From: Greg Kroah-Hartman Date: Wed, 17 Jul 2019 00:23:42 +0000 (+0900) Subject: 4.14-stable patches X-Git-Tag: v5.2.2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae786593385ea38d16fc82d8abe3cd77a32c1713;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arc-hide-unused-function-unw_hdr_alloc.patch crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch s390-fix-stfle-zero-padding.patch s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch s390-qdio-re-initialize-tiqdio-list-entries.patch --- diff --git a/queue-4.14/arc-hide-unused-function-unw_hdr_alloc.patch b/queue-4.14/arc-hide-unused-function-unw_hdr_alloc.patch new file mode 100644 index 00000000000..ad3067959b2 --- /dev/null +++ b/queue-4.14/arc-hide-unused-function-unw_hdr_alloc.patch @@ -0,0 +1,50 @@ +From fd5de2721ea7d16e2b16c4049ac49f229551b290 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 3 Jul 2019 15:39:25 +0200 +Subject: ARC: hide unused function unw_hdr_alloc + +From: Arnd Bergmann + +commit fd5de2721ea7d16e2b16c4049ac49f229551b290 upstream. + +As kernelci.org reports, this function is not used in +vdk_hs38_defconfig: + +arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function] + +Fixes: bc79c9a72165 ("ARC: dw2 unwind: Reinstante unwinding out of modules") +Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/ +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/unwind.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/arch/arc/kernel/unwind.c ++++ b/arch/arc/kernel/unwind.c +@@ -185,11 +185,6 @@ static void *__init unw_hdr_alloc_early( + MAX_DMA_ADDRESS); + } + +-static void *unw_hdr_alloc(unsigned long sz) +-{ +- return kmalloc(sz, GFP_KERNEL); +-} +- + static void init_unwind_table(struct unwind_table *table, const char *name, + const void *core_start, unsigned long core_size, + const void *init_start, unsigned long init_size, +@@ -370,6 +365,10 @@ ret_err: + } + + #ifdef CONFIG_MODULES ++static void *unw_hdr_alloc(unsigned long sz) ++{ ++ return kmalloc(sz, GFP_KERNEL); ++} + + static struct unwind_table *last_table; + diff --git a/queue-4.14/crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch b/queue-4.14/crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch new file mode 100644 index 00000000000..02e1023e244 --- /dev/null +++ b/queue-4.14/crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch @@ -0,0 +1,49 @@ +From e52d484d9869eb291140545746ccbe5ffc7c9306 Mon Sep 17 00:00:00 2001 +From: Haren Myneni +Date: Tue, 18 Jun 2019 12:09:22 -0700 +Subject: crypto/NX: Set receive window credits to max number of CRBs in RxFIFO + +From: Haren Myneni + +commit e52d484d9869eb291140545746ccbe5ffc7c9306 upstream. + +System gets checkstop if RxFIFO overruns with more requests than the +maximum possible number of CRBs in FIFO at the same time. The max number +of requests per window is controlled by window credits. So find max +CRBs from FIFO size and set it to receive window credits. + +Fixes: b0d6c9bab5e4 ("crypto/nx: Add P9 NX support for 842 compression engine") +CC: stable@vger.kernel.org # v4.14+ +Signed-off-by:Haren Myneni +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Herbert Xu + +--- + drivers/crypto/nx/nx-842-powernv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/nx/nx-842-powernv.c ++++ b/drivers/crypto/nx/nx-842-powernv.c +@@ -34,8 +34,6 @@ MODULE_ALIAS_CRYPTO("842-nx"); + #define WORKMEM_ALIGN (CRB_ALIGN) + #define CSB_WAIT_MAX (5000) /* ms */ + #define VAS_RETRIES (10) +-/* # of requests allowed per RxFIFO at a time. 0 for unlimited */ +-#define MAX_CREDITS_PER_RXFIFO (1024) + + struct nx842_workmem { + /* Below fields must be properly aligned */ +@@ -801,7 +799,11 @@ static int __init vas_cfg_coproc_info(st + rxattr.lnotify_lpid = lpid; + rxattr.lnotify_pid = pid; + rxattr.lnotify_tid = tid; +- rxattr.wcreds_max = MAX_CREDITS_PER_RXFIFO; ++ /* ++ * Maximum RX window credits can not be more than #CRBs in ++ * RxFIFO. Otherwise, can get checkstop if RxFIFO overruns. ++ */ ++ rxattr.wcreds_max = fifo_size / CRB_SIZE; + + /* + * Open a VAS receice window which is used to configure RxFIFO diff --git a/queue-4.14/s390-fix-stfle-zero-padding.patch b/queue-4.14/s390-fix-stfle-zero-padding.patch new file mode 100644 index 00000000000..49029d872a2 --- /dev/null +++ b/queue-4.14/s390-fix-stfle-zero-padding.patch @@ -0,0 +1,83 @@ +From 4f18d869ffd056c7858f3d617c71345cf19be008 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 17 Jun 2019 14:02:41 +0200 +Subject: s390: fix stfle zero padding + +From: Heiko Carstens + +commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream. + +The stfle inline assembly returns the number of double words written +(condition code 0) or the double words it would have written +(condition code 3), if the memory array it got as parameter would have +been large enough. + +The current stfle implementation assumes that the array is always +large enough and clears those parts of the array that have not been +written to with a subsequent memset call. + +If however the array is not large enough memset will get a negative +length parameter, which means that memset clears memory until it gets +an exception and the kernel crashes. + +To fix this simply limit the maximum length. Move also the inline +assembly to an extra function to avoid clobbering of register 0, which +might happen because of the added min_t invocation together with code +instrumentation. + +The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup +facility list handling") but was rather harmless, since it would only +write to a rather large array. It became a potential problem with +commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since +then it writes to an array with only four double words, while some +machines already deliver three double words. As soon as machines have +a facility bit within the fifth double a crash on IPL would happen. + +Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling") +Cc: # v2.6.37+ +Reviewed-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/facility.h | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/arch/s390/include/asm/facility.h ++++ b/arch/s390/include/asm/facility.h +@@ -59,6 +59,18 @@ static inline int test_facility(unsigned + return __test_facility(nr, &S390_lowcore.stfle_fac_list); + } + ++static inline unsigned long __stfle_asm(u64 *stfle_fac_list, int size) ++{ ++ register unsigned long reg0 asm("0") = size - 1; ++ ++ asm volatile( ++ ".insn s,0xb2b00000,0(%1)" /* stfle */ ++ : "+d" (reg0) ++ : "a" (stfle_fac_list) ++ : "memory", "cc"); ++ return reg0; ++} ++ + /** + * stfle - Store facility list extended + * @stfle_fac_list: array where facility list can be stored +@@ -76,13 +88,8 @@ static inline void stfle(u64 *stfle_fac_ + memcpy(stfle_fac_list, &S390_lowcore.stfl_fac_list, 4); + if (S390_lowcore.stfl_fac_list & 0x01000000) { + /* More facility bits available with stfle */ +- register unsigned long reg0 asm("0") = size - 1; +- +- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */ +- : "+d" (reg0) +- : "a" (stfle_fac_list) +- : "memory", "cc"); +- nr = (reg0 + 1) * 8; /* # bytes stored by stfle */ ++ nr = __stfle_asm(stfle_fac_list, size); ++ nr = min_t(unsigned long, (nr + 1) * 8, size * 8); + } + memset((char *) stfle_fac_list + nr, 0, size * 8 - nr); + preempt_enable(); diff --git a/queue-4.14/s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch b/queue-4.14/s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch new file mode 100644 index 00000000000..cc98139148d --- /dev/null +++ b/queue-4.14/s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch @@ -0,0 +1,37 @@ +From ac6639cd3db607d386616487902b4cc1850a7be5 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Tue, 18 Jun 2019 13:12:20 +0200 +Subject: s390/qdio: don't touch the dsci in tiqdio_add_input_queues() + +From: Julian Wiedmann + +commit ac6639cd3db607d386616487902b4cc1850a7be5 upstream. + +Current code sets the dsci to 0x00000080. Which doesn't make any sense, +as the indicator area is located in the _left-most_ byte. + +Worse: if the dsci is the _shared_ indicator, this potentially clears +the indication of activity for a _different_ device. +tiqdio_thinint_handler() will then have no reason to call that device's +IRQ handler, and the device ends up stalling. + +Fixes: d0c9d4a89fff ("[S390] qdio: set correct bit in dsci") +Cc: +Signed-off-by: Julian Wiedmann +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_thinint.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/s390/cio/qdio_thinint.c ++++ b/drivers/s390/cio/qdio_thinint.c +@@ -83,7 +83,6 @@ void tiqdio_add_input_queues(struct qdio + mutex_lock(&tiq_list_lock); + list_add_rcu(&irq_ptr->input_qs[0]->entry, &tiq_list); + mutex_unlock(&tiq_list_lock); +- xchg(irq_ptr->dsci, 1 << 7); + } + + void tiqdio_remove_input_queues(struct qdio_irq *irq_ptr) diff --git a/queue-4.14/s390-qdio-re-initialize-tiqdio-list-entries.patch b/queue-4.14/s390-qdio-re-initialize-tiqdio-list-entries.patch new file mode 100644 index 00000000000..7ee5bba4277 --- /dev/null +++ b/queue-4.14/s390-qdio-re-initialize-tiqdio-list-entries.patch @@ -0,0 +1,77 @@ +From e54e4785cb5cb4896cf4285964aeef2125612fb2 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Tue, 18 Jun 2019 11:25:59 +0200 +Subject: s390/qdio: (re-)initialize tiqdio list entries + +From: Julian Wiedmann + +commit e54e4785cb5cb4896cf4285964aeef2125612fb2 upstream. + +When tiqdio_remove_input_queues() removes a queue from the tiq_list as +part of qdio_shutdown(), it doesn't re-initialize the queue's list entry +and the prev/next pointers go stale. + +If a subsequent qdio_establish() fails while sending the ESTABLISH cmd, +it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and +tiqdio_remove_input_queues() will attempt to remove the queue entry a +second time. This dereferences the stale pointers, and bad things ensue. +Fix this by re-initializing the list entry after removing it from the +list. + +For good practice also initialize the list entry when the queue is first +allocated, and remove the quirky checks that papered over this omission. +Note that prior to +commit e521813468f7 ("s390/qdio: fix access to uninitialized qdio_q fields"), +these checks were bogus anyway. + +setup_queues_misc() clears the whole queue struct, and thus needs to +re-init the prev/next pointers as well. + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Cc: +Signed-off-by: Julian Wiedmann +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_setup.c | 2 ++ + drivers/s390/cio/qdio_thinint.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -150,6 +150,7 @@ static int __qdio_allocate_qs(struct qdi + return -ENOMEM; + } + irq_ptr_qs[i] = q; ++ INIT_LIST_HEAD(&q->entry); + } + return 0; + } +@@ -178,6 +179,7 @@ static void setup_queues_misc(struct qdi + q->mask = 1 << (31 - i); + q->nr = i; + q->handler = handler; ++ INIT_LIST_HEAD(&q->entry); + } + + static void setup_storage_lists(struct qdio_q *q, struct qdio_irq *irq_ptr, +--- a/drivers/s390/cio/qdio_thinint.c ++++ b/drivers/s390/cio/qdio_thinint.c +@@ -91,14 +91,14 @@ void tiqdio_remove_input_queues(struct q + struct qdio_q *q; + + q = irq_ptr->input_qs[0]; +- /* if establish triggered an error */ +- if (!q || !q->entry.prev || !q->entry.next) ++ if (!q) + return; + + mutex_lock(&tiq_list_lock); + list_del_rcu(&q->entry); + mutex_unlock(&tiq_list_lock); + synchronize_rcu(); ++ INIT_LIST_HEAD(&q->entry); + } + + static inline int has_multiple_inq_on_dsci(struct qdio_irq *irq_ptr) diff --git a/queue-4.14/series b/queue-4.14/series index baa24da396b..56de20be538 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -71,3 +71,8 @@ dm-verity-use-message-limit-for-data-block-corruptio.patch x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch linux-kernel.h-fix-overflow-for-div_round_up_ull.patch +arc-hide-unused-function-unw_hdr_alloc.patch +s390-fix-stfle-zero-padding.patch +s390-qdio-re-initialize-tiqdio-list-entries.patch +s390-qdio-don-t-touch-the-dsci-in-tiqdio_add_input_queues.patch +crypto-nx-set-receive-window-credits-to-max-number-of-crbs-in-rxfifo.patch