From: Sasha Levin Date: Sun, 5 Jan 2020 19:24:32 +0000 (-0500) Subject: Revert "fixes for 5.4" X-Git-Tag: v4.14.163~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e944bdf451388a72546ab4e1cae0a561ea3a7aea;p=thirdparty%2Fkernel%2Fstable-queue.git Revert "fixes for 5.4" This reverts commit 99928b47e60aa08dc4f6b5d2a17549434b020961. Mismerge, will reapply... Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch b/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch deleted file mode 100644 index a1620383365..00000000000 --- a/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch +++ /dev/null @@ -1,184 +0,0 @@ -From c5ef1d91ec9747606fddf9f084257902d9f21780 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 10:32:13 -0800 -Subject: 6pack,mkiss: fix possible deadlock - -From: Eric Dumazet - -[ Upstream commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d ] - -We got another syzbot report [1] that tells us we must use -write_lock_irq()/write_unlock_irq() to avoid possible deadlock. - -[1] - -WARNING: inconsistent lock state -5.5.0-rc1-syzkaller #0 Not tainted --------------------------------- -inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage. -syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes: -ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 -{HARDIRQ-ON-W} state was registered at: - lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 - __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline] - _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319 - sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657 - tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489 - tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585 - tiocsetd drivers/tty/tty_io.c:2337 [inline] - tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597 - vfs_ioctl fs/ioctl.c:47 [inline] - file_ioctl fs/ioctl.c:545 [inline] - do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 - ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 - __do_sys_ioctl fs/ioctl.c:756 [inline] - __se_sys_ioctl fs/ioctl.c:754 [inline] - __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -irq event stamp: 3946 -hardirqs last enabled at (3945): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline] -hardirqs last enabled at (3945): [] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199 -hardirqs last disabled at (3946): [] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42 -softirqs last enabled at (2658): [] spin_unlock_bh include/linux/spinlock.h:383 [inline] -softirqs last enabled at (2658): [] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222 -softirqs last disabled at (2656): [] spin_lock_bh include/linux/spinlock.h:343 [inline] -softirqs last disabled at (2656): [] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196 - -other info that might help us debug this: - Possible unsafe locking scenario: - - CPU0 - ---- - lock(disc_data_lock); - - lock(disc_data_lock); - - *** DEADLOCK *** - -5 locks held by syz-executor826/9605: - #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 - #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413 - #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] - #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116 - #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823 - #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288 - -stack backtrace: -CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x197/0x210 lib/dump_stack.c:118 - print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101 - valid_state kernel/locking/lockdep.c:3112 [inline] - mark_lock_irq kernel/locking/lockdep.c:3309 [inline] - mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666 - mark_usage kernel/locking/lockdep.c:3554 [inline] - __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909 - lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 - __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] - _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223 - sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 - sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402 - tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536 - tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50 - tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387 - uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104 - serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761 - serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834 - serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline] - serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850 - serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126 - __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149 - handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189 - handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206 - handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830 - generic_handle_irq_desc include/linux/irqdesc.h:156 [inline] - do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250 - common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607 - -RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline] -RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579 -Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7 -RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7 -RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd -RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000 -RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899 -R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138 -R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000 - mutex_optimistic_spin kernel/locking/mutex.c:673 [inline] - __mutex_lock_common kernel/locking/mutex.c:962 [inline] - __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106 - mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121 - tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 - tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665 - __fput+0x2ff/0x890 fs/file_table.c:280 - ____fput+0x16/0x20 fs/file_table.c:313 - task_work_run+0x145/0x1c0 kernel/task_work.c:113 - exit_task_work include/linux/task_work.h:22 [inline] - do_exit+0x8e7/0x2ef0 kernel/exit.c:797 - do_group_exit+0x135/0x360 kernel/exit.c:895 - __do_sys_exit_group kernel/exit.c:906 [inline] - __se_sys_exit_group kernel/exit.c:904 [inline] - __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x43fef8 -Code: Bad RIP value. -RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8 -RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 -RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0 -R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 -R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 - -Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Cc: Arnd Bergmann -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/hamradio/6pack.c | 4 ++-- - drivers/net/hamradio/mkiss.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c -index 23281aeeb222..71d6629e65c9 100644 ---- a/drivers/net/hamradio/6pack.c -+++ b/drivers/net/hamradio/6pack.c -@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_struct *tty) - { - struct sixpack *sp; - -- write_lock_bh(&disc_data_lock); -+ write_lock_irq(&disc_data_lock); - sp = tty->disc_data; - tty->disc_data = NULL; -- write_unlock_bh(&disc_data_lock); -+ write_unlock_irq(&disc_data_lock); - if (!sp) - return; - -diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c -index c5bfa19ddb93..deef14215110 100644 ---- a/drivers/net/hamradio/mkiss.c -+++ b/drivers/net/hamradio/mkiss.c -@@ -773,10 +773,10 @@ static void mkiss_close(struct tty_struct *tty) - { - struct mkiss *ax; - -- write_lock_bh(&disc_data_lock); -+ write_lock_irq(&disc_data_lock); - ax = tty->disc_data; - tty->disc_data = NULL; -- write_unlock_bh(&disc_data_lock); -+ write_unlock_irq(&disc_data_lock); - - if (!ax) - return; --- -2.20.1 - diff --git a/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch b/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch deleted file mode 100644 index 5acfb3d49a8..00000000000 --- a/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch +++ /dev/null @@ -1,95 +0,0 @@ -From f5f3421bca51084c7ae0ab0cba9761caa3769712 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 Dec 2019 15:04:43 +0000 -Subject: afs: Fix afs_find_server lookups for ipv4 peers - -From: Marc Dionne - -[ Upstream commit 9bd0160d12370a076e44f8d1320cde9c83f2c647 ] - -afs_find_server tries to find a server that has an address that -matches the transport address of an rxrpc peer. The code assumes -that the transport address is always ipv6, with ipv4 represented -as ipv4 mapped addresses, but that's not the case. If the transport -family is AF_INET, srx->transport.sin6.sin6_addr.s6_addr32[] will -be beyond the actual ipv4 address and will always be 0, and all -ipv4 addresses will be seen as matching. - -As a result, the first ipv4 address seen on any server will be -considered a match, and the server returned may be the wrong one. - -One of the consequences is that callbacks received over ipv4 will -only be correctly applied for the server that happens to have the -first ipv4 address on the fs_addresses4 list. Callbacks over ipv4 -from all other servers are dropped, causing the client to serve stale -data. - -This is fixed by looking at the transport family, and comparing ipv4 -addresses based on a sockaddr_in structure rather than a sockaddr_in6. - -Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") -Signed-off-by: Marc Dionne -Signed-off-by: David Howells -Signed-off-by: Sasha Levin ---- - fs/afs/server.c | 21 ++++++++------------- - 1 file changed, 8 insertions(+), 13 deletions(-) - -diff --git a/fs/afs/server.c b/fs/afs/server.c -index 64d440aaabc0..ca8115ba1724 100644 ---- a/fs/afs/server.c -+++ b/fs/afs/server.c -@@ -32,18 +32,11 @@ static void afs_dec_servers_outstanding(struct afs_net *net) - struct afs_server *afs_find_server(struct afs_net *net, - const struct sockaddr_rxrpc *srx) - { -- const struct sockaddr_in6 *a = &srx->transport.sin6, *b; - const struct afs_addr_list *alist; - struct afs_server *server = NULL; - unsigned int i; -- bool ipv6 = true; - int seq = 0, diff; - -- if (srx->transport.sin6.sin6_addr.s6_addr32[0] == 0 || -- srx->transport.sin6.sin6_addr.s6_addr32[1] == 0 || -- srx->transport.sin6.sin6_addr.s6_addr32[2] == htonl(0xffff)) -- ipv6 = false; -- - rcu_read_lock(); - - do { -@@ -52,7 +45,8 @@ struct afs_server *afs_find_server(struct afs_net *net, - server = NULL; - read_seqbegin_or_lock(&net->fs_addr_lock, &seq); - -- if (ipv6) { -+ if (srx->transport.family == AF_INET6) { -+ const struct sockaddr_in6 *a = &srx->transport.sin6, *b; - hlist_for_each_entry_rcu(server, &net->fs_addresses6, addr6_link) { - alist = rcu_dereference(server->addresses); - for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) { -@@ -68,15 +62,16 @@ struct afs_server *afs_find_server(struct afs_net *net, - } - } - } else { -+ const struct sockaddr_in *a = &srx->transport.sin, *b; - hlist_for_each_entry_rcu(server, &net->fs_addresses4, addr4_link) { - alist = rcu_dereference(server->addresses); - for (i = 0; i < alist->nr_ipv4; i++) { -- b = &alist->addrs[i].transport.sin6; -- diff = ((u16 __force)a->sin6_port - -- (u16 __force)b->sin6_port); -+ b = &alist->addrs[i].transport.sin; -+ diff = ((u16 __force)a->sin_port - -+ (u16 __force)b->sin_port); - if (diff == 0) -- diff = ((u32 __force)a->sin6_addr.s6_addr32[3] - -- (u32 __force)b->sin6_addr.s6_addr32[3]); -+ diff = ((u32 __force)a->sin_addr.s_addr - -+ (u32 __force)b->sin_addr.s_addr); - if (diff == 0) - goto found; - } --- -2.20.1 - diff --git a/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch b/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch deleted file mode 100644 index 4e3375242fa..00000000000 --- a/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 027f1e83e3e34d4d805d18e6b83904ee2fdd5bfd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 11 Dec 2019 08:56:04 +0000 -Subject: afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP - -From: David Howells - -[ Upstream commit 1da4bd9f9d187f53618890d7b66b9628bbec3c70 ] - -Fix the lookup method on the dynamic root directory such that creation -calls, such as mkdir, open(O_CREAT), symlink, etc. fail with EOPNOTSUPP -rather than failing with some odd error (such as EEXIST). - -lookup() itself tries to create automount directories when it is invoked. -These are cached locally in RAM and not committed to storage. - -Signed-off-by: David Howells -Reviewed-by: Marc Dionne -Tested-by: Jonathan Billings -Signed-off-by: Sasha Levin ---- - fs/afs/dynroot.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c -index 4150280509ff..7503899c0a1b 100644 ---- a/fs/afs/dynroot.c -+++ b/fs/afs/dynroot.c -@@ -136,6 +136,9 @@ static struct dentry *afs_dynroot_lookup(struct inode *dir, struct dentry *dentr - - ASSERTCMP(d_inode(dentry), ==, NULL); - -+ if (flags & LOOKUP_CREATE) -+ return ERR_PTR(-EOPNOTSUPP); -+ - if (dentry->d_name.len >= AFSNAMEMAX) { - _leave(" = -ENAMETOOLONG"); - return ERR_PTR(-ENAMETOOLONG); --- -2.20.1 - diff --git a/queue-5.4/afs-fix-mountpoint-parsing.patch b/queue-5.4/afs-fix-mountpoint-parsing.patch deleted file mode 100644 index 61d3aa8d6ac..00000000000 --- a/queue-5.4/afs-fix-mountpoint-parsing.patch +++ /dev/null @@ -1,65 +0,0 @@ -From fdda4bfe34c1d2284972d3c1e6c2a4d3bfb89c4c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 Dec 2019 15:04:45 +0000 -Subject: afs: Fix mountpoint parsing - -From: David Howells - -[ Upstream commit 158d58335393af3956a9c06f0816ee75ed1f1447 ] - -Each AFS mountpoint has strings that define the target to be mounted. This -is required to end in a dot that is supposed to be stripped off. The -string can include suffixes of ".readonly" or ".backup" - which are -supposed to come before the terminal dot. To add to the confusion, the "fs -lsmount" afs utility does not show the terminal dot when displaying the -string. - -The kernel mount source string parser, however, assumes that the terminal -dot marks the suffix and that the suffix is always "" and is thus ignored. -In most cases, there is no suffix and this is not a problem - but if there -is a suffix, it is lost and this affects the ability to mount the correct -volume. - -The command line mount command, on the other hand, is expected not to -include a terminal dot - so the problem doesn't arise there. - -Fix this by making sure that the dot exists and then stripping it when -passing the string to the mount configuration. - -Fixes: bec5eb614130 ("AFS: Implement an autocell mount capability [ver #2]") -Reported-by: Jonathan Billings -Signed-off-by: David Howells -Reviewed-by: Marc Dionne -Tested-by: Jonathan Billings -Signed-off-by: Sasha Levin ---- - fs/afs/mntpt.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c -index f532d6d3bd28..79bc5f1338ed 100644 ---- a/fs/afs/mntpt.c -+++ b/fs/afs/mntpt.c -@@ -126,7 +126,7 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) - if (src_as->cell) - ctx->cell = afs_get_cell(src_as->cell); - -- if (size > PAGE_SIZE - 1) -+ if (size < 2 || size > PAGE_SIZE - 1) - return -EINVAL; - - page = read_mapping_page(d_inode(mntpt)->i_mapping, 0, NULL); -@@ -140,7 +140,9 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) - } - - buf = kmap(page); -- ret = vfs_parse_fs_string(fc, "source", buf, size); -+ ret = -EINVAL; -+ if (buf[size - 1] == '.') -+ ret = vfs_parse_fs_string(fc, "source", buf, size - 1); - kunmap(page); - put_page(page); - if (ret < 0) --- -2.20.1 - diff --git a/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch b/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch deleted file mode 100644 index eec11d3b9ca..00000000000 --- a/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch +++ /dev/null @@ -1,42 +0,0 @@ -From e34439c64b0aa19cd3526fda1ba3366299f92d32 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 Dec 2019 15:04:45 +0000 -Subject: afs: Fix SELinux setting security label on /afs - -From: David Howells - -[ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ] - -Make the AFS dynamic root superblock R/W so that SELinux can set the -security label on it. Without this, upgrades to, say, the Fedora -filesystem-afs RPM fail if afs is mounted on it because the SELinux label -can't be (re-)applied. - -It might be better to make it possible to bypass the R/O check for LSM -label application through setxattr. - -Fixes: 4d673da14533 ("afs: Support the AFS dynamic root") -Signed-off-by: David Howells -Reviewed-by: Marc Dionne -cc: selinux@vger.kernel.org -cc: linux-security-module@vger.kernel.org -Signed-off-by: Sasha Levin ---- - fs/afs/super.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/fs/afs/super.c b/fs/afs/super.c -index 488641b1a418..d9a6036b70b9 100644 ---- a/fs/afs/super.c -+++ b/fs/afs/super.c -@@ -448,7 +448,6 @@ static int afs_fill_super(struct super_block *sb, struct afs_fs_context *ctx) - /* allocate the root inode and dentry */ - if (as->dyn_root) { - inode = afs_iget_pseudo_dir(sb, true); -- sb->s_flags |= SB_RDONLY; - } else { - sprintf(sb->s_id, "%llu", as->volume->vid); - afs_activate_volume(as->volume); --- -2.20.1 - diff --git a/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch b/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch deleted file mode 100644 index 3f5b51bdabf..00000000000 --- a/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch +++ /dev/null @@ -1,66 +0,0 @@ -From f5a58a678524e042bbd48c372a4d0f20e189ff09 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 18 Oct 2019 15:38:48 +0800 -Subject: ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound - to a driver - -From: Kai-Heng Feng - -[ Upstream commit bacd861452d2be86a4df341b12e32db7dac8021e ] - -Nvidia proprietary driver doesn't support runtime power management, so -when a user only wants to use the integrated GPU, it's a common practice -to let dGPU not to bind any driver, and let its upstream port to be -runtime suspended. At the end of runtime suspension the port uses -platform power management to disable power through _OFF method of power -resource, which is listed by _PR3. - -After commit b516ea586d71 ("PCI: Enable NVIDIA HDA controllers"), when -the dGPU comes with an HDA function, the HDA won't be suspended if the -dGPU is unbound, so the power resource can't be turned off by its -upstream port driver. - -Commit 37a3a98ef601 ("ALSA: hda - Enable runtime PM only for -discrete GPU") only allows HDA to be runtime suspended once GPU is -bound, to keep APU's HDA working. - -However, HDA on dGPU isn't that useful if dGPU is not bound to any -driver. So let's relax the runtime suspend requirement for dGPU's HDA -function, to disable the power source to save lots of power. - -BugLink: https://bugs.launchpad.net/bugs/1840835 -Fixes: b516ea586d71 ("PCI: Enable NVIDIA HDA controllers") -Signed-off-by: Kai-Heng Feng -Link: https://lore.kernel.org/r/20191018073848.14590-2-kai.heng.feng@canonical.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/hda_intel.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c -index 86a416cdeb29..4e757aa9d322 100644 ---- a/sound/pci/hda/hda_intel.c -+++ b/sound/pci/hda/hda_intel.c -@@ -1280,11 +1280,17 @@ static void init_vga_switcheroo(struct azx *chip) - { - struct hda_intel *hda = container_of(chip, struct hda_intel, chip); - struct pci_dev *p = get_bound_vga(chip->pci); -+ struct pci_dev *parent; - if (p) { - dev_info(chip->card->dev, - "Handle vga_switcheroo audio client\n"); - hda->use_vga_switcheroo = 1; -- chip->bus.keep_power = 1; /* cleared in either gpu_bound op or codec probe */ -+ -+ /* cleared in either gpu_bound op or codec probe, or when its -+ * upstream port has _PR3 (i.e. dGPU). -+ */ -+ parent = pci_upstream_bridge(p); -+ chip->bus.keep_power = parent ? !pci_pr3_present(parent) : 1; - chip->driver_caps |= AZX_DCAPS_PM_RUNTIME; - pci_dev_put(p); - } --- -2.20.1 - diff --git a/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch b/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch deleted file mode 100644 index 9b0c103540d..00000000000 --- a/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 46fcbdec3a81d7e919d1f14369b6b4666a3cf781 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Dec 2019 16:12:24 +0100 -Subject: ALSA: hda - Downgrade error message for single-cmd fallback - -From: Takashi Iwai - -[ Upstream commit 475feec0c41ad71cb7d02f0310e56256606b57c5 ] - -We made the error message for the CORB/RIRB communication clearer by -upgrading to dev_WARN() so that user can notice better. But this -struck us like a boomerang: now it caught syzbot and reported back as -a fatal issue although it's not really any too serious bug that worth -for stopping the whole system. - -OK, OK, let's be softy, downgrade it to the standard dev_err() again. - -Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly") -Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com -Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/hda_controller.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c -index 6387c7e90918..76b507058cb4 100644 ---- a/sound/pci/hda/hda_controller.c -+++ b/sound/pci/hda/hda_controller.c -@@ -884,7 +884,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr, - return -EAGAIN; /* give a chance to retry */ - } - -- dev_WARN(chip->card->dev, -+ dev_err(chip->card->dev, - "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n", - bus->last_cmd[addr]); - chip->single_cmd = 1; --- -2.20.1 - diff --git a/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch b/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch deleted file mode 100644 index 6fb79b987b0..00000000000 --- a/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 76d5b940fc543ee0e49d01a25051855aa818bdde Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Nov 2019 15:40:27 +0100 -Subject: ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen - -From: Jaroslav Kysela - -[ Upstream commit d2cd795c4ece1a24fda170c35eeb4f17d9826cbb ] - -The auto-parser assigns the bass speaker to DAC3 (NID 0x06) which -is without the volume control. I do not see a reason to use DAC2, -because the shared output to all speakers produces the sufficient -and well balanced sound. The stereo support is enough for this -purpose (laptop). - -Signed-off-by: Jaroslav Kysela -Link: https://lore.kernel.org/r/20191129144027.14765-1-perex@perex.cz -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index e849cf681e23..62a471b5fc87 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5547,6 +5547,16 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec, - } - } - -+/* force NID 0x17 (Bass Speaker) to DAC1 to share it with the main speaker */ -+static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec, -+ const struct hda_fixup *fix, int action) -+{ -+ if (action == HDA_FIXUP_ACT_PRE_PROBE) { -+ hda_nid_t conn[1] = { 0x02 }; -+ snd_hda_override_conn_list(codec, 0x17, 1, conn); -+ } -+} -+ - /* Hook to update amp GPIO4 for automute */ - static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec, - struct hda_jack_callback *jack) -@@ -5849,6 +5859,7 @@ enum { - ALC225_FIXUP_DISABLE_MIC_VREF, - ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, - ALC295_FIXUP_DISABLE_DAC3, -+ ALC285_FIXUP_SPEAKER2_TO_DAC1, - ALC280_FIXUP_HP_HEADSET_MIC, - ALC221_FIXUP_HP_FRONT_MIC, - ALC292_FIXUP_TPT460, -@@ -6652,6 +6663,10 @@ static const struct hda_fixup alc269_fixups[] = { - .type = HDA_FIXUP_FUNC, - .v.func = alc295_fixup_disable_dac3, - }, -+ [ALC285_FIXUP_SPEAKER2_TO_DAC1] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc285_fixup_speaker2_to_dac1, -+ }, - [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { - .type = HDA_FIXUP_PINS, - .v.pins = (const struct hda_pintbl[]) { -@@ -7241,6 +7256,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), - SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), - SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), -+ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), - SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), -@@ -7425,6 +7441,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { - {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"}, - {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"}, - {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"}, -+ {.id = ALC285_FIXUP_SPEAKER2_TO_DAC1, .name = "alc285-speaker2-to-dac1"}, - {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"}, - {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"}, - {.id = ALC298_FIXUP_SPK_VOLUME, .name = "alc298-spk-volume"}, --- -2.20.1 - diff --git a/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch b/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch deleted file mode 100644 index 18fb1256f36..00000000000 --- a/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 6a1114718441eb10dd9c449bb88c3381a76f4d17 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 19 Dec 2019 14:12:15 +0800 -Subject: ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker - -From: Kailang Yang - -[ Upstream commit e79c22695abd3b75a6aecf4ea4b9607e8d82c49c ] - -Dell has new platform which has dual speaker connecting. -They want dual speaker which use same dac for output. - -Signed-off-by: Kailang Yang -Cc: -Link: https://lore.kernel.org/r/229c7efa2b474a16b7d8a916cd096b68@realtek.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index e1229dbad6b2..dfcd0e611068 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5896,6 +5896,8 @@ enum { - ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC, - ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, - ALC294_FIXUP_ASUS_INTSPK_GPIO, -+ ALC289_FIXUP_DELL_SPK2, -+ ALC289_FIXUP_DUAL_SPK, - }; - - static const struct hda_fixup alc269_fixups[] = { -@@ -6993,6 +6995,21 @@ static const struct hda_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC - }, -+ [ALC289_FIXUP_DELL_SPK2] = { -+ .type = HDA_FIXUP_PINS, -+ .v.pins = (const struct hda_pintbl[]) { -+ { 0x17, 0x90170130 }, /* bass spk */ -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE -+ }, -+ [ALC289_FIXUP_DUAL_SPK] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc285_fixup_speaker2_to_dac1, -+ .chained = true, -+ .chain_id = ALC289_FIXUP_DELL_SPK2 -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -7065,6 +7082,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB), -+ SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK), -+ SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK), - SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), --- -2.20.1 - diff --git a/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch b/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch deleted file mode 100644 index 5adb726a2d2..00000000000 --- a/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 6b91eff7123bb5c616205d2a776103ccf2d80ec9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 30 Dec 2019 11:11:18 +0800 -Subject: ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC - -From: Chris Chiu - -[ Upstream commit 48e01504cf5315cbe6de9b7412e792bfcc3dd9e1 ] - -ASUS reported that there's an bass speaker in addition to internal -speaker and it uses DAC 0x02. It was not enabled in the commit -436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS -UX431FLC") which only enables the amplifier and the front speaker. -This commit enables the bass speaker on top of the aforementioned -work to improve the acoustic experience. - -Fixes: 436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC") -Signed-off-by: Chris Chiu -Signed-off-by: Jian-Hong Pan -Cc: -Link: https://lore.kernel.org/r/20191230031118.95076-1-chiu@endlessm.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 38 +++++++++++++++++------------------ - 1 file changed, 18 insertions(+), 20 deletions(-) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index dfcd0e611068..e849cf681e23 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5893,11 +5893,12 @@ enum { - ALC256_FIXUP_ASUS_HEADSET_MIC, - ALC256_FIXUP_ASUS_MIC_NO_PRESENCE, - ALC299_FIXUP_PREDATOR_SPK, -- ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC, - ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, -- ALC294_FIXUP_ASUS_INTSPK_GPIO, - ALC289_FIXUP_DELL_SPK2, - ALC289_FIXUP_DUAL_SPK, -+ ALC294_FIXUP_SPK2_TO_DAC1, -+ ALC294_FIXUP_ASUS_DUAL_SPK, -+ - }; - - static const struct hda_fixup alc269_fixups[] = { -@@ -6968,16 +6969,6 @@ static const struct hda_fixup alc269_fixups[] = { - { } - } - }, -- [ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC] = { -- .type = HDA_FIXUP_PINS, -- .v.pins = (const struct hda_pintbl[]) { -- { 0x14, 0x411111f0 }, /* disable confusing internal speaker */ -- { 0x19, 0x04a11150 }, /* use as headset mic, without its own jack detect */ -- { } -- }, -- .chained = true, -- .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC -- }, - [ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE] = { - .type = HDA_FIXUP_PINS, - .v.pins = (const struct hda_pintbl[]) { -@@ -6988,13 +6979,6 @@ static const struct hda_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE - }, -- [ALC294_FIXUP_ASUS_INTSPK_GPIO] = { -- .type = HDA_FIXUP_FUNC, -- /* The GPIO must be pulled to initialize the AMP */ -- .v.func = alc_fixup_gpio4, -- .chained = true, -- .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC -- }, - [ALC289_FIXUP_DELL_SPK2] = { - .type = HDA_FIXUP_PINS, - .v.pins = (const struct hda_pintbl[]) { -@@ -7010,6 +6994,20 @@ static const struct hda_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC289_FIXUP_DELL_SPK2 - }, -+ [ALC294_FIXUP_SPK2_TO_DAC1] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc285_fixup_speaker2_to_dac1, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC -+ }, -+ [ALC294_FIXUP_ASUS_DUAL_SPK] = { -+ .type = HDA_FIXUP_FUNC, -+ /* The GPIO must be pulled to initialize the AMP */ -+ .v.func = alc_fixup_gpio4, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 -+ }, -+ - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -7171,7 +7169,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), - SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), - SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), -- SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_GPIO), -+ SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), - SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), - SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), - SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC), --- -2.20.1 - diff --git a/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch b/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch deleted file mode 100644 index 547c08d2e8e..00000000000 --- a/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 77f9ee718e4ebb132f391efdd5be26601ea5f8c1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 28 Dec 2019 07:05:48 +0800 -Subject: block: add bio_truncate to fix guard_bio_eod - -From: Ming Lei - -[ Upstream commit 85a8ce62c2eabe28b9d76ca4eecf37922402df93 ] - -Some filesystem, such as vfat, may send bio which crosses device boundary, -and the worse thing is that the IO request starting within device boundaries -can contain more than one segment past EOD. - -Commit dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors") -tries to fix this issue by returning -EIO for this situation. However, -this way lets fs user code lose chance to handle -EIO, then sync_inodes_sb() -may hang for ever. - -Also the current truncating on last segment is dangerous by updating the -last bvec, given bvec table becomes not immutable any more, and fs bio -users may not retrieve the truncated pages via bio_for_each_segment_all() in -its .end_io callback. - -Fixes this issue by supporting multi-segment truncating. And the -approach is simpler: - -- just update bio size since block layer can make correct bvec with -the updated bio size. Then bvec table becomes really immutable. - -- zero all truncated segments for read bio - -Cc: Carlos Maiolino -Cc: linux-fsdevel@vger.kernel.org -Fixed-by: dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors") -Reported-by: syzbot+2b9e54155c8c25d8d165@syzkaller.appspotmail.com -Signed-off-by: Ming Lei -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - block/bio.c | 39 +++++++++++++++++++++++++++++++++++++++ - fs/buffer.c | 25 +------------------------ - include/linux/bio.h | 1 + - 3 files changed, 41 insertions(+), 24 deletions(-) - -diff --git a/block/bio.c b/block/bio.c -index 43df756b68c4..c822ceb7c4de 100644 ---- a/block/bio.c -+++ b/block/bio.c -@@ -535,6 +535,45 @@ void zero_fill_bio_iter(struct bio *bio, struct bvec_iter start) - } - EXPORT_SYMBOL(zero_fill_bio_iter); - -+void bio_truncate(struct bio *bio, unsigned new_size) -+{ -+ struct bio_vec bv; -+ struct bvec_iter iter; -+ unsigned int done = 0; -+ bool truncated = false; -+ -+ if (new_size >= bio->bi_iter.bi_size) -+ return; -+ -+ if (bio_data_dir(bio) != READ) -+ goto exit; -+ -+ bio_for_each_segment(bv, bio, iter) { -+ if (done + bv.bv_len > new_size) { -+ unsigned offset; -+ -+ if (!truncated) -+ offset = new_size - done; -+ else -+ offset = 0; -+ zero_user(bv.bv_page, offset, bv.bv_len - offset); -+ truncated = true; -+ } -+ done += bv.bv_len; -+ } -+ -+ exit: -+ /* -+ * Don't touch bvec table here and make it really immutable, since -+ * fs bio user has to retrieve all pages via bio_for_each_segment_all -+ * in its .end_bio() callback. -+ * -+ * It is enough to truncate bio by updating .bi_size since we can make -+ * correct bvec with the updated .bi_size for drivers. -+ */ -+ bio->bi_iter.bi_size = new_size; -+} -+ - /** - * bio_put - release a reference to a bio - * @bio: bio to release reference to -diff --git a/fs/buffer.c b/fs/buffer.c -index 86a38b979323..7744488f7bde 100644 ---- a/fs/buffer.c -+++ b/fs/buffer.c -@@ -2994,8 +2994,6 @@ static void end_bio_bh_io_sync(struct bio *bio) - void guard_bio_eod(int op, struct bio *bio) - { - sector_t maxsector; -- struct bio_vec *bvec = bio_last_bvec_all(bio); -- unsigned truncated_bytes; - struct hd_struct *part; - - rcu_read_lock(); -@@ -3021,28 +3019,7 @@ void guard_bio_eod(int op, struct bio *bio) - if (likely((bio->bi_iter.bi_size >> 9) <= maxsector)) - return; - -- /* Uhhuh. We've got a bio that straddles the device size! */ -- truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); -- -- /* -- * The bio contains more than one segment which spans EOD, just return -- * and let IO layer turn it into an EIO -- */ -- if (truncated_bytes > bvec->bv_len) -- return; -- -- /* Truncate the bio.. */ -- bio->bi_iter.bi_size -= truncated_bytes; -- bvec->bv_len -= truncated_bytes; -- -- /* ..and clear the end of the buffer for reads */ -- if (op == REQ_OP_READ) { -- struct bio_vec bv; -- -- mp_bvec_last_segment(bvec, &bv); -- zero_user(bv.bv_page, bv.bv_offset + bv.bv_len, -- truncated_bytes); -- } -+ bio_truncate(bio, maxsector << 9); - } - - static int submit_bh_wbc(int op, int op_flags, struct buffer_head *bh, -diff --git a/include/linux/bio.h b/include/linux/bio.h -index 3cdb84cdc488..853d92ceee64 100644 ---- a/include/linux/bio.h -+++ b/include/linux/bio.h -@@ -470,6 +470,7 @@ extern struct bio *bio_copy_user_iov(struct request_queue *, - gfp_t); - extern int bio_uncopy_user(struct bio *); - void zero_fill_bio_iter(struct bio *bio, struct bvec_iter iter); -+void bio_truncate(struct bio *bio, unsigned new_size); - - static inline void zero_fill_bio(struct bio *bio) - { --- -2.20.1 - diff --git a/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch b/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch deleted file mode 100644 index 6eea7d535be..00000000000 --- a/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 6e83ba3ad217cf16d6d10315a67915fcbc9751d1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 16:30:04 -0500 -Subject: drm/amd/display: Change the delay time before enabling FEC - -From: Leo (Hanghong) Ma - -[ Upstream commit 28fa24ad14e8f7d23c62283eaf9c79b4fd165c16 ] - -[why] -DP spec requires 1000 symbols delay between the end of link training -and enabling FEC in the stream. Currently we are using 1 miliseconds -delay which is not accurate. - -[how] -One lane RBR should have the maximum time for transmitting 1000 LL -codes which is 6.173 us. So using 7 microseconds delay instead of -1 miliseconds. - -Signed-off-by: Leo (Hanghong) Ma -Reviewed-by: Harry Wentland -Reviewed-by: Nikola Cornij -Acked-by: Leo Li -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c -index 5a583707d198..0ab890c927ec 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c -@@ -3492,7 +3492,14 @@ void dp_set_fec_enable(struct dc_link *link, bool enable) - if (link_enc->funcs->fec_set_enable && - link->dpcd_caps.fec_cap.bits.FEC_CAPABLE) { - if (link->fec_state == dc_link_fec_ready && enable) { -- msleep(1); -+ /* Accord to DP spec, FEC enable sequence can first -+ * be transmitted anytime after 1000 LL codes have -+ * been transmitted on the link after link training -+ * completion. Using 1 lane RBR should have the maximum -+ * time for transmitting 1000 LL codes which is 6.173 us. -+ * So use 7 microseconds delay instead. -+ */ -+ udelay(7); - link_enc->funcs->fec_set_enable(link_enc, true); - link->fec_state = dc_link_fec_enabled; - } else if (link->fec_state == dc_link_fec_enabled && !enable) { --- -2.20.1 - diff --git a/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch b/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch deleted file mode 100644 index 9a409867729..00000000000 --- a/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 011554e3fc35bce137da03d816ec8d443360643e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 17:18:20 -0500 -Subject: drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI - dongle - -From: David Galiffi - -[ Upstream commit a51d9f8fe756beac51ce26ef54195da00a260d13 ] - -[Why] -In dc_link_is_dp_sink_present, if dal_ddc_open fails, then -dal_gpio_destroy_ddc is called, destroying pin_data and pin_clock. They -are created only on dc_construct, and next aux access will cause a panic. - -[How] -Instead of calling dal_gpio_destroy_ddc, call dal_ddc_close. - -Signed-off-by: David Galiffi -Reviewed-by: Tony Cheng -Acked-by: Leo Li -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c -index 067f5579f452..793aa8e8ec9a 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c -@@ -373,7 +373,7 @@ bool dc_link_is_dp_sink_present(struct dc_link *link) - - if (GPIO_RESULT_OK != dal_ddc_open( - ddc, GPIO_MODE_INPUT, GPIO_DDC_CONFIG_TYPE_MODE_I2C)) { -- dal_gpio_destroy_ddc(&ddc); -+ dal_ddc_close(ddc); - - return present; - } --- -2.20.1 - diff --git a/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch b/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch deleted file mode 100644 index 363e58b7fef..00000000000 --- a/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch +++ /dev/null @@ -1,77 +0,0 @@ -From c0a5f0491459e1f6e383355df62ca06d0183a7e0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 13:06:48 -0500 -Subject: drm/amd/display: Map DSC resources 1-to-1 if numbers of OPPs and DSCs - are equal - -From: Nikola Cornij - -[ Upstream commit a1fc44b609b4e9c0941f0e4a1fc69d367af5ab69 ] - -[why] -On ASICs where number of DSCs is the same as OPPs there's no need -for DSC resource management. Mappping 1-to-1 fixes mode-set- or S3- --related issues for such platforms. - -[how] -Map DSC resources 1-to-1 to pipes only if number of OPPs is the same -as number of DSCs. This will still keep other ASICs working. -A follow-up patch to fix mode-set issues on those ASICs will be -required if testing shows issues with mode set. - -Signed-off-by: Nikola Cornij -Reviewed-by: Dmytro Laktyushkin -Acked-by: Leo Li -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c -index 78b2cc2e122f..3b7769a3e67e 100644 ---- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c -@@ -1419,13 +1419,20 @@ enum dc_status dcn20_build_mapped_resource(const struct dc *dc, struct dc_state - - static void acquire_dsc(struct resource_context *res_ctx, - const struct resource_pool *pool, -- struct display_stream_compressor **dsc) -+ struct display_stream_compressor **dsc, -+ int pipe_idx) - { - int i; - - ASSERT(*dsc == NULL); - *dsc = NULL; - -+ if (pool->res_cap->num_dsc == pool->res_cap->num_opp) { -+ *dsc = pool->dscs[pipe_idx]; -+ res_ctx->is_dsc_acquired[pipe_idx] = true; -+ return; -+ } -+ - /* Find first free DSC */ - for (i = 0; i < pool->res_cap->num_dsc; i++) - if (!res_ctx->is_dsc_acquired[i]) { -@@ -1468,7 +1475,7 @@ static enum dc_status add_dsc_to_stream_resource(struct dc *dc, - if (pipe_ctx->stream != dc_stream) - continue; - -- acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc); -+ acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc, i); - - /* The number of DSCs can be less than the number of pipes */ - if (!pipe_ctx->stream_res.dsc) { -@@ -1669,7 +1676,7 @@ static bool dcn20_split_stream_for_odm( - next_odm_pipe->stream_res.opp = pool->opps[next_odm_pipe->pipe_idx]; - #ifdef CONFIG_DRM_AMD_DC_DSC_SUPPORT - if (next_odm_pipe->stream->timing.flags.DSC == 1) { -- acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc); -+ acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc, next_odm_pipe->pipe_idx); - ASSERT(next_odm_pipe->stream_res.dsc); - if (next_odm_pipe->stream_res.dsc == NULL) - return false; --- -2.20.1 - diff --git a/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch b/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch deleted file mode 100644 index 2336868b0b5..00000000000 --- a/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 6f94d734112feb364ec1f47440cb9c509009894c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Nov 2019 18:03:59 -0500 -Subject: drm/amd/display: Reset steer fifo before unblanking the stream - -From: Nikola Cornij - -[ Upstream commit 87de6cb2f28153bc74d0a001ca099c29453e145f ] - -[why] -During mode transition steer fifo could overflow. Quite often it -recovers by itself, but sometimes it doesn't. - -[how] -Add steer fifo reset before unblanking the stream. Also add a short -delay when resetting dig resync fifo to make sure register writes -don't end up back-to-back, in which case the HW might miss the reset -request. - -Signed-off-by: Nikola Cornij -Reviewed-by: Tony Cheng -Acked-by: Leo Li -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../drm/amd/display/dc/dcn20/dcn20_stream_encoder.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c -index 5ab9d6240498..e95025b1d14d 100644 ---- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c -@@ -492,15 +492,23 @@ void enc2_stream_encoder_dp_unblank( - DP_VID_N_MUL, n_multiply); - } - -- /* set DIG_START to 0x1 to reset FIFO */ -+ /* make sure stream is disabled before resetting steer fifo */ -+ REG_UPDATE(DP_VID_STREAM_CNTL, DP_VID_STREAM_ENABLE, false); -+ REG_WAIT(DP_VID_STREAM_CNTL, DP_VID_STREAM_STATUS, 0, 10, 5000); - -+ /* set DIG_START to 0x1 to reset FIFO */ - REG_UPDATE(DIG_FE_CNTL, DIG_START, 1); -+ udelay(1); - - /* write 0 to take the FIFO out of reset */ - - REG_UPDATE(DIG_FE_CNTL, DIG_START, 0); - -- /* switch DP encoder to CRTC data */ -+ /* switch DP encoder to CRTC data, but reset it the fifo first. It may happen -+ * that it overflows during mode transition, and sometimes doesn't recover. -+ */ -+ REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 1); -+ udelay(10); - - REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 0); - --- -2.20.1 - diff --git a/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch b/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch deleted file mode 100644 index b7679bca6b6..00000000000 --- a/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch +++ /dev/null @@ -1,38 +0,0 @@ -From fcdd32b1fee3cdbc610da955400cfaeb4c69bcf6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Nov 2019 12:04:25 -0500 -Subject: drm/amd/display: update dispclk and dppclk vco frequency - -From: Eric Yang - -[ Upstream commit 44ce6c3dc8479bb3ed68df13b502b0901675e7d6 ] - -Value obtained from DV is not allowing 8k60 CTA mode with DSC to -pass, after checking real value being used in hw, find out that -correct value is 3600, which will allow that mode. - -Signed-off-by: Eric Yang -Reviewed-by: Tony Cheng -Acked-by: Leo Li -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c -index de182185fe1f..b0e5e64df212 100644 ---- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c -@@ -258,7 +258,7 @@ struct _vcs_dpi_soc_bounding_box_st dcn2_1_soc = { - .vmm_page_size_bytes = 4096, - .dram_clock_change_latency_us = 23.84, - .return_bus_width_bytes = 64, -- .dispclk_dppclk_vco_speed_mhz = 3550, -+ .dispclk_dppclk_vco_speed_mhz = 3600, - .xfc_bus_transport_time_us = 4, - .xfc_xbuf_latency_tolerance_us = 4, - .use_urgent_burst_bw = 1, --- -2.20.1 - diff --git a/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch b/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch deleted file mode 100644 index 37f4651a0c1..00000000000 --- a/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 2645e9176bd2243df4f1768b0c8315b16509f3e1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Nov 2019 12:08:58 +0100 -Subject: drm/amdgpu: add cache flush workaround to gfx8 emit_fence - -From: Pierre-Eric Pelloux-Prayer - -[ Upstream commit bf26da927a1cd57c9deb2db29ae8cf276ba8b17b ] - -The same workaround is used for gfx7. -Both PAL and Mesa use it for gfx8 too, so port this commit to -gfx_v8_0_ring_emit_fence_gfx. - -Signed-off-by: Pierre-Eric Pelloux-Prayer -Reviewed-by: Alex Deucher -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 22 +++++++++++++++++++--- - 1 file changed, 19 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c -index 87dd55e9d72b..cc88ba76a8d4 100644 ---- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c -+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c -@@ -6184,7 +6184,23 @@ static void gfx_v8_0_ring_emit_fence_gfx(struct amdgpu_ring *ring, u64 addr, - bool write64bit = flags & AMDGPU_FENCE_FLAG_64BIT; - bool int_sel = flags & AMDGPU_FENCE_FLAG_INT; - -- /* EVENT_WRITE_EOP - flush caches, send int */ -+ /* Workaround for cache flush problems. First send a dummy EOP -+ * event down the pipe with seq one below. -+ */ -+ amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4)); -+ amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN | -+ EOP_TC_ACTION_EN | -+ EOP_TC_WB_ACTION_EN | -+ EVENT_TYPE(CACHE_FLUSH_AND_INV_TS_EVENT) | -+ EVENT_INDEX(5))); -+ amdgpu_ring_write(ring, addr & 0xfffffffc); -+ amdgpu_ring_write(ring, (upper_32_bits(addr) & 0xffff) | -+ DATA_SEL(1) | INT_SEL(0)); -+ amdgpu_ring_write(ring, lower_32_bits(seq - 1)); -+ amdgpu_ring_write(ring, upper_32_bits(seq - 1)); -+ -+ /* Then send the real EOP event down the pipe: -+ * EVENT_WRITE_EOP - flush caches, send int */ - amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4)); - amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN | - EOP_TC_ACTION_EN | -@@ -6926,7 +6942,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = { - 5 + /* COND_EXEC */ - 7 + /* PIPELINE_SYNC */ - VI_FLUSH_GPU_TLB_NUM_WREG * 5 + 9 + /* VM_FLUSH */ -- 8 + /* FENCE for VM_FLUSH */ -+ 12 + /* FENCE for VM_FLUSH */ - 20 + /* GDS switch */ - 4 + /* double SWITCH_BUFFER, - the first COND_EXEC jump to the place just -@@ -6938,7 +6954,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = { - 31 + /* DE_META */ - 3 + /* CNTX_CTRL */ - 5 + /* HDP_INVL */ -- 8 + 8 + /* FENCE x2 */ -+ 12 + 12 + /* FENCE x2 */ - 2, /* SWITCH_BUFFER */ - .emit_ib_size = 4, /* gfx_v8_0_ring_emit_ib_gfx */ - .emit_ib = gfx_v8_0_ring_emit_ib_gfx, --- -2.20.1 - diff --git a/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch b/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch deleted file mode 100644 index 1b36baafbce..00000000000 --- a/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch +++ /dev/null @@ -1,74 +0,0 @@ -From ce4755a7b4069d0b224656b951e16ae62d833067 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 4 Dec 2019 15:51:16 +0800 -Subject: drm/amdgpu: add check before enabling/disabling broadcast mode - -From: Guchun Chen - -[ Upstream commit 6e807535dae5dbbd53bcc5e81047a20bf5eb08ea ] - -When security violation from new vbios happens, data fabric is -risky to stop working. So prevent the direct access to DF -mmFabricConfigAccessControl from the new vbios and onwards. - -Signed-off-by: Guchun Chen -Reviewed-by: Hawking Zhang -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/df_v3_6.c | 38 ++++++++++++++++------------ - 1 file changed, 22 insertions(+), 16 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c -index 5850c8e34caa..97d11d792351 100644 ---- a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c -+++ b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c -@@ -261,23 +261,29 @@ static void df_v3_6_update_medium_grain_clock_gating(struct amdgpu_device *adev, - { - u32 tmp; - -- /* Put DF on broadcast mode */ -- adev->df_funcs->enable_broadcast_mode(adev, true); -- -- if (enable && (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)) { -- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater); -- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; -- tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY; -- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp); -- } else { -- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater); -- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; -- tmp |= DF_V3_6_MGCG_DISABLE; -- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp); -- } -+ if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG) { -+ /* Put DF on broadcast mode */ -+ adev->df_funcs->enable_broadcast_mode(adev, true); -+ -+ if (enable) { -+ tmp = RREG32_SOC15(DF, 0, -+ mmDF_PIE_AON0_DfGlobalClkGater); -+ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; -+ tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY; -+ WREG32_SOC15(DF, 0, -+ mmDF_PIE_AON0_DfGlobalClkGater, tmp); -+ } else { -+ tmp = RREG32_SOC15(DF, 0, -+ mmDF_PIE_AON0_DfGlobalClkGater); -+ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK; -+ tmp |= DF_V3_6_MGCG_DISABLE; -+ WREG32_SOC15(DF, 0, -+ mmDF_PIE_AON0_DfGlobalClkGater, tmp); -+ } - -- /* Exit broadcast mode */ -- adev->df_funcs->enable_broadcast_mode(adev, false); -+ /* Exit broadcast mode */ -+ adev->df_funcs->enable_broadcast_mode(adev, false); -+ } - } - - static void df_v3_6_get_clockgating_state(struct amdgpu_device *adev, --- -2.20.1 - diff --git a/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch b/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch deleted file mode 100644 index 373fbda055f..00000000000 --- a/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch +++ /dev/null @@ -1,43 +0,0 @@ -From fdf2d58245df964bac125677d8887126cb486e20 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 4 Dec 2019 22:07:49 -0500 -Subject: drm/amdgpu: add header line for power profile on Arcturus - -From: Alex Deucher - -[ Upstream commit 14891c316ca7e15d81dba78f30fb630e3f9ee2c9 ] - -So the output is consistent with other asics. - -Reviewed-by: Evan Quan -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/powerplay/arcturus_ppt.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c -index d493a3f8c07a..b68bf8dcfa78 100644 ---- a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c -+++ b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c -@@ -1388,12 +1388,17 @@ static int arcturus_get_power_profile_mode(struct smu_context *smu, - "VR", - "COMPUTE", - "CUSTOM"}; -+ static const char *title[] = { -+ "PROFILE_INDEX(NAME)"}; - uint32_t i, size = 0; - int16_t workload_type = 0; - - if (!smu->pm_enabled || !buf) - return -EINVAL; - -+ size += sprintf(buf + size, "%16s\n", -+ title[0]); -+ - for (i = 0; i <= PP_SMC_POWER_PROFILE_CUSTOM; i++) { - /* - * Conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT --- -2.20.1 - diff --git a/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch b/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch deleted file mode 100644 index e5328a87a50..00000000000 --- a/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch +++ /dev/null @@ -1,44 +0,0 @@ -From eeadcb8d51ef273f82916a08b6f9487bccb0ba79 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 4 Dec 2019 16:52:37 -0800 -Subject: drm: limit to INT_MAX in create_blob ioctl - -From: Daniel Vetter - -[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ] - -The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb -("uaccess: disallow > INT_MAX copy sizes") - -Code itself should have been fine as-is. - -Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch -Signed-off-by: Daniel Vetter -Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com -Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") -Cc: Kees Cook -Cc: Alexander Viro -Cc: Stephen Rothwell -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/drm_property.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c -index 892ce636ef72..6ee04803c362 100644 ---- a/drivers/gpu/drm/drm_property.c -+++ b/drivers/gpu/drm/drm_property.c -@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, - struct drm_property_blob *blob; - int ret; - -- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) -+ if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) - return ERR_PTR(-EINVAL); - - blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); --- -2.20.1 - diff --git a/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch b/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch deleted file mode 100644 index 9db35d7d37e..00000000000 --- a/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch +++ /dev/null @@ -1,60 +0,0 @@ -From b97a2a59f2db1b36b5804a182637a29ed74da180 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Nov 2019 14:02:52 +0100 -Subject: drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be - found - -From: Stephan Gerhold - -[ Upstream commit c131280c03bd1c225c2e64e9ef75873ffca3d96e ] - -The "panel" pointer is not reset to NULL if of_drm_find_panel() -returns an error. Therefore we later assume that a panel was found, -and try to dereference the error pointer, resulting in: - - mcde-dsi a0351000.dsi: failed to find panel try bridge (4294966779) - Unable to handle kernel paging request at virtual address fffffe03 - PC is at drm_panel_bridge_add.part.0+0x10/0x5c - LR is at mcde_dsi_bind+0x120/0x464 - ... - -Reset "panel" to NULL to avoid this problem. -Also change the format string of the error to %ld to print -the negative errors correctly. The crash above then becomes: - - mcde-dsi a0351000.dsi: failed to find panel try bridge (-517) - mcde-dsi a0351000.dsi: no panel or bridge - ... - -Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE") -Signed-off-by: Stephan Gerhold -Signed-off-by: Linus Walleij -Link: https://patchwork.freedesktop.org/patch/msgid/20191118130252.170324-1-stephan@gerhold.net -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/mcde/mcde_dsi.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c -index f9c9e32b299c..35bb825d1918 100644 ---- a/drivers/gpu/drm/mcde/mcde_dsi.c -+++ b/drivers/gpu/drm/mcde/mcde_dsi.c -@@ -935,11 +935,13 @@ static int mcde_dsi_bind(struct device *dev, struct device *master, - for_each_available_child_of_node(dev->of_node, child) { - panel = of_drm_find_panel(child); - if (IS_ERR(panel)) { -- dev_err(dev, "failed to find panel try bridge (%lu)\n", -+ dev_err(dev, "failed to find panel try bridge (%ld)\n", - PTR_ERR(panel)); -+ panel = NULL; -+ - bridge = of_drm_find_bridge(child); - if (IS_ERR(bridge)) { -- dev_err(dev, "failed to find bridge (%lu)\n", -+ dev_err(dev, "failed to find bridge (%ld)\n", - PTR_ERR(bridge)); - return PTR_ERR(bridge); - } --- -2.20.1 - diff --git a/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch b/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch deleted file mode 100644 index c822eab04c8..00000000000 --- a/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch +++ /dev/null @@ -1,120 +0,0 @@ -From cf7856331b93eff7c828c3fcda48fa8ede71ac50 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 24 Oct 2019 10:52:53 +0200 -Subject: drm/nouveau: Fix drm-core using atomic code-paths on pre-nv50 - hardware - -From: Hans de Goede - -[ Upstream commit 64d17f25dcad518461ccf0c260544e1e379c5b35 ] - -We do not support atomic modesetting on pre-nv50 hardware, but until now -our connector code was setting drm_connector->state on pre-nv50 hardware. - -This causes the core to enter atomic modesetting paths in at least: - -1. drm_connector_get_encoder(), returning connector->state->best_encoder -which is always 0, causing us to always report 0 as encoder_id in -the drmModeConnector struct returned by drmModeGetConnector(). - -2. drm_encoder_get_crtc(), returning NULL because uses_atomic get set, -causing us to always report 0 as crtc_id in the drmModeEncoder struct -returned by drmModeGetEncoder() - -Which in turn confuses userspace, at least plymouth thinks that the pipe -has changed because of this and tries to reconfigure it unnecessarily. - -More in general we should not set drm_connector->state in the non-atomic -code as this violates the drm-core's expectations. - -This commit fixes this by using a nouveau_conn_atom struct embedded in the -nouveau_connector struct for property handling in the non-atomic case. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1706557 -Signed-off-by: Hans de Goede -Signed-off-by: Ben Skeggs -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_connector.c | 28 +++++++++++++++------ - drivers/gpu/drm/nouveau/nouveau_connector.h | 6 +++++ - 2 files changed, 27 insertions(+), 7 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c -index a442a955f98c..eb31c5b6c8e9 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.c -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c -@@ -245,14 +245,22 @@ nouveau_conn_atomic_duplicate_state(struct drm_connector *connector) - void - nouveau_conn_reset(struct drm_connector *connector) - { -+ struct nouveau_connector *nv_connector = nouveau_connector(connector); - struct nouveau_conn_atom *asyc; - -- if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) -- return; -+ if (drm_drv_uses_atomic_modeset(connector->dev)) { -+ if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) -+ return; -+ -+ if (connector->state) -+ nouveau_conn_atomic_destroy_state(connector, -+ connector->state); -+ -+ __drm_atomic_helper_connector_reset(connector, &asyc->state); -+ } else { -+ asyc = &nv_connector->properties_state; -+ } - -- if (connector->state) -- nouveau_conn_atomic_destroy_state(connector, connector->state); -- __drm_atomic_helper_connector_reset(connector, &asyc->state); - asyc->dither.mode = DITHERING_MODE_AUTO; - asyc->dither.depth = DITHERING_DEPTH_AUTO; - asyc->scaler.mode = DRM_MODE_SCALE_NONE; -@@ -276,8 +284,14 @@ void - nouveau_conn_attach_properties(struct drm_connector *connector) - { - struct drm_device *dev = connector->dev; -- struct nouveau_conn_atom *armc = nouveau_conn_atom(connector->state); - struct nouveau_display *disp = nouveau_display(dev); -+ struct nouveau_connector *nv_connector = nouveau_connector(connector); -+ struct nouveau_conn_atom *armc; -+ -+ if (drm_drv_uses_atomic_modeset(connector->dev)) -+ armc = nouveau_conn_atom(connector->state); -+ else -+ armc = &nv_connector->properties_state; - - /* Init DVI-I specific properties. */ - if (connector->connector_type == DRM_MODE_CONNECTOR_DVII) -@@ -749,9 +763,9 @@ static int - nouveau_connector_set_property(struct drm_connector *connector, - struct drm_property *property, uint64_t value) - { -- struct nouveau_conn_atom *asyc = nouveau_conn_atom(connector->state); - struct nouveau_connector *nv_connector = nouveau_connector(connector); - struct nouveau_encoder *nv_encoder = nv_connector->detected_encoder; -+ struct nouveau_conn_atom *asyc = &nv_connector->properties_state; - struct drm_encoder *encoder = to_drm_encoder(nv_encoder); - int ret; - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h -index de9588420884..de84fb4708c7 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.h -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.h -@@ -118,6 +118,12 @@ struct nouveau_connector { - #ifdef CONFIG_DRM_NOUVEAU_BACKLIGHT - struct nouveau_backlight *backlight; - #endif -+ /* -+ * Our connector property code expects a nouveau_conn_atom struct -+ * even on pre-nv50 where we do not support atomic. This embedded -+ * version gets used in the non atomic modeset case. -+ */ -+ struct nouveau_conn_atom properties_state; - }; - - static inline struct nouveau_connector *nouveau_connector( --- -2.20.1 - diff --git a/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch b/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch deleted file mode 100644 index 6a283d80953..00000000000 --- a/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 60100303df3b576c5bf4933d1b254a8c0b7c41eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 10 Dec 2019 12:15:44 +1000 -Subject: drm/nouveau/kms/nv50-: fix panel scaling - -From: Ben Skeggs - -[ Upstream commit 3d1890ef8023e61934e070021b06cc9f417260c0 ] - -Under certain circumstances, encoder atomic_check() can be entered -without adjusted_mode having been reset to the same as mode, which -confuses the scaling logic and can lead to a misprogrammed display. - -Fix this by checking against the user-provided mode directly. - -Link: https://bugs.freedesktop.org/show_bug.cgi?id=108615 -Link: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/464 -Signed-off-by: Ben Skeggs -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/dispnv50/disp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c -index b5b1a34f896f..d735ea7e2d88 100644 ---- a/drivers/gpu/drm/nouveau/dispnv50/disp.c -+++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c -@@ -326,9 +326,9 @@ nv50_outp_atomic_check_view(struct drm_encoder *encoder, - * same size as the native one (e.g. different - * refresh rate) - */ -- if (adjusted_mode->hdisplay == native_mode->hdisplay && -- adjusted_mode->vdisplay == native_mode->vdisplay && -- adjusted_mode->type & DRM_MODE_TYPE_DRIVER) -+ if (mode->hdisplay == native_mode->hdisplay && -+ mode->vdisplay == native_mode->vdisplay && -+ mode->type & DRM_MODE_TYPE_DRIVER) - break; - mode = native_mode; - asyc->scaler.full = true; --- -2.20.1 - diff --git a/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch b/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch deleted file mode 100644 index c1130bfcbeb..00000000000 --- a/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch +++ /dev/null @@ -1,163 +0,0 @@ -From 84bf4989b2af05e88ebfd0efaddf6506ddfcce57 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 24 Oct 2019 10:52:52 +0200 -Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a - bit - -From: Hans de Goede - -[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ] - -Place the declaration of struct nouveau_conn_atom above that of -struct nouveau_connector. This commit makes no changes to the moved -block what so ever, it just moves it up a bit. - -This is a preparation patch to fix some issues with connector handling -on pre nv50 displays (which do not use atomic modesetting). - -Signed-off-by: Hans de Goede -Reviewed-by: Lyude Paul -Signed-off-by: Ben Skeggs -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++---------- - 1 file changed, 55 insertions(+), 55 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h -index f43a8d63aef8..de9588420884 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.h -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.h -@@ -29,6 +29,7 @@ - - #include - -+#include - #include - #include - #include -@@ -44,6 +45,60 @@ struct dcb_output; - struct nouveau_backlight; - #endif - -+#define nouveau_conn_atom(p) \ -+ container_of((p), struct nouveau_conn_atom, state) -+ -+struct nouveau_conn_atom { -+ struct drm_connector_state state; -+ -+ struct { -+ /* The enum values specifically defined here match nv50/gf119 -+ * hw values, and the code relies on this. -+ */ -+ enum { -+ DITHERING_MODE_OFF = 0x00, -+ DITHERING_MODE_ON = 0x01, -+ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, -+ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, -+ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, -+ DITHERING_MODE_AUTO -+ } mode; -+ enum { -+ DITHERING_DEPTH_6BPC = 0x00, -+ DITHERING_DEPTH_8BPC = 0x02, -+ DITHERING_DEPTH_AUTO -+ } depth; -+ } dither; -+ -+ struct { -+ int mode; /* DRM_MODE_SCALE_* */ -+ struct { -+ enum { -+ UNDERSCAN_OFF, -+ UNDERSCAN_ON, -+ UNDERSCAN_AUTO, -+ } mode; -+ u32 hborder; -+ u32 vborder; -+ } underscan; -+ bool full; -+ } scaler; -+ -+ struct { -+ int color_vibrance; -+ int vibrant_hue; -+ } procamp; -+ -+ union { -+ struct { -+ bool dither:1; -+ bool scaler:1; -+ bool procamp:1; -+ }; -+ u8 mask; -+ } set; -+}; -+ - struct nouveau_connector { - struct drm_connector base; - enum dcb_connector_type type; -@@ -121,61 +176,6 @@ extern int nouveau_ignorelid; - extern int nouveau_duallink; - extern int nouveau_hdmimhz; - --#include --#define nouveau_conn_atom(p) \ -- container_of((p), struct nouveau_conn_atom, state) -- --struct nouveau_conn_atom { -- struct drm_connector_state state; -- -- struct { -- /* The enum values specifically defined here match nv50/gf119 -- * hw values, and the code relies on this. -- */ -- enum { -- DITHERING_MODE_OFF = 0x00, -- DITHERING_MODE_ON = 0x01, -- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, -- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, -- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, -- DITHERING_MODE_AUTO -- } mode; -- enum { -- DITHERING_DEPTH_6BPC = 0x00, -- DITHERING_DEPTH_8BPC = 0x02, -- DITHERING_DEPTH_AUTO -- } depth; -- } dither; -- -- struct { -- int mode; /* DRM_MODE_SCALE_* */ -- struct { -- enum { -- UNDERSCAN_OFF, -- UNDERSCAN_ON, -- UNDERSCAN_AUTO, -- } mode; -- u32 hborder; -- u32 vborder; -- } underscan; -- bool full; -- } scaler; -- -- struct { -- int color_vibrance; -- int vibrant_hue; -- } procamp; -- -- union { -- struct { -- bool dither:1; -- bool scaler:1; -- bool procamp:1; -- }; -- u8 mask; -- } set; --}; -- - void nouveau_conn_attach_properties(struct drm_connector *); - void nouveau_conn_reset(struct drm_connector *); - struct drm_connector_state * --- -2.20.1 - diff --git a/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch b/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch deleted file mode 100644 index 0ae56c2d721..00000000000 --- a/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 9351bf844bf4a5c26b3f27ad2a1d8a163b59284a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 11:12:13 +0200 -Subject: IB/mlx4: Follow mirror sequence of device add during device removal - -From: Parav Pandit - -[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ] - -Current code device add sequence is: - -ib_register_device() -ib_mad_init() -init_sriov_init() -register_netdev_notifier() - -Therefore, the remove sequence should be, - -unregister_netdev_notifier() -close_sriov() -mad_cleanup() -ib_unregister_device() - -However it is not above. -Hence, make do above remove sequence. - -Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE") -Signed-off-by: Parav Pandit -Reviewed-by: Maor Gottlieb -Signed-off-by: Leon Romanovsky -Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org -Signed-off-by: Doug Ledford -Signed-off-by: Sasha Levin ---- - drivers/infiniband/hw/mlx4/main.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c -index 8d2f1e38b891..907d99822bf0 100644 ---- a/drivers/infiniband/hw/mlx4/main.c -+++ b/drivers/infiniband/hw/mlx4/main.c -@@ -3008,16 +3008,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr) - ibdev->ib_active = false; - flush_workqueue(wq); - -- mlx4_ib_close_sriov(ibdev); -- mlx4_ib_mad_cleanup(ibdev); -- ib_unregister_device(&ibdev->ib_dev); -- mlx4_ib_diag_cleanup(ibdev); - if (ibdev->iboe.nb.notifier_call) { - if (unregister_netdevice_notifier(&ibdev->iboe.nb)) - pr_warn("failure unregistering notifier\n"); - ibdev->iboe.nb.notifier_call = NULL; - } - -+ mlx4_ib_close_sriov(ibdev); -+ mlx4_ib_mad_cleanup(ibdev); -+ ib_unregister_device(&ibdev->ib_dev); -+ mlx4_ib_diag_cleanup(ibdev); -+ - mlx4_qp_release_range(dev, ibdev->steer_qpn_base, - ibdev->steer_qpn_count); - kfree(ibdev->ib_uc_qpns_bitmap); --- -2.20.1 - diff --git a/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch b/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch deleted file mode 100644 index 231c7b6f1ea..00000000000 --- a/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 51d569c6ca8b22b64df0d97c873e811d004ee9e5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 11:12:14 +0200 -Subject: IB/mlx5: Fix steering rule of drop and count - -From: Maor Gottlieb - -[ Upstream commit ed9085fed9d95d5921582e3c8474f3736c5d2782 ] - -There are two flow rule destinations: QP and packet. While users are -setting DROP packet rule, the QP should not be set as a destination. - -Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support") -Signed-off-by: Maor Gottlieb -Reviewed-by: Raed Salem -Signed-off-by: Leon Romanovsky -Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org -Signed-off-by: Doug Ledford -Signed-off-by: Sasha Levin ---- - drivers/infiniband/hw/mlx5/main.c | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c -index 831539419c30..e1cfbedefcbc 100644 ---- a/drivers/infiniband/hw/mlx5/main.c -+++ b/drivers/infiniband/hw/mlx5/main.c -@@ -3548,10 +3548,6 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, - } - - INIT_LIST_HEAD(&handler->list); -- if (dst) { -- memcpy(&dest_arr[0], dst, sizeof(*dst)); -- dest_num++; -- } - - for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) { - err = parse_flow_attr(dev->mdev, spec, -@@ -3564,6 +3560,11 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, - ib_flow += ((union ib_flow_spec *)ib_flow)->size; - } - -+ if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) { -+ memcpy(&dest_arr[0], dst, sizeof(*dst)); -+ dest_num++; -+ } -+ - if (!flow_is_multicast_only(flow_attr)) - set_underlay_qp(dev, spec, underlay_qpn); - -@@ -3604,10 +3605,8 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev, - } - - if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) { -- if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) { -+ if (!dest_num) - rule_dst = NULL; -- dest_num = 0; -- } - } else { - if (is_egress) - flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW; --- -2.20.1 - diff --git a/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch b/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch deleted file mode 100644 index 56d18101127..00000000000 --- a/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch +++ /dev/null @@ -1,93 +0,0 @@ -From a917781c642d12c4c88bb8b15908dfdfca3ba6fc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 Dec 2019 09:55:46 +0100 -Subject: iio: adc: max9611: Fix too short conversion time delay -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Geert Uytterhoeven - -[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ] - -As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature -reading in probe"), max9611 initialization sometimes fails on the -Salvator-X(S) development board with: - - max9611 4-007f: Invalid value received from ADC 0x8000: aborting - max9611: probe of 4-007f failed with error -5 - -The max9611 driver tests communications with the chip by reading the die -temperature during the probe function, which returns an invalid value. - -According to the datasheet, the typical ADC conversion time is 2 ms, but -no minimum or maximum values are provided. Maxim Technical Support -confirmed this was tested with temperature Ta=25 degreeC, and promised -to inform me if a maximum/minimum value is available (they didn't get -back to me, so I assume it is not). - -However, the driver assumes a 1 ms conversion time. Usually the -usleep_range() call returns after more than 1.8 ms, hence it succeeds. -When it returns earlier, the data register may be read too early, and -the previous measurement value will be returned. After boot, this is -the temperature POR (power-on reset) value, causing the failure above. - -Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs. - -Note that this issue has always been present, but it was exposed by the -aformentioned commit. - -Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver") -Signed-off-by: Geert Uytterhoeven -Reviewed-by: Jacopo Mondi -Reviewed-by: Wolfram Sang -Signed-off-by: Jonathan Cameron -Signed-off-by: Sasha Levin ---- - drivers/iio/adc/max9611.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c -index da073d72f649..e480529b3f04 100644 ---- a/drivers/iio/adc/max9611.c -+++ b/drivers/iio/adc/max9611.c -@@ -89,6 +89,12 @@ - #define MAX9611_TEMP_SCALE_NUM 1000000 - #define MAX9611_TEMP_SCALE_DIV 2083 - -+/* -+ * Conversion time is 2 ms (typically) at Ta=25 degreeC -+ * No maximum value is known, so play it safe. -+ */ -+#define MAX9611_CONV_TIME_US_RANGE 3000, 3300 -+ - struct max9611_dev { - struct device *dev; - struct i2c_client *i2c_client; -@@ -236,11 +242,9 @@ static int max9611_read_single(struct max9611_dev *max9611, - return ret; - } - -- /* -- * need a delay here to make register configuration -- * stabilize. 1 msec at least, from empirical testing. -- */ -- usleep_range(1000, 2000); -+ /* need a delay here to make register configuration stabilize. */ -+ -+ usleep_range(MAX9611_CONV_TIME_US_RANGE); - - ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr); - if (ret < 0) { -@@ -507,7 +511,7 @@ static int max9611_init(struct max9611_dev *max9611) - MAX9611_REG_CTRL2, 0); - return ret; - } -- usleep_range(1000, 2000); -+ usleep_range(MAX9611_CONV_TIME_US_RANGE); - - return 0; - } --- -2.20.1 - diff --git a/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch b/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch deleted file mode 100644 index 4c2a58dd1c5..00000000000 --- a/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 432ef297b2112e54d9689535355d287d2a3390af Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Nov 2019 11:21:15 +0800 -Subject: iio: st_accel: Fix unused variable warning - -From: YueHaibing - -[ Upstream commit 0163c1c521ff8b09cd8ca395003cc00178161d77 ] - -drivers/iio/accel/st_accel_core.c:1005:44: warning: - mount_matrix_ext_info defined but not used [-Wunused-const-variable=] - -Using stub helper while CONFIG_ACPI is disabled to fix it. - -Suggested-by: Ladislav Michl -Signed-off-by: YueHaibing -Signed-off-by: Jonathan Cameron -Signed-off-by: Sasha Levin ---- - drivers/iio/accel/st_accel_core.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c -index 2e37f8a6d8cf..be661396095c 100644 ---- a/drivers/iio/accel/st_accel_core.c -+++ b/drivers/iio/accel/st_accel_core.c -@@ -993,6 +993,7 @@ static const struct iio_trigger_ops st_accel_trigger_ops = { - #define ST_ACCEL_TRIGGER_OPS NULL - #endif - -+#ifdef CONFIG_ACPI - static const struct iio_mount_matrix * - get_mount_matrix(const struct iio_dev *indio_dev, - const struct iio_chan_spec *chan) -@@ -1013,7 +1014,6 @@ static const struct iio_chan_spec_ext_info mount_matrix_ext_info[] = { - static int apply_acpi_orientation(struct iio_dev *indio_dev, - struct iio_chan_spec *channels) - { --#ifdef CONFIG_ACPI - struct st_sensor_data *adata = iio_priv(indio_dev); - struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; - struct acpi_device *adev; -@@ -1141,10 +1141,14 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev, - out: - kfree(buffer.pointer); - return ret; -+} - #else /* !CONFIG_ACPI */ -+static int apply_acpi_orientation(struct iio_dev *indio_dev, -+ struct iio_chan_spec *channels) -+{ - return 0; --#endif - } -+#endif - - /* - * st_accel_get_settings() - get sensor settings from device name --- -2.20.1 - diff --git a/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch b/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch deleted file mode 100644 index 3855cd38150..00000000000 --- a/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 1f07ee43f7bcaadce17dcb240d1f2520bcc00deb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 10:30:42 -0800 -Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer - -From: Eric Dumazet - -[ Upstream commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 ] - -We need to explicitely forbid read/store tearing in inet_peer_gc() -and inet_putpeer(). - -The following syzbot report reminds us about inet_putpeer() -running without a lock held. - -BUG: KCSAN: data-race in inet_putpeer / inet_putpeer - -write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0: - inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240 - ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102 - inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228 - __rcu_reclaim kernel/rcu/rcu.h:222 [inline] - rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157 - rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377 - rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386 - __do_softirq+0x115/0x33f kernel/softirq.c:292 - invoke_softirq kernel/softirq.c:373 [inline] - irq_exit+0xbb/0xe0 kernel/softirq.c:413 - exiting_irq arch/x86/include/asm/apic.h:536 [inline] - smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 - apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 - native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 - arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 - default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 - cpuidle_idle_call kernel/sched/idle.c:154 [inline] - do_idle+0x1af/0x280 kernel/sched/idle.c:263 - -write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1: - inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240 - ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102 - inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228 - __rcu_reclaim kernel/rcu/rcu.h:222 [inline] - rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157 - rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377 - rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386 - __do_softirq+0x115/0x33f kernel/softirq.c:292 - run_ksoftirqd+0x46/0x60 kernel/softirq.c:603 - smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165 - kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 - ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - -Fixes: 4b9d9be839fd ("inetpeer: remove unused list") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/inetpeer.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c -index be778599bfed..ff327a62c9ce 100644 ---- a/net/ipv4/inetpeer.c -+++ b/net/ipv4/inetpeer.c -@@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_peer_base *base, - base->total / inet_peer_threshold * HZ; - for (i = 0; i < gc_cnt; i++) { - p = gc_stack[i]; -- delta = (__u32)jiffies - p->dtime; -+ -+ /* The READ_ONCE() pairs with the WRITE_ONCE() -+ * in inet_putpeer() -+ */ -+ delta = (__u32)jiffies - READ_ONCE(p->dtime); -+ - if (delta < ttl || !refcount_dec_if_one(&p->refcnt)) - gc_stack[i] = NULL; - } -@@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer); - - void inet_putpeer(struct inet_peer *p) - { -- p->dtime = (__u32)jiffies; -+ /* The WRITE_ONCE() pairs with itself (we run lockless) -+ * and the READ_ONCE() in inet_peer_gc() -+ */ -+ WRITE_ONCE(p->dtime, (__u32)jiffies); - - if (refcount_dec_and_test(&p->refcnt)) - call_rcu(&p->rcu, inetpeer_free_rcu); --- -2.20.1 - diff --git a/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch b/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch deleted file mode 100644 index 9cdf3c3da9a..00000000000 --- a/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 3d13ba62594638924f247bf1fa1aa40c82b0fb44 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Nov 2019 09:26:29 -0700 -Subject: io_uring: io_allocate_scq_urings() should return a sane state - -From: Jens Axboe - -[ Upstream commit eb065d301e8c83643367bdb0898becc364046bda ] - -We currently rely on the ring destroy on cleaning things up in case of -failure, but io_allocate_scq_urings() can leave things half initialized -if only parts of it fails. - -Be nice and return with either everything setup in success, or return an -error with things nicely cleaned up. - -Reported-by: syzbot+0d818c0d39399188f393@syzkaller.appspotmail.com -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - fs/io_uring.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/fs/io_uring.c b/fs/io_uring.c -index a340147387ec..74e786578c77 100644 ---- a/fs/io_uring.c -+++ b/fs/io_uring.c -@@ -3773,12 +3773,18 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx, - ctx->cq_entries = rings->cq_ring_entries; - - size = array_size(sizeof(struct io_uring_sqe), p->sq_entries); -- if (size == SIZE_MAX) -+ if (size == SIZE_MAX) { -+ io_mem_free(ctx->rings); -+ ctx->rings = NULL; - return -EOVERFLOW; -+ } - - ctx->sq_sqes = io_mem_alloc(size); -- if (!ctx->sq_sqes) -+ if (!ctx->sq_sqes) { -+ io_mem_free(ctx->rings); -+ ctx->rings = NULL; - return -ENOMEM; -+ } - - return 0; - } --- -2.20.1 - diff --git a/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch b/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch deleted file mode 100644 index 14022ac11ee..00000000000 --- a/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 9b985a08c93dc91440ad5304e66771d0fcd34500 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 10 Dec 2019 10:42:25 +0800 -Subject: md: raid1: check rdev before reference in raid1_sync_request func - -From: Zhiqiang Liu - -[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ] - -In raid1_sync_request func, rdev should be checked before reference. - -Signed-off-by: Zhiqiang Liu -Signed-off-by: Song Liu -Signed-off-by: Sasha Levin ---- - drivers/md/raid1.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index bb29aeefcbd0..c7137f50bd1d 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -2781,7 +2781,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr, - write_targets++; - } - } -- if (bio->bi_end_io) { -+ if (rdev && bio->bi_end_io) { - atomic_inc(&rdev->nr_pending); - bio->bi_iter.bi_sector = sector_nr + rdev->data_offset; - bio_set_dev(bio, rdev->bdev); --- -2.20.1 - diff --git a/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch b/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch deleted file mode 100644 index 5d8d468af49..00000000000 --- a/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 4c99dcab0fb9bef57dfba73ebf4dfc54941af6f4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 30 Nov 2019 17:50:22 -0800 -Subject: mm: drop mmap_sem before calling balance_dirty_pages() in write fault - -From: Johannes Weiner - -[ Upstream commit 89b15332af7c0312a41e50846819ca6613b58b4c ] - -One of our services is observing hanging ps/top/etc under heavy write -IO, and the task states show this is an mmap_sem priority inversion: - -A write fault is holding the mmap_sem in read-mode and waiting for -(heavily cgroup-limited) IO in balance_dirty_pages(): - - balance_dirty_pages+0x724/0x905 - balance_dirty_pages_ratelimited+0x254/0x390 - fault_dirty_shared_page.isra.96+0x4a/0x90 - do_wp_page+0x33e/0x400 - __handle_mm_fault+0x6f0/0xfa0 - handle_mm_fault+0xe4/0x200 - __do_page_fault+0x22b/0x4a0 - page_fault+0x45/0x50 - -Somebody tries to change the address space, contending for the mmap_sem in -write-mode: - - call_rwsem_down_write_failed_killable+0x13/0x20 - do_mprotect_pkey+0xa8/0x330 - SyS_mprotect+0xf/0x20 - do_syscall_64+0x5b/0x100 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 - -The waiting writer locks out all subsequent readers to avoid lock -starvation, and several threads can be seen hanging like this: - - call_rwsem_down_read_failed+0x14/0x30 - proc_pid_cmdline_read+0xa0/0x480 - __vfs_read+0x23/0x140 - vfs_read+0x87/0x130 - SyS_read+0x42/0x90 - do_syscall_64+0x5b/0x100 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 - -To fix this, do what we do for cache read faults already: drop the -mmap_sem before calling into anything IO bound, in this case the -balance_dirty_pages() function, and return VM_FAULT_RETRY. - -Link: http://lkml.kernel.org/r/20190924194238.GA29030@cmpxchg.org -Signed-off-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Acked-by: Kirill A. Shutemov -Cc: Josef Bacik -Cc: Hillf Danton -Cc: Hugh Dickins -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - mm/filemap.c | 21 --------------------- - mm/internal.h | 21 +++++++++++++++++++++ - mm/memory.c | 38 +++++++++++++++++++++++++++----------- - 3 files changed, 48 insertions(+), 32 deletions(-) - -diff --git a/mm/filemap.c b/mm/filemap.c -index 85b7d087eb45..1f5731768222 100644 ---- a/mm/filemap.c -+++ b/mm/filemap.c -@@ -2329,27 +2329,6 @@ EXPORT_SYMBOL(generic_file_read_iter); - - #ifdef CONFIG_MMU - #define MMAP_LOTSAMISS (100) --static struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, -- struct file *fpin) --{ -- int flags = vmf->flags; -- -- if (fpin) -- return fpin; -- -- /* -- * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or -- * anything, so we only pin the file and drop the mmap_sem if only -- * FAULT_FLAG_ALLOW_RETRY is set. -- */ -- if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) == -- FAULT_FLAG_ALLOW_RETRY) { -- fpin = get_file(vmf->vma->vm_file); -- up_read(&vmf->vma->vm_mm->mmap_sem); -- } -- return fpin; --} -- - /* - * lock_page_maybe_drop_mmap - lock the page, possibly dropping the mmap_sem - * @vmf - the vm_fault for this fault. -diff --git a/mm/internal.h b/mm/internal.h -index 0d5f720c75ab..7dd7fbb577a9 100644 ---- a/mm/internal.h -+++ b/mm/internal.h -@@ -362,6 +362,27 @@ vma_address(struct page *page, struct vm_area_struct *vma) - return max(start, vma->vm_start); - } - -+static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, -+ struct file *fpin) -+{ -+ int flags = vmf->flags; -+ -+ if (fpin) -+ return fpin; -+ -+ /* -+ * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or -+ * anything, so we only pin the file and drop the mmap_sem if only -+ * FAULT_FLAG_ALLOW_RETRY is set. -+ */ -+ if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) == -+ FAULT_FLAG_ALLOW_RETRY) { -+ fpin = get_file(vmf->vma->vm_file); -+ up_read(&vmf->vma->vm_mm->mmap_sem); -+ } -+ return fpin; -+} -+ - #else /* !CONFIG_MMU */ - static inline void clear_page_mlock(struct page *page) { } - static inline void mlock_vma_page(struct page *page) { } -diff --git a/mm/memory.c b/mm/memory.c -index b1ca51a079f2..cb7c940cf800 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -2227,10 +2227,11 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf) - * - * The function expects the page to be locked and unlocks it. - */ --static void fault_dirty_shared_page(struct vm_area_struct *vma, -- struct page *page) -+static vm_fault_t fault_dirty_shared_page(struct vm_fault *vmf) - { -+ struct vm_area_struct *vma = vmf->vma; - struct address_space *mapping; -+ struct page *page = vmf->page; - bool dirtied; - bool page_mkwrite = vma->vm_ops && vma->vm_ops->page_mkwrite; - -@@ -2245,16 +2246,30 @@ static void fault_dirty_shared_page(struct vm_area_struct *vma, - mapping = page_rmapping(page); - unlock_page(page); - -+ if (!page_mkwrite) -+ file_update_time(vma->vm_file); -+ -+ /* -+ * Throttle page dirtying rate down to writeback speed. -+ * -+ * mapping may be NULL here because some device drivers do not -+ * set page.mapping but still dirty their pages -+ * -+ * Drop the mmap_sem before waiting on IO, if we can. The file -+ * is pinning the mapping, as per above. -+ */ - if ((dirtied || page_mkwrite) && mapping) { -- /* -- * Some device drivers do not set page.mapping -- * but still dirty their pages -- */ -+ struct file *fpin; -+ -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); - balance_dirty_pages_ratelimited(mapping); -+ if (fpin) { -+ fput(fpin); -+ return VM_FAULT_RETRY; -+ } - } - -- if (!page_mkwrite) -- file_update_time(vma->vm_file); -+ return 0; - } - - /* -@@ -2497,6 +2512,7 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf) - __releases(vmf->ptl) - { - struct vm_area_struct *vma = vmf->vma; -+ vm_fault_t ret = VM_FAULT_WRITE; - - get_page(vmf->page); - -@@ -2520,10 +2536,10 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf) - wp_page_reuse(vmf); - lock_page(vmf->page); - } -- fault_dirty_shared_page(vma, vmf->page); -+ ret |= fault_dirty_shared_page(vmf); - put_page(vmf->page); - -- return VM_FAULT_WRITE; -+ return ret; - } - - /* -@@ -3567,7 +3583,7 @@ static vm_fault_t do_shared_fault(struct vm_fault *vmf) - return ret; - } - -- fault_dirty_shared_page(vma, vmf->page); -+ ret |= fault_dirty_shared_page(vmf); - return ret; - } - --- -2.20.1 - diff --git a/queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch b/queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch deleted file mode 100644 index ccecad12612..00000000000 --- a/queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 1c5962db0d352d89fe81b97e97f78ef1a49a95eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 18:49:43 -0800 -Subject: net: add a READ_ONCE() in skb_peek_tail() - -From: Eric Dumazet - -[ Upstream commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 ] - -skb_peek_tail() can be used without protection of a lock, -as spotted by KCSAN [1] - -In order to avoid load-stearing, add a READ_ONCE() - -Note that the corresponding WRITE_ONCE() are already there. - -[1] -BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail - -read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1: - skb_peek_tail include/linux/skbuff.h:1784 [inline] - sk_wait_data+0x15b/0x250 net/core/sock.c:2477 - kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103 - kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130 - sock_recvmsg_nosec net/socket.c:871 [inline] - sock_recvmsg net/socket.c:889 [inline] - sock_recvmsg+0x92/0xb0 net/socket.c:885 - ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 - do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 - __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 - __do_sys_recvmmsg net/socket.c:2703 [inline] - __se_sys_recvmmsg net/socket.c:2696 [inline] - __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 - do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0: - __skb_insert include/linux/skbuff.h:1852 [inline] - __skb_queue_before include/linux/skbuff.h:1958 [inline] - __skb_queue_tail include/linux/skbuff.h:1991 [inline] - skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145 - kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206 - kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370 - __strp_recv+0x348/0xf50 net/strparser/strparser.c:309 - strp_recv+0x84/0xa0 net/strparser/strparser.c:343 - tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639 - strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366 - do_strp_work net/strparser/strparser.c:414 [inline] - strp_work+0x9a/0xe0 net/strparser/strparser.c:423 - process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 - worker_thread+0xa0/0x800 kernel/workqueue.c:2415 - kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 - ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Workqueue: kstrp strp_work - -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/linux/skbuff.h | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 1ba6e2cc2725..6ae88b0c1c31 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -1795,7 +1795,7 @@ static inline struct sk_buff *skb_peek_next(struct sk_buff *skb, - */ - static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_) - { -- struct sk_buff *skb = list_->prev; -+ struct sk_buff *skb = READ_ONCE(list_->prev); - - if (skb == (struct sk_buff *)list_) - skb = NULL; -@@ -1861,7 +1861,9 @@ static inline void __skb_insert(struct sk_buff *newsk, - struct sk_buff *prev, struct sk_buff *next, - struct sk_buff_head *list) - { -- /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */ -+ /* See skb_queue_empty_lockless() and skb_peek_tail() -+ * for the opposite READ_ONCE() -+ */ - WRITE_ONCE(newsk->next, next); - WRITE_ONCE(newsk->prev, prev); - WRITE_ONCE(next->prev, newsk); --- -2.20.1 - diff --git a/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch b/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch deleted file mode 100644 index d693ba2be95..00000000000 --- a/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 15f9df4df4c421d435834131ea300a82bc5212b2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 8 Nov 2019 10:34:47 -0800 -Subject: net: icmp: fix data-race in cmp_global_allow() - -From: Eric Dumazet - -[ Upstream commit bbab7ef235031f6733b5429ae7877bfa22339712 ] - -This code reads two global variables without protection -of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to -avoid load/store-tearing and better document the intent. - -KCSAN reported : -BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow - -read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0: - icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254 - icmpv6_global_allow net/ipv6/icmp.c:184 [inline] - icmpv6_global_allow net/ipv6/icmp.c:179 [inline] - icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514 - icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43 - ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640 - dst_link_failure include/net/dst.h:419 [inline] - vti_xmit net/ipv4/ip_vti.c:243 [inline] - vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279 - __netdev_start_xmit include/linux/netdevice.h:4420 [inline] - netdev_start_xmit include/linux/netdevice.h:4434 [inline] - xmit_one net/core/dev.c:3280 [inline] - dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296 - __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873 - dev_queue_xmit+0x21/0x30 net/core/dev.c:3906 - neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 - neigh_output include/net/neighbour.h:511 [inline] - ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116 - __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] - __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 - ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 - NF_HOOK_COND include/linux/netfilter.h:294 [inline] - ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 - dst_output include/net/dst.h:436 [inline] - ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 - -write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1: - icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272 - icmpv6_global_allow net/ipv6/icmp.c:184 [inline] - icmpv6_global_allow net/ipv6/icmp.c:179 [inline] - icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514 - icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43 - ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640 - dst_link_failure include/net/dst.h:419 [inline] - vti_xmit net/ipv4/ip_vti.c:243 [inline] - vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279 - __netdev_start_xmit include/linux/netdevice.h:4420 [inline] - netdev_start_xmit include/linux/netdevice.h:4434 [inline] - xmit_one net/core/dev.c:3280 [inline] - dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296 - __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873 - dev_queue_xmit+0x21/0x30 net/core/dev.c:3906 - neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 - neigh_output include/net/neighbour.h:511 [inline] - ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116 - __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] - __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 - ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 - NF_HOOK_COND include/linux/netfilter.h:294 [inline] - ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - -Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/icmp.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c -index 4298aae74e0e..ac95ba78b903 100644 ---- a/net/ipv4/icmp.c -+++ b/net/ipv4/icmp.c -@@ -249,10 +249,11 @@ bool icmp_global_allow(void) - bool rc = false; - - /* Check if token bucket is empty and cannot be refilled -- * without taking the spinlock. -+ * without taking the spinlock. The READ_ONCE() are paired -+ * with the following WRITE_ONCE() in this same function. - */ -- if (!icmp_global.credit) { -- delta = min_t(u32, now - icmp_global.stamp, HZ); -+ if (!READ_ONCE(icmp_global.credit)) { -+ delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ); - if (delta < HZ / 50) - return false; - } -@@ -262,14 +263,14 @@ bool icmp_global_allow(void) - if (delta >= HZ / 50) { - incr = sysctl_icmp_msgs_per_sec * delta / HZ ; - if (incr) -- icmp_global.stamp = now; -+ WRITE_ONCE(icmp_global.stamp, now); - } - credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst); - if (credit) { - credit--; - rc = true; - } -- icmp_global.credit = credit; -+ WRITE_ONCE(icmp_global.credit, credit); - spin_unlock(&icmp_global.lock); - return rc; - } --- -2.20.1 - diff --git a/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch b/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch deleted file mode 100644 index bbe7b8be943..00000000000 --- a/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 19320c0773dbd8aef83d32a40d02a2a2b92859fe Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 9 Dec 2019 20:58:56 -0700 -Subject: net: make socket read/write_iter() honor IOCB_NOWAIT - -From: Jens Axboe - -[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ] - -The socket read/write helpers only look at the file O_NONBLOCK. not -the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2 -and io_uring that rely on not having the file itself marked nonblocking, -but rather the iocb itself. - -Cc: netdev@vger.kernel.org -Acked-by: David Miller -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - net/socket.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/socket.c b/net/socket.c -index d7a106028f0e..ca8de9e1582d 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -955,7 +955,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to) - .msg_iocb = iocb}; - ssize_t res; - -- if (file->f_flags & O_NONBLOCK) -+ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) - msg.msg_flags = MSG_DONTWAIT; - - if (iocb->ki_pos != 0) -@@ -980,7 +980,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) - if (iocb->ki_pos != 0) - return -ESPIPE; - -- if (file->f_flags & O_NONBLOCK) -+ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) - msg.msg_flags = MSG_DONTWAIT; - - if (sock->type == SOCK_SEQPACKET) --- -2.20.1 - diff --git a/queue-5.4/net-smc-add-fallback-check-to-connect.patch b/queue-5.4/net-smc-add-fallback-check-to-connect.patch deleted file mode 100644 index fe59b571b30..00000000000 --- a/queue-5.4/net-smc-add-fallback-check-to-connect.patch +++ /dev/null @@ -1,99 +0,0 @@ -From f1b1b7b8dfcadb131fd0205339a035923001ffea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 22:35:58 +0100 -Subject: net/smc: add fallback check to connect() - -From: Ursula Braun - -[ Upstream commit 86434744fedf0cfe07a9eee3f4632c0e25c1d136 ] - -FASTOPEN setsockopt() or sendmsg() may switch the SMC socket to fallback -mode. Once fallback mode is active, the native TCP socket functions are -called. Nevertheless there is a small race window, when FASTOPEN -setsockopt/sendmsg runs in parallel to a connect(), and switch the -socket into fallback mode before connect() takes the sock lock. -Make sure the SMC-specific connect setup is omitted in this case. - -This way a syzbot-reported refcount problem is fixed, triggered by -different threads running non-blocking connect() and FASTOPEN_KEY -setsockopt. - -Reported-by: syzbot+96d3f9ff6a86d37e44c8@syzkaller.appspotmail.com -Fixes: 6d6dd528d5af ("net/smc: fix refcount non-blocking connect() -part 2") -Signed-off-by: Ursula Braun -Signed-off-by: Karsten Graul -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/smc/af_smc.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c -index 737b49909a7a..6a6d3b2aa5a9 100644 ---- a/net/smc/af_smc.c -+++ b/net/smc/af_smc.c -@@ -854,6 +854,8 @@ static int smc_connect(struct socket *sock, struct sockaddr *addr, - goto out; - - sock_hold(&smc->sk); /* sock put in passive closing */ -+ if (smc->use_fallback) -+ goto out; - if (flags & O_NONBLOCK) { - if (schedule_work(&smc->connect_work)) - smc->connect_nonblock = 1; -@@ -1716,8 +1718,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, - sk->sk_err = smc->clcsock->sk->sk_err; - sk->sk_error_report(sk); - } -- if (rc) -- return rc; - - if (optlen < sizeof(int)) - return -EINVAL; -@@ -1725,6 +1725,8 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, - return -EFAULT; - - lock_sock(sk); -+ if (rc || smc->use_fallback) -+ goto out; - switch (optname) { - case TCP_ULP: - case TCP_FASTOPEN: -@@ -1736,15 +1738,14 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, - smc_switch_to_fallback(smc); - smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP; - } else { -- if (!smc->use_fallback) -- rc = -EINVAL; -+ rc = -EINVAL; - } - break; - case TCP_NODELAY: - if (sk->sk_state != SMC_INIT && - sk->sk_state != SMC_LISTEN && - sk->sk_state != SMC_CLOSED) { -- if (val && !smc->use_fallback) -+ if (val) - mod_delayed_work(system_wq, &smc->conn.tx_work, - 0); - } -@@ -1753,7 +1754,7 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, - if (sk->sk_state != SMC_INIT && - sk->sk_state != SMC_LISTEN && - sk->sk_state != SMC_CLOSED) { -- if (!val && !smc->use_fallback) -+ if (!val) - mod_delayed_work(system_wq, &smc->conn.tx_work, - 0); - } -@@ -1764,6 +1765,7 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, - default: - break; - } -+out: - release_sock(sk); - - return rc; --- -2.20.1 - diff --git a/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch b/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch deleted file mode 100644 index f497406e288..00000000000 --- a/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 86285eb4d1b0620873b82ad4ecdaf5a7d4188d05 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 7 Dec 2019 14:43:39 -0800 -Subject: netfilter: bridge: make sure to pull arp header in - br_nf_forward_arp() - -From: Eric Dumazet - -[ Upstream commit 5604285839aaedfb23ebe297799c6e558939334d ] - -syzbot is kind enough to remind us we need to call skb_may_pull() - -BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 -CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x1c9/0x220 lib/dump_stack.c:118 - kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108 - __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245 - br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 - nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] - nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512 - nf_hook include/linux/netfilter.h:260 [inline] - NF_HOOK include/linux/netfilter.h:303 [inline] - __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109 - br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234 - br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162 - nf_hook_bridge_pre net/bridge/br_input.c:245 [inline] - br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348 - __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830 - __netif_receive_skb_one_core net/core/dev.c:4927 [inline] - __netif_receive_skb net/core/dev.c:5043 [inline] - process_backlog+0x610/0x13c0 net/core/dev.c:5874 - napi_poll net/core/dev.c:6311 [inline] - net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379 - __do_softirq+0x4a1/0x83a kernel/softirq.c:293 - do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091 - - do_softirq kernel/softirq.c:338 [inline] - __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190 - local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32 - rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline] - __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819 - dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825 - packet_snd net/packet/af_packet.c:2959 [inline] - packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984 - sock_sendmsg_nosec net/socket.c:637 [inline] - sock_sendmsg net/socket.c:657 [inline] - __sys_sendto+0xc44/0xc70 net/socket.c:1952 - __do_sys_sendto net/socket.c:1964 [inline] - __se_sys_sendto+0x107/0x130 net/socket.c:1960 - __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 - do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 -RIP: 0033:0x45a679 -Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679 -RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003 -RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4 -R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff - -Uninit was created at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline] - kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132 - kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86 - slab_alloc_node mm/slub.c:2773 [inline] - __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381 - __kmalloc_reserve net/core/skbuff.c:141 [inline] - __alloc_skb+0x306/0xa10 net/core/skbuff.c:209 - alloc_skb include/linux/skbuff.h:1049 [inline] - alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662 - sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244 - packet_alloc_skb net/packet/af_packet.c:2807 [inline] - packet_snd net/packet/af_packet.c:2902 [inline] - packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984 - sock_sendmsg_nosec net/socket.c:637 [inline] - sock_sendmsg net/socket.c:657 [inline] - __sys_sendto+0xc44/0xc70 net/socket.c:1952 - __do_sys_sendto net/socket.c:1964 [inline] - __se_sys_sendto+0x107/0x130 net/socket.c:1960 - __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 - do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Reviewed-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/bridge/br_netfilter_hooks.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c -index af7800103e51..59980ecfc962 100644 ---- a/net/bridge/br_netfilter_hooks.c -+++ b/net/bridge/br_netfilter_hooks.c -@@ -662,6 +662,9 @@ static unsigned int br_nf_forward_arp(void *priv, - nf_bridge_pull_encap_header(skb); - } - -+ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) -+ return NF_DROP; -+ - if (arp_hdr(skb)->ar_pln != 4) { - if (is_vlan_arp(skb, state->net)) - nf_bridge_push_encap_header(skb); --- -2.20.1 - diff --git a/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch b/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch deleted file mode 100644 index 366bbc36a64..00000000000 --- a/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 3670e8a23ad4883e633af4c7e7c25347d99eadee Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 15 Dec 2019 03:49:25 +0100 -Subject: netfilter: ebtables: compat: reject all padding in matches/watchers - -From: Florian Westphal - -[ Upstream commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe ] - -syzbot reported following splat: - -BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] -BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 -Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937 - -CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0 - size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] - compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 - compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249 - compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333 - [..] - -Because padding isn't considered during computation of ->buf_user_offset, -"total" is decremented by fewer bytes than it should. - -Therefore, the first part of - -if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry)) - -will pass, -- it should not have. This causes oob access: -entry->next_offset is past the vmalloced size. - -Reject padding and check that computed user offset (sum of ebt_entry -structure plus all individual matches/watchers/targets) is same -value that userspace gave us as the offset of the next entry. - -Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com -Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++----------------- - 1 file changed, 16 insertions(+), 17 deletions(-) - -diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c -index 4096d8a74a2b..e1256e03a9a8 100644 ---- a/net/bridge/netfilter/ebtables.c -+++ b/net/bridge/netfilter/ebtables.c -@@ -1867,7 +1867,7 @@ static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz) - } - - static int ebt_buf_add(struct ebt_entries_buf_state *state, -- void *data, unsigned int sz) -+ const void *data, unsigned int sz) - { - if (state->buf_kern_start == NULL) - goto count_only; -@@ -1901,7 +1901,7 @@ enum compat_mwt { - EBT_COMPAT_TARGET, - }; - --static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, -+static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, - enum compat_mwt compat_mwt, - struct ebt_entries_buf_state *state, - const unsigned char *base) -@@ -1979,22 +1979,23 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, - /* return size of all matches, watchers or target, including necessary - * alignment and padding. - */ --static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, -+static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32, - unsigned int size_left, enum compat_mwt type, - struct ebt_entries_buf_state *state, const void *base) - { -+ const char *buf = (const char *)match32; - int growth = 0; -- char *buf; - - if (size_left == 0) - return 0; - -- buf = (char *) match32; -- -- while (size_left >= sizeof(*match32)) { -+ do { - struct ebt_entry_match *match_kern; - int ret; - -+ if (size_left < sizeof(*match32)) -+ return -EINVAL; -+ - match_kern = (struct ebt_entry_match *) state->buf_kern_start; - if (match_kern) { - char *tmp; -@@ -2031,22 +2032,18 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, - if (match_kern) - match_kern->match_size = ret; - -- /* rule should have no remaining data after target */ -- if (type == EBT_COMPAT_TARGET && size_left) -- return -EINVAL; -- - match32 = (struct compat_ebt_entry_mwt *) buf; -- } -+ } while (size_left); - - return growth; - } - - /* called for all ebt_entry structures. */ --static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, -+static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base, - unsigned int *total, - struct ebt_entries_buf_state *state) - { -- unsigned int i, j, startoff, new_offset = 0; -+ unsigned int i, j, startoff, next_expected_off, new_offset = 0; - /* stores match/watchers/targets & offset of next struct ebt_entry: */ - unsigned int offsets[4]; - unsigned int *offsets_update = NULL; -@@ -2132,11 +2129,13 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, - return ret; - } - -- startoff = state->buf_user_offset - startoff; -+ next_expected_off = state->buf_user_offset - startoff; -+ if (next_expected_off != entry->next_offset) -+ return -EINVAL; - -- if (WARN_ON(*total < startoff)) -+ if (*total < entry->next_offset) - return -EINVAL; -- *total -= startoff; -+ *total -= entry->next_offset; - return 0; - } - --- -2.20.1 - diff --git a/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch b/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch deleted file mode 100644 index 6c8cfdf84cc..00000000000 --- a/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 16b14ed4cecd27699ad7cab6ea353608bf8e5fe9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 18 Dec 2019 00:59:29 +0100 -Subject: netfilter: nft_tproxy: Fix port selector on Big Endian -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Phil Sutter - -[ Upstream commit 8cb4ec44de42b99b92399b4d1daf3dc430ed0186 ] - -On Big Endian architectures, u16 port value was extracted from the wrong -parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter: -nf_tables: fix mismatch in big-endian system") describes. - -Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support") -Signed-off-by: Phil Sutter -Acked-by: Florian Westphal -Acked-by: Máté Eckl -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nft_tproxy.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c -index f92a82c73880..95980154ef02 100644 ---- a/net/netfilter/nft_tproxy.c -+++ b/net/netfilter/nft_tproxy.c -@@ -50,7 +50,7 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, - taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr); - - if (priv->sreg_port) -- tport = regs->data[priv->sreg_port]; -+ tport = nft_reg_load16(®s->data[priv->sreg_port]); - if (!tport) - tport = hp->dest; - -@@ -117,7 +117,7 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, - taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr); - - if (priv->sreg_port) -- tport = regs->data[priv->sreg_port]; -+ tport = nft_reg_load16(®s->data[priv->sreg_port]); - if (!tport) - tport = hp->dest; - --- -2.20.1 - diff --git a/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch b/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch deleted file mode 100644 index 2ef355920ab..00000000000 --- a/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 7a7b13b86fea8ee24d2c1b4c2d1e5ae7a3a037ad Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Nov 2019 09:59:37 -0800 -Subject: nvme-fc: fix double-free scenarios on hw queues - -From: James Smart - -[ Upstream commit c869e494ef8b5846d9ba91f1e922c23cd444f0c1 ] - -If an error occurs on one of the ios used for creating an -association, the creating routine has error paths that are -invoked by the command failure and the error paths will free -up the controller resources created to that point. - -But... the io was ultimately determined by an asynchronous -completion routine that detected the error and which -unconditionally invokes the error_recovery path which calls -delete_association. Delete association deletes all outstanding -io then tears down the controller resources. So the -create_association thread can be running in parallel with -the error_recovery thread. What was seen was the LLDD received -a call to delete a queue, causing the LLDD to do a free of a -resource, then the transport called the delete queue again -causing the driver to repeat the free call. The second free -routine corrupted the allocator. The transport shouldn't be -making the duplicate call, and the delete queue is just one -of the resources being freed. - -To fix, it is realized that the create_association path is -completely serialized with one command at a time. So the -failed io completion will always be seen by the create_association -path and as of the failure, there are no ios to terminate and there -is no reason to be manipulating queue freeze states, etc. -The serialized condition stays true until the controller is -transitioned to the LIVE state. Thus the fix is to change the -error recovery path to check the controller state and only -invoke the teardown path if not already in the CONNECTING state. - -Reviewed-by: Himanshu Madhani -Reviewed-by: Ewan D. Milne -Signed-off-by: James Smart -Signed-off-by: Keith Busch -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/fc.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c -index 3f102d9f39b8..59474bd0c728 100644 ---- a/drivers/nvme/host/fc.c -+++ b/drivers/nvme/host/fc.c -@@ -2910,10 +2910,22 @@ nvme_fc_reconnect_or_delete(struct nvme_fc_ctrl *ctrl, int status) - static void - __nvme_fc_terminate_io(struct nvme_fc_ctrl *ctrl) - { -- nvme_stop_keep_alive(&ctrl->ctrl); -+ /* -+ * if state is connecting - the error occurred as part of a -+ * reconnect attempt. The create_association error paths will -+ * clean up any outstanding io. -+ * -+ * if it's a different state - ensure all pending io is -+ * terminated. Given this can delay while waiting for the -+ * aborted io to return, we recheck adapter state below -+ * before changing state. -+ */ -+ if (ctrl->ctrl.state != NVME_CTRL_CONNECTING) { -+ nvme_stop_keep_alive(&ctrl->ctrl); - -- /* will block will waiting for io to terminate */ -- nvme_fc_delete_association(ctrl); -+ /* will block will waiting for io to terminate */ -+ nvme_fc_delete_association(ctrl); -+ } - - if (ctrl->ctrl.state != NVME_CTRL_CONNECTING && - !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) --- -2.20.1 - diff --git a/queue-5.4/nvme-pci-fix-read-queue-count.patch b/queue-5.4/nvme-pci-fix-read-queue-count.patch deleted file mode 100644 index 03e93df70d6..00000000000 --- a/queue-5.4/nvme-pci-fix-read-queue-count.patch +++ /dev/null @@ -1,49 +0,0 @@ -From e49eb792d36f55c7def0b2106c527eba884eea6a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 08:11:17 +0900 -Subject: nvme/pci: Fix read queue count - -From: Keith Busch - -[ Upstream commit 7e4c6b9a5d22485acf009b3c3510a370f096dd54 ] - -If nvme.write_queues equals the number of CPUs, the driver had decreased -the number of interrupts available such that there could only be one read -queue even if the controller could support more. Remove the interrupt -count reduction in this case. The driver wouldn't request more IRQs than -it wants queues anyway. - -Reviewed-by: Jens Axboe -Signed-off-by: Keith Busch -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/pci.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c -index 29d7427c2b19..14d513087a14 100644 ---- a/drivers/nvme/host/pci.c -+++ b/drivers/nvme/host/pci.c -@@ -2060,7 +2060,6 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) - .priv = dev, - }; - unsigned int irq_queues, this_p_queues; -- unsigned int nr_cpus = num_possible_cpus(); - - /* - * Poll queues don't need interrupts, but we need at least one IO -@@ -2071,10 +2070,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) - this_p_queues = nr_io_queues - 1; - irq_queues = 1; - } else { -- if (nr_cpus < nr_io_queues - this_p_queues) -- irq_queues = nr_cpus + 1; -- else -- irq_queues = nr_io_queues - this_p_queues + 1; -+ irq_queues = nr_io_queues - this_p_queues + 1; - } - dev->io_queues[HCTX_TYPE_POLL] = this_p_queues; - --- -2.20.1 - diff --git a/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch b/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch deleted file mode 100644 index 4593e45e457..00000000000 --- a/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ac8b9feefbf1b7465f501d9a0438c75f2de45440 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 7 Dec 2019 01:51:54 +0900 -Subject: nvme/pci: Fix write and poll queue types - -From: Keith Busch - -[ Upstream commit 3f68baf706ec68c4120867c25bc439c845fe3e17 ] - -The number of poll or write queues should never be negative. Use unsigned -types so that it's not possible to break have the driver not allocate -any queues. - -Reviewed-by: Jens Axboe -Signed-off-by: Keith Busch -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/pci.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c -index 869f462e6b6e..29d7427c2b19 100644 ---- a/drivers/nvme/host/pci.c -+++ b/drivers/nvme/host/pci.c -@@ -68,14 +68,14 @@ static int io_queue_depth = 1024; - module_param_cb(io_queue_depth, &io_queue_depth_ops, &io_queue_depth, 0644); - MODULE_PARM_DESC(io_queue_depth, "set io queue depth, should >= 2"); - --static int write_queues; --module_param(write_queues, int, 0644); -+static unsigned int write_queues; -+module_param(write_queues, uint, 0644); - MODULE_PARM_DESC(write_queues, - "Number of queues to use for writes. If not set, reads and writes " - "will share a queue set."); - --static int poll_queues; --module_param(poll_queues, int, 0644); -+static unsigned int poll_queues; -+module_param(poll_queues, uint, 0644); - MODULE_PARM_DESC(poll_queues, "Number of queues to use for polled IO."); - - struct nvme_dev; --- -2.20.1 - diff --git a/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch b/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch deleted file mode 100644 index 2324a6deb90..00000000000 --- a/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch +++ /dev/null @@ -1,154 +0,0 @@ -From edc0610322567eb8bcf625a8685aa5c584511638 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Nov 2019 15:15:26 -0800 -Subject: nvme_fc: add module to ops template to allow module references - -From: James Smart - -[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ] - -In nvme-fc: it's possible to have connected active controllers -and as no references are taken on the LLDD, the LLDD can be -unloaded. The controller would enter a reconnect state and as -long as the LLDD resumed within the reconnect timeout, the -controller would resume. But if a namespace on the controller -is the root device, allowing the driver to unload can be problematic. -To reload the driver, it may require new io to the boot device, -and as it's no longer connected we get into a catch-22 that -eventually fails, and the system locks up. - -Fix this issue by taking a module reference for every connected -controller (which is what the core layer did to the transport -module). Reference is cleared when the controller is removed. - -Acked-by: Himanshu Madhani -Reviewed-by: Christoph Hellwig -Signed-off-by: James Smart -Signed-off-by: Keith Busch -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/fc.c | 14 ++++++++++++-- - drivers/nvme/target/fcloop.c | 1 + - drivers/scsi/lpfc/lpfc_nvme.c | 2 ++ - drivers/scsi/qla2xxx/qla_nvme.c | 1 + - include/linux/nvme-fc-driver.h | 4 ++++ - 5 files changed, 20 insertions(+), 2 deletions(-) - -diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c -index 265f89e11d8b..3f102d9f39b8 100644 ---- a/drivers/nvme/host/fc.c -+++ b/drivers/nvme/host/fc.c -@@ -342,7 +342,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo, - !template->ls_req || !template->fcp_io || - !template->ls_abort || !template->fcp_abort || - !template->max_hw_queues || !template->max_sgl_segments || -- !template->max_dif_sgl_segments || !template->dma_boundary) { -+ !template->max_dif_sgl_segments || !template->dma_boundary || -+ !template->module) { - ret = -EINVAL; - goto out_reghost_failed; - } -@@ -2015,6 +2016,7 @@ nvme_fc_ctrl_free(struct kref *ref) - { - struct nvme_fc_ctrl *ctrl = - container_of(ref, struct nvme_fc_ctrl, ref); -+ struct nvme_fc_lport *lport = ctrl->lport; - unsigned long flags; - - if (ctrl->ctrl.tagset) { -@@ -2041,6 +2043,7 @@ nvme_fc_ctrl_free(struct kref *ref) - if (ctrl->ctrl.opts) - nvmf_free_options(ctrl->ctrl.opts); - kfree(ctrl); -+ module_put(lport->ops->module); - } - - static void -@@ -3056,10 +3059,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, - goto out_fail; - } - -+ if (!try_module_get(lport->ops->module)) { -+ ret = -EUNATCH; -+ goto out_free_ctrl; -+ } -+ - idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL); - if (idx < 0) { - ret = -ENOSPC; -- goto out_free_ctrl; -+ goto out_mod_put; - } - - ctrl->ctrl.opts = opts; -@@ -3212,6 +3220,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, - out_free_ida: - put_device(ctrl->dev); - ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum); -+out_mod_put: -+ module_put(lport->ops->module); - out_free_ctrl: - kfree(ctrl); - out_fail: -diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c -index b50b53db3746..1c50af6219f3 100644 ---- a/drivers/nvme/target/fcloop.c -+++ b/drivers/nvme/target/fcloop.c -@@ -850,6 +850,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport) - #define FCLOOP_DMABOUND_4G 0xFFFFFFFF - - static struct nvme_fc_port_template fctemplate = { -+ .module = THIS_MODULE, - .localport_delete = fcloop_localport_delete, - .remoteport_delete = fcloop_remoteport_delete, - .create_queue = fcloop_create_queue, -diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c -index a227e36cbdc2..8e0f03ef346b 100644 ---- a/drivers/scsi/lpfc/lpfc_nvme.c -+++ b/drivers/scsi/lpfc/lpfc_nvme.c -@@ -1976,6 +1976,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport, - - /* Declare and initialization an instance of the FC NVME template. */ - static struct nvme_fc_port_template lpfc_nvme_template = { -+ .module = THIS_MODULE, -+ - /* initiator-based functions */ - .localport_delete = lpfc_nvme_localport_delete, - .remoteport_delete = lpfc_nvme_remoteport_delete, -diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c -index 941aa53363f5..bfcd02fdf2b8 100644 ---- a/drivers/scsi/qla2xxx/qla_nvme.c -+++ b/drivers/scsi/qla2xxx/qla_nvme.c -@@ -610,6 +610,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport) - } - - static struct nvme_fc_port_template qla_nvme_fc_transport = { -+ .module = THIS_MODULE, - .localport_delete = qla_nvme_localport_delete, - .remoteport_delete = qla_nvme_remoteport_delete, - .create_queue = qla_nvme_alloc_queue, -diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h -index 10f81629b9ce..6d0d70f3219c 100644 ---- a/include/linux/nvme-fc-driver.h -+++ b/include/linux/nvme-fc-driver.h -@@ -270,6 +270,8 @@ struct nvme_fc_remote_port { - * - * Host/Initiator Transport Entrypoints/Parameters: - * -+ * @module: The LLDD module using the interface -+ * - * @localport_delete: The LLDD initiates deletion of a localport via - * nvme_fc_deregister_localport(). However, the teardown is - * asynchronous. This routine is called upon the completion of the -@@ -383,6 +385,8 @@ struct nvme_fc_remote_port { - * Value is Mandatory. Allowed to be zero. - */ - struct nvme_fc_port_template { -+ struct module *module; -+ - /* initiator-based functions */ - void (*localport_delete)(struct nvme_fc_local_port *); - void (*remoteport_delete)(struct nvme_fc_remote_port *); --- -2.20.1 - diff --git a/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch b/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch deleted file mode 100644 index b7caf26361c..00000000000 --- a/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch +++ /dev/null @@ -1,72 +0,0 @@ -From e6563a36a9ed46a5c9d9ecd7d26beaf65ddcdda6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 18 Oct 2019 15:38:47 +0800 -Subject: PCI: Add a helper to check Power Resource Requirements _PR3 existence - -From: Kai-Heng Feng - -[ Upstream commit 52525b7a3cf82adec5c6cf0ecbd23ff228badc94 ] - -A driver may want to know the existence of _PR3, to choose different -runtime suspend behavior. A user will be add in next patch. - -This is mostly the same as nouveau_pr3_present(). - -Signed-off-by: Kai-Heng Feng -Acked-by: Bjorn Helgaas -Link: https://lore.kernel.org/r/20191018073848.14590-1-kai.heng.feng@canonical.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - drivers/pci/pci.c | 18 ++++++++++++++++++ - include/linux/pci.h | 2 ++ - 2 files changed, 20 insertions(+) - -diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c -index a97e2571a527..fcfaadc774ee 100644 ---- a/drivers/pci/pci.c -+++ b/drivers/pci/pci.c -@@ -5854,6 +5854,24 @@ int pci_set_vga_state(struct pci_dev *dev, bool decode, - return 0; - } - -+#ifdef CONFIG_ACPI -+bool pci_pr3_present(struct pci_dev *pdev) -+{ -+ struct acpi_device *adev; -+ -+ if (acpi_disabled) -+ return false; -+ -+ adev = ACPI_COMPANION(&pdev->dev); -+ if (!adev) -+ return false; -+ -+ return adev->power.flags.power_resources && -+ acpi_has_method(adev->handle, "_PR3"); -+} -+EXPORT_SYMBOL_GPL(pci_pr3_present); -+#endif -+ - /** - * pci_add_dma_alias - Add a DMA devfn alias for a device - * @dev: the PCI device for which alias is added -diff --git a/include/linux/pci.h b/include/linux/pci.h -index f9088c89a534..1d15c5d49cdd 100644 ---- a/include/linux/pci.h -+++ b/include/linux/pci.h -@@ -2310,9 +2310,11 @@ struct irq_domain *pci_host_bridge_acpi_msi_domain(struct pci_bus *bus); - - void - pci_msi_register_fwnode_provider(struct fwnode_handle *(*fn)(struct device *)); -+bool pci_pr3_present(struct pci_dev *pdev); - #else - static inline struct irq_domain * - pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; } -+static bool pci_pr3_present(struct pci_dev *pdev) { return false; } - #endif - - #ifdef CONFIG_EEH --- -2.20.1 - diff --git a/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch b/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch deleted file mode 100644 index b54df22b9b2..00000000000 --- a/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3bb9b8ba98d2eb0da0cd2323db178711246577f1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 21 Oct 2019 16:25:20 +0200 -Subject: PCI: Fix missing inline for pci_pr3_present() - -From: Takashi Iwai - -[ Upstream commit 46b4bff6572b0552b1ee062043621e4b252638d8 ] - -The inline prefix was missing in the dummy function pci_pr3_present() -definition. Fix it. - -Reported-by: kbuild test robot -Fixes: 52525b7a3cf8 ("PCI: Add a helper to check Power Resource Requirements _PR3 existence") -Link: https://lore.kernel.org/r/201910212111.qHm6OcWx%lkp@intel.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - include/linux/pci.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/linux/pci.h b/include/linux/pci.h -index 1d15c5d49cdd..be529d311122 100644 ---- a/include/linux/pci.h -+++ b/include/linux/pci.h -@@ -2314,7 +2314,7 @@ bool pci_pr3_present(struct pci_dev *pdev); - #else - static inline struct irq_domain * - pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; } --static bool pci_pr3_present(struct pci_dev *pdev) { return false; } -+static inline bool pci_pr3_present(struct pci_dev *pdev) { return false; } - #endif - - #ifdef CONFIG_EEH --- -2.20.1 - diff --git a/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch b/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch deleted file mode 100644 index 4d653911a79..00000000000 --- a/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From bafed4f6f7f05aa33c604088e867d5ee2808bb2a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Nov 2019 01:21:31 +0200 -Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list - -From: Leonard Crestez - -[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ] - -Right now devfreq_dev_release will print a warning and abort the rest of -the cleanup if the devfreq instance is not part of the global -devfreq_list. But this is a valid scenario, for example it can happen if -the governor can't be found or on any other init error that happens -after device_register. - -Initialize devfreq->node to an empty list head in devfreq_add_device so -that list_del becomes a safe noop inside devfreq_dev_release and we can -continue the rest of the cleanup. - -Signed-off-by: Leonard Crestez -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Chanwoo Choi -Signed-off-by: Chanwoo Choi -Signed-off-by: Sasha Levin ---- - drivers/devfreq/devfreq.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c -index e185c8846916..ffd2d6b44dfb 100644 ---- a/drivers/devfreq/devfreq.c -+++ b/drivers/devfreq/devfreq.c -@@ -588,11 +588,6 @@ static void devfreq_dev_release(struct device *dev) - struct devfreq *devfreq = to_devfreq(dev); - - mutex_lock(&devfreq_list_lock); -- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) { -- mutex_unlock(&devfreq_list_lock); -- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n"); -- return; -- } - list_del(&devfreq->node); - mutex_unlock(&devfreq_list_lock); - -@@ -647,6 +642,7 @@ struct devfreq *devfreq_add_device(struct device *dev, - devfreq->dev.parent = dev; - devfreq->dev.class = devfreq_class; - devfreq->dev.release = devfreq_dev_release; -+ INIT_LIST_HEAD(&devfreq->node); - devfreq->profile = profile; - strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN); - devfreq->previous_freq = profile->initial_freq; --- -2.20.1 - diff --git a/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch b/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch deleted file mode 100644 index 177e8c387f7..00000000000 --- a/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 6a893a68216f3e05a434cdd18cef95a60f9db70d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 31 Oct 2019 23:34:18 +0200 -Subject: PM / devfreq: Fix devfreq_notifier_call returning errno - -From: Leonard Crestez - -[ Upstream commit e876e710ede23f670494331e062d643928e4142a ] - -Notifier callbacks shouldn't return negative errno but one of the -NOTIFY_OK/DONE/BAD values. - -The OPP core will ignore return values from notifiers but returning a -value that matches NOTIFY_STOP_MASK will stop the notification chain. - -Fix by always returning NOTIFY_OK. - -Signed-off-by: Leonard Crestez -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Chanwoo Choi -Signed-off-by: Chanwoo Choi -Signed-off-by: Sasha Levin ---- - drivers/devfreq/devfreq.c | 24 +++++++++++++----------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c -index 3a1484e7a3ae..e5c2afdc7b7f 100644 ---- a/drivers/devfreq/devfreq.c -+++ b/drivers/devfreq/devfreq.c -@@ -551,26 +551,28 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type, - void *devp) - { - struct devfreq *devfreq = container_of(nb, struct devfreq, nb); -- int ret; -+ int err = -EINVAL; - - mutex_lock(&devfreq->lock); - - devfreq->scaling_min_freq = find_available_min_freq(devfreq); -- if (!devfreq->scaling_min_freq) { -- mutex_unlock(&devfreq->lock); -- return -EINVAL; -- } -+ if (!devfreq->scaling_min_freq) -+ goto out; - - devfreq->scaling_max_freq = find_available_max_freq(devfreq); -- if (!devfreq->scaling_max_freq) { -- mutex_unlock(&devfreq->lock); -- return -EINVAL; -- } -+ if (!devfreq->scaling_max_freq) -+ goto out; -+ -+ err = update_devfreq(devfreq); - -- ret = update_devfreq(devfreq); -+out: - mutex_unlock(&devfreq->lock); -+ if (err) -+ dev_err(devfreq->dev.parent, -+ "failed to update frequency from OPP notifier (%d)\n", -+ err); - -- return ret; -+ return NOTIFY_OK; - } - - /** --- -2.20.1 - diff --git a/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch b/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch deleted file mode 100644 index a6902070193..00000000000 --- a/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 12138e840a64b50d4e8f341112abaea61a56632f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 31 Oct 2019 23:34:19 +0200 -Subject: PM / devfreq: Set scaling_max_freq to max on OPP notifier error - -From: Leonard Crestez - -[ Upstream commit e7cc792d00049c874010b398a27c3cc7bc8fef34 ] - -The devfreq_notifier_call functions will update scaling_min_freq and -scaling_max_freq when the OPP table is updated. - -If fetching the maximum frequency fails then scaling_max_freq remains -set to zero which is confusing. Set to ULONG_MAX instead so we don't -need special handling for this case in other places. - -Signed-off-by: Leonard Crestez -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Chanwoo Choi -Signed-off-by: Chanwoo Choi -Signed-off-by: Sasha Levin ---- - drivers/devfreq/devfreq.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c -index e5c2afdc7b7f..e185c8846916 100644 ---- a/drivers/devfreq/devfreq.c -+++ b/drivers/devfreq/devfreq.c -@@ -560,8 +560,10 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type, - goto out; - - devfreq->scaling_max_freq = find_available_max_freq(devfreq); -- if (!devfreq->scaling_max_freq) -+ if (!devfreq->scaling_max_freq) { -+ devfreq->scaling_max_freq = ULONG_MAX; - goto out; -+ } - - err = update_devfreq(devfreq); - --- -2.20.1 - diff --git a/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch b/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch deleted file mode 100644 index bbc9ef6a4af..00000000000 --- a/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch +++ /dev/null @@ -1,58 +0,0 @@ -From f42c1ac0c164168a2606e986aa94e52a18bc0184 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 25 Sep 2019 15:39:12 +0100 -Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation - -From: Andy Whitcroft - -[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ] - -When looking for a bit by number we make use of the cached result from the -preceding lookup to speed up operation. Firstly we check if the requested -pfn is within the cached zone and if not lookup the new zone. We then -check if the offset for that pfn falls within the existing cached node. -This happens regardless of whether the node is within the zone we are -now scanning. With certain memory layouts it is possible for this to -false trigger creating a temporary alias for the pfn to a different bit. -This leads the hibernation code to free memory which it was never allocated -with the expected fallout. - -Ensure the zone we are scanning matches the cached zone before considering -the cached node. - -Deep thanks go to Andrea for many, many, many hours of hacking and testing -that went into cornering this bug. - -Reported-by: Andrea Righi -Tested-by: Andrea Righi -Signed-off-by: Andy Whitcroft -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - kernel/power/snapshot.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c -index 83105874f255..26b9168321e7 100644 ---- a/kernel/power/snapshot.c -+++ b/kernel/power/snapshot.c -@@ -734,8 +734,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn, - * We have found the zone. Now walk the radix tree to find the leaf node - * for our PFN. - */ -+ -+ /* -+ * If the zone we wish to scan is the the current zone and the -+ * pfn falls into the current node then we do not need to walk -+ * the tree. -+ */ - node = bm->cur.node; -- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) -+ if (zone == bm->cur.zone && -+ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) - goto node_found; - - node = zone->rtree; --- -2.20.1 - diff --git a/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch b/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch deleted file mode 100644 index ffbbc347826..00000000000 --- a/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 9188ebae190032d40dd1cda201417c60204e0089 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 10 Dec 2019 00:22:21 +1100 -Subject: powerpc: Fix __clear_user() with KUAP enabled - -From: Andrew Donnellan - -[ Upstream commit 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 ] - -The KUAP implementation adds calls in clear_user() to enable and -disable access to userspace memory. However, it doesn't add these to -__clear_user(), which is used in the ptrace regset code. - -As there's only one direct user of __clear_user() (the regset code), -and the time taken to set the AMR for KUAP purposes is going to -dominate the cost of a quick access_ok(), there's not much point -having a separate path. - -Rename __clear_user() to __arch_clear_user(), and make __clear_user() -just call clear_user(). - -Reported-by: syzbot+f25ecf4b2982d8c7a640@syzkaller-ppc64.appspotmail.com -Reported-by: Daniel Axtens -Suggested-by: Michael Ellerman -Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection") -Signed-off-by: Andrew Donnellan -[mpe: Use __arch_clear_user() for the asm version like arm64 & nds32] -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20191209132221.15328-1-ajd@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/uaccess.h | 9 +++++++-- - arch/powerpc/lib/string_32.S | 4 ++-- - arch/powerpc/lib/string_64.S | 6 +++--- - 3 files changed, 12 insertions(+), 7 deletions(-) - -diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h -index 15002b51ff18..c92fe7fe9692 100644 ---- a/arch/powerpc/include/asm/uaccess.h -+++ b/arch/powerpc/include/asm/uaccess.h -@@ -401,7 +401,7 @@ copy_to_user_mcsafe(void __user *to, const void *from, unsigned long n) - return n; - } - --extern unsigned long __clear_user(void __user *addr, unsigned long size); -+unsigned long __arch_clear_user(void __user *addr, unsigned long size); - - static inline unsigned long clear_user(void __user *addr, unsigned long size) - { -@@ -409,12 +409,17 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size) - might_fault(); - if (likely(access_ok(addr, size))) { - allow_write_to_user(addr, size); -- ret = __clear_user(addr, size); -+ ret = __arch_clear_user(addr, size); - prevent_write_to_user(addr, size); - } - return ret; - } - -+static inline unsigned long __clear_user(void __user *addr, unsigned long size) -+{ -+ return clear_user(addr, size); -+} -+ - extern long strncpy_from_user(char *dst, const char __user *src, long count); - extern __must_check long strnlen_user(const char __user *str, long n); - -diff --git a/arch/powerpc/lib/string_32.S b/arch/powerpc/lib/string_32.S -index f69a6aab7bfb..1ddb26394e8a 100644 ---- a/arch/powerpc/lib/string_32.S -+++ b/arch/powerpc/lib/string_32.S -@@ -17,7 +17,7 @@ CACHELINE_BYTES = L1_CACHE_BYTES - LG_CACHELINE_BYTES = L1_CACHE_SHIFT - CACHELINE_MASK = (L1_CACHE_BYTES-1) - --_GLOBAL(__clear_user) -+_GLOBAL(__arch_clear_user) - /* - * Use dcbz on the complete cache lines in the destination - * to set them to zero. This requires that the destination -@@ -87,4 +87,4 @@ _GLOBAL(__clear_user) - EX_TABLE(8b, 91b) - EX_TABLE(9b, 91b) - --EXPORT_SYMBOL(__clear_user) -+EXPORT_SYMBOL(__arch_clear_user) -diff --git a/arch/powerpc/lib/string_64.S b/arch/powerpc/lib/string_64.S -index 507b18b1660e..169872bc0892 100644 ---- a/arch/powerpc/lib/string_64.S -+++ b/arch/powerpc/lib/string_64.S -@@ -17,7 +17,7 @@ PPC64_CACHES: - .section ".text" - - /** -- * __clear_user: - Zero a block of memory in user space, with less checking. -+ * __arch_clear_user: - Zero a block of memory in user space, with less checking. - * @to: Destination address, in user space. - * @n: Number of bytes to zero. - * -@@ -58,7 +58,7 @@ err3; stb r0,0(r3) - mr r3,r4 - blr - --_GLOBAL_TOC(__clear_user) -+_GLOBAL_TOC(__arch_clear_user) - cmpdi r4,32 - neg r6,r3 - li r0,0 -@@ -181,4 +181,4 @@ err1; dcbz 0,r3 - cmpdi r4,32 - blt .Lshort_clear - b .Lmedium_clear --EXPORT_SYMBOL(__clear_user) -+EXPORT_SYMBOL(__arch_clear_user) --- -2.20.1 - diff --git a/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch b/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch deleted file mode 100644 index c9e98016a7c..00000000000 --- a/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch +++ /dev/null @@ -1,45 +0,0 @@ -From ac0b13cff6a8d95ea6528d05400e59288cc0c613 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 27 Nov 2019 17:57:50 +0100 -Subject: raid5: need to set STRIPE_HANDLE for batch head - -From: Guoqing Jiang - -[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ] - -With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set -STRIPE_HANDLE to stripe which is in batch list"), we don't want to set -STRIPE_HANDLE flag for sh which is already in batch list. - -However, the stripe which is the head of batch list should set this flag, -otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head), -it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved. - -Thanks for Xiao's effort to verify the change. - -Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list") -Reported-by: Xiao Ni -Tested-by: Xiao Ni -Signed-off-by: Guoqing Jiang -Signed-off-by: Song Liu -Signed-off-by: Sasha Levin ---- - drivers/md/raid5.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 12a8ce83786e..36cd7c2fbf40 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -5726,7 +5726,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi) - do_flush = false; - } - -- if (!sh->batch_head) -+ if (!sh->batch_head || sh == sh->batch_head) - set_bit(STRIPE_HANDLE, &sh->state); - clear_bit(STRIPE_DELAYED, &sh->state); - if ((!sh->batch_head || sh == sh->batch_head) && --- -2.20.1 - diff --git a/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch b/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch deleted file mode 100644 index 14821e34564..00000000000 --- a/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f7c1f5fa311b1d0938a6689b86c3bae27433f8ed Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 09:24:26 +0800 -Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure - -From: Chuhong Yuan - -[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ] - -The driver forgets to call unregister_pernet_subsys() in the error path -of cma_init(). -Add the missed call to fix it. - -Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces") -Signed-off-by: Chuhong Yuan -Reviewed-by: Parav Pandit -Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com -Signed-off-by: Doug Ledford -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/cma.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c -index d78f67623f24..50052e9a1731 100644 ---- a/drivers/infiniband/core/cma.c -+++ b/drivers/infiniband/core/cma.c -@@ -4736,6 +4736,7 @@ static int __init cma_init(void) - err: - unregister_netdevice_notifier(&cma_nb); - ib_sa_unregister_client(&sa_client); -+ unregister_pernet_subsys(&cma_pernet_operations); - err_wq: - destroy_workqueue(cma_wq); - return ret; --- -2.20.1 - diff --git a/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch b/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch deleted file mode 100644 index 051dbf9b271..00000000000 --- a/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 5f7e6edbb5cb2d851976aa77fde7fcaefdb3a238 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 11:12:12 +0200 -Subject: RDMA/counter: Prevent auto-binding a QP which are not tracked with - res - -From: Mark Zhang - -[ Upstream commit 33df2f1929df4a1cb13303e344fbf8a75f0dc41f ] - -Some QPs (e.g. XRC QP) are not tracked in kernel, in this case they have -an invalid res and should not be bound to any dynamically-allocated -counter in auto mode. - -This fixes below call trace: -BUG: kernel NULL pointer dereference, address: 0000000000000390 -PGD 80000001a7233067 P4D 80000001a7233067 PUD 1a7215067 PMD 0 -Oops: 0000 [#1] SMP PTI -CPU: 2 PID: 24822 Comm: ibv_xsrq_pingpo Not tainted 5.4.0-rc5+ #21 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 -RIP: 0010:rdma_counter_bind_qp_auto+0x142/0x270 [ib_core] -Code: e1 48 85 c0 48 89 c2 0f 84 bc 00 00 00 49 8b 06 48 39 42 48 75 d6 40 3a aa 90 00 00 00 75 cd 49 8b 86 00 01 00 00 48 8b 4a 28 <8b> 80 90 03 00 00 39 81 90 03 00 00 75 b4 85 c0 74 b0 48 8b 04 24 -RSP: 0018:ffffc900003f39c0 EFLAGS: 00010246 -RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 -RDX: ffff88820020ec00 RSI: 0000000000000004 RDI: ffffffffffffffc0 -RBP: 0000000000000001 R08: ffff888224149ff0 R09: ffffc900003f3968 -R10: ffffffffffffffff R11: ffff8882249c5848 R12: ffffffffffffffff -R13: ffff88821d5aca50 R14: ffff8881f7690800 R15: ffff8881ff890000 -FS: 00007fe53a3e1740(0000) GS:ffff888237b00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000390 CR3: 00000001a7292006 CR4: 00000000003606a0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - _ib_modify_qp+0x3a4/0x3f0 [ib_core] - ? lookup_get_idr_uobject.part.8+0x23/0x40 [ib_uverbs] - modify_qp+0x322/0x3e0 [ib_uverbs] - ib_uverbs_modify_qp+0x43/0x70 [ib_uverbs] - ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb1/0xf0 [ib_uverbs] - ib_uverbs_run_method+0x6be/0x760 [ib_uverbs] - ? uverbs_disassociate_api+0xd0/0xd0 [ib_uverbs] - ib_uverbs_cmd_verbs+0x18d/0x3a0 [ib_uverbs] - ? get_acl+0x1a/0x120 - ? __alloc_pages_nodemask+0x15d/0x2c0 - ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] - do_vfs_ioctl+0xa5/0x610 - ksys_ioctl+0x60/0x90 - __x64_sys_ioctl+0x16/0x20 - do_syscall_64+0x48/0x110 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Fixes: 99fa331dc862 ("RDMA/counter: Add "auto" configuration mode support") -Signed-off-by: Mark Zhang -Reviewed-by: Maor Gottlieb -Reviewed-by: Ido Kalir -Signed-off-by: Leon Romanovsky -Link: https://lore.kernel.org/r/20191212091214.315005-2-leon@kernel.org -Signed-off-by: Doug Ledford -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/counters.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c -index 680ad27f497d..023478107f0e 100644 ---- a/drivers/infiniband/core/counters.c -+++ b/drivers/infiniband/core/counters.c -@@ -282,6 +282,9 @@ int rdma_counter_bind_qp_auto(struct ib_qp *qp, u8 port) - struct rdma_counter *counter; - int ret; - -+ if (!qp->res.valid) -+ return 0; -+ - if (!rdma_is_port_valid(dev, port)) - return -EINVAL; - --- -2.20.1 - diff --git a/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch b/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch deleted file mode 100644 index 06dc1ca088f..00000000000 --- a/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 4ba8d5242d6ac29bc096b5448833e52718aed7e4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 Dec 2019 17:09:20 -0500 -Subject: Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection" - -From: Anders Kaseorg - -[ Upstream commit db5cce1afc8d2475d2c1c37c2a8267dd0e151526 ] - -This reverts commit 968dcfb4905245dc64d65312c0d17692fa087b99. - -Both that commit and commit 809805a820c6445f7a701ded24fdc6bbc841d1e4 -attempted to fix the same bug (dead assignments to the local variable -cfg), but they did so in incompatible ways. When they were both merged, -independently of each other, the combination actually caused the bug to -reappear, leading to a firmware crash on boot for some cards. - -https://bugzilla.kernel.org/show_bug.cgi?id=205719 - -Signed-off-by: Anders Kaseorg -Acked-by: Luca Coelho -Signed-off-by: Kalle Valo -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 +++++++++---------- - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -index 040cec17d3ad..b0b7eca1754e 100644 ---- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -@@ -1111,18 +1111,18 @@ static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - /* same thing for QuZ... */ - if (iwl_trans->hw_rev == CSR_HW_REV_TYPE_QUZ) { -- if (iwl_trans->cfg == &iwl_ax101_cfg_qu_hr) -- iwl_trans->cfg = &iwl_ax101_cfg_quz_hr; -- else if (iwl_trans->cfg == &iwl_ax201_cfg_qu_hr) -- iwl_trans->cfg = &iwl_ax201_cfg_quz_hr; -- else if (iwl_trans->cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0) -- iwl_trans->cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc; -- else if (iwl_trans->cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0) -- iwl_trans->cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc; -- else if (iwl_trans->cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0) -- iwl_trans->cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc; -- else if (iwl_trans->cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0) -- iwl_trans->cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc; -+ if (cfg == &iwl_ax101_cfg_qu_hr) -+ cfg = &iwl_ax101_cfg_quz_hr; -+ else if (cfg == &iwl_ax201_cfg_qu_hr) -+ cfg = &iwl_ax201_cfg_quz_hr; -+ else if (cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0) -+ cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc; -+ else if (cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0) -+ cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc; -+ else if (cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0) -+ cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc; -+ else if (cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0) -+ cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc; - } - - #endif --- -2.20.1 - diff --git a/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch b/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch deleted file mode 100644 index 58d0d638cc3..00000000000 --- a/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch +++ /dev/null @@ -1,83 +0,0 @@ -From ecd7705049d0faec686bd67f808efa97abffa8cd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 Dec 2019 20:03:20 -0600 -Subject: rxe: correctly calculate iCRC for unaligned payloads - -From: Steve Wise - -[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ] - -If RoCE PDUs being sent or received contain pad bytes, then the iCRC -is miscalculated, resulting in PDUs being emitted by RXE with an incorrect -iCRC, as well as ingress PDUs being dropped due to erroneously detecting -a bad iCRC in the PDU. The fix is to include the pad bytes, if any, -in iCRC computations. - -Note: This bug has caused broken on-the-wire compatibility with actual -hardware RoCE devices since the soft-RoCE driver was first put into the -mainstream kernel. Fixing it will create an incompatibility with the -original soft-RoCE devices, but is necessary to be compatible with real -hardware devices. - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Signed-off-by: Steve Wise -Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com -Signed-off-by: Doug Ledford -Signed-off-by: Sasha Levin ---- - drivers/infiniband/sw/rxe/rxe_recv.c | 2 +- - drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++ - drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c -index f9a492ed900b..831ad578a7b2 100644 ---- a/drivers/infiniband/sw/rxe/rxe_recv.c -+++ b/drivers/infiniband/sw/rxe/rxe_recv.c -@@ -389,7 +389,7 @@ void rxe_rcv(struct sk_buff *skb) - - calc_icrc = rxe_icrc_hdr(pkt, skb); - calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt), -- payload_size(pkt)); -+ payload_size(pkt) + bth_pad(pkt)); - calc_icrc = (__force u32)cpu_to_be32(~calc_icrc); - if (unlikely(calc_icrc != pack_icrc)) { - if (skb->protocol == htons(ETH_P_IPV6)) -diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c -index c5d9b558fa90..e5031172c019 100644 ---- a/drivers/infiniband/sw/rxe/rxe_req.c -+++ b/drivers/infiniband/sw/rxe/rxe_req.c -@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe, - if (err) - return err; - } -+ if (bth_pad(pkt)) { -+ u8 *pad = payload_addr(pkt) + paylen; -+ -+ memset(pad, 0, bth_pad(pkt)); -+ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt)); -+ } - } - p = payload_addr(pkt) + paylen + bth_pad(pkt); - -diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c -index 1cbfbd98eb22..c4a8195bf670 100644 ---- a/drivers/infiniband/sw/rxe/rxe_resp.c -+++ b/drivers/infiniband/sw/rxe/rxe_resp.c -@@ -732,6 +732,13 @@ static enum resp_states read_reply(struct rxe_qp *qp, - if (err) - pr_err("Failed copying memory\n"); - -+ if (bth_pad(&ack_pkt)) { -+ struct rxe_dev *rxe = to_rdev(qp->ibqp.device); -+ u8 *pad = payload_addr(&ack_pkt) + payload; -+ -+ memset(pad, 0, bth_pad(&ack_pkt)); -+ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt)); -+ } - p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt); - *p = ~icrc; - --- -2.20.1 - diff --git a/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch b/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch deleted file mode 100644 index c9106a9276e..00000000000 --- a/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 6b19c4e259e8995d85ba2bcf8e422e2468863992 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Nov 2019 10:26:41 +0100 -Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits - -From: Thomas Richter - -[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ] - -Function perf_event_ever_overflow() and perf_event_account_interrupt() -are called every time samples are processed by the interrupt handler. -However function perf_event_account_interrupt() has checks to avoid being -flooded with interrupts (more then 1000 samples are received per -task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is -added to the perf data. The perf subsystem limit calculation is: - - maximum sample frequency := 100000 --> 1 samples per 10 us - task_tick = 10ms = 10000us --> 1000 samples per task_tick - -The work flow is - -measurement_alert() uses SDBT head and each SBDT points to 511 - SDB pages, each with 126 sample entries. After processing 8 SBDs - and for each valid sample calling: - - perf_event_overflow() - perf_event_account_interrupts() - -there is a considerable amount of samples being dropped, especially when -the sample frequency is very high and near the 100000 limit. - -To avoid the high amount of samples being dropped near the end of a -task_tick time frame, increment the sampling interval in case of -dropped events. The CPU Measurement sampling facility on the s390 -supports only intervals, specifiing how many CPU cycles have to be -executed before a sample is generated. Increase the interval when the -samples being generated hit the task_tick limit. - -Signed-off-by: Thomas Richter -Signed-off-by: Vasily Gorbik -Signed-off-by: Sasha Levin ---- - arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c -index 3d8b12a9a6ff..8c384e6ea36a 100644 ---- a/arch/s390/kernel/perf_cpum_sf.c -+++ b/arch/s390/kernel/perf_cpum_sf.c -@@ -1312,6 +1312,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) - if (sampl_overflow) - OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) + - sampl_overflow, 1 + num_sdb); -+ -+ /* Perf_event_overflow() and perf_event_account_interrupt() limit -+ * the interrupt rate to an upper limit. Roughly 1000 samples per -+ * task tick. -+ * Hitting this limit results in a large number -+ * of throttled REF_REPORT_THROTTLE entries and the samples -+ * are dropped. -+ * Slightly increase the interval to avoid hitting this limit. -+ */ -+ if (event_overflow) { -+ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10); -+ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n", -+ __func__, -+ DIV_ROUND_UP(SAMPL_RATE(hwc), 10)); -+ } -+ - if (sampl_overflow || event_overflow) - debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: " - "overflow stats: sample=%llu event=%llu\n", --- -2.20.1 - diff --git a/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch b/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch deleted file mode 100644 index 77008c53e94..00000000000 --- a/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 40558ca2308d63d3bb3a0c495ad4b89fd7dcf363 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Nov 2019 15:24:25 +0100 -Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler - -From: Thomas Richter - -[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ] - -The s390 CPU Measurement sampling facility has an overflow condition -which fires when all entries in a SBD are used. -The measurement alert interrupt is triggered and reads out all samples -in this SDB. It then tests the successor SDB, if this SBD is not full, -the interrupt handler does not read any samples at all from this SDB -The design waits for the hardware to fill this SBD and then trigger -another meassurement alert interrupt. - -This scheme works nicely until -an perf_event_overflow() function call discards the sample due to -a too high sampling rate. -The interrupt handler has logic to read out a partially filled SDB -when the perf event overflow condition in linux common code is met. -This causes the CPUM sampling measurement hardware and the PMU -device driver to operate on the same SBD's trailer entry. -This should not happen. - -This can be seen here using this trace: - cpumsf_pmu_add: tear:0xb5286000 - hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0 - hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 - above shows 1. interrupt - hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0 - hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 - above shows 2. interrupt - ... this goes on fine until... - hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0 - perf_push_sample1: overflow - one or more samples read from the IRQ handler are rejected by - perf_event_overflow() and the IRQ handler advances to the next SDB - and modifies the trailer entry of a partially filled SDB. - hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1 - timestamp: 14:32:52.519953 - -Next time the IRQ handler is called for this SDB the trailer entry shows -an overflow count of 19 missed entries. - hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1 - timestamp: 14:32:52.970058 - -Remove access to a follow on SDB when event overflow happened. - -Signed-off-by: Thomas Richter -Signed-off-by: Vasily Gorbik -Signed-off-by: Sasha Levin ---- - arch/s390/kernel/perf_cpum_sf.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c -index 8c384e6ea36a..8ad406f7264a 100644 ---- a/arch/s390/kernel/perf_cpum_sf.c -+++ b/arch/s390/kernel/perf_cpum_sf.c -@@ -1300,12 +1300,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) - */ - if (flush_all && done) - break; -- -- /* If an event overflow happened, discard samples by -- * processing any remaining sample-data-blocks. -- */ -- if (event_overflow) -- flush_all = 1; - } - - /* Account sample overflows in the event hardware structure */ --- -2.20.1 - diff --git a/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch b/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch deleted file mode 100644 index fb8ff1918be..00000000000 --- a/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch +++ /dev/null @@ -1,113 +0,0 @@ -From b30b2ebef8971598796b2c3a7e7ee456b50a440b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Nov 2019 13:26:17 +0000 -Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func - -From: Bo Wu - -[ Upstream commit bba340c79bfe3644829db5c852fdfa9e33837d6d ] - -In iscsi_if_rx func, after receiving one request through -iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to -reply to the request in a do-while loop. If the iscsi_if_send_reply -function keeps returning -EAGAIN, a deadlock will occur. - -For example, a client only send msg without calling recvmsg func, then -it will result in the watchdog soft lockup. The details are given as -follows: - - sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); - retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); - while (1) { - state_msg = sendmsg(sock_fd, &msg, 0); - //Note: recvmsg(sock_fd, &msg, 0) is not processed here. - } - close(sock_fd); - -watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: -curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 -deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: - TIMER: 992 - SCHED: 8 -Sample irqstat: - irq 2: delta 1003, curr: 3103802, arch_timer -CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE -Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 -pstate: 40400005 (nZcv daif +PAN -UAO) -pc : __alloc_skb+0x104/0x1b0 -lr : __alloc_skb+0x9c/0x1b0 -sp : ffff000033603a30 -x29: ffff000033603a30 x28: 00000000000002dd -x27: ffff800b34ced810 x26: ffff800ba7569f00 -x25: 00000000ffffffff x24: 0000000000000000 -x23: ffff800f7c43f600 x22: 0000000000480020 -x21: ffff0000091d9000 x20: ffff800b34eff200 -x19: ffff800ba7569f00 x18: 0000000000000000 -x17: 0000000000000000 x16: 0000000000000000 -x15: 0000000000000000 x14: 0001000101000100 -x13: 0000000101010000 x12: 0101000001010100 -x11: 0001010101010001 x10: 00000000000002dd -x9 : ffff000033603d58 x8 : ffff800b34eff400 -x7 : ffff800ba7569200 x6 : ffff800b34eff400 -x5 : 0000000000000000 x4 : 00000000ffffffff -x3 : 0000000000000000 x2 : 0000000000000001 -x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: -__alloc_skb+0x104/0x1b0 -iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] -netlink_unicast+0x1e0/0x258 -netlink_sendmsg+0x310/0x378 -sock_sendmsg+0x4c/0x70 -sock_write_iter+0x90/0xf0 -__vfs_write+0x11c/0x190 -vfs_write+0xac/0x1c0 -ksys_write+0x6c/0xd8 -__arm64_sys_write+0x24/0x30 -el0_svc_common+0x78/0x130 -el0_svc_handler+0x38/0x78 -el0_svc+0x8/0xc - -Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com -Signed-off-by: Bo Wu -Reviewed-by: Zhiqiang Liu -Reviewed-by: Lee Duncan -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/scsi_transport_iscsi.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c -index 417b868d8735..ed8d9709b9b9 100644 ---- a/drivers/scsi/scsi_transport_iscsi.c -+++ b/drivers/scsi/scsi_transport_iscsi.c -@@ -24,6 +24,8 @@ - - #define ISCSI_TRANSPORT_VERSION "2.0-870" - -+#define ISCSI_SEND_MAX_ALLOWED 10 -+ - #define CREATE_TRACE_POINTS - #include - -@@ -3682,6 +3684,7 @@ iscsi_if_rx(struct sk_buff *skb) - struct nlmsghdr *nlh; - struct iscsi_uevent *ev; - uint32_t group; -+ int retries = ISCSI_SEND_MAX_ALLOWED; - - nlh = nlmsg_hdr(skb); - if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || -@@ -3712,6 +3715,10 @@ iscsi_if_rx(struct sk_buff *skb) - break; - err = iscsi_if_send_reply(portid, nlh->nlmsg_type, - ev, sizeof(*ev)); -+ if (err == -EAGAIN && --retries < 0) { -+ printk(KERN_WARNING "Send reply failed, error %d\n", err); -+ break; -+ } - } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); - skb_pull(skb, rlen); - } --- -2.20.1 - diff --git a/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch deleted file mode 100644 index 019818b7ae6..00000000000 --- a/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch +++ /dev/null @@ -1,40 +0,0 @@ -From dd8ad473ac8df32a879cb64cd71d3ad730d8c8cb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 3 Dec 2019 12:45:09 +0300 -Subject: scsi: iscsi: qla4xxx: fix double free in probe - -From: Dan Carpenter - -[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ] - -On this error path we call qla4xxx_mem_free() and then the caller also -calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a -couple double frees: - -drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed -drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed - -Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx") -Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain -Signed-off-by: Dan Carpenter -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla4xxx/ql4_os.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c -index 8c674eca09f1..2323432a0edb 100644 ---- a/drivers/scsi/qla4xxx/ql4_os.c -+++ b/drivers/scsi/qla4xxx/ql4_os.c -@@ -4275,7 +4275,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha) - return QLA_SUCCESS; - - mem_alloc_error_exit: -- qla4xxx_mem_free(ha); - return QLA_ERROR; - } - --- -2.20.1 - diff --git a/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch b/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch deleted file mode 100644 index 825b4d52bfc..00000000000 --- a/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch +++ /dev/null @@ -1,147 +0,0 @@ -From d326387cddbbeb72db6a0ac5db5a505b69be1d89 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 09:11:18 +0800 -Subject: scsi: libsas: stop discovering if oob mode is disconnected - -From: Jason Yan - -[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ] - -The discovering of sas port is driven by workqueue in libsas. When libsas -is processing port events or phy events in workqueue, new events may rise -up and change the state of some structures such as asd_sas_phy. This may -cause some problems such as follows: - -==>thread 1 ==>thread 2 - - ==>phy up - ==>phy_up_v3_hw() - ==>oob_mode = SATA_OOB_MODE; - ==>phy down quickly - ==>hisi_sas_phy_down() - ==>sas_ha->notify_phy_event() - ==>sas_phy_disconnected() - ==>oob_mode = OOB_NOT_CONNECTED -==>workqueue wakeup -==>sas_form_port() - ==>sas_discover_domain() - ==>sas_get_port_device() - ==>oob_mode is OOB_NOT_CONNECTED and device - is wrongly taken as expander - -This at last lead to the panic when libsas trying to issue a command to -discover the device. - -[183047.614035] Unable to handle kernel NULL pointer dereference at -virtual address 0000000000000058 -[183047.622896] Mem abort info: -[183047.625762] ESR = 0x96000004 -[183047.628893] Exception class = DABT (current EL), IL = 32 bits -[183047.634888] SET = 0, FnV = 0 -[183047.638015] EA = 0, S1PTW = 0 -[183047.641232] Data abort info: -[183047.644189] ISV = 0, ISS = 0x00000004 -[183047.648100] CM = 0, WnR = 0 -[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp = -00000000b7df67be -[183047.657834] [0000000000000058] pgd=0000000000000000 -[183047.662789] Internal error: Oops: 96000004 [#1] SMP -[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit = -0x00000000417c4974) -[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G -W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1 -[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10, -BIOS 0.15 10/22/2019 -[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain -[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO) -[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] -[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw] -[183047.717153] sp : ffff00000f28ba60 -[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228 -[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200 -[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0 -[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228 -[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200 -[183047.747464] x19: 0000000000f80800 x18: 0000000000000010 -[183047.752848] x17: 0000000000000000 x16: 0000000000000000 -[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005 -[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20 -[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870 -[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0 -[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f -[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0 -[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007 -[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000 -[183047.801307] Call trace: -[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] -[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main] -[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main] -[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main] -[183047.826757] smp_execute_task_sg+0xec/0x218 -[183047.831013] smp_execute_task+0x74/0xa0 -[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8 -[183047.839959] sas_discover_root_expander+0x90/0x160 -[183047.844822] sas_discover_domain+0x1b8/0x1e8 -[183047.849164] process_one_work+0x1b4/0x3f8 -[183047.853246] worker_thread+0x54/0x470 -[183047.856981] kthread+0x134/0x138 -[183047.860283] ret_from_fork+0x10/0x18 -[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800) -[183047.870097] kernel fault(0x1) notification starting on CPU 0 -[183047.875828] kernel fault(0x1) notification finished on CPU 0 -[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE) -hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE) -[183047.892418] ---[ end trace 4cc26083fc11b783 ]--- -[183047.897107] Kernel panic - not syncing: Fatal exception -[183047.902403] kernel fault(0x5) notification starting on CPU 0 -[183047.908134] kernel fault(0x5) notification finished on CPU 0 -[183047.913865] SMP: stopping secondary CPUs -[183047.917861] Kernel Offset: disabled -[183047.921422] CPU features: 0x2,a2a00a38 -[183047.925243] Memory Limit: none -[183047.928372] kernel reboot(0x2) notification starting on CPU 0 -[183047.934190] kernel reboot(0x2) notification finished on CPU 0 -[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception -]--- - -Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") -Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com -Reported-by: Gao Chuan -Reviewed-by: John Garry -Signed-off-by: Jason Yan -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/libsas/sas_discover.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c -index f47b4b281b14..d7302c2052f9 100644 ---- a/drivers/scsi/libsas/sas_discover.c -+++ b/drivers/scsi/libsas/sas_discover.c -@@ -81,12 +81,21 @@ static int sas_get_port_device(struct asd_sas_port *port) - else - dev->dev_type = SAS_SATA_DEV; - dev->tproto = SAS_PROTOCOL_SATA; -- } else { -+ } else if (port->oob_mode == SAS_OOB_MODE) { - struct sas_identify_frame *id = - (struct sas_identify_frame *) dev->frame_rcvd; - dev->dev_type = id->dev_type; - dev->iproto = id->initiator_bits; - dev->tproto = id->target_bits; -+ } else { -+ /* If the oob mode is OOB_NOT_CONNECTED, the port is -+ * disconnected due to race with PHY down. We cannot -+ * continue to discover this port -+ */ -+ sas_put_device(dev); -+ pr_warn("Port %016llx is disconnected when discovering\n", -+ SAS_ADDR(port->attached_sas_addr)); -+ return -ENODEV; - } - - sas_init_dev(dev); --- -2.20.1 - diff --git a/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch b/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch deleted file mode 100644 index 2598484e573..00000000000 --- a/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 633706a509d6b4104f32d13d7e04daa00d7dc269 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 7 Dec 2019 03:22:46 +0000 -Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func - -From: Bo Wu - -[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ] - -When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf, -dd_data should be freed before return SLI_CONFIG_HANDLED. - -When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in -job_error tag. - -Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com -Signed-off-by: Bo Wu -Reviewed-by: Zhiqiang Liu -Reviewed-by: James Smart -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c -index 39a736b887b1..6c2b03415a2c 100644 ---- a/drivers/scsi/lpfc/lpfc_bsg.c -+++ b/drivers/scsi/lpfc/lpfc_bsg.c -@@ -4489,12 +4489,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, - phba->mbox_ext_buf_ctx.seqNum++; - nemb_tp = phba->mbox_ext_buf_ctx.nembType; - -- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); -- if (!dd_data) { -- rc = -ENOMEM; -- goto job_error; -- } -- - pbuf = (uint8_t *)dmabuf->virt; - size = job->request_payload.payload_len; - sg_copy_to_buffer(job->request_payload.sg_list, -@@ -4531,6 +4525,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, - "2968 SLI_CONFIG ext-buffer wr all %d " - "ebuffers received\n", - phba->mbox_ext_buf_ctx.numBuf); -+ -+ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); -+ if (!dd_data) { -+ rc = -ENOMEM; -+ goto job_error; -+ } -+ - /* mailbox command structure for base driver */ - pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); - if (!pmboxq) { -@@ -4579,6 +4580,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, - return SLI_CONFIG_HANDLED; - - job_error: -+ if (pmboxq) -+ mempool_free(pmboxq, phba->mbox_mem_pool); - lpfc_bsg_dma_page_free(phba, dmabuf); - kfree(dd_data); - --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch b/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch deleted file mode 100644 index e42cfc8b362..00000000000 --- a/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 69059f09913b171e0aeb97be467cc8baccdd3990 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:58 +0300 -Subject: scsi: qla2xxx: Configure local loop for N2N target - -From: Roman Bolshakov - -[ Upstream commit fd1de5830a5abaf444cc4312871e02c41e24fdc1 ] - -qla2x00_configure_local_loop initializes PLOGI payload for PLOGI ELS using -Get Parameters mailbox command. - -In the case when the driver is running in target mode, the topology is N2N -and the target port has higher WWPN, LOCAL_LOOP_UPDATE bit is cleared too -early and PLOGI payload is not initialized by the Get Parameters -command. That causes a failure of ELS IOCB carrying the PLOGI with 0x15 aka -Data Underrun error. - -LOCAL_LOOP_UPDATE has to be set to initialize PLOGI payload. - -Fixes: 48acad099074 ("scsi: qla2xxx: Fix N2N link re-connect") -Link: https://lore.kernel.org/r/20191125165702.1013-10-r.bolshakov@yadro.com -Acked-by: Quinn Tran -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_init.c | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 5d31e3d52b6b..4e424f1ce5de 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -4927,14 +4927,8 @@ qla2x00_configure_loop(scsi_qla_host_t *vha) - set_bit(RSCN_UPDATE, &flags); - clear_bit(LOCAL_LOOP_UPDATE, &flags); - -- } else if (ha->current_topology == ISP_CFG_N) { -- clear_bit(RSCN_UPDATE, &flags); -- if (qla_tgt_mode_enabled(vha)) { -- /* allow the other side to start the login */ -- clear_bit(LOCAL_LOOP_UPDATE, &flags); -- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); -- } -- } else if (ha->current_topology == ISP_CFG_NL) { -+ } else if (ha->current_topology == ISP_CFG_NL || -+ ha->current_topology == ISP_CFG_N) { - clear_bit(RSCN_UPDATE, &flags); - set_bit(LOCAL_LOOP_UPDATE, &flags); - } else if (!vha->flags.online || --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch b/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch deleted file mode 100644 index 529e6c552ab..00000000000 --- a/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 0ba459bba31c871950b40f852b103916f7fd2f9e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:56 +0300 -Subject: scsi: qla2xxx: Don't call qlt_async_event twice - -From: Roman Bolshakov - -[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ] - -MBA_PORT_UPDATE generates duplicate log lines in target mode because -qlt_async_event is called twice. Drop the calls within the case as the -function will be called right after the switch statement. - -Cc: Quinn Tran -Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Acked-by: Himanshu Madhani -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_isr.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index 9204e8467a4e..b3766b1879e3 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -1061,8 +1061,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) - ql_dbg(ql_dbg_async, vha, 0x5011, - "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n", - mb[1], mb[2], mb[3]); -- -- qlt_async_event(mb[0], vha, mb); - break; - } - -@@ -1079,8 +1077,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) - set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags); - set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags); - set_bit(VP_CONFIG_OK, &vha->vp_flags); -- -- qlt_async_event(mb[0], vha, mb); - break; - - case MBA_RSCN_UPDATE: /* State Change Registration */ --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch b/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch deleted file mode 100644 index 4fced41edb9..00000000000 --- a/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch +++ /dev/null @@ -1,44 +0,0 @@ -From cb6654fa4596514d61d6350c5c32b12a445eabf4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:57:00 +0300 -Subject: scsi: qla2xxx: Don't defer relogin unconditonally - -From: Roman Bolshakov - -[ Upstream commit dabc5ec915f3a2c657ecfb529cd3d4ec303a4412 ] - -qla2x00_configure_local_loop sets RELOGIN_NEEDED bit and calls -qla24xx_fcport_handle_login to perform the login. This bit triggers a wake -up of DPC later after a successful login. - -The deferred call is not needed if login succeeds, and it's set in -qla24xx_fcport_handle_login in case of errors, hence it should be safe to -drop. - -Link: https://lore.kernel.org/r/20191125165702.1013-12-r.bolshakov@yadro.com -Acked-by: Himanshu Madhani -Acked-by: Quinn Tran -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_init.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 4e424f1ce5de..80f276d67c14 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -5045,7 +5045,6 @@ qla2x00_configure_local_loop(scsi_qla_host_t *vha) - memcpy(&ha->plogi_els_payld.data, - (void *)ha->init_cb, - sizeof(ha->plogi_els_payld.data)); -- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); - } else { - ql_dbg(ql_dbg_init, vha, 0x00d1, - "PLOGI ELS param read fail.\n"); --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch b/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch deleted file mode 100644 index 30faf0d7469..00000000000 --- a/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a0299ae0c93c338202d3a38064955fa840a6975f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:53 +0300 -Subject: scsi: qla2xxx: Drop superfluous INIT_WORK of del_work - -From: Roman Bolshakov - -[ Upstream commit 600954e6f2df695434887dfc6a99a098859990cf ] - -del_work is already initialized inside qla2x00_alloc_fcport, there's no -need to overwrite it. Indeed, it might prevent complete traversal of -workqueue list. - -Fixes: a01c77d2cbc45 ("scsi: qla2xxx: Move session delete to driver work queue") -Cc: Quinn Tran -Link: https://lore.kernel.org/r/20191125165702.1013-5-r.bolshakov@yadro.com -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Reviewed-by: Bart Van Assche -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_target.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c -index 950764ed4ab2..18522ac79d9e 100644 ---- a/drivers/scsi/qla2xxx/qla_target.c -+++ b/drivers/scsi/qla2xxx/qla_target.c -@@ -1265,7 +1265,6 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess) - "Scheduling sess %p for deletion %8phC\n", - sess, sess->port_name); - -- INIT_WORK(&sess->del_work, qla24xx_delete_sess_fn); - WARN_ON(!queue_work(sess->vha->hw->wq, &sess->del_work)); - } - --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch b/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch deleted file mode 100644 index ab500e296df..00000000000 --- a/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch +++ /dev/null @@ -1,52 +0,0 @@ -From cc3997700b63bb866dd5cf708443f46244f302eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:57 +0300 -Subject: scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length - -From: Roman Bolshakov - -[ Upstream commit 0334cdea1fba36fad8bdf9516f267ce01de625f7 ] - -The size of the buffer is hardcoded as 0x70 or 112 bytes, while the size of -ELS IOCB is 0x40 and the size of PLOGI payload returned by Get Parameters -command is 0x74. - -Cc: Quinn Tran -Link: https://lore.kernel.org/r/20191125165702.1013-9-r.bolshakov@yadro.com -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_iocb.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c -index 44dc97cebb06..bdf1994251b9 100644 ---- a/drivers/scsi/qla2xxx/qla_iocb.c -+++ b/drivers/scsi/qla2xxx/qla_iocb.c -@@ -2684,7 +2684,8 @@ qla24xx_els_logo_iocb(srb_t *sp, struct els_entry_24xx *els_iocb) - ql_dbg(ql_dbg_io + ql_dbg_buffer, vha, 0x3073, - "PLOGI ELS IOCB:\n"); - ql_dump_buffer(ql_log_info, vha, 0x0109, -- (uint8_t *)els_iocb, 0x70); -+ (uint8_t *)els_iocb, -+ sizeof(*els_iocb)); - } else { - els_iocb->control_flags = 1 << 13; - els_iocb->tx_byte_count = -@@ -2850,7 +2851,8 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode, - - ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3073, "PLOGI buffer:\n"); - ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x0109, -- (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, 0x70); -+ (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, -+ sizeof(*elsio->u.els_plogi.els_plogi_pyld)); - - rval = qla2x00_start_sp(sp); - if (rval != QLA_SUCCESS) { --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch deleted file mode 100644 index 9a99b618580..00000000000 --- a/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 951be690ed97503e584a8d8b50a25a9f406fd581 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:57:01 +0300 -Subject: scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI - -From: Roman Bolshakov - -[ Upstream commit af22f0c7b052c5c203207f1e5ebd6aa65f87c538 ] - -PORT UPDATE asynchronous event is generated on the host that issues PLOGI -ELS (in the case of higher WWPN). In that case, the event shouldn't be -handled as it sets unwanted DPC flags (i.e. LOOP_RESYNC_NEEDED) that -trigger link flap. - -Ignore the event if the host has higher WWPN, but handle otherwise. - -Cc: Quinn Tran -Link: https://lore.kernel.org/r/20191125165702.1013-13-r.bolshakov@yadro.com -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_mbx.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c -index 4d90cf101f5f..eac76e934cbe 100644 ---- a/drivers/scsi/qla2xxx/qla_mbx.c -+++ b/drivers/scsi/qla2xxx/qla_mbx.c -@@ -3920,6 +3920,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, - vha->d_id.b24 = 0; - vha->d_id.b.al_pa = 1; - ha->flags.n2n_bigger = 1; -+ ha->flags.n2n_ae = 0; - - id.b.al_pa = 2; - ql_dbg(ql_dbg_async, vha, 0x5075, -@@ -3930,6 +3931,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, - "Format 1: Remote login - Waiting for WWPN %8phC.\n", - rptid_entry->u.f1.port_name); - ha->flags.n2n_bigger = 0; -+ ha->flags.n2n_ae = 1; - } - qla24xx_post_newsess_work(vha, &id, - rptid_entry->u.f1.port_name, -@@ -3941,7 +3943,6 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha, - /* if our portname is higher then initiate N2N login */ - - set_bit(N2N_LOGIN_NEEDED, &vha->dpc_flags); -- ha->flags.n2n_ae = 1; - return; - break; - case TOPO_FL: --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch deleted file mode 100644 index 577d70139aa..00000000000 --- a/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 32df77c20e5476f54eb2d699df3e4ca75e6fd697 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:59 +0300 -Subject: scsi: qla2xxx: Send Notify ACK after N2N PLOGI - -From: Roman Bolshakov - -[ Upstream commit 5e6b01d84b9d20bcd77fc7c4733a2a4149bf220a ] - -qlt_handle_login schedules session for deletion even if a login is in -progress. That causes login bouncing, i.e. a few logins are made before it -settles down. - -Complete the first login by sending Notify Acknowledge IOCB via -qlt_plogi_ack_unref if the session is pending login completion. - -Fixes: 9cd883f07a54 ("scsi: qla2xxx: Fix session cleanup for N2N") -Cc: Krishna Kant -Cc: Alexei Potashnik -Link: https://lore.kernel.org/r/20191125165702.1013-11-r.bolshakov@yadro.com -Acked-by: Quinn Tran -Acked-by: Himanshu Madhani -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_target.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c -index 18522ac79d9e..74a378a91b71 100644 ---- a/drivers/scsi/qla2xxx/qla_target.c -+++ b/drivers/scsi/qla2xxx/qla_target.c -@@ -4803,6 +4803,7 @@ static int qlt_handle_login(struct scsi_qla_host *vha, - - switch (sess->disc_state) { - case DSC_DELETED: -+ case DSC_LOGIN_PEND: - qlt_plogi_ack_unref(vha, pla); - break; - --- -2.20.1 - diff --git a/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch b/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch deleted file mode 100644 index 83a238c0f4d..00000000000 --- a/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 40836029a18f8220825b4f6a97ce547b884b43ee Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 19:56:51 +0300 -Subject: scsi: qla2xxx: Use explicit LOGO in target mode - -From: Quinn Tran - -[ Upstream commit 86196a8fa8a84af1395a28ea0548f2ce6ae9bc22 ] - -Target makes implicit LOGO on session teardown. LOGO ELS is not send on the -wire and initiator is not aware that target no longer wants talking to -it. Initiator keeps sending I/O requests, target responds with BA_RJT, they -time out and then initiator sends ABORT TASK (ABTS-LS). - -Current behaviour incurs unneeded I/O timeout and can be fixed for some -initiators by making explicit LOGO on session deletion. - -Link: https://lore.kernel.org/r/20191125165702.1013-3-r.bolshakov@yadro.com -Reviewed-by: Hannes Reinecke -Tested-by: Hannes Reinecke -Signed-off-by: Quinn Tran -Signed-off-by: Himanshu Madhani -Signed-off-by: Roman Bolshakov -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_def.h | 1 + - drivers/scsi/qla2xxx/qla_iocb.c | 16 ++++++++++++---- - drivers/scsi/qla2xxx/qla_target.c | 1 + - drivers/scsi/qla2xxx/tcm_qla2xxx.c | 1 + - 4 files changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index d5386edddaf6..1eb3fe281cc3 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -2401,6 +2401,7 @@ typedef struct fc_port { - unsigned int id_changed:1; - unsigned int scan_needed:1; - unsigned int n2n_flag:1; -+ unsigned int explicit_logout:1; - - struct completion nvme_del_done; - uint32_t nvme_prli_service_param; -diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c -index 518eb954cf42..44dc97cebb06 100644 ---- a/drivers/scsi/qla2xxx/qla_iocb.c -+++ b/drivers/scsi/qla2xxx/qla_iocb.c -@@ -2405,11 +2405,19 @@ qla2x00_login_iocb(srb_t *sp, struct mbx_entry *mbx) - static void - qla24xx_logout_iocb(srb_t *sp, struct logio_entry_24xx *logio) - { -+ u16 control_flags = LCF_COMMAND_LOGO; - logio->entry_type = LOGINOUT_PORT_IOCB_TYPE; -- logio->control_flags = -- cpu_to_le16(LCF_COMMAND_LOGO|LCF_IMPL_LOGO); -- if (!sp->fcport->keep_nport_handle) -- logio->control_flags |= cpu_to_le16(LCF_FREE_NPORT); -+ -+ if (sp->fcport->explicit_logout) { -+ control_flags |= LCF_EXPL_LOGO|LCF_FREE_NPORT; -+ } else { -+ control_flags |= LCF_IMPL_LOGO; -+ -+ if (!sp->fcport->keep_nport_handle) -+ control_flags |= LCF_FREE_NPORT; -+ } -+ -+ logio->control_flags = cpu_to_le16(control_flags); - logio->nport_handle = cpu_to_le16(sp->fcport->loop_id); - logio->port_id[0] = sp->fcport->d_id.b.al_pa; - logio->port_id[1] = sp->fcport->d_id.b.area; -diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c -index a9bd0f513316..950764ed4ab2 100644 ---- a/drivers/scsi/qla2xxx/qla_target.c -+++ b/drivers/scsi/qla2xxx/qla_target.c -@@ -1104,6 +1104,7 @@ void qlt_free_session_done(struct work_struct *work) - } - } - -+ sess->explicit_logout = 0; - spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); - sess->free_pending = 0; - -diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c -index bab2073c1f72..abe7f79bb789 100644 ---- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c -+++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c -@@ -350,6 +350,7 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess) - target_sess_cmd_list_set_waiting(se_sess); - spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); - -+ sess->explicit_logout = 1; - tcm_qla2xxx_put_sess(sess); - } - --- -2.20.1 - diff --git a/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch b/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch deleted file mode 100644 index 261f3a62b12..00000000000 --- a/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 97d940e880223f65b405b8cd37a8d3ea6b75b7a2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 20 Dec 2019 15:03:44 -0300 -Subject: sctp: fix err handling of stream initialization - -From: Marcelo Ricardo Leitner - -[ Upstream commit 61d5d4062876e21331c3d0ba4b02dbd50c06a658 ] - -The fix on 951c6db954a1 fixed the issued reported there but introduced -another. When the allocation fails within sctp_stream_init() it is -okay/necessary to free the genradix. But it is also called when adding -new streams, from sctp_send_add_streams() and -sctp_process_strreset_addstrm_in() and in those situations it cannot -just free the genradix because by then it is a fully operational -association. - -The fix here then is to only free the genradix in sctp_stream_init() -and on those other call sites move on with what it already had and let -the subsequent error handling to handle it. - -Tested with the reproducers from this report and the previous one, -with lksctp-tools and sctp-tests. - -Reported-by: syzbot+9a1bc632e78a1a98488b@syzkaller.appspotmail.com -Fixes: 951c6db954a1 ("sctp: fix memleak on err handling of stream initialization") -Signed-off-by: Marcelo Ricardo Leitner -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sctp/stream.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/net/sctp/stream.c b/net/sctp/stream.c -index 6a30392068a0..c1a100d2fed3 100644 ---- a/net/sctp/stream.c -+++ b/net/sctp/stream.c -@@ -84,10 +84,8 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt, - return 0; - - ret = genradix_prealloc(&stream->out, outcnt, gfp); -- if (ret) { -- genradix_free(&stream->out); -+ if (ret) - return ret; -- } - - stream->outcnt = outcnt; - return 0; -@@ -102,10 +100,8 @@ static int sctp_stream_alloc_in(struct sctp_stream *stream, __u16 incnt, - return 0; - - ret = genradix_prealloc(&stream->in, incnt, gfp); -- if (ret) { -- genradix_free(&stream->in); -+ if (ret) - return ret; -- } - - stream->incnt = incnt; - return 0; -@@ -123,7 +119,7 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, - * a new one with new outcnt to save memory if needed. - */ - if (outcnt == stream->outcnt) -- goto in; -+ goto handle_in; - - /* Filter out chunks queued on streams that won't exist anymore */ - sched->unsched_all(stream); -@@ -132,24 +128,28 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, - - ret = sctp_stream_alloc_out(stream, outcnt, gfp); - if (ret) -- goto out; -+ goto out_err; - - for (i = 0; i < stream->outcnt; i++) - SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN; - --in: -+handle_in: - sctp_stream_interleave_init(stream); - if (!incnt) - goto out; - - ret = sctp_stream_alloc_in(stream, incnt, gfp); -- if (ret) { -- sched->free(stream); -- genradix_free(&stream->out); -- stream->outcnt = 0; -- goto out; -- } -+ if (ret) -+ goto in_err; -+ -+ goto out; - -+in_err: -+ sched->free(stream); -+ genradix_free(&stream->in); -+out_err: -+ genradix_free(&stream->out); -+ stream->outcnt = 0; - out: - return ret; - } --- -2.20.1 - diff --git a/queue-5.4/series b/queue-5.4/series deleted file mode 100644 index 75612f6c756..00000000000 --- a/queue-5.4/series +++ /dev/null @@ -1,79 +0,0 @@ -revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch -drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch -nvme_fc-add-module-to-ops-template-to-allow-module-r.patch -nvme-fc-fix-double-free-scenarios-on-hw-queues.patch -drm-amdgpu-add-check-before-enabling-disabling-broad.patch -drm-amdgpu-add-header-line-for-power-profile-on-arct.patch -drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch -drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch -drm-amd-display-fixed-kernel-panic-when-booting-with.patch -drm-amd-display-change-the-delay-time-before-enablin.patch -drm-amd-display-reset-steer-fifo-before-unblanking-t.patch -drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch -nvme-pci-fix-write-and-poll-queue-types.patch -nvme-pci-fix-read-queue-count.patch -iio-st_accel-fix-unused-variable-warning.patch -iio-adc-max9611-fix-too-short-conversion-time-delay.patch -pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch -pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch -pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch -afs-fix-afs_find_server-lookups-for-ipv4-peers.patch -afs-fix-selinux-setting-security-label-on-afs.patch -rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch -rxe-correctly-calculate-icrc-for-unaligned-payloads.patch -scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch -scsi-qla2xxx-use-explicit-logo-in-target-mode.patch -scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch -scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch -scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch -scsi-qla2xxx-configure-local-loop-for-n2n-target.patch -scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch -scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch -scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch -scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch -scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch -scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch -staging-wlan-ng-add-crc32-dependency-in-kconfig.patch -drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch -drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch -drm-nouveau-kms-nv50-fix-panel-scaling.patch -usb-gadget-fix-wrong-endpoint-desc.patch -net-make-socket-read-write_iter-honor-iocb_nowait.patch -afs-fix-mountpoint-parsing.patch -afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch -raid5-need-to-set-stripe_handle-for-batch-head.patch -md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch -s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch -s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch -rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch -ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch -ib-mlx5-fix-steering-rule-of-drop-and-count.patch -xen-blkback-prevent-premature-module-unload.patch -xen-balloon-fix-ballooned-page-accounting-without-ho.patch -pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch -alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch -alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch -pci-add-a-helper-to-check-power-resource-requirement.patch -alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch -pci-fix-missing-inline-for-pci_pr3_present.patch -alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch -tcp-fix-data-race-in-tcp_recvmsg.patch -inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch -net-add-a-read_once-in-skb_peek_tail.patch -net-icmp-fix-data-race-in-cmp_global_allow.patch -io_uring-io_allocate_scq_urings-should-return-a-sane.patch -shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch -xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch -taskstats-fix-data-race.patch -drm-limit-to-int_max-in-create_blob-ioctl.patch -netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch -tomoyo-don-t-use-nifty-names-on-sockets.patch -6pack-mkiss-fix-possible-deadlock.patch -net-smc-add-fallback-check-to-connect.patch -powerpc-fix-__clear_user-with-kuap-enabled.patch -alsa-hda-downgrade-error-message-for-single-cmd-fall.patch -netfilter-ebtables-compat-reject-all-padding-in-matc.patch -sctp-fix-err-handling-of-stream-initialization.patch -netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch -block-add-bio_truncate-to-fix-guard_bio_eod.patch -mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch deleted file mode 100644 index f9ec0bd7ce4..00000000000 --- a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 7088284e1e36561511ab7d5807bfdbfcf989048d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 30 Nov 2019 17:50:26 -0800 -Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped - -From: Kirill A. Shutemov - -[ Upstream commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 ] - -syzbot found the following crash: - - BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 - - CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - Call Trace: - perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - trace_lock_acquire include/trace/events/lock.h:13 [inline] - lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 - __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] - _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 - spin_lock include/linux/spinlock.h:338 [inline] - shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 - __do_fault+0x111/0x540 mm/memory.c:3083 - do_shared_fault mm/memory.c:3535 [inline] - do_fault mm/memory.c:3613 [inline] - handle_pte_fault mm/memory.c:3840 [inline] - __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 - handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 - do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] - __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 - do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 - page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 - -It happens if the VMA got unmapped under us while we dropped mmap_sem -and inode got freed. - -Pinning the file if we drop mmap_sem fixes the issue. - -Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box -Signed-off-by: Kirill A. Shutemov -Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com -Acked-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Cc: Hillf Danton -Cc: Hugh Dickins -Cc: Josef Bacik -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - mm/shmem.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/mm/shmem.c b/mm/shmem.c -index 7a22e3e03d11..6074714fdbd4 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf) - shmem_falloc->waitq && - vmf->pgoff >= shmem_falloc->start && - vmf->pgoff < shmem_falloc->next) { -+ struct file *fpin; - wait_queue_head_t *shmem_falloc_waitq; - DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); - - ret = VM_FAULT_NOPAGE; -- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -- /* It's polite to up mmap_sem if we can */ -- up_read(&vma->vm_mm->mmap_sem); -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); -+ if (fpin) - ret = VM_FAULT_RETRY; -- } - - shmem_falloc_waitq = shmem_falloc->waitq; - prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf) - spin_lock(&inode->i_lock); - finish_wait(shmem_falloc_waitq, &shmem_fault_wait); - spin_unlock(&inode->i_lock); -+ -+ if (fpin) -+ fput(fpin); - return ret; - } - spin_unlock(&inode->i_lock); --- -2.20.1 - diff --git a/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch b/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch deleted file mode 100644 index b0bb0d5d8be..00000000000 --- a/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 666d4ac220958ed5b927ef5b2d7215f07b6932b4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 27 Nov 2019 12:24:57 +0100 -Subject: staging/wlan-ng: add CRC32 dependency in Kconfig - -From: Kay Friedrich - -[ Upstream commit 2740bd3351cd5a4351f458aabaa1c9b77de3867b ] - -wlan-ng uses the function crc32_le, -but CRC32 wasn't a dependency of wlan-ng - -Co-developed-by: Michael Kupfer -Signed-off-by: Michael Kupfer -Signed-off-by: Kay Friedrich -Link: https://lore.kernel.org/r/20191127112457.2301-1-kay.friedrich@fau.de -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/staging/wlan-ng/Kconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/staging/wlan-ng/Kconfig b/drivers/staging/wlan-ng/Kconfig -index ac136663fa8e..082c16a31616 100644 ---- a/drivers/staging/wlan-ng/Kconfig -+++ b/drivers/staging/wlan-ng/Kconfig -@@ -4,6 +4,7 @@ config PRISM2_USB - depends on WLAN && USB && CFG80211 - select WIRELESS_EXT - select WEXT_PRIV -+ select CRC32 - help - This is the wlan-ng prism 2.5/3 USB driver for a wide range of - old USB wireless devices. --- -2.20.1 - diff --git a/queue-5.4/taskstats-fix-data-race.patch b/queue-5.4/taskstats-fix-data-race.patch deleted file mode 100644 index 4147758d8ba..00000000000 --- a/queue-5.4/taskstats-fix-data-race.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 746d34d701547cef99f01b060e1782f8a67e07f0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 9 Oct 2019 13:48:09 +0200 -Subject: taskstats: fix data-race - -From: Christian Brauner - -[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ] - -When assiging and testing taskstats in taskstats_exit() there's a race -when setting up and reading sig->stats when a thread-group with more -than one thread exits: - -write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0: - taskstats_tgid_alloc kernel/taskstats.c:567 [inline] - taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596 - do_exit+0x2c2/0x18e0 kernel/exit.c:864 - do_group_exit+0xb4/0x1c0 kernel/exit.c:983 - get_signal+0x2a2/0x1320 kernel/signal.c:2734 - do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815 - exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159 - prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] - syscall_return_slowpath arch/x86/entry/common.c:274 [inline] - do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1: - taskstats_tgid_alloc kernel/taskstats.c:559 [inline] - taskstats_exit+0xb2/0x717 kernel/taskstats.c:596 - do_exit+0x2c2/0x18e0 kernel/exit.c:864 - do_group_exit+0xb4/0x1c0 kernel/exit.c:983 - __do_sys_exit_group kernel/exit.c:994 [inline] - __se_sys_exit_group kernel/exit.c:992 [inline] - __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992 - do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Fix this by using smp_load_acquire() and smp_store_release(). - -Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com -Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") -Cc: stable@vger.kernel.org -Signed-off-by: Christian Brauner -Acked-by: Marco Elver -Reviewed-by: Will Deacon -Reviewed-by: Andrea Parri -Reviewed-by: Dmitry Vyukov -Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com -Signed-off-by: Sasha Levin ---- - kernel/taskstats.c | 30 +++++++++++++++++++----------- - 1 file changed, 19 insertions(+), 11 deletions(-) - -diff --git a/kernel/taskstats.c b/kernel/taskstats.c -index 13a0f2e6ebc2..e2ac0e37c4ae 100644 ---- a/kernel/taskstats.c -+++ b/kernel/taskstats.c -@@ -554,25 +554,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) - static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) - { - struct signal_struct *sig = tsk->signal; -- struct taskstats *stats; -+ struct taskstats *stats_new, *stats; - -- if (sig->stats || thread_group_empty(tsk)) -- goto ret; -+ /* Pairs with smp_store_release() below. */ -+ stats = smp_load_acquire(&sig->stats); -+ if (stats || thread_group_empty(tsk)) -+ return stats; - - /* No problem if kmem_cache_zalloc() fails */ -- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); -+ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); - - spin_lock_irq(&tsk->sighand->siglock); -- if (!sig->stats) { -- sig->stats = stats; -- stats = NULL; -+ stats = sig->stats; -+ if (!stats) { -+ /* -+ * Pairs with smp_store_release() above and order the -+ * kmem_cache_zalloc(). -+ */ -+ smp_store_release(&sig->stats, stats_new); -+ stats = stats_new; -+ stats_new = NULL; - } - spin_unlock_irq(&tsk->sighand->siglock); - -- if (stats) -- kmem_cache_free(taskstats_cache, stats); --ret: -- return sig->stats; -+ if (stats_new) -+ kmem_cache_free(taskstats_cache, stats_new); -+ -+ return stats; - } - - /* Send pid data out on exit */ --- -2.20.1 - diff --git a/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch b/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch deleted file mode 100644 index ad6b7ca8330..00000000000 --- a/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch +++ /dev/null @@ -1,125 +0,0 @@ -From c193c7923faeb60c10fa35404ff8d3501d128c33 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 6 Nov 2019 12:59:33 -0800 -Subject: tcp: fix data-race in tcp_recvmsg() - -From: Eric Dumazet - -[ Upstream commit a5a7daa52edb5197a3b696afee13ef174dc2e993 ] - -Reading tp->recvmsg_inq after socket lock is released -raises a KCSAN warning [1] - -Replace has_tss & has_cmsg by cmsg_flags and make -sure to not read tp->recvmsg_inq a second time. - -[1] -BUG: KCSAN: data-race in tcp_chrono_stop / tcp_recvmsg - -write to 0xffff888126adef24 of 2 bytes by interrupt on cpu 0: - tcp_chrono_set net/ipv4/tcp_output.c:2309 [inline] - tcp_chrono_stop+0x14c/0x280 net/ipv4/tcp_output.c:2338 - tcp_clean_rtx_queue net/ipv4/tcp_input.c:3165 [inline] - tcp_ack+0x274f/0x3170 net/ipv4/tcp_input.c:3688 - tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696 - tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561 - tcp_v4_rcv+0x19dc/0x1bb0 net/ipv4/tcp_ipv4.c:1942 - ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 - ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 - NF_HOOK include/linux/netfilter.h:305 [inline] - NF_HOOK include/linux/netfilter.h:299 [inline] - ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 - dst_input include/net/dst.h:442 [inline] - ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 - NF_HOOK include/linux/netfilter.h:305 [inline] - NF_HOOK include/linux/netfilter.h:299 [inline] - ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 - __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 - __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 - netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5214 - napi_skb_finish net/core/dev.c:5677 [inline] - napi_gro_receive+0x28f/0x330 net/core/dev.c:5710 - -read to 0xffff888126adef25 of 1 bytes by task 7275 on cpu 1: - tcp_recvmsg+0x77b/0x1a30 net/ipv4/tcp.c:2187 - inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 - sock_recvmsg_nosec net/socket.c:871 [inline] - sock_recvmsg net/socket.c:889 [inline] - sock_recvmsg+0x92/0xb0 net/socket.c:885 - sock_read_iter+0x15f/0x1e0 net/socket.c:967 - call_read_iter include/linux/fs.h:1889 [inline] - new_sync_read+0x389/0x4f0 fs/read_write.c:414 - __vfs_read+0xb1/0xc0 fs/read_write.c:427 - vfs_read fs/read_write.c:461 [inline] - vfs_read+0x143/0x2c0 fs/read_write.c:446 - ksys_read+0xd5/0x1b0 fs/read_write.c:587 - __do_sys_read fs/read_write.c:597 [inline] - __se_sys_read fs/read_write.c:595 [inline] - __x64_sys_read+0x4c/0x60 fs/read_write.c:595 - do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 1 PID: 7275 Comm: sshd Not tainted 5.4.0-rc3+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - -Fixes: b75eba76d3d7 ("tcp: send in-queue bytes in cmsg upon read") -Signed-off-by: Eric Dumazet -Acked-by: Soheil Hassas Yeganeh -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index d8876f0e9672..e537a4b6531b 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -1958,8 +1958,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, - struct sk_buff *skb, *last; - u32 urg_hole = 0; - struct scm_timestamping_internal tss; -- bool has_tss = false; -- bool has_cmsg; -+ int cmsg_flags; - - if (unlikely(flags & MSG_ERRQUEUE)) - return inet_recv_error(sk, msg, len, addr_len); -@@ -1974,7 +1973,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, - if (sk->sk_state == TCP_LISTEN) - goto out; - -- has_cmsg = tp->recvmsg_inq; -+ cmsg_flags = tp->recvmsg_inq ? 1 : 0; - timeo = sock_rcvtimeo(sk, nonblock); - - /* Urgent data needs to be handled specially. */ -@@ -2157,8 +2156,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, - - if (TCP_SKB_CB(skb)->has_rxtstamp) { - tcp_update_recv_tstamps(skb, &tss); -- has_tss = true; -- has_cmsg = true; -+ cmsg_flags |= 2; - } - if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) - goto found_fin_ok; -@@ -2183,10 +2181,10 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, - - release_sock(sk); - -- if (has_cmsg) { -- if (has_tss) -+ if (cmsg_flags) { -+ if (cmsg_flags & 2) - tcp_recv_timestamp(msg, sk, &tss); -- if (tp->recvmsg_inq) { -+ if (cmsg_flags & 1) { - inq = tcp_inq_hint(sk); - put_cmsg(msg, SOL_TCP, TCP_CM_INQ, sizeof(inq), &inq); - } --- -2.20.1 - diff --git a/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch b/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch deleted file mode 100644 index 80ac95d4c56..00000000000 --- a/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 3754e5dc4a4dfc567d1ec6199ce978ec2e3646c4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Nov 2019 10:46:51 +0900 -Subject: tomoyo: Don't use nifty names on sockets. - -From: Tetsuo Handa - -[ Upstream commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e ] - -syzbot is reporting that use of SOCKET_I()->sk from open() can result in -use after free problem [1], for socket's inode is still reachable via -/proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. - -At first I thought that this race condition applies to only open/getattr -permission checks. But James Morris has pointed out that there are more -permission checks where this race condition applies to. Thus, get rid of -tomoyo_get_socket_name() instead of conditionally bypassing permission -checks on sockets. As a side effect of this patch, -"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be -rewritten to "socket:[\$]". - -[1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74 - -Signed-off-by: Tetsuo Handa -Reported-by: syzbot -Reported-by: James Morris -Signed-off-by: Sasha Levin ---- - security/tomoyo/realpath.c | 32 +------------------------------- - 1 file changed, 1 insertion(+), 31 deletions(-) - -diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c -index e7832448d721..bf38fc1b59b2 100644 ---- a/security/tomoyo/realpath.c -+++ b/security/tomoyo/realpath.c -@@ -217,31 +217,6 @@ static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer, - return ERR_PTR(-ENOMEM); - } - --/** -- * tomoyo_get_socket_name - Get the name of a socket. -- * -- * @path: Pointer to "struct path". -- * @buffer: Pointer to buffer to return value in. -- * @buflen: Sizeof @buffer. -- * -- * Returns the buffer. -- */ --static char *tomoyo_get_socket_name(const struct path *path, char * const buffer, -- const int buflen) --{ -- struct inode *inode = d_backing_inode(path->dentry); -- struct socket *sock = inode ? SOCKET_I(inode) : NULL; -- struct sock *sk = sock ? sock->sk : NULL; -- -- if (sk) { -- snprintf(buffer, buflen, "socket:[family=%u:type=%u:protocol=%u]", -- sk->sk_family, sk->sk_type, sk->sk_protocol); -- } else { -- snprintf(buffer, buflen, "socket:[unknown]"); -- } -- return buffer; --} -- - /** - * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root. - * -@@ -279,12 +254,7 @@ char *tomoyo_realpath_from_path(const struct path *path) - break; - /* To make sure that pos is '\0' terminated. */ - buf[buf_len - 1] = '\0'; -- /* Get better name for socket. */ -- if (sb->s_magic == SOCKFS_MAGIC) { -- pos = tomoyo_get_socket_name(path, buf, buf_len - 1); -- goto encode; -- } -- /* For "pipe:[\$]". */ -+ /* For "pipe:[\$]" and "socket:[\$]". */ - if (dentry->d_op && dentry->d_op->d_dname) { - pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1); - goto encode; --- -2.20.1 - diff --git a/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch b/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch deleted file mode 100644 index ba15aff57f0..00000000000 --- a/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch +++ /dev/null @@ -1,61 +0,0 @@ -From cf921d6da18a37a7cb82e65ee436eb242037f0a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 3 Dec 2019 23:34:56 -0800 -Subject: usb: gadget: fix wrong endpoint desc - -From: EJ Hsu - -[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ] - -Gadget driver should always use config_ep_by_speed() to initialize -usb_ep struct according to usb device's operating speed. Otherwise, -usb_ep struct may be wrong if usb devcie's operating speed is changed. - -The key point in this patch is that we want to make sure the desc pointer -in usb_ep struct will be set to NULL when gadget is disconnected. -This will force it to call config_ep_by_speed() to correctly initialize -usb_ep struct based on the new operating speed when gadget is -re-connected later. - -Reviewed-by: Peter Chen -Signed-off-by: EJ Hsu -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_ecm.c | 6 +++++- - drivers/usb/gadget/function/f_rndis.c | 1 + - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c -index 6ce044008cf6..460d5d7c984f 100644 ---- a/drivers/usb/gadget/function/f_ecm.c -+++ b/drivers/usb/gadget/function/f_ecm.c -@@ -621,8 +621,12 @@ static void ecm_disable(struct usb_function *f) - - DBG(cdev, "ecm deactivated\n"); - -- if (ecm->port.in_ep->enabled) -+ if (ecm->port.in_ep->enabled) { - gether_disconnect(&ecm->port); -+ } else { -+ ecm->port.in_ep->desc = NULL; -+ ecm->port.out_ep->desc = NULL; -+ } - - usb_ep_disable(ecm->notify); - ecm->notify->desc = NULL; -diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c -index d48df36622b7..0d8e4a364ca6 100644 ---- a/drivers/usb/gadget/function/f_rndis.c -+++ b/drivers/usb/gadget/function/f_rndis.c -@@ -618,6 +618,7 @@ static void rndis_disable(struct usb_function *f) - gether_disconnect(&rndis->port); - - usb_ep_disable(rndis->notify); -+ rndis->notify->desc = NULL; - } - - /*-------------------------------------------------------------------------*/ --- -2.20.1 - diff --git a/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch b/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch deleted file mode 100644 index 8e91ed0a864..00000000000 --- a/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch +++ /dev/null @@ -1,43 +0,0 @@ -From ddf5815b0a1464fbd0e15e889e101c2a646732e3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Dec 2019 15:17:50 +0100 -Subject: xen/balloon: fix ballooned page accounting without hotplug enabled - -From: Juergen Gross - -[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ] - -When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined -reserve_additional_memory() will set balloon_stats.target_pages to a -wrong value in case there are still some ballooned pages allocated via -alloc_xenballooned_pages(). - -This will result in balloon_process() no longer be triggered when -ballooned pages are freed in batches. - -Reported-by: Nicholas Tsirakis -Signed-off-by: Juergen Gross -Reviewed-by: Boris Ostrovsky -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin ---- - drivers/xen/balloon.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c -index 5bae515c8e25..bed90d612e48 100644 ---- a/drivers/xen/balloon.c -+++ b/drivers/xen/balloon.c -@@ -395,7 +395,8 @@ static struct notifier_block xen_memory_nb = { - #else - static enum bp_state reserve_additional_memory(void) - { -- balloon_stats.target_pages = balloon_stats.current_pages; -+ balloon_stats.target_pages = balloon_stats.current_pages + -+ balloon_stats.target_unpopulated; - return BP_ECANCELED; - } - #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */ --- -2.20.1 - diff --git a/queue-5.4/xen-blkback-prevent-premature-module-unload.patch b/queue-5.4/xen-blkback-prevent-premature-module-unload.patch deleted file mode 100644 index bb6a9deff71..00000000000 --- a/queue-5.4/xen-blkback-prevent-premature-module-unload.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 480f9ffd7841dbde86237d087a89fdba634e21ec Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 10 Dec 2019 14:53:05 +0000 -Subject: xen-blkback: prevent premature module unload -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Paul Durrant - -[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ] - -Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem -cache. This cache is destoyed when xen-blkif is unloaded so it is -necessary to wait for the deferred free routine used for such objects to -complete. This necessity was missed in commit 14855954f636 "xen-blkback: -allow module to be cleanly unloaded". This patch fixes the problem by -taking/releasing extra module references in xen_blkif_alloc/free() -respectively. - -Signed-off-by: Paul Durrant -Reviewed-by: Roger Pau Monné -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin ---- - drivers/block/xen-blkback/xenbus.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c -index b90dbcd99c03..c4cd68116e7f 100644 ---- a/drivers/block/xen-blkback/xenbus.c -+++ b/drivers/block/xen-blkback/xenbus.c -@@ -171,6 +171,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid) - blkif->domid = domid; - atomic_set(&blkif->refcnt, 1); - init_completion(&blkif->drain_complete); -+ -+ /* -+ * Because freeing back to the cache may be deferred, it is not -+ * safe to unload the module (and hence destroy the cache) until -+ * this has completed. To prevent premature unloading, take an -+ * extra module reference here and release only when the object -+ * has been freed back to the cache. -+ */ -+ __module_get(THIS_MODULE); - INIT_WORK(&blkif->free_work, xen_blkif_deferred_free); - - return blkif; -@@ -320,6 +329,7 @@ static void xen_blkif_free(struct xen_blkif *blkif) - - /* Make sure everything is drained before shutting down */ - kmem_cache_free(xen_blkif_cachep, blkif); -+ module_put(THIS_MODULE); - } - - int __init xen_blkif_interface_init(void) --- -2.20.1 - diff --git a/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch b/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch deleted file mode 100644 index 7050a1d6ec3..00000000000 --- a/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 0f1b1b4d60400feda3564064aa7b02c54be7254b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 3 Dec 2019 07:53:15 -0800 -Subject: xfs: fix mount failure crash on invalid iclog memory access - -From: Brian Foster - -[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ] - -syzbot (via KASAN) reports a use-after-free in the error path of -xlog_alloc_log(). Specifically, the iclog freeing loop doesn't -handle the case of a fully initialized ->l_iclog linked list. -Instead, it assumes that the list is partially constructed and NULL -terminated. - -This bug manifested because there was no possible error scenario -after iclog list setup when the original code was added. Subsequent -code and associated error conditions were added some time later, -while the original error handling code was never updated. Fix up the -error loop to terminate either on a NULL iclog or reaching the end -of the list. - -Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com -Signed-off-by: Brian Foster -Reviewed-by: Darrick J. Wong -Signed-off-by: Darrick J. Wong -Signed-off-by: Sasha Levin ---- - fs/xfs/xfs_log.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c -index 641d07f30a27..7b0d9ad8cb1a 100644 ---- a/fs/xfs/xfs_log.c -+++ b/fs/xfs/xfs_log.c -@@ -1495,6 +1495,8 @@ xlog_alloc_log( - prev_iclog = iclog->ic_next; - kmem_free(iclog->ic_data); - kmem_free(iclog); -+ if (prev_iclog == log->l_iclog) -+ break; - } - out_free_log: - kmem_free(log); --- -2.20.1 -