From: Greg Kroah-Hartman Date: Sun, 29 Dec 2019 16:09:56 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.161~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8f9d711983470c33bf81401259ea4ad1bb828a9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ext4-check-for-directory-entries-too-close-to-block-end.patch ext4-fix-ext4_empty_dir-for-directories-with-holes.patch ext4-unlock-on-error-in-ext4_expand_extra_isize.patch kvm-arm64-ensure-params-is-initialised-when-looking-up-sys-register.patch mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch mmc-sdhci-of-esdhc-revert-mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch mmc-sdhci-update-the-tuning-failed-messages-to-pr_debug-level.patch nbd-fix-shutdown-and-recv-work-deadlock-v2.patch powerpc-irq-fix-stack-overflow-verification.patch x86-mce-amd-allow-reserved-types-to-be-overwritten-in-smca_banks.patch x86-mce-amd-do-not-use-rdmsr_safe_on_cpu-in-smca_configure.patch --- diff --git a/queue-4.14/ext4-check-for-directory-entries-too-close-to-block-end.patch b/queue-4.14/ext4-check-for-directory-entries-too-close-to-block-end.patch new file mode 100644 index 00000000000..d4cc41f175b --- /dev/null +++ b/queue-4.14/ext4-check-for-directory-entries-too-close-to-block-end.patch @@ -0,0 +1,39 @@ +From 109ba779d6cca2d519c5dd624a3276d03e21948e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Dec 2019 18:02:13 +0100 +Subject: ext4: check for directory entries too close to block end + +From: Jan Kara + +commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream. + +ext4_check_dir_entry() currently does not catch a case when a directory +entry ends so close to the block end that the header of the next +directory entry would not fit in the remaining space. This can lead to +directory iteration code trying to access address beyond end of current +buffer head leading to oops. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -76,6 +76,11 @@ int __ext4_check_dir_entry(const char *f + error_msg = "rec_len is too small for name_len"; + else if (unlikely(((char *) de - buf) + rlen > size)) + error_msg = "directory entry overrun"; ++ else if (unlikely(((char *) de - buf) + rlen > ++ size - EXT4_DIR_REC_LEN(1) && ++ ((char *) de - buf) + rlen != size)) { ++ error_msg = "directory entry too close to block end"; ++ } + else if (unlikely(le32_to_cpu(de->inode) > + le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) + error_msg = "inode out of bounds"; diff --git a/queue-4.14/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch b/queue-4.14/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch new file mode 100644 index 00000000000..56f93e8ec25 --- /dev/null +++ b/queue-4.14/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch @@ -0,0 +1,97 @@ +From 64d4ce892383b2ad6d782e080d25502f91bf2a38 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Dec 2019 18:02:12 +0100 +Subject: ext4: fix ext4_empty_dir() for directories with holes + +From: Jan Kara + +commit 64d4ce892383b2ad6d782e080d25502f91bf2a38 upstream. + +Function ext4_empty_dir() doesn't correctly handle directories with +holes and crashes on bh->b_data dereference when bh is NULL. Reorganize +the loop to use 'offset' variable all the times instead of comparing +pointers to current direntry with bh->b_data pointer. Also add more +strict checking of '.' and '..' directory entries to avoid entering loop +in possibly invalid state on corrupted filesystems. + +References: CVE-2019-19037 +CC: stable@vger.kernel.org +Fixes: 4e19d6b65fb4 ("ext4: allow directory holes") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191202170213.4761-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2702,7 +2702,7 @@ bool ext4_empty_dir(struct inode *inode) + { + unsigned int offset; + struct buffer_head *bh; +- struct ext4_dir_entry_2 *de, *de1; ++ struct ext4_dir_entry_2 *de; + struct super_block *sb; + + if (ext4_has_inline_data(inode)) { +@@ -2727,19 +2727,25 @@ bool ext4_empty_dir(struct inode *inode) + return true; + + de = (struct ext4_dir_entry_2 *) bh->b_data; +- de1 = ext4_next_entry(de, sb->s_blocksize); +- if (le32_to_cpu(de->inode) != inode->i_ino || +- le32_to_cpu(de1->inode) == 0 || +- strcmp(".", de->name) || strcmp("..", de1->name)) { +- ext4_warning_inode(inode, "directory missing '.' and/or '..'"); ++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, ++ 0) || ++ le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) { ++ ext4_warning_inode(inode, "directory missing '.'"); + brelse(bh); + return true; + } +- offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) + +- ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize); +- de = ext4_next_entry(de1, sb->s_blocksize); ++ offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); ++ de = ext4_next_entry(de, sb->s_blocksize); ++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, ++ offset) || ++ le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) { ++ ext4_warning_inode(inode, "directory missing '..'"); ++ brelse(bh); ++ return true; ++ } ++ offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); + while (offset < inode->i_size) { +- if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { ++ if (!(offset & (sb->s_blocksize - 1))) { + unsigned int lblock; + brelse(bh); + lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb); +@@ -2750,12 +2756,11 @@ bool ext4_empty_dir(struct inode *inode) + } + if (IS_ERR(bh)) + return true; +- de = (struct ext4_dir_entry_2 *) bh->b_data; + } ++ de = (struct ext4_dir_entry_2 *) (bh->b_data + ++ (offset & (sb->s_blocksize - 1))); + if (ext4_check_dir_entry(inode, NULL, de, bh, + bh->b_data, bh->b_size, offset)) { +- de = (struct ext4_dir_entry_2 *)(bh->b_data + +- sb->s_blocksize); + offset = (offset | (sb->s_blocksize - 1)) + 1; + continue; + } +@@ -2764,7 +2769,6 @@ bool ext4_empty_dir(struct inode *inode) + return false; + } + offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); +- de = ext4_next_entry(de, sb->s_blocksize); + } + brelse(bh); + return true; diff --git a/queue-4.14/ext4-unlock-on-error-in-ext4_expand_extra_isize.patch b/queue-4.14/ext4-unlock-on-error-in-ext4_expand_extra_isize.patch new file mode 100644 index 00000000000..460c500f90d --- /dev/null +++ b/queue-4.14/ext4-unlock-on-error-in-ext4_expand_extra_isize.patch @@ -0,0 +1,43 @@ +From 7f420d64a08c1dcd65b27be82a27cf2bdb2e7847 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 13 Dec 2019 21:50:11 +0300 +Subject: ext4: unlock on error in ext4_expand_extra_isize() + +From: Dan Carpenter + +commit 7f420d64a08c1dcd65b27be82a27cf2bdb2e7847 upstream. + +We need to unlock the xattr before returning on this error path. + +Cc: stable@kernel.org # 4.13 +Fixes: c03b45b853f5 ("ext4, project: expand inode extra size if possible") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20191213185010.6k7yl2tck3wlsdkt@kili.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5874,7 +5874,7 @@ int ext4_expand_extra_isize(struct inode + error = ext4_journal_get_write_access(handle, iloc->bh); + if (error) { + brelse(iloc->bh); +- goto out_stop; ++ goto out_unlock; + } + + error = __ext4_expand_extra_isize(inode, new_extra_isize, iloc, +@@ -5884,8 +5884,8 @@ int ext4_expand_extra_isize(struct inode + if (!error) + error = rc; + ++out_unlock: + ext4_write_unlock_xattr(inode, &no_expand); +-out_stop: + ext4_journal_stop(handle); + return error; + } diff --git a/queue-4.14/kvm-arm64-ensure-params-is-initialised-when-looking-up-sys-register.patch b/queue-4.14/kvm-arm64-ensure-params-is-initialised-when-looking-up-sys-register.patch new file mode 100644 index 00000000000..b93e0dd3288 --- /dev/null +++ b/queue-4.14/kvm-arm64-ensure-params-is-initialised-when-looking-up-sys-register.patch @@ -0,0 +1,58 @@ +From 1ce74e96c2407df2b5867e5d45a70aacb8923c14 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 12 Dec 2019 09:40:49 +0000 +Subject: KVM: arm64: Ensure 'params' is initialised when looking up sys register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Will Deacon + +commit 1ce74e96c2407df2b5867e5d45a70aacb8923c14 upstream. + +Commit 4b927b94d5df ("KVM: arm/arm64: vgic: Introduce find_reg_by_id()") +introduced 'find_reg_by_id()', which looks up a system register only if +the 'id' index parameter identifies a valid system register. As part of +the patch, existing callers of 'find_reg()' were ported over to the new +interface, but this breaks 'index_to_sys_reg_desc()' in the case that the +initial lookup in the vCPU target table fails because we will then call +into 'find_reg()' for the system register table with an uninitialised +'param' as the key to the lookup. + +GCC 10 is bright enough to spot this (amongst a tonne of false positives, +but hey!): + + | arch/arm64/kvm/sys_regs.c: In function ‘index_to_sys_reg_desc.part.0.isra’: + | arch/arm64/kvm/sys_regs.c:983:33: warning: ‘params.Op2’ may be used uninitialized in this function [-Wmaybe-uninitialized] + | 983 | (u32)(x)->CRn, (u32)(x)->CRm, (u32)(x)->Op2); + | [...] + +Revert the hunk of 4b927b94d5df which breaks 'index_to_sys_reg_desc()' so +that the old behaviour of checking the index upfront is restored. + +Fixes: 4b927b94d5df ("KVM: arm/arm64: vgic: Introduce find_reg_by_id()") +Signed-off-by: Will Deacon +Signed-off-by: Marc Zyngier +Cc: +Link: https://lore.kernel.org/r/20191212094049.12437-1-will@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/sys_regs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -1785,8 +1785,11 @@ static const struct sys_reg_desc *index_ + if ((id & KVM_REG_ARM_COPROC_MASK) != KVM_REG_ARM64_SYSREG) + return NULL; + ++ if (!index_to_params(id, ¶ms)) ++ return NULL; ++ + table = get_target_table(vcpu->arch.target, true, &num); +- r = find_reg_by_id(id, ¶ms, table, num); ++ r = find_reg(¶ms, table, num); + if (!r) + r = find_reg(¶ms, sys_reg_descs, ARRAY_SIZE(sys_reg_descs)); + diff --git a/queue-4.14/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch b/queue-4.14/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch new file mode 100644 index 00000000000..8c2644a6ffc --- /dev/null +++ b/queue-4.14/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch @@ -0,0 +1,47 @@ +From fe0acab448f68c3146235afe03fb932e242ec94c Mon Sep 17 00:00:00 2001 +From: Yangbo Lu +Date: Mon, 16 Dec 2019 11:18:42 +0800 +Subject: mmc: sdhci-of-esdhc: fix P2020 errata handling + +From: Yangbo Lu + +commit fe0acab448f68c3146235afe03fb932e242ec94c upstream. + +Two previous patches introduced below quirks for P2020 platforms. +- SDHCI_QUIRK_RESET_AFTER_REQUEST +- SDHCI_QUIRK_BROKEN_TIMEOUT_VAL + +The patches made a mistake to add them in quirks2 of sdhci_host +structure, while they were defined for quirks. + host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; + host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + +This patch is to fix them. + host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST; + host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + +Fixes: 05cb6b2a66fa ("mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support") +Fixes: a46e42712596 ("mmc: sdhci-of-esdhc: add erratum eSDHC5 support") +Signed-off-by: Yangbo Lu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191216031842.40068-1-yangbo.lu@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -886,8 +886,8 @@ static int sdhci_esdhc_probe(struct plat + host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ; + + if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) { +- host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; +- host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; ++ host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST; ++ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + } + + if (of_device_is_compatible(np, "fsl,p5040-esdhc") || diff --git a/queue-4.14/mmc-sdhci-of-esdhc-revert-mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch b/queue-4.14/mmc-sdhci-of-esdhc-revert-mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch new file mode 100644 index 00000000000..16649037535 --- /dev/null +++ b/queue-4.14/mmc-sdhci-of-esdhc-revert-mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch @@ -0,0 +1,50 @@ +From 8b6dc6b2d60221e90703babbc141f063b8a07e72 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Wed, 4 Dec 2019 09:54:46 +0100 +Subject: mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" + +From: Rasmus Villemoes + +commit 8b6dc6b2d60221e90703babbc141f063b8a07e72 upstream. + +This reverts commit 5dd195522562542bc6ebe6e7bd47890d8b7ca93c. + +First, the fix seems to be plain wrong, since the erratum suggests +waiting 5ms before setting setting SYSCTL[RSTD], but this msleep() +happens after the call of sdhci_reset() which is where that bit gets +set (if SDHCI_RESET_DATA is in mask). + +Second, walking the whole device tree to figure out if some node has a +"fsl,p2020-esdhc" compatible string is hugely expensive - about 70 to +100 us on our mpc8309 board. Walking the device tree is done under a +raw_spin_lock, so this is obviously really bad on an -rt system, and a +waste of time on all. + +In fact, since esdhc_reset() seems to get called around 100 times per +second, that mpc8309 now spends 0.8% of its time determining that +it is not a p2020. Whether those 100 calls/s are normal or due to some +other bug or misconfiguration, regularly hitting a 100 us +non-preemptible window is unacceptable. + +Signed-off-by: Rasmus Villemoes +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191204085447.27491-1-linux@rasmusvillemoes.dk +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -615,9 +615,6 @@ static void esdhc_reset(struct sdhci_hos + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); + +- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) +- mdelay(5); +- + if (mask & SDHCI_RESET_ALL) { + val = sdhci_readl(host, ESDHC_TBCTL); + val &= ~ESDHC_TB_EN; diff --git a/queue-4.14/mmc-sdhci-update-the-tuning-failed-messages-to-pr_debug-level.patch b/queue-4.14/mmc-sdhci-update-the-tuning-failed-messages-to-pr_debug-level.patch new file mode 100644 index 00000000000..98b0fc9d3dd --- /dev/null +++ b/queue-4.14/mmc-sdhci-update-the-tuning-failed-messages-to-pr_debug-level.patch @@ -0,0 +1,43 @@ +From 2c92dd20304f505b6ef43d206fff21bda8f1f0ae Mon Sep 17 00:00:00 2001 +From: Faiz Abbas +Date: Fri, 6 Dec 2019 17:13:26 +0530 +Subject: mmc: sdhci: Update the tuning failed messages to pr_debug level + +From: Faiz Abbas + +commit 2c92dd20304f505b6ef43d206fff21bda8f1f0ae upstream. + +Tuning support in DDR50 speed mode was added in SD Specifications Part1 +Physical Layer Specification v3.01. Its not possible to distinguish +between v3.00 and v3.01 from the SCR and that is why since +commit 4324f6de6d2e ("mmc: core: enable CMD19 tuning for DDR50 mode") +tuning failures are ignored in DDR50 speed mode. + +Cards compatible with v3.00 don't respond to CMD19 in DDR50 and this +error gets printed during enumeration and also if retune is triggered at +any time during operation. Update the printk level to pr_debug so that +these errors don't lead to false error reports. + +Signed-off-by: Faiz Abbas +Cc: stable@vger.kernel.org # v4.4+ +Link: https://lore.kernel.org/r/20191206114326.15856-1-faiz_abbas@ti.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2162,8 +2162,8 @@ static void __sdhci_execute_tuning(struc + sdhci_send_tuning(host, opcode); + + if (!host->tuning_done) { +- pr_info("%s: Tuning timeout, falling back to fixed sampling clock\n", +- mmc_hostname(host->mmc)); ++ pr_debug("%s: Tuning timeout, falling back to fixed sampling clock\n", ++ mmc_hostname(host->mmc)); + sdhci_abort_tuning(host, opcode); + return; + } diff --git a/queue-4.14/nbd-fix-shutdown-and-recv-work-deadlock-v2.patch b/queue-4.14/nbd-fix-shutdown-and-recv-work-deadlock-v2.patch new file mode 100644 index 00000000000..ab1ff15afcd --- /dev/null +++ b/queue-4.14/nbd-fix-shutdown-and-recv-work-deadlock-v2.patch @@ -0,0 +1,55 @@ +From 1c05839aa973cfae8c3db964a21f9c0eef8fcc21 Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Sun, 8 Dec 2019 16:51:50 -0600 +Subject: nbd: fix shutdown and recv work deadlock v2 + +From: Mike Christie + +commit 1c05839aa973cfae8c3db964a21f9c0eef8fcc21 upstream. + +This fixes a regression added with: + +commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 +Author: Mike Christie +Date: Sun Aug 4 14:10:06 2019 -0500 + + nbd: fix max number of supported devs + +where we can deadlock during device shutdown. The problem occurs if +the recv_work's nbd_config_put occurs after nbd_start_device_ioctl has +returned and the userspace app has droppped its reference via closing +the device and running nbd_release. The recv_work nbd_config_put call +would then drop the refcount to zero and try to destroy the config which +would try to do destroy_workqueue from the recv work. + +This patch just has nbd_start_device_ioctl do a flush_workqueue when it +wakes so we know after the ioctl returns running works have exited. This +also fixes a possible race where we could try to reuse the device while +old recv_works are still running. + +Cc: stable@vger.kernel.org +Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs") +Signed-off-by: Mike Christie +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/nbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1234,10 +1234,10 @@ static int nbd_start_device_ioctl(struct + mutex_unlock(&nbd->config_lock); + ret = wait_event_interruptible(config->recv_wq, + atomic_read(&config->recv_threads) == 0); +- if (ret) { ++ if (ret) + sock_shutdown(nbd); +- flush_workqueue(nbd->recv_workq); +- } ++ flush_workqueue(nbd->recv_workq); ++ + mutex_lock(&nbd->config_lock); + bd_set_size(bdev, 0); + /* user requested, ignore socket errors */ diff --git a/queue-4.14/powerpc-irq-fix-stack-overflow-verification.patch b/queue-4.14/powerpc-irq-fix-stack-overflow-verification.patch new file mode 100644 index 00000000000..004d3047acb --- /dev/null +++ b/queue-4.14/powerpc-irq-fix-stack-overflow-verification.patch @@ -0,0 +1,50 @@ +From 099bc4812f09155da77eeb960a983470249c9ce1 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 9 Dec 2019 06:19:08 +0000 +Subject: powerpc/irq: fix stack overflow verification + +From: Christophe Leroy + +commit 099bc4812f09155da77eeb960a983470249c9ce1 upstream. + +Before commit 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of +the irq stack"), check_stack_overflow() was called by do_IRQ(), before +switching to the irq stack. +In that commit, do_IRQ() was renamed __do_irq(), and is now executing +on the irq stack, so check_stack_overflow() has just become almost +useless. + +Move check_stack_overflow() call in do_IRQ() to do the check while +still on the current stack. + +Fixes: 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of the irq stack") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/e033aa8116ab12b7ca9a9c75189ad0741e3b9b5f.1575872340.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -561,8 +561,6 @@ void __do_irq(struct pt_regs *regs) + + trace_irq_entry(regs); + +- check_stack_overflow(); +- + /* + * Query the platform PIC for the interrupt & ack it. + * +@@ -594,6 +592,8 @@ void do_IRQ(struct pt_regs *regs) + irqtp = hardirq_ctx[raw_smp_processor_id()]; + sirqtp = softirq_ctx[raw_smp_processor_id()]; + ++ check_stack_overflow(); ++ + /* Already there ? */ + if (unlikely(curtp == irqtp || curtp == sirqtp)) { + __do_irq(regs); diff --git a/queue-4.14/series b/queue-4.14/series index eed0aaa649b..c294b33ed45 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -148,3 +148,14 @@ intel_th-pci-add-comet-lake-pch-v-support.patch intel_th-pci-add-elkhart-lake-soc-support.patch platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch staging-comedi-gsc_hpdi-check-dma_alloc_coherent-return-value.patch +ext4-fix-ext4_empty_dir-for-directories-with-holes.patch +ext4-check-for-directory-entries-too-close-to-block-end.patch +ext4-unlock-on-error-in-ext4_expand_extra_isize.patch +kvm-arm64-ensure-params-is-initialised-when-looking-up-sys-register.patch +x86-mce-amd-do-not-use-rdmsr_safe_on_cpu-in-smca_configure.patch +x86-mce-amd-allow-reserved-types-to-be-overwritten-in-smca_banks.patch +powerpc-irq-fix-stack-overflow-verification.patch +mmc-sdhci-of-esdhc-revert-mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch +mmc-sdhci-update-the-tuning-failed-messages-to-pr_debug-level.patch +mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch +nbd-fix-shutdown-and-recv-work-deadlock-v2.patch diff --git a/queue-4.14/x86-mce-amd-allow-reserved-types-to-be-overwritten-in-smca_banks.patch b/queue-4.14/x86-mce-amd-allow-reserved-types-to-be-overwritten-in-smca_banks.patch new file mode 100644 index 00000000000..b24c076058d --- /dev/null +++ b/queue-4.14/x86-mce-amd-allow-reserved-types-to-be-overwritten-in-smca_banks.patch @@ -0,0 +1,96 @@ +From 966af20929ac24360ba3fac5533eb2ab003747da Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Thu, 21 Nov 2019 08:15:08 -0600 +Subject: x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks[] + +From: Yazen Ghannam + +commit 966af20929ac24360ba3fac5533eb2ab003747da upstream. + +Each logical CPU in Scalable MCA systems controls a unique set of MCA +banks in the system. These banks are not shared between CPUs. The bank +types and ordering will be the same across CPUs on currently available +systems. + +However, some CPUs may see a bank as Reserved/Read-as-Zero (RAZ) while +other CPUs do not. In this case, the bank seen as Reserved on one CPU is +assumed to be the same type as the bank seen as a known type on another +CPU. + +In general, this occurs when the hardware represented by the MCA bank +is disabled, e.g. disabled memory controllers on certain models, etc. +The MCA bank is disabled in the hardware, so there is no possibility of +getting an MCA/MCE from it even if it is assumed to have a known type. + +For example: + +Full system: + Bank | Type seen on CPU0 | Type seen on CPU1 + ------------------------------------------------ + 0 | LS | LS + 1 | UMC | UMC + 2 | CS | CS + +System with hardware disabled: + Bank | Type seen on CPU0 | Type seen on CPU1 + ------------------------------------------------ + 0 | LS | LS + 1 | UMC | RAZ + 2 | CS | CS + +For this reason, there is a single, global struct smca_banks[] that is +initialized at boot time. This array is initialized on each CPU as it +comes online. However, the array will not be updated if an entry already +exists. + +This works as expected when the first CPU (usually CPU0) has all +possible MCA banks enabled. But if the first CPU has a subset, then it +will save a "Reserved" type in smca_banks[]. Successive CPUs will then +not be able to update smca_banks[] even if they encounter a known bank +type. + +This may result in unexpected behavior. Depending on the system +configuration, a user may observe issues enumerating the MCA +thresholding sysfs interface. The issues may be as trivial as sysfs +entries not being available, or as severe as system hangs. + +For example: + + Bank | Type seen on CPU0 | Type seen on CPU1 + ------------------------------------------------ + 0 | LS | LS + 1 | RAZ | UMC + 2 | CS | CS + +Extend the smca_banks[] entry check to return if the entry is a +non-reserved type. Otherwise, continue so that CPUs that encounter a +known bank type can update smca_banks[]. + +Fixes: 68627a697c19 ("x86/mce/AMD, EDAC/mce_amd: Enumerate Reserved SMCA bank type") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: x86-ml +Link: https://lkml.kernel.org/r/20191121141508.141273-1-Yazen.Ghannam@amd.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -228,7 +228,7 @@ static void smca_configure(unsigned int + } + + /* Return early if this bank was already initialized. */ +- if (smca_banks[bank].hwid) ++ if (smca_banks[bank].hwid && smca_banks[bank].hwid->hwid_mcatype != 0) + return; + + if (rdmsr_safe(MSR_AMD64_SMCA_MCx_IPID(bank), &low, &high)) { diff --git a/queue-4.14/x86-mce-amd-do-not-use-rdmsr_safe_on_cpu-in-smca_configure.patch b/queue-4.14/x86-mce-amd-do-not-use-rdmsr_safe_on_cpu-in-smca_configure.patch new file mode 100644 index 00000000000..a077651acb2 --- /dev/null +++ b/queue-4.14/x86-mce-amd-do-not-use-rdmsr_safe_on_cpu-in-smca_configure.patch @@ -0,0 +1,73 @@ +From 246ff09f89e54fdf740a8d496176c86743db3ec7 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 31 Oct 2019 16:04:48 +0300 +Subject: x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() + +From: Konstantin Khlebnikov + +commit 246ff09f89e54fdf740a8d496176c86743db3ec7 upstream. + +... because interrupts are disabled that early and sending IPIs can +deadlock: + + BUG: sleeping function called from invalid context at kernel/sched/completion.c:99 + in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 + no locks held by swapper/1/0. + irq event stamp: 0 + hardirqs last enabled at (0): [<0000000000000000>] 0x0 + hardirqs last disabled at (0): [] copy_process+0x8b9/0x1ca0 + softirqs last enabled at (0): [] copy_process+0x8b9/0x1ca0 + softirqs last disabled at (0): [<0000000000000000>] 0x0 + Preemption disabled at: + [] start_secondary+0x3b/0x190 + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.5.0-rc2+ #1 + Hardware name: GIGABYTE MZ01-CE1-00/MZ01-CE1-00, BIOS F02 08/29/2018 + Call Trace: + dump_stack + ___might_sleep.cold.92 + wait_for_completion + ? generic_exec_single + rdmsr_safe_on_cpu + ? wrmsr_on_cpus + mce_amd_feature_init + mcheck_cpu_init + identify_cpu + identify_secondary_cpu + smp_store_cpu_info + start_secondary + secondary_startup_64 + +The function smca_configure() is called only on the current CPU anyway, +therefore replace rdmsr_safe_on_cpu() with atomic rdmsr_safe() and avoid +the IPI. + + [ bp: Update commit message. ] + +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Borislav Petkov +Reviewed-by: Yazen Ghannam +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: x86-ml +Link: https://lkml.kernel.org/r/157252708836.3876.4604398213417262402.stgit@buzz +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -231,7 +231,7 @@ static void smca_configure(unsigned int + if (smca_banks[bank].hwid) + return; + +- if (rdmsr_safe_on_cpu(cpu, MSR_AMD64_SMCA_MCx_IPID(bank), &low, &high)) { ++ if (rdmsr_safe(MSR_AMD64_SMCA_MCx_IPID(bank), &low, &high)) { + pr_warn("Failed to read MCA_IPID for bank %d\n", bank); + return; + }