From 65cc60c8825801827dab05cdd93ab379476a860b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 8 Oct 2018 17:40:59 +0200 Subject: [PATCH] 4.18-stable patches added patches: arch-hexagon-fix-kernel-dma.c-build-warning.patch arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch cifs-read-overflow-in-is_valid_oplock_break.patch dm-raid-fix-raid-leg-rebuild-errors.patch dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch dm-raid-fix-reshape-race-on-small-devices.patch dm-raid-fix-stripe-adding-reshape-deadlock.patch dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch drm-nouveau-disp-fix-dp-disable-race.patch drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch drm-nouveau-fix-oops-in-client-init-failure-path.patch drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch fs-cifs-suppress-a-string-overflow-warning.patch hexagon-modify-ffs-and-fls-to-return-int.patch hid-add-support-for-apple-magic-keyboards.patch hid-hid-saitek-add-device-id-for-rat-7-contagion.patch hid-i2c-hid-don-t-reset-device-upon-system-resume.patch hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch net-ena-fix-device-destruction-to-gracefully-free-resources.patch net-ena-fix-driver-when-page_size-64kb.patch net-ena-fix-missing-calls-to-read_once.patch net-ena-fix-missing-lock-during-device-destruction.patch net-ena-fix-potential-double-ena_destroy_device.patch net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch net-mlx5-consider-pci-domain-in-search-for-next-dev.patch netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch netfilter-nf_tables-release-chain-in-flushing-set.patch netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch netfilter-xt_checksum-ignore-gso-skbs.patch netfilter-xt_cluster-add-dependency-on-conntrack-module.patch netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch perf-annotate-properly-interpret-indirect-call.patch perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch perf-util-fix-bad-memory-access-in-trace-info.patch perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch rdma-ucma-check-fd-type-in-ucma_migrate_id.patch revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch riscv-do-not-overwrite-initrd_start-and-initrd_end.patch s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch s390-qeth-use-vzalloc-for-query-oat-buffer.patch sched-topology-set-correct-numa-topology-type.patch scsi-iscsi-target-fix-conn_ops-double-free.patch scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch usb-yurex-check-for-truncation-in-yurex_read.patch x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch xen-avoid-crash-in-disable_hotplug_cpu.patch xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch --- ...xagon-fix-kernel-dma.c-build-warning.patch | 40 ++ ...atile_goto-macro-instead-of-asm-goto.patch | 44 ++ ...ig_generic_iomap-config_indirect_pio.patch | 47 ++ ...that-could-lead-to-iommu-call-traces.patch | 47 ++ ...ad-overflow-in-is_valid_oplock_break.patch | 41 ++ .../dm-raid-fix-raid-leg-rebuild-errors.patch | 193 ++++++++ ...cific-devices-by-updating-superblock.patch | 36 ++ ...id-fix-reshape-race-on-small-devices.patch | 141 ++++++ ...d-fix-stripe-adding-reshape-deadlock.patch | 57 +++ ...-to-avoid-ever-aborting-transactions.patch | 260 ++++++++++ ...ndling-in-amdgpu_cs_user_fence_chunk.patch | 65 +++ ...-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch | 56 +++ ...drm-nouveau-disp-fix-dp-disable-race.patch | 108 +++++ ...d-sor-assignment-for-lvds-edp-panels.patch | 111 +++++ ...fix-oops-in-client-init-failure-path.patch | 74 +++ ...e-vmm-without-valid-instance-pointer.patch | 29 ++ ...hen-pmu-pre_os-is-missing-from-vbios.patch | 33 ++ ...s-suppress-a-string-overflow-warning.patch | 48 ++ ...gon-modify-ffs-and-fls-to-return-int.patch | 56 +++ ...dd-support-for-apple-magic-keyboards.patch | 76 +++ ...ek-add-device-id-for-rat-7-contagion.patch | 39 ++ ...on-t-reset-device-upon-system-resume.patch | 85 ++++ ...id-enable-sunrise-point-h-ish-driver.patch | 41 ++ ...o-thinkpad-helix-2-sensor-hub-report.patch | 69 +++ ...count-ts-samples-in-wm-configuration.patch | 59 +++ ...ruction-to-gracefully-free-resources.patch | 86 ++++ ...t-ena-fix-driver-when-page_size-64kb.patch | 86 ++++ ...t-ena-fix-missing-calls-to-read_once.patch | 51 ++ ...ssing-lock-during-device-destruction.patch | 57 +++ ...-potential-double-ena_destroy_device.patch | 49 ++ ...unplug-null-dereference-kernel-crash.patch | 39 ++ ...er-pci-domain-in-search-for-next-dev.patch | 49 ++ ...epend-on-config_nf_conntrack_timeout.patch | 448 ++++++++++++++++++ ...d-expression-depend-on-nftables-core.patch | 63 +++ ...tables-release-chain-in-flushing-set.patch | 78 +++ ...fqueue-conntrack-clash-for-nf_repeat.patch | 33 ++ ...etfilter-xt_checksum-ignore-gso-skbs.patch | 114 +++++ ...r-add-dependency-on-conntrack-module.patch | 63 +++ ...imit-use-s-file-instead-of-s-private.patch | 108 +++++ ...e-bogus-dereference-under-heavy-load.patch | 94 ++++ ...ch-instructions-after-objdump-update.patch | 139 ++++++ ...ate-properly-interpret-indirect-call.patch | 98 ++++ ...r-dereference-in-perf_evsel__new_idx.patch | 40 ++ ...s-symbols-irrespective-of-endianness.patch | 55 +++ ...-fix-bad-memory-access-in-trace-info.patch | 37 ++ ...spredict-bit-on-knights-landing-cpus.patch | 72 +++ ...level-interrupts-to-prevent-latching.patch | 93 ++++ ...-when-clearing-rtl_flag_task_enabled.patch | 69 +++ ...-tx-rx-is-enabled-just-like-rxconfig.patch | 55 +++ ...cma-check-fd-type-in-ucma_migrate_id.patch | 55 +++ ...maxim_thermocouple-add-max31856-part.patch | 35 ++ ...verwrite-initrd_start-and-initrd_end.patch | 43 ++ ...t-dump-past-end-of-unknown-hw-header.patch | 45 ++ ...eth-use-vzalloc-for-query-oat-buffer.patch | 55 +++ ...ology-set-correct-numa-topology-type.patch | 66 +++ ...scsi-target-fix-conn_ops-double-free.patch | 281 +++++++++++ ...en-iscsi_login_set_conn_values-fails.patch | 105 ++++ ...-the-crc-size-within-iscsi-nvm-image.patch | 117 +++++ queue-4.18/series | 65 +++ ...10-udc-fix-memory-leak-of-fotg210-ep.patch | 87 ++++ ...over-parent-nodes-for-finding-quirks.patch | 75 +++ ...x-check-for-truncation-in-yurex_read.patch | 37 ++ ...-warning-when-proc_fs-is-not-enabled.patch | 44 ++ ...n-avoid-crash-in-disable_hotplug_cpu.patch | 83 ++++ ...uplicate-evtchn_row-evtchn_col-usage.patch | 34 ++ ...an-empty-value-in-control-sysrq-node.patch | 46 ++ 66 files changed, 5204 insertions(+) create mode 100644 queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch create mode 100644 queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch create mode 100644 queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch create mode 100644 queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch create mode 100644 queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch create mode 100644 queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch create mode 100644 queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch create mode 100644 queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch create mode 100644 queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch create mode 100644 queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch create mode 100644 queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch create mode 100644 queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch create mode 100644 queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch create mode 100644 queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch create mode 100644 queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch create mode 100644 queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch create mode 100644 queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch create mode 100644 queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch create mode 100644 queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch create mode 100644 queue-4.18/hid-add-support-for-apple-magic-keyboards.patch create mode 100644 queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch create mode 100644 queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch create mode 100644 queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch create mode 100644 queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch create mode 100644 queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch create mode 100644 queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch create mode 100644 queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch create mode 100644 queue-4.18/net-ena-fix-missing-calls-to-read_once.patch create mode 100644 queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch create mode 100644 queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch create mode 100644 queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch create mode 100644 queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch create mode 100644 queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch create mode 100644 queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch create mode 100644 queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch create mode 100644 queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch create mode 100644 queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch create mode 100644 queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch create mode 100644 queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch create mode 100644 queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch create mode 100644 queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch create mode 100644 queue-4.18/perf-annotate-properly-interpret-indirect-call.patch create mode 100644 queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch create mode 100644 queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch create mode 100644 queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch create mode 100644 queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch create mode 100644 queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch create mode 100644 queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch create mode 100644 queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch create mode 100644 queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch create mode 100644 queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch create mode 100644 queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch create mode 100644 queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch create mode 100644 queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch create mode 100644 queue-4.18/sched-topology-set-correct-numa-topology-type.patch create mode 100644 queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch create mode 100644 queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch create mode 100644 queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch create mode 100644 queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch create mode 100644 queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch create mode 100644 queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch create mode 100644 queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch create mode 100644 queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch create mode 100644 queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch create mode 100644 queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch diff --git a/queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch b/queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch new file mode 100644 index 00000000000..d314adef5da --- /dev/null +++ b/queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Randy Dunlap +Date: Fri, 20 Jul 2018 20:17:35 -0700 +Subject: arch/hexagon: fix kernel/dma.c build warning + +From: Randy Dunlap + +[ Upstream commit 200f351e27f014fcbf69b544b0b4b72aeaf45fd3 ] + +Fix build warning in arch/hexagon/kernel/dma.c by casting a void * +to unsigned long to match the function parameter type. + +../arch/hexagon/kernel/dma.c: In function 'arch_dma_alloc': +../arch/hexagon/kernel/dma.c:51:5: warning: passing argument 2 of 'gen_pool_add' makes integer from pointer without a cast [enabled by default] +../include/linux/genalloc.h:112:19: note: expected 'long unsigned int' but argument is of type 'void *' + +Signed-off-by: Randy Dunlap +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Patch-mainline: linux-kernel @ 07/20/2018, 20:17 +[rkuo@codeaurora.org: fixed architecture name] +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/kernel/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/hexagon/kernel/dma.c ++++ b/arch/hexagon/kernel/dma.c +@@ -60,7 +60,7 @@ static void *hexagon_dma_alloc_coherent( + panic("Can't create %s() memory pool!", __func__); + else + gen_pool_add(coherent_pool, +- pfn_to_virt(max_low_pfn), ++ (unsigned long)pfn_to_virt(max_low_pfn), + hexagon_coherent_pool_size, -1); + } + diff --git a/queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch b/queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch new file mode 100644 index 00000000000..593a30c3158 --- /dev/null +++ b/queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Miguel Ojeda +Date: Sun, 9 Sep 2018 17:47:31 +0200 +Subject: arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" + +From: Miguel Ojeda + +[ Upstream commit 13aceef06adfaf93d52e01e28a8bc8a0ad471d83 ] + +All other uses of "asm goto" go through asm_volatile_goto, which avoids +a miscompile when using GCC < 4.8.2. Replace our open-coded "asm goto" +statements with the asm_volatile_goto macro to avoid issues with older +toolchains. + +Cc: Catalin Marinas +Reviewed-by: Nick Desaulniers +Signed-off-by: Miguel Ojeda +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/jump_label.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/jump_label.h ++++ b/arch/arm64/include/asm/jump_label.h +@@ -28,7 +28,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key, bool branch) + { +- asm goto("1: nop\n\t" ++ asm_volatile_goto("1: nop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + ".align 3\n\t" + ".quad 1b, %l[l_yes], %c0\n\t" +@@ -42,7 +42,7 @@ l_yes: + + static __always_inline bool arch_static_branch_jump(struct static_key *key, bool branch) + { +- asm goto("1: b %l[l_yes]\n\t" ++ asm_volatile_goto("1: b %l[l_yes]\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + ".align 3\n\t" + ".quad 1b, %l[l_yes], %c0\n\t" diff --git a/queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch b/queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch new file mode 100644 index 00000000000..34025d866c9 --- /dev/null +++ b/queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Andrew Murray +Date: Thu, 13 Sep 2018 13:48:27 +0100 +Subject: asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP && CONFIG_INDIRECT_PIO + +From: Andrew Murray + +[ Upstream commit 500dd232449e7c07500e713dc6970aa713f8e4f1 ] + +The !CONFIG_GENERIC_IOMAP version of ioport_map uses MMIO_UPPER_LIMIT to +prevent users from making I/O accesses outside the expected I/O range - +however it erroneously treats MMIO_UPPER_LIMIT as a mask which is +contradictory to its other users. + +The introduction of CONFIG_INDIRECT_PIO, which subtracts an arbitrary +amount from IO_SPACE_LIMIT to form MMIO_UPPER_LIMIT, results in ioport_map +mangling the given port rather than capping it. + +We address this by aligning more closely with the CONFIG_GENERIC_IOMAP +implementation of ioport_map by using the comparison operator and +returning NULL where the port exceeds MMIO_UPPER_LIMIT. Though note that +we preserve the existing behavior of masking with IO_SPACE_LIMIT such that +we don't break existing buggy drivers that somehow rely on this masking. + +Fixes: 5745392e0c2b ("PCI: Apply the new generic I/O management on PCI IO hosts") +Reported-by: Will Deacon +Reviewed-by: Arnd Bergmann +Signed-off-by: Andrew Murray +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/io.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/asm-generic/io.h ++++ b/include/asm-generic/io.h +@@ -1026,7 +1026,8 @@ static inline void __iomem *ioremap_wt(p + #define ioport_map ioport_map + static inline void __iomem *ioport_map(unsigned long port, unsigned int nr) + { +- return PCI_IOBASE + (port & MMIO_UPPER_LIMIT); ++ port &= IO_SPACE_LIMIT; ++ return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port; + } + #endif + diff --git a/queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch b/queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch new file mode 100644 index 00000000000..90838f02e02 --- /dev/null +++ b/queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Somnath Kotur +Date: Wed, 5 Sep 2018 13:20:34 +0530 +Subject: bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces + +From: Somnath Kotur + +[ Upstream commit f40f299bbe806a2e2c8b0d7cdda822fa3bdd171b ] + +1. DMA-able memory allocated for Shadow QP was not being freed. +2. bnxt_qplib_alloc_qp_hdr_buf() had a bug wherein the SQ pointer was + erroneously pointing to the RQ. But since the corresponding + free_qp_hdr_buf() was correct, memory being free was less than what was + allocated. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Somnath Kotur +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 ++ + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -844,6 +844,8 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_ + "Failed to destroy Shadow QP"); + return rc; + } ++ bnxt_qplib_free_qp_res(&rdev->qplib_res, ++ &rdev->qp1_sqp->qplib_qp); + mutex_lock(&rdev->qp_lock); + list_del(&rdev->qp1_sqp->list); + atomic_dec(&rdev->qp_count); +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -196,7 +196,7 @@ static int bnxt_qplib_alloc_qp_hdr_buf(s + struct bnxt_qplib_qp *qp) + { + struct bnxt_qplib_q *rq = &qp->rq; +- struct bnxt_qplib_q *sq = &qp->rq; ++ struct bnxt_qplib_q *sq = &qp->sq; + int rc = 0; + + if (qp->sq_hdr_buf_size && sq->hwq.max_elements) { diff --git a/queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch b/queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch new file mode 100644 index 00000000000..4f8865ffa9b --- /dev/null +++ b/queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Dan Carpenter +Date: Thu, 6 Sep 2018 12:47:01 +0300 +Subject: cifs: read overflow in is_valid_oplock_break() + +From: Dan Carpenter + +[ Upstream commit 097f5863b1a0c9901f180bbd56ae7d630655faaa ] + +We need to verify that the "data_offset" is within bounds. + +Reported-by: Dr Silvio Cesare of InfoSect +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/misc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -404,9 +404,17 @@ is_valid_oplock_break(char *buffer, stru + (struct smb_com_transaction_change_notify_rsp *)buf; + struct file_notify_information *pnotify; + __u32 data_offset = 0; ++ size_t len = srv->total_read - sizeof(pSMBr->hdr.smb_buf_length); ++ + if (get_bcc(buf) > sizeof(struct file_notify_information)) { + data_offset = le32_to_cpu(pSMBr->DataOffset); + ++ if (data_offset > ++ len - sizeof(struct file_notify_information)) { ++ cifs_dbg(FYI, "invalid data_offset %u\n", ++ data_offset); ++ return true; ++ } + pnotify = (struct file_notify_information *) + ((char *)&pSMBr->hdr.Protocol + data_offset); + cifs_dbg(FYI, "dnotify on %s Action: 0x%x\n", diff --git a/queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch b/queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch new file mode 100644 index 00000000000..b261c136348 --- /dev/null +++ b/queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch @@ -0,0 +1,193 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Heinz Mauelshagen +Date: Thu, 6 Sep 2018 22:54:29 +0200 +Subject: dm raid: fix RAID leg rebuild errors + +From: Heinz Mauelshagen + +[ Upstream commit 36a240a706d43383bbdd377522501ddd2e5771f6 ] + +On fast devices such as NVMe, a flaw in rs_get_progress() results in +false target status output when userspace lvm2 requests leg rebuilds +(symptom of the failure is device health chars 'aaaaaaaa' instead of +expected 'aAaAAAAA' causing lvm2 to fail). + +The correct sync action state definitions already exist in +decipher_sync_action() so fix rs_get_progress() to use it. + +Change decipher_sync_action() to return an enum rather than a string for +the sync states and call it from rs_get_progress(). Introduce +sync_str() to translate from enum to the string that is needed by +raid_status(). + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 80 +++++++++++++++++++++++++++++---------------------- + 1 file changed, 46 insertions(+), 34 deletions(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3332,32 +3332,53 @@ static int raid_map(struct dm_target *ti + return DM_MAPIO_SUBMITTED; + } + +-/* Return string describing the current sync action of @mddev */ +-static const char *decipher_sync_action(struct mddev *mddev, unsigned long recovery) ++/* Return sync state string for @state */ ++enum sync_state { st_frozen, st_reshape, st_resync, st_check, st_repair, st_recover, st_idle }; ++static const char *sync_str(enum sync_state state) ++{ ++ /* Has to be in above sync_state order! */ ++ static const char *sync_strs[] = { ++ "frozen", ++ "reshape", ++ "resync", ++ "check", ++ "repair", ++ "recover", ++ "idle" ++ }; ++ ++ return __within_range(state, 0, ARRAY_SIZE(sync_strs) - 1) ? sync_strs[state] : "undef"; ++}; ++ ++/* Return enum sync_state for @mddev derived from @recovery flags */ ++static const enum sync_state decipher_sync_action(struct mddev *mddev, unsigned long recovery) + { + if (test_bit(MD_RECOVERY_FROZEN, &recovery)) +- return "frozen"; ++ return st_frozen; + +- /* The MD sync thread can be done with io but still be running */ ++ /* The MD sync thread can be done with io or be interrupted but still be running */ + if (!test_bit(MD_RECOVERY_DONE, &recovery) && + (test_bit(MD_RECOVERY_RUNNING, &recovery) || + (!mddev->ro && test_bit(MD_RECOVERY_NEEDED, &recovery)))) { + if (test_bit(MD_RECOVERY_RESHAPE, &recovery)) +- return "reshape"; ++ return st_reshape; + + if (test_bit(MD_RECOVERY_SYNC, &recovery)) { + if (!test_bit(MD_RECOVERY_REQUESTED, &recovery)) +- return "resync"; +- else if (test_bit(MD_RECOVERY_CHECK, &recovery)) +- return "check"; +- return "repair"; ++ return st_resync; ++ if (test_bit(MD_RECOVERY_CHECK, &recovery)) ++ return st_check; ++ return st_repair; + } + + if (test_bit(MD_RECOVERY_RECOVER, &recovery)) +- return "recover"; ++ return st_recover; ++ ++ if (mddev->reshape_position != MaxSector) ++ return st_reshape; + } + +- return "idle"; ++ return st_idle; + } + + /* +@@ -3391,6 +3412,7 @@ static sector_t rs_get_progress(struct r + sector_t resync_max_sectors) + { + sector_t r; ++ enum sync_state state; + struct mddev *mddev = &rs->md; + + clear_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags); +@@ -3401,20 +3423,14 @@ static sector_t rs_get_progress(struct r + set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags); + + } else { +- if (!test_bit(__CTR_FLAG_NOSYNC, &rs->ctr_flags) && +- !test_bit(MD_RECOVERY_INTR, &recovery) && +- (test_bit(MD_RECOVERY_NEEDED, &recovery) || +- test_bit(MD_RECOVERY_RESHAPE, &recovery) || +- test_bit(MD_RECOVERY_RUNNING, &recovery))) +- r = mddev->curr_resync_completed; +- else ++ state = decipher_sync_action(mddev, recovery); ++ ++ if (state == st_idle && !test_bit(MD_RECOVERY_INTR, &recovery)) + r = mddev->recovery_cp; ++ else ++ r = mddev->curr_resync_completed; + +- if (r >= resync_max_sectors && +- (!test_bit(MD_RECOVERY_REQUESTED, &recovery) || +- (!test_bit(MD_RECOVERY_FROZEN, &recovery) && +- !test_bit(MD_RECOVERY_NEEDED, &recovery) && +- !test_bit(MD_RECOVERY_RUNNING, &recovery)))) { ++ if (state == st_idle && r >= resync_max_sectors) { + /* + * Sync complete. + */ +@@ -3422,24 +3438,20 @@ static sector_t rs_get_progress(struct r + if (test_bit(MD_RECOVERY_RECOVER, &recovery)) + set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags); + +- } else if (test_bit(MD_RECOVERY_RECOVER, &recovery)) { ++ } else if (state == st_recover) + /* + * In case we are recovering, the array is not in sync + * and health chars should show the recovering legs. + */ + ; +- +- } else if (test_bit(MD_RECOVERY_SYNC, &recovery) && +- !test_bit(MD_RECOVERY_REQUESTED, &recovery)) { ++ else if (state == st_resync) + /* + * If "resync" is occurring, the raid set + * is or may be out of sync hence the health + * characters shall be 'a'. + */ + set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags); +- +- } else if (test_bit(MD_RECOVERY_RESHAPE, &recovery) && +- !test_bit(MD_RECOVERY_REQUESTED, &recovery)) { ++ else if (state == st_reshape) + /* + * If "reshape" is occurring, the raid set + * is or may be out of sync hence the health +@@ -3447,7 +3459,7 @@ static sector_t rs_get_progress(struct r + */ + set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags); + +- } else if (test_bit(MD_RECOVERY_REQUESTED, &recovery)) { ++ else if (state == st_check || state == st_repair) + /* + * If "check" or "repair" is occurring, the raid set has + * undergone an initial sync and the health characters +@@ -3455,12 +3467,12 @@ static sector_t rs_get_progress(struct r + */ + set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags); + +- } else { ++ else { + struct md_rdev *rdev; + + /* + * We are idle and recovery is needed, prevent 'A' chars race +- * caused by components still set to in-sync by constrcuctor. ++ * caused by components still set to in-sync by constructor. + */ + if (test_bit(MD_RECOVERY_NEEDED, &recovery)) + set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags); +@@ -3524,7 +3536,7 @@ static void raid_status(struct dm_target + progress = rs_get_progress(rs, recovery, resync_max_sectors); + resync_mismatches = (mddev->last_sync_action && !strcasecmp(mddev->last_sync_action, "check")) ? + atomic64_read(&mddev->resync_mismatches) : 0; +- sync_action = decipher_sync_action(&rs->md, recovery); ++ sync_action = sync_str(decipher_sync_action(&rs->md, recovery)); + + /* HM FIXME: do we want another state char for raid0? It shows 'D'/'A'/'-' now */ + for (i = 0; i < rs->raid_disks; i++) diff --git a/queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch b/queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch new file mode 100644 index 00000000000..cb9901c119e --- /dev/null +++ b/queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Heinz Mauelshagen +Date: Thu, 6 Sep 2018 18:33:40 +0200 +Subject: dm raid: fix rebuild of specific devices by updating superblock + +From: Heinz Mauelshagen + +[ Upstream commit c44a5ee803d2b7ed8c2e6ce24a5c4dd60778886e ] + +Update superblock when particular devices are requested via rebuild +(e.g. lvconvert --replace ...) to avoid spurious failure with the "New +device injected into existing raid set without 'delta_disks' or +'rebuild' parameter specified" error message. + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3126,6 +3126,11 @@ static int raid_ctr(struct dm_target *ti + set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags); + rs_set_new(rs); + } else if (rs_is_recovering(rs)) { ++ /* Rebuild particular devices */ ++ if (test_bit(__CTR_FLAG_REBUILD, &rs->ctr_flags)) { ++ set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags); ++ rs_setup_recovery(rs, MaxSector); ++ } + /* A recovering raid set may be resized */ + ; /* skip setup rs */ + } else if (rs_is_reshaping(rs)) { diff --git a/queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch b/queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch new file mode 100644 index 00000000000..78ee7cb556c --- /dev/null +++ b/queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch @@ -0,0 +1,141 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Heinz Mauelshagen +Date: Thu, 6 Sep 2018 18:33:38 +0200 +Subject: dm raid: fix reshape race on small devices + +From: Heinz Mauelshagen + +[ Upstream commit 38b0bd0cda07d34ad6f145fce675ead74739c44e ] + +Loading a new mapping table, the dm-raid target's constructor +retrieves the volatile reshaping state from the raid superblocks. + +When the new table is activated in a following resume, the actual +reshape position is retrieved. The reshape driven by the previous +mapping can already have finished on small and/or fast devices thus +updating raid superblocks about the new raid layout. + +This causes the actual array state (e.g. stripe size reshape finished) +to be inconsistent with the one in the new mapping, causing hangs with +left behind devices. + +This race does not occur with usual raid device sizes but with small +ones (e.g. those created by the lvm2 test suite). + +Fix by no longer transferring stale/inconsistent raid_set state during +preresume. + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 48 +----------------------------------------------- + 1 file changed, 1 insertion(+), 47 deletions(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -29,9 +29,6 @@ + */ + #define MIN_RAID456_JOURNAL_SPACE (4*2048) + +-/* Global list of all raid sets */ +-static LIST_HEAD(raid_sets); +- + static bool devices_handle_discard_safely = false; + + /* +@@ -227,7 +224,6 @@ struct rs_layout { + + struct raid_set { + struct dm_target *ti; +- struct list_head list; + + uint32_t stripe_cache_entries; + unsigned long ctr_flags; +@@ -273,19 +269,6 @@ static void rs_config_restore(struct rai + mddev->new_chunk_sectors = l->new_chunk_sectors; + } + +-/* Find any raid_set in active slot for @rs on global list */ +-static struct raid_set *rs_find_active(struct raid_set *rs) +-{ +- struct raid_set *r; +- struct mapped_device *md = dm_table_get_md(rs->ti->table); +- +- list_for_each_entry(r, &raid_sets, list) +- if (r != rs && dm_table_get_md(r->ti->table) == md) +- return r; +- +- return NULL; +-} +- + /* raid10 algorithms (i.e. formats) */ + #define ALGORITHM_RAID10_DEFAULT 0 + #define ALGORITHM_RAID10_NEAR 1 +@@ -764,7 +747,6 @@ static struct raid_set *raid_set_alloc(s + + mddev_init(&rs->md); + +- INIT_LIST_HEAD(&rs->list); + rs->raid_disks = raid_devs; + rs->delta_disks = 0; + +@@ -782,9 +764,6 @@ static struct raid_set *raid_set_alloc(s + for (i = 0; i < raid_devs; i++) + md_rdev_init(&rs->dev[i].rdev); + +- /* Add @rs to global list. */ +- list_add(&rs->list, &raid_sets); +- + /* + * Remaining items to be initialized by further RAID params: + * rs->md.persistent +@@ -797,7 +776,7 @@ static struct raid_set *raid_set_alloc(s + return rs; + } + +-/* Free all @rs allocations and remove it from global list. */ ++/* Free all @rs allocations */ + static void raid_set_free(struct raid_set *rs) + { + int i; +@@ -815,8 +794,6 @@ static void raid_set_free(struct raid_se + dm_put_device(rs->ti, rs->dev[i].data_dev); + } + +- list_del(&rs->list); +- + kfree(rs); + } + +@@ -3947,29 +3924,6 @@ static int raid_preresume(struct dm_targ + if (test_and_set_bit(RT_FLAG_RS_PRERESUMED, &rs->runtime_flags)) + return 0; + +- if (!test_bit(__CTR_FLAG_REBUILD, &rs->ctr_flags)) { +- struct raid_set *rs_active = rs_find_active(rs); +- +- if (rs_active) { +- /* +- * In case no rebuilds have been requested +- * and an active table slot exists, copy +- * current resynchonization completed and +- * reshape position pointers across from +- * suspended raid set in the active slot. +- * +- * This resumes the new mapping at current +- * offsets to continue recover/reshape without +- * necessarily redoing a raid set partially or +- * causing data corruption in case of a reshape. +- */ +- if (rs_active->md.curr_resync_completed != MaxSector) +- mddev->curr_resync_completed = rs_active->md.curr_resync_completed; +- if (rs_active->md.reshape_position != MaxSector) +- mddev->reshape_position = rs_active->md.reshape_position; +- } +- } +- + /* + * The superblocks need to be updated on disk if the + * array is new or new devices got added (thus zeroed diff --git a/queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch b/queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch new file mode 100644 index 00000000000..6d747c8bb9e --- /dev/null +++ b/queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Heinz Mauelshagen +Date: Thu, 6 Sep 2018 18:33:39 +0200 +Subject: dm raid: fix stripe adding reshape deadlock + +From: Heinz Mauelshagen + +[ Upstream commit 644e2537fdc77baeeefc829524937bca64329f82 ] + +When initiating a stripe adding reshape, a deadlock between +md_stop_writes() waiting for the sync thread to stop and the running +sync thread waiting for inactive stripes occurs (this frequently happens +on single-core but rarely on multi-core systems). + +Fix this deadlock by setting MD_RECOVERY_WAIT to have the main MD +resynchronization thread worker (md_do_sync()) bail out when initiating +the reshape via constructor arguments. + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3869,14 +3869,13 @@ static int rs_start_reshape(struct raid_ + struct mddev *mddev = &rs->md; + struct md_personality *pers = mddev->pers; + ++ /* Don't allow the sync thread to work until the table gets reloaded. */ ++ set_bit(MD_RECOVERY_WAIT, &mddev->recovery); ++ + r = rs_setup_reshape(rs); + if (r) + return r; + +- /* Need to be resumed to be able to start reshape, recovery is frozen until raid_resume() though */ +- if (test_and_clear_bit(RT_FLAG_RS_SUSPENDED, &rs->runtime_flags)) +- mddev_resume(mddev); +- + /* + * Check any reshape constraints enforced by the personalility + * +@@ -3900,10 +3899,6 @@ static int rs_start_reshape(struct raid_ + } + } + +- /* Suspend because a resume will happen in raid_resume() */ +- set_bit(RT_FLAG_RS_SUSPENDED, &rs->runtime_flags); +- mddev_suspend(mddev); +- + /* + * Now reshape got set up, update superblocks to + * reflect the fact so that a table reload will diff --git a/queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch b/queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch new file mode 100644 index 00000000000..e25767ce5ba --- /dev/null +++ b/queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch @@ -0,0 +1,260 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Joe Thornber +Date: Mon, 10 Sep 2018 16:50:09 +0100 +Subject: dm thin metadata: try to avoid ever aborting transactions + +From: Joe Thornber + +[ Upstream commit 3ab91828166895600efd9cdc3a0eb32001f7204a ] + +Committing a transaction can consume some metadata of it's own, we now +reserve a small amount of metadata to cover this. Free metadata +reported by the kernel will not include this reserve. + +If any of the reserve has been used after a commit we enter a new +internal state PM_OUT_OF_METADATA_SPACE. This is reported as +PM_READ_ONLY, so no userland changes are needed. If the metadata +device is resized the pool will move back to PM_WRITE. + +These changes mean we never need to abort and rollback a transaction due +to running out of metadata space. This is particularly important +because there have been a handful of reports of data corruption against +DM thin-provisioning that can all be attributed to the thin-pool having +ran out of metadata space. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin-metadata.c | 36 ++++++++++++++++++++ + drivers/md/dm-thin.c | 73 +++++++++++++++++++++++++++++++++++++----- + 2 files changed, 100 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -189,6 +189,12 @@ struct dm_pool_metadata { + sector_t data_block_size; + + /* ++ * We reserve a section of the metadata for commit overhead. ++ * All reported space does *not* include this. ++ */ ++ dm_block_t metadata_reserve; ++ ++ /* + * Set if a transaction has to be aborted but the attempt to roll back + * to the previous (good) transaction failed. The only pool metadata + * operation possible in this state is the closing of the device. +@@ -816,6 +822,22 @@ static int __commit_transaction(struct d + return dm_tm_commit(pmd->tm, sblock); + } + ++static void __set_metadata_reserve(struct dm_pool_metadata *pmd) ++{ ++ int r; ++ dm_block_t total; ++ dm_block_t max_blocks = 4096; /* 16M */ ++ ++ r = dm_sm_get_nr_blocks(pmd->metadata_sm, &total); ++ if (r) { ++ DMERR("could not get size of metadata device"); ++ pmd->metadata_reserve = max_blocks; ++ } else { ++ sector_div(total, 10); ++ pmd->metadata_reserve = min(max_blocks, total); ++ } ++} ++ + struct dm_pool_metadata *dm_pool_metadata_open(struct block_device *bdev, + sector_t data_block_size, + bool format_device) +@@ -849,6 +871,8 @@ struct dm_pool_metadata *dm_pool_metadat + return ERR_PTR(r); + } + ++ __set_metadata_reserve(pmd); ++ + return pmd; + } + +@@ -1820,6 +1844,13 @@ int dm_pool_get_free_metadata_block_coun + down_read(&pmd->root_lock); + if (!pmd->fail_io) + r = dm_sm_get_nr_free(pmd->metadata_sm, result); ++ ++ if (!r) { ++ if (*result < pmd->metadata_reserve) ++ *result = 0; ++ else ++ *result -= pmd->metadata_reserve; ++ } + up_read(&pmd->root_lock); + + return r; +@@ -1932,8 +1963,11 @@ int dm_pool_resize_metadata_dev(struct d + int r = -EINVAL; + + down_write(&pmd->root_lock); +- if (!pmd->fail_io) ++ if (!pmd->fail_io) { + r = __resize_space_map(pmd->metadata_sm, new_count); ++ if (!r) ++ __set_metadata_reserve(pmd); ++ } + up_write(&pmd->root_lock); + + return r; +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -200,7 +200,13 @@ struct dm_thin_new_mapping; + enum pool_mode { + PM_WRITE, /* metadata may be changed */ + PM_OUT_OF_DATA_SPACE, /* metadata may be changed, though data may not be allocated */ ++ ++ /* ++ * Like READ_ONLY, except may switch back to WRITE on metadata resize. Reported as READ_ONLY. ++ */ ++ PM_OUT_OF_METADATA_SPACE, + PM_READ_ONLY, /* metadata may not be changed */ ++ + PM_FAIL, /* all I/O fails */ + }; + +@@ -1388,7 +1394,35 @@ static void set_pool_mode(struct pool *p + + static void requeue_bios(struct pool *pool); + +-static void check_for_space(struct pool *pool) ++static bool is_read_only_pool_mode(enum pool_mode mode) ++{ ++ return (mode == PM_OUT_OF_METADATA_SPACE || mode == PM_READ_ONLY); ++} ++ ++static bool is_read_only(struct pool *pool) ++{ ++ return is_read_only_pool_mode(get_pool_mode(pool)); ++} ++ ++static void check_for_metadata_space(struct pool *pool) ++{ ++ int r; ++ const char *ooms_reason = NULL; ++ dm_block_t nr_free; ++ ++ r = dm_pool_get_free_metadata_block_count(pool->pmd, &nr_free); ++ if (r) ++ ooms_reason = "Could not get free metadata blocks"; ++ else if (!nr_free) ++ ooms_reason = "No free metadata blocks"; ++ ++ if (ooms_reason && !is_read_only(pool)) { ++ DMERR("%s", ooms_reason); ++ set_pool_mode(pool, PM_OUT_OF_METADATA_SPACE); ++ } ++} ++ ++static void check_for_data_space(struct pool *pool) + { + int r; + dm_block_t nr_free; +@@ -1414,14 +1448,16 @@ static int commit(struct pool *pool) + { + int r; + +- if (get_pool_mode(pool) >= PM_READ_ONLY) ++ if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE) + return -EINVAL; + + r = dm_pool_commit_metadata(pool->pmd); + if (r) + metadata_operation_failed(pool, "dm_pool_commit_metadata", r); +- else +- check_for_space(pool); ++ else { ++ check_for_metadata_space(pool); ++ check_for_data_space(pool); ++ } + + return r; + } +@@ -1487,6 +1523,19 @@ static int alloc_data_block(struct thin_ + return r; + } + ++ r = dm_pool_get_free_metadata_block_count(pool->pmd, &free_blocks); ++ if (r) { ++ metadata_operation_failed(pool, "dm_pool_get_free_metadata_block_count", r); ++ return r; ++ } ++ ++ if (!free_blocks) { ++ /* Let's commit before we use up the metadata reserve. */ ++ r = commit(pool); ++ if (r) ++ return r; ++ } ++ + return 0; + } + +@@ -1518,6 +1567,7 @@ static blk_status_t should_error_unservi + case PM_OUT_OF_DATA_SPACE: + return pool->pf.error_if_no_space ? BLK_STS_NOSPC : 0; + ++ case PM_OUT_OF_METADATA_SPACE: + case PM_READ_ONLY: + case PM_FAIL: + return BLK_STS_IOERR; +@@ -2481,8 +2531,9 @@ static void set_pool_mode(struct pool *p + error_retry_list(pool); + break; + ++ case PM_OUT_OF_METADATA_SPACE: + case PM_READ_ONLY: +- if (old_mode != new_mode) ++ if (!is_read_only_pool_mode(old_mode)) + notify_of_pool_mode_change(pool, "read-only"); + dm_pool_metadata_read_only(pool->pmd); + pool->process_bio = process_bio_read_only; +@@ -3420,6 +3471,10 @@ static int maybe_resize_metadata_dev(str + DMINFO("%s: growing the metadata device from %llu to %llu blocks", + dm_device_name(pool->pool_md), + sb_metadata_dev_size, metadata_dev_size); ++ ++ if (get_pool_mode(pool) == PM_OUT_OF_METADATA_SPACE) ++ set_pool_mode(pool, PM_WRITE); ++ + r = dm_pool_resize_metadata_dev(pool->pmd, metadata_dev_size); + if (r) { + metadata_operation_failed(pool, "dm_pool_resize_metadata_dev", r); +@@ -3724,7 +3779,7 @@ static int pool_message(struct dm_target + struct pool_c *pt = ti->private; + struct pool *pool = pt->pool; + +- if (get_pool_mode(pool) >= PM_READ_ONLY) { ++ if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE) { + DMERR("%s: unable to service pool target messages in READ_ONLY or FAIL mode", + dm_device_name(pool->pool_md)); + return -EOPNOTSUPP; +@@ -3798,6 +3853,7 @@ static void pool_status(struct dm_target + dm_block_t nr_blocks_data; + dm_block_t nr_blocks_metadata; + dm_block_t held_root; ++ enum pool_mode mode; + char buf[BDEVNAME_SIZE]; + char buf2[BDEVNAME_SIZE]; + struct pool_c *pt = ti->private; +@@ -3868,9 +3924,10 @@ static void pool_status(struct dm_target + else + DMEMIT("- "); + +- if (pool->pf.mode == PM_OUT_OF_DATA_SPACE) ++ mode = get_pool_mode(pool); ++ if (mode == PM_OUT_OF_DATA_SPACE) + DMEMIT("out_of_data_space "); +- else if (pool->pf.mode == PM_READ_ONLY) ++ else if (is_read_only_pool_mode(mode)) + DMEMIT("ro "); + else + DMEMIT("rw "); diff --git a/queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch b/queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch new file mode 100644 index 00000000000..65747675d85 --- /dev/null +++ b/queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch @@ -0,0 +1,65 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: "Christian König" +Date: Mon, 10 Sep 2018 15:52:55 +0200 +Subject: drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk + +From: "Christian König" + +[ Upstream commit 0165de983272d1fae0809ed9db47c46a412279bc ] + +Slowly leaking memory one page at a time :) + +Signed-off-by: Christian König +Reviewed-by: Andrey Grodzovsky +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -38,6 +38,7 @@ static int amdgpu_cs_user_fence_chunk(st + { + struct drm_gem_object *gobj; + unsigned long size; ++ int r; + + gobj = drm_gem_object_lookup(p->filp, data->handle); + if (gobj == NULL) +@@ -49,20 +50,26 @@ static int amdgpu_cs_user_fence_chunk(st + p->uf_entry.tv.shared = true; + p->uf_entry.user_pages = NULL; + +- size = amdgpu_bo_size(p->uf_entry.robj); +- if (size != PAGE_SIZE || (data->offset + 8) > size) +- return -EINVAL; +- +- *offset = data->offset; +- + drm_gem_object_put_unlocked(gobj); + ++ size = amdgpu_bo_size(p->uf_entry.robj); ++ if (size != PAGE_SIZE || (data->offset + 8) > size) { ++ r = -EINVAL; ++ goto error_unref; ++ } ++ + if (amdgpu_ttm_tt_get_usermm(p->uf_entry.robj->tbo.ttm)) { +- amdgpu_bo_unref(&p->uf_entry.robj); +- return -EINVAL; ++ r = -EINVAL; ++ goto error_unref; + } + ++ *offset = data->offset; ++ + return 0; ++ ++error_unref: ++ amdgpu_bo_unref(&p->uf_entry.robj); ++ return r; + } + + static int amdgpu_cs_parser_init(struct amdgpu_cs_parser *p, void *data) diff --git a/queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch b/queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch new file mode 100644 index 00000000000..87eae8730c0 --- /dev/null +++ b/queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Tao Zhou +Date: Fri, 7 Sep 2018 13:50:31 +0800 +Subject: drm/amdgpu: Fix SDMA hang in prt mode v2 + +From: Tao Zhou + +[ Upstream commit 68ebc13ea40656fddd3803735d621921a2d74a5e ] + +Fix SDMA hang in prt mode, clear XNACK_WATERMARK in reg SDMA0_UTCL1_WATERMK to avoid the issue + +Affected ASICs: VEGA10 VEGA12 RV1 RV2 + +v2: add reg clear for SDMA1 + +Signed-off-by: Tao Zhou +Tested-by: Yukun Li +Reviewed-by: Hawking Zhang +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -67,6 +67,7 @@ static const struct soc15_reg_golden gol + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_IB_CNTL, 0x800f0100, 0x00000100), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0), ++ SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_WATERMK, 0xfc000000, 0x00000000), + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_CHICKEN_BITS, 0xfe931f07, 0x02831f07), + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_CLK_CTRL, 0xffffffff, 0x3f000100), + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_GFX_IB_CNTL, 0x800f0100, 0x00000100), +@@ -78,7 +79,8 @@ static const struct soc15_reg_golden gol + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC0_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000), + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC1_IB_CNTL, 0x800f0100, 0x00000100), + SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC1_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000), +- SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_PAGE, 0x000003ff, 0x000003c0) ++ SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_PAGE, 0x000003ff, 0x000003c0), ++ SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_WATERMK, 0xfc000000, 0x00000000) + }; + + static const struct soc15_reg_golden golden_settings_sdma_vg10[] = { +@@ -106,7 +108,8 @@ static const struct soc15_reg_golden gol + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC0_RB_WPTR_POLL_CNTL, 0xfffffff7, 0x00403000), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_IB_CNTL, 0x800f0111, 0x00000100), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_RB_WPTR_POLL_CNTL, 0xfffffff7, 0x00403000), +- SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0) ++ SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0), ++ SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_WATERMK, 0xfc000000, 0x00000000) + }; + + static const struct soc15_reg_golden golden_settings_sdma_4_2[] = diff --git a/queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch b/queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch new file mode 100644 index 00000000000..b7a10625888 --- /dev/null +++ b/queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch @@ -0,0 +1,108 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Skeggs +Date: Tue, 4 Sep 2018 15:57:09 +1000 +Subject: drm/nouveau/disp: fix DP disable race + +From: Ben Skeggs + +[ Upstream commit e04cfdc9b7398c60dbc70212415ea63b6c6a93ae ] + +If a HPD pulse signalling the need to retrain the link occurs between +the KMS driver releasing the output and the supervisor interrupt that +finishes the teardown, it was possible get a NULL-ptr deref. + +Avoid this by marking the link as inactive earlier. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c | 17 ++++++++++++----- + drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c | 6 +++--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c | 2 ++ + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h | 3 ++- + 4 files changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c +@@ -412,14 +412,10 @@ nvkm_dp_train(struct nvkm_dp *dp, u32 da + } + + static void +-nvkm_dp_release(struct nvkm_outp *outp, struct nvkm_ior *ior) ++nvkm_dp_disable(struct nvkm_outp *outp, struct nvkm_ior *ior) + { + struct nvkm_dp *dp = nvkm_dp(outp); + +- /* Prevent link from being retrained if sink sends an IRQ. */ +- atomic_set(&dp->lt.done, 0); +- ior->dp.nr = 0; +- + /* Execute DisableLT script from DP Info Table. */ + nvbios_init(&ior->disp->engine.subdev, dp->info.script[4], + init.outp = &dp->outp.info; +@@ -428,6 +424,16 @@ nvkm_dp_release(struct nvkm_outp *outp, + ); + } + ++static void ++nvkm_dp_release(struct nvkm_outp *outp) ++{ ++ struct nvkm_dp *dp = nvkm_dp(outp); ++ ++ /* Prevent link from being retrained if sink sends an IRQ. */ ++ atomic_set(&dp->lt.done, 0); ++ dp->outp.ior->dp.nr = 0; ++} ++ + static int + nvkm_dp_acquire(struct nvkm_outp *outp) + { +@@ -576,6 +582,7 @@ nvkm_dp_func = { + .fini = nvkm_dp_fini, + .acquire = nvkm_dp_acquire, + .release = nvkm_dp_release, ++ .disable = nvkm_dp_disable, + }; + + static int +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c +@@ -501,11 +501,11 @@ nv50_disp_super_2_0(struct nv50_disp *di + nv50_disp_super_ied_off(head, ior, 2); + + /* If we're shutting down the OR's only active head, execute +- * the output path's release function. ++ * the output path's disable function. + */ + if (ior->arm.head == (1 << head->id)) { +- if ((outp = ior->arm.outp) && outp->func->release) +- outp->func->release(outp, ior); ++ if ((outp = ior->arm.outp) && outp->func->disable) ++ outp->func->disable(outp, ior); + } + } + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c +@@ -93,6 +93,8 @@ nvkm_outp_release(struct nvkm_outp *outp + if (ior) { + outp->acquired &= ~user; + if (!outp->acquired) { ++ if (outp->func->release && outp->ior) ++ outp->func->release(outp); + outp->ior->asy.outp = NULL; + outp->ior = NULL; + } +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h +@@ -41,7 +41,8 @@ struct nvkm_outp_func { + void (*init)(struct nvkm_outp *); + void (*fini)(struct nvkm_outp *); + int (*acquire)(struct nvkm_outp *); +- void (*release)(struct nvkm_outp *, struct nvkm_ior *); ++ void (*release)(struct nvkm_outp *); ++ void (*disable)(struct nvkm_outp *, struct nvkm_ior *); + }; + + #define OUTP_MSG(o,l,f,a...) do { \ diff --git a/queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch b/queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch new file mode 100644 index 00000000000..9e9edd22bfc --- /dev/null +++ b/queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch @@ -0,0 +1,111 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Skeggs +Date: Tue, 4 Sep 2018 15:57:11 +1000 +Subject: drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels + +From: Ben Skeggs + +[ Upstream commit 53b0cc46f27cfc2cadca609b503a7d92b5185a47 ] + +Fixes eDP backlight issues on more recent laptops. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c | 14 ++++++++++++++ + drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c | 15 ++++++++++++--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h | 1 + + 4 files changed, 28 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c +@@ -275,6 +275,7 @@ nvkm_disp_oneinit(struct nvkm_engine *en + struct nvkm_outp *outp, *outt, *pair; + struct nvkm_conn *conn; + struct nvkm_head *head; ++ struct nvkm_ior *ior; + struct nvbios_connE connE; + struct dcb_output dcbE; + u8 hpd = 0, ver, hdr; +@@ -399,6 +400,19 @@ nvkm_disp_oneinit(struct nvkm_engine *en + return ret; + } + ++ /* Enforce identity-mapped SOR assignment for panels, which have ++ * certain bits (ie. backlight controls) wired to a specific SOR. ++ */ ++ list_for_each_entry(outp, &disp->outp, head) { ++ if (outp->conn->info.type == DCB_CONNECTOR_LVDS || ++ outp->conn->info.type == DCB_CONNECTOR_eDP) { ++ ior = nvkm_ior_find(disp, SOR, ffs(outp->info.or) - 1); ++ if (!WARN_ON(!ior)) ++ ior->identity = true; ++ outp->identity = true; ++ } ++ } ++ + i = 0; + list_for_each_entry(head, &disp->head, head) + i = max(i, head->id + 1); +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h +@@ -16,6 +16,7 @@ struct nvkm_ior { + char name[8]; + + struct list_head head; ++ bool identity; + + struct nvkm_ior_state { + struct nvkm_outp *outp; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c +@@ -129,17 +129,26 @@ nvkm_outp_acquire(struct nvkm_outp *outp + if (proto == UNKNOWN) + return -ENOSYS; + ++ /* Deal with panels requiring identity-mapped SOR assignment. */ ++ if (outp->identity) { ++ ior = nvkm_ior_find(outp->disp, SOR, ffs(outp->info.or) - 1); ++ if (WARN_ON(!ior)) ++ return -ENOSPC; ++ return nvkm_outp_acquire_ior(outp, user, ior); ++ } ++ + /* First preference is to reuse the OR that is currently armed + * on HW, if any, in order to prevent unnecessary switching. + */ + list_for_each_entry(ior, &outp->disp->ior, head) { +- if (!ior->asy.outp && ior->arm.outp == outp) ++ if (!ior->identity && !ior->asy.outp && ior->arm.outp == outp) + return nvkm_outp_acquire_ior(outp, user, ior); + } + + /* Failing that, a completely unused OR is the next best thing. */ + list_for_each_entry(ior, &outp->disp->ior, head) { +- if (!ior->asy.outp && ior->type == type && !ior->arm.outp && ++ if (!ior->identity && ++ !ior->asy.outp && ior->type == type && !ior->arm.outp && + (ior->func->route.set || ior->id == __ffs(outp->info.or))) + return nvkm_outp_acquire_ior(outp, user, ior); + } +@@ -148,7 +157,7 @@ nvkm_outp_acquire(struct nvkm_outp *outp + * but will be released during the next modeset. + */ + list_for_each_entry(ior, &outp->disp->ior, head) { +- if (!ior->asy.outp && ior->type == type && ++ if (!ior->identity && !ior->asy.outp && ior->type == type && + (ior->func->route.set || ior->id == __ffs(outp->info.or))) + return nvkm_outp_acquire_ior(outp, user, ior); + } +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h +@@ -17,6 +17,7 @@ struct nvkm_outp { + + struct list_head head; + struct nvkm_conn *conn; ++ bool identity; + + /* Assembly state. */ + #define NVKM_OUTP_PRIV 1 diff --git a/queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch b/queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch new file mode 100644 index 00000000000..13c859dba46 --- /dev/null +++ b/queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch @@ -0,0 +1,74 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Skeggs +Date: Tue, 28 Aug 2018 14:10:34 +1000 +Subject: drm/nouveau: fix oops in client init failure path + +From: Ben Skeggs + +[ Upstream commit a43b16dda2d7485f5c5aed075c1dc9785e339515 ] + +The NV_ERROR macro requires drm->client to be initialised, which it may not +be at this stage of the init process. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -230,7 +230,7 @@ nouveau_cli_init(struct nouveau_drm *drm + mutex_unlock(&drm->master.lock); + } + if (ret) { +- NV_ERROR(drm, "Client allocation failed: %d\n", ret); ++ NV_PRINTK(err, cli, "Client allocation failed: %d\n", ret); + goto done; + } + +@@ -240,37 +240,37 @@ nouveau_cli_init(struct nouveau_drm *drm + }, sizeof(struct nv_device_v0), + &cli->device); + if (ret) { +- NV_ERROR(drm, "Device allocation failed: %d\n", ret); ++ NV_PRINTK(err, cli, "Device allocation failed: %d\n", ret); + goto done; + } + + ret = nvif_mclass(&cli->device.object, mmus); + if (ret < 0) { +- NV_ERROR(drm, "No supported MMU class\n"); ++ NV_PRINTK(err, cli, "No supported MMU class\n"); + goto done; + } + + ret = nvif_mmu_init(&cli->device.object, mmus[ret].oclass, &cli->mmu); + if (ret) { +- NV_ERROR(drm, "MMU allocation failed: %d\n", ret); ++ NV_PRINTK(err, cli, "MMU allocation failed: %d\n", ret); + goto done; + } + + ret = nvif_mclass(&cli->mmu.object, vmms); + if (ret < 0) { +- NV_ERROR(drm, "No supported VMM class\n"); ++ NV_PRINTK(err, cli, "No supported VMM class\n"); + goto done; + } + + ret = nouveau_vmm_init(cli, vmms[ret].oclass, &cli->vmm); + if (ret) { +- NV_ERROR(drm, "VMM allocation failed: %d\n", ret); ++ NV_PRINTK(err, cli, "VMM allocation failed: %d\n", ret); + goto done; + } + + ret = nvif_mclass(&cli->mmu.object, mems); + if (ret < 0) { +- NV_ERROR(drm, "No supported MEM class\n"); ++ NV_PRINTK(err, cli, "No supported MEM class\n"); + goto done; + } + diff --git a/queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch b/queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch new file mode 100644 index 00000000000..e7cd6b6141a --- /dev/null +++ b/queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch @@ -0,0 +1,29 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Skeggs +Date: Tue, 28 Aug 2018 14:10:42 +1000 +Subject: drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer + +From: Ben Skeggs + +[ Upstream commit 51ed833c881b9d96557c773f6a37018d79e29a46 ] + +Fixes oopses in certain failure paths. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +@@ -1423,7 +1423,7 @@ nvkm_vmm_get(struct nvkm_vmm *vmm, u8 pa + void + nvkm_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst) + { +- if (vmm->func->part && inst) { ++ if (inst && vmm->func->part) { + mutex_lock(&vmm->mutex); + vmm->func->part(vmm, inst); + mutex_unlock(&vmm->mutex); diff --git a/queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch b/queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch new file mode 100644 index 00000000000..cf601198d2e --- /dev/null +++ b/queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Skeggs +Date: Tue, 4 Sep 2018 15:56:57 +1000 +Subject: drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS + +From: Ben Skeggs + +[ Upstream commit 0a6986c6595e9afd20ff7280dab36431c1e467f8 ] + +This Falcon application doesn't appear to be present on some newer +systems, so let's not fail init if we can't find it. + +TBD: is there a way to determine whether it *should* be there? + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c +@@ -158,7 +158,8 @@ gm200_devinit_post(struct nvkm_devinit * + } + + /* load and execute some other ucode image (bios therm?) */ +- return pmu_load(init, 0x01, post, NULL, NULL); ++ pmu_load(init, 0x01, post, NULL, NULL); ++ return 0; + } + + static const struct nvkm_devinit_func diff --git a/queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch b/queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch new file mode 100644 index 00000000000..7ebf814ee43 --- /dev/null +++ b/queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Stephen Rothwell +Date: Mon, 3 Sep 2018 13:15:58 +1000 +Subject: fs/cifs: suppress a string overflow warning + +From: Stephen Rothwell + +[ Upstream commit bcfb84a996f6fa90b5e6e2954b2accb7a4711097 ] + +A powerpc build of cifs with gcc v8.2.0 produces this warning: + +fs/cifs/cifssmb.c: In function ‘CIFSSMBNegotiate’: +fs/cifs/cifssmb.c:605:3: warning: ‘strncpy’ writing 16 bytes into a region of size 1 overflows the destination [-Wstringop-overflow=] + strncpy(pSMB->DialectsArray+count, protocols[i].name, 16); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Since we are already doing a strlen() on the source, change the strncpy +to a memcpy(). + +Signed-off-by: Stephen Rothwell +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -601,10 +601,15 @@ CIFSSMBNegotiate(const unsigned int xid, + } + + count = 0; ++ /* ++ * We know that all the name entries in the protocols array ++ * are short (< 16 bytes anyway) and are NUL terminated. ++ */ + for (i = 0; i < CIFS_NUM_PROT; i++) { +- strncpy(pSMB->DialectsArray+count, protocols[i].name, 16); +- count += strlen(protocols[i].name) + 1; +- /* null at end of source and target buffers anyway */ ++ size_t len = strlen(protocols[i].name) + 1; ++ ++ memcpy(pSMB->DialectsArray+count, protocols[i].name, len); ++ count += len; + } + inc_rfc1001_len(pSMB, count); + pSMB->ByteCount = cpu_to_le16(count); diff --git a/queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch b/queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch new file mode 100644 index 00000000000..268fea1bee7 --- /dev/null +++ b/queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Randy Dunlap +Date: Sun, 22 Jul 2018 16:03:58 -0700 +Subject: hexagon: modify ffs() and fls() to return int + +From: Randy Dunlap + +[ Upstream commit 5c41aaad409c097cf1ef74f2c649fed994744ef5 ] + +Building drivers/mtd/nand/raw/nandsim.c on arch/hexagon/ produces a +printk format build warning. This is due to hexagon's ffs() being +coded as returning long instead of int. + +Fix the printk format warning by changing all of hexagon's ffs() and +fls() functions to return int instead of long. The variables that +they return are already int instead of long. This return type +matches the return type in . + +../drivers/mtd/nand/raw/nandsim.c: In function 'init_nandsim': +../drivers/mtd/nand/raw/nandsim.c:760:2: warning: format '%u' expects argument of type 'unsigned int', but argument 2 has type 'long int' [-Wformat] + +There are no ffs() or fls() allmodconfig build errors after making this +change. + +Signed-off-by: Randy Dunlap +Cc: Richard Kuo +Cc: linux-hexagon@vger.kernel.org +Cc: Geert Uytterhoeven +Patch-mainline: linux-kernel @ 07/22/2018, 16:03 +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/include/asm/bitops.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/hexagon/include/asm/bitops.h ++++ b/arch/hexagon/include/asm/bitops.h +@@ -211,7 +211,7 @@ static inline long ffz(int x) + * This is defined the same way as ffs. + * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32. + */ +-static inline long fls(int x) ++static inline int fls(int x) + { + int r; + +@@ -232,7 +232,7 @@ static inline long fls(int x) + * the libc and compiler builtin ffs routines, therefore + * differs in spirit from the above ffz (man ffs). + */ +-static inline long ffs(int x) ++static inline int ffs(int x) + { + int r; + diff --git a/queue-4.18/hid-add-support-for-apple-magic-keyboards.patch b/queue-4.18/hid-add-support-for-apple-magic-keyboards.patch new file mode 100644 index 00000000000..584ed754f12 --- /dev/null +++ b/queue-4.18/hid-add-support-for-apple-magic-keyboards.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Sean O'Brien +Date: Mon, 27 Aug 2018 13:02:15 -0700 +Subject: HID: add support for Apple Magic Keyboards + +From: Sean O'Brien + +[ Upstream commit ee345492437043a79db058a3d4f029ebcb52089a ] + +USB device + Vendor 05ac (Apple) + Device 026c (Magic Keyboard with Numeric Keypad) + +Bluetooth devices + Vendor 004c (Apple) + Device 0267 (Magic Keyboard) + Device 026c (Magic Keyboard with Numeric Keypad) + +Support already exists for the Magic Keyboard over USB connection. +Add support for the Magic Keyboard over Bluetooth connection, and for +the Magic Keyboard with Numeric Keypad over Bluetooth and USB +connection. + +Signed-off-by: Sean O'Brien +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-apple.c | 9 ++++++++- + drivers/hid/hid-ids.h | 2 ++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -335,7 +335,8 @@ static int apple_input_mapping(struct hi + struct hid_field *field, struct hid_usage *usage, + unsigned long **bit, int *max) + { +- if (usage->hid == (HID_UP_CUSTOM | 0x0003)) { ++ if (usage->hid == (HID_UP_CUSTOM | 0x0003) || ++ usage->hid == (HID_UP_MSVENDOR | 0x0003)) { + /* The fn key on Apple USB keyboards */ + set_bit(EV_REP, hi->input->evbit); + hid_map_usage_clear(hi, usage, bit, max, EV_KEY, KEY_FN); +@@ -472,6 +473,12 @@ static const struct hid_device_id apple_ + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI), + .driver_data = APPLE_HAS_FN }, ++ { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI), ++ .driver_data = APPLE_HAS_FN }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI), ++ .driver_data = APPLE_HAS_FN }, ++ { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI), ++ .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ISO), +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -88,6 +88,7 @@ + #define USB_DEVICE_ID_ANTON_TOUCH_PAD 0x3101 + + #define USB_VENDOR_ID_APPLE 0x05ac ++#define BT_VENDOR_ID_APPLE 0x004c + #define USB_DEVICE_ID_APPLE_MIGHTYMOUSE 0x0304 + #define USB_DEVICE_ID_APPLE_MAGICMOUSE 0x030d + #define USB_DEVICE_ID_APPLE_MAGICTRACKPAD 0x030e +@@ -157,6 +158,7 @@ + #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO 0x0256 + #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_JIS 0x0257 + #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI 0x0267 ++#define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI 0x026c + #define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290 + #define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291 + #define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292 diff --git a/queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch b/queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch new file mode 100644 index 00000000000..ed63ba7825a --- /dev/null +++ b/queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Harry Mallon +Date: Tue, 28 Aug 2018 22:51:29 +0100 +Subject: HID: hid-saitek: Add device ID for RAT 7 Contagion + +From: Harry Mallon + +[ Upstream commit 43822c98f2ebb2cbd5e467ab72bbcdae7f0caa22 ] + +Signed-off-by: Harry Mallon +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-saitek.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -951,6 +951,7 @@ + #define USB_DEVICE_ID_SAITEK_RUMBLEPAD 0xff17 + #define USB_DEVICE_ID_SAITEK_PS1000 0x0621 + #define USB_DEVICE_ID_SAITEK_RAT7_OLD 0x0ccb ++#define USB_DEVICE_ID_SAITEK_RAT7_CONTAGION 0x0ccd + #define USB_DEVICE_ID_SAITEK_RAT7 0x0cd7 + #define USB_DEVICE_ID_SAITEK_RAT9 0x0cfa + #define USB_DEVICE_ID_SAITEK_MMO7 0x0cd0 +--- a/drivers/hid/hid-saitek.c ++++ b/drivers/hid/hid-saitek.c +@@ -183,6 +183,8 @@ static const struct hid_device_id saitek + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7), + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7_CONTAGION), ++ .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT9), + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_MADCATZ, USB_DEVICE_ID_MADCATZ_RAT9), diff --git a/queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch b/queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch new file mode 100644 index 00000000000..02fa4bee570 --- /dev/null +++ b/queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch @@ -0,0 +1,85 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Kai-Heng Feng +Date: Thu, 6 Sep 2018 10:55:18 +0800 +Subject: HID: i2c-hid: Don't reset device upon system resume + +From: Kai-Heng Feng + +[ Upstream commit 52cf93e63ee672a92f349edc6ddad86ec8808fd8 ] + +Raydium touchscreen triggers interrupt storm after system-wide suspend: + + [ 179.085033] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/65535) + +According to Raydium, Windows driver does not reset the device after system +resume. + +The HID over I2C spec does specify a reset should be used at intialization, but +it doesn't specify if reset is required for system suspend. + +Tested this patch on other i2c-hid touchpanels I have and those touchpanels do +work after S3 without doing reset. If any regression happens to other +touchpanel vendors, we can use quirk for Raydium devices. + +There's still one device uses I2C_HID_QUIRK_RESEND_REPORT_DESCR so keep it +there. + +Cc: Aaron Ma +Cc: AceLan Kao +Signed-off-by: Kai-Heng Feng +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 4 ---- + drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++------ + 2 files changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -528,10 +528,6 @@ + #define I2C_VENDOR_ID_HANTICK 0x0911 + #define I2C_PRODUCT_ID_HANTICK_5288 0x5288 + +-#define I2C_VENDOR_ID_RAYD 0x2386 +-#define I2C_PRODUCT_ID_RAYD_3118 0x3118 +-#define I2C_PRODUCT_ID_RAYD_4B33 0x4B33 +- + #define USB_VENDOR_ID_HANWANG 0x0b57 + #define USB_DEVICE_ID_HANWANG_TABLET_FIRST 0x5000 + #define USB_DEVICE_ID_HANWANG_TABLET_LAST 0x8fff +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -170,12 +170,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV }, + { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288, + I2C_HID_QUIRK_NO_IRQ_AFTER_RESET }, +- { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_3118, +- I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH, + I2C_HID_QUIRK_RESEND_REPORT_DESCR }, +- { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_4B33, +- I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { 0, 0 } + }; + +@@ -1237,11 +1233,16 @@ static int i2c_hid_resume(struct device + pm_runtime_enable(dev); + + enable_irq(client->irq); +- ret = i2c_hid_hwreset(client); ++ ++ /* Instead of resetting device, simply powers the device on. This ++ * solves "incomplete reports" on Raydium devices 2386:3118 and ++ * 2386:4B33 ++ */ ++ ret = i2c_hid_set_power(client, I2C_HID_PWR_ON); + if (ret) + return ret; + +- /* RAYDIUM device (2386:3118) need to re-send report descr cmd ++ /* Some devices need to re-send report descr cmd + * after resume, after this it will be back normal. + * otherwise it issues too many incomplete reports. + */ diff --git a/queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch b/queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch new file mode 100644 index 00000000000..c7f73894442 --- /dev/null +++ b/queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Andreas Bosch +Date: Fri, 17 Aug 2018 22:16:00 +0200 +Subject: HID: intel-ish-hid: Enable Sunrise Point-H ish driver + +From: Andreas Bosch + +[ Upstream commit e0ab8b26aa9661df0541a657e2b2416d90488809 ] + +Added PCI ID for Sunrise Point-H ISH. + +Signed-off-by: Andreas Bosch +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/intel-ish-hid/ipc/hw-ish.h | 1 + + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h ++++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h +@@ -29,6 +29,7 @@ + #define CNL_Ax_DEVICE_ID 0x9DFC + #define GLK_Ax_DEVICE_ID 0x31A2 + #define CNL_H_DEVICE_ID 0xA37C ++#define SPT_H_DEVICE_ID 0xA135 + + #define REVISION_ID_CHT_A0 0x6 + #define REVISION_ID_CHT_Ax_SI 0x0 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -38,6 +38,7 @@ static const struct pci_device_id ish_pc + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_Ax_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, GLK_Ax_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_H_DEVICE_ID)}, ++ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, SPT_H_DEVICE_ID)}, + {0, } + }; + MODULE_DEVICE_TABLE(pci, ish_pci_tbl); diff --git a/queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch b/queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch new file mode 100644 index 00000000000..7a9f7eb9b0e --- /dev/null +++ b/queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Hans de Goede +Date: Sat, 18 Aug 2018 10:12:08 +0200 +Subject: HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report + +From: Hans de Goede + +[ Upstream commit ade573eb1e03d1ee5abcb3359b1259469ab6e8ed ] + +Commit b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum to 1 for +power and report state") not only replaced the descriptor fixup done for +devices with the HID_SENSOR_HUB_ENUM_QUIRK with a generic fix, but also +accidentally removed the unrelated descriptor fixup for the Lenovo ThinkPad +Helix 2 sensor hub. This commit restores this fixup. + +Restoring this fixup not only fixes the Lenovo ThinkPad Helix 2's sensors, +but also the Lenovo ThinkPad 8's sensors. + +Fixes: b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum ...") +Cc: Srinivas Pandruvada +Cc: Fernando D S Lima +Acked-by: Srinivas Pandruvada +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-sensor-hub.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -579,6 +579,28 @@ void sensor_hub_device_close(struct hid_ + } + EXPORT_SYMBOL_GPL(sensor_hub_device_close); + ++static __u8 *sensor_hub_report_fixup(struct hid_device *hdev, __u8 *rdesc, ++ unsigned int *rsize) ++{ ++ /* ++ * Checks if the report descriptor of Thinkpad Helix 2 has a logical ++ * minimum for magnetic flux axis greater than the maximum. ++ */ ++ if (hdev->product == USB_DEVICE_ID_TEXAS_INSTRUMENTS_LENOVO_YOGA && ++ *rsize == 2558 && rdesc[913] == 0x17 && rdesc[914] == 0x40 && ++ rdesc[915] == 0x81 && rdesc[916] == 0x08 && ++ rdesc[917] == 0x00 && rdesc[918] == 0x27 && ++ rdesc[921] == 0x07 && rdesc[922] == 0x00) { ++ /* Sets negative logical minimum for mag x, y and z */ ++ rdesc[914] = rdesc[935] = rdesc[956] = 0xc0; ++ rdesc[915] = rdesc[936] = rdesc[957] = 0x7e; ++ rdesc[916] = rdesc[937] = rdesc[958] = 0xf7; ++ rdesc[917] = rdesc[938] = rdesc[959] = 0xff; ++ } ++ ++ return rdesc; ++} ++ + static int sensor_hub_probe(struct hid_device *hdev, + const struct hid_device_id *id) + { +@@ -743,6 +765,7 @@ static struct hid_driver sensor_hub_driv + .probe = sensor_hub_probe, + .remove = sensor_hub_remove, + .raw_event = sensor_hub_raw_event, ++ .report_fixup = sensor_hub_report_fixup, + #ifdef CONFIG_PM + .suspend = sensor_hub_suspend, + .resume = sensor_hub_resume, diff --git a/queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch b/queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch new file mode 100644 index 00000000000..b0d4d1c1557 --- /dev/null +++ b/queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Lorenzo Bianconi +Date: Fri, 31 Aug 2018 10:51:14 +0200 +Subject: iio: imu: st_lsm6dsx: take into account ts samples in wm configuration + +From: Lorenzo Bianconi + +[ Upstream commit a13bf65f3f2e36008ea60b49d3bda2527e09fd9c ] + +Take into account hw timer samples in pattern length computation done +in st_lsm6dsx_update_watermark routine for watermark configuration. +Moreover use samples in pattern (sip) already computed in +st_lsm6dsx_update_decimators routine + +Fixes: 213451076bd3 ("iio: imu: st_lsm6dsx: add hw timestamp support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +@@ -187,12 +187,15 @@ static int st_lsm6dsx_set_fifo_odr(struc + + int st_lsm6dsx_update_watermark(struct st_lsm6dsx_sensor *sensor, u16 watermark) + { +- u16 fifo_watermark = ~0, cur_watermark, sip = 0, fifo_th_mask; ++ u16 fifo_watermark = ~0, cur_watermark, fifo_th_mask; + struct st_lsm6dsx_hw *hw = sensor->hw; + struct st_lsm6dsx_sensor *cur_sensor; + int i, err, data; + __le16 wdata; + ++ if (!hw->sip) ++ return 0; ++ + for (i = 0; i < ST_LSM6DSX_ID_MAX; i++) { + cur_sensor = iio_priv(hw->iio_devs[i]); + +@@ -203,14 +206,10 @@ int st_lsm6dsx_update_watermark(struct s + : cur_sensor->watermark; + + fifo_watermark = min_t(u16, fifo_watermark, cur_watermark); +- sip += cur_sensor->sip; + } + +- if (!sip) +- return 0; +- +- fifo_watermark = max_t(u16, fifo_watermark, sip); +- fifo_watermark = (fifo_watermark / sip) * sip; ++ fifo_watermark = max_t(u16, fifo_watermark, hw->sip); ++ fifo_watermark = (fifo_watermark / hw->sip) * hw->sip; + fifo_watermark = fifo_watermark * hw->settings->fifo_ops.th_wl; + + err = regmap_read(hw->regmap, hw->settings->fifo_ops.fifo_th.addr + 1, diff --git a/queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch b/queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch new file mode 100644 index 00000000000..911d7a1b024 --- /dev/null +++ b/queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch @@ -0,0 +1,86 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:22 +0000 +Subject: net: ena: fix device destruction to gracefully free resources + +From: Netanel Belgazal + +[ Upstream commit cfa324a514233b28a6934de619183eee941f02d7 ] + +When ena_destroy_device() is called from ena_suspend(), the device is +still reachable from the driver. Therefore, the driver can send a command +to the device to free all resources. +However, in all other cases of calling ena_destroy_device(), the device is +potentially in an error state and unreachable from the driver. In these +cases the driver must not send commands to the device. + +The current implementation does not request resource freeing from the +device even when possible. We add the graceful parameter to +ena_destroy_device() to enable resource freeing when possible, and +use it in ena_suspend(). + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -76,7 +76,7 @@ MODULE_DEVICE_TABLE(pci, ena_pci_tbl); + + static int ena_rss_init_default(struct ena_adapter *adapter); + static void check_for_admin_com_state(struct ena_adapter *adapter); +-static void ena_destroy_device(struct ena_adapter *adapter); ++static void ena_destroy_device(struct ena_adapter *adapter, bool graceful); + static int ena_restore_device(struct ena_adapter *adapter); + + static void ena_tx_timeout(struct net_device *dev) +@@ -1900,7 +1900,7 @@ static int ena_close(struct net_device * + "Destroy failure, restarting device\n"); + ena_dump_stats_to_dmesg(adapter); + /* rtnl lock already obtained in dev_ioctl() layer */ +- ena_destroy_device(adapter); ++ ena_destroy_device(adapter, false); + ena_restore_device(adapter); + } + +@@ -2549,7 +2549,7 @@ err_disable_msix: + return rc; + } + +-static void ena_destroy_device(struct ena_adapter *adapter) ++static void ena_destroy_device(struct ena_adapter *adapter, bool graceful) + { + struct net_device *netdev = adapter->netdev; + struct ena_com_dev *ena_dev = adapter->ena_dev; +@@ -2562,7 +2562,8 @@ static void ena_destroy_device(struct en + dev_up = test_bit(ENA_FLAG_DEV_UP, &adapter->flags); + adapter->dev_up_before_reset = dev_up; + +- ena_com_set_admin_running_state(ena_dev, false); ++ if (!graceful) ++ ena_com_set_admin_running_state(ena_dev, false); + + if (test_bit(ENA_FLAG_DEV_UP, &adapter->flags)) + ena_down(adapter); +@@ -2664,7 +2665,7 @@ static void ena_fw_reset_device(struct w + return; + } + rtnl_lock(); +- ena_destroy_device(adapter); ++ ena_destroy_device(adapter, false); + ena_restore_device(adapter); + rtnl_unlock(); + } +@@ -3466,7 +3467,7 @@ static int ena_suspend(struct pci_dev *p + "ignoring device reset request as the device is being suspended\n"); + clear_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags); + } +- ena_destroy_device(adapter); ++ ena_destroy_device(adapter, true); + rtnl_unlock(); + return 0; + } diff --git a/queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch b/queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch new file mode 100644 index 00000000000..dc83f0b90c5 --- /dev/null +++ b/queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch @@ -0,0 +1,86 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:21 +0000 +Subject: net: ena: fix driver when PAGE_SIZE == 64kB + +From: Netanel Belgazal + +[ Upstream commit ef5b0771d247379c90c8bf1332ff32f7f74bff7f ] + +The buffer length field in the ena rx descriptor is 16 bit, and the +current driver passes a full page in each ena rx descriptor. +When PAGE_SIZE equals 64kB or more, the buffer length field becomes +zero. +To solve this issue, limit the ena Rx descriptor to use 16kB even +when allocating 64kB kernel pages. This change would not impact ena +device functionality, as 16kB is still larger than maximum MTU. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 10 +++++----- + drivers/net/ethernet/amazon/ena/ena_netdev.h | 11 +++++++++++ + 2 files changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -461,7 +461,7 @@ static inline int ena_alloc_rx_page(stru + return -ENOMEM; + } + +- dma = dma_map_page(rx_ring->dev, page, 0, PAGE_SIZE, ++ dma = dma_map_page(rx_ring->dev, page, 0, ENA_PAGE_SIZE, + DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(rx_ring->dev, dma))) { + u64_stats_update_begin(&rx_ring->syncp); +@@ -478,7 +478,7 @@ static inline int ena_alloc_rx_page(stru + rx_info->page_offset = 0; + ena_buf = &rx_info->ena_buf; + ena_buf->paddr = dma; +- ena_buf->len = PAGE_SIZE; ++ ena_buf->len = ENA_PAGE_SIZE; + + return 0; + } +@@ -495,7 +495,7 @@ static void ena_free_rx_page(struct ena_ + return; + } + +- dma_unmap_page(rx_ring->dev, ena_buf->paddr, PAGE_SIZE, ++ dma_unmap_page(rx_ring->dev, ena_buf->paddr, ENA_PAGE_SIZE, + DMA_FROM_DEVICE); + + __free_page(page); +@@ -916,10 +916,10 @@ static struct sk_buff *ena_rx_skb(struct + do { + dma_unmap_page(rx_ring->dev, + dma_unmap_addr(&rx_info->ena_buf, paddr), +- PAGE_SIZE, DMA_FROM_DEVICE); ++ ENA_PAGE_SIZE, DMA_FROM_DEVICE); + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_info->page, +- rx_info->page_offset, len, PAGE_SIZE); ++ rx_info->page_offset, len, ENA_PAGE_SIZE); + + netif_dbg(rx_ring->adapter, rx_status, rx_ring->netdev, + "rx skb updated. len %d. data_len %d\n", +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.h ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.h +@@ -355,4 +355,15 @@ void ena_dump_stats_to_buf(struct ena_ad + + int ena_get_sset_count(struct net_device *netdev, int sset); + ++/* The ENA buffer length fields is 16 bit long. So when PAGE_SIZE == 64kB the ++ * driver passas 0. ++ * Since the max packet size the ENA handles is ~9kB limit the buffer length to ++ * 16kB. ++ */ ++#if PAGE_SIZE > SZ_16K ++#define ENA_PAGE_SIZE SZ_16K ++#else ++#define ENA_PAGE_SIZE PAGE_SIZE ++#endif ++ + #endif /* !(ENA_H) */ diff --git a/queue-4.18/net-ena-fix-missing-calls-to-read_once.patch b/queue-4.18/net-ena-fix-missing-calls-to-read_once.patch new file mode 100644 index 00000000000..dcb968a8721 --- /dev/null +++ b/queue-4.18/net-ena-fix-missing-calls-to-read_once.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:25 +0000 +Subject: net: ena: fix missing calls to READ_ONCE + +From: Netanel Belgazal + +[ Upstream commit 28abf4e9c9201eda5c4d29ea609d07e877b464b8 ] + +Add READ_ONCE calls where necessary (for example when iterating +over a memory field that gets updated by the hardware). + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -459,7 +459,7 @@ static void ena_com_handle_admin_complet + cqe = &admin_queue->cq.entries[head_masked]; + + /* Go over all the completions */ +- while ((cqe->acq_common_descriptor.flags & ++ while ((READ_ONCE(cqe->acq_common_descriptor.flags) & + ENA_ADMIN_ACQ_COMMON_DESC_PHASE_MASK) == phase) { + /* Do not read the rest of the completion entry before the + * phase bit was validated +@@ -637,7 +637,7 @@ static u32 ena_com_reg_bar_read32(struct + + mmiowb(); + for (i = 0; i < timeout; i++) { +- if (read_resp->req_id == mmio_read->seq_num) ++ if (READ_ONCE(read_resp->req_id) == mmio_read->seq_num) + break; + + udelay(1); +@@ -1796,8 +1796,8 @@ void ena_com_aenq_intr_handler(struct en + aenq_common = &aenq_e->aenq_common_desc; + + /* Go over all the events */ +- while ((aenq_common->flags & ENA_ADMIN_AENQ_COMMON_DESC_PHASE_MASK) == +- phase) { ++ while ((READ_ONCE(aenq_common->flags) & ++ ENA_ADMIN_AENQ_COMMON_DESC_PHASE_MASK) == phase) { + pr_debug("AENQ! Group[%x] Syndrom[%x] timestamp: [%llus]\n", + aenq_common->group, aenq_common->syndrom, + (u64)aenq_common->timestamp_low + diff --git a/queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch b/queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch new file mode 100644 index 00000000000..1a8e09994a3 --- /dev/null +++ b/queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:24 +0000 +Subject: net: ena: fix missing lock during device destruction + +From: Netanel Belgazal + +[ Upstream commit 944b28aa2982b4590d4d4dfc777cf85135dca2c0 ] + +acquire the rtnl_lock during device destruction to avoid +using partially destroyed device. + +ena_remove() shares almost the same logic as ena_destroy_device(), +so use ena_destroy_device() and avoid duplications. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3420,24 +3420,18 @@ static void ena_remove(struct pci_dev *p + + unregister_netdev(netdev); + +- /* Reset the device only if the device is running. */ ++ /* If the device is running then we want to make sure the device will be ++ * reset to make sure no more events will be issued by the device. ++ */ + if (test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags)) +- ena_com_dev_reset(ena_dev, adapter->reset_reason); ++ set_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags); + +- ena_free_mgmnt_irq(adapter); +- +- ena_disable_msix(adapter); ++ rtnl_lock(); ++ ena_destroy_device(adapter, true); ++ rtnl_unlock(); + + free_netdev(netdev); + +- ena_com_mmio_reg_read_request_destroy(ena_dev); +- +- ena_com_abort_admin_commands(ena_dev); +- +- ena_com_wait_for_abort_completion(ena_dev); +- +- ena_com_admin_destroy(ena_dev); +- + ena_com_rss_destroy(ena_dev); + + ena_com_delete_debug_area(ena_dev); diff --git a/queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch b/queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch new file mode 100644 index 00000000000..0aeee9e5195 --- /dev/null +++ b/queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:23 +0000 +Subject: net: ena: fix potential double ena_destroy_device() + +From: Netanel Belgazal + +[ Upstream commit fe870c77efdf8682252545cbd3d29800d8379efc ] + +ena_destroy_device() can potentially be called twice. +To avoid this, check that the device is running and +only then proceed destroying it. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -2555,6 +2555,9 @@ static void ena_destroy_device(struct en + struct ena_com_dev *ena_dev = adapter->ena_dev; + bool dev_up; + ++ if (!test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags)) ++ return; ++ + netif_carrier_off(netdev); + + del_timer_sync(&adapter->timer_service); +@@ -2591,6 +2594,7 @@ static void ena_destroy_device(struct en + adapter->reset_reason = ENA_REGS_RESET_NORMAL; + + clear_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags); ++ clear_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags); + } + + static int ena_restore_device(struct ena_adapter *adapter) +@@ -2635,6 +2639,7 @@ static int ena_restore_device(struct ena + } + } + ++ set_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags); + mod_timer(&adapter->timer_service, round_jiffies(jiffies + HZ)); + dev_err(&pdev->dev, "Device reset completed successfully\n"); + diff --git a/queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch b/queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch new file mode 100644 index 00000000000..36e078c77cf --- /dev/null +++ b/queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:20 +0000 +Subject: net: ena: fix surprise unplug NULL dereference kernel crash + +From: Netanel Belgazal + +[ Upstream commit 772ed869f535b4ec2b134645c951ff22de4d3f79 ] + +Starting with driver version 1.5.0, in case of a surprise device +unplug, there is a race caused by invoking ena_destroy_device() +from two different places. As a result, the readless register might +be accessed after it was destroyed. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3408,12 +3408,12 @@ static void ena_remove(struct pci_dev *p + netdev->rx_cpu_rmap = NULL; + } + #endif /* CONFIG_RFS_ACCEL */ +- +- unregister_netdev(netdev); + del_timer_sync(&adapter->timer_service); + + cancel_work_sync(&adapter->reset_task); + ++ unregister_netdev(netdev); ++ + /* Reset the device only if the device is running. */ + if (test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags)) + ena_com_dev_reset(ena_dev, adapter->reset_reason); diff --git a/queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch b/queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch new file mode 100644 index 00000000000..c6bc0546bb0 --- /dev/null +++ b/queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Daniel Jurgens +Date: Mon, 27 Aug 2018 09:09:46 -0500 +Subject: net/mlx5: Consider PCI domain in search for next dev + +From: Daniel Jurgens + +[ Upstream commit df7ddb2396cd162e64aaff9401be05e31e438961 ] + +The PCI BDF is not unique. PCI domain must also be considered when +searching for the next physical device during lag setup. Example below: + +mlx5_core 0000:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0000:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0001:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0001:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) + +Signed-off-by: Daniel Jurgens +Reviewed-by: Aviv Heller +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -396,16 +396,17 @@ void mlx5_remove_dev_by_protocol(struct + } + } + +-static u16 mlx5_gen_pci_id(struct mlx5_core_dev *dev) ++static u32 mlx5_gen_pci_id(struct mlx5_core_dev *dev) + { +- return (u16)((dev->pdev->bus->number << 8) | ++ return (u32)((pci_domain_nr(dev->pdev->bus) << 16) | ++ (dev->pdev->bus->number << 8) | + PCI_SLOT(dev->pdev->devfn)); + } + + /* Must be called with intf_mutex held */ + struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + { +- u16 pci_id = mlx5_gen_pci_id(dev); ++ u32 pci_id = mlx5_gen_pci_id(dev); + struct mlx5_core_dev *res = NULL; + struct mlx5_core_dev *tmp_dev; + struct mlx5_priv *priv; diff --git a/queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch b/queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch new file mode 100644 index 00000000000..a37df534a12 --- /dev/null +++ b/queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch @@ -0,0 +1,448 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Pablo Neira Ayuso +Date: Fri, 31 Aug 2018 12:36:01 +0200 +Subject: netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT + +From: Pablo Neira Ayuso + +[ Upstream commit a874752a10da113f513980e28f562d946d3f829d ] + +Now that cttimeout support for nft_ct is in place, these should depend +on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the +policy if this option is not enabled. + +[ 71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[...] +[ 71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246 +[...] +[ 71.600188] Call Trace: +[ 71.600201] ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct] + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 ++++---- + net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 8 ++++---- + net/netfilter/nf_conntrack_proto_dccp.c | 12 ++++++------ + net/netfilter/nf_conntrack_proto_generic.c | 8 ++++---- + net/netfilter/nf_conntrack_proto_gre.c | 8 ++++---- + net/netfilter/nf_conntrack_proto_sctp.c | 14 +++++++------- + net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++------ + net/netfilter/nf_conntrack_proto_udp.c | 20 ++++++++++---------- + 8 files changed, 45 insertions(+), 45 deletions(-) + +--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c ++++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +@@ -269,7 +269,7 @@ static unsigned int icmp_nlattr_tuple_si + } + #endif + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -307,7 +307,7 @@ static const struct nla_policy + icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = { + [CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + static struct ctl_table icmp_sysctl_table[] = { +@@ -369,7 +369,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_to_tuple = icmp_nlattr_to_tuple, + .nla_policy = icmp_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = icmp_timeout_nlattr_to_obj, + .obj_to_nlattr = icmp_timeout_obj_to_nlattr, +@@ -377,7 +377,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int), + .nla_policy = icmp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = icmp_init_net, + .get_net_proto = icmp_get_net_proto, + }; +--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +@@ -270,7 +270,7 @@ static unsigned int icmpv6_nlattr_tuple_ + } + #endif + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -308,7 +308,7 @@ static const struct nla_policy + icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = { + [CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + static struct ctl_table icmpv6_sysctl_table[] = { +@@ -368,7 +368,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_to_tuple = icmpv6_nlattr_to_tuple, + .nla_policy = icmpv6_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = icmpv6_timeout_nlattr_to_obj, + .obj_to_nlattr = icmpv6_timeout_obj_to_nlattr, +@@ -376,7 +376,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int), + .nla_policy = icmpv6_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = icmpv6_init_net, + .get_net_proto = icmpv6_get_net_proto, + }; +--- a/net/netfilter/nf_conntrack_proto_dccp.c ++++ b/net/netfilter/nf_conntrack_proto_dccp.c +@@ -699,7 +699,7 @@ static int nlattr_to_dccp(struct nlattr + } + #endif + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -750,7 +750,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP + [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 }, + [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + /* template, data assigned later */ +@@ -883,7 +883,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = dccp_timeout_nlattr_to_obj, + .obj_to_nlattr = dccp_timeout_obj_to_nlattr, +@@ -891,7 +891,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, + .nla_policy = dccp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = dccp_init_net, + .get_net_proto = dccp_get_net_proto, + }; +@@ -919,7 +919,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = dccp_timeout_nlattr_to_obj, + .obj_to_nlattr = dccp_timeout_obj_to_nlattr, +@@ -927,7 +927,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, + .nla_policy = dccp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = dccp_init_net, + .get_net_proto = dccp_get_net_proto, + }; +--- a/net/netfilter/nf_conntrack_proto_generic.c ++++ b/net/netfilter/nf_conntrack_proto_generic.c +@@ -79,7 +79,7 @@ static bool generic_new(struct nf_conn * + return ret; + } + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -119,7 +119,7 @@ static const struct nla_policy + generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = { + [CTA_TIMEOUT_GENERIC_TIMEOUT] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + static struct ctl_table generic_sysctl_table[] = { +@@ -172,7 +172,7 @@ const struct nf_conntrack_l4proto nf_con + .packet = generic_packet, + .get_timeouts = generic_get_timeouts, + .new = generic_new, +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = generic_timeout_nlattr_to_obj, + .obj_to_nlattr = generic_timeout_obj_to_nlattr, +@@ -180,7 +180,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int), + .nla_policy = generic_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = generic_init_net, + .get_net_proto = generic_get_net_proto, + }; +--- a/net/netfilter/nf_conntrack_proto_gre.c ++++ b/net/netfilter/nf_conntrack_proto_gre.c +@@ -289,7 +289,7 @@ static void gre_destroy(struct nf_conn * + nf_ct_gre_keymap_destroy(master); + } + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -336,7 +336,7 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_M + [CTA_TIMEOUT_GRE_UNREPLIED] = { .type = NLA_U32 }, + [CTA_TIMEOUT_GRE_REPLIED] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + static int gre_init_net(struct net *net, u_int16_t proto) + { +@@ -371,7 +371,7 @@ static const struct nf_conntrack_l4proto + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = gre_timeout_nlattr_to_obj, + .obj_to_nlattr = gre_timeout_obj_to_nlattr, +@@ -379,7 +379,7 @@ static const struct nf_conntrack_l4proto + .obj_size = sizeof(unsigned int) * GRE_CT_MAX, + .nla_policy = gre_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .net_id = &proto_gre_net_id, + .init_net = gre_init_net, + }; +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -615,7 +615,7 @@ static int nlattr_to_sctp(struct nlattr + } + #endif + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -668,7 +668,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP + [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, + [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + + #ifdef CONFIG_SYSCTL +@@ -800,7 +800,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = sctp_timeout_nlattr_to_obj, + .obj_to_nlattr = sctp_timeout_obj_to_nlattr, +@@ -808,7 +808,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, + .nla_policy = sctp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = sctp_init_net, + .get_net_proto = sctp_get_net_proto, + }; +@@ -836,7 +836,8 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, + .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, + .nla_policy = nf_ct_port_nla_policy, +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#endif ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = sctp_timeout_nlattr_to_obj, + .obj_to_nlattr = sctp_timeout_obj_to_nlattr, +@@ -844,8 +845,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, + .nla_policy = sctp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ +-#endif ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = sctp_init_net, + .get_net_proto = sctp_get_net_proto, + }; +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -1305,7 +1305,7 @@ static unsigned int tcp_nlattr_tuple_siz + } + #endif + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -1415,7 +1415,7 @@ static const struct nla_policy tcp_timeo + [CTA_TIMEOUT_TCP_RETRANS] = { .type = NLA_U32 }, + [CTA_TIMEOUT_TCP_UNACK] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + static struct ctl_table tcp_sysctl_table[] = { +@@ -1578,7 +1578,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_size = TCP_NLATTR_SIZE, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = tcp_timeout_nlattr_to_obj, + .obj_to_nlattr = tcp_timeout_obj_to_nlattr, +@@ -1587,7 +1587,7 @@ const struct nf_conntrack_l4proto nf_con + TCP_CONNTRACK_TIMEOUT_MAX, + .nla_policy = tcp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = tcp_init_net, + .get_net_proto = tcp_get_net_proto, + }; +@@ -1616,7 +1616,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = tcp_nlattr_tuple_size, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = tcp_timeout_nlattr_to_obj, + .obj_to_nlattr = tcp_timeout_obj_to_nlattr, +@@ -1625,7 +1625,7 @@ const struct nf_conntrack_l4proto nf_con + TCP_CONNTRACK_TIMEOUT_MAX, + .nla_policy = tcp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = tcp_init_net, + .get_net_proto = tcp_get_net_proto, + }; +--- a/net/netfilter/nf_conntrack_proto_udp.c ++++ b/net/netfilter/nf_conntrack_proto_udp.c +@@ -192,7 +192,7 @@ static int udp_error(struct net *net, st + return NF_ACCEPT; + } + +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + + #include + #include +@@ -239,7 +239,7 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_M + [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 }, + [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 }, + }; +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + + #ifdef CONFIG_SYSCTL + static struct ctl_table udp_sysctl_table[] = { +@@ -313,7 +313,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = udp_timeout_nlattr_to_obj, + .obj_to_nlattr = udp_timeout_obj_to_nlattr, +@@ -321,7 +321,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, + .nla_policy = udp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = udp_init_net, + .get_net_proto = udp_get_net_proto, + }; +@@ -345,7 +345,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = udp_timeout_nlattr_to_obj, + .obj_to_nlattr = udp_timeout_obj_to_nlattr, +@@ -353,7 +353,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, + .nla_policy = udp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = udp_init_net, + .get_net_proto = udp_get_net_proto, + }; +@@ -377,7 +377,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = udp_timeout_nlattr_to_obj, + .obj_to_nlattr = udp_timeout_obj_to_nlattr, +@@ -385,7 +385,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, + .nla_policy = udp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = udp_init_net, + .get_net_proto = udp_get_net_proto, + }; +@@ -409,7 +409,7 @@ const struct nf_conntrack_l4proto nf_con + .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, + .nla_policy = nf_ct_port_nla_policy, + #endif +-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) ++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT + .ctnl_timeout = { + .nlattr_to_obj = udp_timeout_nlattr_to_obj, + .obj_to_nlattr = udp_timeout_obj_to_nlattr, +@@ -417,7 +417,7 @@ const struct nf_conntrack_l4proto nf_con + .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, + .nla_policy = udp_timeout_nla_policy, + }, +-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ ++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + .init_net = udp_init_net, + .get_net_proto = udp_get_net_proto, + }; diff --git a/queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch b/queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch new file mode 100644 index 00000000000..ff657c796f7 --- /dev/null +++ b/queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Florian Westphal +Date: Sat, 25 Aug 2018 01:14:46 +0200 +Subject: netfilter: kconfig: nat related expression depend on nftables core + +From: Florian Westphal + +[ Upstream commit e0758412208960be9de11e6d2350c81ffd88410f ] + +NF_TABLES_IPV4 is now boolean so it is possible to set + +NF_TABLES=m +NF_TABLES_IPV4=y +NFT_CHAIN_NAT_IPV4=y + +which causes: +nft_chain_nat_ipv4.c:(.text+0x6d): undefined reference to `nft_do_chain' + +Wrap NFT_CHAIN_NAT_IPV4 and related nat expressions with NF_TABLES to +restore the dependency. + +Reported-by: Randy Dunlap +Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") +Signed-off-by: Florian Westphal +Acked-by: Randy Dunlap +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/Kconfig | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/Kconfig ++++ b/net/ipv4/netfilter/Kconfig +@@ -122,6 +122,10 @@ config NF_NAT_IPV4 + + if NF_NAT_IPV4 + ++config NF_NAT_MASQUERADE_IPV4 ++ bool ++ ++if NF_TABLES + config NFT_CHAIN_NAT_IPV4 + depends on NF_TABLES_IPV4 + tristate "IPv4 nf_tables nat chain support" +@@ -131,9 +135,6 @@ config NFT_CHAIN_NAT_IPV4 + packet transformations such as the source, destination address and + source and destination ports. + +-config NF_NAT_MASQUERADE_IPV4 +- bool +- + config NFT_MASQ_IPV4 + tristate "IPv4 masquerading support for nf_tables" + depends on NF_TABLES_IPV4 +@@ -151,6 +152,7 @@ config NFT_REDIR_IPV4 + help + This is the expression that provides IPv4 redirect support for + nf_tables. ++endif # NF_TABLES + + config NF_NAT_SNMP_BASIC + tristate "Basic SNMP-ALG support" diff --git a/queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch b/queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch new file mode 100644 index 00000000000..262e80b72ec --- /dev/null +++ b/queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch @@ -0,0 +1,78 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Taehee Yoo +Date: Sun, 26 Aug 2018 02:35:44 +0900 +Subject: netfilter: nf_tables: release chain in flushing set + +From: Taehee Yoo + +[ Upstream commit 7acfda539c0b9636a58bfee56abfb3aeee806d96 ] + +When element of verdict map is deleted, the delete routine should +release chain. however, flush element of verdict map routine doesn't +release chain. + +test commands: + %nft add table ip filter + %nft add chain ip filter c1 + %nft add map ip filter map1 { type ipv4_addr : verdict \; } + %nft add element ip filter map1 { 1 : jump c1 } + %nft flush map ip filter map1 + %nft flush ruleset + +splat looks like: +[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415! +[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55 +[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables] +[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 +[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202 +[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0 +[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8 +[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000 +[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200 +[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000 +[ 4895.234841] FS: 00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000 +[ 4895.234841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0 +[ 4895.234841] Call Trace: +[ 4895.234841] nf_tables_commit+0x2704/0x2c70 [nf_tables] +[ 4895.234841] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink] +[ 4895.234841] ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables] +[ 4895.323824] ? __lock_is_held+0x9d/0x130 +[ 4895.323824] ? kasan_unpoison_shadow+0x30/0x40 +[ 4895.333299] ? kasan_kmalloc+0xa9/0xc0 +[ 4895.333299] ? kmem_cache_alloc_trace+0x2c0/0x310 +[ 4895.333299] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink] +[ 4895.333299] nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink] +[ 4895.333299] ? debug_show_all_locks+0x290/0x290 +[ 4895.333299] ? nfnetlink_net_init+0x150/0x150 [nfnetlink] +[ 4895.333299] ? sched_clock_cpu+0xe5/0x170 +[ 4895.333299] ? sched_clock_local+0xff/0x130 +[ 4895.333299] ? sched_clock_cpu+0xe5/0x170 +[ 4895.333299] ? find_held_lock+0x39/0x1b0 +[ 4895.333299] ? sched_clock_local+0xff/0x130 +[ 4895.333299] ? memset+0x1f/0x40 +[ 4895.333299] ? nla_parse+0x33/0x260 +[ 4895.333299] ? ns_capable_common+0x6e/0x110 +[ 4895.333299] nfnetlink_rcv+0x2c0/0x310 [nfnetlink] +[ ... ] + +Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4582,6 +4582,7 @@ static int nft_flush_set(const struct nf + } + set->ndeact++; + ++ nft_set_elem_deactivate(ctx->net, set, elem); + nft_trans_elem_set(trans) = set; + nft_trans_elem(trans) = *elem; + list_add_tail(&trans->list, &ctx->net->nft.commit_list); diff --git a/queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch b/queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch new file mode 100644 index 00000000000..15c8d8a822c --- /dev/null +++ b/queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Michal 'vorner' Vaner +Date: Tue, 4 Sep 2018 13:25:44 +0200 +Subject: netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT + +From: Michal 'vorner' Vaner + +[ Upstream commit ad18d7bf68a3da860ebb62a59c449804a6d237b4 ] + +NF_REPEAT places the packet at the beginning of the iptables chain +instead of accepting or rejecting it right away. The packet however will +reach the end of the chain and continue to the end of iptables +eventually, so it needs the same handling as NF_ACCEPT and NF_DROP. + +Fixes: 368982cd7d1b ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks") +Signed-off-by: Michal 'vorner' Vaner +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nfnetlink_queue.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_que + int err; + + if (verdict == NF_ACCEPT || ++ verdict == NF_REPEAT || + verdict == NF_STOP) { + rcu_read_lock(); + ct_hook = rcu_dereference(nf_ct_hook); diff --git a/queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch b/queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch new file mode 100644 index 00000000000..e5c7e5b544a --- /dev/null +++ b/queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch @@ -0,0 +1,114 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Florian Westphal +Date: Wed, 22 Aug 2018 11:33:27 +0200 +Subject: netfilter: xt_checksum: ignore gso skbs + +From: Florian Westphal + +[ Upstream commit 10568f6c5761db24249c610c94d6e44d5505a0ba ] + +Satish Patel reports a skb_warn_bad_offload() splat caused +by -j CHECKSUM rules: + +-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM + +The CHECKSUM target has never worked with GSO skbs, and the above rule +makes no sense as kernel will handle checksum updates on transmit. + +Unfortunately, there are 3rd party tools that install such rules, so we +cannot reject this from the config plane without potential breakage. + +Amend Kconfig text to clarify that the CHECKSUM target is only useful +in virtualized environments, where old dhcp clients that use AF_PACKET +used to discard UDP packets with a 'bad' header checksum and add a +one-time warning in case such rule isn't restricted to UDP. + +v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek) + +Reported-by: Satish Patel +Reported-by: Markos Chandras +Reported-by: Michal Kubecek +Signed-off-by: Florian Westphal +Reviewed-by: Michal Kubecek +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/Kconfig | 12 ++++++------ + net/netfilter/xt_CHECKSUM.c | 22 +++++++++++++++++++++- + 2 files changed, 27 insertions(+), 7 deletions(-) + +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -740,13 +740,13 @@ config NETFILTER_XT_TARGET_CHECKSUM + depends on NETFILTER_ADVANCED + ---help--- + This option adds a `CHECKSUM' target, which can be used in the iptables mangle +- table. ++ table to work around buggy DHCP clients in virtualized environments. + +- You can use this target to compute and fill in the checksum in +- a packet that lacks a checksum. This is particularly useful, +- if you need to work around old applications such as dhcp clients, +- that do not work well with checksum offloads, but don't want to disable +- checksum offload in your device. ++ Some old DHCP clients drop packets because they are not aware ++ that the checksum would normally be offloaded to hardware and ++ thus should be considered valid. ++ This target can be used to fill in the checksum using iptables ++ when such packets are sent via a virtual network device. + + To compile it as a module, choose M here. If unsure, say N. + +--- a/net/netfilter/xt_CHECKSUM.c ++++ b/net/netfilter/xt_CHECKSUM.c +@@ -16,6 +16,9 @@ + #include + #include + ++#include ++#include ++ + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Michael S. Tsirkin "); + MODULE_DESCRIPTION("Xtables: checksum modification"); +@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM"); + static unsigned int + checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) + { +- if (skb->ip_summed == CHECKSUM_PARTIAL) ++ if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb)) + skb_checksum_help(skb); + + return XT_CONTINUE; +@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const s + static int checksum_tg_check(const struct xt_tgchk_param *par) + { + const struct xt_CHECKSUM_info *einfo = par->targinfo; ++ const struct ip6t_ip6 *i6 = par->entryinfo; ++ const struct ipt_ip *i4 = par->entryinfo; + + if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { + pr_info_ratelimited("unsupported CHECKSUM operation %x\n", +@@ -43,6 +48,21 @@ static int checksum_tg_check(const struc + if (!einfo->operation) + return -EINVAL; + ++ switch (par->family) { ++ case NFPROTO_IPV4: ++ if (i4->proto == IPPROTO_UDP && ++ (i4->invflags & XT_INV_PROTO) == 0) ++ return 0; ++ break; ++ case NFPROTO_IPV6: ++ if ((i6->flags & IP6T_F_PROTO) && ++ i6->proto == IPPROTO_UDP && ++ (i6->invflags & XT_INV_PROTO) == 0) ++ return 0; ++ break; ++ } ++ ++ pr_warn_once("CHECKSUM should be avoided. If really needed, restrict with \"-p udp\" and only use in OUTPUT\n"); + return 0; + } + diff --git a/queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch b/queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch new file mode 100644 index 00000000000..85ccaad30ec --- /dev/null +++ b/queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Martin Willi +Date: Wed, 22 Aug 2018 10:27:17 +0200 +Subject: netfilter: xt_cluster: add dependency on conntrack module + +From: Martin Willi + +[ Upstream commit c1dc2912059901f97345d9e10c96b841215fdc0f ] + +The cluster match requires conntrack for matching packets. If the +netns does not have conntrack hooks registered, the match does not +work at all. + +Implicitly load the conntrack hook for the family, exactly as many +other extensions do. This ensures that the match works even if the +hooks have not been registered by other means. + +Signed-off-by: Martin Willi +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_cluster.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/netfilter/xt_cluster.c ++++ b/net/netfilter/xt_cluster.c +@@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb, + static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) + { + struct xt_cluster_match_info *info = par->matchinfo; ++ int ret; + + if (info->total_nodes > XT_CLUSTER_NODES_MAX) { + pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", +@@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(cons + pr_info_ratelimited("node mask cannot exceed total number of nodes\n"); + return -EDOM; + } +- return 0; ++ ++ ret = nf_ct_netns_get(par->net, par->family); ++ if (ret < 0) ++ pr_info_ratelimited("cannot load conntrack support for proto=%u\n", ++ par->family); ++ return ret; ++} ++ ++static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par) ++{ ++ nf_ct_netns_put(par->net, par->family); + } + + static struct xt_match xt_cluster_match __read_mostly = { +@@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match + .match = xt_cluster_mt, + .checkentry = xt_cluster_mt_checkentry, + .matchsize = sizeof(struct xt_cluster_match_info), ++ .destroy = xt_cluster_mt_destroy, + .me = THIS_MODULE, + }; + diff --git a/queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch b/queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch new file mode 100644 index 00000000000..af5f879af58 --- /dev/null +++ b/queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch @@ -0,0 +1,108 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Cong Wang +Date: Wed, 5 Sep 2018 11:41:31 -0700 +Subject: netfilter: xt_hashlimit: use s->file instead of s->private + +From: Cong Wang + +[ Upstream commit 1286df269f498165061e0cf8092ca212545dbb5a ] + +After switching to the new procfs API, it is supposed to +retrieve the private pointer from PDE_DATA(file_inode(s->file)), +s->private is no longer referred. + +Fixes: 1cd671827290 ("netfilter/x_tables: switch to proc_create_seq_private") +Reported-by: Sami Farin +Signed-off-by: Cong Wang +Acked-by: Christoph Hellwig +Tested-by: Sami Farin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_hashlimit.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -1057,7 +1057,7 @@ static struct xt_match hashlimit_mt_reg[ + static void *dl_seq_start(struct seq_file *s, loff_t *pos) + __acquires(htable->lock) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket; + + spin_lock_bh(&htable->lock); +@@ -1074,7 +1074,7 @@ static void *dl_seq_start(struct seq_fil + + static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket = v; + + *pos = ++(*bucket); +@@ -1088,7 +1088,7 @@ static void *dl_seq_next(struct seq_file + static void dl_seq_stop(struct seq_file *s, void *v) + __releases(htable->lock) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket = v; + + if (!IS_ERR(bucket)) +@@ -1130,7 +1130,7 @@ static void dl_seq_print(struct dsthash_ + static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family, + struct seq_file *s) + { +- struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); + + spin_lock(&ent->lock); + /* recalculate to show accurate numbers */ +@@ -1145,7 +1145,7 @@ static int dl_seq_real_show_v2(struct ds + static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family, + struct seq_file *s) + { +- struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); + + spin_lock(&ent->lock); + /* recalculate to show accurate numbers */ +@@ -1160,7 +1160,7 @@ static int dl_seq_real_show_v1(struct ds + static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, + struct seq_file *s) + { +- struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); + + spin_lock(&ent->lock); + /* recalculate to show accurate numbers */ +@@ -1174,7 +1174,7 @@ static int dl_seq_real_show(struct dstha + + static int dl_seq_show_v2(struct seq_file *s, void *v) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket = (unsigned int *)v; + struct dsthash_ent *ent; + +@@ -1188,7 +1188,7 @@ static int dl_seq_show_v2(struct seq_fil + + static int dl_seq_show_v1(struct seq_file *s, void *v) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket = v; + struct dsthash_ent *ent; + +@@ -1202,7 +1202,7 @@ static int dl_seq_show_v1(struct seq_fil + + static int dl_seq_show(struct seq_file *s, void *v) + { +- struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); ++ struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); + unsigned int *bucket = v; + struct dsthash_ent *ent; + diff --git a/queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch b/queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch new file mode 100644 index 00000000000..727f14445cc --- /dev/null +++ b/queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch @@ -0,0 +1,94 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Sagi Grimberg +Date: Mon, 3 Sep 2018 03:47:07 -0700 +Subject: nvmet-rdma: fix possible bogus dereference under heavy load + +From: Sagi Grimberg + +[ Upstream commit 8407879c4e0d7731f6e7e905893cecf61a7762c7 ] + +Currently we always repost the recv buffer before we send a response +capsule back to the host. Since ordering is not guaranteed for send +and recv completions, it is posible that we will receive a new request +from the host before we got a send completion for the response capsule. + +Today, we pre-allocate 2x rsps the length of the queue, but in reality, +under heavy load there is nothing that is really preventing the gap to +expand until we exhaust all our rsps. + +To fix this, if we don't have any pre-allocated rsps left, we dynamically +allocate a rsp and make sure to free it when we are done. If under memory +pressure we fail to allocate a rsp, we silently drop the command and +wait for the host to retry. + +Reported-by: Steve Wise +Tested-by: Steve Wise +Signed-off-by: Sagi Grimberg +[hch: dropped a superflous assignment] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/rdma.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -65,6 +65,7 @@ struct nvmet_rdma_rsp { + + struct nvmet_req req; + ++ bool allocated; + u8 n_rdma; + u32 flags; + u32 invalidate_rkey; +@@ -166,11 +167,19 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_que + unsigned long flags; + + spin_lock_irqsave(&queue->rsps_lock, flags); +- rsp = list_first_entry(&queue->free_rsps, ++ rsp = list_first_entry_or_null(&queue->free_rsps, + struct nvmet_rdma_rsp, free_list); +- list_del(&rsp->free_list); ++ if (likely(rsp)) ++ list_del(&rsp->free_list); + spin_unlock_irqrestore(&queue->rsps_lock, flags); + ++ if (unlikely(!rsp)) { ++ rsp = kmalloc(sizeof(*rsp), GFP_KERNEL); ++ if (unlikely(!rsp)) ++ return NULL; ++ rsp->allocated = true; ++ } ++ + return rsp; + } + +@@ -179,6 +188,11 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp + { + unsigned long flags; + ++ if (rsp->allocated) { ++ kfree(rsp); ++ return; ++ } ++ + spin_lock_irqsave(&rsp->queue->rsps_lock, flags); + list_add_tail(&rsp->free_list, &rsp->queue->free_rsps); + spin_unlock_irqrestore(&rsp->queue->rsps_lock, flags); +@@ -702,6 +716,15 @@ static void nvmet_rdma_recv_done(struct + + cmd->queue = queue; + rsp = nvmet_rdma_get_rsp(queue); ++ if (unlikely(!rsp)) { ++ /* ++ * we get here only under memory pressure, ++ * silently drop and have the host retry ++ * as we can't even fail it. ++ */ ++ nvmet_rdma_post_recv(queue->dev, cmd); ++ return; ++ } + rsp->queue = queue; + rsp->cmd = cmd; + rsp->flags = 0; diff --git a/queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch b/queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch new file mode 100644 index 00000000000..49a6844fc9d --- /dev/null +++ b/queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch @@ -0,0 +1,139 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Kim Phillips +Date: Mon, 27 Aug 2018 12:53:40 -0500 +Subject: perf annotate: Fix parsing aarch64 branch instructions after objdump update + +From: Kim Phillips + +[ Upstream commit 4e67b2a5df5d3f341776d12ee575e00ca3ef92de ] + +Starting with binutils 2.28, aarch64 objdump adds comments to the +disassembly output to show the alternative names of a condition code +[1]. + +It is assumed that commas in objdump comments could occur in other +arches now or in the future, so this fix is arch-independent. + +The fix could have been done with arm64 specific jump__parse and +jump__scnprintf functions, but the jump__scnprintf instruction would +have to have its comment character be a literal, since the scnprintf +functions cannot receive a struct arch easily. + +This inconvenience also applies to the generic jump__scnprintf, which is +why we add a raw_comment pointer to struct ins_operands, so the __parse +function assigns it to be re-used by its corresponding __scnprintf +function. + +Example differences in 'perf annotate --stdio2' output on an aarch64 +perf.data file: + +BEFORE: → b.cs ffff200008133d1c // b.hs, dffff7ecc47b +AFTER : ↓ b.cs 18c + +BEFORE: → b.cc ffff200008d8d9cc // b.lo, b.ul, dffff727295b +AFTER : ↓ b.cc 31c + +The branch target labels 18c and 31c also now appear in the output: + +BEFORE: add x26, x29, #0x80 +AFTER : 18c: add x26, x29, #0x80 + +BEFORE: add x21, x21, #0x8 +AFTER : 31c: add x21, x21, #0x8 + +The Fixes: tag below is added so stable branches will get the update; it +doesn't necessarily mean that commit was broken at the time, rather it +didn't withstand the aarch64 objdump update. + +Tested no difference in output for sample x86_64, power arch perf.data files. + +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=bb7eff5206e4795ac79c177a80fe9f4630aaf730 + +Signed-off-by: Kim Phillips +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Anton Blanchard +Cc: Christian Borntraeger +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Robin Murphy +Cc: Taeung Song +Cc: linux-arm-kernel@lists.infradead.org +Fixes: b13bbeee5ee6 ("perf annotate: Fix branch instruction with multiple operands") +Link: http://lkml.kernel.org/r/20180827125340.a2f7e291901d17cea05daba4@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/annotate.c | 22 +++++++++++++++++++++- + tools/perf/util/annotate.h | 1 + + 2 files changed, 22 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -281,7 +281,19 @@ bool ins__is_call(const struct ins *ins) + return ins->ops == &call_ops || ins->ops == &s390_call_ops; + } + +-static int jump__parse(struct arch *arch __maybe_unused, struct ins_operands *ops, struct map_symbol *ms) ++/* ++ * Prevents from matching commas in the comment section, e.g.: ++ * ffff200008446e70: b.cs ffff2000084470f4 // b.hs, b.nlast ++ */ ++static inline const char *validate_comma(const char *c, struct ins_operands *ops) ++{ ++ if (ops->raw_comment && c > ops->raw_comment) ++ return NULL; ++ ++ return c; ++} ++ ++static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_symbol *ms) + { + struct map *map = ms->map; + struct symbol *sym = ms->sym; +@@ -290,6 +302,10 @@ static int jump__parse(struct arch *arch + }; + const char *c = strchr(ops->raw, ','); + u64 start, end; ++ ++ ops->raw_comment = strchr(ops->raw, arch->objdump.comment_char); ++ c = validate_comma(c, ops); ++ + /* + * Examples of lines to parse for the _cpp_lex_token@@Base + * function: +@@ -309,6 +325,7 @@ static int jump__parse(struct arch *arch + ops->target.addr = strtoull(c, NULL, 16); + if (!ops->target.addr) { + c = strchr(c, ','); ++ c = validate_comma(c, ops); + if (c++ != NULL) + ops->target.addr = strtoull(c, NULL, 16); + } +@@ -366,9 +383,12 @@ static int jump__scnprintf(struct ins *i + return scnprintf(bf, size, "%-6s %s", ins->name, ops->target.sym->name); + + c = strchr(ops->raw, ','); ++ c = validate_comma(c, ops); ++ + if (c != NULL) { + const char *c2 = strchr(c + 1, ','); + ++ c2 = validate_comma(c2, ops); + /* check for 3-op insn */ + if (c2 != NULL) + c = c2; +--- a/tools/perf/util/annotate.h ++++ b/tools/perf/util/annotate.h +@@ -21,6 +21,7 @@ struct ins { + + struct ins_operands { + char *raw; ++ char *raw_comment; + struct { + char *raw; + char *name; diff --git a/queue-4.18/perf-annotate-properly-interpret-indirect-call.patch b/queue-4.18/perf-annotate-properly-interpret-indirect-call.patch new file mode 100644 index 00000000000..b79c2fb4708 --- /dev/null +++ b/queue-4.18/perf-annotate-properly-interpret-indirect-call.patch @@ -0,0 +1,98 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: "Martin LiÅ¡ka" +Date: Thu, 23 Aug 2018 14:29:34 +0200 +Subject: perf annotate: Properly interpret indirect call + +From: "Martin LiÅ¡ka" + +[ Upstream commit 1dc27f63303db58ce1b1a6932d1825305f86d574 ] + +The patch changes the parsing of: + + callq *0x8(%rbx) + +from: + + 0.26 │ → callq *8 + +to: + + 0.26 │ → callq *0x8(%rbx) + +in this case an address is followed by a register, thus one can't parse +only the address. + +Committer testing: + +1) run 'perf record sleep 10' +2) before applying the patch, run: + + perf annotate --stdio2 > /tmp/before + +3) after applying the patch, run: + + perf annotate --stdio2 > /tmp/after + +4) diff /tmp/before /tmp/after: +# --- /tmp/before 2018-08-28 11:16:03.238384143 -0300 +# +++ /tmp/after 2018-08-28 11:15:39.335341042 -0300 +# @@ -13274,7 +13274,7 @@ +# ↓ jle 128 +# hash_value = hash_table->hash_func (key); +# mov 0x8(%rsp),%rdi +# - 0.91 → callq *30 +# + 0.91 → callq *0x30(%r12) +# mov $0x2,%r8d +# cmp $0x2,%eax +# node_hash = hash_table->hashes[node_index]; +# @@ -13848,7 +13848,7 @@ +# mov %r14,%rdi +# sub %rbx,%r13 +# mov %r13,%rdx +# - → callq *38 +# + → callq *0x38(%r15) +# cmp %rax,%r13 +# 1.91 ↓ je 240 +# 1b4: mov $0xffffffff,%r13d +# @@ -14026,7 +14026,7 @@ +# mov %rcx,-0x500(%rbp) +# mov %r15,%rsi +# mov %r14,%rdi +# - → callq *38 +# + → callq *0x38(%rax) +# mov -0x500(%rbp),%rcx +# cmp %rax,%rcx +# ↓ jne 9b0 + + +Signed-off-by: Martin LiÅ¡ka +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Kim Phillips +Cc: Jiri Olsa +Link: http://lkml.kernel.org/r/bd1f3932-be2b-85f9-7582-111ee0a43b07@suse.cz +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/annotate.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -245,8 +245,14 @@ find_target: + + indirect_call: + tok = strchr(endptr, '*'); +- if (tok != NULL) +- ops->target.addr = strtoull(tok + 1, NULL, 16); ++ if (tok != NULL) { ++ endptr++; ++ ++ /* Indirect call can use a non-rip register and offset: callq *0x8(%rbx). ++ * Do not parse such instruction. */ ++ if (strstr(endptr, "(%r") == NULL) ++ ops->target.addr = strtoull(endptr, NULL, 16); ++ } + goto find_target; + } + diff --git a/queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch b/queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch new file mode 100644 index 00000000000..6c03378ec91 --- /dev/null +++ b/queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Hisao Tanabe +Date: Sat, 25 Aug 2018 00:45:56 +0900 +Subject: perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx() + +From: Hisao Tanabe + +[ Upstream commit fd8d2702791a970c751f8b526a17d8e725a05b46 ] + +If evsel is NULL, we should return NULL to avoid a NULL pointer +dereference a bit later in the code. + +Signed-off-by: Hisao Tanabe +Acked-by: Namhyung Kim +Cc: Jiri Olsa +Cc: Wang Nan +Fixes: 03e0a7df3efd ("perf tools: Introduce bpf-output event") +LPU-Reference: 20180824154556.23428-1-xtanabe@gmail.com +Link: https://lkml.kernel.org/n/tip-e5plzjhx6595a5yjaf22jss3@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -251,8 +251,9 @@ struct perf_evsel *perf_evsel__new_idx(s + { + struct perf_evsel *evsel = zalloc(perf_evsel__object.size); + +- if (evsel != NULL) +- perf_evsel__init(evsel, attr, idx); ++ if (!evsel) ++ return NULL; ++ perf_evsel__init(evsel, attr, idx); + + if (perf_evsel__is_bpf_output(evsel)) { + evsel->attr.sample_type |= (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | diff --git a/queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch b/queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch new file mode 100644 index 00000000000..e413091e8eb --- /dev/null +++ b/queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Sandipan Das +Date: Tue, 28 Aug 2018 14:38:48 +0530 +Subject: perf probe powerpc: Ignore SyS symbols irrespective of endianness + +From: Sandipan Das + +[ Upstream commit fa694160cca6dbba17c57dc7efec5f93feaf8795 ] + +This makes sure that the SyS symbols are ignored for any powerpc system, +not just the big endian ones. + +Reported-by: Naveen N. Rao +Signed-off-by: Sandipan Das +Reviewed-by: Kamalesh Babulal +Acked-by: Naveen N. Rao +Cc: Jiri Olsa +Cc: Ravi Bangoria +Fixes: fb6d59423115 ("perf probe ppc: Use the right prefix when ignoring SyS symbols on ppc") +Link: http://lkml.kernel.org/r/20180828090848.1914-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/sym-handling.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/sym-handling.c ++++ b/tools/perf/arch/powerpc/util/sym-handling.c +@@ -22,15 +22,16 @@ bool elf__needs_adjust_symbols(GElf_Ehdr + + #endif + +-#if !defined(_CALL_ELF) || _CALL_ELF != 2 + int arch__choose_best_symbol(struct symbol *syma, + struct symbol *symb __maybe_unused) + { + char *sym = syma->name; + ++#if !defined(_CALL_ELF) || _CALL_ELF != 2 + /* Skip over any initial dot */ + if (*sym == '.') + sym++; ++#endif + + /* Avoid "SyS" kernel syscall aliases */ + if (strlen(sym) >= 3 && !strncmp(sym, "SyS", 3)) +@@ -41,6 +42,7 @@ int arch__choose_best_symbol(struct symb + return SYMBOL_A; + } + ++#if !defined(_CALL_ELF) || _CALL_ELF != 2 + /* Allow matching against dot variants */ + int arch__compare_symbol_names(const char *namea, const char *nameb) + { diff --git a/queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch b/queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch new file mode 100644 index 00000000000..f115b219d96 --- /dev/null +++ b/queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Chris Phlipot +Date: Tue, 28 Aug 2018 23:19:54 -0700 +Subject: perf util: Fix bad memory access in trace info. + +From: Chris Phlipot + +[ Upstream commit a72f64261359b7451f8478f2a2bf357b4e6c757f ] + +In the write to the output_fd in the error condition of +record_saved_cmdline(), we are writing 8 bytes from a memory location on +the stack that contains a primitive that is only 4 bytes in size. +Change the primitive to 8 bytes in size to match the size of the write +in order to avoid reading unknown memory from the stack. + +Signed-off-by: Chris Phlipot +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180829061954.18871-1-cphlipot0@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/trace-event-info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/trace-event-info.c ++++ b/tools/perf/util/trace-event-info.c +@@ -377,7 +377,7 @@ out: + + static int record_saved_cmdline(void) + { +- unsigned int size; ++ unsigned long long size; + char *path; + struct stat st; + int ret, err = 0; diff --git a/queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch b/queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch new file mode 100644 index 00000000000..3e66431a588 --- /dev/null +++ b/queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Jacek Tomaka +Date: Thu, 2 Aug 2018 09:38:30 +0800 +Subject: perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs + +From: Jacek Tomaka + +[ Upstream commit 16160c1946b702dcfa95ef63389a56deb2f1c7cb ] + +Problem: perf did not show branch predicted/mispredicted bit in brstack. + +Output of perf -F brstack for profile collected + +Before: + + 0x4fdbcd/0x4fdc03/-/-/-/0 + 0x45f4c1/0x4fdba0/-/-/-/0 + 0x45f544/0x45f4bb/-/-/-/0 + 0x45f555/0x45f53c/-/-/-/0 + 0x7f66901cc24b/0x45f555/-/-/-/0 + 0x7f66901cc22e/0x7f66901cc23d/-/-/-/0 + 0x7f66901cc1ff/0x7f66901cc20f/-/-/-/0 + 0x7f66901cc1e8/0x7f66901cc1fc/-/-/-/0 + +After: + + 0x4fdbcd/0x4fdc03/P/-/-/0 + 0x45f4c1/0x4fdba0/P/-/-/0 + 0x45f544/0x45f4bb/P/-/-/0 + 0x45f555/0x45f53c/P/-/-/0 + 0x7f66901cc24b/0x45f555/P/-/-/0 + 0x7f66901cc22e/0x7f66901cc23d/P/-/-/0 + 0x7f66901cc1ff/0x7f66901cc20f/P/-/-/0 + 0x7f66901cc1e8/0x7f66901cc1fc/P/-/-/0 + +Cause: + +As mentioned in Software Development Manual vol 3, 17.4.8.1, +IA32_PERF_CAPABILITIES[5:0] indicates the format of the address that is +stored in the LBR stack. Knights Landing reports 1 (LBR_FORMAT_LIP) as +its format. Despite that, registers containing FROM address of the branch, +do have MISPREDICT bit but because of the format indicated in +IA32_PERF_CAPABILITIES[5:0], LBR did not read MISPREDICT bit. + +Solution: + +Teach LBR about above Knights Landing quirk and make it read MISPREDICT bit. + +Signed-off-by: Jacek Tomaka +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180802013830.10600-1-jacekt@dugeo.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/lbr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -1250,4 +1250,8 @@ void intel_pmu_lbr_init_knl(void) + + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = snb_lbr_sel_map; ++ ++ /* Knights Landing does have MISPREDICT bit */ ++ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_LIP) ++ x86_pmu.intel_cap.lbr_format = LBR_FORMAT_EIP_FLAGS; + } diff --git a/queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch b/queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch new file mode 100644 index 00000000000..c756a75e1b9 --- /dev/null +++ b/queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch @@ -0,0 +1,93 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Stephen Boyd +Date: Thu, 16 Aug 2018 13:06:46 -0700 +Subject: pinctrl: msm: Really mask level interrupts to prevent latching + +From: Stephen Boyd + +[ Upstream commit b55326dc969ea2d704a008d9a97583b128f54f4f ] + +The interrupt controller hardware in this pin controller has two status +enable bits. The first "normal" status enable bit enables or disables +the summary interrupt line being raised when a gpio interrupt triggers +and the "raw" status enable bit allows or prevents the hardware from +latching an interrupt into the status register for a gpio interrupt. +Currently we just toggle the "normal" status enable bit in the mask and +unmask ops so that the summary irq interrupt going to the CPU's +interrupt controller doesn't trigger for the masked gpio interrupt. + +For a level triggered interrupt, the flow would be as follows: the pin +controller sees the interrupt, latches the status into the status +register, raises the summary irq to the CPU, summary irq handler runs +and calls handle_level_irq(), handle_level_irq() masks and acks the gpio +interrupt, the interrupt handler runs, and finally unmask the interrupt. +When the interrupt handler completes, we expect that the interrupt line +level will go back to the deasserted state so the genirq code can unmask +the interrupt without it triggering again. + +If we only mask the interrupt by clearing the "normal" status enable bit +then we'll ack the interrupt but it will continue to show up as pending +in the status register because the raw status bit is enabled, the +hardware hasn't deasserted the line, and thus the asserted state latches +into the status register again. When the hardware deasserts the +interrupt the pin controller still thinks there is a pending unserviced +level interrupt because it latched it earlier. This behavior causes +software to see an extra interrupt for level type interrupts each time +the interrupt is handled. + +Let's fix this by clearing the raw status enable bit for level type +interrupts so that the hardware stops latching the status of the +interrupt after we ack it. We don't do this for edge type interrupts +because it seems that toggling the raw status enable bit for edge type +interrupts causes spurious edge interrupts. + +Signed-off-by: Stephen Boyd +Reviewed-by: Douglas Anderson +Reviewed-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -634,6 +634,29 @@ static void msm_gpio_irq_mask(struct irq + raw_spin_lock_irqsave(&pctrl->lock, flags); + + val = readl(pctrl->regs + g->intr_cfg_reg); ++ /* ++ * There are two bits that control interrupt forwarding to the CPU. The ++ * RAW_STATUS_EN bit causes the level or edge sensed on the line to be ++ * latched into the interrupt status register when the hardware detects ++ * an irq that it's configured for (either edge for edge type or level ++ * for level type irq). The 'non-raw' status enable bit causes the ++ * hardware to assert the summary interrupt to the CPU if the latched ++ * status bit is set. There's a bug though, the edge detection logic ++ * seems to have a problem where toggling the RAW_STATUS_EN bit may ++ * cause the status bit to latch spuriously when there isn't any edge ++ * so we can't touch that bit for edge type irqs and we have to keep ++ * the bit set anyway so that edges are latched while the line is masked. ++ * ++ * To make matters more complicated, leaving the RAW_STATUS_EN bit ++ * enabled all the time causes level interrupts to re-latch into the ++ * status register because the level is still present on the line after ++ * we ack it. We clear the raw status enable bit during mask here and ++ * set the bit on unmask so the interrupt can't latch into the hardware ++ * while it's masked. ++ */ ++ if (irqd_get_trigger_type(d) & IRQ_TYPE_LEVEL_MASK) ++ val &= ~BIT(g->intr_raw_status_bit); ++ + val &= ~BIT(g->intr_enable_bit); + writel(val, pctrl->regs + g->intr_cfg_reg); + +@@ -655,6 +678,7 @@ static void msm_gpio_irq_unmask(struct i + raw_spin_lock_irqsave(&pctrl->lock, flags); + + val = readl(pctrl->regs + g->intr_cfg_reg); ++ val |= BIT(g->intr_raw_status_bit); + val |= BIT(g->intr_enable_bit); + writel(val, pctrl->regs + g->intr_cfg_reg); + diff --git a/queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch b/queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch new file mode 100644 index 00000000000..a1683f5e169 --- /dev/null +++ b/queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Kai-Heng Feng +Date: Tue, 11 Sep 2018 01:51:43 +0800 +Subject: r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED + +From: Kai-Heng Feng + +[ Upstream commit 6ad569019999300afd8e614d296fdc356550b77f ] + +After system suspend, sometimes the r8169 doesn't work when ethernet +cable gets pluggued. + +This issue happens because rtl_reset_work() doesn't get called from +rtl8169_runtime_resume(), after system suspend. + +In rtl_task(), RTL_FLAG_TASK_* only gets cleared if this condition is +met: +if (!netif_running(dev) || + !test_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags)) + ... + +If RTL_FLAG_TASK_ENABLED was cleared during system suspend while +RTL_FLAG_TASK_RESET_PENDING was set, the next rtl_schedule_task() won't +schedule task as the flag is still there. + +So in addition to clearing RTL_FLAG_TASK_ENABLED, also clears other +flags. + +Cc: Heiner Kallweit +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -730,7 +730,7 @@ struct rtl8169_tc_offsets { + }; + + enum rtl_flag { +- RTL_FLAG_TASK_ENABLED, ++ RTL_FLAG_TASK_ENABLED = 0, + RTL_FLAG_TASK_SLOW_PENDING, + RTL_FLAG_TASK_RESET_PENDING, + RTL_FLAG_TASK_PHY_PENDING, +@@ -7125,7 +7125,8 @@ static int rtl8169_close(struct net_devi + rtl8169_update_counters(tp); + + rtl_lock_work(tp); +- clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags); ++ /* Clear all task flags */ ++ bitmap_zero(tp->wk.flags, RTL_FLAG_MAX); + + rtl8169_down(dev); + rtl_unlock_work(tp); +@@ -7301,7 +7302,9 @@ static void rtl8169_net_suspend(struct n + + rtl_lock_work(tp); + napi_disable(&tp->napi); +- clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags); ++ /* Clear all task flags */ ++ bitmap_zero(tp->wk.flags, RTL_FLAG_MAX); ++ + rtl_unlock_work(tp); + + rtl_pll_power_down(tp); diff --git a/queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch b/queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch new file mode 100644 index 00000000000..2344e10f2d3 --- /dev/null +++ b/queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: "Maciej S. Szmigiero" +Date: Fri, 7 Sep 2018 20:15:22 +0200 +Subject: r8169: set TxConfig register after TX / RX is enabled, just like RxConfig + +From: "Maciej S. Szmigiero" + +[ Upstream commit f74dd480cf4e31e12971c58a1d832044db945670 ] + +Commit 3559d81e76bf ("r8169: simplify rtl_hw_start_8169") changed order of +two register writes: +1) Caused RxConfig to be written before TX / RX is enabled, +2) Caused TxConfig to be written before TX / RX is enabled. + +At least on XIDs 10000000 ("RTL8169sb/8110sb") and +18000000 ("RTL8169sc/8110sc") such writes are ignored by the chip, leaving +values in these registers intact. + +Change 1) was reverted by +commit 05212ba8132b42 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices"), +however change 2) wasn't. + +In practice, this caused TxConfig's "InterFrameGap time" and "Max DMA Burst +Size per Tx DMA Burst" bits to be zero dramatically reducing TX performance +(in my tests it dropped from around 500Mbps to around 50Mbps). + +This patch fixes the issue by moving TxConfig register write a bit later in +the code so it happens after TX / RX is already enabled. + +Fixes: 05212ba8132b42 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices") +Signed-off-by: Maciej S. Szmigiero +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5150,13 +5150,13 @@ static void rtl_hw_start(struct rtl8169 + + rtl_set_rx_max_size(tp); + rtl_set_rx_tx_desc_registers(tp); +- rtl_set_tx_config_registers(tp); + RTL_W8(tp, Cfg9346, Cfg9346_Lock); + + /* Initially a 10 us delay. Turned it into a PCI commit. - FR */ + RTL_R8(tp, IntrMask); + RTL_W8(tp, ChipCmd, CmdTxEnb | CmdRxEnb); + rtl_init_rxcfg(tp); ++ rtl_set_tx_config_registers(tp); + + rtl_set_rx_mode(tp->dev); + /* no early-rx interrupts */ diff --git a/queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch b/queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch new file mode 100644 index 00000000000..5063fdd4344 --- /dev/null +++ b/queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Jann Horn +Date: Mon, 3 Sep 2018 18:54:14 +0200 +Subject: RDMA/ucma: check fd type in ucma_migrate_id() + +From: Jann Horn + +[ Upstream commit 0d23ba6034b9cf48b8918404367506da3e4b3ee5 ] + +The current code grabs the private_data of whatever file descriptor +userspace has supplied and implicitly casts it to a `struct ucma_file *`, +potentially causing a type confusion. + +This is probably fine in practice because the pointer is only used for +comparisons, it is never actually dereferenced; and even in the +comparisons, it is unlikely that a file from another filesystem would have +a ->private_data pointer that happens to also be valid in this context. +But ->private_data is not always guaranteed to be a valid pointer to an +object owned by the file's filesystem; for example, some filesystems just +cram numbers in there. + +Check the type of the supplied file descriptor to be safe, analogous to how +other places in the kernel do it. + +Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") +Signed-off-by: Jann Horn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -124,6 +124,8 @@ static DEFINE_MUTEX(mut); + static DEFINE_IDR(ctx_idr); + static DEFINE_IDR(multicast_idr); + ++static const struct file_operations ucma_fops; ++ + static inline struct ucma_context *_ucma_find_context(int id, + struct ucma_file *file) + { +@@ -1581,6 +1583,10 @@ static ssize_t ucma_migrate_id(struct uc + f = fdget(cmd.fd); + if (!f.file) + return -ENOENT; ++ if (f.file->f_op != &ucma_fops) { ++ ret = -EINVAL; ++ goto file_put; ++ } + + /* Validate current fd and prevent destruction of id. */ + ctx = ucma_get_ctx(f.file->private_data, cmd.id); diff --git a/queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch b/queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch new file mode 100644 index 00000000000..10b402077cc --- /dev/null +++ b/queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Matt Ranostay +Date: Sat, 25 Aug 2018 02:00:48 -0700 +Subject: Revert "iio: temperature: maxim_thermocouple: add MAX31856 part" + +From: Matt Ranostay + +[ Upstream commit 65099ea85e885c3ea1272eca8774b771419d8ce8 ] + +This reverts commit 535fba29b3e1afef4ba201b3c69a6992583ec0bd. + +Seems the submitter (er me, hang head in shame) didn't look at the datasheet +enough to see that the registers are quite different. + +This needs to be reverted because a) would never work b) to open it be added +to a Maxim RTDs (Resistance Temperature Detectors) under development by author + +Signed-off-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/temperature/maxim_thermocouple.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/iio/temperature/maxim_thermocouple.c ++++ b/drivers/iio/temperature/maxim_thermocouple.c +@@ -258,7 +258,6 @@ static int maxim_thermocouple_remove(str + static const struct spi_device_id maxim_thermocouple_id[] = { + {"max6675", MAX6675}, + {"max31855", MAX31855}, +- {"max31856", MAX31855}, + {}, + }; + MODULE_DEVICE_TABLE(spi, maxim_thermocouple_id); diff --git a/queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch b/queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch new file mode 100644 index 00000000000..c26d1f2af88 --- /dev/null +++ b/queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Guenter Roeck +Date: Tue, 28 Aug 2018 17:33:46 -0700 +Subject: riscv: Do not overwrite initrd_start and initrd_end + +From: Guenter Roeck + +[ Upstream commit e866d3e84eb7c9588afb77604d417e8cc49fe216 ] + +setup_initrd() overwrites initrd_start and initrd_end if __initramfs_size +is larger than 0, which is always true even if there is no embedded +initramfs. This prevents booting qemu with "-initrd" parameter. +Overwriting initrd_start and initrd_end is not necessary since +__initramfs_start and __initramfs_size are used directly in +populate_rootfs() to load the built-in initramfs, so just drop +that code. + +Signed-off-by: Guenter Roeck +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/setup.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/arch/riscv/kernel/setup.c ++++ b/arch/riscv/kernel/setup.c +@@ -64,15 +64,8 @@ atomic_t hart_lottery; + #ifdef CONFIG_BLK_DEV_INITRD + static void __init setup_initrd(void) + { +- extern char __initramfs_start[]; +- extern unsigned long __initramfs_size; + unsigned long size; + +- if (__initramfs_size > 0) { +- initrd_start = (unsigned long)(&__initramfs_start); +- initrd_end = initrd_start + __initramfs_size; +- } +- + if (initrd_start >= initrd_end) { + printk(KERN_INFO "initrd not found or empty"); + goto disable; diff --git a/queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch b/queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch new file mode 100644 index 00000000000..ceb536bdc8d --- /dev/null +++ b/queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Julian Wiedmann +Date: Wed, 12 Sep 2018 15:31:35 +0200 +Subject: s390/qeth: don't dump past end of unknown HW header + +From: Julian Wiedmann + +[ Upstream commit 0ac1487c4b2de383b91ecad1be561b8f7a2c15f4 ] + +For inbound data with an unsupported HW header format, only dump the +actual HW header. We have no idea how much payload follows it, and what +it contains. Worst case, we dump past the end of the Inbound Buffer and +access whatever is located next in memory. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_l2_main.c | 2 +- + drivers/s390/net/qeth_l3_main.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -425,7 +425,7 @@ static int qeth_l2_process_inbound_buffe + default: + dev_kfree_skb_any(skb); + QETH_CARD_TEXT(card, 3, "inbunkno"); +- QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN); ++ QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr)); + continue; + } + work_done++; +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -1390,7 +1390,7 @@ static int qeth_l3_process_inbound_buffe + default: + dev_kfree_skb_any(skb); + QETH_CARD_TEXT(card, 3, "inbunkno"); +- QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN); ++ QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr)); + continue; + } + work_done++; diff --git a/queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch b/queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch new file mode 100644 index 00000000000..234590ae571 --- /dev/null +++ b/queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Wenjia Zhang +Date: Wed, 12 Sep 2018 15:31:34 +0200 +Subject: s390/qeth: use vzalloc for QUERY OAT buffer + +From: Wenjia Zhang + +[ Upstream commit aec45e857c5538664edb76a60dd452e3265f37d1 ] + +qeth_query_oat_command() currently allocates the kernel buffer for +the SIOC_QETH_QUERY_OAT ioctl with kzalloc. So on systems with +fragmented memory, large allocations may fail (eg. the qethqoat tool by +default uses 132KB). + +Solve this issue by using vzalloc, backing the allocation with +non-contiguous memory. + +Signed-off-by: Wenjia Zhang +Reviewed-by: Julian Wiedmann +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -4738,7 +4739,7 @@ static int qeth_query_oat_command(struct + + priv.buffer_len = oat_data.buffer_len; + priv.response_len = 0; +- priv.buffer = kzalloc(oat_data.buffer_len, GFP_KERNEL); ++ priv.buffer = vzalloc(oat_data.buffer_len); + if (!priv.buffer) { + rc = -ENOMEM; + goto out; +@@ -4779,7 +4780,7 @@ static int qeth_query_oat_command(struct + rc = -EFAULT; + + out_free: +- kfree(priv.buffer); ++ vfree(priv.buffer); + out: + return rc; + } diff --git a/queue-4.18/sched-topology-set-correct-numa-topology-type.patch b/queue-4.18/sched-topology-set-correct-numa-topology-type.patch new file mode 100644 index 00000000000..cccd8be8dce --- /dev/null +++ b/queue-4.18/sched-topology-set-correct-numa-topology-type.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Srikar Dronamraju +Date: Fri, 10 Aug 2018 22:30:18 +0530 +Subject: sched/topology: Set correct NUMA topology type + +From: Srikar Dronamraju + +[ Upstream commit e5e96fafd9028b1478b165db78c52d981c14f471 ] + +With the following commit: + + 051f3ca02e46 ("sched/topology: Introduce NUMA identity node sched domain") + +the scheduler introduced a new NUMA level. However this leads to the NUMA topology +on 2 node systems to not be marked as NUMA_DIRECT anymore. + +After this commit, it gets reported as NUMA_BACKPLANE, because +sched_domains_numa_level is now 2 on 2 node systems. + +Fix this by allowing setting systems that have up to 2 NUMA levels as +NUMA_DIRECT. + +While here remove code that assumes that level can be 0. + +Signed-off-by: Srikar Dronamraju +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andre Wild +Cc: Heiko Carstens +Cc: Linus Torvalds +Cc: Mel Gorman +Cc: Michael Ellerman +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Suravee Suthikulpanit +Cc: Thomas Gleixner +Cc: linuxppc-dev +Fixes: 051f3ca02e46 "Introduce NUMA identity node sched domain" +Link: http://lkml.kernel.org/r/1533920419-17410-1-git-send-email-srikar@linux.vnet.ibm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/topology.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1295,7 +1295,7 @@ static void init_numa_topology_type(void + + n = sched_max_numa_distance; + +- if (sched_domains_numa_levels <= 1) { ++ if (sched_domains_numa_levels <= 2) { + sched_numa_topology_type = NUMA_DIRECT; + return; + } +@@ -1380,9 +1380,6 @@ void sched_init_numa(void) + break; + } + +- if (!level) +- return; +- + /* + * 'level' contains the number of unique distances + * diff --git a/queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch b/queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch new file mode 100644 index 00000000000..fb0ca9d1586 --- /dev/null +++ b/queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch @@ -0,0 +1,281 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Mike Christie +Date: Mon, 27 Aug 2018 14:45:16 -0500 +Subject: scsi: iscsi: target: Fix conn_ops double free + +From: Mike Christie + +[ Upstream commit 05a86e78ea9823ec25b3515db078dd8a76fc263c ] + +If iscsi_login_init_conn fails it can free conn_ops. +__iscsi_target_login_thread will then call iscsi_target_login_sess_out +which will also free it. + +This fixes the problem by organizing conn allocation/setup into parts that +are needed through the life of the conn and parts that are only needed for +the login. The free functions then release what was allocated in the alloc +functions. + +With this patch we have: + +iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the +entire life of the conn. + +iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts +of the conn that are only needed during login. + +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target.c | 9 - + drivers/target/iscsi/iscsi_target_login.c | 141 +++++++++++++++--------------- + drivers/target/iscsi/iscsi_target_login.h | 2 + 3 files changed, 77 insertions(+), 75 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4211,22 +4211,15 @@ int iscsit_close_connection( + crypto_free_ahash(tfm); + } + +- free_cpumask_var(conn->conn_cpumask); +- +- kfree(conn->conn_ops); +- conn->conn_ops = NULL; +- + if (conn->sock) + sock_release(conn->sock); + + if (conn->conn_transport->iscsit_free_conn) + conn->conn_transport->iscsit_free_conn(conn); + +- iscsit_put_transport(conn->conn_transport); +- + pr_debug("Moving to TARG_CONN_STATE_FREE.\n"); + conn->conn_state = TARG_CONN_STATE_FREE; +- kfree(conn); ++ iscsit_free_conn(conn); + + spin_lock_bh(&sess->conn_lock); + atomic_dec(&sess->nconn); +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -67,45 +67,10 @@ static struct iscsi_login *iscsi_login_i + goto out_req_buf; + } + +- conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL); +- if (!conn->conn_ops) { +- pr_err("Unable to allocate memory for" +- " struct iscsi_conn_ops.\n"); +- goto out_rsp_buf; +- } +- +- init_waitqueue_head(&conn->queues_wq); +- INIT_LIST_HEAD(&conn->conn_list); +- INIT_LIST_HEAD(&conn->conn_cmd_list); +- INIT_LIST_HEAD(&conn->immed_queue_list); +- INIT_LIST_HEAD(&conn->response_queue_list); +- init_completion(&conn->conn_post_wait_comp); +- init_completion(&conn->conn_wait_comp); +- init_completion(&conn->conn_wait_rcfr_comp); +- init_completion(&conn->conn_waiting_on_uc_comp); +- init_completion(&conn->conn_logout_comp); +- init_completion(&conn->rx_half_close_comp); +- init_completion(&conn->tx_half_close_comp); +- init_completion(&conn->rx_login_comp); +- spin_lock_init(&conn->cmd_lock); +- spin_lock_init(&conn->conn_usage_lock); +- spin_lock_init(&conn->immed_queue_lock); +- spin_lock_init(&conn->nopin_timer_lock); +- spin_lock_init(&conn->response_queue_lock); +- spin_lock_init(&conn->state_lock); +- +- if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) { +- pr_err("Unable to allocate conn->conn_cpumask\n"); +- goto out_conn_ops; +- } + conn->conn_login = login; + + return login; + +-out_conn_ops: +- kfree(conn->conn_ops); +-out_rsp_buf: +- kfree(login->rsp_buf); + out_req_buf: + kfree(login->req_buf); + out_login: +@@ -1155,6 +1120,75 @@ iscsit_conn_set_transport(struct iscsi_c + return 0; + } + ++static struct iscsi_conn *iscsit_alloc_conn(struct iscsi_np *np) ++{ ++ struct iscsi_conn *conn; ++ ++ conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL); ++ if (!conn) { ++ pr_err("Could not allocate memory for new connection\n"); ++ return NULL; ++ } ++ pr_debug("Moving to TARG_CONN_STATE_FREE.\n"); ++ conn->conn_state = TARG_CONN_STATE_FREE; ++ ++ init_waitqueue_head(&conn->queues_wq); ++ INIT_LIST_HEAD(&conn->conn_list); ++ INIT_LIST_HEAD(&conn->conn_cmd_list); ++ INIT_LIST_HEAD(&conn->immed_queue_list); ++ INIT_LIST_HEAD(&conn->response_queue_list); ++ init_completion(&conn->conn_post_wait_comp); ++ init_completion(&conn->conn_wait_comp); ++ init_completion(&conn->conn_wait_rcfr_comp); ++ init_completion(&conn->conn_waiting_on_uc_comp); ++ init_completion(&conn->conn_logout_comp); ++ init_completion(&conn->rx_half_close_comp); ++ init_completion(&conn->tx_half_close_comp); ++ init_completion(&conn->rx_login_comp); ++ spin_lock_init(&conn->cmd_lock); ++ spin_lock_init(&conn->conn_usage_lock); ++ spin_lock_init(&conn->immed_queue_lock); ++ spin_lock_init(&conn->nopin_timer_lock); ++ spin_lock_init(&conn->response_queue_lock); ++ spin_lock_init(&conn->state_lock); ++ ++ timer_setup(&conn->nopin_response_timer, ++ iscsit_handle_nopin_response_timeout, 0); ++ timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0); ++ ++ if (iscsit_conn_set_transport(conn, np->np_transport) < 0) ++ goto free_conn; ++ ++ conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL); ++ if (!conn->conn_ops) { ++ pr_err("Unable to allocate memory for struct iscsi_conn_ops.\n"); ++ goto put_transport; ++ } ++ ++ if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) { ++ pr_err("Unable to allocate conn->conn_cpumask\n"); ++ goto free_mask; ++ } ++ ++ return conn; ++ ++free_mask: ++ free_cpumask_var(conn->conn_cpumask); ++put_transport: ++ iscsit_put_transport(conn->conn_transport); ++free_conn: ++ kfree(conn); ++ return NULL; ++} ++ ++void iscsit_free_conn(struct iscsi_conn *conn) ++{ ++ free_cpumask_var(conn->conn_cpumask); ++ kfree(conn->conn_ops); ++ iscsit_put_transport(conn->conn_transport); ++ kfree(conn); ++} ++ + void iscsi_target_login_sess_out(struct iscsi_conn *conn, + struct iscsi_np *np, bool zero_tsih, bool new_sess) + { +@@ -1208,10 +1242,6 @@ old_sess_out: + crypto_free_ahash(tfm); + } + +- free_cpumask_var(conn->conn_cpumask); +- +- kfree(conn->conn_ops); +- + if (conn->param_list) { + iscsi_release_param_list(conn->param_list); + conn->param_list = NULL; +@@ -1229,8 +1259,7 @@ old_sess_out: + if (conn->conn_transport->iscsit_free_conn) + conn->conn_transport->iscsit_free_conn(conn); + +- iscsit_put_transport(conn->conn_transport); +- kfree(conn); ++ iscsit_free_conn(conn); + } + + static int __iscsi_target_login_thread(struct iscsi_np *np) +@@ -1260,31 +1289,16 @@ static int __iscsi_target_login_thread(s + } + spin_unlock_bh(&np->np_thread_lock); + +- conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL); ++ conn = iscsit_alloc_conn(np); + if (!conn) { +- pr_err("Could not allocate memory for" +- " new connection\n"); + /* Get another socket */ + return 1; + } +- pr_debug("Moving to TARG_CONN_STATE_FREE.\n"); +- conn->conn_state = TARG_CONN_STATE_FREE; +- +- timer_setup(&conn->nopin_response_timer, +- iscsit_handle_nopin_response_timeout, 0); +- timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0); +- +- if (iscsit_conn_set_transport(conn, np->np_transport) < 0) { +- kfree(conn); +- return 1; +- } + + rc = np->np_transport->iscsit_accept_np(np, conn); + if (rc == -ENOSYS) { + complete(&np->np_restart_comp); +- iscsit_put_transport(conn->conn_transport); +- kfree(conn); +- conn = NULL; ++ iscsit_free_conn(conn); + goto exit; + } else if (rc < 0) { + spin_lock_bh(&np->np_thread_lock); +@@ -1292,17 +1306,13 @@ static int __iscsi_target_login_thread(s + np->np_thread_state = ISCSI_NP_THREAD_ACTIVE; + spin_unlock_bh(&np->np_thread_lock); + complete(&np->np_restart_comp); +- iscsit_put_transport(conn->conn_transport); +- kfree(conn); +- conn = NULL; ++ iscsit_free_conn(conn); + /* Get another socket */ + return 1; + } + spin_unlock_bh(&np->np_thread_lock); +- iscsit_put_transport(conn->conn_transport); +- kfree(conn); +- conn = NULL; +- goto out; ++ iscsit_free_conn(conn); ++ return 1; + } + /* + * Perform the remaining iSCSI connection initialization items.. +@@ -1452,7 +1462,6 @@ old_sess_out: + tpg_np = NULL; + } + +-out: + return 1; + + exit: +--- a/drivers/target/iscsi/iscsi_target_login.h ++++ b/drivers/target/iscsi/iscsi_target_login.h +@@ -19,7 +19,7 @@ extern int iscsi_target_setup_login_sock + extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *); + extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *); + extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32); +-extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *); ++extern void iscsit_free_conn(struct iscsi_conn *); + extern int iscsit_start_kthreads(struct iscsi_conn *); + extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8); + extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *, diff --git a/queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch b/queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch new file mode 100644 index 00000000000..eff7472f27e --- /dev/null +++ b/queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch @@ -0,0 +1,105 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Vincent Pelletier +Date: Mon, 27 Aug 2018 14:45:15 -0500 +Subject: scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails + +From: Vincent Pelletier + +[ Upstream commit 7915919bb94e12460c58e27c708472e6f85f6699 ] + +Fixes a use-after-free reported by KASAN when later +iscsi_target_login_sess_out gets called and it tries to access +conn->sess->se_sess: + +Disabling lock debugging due to kernel taint +iSCSI Login timeout on Network Portal [::]:3260 +iSCSI Login negotiation failed. +================================================================== +BUG: KASAN: use-after-free in +iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod] +Read of size 8 at addr ffff880109d070c8 by task iscsi_np/980 + +CPU: 1 PID: 980 Comm: iscsi_np Tainted: G O +4.17.8kasan.sess.connops+ #4 +Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, +BIOS 5.6.5 05/19/2014 +Call Trace: + dump_stack+0x71/0xac + print_address_description+0x65/0x22e + ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod] + kasan_report.cold.6+0x241/0x2fd + iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod] + iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod] + ? __sched_text_start+0x8/0x8 + ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod] + ? __kthread_parkme+0xcc/0x100 + ? parse_args.cold.14+0xd3/0xd3 + ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod] + kthread+0x1a0/0x1c0 + ? kthread_bind+0x30/0x30 + ret_from_fork+0x35/0x40 + +Allocated by task 980: + kasan_kmalloc+0xbf/0xe0 + kmem_cache_alloc_trace+0x112/0x210 + iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod] + kthread+0x1a0/0x1c0 + ret_from_fork+0x35/0x40 + +Freed by task 980: + __kasan_slab_free+0x125/0x170 + kfree+0x90/0x1d0 + iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod] + kthread+0x1a0/0x1c0 + ret_from_fork+0x35/0x40 + +The buggy address belongs to the object at ffff880109d06f00 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 456 bytes inside of + 512-byte region [ffff880109d06f00, ffff880109d07100) +The buggy address belongs to the page: +page:ffffea0004274180 count:1 mapcount:0 mapping:0000000000000000 +index:0x0 compound_mapcount: 0 +flags: 0x17fffc000008100(slab|head) +raw: 017fffc000008100 0000000000000000 0000000000000000 00000001000c000c +raw: dead000000000100 dead000000000200 ffff88011b002e00 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +================================================================== + +Signed-off-by: Vincent Pelletier +[rebased against idr/ida changes and to handle ret review comments from Matthew] +Signed-off-by: Mike Christie +Cc: Matthew Wilcox +Reviewed-by: Matthew Wilcox +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_login.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1( + return -ENOMEM; + } + +- ret = iscsi_login_set_conn_values(sess, conn, pdu->cid); +- if (unlikely(ret)) { +- kfree(sess); +- return ret; +- } ++ if (iscsi_login_set_conn_values(sess, conn, pdu->cid)) ++ goto free_sess; ++ + sess->init_task_tag = pdu->itt; + memcpy(&sess->isid, pdu->isid, 6); + sess->exp_cmd_sn = be32_to_cpu(pdu->cmdsn); diff --git a/queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch b/queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch new file mode 100644 index 00000000000..de26b642785 --- /dev/null +++ b/queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch @@ -0,0 +1,117 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Nilesh Javali +Date: Wed, 29 Aug 2018 23:55:53 -0700 +Subject: scsi: qedi: Add the CRC size within iSCSI NVM image + +From: Nilesh Javali + +[ Upstream commit c77a2fa3ff8f73d1a485e67e6f81c64823739d59 ] + +The QED driver commit, 1ac4329a1cff ("qed: Add configuration information +to register dump and debug data"), removes the CRC length validation +causing nvm_get_image failure while loading qedi driver: + +[qed_mcp_get_nvm_image:2700(host_10-0)]Image [0] is too big - 00006008 bytes +where only 00006004 are available +[qedi_get_boot_info:2253]:10: Could not get NVM image. ret = -12 + +Hence add and adjust the CRC size to iSCSI NVM image to read boot info at +qedi load time. + +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qedi/qedi.h | 7 ++++++- + drivers/scsi/qedi/qedi_main.c | 28 +++++++++++++++------------- + 2 files changed, 21 insertions(+), 14 deletions(-) + +--- a/drivers/scsi/qedi/qedi.h ++++ b/drivers/scsi/qedi/qedi.h +@@ -77,6 +77,11 @@ enum qedi_nvm_tgts { + QEDI_NVM_TGT_SEC, + }; + ++struct qedi_nvm_iscsi_image { ++ struct nvm_iscsi_cfg iscsi_cfg; ++ u32 crc; ++}; ++ + struct qedi_uio_ctrl { + /* meta data */ + u32 uio_hsi_version; +@@ -294,7 +299,7 @@ struct qedi_ctx { + void *bdq_pbl_list; + dma_addr_t bdq_pbl_list_dma; + u8 bdq_pbl_list_num_entries; +- struct nvm_iscsi_cfg *iscsi_cfg; ++ struct qedi_nvm_iscsi_image *iscsi_image; + dma_addr_t nvm_buf_dma; + void __iomem *bdq_primary_prod; + void __iomem *bdq_secondary_prod; +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -1346,23 +1346,26 @@ exit_setup_int: + + static void qedi_free_nvm_iscsi_cfg(struct qedi_ctx *qedi) + { +- if (qedi->iscsi_cfg) ++ if (qedi->iscsi_image) + dma_free_coherent(&qedi->pdev->dev, +- sizeof(struct nvm_iscsi_cfg), +- qedi->iscsi_cfg, qedi->nvm_buf_dma); ++ sizeof(struct qedi_nvm_iscsi_image), ++ qedi->iscsi_image, qedi->nvm_buf_dma); + } + + static int qedi_alloc_nvm_iscsi_cfg(struct qedi_ctx *qedi) + { +- qedi->iscsi_cfg = dma_zalloc_coherent(&qedi->pdev->dev, +- sizeof(struct nvm_iscsi_cfg), +- &qedi->nvm_buf_dma, GFP_KERNEL); +- if (!qedi->iscsi_cfg) { ++ struct qedi_nvm_iscsi_image nvm_image; ++ ++ qedi->iscsi_image = dma_zalloc_coherent(&qedi->pdev->dev, ++ sizeof(nvm_image), ++ &qedi->nvm_buf_dma, ++ GFP_KERNEL); ++ if (!qedi->iscsi_image) { + QEDI_ERR(&qedi->dbg_ctx, "Could not allocate NVM BUF.\n"); + return -ENOMEM; + } + QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO, +- "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_cfg, ++ "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_image, + qedi->nvm_buf_dma); + + return 0; +@@ -1905,7 +1908,7 @@ qedi_get_nvram_block(struct qedi_ctx *qe + struct nvm_iscsi_block *block; + + pf = qedi->dev_info.common.abs_pf_id; +- block = &qedi->iscsi_cfg->block[0]; ++ block = &qedi->iscsi_image->iscsi_cfg.block[0]; + for (i = 0; i < NUM_OF_ISCSI_PF_SUPPORTED; i++, block++) { + flags = ((block->id) & NVM_ISCSI_CFG_BLK_CTRL_FLAG_MASK) >> + NVM_ISCSI_CFG_BLK_CTRL_FLAG_OFFSET; +@@ -2194,15 +2197,14 @@ static void qedi_boot_release(void *data + static int qedi_get_boot_info(struct qedi_ctx *qedi) + { + int ret = 1; +- u16 len; +- +- len = sizeof(struct nvm_iscsi_cfg); ++ struct qedi_nvm_iscsi_image nvm_image; + + QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO, + "Get NVM iSCSI CFG image\n"); + ret = qedi_ops->common->nvm_get_image(qedi->cdev, + QED_NVM_IMAGE_ISCSI_CFG, +- (char *)qedi->iscsi_cfg, len); ++ (char *)qedi->iscsi_image, ++ sizeof(nvm_image)); + if (ret) + QEDI_ERR(&qedi->dbg_ctx, + "Could not get NVM image. ret = %d\n", ret); diff --git a/queue-4.18/series b/queue-4.18/series index 99a3032c840..af1221be1e2 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -76,3 +76,68 @@ firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch afs-fix-cell-specification-to-permit-an-empty-address-list.patch mm-madvise-madv_dodump-allow-hugetlbfs-pages.patch bpf-32-bit-rsh-verification-must-truncate-input-before-the-alu-op.patch +netfilter-xt_cluster-add-dependency-on-conntrack-module.patch +netfilter-xt_checksum-ignore-gso-skbs.patch +hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch +hid-add-support-for-apple-magic-keyboards.patch +usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch +pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch +hid-hid-saitek-add-device-id-for-rat-7-contagion.patch +scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch +scsi-iscsi-target-fix-conn_ops-double-free.patch +scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch +perf-annotate-properly-interpret-indirect-call.patch +perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch +perf-util-fix-bad-memory-access-in-trace-info.patch +perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch +perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch +netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch +netfilter-nf_tables-release-chain-in-flushing-set.patch +revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch +iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch +rdma-ucma-check-fd-type-in-ucma_migrate_id.patch +riscv-do-not-overwrite-initrd_start-and-initrd_end.patch +hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch +usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch +usb-yurex-check-for-truncation-in-yurex_read.patch +nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch +bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch +net-mlx5-consider-pci-domain-in-search-for-next-dev.patch +hid-i2c-hid-don-t-reset-device-upon-system-resume.patch +dm-raid-fix-reshape-race-on-small-devices.patch +drm-nouveau-fix-oops-in-client-init-failure-path.patch +drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch +drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch +drm-nouveau-disp-fix-dp-disable-race.patch +drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch +dm-raid-fix-stripe-adding-reshape-deadlock.patch +dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch +dm-raid-fix-raid-leg-rebuild-errors.patch +r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch +fs-cifs-suppress-a-string-overflow-warning.patch +net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch +net-ena-fix-driver-when-page_size-64kb.patch +net-ena-fix-device-destruction-to-gracefully-free-resources.patch +net-ena-fix-potential-double-ena_destroy_device.patch +net-ena-fix-missing-lock-during-device-destruction.patch +net-ena-fix-missing-calls-to-read_once.patch +perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch +sched-topology-set-correct-numa-topology-type.patch +dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch +netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch +netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch +netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch +arch-hexagon-fix-kernel-dma.c-build-warning.patch +hexagon-modify-ffs-and-fls-to-return-int.patch +drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch +arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch +drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch +r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch +s390-qeth-use-vzalloc-for-query-oat-buffer.patch +s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch +cifs-read-overflow-in-is_valid_oplock_break.patch +asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch +xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch +xen-avoid-crash-in-disable_hotplug_cpu.patch +xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch +x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch diff --git a/queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch b/queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch new file mode 100644 index 00000000000..72df1382f6a --- /dev/null +++ b/queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch @@ -0,0 +1,87 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Anton Vasilyev +Date: Tue, 7 Aug 2018 14:44:48 +0300 +Subject: usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] + +From: Anton Vasilyev + +[ Upstream commit c37bd52836296ecc9a0fc8060b819089aebdbcde ] + +There is no deallocation of fotg210->ep[i] elements, allocated at +fotg210_udc_probe. + +The patch adds deallocation of fotg210->ep array elements and simplifies +error path of fotg210_udc_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/fotg210-udc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -1063,12 +1063,15 @@ static const struct usb_gadget_ops fotg2 + static int fotg210_udc_remove(struct platform_device *pdev) + { + struct fotg210_udc *fotg210 = platform_get_drvdata(pdev); ++ int i; + + usb_del_gadget_udc(&fotg210->gadget); + iounmap(fotg210->reg); + free_irq(platform_get_irq(pdev, 0), fotg210); + + fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req); ++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++) ++ kfree(fotg210->ep[i]); + kfree(fotg210); + + return 0; +@@ -1099,7 +1102,7 @@ static int fotg210_udc_probe(struct plat + /* initialize udc */ + fotg210 = kzalloc(sizeof(struct fotg210_udc), GFP_KERNEL); + if (fotg210 == NULL) +- goto err_alloc; ++ goto err; + + for (i = 0; i < FOTG210_MAX_NUM_EP; i++) { + _ep[i] = kzalloc(sizeof(struct fotg210_ep), GFP_KERNEL); +@@ -1111,7 +1114,7 @@ static int fotg210_udc_probe(struct plat + fotg210->reg = ioremap(res->start, resource_size(res)); + if (fotg210->reg == NULL) { + pr_err("ioremap error.\n"); +- goto err_map; ++ goto err_alloc; + } + + spin_lock_init(&fotg210->lock); +@@ -1159,7 +1162,7 @@ static int fotg210_udc_probe(struct plat + fotg210->ep0_req = fotg210_ep_alloc_request(&fotg210->ep[0]->ep, + GFP_KERNEL); + if (fotg210->ep0_req == NULL) +- goto err_req; ++ goto err_map; + + fotg210_init(fotg210); + +@@ -1187,12 +1190,14 @@ err_req: + fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req); + + err_map: +- if (fotg210->reg) +- iounmap(fotg210->reg); ++ iounmap(fotg210->reg); + + err_alloc: ++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++) ++ kfree(fotg210->ep[i]); + kfree(fotg210); + ++err: + return ret; + } + diff --git a/queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch b/queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch new file mode 100644 index 00000000000..933124e24c0 --- /dev/null +++ b/queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch @@ -0,0 +1,75 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Anurag Kumar Vulisha +Date: Fri, 31 Aug 2018 17:24:42 +0300 +Subject: usb: host: xhci-plat: Iterate over parent nodes for finding quirks + +From: Anurag Kumar Vulisha + +[ Upstream commit 222471f7640d9771a993218d825d84825adc805d ] + +In xhci_plat_probe() both sysdev and pdev->dev are being used +for finding quirks. There are some drivers(like dwc3 host.c) +which adds quirks(like usb3-lpm-capable) into pdev and the logic +present in xhci_plat_probe() checks for quirks in either sysdev +or pdev for finding the quirks. Because of this logic, some of +the quirks are getting missed(usb3-lpm-capable quirk added by dwc3 +host.c driver is getting missed).This patch fixes this by iterating +over all the available parents for finding the quirks. In this way +all the quirks which are present in child or parent are correctly +updated. + +Signed-off-by: Anurag Kumar Vulisha +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-plat.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -152,7 +152,7 @@ static int xhci_plat_probe(struct platfo + { + const struct xhci_plat_priv *priv_match; + const struct hc_driver *driver; +- struct device *sysdev; ++ struct device *sysdev, *tmpdev; + struct xhci_hcd *xhci; + struct resource *res; + struct usb_hcd *hcd; +@@ -272,19 +272,24 @@ static int xhci_plat_probe(struct platfo + goto disable_clk; + } + +- if (device_property_read_bool(sysdev, "usb2-lpm-disable")) +- xhci->quirks |= XHCI_HW_LPM_DISABLE; ++ /* imod_interval is the interrupt moderation value in nanoseconds. */ ++ xhci->imod_interval = 40000; + +- if (device_property_read_bool(sysdev, "usb3-lpm-capable")) +- xhci->quirks |= XHCI_LPM_SUPPORT; ++ /* Iterate over all parent nodes for finding quirks */ ++ for (tmpdev = &pdev->dev; tmpdev; tmpdev = tmpdev->parent) { + +- if (device_property_read_bool(&pdev->dev, "quirk-broken-port-ped")) +- xhci->quirks |= XHCI_BROKEN_PORT_PED; ++ if (device_property_read_bool(tmpdev, "usb2-lpm-disable")) ++ xhci->quirks |= XHCI_HW_LPM_DISABLE; + +- /* imod_interval is the interrupt moderation value in nanoseconds. */ +- xhci->imod_interval = 40000; +- device_property_read_u32(sysdev, "imod-interval-ns", +- &xhci->imod_interval); ++ if (device_property_read_bool(tmpdev, "usb3-lpm-capable")) ++ xhci->quirks |= XHCI_LPM_SUPPORT; ++ ++ if (device_property_read_bool(tmpdev, "quirk-broken-port-ped")) ++ xhci->quirks |= XHCI_BROKEN_PORT_PED; ++ ++ device_property_read_u32(tmpdev, "imod-interval-ns", ++ &xhci->imod_interval); ++ } + + hcd->usb_phy = devm_usb_get_phy_by_phandle(sysdev, "usb-phy", 0); + if (IS_ERR(hcd->usb_phy)) { diff --git a/queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch b/queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch new file mode 100644 index 00000000000..dbd41b5924e --- /dev/null +++ b/queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Ben Hutchings +Date: Wed, 15 Aug 2018 21:45:37 +0100 +Subject: USB: yurex: Check for truncation in yurex_read() + +From: Ben Hutchings + +[ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ] + +snprintf() always returns the full length of the string it could have +printed, even if it was truncated because the buffer was too small. +So in case the counter value is truncated, we will over-read from +in_buffer and over-write to the caller's buffer. + +I don't think it's actually possible for this to happen, but in case +truncation occurs, WARN and return -EIO. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/yurex.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *f + spin_unlock_irqrestore(&dev->lock, flags); + mutex_unlock(&dev->io_mutex); + ++ if (WARN_ON_ONCE(len >= sizeof(in_buffer))) ++ return -EIO; ++ + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); + } + diff --git a/queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch b/queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch new file mode 100644 index 00000000000..621f735a444 --- /dev/null +++ b/queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Randy Dunlap +Date: Fri, 14 Sep 2018 15:10:29 -0700 +Subject: x86/APM: Fix build warning when PROC_FS is not enabled + +From: Randy Dunlap + +[ Upstream commit 002b87d2aace62b4f3841c3aa43309d2380092be ] + +Fix build warning in apm_32.c when CONFIG_PROC_FS is not enabled: + +../arch/x86/kernel/apm_32.c:1643:12: warning: 'proc_apm_show' defined but not used [-Wunused-function] + static int proc_apm_show(struct seq_file *m, void *v) + +Fixes: 3f3942aca6da ("proc: introduce proc_create_single{,_data}") +Signed-off-by: Randy Dunlap +Signed-off-by: Thomas Gleixner +Reviewed-by: Christoph Hellwig +Cc: Jiri Kosina +Link: https://lkml.kernel.org/r/be39ac12-44c2-4715-247f-4dcc3c525b8b@infradead.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apm_32.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/apm_32.c ++++ b/arch/x86/kernel/apm_32.c +@@ -1640,6 +1640,7 @@ static int do_open(struct inode *inode, + return 0; + } + ++#ifdef CONFIG_PROC_FS + static int proc_apm_show(struct seq_file *m, void *v) + { + unsigned short bx; +@@ -1719,6 +1720,7 @@ static int proc_apm_show(struct seq_file + units); + return 0; + } ++#endif + + static int apm(void *unused) + { diff --git a/queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch b/queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch new file mode 100644 index 00000000000..4667525b07d --- /dev/null +++ b/queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Olaf Hering +Date: Fri, 7 Sep 2018 16:31:35 +0200 +Subject: xen: avoid crash in disable_hotplug_cpu + +From: Olaf Hering + +[ Upstream commit 3366cdb6d350d95466ee430ac50f3c8415ca8f46 ] + +The command 'xl vcpu-set 0 0', issued in dom0, will crash dom0: + +BUG: unable to handle kernel NULL pointer dereference at 00000000000002d8 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 7 PID: 65 Comm: xenwatch Not tainted 4.19.0-rc2-1.ga9462db-default #1 openSUSE Tumbleweed (unreleased) +Hardware name: Intel Corporation S5520UR/S5520UR, BIOS S5500.86B.01.00.0050.050620101605 05/06/2010 +RIP: e030:device_offline+0x9/0xb0 +Code: 77 24 00 e9 ce fe ff ff 48 8b 13 e9 68 ff ff ff 48 8b 13 e9 29 ff ff ff 48 8b 13 e9 ea fe ff ff 90 66 66 66 66 90 41 54 55 53 87 d8 02 00 00 01 0f 85 88 00 00 00 48 c7 c2 20 09 60 81 31 f6 +RSP: e02b:ffffc90040f27e80 EFLAGS: 00010203 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff8801f3800000 RSI: ffffc90040f27e70 RDI: 0000000000000000 +RBP: 0000000000000000 R08: ffffffff820e47b3 R09: 0000000000000000 +R10: 0000000000007ff0 R11: 0000000000000000 R12: ffffffff822e6d30 +R13: dead000000000200 R14: dead000000000100 R15: ffffffff8158b4e0 +FS: 00007ffa595158c0(0000) GS:ffff8801f39c0000(0000) knlGS:0000000000000000 +CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000002d8 CR3: 00000001d9602000 CR4: 0000000000002660 +Call Trace: + handle_vcpu_hotplug_event+0xb5/0xc0 + xenwatch_thread+0x80/0x140 + ? wait_woken+0x80/0x80 + kthread+0x112/0x130 + ? kthread_create_worker_on_cpu+0x40/0x40 + ret_from_fork+0x3a/0x50 + +This happens because handle_vcpu_hotplug_event is called twice. In the +first iteration cpu_present is still true, in the second iteration +cpu_present is false which causes get_cpu_device to return NULL. +In case of cpu#0, cpu_online is apparently always true. + +Fix this crash by checking if the cpu can be hotplugged, which is false +for a cpu that was just removed. + +Also check if the cpu was actually offlined by device_remove, otherwise +leave the cpu_present state as it is. + +Rearrange to code to do all work with device_hotplug_lock held. + +Signed-off-by: Olaf Hering +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/cpu_hotplug.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/xen/cpu_hotplug.c ++++ b/drivers/xen/cpu_hotplug.c +@@ -19,15 +19,16 @@ static void enable_hotplug_cpu(int cpu) + + static void disable_hotplug_cpu(int cpu) + { +- if (cpu_online(cpu)) { +- lock_device_hotplug(); ++ if (!cpu_is_hotpluggable(cpu)) ++ return; ++ lock_device_hotplug(); ++ if (cpu_online(cpu)) + device_offline(get_cpu_device(cpu)); +- unlock_device_hotplug(); +- } +- if (cpu_present(cpu)) ++ if (!cpu_online(cpu) && cpu_present(cpu)) { + xen_arch_unregister_cpu(cpu); +- +- set_cpu_present(cpu, false); ++ set_cpu_present(cpu, false); ++ } ++ unlock_device_hotplug(); + } + + static int vcpu_online(unsigned int cpu) diff --git a/queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch b/queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch new file mode 100644 index 00000000000..b6ccfce9f07 --- /dev/null +++ b/queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Josh Abraham +Date: Wed, 12 Sep 2018 15:13:54 -1000 +Subject: xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage + +From: Josh Abraham + +[ Upstream commit 4dca864b59dd150a221730775e2f21f49779c135 ] + +This patch removes duplicate macro useage in events_base.c. + +It also fixes gcc warning: +variable ‘col’ set but not used [-Wunused-but-set-variable] + +Signed-off-by: Joshua Abraham +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -138,7 +138,7 @@ static int set_evtchn_to_irq(unsigned ev + clear_evtchn_to_irq_row(row); + } + +- evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)] = irq; ++ evtchn_to_irq[row][col] = irq; + return 0; + } + diff --git a/queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch b/queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch new file mode 100644 index 00000000000..6518dc0bc99 --- /dev/null +++ b/queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Oct 8 17:39:53 CEST 2018 +From: Vitaly Kuznetsov +Date: Thu, 6 Sep 2018 13:26:08 +0200 +Subject: xen/manage: don't complain about an empty value in control/sysrq node + +From: Vitaly Kuznetsov + +[ Upstream commit 87dffe86d406bee8782cac2db035acb9a28620a7 ] + +When guest receives a sysrq request from the host it acknowledges it by +writing '\0' to control/sysrq xenstore node. This, however, make xenstore +watch fire again but xenbus_scanf() fails to parse empty value with "%c" +format string: + + sysrq: SysRq : Emergency Sync + Emergency Sync complete + xen:manage: Error -34 reading sysrq code in control/sysrq + +Ignore -ERANGE the same way we already ignore -ENOENT, empty value in +control/sysrq is totally legal. + +Signed-off-by: Vitaly Kuznetsov +Reviewed-by: Wei Liu +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/manage.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -280,9 +280,11 @@ static void sysrq_handler(struct xenbus_ + /* + * The Xenstore watch fires directly after registering it and + * after a suspend/resume cycle. So ENOENT is no error but +- * might happen in those cases. ++ * might happen in those cases. ERANGE is observed when we get ++ * an empty value (''), this happens when we acknowledge the ++ * request by writing '\0' below. + */ +- if (err != -ENOENT) ++ if (err != -ENOENT && err != -ERANGE) + pr_err("Error %d reading sysrq code in control/sysrq\n", + err); + xenbus_transaction_end(xbt, 1); -- 2.47.2