From: Sasha Levin Date: Sun, 5 Jan 2020 19:40:31 +0000 (-0500) Subject: fixes for 5.4 X-Git-Tag: v4.14.163~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bdfc6e27d74630a085ec5e9b6c3070ad9e24ab65;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch b/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch new file mode 100644 index 00000000000..fd90d593272 --- /dev/null +++ b/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch @@ -0,0 +1,95 @@ +From a53eecc0c288b9af3558f22f97f5567bc67d8a2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 15:04:43 +0000 +Subject: afs: Fix afs_find_server lookups for ipv4 peers + +From: Marc Dionne + +[ Upstream commit 9bd0160d12370a076e44f8d1320cde9c83f2c647 ] + +afs_find_server tries to find a server that has an address that +matches the transport address of an rxrpc peer. The code assumes +that the transport address is always ipv6, with ipv4 represented +as ipv4 mapped addresses, but that's not the case. If the transport +family is AF_INET, srx->transport.sin6.sin6_addr.s6_addr32[] will +be beyond the actual ipv4 address and will always be 0, and all +ipv4 addresses will be seen as matching. + +As a result, the first ipv4 address seen on any server will be +considered a match, and the server returned may be the wrong one. + +One of the consequences is that callbacks received over ipv4 will +only be correctly applied for the server that happens to have the +first ipv4 address on the fs_addresses4 list. Callbacks over ipv4 +from all other servers are dropped, causing the client to serve stale +data. + +This is fixed by looking at the transport family, and comparing ipv4 +addresses based on a sockaddr_in structure rather than a sockaddr_in6. + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/server.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index 64d440aaabc0..ca8115ba1724 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -32,18 +32,11 @@ static void afs_dec_servers_outstanding(struct afs_net *net) + struct afs_server *afs_find_server(struct afs_net *net, + const struct sockaddr_rxrpc *srx) + { +- const struct sockaddr_in6 *a = &srx->transport.sin6, *b; + const struct afs_addr_list *alist; + struct afs_server *server = NULL; + unsigned int i; +- bool ipv6 = true; + int seq = 0, diff; + +- if (srx->transport.sin6.sin6_addr.s6_addr32[0] == 0 || +- srx->transport.sin6.sin6_addr.s6_addr32[1] == 0 || +- srx->transport.sin6.sin6_addr.s6_addr32[2] == htonl(0xffff)) +- ipv6 = false; +- + rcu_read_lock(); + + do { +@@ -52,7 +45,8 @@ struct afs_server *afs_find_server(struct afs_net *net, + server = NULL; + read_seqbegin_or_lock(&net->fs_addr_lock, &seq); + +- if (ipv6) { ++ if (srx->transport.family == AF_INET6) { ++ const struct sockaddr_in6 *a = &srx->transport.sin6, *b; + hlist_for_each_entry_rcu(server, &net->fs_addresses6, addr6_link) { + alist = rcu_dereference(server->addresses); + for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) { +@@ -68,15 +62,16 @@ struct afs_server *afs_find_server(struct afs_net *net, + } + } + } else { ++ const struct sockaddr_in *a = &srx->transport.sin, *b; + hlist_for_each_entry_rcu(server, &net->fs_addresses4, addr4_link) { + alist = rcu_dereference(server->addresses); + for (i = 0; i < alist->nr_ipv4; i++) { +- b = &alist->addrs[i].transport.sin6; +- diff = ((u16 __force)a->sin6_port - +- (u16 __force)b->sin6_port); ++ b = &alist->addrs[i].transport.sin; ++ diff = ((u16 __force)a->sin_port - ++ (u16 __force)b->sin_port); + if (diff == 0) +- diff = ((u32 __force)a->sin6_addr.s6_addr32[3] - +- (u32 __force)b->sin6_addr.s6_addr32[3]); ++ diff = ((u32 __force)a->sin_addr.s_addr - ++ (u32 __force)b->sin_addr.s_addr); + if (diff == 0) + goto found; + } +-- +2.20.1 + diff --git a/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch b/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch new file mode 100644 index 00000000000..a8a6d44c05e --- /dev/null +++ b/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch @@ -0,0 +1,41 @@ +From b0f2778d86cc0574f78becea7ecc06fbfd038e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 08:56:04 +0000 +Subject: afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP + +From: David Howells + +[ Upstream commit 1da4bd9f9d187f53618890d7b66b9628bbec3c70 ] + +Fix the lookup method on the dynamic root directory such that creation +calls, such as mkdir, open(O_CREAT), symlink, etc. fail with EOPNOTSUPP +rather than failing with some odd error (such as EEXIST). + +lookup() itself tries to create automount directories when it is invoked. +These are cached locally in RAM and not committed to storage. + +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Jonathan Billings +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 4150280509ff..7503899c0a1b 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -136,6 +136,9 @@ static struct dentry *afs_dynroot_lookup(struct inode *dir, struct dentry *dentr + + ASSERTCMP(d_inode(dentry), ==, NULL); + ++ if (flags & LOOKUP_CREATE) ++ return ERR_PTR(-EOPNOTSUPP); ++ + if (dentry->d_name.len >= AFSNAMEMAX) { + _leave(" = -ENAMETOOLONG"); + return ERR_PTR(-ENAMETOOLONG); +-- +2.20.1 + diff --git a/queue-5.4/afs-fix-mountpoint-parsing.patch b/queue-5.4/afs-fix-mountpoint-parsing.patch new file mode 100644 index 00000000000..2d8a0119828 --- /dev/null +++ b/queue-5.4/afs-fix-mountpoint-parsing.patch @@ -0,0 +1,65 @@ +From 5c46206e7bb47941f02de5d06ae78448d77b9af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 15:04:45 +0000 +Subject: afs: Fix mountpoint parsing + +From: David Howells + +[ Upstream commit 158d58335393af3956a9c06f0816ee75ed1f1447 ] + +Each AFS mountpoint has strings that define the target to be mounted. This +is required to end in a dot that is supposed to be stripped off. The +string can include suffixes of ".readonly" or ".backup" - which are +supposed to come before the terminal dot. To add to the confusion, the "fs +lsmount" afs utility does not show the terminal dot when displaying the +string. + +The kernel mount source string parser, however, assumes that the terminal +dot marks the suffix and that the suffix is always "" and is thus ignored. +In most cases, there is no suffix and this is not a problem - but if there +is a suffix, it is lost and this affects the ability to mount the correct +volume. + +The command line mount command, on the other hand, is expected not to +include a terminal dot - so the problem doesn't arise there. + +Fix this by making sure that the dot exists and then stripping it when +passing the string to the mount configuration. + +Fixes: bec5eb614130 ("AFS: Implement an autocell mount capability [ver #2]") +Reported-by: Jonathan Billings +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Jonathan Billings +Signed-off-by: Sasha Levin +--- + fs/afs/mntpt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c +index f532d6d3bd28..79bc5f1338ed 100644 +--- a/fs/afs/mntpt.c ++++ b/fs/afs/mntpt.c +@@ -126,7 +126,7 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) + if (src_as->cell) + ctx->cell = afs_get_cell(src_as->cell); + +- if (size > PAGE_SIZE - 1) ++ if (size < 2 || size > PAGE_SIZE - 1) + return -EINVAL; + + page = read_mapping_page(d_inode(mntpt)->i_mapping, 0, NULL); +@@ -140,7 +140,9 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) + } + + buf = kmap(page); +- ret = vfs_parse_fs_string(fc, "source", buf, size); ++ ret = -EINVAL; ++ if (buf[size - 1] == '.') ++ ret = vfs_parse_fs_string(fc, "source", buf, size - 1); + kunmap(page); + put_page(page); + if (ret < 0) +-- +2.20.1 + diff --git a/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch b/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch new file mode 100644 index 00000000000..44d78c95dda --- /dev/null +++ b/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch @@ -0,0 +1,42 @@ +From 407cee34618d3f1a65ae25ec6de1932c20f57758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 15:04:45 +0000 +Subject: afs: Fix SELinux setting security label on /afs + +From: David Howells + +[ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ] + +Make the AFS dynamic root superblock R/W so that SELinux can set the +security label on it. Without this, upgrades to, say, the Fedora +filesystem-afs RPM fail if afs is mounted on it because the SELinux label +can't be (re-)applied. + +It might be better to make it possible to bypass the R/O check for LSM +label application through setxattr. + +Fixes: 4d673da14533 ("afs: Support the AFS dynamic root") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +cc: selinux@vger.kernel.org +cc: linux-security-module@vger.kernel.org +Signed-off-by: Sasha Levin +--- + fs/afs/super.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/afs/super.c b/fs/afs/super.c +index 488641b1a418..d9a6036b70b9 100644 +--- a/fs/afs/super.c ++++ b/fs/afs/super.c +@@ -448,7 +448,6 @@ static int afs_fill_super(struct super_block *sb, struct afs_fs_context *ctx) + /* allocate the root inode and dentry */ + if (as->dyn_root) { + inode = afs_iget_pseudo_dir(sb, true); +- sb->s_flags |= SB_RDONLY; + } else { + sprintf(sb->s_id, "%llu", as->volume->vid); + afs_activate_volume(as->volume); +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch b/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch new file mode 100644 index 00000000000..9f2dee07bd4 --- /dev/null +++ b/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch @@ -0,0 +1,66 @@ +From 96d62742696a6e028d0f112324b9e192d39bef56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 15:38:48 +0800 +Subject: ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound + to a driver + +From: Kai-Heng Feng + +[ Upstream commit bacd861452d2be86a4df341b12e32db7dac8021e ] + +Nvidia proprietary driver doesn't support runtime power management, so +when a user only wants to use the integrated GPU, it's a common practice +to let dGPU not to bind any driver, and let its upstream port to be +runtime suspended. At the end of runtime suspension the port uses +platform power management to disable power through _OFF method of power +resource, which is listed by _PR3. + +After commit b516ea586d71 ("PCI: Enable NVIDIA HDA controllers"), when +the dGPU comes with an HDA function, the HDA won't be suspended if the +dGPU is unbound, so the power resource can't be turned off by its +upstream port driver. + +Commit 37a3a98ef601 ("ALSA: hda - Enable runtime PM only for +discrete GPU") only allows HDA to be runtime suspended once GPU is +bound, to keep APU's HDA working. + +However, HDA on dGPU isn't that useful if dGPU is not bound to any +driver. So let's relax the runtime suspend requirement for dGPU's HDA +function, to disable the power source to save lots of power. + +BugLink: https://bugs.launchpad.net/bugs/1840835 +Fixes: b516ea586d71 ("PCI: Enable NVIDIA HDA controllers") +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20191018073848.14590-2-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 86a416cdeb29..4e757aa9d322 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1280,11 +1280,17 @@ static void init_vga_switcheroo(struct azx *chip) + { + struct hda_intel *hda = container_of(chip, struct hda_intel, chip); + struct pci_dev *p = get_bound_vga(chip->pci); ++ struct pci_dev *parent; + if (p) { + dev_info(chip->card->dev, + "Handle vga_switcheroo audio client\n"); + hda->use_vga_switcheroo = 1; +- chip->bus.keep_power = 1; /* cleared in either gpu_bound op or codec probe */ ++ ++ /* cleared in either gpu_bound op or codec probe, or when its ++ * upstream port has _PR3 (i.e. dGPU). ++ */ ++ parent = pci_upstream_bridge(p); ++ chip->bus.keep_power = parent ? !pci_pr3_present(parent) : 1; + chip->driver_caps |= AZX_DCAPS_PM_RUNTIME; + pci_dev_put(p); + } +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch b/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch new file mode 100644 index 00000000000..2cf872b807c --- /dev/null +++ b/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch @@ -0,0 +1,42 @@ +From 83bdfb641490f78b860c292452183f214278ce93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 16:12:24 +0100 +Subject: ALSA: hda - Downgrade error message for single-cmd fallback + +From: Takashi Iwai + +[ Upstream commit 475feec0c41ad71cb7d02f0310e56256606b57c5 ] + +We made the error message for the CORB/RIRB communication clearer by +upgrading to dev_WARN() so that user can notice better. But this +struck us like a boomerang: now it caught syzbot and reported back as +a fatal issue although it's not really any too serious bug that worth +for stopping the whole system. + +OK, OK, let's be softy, downgrade it to the standard dev_err() again. + +Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly") +Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 6387c7e90918..76b507058cb4 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -884,7 +884,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr, + return -EAGAIN; /* give a chance to retry */ + } + +- dev_WARN(chip->card->dev, ++ dev_err(chip->card->dev, + "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n", + bus->last_cmd[addr]); + chip->single_cmd = 1; +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch b/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch new file mode 100644 index 00000000000..1f7cd907700 --- /dev/null +++ b/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch @@ -0,0 +1,82 @@ +From 6872ee7c3cb8b44a6e13e8d7bbd9d4c6f184d1f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2019 15:40:27 +0100 +Subject: ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen + +From: Jaroslav Kysela + +[ Upstream commit d2cd795c4ece1a24fda170c35eeb4f17d9826cbb ] + +The auto-parser assigns the bass speaker to DAC3 (NID 0x06) which +is without the volume control. I do not see a reason to use DAC2, +because the shared output to all speakers produces the sufficient +and well balanced sound. The stereo support is enough for this +purpose (laptop). + +Signed-off-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20191129144027.14765-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e849cf681e23..62a471b5fc87 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5547,6 +5547,16 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec, + } + } + ++/* force NID 0x17 (Bass Speaker) to DAC1 to share it with the main speaker */ ++static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ hda_nid_t conn[1] = { 0x02 }; ++ snd_hda_override_conn_list(codec, 0x17, 1, conn); ++ } ++} ++ + /* Hook to update amp GPIO4 for automute */ + static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec, + struct hda_jack_callback *jack) +@@ -5849,6 +5859,7 @@ enum { + ALC225_FIXUP_DISABLE_MIC_VREF, + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC295_FIXUP_DISABLE_DAC3, ++ ALC285_FIXUP_SPEAKER2_TO_DAC1, + ALC280_FIXUP_HP_HEADSET_MIC, + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, +@@ -6652,6 +6663,10 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc295_fixup_disable_dac3, + }, ++ [ALC285_FIXUP_SPEAKER2_TO_DAC1] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ }, + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -7241,6 +7256,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +@@ -7425,6 +7441,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"}, + {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"}, + {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"}, ++ {.id = ALC285_FIXUP_SPEAKER2_TO_DAC1, .name = "alc285-speaker2-to-dac1"}, + {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"}, + {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"}, + {.id = ALC298_FIXUP_SPK_VOLUME, .name = "alc298-spk-volume"}, +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch b/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch new file mode 100644 index 00000000000..b0c81d7fd99 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch @@ -0,0 +1,68 @@ +From 5f83652344a329a2e10acda0355575067cbc0d2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 14:12:15 +0800 +Subject: ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker + +From: Kailang Yang + +[ Upstream commit e79c22695abd3b75a6aecf4ea4b9607e8d82c49c ] + +Dell has new platform which has dual speaker connecting. +They want dual speaker which use same dac for output. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/229c7efa2b474a16b7d8a916cd096b68@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e1229dbad6b2..dfcd0e611068 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5896,6 +5896,8 @@ enum { + ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC, + ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, + ALC294_FIXUP_ASUS_INTSPK_GPIO, ++ ALC289_FIXUP_DELL_SPK2, ++ ALC289_FIXUP_DUAL_SPK, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -6993,6 +6995,21 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC + }, ++ [ALC289_FIXUP_DELL_SPK2] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x17, 0x90170130 }, /* bass spk */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE ++ }, ++ [ALC289_FIXUP_DUAL_SPK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ .chained = true, ++ .chain_id = ALC289_FIXUP_DELL_SPK2 ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7065,6 +7082,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB), ++ SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK), ++ SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch b/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch new file mode 100644 index 00000000000..cd5ee0fe487 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch @@ -0,0 +1,110 @@ +From 8cebcde578571dc6e04682799fcc4162e7d3178c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2019 11:11:18 +0800 +Subject: ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC + +From: Chris Chiu + +[ Upstream commit 48e01504cf5315cbe6de9b7412e792bfcc3dd9e1 ] + +ASUS reported that there's an bass speaker in addition to internal +speaker and it uses DAC 0x02. It was not enabled in the commit +436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS +UX431FLC") which only enables the amplifier and the front speaker. +This commit enables the bass speaker on top of the aforementioned +work to improve the acoustic experience. + +Fixes: 436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC") +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Cc: +Link: https://lore.kernel.org/r/20191230031118.95076-1-chiu@endlessm.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 38 +++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 20 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dfcd0e611068..e849cf681e23 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5893,11 +5893,12 @@ enum { + ALC256_FIXUP_ASUS_HEADSET_MIC, + ALC256_FIXUP_ASUS_MIC_NO_PRESENCE, + ALC299_FIXUP_PREDATOR_SPK, +- ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC, + ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, +- ALC294_FIXUP_ASUS_INTSPK_GPIO, + ALC289_FIXUP_DELL_SPK2, + ALC289_FIXUP_DUAL_SPK, ++ ALC294_FIXUP_SPK2_TO_DAC1, ++ ALC294_FIXUP_ASUS_DUAL_SPK, ++ + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -6968,16 +6969,6 @@ static const struct hda_fixup alc269_fixups[] = { + { } + } + }, +- [ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x14, 0x411111f0 }, /* disable confusing internal speaker */ +- { 0x19, 0x04a11150 }, /* use as headset mic, without its own jack detect */ +- { } +- }, +- .chained = true, +- .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC +- }, + [ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -6988,13 +6979,6 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE + }, +- [ALC294_FIXUP_ASUS_INTSPK_GPIO] = { +- .type = HDA_FIXUP_FUNC, +- /* The GPIO must be pulled to initialize the AMP */ +- .v.func = alc_fixup_gpio4, +- .chained = true, +- .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC +- }, + [ALC289_FIXUP_DELL_SPK2] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -7010,6 +6994,20 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC289_FIXUP_DELL_SPK2 + }, ++ [ALC294_FIXUP_SPK2_TO_DAC1] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC ++ }, ++ [ALC294_FIXUP_ASUS_DUAL_SPK] = { ++ .type = HDA_FIXUP_FUNC, ++ /* The GPIO must be pulled to initialize the AMP */ ++ .v.func = alc_fixup_gpio4, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 ++ }, ++ + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7171,7 +7169,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), +- SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_GPIO), ++ SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), + SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC), +-- +2.20.1 + diff --git a/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch b/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch new file mode 100644 index 00000000000..fdcaeaa045e --- /dev/null +++ b/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch @@ -0,0 +1,152 @@ +From b902e5becf6ec2f68dee4de3f36d938a628c8967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 07:05:48 +0800 +Subject: block: add bio_truncate to fix guard_bio_eod + +From: Ming Lei + +[ Upstream commit 85a8ce62c2eabe28b9d76ca4eecf37922402df93 ] + +Some filesystem, such as vfat, may send bio which crosses device boundary, +and the worse thing is that the IO request starting within device boundaries +can contain more than one segment past EOD. + +Commit dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors") +tries to fix this issue by returning -EIO for this situation. However, +this way lets fs user code lose chance to handle -EIO, then sync_inodes_sb() +may hang for ever. + +Also the current truncating on last segment is dangerous by updating the +last bvec, given bvec table becomes not immutable any more, and fs bio +users may not retrieve the truncated pages via bio_for_each_segment_all() in +its .end_io callback. + +Fixes this issue by supporting multi-segment truncating. And the +approach is simpler: + +- just update bio size since block layer can make correct bvec with +the updated bio size. Then bvec table becomes really immutable. + +- zero all truncated segments for read bio + +Cc: Carlos Maiolino +Cc: linux-fsdevel@vger.kernel.org +Fixed-by: dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors") +Reported-by: syzbot+2b9e54155c8c25d8d165@syzkaller.appspotmail.com +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 39 +++++++++++++++++++++++++++++++++++++++ + fs/buffer.c | 25 +------------------------ + include/linux/bio.h | 1 + + 3 files changed, 41 insertions(+), 24 deletions(-) + +diff --git a/block/bio.c b/block/bio.c +index 43df756b68c4..c822ceb7c4de 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -535,6 +535,45 @@ void zero_fill_bio_iter(struct bio *bio, struct bvec_iter start) + } + EXPORT_SYMBOL(zero_fill_bio_iter); + ++void bio_truncate(struct bio *bio, unsigned new_size) ++{ ++ struct bio_vec bv; ++ struct bvec_iter iter; ++ unsigned int done = 0; ++ bool truncated = false; ++ ++ if (new_size >= bio->bi_iter.bi_size) ++ return; ++ ++ if (bio_data_dir(bio) != READ) ++ goto exit; ++ ++ bio_for_each_segment(bv, bio, iter) { ++ if (done + bv.bv_len > new_size) { ++ unsigned offset; ++ ++ if (!truncated) ++ offset = new_size - done; ++ else ++ offset = 0; ++ zero_user(bv.bv_page, offset, bv.bv_len - offset); ++ truncated = true; ++ } ++ done += bv.bv_len; ++ } ++ ++ exit: ++ /* ++ * Don't touch bvec table here and make it really immutable, since ++ * fs bio user has to retrieve all pages via bio_for_each_segment_all ++ * in its .end_bio() callback. ++ * ++ * It is enough to truncate bio by updating .bi_size since we can make ++ * correct bvec with the updated .bi_size for drivers. ++ */ ++ bio->bi_iter.bi_size = new_size; ++} ++ + /** + * bio_put - release a reference to a bio + * @bio: bio to release reference to +diff --git a/fs/buffer.c b/fs/buffer.c +index 86a38b979323..7744488f7bde 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2994,8 +2994,6 @@ static void end_bio_bh_io_sync(struct bio *bio) + void guard_bio_eod(int op, struct bio *bio) + { + sector_t maxsector; +- struct bio_vec *bvec = bio_last_bvec_all(bio); +- unsigned truncated_bytes; + struct hd_struct *part; + + rcu_read_lock(); +@@ -3021,28 +3019,7 @@ void guard_bio_eod(int op, struct bio *bio) + if (likely((bio->bi_iter.bi_size >> 9) <= maxsector)) + return; + +- /* Uhhuh. We've got a bio that straddles the device size! */ +- truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); +- +- /* +- * The bio contains more than one segment which spans EOD, just return +- * and let IO layer turn it into an EIO +- */ +- if (truncated_bytes > bvec->bv_len) +- return; +- +- /* Truncate the bio.. */ +- bio->bi_iter.bi_size -= truncated_bytes; +- bvec->bv_len -= truncated_bytes; +- +- /* ..and clear the end of the buffer for reads */ +- if (op == REQ_OP_READ) { +- struct bio_vec bv; +- +- mp_bvec_last_segment(bvec, &bv); +- zero_user(bv.bv_page, bv.bv_offset + bv.bv_len, +- truncated_bytes); +- } ++ bio_truncate(bio, maxsector << 9); + } + + static int submit_bh_wbc(int op, int op_flags, struct buffer_head *bh, +diff --git a/include/linux/bio.h b/include/linux/bio.h +index 3cdb84cdc488..853d92ceee64 100644 +--- a/include/linux/bio.h ++++ b/include/linux/bio.h +@@ -470,6 +470,7 @@ extern struct bio *bio_copy_user_iov(struct request_queue *, + gfp_t); + extern int bio_uncopy_user(struct bio *); + void zero_fill_bio_iter(struct bio *bio, struct bvec_iter iter); ++void bio_truncate(struct bio *bio, unsigned new_size); + + static inline void zero_fill_bio(struct bio *bio) + { +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch b/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch new file mode 100644 index 00000000000..f3acafd11d5 --- /dev/null +++ b/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch @@ -0,0 +1,52 @@ +From 188ad96c0b1b5b12a60ab2b2b5a4ff79c427e0cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 16:30:04 -0500 +Subject: drm/amd/display: Change the delay time before enabling FEC + +From: Leo (Hanghong) Ma + +[ Upstream commit 28fa24ad14e8f7d23c62283eaf9c79b4fd165c16 ] + +[why] +DP spec requires 1000 symbols delay between the end of link training +and enabling FEC in the stream. Currently we are using 1 miliseconds +delay which is not accurate. + +[how] +One lane RBR should have the maximum time for transmitting 1000 LL +codes which is 6.173 us. So using 7 microseconds delay instead of +1 miliseconds. + +Signed-off-by: Leo (Hanghong) Ma +Reviewed-by: Harry Wentland +Reviewed-by: Nikola Cornij +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +index 5a583707d198..0ab890c927ec 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -3492,7 +3492,14 @@ void dp_set_fec_enable(struct dc_link *link, bool enable) + if (link_enc->funcs->fec_set_enable && + link->dpcd_caps.fec_cap.bits.FEC_CAPABLE) { + if (link->fec_state == dc_link_fec_ready && enable) { +- msleep(1); ++ /* Accord to DP spec, FEC enable sequence can first ++ * be transmitted anytime after 1000 LL codes have ++ * been transmitted on the link after link training ++ * completion. Using 1 lane RBR should have the maximum ++ * time for transmitting 1000 LL codes which is 6.173 us. ++ * So use 7 microseconds delay instead. ++ */ ++ udelay(7); + link_enc->funcs->fec_set_enable(link_enc, true); + link->fec_state = dc_link_fec_enabled; + } else if (link->fec_state == dc_link_fec_enabled && !enable) { +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch b/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch new file mode 100644 index 00000000000..54746a1ef06 --- /dev/null +++ b/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch @@ -0,0 +1,43 @@ +From 822360ffe83f6eab97d1454d33690614551e4264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 17:18:20 -0500 +Subject: drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI + dongle + +From: David Galiffi + +[ Upstream commit a51d9f8fe756beac51ce26ef54195da00a260d13 ] + +[Why] +In dc_link_is_dp_sink_present, if dal_ddc_open fails, then +dal_gpio_destroy_ddc is called, destroying pin_data and pin_clock. They +are created only on dc_construct, and next aux access will cause a panic. + +[How] +Instead of calling dal_gpio_destroy_ddc, call dal_ddc_close. + +Signed-off-by: David Galiffi +Reviewed-by: Tony Cheng +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index 067f5579f452..793aa8e8ec9a 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -373,7 +373,7 @@ bool dc_link_is_dp_sink_present(struct dc_link *link) + + if (GPIO_RESULT_OK != dal_ddc_open( + ddc, GPIO_MODE_INPUT, GPIO_DDC_CONFIG_TYPE_MODE_I2C)) { +- dal_gpio_destroy_ddc(&ddc); ++ dal_ddc_close(ddc); + + return present; + } +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch b/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch new file mode 100644 index 00000000000..e462edf8a1c --- /dev/null +++ b/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch @@ -0,0 +1,77 @@ +From 283d26747ab88d4f618d337b323e694dffe8fa5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 13:06:48 -0500 +Subject: drm/amd/display: Map DSC resources 1-to-1 if numbers of OPPs and DSCs + are equal + +From: Nikola Cornij + +[ Upstream commit a1fc44b609b4e9c0941f0e4a1fc69d367af5ab69 ] + +[why] +On ASICs where number of DSCs is the same as OPPs there's no need +for DSC resource management. Mappping 1-to-1 fixes mode-set- or S3- +-related issues for such platforms. + +[how] +Map DSC resources 1-to-1 to pipes only if number of OPPs is the same +as number of DSCs. This will still keep other ASICs working. +A follow-up patch to fix mode-set issues on those ASICs will be +required if testing shows issues with mode set. + +Signed-off-by: Nikola Cornij +Reviewed-by: Dmytro Laktyushkin +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +index 78b2cc2e122f..3b7769a3e67e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +@@ -1419,13 +1419,20 @@ enum dc_status dcn20_build_mapped_resource(const struct dc *dc, struct dc_state + + static void acquire_dsc(struct resource_context *res_ctx, + const struct resource_pool *pool, +- struct display_stream_compressor **dsc) ++ struct display_stream_compressor **dsc, ++ int pipe_idx) + { + int i; + + ASSERT(*dsc == NULL); + *dsc = NULL; + ++ if (pool->res_cap->num_dsc == pool->res_cap->num_opp) { ++ *dsc = pool->dscs[pipe_idx]; ++ res_ctx->is_dsc_acquired[pipe_idx] = true; ++ return; ++ } ++ + /* Find first free DSC */ + for (i = 0; i < pool->res_cap->num_dsc; i++) + if (!res_ctx->is_dsc_acquired[i]) { +@@ -1468,7 +1475,7 @@ static enum dc_status add_dsc_to_stream_resource(struct dc *dc, + if (pipe_ctx->stream != dc_stream) + continue; + +- acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc); ++ acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc, i); + + /* The number of DSCs can be less than the number of pipes */ + if (!pipe_ctx->stream_res.dsc) { +@@ -1669,7 +1676,7 @@ static bool dcn20_split_stream_for_odm( + next_odm_pipe->stream_res.opp = pool->opps[next_odm_pipe->pipe_idx]; + #ifdef CONFIG_DRM_AMD_DC_DSC_SUPPORT + if (next_odm_pipe->stream->timing.flags.DSC == 1) { +- acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc); ++ acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc, next_odm_pipe->pipe_idx); + ASSERT(next_odm_pipe->stream_res.dsc); + if (next_odm_pipe->stream_res.dsc == NULL) + return false; +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch b/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch new file mode 100644 index 00000000000..1674fa5785d --- /dev/null +++ b/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch @@ -0,0 +1,61 @@ +From a6f03db1af52e581680ab91e0c8b15d4c5a5144e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 18:03:59 -0500 +Subject: drm/amd/display: Reset steer fifo before unblanking the stream + +From: Nikola Cornij + +[ Upstream commit 87de6cb2f28153bc74d0a001ca099c29453e145f ] + +[why] +During mode transition steer fifo could overflow. Quite often it +recovers by itself, but sometimes it doesn't. + +[how] +Add steer fifo reset before unblanking the stream. Also add a short +delay when resetting dig resync fifo to make sure register writes +don't end up back-to-back, in which case the HW might miss the reset +request. + +Signed-off-by: Nikola Cornij +Reviewed-by: Tony Cheng +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn20/dcn20_stream_encoder.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c +index 5ab9d6240498..e95025b1d14d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c +@@ -492,15 +492,23 @@ void enc2_stream_encoder_dp_unblank( + DP_VID_N_MUL, n_multiply); + } + +- /* set DIG_START to 0x1 to reset FIFO */ ++ /* make sure stream is disabled before resetting steer fifo */ ++ REG_UPDATE(DP_VID_STREAM_CNTL, DP_VID_STREAM_ENABLE, false); ++ REG_WAIT(DP_VID_STREAM_CNTL, DP_VID_STREAM_STATUS, 0, 10, 5000); + ++ /* set DIG_START to 0x1 to reset FIFO */ + REG_UPDATE(DIG_FE_CNTL, DIG_START, 1); ++ udelay(1); + + /* write 0 to take the FIFO out of reset */ + + REG_UPDATE(DIG_FE_CNTL, DIG_START, 0); + +- /* switch DP encoder to CRTC data */ ++ /* switch DP encoder to CRTC data, but reset it the fifo first. It may happen ++ * that it overflows during mode transition, and sometimes doesn't recover. ++ */ ++ REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 1); ++ udelay(10); + + REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 0); + +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch b/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch new file mode 100644 index 00000000000..74d34964302 --- /dev/null +++ b/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch @@ -0,0 +1,38 @@ +From ad774add714eee258ca56ba29f528e6ba0e3785c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 12:04:25 -0500 +Subject: drm/amd/display: update dispclk and dppclk vco frequency + +From: Eric Yang + +[ Upstream commit 44ce6c3dc8479bb3ed68df13b502b0901675e7d6 ] + +Value obtained from DV is not allowing 8k60 CTA mode with DSC to +pass, after checking real value being used in hw, find out that +correct value is 3600, which will allow that mode. + +Signed-off-by: Eric Yang +Reviewed-by: Tony Cheng +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +index de182185fe1f..b0e5e64df212 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +@@ -258,7 +258,7 @@ struct _vcs_dpi_soc_bounding_box_st dcn2_1_soc = { + .vmm_page_size_bytes = 4096, + .dram_clock_change_latency_us = 23.84, + .return_bus_width_bytes = 64, +- .dispclk_dppclk_vco_speed_mhz = 3550, ++ .dispclk_dppclk_vco_speed_mhz = 3600, + .xfc_bus_transport_time_us = 4, + .xfc_xbuf_latency_tolerance_us = 4, + .use_urgent_burst_bw = 1, +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch b/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch new file mode 100644 index 00000000000..c27fb17ce96 --- /dev/null +++ b/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch @@ -0,0 +1,71 @@ +From 9b6950974675ea54e83df561915c33f64e843408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 12:08:58 +0100 +Subject: drm/amdgpu: add cache flush workaround to gfx8 emit_fence + +From: Pierre-Eric Pelloux-Prayer + +[ Upstream commit bf26da927a1cd57c9deb2db29ae8cf276ba8b17b ] + +The same workaround is used for gfx7. +Both PAL and Mesa use it for gfx8 too, so port this commit to +gfx_v8_0_ring_emit_fence_gfx. + +Signed-off-by: Pierre-Eric Pelloux-Prayer +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +index 87dd55e9d72b..cc88ba76a8d4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -6184,7 +6184,23 @@ static void gfx_v8_0_ring_emit_fence_gfx(struct amdgpu_ring *ring, u64 addr, + bool write64bit = flags & AMDGPU_FENCE_FLAG_64BIT; + bool int_sel = flags & AMDGPU_FENCE_FLAG_INT; + +- /* EVENT_WRITE_EOP - flush caches, send int */ ++ /* Workaround for cache flush problems. First send a dummy EOP ++ * event down the pipe with seq one below. ++ */ ++ amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4)); ++ amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN | ++ EOP_TC_ACTION_EN | ++ EOP_TC_WB_ACTION_EN | ++ EVENT_TYPE(CACHE_FLUSH_AND_INV_TS_EVENT) | ++ EVENT_INDEX(5))); ++ amdgpu_ring_write(ring, addr & 0xfffffffc); ++ amdgpu_ring_write(ring, (upper_32_bits(addr) & 0xffff) | ++ DATA_SEL(1) | INT_SEL(0)); ++ amdgpu_ring_write(ring, lower_32_bits(seq - 1)); ++ amdgpu_ring_write(ring, upper_32_bits(seq - 1)); ++ ++ /* Then send the real EOP event down the pipe: ++ * EVENT_WRITE_EOP - flush caches, send int */ + amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4)); + amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN | + EOP_TC_ACTION_EN | +@@ -6926,7 +6942,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = { + 5 + /* COND_EXEC */ + 7 + /* PIPELINE_SYNC */ + VI_FLUSH_GPU_TLB_NUM_WREG * 5 + 9 + /* VM_FLUSH */ +- 8 + /* FENCE for VM_FLUSH */ ++ 12 + /* FENCE for VM_FLUSH */ + 20 + /* GDS switch */ + 4 + /* double SWITCH_BUFFER, + the first COND_EXEC jump to the place just +@@ -6938,7 +6954,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = { + 31 + /* DE_META */ + 3 + /* CNTX_CTRL */ + 5 + /* HDP_INVL */ +- 8 + 8 + /* FENCE x2 */ ++ 12 + 12 + /* FENCE x2 */ + 2, /* SWITCH_BUFFER */ + .emit_ib_size = 4, /* gfx_v8_0_ring_emit_ib_gfx */ + .emit_ib = gfx_v8_0_ring_emit_ib_gfx, +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch b/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch new file mode 100644 index 00000000000..4af92508fdf --- /dev/null +++ b/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch @@ -0,0 +1,74 @@ +From 4ca21fd9b8a488ad60210cd6e2f0249abfe03ff9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 15:51:16 +0800 +Subject: drm/amdgpu: add check before enabling/disabling broadcast mode + +From: Guchun Chen + +[ Upstream commit 6e807535dae5dbbd53bcc5e81047a20bf5eb08ea ] + +When security violation from new vbios happens, data fabric is +risky to stop working. So prevent the direct access to DF +mmFabricConfigAccessControl from the new vbios and onwards. + +Signed-off-by: Guchun Chen +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/df_v3_6.c | 38 ++++++++++++++++------------ + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c +index 5850c8e34caa..97d11d792351 100644 +--- a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c ++++ b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c +@@ -261,23 +261,29 @@ static void df_v3_6_update_medium_grain_clock_gating(struct amdgpu_device *adev, + { + u32 tmp; + +- /* Put DF on broadcast mode */ +- adev->df_funcs->enable_broadcast_mode(adev, true); +- +- if (enable && (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)) { +- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater); +- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; +- tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY; +- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp); +- } else { +- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater); +- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; +- tmp |= DF_V3_6_MGCG_DISABLE; +- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp); +- } ++ if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG) { ++ /* Put DF on broadcast mode */ ++ adev->df_funcs->enable_broadcast_mode(adev, true); ++ ++ if (enable) { ++ tmp = RREG32_SOC15(DF, 0, ++ mmDF_PIE_AON0_DfGlobalClkGater); ++ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; ++ tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY; ++ WREG32_SOC15(DF, 0, ++ mmDF_PIE_AON0_DfGlobalClkGater, tmp); ++ } else { ++ tmp = RREG32_SOC15(DF, 0, ++ mmDF_PIE_AON0_DfGlobalClkGater); ++ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; ++ tmp |= DF_V3_6_MGCG_DISABLE; ++ WREG32_SOC15(DF, 0, ++ mmDF_PIE_AON0_DfGlobalClkGater, tmp); ++ } + +- /* Exit broadcast mode */ +- adev->df_funcs->enable_broadcast_mode(adev, false); ++ /* Exit broadcast mode */ ++ adev->df_funcs->enable_broadcast_mode(adev, false); ++ } + } + + static void df_v3_6_get_clockgating_state(struct amdgpu_device *adev, +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch b/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch new file mode 100644 index 00000000000..c37483334e9 --- /dev/null +++ b/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch @@ -0,0 +1,43 @@ +From e7e9028f6a1bd72b437c0d665124eff329359bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 22:07:49 -0500 +Subject: drm/amdgpu: add header line for power profile on Arcturus + +From: Alex Deucher + +[ Upstream commit 14891c316ca7e15d81dba78f30fb630e3f9ee2c9 ] + +So the output is consistent with other asics. + +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/powerplay/arcturus_ppt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c +index d493a3f8c07a..b68bf8dcfa78 100644 +--- a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c ++++ b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c +@@ -1388,12 +1388,17 @@ static int arcturus_get_power_profile_mode(struct smu_context *smu, + "VR", + "COMPUTE", + "CUSTOM"}; ++ static const char *title[] = { ++ "PROFILE_INDEX(NAME)"}; + uint32_t i, size = 0; + int16_t workload_type = 0; + + if (!smu->pm_enabled || !buf) + return -EINVAL; + ++ size += sprintf(buf + size, "%16s\n", ++ title[0]); ++ + for (i = 0; i <= PP_SMC_POWER_PROFILE_CUSTOM; i++) { + /* + * Conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT +-- +2.20.1 + diff --git a/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch b/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch new file mode 100644 index 00000000000..ece5cd2f023 --- /dev/null +++ b/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch @@ -0,0 +1,60 @@ +From 3461578921c8a0a934959e53e5cda2410ae3300c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 14:02:52 +0100 +Subject: drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be + found + +From: Stephan Gerhold + +[ Upstream commit c131280c03bd1c225c2e64e9ef75873ffca3d96e ] + +The "panel" pointer is not reset to NULL if of_drm_find_panel() +returns an error. Therefore we later assume that a panel was found, +and try to dereference the error pointer, resulting in: + + mcde-dsi a0351000.dsi: failed to find panel try bridge (4294966779) + Unable to handle kernel paging request at virtual address fffffe03 + PC is at drm_panel_bridge_add.part.0+0x10/0x5c + LR is at mcde_dsi_bind+0x120/0x464 + ... + +Reset "panel" to NULL to avoid this problem. +Also change the format string of the error to %ld to print +the negative errors correctly. The crash above then becomes: + + mcde-dsi a0351000.dsi: failed to find panel try bridge (-517) + mcde-dsi a0351000.dsi: no panel or bridge + ... + +Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE") +Signed-off-by: Stephan Gerhold +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20191118130252.170324-1-stephan@gerhold.net +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mcde/mcde_dsi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c +index f9c9e32b299c..35bb825d1918 100644 +--- a/drivers/gpu/drm/mcde/mcde_dsi.c ++++ b/drivers/gpu/drm/mcde/mcde_dsi.c +@@ -935,11 +935,13 @@ static int mcde_dsi_bind(struct device *dev, struct device *master, + for_each_available_child_of_node(dev->of_node, child) { + panel = of_drm_find_panel(child); + if (IS_ERR(panel)) { +- dev_err(dev, "failed to find panel try bridge (%lu)\n", ++ dev_err(dev, "failed to find panel try bridge (%ld)\n", + PTR_ERR(panel)); ++ panel = NULL; ++ + bridge = of_drm_find_bridge(child); + if (IS_ERR(bridge)) { +- dev_err(dev, "failed to find bridge (%lu)\n", ++ dev_err(dev, "failed to find bridge (%ld)\n", + PTR_ERR(bridge)); + return PTR_ERR(bridge); + } +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch b/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch new file mode 100644 index 00000000000..3607e579476 --- /dev/null +++ b/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch @@ -0,0 +1,120 @@ +From b995ab4128966fb45d9d0ea5b7681d78fac79b04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 10:52:53 +0200 +Subject: drm/nouveau: Fix drm-core using atomic code-paths on pre-nv50 + hardware + +From: Hans de Goede + +[ Upstream commit 64d17f25dcad518461ccf0c260544e1e379c5b35 ] + +We do not support atomic modesetting on pre-nv50 hardware, but until now +our connector code was setting drm_connector->state on pre-nv50 hardware. + +This causes the core to enter atomic modesetting paths in at least: + +1. drm_connector_get_encoder(), returning connector->state->best_encoder +which is always 0, causing us to always report 0 as encoder_id in +the drmModeConnector struct returned by drmModeGetConnector(). + +2. drm_encoder_get_crtc(), returning NULL because uses_atomic get set, +causing us to always report 0 as crtc_id in the drmModeEncoder struct +returned by drmModeGetEncoder() + +Which in turn confuses userspace, at least plymouth thinks that the pipe +has changed because of this and tries to reconfigure it unnecessarily. + +More in general we should not set drm_connector->state in the non-atomic +code as this violates the drm-core's expectations. + +This commit fixes this by using a nouveau_conn_atom struct embedded in the +nouveau_connector struct for property handling in the non-atomic case. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1706557 +Signed-off-by: Hans de Goede +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 28 +++++++++++++++------ + drivers/gpu/drm/nouveau/nouveau_connector.h | 6 +++++ + 2 files changed, 27 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index a442a955f98c..eb31c5b6c8e9 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -245,14 +245,22 @@ nouveau_conn_atomic_duplicate_state(struct drm_connector *connector) + void + nouveau_conn_reset(struct drm_connector *connector) + { ++ struct nouveau_connector *nv_connector = nouveau_connector(connector); + struct nouveau_conn_atom *asyc; + +- if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) +- return; ++ if (drm_drv_uses_atomic_modeset(connector->dev)) { ++ if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) ++ return; ++ ++ if (connector->state) ++ nouveau_conn_atomic_destroy_state(connector, ++ connector->state); ++ ++ __drm_atomic_helper_connector_reset(connector, &asyc->state); ++ } else { ++ asyc = &nv_connector->properties_state; ++ } + +- if (connector->state) +- nouveau_conn_atomic_destroy_state(connector, connector->state); +- __drm_atomic_helper_connector_reset(connector, &asyc->state); + asyc->dither.mode = DITHERING_MODE_AUTO; + asyc->dither.depth = DITHERING_DEPTH_AUTO; + asyc->scaler.mode = DRM_MODE_SCALE_NONE; +@@ -276,8 +284,14 @@ void + nouveau_conn_attach_properties(struct drm_connector *connector) + { + struct drm_device *dev = connector->dev; +- struct nouveau_conn_atom *armc = nouveau_conn_atom(connector->state); + struct nouveau_display *disp = nouveau_display(dev); ++ struct nouveau_connector *nv_connector = nouveau_connector(connector); ++ struct nouveau_conn_atom *armc; ++ ++ if (drm_drv_uses_atomic_modeset(connector->dev)) ++ armc = nouveau_conn_atom(connector->state); ++ else ++ armc = &nv_connector->properties_state; + + /* Init DVI-I specific properties. */ + if (connector->connector_type == DRM_MODE_CONNECTOR_DVII) +@@ -749,9 +763,9 @@ static int + nouveau_connector_set_property(struct drm_connector *connector, + struct drm_property *property, uint64_t value) + { +- struct nouveau_conn_atom *asyc = nouveau_conn_atom(connector->state); + struct nouveau_connector *nv_connector = nouveau_connector(connector); + struct nouveau_encoder *nv_encoder = nv_connector->detected_encoder; ++ struct nouveau_conn_atom *asyc = &nv_connector->properties_state; + struct drm_encoder *encoder = to_drm_encoder(nv_encoder); + int ret; + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h +index de9588420884..de84fb4708c7 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.h ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h +@@ -118,6 +118,12 @@ struct nouveau_connector { + #ifdef CONFIG_DRM_NOUVEAU_BACKLIGHT + struct nouveau_backlight *backlight; + #endif ++ /* ++ * Our connector property code expects a nouveau_conn_atom struct ++ * even on pre-nv50 where we do not support atomic. This embedded ++ * version gets used in the non atomic modeset case. ++ */ ++ struct nouveau_conn_atom properties_state; + }; + + static inline struct nouveau_connector *nouveau_connector( +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch b/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch new file mode 100644 index 00000000000..cc13bf54050 --- /dev/null +++ b/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch @@ -0,0 +1,43 @@ +From 764b5320b12ecc4871f20867e9b176637d42a50d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 12:15:44 +1000 +Subject: drm/nouveau/kms/nv50-: fix panel scaling + +From: Ben Skeggs + +[ Upstream commit 3d1890ef8023e61934e070021b06cc9f417260c0 ] + +Under certain circumstances, encoder atomic_check() can be entered +without adjusted_mode having been reset to the same as mode, which +confuses the scaling logic and can lead to a misprogrammed display. + +Fix this by checking against the user-provided mode directly. + +Link: https://bugs.freedesktop.org/show_bug.cgi?id=108615 +Link: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/464 +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c +index b5b1a34f896f..d735ea7e2d88 100644 +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -326,9 +326,9 @@ nv50_outp_atomic_check_view(struct drm_encoder *encoder, + * same size as the native one (e.g. different + * refresh rate) + */ +- if (adjusted_mode->hdisplay == native_mode->hdisplay && +- adjusted_mode->vdisplay == native_mode->vdisplay && +- adjusted_mode->type & DRM_MODE_TYPE_DRIVER) ++ if (mode->hdisplay == native_mode->hdisplay && ++ mode->vdisplay == native_mode->vdisplay && ++ mode->type & DRM_MODE_TYPE_DRIVER) + break; + mode = native_mode; + asyc->scaler.full = true; +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch b/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch new file mode 100644 index 00000000000..e2ca2cd904d --- /dev/null +++ b/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch @@ -0,0 +1,163 @@ +From 2b2e8e3438b0b3f566facb5cbd05a7654fc821c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 10:52:52 +0200 +Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a + bit + +From: Hans de Goede + +[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ] + +Place the declaration of struct nouveau_conn_atom above that of +struct nouveau_connector. This commit makes no changes to the moved +block what so ever, it just moves it up a bit. + +This is a preparation patch to fix some issues with connector handling +on pre nv50 displays (which do not use atomic modesetting). + +Signed-off-by: Hans de Goede +Reviewed-by: Lyude Paul +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++---------- + 1 file changed, 55 insertions(+), 55 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h +index f43a8d63aef8..de9588420884 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.h ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h +@@ -29,6 +29,7 @@ + + #include + ++#include + #include + #include + #include +@@ -44,6 +45,60 @@ struct dcb_output; + struct nouveau_backlight; + #endif + ++#define nouveau_conn_atom(p) \ ++ container_of((p), struct nouveau_conn_atom, state) ++ ++struct nouveau_conn_atom { ++ struct drm_connector_state state; ++ ++ struct { ++ /* The enum values specifically defined here match nv50/gf119 ++ * hw values, and the code relies on this. ++ */ ++ enum { ++ DITHERING_MODE_OFF = 0x00, ++ DITHERING_MODE_ON = 0x01, ++ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, ++ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, ++ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, ++ DITHERING_MODE_AUTO ++ } mode; ++ enum { ++ DITHERING_DEPTH_6BPC = 0x00, ++ DITHERING_DEPTH_8BPC = 0x02, ++ DITHERING_DEPTH_AUTO ++ } depth; ++ } dither; ++ ++ struct { ++ int mode; /* DRM_MODE_SCALE_* */ ++ struct { ++ enum { ++ UNDERSCAN_OFF, ++ UNDERSCAN_ON, ++ UNDERSCAN_AUTO, ++ } mode; ++ u32 hborder; ++ u32 vborder; ++ } underscan; ++ bool full; ++ } scaler; ++ ++ struct { ++ int color_vibrance; ++ int vibrant_hue; ++ } procamp; ++ ++ union { ++ struct { ++ bool dither:1; ++ bool scaler:1; ++ bool procamp:1; ++ }; ++ u8 mask; ++ } set; ++}; ++ + struct nouveau_connector { + struct drm_connector base; + enum dcb_connector_type type; +@@ -121,61 +176,6 @@ extern int nouveau_ignorelid; + extern int nouveau_duallink; + extern int nouveau_hdmimhz; + +-#include +-#define nouveau_conn_atom(p) \ +- container_of((p), struct nouveau_conn_atom, state) +- +-struct nouveau_conn_atom { +- struct drm_connector_state state; +- +- struct { +- /* The enum values specifically defined here match nv50/gf119 +- * hw values, and the code relies on this. +- */ +- enum { +- DITHERING_MODE_OFF = 0x00, +- DITHERING_MODE_ON = 0x01, +- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, +- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, +- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, +- DITHERING_MODE_AUTO +- } mode; +- enum { +- DITHERING_DEPTH_6BPC = 0x00, +- DITHERING_DEPTH_8BPC = 0x02, +- DITHERING_DEPTH_AUTO +- } depth; +- } dither; +- +- struct { +- int mode; /* DRM_MODE_SCALE_* */ +- struct { +- enum { +- UNDERSCAN_OFF, +- UNDERSCAN_ON, +- UNDERSCAN_AUTO, +- } mode; +- u32 hborder; +- u32 vborder; +- } underscan; +- bool full; +- } scaler; +- +- struct { +- int color_vibrance; +- int vibrant_hue; +- } procamp; +- +- union { +- struct { +- bool dither:1; +- bool scaler:1; +- bool procamp:1; +- }; +- u8 mask; +- } set; +-}; +- + void nouveau_conn_attach_properties(struct drm_connector *); + void nouveau_conn_reset(struct drm_connector *); + struct drm_connector_state * +-- +2.20.1 + diff --git a/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch b/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch new file mode 100644 index 00000000000..90a37a31825 --- /dev/null +++ b/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch @@ -0,0 +1,66 @@ +From 587ac9cdb9ddb57eb8683a600483a7be9058de45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:12:13 +0200 +Subject: IB/mlx4: Follow mirror sequence of device add during device removal + +From: Parav Pandit + +[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ] + +Current code device add sequence is: + +ib_register_device() +ib_mad_init() +init_sriov_init() +register_netdev_notifier() + +Therefore, the remove sequence should be, + +unregister_netdev_notifier() +close_sriov() +mad_cleanup() +ib_unregister_device() + +However it is not above. +Hence, make do above remove sequence. + +Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE") +Signed-off-by: Parav Pandit +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index 8d2f1e38b891..907d99822bf0 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -3008,16 +3008,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr) + ibdev->ib_active = false; + flush_workqueue(wq); + +- mlx4_ib_close_sriov(ibdev); +- mlx4_ib_mad_cleanup(ibdev); +- ib_unregister_device(&ibdev->ib_dev); +- mlx4_ib_diag_cleanup(ibdev); + if (ibdev->iboe.nb.notifier_call) { + if (unregister_netdevice_notifier(&ibdev->iboe.nb)) + pr_warn("failure unregistering notifier\n"); + ibdev->iboe.nb.notifier_call = NULL; + } + ++ mlx4_ib_close_sriov(ibdev); ++ mlx4_ib_mad_cleanup(ibdev); ++ ib_unregister_device(&ibdev->ib_dev); ++ mlx4_ib_diag_cleanup(ibdev); ++ + mlx4_qp_release_range(dev, ibdev->steer_qpn_base, + ibdev->steer_qpn_count); + kfree(ibdev->ib_uc_qpns_bitmap); +-- +2.20.1 + diff --git a/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch b/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch new file mode 100644 index 00000000000..6a01cb5db06 --- /dev/null +++ b/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch @@ -0,0 +1,65 @@ +From 02a901fc9f2a86a1ebd8e2295f540e10c3384925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:12:14 +0200 +Subject: IB/mlx5: Fix steering rule of drop and count + +From: Maor Gottlieb + +[ Upstream commit ed9085fed9d95d5921582e3c8474f3736c5d2782 ] + +There are two flow rule destinations: QP and packet. While users are +setting DROP packet rule, the QP should not be set as a destination. + +Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support") +Signed-off-by: Maor Gottlieb +Reviewed-by: Raed Salem +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 831539419c30..e1cfbedefcbc 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3548,10 +3548,6 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, + } + + INIT_LIST_HEAD(&handler->list); +- if (dst) { +- memcpy(&dest_arr[0], dst, sizeof(*dst)); +- dest_num++; +- } + + for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) { + err = parse_flow_attr(dev->mdev, spec, +@@ -3564,6 +3560,11 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, + ib_flow += ((union ib_flow_spec *)ib_flow)->size; + } + ++ if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) { ++ memcpy(&dest_arr[0], dst, sizeof(*dst)); ++ dest_num++; ++ } ++ + if (!flow_is_multicast_only(flow_attr)) + set_underlay_qp(dev, spec, underlay_qpn); + +@@ -3604,10 +3605,8 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, + } + + if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) { +- if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) { ++ if (!dest_num) + rule_dst = NULL; +- dest_num = 0; +- } + } else { + if (is_egress) + flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW; +-- +2.20.1 + diff --git a/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch b/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch new file mode 100644 index 00000000000..9ebadac6960 --- /dev/null +++ b/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch @@ -0,0 +1,93 @@ +From 518fd00685f59e068b8f0e770fe1d6450658b0cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 09:55:46 +0100 +Subject: iio: adc: max9611: Fix too short conversion time delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ] + +As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature +reading in probe"), max9611 initialization sometimes fails on the +Salvator-X(S) development board with: + + max9611 4-007f: Invalid value received from ADC 0x8000: aborting + max9611: probe of 4-007f failed with error -5 + +The max9611 driver tests communications with the chip by reading the die +temperature during the probe function, which returns an invalid value. + +According to the datasheet, the typical ADC conversion time is 2 ms, but +no minimum or maximum values are provided. Maxim Technical Support +confirmed this was tested with temperature Ta=25 degreeC, and promised +to inform me if a maximum/minimum value is available (they didn't get +back to me, so I assume it is not). + +However, the driver assumes a 1 ms conversion time. Usually the +usleep_range() call returns after more than 1.8 ms, hence it succeeds. +When it returns earlier, the data register may be read too early, and +the previous measurement value will be returned. After boot, this is +the temperature POR (power-on reset) value, causing the failure above. + +Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs. + +Note that this issue has always been present, but it was exposed by the +aformentioned commit. + +Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: Wolfram Sang +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/max9611.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c +index da073d72f649..e480529b3f04 100644 +--- a/drivers/iio/adc/max9611.c ++++ b/drivers/iio/adc/max9611.c +@@ -89,6 +89,12 @@ + #define MAX9611_TEMP_SCALE_NUM 1000000 + #define MAX9611_TEMP_SCALE_DIV 2083 + ++/* ++ * Conversion time is 2 ms (typically) at Ta=25 degreeC ++ * No maximum value is known, so play it safe. ++ */ ++#define MAX9611_CONV_TIME_US_RANGE 3000, 3300 ++ + struct max9611_dev { + struct device *dev; + struct i2c_client *i2c_client; +@@ -236,11 +242,9 @@ static int max9611_read_single(struct max9611_dev *max9611, + return ret; + } + +- /* +- * need a delay here to make register configuration +- * stabilize. 1 msec at least, from empirical testing. +- */ +- usleep_range(1000, 2000); ++ /* need a delay here to make register configuration stabilize. */ ++ ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr); + if (ret < 0) { +@@ -507,7 +511,7 @@ static int max9611_init(struct max9611_dev *max9611) + MAX9611_REG_CTRL2, 0); + return ret; + } +- usleep_range(1000, 2000); ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch b/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch new file mode 100644 index 00000000000..05ed639399b --- /dev/null +++ b/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch @@ -0,0 +1,61 @@ +From 859f6a1f87861e9841e3a211ec9544f49f6ac941 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 11:21:15 +0800 +Subject: iio: st_accel: Fix unused variable warning + +From: YueHaibing + +[ Upstream commit 0163c1c521ff8b09cd8ca395003cc00178161d77 ] + +drivers/iio/accel/st_accel_core.c:1005:44: warning: + mount_matrix_ext_info defined but not used [-Wunused-const-variable=] + +Using stub helper while CONFIG_ACPI is disabled to fix it. + +Suggested-by: Ladislav Michl +Signed-off-by: YueHaibing +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/st_accel_core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c +index 2e37f8a6d8cf..be661396095c 100644 +--- a/drivers/iio/accel/st_accel_core.c ++++ b/drivers/iio/accel/st_accel_core.c +@@ -993,6 +993,7 @@ static const struct iio_trigger_ops st_accel_trigger_ops = { + #define ST_ACCEL_TRIGGER_OPS NULL + #endif + ++#ifdef CONFIG_ACPI + static const struct iio_mount_matrix * + get_mount_matrix(const struct iio_dev *indio_dev, + const struct iio_chan_spec *chan) +@@ -1013,7 +1014,6 @@ static const struct iio_chan_spec_ext_info mount_matrix_ext_info[] = { + static int apply_acpi_orientation(struct iio_dev *indio_dev, + struct iio_chan_spec *channels) + { +-#ifdef CONFIG_ACPI + struct st_sensor_data *adata = iio_priv(indio_dev); + struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; + struct acpi_device *adev; +@@ -1141,10 +1141,14 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev, + out: + kfree(buffer.pointer); + return ret; ++} + #else /* !CONFIG_ACPI */ ++static int apply_acpi_orientation(struct iio_dev *indio_dev, ++ struct iio_chan_spec *channels) ++{ + return 0; +-#endif + } ++#endif + + /* + * st_accel_get_settings() - get sensor settings from device name +-- +2.20.1 + diff --git a/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch b/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch new file mode 100644 index 00000000000..0cfc7ac4230 --- /dev/null +++ b/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch @@ -0,0 +1,34 @@ +From 146338e1620eca43805a1548015dbdd3d1301a4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 10:42:25 +0800 +Subject: md: raid1: check rdev before reference in raid1_sync_request func + +From: Zhiqiang Liu + +[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ] + +In raid1_sync_request func, rdev should be checked before reference. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index bb29aeefcbd0..c7137f50bd1d 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2781,7 +2781,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr, + write_targets++; + } + } +- if (bio->bi_end_io) { ++ if (rdev && bio->bi_end_io) { + atomic_inc(&rdev->nr_pending); + bio->bi_iter.bi_sector = sector_nr + rdev->data_offset; + bio_set_dev(bio, rdev->bdev); +-- +2.20.1 + diff --git a/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch b/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch new file mode 100644 index 00000000000..e1a012a0fdf --- /dev/null +++ b/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch @@ -0,0 +1,216 @@ +From 4b6571735d8de331e35433e406fd91648fd614f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:50:22 -0800 +Subject: mm: drop mmap_sem before calling balance_dirty_pages() in write fault + +From: Johannes Weiner + +[ Upstream commit 89b15332af7c0312a41e50846819ca6613b58b4c ] + +One of our services is observing hanging ps/top/etc under heavy write +IO, and the task states show this is an mmap_sem priority inversion: + +A write fault is holding the mmap_sem in read-mode and waiting for +(heavily cgroup-limited) IO in balance_dirty_pages(): + + balance_dirty_pages+0x724/0x905 + balance_dirty_pages_ratelimited+0x254/0x390 + fault_dirty_shared_page.isra.96+0x4a/0x90 + do_wp_page+0x33e/0x400 + __handle_mm_fault+0x6f0/0xfa0 + handle_mm_fault+0xe4/0x200 + __do_page_fault+0x22b/0x4a0 + page_fault+0x45/0x50 + +Somebody tries to change the address space, contending for the mmap_sem in +write-mode: + + call_rwsem_down_write_failed_killable+0x13/0x20 + do_mprotect_pkey+0xa8/0x330 + SyS_mprotect+0xf/0x20 + do_syscall_64+0x5b/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +The waiting writer locks out all subsequent readers to avoid lock +starvation, and several threads can be seen hanging like this: + + call_rwsem_down_read_failed+0x14/0x30 + proc_pid_cmdline_read+0xa0/0x480 + __vfs_read+0x23/0x140 + vfs_read+0x87/0x130 + SyS_read+0x42/0x90 + do_syscall_64+0x5b/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +To fix this, do what we do for cache read faults already: drop the +mmap_sem before calling into anything IO bound, in this case the +balance_dirty_pages() function, and return VM_FAULT_RETRY. + +Link: http://lkml.kernel.org/r/20190924194238.GA29030@cmpxchg.org +Signed-off-by: Johannes Weiner +Reviewed-by: Matthew Wilcox (Oracle) +Acked-by: Kirill A. Shutemov +Cc: Josef Bacik +Cc: Hillf Danton +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/filemap.c | 21 --------------------- + mm/internal.h | 21 +++++++++++++++++++++ + mm/memory.c | 38 +++++++++++++++++++++++++++----------- + 3 files changed, 48 insertions(+), 32 deletions(-) + +diff --git a/mm/filemap.c b/mm/filemap.c +index 85b7d087eb45..1f5731768222 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2329,27 +2329,6 @@ EXPORT_SYMBOL(generic_file_read_iter); + + #ifdef CONFIG_MMU + #define MMAP_LOTSAMISS (100) +-static struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, +- struct file *fpin) +-{ +- int flags = vmf->flags; +- +- if (fpin) +- return fpin; +- +- /* +- * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or +- * anything, so we only pin the file and drop the mmap_sem if only +- * FAULT_FLAG_ALLOW_RETRY is set. +- */ +- if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) == +- FAULT_FLAG_ALLOW_RETRY) { +- fpin = get_file(vmf->vma->vm_file); +- up_read(&vmf->vma->vm_mm->mmap_sem); +- } +- return fpin; +-} +- + /* + * lock_page_maybe_drop_mmap - lock the page, possibly dropping the mmap_sem + * @vmf - the vm_fault for this fault. +diff --git a/mm/internal.h b/mm/internal.h +index 0d5f720c75ab..7dd7fbb577a9 100644 +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -362,6 +362,27 @@ vma_address(struct page *page, struct vm_area_struct *vma) + return max(start, vma->vm_start); + } + ++static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, ++ struct file *fpin) ++{ ++ int flags = vmf->flags; ++ ++ if (fpin) ++ return fpin; ++ ++ /* ++ * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or ++ * anything, so we only pin the file and drop the mmap_sem if only ++ * FAULT_FLAG_ALLOW_RETRY is set. ++ */ ++ if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) == ++ FAULT_FLAG_ALLOW_RETRY) { ++ fpin = get_file(vmf->vma->vm_file); ++ up_read(&vmf->vma->vm_mm->mmap_sem); ++ } ++ return fpin; ++} ++ + #else /* !CONFIG_MMU */ + static inline void clear_page_mlock(struct page *page) { } + static inline void mlock_vma_page(struct page *page) { } +diff --git a/mm/memory.c b/mm/memory.c +index b1ca51a079f2..cb7c940cf800 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2227,10 +2227,11 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf) + * + * The function expects the page to be locked and unlocks it. + */ +-static void fault_dirty_shared_page(struct vm_area_struct *vma, +- struct page *page) ++static vm_fault_t fault_dirty_shared_page(struct vm_fault *vmf) + { ++ struct vm_area_struct *vma = vmf->vma; + struct address_space *mapping; ++ struct page *page = vmf->page; + bool dirtied; + bool page_mkwrite = vma->vm_ops && vma->vm_ops->page_mkwrite; + +@@ -2245,16 +2246,30 @@ static void fault_dirty_shared_page(struct vm_area_struct *vma, + mapping = page_rmapping(page); + unlock_page(page); + ++ if (!page_mkwrite) ++ file_update_time(vma->vm_file); ++ ++ /* ++ * Throttle page dirtying rate down to writeback speed. ++ * ++ * mapping may be NULL here because some device drivers do not ++ * set page.mapping but still dirty their pages ++ * ++ * Drop the mmap_sem before waiting on IO, if we can. The file ++ * is pinning the mapping, as per above. ++ */ + if ((dirtied || page_mkwrite) && mapping) { +- /* +- * Some device drivers do not set page.mapping +- * but still dirty their pages +- */ ++ struct file *fpin; ++ ++ fpin = maybe_unlock_mmap_for_io(vmf, NULL); + balance_dirty_pages_ratelimited(mapping); ++ if (fpin) { ++ fput(fpin); ++ return VM_FAULT_RETRY; ++ } + } + +- if (!page_mkwrite) +- file_update_time(vma->vm_file); ++ return 0; + } + + /* +@@ -2497,6 +2512,7 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf) + __releases(vmf->ptl) + { + struct vm_area_struct *vma = vmf->vma; ++ vm_fault_t ret = VM_FAULT_WRITE; + + get_page(vmf->page); + +@@ -2520,10 +2536,10 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf) + wp_page_reuse(vmf); + lock_page(vmf->page); + } +- fault_dirty_shared_page(vma, vmf->page); ++ ret |= fault_dirty_shared_page(vmf); + put_page(vmf->page); + +- return VM_FAULT_WRITE; ++ return ret; + } + + /* +@@ -3567,7 +3583,7 @@ static vm_fault_t do_shared_fault(struct vm_fault *vmf) + return ret; + } + +- fault_dirty_shared_page(vma, vmf->page); ++ ret |= fault_dirty_shared_page(vmf); + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch b/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch new file mode 100644 index 00000000000..7c5807e8ccb --- /dev/null +++ b/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch @@ -0,0 +1,47 @@ +From 53701693cafb26b3bd0a2ae5e78f4ba37df181d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 20:58:56 -0700 +Subject: net: make socket read/write_iter() honor IOCB_NOWAIT + +From: Jens Axboe + +[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ] + +The socket read/write helpers only look at the file O_NONBLOCK. not +the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2 +and io_uring that rely on not having the file itself marked nonblocking, +but rather the iocb itself. + +Cc: netdev@vger.kernel.org +Acked-by: David Miller +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + net/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index d7a106028f0e..ca8de9e1582d 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -955,7 +955,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to) + .msg_iocb = iocb}; + ssize_t res; + +- if (file->f_flags & O_NONBLOCK) ++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) + msg.msg_flags = MSG_DONTWAIT; + + if (iocb->ki_pos != 0) +@@ -980,7 +980,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) + if (iocb->ki_pos != 0) + return -ESPIPE; + +- if (file->f_flags & O_NONBLOCK) ++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) + msg.msg_flags = MSG_DONTWAIT; + + if (sock->type == SOCK_SEQPACKET) +-- +2.20.1 + diff --git a/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch b/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch new file mode 100644 index 00000000000..5f1cf0f7b03 --- /dev/null +++ b/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch @@ -0,0 +1,51 @@ +From c9c2b29d7d85bed5fac443f467d7f8244a65f1eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 00:59:29 +0100 +Subject: netfilter: nft_tproxy: Fix port selector on Big Endian +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Phil Sutter + +[ Upstream commit 8cb4ec44de42b99b92399b4d1daf3dc430ed0186 ] + +On Big Endian architectures, u16 port value was extracted from the wrong +parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter: +nf_tables: fix mismatch in big-endian system") describes. + +Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support") +Signed-off-by: Phil Sutter +Acked-by: Florian Westphal +Acked-by: Máté Eckl +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c +index f92a82c73880..95980154ef02 100644 +--- a/net/netfilter/nft_tproxy.c ++++ b/net/netfilter/nft_tproxy.c +@@ -50,7 +50,7 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, + taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr); + + if (priv->sreg_port) +- tport = regs->data[priv->sreg_port]; ++ tport = nft_reg_load16(®s->data[priv->sreg_port]); + if (!tport) + tport = hp->dest; + +@@ -117,7 +117,7 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, + taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr); + + if (priv->sreg_port) +- tport = regs->data[priv->sreg_port]; ++ tport = nft_reg_load16(®s->data[priv->sreg_port]); + if (!tport) + tport = hp->dest; + +-- +2.20.1 + diff --git a/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch b/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch new file mode 100644 index 00000000000..1cc7c94b59e --- /dev/null +++ b/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch @@ -0,0 +1,80 @@ +From 637467273554ef33df70e3a7f18034830375b52b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 09:59:37 -0800 +Subject: nvme-fc: fix double-free scenarios on hw queues + +From: James Smart + +[ Upstream commit c869e494ef8b5846d9ba91f1e922c23cd444f0c1 ] + +If an error occurs on one of the ios used for creating an +association, the creating routine has error paths that are +invoked by the command failure and the error paths will free +up the controller resources created to that point. + +But... the io was ultimately determined by an asynchronous +completion routine that detected the error and which +unconditionally invokes the error_recovery path which calls +delete_association. Delete association deletes all outstanding +io then tears down the controller resources. So the +create_association thread can be running in parallel with +the error_recovery thread. What was seen was the LLDD received +a call to delete a queue, causing the LLDD to do a free of a +resource, then the transport called the delete queue again +causing the driver to repeat the free call. The second free +routine corrupted the allocator. The transport shouldn't be +making the duplicate call, and the delete queue is just one +of the resources being freed. + +To fix, it is realized that the create_association path is +completely serialized with one command at a time. So the +failed io completion will always be seen by the create_association +path and as of the failure, there are no ios to terminate and there +is no reason to be manipulating queue freeze states, etc. +The serialized condition stays true until the controller is +transitioned to the LIVE state. Thus the fix is to change the +error recovery path to check the controller state and only +invoke the teardown path if not already in the CONNECTING state. + +Reviewed-by: Himanshu Madhani +Reviewed-by: Ewan D. Milne +Signed-off-by: James Smart +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 3f102d9f39b8..59474bd0c728 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2910,10 +2910,22 @@ nvme_fc_reconnect_or_delete(struct nvme_fc_ctrl *ctrl, int status) + static void + __nvme_fc_terminate_io(struct nvme_fc_ctrl *ctrl) + { +- nvme_stop_keep_alive(&ctrl->ctrl); ++ /* ++ * if state is connecting - the error occurred as part of a ++ * reconnect attempt. The create_association error paths will ++ * clean up any outstanding io. ++ * ++ * if it's a different state - ensure all pending io is ++ * terminated. Given this can delay while waiting for the ++ * aborted io to return, we recheck adapter state below ++ * before changing state. ++ */ ++ if (ctrl->ctrl.state != NVME_CTRL_CONNECTING) { ++ nvme_stop_keep_alive(&ctrl->ctrl); + +- /* will block will waiting for io to terminate */ +- nvme_fc_delete_association(ctrl); ++ /* will block will waiting for io to terminate */ ++ nvme_fc_delete_association(ctrl); ++ } + + if (ctrl->ctrl.state != NVME_CTRL_CONNECTING && + !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) +-- +2.20.1 + diff --git a/queue-5.4/nvme-pci-fix-read-queue-count.patch b/queue-5.4/nvme-pci-fix-read-queue-count.patch new file mode 100644 index 00000000000..acd33f90448 --- /dev/null +++ b/queue-5.4/nvme-pci-fix-read-queue-count.patch @@ -0,0 +1,49 @@ +From 87622a55a996fd8914ed1cd56ba6a618e8942ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 08:11:17 +0900 +Subject: nvme/pci: Fix read queue count + +From: Keith Busch + +[ Upstream commit 7e4c6b9a5d22485acf009b3c3510a370f096dd54 ] + +If nvme.write_queues equals the number of CPUs, the driver had decreased +the number of interrupts available such that there could only be one read +queue even if the controller could support more. Remove the interrupt +count reduction in this case. The driver wouldn't request more IRQs than +it wants queues anyway. + +Reviewed-by: Jens Axboe +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 29d7427c2b19..14d513087a14 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2060,7 +2060,6 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) + .priv = dev, + }; + unsigned int irq_queues, this_p_queues; +- unsigned int nr_cpus = num_possible_cpus(); + + /* + * Poll queues don't need interrupts, but we need at least one IO +@@ -2071,10 +2070,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) + this_p_queues = nr_io_queues - 1; + irq_queues = 1; + } else { +- if (nr_cpus < nr_io_queues - this_p_queues) +- irq_queues = nr_cpus + 1; +- else +- irq_queues = nr_io_queues - this_p_queues + 1; ++ irq_queues = nr_io_queues - this_p_queues + 1; + } + dev->io_queues[HCTX_TYPE_POLL] = this_p_queues; + +-- +2.20.1 + diff --git a/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch b/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch new file mode 100644 index 00000000000..97664768ef4 --- /dev/null +++ b/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch @@ -0,0 +1,46 @@ +From f3ea8b1419f44b84b6b92af1548ccba8d604f4dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2019 01:51:54 +0900 +Subject: nvme/pci: Fix write and poll queue types + +From: Keith Busch + +[ Upstream commit 3f68baf706ec68c4120867c25bc439c845fe3e17 ] + +The number of poll or write queues should never be negative. Use unsigned +types so that it's not possible to break have the driver not allocate +any queues. + +Reviewed-by: Jens Axboe +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 869f462e6b6e..29d7427c2b19 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -68,14 +68,14 @@ static int io_queue_depth = 1024; + module_param_cb(io_queue_depth, &io_queue_depth_ops, &io_queue_depth, 0644); + MODULE_PARM_DESC(io_queue_depth, "set io queue depth, should >= 2"); + +-static int write_queues; +-module_param(write_queues, int, 0644); ++static unsigned int write_queues; ++module_param(write_queues, uint, 0644); + MODULE_PARM_DESC(write_queues, + "Number of queues to use for writes. If not set, reads and writes " + "will share a queue set."); + +-static int poll_queues; +-module_param(poll_queues, int, 0644); ++static unsigned int poll_queues; ++module_param(poll_queues, uint, 0644); + MODULE_PARM_DESC(poll_queues, "Number of queues to use for polled IO."); + + struct nvme_dev; +-- +2.20.1 + diff --git a/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch b/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch new file mode 100644 index 00000000000..e1a6076e239 --- /dev/null +++ b/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch @@ -0,0 +1,154 @@ +From 263850bc26c3062010daef16e8fc121f0dd72434 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 15:15:26 -0800 +Subject: nvme_fc: add module to ops template to allow module references + +From: James Smart + +[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ] + +In nvme-fc: it's possible to have connected active controllers +and as no references are taken on the LLDD, the LLDD can be +unloaded. The controller would enter a reconnect state and as +long as the LLDD resumed within the reconnect timeout, the +controller would resume. But if a namespace on the controller +is the root device, allowing the driver to unload can be problematic. +To reload the driver, it may require new io to the boot device, +and as it's no longer connected we get into a catch-22 that +eventually fails, and the system locks up. + +Fix this issue by taking a module reference for every connected +controller (which is what the core layer did to the transport +module). Reference is cleared when the controller is removed. + +Acked-by: Himanshu Madhani +Reviewed-by: Christoph Hellwig +Signed-off-by: James Smart +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 14 ++++++++++++-- + drivers/nvme/target/fcloop.c | 1 + + drivers/scsi/lpfc/lpfc_nvme.c | 2 ++ + drivers/scsi/qla2xxx/qla_nvme.c | 1 + + include/linux/nvme-fc-driver.h | 4 ++++ + 5 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 265f89e11d8b..3f102d9f39b8 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -342,7 +342,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo, + !template->ls_req || !template->fcp_io || + !template->ls_abort || !template->fcp_abort || + !template->max_hw_queues || !template->max_sgl_segments || +- !template->max_dif_sgl_segments || !template->dma_boundary) { ++ !template->max_dif_sgl_segments || !template->dma_boundary || ++ !template->module) { + ret = -EINVAL; + goto out_reghost_failed; + } +@@ -2015,6 +2016,7 @@ nvme_fc_ctrl_free(struct kref *ref) + { + struct nvme_fc_ctrl *ctrl = + container_of(ref, struct nvme_fc_ctrl, ref); ++ struct nvme_fc_lport *lport = ctrl->lport; + unsigned long flags; + + if (ctrl->ctrl.tagset) { +@@ -2041,6 +2043,7 @@ nvme_fc_ctrl_free(struct kref *ref) + if (ctrl->ctrl.opts) + nvmf_free_options(ctrl->ctrl.opts); + kfree(ctrl); ++ module_put(lport->ops->module); + } + + static void +@@ -3056,10 +3059,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + goto out_fail; + } + ++ if (!try_module_get(lport->ops->module)) { ++ ret = -EUNATCH; ++ goto out_free_ctrl; ++ } ++ + idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL); + if (idx < 0) { + ret = -ENOSPC; +- goto out_free_ctrl; ++ goto out_mod_put; + } + + ctrl->ctrl.opts = opts; +@@ -3212,6 +3220,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + out_free_ida: + put_device(ctrl->dev); + ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum); ++out_mod_put: ++ module_put(lport->ops->module); + out_free_ctrl: + kfree(ctrl); + out_fail: +diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c +index b50b53db3746..1c50af6219f3 100644 +--- a/drivers/nvme/target/fcloop.c ++++ b/drivers/nvme/target/fcloop.c +@@ -850,6 +850,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport) + #define FCLOOP_DMABOUND_4G 0xFFFFFFFF + + static struct nvme_fc_port_template fctemplate = { ++ .module = THIS_MODULE, + .localport_delete = fcloop_localport_delete, + .remoteport_delete = fcloop_remoteport_delete, + .create_queue = fcloop_create_queue, +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index a227e36cbdc2..8e0f03ef346b 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -1976,6 +1976,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport, + + /* Declare and initialization an instance of the FC NVME template. */ + static struct nvme_fc_port_template lpfc_nvme_template = { ++ .module = THIS_MODULE, ++ + /* initiator-based functions */ + .localport_delete = lpfc_nvme_localport_delete, + .remoteport_delete = lpfc_nvme_remoteport_delete, +diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c +index 941aa53363f5..bfcd02fdf2b8 100644 +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -610,6 +610,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport) + } + + static struct nvme_fc_port_template qla_nvme_fc_transport = { ++ .module = THIS_MODULE, + .localport_delete = qla_nvme_localport_delete, + .remoteport_delete = qla_nvme_remoteport_delete, + .create_queue = qla_nvme_alloc_queue, +diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h +index 10f81629b9ce..6d0d70f3219c 100644 +--- a/include/linux/nvme-fc-driver.h ++++ b/include/linux/nvme-fc-driver.h +@@ -270,6 +270,8 @@ struct nvme_fc_remote_port { + * + * Host/Initiator Transport Entrypoints/Parameters: + * ++ * @module: The LLDD module using the interface ++ * + * @localport_delete: The LLDD initiates deletion of a localport via + * nvme_fc_deregister_localport(). However, the teardown is + * asynchronous. This routine is called upon the completion of the +@@ -383,6 +385,8 @@ struct nvme_fc_remote_port { + * Value is Mandatory. Allowed to be zero. + */ + struct nvme_fc_port_template { ++ struct module *module; ++ + /* initiator-based functions */ + void (*localport_delete)(struct nvme_fc_local_port *); + void (*remoteport_delete)(struct nvme_fc_remote_port *); +-- +2.20.1 + diff --git a/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch b/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch new file mode 100644 index 00000000000..915a84bbacb --- /dev/null +++ b/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch @@ -0,0 +1,72 @@ +From 1530339038f37a31f755cacd80a3cf9a47c5bfcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 15:38:47 +0800 +Subject: PCI: Add a helper to check Power Resource Requirements _PR3 existence + +From: Kai-Heng Feng + +[ Upstream commit 52525b7a3cf82adec5c6cf0ecbd23ff228badc94 ] + +A driver may want to know the existence of _PR3, to choose different +runtime suspend behavior. A user will be add in next patch. + +This is mostly the same as nouveau_pr3_present(). + +Signed-off-by: Kai-Heng Feng +Acked-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20191018073848.14590-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 18 ++++++++++++++++++ + include/linux/pci.h | 2 ++ + 2 files changed, 20 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index a97e2571a527..fcfaadc774ee 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5854,6 +5854,24 @@ int pci_set_vga_state(struct pci_dev *dev, bool decode, + return 0; + } + ++#ifdef CONFIG_ACPI ++bool pci_pr3_present(struct pci_dev *pdev) ++{ ++ struct acpi_device *adev; ++ ++ if (acpi_disabled) ++ return false; ++ ++ adev = ACPI_COMPANION(&pdev->dev); ++ if (!adev) ++ return false; ++ ++ return adev->power.flags.power_resources && ++ acpi_has_method(adev->handle, "_PR3"); ++} ++EXPORT_SYMBOL_GPL(pci_pr3_present); ++#endif ++ + /** + * pci_add_dma_alias - Add a DMA devfn alias for a device + * @dev: the PCI device for which alias is added +diff --git a/include/linux/pci.h b/include/linux/pci.h +index f9088c89a534..1d15c5d49cdd 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -2310,9 +2310,11 @@ struct irq_domain *pci_host_bridge_acpi_msi_domain(struct pci_bus *bus); + + void + pci_msi_register_fwnode_provider(struct fwnode_handle *(*fn)(struct device *)); ++bool pci_pr3_present(struct pci_dev *pdev); + #else + static inline struct irq_domain * + pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; } ++static bool pci_pr3_present(struct pci_dev *pdev) { return false; } + #endif + + #ifdef CONFIG_EEH +-- +2.20.1 + diff --git a/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch b/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch new file mode 100644 index 00000000000..4c1d67b85fe --- /dev/null +++ b/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch @@ -0,0 +1,37 @@ +From 8797c216a8395e8c98115d0b71193ea1cc586ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 16:25:20 +0200 +Subject: PCI: Fix missing inline for pci_pr3_present() + +From: Takashi Iwai + +[ Upstream commit 46b4bff6572b0552b1ee062043621e4b252638d8 ] + +The inline prefix was missing in the dummy function pci_pr3_present() +definition. Fix it. + +Reported-by: kbuild test robot +Fixes: 52525b7a3cf8 ("PCI: Add a helper to check Power Resource Requirements _PR3 existence") +Link: https://lore.kernel.org/r/201910212111.qHm6OcWx%lkp@intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/linux/pci.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 1d15c5d49cdd..be529d311122 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -2314,7 +2314,7 @@ bool pci_pr3_present(struct pci_dev *pdev); + #else + static inline struct irq_domain * + pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; } +-static bool pci_pr3_present(struct pci_dev *pdev) { return false; } ++static inline bool pci_pr3_present(struct pci_dev *pdev) { return false; } + #endif + + #ifdef CONFIG_EEH +-- +2.20.1 + diff --git a/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch b/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch new file mode 100644 index 00000000000..da6e10031a6 --- /dev/null +++ b/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch @@ -0,0 +1,55 @@ +From e57101b3cf2040f68aecfe9c67bc28b9ce5b6629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 01:21:31 +0200 +Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list + +From: Leonard Crestez + +[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ] + +Right now devfreq_dev_release will print a warning and abort the rest of +the cleanup if the devfreq instance is not part of the global +devfreq_list. But this is a valid scenario, for example it can happen if +the governor can't be found or on any other init error that happens +after device_register. + +Initialize devfreq->node to an empty list head in devfreq_add_device so +that list_del becomes a safe noop inside devfreq_dev_release and we can +continue the rest of the cleanup. + +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index e185c8846916..ffd2d6b44dfb 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -588,11 +588,6 @@ static void devfreq_dev_release(struct device *dev) + struct devfreq *devfreq = to_devfreq(dev); + + mutex_lock(&devfreq_list_lock); +- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) { +- mutex_unlock(&devfreq_list_lock); +- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n"); +- return; +- } + list_del(&devfreq->node); + mutex_unlock(&devfreq_list_lock); + +@@ -647,6 +642,7 @@ struct devfreq *devfreq_add_device(struct device *dev, + devfreq->dev.parent = dev; + devfreq->dev.class = devfreq_class; + devfreq->dev.release = devfreq_dev_release; ++ INIT_LIST_HEAD(&devfreq->node); + devfreq->profile = profile; + strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN); + devfreq->previous_freq = profile->initial_freq; +-- +2.20.1 + diff --git a/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch b/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch new file mode 100644 index 00000000000..a2c13645c27 --- /dev/null +++ b/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch @@ -0,0 +1,73 @@ +From 16c870eecbda16aba506fd0e995b0908c1939520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 23:34:18 +0200 +Subject: PM / devfreq: Fix devfreq_notifier_call returning errno + +From: Leonard Crestez + +[ Upstream commit e876e710ede23f670494331e062d643928e4142a ] + +Notifier callbacks shouldn't return negative errno but one of the +NOTIFY_OK/DONE/BAD values. + +The OPP core will ignore return values from notifiers but returning a +value that matches NOTIFY_STOP_MASK will stop the notification chain. + +Fix by always returning NOTIFY_OK. + +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index 3a1484e7a3ae..e5c2afdc7b7f 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -551,26 +551,28 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type, + void *devp) + { + struct devfreq *devfreq = container_of(nb, struct devfreq, nb); +- int ret; ++ int err = -EINVAL; + + mutex_lock(&devfreq->lock); + + devfreq->scaling_min_freq = find_available_min_freq(devfreq); +- if (!devfreq->scaling_min_freq) { +- mutex_unlock(&devfreq->lock); +- return -EINVAL; +- } ++ if (!devfreq->scaling_min_freq) ++ goto out; + + devfreq->scaling_max_freq = find_available_max_freq(devfreq); +- if (!devfreq->scaling_max_freq) { +- mutex_unlock(&devfreq->lock); +- return -EINVAL; +- } ++ if (!devfreq->scaling_max_freq) ++ goto out; ++ ++ err = update_devfreq(devfreq); + +- ret = update_devfreq(devfreq); ++out: + mutex_unlock(&devfreq->lock); ++ if (err) ++ dev_err(devfreq->dev.parent, ++ "failed to update frequency from OPP notifier (%d)\n", ++ err); + +- return ret; ++ return NOTIFY_OK; + } + + /** +-- +2.20.1 + diff --git a/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch b/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch new file mode 100644 index 00000000000..f15d305e670 --- /dev/null +++ b/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch @@ -0,0 +1,44 @@ +From c41febd1cced10e84c0e562698cffabf121d3ea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 23:34:19 +0200 +Subject: PM / devfreq: Set scaling_max_freq to max on OPP notifier error + +From: Leonard Crestez + +[ Upstream commit e7cc792d00049c874010b398a27c3cc7bc8fef34 ] + +The devfreq_notifier_call functions will update scaling_min_freq and +scaling_max_freq when the OPP table is updated. + +If fetching the maximum frequency fails then scaling_max_freq remains +set to zero which is confusing. Set to ULONG_MAX instead so we don't +need special handling for this case in other places. + +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index e5c2afdc7b7f..e185c8846916 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -560,8 +560,10 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type, + goto out; + + devfreq->scaling_max_freq = find_available_max_freq(devfreq); +- if (!devfreq->scaling_max_freq) ++ if (!devfreq->scaling_max_freq) { ++ devfreq->scaling_max_freq = ULONG_MAX; + goto out; ++ } + + err = update_devfreq(devfreq); + +-- +2.20.1 + diff --git a/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch b/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch new file mode 100644 index 00000000000..b4b0004d7f0 --- /dev/null +++ b/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch @@ -0,0 +1,58 @@ +From c638bf4b8091c407f9d0ad316e665d2831a4f1a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 15:39:12 +0100 +Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation + +From: Andy Whitcroft + +[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ] + +When looking for a bit by number we make use of the cached result from the +preceding lookup to speed up operation. Firstly we check if the requested +pfn is within the cached zone and if not lookup the new zone. We then +check if the offset for that pfn falls within the existing cached node. +This happens regardless of whether the node is within the zone we are +now scanning. With certain memory layouts it is possible for this to +false trigger creating a temporary alias for the pfn to a different bit. +This leads the hibernation code to free memory which it was never allocated +with the expected fallout. + +Ensure the zone we are scanning matches the cached zone before considering +the cached node. + +Deep thanks go to Andrea for many, many, many hours of hacking and testing +that went into cornering this bug. + +Reported-by: Andrea Righi +Tested-by: Andrea Righi +Signed-off-by: Andy Whitcroft +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/snapshot.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index 83105874f255..26b9168321e7 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -734,8 +734,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn, + * We have found the zone. Now walk the radix tree to find the leaf node + * for our PFN. + */ ++ ++ /* ++ * If the zone we wish to scan is the the current zone and the ++ * pfn falls into the current node then we do not need to walk ++ * the tree. ++ */ + node = bm->cur.node; +- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) ++ if (zone == bm->cur.zone && ++ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) + goto node_found; + + node = zone->rtree; +-- +2.20.1 + diff --git a/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch b/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch new file mode 100644 index 00000000000..74722f0c14c --- /dev/null +++ b/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch @@ -0,0 +1,45 @@ +From 5c45186681b80741e246b134cab54b31040c161d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 17:57:50 +0100 +Subject: raid5: need to set STRIPE_HANDLE for batch head + +From: Guoqing Jiang + +[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ] + +With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set +STRIPE_HANDLE to stripe which is in batch list"), we don't want to set +STRIPE_HANDLE flag for sh which is already in batch list. + +However, the stripe which is the head of batch list should set this flag, +otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head), +it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved. + +Thanks for Xiao's effort to verify the change. + +Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list") +Reported-by: Xiao Ni +Tested-by: Xiao Ni +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 12a8ce83786e..36cd7c2fbf40 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -5726,7 +5726,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi) + do_flush = false; + } + +- if (!sh->batch_head) ++ if (!sh->batch_head || sh == sh->batch_head) + set_bit(STRIPE_HANDLE, &sh->state); + clear_bit(STRIPE_DELAYED, &sh->state); + if ((!sh->batch_head || sh == sh->batch_head) && +-- +2.20.1 + diff --git a/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch b/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch new file mode 100644 index 00000000000..feff878004c --- /dev/null +++ b/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch @@ -0,0 +1,38 @@ +From ee1fe85c574131d442fc2db517afeaedcd8fd472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 09:24:26 +0800 +Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure + +From: Chuhong Yuan + +[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ] + +The driver forgets to call unregister_pernet_subsys() in the error path +of cma_init(). +Add the missed call to fix it. + +Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces") +Signed-off-by: Chuhong Yuan +Reviewed-by: Parav Pandit +Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index d78f67623f24..50052e9a1731 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4736,6 +4736,7 @@ static int __init cma_init(void) + err: + unregister_netdevice_notifier(&cma_nb); + ib_sa_unregister_client(&sa_client); ++ unregister_pernet_subsys(&cma_pernet_operations); + err_wq: + destroy_workqueue(cma_wq); + return ret; +-- +2.20.1 + diff --git a/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch b/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch new file mode 100644 index 00000000000..ac56ee17d3b --- /dev/null +++ b/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch @@ -0,0 +1,80 @@ +From 783ffb8c6702f35bc63d016179a8bd1db19e8f5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:12:12 +0200 +Subject: RDMA/counter: Prevent auto-binding a QP which are not tracked with + res + +From: Mark Zhang + +[ Upstream commit 33df2f1929df4a1cb13303e344fbf8a75f0dc41f ] + +Some QPs (e.g. XRC QP) are not tracked in kernel, in this case they have +an invalid res and should not be bound to any dynamically-allocated +counter in auto mode. + +This fixes below call trace: +BUG: kernel NULL pointer dereference, address: 0000000000000390 +PGD 80000001a7233067 P4D 80000001a7233067 PUD 1a7215067 PMD 0 +Oops: 0000 [#1] SMP PTI +CPU: 2 PID: 24822 Comm: ibv_xsrq_pingpo Not tainted 5.4.0-rc5+ #21 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 +RIP: 0010:rdma_counter_bind_qp_auto+0x142/0x270 [ib_core] +Code: e1 48 85 c0 48 89 c2 0f 84 bc 00 00 00 49 8b 06 48 39 42 48 75 d6 40 3a aa 90 00 00 00 75 cd 49 8b 86 00 01 00 00 48 8b 4a 28 <8b> 80 90 03 00 00 39 81 90 03 00 00 75 b4 85 c0 74 b0 48 8b 04 24 +RSP: 0018:ffffc900003f39c0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 +RDX: ffff88820020ec00 RSI: 0000000000000004 RDI: ffffffffffffffc0 +RBP: 0000000000000001 R08: ffff888224149ff0 R09: ffffc900003f3968 +R10: ffffffffffffffff R11: ffff8882249c5848 R12: ffffffffffffffff +R13: ffff88821d5aca50 R14: ffff8881f7690800 R15: ffff8881ff890000 +FS: 00007fe53a3e1740(0000) GS:ffff888237b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000390 CR3: 00000001a7292006 CR4: 00000000003606a0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + _ib_modify_qp+0x3a4/0x3f0 [ib_core] + ? lookup_get_idr_uobject.part.8+0x23/0x40 [ib_uverbs] + modify_qp+0x322/0x3e0 [ib_uverbs] + ib_uverbs_modify_qp+0x43/0x70 [ib_uverbs] + ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb1/0xf0 [ib_uverbs] + ib_uverbs_run_method+0x6be/0x760 [ib_uverbs] + ? uverbs_disassociate_api+0xd0/0xd0 [ib_uverbs] + ib_uverbs_cmd_verbs+0x18d/0x3a0 [ib_uverbs] + ? get_acl+0x1a/0x120 + ? __alloc_pages_nodemask+0x15d/0x2c0 + ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] + do_vfs_ioctl+0xa5/0x610 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x48/0x110 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 99fa331dc862 ("RDMA/counter: Add "auto" configuration mode support") +Signed-off-by: Mark Zhang +Reviewed-by: Maor Gottlieb +Reviewed-by: Ido Kalir +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191212091214.315005-2-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/counters.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c +index 680ad27f497d..023478107f0e 100644 +--- a/drivers/infiniband/core/counters.c ++++ b/drivers/infiniband/core/counters.c +@@ -282,6 +282,9 @@ int rdma_counter_bind_qp_auto(struct ib_qp *qp, u8 port) + struct rdma_counter *counter; + int ret; + ++ if (!qp->res.valid) ++ return 0; ++ + if (!rdma_is_port_valid(dev, port)) + return -EINVAL; + +-- +2.20.1 + diff --git a/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch b/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch new file mode 100644 index 00000000000..6a65190615c --- /dev/null +++ b/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch @@ -0,0 +1,83 @@ +From 786c7b8f6ced8b63e9b4c659a8aa8fe382d01050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 20:03:20 -0600 +Subject: rxe: correctly calculate iCRC for unaligned payloads + +From: Steve Wise + +[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ] + +If RoCE PDUs being sent or received contain pad bytes, then the iCRC +is miscalculated, resulting in PDUs being emitted by RXE with an incorrect +iCRC, as well as ingress PDUs being dropped due to erroneously detecting +a bad iCRC in the PDU. The fix is to include the pad bytes, if any, +in iCRC computations. + +Note: This bug has caused broken on-the-wire compatibility with actual +hardware RoCE devices since the soft-RoCE driver was first put into the +mainstream kernel. Fixing it will create an incompatibility with the +original soft-RoCE devices, but is necessary to be compatible with real +hardware devices. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Signed-off-by: Steve Wise +Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 2 +- + drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++ + drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index f9a492ed900b..831ad578a7b2 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -389,7 +389,7 @@ void rxe_rcv(struct sk_buff *skb) + + calc_icrc = rxe_icrc_hdr(pkt, skb); + calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt), +- payload_size(pkt)); ++ payload_size(pkt) + bth_pad(pkt)); + calc_icrc = (__force u32)cpu_to_be32(~calc_icrc); + if (unlikely(calc_icrc != pack_icrc)) { + if (skb->protocol == htons(ETH_P_IPV6)) +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index c5d9b558fa90..e5031172c019 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe, + if (err) + return err; + } ++ if (bth_pad(pkt)) { ++ u8 *pad = payload_addr(pkt) + paylen; ++ ++ memset(pad, 0, bth_pad(pkt)); ++ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt)); ++ } + } + p = payload_addr(pkt) + paylen + bth_pad(pkt); + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 1cbfbd98eb22..c4a8195bf670 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -732,6 +732,13 @@ static enum resp_states read_reply(struct rxe_qp *qp, + if (err) + pr_err("Failed copying memory\n"); + ++ if (bth_pad(&ack_pkt)) { ++ struct rxe_dev *rxe = to_rdev(qp->ibqp.device); ++ u8 *pad = payload_addr(&ack_pkt) + payload; ++ ++ memset(pad, 0, bth_pad(&ack_pkt)); ++ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt)); ++ } + p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt); + *p = ~icrc; + +-- +2.20.1 + diff --git a/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch b/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch new file mode 100644 index 00000000000..afd55df131c --- /dev/null +++ b/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch @@ -0,0 +1,75 @@ +From f51d8cb2f4308074d082e6df79b3899c61d071b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 10:26:41 +0100 +Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits + +From: Thomas Richter + +[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ] + +Function perf_event_ever_overflow() and perf_event_account_interrupt() +are called every time samples are processed by the interrupt handler. +However function perf_event_account_interrupt() has checks to avoid being +flooded with interrupts (more then 1000 samples are received per +task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is +added to the perf data. The perf subsystem limit calculation is: + + maximum sample frequency := 100000 --> 1 samples per 10 us + task_tick = 10ms = 10000us --> 1000 samples per task_tick + +The work flow is + +measurement_alert() uses SDBT head and each SBDT points to 511 + SDB pages, each with 126 sample entries. After processing 8 SBDs + and for each valid sample calling: + + perf_event_overflow() + perf_event_account_interrupts() + +there is a considerable amount of samples being dropped, especially when +the sample frequency is very high and near the 100000 limit. + +To avoid the high amount of samples being dropped near the end of a +task_tick time frame, increment the sampling interval in case of +dropped events. The CPU Measurement sampling facility on the s390 +supports only intervals, specifiing how many CPU cycles have to be +executed before a sample is generated. Increase the interval when the +samples being generated hit the task_tick limit. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 7511b71d2931..47515c96032e 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1325,6 +1325,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) + if (sampl_overflow) + OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) + + sampl_overflow, 1 + num_sdb); ++ ++ /* Perf_event_overflow() and perf_event_account_interrupt() limit ++ * the interrupt rate to an upper limit. Roughly 1000 samples per ++ * task tick. ++ * Hitting this limit results in a large number ++ * of throttled REF_REPORT_THROTTLE entries and the samples ++ * are dropped. ++ * Slightly increase the interval to avoid hitting this limit. ++ */ ++ if (event_overflow) { ++ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10); ++ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n", ++ __func__, ++ DIV_ROUND_UP(SAMPL_RATE(hwc), 10)); ++ } ++ + if (sampl_overflow || event_overflow) + debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: " + "overflow stats: sample=%llu event=%llu\n", +-- +2.20.1 + diff --git a/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch b/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch new file mode 100644 index 00000000000..f0308d577f8 --- /dev/null +++ b/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch @@ -0,0 +1,77 @@ +From 7ca485267443f3ceb87fb10ca207ab15ec82b9b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2019 15:24:25 +0100 +Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler + +From: Thomas Richter + +[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ] + +The s390 CPU Measurement sampling facility has an overflow condition +which fires when all entries in a SBD are used. +The measurement alert interrupt is triggered and reads out all samples +in this SDB. It then tests the successor SDB, if this SBD is not full, +the interrupt handler does not read any samples at all from this SDB +The design waits for the hardware to fill this SBD and then trigger +another meassurement alert interrupt. + +This scheme works nicely until +an perf_event_overflow() function call discards the sample due to +a too high sampling rate. +The interrupt handler has logic to read out a partially filled SDB +when the perf event overflow condition in linux common code is met. +This causes the CPUM sampling measurement hardware and the PMU +device driver to operate on the same SBD's trailer entry. +This should not happen. + +This can be seen here using this trace: + cpumsf_pmu_add: tear:0xb5286000 + hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0 + hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 + above shows 1. interrupt + hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0 + hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 + above shows 2. interrupt + ... this goes on fine until... + hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0 + perf_push_sample1: overflow + one or more samples read from the IRQ handler are rejected by + perf_event_overflow() and the IRQ handler advances to the next SDB + and modifies the trailer entry of a partially filled SDB. + hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1 + timestamp: 14:32:52.519953 + +Next time the IRQ handler is called for this SDB the trailer entry shows +an overflow count of 19 missed entries. + hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1 + timestamp: 14:32:52.970058 + +Remove access to a follow on SDB when event overflow happened. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 47515c96032e..fdb8083e7870 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1313,12 +1313,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) + */ + if (flush_all && done) + break; +- +- /* If an event overflow happened, discard samples by +- * processing any remaining sample-data-blocks. +- */ +- if (event_overflow) +- flush_all = 1; + } + + /* Account sample overflows in the event hardware structure */ +-- +2.20.1 + diff --git a/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch b/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch new file mode 100644 index 00000000000..009c8eb48be --- /dev/null +++ b/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch @@ -0,0 +1,113 @@ +From 0eb29138cb1f0c0a91a2f046710af92a337bddc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 13:26:17 +0000 +Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func + +From: Bo Wu + +[ Upstream commit bba340c79bfe3644829db5c852fdfa9e33837d6d ] + +In iscsi_if_rx func, after receiving one request through +iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to +reply to the request in a do-while loop. If the iscsi_if_send_reply +function keeps returning -EAGAIN, a deadlock will occur. + +For example, a client only send msg without calling recvmsg func, then +it will result in the watchdog soft lockup. The details are given as +follows: + + sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); + retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); + while (1) { + state_msg = sendmsg(sock_fd, &msg, 0); + //Note: recvmsg(sock_fd, &msg, 0) is not processed here. + } + close(sock_fd); + +watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: +curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 +deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: + TIMER: 992 + SCHED: 8 +Sample irqstat: + irq 2: delta 1003, curr: 3103802, arch_timer +CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 40400005 (nZcv daif +PAN -UAO) +pc : __alloc_skb+0x104/0x1b0 +lr : __alloc_skb+0x9c/0x1b0 +sp : ffff000033603a30 +x29: ffff000033603a30 x28: 00000000000002dd +x27: ffff800b34ced810 x26: ffff800ba7569f00 +x25: 00000000ffffffff x24: 0000000000000000 +x23: ffff800f7c43f600 x22: 0000000000480020 +x21: ffff0000091d9000 x20: ffff800b34eff200 +x19: ffff800ba7569f00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0001000101000100 +x13: 0000000101010000 x12: 0101000001010100 +x11: 0001010101010001 x10: 00000000000002dd +x9 : ffff000033603d58 x8 : ffff800b34eff400 +x7 : ffff800ba7569200 x6 : ffff800b34eff400 +x5 : 0000000000000000 x4 : 00000000ffffffff +x3 : 0000000000000000 x2 : 0000000000000001 +x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: +__alloc_skb+0x104/0x1b0 +iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] +netlink_unicast+0x1e0/0x258 +netlink_sendmsg+0x310/0x378 +sock_sendmsg+0x4c/0x70 +sock_write_iter+0x90/0xf0 +__vfs_write+0x11c/0x190 +vfs_write+0xac/0x1c0 +ksys_write+0x6c/0xd8 +__arm64_sys_write+0x24/0x30 +el0_svc_common+0x78/0x130 +el0_svc_handler+0x38/0x78 +el0_svc+0x8/0xc + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 417b868d8735..ed8d9709b9b9 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -24,6 +24,8 @@ + + #define ISCSI_TRANSPORT_VERSION "2.0-870" + ++#define ISCSI_SEND_MAX_ALLOWED 10 ++ + #define CREATE_TRACE_POINTS + #include + +@@ -3682,6 +3684,7 @@ iscsi_if_rx(struct sk_buff *skb) + struct nlmsghdr *nlh; + struct iscsi_uevent *ev; + uint32_t group; ++ int retries = ISCSI_SEND_MAX_ALLOWED; + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || +@@ -3712,6 +3715,10 @@ iscsi_if_rx(struct sk_buff *skb) + break; + err = iscsi_if_send_reply(portid, nlh->nlmsg_type, + ev, sizeof(*ev)); ++ if (err == -EAGAIN && --retries < 0) { ++ printk(KERN_WARNING "Send reply failed, error %d\n", err); ++ break; ++ } + } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); + skb_pull(skb, rlen); + } +-- +2.20.1 + diff --git a/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch new file mode 100644 index 00000000000..dc9ce04a47c --- /dev/null +++ b/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch @@ -0,0 +1,40 @@ +From 6cb39692fb66cbd82d7a515d1155f3e5f3fc2d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 12:45:09 +0300 +Subject: scsi: iscsi: qla4xxx: fix double free in probe + +From: Dan Carpenter + +[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ] + +On this error path we call qla4xxx_mem_free() and then the caller also +calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a +couple double frees: + +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed + +Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx") +Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 8c674eca09f1..2323432a0edb 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -4275,7 +4275,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha) + return QLA_SUCCESS; + + mem_alloc_error_exit: +- qla4xxx_mem_free(ha); + return QLA_ERROR; + } + +-- +2.20.1 + diff --git a/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch b/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch new file mode 100644 index 00000000000..952563af9a2 --- /dev/null +++ b/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch @@ -0,0 +1,147 @@ +From ec4e54639505edc6e8fbcbb100bf743b9a308dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 09:11:18 +0800 +Subject: scsi: libsas: stop discovering if oob mode is disconnected + +From: Jason Yan + +[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ] + +The discovering of sas port is driven by workqueue in libsas. When libsas +is processing port events or phy events in workqueue, new events may rise +up and change the state of some structures such as asd_sas_phy. This may +cause some problems such as follows: + +==>thread 1 ==>thread 2 + + ==>phy up + ==>phy_up_v3_hw() + ==>oob_mode = SATA_OOB_MODE; + ==>phy down quickly + ==>hisi_sas_phy_down() + ==>sas_ha->notify_phy_event() + ==>sas_phy_disconnected() + ==>oob_mode = OOB_NOT_CONNECTED +==>workqueue wakeup +==>sas_form_port() + ==>sas_discover_domain() + ==>sas_get_port_device() + ==>oob_mode is OOB_NOT_CONNECTED and device + is wrongly taken as expander + +This at last lead to the panic when libsas trying to issue a command to +discover the device. + +[183047.614035] Unable to handle kernel NULL pointer dereference at +virtual address 0000000000000058 +[183047.622896] Mem abort info: +[183047.625762] ESR = 0x96000004 +[183047.628893] Exception class = DABT (current EL), IL = 32 bits +[183047.634888] SET = 0, FnV = 0 +[183047.638015] EA = 0, S1PTW = 0 +[183047.641232] Data abort info: +[183047.644189] ISV = 0, ISS = 0x00000004 +[183047.648100] CM = 0, WnR = 0 +[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp = +00000000b7df67be +[183047.657834] [0000000000000058] pgd=0000000000000000 +[183047.662789] Internal error: Oops: 96000004 [#1] SMP +[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit = +0x00000000417c4974) +[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G +W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1 +[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10, +BIOS 0.15 10/22/2019 +[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain +[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO) +[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] +[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw] +[183047.717153] sp : ffff00000f28ba60 +[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228 +[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200 +[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0 +[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228 +[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200 +[183047.747464] x19: 0000000000f80800 x18: 0000000000000010 +[183047.752848] x17: 0000000000000000 x16: 0000000000000000 +[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005 +[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20 +[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870 +[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0 +[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f +[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0 +[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007 +[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000 +[183047.801307] Call trace: +[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] +[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main] +[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main] +[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main] +[183047.826757] smp_execute_task_sg+0xec/0x218 +[183047.831013] smp_execute_task+0x74/0xa0 +[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8 +[183047.839959] sas_discover_root_expander+0x90/0x160 +[183047.844822] sas_discover_domain+0x1b8/0x1e8 +[183047.849164] process_one_work+0x1b4/0x3f8 +[183047.853246] worker_thread+0x54/0x470 +[183047.856981] kthread+0x134/0x138 +[183047.860283] ret_from_fork+0x10/0x18 +[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800) +[183047.870097] kernel fault(0x1) notification starting on CPU 0 +[183047.875828] kernel fault(0x1) notification finished on CPU 0 +[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE) +hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE) +[183047.892418] ---[ end trace 4cc26083fc11b783 ]--- +[183047.897107] Kernel panic - not syncing: Fatal exception +[183047.902403] kernel fault(0x5) notification starting on CPU 0 +[183047.908134] kernel fault(0x5) notification finished on CPU 0 +[183047.913865] SMP: stopping secondary CPUs +[183047.917861] Kernel Offset: disabled +[183047.921422] CPU features: 0x2,a2a00a38 +[183047.925243] Memory Limit: none +[183047.928372] kernel reboot(0x2) notification starting on CPU 0 +[183047.934190] kernel reboot(0x2) notification finished on CPU 0 +[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception +]--- + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com +Reported-by: Gao Chuan +Reviewed-by: John Garry +Signed-off-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_discover.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index f47b4b281b14..d7302c2052f9 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -81,12 +81,21 @@ static int sas_get_port_device(struct asd_sas_port *port) + else + dev->dev_type = SAS_SATA_DEV; + dev->tproto = SAS_PROTOCOL_SATA; +- } else { ++ } else if (port->oob_mode == SAS_OOB_MODE) { + struct sas_identify_frame *id = + (struct sas_identify_frame *) dev->frame_rcvd; + dev->dev_type = id->dev_type; + dev->iproto = id->initiator_bits; + dev->tproto = id->target_bits; ++ } else { ++ /* If the oob mode is OOB_NOT_CONNECTED, the port is ++ * disconnected due to race with PHY down. We cannot ++ * continue to discover this port ++ */ ++ sas_put_device(dev); ++ pr_warn("Port %016llx is disconnected when discovering\n", ++ SAS_ADDR(port->attached_sas_addr)); ++ return -ENODEV; + } + + sas_init_dev(dev); +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch b/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch new file mode 100644 index 00000000000..6101acd2d03 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch @@ -0,0 +1,68 @@ +From 6e48d1865d9fac31ce1884d3da5ab9754fd6e0f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2019 03:22:46 +0000 +Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func + +From: Bo Wu + +[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ] + +When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf, +dd_data should be freed before return SLI_CONFIG_HANDLED. + +When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in +job_error tag. + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c +index 39a736b887b1..6c2b03415a2c 100644 +--- a/drivers/scsi/lpfc/lpfc_bsg.c ++++ b/drivers/scsi/lpfc/lpfc_bsg.c +@@ -4489,12 +4489,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + phba->mbox_ext_buf_ctx.seqNum++; + nemb_tp = phba->mbox_ext_buf_ctx.nembType; + +- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); +- if (!dd_data) { +- rc = -ENOMEM; +- goto job_error; +- } +- + pbuf = (uint8_t *)dmabuf->virt; + size = job->request_payload.payload_len; + sg_copy_to_buffer(job->request_payload.sg_list, +@@ -4531,6 +4525,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + "2968 SLI_CONFIG ext-buffer wr all %d " + "ebuffers received\n", + phba->mbox_ext_buf_ctx.numBuf); ++ ++ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); ++ if (!dd_data) { ++ rc = -ENOMEM; ++ goto job_error; ++ } ++ + /* mailbox command structure for base driver */ + pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!pmboxq) { +@@ -4579,6 +4580,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + return SLI_CONFIG_HANDLED; + + job_error: ++ if (pmboxq) ++ mempool_free(pmboxq, phba->mbox_mem_pool); + lpfc_bsg_dma_page_free(phba, dmabuf); + kfree(dd_data); + +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch b/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch new file mode 100644 index 00000000000..7cfca9b7f9d --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch @@ -0,0 +1,57 @@ +From 499d1e71c6d2d9f95d0f51d49cd5ec9273d636c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:58 +0300 +Subject: scsi: qla2xxx: Configure local loop for N2N target + +From: Roman Bolshakov + +[ Upstream commit fd1de5830a5abaf444cc4312871e02c41e24fdc1 ] + +qla2x00_configure_local_loop initializes PLOGI payload for PLOGI ELS using +Get Parameters mailbox command. + +In the case when the driver is running in target mode, the topology is N2N +and the target port has higher WWPN, LOCAL_LOOP_UPDATE bit is cleared too +early and PLOGI payload is not initialized by the Get Parameters +command. That causes a failure of ELS IOCB carrying the PLOGI with 0x15 aka +Data Underrun error. + +LOCAL_LOOP_UPDATE has to be set to initialize PLOGI payload. + +Fixes: 48acad099074 ("scsi: qla2xxx: Fix N2N link re-connect") +Link: https://lore.kernel.org/r/20191125165702.1013-10-r.bolshakov@yadro.com +Acked-by: Quinn Tran +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 5d31e3d52b6b..4e424f1ce5de 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4927,14 +4927,8 @@ qla2x00_configure_loop(scsi_qla_host_t *vha) + set_bit(RSCN_UPDATE, &flags); + clear_bit(LOCAL_LOOP_UPDATE, &flags); + +- } else if (ha->current_topology == ISP_CFG_N) { +- clear_bit(RSCN_UPDATE, &flags); +- if (qla_tgt_mode_enabled(vha)) { +- /* allow the other side to start the login */ +- clear_bit(LOCAL_LOOP_UPDATE, &flags); +- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); +- } +- } else if (ha->current_topology == ISP_CFG_NL) { ++ } else if (ha->current_topology == ISP_CFG_NL || ++ ha->current_topology == ISP_CFG_N) { + clear_bit(RSCN_UPDATE, &flags); + set_bit(LOCAL_LOOP_UPDATE, &flags); + } else if (!vha->flags.online || +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch b/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch new file mode 100644 index 00000000000..7eb8cb3ffb3 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch @@ -0,0 +1,51 @@ +From 364b7132a082d3966a552911271d653eab6ea631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:56 +0300 +Subject: scsi: qla2xxx: Don't call qlt_async_event twice + +From: Roman Bolshakov + +[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ] + +MBA_PORT_UPDATE generates duplicate log lines in target mode because +qlt_async_event is called twice. Drop the calls within the case as the +function will be called right after the switch statement. + +Cc: Quinn Tran +Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Acked-by: Himanshu Madhani +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 9204e8467a4e..b3766b1879e3 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1061,8 +1061,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) + ql_dbg(ql_dbg_async, vha, 0x5011, + "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n", + mb[1], mb[2], mb[3]); +- +- qlt_async_event(mb[0], vha, mb); + break; + } + +@@ -1079,8 +1077,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) + set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags); + set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags); + set_bit(VP_CONFIG_OK, &vha->vp_flags); +- +- qlt_async_event(mb[0], vha, mb); + break; + + case MBA_RSCN_UPDATE: /* State Change Registration */ +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch b/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch new file mode 100644 index 00000000000..e2df8d305a8 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch @@ -0,0 +1,44 @@ +From 5609464b245d1ff9a87c989e382b0cc3ce6d78fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:57:00 +0300 +Subject: scsi: qla2xxx: Don't defer relogin unconditonally + +From: Roman Bolshakov + +[ Upstream commit dabc5ec915f3a2c657ecfb529cd3d4ec303a4412 ] + +qla2x00_configure_local_loop sets RELOGIN_NEEDED bit and calls +qla24xx_fcport_handle_login to perform the login. This bit triggers a wake +up of DPC later after a successful login. + +The deferred call is not needed if login succeeds, and it's set in +qla24xx_fcport_handle_login in case of errors, hence it should be safe to +drop. + +Link: https://lore.kernel.org/r/20191125165702.1013-12-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Acked-by: Quinn Tran +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 4e424f1ce5de..80f276d67c14 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5045,7 +5045,6 @@ qla2x00_configure_local_loop(scsi_qla_host_t *vha) + memcpy(&ha->plogi_els_payld.data, + (void *)ha->init_cb, + sizeof(ha->plogi_els_payld.data)); +- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); + } else { + ql_dbg(ql_dbg_init, vha, 0x00d1, + "PLOGI ELS param read fail.\n"); +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch b/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch new file mode 100644 index 00000000000..77d01af2cc6 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch @@ -0,0 +1,42 @@ +From b92ed4330b03478d54553db2cbe4ca4e6b6d631b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:53 +0300 +Subject: scsi: qla2xxx: Drop superfluous INIT_WORK of del_work + +From: Roman Bolshakov + +[ Upstream commit 600954e6f2df695434887dfc6a99a098859990cf ] + +del_work is already initialized inside qla2x00_alloc_fcport, there's no +need to overwrite it. Indeed, it might prevent complete traversal of +workqueue list. + +Fixes: a01c77d2cbc45 ("scsi: qla2xxx: Move session delete to driver work queue") +Cc: Quinn Tran +Link: https://lore.kernel.org/r/20191125165702.1013-5-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Reviewed-by: Bart Van Assche +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 950764ed4ab2..18522ac79d9e 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1265,7 +1265,6 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess) + "Scheduling sess %p for deletion %8phC\n", + sess, sess->port_name); + +- INIT_WORK(&sess->del_work, qla24xx_delete_sess_fn); + WARN_ON(!queue_work(sess->vha->hw->wq, &sess->del_work)); + } + +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch b/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch new file mode 100644 index 00000000000..17036ba9b6c --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch @@ -0,0 +1,52 @@ +From d29549c60d304dc7a737b743ccb23a9fee93b382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:57 +0300 +Subject: scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length + +From: Roman Bolshakov + +[ Upstream commit 0334cdea1fba36fad8bdf9516f267ce01de625f7 ] + +The size of the buffer is hardcoded as 0x70 or 112 bytes, while the size of +ELS IOCB is 0x40 and the size of PLOGI payload returned by Get Parameters +command is 0x74. + +Cc: Quinn Tran +Link: https://lore.kernel.org/r/20191125165702.1013-9-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_iocb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index 44dc97cebb06..bdf1994251b9 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2684,7 +2684,8 @@ qla24xx_els_logo_iocb(srb_t *sp, struct els_entry_24xx *els_iocb) + ql_dbg(ql_dbg_io + ql_dbg_buffer, vha, 0x3073, + "PLOGI ELS IOCB:\n"); + ql_dump_buffer(ql_log_info, vha, 0x0109, +- (uint8_t *)els_iocb, 0x70); ++ (uint8_t *)els_iocb, ++ sizeof(*els_iocb)); + } else { + els_iocb->control_flags = 1 << 13; + els_iocb->tx_byte_count = +@@ -2850,7 +2851,8 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode, + + ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3073, "PLOGI buffer:\n"); + ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x0109, +- (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, 0x70); ++ (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, ++ sizeof(*elsio->u.els_plogi.els_plogi_pyld)); + + rval = qla2x00_start_sp(sp); + if (rval != QLA_SUCCESS) { +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch new file mode 100644 index 00000000000..233897d1f82 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch @@ -0,0 +1,59 @@ +From d79f5c320ad1fe4c1adb3db39b99cd0a171577e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:57:01 +0300 +Subject: scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI + +From: Roman Bolshakov + +[ Upstream commit af22f0c7b052c5c203207f1e5ebd6aa65f87c538 ] + +PORT UPDATE asynchronous event is generated on the host that issues PLOGI +ELS (in the case of higher WWPN). In that case, the event shouldn't be +handled as it sets unwanted DPC flags (i.e. LOOP_RESYNC_NEEDED) that +trigger link flap. + +Ignore the event if the host has higher WWPN, but handle otherwise. + +Cc: Quinn Tran +Link: https://lore.kernel.org/r/20191125165702.1013-13-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_mbx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index 4d90cf101f5f..eac76e934cbe 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -3920,6 +3920,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, + vha->d_id.b24 = 0; + vha->d_id.b.al_pa = 1; + ha->flags.n2n_bigger = 1; ++ ha->flags.n2n_ae = 0; + + id.b.al_pa = 2; + ql_dbg(ql_dbg_async, vha, 0x5075, +@@ -3930,6 +3931,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, + "Format 1: Remote login - Waiting for WWPN %8phC.\n", + rptid_entry->u.f1.port_name); + ha->flags.n2n_bigger = 0; ++ ha->flags.n2n_ae = 1; + } + qla24xx_post_newsess_work(vha, &id, + rptid_entry->u.f1.port_name, +@@ -3941,7 +3943,6 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, + /* if our portname is higher then initiate N2N login */ + + set_bit(N2N_LOGIN_NEEDED, &vha->dpc_flags); +- ha->flags.n2n_ae = 1; + return; + break; + case TOPO_FL: +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch new file mode 100644 index 00000000000..47907276f9a --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch @@ -0,0 +1,46 @@ +From fd17f1ce79d49f6ef3ab0719f092f9e7ebade978 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:59 +0300 +Subject: scsi: qla2xxx: Send Notify ACK after N2N PLOGI + +From: Roman Bolshakov + +[ Upstream commit 5e6b01d84b9d20bcd77fc7c4733a2a4149bf220a ] + +qlt_handle_login schedules session for deletion even if a login is in +progress. That causes login bouncing, i.e. a few logins are made before it +settles down. + +Complete the first login by sending Notify Acknowledge IOCB via +qlt_plogi_ack_unref if the session is pending login completion. + +Fixes: 9cd883f07a54 ("scsi: qla2xxx: Fix session cleanup for N2N") +Cc: Krishna Kant +Cc: Alexei Potashnik +Link: https://lore.kernel.org/r/20191125165702.1013-11-r.bolshakov@yadro.com +Acked-by: Quinn Tran +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 18522ac79d9e..74a378a91b71 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -4803,6 +4803,7 @@ static int qlt_handle_login(struct scsi_qla_host *vha, + + switch (sess->disc_state) { + case DSC_DELETED: ++ case DSC_LOGIN_PEND: + qlt_plogi_ack_unref(vha, pla); + break; + +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch b/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch new file mode 100644 index 00000000000..cad996b62cd --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch @@ -0,0 +1,99 @@ +From 529450d1215bc320c7265fc98a7b22cb91884dc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:51 +0300 +Subject: scsi: qla2xxx: Use explicit LOGO in target mode + +From: Quinn Tran + +[ Upstream commit 86196a8fa8a84af1395a28ea0548f2ce6ae9bc22 ] + +Target makes implicit LOGO on session teardown. LOGO ELS is not send on the +wire and initiator is not aware that target no longer wants talking to +it. Initiator keeps sending I/O requests, target responds with BA_RJT, they +time out and then initiator sends ABORT TASK (ABTS-LS). + +Current behaviour incurs unneeded I/O timeout and can be fixed for some +initiators by making explicit LOGO on session deletion. + +Link: https://lore.kernel.org/r/20191125165702.1013-3-r.bolshakov@yadro.com +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_def.h | 1 + + drivers/scsi/qla2xxx/qla_iocb.c | 16 ++++++++++++---- + drivers/scsi/qla2xxx/qla_target.c | 1 + + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 1 + + 4 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h +index d5386edddaf6..1eb3fe281cc3 100644 +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -2401,6 +2401,7 @@ typedef struct fc_port { + unsigned int id_changed:1; + unsigned int scan_needed:1; + unsigned int n2n_flag:1; ++ unsigned int explicit_logout:1; + + struct completion nvme_del_done; + uint32_t nvme_prli_service_param; +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index 518eb954cf42..44dc97cebb06 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2405,11 +2405,19 @@ qla2x00_login_iocb(srb_t *sp, struct mbx_entry *mbx) + static void + qla24xx_logout_iocb(srb_t *sp, struct logio_entry_24xx *logio) + { ++ u16 control_flags = LCF_COMMAND_LOGO; + logio->entry_type = LOGINOUT_PORT_IOCB_TYPE; +- logio->control_flags = +- cpu_to_le16(LCF_COMMAND_LOGO|LCF_IMPL_LOGO); +- if (!sp->fcport->keep_nport_handle) +- logio->control_flags |= cpu_to_le16(LCF_FREE_NPORT); ++ ++ if (sp->fcport->explicit_logout) { ++ control_flags |= LCF_EXPL_LOGO|LCF_FREE_NPORT; ++ } else { ++ control_flags |= LCF_IMPL_LOGO; ++ ++ if (!sp->fcport->keep_nport_handle) ++ control_flags |= LCF_FREE_NPORT; ++ } ++ ++ logio->control_flags = cpu_to_le16(control_flags); + logio->nport_handle = cpu_to_le16(sp->fcport->loop_id); + logio->port_id[0] = sp->fcport->d_id.b.al_pa; + logio->port_id[1] = sp->fcport->d_id.b.area; +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index a9bd0f513316..950764ed4ab2 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1104,6 +1104,7 @@ void qlt_free_session_done(struct work_struct *work) + } + } + ++ sess->explicit_logout = 0; + spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + sess->free_pending = 0; + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index bab2073c1f72..abe7f79bb789 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -350,6 +350,7 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess) + target_sess_cmd_list_set_waiting(se_sess); + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + ++ sess->explicit_logout = 1; + tcm_qla2xxx_put_sess(sess); + } + +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..fa9f3202df1 --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,65 @@ +drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch +nvme_fc-add-module-to-ops-template-to-allow-module-r.patch +nvme-fc-fix-double-free-scenarios-on-hw-queues.patch +drm-amdgpu-add-check-before-enabling-disabling-broad.patch +drm-amdgpu-add-header-line-for-power-profile-on-arct.patch +drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch +drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch +drm-amd-display-fixed-kernel-panic-when-booting-with.patch +drm-amd-display-change-the-delay-time-before-enablin.patch +drm-amd-display-reset-steer-fifo-before-unblanking-t.patch +drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch +nvme-pci-fix-write-and-poll-queue-types.patch +nvme-pci-fix-read-queue-count.patch +iio-st_accel-fix-unused-variable-warning.patch +iio-adc-max9611-fix-too-short-conversion-time-delay.patch +pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch +pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch +pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch +afs-fix-afs_find_server-lookups-for-ipv4-peers.patch +afs-fix-selinux-setting-security-label-on-afs.patch +rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch +rxe-correctly-calculate-icrc-for-unaligned-payloads.patch +scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch +scsi-qla2xxx-use-explicit-logo-in-target-mode.patch +scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch +scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch +scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch +scsi-qla2xxx-configure-local-loop-for-n2n-target.patch +scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch +scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch +scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch +scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch +scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch +scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch +staging-wlan-ng-add-crc32-dependency-in-kconfig.patch +drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch +drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch +drm-nouveau-kms-nv50-fix-panel-scaling.patch +usb-gadget-fix-wrong-endpoint-desc.patch +net-make-socket-read-write_iter-honor-iocb_nowait.patch +afs-fix-mountpoint-parsing.patch +afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch +raid5-need-to-set-stripe_handle-for-batch-head.patch +md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch +s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch +s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch +rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch +ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch +ib-mlx5-fix-steering-rule-of-drop-and-count.patch +xen-blkback-prevent-premature-module-unload.patch +xen-balloon-fix-ballooned-page-accounting-without-ho.patch +pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch +alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch +alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch +pci-add-a-helper-to-check-power-resource-requirement.patch +alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch +pci-fix-missing-inline-for-pci_pr3_present.patch +alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch +tcp-fix-data-race-in-tcp_recvmsg.patch +shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch +taskstats-fix-data-race.patch +alsa-hda-downgrade-error-message-for-single-cmd-fall.patch +netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch +block-add-bio_truncate-to-fix-guard_bio_eod.patch +mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch new file mode 100644 index 00000000000..fd3064e0f7c --- /dev/null +++ b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch @@ -0,0 +1,92 @@ +From d8479c600bd9d90e9c6b3be1ea4a7efb77008bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:50:26 -0800 +Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped + +From: Kirill A. Shutemov + +[ Upstream commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 ] + +syzbot found the following crash: + + BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 + Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 + + CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 + trace_lock_acquire include/trace/events/lock.h:13 [inline] + lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 + __do_fault+0x111/0x540 mm/memory.c:3083 + do_shared_fault mm/memory.c:3535 [inline] + do_fault mm/memory.c:3613 [inline] + handle_pte_fault mm/memory.c:3840 [inline] + __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 + handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 + do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] + __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 + do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 + page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 + +It happens if the VMA got unmapped under us while we dropped mmap_sem +and inode got freed. + +Pinning the file if we drop mmap_sem fixes the issue. + +Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box +Signed-off-by: Kirill A. Shutemov +Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com +Acked-by: Johannes Weiner +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Hillf Danton +Cc: Hugh Dickins +Cc: Josef Bacik +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index 7a22e3e03d11..6074714fdbd4 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf) + shmem_falloc->waitq && + vmf->pgoff >= shmem_falloc->start && + vmf->pgoff < shmem_falloc->next) { ++ struct file *fpin; + wait_queue_head_t *shmem_falloc_waitq; + DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); + + ret = VM_FAULT_NOPAGE; +- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && +- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { +- /* It's polite to up mmap_sem if we can */ +- up_read(&vma->vm_mm->mmap_sem); ++ fpin = maybe_unlock_mmap_for_io(vmf, NULL); ++ if (fpin) + ret = VM_FAULT_RETRY; +- } + + shmem_falloc_waitq = shmem_falloc->waitq; + prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, +@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf) + spin_lock(&inode->i_lock); + finish_wait(shmem_falloc_waitq, &shmem_fault_wait); + spin_unlock(&inode->i_lock); ++ ++ if (fpin) ++ fput(fpin); + return ret; + } + spin_unlock(&inode->i_lock); +-- +2.20.1 + diff --git a/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch b/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch new file mode 100644 index 00000000000..a3f824fa8e9 --- /dev/null +++ b/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch @@ -0,0 +1,37 @@ +From 55659882e56c1bd09630e46ab12d2b96b7a2e362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 12:24:57 +0100 +Subject: staging/wlan-ng: add CRC32 dependency in Kconfig + +From: Kay Friedrich + +[ Upstream commit 2740bd3351cd5a4351f458aabaa1c9b77de3867b ] + +wlan-ng uses the function crc32_le, +but CRC32 wasn't a dependency of wlan-ng + +Co-developed-by: Michael Kupfer +Signed-off-by: Michael Kupfer +Signed-off-by: Kay Friedrich +Link: https://lore.kernel.org/r/20191127112457.2301-1-kay.friedrich@fau.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wlan-ng/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/wlan-ng/Kconfig b/drivers/staging/wlan-ng/Kconfig +index ac136663fa8e..082c16a31616 100644 +--- a/drivers/staging/wlan-ng/Kconfig ++++ b/drivers/staging/wlan-ng/Kconfig +@@ -4,6 +4,7 @@ config PRISM2_USB + depends on WLAN && USB && CFG80211 + select WIRELESS_EXT + select WEXT_PRIV ++ select CRC32 + help + This is the wlan-ng prism 2.5/3 USB driver for a wide range of + old USB wireless devices. +-- +2.20.1 + diff --git a/queue-5.4/taskstats-fix-data-race.patch b/queue-5.4/taskstats-fix-data-race.patch new file mode 100644 index 00000000000..12f8b4fedf7 --- /dev/null +++ b/queue-5.4/taskstats-fix-data-race.patch @@ -0,0 +1,105 @@ +From de3ec09c062c6590f64d982858811ea33f46cee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 13:48:09 +0200 +Subject: taskstats: fix data-race + +From: Christian Brauner + +[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ] + +When assiging and testing taskstats in taskstats_exit() there's a race +when setting up and reading sig->stats when a thread-group with more +than one thread exits: + +write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0: + taskstats_tgid_alloc kernel/taskstats.c:567 [inline] + taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + get_signal+0x2a2/0x1320 kernel/signal.c:2734 + do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815 + exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159 + prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] + syscall_return_slowpath arch/x86/entry/common.c:274 [inline] + do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1: + taskstats_tgid_alloc kernel/taskstats.c:559 [inline] + taskstats_exit+0xb2/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + __do_sys_exit_group kernel/exit.c:994 [inline] + __se_sys_exit_group kernel/exit.c:992 [inline] + __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992 + do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fix this by using smp_load_acquire() and smp_store_release(). + +Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com +Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Acked-by: Marco Elver +Reviewed-by: Will Deacon +Reviewed-by: Andrea Parri +Reviewed-by: Dmitry Vyukov +Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com +Signed-off-by: Sasha Levin +--- + kernel/taskstats.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/kernel/taskstats.c b/kernel/taskstats.c +index 13a0f2e6ebc2..e2ac0e37c4ae 100644 +--- a/kernel/taskstats.c ++++ b/kernel/taskstats.c +@@ -554,25 +554,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) + static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) + { + struct signal_struct *sig = tsk->signal; +- struct taskstats *stats; ++ struct taskstats *stats_new, *stats; + +- if (sig->stats || thread_group_empty(tsk)) +- goto ret; ++ /* Pairs with smp_store_release() below. */ ++ stats = smp_load_acquire(&sig->stats); ++ if (stats || thread_group_empty(tsk)) ++ return stats; + + /* No problem if kmem_cache_zalloc() fails */ +- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); ++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); + + spin_lock_irq(&tsk->sighand->siglock); +- if (!sig->stats) { +- sig->stats = stats; +- stats = NULL; ++ stats = sig->stats; ++ if (!stats) { ++ /* ++ * Pairs with smp_store_release() above and order the ++ * kmem_cache_zalloc(). ++ */ ++ smp_store_release(&sig->stats, stats_new); ++ stats = stats_new; ++ stats_new = NULL; + } + spin_unlock_irq(&tsk->sighand->siglock); + +- if (stats) +- kmem_cache_free(taskstats_cache, stats); +-ret: +- return sig->stats; ++ if (stats_new) ++ kmem_cache_free(taskstats_cache, stats_new); ++ ++ return stats; + } + + /* Send pid data out on exit */ +-- +2.20.1 + diff --git a/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch b/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch new file mode 100644 index 00000000000..1b0585197e4 --- /dev/null +++ b/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch @@ -0,0 +1,125 @@ +From 8b940885dc2e215d48cf88fd75564effa6958556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 12:59:33 -0800 +Subject: tcp: fix data-race in tcp_recvmsg() + +From: Eric Dumazet + +[ Upstream commit a5a7daa52edb5197a3b696afee13ef174dc2e993 ] + +Reading tp->recvmsg_inq after socket lock is released +raises a KCSAN warning [1] + +Replace has_tss & has_cmsg by cmsg_flags and make +sure to not read tp->recvmsg_inq a second time. + +[1] +BUG: KCSAN: data-race in tcp_chrono_stop / tcp_recvmsg + +write to 0xffff888126adef24 of 2 bytes by interrupt on cpu 0: + tcp_chrono_set net/ipv4/tcp_output.c:2309 [inline] + tcp_chrono_stop+0x14c/0x280 net/ipv4/tcp_output.c:2338 + tcp_clean_rtx_queue net/ipv4/tcp_input.c:3165 [inline] + tcp_ack+0x274f/0x3170 net/ipv4/tcp_input.c:3688 + tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696 + tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561 + tcp_v4_rcv+0x19dc/0x1bb0 net/ipv4/tcp_ipv4.c:1942 + ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 + ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:442 [inline] + ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5214 + napi_skb_finish net/core/dev.c:5677 [inline] + napi_gro_receive+0x28f/0x330 net/core/dev.c:5710 + +read to 0xffff888126adef25 of 1 bytes by task 7275 on cpu 1: + tcp_recvmsg+0x77b/0x1a30 net/ipv4/tcp.c:2187 + inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 + sock_recvmsg_nosec net/socket.c:871 [inline] + sock_recvmsg net/socket.c:889 [inline] + sock_recvmsg+0x92/0xb0 net/socket.c:885 + sock_read_iter+0x15f/0x1e0 net/socket.c:967 + call_read_iter include/linux/fs.h:1889 [inline] + new_sync_read+0x389/0x4f0 fs/read_write.c:414 + __vfs_read+0xb1/0xc0 fs/read_write.c:427 + vfs_read fs/read_write.c:461 [inline] + vfs_read+0x143/0x2c0 fs/read_write.c:446 + ksys_read+0xd5/0x1b0 fs/read_write.c:587 + __do_sys_read fs/read_write.c:597 [inline] + __se_sys_read fs/read_write.c:595 [inline] + __x64_sys_read+0x4c/0x60 fs/read_write.c:595 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 7275 Comm: sshd Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: b75eba76d3d7 ("tcp: send in-queue bytes in cmsg upon read") +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index d8876f0e9672..e537a4b6531b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1958,8 +1958,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, + struct sk_buff *skb, *last; + u32 urg_hole = 0; + struct scm_timestamping_internal tss; +- bool has_tss = false; +- bool has_cmsg; ++ int cmsg_flags; + + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); +@@ -1974,7 +1973,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, + if (sk->sk_state == TCP_LISTEN) + goto out; + +- has_cmsg = tp->recvmsg_inq; ++ cmsg_flags = tp->recvmsg_inq ? 1 : 0; + timeo = sock_rcvtimeo(sk, nonblock); + + /* Urgent data needs to be handled specially. */ +@@ -2157,8 +2156,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, + + if (TCP_SKB_CB(skb)->has_rxtstamp) { + tcp_update_recv_tstamps(skb, &tss); +- has_tss = true; +- has_cmsg = true; ++ cmsg_flags |= 2; + } + if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) + goto found_fin_ok; +@@ -2183,10 +2181,10 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, + + release_sock(sk); + +- if (has_cmsg) { +- if (has_tss) ++ if (cmsg_flags) { ++ if (cmsg_flags & 2) + tcp_recv_timestamp(msg, sk, &tss); +- if (tp->recvmsg_inq) { ++ if (cmsg_flags & 1) { + inq = tcp_inq_hint(sk); + put_cmsg(msg, SOL_TCP, TCP_CM_INQ, sizeof(inq), &inq); + } +-- +2.20.1 + diff --git a/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch b/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch new file mode 100644 index 00000000000..a493139a960 --- /dev/null +++ b/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch @@ -0,0 +1,61 @@ +From 5fc5f339c8e4c4c80a63130e99e3f6cd42ad980d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 23:34:56 -0800 +Subject: usb: gadget: fix wrong endpoint desc + +From: EJ Hsu + +[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ] + +Gadget driver should always use config_ep_by_speed() to initialize +usb_ep struct according to usb device's operating speed. Otherwise, +usb_ep struct may be wrong if usb devcie's operating speed is changed. + +The key point in this patch is that we want to make sure the desc pointer +in usb_ep struct will be set to NULL when gadget is disconnected. +This will force it to call config_ep_by_speed() to correctly initialize +usb_ep struct based on the new operating speed when gadget is +re-connected later. + +Reviewed-by: Peter Chen +Signed-off-by: EJ Hsu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ecm.c | 6 +++++- + drivers/usb/gadget/function/f_rndis.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c +index 6ce044008cf6..460d5d7c984f 100644 +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -621,8 +621,12 @@ static void ecm_disable(struct usb_function *f) + + DBG(cdev, "ecm deactivated\n"); + +- if (ecm->port.in_ep->enabled) ++ if (ecm->port.in_ep->enabled) { + gether_disconnect(&ecm->port); ++ } else { ++ ecm->port.in_ep->desc = NULL; ++ ecm->port.out_ep->desc = NULL; ++ } + + usb_ep_disable(ecm->notify); + ecm->notify->desc = NULL; +diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c +index d48df36622b7..0d8e4a364ca6 100644 +--- a/drivers/usb/gadget/function/f_rndis.c ++++ b/drivers/usb/gadget/function/f_rndis.c +@@ -618,6 +618,7 @@ static void rndis_disable(struct usb_function *f) + gether_disconnect(&rndis->port); + + usb_ep_disable(rndis->notify); ++ rndis->notify->desc = NULL; + } + + /*-------------------------------------------------------------------------*/ +-- +2.20.1 + diff --git a/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch b/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch new file mode 100644 index 00000000000..ae4854d3bd5 --- /dev/null +++ b/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch @@ -0,0 +1,43 @@ +From 46a2f91b47eea1c78037cc128c7dcb63dc484d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 15:17:50 +0100 +Subject: xen/balloon: fix ballooned page accounting without hotplug enabled + +From: Juergen Gross + +[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ] + +When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined +reserve_additional_memory() will set balloon_stats.target_pages to a +wrong value in case there are still some ballooned pages allocated via +alloc_xenballooned_pages(). + +This will result in balloon_process() no longer be triggered when +ballooned pages are freed in batches. + +Reported-by: Nicholas Tsirakis +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 5bae515c8e25..bed90d612e48 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -395,7 +395,8 @@ static struct notifier_block xen_memory_nb = { + #else + static enum bp_state reserve_additional_memory(void) + { +- balloon_stats.target_pages = balloon_stats.current_pages; ++ balloon_stats.target_pages = balloon_stats.current_pages + ++ balloon_stats.target_unpopulated; + return BP_ECANCELED; + } + #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */ +-- +2.20.1 + diff --git a/queue-5.4/xen-blkback-prevent-premature-module-unload.patch b/queue-5.4/xen-blkback-prevent-premature-module-unload.patch new file mode 100644 index 00000000000..8f975cb71e0 --- /dev/null +++ b/queue-5.4/xen-blkback-prevent-premature-module-unload.patch @@ -0,0 +1,59 @@ +From 87c20c9326573a825505e45920bb2f6b09aae360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 14:53:05 +0000 +Subject: xen-blkback: prevent premature module unload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Durrant + +[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ] + +Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem +cache. This cache is destoyed when xen-blkif is unloaded so it is +necessary to wait for the deferred free routine used for such objects to +complete. This necessity was missed in commit 14855954f636 "xen-blkback: +allow module to be cleanly unloaded". This patch fixes the problem by +taking/releasing extra module references in xen_blkif_alloc/free() +respectively. + +Signed-off-by: Paul Durrant +Reviewed-by: Roger Pau Monné +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/block/xen-blkback/xenbus.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c +index b90dbcd99c03..c4cd68116e7f 100644 +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -171,6 +171,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid) + blkif->domid = domid; + atomic_set(&blkif->refcnt, 1); + init_completion(&blkif->drain_complete); ++ ++ /* ++ * Because freeing back to the cache may be deferred, it is not ++ * safe to unload the module (and hence destroy the cache) until ++ * this has completed. To prevent premature unloading, take an ++ * extra module reference here and release only when the object ++ * has been freed back to the cache. ++ */ ++ __module_get(THIS_MODULE); + INIT_WORK(&blkif->free_work, xen_blkif_deferred_free); + + return blkif; +@@ -320,6 +329,7 @@ static void xen_blkif_free(struct xen_blkif *blkif) + + /* Make sure everything is drained before shutting down */ + kmem_cache_free(xen_blkif_cachep, blkif); ++ module_put(THIS_MODULE); + } + + int __init xen_blkif_interface_init(void) +-- +2.20.1 +