From: Greg Kroah-Hartman Date: Tue, 1 Oct 2019 18:06:31 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.195~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1eecd0c6f9a9d623516ff15b489c3ca55fd6822;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch ib-mlx5-free-mpi-in-mp_slave-mode.patch iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch randstruct-check-member-structs-in-is_pure_ops_struct.patch scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch --- diff --git a/queue-4.19/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch b/queue-4.19/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch new file mode 100644 index 00000000000..81935cab108 --- /dev/null +++ b/queue-4.19/alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch @@ -0,0 +1,110 @@ +From e1a00b5b253a4f97216b9a33199a863987075162 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 10 Sep 2019 22:51:52 +0900 +Subject: ALSA: firewire-tascam: check intermediate state of clock status and retry + +From: Takashi Sakamoto + +commit e1a00b5b253a4f97216b9a33199a863987075162 upstream. + +2 bytes in MSB of register for clock status is zero during intermediate +state after changing status of sampling clock in models of TASCAM FireWire +series. The duration of this state differs depending on cases. During the +state, it's better to retry reading the register for current status of +the clock. + +In current implementation, the intermediate state is checked only when +getting current sampling transmission frequency, then retry reading. +This care is required for the other operations to read the register. + +This commit moves the codes of check and retry into helper function +commonly used for operations to read the register. + +Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality") +Cc: # v4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20190910135152.29800-3-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam-stream.c | 42 ++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/sound/firewire/tascam/tascam-stream.c ++++ b/sound/firewire/tascam/tascam-stream.c +@@ -9,20 +9,37 @@ + #include + #include "tascam.h" + ++#define CLOCK_STATUS_MASK 0xffff0000 ++#define CLOCK_CONFIG_MASK 0x0000ffff ++ + #define CALLBACK_TIMEOUT 500 + + static int get_clock(struct snd_tscm *tscm, u32 *data) + { ++ int trial = 0; + __be32 reg; + int err; + +- err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST, +- TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS, +- ®, sizeof(reg), 0); +- if (err >= 0) ++ while (trial++ < 5) { ++ err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST, ++ TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS, ++ ®, sizeof(reg), 0); ++ if (err < 0) ++ return err; ++ + *data = be32_to_cpu(reg); ++ if (*data & CLOCK_STATUS_MASK) ++ break; ++ ++ // In intermediate state after changing clock status. ++ msleep(50); ++ } + +- return err; ++ // Still in the intermediate state. ++ if (trial >= 5) ++ return -EAGAIN; ++ ++ return 0; + } + + static int set_clock(struct snd_tscm *tscm, unsigned int rate, +@@ -35,7 +52,7 @@ static int set_clock(struct snd_tscm *ts + err = get_clock(tscm, &data); + if (err < 0) + return err; +- data &= 0x0000ffff; ++ data &= CLOCK_CONFIG_MASK; + + if (rate > 0) { + data &= 0x000000ff; +@@ -80,17 +97,14 @@ static int set_clock(struct snd_tscm *ts + + int snd_tscm_stream_get_rate(struct snd_tscm *tscm, unsigned int *rate) + { +- u32 data = 0x0; +- unsigned int trials = 0; ++ u32 data; + int err; + +- while (data == 0x0 || trials++ < 5) { +- err = get_clock(tscm, &data); +- if (err < 0) +- return err; ++ err = get_clock(tscm, &data); ++ if (err < 0) ++ return err; + +- data = (data & 0xff000000) >> 24; +- } ++ data = (data & 0xff000000) >> 24; + + /* Check base rate. */ + if ((data & 0x0f) == 0x01) diff --git a/queue-4.19/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch b/queue-4.19/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch new file mode 100644 index 00000000000..0bec3122adb --- /dev/null +++ b/queue-4.19/alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch @@ -0,0 +1,35 @@ +From 2617120f4de6d0423384e0e86b14c78b9de84d5a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 10 Sep 2019 22:51:51 +0900 +Subject: ALSA: firewire-tascam: handle error code when getting current source of clock + +From: Takashi Sakamoto + +commit 2617120f4de6d0423384e0e86b14c78b9de84d5a upstream. + +The return value of snd_tscm_stream_get_clock() is ignored. This commit +checks the value and handle error. + +Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality") +Cc: # v4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20190910135152.29800-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam-pcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/firewire/tascam/tascam-pcm.c ++++ b/sound/firewire/tascam/tascam-pcm.c +@@ -57,6 +57,9 @@ static int pcm_open(struct snd_pcm_subst + goto err_locked; + + err = snd_tscm_stream_get_clock(tscm, &clock); ++ if (err < 0) ++ goto err_locked; ++ + if (clock != SND_TSCM_CLOCK_INTERNAL || + amdtp_stream_pcm_running(&tscm->rx_stream) || + amdtp_stream_pcm_running(&tscm->tx_stream)) { diff --git a/queue-4.19/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch b/queue-4.19/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch new file mode 100644 index 00000000000..f13c10eccd1 --- /dev/null +++ b/queue-4.19/ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch @@ -0,0 +1,255 @@ +From f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Wed, 11 Sep 2019 07:30:53 -0400 +Subject: IB/hfi1: Define variables as unsigned long to fix KASAN warning + +From: Ira Weiny + +commit f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 upstream. + +Define the working variables to be unsigned long to be compatible with +for_each_set_bit and change types as needed. + +While we are at it remove unused variables from a couple of functions. + +This was found because of the following KASAN warning: + ================================================================== + BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70 + Read of size 8 at addr ffff888362d778d0 by task kworker/u308:2/1889 + + CPU: 21 PID: 1889 Comm: kworker/u308:2 Tainted: G W 5.3.0-rc2-mm1+ #2 + Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.02.04.0003.102320141138 10/23/2014 + Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] + Call Trace: + dump_stack+0x9a/0xf0 + ? find_first_bit+0x19/0x70 + print_address_description+0x6c/0x332 + ? find_first_bit+0x19/0x70 + ? find_first_bit+0x19/0x70 + __kasan_report.cold.6+0x1a/0x3b + ? find_first_bit+0x19/0x70 + kasan_report+0xe/0x12 + find_first_bit+0x19/0x70 + pma_get_opa_portstatus+0x5cc/0xa80 [hfi1] + ? ret_from_fork+0x3a/0x50 + ? pma_get_opa_port_ectrs+0x200/0x200 [hfi1] + ? stack_trace_consume_entry+0x80/0x80 + hfi1_process_mad+0x39b/0x26c0 [hfi1] + ? __lock_acquire+0x65e/0x21b0 + ? clear_linkup_counters+0xb0/0xb0 [hfi1] + ? check_chain_key+0x1d7/0x2e0 + ? lock_downgrade+0x3a0/0x3a0 + ? match_held_lock+0x2e/0x250 + ib_mad_recv_done+0x698/0x15e0 [ib_core] + ? clear_linkup_counters+0xb0/0xb0 [hfi1] + ? ib_mad_send_done+0xc80/0xc80 [ib_core] + ? mark_held_locks+0x79/0xa0 + ? _raw_spin_unlock_irqrestore+0x44/0x60 + ? rvt_poll_cq+0x1e1/0x340 [rdmavt] + __ib_process_cq+0x97/0x100 [ib_core] + ib_cq_poll_work+0x31/0xb0 [ib_core] + process_one_work+0x4ee/0xa00 + ? pwq_dec_nr_in_flight+0x110/0x110 + ? do_raw_spin_lock+0x113/0x1d0 + worker_thread+0x57/0x5a0 + ? process_one_work+0xa00/0xa00 + kthread+0x1bb/0x1e0 + ? kthread_create_on_node+0xc0/0xc0 + ret_from_fork+0x3a/0x50 + + The buggy address belongs to the page: + page:ffffea000d8b5dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 + flags: 0x17ffffc0000000() + raw: 0017ffffc0000000 0000000000000000 ffffea000d8b5dc8 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + addr ffff888362d778d0 is located in stack of task kworker/u308:2/1889 at offset 32 in frame: + pma_get_opa_portstatus+0x0/0xa80 [hfi1] + + this frame has 1 object: + [32, 36) 'vl_select_mask' + + Memory state around the buggy address: + ffff888362d77780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888362d77800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff888362d77880: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 00 + ^ + ffff888362d77900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888362d77980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 + + ================================================================== + +Cc: +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20190911113053.126040.47327.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Ira Weiny +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/mad.c | 45 ++++++++++++++++----------------------- + 1 file changed, 19 insertions(+), 26 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/mad.c ++++ b/drivers/infiniband/hw/hfi1/mad.c +@@ -2326,7 +2326,7 @@ struct opa_port_status_req { + __be32 vl_select_mask; + }; + +-#define VL_MASK_ALL 0x000080ff ++#define VL_MASK_ALL 0x00000000000080ffUL + + struct opa_port_status_rsp { + __u8 port_num; +@@ -2625,15 +2625,14 @@ static int pma_get_opa_classportinfo(str + } + + static void a0_portstatus(struct hfi1_pportdata *ppd, +- struct opa_port_status_rsp *rsp, u32 vl_select_mask) ++ struct opa_port_status_rsp *rsp) + { + if (!is_bx(ppd->dd)) { + unsigned long vl; + u64 sum_vl_xmit_wait = 0; +- u32 vl_all_mask = VL_MASK_ALL; ++ unsigned long vl_all_mask = VL_MASK_ALL; + +- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask), +- 8 * sizeof(vl_all_mask)) { ++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) { + u64 tmp = sum_vl_xmit_wait + + read_port_cntr(ppd, C_TX_WAIT_VL, + idx_from_vl(vl)); +@@ -2730,12 +2729,12 @@ static int pma_get_opa_portstatus(struct + (struct opa_port_status_req *)pmp->data; + struct hfi1_devdata *dd = dd_from_ibdev(ibdev); + struct opa_port_status_rsp *rsp; +- u32 vl_select_mask = be32_to_cpu(req->vl_select_mask); ++ unsigned long vl_select_mask = be32_to_cpu(req->vl_select_mask); + unsigned long vl; + size_t response_data_size; + u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24; + u8 port_num = req->port_num; +- u8 num_vls = hweight32(vl_select_mask); ++ u8 num_vls = hweight64(vl_select_mask); + struct _vls_pctrs *vlinfo; + struct hfi1_ibport *ibp = to_iport(ibdev, port); + struct hfi1_pportdata *ppd = ppd_from_ibp(ibp); +@@ -2771,7 +2770,7 @@ static int pma_get_opa_portstatus(struct + + hfi1_read_link_quality(dd, &rsp->link_quality_indicator); + +- rsp->vl_select_mask = cpu_to_be32(vl_select_mask); ++ rsp->vl_select_mask = cpu_to_be32((u32)vl_select_mask); + rsp->port_xmit_data = cpu_to_be64(read_dev_cntr(dd, C_DC_XMIT_FLITS, + CNTR_INVALID_VL)); + rsp->port_rcv_data = cpu_to_be64(read_dev_cntr(dd, C_DC_RCV_FLITS, +@@ -2842,8 +2841,7 @@ static int pma_get_opa_portstatus(struct + * So in the for_each_set_bit() loop below, we don't need + * any additional checks for vl. + */ +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + + tmp = read_dev_cntr(dd, C_DC_RX_FLIT_VL, idx_from_vl(vl)); +@@ -2884,7 +2882,7 @@ static int pma_get_opa_portstatus(struct + vfi++; + } + +- a0_portstatus(ppd, rsp, vl_select_mask); ++ a0_portstatus(ppd, rsp); + + if (resp_len) + *resp_len += response_data_size; +@@ -2931,16 +2929,14 @@ static u64 get_error_counter_summary(str + return error_counter_summary; + } + +-static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp, +- u32 vl_select_mask) ++static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp) + { + if (!is_bx(ppd->dd)) { + unsigned long vl; + u64 sum_vl_xmit_wait = 0; +- u32 vl_all_mask = VL_MASK_ALL; ++ unsigned long vl_all_mask = VL_MASK_ALL; + +- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask), +- 8 * sizeof(vl_all_mask)) { ++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) { + u64 tmp = sum_vl_xmit_wait + + read_port_cntr(ppd, C_TX_WAIT_VL, + idx_from_vl(vl)); +@@ -2995,7 +2991,7 @@ static int pma_get_opa_datacounters(stru + u64 port_mask; + u8 port_num; + unsigned long vl; +- u32 vl_select_mask; ++ unsigned long vl_select_mask; + int vfi; + u16 link_width; + u16 link_speed; +@@ -3073,8 +3069,7 @@ static int pma_get_opa_datacounters(stru + * So in the for_each_set_bit() loop below, we don't need + * any additional checks for vl. + */ +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(req->vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + + rsp->vls[vfi].port_vl_xmit_data = +@@ -3122,7 +3117,7 @@ static int pma_get_opa_datacounters(stru + vfi++; + } + +- a0_datacounters(ppd, rsp, vl_select_mask); ++ a0_datacounters(ppd, rsp); + + if (resp_len) + *resp_len += response_data_size; +@@ -3217,7 +3212,7 @@ static int pma_get_opa_porterrors(struct + struct _vls_ectrs *vlinfo; + unsigned long vl; + u64 port_mask, tmp; +- u32 vl_select_mask; ++ unsigned long vl_select_mask; + int vfi; + + req = (struct opa_port_error_counters64_msg *)pmp->data; +@@ -3276,8 +3271,7 @@ static int pma_get_opa_porterrors(struct + vlinfo = &rsp->vls[0]; + vfi = 0; + vl_select_mask = be32_to_cpu(req->vl_select_mask); +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(req->vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + memset(vlinfo, 0, sizeof(*vlinfo)); + rsp->vls[vfi].port_vl_xmit_discards = + cpu_to_be64(read_port_cntr(ppd, C_SW_XMIT_DSCD_VL, +@@ -3488,7 +3482,7 @@ static int pma_set_opa_portstatus(struct + u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24; + u64 portn = be64_to_cpu(req->port_select_mask[3]); + u32 counter_select = be32_to_cpu(req->counter_select_mask); +- u32 vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */ ++ unsigned long vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */ + unsigned long vl; + + if ((nports != 1) || (portn != 1 << port)) { +@@ -3582,8 +3576,7 @@ static int pma_set_opa_portstatus(struct + if (counter_select & CS_UNCORRECTABLE_ERRORS) + write_dev_cntr(dd, C_DC_UNC_ERR, CNTR_INVALID_VL, 0); + +- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask), +- 8 * sizeof(vl_select_mask)) { ++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) { + if (counter_select & CS_PORT_XMIT_DATA) + write_port_cntr(ppd, C_TX_FLIT_VL, idx_from_vl(vl), 0); + diff --git a/queue-4.19/ib-mlx5-free-mpi-in-mp_slave-mode.patch b/queue-4.19/ib-mlx5-free-mpi-in-mp_slave-mode.patch new file mode 100644 index 00000000000..504438ddb0d --- /dev/null +++ b/queue-4.19/ib-mlx5-free-mpi-in-mp_slave-mode.patch @@ -0,0 +1,34 @@ +From 5d44adebbb7e785939df3db36ac360f5e8b73e44 Mon Sep 17 00:00:00 2001 +From: Danit Goldberg +Date: Mon, 16 Sep 2019 09:48:18 +0300 +Subject: IB/mlx5: Free mpi in mp_slave mode + +From: Danit Goldberg + +commit 5d44adebbb7e785939df3db36ac360f5e8b73e44 upstream. + +ib_add_slave_port() allocates a multiport struct but never frees it. +Don't leak memory, free the allocated mpi struct during driver unload. + +Cc: +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Link: https://lore.kernel.org/r/20190916064818.19823-3-leon@kernel.org +Signed-off-by: Danit Goldberg +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -6370,6 +6370,7 @@ static void mlx5_ib_remove(struct mlx5_c + mlx5_ib_unbind_slave_port(mpi->ibdev, mpi); + list_del(&mpi->list); + mutex_unlock(&mlx5_ib_multiport_mutex); ++ kfree(mpi); + return; + } + diff --git a/queue-4.19/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch b/queue-4.19/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch new file mode 100644 index 00000000000..a6b74a3710b --- /dev/null +++ b/queue-4.19/iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch @@ -0,0 +1,45 @@ +From fddbfeece9c7882cc47754c7da460fe427e3e85b Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 24 Sep 2019 13:30:57 +0300 +Subject: iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36 + +From: Luca Coelho + +commit fddbfeece9c7882cc47754c7da460fe427e3e85b upstream. + +The intention was to have the GEO_TX_POWER_LIMIT command in FW version +36 as well, but not all 8000 family got this feature enabled. The +8000 family is the only one using version 36, so skip this version +entirely. If we try to send this command to the firmwares that do not +support it, we get a BAD_COMMAND response from the firmware. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151. + +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -843,11 +843,13 @@ static bool iwl_mvm_sar_geo_support(stru + * firmware versions. Unfortunately, we don't have a TLV API + * flag to rely on, so rely on the major version which is in + * the first byte of ucode_ver. This was implemented +- * initially on version 38 and then backported to 36, 29 and +- * 17. ++ * initially on version 38 and then backported to29 and 17. ++ * The intention was to have it in 36 as well, but not all ++ * 8000 family got this feature enabled. The 8000 family is ++ * the only one using version 36, so skip this version ++ * entirely. + */ + return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || +- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || + IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || + IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; + } diff --git a/queue-4.19/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch b/queue-4.19/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch new file mode 100644 index 00000000000..54942fce698 --- /dev/null +++ b/queue-4.19/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch @@ -0,0 +1,70 @@ +From c9dccacfccc72c32692eedff4a27a4b0833a2afd Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Thu, 11 Jul 2019 16:29:37 +0200 +Subject: printk: Do not lose last line in kmsg buffer dump + +From: Vincent Whitchurch + +commit c9dccacfccc72c32692eedff4a27a4b0833a2afd upstream. + +kmsg_dump_get_buffer() is supposed to select all the youngest log +messages which fit into the provided buffer. It determines the correct +start index by using msg_print_text() with a NULL buffer to calculate +the size of each entry. However, when performing the actual writes, +msg_print_text() only writes the entry to the buffer if the written len +is lesser than the size of the buffer. So if the lengths of the +selected youngest log messages happen to precisely fill up the provided +buffer, the last log message is not included. + +We don't want to modify msg_print_text() to fill up the buffer and start +returning a length which is equal to the size of the buffer, since +callers of its other users, such as kmsg_dump_get_line(), depend upon +the current behaviour. + +Instead, fix kmsg_dump_get_buffer() to compensate for this. + +For example, with the following two final prints: + +[ 6.427502] AAAAAAAAAAAAA +[ 6.427769] BBBBBBBB12345 + +A dump of a 64-byte buffer filled by kmsg_dump_get_buffer(), before this +patch: + + 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 35 32 32 31 39 37 <0>[ 6.522197 + 00000010: 5d 20 41 41 41 41 41 41 41 41 41 41 41 41 41 0a ] AAAAAAAAAAAAA. + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +After this patch: + + 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 34 35 36 36 37 38 <0>[ 6.456678 + 00000010: 5d 20 42 42 42 42 42 42 42 42 31 32 33 34 35 0a ] BBBBBBBB12345. + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +Link: http://lkml.kernel.org/r/20190711142937.4083-1-vincent.whitchurch@axis.com +Fixes: e2ae715d66bf4bec ("kmsg - kmsg_dump() use iterator to receive log buffer content") +To: rostedt@goodmis.org +Cc: linux-kernel@vger.kernel.org +Cc: # v3.5+ +Signed-off-by: Vincent Whitchurch +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -3210,7 +3210,7 @@ bool kmsg_dump_get_buffer(struct kmsg_du + /* move first record forward until length fits into the buffer */ + seq = dumper->cur_seq; + idx = dumper->cur_idx; +- while (l > size && seq < dumper->next_seq) { ++ while (l >= size && seq < dumper->next_seq) { + struct printk_log *msg = log_from_idx(idx); + + l -= msg_print_text(msg, true, NULL, 0); diff --git a/queue-4.19/randstruct-check-member-structs-in-is_pure_ops_struct.patch b/queue-4.19/randstruct-check-member-structs-in-is_pure_ops_struct.patch new file mode 100644 index 00000000000..0b3784b80c2 --- /dev/null +++ b/queue-4.19/randstruct-check-member-structs-in-is_pure_ops_struct.patch @@ -0,0 +1,45 @@ +From 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb Mon Sep 17 00:00:00 2001 +From: Joonwon Kang +Date: Sun, 28 Jul 2019 00:58:41 +0900 +Subject: randstruct: Check member structs in is_pure_ops_struct() + +From: Joonwon Kang + +commit 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb upstream. + +While no uses in the kernel triggered this case, it was possible to have +a false negative where a struct contains other structs which contain only +function pointers because of unreachable code in is_pure_ops_struct(). + +Signed-off-by: Joonwon Kang +Link: https://lore.kernel.org/r/20190727155841.GA13586@host +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -443,13 +443,13 @@ static int is_pure_ops_struct(const_tree + if (node == fieldtype) + continue; + +- if (!is_fptr(fieldtype)) +- return 0; +- +- if (code != RECORD_TYPE && code != UNION_TYPE) ++ if (code == RECORD_TYPE || code == UNION_TYPE) { ++ if (!is_pure_ops_struct(fieldtype)) ++ return 0; + continue; ++ } + +- if (!is_pure_ops_struct(fieldtype)) ++ if (!is_fptr(fieldtype)) + return 0; + } + diff --git a/queue-4.19/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch b/queue-4.19/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch new file mode 100644 index 00000000000..a40f9ef0bd1 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch @@ -0,0 +1,106 @@ +From 8b5292bcfcacf15182a77a973a98d310e76fd58b Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 26 Jul 2019 09:07:32 -0700 +Subject: scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag + +From: Quinn Tran + +commit 8b5292bcfcacf15182a77a973a98d310e76fd58b upstream. + +Relogin fails to move forward due to scan_state flag indicating device is +not there. Before relogin process, Session delete process accidently +modified the scan_state flag. + +[mkp: typos plus corrected Fixes: sha as reported by sfr] + +Fixes: 2dee5521028c ("scsi: qla2xxx: Fix login state machine freeze") +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 25 ++++++++++++++++++++----- + drivers/scsi/qla2xxx/qla_os.c | 1 + + drivers/scsi/qla2xxx/qla_target.c | 1 - + 3 files changed, 21 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -216,8 +216,13 @@ qla2x00_async_login(struct scsi_qla_host + struct srb_iocb *lio; + int rval = QLA_FUNCTION_FAILED; + +- if (!vha->flags.online) +- goto done; ++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) || ++ fcport->loop_id == FC_NO_LOOP_ID) { ++ ql_log(ql_log_warn, vha, 0xffff, ++ "%s: %8phC - not sending command.\n", ++ __func__, fcport->port_name); ++ return rval; ++ } + + sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL); + if (!sp) +@@ -1123,8 +1128,13 @@ int qla24xx_async_gpdb(struct scsi_qla_h + struct port_database_24xx *pd; + struct qla_hw_data *ha = vha->hw; + +- if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT)) ++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) || ++ fcport->loop_id == FC_NO_LOOP_ID) { ++ ql_log(ql_log_warn, vha, 0xffff, ++ "%s: %8phC - not sending command.\n", ++ __func__, fcport->port_name); + return rval; ++ } + + fcport->disc_state = DSC_GPDB; + +@@ -1904,8 +1914,11 @@ qla24xx_handle_plogi_done_event(struct s + return; + } + +- if (fcport->disc_state == DSC_DELETE_PEND) ++ if ((fcport->disc_state == DSC_DELETE_PEND) || ++ (fcport->disc_state == DSC_DELETED)) { ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); + return; ++ } + + if (ea->sp->gen2 != fcport->login_gen) { + /* target side must have changed it. */ +@@ -6557,8 +6570,10 @@ qla2x00_abort_isp_cleanup(scsi_qla_host_ + } + + /* Clear all async request states across all VPs. */ +- list_for_each_entry(fcport, &vha->vp_fcports, list) ++ list_for_each_entry(fcport, &vha->vp_fcports, list) { + fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT); ++ fcport->scan_state = 0; ++ } + spin_lock_irqsave(&ha->vport_slock, flags); + list_for_each_entry(vp, &ha->vp_list, list) { + atomic_inc(&vp->vref_count); +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4864,6 +4864,7 @@ void qla24xx_create_new_sess(struct scsi + if (fcport) { + fcport->id_changed = 1; + fcport->scan_state = QLA_FCPORT_FOUND; ++ fcport->chip_reset = vha->hw->base_qpair->chip_reset; + memcpy(fcport->node_name, e->u.new_sess.node_name, WWN_SIZE); + + if (pla) { +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1216,7 +1216,6 @@ static void qla24xx_chk_fcp_state(struct + sess->logout_on_delete = 0; + sess->logo_ack_needed = 0; + sess->fw_login_state = DSC_LS_PORT_UNAVAIL; +- sess->scan_state = 0; + } + } + diff --git a/queue-4.19/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch b/queue-4.19/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch new file mode 100644 index 00000000000..ff3e100b59b --- /dev/null +++ b/queue-4.19/scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch @@ -0,0 +1,43 @@ +From 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Wed, 4 Sep 2019 15:52:29 +0000 +Subject: scsi: scsi_dh_rdac: zero cdb in send_mode_select() + +From: Martin Wilck + +commit 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d upstream. + +cdb in send_mode_select() is not zeroed and is only partially filled in +rdac_failover_get(), which leads to some random data getting to the +device. Users have reported storage responding to such commands with +INVALID FIELD IN CDB. Code before commit 327825574132 was not affected, as +it called blk_rq_set_block_pc(). + +Fix this by zeroing out the cdb first. + +Identified & fix proposed by HPE. + +Fixes: 327825574132 ("scsi_dh_rdac: switch to scsi_execute_req_flags()") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20190904155205.1666-1-martin.wilck@suse.com +Signed-off-by: Martin Wilck +Acked-by: Ales Novak +Reviewed-by: Shane Seymour +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/device_handler/scsi_dh_rdac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -546,6 +546,8 @@ static void send_mode_select(struct work + spin_unlock(&ctlr->ms_lock); + + retry: ++ memset(cdb, 0, sizeof(cdb)); ++ + data_size = rdac_failover_get(ctlr, &list, cdb); + + RDAC_LOG(RDAC_LOG_FAILOVER, sdev, "array %s, ctlr %d, " diff --git a/queue-4.19/series b/queue-4.19/series index 37612950e18..252c372d136 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -21,3 +21,12 @@ ax25-enforce-cap_net_raw-for-raw-sockets.patch ieee802154-enforce-cap_net_raw-for-raw-sockets.patch nfc-enforce-cap_net_raw-for-raw-sockets.patch nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch +iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch +alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch +alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch +scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch +scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch +printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch +ib-mlx5-free-mpi-in-mp_slave-mode.patch +ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch +randstruct-check-member-structs-in-is_pure_ops_struct.patch