From: Sasha Levin
Date: Mon, 24 Aug 2020 01:33:39 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.4.234~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be2b4a1533ced334a5c5a958c9c0690049ccc099;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/afs-fix-null-deref-in-afs_dynroot_depopulate.patch b/queue-4.19/afs-fix-null-deref-in-afs_dynroot_depopulate.patch
new file mode 100644
index 00000000000..4524ba5e0cc
--- /dev/null
+++ b/queue-4.19/afs-fix-null-deref-in-afs_dynroot_depopulate.patch
@@ -0,0 +1,88 @@ +From 3f9b81f2ff448c6384b972fd60d985be901f5d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 10:15:12 +0100 +Subject: afs: Fix NULL deref in afs_dynroot_depopulate() + +From: David Howells + +[ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ] + +If an error occurs during the construction of an afs superblock, it's +possible that an error occurs after a superblock is created, but before +we've created the root dentry. If the superblock has a dynamic root +(ie. what's normally mounted on /afs), the afs_kill_super() will call +afs_dynroot_depopulate() to unpin any created dentries - but this will +oops if the root hasn't been created yet. + +Fix this by skipping that bit of code if there is no root dentry. + +This leads to an oops looking like: + + general protection fault, ... + KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] + ... + RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385 + ... + Call Trace: + afs_kill_super+0x13b/0x180 fs/afs/super.c:535 + deactivate_locked_super+0x94/0x160 fs/super.c:335 + afs_get_tree+0x1124/0x1460 fs/afs/super.c:598 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2875 [inline] + path_mount+0x1387/0x2070 fs/namespace.c:3192 + do_mount fs/namespace.c:3205 [inline] + __do_sys_mount fs/namespace.c:3413 [inline] + __se_sys_mount fs/namespace.c:3390 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +which is oopsing on this line: + + inode_lock(root->d_inode); + +presumably because sb->s_root was NULL. 
+ +Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount") +Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 069273a2483f9..fc6c42eeb659c 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -299,15 +299,17 @@ void afs_dynroot_depopulate(struct super_block *sb) + net->dynroot_sb = NULL; + mutex_unlock(&net->proc_cells_lock); + +- inode_lock(root->d_inode); +- +- /* Remove all the pins for dirs created for manually added cells */ +- list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { +- if (subdir->d_fsdata) { +- subdir->d_fsdata = NULL; +- dput(subdir); ++ if (root) { ++ inode_lock(root->d_inode); ++ ++ /* Remove all the pins for dirs created for manually added cells */ ++ list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { ++ if (subdir->d_fsdata) { ++ subdir->d_fsdata = NULL; ++ dput(subdir); ++ } + } +- } + +- inode_unlock(root->d_inode); ++ inode_unlock(root->d_inode); ++ } + } +-- +2.25.1 + diff --git a/queue-4.19/asoc-intel-fix-memleak-in-sst_media_open.patch b/queue-4.19/asoc-intel-fix-memleak-in-sst_media_open.patch new file mode 100644 index 00000000000..12b3cb299cd --- /dev/null +++ b/queue-4.19/asoc-intel-fix-memleak-in-sst_media_open.patch 
@@ -0,0 +1,50 @@
+From ff3dfc90707eb6d3778877232e45e8c8fe1ab1a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 16:41:10 +0800
+Subject: ASoC: intel: Fix memleak in sst_media_open
+
+From: Dinghao Liu
+
+[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
+
+When power_up_sst() fails, stream needs to be freed
+just like when try_module_get() fails. However, current
+code is returning directly and ends up leaking memory.
+
+Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
+Signed-off-by: Dinghao Liu
+Acked-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 6868e71e3a3f0..0572c3c964506 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -339,7 +339,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+
+ ret_val = power_up_sst(stream);
+ if (ret_val < 0)
+- return ret_val;
++ goto out_power_up;
+
+ /* Make sure, that the period size is always even */
+ snd_pcm_hw_constraint_step(substream->runtime, 0,
+@@ -348,8 +348,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+ return snd_pcm_hw_constraint_integer(runtime,
+ SNDRV_PCM_HW_PARAM_PERIODS);
+ out_ops:
+- kfree(stream);
+ mutex_unlock(&sst_lock);
++out_power_up:
++ kfree(stream);
+ return ret_val;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch b/queue-4.19/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
new file mode 100644
index 00000000000..26557cbbaa2
--- /dev/null
+++ b/queue-4.19/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
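Review bot: In sst_media_open(), the new `out_power_up` path frees `stream`, but nothing visible in these hunks releases the module reference that, per the commit message, try_module_get() takes earlier in the function. If that reference is still held when power_up_sst() fails, every failed open would leave the owning module's refcount raised; a `module_put()` on the same owner before `kfree(stream)` on this path would balance it. The acquisition, and any earlier store of `stream` into runtime state that would now point at freed memory, sit outside the hunk, so both need checking against the full function.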
@@ -0,0 +1,42 @@
+From 339acebe5acb7113706dfbecc04d00e67d86b3d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 11:34:52 +0100
+Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
+
+From: Srinivas Kandagatla
+
+[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
+
+For some reason interrupt set and clear register offsets are
+not set correctly.
+This patch corrects them!
+
+Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
+Signed-off-by: Srinivas Kandagatla
+Tested-by: Stephan Gerhold
+Reviewed-by: Stephan Gerhold
+Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
+index cbdb6d4bb91ef..f4aba065c9257 100644
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -16,8 +16,8 @@
+
+ #define CDC_D_REVISION1 (0xf000)
+ #define CDC_D_PERPH_SUBTYPE (0xf005)
+-#define CDC_D_INT_EN_SET (0x015)
+-#define CDC_D_INT_EN_CLR (0x016)
++#define CDC_D_INT_EN_SET (0xf015)
++#define CDC_D_INT_EN_CLR (0xf016)
+ #define MBHC_SWITCH_INT BIT(7)
+ #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
+ #define MBHC_BUTTON_PRESS_DET BIT(5)
+--
+2.25.1
+
diff --git a/queue-4.19/asoc-q6routing-add-dummy-register-read-write-functio.patch b/queue-4.19/asoc-q6routing-add-dummy-register-read-write-functio.patch
new file mode 100644
index 00000000000..dd470b91b1e
--- /dev/null
+++ b/queue-4.19/asoc-q6routing-add-dummy-register-read-write-functio.patch
@@ -0,0 +1,68 @@ +From 6230a2a377a9cc817ccabc7ceea7c107b6f2cafd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 13:02:05 +0100 +Subject: ASoC: q6routing: add dummy register read/write function + +From: Srinivas Kandagatla + +[ Upstream commit 796a58fe2b8c9b6668db00d92512ec84be663027 ] + +Most of the DAPM widgets for DSP ASoC components reuse reg field +of the widgets for its internal calculations, however these are not +real registers. So read/writes to these numbers are not really +valid. However ASoC core will read these registers to get default +state during startup. + +With recent changes to ASoC core, every register read/write +failures are reported very verbosely. Prior to this fails to reads +are totally ignored, so we never saw any error messages. + +To fix this add dummy read/write function to return default value. + +Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6routing.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c +index c6b51571be945..44eee18c658ae 100644 +--- a/sound/soc/qcom/qdsp6/q6routing.c ++++ b/sound/soc/qcom/qdsp6/q6routing.c +@@ -968,6 +968,20 @@ static int msm_routing_probe(struct snd_soc_component *c) + return 0; + } + ++static unsigned int q6routing_reg_read(struct snd_soc_component *component, ++ unsigned int reg) ++{ ++ /* default value */ ++ return 0; ++} ++ ++static int q6routing_reg_write(struct snd_soc_component *component, ++ unsigned int reg, unsigned int val) ++{ ++ /* dummy */ ++ return 0; ++} ++ + static const struct snd_soc_component_driver msm_soc_routing_component = { + .ops = &q6pcm_routing_ops, + .probe = msm_routing_probe, +@@ -976,6 +990,8 @@ static const 
struct snd_soc_component_driver msm_soc_routing_component = { + .num_dapm_widgets = ARRAY_SIZE(msm_qdsp6_widgets), + .dapm_routes = intercon, + .num_dapm_routes = ARRAY_SIZE(intercon), ++ .read = q6routing_reg_read, ++ .write = q6routing_reg_write, + }; + + static int q6pcm_routing_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-4.19/bonding-fix-a-potential-double-unregister.patch b/queue-4.19/bonding-fix-a-potential-double-unregister.patch new file mode 100644 index 00000000000..acfc6c14357 --- /dev/null +++ b/queue-4.19/bonding-fix-a-potential-double-unregister.patch 
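Review bot: The comments inside q6routing_reg_read() and q6routing_reg_write() (`/* default value */` and `/* dummy */`) do not say why the callbacks exist, and the reason is only in the commit message. Without it, a later reader could take the silent `return 0` on every write for a lost hardware access. A single comment above the pair, such as `/* DAPM widget reg fields in this driver are internal indices, not hardware registers; report 0 as the default state and accept writes as no-ops */`, would record the intent next to the code.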
@@ -0,0 +1,48 @@
+From 89fd8276ba11b4f681392ab16a401cb28ee62ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet
+Cc: Andy Gospodarek
+Cc: Jay Vosburgh
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 76fd5fc437ebe..ee7138a92d5e7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2029,7 +2029,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
+ int ret;
+
+ ret = __bond_release_one(bond_dev, slave_dev, false, true);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond %s\n",
+ bond_dev->name);
+--
+2.25.1
+
diff --git a/queue-4.19/bonding-fix-active-backup-failover-for-current-arp-s.patch b/queue-4.19/bonding-fix-active-backup-failover-for-current-arp-s.patch
new file mode 100644
index 00000000000..7da7dd098c2
--- /dev/null
+++ b/queue-4.19/bonding-fix-active-backup-failover-for-current-arp-s.patch
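Review bot: The added `bond_dev->reg_state != NETREG_UNREGISTERING` test in bond_release_and_destroy() carries no comment, and the reason for it (the bond may already be queued for unregistration alongside its last slave during namespace teardown) is recorded only in the commit message. Because this condition is what prevents a second unregister of the same device, a comment above it such as `/* bond_dev may already be queued for unregistration (netns teardown); do not destroy it twice */` would keep a later cleanup from removing it. The function body continues outside the hunk.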
@@ -0,0 +1,90 @@ +From 66f477b67719227e08ac9f06efa485d9ca741c65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Aug 2020 20:52:44 +0200 +Subject: bonding: fix active-backup failover for current ARP slave + +From: Jiri Wiesner + +[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ] + +When the ARP monitor is used for link detection, ARP replies are +validated for all slaves (arp_validate=3) and fail_over_mac is set to +active, two slaves of an active-backup bond may get stuck in a state +where both of them are active and pass packets that they receive to +the bond. This state makes IPv6 duplicate address detection fail. The +state is reached thus: +1. The current active slave goes down because the ARP target + is not reachable. +2. The current ARP slave is chosen and made active. +3. A new slave is enslaved. This new slave becomes the current active + slave and can reach the ARP target. +As a result, the current ARP slave stays active after the enslave +action has finished and the log is littered with "PROBE BAD" messages: +> bond0: PROBE: c_arp ens10 && cas ens11 BAD +The workaround is to remove the slave with "going back" status from +the bond and re-enslave it. This issue was encountered when DPDK PMD +interfaces were being enslaved to an active-backup bond. + +I would be possible to fix the issue in bond_enslave() or +bond_change_active_slave() but the ARP monitor was fixed instead to +keep most of the actions changing the current ARP slave in the ARP +monitor code. The current ARP slave is set as inactive and backup +during the commit phase. A new state, BOND_LINK_FAIL, has been +introduced for slaves in the context of the ARP monitor. This allows +administrators to see how slaves are rotated for sending ARP requests +and attempts are made to find a new active slave. + +Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor") +Signed-off-by: Jiri Wiesner +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index ee7138a92d5e7..d32e32e791741 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2773,6 +2773,9 @@ static int bond_ab_arp_inspect(struct bonding *bond) + if (bond_time_in_interval(bond, last_rx, 1)) { + bond_propose_link_state(slave, BOND_LINK_UP); + commit++; ++ } else if (slave->link == BOND_LINK_BACK) { ++ bond_propose_link_state(slave, BOND_LINK_FAIL); ++ commit++; + } + continue; + } +@@ -2883,6 +2886,19 @@ static void bond_ab_arp_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ bond_set_slave_link_state(slave, BOND_LINK_FAIL, ++ BOND_SLAVE_NOTIFY_NOW); ++ bond_set_slave_inactive_flags(slave, ++ BOND_SLAVE_NOTIFY_NOW); ++ ++ /* A slave has just been enslaved and has become ++ * the current active slave. ++ */ ++ if (rtnl_dereference(bond->curr_active_slave)) ++ RCU_INIT_POINTER(bond->current_arp_slave, NULL); ++ continue; ++ + default: + netdev_err(bond->dev, "impossible: new_link %d on slave %s\n", + slave->link_new_state, slave->dev->name); +@@ -2932,8 +2948,6 @@ static bool bond_ab_arp_probe(struct bonding *bond) + return should_notify_rtnl; + } + +- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER); +- + bond_for_each_slave_rcu(bond, slave, iter) { + if (!found && !before && bond_slave_is_up(slave)) + before = slave; +-- +2.25.1 + diff --git a/queue-4.19/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-4.19/bonding-show-saner-speed-for-broadcast-mode.patch new file mode 100644 index 00000000000..46bda11dc08 --- /dev/null +++ b/queue-4.19/bonding-show-saner-speed-for-broadcast-mode.patch 
@@ -0,0 +1,79 @@ +From 98f484cc522b95e001b485dcc54eee0e53caf6fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:09:00 -0400 +Subject: bonding: show saner speed for broadcast mode + +From: Jarod Wilson + +[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ] + +Broadcast mode bonds transmit a copy of all traffic simultaneously out of +all interfaces, so the "speed" of the bond isn't really the aggregate of +all interfaces, but rather, the speed of the slowest active interface. + +Also, the type of the speed field is u32, not unsigned long, so adjust +that accordingly, as required to make min() function here without +complaining about mismatching types. + +Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Acked-by: Jay Vosburgh +Signed-off-by: Jarod Wilson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 11429df743067..76fd5fc437ebe 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4200,13 +4200,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev) + return ret; + } + ++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed) ++{ ++ if (speed == 0 || speed == SPEED_UNKNOWN) ++ speed = slave->speed; ++ else ++ speed = min(speed, slave->speed); ++ ++ return speed; ++} ++ + static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + struct ethtool_link_ksettings *cmd) + { + struct bonding *bond = netdev_priv(bond_dev); +- unsigned long speed = 0; + struct list_head *iter; + struct slave *slave; ++ u32 speed = 0; + + cmd->base.duplex = DUPLEX_UNKNOWN; + cmd->base.port = PORT_OTHER; +@@ -4218,8 
+4228,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + */ + bond_for_each_slave(bond, slave, iter) { + if (bond_slave_can_tx(slave)) { +- if (slave->speed != SPEED_UNKNOWN) +- speed += slave->speed; ++ if (slave->speed != SPEED_UNKNOWN) { ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) ++ speed = bond_mode_bcast_speed(slave, ++ speed); ++ else ++ speed += slave->speed; ++ } + if (cmd->base.duplex == DUPLEX_UNKNOWN && + slave->duplex != DUPLEX_UNKNOWN) + cmd->base.duplex = slave->duplex; +-- +2.25.1 + diff --git a/queue-4.19/efi-avoid-error-message-when-booting-under-xen.patch b/queue-4.19/efi-avoid-error-message-when-booting-under-xen.patch new file mode 100644 index 00000000000..0fb84a1a714 --- /dev/null +++ b/queue-4.19/efi-avoid-error-message-when-booting-under-xen.patch 
@@ -0,0 +1,39 @@ +From bc0eaf7f3a5a85f23340a15ed9c5d41cedc65f47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:16:51 +0200 +Subject: efi: avoid error message when booting under Xen + +From: Juergen Gross + +[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ] + +efifb_probe() will issue an error message in case the kernel is booted +as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid +that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set. + +Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB") +Signed-off-by: Juergen Gross +Acked-by: Ard Biesheuvel +Acked-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index cc1006375cacb..f50cc1a7c31a9 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -449,7 +449,7 @@ static int efifb_probe(struct platform_device *dev) + info->apertures->ranges[0].base = efifb_fix.smem_start; + info->apertures->ranges[0].size = size_remap; + +- if (efi_enabled(EFI_BOOT) && ++ if (efi_enabled(EFI_MEMMAP) && + !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) { + if ((efifb_fix.smem_start + efifb_fix.smem_len) > + (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) { +-- +2.25.1 + diff --git a/queue-4.19/ext4-don-t-allow-overlapping-system-zones.patch b/queue-4.19/ext4-don-t-allow-overlapping-system-zones.patch new file mode 100644 index 00000000000..54d2efb1b49 --- /dev/null +++ b/queue-4.19/ext4-don-t-allow-overlapping-system-zones.patch 
@@ -0,0 +1,85 @@ +From d6d903f4947e20643b23bf2ad45a8be364404211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 15:04:33 +0200 +Subject: ext4: don't allow overlapping system zones + +From: Jan Kara + +[ Upstream commit bf9a379d0980e7413d94cb18dac73db2bfc5f470 ] + +Currently, add_system_zone() just silently merges two added system zones +that overlap. However the overlap should not happen and it generally +suggests that some unrelated metadata overlap which indicates the fs is +corrupted. We should have caught such problems earlier (e.g. in +ext4_check_descriptors()) but add this check as another line of defense. +In later patch we also use this for stricter checking of journal inode +extent tree. + +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index d203cc935ff83..552164034d340 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -68,7 +68,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + ext4_fsblk_t start_blk, + unsigned int count) + { +- struct ext4_system_zone *new_entry = NULL, *entry; ++ struct ext4_system_zone *new_entry, *entry; + struct rb_node **n = &system_blks->root.rb_node, *node; + struct rb_node *parent = NULL, *new_node = NULL; + +@@ -79,30 +79,20 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + n = &(*n)->rb_left; + else if (start_blk >= (entry->start_blk + entry->count)) + n = &(*n)->rb_right; +- else { +- if (start_blk + count > (entry->start_blk + +- entry->count)) +- entry->count = (start_blk + count - +- entry->start_blk); +- new_node = *n; +- new_entry = rb_entry(new_node, struct ext4_system_zone, +- node); +- break; +- } ++ else /* 
Unexpected overlap of system zones. */ ++ return -EFSCORRUPTED; + } + +- if (!new_entry) { +- new_entry = kmem_cache_alloc(ext4_system_zone_cachep, +- GFP_KERNEL); +- if (!new_entry) +- return -ENOMEM; +- new_entry->start_blk = start_blk; +- new_entry->count = count; +- new_node = &new_entry->node; +- +- rb_link_node(new_node, parent, n); +- rb_insert_color(new_node, &system_blks->root); +- } ++ new_entry = kmem_cache_alloc(ext4_system_zone_cachep, ++ GFP_KERNEL); ++ if (!new_entry) ++ return -ENOMEM; ++ new_entry->start_blk = start_blk; ++ new_entry->count = count; ++ new_node = &new_entry->node; ++ ++ rb_link_node(new_node, parent, n); ++ rb_insert_color(new_node, &system_blks->root); + + /* Can we merge to the left? */ + node = rb_prev(new_node); +-- +2.25.1 + diff --git a/queue-4.19/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue-4.19/ext4-fix-potential-negative-array-index-in-do_split.patch new file mode 100644 index 00000000000..bd48afa2a7d --- /dev/null +++ b/queue-4.19/ext4-fix-potential-negative-array-index-in-do_split.patch 
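Review bot: The new `return -EFSCORRUPTED` in add_system_zone() fires only when `start_blk` itself lands inside an existing zone. The condition that sends the walk left is above the hunk; if it compares only `start_blk` with `entry->start_blk`, a new zone that begins below an existing one and runs into it (`start_blk + count > entry->start_blk`) is still inserted as if it were disjoint. Since the check is meant as a defence against corrupted metadata, descending left only when `start_blk + count <= entry->start_blk` and rejecting every other case would cover both directions of overlap. The merge code after the insert continues outside the hunk, so whether it would catch that case cannot be confirmed from here.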
@@ -0,0 +1,68 @@ +From a02c7742b37012d7139688a7d5203f9f45711063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 14:19:04 -0500 +Subject: ext4: fix potential negative array index in do_split() + +From: Eric Sandeen + +[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ] + +If for any reason a directory passed to do_split() does not have enough +active entries to exceed half the size of the block, we can end up +iterating over all "count" entries without finding a split point. + +In this case, count == move, and split will be zero, and we will +attempt a negative index into map[]. + +Guard against this by detecting this case, and falling back to +split-to-half-of-count instead; in this case we will still have +plenty of space (> half blocksize) in each split block. + +Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks") +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a2425e2d439cf..186a2dd05bd87 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1732,7 +1732,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + blocksize, hinfo, map); + map -= count; + dx_sort_map(map, count); +- /* Split the existing block in the middle, size-wise */ ++ /* Ensure that neither split block is over half full */ + size = 0; + move = 0; + for (i = count-1; i >= 0; i--) { +@@ -1742,8 +1742,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + size += map[i].size; + move++; + } +- /* map index at which we will split */ +- split = count - move; ++ /* ++ * map index at which we will split ++ * ++ * If the sum of active entries didn't exceed 
half the block size, just ++ * split it in half by count; each resulting block will have at least ++ * half the space free. ++ */ ++ if (i > 0) ++ split = count - move; ++ else ++ split = count/2; ++ + hash2 = map[split].hash; + continued = hash2 == map[split - 1].hash; + dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n", +-- +2.25.1 + diff --git a/queue-4.19/fix-build-error-when-config_acpi-is-not-set-enabled.patch b/queue-4.19/fix-build-error-when-config_acpi-is-not-set-enabled.patch new file mode 100644 index 00000000000..47c55f36cd5 --- /dev/null +++ b/queue-4.19/fix-build-error-when-config_acpi-is-not-set-enabled.patch @@ -0,0 +1,45 @@ +From 28d0fae398cbb06ed1f211b216a159a052406041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 06:30:47 +0200 +Subject: Fix build error when CONFIG_ACPI is not set/enabled: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit ee87e1557c42dc9c2da11c38e11b87c311569853 ] + +../arch/x86/pci/xen.c: In function ‘pci_xen_init’: +../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration] + acpi_noirq_set(); + +Fixes: 88e9ca161c13 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef") +Signed-off-by: Randy Dunlap +Reviewed-by: Juergen Gross +Cc: Andy Shevchenko +Cc: Bjorn Helgaas +Cc: Konrad Rzeszutek Wilk +Cc: xen-devel@lists.xenproject.org +Cc: linux-pci@vger.kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/pci/xen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c +index 9112d1cb397bb..22da9bfd8a458 100644 +--- a/arch/x86/pci/xen.c ++++ b/arch/x86/pci/xen.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + + static int xen_pcifront_enable_irq(struct pci_dev *dev) +-- +2.25.1 + 
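Review bot: The fallback test `if (i > 0)` in do_split() treats a loop exit at `i == 0` as "no split point found", although the loop `for (i = count-1; i >= 0; i--)` only runs to completion when `i` ends at -1. If the early exit inside the loop (outside the hunk) can trigger on the last entry, a valid split point is discarded and `count/2` is used in a case the new comment does not cover, where the half-block guarantee need not hold; `if (i >= 0)` would match the loop condition. Separately, `count/2` is 0 when `count` is 1, and `map[split - 1]` on the following line would then still index below the array, so either a guard or a comment stating why `count >= 2` holds here is needed.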
diff --git a/queue-4.19/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch b/queue-4.19/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
new file mode 100644
index 00000000000..3ec1099d3da
--- /dev/null
+++ b/queue-4.19/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
@@ -0,0 +1,45 @@
+From 4a930f5172995a8bd2f252494c42c40814fb5048 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 14:53:15 -0700
+Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haiyang Zhang
+
+[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ]
+
+netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
+or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
+queue number, so the “skb->queue_mapping - 1” will be used. This may
+cause the last queue of VF not been used.
+
+Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
+later will get the correct queue number, and VF will be able to use
+all queues.
+
+Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF")
+Signed-off-by: Haiyang Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index e33cbb793b638..4a5d99ecb89d3 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -513,7 +513,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev,
+ int rc;
+
+ skb->dev = vf_netdev;
+- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping;
++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping);
+
+ rc = dev_queue_xmit(skb);
+ if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) {
+--
+2.25.1
+
diff --git a/queue-4.19/i40e-fix-crash-during-removing-i40e-driver.patch b/queue-4.19/i40e-fix-crash-during-removing-i40e-driver.patch new file mode 100644 index 00000000000..72009e5fafc --- /dev/null +++ b/queue-4.19/i40e-fix-crash-during-removing-i40e-driver.patch 
@@ -0,0 +1,80 @@ +From 1dc233f7593621094f4506d0f70f554151c4535a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 10:56:49 +0000 +Subject: i40e: Fix crash during removing i40e driver + +From: Grzegorz Szczurek + +[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ] + +Fix the reason of crashing system by add waiting time to finish reset +recovery process before starting remove driver procedure. +Now VSI is releasing if VSI is not in reset recovery mode. +Without this fix it was possible to start remove driver if other +processing command need reset recovery procedure which resulted in +null pointer dereference. VSI used by the ethtool process has been +cleared by remove driver process. + +[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 6731.508668] #PF: supervisor read access in kernel mode +[ 6731.508670] #PF: error_code(0x0000) - not-present page +[ 6731.508671] PGD 0 P4D 0 +[ 6731.508674] Oops: 0000 [#1] SMP PTI +[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017 +[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e] +[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83 +[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246 +[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007 +[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780 +[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004 +[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000 +[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000 +[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000 +[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 +[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0 +[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6731.508715] Call Trace: +[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e] +[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e] +[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e] +[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e] +[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e] +[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e] +[ 6731.508778] ethtool_set_channels+0xe9/0x150 +[ 6731.508781] dev_ethtool+0x1b94/0x2920 +[ 6731.508805] dev_ioctl+0xc2/0x590 +[ 6731.508811] sock_do_ioctl+0xae/0x150 +[ 6731.508813] sock_ioctl+0x34f/0x3c0 +[ 6731.508821] ksys_ioctl+0x98/0xb0 +[ 6731.508828] __x64_sys_ioctl+0x1a/0x20 +[ 6731.508831] do_syscall_64+0x57/0x1c0 +[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index a74b01bf581e9..3200c75b9ed2a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14152,6 +14152,9 @@ static void i40e_remove(struct pci_dev *pdev) + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0); + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0); + ++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state)) ++ usleep_range(1000, 2000); ++ + /* no more scheduling of any task */ + set_bit(__I40E_SUSPENDED, pf->state); + set_bit(__I40E_DOWN, pf->state); +-- +2.25.1 + 
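Review bot: The wait added to i40e_remove() is a check-then-act sequence: `__I40E_RESET_RECOVERY_PENDING` is tested in the loop, and `__I40E_SUSPENDED` and `__I40E_DOWN` are set only afterwards, so a reset that begins between the last `test_bit()` and the `set_bit()` calls would not be waited for and could leave the same NULL dereference reachable. The loop also has no upper bound, so a recovery that never clears the bit would keep driver removal sleeping indefinitely; a retry limit with a warning on expiry would make that failure visible instead of hanging the unbind. Whether something outside the hunk serialises reset start against remove is not visible here, so the first point needs confirming with the author.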
diff --git a/queue-4.19/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch b/queue-4.19/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch new file mode 100644 index 00000000000..773336cc27a --- /dev/null +++ b/queue-4.19/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch 
@@ -0,0 +1,114 @@ +From de94b18d6da2f94bfc05666f8b01ced63c451e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 13:40:59 +0000 +Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN + +From: Przemyslaw Patynowski + +[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ] + +Trusted VF with unicast promiscuous mode set, could listen to TX +traffic of other VFs. +Set unicast promiscuous mode to RX traffic, if VSI has port VLAN +configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to +I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with +VLAN to the one without VLAN. + +Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support") +Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Andrew Bowers +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +- + drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++----- + 2 files changed, 28 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index 80e3eec6134ee..a5e5e7e14e6c5 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1206,7 +1206,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes { + #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04 + #define I40E_AQC_SET_VSI_DEFAULT 0x08 + #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10 +-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000 ++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000 + __le16 seid; + #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF + __le16 vlan_tag; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index eb0ae6ab01e26..e75b4c4872c09 100644 +--- 
a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1970,6 +1970,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags, + return status; + } + ++/** ++ * i40e_is_aq_api_ver_ge ++ * @aq: pointer to AdminQ info containing HW API version to compare ++ * @maj: API major value ++ * @min: API minor value ++ * ++ * Assert whether current HW API version is greater/equal than provided. ++ **/ ++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj, ++ u16 min) ++{ ++ return (aq->api_maj_ver > maj || ++ (aq->api_maj_ver == maj && aq->api_min_ver >= min)); ++} ++ + /** + * i40e_aq_add_vsi + * @hw: pointer to the hw struct +@@ -2095,18 +2110,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw, + + if (set) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; +- if (rx_only_promisc && +- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1))) +- flags |= I40E_AQC_SET_VSI_PROMISC_TX; ++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; + } + + cmd->promiscuous_flags = cpu_to_le16(flags); + + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); +- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1)) +- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + + cmd->seid = cpu_to_le16(seid); + status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details); +@@ -2203,11 +2216,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw, + i40e_fill_default_direct_cmd_desc(&desc, + i40e_aqc_opc_set_vsi_promiscuous_modes); + +- if (enable) ++ if (enable) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; ++ } 
+ + cmd->promiscuous_flags = cpu_to_le16(flags); + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + cmd->seid = cpu_to_le16(seid); + cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID); + +-- +2.25.1 + diff --git a/queue-4.19/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch b/queue-4.19/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch new file mode 100644 index 00000000000..a01604e4c58 --- /dev/null +++ b/queue-4.19/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch 
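Review bot: In `i40e_aq_set_vsi_uc_promisc_on_vlan()` the RX_ONLY bit is set only when `i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)` holds, so on an older AdminQ API unicast promiscuous mode is still enabled unrestricted, with no trace of the downgrade; `i40e_aq_set_vsi_unicast_promiscuous()` has the same fallback. Going by the commit message, that is the mode in which a trusted VF can see other VFs' TX traffic, so the fallback deserves at least a comment such as `/* AQ API < 1.5: promiscuous mode cannot be limited to RX here */`. Whether firmware below 1.5 actually exposes TX traffic is not visible in this patch and should be confirmed. The kernel-doc of the new helper says "Assert whether", but the function only returns a bool, so `Check whether` would be more accurate; its `aq` parameter is only read and could be `const`.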
@@ -0,0 +1,112 @@ +From 36c0bbadba16d36919ae1144b8c15a4d7171f553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 18:19:08 +0900 +Subject: kconfig: qconf: do not limit the pop-up menu to the first row + +From: Masahiro Yamada + +[ Upstream commit fa8de0a3bf3c02e6f00b7746e7e934db522cdda9 ] + +If you right-click the first row in the option tree, the pop-up menu +shows up, but if you right-click the second row or below, the event +is ignored due to the following check: + + if (e->y() <= header()->geometry().bottom()) { + +Perhaps, the intention was to show the pop-menu only when the tree +header was right-clicked, but this handler is not called in that case. + +Since the origin of e->y() starts from the bottom of the header, +this check is odd. + +Going forward, you can right-click anywhere in the tree to get the +pop-up menu. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 68 ++++++++++++++++++++-------------------- + 1 file changed, 34 insertions(+), 34 deletions(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index 8f004db6f6034..294d4329f4810 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -869,40 +869,40 @@ void ConfigList::focusInEvent(QFocusEvent *e) + + void ConfigList::contextMenuEvent(QContextMenuEvent *e) + { +- if (e->y() <= header()->geometry().bottom()) { +- if (!headerPopup) { +- QAction *action; +- +- headerPopup = new QMenu(this); +- action = new QAction("Show Name", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowName(bool))); +- connect(parent(), SIGNAL(showNameChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showName); +- headerPopup->addAction(action); +- action = new QAction("Show Range", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowRange(bool))); +- connect(parent(), 
SIGNAL(showRangeChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showRange); +- headerPopup->addAction(action); +- action = new QAction("Show Data", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowData(bool))); +- connect(parent(), SIGNAL(showDataChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showData); +- headerPopup->addAction(action); +- } +- headerPopup->exec(e->globalPos()); +- e->accept(); +- } else +- e->ignore(); ++ if (!headerPopup) { ++ QAction *action; ++ ++ headerPopup = new QMenu(this); ++ action = new QAction("Show Name", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowName(bool))); ++ connect(parent(), SIGNAL(showNameChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showName); ++ headerPopup->addAction(action); ++ ++ action = new QAction("Show Range", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowRange(bool))); ++ connect(parent(), SIGNAL(showRangeChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showRange); ++ headerPopup->addAction(action); ++ ++ action = new QAction("Show Data", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowData(bool))); ++ connect(parent(), SIGNAL(showDataChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showData); ++ headerPopup->addAction(action); ++ } ++ ++ headerPopup->exec(e->globalPos()); ++ e->accept(); + } + + ConfigView*ConfigView::viewList; +-- +2.25.1 + diff --git a/queue-4.19/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch b/queue-4.19/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch new file mode 100644 index 00000000000..7e94d71e959 --- /dev/null +++ b/queue-4.19/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch 
@@ -0,0 +1,75 @@ +From d6adf35037df31523659adc4110759647279ea85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 01:36:29 +0900 +Subject: kconfig: qconf: fix signal connection to invalid slots + +From: Masahiro Yamada + +[ Upstream commit d85de3399f97467baa2026fbbbe587850d01ba8a ] + +If you right-click in the ConfigList window, you will see the following +messages in the console: + +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888 +QObject::connect: (sender name: 'config') +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897 +QObject::connect: (sender name: 'config') +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906 +QObject::connect: (sender name: 'config') + +Right, there is no such slot in QAction. I think this is a typo of +setChecked. + +Due to this bug, when you toggled the menu "Option->Show Name/Range/Data" +the state of the context menu was not previously updated. Fix this. 
+ +Fixes: d5d973c3f8a9 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index 294d4329f4810..1ee33d2e15bf8 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -878,7 +878,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowName(bool))); + connect(parent(), SIGNAL(showNameChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showName); + headerPopup->addAction(action); + +@@ -887,7 +887,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowRange(bool))); + connect(parent(), SIGNAL(showRangeChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showRange); + headerPopup->addAction(action); + +@@ -896,7 +896,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowData(bool))); + connect(parent(), SIGNAL(showDataChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showData); + headerPopup->addAction(action); + } +@@ -1228,7 +1228,7 @@ QMenu* ConfigInfoView::createStandardContextMenu(const QPoint & pos) + + action->setCheckable(true); + connect(action, SIGNAL(toggled(bool)), SLOT(setShowDebug(bool))); +- connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setOn(bool))); ++ connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setChecked(bool))); + action->setChecked(showDebug()); + popup->addSeparator(); + popup->addAction(action); +-- +2.25.1 + 
diff --git a/queue-4.19/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch b/queue-4.19/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch new file mode 100644 index 00000000000..3208255b6e7 --- /dev/null +++ b/queue-4.19/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch @@ -0,0 +1,44 @@ +From 1709d027fdf31e7b617733bc74773343f812ff11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:16:54 -0700 +Subject: kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode + +From: Jim Mattson + +[ Upstream commit cb957adb4ea422bd758568df5b2478ea3bb34f35 ] + +See the SDM, volume 3, section 4.4.1: + +If PAE paging would be in use following an execution of MOV to CR0 or +MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of +CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then +the PDPTEs are loaded from the address in CR3. + +Fixes: b9baba8614890 ("KVM, pkeys: expose CPUID/CR4 to guest") +Cc: Huaitong Han +Signed-off-by: Jim Mattson +Reviewed-by: Peter Shier +Reviewed-by: Oliver Upton +Message-Id: <20200817181655.3716509-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index ff1f764c4709a..430a4bc66f604 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -857,7 +857,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | +- X86_CR4_SMEP | X86_CR4_PKE; ++ X86_CR4_SMEP; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +-- +2.25.1 + diff --git a/queue-4.19/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch b/queue-4.19/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch new file mode 100644 index 00000000000..1946c595d10 --- /dev/null 
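Review bot: `pdptr_bits` in `kvm_set_cr4()` carries no comment tying it to the SDM list quoted in the commit message, so nothing in the code explains why PKE (this patch) and SMAP (the following patch) must stay out of it. A comment above the declaration would record the rule, for example `/* CR4 bits whose modification reloads the PDPTEs under PAE paging, SDM vol. 3 section 4.4.1 */`. The body of `kvm_set_cr4()` continues outside the hunk, so how `pdptr_bits` is consumed is not visible here.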
+++ b/queue-4.19/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch @@ -0,0 +1,44 @@ +From dfb98b34677743db67e7a0e652dbdfb33a3da6af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:16:55 -0700 +Subject: kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode + +From: Jim Mattson + +[ Upstream commit 427890aff8558eb4326e723835e0eae0e6fe3102 ] + +See the SDM, volume 3, section 4.4.1: + +If PAE paging would be in use following an execution of MOV to CR0 or +MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of +CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then +the PDPTEs are loaded from the address in CR3. + +Fixes: 0be0226f07d14 ("KVM: MMU: fix SMAP virtualization") +Cc: Xiao Guangrong +Signed-off-by: Jim Mattson +Reviewed-by: Peter Shier +Reviewed-by: Oliver Upton +Message-Id: <20200817181655.3716509-2-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 5b2440e591fc1..ff1f764c4709a 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -857,7 +857,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | +- X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE; ++ X86_CR4_SMEP | X86_CR4_PKE; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +-- +2.25.1 + diff --git a/queue-4.19/net-dsa-b53-check-for-timeout.patch b/queue-4.19/net-dsa-b53-check-for-timeout.patch new file mode 100644 index 00000000000..dd54d6ef3cb --- /dev/null +++ b/queue-4.19/net-dsa-b53-check-for-timeout.patch 
@@ -0,0 +1,51 @@ +From 27cb69cc60ae25ff181cff8c484114f32d150816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 06:56:00 -0700 +Subject: net: dsa: b53: check for timeout + +From: Tom Rix + +[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ] + +clang static analysis reports this problem + +b53_common.c:1583:13: warning: The left expression of the compound + assignment is an uninitialized value. The computed value will + also be garbage + ent.port &= ~BIT(port); + ~~~~~~~~ ^ + +ent is set by a successful call to b53_arl_read(). Unsuccessful +calls are caught by an switch statement handling specific returns. +b32_arl_read() calls b53_arl_op_wait() which fails with the +unhandled -ETIMEDOUT. + +So add -ETIMEDOUT to the switch statement. Because +b53_arl_op_wait() already prints out a message, do not add another +one. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Tom Rix +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 11f3993ab7f30..294be86420b6d 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1335,6 +1335,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port, + return ret; + + switch (ret) { ++ case -ETIMEDOUT: ++ return ret; + case -ENOSPC: + dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n", + addr, vid); +-- +2.25.1 + diff --git a/queue-4.19/net-ena-prevent-reset-after-device-destruction.patch b/queue-4.19/net-ena-prevent-reset-after-device-destruction.patch new file mode 100644 index 00000000000..c811cb13079 --- /dev/null +++ b/queue-4.19/net-ena-prevent-reset-after-device-destruction.patch 
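Review bot: The `switch (ret)` in `b53_arl_op()` still lists error codes one at a time, so any other negative value from `b53_arl_read()` that has no case of its own would presumably fall through to the code that reads `ent`. That is the same uninitialized use the analyser reported for `-ETIMEDOUT`. The rest of the switch lies outside the hunk, so check whether a `default:` arm already returns `ret` for unlisted negative values; if not, adding one is sturdier than adding cases as they are discovered. A short comment on the new case, `/* b53_arl_op_wait() already logged the timeout */`, would also explain why it returns without a message.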
@@ -0,0 +1,95 @@ +From a486cd1e51b73ff89425785c3a6a4bf54cb0338a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 20:28:36 +0300 +Subject: net: ena: Prevent reset after device destruction + +From: Shay Agroskin + +[ Upstream commit 63d4a4c145cca2e84dc6e62d2ef5cb990c9723c2 ] + +The reset work is scheduled by the timer routine whenever it +detects that a device reset is required (e.g. when a keep_alive signal +is missing). +When releasing device resources in ena_destroy_device() the driver +cancels the scheduling of the timer routine without destroying the reset +work explicitly. + +This creates the following bug: + The driver is suspended and the ena_suspend() function is called + -> This function calls ena_destroy_device() to free the net device + resources + -> The driver waits for the timer routine to finish + its execution and then cancels it, thus preventing from it + to be called again. + + If, in its final execution, the timer routine schedules a reset, + the reset routine might be called afterwards,and a redundant call to + ena_restore_device() would be made. + +By changing the reset routine we allow it to read the device's state +accurately. +This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set +before resetting the device and making both the destruction function and +the flag check are under rtnl lock. +The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction +routine. Also surround the flag check with 'likely' because +we expect that the reset routine would be called only when +ENA_FLAG_TRIGGER_RESET flag is set. + +The destruction of the timer and reset services in __ena_shutoff() have to +stay, even though the timer routine is destroyed in ena_destroy_device(). +This is to avoid a case in which the reset routine is scheduled after +free_netdev() in __ena_shutoff(), which would create an access to freed +memory in adapter->flags. 
+ +Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver") +Signed-off-by: Shay Agroskin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 8736718b17359..55cc70ba5b093 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -2647,16 +2647,14 @@ static void ena_fw_reset_device(struct work_struct *work) + { + struct ena_adapter *adapter = + container_of(work, struct ena_adapter, reset_task); +- struct pci_dev *pdev = adapter->pdev; + +- if (unlikely(!test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) { +- dev_err(&pdev->dev, +- "device reset schedule while reset bit is off\n"); +- return; +- } + rtnl_lock(); +- ena_destroy_device(adapter, false); +- ena_restore_device(adapter); ++ ++ if (likely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) { ++ ena_destroy_device(adapter, false); ++ ena_restore_device(adapter); ++ } ++ + rtnl_unlock(); + } + +@@ -3392,8 +3390,11 @@ static void ena_remove(struct pci_dev *pdev) + netdev->rx_cpu_rmap = NULL; + } + #endif /* CONFIG_RFS_ACCEL */ +- del_timer_sync(&adapter->timer_service); + ++ /* Make sure timer and reset routine won't be called after ++ * freeing device resources. ++ */ ++ del_timer_sync(&adapter->timer_service); + cancel_work_sync(&adapter->reset_task); + + unregister_netdev(netdev); +-- +2.25.1 + diff --git a/queue-4.19/net-fec-correct-the-error-path-for-regulator-disable.patch b/queue-4.19/net-fec-correct-the-error-path-for-regulator-disable.patch new file mode 100644 index 00000000000..daa0d126e4d --- /dev/null +++ b/queue-4.19/net-fec-correct-the-error-path-for-regulator-disable.patch 
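Review bot: The new check in `ena_fw_reset_device()` closes the race only if `ena_destroy_device()` clears `ENA_FLAG_TRIGGER_RESET`, which the commit message states but neither hunk shows. This should be confirmed against the 4.19 tree, since the message refers to `__ena_shutoff()` while the second hunk lands in `ena_remove()`, which suggests the backport differs from upstream. With the `dev_err()` removed, a reset work item that runs while the flag is clear is now skipped silently. A debug-level trace in an else branch would keep that case observable, e.g. `dev_dbg(&adapter->pdev->dev, "reset work skipped, reset bit is off\n");`.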
@@ -0,0 +1,40 @@ +From 52ebc2bcdb38ee85e7ffdb69cd2ca514772e3825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 15:13:14 +0800 +Subject: net: fec: correct the error path for regulator disable in probe + +From: Fugang Duan + +[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ] + +Correct the error path for regulator disable. + +Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check") +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 48c58f93b124b..3b6da228140e3 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3659,11 +3659,11 @@ fec_probe(struct platform_device *pdev) + failed_irq: + failed_init: + fec_ptp_stop(pdev); +- if (fep->reg_phy) +- regulator_disable(fep->reg_phy); + failed_reset: + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++ if (fep->reg_phy) ++ regulator_disable(fep->reg_phy); + failed_regulator: + clk_disable_unprepare(fep->clk_ahb); + failed_clk_ahb: +-- +2.25.1 + diff --git a/queue-4.19/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch b/queue-4.19/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch new file mode 100644 index 00000000000..e8cfba87e66 --- /dev/null +++ b/queue-4.19/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch 
@@ -0,0 +1,54 @@ +From 45c67b482f46d71e31dec520852003e04176ec68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 10:33:09 +0800 +Subject: net: gemini: Fix missing free_netdev() in error path of + gemini_ethernet_port_probe() + +From: Wang Hai + +[ Upstream commit cf96d977381d4a23957bade2ddf1c420b74a26b6 ] + +Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way, +when probe fails, netdev can be freed automatically. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index f402af39da42a..16de0fa92ab74 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2392,7 +2392,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + + dev_info(dev, "probe %s ID %d\n", dev_name(dev), id); + +- netdev = alloc_etherdev_mq(sizeof(*port), TX_QUEUE_NUM); ++ netdev = devm_alloc_etherdev_mqs(dev, sizeof(*port), TX_QUEUE_NUM, TX_QUEUE_NUM); + if (!netdev) { + dev_err(dev, "Can't allocate ethernet device #%d\n", id); + return -ENOMEM; +@@ -2526,7 +2526,6 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + } + + port->netdev = NULL; +- free_netdev(netdev); + return ret; + } + +@@ -2535,7 +2534,6 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev) + struct gemini_ethernet_port *port = platform_get_drvdata(pdev); + + gemini_port_remove(port); +- free_netdev(port->netdev); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch b/queue-4.19/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch new file mode 100644 index 00000000000..0cb766de3ff --- /dev/null 
+++ b/queue-4.19/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch @@ -0,0 +1,42 @@ +From 99cb3206ff9814b087e5ddf7a828ccbd701b94df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 21:45:48 -0700 +Subject: RDMA/bnxt_re: Do not add user qps to flushlist + +From: Selvin Xavier + +[ Upstream commit a812f2d60a9fb7818f9c81f967180317b52545c0 ] + +Driver shall add only the kernel qps to the flush list for clean up. +During async error events from the HW, driver is adding qps to this list +without checking if the qp is kernel qp or not. + +Add a check to avoid user qp addition to the flush list. + +Fixes: 942c9b6ca8de ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing") +Fixes: c50866e2853a ("bnxt_re: fix the regression due to changes in alloc_pbl") +Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 589b0d4677d52..f1b666c80f368 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -753,7 +753,8 @@ static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event, + struct ib_event event; + unsigned int flags; + +- if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR) { ++ if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR && ++ rdma_is_kernel_res(&qp->ib_qp.res)) { + flags = bnxt_re_lock_cqs(qp); + bnxt_qplib_add_flush_qp(&qp->qplib_qp); + bnxt_re_unlock_cqs(qp, flags); +-- +2.25.1 + diff --git a/queue-4.19/s390-ptrace-fix-storage-key-handling.patch b/queue-4.19/s390-ptrace-fix-storage-key-handling.patch new file mode 100644 index 00000000000..9f7d8327a2f --- /dev/null +++ b/queue-4.19/s390-ptrace-fix-storage-key-handling.patch 
@@ -0,0 +1,54 @@ +From 42a27da7889ad71c14a09747cc1b84642dd1a87f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 18:56:28 +0200 +Subject: s390/ptrace: fix storage key handling + +From: Heiko Carstens + +[ Upstream commit fd78c59446b8d050ecf3e0897c5a486c7de7c595 ] + +The key member of the runtime instrumentation control block contains +only the access key, not the complete storage key. Therefore the value +must be shifted by four bits. Since existing user space does not +necessarily query and set the access key correctly, just ignore the +user space provided key and use the correct one. +Note: this is only relevant for debugging purposes in case somebody +compiles a kernel with a default storage access key set to a value not +equal to zero. + +Fixes: 262832bc5acd ("s390/ptrace: add runtime instrumention register get/set") +Reported-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 65fefbf61e1ca..3ffa2847c110b 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -1286,7 +1286,6 @@ static bool is_ri_cb_valid(struct runtime_instr_cb *cb) + cb->pc == 1 && + cb->qc == 0 && + cb->reserved2 == 0 && +- cb->key == PAGE_DEFAULT_KEY && + cb->reserved3 == 0 && + cb->reserved4 == 0 && + cb->reserved5 == 0 && +@@ -1350,7 +1349,11 @@ static int s390_runtime_instr_set(struct task_struct *target, + kfree(data); + return -EINVAL; + } +- ++ /* ++ * Override access key in any case, since user space should ++ * not be able to set it, nor should it care about it. ++ */ ++ ri_cb.key = PAGE_DEFAULT_KEY >> 4; + preempt_disable(); + if (!target->thread.ri_cb) + target->thread.ri_cb = data; +-- +2.25.1 + 
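Review bot: `PAGE_DEFAULT_KEY >> 4` is open-coded in `s390_runtime_instr_set()` here and again in `init_runtime_instr_cb()` in the runtime_instr.c patch that follows, and the reason for the shift is given only in the commit messages. A single definition next to the control block declaration would keep the two sites from diverging, for example `#define RI_CB_ACCESS_KEY (PAGE_DEFAULT_KEY >> 4)` (the macro name is constructed for illustration), with a comment that the `key` field holds the access key only. Dropping `cb->key == PAGE_DEFAULT_KEY` from `is_ri_cb_valid()` is safe only because the override runs on every path that installs a user-supplied block. The rest of `s390_runtime_instr_set()` is outside the hunk, so confirm there is no other path that installs the block.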
diff --git a/queue-4.19/s390-runtime_instrumentation-fix-storage-key-handlin.patch b/queue-4.19/s390-runtime_instrumentation-fix-storage-key-handlin.patch new file mode 100644 index 00000000000..9c8c712e8b7 --- /dev/null +++ b/queue-4.19/s390-runtime_instrumentation-fix-storage-key-handlin.patch @@ -0,0 +1,40 @@ +From e61798dcaf451dea8191c4a07825890fcb46e81c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 18:55:41 +0200 +Subject: s390/runtime_instrumentation: fix storage key handling + +From: Heiko Carstens + +[ Upstream commit 9eaba29c7985236e16468f4e6a49cc18cf01443e ] + +The key member of the runtime instrumentation control block contains +only the access key, not the complete storage key. Therefore the value +must be shifted by four bits. +Note: this is only relevant for debugging purposes in case somebody +compiles a kernel with a default storage access key set to a value not +equal to zero. + +Fixes: e4b8b3f33fca ("s390: add support for runtime instrumentation") +Reported-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/runtime_instr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c +index 125c7f6e87150..1788a5454b6fc 100644 +--- a/arch/s390/kernel/runtime_instr.c ++++ b/arch/s390/kernel/runtime_instr.c +@@ -57,7 +57,7 @@ static void init_runtime_instr_cb(struct runtime_instr_cb *cb) + cb->k = 1; + cb->ps = 1; + cb->pc = 1; +- cb->key = PAGE_DEFAULT_KEY; ++ cb->key = PAGE_DEFAULT_KEY >> 4; + cb->v = 1; + } + +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 0acd9ae8bcf..52fdc08dc70 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -36,3 +36,29 @@ tools-testing-selftests-cgroup-cgroup_util.c-cg_read.patch xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch alpha-fix-annotation-of-io-read-write-16-32-be.patch fs-signalfd.c-fix-inconsistent-return-codes-for-sign.patch +ext4-fix-potential-negative-array-index-in-do_split.patch +ext4-don-t-allow-overlapping-system-zones.patch +asoc-q6routing-add-dummy-register-read-write-functio.patch +i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch +i40e-fix-crash-during-removing-i40e-driver.patch +net-fec-correct-the-error-path-for-regulator-disable.patch +bonding-show-saner-speed-for-broadcast-mode.patch +bonding-fix-a-potential-double-unregister.patch +s390-runtime_instrumentation-fix-storage-key-handlin.patch +s390-ptrace-fix-storage-key-handling.patch +asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch +asoc-intel-fix-memleak-in-sst_media_open.patch +vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch +kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch +kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch +kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch +kconfig-qconf-fix-signal-connection-to-invalid-slots.patch +efi-avoid-error-message-when-booting-under-xen.patch +fix-build-error-when-config_acpi-is-not-set-enabled.patch +rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch +afs-fix-null-deref-in-afs_dynroot_depopulate.patch +bonding-fix-active-backup-failover-for-current-arp-s.patch +net-ena-prevent-reset-after-device-destruction.patch +net-gemini-fix-missing-free_netdev-in-error-path-of-.patch +hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch +net-dsa-b53-check-for-timeout.patch diff --git a/queue-4.19/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch b/queue-4.19/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch new file mode 100644 index 00000000000..bfd13f7be43 --- /dev/null +++ b/queue-4.19/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch 
@@ -0,0 +1,164 @@
+From 633d52039e11e2f917ea7848cdc76d130d26f58a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 11:09:13 -0600
+Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay()
+
+From: Alex Williamson
+
+[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ]
+
+The vfio_iommu_replay() function does not currently unwind on error,
+yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
+structure to indicate IOMMU mapping. The IOMMU mappings are torn down
+when the domain is destroyed, but the other actions go on to cause
+trouble later. For example, the iommu->domain_list can be empty if we
+only have a non-IOMMU backed mdev attached. We don't currently check
+if the list is empty before getting the first entry in the list, which
+leads to a bogus domain pointer. If a vfio_dma entry is erroneously
+marked as iommu_mapped, we'll attempt to use that bogus pointer to
+retrieve the existing physical page addresses.
+
+This is the scenario that uncovered this issue, attempting to hot-add
+a vfio-pci device to a container with an existing mdev device and DMA
+mappings, one of which could not be pinned, causing a failure adding
+the new group to the existing container and setting the conditions
+for a subsequent attempt to explode.
+
+To resolve this, we can first check if the domain_list is empty so
+that we can reject replay of a bogus domain, should we ever encounter
+this inconsistent state again in the future. The real fix though is
+to add the necessary unwind support, which means cleaning up the
+current pinning if an IOMMU mapping fails, then walking back through
+the r-b tree of DMA entries, reading from the IOMMU which ranges are
+mapped, and unmapping and unpinning those ranges. To be able to do
+this, we also defer marking the DMA entry as IOMMU mapped until all
+entries are processed, in order to allow the unwind to know the
+disposition of each entry.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Reported-by: Zhiyi Guo
+Tested-by: Zhiyi Guo
+Reviewed-by: Cornelia Huck
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++---
+ 1 file changed, 66 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 6dbdadb936a89..52083b710b87e 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -1193,13 +1193,16 @@ static int vfio_bus_type(struct device *dev, void *data)
+ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ struct vfio_domain *domain)
+ {
+- struct vfio_domain *d;
++ struct vfio_domain *d = NULL;
+ struct rb_node *n;
+ unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+ int ret;
+
+ /* Arbitrarily pick the first domain in the list for lookups */
+- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next);
++ if (!list_empty(&iommu->domain_list))
++ d = list_first_entry(&iommu->domain_list,
++ struct vfio_domain, next);
++
+ n = rb_first(&iommu->dma_list);
+
+ for (; n; n = rb_next(n)) {
+@@ -1217,6 +1220,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ phys_addr_t p;
+ dma_addr_t i;
+
++ if (WARN_ON(!d)) { /* mapped w/o a domain?! */
++ ret = -EINVAL;
++ goto unwind;
++ }
++
+ phys = iommu_iova_to_phys(d->domain, iova);
+
+ if (WARN_ON(!phys)) {
+@@ -1246,7 +1254,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ if (npage <= 0) {
+ WARN_ON(!npage);
+ ret = (int)npage;
+- return ret;
++ goto unwind;
+ }
+
+ phys = pfn << PAGE_SHIFT;
+@@ -1255,14 +1263,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+
+ ret = iommu_map(domain->domain, iova, phys,
+ size, dma->prot | domain->prot);
+- if (ret)
+- return ret;
++ if (ret) {
++ if (!dma->iommu_mapped)
++ vfio_unpin_pages_remote(dma, iova,
++ phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT,
++ true);
++ goto unwind;
++ }
+
+ iova += size;
+ }
++ }
++
++ /* All dmas are now mapped, defer to second tree walk for unwind */
++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++
+ dma->iommu_mapped = true;
+ }
++
+ return 0;
++
++unwind:
++ for (; n; n = rb_prev(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++ dma_addr_t iova;
++
++ if (dma->iommu_mapped) {
++ iommu_unmap(domain->domain, dma->iova, dma->size);
++ continue;
++ }
++
++ iova = dma->iova;
++ while (iova < dma->iova + dma->size) {
++ phys_addr_t phys, p;
++ size_t size;
++ dma_addr_t i;
++
++ phys = iommu_iova_to_phys(domain->domain, iova);
++ if (!phys) {
++ iova += PAGE_SIZE;
++ continue;
++ }
++
++ size = PAGE_SIZE;
++ p = phys + size;
++ i = iova + size;
++ while (i < dma->iova + dma->size &&
++ p == iommu_iova_to_phys(domain->domain, i)) {
++ size += PAGE_SIZE;
++ p += PAGE_SIZE;
++ i += PAGE_SIZE;
++ }
++
++ iommu_unmap(domain->domain, iova, size);
++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT, true);
++ }
++ }
++
++ return ret;
+ }
+
+ /*
+--
+2.25.1
+
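Review bot: In the `npage <= 0` branch of vfio_iommu_replay(), `ret = (int)npage;` leaves ret at 0 when the pin call returns zero, so the new `goto unwind` undoes the mappings and pins made so far and then `return ret;` reports success. The old code returned 0 on that path as well, but now the caller would treat a replay that was fully rolled back as complete. Whether vfio_pin_pages_remote() can really return 0 is not visible in these hunks (the `WARN_ON(!npage)` suggests it is unexpected), but the unwind label should never be reachable with a zero ret, for example `ret = npage ? (int)npage : -EINVAL;`. The body of the mapping loop lies partly outside the hunks shown.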