From 56a10581303e2f331b40e191fa4e2e0bcd1a0018 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 5 May 2018 17:43:17 -0700 Subject: [PATCH] 4.16-stable patches added patches: btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch drm-bridge-vga-dac-fix-edid-memory-leak.patch drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch drm-vmwgfx-fix-a-buffer-object-leak.patch ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch ib-hfi1-fix-loss-of-becn-with-ahg.patch ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch --- ...s-running-trans-in-check_delayed_ref.patch | 71 ++++++++ ...-bridge-vga-dac-fix-edid-memory-leak.patch | 42 +++++ ..._-inc-dec-_usecnt-calls-are-balanced.patch | 123 ++++++++++++++ .../drm-vmwgfx-fix-a-buffer-object-leak.patch | 33 ++++ ...ling-of-fecn-marked-multicast-packet.patch | 151 ++++++++++++++++++ .../ib-hfi1-fix-loss-of-becn-with-ahg.patch | 125 +++++++++++++++ ...ference-when-invalid-num_vls-is-used.patch | 79 +++++++++ ...errors-when-infiniband_user_access-m.patch | 44 +++++ ...xgb4-atomically-flush-per-qp-hw-cqes.patch | 88 ++++++++++ queue-4.16/series | 10 ++ ...stom-fw-path-back-on-exit-second-try.patch | 44 +++++ 11 files changed, 810 insertions(+) create mode 100644 queue-4.16/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch create mode 100644 queue-4.16/drm-bridge-vga-dac-fix-edid-memory-leak.patch create mode 100644 queue-4.16/drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch create mode 100644 queue-4.16/drm-vmwgfx-fix-a-buffer-object-leak.patch create mode 100644 queue-4.16/ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch create mode 100644 queue-4.16/ib-hfi1-fix-loss-of-becn-with-ahg.patch create mode 100644 
queue-4.16/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch create mode 100644 queue-4.16/infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch create mode 100644 queue-4.16/iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch create mode 100644 queue-4.16/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch diff --git a/queue-4.16/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch b/queue-4.16/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch new file mode 100644 index 00000000000..bb54a0b5bef --- /dev/null +++ b/queue-4.16/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch 
@@ -0,0 +1,71 @@ +From 998ac6d21cfd6efd58f5edf420bae8839dda9f2a Mon Sep 17 00:00:00 2001 +From: ethanwu +Date: Sun, 29 Apr 2018 15:59:42 +0800 +Subject: btrfs: Take trans lock before access running trans in check_delayed_ref + +From: ethanwu + +commit 998ac6d21cfd6efd58f5edf420bae8839dda9f2a upstream. + +In preivous patch: +Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist +We avoid starting btrfs transaction and get this information from +fs_info->running_transaction directly. + +When accessing running_transaction in check_delayed_ref, there's a +chance that current transaction will be freed by commit transaction +after the NULL pointer check of running_transaction is passed. + +After looking all the other places using fs_info->running_transaction, +they are either protected by trans_lock or holding the transactions. + +Fix this by using trans_lock and increasing the use_count. + +Fixes: e4c3b2dcd144 ("Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: ethanwu +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3155,7 +3155,11 @@ static noinline int check_delayed_ref(st + struct rb_node *node; + int ret = 0; + ++ spin_lock(&root->fs_info->trans_lock); + cur_trans = root->fs_info->running_transaction; ++ if (cur_trans) ++ refcount_inc(&cur_trans->use_count); ++ spin_unlock(&root->fs_info->trans_lock); + if (!cur_trans) + return 0; + +@@ -3164,6 +3168,7 @@ static noinline int check_delayed_ref(st + head = btrfs_find_delayed_ref_head(delayed_refs, bytenr); + if (!head) { + spin_unlock(&delayed_refs->lock); ++ btrfs_put_transaction(cur_trans); + return 0; + } + +@@ -3180,6 +3185,7 @@ static noinline int check_delayed_ref(st + mutex_lock(&head->mutex); + mutex_unlock(&head->mutex); + btrfs_put_delayed_ref_head(head); ++ 
btrfs_put_transaction(cur_trans); + return -EAGAIN; + } + spin_unlock(&delayed_refs->lock); +@@ -3212,6 +3218,7 @@ static noinline int check_delayed_ref(st + } + spin_unlock(&head->lock); + mutex_unlock(&head->mutex); ++ btrfs_put_transaction(cur_trans); + return ret; + } + diff --git a/queue-4.16/drm-bridge-vga-dac-fix-edid-memory-leak.patch b/queue-4.16/drm-bridge-vga-dac-fix-edid-memory-leak.patch new file mode 100644 index 00000000000..e9622d3635c --- /dev/null +++ b/queue-4.16/drm-bridge-vga-dac-fix-edid-memory-leak.patch @@ -0,0 +1,42 @@ +From 49ceda9de2da4d1827941d06701f3017c27c1855 Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Fri, 20 Apr 2018 14:59:59 -0400 +Subject: drm/bridge: vga-dac: Fix edid memory leak + +From: Sean Paul + +commit 49ceda9de2da4d1827941d06701f3017c27c1855 upstream. + +edid should be freed once it's finished being used. + +Fixes: 56fe8b6f4991 ("drm/bridge: Add RGB to VGA bridge support") +Cc: Rob Herring +Cc: Sean Paul +Cc: Maxime Ripard +Cc: Archit Taneja +Cc: Andrzej Hajda +Cc: Laurent Pinchart +Cc: # v4.9+ +Reviewed-by: Maxime Ripard +Reviewed-by: Laurent Pinchart +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20180420190007.1572-1-seanpaul@chromium.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/bridge/dumb-vga-dac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/bridge/dumb-vga-dac.c ++++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c +@@ -55,7 +55,9 @@ static int dumb_vga_get_modes(struct drm + } + + drm_mode_connector_update_edid_property(connector, edid); +- return drm_add_edid_modes(connector, edid); ++ ret = drm_add_edid_modes(connector, edid); ++ kfree(edid); ++ return ret; + + fallback: + /* diff --git a/queue-4.16/drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch b/queue-4.16/drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch new file mode 100644 index 00000000000..e23410a2287 --- /dev/null 
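Review bot: The reference taken on `cur_trans` in check_delayed_ref() is dropped by three separate `btrfs_put_transaction(cur_trans);` calls, one per return path, so any return added later between the `refcount_inc()` and the end of the function would leak a transaction reference. A single exit label, `out: btrfs_put_transaction(cur_trans); return ret;`, with the early exits setting `ret` and jumping to it, would keep the get and the put paired in one place. A short comment above the new `spin_lock()`, for example `/* pin the running transaction so a concurrent commit cannot free it while we walk its delayed refs */`, would record why the count is taken. The function body extends beyond the hunks shown, so that these three are the only exits is inferred from the visible context.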
+++ b/queue-4.16/drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch 
@@ -0,0 +1,123 @@ +From f7aef1c207092770d06d0df21dceafdca2b49c39 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Mon, 30 Apr 2018 15:32:32 +0200 +Subject: drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are balanced + +From: Boris Brezillon + +commit f7aef1c207092770d06d0df21dceafdca2b49c39 upstream. + +Commit b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +introduced a mechanism to mark some BOs as purgeable to allow the driver +to drop them under memory pressure. In order to implement this feature +we had to add a mechanism to mark BOs as currently used by a piece of +hardware which materialized through the ->usecnt counter. + +Plane code is supposed to increment usecnt when it attaches a BO to a +plane and decrement it when it's done with this BO, which was done in +the ->prepare_fb() and ->cleanup_fb() hooks. The problem is, async page +flip logic does not go through the regular atomic update path, and +->prepare_fb() and ->cleanup_fb() are not called in this case. + +Fix that by manually calling vc4_bo_{inc,dec}_usecnt() in the +async-page-flip path. + +Note that all this should go away as soon as we get generic async page +flip support in the core, in the meantime, this fix should do the +trick. 
+ +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reported-by: Peter Robinson +Cc: +Signed-off-by: Boris Brezillon +Signed-off-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180430133232.32457-1-boris.brezillon@bootlin.com +Link: https://patchwork.freedesktop.org/patch/msgid/20180430133232.32457-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 46 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 45 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -735,6 +735,7 @@ static irqreturn_t vc4_crtc_irq_handler( + struct vc4_async_flip_state { + struct drm_crtc *crtc; + struct drm_framebuffer *fb; ++ struct drm_framebuffer *old_fb; + struct drm_pending_vblank_event *event; + + struct vc4_seqno_cb cb; +@@ -764,6 +765,23 @@ vc4_async_page_flip_complete(struct vc4_ + + drm_crtc_vblank_put(crtc); + drm_framebuffer_put(flip_state->fb); ++ ++ /* Decrement the BO usecnt in order to keep the inc/dec calls balanced ++ * when the planes are updated through the async update path. ++ * FIXME: we should move to generic async-page-flip when it's ++ * available, so that we can get rid of this hand-made cleanup_fb() ++ * logic. ++ */ ++ if (flip_state->old_fb) { ++ struct drm_gem_cma_object *cma_bo; ++ struct vc4_bo *bo; ++ ++ cma_bo = drm_fb_cma_get_gem_obj(flip_state->old_fb, 0); ++ bo = to_vc4_bo(&cma_bo->base); ++ vc4_bo_dec_usecnt(bo); ++ drm_framebuffer_put(flip_state->old_fb); ++ } ++ + kfree(flip_state); + + up(&vc4->async_modeset); +@@ -788,9 +806,22 @@ static int vc4_async_page_flip(struct dr + struct drm_gem_cma_object *cma_bo = drm_fb_cma_get_gem_obj(fb, 0); + struct vc4_bo *bo = to_vc4_bo(&cma_bo->base); + ++ /* Increment the BO usecnt here, so that we never end up with an ++ * unbalanced number of vc4_bo_{dec,inc}_usecnt() calls when the ++ * plane is later updated through the non-async path. 
++ * FIXME: we should move to generic async-page-flip when it's ++ * available, so that we can get rid of this hand-made prepare_fb() ++ * logic. ++ */ ++ ret = vc4_bo_inc_usecnt(bo); ++ if (ret) ++ return ret; ++ + flip_state = kzalloc(sizeof(*flip_state), GFP_KERNEL); +- if (!flip_state) ++ if (!flip_state) { ++ vc4_bo_dec_usecnt(bo); + return -ENOMEM; ++ } + + drm_framebuffer_get(fb); + flip_state->fb = fb; +@@ -801,10 +832,23 @@ static int vc4_async_page_flip(struct dr + ret = down_interruptible(&vc4->async_modeset); + if (ret) { + drm_framebuffer_put(fb); ++ vc4_bo_dec_usecnt(bo); + kfree(flip_state); + return ret; + } + ++ /* Save the current FB before it's replaced by the new one in ++ * drm_atomic_set_fb_for_plane(). We'll need the old FB in ++ * vc4_async_page_flip_complete() to decrement the BO usecnt and keep ++ * it consistent. ++ * FIXME: we should move to generic async-page-flip when it's ++ * available, so that we can get rid of this hand-made cleanup_fb() ++ * logic. ++ */ ++ flip_state->old_fb = plane->state->fb; ++ if (flip_state->old_fb) ++ drm_framebuffer_get(flip_state->old_fb); ++ + WARN_ON(drm_crtc_vblank_get(crtc) != 0); + + /* Immediately update the plane's legacy fb pointer, so that later diff --git a/queue-4.16/drm-vmwgfx-fix-a-buffer-object-leak.patch b/queue-4.16/drm-vmwgfx-fix-a-buffer-object-leak.patch new file mode 100644 index 00000000000..a7f40f00b60 --- /dev/null +++ b/queue-4.16/drm-vmwgfx-fix-a-buffer-object-leak.patch 
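Review bot: The new usecnt bookkeeping in vc4_async_page_flip() and vc4_async_page_flip_complete() only covers the BO behind plane 0 of each framebuffer (`drm_fb_cma_get_gem_obj(fb, 0)` and `drm_fb_cma_get_gem_obj(flip_state->old_fb, 0)`), and none of the three comment blocks says so. The decrement on `old_fb` also assumes that whichever path installed that framebuffer incremented its BO's usecnt; if that does not hold, the count goes out of balance in the other direction and a BO still in use by the hardware could become purgeable. Both assumptions depend on ->prepare_fb()/->cleanup_fb(), which are not visible here, so a line in the comment such as `/* only the first plane's BO is tracked, mirroring prepare_fb()/cleanup_fb() */` (once confirmed) would make the contract explicit. The same FIXME text is repeated three times; keeping it once, next to the `old_fb` field in `struct vc4_async_flip_state`, would be easier to maintain.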
@@ -0,0 +1,33 @@ +From 13f149d47392782baafd96d54d4e65f3b5ca342f Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Thu, 26 Apr 2018 09:59:30 +0200 +Subject: drm/vmwgfx: Fix a buffer object leak + +From: Thomas Hellstrom + +commit 13f149d47392782baafd96d54d4e65f3b5ca342f upstream. + +A buffer object leak was introduced when fixing a premature buffer +object release. Fix this. + +Cc: +Fixes: 73a88250b709 ("Fix a destoy-while-held mutex problem.") +Signed-off-by: Thomas Hellstrom +Reviewed-by: Deepak Rawat +Reviewed-by: Sinclair Yeh +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2598,6 +2598,7 @@ void vmw_kms_helper_resource_finish(stru + vmw_kms_helper_buffer_finish(res->dev_priv, NULL, ctx->buf, + out_fence, NULL); + ++ vmw_dmabuf_unreference(&ctx->buf); + vmw_resource_unreserve(res, false, NULL, 0); + mutex_unlock(&res->dev_priv->cmdbuf_mutex); + } diff --git a/queue-4.16/ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch b/queue-4.16/ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch new file mode 100644 index 00000000000..833365e2488 --- /dev/null +++ b/queue-4.16/ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch 
@@ -0,0 +1,151 @@ +From f59fb9e05109b836230813e45f71c9ecc2d5dbe6 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Tue, 1 May 2018 05:35:36 -0700 +Subject: IB/hfi1: Fix handling of FECN marked multicast packet + +From: Mike Marciniszyn + +commit f59fb9e05109b836230813e45f71c9ecc2d5dbe6 upstream. + +The code for handling a marked UD packet unconditionally returns the +dlid in the header of the FECN marked packet. This is not correct +for multicast packets where the DLID is in the multicast range. + +The subsequent attempt to send the CNP with the multicast lid will +cause the chip to halt the ack send context because the source +lid doesn't match the chip programming. The send context will +be halted and flush any other pending packets in the pio ring causing +the CNP to not be sent. + +A part of investigating the fix, it was determined that the 16B work +broke the FECN routine badly with inconsistent use of 16 bit and 32 bits +types for lids and pkeys. Since the port's source lid was correctly 32 +bits the type mixmatches need to be dealt with at the same time as +fixing the CNP header issue. + +Fix these issues by: +- Using the ports lid for as the SLID for responding to FECN marked UD + packets +- Insure pkey is always 16 bit in this and subordinate routines +- Insure lids are 32 bits in this and subordinate routines + +Cc: # 4.14.x +Fixes: 88733e3b8450 ("IB/hfi1: Add 16B UD support") +Reviewed-by: Don Hiatt +Reviewed-by: Michael J. 
Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/driver.c | 19 +++++++++++++++---- + drivers/infiniband/hw/hfi1/hfi.h | 8 ++++---- + drivers/infiniband/hw/hfi1/ud.c | 4 ++-- + 3 files changed, 21 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/driver.c ++++ b/drivers/infiniband/hw/hfi1/driver.c +@@ -432,31 +432,43 @@ void hfi1_process_ecn_slowpath(struct rv + bool do_cnp) + { + struct hfi1_ibport *ibp = to_iport(qp->ibqp.device, qp->port_num); ++ struct hfi1_pportdata *ppd = ppd_from_ibp(ibp); + struct ib_other_headers *ohdr = pkt->ohdr; + struct ib_grh *grh = pkt->grh; + u32 rqpn = 0, bth1; +- u16 pkey, rlid, dlid = ib_get_dlid(pkt->hdr); ++ u16 pkey; ++ u32 rlid, slid, dlid = 0; + u8 hdr_type, sc, svc_type; + bool is_mcast = false; + ++ /* can be called from prescan */ + if (pkt->etype == RHF_RCV_TYPE_BYPASS) { + is_mcast = hfi1_is_16B_mcast(dlid); + pkey = hfi1_16B_get_pkey(pkt->hdr); + sc = hfi1_16B_get_sc(pkt->hdr); ++ dlid = hfi1_16B_get_dlid(pkt->hdr); ++ slid = hfi1_16B_get_slid(pkt->hdr); + hdr_type = HFI1_PKT_TYPE_16B; + } else { + is_mcast = (dlid > be16_to_cpu(IB_MULTICAST_LID_BASE)) && + (dlid != be16_to_cpu(IB_LID_PERMISSIVE)); + pkey = ib_bth_get_pkey(ohdr); + sc = hfi1_9B_get_sc5(pkt->hdr, pkt->rhf); ++ dlid = ib_get_dlid(pkt->hdr); ++ slid = ib_get_slid(pkt->hdr); + hdr_type = HFI1_PKT_TYPE_9B; + } + + switch (qp->ibqp.qp_type) { ++ case IB_QPT_UD: ++ dlid = ppd->lid; ++ rlid = slid; ++ rqpn = ib_get_sqpn(pkt->ohdr); ++ svc_type = IB_CC_SVCTYPE_UD; ++ break; + case IB_QPT_SMI: + case IB_QPT_GSI: +- case IB_QPT_UD: +- rlid = ib_get_slid(pkt->hdr); ++ rlid = slid; + rqpn = ib_get_sqpn(pkt->ohdr); + svc_type = IB_CC_SVCTYPE_UD; + break; +@@ -481,7 +493,6 @@ void hfi1_process_ecn_slowpath(struct rv + dlid, rlid, sc, grh); + + if (!is_mcast && (bth1 & IB_BECN_SMASK)) { +- struct hfi1_pportdata *ppd = 
ppd_from_ibp(ibp); + u32 lqpn = bth1 & RVT_QPN_MASK; + u8 sl = ibp->sc_to_sl[sc]; + +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1538,13 +1538,13 @@ void set_link_ipg(struct hfi1_pportdata + void process_becn(struct hfi1_pportdata *ppd, u8 sl, u32 rlid, u32 lqpn, + u32 rqpn, u8 svc_type); + void return_cnp(struct hfi1_ibport *ibp, struct rvt_qp *qp, u32 remote_qpn, +- u32 pkey, u32 slid, u32 dlid, u8 sc5, ++ u16 pkey, u32 slid, u32 dlid, u8 sc5, + const struct ib_grh *old_grh); + void return_cnp_16B(struct hfi1_ibport *ibp, struct rvt_qp *qp, +- u32 remote_qpn, u32 pkey, u32 slid, u32 dlid, ++ u32 remote_qpn, u16 pkey, u32 slid, u32 dlid, + u8 sc5, const struct ib_grh *old_grh); + typedef void (*hfi1_handle_cnp)(struct hfi1_ibport *ibp, struct rvt_qp *qp, +- u32 remote_qpn, u32 pkey, u32 slid, u32 dlid, ++ u32 remote_qpn, u16 pkey, u32 slid, u32 dlid, + u8 sc5, const struct ib_grh *old_grh); + + #define PKEY_CHECK_INVALID -1 +@@ -2438,7 +2438,7 @@ static inline void hfi1_make_16b_hdr(str + ((slid >> OPA_16B_SLID_SHIFT) << OPA_16B_SLID_HIGH_SHIFT); + lrh2 = (lrh2 & ~OPA_16B_DLID_MASK) | + ((dlid >> OPA_16B_DLID_SHIFT) << OPA_16B_DLID_HIGH_SHIFT); +- lrh2 = (lrh2 & ~OPA_16B_PKEY_MASK) | (pkey << OPA_16B_PKEY_SHIFT); ++ lrh2 = (lrh2 & ~OPA_16B_PKEY_MASK) | ((u32)pkey << OPA_16B_PKEY_SHIFT); + lrh2 = (lrh2 & ~OPA_16B_L4_MASK) | l4; + + hdr->lrh[0] = lrh0; +--- a/drivers/infiniband/hw/hfi1/ud.c ++++ b/drivers/infiniband/hw/hfi1/ud.c +@@ -628,7 +628,7 @@ int hfi1_lookup_pkey_idx(struct hfi1_ibp + } + + void return_cnp_16B(struct hfi1_ibport *ibp, struct rvt_qp *qp, +- u32 remote_qpn, u32 pkey, u32 slid, u32 dlid, ++ u32 remote_qpn, u16 pkey, u32 slid, u32 dlid, + u8 sc5, const struct ib_grh *old_grh) + { + u64 pbc, pbc_flags = 0; +@@ -687,7 +687,7 @@ void return_cnp_16B(struct hfi1_ibport * + } + + void return_cnp(struct hfi1_ibport *ibp, struct rvt_qp *qp, u32 remote_qpn, +- u32 pkey, u32 slid, u32 dlid, u8 sc5, ++ u16 pkey, u32 
slid, u32 dlid, u8 sc5, + const struct ib_grh *old_grh) + { + u64 pbc, pbc_flags = 0; diff --git a/queue-4.16/ib-hfi1-fix-loss-of-becn-with-ahg.patch b/queue-4.16/ib-hfi1-fix-loss-of-becn-with-ahg.patch new file mode 100644 index 00000000000..eadb121eeec --- /dev/null +++ b/queue-4.16/ib-hfi1-fix-loss-of-becn-with-ahg.patch 
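Review bot: In hfi1_process_ecn_slowpath() `is_mcast` is now computed while `dlid` still holds its initializer: the declaration became `u32 rlid, slid, dlid = 0;`, and in both branches the `is_mcast = ...` line comes before the new `dlid = hfi1_16B_get_dlid(pkt->hdr);` / `dlid = ib_get_dlid(pkt->hdr);` assignment. With `dlid == 0` the multicast test looks like it can never be true, so the `!is_mcast` guard in front of the BECN handling no longer filters multicast packets. Move the `dlid`/`slid` assignments to the top of each branch, e.g. `dlid = hfi1_16B_get_dlid(pkt->hdr);` immediately before `is_mcast = hfi1_is_16B_mcast(dlid);`, and likewise for the 9B branch. Dropping the `= 0` initializer afterwards would let the compiler warn if the ordering regresses.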
@@ -0,0 +1,125 @@ +From 0a0bcb046b2f0c15b89f8c1b08ad3de601a83c66 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Tue, 1 May 2018 05:35:51 -0700 +Subject: IB/hfi1: Fix loss of BECN with AHG + +From: Mike Marciniszyn + +commit 0a0bcb046b2f0c15b89f8c1b08ad3de601a83c66 upstream. + +AHG may be armed to use the stored header, which by design is limited +to edits in the PSN/A 32 bit word (bth2). + +When the code is trying to send a BECN, the use of the stored header +will lose the BECN bit. + +Fix by avoiding AHG when getting ready to send a BECN. This is +accomplished by always claiming the packet is not a middle packet which +is an AHG precursor. BECNs are not a normal case and this should not +hurt AHG optimizations. + +Cc: # 4.14.x +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/ruc.c | 50 +++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/ruc.c ++++ b/drivers/infiniband/hw/hfi1/ruc.c +@@ -733,6 +733,20 @@ static inline void hfi1_make_ruc_bth(str + ohdr->bth[2] = cpu_to_be32(bth2); + } + ++/** ++ * hfi1_make_ruc_header_16B - build a 16B header ++ * @qp: the queue pair ++ * @ohdr: a pointer to the destination header memory ++ * @bth0: bth0 passed in from the RC/UC builder ++ * @bth2: bth2 passed in from the RC/UC builder ++ * @middle: non zero implies indicates ahg "could" be used ++ * @ps: the current packet state ++ * ++ * This routine may disarm ahg under these situations: ++ * - packet needs a GRH ++ * - BECN needed ++ * - migration state not IB_MIG_MIGRATED ++ */ + static inline void hfi1_make_ruc_header_16B(struct rvt_qp *qp, + struct ib_other_headers *ohdr, + u32 bth0, u32 bth2, int middle, +@@ -777,6 +791,12 @@ static inline void hfi1_make_ruc_header_ + else + middle = 0; + ++ if (qp->s_flags & RVT_S_ECN) { ++ qp->s_flags &= 
~RVT_S_ECN; ++ /* we recently received a FECN, so return a BECN */ ++ becn = true; ++ middle = 0; ++ } + if (middle) + build_ahg(qp, bth2); + else +@@ -784,11 +804,6 @@ static inline void hfi1_make_ruc_header_ + + bth0 |= pkey; + bth0 |= extra_bytes << 20; +- if (qp->s_flags & RVT_S_ECN) { +- qp->s_flags &= ~RVT_S_ECN; +- /* we recently received a FECN, so return a BECN */ +- becn = true; +- } + hfi1_make_ruc_bth(qp, ohdr, bth0, bth1, bth2); + + if (!ppd->lid) +@@ -806,6 +821,20 @@ static inline void hfi1_make_ruc_header_ + pkey, becn, 0, l4, priv->s_sc); + } + ++/** ++ * hfi1_make_ruc_header_9B - build a 9B header ++ * @qp: the queue pair ++ * @ohdr: a pointer to the destination header memory ++ * @bth0: bth0 passed in from the RC/UC builder ++ * @bth2: bth2 passed in from the RC/UC builder ++ * @middle: non zero implies indicates ahg "could" be used ++ * @ps: the current packet state ++ * ++ * This routine may disarm ahg under these situations: ++ * - packet needs a GRH ++ * - BECN needed ++ * - migration state not IB_MIG_MIGRATED ++ */ + static inline void hfi1_make_ruc_header_9B(struct rvt_qp *qp, + struct ib_other_headers *ohdr, + u32 bth0, u32 bth2, int middle, +@@ -839,6 +868,12 @@ static inline void hfi1_make_ruc_header_ + else + middle = 0; + ++ if (qp->s_flags & RVT_S_ECN) { ++ qp->s_flags &= ~RVT_S_ECN; ++ /* we recently received a FECN, so return a BECN */ ++ bth1 |= (IB_BECN_MASK << IB_BECN_SHIFT); ++ middle = 0; ++ } + if (middle) + build_ahg(qp, bth2); + else +@@ -846,11 +881,6 @@ static inline void hfi1_make_ruc_header_ + + bth0 |= pkey; + bth0 |= extra_bytes << 20; +- if (qp->s_flags & RVT_S_ECN) { +- qp->s_flags &= ~RVT_S_ECN; +- /* we recently received a FECN, so return a BECN */ +- bth1 |= (IB_BECN_MASK << IB_BECN_SHIFT); +- } + hfi1_make_ruc_bth(qp, ohdr, bth0, bth1, bth2); + hfi1_make_ib_hdr(&ps->s_txreq->phdr.hdr.ibh, + lrh0, 
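Review bot: The kernel-doc added for hfi1_make_ruc_header_16B() and hfi1_make_ruc_header_9B() describes `@middle` as "non zero implies indicates ahg "could" be used", which has a doubled verb, and it does not mention that the routine clears `RVT_S_ECN` in `qp->s_flags` as a side effect. Suggested wording: `@middle: non-zero if AHG could be used for this packet`, plus a sentence in the body such as `Clears RVT_S_ECN in qp->s_flags when a BECN is returned.` Of the three listed disarm conditions, only the BECN one is visible in these hunks, so the GRH and migration-state bullets should be checked against the rest of each function. The same text applies to both doc blocks.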
diff --git a/queue-4.16/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch b/queue-4.16/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch new file mode 100644 index 00000000000..624b0c9a230 --- /dev/null +++ b/queue-4.16/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch 
@@ -0,0 +1,79 @@ +From 45d924571a5e1329580811f2419da61b07ac3613 Mon Sep 17 00:00:00 2001 +From: Sebastian Sanchez +Date: Tue, 1 May 2018 05:35:58 -0700 +Subject: IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used + +From: Sebastian Sanchez + +commit 45d924571a5e1329580811f2419da61b07ac3613 upstream. + +When an invalid num_vls is used as a module parameter, the code +execution follows an exception path where the macro dd_dev_err() +expects dd->pcidev->dev not to be NULL in hfi1_init_dd(). This +causes a NULL pointer dereference. + +Fix hfi1_init_dd() by initializing dd->pcidev and dd->pcidev->dev +earlier in the code. If a dd exists, then dd->pcidev and +dd->pcidev->dev always exists. + +BUG: unable to handle kernel NULL pointer dereference +at 00000000000000f0 +IP: __dev_printk+0x15/0x90 +Workqueue: events work_for_cpu_fn +RIP: 0010:__dev_printk+0x15/0x90 +Call Trace: + dev_err+0x6c/0x90 + ? hfi1_init_pportdata+0x38d/0x3f0 [hfi1] + hfi1_init_dd+0xdd/0x2530 [hfi1] + ? pci_conf1_read+0xb2/0xf0 + ? pci_read_config_word.part.9+0x64/0x80 + ? pci_conf1_write+0xb0/0xf0 + ? pcie_capability_clear_and_set_word+0x57/0x80 + init_one+0x141/0x490 [hfi1] + local_pci_probe+0x3f/0xa0 + work_for_cpu_fn+0x10/0x20 + process_one_work+0x152/0x350 + worker_thread+0x1cf/0x3e0 + kthread+0xf5/0x130 + ? max_active_store+0x80/0x80 + ? kthread_bind+0x10/0x10 + ? do_syscall_64+0x6e/0x1a0 + ? SyS_exit_group+0x10/0x10 + ret_from_fork+0x35/0x40 + +Cc: # 4.9.x +Reviewed-by: Mike Marciniszyn +Reviewed-by: Michael J. 
Ruhl +Signed-off-by: Sebastian Sanchez +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/init.c | 2 ++ + drivers/infiniband/hw/hfi1/pcie.c | 3 --- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1265,6 +1265,8 @@ struct hfi1_devdata *hfi1_alloc_devdata( + return ERR_PTR(-ENOMEM); + dd->num_pports = nports; + dd->pport = (struct hfi1_pportdata *)(dd + 1); ++ dd->pcidev = pdev; ++ pci_set_drvdata(pdev, dd); + + INIT_LIST_HEAD(&dd->list); + idr_preload(GFP_KERNEL); +--- a/drivers/infiniband/hw/hfi1/pcie.c ++++ b/drivers/infiniband/hw/hfi1/pcie.c +@@ -163,9 +163,6 @@ int hfi1_pcie_ddinit(struct hfi1_devdata + resource_size_t addr; + int ret = 0; + +- dd->pcidev = pdev; +- pci_set_drvdata(pdev, dd); +- + addr = pci_resource_start(pdev, 0); + len = pci_resource_len(pdev, 0); + diff --git a/queue-4.16/infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch b/queue-4.16/infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch new file mode 100644 index 00000000000..d58601dd4aa --- /dev/null +++ b/queue-4.16/infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch 
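Review bot: `pci_set_drvdata(pdev, dd);` now runs in hfi1_alloc_devdata() before the remaining setup steps (`idr_preload(GFP_KERNEL)` and whatever follows outside the hunk), so if a later step fails and `dd` is released, the PCI device keeps a pointer to it unless the error path or the driver core clears it. The failure path is not visible here; confirm it, and consider adding `pci_set_drvdata(pdev, NULL);` there so no stale pointer is left behind. A one-line comment at the new assignment, for example `/* set early: dd_dev_err() dereferences dd->pcidev */`, would stop a later cleanup from moving it back into hfi1_pcie_ddinit().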
@@ -0,0 +1,44 @@ +From b3fe6c62bc66868c45b5bb16050e6bcb333af337 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 16 Apr 2018 18:51:50 -0700 +Subject: infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m + +From: Randy Dunlap + +commit b3fe6c62bc66868c45b5bb16050e6bcb333af337 upstream. + +Fix build errors when INFINIBAND_USER_ACCESS=m and MLX5_INFINIBAND=y. +The build error occurs when the mlx5 driver code attempts to use +USER_ACCESS interfaces, which are built as a loadable module. + +Fixes these build errors: + +drivers/infiniband/hw/mlx5/main.o: In function `populate_specs_root': +../drivers/infiniband/hw/mlx5/main.c:4982: undefined reference to `uverbs_default_get_objects' +../drivers/infiniband/hw/mlx5/main.c:4994: undefined reference to `uverbs_alloc_spec_tree' +drivers/infiniband/hw/mlx5/main.o: In function `depopulate_specs_root': +../drivers/infiniband/hw/mlx5/main.c:5001: undefined reference to `uverbs_free_spec_tree' + +Build-tested with multiple config combinations. + +Fixes: 8c84660bb437 ("IB/mlx5: Initialize the parsing tree root without the help of uverbs") +Cc: stable@vger.kernel.org # reported against 4.16 +Reported-by: kbuild test robot +Signed-off-by: Randy Dunlap +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx5/Kconfig ++++ b/drivers/infiniband/hw/mlx5/Kconfig +@@ -1,6 +1,7 @@ + config MLX5_INFINIBAND + tristate "Mellanox Connect-IB HCA support" + depends on NETDEVICES && ETHERNET && PCI && MLX5_CORE ++ depends on INFINIBAND_USER_ACCESS || INFINIBAND_USER_ACCESS=n + ---help--- + This driver provides low-level InfiniBand support for + Mellanox Connect-IB PCI Express host channel adapters (HCAs). diff --git a/queue-4.16/iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch b/queue-4.16/iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch new file mode 100644 index 00000000000..80c82957aff --- /dev/null 
+++ b/queue-4.16/iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch 
@@ -0,0 +1,88 @@ +From 2df19e19ae90d94fd8724083f161f368a2797537 Mon Sep 17 00:00:00 2001 +From: Bharat Potnuri +Date: Fri, 27 Apr 2018 16:41:16 +0530 +Subject: iw_cxgb4: Atomically flush per QP HW CQEs + +From: Bharat Potnuri + +commit 2df19e19ae90d94fd8724083f161f368a2797537 upstream. + +When a CQ is shared by multiple QPs, c4iw_flush_hw_cq() needs to acquire +corresponding QP lock before moving the CQEs into its corresponding SW +queue and accessing the SQ contents for completing a WR. +Ignore CQEs if corresponding QP is already flushed. + +Cc: stable@vger.kernel.org +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/cxgb4/cq.c | 11 ++++++++++- + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +- + drivers/infiniband/hw/cxgb4/qp.c | 4 ++-- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -315,7 +315,7 @@ static void advance_oldest_read(struct t + * Deal with out-of-order and/or completions that complete + * prior unsignalled WRs. 
+ */ +-void c4iw_flush_hw_cq(struct c4iw_cq *chp) ++void c4iw_flush_hw_cq(struct c4iw_cq *chp, struct c4iw_qp *flush_qhp) + { + struct t4_cqe *hw_cqe, *swcqe, read_cqe; + struct c4iw_qp *qhp; +@@ -339,6 +339,13 @@ void c4iw_flush_hw_cq(struct c4iw_cq *ch + if (qhp == NULL) + goto next_cqe; + ++ if (flush_qhp != qhp) { ++ spin_lock(&qhp->lock); ++ ++ if (qhp->wq.flushed == 1) ++ goto next_cqe; ++ } ++ + if (CQE_OPCODE(hw_cqe) == FW_RI_TERMINATE) + goto next_cqe; + +@@ -390,6 +397,8 @@ void c4iw_flush_hw_cq(struct c4iw_cq *ch + next_cqe: + t4_hwcq_consume(&chp->cq); + ret = t4_next_hw_cqe(&chp->cq, &hw_cqe); ++ if (qhp && flush_qhp != qhp) ++ spin_unlock(&qhp->lock); + } + } + +--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h ++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +@@ -1053,7 +1053,7 @@ u32 c4iw_pblpool_alloc(struct c4iw_rdev + void c4iw_pblpool_free(struct c4iw_rdev *rdev, u32 addr, int size); + u32 c4iw_ocqp_pool_alloc(struct c4iw_rdev *rdev, int size); + void c4iw_ocqp_pool_free(struct c4iw_rdev *rdev, u32 addr, int size); +-void c4iw_flush_hw_cq(struct c4iw_cq *chp); ++void c4iw_flush_hw_cq(struct c4iw_cq *chp, struct c4iw_qp *flush_qhp); + void c4iw_count_rcqes(struct t4_cq *cq, struct t4_wq *wq, int *count); + int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp); + int c4iw_flush_rq(struct t4_wq *wq, struct t4_cq *cq, int count); +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -1343,12 +1343,12 @@ static void __flush_qp(struct c4iw_qp *q + qhp->wq.flushed = 1; + t4_set_wq_in_error(&qhp->wq); + +- c4iw_flush_hw_cq(rchp); ++ c4iw_flush_hw_cq(rchp, qhp); + c4iw_count_rcqes(&rchp->cq, &qhp->wq, &count); + rq_flushed = c4iw_flush_rq(&qhp->wq, &rchp->cq, count); + + if (schp != rchp) +- c4iw_flush_hw_cq(schp); ++ c4iw_flush_hw_cq(schp, qhp); + sq_flushed = c4iw_flush_sq(qhp); + + spin_unlock(&qhp->lock); diff --git a/queue-4.16/series b/queue-4.16/series index ce4bcfe084f..ff44f4b24cf 100644 --- a/queue-4.16/series 
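Review bot: In c4iw_flush_hw_cq() the new `spin_lock(&qhp->lock);` is taken while the caller, __flush_qp(), still holds the lock of `flush_qhp` (the `spin_unlock(&qhp->lock);` after the two calls in qp.c shows this), so two locks of the same class are nested with no stated order. If two QPs that share CQs can be flushed concurrently this could be an ABBA deadlock, and lockdep is likely to flag the nesting; whether an outer CQ lock serialises the callers is not visible in these hunks. Document the ordering rule in a comment above the lock, and if the caller does guarantee it, annotate with `spin_lock_nested(&qhp->lock, SINGLE_DEPTH_NESTING);`. The `goto next_cqe` exits also depend on the `if (qhp && flush_qhp != qhp)` unlock at the label, which deserves a comment because a new `goto` placed before the lock is taken would unlock a lock that is not held.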
+++ b/queue-4.16/series @@ -22,3 +22,13 @@ rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch rdma-mlx5-protect-from-shift-operand-overflow.patch net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch +infiniband-mlx5-fix-build-errors-when-infiniband_user_access-m.patch +ib-hfi1-fix-handling-of-fecn-marked-multicast-packet.patch +ib-hfi1-fix-loss-of-becn-with-ahg.patch +ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch +iw_cxgb4-atomically-flush-per-qp-hw-cqes.patch +btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch +drm-vc4-make-sure-vc4_bo_-inc-dec-_usecnt-calls-are-balanced.patch +drm-vmwgfx-fix-a-buffer-object-leak.patch +drm-bridge-vga-dac-fix-edid-memory-leak.patch +test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch diff --git a/queue-4.16/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch b/queue-4.16/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch new file mode 100644 index 00000000000..9837b77ee54 --- /dev/null +++ b/queue-4.16/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch 
@@ -0,0 +1,44 @@ +From e538409257d0217a9bc715686100a5328db75a15 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Wed, 4 Apr 2018 22:38:49 +0200 +Subject: test_firmware: fix setting old custom fw path back on exit, second try + +From: Ben Hutchings + +commit e538409257d0217a9bc715686100a5328db75a15 upstream. + +Commit 65c79230576 tried to clear the custom firmware path on exit by +writing a single space to the firmware_class.path parameter. This +doesn't work because nothing strips this space from the value stored +and fw_get_filesystem_firmware() only ignores zero-length paths. + +Instead, write a null byte. + +Fixes: 0a8adf58475 ("test: add firmware_class loader test") +Fixes: 65c79230576 ("test_firmware: fix setting old custom fw path back on exit") +Signed-off-by: Ben Hutchings +Acked-by: Luis R. Rodriguez +Cc: stable +Signed-off-by: Greg Kroah-Hartman + + +--- + tools/testing/selftests/firmware/fw_filesystem.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/firmware/fw_filesystem.sh ++++ b/tools/testing/selftests/firmware/fw_filesystem.sh +@@ -46,9 +46,11 @@ test_finish() + echo "$OLD_TIMEOUT" >/sys/class/firmware/timeout + fi + if [ "$OLD_FWPATH" = "" ]; then +- OLD_FWPATH=" " ++ # A zero-length write won't work; write a null byte ++ printf '\000' >/sys/module/firmware_class/parameters/path ++ else ++ echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + fi +- echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + rm -f "$FW" + rmdir "$FWPATH" + } -- 2.47.3