPI_STATE_S0) +diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c +index f8436d1c4d45..f7218c1673ce 100644 +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -625,7 +625,8 @@ static bool acpi_pci_need_resume(struct pci_dev *dev) + if (!adev || !acpi_device_power_manageable(adev)) + return false; + +- if (device_may_wakeup(&dev->dev) != !!adev->wakeup.prepare_count) ++ if (adev->wakeup.flags.valid && ++ device_may_wakeup(&dev->dev) != !!adev->wakeup.prepare_count) + return true; + + if (acpi_target_system_state() == ACPI_STATE_S0) +-- +2.20.1 + diff --git a/queue-4.19/alsa-hda-force-polling-mode-on-cnl-for-fixing-codec-.patch b/queue-4.19/alsa-hda-force-polling-mode-on-cnl-for-fixing-codec-.patch new file mode 100644 index 00000000000..efe77e6ce6e --- /dev/null +++ b/queue-4.19/alsa-hda-force-polling-mode-on-cnl-for-fixing-codec-.patch @@ -0,0 +1,44 @@ +From 2e3cce3a33cf83a246d4abc233704bb3815ef91b Mon Sep 17 00:00:00 2001 +From: Bard Liao +Date: Mon, 27 May 2019 00:58:32 +0800 +Subject: ALSA: hda - Force polling mode on CNL for fixing codec communication + +[ Upstream commit fa763f1b2858752e6150ffff46886a1b7faffc82 ] + +We observed the same issue as reported by commit a8d7bde23e7130686b7662 +("ALSA: hda - Force polling mode on CFL for fixing codec communication") +We don't have a better solution. So apply the same workaround to CNL. + +Signed-off-by: Bard Liao +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 45bf89ed31de..308ce76149cc 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -378,6 +378,7 @@ enum { + + #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) + #define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348) ++#define IS_CNL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9dc8) + + static char *driver_short_names[] = { + [AZX_DRIVER_ICH] = "HDA Intel", +@@ -1795,8 +1796,8 @@ static int azx_create(struct snd_card *card, struct pci_dev *pci, + else + chip->bdl_pos_adj = bdl_pos_adj[dev]; + +- /* Workaround for a communication error on CFL (bko#199007) */ +- if (IS_CFL(pci)) ++ /* Workaround for a communication error on CFL (bko#199007) and CNL */ ++ if (IS_CFL(pci) || IS_CNL(pci)) + chip->polling_mode = 1; + + err = azx_bus_init(chip, model[dev], &pci_hda_io_ops); +-- +2.20.1 + diff --git a/queue-4.19/arm64-fix-syscall_fn_t-type.patch b/queue-4.19/arm64-fix-syscall_fn_t-type.patch new file mode 100644 index 00000000000..57ba25432ac --- /dev/null +++ b/queue-4.19/arm64-fix-syscall_fn_t-type.patch @@ -0,0 +1,35 @@ +From 3dc9bb878a575471a09978a77615d42cab18a7df Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Fri, 24 May 2019 15:11:16 -0700 +Subject: arm64: fix syscall_fn_t type + +[ Upstream commit 8ef8f368ce72b5e17f7c1f1ef15c38dcfd0fef64 ] + +Syscall wrappers in use const struct pt_regs * +as the argument type. Use const in syscall_fn_t as well to fix indirect +call type mismatches with Control-Flow Integrity checking. + +Signed-off-by: Sami Tolvanen +Reviewed-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/syscall.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h +index ad8be16a39c9..58102652bf9e 100644 +--- a/arch/arm64/include/asm/syscall.h ++++ b/arch/arm64/include/asm/syscall.h +@@ -20,7 +20,7 @@ + #include + #include + +-typedef long (*syscall_fn_t)(struct pt_regs *regs); ++typedef long (*syscall_fn_t)(const struct pt_regs *regs); + + extern const syscall_fn_t sys_call_table[]; + +-- +2.20.1 + diff --git a/queue-4.19/arm64-use-the-correct-function-type-for-__arm64_sys_.patch b/queue-4.19/arm64-use-the-correct-function-type-for-__arm64_sys_.patch new file mode 100644 index 00000000000..38c462431d5 --- /dev/null +++ b/queue-4.19/arm64-use-the-correct-function-type-for-__arm64_sys_.patch @@ -0,0 +1,83 @@ +From 7fdbf7a52757d00ff8e7fd9a19e8bfa7c5fe190b Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Fri, 24 May 2019 15:11:18 -0700 +Subject: arm64: use the correct function type for __arm64_sys_ni_syscall + +[ Upstream commit 1e29ab3186e33c77dbb2d7566172a205b59fa390 ] + +Calling sys_ni_syscall through a syscall_fn_t pointer trips indirect +call Control-Flow Integrity checking due to a function type +mismatch. Use SYSCALL_DEFINE0 for __arm64_sys_ni_syscall instead and +remove the now unnecessary casts. + +Signed-off-by: Sami Tolvanen +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/sys.c | 14 +++++++++----- + arch/arm64/kernel/sys32.c | 7 ++----- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/kernel/sys.c b/arch/arm64/kernel/sys.c +index 162a95ed0881..fe20c461582a 100644 +--- a/arch/arm64/kernel/sys.c ++++ b/arch/arm64/kernel/sys.c +@@ -47,22 +47,26 @@ SYSCALL_DEFINE1(arm64_personality, unsigned int, personality) + return ksys_personality(personality); + } + ++asmlinkage long sys_ni_syscall(void); ++ ++asmlinkage long __arm64_sys_ni_syscall(const struct pt_regs *__unused) ++{ ++ return sys_ni_syscall(); ++} ++ + /* + * Wrappers to pass the pt_regs argument. + */ + #define __arm64_sys_personality __arm64_sys_arm64_personality + +-asmlinkage long sys_ni_syscall(const struct pt_regs *); +-#define __arm64_sys_ni_syscall sys_ni_syscall +- + #undef __SYSCALL + #define __SYSCALL(nr, sym) asmlinkage long __arm64_##sym(const struct pt_regs *); + #include + + #undef __SYSCALL +-#define __SYSCALL(nr, sym) [nr] = (syscall_fn_t)__arm64_##sym, ++#define __SYSCALL(nr, sym) [nr] = __arm64_##sym, + + const syscall_fn_t sys_call_table[__NR_syscalls] = { +- [0 ... __NR_syscalls - 1] = (syscall_fn_t)sys_ni_syscall, ++ [0 ... __NR_syscalls - 1] = __arm64_sys_ni_syscall, + #include + }; +diff --git a/arch/arm64/kernel/sys32.c b/arch/arm64/kernel/sys32.c +index 0f8bcb7de700..3c80a40c1c9d 100644 +--- a/arch/arm64/kernel/sys32.c ++++ b/arch/arm64/kernel/sys32.c +@@ -133,17 +133,14 @@ COMPAT_SYSCALL_DEFINE6(aarch32_fallocate, int, fd, int, mode, + return ksys_fallocate(fd, mode, arg_u64(offset), arg_u64(len)); + } + +-asmlinkage long sys_ni_syscall(const struct pt_regs *); +-#define __arm64_sys_ni_syscall sys_ni_syscall +- + #undef __SYSCALL + #define __SYSCALL(nr, sym) asmlinkage long __arm64_##sym(const struct pt_regs *); + #include + + #undef __SYSCALL +-#define __SYSCALL(nr, sym) [nr] = (syscall_fn_t)__arm64_##sym, ++#define __SYSCALL(nr, sym) [nr] = __arm64_##sym, + + const syscall_fn_t compat_sys_call_table[__NR_compat_syscalls] = { +- [0 ... __NR_compat_syscalls - 1] = (syscall_fn_t)sys_ni_syscall, ++ [0 ... __NR_compat_syscalls - 1] = __arm64_sys_ni_syscall, + #include + }; +-- +2.20.1 + diff --git a/queue-4.19/arm64-use-the-correct-function-type-in-syscall_defin.patch b/queue-4.19/arm64-use-the-correct-function-type-in-syscall_defin.patch new file mode 100644 index 00000000000..84a79846735 --- /dev/null +++ b/queue-4.19/arm64-use-the-correct-function-type-in-syscall_defin.patch @@ -0,0 +1,57 @@ +From 5692faa4dca102777ab937a0233d00ea8fb7ea1e Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Fri, 24 May 2019 15:11:17 -0700 +Subject: arm64: use the correct function type in SYSCALL_DEFINE0 + +[ Upstream commit 0e358bd7b7ebd27e491dabed938eae254c17fe3b ] + +Although a syscall defined using SYSCALL_DEFINE0 doesn't accept +parameters, use the correct function type to avoid indirect call +type mismatches with Control-Flow Integrity checking. + +Signed-off-by: Sami Tolvanen +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/syscall_wrapper.h | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm64/include/asm/syscall_wrapper.h b/arch/arm64/include/asm/syscall_wrapper.h +index a4477e515b79..507d0ee6bc69 100644 +--- a/arch/arm64/include/asm/syscall_wrapper.h ++++ b/arch/arm64/include/asm/syscall_wrapper.h +@@ -30,10 +30,10 @@ + } \ + static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) + +-#define COMPAT_SYSCALL_DEFINE0(sname) \ +- asmlinkage long __arm64_compat_sys_##sname(void); \ +- ALLOW_ERROR_INJECTION(__arm64_compat_sys_##sname, ERRNO); \ +- asmlinkage long __arm64_compat_sys_##sname(void) ++#define COMPAT_SYSCALL_DEFINE0(sname) \ ++ asmlinkage long __arm64_compat_sys_##sname(const struct pt_regs *__unused); \ ++ ALLOW_ERROR_INJECTION(__arm64_compat_sys_##sname, ERRNO); \ ++ asmlinkage long __arm64_compat_sys_##sname(const struct pt_regs *__unused) + + #define COND_SYSCALL_COMPAT(name) \ + cond_syscall(__arm64_compat_sys_##name); +@@ -62,11 +62,11 @@ + static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) + + #ifndef SYSCALL_DEFINE0 +-#define SYSCALL_DEFINE0(sname) \ +- SYSCALL_METADATA(_##sname, 0); \ +- asmlinkage long __arm64_sys_##sname(void); \ +- ALLOW_ERROR_INJECTION(__arm64_sys_##sname, ERRNO); \ +- asmlinkage long __arm64_sys_##sname(void) ++#define SYSCALL_DEFINE0(sname) \ ++ SYSCALL_METADATA(_##sname, 0); \ ++ asmlinkage long __arm64_sys_##sname(const struct pt_regs *__unused); \ ++ ALLOW_ERROR_INJECTION(__arm64_sys_##sname, ERRNO); \ ++ asmlinkage long __arm64_sys_##sname(const struct pt_regs *__unused) + #endif + + #ifndef COND_SYSCALL +-- +2.20.1 + diff --git a/queue-4.19/clk-ti-clkctrl-fix-clkdm_clk-handling.patch b/queue-4.19/clk-ti-clkctrl-fix-clkdm_clk-handling.patch new file mode 100644 index 00000000000..792e75c1e24 --- /dev/null +++ b/queue-4.19/clk-ti-clkctrl-fix-clkdm_clk-handling.patch @@ -0,0 +1,56 @@ +From 7d86146d62dafe50dec810f187c30c8511abf5e8 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Mon, 6 May 2019 14:08:54 -0700 +Subject: clk: ti: clkctrl: Fix clkdm_clk handling + +[ Upstream commit 1cc54078d104f5b4d7e9f8d55362efa5a8daffdb ] + +We need to always call clkdm_clk_enable() and clkdm_clk_disable() even +the clkctrl clock(s) enabled for the domain do not have any gate register +bits. Otherwise clockdomains may never get enabled except when devices get +probed with the legacy "ti,hwmods" devicetree property. + +Fixes: 88a172526c32 ("clk: ti: add support for clkctrl clocks") +Signed-off-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clkctrl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/ti/clkctrl.c b/drivers/clk/ti/clkctrl.c +index 421b05392220..ca3218337fd7 100644 +--- a/drivers/clk/ti/clkctrl.c ++++ b/drivers/clk/ti/clkctrl.c +@@ -137,9 +137,6 @@ static int _omap4_clkctrl_clk_enable(struct clk_hw *hw) + int ret; + union omap4_timeout timeout = { 0 }; + +- if (!clk->enable_bit) +- return 0; +- + if (clk->clkdm) { + ret = ti_clk_ll_ops->clkdm_clk_enable(clk->clkdm, hw->clk); + if (ret) { +@@ -151,6 +148,9 @@ static int _omap4_clkctrl_clk_enable(struct clk_hw *hw) + } + } + ++ if (!clk->enable_bit) ++ return 0; ++ + val = ti_clk_ll_ops->clk_readl(&clk->enable_reg); + + val &= ~OMAP4_MODULEMODE_MASK; +@@ -179,7 +179,7 @@ static void _omap4_clkctrl_clk_disable(struct clk_hw *hw) + union omap4_timeout timeout = { 0 }; + + if (!clk->enable_bit) +- return; ++ goto exit; + + val = ti_clk_ll_ops->clk_readl(&clk->enable_reg); + +-- +2.20.1 + diff --git a/queue-4.19/configfs-fix-use-after-free-when-accessing-sd-s_dent.patch b/queue-4.19/configfs-fix-use-after-free-when-accessing-sd-s_dent.patch new file mode 100644 index 00000000000..a5f4746e2b4 --- /dev/null +++ b/queue-4.19/configfs-fix-use-after-free-when-accessing-sd-s_dent.patch @@ -0,0 +1,58 @@ +From cedabc41f8db72fa7c5fdb250f0f31c39f2f700b Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Thu, 3 Jan 2019 16:48:15 +0530 +Subject: configfs: Fix use-after-free when accessing sd->s_dentry + +[ Upstream commit f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 ] + +In the vfs_statx() context, during path lookup, the dentry gets +added to sd->s_dentry via configfs_attach_attr(). In the end, +vfs_statx() kills the dentry by calling path_put(), which invokes +configfs_d_iput(). Ideally, this dentry must be removed from +sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result, +sd->s_dentry is holding reference to a stale dentry pointer whose +memory is already freed up. This results in use-after-free issue, +when this stale sd->s_dentry is accessed later in +configfs_readdir() path. + +This issue can be easily reproduced, by running the LTP test case - +sh fs_racer_file_list.sh /config +(https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh) + +Fixes: 76ae281f6307 ('configfs: fix race between dentry put and lookup') +Signed-off-by: Sahitya Tummala +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 920d350df37b..809c1edffbaf 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry, + if (sd) { + /* Coordinate with configfs_readdir */ + spin_lock(&configfs_dirent_lock); +- /* Coordinate with configfs_attach_attr where will increase +- * sd->s_count and update sd->s_dentry to new allocated one. +- * Only set sd->dentry to null when this dentry is the only +- * sd owner. +- * If not do so, configfs_d_iput may run just after +- * configfs_attach_attr and set sd->s_dentry to null +- * even it's still in use. ++ /* ++ * Set sd->s_dentry to null only when this dentry is the one ++ * that is going to be killed. Otherwise configfs_d_iput may ++ * run just after configfs_attach_attr and set sd->s_dentry to ++ * NULL even it's still in use. + */ +- if (atomic_read(&sd->s_count) <= 2) ++ if (sd->s_dentry == dentry) + sd->s_dentry = NULL; + + spin_unlock(&configfs_dirent_lock); +-- +2.20.1 + diff --git a/queue-4.19/drm-etnaviv-lock-mmu-while-dumping-core.patch b/queue-4.19/drm-etnaviv-lock-mmu-while-dumping-core.patch new file mode 100644 index 00000000000..89bede1128c --- /dev/null +++ b/queue-4.19/drm-etnaviv-lock-mmu-while-dumping-core.patch @@ -0,0 +1,55 @@ +From d57d05abde0ff390edde2585727f5b8b8c93e412 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Tue, 21 May 2019 14:53:40 +0200 +Subject: drm/etnaviv: lock MMU while dumping core + +[ Upstream commit 1396500d673bd027683a0609ff84dca7eb6ea2e7 ] + +The devcoredump needs to operate on a stable state of the MMU while +it is writing the MMU state to the coredump. The missing lock +allowed both the userspace submit, as well as the GPU job finish +paths to mutate the MMU state while a coredump is under way. + +Fixes: a8c21a5451d8 (drm/etnaviv: add initial etnaviv DRM driver) +Reported-by: David Jander +Signed-off-by: Lucas Stach +Tested-by: David Jander +Reviewed-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +index 9146e30e24a6..468dff2f7904 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +@@ -124,6 +124,8 @@ void etnaviv_core_dump(struct etnaviv_gpu *gpu) + return; + etnaviv_dump_core = false; + ++ mutex_lock(&gpu->mmu->lock); ++ + mmu_size = etnaviv_iommu_dump_size(gpu->mmu); + + /* We always dump registers, mmu, ring and end marker */ +@@ -166,6 +168,7 @@ void etnaviv_core_dump(struct etnaviv_gpu *gpu) + iter.start = __vmalloc(file_size, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY, + PAGE_KERNEL); + if (!iter.start) { ++ mutex_unlock(&gpu->mmu->lock); + dev_warn(gpu->dev, "failed to allocate devcoredump file\n"); + return; + } +@@ -233,6 +236,8 @@ void etnaviv_core_dump(struct etnaviv_gpu *gpu) + obj->base.size); + } + ++ mutex_unlock(&gpu->mmu->lock); ++ + etnaviv_core_dump_header(&iter, ETDUMP_BUF_END, iter.data); + + dev_coredumpv(gpu->dev, iter.start, iter.data - iter.start, GFP_KERNEL); +-- +2.20.1 + diff --git a/queue-4.19/gpio-fix-gpio-adp5588-build-errors.patch b/queue-4.19/gpio-fix-gpio-adp5588-build-errors.patch new file mode 100644 index 00000000000..580b00aa079 --- /dev/null +++ b/queue-4.19/gpio-fix-gpio-adp5588-build-errors.patch @@ -0,0 +1,54 @@ +From f5e654ab2111a79b7d18fb3fa7028473effcc1f2 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 23 May 2019 15:00:41 -0700 +Subject: gpio: fix gpio-adp5588 build errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e9646f0f5bb62b7d43f0968f39d536cfe7123b53 ] + +The gpio-adp5588 driver uses interfaces that are provided by +GPIOLIB_IRQCHIP, so select that symbol in its Kconfig entry. + +Fixes these build errors: + +../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_handler’: +../drivers/gpio/gpio-adp5588.c:266:26: error: ‘struct gpio_chip’ has no member named ‘irq’ + dev->gpio_chip.irq.domain, gpio)); + ^ +../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_setup’: +../drivers/gpio/gpio-adp5588.c:298:2: error: implicit declaration of function ‘gpiochip_irqchip_add_nested’ [-Werror=implicit-function-declaration] + ret = gpiochip_irqchip_add_nested(&dev->gpio_chip, + ^ +../drivers/gpio/gpio-adp5588.c:307:2: error: implicit declaration of function ‘gpiochip_set_nested_irqchip’ [-Werror=implicit-function-declaration] + gpiochip_set_nested_irqchip(&dev->gpio_chip, + ^ + +Fixes: 459773ae8dbb ("gpio: adp5588-gpio: support interrupt controller") +Reported-by: kbuild test robot +Signed-off-by: Randy Dunlap +Cc: linux-gpio@vger.kernel.org +Reviewed-by: Bartosz Golaszewski +Acked-by: Michael Hennerich +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig +index 4f52c3a8ec99..ed51221621a5 100644 +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -784,6 +784,7 @@ config GPIO_ADP5588 + config GPIO_ADP5588_IRQ + bool "Interrupt controller support for ADP5588" + depends on GPIO_ADP5588=y ++ select GPIOLIB_IRQCHIP + help + Say yes here to enable the adp5588 to be used as an interrupt + controller. It requires the driver to be built in the kernel. +-- +2.20.1 + diff --git a/queue-4.19/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch b/queue-4.19/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch new file mode 100644 index 00000000000..f16d039d089 --- /dev/null +++ b/queue-4.19/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch @@ -0,0 +1,33 @@ +From af1ba071f1aa41455c378847324fcdd1b7840f54 Mon Sep 17 00:00:00 2001 +From: Yingjoe Chen +Date: Tue, 7 May 2019 22:20:32 +0800 +Subject: i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr + +[ Upstream commit a0692f0eef91354b62c2b4c94954536536be5425 ] + +If I2C_M_RECV_LEN check failed, msgs[i].buf allocated by memdup_user +will not be freed. Pump index up so it will be freed. + +Fixes: 838bfa6049fb ("i2c-dev: Add support for I2C_M_RECV_LEN") +Signed-off-by: Yingjoe Chen +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index ccd76c71af09..cb07651f4b46 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -283,6 +283,7 @@ static noinline int i2cdev_ioctl_rdwr(struct i2c_client *client, + msgs[i].len < 1 || msgs[i].buf[0] < 1 || + msgs[i].len < msgs[i].buf[0] + + I2C_SMBUS_BLOCK_MAX) { ++ i++; + res = -EINVAL; + break; + } +-- +2.20.1 + diff --git a/queue-4.19/ia64-fix-build-errors-by-exporting-paddr_to_nid.patch b/queue-4.19/ia64-fix-build-errors-by-exporting-paddr_to_nid.patch new file mode 100644 index 00000000000..a456e2bbde0 --- /dev/null +++ b/queue-4.19/ia64-fix-build-errors-by-exporting-paddr_to_nid.patch @@ -0,0 +1,58 @@ +From b6f4ce7a1351cb3de8fe0bb0b391dcbb83f44176 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 28 May 2019 09:14:30 -0700 +Subject: ia64: fix build errors by exporting paddr_to_nid() + +[ Upstream commit 9a626c4a6326da4433a0d4d4a8a7d1571caf1ed3 ] + +Fix build errors on ia64 when DISCONTIGMEM=y and NUMA=y by +exporting paddr_to_nid(). + +Fixes these build errors: + +ERROR: "paddr_to_nid" [sound/core/snd-pcm.ko] undefined! +ERROR: "paddr_to_nid" [net/sunrpc/sunrpc.ko] undefined! +ERROR: "paddr_to_nid" [fs/cifs/cifs.ko] undefined! +ERROR: "paddr_to_nid" [drivers/video/fbdev/core/fb.ko] undefined! +ERROR: "paddr_to_nid" [drivers/usb/mon/usbmon.ko] undefined! +ERROR: "paddr_to_nid" [drivers/usb/core/usbcore.ko] undefined! +ERROR: "paddr_to_nid" [drivers/md/raid1.ko] undefined! +ERROR: "paddr_to_nid" [drivers/md/dm-mod.ko] undefined! +ERROR: "paddr_to_nid" [drivers/md/dm-crypt.ko] undefined! +ERROR: "paddr_to_nid" [drivers/md/dm-bufio.ko] undefined! +ERROR: "paddr_to_nid" [drivers/ide/ide-core.ko] undefined! +ERROR: "paddr_to_nid" [drivers/ide/ide-cd_mod.ko] undefined! +ERROR: "paddr_to_nid" [drivers/gpu/drm/drm.ko] undefined! +ERROR: "paddr_to_nid" [drivers/char/agp/agpgart.ko] undefined! +ERROR: "paddr_to_nid" [drivers/block/nbd.ko] undefined! +ERROR: "paddr_to_nid" [drivers/block/loop.ko] undefined! +ERROR: "paddr_to_nid" [drivers/block/brd.ko] undefined! +ERROR: "paddr_to_nid" [crypto/ccm.ko] undefined! + +Reported-by: kbuild test robot +Signed-off-by: Randy Dunlap +Cc: Tony Luck +Cc: Fenghua Yu +Cc: linux-ia64@vger.kernel.org +Signed-off-by: Tony Luck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/mm/numa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/ia64/mm/numa.c b/arch/ia64/mm/numa.c +index aa19b7ac8222..476c7b4be378 100644 +--- a/arch/ia64/mm/numa.c ++++ b/arch/ia64/mm/numa.c +@@ -49,6 +49,7 @@ paddr_to_nid(unsigned long paddr) + + return (i < num_node_memblks) ? node_memblk[i].nid : (num_node_memblks ? -1 : 0); + } ++EXPORT_SYMBOL(paddr_to_nid); + + #if defined(CONFIG_SPARSEMEM) && defined(CONFIG_NUMA) + /* +-- +2.20.1 + diff --git a/queue-4.19/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch b/queue-4.19/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch new file mode 100644 index 00000000000..f03b0dd32b1 --- /dev/null +++ b/queue-4.19/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch @@ -0,0 +1,50 @@ +From 1355406b8d840e932fae71e38323c9a6566e67ad Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 6 Jun 2019 14:32:34 -0700 +Subject: ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero + +[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ] + +Before taking a refcount, make sure the object is not already +scheduled for deletion. + +Same fix is needed in ipv6_flowlabel_opt() + +Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_flowlabel.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c +index be5f3d7ceb96..f994f50e1516 100644 +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label) + rcu_read_lock_bh(); + for_each_sk_fl_rcu(np, sfl) { + struct ip6_flowlabel *fl = sfl->fl; +- if (fl->label == label) { ++ ++ if (fl->label == label && atomic_inc_not_zero(&fl->users)) { + fl->lastuse = jiffies; +- atomic_inc(&fl->users); + rcu_read_unlock_bh(); + return fl; + } +@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) + goto done; + } + fl1 = sfl->fl; +- atomic_inc(&fl1->users); ++ if (!atomic_inc_not_zero(&fl1->users)) ++ fl1 = NULL; + break; + } + } +-- +2.20.1 + diff --git a/queue-4.19/ipvs-fix-use-after-free-in-ip_vs_in.patch b/queue-4.19/ipvs-fix-use-after-free-in-ip_vs_in.patch new file mode 100644 index 00000000000..0ed7a2be3b1 --- /dev/null +++ b/queue-4.19/ipvs-fix-use-after-free-in-ip_vs_in.patch @@ -0,0 +1,133 @@ +From 283b14d6b947a572c8d207afb73fe43367bbdff3 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 17 May 2019 22:31:49 +0800 +Subject: ipvs: Fix use-after-free in ip_vs_in + +[ Upstream commit 719c7d563c17b150877cee03a4b812a424989dfa ] + +BUG: KASAN: use-after-free in ip_vs_in.part.29+0xe8/0xd20 [ip_vs] +Read of size 4 at addr ffff8881e9b26e2c by task sshd/5603 + +CPU: 0 PID: 5603 Comm: sshd Not tainted 4.19.39+ #30 +Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +Call Trace: + dump_stack+0x71/0xab + print_address_description+0x6a/0x270 + kasan_report+0x179/0x2c0 + ip_vs_in.part.29+0xe8/0xd20 [ip_vs] + ip_vs_in+0xd8/0x170 [ip_vs] + nf_hook_slow+0x5f/0xe0 + __ip_local_out+0x1d5/0x250 + ip_local_out+0x19/0x60 + __tcp_transmit_skb+0xba1/0x14f0 + tcp_write_xmit+0x41f/0x1ed0 + ? _copy_from_iter_full+0xca/0x340 + __tcp_push_pending_frames+0x52/0x140 + tcp_sendmsg_locked+0x787/0x1600 + ? tcp_sendpage+0x60/0x60 + ? inet_sk_set_state+0xb0/0xb0 + tcp_sendmsg+0x27/0x40 + sock_sendmsg+0x6d/0x80 + sock_write_iter+0x121/0x1c0 + ? sock_sendmsg+0x80/0x80 + __vfs_write+0x23e/0x370 + vfs_write+0xe7/0x230 + ksys_write+0xa1/0x120 + ? __ia32_sys_read+0x50/0x50 + ? __audit_syscall_exit+0x3ce/0x450 + do_syscall_64+0x73/0x200 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7ff6f6147c60 +Code: 73 01 c3 48 8b 0d 28 12 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 5d 73 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 +RSP: 002b:00007ffd772ead18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000034 RCX: 00007ff6f6147c60 +RDX: 0000000000000034 RSI: 000055df30a31270 RDI: 0000000000000003 +RBP: 000055df30a31270 R08: 0000000000000000 R09: 0000000000000000 +R10: 00007ffd772ead70 R11: 0000000000000246 R12: 00007ffd772ead74 +R13: 00007ffd772eae20 R14: 00007ffd772eae24 R15: 000055df2f12ddc0 + +Allocated by task 6052: + kasan_kmalloc+0xa0/0xd0 + __kmalloc+0x10a/0x220 + ops_init+0x97/0x190 + register_pernet_operations+0x1ac/0x360 + register_pernet_subsys+0x24/0x40 + 0xffffffffc0ea016d + do_one_initcall+0x8b/0x253 + do_init_module+0xe3/0x335 + load_module+0x2fc0/0x3890 + __do_sys_finit_module+0x192/0x1c0 + do_syscall_64+0x73/0x200 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 6067: + __kasan_slab_free+0x130/0x180 + kfree+0x90/0x1a0 + ops_free_list.part.7+0xa6/0xc0 + unregister_pernet_operations+0x18b/0x1f0 + unregister_pernet_subsys+0x1d/0x30 + ip_vs_cleanup+0x1d/0xd2f [ip_vs] + __x64_sys_delete_module+0x20c/0x300 + do_syscall_64+0x73/0x200 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff8881e9b26600 which belongs to the cache kmalloc-4096 of size 4096 +The buggy address is located 2092 bytes inside of 4096-byte region [ffff8881e9b26600, ffff8881e9b27600) +The buggy address belongs to the page: +page:ffffea0007a6c800 count:1 mapcount:0 mapping:ffff888107c0e600 index:0x0 compound_mapcount: 0 +flags: 0x17ffffc0008100(slab|head) +raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff888107c0e600 +raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +while unregistering ipvs module, ops_free_list calls +__ip_vs_cleanup, then nf_unregister_net_hooks be called to +do remove nf hook entries. It need a RCU period to finish, +however net->ipvs is set to NULL immediately, which will +trigger NULL pointer dereference when a packet is hooked +and handled by ip_vs_in where net->ipvs is dereferenced. + +Another scene is ops_free_list call ops_free to free the +net_generic directly while __ip_vs_cleanup finished, then +calling ip_vs_in will triggers use-after-free. + +This patch moves nf_unregister_net_hooks from __ip_vs_cleanup() +to __ip_vs_dev_cleanup(), where rcu_barrier() is called by +unregister_pernet_device -> unregister_pernet_operations, +that will do the needed grace period. + +Reported-by: Hulk Robot +Fixes: efe41606184e ("ipvs: convert to use pernet nf_hook api") +Suggested-by: Julian Anastasov +Signed-off-by: YueHaibing +Acked-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index a42c1bc7c698..62c0e80dcd71 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -2280,7 +2280,6 @@ static void __net_exit __ip_vs_cleanup(struct net *net) + { + struct netns_ipvs *ipvs = net_ipvs(net); + +- nf_unregister_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); + ip_vs_service_net_cleanup(ipvs); /* ip_vs_flush() with locks */ + ip_vs_conn_net_cleanup(ipvs); + ip_vs_app_net_cleanup(ipvs); +@@ -2295,6 +2294,7 @@ static void __net_exit __ip_vs_dev_cleanup(struct net *net) + { + struct netns_ipvs *ipvs = net_ipvs(net); + EnterFunction(2); ++ nf_unregister_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); + ipvs->enable = 0; /* Disable packet reception */ + smp_wmb(); + ip_vs_sync_net_cleanup(ipvs); +-- +2.20.1 + diff --git a/queue-4.19/kvm-ppc-book3s-hv-don-t-take-kvm-lock-around-kvm_for.patch b/queue-4.19/kvm-ppc-book3s-hv-don-t-take-kvm-lock-around-kvm_for.patch new file mode 100644 index 00000000000..56527bbd5b7 --- /dev/null +++ b/queue-4.19/kvm-ppc-book3s-hv-don-t-take-kvm-lock-around-kvm_for.patch @@ -0,0 +1,68 @@ +From fd4151f889375be570c9058b5492269b1cf7f94d Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Thu, 23 May 2019 16:36:32 +1000 +Subject: KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 5a3f49364c3ffa1107bd88f8292406e98c5d206c ] + +Currently the HV KVM code takes the kvm->lock around calls to +kvm_for_each_vcpu() and kvm_get_vcpu_by_id() (which can call +kvm_for_each_vcpu() internally). However, that leads to a lock +order inversion problem, because these are called in contexts where +the vcpu mutex is held, but the vcpu mutexes nest within kvm->lock +according to Documentation/virtual/kvm/locking.txt. Hence there +is a possibility of deadlock. + +To fix this, we simply don't take the kvm->lock mutex around these +calls. This is safe because the implementations of kvm_for_each_vcpu() +and kvm_get_vcpu_by_id() have been designed to be able to be called +locklessly. + +Signed-off-by: Paul Mackerras +Reviewed-by: Cédric Le Goater +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 3e3a71594e63..083dcedba11c 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -426,12 +426,7 @@ static void kvmppc_dump_regs(struct kvm_vcpu *vcpu) + + static struct kvm_vcpu *kvmppc_find_vcpu(struct kvm *kvm, int id) + { +- struct kvm_vcpu *ret; +- +- mutex_lock(&kvm->lock); +- ret = kvm_get_vcpu_by_id(kvm, id); +- mutex_unlock(&kvm->lock); +- return ret; ++ return kvm_get_vcpu_by_id(kvm, id); + } + + static void init_vpa(struct kvm_vcpu *vcpu, struct lppaca *vpa) +@@ -1309,7 +1304,6 @@ static void kvmppc_set_lpcr(struct kvm_vcpu *vcpu, u64 new_lpcr, + struct kvmppc_vcore *vc = vcpu->arch.vcore; + u64 mask; + +- mutex_lock(&kvm->lock); + spin_lock(&vc->lock); + /* + * If ILE (interrupt little-endian) has changed, update the +@@ -1349,7 +1343,6 @@ static void kvmppc_set_lpcr(struct kvm_vcpu *vcpu, u64 new_lpcr, + mask &= 0xFFFFFFFF; + vc->lpcr = (vc->lpcr & ~mask) | (new_lpcr & mask); + spin_unlock(&vc->lock); +- mutex_unlock(&kvm->lock); + } + + static int kvmppc_get_one_reg_hv(struct kvm_vcpu *vcpu, u64 id, +-- +2.20.1 + diff --git a/queue-4.19/kvm-ppc-book3s-use-new-mutex-to-synchronize-access-t.patch b/queue-4.19/kvm-ppc-book3s-use-new-mutex-to-synchronize-access-t.patch new file mode 100644 index 00000000000..2376ca785b8 --- /dev/null +++ b/queue-4.19/kvm-ppc-book3s-use-new-mutex-to-synchronize-access-t.patch @@ -0,0 +1,125 @@ +From bc3c51cabd27911f6b6c25722ba71b02de162077 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Wed, 29 May 2019 11:54:00 +1000 +Subject: KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token + list + +[ Upstream commit 1659e27d2bc1ef47b6d031abe01b467f18cb72d9 ] + +Currently the Book 3S KVM code uses kvm->lock to synchronize access +to the kvm->arch.rtas_tokens list. Because this list is scanned +inside kvmppc_rtas_hcall(), which is called with the vcpu mutex held, +taking kvm->lock cause a lock inversion problem, which could lead to +a deadlock. + +To fix this, we add a new mutex, kvm->arch.rtas_token_lock, which nests +inside the vcpu mutexes, and use that instead of kvm->lock when +accessing the rtas token list. + +This removes the lockdep_assert_held() in kvmppc_rtas_tokens_free(). +At this point we don't hold the new mutex, but that is OK because +kvmppc_rtas_tokens_free() is only called when the whole VM is being +destroyed, and at that point nothing can be looking up a token in +the list. + +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/kvm_host.h | 1 + + arch/powerpc/kvm/book3s.c | 1 + + arch/powerpc/kvm/book3s_rtas.c | 14 ++++++-------- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/include/asm/kvm_host.h b/arch/powerpc/include/asm/kvm_host.h +index bccc5051249e..2b6049e83970 100644 +--- a/arch/powerpc/include/asm/kvm_host.h ++++ b/arch/powerpc/include/asm/kvm_host.h +@@ -299,6 +299,7 @@ struct kvm_arch { + #ifdef CONFIG_PPC_BOOK3S_64 + struct list_head spapr_tce_tables; + struct list_head rtas_tokens; ++ struct mutex rtas_token_lock; + DECLARE_BITMAP(enabled_hcalls, MAX_HCALL_OPCODE/4 + 1); + #endif + #ifdef CONFIG_KVM_MPIC +diff --git a/arch/powerpc/kvm/book3s.c b/arch/powerpc/kvm/book3s.c +index 87348e498c89..281f074581a3 100644 +--- a/arch/powerpc/kvm/book3s.c ++++ b/arch/powerpc/kvm/book3s.c +@@ -840,6 +840,7 @@ int kvmppc_core_init_vm(struct kvm *kvm) + #ifdef CONFIG_PPC64 + INIT_LIST_HEAD_RCU(&kvm->arch.spapr_tce_tables); + INIT_LIST_HEAD(&kvm->arch.rtas_tokens); ++ mutex_init(&kvm->arch.rtas_token_lock); + #endif + + return kvm->arch.kvm_ops->init_vm(kvm); +diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c +index 2d3b2b1cc272..8f2355138f80 100644 +--- a/arch/powerpc/kvm/book3s_rtas.c ++++ b/arch/powerpc/kvm/book3s_rtas.c +@@ -146,7 +146,7 @@ static int rtas_token_undefine(struct kvm *kvm, char *name) + { + struct rtas_token_definition *d, *tmp; + +- lockdep_assert_held(&kvm->lock); ++ lockdep_assert_held(&kvm->arch.rtas_token_lock); + + list_for_each_entry_safe(d, tmp, &kvm->arch.rtas_tokens, list) { + if (rtas_name_matches(d->handler->name, name)) { +@@ -167,7 +167,7 @@ static int rtas_token_define(struct kvm *kvm, char *name, u64 token) + bool found; + int i; + +- lockdep_assert_held(&kvm->lock); ++ lockdep_assert_held(&kvm->arch.rtas_token_lock); + + list_for_each_entry(d, &kvm->arch.rtas_tokens, list) { + if (d->token == token) +@@ -206,14 +206,14 @@ int kvm_vm_ioctl_rtas_define_token(struct kvm *kvm, void __user *argp) + if (copy_from_user(&args, argp, sizeof(args))) + return -EFAULT; + +- mutex_lock(&kvm->lock); ++ mutex_lock(&kvm->arch.rtas_token_lock); + + if (args.token) + rc = rtas_token_define(kvm, args.name, args.token); + else + rc = rtas_token_undefine(kvm, args.name); + +- mutex_unlock(&kvm->lock); ++ mutex_unlock(&kvm->arch.rtas_token_lock); + + return rc; + } +@@ -245,7 +245,7 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) + orig_rets = args.rets; + args.rets = &args.args[be32_to_cpu(args.nargs)]; + +- mutex_lock(&vcpu->kvm->lock); ++ mutex_lock(&vcpu->kvm->arch.rtas_token_lock); + + rc = -ENOENT; + list_for_each_entry(d, &vcpu->kvm->arch.rtas_tokens, list) { +@@ -256,7 +256,7 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) + } + } + +- mutex_unlock(&vcpu->kvm->lock); ++ mutex_unlock(&vcpu->kvm->arch.rtas_token_lock); + + if (rc == 0) { + args.rets = orig_rets; +@@ -282,8 +282,6 @@ void kvmppc_rtas_tokens_free(struct kvm *kvm) + { + struct rtas_token_definition *d, *tmp; + +- lockdep_assert_held(&kvm->lock); +- + list_for_each_entry_safe(d, tmp, &kvm->arch.rtas_tokens, list) { + list_del(&d->list); + kfree(d); +-- +2.20.1 + diff --git a/queue-4.19/lapb-fixed-leak-of-control-blocks.patch-3152 b/queue-4.19/lapb-fixed-leak-of-control-blocks.patch-3152 new file mode 100644 index 00000000000..39b96cb9c64 --- /dev/null +++ b/queue-4.19/lapb-fixed-leak-of-control-blocks.patch-3152 @@ -0,0 +1,45 @@ +From 20a6bbf9cf4ba9667612f9e7408b6aa3fd9a54f1 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sun, 16 Jun 2019 16:54:37 +0100 +Subject: lapb: fixed leak of control-blocks. + +[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ] + +lapb_register calls lapb_create_cb, which initializes the control- +block's ref-count to one, and __lapb_insert_cb, which increments it when +adding the new block to the list of blocks. + +lapb_unregister calls __lapb_remove_cb, which decrements the ref-count +when removing control-block from the list of blocks, and calls lapb_put +itself to decrement the ref-count before returning. + +However, lapb_unregister also calls __lapb_devtostruct to look up the +right control-block for the given net_device, and __lapb_devtostruct +also bumps the ref-count, which means that when lapb_unregister returns +the ref-count is still 1 and the control-block is leaked. + +Call lapb_put after __lapb_devtostruct to fix leak. + +Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com +Signed-off-by: Jeremy Sowden +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/lapb/lapb_iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c +index db6e0afe3a20..1740f852002e 100644 +--- a/net/lapb/lapb_iface.c ++++ b/net/lapb/lapb_iface.c +@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *dev) + lapb = __lapb_devtostruct(dev); + if (!lapb) + goto out; ++ lapb_put(lapb); + + lapb_stop_t1timer(lapb); + lapb_stop_t2timer(lapb); +-- +2.20.1 + diff --git a/queue-4.19/loop-don-t-change-loop-device-under-exclusive-opener.patch b/queue-4.19/loop-don-t-change-loop-device-under-exclusive-opener.patch new file mode 100644 index 00000000000..705749119e8 --- /dev/null +++ b/queue-4.19/loop-don-t-change-loop-device-under-exclusive-opener.patch @@ -0,0 +1,83 @@ +From 2d0a678f24f1debfa1de9f64648876ac41e2cd25 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 16 May 2019 16:01:27 +0200 +Subject: loop: Don't change loop device under exclusive opener + +[ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ] + +Loop module allows calling LOOP_SET_FD while there are other openers of +the loop device. Even exclusive ones. This can lead to weird +consequences such as kernel deadlocks like: + +mount_bdev() lo_ioctl() + udf_fill_super() + udf_load_vrs() + sb_set_blocksize() - sets desired block size B + udf_tread() + sb_bread() + __bread_gfp(bdev, block, B) + loop_set_fd() + set_blocksize() + - now __getblk_slow() indefinitely loops because B != bdev + block size + +Fix the problem by disallowing LOOP_SET_FD ioctl when there are +exclusive openers of a loop device. + +[Deliberately chosen not to CC stable as a user with priviledges to +trigger this race has other means of taking the system down and this +has a potential of breaking some weird userspace setup] + +Reported-and-tested-by: syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index f1e63eb7cbca..a443910f5d6f 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -920,9 +920,20 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, + if (!file) + goto out; + ++ /* ++ * If we don't hold exclusive handle for the device, upgrade to it ++ * here to avoid changing device under exclusive owner. ++ */ ++ if (!(mode & FMODE_EXCL)) { ++ bdgrab(bdev); ++ error = blkdev_get(bdev, mode | FMODE_EXCL, loop_set_fd); ++ if (error) ++ goto out_putf; ++ } ++ + error = mutex_lock_killable(&loop_ctl_mutex); + if (error) +- goto out_putf; ++ goto out_bdev; + + error = -EBUSY; + if (lo->lo_state != Lo_unbound) +@@ -986,10 +997,15 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, + mutex_unlock(&loop_ctl_mutex); + if (partscan) + loop_reread_partitions(lo, bdev); ++ if (!(mode & FMODE_EXCL)) ++ blkdev_put(bdev, mode | FMODE_EXCL); + return 0; + + out_unlock: + mutex_unlock(&loop_ctl_mutex); ++out_bdev: ++ if (!(mode & FMODE_EXCL)) ++ blkdev_put(bdev, mode | FMODE_EXCL); + out_putf: + fput(file); + out: +-- +2.20.1 + diff --git a/queue-4.19/misdn-make-sure-device-name-is-nul-terminated.patch b/queue-4.19/misdn-make-sure-device-name-is-nul-terminated.patch new file mode 100644 index 00000000000..72f1c7c5ca9 --- /dev/null +++ b/queue-4.19/misdn-make-sure-device-name-is-nul-terminated.patch @@ -0,0 +1,56 @@ +From 677db97411bfb724aaf32ebb0fdca2a0b0ac25bd Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 22 May 2019 11:45:13 +0300 +Subject: mISDN: make sure device name is NUL terminated + +[ Upstream commit ccfb62f27beb295103e9392462b20a6ed807d0ea ] + +The user can change the device_name with the IMSETDEVNAME ioctl, but we +need to ensure that the user's name is NUL terminated. Otherwise it +could result in a buffer overflow when we copy the name back to the user +with IMGETDEVINFO ioctl. + +I also changed two strcpy() calls which handle the name to strscpy(). +Hopefully, there aren't any other ways to create a too long name, but +it's nice to do this as a kernel hardening measure. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/socket.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index b2abc44fa5cb..a73337b74f41 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + memcpy(di.channelmap, dev->channelmap, + sizeof(di.channelmap)); + di.nrbchan = dev->nrbchan; +- strcpy(di.name, dev_name(&dev->dev)); ++ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name)); + if (copy_to_user((void __user *)arg, &di, sizeof(di))) + err = -EFAULT; + } else +@@ -677,7 +677,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + memcpy(di.channelmap, dev->channelmap, + sizeof(di.channelmap)); + di.nrbchan = dev->nrbchan; +- strcpy(di.name, dev_name(&dev->dev)); ++ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name)); + if (copy_to_user((void __user *)arg, &di, sizeof(di))) + err = -EFAULT; + } else +@@ -691,6 +691,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + err = -EFAULT; + break; + } ++ dn.name[sizeof(dn.name) - 1] = '\0'; + dev = get_mdevice(dn.id); + if (dev) + err = device_rename(&dev->dev, dn.name); +-- +2.20.1 + diff --git a/queue-4.19/mlxsw-spectrum-prevent-force-of-56g.patch b/queue-4.19/mlxsw-spectrum-prevent-force-of-56g.patch new file mode 100644 index 00000000000..c84a47c0569 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum-prevent-force-of-56g.patch @@ -0,0 +1,41 @@ +From 9fc80880cd167f5dea33f9626dbb31cd8f014dd7 Mon Sep 17 00:00:00 2001 +From: Amit Cohen +Date: Wed, 29 May 2019 10:59:45 +0300 +Subject: mlxsw: spectrum: Prevent force of 56G + +[ Upstream commit 275e928f19117d22f6d26dee94548baf4041b773 ] + +Force of 56G is not supported by hardware in Ethernet devices. This +configuration fails with a bad parameter error from firmware. + +Add check of this case. Instead of trying to set 56G with autoneg off, +return a meaningful error. + +Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") +Signed-off-by: Amit Cohen +Acked-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index c5b82e283d13..ff2f6b8e2fab 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -2488,6 +2488,10 @@ mlxsw_sp_port_set_link_ksettings(struct net_device *dev, + mlxsw_reg_ptys_eth_unpack(ptys_pl, ð_proto_cap, NULL, NULL); + + autoneg = cmd->base.autoneg == AUTONEG_ENABLE; ++ if (!autoneg && cmd->base.speed == SPEED_56000) { ++ netdev_err(dev, "56G not supported with autoneg off\n"); ++ return -EINVAL; ++ } + eth_proto_new = autoneg ? + mlxsw_sp_to_ptys_advert_link(cmd) : + mlxsw_sp_to_ptys_speed(cmd->base.speed); +-- +2.20.1 + diff --git a/queue-4.19/neigh-fix-use-after-free-read-in-pneigh_get_next.patch-3377 b/queue-4.19/neigh-fix-use-after-free-read-in-pneigh_get_next.patch-3377 new file mode 100644 index 00000000000..2ecce3a0ac0 --- /dev/null +++ b/queue-4.19/neigh-fix-use-after-free-read-in-pneigh_get_next.patch-3377 @@ -0,0 +1,188 @@ +From c5095242d1faf966c4e2605277caf3014f66f9c1 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 15 Jun 2019 16:28:48 -0700 +Subject: neigh: fix use-after-free read in pneigh_get_next + +[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ] + +Nine years ago, I added RCU handling to neighbours, not pneighbours. +(pneigh are not commonly used) + +Unfortunately I missed that /proc dump operations would use a +common entry and exit point : neigh_seq_start() and neigh_seq_stop() + +We need to read_lock(tbl->lock) or risk use-after-free while +iterating the pneigh structures. + +We might later convert pneigh to RCU and revert this patch. + +sysbot reported : + +BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 +Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825 + +CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 + __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + kasan_report+0x12/0x20 mm/kasan/common.c:614 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 + pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 + neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240 + seq_read+0x9cf/0x1110 fs/seq_file.c:258 + proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221 + do_loop_readv_writev fs/read_write.c:714 [inline] + do_loop_readv_writev fs/read_write.c:701 [inline] + do_iter_read+0x4a4/0x660 fs/read_write.c:935 + vfs_readv+0xf0/0x160 fs/read_write.c:997 + kernel_readv fs/splice.c:359 [inline] + default_file_splice_read+0x475/0x890 fs/splice.c:414 + do_splice_to+0x127/0x180 fs/splice.c:877 + splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954 + do_splice_direct+0x1da/0x2a0 fs/splice.c:1063 + do_sendfile+0x597/0xd00 fs/read_write.c:1464 + __do_sys_sendfile64 fs/read_write.c:1525 [inline] + __se_sys_sendfile64 fs/read_write.c:1511 [inline] + __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4592c9 +Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 +RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4 +R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff + +Allocated by task 9827: + save_stack+0x23/0x90 mm/kasan/common.c:71 + set_track mm/kasan/common.c:79 [inline] + __kasan_kmalloc mm/kasan/common.c:489 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 + __do_kmalloc mm/slab.c:3660 [inline] + __kmalloc+0x15c/0x740 mm/slab.c:3669 + kmalloc include/linux/slab.h:552 [inline] + pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731 + arp_req_set_public net/ipv4/arp.c:1010 [inline] + arp_req_set+0x613/0x720 net/ipv4/arp.c:1026 + arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226 + inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926 + sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043 + sock_ioctl+0x3ed/0x780 net/socket.c:1194 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 + ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9824: + save_stack+0x23/0x90 mm/kasan/common.c:71 + set_track mm/kasan/common.c:79 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 + __cache_free mm/slab.c:3432 [inline] + kfree+0xcf/0x220 mm/slab.c:3755 + pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline] + __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356 + neigh_ifdown+0x20/0x30 net/core/neighbour.c:372 + arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274 + inetdev_destroy net/ipv4/devinet.c:319 [inline] + inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544 + notifier_call_chain+0xc2/0x230 kernel/notifier.c:95 + __raw_notifier_call_chain kernel/notifier.c:396 [inline] + raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403 + call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749 + call_netdevice_notifiers_extack net/core/dev.c:1761 [inline] + call_netdevice_notifiers net/core/dev.c:1775 [inline] + rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178 + rollback_registered+0x109/0x1d0 net/core/dev.c:8220 + unregister_netdevice_queue net/core/dev.c:9267 [inline] + unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260 + unregister_netdevice include/linux/netdevice.h:2631 [inline] + __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724 + tun_detach drivers/net/tun.c:741 [inline] + tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451 + __fput+0x2ff/0x890 fs/file_table.c:280 + ____fput+0x16/0x20 fs/file_table.c:313 + task_work_run+0x145/0x1c0 kernel/task_work.c:113 + tracehook_notify_resume include/linux/tracehook.h:185 [inline] + exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168 + prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] + syscall_return_slowpath arch/x86/entry/common.c:279 [inline] + do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff888097f2a700 + which belongs to the cache kmalloc-64 of size 64 +The buggy address is located 0 bytes inside of + 64-byte region [ffff888097f2a700, ffff888097f2a740) +The buggy address belongs to the page: +page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0 +flags: 0x1fffc0000000200(slab) +raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340 +raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ^ + ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + +Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 4e4ac77c6816..cd9e991f21d7 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2751,6 +2751,7 @@ static void *neigh_get_idx_any(struct seq_file *seq, loff_t *pos) + } + + void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags) ++ __acquires(tbl->lock) + __acquires(rcu_bh) + { + struct neigh_seq_state *state = seq->private; +@@ -2761,6 +2762,7 @@ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl + + rcu_read_lock_bh(); + state->nht = rcu_dereference_bh(tbl->nht); ++ read_lock(&tbl->lock); + + return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN; + } +@@ -2794,8 +2796,13 @@ void *neigh_seq_next(struct seq_file *seq, void *v, loff_t *pos) + EXPORT_SYMBOL(neigh_seq_next); + + void neigh_seq_stop(struct seq_file *seq, void *v) ++ __releases(tbl->lock) + __releases(rcu_bh) + { ++ struct neigh_seq_state *state = seq->private; ++ struct neigh_table *tbl = state->tbl; ++ ++ read_unlock(&tbl->lock); + rcu_read_unlock_bh(); + } + EXPORT_SYMBOL(neigh_seq_stop); +-- +2.20.1 + diff --git a/queue-4.19/net-aquantia-fix-lro-with-fcs-error.patch b/queue-4.19/net-aquantia-fix-lro-with-fcs-error.patch new file mode 100644 index 00000000000..afcbe630d97 --- /dev/null +++ b/queue-4.19/net-aquantia-fix-lro-with-fcs-error.patch @@ -0,0 +1,104 @@ +From 6460d4530b9adde94834f3a53920739b80a1e6d7 Mon Sep 17 00:00:00 2001 +From: Dmitry Bogdanov +Date: Sat, 25 May 2019 09:58:03 +0000 +Subject: net: aquantia: fix LRO with FCS error + +[ Upstream commit eaeb3b7494ba9159323814a8ce8af06a9277d99b ] + +Driver stops producing skbs on ring if a packet with FCS error +was coalesced into LRO session. Ring gets hang forever. + +Thats a logical error in driver processing descriptors: +When rx_stat indicates MAC Error, next pointer and eop flags +are not filled. This confuses driver so it waits for descriptor 0 +to be filled by HW. + +Solution is fill next pointer and eop flag even for packets with FCS error. + +Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions.") +Signed-off-by: Igor Russkikh +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../aquantia/atlantic/hw_atl/hw_atl_b0.c | 61 ++++++++++--------- + 1 file changed, 32 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index 56363ff5c891..51cd1f98bcf0 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -695,38 +695,41 @@ static int hw_atl_b0_hw_ring_rx_receive(struct aq_hw_s *self, + if ((rx_stat & BIT(0)) || rxd_wb->type & 0x1000U) { + /* MAC error or DMA error */ + buff->is_error = 1U; +- } else { +- if (self->aq_nic_cfg->is_rss) { +- /* last 4 byte */ +- u16 rss_type = rxd_wb->type & 0xFU; +- +- if (rss_type && rss_type < 0x8U) { +- buff->is_hash_l4 = (rss_type == 0x4 || +- rss_type == 0x5); +- buff->rss_hash = rxd_wb->rss_hash; +- } ++ } ++ if (self->aq_nic_cfg->is_rss) { ++ /* last 4 byte */ ++ u16 rss_type = rxd_wb->type & 0xFU; ++ ++ if (rss_type && rss_type < 0x8U) { ++ buff->is_hash_l4 = (rss_type == 0x4 || ++ rss_type == 0x5); ++ buff->rss_hash = rxd_wb->rss_hash; + } ++ } + +- if (HW_ATL_B0_RXD_WB_STAT2_EOP & rxd_wb->status) { +- buff->len = rxd_wb->pkt_len % +- AQ_CFG_RX_FRAME_MAX; +- buff->len = buff->len ? +- buff->len : AQ_CFG_RX_FRAME_MAX; +- buff->next = 0U; +- buff->is_eop = 1U; ++ if (HW_ATL_B0_RXD_WB_STAT2_EOP & rxd_wb->status) { ++ buff->len = rxd_wb->pkt_len % ++ AQ_CFG_RX_FRAME_MAX; ++ buff->len = buff->len ? ++ buff->len : AQ_CFG_RX_FRAME_MAX; ++ buff->next = 0U; ++ buff->is_eop = 1U; ++ } else { ++ buff->len = ++ rxd_wb->pkt_len > AQ_CFG_RX_FRAME_MAX ? ++ AQ_CFG_RX_FRAME_MAX : rxd_wb->pkt_len; ++ ++ if (HW_ATL_B0_RXD_WB_STAT2_RSCCNT & ++ rxd_wb->status) { ++ /* LRO */ ++ buff->next = rxd_wb->next_desc_ptr; ++ ++ring->stats.rx.lro_packets; + } else { +- if (HW_ATL_B0_RXD_WB_STAT2_RSCCNT & +- rxd_wb->status) { +- /* LRO */ +- buff->next = rxd_wb->next_desc_ptr; +- ++ring->stats.rx.lro_packets; +- } else { +- /* jumbo */ +- buff->next = +- aq_ring_next_dx(ring, +- ring->hw_head); +- ++ring->stats.rx.jumbo_packets; +- } ++ /* jumbo */ ++ buff->next = ++ aq_ring_next_dx(ring, ++ ring->hw_head); ++ ++ring->stats.rx.jumbo_packets; + } + } + } +-- +2.20.1 + diff --git a/queue-4.19/net-aquantia-tx-clean-budget-logic-error.patch b/queue-4.19/net-aquantia-tx-clean-budget-logic-error.patch new file mode 100644 index 00000000000..aef43b9f108 --- /dev/null +++ b/queue-4.19/net-aquantia-tx-clean-budget-logic-error.patch @@ -0,0 +1,53 @@ +From 5122b5d03f515f5cec1429414a7a3b66c8f83027 Mon Sep 17 00:00:00 2001 +From: Igor Russkikh +Date: Sat, 25 May 2019 09:57:59 +0000 +Subject: net: aquantia: tx clean budget logic error + +[ Upstream commit 31bafc49a7736989e4c2d9f7280002c66536e590 ] + +In case no other traffic happening on the ring, full tx cleanup +may not be completed. That may cause socket buffer to overflow +and tx traffic to stuck until next activity on the ring happens. + +This is due to logic error in budget variable decrementor. +Variable is compared with zero, and then post decremented, +causing it to become MAX_INT. Solution is remove decrementor +from the `for` statement and rewrite it in a clear way. + +Fixes: b647d3980948e ("net: aquantia: Add tx clean budget and valid budget handling logic") +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 6f3312350cac..b3c7994d73eb 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -139,10 +139,10 @@ void aq_ring_queue_stop(struct aq_ring_s *ring) + bool aq_ring_tx_clean(struct aq_ring_s *self) + { + struct device *dev = aq_nic_get_dev(self->aq_nic); +- unsigned int budget = AQ_CFG_TX_CLEAN_BUDGET; ++ unsigned int budget; + +- for (; self->sw_head != self->hw_head && budget--; +- self->sw_head = aq_ring_next_dx(self, self->sw_head)) { ++ for (budget = AQ_CFG_TX_CLEAN_BUDGET; ++ budget && self->sw_head != self->hw_head; budget--) { + struct aq_ring_buff_s *buff = &self->buff_ring[self->sw_head]; + + if (likely(buff->is_mapped)) { +@@ -167,6 +167,7 @@ bool aq_ring_tx_clean(struct aq_ring_s *self) + + buff->pa = 0U; + buff->eop_index = 0xffffU; ++ self->sw_head = aq_ring_next_dx(self, self->sw_head); + } + + return !!budget; +-- +2.20.1 + diff --git a/queue-4.19/net-dsa-rtl8366-fix-up-vlan-filtering.patch-7886 b/queue-4.19/net-dsa-rtl8366-fix-up-vlan-filtering.patch-7886 new file mode 100644 index 00000000000..51bf1032f72 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366-fix-up-vlan-filtering.patch-7886 @@ -0,0 +1,63 @@ +From 435b8bc77d6adeb6e65128fbb9bb2bd41cd1de19 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 14 Jun 2019 00:25:20 +0200 +Subject: net: dsa: rtl8366: Fix up VLAN filtering + +[ Upstream commit 760c80b70bed2cd01630e8595d1bbde910339f31 ] + +We get this regression when using RTL8366RB as part of a bridge +with OpenWrt: + +WARNING: CPU: 0 PID: 1347 at net/switchdev/switchdev.c:291 + switchdev_port_attr_set_now+0x80/0xa4 +lan0: Commit of attribute (id=7) failed. +(...) +realtek-smi switch lan0: failed to initialize vlan filtering on this port + +This is because it is trying to disable VLAN filtering +on VLAN0, as we have forgot to add 1 to the port number +to get the right VLAN in rtl8366_vlan_filtering(): when +we initialize the VLAN we associate VLAN1 with port 0, +VLAN2 with port 1 etc, so we need to add 1 to the port +offset. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/rtl8366.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 6dedd43442cc..35b767baf21f 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -307,7 +307,8 @@ int rtl8366_vlan_filtering(struct dsa_switch *ds, int port, bool vlan_filtering) + struct rtl8366_vlan_4k vlan4k; + int ret; + +- if (!smi->ops->is_vlan_valid(smi, port)) ++ /* Use VLAN nr port + 1 since VLAN0 is not valid */ ++ if (!smi->ops->is_vlan_valid(smi, port + 1)) + return -EINVAL; + + dev_info(smi->dev, "%s filtering on port %d\n", +@@ -318,12 +319,12 @@ int rtl8366_vlan_filtering(struct dsa_switch *ds, int port, bool vlan_filtering) + * The hardware support filter ID (FID) 0..7, I have no clue how to + * support this in the driver when the callback only says on/off. + */ +- ret = smi->ops->get_vlan_4k(smi, port, &vlan4k); ++ ret = smi->ops->get_vlan_4k(smi, port + 1, &vlan4k); + if (ret) + return ret; + + /* Just set the filter to FID 1 for now then */ +- ret = rtl8366_set_vlan(smi, port, ++ ret = rtl8366_set_vlan(smi, port + 1, + vlan4k.member, + vlan4k.untag, + 1); +-- +2.20.1 + diff --git a/queue-4.19/net-mlx5-avoid-reloading-already-removed-devices.patch-5846 b/queue-4.19/net-mlx5-avoid-reloading-already-removed-devices.patch-5846 new file mode 100644 index 00000000000..02908655cd9 --- /dev/null +++ b/queue-4.19/net-mlx5-avoid-reloading-already-removed-devices.patch-5846 @@ -0,0 +1,64 @@ +From 51e480eb6aba358e6f3f5be906574e3c2b122780 Mon Sep 17 00:00:00 2001 +From: Alaa Hleihel +Date: Sun, 19 May 2019 11:11:49 +0300 +Subject: net/mlx5: Avoid reloading already removed devices + +Prior to reloading a device we must first verify that it was not already +removed. Otherwise, the attempt to remove the device will do nothing, and +in that case we will end up proceeding with adding an new device that no +one was expecting to remove, leaving behind used resources such as EQs that +causes a failure to destroy comp EQs and syndrome (0x30f433). + +Fix that by making sure that we try to remove and add a device (based on a +protocol) only if the device is already added. + +Fixes: c5447c70594b ("net/mlx5: E-Switch, Reload IB interface when switching devlink modes") +Signed-off-by: Alaa Hleihel +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 25 +++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +index 37ba7c78859d..1c225be9c7db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -342,11 +342,32 @@ void mlx5_unregister_interface(struct mlx5_interface *intf) + } + EXPORT_SYMBOL(mlx5_unregister_interface); + ++/* Must be called with intf_mutex held */ ++static bool mlx5_has_added_dev_by_protocol(struct mlx5_core_dev *mdev, int protocol) ++{ ++ struct mlx5_device_context *dev_ctx; ++ struct mlx5_interface *intf; ++ bool found = false; ++ ++ list_for_each_entry(intf, &intf_list, list) { ++ if (intf->protocol == protocol) { ++ dev_ctx = mlx5_get_device(intf, &mdev->priv); ++ if (dev_ctx && test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state)) ++ found = true; ++ break; ++ } ++ } ++ ++ return found; ++} ++ + void mlx5_reload_interface(struct mlx5_core_dev *mdev, int protocol) + { + mutex_lock(&mlx5_intf_mutex); +- mlx5_remove_dev_by_protocol(mdev, protocol); +- mlx5_add_dev_by_protocol(mdev, protocol); ++ if (mlx5_has_added_dev_by_protocol(mdev, protocol)) { ++ mlx5_remove_dev_by_protocol(mdev, protocol); ++ mlx5_add_dev_by_protocol(mdev, protocol); ++ } + mutex_unlock(&mlx5_intf_mutex); + } + +-- +2.20.1 + diff --git a/queue-4.19/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch-28142 b/queue-4.19/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch-28142 new file mode 100644 index 00000000000..ec70173f8ff --- /dev/null +++ b/queue-4.19/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch-28142 @@ -0,0 +1,80 @@ +From 80968ca355fa5b1cff3c15aafa82996405f36f44 Mon Sep 17 00:00:00 2001 +From: Maxime Chevallier +Date: Tue, 11 Jun 2019 11:51:42 +0200 +Subject: net: mvpp2: prs: Fix parser range for VID filtering + +[ Upstream commit 46b0090a6636cf34c0e856f15dd03e15ba4cdda6 ] + +VID filtering is implemented in the Header Parser, with one range of 11 +vids being assigned for each no-loopback port. + +Make sure we use the per-port range when looking for existing entries in +the Parser. + +Since we used a global range instead of a per-port one, this causes VIDs +to be removed from the whitelist from all ports of the same PPv2 +instance. + +Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") +Suggested-by: Yuri Chipchev +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index 392fd895f278..e0da4db3bf56 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -1905,8 +1905,7 @@ static int mvpp2_prs_ip6_init(struct mvpp2 *priv) + } + + /* Find tcam entry with matched pair */ +-static int mvpp2_prs_vid_range_find(struct mvpp2 *priv, int pmap, u16 vid, +- u16 mask) ++static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask) + { + unsigned char byte[2], enable[2]; + struct mvpp2_prs_entry pe; +@@ -1914,13 +1913,13 @@ static int mvpp2_prs_vid_range_find(struct mvpp2 *priv, int pmap, u16 vid, + int tid; + + /* Go through the all entries with MVPP2_PRS_LU_VID */ +- for (tid = MVPP2_PE_VID_FILT_RANGE_START; +- tid <= MVPP2_PE_VID_FILT_RANGE_END; tid++) { +- if (!priv->prs_shadow[tid].valid || +- priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) ++ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); ++ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { ++ if (!port->priv->prs_shadow[tid].valid || ++ port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ mvpp2_prs_init_from_hw(port->priv, &pe, tid); + + mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]); + mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]); +@@ -1950,7 +1949,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + memset(&pe, 0, sizeof(pe)); + + /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, mask); ++ tid = mvpp2_prs_vid_range_find(port, vid, mask); + + reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id)); + if (reg_val & MVPP2_DSA_EXTENDED) +@@ -2008,7 +2007,7 @@ void mvpp2_prs_vid_entry_remove(struct mvpp2_port *port, u16 vid) + int tid; + + /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, 0xfff); ++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); + + /* No such entry */ + if (tid < 0) +-- +2.20.1 + diff --git a/queue-4.19/net-mvpp2-prs-use-the-correct-helpers-when-removing-.patch b/queue-4.19/net-mvpp2-prs-use-the-correct-helpers-when-removing-.patch new file mode 100644 index 00000000000..1cc2b20c099 --- /dev/null +++ b/queue-4.19/net-mvpp2-prs-use-the-correct-helpers-when-removing-.patch @@ -0,0 +1,43 @@ +From 8f1114692bcc6038f9179a8376ae873f1fbac8bc Mon Sep 17 00:00:00 2001 +From: Maxime Chevallier +Date: Tue, 11 Jun 2019 11:51:43 +0200 +Subject: net: mvpp2: prs: Use the correct helpers when removing all VID + filters + +[ Upstream commit 6b7a3430c163455cf8a514d636bda52b04654972 ] + +When removing all VID filters, the mvpp2_prs_vid_entry_remove would be +called with the TCAM id incorrectly used as a VID, causing the wrong +TCAM entries to be invalidated. + +Fix this by directly invalidating entries in the VID range. + +Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") +Suggested-by: Yuri Chipchev +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index e0da4db3bf56..ae2240074d8e 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -2025,8 +2025,10 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port) + + for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); + tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { +- if (priv->prs_shadow[tid].valid) +- mvpp2_prs_vid_entry_remove(port, tid); ++ if (priv->prs_shadow[tid].valid) { ++ mvpp2_prs_hw_inv(priv, tid); ++ priv->prs_shadow[tid].valid = false; ++ } + } + } + +-- +2.20.1 + diff --git a/queue-4.19/net-openvswitch-do-not-free-vport-if-register_netdev.patch b/queue-4.19/net-openvswitch-do-not-free-vport-if-register_netdev.patch new file mode 100644 index 00000000000..b3871707abb --- /dev/null +++ b/queue-4.19/net-openvswitch-do-not-free-vport-if-register_netdev.patch @@ -0,0 +1,112 @@ +From b7acd5b9344e6997587f2853406d9ff96716758f Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Sun, 9 Jun 2019 23:26:21 +0900 +Subject: net: openvswitch: do not free vport if register_netdevice() is + failed. + +[ Upstream commit 309b66970ee2abf721ecd0876a48940fa0b99a35 ] + +In order to create an internal vport, internal_dev_create() is used and +that calls register_netdevice() internally. +If register_netdevice() fails, it calls dev->priv_destructor() to free +private data of netdev. actually, a private data of this is a vport. + +Hence internal_dev_create() should not free and use a vport after failure +of register_netdevice(). + +Test command + ovs-dpctl add-dp bonding_masters + +Splat looks like: +[ 1035.667767] kasan: GPF could be caused by NULL-ptr deref or user memory access +[ 1035.675958] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 1035.676916] CPU: 1 PID: 1028 Comm: ovs-vswitchd Tainted: G B 5.2.0-rc3+ #240 +[ 1035.676916] RIP: 0010:internal_dev_create+0x2e5/0x4e0 [openvswitch] +[ 1035.676916] Code: 48 c1 ea 03 80 3c 02 00 0f 85 9f 01 00 00 4c 8b 23 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 60 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 86 01 00 00 49 8b bc 24 60 05 00 00 e8 e4 68 f4 +[ 1035.713720] RSP: 0018:ffff88810dcb7578 EFLAGS: 00010206 +[ 1035.713720] RAX: dffffc0000000000 RBX: ffff88810d13fe08 RCX: ffffffff84297704 +[ 1035.713720] RDX: 00000000000000ac RSI: 0000000000000000 RDI: 0000000000000560 +[ 1035.713720] RBP: 00000000ffffffef R08: fffffbfff0d3b881 R09: fffffbfff0d3b881 +[ 1035.713720] R10: 0000000000000001 R11: fffffbfff0d3b880 R12: 0000000000000000 +[ 1035.768776] R13: 0000607ee460b900 R14: ffff88810dcb7690 R15: ffff88810dcb7698 +[ 1035.777709] FS: 00007f02095fc980(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000 +[ 1035.777709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1035.777709] CR2: 00007ffdf01d2f28 CR3: 0000000108258000 CR4: 00000000001006e0 +[ 1035.777709] Call Trace: +[ 1035.777709] ovs_vport_add+0x267/0x4f0 [openvswitch] +[ 1035.777709] new_vport+0x15/0x1e0 [openvswitch] +[ 1035.777709] ovs_vport_cmd_new+0x567/0xd10 [openvswitch] +[ 1035.777709] ? ovs_dp_cmd_dump+0x490/0x490 [openvswitch] +[ 1035.777709] ? __kmalloc+0x131/0x2e0 +[ 1035.777709] ? genl_family_rcv_msg+0xa54/0x1030 +[ 1035.777709] genl_family_rcv_msg+0x63a/0x1030 +[ 1035.777709] ? genl_unregister_family+0x630/0x630 +[ 1035.841681] ? debug_show_all_locks+0x2d0/0x2d0 +[ ... ] + +Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") +Signed-off-by: Taehee Yoo +Reviewed-by: Greg Rose +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/vport-internal_dev.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c +index bb95c43aae76..5a304cfc8423 100644 +--- a/net/openvswitch/vport-internal_dev.c ++++ b/net/openvswitch/vport-internal_dev.c +@@ -169,7 +169,9 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + { + struct vport *vport; + struct internal_dev *internal_dev; ++ struct net_device *dev; + int err; ++ bool free_vport = true; + + vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms); + if (IS_ERR(vport)) { +@@ -177,8 +179,9 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + goto error; + } + +- vport->dev = alloc_netdev(sizeof(struct internal_dev), +- parms->name, NET_NAME_USER, do_setup); ++ dev = alloc_netdev(sizeof(struct internal_dev), ++ parms->name, NET_NAME_USER, do_setup); ++ vport->dev = dev; + if (!vport->dev) { + err = -ENOMEM; + goto error_free_vport; +@@ -199,8 +202,10 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + + rtnl_lock(); + err = register_netdevice(vport->dev); +- if (err) ++ if (err) { ++ free_vport = false; + goto error_unlock; ++ } + + dev_set_promiscuity(vport->dev, 1); + rtnl_unlock(); +@@ -210,11 +215,12 @@ static struct vport *internal_dev_create(const struct vport_parms *parms) + + error_unlock: + rtnl_unlock(); +- free_percpu(vport->dev->tstats); ++ free_percpu(dev->tstats); + error_free_netdev: +- free_netdev(vport->dev); ++ free_netdev(dev); + error_free_vport: +- ovs_vport_free(vport); ++ if (free_vport) ++ ovs_vport_free(vport); + error: + return ERR_PTR(err); + } +-- +2.20.1 + diff --git a/queue-4.19/net-phy-dp83867-set-up-rgmii-tx-delay.patch b/queue-4.19/net-phy-dp83867-set-up-rgmii-tx-delay.patch new file mode 100644 index 00000000000..35a06687ffa --- /dev/null +++ b/queue-4.19/net-phy-dp83867-set-up-rgmii-tx-delay.patch @@ -0,0 +1,39 @@ +From 4873fe40194cf6f9748e16e7edfe12463735a7d8 Mon Sep 17 00:00:00 2001 +From: Max Uvarov +Date: Tue, 28 May 2019 13:00:52 +0300 +Subject: net: phy: dp83867: Set up RGMII TX delay + +[ Upstream commit 2b892649254fec01678c64f16427622b41fa27f4 ] + +PHY_INTERFACE_MODE_RGMII_RXID is less then TXID +so code to set tx delay is never called. + +Fixes: 2a10154abcb75 ("net: phy: dp83867: Add TI dp83867 phy") +Signed-off-by: Max Uvarov +Cc: Florian Fainelli +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index b3935778b19f..e4bf9e7d7583 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -260,10 +260,8 @@ static int dp83867_config_init(struct phy_device *phydev) + ret = phy_write(phydev, MII_DP83867_PHYCTRL, val); + if (ret) + return ret; +- } + +- if ((phydev->interface >= PHY_INTERFACE_MODE_RGMII_ID) && +- (phydev->interface <= PHY_INTERFACE_MODE_RGMII_RXID)) { ++ /* Set up RGMII delays */ + val = phy_read_mmd(phydev, DP83867_DEVADDR, DP83867_RGMIICTL); + + if (phydev->interface == PHY_INTERFACE_MODE_RGMII_ID) +-- +2.20.1 + diff --git a/queue-4.19/net-phylink-ensure-consistent-phy-interface-mode.patch b/queue-4.19/net-phylink-ensure-consistent-phy-interface-mode.patch new file mode 100644 index 00000000000..9b2a68c106e --- /dev/null +++ b/queue-4.19/net-phylink-ensure-consistent-phy-interface-mode.patch @@ -0,0 +1,54 @@ +From da62577632857d63e82467c524cdbbf0425f7eec Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 28 May 2019 10:27:21 +0100 +Subject: net: phylink: ensure consistent phy interface mode + +[ Upstream commit c678726305b9425454be7c8a7624290b602602fc ] + +Ensure that we supply the same phy interface mode to mac_link_down() as +we did for the corresponding mac_link_up() call. This ensures that MAC +drivers that use the phy interface mode in these methods can depend on +mac_link_down() always corresponding to a mac_link_up() call for the +same interface mode. + +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index c5a509129ae6..b7dafa9dfef4 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -54,6 +54,10 @@ struct phylink { + + /* The link configuration settings */ + struct phylink_link_state link_config; ++ ++ /* The current settings */ ++ phy_interface_t cur_interface; ++ + struct gpio_desc *link_gpio; + struct timer_list link_poll; + void (*get_fixed_state)(struct net_device *dev, +@@ -477,12 +481,12 @@ static void phylink_resolve(struct work_struct *w) + if (!link_state.link) { + netif_carrier_off(ndev); + pl->ops->mac_link_down(ndev, pl->link_an_mode, +- pl->phy_state.interface); ++ pl->cur_interface); + netdev_info(ndev, "Link is Down\n"); + } else { ++ pl->cur_interface = link_state.interface; + pl->ops->mac_link_up(ndev, pl->link_an_mode, +- pl->phy_state.interface, +- pl->phydev); ++ pl->cur_interface, pl->phydev); + + netif_carrier_on(ndev); + +-- +2.20.1 + diff --git a/queue-4.19/net-phylink-set-the-autoneg-state-in-phylink_phy_cha.patch b/queue-4.19/net-phylink-set-the-autoneg-state-in-phylink_phy_cha.patch new file mode 100644 index 00000000000..19a53357942 --- /dev/null +++ b/queue-4.19/net-phylink-set-the-autoneg-state-in-phylink_phy_cha.patch @@ -0,0 +1,35 @@ +From 85735f3acb2fd44e0b490996bbf26c6a23474a73 Mon Sep 17 00:00:00 2001 +From: Ioana Ciornei +Date: Thu, 13 Jun 2019 09:37:51 +0300 +Subject: net: phylink: set the autoneg state in phylink_phy_change + +[ Upstream commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb ] + +The phy_state field of phylink should carry only valid information +especially when this can be passed to the .mac_config callback. +Update the an_enabled field with the autoneg state in the +phylink_phy_change function. + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index f6e70f2dfd12..c5a509129ae6 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -662,6 +662,7 @@ static void phylink_phy_change(struct phy_device *phydev, bool up, + pl->phy_state.pause |= MLO_PAUSE_ASYM; + pl->phy_state.interface = phydev->interface; + pl->phy_state.link = up; ++ pl->phy_state.an_enabled = phydev->autoneg; + mutex_unlock(&pl->state_mutex); + + phylink_run_resolve(pl); +-- +2.20.1 + diff --git a/queue-4.19/net-sh_eth-fix-mdio-access-in-sh_eth_close-for-r-car.patch b/queue-4.19/net-sh_eth-fix-mdio-access-in-sh_eth_close-for-r-car.patch new file mode 100644 index 00000000000..a7558e33b5a --- /dev/null +++ b/queue-4.19/net-sh_eth-fix-mdio-access-in-sh_eth_close-for-r-car.patch @@ -0,0 +1,51 @@ +From 53f150b778e402590126a5b3539d7f2d6097e0aa Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 28 May 2019 13:10:46 +0900 +Subject: net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and + RZ/A1 SoCs + +[ Upstream commit 315ca92dd863fecbffc0bb52ae0ac11e0398726a ] + +The sh_eth_close() resets the MAC and then calls phy_stop() +so that mdio read access result is incorrect without any error +according to kernel trace like below: + +ifconfig-216 [003] .n.. 109.133124: mdio_access: ee700000.ethernet-ffffffff read phy:0x01 reg:0x00 val:0xffff + +According to the hardware manual, the RMII mode should be set to 1 +before operation the Ethernet MAC. However, the previous code was not +set to 1 after the driver issued the soft_reset in sh_eth_dev_exit() +so that the mdio read access result seemed incorrect. To fix the issue, +this patch adds a condition and set the RMII mode register in +sh_eth_dev_exit() for R-Car Gen2 and RZ/A1 SoCs. + +Note that when I have tried to move the sh_eth_dev_exit() calling +after phy_stop() on sh_eth_close(), but it gets worse (kernel panic +happened and it seems that a register is accessed while the clock is +off). + +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index f27a0dc8c563..5e3e6e262ba3 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1588,6 +1588,10 @@ static void sh_eth_dev_exit(struct net_device *ndev) + sh_eth_get_stats(ndev); + mdp->cd->soft_reset(ndev); + ++ /* Set the RMII mode again if required */ ++ if (mdp->cd->rmiimode) ++ sh_eth_write(ndev, 0x1, RMIIMODE); ++ + /* Set MAC address again */ + update_mac_address(ndev); + } +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch b/queue-4.19/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch new file mode 100644 index 00000000000..b1aaff15a68 --- /dev/null +++ b/queue-4.19/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch @@ -0,0 +1,38 @@ +From df1fff0d6c2994c801cc4a196a63f3b97d6442fa Mon Sep 17 00:00:00 2001 +From: Biao Huang +Date: Fri, 24 May 2019 14:26:07 +0800 +Subject: net: stmmac: update rx tail pointer register to fix rx dma hang + issue. + +[ Upstream commit 4523a5611526709ec9b4e2574f1bb7818212651e ] + +Currently we will not update the receive descriptor tail pointer in +stmmac_rx_refill. Rx dma will think no available descriptors and stop +once received packets exceed DMA_RX_SIZE, so that the rx only test will fail. + +Update the receive tail pointer in stmmac_rx_refill to add more descriptors +to the rx channel, so packets can be received continually + +Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx") +Signed-off-by: Biao Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 50c00822b2d8..45e64d71a93f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3319,6 +3319,7 @@ static inline void stmmac_rx_refill(struct stmmac_priv *priv, u32 queue) + entry = STMMAC_GET_ENTRY(entry, DMA_RX_SIZE); + } + rx_q->dirty_rx = entry; ++ stmmac_set_rx_tail_ptr(priv, priv->ioaddr, rx_q->rx_tail_addr, queue); + } + + /** +-- +2.20.1 + diff --git a/queue-4.19/net-tulip-de4x5-drop-redundant-module_device_table.patch b/queue-4.19/net-tulip-de4x5-drop-redundant-module_device_table.patch new file mode 100644 index 00000000000..c2f5d424784 --- /dev/null +++ b/queue-4.19/net-tulip-de4x5-drop-redundant-module_device_table.patch @@ -0,0 +1,54 @@ +From c6fc2e580a1af3e201909459c849afe64d11ee03 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 24 May 2019 13:20:19 -0700 +Subject: net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() + +[ Upstream commit 3e66b7cc50ef921121babc91487e1fb98af1ba6e ] + +Building with Clang reports the redundant use of MODULE_DEVICE_TABLE(): + +drivers/net/ethernet/dec/tulip/de4x5.c:2110:1: error: redefinition of '__mod_eisa__de4x5_eisa_ids_device_table' +MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids); +^ +./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE' +extern typeof(name) __mod_##type##__##name##_device_table \ + ^ +:90:1: note: expanded from here +__mod_eisa__de4x5_eisa_ids_device_table +^ +drivers/net/ethernet/dec/tulip/de4x5.c:2100:1: note: previous definition is here +MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids); +^ +./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE' +extern typeof(name) __mod_##type##__##name##_device_table \ + ^ +:85:1: note: expanded from here +__mod_eisa__de4x5_eisa_ids_device_table +^ + +This drops the one further from the table definition to match the common +use of MODULE_DEVICE_TABLE(). + +Fixes: 07563c711fbc ("EISA bus MODALIAS attributes support") +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index 66535d1653f6..f16853c3c851 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -2107,7 +2107,6 @@ static struct eisa_driver de4x5_eisa_driver = { + .remove = de4x5_eisa_remove, + } + }; +-MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids); + #endif + + #ifdef CONFIG_PCI +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nf_queue-fix-reinject-verdict-handling.patch b/queue-4.19/netfilter-nf_queue-fix-reinject-verdict-handling.patch new file mode 100644 index 00000000000..efa16a768d2 --- /dev/null +++ b/queue-4.19/netfilter-nf_queue-fix-reinject-verdict-handling.patch @@ -0,0 +1,37 @@ +From 8974d5d6481d0b34ab9354d637199ede78654a9b Mon Sep 17 00:00:00 2001 +From: Jagdish Motwani +Date: Mon, 13 May 2019 23:47:40 +0530 +Subject: netfilter: nf_queue: fix reinject verdict handling + +[ Upstream commit 946c0d8e6ed43dae6527e878d0077c1e11015db0 ] + +This patch fixes netfilter hook traversal when there are more than 1 hooks +returning NF_QUEUE verdict. When the first queue reinjects the packet, +'nf_reinject' starts traversing hooks with a proper hook_index. However, +if it again receives a NF_QUEUE verdict (by some other netfilter hook), it +queues the packet with a wrong hook_index. So, when the second queue +reinjects the packet, it re-executes hooks in between. + +Fixes: 960632ece694 ("netfilter: convert hook list to an array") +Signed-off-by: Jagdish Motwani +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_queue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c +index d67a96a25a68..7569ba00e732 100644 +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -238,6 +238,7 @@ static unsigned int nf_iterate(struct sk_buff *skb, + repeat: + verdict = nf_hook_entry_hookfn(hook, skb, state); + if (verdict != NF_ACCEPT) { ++ *index = i; + if (verdict != NF_REPEAT) + return verdict; + goto repeat; +-- +2.20.1 + diff --git a/queue-4.19/nfc-ensure-presence-of-required-attributes-in-the-de.patch b/queue-4.19/nfc-ensure-presence-of-required-attributes-in-the-de.patch new file mode 100644 index 00000000000..75606848be0 --- /dev/null +++ b/queue-4.19/nfc-ensure-presence-of-required-attributes-in-the-de.patch @@ -0,0 +1,38 @@ +From 80ced5ac18af3ef4dc9300fd6b152a732891cdb1 Mon Sep 17 00:00:00 2001 +From: Young Xiao <92siuyang@gmail.com> +Date: Fri, 14 Jun 2019 15:13:02 +0800 +Subject: nfc: Ensure presence of required attributes in the deactivate_target + handler + +[ Upstream commit 385097a3675749cbc9e97c085c0e5dfe4269ca51 ] + +Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to +NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to +accessing them. This prevents potential unhandled NULL pointer dereference +exceptions which can be triggered by malicious user-mode programs, +if they omit one or both of these attributes. + +Signed-off-by: Young Xiao <92siuyang@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index 376181cc1def..9f2875efb4ac 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -922,7 +922,8 @@ static int nfc_genl_deactivate_target(struct sk_buff *skb, + u32 device_idx, target_idx; + int rc; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +-- +2.20.1 + diff --git a/queue-4.19/ocfs2-fix-error-path-kobject-memory-leak.patch b/queue-4.19/ocfs2-fix-error-path-kobject-memory-leak.patch new file mode 100644 index 00000000000..be8abed3730 --- /dev/null +++ b/queue-4.19/ocfs2-fix-error-path-kobject-memory-leak.patch @@ -0,0 +1,46 @@ +From b0ce99953bb1b201a032818ced2e39d879412158 Mon Sep 17 00:00:00 2001 +From: "Tobin C. Harding" +Date: Fri, 31 May 2019 22:30:29 -0700 +Subject: ocfs2: fix error path kobject memory leak + +[ Upstream commit b9fba67b3806e21b98bd5a98dc3921a8e9b42d61 ] + +If a call to kobject_init_and_add() fails we should call kobject_put() +otherwise we leak memory. + +Add call to kobject_put() in the error path of call to +kobject_init_and_add(). Please note, this has the side effect that the +release method is called if kobject_init_and_add() fails. + +Link: http://lkml.kernel.org/r/20190513033458.2824-1-tobin@kernel.org +Signed-off-by: Tobin C. Harding +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/filecheck.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ocfs2/filecheck.c b/fs/ocfs2/filecheck.c +index f65f2b2f594d..1906cc962c4d 100644 +--- a/fs/ocfs2/filecheck.c ++++ b/fs/ocfs2/filecheck.c +@@ -193,6 +193,7 @@ int ocfs2_filecheck_create_sysfs(struct ocfs2_super *osb) + ret = kobject_init_and_add(&entry->fs_kobj, &ocfs2_ktype_filecheck, + NULL, "filecheck"); + if (ret) { ++ kobject_put(&entry->fs_kobj); + kfree(fcheck); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/perf-data-fix-strncat-may-truncate-build-failure-wit.patch b/queue-4.19/perf-data-fix-strncat-may-truncate-build-failure-wit.patch new file mode 100644 index 00000000000..050aa96184b --- /dev/null +++ b/queue-4.19/perf-data-fix-strncat-may-truncate-build-failure-wit.patch @@ -0,0 +1,53 @@ +From ad9dc0e3d1796e1337486a8859ee737a08c8a764 Mon Sep 17 00:00:00 2001 +From: Shawn Landden +Date: Sat, 18 May 2019 15:32:38 -0300 +Subject: perf data: Fix 'strncat may truncate' build failure with recent gcc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 97acec7df172cd1e450f81f5e293c0aa145a2797 ] + +This strncat() is safe because the buffer was allocated with zalloc(), +however gcc doesn't know that. Since the string always has 4 non-null +bytes, just use memcpy() here. + + CC /home/shawn/linux/tools/perf/util/data-convert-bt.o + In file included from /usr/include/string.h:494, + from /home/shawn/linux/tools/lib/traceevent/event-parse.h:27, + from util/data-convert-bt.c:22: + In function ‘strncat’, + inlined from ‘string_set_value’ at util/data-convert-bt.c:274:4: + /usr/include/powerpc64le-linux-gnu/bits/string_fortified.h:136:10: error: ‘__builtin_strncat’ output may be truncated copying 4 bytes from a string of length 4 [-Werror=stringop-truncation] + 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Shawn Landden +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang Nan +LPU-Reference: 20190518183238.10954-1-shawn@git.icu +Link: https://lkml.kernel.org/n/tip-289f1jice17ta7tr3tstm9jm@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/data-convert-bt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/data-convert-bt.c b/tools/perf/util/data-convert-bt.c +index abd38abf1d91..24f2a87cf91d 100644 +--- a/tools/perf/util/data-convert-bt.c ++++ b/tools/perf/util/data-convert-bt.c +@@ -271,7 +271,7 @@ static int string_set_value(struct bt_ctf_field *field, const char *string) + if (i > 0) + strncpy(buffer, string, i); + } +- strncat(buffer + p, numstr, 4); ++ memcpy(buffer + p, numstr, 4); + p += 3; + } + } +-- +2.20.1 + diff --git a/queue-4.19/perf-namespace-protect-reading-thread-s-namespace.patch b/queue-4.19/perf-namespace-protect-reading-thread-s-namespace.patch new file mode 100644 index 00000000000..6c894443a66 --- /dev/null +++ b/queue-4.19/perf-namespace-protect-reading-thread-s-namespace.patch @@ -0,0 +1,60 @@ +From d3f7cba32820e241abf2f94ada3ce83ad96b04e4 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Wed, 22 May 2019 14:32:48 +0900 +Subject: perf namespace: Protect reading thread's namespace + +[ Upstream commit 6584140ba9e6762dd7ec73795243289b914f31f9 ] + +It seems that the current code lacks holding the namespace lock in +thread__namespaces(). Otherwise it can see inconsistent results. + +Signed-off-by: Namhyung Kim +Cc: Hari Bathini +Cc: Jiri Olsa +Cc: Krister Johansen +Link: http://lkml.kernel.org/r/20190522053250.207156-2-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/thread.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c +index 2048d393ece6..56007a7e0b4d 100644 +--- a/tools/perf/util/thread.c ++++ b/tools/perf/util/thread.c +@@ -128,7 +128,7 @@ void thread__put(struct thread *thread) + } + } + +-struct namespaces *thread__namespaces(const struct thread *thread) ++static struct namespaces *__thread__namespaces(const struct thread *thread) + { + if (list_empty(&thread->namespaces_list)) + return NULL; +@@ -136,10 +136,21 @@ struct namespaces *thread__namespaces(const struct thread *thread) + return list_first_entry(&thread->namespaces_list, struct namespaces, list); + } + ++struct namespaces *thread__namespaces(const struct thread *thread) ++{ ++ struct namespaces *ns; ++ ++ down_read((struct rw_semaphore *)&thread->namespaces_lock); ++ ns = __thread__namespaces(thread); ++ up_read((struct rw_semaphore *)&thread->namespaces_lock); ++ ++ return ns; ++} ++ + static int __thread__set_namespaces(struct thread *thread, u64 timestamp, + struct namespaces_event *event) + { +- struct namespaces *new, *curr = thread__namespaces(thread); ++ struct namespaces *new, *curr = __thread__namespaces(thread); + + new = namespaces__new(event); + if (!new) +-- +2.20.1 + diff --git a/queue-4.19/perf-record-fix-s390-missing-module-symbol-and-warni.patch b/queue-4.19/perf-record-fix-s390-missing-module-symbol-and-warni.patch new file mode 100644 index 00000000000..19c0e33b08b --- /dev/null +++ b/queue-4.19/perf-record-fix-s390-missing-module-symbol-and-warni.patch @@ -0,0 +1,103 @@ +From 6927a3d41c74f37e4350743d9b255a9b6d711a1b Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Wed, 22 May 2019 16:46:01 +0200 +Subject: perf record: Fix s390 missing module symbol and warning for non-root + users + +[ Upstream commit 6738028dd57df064b969d8392c943ef3b3ae705d ] + +Command 'perf record' and 'perf report' on a system without kernel +debuginfo packages uses /proc/kallsyms and /proc/modules to find +addresses for kernel and module symbols. On x86 this works for root and +non-root users. + +On s390, when invoked as non-root user, many of the following warnings +are shown and module symbols are missing: + + proc/{kallsyms,modules} inconsistency while looking for + "[sha1_s390]" module! + +Command 'perf record' creates a list of module start addresses by +parsing the output of /proc/modules and creates a PERF_RECORD_MMAP +record for the kernel and each module. The following function call +sequence is executed: + + machine__create_kernel_maps + machine__create_module + modules__parse + machine__create_module --> for each line in /proc/modules + arch__fix_module_text_start + +Function arch__fix_module_text_start() is s390 specific. It opens +file /sys/module//sections/.text to extract the module's .text +section start address. On s390 the module loader prepends a header +before the first section, whereas on x86 the module's text section +address is identical the the module's load address. + +However module section files are root readable only. For non-root the +read operation fails and machine__create_module() returns an error. +Command perf record does not generate any PERF_RECORD_MMAP record +for loaded modules. Later command perf report complains about missing +module maps. + +To fix this function arch__fix_module_text_start() always returns +success. For root users there is no change, for non-root users +the module's load address is used as module's text start address +(the prepended header then counts as part of the text section). + +This enable non-root users to use module symbols and avoid the +warning when perf report is executed. + +Output before: + + [tmricht@m83lp54 perf]$ ./perf report -D | fgrep MMAP + 0 0x168 [0x50]: PERF_RECORD_MMAP ... x [kernel.kallsyms]_text + +Output after: + + [tmricht@m83lp54 perf]$ ./perf report -D | fgrep MMAP + 0 0x168 [0x50]: PERF_RECORD_MMAP ... x [kernel.kallsyms]_text + 0 0x1b8 [0x98]: PERF_RECORD_MMAP ... x /lib/modules/.../autofs4.ko.xz + 0 0x250 [0xa8]: PERF_RECORD_MMAP ... x /lib/modules/.../sha_common.ko.xz + 0 0x2f8 [0x98]: PERF_RECORD_MMAP ... x /lib/modules/.../des_generic.ko.xz + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Cc: Heiko Carstens +Link: http://lkml.kernel.org/r/20190522144601.50763-4-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/s390/util/machine.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/arch/s390/util/machine.c b/tools/perf/arch/s390/util/machine.c +index 0b2054007314..a19690a17291 100644 +--- a/tools/perf/arch/s390/util/machine.c ++++ b/tools/perf/arch/s390/util/machine.c +@@ -5,16 +5,19 @@ + #include "util.h" + #include "machine.h" + #include "api/fs/fs.h" ++#include "debug.h" + + int arch__fix_module_text_start(u64 *start, const char *name) + { ++ u64 m_start = *start; + char path[PATH_MAX]; + + snprintf(path, PATH_MAX, "module/%.*s/sections/.text", + (int)strlen(name) - 2, name + 1); +- +- if (sysfs__read_ull(path, (unsigned long long *)start) < 0) +- return -1; ++ if (sysfs__read_ull(path, (unsigned long long *)start) < 0) { ++ pr_debug2("Using module %s start:%#lx\n", path, m_start); ++ *start = m_start; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/perf-ring-buffer-always-use-read-write-_once-for-rb-.patch b/queue-4.19/perf-ring-buffer-always-use-read-write-_once-for-rb-.patch new file mode 100644 index 00000000000..5c49fc7b08a --- /dev/null +++ b/queue-4.19/perf-ring-buffer-always-use-read-write-_once-for-rb-.patch @@ -0,0 +1,67 @@ +From c9aaa2b9874868e372a8e3b1ede9140e00cdf4fb Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 17 May 2019 13:52:33 +0200 +Subject: perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page + data + +[ Upstream commit 4d839dd9e4356bbacf3eb0ab13a549b83b008c21 ] + +We must use {READ,WRITE}_ONCE() on rb->user_page data such that +concurrent usage will see whole values. A few key sites were missing +this. + +Suggested-by: Yabin Cui +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: mark.rutland@arm.com +Cc: namhyung@kernel.org +Fixes: 7b732a750477 ("perf_counter: new output ABI - part 1") +Link: http://lkml.kernel.org/r/20190517115418.394192145@infradead.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index d32b9375ec0e..12f351b253bb 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -101,7 +101,7 @@ static void perf_output_put_handle(struct perf_output_handle *handle) + * See perf_output_begin(). + */ + smp_wmb(); /* B, matches C */ +- rb->user_page->data_head = head; ++ WRITE_ONCE(rb->user_page->data_head, head); + + /* + * We must publish the head before decrementing the nest count, +@@ -490,7 +490,7 @@ void perf_aux_output_end(struct perf_output_handle *handle, unsigned long size) + handle->aux_flags); + } + +- rb->user_page->aux_head = rb->aux_head; ++ WRITE_ONCE(rb->user_page->aux_head, rb->aux_head); + if (rb_need_aux_wakeup(rb)) + wakeup = true; + +@@ -522,7 +522,7 @@ int perf_aux_output_skip(struct perf_output_handle *handle, unsigned long size) + + rb->aux_head += size; + +- rb->user_page->aux_head = rb->aux_head; ++ WRITE_ONCE(rb->user_page->aux_head, rb->aux_head); + if (rb_need_aux_wakeup(rb)) { + perf_output_wakeup(handle); + handle->wakeup = rb->aux_wakeup + rb->aux_watermark; +-- +2.20.1 + diff --git a/queue-4.19/perf-ring_buffer-add-ordering-to-rb-nest-increment.patch b/queue-4.19/perf-ring_buffer-add-ordering-to-rb-nest-increment.patch new file mode 100644 index 00000000000..952a7758cfe --- /dev/null +++ b/queue-4.19/perf-ring_buffer-add-ordering-to-rb-nest-increment.patch @@ -0,0 +1,60 @@ +From 6b63c95707a2873d97b40b22fccf31d600add995 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 17 May 2019 13:52:32 +0200 +Subject: perf/ring_buffer: Add ordering to rb->nest increment + +[ Upstream commit 3f9fbe9bd86c534eba2faf5d840fd44c6049f50e ] + +Similar to how decrementing rb->next too early can cause data_head to +(temporarily) be observed to go backward, so too can this happen when +we increment too late. + +This barrier() ensures the rb->head load happens after the increment, +both the one in the 'goto again' path, as the one from +perf_output_get_handle() -- albeit very unlikely to matter for the +latter. + +Suggested-by: Yabin Cui +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: mark.rutland@arm.com +Cc: namhyung@kernel.org +Fixes: ef60777c9abd ("perf: Optimize the perf_output() path by removing IRQ-disables") +Link: http://lkml.kernel.org/r/20190517115418.309516009@infradead.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 31edf1f39cca..d32b9375ec0e 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -49,6 +49,15 @@ static void perf_output_put_handle(struct perf_output_handle *handle) + unsigned long head; + + again: ++ /* ++ * In order to avoid publishing a head value that goes backwards, ++ * we must ensure the load of @rb->head happens after we've ++ * incremented @rb->nest. ++ * ++ * Otherwise we can observe a @rb->head value before one published ++ * by an IRQ/NMI happening between the load and the increment. ++ */ ++ barrier(); + head = local_read(&rb->head); + + /* +-- +2.20.1 + diff --git a/queue-4.19/perf-ring_buffer-fix-exposing-a-temporarily-decrease.patch b/queue-4.19/perf-ring_buffer-fix-exposing-a-temporarily-decrease.patch new file mode 100644 index 00000000000..a2435220d05 --- /dev/null +++ b/queue-4.19/perf-ring_buffer-fix-exposing-a-temporarily-decrease.patch @@ -0,0 +1,97 @@ +From b7f7f5b54f5b1562d24115a9b2d98b2ce98e9074 Mon Sep 17 00:00:00 2001 +From: Yabin Cui +Date: Fri, 17 May 2019 13:52:31 +0200 +Subject: perf/ring_buffer: Fix exposing a temporarily decreased data_head + +[ Upstream commit 1b038c6e05ff70a1e66e3e571c2e6106bdb75f53 ] + +In perf_output_put_handle(), an IRQ/NMI can happen in below location and +write records to the same ring buffer: + + ... + local_dec_and_test(&rb->nest) + ... <-- an IRQ/NMI can happen here + rb->user_page->data_head = head; + ... + +In this case, a value A is written to data_head in the IRQ, then a value +B is written to data_head after the IRQ. And A > B. As a result, +data_head is temporarily decreased from A to B. And a reader may see +data_head < data_tail if it read the buffer frequently enough, which +creates unexpected behaviors. + +This can be fixed by moving dec(&rb->nest) to after updating data_head, +which prevents the IRQ/NMI above from updating data_head. + +[ Split up by peterz. ] + +Signed-off-by: Yabin Cui +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: mark.rutland@arm.com +Fixes: ef60777c9abd ("perf: Optimize the perf_output() path by removing IRQ-disables") +Link: http://lkml.kernel.org/r/20190517115418.224478157@infradead.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 99c7f199f2d4..31edf1f39cca 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -52,11 +52,18 @@ static void perf_output_put_handle(struct perf_output_handle *handle) + head = local_read(&rb->head); + + /* +- * IRQ/NMI can happen here, which means we can miss a head update. ++ * IRQ/NMI can happen here and advance @rb->head, causing our ++ * load above to be stale. + */ + +- if (!local_dec_and_test(&rb->nest)) ++ /* ++ * If this isn't the outermost nesting, we don't have to update ++ * @rb->user_page->data_head. ++ */ ++ if (local_read(&rb->nest) > 1) { ++ local_dec(&rb->nest); + goto out; ++ } + + /* + * Since the mmap() consumer (userspace) can run on a different CPU: +@@ -88,9 +95,18 @@ static void perf_output_put_handle(struct perf_output_handle *handle) + rb->user_page->data_head = head; + + /* +- * Now check if we missed an update -- rely on previous implied +- * compiler barriers to force a re-read. ++ * We must publish the head before decrementing the nest count, ++ * otherwise an IRQ/NMI can publish a more recent head value and our ++ * write will (temporarily) publish a stale value. ++ */ ++ barrier(); ++ local_set(&rb->nest, 0); ++ ++ /* ++ * Ensure we decrement @rb->nest before we validate the @rb->head. ++ * Otherwise we cannot be sure we caught the 'last' nested update. + */ ++ barrier(); + if (unlikely(head != local_read(&rb->head))) { + local_inc(&rb->nest); + goto again; +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-intel-ds-fix-event-vs.-uevent-pebs-constrai.patch b/queue-4.19/perf-x86-intel-ds-fix-event-vs.-uevent-pebs-constrai.patch new file mode 100644 index 00000000000..56470c8fba9 --- /dev/null +++ b/queue-4.19/perf-x86-intel-ds-fix-event-vs.-uevent-pebs-constrai.patch @@ -0,0 +1,153 @@ +From 2e97378843c2b5bfa540176a3db2154812af4881 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Mon, 20 May 2019 17:52:46 -0700 +Subject: perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints + +[ Upstream commit 23e3983a466cd540ffdd2bbc6e0c51e31934f941 ] + +This patch fixes an bug revealed by the following commit: + + 6b89d4c1ae85 ("perf/x86/intel: Fix INTEL_FLAGS_EVENT_CONSTRAINT* masking") + +That patch modified INTEL_FLAGS_EVENT_CONSTRAINT() to only look at the event code +when matching a constraint. If code+umask were needed, then the +INTEL_FLAGS_UEVENT_CONSTRAINT() macro was needed instead. +This broke with some of the constraints for PEBS events. + +Several of them, including the one used for cycles:p, cycles:pp, cycles:ppp +fell in that category and caused the event to be rejected in PEBS mode. +In other words, on some platforms a cmdline such as: + + $ perf top -e cycles:pp + +would fail with -EINVAL. + +This patch fixes this bug by properly using INTEL_FLAGS_UEVENT_CONSTRAINT() +when needed in the PEBS constraint tables. + +Reported-by: Ingo Molnar +Signed-off-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: kan.liang@intel.com +Link: http://lkml.kernel.org/r/20190521005246.423-1-eranian@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/ds.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index b7b01d762d32..e91814d1a27f 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -684,7 +684,7 @@ struct event_constraint intel_core2_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x1fc7, 0x1), /* SIMD_INST_RETURED.ANY */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */ + /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x01), + EVENT_CONSTRAINT_END + }; + +@@ -693,7 +693,7 @@ struct event_constraint intel_atom_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c5, 0x1), /* MISPREDICTED_BRANCH_RETIRED */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */ + /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x01), + /* Allow all events as PEBS with no flags */ + INTEL_ALL_EVENT_CONSTRAINT(0, 0x1), + EVENT_CONSTRAINT_END +@@ -701,7 +701,7 @@ struct event_constraint intel_atom_pebs_event_constraints[] = { + + struct event_constraint intel_slm_pebs_event_constraints[] = { + /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x1), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x1), + /* Allow all events as PEBS with no flags */ + INTEL_ALL_EVENT_CONSTRAINT(0, 0x1), + EVENT_CONSTRAINT_END +@@ -726,7 +726,7 @@ struct event_constraint intel_nehalem_pebs_event_constraints[] = { + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */ + /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x0f), + EVENT_CONSTRAINT_END + }; + +@@ -743,7 +743,7 @@ struct event_constraint intel_westmere_pebs_event_constraints[] = { + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */ + /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x0f), + EVENT_CONSTRAINT_END + }; + +@@ -752,7 +752,7 @@ struct event_constraint intel_snb_pebs_event_constraints[] = { + INTEL_PLD_CONSTRAINT(0x01cd, 0x8), /* MEM_TRANS_RETIRED.LAT_ABOVE_THR */ + INTEL_PST_CONSTRAINT(0x02cd, 0x8), /* MEM_TRANS_RETIRED.PRECISE_STORES */ + /* UOPS_RETIRED.ALL, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c2, 0xf), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c2, 0xf), + INTEL_EXCLEVT_CONSTRAINT(0xd0, 0xf), /* MEM_UOP_RETIRED.* */ + INTEL_EXCLEVT_CONSTRAINT(0xd1, 0xf), /* MEM_LOAD_UOPS_RETIRED.* */ + INTEL_EXCLEVT_CONSTRAINT(0xd2, 0xf), /* MEM_LOAD_UOPS_LLC_HIT_RETIRED.* */ +@@ -767,9 +767,9 @@ struct event_constraint intel_ivb_pebs_event_constraints[] = { + INTEL_PLD_CONSTRAINT(0x01cd, 0x8), /* MEM_TRANS_RETIRED.LAT_ABOVE_THR */ + INTEL_PST_CONSTRAINT(0x02cd, 0x8), /* MEM_TRANS_RETIRED.PRECISE_STORES */ + /* UOPS_RETIRED.ALL, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c2, 0xf), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c2, 0xf), + /* INST_RETIRED.PREC_DIST, inv=1, cmask=16 (cycles:ppp). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c0, 0x2), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c0, 0x2), + INTEL_EXCLEVT_CONSTRAINT(0xd0, 0xf), /* MEM_UOP_RETIRED.* */ + INTEL_EXCLEVT_CONSTRAINT(0xd1, 0xf), /* MEM_LOAD_UOPS_RETIRED.* */ + INTEL_EXCLEVT_CONSTRAINT(0xd2, 0xf), /* MEM_LOAD_UOPS_LLC_HIT_RETIRED.* */ +@@ -783,9 +783,9 @@ struct event_constraint intel_hsw_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x01c0, 0x2), /* INST_RETIRED.PRECDIST */ + INTEL_PLD_CONSTRAINT(0x01cd, 0xf), /* MEM_TRANS_RETIRED.* */ + /* UOPS_RETIRED.ALL, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c2, 0xf), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c2, 0xf), + /* INST_RETIRED.PREC_DIST, inv=1, cmask=16 (cycles:ppp). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c0, 0x2), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c0, 0x2), + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_NA(0x01c2, 0xf), /* UOPS_RETIRED.ALL */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_XLD(0x11d0, 0xf), /* MEM_UOPS_RETIRED.STLB_MISS_LOADS */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_XLD(0x21d0, 0xf), /* MEM_UOPS_RETIRED.LOCK_LOADS */ +@@ -806,9 +806,9 @@ struct event_constraint intel_bdw_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x01c0, 0x2), /* INST_RETIRED.PRECDIST */ + INTEL_PLD_CONSTRAINT(0x01cd, 0xf), /* MEM_TRANS_RETIRED.* */ + /* UOPS_RETIRED.ALL, inv=1, cmask=16 (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c2, 0xf), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c2, 0xf), + /* INST_RETIRED.PREC_DIST, inv=1, cmask=16 (cycles:ppp). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c0, 0x2), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c0, 0x2), + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_NA(0x01c2, 0xf), /* UOPS_RETIRED.ALL */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_UOPS_RETIRED.STLB_MISS_LOADS */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x21d0, 0xf), /* MEM_UOPS_RETIRED.LOCK_LOADS */ +@@ -829,9 +829,9 @@ struct event_constraint intel_bdw_pebs_event_constraints[] = { + struct event_constraint intel_skl_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x1c0, 0x2), /* INST_RETIRED.PREC_DIST */ + /* INST_RETIRED.PREC_DIST, inv=1, cmask=16 (cycles:ppp). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108001c0, 0x2), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108001c0, 0x2), + /* INST_RETIRED.TOTAL_CYCLES_PS (inv=1, cmask=16) (cycles:p). */ +- INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x108000c0, 0x0f), + INTEL_PLD_CONSTRAINT(0x1cd, 0xf), /* MEM_TRANS_RETIRED.* */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_LOADS */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x12d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_STORES */ +-- +2.20.1 + diff --git a/queue-4.19/powerpc-powernv-return-for-invalid-imc-domain.patch b/queue-4.19/powerpc-powernv-return-for-invalid-imc-domain.patch new file mode 100644 index 00000000000..d050d6514f8 --- /dev/null +++ b/queue-4.19/powerpc-powernv-return-for-invalid-imc-domain.patch @@ -0,0 +1,50 @@ +From d8f5f5c1ca15e857b32adc76be3f07fd50c80a27 Mon Sep 17 00:00:00 2001 +From: Anju T Sudhakar +Date: Mon, 20 May 2019 14:27:53 +0530 +Subject: powerpc/powernv: Return for invalid IMC domain + +[ Upstream commit b59bd3527fe3c1939340df558d7f9d568fc9f882 ] + +Currently init_imc_pmu() can fail either because we try to register an +IMC unit with an invalid domain (i.e an IMC node not supported by the +kernel) or something went wrong while registering a valid IMC unit. In +both the cases kernel provides a 'Register failed' error message. + +For example when trace-imc node is not supported by the kernel, but +skiboot advertises a trace-imc node we print: + + IMC Unknown Device type + IMC PMU (null) Register failed + +To avoid confusion just print the unknown device type message, before +attempting PMU registration, so the second message isn't printed. + +Fixes: 8f95faaac56c ("powerpc/powernv: Detect and create IMC device") +Reported-by: Pavaman Subramaniyam +Signed-off-by: Anju T Sudhakar +Reviewed-by: Madhavan Srinivasan +[mpe: Reword change log a bit] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-imc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-imc.c b/arch/powerpc/platforms/powernv/opal-imc.c +index 3d27f02695e4..828f6656f8f7 100644 +--- a/arch/powerpc/platforms/powernv/opal-imc.c ++++ b/arch/powerpc/platforms/powernv/opal-imc.c +@@ -161,6 +161,10 @@ static int imc_pmu_create(struct device_node *parent, int pmu_index, int domain) + struct imc_pmu *pmu_ptr; + u32 offset; + ++ /* Return for unknown domain */ ++ if (domain < 0) ++ return -EINVAL; ++ + /* memory for pmu */ + pmu_ptr = kzalloc(sizeof(*pmu_ptr), GFP_KERNEL); + if (!pmu_ptr) +-- +2.20.1 + diff --git a/queue-4.19/scsi-libcxgbi-add-a-check-for-null-pointer-in-cxgbi_.patch b/queue-4.19/scsi-libcxgbi-add-a-check-for-null-pointer-in-cxgbi_.patch new file mode 100644 index 00000000000..721a5212e22 --- /dev/null +++ b/queue-4.19/scsi-libcxgbi-add-a-check-for-null-pointer-in-cxgbi_.patch @@ -0,0 +1,34 @@ +From e8b27eb5d275456cc09d3bc3d16c839c309dd248 Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Wed, 22 May 2019 20:10:55 +0530 +Subject: scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() + +[ Upstream commit cc555759117e8349088e0c5d19f2f2a500bafdbd ] + +ip_dev_find() can return NULL so add a check for NULL pointer. + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/cxgbi/libcxgbi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/cxgbi/libcxgbi.c b/drivers/scsi/cxgbi/libcxgbi.c +index f2c561ca731a..cd2c247d6d0c 100644 +--- a/drivers/scsi/cxgbi/libcxgbi.c ++++ b/drivers/scsi/cxgbi/libcxgbi.c +@@ -641,6 +641,10 @@ cxgbi_check_route(struct sockaddr *dst_addr, int ifindex) + + if (ndev->flags & IFF_LOOPBACK) { + ndev = ip_dev_find(&init_net, daddr->sin_addr.s_addr); ++ if (!ndev) { ++ err = -ENETUNREACH; ++ goto rel_neigh; ++ } + mtu = ndev->mtu; + pr_info("rt dev %s, loopback -> %s, mtu %u.\n", + n->dev->name, ndev->name, mtu); +-- +2.20.1 + diff --git a/queue-4.19/scsi-libsas-delete-sas-port-if-expander-discover-fai.patch b/queue-4.19/scsi-libsas-delete-sas-port-if-expander-discover-fai.patch new file mode 100644 index 00000000000..7529d4e4d2f --- /dev/null +++ b/queue-4.19/scsi-libsas-delete-sas-port-if-expander-discover-fai.patch @@ -0,0 +1,89 @@ +From 93aafccd3def3d57a44dd3352d9c895b1b8178e0 Mon Sep 17 00:00:00 2001 +From: Jason Yan +Date: Tue, 14 May 2019 10:42:39 +0800 +Subject: scsi: libsas: delete sas port if expander discover failed + +[ Upstream commit 3b0541791453fbe7f42867e310e0c9eb6295364d ] + +The sas_port(phy->port) allocated in sas_ex_discover_expander() will not be +deleted when the expander failed to discover. This will cause resource leak +and a further issue of kernel BUG like below: + +[159785.843156] port-2:17:29: trying to add phy phy-2:17:29 fails: it's +already part of another port +[159785.852144] ------------[ cut here ]------------ +[159785.856833] kernel BUG at drivers/scsi/scsi_transport_sas.c:1086! +[159785.863000] Internal error: Oops - BUG: 0 [#1] SMP +[159785.867866] CPU: 39 PID: 16993 Comm: kworker/u96:2 Tainted: G +W OE 4.19.25-vhulk1901.1.0.h111.aarch64 #1 +[159785.878458] Hardware name: Huawei Technologies Co., Ltd. +Hi1620EVBCS/Hi1620EVBCS, BIOS Hi1620 CS B070 1P TA 03/21/2019 +[159785.889231] Workqueue: 0000:74:02.0_disco_q sas_discover_domain +[159785.895224] pstate: 40c00009 (nZcv daif +PAN +UAO) +[159785.900094] pc : sas_port_add_phy+0x188/0x1b8 +[159785.904524] lr : sas_port_add_phy+0x188/0x1b8 +[159785.908952] sp : ffff0001120e3b80 +[159785.912341] x29: ffff0001120e3b80 x28: 0000000000000000 +[159785.917727] x27: ffff802ade8f5400 x26: ffff0000681b7560 +[159785.923111] x25: ffff802adf11a800 x24: ffff0000680e8000 +[159785.928496] x23: ffff802ade8f5728 x22: ffff802ade8f5708 +[159785.933880] x21: ffff802adea2db40 x20: ffff802ade8f5400 +[159785.939264] x19: ffff802adea2d800 x18: 0000000000000010 +[159785.944649] x17: 00000000821bf734 x16: ffff00006714faa0 +[159785.950033] x15: ffff0000e8ab4ecf x14: 7261702079646165 +[159785.955417] x13: 726c612073277469 x12: ffff00006887b830 +[159785.960802] x11: ffff00006773eaa0 x10: 7968702079687020 +[159785.966186] x9 : 0000000000002453 x8 : 726f702072656874 +[159785.971570] x7 : 6f6e6120666f2074 x6 : ffff802bcfb21290 +[159785.976955] x5 : ffff802bcfb21290 x4 : 0000000000000000 +[159785.982339] x3 : ffff802bcfb298c8 x2 : 337752b234c2ab00 +[159785.987723] x1 : 337752b234c2ab00 x0 : 0000000000000000 +[159785.993108] Process kworker/u96:2 (pid: 16993, stack limit = +0x0000000072dae094) +[159786.000576] Call trace: +[159786.003097] sas_port_add_phy+0x188/0x1b8 +[159786.007179] sas_ex_get_linkrate.isra.5+0x134/0x140 +[159786.012130] sas_ex_discover_expander+0x128/0x408 +[159786.016906] sas_ex_discover_dev+0x218/0x4c8 +[159786.021249] sas_ex_discover_devices+0x9c/0x1a8 +[159786.025852] sas_discover_root_expander+0x134/0x160 +[159786.030802] sas_discover_domain+0x1b8/0x1e8 +[159786.035148] process_one_work+0x1b4/0x3f8 +[159786.039230] worker_thread+0x54/0x470 +[159786.042967] kthread+0x134/0x138 +[159786.046269] ret_from_fork+0x10/0x18 +[159786.049918] Code: 91322300 f0004402 91178042 97fe4c9b (d4210000) +[159786.056083] Modules linked in: hns3_enet_ut(OE) hclge(OE) hnae3(OE) +hisi_sas_test_hw(OE) hisi_sas_test_main(OE) serdes(OE) +[159786.067202] ---[ end trace 03622b9e2d99e196 ]--- +[159786.071893] Kernel panic - not syncing: Fatal exception +[159786.077190] SMP: stopping secondary CPUs +[159786.081192] Kernel Offset: disabled +[159786.084753] CPU features: 0x2,a2a00a38 + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Reported-by: Jian Luo +Signed-off-by: Jason Yan +CC: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 231eb79efa32..b141d1061f38 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -989,6 +989,8 @@ static struct domain_device *sas_ex_discover_expander( + list_del(&child->dev_list_node); + spin_unlock_irq(&parent->port->dev_list_lock); + sas_put_device(child); ++ sas_port_delete(phy->port); ++ phy->port = NULL; + return NULL; + } + list_add_tail(&child->siblings, &parent->ex_dev.children); +-- +2.20.1 + diff --git a/queue-4.19/scsi-scsi_dh_alua-fix-possible-null-ptr-deref.patch b/queue-4.19/scsi-scsi_dh_alua-fix-possible-null-ptr-deref.patch new file mode 100644 index 00000000000..7100d84d855 --- /dev/null +++ b/queue-4.19/scsi-scsi_dh_alua-fix-possible-null-ptr-deref.patch @@ -0,0 +1,61 @@ +From 69c5cf352e44af886b99851724602b1e6a5af5db Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 27 May 2019 22:22:09 +0800 +Subject: scsi: scsi_dh_alua: Fix possible null-ptr-deref + +[ Upstream commit 12e750bc62044de096ab9a95201213fd912b9994 ] + +If alloc_workqueue fails in alua_init, it should return -ENOMEM, otherwise +it will trigger null-ptr-deref while unloading module which calls +destroy_workqueue dereference +wq->lock like this: + +BUG: KASAN: null-ptr-deref in __lock_acquire+0x6b4/0x1ee0 +Read of size 8 at addr 0000000000000080 by task syz-executor.0/7045 + +CPU: 0 PID: 7045 Comm: syz-executor.0 Tainted: G C 5.1.0+ #28 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 +Call Trace: + dump_stack+0xa9/0x10e + __kasan_report+0x171/0x18d + ? __lock_acquire+0x6b4/0x1ee0 + kasan_report+0xe/0x20 + __lock_acquire+0x6b4/0x1ee0 + lock_acquire+0xb4/0x1b0 + __mutex_lock+0xd8/0xb90 + drain_workqueue+0x25/0x290 + destroy_workqueue+0x1f/0x3f0 + __x64_sys_delete_module+0x244/0x330 + do_syscall_64+0x72/0x2a0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Reported-by: Hulk Robot +Fixes: 03197b61c5ec ("scsi_dh_alua: Use workqueue for RTPG") +Signed-off-by: YueHaibing +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 12dc7100bb4c..d1154baa9436 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -1173,10 +1173,8 @@ static int __init alua_init(void) + int r; + + kaluad_wq = alloc_workqueue("kaluad", WQ_MEM_RECLAIM, 0); +- if (!kaluad_wq) { +- /* Temporary failure, bypass */ +- return SCSI_DH_DEV_TEMP_BUSY; +- } ++ if (!kaluad_wq) ++ return -ENOMEM; + + r = scsi_register_device_handler(&alua_dh); + if (r != 0) { +-- +2.20.1 + diff --git a/queue-4.19/scsi-smartpqi-properly-set-both-the-dma-mask-and-the.patch b/queue-4.19/scsi-smartpqi-properly-set-both-the-dma-mask-and-the.patch new file mode 100644 index 00000000000..fae2b72fa45 --- /dev/null +++ b/queue-4.19/scsi-smartpqi-properly-set-both-the-dma-mask-and-the.patch @@ -0,0 +1,57 @@ +From 4b13ac70296b5e995f6b82424df5bfbc51a5605e Mon Sep 17 00:00:00 2001 +From: Lianbo Jiang +Date: Mon, 27 May 2019 08:59:34 +0800 +Subject: scsi: smartpqi: properly set both the DMA mask and the coherent DMA + mask + +[ Upstream commit 1d94f06e7f5df4064ef336b7b710f50143b64a53 ] + +When SME is enabled, the smartpqi driver won't work on the HP DL385 G10 +machine, which causes the failure of kernel boot because it fails to +allocate pqi error buffer. Please refer to the kernel log: +.... +[ 9.431749] usbcore: registered new interface driver uas +[ 9.441524] Microsemi PQI Driver (v1.1.4-130) +[ 9.442956] i40e 0000:04:00.0: fw 6.70.48768 api 1.7 nvm 10.2.5 +[ 9.447237] smartpqi 0000:23:00.0: Microsemi Smart Family Controller found + Starting dracut initqueue hook... +[ OK ] Started Show Plymouth Boot Scre[ 9.471654] Broadcom NetXtreme-C/E driver bnxt_en v1.9.1 +en. +[ OK ] Started Forward Password Requests to Plymouth Directory Watch. +[[0;[ 9.487108] smartpqi 0000:23:00.0: failed to allocate PQI error buffer +.... +[ 139.050544] dracut-initqueue[949]: Warning: dracut-initqueue timeout - starting timeout scripts +[ 139.589779] dracut-initqueue[949]: Warning: dracut-initqueue timeout - starting timeout scripts + +Basically, the fact that the coherent DMA mask value wasn't set caused the +driver to fall back to SWIOTLB when SME is active. + +For correct operation, lets call the dma_set_mask_and_coherent() to +properly set the mask for both streaming and coherent, in order to inform +the kernel about the devices DMA addressing capabilities. + +Signed-off-by: Lianbo Jiang +Acked-by: Don Brace +Tested-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 3781e8109dd7..411d656f2530 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -6378,7 +6378,7 @@ static int pqi_pci_init(struct pqi_ctrl_info *ctrl_info) + else + mask = DMA_BIT_MASK(32); + +- rc = dma_set_mask(&ctrl_info->pci_dev->dev, mask); ++ rc = dma_set_mask_and_coherent(&ctrl_info->pci_dev->dev, mask); + if (rc) { + dev_err(&ctrl_info->pci_dev->dev, "failed to set DMA mask\n"); + goto disable_device; +-- +2.20.1 + diff --git a/queue-4.19/sctp-free-cookie-before-we-memdup-a-new-one.patch-9156 b/queue-4.19/sctp-free-cookie-before-we-memdup-a-new-one.patch-9156 new file mode 100644 index 00000000000..d8ac5cf99bc --- /dev/null +++ b/queue-4.19/sctp-free-cookie-before-we-memdup-a-new-one.patch-9156 @@ -0,0 +1,85 @@ +From 94952b029ca67d652a477f4d01300a91fdf05f26 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Thu, 13 Jun 2019 06:35:59 -0400 +Subject: sctp: Free cookie before we memdup a new one + +[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ] + +Based on comments from Xin, even after fixes for our recent syzbot +report of cookie memory leaks, its possible to get a resend of an INIT +chunk which would lead to us leaking cookie memory. + +To ensure that we don't leak cookie memory, free any previously +allocated cookie first. + +Change notes +v1->v2 +update subsystem tag in subject (davem) +repeat kfree check for peer_random and peer_hmacs (xin) + +v2->v3 +net->sctp +also free peer_chunks + +v3->v4 +fix subject tags + +v4->v5 +remove cut line + +Signed-off-by: Neil Horman +Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com +CC: Marcelo Ricardo Leitner +CC: Xin Long +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index ae65a1cfa596..fb546b2d67ca 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2600,6 +2600,8 @@ static int sctp_process_param(struct sctp_association *asoc, + case SCTP_PARAM_STATE_COOKIE: + asoc->peer.cookie_len = + ntohs(param.p->length) - sizeof(struct sctp_paramhdr); ++ if (asoc->peer.cookie) ++ kfree(asoc->peer.cookie); + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp); + if (!asoc->peer.cookie) + retval = 0; +@@ -2664,6 +2666,8 @@ static int sctp_process_param(struct sctp_association *asoc, + goto fall_through; + + /* Save peer's random parameter */ ++ if (asoc->peer.peer_random) ++ kfree(asoc->peer.peer_random); + asoc->peer.peer_random = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_random) { +@@ -2677,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc, + goto fall_through; + + /* Save peer's HMAC list */ ++ if (asoc->peer.peer_hmacs) ++ kfree(asoc->peer.peer_hmacs); + asoc->peer.peer_hmacs = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_hmacs) { +@@ -2692,6 +2698,8 @@ static int sctp_process_param(struct sctp_association *asoc, + if (!ep->auth_enable) + goto fall_through; + ++ if (asoc->peer.peer_chunks) ++ kfree(asoc->peer.peer_chunks); + asoc->peer.peer_chunks = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_chunks) +-- +2.20.1 + diff --git a/queue-4.19/selftests-netfilter-missing-error-check-when-setting.patch b/queue-4.19/selftests-netfilter-missing-error-check-when-setting.patch new file mode 100644 index 00000000000..5321f6d00d8 --- /dev/null +++ b/queue-4.19/selftests-netfilter-missing-error-check-when-setting.patch @@ -0,0 +1,41 @@ +From e7c4c931b7064808805a0cd038a2a54060e9a7a2 Mon Sep 17 00:00:00 2001 +From: Jeffrin Jose T +Date: Wed, 15 May 2019 12:14:04 +0530 +Subject: selftests: netfilter: missing error check when setting up veth + interface + +[ Upstream commit 82ce6eb1dd13fd12e449b2ee2c2ec051e6f52c43 ] + +A test for the basic NAT functionality uses ip command which needs veth +device. There is a condition where the kernel support for veth is not +compiled into the kernel and the test script breaks. This patch contains +code for reasonable error display and correct code exit. + +Signed-off-by: Jeffrin Jose T +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/nft_nat.sh | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index 8ec76681605c..f25f72a75cf3 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -23,7 +23,11 @@ ip netns add ns0 + ip netns add ns1 + ip netns add ns2 + +-ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 ++ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: No virtual ethernet pair device support in kernel" ++ exit $ksft_skip ++fi + ip link add veth1 netns ns0 type veth peer name eth0 netns ns2 + + ip -net ns0 link set lo up +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index e8ab4675218..3bab3dd3c48 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -15,3 +15,61 @@ vsock-virtio-set-sock_done-on-peer-shutdown.patch net-mlx5-avoid-reloading-already-removed-devices.patch net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch +ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch +lapb-fixed-leak-of-control-blocks.patch-3152 +neigh-fix-use-after-free-read-in-pneigh_get_next.patch-3377 +net-dsa-rtl8366-fix-up-vlan-filtering.patch-7886 +net-openvswitch-do-not-free-vport-if-register_netdev.patch +net-phylink-set-the-autoneg-state-in-phylink_phy_cha.patch +nfc-ensure-presence-of-required-attributes-in-the-de.patch +sctp-free-cookie-before-we-memdup-a-new-one.patch-9156 +sunhv-fix-device-naming-inconsistency-between-sunhv_.patch +tipc-purge-deferredq-list-for-each-grp-member-in-tip.patch +vsock-virtio-set-sock_done-on-peer-shutdown.patch-7251 +net-mlx5-avoid-reloading-already-removed-devices.patch-5846 +net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch-28142 +net-mvpp2-prs-use-the-correct-helpers-when-removing-.patch +staging-vc04_services-fix-a-couple-error-codes.patch +perf-x86-intel-ds-fix-event-vs.-uevent-pebs-constrai.patch +netfilter-nf_queue-fix-reinject-verdict-handling.patch +ipvs-fix-use-after-free-in-ip_vs_in.patch +selftests-netfilter-missing-error-check-when-setting.patch +clk-ti-clkctrl-fix-clkdm_clk-handling.patch +powerpc-powernv-return-for-invalid-imc-domain.patch +usb-xhci-fix-a-potential-null-pointer-dereference-in.patch +misdn-make-sure-device-name-is-nul-terminated.patch +x86-cpu-amd-don-t-force-the-cpb-cap-when-running-und.patch +perf-ring_buffer-fix-exposing-a-temporarily-decrease.patch +perf-ring_buffer-add-ordering-to-rb-nest-increment.patch +perf-ring-buffer-always-use-read-write-_once-for-rb-.patch +gpio-fix-gpio-adp5588-build-errors.patch +net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch +net-tulip-de4x5-drop-redundant-module_device_table.patch +acpi-pci-pm-add-missing-wakeup.flags.valid-checks.patch +loop-don-t-change-loop-device-under-exclusive-opener.patch +drm-etnaviv-lock-mmu-while-dumping-core.patch +net-aquantia-tx-clean-budget-logic-error.patch +net-aquantia-fix-lro-with-fcs-error.patch +i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch +alsa-hda-force-polling-mode-on-cnl-for-fixing-codec-.patch +configfs-fix-use-after-free-when-accessing-sd-s_dent.patch +perf-data-fix-strncat-may-truncate-build-failure-wit.patch +perf-namespace-protect-reading-thread-s-namespace.patch +perf-record-fix-s390-missing-module-symbol-and-warni.patch +ia64-fix-build-errors-by-exporting-paddr_to_nid.patch +xen-pvcalls-remove-set-but-not-used-variable.patch +xenbus-avoid-deadlock-during-suspend-due-to-open-tra.patch +kvm-ppc-book3s-use-new-mutex-to-synchronize-access-t.patch +kvm-ppc-book3s-hv-don-t-take-kvm-lock-around-kvm_for.patch +arm64-fix-syscall_fn_t-type.patch +arm64-use-the-correct-function-type-in-syscall_defin.patch +arm64-use-the-correct-function-type-for-__arm64_sys_.patch +net-sh_eth-fix-mdio-access-in-sh_eth_close-for-r-car.patch +net-phylink-ensure-consistent-phy-interface-mode.patch +net-phy-dp83867-set-up-rgmii-tx-delay.patch +scsi-libcxgbi-add-a-check-for-null-pointer-in-cxgbi_.patch +scsi-smartpqi-properly-set-both-the-dma-mask-and-the.patch +scsi-scsi_dh_alua-fix-possible-null-ptr-deref.patch +scsi-libsas-delete-sas-port-if-expander-discover-fai.patch +mlxsw-spectrum-prevent-force-of-56g.patch +ocfs2-fix-error-path-kobject-memory-leak.patch diff --git a/queue-4.19/staging-vc04_services-fix-a-couple-error-codes.patch b/queue-4.19/staging-vc04_services-fix-a-couple-error-codes.patch new file mode 100644 index 00000000000..58b2a50fed8 --- /dev/null +++ b/queue-4.19/staging-vc04_services-fix-a-couple-error-codes.patch @@ -0,0 +1,44 @@ +From 1c05d06419cc38781143292bc13a9d387ab1bbef Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 13 May 2019 14:07:18 +0300 +Subject: Staging: vc04_services: Fix a couple error codes + +[ Upstream commit ca4e4efbefbbdde0a7bb3023ea08d491f4daf9b9 ] + +These are accidentally returning positive EINVAL instead of negative +-EINVAL. Some of the callers treat positive values as success. + +Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") +Signed-off-by: Dan Carpenter +Acked-by: Stefan Wahren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/bcm2835-camera/controls.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/controls.c b/drivers/staging/vc04_services/bcm2835-camera/controls.c +index cff7b1e07153..b688ebc01740 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/controls.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/controls.c +@@ -576,7 +576,7 @@ static int ctrl_set_image_effect(struct bm2835_mmal_dev *dev, + dev->colourfx.enable ? "true" : "false", + dev->colourfx.u, dev->colourfx.v, + ret, (ret == 0 ? 0 : -EINVAL)); +- return (ret == 0 ? 0 : EINVAL); ++ return (ret == 0 ? 0 : -EINVAL); + } + + static int ctrl_set_colfx(struct bm2835_mmal_dev *dev, +@@ -600,7 +600,7 @@ static int ctrl_set_colfx(struct bm2835_mmal_dev *dev, + "%s: After: mmal_ctrl:%p ctrl id:0x%x ctrl val:%d ret %d(%d)\n", + __func__, mmal_ctrl, ctrl->id, ctrl->val, ret, + (ret == 0 ? 0 : -EINVAL)); +- return (ret == 0 ? 0 : EINVAL); ++ return (ret == 0 ? 0 : -EINVAL); + } + + static int ctrl_set_bitrate(struct bm2835_mmal_dev *dev, +-- +2.20.1 + diff --git a/queue-4.19/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch b/queue-4.19/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch new file mode 100644 index 00000000000..8844e679034 --- /dev/null +++ b/queue-4.19/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch @@ -0,0 +1,65 @@ +From 837cc34fcc298696326f1bd3d4e919d65f81e0b5 Mon Sep 17 00:00:00 2001 +From: John Paul Adrian Glaubitz +Date: Tue, 11 Jun 2019 17:38:37 +0200 +Subject: sunhv: Fix device naming inconsistency between sunhv_console and + sunhv_reg + +[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ] + +In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS" +to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged. + +This results in the hypervisor console device to be listed as "ttyHV0" under +/proc/consoles while the device node is still named "ttyS0": + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyS0 +root@osaka:~# + +This means that any userland code which tries to determine the name of the +device file of the hypervisor console device can not rely on the information +provided by /proc/consoles. In particular, booting current versions of debian- +installer inside a SPARC LDOM will fail with the installer unable to determine +the console device. + +After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well, +the inconsistency is fixed and it is possible again to determine the name +of the device file of the hypervisor console device by reading the contents +of /proc/console: + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyHV0 +root@osaka:~# + +With this change, debian-installer works correctly when installing inside +a SPARC LDOM. + +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sunhv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sunhv.c b/drivers/tty/serial/sunhv.c +index 63e34d868de8..f8503f8fc44e 100644 +--- a/drivers/tty/serial/sunhv.c ++++ b/drivers/tty/serial/sunhv.c +@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops = { + static struct uart_driver sunhv_reg = { + .owner = THIS_MODULE, + .driver_name = "sunhv", +- .dev_name = "ttyS", ++ .dev_name = "ttyHV", + .major = TTY_MAJOR, + }; + +-- +2.20.1 + diff --git a/queue-4.19/tipc-purge-deferredq-list-for-each-grp-member-in-tip.patch b/queue-4.19/tipc-purge-deferredq-list-for-each-grp-member-in-tip.patch new file mode 100644 index 00000000000..84c7538c3f0 --- /dev/null +++ b/queue-4.19/tipc-purge-deferredq-list-for-each-grp-member-in-tip.patch @@ -0,0 +1,41 @@ +From b539b3ac7f8ef183a88e29e9e196832f88dbd43e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 16 Jun 2019 17:24:07 +0800 +Subject: tipc: purge deferredq list for each grp member in tipc_group_delete + +[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ] + +Syzbot reported a memleak caused by grp members' deferredq list not +purged when the grp is be deleted. + +The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in +tipc_group_filter_msg() and the skb will stay in deferredq. + +So fix it by calling __skb_queue_purge for each member's deferredq +in tipc_group_delete() when a tipc sk leaves the grp. + +Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast") +Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/group.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/group.c b/net/tipc/group.c +index 06fee142f09f..3ee93b5c19b6 100644 +--- a/net/tipc/group.c ++++ b/net/tipc/group.c +@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net, struct tipc_group *grp) + + rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) { + tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq); ++ __skb_queue_purge(&m->deferredq); + list_del(&m->list); + kfree(m); + } +-- +2.20.1 + diff --git a/queue-4.19/usb-xhci-fix-a-potential-null-pointer-dereference-in.patch b/queue-4.19/usb-xhci-fix-a-potential-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..f50942fe38c --- /dev/null +++ b/queue-4.19/usb-xhci-fix-a-potential-null-pointer-dereference-in.patch @@ -0,0 +1,45 @@ +From f9076059b547b93821b13682bcb4294ed13c5d4d Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Wed, 22 May 2019 14:33:58 +0300 +Subject: usb: xhci: Fix a potential null pointer dereference in + xhci_debugfs_create_endpoint() + +[ Upstream commit 5bce256f0b528624a34fe907db385133bb7be33e ] + +In xhci_debugfs_create_slot(), kzalloc() can fail and +dev->debugfs_private will be NULL. +In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without +any null-pointer check, and can cause a null pointer dereference. + +To fix this bug, a null-pointer check is added in +xhci_debugfs_create_endpoint(). + +This bug is found by a runtime fuzzing tool named FIZZER written by us. + +[subjet line change change, add potential -Mathais] +Signed-off-by: Jia-Ju Bai +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c +index cadc01336bf8..7ba6afc7ef23 100644 +--- a/drivers/usb/host/xhci-debugfs.c ++++ b/drivers/usb/host/xhci-debugfs.c +@@ -440,6 +440,9 @@ void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci, + struct xhci_ep_priv *epriv; + struct xhci_slot_priv *spriv = dev->debugfs_private; + ++ if (!spriv) ++ return; ++ + if (spriv->eps[ep_index]) + return; + +-- +2.20.1 + diff --git a/queue-4.19/vsock-virtio-set-sock_done-on-peer-shutdown.patch-7251 b/queue-4.19/vsock-virtio-set-sock_done-on-peer-shutdown.patch-7251 new file mode 100644 index 00000000000..0787e4f7c8d --- /dev/null +++ b/queue-4.19/vsock-virtio-set-sock_done-on-peer-shutdown.patch-7251 @@ -0,0 +1,41 @@ +From 42a9ce27172ea5f3858bf742a60d3c0e352c0018 Mon Sep 17 00:00:00 2001 +From: Stephen Barber +Date: Fri, 14 Jun 2019 23:42:37 -0700 +Subject: vsock/virtio: set SOCK_DONE on peer shutdown + +[ Upstream commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c ] + +Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has +shut down and there is nothing left to read. + +This fixes the following bug: +1) Peer sends SHUTDOWN(RDWR). +2) Socket enters TCP_CLOSING but SOCK_DONE is not set. +3) read() returns -ENOTCONN until close() is called, then returns 0. + +Signed-off-by: Stephen Barber +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index f3f3d06cb6d8..e30f53728725 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -871,8 +871,10 @@ virtio_transport_recv_connected(struct sock *sk, + if (le32_to_cpu(pkt->hdr.flags) & VIRTIO_VSOCK_SHUTDOWN_SEND) + vsk->peer_shutdown |= SEND_SHUTDOWN; + if (vsk->peer_shutdown == SHUTDOWN_MASK && +- vsock_stream_has_data(vsk) <= 0) ++ vsock_stream_has_data(vsk) <= 0) { ++ sock_set_flag(sk, SOCK_DONE); + sk->sk_state = TCP_CLOSING; ++ } + if (le32_to_cpu(pkt->hdr.flags)) + sk->sk_state_change(sk); + break; +-- +2.20.1 + diff --git a/queue-4.19/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-und.patch b/queue-4.19/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-und.patch new file mode 100644 index 00000000000..7bb97919adc --- /dev/null +++ b/queue-4.19/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-und.patch @@ -0,0 +1,68 @@ +From 5787b250603accfa2870606eb63628b9a252b324 Mon Sep 17 00:00:00 2001 +From: Frank van der Linden +Date: Wed, 22 May 2019 22:17:45 +0000 +Subject: x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor + +[ Upstream commit 2ac44ab608705948564791ce1d15d43ba81a1e38 ] + +For F17h AMD CPUs, the CPB capability ('Core Performance Boost') is forcibly set, +because some versions of that chip incorrectly report that they do not have it. + +However, a hypervisor may filter out the CPB capability, for good +reasons. For example, KVM currently does not emulate setting the CPB +bit in MSR_K7_HWCR, and unchecked MSR access errors will be thrown +when trying to set it as a guest: + + unchecked MSR access error: WRMSR to 0xc0010015 (tried to write 0x0000000001000011) at rIP: 0xffffffff890638f4 (native_write_msr+0x4/0x20) + + Call Trace: + boost_set_msr+0x50/0x80 [acpi_cpufreq] + cpuhp_invoke_callback+0x86/0x560 + sort_range+0x20/0x20 + cpuhp_thread_fun+0xb0/0x110 + smpboot_thread_fn+0xef/0x160 + kthread+0x113/0x130 + kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x35/0x40 + +To avoid this issue, don't forcibly set the CPB capability for a CPU +when running under a hypervisor. + +Signed-off-by: Frank van der Linden +Acked-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: bp@alien8.de +Cc: jiaxun.yang@flygoat.com +Fixes: 0237199186e7 ("x86/CPU/AMD: Set the CPB bit unconditionally on F17h") +Link: http://lkml.kernel.org/r/20190522221745.GA15789@dev-dsk-fllinden-2c-c1893d73.us-west-2.amazon.com +[ Minor edits to the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/amd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 6a25278e0092..da1f5e78363e 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -819,8 +819,11 @@ static void init_amd_zn(struct cpuinfo_x86 *c) + { + set_cpu_cap(c, X86_FEATURE_ZEN); + +- /* Fix erratum 1076: CPB feature bit not being set in CPUID. */ +- if (!cpu_has(c, X86_FEATURE_CPB)) ++ /* ++ * Fix erratum 1076: CPB feature bit not being set in CPUID. ++ * Always set it, except when running under a hypervisor. ++ */ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && !cpu_has(c, X86_FEATURE_CPB)) + set_cpu_cap(c, X86_FEATURE_CPB); + } + +-- +2.20.1 + diff --git a/queue-4.19/xen-pvcalls-remove-set-but-not-used-variable.patch b/queue-4.19/xen-pvcalls-remove-set-but-not-used-variable.patch new file mode 100644 index 00000000000..a9e85e47a80 --- /dev/null +++ b/queue-4.19/xen-pvcalls-remove-set-but-not-used-variable.patch @@ -0,0 +1,63 @@ +From 4601b82a8e6946fd49354e0000c14ba6ca3137d3 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 25 May 2019 22:21:51 +0800 +Subject: xen/pvcalls: Remove set but not used variable + +[ Upstream commit 41349672e3cbc2e8349831f21253509c3415aa2b ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/xen/pvcalls-front.c: In function pvcalls_front_sendmsg: +drivers/xen/pvcalls-front.c:543:25: warning: variable bedata set but not used [-Wunused-but-set-variable] +drivers/xen/pvcalls-front.c: In function pvcalls_front_recvmsg: +drivers/xen/pvcalls-front.c:638:25: warning: variable bedata set but not used [-Wunused-but-set-variable] + +They are never used since introduction. + +Signed-off-by: YueHaibing +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +--- + drivers/xen/pvcalls-front.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c +index 91da7e44d5d4..3a144eecb6a7 100644 +--- a/drivers/xen/pvcalls-front.c ++++ b/drivers/xen/pvcalls-front.c +@@ -538,7 +538,6 @@ static int __write_ring(struct pvcalls_data_intf *intf, + int pvcalls_front_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { +- struct pvcalls_bedata *bedata; + struct sock_mapping *map; + int sent, tot_sent = 0; + int count = 0, flags; +@@ -550,7 +549,6 @@ int pvcalls_front_sendmsg(struct socket *sock, struct msghdr *msg, + map = pvcalls_enter_sock(sock); + if (IS_ERR(map)) + return PTR_ERR(map); +- bedata = dev_get_drvdata(&pvcalls_front_dev->dev); + + mutex_lock(&map->active.out_mutex); + if ((flags & MSG_DONTWAIT) && !pvcalls_front_write_todo(map)) { +@@ -633,7 +631,6 @@ static int __read_ring(struct pvcalls_data_intf *intf, + int pvcalls_front_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + int flags) + { +- struct pvcalls_bedata *bedata; + int ret; + struct sock_mapping *map; + +@@ -643,7 +640,6 @@ int pvcalls_front_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + map = pvcalls_enter_sock(sock); + if (IS_ERR(map)) + return PTR_ERR(map); +- bedata = dev_get_drvdata(&pvcalls_front_dev->dev); + + mutex_lock(&map->active.in_mutex); + if (len > XEN_FLEX_RING_SIZE(PVCALLS_RING_ORDER)) +-- +2.20.1 + diff --git a/queue-4.19/xenbus-avoid-deadlock-during-suspend-due-to-open-tra.patch b/queue-4.19/xenbus-avoid-deadlock-during-suspend-due-to-open-tra.patch new file mode 100644 index 00000000000..5ecd11df57f --- /dev/null +++ b/queue-4.19/xenbus-avoid-deadlock-during-suspend-due-to-open-tra.patch @@ -0,0 +1,161 @@ +From 0fb28e46a86e6d5ece83ad652bf05e20a719d6c4 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Mon, 13 May 2019 14:56:35 +0100 +Subject: xenbus: Avoid deadlock during suspend due to open transactions + +[ Upstream commit d10e0cc113c9e1b64b5c6e3db37b5c839794f3df ] + +During a suspend/resume, the xenwatch thread waits for all outstanding +xenstore requests and transactions to complete. This does not work +correctly for transactions started by userspace because it waits for +them to complete after freezing userspace threads which means the +transactions have no way of completing, resulting in a deadlock. This is +trivial to reproduce by running this script and then suspending the VM: + + import pyxs, time + c = pyxs.client.Client(xen_bus_path="/dev/xen/xenbus") + c.connect() + c.transaction() + time.sleep(3600) + +Even if this deadlock were resolved, misbehaving userspace should not +prevent a VM from being migrated. So, instead of waiting for these +transactions to complete before suspending, store the current generation +id for each transaction when it is started. The global generation id is +incremented during resume. If the caller commits the transaction and the +generation id does not match the current generation id, return EAGAIN so +that they try again. If the transaction was instead discarded, return OK +since no changes were made anyway. + +This only affects users of the xenbus file interface. In-kernel users of +xenbus are assumed to be well-behaved and complete all transactions +before freezing. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +--- + drivers/xen/xenbus/xenbus.h | 3 +++ + drivers/xen/xenbus/xenbus_dev_frontend.c | 18 ++++++++++++++++++ + drivers/xen/xenbus/xenbus_xs.c | 7 +++++-- + 3 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/drivers/xen/xenbus/xenbus.h b/drivers/xen/xenbus/xenbus.h +index 092981171df1..d75a2385b37c 100644 +--- a/drivers/xen/xenbus/xenbus.h ++++ b/drivers/xen/xenbus/xenbus.h +@@ -83,6 +83,7 @@ struct xb_req_data { + int num_vecs; + int err; + enum xb_req_state state; ++ bool user_req; + void (*cb)(struct xb_req_data *); + void *par; + }; +@@ -133,4 +134,6 @@ void xenbus_ring_ops_init(void); + int xenbus_dev_request_and_reply(struct xsd_sockmsg *msg, void *par); + void xenbus_dev_queue_reply(struct xb_req_data *req); + ++extern unsigned int xb_dev_generation_id; ++ + #endif +diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c +index 0782ff3c2273..39c63152a358 100644 +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -62,6 +62,8 @@ + + #include "xenbus.h" + ++unsigned int xb_dev_generation_id; ++ + /* + * An element of a list of outstanding transactions, for which we're + * still waiting a reply. +@@ -69,6 +71,7 @@ + struct xenbus_transaction_holder { + struct list_head list; + struct xenbus_transaction handle; ++ unsigned int generation_id; + }; + + /* +@@ -441,6 +444,7 @@ static int xenbus_write_transaction(unsigned msg_type, + rc = -ENOMEM; + goto out; + } ++ trans->generation_id = xb_dev_generation_id; + list_add(&trans->list, &u->transactions); + } else if (msg->hdr.tx_id != 0 && + !xenbus_get_transaction(u, msg->hdr.tx_id)) +@@ -449,6 +453,20 @@ static int xenbus_write_transaction(unsigned msg_type, + !(msg->hdr.len == 2 && + (!strcmp(msg->body, "T") || !strcmp(msg->body, "F")))) + return xenbus_command_reply(u, XS_ERROR, "EINVAL"); ++ else if (msg_type == XS_TRANSACTION_END) { ++ trans = xenbus_get_transaction(u, msg->hdr.tx_id); ++ if (trans && trans->generation_id != xb_dev_generation_id) { ++ list_del(&trans->list); ++ kfree(trans); ++ if (!strcmp(msg->body, "T")) ++ return xenbus_command_reply(u, XS_ERROR, ++ "EAGAIN"); ++ else ++ return xenbus_command_reply(u, ++ XS_TRANSACTION_END, ++ "OK"); ++ } ++ } + + rc = xenbus_dev_request_and_reply(&msg->hdr, u); + if (rc && trans) { +diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c +index 49a3874ae6bb..ddc18da61834 100644 +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -105,6 +105,7 @@ static void xs_suspend_enter(void) + + static void xs_suspend_exit(void) + { ++ xb_dev_generation_id++; + spin_lock(&xs_state_lock); + xs_suspend_active--; + spin_unlock(&xs_state_lock); +@@ -125,7 +126,7 @@ static uint32_t xs_request_enter(struct xb_req_data *req) + spin_lock(&xs_state_lock); + } + +- if (req->type == XS_TRANSACTION_START) ++ if (req->type == XS_TRANSACTION_START && !req->user_req) + xs_state_users++; + xs_state_users++; + rq_id = xs_request_id++; +@@ -140,7 +141,7 @@ void xs_request_exit(struct xb_req_data *req) + spin_lock(&xs_state_lock); + xs_state_users--; + if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) || +- (req->type == XS_TRANSACTION_END && ++ (req->type == XS_TRANSACTION_END && !req->user_req && + !WARN_ON_ONCE(req->msg.type == XS_ERROR && + !strcmp(req->body, "ENOENT")))) + xs_state_users--; +@@ -286,6 +287,7 @@ int xenbus_dev_request_and_reply(struct xsd_sockmsg *msg, void *par) + req->num_vecs = 1; + req->cb = xenbus_dev_queue_reply; + req->par = par; ++ req->user_req = true; + + xs_send(req, msg); + +@@ -313,6 +315,7 @@ static void *xs_talkv(struct xenbus_transaction t, + req->vec = iovec; + req->num_vecs = num_vecs; + req->cb = xs_wake_up; ++ req->user_req = false; + + msg.req_id = 0; + msg.tx_id = t.id; +-- +2.20.1 +