From 2289b8c5f5c57f8373d1a9350980760db23c9d0a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 15 Jun 2019 19:17:06 -0400 Subject: [PATCH] fixes for 4.19 
Signed-off-by: Sasha Levin --- ...e-of-get-subscription-call-vs-port-d.patch | 102 ++++++ ...ect-in-kernel-ioctl-calls-with-mutex.patch | 53 +++ ...m64-mm-inhibit-huge-vmap-with-ptdump.patch | 76 ++++ ...-out-of-bounds-access-in-function-pa.patch | 46 +++ ...d-accessing-xattr-across-the-boundar.patch | 154 ++++++++ ...ve-cc-it-checks-under-hyp-s-makefile.patch | 330 ++++++++++++++++++ ...ory-slot-handling-for-kvm_set_user_m.patch | 69 ++++ ...ot-mask-the-value-that-is-written-to.patch | 48 +++ ...-the-result-of-rdpmc-according-to-th.patch | 116 ++++++ ...mm-fix-compilation-warnings-with-w-1.patch | 86 +++++ ...ory-leak-for-power-latency-tolerance.patch | 38 ++ ...cking-on-error-return-in-nvme_get_ns.patch | 55 +++ ...-merge-nvme_ns_ioctl-into-nvme_ioctl.patch | 89 +++++ ...espace-srcu-protection-before-perfor.patch | 73 ++++ ...move-the-ifdef-around-nvme_nvm_ioctl.patch | 36 ++ ..._atom-add-lex-3i380d-industrial-pc-t.patch | 52 +++ ..._atom-add-several-beckhoff-automatio.patch | 59 ++++ ...protect-in-kernel-ioctl-calls-with-m.patch | 50 +++ ...n-fix-strncpy_from_user-kasan-checks.patch | 41 +++ ...incorrect-cast-to-u64-on-shift-opera.patch | 37 ++ ...eck-for-loss-of-ndlp-when-sending-rr.patch | 38 ++ ...t-rcu-unlock-issue-in-lpfc_nvme_info.patch | 122 +++++++ ...-memset-memcpy-to-nfunc-and-use-func.patch | 167 +++++++++ ...-set-but-not-used-variables-cdev-and.patch | 48 +++ ...le_tests-fix-local-ipv4-address-typo.patch | 35 ++ ...mers-add-missing-fflush-stdout-calls.patch | 167 +++++++++ queue-4.19/series | 30 ++ ...t-fix-fields-filter-for-child-events.patch | 90 +++++ ...hist_field_var_ref-from-accessing-nu.patch | 50 +++ .../usbnet-ipheth-fix-racing-condition.patch | 62 ++++ ...uaccess-kcov-disable-stack-protector.patch | 42 +++ 31 files changed, 2461 insertions(+) create mode 100644 queue-4.19/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch create mode 100644 queue-4.19/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch create mode 100644 
queue-4.19/arm64-mm-inhibit-huge-vmap-with-ptdump.patch create mode 100644 queue-4.19/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch create mode 100644 queue-4.19/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch create mode 100644 queue-4.19/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch create mode 100644 queue-4.19/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch create mode 100644 queue-4.19/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch create mode 100644 queue-4.19/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch create mode 100644 queue-4.19/libnvdimm-fix-compilation-warnings-with-w-1.patch create mode 100644 queue-4.19/nvme-fix-memory-leak-for-power-latency-tolerance.patch create mode 100644 queue-4.19/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch create mode 100644 queue-4.19/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch create mode 100644 queue-4.19/nvme-release-namespace-srcu-protection-before-perfor.patch create mode 100644 queue-4.19/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch create mode 100644 queue-4.19/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch create mode 100644 queue-4.19/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch create mode 100644 queue-4.19/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch create mode 100644 queue-4.19/s390-kasan-fix-strncpy_from_user-kasan-checks.patch create mode 100644 queue-4.19/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch create mode 100644 queue-4.19/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch create mode 100644 queue-4.19/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch create mode 100644 queue-4.19/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch create mode 100644 queue-4.19/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch create mode 100644 queue-4.19/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch create mode 100644 
queue-4.19/selftests-timers-add-missing-fflush-stdout-calls.patch create mode 100644 queue-4.19/tools-kvm_stat-fix-fields-filter-for-child-events.patch create mode 100644 queue-4.19/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch create mode 100644 queue-4.19/usbnet-ipheth-fix-racing-condition.patch create mode 100644 queue-4.19/x86-uaccess-kcov-disable-stack-protector.patch diff --git a/queue-4.19/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch b/queue-4.19/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch new file mode 100644 index 00000000000..fa60c47b8fb --- /dev/null +++ b/queue-4.19/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch 
@@ -0,0 +1,102 @@ +From 6a68f11c406e63795b5c283e914b9985ff5e3da2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Apr 2019 18:04:17 +0200 +Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls + +[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ] + +The snd_seq_ioctl_get_subscription() retrieves the port subscriber +information as a pointer, while the object isn't protected, hence it +may be deleted before the actual reference. This race was spotted by +syzkaller and may lead to a UAF. + +The fix is simply copying the data in the lookup function that +performs in the rwsem to protect against the deletion. + +Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 10 ++-------- + sound/core/seq/seq_ports.c | 13 ++++++++----- + sound/core/seq/seq_ports.h | 5 +++-- + 3 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 40ae8f67efde..37312a3ae60f 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1900,20 +1900,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client, + int result; + struct snd_seq_client *sender = NULL; + struct snd_seq_client_port *sport = NULL; +- struct snd_seq_subscribers *p; + + result = -EINVAL; + if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL) + goto __end; + if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL) + goto __end; +- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest); +- if (p) { +- result = 0; +- *subs = p->info; +- } else +- result = -ENOENT; +- ++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest, ++ subs); + __end: + if (sport) + snd_seq_port_unlock(sport); +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c +index da31aa8e216e..16289aefb443 100644 +--- 
a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, + + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr) ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs) + { +- struct snd_seq_subscribers *s, *found = NULL; ++ struct snd_seq_subscribers *s; ++ int err = -ENOENT; + + down_read(&src_grp->list_mutex); + list_for_each_entry(s, &src_grp->list_head, src_list) { + if (addr_match(dest_addr, &s->info.dest)) { +- found = s; ++ *subs = s->info; ++ err = 0; + break; + } + } + up_read(&src_grp->list_mutex); +- return found; ++ return err; + } + + /* +diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h +index 26bd71f36c41..06003b36652e 100644 +--- a/sound/core/seq/seq_ports.h ++++ b/sound/core/seq/seq_ports.h +@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port, + struct snd_seq_port_subscribe *info); + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr); ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs); + + #endif +-- +2.20.1 + diff --git a/queue-4.19/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-4.19/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch new file mode 100644 index 00000000000..2ff9aeac377 --- /dev/null +++ b/queue-4.19/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch 
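Review bot: In the new `snd_seq_port_get_subscription()` in seq_ports.c, the output `subs` and the lookup key `dest_addr` alias each other at the only call site shown (`&subs->dest` and `subs` in `snd_seq_ioctl_get_subscription()`), and the one-line comment `/* get matched subscriber */` no longer describes the contract. The copy `*subs = s->info` runs only after `addr_match()` has succeeded and is followed by `break`, so the aliasing is harmless as written, but that depends on statement order and is worth stating. I would replace the comment in both seq_ports.c and seq_ports.h with something like `/* copy the matching subscription into *subs while holding list_mutex; returns 0 or -ENOENT; dest_addr may point into *subs */`. The body of `snd_seq_ioctl_get_subscription()` continues outside the hunk.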
@@ -0,0 +1,53 @@
+From 310b4ab58553793343b3ded3efc72bee50bfa5c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index b55cb96d1fed..40ae8f67efde 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
diff --git a/queue-4.19/arm64-mm-inhibit-huge-vmap-with-ptdump.patch b/queue-4.19/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
new file mode 100644
index 00000000000..118df4e91ea
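Review bot: The `mutex_lock(&client->ioctl_mutex)` added around `handler->func(client, arg)` in `snd_seq_kernel_client_ctl()` has no visible guard for a caller that already holds the same client's `ioctl_mutex`, and this same series also queues `revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch`. The revert's rationale is not shown in this part of the page, but carrying the change and its revert together leaves the in-kernel ioctl path unlocked again. The UAF named in the commit message is therefore presumably left to the get-subscription fix, which should be confirmed rather than assumed. Anyone cherry-picking from this queue should take the two patches as a pair or not at all. The function body continues outside the hunk.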
--- /dev/null
+++ b/queue-4.19/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
@@ -0,0 +1,76 @@
+From 234c4d98a8ea683357afe5f4240b13db12e04aec Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Tue, 14 May 2019 14:30:06 +0530
+Subject: arm64/mm: Inhibit huge-vmap with ptdump
+
+[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
+
+The arm64 ptdump code can race with concurrent modification of the
+kernel page tables. At the time this was added, this was sound as:
+
+* Modifications to leaf entries could result in stale information being
+ logged, but would not result in a functional problem.
+
+* Boot time modifications to non-leaf entries (e.g. freeing of initmem)
+ were performed when the ptdump code cannot be invoked.
+
+* At runtime, modifications to non-leaf entries only occurred in the
+ vmalloc region, and these were strictly additive, as intermediate
+ entries were never freed.
+
+However, since commit:
+
+ commit 324420bf91f6 ("arm64: add support for ioremap() block mappings")
+
+... it has been possible to create huge mappings in the vmalloc area at
+runtime, and as part of this existing intermediate levels of table my be
+removed and freed.
+
+It's possible for the ptdump code to race with this, and continue to
+walk tables which have been freed (and potentially poisoned or
+reallocated). As a result of this, the ptdump code may dereference bogus
+addresses, which could be fatal.
+
+Since huge-vmap is a TLB and memory optimization, we can disable it when
+the runtime ptdump code is in use to avoid this problem.
+
+Cc: Catalin Marinas
+Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings")
+Acked-by: Ard Biesheuvel
+Signed-off-by: Mark Rutland
+Signed-off-by: Anshuman Khandual
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/mm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 8080c9f489c3..0fa558176fb1 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -921,13 +921,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
+
+ int __init arch_ioremap_pud_supported(void)
+ {
+- /* only 4k granule supports level 1 block mappings */
+- return IS_ENABLED(CONFIG_ARM64_4K_PAGES);
++ /*
++ * Only 4k granule supports level 1 block mappings.
++ * SW table walks can't handle removal of intermediate entries.
++ */
++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) &&
++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int __init arch_ioremap_pmd_supported(void)
+ {
+- return 1;
++ /* See arch_ioremap_pud_supported() */
++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot)
+--
+2.20.1
+
diff --git a/queue-4.19/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch b/queue-4.19/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
new file mode 100644
index 00000000000..4c9ffc836a5
--- /dev/null
+++ b/queue-4.19/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
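Review bot: Both `arch_ioremap_pud_supported()` and `arch_ioremap_pmd_supported()` now test `IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS)`, which is a build-time condition, so a kernel built with the debugfs page-table dumper gives up huge vmap mappings whether or not the dump is ever read; the new comment does not say so. I would put that where the reasoning lives, for example `* SW table walks (ptdump) can't handle removal of intermediate entries, so huge-vmap is disabled at build time whenever CONFIG_ARM64_PTDUMP_DEBUGFS is set.` That wording also tells whoever later serialises ptdump against vmalloc updates that these two checks become removable.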
@@ -0,0 +1,46 @@
+From 235ea756a25d398437a8d48880075bd21e91adda Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index 6193270e7b3d..eb4d90b7d99e 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1139,7 +1139,7 @@ static void kgdbts_put_char(u8 chr)
+ static int param_set_kgdbts_var(const char *kmessage,
+ const struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1159,7 +1159,7 @@ static int param_set_kgdbts_var(const char *kmessage,
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
+--
+2.20.1
+
diff --git a/queue-4.19/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch b/queue-4.19/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch
new file mode 100644
index 00000000000..f8ea942f1f8
--- /dev/null
+++ b/queue-4.19/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch
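Review bot: The `len &&` guard in the second hunk of `param_set_kgdbts_var()` stops the read of `config[len - 1]` at index -1, but an empty `kmessage` is still copied into `config` and, as far as the hunk shows, still reaches `/* Go and configure with the new params. */`. Whether an empty configuration string is meant to be accepted is not visible here; if it is not, rejecting it next to the existing `len >= MAX_CONFIG_LEN` check is clearer than guarding only the newline strip. The unbounded `strcpy(config, kmessage)` is safe only because of that earlier length check (assuming `config` holds `MAX_CONFIG_LEN` bytes, which the hunk does not show), so it deserves a comment such as `/* len < MAX_CONFIG_LEN was checked above */`. The function body between and after the two hunks is outside the page.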
@@ -0,0 +1,154 @@ +From 551220c9cfa90499cd0ee031bb3f97f8ebf6b818 Mon Sep 17 00:00:00 2001 +From: Randall Huang +Date: Thu, 11 Apr 2019 16:26:46 +0800 +Subject: f2fs: fix to avoid accessing xattr across the boundary + +[ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ] + +When we traverse xattr entries via __find_xattr(), +if the raw filesystem content is faked or any hardware failure occurs, +out-of-bound error can be detected by KASAN. +Fix the issue by introducing boundary check. + +[ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c +[ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task +[ 38.402935] c7 1827 Call trace: +[ 38.402952] c7 1827 [] dump_backtrace+0x0/0x6bc +[ 38.402966] c7 1827 [] show_stack+0x20/0x2c +[ 38.402981] c7 1827 [] dump_stack+0xfc/0x140 +[ 38.402995] c7 1827 [] print_address_description+0x80/0x2d8 +[ 38.403009] c7 1827 [] kasan_report_error+0x198/0x1fc +[ 38.403022] c7 1827 [] kasan_report_error+0x0/0x1fc +[ 38.403037] c7 1827 [] __asan_load4+0x1b0/0x1b8 +[ 38.403051] c7 1827 [] f2fs_getxattr+0x518/0x68c +[ 38.403066] c7 1827 [] f2fs_xattr_generic_get+0xb0/0xd0 +[ 38.403080] c7 1827 [] __vfs_getxattr+0x1f4/0x1fc +[ 38.403096] c7 1827 [] inode_doinit_with_dentry+0x360/0x938 +[ 38.403109] c7 1827 [] selinux_d_instantiate+0x2c/0x38 +[ 38.403123] c7 1827 [] security_d_instantiate+0x68/0x98 +[ 38.403136] c7 1827 [] d_splice_alias+0x58/0x348 +[ 38.403149] c7 1827 [] f2fs_lookup+0x608/0x774 +[ 38.403163] c7 1827 [] lookup_slow+0x1e0/0x2cc +[ 38.403177] c7 1827 [] walk_component+0x160/0x520 +[ 38.403190] c7 1827 [] path_lookupat+0x110/0x2b4 +[ 38.403203] c7 1827 [] filename_lookup+0x1d8/0x3a8 +[ 38.403216] c7 1827 [] user_path_at_empty+0x54/0x68 +[ 38.403229] c7 1827 [] SyS_getxattr+0xb4/0x18c +[ 38.403241] c7 1827 [] el0_svc_naked+0x34/0x38 + +Signed-off-by: Randall Huang +[Jaegeuk Kim: Fix wrong ending boundary] +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin 
+--- + fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++--------- + fs/f2fs/xattr.h | 2 ++ + 2 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 409a637f7a92..88e30f7cf9e1 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -205,12 +205,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) + return handler; + } + +-static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, +- size_t len, const char *name) ++static struct f2fs_xattr_entry *__find_xattr(void *base_addr, ++ void *last_base_addr, int index, ++ size_t len, const char *name) + { + struct f2fs_xattr_entry *entry; + + list_for_each_xattr(entry, base_addr) { ++ if ((void *)(entry) + sizeof(__u32) > last_base_addr || ++ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) ++ return NULL; ++ + if (entry->e_name_index != index) + continue; + if (entry->e_name_len != len) +@@ -300,20 +305,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + const char *name, struct f2fs_xattr_entry **xe, + void **base_addr, int *base_size) + { +- void *cur_addr, *txattr_addr, *last_addr = NULL; ++ void *cur_addr, *txattr_addr, *last_txattr_addr; ++ void *last_addr = NULL; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; +- unsigned int size = xnid ? 
VALID_XATTR_BLOCK_SIZE : 0; + unsigned int inline_size = inline_xattr_size(inode); + int err = 0; + +- if (!size && !inline_size) ++ if (!xnid && !inline_size) + return -ENODATA; + +- *base_size = inline_size + size + XATTR_PADDING_SIZE; ++ *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE; + txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); + if (!txattr_addr) + return -ENOMEM; + ++ last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode); ++ + /* read from inline xattr */ + if (inline_size) { + err = read_inline_xattr(inode, ipage, txattr_addr); +@@ -340,7 +347,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + else + cur_addr = txattr_addr; + +- *xe = __find_xattr(cur_addr, index, len, name); ++ *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name); ++ if (!*xe) { ++ err = -EFAULT; ++ goto out; ++ } + check: + if (IS_XATTR_LAST_ENTRY(*xe)) { + err = -ENODATA; +@@ -584,7 +595,8 @@ static int __f2fs_setxattr(struct inode *inode, int index, + struct page *ipage, int flags) + { + struct f2fs_xattr_entry *here, *last; +- void *base_addr; ++ void *base_addr, *last_base_addr; ++ nid_t xnid = F2FS_I(inode)->i_xattr_nid; + int found, newsize; + size_t len; + __u32 new_hsize; +@@ -608,8 +620,14 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (error) + return error; + ++ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); ++ + /* find entry with wanted name. */ +- here = __find_xattr(base_addr, index, len, name); ++ here = __find_xattr(base_addr, last_base_addr, index, len, name); ++ if (!here) { ++ error = -EFAULT; ++ goto exit; ++ } + + found = IS_XATTR_LAST_ENTRY(here) ? 
0 : 1; + +diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h +index dbcd1d16e669..2a4ecaf338ea 100644 +--- a/fs/f2fs/xattr.h ++++ b/fs/f2fs/xattr.h +@@ -74,6 +74,8 @@ struct f2fs_xattr_entry { + entry = XATTR_NEXT_ENTRY(entry)) + #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer)) + #define XATTR_PADDING_SIZE (sizeof(__u32)) ++#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \ ++ (inline_xattr_size(i))) + #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \ + VALID_XATTR_BLOCK_SIZE) + +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch b/queue-4.19/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch new file mode 100644 index 00000000000..8788b728ff2 --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch 
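Review bot: The bounds check added to `__find_xattr()` sits in the loop body, so `list_for_each_xattr` has already evaluated its loop condition on `entry` by the time the check runs; that condition is not shown in the hunk but presumably reads the entry itself (compare `IS_XATTR_LAST_ENTRY`), which is in-bounds only if at least `sizeof(__u32)` readable bytes follow `last_base_addr`. `lookup_all_xattrs()` provides them by allocating `XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE`, but in `__f2fs_setxattr()` `base_addr` is filled by a call outside the hunk while `last_base_addr` is derived separately, so the two sizes should be confirmed to agree. A comment on `__find_xattr()` such as `/* last_base_addr: end of valid xattr data; the caller must leave XATTR_PADDING_SIZE readable bytes after it */` would record the contract. `XATTR_SIZE(xnid, inode)` is also expanded twice in `lookup_all_xattrs()`; computing it once into a local keeps the allocation size and the end pointer from drifting apart.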
@@ -0,0 +1,330 @@ +From 4c37e3642dc8e0ecc0be4cee4eb636c1ca9441fc Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Wed, 22 May 2019 18:47:05 +0100 +Subject: KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid + instrumentation + +[ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ] + +KVM has helpers to handle the condition codes of trapped aarch32 +instructions. These are marked __hyp_text and used from HYP, but they +aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN +and KCOV instrumentation. + +Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting +an aarch32 guest on a host built with the ASAN/KCOV debug options. + +Fixes: 021234ef3752f ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2") +Fixes: 8cebe750c4d9a ("arm64: KVM: Make kvm_skip_instr32 available to HYP") +Signed-off-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/hyp/Makefile | 1 + + arch/arm64/kvm/hyp/Makefile | 1 + + virt/kvm/arm/aarch32.c | 121 -------------------------------- + virt/kvm/arm/hyp/aarch32.c | 136 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 138 insertions(+), 121 deletions(-) + create mode 100644 virt/kvm/arm/hyp/aarch32.c + +diff --git a/arch/arm/kvm/hyp/Makefile b/arch/arm/kvm/hyp/Makefile +index d2b5ec9c4b92..ba88b1eca93c 100644 +--- a/arch/arm/kvm/hyp/Makefile ++++ b/arch/arm/kvm/hyp/Makefile +@@ -11,6 +11,7 @@ CFLAGS_ARMV7VE :=$(call cc-option, -march=armv7ve) + + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o ++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o + + obj-$(CONFIG_KVM_ARM_HOST) += tlb.o + obj-$(CONFIG_KVM_ARM_HOST) += cp15-sr.o +diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile +index 2fabc2dc1966..feef06fc7c5a 100644 +--- a/arch/arm64/kvm/hyp/Makefile ++++ b/arch/arm64/kvm/hyp/Makefile +@@ -10,6 +10,7 @@ KVM=../../../../virt/kvm + + 
obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o ++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o + + obj-$(CONFIG_KVM_ARM_HOST) += vgic-v2-cpuif-proxy.o + obj-$(CONFIG_KVM_ARM_HOST) += sysreg-sr.o +diff --git a/virt/kvm/arm/aarch32.c b/virt/kvm/arm/aarch32.c +index 5abbe9b3c652..6880236974b8 100644 +--- a/virt/kvm/arm/aarch32.c ++++ b/virt/kvm/arm/aarch32.c +@@ -25,127 +25,6 @@ + #include + #include + +-/* +- * stolen from arch/arm/kernel/opcodes.c +- * +- * condition code lookup table +- * index into the table is test code: EQ, NE, ... LT, GT, AL, NV +- * +- * bit position in short is condition code: NZCV +- */ +-static const unsigned short cc_map[16] = { +- 0xF0F0, /* EQ == Z set */ +- 0x0F0F, /* NE */ +- 0xCCCC, /* CS == C set */ +- 0x3333, /* CC */ +- 0xFF00, /* MI == N set */ +- 0x00FF, /* PL */ +- 0xAAAA, /* VS == V set */ +- 0x5555, /* VC */ +- 0x0C0C, /* HI == C set && Z clear */ +- 0xF3F3, /* LS == C clear || Z set */ +- 0xAA55, /* GE == (N==V) */ +- 0x55AA, /* LT == (N!=V) */ +- 0x0A05, /* GT == (!Z && (N==V)) */ +- 0xF5FA, /* LE == (Z || (N!=V)) */ +- 0xFFFF, /* AL always */ +- 0 /* NV */ +-}; +- +-/* +- * Check if a trapped instruction should have been executed or not. +- */ +-bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu) +-{ +- unsigned long cpsr; +- u32 cpsr_cond; +- int cond; +- +- /* Top two bits non-zero? Unconditional. */ +- if (kvm_vcpu_get_hsr(vcpu) >> 30) +- return true; +- +- /* Is condition field valid? */ +- cond = kvm_vcpu_get_condition(vcpu); +- if (cond == 0xE) +- return true; +- +- cpsr = *vcpu_cpsr(vcpu); +- +- if (cond < 0) { +- /* This can happen in Thumb mode: examine IT state. */ +- unsigned long it; +- +- it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3); +- +- /* it == 0 => unconditional. */ +- if (it == 0) +- return true; +- +- /* The cond for this insn works out as the top 4 bits. 
*/ +- cond = (it >> 4); +- } +- +- cpsr_cond = cpsr >> 28; +- +- if (!((cc_map[cond] >> cpsr_cond) & 1)) +- return false; +- +- return true; +-} +- +-/** +- * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block +- * @vcpu: The VCPU pointer +- * +- * When exceptions occur while instructions are executed in Thumb IF-THEN +- * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have +- * to do this little bit of work manually. The fields map like this: +- * +- * IT[7:0] -> CPSR[26:25],CPSR[15:10] +- */ +-static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu) +-{ +- unsigned long itbits, cond; +- unsigned long cpsr = *vcpu_cpsr(vcpu); +- bool is_arm = !(cpsr & PSR_AA32_T_BIT); +- +- if (is_arm || !(cpsr & PSR_AA32_IT_MASK)) +- return; +- +- cond = (cpsr & 0xe000) >> 13; +- itbits = (cpsr & 0x1c00) >> (10 - 2); +- itbits |= (cpsr & (0x3 << 25)) >> 25; +- +- /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */ +- if ((itbits & 0x7) == 0) +- itbits = cond = 0; +- else +- itbits = (itbits << 1) & 0x1f; +- +- cpsr &= ~PSR_AA32_IT_MASK; +- cpsr |= cond << 13; +- cpsr |= (itbits & 0x1c) << (10 - 2); +- cpsr |= (itbits & 0x3) << 25; +- *vcpu_cpsr(vcpu) = cpsr; +-} +- +-/** +- * kvm_skip_instr - skip a trapped instruction and proceed to the next +- * @vcpu: The vcpu pointer +- */ +-void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr) +-{ +- bool is_thumb; +- +- is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT); +- if (is_thumb && !is_wide_instr) +- *vcpu_pc(vcpu) += 2; +- else +- *vcpu_pc(vcpu) += 4; +- kvm_adjust_itstate(vcpu); +-} +- + /* + * Table taken from ARMv8 ARM DDI0487B-B, table G1-10. 
+ */ +diff --git a/virt/kvm/arm/hyp/aarch32.c b/virt/kvm/arm/hyp/aarch32.c +new file mode 100644 +index 000000000000..d31f267961e7 +--- /dev/null ++++ b/virt/kvm/arm/hyp/aarch32.c +@@ -0,0 +1,136 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Hyp portion of the (not much of an) Emulation layer for 32bit guests. ++ * ++ * Copyright (C) 2012,2013 - ARM Ltd ++ * Author: Marc Zyngier ++ * ++ * based on arch/arm/kvm/emulate.c ++ * Copyright (C) 2012 - Virtual Open Systems and Columbia University ++ * Author: Christoffer Dall ++ */ ++ ++#include ++#include ++#include ++ ++/* ++ * stolen from arch/arm/kernel/opcodes.c ++ * ++ * condition code lookup table ++ * index into the table is test code: EQ, NE, ... LT, GT, AL, NV ++ * ++ * bit position in short is condition code: NZCV ++ */ ++static const unsigned short cc_map[16] = { ++ 0xF0F0, /* EQ == Z set */ ++ 0x0F0F, /* NE */ ++ 0xCCCC, /* CS == C set */ ++ 0x3333, /* CC */ ++ 0xFF00, /* MI == N set */ ++ 0x00FF, /* PL */ ++ 0xAAAA, /* VS == V set */ ++ 0x5555, /* VC */ ++ 0x0C0C, /* HI == C set && Z clear */ ++ 0xF3F3, /* LS == C clear || Z set */ ++ 0xAA55, /* GE == (N==V) */ ++ 0x55AA, /* LT == (N!=V) */ ++ 0x0A05, /* GT == (!Z && (N==V)) */ ++ 0xF5FA, /* LE == (Z || (N!=V)) */ ++ 0xFFFF, /* AL always */ ++ 0 /* NV */ ++}; ++ ++/* ++ * Check if a trapped instruction should have been executed or not. ++ */ ++bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu) ++{ ++ unsigned long cpsr; ++ u32 cpsr_cond; ++ int cond; ++ ++ /* Top two bits non-zero? Unconditional. */ ++ if (kvm_vcpu_get_hsr(vcpu) >> 30) ++ return true; ++ ++ /* Is condition field valid? */ ++ cond = kvm_vcpu_get_condition(vcpu); ++ if (cond == 0xE) ++ return true; ++ ++ cpsr = *vcpu_cpsr(vcpu); ++ ++ if (cond < 0) { ++ /* This can happen in Thumb mode: examine IT state. */ ++ unsigned long it; ++ ++ it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3); ++ ++ /* it == 0 => unconditional. 
*/ ++ if (it == 0) ++ return true; ++ ++ /* The cond for this insn works out as the top 4 bits. */ ++ cond = (it >> 4); ++ } ++ ++ cpsr_cond = cpsr >> 28; ++ ++ if (!((cc_map[cond] >> cpsr_cond) & 1)) ++ return false; ++ ++ return true; ++} ++ ++/** ++ * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block ++ * @vcpu: The VCPU pointer ++ * ++ * When exceptions occur while instructions are executed in Thumb IF-THEN ++ * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have ++ * to do this little bit of work manually. The fields map like this: ++ * ++ * IT[7:0] -> CPSR[26:25],CPSR[15:10] ++ */ ++static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu) ++{ ++ unsigned long itbits, cond; ++ unsigned long cpsr = *vcpu_cpsr(vcpu); ++ bool is_arm = !(cpsr & PSR_AA32_T_BIT); ++ ++ if (is_arm || !(cpsr & PSR_AA32_IT_MASK)) ++ return; ++ ++ cond = (cpsr & 0xe000) >> 13; ++ itbits = (cpsr & 0x1c00) >> (10 - 2); ++ itbits |= (cpsr & (0x3 << 25)) >> 25; ++ ++ /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */ ++ if ((itbits & 0x7) == 0) ++ itbits = cond = 0; ++ else ++ itbits = (itbits << 1) & 0x1f; ++ ++ cpsr &= ~PSR_AA32_IT_MASK; ++ cpsr |= cond << 13; ++ cpsr |= (itbits & 0x1c) << (10 - 2); ++ cpsr |= (itbits & 0x3) << 25; ++ *vcpu_cpsr(vcpu) = cpsr; ++} ++ ++/** ++ * kvm_skip_instr - skip a trapped instruction and proceed to the next ++ * @vcpu: The vcpu pointer ++ */ ++void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr) ++{ ++ bool is_thumb; ++ ++ is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT); ++ if (is_thumb && !is_wide_instr) ++ *vcpu_pc(vcpu) += 2; ++ else ++ *vcpu_pc(vcpu) += 4; ++ kvm_adjust_itstate(vcpu); ++} +-- +2.20.1 + diff --git a/queue-4.19/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch b/queue-4.19/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch new file mode 100644 index 00000000000..3a746360b71 --- /dev/null 
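Review bot: The kernel-doc headers in the new virt/kvm/arm/hyp/aarch32.c do not match the functions they document: `adjust_itstate -` sits above `kvm_adjust_itstate()`, and `kvm_skip_instr -` sits above `kvm_skip_instr32()` and omits `@is_wide_instr`. They are carried over unchanged from virt/kvm/arm/aarch32.c, but a new file is the cheap moment to correct them: `* kvm_adjust_itstate - ...`, `* kvm_skip_instr32 - ...` and `* @is_wide_instr: true if the trapped instruction is 4 bytes long`. In `kvm_condition_valid32()` a short comment at the `cc_map[cond]` lookup stating that `cond` cannot exceed 0xF would make the table bound explicit; `it >> 4` is bounded by the masks above it, while the other path relies on `kvm_vcpu_get_condition()` returning either a negative value or a 4-bit code, which is not shown here.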
+++ b/queue-4.19/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch 
@@ -0,0 +1,69 @@ +From 82ec14e4f731f48f279459f210c214e92bc120f3 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 24 May 2019 16:06:23 +0200 +Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION + +[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ] + +kselftests exposed a problem in the s390 handling for memory slots. +Right now we only do proper memory slot handling for creation of new +memory slots. Neither MOVE, nor DELETION are handled properly. Let us +implement those. + +Signed-off-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index f538e3fac7ad..fc7de27960e7 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -4156,21 +4156,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm, + const struct kvm_memory_slot *new, + enum kvm_mr_change change) + { +- int rc; +- +- /* If the basics of the memslot do not change, we do not want +- * to update the gmap. Every update causes several unnecessary +- * segment translation exceptions. This is usually handled just +- * fine by the normal fault handler + gmap, but it will also +- * cause faults on the prefix page of running guest CPUs. 
+- */ +- if (old->userspace_addr == mem->userspace_addr && +- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr && +- old->npages * PAGE_SIZE == mem->memory_size) +- return; ++ int rc = 0; + +- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, +- mem->guest_phys_addr, mem->memory_size); ++ switch (change) { ++ case KVM_MR_DELETE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ break; ++ case KVM_MR_MOVE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ if (rc) ++ break; ++ /* FALLTHROUGH */ ++ case KVM_MR_CREATE: ++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, ++ mem->guest_phys_addr, mem->memory_size); ++ break; ++ case KVM_MR_FLAGS_ONLY: ++ break; ++ default: ++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change); ++ } + if (rc) + pr_warn("failed to commit memory region\n"); + return; +-- +2.20.1 + diff --git a/queue-4.19/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch b/queue-4.19/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch new file mode 100644 index 00000000000..ae90cffe5b2 --- /dev/null +++ b/queue-4.19/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch 
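Review bot: In the new `switch` in kvm_arch_commit_memory_region(), a KVM_MR_MOVE whose gmap_unmap_segment() succeeds but whose gmap_map_segment() then fails leaves the old range unmapped with nothing mapped in its place. The only trace is the fixed string `failed to commit memory region`. Because the function returns void, that log line is the sole diagnostic, so it should carry the change type and the error code, e.g. `pr_warn("failed to commit memory region (change %d): %d\n", change, rc);`. The function's parameter list begins outside the hunk.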
@@ -0,0 +1,48 @@ +From 5a3b25545d1dd31e8b1e84d7c2dd0a849c949542 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 17:34:30 +0200 +Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs + +[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ] + +According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of +each MSR may be written with any value, and the high-order 8 bits are +sign-extended according to the value of bit 31", but the fixed counters +in real hardware are limited to the width of the fixed counters ("bits +beyond the width of the fixed-function counter are reserved and must be +written as zeros"). Fix KVM to do the same. + +Reported-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/pmu_intel.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c +index ad7ea81fbfbf..c3f103e2b08e 100644 +--- a/arch/x86/kvm/pmu_intel.c ++++ b/arch/x86/kvm/pmu_intel.c +@@ -240,11 +240,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + } + break; + default: +- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) || +- (pmc = get_fixed_pmc(pmu, msr))) { +- if (!msr_info->host_initiated) +- data = (s64)(s32)data; +- pmc->counter += data - pmc_read_counter(pmc); ++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) { ++ if (msr_info->host_initiated) ++ pmc->counter = data; ++ else ++ pmc->counter = (s32)data; ++ return 0; ++ } else if ((pmc = get_fixed_pmc(pmu, msr))) { ++ pmc->counter = data; + return 0; + } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) { + if (data == pmc->eventsel) +-- +2.20.1 + diff --git a/queue-4.19/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch b/queue-4.19/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch new file mode 100644 index 00000000000..ce2c5e4d230 --- /dev/null 
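Review bot: Both new branches in intel_pmu_set_msr() assign `pmc->counter` directly, whereas the removed line applied the write as a delta, `pmc->counter += data - pmc_read_counter(pmc);`. If pmc_read_counter() adds a live perf-event count on top of pmc->counter (its body is not visible here), a guest write to a running counter would read back as the written value plus the accumulated count. In that case the delta form should be kept: `pmc->counter += data - pmc_read_counter(pmc);` in the fixed branch, and the same after `data = (s64)(s32)data;` for guest-initiated general-purpose writes. Separately, the description quotes the SDM that bits beyond the fixed-counter width must be written as zeros, yet the fixed branch stores `data` unchecked; if that is intentional it deserves a comment. The function body continues outside the hunk.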
+++ b/queue-4.19/kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch 
@@ -0,0 +1,116 @@ +From be536c2e23dc305f7ac01a9474b170bafa6ed761 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 20 May 2019 17:20:40 +0200 +Subject: KVM: x86/pmu: mask the result of rdpmc according to the width of the + counters + +[ Upstream commit 0e6f467ee28ec97f68c7b74e35ec1601bb1368a7 ] + +This patch will simplify the changes in the next, by enforcing the +masking of the counters to RDPMC and RDMSR. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/pmu.c | 10 +++------- + arch/x86/kvm/pmu.h | 3 ++- + arch/x86/kvm/pmu_amd.c | 2 +- + arch/x86/kvm/pmu_intel.c | 13 +++++++++---- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c +index 58ead7db71a3..952aebd0a8a3 100644 +--- a/arch/x86/kvm/pmu.c ++++ b/arch/x86/kvm/pmu.c +@@ -282,20 +282,16 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data) + { + bool fast_mode = idx & (1u << 31); + struct kvm_pmc *pmc; +- u64 ctr_val; ++ u64 mask = fast_mode ? 
~0u : ~0ull; + + if (is_vmware_backdoor_pmc(idx)) + return kvm_pmu_rdpmc_vmware(vcpu, idx, data); + +- pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx); ++ pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx, &mask); + if (!pmc) + return 1; + +- ctr_val = pmc_read_counter(pmc); +- if (fast_mode) +- ctr_val = (u32)ctr_val; +- +- *data = ctr_val; ++ *data = pmc_read_counter(pmc) & mask; + return 0; + } + +diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h +index ba8898e1a854..22dff661145a 100644 +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -25,7 +25,8 @@ struct kvm_pmu_ops { + unsigned (*find_fixed_event)(int idx); + bool (*pmc_is_enabled)(struct kvm_pmc *pmc); + struct kvm_pmc *(*pmc_idx_to_pmc)(struct kvm_pmu *pmu, int pmc_idx); +- struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx); ++ struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx, ++ u64 *mask); + int (*is_valid_msr_idx)(struct kvm_vcpu *vcpu, unsigned idx); + bool (*is_valid_msr)(struct kvm_vcpu *vcpu, u32 msr); + int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr, u64 *data); +diff --git a/arch/x86/kvm/pmu_amd.c b/arch/x86/kvm/pmu_amd.c +index 1495a735b38e..41dff881e0f0 100644 +--- a/arch/x86/kvm/pmu_amd.c ++++ b/arch/x86/kvm/pmu_amd.c +@@ -186,7 +186,7 @@ static int amd_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx) + } + + /* idx is the ECX register of RDPMC instruction */ +-static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx) ++static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *mask) + { + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + struct kvm_pmc *counters; +diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c +index 5ab4a364348e..ad7ea81fbfbf 100644 +--- a/arch/x86/kvm/pmu_intel.c ++++ b/arch/x86/kvm/pmu_intel.c +@@ -126,7 +126,7 @@ static int intel_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx) + } + + static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu 
*vcpu, +- unsigned idx) ++ unsigned idx, u64 *mask) + { + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + bool fixed = idx & (1u << 30); +@@ -138,6 +138,7 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, + if (fixed && idx >= pmu->nr_arch_fixed_counters) + return NULL; + counters = fixed ? pmu->fixed_counters : pmu->gp_counters; ++ *mask &= pmu->counter_bitmask[fixed ? KVM_PMC_FIXED : KVM_PMC_GP]; + + return &counters[idx]; + } +@@ -183,9 +184,13 @@ static int intel_pmu_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *data) + *data = pmu->global_ovf_ctrl; + return 0; + default: +- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) || +- (pmc = get_fixed_pmc(pmu, msr))) { +- *data = pmc_read_counter(pmc); ++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) { ++ u64 val = pmc_read_counter(pmc); ++ *data = val & pmu->counter_bitmask[KVM_PMC_GP]; ++ return 0; ++ } else if ((pmc = get_fixed_pmc(pmu, msr))) { ++ u64 val = pmc_read_counter(pmc); ++ *data = val & pmu->counter_bitmask[KVM_PMC_FIXED]; + return 0; + } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) { + *data = pmc->eventsel; +-- +2.20.1 + diff --git a/queue-4.19/libnvdimm-fix-compilation-warnings-with-w-1.patch b/queue-4.19/libnvdimm-fix-compilation-warnings-with-w-1.patch new file mode 100644 index 00000000000..09da034b303 --- /dev/null +++ b/queue-4.19/libnvdimm-fix-compilation-warnings-with-w-1.patch 
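Review bot: amd_msr_idx_to_pmc() gains the `u64 *mask` parameter, but the visible part of the change never writes through it, while intel_msr_idx_to_pmc() narrows it with `*mask &= pmu->counter_bitmask[...]`. Unless the AMD body (outside the hunk) does the same, kvm_pmu_rdpmc() masks AMD reads only by the fast-mode width, so the guest can observe bits above the counter width. If that is intended, say so in a comment in amd_msr_idx_to_pmc(); otherwise add `*mask &= pmu->counter_bitmask[KVM_PMC_GP];` before the return. The callback in struct kvm_pmu_ops should also document that `mask` is an in/out parameter and must be non-NULL, since the Intel implementation dereferences it unconditionally.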
@@ -0,0 +1,86 @@ +From 41e8d47b09252207bf56043648fe3910974dea70 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 16 May 2019 12:04:53 -0400 +Subject: libnvdimm: Fix compilation warnings with W=1 + +[ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ] + +Several places (dimm_devs.c, core.c etc) include label.h but only +label.c uses NSINDEX_SIGNATURE, so move its definition to label.c +instead. + +In file included from drivers/nvdimm/dimm_devs.c:23: +drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but +not used [-Wunused-const-variable=] + +Also, some places abuse "/**" which is only reserved for the kernel-doc. + +drivers/nvdimm/bus.c:648: warning: cannot understand function prototype: +'struct attribute_group nd_device_attribute_group = ' +drivers/nvdimm/bus.c:677: warning: cannot understand function prototype: +'struct attribute_group nd_numa_attribute_group = ' + +Those are just some member assignments for the "struct attribute_group" +instances and it can't be expressed in the kernel-doc. 
+ +Reviewed-by: Vishal Verma +Signed-off-by: Qian Cai +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 4 ++-- + drivers/nvdimm/label.c | 2 ++ + drivers/nvdimm/label.h | 2 -- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 9148015ed803..a3132a9eb91c 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -612,7 +612,7 @@ static struct attribute *nd_device_attributes[] = { + NULL, + }; + +-/** ++/* + * nd_device_attribute_group - generic attributes for all devices on an nd bus + */ + struct attribute_group nd_device_attribute_group = { +@@ -641,7 +641,7 @@ static umode_t nd_numa_attr_visible(struct kobject *kobj, struct attribute *a, + return a->mode; + } + +-/** ++/* + * nd_numa_attribute_group - NUMA attributes for all devices on an nd bus + */ + struct attribute_group nd_numa_attribute_group = { +diff --git a/drivers/nvdimm/label.c b/drivers/nvdimm/label.c +index 452ad379ed70..9f1b7e3153f9 100644 +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -25,6 +25,8 @@ static guid_t nvdimm_btt2_guid; + static guid_t nvdimm_pfn_guid; + static guid_t nvdimm_dax_guid; + ++static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0"; ++ + static u32 best_seq(u32 a, u32 b) + { + a &= NSINDEX_SEQ_MASK; +diff --git a/drivers/nvdimm/label.h b/drivers/nvdimm/label.h +index 18bbe183b3a9..52f9fcada00a 100644 +--- a/drivers/nvdimm/label.h ++++ b/drivers/nvdimm/label.h +@@ -38,8 +38,6 @@ enum { + ND_NSINDEX_INIT = 0x1, + }; + +-static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0"; +- + /** + * struct nd_namespace_index - label set superblock + * @sig: NAMESPACE_INDEX\0 +-- +2.20.1 + diff --git a/queue-4.19/nvme-fix-memory-leak-for-power-latency-tolerance.patch b/queue-4.19/nvme-fix-memory-leak-for-power-latency-tolerance.patch new file mode 100644 index 00000000000..18efce89cab --- /dev/null 
+++ b/queue-4.19/nvme-fix-memory-leak-for-power-latency-tolerance.patch @@ -0,0 +1,38 @@ +From 44482a7804dd9efd6ecc64b2ed3ad3f8523218d1 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Thu, 16 May 2019 19:30:07 -0700 +Subject: nvme: fix memory leak for power latency tolerance + +[ Upstream commit 510a405d945bc985abc513fafe45890cac34fafa ] + +Unconditionally hide device pm latency tolerance when uninitializing +the controller to ensure all qos resources are released so that we're +not leaking this memory. This is safe to call if none were allocated in +the first place, or were previously freed. + +Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions") +Suggested-by: Keith Busch +Tested-by: David Milburn +Signed-off-by: Yufen Yu +[changelog] +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 818788275406..a867a139bb35 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3525,6 +3525,7 @@ EXPORT_SYMBOL_GPL(nvme_start_ctrl); + + void nvme_uninit_ctrl(struct nvme_ctrl *ctrl) + { ++ dev_pm_qos_hide_latency_tolerance(ctrl->device); + cdev_device_del(&ctrl->cdev, ctrl->device); + } + EXPORT_SYMBOL_GPL(nvme_uninit_ctrl); +-- +2.20.1 + diff --git a/queue-4.19/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch b/queue-4.19/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch new file mode 100644 index 00000000000..652f5911995 --- /dev/null +++ b/queue-4.19/nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch 
@@ -0,0 +1,55 @@ +From 68cc7e87c5bd34b5024a7ee52694cd054aec1575 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:33 -0700 +Subject: nvme: fix srcu locking on error return in nvme_get_ns_from_disk + +[ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ] + +If we can't get a namespace don't leak the SRCU lock. nvme_ioctl was +working around this, but nvme_pr_command wasn't handling this properly. +Just do what callers would usually expect. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index abfb46378cc1..44d8077fbe95 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1277,9 +1277,14 @@ static struct nvme_ns *nvme_get_ns_from_disk(struct gendisk *disk, + { + #ifdef CONFIG_NVME_MULTIPATH + if (disk->fops == &nvme_ns_head_ops) { ++ struct nvme_ns *ns; ++ + *head = disk->private_data; + *srcu_idx = srcu_read_lock(&(*head)->srcu); +- return nvme_find_path(*head); ++ ns = nvme_find_path(*head); ++ if (!ns) ++ srcu_read_unlock(&(*head)->srcu, *srcu_idx); ++ return ns; + } + #endif + *head = NULL; +@@ -1326,9 +1331,9 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + + ns = nvme_get_ns_from_disk(bdev->bd_disk, &head, &srcu_idx); + if (unlikely(!ns)) +- ret = -EWOULDBLOCK; +- else +- ret = nvme_ns_ioctl(ns, cmd, arg); ++ return -EWOULDBLOCK; ++ ++ ret = nvme_ns_ioctl(ns, cmd, arg); + nvme_put_ns_from_disk(head, srcu_idx); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch b/queue-4.19/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch new file mode 100644 index 00000000000..b9d5a2e2825 --- /dev/null +++ b/queue-4.19/nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch 
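Review bot: nvme_get_ns_from_disk() now has an asymmetric contract that is not written down: on a NULL return the SRCU read lock has already been dropped, yet `*head` and `*srcu_idx` still hold the values from the failed attempt. A caller that keeps the older pattern and calls nvme_put_ns_from_disk(head, srcu_idx) on the failure path would unlock twice. Add a comment above the function such as `/* Returns NULL with the SRCU lock already released; do not call nvme_put_ns_from_disk() on failure. */`. Clearing `*head` next to the new srcu_read_unlock() would make misuse harder, but nvme_put_ns_from_disk() is not shown in this hunk, so confirm it tolerates a NULL head first. Both function bodies extend beyond the hunk.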
@@ -0,0 +1,89 @@ +From 827bde44e79a6f06b93c46c803ee953cfc8f90b5 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:35 -0700 +Subject: nvme: merge nvme_ns_ioctl into nvme_ioctl + +[ Upstream commit 90ec611adcf20b96d0c2b7166497d53e4301a57f ] + +Merge the two functions to make future changes a little easier. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 47 ++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 1cdfea3c094a..82f5f1d030d4 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1298,32 +1298,11 @@ static void nvme_put_ns_from_disk(struct nvme_ns_head *head, int idx) + srcu_read_unlock(&head->srcu, idx); + } + +-static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg) +-{ +- switch (cmd) { +- case NVME_IOCTL_ID: +- force_successful_syscall_return(); +- return ns->head->ns_id; +- case NVME_IOCTL_ADMIN_CMD: +- return nvme_user_cmd(ns->ctrl, NULL, (void __user *)arg); +- case NVME_IOCTL_IO_CMD: +- return nvme_user_cmd(ns->ctrl, ns, (void __user *)arg); +- case NVME_IOCTL_SUBMIT_IO: +- return nvme_submit_io(ns, (void __user *)arg); +- default: +- if (ns->ndev) +- return nvme_nvm_ioctl(ns, cmd, arg); +- if (is_sed_ioctl(cmd)) +- return sed_ioctl(ns->ctrl->opal_dev, cmd, +- (void __user *) arg); +- return -ENOTTY; +- } +-} +- + static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + unsigned int cmd, unsigned long arg) + { + struct nvme_ns_head *head = NULL; ++ void __user *argp = (void __user *)arg; + struct nvme_ns *ns; + int srcu_idx, ret; + +@@ -1331,7 +1310,29 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + if (unlikely(!ns)) + return -EWOULDBLOCK; + +- ret = nvme_ns_ioctl(ns, cmd, arg); ++ switch (cmd) { ++ case NVME_IOCTL_ID: ++ 
force_successful_syscall_return(); ++ ret = ns->head->ns_id; ++ break; ++ case NVME_IOCTL_ADMIN_CMD: ++ ret = nvme_user_cmd(ns->ctrl, NULL, argp); ++ break; ++ case NVME_IOCTL_IO_CMD: ++ ret = nvme_user_cmd(ns->ctrl, ns, argp); ++ break; ++ case NVME_IOCTL_SUBMIT_IO: ++ ret = nvme_submit_io(ns, argp); ++ break; ++ default: ++ if (ns->ndev) ++ ret = nvme_nvm_ioctl(ns, cmd, arg); ++ else if (is_sed_ioctl(cmd)) ++ ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp); ++ else ++ ret = -ENOTTY; ++ } ++ + nvme_put_ns_from_disk(head, srcu_idx); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/nvme-release-namespace-srcu-protection-before-perfor.patch b/queue-4.19/nvme-release-namespace-srcu-protection-before-perfor.patch new file mode 100644 index 00000000000..c37b11d900c --- /dev/null +++ b/queue-4.19/nvme-release-namespace-srcu-protection-before-perfor.patch 
@@ -0,0 +1,73 @@ +From db251685664dd1cf36456732d5372b31b0f69d12 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 11:47:36 +0200 +Subject: nvme: release namespace SRCU protection before performing controller + ioctls + +[ Upstream commit 5fb4aac756acacf260b9ebd88747251effa3a2f2 ] + +Holding the SRCU critical section protecting the namespace list can +cause deadlocks when using the per-namespace admin passthrough ioctl to +delete as namespace. Release it earlier when performing per-controller +ioctls to avoid that. + +Reported-by: Kenneth Heitke +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 82f5f1d030d4..818788275406 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1310,14 +1310,31 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + if (unlikely(!ns)) + return -EWOULDBLOCK; + ++ /* ++ * Handle ioctls that apply to the controller instead of the namespace ++ * seperately and drop the ns SRCU reference early. This avoids a ++ * deadlock when deleting namespaces using the passthrough interface. 
++ */ ++ if (cmd == NVME_IOCTL_ADMIN_CMD || is_sed_ioctl(cmd)) { ++ struct nvme_ctrl *ctrl = ns->ctrl; ++ ++ nvme_get_ctrl(ns->ctrl); ++ nvme_put_ns_from_disk(head, srcu_idx); ++ ++ if (cmd == NVME_IOCTL_ADMIN_CMD) ++ ret = nvme_user_cmd(ctrl, NULL, argp); ++ else ++ ret = sed_ioctl(ctrl->opal_dev, cmd, argp); ++ ++ nvme_put_ctrl(ctrl); ++ return ret; ++ } ++ + switch (cmd) { + case NVME_IOCTL_ID: + force_successful_syscall_return(); + ret = ns->head->ns_id; + break; +- case NVME_IOCTL_ADMIN_CMD: +- ret = nvme_user_cmd(ns->ctrl, NULL, argp); +- break; + case NVME_IOCTL_IO_CMD: + ret = nvme_user_cmd(ns->ctrl, ns, argp); + break; +@@ -1327,8 +1344,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode, + default: + if (ns->ndev) + ret = nvme_nvm_ioctl(ns, cmd, arg); +- else if (is_sed_ioctl(cmd)) +- ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp); + else + ret = -ENOTTY; + } +-- +2.20.1 + diff --git a/queue-4.19/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch b/queue-4.19/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch new file mode 100644 index 00000000000..2e6a18b1f81 --- /dev/null +++ b/queue-4.19/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch 
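Review bot: Hoisting the `is_sed_ioctl(cmd)` test above the switch changes the dispatch order for namespaces with `ns->ndev` set. Before, such a namespace sent every non-core command to nvme_nvm_ioctl() and reached sed_ioctl() only otherwise; now SED commands bypass nvme_nvm_ioctl() entirely. That is fine if the two command-number spaces never overlap, but nothing in the hunk shows it, so the block comment should state the assumption. Two smaller points in the same block: `nvme_get_ctrl(ns->ctrl);` can use the local just assigned, `nvme_get_ctrl(ctrl);`, and the comment has a typo, `seperately` for `separately`. nvme_ioctl() begins outside the hunk.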
@@ -0,0 +1,36 @@ +From 570323416a8877caf51536e15e3b2c62856937eb Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 17 May 2019 02:47:34 -0700 +Subject: nvme: remove the ifdef around nvme_nvm_ioctl + +[ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ] + +We already have a proper stub if lightnvm is not enabled, so don't bother +with the ifdef. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 44d8077fbe95..1cdfea3c094a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1311,10 +1311,8 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg) + case NVME_IOCTL_SUBMIT_IO: + return nvme_submit_io(ns, (void __user *)arg); + default: +-#ifdef CONFIG_NVM + if (ns->ndev) + return nvme_nvm_ioctl(ns, cmd, arg); +-#endif + if (is_sed_ioctl(cmd)) + return sed_ioctl(ns->ctrl->opal_dev, cmd, + (void __user *) arg); +-- +2.20.1 + diff --git a/queue-4.19/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch b/queue-4.19/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch new file mode 100644 index 00000000000..5656d59ab07 --- /dev/null +++ b/queue-4.19/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch 
@@ -0,0 +1,52 @@ +From b96e67bd55410412b12999b87d7ef8b666b109af Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 29 Apr 2019 17:01:35 +0200 +Subject: platform/x86: pmc_atom: Add Lex 3I380D industrial PC to + critclk_systems DMI table + +[ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ] + +The Lex 3I380D industrial PC has 4 ethernet controllers on board +which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems +DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks +as CLK_CRITICAL and they will not get turned off. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Reported-and-tested-by: Semyon Verchenko +Signed-off-by: Hans de Goede +Acked-by: Andy Shevchenko +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index c7039f52ad51..a311f48ce7c9 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -398,12 +398,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc) + */ + static const struct dmi_system_id critclk_systems[] = { + { ++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */ + .ident = "MPL CEC1x", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"), + DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"), + }, + }, ++ { ++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */ ++ .ident = "Lex 3I380D", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"), ++ }, ++ }, + { /*sentinel*/ } + }; + +-- +2.20.1 + diff --git a/queue-4.19/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch b/queue-4.19/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch new file mode 100644 index 00000000000..7f9021d93fc --- /dev/null +++ b/queue-4.19/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch 
@@ -0,0 +1,59 @@ +From a0263cb5a140a118c38e1b9591ddc68c8c09fdbd Mon Sep 17 00:00:00 2001 +From: Steffen Dirkwinkel +Date: Thu, 2 May 2019 15:03:51 +0200 +Subject: platform/x86: pmc_atom: Add several Beckhoff Automation boards to + critclk_systems DMI table + +[ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ] + +There are several Beckhoff Automation industrial PC boards which use +pmc_plt_clk* clocks for ethernet controllers. This adds affected boards +to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and +not turned off. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Signed-off-by: Steffen Dirkwinkel +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index a311f48ce7c9..b1d804376237 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -413,6 +413,30 @@ static const struct dmi_system_id critclk_systems[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"), + }, + }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB3163", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"), ++ }, ++ }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB6263", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"), ++ }, ++ }, ++ { ++ /* pmc_plt_clk* - are used for ethernet controllers */ ++ .ident = "Beckhoff CB6363", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), ++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"), ++ }, ++ }, + { /*sentinel*/ } + }; + +-- +2.20.1 + 
diff --git a/queue-4.19/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch b/queue-4.19/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
new file mode 100644
index 00000000000..b5771493016
--- /dev/null
+++ b/queue-4.19/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
@@ -0,0 +1,50 @@
+From 207b3c11e76dcbffe76539c6a1fb24df126e7eae Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 37312a3ae60f..f59e13c1d84a 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2337,19 +2337,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
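Review bot: After this revert snd_seq_kernel_client_ctl() calls `handler->func(client, arg)` with no serialisation against other ioctls on the same client, which reopens whatever race the reverted commit was closing; the description itself says the proper fix is still pending. Leave a marker at the call site so the gap is not forgotten, e.g. `/* FIXME: runs without client->ioctl_mutex; taking it here deadlocked on OSS sequencer client close */`. The hunk also does not show how the pointer returned by clientptr() is kept alive across the handler call, which is worth confirming when the locking is revisited. The function continues past the end of the hunk.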
diff --git a/queue-4.19/s390-kasan-fix-strncpy_from_user-kasan-checks.patch b/queue-4.19/s390-kasan-fix-strncpy_from_user-kasan-checks.patch
new file mode 100644
index 00000000000..a476e178abf
--- /dev/null
+++ b/queue-4.19/s390-kasan-fix-strncpy_from_user-kasan-checks.patch
@@ -0,0 +1,41 @@
+From 8ddc768af39a1e298e2ac61868319052e22f28da Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik
+Date: Tue, 23 Apr 2019 15:36:36 +0200
+Subject: s390/kasan: fix strncpy_from_user kasan checks
+
+[ Upstream commit 01eb42afb45719cb41bb32c278e068073738899d ]
+
+arch/s390/lib/uaccess.c is built without kasan instrumentation. Kasan
+checks are performed explicitly in copy_from_user/copy_to_user
+functions. But since those functions could be inlined, calls from
+files like uaccess.c with instrumentation disabled won't generate
+kasan reports. This is currently the case with strncpy_from_user
+function which was revealed by newly added kasan test. Avoid inlining of
+copy_from_user/copy_to_user when the kernel is built with kasan support
+to make sure kasan checks are fully functional.
+
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+---
+ arch/s390/include/asm/uaccess.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index ad6b91013a05..5332f628c1ed 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -56,8 +56,10 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n);
+ unsigned long __must_check
+ raw_copy_to_user(void __user *to, const void *from, unsigned long n);
+
++#ifndef CONFIG_KASAN
+ #define INLINE_COPY_FROM_USER
+ #define INLINE_COPY_TO_USER
++#endif
+
+ #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+
+--
+2.20.1
+
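Review bot: The new `#ifndef CONFIG_KASAN` guard carries no comment, and the reason for it is not something a reader of uaccess.h can work out from the header alone. Add one above the guard, e.g. `/* Keep copy_{from,to}_user out of line under KASAN so their explicit checks still run for callers built without instrumentation. */`. Without it the guard reads like a performance knob and is liable to be removed in a later cleanup, silently losing the KASAN coverage the change restores.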
diff --git a/queue-4.19/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch b/queue-4.19/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
new file mode 100644
index 00000000000..f99cbafe63d
--- /dev/null
+++ b/queue-4.19/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
@@ -0,0 +1,37 @@
+From 6ed90c1dc28f933d20470d51258b3b3445fc5c18 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King
+Acked-by: Saurav Kashyap
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index e8ae4d671d23..097305949a95 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -830,7 +830,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch b/queue-4.19/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
new file mode 100644
index 00000000000..e014c64b026
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
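Review bot: The corrected test `((u64)1 << i)` is right, but the kernel already has a helper for exactly this, and `if (err_warn_bit_map & BIT_ULL(i)) {` states the 64-bit intent without a cast. The shift is still only defined while `i` stays below 64. BNX2FC_NUM_ERR_BITS is defined outside the hunk, so its value should be checked against the width of err_warn_bit_map. The enclosing function starts and ends outside the hunk.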
@@ -0,0 +1,38 @@
+From 8e801179e64f5e636bf838292db11f99c5b46279 Mon Sep 17 00:00:00 2001
+From: James Smart
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Tested-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 0d214e6b8e9a..f3c6801c0b31 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7094,7 +7094,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch b/queue-4.19/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch
new file mode 100644
index 00000000000..6a90eb38361
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch
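Review bot: In lpfc_send_rrq() the new `if (!ndlp)` follows the `ndlp` declaration with no blank line between them, so the guard reads as part of the declaration block; kernel style wants a blank line after declarations. The bare `return 1` also gives no hint of what the caller does with it, and a short comment on the guard such as `/* node is gone: nothing to send the RRQ to */` would help. The hunk additionally changes only the whitespace of the `rrq->nlp_DID);` continuation line, which is unrelated to the fix. The tail of the function is outside the hunk.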
@@ -0,0 +1,122 @@
+From 6a792491bfc8b9183ae4746b3b520803e88004ca Mon Sep 17 00:00:00 2001
+From: James Smart
+Date: Mon, 6 May 2019 17:26:48 -0700
+Subject: scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
+
+[ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ]
+
+Many of the exit cases were not releasing the rcu read lock. Corrected the
+exit paths.
+
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Tested-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index cb19b12e7211..55cd96e2469c 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -341,7 +341,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ phba->sli4_hba.scsi_xri_max,
+ lpfc_sli4_get_els_iocb_cnt(phba));
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* Port state is only one of two values for now. */
+ if (localport->port_id)
+@@ -357,7 +357,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ wwn_to_u64(vport->fc_nodename.u.wwn),
+ localport->port_id, statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
+ nrport = NULL;
+@@ -384,39 +384,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+
+ /* Tab in to show lport ownership. */
+ if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ if (phba->brd_no >= 10) {
+ if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "WWPN x%llx ",
+ nrport->port_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "WWNN x%llx ",
+ nrport->node_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "DID x%06x ",
+ nrport->port_id);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* An NVME rport can have multiple roles. */
+ if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) {
+ if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) {
+ if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) {
+ if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
+ FC_PORT_ROLE_NVME_TARGET |
+@@ -424,12 +424,12 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x",
+ nrport->port_role);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "%s\n", statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ rcu_read_unlock();
+
+@@ -491,7 +491,13 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ atomic_read(&lport->cmpl_fcp_err));
+ strlcat(buf, tmp, PAGE_SIZE);
+
+-buffer_done:
++ /* RCU is already unlocked. */
++ goto buffer_done;
++
++ rcu_unlock_buf_done:
++ rcu_read_unlock();
++
++ buffer_done:
+ len = strnlen(buf, PAGE_SIZE);
+
+ if (unlikely(len >= (PAGE_SIZE - 1))) {
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch b/queue-4.19/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
new file mode 100644
index 00000000000..516be146558
--- /dev/null
+++ b/queue-4.19/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
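Review bot: In lpfc_nvme_info_show() the exit path now has two labels, with a `goto buffer_done` that jumps over `rcu_unlock_buf_done:`, so lock balance depends on every exit inside the read-side section choosing the right label; the next `strlcat` check added there can reintroduce the leak this patch fixes. The matching `rcu_read_lock()` is outside all five hunks, so it cannot be confirmed from here that the first two converted gotos (hunks at 341 and 357) run with the lock held; if the lock is taken later, they would now unlock without holding it. I would state the rule at the label: `/* Every exit taken while rcu_read_lock() is held must come here, not to buffer_done. */`. The `strlcat(buf, tmp, PAGE_SIZE);` in the last hunk's context is also the only call in view whose truncation result is ignored.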
@@ -0,0 +1,167 @@
+From d1d5c55990f64799c6e62970b2acbe654000b94d Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Sat, 20 Apr 2019 12:05:54 +0800
+Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead
+
+[ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ]
+
+KASAN reports this:
+
+BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
+Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
+
+CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x1c4/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ qedi_dbg_err+0xda/0x330 [qedi]
+ ? 0xffffffffc12d0000
+ qedi_init+0x118/0x1000 [qedi]
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
+RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+The buggy address belongs to the variable:
+ __func__.67584+0x0/0xffffffffffffd520 [qedi]
+
+Memory state around the buggy address:
+ ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
+ ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
+> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
+ ^
+ ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
+ ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
+
+Currently the qedi_dbg_* family of functions can overrun the end of the
+source string if it is less than the destination buffer length because of
+the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
+and just use func instead as it is always a null terminated string.
+
+Reported-by: Hulk Robot
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: YueHaibing
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c
+index 8fd28b056f73..3383314a3882 100644
+--- a/drivers/scsi/qedi/qedi_dbg.c
++++ b/drivers/scsi/qedi/qedi_dbg.c
+@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ va_end(va);
+ }
+@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_notice("[%s]:[%s:%d]:%d: %pV",
+- dev_name(&qedi->pdev->dev), nfunc, line,
++ dev_name(&qedi->pdev->dev), func, line,
+ qedi->host_no, &vaf);
+ else
+- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch b/queue-4.19/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch
new file mode 100644
index 00000000000..ff7d8a28012
--- /dev/null
+++ b/queue-4.19/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch
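Review bot: In qedi_dbg.c `func` is now passed straight to `%s` in qedi_dbg_err(), qedi_dbg_warn(), qedi_dbg_notice() and qedi_dbg_info(), so the only bound on the read is the string's NUL terminator, and nothing in the code records that requirement. The commit message says `func` is always NUL-terminated; the functions should say so too, for example once above qedi_dbg_err(): `/* @func must be a NUL-terminated string, normally __func__; it is printed with %s. */`. The same edit had to be repeated in four near-identical bodies, which are only partly visible in these hunks; presumably a shared helper would keep a future fix from missing one of them.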
@@ -0,0 +1,48 @@
+From 7c35678757e7fc8f176e2b1dcfc4540a1c1a9b51 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 24 Apr 2019 16:02:56 +0800
+Subject: scsi: qedi: remove set but not used variables 'cdev' and 'udev'
+
+[ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect':
+drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable]
+drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable]
+
+These have never been used since introduction.
+
+Signed-off-by: YueHaibing
+Acked-by: Manish Rangankar
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 4130b9117055..1b7049dce169 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -810,8 +810,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ struct qedi_endpoint *qedi_ep;
+ struct sockaddr_in *addr;
+ struct sockaddr_in6 *addr6;
+- struct qed_dev *cdev = NULL;
+- struct qedi_uio_dev *udev = NULL;
+ struct iscsi_path path_req;
+ u32 msg_type = ISCSI_KEVENT_IF_DOWN;
+ u32 iscsi_cid = QEDI_CID_RESERVED;
+@@ -831,8 +829,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ }
+
+ qedi = iscsi_host_priv(shost);
+- cdev = qedi->cdev;
+- udev = qedi->udev;
+
+ if (test_bit(QEDI_IN_OFFLINE, &qedi->flags) ||
+ test_bit(QEDI_IN_RECOVERY, &qedi->flags)) {
+--
+2.20.1
+
diff --git a/queue-4.19/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch b/queue-4.19/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch
new file mode 100644
index 00000000000..4173bb05646
--- /dev/null
+++ b/queue-4.19/selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch
@@ -0,0 +1,35 @@
+From e1ba3caabf9c9f2484bdeb846e7d8ade5244e98f Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Mon, 20 May 2019 12:36:54 +0800
+Subject: selftests: fib_rule_tests: fix local IPv4 address typo
+
+[ Upstream commit fc82d93e57e3d41f79eff19031588b262fc3d0b6 ]
+
+The IPv4 testing address are all in 192.51.100.0 subnet. It doesn't make
+sense to set a 198.51.100.1 local address. Should be a typo.
+
+Fixes: 65b2b4939a64 ("selftests: net: initial fib rule tests")
+Signed-off-by: Hangbin Liu
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/fib_rule_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh
+index d84193bdc307..dbd90ca73e44 100755
+--- a/tools/testing/selftests/net/fib_rule_tests.sh
++++ b/tools/testing/selftests/net/fib_rule_tests.sh
+@@ -55,7 +55,7 @@ setup()
+
+ $IP link add dummy0 type dummy
+ $IP link set dev dummy0 up
+- $IP address add 198.51.100.1/24 dev dummy0
++ $IP address add 192.51.100.1/24 dev dummy0
+ $IP -6 address add 2001:db8:1::1/64 dev dummy0
+
+ set +e
+--
+2.20.1
+
diff --git a/queue-4.19/selftests-timers-add-missing-fflush-stdout-calls.patch b/queue-4.19/selftests-timers-add-missing-fflush-stdout-calls.patch
new file mode 100644
index 00000000000..359df26391d
--- /dev/null
+++ b/queue-4.19/selftests-timers-add-missing-fflush-stdout-calls.patch
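Review bot: In fib_rule_tests.sh setup(), the change moves the dummy0 address from 198.51.100.1/24 to 192.51.100.1/24, that is, out of an RFC 5737 documentation block (198.51.100.0/24, TEST-NET-2) and into 192.51.100.0/24, which is ordinary routable address space. The addresses do need to agree, but it would be safer to converge on the reserved block: keep `$IP address add 198.51.100.1/24 dev dummy0` and change the script's other 192.51.100.x test addresses, which are outside this hunk, to 198.51.100.x. Rules and routes installed by the test then cannot collide with a real network on the machine running it.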
@@ -0,0 +1,167 @@
+From 41cf3b1a9e952a695b93478a1fae39f53fc2cf35 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 20 May 2019 15:37:49 -0700
+Subject: selftests/timers: Add missing fflush(stdout) calls
+
+[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ]
+
+When running under a pipe, some timer tests would not report output in
+real-time because stdout flushes were missing after printf()s that lacked
+a newline. This adds them to restore real-time status output that humans
+can enjoy.
+
+Signed-off-by: Kees Cook
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/timers/adjtick.c | 1 +
+ tools/testing/selftests/timers/leapcrash.c | 1 +
+ tools/testing/selftests/timers/mqueue-lat.c | 1 +
+ tools/testing/selftests/timers/nanosleep.c | 1 +
+ tools/testing/selftests/timers/nsleep-lat.c | 1 +
+ tools/testing/selftests/timers/raw_skew.c | 1 +
+ tools/testing/selftests/timers/set-tai.c | 1 +
+ tools/testing/selftests/timers/set-tz.c | 2 ++
+ tools/testing/selftests/timers/threadtest.c | 1 +
+ tools/testing/selftests/timers/valid-adjtimex.c | 2 ++
+ 10 files changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c
+index 0caca3a06bd2..54d8d87f36b3 100644
+--- a/tools/testing/selftests/timers/adjtick.c
++++ b/tools/testing/selftests/timers/adjtick.c
+@@ -136,6 +136,7 @@ int check_tick_adj(long tickval)
+
+ eppm = get_ppm_drift();
+ printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm);
++ fflush(stdout);
+
+ tx1.modes = 0;
+ adjtimex(&tx1);
+diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c
+index 830c462f605d..dc80728ed191 100644
+--- a/tools/testing/selftests/timers/leapcrash.c
++++ b/tools/testing/selftests/timers/leapcrash.c
+@@ -101,6 +101,7 @@ int main(void)
+ }
+ clear_time_state();
+ printf(".");
++ fflush(stdout);
+ }
+ printf("[OK]\n");
+ return ksft_exit_pass();
+diff --git a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c
+index 1867db5d6f5e..7916cf5cc6ff 100644
+--- a/tools/testing/selftests/timers/mqueue-lat.c
++++ b/tools/testing/selftests/timers/mqueue-lat.c
+@@ -102,6 +102,7 @@ int main(int argc, char **argv)
+ int ret;
+
+ printf("Mqueue latency : ");
++ fflush(stdout);
+
+ ret = mqueue_lat_test();
+ if (ret < 0) {
+diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c
+index 8adb0bb51d4d..71b5441c2fd9 100644
+--- a/tools/testing/selftests/timers/nanosleep.c
++++ b/tools/testing/selftests/timers/nanosleep.c
+@@ -142,6 +142,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("Nanosleep %-31s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c
+index c3c3dc10db17..eb3e79ed7b4a 100644
+--- a/tools/testing/selftests/timers/nsleep-lat.c
++++ b/tools/testing/selftests/timers/nsleep-lat.c
+@@ -155,6 +155,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("nsleep latency %-26s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c
+index dcf73c5dab6e..b41d8dd0c40c 100644
+--- a/tools/testing/selftests/timers/raw_skew.c
++++ b/tools/testing/selftests/timers/raw_skew.c
+@@ -112,6 +112,7 @@ int main(int argv, char **argc)
+ printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n");
+
+ printf("Estimating clock drift: ");
++ fflush(stdout);
+ sleep(120);
+
+ get_monotonic_and_raw(&mon, &raw);
+diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c
+index 70fed27d8fd3..8c4179ee2ca2 100644
+--- a/tools/testing/selftests/timers/set-tai.c
++++ b/tools/testing/selftests/timers/set-tai.c
+@@ -55,6 +55,7 @@ int main(int argc, char **argv)
+ printf("tai offset started at %i\n", ret);
+
+ printf("Checking tai offsets can be properly set: ");
++ fflush(stdout);
+ for (i = 1; i <= 60; i++) {
+ ret = set_tai(i);
+ ret = get_tai();
+diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c
+index 877fd5532fee..62bd33eb16f0 100644
+--- a/tools/testing/selftests/timers/set-tz.c
++++ b/tools/testing/selftests/timers/set-tz.c
+@@ -65,6 +65,7 @@ int main(int argc, char **argv)
+ printf("tz_minuteswest started at %i, dst at %i\n", min, dst);
+
+ printf("Checking tz_minuteswest can be properly set: ");
++ fflush(stdout);
+ for (i = -15*60; i < 15*60; i += 30) {
+ ret = set_tz(i, dst);
+ ret = get_tz_min();
+@@ -76,6 +77,7 @@ int main(int argc, char **argv)
+ printf("[OK]\n");
+
+ printf("Checking invalid tz_minuteswest values are caught: ");
++ fflush(stdout);
+
+ if (!set_tz(-15*60-1, dst)) {
+ printf("[FAILED] %i didn't return failure!\n", -15*60-1);
+diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c
+index 759c9c06f1a0..cf3e48919874 100644
+--- a/tools/testing/selftests/timers/threadtest.c
++++ b/tools/testing/selftests/timers/threadtest.c
+@@ -163,6 +163,7 @@ int main(int argc, char **argv)
+ strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start));
+ printf("%s\n", buf);
+ printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime);
++ fflush(stdout);
+
+ /* spawn */
+ for (i = 0; i < thread_count; i++)
+diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c
+index d9d3ab93b31a..5397de708d3c 100644
+--- a/tools/testing/selftests/timers/valid-adjtimex.c
++++ b/tools/testing/selftests/timers/valid-adjtimex.c
+@@ -123,6 +123,7 @@ int validate_freq(void)
+ /* Set the leap second insert flag */
+
+ printf("Testing ADJ_FREQ... ");
++ fflush(stdout);
+ for (i = 0; i < NUM_FREQ_VALID; i++) {
+ tx.modes = ADJ_FREQUENCY;
+ tx.freq = valid_freq[i];
+@@ -250,6 +251,7 @@ int set_bad_offset(long sec, long usec, int use_nano)
+ int validate_set_offset(void)
+ {
+ printf("Testing ADJ_SETOFFSET... ");
++ fflush(stdout);
+
+ /* Test valid values */
+ if (set_offset(NSEC_PER_SEC - 1, 1))
+--
+2.20.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index f51d5f66b6d..59a94794f76 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
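Review bot: Every partial-line `printf()` in these timer selftests now needs its own `fflush(stdout)`, so the next progress print added without one brings the buffering problem back under a pipe. Making stdout unbuffered once at the top of each `main()` covers all present and future prints: `setvbuf(stdout, NULL, _IONBF, 0);`. The function bodies continue outside the hunks, so other newline-less prints in these files may still be unflushed.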
@@ -24,3 +24,33 @@ cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
 asoc-cs42xx8-add-regcache-mask-dirty.patch
 asoc-fsl_asrc-fix-the-issue-about-unsupported-rate.patch
 drm-i915-sdvo-implement-proper-hdmi-audio-support-for-sdvo.patch
+x86-uaccess-kcov-disable-stack-protector.patch
+alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
+alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
+revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
+s390-kasan-fix-strncpy_from_user-kasan-checks.patch
+drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
+f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch
+scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
+scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch
+scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch
+scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
+arm64-mm-inhibit-huge-vmap-with-ptdump.patch
+nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch
+nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch
+nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch
+nvme-release-namespace-srcu-protection-before-perfor.patch
+nvme-fix-memory-leak-for-power-latency-tolerance.patch
+platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch
+platform-x86-pmc_atom-add-several-beckhoff-automatio.patch
+scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
+libnvdimm-fix-compilation-warnings-with-w-1.patch
+selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch
+selftests-timers-add-missing-fflush-stdout-calls.patch
+tracing-prevent-hist_field_var_ref-from-accessing-nu.patch
+usbnet-ipheth-fix-racing-condition.patch
+kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch
+kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch
+kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
+kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
+tools-kvm_stat-fix-fields-filter-for-child-events.patch
diff --git a/queue-4.19/tools-kvm_stat-fix-fields-filter-for-child-events.patch b/queue-4.19/tools-kvm_stat-fix-fields-filter-for-child-events.patch
new file mode 100644
index 00000000000..80a631f1520
--- /dev/null
+++ b/queue-4.19/tools-kvm_stat-fix-fields-filter-for-child-events.patch
@@ -0,0 +1,90 @@
+From e2c2f6ceb3ed3182c4e2c1581ca3fb819b92614f Mon Sep 17 00:00:00 2001
+From: Stefan Raspl
+Date: Sun, 21 Apr 2019 15:26:24 +0200
+Subject: tools/kvm_stat: fix fields filter for child events
+
+[ Upstream commit 883d25e70b2f699fed9017e509d1ef8e36229b89 ]
+
+The fields filter would not work with child fields, as the respective
+parents would not be included. No parents displayed == no childs displayed.
+To reproduce, run on s390 (would work on other platforms, too, but would
+require a different filter name):
+- Run 'kvm_stat -d'
+- Press 'f'
+- Enter 'instruct'
+Notice that events like instruction_diag_44 or instruction_diag_500 are not
+displayed - the output remains empty.
+With this patch, we will filter by matching events and their parents.
+However, consider the following example where we filter by
+instruction_diag_44:
+
+ kvm statistics - summary
+ regex filter: instruction_diag_44
+ Event Total %Total CurAvg/s
+ exit_instruction 276 100.0 12
+ instruction_diag_44 256 92.8 11
+ Total 276 12
+
+Note that the parent ('exit_instruction') displays the total events, but
+the childs listed do not match its total (256 instead of 276). This is
+intended (since we're filtering all but one child), but might be confusing
+on first sight.
+
+Signed-off-by: Stefan Raspl
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ tools/kvm/kvm_stat/kvm_stat | 16 ++++++++++++----
+ tools/kvm/kvm_stat/kvm_stat.txt | 2 ++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
+index 195ba486640f..ba7ee74ee533 100755
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -575,8 +575,12 @@ class TracepointProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self.fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.tracepoint_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.tracepoint_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @staticmethod
+ def _get_online_cpus():
+@@ -735,8 +739,12 @@ class DebugfsProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self._fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.debugfs_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.debugfs_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @property
+ def fields(self):
+diff --git a/tools/kvm/kvm_stat/kvm_stat.txt b/tools/kvm/kvm_stat/kvm_stat.txt
+index 0811d860fe75..c057ba52364e 100644
+--- a/tools/kvm/kvm_stat/kvm_stat.txt
++++ b/tools/kvm/kvm_stat/kvm_stat.txt
+@@ -34,6 +34,8 @@ INTERACTIVE COMMANDS
+ *c*:: clear filter
+
+ *f*:: filter by regular expression
++ :: *Note*: Child events pull in their parents, and parents' stats summarize
++ all child events, not just the filtered ones
+
+ *g*:: filter by guest name/PID
+
+--
+2.20.1
+
diff --git a/queue-4.19/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch b/queue-4.19/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch
new file mode 100644
index 00000000000..33dad1ae4a9
--- /dev/null
+++ b/queue-4.19/tracing-prevent-hist_field_var_ref-from-accessing-nu.patch
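Review bot: Both new `update_fields()` bodies in kvm_stat append to the list they are iterating (`for field in self._fields:` followed by `self.fields.append(parent)`), and TracepointProvider assigns through `self.fields = [...]` but then reads `self._fields`, so the code only works if `fields` returns the very list object stored in `_fields`. If the TracepointProvider setter does more than store the list (its definition is outside the hunk), parents appended afterwards never pass through it. Building the complete list in a local and assigning it once removes both dependencies; DebugfsProvider takes the same shape with `ARCH.debugfs_is_child` and a final assignment to `self._fields`.

```python
    def update_fields(self, fields_filter):
        # … unchanged: docstring …
        wanted = [field for field in self._get_available_fields()
                  if self.is_field_wanted(fields_filter, field)]
        # parents must be present or their child fields produce no output
        for field in list(wanted):
            parent = ARCH.tracepoint_is_child(field)
            if parent and parent not in wanted:
                wanted.append(parent)
        self.fields = wanted
```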
@@ -0,0 +1,50 @@
+From 9d5ad9072bd55982fef63a2e02fcbdd0399600b0 Mon Sep 17 00:00:00 2001
+From: Tom Zanussi
+Date: Thu, 18 Apr 2019 10:18:50 -0500
+Subject: tracing: Prevent hist_field_var_ref() from accessing NULL
+ tracing_map_elts
+
+[ Upstream commit 55267c88c003a3648567beae7c90512d3e2ab15e ]
+
+hist_field_var_ref() is an implementation of hist_field_fn_t(), which
+can be called with a null tracing_map_elt elt param when assembling a
+key in event_hist_trigger().
+
+In the case of hist_field_var_ref() this doesn't make sense, because a
+variable can only be resolved by looking it up using an already
+assembled key i.e. a variable can't be used to assemble a key since
+the key is required in order to access the variable.
+
+Upper layers should prevent the user from constructing a key using a
+variable in the first place, but in case one slips through, it
+shouldn't cause a NULL pointer dereference. Also if one does slip
+through, we want to know about it, so emit a one-time warning in that
+case.
+
+Link: http://lkml.kernel.org/r/64ec8dc15c14d305295b64cdfcc6b2b9dd14753f.1555597045.git.tom.zanussi@linux.intel.com
+
+Reported-by: Vincent Bernat
+Signed-off-by: Tom Zanussi
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/trace_events_hist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index 11853e90b649..3f34cfb66a85 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -1632,6 +1632,9 @@ static u64 hist_field_var_ref(struct hist_field *hist_field,
+ struct hist_elt_data *elt_data;
+ u64 var_val = 0;
+
++ if (WARN_ON_ONCE(!elt))
++ return var_val;
++
+ elt_data = elt->private_data;
+ var_val = elt_data->var_ref_vals[hist_field->var_ref_idx];
+
+--
+2.20.1
+
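Review bot: The new guard in hist_field_var_ref() returns `var_val`, which is still 0 at that point, so a caller cannot tell the NULL-elt case from a variable whose value really is 0; `return 0;` with a comment would say that outright. Per the commit message the WARN_ON_ONCE fires when a user-supplied trigger slips past the upper-layer checks, and on a system running with panic_on_warn that turns a rejected configuration into a crash, so the upper-layer rejection deserves its own fix rather than relying on this guard. Suggested comment on the guard: `/* elt is NULL during key assembly; a variable cannot be part of a key. */`. The function continues past the hunk.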
diff --git a/queue-4.19/usbnet-ipheth-fix-racing-condition.patch b/queue-4.19/usbnet-ipheth-fix-racing-condition.patch
new file mode 100644
index 00000000000..f779c1f4bf4
--- /dev/null
+++ b/queue-4.19/usbnet-ipheth-fix-racing-condition.patch
@@ -0,0 +1,62 @@
+From b4e94d8462c7cb873e499c57f501fe19bee90c84 Mon Sep 17 00:00:00 2001
+From: Bernd Eckstein <3erndeckstein@gmail.com>
+Date: Mon, 20 May 2019 17:31:09 +0200
+Subject: usbnet: ipheth: fix racing condition
+
+[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ]
+
+Fix a racing condition in ipheth.c that can lead to slow performance.
+
+Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback
+ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called.
+When this happens, the queue is stopped longer than it needs to be,
+thus reducing network performance.
+
+Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order
+is always correct. In case, usb_submit_urb() fails, the queue is woken up
+again as callback will not fire.
+
+Testing: This racing condition is usually not noticeable, as it has to
+occur very frequently to slowdown the network. The callback from the USB
+is usually triggered slow enough, so the situation does not appear.
+However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10,
+the we loose the race quite often and the following speedup can be noticed:
+
+Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s
+With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s
+
+Signed-off-by: Oliver Zweigle
+Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 3d8a70d3ea9b..3d71f1716390 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
+ dev);
+ dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
++ netif_stop_queue(net);
+ retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC);
+ if (retval) {
+ dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
+ __func__, retval);
+ dev->net->stats.tx_errors++;
+ dev_kfree_skb_any(skb);
++ netif_wake_queue(net);
+ } else {
+ dev->net->stats.tx_packets++;
+ dev->net->stats.tx_bytes += skb->len;
+ dev_consume_skb_any(skb);
+- netif_stop_queue(net);
+ }
+
+ return NETDEV_TX_OK;
+--
+2.20.1
+
diff --git a/queue-4.19/x86-uaccess-kcov-disable-stack-protector.patch b/queue-4.19/x86-uaccess-kcov-disable-stack-protector.patch
new file mode 100644
index 00000000000..328db938066
--- /dev/null
+++ b/queue-4.19/x86-uaccess-kcov-disable-stack-protector.patch
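Review bot: In ipheth_tx() the reason `netif_stop_queue(net)` has to precede `usb_submit_urb()` is not recorded in the code, so the ordering looks arbitrary and a later tidy-up could move the call back into the success branch. I would add above it: `/* Stop the queue before submitting: the completion callback wakes it and may run before usb_submit_urb() returns. */`. A matching `/* no completion will fire, so restart the queue here */` on the `netif_wake_queue(net)` in the error branch documents the other half. The function starts outside the hunk.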
@@ -0,0 +1,42 @@
+From 10b0263ea1a24e7cb309c433f9699511decbd809 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Borislav Petkov
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 7a63d567fdb5..df5e3ca30acd 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -30,6 +30,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
+--
+2.20.1
+
--
2.47.2
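Review bot: In kernel/Makefile, `$(call cc-option, -fno-conserve-stack -fno-stack-protector)` probes both flags in a single compiler invocation, so a compiler that rejects either one gets neither, and kcov.o is then built with the stack protector still enabled, which is the state this patch is meant to remove. Probing the flags separately keeps `-fno-stack-protector` effective where `-fno-conserve-stack` is unsupported: `CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack) $(call cc-option, -fno-stack-protector)`.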