From 6fee27c6c7bbad42b9fa1d468cd2a563eb30bced Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 16 Jan 2020 11:20:50 +0100 Subject: [PATCH] 5.4-stable patches added patches: afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch afs-fix-use-after-loss-of-ref.patch asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch dm-add-dm-clone-to-the-documentation-index.patch documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch keys-fix-request_key-cache.patch platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch rxrpc-fix-missing-security-check-on-incoming-calls.patch scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch xprtrdma-fix-completion-wait-during-device-removal.patch xprtrdma-fix-create_qp-crash-on-device-unload.patch xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch --- ...-clobber-the-version-on-a-new-dentry.patch | 39 +++ queue-5.4/afs-fix-use-after-loss-of-ref.patch | 88 ++++++ ...don-t-redefine-cacheflush-primitives.patch | 187 ++++++++++++ ...-dm-clone-to-the-documentation-index.patch | 29 ++ ...ibute-for-mlxreg-io-sysfs-interfaces.patch | 38 +++ ...tency-for-mlxreg-io-sysfs-interfaces.patch | 40 +++ queue-5.4/keys-fix-request_key-cache.patch | 41 +++ ...ential-deadlock-in-the-tmfifo-driver.patch | 124 ++++++++ ...yboard-brightness-cannot-be-set-to-0.patch | 40 +++ ...alues-when-wrong-modparams-are-given.patch | 89 ++++++ ...ing-security-check-on-incoming-calls.patch | 279 ++++++++++++++++++ ...ix-stale-device-oops-with-hot-replug.patch | 45 +++ ...pe-if-disk-is-reformatted-without-pi.patch | 42 +++ ...fs-give-an-unique-id-to-each-ufs-bsg.patch | 35 +++ queue-5.4/series | 17 ++ ...ompletion-wait-during-device-removal.patch | 44 +++ ...fix-create_qp-crash-on-device-unload.patch | 69 +++++ ...receive-handler-after-device-removal.patch | 166 +++++++++++ 18 files changed, 1412 insertions(+) create mode 100644 queue-5.4/afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch create mode 100644 queue-5.4/afs-fix-use-after-loss-of-ref.patch create mode 100644 queue-5.4/asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch create mode 100644 queue-5.4/dm-add-dm-clone-to-the-documentation-index.patch create mode 100644 queue-5.4/documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch create mode 100644 queue-5.4/documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch create mode 100644 queue-5.4/keys-fix-request_key-cache.patch create mode 100644 queue-5.4/platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch create mode 100644 queue-5.4/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch create mode 100644 queue-5.4/platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch create mode 100644 queue-5.4/rxrpc-fix-missing-security-check-on-incoming-calls.patch create mode 100644 queue-5.4/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch create mode 100644 queue-5.4/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch create mode 100644 queue-5.4/scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch create mode 100644 queue-5.4/xprtrdma-fix-completion-wait-during-device-removal.patch create mode 100644 queue-5.4/xprtrdma-fix-create_qp-crash-on-device-unload.patch create mode 100644 queue-5.4/xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch diff --git a/queue-5.4/afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch b/queue-5.4/afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch new file mode 100644 index 00000000000..450fe1bc76f --- /dev/null +++ b/queue-5.4/afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch @@ -0,0 +1,39 @@ +From f52b83b0b1c40ada38df917973ab719a4a753951 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 14 Jan 2020 16:16:54 +0000 +Subject: afs: Fix afs_lookup() to not clobber the version on a new dentry + +From: David Howells + +commit f52b83b0b1c40ada38df917973ab719a4a753951 upstream. + +Fix afs_lookup() to not clobber the version set on a new dentry by +afs_do_lookup() - especially as it's using the wrong version of the +version (we need to use the one given to us by whatever op the dir +contents correspond to rather than what's in the afs_vnode). + +Fixes: 9dd0b82ef530 ("afs: Fix missing dentry data version updating") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/afs/dir.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -952,12 +952,8 @@ static struct dentry *afs_lookup(struct + afs_stat_v(dvnode, n_lookup); + inode = afs_do_lookup(dir, dentry, key); + key_put(key); +- if (inode == ERR_PTR(-ENOENT)) { ++ if (inode == ERR_PTR(-ENOENT)) + inode = afs_try_auto_mntpt(dentry, dir); +- } else { +- dentry->d_fsdata = +- (void *)(unsigned long)dvnode->status.data_version; +- } + + if (!IS_ERR_OR_NULL(inode)) + fid = AFS_FS_I(inode)->fid; diff --git a/queue-5.4/afs-fix-use-after-loss-of-ref.patch b/queue-5.4/afs-fix-use-after-loss-of-ref.patch new file mode 100644 index 00000000000..60f068f574f --- /dev/null +++ b/queue-5.4/afs-fix-use-after-loss-of-ref.patch @@ -0,0 +1,88 @@ +From 40a708bd622b78582ae3d280de29b09b50bd04c0 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 14 Jan 2020 16:16:25 +0000 +Subject: afs: Fix use-after-loss-of-ref + +From: David Howells + +commit 40a708bd622b78582ae3d280de29b09b50bd04c0 upstream. + +afs_lookup() has a tracepoint to indicate the outcome of +d_splice_alias(), passing it the inode to retrieve the fid from. +However, the function gave up its ref on that inode when it called +d_splice_alias(), which may have failed and dropped the inode. + +Fix this by caching the fid. + +Fixes: 80548b03991f ("afs: Add more tracepoints") +Reported-by: Al Viro +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/afs/dir.c | 12 +++++++----- + include/trace/events/afs.h | 12 +++--------- + 2 files changed, 10 insertions(+), 14 deletions(-) + +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -908,6 +908,7 @@ static struct dentry *afs_lookup(struct + unsigned int flags) + { + struct afs_vnode *dvnode = AFS_FS_I(dir); ++ struct afs_fid fid = {}; + struct inode *inode; + struct dentry *d; + struct key *key; +@@ -957,15 +958,16 @@ static struct dentry *afs_lookup(struct + dentry->d_fsdata = + (void *)(unsigned long)dvnode->status.data_version; + } ++ ++ if (!IS_ERR_OR_NULL(inode)) ++ fid = AFS_FS_I(inode)->fid; ++ + d = d_splice_alias(inode, dentry); + if (!IS_ERR_OR_NULL(d)) { + d->d_fsdata = dentry->d_fsdata; +- trace_afs_lookup(dvnode, &d->d_name, +- inode ? AFS_FS_I(inode) : NULL); ++ trace_afs_lookup(dvnode, &d->d_name, &fid); + } else { +- trace_afs_lookup(dvnode, &dentry->d_name, +- IS_ERR_OR_NULL(inode) ? NULL +- : AFS_FS_I(inode)); ++ trace_afs_lookup(dvnode, &dentry->d_name, &fid); + } + return d; + } +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -915,9 +915,9 @@ TRACE_EVENT(afs_call_state, + + TRACE_EVENT(afs_lookup, + TP_PROTO(struct afs_vnode *dvnode, const struct qstr *name, +- struct afs_vnode *vnode), ++ struct afs_fid *fid), + +- TP_ARGS(dvnode, name, vnode), ++ TP_ARGS(dvnode, name, fid), + + TP_STRUCT__entry( + __field_struct(struct afs_fid, dfid ) +@@ -928,13 +928,7 @@ TRACE_EVENT(afs_lookup, + TP_fast_assign( + int __len = min_t(int, name->len, 23); + __entry->dfid = dvnode->fid; +- if (vnode) { +- __entry->fid = vnode->fid; +- } else { +- __entry->fid.vid = 0; +- __entry->fid.vnode = 0; +- __entry->fid.unique = 0; +- } ++ __entry->fid = *fid; + memcpy(__entry->name, name->name, __len); + __entry->name[__len] = 0; + ), diff --git a/queue-5.4/asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch b/queue-5.4/asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch new file mode 100644 index 00000000000..32db68e2661 --- /dev/null +++ b/queue-5.4/asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch @@ -0,0 +1,187 @@ +From 4f0bd808134d73184054ad09173821c84f31dd5d Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Mon, 23 Dec 2019 13:00:03 +0200 +Subject: asm-generic/nds32: don't redefine cacheflush primitives + +From: Mike Rapoport + +commit 4f0bd808134d73184054ad09173821c84f31dd5d upstream. + +The commit c296d4dc13ae ("asm-generic: fix a compilation warning") changed +asm-generic/cachflush.h to use static inlines instead of macros and as a +result the nds32 build with CONFIG_CPU_CACHE_ALIASING=n fails: + + CC init/main.o +In file included from arch/nds32/include/asm/cacheflush.h:43, + from include/linux/highmem.h:12, + from include/linux/pagemap.h:11, + from include/linux/blkdev.h:16, + from include/linux/blk-cgroup.h:23, + from include/linux/writeback.h:14, + from init/main.c:44: +include/asm-generic/cacheflush.h:50:20: error: static declaration of 'flush_icache_range' follows non-static declaration + static inline void flush_icache_range(unsigned long start, unsigned long end) + ^~~~~~~~~~~~~~~~~~ +In file included from include/linux/highmem.h:12, + from include/linux/pagemap.h:11, + from include/linux/blkdev.h:16, + from include/linux/blk-cgroup.h:23, + from include/linux/writeback.h:14, + from init/main.c:44: +arch/nds32/include/asm/cacheflush.h:11:6: note: previous declaration of 'flush_icache_range' was here + void flush_icache_range(unsigned long start, unsigned long end); + ^~~~~~~~~~~~~~~~~~ + +Surround the inline functions in asm-generic/cacheflush.h by ifdef's so +that architectures could override them and add the required overrides to +nds32. + +Fixes: c296d4dc13ae ("asm-generic: fix a compilation warning") +Link: https://lore.kernel.org/lkml/201912212139.yptX8CsV%25lkp@intel.com/ +Reported-by: kbuild test robot +Signed-off-by: Mike Rapoport +Reviewed-by: Greentime Hu +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/nds32/include/asm/cacheflush.h | 11 +++++++---- + include/asm-generic/cacheflush.h | 33 ++++++++++++++++++++++++++++++++- + 2 files changed, 39 insertions(+), 5 deletions(-) + +--- a/arch/nds32/include/asm/cacheflush.h ++++ b/arch/nds32/include/asm/cacheflush.h +@@ -9,7 +9,11 @@ + #define PG_dcache_dirty PG_arch_1 + + void flush_icache_range(unsigned long start, unsigned long end); ++#define flush_icache_range flush_icache_range ++ + void flush_icache_page(struct vm_area_struct *vma, struct page *page); ++#define flush_icache_page flush_icache_page ++ + #ifdef CONFIG_CPU_CACHE_ALIASING + void flush_cache_mm(struct mm_struct *mm); + void flush_cache_dup_mm(struct mm_struct *mm); +@@ -40,12 +44,11 @@ void invalidate_kernel_vmap_range(void * + #define flush_dcache_mmap_unlock(mapping) xa_unlock_irq(&(mapping)->i_pages) + + #else +-#include +-#undef flush_icache_range +-#undef flush_icache_page +-#undef flush_icache_user_range + void flush_icache_user_range(struct vm_area_struct *vma, struct page *page, + unsigned long addr, int len); ++#define flush_icache_user_range flush_icache_user_range ++ ++#include + #endif + + #endif /* __NDS32_CACHEFLUSH_H__ */ +--- a/include/asm-generic/cacheflush.h ++++ b/include/asm-generic/cacheflush.h +@@ -11,71 +11,102 @@ + * The cache doesn't need to be flushed when TLB entries change when + * the cache is mapped to physical memory, not virtual memory + */ ++#ifndef flush_cache_all + static inline void flush_cache_all(void) + { + } ++#endif + ++#ifndef flush_cache_mm + static inline void flush_cache_mm(struct mm_struct *mm) + { + } ++#endif + ++#ifndef flush_cache_dup_mm + static inline void flush_cache_dup_mm(struct mm_struct *mm) + { + } ++#endif + ++#ifndef flush_cache_range + static inline void flush_cache_range(struct vm_area_struct *vma, + unsigned long start, + unsigned long end) + { + } ++#endif + ++#ifndef flush_cache_page + static inline void flush_cache_page(struct vm_area_struct *vma, + unsigned long vmaddr, + unsigned long pfn) + { + } ++#endif + ++#ifndef flush_dcache_page + static inline void flush_dcache_page(struct page *page) + { + } ++#endif + ++#ifndef flush_dcache_mmap_lock + static inline void flush_dcache_mmap_lock(struct address_space *mapping) + { + } ++#endif + ++#ifndef flush_dcache_mmap_unlock + static inline void flush_dcache_mmap_unlock(struct address_space *mapping) + { + } ++#endif + ++#ifndef flush_icache_range + static inline void flush_icache_range(unsigned long start, unsigned long end) + { + } ++#endif + ++#ifndef flush_icache_page + static inline void flush_icache_page(struct vm_area_struct *vma, + struct page *page) + { + } ++#endif + ++#ifndef flush_icache_user_range + static inline void flush_icache_user_range(struct vm_area_struct *vma, + struct page *page, + unsigned long addr, int len) + { + } ++#endif + ++#ifndef flush_cache_vmap + static inline void flush_cache_vmap(unsigned long start, unsigned long end) + { + } ++#endif + ++#ifndef flush_cache_vunmap + static inline void flush_cache_vunmap(unsigned long start, unsigned long end) + { + } ++#endif + +-#define copy_to_user_page(vma, page, vaddr, dst, src, len) \ ++#ifndef copy_to_user_page ++#define copy_to_user_page(vma, page, vaddr, dst, src, len) \ + do { \ + memcpy(dst, src, len); \ + flush_icache_user_range(vma, page, vaddr, len); \ + } while (0) ++#endif ++ ++#ifndef copy_from_user_page + #define copy_from_user_page(vma, page, vaddr, dst, src, len) \ + memcpy(dst, src, len) ++#endif + + #endif /* __ASM_CACHEFLUSH_H */ diff --git a/queue-5.4/dm-add-dm-clone-to-the-documentation-index.patch b/queue-5.4/dm-add-dm-clone-to-the-documentation-index.patch new file mode 100644 index 00000000000..cc0d705174f --- /dev/null +++ b/queue-5.4/dm-add-dm-clone-to-the-documentation-index.patch @@ -0,0 +1,29 @@ +From 484e0d2b11e1fdd0d17702b282eb2ed56148385f Mon Sep 17 00:00:00 2001 +From: Diego Calleja +Date: Tue, 26 Nov 2019 14:00:31 +0200 +Subject: dm: add dm-clone to the documentation index + +From: Diego Calleja + +commit 484e0d2b11e1fdd0d17702b282eb2ed56148385f upstream. + +Fixes: 7431b7835f554 ("dm: add clone target") +Signed-off-by: Diego Calleja +Signed-off-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/admin-guide/device-mapper/index.rst | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/admin-guide/device-mapper/index.rst ++++ b/Documentation/admin-guide/device-mapper/index.rst +@@ -8,6 +8,7 @@ Device Mapper + cache-policies + cache + delay ++ dm-clone + dm-crypt + dm-flakey + dm-init diff --git a/queue-5.4/documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch b/queue-5.4/documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch new file mode 100644 index 00000000000..20047bb4ecd --- /dev/null +++ b/queue-5.4/documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch @@ -0,0 +1,38 @@ +From f3efc406d67e6236b513c4302133b0c9be74fd99 Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Mon, 13 Jan 2020 16:28:31 +0000 +Subject: Documentation/ABI: Add missed attribute for mlxreg-io sysfs interfaces + +From: Vadim Pasternak + +commit f3efc406d67e6236b513c4302133b0c9be74fd99 upstream. + +Add missed "cpld4_version" attribute. + +Fixes: 52675da1d087 ("Documentation/ABI: Add new attribute for mlxreg-io sysfs interfaces") +Signed-off-by: Vadim Pasternak +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/stable/sysfs-driver-mlxreg-io | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/Documentation/ABI/stable/sysfs-driver-mlxreg-io ++++ b/Documentation/ABI/stable/sysfs-driver-mlxreg-io +@@ -121,6 +121,15 @@ Description: These files show the system + + The files are read only. + ++What: /sys/devices/platform/mlxplat/mlxreg-io/hwmon/hwmon*/cpld4_version ++Date: November 2018 ++KernelVersion: 5.0 ++Contact: Vadim Pasternak ++Description: These files show with which CPLD versions have been burned ++ on LED board. ++ ++ The files are read only. ++ + Date: June 2019 + KernelVersion: 5.3 + Contact: Vadim Pasternak diff --git a/queue-5.4/documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch b/queue-5.4/documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch new file mode 100644 index 00000000000..0cc300383eb --- /dev/null +++ b/queue-5.4/documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch @@ -0,0 +1,40 @@ +From f4094826779dcafe7087e80850513b923eeefdeb Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Mon, 13 Jan 2020 16:28:30 +0000 +Subject: Documentation/ABI: Fix documentation inconsistency for mlxreg-io sysfs interfaces + +From: Vadim Pasternak + +commit f4094826779dcafe7087e80850513b923eeefdeb upstream. + +Fix attribute name from "jtag_enable", which described twice to +"cpld3_version", which is expected to be instead of second appearance +of "jtag_enable". + +Fixes: 2752e34442b5 ("Documentation/ABI: Add new attribute for mlxreg-io sysfs interfaces") +Signed-off-by: Vadim Pasternak +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/stable/sysfs-driver-mlxreg-io | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/ABI/stable/sysfs-driver-mlxreg-io ++++ b/Documentation/ABI/stable/sysfs-driver-mlxreg-io +@@ -29,13 +29,13 @@ Description: This file shows the system + + The files are read only. + +-What: /sys/devices/platform/mlxplat/mlxreg-io/hwmon/hwmon*/jtag_enable ++What: /sys/devices/platform/mlxplat/mlxreg-io/hwmon/hwmon*/cpld3_version + + Date: November 2018 + KernelVersion: 5.0 + Contact: Vadim Pasternak + Description: These files show with which CPLD versions have been burned +- on LED board. ++ on LED or Gearbox board. + + The files are read only. + diff --git a/queue-5.4/keys-fix-request_key-cache.patch b/queue-5.4/keys-fix-request_key-cache.patch new file mode 100644 index 00000000000..1808bf91dab --- /dev/null +++ b/queue-5.4/keys-fix-request_key-cache.patch @@ -0,0 +1,41 @@ +From 8379bb84be757d5df2d818509faec5d66adb861d Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 14 Jan 2020 16:06:14 +0000 +Subject: keys: Fix request_key() cache + +From: David Howells + +commit 8379bb84be757d5df2d818509faec5d66adb861d upstream. + +When the key cached by request_key() and co. is cleaned up on exit(), +the code looks in the wrong task_struct, and so clears the wrong cache. +This leads to anomalies in key refcounting when doing, say, a kernel +build on an afs volume, that then trigger kasan to report a +use-after-free when the key is viewed in /proc/keys. + +Fix this by making exit_creds() look in the passed-in task_struct rather +than in current (the task_struct cleanup code is deferred by RCU and +potentially run in another task). + +Fixes: 7743c48e54ee ("keys: Cache result of request_key*() temporarily in task_struct") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cred.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/cred.c ++++ b/kernel/cred.c +@@ -175,8 +175,8 @@ void exit_creds(struct task_struct *tsk) + put_cred(cred); + + #ifdef CONFIG_KEYS_REQUEST_CACHE +- key_put(current->cached_requested_key); +- current->cached_requested_key = NULL; ++ key_put(tsk->cached_requested_key); ++ tsk->cached_requested_key = NULL; + #endif + } + diff --git a/queue-5.4/platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch b/queue-5.4/platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch new file mode 100644 index 00000000000..41dcc28db0f --- /dev/null +++ b/queue-5.4/platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch @@ -0,0 +1,124 @@ +From 638bc4ca3d28c25986cce4cbad69d9b8abf1e434 Mon Sep 17 00:00:00 2001 +From: Liming Sun +Date: Fri, 20 Dec 2019 12:04:33 -0500 +Subject: platform/mellanox: fix potential deadlock in the tmfifo driver + +From: Liming Sun + +commit 638bc4ca3d28c25986cce4cbad69d9b8abf1e434 upstream. + +This commit fixes the potential deadlock caused by the console Rx +and Tx processing at the same time. Rx and Tx both take the console +and tmfifo spinlock but in different order which causes potential +deadlock. The fix is to use different tmfifo spinlock for Rx and +Tx since they protect different resources and it's safe to split +the lock. + +Below is the reported call trace when copying/pasting large string +in the console. + +Rx: + _raw_spin_lock_irqsave (hvc lock) + __hvc_poll + hvc_poll + in_intr + vring_interrupt + mlxbf_tmfifo_rxtx_one_desc (tmfifo lock) + mlxbf_tmfifo_rxtx + mlxbf_tmfifo_work_rxtx +Tx: + _raw_spin_lock_irqsave (tmfifo lock) + mlxbf_tmfifo_virtio_notify + virtqueue_notify + virtqueue_kick + put_chars + hvc_push + hvc_write (hvc lock) + ... + do_tty_write + tty_write + +Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc") +Cc: # 5.4+ +Reviewed-by: David Woods +Signed-off-by: Liming Sun +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -149,7 +149,7 @@ struct mlxbf_tmfifo_irq_info { + * @work: work struct for deferred process + * @timer: background timer + * @vring: Tx/Rx ring +- * @spin_lock: spin lock ++ * @spin_lock: Tx/Rx spin lock + * @is_ready: ready flag + */ + struct mlxbf_tmfifo { +@@ -164,7 +164,7 @@ struct mlxbf_tmfifo { + struct work_struct work; + struct timer_list timer; + struct mlxbf_tmfifo_vring *vring[2]; +- spinlock_t spin_lock; /* spin lock */ ++ spinlock_t spin_lock[2]; /* spin lock */ + bool is_ready; + }; + +@@ -525,7 +525,7 @@ static void mlxbf_tmfifo_console_tx(stru + writeq(*(u64 *)&hdr, fifo->tx_base + MLXBF_TMFIFO_TX_DATA); + + /* Use spin-lock to protect the 'cons->tx_buf'. */ +- spin_lock_irqsave(&fifo->spin_lock, flags); ++ spin_lock_irqsave(&fifo->spin_lock[0], flags); + + while (size > 0) { + addr = cons->tx_buf.buf + cons->tx_buf.tail; +@@ -552,7 +552,7 @@ static void mlxbf_tmfifo_console_tx(stru + } + } + +- spin_unlock_irqrestore(&fifo->spin_lock, flags); ++ spin_unlock_irqrestore(&fifo->spin_lock[0], flags); + } + + /* Rx/Tx one word in the descriptor buffer. */ +@@ -731,9 +731,9 @@ static bool mlxbf_tmfifo_rxtx_one_desc(s + fifo->vring[is_rx] = NULL; + + /* Notify upper layer that packet is done. */ +- spin_lock_irqsave(&fifo->spin_lock, flags); ++ spin_lock_irqsave(&fifo->spin_lock[is_rx], flags); + vring_interrupt(0, vring->vq); +- spin_unlock_irqrestore(&fifo->spin_lock, flags); ++ spin_unlock_irqrestore(&fifo->spin_lock[is_rx], flags); + } + + mlxbf_tmfifo_desc_done: +@@ -852,10 +852,10 @@ static bool mlxbf_tmfifo_virtio_notify(s + * worker handler. + */ + if (vring->vdev_id == VIRTIO_ID_CONSOLE) { +- spin_lock_irqsave(&fifo->spin_lock, flags); ++ spin_lock_irqsave(&fifo->spin_lock[0], flags); + tm_vdev = fifo->vdev[VIRTIO_ID_CONSOLE]; + mlxbf_tmfifo_console_output(tm_vdev, vring); +- spin_unlock_irqrestore(&fifo->spin_lock, flags); ++ spin_unlock_irqrestore(&fifo->spin_lock[0], flags); + } else if (test_and_set_bit(MLXBF_TM_TX_LWM_IRQ, + &fifo->pend_events)) { + return true; +@@ -1189,7 +1189,8 @@ static int mlxbf_tmfifo_probe(struct pla + if (!fifo) + return -ENOMEM; + +- spin_lock_init(&fifo->spin_lock); ++ spin_lock_init(&fifo->spin_lock[0]); ++ spin_lock_init(&fifo->spin_lock[1]); + INIT_WORK(&fifo->work, mlxbf_tmfifo_work_handler); + mutex_init(&fifo->lock); + diff --git a/queue-5.4/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch b/queue-5.4/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch new file mode 100644 index 00000000000..f3286423bfa --- /dev/null +++ b/queue-5.4/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch @@ -0,0 +1,40 @@ +From 176a7fca81c5090a7240664e3002c106d296bf31 Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Mon, 30 Dec 2019 16:30:45 +0800 +Subject: platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 + +From: Jian-Hong Pan + +commit 176a7fca81c5090a7240664e3002c106d296bf31 upstream. + +Some of ASUS laptops like UX431FL keyboard backlight cannot be set to +brightness 0. According to ASUS' information, the brightness should be +0x80 ~ 0x83. This patch fixes it by following the logic. + +Fixes: e9809c0b9670 ("asus-wmi: add keyboard backlight support") +Signed-off-by: Jian-Hong Pan +Reviewed-by: Daniel Drake +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/asus-wmi.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -512,13 +512,7 @@ static void kbd_led_update(struct asus_w + { + int ctrl_param = 0; + +- /* +- * bits 0-2: level +- * bit 7: light on/off +- */ +- if (asus->kbd_led_wk > 0) +- ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F); +- ++ ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F); + asus_wmi_set_devstate(ASUS_WMI_DEVID_KBD_BACKLIGHT, ctrl_param, NULL); + } + diff --git a/queue-5.4/platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch b/queue-5.4/platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch new file mode 100644 index 00000000000..51cfd991fcc --- /dev/null +++ b/queue-5.4/platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch @@ -0,0 +1,89 @@ +From 6ae01050e49f0080ae30575d9b45a6d4a3d7ee23 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 6 Jan 2020 15:42:18 +0100 +Subject: platform/x86: GPD pocket fan: Use default values when wrong modparams are given + +From: Hans de Goede + +commit 6ae01050e49f0080ae30575d9b45a6d4a3d7ee23 upstream. + +Use our default values when wrong module-parameters are given, instead of +refusing to load. Refusing to load leaves the fan at the BIOS default +setting, which is "Off". The CPU's thermal throttling should protect the +system from damage, but not-loading is really not the best fallback in this +case. + +This commit fixes this by re-setting module-parameter values to their +defaults if they are out of range, instead of failing the probe with +-EINVAL. + +Cc: stable@vger.kernel.org +Cc: Jason Anderson +Reported-by: Jason Anderson +Fixes: 594ce6db326e ("platform/x86: GPD pocket fan: Use a min-speed of 2 while charging") +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/gpd-pocket-fan.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/platform/x86/gpd-pocket-fan.c ++++ b/drivers/platform/x86/gpd-pocket-fan.c +@@ -16,17 +16,27 @@ + + #define MAX_SPEED 3 + +-static int temp_limits[3] = { 55000, 60000, 65000 }; ++#define TEMP_LIMIT0_DEFAULT 55000 ++#define TEMP_LIMIT1_DEFAULT 60000 ++#define TEMP_LIMIT2_DEFAULT 65000 ++ ++#define HYSTERESIS_DEFAULT 3000 ++ ++#define SPEED_ON_AC_DEFAULT 2 ++ ++static int temp_limits[3] = { ++ TEMP_LIMIT0_DEFAULT, TEMP_LIMIT1_DEFAULT, TEMP_LIMIT2_DEFAULT, ++}; + module_param_array(temp_limits, int, NULL, 0444); + MODULE_PARM_DESC(temp_limits, + "Millicelsius values above which the fan speed increases"); + +-static int hysteresis = 3000; ++static int hysteresis = HYSTERESIS_DEFAULT; + module_param(hysteresis, int, 0444); + MODULE_PARM_DESC(hysteresis, + "Hysteresis in millicelsius before lowering the fan speed"); + +-static int speed_on_ac = 2; ++static int speed_on_ac = SPEED_ON_AC_DEFAULT; + module_param(speed_on_ac, int, 0444); + MODULE_PARM_DESC(speed_on_ac, + "minimum fan speed to allow when system is powered by AC"); +@@ -120,18 +130,21 @@ static int gpd_pocket_fan_probe(struct p + if (temp_limits[i] < 40000 || temp_limits[i] > 70000) { + dev_err(&pdev->dev, "Invalid temp-limit %d (must be between 40000 and 70000)\n", + temp_limits[i]); +- return -EINVAL; ++ temp_limits[0] = TEMP_LIMIT0_DEFAULT; ++ temp_limits[1] = TEMP_LIMIT1_DEFAULT; ++ temp_limits[2] = TEMP_LIMIT2_DEFAULT; ++ break; + } + } + if (hysteresis < 1000 || hysteresis > 10000) { + dev_err(&pdev->dev, "Invalid hysteresis %d (must be between 1000 and 10000)\n", + hysteresis); +- return -EINVAL; ++ hysteresis = HYSTERESIS_DEFAULT; + } + if (speed_on_ac < 0 || speed_on_ac > MAX_SPEED) { + dev_err(&pdev->dev, "Invalid speed_on_ac %d (must be between 0 and 3)\n", + speed_on_ac); +- return -EINVAL; ++ speed_on_ac = SPEED_ON_AC_DEFAULT; + } + + fan = devm_kzalloc(&pdev->dev, sizeof(*fan), GFP_KERNEL); diff --git a/queue-5.4/rxrpc-fix-missing-security-check-on-incoming-calls.patch b/queue-5.4/rxrpc-fix-missing-security-check-on-incoming-calls.patch new file mode 100644 index 00000000000..69239c61500 --- /dev/null +++ b/queue-5.4/rxrpc-fix-missing-security-check-on-incoming-calls.patch @@ -0,0 +1,279 @@ +From 063c60d39180cec7c9317f5acfc3071f8fecd705 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 20 Dec 2019 16:17:16 +0000 +Subject: rxrpc: Fix missing security check on incoming calls + +From: David Howells + +commit 063c60d39180cec7c9317f5acfc3071f8fecd705 upstream. + +Fix rxrpc_new_incoming_call() to check that we have a suitable service key +available for the combination of service ID and security class of a new +incoming call - and to reject calls for which we don't. + +This causes an assertion like the following to appear: + + rxrpc: Assertion failed - 6(0x6) == 12(0xc) is false + kernel BUG at net/rxrpc/call_object.c:456! + +Where call->state is RXRPC_CALL_SERVER_SECURING (6) rather than +RXRPC_CALL_COMPLETE (12). + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/ar-internal.h | 10 ++++-- + net/rxrpc/call_accept.c | 14 +++++++-- + net/rxrpc/conn_event.c | 16 ---------- + net/rxrpc/conn_service.c | 4 ++ + net/rxrpc/rxkad.c | 5 ++- + net/rxrpc/security.c | 70 ++++++++++++++++++++++------------------------- + 6 files changed, 59 insertions(+), 60 deletions(-) + +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -209,6 +209,7 @@ struct rxrpc_skb_priv { + struct rxrpc_security { + const char *name; /* name of this service */ + u8 security_index; /* security type provided */ ++ u32 no_key_abort; /* Abort code indicating no key */ + + /* Initialise a security service */ + int (*init)(void); +@@ -977,8 +978,9 @@ static inline void rxrpc_reduce_conn_tim + struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *, + struct sk_buff *); + struct rxrpc_connection *rxrpc_prealloc_service_connection(struct rxrpc_net *, gfp_t); +-void rxrpc_new_incoming_connection(struct rxrpc_sock *, +- struct rxrpc_connection *, struct sk_buff *); ++void rxrpc_new_incoming_connection(struct rxrpc_sock *, struct rxrpc_connection *, ++ const struct rxrpc_security *, struct key *, ++ struct sk_buff *); + void rxrpc_unpublish_service_conn(struct rxrpc_connection *); + + /* +@@ -1103,7 +1105,9 @@ extern const struct rxrpc_security rxkad + int __init rxrpc_init_security(void); + void rxrpc_exit_security(void); + int rxrpc_init_client_conn_security(struct rxrpc_connection *); +-int rxrpc_init_server_conn_security(struct rxrpc_connection *); ++bool rxrpc_look_up_server_security(struct rxrpc_local *, struct rxrpc_sock *, ++ const struct rxrpc_security **, struct key **, ++ struct sk_buff *); + + /* + * sendmsg.c +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -247,6 +247,8 @@ static struct rxrpc_call *rxrpc_alloc_in + struct rxrpc_local *local, + struct rxrpc_peer *peer, + struct rxrpc_connection *conn, ++ const struct rxrpc_security *sec, ++ struct key *key, + struct sk_buff *skb) + { + struct rxrpc_backlog *b = rx->backlog; +@@ -294,7 +296,7 @@ static struct rxrpc_call *rxrpc_alloc_in + conn->params.local = rxrpc_get_local(local); + conn->params.peer = peer; + rxrpc_see_connection(conn); +- rxrpc_new_incoming_connection(rx, conn, skb); ++ rxrpc_new_incoming_connection(rx, conn, sec, key, skb); + } else { + rxrpc_get_connection(conn); + } +@@ -333,9 +335,11 @@ struct rxrpc_call *rxrpc_new_incoming_ca + struct sk_buff *skb) + { + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); ++ const struct rxrpc_security *sec = NULL; + struct rxrpc_connection *conn; + struct rxrpc_peer *peer = NULL; +- struct rxrpc_call *call; ++ struct rxrpc_call *call = NULL; ++ struct key *key = NULL; + + _enter(""); + +@@ -358,7 +362,11 @@ struct rxrpc_call *rxrpc_new_incoming_ca + */ + conn = rxrpc_find_connection_rcu(local, skb, &peer); + +- call = rxrpc_alloc_incoming_call(rx, local, peer, conn, skb); ++ if (!conn && !rxrpc_look_up_server_security(local, rx, &sec, &key, skb)) ++ goto no_call; ++ ++ call = rxrpc_alloc_incoming_call(rx, local, peer, conn, sec, key, skb); ++ key_put(key); + if (!call) { + skb->mark = RXRPC_SKB_MARK_REJECT_BUSY; + _leave(" = NULL [busy]"); +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -376,21 +376,7 @@ static void rxrpc_secure_connection(stru + _enter("{%d}", conn->debug_id); + + ASSERT(conn->security_ix != 0); +- +- if (!conn->params.key) { +- _debug("set up security"); +- ret = rxrpc_init_server_conn_security(conn); +- switch (ret) { +- case 0: +- break; +- case -ENOENT: +- abort_code = RX_CALL_DEAD; +- goto abort; +- default: +- abort_code = RXKADNOAUTH; +- goto abort; +- } +- } ++ ASSERT(conn->server_key); + + if (conn->security->issue_challenge(conn) < 0) { + abort_code = RX_CALL_DEAD; +--- a/net/rxrpc/conn_service.c ++++ b/net/rxrpc/conn_service.c +@@ -148,6 +148,8 @@ struct rxrpc_connection *rxrpc_prealloc_ + */ + void rxrpc_new_incoming_connection(struct rxrpc_sock *rx, + struct rxrpc_connection *conn, ++ const struct rxrpc_security *sec, ++ struct key *key, + struct sk_buff *skb) + { + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); +@@ -160,6 +162,8 @@ void rxrpc_new_incoming_connection(struc + conn->service_id = sp->hdr.serviceId; + conn->security_ix = sp->hdr.securityIndex; + conn->out_clientflag = 0; ++ conn->security = sec; ++ conn->server_key = key_get(key); + if (conn->security_ix) + conn->state = RXRPC_CONN_SERVICE_UNSECURED; + else +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -648,9 +648,9 @@ static int rxkad_issue_challenge(struct + u32 serial; + int ret; + +- _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); ++ _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); + +- ret = key_validate(conn->params.key); ++ ret = key_validate(conn->server_key); + if (ret < 0) + return ret; + +@@ -1293,6 +1293,7 @@ static void rxkad_exit(void) + const struct rxrpc_security rxkad = { + .name = "rxkad", + .security_index = RXRPC_SECURITY_RXKAD, ++ .no_key_abort = RXKADUNKNOWNKEY, + .init = rxkad_init, + .exit = rxkad_exit, + .init_connection_security = rxkad_init_connection_security, +--- a/net/rxrpc/security.c ++++ b/net/rxrpc/security.c +@@ -101,62 +101,58 @@ int rxrpc_init_client_conn_security(stru + } + + /* +- * initialise the security on a server connection ++ * Find the security key for a server connection. + */ +-int rxrpc_init_server_conn_security(struct rxrpc_connection *conn) ++bool rxrpc_look_up_server_security(struct rxrpc_local *local, struct rxrpc_sock *rx, ++ const struct rxrpc_security **_sec, ++ struct key **_key, ++ struct sk_buff *skb) + { + const struct rxrpc_security *sec; +- struct rxrpc_local *local = conn->params.local; +- struct rxrpc_sock *rx; +- struct key *key; +- key_ref_t kref; ++ struct rxrpc_skb_priv *sp = rxrpc_skb(skb); ++ key_ref_t kref = NULL; + char kdesc[5 + 1 + 3 + 1]; + + _enter(""); + +- sprintf(kdesc, "%u:%u", conn->service_id, conn->security_ix); ++ sprintf(kdesc, "%u:%u", sp->hdr.serviceId, sp->hdr.securityIndex); + +- sec = rxrpc_security_lookup(conn->security_ix); ++ sec = rxrpc_security_lookup(sp->hdr.securityIndex); + if (!sec) { +- _leave(" = -ENOKEY [lookup]"); +- return -ENOKEY; ++ trace_rxrpc_abort(0, "SVS", ++ sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, ++ RX_INVALID_OPERATION, EKEYREJECTED); ++ skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; ++ skb->priority = RX_INVALID_OPERATION; ++ return false; + } + +- /* find the service */ +- read_lock(&local->services_lock); +- rx = rcu_dereference_protected(local->service, +- lockdep_is_held(&local->services_lock)); +- if (rx && (rx->srx.srx_service == conn->service_id || +- rx->second_service == conn->service_id)) +- goto found_service; +- +- /* the service appears to have died */ +- read_unlock(&local->services_lock); +- _leave(" = -ENOENT"); +- return -ENOENT; ++ if (sp->hdr.securityIndex == RXRPC_SECURITY_NONE) ++ goto out; + +-found_service: + if (!rx->securities) { +- read_unlock(&local->services_lock); +- _leave(" = -ENOKEY"); +- return -ENOKEY; ++ trace_rxrpc_abort(0, "SVR", ++ sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, ++ RX_INVALID_OPERATION, EKEYREJECTED); ++ skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; ++ skb->priority = RX_INVALID_OPERATION; ++ return false; + } + + /* look through the service's keyring */ + kref = keyring_search(make_key_ref(rx->securities, 1UL), + &key_type_rxrpc_s, kdesc, true); + if (IS_ERR(kref)) { +- read_unlock(&local->services_lock); +- _leave(" = %ld [search]", PTR_ERR(kref)); +- return PTR_ERR(kref); ++ trace_rxrpc_abort(0, "SVK", ++ sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, ++ sec->no_key_abort, EKEYREJECTED); ++ skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; ++ skb->priority = sec->no_key_abort; ++ return false; + } + +- key = key_ref_to_ptr(kref); +- read_unlock(&local->services_lock); +- +- conn->server_key = key; +- conn->security = sec; +- +- _leave(" = 0"); +- return 0; ++out: ++ *_sec = sec; ++ *_key = key_ref_to_ptr(kref); ++ return true; + } diff --git a/queue-5.4/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch b/queue-5.4/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch new file mode 100644 index 00000000000..ec3b1346e87 --- /dev/null +++ b/queue-5.4/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch @@ -0,0 +1,45 @@ +From 529244bd1afc102ab164429d338d310d5d65e60d Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Wed, 8 Jan 2020 17:21:32 -0800 +Subject: scsi: enclosure: Fix stale device oops with hot replug + +From: James Bottomley + +commit 529244bd1afc102ab164429d338d310d5d65e60d upstream. + +Doing an add/remove/add on a SCSI device in an enclosure leads to an oops +caused by poisoned values in the enclosure device list pointers. The +reason is because we are keeping the enclosure device across the enclosed +device add/remove/add but the current code is doing a +device_add/device_del/device_add on it. This is the wrong thing to do in +sysfs, so fix it by not doing a device_del on the enclosure device simply +because of a hot remove of the drive in the slot. + +[mkp: added missing email addresses] + +Fixes: 43d8eb9cfd0a ("[SCSI] ses: add support for enclosure component hot removal") +Link: https://lore.kernel.org/r/1578532892.3852.10.camel@HansenPartnership.com +Signed-off-by: James Bottomley +Reported-by: Luo Jiaxing +Tested-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/enclosure.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -406,10 +406,9 @@ int enclosure_remove_device(struct enclo + cdev = &edev->component[i]; + if (cdev->dev == dev) { + enclosure_remove_links(cdev); +- device_del(&cdev->cdev); + put_device(dev); + cdev->dev = NULL; +- return device_add(&cdev->cdev); ++ return 0; + } + } + return -ENODEV; diff --git a/queue-5.4/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch b/queue-5.4/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch new file mode 100644 index 00000000000..3cd7933e1ef --- /dev/null +++ b/queue-5.4/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch @@ -0,0 +1,42 @@ +From 465f4edaecc6c37f81349233e84d46246bcac11a Mon Sep 17 00:00:00 2001 +From: Xiang Chen +Date: Thu, 9 Jan 2020 09:12:24 +0800 +Subject: scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI + +From: Xiang Chen + +commit 465f4edaecc6c37f81349233e84d46246bcac11a upstream. + +If an attached disk with protection information enabled is reformatted +to Type 0 the revalidation code does not clear the original protection +type and subsequent accesses will keep setting RDPROTECT/WRPROTECT. + +Set the protection type to 0 if the disk reports PROT_EN=0 in READ +CAPACITY(16). + +[mkp: commit desc] + +Fixes: fe542396da73 ("[SCSI] sd: Ensure we correctly disable devices with unknown protection type") +Link: https://lore.kernel.org/r/1578532344-101668-1-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Xiang Chen +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2192,8 +2192,10 @@ static int sd_read_protection_type(struc + u8 type; + int ret = 0; + +- if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0) ++ if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0) { ++ sdkp->protection_type = 0; + return ret; ++ } + + type = ((buffer[12] >> 1) & 7) + 1; /* P_TYPE 0 = Type 1 */ + diff --git a/queue-5.4/scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch b/queue-5.4/scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch new file mode 100644 index 00000000000..c6e99ff73a1 --- /dev/null +++ b/queue-5.4/scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch @@ -0,0 +1,35 @@ +From 8c850a0296004409e7bcb9464712fb2807da656a Mon Sep 17 00:00:00 2001 +From: Can Guo +Date: Tue, 3 Dec 2019 06:58:40 +0000 +Subject: scsi: ufs: Give an unique ID to each ufs-bsg + +From: Can Guo + +commit 8c850a0296004409e7bcb9464712fb2807da656a upstream. + +Considering there can be multiple UFS hosts in SoC, give each ufs-bsg an +unique ID by appending the scsi host number to its device name. + +Link: https://lore.kernel.org/r/0101016eca8dc9d7-d24468d3-04d2-4ef3-a906-abe8b8cbcd3d-000000@us-west-2.amazonses.com +Fixes: df032bf27a41 ("scsi: ufs: Add a bsg endpoint that supports UPIUs") +Signed-off-by: Can Guo +Reviewed-by: Avri Altman +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ufs/ufs_bsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ufs/ufs_bsg.c ++++ b/drivers/scsi/ufs/ufs_bsg.c +@@ -202,7 +202,7 @@ int ufs_bsg_probe(struct ufs_hba *hba) + bsg_dev->parent = get_device(parent); + bsg_dev->release = ufs_bsg_node_release; + +- dev_set_name(bsg_dev, "ufs-bsg"); ++ dev_set_name(bsg_dev, "ufs-bsg%u", shost->host_no); + + ret = device_add(bsg_dev); + if (ret) diff --git a/queue-5.4/series b/queue-5.4/series index a5fe92de6b1..875a641136e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -78,3 +78,20 @@ bpf-make-use-of-probe_user_write-in-probe-write-helper.patch bpf-skmsg-fix-potential-psock-null-pointer-dereference.patch bpf-support-pre-2.25-binutils-objcopy-for-vmlinux-btf.patch libbpf-fix-makefile-libbpf-symbol-mismatch-diagnostic.patch +afs-fix-use-after-loss-of-ref.patch +afs-fix-afs_lookup-to-not-clobber-the-version-on-a-new-dentry.patch +keys-fix-request_key-cache.patch +scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch +scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without-pi.patch +platform-mellanox-fix-potential-deadlock-in-the-tmfifo-driver.patch +platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch +platform-x86-gpd-pocket-fan-use-default-values-when-wrong-modparams-are-given.patch +asm-generic-nds32-don-t-redefine-cacheflush-primitives.patch +documentation-abi-fix-documentation-inconsistency-for-mlxreg-io-sysfs-interfaces.patch +documentation-abi-add-missed-attribute-for-mlxreg-io-sysfs-interfaces.patch +rxrpc-fix-missing-security-check-on-incoming-calls.patch +xprtrdma-fix-create_qp-crash-on-device-unload.patch +xprtrdma-fix-completion-wait-during-device-removal.patch +xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch +dm-add-dm-clone-to-the-documentation-index.patch +scsi-ufs-give-an-unique-id-to-each-ufs-bsg.patch diff --git a/queue-5.4/xprtrdma-fix-completion-wait-during-device-removal.patch b/queue-5.4/xprtrdma-fix-completion-wait-during-device-removal.patch new file mode 100644 index 00000000000..71a54f7fcb7 --- /dev/null +++ b/queue-5.4/xprtrdma-fix-completion-wait-during-device-removal.patch @@ -0,0 +1,44 @@ +From 13cb886c591f341a8759f175292ddf978ef903a1 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 3 Jan 2020 11:52:17 -0500 +Subject: xprtrdma: Fix completion wait during device removal + +From: Chuck Lever + +commit 13cb886c591f341a8759f175292ddf978ef903a1 upstream. + +I've found that on occasion, "rmmod " will hang while if an NFS +is under load. + +Ensure that ri_remove_done is initialized only just before the +transport is woken up to force a close. This avoids the completion +possibly getting initialized again while the CM event handler is +waiting for a wake-up. + +Fixes: bebd031866ca ("xprtrdma: Support unplugging an HCA from under an NFS mount") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -245,6 +245,7 @@ rpcrdma_cm_event_handler(struct rdma_cm_ + ia->ri_id->device->name, + rpcrdma_addrstr(r_xprt), rpcrdma_portstr(r_xprt)); + #endif ++ init_completion(&ia->ri_remove_done); + set_bit(RPCRDMA_IAF_REMOVING, &ia->ri_flags); + ep->rep_connected = -ENODEV; + xprt_force_disconnect(xprt); +@@ -299,7 +300,6 @@ rpcrdma_create_id(struct rpcrdma_xprt *x + trace_xprtrdma_conn_start(xprt); + + init_completion(&ia->ri_done); +- init_completion(&ia->ri_remove_done); + + id = rdma_create_id(xprt->rx_xprt.xprt_net, rpcrdma_cm_event_handler, + xprt, RDMA_PS_TCP, IB_QPT_RC); diff --git a/queue-5.4/xprtrdma-fix-create_qp-crash-on-device-unload.patch b/queue-5.4/xprtrdma-fix-create_qp-crash-on-device-unload.patch new file mode 100644 index 00000000000..3fbd69ccf24 --- /dev/null +++ b/queue-5.4/xprtrdma-fix-create_qp-crash-on-device-unload.patch @@ -0,0 +1,69 @@ +From b32b9ed493f938e191f790a0991d20b18b38c35b Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 3 Jan 2020 11:52:12 -0500 +Subject: xprtrdma: Fix create_qp crash on device unload + +From: Chuck Lever + +commit b32b9ed493f938e191f790a0991d20b18b38c35b upstream. + +On device re-insertion, the RDMA device driver crashes trying to set +up a new QP: + +Nov 27 16:32:06 manet kernel: BUG: kernel NULL pointer dereference, address: 00000000000001c0 +Nov 27 16:32:06 manet kernel: #PF: supervisor write access in kernel mode +Nov 27 16:32:06 manet kernel: #PF: error_code(0x0002) - not-present page +Nov 27 16:32:06 manet kernel: PGD 0 P4D 0 +Nov 27 16:32:06 manet kernel: Oops: 0002 [#1] SMP +Nov 27 16:32:06 manet kernel: CPU: 1 PID: 345 Comm: kworker/u28:0 Tainted: G W 5.4.0 #852 +Nov 27 16:32:06 manet kernel: Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015 +Nov 27 16:32:06 manet kernel: Workqueue: xprtiod xprt_rdma_connect_worker [rpcrdma] +Nov 27 16:32:06 manet kernel: RIP: 0010:atomic_try_cmpxchg+0x2/0x12 +Nov 27 16:32:06 manet kernel: Code: ff ff 48 8b 04 24 5a c3 c6 07 00 0f 1f 40 00 c3 31 c0 48 81 ff 08 09 68 81 72 0c 31 c0 48 81 ff 83 0c 68 81 0f 92 c0 c3 8b 06 0f b1 17 0f 94 c2 84 d2 75 02 89 06 88 d0 c3 53 ba 01 00 00 00 +Nov 27 16:32:06 manet kernel: RSP: 0018:ffffc900035abbf0 EFLAGS: 00010046 +Nov 27 16:32:06 manet kernel: RAX: 0000000000000000 RBX: 00000000000001c0 RCX: 0000000000000000 +Nov 27 16:32:06 manet kernel: RDX: 0000000000000001 RSI: ffffc900035abbfc RDI: 00000000000001c0 +Nov 27 16:32:06 manet kernel: RBP: ffffc900035abde0 R08: 000000000000000e R09: ffffffffffffc000 +Nov 27 16:32:06 manet kernel: R10: 0000000000000000 R11: 000000000002e800 R12: ffff88886169d9f8 +Nov 27 16:32:06 manet kernel: R13: ffff88886169d9f4 R14: 0000000000000246 R15: 0000000000000000 +Nov 27 16:32:06 manet kernel: FS: 0000000000000000(0000) GS:ffff88846fa40000(0000) knlGS:0000000000000000 +Nov 27 16:32:06 manet kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Nov 27 16:32:06 manet kernel: CR2: 00000000000001c0 CR3: 0000000002009006 CR4: 00000000001606e0 +Nov 27 16:32:06 manet kernel: Call Trace: +Nov 27 16:32:06 manet kernel: do_raw_spin_lock+0x2f/0x5a +Nov 27 16:32:06 manet kernel: create_qp_common.isra.47+0x856/0xadf [mlx4_ib] +Nov 27 16:32:06 manet kernel: ? slab_post_alloc_hook.isra.60+0xa/0x1a +Nov 27 16:32:06 manet kernel: ? __kmalloc+0x125/0x139 +Nov 27 16:32:06 manet kernel: mlx4_ib_create_qp+0x57f/0x972 [mlx4_ib] + +The fix is to copy the qp_init_attr struct that was just created by +rpcrdma_ep_create() instead of using the one from the previous +connection instance. + +Fixes: 98ef77d1aaa7 ("xprtrdma: Send Queue size grows after a reconnect") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -607,6 +607,7 @@ static int rpcrdma_ep_recreate_xprt(stru + struct ib_qp_init_attr *qp_init_attr) + { + struct rpcrdma_ia *ia = &r_xprt->rx_ia; ++ struct rpcrdma_ep *ep = &r_xprt->rx_ep; + int rc, err; + + trace_xprtrdma_reinsert(r_xprt); +@@ -621,6 +622,7 @@ static int rpcrdma_ep_recreate_xprt(stru + pr_err("rpcrdma: rpcrdma_ep_create returned %d\n", err); + goto out2; + } ++ memcpy(qp_init_attr, &ep->rep_attr, sizeof(*qp_init_attr)); + + rc = -ENETUNREACH; + err = rdma_create_qp(ia->ri_id, ia->ri_pd, qp_init_attr); diff --git a/queue-5.4/xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch b/queue-5.4/xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch new file mode 100644 index 00000000000..6fdbd7ef4be --- /dev/null +++ b/queue-5.4/xprtrdma-fix-oops-in-receive-handler-after-device-removal.patch @@ -0,0 +1,166 @@ +From 671c450b6fe0680ea1cb1cf1526d764fdd5a3d3f Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 3 Jan 2020 11:52:22 -0500 +Subject: xprtrdma: Fix oops in Receive handler after device removal + +From: Chuck Lever + +commit 671c450b6fe0680ea1cb1cf1526d764fdd5a3d3f upstream. + +Since v5.4, a device removal occasionally triggered this oops: + +Dec 2 17:13:53 manet kernel: BUG: unable to handle page fault for address: 0000000c00000219 +Dec 2 17:13:53 manet kernel: #PF: supervisor read access in kernel mode +Dec 2 17:13:53 manet kernel: #PF: error_code(0x0000) - not-present page +Dec 2 17:13:53 manet kernel: PGD 0 P4D 0 +Dec 2 17:13:53 manet kernel: Oops: 0000 [#1] SMP +Dec 2 17:13:53 manet kernel: CPU: 2 PID: 468 Comm: kworker/2:1H Tainted: G W 5.4.0-00050-g53717e43af61 #883 +Dec 2 17:13:53 manet kernel: Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015 +Dec 2 17:13:53 manet kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] +Dec 2 17:13:53 manet kernel: RIP: 0010:rpcrdma_wc_receive+0x7c/0xf6 [rpcrdma] +Dec 2 17:13:53 manet kernel: Code: 6d 8b 43 14 89 c1 89 45 78 48 89 4d 40 8b 43 2c 89 45 14 8b 43 20 89 45 18 48 8b 45 20 8b 53 14 48 8b 30 48 8b 40 10 48 8b 38 <48> 8b 87 18 02 00 00 48 85 c0 75 18 48 8b 05 1e 24 c4 e1 48 85 c0 +Dec 2 17:13:53 manet kernel: RSP: 0018:ffffc900035dfe00 EFLAGS: 00010246 +Dec 2 17:13:53 manet kernel: RAX: ffff888467290000 RBX: ffff88846c638400 RCX: 0000000000000048 +Dec 2 17:13:53 manet kernel: RDX: 0000000000000048 RSI: 00000000f942e000 RDI: 0000000c00000001 +Dec 2 17:13:53 manet kernel: RBP: ffff888467611b00 R08: ffff888464e4a3c4 R09: 0000000000000000 +Dec 2 17:13:53 manet kernel: R10: ffffc900035dfc88 R11: fefefefefefefeff R12: ffff888865af4428 +Dec 2 17:13:53 manet kernel: R13: ffff888466023000 R14: ffff88846c63f000 R15: 0000000000000010 +Dec 2 17:13:53 manet kernel: FS: 0000000000000000(0000) GS:ffff88846fa80000(0000) knlGS:0000000000000000 +Dec 2 17:13:53 manet kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Dec 2 17:13:53 manet kernel: CR2: 0000000c00000219 CR3: 0000000002009002 CR4: 00000000001606e0 +Dec 2 17:13:53 manet kernel: Call Trace: +Dec 2 17:13:53 manet kernel: __ib_process_cq+0x5c/0x14e [ib_core] +Dec 2 17:13:53 manet kernel: ib_cq_poll_work+0x26/0x70 [ib_core] +Dec 2 17:13:53 manet kernel: process_one_work+0x19d/0x2cd +Dec 2 17:13:53 manet kernel: ? cancel_delayed_work_sync+0xf/0xf +Dec 2 17:13:53 manet kernel: worker_thread+0x1a6/0x25a +Dec 2 17:13:53 manet kernel: ? cancel_delayed_work_sync+0xf/0xf +Dec 2 17:13:53 manet kernel: kthread+0xf4/0xf9 +Dec 2 17:13:53 manet kernel: ? kthread_queue_delayed_work+0x74/0x74 +Dec 2 17:13:53 manet kernel: ret_from_fork+0x24/0x30 + +The proximal cause is that this rpcrdma_rep has a rr_rdmabuf that +is still pointing to the old ib_device, which has been freed. The +only way that is possible is if this rpcrdma_rep was not destroyed +by rpcrdma_ia_remove. + +Debugging showed that was indeed the case: this rpcrdma_rep was +still in use by a completing RPC at the time of the device removal, +and thus wasn't on the rep free list. So, it was not found by +rpcrdma_reps_destroy(). + +The fix is to introduce a list of all rpcrdma_reps so that they all +can be found when a device is removed. That list is used to perform +only regbuf DMA unmapping, replacing that call to +rpcrdma_reps_destroy(). + +Meanwhile, to prevent corruption of this list, I've moved the +destruction of temp rpcrdma_rep objects to rpcrdma_post_recvs(). +rpcrdma_xprt_drain() ensures that post_recvs (and thus rep_destroy) is +not invoked while rpcrdma_reps_unmap is walking rb_all_reps, thus +protecting the rb_all_reps list. + +Fixes: b0b227f071a0 ("xprtrdma: Use an llist to manage free rpcrdma_reps") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/verbs.c | 25 +++++++++++++++++++------ + net/sunrpc/xprtrdma/xprt_rdma.h | 2 ++ + 2 files changed, 21 insertions(+), 6 deletions(-) + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -76,7 +76,7 @@ + */ + static void rpcrdma_sendctx_put_locked(struct rpcrdma_sendctx *sc); + static void rpcrdma_reqs_reset(struct rpcrdma_xprt *r_xprt); +-static void rpcrdma_reps_destroy(struct rpcrdma_buffer *buf); ++static void rpcrdma_reps_unmap(struct rpcrdma_xprt *r_xprt); + static void rpcrdma_mrs_create(struct rpcrdma_xprt *r_xprt); + static void rpcrdma_mrs_destroy(struct rpcrdma_buffer *buf); + static struct rpcrdma_regbuf * +@@ -429,7 +429,7 @@ rpcrdma_ia_remove(struct rpcrdma_ia *ia) + /* The ULP is responsible for ensuring all DMA + * mappings and MRs are gone. + */ +- rpcrdma_reps_destroy(buf); ++ rpcrdma_reps_unmap(r_xprt); + list_for_each_entry(req, &buf->rb_allreqs, rl_all) { + rpcrdma_regbuf_dma_unmap(req->rl_rdmabuf); + rpcrdma_regbuf_dma_unmap(req->rl_sendbuf); +@@ -1086,6 +1086,7 @@ static struct rpcrdma_rep *rpcrdma_rep_c + rep->rr_recv_wr.sg_list = &rep->rr_rdmabuf->rg_iov; + rep->rr_recv_wr.num_sge = 1; + rep->rr_temp = temp; ++ list_add(&rep->rr_all, &r_xprt->rx_buf.rb_all_reps); + return rep; + + out_free: +@@ -1096,6 +1097,7 @@ out: + + static void rpcrdma_rep_destroy(struct rpcrdma_rep *rep) + { ++ list_del(&rep->rr_all); + rpcrdma_regbuf_free(rep->rr_rdmabuf); + kfree(rep); + } +@@ -1114,10 +1116,16 @@ static struct rpcrdma_rep *rpcrdma_rep_g + static void rpcrdma_rep_put(struct rpcrdma_buffer *buf, + struct rpcrdma_rep *rep) + { +- if (!rep->rr_temp) +- llist_add(&rep->rr_node, &buf->rb_free_reps); +- else +- rpcrdma_rep_destroy(rep); ++ llist_add(&rep->rr_node, &buf->rb_free_reps); ++} ++ ++static void rpcrdma_reps_unmap(struct rpcrdma_xprt *r_xprt) ++{ ++ struct rpcrdma_buffer *buf = &r_xprt->rx_buf; ++ struct rpcrdma_rep *rep; ++ ++ list_for_each_entry(rep, &buf->rb_all_reps, rr_all) ++ rpcrdma_regbuf_dma_unmap(rep->rr_rdmabuf); + } + + static void rpcrdma_reps_destroy(struct rpcrdma_buffer *buf) +@@ -1150,6 +1158,7 @@ int rpcrdma_buffer_create(struct rpcrdma + + INIT_LIST_HEAD(&buf->rb_send_bufs); + INIT_LIST_HEAD(&buf->rb_allreqs); ++ INIT_LIST_HEAD(&buf->rb_all_reps); + + rc = -ENOMEM; + for (i = 0; i < buf->rb_max_requests; i++) { +@@ -1506,6 +1515,10 @@ void rpcrdma_post_recvs(struct rpcrdma_x + wr = NULL; + while (needed) { + rep = rpcrdma_rep_get_locked(buf); ++ if (rep && rep->rr_temp) { ++ rpcrdma_rep_destroy(rep); ++ continue; ++ } + if (!rep) + rep = rpcrdma_rep_create(r_xprt, temp); + if (!rep) +--- a/net/sunrpc/xprtrdma/xprt_rdma.h ++++ b/net/sunrpc/xprtrdma/xprt_rdma.h +@@ -203,6 +203,7 @@ struct rpcrdma_rep { + struct xdr_stream rr_stream; + struct llist_node rr_node; + struct ib_recv_wr rr_recv_wr; ++ struct list_head rr_all; + }; + + /* To reduce the rate at which a transport invokes ib_post_recv +@@ -372,6 +373,7 @@ struct rpcrdma_buffer { + + struct list_head rb_allreqs; + struct list_head rb_all_mrs; ++ struct list_head rb_all_reps; + + struct llist_head rb_free_reps; + -- 2.47.3