From 970311c8c69ae2b368d1cd3397b09374f271d9c4 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 6 Dec 2019 16:13:24 -0500
Subject: [PATCH] fixes for 5.3
Signed-off-by: Sasha Levin
---
...fix-race-in-commit-bulk-status-fetch.patch | 61 ++++++
...vents-struct-__compat_aio_sigset-lay.patch | 91 +++++++++
.../alsa-hda-add-cometlake-s-pci-id.patch | 36 ++++
...eam-lock-usage-in-snd_pcm_period_ela.patch | 53 ++++++
...get_nd-don-t-unlock-parent-too-early.patch | 40 ++++
...fix-a-leak-in-autofs_expire_indirect.patch | 39 ++++
...-check-bi_size-overflow-before-merge.patch | 80 ++++++++
...group-don-t-put-err_ptr-into-fc-root.patch | 40 ++++
...-set-min-division-of-tcon0_dclk-to-1.patch | 44 +++++
...ink-and-rmdir-in-face-of-underlying-.patch | 173 ++++++++++++++++++
...fh-negative-pinned-may-become-positi.patch | 69 +++++++
...-fix-use-after-free-in-of_i2c_notify.patch | 43 +++++
...-cyttsp4_core-fix-use-after-free-bug.patch | 51 ++++++
...pcie-don-t-consider-iv-len-in-a-msdu.patch | 90 +++++++++
...27-fix-exception-handler-replication.patch | 99 ++++++++++
...ix-mismatch-of-request_mem_region-in.patch | 46 +++++
...ns3-fix-ets-bandwidth-validation-bug.patch | 40 ++++
...ate-ssu-buffer-size-when-pfc_en-chan.patch | 63 +++++++
...null-pointer-dereference-after-i2c-c.patch | 73 ++++++++
...tently-fail-fork-on-allocation-failu.patch | 55 ++++++
...lement-mtu-change-while-device-is-up.patch | 131 +++++++++++++
...s-uninitialized-warning-in-rbd_objec.patch | 46 +++++
...-the-value-of-hns_roce_hem_chunk_len.patch | 39 ++++
...s-correct-the-value-of-srq_desc_size.patch | 38 ++++
...ed-destroy_workqueue-calls-in-remove.patch | 38 ++++
...ore-avoid-spurious-lock-dependencies.patch | 67 +++++++
...-fix-update-of-blocked-pelt-ordering.patch | 95 ++++++++++
...ftests-kvm-fix-build-with-glibc-2.30.patch | 56 ++++++
queue-5.3/series | 30 +++
...esctrl-fix-potential-lockdep-warning.patch | 71 +++++++
...e-device-reference-for-invalid-state.patch | 62 +++++++
31 files changed, 1959 insertions(+)
create mode 100644 queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch
create mode 100644 queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
create mode 100644 queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch
create mode 100644 queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
create mode 100644 queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch
create mode 100644 queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch
create mode 100644 queue-5.3/block-check-bi_size-overflow-before-merge.patch
create mode 100644 queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch
create mode 100644 queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
create mode 100644 queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
create mode 100644 queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch
create mode 100644 queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch
create mode 100644 queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch
create mode 100644 queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch
create mode 100644 queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch
create mode 100644 queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch
create mode 100644 queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch
create mode 100644 queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch
create mode 100644 queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch
create mode 100644 queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch
create mode 100644 queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch
create mode 100644 queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch
create mode 100644 queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch
create mode 100644 queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch
create mode 100644 queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch
create mode 100644 queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch
create mode 100644 queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch
create mode 100644 queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch
create mode 100644 queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch
create mode 100644 queue-5.3/xfrm-release-device-reference-for-invalid-state.patch
diff --git a/queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch b/queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch
new file mode 100644
index 00000000000..ef24fc37cab
--- /dev/null
+++ b/queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch
@@ -0,0 +1,61 @@
+From d891600f80220e622c0dfefd3c656956c551e859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Nov 2019 18:41:03 +0000
+Subject: afs: Fix race in commit bulk status fetch
+
+From: David Howells
+
+[ Upstream commit a28f239e296767ebf4ec4ae8a9ecb57d0d444b3f ]
+
+When a lookup is done, the afs filesystem will perform a bulk status-fetch
+operation on the requested vnode (file) plus the next 49 other vnodes from
+the directory list (in AFS, directory contents are downloaded as blobs and
+parsed locally). When the results are received, it will speculatively
+populate the inode cache from the extra data.
+
+However, if the lookup races with another lookup on the same directory, but
+for a different file - one that's in the 49 extra fetches, then if the bulk
+status-fetch operation finishes first, it will try and update the inode
+from the other lookup.
+
+If this other inode is still in the throes of being created, however, this
+will cause an assertion failure in afs_apply_status():
+
+ BUG_ON(test_bit(AFS_VNODE_UNSET, &vnode->flags));
+
+on or about fs/afs/inode.c:175 because it expects data to be there already
+that it can compare to.
+
+Fix this by skipping the update if the inode is being created as the
+creator will presumably set up the inode with the same information.
+
+Fixes: 39db9815da48 ("afs: Fix application of the results of a inline bulk status fetch")
+Signed-off-by: David Howells
+Reviewed-by: Marc Dionne
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/afs/dir.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index 139b4e3cc9464..f4fdf3eaa5709 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -803,7 +803,12 @@ success:
+ continue;
+
+ if (cookie->inodes[i]) {
+- afs_vnode_commit_status(&fc, AFS_FS_I(cookie->inodes[i]),
++ struct afs_vnode *iv = AFS_FS_I(cookie->inodes[i]);
++
++ if (test_bit(AFS_VNODE_UNSET, &iv->flags))
++ continue;
++
++ afs_vnode_commit_status(&fc, iv,
+ scb->cb_break, NULL, scb);
+ continue;
+ }
+--
+2.20.1
+
diff --git a/queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch b/queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
new file mode 100644
index 00000000000..f71f9a5dcfc
--- /dev/null
+++ b/queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
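Review bot: The new `test_bit(AFS_VNODE_UNSET, &iv->flags)` skip inside the `cookie->inodes[i]` branch has no comment, so the reason it is safe to discard the fetched status is recorded only in the commit message. I would add `/* inode is still being set up by a racing lookup; its creator applies the status */` above the test. The enclosing loop and function start and end outside the hunk, so whether the skipped entry needs any other bookkeeping cannot be judged from here.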
@@ -0,0 +1,91 @@
+From da691c3bb533e59afd59b054695dd2786219e0f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Aug 2019 05:38:20 +0200
+Subject: aio: Fix io_pgetevents() struct __compat_aio_sigset layout
+
+From: Guillem Jover
+
+[ Upstream commit 97eba80fcca754856d09e048f469db22773bec68 ]
+
+This type is used to pass the sigset_t from userland to the kernel,
+but it was using the kernel native pointer type for the member
+representing the compat userland pointer to the userland sigset_t.
+
+This messes up the layout, and makes the kernel eat up both the
+userland pointer and the size members into the kernel pointer, and
+then reads garbage into the kernel sigsetsize. Which makes the sigset_t
+size consistency check fail, and consequently the syscall always
+returns -EINVAL.
+
+This breaks both libaio and strace on 32-bit userland running on 64-bit
+kernels. And there are apparently no users in the wild of the current
+broken layout (at least according to codesearch.debian.org and a brief
+check over github.com search). So it looks safe to fix this directly
+in the kernel, instead of either letting userland deal with this
+permanently with the additional overhead or trying to make the syscall
+infer what layout userland used, even though this is also being worked
+around in libaio to temporarily cope with kernels that have not yet
+been fixed.
+
+We use a proper compat_uptr_t instead of a compat_sigset_t pointer.
+
+Fixes: 7a074e96dee6 ("aio: implement io_pgetevents")
+Signed-off-by: Guillem Jover
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/aio.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 01e0fb9ae45ae..0d9a559d488c1 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -2179,7 +2179,7 @@ SYSCALL_DEFINE5(io_getevents_time32, __u32, ctx_id,
+ #ifdef CONFIG_COMPAT
+
+ struct __compat_aio_sigset {
+- compat_sigset_t __user *sigmask;
++ compat_uptr_t sigmask;
+ compat_size_t sigsetsize;
+ };
+
+@@ -2193,7 +2193,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents,
+ struct old_timespec32 __user *, timeout,
+ const struct __compat_aio_sigset __user *, usig)
+ {
+- struct __compat_aio_sigset ksig = { NULL, };
++ struct __compat_aio_sigset ksig = { 0, };
+ struct timespec64 t;
+ bool interrupted;
+ int ret;
+@@ -2204,7 +2204,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents,
+ if (usig && copy_from_user(&ksig, usig, sizeof(ksig)))
+ return -EFAULT;
+
+- ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize);
++ ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize);
+ if (ret)
+ return ret;
+
+@@ -2228,7 +2228,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64,
+ struct __kernel_timespec __user *, timeout,
+ const struct __compat_aio_sigset __user *, usig)
+ {
+- struct __compat_aio_sigset ksig = { NULL, };
++ struct __compat_aio_sigset ksig = { 0, };
+ struct timespec64 t;
+ bool interrupted;
+ int ret;
+@@ -2239,7 +2239,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64,
+ if (usig && copy_from_user(&ksig, usig, sizeof(ksig)))
+ return -EFAULT;
+
+- ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize);
++ ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize);
+ if (ret)
+ return ret;
+
+--
+2.20.1
+
diff --git a/queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch b/queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch
new file mode 100644
index 00000000000..fd3f4cf627a
--- /dev/null
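Review bot: `struct __compat_aio_sigset` is copied straight from user memory with `copy_from_user(&ksig, usig, sizeof(ksig))`, yet nothing in the new definition states or pins the layout that this fix restores. A comment above the struct such as `/* ABI: 32-bit user pointer followed by 32-bit size; never use a native pointer type here */` would document it, and `BUILD_BUG_ON(sizeof(struct __compat_aio_sigset) != 8);` would catch a regression at build time, assuming both compat types are 32 bits wide on every supported architecture. The `compat_ptr(ksig.sigmask)` conversion is applied in both `io_pgetevents` and `io_pgetevents_time64`, whose bodies continue outside the hunks.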
+++ b/queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch
@@ -0,0 +1,36 @@
+From 871b19d8c5d1b2df9277bde10c1d444d184099e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Nov 2019 15:13:49 +0800
+Subject: ALSA: hda: Add Cometlake-S PCI ID
+
+From: Chiou, Cooper
+
+[ Upstream commit b73a58549ea37a44434c7afab3c7ad9af210cfd9 ]
+
+Add HD Audio Device PCI ID for the Intel Cometlake-S platform
+
+Signed-off-by: Chiou, Cooper
+Link: https://lore.kernel.org/r/20191108071349.12840-1-cooper.chiou@intel.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index e1791d01ccc01..46c2b1022495f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2428,6 +2428,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* CometLake-H */
+ { PCI_DEVICE(0x8086, 0x06C8),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ /* CometLake-S */
++ { PCI_DEVICE(0x8086, 0xa3f0),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Icelake */
+ { PCI_DEVICE(0x8086, 0x34c8),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+--
+2.20.1
+
diff --git a/queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch b/queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
new file mode 100644
index 00000000000..5b81f786f94
--- /dev/null
+++ b/queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
@@ -0,0 +1,53 @@
+From adf17c8def113c975c652fac45a04ee1323b801e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 01:17:14 +0800
+Subject: ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
+
+From: paulhsia
+
+[ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ]
+
+If the nullity check for `substream->runtime` is outside of the lock
+region, it is possible to have a null runtime in the critical section
+if snd_pcm_detach_substream is called right before the lock.
+
+Signed-off-by: paulhsia
+Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/pcm_lib.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
+index d80041ea4e01c..2236b5e0c1f25 100644
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1782,11 +1782,14 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
+ struct snd_pcm_runtime *runtime;
+ unsigned long flags;
+
+- if (PCM_RUNTIME_CHECK(substream))
++ if (snd_BUG_ON(!substream))
+ return;
+- runtime = substream->runtime;
+
+ snd_pcm_stream_lock_irqsave(substream, flags);
++ if (PCM_RUNTIME_CHECK(substream))
++ goto _unlock;
++ runtime = substream->runtime;
++
+ if (!snd_pcm_running(substream) ||
+ snd_pcm_update_hw_ptr0(substream, 1) < 0)
+ goto _end;
+@@ -1797,6 +1800,7 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
+ #endif
+ _end:
+ kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
++ _unlock:
+ snd_pcm_stream_unlock_irqrestore(substream, flags);
+ }
+ EXPORT_SYMBOL(snd_pcm_period_elapsed);
+--
+2.20.1
+
diff --git a/queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch b/queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch
new file mode 100644
index 00000000000..5fd4416d9ca
--- /dev/null
+++ b/queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch
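Review bot: Inside the locked region the runtime test is still `PCM_RUNTIME_CHECK(substream)`, which repeats the `!substream` test already made by `snd_BUG_ON(!substream)` and, if it is a `snd_BUG_ON` wrapper as its use here suggests, reports the detach race described in the commit message as a bug. If a NULL runtime is an expected outcome of racing with `snd_pcm_detach_substream`, a quiet `if (!substream->runtime) goto _unlock;` fits better, since a warning on a reachable path is noisy and fatal on systems configured to panic on warnings. The `_unlock:` label also deserves a comment saying that `runtime` is unset on that path, so the `kill_fasync(&runtime->fasync, ...)` call is never moved below it.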
@@ -0,0 +1,40 @@
+From 8d0853a8997beba71105ab0294a4262c15bbb5c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Nov 2019 13:11:41 -0400
+Subject: audit_get_nd(): don't unlock parent too early
+
+From: Al Viro
+
+[ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ]
+
+if the child has been negative and just went positive
+under us, we want coherent d_is_positive() and ->d_inode.
+Don't unlock the parent until we'd done that work...
+
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ kernel/audit_watch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
+index 1f31c2f1e6fc1..4508d5e0cf696 100644
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -351,12 +351,12 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
+ struct dentry *d = kern_path_locked(watch->path, parent);
+ if (IS_ERR(d))
+ return PTR_ERR(d);
+- inode_unlock(d_backing_inode(parent->dentry));
+ if (d_is_positive(d)) {
+ /* update watch filter fields */
+ watch->dev = d->d_sb->s_dev;
+ watch->ino = d_backing_inode(d)->i_ino;
+ }
++ inode_unlock(d_backing_inode(parent->dentry));
+ dput(d);
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch b/queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch
new file mode 100644
index 00000000000..6a16b946d1f
--- /dev/null
+++ b/queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch
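Review bot: The reordered `inode_unlock(d_backing_inode(parent->dentry))` in `audit_get_nd()` carries no comment explaining why it must come after the `d_is_positive(d)` block, so the ordering is easy to undo in a later cleanup. I would add `/* keep the parent locked so d_is_positive() and ->d_inode are read coherently */` above the `if (d_is_positive(d))` test. These are the values written into the audit watch filter, so an incoherent read would leave the watch on the wrong device or inode number.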
@@ -0,0 +1,39 @@
+From 09ddebfa8eb22ec34d98c1aa40982af74b8b4d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2019 00:03:11 -0400
+Subject: autofs: fix a leak in autofs_expire_indirect()
+
+From: Al Viro
+
+[ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ]
+
+if the second call of should_expire() in there ends up
+grabbing and returning a new reference to dentry, we need
+to drop it before continuing.
+
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/autofs/expire.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/autofs/expire.c b/fs/autofs/expire.c
+index cdff0567aacb3..2d01553a6d586 100644
+--- a/fs/autofs/expire.c
++++ b/fs/autofs/expire.c
+@@ -498,9 +498,10 @@ static struct dentry *autofs_expire_indirect(struct super_block *sb,
+ */
+ how &= ~AUTOFS_EXP_LEAVES;
+ found = should_expire(expired, mnt, timeout, how);
+- if (!found || found != expired)
+- /* Something has changed, continue */
++ if (found != expired) { // something has changed, continue
++ dput(found);
+ goto next;
++ }
+
+ if (expired != dentry)
+ dput(dentry);
+--
+2.20.1
+
diff --git a/queue-5.3/block-check-bi_size-overflow-before-merge.patch b/queue-5.3/block-check-bi_size-overflow-before-merge.patch
new file mode 100644
index 00000000000..9180089125f
--- /dev/null
+++ b/queue-5.3/block-check-bi_size-overflow-before-merge.patch
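Review bot: The rewritten test `if (found != expired)` drops the explicit `!found` case and now depends on `dput(found)` being safe when `should_expire()` returned NULL, which the code does not say. The added comment is also written with `//` where the line it replaces used `/* ... */`. I would write the opening line as `if (found != expired) { /* something has changed; found may be NULL, dput() accepts that */` and leave the rest unchanged. The loop this `goto next` belongs to lies outside the hunk.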
@@ -0,0 +1,80 @@
+From 217a02cd87bc541baa1f79f5c2a2ca3fc33548e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2019 07:19:58 +0000
+Subject: block: check bi_size overflow before merge
+
+From: Junichi Nomura
+
+[ Upstream commit e3a5d8e386c3fb973fa75f2403622a8f3640ec06 ]
+
+__bio_try_merge_page() may merge a page to bio without bio_full() check
+and cause bi_size overflow.
+
+The overflow typically ends up with sd_init_command() warning on zero
+segment request with call trace like this:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1986 at drivers/scsi/scsi_lib.c:1025 scsi_init_io+0x156/0x180
+ CPU: 2 PID: 1986 Comm: kworker/2:1H Kdump: loaded Not tainted 5.4.0-rc7 #1
+ Workqueue: kblockd blk_mq_run_work_fn
+ RIP: 0010:scsi_init_io+0x156/0x180
+ RSP: 0018:ffffa11487663bf0 EFLAGS: 00010246
+ RAX: 00000000002be0a0 RBX: ffff8e6e9ff30118 RCX: 0000000000000000
+ RDX: 00000000ffffffe1 RSI: 0000000000000000 RDI: ffff8e6e9ff30118
+ RBP: ffffa11487663c18 R08: ffffa11487663d28 R09: ffff8e6e9ff30150
+ R10: 0000000000000001 R11: 0000000000000000 R12: ffff8e6e9ff30000
+ R13: 0000000000000001 R14: ffff8e74a1cf1800 R15: ffff8e6e9ff30000
+ FS: 0000000000000000(0000) GS:ffff8e6ea7680000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fff18cf0fe8 CR3: 0000000659f0a001 CR4: 00000000001606e0
+ Call Trace:
+ sd_init_command+0x326/0xb40 [sd_mod]
+ scsi_queue_rq+0x502/0xaa0
+ ? blk_mq_get_driver_tag+0xe7/0x120
+ blk_mq_dispatch_rq_list+0x256/0x5a0
+ ? elv_rb_del+0x24/0x30
+ ? deadline_remove_request+0x7b/0xc0
+ blk_mq_do_dispatch_sched+0xa3/0x140
+ blk_mq_sched_dispatch_requests+0xfb/0x170
+ __blk_mq_run_hw_queue+0x81/0x130
+ blk_mq_run_work_fn+0x1b/0x20
+ process_one_work+0x179/0x390
+ worker_thread+0x4f/0x3e0
+ kthread+0x105/0x140
+ ? max_active_store+0x80/0x80
+ ? kthread_bind+0x20/0x20
+ ret_from_fork+0x35/0x40
+ ---[ end trace f9036abf5af4a4d3 ]---
+ blk_update_request: I/O error, dev sdd, sector 2875552 op 0x1:(WRITE) flags 0x0 phys_seg 0 prio class 0
+ XFS (sdd1): writeback error on sector 2875552
+
+__bio_try_merge_page() should check the overflow before actually doing
+merge.
+
+Fixes: 07173c3ec276c ("block: enable multipage bvecs")
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Ming Lei
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Jun'ichi Nomura
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index 299a0e7651ec0..31d56e7e2ce05 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -769,7 +769,7 @@ bool __bio_try_merge_page(struct bio *bio, struct page *page,
+ if (WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED)))
+ return false;
+
+- if (bio->bi_vcnt > 0) {
++ if (bio->bi_vcnt > 0 && !bio_full(bio, len)) {
+ struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
+
+ if (page_is_mergeable(bv, page, len, off, same_page)) {
+--
+2.20.1
+
diff --git a/queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch b/queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch
new file mode 100644
index 00000000000..b49173a22bd
--- /dev/null
+++ b/queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch
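Review bot: `!bio_full(bio, len)` is a broader condition than the `bi_size` overflow named in the subject if `bio_full()` also reports a full vector table; its definition is not in the hunk, so this needs checking. In that case `__bio_try_merge_page()` stops merging into the last bvec once `bi_vcnt` reaches its maximum, although such a merge consumes no new vector. A size-only guard such as `if (bio->bi_vcnt > 0 && bio->bi_iter.bi_size <= UINT_MAX - len) {` would limit the change to the overflow. Either way the condition deserves a comment naming the unsigned wrap it prevents, and the function body continues past the end of the hunk.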
@@ -0,0 +1,40 @@
+From 39475ab8f5905b1cb942655a71895fe099c38d0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Nov 2019 11:53:27 -0500
+Subject: cgroup: don't put ERR_PTR() into fc->root
+
+From: Al Viro
+
+[ Upstream commit 630faf81b3e61bcc90dc6d8b497800657d2752a5 ]
+
+the caller of ->get_tree() expects NULL left there on error...
+
+Reported-by: Thibaut Sautereau
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/cgroup.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 8be1da1ebd9a4..f23862fa15146 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2119,11 +2119,12 @@ int cgroup_do_get_tree(struct fs_context *fc)
+
+ nsdentry = kernfs_node_dentry(cgrp->kn, sb);
+ dput(fc->root);
+- fc->root = nsdentry;
+ if (IS_ERR(nsdentry)) {
+- ret = PTR_ERR(nsdentry);
+ deactivate_locked_super(sb);
++ ret = PTR_ERR(nsdentry);
++ nsdentry = NULL;
+ }
++ fc->root = nsdentry;
+ }
+
+ if (!ctx->kfc.new_sb_created)
+--
+2.20.1
+
diff --git a/queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch b/queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
new file mode 100644
index 00000000000..5c2f7c3a881
--- /dev/null
+++ b/queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
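Review bot: The contract this change enforces, that `fc->root` must be NULL and never an `ERR_PTR` when `cgroup_do_get_tree()` fails, is written down only in the commit message. A comment at the final assignment, for example `/* ->get_tree() callers expect fc->root to be NULL on error, never an ERR_PTR */`, would keep the `nsdentry = NULL;` line from looking redundant to a later reader. The function begins and continues outside the hunk.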
@@ -0,0 +1,44 @@
+From 5d22fe7118450ff5b51def32fc370c685caea73e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 13:27:25 +0000
+Subject: drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
+
+From: Yunhao Tian
+
+[ Upstream commit 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 ]
+
+The datasheet of V3s (and various other chips) wrote
+that TCON0_DCLK_DIV can be >= 1 if only dclk is used,
+and must >= 6 if dclk1 or dclk2 is used. As currently
+neither dclk1 nor dclk2 is used (no writes to these
+bits), let's set minimal division to 1.
+
+If this minimal division is 6, some common dot clock
+frequencies can't be produced (e.g. 30MHz will not be
+possible and will fallback to 25MHz), which is
+obviously not an expected behaviour.
+
+Signed-off-by: Yunhao Tian
+Signed-off-by: Maxime Ripard
+Link: https://lore.kernel.org/linux-arm-kernel/MN2PR08MB57905AD8A00C08DA219377C989760@MN2PR08MB5790.namprd08.prod.outlook.com/
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+index df0cc8f46d7bd..3491c4c7659e4 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -486,7 +486,7 @@ static void sun4i_tcon0_mode_set_rgb(struct sun4i_tcon *tcon,
+
+ WARN_ON(!tcon->quirks->has_channel_0);
+
+- tcon->dclk_min_div = 6;
++ tcon->dclk_min_div = 1;
+ tcon->dclk_max_div = 127;
+ sun4i_tcon0_mode_set_common(tcon, mode);
+
+--
+2.20.1
+
diff --git a/queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch b/queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
new file mode 100644
index 00000000000..c74101b4dd9
--- /dev/null
+++ b/queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
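Review bot: `tcon->dclk_min_div = 1;` in `sun4i_tcon0_mode_set_rgb()` is a bare constant whose validity depends on a condition recorded only in the commit message, namely that the datasheet is said to require a divider of at least 6 once dclk1 or dclk2 is used. I would add `/* dclk1/dclk2 are unused, so the divider may go down to 1; the datasheet requires >= 6 otherwise */` above the assignment, so the value is revisited if those clocks are ever enabled. The function continues outside the hunk.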
@@ -0,0 +1,173 @@
+From 6a92e5c09664cf18c06fd627cc93cb82d06ca3a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Nov 2019 12:07:15 -0500
+Subject: ecryptfs: fix unlink and rmdir in face of underlying fs modifications
+
+From: Al Viro
+
+[ Upstream commit bcf0d9d4b76976f892154efdfc509b256fd898e8 ]
+
+A problem similar to the one caught in commit 74dd7c97ea2a ("ecryptfs_rename():
+verify that lower dentries are still OK after lock_rename()") exists for
+unlink/rmdir as well.
+
+Instead of playing with dget_parent() of underlying dentry of victim
+and hoping it's the same as underlying dentry of our directory,
+do the following:
+ * find the underlying dentry of victim
+ * find the underlying directory of victim's parent (stable
+since the victim is ecryptfs dentry and inode of its parent is
+held exclusive by the caller).
+ * lock the inode of dentry underlying the victim's parent
+ * check that underlying dentry of victim is still hashed and
+has the right parent - it can be moved, but it can't be moved to/from
+the directory we are holding exclusive. So while ->d_parent itself
+might not be stable, the result of comparison is.
+
+If the check passes, everything is fine - underlying directory is locked,
+underlying victim is still a child of that directory and we can go ahead
+and feed them to vfs_unlink(). As in the current mainline we need to
+pin the underlying dentry of victim, so that it wouldn't go negative under
+us, but that's the only temporary reference that needs to be grabbed there.
+Underlying dentry of parent won't go away (it's pinned by the parent,
+which is held by caller), so there's no need to grab it.
+
+The same problem (with the same solution) exists for rmdir. Moreover,
+rename gets simpler and more robust with the same "don't bother with
+dget_parent()" approach.
+
+Fixes: 74dd7c97ea2 "ecryptfs_rename(): verify that lower dentries are still OK after lock_rename()"
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/ecryptfs/inode.c | 65 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
+index 0c7ea4596202a..e23752d9a79f3 100644
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -128,13 +128,20 @@ static int ecryptfs_do_unlink(struct inode *dir, struct dentry *dentry,
+ struct inode *inode)
+ {
+ struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
+- struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ struct dentry *lower_dir_dentry;
++ struct inode *lower_dir_inode;
+ int rc;
+
+- dget(lower_dentry);
+- lower_dir_dentry = lock_parent(lower_dentry);
+- rc = vfs_unlink(lower_dir_inode, lower_dentry, NULL);
++ lower_dir_dentry = ecryptfs_dentry_to_lower(dentry->d_parent);
++ lower_dir_inode = d_inode(lower_dir_dentry);
++ inode_lock_nested(lower_dir_inode, I_MUTEX_PARENT);
++ dget(lower_dentry); // don't even try to make the lower negative
++ if (lower_dentry->d_parent != lower_dir_dentry)
++ rc = -EINVAL;
++ else if (d_unhashed(lower_dentry))
++ rc = -EINVAL;
++ else
++ rc = vfs_unlink(lower_dir_inode, lower_dentry, NULL);
+ if (rc) {
+ printk(KERN_ERR "Error in vfs_unlink; rc = [%d]\n", rc);
+ goto out_unlock;
+@@ -142,10 +149,11 @@ static int ecryptfs_do_unlink(struct inode *dir, struct dentry *dentry,
+ fsstack_copy_attr_times(dir, lower_dir_inode);
+ set_nlink(inode, ecryptfs_inode_to_lower(inode)->i_nlink);
+ inode->i_ctime = dir->i_ctime;
+- d_drop(dentry);
+ out_unlock:
+- unlock_dir(lower_dir_dentry);
+ dput(lower_dentry);
++ inode_unlock(lower_dir_inode);
++ if (!rc)
++ d_drop(dentry);
+ return rc;
+ }
+
+@@ -519,22 +527,30 @@ static int ecryptfs_rmdir(struct inode *dir, struct dentry *dentry)
+ {
+ struct dentry *lower_dentry;
+ struct dentry *lower_dir_dentry;
++ struct inode *lower_dir_inode;
+ int rc;
+
+ lower_dentry = ecryptfs_dentry_to_lower(dentry);
+- dget(dentry);
+- lower_dir_dentry = lock_parent(lower_dentry);
+- dget(lower_dentry);
+- rc = vfs_rmdir(d_inode(lower_dir_dentry), lower_dentry);
+- dput(lower_dentry);
+- if (!rc && d_really_is_positive(dentry))
++ lower_dir_dentry = ecryptfs_dentry_to_lower(dentry->d_parent);
++ lower_dir_inode = d_inode(lower_dir_dentry);
++
++ inode_lock_nested(lower_dir_inode, I_MUTEX_PARENT);
++ dget(lower_dentry); // don't even try to make the lower negative
++ if (lower_dentry->d_parent != lower_dir_dentry)
++ rc = -EINVAL;
++ else if (d_unhashed(lower_dentry))
++ rc = -EINVAL;
++ else
++ rc = vfs_rmdir(lower_dir_inode, lower_dentry);
++ if (!rc) {
+ clear_nlink(d_inode(dentry));
+- fsstack_copy_attr_times(dir, d_inode(lower_dir_dentry));
+- set_nlink(dir, d_inode(lower_dir_dentry)->i_nlink);
+- unlock_dir(lower_dir_dentry);
++ fsstack_copy_attr_times(dir, lower_dir_inode);
++ set_nlink(dir, lower_dir_inode->i_nlink);
++ }
++ dput(lower_dentry);
++ inode_unlock(lower_dir_inode);
+ if (!rc)
+ d_drop(dentry);
+- dput(dentry);
+ return rc;
+ }
+
+@@ -572,20 +588,22 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ struct dentry *lower_new_dentry;
+ struct dentry *lower_old_dir_dentry;
+ struct dentry *lower_new_dir_dentry;
+- struct dentry *trap = NULL;
++ struct dentry *trap;
+ struct inode *target_inode;
+
+ if (flags)
+ return -EINVAL;
+
++ lower_old_dir_dentry = ecryptfs_dentry_to_lower(old_dentry->d_parent);
++ lower_new_dir_dentry = ecryptfs_dentry_to_lower(new_dentry->d_parent);
++
+ lower_old_dentry = ecryptfs_dentry_to_lower(old_dentry);
+ lower_new_dentry = ecryptfs_dentry_to_lower(new_dentry);
+- dget(lower_old_dentry);
+- dget(lower_new_dentry);
+- lower_old_dir_dentry = dget_parent(lower_old_dentry);
+- lower_new_dir_dentry = dget_parent(lower_new_dentry);
++
+ target_inode = d_inode(new_dentry);
++
+ trap = lock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
++ dget(lower_new_dentry);
+ rc = -EINVAL;
+ if (lower_old_dentry->d_parent != lower_old_dir_dentry)
+ goto out_lock;
+@@ -613,11 +631,8 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if (new_dir != old_dir)
+ fsstack_copy_attr_all(old_dir, d_inode(lower_old_dir_dentry));
+ out_lock:
+- unlock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
+- dput(lower_new_dir_dentry);
+- dput(lower_old_dir_dentry);
+ dput(lower_new_dentry);
+- dput(lower_old_dentry);
++ unlock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
+ return rc;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch b/queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch
new file mode 100644
index 00000000000..1c97819074e
--- /dev/null
+++ b/queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch
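Review bot: In `ecryptfs_do_unlink()` the two new validity checks set `rc = -EINVAL` without ever calling `vfs_unlink()`, yet the failure is still logged as `"Error in vfs_unlink; rc = [%d]\n"`, which sends whoever reads the log to the wrong layer when the lower filesystem was modified underneath eCryptfs. I would fold the checks into `if (lower_dentry->d_parent != lower_dir_dentry || d_unhashed(lower_dentry))` and give that branch its own message, or reword the existing one so it covers both causes. The same pair of checks is repeated in `ecryptfs_rmdir()`, and a short comment there stating that the comparison is stable only because the lower parent inode is locked would carry the commit message's reasoning into the code.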
@@ -0,0 +1,69 @@ +From 3dd2f011de395b359a52a7e42ffae784ea455bd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 22:08:29 -0500 +Subject: exportfs_decode_fh(): negative pinned may become positive without the + parent locked + +From: Al Viro + +[ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/exportfs/expfs.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c +index f0e549783caf9..ba6de72a3e34a 100644 +--- a/fs/exportfs/expfs.c ++++ b/fs/exportfs/expfs.c +@@ -519,26 +519,33 @@ struct dentry *exportfs_decode_fh(struct vfsmount *mnt, struct fid *fid, + * inode is actually connected to the parent. + */ + err = exportfs_get_name(mnt, target_dir, nbuf, result); +- if (!err) { +- inode_lock(target_dir->d_inode); +- nresult = lookup_one_len(nbuf, target_dir, +- strlen(nbuf)); +- inode_unlock(target_dir->d_inode); +- if (!IS_ERR(nresult)) { +- if (nresult->d_inode) { +- dput(result); +- result = nresult; +- } else +- dput(nresult); +- } ++ if (err) { ++ dput(target_dir); ++ goto err_result; + } + ++ inode_lock(target_dir->d_inode); ++ nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf)); ++ if (!IS_ERR(nresult)) { ++ if (unlikely(nresult->d_inode != result->d_inode)) { ++ dput(nresult); ++ nresult = ERR_PTR(-ESTALE); ++ } ++ } ++ inode_unlock(target_dir->d_inode); + /* + * At this point we are done with the parent, but it's pinned + * by the child dentry anyway. + */ + dput(target_dir); + ++ if (IS_ERR(nresult)) { ++ err = PTR_ERR(nresult); ++ goto err_result; ++ } ++ dput(result); ++ result = nresult; ++ + /* + * And finally make sure the dentry is actually acceptable + * to NFSD. +-- +2.20.1 + diff --git a/queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch b/queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch new file mode 100644 index 00000000000..b111058e686 
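Review bot: The new `nresult->d_inode != result->d_inode` test in exportfs_decode_fh() carries no comment, and the patch description has no body, so the reason the comparison must happen before `inode_unlock(target_dir->d_inode)` is only recoverable from the subject line. I would add above the test `/* still under the parent lock: a name that now resolves to a negative dentry or to another inode means the handle is stale */`. The early `dput(target_dir); goto err_result;` path also relies on the err_result label, which is outside this hunk, not dropping target_dir a second time; that should be confirmed against the full function.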
--- /dev/null +++ b/queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch @@ -0,0 +1,43 @@ +From 76b16e1fca0ee52197b918d3042dc1f694f0a126 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 16:36:48 +0800 +Subject: i2c: core: fix use after free in of_i2c_notify + +From: Wen Yang + +[ Upstream commit a4c2fec16f5e6a5fee4865e6e0e91e2bc2d10f37 ] + +We can't use "adap->dev" after it has been freed. + +Fixes: 5bf4fa7daea6 ("i2c: break out OF support into separate file") +Signed-off-by: Wen Yang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-of.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c +index d1c48dec7118e..9b2fce4906c41 100644 +--- a/drivers/i2c/i2c-core-of.c ++++ b/drivers/i2c/i2c-core-of.c +@@ -250,14 +250,14 @@ static int of_i2c_notify(struct notifier_block *nb, unsigned long action, + } + + client = of_i2c_register_device(adap, rd->dn); +- put_device(&adap->dev); +- + if (IS_ERR(client)) { + dev_err(&adap->dev, "failed to create client for '%pOF'\n", + rd->dn); ++ put_device(&adap->dev); + of_node_clear_flag(rd->dn, OF_POPULATED); + return notifier_from_errno(PTR_ERR(client)); + } ++ put_device(&adap->dev); + break; + case OF_RECONFIG_CHANGE_REMOVE: + /* already depopulated? */ +-- +2.20.1 + diff --git a/queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch b/queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..eeeb3ecb0f6 --- /dev/null +++ b/queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch 
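Review bot: In of_i2c_notify() the reference on `adap` is now dropped by two separate `put_device(&adap->dev)` calls, one per path, and nothing in the code says that the one in the error branch must stay below `dev_err(&adap->dev, ...)`. A short comment on it, `/* adap->dev is used by dev_err() above, drop the reference last */`, would keep a later tidy-up from hoisting the call back above the IS_ERR() check and reintroducing the use after free. The function starts and ends outside this hunk, so where the reference is taken is not visible here.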
@@ -0,0 +1,51 @@ +From 3abaeaecfe6bc6a74da3c3efcf29e1444625cfa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 17:04:54 -0800 +Subject: Input: cyttsp4_core - fix use after free bug + +From: Pan Bian + +[ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ] + +The device md->input is used after it is released. Setting the device +data to NULL is unnecessary as the device is never used again. Instead, +md->input should be assigned NULL to avoid accessing the freed memory +accidently. Besides, checking md->si against NULL is superfluous as it +points to a variable address, which cannot be NULL. + +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/cyttsp4_core.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c +index 4b22d49a0f49a..6bcffc930384a 100644 +--- a/drivers/input/touchscreen/cyttsp4_core.c ++++ b/drivers/input/touchscreen/cyttsp4_core.c +@@ -1990,11 +1990,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd) + + /* get sysinfo */ + md->si = &cd->sysinfo; +- if (!md->si) { +- dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n", +- __func__, md->si); +- goto error_get_sysinfo; +- } + + rc = cyttsp4_setup_input_device(cd); + if (rc) +@@ -2004,8 +1999,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd) + + error_init_input: + input_free_device(md->input); +-error_get_sysinfo: +- input_set_drvdata(md->input, NULL); + error_alloc_failed: + dev_err(dev, "%s failed.\n", __func__); + return rc; +-- +2.20.1 + diff --git a/queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch b/queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch new file mode 100644 index 00000000000..9e987978a33 --- /dev/null +++ b/queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch 
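Review bot: After `input_free_device(md->input)` at the error_init_input label, `md->input` still holds the freed pointer: the description says it should be assigned NULL, but neither hunk adds that assignment. If `md` outlives a failed cyttsp4_mt_probe() (it looks like it is embedded in `cd`, given `md->si = &cd->sysinfo`, but its declaration is outside the hunks), a line `md->input = NULL;` directly after the free would turn any later access into a NULL check or a clean fault instead of a read of freed memory. Either add it or adjust the description so the two agree.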
@@ -0,0 +1,90 @@ +From e3967213ce45315781071a325ab79e204cc84018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 13:51:47 +0200 +Subject: iwlwifi: pcie: don't consider IV len in A-MSDU + +From: Mordechay Goodstein + +[ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ] + +From gen2 PN is totally offloaded to hardware (also the space for the +IV isn't part of the skb). As you can see in mvm/mac80211.c:3545, the +MAC for cipher types CCMP/GCMP doesn't set +IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs. + +This causes all the AMSDU data to be corrupted with cipher enabled. + +Signed-off-by: Mordechay Goodstein +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++++++------------ + 1 file changed, 7 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c +index 9ef6b8fe03c1b..0fbf8c1d5c98b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c +@@ -252,27 +252,23 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans, + struct ieee80211_hdr *hdr = (void *)skb->data; + unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room; + unsigned int mss = skb_shinfo(skb)->gso_size; +- u16 length, iv_len, amsdu_pad; ++ u16 length, amsdu_pad; + u8 *start_hdr; + struct iwl_tso_hdr_page *hdr_page; + struct page **page_ptr; + struct tso_t tso; + +- /* if the packet is protected, then it must be CCMP or GCMP */ +- iv_len = ieee80211_has_protected(hdr->frame_control) ? 
+- IEEE80211_CCMP_HDR_LEN : 0; +- + trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd), + &dev_cmd->hdr, start_len, 0); + + ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb); + snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb); +- total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len - iv_len; ++ total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len; + amsdu_pad = 0; + + /* total amount of header we may need for this A-MSDU */ + hdr_room = DIV_ROUND_UP(total_len, mss) * +- (3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)) + iv_len; ++ (3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)); + + /* Our device supports 9 segments at most, it will fit in 1 page */ + hdr_page = get_page_hdr(trans, hdr_room); +@@ -283,14 +279,12 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans, + start_hdr = hdr_page->pos; + page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs); + *page_ptr = hdr_page->page; +- memcpy(hdr_page->pos, skb->data + hdr_len, iv_len); +- hdr_page->pos += iv_len; + + /* +- * Pull the ieee80211 header + IV to be able to use TSO core, ++ * Pull the ieee80211 header to be able to use TSO core, + * we will restore it for the tx_status flow. + */ +- skb_pull(skb, hdr_len + iv_len); ++ skb_pull(skb, hdr_len); + + /* + * Remove the length of all the headers that we don't actually +@@ -365,8 +359,8 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans, + } + } + +- /* re -add the WiFi header and IV */ +- skb_push(skb, hdr_len + iv_len); ++ /* re -add the WiFi header */ ++ skb_push(skb, hdr_len); + + return 0; + +-- +2.20.1 + diff --git a/queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch b/queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch new file mode 100644 index 00000000000..74dce2fe374 --- /dev/null +++ b/queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch 
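Review bot: `total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;` in iwl_pcie_gen2_build_amsdu() is unsigned arithmetic with no lower-bound check in the visible lines, so an skb shorter than its headers would wrap to a very large value, and `DIV_ROUND_UP(total_len, mss)` then sizes `hdr_room` from it (dividing by `gso_size`, which is not checked for zero here either). The callers may already guarantee both, but that is outside these hunks; if they do not, a guard before the subtraction such as `if (!mss || skb->len < snap_ip_tcp_hdrlen + hdr_len) return -EINVAL;` would back up the "it will fit in 1 page" comment. The function body starts and ends outside the hunks, so the error value should be matched to its existing failure paths.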
@@ -0,0 +1,99 @@ +From 5452d0fb60540c7aa1e25f041413a1fff051f6e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 10:46:04 +0100 +Subject: MIPS: SGI-IP27: fix exception handler replication + +From: Thomas Bogendoerfer + +[ Upstream commit 637346748245e94c877aa746e6fe0d7079b7736a ] + +Commit 775b089aeffa ("MIPS: tlbex: Remove cpu_has_local_ebase") removed +generating tlb refill handlers for every CPU, which was needed for +generating per node exception handlers on IP27. Instead of resurrecting +(and fixing) refill handler generation, we simply copy all exception +vectors from the boot node to the other nodes. Also remove the config +option since the memory tradeoff for expection handler replication +is just 8k per node. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: Paul Burton +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/sgi-ip27/Kconfig | 7 ------- + arch/mips/sgi-ip27/ip27-init.c | 21 ++++++--------------- + arch/mips/sgi-ip27/ip27-memory.c | 4 ---- + 3 files changed, 6 insertions(+), 26 deletions(-) + +diff --git a/arch/mips/sgi-ip27/Kconfig b/arch/mips/sgi-ip27/Kconfig +index ef3847e7aee02..e5b6cadbec857 100644 +--- a/arch/mips/sgi-ip27/Kconfig ++++ b/arch/mips/sgi-ip27/Kconfig +@@ -38,10 +38,3 @@ config REPLICATE_KTEXT + Say Y here to enable replicating the kernel text across multiple + nodes in a NUMA cluster. This trades memory for speed. + +-config REPLICATE_EXHANDLERS +- bool "Exception handler replication support" +- depends on SGI_IP27 +- help +- Say Y here to enable replicating the kernel exception handlers +- across multiple nodes in a NUMA cluster. This trades memory for +- speed. 
+diff --git a/arch/mips/sgi-ip27/ip27-init.c b/arch/mips/sgi-ip27/ip27-init.c +index 066b33f50bcc4..db58ebf02870f 100644 +--- a/arch/mips/sgi-ip27/ip27-init.c ++++ b/arch/mips/sgi-ip27/ip27-init.c +@@ -69,23 +69,14 @@ static void per_hub_init(cnodeid_t cnode) + + hub_rtc_init(cnode); + +-#ifdef CONFIG_REPLICATE_EXHANDLERS +- /* +- * If this is not a headless node initialization, +- * copy over the caliased exception handlers. +- */ +- if (get_compact_nodeid() == cnode) { +- extern char except_vec2_generic, except_vec3_generic; +- extern void build_tlb_refill_handler(void); +- +- memcpy((void *)(CKSEG0 + 0x100), &except_vec2_generic, 0x80); +- memcpy((void *)(CKSEG0 + 0x180), &except_vec3_generic, 0x80); +- build_tlb_refill_handler(); +- memcpy((void *)(CKSEG0 + 0x100), (void *) CKSEG0, 0x80); +- memcpy((void *)(CKSEG0 + 0x180), &except_vec3_generic, 0x100); ++ if (nasid) { ++ /* copy exception handlers from first node to current node */ ++ memcpy((void *)NODE_OFFSET_TO_K0(nasid, 0), ++ (void *)CKSEG0, 0x200); + __flush_cache_all(); ++ /* switch to node local exception handlers */ ++ REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_8K); + } +-#endif + } + + void per_cpu_init(void) +diff --git a/arch/mips/sgi-ip27/ip27-memory.c b/arch/mips/sgi-ip27/ip27-memory.c +index fb077a9475756..8624a885d95bf 100644 +--- a/arch/mips/sgi-ip27/ip27-memory.c ++++ b/arch/mips/sgi-ip27/ip27-memory.c +@@ -332,11 +332,7 @@ static void __init mlreset(void) + * thinks it is a node 0 address. + */ + REMOTE_HUB_S(nasid, PI_REGION_PRESENT, (region_mask | 1)); +-#ifdef CONFIG_REPLICATE_EXHANDLERS +- REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_8K); +-#else + REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_0); +-#endif + + #ifdef LATER + /* +-- +2.20.1 + diff --git a/queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch b/queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch new file mode 100644 index 00000000000..61320da9b6e --- /dev/null 
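Review bot: The `memcpy(..., (void *)CKSEG0, 0x200)` added to per_hub_init() uses a bare length, while the removed code wrote as far as offset 0x180 + 0x100 and the description speaks of 8k per node, so a reader cannot tell whether 0x200 bytes covers every vector the boot node installed. A named constant, or a comment such as `/* exception vectors at CKSEG0 + 0x000 .. 0x1ff */` if that is the intended range, would pin it down. `nasid` is declared outside the hunk; the `if (nasid)` test presumably skips the boot node and deserves the same one-line explanation.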
+++ b/queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch @@ -0,0 +1,46 @@ +From 6ddb5a439d580f171b2645c35ca9a082f7fdd4af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 23:43:24 +0800 +Subject: net: ep93xx_eth: fix mismatch of request_mem_region in remove + +From: Chuhong Yuan + +[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ] + +The driver calls release_resource in remove to match request_mem_region +in probe, which is incorrect. +Fix it by using the right one, release_mem_region. + +Signed-off-by: Chuhong Yuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c +index f1a0c4dceda0c..f37c9a08c4cf5 100644 +--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c ++++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c +@@ -763,6 +763,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev) + { + struct net_device *dev; + struct ep93xx_priv *ep; ++ struct resource *mem; + + dev = platform_get_drvdata(pdev); + if (dev == NULL) +@@ -778,8 +779,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev) + iounmap(ep->base_addr); + + if (ep->res != NULL) { +- release_resource(ep->res); +- kfree(ep->res); ++ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ release_mem_region(mem->start, resource_size(mem)); + } + + free_netdev(dev); +-- +2.20.1 + diff --git a/queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch b/queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch new file mode 100644 index 00000000000..2c47b19997a --- /dev/null +++ b/queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch 
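Review bot: In ep93xx_eth_remove() the result of `platform_get_resource(pdev, IORESOURCE_MEM, 0)` is dereferenced as `mem->start` without a NULL check; the surrounding guard tests `ep->res`, not `mem`. Probe presumably obtained the same resource successfully (not visible in these hunks), so this is unlikely to fire, but the call can return NULL and the check costs one line: `if (mem) release_mem_region(mem->start, resource_size(mem));`. The function continues outside the hunk.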
@@ -0,0 +1,40 @@ +From 5b972102e92bd9f4a68921cc05ae66429b3d8694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 10:32:41 +0800 +Subject: net: hns3: fix ETS bandwidth validation bug + +From: Yonglong Liu + +[ Upstream commit c2d56897819338eb0ba8b93184f7d10329b36653 ] + +Some device only support 4 TCs, but the driver check the total +bandwidth of 8 TCs, so may cause wrong configurations write to +the hw. + +This patch uses hdev->tc_max to instead HNAE3_MAX_TC to fix it. + +Fixes: e432abfb99e5 ("net: hns3: add common validation in hclge_dcb") +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index d9136a199d8db..f5c323e798343 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -124,7 +124,7 @@ static int hclge_ets_validate(struct hclge_dev *hdev, struct ieee_ets *ets, + if (ret) + return ret; + +- for (i = 0; i < HNAE3_MAX_TC; i++) { ++ for (i = 0; i < hdev->tc_max; i++) { + switch (ets->tc_tsa[i]) { + case IEEE_8021QAZ_TSA_STRICT: + if (hdev->tm_info.tc_info[i].tc_sch_mode != +-- +2.20.1 + diff --git a/queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch b/queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch new file mode 100644 index 00000000000..0b2fd7325ea --- /dev/null +++ b/queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch 
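Review bot: `hdev->tc_max` now bounds the index into `ets->tc_tsa[]` and `hdev->tm_info.tc_info[]` in hclge_ets_validate(), where the old bound was the constant HNAE3_MAX_TC. Where tc_max is assigned is not visible in this hunk; unless it is already limited to HNAE3_MAX_TC there, a clamp in the loop, `for (i = 0; i < hdev->tc_max && i < HNAE3_MAX_TC; i++)`, keeps a bad capability value from indexing past the arrays. The entries from tc_max up to HNAE3_MAX_TC are also no longer examined, so it should be confirmed (the rest of the loop body is outside the hunk) that a request configuring those unsupported TCs is still rejected and does not reach the hardware.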
@@ -0,0 +1,63 @@ +From 7694df1583a71a857913ae4e181b655aecf998be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 10:32:40 +0800 +Subject: net: hns3: reallocate SSU' buffer size when pfc_en changes + +From: Yunsheng Lin + +[ Upstream commit aea8cfb35a82d6c2f3517c86694933ba766635e5 ] + +When a TC's PFC is disabled or enabled, the RX private buffer for +this TC need to be changed too, otherwise this may cause packet +dropped problem. + +This patch fixes it by calling hclge_buffer_alloc to reallocate +buffer when pfc_en changes. + +Fixes: cacde272dd00 ("net: hns3: Add hclge_dcb module for the support of DCB feature") +Signed-off-by: Yunsheng Lin +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index bac4ce13f6ae4..d9136a199d8db 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -302,6 +302,7 @@ static int hclge_ieee_setpfc(struct hnae3_handle *h, struct ieee_pfc *pfc) + struct hclge_vport *vport = hclge_get_vport(h); + struct hclge_dev *hdev = vport->back; + u8 i, j, pfc_map, *prio_tc; ++ int ret; + + if (!(hdev->dcbx_cap & DCB_CAP_DCBX_VER_IEEE) || + hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE) +@@ -327,7 +328,21 @@ static int hclge_ieee_setpfc(struct hnae3_handle *h, struct ieee_pfc *pfc) + + hclge_tm_pfc_info_update(hdev); + +- return hclge_pause_setup_hw(hdev, false); ++ ret = hclge_pause_setup_hw(hdev, false); ++ if (ret) ++ return ret; ++ ++ ret = hclge_notify_client(hdev, HNAE3_DOWN_CLIENT); ++ if (ret) ++ return ret; ++ ++ ret = hclge_buffer_alloc(hdev); ++ if (ret) { ++ hclge_notify_client(hdev, HNAE3_UP_CLIENT); ++ return ret; ++ } ++ ++ return hclge_notify_client(hdev, 
HNAE3_UP_CLIENT); + } + + /* DCBX configuration */ +-- +2.20.1 + diff --git a/queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch b/queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch new file mode 100644 index 00000000000..8b8c2761ad0 --- /dev/null +++ b/queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch 
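Review bot: In hclge_ieee_setpfc() the new `hclge_notify_client(hdev, HNAE3_DOWN_CLIENT)` failure path returns without the matching HNAE3_UP_CLIENT call, while the `hclge_buffer_alloc()` failure path just below does send it. If the down notification can fail after some clients were already stopped (not visible here), the device stays down with the PFC state from `hclge_tm_pfc_info_update()` already applied; mirroring the later path, `if (ret) { hclge_notify_client(hdev, HNAE3_UP_CLIENT); return ret; }`, or a comment saying why that is unnecessary, would settle it. The return value of the UP call in the error path is dropped, which looks deliberate but should be stated in a comment.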
@@ -0,0 +1,73 @@ +From 31a0c3fec77fb6e403d6e1d560f9070281a4905b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 17:19:15 +0100 +Subject: NFC: nxp-nci: Fix NULL pointer dereference after I2C communication + error + +From: Stephan Gerhold + +[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ] + +I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci +result in a NULL pointer dereference at the moment: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + Oops: 0002 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1 + RIP: 0010:skb_queue_tail+0x25/0x50 + Call Trace: + nci_recv_frame+0x36/0x90 [nci] + nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c] + ? preempt_count_add+0x68/0xa0 + ? irq_forced_thread_fn+0x80/0x80 + irq_thread_fn+0x20/0x60 + irq_thread+0xee/0x180 + ? wake_threads_waitq+0x30/0x30 + kthread+0xfb/0x130 + ? irq_thread_check_affinity+0xd0/0xd0 + ? kthread_park+0x90/0x90 + ret_from_fork+0x1f/0x40 + +Afterward the kernel must be rebooted to work properly again. + +This happens because it attempts to call nci_recv_frame() with skb == NULL. +However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any +NULL checks for skb, causing the NULL pointer dereference. + +Change the code to call only nxp_nci_fw_recv_frame() in case of an error. +Make sure to log it so it is obvious that a communication error occurred. +The error above then becomes: + + nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 + nci: __nci_request: wait_for_completion_interruptible_timeout failed 0 + nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 + +Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") +Signed-off-by: Stephan Gerhold +Reviewed-by: Andy Shevchenko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/nxp-nci/i2c.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c +index 4aeb3861b4095..6c468899f2ffe 100644 +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -225,8 +225,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id) + + if (r == -EREMOTEIO) { + phy->hard_fault = r; +- skb = NULL; +- } else if (r < 0) { ++ if (info->mode == NXP_NCI_MODE_FW) ++ nxp_nci_fw_recv_frame(phy->ndev, NULL); ++ } ++ if (r < 0) { + nfc_err(&client->dev, "Read failed with error %d\n", r); + goto exit_irq_handled; + } +-- +2.20.1 + diff --git a/queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch b/queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch new file mode 100644 index 00000000000..d72aa127593 --- /dev/null +++ b/queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch 
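Review bot: The new `if (info->mode == NXP_NCI_MODE_FW)` branch in nxp_nci_i2c_irq_thread_fn() is the core of the fix, yet the reason only firmware mode is notified is given in the description alone. A comment above it, `/* nxp_nci_fw_recv_frame() accepts a NULL skb to signal the fault; nci_recv_frame() does not */`, would stop a later change from handing NULL to the NCI core again. `info` and the later mode dispatch are outside this hunk, so it should also be confirmed that nothing after exit_irq_handled reads `skb`, which this path no longer sets.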
@@ -0,0 +1,55 @@ +From 4b5171c667658449a2826f49b4aa7924fa14794b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 09:57:02 +0200 +Subject: perf/core: Consistently fail fork on allocation failures + +From: Alexander Shishkin + +[ Upstream commit 697d877849d4b34ab58d7078d6930bad0ef6fc66 ] + +Commit: + + 313ccb9615948 ("perf: Allocate context task_ctx_data for child event") + +makes the inherit path skip over the current event in case of task_ctx_data +allocation failure. This, however, is inconsistent with allocation failures +in perf_event_alloc(), which would abort the fork. + +Correct this by returning an error code on task_ctx_data allocation +failure and failing the fork in that case. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: David Ahern +Cc: Jiri Olsa +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: https://lkml.kernel.org/r/20191105075702.60319-1-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 53173883513c1..25942e43b8d48 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -11719,7 +11719,7 @@ inherit_event(struct perf_event *parent_event, + GFP_KERNEL); + if (!child_ctx->task_ctx_data) { + free_event(child_event); +- return NULL; ++ return ERR_PTR(-ENOMEM); + } + } + +-- +2.20.1 + diff --git a/queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch b/queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch new file mode 100644 index 00000000000..0c9d990907a --- /dev/null +++ b/queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch 
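Review bot: inherit_event() can now return three different things, a valid event, NULL and (with this hunk) `ERR_PTR(-ENOMEM)`, and nothing at the changed line says which means what. The callers are outside the hunk; any of them that only tests the result against NULL would treat the error pointer as a live event. I would state the contract in the comment above the function (per the description, NULL means the event is skipped and the fork continues, an error pointer means the fork must fail) and confirm that each caller uses IS_ERR().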
@@ -0,0 +1,131 @@ +From 131ee6c91894f3b60cce725c217675a29aef3ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 02:49:49 +0100 +Subject: ravb: implement MTU change while device is up + +From: Ulrich Hecht + +[ Upstream commit 15fb35fa9ff456b81159033eba6397fcee85e671 ] + +Pre-allocates buffers sufficient for the maximum supported MTU (2026) in +order to eliminate the possibility of resource exhaustion when changing the +MTU while the device is up. + +Signed-off-by: Ulrich Hecht +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb.h | 3 ++- + drivers/net/ethernet/renesas/ravb_main.c | 26 +++++++++++++----------- + 2 files changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb.h b/drivers/net/ethernet/renesas/ravb.h +index ac9195add8116..7090229398227 100644 +--- a/drivers/net/ethernet/renesas/ravb.h ++++ b/drivers/net/ethernet/renesas/ravb.h +@@ -960,6 +960,8 @@ enum RAVB_QUEUE { + #define NUM_RX_QUEUE 2 + #define NUM_TX_QUEUE 2 + ++#define RX_BUF_SZ (2048 - ETH_FCS_LEN + sizeof(__sum16)) ++ + /* TX descriptors per packet */ + #define NUM_TX_DESC_GEN2 2 + #define NUM_TX_DESC_GEN3 1 +@@ -1023,7 +1025,6 @@ struct ravb_private { + u32 dirty_rx[NUM_RX_QUEUE]; /* Producer ring indices */ + u32 cur_tx[NUM_TX_QUEUE]; + u32 dirty_tx[NUM_TX_QUEUE]; +- u32 rx_buf_sz; /* Based on MTU+slack. */ + struct napi_struct napi[NUM_RX_QUEUE]; + struct work_struct work; + /* MII transceiver section. 
*/ +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 6cacd5e893aca..393644833cd57 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -230,7 +230,7 @@ static void ravb_ring_free(struct net_device *ndev, int q) + le32_to_cpu(desc->dptr))) + dma_unmap_single(ndev->dev.parent, + le32_to_cpu(desc->dptr), +- priv->rx_buf_sz, ++ RX_BUF_SZ, + DMA_FROM_DEVICE); + } + ring_size = sizeof(struct ravb_ex_rx_desc) * +@@ -293,9 +293,9 @@ static void ravb_ring_format(struct net_device *ndev, int q) + for (i = 0; i < priv->num_rx_ring[q]; i++) { + /* RX descriptor */ + rx_desc = &priv->rx_ring[q][i]; +- rx_desc->ds_cc = cpu_to_le16(priv->rx_buf_sz); ++ rx_desc->ds_cc = cpu_to_le16(RX_BUF_SZ); + dma_addr = dma_map_single(ndev->dev.parent, priv->rx_skb[q][i]->data, +- priv->rx_buf_sz, ++ RX_BUF_SZ, + DMA_FROM_DEVICE); + /* We just set the data size to 0 for a failed mapping which + * should prevent DMA from happening... +@@ -342,9 +342,6 @@ static int ravb_ring_init(struct net_device *ndev, int q) + int ring_size; + int i; + +- priv->rx_buf_sz = (ndev->mtu <= 1492 ? PKT_BUF_SZ : ndev->mtu) + +- ETH_HLEN + VLAN_HLEN + sizeof(__sum16); +- + /* Allocate RX and TX skb rings */ + priv->rx_skb[q] = kcalloc(priv->num_rx_ring[q], + sizeof(*priv->rx_skb[q]), GFP_KERNEL); +@@ -354,7 +351,7 @@ static int ravb_ring_init(struct net_device *ndev, int q) + goto error; + + for (i = 0; i < priv->num_rx_ring[q]; i++) { +- skb = netdev_alloc_skb(ndev, priv->rx_buf_sz + RAVB_ALIGN - 1); ++ skb = netdev_alloc_skb(ndev, RX_BUF_SZ + RAVB_ALIGN - 1); + if (!skb) + goto error; + ravb_set_buffer_align(skb); +@@ -590,7 +587,7 @@ static bool ravb_rx(struct net_device *ndev, int *quota, int q) + skb = priv->rx_skb[q][entry]; + priv->rx_skb[q][entry] = NULL; + dma_unmap_single(ndev->dev.parent, le32_to_cpu(desc->dptr), +- priv->rx_buf_sz, ++ RX_BUF_SZ, + DMA_FROM_DEVICE); + get_ts &= (q == RAVB_NC) ? 
+ RAVB_RXTSTAMP_TYPE_V2_L2_EVENT : +@@ -623,11 +620,11 @@ static bool ravb_rx(struct net_device *ndev, int *quota, int q) + for (; priv->cur_rx[q] - priv->dirty_rx[q] > 0; priv->dirty_rx[q]++) { + entry = priv->dirty_rx[q] % priv->num_rx_ring[q]; + desc = &priv->rx_ring[q][entry]; +- desc->ds_cc = cpu_to_le16(priv->rx_buf_sz); ++ desc->ds_cc = cpu_to_le16(RX_BUF_SZ); + + if (!priv->rx_skb[q][entry]) { + skb = netdev_alloc_skb(ndev, +- priv->rx_buf_sz + ++ RX_BUF_SZ + + RAVB_ALIGN - 1); + if (!skb) + break; /* Better luck next round. */ +@@ -1814,10 +1811,15 @@ static int ravb_do_ioctl(struct net_device *ndev, struct ifreq *req, int cmd) + + static int ravb_change_mtu(struct net_device *ndev, int new_mtu) + { +- if (netif_running(ndev)) +- return -EBUSY; ++ struct ravb_private *priv = netdev_priv(ndev); + + ndev->mtu = new_mtu; ++ ++ if (netif_running(ndev)) { ++ synchronize_irq(priv->emac_irq); ++ ravb_emac_init(ndev); ++ } ++ + netdev_update_features(ndev); + + return 0; +-- +2.20.1 + diff --git a/queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch b/queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch new file mode 100644 index 00000000000..2dbe2c6a49b --- /dev/null +++ b/queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch 
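Review bot: ravb_change_mtu() now stores `new_mtu` while the interface is running, and nothing in these hunks ties that value to the fixed `RX_BUF_SZ` that every RX descriptor and `netdev_alloc_skb()` call uses. The description gives 2026 as the maximum supported MTU and the define matches the removed formula at that MTU, but the limit itself (presumably `ndev->max_mtu`, set outside the hunks) is not visible. A comment at the define in ravb.h, `/* RX buffer for the largest MTU (2026) + ETH_HLEN + VLAN_HLEN + sizeof(__sum16) */`, would record the dependency so that raising the maximum later does not silently outgrow the buffers. It should also be confirmed that `synchronize_irq(priv->emac_irq)` is enough to keep the handler out of `ravb_emac_init()`, since it waits for running handlers and does not mask the interrupt.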
@@ -0,0 +1,46 @@ +From 60a4684da91299fb9d53adcc50a2b1a598a4e904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 12:07:15 +0100 +Subject: rbd: silence bogus uninitialized warning in + rbd_object_map_update_finish() + +From: Ilya Dryomov + +[ Upstream commit 633739b2fedb6617d782ca252797b7a8ad754347 ] + +Some versions of gcc (so far 6.3 and 7.4) throw a warning: + + drivers/block/rbd.c: In function 'rbd_object_map_callback': + drivers/block/rbd.c:2124:21: warning: 'current_state' may be used uninitialized in this function [-Wmaybe-uninitialized] + (current_state == OBJECT_EXISTS && state == OBJECT_EXISTS_CLEAN)) + drivers/block/rbd.c:2092:23: note: 'current_state' was declared here + u8 state, new_state, current_state; + ^~~~~~~~~~~~~ + +It's bogus because all current_state accesses are guarded by +has_current_state. + +Reported-by: kbuild test robot +Signed-off-by: Ilya Dryomov +Reviewed-by: Dongsheng Yang +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index c8fb886aebd4e..64e364c4a0fb8 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -2089,7 +2089,7 @@ static int rbd_object_map_update_finish(struct rbd_obj_request *obj_req, + struct rbd_device *rbd_dev = obj_req->img_request->rbd_dev; + struct ceph_osd_data *osd_data; + u64 objno; +- u8 state, new_state, current_state; ++ u8 state, new_state, uninitialized_var(current_state); + bool has_current_state; + void *p; + +-- +2.20.1 + diff --git a/queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch b/queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch new file mode 100644 index 00000000000..8705a2a1aba --- /dev/null +++ b/queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch 
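Review bot: `uninitialized_var(current_state)` in rbd_object_map_update_finish() silences the warning for every compiler and for any future read, including one that is not guarded by `has_current_state`. A plain initialiser, `u8 state, new_state, current_state = 0;`, quiets the reported gcc versions just as well and leaves a defined value if the guard is ever missed. The function body is outside the hunk, so the claim that all reads are guarded rests on the description.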
@@ -0,0 +1,39 @@ +From 0860fb658e51c98d4c0692255322ce7c8d2379dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 10:33:29 +0800 +Subject: RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN + +From: Sirong Wang + +[ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ] + +Size of pointer to buf field of struct hns_roce_hem_chunk should be +considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will +be larger than expected when allocating hem. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com +Signed-off-by: Sirong Wang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index f1ccb8f35fe59..e41ebc25b1f90 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -59,7 +59,7 @@ enum { + + #define HNS_ROCE_HEM_CHUNK_LEN \ + ((256 - sizeof(struct list_head) - 2 * sizeof(int)) / \ +- (sizeof(struct scatterlist))) ++ (sizeof(struct scatterlist) + sizeof(void *))) + + #define check_whether_bt_num_3(type, hop_num) \ + (type < HEM_TYPE_MTT && hop_num == 2) +-- +2.20.1 + diff --git a/queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch b/queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch new file mode 100644 index 00000000000..7773413de2e --- /dev/null +++ b/queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch 
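Review bot: HNS_ROCE_HEM_CHUNK_LEN still encodes the layout of struct hns_roce_hem_chunk by hand (256 bytes, one list_head, two ints, and now a scatterlist plus a `void *` per entry), so the next field added to the struct will put the macro out of step again. The struct is outside the hunk; assuming 256 is meant as its size budget, a compile-time check such as `BUILD_BUG_ON(sizeof(struct hns_roce_hem_chunk) > 256);` in the allocation path would catch that. Failing that, a comment listing which member each term stands for would at least make the dependency visible.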
@@ -0,0 +1,38 @@ +From 1de4d41f1b40c9b57158e448fe9684756a784e13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 10:33:30 +0800 +Subject: RDMA/hns: Correct the value of srq_desc_size + +From: Wenpeng Liang + +[ Upstream commit 411c1e6774e2e1f96b1ccce4f119376b94ade3e4 ] + +srq_desc_size should be rounded up to pow of two before used, or related +calculation may cause allocating wrong size of memory for srq buffer. + +Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode") +Link: https://lore.kernel.org/r/1572575610-52530-3-git-send-email-liweihang@hisilicon.com +Signed-off-by: Wenpeng Liang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index 38bb548eaa6d8..9768e377cd22c 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -221,7 +221,7 @@ int hns_roce_create_srq(struct ib_srq *ib_srq, + srq->max = roundup_pow_of_two(srq_init_attr->attr.max_wr + 1); + srq->max_gs = srq_init_attr->attr.max_sge; + +- srq_desc_size = max(16, 16 * srq->max_gs); ++ srq_desc_size = roundup_pow_of_two(max(16, 16 * srq->max_gs)); + + srq->wqe_shift = ilog2(srq_desc_size); + +-- +2.20.1 + diff --git a/queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch b/queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch new file mode 100644 index 00000000000..504b0e36e8a --- /dev/null +++ b/queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch 
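Review bot: `16 * srq->max_gs` in hns_roce_create_srq() is computed from `srq_init_attr->attr.max_sge` with no upper bound in the visible lines, and the result now also passes through `roundup_pow_of_two()` before `ilog2()` turns it into `wqe_shift`. If max_sge is not already checked against the device limit earlier in the function (outside this hunk), a large value could overflow the multiplication or the round-up and yield a shift that does not match the buffer actually needed. A range check on `srq->max_gs` before this line, or a comment pointing at the existing one, would close that.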
@@ -0,0 +1,38 @@
+From f02f0979f474872562e88feae925ef98796c571a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 14:38:47 +0800
+Subject: rsxx: add missed destroy_workqueue calls in remove
+
+From: Chuhong Yuan
+
+[ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ]
+
+The driver misses calling destroy_workqueue in remove like what is done
+when probe fails.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/rsxx/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
+index 76b73ddf8fd73..10f6368117d81 100644
+--- a/drivers/block/rsxx/core.c
++++ b/drivers/block/rsxx/core.c
+@@ -1000,8 +1000,10 @@ static void rsxx_pci_remove(struct pci_dev *dev)
+
+ cancel_work_sync(&card->event_work);
+
++ destroy_workqueue(card->event_wq);
+ rsxx_destroy_dev(card);
+ rsxx_dma_destroy(card);
++ destroy_workqueue(card->creg_ctrl.creg_wq);
+
+ spin_lock_irqsave(&card->irq_lock, flags);
+ rsxx_disable_ier_and_isr(card, CR_INTR_ALL);
+--
+2.20.1
+
diff --git a/queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch b/queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch
new file mode 100644
index 00000000000..61a2f1a093e
--- /dev/null
+++ b/queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch
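Review bot: `destroy_workqueue(card->creg_ctrl.creg_wq);` is placed before the visible `rsxx_disable_ier_and_isr(card, CR_INTR_ALL);`, so device interrupts may still be enabled when the creg workqueue is freed. Whether the interrupt handler or later teardown queues work on `creg_wq` is not shown (rsxx_pci_remove() continues on both sides of the hunk), but if either does, that work would be queued on a destroyed workqueue. Moving the call below the interrupt-disable block, or to wherever the creg state is torn down, would close that window. The same question applies to `destroy_workqueue(card->event_wq);`, which is safe only if the event interrupt was already masked above the hunk.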
@@ -0,0 +1,67 @@
+From 0bdebcea2882e30c12931f7edd7c58c5f1a4c7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Oct 2019 11:18:37 +0200
+Subject: sched/core: Avoid spurious lock dependencies
+
+From: Peter Zijlstra
+
+[ Upstream commit ff51ff84d82aea5a889b85f2b9fb3aa2b8691668 ]
+
+While seemingly harmless, __sched_fork() does hrtimer_init(), which,
+when DEBUG_OBJETS, can end up doing allocations.
+
+This then results in the following lock order:
+
+ rq->lock
+ zone->lock.rlock
+ batched_entropy_u64.lock
+
+Which in turn causes deadlocks when we do wakeups while holding that
+batched_entropy lock -- as the random code does.
+
+Solve this by moving __sched_fork() out from under rq->lock. This is
+safe because nothing there relies on rq->lock, as also evident from the
+other __sched_fork() callsite.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Qian Cai
+Cc: Thomas Gleixner
+Cc: akpm@linux-foundation.org
+Cc: bigeasy@linutronix.de
+Cc: cl@linux.com
+Cc: keescook@chromium.org
+Cc: penberg@kernel.org
+Cc: rientjes@google.com
+Cc: thgarnie@google.com
+Cc: tytso@mit.edu
+Cc: will@kernel.org
+Fixes: b7d5dc21072c ("random: add a spinlock_t to struct batched_entropy")
+Link: https://lkml.kernel.org/r/20191001091837.GK4536@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index fffe790d98bb2..9a839798851c2 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5874,10 +5874,11 @@ void init_idle(struct task_struct *idle, int cpu)
+ struct rq *rq = cpu_rq(cpu);
+ unsigned long flags;
+
++ __sched_fork(0, idle);
++
+ raw_spin_lock_irqsave(&idle->pi_lock, flags);
+ raw_spin_lock(&rq->lock);
+
+- __sched_fork(0, idle);
+ idle->state = TASK_RUNNING;
+ idle->se.exec_start = sched_clock();
+ idle->flags |= PF_IDLE;
+--
+2.20.1
+
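Review bot: The new position of `__sched_fork(0, idle);` in init_idle() carries no comment, and nothing at the call site says it has to stay ahead of `raw_spin_lock(&rq->lock)`; a later cleanup could move it back under the lock and bring back the lock-order problem the commit message describes. I would add a comment above the call, for example `/* May allocate (hrtimer_init() with debug objects); must not run under rq->lock. */`. init_idle() continues past the hunk.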
diff --git a/queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch b/queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch
new file mode 100644
index 00000000000..9e98cd83c22
--- /dev/null
+++ b/queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch
@@ -0,0 +1,95 @@
+From 094ae803c9394558ba4f80c2bc29846b2ae08887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Oct 2019 12:18:29 +0100
+Subject: sched/pelt: Fix update of blocked PELT ordering
+
+From: Vincent Guittot
+
+[ Upstream commit b90f7c9d2198d789709390280a43e0a46345682b ]
+
+update_cfs_rq_load_avg() can call cpufreq_update_util() to trigger an
+update of the frequency. Make sure that RT, DL and IRQ PELT signals have
+been updated before calling cpufreq.
+
+Signed-off-by: Vincent Guittot
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: dietmar.eggemann@arm.com
+Cc: dsmythies@telus.net
+Cc: juri.lelli@redhat.com
+Cc: mgorman@suse.de
+Cc: rostedt@goodmis.org
+Fixes: 371bf4273269 ("sched/rt: Add rt_rq utilization tracking")
+Fixes: 3727e0e16340 ("sched/dl: Add dl_rq utilization tracking")
+Fixes: 91c27493e78d ("sched/irq: Add IRQ utilization tracking")
+Link: https://lkml.kernel.org/r/1572434309-32512-1-git-send-email-vincent.guittot@linaro.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/fair.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 649c6b60929e2..ba7cc68a39935 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7530,6 +7530,19 @@ static void update_blocked_averages(int cpu)
+ rq_lock_irqsave(rq, &rf);
+ update_rq_clock(rq);
+
++ /*
++ * update_cfs_rq_load_avg() can call cpufreq_update_util(). Make sure
++ * that RT, DL and IRQ signals have been updated before updating CFS.
++ */
++ curr_class = rq->curr->sched_class;
++ update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
++ update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
++ update_irq_load_avg(rq, 0);
++
++ /* Don't need periodic decay once load/util_avg are null */
++ if (others_have_blocked(rq))
++ done = false;
++
+ /*
+ * Iterates the task_group tree in a bottom up fashion, see
+ * list_add_leaf_cfs_rq() for details.
+@@ -7557,14 +7570,6 @@ static void update_blocked_averages(int cpu)
+ done = false;
+ }
+
+- curr_class = rq->curr->sched_class;
+- update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
+- update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
+- update_irq_load_avg(rq, 0);
+- /* Don't need periodic decay once load/util_avg are null */
+- if (others_have_blocked(rq))
+- done = false;
+-
+ update_blocked_load_status(rq, !done);
+ rq_unlock_irqrestore(rq, &rf);
+ }
+@@ -7625,12 +7630,18 @@ static inline void update_blocked_averages(int cpu)
+
+ rq_lock_irqsave(rq, &rf);
+ update_rq_clock(rq);
+- update_cfs_rq_load_avg(cfs_rq_clock_pelt(cfs_rq), cfs_rq);
+
++ /*
++ * update_cfs_rq_load_avg() can call cpufreq_update_util(). Make sure
++ * that RT, DL and IRQ signals have been updated before updating CFS.
++ */
+ curr_class = rq->curr->sched_class;
+ update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
+ update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
+ update_irq_load_avg(rq, 0);
++
++ update_cfs_rq_load_avg(cfs_rq_clock_pelt(cfs_rq), cfs_rq);
++
+ update_blocked_load_status(rq, cfs_rq_has_blocked(cfs_rq) || others_have_blocked(rq));
+ rq_unlock_irqrestore(rq, &rf);
+ }
+--
+2.20.1
+
diff --git a/queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch b/queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch
new file mode 100644
index 00000000000..eed2b5a7c70
--- /dev/null
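Review bot: The RT/DL/IRQ update sequence and its ordering comment are now duplicated in both variants of update_blocked_averages() (the inner hunks at 7530 and 7625), and the fix depends on that sequence staying ahead of `update_cfs_rq_load_avg()` in each of them. Pulling it into one static helper that returns `others_have_blocked(rq)` would leave a single place where the ordering has to be kept right; the first variant would then set `done = false` from the helper's return value before its loop. Both functions start and end outside the hunks, so the helper name and the local `curr_class` declaration below are suggestions rather than a drop-in.

```c
/*
 * update_cfs_rq_load_avg() can call cpufreq_update_util(), so the RT, DL
 * and IRQ signals have to be updated before CFS. Returns the result of
 * others_have_blocked() for the caller's decay decision.
 */
static bool update_blocked_others(struct rq *rq)
{
	const struct sched_class *curr_class = rq->curr->sched_class;

	update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
	update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
	update_irq_load_avg(rq, 0);

	return others_have_blocked(rq);
}

/* … unchanged: rq_lock_irqsave() and update_rq_clock() in update_blocked_averages() … */
	if (update_blocked_others(rq))
		done = false;
```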
+++ b/queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch
@@ -0,0 +1,56 @@
+From 8fec72f54425be633ba979e86172b9ee70f0ff05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 13:51:15 +0100
+Subject: selftests: kvm: fix build with glibc >= 2.30
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Kuznetsov
+
+[ Upstream commit e37f9f139f62deddff90c7298ae3a85026a71067 ]
+
+Glibc-2.30 gained gettid() wrapper, selftests fail to compile:
+
+lib/assert.c:58:14: error: static declaration of ‘gettid’ follows non-static declaration
+ 58 | static pid_t gettid(void)
+ | ^~~~~~
+In file included from /usr/include/unistd.h:1170,
+ from include/test_util.h:18,
+ from lib/assert.c:10:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
+ 34 | extern __pid_t gettid (void) __THROW;
+ | ^~~~~~
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/kvm/lib/assert.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/assert.c b/tools/testing/selftests/kvm/lib/assert.c
+index 4911fc77d0f6a..d1cf9f6e0e6bc 100644
+--- a/tools/testing/selftests/kvm/lib/assert.c
++++ b/tools/testing/selftests/kvm/lib/assert.c
+@@ -55,7 +55,7 @@ static void test_dump_stack(void)
+ #pragma GCC diagnostic pop
+ }
+
+-static pid_t gettid(void)
++static pid_t _gettid(void)
+ {
+ return syscall(SYS_gettid);
+ }
+@@ -72,7 +72,7 @@ test_assert(bool exp, const char *exp_str,
+ fprintf(stderr, "==== Test Assertion Failure ====\n"
+ " %s:%u: %s\n"
+ " pid=%d tid=%d - %s\n",
+- file, line, exp_str, getpid(), gettid(),
++ file, line, exp_str, getpid(), _gettid(),
+ strerror(errno));
+ test_dump_stack();
+ if (fmt) {
+--
+2.20.1
+
diff --git a/queue-5.3/series b/queue-5.3/series
index 16fa615056a..934caf0bdde 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -11,3 +11,33 @@ serial-pl011-fix-dma-flush_buffer.patch
 serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
 serial-stm32-fix-clearing-interrupt-error-flags.patch
 serial-ifx6x60-add-missed-pm_runtime_disable.patch
+aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
+autofs-fix-a-leak-in-autofs_expire_indirect.patch
+mips-sgi-ip27-fix-exception-handler-replication.patch
+rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch
+rdma-hns-correct-the-value-of-srq_desc_size.patch
+iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch
+cgroup-don-t-put-err_ptr-into-fc-root.patch
+exportfs_decode_fh-negative-pinned-may-become-positi.patch
+audit_get_nd-don-t-unlock-parent-too-early.patch
+ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
+alsa-hda-add-cometlake-s-pci-id.patch
+nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch
+xfrm-release-device-reference-for-invalid-state.patch
+block-check-bi_size-overflow-before-merge.patch
+input-cyttsp4_core-fix-use-after-free-bug.patch
+sched-core-avoid-spurious-lock-dependencies.patch
+sched-pelt-fix-update-of-blocked-pelt-ordering.patch
+perf-core-consistently-fail-fork-on-allocation-failu.patch
+alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
+x86-resctrl-fix-potential-lockdep-warning.patch
+drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
+selftests-kvm-fix-build-with-glibc-2.30.patch
+rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch
+rsxx-add-missed-destroy_workqueue-calls-in-remove.patch
+ravb-implement-mtu-change-while-device-is-up.patch
+net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch
+net-hns3-fix-ets-bandwidth-validation-bug.patch
+afs-fix-race-in-commit-bulk-status-fetch.patch
+net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch
+i2c-core-fix-use-after-free-in-of_i2c_notify.patch
diff --git a/queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch b/queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch
new file mode 100644
index 00000000000..710b3a4c221
--- /dev/null
+++ b/queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch
@@ -0,0 +1,71 @@
+From 221e620f37324c9341695c417c6e9e53df992371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Nov 2019 06:36:36 +0800
+Subject: x86/resctrl: Fix potential lockdep warning
+
+From: Xiaochen Shen
+
+[ Upstream commit c8eafe1495303bfd0eedaa8156b1ee9082ee9642 ]
+
+rdtgroup_cpus_write() and mkdir_rdt_prepare() call
+rdtgroup_kn_lock_live() -> kernfs_to_rdtgroup() to get 'rdtgrp', and
+then call the rdt_last_cmd_{clear,puts,...}() functions which will check
+if rdtgroup_mutex is held/requires its caller to hold rdtgroup_mutex.
+
+But if 'rdtgrp' returned from kernfs_to_rdtgroup() is NULL,
+rdtgroup_mutex is not held and calling rdt_last_cmd_{clear,puts,...}()
+will result in a self-incurred, potential lockdep warning.
+
+Remove the rdt_last_cmd_{clear,puts,...}() calls in these two paths.
+Just returning error should be sufficient to report to the user that the
+entry doesn't exist any more.
+
+ [ bp: Massage. ]
+
+Fixes: 94457b36e8a5 ("x86/intel_rdt: Add diagnostics when writing the cpus file")
+Fixes: cfd0f34e4cd5 ("x86/intel_rdt: Add diagnostics when making directories")
+Signed-off-by: Xiaochen Shen
+Signed-off-by: Borislav Petkov
+Reviewed-by: Tony Luck
+Reviewed-by: Fenghua Yu
+Reviewed-by: Reinette Chatre
+Cc: "H.
Peter Anvin"
+Cc: Ingo Molnar
+Cc: pei.p.jia@intel.com
+Cc: Thomas Gleixner
+Cc: x86-ml
+Link: https://lkml.kernel.org/r/1573079796-11713-1-git-send-email-xiaochen.shen@intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index a46dee8e78db4..2e3b06d6bbc6d 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -461,10 +461,8 @@ static ssize_t rdtgroup_cpus_write(struct kernfs_open_file *of,
+ }
+
+ rdtgrp = rdtgroup_kn_lock_live(of->kn);
+- rdt_last_cmd_clear();
+ if (!rdtgrp) {
+ ret = -ENOENT;
+- rdt_last_cmd_puts("Directory was removed\n");
+ goto unlock;
+ }
+
+@@ -2648,10 +2646,8 @@ static int mkdir_rdt_prepare(struct kernfs_node *parent_kn,
+ int ret;
+
+ prdtgrp = rdtgroup_kn_lock_live(prgrp_kn);
+- rdt_last_cmd_clear();
+ if (!prdtgrp) {
+ ret = -ENODEV;
+- rdt_last_cmd_puts("Directory was removed\n");
+ goto out_unlock;
+ }
+
+--
+2.20.1
+
diff --git a/queue-5.3/xfrm-release-device-reference-for-invalid-state.patch b/queue-5.3/xfrm-release-device-reference-for-invalid-state.patch
new file mode 100644
index 00000000000..248a0d80be3
--- /dev/null
+++ b/queue-5.3/xfrm-release-device-reference-for-invalid-state.patch
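Review bot: Removing `rdt_last_cmd_clear();` outright also drops it from the path where `rdtgroup_kn_lock_live()` succeeds, in both rdtgroup_cpus_write() and mkdir_rdt_prepare(); only the NULL case needed to lose it. Unless the status is cleared again below the hunks (both functions continue outside them), a successful call may leave the previous command's message in place, and a later `rdt_last_cmd_puts()` may be reported alongside it. Moving the call instead of deleting it keeps the lockdep fix and the reset: place `rdt_last_cmd_clear();` directly after the closing brace of `if (!rdtgrp) { ... }`, and likewise after `if (!prdtgrp) { ... }`.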
@@ -0,0 +1,62 @@
+From 8d2ca75329373d196e928c3de4ea0d52d3852d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Nov 2019 15:05:46 -0800
+Subject: xfrm: release device reference for invalid state
+
+From: Xiaodong Xu
+
+[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]
+
+An ESP packet could be decrypted in async mode if the input handler for
+this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
+reference in skb is held. Later xfrm_input() will be invoked again to
+resume the processing.
+If the transform state is still valid it would continue to release the
+device reference and there won't be a problem; however if the transform
+state is not valid when async resumption happens, the packet will be
+dropped while the device reference is still being held.
+When the device is deleted for some reason and the reference to this
+device is not properly released, the kernel will keep logging like:
+
+unregister_netdevice: waiting for ppp2 to become free. Usage count = 1
+
+The issue is observed when running IPsec traffic over a PPPoE device based
+on a bridge interface. By terminating the PPPoE connection on the server
+end for multiple times, the PPPoE device on the client side will eventually
+get stuck on the above warning message.
+
+This patch will check the async mode first and continue to release device
+reference in async resumption, before it is dropped due to invalid state.
+
+v2: Do not assign address family from outer_mode in the transform if the
+state is invalid
+
+v3: Release device reference in the error path instead of jumping to resume
+
+Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
+Signed-off-by: Xiaodong Xu
+Reported-by: Bo Chen
+Tested-by: Bo Chen
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 6088bc2dc11e3..fcd4b1f36e669 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -480,6 +480,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ else
+ XFRM_INC_STATS(net,
+ LINUX_MIB_XFRMINSTATEINVALID);
++
++ if (encap_type == -1)
++ dev_put(skb->dev);
+ goto drop;
+ }
+
+--
+2.20.1
+
--
2.47.3
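Review bot: The added `if (encap_type == -1)` relies on the reader knowing that -1 marks the resumed (async) call of xfrm_input() and that the reference being dropped was taken before the handler returned -EINPROGRESS; neither is stated at the call site, and the Fixes: title speaks of `encap_type < 0`, so the exact comparison deserves a word. A comment would make the get/put pairing auditable, for example `/* async resumption: drop the skb->dev reference held across -EINPROGRESS */`. The enclosing branch and the place where the reference is taken are outside the hunk, so the pairing is as the commit message describes it rather than verified here.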