From 68b3232f4667c1630bb91e75cd203d8a6f00c5fc Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 5 Jan 2020 13:59:12 -0500 Subject: [PATCH] fixes for 4.14 Signed-off-by: Sasha Levin --- ...imit-to-int_max-in-create_blob-ioctl.patch | 44 +++++ ...-the-declaration-of-struct-nouveau_c.patch | 163 ++++++++++++++++++ ...irror-sequence-of-device-add-during-.patch | 66 +++++++ ...-fix-too-short-conversion-time-delay.patch | 93 ++++++++++ ...dev-before-reference-in-raid1_sync_r.patch | 34 ++++ ...et-read-write_iter-honor-iocb_nowait.patch | 47 +++++ ...le-to-ops-template-to-allow-module-r.patch | 154 +++++++++++++++++ ...-fail-devfreq_dev_release-if-not-in-.patch | 55 ++++++ ...ory_bm_find_bit-tighten-node-optimis.patch | 58 +++++++ ...sed-unregister_pernet_subsys-in-init.patch | 38 ++++ ...alculate-icrc-for-unaligned-payloads.patch | 83 +++++++++ ...ust-sampling-interval-to-avoid-hitti.patch | 75 ++++++++ ...id-sbd-overflow-condition-in-irq-han.patch | 77 +++++++++ ...csi-qla4xxx-fix-double-free-in-probe.patch | 40 +++++ ...-discovering-if-oob-mode-is-disconne.patch | 147 ++++++++++++++++ ...mory-leak-on-lpfc_bsg_write_ebuf_set.patch | 68 ++++++++ ...xxx-don-t-call-qlt_async_event-twice.patch | 51 ++++++ queue-4.14/series | 22 +++ queue-4.14/taskstats-fix-data-race.patch | 105 +++++++++++ .../usb-gadget-fix-wrong-endpoint-desc.patch | 61 +++++++ ...ballooned-page-accounting-without-ho.patch | 43 +++++ ...back-prevent-premature-module-unload.patch | 59 +++++++ ...ilure-crash-on-invalid-iclog-memory-.patch | 47 +++++ 23 files changed, 1630 insertions(+) create mode 100644 queue-4.14/drm-limit-to-int_max-in-create_blob-ioctl.patch create mode 100644 queue-4.14/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch create mode 100644 queue-4.14/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch create mode 100644 queue-4.14/iio-adc-max9611-fix-too-short-conversion-time-delay.patch create mode 100644 queue-4.14/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch create mode 100644 queue-4.14/net-make-socket-read-write_iter-honor-iocb_nowait.patch create mode 100644 queue-4.14/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch create mode 100644 queue-4.14/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch create mode 100644 queue-4.14/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch create mode 100644 queue-4.14/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch create mode 100644 queue-4.14/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch create mode 100644 queue-4.14/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch create mode 100644 queue-4.14/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch create mode 100644 queue-4.14/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch create mode 100644 queue-4.14/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch create mode 100644 queue-4.14/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch create mode 100644 queue-4.14/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.14/taskstats-fix-data-race.patch create mode 100644 queue-4.14/usb-gadget-fix-wrong-endpoint-desc.patch create mode 100644 queue-4.14/xen-balloon-fix-ballooned-page-accounting-without-ho.patch create mode 100644 queue-4.14/xen-blkback-prevent-premature-module-unload.patch create mode 100644 queue-4.14/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch diff --git a/queue-4.14/drm-limit-to-int_max-in-create_blob-ioctl.patch b/queue-4.14/drm-limit-to-int_max-in-create_blob-ioctl.patch new file mode 100644 index 00000000000..f89d4037c78 --- /dev/null +++ b/queue-4.14/drm-limit-to-int_max-in-create_blob-ioctl.patch @@ -0,0 +1,44 @@ +From 93408f2a45084cd829437e76ca93e3bfc11abdff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 16:52:37 -0800 +Subject: drm: limit to INT_MAX in create_blob ioctl + +From: Daniel Vetter + +[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ] + +The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb +("uaccess: disallow > INT_MAX copy sizes") + +Code itself should have been fine as-is. + +Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch +Signed-off-by: Daniel Vetter +Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com +Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") +Cc: Kees Cook +Cc: Alexander Viro +Cc: Stephen Rothwell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_property.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c +index 78e630771214..9decd981d94e 100644 +--- a/drivers/gpu/drm/drm_property.c ++++ b/drivers/gpu/drm/drm_property.c +@@ -540,7 +540,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, + struct drm_property_blob *blob; + int ret; + +- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) ++ if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) + return ERR_PTR(-EINVAL); + + blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); +-- +2.20.1 + diff --git a/queue-4.14/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch b/queue-4.14/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch new file mode 100644 index 00000000000..eea96a72878 --- /dev/null +++ b/queue-4.14/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch @@ -0,0 +1,163 @@ +From 7e10875c25468e16b134fbb0b1308e1793a6646f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 10:52:52 +0200 +Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a + bit + +From: Hans de Goede + +[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ] + +Place the declaration of struct nouveau_conn_atom above that of +struct nouveau_connector. This commit makes no changes to the moved +block what so ever, it just moves it up a bit. + +This is a preparation patch to fix some issues with connector handling +on pre nv50 displays (which do not use atomic modesetting). + +Signed-off-by: Hans de Goede +Reviewed-by: Lyude Paul +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++---------- + 1 file changed, 55 insertions(+), 55 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h +index dc7454e7f19a..b46e99f7641e 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.h ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h +@@ -29,6 +29,7 @@ + + #include + ++#include + #include + #include + #include +@@ -37,6 +38,60 @@ + + struct nvkm_i2c_port; + ++#define nouveau_conn_atom(p) \ ++ container_of((p), struct nouveau_conn_atom, state) ++ ++struct nouveau_conn_atom { ++ struct drm_connector_state state; ++ ++ struct { ++ /* The enum values specifically defined here match nv50/gf119 ++ * hw values, and the code relies on this. ++ */ ++ enum { ++ DITHERING_MODE_OFF = 0x00, ++ DITHERING_MODE_ON = 0x01, ++ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, ++ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, ++ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, ++ DITHERING_MODE_AUTO ++ } mode; ++ enum { ++ DITHERING_DEPTH_6BPC = 0x00, ++ DITHERING_DEPTH_8BPC = 0x02, ++ DITHERING_DEPTH_AUTO ++ } depth; ++ } dither; ++ ++ struct { ++ int mode; /* DRM_MODE_SCALE_* */ ++ struct { ++ enum { ++ UNDERSCAN_OFF, ++ UNDERSCAN_ON, ++ UNDERSCAN_AUTO, ++ } mode; ++ u32 hborder; ++ u32 vborder; ++ } underscan; ++ bool full; ++ } scaler; ++ ++ struct { ++ int color_vibrance; ++ int vibrant_hue; ++ } procamp; ++ ++ union { ++ struct { ++ bool dither:1; ++ bool scaler:1; ++ bool procamp:1; ++ }; ++ u8 mask; ++ } set; ++}; ++ + struct nouveau_connector { + struct drm_connector base; + enum dcb_connector_type type; +@@ -111,61 +166,6 @@ extern int nouveau_ignorelid; + extern int nouveau_duallink; + extern int nouveau_hdmimhz; + +-#include +-#define nouveau_conn_atom(p) \ +- container_of((p), struct nouveau_conn_atom, state) +- +-struct nouveau_conn_atom { +- struct drm_connector_state state; +- +- struct { +- /* The enum values specifically defined here match nv50/gf119 +- * hw values, and the code relies on this. +- */ +- enum { +- DITHERING_MODE_OFF = 0x00, +- DITHERING_MODE_ON = 0x01, +- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, +- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, +- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, +- DITHERING_MODE_AUTO +- } mode; +- enum { +- DITHERING_DEPTH_6BPC = 0x00, +- DITHERING_DEPTH_8BPC = 0x02, +- DITHERING_DEPTH_AUTO +- } depth; +- } dither; +- +- struct { +- int mode; /* DRM_MODE_SCALE_* */ +- struct { +- enum { +- UNDERSCAN_OFF, +- UNDERSCAN_ON, +- UNDERSCAN_AUTO, +- } mode; +- u32 hborder; +- u32 vborder; +- } underscan; +- bool full; +- } scaler; +- +- struct { +- int color_vibrance; +- int vibrant_hue; +- } procamp; +- +- union { +- struct { +- bool dither:1; +- bool scaler:1; +- bool procamp:1; +- }; +- u8 mask; +- } set; +-}; +- + void nouveau_conn_attach_properties(struct drm_connector *); + void nouveau_conn_reset(struct drm_connector *); + struct drm_connector_state * +-- +2.20.1 + diff --git a/queue-4.14/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch b/queue-4.14/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch new file mode 100644 index 00000000000..a842dac814e --- /dev/null +++ b/queue-4.14/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch @@ -0,0 +1,66 @@ +From e3c9e18ddf02531b59886e59a865b02673511768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:12:13 +0200 +Subject: IB/mlx4: Follow mirror sequence of device add during device removal + +From: Parav Pandit + +[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ] + +Current code device add sequence is: + +ib_register_device() +ib_mad_init() +init_sriov_init() +register_netdev_notifier() + +Therefore, the remove sequence should be, + +unregister_netdev_notifier() +close_sriov() +mad_cleanup() +ib_unregister_device() + +However it is not above. +Hence, make do above remove sequence. + +Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE") +Signed-off-by: Parav Pandit +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index 0299c0642de8..7e73a1a6cb67 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -3073,16 +3073,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr) + ibdev->ib_active = false; + flush_workqueue(wq); + +- mlx4_ib_close_sriov(ibdev); +- mlx4_ib_mad_cleanup(ibdev); +- ib_unregister_device(&ibdev->ib_dev); +- mlx4_ib_diag_cleanup(ibdev); + if (ibdev->iboe.nb.notifier_call) { + if (unregister_netdevice_notifier(&ibdev->iboe.nb)) + pr_warn("failure unregistering notifier\n"); + ibdev->iboe.nb.notifier_call = NULL; + } + ++ mlx4_ib_close_sriov(ibdev); ++ mlx4_ib_mad_cleanup(ibdev); ++ ib_unregister_device(&ibdev->ib_dev); ++ mlx4_ib_diag_cleanup(ibdev); ++ + mlx4_qp_release_range(dev, ibdev->steer_qpn_base, + ibdev->steer_qpn_count); + kfree(ibdev->ib_uc_qpns_bitmap); +-- +2.20.1 + diff --git a/queue-4.14/iio-adc-max9611-fix-too-short-conversion-time-delay.patch b/queue-4.14/iio-adc-max9611-fix-too-short-conversion-time-delay.patch new file mode 100644 index 00000000000..145e7570f2b --- /dev/null +++ b/queue-4.14/iio-adc-max9611-fix-too-short-conversion-time-delay.patch @@ -0,0 +1,93 @@ +From 18bad2346349099016ad888c0dd541ac07d1a71f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 09:55:46 +0100 +Subject: iio: adc: max9611: Fix too short conversion time delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ] + +As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature +reading in probe"), max9611 initialization sometimes fails on the +Salvator-X(S) development board with: + + max9611 4-007f: Invalid value received from ADC 0x8000: aborting + max9611: probe of 4-007f failed with error -5 + +The max9611 driver tests communications with the chip by reading the die +temperature during the probe function, which returns an invalid value. + +According to the datasheet, the typical ADC conversion time is 2 ms, but +no minimum or maximum values are provided. Maxim Technical Support +confirmed this was tested with temperature Ta=25 degreeC, and promised +to inform me if a maximum/minimum value is available (they didn't get +back to me, so I assume it is not). + +However, the driver assumes a 1 ms conversion time. Usually the +usleep_range() call returns after more than 1.8 ms, hence it succeeds. +When it returns earlier, the data register may be read too early, and +the previous measurement value will be returned. After boot, this is +the temperature POR (power-on reset) value, causing the failure above. + +Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs. + +Note that this issue has always been present, but it was exposed by the +aformentioned commit. + +Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: Wolfram Sang +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/max9611.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c +index 33be07c78b96..8649a61c50bc 100644 +--- a/drivers/iio/adc/max9611.c ++++ b/drivers/iio/adc/max9611.c +@@ -92,6 +92,12 @@ + #define MAX9611_TEMP_SCALE_NUM 1000000 + #define MAX9611_TEMP_SCALE_DIV 2083 + ++/* ++ * Conversion time is 2 ms (typically) at Ta=25 degreeC ++ * No maximum value is known, so play it safe. ++ */ ++#define MAX9611_CONV_TIME_US_RANGE 3000, 3300 ++ + struct max9611_dev { + struct device *dev; + struct i2c_client *i2c_client; +@@ -239,11 +245,9 @@ static int max9611_read_single(struct max9611_dev *max9611, + return ret; + } + +- /* +- * need a delay here to make register configuration +- * stabilize. 1 msec at least, from empirical testing. +- */ +- usleep_range(1000, 2000); ++ /* need a delay here to make register configuration stabilize. */ ++ ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr); + if (ret < 0) { +@@ -511,7 +515,7 @@ static int max9611_init(struct max9611_dev *max9611) + MAX9611_REG_CTRL2, 0); + return ret; + } +- usleep_range(1000, 2000); ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch b/queue-4.14/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch new file mode 100644 index 00000000000..067da38d629 --- /dev/null +++ b/queue-4.14/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch @@ -0,0 +1,34 @@ +From 5666efbb046b1a7b756bfec784d941110ba2b871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 10:42:25 +0800 +Subject: md: raid1: check rdev before reference in raid1_sync_request func + +From: Zhiqiang Liu + +[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ] + +In raid1_sync_request func, rdev should be checked before reference. + +Signed-off-by: Zhiqiang Liu +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index f46ac9db9edb..0a9d623b13c2 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2749,7 +2749,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr, + write_targets++; + } + } +- if (bio->bi_end_io) { ++ if (rdev && bio->bi_end_io) { + atomic_inc(&rdev->nr_pending); + bio->bi_iter.bi_sector = sector_nr + rdev->data_offset; + bio_set_dev(bio, rdev->bdev); +-- +2.20.1 + diff --git a/queue-4.14/net-make-socket-read-write_iter-honor-iocb_nowait.patch b/queue-4.14/net-make-socket-read-write_iter-honor-iocb_nowait.patch new file mode 100644 index 00000000000..6b65ed1d630 --- /dev/null +++ b/queue-4.14/net-make-socket-read-write_iter-honor-iocb_nowait.patch @@ -0,0 +1,47 @@ +From a90188b5dc5b5ccd625e5377721fa0a5729757ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 20:58:56 -0700 +Subject: net: make socket read/write_iter() honor IOCB_NOWAIT + +From: Jens Axboe + +[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ] + +The socket read/write helpers only look at the file O_NONBLOCK. not +the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2 +and io_uring that rely on not having the file itself marked nonblocking, +but rather the iocb itself. + +Cc: netdev@vger.kernel.org +Acked-by: David Miller +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + net/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index aab65277314d..5b134a6b6216 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -891,7 +891,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to) + .msg_iocb = iocb}; + ssize_t res; + +- if (file->f_flags & O_NONBLOCK) ++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) + msg.msg_flags = MSG_DONTWAIT; + + if (iocb->ki_pos != 0) +@@ -916,7 +916,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) + if (iocb->ki_pos != 0) + return -ESPIPE; + +- if (file->f_flags & O_NONBLOCK) ++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) + msg.msg_flags = MSG_DONTWAIT; + + if (sock->type == SOCK_SEQPACKET) +-- +2.20.1 + diff --git a/queue-4.14/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch b/queue-4.14/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch new file mode 100644 index 00000000000..4e6258b5b6f --- /dev/null +++ b/queue-4.14/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch @@ -0,0 +1,154 @@ +From 69df41625cd9eaffc4d75058cdd387752e493dcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 15:15:26 -0800 +Subject: nvme_fc: add module to ops template to allow module references + +From: James Smart + +[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ] + +In nvme-fc: it's possible to have connected active controllers +and as no references are taken on the LLDD, the LLDD can be +unloaded. The controller would enter a reconnect state and as +long as the LLDD resumed within the reconnect timeout, the +controller would resume. But if a namespace on the controller +is the root device, allowing the driver to unload can be problematic. +To reload the driver, it may require new io to the boot device, +and as it's no longer connected we get into a catch-22 that +eventually fails, and the system locks up. + +Fix this issue by taking a module reference for every connected +controller (which is what the core layer did to the transport +module). Reference is cleared when the controller is removed. + +Acked-by: Himanshu Madhani +Reviewed-by: Christoph Hellwig +Signed-off-by: James Smart +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 14 ++++++++++++-- + drivers/nvme/target/fcloop.c | 1 + + drivers/scsi/lpfc/lpfc_nvme.c | 2 ++ + drivers/scsi/qla2xxx/qla_nvme.c | 1 + + include/linux/nvme-fc-driver.h | 4 ++++ + 5 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 058d542647dd..9e4d2ecf736d 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -337,7 +337,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo, + !template->ls_req || !template->fcp_io || + !template->ls_abort || !template->fcp_abort || + !template->max_hw_queues || !template->max_sgl_segments || +- !template->max_dif_sgl_segments || !template->dma_boundary) { ++ !template->max_dif_sgl_segments || !template->dma_boundary || ++ !template->module) { + ret = -EINVAL; + goto out_reghost_failed; + } +@@ -1762,6 +1763,7 @@ nvme_fc_ctrl_free(struct kref *ref) + { + struct nvme_fc_ctrl *ctrl = + container_of(ref, struct nvme_fc_ctrl, ref); ++ struct nvme_fc_lport *lport = ctrl->lport; + unsigned long flags; + + if (ctrl->ctrl.tagset) { +@@ -1787,6 +1789,7 @@ nvme_fc_ctrl_free(struct kref *ref) + if (ctrl->ctrl.opts) + nvmf_free_options(ctrl->ctrl.opts); + kfree(ctrl); ++ module_put(lport->ops->module); + } + + static void +@@ -2765,10 +2768,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + goto out_fail; + } + ++ if (!try_module_get(lport->ops->module)) { ++ ret = -EUNATCH; ++ goto out_free_ctrl; ++ } ++ + idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL); + if (idx < 0) { + ret = -ENOSPC; +- goto out_free_ctrl; ++ goto out_mod_put; + } + + ctrl->ctrl.opts = opts; +@@ -2915,6 +2923,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + out_free_ida: + put_device(ctrl->dev); + ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum); ++out_mod_put: ++ module_put(lport->ops->module); + out_free_ctrl: + kfree(ctrl); + out_fail: +diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c +index 096523d8dd42..b8fe8702065b 100644 +--- a/drivers/nvme/target/fcloop.c ++++ b/drivers/nvme/target/fcloop.c +@@ -693,6 +693,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport) + #define FCLOOP_DMABOUND_4G 0xFFFFFFFF + + static struct nvme_fc_port_template fctemplate = { ++ .module = THIS_MODULE, + .localport_delete = fcloop_localport_delete, + .remoteport_delete = fcloop_remoteport_delete, + .create_queue = fcloop_create_queue, +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index fcf4b4175d77..af937b91765e 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -1591,6 +1591,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport, + + /* Declare and initialization an instance of the FC NVME template. */ + static struct nvme_fc_port_template lpfc_nvme_template = { ++ .module = THIS_MODULE, ++ + /* initiator-based functions */ + .localport_delete = lpfc_nvme_localport_delete, + .remoteport_delete = lpfc_nvme_remoteport_delete, +diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c +index 6b33a1f24f56..7dceed021236 100644 +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -578,6 +578,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport) + } + + static struct nvme_fc_port_template qla_nvme_fc_transport = { ++ .module = THIS_MODULE, + .localport_delete = qla_nvme_localport_delete, + .remoteport_delete = qla_nvme_remoteport_delete, + .create_queue = qla_nvme_alloc_queue, +diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h +index a726f96010d5..e9c3b98df3e2 100644 +--- a/include/linux/nvme-fc-driver.h ++++ b/include/linux/nvme-fc-driver.h +@@ -279,6 +279,8 @@ struct nvme_fc_remote_port { + * + * Host/Initiator Transport Entrypoints/Parameters: + * ++ * @module: The LLDD module using the interface ++ * + * @localport_delete: The LLDD initiates deletion of a localport via + * nvme_fc_deregister_localport(). However, the teardown is + * asynchronous. This routine is called upon the completion of the +@@ -392,6 +394,8 @@ struct nvme_fc_remote_port { + * Value is Mandatory. Allowed to be zero. + */ + struct nvme_fc_port_template { ++ struct module *module; ++ + /* initiator-based functions */ + void (*localport_delete)(struct nvme_fc_local_port *); + void (*remoteport_delete)(struct nvme_fc_remote_port *); +-- +2.20.1 + diff --git a/queue-4.14/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch b/queue-4.14/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch new file mode 100644 index 00000000000..32ba99e12c3 --- /dev/null +++ b/queue-4.14/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch @@ -0,0 +1,55 @@ +From fbe3ea017e744cafc916389045066c98fee3d23d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 01:21:31 +0200 +Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list + +From: Leonard Crestez + +[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ] + +Right now devfreq_dev_release will print a warning and abort the rest of +the cleanup if the devfreq instance is not part of the global +devfreq_list. But this is a valid scenario, for example it can happen if +the governor can't be found or on any other init error that happens +after device_register. + +Initialize devfreq->node to an empty list head in devfreq_add_device so +that list_del becomes a safe noop inside devfreq_dev_release and we can +continue the rest of the cleanup. + +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index dc9c0032c97b..7b510ef1d0dd 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -484,11 +484,6 @@ static void devfreq_dev_release(struct device *dev) + struct devfreq *devfreq = to_devfreq(dev); + + mutex_lock(&devfreq_list_lock); +- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) { +- mutex_unlock(&devfreq_list_lock); +- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n"); +- return; +- } + list_del(&devfreq->node); + mutex_unlock(&devfreq_list_lock); + +@@ -547,6 +542,7 @@ struct devfreq *devfreq_add_device(struct device *dev, + devfreq->dev.parent = dev; + devfreq->dev.class = devfreq_class; + devfreq->dev.release = devfreq_dev_release; ++ INIT_LIST_HEAD(&devfreq->node); + devfreq->profile = profile; + strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN); + devfreq->previous_freq = profile->initial_freq; +-- +2.20.1 + diff --git a/queue-4.14/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch b/queue-4.14/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch new file mode 100644 index 00000000000..f7e4369b0ef --- /dev/null +++ b/queue-4.14/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch @@ -0,0 +1,58 @@ +From 78cc38697c1aae9181f6afb6e615254a5f8f77f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 15:39:12 +0100 +Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation + +From: Andy Whitcroft + +[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ] + +When looking for a bit by number we make use of the cached result from the +preceding lookup to speed up operation. Firstly we check if the requested +pfn is within the cached zone and if not lookup the new zone. We then +check if the offset for that pfn falls within the existing cached node. +This happens regardless of whether the node is within the zone we are +now scanning. With certain memory layouts it is possible for this to +false trigger creating a temporary alias for the pfn to a different bit. +This leads the hibernation code to free memory which it was never allocated +with the expected fallout. + +Ensure the zone we are scanning matches the cached zone before considering +the cached node. + +Deep thanks go to Andrea for many, many, many hours of hacking and testing +that went into cornering this bug. + +Reported-by: Andrea Righi +Tested-by: Andrea Righi +Signed-off-by: Andy Whitcroft +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/snapshot.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index 0972a8e09d08..ff2aabb70de9 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -734,8 +734,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn, + * We have found the zone. Now walk the radix tree to find the leaf node + * for our PFN. + */ ++ ++ /* ++ * If the zone we wish to scan is the the current zone and the ++ * pfn falls into the current node then we do not need to walk ++ * the tree. ++ */ + node = bm->cur.node; +- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) ++ if (zone == bm->cur.zone && ++ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn) + goto node_found; + + node = zone->rtree; +-- +2.20.1 + diff --git a/queue-4.14/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch b/queue-4.14/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch new file mode 100644 index 00000000000..f43fc7b7d5d --- /dev/null +++ b/queue-4.14/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch @@ -0,0 +1,38 @@ +From 0e7c6236880b835e5a2ab6825bf68f63e07ef8fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 09:24:26 +0800 +Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure + +From: Chuhong Yuan + +[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ] + +The driver forgets to call unregister_pernet_subsys() in the error path +of cma_init(). +Add the missed call to fix it. + +Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces") +Signed-off-by: Chuhong Yuan +Reviewed-by: Parav Pandit +Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index f698c6a28c14..fc4630e4acdd 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4568,6 +4568,7 @@ static int __init cma_init(void) + unregister_netdevice_notifier(&cma_nb); + rdma_addr_unregister_client(&addr_client); + ib_sa_unregister_client(&sa_client); ++ unregister_pernet_subsys(&cma_pernet_operations); + err_wq: + destroy_workqueue(cma_wq); + return ret; +-- +2.20.1 + diff --git a/queue-4.14/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch b/queue-4.14/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch new file mode 100644 index 00000000000..cfb6458572e --- /dev/null +++ b/queue-4.14/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch @@ -0,0 +1,83 @@ +From fcd13ed27a0b8c96a0b0e59ddb8c4fe4fdd06a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 20:03:20 -0600 +Subject: rxe: correctly calculate iCRC for unaligned payloads + +From: Steve Wise + +[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ] + +If RoCE PDUs being sent or received contain pad bytes, then the iCRC +is miscalculated, resulting in PDUs being emitted by RXE with an incorrect +iCRC, as well as ingress PDUs being dropped due to erroneously detecting +a bad iCRC in the PDU. The fix is to include the pad bytes, if any, +in iCRC computations. + +Note: This bug has caused broken on-the-wire compatibility with actual +hardware RoCE devices since the soft-RoCE driver was first put into the +mainstream kernel. Fixing it will create an incompatibility with the +original soft-RoCE devices, but is necessary to be compatible with real +hardware devices. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Signed-off-by: Steve Wise +Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 2 +- + drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++ + drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 83412df726a5..b7098f7bb30e 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -393,7 +393,7 @@ int rxe_rcv(struct sk_buff *skb) + + calc_icrc = rxe_icrc_hdr(pkt, skb); + calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt), +- payload_size(pkt)); ++ payload_size(pkt) + bth_pad(pkt)); + calc_icrc = (__force u32)cpu_to_be32(~calc_icrc); + if (unlikely(calc_icrc != pack_icrc)) { + if (skb->protocol == htons(ETH_P_IPV6)) +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index 9fd4f04df3b3..e6785b1ea85f 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe, + if (err) + return err; + } ++ if (bth_pad(pkt)) { ++ u8 *pad = payload_addr(pkt) + paylen; ++ ++ memset(pad, 0, bth_pad(pkt)); ++ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt)); ++ } + } + p = payload_addr(pkt) + paylen + bth_pad(pkt); + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 9207682b7a2e..a07a29b48863 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -738,6 +738,13 @@ static enum resp_states read_reply(struct rxe_qp *qp, + if (err) + pr_err("Failed copying memory\n"); + ++ if (bth_pad(&ack_pkt)) { ++ struct rxe_dev *rxe = to_rdev(qp->ibqp.device); ++ u8 *pad = payload_addr(&ack_pkt) + payload; ++ ++ memset(pad, 0, bth_pad(&ack_pkt)); ++ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt)); ++ } + p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt); + *p = ~icrc; + +-- +2.20.1 + diff --git a/queue-4.14/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch b/queue-4.14/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch new file mode 100644 index 00000000000..89c52e6c8ab --- /dev/null +++ b/queue-4.14/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch @@ -0,0 +1,75 @@ +From 09efba5c9c53440a33d2ff7bd56b67eeee97f93b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 10:26:41 +0100 +Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits + +From: Thomas Richter + +[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ] + +Function perf_event_ever_overflow() and perf_event_account_interrupt() +are called every time samples are processed by the interrupt handler. +However function perf_event_account_interrupt() has checks to avoid being +flooded with interrupts (more then 1000 samples are received per +task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is +added to the perf data. The perf subsystem limit calculation is: + + maximum sample frequency := 100000 --> 1 samples per 10 us + task_tick = 10ms = 10000us --> 1000 samples per task_tick + +The work flow is + +measurement_alert() uses SDBT head and each SBDT points to 511 + SDB pages, each with 126 sample entries. After processing 8 SBDs + and for each valid sample calling: + + perf_event_overflow() + perf_event_account_interrupts() + +there is a considerable amount of samples being dropped, especially when +the sample frequency is very high and near the 100000 limit. + +To avoid the high amount of samples being dropped near the end of a +task_tick time frame, increment the sampling interval in case of +dropped events. The CPU Measurement sampling facility on the s390 +supports only intervals, specifiing how many CPU cycles have to be +executed before a sample is generated. Increase the interval when the +samples being generated hit the task_tick limit. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 45304085b6ee..95c047bf4a12 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1306,6 +1306,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) + if (sampl_overflow) + OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) + + sampl_overflow, 1 + num_sdb); ++ ++ /* Perf_event_overflow() and perf_event_account_interrupt() limit ++ * the interrupt rate to an upper limit. Roughly 1000 samples per ++ * task tick. ++ * Hitting this limit results in a large number ++ * of throttled REF_REPORT_THROTTLE entries and the samples ++ * are dropped. ++ * Slightly increase the interval to avoid hitting this limit. ++ */ ++ if (event_overflow) { ++ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10); ++ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n", ++ __func__, ++ DIV_ROUND_UP(SAMPL_RATE(hwc), 10)); ++ } ++ + if (sampl_overflow || event_overflow) + debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: " + "overflow stats: sample=%llu event=%llu\n", +-- +2.20.1 + diff --git a/queue-4.14/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch b/queue-4.14/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch new file mode 100644 index 00000000000..27269ae8068 --- /dev/null +++ b/queue-4.14/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch @@ -0,0 +1,77 @@ +From 4f9e2408246103467b58266776ddfa5285b0e51a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2019 15:24:25 +0100 +Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler + +From: Thomas Richter + +[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ] + +The s390 CPU Measurement sampling facility has an overflow condition +which fires when all entries in a SBD are used. +The measurement alert interrupt is triggered and reads out all samples +in this SDB. It then tests the successor SDB, if this SBD is not full, +the interrupt handler does not read any samples at all from this SDB +The design waits for the hardware to fill this SBD and then trigger +another meassurement alert interrupt. + +This scheme works nicely until +an perf_event_overflow() function call discards the sample due to +a too high sampling rate. +The interrupt handler has logic to read out a partially filled SDB +when the perf event overflow condition in linux common code is met. +This causes the CPUM sampling measurement hardware and the PMU +device driver to operate on the same SBD's trailer entry. +This should not happen. + +This can be seen here using this trace: + cpumsf_pmu_add: tear:0xb5286000 + hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0 + hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 + above shows 1. interrupt + hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0 + hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0 + above shows 2. interrupt + ... this goes on fine until... + hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0 + perf_push_sample1: overflow + one or more samples read from the IRQ handler are rejected by + perf_event_overflow() and the IRQ handler advances to the next SDB + and modifies the trailer entry of a partially filled SDB. + hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1 + timestamp: 14:32:52.519953 + +Next time the IRQ handler is called for this SDB the trailer entry shows +an overflow count of 19 missed entries. + hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1 + timestamp: 14:32:52.970058 + +Remove access to a follow on SDB when event overflow happened. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 95c047bf4a12..b652593d7de6 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1294,12 +1294,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all) + */ + if (flush_all && done) + break; +- +- /* If an event overflow happened, discard samples by +- * processing any remaining sample-data-blocks. +- */ +- if (event_overflow) +- flush_all = 1; + } + + /* Account sample overflows in the event hardware structure */ +-- +2.20.1 + diff --git a/queue-4.14/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-4.14/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch new file mode 100644 index 00000000000..de7fd8d6f7f --- /dev/null +++ b/queue-4.14/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch @@ -0,0 +1,40 @@ +From 3b2b39f7da31939caad9d33fe448d852fe018d0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 12:45:09 +0300 +Subject: scsi: iscsi: qla4xxx: fix double free in probe + +From: Dan Carpenter + +[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ] + +On this error path we call qla4xxx_mem_free() and then the caller also +calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a +couple double frees: + +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed + +Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx") +Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 4421f9bdfcf7..b0ad60565fe9 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -4285,7 +4285,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha) + return QLA_SUCCESS; + + mem_alloc_error_exit: +- qla4xxx_mem_free(ha); + return QLA_ERROR; + } + +-- +2.20.1 + diff --git a/queue-4.14/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch b/queue-4.14/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch new file mode 100644 index 00000000000..5dd90389717 --- /dev/null +++ b/queue-4.14/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch @@ -0,0 +1,147 @@ +From 783ba3a800ea73851f553fe2b1255c87b7671743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 09:11:18 +0800 +Subject: scsi: libsas: stop discovering if oob mode is disconnected + +From: Jason Yan + +[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ] + +The discovering of sas port is driven by workqueue in libsas. When libsas +is processing port events or phy events in workqueue, new events may rise +up and change the state of some structures such as asd_sas_phy. This may +cause some problems such as follows: + +==>thread 1 ==>thread 2 + + ==>phy up + ==>phy_up_v3_hw() + ==>oob_mode = SATA_OOB_MODE; + ==>phy down quickly + ==>hisi_sas_phy_down() + ==>sas_ha->notify_phy_event() + ==>sas_phy_disconnected() + ==>oob_mode = OOB_NOT_CONNECTED +==>workqueue wakeup +==>sas_form_port() + ==>sas_discover_domain() + ==>sas_get_port_device() + ==>oob_mode is OOB_NOT_CONNECTED and device + is wrongly taken as expander + +This at last lead to the panic when libsas trying to issue a command to +discover the device. + +[183047.614035] Unable to handle kernel NULL pointer dereference at +virtual address 0000000000000058 +[183047.622896] Mem abort info: +[183047.625762] ESR = 0x96000004 +[183047.628893] Exception class = DABT (current EL), IL = 32 bits +[183047.634888] SET = 0, FnV = 0 +[183047.638015] EA = 0, S1PTW = 0 +[183047.641232] Data abort info: +[183047.644189] ISV = 0, ISS = 0x00000004 +[183047.648100] CM = 0, WnR = 0 +[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp = +00000000b7df67be +[183047.657834] [0000000000000058] pgd=0000000000000000 +[183047.662789] Internal error: Oops: 96000004 [#1] SMP +[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit = +0x00000000417c4974) +[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G +W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1 +[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10, +BIOS 0.15 10/22/2019 +[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain +[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO) +[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] +[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw] +[183047.717153] sp : ffff00000f28ba60 +[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228 +[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200 +[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0 +[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228 +[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200 +[183047.747464] x19: 0000000000f80800 x18: 0000000000000010 +[183047.752848] x17: 0000000000000000 x16: 0000000000000000 +[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005 +[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20 +[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870 +[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0 +[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f +[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0 +[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007 +[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000 +[183047.801307] Call trace: +[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] +[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main] +[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main] +[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main] +[183047.826757] smp_execute_task_sg+0xec/0x218 +[183047.831013] smp_execute_task+0x74/0xa0 +[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8 +[183047.839959] sas_discover_root_expander+0x90/0x160 +[183047.844822] sas_discover_domain+0x1b8/0x1e8 +[183047.849164] process_one_work+0x1b4/0x3f8 +[183047.853246] worker_thread+0x54/0x470 +[183047.856981] kthread+0x134/0x138 +[183047.860283] ret_from_fork+0x10/0x18 +[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800) +[183047.870097] kernel fault(0x1) notification starting on CPU 0 +[183047.875828] kernel fault(0x1) notification finished on CPU 0 +[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE) +hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE) +[183047.892418] ---[ end trace 4cc26083fc11b783 ]--- +[183047.897107] Kernel panic - not syncing: Fatal exception +[183047.902403] kernel fault(0x5) notification starting on CPU 0 +[183047.908134] kernel fault(0x5) notification finished on CPU 0 +[183047.913865] SMP: stopping secondary CPUs +[183047.917861] Kernel Offset: disabled +[183047.921422] CPU features: 0x2,a2a00a38 +[183047.925243] Memory Limit: none +[183047.928372] kernel reboot(0x2) notification starting on CPU 0 +[183047.934190] kernel reboot(0x2) notification finished on CPU 0 +[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception +]--- + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com +Reported-by: Gao Chuan +Reviewed-by: John Garry +Signed-off-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_discover.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index 60de66252fa2..b200edc665a5 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -97,12 +97,21 @@ static int sas_get_port_device(struct asd_sas_port *port) + else + dev->dev_type = SAS_SATA_DEV; + dev->tproto = SAS_PROTOCOL_SATA; +- } else { ++ } else if (port->oob_mode == SAS_OOB_MODE) { + struct sas_identify_frame *id = + (struct sas_identify_frame *) dev->frame_rcvd; + dev->dev_type = id->dev_type; + dev->iproto = id->initiator_bits; + dev->tproto = id->target_bits; ++ } else { ++ /* If the oob mode is OOB_NOT_CONNECTED, the port is ++ * disconnected due to race with PHY down. We cannot ++ * continue to discover this port ++ */ ++ sas_put_device(dev); ++ pr_warn("Port %016llx is disconnected when discovering\n", ++ SAS_ADDR(port->attached_sas_addr)); ++ return -ENODEV; + } + + sas_init_dev(dev); +-- +2.20.1 + diff --git a/queue-4.14/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch b/queue-4.14/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch new file mode 100644 index 00000000000..5b3499a4ed5 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch @@ -0,0 +1,68 @@ +From 0728be1910195a2f4abaebc43ef783f2ffba5e09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2019 03:22:46 +0000 +Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func + +From: Bo Wu + +[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ] + +When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf, +dd_data should be freed before return SLI_CONFIG_HANDLED. + +When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in +job_error tag. + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c +index 6dde21dc82a3..08ed27b0d4c6 100644 +--- a/drivers/scsi/lpfc/lpfc_bsg.c ++++ b/drivers/scsi/lpfc/lpfc_bsg.c +@@ -4419,12 +4419,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + phba->mbox_ext_buf_ctx.seqNum++; + nemb_tp = phba->mbox_ext_buf_ctx.nembType; + +- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); +- if (!dd_data) { +- rc = -ENOMEM; +- goto job_error; +- } +- + pbuf = (uint8_t *)dmabuf->virt; + size = job->request_payload.payload_len; + sg_copy_to_buffer(job->request_payload.sg_list, +@@ -4461,6 +4455,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + "2968 SLI_CONFIG ext-buffer wr all %d " + "ebuffers received\n", + phba->mbox_ext_buf_ctx.numBuf); ++ ++ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL); ++ if (!dd_data) { ++ rc = -ENOMEM; ++ goto job_error; ++ } ++ + /* mailbox command structure for base driver */ + pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!pmboxq) { +@@ -4509,6 +4510,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job, + return SLI_CONFIG_HANDLED; + + job_error: ++ if (pmboxq) ++ mempool_free(pmboxq, phba->mbox_mem_pool); + lpfc_bsg_dma_page_free(phba, dmabuf); + kfree(dd_data); + +-- +2.20.1 + diff --git a/queue-4.14/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch b/queue-4.14/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch new file mode 100644 index 00000000000..b544acc3dfe --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch @@ -0,0 +1,51 @@ +From 3697149a72bee14bb2a12654709abc01de327b75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 19:56:56 +0300 +Subject: scsi: qla2xxx: Don't call qlt_async_event twice + +From: Roman Bolshakov + +[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ] + +MBA_PORT_UPDATE generates duplicate log lines in target mode because +qlt_async_event is called twice. Drop the calls within the case as the +function will be called right after the switch statement. + +Cc: Quinn Tran +Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com +Acked-by: Himanshu Madhani +Reviewed-by: Hannes Reinecke +Tested-by: Hannes Reinecke +Acked-by: Himanshu Madhani +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index ebca1a470e9b..7f2da56274bd 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1046,8 +1046,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) + ql_dbg(ql_dbg_async, vha, 0x5011, + "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n", + mb[1], mb[2], mb[3]); +- +- qlt_async_event(mb[0], vha, mb); + break; + } + +@@ -1065,8 +1063,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) + set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags); + set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags); + set_bit(VP_CONFIG_OK, &vha->vp_flags); +- +- qlt_async_event(mb[0], vha, mb); + break; + + case MBA_RSCN_UPDATE: /* State Change Registration */ +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..b7d430753e8 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,22 @@ +nvme_fc-add-module-to-ops-template-to-allow-module-r.patch +iio-adc-max9611-fix-too-short-conversion-time-delay.patch +pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch +rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch +rxe-correctly-calculate-icrc-for-unaligned-payloads.patch +scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch +scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch +scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch +scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch +drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch +usb-gadget-fix-wrong-endpoint-desc.patch +net-make-socket-read-write_iter-honor-iocb_nowait.patch +md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch +s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch +s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch +ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch +xen-blkback-prevent-premature-module-unload.patch +xen-balloon-fix-ballooned-page-accounting-without-ho.patch +pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch +xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch +taskstats-fix-data-race.patch +drm-limit-to-int_max-in-create_blob-ioctl.patch diff --git a/queue-4.14/taskstats-fix-data-race.patch b/queue-4.14/taskstats-fix-data-race.patch new file mode 100644 index 00000000000..ce7ce49aa3a --- /dev/null +++ b/queue-4.14/taskstats-fix-data-race.patch @@ -0,0 +1,105 @@ +From bacf5435a2b1423405902c00da516bea9436bf67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 13:48:09 +0200 +Subject: taskstats: fix data-race + +From: Christian Brauner + +[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ] + +When assiging and testing taskstats in taskstats_exit() there's a race +when setting up and reading sig->stats when a thread-group with more +than one thread exits: + +write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0: + taskstats_tgid_alloc kernel/taskstats.c:567 [inline] + taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + get_signal+0x2a2/0x1320 kernel/signal.c:2734 + do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815 + exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159 + prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] + syscall_return_slowpath arch/x86/entry/common.c:274 [inline] + do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1: + taskstats_tgid_alloc kernel/taskstats.c:559 [inline] + taskstats_exit+0xb2/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + __do_sys_exit_group kernel/exit.c:994 [inline] + __se_sys_exit_group kernel/exit.c:992 [inline] + __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992 + do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fix this by using smp_load_acquire() and smp_store_release(). + +Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com +Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Acked-by: Marco Elver +Reviewed-by: Will Deacon +Reviewed-by: Andrea Parri +Reviewed-by: Dmitry Vyukov +Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com +Signed-off-by: Sasha Levin +--- + kernel/taskstats.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/kernel/taskstats.c b/kernel/taskstats.c +index 4559e914452b..390c76d4503c 100644 +--- a/kernel/taskstats.c ++++ b/kernel/taskstats.c +@@ -568,25 +568,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) + static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) + { + struct signal_struct *sig = tsk->signal; +- struct taskstats *stats; ++ struct taskstats *stats_new, *stats; + +- if (sig->stats || thread_group_empty(tsk)) +- goto ret; ++ /* Pairs with smp_store_release() below. */ ++ stats = smp_load_acquire(&sig->stats); ++ if (stats || thread_group_empty(tsk)) ++ return stats; + + /* No problem if kmem_cache_zalloc() fails */ +- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); ++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); + + spin_lock_irq(&tsk->sighand->siglock); +- if (!sig->stats) { +- sig->stats = stats; +- stats = NULL; ++ stats = sig->stats; ++ if (!stats) { ++ /* ++ * Pairs with smp_store_release() above and order the ++ * kmem_cache_zalloc(). ++ */ ++ smp_store_release(&sig->stats, stats_new); ++ stats = stats_new; ++ stats_new = NULL; + } + spin_unlock_irq(&tsk->sighand->siglock); + +- if (stats) +- kmem_cache_free(taskstats_cache, stats); +-ret: +- return sig->stats; ++ if (stats_new) ++ kmem_cache_free(taskstats_cache, stats_new); ++ ++ return stats; + } + + /* Send pid data out on exit */ +-- +2.20.1 + diff --git a/queue-4.14/usb-gadget-fix-wrong-endpoint-desc.patch b/queue-4.14/usb-gadget-fix-wrong-endpoint-desc.patch new file mode 100644 index 00000000000..07cab6dcd1a --- /dev/null +++ b/queue-4.14/usb-gadget-fix-wrong-endpoint-desc.patch @@ -0,0 +1,61 @@ +From dab76427ac2cf1a7528fe926a7b13f59b900610a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 23:34:56 -0800 +Subject: usb: gadget: fix wrong endpoint desc + +From: EJ Hsu + +[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ] + +Gadget driver should always use config_ep_by_speed() to initialize +usb_ep struct according to usb device's operating speed. Otherwise, +usb_ep struct may be wrong if usb devcie's operating speed is changed. + +The key point in this patch is that we want to make sure the desc pointer +in usb_ep struct will be set to NULL when gadget is disconnected. +This will force it to call config_ep_by_speed() to correctly initialize +usb_ep struct based on the new operating speed when gadget is +re-connected later. + +Reviewed-by: Peter Chen +Signed-off-by: EJ Hsu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ecm.c | 6 +++++- + drivers/usb/gadget/function/f_rndis.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c +index 4c488d15b6f6..dc99ed94f03d 100644 +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -625,8 +625,12 @@ static void ecm_disable(struct usb_function *f) + + DBG(cdev, "ecm deactivated\n"); + +- if (ecm->port.in_ep->enabled) ++ if (ecm->port.in_ep->enabled) { + gether_disconnect(&ecm->port); ++ } else { ++ ecm->port.in_ep->desc = NULL; ++ ecm->port.out_ep->desc = NULL; ++ } + + usb_ep_disable(ecm->notify); + ecm->notify->desc = NULL; +diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c +index c7c5b3ce1d98..2bde68f5d246 100644 +--- a/drivers/usb/gadget/function/f_rndis.c ++++ b/drivers/usb/gadget/function/f_rndis.c +@@ -622,6 +622,7 @@ static void rndis_disable(struct usb_function *f) + gether_disconnect(&rndis->port); + + usb_ep_disable(rndis->notify); ++ rndis->notify->desc = NULL; + } + + /*-------------------------------------------------------------------------*/ +-- +2.20.1 + diff --git a/queue-4.14/xen-balloon-fix-ballooned-page-accounting-without-ho.patch b/queue-4.14/xen-balloon-fix-ballooned-page-accounting-without-ho.patch new file mode 100644 index 00000000000..0b7d65c09be --- /dev/null +++ b/queue-4.14/xen-balloon-fix-ballooned-page-accounting-without-ho.patch @@ -0,0 +1,43 @@ +From 1208620481a18b7f28a3d0d8b617abc060dc7ba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 15:17:50 +0100 +Subject: xen/balloon: fix ballooned page accounting without hotplug enabled + +From: Juergen Gross + +[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ] + +When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined +reserve_additional_memory() will set balloon_stats.target_pages to a +wrong value in case there are still some ballooned pages allocated via +alloc_xenballooned_pages(). + +This will result in balloon_process() no longer be triggered when +ballooned pages are freed in batches. + +Reported-by: Nicholas Tsirakis +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 71a6deeb4e71..3f9260af701f 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -401,7 +401,8 @@ static struct notifier_block xen_memory_nb = { + #else + static enum bp_state reserve_additional_memory(void) + { +- balloon_stats.target_pages = balloon_stats.current_pages; ++ balloon_stats.target_pages = balloon_stats.current_pages + ++ balloon_stats.target_unpopulated; + return BP_ECANCELED; + } + #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */ +-- +2.20.1 + diff --git a/queue-4.14/xen-blkback-prevent-premature-module-unload.patch b/queue-4.14/xen-blkback-prevent-premature-module-unload.patch new file mode 100644 index 00000000000..97a99987385 --- /dev/null +++ b/queue-4.14/xen-blkback-prevent-premature-module-unload.patch @@ -0,0 +1,59 @@ +From d6cc178ef07fbe7b748240bf31b0de7cd35c0e24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 14:53:05 +0000 +Subject: xen-blkback: prevent premature module unload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Durrant + +[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ] + +Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem +cache. This cache is destoyed when xen-blkif is unloaded so it is +necessary to wait for the deferred free routine used for such objects to +complete. This necessity was missed in commit 14855954f636 "xen-blkback: +allow module to be cleanly unloaded". This patch fixes the problem by +taking/releasing extra module references in xen_blkif_alloc/free() +respectively. + +Signed-off-by: Paul Durrant +Reviewed-by: Roger Pau Monné +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/block/xen-blkback/xenbus.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c +index ed4e80779124..e9fa4a1fc791 100644 +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -178,6 +178,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid) + blkif->domid = domid; + atomic_set(&blkif->refcnt, 1); + init_completion(&blkif->drain_complete); ++ ++ /* ++ * Because freeing back to the cache may be deferred, it is not ++ * safe to unload the module (and hence destroy the cache) until ++ * this has completed. To prevent premature unloading, take an ++ * extra module reference here and release only when the object ++ * has been freed back to the cache. ++ */ ++ __module_get(THIS_MODULE); + INIT_WORK(&blkif->free_work, xen_blkif_deferred_free); + + return blkif; +@@ -327,6 +336,7 @@ static void xen_blkif_free(struct xen_blkif *blkif) + + /* Make sure everything is drained before shutting down */ + kmem_cache_free(xen_blkif_cachep, blkif); ++ module_put(THIS_MODULE); + } + + int __init xen_blkif_interface_init(void) +-- +2.20.1 + diff --git a/queue-4.14/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch b/queue-4.14/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch new file mode 100644 index 00000000000..036281664bf --- /dev/null +++ b/queue-4.14/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch @@ -0,0 +1,47 @@ +From 1b48cb08761721f9f0dd662351c14d6d19e55746 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 07:53:15 -0800 +Subject: xfs: fix mount failure crash on invalid iclog memory access + +From: Brian Foster + +[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ] + +syzbot (via KASAN) reports a use-after-free in the error path of +xlog_alloc_log(). Specifically, the iclog freeing loop doesn't +handle the case of a fully initialized ->l_iclog linked list. +Instead, it assumes that the list is partially constructed and NULL +terminated. + +This bug manifested because there was no possible error scenario +after iclog list setup when the original code was added. Subsequent +code and associated error conditions were added some time later, +while the original error handling code was never updated. Fix up the +error loop to terminate either on a NULL iclog or reaching the end +of the list. + +Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_log.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c +index dc95a49d62e7..4e768e606998 100644 +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -1539,6 +1539,8 @@ xlog_alloc_log( + if (iclog->ic_bp) + xfs_buf_free(iclog->ic_bp); + kmem_free(iclog); ++ if (prev_iclog == log->l_iclog) ++ break; + } + spinlock_destroy(&log->l_icloglock); + xfs_buf_free(log->l_xbuf); +-- +2.20.1 + -- 2.47.3