From: Sasha Levin Date: Mon, 24 Aug 2020 01:33:37 +0000 (-0400) Subject: Fixes for 5.8 X-Git-Tag: v4.4.234~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd02953310e40875ef4a27cfbbad64a72b5594c5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.8 Signed-off-by: Sasha Levin --- diff --git a/queue-5.8/afs-fix-key-ref-leak-in-afs_put_operation.patch b/queue-5.8/afs-fix-key-ref-leak-in-afs_put_operation.patch new file mode 100644 index 00000000000..4ce95d3f5cd --- /dev/null +++ b/queue-5.8/afs-fix-key-ref-leak-in-afs_put_operation.patch @@ -0,0 +1,36 @@ +From 5ea1cc994fc42fa529c3fdb89f0d4f4e405cbd8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:37:12 +0100 +Subject: afs: Fix key ref leak in afs_put_operation() + +From: David Howells + +[ Upstream commit ba8e42077bbe046a09bdb965dbfbf8c27594fe8f ] + +The afs_put_operation() function needs to put the reference to the key +that's authenticating the operation. + +Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") +Reported-by: Dave Botsch +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/fs_operation.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/fs_operation.c b/fs/afs/fs_operation.c +index 24fd163c6323e..97cab12b0a6c2 100644 +--- a/fs/afs/fs_operation.c ++++ b/fs/afs/fs_operation.c +@@ -235,6 +235,7 @@ int afs_put_operation(struct afs_operation *op) + afs_end_cursor(&op->ac); + afs_put_serverlist(op->net, op->server_list); + afs_put_volume(op->net, op->volume, afs_volume_trace_put_put_op); ++ key_put(op->key); + kfree(op); + return ret; + } +-- +2.25.1 + diff --git a/queue-5.8/afs-fix-null-deref-in-afs_dynroot_depopulate.patch b/queue-5.8/afs-fix-null-deref-in-afs_dynroot_depopulate.patch new file mode 100644 index 00000000000..e1920080b84 --- /dev/null +++ b/queue-5.8/afs-fix-null-deref-in-afs_dynroot_depopulate.patch @@ -0,0 +1,88 @@ +From 227455a6ee1dd65c50cfc7b15974ca10e000e535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 10:15:12 +0100 +Subject: afs: Fix NULL deref in afs_dynroot_depopulate() + +From: David Howells + +[ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ] + +If an error occurs during the construction of an afs superblock, it's +possible that an error occurs after a superblock is created, but before +we've created the root dentry. If the superblock has a dynamic root +(ie. what's normally mounted on /afs), the afs_kill_super() will call +afs_dynroot_depopulate() to unpin any created dentries - but this will +oops if the root hasn't been created yet. + +Fix this by skipping that bit of code if there is no root dentry. + +This leads to an oops looking like: + + general protection fault, ... + KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] + ... + RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385 + ... + Call Trace: + afs_kill_super+0x13b/0x180 fs/afs/super.c:535 + deactivate_locked_super+0x94/0x160 fs/super.c:335 + afs_get_tree+0x1124/0x1460 fs/afs/super.c:598 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2875 [inline] + path_mount+0x1387/0x2070 fs/namespace.c:3192 + do_mount fs/namespace.c:3205 [inline] + __do_sys_mount fs/namespace.c:3413 [inline] + __se_sys_mount fs/namespace.c:3390 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +which is oopsing on this line: + + inode_lock(root->d_inode); + +presumably because sb->s_root was NULL. + +Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount") +Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index b79879aacc02e..7b784af604fd9 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -382,15 +382,17 @@ void afs_dynroot_depopulate(struct super_block *sb) + net->dynroot_sb = NULL; + mutex_unlock(&net->proc_cells_lock); + +- inode_lock(root->d_inode); +- +- /* Remove all the pins for dirs created for manually added cells */ +- list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { +- if (subdir->d_fsdata) { +- subdir->d_fsdata = NULL; +- dput(subdir); ++ if (root) { ++ inode_lock(root->d_inode); ++ ++ /* Remove all the pins for dirs created for manually added cells */ ++ list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { ++ if (subdir->d_fsdata) { ++ subdir->d_fsdata = NULL; ++ dput(subdir); ++ } + } +- } + +- inode_unlock(root->d_inode); ++ inode_unlock(root->d_inode); ++ } + } +-- +2.25.1 + diff --git a/queue-5.8/arch-ia64-restore-arch-specific-pgd_offset_k-impleme.patch b/queue-5.8/arch-ia64-restore-arch-specific-pgd_offset_k-impleme.patch new file mode 100644 index 00000000000..e91a355689e --- /dev/null +++ b/queue-5.8/arch-ia64-restore-arch-specific-pgd_offset_k-impleme.patch @@ -0,0 +1,71 @@ +From 191122cfa36c386b1b9bada79d13eee328d3b713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 19:24:57 +0100 +Subject: arch/ia64: Restore arch-specific pgd_offset_k implementation + +From: Jessica Clarke + +[ Upstream commit bd05220c7be3356046861c317d9c287ca50445ba ] + +IA-64 is special and treats pgd_offset_k() differently to pgd_offset(), +using different formulae to calculate the indices into the kernel and user +PGDs. The index into the user PGDs takes into account the region number, +but the index into the kernel (init_mm) PGD always assumes a predefined +kernel region number. Commit 974b9b2c68f3 ("mm: consolidate pte_index() and +pte_offset_*() definitions") made IA-64 use a generic pgd_offset_k() which +incorrectly used pgd_index() for kernel page tables. As a result, the +index into the kernel PGD was going out of bounds and the kernel hung +during early boot. + +Allow overrides of pgd_offset_k() and override it on IA-64 with the old +implementation that will correctly index the kernel PGD. + +Fixes: 974b9b2c68f3 ("mm: consolidate pte_index() and pte_offset_*() definitions") +Reported-by: John Paul Adrian Glaubitz +Signed-off-by: Jessica Clarke +Tested-by: John Paul Adrian Glaubitz +Acked-by: Tony Luck +Signed-off-by: Mike Rapoport +Signed-off-by: Sasha Levin +--- + arch/ia64/include/asm/pgtable.h | 9 +++++++++ + include/linux/pgtable.h | 2 ++ + 2 files changed, 11 insertions(+) + +diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h +index 10850897a91c4..779b6972aa84b 100644 +--- a/arch/ia64/include/asm/pgtable.h ++++ b/arch/ia64/include/asm/pgtable.h +@@ -366,6 +366,15 @@ pgd_index (unsigned long address) + } + #define pgd_index pgd_index + ++/* ++ * In the kernel's mapped region we know everything is in region number 5, so ++ * as an optimisation its PGD already points to the area for that region. ++ * However, this also means that we cannot use pgd_index() and we must ++ * never add the region here. ++ */ ++#define pgd_offset_k(addr) \ ++ (init_mm.pgd + (((addr) >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1))) ++ + /* Look up a pgd entry in the gate area. On IA-64, the gate-area + resides in the kernel-mapped segment, hence we use pgd_offset_k() + here. */ +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index 56c1e8eb7bb0a..8075f6ae185a1 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -117,7 +117,9 @@ static inline pgd_t *pgd_offset_pgd(pgd_t *pgd, unsigned long address) + * a shortcut which implies the use of the kernel's pgd, instead + * of a process's + */ ++#ifndef pgd_offset_k + #define pgd_offset_k(address) pgd_offset(&init_mm, (address)) ++#endif + + /* + * In many cases it is known that a virtual address is mapped at PMD or PTE +-- +2.25.1 + diff --git a/queue-5.8/arm64-vdso32-install-vdso32-from-vdso_install.patch b/queue-5.8/arm64-vdso32-install-vdso32-from-vdso_install.patch new file mode 100644 index 00000000000..2b6cb7b6b8e --- /dev/null +++ b/queue-5.8/arm64-vdso32-install-vdso32-from-vdso_install.patch @@ -0,0 +1,53 @@ +From fce8d3e3d56a3d704913992319c89eed59b37a68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 18:49:50 -0700 +Subject: ARM64: vdso32: Install vdso32 from vdso_install + +From: Stephen Boyd + +[ Upstream commit 8d75785a814241587802655cc33e384230744f0c ] + +Add the 32-bit vdso Makefile to the vdso_install rule so that 'make +vdso_install' installs the 32-bit compat vdso when it is compiled. + +Fixes: a7f71a2c8903 ("arm64: compat: Add vDSO") +Signed-off-by: Stephen Boyd +Reviewed-by: Vincenzo Frascino +Acked-by: Will Deacon +Cc: Vincenzo Frascino +Link: https://lore.kernel.org/r/20200818014950.42492-1-swboyd@chromium.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/Makefile | 1 + + arch/arm64/kernel/vdso32/Makefile | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index 70f5905954dde..91e377770a6b8 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -158,6 +158,7 @@ zinstall install: + PHONY += vdso_install + vdso_install: + $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@ ++ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso32 $@ + + # We use MRPROPER_FILES and CLEAN_FILES now + archclean: +diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile +index 5139a5f192568..d6adb4677c25f 100644 +--- a/arch/arm64/kernel/vdso32/Makefile ++++ b/arch/arm64/kernel/vdso32/Makefile +@@ -208,7 +208,7 @@ quiet_cmd_vdsosym = VDSOSYM $@ + cmd_vdsosym = $(NM) $< | $(gen-vdsosym) | LC_ALL=C sort > $@ + + # Install commands for the unstripped file +-quiet_cmd_vdso_install = INSTALL $@ ++quiet_cmd_vdso_install = INSTALL32 $@ + cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/vdso32.so + + vdso.so: $(obj)/vdso.so.dbg +-- +2.25.1 + diff --git a/queue-5.8/asoc-intel-fix-memleak-in-sst_media_open.patch b/queue-5.8/asoc-intel-fix-memleak-in-sst_media_open.patch new file mode 100644 index 00000000000..fe13bb1b003 --- /dev/null +++ b/queue-5.8/asoc-intel-fix-memleak-in-sst_media_open.patch @@ -0,0 +1,50 @@ +From 9b4df721b17b90e9ee1a447f0e8bef51b035f6ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 16:41:10 +0800 +Subject: ASoC: intel: Fix memleak in sst_media_open + +From: Dinghao Liu + +[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ] + +When power_up_sst() fails, stream needs to be freed +just like when try_module_get() fails. However, current +code is returning directly and ends up leaking memory. + +Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp") +Signed-off-by: Dinghao Liu +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +index 8817eaae6bb7a..b520e3aeaf3de 100644 +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +@@ -331,7 +331,7 @@ static int sst_media_open(struct snd_pcm_substream *substream, + + ret_val = power_up_sst(stream); + if (ret_val < 0) +- return ret_val; ++ goto out_power_up; + + /* Make sure, that the period size is always even */ + snd_pcm_hw_constraint_step(substream->runtime, 0, +@@ -340,8 +340,9 @@ static int sst_media_open(struct snd_pcm_substream *substream, + return snd_pcm_hw_constraint_integer(runtime, + SNDRV_PCM_HW_PARAM_PERIODS); + out_ops: +- kfree(stream); + mutex_unlock(&sst_lock); ++out_power_up: ++ kfree(stream); + return ret_val; + } + +-- +2.25.1 + diff --git a/queue-5.8/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch b/queue-5.8/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch new file mode 100644 index 00000000000..e534a7fee68 --- /dev/null +++ b/queue-5.8/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch @@ -0,0 +1,42 @@ +From 90dd45da2f633f924b46fd3840f3c391b2b21e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 11:34:52 +0100 +Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset + +From: Srinivas Kandagatla + +[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ] + +For some reason interrupt set and clear register offsets are +not set correctly. +This patch corrects them! + +Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec") +Signed-off-by: Srinivas Kandagatla +Tested-by: Stephan Gerhold +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/msm8916-wcd-analog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c +index 85bc7ae4d2671..26cf372ccda6f 100644 +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -19,8 +19,8 @@ + + #define CDC_D_REVISION1 (0xf000) + #define CDC_D_PERPH_SUBTYPE (0xf005) +-#define CDC_D_INT_EN_SET (0x015) +-#define CDC_D_INT_EN_CLR (0x016) ++#define CDC_D_INT_EN_SET (0xf015) ++#define CDC_D_INT_EN_CLR (0xf016) + #define MBHC_SWITCH_INT BIT(7) + #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6) + #define MBHC_BUTTON_PRESS_DET BIT(5) +-- +2.25.1 + diff --git a/queue-5.8/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch b/queue-5.8/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch new file mode 100644 index 00000000000..2d2d570198e --- /dev/null +++ b/queue-5.8/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch @@ -0,0 +1,349 @@ +From faf681acc9aec889d068dc0f3e4e5fbd26b6e28e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 13:02:04 +0100 +Subject: ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM + +From: Srinivas Kandagatla + +[ Upstream commit 56235e4bc5ae58cb8fcd9314dba4e9ab077ddda8 ] + +Looks like the q6afe-dai dapm widget registers are set as "0", +which is a not correct. + +As this registers will be read by ASoC core during startup +which will throw up errors, Fix this by making the registers +as SND_SOC_NOPM as these should be never used. + +With recent changes to ASoC core, every register read/write +failures are reported very verbosely. Prior to this fails to reads +are totally ignored, so we never saw any error messages. + +Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200811120205.21805-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6afe-dai.c | 210 +++++++++++++++---------------- + 1 file changed, 105 insertions(+), 105 deletions(-) + +diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c +index 2a5302f1db98a..0168af8492727 100644 +--- a/sound/soc/qcom/qdsp6/q6afe-dai.c ++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c +@@ -1150,206 +1150,206 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component, + } + + static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = { +- SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1", + "Secondary MI2S Playback SD1", +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL, +- 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL, +- 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, 0, 0, 0), ++ 0, SND_SOC_NOPM, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, SND_SOC_NOPM, 0, 0), + }; + + static const struct snd_soc_component_driver q6afe_dai_component = { +-- +2.25.1 + diff --git a/queue-5.8/asoc-q6routing-add-dummy-register-read-write-functio.patch b/queue-5.8/asoc-q6routing-add-dummy-register-read-write-functio.patch new file mode 100644 index 00000000000..80eefbc72f1 --- /dev/null +++ b/queue-5.8/asoc-q6routing-add-dummy-register-read-write-functio.patch @@ -0,0 +1,68 @@ +From 54b561601d4ff143d683b6891967c208c9169385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 13:02:05 +0100 +Subject: ASoC: q6routing: add dummy register read/write function + +From: Srinivas Kandagatla + +[ Upstream commit 796a58fe2b8c9b6668db00d92512ec84be663027 ] + +Most of the DAPM widgets for DSP ASoC components reuse reg field +of the widgets for its internal calculations, however these are not +real registers. So read/writes to these numbers are not really +valid. However ASoC core will read these registers to get default +state during startup. + +With recent changes to ASoC core, every register read/write +failures are reported very verbosely. Prior to this fails to reads +are totally ignored, so we never saw any error messages. + +To fix this add dummy read/write function to return default value. + +Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6routing.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c +index 46e50612b92c1..750e6a30444eb 100644 +--- a/sound/soc/qcom/qdsp6/q6routing.c ++++ b/sound/soc/qcom/qdsp6/q6routing.c +@@ -973,6 +973,20 @@ static int msm_routing_probe(struct snd_soc_component *c) + return 0; + } + ++static unsigned int q6routing_reg_read(struct snd_soc_component *component, ++ unsigned int reg) ++{ ++ /* default value */ ++ return 0; ++} ++ ++static int q6routing_reg_write(struct snd_soc_component *component, ++ unsigned int reg, unsigned int val) ++{ ++ /* dummy */ ++ return 0; ++} ++ + static const struct snd_soc_component_driver msm_soc_routing_component = { + .probe = msm_routing_probe, + .name = DRV_NAME, +@@ -981,6 +995,8 @@ static const struct snd_soc_component_driver msm_soc_routing_component = { + .num_dapm_widgets = ARRAY_SIZE(msm_qdsp6_widgets), + .dapm_routes = intercon, + .num_dapm_routes = ARRAY_SIZE(intercon), ++ .read = q6routing_reg_read, ++ .write = q6routing_reg_write, + }; + + static int q6pcm_routing_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-5.8/bonding-fix-a-potential-double-unregister.patch b/queue-5.8/bonding-fix-a-potential-double-unregister.patch new file mode 100644 index 00000000000..1eb8632d3c1 --- /dev/null +++ b/queue-5.8/bonding-fix-a-potential-double-unregister.patch @@ -0,0 +1,48 @@ +From 45e5dd84184d733c177c83c5bb177fe5de2d30a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 20:05:58 -0700 +Subject: bonding: fix a potential double-unregister + +From: Cong Wang + +[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ] + +When we tear down a network namespace, we unregister all +the netdevices within it. So we may queue a slave device +and a bonding device together in the same unregister queue. + +If the only slave device is non-ethernet, it would +automatically unregister the bonding device as well. Thus, +we may end up unregistering the bonding device twice. + +Workaround this special case by checking reg_state. + +Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()") +Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com +Cc: Eric Dumazet +Cc: Andy Gospodarek +Cc: Jay Vosburgh +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a35a05610a5e3..f438e20fcda1f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2084,7 +2084,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev, + int ret; + + ret = __bond_release_one(bond_dev, slave_dev, false, true); +- if (ret == 0 && !bond_has_slaves(bond)) { ++ if (ret == 0 && !bond_has_slaves(bond) && ++ bond_dev->reg_state != NETREG_UNREGISTERING) { + bond_dev->priv_flags |= IFF_DISABLE_NETPOLL; + netdev_info(bond_dev, "Destroying bond\n"); + bond_remove_proc_entry(bond); +-- +2.25.1 + diff --git a/queue-5.8/bonding-fix-active-backup-failover-for-current-arp-s.patch b/queue-5.8/bonding-fix-active-backup-failover-for-current-arp-s.patch new file mode 100644 index 00000000000..6c896783198 --- /dev/null +++ b/queue-5.8/bonding-fix-active-backup-failover-for-current-arp-s.patch @@ -0,0 +1,90 @@ +From f2cfb8316f595ed9f1d8e751bc15806dbd475b84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Aug 2020 20:52:44 +0200 +Subject: bonding: fix active-backup failover for current ARP slave + +From: Jiri Wiesner + +[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ] + +When the ARP monitor is used for link detection, ARP replies are +validated for all slaves (arp_validate=3) and fail_over_mac is set to +active, two slaves of an active-backup bond may get stuck in a state +where both of them are active and pass packets that they receive to +the bond. This state makes IPv6 duplicate address detection fail. The +state is reached thus: +1. The current active slave goes down because the ARP target + is not reachable. +2. The current ARP slave is chosen and made active. +3. A new slave is enslaved. This new slave becomes the current active + slave and can reach the ARP target. +As a result, the current ARP slave stays active after the enslave +action has finished and the log is littered with "PROBE BAD" messages: +> bond0: PROBE: c_arp ens10 && cas ens11 BAD +The workaround is to remove the slave with "going back" status from +the bond and re-enslave it. This issue was encountered when DPDK PMD +interfaces were being enslaved to an active-backup bond. + +I would be possible to fix the issue in bond_enslave() or +bond_change_active_slave() but the ARP monitor was fixed instead to +keep most of the actions changing the current ARP slave in the ARP +monitor code. The current ARP slave is set as inactive and backup +during the commit phase. A new state, BOND_LINK_FAIL, has been +introduced for slaves in the context of the ARP monitor. This allows +administrators to see how slaves are rotated for sending ARP requests +and attempts are made to find a new active slave. + +Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor") +Signed-off-by: Jiri Wiesner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index f438e20fcda1f..500aa3e19a4c7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2825,6 +2825,9 @@ static int bond_ab_arp_inspect(struct bonding *bond) + if (bond_time_in_interval(bond, last_rx, 1)) { + bond_propose_link_state(slave, BOND_LINK_UP); + commit++; ++ } else if (slave->link == BOND_LINK_BACK) { ++ bond_propose_link_state(slave, BOND_LINK_FAIL); ++ commit++; + } + continue; + } +@@ -2933,6 +2936,19 @@ static void bond_ab_arp_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ bond_set_slave_link_state(slave, BOND_LINK_FAIL, ++ BOND_SLAVE_NOTIFY_NOW); ++ bond_set_slave_inactive_flags(slave, ++ BOND_SLAVE_NOTIFY_NOW); ++ ++ /* A slave has just been enslaved and has become ++ * the current active slave. ++ */ ++ if (rtnl_dereference(bond->curr_active_slave)) ++ RCU_INIT_POINTER(bond->current_arp_slave, NULL); ++ continue; ++ + default: + slave_err(bond->dev, slave->dev, + "impossible: link_new_state %d on slave\n", +@@ -2983,8 +2999,6 @@ static bool bond_ab_arp_probe(struct bonding *bond) + return should_notify_rtnl; + } + +- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER); +- + bond_for_each_slave_rcu(bond, slave, iter) { + if (!found && !before && bond_slave_is_up(slave)) + before = slave; +-- +2.25.1 + diff --git a/queue-5.8/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-5.8/bonding-show-saner-speed-for-broadcast-mode.patch new file mode 100644 index 00000000000..81639f976c8 --- /dev/null +++ b/queue-5.8/bonding-show-saner-speed-for-broadcast-mode.patch @@ -0,0 +1,79 @@ +From 8d747df62e7b2877e1e97e17ea48a85417ea5dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:09:00 -0400 +Subject: bonding: show saner speed for broadcast mode + +From: Jarod Wilson + +[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ] + +Broadcast mode bonds transmit a copy of all traffic simultaneously out of +all interfaces, so the "speed" of the bond isn't really the aggregate of +all interfaces, but rather, the speed of the slowest active interface. + +Also, the type of the speed field is u32, not unsigned long, so adjust +that accordingly, as required to make min() function here without +complaining about mismatching types. + +Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Acked-by: Jay Vosburgh +Signed-off-by: Jarod Wilson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index f88cb097b022a..a35a05610a5e3 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4431,13 +4431,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev) + return ret; + } + ++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed) ++{ ++ if (speed == 0 || speed == SPEED_UNKNOWN) ++ speed = slave->speed; ++ else ++ speed = min(speed, slave->speed); ++ ++ return speed; ++} ++ + static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + struct ethtool_link_ksettings *cmd) + { + struct bonding *bond = netdev_priv(bond_dev); +- unsigned long speed = 0; + struct list_head *iter; + struct slave *slave; ++ u32 speed = 0; + + cmd->base.duplex = DUPLEX_UNKNOWN; + cmd->base.port = PORT_OTHER; +@@ -4449,8 +4459,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + */ + bond_for_each_slave(bond, slave, iter) { + if (bond_slave_can_tx(slave)) { +- if (slave->speed != SPEED_UNKNOWN) +- speed += slave->speed; ++ if (slave->speed != SPEED_UNKNOWN) { ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) ++ speed = bond_mode_bcast_speed(slave, ++ speed); ++ else ++ speed += slave->speed; ++ } + if (cmd->base.duplex == DUPLEX_UNKNOWN && + slave->duplex != DUPLEX_UNKNOWN) + cmd->base.duplex = slave->duplex; +-- +2.25.1 + diff --git a/queue-5.8/bpf-sock_ops-ctx-access-may-stomp-registers-in-corne.patch b/queue-5.8/bpf-sock_ops-ctx-access-may-stomp-registers-in-corne.patch new file mode 100644 index 00000000000..12b532f714f --- /dev/null +++ b/queue-5.8/bpf-sock_ops-ctx-access-may-stomp-registers-in-corne.patch @@ -0,0 +1,227 @@ +From bc7f27ecd4c2ccf8a6645a58499a494ddd0b6cc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 15:04:37 -0700 +Subject: bpf: sock_ops ctx access may stomp registers in corner case + +From: John Fastabend + +[ Upstream commit fd09af010788a884de1c39537c288830c3d305db ] + +I had a sockmap program that after doing some refactoring started spewing +this splat at me: + +[18610.807284] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 +[...] +[18610.807359] Call Trace: +[18610.807370] ? 0xffffffffc114d0d5 +[18610.807382] __cgroup_bpf_run_filter_sock_ops+0x7d/0xb0 +[18610.807391] tcp_connect+0x895/0xd50 +[18610.807400] tcp_v4_connect+0x465/0x4e0 +[18610.807407] __inet_stream_connect+0xd6/0x3a0 +[18610.807412] ? __inet_stream_connect+0x5/0x3a0 +[18610.807417] inet_stream_connect+0x3b/0x60 +[18610.807425] __sys_connect+0xed/0x120 + +After some debugging I was able to build this simple reproducer, + + __section("sockops/reproducer_bad") + int bpf_reproducer_bad(struct bpf_sock_ops *skops) + { + volatile __maybe_unused __u32 i = skops->snd_ssthresh; + return 0; + } + +And along the way noticed that below program ran without splat, + +__section("sockops/reproducer_good") +int bpf_reproducer_good(struct bpf_sock_ops *skops) +{ + volatile __maybe_unused __u32 i = skops->snd_ssthresh; + volatile __maybe_unused __u32 family; + + compiler_barrier(); + + family = skops->family; + return 0; +} + +So I decided to check out the code we generate for the above two +programs and noticed each generates the BPF code you would expect, + +0000000000000000 : +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 0: r1 = *(u32 *)(r1 + 96) + 1: *(u32 *)(r10 - 4) = r1 +; return 0; + 2: r0 = 0 + 3: exit + +0000000000000000 : +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 0: r2 = *(u32 *)(r1 + 96) + 1: *(u32 *)(r10 - 4) = r2 +; family = skops->family; + 2: r1 = *(u32 *)(r1 + 20) + 3: *(u32 *)(r10 - 8) = r1 +; return 0; + 4: r0 = 0 + 5: exit + +So we get reasonable assembly, but still something was causing the null +pointer dereference. So, we load the programs and dump the xlated version +observing that line 0 above 'r* = *(u32 *)(r1 +96)' is going to be +translated by the skops access helpers. + +int bpf_reproducer_bad(struct bpf_sock_ops * skops): +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 0: (61) r1 = *(u32 *)(r1 +28) + 1: (15) if r1 == 0x0 goto pc+2 + 2: (79) r1 = *(u64 *)(r1 +0) + 3: (61) r1 = *(u32 *)(r1 +2340) +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 4: (63) *(u32 *)(r10 -4) = r1 +; return 0; + 5: (b7) r0 = 0 + 6: (95) exit + +int bpf_reproducer_good(struct bpf_sock_ops * skops): +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 0: (61) r2 = *(u32 *)(r1 +28) + 1: (15) if r2 == 0x0 goto pc+2 + 2: (79) r2 = *(u64 *)(r1 +0) + 3: (61) r2 = *(u32 *)(r2 +2340) +; volatile __maybe_unused __u32 i = skops->snd_ssthresh; + 4: (63) *(u32 *)(r10 -4) = r2 +; family = skops->family; + 5: (79) r1 = *(u64 *)(r1 +0) + 6: (69) r1 = *(u16 *)(r1 +16) +; family = skops->family; + 7: (63) *(u32 *)(r10 -8) = r1 +; return 0; + 8: (b7) r0 = 0 + 9: (95) exit + +Then we look at lines 0 and 2 above. In the good case we do the zero +check in r2 and then load 'r1 + 0' at line 2. Do a quick cross-check +into the bpf_sock_ops check and we can confirm that is the 'struct +sock *sk' pointer field. But, in the bad case, + + 0: (61) r1 = *(u32 *)(r1 +28) + 1: (15) if r1 == 0x0 goto pc+2 + 2: (79) r1 = *(u64 *)(r1 +0) + +Oh no, we read 'r1 +28' into r1, this is skops->fullsock and then in +line 2 we read the 'r1 +0' as a pointer. Now jumping back to our spat, + +[18610.807284] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 + +The 0x01 makes sense because that is exactly the fullsock value. And +its not a valid dereference so we splat. + +To fix we need to guard the case when a program is doing a sock_ops field +access with src_reg == dst_reg. This is already handled in the load case +where the ctx_access handler uses a tmp register being careful to +store the old value and restore it. To fix the get case test if +src_reg == dst_reg and in this case do the is_fullsock test in the +temporary register. Remembering to restore the temporary register before +writing to either dst_reg or src_reg to avoid smashing the pointer into +the struct holding the tmp variable. + +Adding this inline code to test_tcpbpf_kern will now be generated +correctly from, + + 9: r2 = *(u32 *)(r2 + 96) + +to xlated code, + + 12: (7b) *(u64 *)(r2 +32) = r9 + 13: (61) r9 = *(u32 *)(r2 +28) + 14: (15) if r9 == 0x0 goto pc+4 + 15: (79) r9 = *(u64 *)(r2 +32) + 16: (79) r2 = *(u64 *)(r2 +0) + 17: (61) r2 = *(u32 *)(r2 +2348) + 18: (05) goto pc+1 + 19: (79) r9 = *(u64 *)(r2 +32) + +And in the normal case we keep the original code, because really this +is an edge case. From this, + + 9: r2 = *(u32 *)(r6 + 96) + +to xlated code, + + 22: (61) r2 = *(u32 *)(r6 +28) + 23: (15) if r2 == 0x0 goto pc+2 + 24: (79) r2 = *(u64 *)(r6 +0) + 25: (61) r2 = *(u32 *)(r2 +2348) + +So three additional instructions if dst == src register, but I scanned +my current code base and did not see this pattern anywhere so should +not be a big deal. Further, it seems no one else has hit this or at +least reported it so it must a fairly rare pattern. + +Fixes: 9b1f3d6e5af29 ("bpf: Refactor sock_ops_convert_ctx_access") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/159718347772.4728.2781381670567919577.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 82e1b5b061675..09286a1f7457d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -8249,15 +8249,31 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + /* Helper macro for adding read access to tcp_sock or sock fields. */ + #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ) \ + do { \ ++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 2; \ + BUILD_BUG_ON(sizeof_field(OBJ, OBJ_FIELD) > \ + sizeof_field(struct bpf_sock_ops, BPF_FIELD)); \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ fullsock_reg = reg; \ ++ jmp += 2; \ ++ } \ + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ + struct bpf_sock_ops_kern, \ + is_fullsock), \ +- si->dst_reg, si->src_reg, \ ++ fullsock_reg, si->src_reg, \ + offsetof(struct bpf_sock_ops_kern, \ + is_fullsock)); \ +- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 2); \ ++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \ ++ if (si->dst_reg == si->src_reg) \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ + struct bpf_sock_ops_kern, sk),\ + si->dst_reg, si->src_reg, \ +@@ -8266,6 +8282,12 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + OBJ_FIELD), \ + si->dst_reg, si->dst_reg, \ + offsetof(OBJ, OBJ_FIELD)); \ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_JMP_A(1); \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ } \ + } while (0) + + #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \ +-- +2.25.1 + diff --git a/queue-5.8/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch b/queue-5.8/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch new file mode 100644 index 00000000000..a84dfe3ee4d --- /dev/null +++ b/queue-5.8/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch @@ -0,0 +1,124 @@ +From ea77cc473f9426579ef85a3d23aadd4d482266d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 15:04:56 -0700 +Subject: bpf: sock_ops sk access may stomp registers when dst_reg = src_reg + +From: John Fastabend + +[ Upstream commit 84f44df664e9f0e261157e16ee1acd77cc1bb78d ] + +Similar to patch ("bpf: sock_ops ctx access may stomp registers") if the +src_reg = dst_reg when reading the sk field of a sock_ops struct we +generate xlated code, + + 53: (61) r9 = *(u32 *)(r9 +28) + 54: (15) if r9 == 0x0 goto pc+3 + 56: (79) r9 = *(u64 *)(r9 +0) + +This stomps on the r9 reg to do the sk_fullsock check and then when +reading the skops->sk field instead of the sk pointer we get the +sk_fullsock. To fix use similar pattern noted in the previous fix +and use the temp field to save/restore a register used to do +sk_fullsock check. + +After the fix the generated xlated code reads, + + 52: (7b) *(u64 *)(r9 +32) = r8 + 53: (61) r8 = *(u32 *)(r9 +28) + 54: (15) if r9 == 0x0 goto pc+3 + 55: (79) r8 = *(u64 *)(r9 +32) + 56: (79) r9 = *(u64 *)(r9 +0) + 57: (05) goto pc+1 + 58: (79) r8 = *(u64 *)(r9 +32) + +Here r9 register was in-use so r8 is chosen as the temporary register. +In line 52 r8 is saved in temp variable and at line 54 restored in case +fullsock != 0. Finally we handle fullsock == 0 case by restoring at +line 58. + +This adds a new macro SOCK_OPS_GET_SK it is almost possible to merge +this with SOCK_OPS_GET_FIELD, but I found the extra branch logic a +bit more confusing than just adding a new macro despite a bit of +duplicating code. + +Fixes: 1314ef561102e ("bpf: export bpf_sock for BPF_PROG_TYPE_SOCK_OPS prog type") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/159718349653.4728.6559437186853473612.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 49 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 09286a1f7457d..a69e79327c29e 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -8290,6 +8290,43 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + } \ + } while (0) + ++#define SOCK_OPS_GET_SK() \ ++ do { \ ++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 1; \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ fullsock_reg = reg; \ ++ jmp += 2; \ ++ } \ ++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ ++ struct bpf_sock_ops_kern, \ ++ is_fullsock), \ ++ fullsock_reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ is_fullsock)); \ ++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \ ++ if (si->dst_reg == si->src_reg) \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ ++ struct bpf_sock_ops_kern, sk),\ ++ si->dst_reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, sk));\ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_JMP_A(1); \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ } \ ++ } while (0) ++ + #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \ + SOCK_OPS_GET_FIELD(FIELD, FIELD, struct tcp_sock) + +@@ -8574,17 +8611,7 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + SOCK_OPS_GET_TCP_SOCK_FIELD(bytes_acked); + break; + case offsetof(struct bpf_sock_ops, sk): +- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( +- struct bpf_sock_ops_kern, +- is_fullsock), +- si->dst_reg, si->src_reg, +- offsetof(struct bpf_sock_ops_kern, +- is_fullsock)); +- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 1); +- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( +- struct bpf_sock_ops_kern, sk), +- si->dst_reg, si->src_reg, +- offsetof(struct bpf_sock_ops_kern, sk)); ++ SOCK_OPS_GET_SK(); + break; + } + return insn - insn_buf; +-- +2.25.1 + diff --git a/queue-5.8/bpf-use-get_file_rcu-instead-of-get_file-for-task_fi.patch b/queue-5.8/bpf-use-get_file_rcu-instead-of-get_file-for-task_fi.patch new file mode 100644 index 00000000000..c0b61ddf722 --- /dev/null +++ b/queue-5.8/bpf-use-get_file_rcu-instead-of-get_file-for-task_fi.patch @@ -0,0 +1,131 @@ +From d41f20e4dd8034803ba05f23f69d7a98bf843a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 10:42:14 -0700 +Subject: bpf: Use get_file_rcu() instead of get_file() for task_file iterator + +From: Yonghong Song + +[ Upstream commit cf28f3bbfca097d956f9021cb710dfad56adcc62 ] + +With latest `bpftool prog` command, we observed the following kernel +panic. + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor instruction fetch in kernel mode + #PF: error_code(0x0010) - not-present page + PGD dfe894067 P4D dfe894067 PUD deb663067 PMD 0 + Oops: 0010 [#1] SMP + CPU: 9 PID: 6023 ... + RIP: 0010:0x0 + Code: Bad RIP value. + RSP: 0000:ffffc900002b8f18 EFLAGS: 00010286 + RAX: ffff8883a405f400 RBX: ffff888e46a6bf00 RCX: 000000008020000c + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8883a405f400 + RBP: ffff888e46a6bf50 R08: 0000000000000000 R09: ffffffff81129600 + R10: ffff8883a405f300 R11: 0000160000000000 R12: 0000000000002710 + R13: 000000e9494b690c R14: 0000000000000202 R15: 0000000000000009 + FS: 00007fd9187fe700(0000) GS:ffff888e46a40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffffffffffd6 CR3: 0000000de5d33002 CR4: 0000000000360ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + rcu_core+0x1a4/0x440 + __do_softirq+0xd3/0x2c8 + irq_exit+0x9d/0xa0 + smp_apic_timer_interrupt+0x68/0x120 + apic_timer_interrupt+0xf/0x20 + + RIP: 0033:0x47ce80 + Code: Bad RIP value. + RSP: 002b:00007fd9187fba40 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000000002 RBX: 00007fd931789160 RCX: 000000000000010c + RDX: 00007fd9308cdfb4 RSI: 00007fd9308cdfb4 RDI: 00007ffedd1ea0a8 + RBP: 00007fd9187fbab0 R08: 000000000000000e R09: 000000000000002a + R10: 0000000000480210 R11: 00007fd9187fc570 R12: 00007fd9316cc400 + R13: 0000000000000118 R14: 00007fd9308cdfb4 R15: 00007fd9317a9380 + +After further analysis, the bug is triggered by +Commit eaaacd23910f ("bpf: Add task and task/file iterator targets") +which introduced task_file bpf iterator, which traverses all open file +descriptors for all tasks in the current namespace. +The latest `bpftool prog` calls a task_file bpf program to traverse +all files in the system in order to associate processes with progs/maps, etc. +When traversing files for a given task, rcu read_lock is taken to +access all files in a file_struct. But it used get_file() to grab +a file, which is not right. It is possible file->f_count is 0 and +get_file() will unconditionally increase it. +Later put_file() may cause all kind of issues with the above +as one of sympotoms. + +The failure can be reproduced with the following steps in a few seconds: + $ cat t.c + #include + #include + #include + #include + #include + + #define N 10000 + int fd[N]; + int main() { + int i; + + for (i = 0; i < N; i++) { + fd[i] = open("./note.txt", 'r'); + if (fd[i] < 0) { + fprintf(stderr, "failed\n"); + return -1; + } + } + for (i = 0; i < N; i++) + close(fd[i]); + + return 0; + } + $ gcc -O2 t.c + $ cat run.sh + #/bin/bash + for i in {1..100} + do + while true; do ./a.out; done & + done + $ ./run.sh + $ while true; do bpftool prog >& /dev/null; done + +This patch used get_file_rcu() which only grabs a file if the +file->f_count is not zero. This is to ensure the file pointer +is always valid. The above reproducer did not fail for more +than 30 minutes. + +Fixes: eaaacd23910f ("bpf: Add task and task/file iterator targets") +Suggested-by: Josef Bacik +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/bpf/20200817174214.252601-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/task_iter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c +index ac7869a389990..a4a0fb4f94cc1 100644 +--- a/kernel/bpf/task_iter.c ++++ b/kernel/bpf/task_iter.c +@@ -177,10 +177,11 @@ task_file_seq_get_next(struct bpf_iter_seq_task_file_info *info, + f = fcheck_files(curr_files, curr_fd); + if (!f) + continue; ++ if (!get_file_rcu(f)) ++ continue; + + /* set info->fd */ + info->fd = curr_fd; +- get_file(f); + rcu_read_unlock(); + return f; + } +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-abort-multipacket-broadcast-session-when-t.patch b/queue-5.8/can-j1939-abort-multipacket-broadcast-session-when-t.patch new file mode 100644 index 00000000000..325f6a5b576 --- /dev/null +++ b/queue-5.8/can-j1939-abort-multipacket-broadcast-session-when-t.patch @@ -0,0 +1,51 @@ +From 30ec044f4d78cd833c88f50e74259cec3f4a37cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:24 +0800 +Subject: can: j1939: abort multipacket broadcast session when timeout occurs + +From: Zhang Changzhong + +[ Upstream commit 2b8b2e31555cf55ba3680fb28e2b382e168d7ea1 ] + +If timeout occurs, j1939_tp_rxtimer() first calls hrtimer_start() to restart +rxtimer, and then calls __j1939_session_cancel() to set session->state = +J1939_SESSION_WAITING_ABORT. At next timeout expiration, because of the +J1939_SESSION_WAITING_ABORT session state j1939_tp_rxtimer() will call +j1939_session_deactivate_activate_next() to deactivate current session, and +rxtimer won't be set. + +But for multipacket broadcast session, __j1939_session_cancel() don't set +session->state = J1939_SESSION_WAITING_ABORT, thus current session won't be +deactivate and hrtimer_start() is called to start new rxtimer again and again. + +So fix it by moving session->state = J1939_SESSION_WAITING_ABORT out of if +(!j1939_cb_is_broadcast(&session->skcb)) statement. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-4-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index d1a9adde677b0..e3167619b196f 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1074,9 +1074,9 @@ static void __j1939_session_cancel(struct j1939_session *session, + lockdep_assert_held(&session->priv->active_session_list_lock); + + session->err = j1939_xtp_abort_to_errno(priv, err); ++ session->state = J1939_SESSION_WAITING_ABORT; + /* do not send aborts on incoming broadcasts */ + if (!j1939_cb_is_broadcast(&session->skcb)) { +- session->state = J1939_SESSION_WAITING_ABORT; + j1939_xtp_tx_abort(priv, &session->skcb, + !session->transmission, + err, session->skcb.addr.pgn); +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch b/queue-5.8/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch new file mode 100644 index 00000000000..1d45e208c2e --- /dev/null +++ b/queue-5.8/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch @@ -0,0 +1,99 @@ +From 14fb728fef196f55279b0af892f5744800b95f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:25 +0800 +Subject: can: j1939: add rxtimer for multipacket broadcast session + +From: Zhang Changzhong + +[ Upstream commit 0ae18a82686f9b9965a8ce0dd81371871b306ffe ] + +According to SAE J1939/21 (Chapter 5.12.3 and APPENDIX C), for transmit side +the required time interval between packets of a multipacket broadcast message +is 50 to 200 ms, the responder shall use a timeout of 250ms (provides margin +allowing for the maximumm spacing of 200ms). For receive side a timeout will +occur when a time of greater than 750 ms elapsed between two message packets +when more packets were expected. + +So this patch fix and add rxtimer for multipacket broadcast session. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-5-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index e3167619b196f..dbd215cbc53d8 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -723,10 +723,12 @@ static int j1939_session_tx_rts(struct j1939_session *session) + return ret; + + session->last_txcmd = dat[0]; +- if (dat[0] == J1939_TP_CMD_BAM) ++ if (dat[0] == J1939_TP_CMD_BAM) { + j1939_tp_schedule_txtimer(session, 50); +- +- j1939_tp_set_rxtimeout(session, 1250); ++ j1939_tp_set_rxtimeout(session, 250); ++ } else { ++ j1939_tp_set_rxtimeout(session, 1250); ++ } + + netdev_dbg(session->priv->ndev, "%s: 0x%p\n", __func__, session); + +@@ -1687,11 +1689,15 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb, + } + session->last_cmd = cmd; + +- j1939_tp_set_rxtimeout(session, 1250); +- +- if (cmd != J1939_TP_CMD_BAM && !session->transmission) { +- j1939_session_txtimer_cancel(session); +- j1939_tp_schedule_txtimer(session, 0); ++ if (cmd == J1939_TP_CMD_BAM) { ++ if (!session->transmission) ++ j1939_tp_set_rxtimeout(session, 750); ++ } else { ++ if (!session->transmission) { ++ j1939_session_txtimer_cancel(session); ++ j1939_tp_schedule_txtimer(session, 0); ++ } ++ j1939_tp_set_rxtimeout(session, 1250); + } + + j1939_session_put(session); +@@ -1742,6 +1748,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + int offset; + int nbytes; + bool final = false; ++ bool remain = false; + bool do_cts_eoma = false; + int packet; + +@@ -1804,6 +1811,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + j1939_cb_is_broadcast(&session->skcb)) { + if (session->pkt.rx >= session->pkt.total) + final = true; ++ else ++ remain = true; + } else { + /* never final, an EOMA must follow */ + if (session->pkt.rx >= session->pkt.last) +@@ -1813,6 +1822,9 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + if (final) { + j1939_session_timers_cancel(session); + j1939_session_completed(session); ++ } else if (remain) { ++ if (!session->transmission) ++ j1939_tp_set_rxtimeout(session, 750); + } else if (do_cts_eoma) { + j1939_tp_set_rxtimeout(session, 1250); + if (!session->transmission) +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch b/queue-5.8/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch new file mode 100644 index 00000000000..ea3f60b5b2d --- /dev/null +++ b/queue-5.8/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch @@ -0,0 +1,37 @@ +From 4c070949a6e04857413733e9f7323948ce8135c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:23 +0800 +Subject: can: j1939: cancel rxtimer on multipacket broadcast session complete + +From: Zhang Changzhong + +[ Upstream commit e8b17653088f28a87c81845fa41a2d295a3b458c ] + +If j1939_xtp_rx_dat_one() receive last frame of multipacket broadcast message, +j1939_session_timers_cancel() should be called to cancel rxtimer. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-3-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 67189b4c482c5..d1a9adde677b0 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1811,6 +1811,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + } + + if (final) { ++ j1939_session_timers_cancel(session); + j1939_session_completed(session); + } else if (do_cts_eoma) { + j1939_tp_set_rxtimeout(session, 1250); +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch b/queue-5.8/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch new file mode 100644 index 00000000000..cad5c902d35 --- /dev/null +++ b/queue-5.8/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch @@ -0,0 +1,85 @@ +From bd6259ec02bc627a7a6be344026893cd5f06903f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 09:18:34 -0700 +Subject: can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can() + +From: Eric Dumazet + +[ Upstream commit 38ba8b9241f5848a49b80fddac9ab5f4692e434e ] + +syzbot found that at least 2 bytes of kernel information +were leaked during getsockname() on AF_CAN CAN_J1939 socket. + +Since struct sockaddr_can has in fact two holes, simply +clear the whole area before filling it with useful data. + +BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253 +CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 + kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423 + kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253 + instrument_copy_to_user include/linux/instrumented.h:91 [inline] + _copy_to_user+0x18e/0x260 lib/usercopy.c:39 + copy_to_user include/linux/uaccess.h:186 [inline] + move_addr_to_user+0x3de/0x670 net/socket.c:237 + __sys_getsockname+0x407/0x5e0 net/socket.c:1909 + __do_sys_getsockname net/socket.c:1920 [inline] + __se_sys_getsockname+0x91/0xb0 net/socket.c:1917 + __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917 + do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x440219 +Code: Bad RIP value. +RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219 +RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20 +R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000 + +Local variable ----address@__sys_getsockname created at: + __sys_getsockname+0x91/0x5e0 net/socket.c:1894 + __sys_getsockname+0x91/0x5e0 net/socket.c:1894 + +Bytes 2-3 of 24 are uninitialized +Memory access of size 24 starts at ffff8880ba2c7de8 +Data copied to user address 0000000020000100 + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Robin van der Gracht +Cc: Oleksij Rempel +Cc: Pengutronix Kernel Team +Cc: linux-can@vger.kernel.org +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/socket.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 11d566c70a944..1b7dc1a8547f3 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -561,6 +561,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr, + static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr, + const struct j1939_sock *jsk, int peer) + { ++ /* There are two holes (2 bytes and 3 bytes) to clear to avoid ++ * leaking kernel information to user space. ++ */ ++ memset(addr, 0, J1939_MIN_NAMELEN); ++ + addr->can_family = AF_CAN; + addr->can_ifindex = jsk->ifindex; + addr->can_addr.j1939.pgn = jsk->addr.pgn; +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-fix-support-for-multipacket-broadcast-mess.patch b/queue-5.8/can-j1939-fix-support-for-multipacket-broadcast-mess.patch new file mode 100644 index 00000000000..60f2ea0783c --- /dev/null +++ b/queue-5.8/can-j1939-fix-support-for-multipacket-broadcast-mess.patch @@ -0,0 +1,81 @@ +From 8d2b534969033adb99c0f102fc98fc9d84fea7fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:22 +0800 +Subject: can: j1939: fix support for multipacket broadcast message + +From: Zhang Changzhong + +[ Upstream commit f4fd77fd87e9b214c26bb2ebd4f90055eaea5ade ] + +Currently j1939_tp_im_involved_anydir() in j1939_tp_recv() check the previously +set flags J1939_ECU_LOCAL_DST and J1939_ECU_LOCAL_SRC of incoming skb, thus +multipacket broadcast message was aborted by receive side because it may come +from remote ECUs and have no exact dst address. Similarly, j1939_tp_cmd_recv() +and j1939_xtp_rx_dat() didn't process broadcast message. + +So fix it by checking and process broadcast message in j1939_tp_recv(), +j1939_tp_cmd_recv() and j1939_xtp_rx_dat(). + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-2-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 90a2baac8a4aa..67189b4c482c5 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1673,8 +1673,12 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb, + return; + } + session = j1939_xtp_rx_rts_session_new(priv, skb); +- if (!session) ++ if (!session) { ++ if (cmd == J1939_TP_CMD_BAM && j1939_sk_recv_match(priv, skcb)) ++ netdev_info(priv->ndev, "%s: failed to create TP BAM session\n", ++ __func__); + return; ++ } + } else { + if (j1939_xtp_rx_rts_session_active(session, skb)) { + j1939_session_put(session); +@@ -1852,6 +1856,13 @@ static void j1939_xtp_rx_dat(struct j1939_priv *priv, struct sk_buff *skb) + else + j1939_xtp_rx_dat_one(session, skb); + } ++ ++ if (j1939_cb_is_broadcast(skcb)) { ++ session = j1939_session_get_by_addr(priv, &skcb->addr, false, ++ false); ++ if (session) ++ j1939_xtp_rx_dat_one(session, skb); ++ } + } + + /* j1939 main intf */ +@@ -1943,7 +1954,7 @@ static void j1939_tp_cmd_recv(struct j1939_priv *priv, struct sk_buff *skb) + if (j1939_tp_im_transmitter(skcb)) + j1939_xtp_rx_rts(priv, skb, true); + +- if (j1939_tp_im_receiver(skcb)) ++ if (j1939_tp_im_receiver(skcb) || j1939_cb_is_broadcast(skcb)) + j1939_xtp_rx_rts(priv, skb, false); + + break; +@@ -2007,7 +2018,7 @@ int j1939_tp_recv(struct j1939_priv *priv, struct sk_buff *skb) + { + struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb); + +- if (!j1939_tp_im_involved_anydir(skcb)) ++ if (!j1939_tp_im_involved_anydir(skcb) && !j1939_cb_is_broadcast(skcb)) + return 0; + + switch (skcb->addr.pgn) { +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-transport-add-j1939_session_skb_find_by_of.patch b/queue-5.8/can-j1939-transport-add-j1939_session_skb_find_by_of.patch new file mode 100644 index 00000000000..d77ea6974af --- /dev/null +++ b/queue-5.8/can-j1939-transport-add-j1939_session_skb_find_by_of.patch @@ -0,0 +1,91 @@ +From 0e2ec63d186c508152de987685e1a6ec5a83ae6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 12:51:59 +0200 +Subject: can: j1939: transport: add j1939_session_skb_find_by_offset() + function + +From: Oleksij Rempel + +[ Upstream commit 840835c9281215341d84966a8855f267a971e6a3 ] + +Sometimes it makes no sense to search the skb by pkt.dpo, since we need +next the skb within the transaction block. This may happen if we have an +ETP session with CTS set to less than 255 packets. + +After this patch, we will be able to work with ETP sessions where the +block size (ETP.CM_CTS byte 2) is less than 255 packets. + +Reported-by: Henrique Figueira +Reported-by: https://github.com/linux-can/can-utils/issues/228 +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20200807105200.26441-5-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 30957c9a8eb7a..90a2baac8a4aa 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -352,17 +352,16 @@ void j1939_session_skb_queue(struct j1939_session *session, + skb_queue_tail(&session->skb_queue, skb); + } + +-static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) ++static struct ++sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session, ++ unsigned int offset_start) + { + struct j1939_priv *priv = session->priv; ++ struct j1939_sk_buff_cb *do_skcb; + struct sk_buff *skb = NULL; + struct sk_buff *do_skb; +- struct j1939_sk_buff_cb *do_skcb; +- unsigned int offset_start; + unsigned long flags; + +- offset_start = session->pkt.dpo * 7; +- + spin_lock_irqsave(&session->skb_queue.lock, flags); + skb_queue_walk(&session->skb_queue, do_skb) { + do_skcb = j1939_skb_to_cb(do_skb); +@@ -382,6 +381,14 @@ static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) + return skb; + } + ++static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) ++{ ++ unsigned int offset_start; ++ ++ offset_start = session->pkt.dpo * 7; ++ return j1939_session_skb_find_by_offset(session, offset_start); ++} ++ + /* see if we are receiver + * returns 0 for broadcasts, although we will receive them + */ +@@ -766,7 +773,7 @@ static int j1939_session_tx_dat(struct j1939_session *session) + int ret = 0; + u8 dat[8]; + +- se_skb = j1939_session_skb_find(session); ++ se_skb = j1939_session_skb_find_by_offset(session, session->pkt.tx * 7); + if (!se_skb) + return -ENOBUFS; + +@@ -1765,7 +1772,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + __func__, session); + goto out_session_cancel; + } +- se_skb = j1939_session_skb_find(session); ++ ++ se_skb = j1939_session_skb_find_by_offset(session, packet * 7); + if (!se_skb) { + netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__, + session); +-- +2.25.1 + diff --git a/queue-5.8/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch b/queue-5.8/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch new file mode 100644 index 00000000000..d84bfa84784 --- /dev/null +++ b/queue-5.8/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch @@ -0,0 +1,63 @@ +From 3504785ed9cef1fdf26131dfe3bc589b7fd602ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 12:51:56 +0200 +Subject: can: j1939: transport: j1939_simple_recv(): ignore local J1939 + messages send not by J1939 stack + +From: Oleksij Rempel + +[ Upstream commit b43e3a82bc432c1caaed8950e7662c143470c54c ] + +In current J1939 stack implementation, we process all locally send +messages as own messages. Even if it was send by CAN_RAW socket. + +To reproduce it use following commands: +testj1939 -P -r can0:0x80 & +cansend can0 18238040#0123 + +This step will trigger false positive not critical warning: +j1939_simple_recv: Received already invalidated message + +With this patch we add additional check to make sure, related skb is own +echo message. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20200807105200.26441-2-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/socket.c | 1 + + net/can/j1939/transport.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 1b7dc1a8547f3..bf9fd6ee88fe0 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -398,6 +398,7 @@ static int j1939_sk_init(struct sock *sk) + spin_lock_init(&jsk->sk_session_queue_lock); + INIT_LIST_HEAD(&jsk->sk_session_queue); + sk->sk_destruct = j1939_sk_sock_destruct; ++ sk->sk_protocol = CAN_J1939; + + return 0; + } +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 5bfe6bf15a999..30957c9a8eb7a 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -2032,6 +2032,10 @@ void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb) + if (!skb->sk) + return; + ++ if (skb->sk->sk_family != AF_CAN || ++ skb->sk->sk_protocol != CAN_J1939) ++ return; ++ + j1939_session_list_lock(priv); + session = j1939_session_get_simple(priv, skb); + j1939_session_list_unlock(priv); +-- +2.25.1 + diff --git a/queue-5.8/drm-virtio-fix-missing-dma_fence_put-in-virtio_gpu_e.patch b/queue-5.8/drm-virtio-fix-missing-dma_fence_put-in-virtio_gpu_e.patch new file mode 100644 index 00000000000..7f1be2d70c2 --- /dev/null +++ b/queue-5.8/drm-virtio-fix-missing-dma_fence_put-in-virtio_gpu_e.patch @@ -0,0 +1,40 @@ +From b1eeee54b1d702b99aee61cfe48e36c1f015fa0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 18:16:47 +0800 +Subject: drm/virtio: fix missing dma_fence_put() in + virtio_gpu_execbuffer_ioctl() + +From: Qi Liu + +[ Upstream commit 8b6ec999b198b59ae61e86e70f5e9df73fe4754f ] + +We should put the reference count of the fence after calling +virtio_gpu_cmd_submit(). So add the missing dma_fence_put(). + +Fixes: 2cd7b6f08bc4 ("drm/virtio: add in/out fence support for explicit synchronization") +Co-developed-by: Xin He +Signed-off-by: Xin He +Signed-off-by: Qi Liu +Reviewed-by: Muchun Song +Link: http://patchwork.freedesktop.org/patch/msgid/20200721101647.42653-1-hexin.op@bytedance.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index 5df722072ba0b..19c5bc01eb790 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -179,6 +179,7 @@ static int virtio_gpu_execbuffer_ioctl(struct drm_device *dev, void *data, + + virtio_gpu_cmd_submit(vgdev, buf, exbuf->size, + vfpriv->ctx_id, buflist, out_fence); ++ dma_fence_put(&out_fence->f); + virtio_gpu_notify(vgdev); + return 0; + +-- +2.25.1 + diff --git a/queue-5.8/efi-avoid-error-message-when-booting-under-xen.patch b/queue-5.8/efi-avoid-error-message-when-booting-under-xen.patch new file mode 100644 index 00000000000..78d10917195 --- /dev/null +++ b/queue-5.8/efi-avoid-error-message-when-booting-under-xen.patch @@ -0,0 +1,39 @@ +From 33af73499bc8f779403dd661206355d9cc8ccb2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:16:51 +0200 +Subject: efi: avoid error message when booting under Xen + +From: Juergen Gross + +[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ] + +efifb_probe() will issue an error message in case the kernel is booted +as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid +that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set. + +Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB") +Signed-off-by: Juergen Gross +Acked-by: Ard Biesheuvel +Acked-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index 65491ae74808d..e57c00824965c 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -453,7 +453,7 @@ static int efifb_probe(struct platform_device *dev) + info->apertures->ranges[0].base = efifb_fix.smem_start; + info->apertures->ranges[0].size = size_remap; + +- if (efi_enabled(EFI_BOOT) && ++ if (efi_enabled(EFI_MEMMAP) && + !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) { + if ((efifb_fix.smem_start + efifb_fix.smem_len) > + (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) { +-- +2.25.1 + diff --git a/queue-5.8/ext4-check-journal-inode-extents-more-carefully.patch b/queue-5.8/ext4-check-journal-inode-extents-more-carefully.patch new file mode 100644 index 00000000000..36969e68e77 --- /dev/null +++ b/queue-5.8/ext4-check-journal-inode-extents-more-carefully.patch @@ -0,0 +1,317 @@ +From bc14c93dfbd71fdc2b03ba1d1c3f1e1f9bb9d4fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 15:04:34 +0200 +Subject: ext4: check journal inode extents more carefully + +From: Jan Kara + +[ Upstream commit ce9f24cccdc019229b70a5c15e2b09ad9c0ab5d1 ] + +Currently, system zones just track ranges of block, that are "important" +fs metadata (bitmaps, group descriptors, journal blocks, etc.). This +however complicates how extent tree (or indirect blocks) can be checked +for inodes that actually track such metadata - currently the journal +inode but arguably we should be treating quota files or resize inode +similarly. We cannot run __ext4_ext_check() on such metadata inodes when +loading their extents as that would immediately trigger the validity +checks and so we just hack around that and special-case the journal +inode. This however leads to a situation that a journal inode which has +extent tree of depth at least one can have invalid extent tree that gets +unnoticed until ext4_cache_extents() crashes. + +To overcome this limitation, track inode number each system zone belongs +to (0 is used for zones not belonging to any inode). We can then verify +inode number matches the expected one when verifying extent tree and +thus avoid the false errors. With this there's no need to to +special-case journal inode during extent tree checking anymore so remove +it. + +Fixes: 0a944e8a6c66 ("ext4: don't perform block validity checks on the journal inode") +Reported-by: Wolfgang Frisch +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200728130437.7804-4-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 51 ++++++++++++++++++++-------------------- + fs/ext4/ext4.h | 6 ++--- + fs/ext4/extents.c | 16 +++++-------- + fs/ext4/indirect.c | 6 ++--- + fs/ext4/inode.c | 5 ++-- + fs/ext4/mballoc.c | 4 ++-- + 6 files changed, 41 insertions(+), 47 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index b394a50ebbe30..e830a9d4e10d3 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -24,6 +24,7 @@ struct ext4_system_zone { + struct rb_node node; + ext4_fsblk_t start_blk; + unsigned int count; ++ u32 ino; + }; + + static struct kmem_cache *ext4_system_zone_cachep; +@@ -45,7 +46,8 @@ void ext4_exit_system_zone(void) + static inline int can_merge(struct ext4_system_zone *entry1, + struct ext4_system_zone *entry2) + { +- if ((entry1->start_blk + entry1->count) == entry2->start_blk) ++ if ((entry1->start_blk + entry1->count) == entry2->start_blk && ++ entry1->ino == entry2->ino) + return 1; + return 0; + } +@@ -66,7 +68,7 @@ static void release_system_zone(struct ext4_system_blocks *system_blks) + */ + static int add_system_zone(struct ext4_system_blocks *system_blks, + ext4_fsblk_t start_blk, +- unsigned int count) ++ unsigned int count, u32 ino) + { + struct ext4_system_zone *new_entry, *entry; + struct rb_node **n = &system_blks->root.rb_node, *node; +@@ -89,6 +91,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + return -ENOMEM; + new_entry->start_blk = start_blk; + new_entry->count = count; ++ new_entry->ino = ino; + new_node = &new_entry->node; + + rb_link_node(new_node, parent, n); +@@ -149,7 +152,7 @@ static void debug_print_tree(struct ext4_sb_info *sbi) + static int ext4_data_block_valid_rcu(struct ext4_sb_info *sbi, + struct ext4_system_blocks *system_blks, + ext4_fsblk_t start_blk, +- unsigned int count) ++ unsigned int count, ino_t ino) + { + struct ext4_system_zone *entry; + struct rb_node *n; +@@ -170,7 +173,7 @@ static int ext4_data_block_valid_rcu(struct ext4_sb_info *sbi, + else if (start_blk >= (entry->start_blk + entry->count)) + n = n->rb_right; + else +- return 0; ++ return entry->ino == ino; + } + return 1; + } +@@ -204,19 +207,18 @@ static int ext4_protect_reserved_inode(struct super_block *sb, + if (n == 0) { + i++; + } else { +- if (!ext4_data_block_valid_rcu(sbi, system_blks, +- map.m_pblk, n)) { +- err = -EFSCORRUPTED; +- __ext4_error(sb, __func__, __LINE__, -err, +- map.m_pblk, "blocks %llu-%llu " +- "from inode %u overlap system zone", +- map.m_pblk, +- map.m_pblk + map.m_len - 1, ino); ++ err = add_system_zone(system_blks, map.m_pblk, n, ino); ++ if (err < 0) { ++ if (err == -EFSCORRUPTED) { ++ __ext4_error(sb, __func__, __LINE__, ++ -err, map.m_pblk, ++ "blocks %llu-%llu from inode %u overlap system zone", ++ map.m_pblk, ++ map.m_pblk + map.m_len - 1, ++ ino); ++ } + break; + } +- err = add_system_zone(system_blks, map.m_pblk, n); +- if (err < 0) +- break; + i += n; + } + } +@@ -270,19 +272,19 @@ int ext4_setup_system_zone(struct super_block *sb) + ((i < 5) || ((i % flex_size) == 0))) + add_system_zone(system_blks, + ext4_group_first_block_no(sb, i), +- ext4_bg_num_gdb(sb, i) + 1); ++ ext4_bg_num_gdb(sb, i) + 1, 0); + gdp = ext4_get_group_desc(sb, i, NULL); + ret = add_system_zone(system_blks, +- ext4_block_bitmap(sb, gdp), 1); ++ ext4_block_bitmap(sb, gdp), 1, 0); + if (ret) + goto err; + ret = add_system_zone(system_blks, +- ext4_inode_bitmap(sb, gdp), 1); ++ ext4_inode_bitmap(sb, gdp), 1, 0); + if (ret) + goto err; + ret = add_system_zone(system_blks, + ext4_inode_table(sb, gdp), +- sbi->s_itb_per_group); ++ sbi->s_itb_per_group, 0); + if (ret) + goto err; + } +@@ -331,7 +333,7 @@ void ext4_release_system_zone(struct super_block *sb) + call_rcu(&system_blks->rcu, ext4_destroy_system_zone); + } + +-int ext4_data_block_valid(struct ext4_sb_info *sbi, ext4_fsblk_t start_blk, ++int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk, + unsigned int count) + { + struct ext4_system_blocks *system_blks; +@@ -343,9 +345,9 @@ int ext4_data_block_valid(struct ext4_sb_info *sbi, ext4_fsblk_t start_blk, + * mount option. + */ + rcu_read_lock(); +- system_blks = rcu_dereference(sbi->system_blks); +- ret = ext4_data_block_valid_rcu(sbi, system_blks, start_blk, +- count); ++ system_blks = rcu_dereference(EXT4_SB(inode->i_sb)->system_blks); ++ ret = ext4_data_block_valid_rcu(EXT4_SB(inode->i_sb), system_blks, ++ start_blk, count, inode->i_ino); + rcu_read_unlock(); + return ret; + } +@@ -364,8 +366,7 @@ int ext4_check_blockref(const char *function, unsigned int line, + while (bref < p+max) { + blk = le32_to_cpu(*bref++); + if (blk && +- unlikely(!ext4_data_block_valid(EXT4_SB(inode->i_sb), +- blk, 1))) { ++ unlikely(!ext4_inode_block_valid(inode, blk, 1))) { + ext4_error_inode(inode, function, line, blk, + "invalid block"); + return -EFSCORRUPTED; +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 42f5060f3cdf1..42815304902b8 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -3363,9 +3363,9 @@ extern void ext4_release_system_zone(struct super_block *sb); + extern int ext4_setup_system_zone(struct super_block *sb); + extern int __init ext4_init_system_zone(void); + extern void ext4_exit_system_zone(void); +-extern int ext4_data_block_valid(struct ext4_sb_info *sbi, +- ext4_fsblk_t start_blk, +- unsigned int count); ++extern int ext4_inode_block_valid(struct inode *inode, ++ ext4_fsblk_t start_blk, ++ unsigned int count); + extern int ext4_check_blockref(const char *, unsigned int, + struct inode *, __le32 *, unsigned int); + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 221f240eae604..d75054570e44c 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -340,7 +340,7 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext) + */ + if (lblock + len <= lblock) + return 0; +- return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len); ++ return ext4_inode_block_valid(inode, block, len); + } + + static int ext4_valid_extent_idx(struct inode *inode, +@@ -348,7 +348,7 @@ static int ext4_valid_extent_idx(struct inode *inode, + { + ext4_fsblk_t block = ext4_idx_pblock(ext_idx); + +- return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, 1); ++ return ext4_inode_block_valid(inode, block, 1); + } + + static int ext4_valid_extent_entries(struct inode *inode, +@@ -507,14 +507,10 @@ __read_extent_tree_block(const char *function, unsigned int line, + } + if (buffer_verified(bh) && !(flags & EXT4_EX_FORCE_CACHE)) + return bh; +- if (!ext4_has_feature_journal(inode->i_sb) || +- (inode->i_ino != +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) { +- err = __ext4_ext_check(function, line, inode, +- ext_block_hdr(bh), depth, pblk); +- if (err) +- goto errout; +- } ++ err = __ext4_ext_check(function, line, inode, ++ ext_block_hdr(bh), depth, pblk); ++ if (err) ++ goto errout; + set_buffer_verified(bh); + /* + * If this is a leaf block, cache all of its entries +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index be2b66eb65f7a..4026418257121 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -858,8 +858,7 @@ static int ext4_clear_blocks(handle_t *handle, struct inode *inode, + else if (ext4_should_journal_data(inode)) + flags |= EXT4_FREE_BLOCKS_FORGET; + +- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), block_to_free, +- count)) { ++ if (!ext4_inode_block_valid(inode, block_to_free, count)) { + EXT4_ERROR_INODE(inode, "attempt to clear invalid " + "blocks %llu len %lu", + (unsigned long long) block_to_free, count); +@@ -1004,8 +1003,7 @@ static void ext4_free_branches(handle_t *handle, struct inode *inode, + if (!nr) + continue; /* A hole */ + +- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), +- nr, 1)) { ++ if (!ext4_inode_block_valid(inode, nr, 1)) { + EXT4_ERROR_INODE(inode, + "invalid indirect mapped " + "block %lu (level %d)", +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 10dd470876b30..92573f8540ab7 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -394,8 +394,7 @@ static int __check_block_validity(struct inode *inode, const char *func, + (inode->i_ino == + le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) + return 0; +- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, +- map->m_len)) { ++ if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, + "lblock %lu mapped to illegal pblock %llu " + "(length %d)", (unsigned long) map->m_lblk, +@@ -4760,7 +4759,7 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + + ret = 0; + if (ei->i_file_acl && +- !ext4_data_block_valid(EXT4_SB(sb), ei->i_file_acl, 1)) { ++ !ext4_inode_block_valid(inode, ei->i_file_acl, 1)) { + ext4_error_inode(inode, function, line, 0, + "iget: bad extended attribute block %llu", + ei->i_file_acl); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index c0a331e2feb02..38719c156573c 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3090,7 +3090,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + block = ext4_grp_offs_to_block(sb, &ac->ac_b_ex); + + len = EXT4_C2B(sbi, ac->ac_b_ex.fe_len); +- if (!ext4_data_block_valid(sbi, block, len)) { ++ if (!ext4_inode_block_valid(ac->ac_inode, block, len)) { + ext4_error(sb, "Allocating blocks %llu-%llu which overlap " + "fs metadata", block, block+len); + /* File system mounted not to panic on error +@@ -4915,7 +4915,7 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + + sbi = EXT4_SB(sb); + if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) && +- !ext4_data_block_valid(sbi, block, count)) { ++ !ext4_inode_block_valid(inode, block, count)) { + ext4_error(sb, "Freeing blocks not in datazone - " + "block = %llu, count = %lu", block, count); + goto error_return; +-- +2.25.1 + diff --git a/queue-5.8/ext4-don-t-allow-overlapping-system-zones.patch b/queue-5.8/ext4-don-t-allow-overlapping-system-zones.patch new file mode 100644 index 00000000000..ba7fd519c40 --- /dev/null +++ b/queue-5.8/ext4-don-t-allow-overlapping-system-zones.patch @@ -0,0 +1,85 @@ +From 6c415733c47b862404b2a928ac14ff2aa23abe24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 15:04:33 +0200 +Subject: ext4: don't allow overlapping system zones + +From: Jan Kara + +[ Upstream commit bf9a379d0980e7413d94cb18dac73db2bfc5f470 ] + +Currently, add_system_zone() just silently merges two added system zones +that overlap. However the overlap should not happen and it generally +suggests that some unrelated metadata overlap which indicates the fs is +corrupted. We should have caught such problems earlier (e.g. in +ext4_check_descriptors()) but add this check as another line of defense. +In later patch we also use this for stricter checking of journal inode +extent tree. + +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 16e9b2fda03ae..b394a50ebbe30 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -68,7 +68,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + ext4_fsblk_t start_blk, + unsigned int count) + { +- struct ext4_system_zone *new_entry = NULL, *entry; ++ struct ext4_system_zone *new_entry, *entry; + struct rb_node **n = &system_blks->root.rb_node, *node; + struct rb_node *parent = NULL, *new_node = NULL; + +@@ -79,30 +79,20 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + n = &(*n)->rb_left; + else if (start_blk >= (entry->start_blk + entry->count)) + n = &(*n)->rb_right; +- else { +- if (start_blk + count > (entry->start_blk + +- entry->count)) +- entry->count = (start_blk + count - +- entry->start_blk); +- new_node = *n; +- new_entry = rb_entry(new_node, struct ext4_system_zone, +- node); +- break; +- } ++ else /* Unexpected overlap of system zones. */ ++ return -EFSCORRUPTED; + } + +- if (!new_entry) { +- new_entry = kmem_cache_alloc(ext4_system_zone_cachep, +- GFP_KERNEL); +- if (!new_entry) +- return -ENOMEM; +- new_entry->start_blk = start_blk; +- new_entry->count = count; +- new_node = &new_entry->node; +- +- rb_link_node(new_node, parent, n); +- rb_insert_color(new_node, &system_blks->root); +- } ++ new_entry = kmem_cache_alloc(ext4_system_zone_cachep, ++ GFP_KERNEL); ++ if (!new_entry) ++ return -ENOMEM; ++ new_entry->start_blk = start_blk; ++ new_entry->count = count; ++ new_node = &new_entry->node; ++ ++ rb_link_node(new_node, parent, n); ++ rb_insert_color(new_node, &system_blks->root); + + /* Can we merge to the left? */ + node = rb_prev(new_node); +-- +2.25.1 + diff --git a/queue-5.8/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue-5.8/ext4-fix-potential-negative-array-index-in-do_split.patch new file mode 100644 index 00000000000..b08c9073d3b --- /dev/null +++ b/queue-5.8/ext4-fix-potential-negative-array-index-in-do_split.patch @@ -0,0 +1,68 @@ +From 3eb2f400ab71ec361f07bdcaf7d72cefea4eec85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 14:19:04 -0500 +Subject: ext4: fix potential negative array index in do_split() + +From: Eric Sandeen + +[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ] + +If for any reason a directory passed to do_split() does not have enough +active entries to exceed half the size of the block, we can end up +iterating over all "count" entries without finding a split point. + +In this case, count == move, and split will be zero, and we will +attempt a negative index into map[]. + +Guard against this by detecting this case, and falling back to +split-to-half-of-count instead; in this case we will still have +plenty of space (> half blocksize) in each split block. + +Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks") +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 98b91f2314eba..a91a5bb8c3a2b 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1858,7 +1858,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + blocksize, hinfo, map); + map -= count; + dx_sort_map(map, count); +- /* Split the existing block in the middle, size-wise */ ++ /* Ensure that neither split block is over half full */ + size = 0; + move = 0; + for (i = count-1; i >= 0; i--) { +@@ -1868,8 +1868,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + size += map[i].size; + move++; + } +- /* map index at which we will split */ +- split = count - move; ++ /* ++ * map index at which we will split ++ * ++ * If the sum of active entries didn't exceed half the block size, just ++ * split it in half by count; each resulting block will have at least ++ * half the space free. ++ */ ++ if (i > 0) ++ split = count - move; ++ else ++ split = count/2; ++ + hash2 = map[split].hash; + continued = hash2 == map[split - 1].hash; + dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n", +-- +2.25.1 + diff --git a/queue-5.8/fix-build-error-when-config_acpi-is-not-set-enabled.patch b/queue-5.8/fix-build-error-when-config_acpi-is-not-set-enabled.patch new file mode 100644 index 00000000000..515f38a3d37 --- /dev/null +++ b/queue-5.8/fix-build-error-when-config_acpi-is-not-set-enabled.patch @@ -0,0 +1,45 @@ +From b39bb5917a7eb1c63d2d074e9e32f356ff167c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 06:30:47 +0200 +Subject: Fix build error when CONFIG_ACPI is not set/enabled: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit ee87e1557c42dc9c2da11c38e11b87c311569853 ] + +../arch/x86/pci/xen.c: In function ‘pci_xen_init’: +../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration] + acpi_noirq_set(); + +Fixes: 88e9ca161c13 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef") +Signed-off-by: Randy Dunlap +Reviewed-by: Juergen Gross +Cc: Andy Shevchenko +Cc: Bjorn Helgaas +Cc: Konrad Rzeszutek Wilk +Cc: xen-devel@lists.xenproject.org +Cc: linux-pci@vger.kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/pci/xen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c +index e3f1ca3160684..db34fee931388 100644 +--- a/arch/x86/pci/xen.c ++++ b/arch/x86/pci/xen.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + static int xen_pcifront_enable_irq(struct pci_dev *dev) +-- +2.25.1 + diff --git a/queue-5.8/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch b/queue-5.8/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch new file mode 100644 index 00000000000..fd7f422d285 --- /dev/null +++ b/queue-5.8/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch @@ -0,0 +1,45 @@ +From f523b1bff85102d647473c801e4e259de2e19002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:53:15 -0700 +Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haiyang Zhang + +[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ] + +netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue +or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the +queue number, so the “skb->queue_mapping - 1” will be used. This may +cause the last queue of VF not been used. + +Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called +later will get the correct queue number, and VF will be able to use +all queues. + +Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 0d779bba1b019..6b81c04ab5e29 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -502,7 +502,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev, + int rc; + + skb->dev = vf_netdev; +- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping; ++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping); + + rc = dev_queue_xmit(skb); + if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) { +-- +2.25.1 + diff --git a/queue-5.8/i40e-fix-crash-during-removing-i40e-driver.patch b/queue-5.8/i40e-fix-crash-during-removing-i40e-driver.patch new file mode 100644 index 00000000000..a5ba97a3e81 --- /dev/null +++ b/queue-5.8/i40e-fix-crash-during-removing-i40e-driver.patch @@ -0,0 +1,80 @@ +From 32fe49f6da513597cf59ad28ed46b6065120015d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 10:56:49 +0000 +Subject: i40e: Fix crash during removing i40e driver + +From: Grzegorz Szczurek + +[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ] + +Fix the reason of crashing system by add waiting time to finish reset +recovery process before starting remove driver procedure. +Now VSI is releasing if VSI is not in reset recovery mode. +Without this fix it was possible to start remove driver if other +processing command need reset recovery procedure which resulted in +null pointer dereference. VSI used by the ethtool process has been +cleared by remove driver process. + +[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 6731.508668] #PF: supervisor read access in kernel mode +[ 6731.508670] #PF: error_code(0x0000) - not-present page +[ 6731.508671] PGD 0 P4D 0 +[ 6731.508674] Oops: 0000 [#1] SMP PTI +[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017 +[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e] +[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83 +[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246 +[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007 +[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780 +[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004 +[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000 +[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000 +[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000 +[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0 +[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6731.508715] Call Trace: +[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e] +[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e] +[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e] +[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e] +[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e] +[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e] +[ 6731.508778] ethtool_set_channels+0xe9/0x150 +[ 6731.508781] dev_ethtool+0x1b94/0x2920 +[ 6731.508805] dev_ioctl+0xc2/0x590 +[ 6731.508811] sock_do_ioctl+0xae/0x150 +[ 6731.508813] sock_ioctl+0x34f/0x3c0 +[ 6731.508821] ksys_ioctl+0x98/0xb0 +[ 6731.508828] __x64_sys_ioctl+0x1a/0x20 +[ 6731.508831] do_syscall_64+0x57/0x1c0 +[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 56ecd6c3f2362..6af6367e7cac2 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -15352,6 +15352,9 @@ static void i40e_remove(struct pci_dev *pdev) + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0); + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0); + ++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state)) ++ usleep_range(1000, 2000); ++ + /* no more scheduling of any task */ + set_bit(__I40E_SUSPENDED, pf->state); + set_bit(__I40E_DOWN, pf->state); +-- +2.25.1 + diff --git a/queue-5.8/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch b/queue-5.8/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch new file mode 100644 index 00000000000..cfd4bc70ce8 --- /dev/null +++ b/queue-5.8/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch @@ -0,0 +1,114 @@ +From ffc83e96d05cb2807f2dc7cda8a09d6e3e300273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 13:40:59 +0000 +Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN + +From: Przemyslaw Patynowski + +[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ] + +Trusted VF with unicast promiscuous mode set, could listen to TX +traffic of other VFs. +Set unicast promiscuous mode to RX traffic, if VSI has port VLAN +configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to +I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with +VLAN to the one without VLAN. + +Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support") +Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Andrew Bowers +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +- + drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++----- + 2 files changed, 28 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index aa5f1c0aa7215..0921785a10795 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1211,7 +1211,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes { + #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04 + #define I40E_AQC_SET_VSI_DEFAULT 0x08 + #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10 +-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000 ++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000 + __le16 seid; + #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF + __le16 vlan_tag; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 45b90eb11adba..21e44c6cd5eac 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1969,6 +1969,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags, + return status; + } + ++/** ++ * i40e_is_aq_api_ver_ge ++ * @aq: pointer to AdminQ info containing HW API version to compare ++ * @maj: API major value ++ * @min: API minor value ++ * ++ * Assert whether current HW API version is greater/equal than provided. ++ **/ ++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj, ++ u16 min) ++{ ++ return (aq->api_maj_ver > maj || ++ (aq->api_maj_ver == maj && aq->api_min_ver >= min)); ++} ++ + /** + * i40e_aq_add_vsi + * @hw: pointer to the hw struct +@@ -2094,18 +2109,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw, + + if (set) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; +- if (rx_only_promisc && +- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1))) +- flags |= I40E_AQC_SET_VSI_PROMISC_TX; ++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; + } + + cmd->promiscuous_flags = cpu_to_le16(flags); + + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); +- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1)) +- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + + cmd->seid = cpu_to_le16(seid); + status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details); +@@ -2202,11 +2215,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw, + i40e_fill_default_direct_cmd_desc(&desc, + i40e_aqc_opc_set_vsi_promiscuous_modes); + +- if (enable) ++ if (enable) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; ++ } + + cmd->promiscuous_flags = cpu_to_le16(flags); + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + cmd->seid = cpu_to_le16(seid); + cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID); + +-- +2.25.1 + diff --git a/queue-5.8/igc-fix-ptp-initialization.patch b/queue-5.8/igc-fix-ptp-initialization.patch new file mode 100644 index 00000000000..003a008d5f0 --- /dev/null +++ b/queue-5.8/igc-fix-ptp-initialization.patch @@ -0,0 +1,117 @@ +From 19783af68c84eedfea1e4a75c892e58b381262f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 11:32:07 -0700 +Subject: igc: Fix PTP initialization + +From: Vinicius Costa Gomes + +[ Upstream commit 3cda505a679ced78d69c889cfb418d1728bb2707 ] + +Right now, igc_ptp_reset() is called from igc_reset(), which is called +from igc_probe() before igc_ptp_init() has a chance to run. It is +detected as an attempt to use an spinlock without registering its key +first. See log below. + +To avoid this problem, simplify the initialization: igc_ptp_init() is +only called from igc_probe(), and igc_ptp_reset() is only called from +igc_reset(). + +[ 2.736332] INFO: trying to register non-static key. +[ 2.736902] input: HDA Intel PCH Front Headphone as /devices/pci0000:00/0000:00:1f.3/sound/card0/input10 +[ 2.737513] the code is fine but needs lockdep annotation. +[ 2.737513] turning off the locking correctness validator. +[ 2.737515] CPU: 8 PID: 239 Comm: systemd-udevd Tainted: G E 5.8.0-rc7+ #13 +[ 2.737515] Hardware name: Gigabyte Technology Co., Ltd. Z390 AORUS ULTRA/Z390 AORUS ULTRA-CF, BIOS F7 03/14/2019 +[ 2.737516] Call Trace: +[ 2.737521] dump_stack+0x78/0xa0 +[ 2.737524] register_lock_class+0x6b1/0x6f0 +[ 2.737526] ? lockdep_hardirqs_on_prepare+0xca/0x160 +[ 2.739177] ? _raw_spin_unlock_irq+0x24/0x50 +[ 2.739179] ? trace_hardirqs_on+0x1c/0xf0 +[ 2.740820] __lock_acquire+0x56/0x1ff0 +[ 2.740823] ? __schedule+0x30c/0x970 +[ 2.740825] lock_acquire+0x97/0x3e0 +[ 2.740830] ? igc_ptp_reset+0x35/0xf0 [igc] +[ 2.740833] ? schedule_hrtimeout_range_clock+0xb7/0x120 +[ 2.742507] _raw_spin_lock_irqsave+0x3a/0x50 +[ 2.742512] ? igc_ptp_reset+0x35/0xf0 [igc] +[ 2.742515] igc_ptp_reset+0x35/0xf0 [igc] +[ 2.742519] igc_reset+0x96/0xd0 [igc] +[ 2.744148] igc_probe+0x68f/0x7d0 [igc] +[ 2.745796] local_pci_probe+0x3d/0x70 +[ 2.745799] pci_device_probe+0xd1/0x190 +[ 2.745802] really_probe+0x15a/0x3f0 +[ 2.759936] driver_probe_device+0xe1/0x150 +[ 2.759937] device_driver_attach+0xa8/0xb0 +[ 2.761786] __driver_attach+0x89/0x150 +[ 2.761786] ? device_driver_attach+0xb0/0xb0 +[ 2.761787] ? device_driver_attach+0xb0/0xb0 +[ 2.761788] bus_for_each_dev+0x66/0x90 +[ 2.765012] bus_add_driver+0x12e/0x1f0 +[ 2.765716] driver_register+0x8b/0xe0 +[ 2.766418] ? 0xffffffffc0230000 +[ 2.767119] do_one_initcall+0x5a/0x310 +[ 2.767826] ? kmem_cache_alloc_trace+0xe9/0x200 +[ 2.768528] do_init_module+0x5c/0x260 +[ 2.769206] __do_sys_finit_module+0x93/0xe0 +[ 2.770048] do_syscall_64+0x46/0xa0 +[ 2.770716] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 2.771396] RIP: 0033:0x7f83534589e0 +[ 2.772073] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 2e 2e 2e 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 80 24 0d 00 f7 d8 64 89 01 48 +[ 2.772074] RSP: 002b:00007ffd31d0ed18 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +[ 2.774854] RAX: ffffffffffffffda RBX: 000055d52816aba0 RCX: 00007f83534589e0 +[ 2.774855] RDX: 0000000000000000 RSI: 00007f83535b982f RDI: 0000000000000006 +[ 2.774855] RBP: 00007ffd31d0ed60 R08: 0000000000000000 R09: 00007ffd31d0ed30 +[ 2.774856] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000000 +[ 2.774856] R13: 0000000000020000 R14: 00007f83535b982f R15: 000055d527f5e120 + +Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP") +Signed-off-by: Vinicius Costa Gomes +Reviewed-by: Andre Guedes +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 5 ++--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 2 -- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 6919c50e449a2..63259ecd41e5b 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -5158,6 +5158,8 @@ static int igc_probe(struct pci_dev *pdev, + device_set_wakeup_enable(&adapter->pdev->dev, + adapter->flags & IGC_FLAG_WOL_SUPPORTED); + ++ igc_ptp_init(adapter); ++ + /* reset the hardware with the new settings */ + igc_reset(adapter); + +@@ -5174,9 +5176,6 @@ static int igc_probe(struct pci_dev *pdev, + /* carrier off reporting is important to ethtool even BEFORE open */ + netif_carrier_off(netdev); + +- /* do hw tstamp init after resetting */ +- igc_ptp_init(adapter); +- + /* Check if Media Autosense is enabled */ + adapter->ei = *ei; + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 0d746f8588c81..61e38853aa47d 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -608,8 +608,6 @@ void igc_ptp_init(struct igc_adapter *adapter) + adapter->tstamp_config.rx_filter = HWTSTAMP_FILTER_NONE; + adapter->tstamp_config.tx_type = HWTSTAMP_TX_OFF; + +- igc_ptp_reset(adapter); +- + adapter->ptp_clock = ptp_clock_register(&adapter->ptp_caps, + &adapter->pdev->dev); + if (IS_ERR(adapter->ptp_clock)) { +-- +2.25.1 + diff --git a/queue-5.8/ipvlan-fix-device-features.patch b/queue-5.8/ipvlan-fix-device-features.patch new file mode 100644 index 00000000000..05e9e990168 --- /dev/null +++ b/queue-5.8/ipvlan-fix-device-features.patch @@ -0,0 +1,113 @@ +From cf57f5075c7bd784fa7ce67ba416ead1c9572c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 22:53:24 -0700 +Subject: ipvlan: fix device features + +From: Mahesh Bandewar + +[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ] + +Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose +NETIF_F_LLTX feature because of the incorrect handling of +features in ipvlan_fix_features(). + +--before-- +lpaa10:~# ethtool -k ipvl0 | grep tx-lockless +tx-lockless: on [fixed] +lpaa10:~# ethtool -K ipvl0 tso off +Cannot change tcp-segmentation-offload +Actual changes: +vlan-challenged: off [fixed] +tx-lockless: off [fixed] +lpaa10:~# ethtool -k ipvl0 | grep tx-lockless +tx-lockless: off [fixed] +lpaa10:~# + +--after-- +lpaa10:~# ethtool -k ipvl0 | grep tx-lockless +tx-lockless: on [fixed] +lpaa10:~# ethtool -K ipvl0 tso off +Cannot change tcp-segmentation-offload +Could not change any device features +lpaa10:~# ethtool -k ipvl0 | grep tx-lockless +tx-lockless: on [fixed] +lpaa10:~# + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Mahesh Bandewar +Cc: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_main.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 15e87c097b0b3..5bca94c990061 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -106,12 +106,21 @@ static void ipvlan_port_destroy(struct net_device *dev) + kfree(port); + } + ++#define IPVLAN_ALWAYS_ON_OFLOADS \ ++ (NETIF_F_SG | NETIF_F_HW_CSUM | \ ++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL) ++ ++#define IPVLAN_ALWAYS_ON \ ++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED) ++ + #define IPVLAN_FEATURES \ +- (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \ ++ (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \ + NETIF_F_GSO | NETIF_F_ALL_TSO | NETIF_F_GSO_ROBUST | \ + NETIF_F_GRO | NETIF_F_RXCSUM | \ + NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER) + ++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */ ++ + #define IPVLAN_STATE_MASK \ + ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT)) + +@@ -125,7 +134,9 @@ static int ipvlan_init(struct net_device *dev) + dev->state = (dev->state & ~IPVLAN_STATE_MASK) | + (phy_dev->state & IPVLAN_STATE_MASK); + dev->features = phy_dev->features & IPVLAN_FEATURES; +- dev->features |= NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED; ++ dev->features |= IPVLAN_ALWAYS_ON; ++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES; ++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS; + dev->hw_enc_features |= dev->features; + dev->gso_max_size = phy_dev->gso_max_size; + dev->gso_max_segs = phy_dev->gso_max_segs; +@@ -227,7 +238,14 @@ static netdev_features_t ipvlan_fix_features(struct net_device *dev, + { + struct ipvl_dev *ipvlan = netdev_priv(dev); + +- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES); ++ features |= NETIF_F_ALL_FOR_ALL; ++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES); ++ features = netdev_increment_features(ipvlan->phy_dev->features, ++ features, features); ++ features |= IPVLAN_ALWAYS_ON; ++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON); ++ ++ return features; + } + + static void ipvlan_change_rx_flags(struct net_device *dev, int change) +@@ -734,10 +752,9 @@ static int ipvlan_device_event(struct notifier_block *unused, + + case NETDEV_FEAT_CHANGE: + list_for_each_entry(ipvlan, &port->ipvlans, pnode) { +- ipvlan->dev->features = dev->features & IPVLAN_FEATURES; + ipvlan->dev->gso_max_size = dev->gso_max_size; + ipvlan->dev->gso_max_segs = dev->gso_max_segs; +- netdev_features_change(ipvlan->dev); ++ netdev_update_features(ipvlan->dev); + } + break; + +-- +2.25.1 + diff --git a/queue-5.8/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch b/queue-5.8/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch new file mode 100644 index 00000000000..1115f084b4a --- /dev/null +++ b/queue-5.8/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch @@ -0,0 +1,112 @@ +From fd3de18a7843647178b30c20df4e696fbe8e2273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 18:19:08 +0900 +Subject: kconfig: qconf: do not limit the pop-up menu to the first row + +From: Masahiro Yamada + +[ Upstream commit fa8de0a3bf3c02e6f00b7746e7e934db522cdda9 ] + +If you right-click the first row in the option tree, the pop-up menu +shows up, but if you right-click the second row or below, the event +is ignored due to the following check: + + if (e->y() <= header()->geometry().bottom()) { + +Perhaps, the intention was to show the pop-menu only when the tree +header was right-clicked, but this handler is not called in that case. + +Since the origin of e->y() starts from the bottom of the header, +this check is odd. + +Going forward, you can right-click anywhere in the tree to get the +pop-up menu. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 68 ++++++++++++++++++++-------------------- + 1 file changed, 34 insertions(+), 34 deletions(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index 23d1cb01a41ae..be67e74237d22 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -864,40 +864,40 @@ void ConfigList::focusInEvent(QFocusEvent *e) + + void ConfigList::contextMenuEvent(QContextMenuEvent *e) + { +- if (e->y() <= header()->geometry().bottom()) { +- if (!headerPopup) { +- QAction *action; +- +- headerPopup = new QMenu(this); +- action = new QAction("Show Name", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowName(bool))); +- connect(parent(), SIGNAL(showNameChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showName); +- headerPopup->addAction(action); +- action = new QAction("Show Range", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowRange(bool))); +- connect(parent(), SIGNAL(showRangeChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showRange); +- headerPopup->addAction(action); +- action = new QAction("Show Data", this); +- action->setCheckable(true); +- connect(action, SIGNAL(toggled(bool)), +- parent(), SLOT(setShowData(bool))); +- connect(parent(), SIGNAL(showDataChanged(bool)), +- action, SLOT(setOn(bool))); +- action->setChecked(showData); +- headerPopup->addAction(action); +- } +- headerPopup->exec(e->globalPos()); +- e->accept(); +- } else +- e->ignore(); ++ if (!headerPopup) { ++ QAction *action; ++ ++ headerPopup = new QMenu(this); ++ action = new QAction("Show Name", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowName(bool))); ++ connect(parent(), SIGNAL(showNameChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showName); ++ headerPopup->addAction(action); ++ ++ action = new QAction("Show Range", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowRange(bool))); ++ connect(parent(), SIGNAL(showRangeChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showRange); ++ headerPopup->addAction(action); ++ ++ action = new QAction("Show Data", this); ++ action->setCheckable(true); ++ connect(action, SIGNAL(toggled(bool)), ++ parent(), SLOT(setShowData(bool))); ++ connect(parent(), SIGNAL(showDataChanged(bool)), ++ action, SLOT(setOn(bool))); ++ action->setChecked(showData); ++ headerPopup->addAction(action); ++ } ++ ++ headerPopup->exec(e->globalPos()); ++ e->accept(); + } + + ConfigView*ConfigView::viewList; +-- +2.25.1 + diff --git a/queue-5.8/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch b/queue-5.8/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch new file mode 100644 index 00000000000..5a76c6bf9c9 --- /dev/null +++ b/queue-5.8/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch @@ -0,0 +1,75 @@ +From ca5829fe8025794e76463356ebbbba2bd868d69c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 01:36:29 +0900 +Subject: kconfig: qconf: fix signal connection to invalid slots + +From: Masahiro Yamada + +[ Upstream commit d85de3399f97467baa2026fbbbe587850d01ba8a ] + +If you right-click in the ConfigList window, you will see the following +messages in the console: + +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888 +QObject::connect: (sender name: 'config') +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897 +QObject::connect: (sender name: 'config') +QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906 +QObject::connect: (sender name: 'config') + +Right, there is no such slot in QAction. I think this is a typo of +setChecked. + +Due to this bug, when you toggled the menu "Option->Show Name/Range/Data" +the state of the context menu was not previously updated. Fix this. + +Fixes: d5d973c3f8a9 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index be67e74237d22..91ed69b651e99 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -873,7 +873,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowName(bool))); + connect(parent(), SIGNAL(showNameChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showName); + headerPopup->addAction(action); + +@@ -882,7 +882,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowRange(bool))); + connect(parent(), SIGNAL(showRangeChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showRange); + headerPopup->addAction(action); + +@@ -891,7 +891,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e) + connect(action, SIGNAL(toggled(bool)), + parent(), SLOT(setShowData(bool))); + connect(parent(), SIGNAL(showDataChanged(bool)), +- action, SLOT(setOn(bool))); ++ action, SLOT(setChecked(bool))); + action->setChecked(showData); + headerPopup->addAction(action); + } +@@ -1275,7 +1275,7 @@ QMenu* ConfigInfoView::createStandardContextMenu(const QPoint & pos) + + action->setCheckable(true); + connect(action, SIGNAL(toggled(bool)), SLOT(setShowDebug(bool))); +- connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setOn(bool))); ++ connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setChecked(bool))); + action->setChecked(showDebug()); + popup->addSeparator(); + popup->addAction(action); +-- +2.25.1 + diff --git a/queue-5.8/kconfig-qconf-remove-qinfo-to-get-back-qt4-support.patch b/queue-5.8/kconfig-qconf-remove-qinfo-to-get-back-qt4-support.patch new file mode 100644 index 00000000000..e22f98f7499 --- /dev/null +++ b/queue-5.8/kconfig-qconf-remove-qinfo-to-get-back-qt4-support.patch @@ -0,0 +1,64 @@ +From 1531e9d9c77fc01a37e0dc0add87f59f8c3b1b15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 00:16:46 +0900 +Subject: kconfig: qconf: remove qInfo() to get back Qt4 support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masahiro Yamada + +[ Upstream commit 53efe2e76ca2bfad7f35e0b5330e2ccd44a643e3 ] + +qconf is supposed to work with Qt4 and Qt5, but since commit +c4f7398bee9c ("kconfig: qconf: make debug links work again"), +building with Qt4 fails as follows: + + HOSTCXX scripts/kconfig/qconf.o +scripts/kconfig/qconf.cc: In member function ‘void ConfigInfoView::clicked(const QUrl&)’: +scripts/kconfig/qconf.cc:1241:3: error: ‘qInfo’ was not declared in this scope; did you mean ‘setInfo’? + 1241 | qInfo() << "Clicked link is empty"; + | ^~~~~ + | setInfo +scripts/kconfig/qconf.cc:1254:3: error: ‘qInfo’ was not declared in this scope; did you mean ‘setInfo’? + 1254 | qInfo() << "Clicked symbol is invalid:" << data; + | ^~~~~ + | setInfo +make[1]: *** [scripts/Makefile.host:129: scripts/kconfig/qconf.o] Error 1 +make: *** [Makefile:606: xconfig] Error 2 + +qInfo() does not exist in Qt4. In my understanding, these call-sites +should be unreachable. Perhaps, qWarning(), assertion, or something +is better, but qInfo() is not the right one to use here, I think. + +Fixes: c4f7398bee9c ("kconfig: qconf: make debug links work again") +Reported-by: Ronald Warsow +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index 91ed69b651e99..5ceb93010a973 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -1228,7 +1228,6 @@ void ConfigInfoView::clicked(const QUrl &url) + struct menu *m = NULL; + + if (count < 1) { +- qInfo() << "Clicked link is empty"; + delete[] data; + return; + } +@@ -1241,7 +1240,6 @@ void ConfigInfoView::clicked(const QUrl &url) + strcat(data, "$"); + result = sym_re_search(data); + if (!result) { +- qInfo() << "Clicked symbol is invalid:" << data; + delete[] data; + return; + } +-- +2.25.1 + diff --git a/queue-5.8/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch b/queue-5.8/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch new file mode 100644 index 00000000000..38668db08f8 --- /dev/null +++ b/queue-5.8/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch @@ -0,0 +1,44 @@ +From 30761fbd0badfe54c778f9f9599714040b218e15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:16:54 -0700 +Subject: kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode + +From: Jim Mattson + +[ Upstream commit cb957adb4ea422bd758568df5b2478ea3bb34f35 ] + +See the SDM, volume 3, section 4.4.1: + +If PAE paging would be in use following an execution of MOV to CR0 or +MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of +CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then +the PDPTEs are loaded from the address in CR3. + +Fixes: b9baba8614890 ("KVM, pkeys: expose CPUID/CR4 to guest") +Cc: Huaitong Han +Signed-off-by: Jim Mattson +Reviewed-by: Peter Shier +Reviewed-by: Oliver Upton +Message-Id: <20200817181655.3716509-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index a70156b9b72e5..f7304132d5907 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -967,7 +967,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | +- X86_CR4_SMEP | X86_CR4_PKE; ++ X86_CR4_SMEP; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +-- +2.25.1 + diff --git a/queue-5.8/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch b/queue-5.8/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch new file mode 100644 index 00000000000..19cf5931bcb --- /dev/null +++ b/queue-5.8/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch @@ -0,0 +1,44 @@ +From 74d0d804fb2b2b3db2d637f1a7dc49e2a7731f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:16:55 -0700 +Subject: kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode + +From: Jim Mattson + +[ Upstream commit 427890aff8558eb4326e723835e0eae0e6fe3102 ] + +See the SDM, volume 3, section 4.4.1: + +If PAE paging would be in use following an execution of MOV to CR0 or +MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of +CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then +the PDPTEs are loaded from the address in CR3. + +Fixes: 0be0226f07d14 ("KVM: MMU: fix SMAP virtualization") +Cc: Xiao Guangrong +Signed-off-by: Jim Mattson +Reviewed-by: Peter Shier +Reviewed-by: Oliver Upton +Message-Id: <20200817181655.3716509-2-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 4fe976c2495ea..a70156b9b72e5 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -967,7 +967,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | +- X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE; ++ X86_CR4_SMEP | X86_CR4_PKE; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +-- +2.25.1 + diff --git a/queue-5.8/libbpf-fix-btf-defined-map-in-map-initialization-on-.patch b/queue-5.8/libbpf-fix-btf-defined-map-in-map-initialization-on-.patch new file mode 100644 index 00000000000..3e1b3a90cb5 --- /dev/null +++ b/queue-5.8/libbpf-fix-btf-defined-map-in-map-initialization-on-.patch @@ -0,0 +1,75 @@ +From be236ce9713d60af93b1098499e8164a7adb5231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 13:49:39 -0700 +Subject: libbpf: Fix BTF-defined map-in-map initialization on 32-bit host + arches + +From: Andrii Nakryiko + +[ Upstream commit 15728ad3e71c120278105f20fa65b3735e715e0f ] + +Libbpf built in 32-bit mode should be careful about not conflating 64-bit BPF +pointers in BPF ELF file and host architecture pointers. This patch fixes +issue of incorrect initializating of map-in-map inner map slots due to such +difference. + +Fixes: 646f02ffdd49 ("libbpf: Add BTF-defined map-in-map support") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200813204945.1020225-4-andriin@fb.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 11e4725b8b1c0..e7642a6e39f9e 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -5025,7 +5025,8 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj, + static int bpf_object__collect_map_relos(struct bpf_object *obj, + GElf_Shdr *shdr, Elf_Data *data) + { +- int i, j, nrels, new_sz, ptr_sz = sizeof(void *); ++ const int bpf_ptr_sz = 8, host_ptr_sz = sizeof(void *); ++ int i, j, nrels, new_sz; + const struct btf_var_secinfo *vi = NULL; + const struct btf_type *sec, *var, *def; + const struct btf_member *member; +@@ -5074,7 +5075,7 @@ static int bpf_object__collect_map_relos(struct bpf_object *obj, + + vi = btf_var_secinfos(sec) + map->btf_var_idx; + if (vi->offset <= rel.r_offset && +- rel.r_offset + sizeof(void *) <= vi->offset + vi->size) ++ rel.r_offset + bpf_ptr_sz <= vi->offset + vi->size) + break; + } + if (j == obj->nr_maps) { +@@ -5110,17 +5111,20 @@ static int bpf_object__collect_map_relos(struct bpf_object *obj, + return -EINVAL; + + moff = rel.r_offset - vi->offset - moff; +- if (moff % ptr_sz) ++ /* here we use BPF pointer size, which is always 64 bit, as we ++ * are parsing ELF that was built for BPF target ++ */ ++ if (moff % bpf_ptr_sz) + return -EINVAL; +- moff /= ptr_sz; ++ moff /= bpf_ptr_sz; + if (moff >= map->init_slots_sz) { + new_sz = moff + 1; +- tmp = realloc(map->init_slots, new_sz * ptr_sz); ++ tmp = realloc(map->init_slots, new_sz * host_ptr_sz); + if (!tmp) + return -ENOMEM; + map->init_slots = tmp; + memset(map->init_slots + map->init_slots_sz, 0, +- (new_sz - map->init_slots_sz) * ptr_sz); ++ (new_sz - map->init_slots_sz) * host_ptr_sz); + map->init_slots_sz = new_sz; + } + map->init_slots[moff] = targ_map; +-- +2.25.1 + diff --git a/queue-5.8/net-dsa-b53-check-for-timeout.patch b/queue-5.8/net-dsa-b53-check-for-timeout.patch new file mode 100644 index 00000000000..0367ee48e5a --- /dev/null +++ b/queue-5.8/net-dsa-b53-check-for-timeout.patch @@ -0,0 +1,51 @@ +From 63bd0d666ed2e9719c2c96e0268998ee35d3c980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 06:56:00 -0700 +Subject: net: dsa: b53: check for timeout + +From: Tom Rix + +[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ] + +clang static analysis reports this problem + +b53_common.c:1583:13: warning: The left expression of the compound + assignment is an uninitialized value. The computed value will + also be garbage + ent.port &= ~BIT(port); + ~~~~~~~~ ^ + +ent is set by a successful call to b53_arl_read(). Unsuccessful +calls are caught by an switch statement handling specific returns. +b32_arl_read() calls b53_arl_op_wait() which fails with the +unhandled -ETIMEDOUT. + +So add -ETIMEDOUT to the switch statement. Because +b53_arl_op_wait() already prints out a message, do not add another +one. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Tom Rix +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 1df05841ab6b1..86869337223a8 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1555,6 +1555,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port, + return ret; + + switch (ret) { ++ case -ETIMEDOUT: ++ return ret; + case -ENOSPC: + dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n", + addr, vid); +-- +2.25.1 + diff --git a/queue-5.8/net-ena-change-warn_on-expression-in-ena_del_napi_in.patch b/queue-5.8/net-ena-change-warn_on-expression-in-ena_del_napi_in.patch new file mode 100644 index 00000000000..bfce455d06f --- /dev/null +++ b/queue-5.8/net-ena-change-warn_on-expression-in-ena_del_napi_in.patch @@ -0,0 +1,63 @@ +From 7a703396d4bd669ce3ad678772d872f35c0dedda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 20:28:37 +0300 +Subject: net: ena: Change WARN_ON expression in ena_del_napi_in_range() + +From: Shay Agroskin + +[ Upstream commit 8b147f6f3e7de4e51113e3e9ec44aa2debc02c58 ] + +The ena_del_napi_in_range() function unregisters the napi handler for +rings in a given range. +This function had the following WARN_ON macro: + + WARN_ON(ENA_IS_XDP_INDEX(adapter, i) && + adapter->ena_napi[i].xdp_ring); + +This macro prints the call stack if the expression inside of it is +true [1], but the expression inside of it is the wanted situation. +The expression checks whether the ring has an XDP queue and its index +corresponds to a XDP one. + +This patch changes the expression to + !ENA_IS_XDP_INDEX(adapter, i) && adapter->ena_napi[i].xdp_ring +which indicates an unwanted situation. + +Also, change the structure of the function. The napi handler is +unregistered for all rings, and so there's no need to check whether the +index is an XDP index or not. By removing this check the code becomes +much more readable. + +Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") +Signed-off-by: Shay Agroskin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 1a2a464fb2f5f..000f57198352d 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -2177,13 +2177,10 @@ static void ena_del_napi_in_range(struct ena_adapter *adapter, + int i; + + for (i = first_index; i < first_index + count; i++) { +- /* Check if napi was initialized before */ +- if (!ENA_IS_XDP_INDEX(adapter, i) || +- adapter->ena_napi[i].xdp_ring) +- netif_napi_del(&adapter->ena_napi[i].napi); +- else +- WARN_ON(ENA_IS_XDP_INDEX(adapter, i) && +- adapter->ena_napi[i].xdp_ring); ++ netif_napi_del(&adapter->ena_napi[i].napi); ++ ++ WARN_ON(!ENA_IS_XDP_INDEX(adapter, i) && ++ adapter->ena_napi[i].xdp_ring); + } + } + +-- +2.25.1 + diff --git a/queue-5.8/net-ena-prevent-reset-after-device-destruction.patch b/queue-5.8/net-ena-prevent-reset-after-device-destruction.patch new file mode 100644 index 00000000000..3429ed208ed --- /dev/null +++ b/queue-5.8/net-ena-prevent-reset-after-device-destruction.patch @@ -0,0 +1,95 @@ +From 359e0fcb000057099fcdc1c6e23e242c5ededdba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 20:28:36 +0300 +Subject: net: ena: Prevent reset after device destruction + +From: Shay Agroskin + +[ Upstream commit 63d4a4c145cca2e84dc6e62d2ef5cb990c9723c2 ] + +The reset work is scheduled by the timer routine whenever it +detects that a device reset is required (e.g. when a keep_alive signal +is missing). +When releasing device resources in ena_destroy_device() the driver +cancels the scheduling of the timer routine without destroying the reset +work explicitly. + +This creates the following bug: + The driver is suspended and the ena_suspend() function is called + -> This function calls ena_destroy_device() to free the net device + resources + -> The driver waits for the timer routine to finish + its execution and then cancels it, thus preventing from it + to be called again. + + If, in its final execution, the timer routine schedules a reset, + the reset routine might be called afterwards,and a redundant call to + ena_restore_device() would be made. + +By changing the reset routine we allow it to read the device's state +accurately. +This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set +before resetting the device and making both the destruction function and +the flag check are under rtnl lock. +The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction +routine. Also surround the flag check with 'likely' because +we expect that the reset routine would be called only when +ENA_FLAG_TRIGGER_RESET flag is set. + +The destruction of the timer and reset services in __ena_shutoff() have to +stay, even though the timer routine is destroyed in ena_destroy_device(). +This is to avoid a case in which the reset routine is scheduled after +free_netdev() in __ena_shutoff(), which would create an access to freed +memory in adapter->flags. + +Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver") +Signed-off-by: Shay Agroskin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index dda4b8fc9525e..1a2a464fb2f5f 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3523,16 +3523,14 @@ static void ena_fw_reset_device(struct work_struct *work) + { + struct ena_adapter *adapter = + container_of(work, struct ena_adapter, reset_task); +- struct pci_dev *pdev = adapter->pdev; + +- if (unlikely(!test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) { +- dev_err(&pdev->dev, +- "device reset schedule while reset bit is off\n"); +- return; +- } + rtnl_lock(); +- ena_destroy_device(adapter, false); +- ena_restore_device(adapter); ++ ++ if (likely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) { ++ ena_destroy_device(adapter, false); ++ ena_restore_device(adapter); ++ } ++ + rtnl_unlock(); + } + +@@ -4366,8 +4364,11 @@ static void __ena_shutoff(struct pci_dev *pdev, bool shutdown) + netdev->rx_cpu_rmap = NULL; + } + #endif /* CONFIG_RFS_ACCEL */ +- del_timer_sync(&adapter->timer_service); + ++ /* Make sure timer and reset routine won't be called after ++ * freeing device resources. ++ */ ++ del_timer_sync(&adapter->timer_service); + cancel_work_sync(&adapter->reset_task); + + rtnl_lock(); /* lock released inside the below if-else block */ +-- +2.25.1 + diff --git a/queue-5.8/net-fec-correct-the-error-path-for-regulator-disable.patch b/queue-5.8/net-fec-correct-the-error-path-for-regulator-disable.patch new file mode 100644 index 00000000000..6f1646519ec --- /dev/null +++ b/queue-5.8/net-fec-correct-the-error-path-for-regulator-disable.patch @@ -0,0 +1,40 @@ +From 75bcc3948c382bedf83fc84cd487e4ae0e78202e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 15:13:14 +0800 +Subject: net: fec: correct the error path for regulator disable in probe + +From: Fugang Duan + +[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ] + +Correct the error path for regulator disable. + +Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check") +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index cc7fbfc093548..534fcc71a2a53 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3714,11 +3714,11 @@ fec_probe(struct platform_device *pdev) + failed_irq: + failed_init: + fec_ptp_stop(pdev); +- if (fep->reg_phy) +- regulator_disable(fep->reg_phy); + failed_reset: + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++ if (fep->reg_phy) ++ regulator_disable(fep->reg_phy); + failed_regulator: + clk_disable_unprepare(fep->clk_ahb); + failed_clk_ahb: +-- +2.25.1 + diff --git a/queue-5.8/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch b/queue-5.8/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch new file mode 100644 index 00000000000..6e25ef9e9d6 --- /dev/null +++ b/queue-5.8/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch @@ -0,0 +1,54 @@ +From f2e6aec657df8cffef555631b294e04b8bbff851 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 10:33:09 +0800 +Subject: net: gemini: Fix missing free_netdev() in error path of + gemini_ethernet_port_probe() + +From: Wang Hai + +[ Upstream commit cf96d977381d4a23957bade2ddf1c420b74a26b6 ] + +Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way, +when probe fails, netdev can be freed automatically. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 66e67b24a887c..62e271aea4a50 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2389,7 +2389,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + + dev_info(dev, "probe %s ID %d\n", dev_name(dev), id); + +- netdev = alloc_etherdev_mq(sizeof(*port), TX_QUEUE_NUM); ++ netdev = devm_alloc_etherdev_mqs(dev, sizeof(*port), TX_QUEUE_NUM, TX_QUEUE_NUM); + if (!netdev) { + dev_err(dev, "Can't allocate ethernet device #%d\n", id); + return -ENOMEM; +@@ -2521,7 +2521,6 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + } + + port->netdev = NULL; +- free_netdev(netdev); + return ret; + } + +@@ -2530,7 +2529,6 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev) + struct gemini_ethernet_port *port = platform_get_drvdata(pdev); + + gemini_port_remove(port); +- free_netdev(port->netdev); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.8/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch b/queue-5.8/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch new file mode 100644 index 00000000000..6edf19f1d54 --- /dev/null +++ b/queue-5.8/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch @@ -0,0 +1,67 @@ +From 7a3e92916143a659a4a819753efb8ac7a5a29b5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 17:44:09 -0400 +Subject: netfilter: nf_tables: nft_exthdr: the presence return value should be + little-endian + +From: Stephen Suryaputra + +[ Upstream commit b428336676dbca363262cc134b6218205df4f530 ] + +On big-endian machine, the returned register data when the exthdr is +present is not being compared correctly because little-endian is +assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval() +and nft_cmp_fast_init(), calls cpu_to_le32(). + +The following dump also shows that little endian is assumed: + +$ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter +ip + [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + [ counter pkts 0 bytes 0 ] + +Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when +RR option exists in the packet shows that the comparison fails because +the assumption: + +nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0 +nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000 + +v2: use nft_reg_store8() instead (Florian Westphal). Also to avoid the + warnings reported by kernel test robot. + +Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check") +Signed-off-by: Stephen Suryaputra +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index 07782836fad6e..3c48cdc8935df 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -44,7 +44,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, + + err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { +- *dest = (err >= 0); ++ nft_reg_store8(dest, err >= 0); + return; + } else if (err < 0) { + goto err; +@@ -141,7 +141,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, + + err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { +- *dest = (err >= 0); ++ nft_reg_store8(dest, err >= 0); + return; + } else if (err < 0) { + goto err; +-- +2.25.1 + diff --git a/queue-5.8/of-address-check-for-invalid-range.cpu_addr.patch b/queue-5.8/of-address-check-for-invalid-range.cpu_addr.patch new file mode 100644 index 00000000000..f84da856e35 --- /dev/null +++ b/queue-5.8/of-address-check-for-invalid-range.cpu_addr.patch @@ -0,0 +1,42 @@ +From aca4af8bbf053db79e462f2724fb08a5388c3471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 12:32:08 +0100 +Subject: of/address: check for invalid range.cpu_addr + +From: Colin Ian King + +[ Upstream commit f49c7faf776f16607c948d852a03b04a88c3b583 ] + +Currently invalid CPU addresses are not being sanity checked resulting in +SATA setup failure on a SynQuacer SC2A11 development machine. The original +check was removed by and earlier commit, so add a sanity check back in +to avoid this regression. + +Fixes: 7a8b64d17e35 ("of/address: use range parser for of_dma_get_range") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200817113208.523805-1-colin.king@canonical.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index 8eea3f6e29a44..340d3051b1ce2 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -980,6 +980,11 @@ int of_dma_get_range(struct device_node *np, u64 *dma_addr, u64 *paddr, u64 *siz + /* Don't error out as we'd break some existing DTs */ + continue; + } ++ if (range.cpu_addr == OF_BAD_ADDR) { ++ pr_err("translation of DMA address(%llx) to CPU address failed node(%pOF)\n", ++ range.bus_addr, node); ++ continue; ++ } + dma_offset = range.cpu_addr - range.bus_addr; + + /* Take lower and upper limits */ +-- +2.25.1 + diff --git a/queue-5.8/powerpc-add-power10-raw-mode-cputable-entry.patch b/queue-5.8/powerpc-add-power10-raw-mode-cputable-entry.patch new file mode 100644 index 00000000000..deb1cee0a90 --- /dev/null +++ b/queue-5.8/powerpc-add-power10-raw-mode-cputable-entry.patch @@ -0,0 +1,67 @@ +From 42042ec9d22c38fcd636299af50f269449860d92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 06:26:18 +0530 +Subject: powerpc: Add POWER10 raw mode cputable entry + +From: Madhavan Srinivasan + +[ Upstream commit 327da008e65a25b8206b36b7fc0c9e4edbb36a58 ] + +Add a raw mode cputable entry for POWER10. Copies most of the fields +from commit a3ea40d5c736 ("powerpc: Add POWER10 architected mode") +except for oprofile_cpu_type, machine_check_early, pvr_mask and +pvr_mask fields. On bare metal systems we use DT CPU features, which +doesn't need a cputable entry. But in VMs we still rely on the raw +cputable entry to set the correct values for the PMU related fields. + +Fixes: a3ea40d5c736 ("powerpc: Add POWER10 architected mode") +Signed-off-by: Madhavan Srinivasan +[mpe: Reorder vs cleanup patch and add Fixes tag] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200817005618.3305028-2-maddy@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/cputable.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c +index b4066354f0730..bb0c7f43a8283 100644 +--- a/arch/powerpc/kernel/cputable.c ++++ b/arch/powerpc/kernel/cputable.c +@@ -75,6 +75,7 @@ extern void __restore_cpu_power10(void); + extern long __machine_check_early_realmode_p7(struct pt_regs *regs); + extern long __machine_check_early_realmode_p8(struct pt_regs *regs); + extern long __machine_check_early_realmode_p9(struct pt_regs *regs); ++extern long __machine_check_early_realmode_p10(struct pt_regs *regs); + #endif /* CONFIG_PPC64 */ + #if defined(CONFIG_E500) + extern void __setup_cpu_e5500(unsigned long offset, struct cpu_spec* spec); +@@ -541,6 +542,25 @@ static struct cpu_spec __initdata cpu_specs[] = { + .machine_check_early = __machine_check_early_realmode_p9, + .platform = "power9", + }, ++ { /* Power10 */ ++ .pvr_mask = 0xffff0000, ++ .pvr_value = 0x00800000, ++ .cpu_name = "POWER10 (raw)", ++ .cpu_features = CPU_FTRS_POWER10, ++ .cpu_user_features = COMMON_USER_POWER10, ++ .cpu_user_features2 = COMMON_USER2_POWER10, ++ .mmu_features = MMU_FTRS_POWER10, ++ .icache_bsize = 128, ++ .dcache_bsize = 128, ++ .num_pmcs = 6, ++ .pmc_type = PPC_PMC_IBM, ++ .oprofile_cpu_type = "ppc64/power10", ++ .oprofile_type = PPC_OPROFILE_INVALID, ++ .cpu_setup = __setup_cpu_power10, ++ .cpu_restore = __restore_cpu_power10, ++ .machine_check_early = __machine_check_early_realmode_p10, ++ .platform = "power10", ++ }, + { /* Cell Broadband Engine */ + .pvr_mask = 0xffff0000, + .pvr_value = 0x00700000, +-- +2.25.1 + diff --git a/queue-5.8/powerpc-fixmap-fix-the-size-of-the-early-debug-area.patch b/queue-5.8/powerpc-fixmap-fix-the-size-of-the-early-debug-area.patch new file mode 100644 index 00000000000..fab205a0a40 --- /dev/null +++ b/queue-5.8/powerpc-fixmap-fix-the-size-of-the-early-debug-area.patch @@ -0,0 +1,40 @@ +From 40c58f526096f652cccb83b458fca559dea134e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 06:03:26 +0000 +Subject: powerpc/fixmap: Fix the size of the early debug area + +From: Christophe Leroy + +[ Upstream commit fdc6edbb31fba76fd25d7bd016b675a92908d81e ] + +Commit ("03fd42d458fb powerpc/fixmap: Fix FIX_EARLY_DEBUG_BASE when +page size is 256k") reworked the setup of the early debug area and +mistakenly replaced 128 * 1024 by SZ_128. + +Change to SZ_128K to restore the original 128 kbytes size of the area. + +Fixes: 03fd42d458fb ("powerpc/fixmap: Fix FIX_EARLY_DEBUG_BASE when page size is 256k") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/996184974d674ff984643778cf1cdd7fe58cc065.1597644194.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/fixmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/fixmap.h b/arch/powerpc/include/asm/fixmap.h +index 925cf89cbf4ba..6bfc87915d5db 100644 +--- a/arch/powerpc/include/asm/fixmap.h ++++ b/arch/powerpc/include/asm/fixmap.h +@@ -52,7 +52,7 @@ enum fixed_addresses { + FIX_HOLE, + /* reserve the top 128K for early debugging purposes */ + FIX_EARLY_DEBUG_TOP = FIX_HOLE, +- FIX_EARLY_DEBUG_BASE = FIX_EARLY_DEBUG_TOP+(ALIGN(SZ_128, PAGE_SIZE)/PAGE_SIZE)-1, ++ FIX_EARLY_DEBUG_BASE = FIX_EARLY_DEBUG_TOP+(ALIGN(SZ_128K, PAGE_SIZE)/PAGE_SIZE)-1, + #ifdef CONFIG_HIGHMEM + FIX_KMAP_BEGIN, /* reserved pte's for temporary kernel mappings */ + FIX_KMAP_END = FIX_KMAP_BEGIN+(KM_TYPE_NR*NR_CPUS)-1, +-- +2.25.1 + diff --git a/queue-5.8/powerpc-pseries-hotplug-cpu-wait-indefinitely-for-vc.patch b/queue-5.8/powerpc-pseries-hotplug-cpu-wait-indefinitely-for-vc.patch new file mode 100644 index 00000000000..b703ccf3896 --- /dev/null +++ b/queue-5.8/powerpc-pseries-hotplug-cpu-wait-indefinitely-for-vc.patch @@ -0,0 +1,160 @@ +From 21e09376f862a388631d845391fd919b477cab63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 11:15:44 -0500 +Subject: powerpc/pseries/hotplug-cpu: wait indefinitely for vCPU death + +From: Michael Roth + +[ Upstream commit 801980f6497946048709b9b09771a1729551d705 ] + +For a power9 KVM guest with XIVE enabled, running a test loop +where we hotplug 384 vcpus and then unplug them, the following traces +can be seen (generally within a few loops) either from the unplugged +vcpu: + + cpu 65 (hwid 65) Ready to die... + Querying DEAD? cpu 66 (66) shows 2 + list_del corruption. next->prev should be c00a000002470208, but was c00a000002470048 + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:56! + Oops: Exception in kernel mode, sig: 5 [#1] + LE SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: fuse nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 ... + CPU: 66 PID: 0 Comm: swapper/66 Kdump: loaded Not tainted 4.18.0-221.el8.ppc64le #1 + NIP: c0000000007ab50c LR: c0000000007ab508 CTR: 00000000000003ac + REGS: c0000009e5a17840 TRAP: 0700 Not tainted (4.18.0-221.el8.ppc64le) + MSR: 800000000282b033 CR: 28000842 XER: 20040000 + ... + NIP __list_del_entry_valid+0xac/0x100 + LR __list_del_entry_valid+0xa8/0x100 + Call Trace: + __list_del_entry_valid+0xa8/0x100 (unreliable) + free_pcppages_bulk+0x1f8/0x940 + free_unref_page+0xd0/0x100 + xive_spapr_cleanup_queue+0x148/0x1b0 + xive_teardown_cpu+0x1bc/0x240 + pseries_mach_cpu_die+0x78/0x2f0 + cpu_die+0x48/0x70 + arch_cpu_idle_dead+0x20/0x40 + do_idle+0x2f4/0x4c0 + cpu_startup_entry+0x38/0x40 + start_secondary+0x7bc/0x8f0 + start_secondary_prolog+0x10/0x14 + +or on the worker thread handling the unplug: + + pseries-hotplug-cpu: Attempting to remove CPU , drc index: 1000013a + Querying DEAD? cpu 314 (314) shows 2 + BUG: Bad page state in process kworker/u768:3 pfn:95de1 + cpu 314 (hwid 314) Ready to die... + page:c00a000002577840 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 + flags: 0x5ffffc00000000() + raw: 005ffffc00000000 5deadbeef0000100 5deadbeef0000200 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000 + page dumped because: nonzero mapcount + Modules linked in: kvm xt_CHECKSUM ipt_MASQUERADE xt_conntrack ... + CPU: 0 PID: 548 Comm: kworker/u768:3 Kdump: loaded Not tainted 4.18.0-224.el8.bz1856588.ppc64le #1 + Workqueue: pseries hotplug workque pseries_hp_work_fn + Call Trace: + dump_stack+0xb0/0xf4 (unreliable) + bad_page+0x12c/0x1b0 + free_pcppages_bulk+0x5bc/0x940 + page_alloc_cpu_dead+0x118/0x120 + cpuhp_invoke_callback.constprop.5+0xb8/0x760 + _cpu_down+0x188/0x340 + cpu_down+0x5c/0xa0 + cpu_subsys_offline+0x24/0x40 + device_offline+0xf0/0x130 + dlpar_offline_cpu+0x1c4/0x2a0 + dlpar_cpu_remove+0xb8/0x190 + dlpar_cpu_remove_by_index+0x12c/0x150 + dlpar_cpu+0x94/0x800 + pseries_hp_work_fn+0x128/0x1e0 + process_one_work+0x304/0x5d0 + worker_thread+0xcc/0x7a0 + kthread+0x1ac/0x1c0 + ret_from_kernel_thread+0x5c/0x80 + +The latter trace is due to the following sequence: + + page_alloc_cpu_dead + drain_pages + drain_pages_zone + free_pcppages_bulk + +where drain_pages() in this case is called under the assumption that +the unplugged cpu is no longer executing. To ensure that is the case, +and early call is made to __cpu_die()->pseries_cpu_die(), which runs a +loop that waits for the cpu to reach a halted state by polling its +status via query-cpu-stopped-state RTAS calls. It only polls for 25 +iterations before giving up, however, and in the trace above this +results in the following being printed only .1 seconds after the +hotplug worker thread begins processing the unplug request: + + pseries-hotplug-cpu: Attempting to remove CPU , drc index: 1000013a + Querying DEAD? cpu 314 (314) shows 2 + +At that point the worker thread assumes the unplugged CPU is in some +unknown/dead state and procedes with the cleanup, causing the race +with the XIVE cleanup code executed by the unplugged CPU. + +Fix this by waiting indefinitely, but also making an effort to avoid +spurious lockup messages by allowing for rescheduling after polling +the CPU status and printing a warning if we wait for longer than 120s. + +Fixes: eac1e731b59ee ("powerpc/xive: guest exploitation of the XIVE interrupt controller") +Suggested-by: Michael Ellerman +Signed-off-by: Michael Roth +Tested-by: Greg Kurz +Reviewed-by: Thiago Jung Bauermann +Reviewed-by: Greg Kurz +[mpe: Trim oopses in change log slightly for readability] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200811161544.10513-1-mdroth@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index 6d4ee03d476a9..ec04fc7f5a641 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -107,22 +107,28 @@ static int pseries_cpu_disable(void) + */ + static void pseries_cpu_die(unsigned int cpu) + { +- int tries; + int cpu_status = 1; + unsigned int pcpu = get_hard_smp_processor_id(cpu); ++ unsigned long timeout = jiffies + msecs_to_jiffies(120000); + +- for (tries = 0; tries < 25; tries++) { ++ while (true) { + cpu_status = smp_query_cpu_stopped(pcpu); + if (cpu_status == QCSS_STOPPED || + cpu_status == QCSS_HARDWARE_ERROR) + break; +- cpu_relax(); + ++ if (time_after(jiffies, timeout)) { ++ pr_warn("CPU %i (hwid %i) didn't die after 120 seconds\n", ++ cpu, pcpu); ++ timeout = jiffies + msecs_to_jiffies(120000); ++ } ++ ++ cond_resched(); + } + +- if (cpu_status != 0) { +- printk("Querying DEAD? cpu %i (%i) shows %i\n", +- cpu, pcpu, cpu_status); ++ if (cpu_status == QCSS_HARDWARE_ERROR) { ++ pr_warn("CPU %i (hwid %i) reported error while dying\n", ++ cpu, pcpu); + } + + /* Isolation and deallocation are definitely done by +-- +2.25.1 + diff --git a/queue-5.8/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch b/queue-5.8/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch new file mode 100644 index 00000000000..0c3c5df5527 --- /dev/null +++ b/queue-5.8/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch @@ -0,0 +1,42 @@ +From 638dcf21869fee7c572b6ec667b83251ad6116f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 21:45:48 -0700 +Subject: RDMA/bnxt_re: Do not add user qps to flushlist + +From: Selvin Xavier + +[ Upstream commit a812f2d60a9fb7818f9c81f967180317b52545c0 ] + +Driver shall add only the kernel qps to the flush list for clean up. +During async error events from the HW, driver is adding qps to this list +without checking if the qp is kernel qp or not. + +Add a check to avoid user qp addition to the flush list. + +Fixes: 942c9b6ca8de ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing") +Fixes: c50866e2853a ("bnxt_re: fix the regression due to changes in alloc_pbl") +Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index b12fbc857f942..5c41e13496a02 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -811,7 +811,8 @@ static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event, + struct ib_event event; + unsigned int flags; + +- if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR) { ++ if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR && ++ rdma_is_kernel_res(&qp->ib_qp.res)) { + flags = bnxt_re_lock_cqs(qp); + bnxt_qplib_add_flush_qp(&qp->qplib_qp); + bnxt_re_unlock_cqs(qp, flags); +-- +2.25.1 + diff --git a/queue-5.8/revert-rdma-hns-reserve-one-sge-in-order-to-avoid-lo.patch b/queue-5.8/revert-rdma-hns-reserve-one-sge-in-order-to-avoid-lo.patch new file mode 100644 index 00000000000..711595d74f7 --- /dev/null +++ b/queue-5.8/revert-rdma-hns-reserve-one-sge-in-order-to-avoid-lo.patch @@ -0,0 +1,137 @@ +From c4667194ce7512d93d4dc90d24c02e1760ce5a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 17:39:44 +0800 +Subject: Revert "RDMA/hns: Reserve one sge in order to avoid local length + error" + +From: Weihang Li + +[ Upstream commit 6da06c6291f38be4df6df2efb76ba925096d2691 ] + +This patch caused some issues on SEND operation, and it should be reverted +to make the drivers work correctly. There will be a better solution that +has been tested carefully to solve the original problem. + +This reverts commit 711195e57d341e58133d92cf8aaab1db24e4768d. + +Fixes: 711195e57d34 ("RDMA/hns: Reserve one sge in order to avoid local length error") +Link: https://lore.kernel.org/r/1597829984-20223-1-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 2 -- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 9 ++++----- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 4 +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 5 ++--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 5 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index 479fa557993e7..c69453a62767c 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -66,8 +66,6 @@ + #define HNS_ROCE_CQE_WCMD_EMPTY_BIT 0x2 + #define HNS_ROCE_MIN_CQE_CNT 16 + +-#define HNS_ROCE_RESERVED_SGE 1 +- + #define HNS_ROCE_MAX_IRQ_NUM 128 + + #define HNS_ROCE_SGE_IN_WQE 2 +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index eb71b941d21b7..38a48ab3e1d02 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -629,7 +629,7 @@ static int hns_roce_v2_post_recv(struct ib_qp *ibqp, + + wqe_idx = (hr_qp->rq.head + nreq) & (hr_qp->rq.wqe_cnt - 1); + +- if (unlikely(wr->num_sge >= hr_qp->rq.max_gs)) { ++ if (unlikely(wr->num_sge > hr_qp->rq.max_gs)) { + ibdev_err(ibdev, "rq:num_sge=%d >= qp->sq.max_gs=%d\n", + wr->num_sge, hr_qp->rq.max_gs); + ret = -EINVAL; +@@ -649,7 +649,6 @@ static int hns_roce_v2_post_recv(struct ib_qp *ibqp, + if (wr->num_sge < hr_qp->rq.max_gs) { + dseg->lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY); + dseg->addr = 0; +- dseg->len = cpu_to_le32(HNS_ROCE_INVALID_SGE_LENGTH); + } + + /* rq support inline data */ +@@ -783,8 +782,8 @@ static int hns_roce_v2_post_srq_recv(struct ib_srq *ibsrq, + } + + if (wr->num_sge < srq->max_gs) { +- dseg[i].len = cpu_to_le32(HNS_ROCE_INVALID_SGE_LENGTH); +- dseg[i].lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY); ++ dseg[i].len = 0; ++ dseg[i].lkey = cpu_to_le32(0x100); + dseg[i].addr = 0; + } + +@@ -5098,7 +5097,7 @@ static int hns_roce_v2_query_srq(struct ib_srq *ibsrq, struct ib_srq_attr *attr) + + attr->srq_limit = limit_wl; + attr->max_wr = srq->wqe_cnt - 1; +- attr->max_sge = srq->max_gs - HNS_ROCE_RESERVED_SGE; ++ attr->max_sge = srq->max_gs; + + out: + hns_roce_free_cmd_mailbox(hr_dev, mailbox); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index e6c385ced1872..4f840997c6c73 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -92,9 +92,7 @@ + #define HNS_ROCE_V2_CQC_TIMER_ENTRY_SZ PAGE_SIZE + #define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFFF000 + #define HNS_ROCE_V2_MAX_INNER_MTPT_NUM 2 +-#define HNS_ROCE_INVALID_LKEY 0x0 +-#define HNS_ROCE_INVALID_SGE_LENGTH 0x80000000 +- ++#define HNS_ROCE_INVALID_LKEY 0x100 + #define HNS_ROCE_CMQ_TX_TIMEOUT 30000 + #define HNS_ROCE_V2_UC_RC_SGE_NUM_IN_WQE 2 + #define HNS_ROCE_V2_RSV_QPS 8 +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index a0a47bd669759..4edea397b6b80 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -386,8 +386,7 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap, + return -EINVAL; + } + +- hr_qp->rq.max_gs = roundup_pow_of_two(max(1U, cap->max_recv_sge) + +- HNS_ROCE_RESERVED_SGE); ++ hr_qp->rq.max_gs = roundup_pow_of_two(max(1U, cap->max_recv_sge)); + + if (hr_dev->caps.max_rq_sg <= HNS_ROCE_SGE_IN_WQE) + hr_qp->rq.wqe_shift = ilog2(hr_dev->caps.max_rq_desc_sz); +@@ -402,7 +401,7 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap, + hr_qp->rq_inl_buf.wqe_cnt = 0; + + cap->max_recv_wr = cnt; +- cap->max_recv_sge = hr_qp->rq.max_gs - HNS_ROCE_RESERVED_SGE; ++ cap->max_recv_sge = hr_qp->rq.max_gs; + + return 0; + } +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index f40a000e94ee7..b9e2dbd372b66 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -297,7 +297,7 @@ int hns_roce_create_srq(struct ib_srq *ib_srq, + spin_lock_init(&srq->lock); + + srq->wqe_cnt = roundup_pow_of_two(init_attr->attr.max_wr + 1); +- srq->max_gs = init_attr->attr.max_sge + HNS_ROCE_RESERVED_SGE; ++ srq->max_gs = init_attr->attr.max_sge; + + if (udata) { + ret = ib_copy_from_udata(&ucmd, udata, sizeof(ucmd)); +-- +2.25.1 + diff --git a/queue-5.8/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch b/queue-5.8/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch new file mode 100644 index 00000000000..b0cc5728ec7 --- /dev/null +++ b/queue-5.8/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch @@ -0,0 +1,44 @@ +From 3e4c571a1c2797f88f3116a4d4dbe30acced9245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 04:10:14 -0700 +Subject: Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during + probe" + +From: Quinn Tran + +[ Upstream commit dca93232b361d260413933903cd4bdbd92ebcc7f ] + +FCP T10-PI and NVMe features are independent of each other. This patch +allows both features to co-exist. + +This reverts commit 5da05a26b8305a625bc9d537671b981795b46dab. + +Link: https://lore.kernel.org/r/20200806111014.28434-12-njavali@marvell.com +Fixes: 5da05a26b830 ("scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index e92fad99338cd..5c7c22d0fab4b 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -2829,10 +2829,6 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + /* This may fail but that's ok */ + pci_enable_pcie_error_reporting(pdev); + +- /* Turn off T10-DIF when FC-NVMe is enabled */ +- if (ql2xnvmeenable) +- ql2xenabledif = 0; +- + ha = kzalloc(sizeof(struct qla_hw_data), GFP_KERNEL); + if (!ha) { + ql_log_pci(ql_log_fatal, pdev, 0x0009, +-- +2.25.1 + diff --git a/queue-5.8/s390-ptrace-fix-storage-key-handling.patch b/queue-5.8/s390-ptrace-fix-storage-key-handling.patch new file mode 100644 index 00000000000..83660d747b1 --- /dev/null +++ b/queue-5.8/s390-ptrace-fix-storage-key-handling.patch @@ -0,0 +1,54 @@ +From b29a0df10a6d16127fde71d07a3bb807a9c015f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 18:56:28 +0200 +Subject: s390/ptrace: fix storage key handling + +From: Heiko Carstens + +[ Upstream commit fd78c59446b8d050ecf3e0897c5a486c7de7c595 ] + +The key member of the runtime instrumentation control block contains +only the access key, not the complete storage key. Therefore the value +must be shifted by four bits. Since existing user space does not +necessarily query and set the access key correctly, just ignore the +user space provided key and use the correct one. +Note: this is only relevant for debugging purposes in case somebody +compiles a kernel with a default storage access key set to a value not +equal to zero. + +Fixes: 262832bc5acd ("s390/ptrace: add runtime instrumention register get/set") +Reported-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 3cc15c0662983..2924f236d89c6 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -1310,7 +1310,6 @@ static bool is_ri_cb_valid(struct runtime_instr_cb *cb) + cb->pc == 1 && + cb->qc == 0 && + cb->reserved2 == 0 && +- cb->key == PAGE_DEFAULT_KEY && + cb->reserved3 == 0 && + cb->reserved4 == 0 && + cb->reserved5 == 0 && +@@ -1374,7 +1373,11 @@ static int s390_runtime_instr_set(struct task_struct *target, + kfree(data); + return -EINVAL; + } +- ++ /* ++ * Override access key in any case, since user space should ++ * not be able to set it, nor should it care about it. ++ */ ++ ri_cb.key = PAGE_DEFAULT_KEY >> 4; + preempt_disable(); + if (!target->thread.ri_cb) + target->thread.ri_cb = data; +-- +2.25.1 + diff --git a/queue-5.8/s390-runtime_instrumentation-fix-storage-key-handlin.patch b/queue-5.8/s390-runtime_instrumentation-fix-storage-key-handlin.patch new file mode 100644 index 00000000000..679b657def7 --- /dev/null +++ b/queue-5.8/s390-runtime_instrumentation-fix-storage-key-handlin.patch @@ -0,0 +1,40 @@ +From ca0e6e856c70d10e3d462a5ec7d44d2717f3ff2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 18:55:41 +0200 +Subject: s390/runtime_instrumentation: fix storage key handling + +From: Heiko Carstens + +[ Upstream commit 9eaba29c7985236e16468f4e6a49cc18cf01443e ] + +The key member of the runtime instrumentation control block contains +only the access key, not the complete storage key. Therefore the value +must be shifted by four bits. +Note: this is only relevant for debugging purposes in case somebody +compiles a kernel with a default storage access key set to a value not +equal to zero. + +Fixes: e4b8b3f33fca ("s390: add support for runtime instrumentation") +Reported-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/runtime_instr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c +index 125c7f6e87150..1788a5454b6fc 100644 +--- a/arch/s390/kernel/runtime_instr.c ++++ b/arch/s390/kernel/runtime_instr.c +@@ -57,7 +57,7 @@ static void init_runtime_instr_cb(struct runtime_instr_cb *cb) + cb->k = 1; + cb->ps = 1; + cb->pc = 1; +- cb->key = PAGE_DEFAULT_KEY; ++ cb->key = PAGE_DEFAULT_KEY >> 4; + cb->v = 1; + } + +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-add-quirk-to-disallow-reset-of-interrupt-ag.patch b/queue-5.8/scsi-ufs-add-quirk-to-disallow-reset-of-interrupt-ag.patch new file mode 100644 index 00000000000..afe0015e5a0 --- /dev/null +++ b/queue-5.8/scsi-ufs-add-quirk-to-disallow-reset-of-interrupt-ag.patch @@ -0,0 +1,57 @@ +From a411a945753a7b48fbd037310f5d8b7e03425e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 06:46:50 +0530 +Subject: scsi: ufs: Add quirk to disallow reset of interrupt aggregation + +From: Alim Akhtar + +[ Upstream commit b638b5eb624bd5d0766683b6181d578f414585e9 ] + +Some host controllers support interrupt aggregation but don't allow +resetting counter and timer in software. + +Link: https://lore.kernel.org/r/20200528011658.71590-3-alim.akhtar@samsung.com +Reviewed-by: Avri Altman +Signed-off-by: Seungwon Jeon +Signed-off-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 3 ++- + drivers/scsi/ufs/ufshcd.h | 6 ++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 9da44a389becb..47a4c4c239196 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4914,7 +4914,8 @@ static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba) + * false interrupt if device completes another request after resetting + * aggregation and before reading the DB. + */ +- if (ufshcd_is_intr_aggr_allowed(hba)) ++ if (ufshcd_is_intr_aggr_allowed(hba) && ++ !(hba->quirks & UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR)) + ufshcd_reset_intr_aggr(hba); + + tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL); +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 2ddf4c2f76f55..bda7ba1aea519 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -525,6 +525,12 @@ enum ufshcd_quirks { + * Clear handling for transfer/task request list is just opposite. + */ + UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR = 1 << 6, ++ ++ /* ++ * This quirk needs to be enabled if host controller doesn't allow ++ * that the interrupt aggregation timer and counter are reset by s/w. ++ */ ++ UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR = 1 << 7, + }; + + enum ufshcd_caps { +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-add-quirk-to-enable-host-controller-without.patch b/queue-5.8/scsi-ufs-add-quirk-to-enable-host-controller-without.patch new file mode 100644 index 00000000000..ce424c4b099 --- /dev/null +++ b/queue-5.8/scsi-ufs-add-quirk-to-enable-host-controller-without.patch @@ -0,0 +1,151 @@ +From 94539950352820f44d471514cb6919ab320ea4c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 06:46:51 +0530 +Subject: scsi: ufs: Add quirk to enable host controller without hce + +From: Alim Akhtar + +[ Upstream commit 39bf2d83b54e900675cd7b52737ded695bb60bf1 ] + +Some host controllers don't support host controller enable via HCE. + +Link: https://lore.kernel.org/r/20200528011658.71590-4-alim.akhtar@samsung.com +Reviewed-by: Can Guo +Reviewed-by: Avri Altman +Signed-off-by: Seungwon Jeon +Signed-off-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 76 +++++++++++++++++++++++++++++++++++++-- + drivers/scsi/ufs/ufshcd.h | 6 ++++ + 2 files changed, 80 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 47a4c4c239196..87473fa5bd0f9 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3557,6 +3557,52 @@ static int ufshcd_dme_link_startup(struct ufs_hba *hba) + "dme-link-startup: error code %d\n", ret); + return ret; + } ++/** ++ * ufshcd_dme_reset - UIC command for DME_RESET ++ * @hba: per adapter instance ++ * ++ * DME_RESET command is issued in order to reset UniPro stack. ++ * This function now deals with cold reset. ++ * ++ * Returns 0 on success, non-zero value on failure ++ */ ++static int ufshcd_dme_reset(struct ufs_hba *hba) ++{ ++ struct uic_command uic_cmd = {0}; ++ int ret; ++ ++ uic_cmd.command = UIC_CMD_DME_RESET; ++ ++ ret = ufshcd_send_uic_cmd(hba, &uic_cmd); ++ if (ret) ++ dev_err(hba->dev, ++ "dme-reset: error code %d\n", ret); ++ ++ return ret; ++} ++ ++/** ++ * ufshcd_dme_enable - UIC command for DME_ENABLE ++ * @hba: per adapter instance ++ * ++ * DME_ENABLE command is issued in order to enable UniPro stack. ++ * ++ * Returns 0 on success, non-zero value on failure ++ */ ++static int ufshcd_dme_enable(struct ufs_hba *hba) ++{ ++ struct uic_command uic_cmd = {0}; ++ int ret; ++ ++ uic_cmd.command = UIC_CMD_DME_ENABLE; ++ ++ ret = ufshcd_send_uic_cmd(hba, &uic_cmd); ++ if (ret) ++ dev_err(hba->dev, ++ "dme-reset: error code %d\n", ret); ++ ++ return ret; ++} + + static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba) + { +@@ -4281,7 +4327,7 @@ static inline void ufshcd_hba_stop(struct ufs_hba *hba) + } + + /** +- * ufshcd_hba_enable - initialize the controller ++ * ufshcd_hba_execute_hce - initialize the controller + * @hba: per adapter instance + * + * The controller resets itself and controller firmware initialization +@@ -4290,7 +4336,7 @@ static inline void ufshcd_hba_stop(struct ufs_hba *hba) + * + * Returns 0 on success, non-zero value on failure + */ +-int ufshcd_hba_enable(struct ufs_hba *hba) ++static int ufshcd_hba_execute_hce(struct ufs_hba *hba) + { + int retry; + +@@ -4338,6 +4384,32 @@ int ufshcd_hba_enable(struct ufs_hba *hba) + + return 0; + } ++ ++int ufshcd_hba_enable(struct ufs_hba *hba) ++{ ++ int ret; ++ ++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_HCE) { ++ ufshcd_set_link_off(hba); ++ ufshcd_vops_hce_enable_notify(hba, PRE_CHANGE); ++ ++ /* enable UIC related interrupts */ ++ ufshcd_enable_intr(hba, UFSHCD_UIC_MASK); ++ ret = ufshcd_dme_reset(hba); ++ if (!ret) { ++ ret = ufshcd_dme_enable(hba); ++ if (!ret) ++ ufshcd_vops_hce_enable_notify(hba, POST_CHANGE); ++ if (ret) ++ dev_err(hba->dev, ++ "Host controller enable failed with non-hce\n"); ++ } ++ } else { ++ ret = ufshcd_hba_execute_hce(hba); ++ } ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(ufshcd_hba_enable); + + static int ufshcd_disable_tx_lcc(struct ufs_hba *hba, bool peer) +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index bda7ba1aea519..4198e5d883a1a 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -531,6 +531,12 @@ enum ufshcd_quirks { + * that the interrupt aggregation timer and counter are reset by s/w. + */ + UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR = 1 << 7, ++ ++ /* ++ * This quirks needs to be enabled if host controller cannot be ++ * enabled via HCE register. ++ */ ++ UFSHCI_QUIRK_BROKEN_HCE = 1 << 8, + }; + + enum ufshcd_caps { +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-add-quirk-to-fix-abnormal-ocs-fatal-error.patch b/queue-5.8/scsi-ufs-add-quirk-to-fix-abnormal-ocs-fatal-error.patch new file mode 100644 index 00000000000..e34e8664bc4 --- /dev/null +++ b/queue-5.8/scsi-ufs-add-quirk-to-fix-abnormal-ocs-fatal-error.patch @@ -0,0 +1,62 @@ +From 855a55d05446be71f496673a1209de1418c851b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 06:46:53 +0530 +Subject: scsi: ufs: Add quirk to fix abnormal ocs fatal error + +From: Kiwoong Kim + +[ Upstream commit d779a6e90e189f4883ce6f900da02995fb000df5 ] + +Some controller like Exynos determines if FATAL ERROR (0x7) in OCS field in +UTRD occurs for values other than GOOD (0x0) in STATUS field in response +upiu as well as errors that a host controller can't cover. This patch is +to prevent from reporting command results in those cases. + +Link: https://lore.kernel.org/r/20200528011658.71590-6-alim.akhtar@samsung.com +Reviewed-by: Avri Altman +Signed-off-by: Kiwoong Kim +Signed-off-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 6 ++++++ + drivers/scsi/ufs/ufshcd.h | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 0be06e7c5f293..69c7c039b5fac 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4824,6 +4824,12 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + /* overall command status of utrd */ + ocs = ufshcd_get_tr_ocs(lrbp); + ++ if (hba->quirks & UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR) { ++ if (be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_1) & ++ MASK_RSP_UPIU_RESULT) ++ ocs = OCS_SUCCESS; ++ } ++ + switch (ocs) { + case OCS_SUCCESS: + result = ufshcd_get_req_rsp(lrbp->ucd_rsp_ptr); +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 97d649f546e3a..e38e9e0af6b59 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -543,6 +543,12 @@ enum ufshcd_quirks { + * resolution of the values of PRDTO and PRDTL in UTRD as byte. + */ + UFSHCD_QUIRK_PRDT_BYTE_GRAN = 1 << 9, ++ ++ /* ++ * This quirk needs to be enabled if the host controller reports ++ * OCS FATAL ERROR with device error through sense data ++ */ ++ UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR = 1 << 10, + }; + + enum ufshcd_caps { +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-add-quirk-to-fix-mishandling-utrlclr-utmrlc.patch b/queue-5.8/scsi-ufs-add-quirk-to-fix-mishandling-utrlclr-utmrlc.patch new file mode 100644 index 00000000000..e74aa0e8025 --- /dev/null +++ b/queue-5.8/scsi-ufs-add-quirk-to-fix-mishandling-utrlclr-utmrlc.patch @@ -0,0 +1,73 @@ +From 5ad34119780e2c9e05d01e716828cb8bdbe89d2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 06:46:49 +0530 +Subject: scsi: ufs: Add quirk to fix mishandling utrlclr/utmrlclr + +From: Alim Akhtar + +[ Upstream commit 871838412adf533ffda0b4a0ede0c2984e3511e7 ] + +With the correct behavior, setting the bit to '0' indicates clear and '1' +indicates no change. If host controller handles this the other way around, +UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR can be used. + +Link: https://lore.kernel.org/r/20200528011658.71590-2-alim.akhtar@samsung.com +Reviewed-by: Can Guo +Reviewed-by: Avri Altman +Signed-off-by: Seungwon Jeon +Signed-off-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 11 +++++++++-- + drivers/scsi/ufs/ufshcd.h | 5 +++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index dec56e99335f0..9da44a389becb 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -674,7 +674,11 @@ static inline int ufshcd_get_tr_ocs(struct ufshcd_lrb *lrbp) + */ + static inline void ufshcd_utrl_clear(struct ufs_hba *hba, u32 pos) + { +- ufshcd_writel(hba, ~(1 << pos), REG_UTP_TRANSFER_REQ_LIST_CLEAR); ++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR) ++ ufshcd_writel(hba, (1 << pos), REG_UTP_TRANSFER_REQ_LIST_CLEAR); ++ else ++ ufshcd_writel(hba, ~(1 << pos), ++ REG_UTP_TRANSFER_REQ_LIST_CLEAR); + } + + /** +@@ -684,7 +688,10 @@ static inline void ufshcd_utrl_clear(struct ufs_hba *hba, u32 pos) + */ + static inline void ufshcd_utmrl_clear(struct ufs_hba *hba, u32 pos) + { +- ufshcd_writel(hba, ~(1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR); ++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR) ++ ufshcd_writel(hba, (1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR); ++ else ++ ufshcd_writel(hba, ~(1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR); + } + + /** +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 16187be98a94c..2ddf4c2f76f55 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -520,6 +520,11 @@ enum ufshcd_quirks { + * ops (get_ufs_hci_version) to get the correct version. + */ + UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION = 1 << 5, ++ ++ /* ++ * Clear handling for transfer/task request list is just opposite. ++ */ ++ UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR = 1 << 6, + }; + + enum ufshcd_caps { +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-fix-interrupt-error-message-for-shared-inte.patch b/queue-5.8/scsi-ufs-fix-interrupt-error-message-for-shared-inte.patch new file mode 100644 index 00000000000..58cef65ad0b --- /dev/null +++ b/queue-5.8/scsi-ufs-fix-interrupt-error-message-for-shared-inte.patch @@ -0,0 +1,39 @@ +From e41790ba1293192bca5cc2bf3d7472d6c70f5dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 16:39:35 +0300 +Subject: scsi: ufs: Fix interrupt error message for shared interrupts + +From: Adrian Hunter + +[ Upstream commit 6337f58cec030b34ced435b3d9d7d29d63c96e36 ] + +The interrupt might be shared, in which case it is not an error for the +interrupt handler to be called when the interrupt status is zero, so don't +print the message unless there was enabled interrupt status. + +Link: https://lore.kernel.org/r/20200811133936.19171-1-adrian.hunter@intel.com +Fixes: 9333d7757348 ("scsi: ufs: Fix irq return code") +Reviewed-by: Avri Altman +Signed-off-by: Adrian Hunter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 69c7c039b5fac..136b863bc1d45 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -6013,7 +6013,7 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba) + intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS); + } while (intr_status && --retries); + +- if (retval == IRQ_NONE) { ++ if (enabled_intr_status && retval == IRQ_NONE) { + dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x\n", + __func__, intr_status); + ufshcd_dump_regs(hba, 0, UFSHCI_REG_SPACE_SIZE, "host_regs: "); +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-introduce-ufshcd_quirk_prdt_byte_gran-quirk.patch b/queue-5.8/scsi-ufs-introduce-ufshcd_quirk_prdt_byte_gran-quirk.patch new file mode 100644 index 00000000000..4b4abca357a --- /dev/null +++ b/queue-5.8/scsi-ufs-introduce-ufshcd_quirk_prdt_byte_gran-quirk.patch @@ -0,0 +1,91 @@ +From 5df3e2dcfd338d6c94fac9701547f1be091926d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 06:46:52 +0530 +Subject: scsi: ufs: Introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk + +From: Alim Akhtar + +[ Upstream commit 26f968d7de823ba4974a8f25c8bd8ee2df6ab74b ] + +Some UFS host controllers like Exynos uses granularities of PRDT length and +offset as bytes, whereas others use actual segment count. + +Link: https://lore.kernel.org/r/20200528011658.71590-5-alim.akhtar@samsung.com +Reviewed-by: Avri Altman +Signed-off-by: Kiwoong Kim +Signed-off-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 30 +++++++++++++++++++++++------- + drivers/scsi/ufs/ufshcd.h | 6 ++++++ + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 87473fa5bd0f9..0be06e7c5f293 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -2175,8 +2175,14 @@ static int ufshcd_map_sg(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + return sg_segments; + + if (sg_segments) { +- lrbp->utr_descriptor_ptr->prd_table_length = +- cpu_to_le16((u16)sg_segments); ++ ++ if (hba->quirks & UFSHCD_QUIRK_PRDT_BYTE_GRAN) ++ lrbp->utr_descriptor_ptr->prd_table_length = ++ cpu_to_le16((sg_segments * ++ sizeof(struct ufshcd_sg_entry))); ++ else ++ lrbp->utr_descriptor_ptr->prd_table_length = ++ cpu_to_le16((u16) (sg_segments)); + + prd_table = (struct ufshcd_sg_entry *)lrbp->ucd_prdt_ptr; + +@@ -3523,11 +3529,21 @@ static void ufshcd_host_memory_configure(struct ufs_hba *hba) + cpu_to_le32(upper_32_bits(cmd_desc_element_addr)); + + /* Response upiu and prdt offset should be in double words */ +- utrdlp[i].response_upiu_offset = +- cpu_to_le16(response_offset >> 2); +- utrdlp[i].prd_table_offset = cpu_to_le16(prdt_offset >> 2); +- utrdlp[i].response_upiu_length = +- cpu_to_le16(ALIGNED_UPIU_SIZE >> 2); ++ if (hba->quirks & UFSHCD_QUIRK_PRDT_BYTE_GRAN) { ++ utrdlp[i].response_upiu_offset = ++ cpu_to_le16(response_offset); ++ utrdlp[i].prd_table_offset = ++ cpu_to_le16(prdt_offset); ++ utrdlp[i].response_upiu_length = ++ cpu_to_le16(ALIGNED_UPIU_SIZE); ++ } else { ++ utrdlp[i].response_upiu_offset = ++ cpu_to_le16(response_offset >> 2); ++ utrdlp[i].prd_table_offset = ++ cpu_to_le16(prdt_offset >> 2); ++ utrdlp[i].response_upiu_length = ++ cpu_to_le16(ALIGNED_UPIU_SIZE >> 2); ++ } + + ufshcd_init_lrb(hba, &hba->lrb[i], i); + } +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 4198e5d883a1a..97d649f546e3a 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -537,6 +537,12 @@ enum ufshcd_quirks { + * enabled via HCE register. + */ + UFSHCI_QUIRK_BROKEN_HCE = 1 << 8, ++ ++ /* ++ * This quirk needs to be enabled if the host controller regards ++ * resolution of the values of PRDTO and PRDTL in UTRD as byte. ++ */ ++ UFSHCD_QUIRK_PRDT_BYTE_GRAN = 1 << 9, + }; + + enum ufshcd_caps { +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-pci-add-quirk-for-broken-auto-hibernate-for.patch b/queue-5.8/scsi-ufs-pci-add-quirk-for-broken-auto-hibernate-for.patch new file mode 100644 index 00000000000..299e4424203 --- /dev/null +++ b/queue-5.8/scsi-ufs-pci-add-quirk-for-broken-auto-hibernate-for.patch @@ -0,0 +1,94 @@ +From 9b2d567e5b29ee8457d34743d09c89b4b87afb25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 17:10:24 +0300 +Subject: scsi: ufs-pci: Add quirk for broken auto-hibernate for Intel EHL + +From: Adrian Hunter + +[ Upstream commit 8da76f71fef7d8a1a72af09d48899573feb60065 ] + +Intel EHL UFS host controller advertises auto-hibernate capability but it +does not work correctly. Add a quirk for that. + +[mkp: checkpatch fix] + +Link: https://lore.kernel.org/r/20200810141024.28859-1-adrian.hunter@intel.com +Fixes: 8c09d7527697 ("scsi: ufshdc-pci: Add Intel PCI IDs for EHL") +Acked-by: Stanley Chu +Signed-off-by: Adrian Hunter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd-pci.c | 16 ++++++++++++++-- + drivers/scsi/ufs/ufshcd.h | 9 ++++++++- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c +index 8f78a81514991..b220666774ce8 100644 +--- a/drivers/scsi/ufs/ufshcd-pci.c ++++ b/drivers/scsi/ufs/ufshcd-pci.c +@@ -67,11 +67,23 @@ static int ufs_intel_link_startup_notify(struct ufs_hba *hba, + return err; + } + ++static int ufs_intel_ehl_init(struct ufs_hba *hba) ++{ ++ hba->quirks |= UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8; ++ return 0; ++} ++ + static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = { + .name = "intel-pci", + .link_startup_notify = ufs_intel_link_startup_notify, + }; + ++static struct ufs_hba_variant_ops ufs_intel_ehl_hba_vops = { ++ .name = "intel-pci", ++ .init = ufs_intel_ehl_init, ++ .link_startup_notify = ufs_intel_link_startup_notify, ++}; ++ + #ifdef CONFIG_PM_SLEEP + /** + * ufshcd_pci_suspend - suspend power management function +@@ -200,8 +212,8 @@ static const struct dev_pm_ops ufshcd_pci_pm_ops = { + static const struct pci_device_id ufshcd_pci_tbl[] = { + { PCI_VENDOR_ID_SAMSUNG, 0xC00C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 }, + { PCI_VDEVICE(INTEL, 0x9DFA), (kernel_ulong_t)&ufs_intel_cnl_hba_vops }, +- { PCI_VDEVICE(INTEL, 0x4B41), (kernel_ulong_t)&ufs_intel_cnl_hba_vops }, +- { PCI_VDEVICE(INTEL, 0x4B43), (kernel_ulong_t)&ufs_intel_cnl_hba_vops }, ++ { PCI_VDEVICE(INTEL, 0x4B41), (kernel_ulong_t)&ufs_intel_ehl_hba_vops }, ++ { PCI_VDEVICE(INTEL, 0x4B43), (kernel_ulong_t)&ufs_intel_ehl_hba_vops }, + { } /* terminate list */ + }; + +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index e38e9e0af6b59..4bf98c2295372 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -549,6 +549,12 @@ enum ufshcd_quirks { + * OCS FATAL ERROR with device error through sense data + */ + UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR = 1 << 10, ++ ++ /* ++ * This quirk needs to be enabled if the host controller has ++ * auto-hibernate capability but it doesn't work. ++ */ ++ UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8 = 1 << 11, + }; + + enum ufshcd_caps { +@@ -815,7 +821,8 @@ return true; + + static inline bool ufshcd_is_auto_hibern8_supported(struct ufs_hba *hba) + { +- return (hba->capabilities & MASK_AUTO_HIBERN8_SUPPORT); ++ return (hba->capabilities & MASK_AUTO_HIBERN8_SUPPORT) && ++ !(hba->quirks & UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8); + } + + static inline bool ufshcd_is_auto_hibern8_enabled(struct ufs_hba *hba) +-- +2.25.1 + diff --git a/queue-5.8/scsi-ufs-ti-j721e-ufs-fix-error-return-in-ti_j721e_u.patch b/queue-5.8/scsi-ufs-ti-j721e-ufs-fix-error-return-in-ti_j721e_u.patch new file mode 100644 index 00000000000..a5c9e411517 --- /dev/null +++ b/queue-5.8/scsi-ufs-ti-j721e-ufs-fix-error-return-in-ti_j721e_u.patch @@ -0,0 +1,37 @@ +From 2c349389f1fea38a7e3c2b89771c93550efde314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 15:01:35 +0800 +Subject: scsi: ufs: ti-j721e-ufs: Fix error return in ti_j721e_ufs_probe() + +From: Jing Xiangfeng + +[ Upstream commit 2138d1c918246e3d8193c3cb8b6d22d0bb888061 ] + +Fix to return error code PTR_ERR() from the error handling case instead of +0. + +Link: https://lore.kernel.org/r/20200806070135.67797-1-jingxiangfeng@huawei.com +Fixes: 22617e216331 ("scsi: ufs: ti-j721e-ufs: Fix unwinding of pm_runtime changes") +Reviewed-by: Avri Altman +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ti-j721e-ufs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ti-j721e-ufs.c b/drivers/scsi/ufs/ti-j721e-ufs.c +index 46bb905b4d6a9..eafe0db98d542 100644 +--- a/drivers/scsi/ufs/ti-j721e-ufs.c ++++ b/drivers/scsi/ufs/ti-j721e-ufs.c +@@ -38,6 +38,7 @@ static int ti_j721e_ufs_probe(struct platform_device *pdev) + /* Select MPHY refclk frequency */ + clk = devm_clk_get(dev, NULL); + if (IS_ERR(clk)) { ++ ret = PTR_ERR(clk); + dev_err(dev, "Cannot claim MPHY clock.\n"); + goto clk_err; + } +-- +2.25.1 + diff --git a/queue-5.8/selftests-bpf-remove-test_align-leftovers.patch b/queue-5.8/selftests-bpf-remove-test_align-leftovers.patch new file mode 100644 index 00000000000..8c9e0f79516 --- /dev/null +++ b/queue-5.8/selftests-bpf-remove-test_align-leftovers.patch @@ -0,0 +1,53 @@ +From 1df6ce30ff81b26783c636da5af972f000be4f01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 18:07:10 +0200 +Subject: selftests/bpf: Remove test_align leftovers + +From: Veronika Kabatova + +[ Upstream commit 5597432dde62befd3ab92e6ef9e073564e277ea8 ] + +Calling generic selftests "make install" fails as rsync expects all +files from TEST_GEN_PROGS to be present. The binary is not generated +anymore (commit 3b09d27cc93d) so we can safely remove it from there +and also from gitignore. + +Fixes: 3b09d27cc93d ("selftests/bpf: Move test_align under test_progs") +Signed-off-by: Veronika Kabatova +Signed-off-by: Alexei Starovoitov +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/bpf/20200819160710.1345956-1-vkabatov@redhat.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/.gitignore | 1 - + tools/testing/selftests/bpf/Makefile | 2 +- + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore +index 1bb204cee853f..9a0946ddb705a 100644 +--- a/tools/testing/selftests/bpf/.gitignore ++++ b/tools/testing/selftests/bpf/.gitignore +@@ -6,7 +6,6 @@ test_lpm_map + test_tag + FEATURE-DUMP.libbpf + fixdep +-test_align + test_dev_cgroup + /test_progs* + test_tcpbpf_user +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 4f322d5388757..50965cc7bf098 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -32,7 +32,7 @@ LDLIBS += -lcap -lelf -lz -lrt -lpthread + + # Order correspond to 'make run_tests' order + TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \ +- test_align test_verifier_log test_dev_cgroup test_tcpbpf_user \ ++ test_verifier_log test_dev_cgroup test_tcpbpf_user \ + test_sock test_btf test_sockmap get_cgroup_id_user test_socket_cookie \ + test_cgroup_storage \ + test_netcnt test_tcpnotify_user test_sock_fields test_sysctl \ +-- +2.25.1 + diff --git a/queue-5.8/series b/queue-5.8/series index 273e1c51420..2fe39b9728f 100644 --- a/queue-5.8/series +++ b/queue-5.8/series @@ -70,3 +70,70 @@ xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch alpha-fix-annotation-of-io-read-write-16-32-be.patch fat-fix-fat_ra_init-for-data-clusters-0.patch fs-signalfd.c-fix-inconsistent-return-codes-for-sign.patch +ext4-fix-potential-negative-array-index-in-do_split.patch +drm-virtio-fix-missing-dma_fence_put-in-virtio_gpu_e.patch +ext4-don-t-allow-overlapping-system-zones.patch +ext4-check-journal-inode-extents-more-carefully.patch +netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch +spi-stm32-fixes-suspend-resume-management.patch +asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch +asoc-q6routing-add-dummy-register-read-write-functio.patch +tools-bpftool-make-skeleton-code-c-17-friendly-by-dr.patch +bpf-sock_ops-ctx-access-may-stomp-registers-in-corne.patch +bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch +libbpf-fix-btf-defined-map-in-map-initialization-on-.patch +can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch +can-j1939-transport-j1939_simple_recv-ignore-local-j.patch +can-j1939-transport-add-j1939_session_skb_find_by_of.patch +igc-fix-ptp-initialization.patch +i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch +i40e-fix-crash-during-removing-i40e-driver.patch +net-fec-correct-the-error-path-for-regulator-disable.patch +bonding-show-saner-speed-for-broadcast-mode.patch +can-j1939-fix-support-for-multipacket-broadcast-mess.patch +can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch +can-j1939-abort-multipacket-broadcast-session-when-t.patch +can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch +bonding-fix-a-potential-double-unregister.patch +ipvlan-fix-device-features.patch +s390-runtime_instrumentation-fix-storage-key-handlin.patch +s390-ptrace-fix-storage-key-handling.patch +asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch +asoc-intel-fix-memleak-in-sst_media_open.patch +watch_queue-limit-the-number-of-watches-a-user-can-h.patch +vfio-pci-avoid-recursive-read-lock-usage.patch +vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch +arch-ia64-restore-arch-specific-pgd_offset_k-impleme.patch +kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch +kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch +of-address-check-for-invalid-range.cpu_addr.patch +scsi-ufs-ti-j721e-ufs-fix-error-return-in-ti_j721e_u.patch +scsi-ufs-add-quirk-to-fix-mishandling-utrlclr-utmrlc.patch +scsi-ufs-add-quirk-to-disallow-reset-of-interrupt-ag.patch +scsi-ufs-add-quirk-to-enable-host-controller-without.patch +scsi-ufs-introduce-ufshcd_quirk_prdt_byte_gran-quirk.patch +scsi-ufs-add-quirk-to-fix-abnormal-ocs-fatal-error.patch +scsi-ufs-pci-add-quirk-for-broken-auto-hibernate-for.patch +scsi-ufs-fix-interrupt-error-message-for-shared-inte.patch +revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch +kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch +kconfig-qconf-fix-signal-connection-to-invalid-slots.patch +efi-avoid-error-message-when-booting-under-xen.patch +fix-build-error-when-config_acpi-is-not-set-enabled.patch +rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch +revert-rdma-hns-reserve-one-sge-in-order-to-avoid-lo.patch +afs-fix-key-ref-leak-in-afs_put_operation.patch +kconfig-qconf-remove-qinfo-to-get-back-qt4-support.patch +afs-fix-null-deref-in-afs_dynroot_depopulate.patch +arm64-vdso32-install-vdso32-from-vdso_install.patch +powerpc-add-power10-raw-mode-cputable-entry.patch +powerpc-fixmap-fix-the-size-of-the-early-debug-area.patch +bpf-use-get_file_rcu-instead-of-get_file-for-task_fi.patch +powerpc-pseries-hotplug-cpu-wait-indefinitely-for-vc.patch +bonding-fix-active-backup-failover-for-current-arp-s.patch +net-ena-prevent-reset-after-device-destruction.patch +net-ena-change-warn_on-expression-in-ena_del_napi_in.patch +net-gemini-fix-missing-free_netdev-in-error-path-of-.patch +selftests-bpf-remove-test_align-leftovers.patch +hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch +net-dsa-b53-check-for-timeout.patch diff --git a/queue-5.8/spi-stm32-fixes-suspend-resume-management.patch b/queue-5.8/spi-stm32-fixes-suspend-resume-management.patch new file mode 100644 index 00000000000..e0b41a95aa2 --- /dev/null +++ b/queue-5.8/spi-stm32-fixes-suspend-resume-management.patch @@ -0,0 +1,93 @@ +From 317cee5aa1fca172d6641a9f49e6cd0363bd54e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 09:12:37 +0200 +Subject: spi: stm32: fixes suspend/resume management + +From: Amelie Delaunay + +[ Upstream commit db96bf976a4fc65439be0b4524c0d41427d98814 ] + +This patch adds pinctrl power management, and reconfigure spi controller +in case of resume. + +Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support") + +Signed-off-by: Amelie Delaunay +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1597043558-29668-5-git-send-email-alain.volmat@st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 4c643dfc7fbbc..9672cda2f8031 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1996,6 +1997,8 @@ static int stm32_spi_remove(struct platform_device *pdev) + + pm_runtime_disable(&pdev->dev); + ++ pinctrl_pm_select_sleep_state(&pdev->dev); ++ + return 0; + } + +@@ -2007,13 +2010,18 @@ static int stm32_spi_runtime_suspend(struct device *dev) + + clk_disable_unprepare(spi->clk); + +- return 0; ++ return pinctrl_pm_select_sleep_state(dev); + } + + static int stm32_spi_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct stm32_spi *spi = spi_master_get_devdata(master); ++ int ret; ++ ++ ret = pinctrl_pm_select_default_state(dev); ++ if (ret) ++ return ret; + + return clk_prepare_enable(spi->clk); + } +@@ -2043,10 +2051,23 @@ static int stm32_spi_resume(struct device *dev) + return ret; + + ret = spi_master_resume(master); +- if (ret) ++ if (ret) { + clk_disable_unprepare(spi->clk); ++ return ret; ++ } + +- return ret; ++ ret = pm_runtime_get_sync(dev); ++ if (ret) { ++ dev_err(dev, "Unable to power device:%d\n", ret); ++ return ret; ++ } ++ ++ spi->cfg->config(spi); ++ ++ pm_runtime_mark_last_busy(dev); ++ pm_runtime_put_autosuspend(dev); ++ ++ return 0; + } + #endif + +-- +2.25.1 + diff --git a/queue-5.8/tools-bpftool-make-skeleton-code-c-17-friendly-by-dr.patch b/queue-5.8/tools-bpftool-make-skeleton-code-c-17-friendly-by-dr.patch new file mode 100644 index 00000000000..fd31a363ba0 --- /dev/null +++ b/queue-5.8/tools-bpftool-make-skeleton-code-c-17-friendly-by-dr.patch @@ -0,0 +1,68 @@ +From 44dfaaecfdf8920ccdc0923bec4635ffbd78f58a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 19:59:07 -0700 +Subject: tools/bpftool: Make skeleton code C++17-friendly by dropping typeof() + +From: Andrii Nakryiko + +[ Upstream commit 8faf7fc597d59b142af41ddd4a2d59485f75f88a ] + +Seems like C++17 standard mode doesn't recognize typeof() anymore. This can +be tested by compiling test_cpp test with -std=c++17 or -std=c++1z options. +The use of typeof in skeleton generated code is unnecessary, all types are +well-known at the time of code generation, so remove all typeof()'s to make +skeleton code more future-proof when interacting with C++ compilers. + +Fixes: 985ead416df3 ("bpftool: Add skeleton codegen command") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20200812025907.1371956-1-andriin@fb.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/gen.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c +index 540ffde0b03a3..0be1330b4c1ba 100644 +--- a/tools/bpf/bpftool/gen.c ++++ b/tools/bpf/bpftool/gen.c +@@ -400,7 +400,7 @@ static int do_skeleton(int argc, char **argv) + { \n\ + struct %1$s *obj; \n\ + \n\ +- obj = (typeof(obj))calloc(1, sizeof(*obj)); \n\ ++ obj = (struct %1$s *)calloc(1, sizeof(*obj)); \n\ + if (!obj) \n\ + return NULL; \n\ + if (%1$s__create_skeleton(obj)) \n\ +@@ -464,7 +464,7 @@ static int do_skeleton(int argc, char **argv) + { \n\ + struct bpf_object_skeleton *s; \n\ + \n\ +- s = (typeof(s))calloc(1, sizeof(*s)); \n\ ++ s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s));\n\ + if (!s) \n\ + return -1; \n\ + obj->skeleton = s; \n\ +@@ -482,7 +482,7 @@ static int do_skeleton(int argc, char **argv) + /* maps */ \n\ + s->map_cnt = %zu; \n\ + s->map_skel_sz = sizeof(*s->maps); \n\ +- s->maps = (typeof(s->maps))calloc(s->map_cnt, s->map_skel_sz);\n\ ++ s->maps = (struct bpf_map_skeleton *)calloc(s->map_cnt, s->map_skel_sz);\n\ + if (!s->maps) \n\ + goto err; \n\ + ", +@@ -518,7 +518,7 @@ static int do_skeleton(int argc, char **argv) + /* programs */ \n\ + s->prog_cnt = %zu; \n\ + s->prog_skel_sz = sizeof(*s->progs); \n\ +- s->progs = (typeof(s->progs))calloc(s->prog_cnt, s->prog_skel_sz);\n\ ++ s->progs = (struct bpf_prog_skeleton *)calloc(s->prog_cnt, s->prog_skel_sz);\n\ + if (!s->progs) \n\ + goto err; \n\ + ", +-- +2.25.1 + diff --git a/queue-5.8/vfio-pci-avoid-recursive-read-lock-usage.patch b/queue-5.8/vfio-pci-avoid-recursive-read-lock-usage.patch new file mode 100644 index 00000000000..4643d197603 --- /dev/null +++ b/queue-5.8/vfio-pci-avoid-recursive-read-lock-usage.patch @@ -0,0 +1,275 @@ +From ec90fe733e1f54a90352430de6d1b8e4adef4dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:08:18 -0600 +Subject: vfio-pci: Avoid recursive read-lock usage + +From: Alex Williamson + +[ Upstream commit bc93b9ae0151ae5ad5b8504cdc598428ea99570b ] + +A down_read on memory_lock is held when performing read/write accesses +to MMIO BAR space, including across the copy_to/from_user() callouts +which may fault. If the user buffer for these copies resides in an +mmap of device MMIO space, the mmap fault handler will acquire a +recursive read-lock on memory_lock. Avoid this by reducing the lock +granularity. Sequential accesses requiring multiple ioread/iowrite +cycles are expected to be rare, therefore typical accesses should not +see additional overhead. + +VGA MMIO accesses are expected to be non-fatal regardless of the PCI +memory enable bit to allow legacy probing, this behavior remains with +a comment added. ioeventfds are now included in memory access testing, +with writes dropped while memory space is disabled. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Reported-by: Zhiyi Guo +Tested-by: Zhiyi Guo +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_private.h | 2 + + drivers/vfio/pci/vfio_pci_rdwr.c | 120 ++++++++++++++++++++++------ + 2 files changed, 98 insertions(+), 24 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h +index 86a02aff8735f..61ca8ab165dc1 100644 +--- a/drivers/vfio/pci/vfio_pci_private.h ++++ b/drivers/vfio/pci/vfio_pci_private.h +@@ -33,12 +33,14 @@ + + struct vfio_pci_ioeventfd { + struct list_head next; ++ struct vfio_pci_device *vdev; + struct virqfd *virqfd; + void __iomem *addr; + uint64_t data; + loff_t pos; + int bar; + int count; ++ bool test_mem; + }; + + struct vfio_pci_irq_ctx { +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 916b184df3a5b..9e353c484ace2 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -37,17 +37,70 @@ + #define vfio_ioread8 ioread8 + #define vfio_iowrite8 iowrite8 + ++#define VFIO_IOWRITE(size) \ ++static int vfio_pci_iowrite##size(struct vfio_pci_device *vdev, \ ++ bool test_mem, u##size val, void __iomem *io) \ ++{ \ ++ if (test_mem) { \ ++ down_read(&vdev->memory_lock); \ ++ if (!__vfio_pci_memory_enabled(vdev)) { \ ++ up_read(&vdev->memory_lock); \ ++ return -EIO; \ ++ } \ ++ } \ ++ \ ++ vfio_iowrite##size(val, io); \ ++ \ ++ if (test_mem) \ ++ up_read(&vdev->memory_lock); \ ++ \ ++ return 0; \ ++} ++ ++VFIO_IOWRITE(8) ++VFIO_IOWRITE(16) ++VFIO_IOWRITE(32) ++#ifdef iowrite64 ++VFIO_IOWRITE(64) ++#endif ++ ++#define VFIO_IOREAD(size) \ ++static int vfio_pci_ioread##size(struct vfio_pci_device *vdev, \ ++ bool test_mem, u##size *val, void __iomem *io) \ ++{ \ ++ if (test_mem) { \ ++ down_read(&vdev->memory_lock); \ ++ if (!__vfio_pci_memory_enabled(vdev)) { \ ++ up_read(&vdev->memory_lock); \ ++ return -EIO; \ ++ } \ ++ } \ ++ \ ++ *val = vfio_ioread##size(io); \ ++ \ ++ if (test_mem) \ ++ up_read(&vdev->memory_lock); \ ++ \ ++ return 0; \ ++} ++ ++VFIO_IOREAD(8) ++VFIO_IOREAD(16) ++VFIO_IOREAD(32) ++ + /* + * Read or write from an __iomem region (MMIO or I/O port) with an excluded + * range which is inaccessible. The excluded range drops writes and fills + * reads with -1. This is intended for handling MSI-X vector tables and + * leftover space for ROM BARs. + */ +-static ssize_t do_io_rw(void __iomem *io, char __user *buf, ++static ssize_t do_io_rw(struct vfio_pci_device *vdev, bool test_mem, ++ void __iomem *io, char __user *buf, + loff_t off, size_t count, size_t x_start, + size_t x_end, bool iswrite) + { + ssize_t done = 0; ++ int ret; + + while (count) { + size_t fillable, filled; +@@ -66,9 +119,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf, + if (copy_from_user(&val, buf, 4)) + return -EFAULT; + +- vfio_iowrite32(val, io + off); ++ ret = vfio_pci_iowrite32(vdev, test_mem, ++ val, io + off); ++ if (ret) ++ return ret; + } else { +- val = vfio_ioread32(io + off); ++ ret = vfio_pci_ioread32(vdev, test_mem, ++ &val, io + off); ++ if (ret) ++ return ret; + + if (copy_to_user(buf, &val, 4)) + return -EFAULT; +@@ -82,9 +141,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf, + if (copy_from_user(&val, buf, 2)) + return -EFAULT; + +- vfio_iowrite16(val, io + off); ++ ret = vfio_pci_iowrite16(vdev, test_mem, ++ val, io + off); ++ if (ret) ++ return ret; + } else { +- val = vfio_ioread16(io + off); ++ ret = vfio_pci_ioread16(vdev, test_mem, ++ &val, io + off); ++ if (ret) ++ return ret; + + if (copy_to_user(buf, &val, 2)) + return -EFAULT; +@@ -98,9 +163,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf, + if (copy_from_user(&val, buf, 1)) + return -EFAULT; + +- vfio_iowrite8(val, io + off); ++ ret = vfio_pci_iowrite8(vdev, test_mem, ++ val, io + off); ++ if (ret) ++ return ret; + } else { +- val = vfio_ioread8(io + off); ++ ret = vfio_pci_ioread8(vdev, test_mem, ++ &val, io + off); ++ if (ret) ++ return ret; + + if (copy_to_user(buf, &val, 1)) + return -EFAULT; +@@ -178,14 +249,6 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + count = min(count, (size_t)(end - pos)); + +- if (res->flags & IORESOURCE_MEM) { +- down_read(&vdev->memory_lock); +- if (!__vfio_pci_memory_enabled(vdev)) { +- up_read(&vdev->memory_lock); +- return -EIO; +- } +- } +- + if (bar == PCI_ROM_RESOURCE) { + /* + * The ROM can fill less space than the BAR, so we start the +@@ -213,7 +276,8 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + x_end = vdev->msix_offset + vdev->msix_size; + } + +- done = do_io_rw(io, buf, pos, count, x_start, x_end, iswrite); ++ done = do_io_rw(vdev, res->flags & IORESOURCE_MEM, io, buf, pos, ++ count, x_start, x_end, iswrite); + + if (done >= 0) + *ppos += done; +@@ -221,9 +285,6 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + if (bar == PCI_ROM_RESOURCE) + pci_unmap_rom(pdev, io); + out: +- if (res->flags & IORESOURCE_MEM) +- up_read(&vdev->memory_lock); +- + return done; + } + +@@ -278,7 +339,12 @@ ssize_t vfio_pci_vga_rw(struct vfio_pci_device *vdev, char __user *buf, + return ret; + } + +- done = do_io_rw(iomem, buf, off, count, 0, 0, iswrite); ++ /* ++ * VGA MMIO is a legacy, non-BAR resource that hopefully allows ++ * probing, so we don't currently worry about access in relation ++ * to the memory enable bit in the command register. ++ */ ++ done = do_io_rw(vdev, false, iomem, buf, off, count, 0, 0, iswrite); + + vga_put(vdev->pdev, rsrc); + +@@ -296,17 +362,21 @@ static int vfio_pci_ioeventfd_handler(void *opaque, void *unused) + + switch (ioeventfd->count) { + case 1: +- vfio_iowrite8(ioeventfd->data, ioeventfd->addr); ++ vfio_pci_iowrite8(ioeventfd->vdev, ioeventfd->test_mem, ++ ioeventfd->data, ioeventfd->addr); + break; + case 2: +- vfio_iowrite16(ioeventfd->data, ioeventfd->addr); ++ vfio_pci_iowrite16(ioeventfd->vdev, ioeventfd->test_mem, ++ ioeventfd->data, ioeventfd->addr); + break; + case 4: +- vfio_iowrite32(ioeventfd->data, ioeventfd->addr); ++ vfio_pci_iowrite32(ioeventfd->vdev, ioeventfd->test_mem, ++ ioeventfd->data, ioeventfd->addr); + break; + #ifdef iowrite64 + case 8: +- vfio_iowrite64(ioeventfd->data, ioeventfd->addr); ++ vfio_pci_iowrite64(ioeventfd->vdev, ioeventfd->test_mem, ++ ioeventfd->data, ioeventfd->addr); + break; + #endif + } +@@ -378,11 +448,13 @@ long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset, + goto out_unlock; + } + ++ ioeventfd->vdev = vdev; + ioeventfd->addr = vdev->barmap[bar] + pos; + ioeventfd->data = data; + ioeventfd->pos = pos; + ioeventfd->bar = bar; + ioeventfd->count = count; ++ ioeventfd->test_mem = vdev->pdev->resource[bar].flags & IORESOURCE_MEM; + + ret = vfio_virqfd_enable(ioeventfd, vfio_pci_ioeventfd_handler, + NULL, NULL, &ioeventfd->virqfd, fd); +-- +2.25.1 + diff --git a/queue-5.8/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch b/queue-5.8/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch new file mode 100644 index 00000000000..dc5d65828df --- /dev/null +++ b/queue-5.8/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch @@ -0,0 +1,164 @@ +From 9067aa2cca0762d44037e787c7d0a332bbcadd5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:09:13 -0600 +Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay() + +From: Alex Williamson + +[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ] + +The vfio_iommu_replay() function does not currently unwind on error, +yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma +structure to indicate IOMMU mapping. The IOMMU mappings are torn down +when the domain is destroyed, but the other actions go on to cause +trouble later. For example, the iommu->domain_list can be empty if we +only have a non-IOMMU backed mdev attached. We don't currently check +if the list is empty before getting the first entry in the list, which +leads to a bogus domain pointer. If a vfio_dma entry is erroneously +marked as iommu_mapped, we'll attempt to use that bogus pointer to +retrieve the existing physical page addresses. + +This is the scenario that uncovered this issue, attempting to hot-add +a vfio-pci device to a container with an existing mdev device and DMA +mappings, one of which could not be pinned, causing a failure adding +the new group to the existing container and setting the conditions +for a subsequent attempt to explode. + +To resolve this, we can first check if the domain_list is empty so +that we can reject replay of a bogus domain, should we ever encounter +this inconsistent state again in the future. The real fix though is +to add the necessary unwind support, which means cleaning up the +current pinning if an IOMMU mapping fails, then walking back through +the r-b tree of DMA entries, reading from the IOMMU which ranges are +mapped, and unmapping and unpinning those ranges. To be able to do +this, we also defer marking the DMA entry as IOMMU mapped until all +entries are processed, in order to allow the unwind to know the +disposition of each entry. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Reported-by: Zhiyi Guo +Tested-by: Zhiyi Guo +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++--- + 1 file changed, 66 insertions(+), 5 deletions(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 5e556ac9102a5..f48f0db908a46 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -1422,13 +1422,16 @@ static int vfio_bus_type(struct device *dev, void *data) + static int vfio_iommu_replay(struct vfio_iommu *iommu, + struct vfio_domain *domain) + { +- struct vfio_domain *d; ++ struct vfio_domain *d = NULL; + struct rb_node *n; + unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + int ret; + + /* Arbitrarily pick the first domain in the list for lookups */ +- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next); ++ if (!list_empty(&iommu->domain_list)) ++ d = list_first_entry(&iommu->domain_list, ++ struct vfio_domain, next); ++ + n = rb_first(&iommu->dma_list); + + for (; n; n = rb_next(n)) { +@@ -1446,6 +1449,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + phys_addr_t p; + dma_addr_t i; + ++ if (WARN_ON(!d)) { /* mapped w/o a domain?! */ ++ ret = -EINVAL; ++ goto unwind; ++ } ++ + phys = iommu_iova_to_phys(d->domain, iova); + + if (WARN_ON(!phys)) { +@@ -1475,7 +1483,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + if (npage <= 0) { + WARN_ON(!npage); + ret = (int)npage; +- return ret; ++ goto unwind; + } + + phys = pfn << PAGE_SHIFT; +@@ -1484,14 +1492,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + + ret = iommu_map(domain->domain, iova, phys, + size, dma->prot | domain->prot); +- if (ret) +- return ret; ++ if (ret) { ++ if (!dma->iommu_mapped) ++ vfio_unpin_pages_remote(dma, iova, ++ phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, ++ true); ++ goto unwind; ++ } + + iova += size; + } ++ } ++ ++ /* All dmas are now mapped, defer to second tree walk for unwind */ ++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ + dma->iommu_mapped = true; + } ++ + return 0; ++ ++unwind: ++ for (; n; n = rb_prev(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ dma_addr_t iova; ++ ++ if (dma->iommu_mapped) { ++ iommu_unmap(domain->domain, dma->iova, dma->size); ++ continue; ++ } ++ ++ iova = dma->iova; ++ while (iova < dma->iova + dma->size) { ++ phys_addr_t phys, p; ++ size_t size; ++ dma_addr_t i; ++ ++ phys = iommu_iova_to_phys(domain->domain, iova); ++ if (!phys) { ++ iova += PAGE_SIZE; ++ continue; ++ } ++ ++ size = PAGE_SIZE; ++ p = phys + size; ++ i = iova + size; ++ while (i < dma->iova + dma->size && ++ p == iommu_iova_to_phys(domain->domain, i)) { ++ size += PAGE_SIZE; ++ p += PAGE_SIZE; ++ i += PAGE_SIZE; ++ } ++ ++ iommu_unmap(domain->domain, iova, size); ++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, true); ++ } ++ } ++ ++ return ret; + } + + /* +-- +2.25.1 + diff --git a/queue-5.8/watch_queue-limit-the-number-of-watches-a-user-can-h.patch b/queue-5.8/watch_queue-limit-the-number-of-watches-a-user-can-h.patch new file mode 100644 index 00000000000..933474a0f14 --- /dev/null +++ b/queue-5.8/watch_queue-limit-the-number-of-watches-a-user-can-h.patch @@ -0,0 +1,99 @@ +From eaa833e616b7b7b4c2f516fdaa9b60c7fe7d6533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:07:28 +0100 +Subject: watch_queue: Limit the number of watches a user can hold + +From: David Howells + +[ Upstream commit 29e44f4535faa71a70827af3639b5e6762d8f02a ] + +Impose a limit on the number of watches that a user can hold so that +they can't use this mechanism to fill up all the available memory. + +This is done by putting a counter in user_struct that's incremented when +a watch is allocated and decreased when it is released. If the number +exceeds the RLIMIT_NOFILE limit, the watch is rejected with EAGAIN. + +This can be tested by the following means: + + (1) Create a watch queue and attach it to fd 5 in the program given - in + this case, bash: + + keyctl watch_session /tmp/nlog /tmp/gclog 5 bash + + (2) In the shell, set the maximum number of files to, say, 99: + + ulimit -n 99 + + (3) Add 200 keyrings: + + for ((i=0; i<200; i++)); do keyctl newring a$i @s || break; done + + (4) Try to watch all of the keyrings: + + for ((i=0; i<200; i++)); do echo $i; keyctl watch_add 5 %:a$i || break; done + + This should fail when the number of watches belonging to the user hits + 99. + + (5) Remove all the keyrings and all of those watches should go away: + + for ((i=0; i<200; i++)); do keyctl unlink %:a$i; done + + (6) Kill off the watch queue by exiting the shell spawned by + watch_session. + +Fixes: c73be61cede5 ("pipe: Add general notification queue support") +Reported-by: Linus Torvalds +Signed-off-by: David Howells +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/sched/user.h | 3 +++ + kernel/watch_queue.c | 8 ++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h +index 917d88edb7b9d..a8ec3b6093fcb 100644 +--- a/include/linux/sched/user.h ++++ b/include/linux/sched/user.h +@@ -36,6 +36,9 @@ struct user_struct { + defined(CONFIG_NET) || defined(CONFIG_IO_URING) + atomic_long_t locked_vm; + #endif ++#ifdef CONFIG_WATCH_QUEUE ++ atomic_t nr_watches; /* The number of watches this user currently has */ ++#endif + + /* Miscellaneous per-user rate limit */ + struct ratelimit_state ratelimit; +diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c +index f74020f6bd9d5..0ef8f65bd2d71 100644 +--- a/kernel/watch_queue.c ++++ b/kernel/watch_queue.c +@@ -393,6 +393,7 @@ static void free_watch(struct rcu_head *rcu) + struct watch *watch = container_of(rcu, struct watch, rcu); + + put_watch_queue(rcu_access_pointer(watch->queue)); ++ atomic_dec(&watch->cred->user->nr_watches); + put_cred(watch->cred); + } + +@@ -452,6 +453,13 @@ int add_watch_to_object(struct watch *watch, struct watch_list *wlist) + watch->cred = get_current_cred(); + rcu_assign_pointer(watch->watch_list, wlist); + ++ if (atomic_inc_return(&watch->cred->user->nr_watches) > ++ task_rlimit(current, RLIMIT_NOFILE)) { ++ atomic_dec(&watch->cred->user->nr_watches); ++ put_cred(watch->cred); ++ return -EAGAIN; ++ } ++ + spin_lock_bh(&wqueue->lock); + kref_get(&wqueue->usage); + kref_get(&watch->usage); +-- +2.25.1 +