From: Sasha Levin Date: Mon, 11 Nov 2019 15:39:11 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.4.201~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eac2ebde3531186a268c7b8fdeed94b4a8874cdb;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch b/queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch new file mode 100644 index 00000000000..88439811b90 --- /dev/null +++ b/queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch @@ -0,0 +1,100 @@ +From 119c7d31519736562cf148d33be29f57d374edf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:47:52 +0000 +Subject: bonding: fix unexpected IFF_BONDING bit unset + +From: Taehee Yoo + +[ Upstream commit 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ] + +The IFF_BONDING means bonding master or bonding slave device. +->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets +IFF_BONDING flag. + +bond0<--bond1 + +Both bond0 and bond1 are bonding device and these should keep having +IFF_BONDING flag until they are removed. +But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine +do not check whether the slave device is the bonding type or not. +This patch adds the interface type check routine before removing +IFF_BONDING flag. + +Test commands: + ip link add bond0 type bond + ip link add bond1 type bond + ip link set bond1 master bond0 + ip link set bond1 nomaster + ip link del bond1 type bond + ip link add bond1 type bond + +Splat looks like: +[ 226.665555] proc_dir_entry 'bonding/bond1' already registered +[ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0 +[ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix +[ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96 +[ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0 +[ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e +0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00 +[ 226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282 +[ 226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2 +[ 226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c +[ 226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019 +[ 226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008 +[ 226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e +[ 226.680758] FS: 00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000 +[ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0 +[ 226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 226.685681] Call Trace: +[ 226.687089] proc_create_seq_private+0xb3/0xf0 +[ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding] +[ 226.691458] bond_netdev_event+0x433/0x970 [bonding] +[ 226.692139] ? __module_text_address+0x13/0x140 +[ 226.692779] notifier_call_chain+0x90/0x160 +[ 226.693401] register_netdevice+0x9b3/0xd80 +[ 226.694010] ? alloc_netdev_mqs+0x854/0xc10 +[ 226.694629] ? netdev_change_features+0xa0/0xa0 +[ 226.695278] ? rtnl_create_link+0x2ed/0xad0 +[ 226.695849] bond_newlink+0x2a/0x60 [bonding] +[ 226.696422] __rtnl_newlink+0xb9f/0x11b0 +[ 226.696968] ? rtnl_link_unregister+0x220/0x220 +[ ... ] + +Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index c1971bca62fb1..d52fd842ef1fe 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1759,7 +1759,8 @@ err_detach: + slave_disable_netpoll(new_slave); + + err_close: +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); + + err_restore_mac: +@@ -1960,7 +1961,8 @@ static int __bond_release_one(struct net_device *bond_dev, + + dev_set_mtu(slave_dev, slave->original_mtu); + +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + + bond_free_slave(slave); + +-- +2.20.1 + diff --git a/queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch b/queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch new file mode 100644 index 00000000000..01687d2a99a --- /dev/null +++ b/queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch @@ -0,0 +1,39 @@ +From 10780beb127e974d50c54f920e7f53dd0ac881bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 08:00:26 +0000 +Subject: can: flexcan: disable completely the ECC mechanism + +From: Joakim Zhang + +[ Upstream commit 5e269324db5adb2f5f6ec9a93a9c7b0672932b47 ] + +The ECC (memory error detection and correction) mechanism can be +activated or not, controlled by the ECCDIS bit in CAN_MECR. When +disabled, updates on indications and reporting registers are stopped. +So if want to disable ECC completely, had better assert ECCDIS bit, not +just mask the related interrupts. + +Fixes: cdce844865be ("can: flexcan: add vf610 support for FlexCAN") +Signed-off-by: Joakim Zhang +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index baef09b9449f9..6b866d0451b21 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -923,6 +923,7 @@ static int flexcan_chip_start(struct net_device *dev) + reg_mecr = flexcan_read(®s->mecr); + reg_mecr &= ~FLEXCAN_MECR_ECRWRDIS; + flexcan_write(reg_mecr, ®s->mecr); ++ reg_mecr |= FLEXCAN_MECR_ECCDIS; + reg_mecr &= ~(FLEXCAN_MECR_NCEFAFRZ | FLEXCAN_MECR_HANCEI_MSK | + FLEXCAN_MECR_FANCEI_MSK); + flexcan_write(reg_mecr, ®s->mecr); +-- +2.20.1 + diff --git a/queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch b/queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch new file mode 100644 index 00000000000..ee40de2efe1 --- /dev/null +++ b/queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch @@ -0,0 +1,66 @@ +From 9a1a494d8d47747159c78bf5b7b36dcf2cda6585 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 16:20:58 +0530 +Subject: dmaengine: xilinx_dma: Fix control reg update in + vdma_channel_set_config + +From: Radhey Shyam Pandey + +[ Upstream commit 6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ] + +In vdma_channel_set_config clear the delay, frame count and master mask +before updating their new values. It avoids programming incorrect state +when input parameters are different from default. + +Signed-off-by: Radhey Shyam Pandey +Acked-by: Appana Durga Kedareswara rao +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 8288fe4d17c38..cd271f7826051 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -72,6 +72,9 @@ + #define XILINX_DMA_DMACR_CIRC_EN BIT(1) + #define XILINX_DMA_DMACR_RUNSTOP BIT(0) + #define XILINX_DMA_DMACR_FSYNCSRC_MASK GENMASK(6, 5) ++#define XILINX_DMA_DMACR_DELAY_MASK GENMASK(31, 24) ++#define XILINX_DMA_DMACR_FRAME_COUNT_MASK GENMASK(23, 16) ++#define XILINX_DMA_DMACR_MASTER_MASK GENMASK(11, 8) + + #define XILINX_DMA_REG_DMASR 0x0004 + #define XILINX_DMA_DMASR_EOL_LATE_ERR BIT(15) +@@ -2054,8 +2057,10 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan, + chan->config.gen_lock = cfg->gen_lock; + chan->config.master = cfg->master; + ++ dmacr &= ~XILINX_DMA_DMACR_GENLOCK_EN; + if (cfg->gen_lock && chan->genlock) { + dmacr |= XILINX_DMA_DMACR_GENLOCK_EN; ++ dmacr &= ~XILINX_DMA_DMACR_MASTER_MASK; + dmacr |= cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT; + } + +@@ -2069,11 +2074,13 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan, + chan->config.delay = cfg->delay; + + if (cfg->coalesc <= XILINX_DMA_DMACR_FRAME_COUNT_MAX) { ++ dmacr &= ~XILINX_DMA_DMACR_FRAME_COUNT_MASK; + dmacr |= cfg->coalesc << XILINX_DMA_DMACR_FRAME_COUNT_SHIFT; + chan->config.coalesc = cfg->coalesc; + } + + if (cfg->delay <= XILINX_DMA_DMACR_DELAY_MAX) { ++ dmacr &= ~XILINX_DMA_DMACR_DELAY_MASK; + dmacr |= cfg->delay << XILINX_DMA_DMACR_DELAY_SHIFT; + chan->config.delay = cfg->delay; + } +-- +2.20.1 + diff --git a/queue-4.9/e1000-fix-memory-leaks.patch b/queue-4.9/e1000-fix-memory-leaks.patch new file mode 100644 index 00000000000..b8079b244e7 --- /dev/null +++ b/queue-4.9/e1000-fix-memory-leaks.patch @@ -0,0 +1,61 @@ +From c699f002733df7b691efe4aed11a793334de0a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 00:59:21 -0500 +Subject: e1000: fix memory leaks + +From: Wenwen Wang + +[ Upstream commit 8472ba62154058b64ebb83d5f57259a352d28697 ] + +In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if +e1000_up() fails, leading to memory leaks. Refactor the code to fix this +issue. + +Signed-off-by: Wenwen Wang +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index 2a81f6d721404..8936f19e9325f 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -628,6 +628,7 @@ static int e1000_set_ringparam(struct net_device *netdev, + for (i = 0; i < adapter->num_rx_queues; i++) + rxdr[i].count = rxdr->count; + ++ err = 0; + if (netif_running(adapter->netdev)) { + /* Try to get new resources before deleting old */ + err = e1000_setup_all_rx_resources(adapter); +@@ -648,14 +649,13 @@ static int e1000_set_ringparam(struct net_device *netdev, + adapter->rx_ring = rxdr; + adapter->tx_ring = txdr; + err = e1000_up(adapter); +- if (err) +- goto err_setup; + } + kfree(tx_old); + kfree(rx_old); + + clear_bit(__E1000_RESETTING, &adapter->flags); +- return 0; ++ return err; ++ + err_setup_tx: + e1000_free_all_rx_resources(adapter); + err_setup_rx: +@@ -667,7 +667,6 @@ err_alloc_rx: + err_alloc_tx: + if (netif_running(adapter->netdev)) + e1000_up(adapter); +-err_setup: + clear_bit(__E1000_RESETTING, &adapter->flags); + return err; + } +-- +2.20.1 + diff --git a/queue-4.9/fjes-handle-workqueue-allocation-failure.patch b/queue-4.9/fjes-handle-workqueue-allocation-failure.patch new file mode 100644 index 00000000000..c6ffbfe095a --- /dev/null +++ b/queue-4.9/fjes-handle-workqueue-allocation-failure.patch @@ -0,0 +1,69 @@ +From 68bfad3c6d830cb4e7ac4bc73d8ac98fbc85f11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:06:02 +0100 +Subject: fjes: Handle workqueue allocation failure + +From: Will Deacon + +[ Upstream commit 85ac30fa2e24f628e9f4f9344460f4015d33fd7d ] + +In the highly unlikely event that we fail to allocate either of the +"/txrx" or "/control" workqueues, we should bail cleanly rather than +blindly march on with NULL queue pointer(s) installed in the +'fjes_adapter' instance. + +Cc: "David S. Miller" +Reported-by: Nicolas Waisman +Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ +Signed-off-by: Will Deacon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index 7ea8ead4fd1c7..bbc983b04561f 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1187,8 +1187,17 @@ static int fjes_probe(struct platform_device *plat_dev) + adapter->open_guard = false; + + adapter->txrx_wq = alloc_workqueue(DRV_NAME "/txrx", WQ_MEM_RECLAIM, 0); ++ if (unlikely(!adapter->txrx_wq)) { ++ err = -ENOMEM; ++ goto err_free_netdev; ++ } ++ + adapter->control_wq = alloc_workqueue(DRV_NAME "/control", + WQ_MEM_RECLAIM, 0); ++ if (unlikely(!adapter->control_wq)) { ++ err = -ENOMEM; ++ goto err_free_txrx_wq; ++ } + + INIT_WORK(&adapter->tx_stall_task, fjes_tx_stall_task); + INIT_WORK(&adapter->raise_intr_rxdata_task, +@@ -1205,7 +1214,7 @@ static int fjes_probe(struct platform_device *plat_dev) + hw->hw_res.irq = platform_get_irq(plat_dev, 0); + err = fjes_hw_init(&adapter->hw); + if (err) +- goto err_free_netdev; ++ goto err_free_control_wq; + + /* setup MAC address (02:00:00:00:00:[epid])*/ + netdev->dev_addr[0] = 2; +@@ -1225,6 +1234,10 @@ static int fjes_probe(struct platform_device *plat_dev) + + err_hw_exit: + fjes_hw_exit(&adapter->hw); ++err_free_control_wq: ++ destroy_workqueue(adapter->control_wq); ++err_free_txrx_wq: ++ destroy_workqueue(adapter->txrx_wq); + err_free_netdev: + free_netdev(netdev); + err_out: +-- +2.20.1 + diff --git a/queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch b/queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch new file mode 100644 index 00000000000..9d8ea6da7f2 --- /dev/null +++ b/queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch @@ -0,0 +1,36 @@ +From 015e96d1c4b27554c968dccd5ba551c5a9da0ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 08:15:59 +0800 +Subject: HID: intel-ish-hid: fix wrong error handling in + ishtp_cl_alloc_tx_ring() + +From: Zhang Lixu + +[ Upstream commit 16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ] + +When allocating tx ring buffers failed, should free tx buffers, not rx buffers. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/client-buffers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c +index b9b917d2d50db..c41dbb167c91b 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c ++++ b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c +@@ -90,7 +90,7 @@ int ishtp_cl_alloc_tx_ring(struct ishtp_cl *cl) + return 0; + out: + dev_err(&cl->device->dev, "error in allocating Tx pool\n"); +- ishtp_cl_free_rx_ring(cl); ++ ishtp_cl_free_tx_ring(cl); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch b/queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch new file mode 100644 index 00000000000..c3af6f06df6 --- /dev/null +++ b/queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch @@ -0,0 +1,48 @@ +From b7d75310caf1ee217f87b471ec0903ed1e7dc318 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 13:55:20 -0700 +Subject: igb: Fix constant media auto sense switching when no cable is + connected + +From: Manfred Rudigier + +[ Upstream commit 8d5cfd7f76a2414e23c74bb8858af7540365d985 ] + +At least on the i350 there is an annoying behavior that is maybe also +present on 82580 devices, but was probably not noticed yet as MAS is not +widely used. + +If no cable is connected on both fiber/copper ports the media auto sense +code will constantly swap between them as part of the watchdog task and +produce many unnecessary kernel log messages. + +The swap code responsible for this behavior (switching to fiber) should +not be executed if the current media type is copper and there is no signal +detected on the fiber port. In this case we can safely wait until the +AUTOSENSE_EN bit is cleared. + +Signed-off-by: Manfred Rudigier +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 7956176c2c73e..7e35bd6656307 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1677,7 +1677,8 @@ static void igb_check_swap_media(struct igb_adapter *adapter) + if ((hw->phy.media_type == e1000_media_type_copper) && + (!(connsw & E1000_CONNSW_AUTOSENSE_EN))) { + swap_now = true; +- } else if (!(connsw & E1000_CONNSW_SERDESD)) { ++ } else if ((hw->phy.media_type != e1000_media_type_copper) && ++ !(connsw & E1000_CONNSW_SERDESD)) { + /* copper signal takes time to appear */ + if (adapter->copper_tries < 4) { + adapter->copper_tries++; +-- +2.20.1 + diff --git a/queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch b/queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch new file mode 100644 index 00000000000..f9ba0ff3d91 --- /dev/null +++ b/queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch @@ -0,0 +1,117 @@ +From eefa8c64ced3b4f49bd6337308908143e8891106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 09:53:03 -0700 +Subject: ipvs: move old_secure_tcp into struct netns_ipvs + +From: Eric Dumazet + +[ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ] + +syzbot reported the following issue : + +BUG: KCSAN: data-race in update_defense_level / update_defense_level + +read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1: + update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177 + defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0: + update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205 + defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events defense_work_handler + +Indeed, old_secure_tcp is currently a static variable, while it +needs to be a per netns variable. + +Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 1 + + net/netfilter/ipvs/ip_vs_ctl.c | 15 +++++++-------- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index cd6018a9ee246..a26165744d980 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -887,6 +887,7 @@ struct netns_ipvs { + struct delayed_work defense_work; /* Work handler */ + int drop_rate; + int drop_counter; ++ int old_secure_tcp; + atomic_t dropentry; + /* locks in ctl.c */ + spinlock_t dropentry_lock; /* drop entry handling */ +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 8037b25ddb76a..33125fc009cfd 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -97,7 +97,6 @@ static bool __ip_vs_addr_is_local_v6(struct net *net, + static void update_defense_level(struct netns_ipvs *ipvs) + { + struct sysinfo i; +- static int old_secure_tcp = 0; + int availmem; + int nomem; + int to_change = -1; +@@ -178,35 +177,35 @@ static void update_defense_level(struct netns_ipvs *ipvs) + spin_lock(&ipvs->securetcp_lock); + switch (ipvs->sysctl_secure_tcp) { + case 0: +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + break; + case 1: + if (nomem) { +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + ipvs->sysctl_secure_tcp = 2; + } else { +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + } + break; + case 2: + if (nomem) { +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + } else { +- if (old_secure_tcp >= 2) ++ if (ipvs->old_secure_tcp >= 2) + to_change = 0; + ipvs->sysctl_secure_tcp = 1; + } + break; + case 3: +- if (old_secure_tcp < 2) ++ if (ipvs->old_secure_tcp < 2) + to_change = 1; + break; + } +- old_secure_tcp = ipvs->sysctl_secure_tcp; ++ ipvs->old_secure_tcp = ipvs->sysctl_secure_tcp; + if (to_change >= 0) + ip_vs_protocol_timeout_change(ipvs, + ipvs->sysctl_secure_tcp > 1); +-- +2.20.1 + diff --git a/queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch b/queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch new file mode 100644 index 00000000000..73d2d43b32d --- /dev/null +++ b/queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch @@ -0,0 +1,37 @@ +From 31983caeaf28038722cda61c430488ecf737c10d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 20:17:25 +0800 +Subject: net: ethernet: arc: add the missed clk_disable_unprepare + +From: Chuhong Yuan + +[ Upstream commit 4202e219edd6cc164c042e16fa327525410705ae ] + +The remove misses to disable and unprepare priv->macclk like what is done +when probe fails. +Add the missed call in remove. + +Signed-off-by: Chuhong Yuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/arc/emac_rockchip.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c +index c770ca37c9b21..a7d30731d376f 100644 +--- a/drivers/net/ethernet/arc/emac_rockchip.c ++++ b/drivers/net/ethernet/arc/emac_rockchip.c +@@ -261,6 +261,9 @@ static int emac_rockchip_remove(struct platform_device *pdev) + if (priv->regulator) + regulator_disable(priv->regulator); + ++ if (priv->soc_data->need_div_macclk) ++ clk_disable_unprepare(priv->macclk); ++ + free_netdev(ndev); + return err; + } +-- +2.20.1 + diff --git a/queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch b/queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch new file mode 100644 index 00000000000..3caca9b6472 --- /dev/null +++ b/queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch @@ -0,0 +1,59 @@ +From 0ea88a14a184c1dd1ac60cd83601878cd2a2be31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 21:48:22 +0800 +Subject: net: hisilicon: Fix "Trying to free already-free IRQ" + +From: Jiangfeng Xiao + +[ Upstream commit 63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ] + +When rmmod hip04_eth.ko, we can get the following warning: + +Task track: rmmod(1623)>bash(1591)>login(1581)>init(1) +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac() +Trying to free already-free IRQ 200 +Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv +CPU: 0 PID: 1623 Comm: rmmod Tainted: G O 4.4.193 #1 +Hardware name: Hisilicon A15 +[] (rtos_unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xa0/0xd8) +[] (dump_stack) from [] (warn_slowpath_common+0x84/0xb0) +[] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x3c/0x68) +[] (warn_slowpath_fmt) from [] (__free_irq+0xa4/0x2ac) +[] (__free_irq) from [] (free_irq+0x60/0x7c) +[] (free_irq) from [] (release_nodes+0x1c4/0x1ec) +[] (release_nodes) from [] (__device_release_driver+0xa8/0x104) +[] (__device_release_driver) from [] (driver_detach+0xd0/0xf8) +[] (driver_detach) from [] (bus_remove_driver+0x64/0x8c) +[] (bus_remove_driver) from [] (SyS_delete_module+0x198/0x1e0) +[] (SyS_delete_module) from [] (__sys_trace_return+0x0/0x10) +---[ end trace bb25d6123d849b44 ]--- + +Currently "rmmod hip04_eth.ko" call free_irq more than once +as devres_release_all and hip04_remove both call free_irq. +This results in a 'Trying to free already-free IRQ' warning. +To solve the problem free_irq has been moved out of hip04_remove. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 407e1177d9d1a..4436a0307f32e 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -953,7 +953,6 @@ static int hip04_remove(struct platform_device *pdev) + + hip04_free_ring(ndev, d); + unregister_netdev(ndev); +- free_irq(ndev->irq, ndev); + of_node_put(priv->phy_node); + cancel_work_sync(&priv->tx_timeout_task); + free_netdev(ndev); +-- +2.20.1 + diff --git a/queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch b/queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch new file mode 100644 index 00000000000..dca4c48aa7b --- /dev/null +++ b/queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch @@ -0,0 +1,97 @@ +From 8d5bc98a285088cf74af18f4dbdd1ac5355769cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 18:40:32 -0400 +Subject: NFSv4: Don't allow a cached open with a revoked delegation + +From: Trond Myklebust + +[ Upstream commit be3df3dd4c70ee020587a943a31b98a0fb4b6424 ] + +If the delegation is marked as being revoked, we must not use it +for cached opens. + +Fixes: 869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 10 ++++++++++ + fs/nfs/delegation.h | 1 + + fs/nfs/nfs4proc.c | 7 ++----- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index dff600ae0d747..46afd7cdcc378 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -52,6 +52,16 @@ nfs4_is_valid_delegation(const struct nfs_delegation *delegation, + return false; + } + ++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode) ++{ ++ struct nfs_delegation *delegation; ++ ++ delegation = rcu_dereference(NFS_I(inode)->delegation); ++ if (nfs4_is_valid_delegation(delegation, 0)) ++ return delegation; ++ return NULL; ++} ++ + static int + nfs4_do_check_delegation(struct inode *inode, fmode_t flags, bool mark) + { +diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h +index e9d5557968739..2c6cb7fb7d5ee 100644 +--- a/fs/nfs/delegation.h ++++ b/fs/nfs/delegation.h +@@ -62,6 +62,7 @@ int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state + int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid); + bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, struct rpc_cred **cred); + ++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode); + void nfs_mark_delegation_referenced(struct nfs_delegation *delegation); + int nfs4_have_delegation(struct inode *inode, fmode_t flags); + int nfs4_check_delegation(struct inode *inode, fmode_t flags); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 8354dfae7038e..ca4249ae644f2 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1368,8 +1368,6 @@ static int can_open_delegated(struct nfs_delegation *delegation, fmode_t fmode, + return 0; + if ((delegation->type & fmode) != fmode) + return 0; +- if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags)) +- return 0; + switch (claim) { + case NFS4_OPEN_CLAIM_NULL: + case NFS4_OPEN_CLAIM_FH: +@@ -1628,7 +1626,6 @@ static void nfs4_return_incompatible_delegation(struct inode *inode, fmode_t fmo + static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) + { + struct nfs4_state *state = opendata->state; +- struct nfs_inode *nfsi = NFS_I(state->inode); + struct nfs_delegation *delegation; + int open_mode = opendata->o_arg.open_flags; + fmode_t fmode = opendata->o_arg.fmode; +@@ -1645,7 +1642,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) + } + spin_unlock(&state->owner->so_lock); + rcu_read_lock(); +- delegation = rcu_dereference(nfsi->delegation); ++ delegation = nfs4_get_valid_delegation(state->inode); + if (!can_open_delegated(delegation, fmode, claim)) { + rcu_read_unlock(); + break; +@@ -2142,7 +2139,7 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata) + if (can_open_cached(data->state, data->o_arg.fmode, data->o_arg.open_flags)) + goto out_no_action; + rcu_read_lock(); +- delegation = rcu_dereference(NFS_I(data->state->inode)->delegation); ++ delegation = nfs4_get_valid_delegation(data->state->inode); + if (can_open_delegated(delegation, data->o_arg.fmode, claim)) + goto unlock_no_action; + rcu_read_unlock(); +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch b/queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch new file mode 100644 index 00000000000..6d79a9ea919 --- /dev/null +++ b/queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch @@ -0,0 +1,55 @@ +From d8d6fd70ceab733a61a27902ab581abf0aefde63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 10:09:54 -0500 +Subject: perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus + precise RIP validity + +From: Kim Phillips + +[ Upstream commit 317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ] + +The loop that reads all the IBS MSRs into *buf stopped one MSR short of +reading the IbsOpData register, which contains the RipInvalid status bit. + +Fix the offset_max assignment so the MSR gets read, so the RIP invalid +evaluation is based on what the IBS h/w output, instead of what was +left in memory. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample") +Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index 112e3c4636b4f..a8317d384773a 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -624,7 +624,7 @@ fail: + if (event->attr.sample_type & PERF_SAMPLE_RAW) + offset_max = perf_ibs->offset_max; + else if (check_rip) +- offset_max = 2; ++ offset_max = 3; + else + offset_max = 1; + do { +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch b/queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch new file mode 100644 index 00000000000..326a49f5749 --- /dev/null +++ b/queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch @@ -0,0 +1,71 @@ +From 0ea8a0932c3fe7f65f3482ae737f68f628753c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 10:09:55 -0500 +Subject: perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family + (10h) + +From: Kim Phillips + +[ Upstream commit e431e79b60603079d269e0c2a5177943b95fa4b6 ] + +This saves us writing the IBS control MSR twice when disabling the +event. + +I searched revision guides for all families since 10h, and did not +find occurrence of erratum #420, nor anything remotely similar: +so we isolate the secondary MSR write to family 10h only. + +Also unconditionally update the count mask for IBS Op implementations +that have read & writeable current count (CurCnt) fields in addition +to the MaxCnt field. These bits were reserved on prior +implementations, and therefore shouldn't have negative impact. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420") +Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index a8317d384773a..5f72b473f3ed3 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -388,7 +388,8 @@ static inline void perf_ibs_disable_event(struct perf_ibs *perf_ibs, + struct hw_perf_event *hwc, u64 config) + { + config &= ~perf_ibs->cnt_mask; +- wrmsrl(hwc->config_base, config); ++ if (boot_cpu_data.x86 == 0x10) ++ wrmsrl(hwc->config_base, config); + config &= ~perf_ibs->enable_mask; + wrmsrl(hwc->config_base, config); + } +@@ -563,7 +564,8 @@ static struct perf_ibs perf_ibs_op = { + }, + .msr = MSR_AMD64_IBSOPCTL, + .config_mask = IBS_OP_CONFIG_MASK, +- .cnt_mask = IBS_OP_MAX_CNT, ++ .cnt_mask = IBS_OP_MAX_CNT | IBS_OP_CUR_CNT | ++ IBS_OP_CUR_CNT_RAND, + .enable_mask = IBS_OP_ENABLE, + .valid_mask = IBS_OP_VAL, + .max_period = IBS_OP_MAX_CNT << 4, +-- +2.20.1 + diff --git a/queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch b/queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch new file mode 100644 index 00000000000..fa2ebd28d06 --- /dev/null +++ b/queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch @@ -0,0 +1,46 @@ +From 8b40794fdf5bf579deb2e8da0d7fcc14eb82ec83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 18:04:40 +0530 +Subject: RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case + +From: Potnuri Bharat Teja + +[ Upstream commit d4934f45693651ea15357dd6c7c36be28b6da884 ] + +_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by +process_work(). fix double free by freeing the skb only in process_work(). + +Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers") +Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com +Signed-off-by: Dakshaja Uppalapati +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index e5752352e0fb1..605d50ad123cc 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -490,7 +490,6 @@ static int _put_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) + + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + release_ep_resources(ep); +- kfree_skb(skb); + return 0; + } + +@@ -501,7 +500,6 @@ static int _put_pass_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb) + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + c4iw_put_ep(&ep->parent_ep->com); + release_ep_resources(ep); +- kfree_skb(skb); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch b/queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch new file mode 100644 index 00000000000..ab5ed63cf2b --- /dev/null +++ b/queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch @@ -0,0 +1,65 @@ +From 94e5921b2ec0bf52409a4974e0c5a4230624ec62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 09:21:12 +0200 +Subject: scsi: lpfc: Honor module parameter lpfc_use_adisc + +From: Daniel Wagner + +[ Upstream commit 0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ] + +The initial lpfc_desc_set_adisc implementation in commit +dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if + + cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE + +In commit 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of +SLI-3") this changed to + + (cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE + +and later in commit ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes +and enhancements.") to + + (cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET) + +A customer reports that after a devloss, an ADISC failure is logged. It +turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc += 0. + +[Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa +[Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000 + +[mkp: fixed Hannes' email] + +Fixes: 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3") +Cc: Dick Kennedy +Cc: James Smart +Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de +Reviewed-by: Hannes Reinecke +Reviewed-by: James Smart +Signed-off-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 56a3df4fddb05..21ec7b5b6c85c 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -759,9 +759,9 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + + if (!(vport->fc_flag & FC_PT2PT)) { + /* Check config parameter use-adisc or FCP-2 */ +- if ((vport->cfg_use_adisc && (vport->fc_flag & FC_RSCN_MODE)) || ++ if (vport->cfg_use_adisc && ((vport->fc_flag & FC_RSCN_MODE) || + ((ndlp->nlp_fcp_info & NLP_FCP_2_DEVICE) && +- (ndlp->nlp_type & NLP_FCP_TARGET))) { ++ (ndlp->nlp_type & NLP_FCP_TARGET)))) { + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag |= NLP_NPR_ADISC; + spin_unlock_irq(shost->host_lock); +-- +2.20.1 + diff --git a/queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch b/queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch new file mode 100644 index 00000000000..7d47ec07f54 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch @@ -0,0 +1,56 @@ +From 85b04c2d62ea658804956bd8a55f668b67a34bd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 16:04:58 +0200 +Subject: scsi: qla2xxx: fixup incorrect usage of host_byte + +From: Hannes Reinecke + +[ Upstream commit 66cf50e65b183c863825f5c28a818e3f47a72e40 ] + +DRIVER_ERROR is a a driver byte setting, not a host byte. The qla2xxx +driver should rather return DID_ERROR here to be in line with the other +drivers. + +Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de +Signed-off-by: Hannes Reinecke +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_bsg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index 4a6e086279f9a..33e4dceb895f2 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -252,7 +252,7 @@ qla2x00_process_els(struct fc_bsg_job *bsg_job) + srb_t *sp; + const char *type; + int req_sg_cnt, rsp_sg_cnt; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + uint16_t nextlid = 0; + + if (bsg_job->request->msgcode == FC_BSG_RPT_ELS) { +@@ -426,7 +426,7 @@ qla2x00_process_ct(struct fc_bsg_job *bsg_job) + struct Scsi_Host *host = bsg_job->shost; + scsi_qla_host_t *vha = shost_priv(host); + struct qla_hw_data *ha = vha->hw; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + int req_sg_cnt, rsp_sg_cnt; + uint16_t loop_id; + struct fc_port *fcport; +@@ -1911,7 +1911,7 @@ qlafx00_mgmt_cmd(struct fc_bsg_job *bsg_job) + struct Scsi_Host *host = bsg_job->shost; + scsi_qla_host_t *vha = shost_priv(host); + struct qla_hw_data *ha = vha->hw; +- int rval = (DRIVER_ERROR << 16); ++ int rval = (DID_ERROR << 16); + struct qla_mt_iocb_rqst_fx00 *piocb_rqst; + srb_t *sp; + int req_sg_cnt = 0, rsp_sg_cnt = 0; +-- +2.20.1 + diff --git a/queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch b/queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch new file mode 100644 index 00000000000..82d0a94497e --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch @@ -0,0 +1,49 @@ +From df7b5887c002fda414dfd6fb442e5bed1ed3741a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 16:38:04 +1000 +Subject: scsi: qla2xxx: stop timer in shutdown path + +From: Nicholas Piggin + +[ Upstream commit d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ] + +In shutdown/reboot paths, the timer is not stopped: + + qla2x00_shutdown + pci_device_shutdown + device_shutdown + kernel_restart_prepare + kernel_restart + sys_reboot + +This causes lockups (on powerpc) when firmware config space access calls +are interrupted by smp_send_stop later in reboot. + +Fixes: e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.") +Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com +Signed-off-by: Nicholas Piggin +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index c813c9b75a10b..3bae56b202f87 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3077,6 +3077,10 @@ qla2x00_shutdown(struct pci_dev *pdev) + /* Stop currently executing firmware. */ + qla2x00_try_to_stop_firmware(vha); + ++ /* Disable timer */ ++ if (vha->timer_active) ++ qla2x00_stop_timer(vha); ++ + /* Turn adapter off line */ + vha->flags.online = 0; + +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index da1ded9c2cf..dd8911dd60f 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -35,3 +35,29 @@ usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch drivers-usb-usbip-add-missing-break-statement-to-switch.patch pci-tegra-enable-relaxed-ordering-only-for-tegra20-tegra30.patch +dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch +hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch +scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch +scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch +ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch +bonding-fix-unexpected-iff_bonding-bit-unset.patch +usb-fsl-check-memory-resource-before-releasing-it.patch +usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch +usb-gadget-composite-fix-possible-double-free-memory.patch +usb-gadget-configfs-fix-concurrent-issue-between-com.patch +usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch +perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch +perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch +usb-skip-endpoints-with-0-maxpacket-length.patch +rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch +scsi-qla2xxx-stop-timer-in-shutdown-path.patch +fjes-handle-workqueue-allocation-failure.patch +net-hisilicon-fix-trying-to-free-already-free-irq.patch +nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch +net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch +igb-fix-constant-media-auto-sense-switching-when-no-.patch +e1000-fix-memory-leaks.patch +x86-apic-move-pending-interrupt-check-code-into-it-s.patch +x86-apic-drop-logical_smp_processor_id-inline.patch +x86-apic-32-avoid-bogus-ldr-warnings.patch +can-flexcan-disable-completely-the-ecc-mechanism.patch diff --git a/queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch b/queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch new file mode 100644 index 00000000000..afc7c13a778 --- /dev/null +++ b/queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch @@ -0,0 +1,44 @@ +From 0d3e038313ae29a2eb54b905fea70eec4f24974b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2019 14:46:07 +0800 +Subject: usb: dwc3: remove the call trace of USBx_GFLADJ + +From: Yinbo Zhu + +[ Upstream commit a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ] + +layerscape board sometimes reported some usb call trace, that is due to +kernel sent LPM tokerns automatically when it has no pending transfers +and think that the link is idle enough to enter L1, which procedure will +ask usb register has a recovery,then kernel will compare USBx_GFLADJ and +set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if +the conditions were met then issue occur, but whatever the conditions +whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20 +(xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source +that generates the clock that drives the SOF counter, 0x20 is default +value of it)That is normal logic, so need remove the call trace. + +Signed-off-by: Yinbo Zhu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 73dc5a6c61088..7154a93f01143 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -227,8 +227,7 @@ static void dwc3_frame_length_adjustment(struct dwc3 *dwc) + + reg = dwc3_readl(dwc->regs, DWC3_GFLADJ); + dft = reg & DWC3_GFLADJ_30MHZ_MASK; +- if (!dev_WARN_ONCE(dwc->dev, dft == dwc->fladj, +- "request value same as default, ignoring\n")) { ++ if (dft != dwc->fladj) { + reg &= ~DWC3_GFLADJ_30MHZ_MASK; + reg |= DWC3_GFLADJ_30MHZ_SDBND_SEL | dwc->fladj; + dwc3_writel(dwc->regs, DWC3_GFLADJ, reg); +-- +2.20.1 + diff --git a/queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch b/queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch new file mode 100644 index 00000000000..2b057fe986a --- /dev/null +++ b/queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch @@ -0,0 +1,37 @@ +From 65472cf5bc4cfc379db0f63757ef6cd031af6025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 18:21:51 +0800 +Subject: usb: fsl: Check memory resource before releasing it + +From: Nikhil Badola + +[ Upstream commit bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ] + +Check memory resource existence before releasing it to avoid NULL +pointer dereference + +Signed-off-by: Nikhil Badola +Reviewed-by: Ran Wang +Reviewed-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index 8991a40707926..bd98557caa280 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -2570,7 +2570,7 @@ static int fsl_udc_remove(struct platform_device *pdev) + dma_pool_destroy(udc_controller->td_pool); + free_irq(udc_controller->irq, udc_controller); + iounmap(dr_regs); +- if (pdata->operating_mode == FSL_USB2_DR_DEVICE) ++ if (res && (pdata->operating_mode == FSL_USB2_DR_DEVICE)) + release_mem_region(res->start, resource_size(res)); + + /* free udc --wait for the release() finished */ +-- +2.20.1 + diff --git a/queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch b/queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch new file mode 100644 index 00000000000..493b59f3a96 --- /dev/null +++ b/queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch @@ -0,0 +1,67 @@ +From 896d24c8c6801cfa937a6105ab74cf9bb41ffff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 13:16:48 +0530 +Subject: usb: gadget: composite: Fix possible double free memory bug + +From: Chandana Kishori Chiluveru + +[ Upstream commit 1c20c89b0421b52b2417bb0f62a611bc669eda1d ] + +composite_dev_cleanup call from the failure of configfs_composite_bind +frees up the cdev->os_desc_req and cdev->req. If the previous calls of +bind and unbind is successful these will carry stale values. + +Consider the below sequence of function calls: +configfs_composite_bind() + composite_dev_prepare() + - Allocate cdev->req, cdev->req->buf + composite_os_desc_req_prepare() + - Allocate cdev->os_desc_req, cdev->os_desc_req->buf +configfs_composite_unbind() + composite_dev_cleanup() + - free the cdev->os_desc_req->buf and cdev->req->buf +Next composition switch +configfs_composite_bind() + - If it fails goto err_comp_cleanup will call the + composite_dev_cleanup() function + composite_dev_cleanup() + - calls kfree up with the stale values of cdev->req->buf and + cdev->os_desc_req from the previous configfs_composite_bind + call. The free call on these stale values leads to double free. + +Hence, Fix this issue by setting request and buffer pointer to NULL after +kfree. + +Signed-off-by: Chandana Kishori Chiluveru +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 9fa168af847b5..854c4ec0af2c5 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2179,14 +2179,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) + usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req); + + kfree(cdev->os_desc_req->buf); ++ cdev->os_desc_req->buf = NULL; + usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); ++ cdev->os_desc_req = NULL; + } + if (cdev->req) { + if (cdev->setup_pending) + usb_ep_dequeue(cdev->gadget->ep0, cdev->req); + + kfree(cdev->req->buf); ++ cdev->req->buf = NULL; + usb_ep_free_request(cdev->gadget->ep0, cdev->req); ++ cdev->req = NULL; + } + cdev->next_string_id = 0; + device_remove_file(&cdev->gadget->dev, &dev_attr_suspended); +-- +2.20.1 + diff --git a/queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch b/queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch new file mode 100644 index 00000000000..3b7c00a3521 --- /dev/null +++ b/queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch @@ -0,0 +1,422 @@ +From f88eb79f89465d2bd8969bb297b20395beed5bd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 15:10:55 -0400 +Subject: usb: gadget: configfs: fix concurrent issue between composite APIs + +From: Peter Chen + +[ Upstream commit 1a1c851bbd706ea9f3a9756c2d3db28523506d3b ] + +We meet several NULL pointer issues if configfs_composite_unbind +and composite_setup (or composite_disconnect) are running together. +These issues occur when do the function switch stress test, the +configfs_compsoite_unbind is called from user mode by +echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt +or disconnect interrupt occurs by hardware. The composite_setup +will get the cdev from get_gadget_data, but configfs_composite_unbind +will set gadget data as NULL, so the NULL pointer issue occurs. +This concurrent is hard to reproduce by native kernel, but can be +reproduced by android kernel. + +In this commit, we introduce one spinlock belongs to structure +gadget_info since we can't use the same spinlock in usb_composite_dev +due to exclusive running together between composite_setup and +configfs_composite_unbind. And one bit flag 'unbind' to indicate the +code is at unbind routine, this bit is needed due to we release the +lock at during configfs_composite_unbind sometimes, and composite_setup +may be run at that time. + +Several oops: + +oops 1: +android_work: sent uevent USB_STATE=CONNECTED +configfs-gadget gadget: super-speed config #1: b +android_work: sent uevent USB_STATE=CONFIGURED +init: Received control message 'start' for 'adbd' from pid: 3515 (system_server) +Unable to handle kernel NULL pointer dereference at virtual address 0000002a +init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic) +Mem abort info: + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000 +[000000000000002a] *pgd=0000000000000000 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16 +Hardware name: Freescale i.MX8QM MEK (DT) +task: ffff8008f2a98000 task.stack: ffff00000b7b8000 +PC is at composite_setup+0x44/0x1508 +LR is at android_setup+0xb8/0x13c +pc : [] lr : [] pstate: 800001c5 +sp : ffff00000b7bbb80 +x29: ffff00000b7bbb80 x28: ffff8008f2a3c010 +x27: 0000000000000001 x26: 0000000000000000 [1232/1897] +audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64 +x25: 00000000ffffffa1 x24: ffff8008f2a3c010 +audit: rate limit exceeded +x23: 0000000000000409 x22: ffff000009c8e000 +x21: ffff8008f7a8b428 x20: ffff00000afae000 +x19: ffff0000089ff000 x18: 0000000000000000 +x17: 0000000000000000 x16: ffff0000082b7c9c +x15: 0000000000000000 x14: f1866f5b952aca46 +x13: e35502e30d44349c x12: 0000000000000008 +x11: 0000000000000008 x10: 0000000000000a30 +x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90 +x7 : ffff8008f27a9c90 x6 : 0000000000000001 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : 0000000000000000 x2 : 0000000000000006 +x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00 + +X7: 0xffff8008f27a9c10: +9c10 00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040 +9c30 00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000 +9c50 00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078 +9c70 00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000 +9c90 00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008 +9cb0 f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001 +9cd0 870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000 +using random self ethernet address +9cf0 019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000 +using random host ethernet address + 00000000 + +X8: 0xffff8008f2a98a10: +8a10 00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000 +8a30 eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000 +8a50 f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000 +8a70 fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000 +8a90 080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000 +8ab0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8ad0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8af0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + +X21: 0xffff8008f7a8b3a8: +b3a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b3c8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b3e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b408 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000 +b428 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +b448 0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003 +b468 e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008 +b488 f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000 + +X24: 0xffff8008f2a3bf90: +bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 +c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 +c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 + +X28: 0xffff8008f2a3bf90: +bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 +c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 +c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 + +Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000) +Call trace: +Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80) +ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000 +ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90 +ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008 +baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000 +bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000 +bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409 +bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001 +bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80 +bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00 +bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c +[] composite_setup+0x44/0x1508 +[] android_setup+0xb8/0x13c +[] cdns3_ep0_delegate_req+0x44/0x70 +[] cdns3_check_ep0_interrupt_proceed+0x33c/0x654 +[] cdns3_device_thread_irq_handler+0x4b0/0x4bc +[] cdns3_thread_irq+0x48/0x68 +[] irq_thread_fn+0x28/0x88 +[] irq_thread+0x13c/0x228 +[] kthread+0x104/0x130 +[] ret_from_fork+0x10/0x18 + +oops2: +composite_disconnect: Calling disconnect on a Gadget that is not connected +android_work: did not send uevent (0 0 (null)) +init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) +init: Sending signal 9 to service 'adbd' (pid 22343) process group... +------------[ cut here ]------------ +audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64 +audit: rate limit exceeded +WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88 +Modules linked in: +CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16 +Hardware name: Freescale i.MX8QM MEK (DT) +task: ffff8008f2349c00 task.stack: ffff00000b0a8000 +PC is at composite_disconnect+0x80/0x88 +LR is at composite_disconnect+0x80/0x88 +pc : [] lr : [] pstate: 600001c5 +sp : ffff000008003dd0 +x29: ffff000008003dd0 x28: ffff8008f2349c00 +x27: ffff000009885018 x26: ffff000008004000 +Timeout for IPC response! +x25: ffff000009885018 x24: ffff000009c8e280 +x23: ffff8008f2d98010 x22: 00000000000001c0 +x21: ffff8008f2d98394 x20: ffff8008f2d98010 +x19: 0000000000000000 x18: 0000e3956f4f075a +fxos8700 4-001e: i2c block read acc failed +x17: 0000e395735727e8 x16: ffff00000829f4d4 +x15: ffffffffffffffff x14: 7463656e6e6f6320 +x13: 746f6e2009090920 x12: 7369207461687420 +x11: 7465676461472061 x10: 206e6f207463656e +x9 : 6e6f637369642067 x8 : ffff000009c8e280 +x7 : ffff0000086ca6cc x6 : ffff000009f15e78 +x5 : 0000000000000000 x4 : 0000000000000000 +x3 : ffffffffffffffff x2 : c3f28b86000c3900 +x1 : c3f28b86000c3900 x0 : 000000000000004e + +X20: 0xffff8008f2d97f90: +7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain +7fd0 +Timeout for IPC response! + 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +using random self ethernet address +7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc +using random host ethernet address + ffff0000 +8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 +8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 + +X21: 0xffff8008f2d98314: +8314 ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8334 00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000 +8354 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +8374 00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000 +8394 e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400 +Timeout for IPC response! +83b4 ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018 +83d4 ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918 +83f4 ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000 + +X23: 0xffff8008f2d97f90: +7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 +8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000 +8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 +8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 +8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 + +X28: 0xffff8008f2349b80: +9b80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9ba0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9bc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9be0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9c00 00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000 +9c20 0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000 +9c40 00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008 +9c60 00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000 + +Call trace: +Exception stack(0xffff000008003c90 to 0xffff000008003dd0) +3c80: 000000000000004e c3f28b86000c3900 +3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000 +3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067 +3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920 +3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8 +3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394 +3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018 +3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0 +3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5 +3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000 +init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) +3dc0: ffff000008003dd0 ffff0000089ff9b0 +[] composite_disconnect+0x80/0x88 +[] android_disconnect+0x3c/0x68 +[] cdns3_device_irq_handler+0xfc/0x2c8 +[] cdns3_irq+0x44/0x94 +[] __handle_irq_event_percpu+0x60/0x24c +[] handle_irq_event+0x58/0xc0 +[] handle_fasteoi_irq+0x98/0x180 +[] generic_handle_irq+0x24/0x38 +[] __handle_domain_irq+0x60/0xac +[] gic_handle_irq+0xd4/0x17c + +Signed-off-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/configfs.c | 110 ++++++++++++++++++++++++++++++++-- + 1 file changed, 105 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index a5ca409dc97e1..b5315a47f0b96 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -60,6 +60,8 @@ struct gadget_info { + bool use_os_desc; + char b_vendor_code; + char qw_sign[OS_STRING_QW_SIGN_LEN]; ++ spinlock_t spinlock; ++ bool unbind; + }; + + static inline struct gadget_info *to_gadget_info(struct config_item *item) +@@ -1241,6 +1243,7 @@ static int configfs_composite_bind(struct usb_gadget *gadget, + int ret; + + /* the gi->lock is hold by the caller */ ++ gi->unbind = 0; + cdev->gadget = gadget; + set_gadget_data(gadget, cdev); + ret = composite_dev_prepare(composite, cdev); +@@ -1373,31 +1376,128 @@ static void configfs_composite_unbind(struct usb_gadget *gadget) + { + struct usb_composite_dev *cdev; + struct gadget_info *gi; ++ unsigned long flags; + + /* the gi->lock is hold by the caller */ + + cdev = get_gadget_data(gadget); + gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ gi->unbind = 1; ++ spin_unlock_irqrestore(&gi->spinlock, flags); + + kfree(otg_desc[0]); + otg_desc[0] = NULL; + purge_configs_funcs(gi); + composite_dev_cleanup(cdev); + usb_ep_autoconfig_reset(cdev->gadget); ++ spin_lock_irqsave(&gi->spinlock, flags); + cdev->gadget = NULL; + set_gadget_data(gadget, NULL); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static int configfs_composite_setup(struct usb_gadget *gadget, ++ const struct usb_ctrlrequest *ctrl) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ int ret; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return 0; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return 0; ++ } ++ ++ ret = composite_setup(gadget, ctrl); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return ret; ++} ++ ++static void configfs_composite_disconnect(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_disconnect(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static void configfs_composite_suspend(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_suspend(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++} ++ ++static void configfs_composite_resume(struct usb_gadget *gadget) ++{ ++ struct usb_composite_dev *cdev; ++ struct gadget_info *gi; ++ unsigned long flags; ++ ++ cdev = get_gadget_data(gadget); ++ if (!cdev) ++ return; ++ ++ gi = container_of(cdev, struct gadget_info, cdev); ++ spin_lock_irqsave(&gi->spinlock, flags); ++ cdev = get_gadget_data(gadget); ++ if (!cdev || gi->unbind) { ++ spin_unlock_irqrestore(&gi->spinlock, flags); ++ return; ++ } ++ ++ composite_resume(gadget); ++ spin_unlock_irqrestore(&gi->spinlock, flags); + } + + static const struct usb_gadget_driver configfs_driver_template = { + .bind = configfs_composite_bind, + .unbind = configfs_composite_unbind, + +- .setup = composite_setup, +- .reset = composite_disconnect, +- .disconnect = composite_disconnect, ++ .setup = configfs_composite_setup, ++ .reset = configfs_composite_disconnect, ++ .disconnect = configfs_composite_disconnect, + +- .suspend = composite_suspend, +- .resume = composite_resume, ++ .suspend = configfs_composite_suspend, ++ .resume = configfs_composite_resume, + + .max_speed = USB_SPEED_SUPER, + .driver = { +-- +2.20.1 + diff --git a/queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch b/queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch new file mode 100644 index 00000000000..ab4bf252ebd --- /dev/null +++ b/queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch @@ -0,0 +1,42 @@ +From a37f1c91c807ce77d94ed16c1c2eb34e35e3de7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 20:10:54 +0300 +Subject: usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode. + +From: Cristian Birsan + +[ Upstream commit ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ] + +Fix interrupt storm generated by endpoints when working in FIFO mode. +The TX_COMPLETE interrupt is used only by control endpoints processing. +Do not enable it for other types of endpoints. + +Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver") +Signed-off-by: Cristian Birsan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/atmel_usba_udc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c +index 9705bcdbc577f..57dd3bad95397 100644 +--- a/drivers/usb/gadget/udc/atmel_usba_udc.c ++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c +@@ -403,9 +403,11 @@ static void submit_request(struct usba_ep *ep, struct usba_request *req) + next_fifo_transaction(ep, req); + if (req->last_transaction) { + usba_ep_writel(ep, CTL_DIS, USBA_TX_PK_RDY); +- usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE); ++ if (ep_is_control(ep)) ++ usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE); + } else { +- usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE); ++ if (ep_is_control(ep)) ++ usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE); + usba_ep_writel(ep, CTL_ENB, USBA_TX_PK_RDY); + } + } +-- +2.20.1 + diff --git a/queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch b/queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch new file mode 100644 index 00000000000..0d642071716 --- /dev/null +++ b/queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch @@ -0,0 +1,49 @@ +From a3b421cf5582c370c607b60af451a24df95c75c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 10:52:35 -0400 +Subject: USB: Skip endpoints with 0 maxpacket length + +From: Alan Stern + +[ Upstream commit d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ] + +Endpoints with a maxpacket length of 0 are probably useless. They +can't transfer any data, and it's not at all unlikely that an HCD will +crash or hang when trying to handle an URB for such an endpoint. + +Currently the USB core does not check for endpoints having a maxpacket +value of 0. This patch adds a check, printing a warning and skipping +over any endpoints it catches. + +Now, the USB spec does not rule out endpoints having maxpacket = 0. +But since they wouldn't have any practical use, there doesn't seem to +be any good reason for us to accept them. + +Signed-off-by: Alan Stern + +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/config.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 94ec2dc27748e..e8061b02b7e3b 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -343,6 +343,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + + /* Validate the wMaxPacketSize field */ + maxp = usb_endpoint_maxp(&endpoint->desc); ++ if (maxp == 0) { ++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n", ++ cfgno, inum, asnum, d->bEndpointAddress); ++ goto skip_to_next_endpoint_or_interface_descriptor; ++ } + + /* Find the highest legal maxpacket size for this endpoint */ + i = 0; /* additional transactions per microframe */ +-- +2.20.1 + diff --git a/queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch b/queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch new file mode 100644 index 00000000000..aa2c6cc3e07 --- /dev/null +++ b/queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch @@ -0,0 +1,85 @@ +From 7b93c8bfd5d4d8fb5952b4a2a69758983c2d916d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 10:34:19 +0100 +Subject: x86/apic/32: Avoid bogus LDR warnings + +From: Jan Beulich + +[ Upstream commit fe6f85ca121e9c74e7490fe66b0c5aae38e332c3 ] + +The removal of the LDR initialization in the bigsmp_32 APIC code unearthed +a problem in setup_local_APIC(). + +The code checks unconditionally for a mismatch of the logical APIC id by +comparing the early APIC id which was initialized in get_smp_config() with +the actual LDR value in the APIC. + +Due to the removal of the bogus LDR initialization the check now can +trigger on bigsmp_32 APIC systems emitting a warning for every booting +CPU. This is of course a false positive because the APIC is not using +logical destination mode. + +Restrict the check and the possibly resulting fixup to systems which are +actually using the APIC in logical destination mode. + +[ tglx: Massaged changelog and added Cc stable ] + +Fixes: bae3a8d3308 ("x86/apic: Do not initialize LDR and DFR for bigsmp") +Signed-off-by: Jan Beulich +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/666d8f91-b5a8-1afd-7add-821e72a35f03@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/apic.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index ad2a220a4a7f7..722a76b88bcc0 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1341,9 +1341,6 @@ void setup_local_APIC(void) + { + int cpu = smp_processor_id(); + unsigned int value; +-#ifdef CONFIG_X86_32 +- int logical_apicid, ldr_apicid; +-#endif + + + if (disable_apic) { +@@ -1384,16 +1381,21 @@ void setup_local_APIC(void) + apic->init_apic_ldr(); + + #ifdef CONFIG_X86_32 +- /* +- * APIC LDR is initialized. If logical_apicid mapping was +- * initialized during get_smp_config(), make sure it matches the +- * actual value. +- */ +- logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu); +- ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR)); +- WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid); +- /* always use the value from LDR */ +- early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid; ++ if (apic->dest_logical) { ++ int logical_apicid, ldr_apicid; ++ ++ /* ++ * APIC LDR is initialized. If logical_apicid mapping was ++ * initialized during get_smp_config(), make sure it matches ++ * the actual value. ++ */ ++ logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu); ++ ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR)); ++ if (logical_apicid != BAD_APICID) ++ WARN_ON(logical_apicid != ldr_apicid); ++ /* Always use the value from LDR. */ ++ early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid; ++ } + #endif + + /* +-- +2.20.1 + diff --git a/queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch b/queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch new file mode 100644 index 00000000000..bcce219fb42 --- /dev/null +++ b/queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch @@ -0,0 +1,80 @@ +From 8abdd062d965fdc7a3365f3c2cbf89bf78c6c25c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Mar 2018 13:59:30 +0800 +Subject: x86/apic: Drop logical_smp_processor_id() inline + +From: Dou Liyang + +[ Upstream commit 8f1561680f42a5491b371b513f1ab8197f31fd62 ] + +The logical_smp_processor_id() inline which is only called in +setup_local_APIC() on x86_32 systems has no real value. + +Drop it and directly use GET_APIC_LOGICAL_ID() at the call site and use a +more suitable variable name for readability + +Signed-off-by: Dou Liyang +Signed-off-by: Thomas Gleixner +Cc: andy.shevchenko@gmail.com +Cc: bhe@redhat.com +Cc: ebiederm@xmission.com +Link: https://lkml.kernel.org/r/20180301055930.2396-4-douly.fnst@cn.fujitsu.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/smp.h | 10 ---------- + arch/x86/kernel/apic/apic.c | 10 +++++----- + 2 files changed, 5 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h +index d25fb6beb2f0c..dcaf7100b69c2 100644 +--- a/arch/x86/include/asm/smp.h ++++ b/arch/x86/include/asm/smp.h +@@ -177,16 +177,6 @@ extern int safe_smp_processor_id(void); + #endif + + #ifdef CONFIG_X86_LOCAL_APIC +- +-#ifndef CONFIG_X86_64 +-static inline int logical_smp_processor_id(void) +-{ +- /* we don't want to mark this access volatile - bad code generation */ +- return GET_APIC_LOGICAL_ID(apic_read(APIC_LDR)); +-} +- +-#endif +- + extern int hard_smp_processor_id(void); + + #else /* CONFIG_X86_LOCAL_APIC */ +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 264daf1f49915..ad2a220a4a7f7 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1342,7 +1342,7 @@ void setup_local_APIC(void) + int cpu = smp_processor_id(); + unsigned int value; + #ifdef CONFIG_X86_32 +- int i; ++ int logical_apicid, ldr_apicid; + #endif + + +@@ -1389,11 +1389,11 @@ void setup_local_APIC(void) + * initialized during get_smp_config(), make sure it matches the + * actual value. + */ +- i = early_per_cpu(x86_cpu_to_logical_apicid, cpu); +- WARN_ON(i != BAD_APICID && i != logical_smp_processor_id()); ++ logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu); ++ ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR)); ++ WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid); + /* always use the value from LDR */ +- early_per_cpu(x86_cpu_to_logical_apicid, cpu) = +- logical_smp_processor_id(); ++ early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid; + #endif + + /* +-- +2.20.1 + diff --git a/queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch b/queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch new file mode 100644 index 00000000000..e47ce0a5806 --- /dev/null +++ b/queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch @@ -0,0 +1,155 @@ +From 08f7fdbefe4405e8889c48ca57db61bb37ece94f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Mar 2018 13:59:28 +0800 +Subject: x86/apic: Move pending interrupt check code into it's own function + +From: Dou Liyang + +[ Upstream commit 9b217f33017715903d0956dfc58f82d2a2d00e63 ] + +The pending interrupt check code is mixed with the local APIC setup code, +that looks messy. + +Extract the related code, move it into a new function named +apic_pending_intr_clear(). + +Signed-off-by: Dou Liyang +Signed-off-by: Thomas Gleixner +Reviewed-by: Andy Shevchenko +Cc: bhe@redhat.com +Cc: ebiederm@xmission.com +Link: https://lkml.kernel.org/r/20180301055930.2396-2-douly.fnst@cn.fujitsu.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/apic.c | 100 ++++++++++++++++++++---------------- + 1 file changed, 55 insertions(+), 45 deletions(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 232350519062b..264daf1f49915 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1281,6 +1281,56 @@ static void lapic_setup_esr(void) + oldvalue, value); + } + ++static void apic_pending_intr_clear(void) ++{ ++ long long max_loops = cpu_khz ? cpu_khz : 1000000; ++ unsigned long long tsc = 0, ntsc; ++ unsigned int value, queued; ++ int i, j, acked = 0; ++ ++ if (boot_cpu_has(X86_FEATURE_TSC)) ++ tsc = rdtsc(); ++ /* ++ * After a crash, we no longer service the interrupts and a pending ++ * interrupt from previous kernel might still have ISR bit set. ++ * ++ * Most probably by now CPU has serviced that pending interrupt and ++ * it might not have done the ack_APIC_irq() because it thought, ++ * interrupt came from i8259 as ExtInt. LAPIC did not get EOI so it ++ * does not clear the ISR bit and cpu thinks it has already serivced ++ * the interrupt. Hence a vector might get locked. It was noticed ++ * for timer irq (vector 0x31). Issue an extra EOI to clear ISR. ++ */ ++ do { ++ queued = 0; ++ for (i = APIC_ISR_NR - 1; i >= 0; i--) ++ queued |= apic_read(APIC_IRR + i*0x10); ++ ++ for (i = APIC_ISR_NR - 1; i >= 0; i--) { ++ value = apic_read(APIC_ISR + i*0x10); ++ for (j = 31; j >= 0; j--) { ++ if (value & (1< 256) { ++ printk(KERN_ERR "LAPIC pending interrupts after %d EOI\n", ++ acked); ++ break; ++ } ++ if (queued) { ++ if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) { ++ ntsc = rdtsc(); ++ max_loops = (cpu_khz << 10) - (ntsc - tsc); ++ } else ++ max_loops--; ++ } ++ } while (queued && max_loops > 0); ++ WARN_ON(max_loops <= 0); ++} ++ + /** + * setup_local_APIC - setup the local APIC + * +@@ -1290,13 +1340,11 @@ static void lapic_setup_esr(void) + void setup_local_APIC(void) + { + int cpu = smp_processor_id(); +- unsigned int value, queued; +- int i, j, acked = 0; +- unsigned long long tsc = 0, ntsc; +- long long max_loops = cpu_khz ? cpu_khz : 1000000; ++ unsigned int value; ++#ifdef CONFIG_X86_32 ++ int i; ++#endif + +- if (boot_cpu_has(X86_FEATURE_TSC)) +- tsc = rdtsc(); + + if (disable_apic) { + disable_ioapic_support(); +@@ -1356,45 +1404,7 @@ void setup_local_APIC(void) + value &= ~APIC_TPRI_MASK; + apic_write(APIC_TASKPRI, value); + +- /* +- * After a crash, we no longer service the interrupts and a pending +- * interrupt from previous kernel might still have ISR bit set. +- * +- * Most probably by now CPU has serviced that pending interrupt and +- * it might not have done the ack_APIC_irq() because it thought, +- * interrupt came from i8259 as ExtInt. LAPIC did not get EOI so it +- * does not clear the ISR bit and cpu thinks it has already serivced +- * the interrupt. Hence a vector might get locked. It was noticed +- * for timer irq (vector 0x31). Issue an extra EOI to clear ISR. +- */ +- do { +- queued = 0; +- for (i = APIC_ISR_NR - 1; i >= 0; i--) +- queued |= apic_read(APIC_IRR + i*0x10); +- +- for (i = APIC_ISR_NR - 1; i >= 0; i--) { +- value = apic_read(APIC_ISR + i*0x10); +- for (j = 31; j >= 0; j--) { +- if (value & (1< 256) { +- printk(KERN_ERR "LAPIC pending interrupts after %d EOI\n", +- acked); +- break; +- } +- if (queued) { +- if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) { +- ntsc = rdtsc(); +- max_loops = (cpu_khz << 10) - (ntsc - tsc); +- } else +- max_loops--; +- } +- } while (queued && max_loops > 0); +- WARN_ON(max_loops <= 0); ++ apic_pending_intr_clear(); + + /* + * Now that we are all set up, enable the APIC +-- +2.20.1 +