From: Sasha Levin Date: Sat, 15 Jun 2019 23:17:06 +0000 (-0400) Subject: fixes for 5.1 X-Git-Tag: v5.1.11~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb43722cc434a6238c4f56243914d1b79a609495;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.1 Signed-off-by: Sasha Levin --- diff --git a/queue-5.1/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch b/queue-5.1/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch new file mode 100644 index 00000000000..b6b6ae63da5 --- /dev/null +++ b/queue-5.1/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch @@ -0,0 +1,102 @@ +From 2f9f4566838c22c6201bade83fb74f8580f1a827 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Apr 2019 18:04:17 +0200 +Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls + +[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ] + +The snd_seq_ioctl_get_subscription() retrieves the port subscriber +information as a pointer, while the object isn't protected, hence it +may be deleted before the actual reference. This race was spotted by +syzkaller and may lead to a UAF. + +The fix is simply copying the data in the lookup function that +performs in the rwsem to protect against the deletion. + +Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 10 ++-------- + sound/core/seq/seq_ports.c | 13 ++++++++----- + sound/core/seq/seq_ports.h | 5 +++-- + 3 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index b3280e81bfd1..8599f2937ac1 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1900,20 +1900,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client, + int result; + struct snd_seq_client *sender = NULL; + struct snd_seq_client_port *sport = NULL; +- struct snd_seq_subscribers *p; + + result = -EINVAL; + if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL) + goto __end; + if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL) + goto __end; +- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest); +- if (p) { +- result = 0; +- *subs = p->info; +- } else +- result = -ENOENT; +- ++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest, ++ subs); + __end: + if (sport) + snd_seq_port_unlock(sport); +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c +index da31aa8e216e..16289aefb443 100644 +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, + + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr) ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs) + { +- struct snd_seq_subscribers *s, *found = NULL; ++ struct snd_seq_subscribers *s; ++ int err = -ENOENT; + + down_read(&src_grp->list_mutex); + list_for_each_entry(s, &src_grp->list_head, src_list) { + if (addr_match(dest_addr, &s->info.dest)) { +- found = s; ++ *subs = s->info; ++ err = 0; + break; + } + } + up_read(&src_grp->list_mutex); +- return found; ++ return err; + } + + /* +diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h +index 26bd71f36c41..06003b36652e 100644 +--- a/sound/core/seq/seq_ports.h ++++ b/sound/core/seq/seq_ports.h +@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port, + struct snd_seq_port_subscribe *info); + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr); ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs); + + #endif +-- +2.20.1 + diff --git a/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch new file mode 100644 index 00000000000..0ad6554a582 --- /dev/null +++ b/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch @@ -0,0 +1,53 @@ +From a41a3a0f3a60fd49690d01da4aac8cd824ac2b25 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Apr 2019 17:35:22 +0200 +Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex + +[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ] + +ALSA OSS sequencer calls the ioctl function indirectly via +snd_seq_kernel_client_ctl(). While we already applied the protection +against races between the normal ioctls and writes via the client's +ioctl_mutex, this code path was left untouched. And this seems to be +the cause of still remaining some rare UAF as spontaneously triggered +by syzkaller. + +For the sake of robustness, wrap the ioctl_mutex also for the call via +snd_seq_kernel_client_ctl(), too. + +Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 38e7deab6384..b3280e81bfd1 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) + { + const struct ioctl_handler *handler; + struct snd_seq_client *client; ++ int err; + + client = clientptr(clientid); + if (client == NULL) + return -ENXIO; + + for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { +- if (handler->cmd == cmd) +- return handler->func(client, arg); ++ if (handler->cmd == cmd) { ++ mutex_lock(&client->ioctl_mutex); ++ err = handler->func(client, arg); ++ mutex_unlock(&client->ioctl_mutex); ++ return err; ++ } + } + + pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", +-- +2.20.1 + diff --git a/queue-5.1/arm64-mm-inhibit-huge-vmap-with-ptdump.patch b/queue-5.1/arm64-mm-inhibit-huge-vmap-with-ptdump.patch new file mode 100644 index 00000000000..56557c465c9 --- /dev/null +++ b/queue-5.1/arm64-mm-inhibit-huge-vmap-with-ptdump.patch @@ -0,0 +1,76 @@ +From 29f47500aa1e8acc19ad1bba8c409f60ed971019 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 14 May 2019 14:30:06 +0530 +Subject: arm64/mm: Inhibit huge-vmap with ptdump + +[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ] + +The arm64 ptdump code can race with concurrent modification of the +kernel page tables. At the time this was added, this was sound as: + +* Modifications to leaf entries could result in stale information being + logged, but would not result in a functional problem. + +* Boot time modifications to non-leaf entries (e.g. freeing of initmem) + were performed when the ptdump code cannot be invoked. + +* At runtime, modifications to non-leaf entries only occurred in the + vmalloc region, and these were strictly additive, as intermediate + entries were never freed. + +However, since commit: + + commit 324420bf91f6 ("arm64: add support for ioremap() block mappings") + +... it has been possible to create huge mappings in the vmalloc area at +runtime, and as part of this existing intermediate levels of table my be +removed and freed. + +It's possible for the ptdump code to race with this, and continue to +walk tables which have been freed (and potentially poisoned or +reallocated). As a result of this, the ptdump code may dereference bogus +addresses, which could be fatal. + +Since huge-vmap is a TLB and memory optimization, we can disable it when +the runtime ptdump code is in use to avoid this problem. + +Cc: Catalin Marinas +Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings") +Acked-by: Ard Biesheuvel +Signed-off-by: Mark Rutland +Signed-off-by: Anshuman Khandual +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index e97f018ff740..ece9490e3018 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -936,13 +936,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys) + + int __init arch_ioremap_pud_supported(void) + { +- /* only 4k granule supports level 1 block mappings */ +- return IS_ENABLED(CONFIG_ARM64_4K_PAGES); ++ /* ++ * Only 4k granule supports level 1 block mappings. ++ * SW table walks can't handle removal of intermediate entries. ++ */ ++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) && ++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS); + } + + int __init arch_ioremap_pmd_supported(void) + { +- return 1; ++ /* See arch_ioremap_pud_supported() */ ++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS); + } + + int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot) +-- +2.20.1 + diff --git a/queue-5.1/arm64-print-physical-address-of-page-table-base-in-s.patch b/queue-5.1/arm64-print-physical-address-of-page-table-base-in-s.patch new file mode 100644 index 00000000000..88f87c75adf --- /dev/null +++ b/queue-5.1/arm64-print-physical-address-of-page-table-base-in-s.patch @@ -0,0 +1,41 @@ +From 151b413ebc0531bcfea660157f02043c5e308542 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 14 May 2019 12:25:28 +0100 +Subject: arm64: Print physical address of page table base in show_pte() + +[ Upstream commit 48caebf7e1313eb9f0a06fe59a07ac05b38a5806 ] + +When dumping the page table in response to an unexpected kernel page +fault, we print the virtual (hashed) address of the page table base, but +display physical addresses for everything else. + +Make the page table dumping code in show_pte() consistent, by printing +the page table base pointer as a physical address. + +Reported-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/fault.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 9a6099a2c633..f637447e96b0 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -171,9 +171,10 @@ void show_pte(unsigned long addr) + return; + } + +- pr_alert("%s pgtable: %luk pages, %u-bit VAs, pgdp = %p\n", ++ pr_alert("%s pgtable: %luk pages, %u-bit VAs, pgdp=%016lx\n", + mm == &init_mm ? "swapper" : "user", PAGE_SIZE / SZ_1K, +- mm == &init_mm ? VA_BITS : (int) vabits_user, mm->pgd); ++ mm == &init_mm ? VA_BITS : (int)vabits_user, ++ (unsigned long)virt_to_phys(mm->pgd)); + pgdp = pgd_offset(mm, addr); + pgd = READ_ONCE(*pgdp); + pr_alert("[%016lx] pgd=%016llx", addr, pgd_val(pgd)); +-- +2.20.1 + diff --git a/queue-5.1/bpf-sockmap-fix-msg-sg.size-account-on-ingress-skb.patch b/queue-5.1/bpf-sockmap-fix-msg-sg.size-account-on-ingress-skb.patch new file mode 100644 index 00000000000..5c656b8e7e7 --- /dev/null +++ b/queue-5.1/bpf-sockmap-fix-msg-sg.size-account-on-ingress-skb.patch @@ -0,0 +1,37 @@ +From 662b852b4005ff137912d2d2ac796b19e7315a6a Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 13 May 2019 07:19:55 -0700 +Subject: bpf: sockmap fix msg->sg.size account on ingress skb + +[ Upstream commit cabede8b4f2b746232aa25730a0b752de1cb82ca ] + +When converting a skb to msg->sg we forget to set the size after the +latest ktls/tls code conversion. This patch can be reached by doing +a redir into ingress path from BPF skb sock recv hook. Then trying to +read the size fails. + +Fix this by setting the size. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 49d1efa329d7..93bffaad2135 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -411,6 +411,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + sk_mem_charge(sk, skb->len); + copied = skb->len; + msg->sg.start = 0; ++ msg->sg.size = copied; + msg->sg.end = num_sge == MAX_MSG_FRAGS ? 0 : num_sge; + msg->skb = skb; + +-- +2.20.1 + diff --git a/queue-5.1/bpf-sockmap-only-stop-flush-strp-if-it-was-enabled-a.patch b/queue-5.1/bpf-sockmap-only-stop-flush-strp-if-it-was-enabled-a.patch new file mode 100644 index 00000000000..d3300453da8 --- /dev/null +++ b/queue-5.1/bpf-sockmap-only-stop-flush-strp-if-it-was-enabled-a.patch @@ -0,0 +1,68 @@ +From af686f5de9fa74073720af567f3702472e671115 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 13 May 2019 07:19:19 -0700 +Subject: bpf: sockmap, only stop/flush strp if it was enabled at some point + +[ Upstream commit 014894360ec95abe868e94416b3dd6569f6e2c0c ] + +If we try to call strp_done on a parser that has never been +initialized, because the sockmap user is only using TX side for +example we get the following error. + + [ 883.422081] WARNING: CPU: 1 PID: 208 at kernel/workqueue.c:3030 __flush_work+0x1ca/0x1e0 + ... + [ 883.422095] Workqueue: events sk_psock_destroy_deferred + [ 883.422097] RIP: 0010:__flush_work+0x1ca/0x1e0 + +This had been wrapped in a 'if (psock->parser.enabled)' logic which +was broken because the strp_done() was never actually being called +because we do a strp_stop() earlier in the tear down logic will +set parser.enabled to false. This could result in a use after free +if work was still in the queue and was resolved by the patch here, +1d79895aef18f ("sk_msg: Always cancel strp work before freeing the +psock"). However, calling strp_stop(), done by the patch marked in +the fixes tag, only is useful if we never initialized a strp parser +program and never initialized the strp to start with. Because if +we had initialized a stream parser strp_stop() would have been called +by sk_psock_drop() earlier in the tear down process. By forcing the +strp to stop we get past the WARNING in strp_done that checks +the stopped flag but calling cancel_work_sync on work that has never +been initialized is also wrong and generates the warning above. + +To fix check if the parser program exists. If the program exists +then the strp work has been initialized and must be sync'd and +cancelled before free'ing any structures. If no program exists we +never initialized the stream parser in the first place so skip the +sync/cancel logic implemented by strp_done. + +Finally, remove the strp_done its not needed and in the case where we +are using the stream parser has already been called. + +Fixes: e8e3437762ad9 ("bpf: Stop the psock parser before canceling its work") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index cc94d921476c..49d1efa329d7 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -554,8 +554,10 @@ static void sk_psock_destroy_deferred(struct work_struct *gc) + struct sk_psock *psock = container_of(gc, struct sk_psock, gc); + + /* No sk_callback_lock since already detached. */ +- strp_stop(&psock->parser.strp); +- strp_done(&psock->parser.strp); ++ ++ /* Parser has been stopped */ ++ if (psock->progs.skb_parser) ++ strp_done(&psock->parser.strp); + + cancel_work_sync(&psock->work); + +-- +2.20.1 + diff --git a/queue-5.1/bpf-sockmap-remove-duplicate-queue-free.patch b/queue-5.1/bpf-sockmap-remove-duplicate-queue-free.patch new file mode 100644 index 00000000000..3af05d6dd69 --- /dev/null +++ b/queue-5.1/bpf-sockmap-remove-duplicate-queue-free.patch @@ -0,0 +1,40 @@ +From 4409871ad3026f4ce3f62a8b6f3fbdf33054b68d Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 13 May 2019 07:19:37 -0700 +Subject: bpf: sockmap remove duplicate queue free + +[ Upstream commit c42253cc88206fd0e9868c8b2fd7f9e79f9e0e03 ] + +In tcp bpf remove we free the cork list and purge the ingress msg +list. However we do this before the ref count reaches zero so it +could be possible some other access is in progress. In this case +(tcp close and/or tcp_unhash) we happen to also hold the sock +lock so no path exists but lets fix it otherwise it is extremely +fragile and breaks the reference counting rules. Also we already +check the cork list and ingress msg queue and free them once the +ref count reaches zero so its wasteful to check twice. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 1bb7321a256d..4a619c85daed 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -528,8 +528,6 @@ static void tcp_bpf_remove(struct sock *sk, struct sk_psock *psock) + { + struct sk_psock_link *link; + +- sk_psock_cork_free(psock); +- __sk_psock_purge_ingress_msg(psock); + while ((link = sk_psock_link_pop(psock))) { + sk_psock_unlink(sk, link); + sk_psock_free_link(link); +-- +2.20.1 + diff --git a/queue-5.1/bpf-tcp-correctly-handle-dont_wait-flags-and-timeo-0.patch b/queue-5.1/bpf-tcp-correctly-handle-dont_wait-flags-and-timeo-0.patch new file mode 100644 index 00000000000..9f1509161a8 --- /dev/null +++ b/queue-5.1/bpf-tcp-correctly-handle-dont_wait-flags-and-timeo-0.patch @@ -0,0 +1,43 @@ +From 9bdf427b20037a68242b648ddbc4eb56cc66e405 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 13 May 2019 21:42:03 -0700 +Subject: bpf, tcp: correctly handle DONT_WAIT flags and timeo == 0 + +[ Upstream commit 5fa2ca7c4a3fc176f31b495e1a704862d8188b53 ] + +The tcp_bpf_wait_data() routine needs to check timeo != 0 before +calling sk_wait_event() otherwise we may see unexpected stalls +on receiver. + +Arika did all the leg work here I just formatted, posted and ran +a few tests. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Reported-by: Arika Chen +Suggested-by: Arika Chen +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 4a619c85daed..3d1e15401384 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -27,7 +27,10 @@ static int tcp_bpf_wait_data(struct sock *sk, struct sk_psock *psock, + int flags, long timeo, int *err) + { + DEFINE_WAIT_FUNC(wait, woken_wake_function); +- int ret; ++ int ret = 0; ++ ++ if (!timeo) ++ return ret; + + add_wait_queue(sk_sleep(sk), &wait); + sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); +-- +2.20.1 + diff --git a/queue-5.1/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch b/queue-5.1/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch new file mode 100644 index 00000000000..3c90e40ecb3 --- /dev/null +++ b/queue-5.1/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch @@ -0,0 +1,46 @@ +From bf2a66120205154abca5ec854086948651ffba16 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Fri, 12 Apr 2019 15:45:06 +0800 +Subject: Drivers: misc: fix out-of-bounds access in function + param_set_kgdbts_var + +[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ] + +There is an out-of-bounds access to "config[len - 1]" array when the +variable "len" is zero. + +See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug +in param_set_kgdboc_var()") for details. + +Signed-off-by: Young Xiao +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/kgdbts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c +index de20bdaa148d..8b01257783dd 100644 +--- a/drivers/misc/kgdbts.c ++++ b/drivers/misc/kgdbts.c +@@ -1135,7 +1135,7 @@ static void kgdbts_put_char(u8 chr) + static int param_set_kgdbts_var(const char *kmessage, + const struct kernel_param *kp) + { +- int len = strlen(kmessage); ++ size_t len = strlen(kmessage); + + if (len >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdbts: config string too long\n"); +@@ -1155,7 +1155,7 @@ static int param_set_kgdbts_var(const char *kmessage, + + strcpy(config, kmessage); + /* Chop out \n char as a result of echo */ +- if (config[len - 1] == '\n') ++ if (len && config[len - 1] == '\n') + config[len - 1] = '\0'; + + /* Go and configure with the new params. */ +-- +2.20.1 + diff --git a/queue-5.1/drivers-perf-arm_spe-don-t-error-on-high-order-pages.patch b/queue-5.1/drivers-perf-arm_spe-don-t-error-on-high-order-pages.patch new file mode 100644 index 00000000000..1b492b40f64 --- /dev/null +++ b/queue-5.1/drivers-perf-arm_spe-don-t-error-on-high-order-pages.patch @@ -0,0 +1,56 @@ +From bcb9a8b14ff683afd38f6efd5a246559165db8d1 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 13 May 2019 17:53:03 +0100 +Subject: drivers/perf: arm_spe: Don't error on high-order pages for aux buf + +[ Upstream commit 14ae42a6f0b13130a97d94d23481128961de5d38 ] + +Since commit 5768402fd9c6 ("perf/ring_buffer: Use high order allocations +for AUX buffers optimistically"), the perf core tends to back aux buffer +allocations with high-order pages with the order encoded in the +PagePrivate data. The Arm SPE driver explicitly rejects such pages, +causing the perf tool to fail with: + + | failed to mmap with 12 (Cannot allocate memory) + +In actual fact, we can simply treat these pages just like any other +since the perf core takes care to populate the page array appropriately. +In theory we could try to map with PMDs where possible, but for now, +let's just get things working again. + +Cc: Alexander Shishkin +Fixes: 5768402fd9c6 ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically") +Reported-by: Hanjun Guo +Tested-by: Hanjun Guo +Tested-by: Sudeep Holla +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_spe_pmu.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c +index 7cb766dafe85..e120f933412a 100644 +--- a/drivers/perf/arm_spe_pmu.c ++++ b/drivers/perf/arm_spe_pmu.c +@@ -855,16 +855,8 @@ static void *arm_spe_pmu_setup_aux(struct perf_event *event, void **pages, + if (!pglist) + goto out_free_buf; + +- for (i = 0; i < nr_pages; ++i) { +- struct page *page = virt_to_page(pages[i]); +- +- if (PagePrivate(page)) { +- pr_warn("unexpected high-order page for auxbuf!"); +- goto out_free_pglist; +- } +- ++ for (i = 0; i < nr_pages; ++i) + pglist[i] = virt_to_page(pages[i]); +- } + + buf->base = vmap(pglist, nr_pages, VM_MAP, PAGE_KERNEL); + if (!buf->base) +-- +2.20.1 + diff --git a/queue-5.1/drm-amdgpu-keep-stolen-memory-on-picasso.patch b/queue-5.1/drm-amdgpu-keep-stolen-memory-on-picasso.patch new file mode 100644 index 00000000000..3d457d3c43a --- /dev/null +++ b/queue-5.1/drm-amdgpu-keep-stolen-memory-on-picasso.patch @@ -0,0 +1,32 @@ +From 3a5aa17c1b74d208dc911d224278abe72b6f0c83 Mon Sep 17 00:00:00 2001 +From: Flora Cui +Date: Fri, 17 May 2019 11:33:56 +0800 +Subject: drm/amdgpu: keep stolen memory on picasso + +[ Upstream commit 379109351f4f6f2405cf54e7a296055f589c3ad1 ] + +otherwise screen corrupts during modprobe. + +Signed-off-by: Flora Cui +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 2fe8397241ea..1611bef19a2c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -715,6 +715,7 @@ static bool gmc_v9_0_keep_stolen_memory(struct amdgpu_device *adev) + case CHIP_VEGA10: + return true; + case CHIP_RAVEN: ++ return (adev->pdev->device == 0x15d8); + case CHIP_VEGA12: + case CHIP_VEGA20: + default: +-- +2.20.1 + diff --git a/queue-5.1/enetc-fix-null-dma-address-unmap-for-tx-bd-extension.patch b/queue-5.1/enetc-fix-null-dma-address-unmap-for-tx-bd-extension.patch new file mode 100644 index 00000000000..d9aa91e4418 --- /dev/null +++ b/queue-5.1/enetc-fix-null-dma-address-unmap-for-tx-bd-extension.patch @@ -0,0 +1,37 @@ +From 2d0d70b4430c8475a4dd13564dcd480ac7a35a7e Mon Sep 17 00:00:00 2001 +From: Claudiu Manoil +Date: Wed, 15 May 2019 19:08:56 +0300 +Subject: enetc: Fix NULL dma address unmap for Tx BD extensions + +[ Upstream commit f4a0be84d73ec648628bf8094600ceb73cb6073f ] + +For the unlikely case of TxBD extensions (i.e. ptp) +the driver tries to unmap the tx_swbd corresponding +to the extension, which is bogus as it has no buffer +attached. + +Signed-off-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index 5bb9eb35d76d..491475d87736 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -313,7 +313,9 @@ static bool enetc_clean_tx_ring(struct enetc_bdr *tx_ring, int napi_budget) + while (bds_to_clean && tx_frm_cnt < ENETC_DEFAULT_TX_WORK) { + bool is_eof = !!tx_swbd->skb; + +- enetc_unmap_tx_buff(tx_ring, tx_swbd); ++ if (likely(tx_swbd->dma)) ++ enetc_unmap_tx_buff(tx_ring, tx_swbd); ++ + if (is_eof) { + napi_consume_skb(tx_swbd->skb, napi_budget); + tx_swbd->skb = NULL; +-- +2.20.1 + diff --git a/queue-5.1/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch b/queue-5.1/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch new file mode 100644 index 00000000000..560d9639d8b --- /dev/null +++ b/queue-5.1/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch @@ -0,0 +1,154 @@ +From 03cfc9275efe2c2c4c7f73100bcecd891b79c64d Mon Sep 17 00:00:00 2001 +From: Randall Huang +Date: Thu, 11 Apr 2019 16:26:46 +0800 +Subject: f2fs: fix to avoid accessing xattr across the boundary + +[ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ] + +When we traverse xattr entries via __find_xattr(), +if the raw filesystem content is faked or any hardware failure occurs, +out-of-bound error can be detected by KASAN. +Fix the issue by introducing boundary check. + +[ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c +[ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task +[ 38.402935] c7 1827 Call trace: +[ 38.402952] c7 1827 [] dump_backtrace+0x0/0x6bc +[ 38.402966] c7 1827 [] show_stack+0x20/0x2c +[ 38.402981] c7 1827 [] dump_stack+0xfc/0x140 +[ 38.402995] c7 1827 [] print_address_description+0x80/0x2d8 +[ 38.403009] c7 1827 [] kasan_report_error+0x198/0x1fc +[ 38.403022] c7 1827 [] kasan_report_error+0x0/0x1fc +[ 38.403037] c7 1827 [] __asan_load4+0x1b0/0x1b8 +[ 38.403051] c7 1827 [] f2fs_getxattr+0x518/0x68c +[ 38.403066] c7 1827 [] f2fs_xattr_generic_get+0xb0/0xd0 +[ 38.403080] c7 1827 [] __vfs_getxattr+0x1f4/0x1fc +[ 38.403096] c7 1827 [] inode_doinit_with_dentry+0x360/0x938 +[ 38.403109] c7 1827 [] selinux_d_instantiate+0x2c/0x38 +[ 38.403123] c7 1827 [] security_d_instantiate+0x68/0x98 +[ 38.403136] c7 1827 [] d_splice_alias+0x58/0x348 +[ 38.403149] c7 1827 [] f2fs_lookup+0x608/0x774 +[ 38.403163] c7 1827 [] lookup_slow+0x1e0/0x2cc +[ 38.403177] c7 1827 [] walk_component+0x160/0x520 +[ 38.403190] c7 1827 [] path_lookupat+0x110/0x2b4 +[ 38.403203] c7 1827 [] filename_lookup+0x1d8/0x3a8 +[ 38.403216] c7 1827 [] user_path_at_empty+0x54/0x68 +[ 38.403229] c7 1827 [] SyS_getxattr+0xb4/0x18c +[ 38.403241] c7 1827 [] el0_svc_naked+0x34/0x38 + +Signed-off-by: Randall Huang +[Jaegeuk Kim: Fix wrong ending boundary] +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++--------- + fs/f2fs/xattr.h | 2 ++ + 2 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 848a785abe25..e791741d193b 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) + return handler; + } + +-static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, +- size_t len, const char *name) ++static struct f2fs_xattr_entry *__find_xattr(void *base_addr, ++ void *last_base_addr, int index, ++ size_t len, const char *name) + { + struct f2fs_xattr_entry *entry; + + list_for_each_xattr(entry, base_addr) { ++ if ((void *)(entry) + sizeof(__u32) > last_base_addr || ++ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) ++ return NULL; ++ + if (entry->e_name_index != index) + continue; + if (entry->e_name_len != len) +@@ -297,20 +302,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + const char *name, struct f2fs_xattr_entry **xe, + void **base_addr, int *base_size) + { +- void *cur_addr, *txattr_addr, *last_addr = NULL; ++ void *cur_addr, *txattr_addr, *last_txattr_addr; ++ void *last_addr = NULL; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; +- unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; + unsigned int inline_size = inline_xattr_size(inode); + int err = 0; + +- if (!size && !inline_size) ++ if (!xnid && !inline_size) + return -ENODATA; + +- *base_size = inline_size + size + XATTR_PADDING_SIZE; ++ *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE; + txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); + if (!txattr_addr) + return -ENOMEM; + ++ last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode); ++ + /* read from inline xattr */ + if (inline_size) { + err = read_inline_xattr(inode, ipage, txattr_addr); +@@ -337,7 +344,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + else + cur_addr = txattr_addr; + +- *xe = __find_xattr(cur_addr, index, len, name); ++ *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name); ++ if (!*xe) { ++ err = -EFAULT; ++ goto out; ++ } + check: + if (IS_XATTR_LAST_ENTRY(*xe)) { + err = -ENODATA; +@@ -581,7 +592,8 @@ static int __f2fs_setxattr(struct inode *inode, int index, + struct page *ipage, int flags) + { + struct f2fs_xattr_entry *here, *last; +- void *base_addr; ++ void *base_addr, *last_base_addr; ++ nid_t xnid = F2FS_I(inode)->i_xattr_nid; + int found, newsize; + size_t len; + __u32 new_hsize; +@@ -605,8 +617,14 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (error) + return error; + ++ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); ++ + /* find entry with wanted name. */ +- here = __find_xattr(base_addr, index, len, name); ++ here = __find_xattr(base_addr, last_base_addr, index, len, name); ++ if (!here) { ++ error = -EFAULT; ++ goto exit; ++ } + + found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1; + +diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h +index 9172ee082ca8..a90920e2f949 100644 +--- a/fs/f2fs/xattr.h ++++ b/fs/f2fs/xattr.h +@@ -71,6 +71,8 @@ struct f2fs_xattr_entry { + entry = XATTR_NEXT_ENTRY(entry)) + #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer)) + #define XATTR_PADDING_SIZE (sizeof(__u32)) ++#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \ ++ (inline_xattr_size(i))) + #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \ + VALID_XATTR_BLOCK_SIZE) + +-- +2.20.1 + diff --git a/queue-5.1/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch b/queue-5.1/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch new file mode 100644 index 00000000000..10143d5bd72 --- /dev/null +++ b/queue-5.1/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch @@ -0,0 +1,330 @@ +From 38ae241a4c470941c75d4cce01b0d01ff329c52e Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Wed, 22 May 2019 18:47:05 +0100 +Subject: KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid + instrumentation + +[ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ] + +KVM has helpers to handle the condition codes of trapped aarch32 +instructions. These are marked __hyp_text and used from HYP, but they +aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN +and KCOV instrumentation. + +Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting +an aarch32 guest on a host built with the ASAN/KCOV debug options. + +Fixes: 021234ef3752f ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2") +Fixes: 8cebe750c4d9a ("arm64: KVM: Make kvm_skip_instr32 available to HYP") +Signed-off-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/hyp/Makefile | 1 + + arch/arm64/kvm/hyp/Makefile | 1 + + virt/kvm/arm/aarch32.c | 121 -------------------------------- + virt/kvm/arm/hyp/aarch32.c | 136 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 138 insertions(+), 121 deletions(-) + create mode 100644 virt/kvm/arm/hyp/aarch32.c + +diff --git a/arch/arm/kvm/hyp/Makefile b/arch/arm/kvm/hyp/Makefile +index d2b5ec9c4b92..ba88b1eca93c 100644 +--- a/arch/arm/kvm/hyp/Makefile ++++ b/arch/arm/kvm/hyp/Makefile +@@ -11,6 +11,7 @@ CFLAGS_ARMV7VE :=$(call cc-option, -march=armv7ve) + + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o ++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o + + obj-$(CONFIG_KVM_ARM_HOST) += tlb.o + obj-$(CONFIG_KVM_ARM_HOST) += cp15-sr.o +diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile +index 82d1904328ad..ea710f674cb6 100644 +--- a/arch/arm64/kvm/hyp/Makefile ++++ b/arch/arm64/kvm/hyp/Makefile +@@ -10,6 +10,7 @@ KVM=../../../../virt/kvm + + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o ++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o + + obj-$(CONFIG_KVM_ARM_HOST) += vgic-v2-cpuif-proxy.o + obj-$(CONFIG_KVM_ARM_HOST) += sysreg-sr.o +diff --git a/virt/kvm/arm/aarch32.c b/virt/kvm/arm/aarch32.c +index 5abbe9b3c652..6880236974b8 100644 +--- a/virt/kvm/arm/aarch32.c ++++ b/virt/kvm/arm/aarch32.c +@@ -25,127 +25,6 @@ + #include + #include + +-/* +- * stolen from arch/arm/kernel/opcodes.c +- * +- * condition code lookup table +- * index into the table is test code: EQ, NE, ... LT, GT, AL, NV +- * +- * bit position in short is condition code: NZCV +- */ +-static const unsigned short cc_map[16] = { +- 0xF0F0, /* EQ == Z set */ +- 0x0F0F, /* NE */ +- 0xCCCC, /* CS == C set */ +- 0x3333, /* CC */ +- 0xFF00, /* MI == N set */ +- 0x00FF, /* PL */ +- 0xAAAA, /* VS == V set */ +- 0x5555, /* VC */ +- 0x0C0C, /* HI == C set && Z clear */ +- 0xF3F3, /* LS == C clear || Z set */ +- 0xAA55, /* GE == (N==V) */ +- 0x55AA, /* LT == (N!=V) */ +- 0x0A05, /* GT == (!Z && (N==V)) */ +- 0xF5FA, /* LE == (Z || (N!=V)) */ +- 0xFFFF, /* AL always */ +- 0 /* NV */ +-}; +- +-/* +- * Check if a trapped instruction should have been executed or not. +- */ +-bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu) +-{ +- unsigned long cpsr; +- u32 cpsr_cond; +- int cond; +- +- /* Top two bits non-zero? Unconditional. */ +- if (kvm_vcpu_get_hsr(vcpu) >> 30) +- return true; +- +- /* Is condition field valid? */ +- cond = kvm_vcpu_get_condition(vcpu); +- if (cond == 0xE) +- return true; +- +- cpsr = *vcpu_cpsr(vcpu); +- +- if (cond < 0) { +- /* This can happen in Thumb mode: examine IT state. */ +- unsigned long it; +- +- it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3); +- +- /* it == 0 => unconditional. */ +- if (it == 0) +- return true; +- +- /* The cond for this insn works out as the top 4 bits. */ +- cond = (it >> 4); +- } +- +- cpsr_cond = cpsr >> 28; +- +- if (!((cc_map[cond] >> cpsr_cond) & 1)) +- return false; +- +- return true; +-} +- +-/** +- * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block +- * @vcpu: The VCPU pointer +- * +- * When exceptions occur while instructions are executed in Thumb IF-THEN +- * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have +- * to do this little bit of work manually. The fields map like this: +- * +- * IT[7:0] -> CPSR[26:25],CPSR[15:10] +- */ +-static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu) +-{ +- unsigned long itbits, cond; +- unsigned long cpsr = *vcpu_cpsr(vcpu); +- bool is_arm = !(cpsr & PSR_AA32_T_BIT); +- +- if (is_arm || !(cpsr & PSR_AA32_IT_MASK)) +- return; +- +- cond = (cpsr & 0xe000) >> 13; +- itbits = (cpsr & 0x1c00) >> (10 - 2); +- itbits |= (cpsr & (0x3 << 25)) >> 25; +- +- /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */ +- if ((itbits & 0x7) == 0) +- itbits = cond = 0; +- else +- itbits = (itbits << 1) & 0x1f; +- +- cpsr &= ~PSR_AA32_IT_MASK; +- cpsr |= cond << 13; +- cpsr |= (itbits & 0x1c) << (10 - 2); +- cpsr |= (itbits & 0x3) << 25; +- *vcpu_cpsr(vcpu) = cpsr; +-} +- +-/** +- * kvm_skip_instr - skip a trapped instruction and proceed to the next +- * @vcpu: The vcpu pointer +- */ +-void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr) +-{ +- bool is_thumb; +- +- is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT); +- if (is_thumb && !is_wide_instr) +- *vcpu_pc(vcpu) += 2; +- else +- *vcpu_pc(vcpu) += 4; +- kvm_adjust_itstate(vcpu); +-} +- + /* + * Table taken from ARMv8 ARM DDI0487B-B, table G1-10. + */ +diff --git a/virt/kvm/arm/hyp/aarch32.c b/virt/kvm/arm/hyp/aarch32.c +new file mode 100644 +index 000000000000..d31f267961e7 +--- /dev/null ++++ b/virt/kvm/arm/hyp/aarch32.c +@@ -0,0 +1,136 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Hyp portion of the (not much of an) Emulation layer for 32bit guests. ++ * ++ * Copyright (C) 2012,2013 - ARM Ltd ++ * Author: Marc Zyngier ++ * ++ * based on arch/arm/kvm/emulate.c ++ * Copyright (C) 2012 - Virtual Open Systems and Columbia University ++ * Author: Christoffer Dall ++ */ ++ ++#include ++#include ++#include ++ ++/* ++ * stolen from arch/arm/kernel/opcodes.c ++ * ++ * condition code lookup table ++ * index into the table is test code: EQ, NE, ... LT, GT, AL, NV ++ * ++ * bit position in short is condition code: NZCV ++ */ ++static const unsigned short cc_map[16] = { ++ 0xF0F0, /* EQ == Z set */ ++ 0x0F0F, /* NE */ ++ 0xCCCC, /* CS == C set */ ++ 0x3333, /* CC */ ++ 0xFF00, /* MI == N set */ ++ 0x00FF, /* PL */ ++ 0xAAAA, /* VS == V set */ ++ 0x5555, /* VC */ ++ 0x0C0C, /* HI == C set && Z clear */ ++ 0xF3F3, /* LS == C clear || Z set */ ++ 0xAA55, /* GE == (N==V) */ ++ 0x55AA, /* LT == (N!=V) */ ++ 0x0A05, /* GT == (!Z && (N==V)) */ ++ 0xF5FA, /* LE == (Z || (N!=V)) */ ++ 0xFFFF, /* AL always */ ++ 0 /* NV */ ++}; ++ ++/* ++ * Check if a trapped instruction should have been executed or not. ++ */ ++bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu) ++{ ++ unsigned long cpsr; ++ u32 cpsr_cond; ++ int cond; ++ ++ /* Top two bits non-zero? Unconditional. */ ++ if (kvm_vcpu_get_hsr(vcpu) >> 30) ++ return true; ++ ++ /* Is condition field valid? */ ++ cond = kvm_vcpu_get_condition(vcpu); ++ if (cond == 0xE) ++ return true; ++ ++ cpsr = *vcpu_cpsr(vcpu); ++ ++ if (cond < 0) { ++ /* This can happen in Thumb mode: examine IT state. */ ++ unsigned long it; ++ ++ it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3); ++ ++ /* it == 0 => unconditional. */ ++ if (it == 0) ++ return true; ++ ++ /* The cond for this insn works out as the top 4 bits. */ ++ cond = (it >> 4); ++ } ++ ++ cpsr_cond = cpsr >> 28; ++ ++ if (!((cc_map[cond] >> cpsr_cond) & 1)) ++ return false; ++ ++ return true; ++} ++ ++/** ++ * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block ++ * @vcpu: The VCPU pointer ++ * ++ * When exceptions occur while instructions are executed in Thumb IF-THEN ++ * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have ++ * to do this little bit of work manually. The fields map like this: ++ * ++ * IT[7:0] -> CPSR[26:25],CPSR[15:10] ++ */ ++static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu) ++{ ++ unsigned long itbits, cond; ++ unsigned long cpsr = *vcpu_cpsr(vcpu); ++ bool is_arm = !(cpsr & PSR_AA32_T_BIT); ++ ++ if (is_arm || !(cpsr & PSR_AA32_IT_MASK)) ++ return; ++ ++ cond = (cpsr & 0xe000) >> 13; ++ itbits = (cpsr & 0x1c00) >> (10 - 2); ++ itbits |= (cpsr & (0x3 << 25)) >> 25; ++ ++ /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */ ++ if ((itbits & 0x7) == 0) ++ itbits = cond = 0; ++ else ++ itbits = (itbits << 1) & 0x1f; ++ ++ cpsr &= ~PSR_AA32_IT_MASK; ++ cpsr |= cond << 13; ++ cpsr |= (itbits & 0x1c) << (10 - 2); ++ cpsr |= (itbits & 0x3) << 25; ++ *vcpu_cpsr(vcpu) = cpsr; ++} ++ ++/** ++ * kvm_skip_instr - skip a trapped instruction and proceed to the next ++ * @vcpu: The vcpu pointer ++ */ ++void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr) ++{ ++ bool is_thumb; ++ ++ is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT); ++ if (is_thumb && !is_wide_instr) ++ *vcpu_pc(vcpu) += 2; ++ else ++ *vcpu_pc(vcpu) += 4; ++ kvm_adjust_itstate(vcpu); ++} +-- +2.20.1 + diff --git a/queue-5.1/kvm-lapic-fix-lapic_timer_advance_ns-parameter-overf.patch b/queue-5.1/kvm-lapic-fix-lapic_timer_advance_ns-parameter-overf.patch new file mode 100644 index 00000000000..7a396abc923 --- /dev/null +++ b/queue-5.1/kvm-lapic-fix-lapic_timer_advance_ns-parameter-overf.patch @@ -0,0 +1,52 @@ +From 506ed6b5845a3959a44ed79033587723a263d177 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 20 May 2019 16:18:06 +0800 +Subject: KVM: LAPIC: Fix lapic_timer_advance_ns parameter overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 0e6edceb8f18a4e31526d83e6099fef1f29c3af5 ] + +After commit c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of +timer advancement), '-1' enables adaptive tuning starting from default +advancment of 1000ns. However, we should expose an int instead of an overflow +uint module parameter. + +Before patch: + +/sys/module/kvm/parameters/lapic_timer_advance_ns:4294967295 + +After patch: + +/sys/module/kvm/parameters/lapic_timer_advance_ns:-1 + +Fixes: c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of timer advancement) +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Sean Christopherson +Cc: Liran Alon +Reviewed-by: Sean Christopherson +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index efc8adf7ca0e..b07868eb1656 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -143,7 +143,7 @@ module_param(tsc_tolerance_ppm, uint, S_IRUGO | S_IWUSR); + * tuning, i.e. allows priveleged userspace to set an exact advancement time. + */ + static int __read_mostly lapic_timer_advance_ns = -1; +-module_param(lapic_timer_advance_ns, uint, S_IRUGO | S_IWUSR); ++module_param(lapic_timer_advance_ns, int, S_IRUGO | S_IWUSR); + + static bool __read_mostly vector_hashing = true; + module_param(vector_hashing, bool, S_IRUGO); +-- +2.20.1 + diff --git a/queue-5.1/kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch b/queue-5.1/kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch new file mode 100644 index 00000000000..64329a1b3b5 --- /dev/null +++ b/queue-5.1/kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch @@ -0,0 +1,34 @@ +From 7f4d21ecf7d8552e66f374576e45f5d20c4cde45 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 11:55:36 +0200 +Subject: KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE + +[ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ] + +The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE, +so the correct size must be that plus sizeof(*vmcs12). This could lead +to KVM reading garbage data from userspace and not reporting an error, +but is otherwise not sensitive. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 8f6f69c26c35..5fa0c17d0b41 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu, + vmcs12->vmcs_link_pointer != -1ull) { + struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu); + +- if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12)) ++ if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12)) + return -EINVAL; + + if (copy_from_user(shadow_vmcs12, +-- +2.20.1 + diff --git a/queue-5.1/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch b/queue-5.1/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch new file mode 100644 index 00000000000..dbfb3e9b96c --- /dev/null +++ b/queue-5.1/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch @@ -0,0 +1,69 @@ +From 9b42ad76df55bc578ce4845e931d809ad4098b38 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 24 May 2019 16:06:23 +0200 +Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION + +[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ] + +kselftests exposed a problem in the s390 handling for memory slots. +Right now we only do proper memory slot handling for creation of new +memory slots. Neither MOVE, nor DELETION are handled properly. Let us +implement those. + +Signed-off-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index c4180ecfbb2a..ee35f1112db9 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -4413,21 +4413,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm, + const struct kvm_memory_slot *new, + enum kvm_mr_change change) + { +- int rc; +- +- /* If the basics of the memslot do not change, we do not want +- * to update the gmap. Every update causes several unnecessary +- * segment translation exceptions. This is usually handled just +- * fine by the normal fault handler + gmap, but it will also +- * cause faults on the prefix page of running guest CPUs. +- */ +- if (old->userspace_addr == mem->userspace_addr && +- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr && +- old->npages * PAGE_SIZE == mem->memory_size) +- return; ++ int rc = 0; + +- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, +- mem->guest_phys_addr, mem->memory_size); ++ switch (change) { ++ case KVM_MR_DELETE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ break; ++ case KVM_MR_MOVE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ if (rc) ++ break; ++ /* FALLTHROUGH */ ++ case KVM_MR_CREATE: ++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, ++ mem->guest_phys_addr, mem->memory_size); ++ break; ++ case KVM_MR_FLAGS_ONLY: ++ break; ++ default: ++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change); ++ } + if (rc) + pr_warn("failed to commit memory region\n"); + return; +-- +2.20.1 + diff --git a/queue-5.1/kvm-selftests-aarch64-dirty_log_test-fix-unaligned-m.patch b/queue-5.1/kvm-selftests-aarch64-dirty_log_test-fix-unaligned-m.patch new file mode 100644 index 00000000000..32db703863b --- /dev/null +++ b/queue-5.1/kvm-selftests-aarch64-dirty_log_test-fix-unaligned-m.patch @@ -0,0 +1,38 @@ +From 357d9f15c386a322800efec267109e12b11f20ab Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 23 May 2019 11:34:05 +0200 +Subject: kvm: selftests: aarch64: dirty_log_test: fix unaligned memslot size + +[ Upstream commit bffed38d4fb536c5d5d6c37846a7fb8fde1452fa ] + +The memory slot size must be aligned to the host's page size. When +testing a guest with a 4k page size on a host with a 64k page size, +then 3 guest pages are not host page size aligned. Since we just need +a nearly arbitrary number of extra pages to ensure the memslot is not +aligned to a 64 host-page boundary for this test, then we can use +16, as that's 64k aligned, but not 64 * 64k aligned. + +Fixes: 76d58e0f07ec ("KVM: fix KVM_CLEAR_DIRTY_LOG for memory slots of unaligned size", 2019-04-17) +Signed-off-by: Andrew Jones +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/dirty_log_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/dirty_log_test.c b/tools/testing/selftests/kvm/dirty_log_test.c +index 93f99c6b7d79..a2542ed42819 100644 +--- a/tools/testing/selftests/kvm/dirty_log_test.c ++++ b/tools/testing/selftests/kvm/dirty_log_test.c +@@ -292,7 +292,7 @@ static void run_test(enum vm_guest_mode mode, unsigned long iterations, + * A little more than 1G of guest page sized pages. Cover the + * case where the size is not aligned to 64 pages. + */ +- guest_num_pages = (1ul << (30 - guest_page_shift)) + 3; ++ guest_num_pages = (1ul << (30 - guest_page_shift)) + 16; + host_page_size = getpagesize(); + host_num_pages = (guest_num_pages * guest_page_size) / host_page_size + + !!((guest_num_pages * guest_page_size) % host_page_size); +-- +2.20.1 + diff --git a/queue-5.1/kvm-selftests-aarch64-fix-default-vm-mode.patch b/queue-5.1/kvm-selftests-aarch64-fix-default-vm-mode.patch new file mode 100644 index 00000000000..f73d9605fa2 --- /dev/null +++ b/queue-5.1/kvm-selftests-aarch64-fix-default-vm-mode.patch @@ -0,0 +1,37 @@ +From e2c681747631ed6a49ba0ca6eb3f07eeb705a0f9 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 23 May 2019 13:05:46 +0200 +Subject: kvm: selftests: aarch64: fix default vm mode + +[ Upstream commit 55eda003f02f075bab0223a188e548dbf3ac8dfe ] + +VM_MODE_P52V48_4K is not a valid mode for AArch64. Replace its +use in vm_create_default() with a mode that works and represents +a good AArch64 default. (We didn't ever see a problem with this +because we don't have any unit tests using vm_create_default(), +but it's good to get it fixed in advance.) + +Reported-by: Thomas Huth +Signed-off-by: Andrew Jones +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/lib/aarch64/processor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/lib/aarch64/processor.c b/tools/testing/selftests/kvm/lib/aarch64/processor.c +index e8c42506a09d..fa6cd340137c 100644 +--- a/tools/testing/selftests/kvm/lib/aarch64/processor.c ++++ b/tools/testing/selftests/kvm/lib/aarch64/processor.c +@@ -226,7 +226,7 @@ struct kvm_vm *vm_create_default(uint32_t vcpuid, uint64_t extra_mem_pages, + uint64_t extra_pg_pages = (extra_mem_pages / ptrs_per_4k_pte) * 2; + struct kvm_vm *vm; + +- vm = vm_create(VM_MODE_P52V48_4K, DEFAULT_GUEST_PHY_PAGES + extra_pg_pages, O_RDWR); ++ vm = vm_create(VM_MODE_P40V48_4K, DEFAULT_GUEST_PHY_PAGES + extra_pg_pages, O_RDWR); + + kvm_vm_elf_load(vm, program_invocation_name, 0, 0); + vm_vcpu_add_default(vm, vcpuid, guest_code); +-- +2.20.1 + diff --git a/queue-5.1/kvm-selftests-fix-a-condition-in-test_hv_cpuid.patch b/queue-5.1/kvm-selftests-fix-a-condition-in-test_hv_cpuid.patch new file mode 100644 index 00000000000..f43e1ad68fb --- /dev/null +++ b/queue-5.1/kvm-selftests-fix-a-condition-in-test_hv_cpuid.patch @@ -0,0 +1,50 @@ +From f814a74c2501910f198d748a47aa3f991541927c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 14 May 2019 13:34:51 +0300 +Subject: KVM: selftests: Fix a condition in test_hv_cpuid() + +[ Upstream commit be7fcf1d1701a5266dd36eab4978476f63d1bd57 ] + +The code is trying to check that all the padding is zeroed out and it +does this: + + entry->padding[0] == entry->padding[1] == entry->padding[2] == 0 + +Assume everything is zeroed correctly, then the first comparison is +true, the next comparison is false and false is equal to zero so the +overall condition is true. This bug doesn't affect run time very +badly, but the code should instead just check that all three paddings +are zero individually. + +Also the error message was copy and pasted from an earlier error and it +wasn't correct. + +Fixes: 7edcb7343327 ("KVM: selftests: Add hyperv_cpuid test") +Signed-off-by: Dan Carpenter +Reviewed-by: Vitaly Kuznetsov +Reviewed-by: Thomas Huth +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c b/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c +index 9a21e912097c..63b9fc3fdfbe 100644 +--- a/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c ++++ b/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c +@@ -58,9 +58,8 @@ static void test_hv_cpuid(struct kvm_cpuid2 *hv_cpuid_entries, + TEST_ASSERT(entry->flags == 0, + ".flags field should be zero"); + +- TEST_ASSERT(entry->padding[0] == entry->padding[1] +- == entry->padding[2] == 0, +- ".index field should be zero"); ++ TEST_ASSERT(!entry->padding[0] && !entry->padding[1] && ++ !entry->padding[2], "padding should be zero"); + + /* + * If needed for debug: +-- +2.20.1 + diff --git a/queue-5.1/kvm-vmx-fix-wmissing-prototypes-warnings.patch b/queue-5.1/kvm-vmx-fix-wmissing-prototypes-warnings.patch new file mode 100644 index 00000000000..79400640ab1 --- /dev/null +++ b/queue-5.1/kvm-vmx-fix-wmissing-prototypes-warnings.patch @@ -0,0 +1,38 @@ +From 0c21fa9d818d8514669278866fe214a06d7430fc Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Mon, 20 May 2019 12:27:47 +0800 +Subject: kvm: vmx: Fix -Wmissing-prototypes warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 4d259965655c92053f3255aca14d81aab1e21219 ] + +We get a warning when build kernel W=1: +arch/x86/kvm/vmx/vmx.c:6365:6: warning: no previous prototype for ‘vmx_update_host_rsp’ [-Wmissing-prototypes] + void vmx_update_host_rsp(struct vcpu_vmx *vmx, unsigned long host_rsp) + +Add the missing declaration to fix this. + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/vmx.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h +index f879529906b4..9cd72decdfe4 100644 +--- a/arch/x86/kvm/vmx/vmx.h ++++ b/arch/x86/kvm/vmx/vmx.h +@@ -314,6 +314,7 @@ void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked); + void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu); + struct shared_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr); + void pt_update_intercept_for_msr(struct vcpu_vmx *vmx); ++void vmx_update_host_rsp(struct vcpu_vmx *vmx, unsigned long host_rsp); + + #define POSTED_INTR_ON 0 + #define POSTED_INTR_SN 1 +-- +2.20.1 + diff --git a/queue-5.1/kvm-x86-do-not-spam-dmesg-with-vmcs-vmcb-dumps.patch b/queue-5.1/kvm-x86-do-not-spam-dmesg-with-vmcs-vmcb-dumps.patch new file mode 100644 index 00000000000..912ad99667f --- /dev/null +++ b/queue-5.1/kvm-x86-do-not-spam-dmesg-with-vmcs-vmcb-dumps.patch @@ -0,0 +1,101 @@ +From c688492f62bfa80ecc3d2b966489ef2188bf166a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 15:34:35 +0200 +Subject: KVM: x86: do not spam dmesg with VMCS/VMCB dumps + +[ Upstream commit 6f2f84532c153d32a5e53b6083b06a3e24368d30 ] + +Userspace can easily set up invalid processor state in such a way that +dmesg will be filled with VMCS or VMCB dumps. Disable this by default +using a module parameter. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 9 ++++++++- + arch/x86/kvm/vmx/vmx.c | 26 +++++++++++++++++++------- + 2 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index ae6e51828a54..aa3b77acfbf9 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -379,6 +379,9 @@ module_param(vgif, int, 0444); + static int sev = IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT); + module_param(sev, int, 0444); + ++static bool __read_mostly dump_invalid_vmcb = 0; ++module_param(dump_invalid_vmcb, bool, 0644); ++ + static u8 rsm_ins_bytes[] = "\x0f\xaa"; + + static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0); +@@ -4834,6 +4837,11 @@ static void dump_vmcb(struct kvm_vcpu *vcpu) + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; + ++ if (!dump_invalid_vmcb) { ++ pr_warn_ratelimited("set kvm_amd.dump_invalid_vmcb=1 to dump internal KVM state.\n"); ++ return; ++ } ++ + pr_err("VMCB Control Area:\n"); + pr_err("%-20s%04x\n", "cr_read:", control->intercept_cr & 0xffff); + pr_err("%-20s%04x\n", "cr_write:", control->intercept_cr >> 16); +@@ -4992,7 +5000,6 @@ static int handle_exit(struct kvm_vcpu *vcpu) + kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY; + kvm_run->fail_entry.hardware_entry_failure_reason + = svm->vmcb->control.exit_code; +- pr_err("KVM: FAILED VMRUN WITH VMCB:\n"); + dump_vmcb(vcpu); + return 0; + } +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 2b4a3d32c511..cfb8f1ec9a0a 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -114,6 +114,9 @@ static u64 __read_mostly host_xss; + bool __read_mostly enable_pml = 1; + module_param_named(pml, enable_pml, bool, S_IRUGO); + ++static bool __read_mostly dump_invalid_vmcs = 0; ++module_param(dump_invalid_vmcs, bool, 0644); ++ + #define MSR_BITMAP_MODE_X2APIC 1 + #define MSR_BITMAP_MODE_X2APIC_APICV 2 + +@@ -5605,15 +5608,24 @@ static void vmx_dump_dtsel(char *name, uint32_t limit) + + void dump_vmcs(void) + { +- u32 vmentry_ctl = vmcs_read32(VM_ENTRY_CONTROLS); +- u32 vmexit_ctl = vmcs_read32(VM_EXIT_CONTROLS); +- u32 cpu_based_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL); +- u32 pin_based_exec_ctrl = vmcs_read32(PIN_BASED_VM_EXEC_CONTROL); +- u32 secondary_exec_control = 0; +- unsigned long cr4 = vmcs_readl(GUEST_CR4); +- u64 efer = vmcs_read64(GUEST_IA32_EFER); ++ u32 vmentry_ctl, vmexit_ctl; ++ u32 cpu_based_exec_ctrl, pin_based_exec_ctrl, secondary_exec_control; ++ unsigned long cr4; ++ u64 efer; + int i, n; + ++ if (!dump_invalid_vmcs) { ++ pr_warn_ratelimited("set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state.\n"); ++ return; ++ } ++ ++ vmentry_ctl = vmcs_read32(VM_ENTRY_CONTROLS); ++ vmexit_ctl = vmcs_read32(VM_EXIT_CONTROLS); ++ cpu_based_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL); ++ pin_based_exec_ctrl = vmcs_read32(PIN_BASED_VM_EXEC_CONTROL); ++ cr4 = vmcs_readl(GUEST_CR4); ++ efer = vmcs_read64(GUEST_IA32_EFER); ++ secondary_exec_control = 0; + if (cpu_has_secondary_exec_ctrls()) + secondary_exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL); + +-- +2.20.1 + diff --git a/queue-5.1/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch b/queue-5.1/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch new file mode 100644 index 00000000000..70097697629 --- /dev/null +++ b/queue-5.1/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch @@ -0,0 +1,48 @@ +From 95b64772e0b1538104a28356293609fb973b81b1 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 17:34:30 +0200 +Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs + +[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ] + +According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of +each MSR may be written with any value, and the high-order 8 bits are +sign-extended according to the value of bit 31", but the fixed counters +in real hardware are limited to the width of the fixed counters ("bits +beyond the width of the fixed-function counter are reserved and must be +written as zeros"). Fix KVM to do the same. + +Reported-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/pmu_intel.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c +index ad7ea81fbfbf..c3f103e2b08e 100644 +--- a/arch/x86/kvm/vmx/pmu_intel.c ++++ b/arch/x86/kvm/vmx/pmu_intel.c +@@ -240,11 +240,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + } + break; + default: +- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) || +- (pmc = get_fixed_pmc(pmu, msr))) { +- if (!msr_info->host_initiated) +- data = (s64)(s32)data; +- pmc->counter += data - pmc_read_counter(pmc); ++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) { ++ if (msr_info->host_initiated) ++ pmc->counter = data; ++ else ++ pmc->counter = (s32)data; ++ return 0; ++ } else if ((pmc = get_fixed_pmc(pmu, msr))) { ++ pmc->counter = data; + return 0; + } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) { + if (data == pmc->eventsel) +-- +2.20.1 + diff --git a/queue-5.1/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch b/queue-5.1/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch new file mode 100644 index 00000000000..70e76e37567 --- /dev/null +++ b/queue-5.1/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch @@ -0,0 +1,119 @@ +From fd822f8bf0f622639f35cb923e0bac6e43684c5e Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 17:20:40 +0200 +Subject: KVM: x86/pmu: mask the result of rdpmc according to the width of the + counters + +[ Upstream commit 0e6f467ee28ec97f68c7b74e35ec1601bb1368a7 ] + +This patch will simplify the changes in the next, by enforcing the +masking of the counters to RDPMC and RDMSR. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/pmu.c | 10 +++------- + arch/x86/kvm/pmu.h | 3 ++- + arch/x86/kvm/pmu_amd.c | 2 +- + arch/x86/kvm/vmx/pmu_intel.c | 13 +++++++++---- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c +index e39741997893..dd745b58ffd8 100644 +--- a/arch/x86/kvm/pmu.c ++++ b/arch/x86/kvm/pmu.c +@@ -283,7 +283,7 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data) + bool fast_mode = idx & (1u << 31); + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + struct kvm_pmc *pmc; +- u64 ctr_val; ++ u64 mask = fast_mode ? ~0u : ~0ull; + + if (!pmu->version) + return 1; +@@ -291,15 +291,11 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data) + if (is_vmware_backdoor_pmc(idx)) + return kvm_pmu_rdpmc_vmware(vcpu, idx, data); + +- pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx); ++ pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx, &mask); + if (!pmc) + return 1; + +- ctr_val = pmc_read_counter(pmc); +- if (fast_mode) +- ctr_val = (u32)ctr_val; +- +- *data = ctr_val; ++ *data = pmc_read_counter(pmc) & mask; + return 0; + } + +diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h +index ba8898e1a854..22dff661145a 100644 +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -25,7 +25,8 @@ struct kvm_pmu_ops { + unsigned (*find_fixed_event)(int idx); + bool (*pmc_is_enabled)(struct kvm_pmc *pmc); + struct kvm_pmc *(*pmc_idx_to_pmc)(struct kvm_pmu *pmu, int pmc_idx); +- struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx); ++ struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx, ++ u64 *mask); + int (*is_valid_msr_idx)(struct kvm_vcpu *vcpu, unsigned idx); + bool (*is_valid_msr)(struct kvm_vcpu *vcpu, u32 msr); + int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr, u64 *data); +diff --git a/arch/x86/kvm/pmu_amd.c b/arch/x86/kvm/pmu_amd.c +index 50fa9450fcf1..d3118088f1cd 100644 +--- a/arch/x86/kvm/pmu_amd.c ++++ b/arch/x86/kvm/pmu_amd.c +@@ -186,7 +186,7 @@ static int amd_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx) + } + + /* idx is the ECX register of RDPMC instruction */ +-static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx) ++static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *mask) + { + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + struct kvm_pmc *counters; +diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c +index 5ab4a364348e..ad7ea81fbfbf 100644 +--- a/arch/x86/kvm/vmx/pmu_intel.c ++++ b/arch/x86/kvm/vmx/pmu_intel.c +@@ -126,7 +126,7 @@ static int intel_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx) + } + + static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, +- unsigned idx) ++ unsigned idx, u64 *mask) + { + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + bool fixed = idx & (1u << 30); +@@ -138,6 +138,7 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, + if (fixed && idx >= pmu->nr_arch_fixed_counters) + return NULL; + counters = fixed ? pmu->fixed_counters : pmu->gp_counters; ++ *mask &= pmu->counter_bitmask[fixed ? KVM_PMC_FIXED : KVM_PMC_GP]; + + return &counters[idx]; + } +@@ -183,9 +184,13 @@ static int intel_pmu_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *data) + *data = pmu->global_ovf_ctrl; + return 0; + default: +- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) || +- (pmc = get_fixed_pmc(pmu, msr))) { +- *data = pmc_read_counter(pmc); ++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) { ++ u64 val = pmc_read_counter(pmc); ++ *data = val & pmu->counter_bitmask[KVM_PMC_GP]; ++ return 0; ++ } else if ((pmc = get_fixed_pmc(pmu, msr))) { ++ u64 val = pmc_read_counter(pmc); ++ *data = val & pmu->counter_bitmask[KVM_PMC_FIXED]; + return 0; + } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) { + *data = pmc->eventsel; +-- +2.20.1 + diff --git a/queue-5.1/libnvdimm-fix-compilation-warnings-with-w-1.patch b/queue-5.1/libnvdimm-fix-compilation-warnings-with-w-1.patch new file mode 100644 index 00000000000..559946e8233 --- /dev/null +++ b/queue-5.1/libnvdimm-fix-compilation-warnings-with-w-1.patch @@ -0,0 +1,86 @@ +From bbbf480346b86f889617da1160063a74c69afa76 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 16 May 2019 12:04:53 -0400 +Subject: libnvdimm: Fix compilation warnings with W=1 + +[ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ] + +Several places (dimm_devs.c, core.c etc) include label.h but only +label.c uses NSINDEX_SIGNATURE, so move its definition to label.c +instead. + +In file included from drivers/nvdimm/dimm_devs.c:23: +drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but +not used [-Wunused-const-variable=] + +Also, some places abuse "/**" which is only reserved for the kernel-doc. + +drivers/nvdimm/bus.c:648: warning: cannot understand function prototype: +'struct attribute_group nd_device_attribute_group = ' +drivers/nvdimm/bus.c:677: warning: cannot understand function prototype: +'struct attribute_group nd_numa_attribute_group = ' + +Those are just some member assignments for the "struct attribute_group" +instances and it can't be expressed in the kernel-doc. + +Reviewed-by: Vishal Verma +Signed-off-by: Qian Cai +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 4 ++-- + drivers/nvdimm/label.c | 2 ++ + drivers/nvdimm/label.h | 2 -- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 7bbff0af29b2..99d5892ea98a 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -642,7 +642,7 @@ static struct attribute *nd_device_attributes[] = { + NULL, + }; + +-/** ++/* + * nd_device_attribute_group - generic attributes for all devices on an nd bus + */ + struct attribute_group nd_device_attribute_group = { +@@ -671,7 +671,7 @@ static umode_t nd_numa_attr_visible(struct kobject *kobj, struct attribute *a, + return a->mode; + } + +-/** ++/* + * nd_numa_attribute_group - NUMA attributes for all devices on an nd bus + */ + struct attribute_group nd_numa_attribute_group = { +diff --git a/drivers/nvdimm/label.c b/drivers/nvdimm/label.c +index 2030805aa216..edf278067e72 100644 +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -25,6 +25,8 @@ static guid_t nvdimm_btt2_guid; + static guid_t nvdimm_pfn_guid; + static guid_t nvdimm_dax_guid; + ++static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0"; ++ + static u32 best_seq(u32 a, u32 b) + { + a &= NSINDEX_SEQ_MASK; +diff --git a/drivers/nvdimm/label.h b/drivers/nvdimm/label.h +index e9a2ad3c2150..4bb7add39580 100644 +--- a/drivers/nvdimm/label.h ++++ b/drivers/nvdimm/label.h +@@ -38,8 +38,6 @@ enum { + ND_NSINDEX_INIT = 0x1, + }; + +-static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0"; +- + /** + * struct nd_namespace_index - label set superblock + * @sig: NAMESPACE_INDEX\0 +-- +2.20.1 + diff --git a/queue-5.1/net-macb-fix-error-format-in-dev_err.patch b/queue-5.1/net-macb-fix-error-format-in-dev_err.patch new file mode 100644 index 00000000000..8a6af06a99d --- /dev/null +++ b/queue-5.1/net-macb-fix-error-format-in-dev_err.patch @@ -0,0 +1,96 @@ +From 1c8d723db3d30a0a959ea31a1b390d044b49df16 Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Tue, 14 May 2019 15:23:07 +0200 +Subject: net: macb: fix error format in dev_err() + +[ Upstream commit f413cbb332a0b5251a790f396d0eb4ebcade5dec ] + +Errors are negative numbers. Using %u shows them as very large positive +numbers such as 4294967277 that don't make sense. Use the %d format +instead, and get a much nicer -19. + +Signed-off-by: Luca Ceresoli +Fixes: b48e0bab142f ("net: macb: Migrate to devm clock interface") +Fixes: 93b31f48b3ba ("net/macb: unify clock management") +Fixes: 421d9df0628b ("net/macb: merge at91_ether driver into macb driver") +Fixes: aead88bd0e99 ("net: ethernet: macb: Add support for rx_clk") +Fixes: f5473d1d44e4 ("net: macb: Support clock management for tsu_clk") +Acked-by: Nicolas Ferre +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index a6535e226d84..d005ed12b4d1 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3377,7 +3377,7 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk, + if (!err) + err = -ENODEV; + +- dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to get macb_clk (%d)\n", err); + return err; + } + +@@ -3386,7 +3386,7 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk, + if (!err) + err = -ENODEV; + +- dev_err(&pdev->dev, "failed to get hclk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to get hclk (%d)\n", err); + return err; + } + +@@ -3404,31 +3404,31 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk, + + err = clk_prepare_enable(*pclk); + if (err) { +- dev_err(&pdev->dev, "failed to enable pclk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable pclk (%d)\n", err); + return err; + } + + err = clk_prepare_enable(*hclk); + if (err) { +- dev_err(&pdev->dev, "failed to enable hclk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable hclk (%d)\n", err); + goto err_disable_pclk; + } + + err = clk_prepare_enable(*tx_clk); + if (err) { +- dev_err(&pdev->dev, "failed to enable tx_clk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable tx_clk (%d)\n", err); + goto err_disable_hclk; + } + + err = clk_prepare_enable(*rx_clk); + if (err) { +- dev_err(&pdev->dev, "failed to enable rx_clk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable rx_clk (%d)\n", err); + goto err_disable_txclk; + } + + err = clk_prepare_enable(*tsu_clk); + if (err) { +- dev_err(&pdev->dev, "failed to enable tsu_clk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable tsu_clk (%d)\n", err); + goto err_disable_rxclk; + } + +@@ -3902,7 +3902,7 @@ static int at91ether_clk_init(struct platform_device *pdev, struct clk **pclk, + + err = clk_prepare_enable(*pclk); + if (err) { +- dev_err(&pdev->dev, "failed to enable pclk (%u)\n", err); ++ dev_err(&pdev->dev, "failed to enable pclk (%d)\n", err); + return err; + } + +-- +2.20.1 + diff --git a/queue-5.1/nvme-fix-memory-leak-for-power-latency-tolerance.patch b/queue-5.1/nvme-fix-memory-leak-for-power-latency-tolerance.patch new file mode 100644 index 00000000000..6500989653f --- /dev/null +++ b/queue-5.1/nvme-fix-memory-leak-for-power-latency-tolerance.patch @@ -0,0 +1,38 @@ +From 8da0498a5a8d71bd1167254ec9175effbea92d6d Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Thu, 16 May 2019 19:30:07 -0700 +Subject: nvme: fix memory leak for power latency tolerance + +[ Upstream commit 510a405d945bc985abc513fafe45890cac34fafa ] + +Unconditionally hide device pm latency tolerance when uninitializing +the controller to ensure all qos resources are released so that we're +not leaking this memory. This is safe to call if none were allocated in +the first place, or were previously freed. + +Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions") +Suggested-by: Keith Busch +Tested-by: David Milburn +Signed-off-by: Yufen Yu +[changelog] +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 23c90382a515..35d2202ee2fd 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3699,6 +3699,7 @@ EXPORT_SYMBOL_GPL(nvme_start_ctrl); + + void nvme_uninit_ctrl(struct nvme_ctrl *ctrl) + { ++ dev_pm_qos_hide_latency_tolerance(ctrl->device); + cdev_device_del(&ctrl->cdev, ctrl->device); + } + EXPORT_SYMBOL_GPL(nvme_uninit_ctrl); +-- +2.20.1 + diff --git a/queue-5.1/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch b/queue-5.1/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch new file mode 100644 index 00000000000..2b9151743cf --- /dev/null +++ b/queue-5.1/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch @@ -0,0 +1,55 @@ +From 5058ab089148342cfcee79ed39f01707e9747b32 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:33 -0700 +Subject: nvme: fix srcu locking on error return in nvme_get_ns_from_disk + +[ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ] + +If we can't get a namespace don't leak the SRCU lock. nvme_ioctl was +working around this, but nvme_pr_command wasn't handling this properly. +Just do what callers would usually expect. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 8782d86a8ca3..e29c395f44d2 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1362,9 +1362,14 @@ static struct nvme_ns *nvme_get_ns_from_disk(struct gendisk *disk, + { + #ifdef CONFIG_NVME_MULTIPATH + if (disk->fops == &nvme_ns_head_ops) { ++ struct nvme_ns *ns; ++ + *head = disk->private_data; + *srcu_idx = srcu_read_lock(&(*head)->srcu); +- return nvme_find_path(*head); ++ ns = nvme_find_path(*head); ++ if (!ns) ++ srcu_read_unlock(&(*head)->srcu, *srcu_idx); ++ return ns; + } + #endif + *head = NULL; +@@ -1411,9 +1416,9 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + + ns = nvme_get_ns_from_disk(bdev->bd_disk, &head, &srcu_idx); + if (unlikely(!ns)) +- ret = -EWOULDBLOCK; +- else +- ret = nvme_ns_ioctl(ns, cmd, arg); ++ return -EWOULDBLOCK; ++ ++ ret = nvme_ns_ioctl(ns, cmd, arg); + nvme_put_ns_from_disk(head, srcu_idx); + return ret; + } +-- +2.20.1 + diff --git a/queue-5.1/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch b/queue-5.1/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch new file mode 100644 index 00000000000..bccc2fca3c0 --- /dev/null +++ b/queue-5.1/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch @@ -0,0 +1,89 @@ +From 3c525a2cb2cd69dda285dd8a7de0bf7a7d9e5038 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:35 -0700 +Subject: nvme: merge nvme_ns_ioctl into nvme_ioctl + +[ Upstream commit 90ec611adcf20b96d0c2b7166497d53e4301a57f ] + +Merge the two functions to make future changes a little easier. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 47 ++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index decc0b3a3854..8b77e6a05f4b 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1383,32 +1383,11 @@ static void nvme_put_ns_from_disk(struct nvme_ns_head *head, int idx) + srcu_read_unlock(&head->srcu, idx); + } + +-static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg) +-{ +- switch (cmd) { +- case NVME_IOCTL_ID: +- force_successful_syscall_return(); +- return ns->head->ns_id; +- case NVME_IOCTL_ADMIN_CMD: +- return nvme_user_cmd(ns->ctrl, NULL, (void __user *)arg); +- case NVME_IOCTL_IO_CMD: +- return nvme_user_cmd(ns->ctrl, ns, (void __user *)arg); +- case NVME_IOCTL_SUBMIT_IO: +- return nvme_submit_io(ns, (void __user *)arg); +- default: +- if (ns->ndev) +- return nvme_nvm_ioctl(ns, cmd, arg); +- if (is_sed_ioctl(cmd)) +- return sed_ioctl(ns->ctrl->opal_dev, cmd, +- (void __user *) arg); +- return -ENOTTY; +- } +-} +- + static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + unsigned int cmd, unsigned long arg) + { + struct nvme_ns_head *head = NULL; ++ void __user *argp = (void __user *)arg; + struct nvme_ns *ns; + int srcu_idx, ret; + +@@ -1416,7 +1395,29 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + if (unlikely(!ns)) + return -EWOULDBLOCK; + +- ret = nvme_ns_ioctl(ns, cmd, arg); ++ switch (cmd) { ++ case NVME_IOCTL_ID: ++ force_successful_syscall_return(); ++ ret = ns->head->ns_id; ++ break; ++ case NVME_IOCTL_ADMIN_CMD: ++ ret = nvme_user_cmd(ns->ctrl, NULL, argp); ++ break; ++ case NVME_IOCTL_IO_CMD: ++ ret = nvme_user_cmd(ns->ctrl, ns, argp); ++ break; ++ case NVME_IOCTL_SUBMIT_IO: ++ ret = nvme_submit_io(ns, argp); ++ break; ++ default: ++ if (ns->ndev) ++ ret = nvme_nvm_ioctl(ns, cmd, arg); ++ else if (is_sed_ioctl(cmd)) ++ ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp); ++ else ++ ret = -ENOTTY; ++ } ++ + nvme_put_ns_from_disk(head, srcu_idx); + return ret; + } +-- +2.20.1 + diff --git a/queue-5.1/nvme-pci-fix-controller-freeze-wait-disabling.patch b/queue-5.1/nvme-pci-fix-controller-freeze-wait-disabling.patch new file mode 100644 index 00000000000..67aa564adda --- /dev/null +++ b/queue-5.1/nvme-pci-fix-controller-freeze-wait-disabling.patch @@ -0,0 +1,59 @@ +From 1884f20ae78c8129d6f332ac7e6b83da60beee1c Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Tue, 14 May 2019 14:07:38 -0600 +Subject: nvme-pci: Fix controller freeze wait disabling + +[ Upstream commit e43269e6e5c49d7fec599e6bba71963935b0e4ba ] + +If a controller disabling didn't start a freeze, don't wait for the +operation to complete. + +Reviewed-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 372d3f4a106a..f20da2e3da2c 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2400,7 +2400,7 @@ static void nvme_pci_disable(struct nvme_dev *dev) + + static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown) + { +- bool dead = true; ++ bool dead = true, freeze = false; + struct pci_dev *pdev = to_pci_dev(dev->dev); + + mutex_lock(&dev->shutdown_lock); +@@ -2408,8 +2408,10 @@ static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown) + u32 csts = readl(dev->bar + NVME_REG_CSTS); + + if (dev->ctrl.state == NVME_CTRL_LIVE || +- dev->ctrl.state == NVME_CTRL_RESETTING) ++ dev->ctrl.state == NVME_CTRL_RESETTING) { ++ freeze = true; + nvme_start_freeze(&dev->ctrl); ++ } + dead = !!((csts & NVME_CSTS_CFS) || !(csts & NVME_CSTS_RDY) || + pdev->error_state != pci_channel_io_normal); + } +@@ -2418,10 +2420,8 @@ static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown) + * Give the controller a chance to complete all entered requests if + * doing a safe shutdown. + */ +- if (!dead) { +- if (shutdown) +- nvme_wait_freeze_timeout(&dev->ctrl, NVME_IO_TIMEOUT); +- } ++ if (!dead && shutdown && freeze) ++ nvme_wait_freeze_timeout(&dev->ctrl, NVME_IO_TIMEOUT); + + nvme_stop_queues(&dev->ctrl); + +-- +2.20.1 + diff --git a/queue-5.1/nvme-pci-use-blk-mq-mapping-for-unmanaged-irqs.patch b/queue-5.1/nvme-pci-use-blk-mq-mapping-for-unmanaged-irqs.patch new file mode 100644 index 00000000000..414455920a9 --- /dev/null +++ b/queue-5.1/nvme-pci-use-blk-mq-mapping-for-unmanaged-irqs.patch @@ -0,0 +1,72 @@ +From 252341c53dcf124dec4b843bef71b2476f397f69 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Tue, 21 May 2019 10:56:43 -0600 +Subject: nvme-pci: use blk-mq mapping for unmanaged irqs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit cb9e0e5006064a807b5d722c7e3c42f307193792 ] + +If a device is providing a single IRQ vector, the IO queue will share +that vector with the admin queue. This is an unmanaged vector, so does +not have a valid PCI IRQ affinity. Avoid trying to extract a managed +affinity in this case and let blk-mq set up the cpu:queue mapping instead. +Otherwise we'd hit the following warning when the device is using MSI: + + WARNING: CPU: 4 PID: 7 at drivers/pci/msi.c:1272 pci_irq_get_affinity+0x66/0x80 + Modules linked in: nvme nvme_core serio_raw + CPU: 4 PID: 7 Comm: kworker/u16:0 Tainted: G W 5.2.0-rc1+ #494 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + Workqueue: nvme-reset-wq nvme_reset_work [nvme] + RIP: 0010:pci_irq_get_affinity+0x66/0x80 + Code: 0b 31 c0 c3 83 e2 10 48 c7 c0 b0 83 35 91 74 2a 48 8b 87 d8 03 00 00 48 85 c0 74 0e 48 8b 50 30 48 85 d2 74 05 39 70 14 77 05 <0f> 0b 31 c0 c3 48 63 f6 48 8d 04 76 48 8d 04 c2 f3 c3 48 8b 40 30 + RSP: 0000:ffffb5abc01d3cc8 EFLAGS: 00010246 + RAX: ffff9536786a39c0 RBX: 0000000000000000 RCX: 0000000000000080 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9536781ed000 + RBP: ffff95367346a008 R08: ffff95367d43f080 R09: ffff953678c07800 + R10: ffff953678164800 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff9536781ed000 R14: 00000000ffffffff R15: ffff95367346a008 + FS: 0000000000000000(0000) GS:ffff95367d400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fdf814a3ff0 CR3: 000000001a20f000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + blk_mq_pci_map_queues+0x37/0xd0 + nvme_pci_map_queues+0x80/0xb0 [nvme] + blk_mq_alloc_tag_set+0x133/0x2f0 + nvme_reset_work+0x105d/0x1590 [nvme] + process_one_work+0x291/0x530 + worker_thread+0x218/0x3d0 + ? process_one_work+0x530/0x530 + kthread+0x111/0x130 + ? kthread_park+0x90/0x90 + ret_from_fork+0x1f/0x30 + ---[ end trace 74587339d93c83c0 ]--- + +Fixes: 22b5560195bd6 ("nvme-pci: Separate IO and admin queue IRQ vectors") +Reported-by: Iván Chavero +Reviewed-by: Ming Lei +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index f20da2e3da2c..693f2a856200 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -500,7 +500,7 @@ static int nvme_pci_map_queues(struct blk_mq_tag_set *set) + * affinity), so use the regular blk-mq cpu mapping + */ + map->queue_offset = qoff; +- if (i != HCTX_TYPE_POLL) ++ if (i != HCTX_TYPE_POLL && offset) + blk_mq_pci_map_queues(map, to_pci_dev(dev->dev), offset); + else + blk_mq_map_queues(map); +-- +2.20.1 + diff --git a/queue-5.1/nvme-release-namespace-srcu-protection-before-perfor.patch b/queue-5.1/nvme-release-namespace-srcu-protection-before-perfor.patch new file mode 100644 index 00000000000..f51278953c6 --- /dev/null +++ b/queue-5.1/nvme-release-namespace-srcu-protection-before-perfor.patch @@ -0,0 +1,73 @@ +From c1e7f5043239b4a293a630b31a5f45bad1f37a4c Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 11:47:36 +0200 +Subject: nvme: release namespace SRCU protection before performing controller + ioctls + +[ Upstream commit 5fb4aac756acacf260b9ebd88747251effa3a2f2 ] + +Holding the SRCU critical section protecting the namespace list can +cause deadlocks when using the per-namespace admin passthrough ioctl to +delete as namespace. Release it earlier when performing per-controller +ioctls to avoid that. + +Reported-by: Kenneth Heitke +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 8b77e6a05f4b..23c90382a515 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1395,14 +1395,31 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + if (unlikely(!ns)) + return -EWOULDBLOCK; + ++ /* ++ * Handle ioctls that apply to the controller instead of the namespace ++ * seperately and drop the ns SRCU reference early. This avoids a ++ * deadlock when deleting namespaces using the passthrough interface. ++ */ ++ if (cmd == NVME_IOCTL_ADMIN_CMD || is_sed_ioctl(cmd)) { ++ struct nvme_ctrl *ctrl = ns->ctrl; ++ ++ nvme_get_ctrl(ns->ctrl); ++ nvme_put_ns_from_disk(head, srcu_idx); ++ ++ if (cmd == NVME_IOCTL_ADMIN_CMD) ++ ret = nvme_user_cmd(ctrl, NULL, argp); ++ else ++ ret = sed_ioctl(ctrl->opal_dev, cmd, argp); ++ ++ nvme_put_ctrl(ctrl); ++ return ret; ++ } ++ + switch (cmd) { + case NVME_IOCTL_ID: + force_successful_syscall_return(); + ret = ns->head->ns_id; + break; +- case NVME_IOCTL_ADMIN_CMD: +- ret = nvme_user_cmd(ns->ctrl, NULL, argp); +- break; + case NVME_IOCTL_IO_CMD: + ret = nvme_user_cmd(ns->ctrl, ns, argp); + break; +@@ -1412,8 +1429,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + default: + if (ns->ndev) + ret = nvme_nvm_ioctl(ns, cmd, arg); +- else if (is_sed_ioctl(cmd)) +- ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp); + else + ret = -ENOTTY; + } +-- +2.20.1 + diff --git a/queue-5.1/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch b/queue-5.1/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch new file mode 100644 index 00000000000..ed623233740 --- /dev/null +++ b/queue-5.1/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch @@ -0,0 +1,36 @@ +From fad0c55be6b10fbe6b8ad9de9dd4062e8d6be137 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:34 -0700 +Subject: nvme: remove the ifdef around nvme_nvm_ioctl + +[ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ] + +We already have a proper stub if lightnvm is not enabled, so don't bother +with the ifdef. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index e29c395f44d2..decc0b3a3854 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1396,10 +1396,8 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg) + case NVME_IOCTL_SUBMIT_IO: + return nvme_submit_io(ns, (void __user *)arg); + default: +-#ifdef CONFIG_NVM + if (ns->ndev) + return nvme_nvm_ioctl(ns, cmd, arg); +-#endif + if (is_sed_ioctl(cmd)) + return sed_ioctl(ns->ctrl->opal_dev, cmd, + (void __user *) arg); +-- +2.20.1 + diff --git a/queue-5.1/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch b/queue-5.1/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch new file mode 100644 index 00000000000..e35cf9d976f --- /dev/null +++ b/queue-5.1/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch @@ -0,0 +1,52 @@ +From 49e0607b7dd298fdb27cd5ad8e7f8dd81c5a5c08 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 29 Apr 2019 17:01:35 +0200 +Subject: platform/x86: pmc_atom: Add Lex 3I380D industrial PC to + critclk_systems DMI table + +[ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ] + +The Lex 3I380D industrial PC has 4 ethernet controllers on board +which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems +DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks +as CLK_CRITICAL and they will not get turned off. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Reported-and-tested-by: Semyon Verchenko +Signed-off-by: Hans de Goede +Acked-by: Andy Shevchenko +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index c7039f52ad51..a311f48ce7c9 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -398,12 +398,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc) + */ + static const struct dmi_system_id critclk_systems[] = { + { ++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */ + .ident = "MPL CEC1x", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"), + DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"), + }, + }, ++ { ++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */ ++ .ident = "Lex 3I380D", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"), ++ }, ++ }, + { /*sentinel*/ } + }; + +-- +2.20.1 + diff --git a/queue-5.1/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch b/queue-5.1/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch new file mode 100644 index 00000000000..c9b11cb524e --- /dev/null +++ b/queue-5.1/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch @@ -0,0 +1,59 @@ +From 3360ff253cbbb086387fd0288421a13144481d3e Mon Sep 17 00:00:00 2001 +From: Steffen Dirkwinkel +Date: Thu, 2 May 2019 15:03:51 +0200 +Subject: platform/x86: pmc_atom: Add several Beckhoff Automation boards to + critclk_systems DMI table + +[ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ] + +There are several Beckhoff Automation industrial PC boards which use +pmc_plt_clk* clocks for ethernet controllers. This adds affected boards +to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and +not turned off. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Signed-off-by: Steffen Dirkwinkel +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index a311f48ce7c9..b1d804376237 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -413,6 +413,30 @@ static const struct dmi_system_id critclk_systems[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"), + }, + }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB3163", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"), ++ }, ++ }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB6263", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"), ++ }, ++ }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB6363", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"), ++ }, ++ }, + { /*sentinel*/ } + }; + +-- +2.20.1 + diff --git a/queue-5.1/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch b/queue-5.1/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch new file mode 100644 index 00000000000..4d940d5927e --- /dev/null +++ b/queue-5.1/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch @@ -0,0 +1,50 @@ +From a40a52b3eae3d5b2cfcb6a3c1b48cde900928886 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 11 Apr 2019 19:58:32 +0200 +Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex" + +[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ] + +This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32. + +The fix attempt was incorrect, leading to the mutex deadlock through +the close of OSS sequencer client. The proper fix needs more +consideration, so let's revert it now. + +Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex") +Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 8599f2937ac1..c99e1b77a45b 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -2337,19 +2337,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) + { + const struct ioctl_handler *handler; + struct snd_seq_client *client; +- int err; + + client = clientptr(clientid); + if (client == NULL) + return -ENXIO; + + for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { +- if (handler->cmd == cmd) { +- mutex_lock(&client->ioctl_mutex); +- err = handler->func(client, arg); +- mutex_unlock(&client->ioctl_mutex); +- return err; +- } ++ if (handler->cmd == cmd) ++ return handler->func(client, arg); + } + + pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", +-- +2.20.1 + diff --git a/queue-5.1/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch b/queue-5.1/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch new file mode 100644 index 00000000000..2790c725d3c --- /dev/null +++ b/queue-5.1/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch @@ -0,0 +1,37 @@ +From 5aeafe74b65c7f410609364d3bc7053764db1485 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sat, 4 May 2019 17:48:29 +0100 +Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation + +[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ] + +Currently an int is being shifted and the result is being cast to a u64 +which leads to undefined behaviour if the shift is more than 31 bits. Fix +this by casting the integer value 1 to u64 before the shift operation. + +Addresses-Coverity: ("Bad shift operation") +Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware") +Signed-off-by: Colin Ian King +Acked-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c +index 039328d9ef13..30e6d78e82f0 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c +@@ -830,7 +830,7 @@ ret_err_rqe: + ((u64)err_entry->data.err_warn_bitmap_hi << 32) | + (u64)err_entry->data.err_warn_bitmap_lo; + for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) { +- if (err_warn_bit_map & (u64) (1 << i)) { ++ if (err_warn_bit_map & ((u64)1 << i)) { + err_warn = i; + break; + } +-- +2.20.1 + diff --git a/queue-5.1/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch b/queue-5.1/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch new file mode 100644 index 00000000000..d83da98c3ad --- /dev/null +++ b/queue-5.1/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch @@ -0,0 +1,38 @@ +From 6374cd0a53bb683cd84cbb822195a4ac585b979e Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Mon, 6 May 2019 17:26:49 -0700 +Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ + +[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ] + +There was a missing qualification of a valid ndlp structure when calling to +send an RRQ for an abort. Add the check. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Tested-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index fc077cb87900..965f8a1a8f67 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7338,7 +7338,10 @@ int + lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq) + { + struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport, +- rrq->nlp_DID); ++ rrq->nlp_DID); ++ if (!ndlp) ++ return 1; ++ + if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag)) + return lpfc_issue_els_rrq(rrq->vport, ndlp, + rrq->nlp_DID, rrq); +-- +2.20.1 + diff --git a/queue-5.1/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch b/queue-5.1/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch new file mode 100644 index 00000000000..29dc4e5912d --- /dev/null +++ b/queue-5.1/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch @@ -0,0 +1,122 @@ +From 9450c00c32b3d1caf45e04ee6be409093cc1db06 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Mon, 6 May 2019 17:26:48 -0700 +Subject: scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show + +[ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ] + +Many of the exit cases were not releasing the rcu read lock. Corrected the +exit paths. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Tested-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index f30cb0fb9a82..26a22e41204e 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -338,7 +338,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + phba->sli4_hba.io_xri_max, + lpfc_sli4_get_els_iocb_cnt(phba)); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + + /* Port state is only one of two values for now. */ + if (localport->port_id) +@@ -354,7 +354,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + wwn_to_u64(vport->fc_nodename.u.wwn), + localport->port_id, statep); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + + list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { + nrport = NULL; +@@ -381,39 +381,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + + /* Tab in to show lport ownership. */ + if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + if (phba->brd_no >= 10) { + if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + + scnprintf(tmp, sizeof(tmp), "WWPN x%llx ", + nrport->port_name); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + + scnprintf(tmp, sizeof(tmp), "WWNN x%llx ", + nrport->node_name); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + + scnprintf(tmp, sizeof(tmp), "DID x%06x ", + nrport->port_id); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + + /* An NVME rport can have multiple roles. */ + if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) { + if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) { + if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) { + if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR | + FC_PORT_ROLE_NVME_TARGET | +@@ -421,12 +421,12 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x", + nrport->port_role); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + + scnprintf(tmp, sizeof(tmp), "%s\n", statep); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto buffer_done; ++ goto rcu_unlock_buf_done; + } + rcu_read_unlock(); + +@@ -488,7 +488,13 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + atomic_read(&lport->cmpl_fcp_err)); + strlcat(buf, tmp, PAGE_SIZE); + +-buffer_done: ++ /* RCU is already unlocked. */ ++ goto buffer_done; ++ ++ rcu_unlock_buf_done: ++ rcu_read_unlock(); ++ ++ buffer_done: + len = strnlen(buf, PAGE_SIZE); + + if (unlikely(len >= (PAGE_SIZE - 1))) { +-- +2.20.1 + diff --git a/queue-5.1/scsi-lpfc-resolve-lockdep-warnings.patch b/queue-5.1/scsi-lpfc-resolve-lockdep-warnings.patch new file mode 100644 index 00000000000..fdd5cf994b4 --- /dev/null +++ b/queue-5.1/scsi-lpfc-resolve-lockdep-warnings.patch @@ -0,0 +1,299 @@ +From fb16da0c0b6d2b6da2bcfe1e6ff14a2c23bb770a Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Mon, 6 May 2019 17:26:47 -0700 +Subject: scsi: lpfc: resolve lockdep warnings + +[ Upstream commit e2a8be5696e706a2fce6edd11e5c74ce14cffec0 ] + +There were a number of erroneous comments and incorrect older lockdep +checks that were causing a number of warnings. + +Resolve the following: + + - Inconsistent lock state warnings in lpfc_nvme_info_show(). + + - Fixed comments and code on sequences where ring lock is now held instead + of hbalock. + + - Reworked calling sequences around lpfc_sli_iocbq_lookup(). Rather than + locking prior to the routine and have routine guess on what lock, take + the lock within the routine. The lockdep check becomes unnecessary. + + - Fixed comments and removed erroneous hbalock checks. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +CC: Bart Van Assche +Tested-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 5 ++- + drivers/scsi/lpfc/lpfc_sli.c | 84 ++++++++++++++++++++++------------- + 2 files changed, 56 insertions(+), 33 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index a09a742d7ec1..f30cb0fb9a82 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -159,6 +159,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + int i; + int len = 0; + char tmp[LPFC_MAX_NVME_INFO_TMP_LEN] = {0}; ++ unsigned long iflags = 0; + + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_NVME)) { + len = scnprintf(buf, PAGE_SIZE, "NVME Disabled\n"); +@@ -357,11 +358,11 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + + list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { + nrport = NULL; +- spin_lock(&vport->phba->hbalock); ++ spin_lock_irqsave(&vport->phba->hbalock, iflags); + rport = lpfc_ndlp_get_nrport(ndlp); + if (rport) + nrport = rport->remoteport; +- spin_unlock(&vport->phba->hbalock); ++ spin_unlock_irqrestore(&vport->phba->hbalock, iflags); + if (!nrport) + continue; + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index dc933b6d7800..363b21c4255e 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -994,15 +994,14 @@ lpfc_cleanup_vports_rrqs(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + * @ndlp: Targets nodelist pointer for this exchange. + * @xritag the xri in the bitmap to test. + * +- * This function is called with hbalock held. This function +- * returns 0 = rrq not active for this xri +- * 1 = rrq is valid for this xri. ++ * This function returns: ++ * 0 = rrq not active for this xri ++ * 1 = rrq is valid for this xri. + **/ + int + lpfc_test_rrq_active(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp, + uint16_t xritag) + { +- lockdep_assert_held(&phba->hbalock); + if (!ndlp) + return 0; + if (!ndlp->active_rrqs_xri_bitmap) +@@ -1105,10 +1104,11 @@ out: + * @phba: Pointer to HBA context object. + * @piocb: Pointer to the iocbq. + * +- * This function is called with the ring lock held. This function +- * gets a new driver sglq object from the sglq list. If the +- * list is not empty then it is successful, it returns pointer to the newly +- * allocated sglq object else it returns NULL. ++ * The driver calls this function with either the nvme ls ring lock ++ * or the fc els ring lock held depending on the iocb usage. This function ++ * gets a new driver sglq object from the sglq list. If the list is not empty ++ * then it is successful, it returns pointer to the newly allocated sglq ++ * object else it returns NULL. + **/ + static struct lpfc_sglq * + __lpfc_sli_get_els_sglq(struct lpfc_hba *phba, struct lpfc_iocbq *piocbq) +@@ -1118,9 +1118,15 @@ __lpfc_sli_get_els_sglq(struct lpfc_hba *phba, struct lpfc_iocbq *piocbq) + struct lpfc_sglq *start_sglq = NULL; + struct lpfc_io_buf *lpfc_cmd; + struct lpfc_nodelist *ndlp; ++ struct lpfc_sli_ring *pring = NULL; + int found = 0; + +- lockdep_assert_held(&phba->hbalock); ++ if (piocbq->iocb_flag & LPFC_IO_NVME_LS) ++ pring = phba->sli4_hba.nvmels_wq->pring; ++ else ++ pring = lpfc_phba_elsring(phba); ++ ++ lockdep_assert_held(&pring->ring_lock); + + if (piocbq->iocb_flag & LPFC_IO_FCP) { + lpfc_cmd = (struct lpfc_io_buf *) piocbq->context1; +@@ -1563,7 +1569,8 @@ lpfc_sli_ring_map(struct lpfc_hba *phba) + * @pring: Pointer to driver SLI ring object. + * @piocb: Pointer to the driver iocb object. + * +- * This function is called with hbalock held. The function adds the ++ * The driver calls this function with the hbalock held for SLI3 ports or ++ * the ring lock held for SLI4 ports. The function adds the + * new iocb to txcmplq of the given ring. This function always returns + * 0. If this function is called for ELS ring, this function checks if + * there is a vport associated with the ELS command. This function also +@@ -1573,7 +1580,10 @@ static int + lpfc_sli_ringtxcmpl_put(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + struct lpfc_iocbq *piocb) + { +- lockdep_assert_held(&phba->hbalock); ++ if (phba->sli_rev == LPFC_SLI_REV4) ++ lockdep_assert_held(&pring->ring_lock); ++ else ++ lockdep_assert_held(&phba->hbalock); + + BUG_ON(!piocb); + +@@ -2970,8 +2980,8 @@ lpfc_sli_process_unsol_iocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + * + * This function looks up the iocb_lookup table to get the command iocb + * corresponding to the given response iocb using the iotag of the +- * response iocb. This function is called with the hbalock held +- * for sli3 devices or the ring_lock for sli4 devices. ++ * response iocb. The driver calls this function with the hbalock held ++ * for SLI3 ports or the ring lock held for SLI4 ports. + * This function returns the command iocb object if it finds the command + * iocb else returns NULL. + **/ +@@ -2982,8 +2992,15 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba, + { + struct lpfc_iocbq *cmd_iocb = NULL; + uint16_t iotag; +- lockdep_assert_held(&phba->hbalock); ++ spinlock_t *temp_lock = NULL; ++ unsigned long iflag = 0; + ++ if (phba->sli_rev == LPFC_SLI_REV4) ++ temp_lock = &pring->ring_lock; ++ else ++ temp_lock = &phba->hbalock; ++ ++ spin_lock_irqsave(temp_lock, iflag); + iotag = prspiocb->iocb.ulpIoTag; + + if (iotag != 0 && iotag <= phba->sli.last_iotag) { +@@ -2993,10 +3010,12 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba, + list_del_init(&cmd_iocb->list); + cmd_iocb->iocb_flag &= ~LPFC_IO_ON_TXCMPLQ; + pring->txcmplq_cnt--; ++ spin_unlock_irqrestore(temp_lock, iflag); + return cmd_iocb; + } + } + ++ spin_unlock_irqrestore(temp_lock, iflag); + lpfc_printf_log(phba, KERN_ERR, LOG_SLI, + "0317 iotag x%x is out of " + "range: max iotag x%x wd0 x%x\n", +@@ -3012,8 +3031,8 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba, + * @iotag: IOCB tag. + * + * This function looks up the iocb_lookup table to get the command iocb +- * corresponding to the given iotag. This function is called with the +- * hbalock held. ++ * corresponding to the given iotag. The driver calls this function with ++ * the ring lock held because this function is an SLI4 port only helper. + * This function returns the command iocb object if it finds the command + * iocb else returns NULL. + **/ +@@ -3022,8 +3041,15 @@ lpfc_sli_iocbq_lookup_by_tag(struct lpfc_hba *phba, + struct lpfc_sli_ring *pring, uint16_t iotag) + { + struct lpfc_iocbq *cmd_iocb = NULL; ++ spinlock_t *temp_lock = NULL; ++ unsigned long iflag = 0; + +- lockdep_assert_held(&phba->hbalock); ++ if (phba->sli_rev == LPFC_SLI_REV4) ++ temp_lock = &pring->ring_lock; ++ else ++ temp_lock = &phba->hbalock; ++ ++ spin_lock_irqsave(temp_lock, iflag); + if (iotag != 0 && iotag <= phba->sli.last_iotag) { + cmd_iocb = phba->sli.iocbq_lookup[iotag]; + if (cmd_iocb->iocb_flag & LPFC_IO_ON_TXCMPLQ) { +@@ -3031,10 +3057,12 @@ lpfc_sli_iocbq_lookup_by_tag(struct lpfc_hba *phba, + list_del_init(&cmd_iocb->list); + cmd_iocb->iocb_flag &= ~LPFC_IO_ON_TXCMPLQ; + pring->txcmplq_cnt--; ++ spin_unlock_irqrestore(temp_lock, iflag); + return cmd_iocb; + } + } + ++ spin_unlock_irqrestore(temp_lock, iflag); + lpfc_printf_log(phba, KERN_ERR, LOG_SLI, + "0372 iotag x%x lookup error: max iotag (x%x) " + "iocb_flag x%x\n", +@@ -3068,17 +3096,7 @@ lpfc_sli_process_sol_iocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + int rc = 1; + unsigned long iflag; + +- /* Based on the iotag field, get the cmd IOCB from the txcmplq */ +- if (phba->sli_rev == LPFC_SLI_REV4) +- spin_lock_irqsave(&pring->ring_lock, iflag); +- else +- spin_lock_irqsave(&phba->hbalock, iflag); + cmdiocbp = lpfc_sli_iocbq_lookup(phba, pring, saveq); +- if (phba->sli_rev == LPFC_SLI_REV4) +- spin_unlock_irqrestore(&pring->ring_lock, iflag); +- else +- spin_unlock_irqrestore(&phba->hbalock, iflag); +- + if (cmdiocbp) { + if (cmdiocbp->iocb_cmpl) { + /* +@@ -3409,8 +3427,10 @@ lpfc_sli_handle_fast_ring_event(struct lpfc_hba *phba, + break; + } + ++ spin_unlock_irqrestore(&phba->hbalock, iflag); + cmdiocbq = lpfc_sli_iocbq_lookup(phba, pring, + &rspiocbq); ++ spin_lock_irqsave(&phba->hbalock, iflag); + if (unlikely(!cmdiocbq)) + break; + if (cmdiocbq->iocb_flag & LPFC_DRIVER_ABORTED) +@@ -3604,9 +3624,12 @@ lpfc_sli_sp_handle_rspiocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + + case LPFC_ABORT_IOCB: + cmdiocbp = NULL; +- if (irsp->ulpCommand != CMD_XRI_ABORTED_CX) ++ if (irsp->ulpCommand != CMD_XRI_ABORTED_CX) { ++ spin_unlock_irqrestore(&phba->hbalock, iflag); + cmdiocbp = lpfc_sli_iocbq_lookup(phba, pring, + saveq); ++ spin_lock_irqsave(&phba->hbalock, iflag); ++ } + if (cmdiocbp) { + /* Call the specified completion routine */ + if (cmdiocbp->iocb_cmpl) { +@@ -13070,13 +13093,11 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lpfc_hba *phba, + return NULL; + + wcqe = &irspiocbq->cq_event.cqe.wcqe_cmpl; +- spin_lock_irqsave(&pring->ring_lock, iflags); + pring->stats.iocb_event++; + /* Look up the ELS command IOCB and create pseudo response IOCB */ + cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring, + bf_get(lpfc_wcqe_c_request_tag, wcqe)); + if (unlikely(!cmdiocbq)) { +- spin_unlock_irqrestore(&pring->ring_lock, iflags); + lpfc_printf_log(phba, KERN_WARNING, LOG_SLI, + "0386 ELS complete with no corresponding " + "cmdiocb: 0x%x 0x%x 0x%x 0x%x\n", +@@ -13086,6 +13107,7 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lpfc_hba *phba, + return NULL; + } + ++ spin_lock_irqsave(&pring->ring_lock, iflags); + /* Put the iocb back on the txcmplq */ + lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq); + spin_unlock_irqrestore(&pring->ring_lock, iflags); +@@ -13856,9 +13878,9 @@ lpfc_sli4_fp_handle_fcp_wcqe(struct lpfc_hba *phba, struct lpfc_queue *cq, + /* Look up the FCP command IOCB and create pseudo response IOCB */ + spin_lock_irqsave(&pring->ring_lock, iflags); + pring->stats.iocb_event++; ++ spin_unlock_irqrestore(&pring->ring_lock, iflags); + cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring, + bf_get(lpfc_wcqe_c_request_tag, wcqe)); +- spin_unlock_irqrestore(&pring->ring_lock, iflags); + if (unlikely(!cmdiocbq)) { + lpfc_printf_log(phba, KERN_WARNING, LOG_SLI, + "0374 FCP complete with no corresponding " +-- +2.20.1 + diff --git a/queue-5.1/scsi-myrs-fix-uninitialized-variable.patch b/queue-5.1/scsi-myrs-fix-uninitialized-variable.patch new file mode 100644 index 00000000000..3f0408cfab0 --- /dev/null +++ b/queue-5.1/scsi-myrs-fix-uninitialized-variable.patch @@ -0,0 +1,39 @@ +From cf93ad1324675537b092a0d006572c1e137c5f38 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 9 May 2019 23:22:47 +0800 +Subject: scsi: myrs: Fix uninitialized variable + +[ Upstream commit 41552199b5518fe26bee0829a28dd1880441b430 ] + +drivers/scsi/myrs.c: In function 'myrs_log_event': +drivers/scsi/myrs.c:821:24: warning: 'sshdr.sense_key' may be used uninitialized in this function [-Wmaybe-uninitialized] + struct scsi_sense_hdr sshdr; + +If ev->ev_code is not 0x1C, sshdr.sense_key may be used uninitialized. Fix +this by initializing variable 'sshdr' to 0. + +Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)") +Signed-off-by: YueHaibing +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/myrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c +index b8d54ef8cf6d..eb0dd566330a 100644 +--- a/drivers/scsi/myrs.c ++++ b/drivers/scsi/myrs.c +@@ -818,7 +818,7 @@ static void myrs_log_event(struct myrs_hba *cs, struct myrs_event *ev) + unsigned char ev_type, *ev_msg; + struct Scsi_Host *shost = cs->host; + struct scsi_device *sdev; +- struct scsi_sense_hdr sshdr; ++ struct scsi_sense_hdr sshdr = {0}; + unsigned char sense_info[4]; + unsigned char cmd_specific[4]; + +-- +2.20.1 + diff --git a/queue-5.1/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch b/queue-5.1/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch new file mode 100644 index 00000000000..d92abee8b6d --- /dev/null +++ b/queue-5.1/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch @@ -0,0 +1,167 @@ +From 1c3122db53825b4f335d77d9eefe54ed88bf9007 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 20 Apr 2019 12:05:54 +0800 +Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead + +[ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ] + +KASAN reports this: + +BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi] +Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429 + +CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + print_address_description+0x1c4/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + memcpy+0x1f/0x50 mm/kasan/common.c:130 + qedi_dbg_err+0xda/0x330 [qedi] + ? 0xffffffffc12d0000 + qedi_init+0x118/0x1000 [qedi] + ? 0xffffffffc12d0000 + ? 0xffffffffc12d0000 + ? 0xffffffffc12d0000 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003 +RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc +R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 + +The buggy address belongs to the variable: + __func__.67584+0x0/0xffffffffffffd520 [qedi] + +Memory state around the buggy address: + ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa + ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa +> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa + ^ + ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa + ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa + +Currently the qedi_dbg_* family of functions can overrun the end of the +source string if it is less than the destination buffer length because of +the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc +and just use func instead as it is always a null terminated string. + +Reported-by: Hulk Robot +Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") +Signed-off-by: YueHaibing +Reviewed-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------ + 1 file changed, 8 insertions(+), 24 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c +index 8fd28b056f73..3383314a3882 100644 +--- a/drivers/scsi/qedi/qedi_dbg.c ++++ b/drivers/scsi/qedi/qedi_dbg.c +@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + va_end(va); + } +@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + va_end(va); +@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_notice("[%s]:[%s:%d]:%d: %pV", +- dev_name(&qedi->pdev->dev), nfunc, line, ++ dev_name(&qedi->pdev->dev), func, line, + qedi->host_no, &vaf); + else +- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + va_end(va); +@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + va_end(va); +-- +2.20.1 + diff --git a/queue-5.1/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch b/queue-5.1/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch new file mode 100644 index 00000000000..6e780da6a8e --- /dev/null +++ b/queue-5.1/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch @@ -0,0 +1,48 @@ +From a4d4c4b3241def444cc45f573d3d912c81053e21 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 24 Apr 2019 16:02:56 +0800 +Subject: scsi: qedi: remove set but not used variables 'cdev' and 'udev' + +[ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect': +drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable] +drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable] + +These have never been used since introduction. + +Signed-off-by: YueHaibing +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_iscsi.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index bf371e7b957d..c3d0d246df14 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -809,8 +809,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr, + struct qedi_endpoint *qedi_ep; + struct sockaddr_in *addr; + struct sockaddr_in6 *addr6; +- struct qed_dev *cdev = NULL; +- struct qedi_uio_dev *udev = NULL; + struct iscsi_path path_req; + u32 msg_type = ISCSI_KEVENT_IF_DOWN; + u32 iscsi_cid = QEDI_CID_RESERVED; +@@ -830,8 +828,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr, + } + + qedi = iscsi_host_priv(shost); +- cdev = qedi->cdev; +- udev = qedi->udev; + + if (test_bit(QEDI_IN_OFFLINE, &qedi->flags) || + test_bit(QEDI_IN_RECOVERY, &qedi->flags)) { +-- +2.20.1 + diff --git a/queue-5.1/scsi-qla2xxx-add-cleanup-for-pci-eeh-recovery.patch b/queue-5.1/scsi-qla2xxx-add-cleanup-for-pci-eeh-recovery.patch new file mode 100644 index 00000000000..b039ddff8b2 --- /dev/null +++ b/queue-5.1/scsi-qla2xxx-add-cleanup-for-pci-eeh-recovery.patch @@ -0,0 +1,304 @@ +From 4c6dac87cc65532fcc5d4ada82aaa7bfb3f582fc Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Mon, 6 May 2019 13:52:19 -0700 +Subject: scsi: qla2xxx: Add cleanup for PCI EEH recovery + +[ Upstream commit 5386a4e6c7fecd282d265a24d930a74ba3c5917b ] + +During EEH error recovery testing it was discovered that driver's reset() +callback partially frees resources used by driver, leaving some stale +memory. After reset() is done and when resume() callback in driver uses +old data which results into error leaving adapter disabled due to PCIe +error. + +This patch does cleanup for EEH recovery code path and prevents adapter +from getting disabled. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Reviewed-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 221 +++++++++++++--------------------- + 1 file changed, 82 insertions(+), 139 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 91f576d743fe..d377e50a6c19 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -6838,6 +6838,78 @@ qla2x00_release_firmware(void) + mutex_unlock(&qla_fw_lock); + } + ++static void qla_pci_error_cleanup(scsi_qla_host_t *vha) ++{ ++ struct qla_hw_data *ha = vha->hw; ++ scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev); ++ struct qla_qpair *qpair = NULL; ++ struct scsi_qla_host *vp; ++ fc_port_t *fcport; ++ int i; ++ unsigned long flags; ++ ++ ha->chip_reset++; ++ ++ ha->base_qpair->chip_reset = ha->chip_reset; ++ for (i = 0; i < ha->max_qpairs; i++) { ++ if (ha->queue_pair_map[i]) ++ ha->queue_pair_map[i]->chip_reset = ++ ha->base_qpair->chip_reset; ++ } ++ ++ /* purge MBox commands */ ++ if (atomic_read(&ha->num_pend_mbx_stage3)) { ++ clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags); ++ complete(&ha->mbx_intr_comp); ++ } ++ ++ i = 0; ++ ++ while (atomic_read(&ha->num_pend_mbx_stage3) || ++ atomic_read(&ha->num_pend_mbx_stage2) || ++ atomic_read(&ha->num_pend_mbx_stage1)) { ++ msleep(20); ++ i++; ++ if (i > 50) ++ break; ++ } ++ ++ ha->flags.purge_mbox = 0; ++ ++ mutex_lock(&ha->mq_lock); ++ list_for_each_entry(qpair, &base_vha->qp_list, qp_list_elem) ++ qpair->online = 0; ++ mutex_unlock(&ha->mq_lock); ++ ++ qla2x00_mark_all_devices_lost(vha, 0); ++ ++ spin_lock_irqsave(&ha->vport_slock, flags); ++ list_for_each_entry(vp, &ha->vp_list, list) { ++ atomic_inc(&vp->vref_count); ++ spin_unlock_irqrestore(&ha->vport_slock, flags); ++ qla2x00_mark_all_devices_lost(vp, 0); ++ spin_lock_irqsave(&ha->vport_slock, flags); ++ atomic_dec(&vp->vref_count); ++ } ++ spin_unlock_irqrestore(&ha->vport_slock, flags); ++ ++ /* Clear all async request states across all VPs. */ ++ list_for_each_entry(fcport, &vha->vp_fcports, list) ++ fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT); ++ ++ spin_lock_irqsave(&ha->vport_slock, flags); ++ list_for_each_entry(vp, &ha->vp_list, list) { ++ atomic_inc(&vp->vref_count); ++ spin_unlock_irqrestore(&ha->vport_slock, flags); ++ list_for_each_entry(fcport, &vp->vp_fcports, list) ++ fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT); ++ spin_lock_irqsave(&ha->vport_slock, flags); ++ atomic_dec(&vp->vref_count); ++ } ++ spin_unlock_irqrestore(&ha->vport_slock, flags); ++} ++ ++ + static pci_ers_result_t + qla2xxx_pci_error_detected(struct pci_dev *pdev, pci_channel_state_t state) + { +@@ -6863,20 +6935,7 @@ qla2xxx_pci_error_detected(struct pci_dev *pdev, pci_channel_state_t state) + return PCI_ERS_RESULT_CAN_RECOVER; + case pci_channel_io_frozen: + ha->flags.eeh_busy = 1; +- /* For ISP82XX complete any pending mailbox cmd */ +- if (IS_QLA82XX(ha)) { +- ha->flags.isp82xx_fw_hung = 1; +- ql_dbg(ql_dbg_aer, vha, 0x9001, "Pci channel io frozen\n"); +- qla82xx_clear_pending_mbx(vha); +- } +- qla2x00_free_irqs(vha); +- pci_disable_device(pdev); +- /* Return back all IOs */ +- qla2x00_abort_all_cmds(vha, DID_RESET << 16); +- if (ql2xmqsupport || ql2xnvmeenable) { +- set_bit(QPAIR_ONLINE_CHECK_NEEDED, &vha->dpc_flags); +- qla2xxx_wake_dpc(vha); +- } ++ qla_pci_error_cleanup(vha); + return PCI_ERS_RESULT_NEED_RESET; + case pci_channel_io_perm_failure: + ha->flags.pci_channel_io_perm_failure = 1; +@@ -6930,122 +6989,14 @@ qla2xxx_pci_mmio_enabled(struct pci_dev *pdev) + return PCI_ERS_RESULT_RECOVERED; + } + +-static uint32_t +-qla82xx_error_recovery(scsi_qla_host_t *base_vha) +-{ +- uint32_t rval = QLA_FUNCTION_FAILED; +- uint32_t drv_active = 0; +- struct qla_hw_data *ha = base_vha->hw; +- int fn; +- struct pci_dev *other_pdev = NULL; +- +- ql_dbg(ql_dbg_aer, base_vha, 0x9006, +- "Entered %s.\n", __func__); +- +- set_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags); +- +- if (base_vha->flags.online) { +- /* Abort all outstanding commands, +- * so as to be requeued later */ +- qla2x00_abort_isp_cleanup(base_vha); +- } +- +- +- fn = PCI_FUNC(ha->pdev->devfn); +- while (fn > 0) { +- fn--; +- ql_dbg(ql_dbg_aer, base_vha, 0x9007, +- "Finding pci device at function = 0x%x.\n", fn); +- other_pdev = +- pci_get_domain_bus_and_slot(pci_domain_nr(ha->pdev->bus), +- ha->pdev->bus->number, PCI_DEVFN(PCI_SLOT(ha->pdev->devfn), +- fn)); +- +- if (!other_pdev) +- continue; +- if (atomic_read(&other_pdev->enable_cnt)) { +- ql_dbg(ql_dbg_aer, base_vha, 0x9008, +- "Found PCI func available and enable at 0x%x.\n", +- fn); +- pci_dev_put(other_pdev); +- break; +- } +- pci_dev_put(other_pdev); +- } +- +- if (!fn) { +- /* Reset owner */ +- ql_dbg(ql_dbg_aer, base_vha, 0x9009, +- "This devfn is reset owner = 0x%x.\n", +- ha->pdev->devfn); +- qla82xx_idc_lock(ha); +- +- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE, +- QLA8XXX_DEV_INITIALIZING); +- +- qla82xx_wr_32(ha, QLA82XX_CRB_DRV_IDC_VERSION, +- QLA82XX_IDC_VERSION); +- +- drv_active = qla82xx_rd_32(ha, QLA82XX_CRB_DRV_ACTIVE); +- ql_dbg(ql_dbg_aer, base_vha, 0x900a, +- "drv_active = 0x%x.\n", drv_active); +- +- qla82xx_idc_unlock(ha); +- /* Reset if device is not already reset +- * drv_active would be 0 if a reset has already been done +- */ +- if (drv_active) +- rval = qla82xx_start_firmware(base_vha); +- else +- rval = QLA_SUCCESS; +- qla82xx_idc_lock(ha); +- +- if (rval != QLA_SUCCESS) { +- ql_log(ql_log_info, base_vha, 0x900b, +- "HW State: FAILED.\n"); +- qla82xx_clear_drv_active(ha); +- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE, +- QLA8XXX_DEV_FAILED); +- } else { +- ql_log(ql_log_info, base_vha, 0x900c, +- "HW State: READY.\n"); +- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE, +- QLA8XXX_DEV_READY); +- qla82xx_idc_unlock(ha); +- ha->flags.isp82xx_fw_hung = 0; +- rval = qla82xx_restart_isp(base_vha); +- qla82xx_idc_lock(ha); +- /* Clear driver state register */ +- qla82xx_wr_32(ha, QLA82XX_CRB_DRV_STATE, 0); +- qla82xx_set_drv_active(base_vha); +- } +- qla82xx_idc_unlock(ha); +- } else { +- ql_dbg(ql_dbg_aer, base_vha, 0x900d, +- "This devfn is not reset owner = 0x%x.\n", +- ha->pdev->devfn); +- if ((qla82xx_rd_32(ha, QLA82XX_CRB_DEV_STATE) == +- QLA8XXX_DEV_READY)) { +- ha->flags.isp82xx_fw_hung = 0; +- rval = qla82xx_restart_isp(base_vha); +- qla82xx_idc_lock(ha); +- qla82xx_set_drv_active(base_vha); +- qla82xx_idc_unlock(ha); +- } +- } +- clear_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags); +- +- return rval; +-} +- + static pci_ers_result_t + qla2xxx_pci_slot_reset(struct pci_dev *pdev) + { + pci_ers_result_t ret = PCI_ERS_RESULT_DISCONNECT; + scsi_qla_host_t *base_vha = pci_get_drvdata(pdev); + struct qla_hw_data *ha = base_vha->hw; +- struct rsp_que *rsp; +- int rc, retries = 10; ++ int rc; ++ struct qla_qpair *qpair = NULL; + + ql_dbg(ql_dbg_aer, base_vha, 0x9004, + "Slot Reset.\n"); +@@ -7074,24 +7025,16 @@ qla2xxx_pci_slot_reset(struct pci_dev *pdev) + goto exit_slot_reset; + } + +- rsp = ha->rsp_q_map[0]; +- if (qla2x00_request_irqs(ha, rsp)) +- goto exit_slot_reset; + + if (ha->isp_ops->pci_config(base_vha)) + goto exit_slot_reset; + +- if (IS_QLA82XX(ha)) { +- if (qla82xx_error_recovery(base_vha) == QLA_SUCCESS) { +- ret = PCI_ERS_RESULT_RECOVERED; +- goto exit_slot_reset; +- } else +- goto exit_slot_reset; +- } +- +- while (ha->flags.mbox_busy && retries--) +- msleep(1000); ++ mutex_lock(&ha->mq_lock); ++ list_for_each_entry(qpair, &base_vha->qp_list, qp_list_elem) ++ qpair->online = 1; ++ mutex_unlock(&ha->mq_lock); + ++ base_vha->flags.online = 1; + set_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags); + if (ha->isp_ops->abort_isp(base_vha) == QLA_SUCCESS) + ret = PCI_ERS_RESULT_RECOVERED; +@@ -7115,13 +7058,13 @@ qla2xxx_pci_resume(struct pci_dev *pdev) + ql_dbg(ql_dbg_aer, base_vha, 0x900f, + "pci_resume.\n"); + ++ ha->flags.eeh_busy = 0; ++ + ret = qla2x00_wait_for_hba_online(base_vha); + if (ret != QLA_SUCCESS) { + ql_log(ql_log_fatal, base_vha, 0x9002, + "The device failed to resume I/O from slot/link_reset.\n"); + } +- +- ha->flags.eeh_busy = 0; + } + + static void +-- +2.20.1 + diff --git a/queue-5.1/selftests-bpf-fix-bpf_get_current_task.patch b/queue-5.1/selftests-bpf-fix-bpf_get_current_task.patch new file mode 100644 index 00000000000..20f4b653183 --- /dev/null +++ b/queue-5.1/selftests-bpf-fix-bpf_get_current_task.patch @@ -0,0 +1,33 @@ +From 4c96d4b936cfe8f5d89f883794c8fc204b4fce45 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Thu, 16 May 2019 21:34:11 -0700 +Subject: selftests/bpf: fix bpf_get_current_task + +[ Upstream commit 7ed4b4e60bb1dd3df7a45dfbde3a96efce9df7eb ] + +Fix bpf_get_current_task() declaration. + +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/bpf_helpers.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h +index c81fc350f7ad..a43a52cdd3f0 100644 +--- a/tools/testing/selftests/bpf/bpf_helpers.h ++++ b/tools/testing/selftests/bpf/bpf_helpers.h +@@ -246,7 +246,7 @@ static int (*bpf_skb_change_type)(void *ctx, __u32 type) = + (void *) BPF_FUNC_skb_change_type; + static unsigned int (*bpf_get_hash_recalc)(void *ctx) = + (void *) BPF_FUNC_get_hash_recalc; +-static unsigned long long (*bpf_get_current_task)(void *ctx) = ++static unsigned long long (*bpf_get_current_task)(void) = + (void *) BPF_FUNC_get_current_task; + static int (*bpf_skb_change_tail)(void *ctx, __u32 len, __u64 flags) = + (void *) BPF_FUNC_skb_change_tail; +-- +2.20.1 + diff --git a/queue-5.1/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch b/queue-5.1/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch new file mode 100644 index 00000000000..f19a14acfa5 --- /dev/null +++ b/queue-5.1/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch @@ -0,0 +1,35 @@ +From 952a7736b64286c32588b0285e38f328ca39dac8 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Mon, 20 May 2019 12:36:54 +0800 +Subject: selftests: fib_rule_tests: fix local IPv4 address typo + +[ Upstream commit fc82d93e57e3d41f79eff19031588b262fc3d0b6 ] + +The IPv4 testing address are all in 192.51.100.0 subnet. It doesn't make +sense to set a 198.51.100.1 local address. Should be a typo. + +Fixes: 65b2b4939a64 ("selftests: net: initial fib rule tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_rule_tests.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh +index 4b7e107865bf..1ba069967fa2 100755 +--- a/tools/testing/selftests/net/fib_rule_tests.sh ++++ b/tools/testing/selftests/net/fib_rule_tests.sh +@@ -55,7 +55,7 @@ setup() + + $IP link add dummy0 type dummy + $IP link set dev dummy0 up +- $IP address add 198.51.100.1/24 dev dummy0 ++ $IP address add 192.51.100.1/24 dev dummy0 + $IP -6 address add 2001:db8:1::1/64 dev dummy0 + + set +e +-- +2.20.1 + diff --git a/queue-5.1/selftests-timers-add-missing-fflush-stdout-calls.patch b/queue-5.1/selftests-timers-add-missing-fflush-stdout-calls.patch new file mode 100644 index 00000000000..c07ee1b5d9b --- /dev/null +++ b/queue-5.1/selftests-timers-add-missing-fflush-stdout-calls.patch @@ -0,0 +1,167 @@ +From 439e124aa2e7b24c23590e600373379e525ff81c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 20 May 2019 15:37:49 -0700 +Subject: selftests/timers: Add missing fflush(stdout) calls + +[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ] + +When running under a pipe, some timer tests would not report output in +real-time because stdout flushes were missing after printf()s that lacked +a newline. This adds them to restore real-time status output that humans +can enjoy. + +Signed-off-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/timers/adjtick.c | 1 + + tools/testing/selftests/timers/leapcrash.c | 1 + + tools/testing/selftests/timers/mqueue-lat.c | 1 + + tools/testing/selftests/timers/nanosleep.c | 1 + + tools/testing/selftests/timers/nsleep-lat.c | 1 + + tools/testing/selftests/timers/raw_skew.c | 1 + + tools/testing/selftests/timers/set-tai.c | 1 + + tools/testing/selftests/timers/set-tz.c | 2 ++ + tools/testing/selftests/timers/threadtest.c | 1 + + tools/testing/selftests/timers/valid-adjtimex.c | 2 ++ + 10 files changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c +index 0caca3a06bd2..54d8d87f36b3 100644 +--- a/tools/testing/selftests/timers/adjtick.c ++++ b/tools/testing/selftests/timers/adjtick.c +@@ -136,6 +136,7 @@ int check_tick_adj(long tickval) + + eppm = get_ppm_drift(); + printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm); ++ fflush(stdout); + + tx1.modes = 0; + adjtimex(&tx1); +diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c +index 830c462f605d..dc80728ed191 100644 +--- a/tools/testing/selftests/timers/leapcrash.c ++++ b/tools/testing/selftests/timers/leapcrash.c +@@ -101,6 +101,7 @@ int main(void) + } + clear_time_state(); + printf("."); ++ fflush(stdout); + } + printf("[OK]\n"); + return ksft_exit_pass(); +diff --git a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c +index 1867db5d6f5e..7916cf5cc6ff 100644 +--- a/tools/testing/selftests/timers/mqueue-lat.c ++++ b/tools/testing/selftests/timers/mqueue-lat.c +@@ -102,6 +102,7 @@ int main(int argc, char **argv) + int ret; + + printf("Mqueue latency : "); ++ fflush(stdout); + + ret = mqueue_lat_test(); + if (ret < 0) { +diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c +index 8adb0bb51d4d..71b5441c2fd9 100644 +--- a/tools/testing/selftests/timers/nanosleep.c ++++ b/tools/testing/selftests/timers/nanosleep.c +@@ -142,6 +142,7 @@ int main(int argc, char **argv) + continue; + + printf("Nanosleep %-31s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c +index c3c3dc10db17..eb3e79ed7b4a 100644 +--- a/tools/testing/selftests/timers/nsleep-lat.c ++++ b/tools/testing/selftests/timers/nsleep-lat.c +@@ -155,6 +155,7 @@ int main(int argc, char **argv) + continue; + + printf("nsleep latency %-26s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c +index dcf73c5dab6e..b41d8dd0c40c 100644 +--- a/tools/testing/selftests/timers/raw_skew.c ++++ b/tools/testing/selftests/timers/raw_skew.c +@@ -112,6 +112,7 @@ int main(int argv, char **argc) + printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n"); + + printf("Estimating clock drift: "); ++ fflush(stdout); + sleep(120); + + get_monotonic_and_raw(&mon, &raw); +diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c +index 70fed27d8fd3..8c4179ee2ca2 100644 +--- a/tools/testing/selftests/timers/set-tai.c ++++ b/tools/testing/selftests/timers/set-tai.c +@@ -55,6 +55,7 @@ int main(int argc, char **argv) + printf("tai offset started at %i\n", ret); + + printf("Checking tai offsets can be properly set: "); ++ fflush(stdout); + for (i = 1; i <= 60; i++) { + ret = set_tai(i); + ret = get_tai(); +diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c +index 877fd5532fee..62bd33eb16f0 100644 +--- a/tools/testing/selftests/timers/set-tz.c ++++ b/tools/testing/selftests/timers/set-tz.c +@@ -65,6 +65,7 @@ int main(int argc, char **argv) + printf("tz_minuteswest started at %i, dst at %i\n", min, dst); + + printf("Checking tz_minuteswest can be properly set: "); ++ fflush(stdout); + for (i = -15*60; i < 15*60; i += 30) { + ret = set_tz(i, dst); + ret = get_tz_min(); +@@ -76,6 +77,7 @@ int main(int argc, char **argv) + printf("[OK]\n"); + + printf("Checking invalid tz_minuteswest values are caught: "); ++ fflush(stdout); + + if (!set_tz(-15*60-1, dst)) { + printf("[FAILED] %i didn't return failure!\n", -15*60-1); +diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c +index 759c9c06f1a0..cf3e48919874 100644 +--- a/tools/testing/selftests/timers/threadtest.c ++++ b/tools/testing/selftests/timers/threadtest.c +@@ -163,6 +163,7 @@ int main(int argc, char **argv) + strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start)); + printf("%s\n", buf); + printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime); ++ fflush(stdout); + + /* spawn */ + for (i = 0; i < thread_count; i++) +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index d9d3ab93b31a..5397de708d3c 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -123,6 +123,7 @@ int validate_freq(void) + /* Set the leap second insert flag */ + + printf("Testing ADJ_FREQ... "); ++ fflush(stdout); + for (i = 0; i < NUM_FREQ_VALID; i++) { + tx.modes = ADJ_FREQUENCY; + tx.freq = valid_freq[i]; +@@ -250,6 +251,7 @@ int set_bad_offset(long sec, long usec, int use_nano) + int validate_set_offset(void) + { + printf("Testing ADJ_SETOFFSET... "); ++ fflush(stdout); + + /* Test valid values */ + if (set_offset(NSEC_PER_SEC - 1, 1)) +-- +2.20.1 + diff --git a/queue-5.1/series b/queue-5.1/series index 682e8d8d0ad..fb1f909338c 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -39,3 +39,56 @@ drm-i915-sdvo-implement-proper-hdmi-audio-support-for-sdvo.patch drm-i915-dsi-use-a-fuzzy-check-for-burst-mode-clock-check.patch drm-i915-fix-per-pixel-alpha-with-ccs.patch drm-i915-dmc-protect-against-reading-random-memory.patch +x86-uaccess-kcov-disable-stack-protector.patch +alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch +alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch +revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch +drivers-misc-fix-out-of-bounds-access-in-function-pa.patch +f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch +drivers-perf-arm_spe-don-t-error-on-high-order-pages.patch +bpf-sockmap-only-stop-flush-strp-if-it-was-enabled-a.patch +bpf-sockmap-remove-duplicate-queue-free.patch +bpf-sockmap-fix-msg-sg.size-account-on-ingress-skb.patch +scsi-qla2xxx-add-cleanup-for-pci-eeh-recovery.patch +scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch +scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch +scsi-lpfc-resolve-lockdep-warnings.patch +scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch +scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch +arm64-print-physical-address-of-page-table-base-in-s.patch +net-macb-fix-error-format-in-dev_err.patch +enetc-fix-null-dma-address-unmap-for-tx-bd-extension.patch +bpf-tcp-correctly-handle-dont_wait-flags-and-timeo-0.patch +arm64-mm-inhibit-huge-vmap-with-ptdump.patch +tools-bpftool-move-set_max_rlimit-before-__bpf_objec.patch +selftests-bpf-fix-bpf_get_current_task.patch +nvme-pci-fix-controller-freeze-wait-disabling.patch +nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch +nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch +nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch +nvme-release-namespace-srcu-protection-before-perfor.patch +nvme-fix-memory-leak-for-power-latency-tolerance.patch +platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch +platform-x86-pmc_atom-add-several-beckhoff-automatio.patch +scsi-myrs-fix-uninitialized-variable.patch +scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch +drm-amdgpu-keep-stolen-memory-on-picasso.patch +libnvdimm-fix-compilation-warnings-with-w-1.patch +selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch +selftests-timers-add-missing-fflush-stdout-calls.patch +tracing-prevent-hist_field_var_ref-from-accessing-nu.patch +usbnet-ipheth-fix-racing-condition.patch +nvme-pci-use-blk-mq-mapping-for-unmanaged-irqs.patch +tools-io_uring-fix-makefile-for-pthread-library-link.patch +kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch +kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch +kvm-selftests-fix-a-condition-in-test_hv_cpuid.patch +kvm-vmx-fix-wmissing-prototypes-warnings.patch +kvm-lapic-fix-lapic_timer_advance_ns-parameter-overf.patch +kvm-x86-do-not-spam-dmesg-with-vmcs-vmcb-dumps.patch +kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch +kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch +kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch +kvm-selftests-aarch64-dirty_log_test-fix-unaligned-m.patch +kvm-selftests-aarch64-fix-default-vm-mode.patch +tools-kvm_stat-fix-fields-filter-for-child-events.patch diff --git a/queue-5.1/tools-bpftool-move-set_max_rlimit-before-__bpf_objec.patch b/queue-5.1/tools-bpftool-move-set_max_rlimit-before-__bpf_objec.patch new file mode 100644 index 00000000000..2ab91a72cc8 --- /dev/null +++ b/queue-5.1/tools-bpftool-move-set_max_rlimit-before-__bpf_objec.patch @@ -0,0 +1,58 @@ +From b9f2becf900b7cf3e9e361263701af44c87ccd50 Mon Sep 17 00:00:00 2001 +From: Yonghong Song +Date: Thu, 16 May 2019 10:17:31 -0700 +Subject: tools/bpftool: move set_max_rlimit() before + __bpf_object__open_xattr() + +[ Upstream commit ac4e0e055fee5751c78bba1fc9ce508a6874d916 ] + +For a host which has a lower rlimit for max locked memory (e.g., 64KB), +the following error occurs in one of our production systems: + # /usr/sbin/bpftool prog load /paragon/pods/52877437/home/mark.o \ + /sys/fs/bpf/paragon_mark_21 type cgroup/skb \ + map idx 0 pinned /sys/fs/bpf/paragon_map_21 + libbpf: Error in bpf_object__probe_name():Operation not permitted(1). + Couldn't load basic 'r0 = 0' BPF program. + Error: failed to open object file + +The reason is due to low locked memory during bpf_object__probe_name() +which probes whether program name is supported in kernel or not +during __bpf_object__open_xattr(). + +bpftool program load already tries to relax mlock rlimit before +bpf_object__load(). Let us move set_max_rlimit() before +__bpf_object__open_xattr(), which fixed the issue here. + +Fixes: 47eff61777c7 ("bpf, libbpf: introduce bpf_object__probe_caps to test BPF capabilities") +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index d2be5a06c339..ed8ef5c82256 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -873,6 +873,8 @@ static int load_with_options(int argc, char **argv, bool first_prog_only) + } + } + ++ set_max_rlimit(); ++ + obj = __bpf_object__open_xattr(&attr, bpf_flags); + if (IS_ERR_OR_NULL(obj)) { + p_err("failed to open object file"); +@@ -952,8 +954,6 @@ static int load_with_options(int argc, char **argv, bool first_prog_only) + goto err_close_obj; + } + +- set_max_rlimit(); +- + err = bpf_object__load(obj); + if (err) { + p_err("failed to load object file"); +-- +2.20.1 + diff --git a/queue-5.1/tools-io_uring-fix-makefile-for-pthread-library-link.patch b/queue-5.1/tools-io_uring-fix-makefile-for-pthread-library-link.patch new file mode 100644 index 00000000000..dd0f8e44938 --- /dev/null +++ b/queue-5.1/tools-io_uring-fix-makefile-for-pthread-library-link.patch @@ -0,0 +1,40 @@ +From d53db702cd7a685e0b224bd54e0a43ff6e200739 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 22 May 2019 08:47:54 -0600 +Subject: tools/io_uring: fix Makefile for pthread library link + +[ Upstream commit 486f069253c3c738dec62daeb16f7232b2cca065 ] + +Currently fails with: + +io_uring-bench.o: In function `main': +/home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:560: undefined reference to `pthread_create' +/home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:588: undefined reference to `pthread_join' +collect2: error: ld returned 1 exit status +Makefile:11: recipe for target 'io_uring-bench' failed +make: *** [io_uring-bench] Error 1 + +Move -lpthread to the end. + +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + tools/io_uring/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/io_uring/Makefile b/tools/io_uring/Makefile +index f79522fc37b5..00f146c54c53 100644 +--- a/tools/io_uring/Makefile ++++ b/tools/io_uring/Makefile +@@ -8,7 +8,7 @@ all: io_uring-cp io_uring-bench + $(CC) $(CFLAGS) -o $@ $^ + + io_uring-bench: syscall.o io_uring-bench.o +- $(CC) $(CFLAGS) $(LDLIBS) -o $@ $^ ++ $(CC) $(CFLAGS) -o $@ $^ $(LDLIBS) + + io_uring-cp: setup.o syscall.o queue.o + +-- +2.20.1 + diff --git a/queue-5.1/tools-kvm_stat-fix-fields-filter-for-child-events.patch b/queue-5.1/tools-kvm_stat-fix-fields-filter-for-child-events.patch new file mode 100644 index 00000000000..20570dd4c7e --- /dev/null +++ b/queue-5.1/tools-kvm_stat-fix-fields-filter-for-child-events.patch @@ -0,0 +1,90 @@ +From fb979946f7556bc5f8ddec9cdb94e8269c6a1895 Mon Sep 17 00:00:00 2001 +From: Stefan Raspl +Date: Sun, 21 Apr 2019 15:26:24 +0200 +Subject: tools/kvm_stat: fix fields filter for child events + +[ Upstream commit 883d25e70b2f699fed9017e509d1ef8e36229b89 ] + +The fields filter would not work with child fields, as the respective +parents would not be included. No parents displayed == no childs displayed. +To reproduce, run on s390 (would work on other platforms, too, but would +require a different filter name): +- Run 'kvm_stat -d' +- Press 'f' +- Enter 'instruct' +Notice that events like instruction_diag_44 or instruction_diag_500 are not +displayed - the output remains empty. +With this patch, we will filter by matching events and their parents. +However, consider the following example where we filter by +instruction_diag_44: + + kvm statistics - summary + regex filter: instruction_diag_44 + Event Total %Total CurAvg/s + exit_instruction 276 100.0 12 + instruction_diag_44 256 92.8 11 + Total 276 12 + +Note that the parent ('exit_instruction') displays the total events, but +the childs listed do not match its total (256 instead of 276). This is +intended (since we're filtering all but one child), but might be confusing +on first sight. + +Signed-off-by: Stefan Raspl +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/kvm/kvm_stat/kvm_stat | 16 ++++++++++++---- + tools/kvm/kvm_stat/kvm_stat.txt | 2 ++ + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat +index 2ed395b817cb..bc508dae286c 100755 +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -575,8 +575,12 @@ class TracepointProvider(Provider): + def update_fields(self, fields_filter): + """Refresh fields, applying fields_filter""" + self.fields = [field for field in self._get_available_fields() +- if self.is_field_wanted(fields_filter, field) or +- ARCH.tracepoint_is_child(field)] ++ if self.is_field_wanted(fields_filter, field)] ++ # add parents for child fields - otherwise we won't see any output! ++ for field in self._fields: ++ parent = ARCH.tracepoint_is_child(field) ++ if (parent and parent not in self._fields): ++ self.fields.append(parent) + + @staticmethod + def _get_online_cpus(): +@@ -735,8 +739,12 @@ class DebugfsProvider(Provider): + def update_fields(self, fields_filter): + """Refresh fields, applying fields_filter""" + self._fields = [field for field in self._get_available_fields() +- if self.is_field_wanted(fields_filter, field) or +- ARCH.debugfs_is_child(field)] ++ if self.is_field_wanted(fields_filter, field)] ++ # add parents for child fields - otherwise we won't see any output! ++ for field in self._fields: ++ parent = ARCH.debugfs_is_child(field) ++ if (parent and parent not in self._fields): ++ self.fields.append(parent) + + @property + def fields(self): +diff --git a/tools/kvm/kvm_stat/kvm_stat.txt b/tools/kvm/kvm_stat/kvm_stat.txt +index 0811d860fe75..c057ba52364e 100644 +--- a/tools/kvm/kvm_stat/kvm_stat.txt ++++ b/tools/kvm/kvm_stat/kvm_stat.txt +@@ -34,6 +34,8 @@ INTERACTIVE COMMANDS + *c*:: clear filter + + *f*:: filter by regular expression ++ :: *Note*: Child events pull in their parents, and parents' stats summarize ++ all child events, not just the filtered ones + + *g*:: filter by guest name/PID + +-- +2.20.1 + diff --git a/queue-5.1/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch b/queue-5.1/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch new file mode 100644 index 00000000000..c47d807b5e6 --- /dev/null +++ b/queue-5.1/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch @@ -0,0 +1,50 @@ +From 2c12c95ac8d163b2f5d8e74a65a7b29f3ed81bd5 Mon Sep 17 00:00:00 2001 +From: Tom Zanussi +Date: Thu, 18 Apr 2019 10:18:50 -0500 +Subject: tracing: Prevent hist_field_var_ref() from accessing NULL + tracing_map_elts + +[ Upstream commit 55267c88c003a3648567beae7c90512d3e2ab15e ] + +hist_field_var_ref() is an implementation of hist_field_fn_t(), which +can be called with a null tracing_map_elt elt param when assembling a +key in event_hist_trigger(). + +In the case of hist_field_var_ref() this doesn't make sense, because a +variable can only be resolved by looking it up using an already +assembled key i.e. a variable can't be used to assemble a key since +the key is required in order to access the variable. + +Upper layers should prevent the user from constructing a key using a +variable in the first place, but in case one slips through, it +shouldn't cause a NULL pointer dereference. Also if one does slip +through, we want to know about it, so emit a one-time warning in that +case. + +Link: http://lkml.kernel.org/r/64ec8dc15c14d305295b64cdfcc6b2b9dd14753f.1555597045.git.tom.zanussi@linux.intel.com + +Reported-by: Vincent Bernat +Signed-off-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 0a200d42fa96..f50d57eac875 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -1815,6 +1815,9 @@ static u64 hist_field_var_ref(struct hist_field *hist_field, + struct hist_elt_data *elt_data; + u64 var_val = 0; + ++ if (WARN_ON_ONCE(!elt)) ++ return var_val; ++ + elt_data = elt->private_data; + var_val = elt_data->var_ref_vals[hist_field->var_ref_idx]; + +-- +2.20.1 + diff --git a/queue-5.1/usbnet-ipheth-fix-racing-condition.patch b/queue-5.1/usbnet-ipheth-fix-racing-condition.patch new file mode 100644 index 00000000000..1311f01c56c --- /dev/null +++ b/queue-5.1/usbnet-ipheth-fix-racing-condition.patch @@ -0,0 +1,62 @@ +From 4dc3c793a124d09ee873b0b8ecea61f101effe99 Mon Sep 17 00:00:00 2001 +From: Bernd Eckstein <3erndeckstein@gmail.com> +Date: Mon, 20 May 2019 17:31:09 +0200 +Subject: usbnet: ipheth: fix racing condition + +[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ] + +Fix a racing condition in ipheth.c that can lead to slow performance. + +Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback +ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called. +When this happens, the queue is stopped longer than it needs to be, +thus reducing network performance. + +Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order +is always correct. In case, usb_submit_urb() fails, the queue is woken up +again as callback will not fire. + +Testing: This racing condition is usually not noticeable, as it has to +occur very frequently to slowdown the network. The callback from the USB +is usually triggered slow enough, so the situation does not appear. +However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10, +the we loose the race quite often and the following speedup can be noticed: + +Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s +With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s + +Signed-off-by: Oliver Zweigle +Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ipheth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index 3d8a70d3ea9b..3d71f1716390 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net) + dev); + dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + ++ netif_stop_queue(net); + retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC); + if (retval) { + dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n", + __func__, retval); + dev->net->stats.tx_errors++; + dev_kfree_skb_any(skb); ++ netif_wake_queue(net); + } else { + dev->net->stats.tx_packets++; + dev->net->stats.tx_bytes += skb->len; + dev_consume_skb_any(skb); +- netif_stop_queue(net); + } + + return NETDEV_TX_OK; +-- +2.20.1 + diff --git a/queue-5.1/x86-uaccess-kcov-disable-stack-protector.patch b/queue-5.1/x86-uaccess-kcov-disable-stack-protector.patch new file mode 100644 index 00000000000..b251a7d0c67 --- /dev/null +++ b/queue-5.1/x86-uaccess-kcov-disable-stack-protector.patch @@ -0,0 +1,42 @@ +From f7f0840a06b69a15ee0848f80062cffd9b00567b Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 7 Mar 2019 19:54:25 +0100 +Subject: x86/uaccess, kcov: Disable stack protector + +[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ] + +New tooling noticed this mishap: + + kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled + kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled + +All the other instrumentation (KASAN,UBSAN) also have stack protector +disabled. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/Makefile b/kernel/Makefile +index 6c57e78817da..62471e75a2b0 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -30,6 +30,7 @@ KCOV_INSTRUMENT_extable.o := n + # Don't self-instrument. + KCOV_INSTRUMENT_kcov.o := n + KASAN_SANITIZE_kcov.o := n ++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) + + # cond_syscall is currently not LTO compatible + CFLAGS_sys_ni.o = $(DISABLE_LTO) +-- +2.20.1 +