From: Greg Kroah-Hartman Date: Mon, 13 Aug 2018 17:27:25 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.18.1~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b93a8052cc465a02db0cd2798b32fd6e875618e7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch --- diff --git a/queue-4.4/arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch b/queue-4.4/arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch new file mode 100644 index 00000000000..9e78f7eb15e --- /dev/null +++ b/queue-4.4/arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch @@ -0,0 +1,36 @@ +From 1bcfe0564044be578841744faea1c2f46adc8178 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 15 Jun 2018 09:41:29 +0200 +Subject: ARM: dts: imx6sx: fix irq for pcie bridge + +From: Oleksij Rempel + +commit 1bcfe0564044be578841744faea1c2f46adc8178 upstream. + +Use the correct IRQ line for the MSI controller in the PCIe host +controller. Apparently a different IRQ line is used compared to other +i.MX6 variants. Without this change MSI IRQs aren't properly propagated +to the upstream interrupt controller. + +Signed-off-by: Oleksij Rempel +Reviewed-by: Lucas Stach +Fixes: b1d17f68e5c5 ("ARM: dts: imx: add initial imx6sx device tree source") +Signed-off-by: Shawn Guo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6sx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -1250,7 +1250,7 @@ + /* non-prefetchable memory */ + 0x82000000 0 0x08000000 0x08000000 0 0x00f00000>; + num-lanes = <1>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6SX_CLK_PCIE_REF_125M>, + <&clks IMX6SX_CLK_PCIE_AXI>, + <&clks IMX6SX_CLK_LVDS1_OUT>, diff --git a/queue-4.4/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch b/queue-4.4/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch new file mode 100644 index 00000000000..053c6f5a79c --- /dev/null +++ b/queue-4.4/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch @@ -0,0 +1,68 @@ +From 08bb558ac11ab944e0539e78619d7b4c356278bd Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 23 May 2018 15:30:30 +0300 +Subject: IB/core: Make testing MR flags for writability a static inline function + +From: Jack Morgenstein + +commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream. + +Make the MR writability flags check, which is performed in umem.c, +a static inline function in file ib_verbs.h + +This allows the function to be used by low-level infiniband drivers. + +Cc: +Signed-off-by: Jason Gunthorpe +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/umem.c | 11 +---------- + include/rdma/ib_verbs.h | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -122,16 +122,7 @@ struct ib_umem *ib_umem_get(struct ib_uc + umem->address = addr; + umem->page_size = PAGE_SIZE; + umem->pid = get_task_pid(current, PIDTYPE_PID); +- /* +- * We ask for writable memory if any of the following +- * access flags are set. "Local write" and "remote write" +- * obviously require write access. "Remote atomic" can do +- * things like fetch and add, which will modify memory, and +- * "MW bind" can change permissions by binding a window. +- */ +- umem->writable = !!(access & +- (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); ++ umem->writable = ib_access_writable(access); + + if (access & IB_ACCESS_ON_DEMAND) { + put_pid(umem->pid); +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3007,6 +3007,20 @@ static inline int ib_check_mr_access(int + return 0; + } + ++static inline bool ib_access_writable(int access_flags) ++{ ++ /* ++ * We have writable memory backing the MR if any of the following ++ * access flags are set. "Local write" and "remote write" obviously ++ * require write access. "Remote atomic" can do things like fetch and ++ * add, which will modify memory, and "MW bind" can change permissions ++ * by binding a window. ++ */ ++ return access_flags & ++ (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | ++ IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND); ++} ++ + /** + * ib_check_mr_status: lightweight check of MR status. + * This routine may provide status checks on a selected diff --git a/queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch b/queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch new file mode 100644 index 00000000000..c662aebf006 --- /dev/null +++ b/queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch @@ -0,0 +1,121 @@ +From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 23 May 2018 15:30:31 +0300 +Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable + +From: Jack Morgenstein + +commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream. + +To allow rereg_user_mr to modify the MR from read-only to writable without +using get_user_pages again, we needed to define the initial MR as writable. +However, this was originally done unconditionally, without taking into +account the writability of the underlying virtual memory. + +As a result, any attempt to register a read-only MR over read-only +virtual memory failed. + +To fix this, do not add the writable flag bit when the user virtual memory +is not writable (e.g. const memory). + +However, when the underlying memory is NOT writable (and we therefore +do not define the initial MR as writable), the IB core adds a +"force writable" flag to its user-pages request. If this succeeds, +the reg_user_mr caller gets a writable copy of the original pages. + +If the user-space caller then does a rereg_user_mr operation to enable +writability, this will succeed. This should not be allowed, since +the original virtual memory was not writable. + +Cc: +Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/mr.c | 50 +++++++++++++++++++++++++++++++++------- + 1 file changed, 42 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -130,6 +130,40 @@ out: + return err; + } + ++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start, ++ u64 length, u64 virt_addr, ++ int access_flags) ++{ ++ /* ++ * Force registering the memory as writable if the underlying pages ++ * are writable. This is so rereg can change the access permissions ++ * from readable to writable without having to run through ib_umem_get ++ * again ++ */ ++ if (!ib_access_writable(access_flags)) { ++ struct vm_area_struct *vma; ++ ++ down_read(¤t->mm->mmap_sem); ++ /* ++ * FIXME: Ideally this would iterate over all the vmas that ++ * cover the memory, but for now it requires a single vma to ++ * entirely cover the MR to support RO mappings. ++ */ ++ vma = find_vma(current->mm, start); ++ if (vma && vma->vm_end >= start + length && ++ vma->vm_start <= start) { ++ if (vma->vm_flags & VM_WRITE) ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } else { ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } ++ ++ up_read(¤t->mm->mmap_sem); ++ } ++ ++ return ib_umem_get(context, start, length, access_flags, 0); ++} ++ + struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + u64 virt_addr, int access_flags, + struct ib_udata *udata) +@@ -144,10 +178,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct + if (!mr) + return ERR_PTR(-ENOMEM); + +- /* Force registering the memory as writable. */ +- /* Used for memory re-registeration. HCA protects the access */ +- mr->umem = ib_umem_get(pd->uobject->context, start, length, +- access_flags | IB_ACCESS_LOCAL_WRITE, 0); ++ mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length, ++ virt_addr, access_flags); + if (IS_ERR(mr->umem)) { + err = PTR_ERR(mr->umem); + goto err_free; +@@ -214,6 +246,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr * + } + + if (flags & IB_MR_REREG_ACCESS) { ++ if (ib_access_writable(mr_access_flags) && !mmr->umem->writable) ++ return -EPERM; ++ + err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry, + convert_access(mr_access_flags)); + +@@ -227,10 +262,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr * + + mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr); + ib_umem_release(mmr->umem); +- mmr->umem = ib_umem_get(mr->uobject->context, start, length, +- mr_access_flags | +- IB_ACCESS_LOCAL_WRITE, +- 0); ++ mmr->umem = ++ mlx4_get_umem_mr(mr->uobject->context, start, length, ++ virt_addr, mr_access_flags); + if (IS_ERR(mmr->umem)) { + err = PTR_ERR(mmr->umem); + /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */ diff --git a/queue-4.4/ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch b/queue-4.4/ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch new file mode 100644 index 00000000000..049da32cc7b --- /dev/null +++ b/queue-4.4/ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch @@ -0,0 +1,37 @@ +From 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa Mon Sep 17 00:00:00 2001 +From: Michael Mera +Date: Mon, 1 May 2017 15:41:16 +0900 +Subject: IB/ocrdma: fix out of bounds access to local buffer + +From: Michael Mera + +commit 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa upstream. + +In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is +written at index 'count-1' where 'count' is the size of the write, so +potentially 0. + +This patch filters odd values for the write size/position to avoid this +type of problem. + +Signed-off-by: Michael Mera +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +@@ -643,7 +643,7 @@ static ssize_t ocrdma_dbgfs_ops_write(st + struct ocrdma_stats *pstats = filp->private_data; + struct ocrdma_dev *dev = pstats->dev; + +- if (count > 32) ++ if (*ppos != 0 || count == 0 || count > sizeof(tmp_str)) + goto err; + + if (copy_from_user(tmp_str, buffer, count)) diff --git a/queue-4.4/series b/queue-4.4/series index 4df72e3a01f..2f7d76d61ca 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -10,3 +10,7 @@ scsi-sr-avoid-that-opening-a-cd-rom-hangs-with-runtime-power-management-enabled. root-dentries-need-rcu-delayed-freeing.patch fix-mntput-mntput-race.patch fix-__legitimize_mnt-mntput-race.patch +ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch +ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch +ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch +arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch