From: Greg Kroah-Hartman
Date: Tue, 18 Feb 2020 08:48:02 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.105~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1c916bb254243ae554b248c891dc4969c24bed8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch
	ib-hfi1-acquire-lock-to-release-tid-entries-when-user-file-is-closed.patch
	ib-hfi1-close-window-for-pq-and-request-coliding.patch
	ib-rdmavt-reset-all-qps-when-the-device-is-shut-down.patch
	nfsv4.1-make-cachethis-no-for-writes.patch
	nvme-fix-the-parameter-order-for-nvme_get_log-in-nvme_get_fw_slot_info.patch
	perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch
	rdma-core-fix-invalid-memory-access-in-spec_filter_size.patch
	rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch
	rdma-hfi1-fix-memory-leak-in-_dev_comp_vect_mappings_create.patch
	rdma-rxe-fix-soft-lockup-problem-due-to-using-tasklets-in-softirq.patch
	s390-time-fix-clk-type-in-get_tod_clock.patch
---
diff --git a/queue-4.19/hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch b/queue-4.19/hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch new file mode 100644 index 00000000000..6aa9bf38e0b --- /dev/null +++ b/queue-4.19/hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch 
@@ -0,0 +1,40 @@ +From cf2b012c90e74e85d8aea7d67e48868069cfee0c Mon Sep 17 00:00:00 2001 +From: Mike Jones +Date: Tue, 28 Jan 2020 10:59:59 -0700 +Subject: hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions. + +From: Mike Jones + +commit cf2b012c90e74e85d8aea7d67e48868069cfee0c upstream. + +Change 21537dc driver PMBus polling of MFR_COMMON from bits 5/4 to +bits 6/5. This fixs a LTC297X family bug where polling always returns +not busy even when the part is busy. This fixes a LTC388X and +LTM467X bug where polling used PEND and NOT_IN_TRANS, and BUSY was +not polled, which can lead to NACKing of commands. LTC388X and +LTM467X modules now poll BUSY and PEND, increasing reliability by +eliminating NACKing of commands. + +Signed-off-by: Mike Jones +Link: https://lore.kernel.org/r/1580234400-2829-2-git-send-email-michael-a1.jones@analog.com +Fixes: e04d1ce9bbb49 ("hwmon: (ltc2978) Add polling for chips requiring it") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/pmbus/ltc2978.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/pmbus/ltc2978.c ++++ b/drivers/hwmon/pmbus/ltc2978.c +@@ -89,8 +89,8 @@ enum chips { ltc2974, ltc2975, ltc2977, + + #define LTC_POLL_TIMEOUT 100 /* in milli-seconds */ + +-#define LTC_NOT_BUSY BIT(5) +-#define LTC_NOT_PENDING BIT(4) ++#define LTC_NOT_BUSY BIT(6) ++#define LTC_NOT_PENDING BIT(5) + + /* + * LTC2978 clears peak data whenever the CLEAR_FAULTS command is executed, which diff --git a/queue-4.19/ib-hfi1-acquire-lock-to-release-tid-entries-when-user-file-is-closed.patch b/queue-4.19/ib-hfi1-acquire-lock-to-release-tid-entries-when-user-file-is-closed.patch new file mode 100644 index 00000000000..97dc6fb8c20 --- /dev/null +++ b/queue-4.19/ib-hfi1-acquire-lock-to-release-tid-entries-when-user-file-is-closed.patch 
@@ -0,0 +1,52 @@ +From a70ed0f2e6262e723ae8d70accb984ba309eacc2 Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Mon, 10 Feb 2020 08:10:26 -0500 +Subject: IB/hfi1: Acquire lock to release TID entries when user file is closed + +From: Kaike Wan + +commit a70ed0f2e6262e723ae8d70accb984ba309eacc2 upstream. + +Each user context is allocated a certain number of RcvArray (TID) +entries and these entries are managed through TID groups. These groups +are put into one of three lists in each user context: tid_group_list, +tid_used_list, and tid_full_list, depending on the number of used TID +entries within each group. When TID packets are expected, one or more +TID groups will be allocated. After the packets are received, the TID +groups will be freed. Since multiple user threads may access the TID +groups simultaneously, a mutex exp_mutex is used to synchronize the +access. However, when the user file is closed, it tries to release +all TID groups without acquiring the mutex first, which risks a race +condition with another thread that may be releasing its TID groups, +leading to data corruption. + +This patch addresses the issue by acquiring the mutex first before +releasing the TID groups when the file is closed. 
+ +Fixes: 3abb33ac6521 ("staging/hfi1: Add TID cache receive init and free funcs") +Link: https://lore.kernel.org/r/20200210131026.87408.86853.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -165,10 +165,12 @@ void hfi1_user_exp_rcv_free(struct hfi1_ + if (fd->handler) { + hfi1_mmu_rb_unregister(fd->handler); + } else { ++ mutex_lock(&uctxt->exp_mutex); + if (!EXP_TID_SET_EMPTY(uctxt->tid_full_list)) + unlock_exp_tids(uctxt, &uctxt->tid_full_list, fd); + if (!EXP_TID_SET_EMPTY(uctxt->tid_used_list)) + unlock_exp_tids(uctxt, &uctxt->tid_used_list, fd); ++ mutex_unlock(&uctxt->exp_mutex); + } + + kfree(fd->invalid_tids); diff --git a/queue-4.19/ib-hfi1-close-window-for-pq-and-request-coliding.patch b/queue-4.19/ib-hfi1-close-window-for-pq-and-request-coliding.patch new file mode 100644 index 00000000000..6d5d3f38696 --- /dev/null +++ b/queue-4.19/ib-hfi1-close-window-for-pq-and-request-coliding.patch 
@@ -0,0 +1,270 @@ +From be8638344c70bf492963ace206a9896606b6922d Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 10 Feb 2020 08:10:33 -0500 +Subject: IB/hfi1: Close window for pq and request coliding + +From: Mike Marciniszyn + +commit be8638344c70bf492963ace206a9896606b6922d upstream. + +Cleaning up a pq can result in the following warning and panic: + + WARNING: CPU: 52 PID: 77418 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0 + list_del corruption, ffff88cb2c6ac068->next is LIST_POISON1 (dead000000000100) + Modules linked in: mmfs26(OE) mmfslinux(OE) tracedev(OE) 8021q garp mrp ib_isert iscsi_target_mod target_core_mod crc_t10dif crct10dif_generic opa_vnic rpcrdma ib_iser libiscsi scsi_transport_iscsi ib_ipoib(OE) bridge stp llc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel ast aesni_intel ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops drm pcspkr joydev lpc_ich mei_me drm_panel_orientation_quirks i2c_i801 mei wmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_power_meter acpi_pad hfi1(OE) rdmavt(OE) rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core binfmt_misc numatools(OE) xpmem(OE) ip_tables + nfsv3 nfs_acl nfs lockd grace sunrpc fscache igb ahci i2c_algo_bit libahci dca ptp libata pps_core crc32c_intel [last unloaded: i2c_algo_bit] + CPU: 52 PID: 77418 Comm: pvbatch Kdump: loaded Tainted: G OE ------------ 3.10.0-957.38.3.el7.x86_64 #1 + Hardware name: HPE.COM HPE SGI 8600-XA730i Gen10/X11DPT-SB-SG007, BIOS SBED1229 01/22/2019 + Call Trace: + [] dump_stack+0x19/0x1b + [] __warn+0xd8/0x100 + [] warn_slowpath_fmt+0x5f/0x80 + [] __list_del_entry+0x63/0xd0 + [] list_del+0xd/0x30 + [] kmem_cache_destroy+0x50/0x110 + [] hfi1_user_sdma_free_queues+0xf0/0x200 [hfi1] + [] hfi1_file_close+0x70/0x1e0 [hfi1] + [] __fput+0xec/0x260 + [] ____fput+0xe/0x10 + 
[] task_work_run+0xbb/0xe0 + [] do_notify_resume+0xa5/0xc0 + [] int_signal+0x12/0x17 + BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 + IP: [] kmem_cache_close+0x7e/0x300 + PGD 2cdab19067 PUD 2f7bfdb067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: mmfs26(OE) mmfslinux(OE) tracedev(OE) 8021q garp mrp ib_isert iscsi_target_mod target_core_mod crc_t10dif crct10dif_generic opa_vnic rpcrdma ib_iser libiscsi scsi_transport_iscsi ib_ipoib(OE) bridge stp llc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel ast aesni_intel ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops drm pcspkr joydev lpc_ich mei_me drm_panel_orientation_quirks i2c_i801 mei wmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_power_meter acpi_pad hfi1(OE) rdmavt(OE) rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core binfmt_misc numatools(OE) xpmem(OE) ip_tables + nfsv3 nfs_acl nfs lockd grace sunrpc fscache igb ahci i2c_algo_bit libahci dca ptp libata pps_core crc32c_intel [last unloaded: i2c_algo_bit] + CPU: 52 PID: 77418 Comm: pvbatch Kdump: loaded Tainted: G W OE ------------ 3.10.0-957.38.3.el7.x86_64 #1 + Hardware name: HPE.COM HPE SGI 8600-XA730i Gen10/X11DPT-SB-SG007, BIOS SBED1229 01/22/2019 + task: ffff88cc26db9040 ti: ffff88b5393a8000 task.ti: ffff88b5393a8000 + RIP: 0010:[] [] kmem_cache_close+0x7e/0x300 + RSP: 0018:ffff88b5393abd60 EFLAGS: 00010287 + RAX: 0000000000000000 RBX: ffff88cb2c6ac000 RCX: 0000000000000003 + RDX: 0000000000000400 RSI: 0000000000000400 RDI: ffffffff9095b800 + RBP: ffff88b5393abdb0 R08: ffffffff9095b808 R09: ffffffff8ff77c19 + R10: ffff88b73ce1f160 R11: ffffddecddde9800 R12: ffff88cb2c6ac000 + R13: 000000000000000c R14: ffff88cf3fdca780 R15: 0000000000000000 + FS: 00002aaaaab52500(0000) GS:ffff88b73ce00000(0000) knlGS:0000000000000000 + CS: 0010 
DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000010 CR3: 0000002d27664000 CR4: 00000000007607e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + [] __kmem_cache_shutdown+0x14/0x80 + [] kmem_cache_destroy+0x58/0x110 + [] hfi1_user_sdma_free_queues+0xf0/0x200 [hfi1] + [] hfi1_file_close+0x70/0x1e0 [hfi1] + [] __fput+0xec/0x260 + [] ____fput+0xe/0x10 + [] task_work_run+0xbb/0xe0 + [] do_notify_resume+0xa5/0xc0 + [] int_signal+0x12/0x17 + Code: 00 00 ba 00 04 00 00 0f 4f c2 3d 00 04 00 00 89 45 bc 0f 84 e7 01 00 00 48 63 45 bc 49 8d 04 c4 48 89 45 b0 48 8b 80 c8 00 00 00 <48> 8b 78 10 48 89 45 c0 48 83 c0 10 48 89 45 d0 48 8b 17 48 39 + RIP [] kmem_cache_close+0x7e/0x300 + RSP + CR2: 0000000000000010 + +The panic is the result of slab entries being freed during the destruction +of the pq slab. + +The code attempts to quiesce the pq, but looking for n_req == 0 doesn't +account for new requests. + +Fix the issue by using SRCU to get a pq pointer and adjust the pq free +logic to NULL the fd pq pointer prior to the quiesce. 
+ +Fixes: e87473bc1b6c ("IB/hfi1: Only set fd pointer when base context is completely initialized") +Link: https://lore.kernel.org/r/20200210131033.87408.81174.stgit@awfm-01.aw.intel.com +Reviewed-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/file_ops.c | 52 ++++++++++++++++++------------ + drivers/infiniband/hw/hfi1/hfi.h | 5 ++ + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 3 - + drivers/infiniband/hw/hfi1/user_sdma.c | 17 ++++++--- + 4 files changed, 48 insertions(+), 29 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -200,23 +200,24 @@ static int hfi1_file_open(struct inode * + + fd = kzalloc(sizeof(*fd), GFP_KERNEL); + +- if (fd) { +- fd->rec_cpu_num = -1; /* no cpu affinity by default */ +- fd->mm = current->mm; +- mmgrab(fd->mm); +- fd->dd = dd; +- kobject_get(&fd->dd->kobj); +- fp->private_data = fd; +- } else { +- fp->private_data = NULL; +- +- if (atomic_dec_and_test(&dd->user_refcount)) +- complete(&dd->user_comp); +- +- return -ENOMEM; +- } +- ++ if (!fd || init_srcu_struct(&fd->pq_srcu)) ++ goto nomem; ++ spin_lock_init(&fd->pq_rcu_lock); ++ spin_lock_init(&fd->tid_lock); ++ spin_lock_init(&fd->invalid_lock); ++ fd->rec_cpu_num = -1; /* no cpu affinity by default */ ++ fd->mm = current->mm; ++ mmgrab(fd->mm); ++ fd->dd = dd; ++ kobject_get(&fd->dd->kobj); ++ fp->private_data = fd; + return 0; ++nomem: ++ kfree(fd); ++ fp->private_data = NULL; ++ if (atomic_dec_and_test(&dd->user_refcount)) ++ complete(&dd->user_comp); ++ return -ENOMEM; + } + + static long hfi1_file_ioctl(struct file *fp, unsigned int cmd, +@@ -301,21 +302,30 @@ static long hfi1_file_ioctl(struct file + static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from) + { + struct hfi1_filedata *fd = kiocb->ki_filp->private_data; +- struct hfi1_user_sdma_pkt_q *pq = fd->pq; ++ 
struct hfi1_user_sdma_pkt_q *pq; + struct hfi1_user_sdma_comp_q *cq = fd->cq; + int done = 0, reqs = 0; + unsigned long dim = from->nr_segs; ++ int idx; + +- if (!cq || !pq) ++ idx = srcu_read_lock(&fd->pq_srcu); ++ pq = srcu_dereference(fd->pq, &fd->pq_srcu); ++ if (!cq || !pq) { ++ srcu_read_unlock(&fd->pq_srcu, idx); + return -EIO; ++ } + +- if (!iter_is_iovec(from) || !dim) ++ if (!iter_is_iovec(from) || !dim) { ++ srcu_read_unlock(&fd->pq_srcu, idx); + return -EINVAL; ++ } + + trace_hfi1_sdma_request(fd->dd, fd->uctxt->ctxt, fd->subctxt, dim); + +- if (atomic_read(&pq->n_reqs) == pq->n_max_reqs) ++ if (atomic_read(&pq->n_reqs) == pq->n_max_reqs) { ++ srcu_read_unlock(&fd->pq_srcu, idx); + return -ENOSPC; ++ } + + while (dim) { + int ret; +@@ -333,6 +343,7 @@ static ssize_t hfi1_write_iter(struct ki + reqs++; + } + ++ srcu_read_unlock(&fd->pq_srcu, idx); + return reqs; + } + +@@ -706,6 +717,7 @@ done: + if (atomic_dec_and_test(&dd->user_refcount)) + complete(&dd->user_comp); + ++ cleanup_srcu_struct(&fdata->pq_srcu); + kfree(fdata); + return 0; + } +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1376,10 +1376,13 @@ struct mmu_rb_handler; + + /* Private data for file operations */ + struct hfi1_filedata { ++ struct srcu_struct pq_srcu; + struct hfi1_devdata *dd; + struct hfi1_ctxtdata *uctxt; + struct hfi1_user_sdma_comp_q *cq; +- struct hfi1_user_sdma_pkt_q *pq; ++ /* update side lock for SRCU */ ++ spinlock_t pq_rcu_lock; ++ struct hfi1_user_sdma_pkt_q __rcu *pq; + u16 subctxt; + /* for cpu affinity; -1 if none */ + int rec_cpu_num; +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -90,9 +90,6 @@ int hfi1_user_exp_rcv_init(struct hfi1_f + struct hfi1_devdata *dd = uctxt->dd; + int ret = 0; + +- spin_lock_init(&fd->tid_lock); +- spin_lock_init(&fd->invalid_lock); +- + fd->entry_to_rb = kcalloc(uctxt->expected_count, + sizeof(struct rb_node *), + GFP_KERNEL); +--- 
a/drivers/infiniband/hw/hfi1/user_sdma.c ++++ b/drivers/infiniband/hw/hfi1/user_sdma.c +@@ -179,7 +179,6 @@ int hfi1_user_sdma_alloc_queues(struct h + pq = kzalloc(sizeof(*pq), GFP_KERNEL); + if (!pq) + return -ENOMEM; +- + pq->dd = dd; + pq->ctxt = uctxt->ctxt; + pq->subctxt = fd->subctxt; +@@ -236,7 +235,7 @@ int hfi1_user_sdma_alloc_queues(struct h + goto pq_mmu_fail; + } + +- fd->pq = pq; ++ rcu_assign_pointer(fd->pq, pq); + fd->cq = cq; + + return 0; +@@ -264,8 +263,14 @@ int hfi1_user_sdma_free_queues(struct hf + + trace_hfi1_sdma_user_free_queues(uctxt->dd, uctxt->ctxt, fd->subctxt); + +- pq = fd->pq; ++ spin_lock(&fd->pq_rcu_lock); ++ pq = srcu_dereference_check(fd->pq, &fd->pq_srcu, ++ lockdep_is_held(&fd->pq_rcu_lock)); + if (pq) { ++ rcu_assign_pointer(fd->pq, NULL); ++ spin_unlock(&fd->pq_rcu_lock); ++ synchronize_srcu(&fd->pq_srcu); ++ /* at this point there can be no more new requests */ + if (pq->handler) + hfi1_mmu_rb_unregister(pq->handler); + iowait_sdma_drain(&pq->busy); +@@ -277,7 +282,8 @@ int hfi1_user_sdma_free_queues(struct hf + kfree(pq->req_in_use); + kmem_cache_destroy(pq->txreq_cache); + kfree(pq); +- fd->pq = NULL; ++ } else { ++ spin_unlock(&fd->pq_rcu_lock); + } + if (fd->cq) { + vfree(fd->cq->comps); +@@ -321,7 +327,8 @@ int hfi1_user_sdma_process_request(struc + { + int ret = 0, i; + struct hfi1_ctxtdata *uctxt = fd->uctxt; +- struct hfi1_user_sdma_pkt_q *pq = fd->pq; ++ struct hfi1_user_sdma_pkt_q *pq = ++ srcu_dereference(fd->pq, &fd->pq_srcu); + struct hfi1_user_sdma_comp_q *cq = fd->cq; + struct hfi1_devdata *dd = pq->dd; + unsigned long idx = 0; diff --git a/queue-4.19/ib-rdmavt-reset-all-qps-when-the-device-is-shut-down.patch b/queue-4.19/ib-rdmavt-reset-all-qps-when-the-device-is-shut-down.patch new file mode 100644 index 00000000000..793148f668c --- /dev/null +++ b/queue-4.19/ib-rdmavt-reset-all-qps-when-the-device-is-shut-down.patch 
@@ -0,0 +1,230 @@ +From f92e48718889b3d49cee41853402aa88cac84a6b Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Mon, 10 Feb 2020 08:10:40 -0500 +Subject: IB/rdmavt: Reset all QPs when the device is shut down + +From: Kaike Wan + +commit f92e48718889b3d49cee41853402aa88cac84a6b upstream. + +When the hfi1 device is shut down during a system reboot, it is possible +that some QPs might have not not freed by ULPs. More requests could be +post sent and a lingering timer could be triggered to schedule more packet +sends, leading to a crash: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000102 + IP: [ffffffff810a65f2] __queue_work+0x32/0x3c0 + PGD 0 + Oops: 0000 1 SMP + Modules linked in: nvmet_rdma(OE) nvmet(OE) nvme(OE) dm_round_robin nvme_rdma(OE) nvme_fabrics(OE) nvme_core(OE) pal_raw(POE) pal_pmt(POE) pal_cache(POE) pal_pile(POE) pal(POE) pal_compatible(OE) rpcrdma sunrpc ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm mlx4_ib sb_edac edac_core intel_powerclamp coretemp intel_rapl iosf_mbi kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support mxm_wmi ipmi_ssif pcspkr ses enclosure joydev scsi_transport_sas i2c_i801 sg mei_me lpc_ich mei ioatdma shpchp ipmi_si ipmi_devintf ipmi_msghandler wmi acpi_power_meter acpi_pad dm_multipath hangcheck_timer ip_tables ext4 mbcache jbd2 mlx4_en + sd_mod crc_t10dif crct10dif_generic mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm mlx4_core crct10dif_pclmul crct10dif_common hfi1(OE) igb crc32c_intel rdmavt(OE) ahci ib_core libahci libata ptp megaraid_sas pps_core dca i2c_algo_bit i2c_core devlink dm_mirror dm_region_hash dm_log dm_mod + CPU: 23 PID: 0 Comm: swapper/23 Tainted: P OE ------------ 3.10.0-693.el7.x86_64 #1 + Hardware name: Intel Corporation S2600CWR/S2600CWR, BIOS 
SE5C610.86B.01.01.0028.121720182203 12/17/2018 + task: ffff8808f4ec4f10 ti: ffff8808f4ed8000 task.ti: ffff8808f4ed8000 + RIP: 0010:[ffffffff810a65f2] [ffffffff810a65f2] __queue_work+0x32/0x3c0 + RSP: 0018:ffff88105df43d48 EFLAGS: 00010046 + RAX: 0000000000000086 RBX: 0000000000000086 RCX: 0000000000000000 + RDX: ffff880f74e758b0 RSI: 0000000000000000 RDI: 000000000000001f + RBP: ffff88105df43d80 R08: ffff8808f3c583c8 R09: ffff8808f3c58000 + R10: 0000000000000002 R11: ffff88105df43da8 R12: ffff880f74e758b0 + R13: 000000000000001f R14: 0000000000000000 R15: ffff88105a300000 + FS: 0000000000000000(0000) GS:ffff88105df40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000102 CR3: 00000000019f2000 CR4: 00000000001407e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Stack: + ffff88105b6dd708 0000001f00000286 0000000000000086 ffff88105a300000 + ffff880f74e75800 0000000000000000 ffff88105a300000 ffff88105df43d98 + ffffffff810a6b85 ffff88105a301e80 ffff88105df43dc8 ffffffffc0224cde + Call Trace: + IRQ + + [ffffffff810a6b85] queue_work_on+0x45/0x50 + [ffffffffc0224cde] _hfi1_schedule_send+0x6e/0xc0 [hfi1] + [ffffffffc0170570] ? get_map_page+0x60/0x60 [rdmavt] + [ffffffffc0224d62] hfi1_schedule_send+0x32/0x70 [hfi1] + [ffffffffc0170644] rvt_rc_timeout+0xd4/0x120 [rdmavt] + [ffffffffc0170570] ? get_map_page+0x60/0x60 [rdmavt] + [ffffffff81097316] call_timer_fn+0x36/0x110 + [ffffffffc0170570] ? get_map_page+0x60/0x60 [rdmavt] + [ffffffff8109982d] run_timer_softirq+0x22d/0x310 + [ffffffff81090b3f] __do_softirq+0xef/0x280 + [ffffffff816b6a5c] call_softirq+0x1c/0x30 + [ffffffff8102d3c5] do_softirq+0x65/0xa0 + [ffffffff81090ec5] irq_exit+0x105/0x110 + [ffffffff816b76c2] smp_apic_timer_interrupt+0x42/0x50 + [ffffffff816b5c1d] apic_timer_interrupt+0x6d/0x80 + EOI + + [ffffffff81527a02] ? 
cpuidle_enter_state+0x52/0xc0 + [ffffffff81527b48] cpuidle_idle_call+0xd8/0x210 + [ffffffff81034fee] arch_cpu_idle+0xe/0x30 + [ffffffff810e7bca] cpu_startup_entry+0x14a/0x1c0 + [ffffffff81051af6] start_secondary+0x1b6/0x230 + Code: 89 e5 41 57 41 56 49 89 f6 41 55 41 89 fd 41 54 49 89 d4 53 48 83 ec 10 89 7d d4 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 be 02 00 00 41 f6 86 02 01 00 00 01 0f 85 58 02 00 00 49 c7 c7 28 19 01 00 + RIP [ffffffff810a65f2] __queue_work+0x32/0x3c0 + RSP ffff88105df43d48 + CR2: 0000000000000102 + +The solution is to reset the QPs before the device resources are freed. +This reset will change the QP state to prevent post sends and delete +timers to prevent callbacks. + +Fixes: 0acb0cc7ecc1 ("IB/rdmavt: Initialize and teardown of qpn table") +Link: https://lore.kernel.org/r/20200210131040.87408.38161.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rdmavt/qp.c | 84 +++++++++++++++++++++++--------------- + 1 file changed, 51 insertions(+), 33 deletions(-) + +--- a/drivers/infiniband/sw/rdmavt/qp.c ++++ b/drivers/infiniband/sw/rdmavt/qp.c +@@ -58,6 +58,8 @@ + #include "trace.h" + + static void rvt_rc_timeout(struct timer_list *t); ++static void rvt_reset_qp(struct rvt_dev_info *rdi, struct rvt_qp *qp, ++ enum ib_qp_type type); + + /* + * Convert the AETH RNR timeout code into the number of microseconds. +@@ -268,40 +270,41 @@ no_qp_table: + } + + /** +- * free_all_qps - check for QPs still in use ++ * rvt_free_qp_cb - callback function to reset a qp ++ * @qp: the qp to reset ++ * @v: a 64-bit value ++ * ++ * This function resets the qp and removes it from the ++ * qp hash table. 
++ */ ++static void rvt_free_qp_cb(struct rvt_qp *qp, u64 v) ++{ ++ unsigned int *qp_inuse = (unsigned int *)v; ++ struct rvt_dev_info *rdi = ib_to_rvt(qp->ibqp.device); ++ ++ /* Reset the qp and remove it from the qp hash list */ ++ rvt_reset_qp(rdi, qp, qp->ibqp.qp_type); ++ ++ /* Increment the qp_inuse count */ ++ (*qp_inuse)++; ++} ++ ++/** ++ * rvt_free_all_qps - check for QPs still in use + * @rdi: rvt device info structure + * + * There should not be any QPs still in use. + * Free memory for table. ++ * Return the number of QPs still in use. + */ + static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) + { +- unsigned long flags; +- struct rvt_qp *qp; +- unsigned n, qp_inuse = 0; +- spinlock_t *ql; /* work around too long line below */ +- +- if (rdi->driver_f.free_all_qps) +- qp_inuse = rdi->driver_f.free_all_qps(rdi); ++ unsigned int qp_inuse = 0; + + qp_inuse += rvt_mcast_tree_empty(rdi); + +- if (!rdi->qp_dev) +- return qp_inuse; ++ rvt_qp_iter(rdi, (u64)&qp_inuse, rvt_free_qp_cb); + +- ql = &rdi->qp_dev->qpt_lock; +- spin_lock_irqsave(ql, flags); +- for (n = 0; n < rdi->qp_dev->qp_table_size; n++) { +- qp = rcu_dereference_protected(rdi->qp_dev->qp_table[n], +- lockdep_is_held(ql)); +- RCU_INIT_POINTER(rdi->qp_dev->qp_table[n], NULL); +- +- for (; qp; qp = rcu_dereference_protected(qp->next, +- lockdep_is_held(ql))) +- qp_inuse++; +- } +- spin_unlock_irqrestore(ql, flags); +- synchronize_rcu(); + return qp_inuse; + } + +@@ -684,14 +687,14 @@ static void rvt_init_qp(struct rvt_dev_i + } + + /** +- * rvt_reset_qp - initialize the QP state to the reset state ++ * _rvt_reset_qp - initialize the QP state to the reset state + * @qp: the QP to reset + * @type: the QP type + * + * r_lock, s_hlock, and s_lock are required to be held by the caller + */ +-static void rvt_reset_qp(struct rvt_dev_info *rdi, struct rvt_qp *qp, +- enum ib_qp_type type) ++static void _rvt_reset_qp(struct rvt_dev_info *rdi, struct rvt_qp *qp, ++ enum ib_qp_type type) + 
__must_hold(&qp->s_lock) + __must_hold(&qp->s_hlock) + __must_hold(&qp->r_lock) +@@ -737,6 +740,27 @@ static void rvt_reset_qp(struct rvt_dev_ + lockdep_assert_held(&qp->s_lock); + } + ++/** ++ * rvt_reset_qp - initialize the QP state to the reset state ++ * @rdi: the device info ++ * @qp: the QP to reset ++ * @type: the QP type ++ * ++ * This is the wrapper function to acquire the r_lock, s_hlock, and s_lock ++ * before calling _rvt_reset_qp(). ++ */ ++static void rvt_reset_qp(struct rvt_dev_info *rdi, struct rvt_qp *qp, ++ enum ib_qp_type type) ++{ ++ spin_lock_irq(&qp->r_lock); ++ spin_lock(&qp->s_hlock); ++ spin_lock(&qp->s_lock); ++ _rvt_reset_qp(rdi, qp, type); ++ spin_unlock(&qp->s_lock); ++ spin_unlock(&qp->s_hlock); ++ spin_unlock_irq(&qp->r_lock); ++} ++ + /** rvt_free_qpn - Free a qpn from the bit map + * @qpt: QP table + * @qpn: queue pair number to free +@@ -1285,7 +1309,7 @@ int rvt_modify_qp(struct ib_qp *ibqp, st + switch (new_state) { + case IB_QPS_RESET: + if (qp->state != IB_QPS_RESET) +- rvt_reset_qp(rdi, qp, ibqp->qp_type); ++ _rvt_reset_qp(rdi, qp, ibqp->qp_type); + break; + + case IB_QPS_RTR: +@@ -1434,13 +1458,7 @@ int rvt_destroy_qp(struct ib_qp *ibqp) + struct rvt_qp *qp = ibqp_to_rvtqp(ibqp); + struct rvt_dev_info *rdi = ib_to_rvt(ibqp->device); + +- spin_lock_irq(&qp->r_lock); +- spin_lock(&qp->s_hlock); +- spin_lock(&qp->s_lock); + rvt_reset_qp(rdi, qp, ibqp->qp_type); +- spin_unlock(&qp->s_lock); +- spin_unlock(&qp->s_hlock); +- spin_unlock_irq(&qp->r_lock); + + wait_event(qp->wait, !atomic_read(&qp->refcount)); + /* qpn is now available for use again */ diff --git a/queue-4.19/nfsv4.1-make-cachethis-no-for-writes.patch b/queue-4.19/nfsv4.1-make-cachethis-no-for-writes.patch new file mode 100644 index 00000000000..03160518b11 --- /dev/null +++ b/queue-4.19/nfsv4.1-make-cachethis-no-for-writes.patch 
@@ -0,0 +1,32 @@ +From cd1b659d8ce7697ee9799b64f887528315b9097b Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Wed, 12 Feb 2020 17:32:12 -0500 +Subject: NFSv4.1 make cachethis=no for writes + +From: Olga Kornievskaia + +commit cd1b659d8ce7697ee9799b64f887528315b9097b upstream. + +Turning caching off for writes on the server should improve performance. + +Fixes: fba83f34119a ("NFS: Pass "privileged" value to nfs4_init_sequence()") +Signed-off-by: Olga Kornievskaia +Reviewed-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -5117,7 +5117,7 @@ static void nfs4_proc_write_setup(struct + hdr->timestamp = jiffies; + + msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_WRITE]; +- nfs4_init_sequence(&hdr->args.seq_args, &hdr->res.seq_res, 1, 0); ++ nfs4_init_sequence(&hdr->args.seq_args, &hdr->res.seq_res, 0, 0); + nfs4_state_protect_write(server->nfs_client, clnt, msg, hdr); + } + diff --git a/queue-4.19/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvme_get_fw_slot_info.patch b/queue-4.19/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvme_get_fw_slot_info.patch new file mode 100644 index 00000000000..4e675bb19b5 --- /dev/null +++ b/queue-4.19/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvme_get_fw_slot_info.patch 
@@ -0,0 +1,37 @@ +From f25372ffc3f6c2684b57fb718219137e6ee2b64c Mon Sep 17 00:00:00 2001 +From: Yi Zhang +Date: Fri, 14 Feb 2020 18:48:02 +0800 +Subject: nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info + +From: Yi Zhang + +commit f25372ffc3f6c2684b57fb718219137e6ee2b64c upstream. + +nvme fw-activate operation will get bellow warning log, +fix it by update the parameter order + +[ 113.231513] nvme nvme0: Get FW SLOT INFO log error + +Fixes: 0e98719b0e4b ("nvme: simplify the API for getting log pages") +Reported-by: Sujith Pandel +Reviewed-by: David Milburn +Signed-off-by: Yi Zhang +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3449,7 +3449,7 @@ static void nvme_get_fw_slot_info(struct + if (!log) + return; + +- if (nvme_get_log(ctrl, NVME_NSID_ALL, 0, NVME_LOG_FW_SLOT, log, ++ if (nvme_get_log(ctrl, NVME_NSID_ALL, NVME_LOG_FW_SLOT, 0, log, + sizeof(*log), 0)) + dev_warn(ctrl->device, "Get FW SLOT INFO log error\n"); + kfree(log); diff --git a/queue-4.19/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch b/queue-4.19/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch new file mode 100644 index 00000000000..b18b2d54904 --- /dev/null +++ b/queue-4.19/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch 
@@ -0,0 +1,87 @@ +From f861854e1b435b27197417f6f90d87188003cb24 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 21 Jan 2020 11:01:25 -0800 +Subject: perf/x86/intel: Fix inaccurate period in context switch for auto-reload + +From: Kan Liang + +commit f861854e1b435b27197417f6f90d87188003cb24 upstream. + +Perf doesn't take the left period into account when auto-reload is +enabled with fixed period sampling mode in context switch. + +Here is the MSR trace of the perf command as below. +(The MSR trace is simplified from a ftrace log.) + + #perf record -e cycles:p -c 2000000 -- ./triad_loop + + //The MSR trace of task schedule out + //perf disable all counters, disable PEBS, disable GP counter 0, + //read GP counter 0, and re-enable all counters. + //The counter 0 stops at 0xfffffff82840 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0 + write_msr: MSR_P6_EVNTSEL0(186), value 40003003c + rdpmc: 0, value fffffff82840 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + + //The MSR trace of the same task schedule in again + //perf disable all counters, enable and set GP counter 0, + //enable PEBS, and re-enable all counters. + //0xffffffe17b80 (-2000000) is written to GP counter 0. + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PMC0(4c1), value ffffffe17b80 + write_msr: MSR_P6_EVNTSEL0(186), value 40043003c + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + +When the same task schedule in again, the counter should starts from +previous left. However, it starts from the fixed period -2000000 again. + +A special variant of intel_pmu_save_and_restart() is used for +auto-reload, which doesn't update the hwc->period_left. +When the monitored task schedules in again, perf doesn't know the left +period. The fixed period is used, which is inaccurate. + +With auto-reload, the counter always has a negative counter value. 
So +the left period is -value. Update the period_left in +intel_pmu_save_and_restart_reload(). + +With the patch: + + //The MSR trace of task schedule out + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0 + write_msr: MSR_P6_EVNTSEL0(186), value 40003003c + rdpmc: 0, value ffffffe25cbc + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + + //The MSR trace of the same task schedule in again + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PMC0(4c1), value ffffffe25cbc + write_msr: MSR_P6_EVNTSEL0(186), value 40043003c + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + +Fixes: d31fc13fdcb2 ("perf/x86/intel: Fix event update for auto-reload") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Link: https://lkml.kernel.org/r/20200121190125.3389-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/ds.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1402,6 +1402,8 @@ intel_pmu_save_and_restart_reload(struct + old = ((s64)(prev_raw_count << shift) >> shift); + local64_add(new - old + count * period, &event->count); + ++ local64_set(&hwc->period_left, -new); ++ + perf_event_update_userpage(event); + + return 0; diff --git a/queue-4.19/rdma-core-fix-invalid-memory-access-in-spec_filter_size.patch b/queue-4.19/rdma-core-fix-invalid-memory-access-in-spec_filter_size.patch new file mode 100644 index 00000000000..b3de7437d2e --- /dev/null +++ b/queue-4.19/rdma-core-fix-invalid-memory-access-in-spec_filter_size.patch 
@@ -0,0 +1,105 @@ +From a72f4ac1d778f7bde93dfee69bfc23377ec3d74f Mon Sep 17 00:00:00 2001 +From: Avihai Horon +Date: Sun, 26 Jan 2020 19:15:00 +0200 +Subject: RDMA/core: Fix invalid memory access in spec_filter_size + +From: Avihai Horon + +commit a72f4ac1d778f7bde93dfee69bfc23377ec3d74f upstream. + +Add a check that the size specified in the flow spec header doesn't cause +an overflow when calculating the filter size, and thus prevent access to +invalid memory. The following crash from syzkaller revealed it. + + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 17834 Comm: syz-executor.3 Not tainted 5.5.0-rc5 #2 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + RIP: 0010:memchr_inv+0xd3/0x330 + Code: 89 f9 89 f5 83 e1 07 0f 85 f9 00 00 00 49 89 d5 49 c1 ed 03 45 85 + ed 74 6f 48 89 d9 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 01 + 00 0f 85 0d 02 00 00 44 0f b6 e5 48 b8 01 01 01 01 01 01 + RSP: 0018:ffffc9000a13fa50 EFLAGS: 00010202 + RAX: dffffc0000000000 RBX: 7fff88810de9d820 RCX: 0ffff11021bd3b04 + RDX: 000000000000fff8 RSI: 0000000000000000 RDI: 7fff88810de9d820 + RBP: 0000000000000000 R08: ffff888110d69018 R09: 0000000000000009 + R10: 0000000000000001 R11: ffffed10236267cc R12: 0000000000000004 + R13: 0000000000001fff R14: ffff88810de9d820 R15: 0000000000000040 + FS: 00007f9ee0e51700(0000) GS:ffff88811b100000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 0000000115ea0006 CR4: 0000000000360ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + spec_filter_size.part.16+0x34/0x50 + ib_uverbs_kern_spec_to_ib_spec_filter+0x691/0x770 + ib_uverbs_ex_create_flow+0x9ea/0x1b40 + ib_uverbs_write+0xaa5/0xdf0 + 
__vfs_write+0x7c/0x100 + vfs_write+0x168/0x4a0 + ksys_write+0xc8/0x200 + do_syscall_64+0x9c/0x390 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x465b49 + Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 + f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 + f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007f9ee0e50c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49 + RDX: 00000000000003a0 RSI: 00000000200007c0 RDI: 0000000000000004 + RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ee0e516bc + R13: 00000000004ca2da R14: 000000000070deb8 R15: 00000000ffffffff + Modules linked in: + Dumping ftrace buffer: + (ftrace buffer empty) + +Fixes: 94e03f11ad1f ("IB/uverbs: Add support for flow tag") +Link: https://lore.kernel.org/r/20200126171500.4623-1-leon@kernel.org +Signed-off-by: Avihai Horon +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2914,12 +2914,6 @@ static int kern_spec_to_ib_spec_action(s + return 0; + } + +-static size_t kern_spec_filter_sz(const struct ib_uverbs_flow_spec_hdr *spec) +-{ +- /* Returns user space filter size, includes padding */ +- return (spec->size - sizeof(struct ib_uverbs_flow_spec_hdr)) / 2; +-} +- + static ssize_t spec_filter_size(const void *kern_spec_filter, u16 kern_filter_size, + u16 ib_real_filter_sz) + { +@@ -3063,11 +3057,16 @@ int ib_uverbs_kern_spec_to_ib_spec_filte + static int kern_spec_to_ib_spec_filter(struct ib_uverbs_flow_spec *kern_spec, + union ib_flow_spec *ib_spec) + { +- ssize_t kern_filter_sz; ++ size_t kern_filter_sz; + 
void *kern_spec_mask; + void *kern_spec_val; + +- kern_filter_sz = kern_spec_filter_sz(&kern_spec->hdr); ++ if (check_sub_overflow((size_t)kern_spec->hdr.size, ++ sizeof(struct ib_uverbs_flow_spec_hdr), ++ &kern_filter_sz)) ++ return -EINVAL; ++ ++ kern_filter_sz /= 2; + + kern_spec_val = (void *)kern_spec + + sizeof(struct ib_uverbs_flow_spec_hdr); diff --git a/queue-4.19/rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch b/queue-4.19/rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch new file mode 100644 index 00000000000..2117ae2a1a1 --- /dev/null +++ b/queue-4.19/rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch 
@@ -0,0 +1,94 @@ +From 1dd017882e01d2fcd9c5dbbf1eb376211111c393 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 12 Feb 2020 10:06:51 +0200 +Subject: RDMA/core: Fix protection fault in get_pkey_idx_qp_list + +From: Leon Romanovsky + +commit 1dd017882e01d2fcd9c5dbbf1eb376211111c393 upstream. + +We don't need to set pkey as valid in case that user set only one of pkey +index or port number, otherwise it will be resulted in NULL pointer +dereference while accessing to uninitialized pkey list. The following +crash from Syzkaller revealed it. + + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 14753 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + RIP: 0010:get_pkey_idx_qp_list+0x161/0x2d0 + Code: 01 00 00 49 8b 5e 20 4c 39 e3 0f 84 b9 00 00 00 e8 e4 42 6e fe 48 + 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 + 02 84 c0 74 08 3c 01 0f 8e d0 00 00 00 48 8d 7d 04 48 b8 + RSP: 0018:ffffc9000bc6f950 EFLAGS: 00010202 + RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82c8bdec + RDX: 0000000000000002 RSI: ffffc900030a8000 RDI: 0000000000000010 + RBP: ffff888112c8ce80 R08: 0000000000000004 R09: fffff5200178df1f + R10: 0000000000000001 R11: fffff5200178df1f R12: ffff888115dc4430 + R13: ffff888115da8498 R14: ffff888115dc4410 R15: ffff888115da8000 + FS: 00007f20777de700(0000) GS:ffff88811b100000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000001b2f721000 CR3: 00000001173ca002 CR4: 0000000000360ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + port_pkey_list_insert+0xd7/0x7c0 + ib_security_modify_qp+0x6fa/0xfc0 + _ib_modify_qp+0x8c4/0xbf0 + 
modify_qp+0x10da/0x16d0 + ib_uverbs_modify_qp+0x9a/0x100 + ib_uverbs_write+0xaa5/0xdf0 + __vfs_write+0x7c/0x100 + vfs_write+0x168/0x4a0 + ksys_write+0xc8/0x200 + do_syscall_64+0x9c/0x390 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs") +Link: https://lore.kernel.org/r/20200212080651.GB679970@unreal +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Message-Id: <20200212080651.GB679970@unreal> +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -336,22 +336,16 @@ static struct ib_ports_pkeys *get_new_pp + if (!new_pps) + return NULL; + +- if (qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) { +- if (!qp_pps) { +- new_pps->main.port_num = qp_attr->port_num; +- new_pps->main.pkey_index = qp_attr->pkey_index; +- } else { +- new_pps->main.port_num = (qp_attr_mask & IB_QP_PORT) ? +- qp_attr->port_num : +- qp_pps->main.port_num; +- +- new_pps->main.pkey_index = +- (qp_attr_mask & IB_QP_PKEY_INDEX) ? +- qp_attr->pkey_index : +- qp_pps->main.pkey_index; +- } ++ if (qp_attr_mask & IB_QP_PORT) ++ new_pps->main.port_num = ++ (qp_pps) ? qp_pps->main.port_num : qp_attr->port_num; ++ if (qp_attr_mask & IB_QP_PKEY_INDEX) ++ new_pps->main.pkey_index = (qp_pps) ? qp_pps->main.pkey_index : ++ qp_attr->pkey_index; ++ if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT)) + new_pps->main.state = IB_PORT_PKEY_VALID; +- } else if (qp_pps) { ++ ++ if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps) { + new_pps->main.port_num = qp_pps->main.port_num; + new_pps->main.pkey_index = qp_pps->main.pkey_index; + if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID) 
diff --git a/queue-4.19/rdma-hfi1-fix-memory-leak-in-_dev_comp_vect_mappings_create.patch b/queue-4.19/rdma-hfi1-fix-memory-leak-in-_dev_comp_vect_mappings_create.patch new file mode 100644 index 00000000000..ee54b8ec2af --- /dev/null +++ b/queue-4.19/rdma-hfi1-fix-memory-leak-in-_dev_comp_vect_mappings_create.patch 
@@ -0,0 +1,51 @@ +From 8a4f300b978edbbaa73ef9eca660e45eb9f13873 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Wed, 5 Feb 2020 13:05:30 +0200 +Subject: RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create + +From: Kamal Heib + +commit 8a4f300b978edbbaa73ef9eca660e45eb9f13873 upstream. + +Make sure to free the allocated cpumask_var_t's to avoid the following +reported memory leak by kmemleak: + +$ cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff8897f812d6a8 (size 8): + comm "kworker/1:1", pid 347, jiffies 4294751400 (age 101.703s) + hex dump (first 8 bytes): + 00 00 00 00 00 00 00 00 ........ + backtrace: + [<00000000bff49664>] alloc_cpumask_var_node+0x4c/0xb0 + [<0000000075d3ca81>] hfi1_comp_vectors_set_up+0x20f/0x800 [hfi1] + [<0000000098d420df>] hfi1_init_dd+0x3311/0x4960 [hfi1] + [<0000000071be7e52>] init_one+0x25e/0xf10 [hfi1] + [<000000005483d4c2>] local_pci_probe+0xd4/0x180 + [<000000007c3cbc6e>] work_for_cpu_fn+0x51/0xa0 + [<000000001d626905>] process_one_work+0x8f0/0x17b0 + [<000000007e569e7e>] worker_thread+0x536/0xb50 + [<00000000fd39a4a5>] kthread+0x30c/0x3d0 + [<0000000056f2edb3>] ret_from_fork+0x3a/0x50 + +Fixes: 5d18ee67d4c1 ("IB/{hfi1, rdmavt, qib}: Implement CQ completion vector support") +Link: https://lore.kernel.org/r/20200205110530.12129-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/affinity.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -478,6 +478,8 @@ static int _dev_comp_vect_mappings_creat + rvt_get_ibdev_name(&(dd)->verbs_dev.rdi), i, cpu); + } + ++ free_cpumask_var(available_cpus); ++ free_cpumask_var(non_intr_cpus); + return 0; + + fail: 
diff --git a/queue-4.19/rdma-rxe-fix-soft-lockup-problem-due-to-using-tasklets-in-softirq.patch b/queue-4.19/rdma-rxe-fix-soft-lockup-problem-due-to-using-tasklets-in-softirq.patch new file mode 100644 index 00000000000..a9f3d9f0ee2 --- /dev/null +++ b/queue-4.19/rdma-rxe-fix-soft-lockup-problem-due-to-using-tasklets-in-softirq.patch 
@@ -0,0 +1,83 @@ +From 8ac0e6641c7ca14833a2a8c6f13d8e0a435e535c Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun +Date: Wed, 12 Feb 2020 09:26:33 +0200 +Subject: RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq + +From: Zhu Yanjun + +commit 8ac0e6641c7ca14833a2a8c6f13d8e0a435e535c upstream. + +When run stress tests with RXE, the following Call Traces often occur + + watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [swapper/2:0] + ... + Call Trace: + + create_object+0x3f/0x3b0 + kmem_cache_alloc_node_trace+0x129/0x2d0 + __kmalloc_reserve.isra.52+0x2e/0x80 + __alloc_skb+0x83/0x270 + rxe_init_packet+0x99/0x150 [rdma_rxe] + rxe_requester+0x34e/0x11a0 [rdma_rxe] + rxe_do_task+0x85/0xf0 [rdma_rxe] + tasklet_action_common.isra.21+0xeb/0x100 + __do_softirq+0xd0/0x298 + irq_exit+0xc5/0xd0 + smp_apic_timer_interrupt+0x68/0x120 + apic_timer_interrupt+0xf/0x20 + + ... + +The root cause is that tasklet is actually a softirq. In a tasklet +handler, another softirq handler is triggered. Usually these softirq +handlers run on the same cpu core. So this will cause "soft lockup Bug". 
+ +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20200212072635.682689-8-leon@kernel.org +Signed-off-by: Zhu Yanjun +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -329,7 +329,7 @@ static inline enum comp_state check_ack( + qp->comp.psn = pkt->psn; + if (qp->req.wait_psn) { + qp->req.wait_psn = 0; +- rxe_run_task(&qp->req.task, 1); ++ rxe_run_task(&qp->req.task, 0); + } + } + return COMPST_ERROR_RETRY; +@@ -457,7 +457,7 @@ static void do_complete(struct rxe_qp *q + */ + if (qp->req.wait_fence) { + qp->req.wait_fence = 0; +- rxe_run_task(&qp->req.task, 1); ++ rxe_run_task(&qp->req.task, 0); + } + } + +@@ -473,7 +473,7 @@ static inline enum comp_state complete_a + if (qp->req.need_rd_atomic) { + qp->comp.timeout_retry = 0; + qp->req.need_rd_atomic = 0; +- rxe_run_task(&qp->req.task, 1); ++ rxe_run_task(&qp->req.task, 0); + } + } + +@@ -719,7 +719,7 @@ int rxe_completer(void *arg) + RXE_CNT_COMP_RETRY); + qp->req.need_retry = 1; + qp->comp.started_retry = 1; +- rxe_run_task(&qp->req.task, 1); ++ rxe_run_task(&qp->req.task, 0); + } + + if (pkt) { diff --git a/queue-4.19/s390-time-fix-clk-type-in-get_tod_clock.patch b/queue-4.19/s390-time-fix-clk-type-in-get_tod_clock.patch new file mode 100644 index 00000000000..694d0d8ea9c --- /dev/null +++ b/queue-4.19/s390-time-fix-clk-type-in-get_tod_clock.patch 
@@ -0,0 +1,54 @@ +From 0f8a206df7c920150d2aa45574fba0ab7ff6be4f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 8 Feb 2020 07:08:59 -0700 +Subject: s390/time: Fix clk type in get_tod_clock + +From: Nathan Chancellor + +commit 0f8a206df7c920150d2aa45574fba0ab7ff6be4f upstream. + +Clang warns: + +In file included from ../arch/s390/boot/startup.c:3: +In file included from ../include/linux/elf.h:5: +In file included from ../arch/s390/include/asm/elf.h:132: +In file included from ../include/linux/compat.h:10: +In file included from ../include/linux/time.h:74: +In file included from ../include/linux/time32.h:13: +In file included from ../include/linux/timex.h:65: +../arch/s390/include/asm/timex.h:160:20: warning: passing 'unsigned char +[16]' to parameter of type 'char *' converts between pointers to integer +types with different sign [-Wpointer-sign] + get_tod_clock_ext(clk); + ^~~ +../arch/s390/include/asm/timex.h:149:44: note: passing argument to +parameter 'clk' here +static inline void get_tod_clock_ext(char *clk) + ^ + +Change clk's type to just be char so that it matches what happens in +get_tod_clock_ext. + +Fixes: 57b28f66316d ("[S390] s390_hypfs: Add new attributes") +Link: https://github.com/ClangBuiltLinux/linux/issues/861 +Link: http://lkml.kernel.org/r/20200208140858.47970-1-natechancellor@gmail.com +Reviewed-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/timex.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -155,7 +155,7 @@ static inline void get_tod_clock_ext(cha + + static inline unsigned long long get_tod_clock(void) + { +- unsigned char clk[STORE_CLOCK_EXT_SIZE]; ++ char clk[STORE_CLOCK_EXT_SIZE]; + + get_tod_clock_ext(clk); + return *((unsigned long long *)&clk[1]); 
diff --git a/queue-4.19/series b/queue-4.19/series index 45e16d512a2..c89ee3685b5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -21,3 +21,15 @@ arm-npcm-bring-back-gpiolib-support.patch arm64-ssbs-fix-context-switch-when-ssbs-is-present-on-all-cpus.patch kvm-nvmx-use-correct-root-level-for-nested-ept-shadow-page-tables.patch perf-x86-amd-add-missing-l2-misses-event-spec-to-amd-family-17h-s-event-map.patch +nvme-fix-the-parameter-order-for-nvme_get_log-in-nvme_get_fw_slot_info.patch +ib-hfi1-acquire-lock-to-release-tid-entries-when-user-file-is-closed.patch +ib-hfi1-close-window-for-pq-and-request-coliding.patch +ib-rdmavt-reset-all-qps-when-the-device-is-shut-down.patch +rdma-core-fix-invalid-memory-access-in-spec_filter_size.patch +rdma-hfi1-fix-memory-leak-in-_dev_comp_vect_mappings_create.patch +rdma-rxe-fix-soft-lockup-problem-due-to-using-tasklets-in-softirq.patch +rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch +s390-time-fix-clk-type-in-get_tod_clock.patch +perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch +hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch +nfsv4.1-make-cachethis-no-for-writes.patch
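Review bot: In arch/x86/events/intel/ds.c, the added `local64_set(&hwc->period_left, -new);` in intel_pmu_save_and_restart_reload() carries no comment, and without one the negation reads like a sign error. The commit message has the reasoning (with auto-reload the counter value is always negative, so the left period is -value); a one-line comment above the call would keep that invariant next to the code.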
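Review bot: In drivers/infiniband/core/uverbs_cmd.c, kern_spec_to_ib_spec_filter() now open-codes the size computation and loses the comment that the removed kern_spec_filter_sz() carried ("Returns user space filter size, includes padding"), so `kern_filter_sz /= 2;` is left unexplained. Suggest a short comment on the halving, or keeping the helper and letting it report the check_sub_overflow() failure. The check itself matches the reported crash: hdr.size arrives through ib_uverbs_write per the call trace, and a value smaller than sizeof(struct ib_uverbs_flow_spec_hdr) made the old unsigned subtraction wrap before the result was passed on as the filter size.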
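Review bot: In drivers/infiniband/core/security.c, the new condition `if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps)` uses logical `||` where the removed code used bitwise `|`, so the mask is tested against 1 instead of against the two attribute bits; it should read `(IB_QP_PKEY_INDEX | IB_QP_PORT)`. The two added ternaries also look inverted relative to the removed code: the old branch took qp_attr->port_num and qp_attr->pkey_index when the corresponding mask bit was set and fell back to qp_pps otherwise, while the new lines pick the qp_pps value whenever qp_pps is non-NULL, which discards the value the caller asked to set.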
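Review bot: In drivers/infiniband/hw/hfi1/affinity.c, the two free_cpumask_var() calls are added only on the success path, directly above `return 0;` and the `fail:` label. The hunk does not show what `fail:` releases, so please confirm that available_cpus and non_intr_cpus are freed there as well, and consider routing both exits through one cleanup label so the two sets of frees cannot drift apart.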
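Review bot: In drivers/infiniband/sw/rxe/rxe_comp.c, all four hunks flip the second argument of `rxe_run_task(&qp->req.task, ...)` from 1 to 0, but neither the call sites nor the commit message say what that argument selects, so the link between the bare literal and the soft lockup has to be inferred. Suggest one sentence in the commit message stating what 0 does differently from 1, and a comment at the first site in check_ack() (or a named constant in place of the literal) so the choice is not reverted by accident.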
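Review bot: In arch/s390/include/asm/timex.h, get_tod_clock() silences -Wpointer-sign by making the buffer plain `char`, yet the buffer holds raw clock bytes that the last context line reads back through `*((unsigned long long *)&clk[1])`. Consider changing the parameter of `get_tod_clock_ext(char *clk)`, shown in the quoted Clang note, to an unsigned byte pointer instead, which fixes the same warning while keeping the buffer typed as unsigned bytes; if plain char stays, a short comment that signedness does not matter for this buffer would help.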