From: Greg Kroah-Hartman Date: Wed, 14 Aug 2019 17:13:57 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v5.2.9~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6535b968bdcc4c0fdcaff003d5f3eaa1f546dd6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: alsa-firewire-fix-a-memory-leak-bug.patch alsa-hda-don-t-override-global-pcm-hw-info-flag.patch alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch alsa-hiface-fix-multiple-memory-leak-bugs.patch can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch hwmon-lm75-fixup-tmp75b-clr_mask.patch hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch iwlwifi-mvm-fix-an-out-of-bound-access.patch iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch mwifiex-fix-802.11n-wpa-detection.patch nfsv4-check-the-return-value-of-update_open_stateid.patch nfsv4-fix-an-oops-in-nfs4_do_setattr.patch nfsv4-fix-delegation-state-recovery.patch smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch smb3-send-cap_dfs-capability-during-session-setup.patch --- diff --git a/queue-5.2/alsa-firewire-fix-a-memory-leak-bug.patch b/queue-5.2/alsa-firewire-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..05ca846644c --- /dev/null +++ b/queue-5.2/alsa-firewire-fix-a-memory-leak-bug.patch 
@@ -0,0 +1,39 @@ +From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 8 Aug 2019 00:50:58 -0500 +Subject: ALSA: firewire: fix a memory leak bug + +From: Wenwen Wang + +commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream. + +In iso_packets_buffer_init(), 'b->packets' is allocated through +kmalloc_array(). Then, the aligned packet size is checked. If it is +larger than PAGE_SIZE, -EINVAL will be returned to indicate the error. +However, the allocated 'b->packets' is not deallocated on this path, +leading to a memory leak. + +To fix the above issue, free 'b->packets' before returning the error code. + +Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver") +Signed-off-by: Wenwen Wang +Reviewed-by: Takashi Sakamoto +Cc: # v2.6.39+ +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/packets-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/packets-buffer.c ++++ b/sound/firewire/packets-buffer.c +@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p + packets_per_page = PAGE_SIZE / packet_size; + if (WARN_ON(!packets_per_page)) { + err = -EINVAL; +- goto error; ++ goto err_packets; + } + pages = DIV_ROUND_UP(count, packets_per_page); + diff --git a/queue-5.2/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch b/queue-5.2/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch new file mode 100644 index 00000000000..876a45346e2 --- /dev/null +++ b/queue-5.2/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch 
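Review bot: in the iso_packets_buffer_init() hunk of alsa-firewire-fix-a-memory-leak-bug.patch, the only change is `goto error` to `goto err_packets`, but neither label is in the visible context, so the diff alone does not show that `err_packets:` frees `b->packets` (the leak named in the description) and releases nothing else that was not yet allocated at this point. Please include the label block as context or state in the description what each label unwinds. Separately, the condition `!packets_per_page` derives from the requested packet size, so `WARN_ON()` turns a parameter-validation failure into a backtrace; a plain `if` returning -EINVAL would be quieter unless a too-large packet size really indicates a driver bug.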
@@ -0,0 +1,42 @@ +From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 14:03:56 +0200 +Subject: ALSA: hda - Don't override global PCM hw info flag + +From: Takashi Iwai + +commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream. + +The commit bfcba288b97f ("ALSA - hda: Add support for link audio time +reporting") introduced the conditional PCM hw info setup, but it +overwrites the global azx_pcm_hw object. This will cause a problem if +any other HD-audio controller, as it'll inherit the same bit flag +although another controller doesn't support that feature. + +Fix the bug by setting the PCM hw info flag locally. + +Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -598,11 +598,9 @@ static int azx_pcm_open(struct snd_pcm_s + } + runtime->private_data = azx_dev; + +- if (chip->gts_present) +- azx_pcm_hw.info = azx_pcm_hw.info | +- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; +- + runtime->hw = azx_pcm_hw; ++ if (chip->gts_present) ++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; + runtime->hw.channels_min = hinfo->channels_min; + runtime->hw.channels_max = hinfo->channels_max; + runtime->hw.formats = hinfo->formats; diff --git a/queue-5.2/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch b/queue-5.2/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch new file mode 100644 index 00000000000..73a7e229b63 --- /dev/null +++ b/queue-5.2/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch 
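Review bot: in the azx_pcm_open() hunk of alsa-hda-don-t-override-global-pcm-hw-info-flag.patch, the fix relies on `runtime->hw = azx_pcm_hw;` being a by-value struct copy so that the `|=` which now follows it touches only this stream's runtime. A one-line comment above the new `if (chip->gts_present)` saying the flag is set per-runtime because `azx_pcm_hw` is shared by every controller in the system would stop a future change from moving it back above the copy. It is also worth grepping for any other write to an `azx_pcm_hw` member after module init, since the same pattern would cause the same cross-controller leakage of capabilities.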
@@ -0,0 +1,202 @@ +From c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 17:31:48 +0200 +Subject: ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) + +From: Takashi Iwai + +commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream. + +A long-time problem on the recent AMD chip (X370, X470, B450, etc with +PCI ID 1022:1457) with Realtek codecs is the crackled or distorted +sound for capture streams, as well as occasional playback hiccups. +After lengthy debugging sessions, the workarounds we've found are like +the following: + +- Set up the proper driver caps for this controller, similar as the + other AMD controller. + +- Correct the DMA position reporting with the fixed FIFO size, which + is similar like as workaround used for VIA chip set. + +- Even after the position correction, PulseAudio still shows + mysterious stalls of playback streams when a capture is triggered in + timer-scheduled mode. Since we have no clear way to eliminate the + stall, pass the BATCH PCM flag for PA to suppress the tsched mode as + a temporary workaround. + +This patch implements the workarounds. For the driver caps, it +defines a new preset, AXZ_DCAPS_PRESET_AMD_SB. It enables the FIFO- +corrected position reporting (corresponding to the new position_fix=6) +and enforces the SNDRV_PCM_INFO_BATCH flag. + +Note that the current implementation is merely a workaround. +Hopefully we'll find a better alternative in future, especially about +removing the BATCH flag hack again. 
+ +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 7 ++++ + sound/pci/hda/hda_controller.h | 2 - + sound/pci/hda/hda_intel.c | 63 ++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 70 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -613,6 +613,13 @@ static int azx_pcm_open(struct snd_pcm_s + 20, + 178000000); + ++ /* by some reason, the playback stream stalls on PulseAudio with ++ * tsched=1 when a capture stream triggers. Until we figure out the ++ * real cause, disable tsched mode by telling the PCM info flag. ++ */ ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) ++ runtime->hw.info |= SNDRV_PCM_INFO_BATCH; ++ + if (chip->align_buffer_size) + /* constrain buffer sizes to be multiple of 128 + bytes. This is more efficient in terms of memory +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -31,7 +31,7 @@ + /* 14 unused */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ +-/* 17 unused */ ++#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */ + #define AZX_DCAPS_NO_64BIT (1 << 18) /* No 64bit address */ + #define AZX_DCAPS_SYNC_WRITE (1 << 19) /* sync each cmd write */ + #define AZX_DCAPS_OLD_SSYNC (1 << 20) /* Old SSYNC reg for ICH */ +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -64,6 +64,7 @@ enum { + POS_FIX_VIACOMBO, + POS_FIX_COMBO, + POS_FIX_SKL, ++ POS_FIX_FIFO, + }; + + /* Defines for ATI HD Audio support in SB450 south bridge */ +@@ -135,7 +136,7 @@ module_param_array(model, charp, NULL, 0 + MODULE_PARM_DESC(model, "Use the given board model."); + module_param_array(position_fix, int, NULL, 0444); + MODULE_PARM_DESC(position_fix, "DMA pointer read method." 
+- "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+)."); ++ "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO)."); + module_param_array(bdl_pos_adj, int, NULL, 0644); + MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset."); + module_param_array(probe_mask, int, NULL, 0444); +@@ -332,6 +333,11 @@ enum { + #define AZX_DCAPS_PRESET_ATI_HDMI_NS \ + (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF) + ++/* quirks for AMD SB */ ++#define AZX_DCAPS_PRESET_AMD_SB \ ++ (AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\ ++ AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME) ++ + /* quirks for Nvidia */ + #define AZX_DCAPS_PRESET_NVIDIA \ + (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\ +@@ -841,6 +847,49 @@ static unsigned int azx_via_get_position + return bound_pos + mod_dma_pos; + } + ++#define AMD_FIFO_SIZE 32 ++ ++/* get the current DMA position with FIFO size correction */ ++static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ unsigned int pos, delay; ++ ++ pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev)); ++ if (!runtime) ++ return pos; ++ ++ runtime->delay = AMD_FIFO_SIZE; ++ delay = frames_to_bytes(runtime, AMD_FIFO_SIZE); ++ if (azx_dev->insufficient) { ++ if (pos < delay) { ++ delay = pos; ++ runtime->delay = bytes_to_frames(runtime, pos); ++ } else { ++ azx_dev->insufficient = 0; ++ } ++ } ++ ++ /* correct the DMA position for capture stream */ ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { ++ if (pos < delay) ++ pos += azx_dev->core.bufsize; ++ pos -= delay; ++ } ++ ++ return pos; ++} ++ ++static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev, ++ unsigned int pos) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ ++ /* just 
read back the calculated value in the above */ ++ return substream->runtime->delay; ++} ++ + static unsigned int azx_skl_get_dpib_pos(struct azx *chip, + struct azx_dev *azx_dev) + { +@@ -1417,6 +1466,7 @@ static int check_position_fix(struct azx + case POS_FIX_VIACOMBO: + case POS_FIX_COMBO: + case POS_FIX_SKL: ++ case POS_FIX_FIFO: + return fix; + } + +@@ -1433,6 +1483,10 @@ static int check_position_fix(struct azx + dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n"); + return POS_FIX_VIACOMBO; + } ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) { ++ dev_dbg(chip->card->dev, "Using FIFO position fix\n"); ++ return POS_FIX_FIFO; ++ } + if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) { + dev_dbg(chip->card->dev, "Using LPIB position fix\n"); + return POS_FIX_LPIB; +@@ -1453,6 +1507,7 @@ static void assign_position_fix(struct a + [POS_FIX_VIACOMBO] = azx_via_get_position, + [POS_FIX_COMBO] = azx_get_pos_lpib, + [POS_FIX_SKL] = azx_get_pos_skl, ++ [POS_FIX_FIFO] = azx_get_pos_fifo, + }; + + chip->get_position[0] = chip->get_position[1] = callbacks[fix]; +@@ -1467,6 +1522,9 @@ static void assign_position_fix(struct a + azx_get_delay_from_lpib; + } + ++ if (fix == POS_FIX_FIFO) ++ chip->get_delay[0] = chip->get_delay[1] = ++ azx_get_delay_from_fifo; + } + + /* +@@ -2444,6 +2502,9 @@ static const struct pci_device_id azx_id + /* AMD Hudson */ + { PCI_DEVICE(0x1022, 0x780d), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ /* AMD, X370 & co */ ++ { PCI_DEVICE(0x1022, 0x1457), ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB }, + /* AMD Stoney */ + { PCI_DEVICE(0x1022, 0x157a), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | diff --git a/queue-5.2/alsa-hiface-fix-multiple-memory-leak-bugs.patch b/queue-5.2/alsa-hiface-fix-multiple-memory-leak-bugs.patch new file mode 100644 index 00000000000..1a81da8b51c --- /dev/null +++ b/queue-5.2/alsa-hiface-fix-multiple-memory-leak-bugs.patch 
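Review bot: in the hda_controller.c azx_pcm_open() hunk of alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch, the new comment reads "by some reason"; "for some reason" is the intended English. More usefully, the comment should carry the bugzilla link from the description, since the BATCH flag is explicitly a temporary hack and whoever removes it later needs the trail.

Review bot: in the azx_get_pos_fifo() hunk, `AMD_FIFO_SIZE` is used as a frame count (`runtime->delay = AMD_FIFO_SIZE;` and `frames_to_bytes(runtime, AMD_FIFO_SIZE)`), yet hardware FIFO depths are normally quoted in bytes. If 32 is really bytes, the reported delay is over-stated by the frame size for every format. Please either rename the macro or add `/* in frames */` next to the define so the unit is unambiguous. In the same hunk, `azx_get_delay_from_fifo()` dereferences `substream->runtime->delay` without the `if (!runtime) return pos;` guard that `azx_get_pos_fifo()` has; if both callbacks can run under the same conditions make them consistent, either drop the guard or add it.

Review bot: in the check_position_fix() and assign_position_fix() hunks, `case POS_FIX_FIFO: return fix;` means a user can force `position_fix=6` on any controller, after which the 32-frame FIFO correction and the `azx_get_delay_from_fifo` callback apply to hardware it was never measured on. That is consistent with how the other modes behave, but the `MODULE_PARM_DESC` text should say that `6 = FIFO` is meant for the AMD 1022:1457 controller so the value is not cargo-culted onto other chips.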
@@ -0,0 +1,58 @@ +From 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 7 Aug 2019 04:08:51 -0500 +Subject: ALSA: hiface: fix multiple memory leak bugs + +From: Wenwen Wang + +commit 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 upstream. + +In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later +on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In +hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through +kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and +'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs. +Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails. + +To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'. + +Fixes: a91c3fb2f842 ("Add M2Tech hiFace USB-SPDIF driver") +Signed-off-by: Wenwen Wang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/hiface/pcm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/sound/usb/hiface/pcm.c ++++ b/sound/usb/hiface/pcm.c +@@ -600,14 +600,13 @@ int hiface_pcm_init(struct hiface_chip * + ret = hiface_pcm_init_urb(&rt->out_urbs[i], chip, OUT_EP, + hiface_pcm_out_urb_handler); + if (ret < 0) +- return ret; ++ goto error; + } + + ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, &pcm); + if (ret < 0) { +- kfree(rt); + dev_err(&chip->dev->dev, "Cannot create pcm instance\n"); +- return ret; ++ goto error; + } + + pcm->private_data = rt; +@@ -620,4 +619,10 @@ int hiface_pcm_init(struct hiface_chip * + + chip->pcm = rt; + return 0; ++ ++error: ++ for (i = 0; i < PCM_N_URBS; i++) ++ kfree(rt->out_urbs[i].buffer); ++ kfree(rt); ++ return ret; + } diff --git a/queue-5.2/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch b/queue-5.2/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..4fa77547206 --- /dev/null 
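Review bot: in the new `error:` block of hiface_pcm_init() in alsa-hiface-fix-multiple-memory-leak-bugs.patch, the loop `for (i = 0; i < PCM_N_URBS; i++) kfree(rt->out_urbs[i].buffer);` walks every slot, including ones hiface_pcm_init_urb() never reached. That is only safe because `rt` comes from kzalloc() (stated in the description), so untouched `.buffer` pointers are NULL and kfree(NULL) is a no-op; please say so in a comment so nobody later swaps the allocation to kmalloc(). Also confirm that `.buffer` is the only resource hiface_pcm_init_urb() acquires; if it also allocates the URB object itself, that still leaks on this path and would need a matching free here.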
+++ b/queue-5.2/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch @@ -0,0 +1,35 @@ +From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_ + goto err_out; + + /* allocate command buffer once for all for the interface */ +- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE, ++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE, + GFP_KERNEL); + if (!pdev->cmd_buffer_addr) + goto err_out_1; diff --git a/queue-5.2/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch b/queue-5.2/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..eab2fc8362b --- /dev/null +++ b/queue-5.2/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch 
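Review bot: the kzalloc() change in pcan_usb_fd_init() of can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch stops uninitialised heap from reaching the device, but, per the comment in the hunk, this buffer is allocated once and reused for every command on the interface. Bytes that a later, shorter command does not overwrite will therefore carry the previous command's contents rather than zeros. That is no longer a kernel memory disclosure, but if the protocol expects zero padding in unused fields the clearing belongs where each command is built, not only at allocation time.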
@@ -0,0 +1,35 @@ +From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com +Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c +@@ -494,7 +494,7 @@ static int pcan_usb_pro_drv_loaded(struc + u8 *buffer; + int err; + +- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); ++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + diff --git a/queue-5.2/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch b/queue-5.2/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch new file mode 100644 index 00000000000..bcc15235503 --- /dev/null +++ b/queue-5.2/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch 
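Review bot: in pcan_usb_pro_drv_loaded() of can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch, kzalloc() is the right minimal fix since the buffer is local to the function. The `Fixes:` tag points at the commit that moved this buffer off the stack, which is exactly when it became uninitialised heap that could be DMA'd to the device; stating that in the description would make the regression window obvious to anyone backporting. Since syzbot reported this, a note that the reproducer no longer triggers would close the loop.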
@@ -0,0 +1,60 @@ +From d75996dd022b6d83bd14af59b2775b1aa639e4b9 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Fri, 2 Aug 2019 15:29:56 -0400 +Subject: dax: dax_layout_busy_page() should not unmap cow pages + +From: Vivek Goyal + +commit d75996dd022b6d83bd14af59b2775b1aa639e4b9 upstream. + +Vivek: + + "As of now dax_layout_busy_page() calls unmap_mapping_range() with last + argument as 1, which says even unmap cow pages. I am wondering who needs + to get rid of cow pages as well. + + I noticed one interesting side affect of this. I mount xfs with -o dax and + mmaped a file with MAP_PRIVATE and wrote some data to a page which created + cow page. Then I called fallocate() on that file to zero a page of file. + fallocate() called dax_layout_busy_page() which unmapped cow pages as well + and then I tried to read back the data I wrote and what I get is old + data from persistent memory. I lost the data I had written. This + read basically resulted in new fault and read back the data from + persistent memory. + + This sounds wrong. Are there any users which need to unmap cow pages + as well? If not, I am proposing changing it to not unmap cow pages. + + I noticed this while while writing virtio_fs code where when I tried + to reclaim a memory range and that corrupted the executable and I + was running from virtio-fs and program got segment violation." + +Dan: + + "In fact the unmap_mapping_range() in this path is only to synchronize + against get_user_pages_fast() and force it to call back into the + filesystem to re-establish the mapping. COW pages should be left + untouched by dax_layout_busy_page()." 
+ +Cc: +Fixes: 5fac7408d828 ("mm, fs, dax: handle layout changes to pinned dax mappings") +Signed-off-by: Vivek Goyal +Link: https://lore.kernel.org/r/20190802192956.GA3032@redhat.com +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dax.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -601,7 +601,7 @@ struct page *dax_layout_busy_page(struct + * guaranteed to either see new references or prevent new + * references from being established. + */ +- unmap_mapping_range(mapping, 0, 0, 1); ++ unmap_mapping_range(mapping, 0, 0, 0); + + xas_lock_irq(&xas); + xas_for_each(&xas, entry, ULONG_MAX) { diff --git a/queue-5.2/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch b/queue-5.2/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch new file mode 100644 index 00000000000..66fbb27a447 --- /dev/null +++ b/queue-5.2/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch 
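Review bot: in the dax_layout_busy_page() hunk of dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch, flipping the last `unmap_mapping_range()` argument from `1` to `0` changes behaviour that the comment directly above ("guaranteed to either see new references or prevent new references from being established") does not explain, so a reader will not know why private COW pages are now deliberately left mapped. Please fold Dan's sentence from the description into that comment: the unmap exists only to force get_user_pages_fast() back into the filesystem, and COW pages should be left untouched. A bare `0` as the `even_cows` argument gives no hint of its meaning; a short comment on the call line would help.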
@@ -0,0 +1,54 @@ +From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001 +From: Stanislav Lisovskiy +Date: Fri, 12 Jul 2019 11:19:38 +0300 +Subject: drm/i915: Fix wrong escape clock divisor init for GLK + +From: Stanislav Lisovskiy + +commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream. + +According to Bspec clock divisor registers in GeminiLake +should be initialized by shifting 1(<<) to amount of correspondent +divisor. While i915 was writing all this time that value as is. + +Surprisingly that it by accident worked, until we met some issues +with Microtech Etab. + +v2: Added Fixes tag and cc +v3: Added stable to cc as well. + +Signed-off-by: Stanislav Lisovskiy +Reviewed-by: Vandita Kulkarni +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826 +Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK") +Cc: Deepak M +Cc: Madhav Chauhan +Cc: Jani Nikula +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: intel-gfx@lists.freedesktop.org +Cc: stable@vger.kernel.org +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com +(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/vlv_dsi_pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/vlv_dsi_pll.c ++++ b/drivers/gpu/drm/i915/vlv_dsi_pll.c +@@ -394,8 +394,8 @@ static void glk_dsi_program_esc_clock(st + else + txesc2_div = 10; + +- I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK); +- I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK); + } + + /* Program BXT Mipi clocks and dividers */ 
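Review bot: in glk_dsi_program_esc_clock() of drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch, `1 << (txesc1_div - 1)` is undefined behaviour if a divisor can ever be 0, and the `& GLK_TX_ESC_CLK_DIV*_MASK` silently truncates the result if the shift exceeds the mask width, leaving the register programmed with a wrong value rather than failing loudly. The visible context shows only the `else txesc2_div = 10;` branch, so please confirm every path assigns both divisors a value in [1, number of mask bits], or add a WARN_ON()/clamp before the writes. A comment citing the Bspec wording (the register takes a one-hot bit, not the divisor value) would also explain the non-obvious encoding, which is the whole point of the patch.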
diff --git a/queue-5.2/hwmon-lm75-fixup-tmp75b-clr_mask.patch b/queue-5.2/hwmon-lm75-fixup-tmp75b-clr_mask.patch new file mode 100644 index 00000000000..66466ba77ed --- /dev/null +++ b/queue-5.2/hwmon-lm75-fixup-tmp75b-clr_mask.patch @@ -0,0 +1,37 @@ +From a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2 Mon Sep 17 00:00:00 2001 +From: Iker Perez del Palomar Sustatxa +Date: Thu, 1 Aug 2019 08:53:24 +0100 +Subject: hwmon: (lm75) Fixup tmp75b clr_mask + +From: Iker Perez del Palomar Sustatxa + +commit a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2 upstream. + +The configuration register of the tmp75b sensor is 16bit long, however +the first byte is reserved, so there is not no need to take care of it. + +Because the order of the bytes is little endian and it is only necessary +to write one byte, the desired bits must be shifted into a 8 bit range. + +Fixes: 39abe9d88b30 ("hwmon: (lm75) Add support for TMP75B") +Cc: stable@vger.kernel.org +Signed-off-by: Iker Perez del Palomar Sustatxa +Link: https://lore.kernel.org/r/20190801075324.4638-1-iker.perez@codethink.co.uk +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm75.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm75.c ++++ b/drivers/hwmon/lm75.c +@@ -343,7 +343,7 @@ lm75_probe(struct i2c_client *client, co + data->sample_time = MSEC_PER_SEC / 2; + break; + case tmp75b: /* not one-shot mode, Conversion rate 37Hz */ +- clr_mask |= 1 << 15 | 0x3 << 13; ++ clr_mask |= 1 << 7 | 0x3 << 5; + data->resolution = 12; + data->sample_time = MSEC_PER_SEC / 37; + break; diff --git a/queue-5.2/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch b/queue-5.2/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch new file mode 100644 index 00000000000..eb1463ede08 --- /dev/null +++ b/queue-5.2/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch 
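Review bot: in the `case tmp75b:` hunk of hwmon-lm75-fixup-tmp75b-clr_mask.patch, `clr_mask |= 1 << 7 | 0x3 << 5;` depends on the configuration register being accessed as a single byte so that bits 15 and 13..14 of the 16-bit register become bits 7 and 5..6; that reasoning currently lives only in the commit message. Please add it as a comment next to the mask so the next person does not "fix" it back to the 16-bit positions. Parenthesising the two shifts would also help readability, even though `<<` already binds tighter than `|`.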
@@ -0,0 +1,56 @@ +From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 26 Jul 2019 08:00:49 -0700 +Subject: hwmon: (nct7802) Fix wrong detection of in4 presence + +From: Guenter Roeck + +commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream. + +The code to detect if in4 is present is wrong; if in4 is not present, +the in4_input sysfs attribute is still present. + +In detail: + +- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug). +- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input + file under /sys and the "sensors" command displays in4_input. + But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep. + +Fix is_visible function to detect and report in4_input visibility +as expected. + +Reported-by: Gilles Buloz +Cc: Gilles Buloz +Cc: stable@vger.kernel.org +Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -704,7 +704,7 @@ static struct attribute *nct7802_in_attr + &sensor_dev_attr_in3_alarm.dev_attr.attr, + &sensor_dev_attr_in3_beep.dev_attr.attr, + +- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */ ++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */ + &sensor_dev_attr_in4_min.dev_attr.attr, + &sensor_dev_attr_in4_max.dev_attr.attr, + &sensor_dev_attr_in4_alarm.dev_attr.attr, +@@ -730,9 +730,9 @@ static umode_t nct7802_in_is_visible(str + + if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */ + return 0; +- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */ ++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */ + return 0; +- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */ ++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */ + return 0; + + return attr->mode; 
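Review bot: in the nct7802_in_is_visible() hunk of hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch, the VSEN boundaries are hand-maintained indexes into `nct7802_in_attrs[]`, and this patch is exactly the drift they invite (17 vs 16). The ranges now read 6..10, 11..15 and 16.. for VSEN1/2/3, five attributes each (input, min, max, alarm, beep), which matches the array layout shown. A comment stating the per-group count, or a compile-time check tying the thresholds to the array, would make the next attribute addition safer than the `/* 16 */` marker alone.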
diff --git a/queue-5.2/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch b/queue-5.2/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch new file mode 100644 index 00000000000..b1a30bdbc50 --- /dev/null +++ b/queue-5.2/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch @@ -0,0 +1,37 @@ +From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 21 Jul 2019 14:02:27 +0300 +Subject: iwlwifi: don't unmap as page memory that was mapped as single + +From: Emmanuel Grumbach + +commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream. + +In order to remember how to unmap a memory (as single or +as page), we maintain a bit per Transmit Buffer (TBs) in +the meta data (structure iwl_cmd_meta). +We maintain a bitmap: 1 bit per TB. +If the TB is set, we will free the memory as a page. +This bitmap was never cleared. Fix this. + +Cc: stable@vger.kernel.org +Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +@@ -435,6 +435,8 @@ static void iwl_pcie_tfd_unmap(struct iw + DMA_TO_DEVICE); + } + ++ meta->tbs = 0; ++ + if (trans->cfg->use_tfh) { + struct iwl_tfh_tfd *tfd_fh = (void *)tfd; + diff --git a/queue-5.2/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch b/queue-5.2/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch new file mode 100644 index 00000000000..7f071c70566 --- /dev/null +++ b/queue-5.2/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch 
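Review bot: in the iwl_pcie_tfd_unmap() hunk of iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch, `meta->tbs = 0;` is placed after the loop whose tail is visible (the one that consults the per-TB bits to pick page versus single unmap, per the description) and before the `use_tfh` branch, which is the right spot. A short comment saying the bitmap must be reset here because `meta` is reused for the next command would make the intent explicit, since an isolated `= 0` is easy to drop during a refactor. The stale-bit failure mode (a later single mapping released with the page unmap) is the kind of thing DMA API debugging flags, so a CONFIG_DMA_API_DEBUG run before and after would be good evidence for the stable backport.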
@@ -0,0 +1,73 @@ +From 39bd984c203e86f3109b49c2a2e20677c4d3ab65 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Mon, 24 Jun 2019 22:29:33 +0300 +Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 + +From: Luca Coelho + +commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream. + +Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT +command, and sending it to the firmware will cause a firmware crash. +We allow this via debugfs, so we need to return an error value in case +it's not supported. + +This had already been fixed during init, when we send the command if +the ACPI WGDS table is present. Fix it also for the other, +userspace-triggered case. + +Cc: stable@vger.kernel.org +Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -874,6 +874,17 @@ int iwl_mvm_sar_select_profile(struct iw + return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd); + } + ++static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm) ++{ ++ /* ++ * The GEO_TX_POWER_LIMIT command is not supported on earlier ++ * firmware versions. Unfortunately, we don't have a TLV API ++ * flag to rely on, so rely on the major version which is in ++ * the first byte of ucode_ver. 
++ */ ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++} ++ + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) + { + struct iwl_geo_tx_power_profiles_resp *resp; +@@ -889,6 +900,9 @@ int iwl_mvm_get_sar_geo_profile(struct i + .data = { &geo_cmd }, + }; + ++ if (!iwl_mvm_sar_geo_support(mvm)) ++ return -EOPNOTSUPP; ++ + ret = iwl_mvm_send_cmd(mvm, &cmd); + if (ret) { + IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret); +@@ -914,13 +928,7 @@ static int iwl_mvm_sar_geo_init(struct i + int ret, i, j; + u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT); + +- /* +- * This command is not supported on earlier firmware versions. +- * Unfortunately, we don't have a TLV API flag to rely on, so +- * rely on the major version which is in the first byte of +- * ucode_ver. +- */ +- if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41) ++ if (!iwl_mvm_sar_geo_support(mvm)) + return 0; + + ret = iwl_mvm_sar_get_wgds_table(mvm); diff --git a/queue-5.2/iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch b/queue-5.2/iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch new file mode 100644 index 00000000000..7737d256524 --- /dev/null +++ b/queue-5.2/iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch 
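Review bot: in iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch, the two callers of the new iwl_mvm_sar_geo_support() return different things when it is false: `-EOPNOTSUPP` in iwl_mvm_get_sar_geo_profile() (the debugfs path) and `0` in iwl_mvm_sar_geo_init(). That is intentional per the description (init must not fail on older firmware), but it deserves a one-line comment at the `return 0;` so a reader does not assume the error was swallowed by mistake. Note also that this same queue carries iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch, which rewrites the `>= 41` test inside this helper; the two must be applied together, otherwise the debugfs path rejects firmware majors that do support the command.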
@@ -0,0 +1,44 @@ +From 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 22 Jul 2019 13:02:25 +0300 +Subject: iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment + +From: Emmanuel Grumbach + +commit 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 upstream. + +Accessing the hdr of an skb that was consumed already isn't +a good idea. +First ask if the skb is a QoS packet, then keep that data +on stack, and then consume the skb. +This was spotted by KASAN. + +Cc: stable@vger.kernel.org +Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s + unsigned int tcp_payload_len; + unsigned int mss = skb_shinfo(skb)->gso_size; + bool ipv4 = (skb->protocol == htons(ETH_P_IP)); ++ bool qos = ieee80211_is_data_qos(hdr->frame_control); + u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0; + + skb_shinfo(skb)->gso_size = num_subframes * mss; +@@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s + if (tcp_payload_len > mss) { + skb_shinfo(tmp)->gso_size = mss; + } else { +- if (ieee80211_is_data_qos(hdr->frame_control)) { ++ if (qos) { + u8 *qc; + + if (ipv4) diff --git a/queue-5.2/iwlwifi-mvm-fix-an-out-of-bound-access.patch b/queue-5.2/iwlwifi-mvm-fix-an-out-of-bound-access.patch new file mode 100644 index 00000000000..106006906e1 --- /dev/null +++ b/queue-5.2/iwlwifi-mvm-fix-an-out-of-bound-access.patch 
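Review bot: in iwl_mvm_tx_tso_segment() of iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch, hoisting `bool qos = ieee80211_is_data_qos(hdr->frame_control);` into the declarations fixes the use-after-free, but nothing at the declaration says why it has to be evaluated there. Add a comment that `skb` (and `hdr`, which points into it) is consumed by the segmentation below, so every field needed afterwards must be captured first; otherwise a cleanup pass could re-inline the call. `ip_base_id` in the same declaration block is already captured this way, so the pattern is established; worth checking that `hdr` was the only remaining pointer into the original skb used after the segment call.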
@@ -0,0 +1,38 @@ +From ba3224db78034435e9ff0247277cce7c7bb1756c Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 22 Jul 2019 12:47:27 +0300 +Subject: iwlwifi: mvm: fix an out-of-bound access + +From: Emmanuel Grumbach + +commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream. + +The index for the elements of the ACPI object we dereference +was static. This means that if we called the function twice +we wouldn't start from 3 again, but rather from the latest +index we reached in the previous call. +This was dutifully reported by KASAN. + +Fix this. + +Cc: stable@vger.kernel.org +Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -753,7 +753,7 @@ static int iwl_mvm_sar_get_ewrd_table(st + + for (i = 0; i < n_profiles; i++) { + /* the tables start at element 3 */ +- static int pos = 3; ++ int pos = 3; + + /* The EWRD profiles officially go from 2 to 4, but we + * save them in sar_profiles[1-3] (because we don't diff --git a/queue-5.2/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch b/queue-5.2/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch new file mode 100644 index 00000000000..56f38eec97c --- /dev/null +++ b/queue-5.2/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch 
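Review bot: dropping `static` from `int pos = 3;` removes the index that carried over between calls, which is the KASAN-reported overrun. The loop still advances `pos` per profile purely from `n_profiles`, and nothing visible here checks that the ACPI package actually contains that many elements; if that bound is not enforced elsewhere, a check of `pos` against the package's element count would turn a malformed EWRD table into a clean error instead of another out-of-bounds read.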
@@ -0,0 +1,43 @@ +From f5a47fae6aa3eb06f100e701d2342ee56b857bee Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 19 Jul 2019 12:21:59 +0300 +Subject: iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support + +From: Luca Coelho + +commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream. + +We erroneously added a check for FW API version 41 before sending +GEO_TX_POWER_LIMIT, but this was already implemented in version 38. +Additionally, it was cherry-picked to older versions, namely 17, 26 +and 29, so check for those as well. + +Cc: stable@vger.kernel.org +Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -880,9 +880,14 @@ static bool iwl_mvm_sar_geo_support(stru + * The GEO_TX_POWER_LIMIT command is not supported on earlier + * firmware versions. Unfortunately, we don't have a TLV API + * flag to rely on, so rely on the major version which is in +- * the first byte of ucode_ver. ++ * the first byte of ucode_ver. This was implemented ++ * initially on version 38 and then backported to 36, 29 and ++ * 17. + */ +- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; + } + + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) diff --git a/queue-5.2/kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch b/queue-5.2/kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch new file mode 100644 index 00000000000..51c039a53bd --- /dev/null 
+++ b/queue-5.2/kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch 
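Review bot: in the GEO_TX_POWER_LIMIT version-check fix, the commit message and the code disagree on one backport version. The message says the command was cherry-picked to firmware API versions 17, 26 and 29, while the new comment and the condition check 36, 29 and 17 (`IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36`). One of the two is a typo and should be resolved before this lands, since a wrong `== 36` either sends an unsupported command to one firmware or skips SAR geo profiles on another. Minor style point: `IWL_UCODE_SERIAL(mvm->fw->ucode_ver)` is evaluated four times in the return expression; a local variable would read more easily.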
@@ -0,0 +1,171 @@ +From 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Fri, 2 Aug 2019 10:28:32 +0100 +Subject: KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block + +From: Marc Zyngier + +commit 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c upstream. + +Since commit commit 328e56647944 ("KVM: arm/arm64: vgic: Defer +touching GICH_VMCR to vcpu_load/put"), we leave ICH_VMCR_EL2 (or +its GICv2 equivalent) loaded as long as we can, only syncing it +back when we're scheduled out. + +There is a small snag with that though: kvm_vgic_vcpu_pending_irq(), +which is indirectly called from kvm_vcpu_check_block(), needs to +evaluate the guest's view of ICC_PMR_EL1. At the point were we +call kvm_vcpu_check_block(), the vcpu is still loaded, and whatever +changes to PMR is not visible in memory until we do a vcpu_put(). + +Things go really south if the guest does the following: + + mov x0, #0 // or any small value masking interrupts + msr ICC_PMR_EL1, x0 + + [vcpu preempted, then rescheduled, VMCR sampled] + + mov x0, #ff // allow all interrupts + msr ICC_PMR_EL1, x0 + wfi // traps to EL2, so samping of VMCR + + [interrupt arrives just after WFI] + +Here, the hypervisor's view of PMR is zero, while the guest has enabled +its interrupts. kvm_vgic_vcpu_pending_irq() will then say that no +interrupts are pending (despite an interrupt being received) and we'll +block for no reason. If the guest doesn't have a periodic interrupt +firing once it has blocked, it will stay there forever. + +To avoid this unfortuante situation, let's resync VMCR from +kvm_arch_vcpu_blocking(), ensuring that a following kvm_vcpu_check_block() +will observe the latest value of PMR. + +This has been found by booting an arm64 Linux guest with the pseudo NMI +feature, and thus using interrupt priorities to mask interrupts instead +of the usual PSTATE masking. 
+ +Cc: stable@vger.kernel.org # 4.12 +Fixes: 328e56647944 ("KVM: arm/arm64: vgic: Defer touching GICH_VMCR to vcpu_load/put") +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + include/kvm/arm_vgic.h | 1 + + virt/kvm/arm/arm.c | 11 +++++++++++ + virt/kvm/arm/vgic/vgic-v2.c | 9 ++++++++- + virt/kvm/arm/vgic/vgic-v3.c | 7 ++++++- + virt/kvm/arm/vgic/vgic.c | 11 +++++++++++ + virt/kvm/arm/vgic/vgic.h | 2 ++ + 6 files changed, 39 insertions(+), 2 deletions(-) + +--- a/include/kvm/arm_vgic.h ++++ b/include/kvm/arm_vgic.h +@@ -350,6 +350,7 @@ int kvm_vgic_vcpu_pending_irq(struct kvm + + void kvm_vgic_load(struct kvm_vcpu *vcpu); + void kvm_vgic_put(struct kvm_vcpu *vcpu); ++void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu); + + #define irqchip_in_kernel(k) (!!((k)->arch.vgic.in_kernel)) + #define vgic_initialized(k) ((k)->arch.vgic.initialized) +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -323,6 +323,17 @@ int kvm_cpu_has_pending_timer(struct kvm + + void kvm_arch_vcpu_blocking(struct kvm_vcpu *vcpu) + { ++ /* ++ * If we're about to block (most likely because we've just hit a ++ * WFI), we need to sync back the state of the GIC CPU interface ++ * so that we have the lastest PMR and group enables. This ensures ++ * that kvm_arch_vcpu_runnable has up-to-date data to decide ++ * whether we have pending interrupts. 
++ */ ++ preempt_disable(); ++ kvm_vgic_vmcr_sync(vcpu); ++ preempt_enable(); ++ + kvm_vgic_v4_enable_doorbell(vcpu); + } + +--- a/virt/kvm/arm/vgic/vgic-v2.c ++++ b/virt/kvm/arm/vgic/vgic-v2.c +@@ -484,10 +484,17 @@ void vgic_v2_load(struct kvm_vcpu *vcpu) + kvm_vgic_global_state.vctrl_base + GICH_APR); + } + +-void vgic_v2_put(struct kvm_vcpu *vcpu) ++void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu) + { + struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2; + + cpu_if->vgic_vmcr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_VMCR); ++} ++ ++void vgic_v2_put(struct kvm_vcpu *vcpu) ++{ ++ struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2; ++ ++ vgic_v2_vmcr_sync(vcpu); + cpu_if->vgic_apr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_APR); + } +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -662,12 +662,17 @@ void vgic_v3_load(struct kvm_vcpu *vcpu) + __vgic_v3_activate_traps(vcpu); + } + +-void vgic_v3_put(struct kvm_vcpu *vcpu) ++void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu) + { + struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3; + + if (likely(cpu_if->vgic_sre)) + cpu_if->vgic_vmcr = kvm_call_hyp_ret(__vgic_v3_read_vmcr); ++} ++ ++void vgic_v3_put(struct kvm_vcpu *vcpu) ++{ ++ vgic_v3_vmcr_sync(vcpu); + + kvm_call_hyp(__vgic_v3_save_aprs, vcpu); + +--- a/virt/kvm/arm/vgic/vgic.c ++++ b/virt/kvm/arm/vgic/vgic.c +@@ -919,6 +919,17 @@ void kvm_vgic_put(struct kvm_vcpu *vcpu) + vgic_v3_put(vcpu); + } + ++void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu) ++{ ++ if (unlikely(!irqchip_in_kernel(vcpu->kvm))) ++ return; ++ ++ if (kvm_vgic_global_state.type == VGIC_V2) ++ vgic_v2_vmcr_sync(vcpu); ++ else ++ vgic_v3_vmcr_sync(vcpu); ++} ++ + int kvm_vgic_vcpu_pending_irq(struct kvm_vcpu *vcpu) + { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; +--- a/virt/kvm/arm/vgic/vgic.h ++++ b/virt/kvm/arm/vgic/vgic.h +@@ -193,6 +193,7 @@ int vgic_register_dist_iodev(struct kvm + void vgic_v2_init_lrs(void); + 
void vgic_v2_load(struct kvm_vcpu *vcpu); + void vgic_v2_put(struct kvm_vcpu *vcpu); ++void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu); + + void vgic_v2_save_state(struct kvm_vcpu *vcpu); + void vgic_v2_restore_state(struct kvm_vcpu *vcpu); +@@ -223,6 +224,7 @@ bool vgic_v3_check_base(struct kvm *kvm) + + void vgic_v3_load(struct kvm_vcpu *vcpu); + void vgic_v3_put(struct kvm_vcpu *vcpu); ++void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu); + + bool vgic_has_its(struct kvm *kvm); + int kvm_vgic_register_its_device(void); diff --git a/queue-5.2/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch b/queue-5.2/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch new file mode 100644 index 00000000000..1d9fff24df2 --- /dev/null +++ b/queue-5.2/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch 
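Review bot: typo in the new comment in kvm_arch_vcpu_blocking() in virt/kvm/arm/arm.c: "lastest PMR" should read "latest PMR". On substance, kvm_vgic_vmcr_sync() reads the live hardware VMCR (`readl_relaxed(... + GICH_VMCR)` on GICv2, `__vgic_v3_read_vmcr` on GICv3) and is only meaningful while this vcpu's state is loaded on the current CPU, which is why the call sits between preempt_disable() and preempt_enable(). A kerneldoc line on kvm_vgic_vmcr_sync() stating that precondition would stop it being called later from a path where the vcpu is not loaded, where it would silently sample another vcpu's PMR.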
@@ -0,0 +1,200 @@ +From 17e433b54393a6269acbcb792da97791fe1592d8 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 5 Aug 2019 10:03:19 +0800 +Subject: KVM: Fix leak vCPU's VMCS value into other pCPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream. + +After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a +five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs +on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting +in the VMs after stress testing: + + INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073) + Call Trace: + flush_tlb_mm_range+0x68/0x140 + tlb_flush_mmu.part.75+0x37/0xe0 + tlb_finish_mmu+0x55/0x60 + zap_page_range+0x142/0x190 + SyS_madvise+0x3cd/0x9c0 + system_call_fastpath+0x1c/0x21 + +swait_active() sustains to be true before finish_swait() is called in +kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account +by kvm_vcpu_on_spin() loop greatly increases the probability condition +kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv +is enabled the yield-candidate vCPU's VMCS RVI field leaks(by +vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current +VMCS. + +This patch fixes it by checking conservatively a subset of events. 
+ +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Christian Borntraeger +Cc: Marc Zyngier +Cc: stable@vger.kernel.org +Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/powerpc.c | 5 +++++ + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/svm.c | 6 ++++++ + arch/x86/kvm/vmx/vmx.c | 6 ++++++ + arch/x86/kvm/x86.c | 16 ++++++++++++++++ + include/linux/kvm_host.h | 1 + + virt/kvm/kvm_main.c | 25 ++++++++++++++++++++++++- + 7 files changed, 59 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -50,6 +50,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return !!(v->arch.pending_exceptions) || kvm_request_pending(v); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return false; +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1169,6 +1169,7 @@ struct kvm_x86_ops { + int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq, + uint32_t guest_irq, bool set); + void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu); ++ bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu); + + int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc, + bool *expired); +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5167,6 +5167,11 @@ static void svm_deliver_avic_intr(struct + kvm_vcpu_wake_up(vcpu); + } + ++static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return false; ++} ++ + static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi) + { + unsigned long flags; +@@ -7264,6 +7269,7 @@ static struct kvm_x86_ops svm_x86_ops __ + + .pmu_ops = &amd_pmu_ops, + .deliver_posted_interrupt = svm_deliver_avic_intr, ++ .dy_apicv_has_pending_interrupt = 
svm_dy_apicv_has_pending_interrupt, + .update_pi_irte = svm_update_pi_irte, + .setup_mce = svm_setup_mce, + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6096,6 +6096,11 @@ static int vmx_sync_pir_to_irr(struct kv + return max_irr; + } + ++static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return pi_test_on(vcpu_to_pi_desc(vcpu)); ++} ++ + static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap) + { + if (!kvm_vcpu_apicv_active(vcpu)) +@@ -7662,6 +7667,7 @@ static struct kvm_x86_ops vmx_x86_ops __ + .guest_apic_has_interrupt = vmx_guest_apic_has_interrupt, + .sync_pir_to_irr = vmx_sync_pir_to_irr, + .deliver_posted_interrupt = vmx_deliver_posted_interrupt, ++ .dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt, + + .set_tss_addr = vmx_set_tss_addr, + .set_identity_map_addr = vmx_set_identity_map_addr, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9641,6 +9641,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (READ_ONCE(vcpu->arch.pv.pv_unhalted)) ++ return true; ++ ++ if (kvm_test_request(KVM_REQ_NMI, vcpu) || ++ kvm_test_request(KVM_REQ_SMI, vcpu) || ++ kvm_test_request(KVM_REQ_EVENT, vcpu)) ++ return true; ++ ++ if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu)) ++ return true; ++ ++ return false; ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return vcpu->arch.preempted_in_kernel; +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -871,6 +871,7 @@ void kvm_arch_check_processor_compat(voi + int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu); + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu); + int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu); ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu); + + #ifndef __KVM_HAVE_ARCH_VM_ALLOC + /* +--- a/virt/kvm/kvm_main.c ++++ 
b/virt/kvm/kvm_main.c +@@ -2475,6 +2475,29 @@ static bool kvm_vcpu_eligible_for_direct + #endif + } + ++/* ++ * Unlike kvm_arch_vcpu_runnable, this function is called outside ++ * a vcpu_load/vcpu_put pair. However, for most architectures ++ * kvm_arch_vcpu_runnable does not require vcpu_load. ++ */ ++bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ ++static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (kvm_arch_dy_runnable(vcpu)) ++ return true; ++ ++#ifdef CONFIG_KVM_ASYNC_PF ++ if (!list_empty_careful(&vcpu->async_pf.done)) ++ return true; ++#endif ++ ++ return false; ++} ++ + void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) + { + struct kvm *kvm = me->kvm; +@@ -2504,7 +2527,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m + continue; + if (vcpu == me) + continue; +- if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu)) ++ if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu)) + continue; + if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu)) + continue; diff --git a/queue-5.2/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch b/queue-5.2/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch new file mode 100644 index 00000000000..2b45e8040e2 --- /dev/null +++ b/queue-5.2/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch 
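Review bot: the powerpc definition of kvm_arch_dy_runnable() in arch/powerpc/kvm/powerpc.c returns kvm_arch_vcpu_runnable(vcpu), which is exactly what the new `__weak` default in virt/kvm/kvm_main.c already does, so that hunk is redundant and can be dropped unless a powerpc-specific override is planned. In the x86 hunk, `if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu))` runs well past 80 columns and should be wrapped. The logic itself is sound: vcpu_dy_runnable() avoids vmx_sync_pir_to_irr(), which writes RVI into whatever VMCS is current on the spinning pCPU, and instead tests the posted-interrupt ON bit via pi_test_on(), so the yield candidate's state no longer leaks into the caller's VMCS.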
@@ -0,0 +1,53 @@ +From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 26 Jul 2019 15:47:58 -0700 +Subject: mac80211: don't WARN on short WMM parameters from AP + +From: Brian Norris + +commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream. + +In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN +on bad WMM parameters from buggy APs"), an AP may not transmit a +fully-formed WMM IE. For example, it may miss or repeat an Access +Category. The above loop won't catch that and will instead leave one of +the four ACs zeroed out. This triggers the following warning in +drv_conf_tx() + + wlan0: invalid CW_min/CW_max: 0/0 + +and it may leave one of the hardware queues unconfigured. If we detect +such a case, let's just print a warning and fall back to the defaults. + +Tested with a hacked version of hostapd, intentionally corrupting the +IEs in hostapd_eid_wmm(). + +Cc: stable@vger.kernel.org +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2041,6 +2041,16 @@ ieee80211_sta_wmm_params(struct ieee8021 + ieee80211_regulatory_limit_wmm_params(sdata, ¶ms[ac], ac); + } + ++ /* WMM specification requires all 4 ACIs. */ ++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { ++ if (params[ac].cw_min == 0) { ++ sdata_info(sdata, ++ "AP has invalid WMM params (missing AC %d), using defaults\n", ++ ac); ++ return false; ++ } ++ } ++ + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { + mlme_dbg(sdata, + "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n", diff --git a/queue-5.2/mwifiex-fix-802.11n-wpa-detection.patch b/queue-5.2/mwifiex-fix-802.11n-wpa-detection.patch new file mode 100644 index 00000000000..a7340937120 --- /dev/null 
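Review bot: the new loop detects a missing or duplicated ACI by testing `params[ac].cw_min == 0`. That works because an AC the parsing loop never filled stays zeroed, and drv_conf_tx() already treats 0/0 as invalid (the warning quoted in the commit message), but the intent would be clearer with a bitmask of ACIs actually seen while parsing the IE; the comment "WMM specification requires all 4 ACIs" states the rule, not why cw_min is the sentinel. Minor: the `sdata_info()` message reports the AC index but not the IE length, which is the first thing you would want when chasing the offending AP.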
+++ b/queue-5.2/mwifiex-fix-802.11n-wpa-detection.patch @@ -0,0 +1,52 @@ +From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 24 Jul 2019 12:46:34 -0700 +Subject: mwifiex: fix 802.11n/WPA detection + +From: Brian Norris + +commit df612421fe2566654047769c6852ffae1a31df16 upstream. + +Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant +vendor IEs") adjusted the ieee_types_vendor_header struct, which +inadvertently messed up the offsets used in +mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring +mwifiex_is_rsn_oui_present(). + +As it stands, commit 63d7ef36103d breaks compatibility with WPA (not +WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is +not supported by AP" case in mwifiex_is_network_compatible(). + +Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs") +Cc: +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/main.h | 1 + + drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -124,6 +124,7 @@ enum { + + #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S) + ++#define WPA_GTK_OUI_OFFSET 2 + #define RSN_GTK_OUI_OFFSET 2 + + #define MWIFIEX_OUI_NOT_PRESENT 0 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie + u8 ret = MWIFIEX_OUI_NOT_PRESENT; + + if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) { +- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data; ++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data + ++ WPA_GTK_OUI_OFFSET); + oui = &mwifiex_wpa_oui[cipher][0]; + ret = mwifiex_search_oui_in_ie(iebody, oui); + if (ret) 
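Review bot: the cast `(struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data + WPA_GTK_OUI_OFFSET)` advances two bytes into the IE body, but the hunk shows no check that the IE is long enough to hold a `struct ie_body` at that offset; given that the Fixes commit (63d7ef36103d) was specifically about small vendor IEs, confirm that has_vendor_hdr() guarantees the extra length, or add an explicit length test before mwifiex_search_oui_in_ie(). Also, `WPA_GTK_OUI_OFFSET` and `RSN_GTK_OUI_OFFSET` are both 2 with no explanation; a comment on the define naming the field those two bytes skip would help the next reader.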
diff --git a/queue-5.2/nfsv4-check-the-return-value-of-update_open_stateid.patch b/queue-5.2/nfsv4-check-the-return-value-of-update_open_stateid.patch new file mode 100644 index 00000000000..25cf7efc2fc --- /dev/null +++ b/queue-5.2/nfsv4-check-the-return-value-of-update_open_stateid.patch @@ -0,0 +1,50 @@ +From e3c8dc761ead061da2220ee8f8132f729ac3ddfe Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 29 Jul 2019 18:25:00 +0100 +Subject: NFSv4: Check the return value of update_open_stateid() + +From: Trond Myklebust + +commit e3c8dc761ead061da2220ee8f8132f729ac3ddfe upstream. + +Ensure that we always check the return value of update_open_stateid() +so that we can retry if the update of local state failed. This fixes +infinite looping on state recovery. + +Fixes: e23008ec81ef3 ("NFSv4 reduce attribute requests for open reclaim") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v3.7+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1878,8 +1878,9 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + if (data->o_res.delegation_type != 0) + nfs4_opendata_check_deleg(data, state); + update: +- update_open_stateid(state, &data->o_res.stateid, NULL, +- data->o_arg.fmode); ++ if (!update_open_stateid(state, &data->o_res.stateid, ++ NULL, data->o_arg.fmode)) ++ return ERR_PTR(-EAGAIN); + refcount_inc(&state->count); + + return state; +@@ -1944,8 +1945,11 @@ _nfs4_opendata_to_nfs4_state(struct nfs4 + + if (data->o_res.delegation_type != 0) + nfs4_opendata_check_deleg(data, state); +- update_open_stateid(state, &data->o_res.stateid, NULL, +- data->o_arg.fmode); ++ if (!update_open_stateid(state, &data->o_res.stateid, ++ NULL, data->o_arg.fmode)) { ++ nfs4_put_open_state(state); ++ state = ERR_PTR(-EAGAIN); ++ } + out: + nfs_release_seqid(data->o_arg.seqid); + return state; 
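Review bot: the two hunks handle a failed update_open_stateid() differently, and the asymmetry deserves a comment. In _nfs4_opendata_reclaim_to_nfs4_state() the early `return ERR_PTR(-EAGAIN);` drops no reference because `refcount_inc(&state->count)` only runs after a successful update, whereas in _nfs4_opendata_to_nfs4_state() the state was already obtained with a reference, hence the `nfs4_put_open_state(state);` before setting the error. A one-line comment at each site would keep a later reader from "fixing" one to match the other.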
diff --git a/queue-5.2/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch b/queue-5.2/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch new file mode 100644 index 00000000000..caaf40b1c1d --- /dev/null +++ b/queue-5.2/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch @@ -0,0 +1,34 @@ +From 09a54f0ebfe263bc27c90bbd80187b9a93283887 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 10:28:18 -0400 +Subject: NFSv4: Fix an Oops in nfs4_do_setattr + +From: Trond Myklebust + +commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream. + +If the user specifies an open mode of 3, then we don't have a NFSv4 state +attached to the context, and so we Oops when we try to dereference it. + +Reported-by: Olga Kornievskaia +Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the... +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3175,7 +3175,7 @@ static int _nfs4_do_setattr(struct inode + + if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) { + /* Use that stateid */ +- } else if (ctx != NULL) { ++ } else if (ctx != NULL && ctx->state) { + struct nfs_lock_context *l_ctx; + if (!nfs4_valid_open_stateid(ctx->state)) + return -EBADF; diff --git a/queue-5.2/nfsv4-fix-delegation-state-recovery.patch b/queue-5.2/nfsv4-fix-delegation-state-recovery.patch new file mode 100644 index 00000000000..f9c830612c9 --- /dev/null +++ b/queue-5.2/nfsv4-fix-delegation-state-recovery.patch 
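Review bot: the added `&& ctx->state` guard fixes the NULL dereference, but nothing in the code says when an open context has no NFSv4 state attached; only the commit message mentions open mode 3. A comment on the condition noting that ctx->state is NULL in that case would make the fall-through to the remaining else branch visibly intentional rather than an accidental skip of the stateid.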
@@ -0,0 +1,113 @@ +From 5eb8d18ca0e001c6055da2b7f30d8f6dca23a44f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 19 Jul 2019 14:08:37 -0400 +Subject: NFSv4: Fix delegation state recovery + +From: Trond Myklebust + +commit 5eb8d18ca0e001c6055da2b7f30d8f6dca23a44f upstream. + +Once we clear the NFS_DELEGATED_STATE flag, we're telling +nfs_delegation_claim_opens() that we're done recovering all open state +for that stateid, so we really need to ensure that we test for all +open modes that are currently cached and recover them before exiting +nfs4_open_delegation_recall(). + +Fixes: 24311f884189d ("NFSv4: Recovery of recalled read delegations...") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/delegation.c | 2 +- + fs/nfs/delegation.h | 2 +- + fs/nfs/nfs4proc.c | 25 ++++++++++++------------- + 3 files changed, 14 insertions(+), 15 deletions(-) + +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -153,7 +153,7 @@ again: + /* Block nfs4_proc_unlck */ + mutex_lock(&sp->so_delegreturn_mutex); + seq = raw_seqcount_begin(&sp->so_reclaim_seqcount); +- err = nfs4_open_delegation_recall(ctx, state, stateid, type); ++ err = nfs4_open_delegation_recall(ctx, state, stateid); + if (!err) + err = nfs_delegation_claim_locks(state, stateid); + if (!err && read_seqcount_retry(&sp->so_reclaim_seqcount, seq)) +--- a/fs/nfs/delegation.h ++++ b/fs/nfs/delegation.h +@@ -63,7 +63,7 @@ void nfs_reap_expired_delegations(struct + + /* NFSv4 delegation-related procedures */ + int nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred, const nfs4_stateid *stateid, int issync); +-int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid, fmode_t type); ++int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid); + int nfs4_lock_delegation_recall(struct file_lock *fl, struct 
nfs4_state *state, const nfs4_stateid *stateid); + bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, const struct cred **cred); + bool nfs4_refresh_delegation_stateid(nfs4_stateid *dst, struct inode *inode); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2148,12 +2148,10 @@ static int nfs4_handle_delegation_recall + case -NFS4ERR_BAD_HIGH_SLOT: + case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION: + case -NFS4ERR_DEADSESSION: +- set_bit(NFS_DELEGATED_STATE, &state->flags); + nfs4_schedule_session_recovery(server->nfs_client->cl_session, err); + return -EAGAIN; + case -NFS4ERR_STALE_CLIENTID: + case -NFS4ERR_STALE_STATEID: +- set_bit(NFS_DELEGATED_STATE, &state->flags); + /* Don't recall a delegation if it was lost */ + nfs4_schedule_lease_recovery(server->nfs_client); + return -EAGAIN; +@@ -2174,7 +2172,6 @@ static int nfs4_handle_delegation_recall + return -EAGAIN; + case -NFS4ERR_DELAY: + case -NFS4ERR_GRACE: +- set_bit(NFS_DELEGATED_STATE, &state->flags); + ssleep(1); + return -EAGAIN; + case -ENOMEM: +@@ -2190,8 +2187,7 @@ static int nfs4_handle_delegation_recall + } + + int nfs4_open_delegation_recall(struct nfs_open_context *ctx, +- struct nfs4_state *state, const nfs4_stateid *stateid, +- fmode_t type) ++ struct nfs4_state *state, const nfs4_stateid *stateid) + { + struct nfs_server *server = NFS_SERVER(state->inode); + struct nfs4_opendata *opendata; +@@ -2202,20 +2198,23 @@ int nfs4_open_delegation_recall(struct n + if (IS_ERR(opendata)) + return PTR_ERR(opendata); + nfs4_stateid_copy(&opendata->o_arg.u.delegation, stateid); +- nfs_state_clear_delegation(state); +- switch (type & (FMODE_READ|FMODE_WRITE)) { +- case FMODE_READ|FMODE_WRITE: +- case FMODE_WRITE: ++ if (!test_bit(NFS_O_RDWR_STATE, &state->flags)) { + err = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE); + if (err) +- break; ++ goto out; ++ } ++ if (!test_bit(NFS_O_WRONLY_STATE, &state->flags)) { + err = nfs4_open_recover_helper(opendata, 
FMODE_WRITE); + if (err) +- break; +- /* Fall through */ +- case FMODE_READ: ++ goto out; ++ } ++ if (!test_bit(NFS_O_RDONLY_STATE, &state->flags)) { + err = nfs4_open_recover_helper(opendata, FMODE_READ); ++ if (err) ++ goto out; + } ++ nfs_state_clear_delegation(state); ++out: + nfs4_opendata_put(opendata); + return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err); + } diff --git a/queue-5.2/series b/queue-5.2/series index b8ef9efa50b..2b6e7f6fdcc 100644 --- a/queue-5.2/series +++ b/queue-5.2/series 
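Review bot: moving `nfs_state_clear_delegation(state)` behind the three `test_bit(NFS_O_*_STATE)` recoveries means NFS_DELEGATED_STATE is now cleared only on full success, so the `set_bit(NFS_DELEGATED_STATE, &state->flags)` calls removed from nfs4_handle_delegation_recall_error() were indeed redundant. The flip side is that every error path now leaves the flag set, including the cases that previously did not re-set it (the ones not shown in this hunk); confirm that is intended for non-retryable errors, or say so at the `out:` label so the next `goto out` added does not silently inherit it. The header change in delegation.h also drops the `fmode_t type` parameter; the hunk shows only the delegation.c caller, so check there are no others.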
@@ -118,3 +118,27 @@ gen_compile_commands-lower-the-entry-count-threshold.patch hid-sony-fix-race-condition-between-rumble-and-device-remove.patch alsa-usb-audio-fix-a-memory-leak-bug.patch kvm-nsvm-properly-map-nested-vmcb.patch +can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch +can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch +hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch +hwmon-lm75-fixup-tmp75b-clr_mask.patch +drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch +alsa-firewire-fix-a-memory-leak-bug.patch +alsa-hiface-fix-multiple-memory-leak-bugs.patch +alsa-hda-don-t-override-global-pcm-hw-info-flag.patch +alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch +mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch +dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch +smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch +smb3-send-cap_dfs-capability-during-session-setup.patch +nfsv4-fix-delegation-state-recovery.patch +nfsv4-check-the-return-value-of-update_open_stateid.patch +nfsv4-fix-an-oops-in-nfs4_do_setattr.patch +kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch +kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch +mwifiex-fix-802.11n-wpa-detection.patch +iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch +iwlwifi-mvm-fix-an-out-of-bound-access.patch +iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch +iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch +iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch diff --git a/queue-5.2/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch b/queue-5.2/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch new file mode 100644 index 00000000000..dfc2bff6370 --- /dev/null +++ b/queue-5.2/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch 
@@ -0,0 +1,38 @@ +From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 22 Jul 2019 11:34:59 -0700 +Subject: SMB3: Fix deadlock in validate negotiate hits reconnect + +From: Pavel Shilovsky + +commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream. + +Currently we skip SMB2_TREE_CONNECT command when checking during +reconnect because Tree Connect happens when establishing +an SMB session. For SMB 3.0 protocol version the code also calls +validate negotiate which results in SMB2_IOCL command being sent +over the wire. This may deadlock on trying to acquire a mutex when +checking for reconnect. Fix this by skipping SMB2_IOCL command +when doing the reconnect check. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -252,7 +252,7 @@ smb2_reconnect(__le16 smb2_command, stru + if (tcon == NULL) + return 0; + +- if (smb2_command == SMB2_TREE_CONNECT) ++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL) + return 0; + + if (tcon->tidStatus == CifsExiting) { diff --git a/queue-5.2/smb3-send-cap_dfs-capability-during-session-setup.patch b/queue-5.2/smb3-send-cap_dfs-capability-during-session-setup.patch new file mode 100644 index 00000000000..ece74be5023 --- /dev/null +++ b/queue-5.2/smb3-send-cap_dfs-capability-during-session-setup.patch 
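Review bot: the new condition `smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL` exempts every IOCTL from the reconnect check, while the commit message describes only the validate-negotiate IOCTL sent during session establishment; other IOCTLs issued on a disconnected tcon will now also skip reconnect. If that is acceptable, a comment at the condition should say so; otherwise the exemption should be narrowed to the validate-negotiate call path rather than the whole command.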
@@ -0,0 +1,40 @@ +From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Jul 2019 18:13:10 -0500 +Subject: smb3: send CAP_DFS capability during session setup + +From: Steve French + +commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream. + +We had a report of a server which did not do a DFS referral +because the session setup Capabilities field was set to 0 +(unlike negotiate protocol where we set CAP_DFS). Better to +send it session setup in the capabilities as well (this also +more closely matches Windows client behavior). + +Signed-off-by: Steve French +Reviewed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1173,7 +1173,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_ + else + req->SecurityMode = 0; + ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS); ++#else + req->Capabilities = 0; ++#endif /* DFS_UPCALL */ ++ + req->Channel = 0; /* MBZ */ + + sess_data->iov[0].iov_base = (char *)req;
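Review bot: the trailing comment `#endif /* DFS_UPCALL */` does not match the guard `#ifdef CONFIG_CIFS_DFS_UPCALL`; use the full macro name so grep finds both ends. In the tags, `Reviewed-off-by:` is not a valid trailer and should be `Reviewed-by:`. The change itself is consistent with negotiate as the message says: SMB2_GLOBAL_CAP_DFS is advertised in session setup only when the DFS upcall is compiled in, and Capabilities stays 0 otherwise.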