From 66e134efbdd9b9f1ce22cedff02d96969eb2b674 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 6 Sep 2020 22:55:57 -0400 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...-uninitialized-chaddr-when-handling-.patch | 52 ++ ...se-netif_rx_ni-when-not-in-interrupt.patch | 42 + ...fix-own-ogm-check-in-aggregated-ogms.patch | 65 ++ ...-t-enable-napi-until-rings-are-ready.patch | 86 ++ ...-check-for-zero-dir-entries-in-nvram.patch | 39 + ...query-fw-when-netif_running-is-false.patch | 40 + ...m-error-when-querying-vf-temperature.patch | 60 ++ ...t_en-fix-pci-aer-error-recovery-flow.patch | 46 ++ ...possible-crash-in-bnxt_fw_reset_task.patch | 68 ++ ...fix-thermal-zone-device-registration.patch | 111 +++ ...ac-check-return-value-of-of_find_dev.patch | 39 + ...-fix-of_dma_router_xlate-s-of_dma_xl.patch | 47 ++ ...fix-burst-length-if-burst-size-is-sm.patch | 48 ++ ...adeon-prefer-lower-feedback-dividers.patch | 48 ++ ...n-epoll-keep-a-reference-on-files-ad.patch | 42 + ...a_link-info-to-msg-sent-to-userspace.patch | 36 + ...g2.h-add-missing-around-n-in-roundup.patch | 37 + ...e-irte.remapen-bit-after-programming.patch | 46 ++ ...lize-iommu-gcmd-register-modificatio.patch | 62 ++ ...dd-missing-v4l2_ctrl_request_hdl_put.patch | 54 ++ ...dd-missing-v4l2_ctrl_request_hdl_put.patch | 37 + ...-msacsr-and-upper-msa-initialization.patch | 50 ++ ...call-bmips_cpu_setup-for-secondary-c.patch | 37 + ...ps5000-has-inclusive-physical-caches.patch | 41 + ...i-acpi-fix-hs400-tuning-for-amdi0040.patch | 139 ++++ ...c_emac-fix-memleak-in-arc_mdio_probe.patch | 36 + ...ix-advertising-unsupported-1000baset.patch | 38 + ...4-fix-memory-allocation-in-mlx4_budd.patch | 44 ++ ...cpsw-fix-clean-up-of-vlan-mc-entries.patch | 41 + ...nother-missing-clk_disable_unprepare.patch | 84 ++ ...hns-fix-memleak-in-hns_nic_dev_probe.patch | 50 ++ ...t-packet-fix-overflow-in-tpacket_rcv.patch | 59 ++ ...ort-fix-memleak-in-bcm_sysport_probe.patch | 40 + ...les-add-nfta_set_userdata-if-not-nul.patch | 36 + ...les-fix-destination-register-zeroing.patch | 82 ++ ...les-incorrect-enum-nft_list_attribut.patch | 35 + 
...ink-nfnetlink_unicast-reports-eagain.patch | 238 ++++++ .../nvme-fix-controller-instance-leak.patch | 40 + ...issed-_irqsave-version-of-spin_lock-.patch | 44 ++ ...ents-fix-suspicious-code-in-fixregex.patch | 47 ++ ...rf-tools-correct-snoopx-field-offset.patch | 51 ++ ...b-fixed-to-be-able-to-unload-modules.patch | 208 +++++ ...ck-serial-in-a-var-in-rxrpc_input_ac.patch | 99 +++ ...pc_kernel_get_srtt-indicate-validity.patch | 98 +++ ...pf-fix-massive-output-from-test_maps.patch | 42 + queue-5.4/series | 54 ++ ...oft-lockup-when-tg3_reset_task-fails.patch | 80 ++ ...i-temp-alarm-don-t-suppress-negative.patch | 49 ++ ...hermal-fix-bogus-thermal-shutdowns-f.patch | 110 +++ ...i-fault-mmaps-to-enable-vma-tracking.patch | 154 ++++ ...ate-mmaps-and-block-mmio-access-on-d.patch | 741 ++++++++++++++++++ ...o-type1-support-faulting-pfnmap-vmas.patch | 81 ++ ...akenuma-fix-invalid-starting-node-id.patch | 74 ++ ...ry-test-in-xfs_attr_shortform_verify.patch | 54 ++ ..._validate_extent_raw-when-checking-a.patch | 37 + 55 files changed, 4218 insertions(+) create mode 100644 queue-5.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch create mode 100644 queue-5.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch create mode 100644 queue-5.4/batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch create mode 100644 queue-5.4/bnxt-don-t-enable-napi-until-rings-are-ready.patch create mode 100644 queue-5.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch create mode 100644 queue-5.4/bnxt_en-don-t-query-fw-when-netif_running-is-false.patch create mode 100644 queue-5.4/bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch create mode 100644 queue-5.4/bnxt_en-fix-pci-aer-error-recovery-flow.patch create mode 100644 queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch create mode 100644 queue-5.4/cxgb4-fix-thermal-zone-device-registration.patch create mode 100644 queue-5.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch create mode 100644 
queue-5.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch create mode 100644 queue-5.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch create mode 100644 queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch create mode 100644 queue-5.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch create mode 100644 queue-5.4/gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch create mode 100644 queue-5.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch create mode 100644 queue-5.4/iommu-amd-restore-irte.remapen-bit-after-programming.patch create mode 100644 queue-5.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch create mode 100644 queue-5.4/media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch create mode 100644 queue-5.4/media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch create mode 100644 queue-5.4/mips-add-missing-msacsr-and-upper-msa-initialization.patch create mode 100644 queue-5.4/mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch create mode 100644 queue-5.4/mips-mm-bmips5000-has-inclusive-physical-caches.patch create mode 100644 queue-5.4/mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch create mode 100644 queue-5.4/net-arc_emac-fix-memleak-in-arc_mdio_probe.patch create mode 100644 queue-5.4/net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch create mode 100644 queue-5.4/net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch create mode 100644 queue-5.4/net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch create mode 100644 queue-5.4/net-gemini-fix-another-missing-clk_disable_unprepare.patch create mode 100644 queue-5.4/net-hns-fix-memleak-in-hns_nic_dev_probe.patch create mode 100644 queue-5.4/net-packet-fix-overflow-in-tpacket_rcv.patch create mode 100644 queue-5.4/net-systemport-fix-memleak-in-bcm_sysport_probe.patch create mode 100644 queue-5.4/netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch create mode 100644 
queue-5.4/netfilter-nf_tables-fix-destination-register-zeroing.patch create mode 100644 queue-5.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch create mode 100644 queue-5.4/netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch create mode 100644 queue-5.4/nvme-fix-controller-instance-leak.patch create mode 100644 queue-5.4/nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch create mode 100644 queue-5.4/perf-jevents-fix-suspicious-code-in-fixregex.patch create mode 100644 queue-5.4/perf-tools-correct-snoopx-field-offset.patch create mode 100644 queue-5.4/ravb-fixed-to-be-able-to-unload-modules.patch create mode 100644 queue-5.4/rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch create mode 100644 queue-5.4/rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch create mode 100644 queue-5.4/selftests-bpf-fix-massive-output-from-test_maps.patch create mode 100644 queue-5.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch create mode 100644 queue-5.4/thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch create mode 100644 queue-5.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch create mode 100644 queue-5.4/vfio-pci-fault-mmaps-to-enable-vma-tracking.patch create mode 100644 queue-5.4/vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch create mode 100644 queue-5.4/vfio-type1-support-faulting-pfnmap-vmas.patch create mode 100644 queue-5.4/x86-fakenuma-fix-invalid-starting-node-id.patch create mode 100644 queue-5.4/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch create mode 100644 queue-5.4/xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch diff --git a/queue-5.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch b/queue-5.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch new file mode 100644 index 00000000000..b0d3f65a25b --- /dev/null +++ b/queue-5.4/batman-adv-avoid-uninitialized-chaddr-when-handling-.patch 
@@ -0,0 +1,52 @@ +From e1ad1bd7cb77e80f35f0a111e7e0e566ea22658c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 20:36:43 +0200 +Subject: batman-adv: Avoid uninitialized chaddr when handling DHCP + +From: Sven Eckelmann + +[ Upstream commit 303216e76dcab6049c9d42390b1032f0649a8206 ] + +The gateway client code can try to optimize the delivery of DHCP packets to +avoid broadcasting them through the whole mesh. But also transmissions to +the client can be optimized by looking up the destination via the chaddr of +the DHCP packet. + +But the chaddr is currently only done when chaddr is fully inside the +non-paged area of the skbuff. Otherwise it will not be initialized and the +unoptimized path should have been taken. + +But the implementation didn't handle this correctly. It didn't retrieve the +correct chaddr but still tried to perform the TT lookup with this +uninitialized memory. + +Reported-by: syzbot+ab16e463b903f5a37036@syzkaller.appspotmail.com +Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast") +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/gateway_client.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c +index 47df4c6789886..89c9097007c3a 100644 +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len, + + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET; + /* store the client address if the message is going to a client */ +- if (ret == BATADV_DHCP_TO_CLIENT && +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) { ++ if (ret == BATADV_DHCP_TO_CLIENT) { ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) ++ return BATADV_DHCP_NO; ++ + /* check if the DHCP packet carries an Ethernet DHCP */ + p = skb->data + 
*header_len + BATADV_DHCP_HTYPE_OFFSET; + if (*p != BATADV_DHCP_HTYPE_ETHERNET) +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch b/queue-5.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch new file mode 100644 index 00000000000..75bf15ae904 --- /dev/null +++ b/queue-5.4/batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch @@ -0,0 +1,42 @@ +From a9ab2b125f5ac0643e92b3a541fb0f6e85c2a75e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 17:46:10 +0300 +Subject: batman-adv: bla: use netif_rx_ni when not in interrupt context + +From: Jussi Kivilinna + +[ Upstream commit 279e89b2281af3b1a9f04906e157992c19c9f163 ] + +batadv_bla_send_claim() gets called from worker thread context through +batadv_bla_periodic_work(), thus netif_rx_ni needs to be used in that +case. This fixes "NOHZ: local_softirq_pending 08" log messages seen +when batman-adv is enabled. + +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Jussi Kivilinna +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 663a53b6d36e6..5f6309ade1ea1 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -437,7 +437,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac, + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES, + skb->len + ETH_HLEN); + +- netif_rx(skb); ++ if (in_interrupt()) ++ netif_rx(skb); ++ else ++ netif_rx_ni(skb); + out: + if (primary_if) + batadv_hardif_put(primary_if); +-- +2.25.1 + 
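Review bot: The new early `return BATADV_DHCP_NO;` in batadv_gw_dhcp_recipient_get() carries no comment explaining why a packet already classified as BATADV_DHCP_TO_CLIENT is now reported as non-DHCP. Going by the commit message, the intent is that a chaddr which cannot be pulled into the linear area sends the caller down the unoptimized path instead of a TT lookup on uninitialized memory. I would state that above the check, e.g. `/* chaddr not in the linear area: report no DHCP so the caller never uses an unset chaddr */`. The function starts and ends outside the hunk, so the effect of BATADV_DHCP_NO on the caller is inferred here rather than visible.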
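Review bot: The `in_interrupt()` test added in front of `netif_rx()` / `netif_rx_ni()` in batadv_bla_send_claim() picks the receive entry point by probing the execution context at run time, and nothing in the hunk records which callers reach which branch. The commit message names only the worker path through batadv_bla_periodic_work(). A comment such as `/* called from the periodic worker (process context) and, presumably, from the rx path */` would make the assumption auditable, with the second half confirmed against the callers, which are not shown here. The function body starts before the hunk.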
diff --git a/queue-5.4/batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch b/queue-5.4/batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch new file mode 100644 index 00000000000..fa8a636cac0 --- /dev/null +++ b/queue-5.4/batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch 
@@ -0,0 +1,65 @@ +From aa774a275255cb1bf521306976e68b8412ea61c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 14:28:08 +0200 +Subject: batman-adv: Fix own OGM check in aggregated OGMs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit d8bf0c01642275c7dca1e5d02c34e4199c200b1f ] + +The own OGM check is currently misplaced and can lead to the following +issues: + +For one thing we might receive an aggregated OGM from a neighbor node +which has our own OGM in the first place. We would then not only skip +our own OGM but erroneously also any other, following OGM in the +aggregate. + +For another, we might receive an OGM aggregate which has our own OGM in +a place other then the first one. Then we would wrongly not skip this +OGM, leading to populating the orginator and gateway table with ourself. + +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_ogm.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index a9e7540c56918..3165f6ff8ee71 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -878,6 +878,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset, + ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl, + ogm_packet->version, ntohs(ogm_packet->tvlv_len)); + ++ if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) { ++ batadv_dbg(BATADV_DBG_BATMAN, bat_priv, ++ "Drop packet: originator packet from ourself\n"); ++ return; ++ } ++ + /* If the throughput metric is 0, immediately drop the packet. No need + * to create orig_node / neigh_node for an unusable route. 
+ */ +@@ -1005,11 +1011,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + +- ogm_packet = (struct batadv_ogm2_packet *)skb->data; +- +- if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) +- goto free_skb; +- + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX); + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES, + skb->len + ETH_HLEN); +-- +2.25.1 + diff --git a/queue-5.4/bnxt-don-t-enable-napi-until-rings-are-ready.patch b/queue-5.4/bnxt-don-t-enable-napi-until-rings-are-ready.patch new file mode 100644 index 00000000000..b443473dd55 --- /dev/null +++ b/queue-5.4/bnxt-don-t-enable-napi-until-rings-are-ready.patch 
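Review bot: The second hunk deletes `ogm_packet = (struct batadv_ogm2_packet *)skb->data;` in batadv_v_ogm_packet_recv() together with the own-OGM check, so the only visible initialisation of `ogm_packet` in that function is gone. If the aggregation loop further down (outside the hunk) dereferences `ogm_packet`, it needs its own assignment before first use; please confirm one exists. In batadv_v_ogm_process() the new check sits ahead of the comment about creating orig_node / neigh_node, so the bare `return;` looks right as far as the visible lines go.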
@@ -0,0 +1,86 @@ +From 0a3018223231a09b7078f993e11992de831c5a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 12:40:07 -0700 +Subject: bnxt: don't enable NAPI until rings are ready + +From: Jakub Kicinski + +[ Upstream commit 96ecdcc992eb7f468b2cf829b0f5408a1fad4668 ] + +Netpoll can try to poll napi as soon as napi_enable() is called. +It crashes trying to access a doorbell which is still NULL: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + CPU: 59 PID: 6039 Comm: ethtool Kdump: loaded Tainted: G S 5.9.0-rc1-00469-g5fd99b5d9950-dirty #26 + RIP: 0010:bnxt_poll+0x121/0x1c0 + Code: c4 20 44 89 e0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 41 8b 86 a0 01 00 00 41 23 85 18 01 00 00 49 8b 96 a8 01 00 00 0d 00 00 00 24 <89> 02 +41 f6 45 77 02 74 cb 49 8b ae d8 01 00 00 31 c0 c7 44 24 1a + netpoll_poll_dev+0xbd/0x1a0 + __netpoll_send_skb+0x1b2/0x210 + netpoll_send_udp+0x2c9/0x406 + write_ext_msg+0x1d7/0x1f0 + console_unlock+0x23c/0x520 + vprintk_emit+0xe0/0x1d0 + printk+0x58/0x6f + x86_vector_activate.cold+0xf/0x46 + __irq_domain_activate_irq+0x50/0x80 + __irq_domain_activate_irq+0x32/0x80 + __irq_domain_activate_irq+0x32/0x80 + irq_domain_activate_irq+0x25/0x40 + __setup_irq+0x2d2/0x700 + request_threaded_irq+0xfb/0x160 + __bnxt_open_nic+0x3b1/0x750 + bnxt_open_nic+0x19/0x30 + ethtool_set_channels+0x1ac/0x220 + dev_ethtool+0x11ba/0x2240 + dev_ioctl+0x1cf/0x390 + sock_do_ioctl+0x95/0x130 + +Reported-by: Rob Sherwood +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Jakub Kicinski +Reviewed-by: Michael Chan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 089d7b9cc409d..4030020f92be5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9132,15 +9132,15 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + } + } + +- bnxt_enable_napi(bp); +- bnxt_debug_dev_init(bp); +- + rc = bnxt_init_nic(bp, irq_re_init); + if (rc) { + netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc); +- goto open_err; ++ goto open_err_irq; + } + ++ bnxt_enable_napi(bp); ++ bnxt_debug_dev_init(bp); ++ + if (link_re_init) { + mutex_lock(&bp->link_lock); + rc = bnxt_update_phy_setting(bp); +@@ -9171,10 +9171,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + bnxt_vf_reps_open(bp); + return 0; + +-open_err: +- bnxt_debug_dev_exit(bp); +- bnxt_disable_napi(bp); +- + open_err_irq: + bnxt_del_napi(bp); + +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch b/queue-5.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch new file mode 100644 index 00000000000..be2231ff9dd --- /dev/null +++ b/queue-5.4/bnxt_en-check-for-zero-dir-entries-in-nvram.patch 
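Review bot: With the `open_err:` label removed from __bnxt_open_nic(), no error exit after `bnxt_enable_napi(bp)` calls `bnxt_disable_napi()` or `bnxt_debug_dev_exit()` any more. That is fine only while every step after the enable is non-fatal. The lines between the two hunks are not shown, so I cannot confirm it from here. I would pin the invariant where NAPI is enabled, e.g. `/* No failure exits below this point: open_err_irq does not disable NAPI */`, so a later change that adds a `goto` after it does not leave NAPI enabled on a torn-down device.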
@@ -0,0 +1,39 @@ +From 976ac91e404046b5adea78818b54471e86c40a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:33 -0400 +Subject: bnxt_en: Check for zero dir entries in NVRAM. + +From: Vasundhara Volam + +[ Upstream commit dbbfa96ad920c50d58bcaefa57f5f33ceef9d00e ] + +If firmware goes into unstable state, HWRM_NVM_GET_DIR_INFO firmware +command may return zero dir entries. Return error in such case to +avoid zero length dma buffer request. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index de9b34a255cf1..fd01bcc8e28d4 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -2161,6 +2161,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc != 0) + return rc; + ++ if (!dir_entries || !entry_length) ++ return -EIO; ++ + /* Insert 2 bytes of directory info (count and size of entries) */ + if (len < 2) + return -EINVAL; +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-don-t-query-fw-when-netif_running-is-false.patch b/queue-5.4/bnxt_en-don-t-query-fw-when-netif_running-is-false.patch new file mode 100644 index 00000000000..79839a44777 --- /dev/null +++ b/queue-5.4/bnxt_en-don-t-query-fw-when-netif_running-is-false.patch 
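Review bot: The added `if (!dir_entries || !entry_length) return -EIO;` in bnxt_get_nvram_directory() rejects only zero, although both values come from firmware that the commit message describes as possibly unstable. If the DMA buffer length is computed further down as their product (that code is outside the hunk), an overflow or upper-bound check belongs next to this one, for instance `if (check_mul_overflow(dir_entries, entry_length, &buflen)) return -EIO;`, with `buflen` standing for whatever variable holds the length. The variable types are not visible in the hunk, so the exact form needs checking against the declarations.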
@@ -0,0 +1,40 @@ +From bb853f3d294aa87e3205a976749d3238ee43cfa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:32 -0400 +Subject: bnxt_en: Don't query FW when netif_running() is false. + +From: Pavan Chebbi + +[ Upstream commit c1c2d77408022a398a1a7c51cf20488c922629de ] + +In rare conditions like two stage OS installation, the +ethtool's get_channels function may be called when the +device is in D3 state, leading to uncorrectable PCI error. +Check netif_running() first before making any query to FW +which involves writing to BAR. + +Fixes: db4723b3cd2d ("bnxt_en: Check max_tx_scheduler_inputs value from firmware.") +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 1f512e7c3d434..de9b34a255cf1 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -769,7 +769,7 @@ static void bnxt_get_channels(struct net_device *dev, + int max_tx_sch_inputs; + + /* Get the most up-to-date max_tx_sch_inputs. */ +- if (BNXT_NEW_RM(bp)) ++ if (netif_running(dev) && BNXT_NEW_RM(bp)) + bnxt_hwrm_func_resc_qcaps(bp, false); + max_tx_sch_inputs = hw_resc->max_tx_sch_inputs; + +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch b/queue-5.4/bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch new file mode 100644 index 00000000000..a8449dc695f --- /dev/null +++ b/queue-5.4/bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch 
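Review bot: The context comment `/* Get the most up-to-date max_tx_sch_inputs. */` in bnxt_get_channels() is no longer accurate once the query is gated on `netif_running(dev)`. When the interface is down, the following `max_tx_sch_inputs = hw_resc->max_tx_sch_inputs;` reads whatever was cached earlier. I would reword it to `/* Refresh max_tx_sch_inputs from FW only while the device is up; otherwise use the cached value. */`. The return value of `bnxt_hwrm_func_resc_qcaps()` is also ignored on the visible line, so a failed refresh falls back to the cached value silently too.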
@@ -0,0 +1,60 @@ +From f16b12f862f144d60b08003692ecddc45f176bc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:37 -0400 +Subject: bnxt_en: fix HWRM error when querying VF temperature + +From: Edwin Peer + +[ Upstream commit 12cce90b934bf2b0ed9c339b4d5503e69954351a ] + +Firmware returns RESOURCE_ACCESS_DENIED for HWRM_TEMP_MONITORY_QUERY for +VFs. This produces unpleasing error messages in the log when temp1_input +is queried via the hwmon sysfs interface from a VF. + +The error is harmless and expected, so silence it and return unknown as +the value. Since the device temperature is not particularly sensitive +information, provide flexibility to change this policy in future by +silencing the error rather than avoiding the HWRM call entirely for VFs. + +Fixes: cde49a42a9bb ("bnxt_en: Add hwmon sysfs support to read temperature") +Cc: Marc Smith +Reported-by: Marc Smith +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 16462d21fea38..089d7b9cc409d 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -8938,16 +8938,19 @@ static ssize_t bnxt_show_temp(struct device *dev, + struct hwrm_temp_monitor_query_input req = {0}; + struct hwrm_temp_monitor_query_output *resp; + struct bnxt *bp = dev_get_drvdata(dev); +- u32 temp = 0; ++ u32 len = 0; + + resp = bp->hwrm_cmd_resp_addr; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1); + mutex_lock(&bp->hwrm_cmd_lock); +- if (!_hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT)) +- temp = resp->temp * 1000; /* display millidegree */ ++ if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT)) ++ len = sprintf(buf, "%u\n", 
resp->temp * 1000); /* display millidegree */ + mutex_unlock(&bp->hwrm_cmd_lock); + +- return sprintf(buf, "%u\n", temp); ++ if (len) ++ return len; ++ ++ return sprintf(buf, "unknown\n"); + } + static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0); + +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-fix-pci-aer-error-recovery-flow.patch b/queue-5.4/bnxt_en-fix-pci-aer-error-recovery-flow.patch new file mode 100644 index 00000000000..b0e4793268f --- /dev/null +++ b/queue-5.4/bnxt_en-fix-pci-aer-error-recovery-flow.patch 
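Review bot: The fallback `return sprintf(buf, "unknown\n");` in bnxt_show_temp() makes the hwmon attribute `temp1_input` return a non-numeric string. hwmon sysfs values are documented as fixed-point numbers, so userspace readers that parse an integer may misbehave on a VF. Returning an error from the show callback is the more conventional way to signal no reading, e.g. keep the result of `_hwrm_send_message_silent()` in a local and end with `return rc ? rc : len;`. This assumes that helper returns a negative errno, which the hunk does not show. Separately, `u32 len` holds the `int` result of `sprintf()` and is then returned as `ssize_t`; an `int` would match both.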
@@ -0,0 +1,46 @@ +From 2dbc14c8edecb6a9488bd3cdb2b3738f27bfaba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:35 -0400 +Subject: bnxt_en: Fix PCI AER error recovery flow + +From: Vasundhara Volam + +[ Upstream commit df3875ec550396974b1d8a518bd120d034738236 ] + +When a PCI error is detected the PCI state could be corrupt, save +the PCI state after initialization and restore it after the slot +reset. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 2cbfe0cd7eefa..7cb74d7a78e3c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11900,6 +11900,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + (long)pci_resource_start(pdev, 0), dev->dev_addr); + pcie_print_link_status(pdev); + ++ pci_save_state(pdev); + return 0; + + init_err_cleanup: +@@ -12066,6 +12067,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + "Cannot re-enable PCI device after reset.\n"); + } else { + pci_set_master(pdev); ++ pci_restore_state(pdev); ++ pci_save_state(pdev); + + err = bnxt_hwrm_func_reset(bp); + if (!err && netif_running(netdev)) +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch b/queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch new file mode 100644 index 00000000000..069f7017f59 --- /dev/null +++ b/queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch 
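Review bot: The back-to-back `pci_restore_state(pdev); pci_save_state(pdev);` in bnxt_io_slot_reset() reads like a redundancy without a comment. The second call is needed because pci_restore_state() consumes the saved copy, so a later slot reset would otherwise have nothing to restore. I would add `/* pci_restore_state() clears the saved state; save again for the next reset */` above the pair. `pci_save_state()` returns an int that is ignored both here and before `return 0;` in bnxt_init_one(); a failed save would only surface at the next AER recovery. Both functions extend beyond the hunks.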
@@ -0,0 +1,68 @@ +From 1ed14856dbc2fd0023ea79392aad1e6e8e8a42b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:08:36 -0400 +Subject: bnxt_en: Fix possible crash in bnxt_fw_reset_task(). + +From: Michael Chan + +[ Upstream commit b148bb238c02f0c7797efed026e9bba5892d2172 ] + +bnxt_fw_reset_task() is run from a delayed workqueue. The current +code is not cancelling the workqueue in the driver's .remove() +method and it can potentially crash if the device is removed with +the workqueue still pending. + +The fix is to clear the BNXT_STATE_IN_FW_RESET flag and then cancel +the delayed workqueue in bnxt_remove_one(). bnxt_queue_fw_reset_work() +also needs to check that this flag is set before scheduling. This +will guarantee that no rescheduling will be done after it is cancelled. + +Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.") +Reviewed-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 7cb74d7a78e3c..16462d21fea38 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1143,6 +1143,9 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + + static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) + { ++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) ++ return; ++ + if (BNXT_PF(bp)) + queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); + else +@@ -1159,10 +1162,12 @@ static void bnxt_queue_sp_work(struct bnxt *bp) + + static void bnxt_cancel_sp_work(struct bnxt *bp) + { +- if (BNXT_PF(bp)) ++ if (BNXT_PF(bp)) { + flush_workqueue(bnxt_pf_wq); +- else ++ } else { + cancel_work_sync(&bp->sp_task); ++ cancel_delayed_work_sync(&bp->fw_reset_task); ++ } + } 
+ + static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) +@@ -11386,6 +11391,7 @@ static void bnxt_remove_one(struct pci_dev *pdev) + unregister_netdev(dev); + bnxt_dl_unregister(bp); + bnxt_shutdown_tc(bp); ++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state); + bnxt_cancel_sp_work(bp); + bp->sp_event = 0; + +-- +2.25.1 + diff --git a/queue-5.4/cxgb4-fix-thermal-zone-device-registration.patch b/queue-5.4/cxgb4-fix-thermal-zone-device-registration.patch new file mode 100644 index 00000000000..b90bdf587c1 --- /dev/null +++ b/queue-5.4/cxgb4-fix-thermal-zone-device-registration.patch 
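Review bot: In bnxt_cancel_sp_work() the new `cancel_delayed_work_sync(&bp->fw_reset_task);` is reached only in the `else` (VF) branch, while the PF branch still calls just `flush_workqueue(bnxt_pf_wq);`. flush_workqueue() waits for work already queued; it does not cancel a delayed work item whose timer has not yet expired. On a PF, a pending `fw_reset_task` can therefore still fire after bnxt_remove_one() has continued. Adding `cancel_delayed_work_sync(&bp->fw_reset_task);` after the flush in the PF branch would close the case the commit message describes for both function types. The `clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);` placed before the call already prevents requeueing.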
@@ -0,0 +1,111 @@ +From 274eaf324ddef94d1162684fc563174cb55535fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 21:14:40 +0530 +Subject: cxgb4: fix thermal zone device registration + +From: Potnuri Bharat Teja + +[ Upstream commit 6b6382a857d824c0866056d5736bbcb597a922ed ] + +When multiple adapters are present in the system, pci hot-removing second +adapter leads to the following warning as both the adapters registered +thermal zone device with same thermal zone name/type. +Therefore, use unique thermal zone name during thermal zone device +initialization. Also mark thermal zone dev NULL once unregistered. + +[ 414.370143] ------------[ cut here ]------------ +[ 414.370944] sysfs group 'power' not found for kobject 'hwmon0' +[ 414.371747] WARNING: CPU: 9 PID: 2661 at fs/sysfs/group.c:281 + sysfs_remove_group+0x76/0x80 +[ 414.382550] CPU: 9 PID: 2661 Comm: bash Not tainted 5.8.0-rc6+ #33 +[ 414.383593] Hardware name: Supermicro X10SRA-F/X10SRA-F, BIOS 2.0a 06/23/2016 +[ 414.384669] RIP: 0010:sysfs_remove_group+0x76/0x80 +[ 414.385738] Code: 48 89 df 5b 5d 41 5c e9 d8 b5 ff ff 48 89 df e8 60 b0 ff ff + eb cb 49 8b 14 24 48 8b 75 00 48 c7 c7 90 ae 13 bb e8 6a 27 d0 ff <0f> 0b 5b 5d + 41 5c c3 0f 1f 00 0f 1f 44 00 00 48 85 f6 74 31 41 54 +[ 414.388404] RSP: 0018:ffffa22bc080fcb0 EFLAGS: 00010286 +[ 414.389638] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 414.390829] RDX: 0000000000000001 RSI: ffff8ee2de3e9510 RDI: ffff8ee2de3e9510 +[ 414.392064] RBP: ffffffffbaef2ee0 R08: 0000000000000000 R09: 0000000000000000 +[ 414.393224] R10: 0000000000000000 R11: 000000002b30006c R12: ffff8ee260720008 +[ 414.394388] R13: ffff8ee25e0a40e8 R14: ffffa22bc080ff08 R15: ffff8ee2c3be5020 +[ 414.395661] FS: 00007fd2a7171740(0000) GS:ffff8ee2de200000(0000) + knlGS:0000000000000000 +[ 414.396825] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 414.398011] CR2: 00007f178ffe5020 CR3: 000000084c5cc003 CR4: 00000000003606e0 +[ 414.399172] DR0: 
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 414.400352] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 414.401473] Call Trace: +[ 414.402685] device_del+0x89/0x400 +[ 414.403819] device_unregister+0x16/0x60 +[ 414.405024] hwmon_device_unregister+0x44/0xa0 +[ 414.406112] thermal_remove_hwmon_sysfs+0x196/0x200 +[ 414.407256] thermal_zone_device_unregister+0x1b5/0x1f0 +[ 414.408415] cxgb4_thermal_remove+0x3c/0x4f [cxgb4] +[ 414.409668] remove_one+0x212/0x290 [cxgb4] +[ 414.410875] pci_device_remove+0x36/0xb0 +[ 414.412004] device_release_driver_internal+0xe2/0x1c0 +[ 414.413276] pci_stop_bus_device+0x64/0x90 +[ 414.414433] pci_stop_and_remove_bus_device_locked+0x16/0x30 +[ 414.415609] remove_store+0x75/0x90 +[ 414.416790] kernfs_fop_write+0x114/0x1b0 +[ 414.417930] vfs_write+0xcf/0x210 +[ 414.419059] ksys_write+0xa7/0xe0 +[ 414.420120] do_syscall_64+0x4c/0xa0 +[ 414.421278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 414.422335] RIP: 0033:0x7fd2a686afd0 +[ 414.423396] Code: Bad RIP value. +[ 414.424549] RSP: 002b:00007fffc1446148 EFLAGS: 00000246 ORIG_RAX: + 0000000000000001 +[ 414.425638] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd2a686afd0 +[ 414.426830] RDX: 0000000000000002 RSI: 00007fd2a7196000 RDI: 0000000000000001 +[ 414.427927] RBP: 00007fd2a7196000 R08: 000000000000000a R09: 00007fd2a7171740 +[ 414.428923] R10: 00007fd2a7171740 R11: 0000000000000246 R12: 00007fd2a6b43400 +[ 414.430082] R13: 0000000000000002 R14: 0000000000000001 R15: 0000000000000000 +[ 414.431027] irq event stamp: 76300 +[ 414.435678] ---[ end trace 13865acb4d5ab00f ]--- + +Fixes: b18719157762 ("cxgb4: Add thermal zone support") +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c +index 3de8a5e83b6c7..d7fefdbf3e575 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c +@@ -62,6 +62,7 @@ static struct thermal_zone_device_ops cxgb4_thermal_ops = { + int cxgb4_thermal_init(struct adapter *adap) + { + struct ch_thermal *ch_thermal = &adap->ch_thermal; ++ char ch_tz_name[THERMAL_NAME_LENGTH]; + int num_trip = CXGB4_NUM_TRIPS; + u32 param, val; + int ret; +@@ -82,7 +83,8 @@ int cxgb4_thermal_init(struct adapter *adap) + ch_thermal->trip_type = THERMAL_TRIP_CRITICAL; + } + +- ch_thermal->tzdev = thermal_zone_device_register("cxgb4", num_trip, ++ snprintf(ch_tz_name, sizeof(ch_tz_name), "cxgb4_%s", adap->name); ++ ch_thermal->tzdev = thermal_zone_device_register(ch_tz_name, num_trip, + 0, adap, + &cxgb4_thermal_ops, + NULL, 0, 0); +@@ -97,7 +99,9 @@ int cxgb4_thermal_init(struct adapter *adap) + + int cxgb4_thermal_remove(struct adapter *adap) + { +- if (adap->ch_thermal.tzdev) ++ if (adap->ch_thermal.tzdev) { + thermal_zone_device_unregister(adap->ch_thermal.tzdev); ++ adap->ch_thermal.tzdev = NULL; ++ } + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch b/queue-5.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch new file mode 100644 index 00000000000..d219c7f16a5 --- /dev/null +++ b/queue-5.4/dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch 
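Review bot: The `snprintf(ch_tz_name, sizeof(ch_tz_name), "cxgb4_%s", adap->name);` in cxgb4_thermal_init() ignores its return value, so a truncated name is registered silently. Uniqueness of the thermal zone name is the whole point of the change. If `adap->name` can exceed `THERMAL_NAME_LENGTH` minus the prefix and the terminator (its length is not visible in the hunk), two adapters could truncate to the same string and reproduce the original warning. A check such as `if (snprintf(...) >= (int)sizeof(ch_tz_name)) dev_warn(adap->pdev_dev, "thermal zone name truncated\n");` would make that visible, with `adap->pdev_dev` replaced by whatever device pointer the driver uses for logging.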
@@ -0,0 +1,39 @@
+From 6c79449f7f37bab2a0f933a0f65056b5057c1f79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 19:57:26 +0800
+Subject: dmaengine: at_hdmac: check return value of of_find_device_by_node()
+ in at_dma_xlate()
+
+From: Yu Kuai
+
+[ Upstream commit 0cef8e2c5a07d482ec907249dbd6687e8697677f ]
+
+The reurn value of of_find_device_by_node() is not checked, thus null
+pointer dereference will be triggered if of_find_device_by_node()
+failed.
+
+Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding")
+Signed-off-by: Yu Kuai
+Link: https://lore.kernel.org/r/20200817115728.1706719-2-yukuai3@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/at_hdmac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
+index 672c73b4a2d4f..ff366c2f58c18 100644
+--- a/drivers/dma/at_hdmac.c
++++ b/drivers/dma/at_hdmac.c
+@@ -1667,6 +1667,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec,
+ return NULL;
+
+ dmac_pdev = of_find_device_by_node(dma_spec->np);
++ if (!dmac_pdev)
++ return NULL;
+
+ dma_cap_zero(mask);
+ dma_cap_set(DMA_SLAVE, mask);
+--
+2.25.1
+
diff --git a/queue-5.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch b/queue-5.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch
new file mode 100644
index 00000000000..cbf140810a4
--- /dev/null
+++ b/queue-5.4/dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch
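Review bot: of_find_device_by_node() returns the platform device with a reference held, and the added `if (!dmac_pdev) return NULL;` only covers the lookup failing; nothing visible in this hunk drops that reference on the paths after `dma_cap_set(DMA_SLAVE, mask);`. If the rest of at_dma_xlate() has exits that do not hand the device on, each of them presumably needs `put_device(&dmac_pdev->dev);`, otherwise every failed translation keeps the device pinned. The function body continues outside the hunk, so this has to be checked against the full function.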
@@ -0,0 +1,47 @@
+From 591c6e8092d765de08ac2f051f3a1a0f9dd78697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 13:49:28 +0300
+Subject: dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
+
+From: Peter Ujfalusi
+
+[ Upstream commit 5b2aa9f918f6837ae943557f8cec02c34fcf80e7 ]
+
+of_dma_xlate callback can return ERR_PTR as well NULL in case of failure.
+
+If error code is returned (not NULL) then the route should be released and
+the router should not be registered for the channel.
+
+Fixes: 56f13c0d9524c ("dmaengine: of_dma: Support for DMA routers")
+Signed-off-by: Peter Ujfalusi
+Link: https://lore.kernel.org/r/20200806104928.25975-1-peter.ujfalusi@ti.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/of-dma.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c
+index c2d779daa4b51..4bbf4172b9bf9 100644
+--- a/drivers/dma/of-dma.c
++++ b/drivers/dma/of-dma.c
+@@ -69,12 +69,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec,
+ return NULL;
+
+ chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target);
+- if (chan) {
+- chan->router = ofdma->dma_router;
+- chan->route_data = route_data;
+- } else {
++ if (IS_ERR_OR_NULL(chan)) {
+ ofdma->dma_router->route_free(ofdma->dma_router->dev,
+ route_data);
++ } else {
++ chan->router = ofdma->dma_router;
++ chan->route_data = route_data;
+ }
+
+ /*
+--
+2.25.1
+
diff --git a/queue-5.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch b/queue-5.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch
new file mode 100644
index 00000000000..5bf91370b2c
--- /dev/null
+++ b/queue-5.4/dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch
@@ -0,0 +1,48 @@
+From ee89586e4e150d93d2288df00148ddbaf67895ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Aug 2020 08:46:17 +0200
+Subject: dmaengine: pl330: Fix burst length if burst size is smaller than bus
+ width
+
+From: Marek Szyprowski
+
+[ Upstream commit 0661cef675d37e2c4b66a996389ebeae8568e49e ]
+
+Move the burst len fixup after setting the generic value for it. This
+finally enables the fixup introduced by commit 137bd11090d8 ("dmaengine:
+pl330: Align DMA memcpy operations to MFIFO width"), which otherwise was
+overwritten by the generic value.
+
+Reported-by: kernel test robot
+Fixes: 137bd11090d8 ("dmaengine: pl330: Align DMA memcpy operations to MFIFO width")
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20200825064617.16193-1-m.szyprowski@samsung.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/pl330.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 6cce9ef61b294..cd81d10974a29 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2788,6 +2788,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
+ while (burst != (1 << desc->rqcfg.brst_size))
+ desc->rqcfg.brst_size++;
+
++ desc->rqcfg.brst_len = get_burst_len(desc, len);
+ /*
+ * If burst size is smaller than bus width then make sure we only
+ * transfer one at a time to avoid a burst stradling an MFIFO entry.
+@@ -2795,7 +2796,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
+ if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width)
+ desc->rqcfg.brst_len = 1;
+
+- desc->rqcfg.brst_len = get_burst_len(desc, len);
+ desc->bytes_requested = len;
+
+ desc->txd.flags = flags;
+--
+2.25.1
+
diff --git a/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch b/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch
new file mode 100644
index 00000000000..6e6bb3a01ec
--- /dev/null
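Review bot: With `brst_len` now assigned before the fixup, the condition `desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width` finally takes effect, and it looks like it compares the wrong quantity: the `while (burst != (1 << desc->rqcfg.brst_size))` loop just above leaves `brst_size` as the log2 of `burst`, not the burst size itself. If `burst` is in bytes and `data_bus_width` in bits (not visible here), the test the comment describes would be `if (burst * 8 < pl330->pcfg.data_bus_width)`; as written it would also force `brst_len = 1` for bursts that already match the bus width. pl330_prep_dma_memcpy() starts and ends outside both hunks.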
+++ b/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch
@@ -0,0 +1,48 @@
+From 7abad39f34f506b0e75391e3c3dc430ec97bf3d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Aug 2020 01:33:48 +0800
+Subject: drm/radeon: Prefer lower feedback dividers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai-Heng Feng
+
+[ Upstream commit fc8c70526bd30733ea8667adb8b8ffebea30a8ed ]
+
+Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+fixed screen flicker for HP Compaq nx9420 but breaks other laptops like
+Asus X50SL.
+
+Turns out we also need to favor lower feedback dividers.
+
+Users confirmed this change fixes the regression and doesn't regress the
+original fix.
+
+Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+BugLink: https://bugs.launchpad.net/bugs/1791312
+BugLink: https://bugs.launchpad.net/bugs/1861554
+Reviewed-by: Christian König
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index f9f74150d0d73..e7c4e06bc7d4f 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -932,7 +932,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div,
+
+ /* get matching reference and feedback divider */
+ *ref_div = min(max(den/post_div, 1u), ref_div_max);
+- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den);
++ *fb_div = max(nom * *ref_div * post_div / den, 1u);
+
+ /* limit fb divider to its maximum */
+ if (*fb_div > fb_div_max) {
+--
+2.25.1
+
diff --git a/queue-5.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch b/queue-5.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch
new file mode 100644
index 00000000000..6ddaa3d86c0
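Review bot: The changed line `*fb_div = max(nom * *ref_div * post_div / den, 1u);` relies on the division truncating, but nothing at that line says the rounding-down is deliberate, so a later cleanup could restore DIV_ROUND_CLOSEST and bring back the regression the message describes. A one-line comment above it, `/* truncate on purpose: prefer the lower feedback divider */`, would record that. The product `nom * *ref_div * post_div` is also evaluated in `unsigned` before the division, as it was before this change; whether the callers' value ranges rule out wrap-around is not visible in the hunk.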
--- /dev/null
+++ b/queue-5.4/fix-regression-in-epoll-keep-a-reference-on-files-ad.patch
@@ -0,0 +1,42 @@
+From 16d858d142afa3a7951940c47c454f7c9076b75f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Sep 2020 11:30:48 -0400
+Subject: fix regression in "epoll: Keep a reference on files added to the
+ check list"
+
+From: Al Viro
+
+[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]
+
+epoll_loop_check_proc() can run into a file already committed to destruction;
+we can't grab a reference on those and don't need to add them to the set for
+reverse path check anyway.
+
+Tested-by: Marc Zyngier
+Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/eventpoll.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 0d9b1e2b9da72..ae1d32344f7ac 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1992,9 +1992,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+ * during ep_insert().
+ */
+ if (list_empty(&epi->ffd.file->f_tfile_llink)) {
+- get_file(epi->ffd.file);
+- list_add(&epi->ffd.file->f_tfile_llink,
+- &tfile_check_list);
++ if (get_file_rcu(epi->ffd.file))
++ list_add(&epi->ffd.file->f_tfile_llink,
++ &tfile_check_list);
+ }
+ }
+ }
+--
+2.25.1
+
diff --git a/queue-5.4/gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch b/queue-5.4/gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch
new file mode 100644
index 00000000000..e23ea16a7b5
--- /dev/null
+++ b/queue-5.4/gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch
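Review bot: The new `if (get_file_rcu(epi->ffd.file))` silently skips a file, and the reason is recorded only in the commit message; the existing block comment ends at `during ep_insert().` and does not cover it. A short comment before the test, `/* a file already headed for destruction cannot be pinned and need not be checked */`, would keep the refcount rule next to the code. The inner `if` now has a body wrapped over two lines without braces inside the outer braced `if`; bracing it would make the scope obvious. ep_loop_check_proc() starts and ends outside the hunk.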
@@ -0,0 +1,36 @@
+From 07a2da868915dcf7af9996412a585b795f50febc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Aug 2020 14:59:40 +0200
+Subject: gtp: add GTPA_LINK info to msg sent to userspace
+
+From: Nicolas Dichtel
+
+[ Upstream commit b274e47d9e3f4dcd4ad4028a316ec22dc4533ac7 ]
+
+During a dump, this attribute is essential, it enables the userspace to
+know on which interface the context is linked to.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Nicolas Dichtel
+Tested-by: Gabriel Ganne
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/gtp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index d89ec99abcd63..634bdea38ecb3 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1182,6 +1182,7 @@ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
+ goto nlmsg_failure;
+
+ if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) ||
++ nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) ||
+ nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) ||
+ nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr))
+ goto nla_put_failure;
+--
+2.25.1
+
diff --git a/queue-5.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch b/queue-5.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch
new file mode 100644
index 00000000000..e2bc09864b6
--- /dev/null
+++ b/queue-5.4/include-linux-log2.h-add-missing-around-n-in-roundup.patch
@@ -0,0 +1,37 @@
+From b56716891fa7a4440c98f403346e4ea8a669fec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 16:36:19 -0700
+Subject: include/linux/log2.h: add missing () around n in roundup_pow_of_two()
+
+From: Jason Gunthorpe
+
+[ Upstream commit 428fc0aff4e59399ec719ffcc1f7a5d29a4ee476 ]
+
+Otherwise gcc generates warnings if the expression is complicated.
+
+Fixes: 312a0c170945 ("[PATCH] LOG2: Alter roundup_pow_of_two() so that it can use a ilog2() on a constant")
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Andrew Morton
+Link: https://lkml.kernel.org/r/0-v1-8a2697e3c003+41165-log_brackets_jgg@nvidia.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/log2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/log2.h b/include/linux/log2.h
+index 83a4a3ca3e8a7..c619ec6eff4ae 100644
+--- a/include/linux/log2.h
++++ b/include/linux/log2.h
+@@ -173,7 +173,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
+ #define roundup_pow_of_two(n) \
+ ( \
+ __builtin_constant_p(n) ? ( \
+- (n == 1) ? 1 : \
++ ((n) == 1) ? 1 : \
+ (1UL << (ilog2((n) - 1) + 1)) \
+ ) : \
+ __roundup_pow_of_two(n) \
+--
+2.25.1
+
diff --git a/queue-5.4/iommu-amd-restore-irte.remapen-bit-after-programming.patch b/queue-5.4/iommu-amd-restore-irte.remapen-bit-after-programming.patch
new file mode 100644
index 00000000000..82b698d56f5
--- /dev/null
+++ b/queue-5.4/iommu-amd-restore-irte.remapen-bit-after-programming.patch
@@ -0,0 +1,46 @@
+From 58471b61c79069be39d3ecb727cdcb2de96ef3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Sep 2020 09:38:21 +0000
+Subject: iommu/amd: Restore IRTE.RemapEn bit after programming IRTE
+
+From: Suravee Suthikulpanit
+
+[ Upstream commit 26e495f341075c09023ba16dee9a7f37a021e745 ]
+
+Currently, the RemapEn (valid) bit is accidentally cleared when
+programming IRTE w/ guestMode=0. It should be restored to
+the prior state.
+
+Fixes: b9fc6b56f478 ("iommu/amd: Implements irq_set_vcpu_affinity() hook to setup vapic mode for pass-through devices")
+Signed-off-by: Suravee Suthikulpanit
+Reviewed-by: Joao Martins
+Link: https://lore.kernel.org/r/20200903093822.52012-2-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 3a7094f4813f2..cdafc652d9d1a 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -4431,6 +4431,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
+ struct amd_ir_data *ir_data = (struct amd_ir_data *)data;
+ struct irte_ga *entry = (struct irte_ga *) ir_data->entry;
+ struct irq_cfg *cfg = ir_data->cfg;
++ u64 valid = entry->lo.fields_remap.valid;
+
+ if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) ||
+ !entry || !entry->lo.fields_vapic.guest_mode)
+@@ -4439,6 +4440,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
+ entry->lo.val = 0;
+ entry->hi.val = 0;
+
++ entry->lo.fields_remap.valid = valid;
+ entry->lo.fields_remap.dm = apic->irq_dest_mode;
+ entry->lo.fields_remap.int_type = apic->irq_delivery_mode;
+ entry->hi.fields.vector = cfg->vector;
+--
+2.25.1
+
diff --git a/queue-5.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch b/queue-5.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch
new file mode 100644
index 00000000000..373bad9276f
--- /dev/null
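Review bot: The new initializer `u64 valid = entry->lo.fields_remap.valid;` dereferences `entry` in the declarations, ahead of the `!entry` test in the guard that follows, so a NULL `ir_data->entry` faults before the guard can return, and the compiler is also free to treat the later NULL test as dead. Declare `u64 valid;` and move the read below the guard, `valid = entry->lo.fields_remap.valid;`, just before `entry->lo.val = 0;` in the second hunk. The body of amd_iommu_deactivate_guest_mode() continues outside both hunks.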
+++ b/queue-5.4/iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch 
@@ -0,0 +1,62 @@ +From 525179270949a2df40e0a8efbc86ca3d6c907b0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:06:15 +0800 +Subject: iommu/vt-d: Serialize IOMMU GCMD register modifications + +From: Lu Baolu + +[ Upstream commit 6e4e9ec65078093165463c13d4eb92b3e8d7b2e8 ] + +The VT-d spec requires (10.4.4 Global Command Register, GCMD_REG General +Description) that: + +If multiple control fields in this register need to be modified, software +must serialize the modifications through multiple writes to this register. + +However, in irq_remapping.c, modifications of IRE and CFI are done in one +write. We need to do two separate writes with STS checking after each. It +also checks the status register before writing command register to avoid +unnecessary register write. + +Fixes: af8d102f999a4 ("x86/intel/irq_remapping: Clean up x2apic opt-out security warning mess") +Signed-off-by: Lu Baolu +Reviewed-by: Kevin Tian +Cc: Andy Lutomirski +Cc: Jacob Pan +Cc: Kevin Tian +Cc: Ashok Raj +Link: https://lore.kernel.org/r/20200828000615.8281-1-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel_irq_remapping.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index 6bfb283e6f287..f697f3a1d46bc 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -507,12 +507,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu) + + /* Enable interrupt-remapping */ + iommu->gcmd |= DMA_GCMD_IRE; +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */ + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); +- + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, + readl, (sts & DMA_GSTS_IRES), sts); + ++ /* Block compatibility-format MSIs */ ++ if (sts & DMA_GSTS_CFIS) { ++ iommu->gcmd &= ~DMA_GCMD_CFI; ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); ++ 
IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, ++ readl, !(sts & DMA_GSTS_CFIS), sts); ++ } ++ + /* + * With CFI clear in the Global Command register, we should be + * protected from dangerous (i.e. compatibility) interrupts +-- +2.25.1 + diff --git a/queue-5.4/media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch b/queue-5.4/media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch new file mode 100644 index 00000000000..8dca7300bb7 --- /dev/null +++ b/queue-5.4/media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch 
@@ -0,0 +1,54 @@
+From 5cf463fafc7a0671dfdca5902a5ec9224f6c1e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 21:18:33 +0200
+Subject: media: cedrus: Add missing v4l2_ctrl_request_hdl_put()
+
+From: Ezequiel Garcia
+
+[ Upstream commit b30063976f29fc221a99d18d37d22ca035068aa9 ]
+
+The check for a required control in the request was missing a call to
+v4l2_ctrl_request_hdl_put() in the error path. Fix it.
+
+Fixes: 50e761516f2b8c ("media: platform: Add Cedrus VPU decoder driver")
+Signed-off-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/sunxi/cedrus/cedrus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
+index 3439f6ad63380..e80e82a276e93 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
++++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
+@@ -159,6 +159,7 @@ static int cedrus_request_validate(struct media_request *req)
+ struct v4l2_ctrl *ctrl_test;
+ unsigned int count;
+ unsigned int i;
++ int ret = 0;
+
+ list_for_each_entry(obj, &req->objects, list) {
+ struct vb2_buffer *vb;
+@@ -203,12 +204,16 @@ static int cedrus_request_validate(struct media_request *req)
+ if (!ctrl_test) {
+ v4l2_info(&ctx->dev->v4l2_dev,
+ "Missing required codec control\n");
+- return -ENOENT;
++ ret = -ENOENT;
++ break;
+ }
+ }
+
+ v4l2_ctrl_request_hdl_put(hdl);
+
++ if (ret)
++ return ret;
++
+ return vb2_request_validate(req);
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch b/queue-5.4/media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch
new file mode 100644
index 00000000000..6b781292ae7
--- /dev/null
+++ b/queue-5.4/media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch
@@ -0,0 +1,37 @@
+From 09a0a49d2b85998ff89ff937ba98711adbafb02d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Aug 2020 12:30:33 +0200
+Subject: media: vicodec: add missing v4l2_ctrl_request_hdl_put()
+
+From: Hans Verkuil
+
+[ Upstream commit 2e7c8fb8942773f412fe12f3b63e8bb92c18ab3f ]
+
+The check for a required control in the request was missing a call to
+v4l2_ctrl_request_hdl_put(), so the control request object was never
+released.
+
+Signed-off-by: Hans Verkuil
+Fixes: 997deb811bf5 ("media: vicodec: Add support for stateless decoder.")
+Reviewed-by: Ezequiel Garcia
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/vicodec/vicodec-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
+index 84ec36156f73f..c77281d43f892 100644
+--- a/drivers/media/platform/vicodec/vicodec-core.c
++++ b/drivers/media/platform/vicodec/vicodec-core.c
+@@ -2052,6 +2052,7 @@ static int vicodec_request_validate(struct media_request *req)
+ }
+ ctrl = v4l2_ctrl_request_hdl_ctrl_find(hdl,
+ vicodec_ctrl_stateless_state.id);
++ v4l2_ctrl_request_hdl_put(hdl);
+ if (!ctrl) {
+ v4l2_info(&ctx->dev->v4l2_dev,
+ "Missing required codec control\n");
+--
+2.25.1
+
diff --git a/queue-5.4/mips-add-missing-msacsr-and-upper-msa-initialization.patch b/queue-5.4/mips-add-missing-msacsr-and-upper-msa-initialization.patch
new file mode 100644
index 00000000000..0cab250d08c
--- /dev/null
+++ b/queue-5.4/mips-add-missing-msacsr-and-upper-msa-initialization.patch
@@ -0,0 +1,50 @@
+From 362a3da876cee4d9b8ef0206eb4412297dbee21f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Sep 2020 14:53:09 +0800
+Subject: MIPS: add missing MSACSR and upper MSA initialization
+
+From: Huang Pei
+
+[ Upstream commit bb06748207cfb1502d11b90325eba7f8c44c9f02 ]
+
+In cc97ab235f3f ("MIPS: Simplify FP context initialization), init_fp_ctx
+just initialize the fp/msa context, and own_fp_inatomic just restore
+FCSR and 64bit FP regs from it, but miss MSACSR and upper MSA regs for
+MSA, so MSACSR and MSA upper regs's value from previous task on current
+cpu can leak into current task and cause unpredictable behavior when MSA
+context not initialized.
+
+Fixes: cc97ab235f3f ("MIPS: Simplify FP context initialization")
+Signed-off-by: Huang Pei
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/kernel/traps.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index 6a25364600266..8282d0feb0b21 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -1240,6 +1240,18 @@ static int enable_restore_fp_context(int msa)
+ err = own_fpu_inatomic(1);
+ if (msa && !err) {
+ enable_msa();
++ /*
++ * with MSA enabled, userspace can see MSACSR
++ * and MSA regs, but the values in them are from
++ * other task before current task, restore them
++ * from saved fp/msa context
++ */
++ write_msa_csr(current->thread.fpu.msacsr);
++ /*
++ * own_fpu_inatomic(1) just restore low 64bit,
++ * fix the high 64bit
++ */
++ init_msa_upper();
+ set_thread_flag(TIF_USEDMSA);
+ set_thread_flag(TIF_MSA_CTX_LIVE);
+ }
+--
+2.25.1
+
diff --git a/queue-5.4/mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch b/queue-5.4/mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch
new file mode 100644
index 00000000000..648e6ba4d5a
--- /dev/null
+++ b/queue-5.4/mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch
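Review bot: The second added comment, `fix the high 64bit`, does not say what the upper register halves end up holding, which is the part that matters for the cross-task leak the commit message describes. Wording such as `/* own_fpu_inatomic(1) restores only the low 64 bits; overwrite the upper halves so the previous task's values are not exposed */` would state the intent; what init_msa_upper() actually writes is not visible in this hunk and should be confirmed when rewording. enable_restore_fp_context() starts and ends outside the hunk.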
@@ -0,0 +1,37 @@
+From 29ccdc81271b2c710a7899b5d35ac1bdd146b2c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Aug 2020 11:26:45 -0700
+Subject: MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
+
+From: Florian Fainelli
+
+[ Upstream commit e14f633b66902615cf7faa5d032b45ab8b6fb158 ]
+
+The initialization done by bmips_cpu_setup() typically affects both
+threads of a given core, on 7435 which supports 2 cores and 2 threads,
+logical CPU number 2 and 3 would not run this initialization.
+
+Fixes: 738a3f79027b ("MIPS: BMIPS: Add early CPU initialization code")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/kernel/smp-bmips.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
+index 712c15de6ab9f..6b304acf506fe 100644
+--- a/arch/mips/kernel/smp-bmips.c
++++ b/arch/mips/kernel/smp-bmips.c
+@@ -241,6 +241,8 @@ static int bmips_boot_secondary(int cpu, struct task_struct *idle)
+ */
+ static void bmips_init_secondary(void)
+ {
++ bmips_cpu_setup();
++
+ switch (current_cpu_type()) {
+ case CPU_BMIPS4350:
+ case CPU_BMIPS4380:
+--
+2.25.1
+
diff --git a/queue-5.4/mips-mm-bmips5000-has-inclusive-physical-caches.patch b/queue-5.4/mips-mm-bmips5000-has-inclusive-physical-caches.patch
new file mode 100644
index 00000000000..8de051cdd1b
--- /dev/null
+++ b/queue-5.4/mips-mm-bmips5000-has-inclusive-physical-caches.patch
@@ -0,0 +1,41 @@
+From 23b81d27f2d18b0dbe9d8bc135f7bce318d1e105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Aug 2020 11:26:44 -0700
+Subject: MIPS: mm: BMIPS5000 has inclusive physical caches
+
+From: Florian Fainelli
+
+[ Upstream commit dbfc95f98f0158958d1f1e6bf06d74be38dbd821 ]
+
+When the BMIPS generic cpu-feature-overrides.h file was introduced,
+cpu_has_inclusive_caches/MIPS_CPU_INCLUSIVE_CACHES was not set for
+BMIPS5000 CPUs. Correct this when we have initialized the MIPS secondary
+cache successfully.
+
+Fixes: f337967d6d87 ("MIPS: BMIPS: Add cpu-feature-overrides.h")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/mm/c-r4k.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
+index 89b9c851d8227..c4785a456dedc 100644
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -1676,7 +1676,11 @@ static void setup_scache(void)
+ printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n",
+ scache_size >> 10,
+ way_string[c->scache.ways], c->scache.linesz);
++
++ if (current_cpu_type() == CPU_BMIPS5000)
++ c->options |= MIPS_CPU_INCLUSIVE_CACHES;
+ }
++
+ #else
+ if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT))
+ panic("Dunno how to handle MIPS32 / MIPS64 second level cache");
+--
+2.25.1
+
diff --git a/queue-5.4/mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch b/queue-5.4/mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch
new file mode 100644
index 00000000000..8967e2f4fee
--- /dev/null
+++ b/queue-5.4/mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch
@@ -0,0 +1,139 @@ +From 84d545d65bed3f71c56ad996cd68c29b36c45a7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 13:00:19 -0600 +Subject: mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040 + +From: Raul E Rangel + +[ Upstream commit 61d7437ed13906984c44697970ee792ac6271a31 ] + +The AMD eMMC Controller can only use the tuned clock while in HS200 and +HS400 mode. If we switch to a different mode, we need to disable the +tuned clock. If we have previously performed tuning and switch back to +HS200 or HS400, we can re-enable the tuned clock. + +Previously the tuned clock was not getting disabled when switching to +DDR52 which is part of the HS400 tuning sequence. + +Fixes: 34597a3f60b1 ("mmc: sdhci-acpi: Add support for ACPI HID of AMD Controller with HS400") +Signed-off-by: Raul E Rangel +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20200819125832.v2.1.Ie8f0689ec9f449203328b37409d1cf06b565f331@changeid +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-acpi.c | 67 +++++++++++++++++++++++++++++------ + 1 file changed, 57 insertions(+), 10 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c +index 01fc437ed9659..5581a5c86fce3 100644 +--- a/drivers/mmc/host/sdhci-acpi.c ++++ b/drivers/mmc/host/sdhci-acpi.c +@@ -532,6 +532,11 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_qcom_sd = { + .caps = MMC_CAP_NONREMOVABLE, + }; + ++struct amd_sdhci_host { ++ bool tuned_clock; ++ bool dll_enabled; ++}; ++ + /* AMD sdhci reset dll register. */ + #define SDHCI_AMD_RESET_DLL_REGISTER 0x908 + +@@ -551,26 +556,66 @@ static void sdhci_acpi_amd_hs400_dll(struct sdhci_host *host) + } + + /* +- * For AMD Platform it is required to disable the tuning +- * bit first controller to bring to HS Mode from HS200 +- * mode, later enable to tune to HS400 mode. 
++ * The initialization sequence for HS400 is: ++ * HS->HS200->Perform Tuning->HS->HS400 ++ * ++ * The re-tuning sequence is: ++ * HS400->DDR52->HS->HS200->Perform Tuning->HS->HS400 ++ * ++ * The AMD eMMC Controller can only use the tuned clock while in HS200 and HS400 ++ * mode. If we switch to a different mode, we need to disable the tuned clock. ++ * If we have previously performed tuning and switch back to HS200 or ++ * HS400, we can re-enable the tuned clock. ++ * + */ + static void amd_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + { + struct sdhci_host *host = mmc_priv(mmc); ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host); ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host); + unsigned int old_timing = host->timing; ++ u16 val; + + sdhci_set_ios(mmc, ios); +- if (old_timing == MMC_TIMING_MMC_HS200 && +- ios->timing == MMC_TIMING_MMC_HS) +- sdhci_writew(host, 0x9, SDHCI_HOST_CONTROL2); +- if (old_timing != MMC_TIMING_MMC_HS400 && +- ios->timing == MMC_TIMING_MMC_HS400) { +- sdhci_writew(host, 0x80, SDHCI_HOST_CONTROL2); +- sdhci_acpi_amd_hs400_dll(host); ++ ++ if (old_timing != host->timing && amd_host->tuned_clock) { ++ if (host->timing == MMC_TIMING_MMC_HS400 || ++ host->timing == MMC_TIMING_MMC_HS200) { ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2); ++ val |= SDHCI_CTRL_TUNED_CLK; ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2); ++ } else { ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2); ++ val &= ~SDHCI_CTRL_TUNED_CLK; ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2); ++ } ++ ++ /* DLL is only required for HS400 */ ++ if (host->timing == MMC_TIMING_MMC_HS400 && ++ !amd_host->dll_enabled) { ++ sdhci_acpi_amd_hs400_dll(host); ++ amd_host->dll_enabled = true; ++ } + } + } + ++static int amd_sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode) ++{ ++ int err; ++ struct sdhci_host *host = mmc_priv(mmc); ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host); ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host); ++ ++ 
amd_host->tuned_clock = false; ++ ++ err = sdhci_execute_tuning(mmc, opcode); ++ ++ if (!err && !host->tuning_err) ++ amd_host->tuned_clock = true; ++ ++ return err; ++} ++ + static const struct sdhci_ops sdhci_acpi_ops_amd = { + .set_clock = sdhci_set_clock, + .set_bus_width = sdhci_set_bus_width, +@@ -598,6 +643,7 @@ static int sdhci_acpi_emmc_amd_probe_slot(struct platform_device *pdev, + + host->mmc_host_ops.select_drive_strength = amd_select_drive_strength; + host->mmc_host_ops.set_ios = amd_set_ios; ++ host->mmc_host_ops.execute_tuning = amd_sdhci_execute_tuning; + return 0; + } + +@@ -609,6 +655,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_amd_emmc = { + SDHCI_QUIRK_32BIT_ADMA_SIZE, + .quirks2 = SDHCI_QUIRK2_BROKEN_64_BIT_DMA, + .probe_slot = sdhci_acpi_emmc_amd_probe_slot, ++ .priv_size = sizeof(struct amd_sdhci_host), + }; + + struct sdhci_acpi_uid_slot { +-- +2.25.1 + diff --git a/queue-5.4/net-arc_emac-fix-memleak-in-arc_mdio_probe.patch b/queue-5.4/net-arc_emac-fix-memleak-in-arc_mdio_probe.patch new file mode 100644 index 00000000000..0b3ead4f83f --- /dev/null +++ b/queue-5.4/net-arc_emac-fix-memleak-in-arc_mdio_probe.patch 
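Review bot: `amd_host->dll_enabled` is set to `true` in amd_set_ios() and nothing in this patch clears it again, while `tuned_clock` is cleared only on entry to amd_sdhci_execute_tuning(). If the controller can be reset or lose its register state after tuning (not visible in these hunks), the cached flags would still claim the DLL and tuned clock are configured, and the HS400 branch would skip sdhci_acpi_amd_hs400_dll(). It is worth confirming whether the driver's reset path should do `amd_host->tuned_clock = false; amd_host->dll_enabled = false;`. As a smaller point of style, both branches in amd_set_ios() begin with the same `val = sdhci_readw(host, SDHCI_HOST_CONTROL2);` and end with the same write, so the read and the write can be hoisted around the `|=` / `&= ~` choice.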
@@ -0,0 +1,36 @@
+From b57f9cae576270e5e409af7c133840260cebddee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Aug 2020 16:56:47 +0800
+Subject: net: arc_emac: Fix memleak in arc_mdio_probe
+
+From: Dinghao Liu
+
+[ Upstream commit e2d79cd8875fa8c3cc7defa98a8cc99a1ed0c62f ]
+
+When devm_gpiod_get_optional() fails, bus should be
+freed just like when of_mdiobus_register() fails.
+
+Fixes: 1bddd96cba03d ("net: arc_emac: support the phy reset for emac driver")
+Signed-off-by: Dinghao Liu
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/arc/emac_mdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
+index 0187dbf3b87df..54cdafdd067db 100644
+--- a/drivers/net/ethernet/arc/emac_mdio.c
++++ b/drivers/net/ethernet/arc/emac_mdio.c
+@@ -153,6 +153,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
+ if (IS_ERR(data->reset_gpio)) {
+ error = PTR_ERR(data->reset_gpio);
+ dev_err(priv->dev, "Failed to request gpio: %d\n", error);
++ mdiobus_free(bus);
+ return error;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch b/queue-5.4/net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch
new file mode 100644
index 00000000000..e47215785f3
--- /dev/null
+++ b/queue-5.4/net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch
@@ -0,0 +1,38 @@
+From cdac2796825e99a9b4ff8e9c81363b0c19d2ebc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Aug 2020 17:15:47 +0800
+Subject: net: dsa: mt7530: fix advertising unsupported 1000baseT_Half
+
+From: Landen Chao
+
+[ Upstream commit f272285f6abb9178d029375599626baf3d5f4e8a ]
+
+Remove 1000baseT_Half to advertise correct hardware capability in
+phylink_validate() callback function.
+
+Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5")
+Signed-off-by: Landen Chao
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index dc9a3bb241149..00d680cb44418 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1456,7 +1456,7 @@ unsupported:
+ phylink_set(mask, 100baseT_Full);
+
+ if (state->interface != PHY_INTERFACE_MODE_MII) {
+- phylink_set(mask, 1000baseT_Half);
++ /* This switch only supports 1G full-duplex. */
+ phylink_set(mask, 1000baseT_Full);
+ if (port == 5)
+ phylink_set(mask, 1000baseX_Full);
+--
+2.25.1
+
diff --git a/queue-5.4/net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch b/queue-5.4/net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch
new file mode 100644
index 00000000000..b9ec4c8af65
--- /dev/null
+++ b/queue-5.4/net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch
@@ -0,0 +1,44 @@
+From e93d143f4f8ebe760b5fa97f41f02a6d0e5e6def Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Aug 2020 22:37:09 +0800
+Subject: net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
+
+From: Shung-Hsi Yu
+
+[ Upstream commit cbedcb044e9cc4e14bbe6658111224bb923094f4 ]
+
+On machines with much memory (> 2 TByte) and log_mtts_per_seg == 0, a
+max_order of 31 will be passed to mlx_buddy_init(), which results in
+s = BITS_TO_LONGS(1 << 31) becoming a negative value, leading to
+kvmalloc_array() failure when it is converted to size_t.
+
+ mlx4_core 0000:b1:00.0: Failed to initialize memory region table, aborting
+ mlx4_core: probe of 0000:b1:00.0 failed with error -12
+
+Fix this issue by changing the left shifting operand from a signed literal to
+an unsigned one.
+
+Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
+Signed-off-by: Shung-Hsi Yu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx4/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c
+index 1a11bc0e16123..cfa0bba3940fb 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
+@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order)
+ goto err_out;
+
+ for (i = 0; i <= buddy->max_order; ++i) {
+- s = BITS_TO_LONGS(1 << (buddy->max_order - i));
++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i));
+ buddy->bits[i] = kvmalloc_array(s, sizeof(long), GFP_KERNEL | __GFP_ZERO);
+ if (!buddy->bits[i])
+ goto err_out_free;
+--
+2.25.1
+
diff --git a/queue-5.4/net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch b/queue-5.4/net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch
new file mode 100644
index 00000000000..86dbcd75f85
--- /dev/null
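Review bot: `1UL << (buddy->max_order - i)` is still only defined while the shift count stays below the width of `unsigned long`, and nothing in the hunk bounds `max_order`, which arrives as a plain `int`. On a 32-bit build the value 31 named in the commit message is the last one that works. A guard near the top of mlx4_buddy_init(), for example `if (max_order < 0 || max_order >= BITS_PER_LONG) return -EINVAL;`, would make that limit explicit. The function begins outside the hunk, so an equivalent check may already exist there.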
+++ b/queue-5.4/net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch
@@ -0,0 +1,41 @@
+From 0679772e99dc3c99b023b090718c4b7d4449fc95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 11:10:52 -0400
+Subject: net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host
+ port
+
+From: Murali Karicheri
+
+[ Upstream commit 99d469fc64d06f0c81c0fe2a1c01645a67e0cbf0 ]
+
+To flush the vid + mc entries from ALE, which is required when a VLAN
+interface is removed, driver needs to call cpsw_ale_flush_multicast()
+with ALE_PORT_HOST for port mask as these entries are added only for
+host port. Without this, these entries remain in the ALE table even
+after removing the VLAN interface. cpsw_ale_flush_multicast() calls
+cpsw_ale_flush_mcast which expects a port mask to do the job.
+
+Fixes: 15180eca569b ("net: ethernet: ti: cpsw: fix vlan mcast")
+Signed-off-by: Murali Karicheri
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index 39df8c8feb6ce..e7b4d93e3f288 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -2209,7 +2209,7 @@ static int cpsw_ndo_vlan_rx_kill_vid(struct net_device *ndev,
+ HOST_PORT_NUM, ALE_VLAN, vid);
+ ret |= cpsw_ale_del_mcast(cpsw->ale, priv->ndev->broadcast,
+ 0, ALE_VLAN, vid);
+- ret |= cpsw_ale_flush_multicast(cpsw->ale, 0, vid);
++ ret |= cpsw_ale_flush_multicast(cpsw->ale, ALE_PORT_HOST, vid);
+ err:
+ pm_runtime_put(cpsw->dev);
+ return ret;
+--
+2.25.1
+
diff --git a/queue-5.4/net-gemini-fix-another-missing-clk_disable_unprepare.patch b/queue-5.4/net-gemini-fix-another-missing-clk_disable_unprepare.patch
new file mode 100644
index 00000000000..7b91167a90c
--- /dev/null
+++ b/queue-5.4/net-gemini-fix-another-missing-clk_disable_unprepare.patch
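Review bot: The changed call still folds its result in with `ret |= cpsw_ale_flush_multicast(...)`, as does the cpsw_ale_del_mcast() call above it. OR-ing negative errno values can produce a number that matches none of the individual errors, so the caller of cpsw_ndo_vlan_rx_kill_vid() may see a misleading code. Keeping the first failure instead, `rc = cpsw_ale_flush_multicast(cpsw->ale, ALE_PORT_HOST, vid); if (rc && !ret) ret = rc;`, preserves the best-effort cleanup while returning a real errno. The function starts outside the hunk.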
@@ -0,0 +1,84 @@ +From a0ab2be9e27134b07a4ad96cad663b8cebd572e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:56:31 +0300 +Subject: net: gemini: Fix another missing clk_disable_unprepare() in probe + +From: Dan Carpenter + +[ Upstream commit eb0f3bc463d59d86402f19c59aa44e82dc3fab6d ] + +We recently added some calls to clk_disable_unprepare() but we missed +the last error path if register_netdev() fails. + +I made a couple cleanups so we avoid mistakes like this in the future. +First I reversed the "if (!ret)" condition and pulled the code in one +indent level. Also, the "port->netdev = NULL;" is not required because +"port" isn't used again outside this function so I deleted that line. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 34 +++++++++++++-------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 28d4c54505f9a..c9fb1ec625d8b 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2445,8 +2445,8 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + port->reset = devm_reset_control_get_exclusive(dev, NULL); + if (IS_ERR(port->reset)) { + dev_err(dev, "no reset\n"); +- clk_disable_unprepare(port->pclk); +- return PTR_ERR(port->reset); ++ ret = PTR_ERR(port->reset); ++ goto unprepare; + } + reset_control_reset(port->reset); + usleep_range(100, 500); +@@ -2501,25 +2501,25 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + IRQF_SHARED, + port_names[port->id], + port); +- if (ret) { +- clk_disable_unprepare(port->pclk); +- return ret; +- } ++ if (ret) ++ goto unprepare; + + ret = register_netdev(netdev); +- if (!ret) { ++ if (ret) ++ goto unprepare; ++ ++ netdev_info(netdev, ++ 
"irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n", ++ port->irq, &dmares->start, ++ &gmacres->start); ++ ret = gmac_setup_phy(netdev); ++ if (ret) + netdev_info(netdev, +- "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n", +- port->irq, &dmares->start, +- &gmacres->start); +- ret = gmac_setup_phy(netdev); +- if (ret) +- netdev_info(netdev, +- "PHY init failed, deferring to ifup time\n"); +- return 0; +- } ++ "PHY init failed, deferring to ifup time\n"); ++ return 0; + +- port->netdev = NULL; ++unprepare: ++ clk_disable_unprepare(port->pclk); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.4/net-hns-fix-memleak-in-hns_nic_dev_probe.patch b/queue-5.4/net-hns-fix-memleak-in-hns_nic_dev_probe.patch new file mode 100644 index 00000000000..81df658c3ed --- /dev/null +++ b/queue-5.4/net-hns-fix-memleak-in-hns_nic_dev_probe.patch 
@@ -0,0 +1,50 @@
+From ba3e1cf7f4900e35ee46408d3caed760b8193a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 13:44:42 +0800
+Subject: net: hns: Fix memleak in hns_nic_dev_probe
+
+From: Dinghao Liu
+
+[ Upstream commit 100e3345c6e719d2291e1efd5de311cc24bb9c0b ]
+
+hns_nic_dev_probe allocates ndev, but not free it on
+two error handling paths, which may lead to memleak.
+
+Fixes: 63434888aaf1b ("net: hns: net: hns: enet adds support of acpi")
+Signed-off-by: Dinghao Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+index eb69e5c81a4d0..6d5d53cfc7ab4 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -2296,8 +2296,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
+ priv->enet_ver = AE_VERSION_1;
+ else if (acpi_dev_found(hns_enet_acpi_match[1].id))
+ priv->enet_ver = AE_VERSION_2;
+- else
+- return -ENXIO;
++ else {
++ ret = -ENXIO;
++ goto out_read_prop_fail;
++ }
+
+ /* try to find port-idx-in-ae first */
+ ret = acpi_node_get_property_reference(dev->fwnode,
+@@ -2313,7 +2315,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
+ priv->fwnode = args.fwnode;
+ } else {
+ dev_err(dev, "cannot read cfg data from OF or acpi\n");
+- return -ENXIO;
++ ret = -ENXIO;
++ goto out_read_prop_fail;
+ }
+
+ ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id);
+--
+2.25.1
+
diff --git a/queue-5.4/net-packet-fix-overflow-in-tpacket_rcv.patch b/queue-5.4/net-packet-fix-overflow-in-tpacket_rcv.patch
new file mode 100644
index 00000000000..11d7f8aa39c
--- /dev/null
+++ b/queue-5.4/net-packet-fix-overflow-in-tpacket_rcv.patch
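Review bot: The new `else { ret = -ENXIO; goto out_read_prop_fail; }` arm in the first hunk is braced while the `if` and `else if` arms above it are not. Kernel coding style asks for braces on every arm once one of them needs them, and checkpatch reports the mix; bracing the two `priv->enet_ver = ...` assignments as well keeps the chain uniform. Both hunks depend on `out_read_prop_fail` releasing ndev, and that label lies outside the visible lines.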
@@ -0,0 +1,59 @@
+From b97a2c6bc35ef6de875a24125dc4ae8e8e7b95eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Sep 2020 21:05:28 -0700
+Subject: net/packet: fix overflow in tpacket_rcv
+
+From: Or Cohen
+
+[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]
+
+Using tp_reserve to calculate netoff can overflow as
+tp_reserve is unsigned int and netoff is unsigned short.
+
+This may lead to macoff receving a smaller value then
+sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
+is set, an out-of-bounds write will occur when
+calling virtio_net_hdr_from_skb.
+
+The bug is fixed by converting netoff to unsigned int
+and checking if it exceeds USHRT_MAX.
+
+This addresses CVE-2020-14386
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Signed-off-by: Or Cohen
+Signed-off-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 7735340c892eb..fbc2d4dfddf0e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2169,7 +2169,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ int skb_len = skb->len;
+ unsigned int snaplen, res;
+ unsigned long status = TP_STATUS_USER;
+- unsigned short macoff, netoff, hdrlen;
++ unsigned short macoff, hdrlen;
++ unsigned int netoff;
+ struct sk_buff *copy_skb = NULL;
+ struct timespec ts;
+ __u32 ts_status;
+@@ -2238,6 +2239,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ }
+ macoff = netoff - maclen;
+ }
++ if (netoff > USHRT_MAX) {
++ atomic_inc(&po->tp_drops);
++ goto drop_n_restore;
++ }
+ if (po->tp_version <= TPACKET_V2) {
+ if (macoff + snaplen > po->rx_ring.frame_size) {
+ if (po->copy_thresh &&
+--
+2.25.1
+
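Review bot: The added `netoff > USHRT_MAX` guard in the second hunk runs only after `macoff = netoff - maclen;` has already narrowed the value into the `unsigned short` macoff, so the code is safe only because nothing reads macoff between that assignment and the guard. That ordering is not recorded anywhere in the code. A comment on the guard, such as `/* netoff includes user-set tp_reserve; must be rejected before the truncated macoff is used */`, would stop a later reordering from reopening the out-of-bounds write described in the commit message. tpacket_rcv() starts and ends outside both hunks, so where netoff is first computed cannot be seen here; placing the check directly after that computation would be the more robust position.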
diff --git a/queue-5.4/net-systemport-fix-memleak-in-bcm_sysport_probe.patch b/queue-5.4/net-systemport-fix-memleak-in-bcm_sysport_probe.patch
new file mode 100644
index 00000000000..f11353f415d
--- /dev/null
+++ b/queue-5.4/net-systemport-fix-memleak-in-bcm_sysport_probe.patch
@@ -0,0 +1,40 @@
+From 52882eeb348febb8bde62f75589f3959772d6606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 13:58:31 +0800
+Subject: net: systemport: Fix memleak in bcm_sysport_probe
+
+From: Dinghao Liu
+
+[ Upstream commit 7ef1fc57301f3cef7201497aa27e89ccb91737fe ]
+
+When devm_kcalloc() fails, dev should be freed just
+like what we've done in the subsequent error paths.
+
+Fixes: 7b78be48a8eb6 ("net: systemport: Dynamically allocate number of TX rings")
+Signed-off-by: Dinghao Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 4dfdb5a58025b..71eb8914e620b 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2453,8 +2453,10 @@ static int bcm_sysport_probe(struct platform_device *pdev)
+ priv->tx_rings = devm_kcalloc(&pdev->dev, txq,
+ sizeof(struct bcm_sysport_tx_ring),
+ GFP_KERNEL);
+- if (!priv->tx_rings)
+- return -ENOMEM;
++ if (!priv->tx_rings) {
++ ret = -ENOMEM;
++ goto err_free_netdev;
++ }
+
+ priv->is_lite = params->is_lite;
+ priv->num_rx_desc_words = params->num_rx_desc_words;
+--
+2.25.1
+
diff --git a/queue-5.4/netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch b/queue-5.4/netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch
new file mode 100644
index 00000000000..723668a47e0
--- /dev/null
+++ b/queue-5.4/netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch
@@ -0,0 +1,36 @@
+From d8a1bd6436e1adb424b3061363d3e774b93c103b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 14:12:54 +0200
+Subject: netfilter: nf_tables: add NFTA_SET_USERDATA if not null
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 6f03bf43ee05b31d3822def2a80f11b3591c55b3 ]
+
+Kernel sends an empty NFTA_SET_USERDATA attribute with no value if
+userspace adds a set with no NFTA_SET_USERDATA attribute.
+
+Fixes: e6d8ecac9e68 ("netfilter: nf_tables: Add new attributes into nft_set to store user data.")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f7129232c8250..c1920adb27e62 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3353,7 +3353,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
+ goto nla_put_failure;
+ }
+
+- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
++ if (set->udata &&
++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
+ goto nla_put_failure;
+
+ desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
+--
+2.25.1
+
diff --git a/queue-5.4/netfilter-nf_tables-fix-destination-register-zeroing.patch b/queue-5.4/netfilter-nf_tables-fix-destination-register-zeroing.patch
new file mode 100644
index 00000000000..e1caa5f4cc9
--- /dev/null
+++ b/queue-5.4/netfilter-nf_tables-fix-destination-register-zeroing.patch
@@ -0,0 +1,82 @@
+From 9fc46b2631524ed98a709359e3fd31762530b39c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 21:05:50 +0200
+Subject: netfilter: nf_tables: fix destination register zeroing
+
+From: Florian Westphal
+
+[ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ]
+
+Following bug was reported via irc:
+nft list ruleset
+ set knock_candidates_ipv4 {
+ type ipv4_addr . inet_service
+ size 65535
+ elements = { 127.0.0.1 . 123,
+ 127.0.0.1 . 123 }
+ }
+ ..
+ udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
+ udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
+
+It should not have been possible to add a duplicate set entry.
+
+After some debugging it turned out that the problem is the immediate
+value (123) in the second-to-last rule.
+
+Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
+not 6 and it turns out the kernel inserted
+
+inet firewall @knock_candidates_ipv4
+ element 0100007f ffff7b00 : 0 [end]
+ element 0100007f 00007b00 : 0 [end]
+
+Note the non-zero upper bits of the first element. It turns out that
+nft_immediate doesn't zero the destination register, but this is needed
+when the length isn't a multiple of 4.
+
+Furthermore, the zeroing in nft_payload is broken. We can't use
+[len / 4] = 0 -- if len is a multiple of 4, index is off by one.
+
+Skip zeroing in this case and use a conditional instead of (len -1) / 4.
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nft_payload.c | 4 +++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 2d0275f13bbfd..bc2c73f549622 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(u32 *sreg)
+ static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
+ unsigned int len)
+ {
++ if (len % NFT_REG32_SIZE)
++ dst[len / NFT_REG32_SIZE] = 0;
+ memcpy(dst, src, len);
+ }
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 0e3bfbc26e790..62dc728bf93c9 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -79,7 +79,9 @@ void nft_payload_eval(const struct nft_expr *expr,
+ u32 *dest = ®s->data[priv->dreg];
+ int offset;
+
+- dest[priv->len / NFT_REG32_SIZE] = 0;
++ if (priv->len % NFT_REG32_SIZE)
++ dest[priv->len / NFT_REG32_SIZE] = 0;
++
+ switch (priv->base) {
+ case NFT_PAYLOAD_LL_HEADER:
+ if (!skb_mac_header_was_set(skb))
+--
+2.25.1
+
diff --git a/queue-5.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch b/queue-5.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch
new file mode 100644
index 00000000000..673024197e8
--- /dev/null
+++ b/queue-5.4/netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch
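Review bot: The same two-line tail-zeroing idiom now exists in nft_data_copy() and in nft_payload_eval(), and neither copy says why the store is there. A short comment above each, for example `/* clear the last, partially written 32-bit register so stale bytes never reach a comparison or set key */`, would keep a later cleanup from removing it. One shared helper that every register-writing expression calls would be more robust still. Whether other expressions write lengths that are not a multiple of NFT_REG32_SIZE cannot be seen from these hunks, and nft_payload_eval() continues outside its hunk.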
@@ -0,0 +1,35 @@
+From 5ea27e2ec0bbbb4f7cebf01feeb4dabda049c785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 14:12:55 +0200
+Subject: netfilter: nf_tables: incorrect enum nft_list_attributes definition
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit da9125df854ea48a6240c66e8a67be06e2c12c03 ]
+
+This should be NFTA_LIST_UNSPEC instead of NFTA_LIST_UNPEC, all other
+similar attribute definitions are postfixed with _UNSPEC.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/netfilter/nf_tables.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
+index ed8881ad18edd..0a995403172cc 100644
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -132,7 +132,7 @@ enum nf_tables_msg_types {
+ * @NFTA_LIST_ELEM: list element (NLA_NESTED)
+ */
+ enum nft_list_attributes {
+- NFTA_LIST_UNPEC,
++ NFTA_LIST_UNSPEC,
+ NFTA_LIST_ELEM,
+ __NFTA_LIST_MAX
+ };
+--
+2.25.1
+
diff --git a/queue-5.4/netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch b/queue-5.4/netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch
new file mode 100644
index 00000000000..9636d1c1207
--- /dev/null
+++ b/queue-5.4/netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch
@@ -0,0 +1,238 @@ +From f02b52e37da916dac84f3a08d78e69a1baabbbb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 13:55:36 +0200 +Subject: netfilter: nfnetlink: nfnetlink_unicast() reports EAGAIN instead of + ENOBUFS + +From: Pablo Neira Ayuso + +[ Upstream commit ee921183557af39c1a0475f982d43b0fcac25e2e ] + +Frontend callback reports EAGAIN to nfnetlink to retry a command, this +is used to signal that module autoloading is required. Unfortunately, +nlmsg_unicast() reports EAGAIN in case the receiver socket buffer gets +full, so it enters a busy-loop. + +This patch updates nfnetlink_unicast() to turn EAGAIN into ENOBUFS and +to use nlmsg_unicast(). Remove the flags field in nfnetlink_unicast() +since this is always MSG_DONTWAIT in the existing code which is exactly +what nlmsg_unicast() passes to netlink_unicast() as parameter. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Reported-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/nfnetlink.h | 3 +- + net/netfilter/nf_tables_api.c | 61 ++++++++++++++--------------- + net/netfilter/nfnetlink.c | 11 ++++-- + net/netfilter/nfnetlink_log.c | 3 +- + net/netfilter/nfnetlink_queue.c | 2 +- + 5 files changed, 40 insertions(+), 40 deletions(-) + +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 851425c3178f1..89016d08f6a27 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group); + int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid, + unsigned int group, int echo, gfp_t flags); + int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error); +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, +- int flags); ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid); + + static inline u16 nfnl_msg_type(u8 subsys, u8 
msg_type) + { +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c1920adb27e62..2023650c27249 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -744,11 +744,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, + family, table); + if (err < 0) +- goto err; ++ goto err_fill_table_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_table_info: + kfree_skb(skb2); + return err; + } +@@ -1443,11 +1443,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, + family, table, chain); + if (err < 0) +- goto err; ++ goto err_fill_chain_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_chain_info: + kfree_skb(skb2); + return err; + } +@@ -2622,11 +2622,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, + family, table, chain, rule, NULL); + if (err < 0) +- goto err; ++ goto err_fill_rule_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_rule_info: + kfree_skb(skb2); + return err; + } +@@ -3526,11 +3526,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk, + + err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); + if (err < 0) +- goto err; ++ goto err_fill_set_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_set_info: + kfree_skb(skb2); + return err; + } +@@ -4305,24 +4305,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, + err = -ENOMEM; + skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); + if 
(skb == NULL) +- goto err1; ++ return err; + + err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, + NFT_MSG_NEWSETELEM, 0, set, &elem); + if (err < 0) +- goto err2; ++ goto err_fill_setelem; + +- err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); +- /* This avoids a loop in nfnetlink. */ +- if (err < 0) +- goto err1; ++ return nfnetlink_unicast(skb, ctx->net, ctx->portid); + +- return 0; +-err2: ++err_fill_setelem: + kfree_skb(skb); +-err1: +- /* this avoids a loop in nfnetlink. */ +- return err == -EAGAIN ? -ENOBUFS : err; ++ return err; + } + + /* called with rcu_read_lock held */ +@@ -5499,10 +5493,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, + family, table, obj, reset); + if (err < 0) +- goto err; ++ goto err_fill_obj_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_obj_info: + kfree_skb(skb2); + return err; + } +@@ -6174,10 +6169,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, + NFT_MSG_NEWFLOWTABLE, 0, family, + flowtable); + if (err < 0) +- goto err; ++ goto err_fill_flowtable_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_flowtable_info: + kfree_skb(skb2); + return err; + } +@@ -6338,10 +6334,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk, + err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, + nlh->nlmsg_seq); + if (err < 0) +- goto err; ++ goto err_fill_gen_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_gen_info: + kfree_skb(skb2); + return err; + } +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 99127e2d95a84..6d03b09096210 100644 +--- 
a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -148,10 +148,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error) + } + EXPORT_SYMBOL_GPL(nfnetlink_set_err); + +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, +- int flags) ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid) + { +- return netlink_unicast(net->nfnl, skb, portid, flags); ++ int err; ++ ++ err = nlmsg_unicast(net->nfnl, skb, portid); ++ if (err == -EAGAIN) ++ err = -ENOBUFS; ++ ++ return err; + } + EXPORT_SYMBOL_GPL(nfnetlink_unicast); + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 0ba020ca38e68..7ca2ca4bba055 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst) + goto out; + } + } +- nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, +- MSG_DONTWAIT); ++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid); + out: + inst->qlen = 0; + inst->skb = NULL; +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index feabdfb22920b..6f0a2bad8ad5e 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue, + *packet_id_ptr = htonl(entry->id); + + /* nfnetlink_unicast will either free the nskb or add it to a socket */ +- err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT); ++ err = nfnetlink_unicast(nskb, net, queue->peer_portid); + if (err < 0) { + if (queue->flags & NFQA_CFG_F_FAIL_OPEN) { + failopen = 1; +-- +2.25.1 + diff --git a/queue-5.4/nvme-fix-controller-instance-leak.patch b/queue-5.4/nvme-fix-controller-instance-leak.patch new file mode 100644 index 00000000000..3c583827a04 --- /dev/null +++ b/queue-5.4/nvme-fix-controller-instance-leak.patch 
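Review bot: nfnetlink_unicast() in nfnetlink.c now rewrites -EAGAIN to -ENOBUFS without a comment, while the nft_get_set_elem() hunk deletes the only explanation the old code carried ("This avoids a loop in nfnetlink."). A comment above `if (err == -EAGAIN)`, such as `/* -EAGAIN tells nfnetlink to replay the request after module autoload; a full receive buffer must not look like that */`, keeps the reason next to the code that depends on it. Separately, __nfulnl_send() in nfnetlink_log.c still discards the return value of `nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid);`. If dropping the batch on a full socket is intended, a one-line comment saying so would help; that function begins outside its hunk.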
@@ -0,0 +1,40 @@
+From bc1cb94594f3dcb748ac92db3e686526759a58e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Aug 2020 10:53:04 -0700
+Subject: nvme: fix controller instance leak
+
+From: Keith Busch
+
+[ Upstream commit 192f6c29bb28bfd0a17e6ad331d09f1ec84143d0 ]
+
+If the driver has to unbind from the controller for an early failure
+before the subsystem has been set up, there won't be a subsystem holding
+the controller's instance, so the controller needs to free its own
+instance in this case.
+
+Fixes: 733e4b69d508d ("nvme: Assign subsys instance from first ctrl")
+Signed-off-by: Keith Busch
+Reviewed-by: Chaitanya Kulkarni
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index ff5681da8780d..3cb017fa3a790 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -4012,7 +4012,7 @@ static void nvme_free_ctrl(struct device *dev)
+ container_of(dev, struct nvme_ctrl, ctrl_device);
+ struct nvme_subsystem *subsys = ctrl->subsys;
+
+- if (subsys && ctrl->instance != subsys->instance)
++ if (!subsys || ctrl->instance != subsys->instance)
+ ida_simple_remove(&nvme_instance_ida, ctrl->instance);
+
+ kfree(ctrl->effects);
+--
+2.25.1
+
diff --git a/queue-5.4/nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch b/queue-5.4/nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch
new file mode 100644
index 00000000000..f026efa8241
--- /dev/null
+++ b/queue-5.4/nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch
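Review bot: The condition `!subsys || ctrl->instance != subsys->instance` encodes an ownership rule that is explained only in the commit message. A comment above it, for example `/* the subsystem holds the instance id once it shares it; otherwise the controller releases its own */`, would record why a NULL subsys has to take the release path and not skip it. nvme_free_ctrl() starts and ends outside the hunk.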
@@ -0,0 +1,44 @@
+From 5302a49daa582615da14dbfeaa8712c44639c9b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Aug 2020 09:58:19 +0200
+Subject: nvmet-fc: Fix a missed _irqsave version of spin_lock in
+ 'nvmet_fc_fod_op_done()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 70e37988db94aba607d5491a94f80ba08e399b6b ]
+
+The way 'spin_lock()' and 'spin_lock_irqsave()' are used is not consistent
+in this function.
+
+Use 'spin_lock_irqsave()' also here, as there is no guarantee that
+interruptions are disabled at that point, according to surrounding code.
+
+Fixes: a97ec51b37ef ("nvmet_fc: Rework target side abort handling")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/fc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
+index ce8d819f86ccc..fc35f7ae67b0a 100644
+--- a/drivers/nvme/target/fc.c
++++ b/drivers/nvme/target/fc.c
+@@ -1994,9 +1994,9 @@ nvmet_fc_fod_op_done(struct nvmet_fc_fcp_iod *fod)
+ return;
+ if (fcpreq->fcp_error ||
+ fcpreq->transferred_length != fcpreq->transfer_length) {
+- spin_lock(&fod->flock);
++ spin_lock_irqsave(&fod->flock, flags);
+ fod->abort = true;
+- spin_unlock(&fod->flock);
++ spin_unlock_irqrestore(&fod->flock, flags);
+
+ nvmet_req_complete(&fod->req, NVME_SC_INTERNAL);
+ return;
+--
+2.25.1
+
diff --git a/queue-5.4/perf-jevents-fix-suspicious-code-in-fixregex.patch b/queue-5.4/perf-jevents-fix-suspicious-code-in-fixregex.patch
new file mode 100644
index 00000000000..856d4222f8e
--- /dev/null
+++ b/queue-5.4/perf-jevents-fix-suspicious-code-in-fixregex.patch
@@ -0,0 +1,47 @@
+From 4a127ea83732dc7b71f9b792c0bf6e8710e9a5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 00:25:10 +0900
+Subject: perf jevents: Fix suspicious code in fixregex()
+
+From: Namhyung Kim
+
+[ Upstream commit e62458e3940eb3dfb009481850e140fbee183b04 ]
+
+The new string should have enough space for the original string and the
+back slashes IMHO.
+
+Fixes: fbc2844e84038ce3 ("perf vendor events: Use more flexible pattern matching for CPU identification for mapfile.csv")
+Signed-off-by: Namhyung Kim
+Reviewed-by: Ian Rogers
+Cc: Alexander Shishkin
+Cc: Andi Kleen
+Cc: Jiri Olsa
+Cc: John Garry
+Cc: Kajol Jain
+Cc: Mark Rutland
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: William Cohen
+Link: http://lore.kernel.org/lkml/20200903152510.489233-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/pmu-events/jevents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
+index 99e3fd04a5cb3..d36ae65ae3330 100644
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -137,7 +137,7 @@ static char *fixregex(char *s)
+ return s;
+
+ /* allocate space for a new string */
+- fixed = (char *) malloc(len + 1);
++ fixed = (char *) malloc(len + esc_count + 1);
+ if (!fixed)
+ return NULL;
+
+--
+2.25.1
+
diff --git a/queue-5.4/perf-tools-correct-snoopx-field-offset.patch b/queue-5.4/perf-tools-correct-snoopx-field-offset.patch
new file mode 100644
index 00000000000..60536293b99
--- /dev/null
+++ b/queue-5.4/perf-tools-correct-snoopx-field-offset.patch
@@ -0,0 +1,51 @@
+From 2eca1c72c6d0669fce63ec067fdce44d01f9bdf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Sep 2020 12:10:14 -0300
+Subject: perf tools: Correct SNOOPX field offset
+
+From: Al Grant
+
+[ Upstream commit 39c0a53b114d0317e5c4e76b631f41d133af5cb0 ]
+
+perf_event.h has macros that define the field offsets in the data_src
+bitmask in perf records. The SNOOPX and REMOTE offsets were both 37.
+
+These are distinct fields, and the bitfield layout in perf_mem_data_src
+confirms that SNOOPX should be at offset 38.
+
+Committer notes:
+
+This was extracted from a larger patch that also contained kernel
+changes.
+
+Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings")
+Signed-off-by: Al Grant
+Reviewed-by: Andi Kleen
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/9974f2d0-bf7f-518e-d9f7-4520e5ff1bb0@foss.arm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/include/uapi/linux/perf_event.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/uapi/linux/perf_event.h b/tools/include/uapi/linux/perf_event.h
+index bb7b271397a66..fabe5aeaa351a 100644
+--- a/tools/include/uapi/linux/perf_event.h
++++ b/tools/include/uapi/linux/perf_event.h
+@@ -1131,7 +1131,7 @@ union perf_mem_data_src {
+
+ #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
+ /* 1 free */
+-#define PERF_MEM_SNOOPX_SHIFT 37
++#define PERF_MEM_SNOOPX_SHIFT 38
+
+ /* locked instruction */
+ #define PERF_MEM_LOCK_NA 0x01 /* not available */
+--
+2.25.1
+
diff --git a/queue-5.4/ravb-fixed-to-be-able-to-unload-modules.patch b/queue-5.4/ravb-fixed-to-be-able-to-unload-modules.patch
new file mode 100644
index 00000000000..9013c569df5
--- /dev/null
+++ b/queue-5.4/ravb-fixed-to-be-able-to-unload-modules.patch
@@ -0,0 +1,208 @@ +From 0995dcfb52720a3df87aae91f914947f3e57605f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:43:07 +0900 +Subject: ravb: Fixed to be able to unload modules + +From: Yuusuke Ashizuka + +[ Upstream commit 1838d6c62f57836639bd3d83e7855e0ee4f6defc ] + +When this driver is built as a module, I cannot rmmod it after insmoding +it. +This is because that this driver calls ravb_mdio_init() at the time of +probe, and module->refcnt is incremented by alloc_mdio_bitbang() called +after that. +Therefore, even if ifup is not performed, the driver is in use and rmmod +cannot be performed. + +$ lsmod +Module Size Used by +ravb 40960 1 +$ rmmod ravb +rmmod: ERROR: Module ravb is in use + +Call ravb_mdio_init() at open and free_mdio_bitbang() at close, thereby +rmmod is possible in the ifdown state. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yuusuke Ashizuka +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 110 +++++++++++------------ + 1 file changed, 55 insertions(+), 55 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 30cdabf64ccc1..907ae1359a7c1 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1336,6 +1336,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler, + return error; + } + ++/* MDIO bus init function */ ++static int ravb_mdio_init(struct ravb_private *priv) ++{ ++ struct platform_device *pdev = priv->pdev; ++ struct device *dev = &pdev->dev; ++ int error; ++ ++ /* Bitbang init */ ++ priv->mdiobb.ops = &bb_ops; ++ ++ /* MII controller setting */ ++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); ++ if (!priv->mii_bus) ++ return -ENOMEM; ++ ++ /* Hook up MII support for ethtool */ ++ priv->mii_bus->name = "ravb_mii"; ++ priv->mii_bus->parent = dev; ++ 
snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", ++ pdev->name, pdev->id); ++ ++ /* Register MDIO bus */ ++ error = of_mdiobus_register(priv->mii_bus, dev->of_node); ++ if (error) ++ goto out_free_bus; ++ ++ return 0; ++ ++out_free_bus: ++ free_mdio_bitbang(priv->mii_bus); ++ return error; ++} ++ ++/* MDIO bus release function */ ++static int ravb_mdio_release(struct ravb_private *priv) ++{ ++ /* Unregister mdio bus */ ++ mdiobus_unregister(priv->mii_bus); ++ ++ /* Free bitbang info */ ++ free_mdio_bitbang(priv->mii_bus); ++ ++ return 0; ++} ++ + /* Network device open function for Ethernet AVB */ + static int ravb_open(struct net_device *ndev) + { +@@ -1344,6 +1389,13 @@ static int ravb_open(struct net_device *ndev) + struct device *dev = &pdev->dev; + int error; + ++ /* MDIO bus init */ ++ error = ravb_mdio_init(priv); ++ if (error) { ++ netdev_err(ndev, "failed to initialize MDIO\n"); ++ return error; ++ } ++ + napi_enable(&priv->napi[RAVB_BE]); + napi_enable(&priv->napi[RAVB_NC]); + +@@ -1421,6 +1473,7 @@ out_free_irq: + out_napi_off: + napi_disable(&priv->napi[RAVB_NC]); + napi_disable(&priv->napi[RAVB_BE]); ++ ravb_mdio_release(priv); + return error; + } + +@@ -1730,6 +1783,8 @@ static int ravb_close(struct net_device *ndev) + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + ++ ravb_mdio_release(priv); ++ + return 0; + } + +@@ -1881,51 +1936,6 @@ static const struct net_device_ops ravb_netdev_ops = { + .ndo_set_features = ravb_set_features, + }; + +-/* MDIO bus init function */ +-static int ravb_mdio_init(struct ravb_private *priv) +-{ +- struct platform_device *pdev = priv->pdev; +- struct device *dev = &pdev->dev; +- int error; +- +- /* Bitbang init */ +- priv->mdiobb.ops = &bb_ops; +- +- /* MII controller setting */ +- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); +- if (!priv->mii_bus) +- return -ENOMEM; +- +- /* Hook up MII support for ethtool */ +- priv->mii_bus->name = "ravb_mii"; +- priv->mii_bus->parent = dev; +- 
snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", +- pdev->name, pdev->id); +- +- /* Register MDIO bus */ +- error = of_mdiobus_register(priv->mii_bus, dev->of_node); +- if (error) +- goto out_free_bus; +- +- return 0; +- +-out_free_bus: +- free_mdio_bitbang(priv->mii_bus); +- return error; +-} +- +-/* MDIO bus release function */ +-static int ravb_mdio_release(struct ravb_private *priv) +-{ +- /* Unregister mdio bus */ +- mdiobus_unregister(priv->mii_bus); +- +- /* Free bitbang info */ +- free_mdio_bitbang(priv->mii_bus); +- +- return 0; +-} +- + static const struct of_device_id ravb_match_table[] = { + { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 }, + { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 }, +@@ -2166,13 +2176,6 @@ static int ravb_probe(struct platform_device *pdev) + eth_hw_addr_random(ndev); + } + +- /* MDIO bus init */ +- error = ravb_mdio_init(priv); +- if (error) { +- dev_err(&pdev->dev, "failed to initialize MDIO\n"); +- goto out_dma_free; +- } +- + netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64); + netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64); + +@@ -2194,8 +2197,6 @@ static int ravb_probe(struct platform_device *pdev) + out_napi_del: + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); +-out_dma_free: + dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, + priv->desc_bat_dma); + +@@ -2227,7 +2228,6 @@ static int ravb_remove(struct platform_device *pdev) + unregister_netdev(ndev); + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); + pm_runtime_disable(&pdev->dev); + free_netdev(ndev); + platform_set_drvdata(pdev, NULL); +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch b/queue-5.4/rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch new file mode 100644 index 00000000000..baed2baef0f 
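Review bot: `ravb_mdio_release()` now runs on every `ravb_close()` and on the `ravb_open()` error path, but it leaves `priv->mii_bus` pointing at the bus that `free_mdio_bitbang()` has just freed. While the interface is down, any path that still reads `priv->mii_bus` would touch freed memory; no such caller is visible in this patch, so treat this as hardening rather than a demonstrated bug. Adding `priv->mii_bus = NULL;` after the `free_mdio_bitbang(priv->mii_bus);` call makes a stale use fail loudly instead of silently. The bodies of `ravb_open()` and `ravb_close()` continue outside the inner hunks.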
--- /dev/null
+++ b/queue-5.4/rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch
@@ -0,0 +1,99 @@ +From 4ac45d73bcbde02547c06301cf915d48d6511bc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:12:33 +0100 +Subject: rxrpc: Keep the ACK serial in a var in rxrpc_input_ack() + +From: David Howells + +[ Upstream commit 68528d937dcd675e79973061c1a314db598162d1 ] + +Keep the ACK serial number in a variable in rxrpc_input_ack() as it's used +frequently. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 22dec6049e1bb..6cace43b217ee 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -844,7 +844,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + struct rxrpc_ackinfo info; + u8 acks[RXRPC_MAXACKS]; + } buf; +- rxrpc_serial_t acked_serial; ++ rxrpc_serial_t ack_serial, acked_serial; + rxrpc_seq_t first_soft_ack, hard_ack, prev_pkt; + int nr_acks, offset, ioffset; + +@@ -857,6 +857,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + } + offset += sizeof(buf.ack); + ++ ack_serial = sp->hdr.serial; + acked_serial = ntohl(buf.ack.serial); + first_soft_ack = ntohl(buf.ack.firstPacket); + prev_pkt = ntohl(buf.ack.previousPacket); +@@ -865,31 +866,31 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + summary.ack_reason = (buf.ack.reason < RXRPC_ACK__INVALID ? 
+ buf.ack.reason : RXRPC_ACK__INVALID); + +- trace_rxrpc_rx_ack(call, sp->hdr.serial, acked_serial, ++ trace_rxrpc_rx_ack(call, ack_serial, acked_serial, + first_soft_ack, prev_pkt, + summary.ack_reason, nr_acks); + + if (buf.ack.reason == RXRPC_ACK_PING_RESPONSE) + rxrpc_input_ping_response(call, skb->tstamp, acked_serial, +- sp->hdr.serial); ++ ack_serial); + if (buf.ack.reason == RXRPC_ACK_REQUESTED) + rxrpc_input_requested_ack(call, skb->tstamp, acked_serial, +- sp->hdr.serial); ++ ack_serial); + + if (buf.ack.reason == RXRPC_ACK_PING) { +- _proto("Rx ACK %%%u PING Request", sp->hdr.serial); ++ _proto("Rx ACK %%%u PING Request", ack_serial); + rxrpc_propose_ACK(call, RXRPC_ACK_PING_RESPONSE, +- sp->hdr.serial, true, true, ++ ack_serial, true, true, + rxrpc_propose_ack_respond_to_ping); + } else if (sp->hdr.flags & RXRPC_REQUEST_ACK) { + rxrpc_propose_ACK(call, RXRPC_ACK_REQUESTED, +- sp->hdr.serial, true, true, ++ ack_serial, true, true, + rxrpc_propose_ack_respond_to_ack); + } + + /* Discard any out-of-order or duplicate ACKs (outside lock). */ + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) { +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial, ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial, + first_soft_ack, call->ackr_first_seq, + prev_pkt, call->ackr_prev_seq); + return; +@@ -905,7 +906,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + + /* Discard any out-of-order or duplicate ACKs (inside lock). 
*/ + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) { +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial, ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial, + first_soft_ack, call->ackr_first_seq, + prev_pkt, call->ackr_prev_seq); + goto out; +@@ -965,7 +966,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + RXRPC_TX_ANNO_LAST && + summary.nr_acks == call->tx_top - hard_ack && + rxrpc_is_client_call(call)) +- rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial, ++ rxrpc_propose_ACK(call, RXRPC_ACK_PING, ack_serial, + false, true, + rxrpc_propose_ack_ping_for_lost_reply); + +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch b/queue-5.4/rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch new file mode 100644 index 00000000000..b8de2ac3674 --- /dev/null +++ b/queue-5.4/rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch 
@@ -0,0 +1,98 @@ +From 0b647ba3c11fbf8f44fcb34b7e4a11e0d7d16660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 15:13:00 +0100 +Subject: rxrpc: Make rxrpc_kernel_get_srtt() indicate validity + +From: David Howells + +[ Upstream commit 1d4adfaf65746203861c72d9d78de349eb97d528 ] + +Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned +smoothed RTT. If we haven't had any valid samples yet, the SRTT isn't +useful. + +Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/fs_probe.c | 4 ++-- + fs/afs/vl_probe.c | 4 ++-- + include/net/af_rxrpc.h | 2 +- + net/rxrpc/peer_object.c | 16 +++++++++++++--- + 4 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c +index 02e976ca5732f..51ee3dd79700f 100644 +--- a/fs/afs/fs_probe.c ++++ b/fs/afs/fs_probe.c +@@ -92,8 +92,8 @@ responded: + } + } + +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall); +- if (rtt_us < server->probe.rtt) { ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && ++ rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + alist->preferred = index; + have_result = true; +diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c +index e3aa013c21779..081b7e5b13f58 100644 +--- a/fs/afs/vl_probe.c ++++ b/fs/afs/vl_probe.c +@@ -92,8 +92,8 @@ responded: + } + } + +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall); +- if (rtt_us < server->probe.rtt) { ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && ++ rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + alist->preferred = index; + have_result = true; +diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h +index ab988940bf045..55b980b21f4b4 100644 +--- a/include/net/af_rxrpc.h ++++ b/include/net/af_rxrpc.h +@@ -59,7 +59,7 @@ bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *, + void 
rxrpc_kernel_end_call(struct socket *, struct rxrpc_call *); + void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *, + struct sockaddr_rxrpc *); +-u32 rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *); ++bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *); + int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t, + rxrpc_user_attach_call_t, unsigned long, gfp_t, + unsigned int); +diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c +index efce27802a74f..e011594adcd13 100644 +--- a/net/rxrpc/peer_object.c ++++ b/net/rxrpc/peer_object.c +@@ -500,11 +500,21 @@ EXPORT_SYMBOL(rxrpc_kernel_get_peer); + * rxrpc_kernel_get_srtt - Get a call's peer smoothed RTT + * @sock: The socket on which the call is in progress. + * @call: The call to query ++ * @_srtt: Where to store the SRTT value. + * +- * Get the call's peer smoothed RTT. ++ * Get the call's peer smoothed RTT in uS. + */ +-u32 rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call) ++bool rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call, ++ u32 *_srtt) + { +- return call->peer->srtt_us >> 3; ++ struct rxrpc_peer *peer = call->peer; ++ ++ if (peer->rtt_count == 0) { ++ *_srtt = 1000000; /* 1S */ ++ return false; ++ } ++ ++ *_srtt = call->peer->srtt_us >> 3; ++ return true; + } + EXPORT_SYMBOL(rxrpc_kernel_get_srtt); +-- +2.25.1 + diff --git a/queue-5.4/selftests-bpf-fix-massive-output-from-test_maps.patch b/queue-5.4/selftests-bpf-fix-massive-output-from-test_maps.patch new file mode 100644 index 00000000000..07b346acd76 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-massive-output-from-test_maps.patch 
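Review bot: In the new `rxrpc_kernel_get_srtt()` the local `peer` is introduced for the `rtt_count` test, but the store still goes back through `call->peer`; `*_srtt = peer->srtt_us >> 3;` would read the pointer once and match the line above it. The kernel-doc block gained `@_srtt` but does not describe the new boolean result or the 1 s placeholder written on failure. A line such as `Return: true if at least one RTT sample has been taken; otherwise false, with *_srtt set to 1000000 (1 s).` would tell callers that the output is always initialised. The two AFS callers changed in the same patch already test the return value before using `rtt_us`.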
@@ -0,0 +1,42 @@
+From 826dc3bde7bfe8b89b9490289e70ff74d8dcc47e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Aug 2020 10:17:36 +0200
+Subject: selftests/bpf: Fix massive output from test_maps
+
+From: Jesper Dangaard Brouer
+
+[ Upstream commit fa4505675e093e895b7ec49a76d44f6b5ad9602e ]
+
+When stdout output from the selftests tool 'test_maps' gets redirected
+into e.g file or pipe, then the output lines increase a lot (from 21
+to 33949 lines). This is caused by the printf that happens before the
+fork() call, and there are user-space buffered printf data that seems
+to be duplicated into the forked process.
+
+To fix this fflush() stdout before the fork loop in __run_parallel().
+
+Fixes: 1a97cf1fe503 ("selftests/bpf: speedup test_maps")
+Signed-off-by: Jesper Dangaard Brouer
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/159842985651.1050885.2154399297503372406.stgit@firesoul
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/test_maps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index c812f0178b643..1c4219ceced2f 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -1282,6 +1282,8 @@ static void __run_parallel(unsigned int tasks,
+ pid_t pid[tasks];
+ int i;
+
++ fflush(stdout);
++
+ for (i = 0; i < tasks; i++) {
+ pid[i] = fork();
+ if (pid[i] == 0) {
+--
+2.25.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 98e2dc8a3cb..e11341e1189 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
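Review bot: The added `fflush(stdout);` in `__run_parallel()` carries no comment, and without the commit message the call looks arbitrary. A one-line why-comment such as `/* flush so buffered output is not duplicated into every forked child */` would keep it from being removed in a later cleanup. The function body continues outside the hunk.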
@@ -19,3 +19,57 @@ drm-amd-display-retry-aux-write-when-fail-occurs.patch drm-amd-display-fix-memleak-in-amdgpu_dm_mode_config.patch xen-xenbus-fix-granting-of-vmalloc-d-memory.patch fsldma-fix-very-broken-32-bit-ppc-ioread64-functiona.patch +dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch +batman-adv-avoid-uninitialized-chaddr-when-handling-.patch +batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch +batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch +dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch +rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch +rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch +mips-mm-bmips5000-has-inclusive-physical-caches.patch +mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch +mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch +netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch +netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch +netfilter-nf_tables-fix-destination-register-zeroing.patch +net-hns-fix-memleak-in-hns_nic_dev_probe.patch +net-systemport-fix-memleak-in-bcm_sysport_probe.patch +ravb-fixed-to-be-able-to-unload-modules.patch +net-arc_emac-fix-memleak-in-arc_mdio_probe.patch +dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch +gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch +net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch +bnxt_en-don-t-query-fw-when-netif_running-is-false.patch +bnxt_en-check-for-zero-dir-entries-in-nvram.patch +bnxt_en-fix-pci-aer-error-recovery-flow.patch +bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch +bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch +xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch +bnxt-don-t-enable-napi-until-rings-are-ready.patch +media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch +media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch +selftests-bpf-fix-massive-output-from-test_maps.patch +net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch 
+netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch +nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch +nvme-fix-controller-instance-leak.patch +cxgb4-fix-thermal-zone-device-registration.patch +perf-tools-correct-snoopx-field-offset.patch +net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch +fix-regression-in-epoll-keep-a-reference-on-files-ad.patch +net-gemini-fix-another-missing-clk_disable_unprepare.patch +drm-radeon-prefer-lower-feedback-dividers.patch +mips-add-missing-msacsr-and-upper-msa-initialization.patch +xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch +perf-jevents-fix-suspicious-code-in-fixregex.patch +tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch +x86-fakenuma-fix-invalid-starting-node-id.patch +iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch +thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch +thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch +iommu-amd-restore-irte.remapen-bit-after-programming.patch +net-packet-fix-overflow-in-tpacket_rcv.patch +include-linux-log2.h-add-missing-around-n-in-roundup.patch +vfio-type1-support-faulting-pfnmap-vmas.patch +vfio-pci-fault-mmaps-to-enable-vma-tracking.patch +vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch diff --git a/queue-5.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch b/queue-5.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch new file mode 100644 index 00000000000..bcbbc174090 --- /dev/null +++ b/queue-5.4/tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch 
@@ -0,0 +1,80 @@ +From db6e84afb80188a7a9e226964ea285ede92415d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 14:28:54 -0400 +Subject: tg3: Fix soft lockup when tg3_reset_task() fails. + +From: Michael Chan + +[ Upstream commit 556699341efa98243e08e34401b3f601da91f5a3 ] + +If tg3_reset_task() fails, the device state is left in an inconsistent +state with IFF_RUNNING still set but NAPI state not enabled. A +subsequent operation, such as ifdown or AER error can cause it to +soft lock up when it tries to disable NAPI state. + +Fix it by bringing down the device to !IFF_RUNNING state when +tg3_reset_task() fails. tg3_reset_task() running from workqueue +will now call tg3_close() when the reset fails. We need to +modify tg3_reset_task_cancel() slightly to avoid tg3_close() +calling cancel_work_sync() to cancel tg3_reset_task(). Otherwise +cancel_work_sync() will wait forever for tg3_reset_task() to +finish. + +Reported-by: David Christensen +Reported-by: Baptiste Covolato +Fixes: db2199737990 ("tg3: Schedule at most one tg3_reset_task run") +Signed-off-by: Michael Chan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index e12ba81288e64..70bd79dc43f2e 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7227,8 +7227,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp) + + static inline void tg3_reset_task_cancel(struct tg3 *tp) + { +- cancel_work_sync(&tp->reset_task); +- tg3_flag_clear(tp, RESET_TASK_PENDING); ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags)) ++ cancel_work_sync(&tp->reset_task); + tg3_flag_clear(tp, TX_RECOVERY_PENDING); + } + +@@ -11219,18 +11219,27 @@ static void tg3_reset_task(struct work_struct *work) + + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0); + err = tg3_init_hw(tp, true); +- if (err) ++ if (err) { ++ tg3_full_unlock(tp); ++ tp->irq_sync = 0; ++ tg3_napi_enable(tp); ++ /* Clear this flag so that tg3_reset_task_cancel() will not ++ * call cancel_work_sync() and wait forever. ++ */ ++ tg3_flag_clear(tp, RESET_TASK_PENDING); ++ dev_close(tp->dev); + goto out; ++ } + + tg3_netif_start(tp); + +-out: + tg3_full_unlock(tp); + + if (!err) + tg3_phy_start(tp); + + tg3_flag_clear(tp, RESET_TASK_PENDING); ++out: + rtnl_unlock(); + } + +-- +2.25.1 + diff --git a/queue-5.4/thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch b/queue-5.4/thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch new file mode 100644 index 00000000000..8bc9dcd1699 --- /dev/null +++ b/queue-5.4/thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch 
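Review bot: In `tg3_reset_task_cancel()` the wait is now conditional on `RESET_TASK_PENDING`, yet on the success path `tg3_reset_task()` clears that flag before its final `rtnl_unlock()`, so a caller can return from the cancel helper while the work function is still running its tail. That is harmless only as long as nothing after the clear touches `tp`; callers that free the device after cancelling are outside this hunk, so this is inferred rather than shown. I would record the assumption next to the test: `/* the work item must not touch tp after clearing RESET_TASK_PENDING */`. `tg3_reset_task()` starts outside the hunk.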
@@ -0,0 +1,49 @@
+From 2d3d749622d02cc8f7a8a0e4a79fb5e20401e6ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 09:52:51 -0700
+Subject: thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
+
+From: Veera Vegivada
+
+[ Upstream commit 0ffdab6f2dea9e23ec33230de24e492ff0b186d9 ]
+
+Currently driver is suppressing the negative temperature
+readings from the vadc. Consumers of the thermal zones need
+to read the negative temperature too. Don't suppress the
+readings.
+
+Fixes: c610afaa21d3c6e ("thermal: Add QPNP PMIC temperature alarm driver")
+Signed-off-by: Veera Vegivada
+Signed-off-by: Guru Das Srinagesh
+Reviewed-by: Stephen Boyd
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/944856eb819081268fab783236a916257de120e4.1596040416.git.gurus@codeaurora.org
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+index bf7bae42c141c..6dc879fea9c8a 100644
+--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (c) 2011-2015, 2017, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
+ */
+
+ #include
+@@ -191,7 +191,7 @@ static int qpnp_tm_get_temp(void *data, int *temp)
+ chip->temp = mili_celsius;
+ }
+
+- *temp = chip->temp < 0 ? 0 : chip->temp;
++ *temp = chip->temp;
+
+ return 0;
+ }
+--
+2.25.1
+
diff --git a/queue-5.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch b/queue-5.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch
new file mode 100644
index 00000000000..5ff46ad8c83
--- /dev/null
+++ b/queue-5.4/thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch
@@ -0,0 +1,110 @@ +From 55a914d650bc4cb832604fa67fc4e6b0d608f832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 11:33:38 -0700 +Subject: thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 + +From: Tony Lindgren + +[ Upstream commit 30d24faba0532d6972df79a1bf060601994b5873 ] + +We can sometimes get bogus thermal shutdowns on omap4430 at least with +droid4 running idle with a battery charger connected: + +thermal thermal_zone0: critical temperature reached (143 C), shutting down + +Dumping out the register values shows we can occasionally get a 0x7f value +that is outside the TRM listed values in the ADC conversion table. And then +we get a normal value when reading again after that. Reading the register +multiple times does not seem help avoiding the bogus values as they stay +until the next sample is ready. + +Looking at the TRM chapter "18.4.10.2.3 ADC Codes Versus Temperature", we +should have values from 13 to 107 listed with a total of 95 values. But +looking at the omap4430_adc_to_temp array, the values are off, and the +end values are missing. And it seems that the 4430 ADC table is similar +to omap3630 rather than omap4460. + +Let's fix the issue by using values based on the omap3630 table and just +ignoring invalid values. Compared to the 4430 TRM, the omap3630 table has +the missing values added while the TRM table only shows every second +value. + +Note that sometimes the ADC register values within the valid table can +also be way off for about 1 out of 10 values. But it seems that those +just show about 25 C too low values rather than too high values. So those +do not cause a bogus thermal shutdown. 
+ +Fixes: 1a31270e54d7 ("staging: omap-thermal: add OMAP4 data structures") +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200706183338.25622-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + .../ti-soc-thermal/omap4-thermal-data.c | 23 ++++++++++--------- + .../thermal/ti-soc-thermal/omap4xxx-bandgap.h | 10 +++++--- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +index 63b02bfb2adf6..fdb8a495ab69a 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +@@ -37,20 +37,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = { + + /* + * Temperature values in milli degree celsius +- * ADC code values from 530 to 923 ++ * ADC code values from 13 to 107, see TRM ++ * "18.4.10.2.3 ADC Codes Versus Temperature". 
+ */ + static const int + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = { +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000, +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000, +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000, +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000, +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000, +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000, +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000, +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000, +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000, +- 117000, 118000, 120000, 122000, 123000, ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000, ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000, ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500, ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000, ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000, ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000, ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000, ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000, ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000, + }; + + /* OMAP4430 data */ +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +index a453ff8eb313e..9a3955c3853ba 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +@@ -53,9 +53,13 @@ + * and thresholds for OMAP4430. 
+ */ + +-/* ADC conversion table limits */ +-#define OMAP4430_ADC_START_VALUE 0 +-#define OMAP4430_ADC_END_VALUE 127 ++/* ++ * ADC conversion table limits. Ignore values outside the TRM listed ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter ++ * "18.4.10.2.3 ADC Codes Versus Temperature". ++ */ ++#define OMAP4430_ADC_START_VALUE 13 ++#define OMAP4430_ADC_END_VALUE 107 + /* bandgap clock limits (no control on 4430) */ + #define OMAP4430_MAX_FREQ 32768 + #define OMAP4430_MIN_FREQ 32768 +-- +2.25.1 + diff --git a/queue-5.4/vfio-pci-fault-mmaps-to-enable-vma-tracking.patch b/queue-5.4/vfio-pci-fault-mmaps-to-enable-vma-tracking.patch new file mode 100644 index 00000000000..a39945b9b45 --- /dev/null +++ b/queue-5.4/vfio-pci-fault-mmaps-to-enable-vma-tracking.patch 
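Review bot: `omap4430_adc_to_temp` is still declared with an explicit size derived from the two limit macros, so if a later edit leaves the initializer list shorter than that range, the tail is silently zero-filled and reads as 0 m°C. The new table has 95 entries, matching 107 - 13 + 1, so it is correct as posted. Declaring it as `omap4430_adc_to_temp[]` and adding `static_assert(ARRAY_SIZE(omap4430_adc_to_temp) == OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1);` would turn any future mismatch into a build error. The fix also depends on the lookup code rejecting ADC codes outside the two limits, which is not visible in this hunk.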
@@ -0,0 +1,154 @@ +From d206bf0d0a68c3fd8ef342d291f6619034363c1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 19:37:55 +0530 +Subject: vfio-pci: Fault mmaps to enable vma tracking + +From: Ajay Kaher + +commit 11c4cd07ba111a09f49625f9e4c851d83daf0a22 upstream. + +Rather than calling remap_pfn_range() when a region is mmap'd, setup +a vm_ops handler to support dynamic faulting of the range on access. +This allows us to manage a list of vmas actively mapping the area that +we can later use to invalidate those mappings. The open callback +invalidates the vma range so that all tracking is inserted in the +fault handler and removed in the close handler. + +Reviewed-by: Peter Xu +Signed-off-by: Alex Williamson +Signed-off-by: Ajay Kaher +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 76 ++++++++++++++++++++++++++++- + drivers/vfio/pci/vfio_pci_private.h | 7 +++ + 2 files changed, 81 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 02206162eaa9e..da1d1eac0def1 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1192,6 +1192,70 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf, + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true); + } + ++static int vfio_pci_add_vma(struct vfio_pci_device *vdev, ++ struct vm_area_struct *vma) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL); ++ if (!mmap_vma) ++ return -ENOMEM; ++ ++ mmap_vma->vma = vma; ++ ++ mutex_lock(&vdev->vma_lock); ++ list_add(&mmap_vma->vma_next, &vdev->vma_list); ++ mutex_unlock(&vdev->vma_lock); ++ ++ return 0; ++} ++ ++/* ++ * Zap mmaps on open so that we can fault them in on access and therefore ++ * our vma_list only tracks mappings accessed since last zap. 
++ */ ++static void vfio_pci_mmap_open(struct vm_area_struct *vma) ++{ ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++} ++ ++static void vfio_pci_mmap_close(struct vm_area_struct *vma) ++{ ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mutex_lock(&vdev->vma_lock); ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) { ++ if (mmap_vma->vma == vma) { ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ break; ++ } ++ } ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) ++{ ++ struct vm_area_struct *vma = vmf->vma; ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ ++ if (vfio_pci_add_vma(vdev, vma)) ++ return VM_FAULT_OOM; ++ ++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, ++ vma->vm_end - vma->vm_start, vma->vm_page_prot)) ++ return VM_FAULT_SIGBUS; ++ ++ return VM_FAULT_NOPAGE; ++} ++ ++static const struct vm_operations_struct vfio_pci_mmap_ops = { ++ .open = vfio_pci_mmap_open, ++ .close = vfio_pci_mmap_close, ++ .fault = vfio_pci_mmap_fault, ++}; ++ + static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + { + struct vfio_pci_device *vdev = device_data; +@@ -1250,8 +1314,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff; + +- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- req_len, vma->vm_page_prot); ++ /* ++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't ++ * change vm_flags within the fault handler. Set them now. 
++ */ ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_ops = &vfio_pci_mmap_ops; ++ ++ return 0; + } + + static void vfio_pci_request(void *device_data, unsigned int count) +@@ -1327,6 +1397,8 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + spin_lock_init(&vdev->irqlock); + mutex_init(&vdev->ioeventfds_lock); + INIT_LIST_HEAD(&vdev->ioeventfds_list); ++ mutex_init(&vdev->vma_lock); ++ INIT_LIST_HEAD(&vdev->vma_list); + + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev); + if (ret) { +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h +index ee6ee91718a4d..898844894ed85 100644 +--- a/drivers/vfio/pci/vfio_pci_private.h ++++ b/drivers/vfio/pci/vfio_pci_private.h +@@ -84,6 +84,11 @@ struct vfio_pci_reflck { + struct mutex lock; + }; + ++struct vfio_pci_mmap_vma { ++ struct vm_area_struct *vma; ++ struct list_head vma_next; ++}; ++ + struct vfio_pci_device { + struct pci_dev *pdev; + void __iomem *barmap[PCI_STD_RESOURCE_END + 1]; +@@ -122,6 +127,8 @@ struct vfio_pci_device { + struct list_head dummy_resources_list; + struct mutex ioeventfds_lock; + struct list_head ioeventfds_list; ++ struct mutex vma_lock; ++ struct list_head vma_list; + }; + + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX) +-- +2.25.1 + diff --git a/queue-5.4/vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch b/queue-5.4/vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch new file mode 100644 index 00000000000..050812f83f5 --- /dev/null +++ b/queue-5.4/vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch 
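Review bot: `vfio_pci_mmap_fault()` calls `vfio_pci_add_vma()` on every fault without checking whether the vma is already on `vdev->vma_list`, and `vfio_pci_mmap_close()` stops at the first match, so if two faults on the same vma are handled before the first `remap_pfn_range()` completes, the second entry is never freed and its `vma` pointer outlives the mapping. Whether faults can overlap that way depends on mm locking outside this hunk, so this is inferred rather than shown. A duplicate check under `vma_lock` in `vfio_pci_add_vma()`, as sketched below, closes the gap for the list itself. Separately, the comment added in `vfio_pci_mmap()` refers to `vfio_pci_fault()`, while the handler is named `vfio_pci_mmap_fault()`.

```c
static int vfio_pci_add_vma(struct vfio_pci_device *vdev,
			    struct vm_area_struct *vma)
{
	struct vfio_pci_mmap_vma *mmap_vma, *cur;

	/* … unchanged: kmalloc of mmap_vma and mmap_vma->vma = vma … */

	mutex_lock(&vdev->vma_lock);
	/* A concurrent fault may already have recorded this vma. */
	list_for_each_entry(cur, &vdev->vma_list, vma_next) {
		if (cur->vma == vma) {
			mutex_unlock(&vdev->vma_lock);
			kfree(mmap_vma);
			return 0;
		}
	}
	list_add(&mmap_vma->vma_next, &vdev->vma_list);
	mutex_unlock(&vdev->vma_lock);

	return 0;
}
```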
@@ -0,0 +1,741 @@ +From 7f13ff01a76ef498616f4bbe85da2e496981a3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 19:37:56 +0530 +Subject: vfio-pci: Invalidate mmaps and block MMIO access on disabled memory + +From: Ajay Kaher + +commit abafbc551fddede3e0a08dee1dcde08fc0eb8476 upstream. + +Accessing the disabled memory space of a PCI device would typically +result in a master abort response on conventional PCI, or an +unsupported request on PCI express. The user would generally see +these as a -1 response for the read return data and the write would be +silently discarded, possibly with an uncorrected, non-fatal AER error +triggered on the host. Some systems however take it upon themselves +to bring down the entire system when they see something that might +indicate a loss of data, such as this discarded write to a disabled +memory space. + +To avoid this, we want to try to block the user from accessing memory +spaces while they're disabled. We start with a semaphore around the +memory enable bit, where writers modify the memory enable state and +must be serialized, while readers make use of the memory region and +can access in parallel. Writers include both direct manipulation via +the command register, as well as any reset path where the internal +mechanics of the reset may both explicitly and implicitly disable +memory access, and manipulation of the MSI-X configuration, where the +MSI-X vector table resides in MMIO space of the device. Readers +include the read and write file ops to access the vfio device fd +offsets as well as memory mapped access. In the latter case, we make +use of our new vma list support to zap, or invalidate, those memory +mappings in order to force them to be faulted back in on access. + +Our semaphore usage will stall user access to MMIO spaces across +internal operations like reset, but the user might experience new +behavior when trying to access the MMIO space while disabled via the +PCI command register. 
Access via read or write while disabled will +return -EIO and access via memory maps will result in a SIGBUS. This +is expected to be compatible with known use cases and potentially +provides better error handling capabilities than present in the +hardware, while avoiding the more readily accessible and severe +platform error responses that might otherwise occur. + +Fixes: CVE-2020-12888 +Reviewed-by: Peter Xu +Signed-off-by: Alex Williamson +Signed-off-by: Ajay Kaher +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 291 ++++++++++++++++++++++++---- + drivers/vfio/pci/vfio_pci_config.c | 36 +++- + drivers/vfio/pci/vfio_pci_intrs.c | 14 ++ + drivers/vfio/pci/vfio_pci_private.h | 8 + + drivers/vfio/pci/vfio_pci_rdwr.c | 24 ++- + 5 files changed, 330 insertions(+), 43 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index da1d1eac0def1..0d16f9806655f 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include "vfio_pci_private.h" + +@@ -177,6 +178,7 @@ no_mmap: + + static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev); + static void vfio_pci_disable(struct vfio_pci_device *vdev); ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data); + + /* + * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND +@@ -688,6 +690,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + return 0; + } + ++struct vfio_devices { ++ struct vfio_device **devices; ++ int cur_index; ++ int max_index; ++}; ++ + static long vfio_pci_ioctl(void *device_data, + unsigned int cmd, unsigned long arg) + { +@@ -761,7 +769,7 @@ static long vfio_pci_ioctl(void *device_data, + { + void __iomem *io; + size_t size; +- u16 orig_cmd; ++ u16 cmd; + + info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index); + info.flags = 0; +@@ -781,10 +789,7 @@ static long vfio_pci_ioctl(void *device_data, + * Is 
it really there? Enable memory decode for + * implicit access in pci_map_rom(). + */ +- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd); +- pci_write_config_word(pdev, PCI_COMMAND, +- orig_cmd | PCI_COMMAND_MEMORY); +- ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + io = pci_map_rom(pdev, &size); + if (io) { + info.flags = VFIO_REGION_INFO_FLAG_READ; +@@ -792,8 +797,8 @@ static long vfio_pci_ioctl(void *device_data, + } else { + info.size = 0; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + +- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd); + break; + } + case VFIO_PCI_VGA_REGION_INDEX: +@@ -936,8 +941,16 @@ static long vfio_pci_ioctl(void *device_data, + return ret; + + } else if (cmd == VFIO_DEVICE_RESET) { +- return vdev->reset_works ? +- pci_try_reset_function(vdev->pdev) : -EINVAL; ++ int ret; ++ ++ if (!vdev->reset_works) ++ return -EINVAL; ++ ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ ret = pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ ++ return ret; + + } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) { + struct vfio_pci_hot_reset_info hdr; +@@ -1017,8 +1030,9 @@ reset_info_exit: + int32_t *group_fds; + struct vfio_pci_group_entry *groups; + struct vfio_pci_group_info info; ++ struct vfio_devices devs = { .cur_index = 0 }; + bool slot = false; +- int i, count = 0, ret = 0; ++ int i, group_idx, mem_idx = 0, count = 0, ret = 0; + + minsz = offsetofend(struct vfio_pci_hot_reset, count); + +@@ -1070,9 +1084,9 @@ reset_info_exit: + * user interface and store the group and iommu ID. This + * ensures the group is held across the reset. 
+ */ +- for (i = 0; i < hdr.count; i++) { ++ for (group_idx = 0; group_idx < hdr.count; group_idx++) { + struct vfio_group *group; +- struct fd f = fdget(group_fds[i]); ++ struct fd f = fdget(group_fds[group_idx]); + if (!f.file) { + ret = -EBADF; + break; +@@ -1085,8 +1099,9 @@ reset_info_exit: + break; + } + +- groups[i].group = group; +- groups[i].id = vfio_external_user_iommu_id(group); ++ groups[group_idx].group = group; ++ groups[group_idx].id = ++ vfio_external_user_iommu_id(group); + } + + kfree(group_fds); +@@ -1105,13 +1120,63 @@ reset_info_exit: + ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, + vfio_pci_validate_devs, + &info, slot); +- if (!ret) +- /* User has access, do the reset */ +- ret = pci_reset_bus(vdev->pdev); ++ if (ret) ++ goto hot_reset_release; ++ ++ devs.max_index = count; ++ devs.devices = kcalloc(count, sizeof(struct vfio_device *), ++ GFP_KERNEL); ++ if (!devs.devices) { ++ ret = -ENOMEM; ++ goto hot_reset_release; ++ } ++ ++ /* ++ * We need to get memory_lock for each device, but devices ++ * can share mmap_sem, therefore we need to zap and hold ++ * the vma_lock for each device, and only then get each ++ * memory_lock. 
++ */ ++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, ++ vfio_pci_try_zap_and_vma_lock_cb, ++ &devs, slot); ++ if (ret) ++ goto hot_reset_release; ++ ++ for (; mem_idx < devs.cur_index; mem_idx++) { ++ struct vfio_pci_device *tmp; ++ ++ tmp = vfio_device_data(devs.devices[mem_idx]); ++ ++ ret = down_write_trylock(&tmp->memory_lock); ++ if (!ret) { ++ ret = -EBUSY; ++ goto hot_reset_release; ++ } ++ mutex_unlock(&tmp->vma_lock); ++ } ++ ++ /* User has access, do the reset */ ++ ret = pci_reset_bus(vdev->pdev); + + hot_reset_release: +- for (i--; i >= 0; i--) +- vfio_group_put_external_user(groups[i].group); ++ for (i = 0; i < devs.cur_index; i++) { ++ struct vfio_device *device; ++ struct vfio_pci_device *tmp; ++ ++ device = devs.devices[i]; ++ tmp = vfio_device_data(device); ++ ++ if (i < mem_idx) ++ up_write(&tmp->memory_lock); ++ else ++ mutex_unlock(&tmp->vma_lock); ++ vfio_device_put(device); ++ } ++ kfree(devs.devices); ++ ++ for (group_idx--; group_idx >= 0; group_idx--) ++ vfio_group_put_external_user(groups[group_idx].group); + + kfree(groups); + return ret; +@@ -1192,8 +1257,126 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf, + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true); + } + +-static int vfio_pci_add_vma(struct vfio_pci_device *vdev, +- struct vm_area_struct *vma) ++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */ ++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma, *tmp; ++ ++ /* ++ * Lock ordering: ++ * vma_lock is nested under mmap_sem for vm_ops callback paths. ++ * The memory_lock semaphore is used by both code paths calling ++ * into this function to zap vmas and the vm_ops.fault callback ++ * to protect the memory enable state of the device. 
++ * ++ * When zapping vmas we need to maintain the mmap_sem => vma_lock ++ * ordering, which requires using vma_lock to walk vma_list to ++ * acquire an mm, then dropping vma_lock to get the mmap_sem and ++ * reacquiring vma_lock. This logic is derived from similar ++ * requirements in uverbs_user_mmap_disassociate(). ++ * ++ * mmap_sem must always be the top-level lock when it is taken. ++ * Therefore we can only hold the memory_lock write lock when ++ * vma_list is empty, as we'd need to take mmap_sem to clear ++ * entries. vma_list can only be guaranteed empty when holding ++ * vma_lock, thus memory_lock is nested under vma_lock. ++ * ++ * This enables the vm_ops.fault callback to acquire vma_lock, ++ * followed by memory_lock read lock, while already holding ++ * mmap_sem without risk of deadlock. ++ */ ++ while (1) { ++ struct mm_struct *mm = NULL; ++ ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) ++ return 0; ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ while (!list_empty(&vdev->vma_list)) { ++ mmap_vma = list_first_entry(&vdev->vma_list, ++ struct vfio_pci_mmap_vma, ++ vma_next); ++ mm = mmap_vma->vma->vm_mm; ++ if (mmget_not_zero(mm)) ++ break; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ mm = NULL; ++ } ++ if (!mm) ++ return 1; ++ mutex_unlock(&vdev->vma_lock); ++ ++ if (try) { ++ if (!down_read_trylock(&mm->mmap_sem)) { ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ down_read(&mm->mmap_sem); ++ } ++ if (mmget_still_valid(mm)) { ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) { ++ up_read(&mm->mmap_sem); ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ list_for_each_entry_safe(mmap_vma, tmp, ++ &vdev->vma_list, vma_next) { ++ struct vm_area_struct *vma = mmap_vma->vma; ++ ++ if (vma->vm_mm != mm) ++ continue; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ ++ zap_vma_ptes(vma, vma->vm_start, ++ vma->vm_end - vma->vm_start); ++ } ++ mutex_unlock(&vdev->vma_lock); ++ } ++ 
up_read(&mm->mmap_sem); ++ mmput(mm); ++ } ++} ++ ++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev) ++{ ++ vfio_pci_zap_and_vma_lock(vdev, false); ++ down_write(&vdev->memory_lock); ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev) ++{ ++ u16 cmd; ++ ++ down_write(&vdev->memory_lock); ++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd); ++ if (!(cmd & PCI_COMMAND_MEMORY)) ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, ++ cmd | PCI_COMMAND_MEMORY); ++ ++ return cmd; ++} ++ ++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd) ++{ ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd); ++ up_write(&vdev->memory_lock); ++} ++ ++/* Caller holds vma_lock */ ++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev, ++ struct vm_area_struct *vma) + { + struct vfio_pci_mmap_vma *mmap_vma; + +@@ -1202,10 +1385,7 @@ static int vfio_pci_add_vma(struct vfio_pci_device *vdev, + return -ENOMEM; + + mmap_vma->vma = vma; +- +- mutex_lock(&vdev->vma_lock); + list_add(&mmap_vma->vma_next, &vdev->vma_list); +- mutex_unlock(&vdev->vma_lock); + + return 0; + } +@@ -1239,15 +1419,32 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) + { + struct vm_area_struct *vma = vmf->vma; + struct vfio_pci_device *vdev = vma->vm_private_data; ++ vm_fault_t ret = VM_FAULT_NOPAGE; ++ ++ mutex_lock(&vdev->vma_lock); ++ down_read(&vdev->memory_lock); ++ ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ ret = VM_FAULT_SIGBUS; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } ++ ++ if (__vfio_pci_add_vma(vdev, vma)) { ++ ret = VM_FAULT_OOM; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } + +- if (vfio_pci_add_vma(vdev, vma)) +- return VM_FAULT_OOM; ++ mutex_unlock(&vdev->vma_lock); + + if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, + vma->vm_end - vma->vm_start, vma->vm_page_prot)) +- return VM_FAULT_SIGBUS; ++ ret = VM_FAULT_SIGBUS; + +- return 
VM_FAULT_NOPAGE; ++up_out: ++ up_read(&vdev->memory_lock); ++ return ret; + } + + static const struct vm_operations_struct vfio_pci_mmap_ops = { +@@ -1399,6 +1596,7 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + INIT_LIST_HEAD(&vdev->ioeventfds_list); + mutex_init(&vdev->vma_lock); + INIT_LIST_HEAD(&vdev->vma_list); ++ init_rwsem(&vdev->memory_lock); + + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev); + if (ret) { +@@ -1588,12 +1786,6 @@ static void vfio_pci_reflck_put(struct vfio_pci_reflck *reflck) + kref_put_mutex(&reflck->kref, vfio_pci_reflck_release, &reflck_lock); + } + +-struct vfio_devices { +- struct vfio_device **devices; +- int cur_index; +- int max_index; +-}; +- + static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data) + { + struct vfio_devices *devs = data; +@@ -1624,6 +1816,39 @@ static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data) + return 0; + } + ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data) ++{ ++ struct vfio_devices *devs = data; ++ struct vfio_device *device; ++ struct vfio_pci_device *vdev; ++ ++ if (devs->cur_index == devs->max_index) ++ return -ENOSPC; ++ ++ device = vfio_device_get_from_dev(&pdev->dev); ++ if (!device) ++ return -EINVAL; ++ ++ if (pci_dev_driver(pdev) != &vfio_pci_driver) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ vdev = vfio_device_data(device); ++ ++ /* ++ * Locking multiple devices is prone to deadlock, runaway and ++ * unwind if we hit contention. 
++ */ ++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ devs->devices[devs->cur_index++] = device; ++ return 0; ++} ++ + /* + * If a bus or slot reset is available for the provided device and: + * - All of the devices affected by that bus or slot reset are unused +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index d6359c37c9e55..e8646873dadb1 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -395,6 +395,14 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write) + *(__le32 *)(&p->write[off]) = cpu_to_le32(write); + } + ++/* Caller should hold memory_lock semaphore */ ++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev) ++{ ++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]); ++ ++ return cmd & PCI_COMMAND_MEMORY; ++} ++ + /* + * Restore the *real* BARs after we detect a FLR or backdoor reset. + * (backdoor = some device specific technique that we didn't catch) +@@ -554,13 +562,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + new_cmd = le32_to_cpu(val); + ++ phys_io = !!(phys_cmd & PCI_COMMAND_IO); ++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); ++ new_io = !!(new_cmd & PCI_COMMAND_IO); ++ + phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY); + virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY); + new_mem = !!(new_cmd & PCI_COMMAND_MEMORY); + +- phys_io = !!(phys_cmd & PCI_COMMAND_IO); +- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); +- new_io = !!(new_cmd & PCI_COMMAND_IO); ++ if (!new_mem) ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ else ++ down_write(&vdev->memory_lock); + + /* + * If the user is writing mem/io enable (new_mem/io) and we +@@ -577,8 +590,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + } + + count = vfio_default_config_write(vdev, pos, count, perm, offset, val); +- 
if (count < 0) ++ if (count < 0) { ++ if (offset == PCI_COMMAND) ++ up_write(&vdev->memory_lock); + return count; ++ } + + /* + * Save current memory/io enable bits in vconfig to allow for +@@ -589,6 +605,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + *virt_cmd &= cpu_to_le16(~mask); + *virt_cmd |= cpu_to_le16(new_cmd & mask); ++ ++ up_write(&vdev->memory_lock); + } + + /* Emulate INTx disable */ +@@ -826,8 +844,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_EXP_DEVCAP, + &cap); + +- if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + /* +@@ -905,8 +926,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_AF_CAP, + &cap); + +- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + return count; +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index 2056f3f85f59b..1d9fb25929459 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -249,6 +249,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + struct pci_dev *pdev = vdev->pdev; + unsigned int flag = msix ? 
PCI_IRQ_MSIX : PCI_IRQ_MSI; + int ret; ++ u16 cmd; + + if (!is_irq_none(vdev)) + return -EINVAL; +@@ -258,13 +259,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + return -ENOMEM; + + /* return the number of supported vectors if we can't get all: */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag); + if (ret < nvec) { + if (ret > 0) + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + kfree(vdev->ctx); + return ret; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + vdev->num_ctx = nvec; + vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX : +@@ -287,6 +291,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + struct pci_dev *pdev = vdev->pdev; + struct eventfd_ctx *trigger; + int irq, ret; ++ u16 cmd; + + if (vector < 0 || vector >= vdev->num_ctx) + return -EINVAL; +@@ -295,7 +300,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + if (vdev->ctx[vector].trigger) { + irq_bypass_unregister_producer(&vdev->ctx[vector].producer); ++ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + free_irq(irq, vdev->ctx[vector].trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); ++ + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(vdev->ctx[vector].trigger); + vdev->ctx[vector].trigger = NULL; +@@ -323,6 +332,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + * such a reset it would be unsuccessful. To avoid this, restore the + * cached value of the message prior to enabling. 
+ */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + if (msix) { + struct msi_msg msg; + +@@ -332,6 +342,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + ret = request_irq(irq, vfio_msihandler, 0, + vdev->ctx[vector].name, trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + if (ret) { + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(trigger); +@@ -376,6 +387,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + { + struct pci_dev *pdev = vdev->pdev; + int i; ++ u16 cmd; + + for (i = 0; i < vdev->num_ctx; i++) { + vfio_virqfd_disable(&vdev->ctx[i].unmask); +@@ -384,7 +396,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + + vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix); + ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + /* + * Both disable paths above use pci_intx_for_msi() to clear DisINTx +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h +index 898844894ed85..987b4d311fde9 100644 +--- a/drivers/vfio/pci/vfio_pci_private.h ++++ b/drivers/vfio/pci/vfio_pci_private.h +@@ -129,6 +129,7 @@ struct vfio_pci_device { + struct list_head ioeventfds_list; + struct mutex vma_lock; + struct list_head vma_list; ++ struct rw_semaphore memory_lock; + }; + + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX) +@@ -171,6 +172,13 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + extern int vfio_pci_set_power_state(struct vfio_pci_device *vdev, + pci_power_t state); + ++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev); ++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device ++ *vdev); ++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev); ++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, ++ u16 cmd); ++ + #ifdef CONFIG_VFIO_PCI_IGD + extern 
int vfio_pci_igd_init(struct vfio_pci_device *vdev); + #else +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 0120d8324a402..83f81d24df78e 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -162,6 +162,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + size_t x_start = 0, x_end = 0; + resource_size_t end; + void __iomem *io; ++ struct resource *res = &vdev->pdev->resource[bar]; + ssize_t done; + + if (pci_resource_start(pdev, bar)) +@@ -177,6 +178,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + count = min(count, (size_t)(end - pos)); + ++ if (res->flags & IORESOURCE_MEM) { ++ down_read(&vdev->memory_lock); ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ up_read(&vdev->memory_lock); ++ return -EIO; ++ } ++ } ++ + if (bar == PCI_ROM_RESOURCE) { + /* + * The ROM can fill less space than the BAR, so we start the +@@ -184,13 +193,17 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + * filling large ROM BARs much faster. + */ + io = pci_map_rom(pdev, &x_start); +- if (!io) +- return -ENOMEM; ++ if (!io) { ++ done = -ENOMEM; ++ goto out; ++ } + x_end = end; + } else { + int ret = vfio_pci_setup_barmap(vdev, bar); +- if (ret) +- return ret; ++ if (ret) { ++ done = ret; ++ goto out; ++ } + + io = vdev->barmap[bar]; + } +@@ -207,6 +220,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + if (bar == PCI_ROM_RESOURCE) + pci_unmap_rom(pdev, io); ++out: ++ if (res->flags & IORESOURCE_MEM) ++ up_read(&vdev->memory_lock); + + return done; + } +-- +2.25.1 + diff --git a/queue-5.4/vfio-type1-support-faulting-pfnmap-vmas.patch b/queue-5.4/vfio-type1-support-faulting-pfnmap-vmas.patch new file mode 100644 index 00000000000..b9947f86f5f --- /dev/null +++ b/queue-5.4/vfio-type1-support-faulting-pfnmap-vmas.patch 
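Review bot: In the vfio_pci_rdwr.c hunks, vfio_pci_bar_rw() takes `memory_lock` for read before the transfer and drops it only at `out:`, so the lock appears to be held while data is copied to or from the user's `buf`. The copy itself sits between the hunks and is not shown. If that buffer lies inside an mmap of a vfio-pci BAR, the copy can fault into vfio_pci_mmap_fault(), which calls `down_read(&vdev->memory_lock)` again on the same task. A writer queued in between (a reset or a command-register write) can then stall both, because rw_semaphore read locks are not safe to nest. Narrowing the read lock to the individual device accesses, so that it is never held across a user copy, would remove the nesting; separately, `lockdep_assert_held(&vdev->memory_lock);` as the first statement of `__vfio_pci_memory_enabled()` would enforce the rule its comment only states.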
@@ -0,0 +1,81 @@
+From 0c46b5eb230f39b74fe932771ab601eec182e573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 6 Sep 2020 19:37:54 +0530
+Subject: vfio/type1: Support faulting PFNMAP vmas
+
+From: Ajay Kaher
+
+commit 41311242221e3482b20bfed10fa4d9db98d87016 upstream.
+
+With conversion to follow_pfn(), DMA mapping a PFNMAP range depends on
+the range being faulted into the vma. Add support to manually provide
+that, in the same way as done on KVM with hva_to_pfn_remapped().
+
+Reviewed-by: Peter Xu
+Signed-off-by: Alex Williamson
+Signed-off-by: Ajay Kaher
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/vfio_iommu_type1.c | 36 ++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index ca8c10aa4a4bc..c6220f57fdf3e 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -335,6 +335,32 @@ static int put_pfn(unsigned long pfn, int prot)
+ return 0;
+ }
+
++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm,
++ unsigned long vaddr, unsigned long *pfn,
++ bool write_fault)
++{
++ int ret;
++
++ ret = follow_pfn(vma, vaddr, pfn);
++ if (ret) {
++ bool unlocked = false;
++
++ ret = fixup_user_fault(NULL, mm, vaddr,
++ FAULT_FLAG_REMOTE |
++ (write_fault ? FAULT_FLAG_WRITE : 0),
++ &unlocked);
++ if (unlocked)
++ return -EAGAIN;
++
++ if (ret)
++ return ret;
++
++ ret = follow_pfn(vma, vaddr, pfn);
++ }
++
++ return ret;
++}
++
+ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
+ int prot, unsigned long *pfn)
+ {
+@@ -377,12 +403,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
+
+ vaddr = untagged_addr(vaddr);
+
++retry:
+ vma = find_vma_intersection(mm, vaddr, vaddr + 1);
+
+ if (vma && vma->vm_flags & VM_PFNMAP) {
+- if (!follow_pfn(vma, vaddr, pfn) &&
+- is_invalid_reserved_pfn(*pfn))
+- ret = 0;
++ ret = follow_fault_pfn(vma, mm, vaddr, pfn, prot & IOMMU_WRITE);
++ if (ret == -EAGAIN)
++ goto retry;
++
++ if (!ret && !is_invalid_reserved_pfn(*pfn))
++ ret = -EFAULT;
+ }
+
+ up_read(&mm->mmap_sem);
+--
+2.25.1
+
diff --git a/queue-5.4/x86-fakenuma-fix-invalid-starting-node-id.patch b/queue-5.4/x86-fakenuma-fix-invalid-starting-node-id.patch
new file mode 100644
index 00000000000..709748fee2b
--- /dev/null
+++ b/queue-5.4/x86-fakenuma-fix-invalid-starting-node-id.patch
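Review bot: follow_fault_pfn() consults `write_fault` only on the fallback path; when the first follow_pfn() succeeds, the pfn is returned with no check that the mapping permits writes, even though vaddr_get_pfn() passes `prot & IOMMU_WRITE`. A PFNMAP range that is already faulted in read-only could therefore be mapped for device writes, unless the part of vaddr_get_pfn() outside these hunks rejects it earlier. A guard at the top of follow_fault_pfn(), for example `if (write_fault && !(vma->vm_flags & VM_WRITE)) return -EFAULT;`, would make the requirement explicit. This is a VMA-level check, so please confirm it matches the protection actually installed in the page tables for these mappings.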
@@ -0,0 +1,74 @@
+From 336630c9b67172474c1dfb0235f0470309a5fd5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 14:10:47 +0800
+Subject: x86, fakenuma: Fix invalid starting node ID
+
+From: Huang Ying
+
+[ Upstream commit ccae0f36d500aef727f98acd8d0601e6b262a513 ]
+
+Commit:
+
+ cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability")
+
+uses "-1" as the starting node ID, which causes the strange kernel log as
+follows, when "numa=fake=32G" is added to the kernel command line:
+
+ Faking node -1 at [mem 0x0000000000000000-0x0000000893ffffff] (35136MB)
+ Faking node 0 at [mem 0x0000001840000000-0x000000203fffffff] (32768MB)
+ Faking node 1 at [mem 0x0000000894000000-0x000000183fffffff] (64192MB)
+ Faking node 2 at [mem 0x0000002040000000-0x000000283fffffff] (32768MB)
+ Faking node 3 at [mem 0x0000002840000000-0x000000303fffffff] (32768MB)
+
+And finally the kernel crashes:
+
+ BUG: Bad page state in process swapper pfn:00011
+ page:(____ptrval____) refcount:0 mapcount:1 mapping:(____ptrval____) index:0x55cd7e44b270 pfn:0x11
+ failed to read mapping contents, not a valid kernel address?
+ flags: 0x5(locked|uptodate)
+ raw: 0000000000000005 000055cd7e44af30 000055cd7e44af50 0000000100000006
+ raw: 000055cd7e44b270 000055cd7e44b290 0000000000000000 000055cd7e44b510
+ page dumped because: page still charged to cgroup
+ page->mem_cgroup:000055cd7e44b510
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted 5.9.0-rc2 #1
+ Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
+ Call Trace:
+ dump_stack+0x57/0x80
+ bad_page.cold+0x63/0x94
+ __free_pages_ok+0x33f/0x360
+ memblock_free_all+0x127/0x195
+ mem_init+0x23/0x1f5
+ start_kernel+0x219/0x4f5
+ secondary_startup_64+0xb6/0xc0
+
+Fix this bug via using 0 as the starting node ID. This restores the
+original behavior before cc9aec03e58f.
+
+[ mingo: Massaged the changelog. ]
+
+Fixes: cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability")
+Signed-off-by: "Huang, Ying"
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20200904061047.612950-1-ying.huang@intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/mm/numa_emulation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/numa_emulation.c b/arch/x86/mm/numa_emulation.c
+index abffa0be80da1..87282258d5bea 100644
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -321,7 +321,7 @@ static int __init split_nodes_size_interleave(struct numa_meminfo *ei,
+ u64 addr, u64 max_addr, u64 size)
+ {
+ return split_nodes_size_interleave_uniform(ei, pi, addr, max_addr, size,
+- 0, NULL, NUMA_NO_NODE);
++ 0, NULL, 0);
+ }
+
+ int __init setup_emu2phys_nid(int *dfl_phys_nid)
+--
+2.25.1
+
diff --git a/queue-5.4/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch b/queue-5.4/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
new file mode 100644
index 00000000000..b9f7e40217a
--- /dev/null
+++ b/queue-5.4/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
@@ -0,0 +1,54 @@
+From 7294e9609f15b783e020e09321736c3f04fb69e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Aug 2020 14:11:58 -0700
+Subject: xfs: fix boundary test in xfs_attr_shortform_verify
+
+From: Eric Sandeen
+
+[ Upstream commit f4020438fab05364018c91f7e02ebdd192085933 ]
+
+The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
+xfs_attr_shortform_verify is off by one, because the variable array
+at the end is defined as nameval[1] not nameval[].
+Hence we need to subtract 1 from the calculation.
+
+This can be shown by:
+
+# touch file
+# setfattr -n root.a file
+
+and verifications will fail when it's written to disk.
+
+This only matters for a last attribute which has a single-byte name
+and no value, otherwise the combination of namelen & valuelen will
+push endp further out and this test won't fail.
+
+Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
+Signed-off-by: Eric Sandeen
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index f0089e862216c..fe277ee5ec7c4 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -946,8 +946,10 @@ xfs_attr_shortform_verify(
+ * struct xfs_attr_sf_entry has a variable length.
+ * Check the fixed-offset parts of the structure are
+ * within the data buffer.
++ * xfs_attr_sf_entry is defined with a 1-byte variable
++ * array at the end, so we must subtract that off.
+ */
+- if (((char *)sfep + sizeof(*sfep)) >= endp)
++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
+ return __this_address;
+
+ /* Don't allow names with known bad length. */
+--
+2.25.1
+
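Review bot: The `- 1` in the new bounds test `((char *)sfep + sizeof(*sfep) - 1) >= endp` encodes the size of the trailing `nameval[1]` member as a bare constant, so the check goes wrong again without any warning if that array is ever redeclared, for example as a flexible array member. Because this is a structure verifier for shortform attribute data, I would tie the bound to the layout itself: `if ((char *)sfep + offsetof(struct xfs_attr_sf_entry, nameval) >= endp)`. The added comment could then say that only the fixed fields before `nameval` must lie inside the buffer. The rest of xfs_attr_shortform_verify() is outside the hunk.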
diff --git a/queue-5.4/xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch b/queue-5.4/xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch
new file mode 100644
index 00000000000..06c1d881e06
--- /dev/null
+++ b/queue-5.4/xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch
@@ -0,0 +1,37 @@
+From 35135f92205ddb192114f656b1368a633387989b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Sep 2020 10:47:02 -0700
+Subject: xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt
+ files
+
+From: Darrick J. Wong
+
+[ Upstream commit d0c20d38af135b2b4b90aa59df7878ef0c8fbef4 ]
+
+The realtime flag only applies to the data fork, so don't use the
+realtime block number checks on the attr fork of a realtime file.
+
+Fixes: 30b0984d9117 ("xfs: refactor bmap record validation")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Eric Sandeen
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 3f76da11197c4..19a600443b9ee 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -6179,7 +6179,7 @@ xfs_bmap_validate_extent(
+
+ isrt = XFS_IS_REALTIME_INODE(ip);
+ endfsb = irec->br_startblock + irec->br_blockcount - 1;
+- if (isrt) {
++ if (isrt && whichfork == XFS_DATA_FORK) {
+ if (!xfs_verify_rtbno(mp, irec->br_startblock))
+ return __this_address;
+ if (!xfs_verify_rtbno(mp, endfsb))
+--
+2.25.1
+
-- 2.47.3