From a4a598b52e7ca4529c35a174fa09457bc0119bf7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 23 Jun 2019 18:04:59 +0200
Subject: [PATCH] 5.1-stable patches
added patches:
apparmor-enforce-nullbyte-at-end-of-tag-string.patch
apparmor-fix-profile_mediates-for-untrusted-input.patch
apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch
cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
cifs-fix-panic-in-smb2_reconnect.patch
ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
ib-hfi1-close-psm-sdma_progress-sleep-window.patch
ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
ib-hfi1-silence-txreq-allocation-warnings.patch
ib-hfi1-validate-fault-injection-opcode-user-input.patch
iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
iio-temperature-mlx90632-relax-the-compatibility-check.patch
input-silead-add-mssl0017-to-acpi_device_id.patch
input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
---
...nforce-nullbyte-at-end-of-tag-string.patch | 38 ++++
...profile_mediates-for-untrusted-input.patch | 52 ++++++
...lure-to-unpack-for-various-functions.patch | 167 ++++++++++++++++++
...ing-around-commands-expected-to-fail.patch | 54 ++++++
...dio-don-t-tune-while-the-card-is-off.patch | 81 +++++++++
...or-the-openfilelist-to-cifsinodeinfo.patch | 103 +++++++++++
...globalmid_lock-bug-in-cifs_reconnect.patch | 47 +++++
.../cifs-fix-panic-in-smb2_reconnect.patch | 55 ++++++
...avoid-hardlockup-with-flushlist_lock.patch | 60 +++++++
...close-psm-sdma_progress-sleep-window.patch | 85 +++++++++
...ct-tid-qp-rcd-to-match-verbs-context.patch | 116 ++++++++++++
...i1-silence-txreq-allocation-warnings.patch | 91 ++++++++++
...te-fault-injection-opcode-user-input.patch | 47 +++++
...upport-for-st_lsm6dsx-i2c-controller.patch | 95 ++++++++++
...x90632-relax-the-compatibility-check.patch | 56 ++++++
...ilead-add-mssl0017-to-acpi_device_id.patch | 31 ++++
...able-smbus-on-thinkpad-e480-and-e580.patch | 36 ++++
...umber-translation-for-ui_-_ff_upload.patch | 61 +++++++
...c-disable-command-decode-in-sdio_aos.patch | 56 ++++++
queue-5.1/series | 19 ++
20 files changed, 1350 insertions(+)
create mode 100644 queue-5.1/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
create mode 100644 queue-5.1/apparmor-fix-profile_mediates-for-untrusted-input.patch
create mode 100644 queue-5.1/apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
create mode 100644 queue-5.1/brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
create mode 100644 queue-5.1/brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch
create mode 100644 queue-5.1/cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
create mode 100644 queue-5.1/cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
create mode 100644 queue-5.1/cifs-fix-panic-in-smb2_reconnect.patch
create mode 100644 queue-5.1/ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
create mode 100644 queue-5.1/ib-hfi1-close-psm-sdma_progress-sleep-window.patch
create mode 100644 queue-5.1/ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
create mode 100644 queue-5.1/ib-hfi1-silence-txreq-allocation-warnings.patch
create mode 100644 queue-5.1/ib-hfi1-validate-fault-injection-opcode-user-input.patch
create mode 100644 queue-5.1/iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
create mode 100644 queue-5.1/iio-temperature-mlx90632-relax-the-compatibility-check.patch
create mode 100644 queue-5.1/input-silead-add-mssl0017-to-acpi_device_id.patch
create mode 100644 queue-5.1/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
create mode 100644 queue-5.1/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
create mode 100644 queue-5.1/revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
diff --git a/queue-5.1/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/queue-5.1/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 00000000000..bd4f7114d68
--- /dev/null
+++ b/queue-5.1/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,38 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -276,7 +276,7 @@ static bool unpack_nameX(struct aa_ext *
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
diff --git a/queue-5.1/apparmor-fix-profile_mediates-for-untrusted-input.patch b/queue-5.1/apparmor-fix-profile_mediates-for-untrusted-input.patch
new file mode 100644
index 00000000000..30a2511c17c
--- /dev/null
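Review bot: The comment above the changed condition in unpack_nameX() still says only that the name must match, while the new `tag[size-1] != '\0'` term is what keeps strcmp() inside the chunk returned by unpack_u16_chunk(). I would extend it to `/* if a name is specified it must match and be NUL-terminated within its chunk. otherwise skip tag */` so the bounds requirement is not dropped in a later cleanup. The `!size` test has to stay ahead of the index, since `size-1` wraps for an empty chunk. The function body starts and ends outside the hunk.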
+++ b/queue-5.1/apparmor-fix-profile_mediates-for-untrusted-input.patch 
@@ -0,0 +1,52 @@
+From 23375b13f98c5464c2b4d15f983cc062940f1f4e Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Sun, 26 May 2019 06:42:23 -0700
+Subject: apparmor: fix PROFILE_MEDIATES for untrusted input
+
+From: John Johansen
+
+commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream.
+
+While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure
+every profile has a policy.dfa it does not resize the policy.start[]
+to have entries for every possible start value. Which means
+PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
+commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
+take into account the start value usage.
+
+The input string in profile_query_cb() is user controlled and is not
+properly checked to be within the limited start[] entries, even worse
+it can't be as userspace policy is allowed to make us of entries types
+the kernel does not know about. This mean usespace can currently cause
+the kernel to access memory up to 240 entries beyond the start array
+bounds.
+
+Cc: stable@vger.kernel.org
+Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/include/policy.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -217,7 +217,16 @@ static inline struct aa_profile *aa_get_
+ return labels_profile(aa_get_newest_label(&p->label));
+ }
+
+-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
++static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
++ unsigned char class)
++{
++ if (class <= AA_CLASS_LAST)
++ return profile->policy.start[class];
++ else
++ return aa_dfa_match_len(profile->policy.dfa,
++ profile->policy.start[0], &class, 1);
++}
++
+ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
diff --git a/queue-5.1/apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch b/queue-5.1/apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
new file mode 100644
index 00000000000..2101506508c
--- /dev/null
+++ b/queue-5.1/apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
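Review bot: Nothing in the new PROFILE_MEDIATES() ties the `class <= AA_CLASS_LAST` guard to the actual length of `policy.start[]`; the array declaration is outside the hunk, so the bound holds only if the array has at least AA_CLASS_LAST + 1 entries. A compile-time check next to the lookup, for example `BUILD_BUG_ON(ARRAY_SIZE(profile->policy.start) <= AA_CLASS_LAST);`, would keep the two from drifting apart. The function also lacks a comment saying that classes above AA_CLASS_LAST are resolved by walking the dfa from `start[0]`, which is the part that makes it usable on userspace-supplied class bytes.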
@@ -0,0 +1,167 @@
+From 156e42996bd84eccb6acf319f19ce0cb140d00e3 Mon Sep 17 00:00:00 2001
+From: Mike Salvatore
+Date: Wed, 12 Jun 2019 14:55:14 -0700
+Subject: apparmor: reset pos on failure to unpack for various functions
+
+From: Mike Salvatore
+
+commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 upstream.
+
+Each function that manipulates the aa_ext struct should reset it's "pos"
+member on failure. This ensures that, on failure, no changes are made to
+the state of the aa_ext struct.
+
+There are paths were elements are optional and the error path is
+used to indicate the optional element is not present. This means
+instead of just aborting on error the unpack stream can become
+unsynchronized on optional elements, if using one of the affected
+functions.
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Mike Salvatore
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/policy_unpack.c | 47 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 39 insertions(+), 8 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -223,16 +223,21 @@ static void *kvmemdup(const void *src, s
+ static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
+ {
+ size_t size = 0;
++ void *pos = e->pos;
+
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(__le16);
+ if (!inbounds(e, size))
+- return 0;
++ goto fail;
+ *chunk = e->pos;
+ e->pos += size;
+ return size;
++
++fail:
++ e->pos = pos;
++ return 0;
+ }
+
+ /* unpack control byte */
+@@ -294,62 +299,84 @@ fail:
+
+ static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U8, name)) {
+ if (!inbounds(e, sizeof(u8)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = get_unaligned((u8 *)e->pos);
+ e->pos += sizeof(u8);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U32, name)) {
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U64, name)) {
+ if (!inbounds(e, sizeof(u64)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
+ e->pos += sizeof(u64);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_array(struct aa_ext *e, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_ARRAY, name)) {
+ int size;
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(u16);
+ return size;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_BLOB, name)) {
+ u32 size;
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ if (inbounds(e, (size_t) size)) {
+@@ -358,6 +385,9 @@ static size_t unpack_blob(struct aa_ext
+ return size;
+ }
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+@@ -374,9 +404,10 @@ static int unpack_str(struct aa_ext *e,
+ if (src_str[size - 1] != 0)
+ goto fail;
+ *string = src_str;
++
++ return size;
+ }
+ }
+- return size;
+
+ fail:
+ e->pos = pos;
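Review bot: The restore-on-failure contract is now repeated in unpack_u16_chunk(), unpack_u8(), unpack_u32(), unpack_u64(), unpack_array() and unpack_blob(), but none of them states it. A one-line comment on each, such as `/* on failure e->pos is left where the caller had it, so optional elements can be probed */`, would tell the next author why the early `return 0` must not come back. In unpack_u8/u32/u64/array/blob the `fail:` label is also reached by plain fall-through when unpack_nameX() returns false, which is worth a word in that comment. unpack_nameX() itself is not shown in this patch, so whether it restores `e->pos` on its own failure paths should be confirmed.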
diff --git a/queue-5.1/brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch b/queue-5.1/brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
new file mode 100644
index 00000000000..206be792081
--- /dev/null
+++ b/queue-5.1/brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
@@ -0,0 +1,54 @@
+From 2de0b42da263c97d330d276f5ccf7c4470e3324f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Mon, 17 Jun 2019 10:56:51 -0700
+Subject: brcmfmac: sdio: Disable auto-tuning around commands expected to fail
+
+From: Douglas Anderson
+
+commit 2de0b42da263c97d330d276f5ccf7c4470e3324f upstream.
+
+There are certain cases, notably when transitioning between sleep and
+active state, when Broadcom SDIO WiFi cards will produce errors on the
+SDIO bus. This is evident from the source code where you can see that
+we try commands in a loop until we either get success or we've tried
+too many times. The comment in the code reinforces this by saying
+"just one write attempt may fail"
+
+Unfortunately these failures sometimes end up causing an "-EILSEQ"
+back to the core which triggers a retuning of the SDIO card and that
+blocks all traffic to the card until it's done.
+
+Let's disable retuning around the commands we expect might fail.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson
+Acked-by: Adrian Hunter
+Reviewed-by: Arend van Spriel
+Acked-by: Kalle Valo
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -676,6 +676,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ brcmf_dbg(TRACE, "Enter: on=%d\n", on);
+
++ sdio_retune_crc_disable(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -736,6 +738,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ sdio_retune_crc_enable(bus->sdiodev->func1);
++
+ return err;
+ }
+
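Review bot: The `sdio_retune_crc_disable()` added at the top of brcmf_sdio_kso_control() is re-enabled only by the `sdio_retune_crc_enable()` placed just before `return err;`, so any return between the two hunks would leave CRC-triggered retuning switched off for the function. The middle of the function is outside both hunks; if it can exit early, route that exit through the enable call. The `sdio_retune_hold_now()` / `sdio_retune_release()` pair added by brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch has the same shape and needs the same check. A short comment at the disable call, e.g. `/* CRC errors are expected while the card enters or leaves sleep */`, would record why it is there.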
diff --git a/queue-5.1/brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch b/queue-5.1/brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch
new file mode 100644
index 00000000000..4a71ae55876
--- /dev/null
+++ b/queue-5.1/brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch
@@ -0,0 +1,81 @@
+From 65dade6044079a5c206fd1803642ff420061417a Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Mon, 17 Jun 2019 10:56:53 -0700
+Subject: brcmfmac: sdio: Don't tune while the card is off
+
+From: Douglas Anderson
+
+commit 65dade6044079a5c206fd1803642ff420061417a upstream.
+
+When Broadcom SDIO cards are idled they go to sleep and a whole
+separate subsystem takes over their SDIO communication. This is the
+Always-On-Subsystem (AOS) and it can't handle tuning requests.
+
+Specifically, as tested on rk3288-veyron-minnie (which reports having
+BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control()
+when "on = 1" (aka we're transition from sleep to wake) by whacking:
+ bus->sdiodev->func1->card->host->need_retune = 1
+...then I can often see tuning fail. In this case dw_mmc reports "All
+phases bad!"). Note that I don't get 100% failure, presumably because
+sometimes the card itself has already transitioned away from the AOS
+itself by the time we try to wake it up. If I force retuning when "on
+= 0" (AKA force retuning right before sending the command to go to
+sleep) then retuning is always OK.
+
+NOTE: we need _both_ this patch and the patch to avoid triggering
+tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac:
+sdio: Disable auto-tuning around commands expected to fail"). Though
+both patches handle issues with Broadcom's AOS, the problems are
+distinct:
+1. We want to defer (but not ignore) asynchronous (like
+ timer-requested) tuning requests till the card is awake. However,
+ we want to ignore CRC errors during the transition, we don't want
+ to queue deferred tuning request.
+2. You could imagine that the AOS could implement retuning but we
+ could still get errors while transitioning in and out of the AOS.
+ Similarly you could imagine a seamless transition into and out of
+ the AOS (with no CRC errors) even if the AOS couldn't handle
+ tuning.
+
+ALSO NOTE: presumably there is never a desperate need to retune in
+order to wake up the card, since doing so is impossible. Luckily the
+only way the card can get into sleep state is if we had a good enough
+tuning to send it the command to put it into sleep, so presumably that
+"good enough" tuning is enough to wake us up, at least with a few
+retries.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson
+Acked-by: Adrian Hunter
+Reviewed-by: Arend van Spriel
+Acked-by: Kalle Valo
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -678,6 +678,10 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ sdio_retune_crc_disable(bus->sdiodev->func1);
+
++ /* Cannot re-tune if device is asleep; defer till we're awake */
++ if (on)
++ sdio_retune_hold_now(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -738,6 +742,9 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ if (on)
++ sdio_retune_release(bus->sdiodev->func1);
++
+ sdio_retune_crc_enable(bus->sdiodev->func1);
+
+ return err;
diff --git a/queue-5.1/cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch b/queue-5.1/cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
new file mode 100644
index 00000000000..25fadfee800
--- /dev/null
+++ b/queue-5.1/cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
@@ -0,0 +1,103 @@
+From 487317c99477d00f22370625d53be3239febabbe Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Wed, 5 Jun 2019 10:38:38 +1000
+Subject: cifs: add spinlock for the openFileList to cifsInodeInfo
+
+From: Ronnie Sahlberg
+
+commit 487317c99477d00f22370625d53be3239febabbe upstream.
+
+We can not depend on the tcon->open_file_lock here since in multiuser mode
+we may have the same file/inode open via multiple different tcons.
+
+The current code is race prone and will crash if one user deletes a file
+at the same time a different user opens/create the file.
+
+To avoid this we need to have a spinlock attached to the inode and not the tcon.
+
+RHBZ: 1580165
+
+CC: Stable
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifsfs.c | 1 +
+ fs/cifs/cifsglob.h | 5 +++++
+ fs/cifs/file.c | 8 ++++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -303,6 +303,7 @@ cifs_alloc_inode(struct super_block *sb)
+ cifs_inode->uniqueid = 0;
+ cifs_inode->createtime = 0;
+ cifs_inode->epoch = 0;
++ spin_lock_init(&cifs_inode->open_file_lock);
+ generate_random_uuid(cifs_inode->lease_key);
+
+ /*
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1357,6 +1357,7 @@ struct cifsInodeInfo {
+ struct rw_semaphore lock_sem; /* protect the fields above */
+ /* BB add in lists for dirty pages i.e. write caching info for oplock */
+ struct list_head openFileList;
++ spinlock_t open_file_lock; /* protects openFileList */
+ __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */
+ unsigned int oplock; /* oplock/lease level we have */
+ unsigned int epoch; /* used to track lease state changes */
+@@ -1760,10 +1761,14 @@ require use of the stronger protocol */
+ * tcp_ses_lock protects:
+ * list operations on tcp and SMB session lists
+ * tcon->open_file_lock protects the list of open files hanging off the tcon
++ * inode->open_file_lock protects the openFileList hanging off the inode
+ * cfile->file_info_lock protects counters and fields in cifs file struct
+ * f_owner.lock protects certain per file struct operations
+ * mapping->page_lock protects certain per page operations
+ *
++ * Note that the cifs_tcon.open_file_lock should be taken before
++ * not after the cifsInodeInfo.open_file_lock
++ *
+ * Semaphores
+ * ----------
+ * sesSem operations on smb session
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -338,10 +338,12 @@ cifs_new_fileinfo(struct cifs_fid *fid,
+ atomic_inc(&tcon->num_local_opens);
+
+ /* if readable file instance put first in list*/
++ spin_lock(&cinode->open_file_lock);
+ if (file->f_mode & FMODE_READ)
+ list_add(&cfile->flist, &cinode->openFileList);
+ else
+ list_add_tail(&cfile->flist, &cinode->openFileList);
++ spin_unlock(&cinode->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+
+ if (fid->purge_cache)
+@@ -413,7 +415,9 @@ void _cifsFileInfo_put(struct cifsFileIn
+ cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
+
+ /* remove it from the lists */
++ spin_lock(&cifsi->open_file_lock);
+ list_del(&cifs_file->flist);
++ spin_unlock(&cifsi->open_file_lock);
+ list_del(&cifs_file->tlist);
+ atomic_dec(&tcon->num_local_opens);
+
+@@ -1950,9 +1954,9 @@ refind_writable:
+ return 0;
+ }
+
+- spin_lock(&tcon->open_file_lock);
++ spin_lock(&cifs_inode->open_file_lock);
+ list_move_tail(&inv_file->flist, &cifs_inode->openFileList);
+- spin_unlock(&tcon->open_file_lock);
++ spin_unlock(&cifs_inode->open_file_lock);
+ cifsFileInfo_put(inv_file);
+ ++refind;
+ inv_file = NULL;
diff --git a/queue-5.1/cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch b/queue-5.1/cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
new file mode 100644
index 00000000000..4429e602626
--- /dev/null
+++ b/queue-5.1/cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
@@ -0,0 +1,47 @@
+From 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Fri, 14 Jun 2019 13:02:29 +1000
+Subject: cifs: fix GlobalMid_Lock bug in cifs_reconnect
+
+From: Ronnie Sahlberg
+
+commit 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 upstream.
+
+We can not hold the GlobalMid_Lock spinlock during the
+dfs processing in cifs_reconnect since it invokes things that may sleep
+and thus trigger :
+
+BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:23
+
+Thus we need to drop the spinlock during this code block.
+
+RHBZ: 1716743
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ronnie Sahlberg
+Acked-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -478,6 +478,7 @@ cifs_reconnect(struct TCP_Server_Info *s
+ spin_lock(&GlobalMid_Lock);
+ server->nr_targets = 1;
+ #ifdef CONFIG_CIFS_DFS_UPCALL
++ spin_unlock(&GlobalMid_Lock);
+ cifs_sb = find_super_by_tcp(server);
+ if (IS_ERR(cifs_sb)) {
+ rc = PTR_ERR(cifs_sb);
+@@ -495,6 +496,7 @@ cifs_reconnect(struct TCP_Server_Info *s
+ }
+ cifs_dbg(FYI, "%s: will retry %d target(s)\n", __func__,
+ server->nr_targets);
++ spin_lock(&GlobalMid_Lock);
+ #endif
+ if (server->tcpStatus == CifsExiting) {
+ /* the demux thread will exit normally
diff --git a/queue-5.1/cifs-fix-panic-in-smb2_reconnect.patch b/queue-5.1/cifs-fix-panic-in-smb2_reconnect.patch
new file mode 100644
index 00000000000..999e18a2638
--- /dev/null
+++ b/queue-5.1/cifs-fix-panic-in-smb2_reconnect.patch
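Review bot: In the `refind_writable` hunk of fs/cifs/file.c the `list_move_tail()` on `openFileList` is now guarded only by `cifs_inode->open_file_lock`, where it used to hold `tcon->open_file_lock`. Any walker of `openFileList` that still takes only the tcon lock is no longer serialized against this move; the list iteration in this function is outside the hunk, so confirm which lock it holds. cifs_new_fileinfo() visibly nests the inode lock inside the tcon lock, which matches the ordering note added to cifsglob.h. That note would read more clearly as `cifs_tcon.open_file_lock must be taken before cifsInodeInfo.open_file_lock, never after`.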
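Review bot: The added `spin_unlock(&GlobalMid_Lock)` and `spin_lock(&GlobalMid_Lock)` in cifs_reconnect() sit at opposite ends of the CONFIG_CIFS_DFS_UPCALL block, and the code between them, including the `IS_ERR(cifs_sb)` branch, is only partly visible. Every path through that block has to reach the re-lock, otherwise the code after `#endif`, which was written to run under the lock, runs without it. A comment at the unlock, `/* DFS target lookup may sleep; retake GlobalMid_Lock before #endif */`, would make the pairing explicit. `server->nr_targets` is also read by the `cifs_dbg()` call while the lock is dropped, which looks harmless for a debug message but should be a conscious choice.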
@@ -0,0 +1,55 @@
+From 0ff2b018b02f89da26a616e0148582321a00fd99 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Wed, 5 Jun 2019 10:15:34 +1000
+Subject: cifs: fix panic in smb2_reconnect
+
+From: Ronnie Sahlberg
+
+commit 0ff2b018b02f89da26a616e0148582321a00fd99 upstream.
+
+RH Bugzilla: 1702264
+
+We need to protect so that the call to smb2_reconnect() in
+smb2_reconnect_server() does not end up freeing the session
+because it can lead to a use after free and crash.
+
+Reviewed-by: Aurelien Aptel
+Cc:
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3049,9 +3049,14 @@ void smb2_reconnect_server(struct work_s
+ tcon_exist = true;
+ }
+ }
++ /*
++ * IPC has the same lifetime as its session and uses its
++ * refcount.
++ */
+ if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
+ list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
+ tcon_exist = true;
++ ses->ses_count++;
+ }
+ }
+ /*
+@@ -3070,7 +3075,10 @@ void smb2_reconnect_server(struct work_s
+ else
+ resched = true;
+ list_del_init(&tcon->rlist);
+- cifs_put_tcon(tcon);
++ if (tcon->ipc)
++ cifs_put_smb_ses(tcon->ses);
++ else
++ cifs_put_tcon(tcon);
+ }
+
+ cifs_dbg(FYI, "Reconnecting tcons finished\n");
diff --git a/queue-5.1/ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch b/queue-5.1/ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
new file mode 100644
index 00000000000..2f44bb150d0
--- /dev/null
+++ b/queue-5.1/ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
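Review bot: `ses->ses_count++` in smb2_reconnect_server() is a plain increment, so it is only safe under whatever lock the surrounding session walk holds; that lock is taken outside the hunk and should be confirmed. The matching drop is the new `cifs_put_smb_ses(tcon->ses)` branch, selected by `tcon->ipc`, while the reference was taken on the `ses->tcon_ipc` test, so the pairing depends on `tcon->ipc` being set for exactly those tcons. A comment at the increment, `/* dropped via cifs_put_smb_ses() in the reconnect loop below */`, would tie the two together.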
@@ -0,0 +1,60 @@
+From cf131a81967583ae737df6383a0893b9fee75b4e Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Fri, 14 Jun 2019 12:32:26 -0400
+Subject: IB/hfi1: Avoid hardlockup with flushlist_lock
+
+From: Mike Marciniszyn
+
+commit cf131a81967583ae737df6383a0893b9fee75b4e upstream.
+
+Heavy contention of the sde flushlist_lock can cause hard lockups at
+extreme scale when the flushing logic is under stress.
+
+Mitigate by replacing the item at a time copy to the local list with
+an O(1) list_splice_init() and using the high priority work queue to
+do the flushes.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Cc:
+Reviewed-by: Dennis Dalessandro
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -410,10 +410,7 @@ static void sdma_flush(struct sdma_engin
+ sdma_flush_descq(sde);
+ spin_lock_irqsave(&sde->flushlist_lock, flags);
+ /* copy flush list */
+- list_for_each_entry_safe(txp, txp_next, &sde->flushlist, list) {
+- list_del_init(&txp->list);
+- list_add_tail(&txp->list, &flushlist);
+- }
++ list_splice_init(&sde->flushlist, &flushlist);
+ spin_unlock_irqrestore(&sde->flushlist_lock, flags);
+ /* flush from flush list */
+ list_for_each_entry_safe(txp, txp_next, &flushlist, list)
+@@ -2413,7 +2410,7 @@ unlock_noconn:
+ list_add_tail(&tx->list, &sde->flushlist);
+ spin_unlock(&sde->flushlist_lock);
+ iowait_inc_wait_count(wait, tx->num_desc);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto unlock;
+ nodesc:
+@@ -2511,7 +2508,7 @@ unlock_noconn:
+ iowait_inc_wait_count(wait, tx->num_desc);
+ }
+ spin_unlock(&sde->flushlist_lock);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto update_tail;
+ nodesc:
diff --git a/queue-5.1/ib-hfi1-close-psm-sdma_progress-sleep-window.patch b/queue-5.1/ib-hfi1-close-psm-sdma_progress-sleep-window.patch
new file mode 100644
index 00000000000..7a9a8fe8fae
--- /dev/null
+++ b/queue-5.1/ib-hfi1-close-psm-sdma_progress-sleep-window.patch
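Review bot: Both replaced call sites now use `queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker)`, which pins the flush to one CPU; queue_work_on() expects the caller to make sure that CPU stays online. Nothing in these hunks shows how `sde->cpu` is kept valid across CPU hotplug, so that should be confirmed, or the call changed to `queue_work(system_highpri_wq, &sde->flush_worker)` if pinning is not required. Both sites are in functions that start and end outside the hunks.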
@@ -0,0 +1,85 @@
+From da9de5f8527f4b9efc82f967d29a583318c034c7 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Fri, 7 Jun 2019 08:25:31 -0400
+Subject: IB/hfi1: Close PSM sdma_progress sleep window
+
+From: Mike Marciniszyn
+
+commit da9de5f8527f4b9efc82f967d29a583318c034c7 upstream.
+
+The call to sdma_progress() is called outside the wait lock.
+
+In this case, there is a race condition where sdma_progress() can return
+false and the sdma_engine can idle. If that happens, there will be no
+more sdma interrupts to cause the wakeup and the user_sdma xmit will hang.
+
+Fix by moving the lock to enclose the sdma_progress() call.
+
+Also, delete busycount. The need for this was removed by:
+commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first")
+
+Cc:
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Gary Leshner
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/user_sdma.c | 12 ++++--------
+ drivers/infiniband/hw/hfi1/user_sdma.h | 1 -
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -130,20 +130,16 @@ static int defer_packet_queue(
+ {
+ struct hfi1_user_sdma_pkt_q *pq =
+ container_of(wait->iow, struct hfi1_user_sdma_pkt_q, busy);
+- struct user_sdma_txreq *tx =
+- container_of(txreq, struct user_sdma_txreq, txreq);
+
+- if (sdma_progress(sde, seq, txreq)) {
+- if (tx->busycount++ < MAX_DEFER_RETRY_COUNT)
+- goto eagain;
+- }
++ write_seqlock(&sde->waitlock);
++ if (sdma_progress(sde, seq, txreq))
++ goto eagain;
+ /*
+ * We are assuming that if the list is enqueued somewhere, it
+ * is to the dmawait list since that is the only place where
+ * it is supposed to be enqueued.
+ */
+ xchg(&pq->state, SDMA_PKT_Q_DEFERRED);
+- write_seqlock(&sde->waitlock);
+ if (list_empty(&pq->busy.list)) {
+ iowait_get_priority(&pq->busy);
+ iowait_queue(pkts_sent, &pq->busy, &sde->dmawait);
+@@ -151,6 +147,7 @@ static int defer_packet_queue(
+ write_sequnlock(&sde->waitlock);
+ return -EBUSY;
+ eagain:
++ write_sequnlock(&sde->waitlock);
+ return -EAGAIN;
+ }
+
+@@ -804,7 +801,6 @@ static int user_sdma_send_pkts(struct us
+
+ tx->flags = 0;
+ tx->req = req;
+- tx->busycount = 0;
+ INIT_LIST_HEAD(&tx->list);
+
+ /*
+--- a/drivers/infiniband/hw/hfi1/user_sdma.h
++++ b/drivers/infiniband/hw/hfi1/user_sdma.h
+@@ -245,7 +245,6 @@ struct user_sdma_txreq {
+ struct list_head list;
+ struct user_sdma_request *req;
+ u16 flags;
+- unsigned int busycount;
+ u16 seqnum;
+ };
+
diff --git a/queue-5.1/ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch b/queue-5.1/ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
new file mode 100644
index 00000000000..ce4bdad2e18
--- /dev/null
+++ b/queue-5.1/ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
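Review bot: defer_packet_queue() now calls `sdma_progress()` with `sde->waitlock` write-held, but no comment says why the lock has to cover that call. I would add above `write_seqlock(&sde->waitlock);` something like `/* hold waitlock across sdma_progress() so the engine cannot go idle between the check and iowait_queue() */`. The `eagain:` exit now has its own `write_sequnlock()`, so both exits release the lock. Whether sdma_progress() is safe to call under this lock depends on its body, which is not part of this patch.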
@@ -0,0 +1,116 @@
+From cc78076af14e1478c1a8fb18997674b5f8cbe3c8 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Mon, 10 Jun 2019 12:28:18 -0400
+Subject: IB/hfi1: Correct tid qp rcd to match verbs context
+
+From: Mike Marciniszyn
+
+commit cc78076af14e1478c1a8fb18997674b5f8cbe3c8 upstream.
+
+The qp priv rcd pointer doesn't match the context being used for verbs
+causing issues when 9B and kdeth packets are processed by different
+receive contexts and hence different CPUs.
+
+When running on different CPUs the following panic can occur:
+
+ WARNING: CPU: 3 PID: 2584 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
+ list_del corruption. prev->next should be ffff9a7ac31f7a30, but was ffff9a7c3bc89230
+ CPU: 3 PID: 2584 Comm: z_wr_iss Kdump: loaded Tainted: P OE ------------ 3.10.0-862.2.3.el7_lustre.x86_64 #1
+ Call Trace:
+ [] dump_stack+0x19/0x1b
+ [] __warn+0xd8/0x100
+ [] warn_slowpath_fmt+0x5f/0x80
+ [] __list_del_entry+0xa1/0xd0
+ [] process_rcv_qp_work+0xb5/0x160 [hfi1]
+ [] handle_receive_interrupt_nodma_rtail+0x20b/0x2b0 [hfi1]
+ [] receive_context_interrupt+0x23/0x40 [hfi1]
+ [] __handle_irq_event_percpu+0x44/0x1c0
+ [] handle_irq_event_percpu+0x32/0x80
+ [] handle_irq_event+0x3c/0x60
+ [] handle_edge_irq+0x7f/0x150
+ [] handle_irq+0xe4/0x1a0
+ [] do_IRQ+0x4d/0xf0
+ [] common_interrupt+0x162/0x162
+ [] ? memcpy+0x6/0x110
+ [] ? abd_copy_from_buf_off_cb+0x1d/0x30 [zfs]
+ [] ? abd_copy_to_buf_off_cb+0x30/0x30 [zfs]
+ [] abd_iterate_func+0x97/0x120 [zfs]
+ [] abd_copy_from_buf_off+0x39/0x60 [zfs]
+ [] arc_write_ready+0x178/0x300 [zfs]
+ [] ? mutex_lock+0x12/0x2f
+ [] ? mutex_lock+0x12/0x2f
+ [] zio_ready+0x65/0x3d0 [zfs]
+ [] ? tsd_get_by_thread+0x2e/0x50 [spl]
+ [] ? taskq_member+0x18/0x30 [spl]
+ [] zio_execute+0xa2/0x100 [zfs]
+ [] taskq_thread+0x2ac/0x4f0 [spl]
+ [] ? wake_up_state+0x20/0x20
+ [] ? zio_taskq_member.isra.7.constprop.10+0x80/0x80 [zfs]
+ [] ? taskq_thread_spawn+0x60/0x60 [spl]
+ [] kthread+0xd1/0xe0
+ [] ? 
insert_kthread_work+0x40/0x40
+ [] ret_from_fork_nospec_begin+0x21/0x21
+ [] ? insert_kthread_work+0x40/0x40
+
+Fix by reading the map entry in the same manner as the hardware so that
+the kdeth and verbs contexts match.
+
+Cc:
+Fixes: 5190f052a365 ("IB/hfi1: Allow the driver to initialize QP priv struct")
+Reviewed-by: Kaike Wan
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/chip.c | 13 +++++++++++++
+ drivers/infiniband/hw/hfi1/chip.h | 1 +
+ drivers/infiniband/hw/hfi1/tid_rdma.c | 4 +---
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -14028,6 +14028,19 @@ static void init_kdeth_qp(struct hfi1_de
+ }
+
+ /**
++ * hfi1_get_qp_map
++ * @dd: device data
++ * @idx: index to read
++ */
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx)
++{
++ u64 reg = read_csr(dd, RCV_QP_MAP_TABLE + (idx / 8) * 8);
++
++ reg >>= (idx % 8) * 8;
++ return reg;
++}
++
++/**
+ * init_qpmap_table
+ * @dd - device data
+ * @first_ctxt - first context
+--- a/drivers/infiniband/hw/hfi1/chip.h
++++ b/drivers/infiniband/hw/hfi1/chip.h
+@@ -1442,6 +1442,7 @@ void clear_all_interrupts(struct hfi1_de
+ void remap_intr(struct hfi1_devdata *dd, int isrc, int msix_intr);
+ void remap_sdma_interrupts(struct hfi1_devdata *dd, int engine, int msix_intr);
+ void reset_interrupts(struct hfi1_devdata *dd);
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx);
+
+ /*
+ * Interrupt source table.
+--- a/drivers/infiniband/hw/hfi1/tid_rdma.c
++++ b/drivers/infiniband/hw/hfi1/tid_rdma.c
+@@ -305,9 +305,7 @@ static struct hfi1_ctxtdata *qp_to_rcd(s
+ if (qp->ibqp.qp_num == 0)
+ ctxt = 0;
+ else
+- ctxt = ((qp->ibqp.qp_num >> dd->qos_shift) %
+- (dd->n_krcv_queues - 1)) + 1;
+-
++ ctxt = hfi1_get_qp_map(dd, qp->ibqp.qp_num >> dd->qos_shift);
+ return dd->rcd[ctxt];
+ }
+
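Review bot: In qp_to_rcd() the index into `dd->rcd[]` now comes straight from a hardware register through hfi1_get_qp_map(), and nothing range-checks it before `return dd->rcd[ctxt];`. The removed expression bounded the result by `dd->n_krcv_queues`; the new one can be any value from 0 to 255, and whether every RCV_QP_MAP_TABLE entry is programmed with a valid context number before this runs is not visible in these hunks. A guard against the number of allocated receive contexts, or a comment stating the invariant that makes one unnecessary, would keep a stale table entry from becoming an out-of-bounds read. Separately, hfi1_get_qp_map() narrows a u64 to u8 through a bare `return reg;` and its kernel-doc has neither a description nor a return line; `return reg & 0xff;` would make the truncation explicit. qp_to_rcd() begins outside the hunk.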
diff --git a/queue-5.1/ib-hfi1-silence-txreq-allocation-warnings.patch b/queue-5.1/ib-hfi1-silence-txreq-allocation-warnings.patch
new file mode 100644
index 00000000000..4dd3d7c7ed6
--- /dev/null
+++ b/queue-5.1/ib-hfi1-silence-txreq-allocation-warnings.patch
@@ -0,0 +1,91 @@
+From 3230f4a8d44e4a0bb7afea814b280b5129521f52 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: IB/hfi1: Silence txreq allocation warnings
+
+From: Mike Marciniszyn
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263] dump_stack+0x5a/0x73
+[10220.939265] warn_alloc+0x103/0x190
+[10220.939267] ? wake_all_kswapds+0x54/0x8b
+[10220.939268] __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271] __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273] new_slab+0x475/0x550
+[10220.939275] ___slab_alloc+0x36c/0x520
+[10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299] ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312] __slab_alloc+0x40/0x61
+[10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325] kmem_cache_alloc+0x181/0x1b0
+[10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372] process_one_work+0x171/0x380
+[10220.939374] worker_thread+0x49/0x3f0
+[10220.939375] kthread+0xf8/0x130
+[10220.939377] ? max_active_store+0x80/0x80
+[10220.939378] ? 
kthread_bind+0x10/0x10
+[10220.939379] ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc:
+Reviewed-by: Dennis Dalessandro
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c | 2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct h
+ if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ struct hfi1_qp_priv *priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (tx)
+ goto out;
+ priv = qp->priv;
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -72,6 +72,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp);
+
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp)
+ __must_hold(&qp->slock)
+@@ -79,7 +80,7 @@ static inline struct verbs_txreq *get_tx
+ struct verbs_txreq *tx;
+ struct hfi1_qp_priv *priv = qp->priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (unlikely(!tx)) {
+ /* call slow path to get the lock */
+ tx = __get_txreq(dev, qp);
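Review bot: `VERBS_TXREQ_GFP` is introduced in verbs_txreq.h without a comment, so the reason for `__GFP_NOWARN` lives only in the commit message. A line such as `/* callers handle a failed allocation themselves, so suppress the allocator warning */` above the define would keep the flag from being dropped, or the macro reused, where that precondition does not hold. Both call sites, `__get_txreq()` and `get_txreq()`, continue outside their hunks.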
diff --git a/queue-5.1/ib-hfi1-validate-fault-injection-opcode-user-input.patch b/queue-5.1/ib-hfi1-validate-fault-injection-opcode-user-input.patch
new file mode 100644
index 00000000000..a3b79cdd601
--- /dev/null
+++ b/queue-5.1/ib-hfi1-validate-fault-injection-opcode-user-input.patch
@@ -0,0 +1,47 @@
+From 5f90677ed31963abb184ee08ebee4a4a68225dd8 Mon Sep 17 00:00:00 2001
+From: Kaike Wan
+Date: Fri, 7 Jun 2019 08:25:25 -0400
+Subject: IB/hfi1: Validate fault injection opcode user input
+
+From: Kaike Wan
+
+commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 upstream.
+
+The opcode range for fault injection from user should be validated before
+it is applied to the fault->opcodes[] bitmap to avoid out-of-bound
+error.
+
+Cc:
+Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery")
+Reported-by: Dan Carpenter
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Kaike Wan
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/fault.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/fault.c
++++ b/drivers/infiniband/hw/hfi1/fault.c
+@@ -153,6 +153,7 @@ static ssize_t fault_opcodes_write(struc
+ char *dash;
+ unsigned long range_start, range_end, i;
+ bool remove = false;
++ unsigned long bound = 1U << BITS_PER_BYTE;
+
+ end = strchr(ptr, ',');
+ if (end)
+@@ -178,6 +179,10 @@ static ssize_t fault_opcodes_write(struc
+ BITS_PER_BYTE);
+ break;
+ }
++ /* Check the inputs */
++ if (range_start >= bound || range_end >= bound)
++ break;
++
+ for (i = range_start; i <= range_end; i++) {
+ if (remove)
+ clear_bit(i, fault->opcodes);
diff --git a/queue-5.1/iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch b/queue-5.1/iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
new file mode 100644
index 00000000000..e24118c6811
--- /dev/null
+++ b/queue-5.1/iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
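Review bot: The added range check in fault_opcodes_write() rejects out-of-range input with a bare `break`, so ranges parsed earlier in the same write stay applied and, unless code outside the hunk sets an error, the writer is not told that the rest was dropped. If the function keeps a status variable, setting it to `-EINVAL` before the `break` would make the rejection visible to the caller. The limit `1U << BITS_PER_BYTE` is also a literal that is not tied to the declared size of `fault->opcodes`; a comment such as `/* bit indices into fault->opcodes must stay below 1 << BITS_PER_BYTE */`, or deriving `bound` from the bitmap's size, would keep the check and the allocation from drifting apart. The function starts and ends outside both hunks.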
@@ -0,0 +1,95 @@
+From bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi
+Date: Sun, 19 May 2019 10:58:23 +0200
+Subject: iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller
+
+From: Lorenzo Bianconi
+
+commit bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 upstream.
+
+Properly suspend/resume i2c slaves connected to st_lsm6dsx master
+controller if the CPU goes in suspended state
+
+Fixes: c91c1c844ebd ("imu: st_lsm6dsx: add i2c embedded controller support")
+Signed-off-by: Lorenzo Bianconi
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 ++
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 25 +++++++++++++++++--------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+@@ -265,6 +265,7 @@ struct st_lsm6dsx_sensor {
+ * @conf_lock: Mutex to prevent concurrent FIFO configuration update.
+ * @page_lock: Mutex to prevent concurrent memory page configuration.
+ * @fifo_mode: FIFO operating mode supported by the device.
++ * @suspend_mask: Suspended sensor bitmask.
+ * @enable_mask: Enabled sensor bitmask.
+ * @ts_sip: Total number of timestamp samples in a given pattern.
+ * @sip: Total number of samples (acc/gyro/ts) in a given pattern.
+@@ -282,6 +283,7 @@ struct st_lsm6dsx_hw {
+ struct mutex page_lock;
+
+ enum st_lsm6dsx_fifo_mode fifo_mode;
++ u8 suspend_mask;
+ u8 enable_mask;
+ u8 ts_sip;
+ u8 sip;
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+@@ -1023,8 +1023,6 @@ static int __maybe_unused st_lsm6dsx_sus
+ {
+ struct st_lsm6dsx_hw *hw = dev_get_drvdata(dev);
+ struct st_lsm6dsx_sensor *sensor;
+- const struct st_lsm6dsx_reg *reg;
+- unsigned int data;
+ int i, err = 0;
+
+ for (i = 0; i < ST_LSM6DSX_ID_MAX; i++) {
+@@ -1035,12 +1033,16 @@ static int __maybe_unused st_lsm6dsx_sus
+ if (!(hw->enable_mask & BIT(sensor->id)))
+ continue;
+
+- reg = &st_lsm6dsx_odr_table[sensor->id].reg;
+- data = ST_LSM6DSX_SHIFT_VAL(0, reg->mask);
+- err = st_lsm6dsx_update_bits_locked(hw, reg->addr, reg->mask,
+- data);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, false);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, false);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask |= BIT(sensor->id);
+ }
+
+ if (hw->fifo_mode != ST_LSM6DSX_FIFO_BYPASS)
+@@ -1060,12 +1062,19 @@ static int __maybe_unused st_lsm6dsx_res
+ continue;
+
+ sensor = iio_priv(hw->iio_devs[i]);
+- if (!(hw->enable_mask & BIT(sensor->id)))
++ if (!(hw->suspend_mask & BIT(sensor->id)))
+ continue;
+
+- err = st_lsm6dsx_set_odr(sensor, sensor->odr);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, true);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, true);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask &= ~BIT(sensor->id);
+ }
+
+ if (hw->enable_mask)
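Review bot: The three-way test on `ST_LSM6DSX_ID_EXT0`/`EXT1`/`EXT2` is written out twice in st_lsm6dsx_core.c, once in the suspend loop and once in the resume loop, differing only in the `true`/`false` argument. A small static helper that picks between st_lsm6dsx_shub_set_enable() and st_lsm6dsx_sensor_set_enable() would keep the two paths in step when another external sensor id is added; the helper name below is only a suggestion. The early `return err` in suspend also leaves some `hw->suspend_mask` bits set while later sensors are still enabled, which deserves a comment since what the PM core does next is not visible here. Both functions begin and end outside the hunks.

```c
static int st_lsm6dsx_pm_set_enable(struct st_lsm6dsx_sensor *sensor,
				    bool enable)
{
	if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
	    sensor->id == ST_LSM6DSX_ID_EXT1 ||
	    sensor->id == ST_LSM6DSX_ID_EXT2)
		return st_lsm6dsx_shub_set_enable(sensor, enable);

	return st_lsm6dsx_sensor_set_enable(sensor, enable);
}

/* … unchanged: suspend loop up to the enable_mask test … */
		err = st_lsm6dsx_pm_set_enable(sensor, false);
/* … unchanged: resume loop up to the suspend_mask test … */
		err = st_lsm6dsx_pm_set_enable(sensor, true);
```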
diff --git a/queue-5.1/iio-temperature-mlx90632-relax-the-compatibility-check.patch b/queue-5.1/iio-temperature-mlx90632-relax-the-compatibility-check.patch
new file mode 100644
index 00000000000..0e16a215e91
--- /dev/null
+++ b/queue-5.1/iio-temperature-mlx90632-relax-the-compatibility-check.patch
@@ -0,0 +1,56 @@
+From 389fc70b60f534d679aea9a3f05146040ce20d77 Mon Sep 17 00:00:00 2001
+From: Crt Mori
+Date: Thu, 23 May 2019 14:07:22 +0200
+Subject: iio: temperature: mlx90632 Relax the compatibility check
+
+From: Crt Mori
+
+commit 389fc70b60f534d679aea9a3f05146040ce20d77 upstream.
+
+Register EE_VERSION contains mixture of calibration information and DSP
+version. So far, because calibrations were definite, the driver
+compatibility depended on whole contents, but in the newer production
+process the calibration part changes. Because of that, value in EE_VERSION
+will be changed and to avoid that calibration value is same as DSP version
+the MSB in calibration part was fixed to 1.
+That means existing calibrations (medical and consumer) will now have
+hex values (bits 8 to 15) of 83 and 84 respectively. Driver compatibility
+should be based only on DSP version part of the EE_VERSION (bits 0 to 7)
+register.
+
+Signed-off-by: Crt Mori
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/temperature/mlx90632.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/temperature/mlx90632.c
++++ b/drivers/iio/temperature/mlx90632.c
+@@ -81,6 +81,8 @@
+ /* Magic constants */
+ #define MLX90632_ID_MEDICAL 0x0105 /* EEPROM DSPv5 Medical device id */
+ #define MLX90632_ID_CONSUMER 0x0205 /* EEPROM DSPv5 Consumer device id */
++#define MLX90632_DSP_VERSION 5 /* DSP version */
++#define MLX90632_DSP_MASK GENMASK(7, 0) /* DSP version in EE_VERSION */
+ #define MLX90632_RESET_CMD 0x0006 /* Reset sensor (address or global) */
+ #define MLX90632_REF_12 12LL /**< ResCtrlRef value of Ch 1 or Ch 2 */
+ #define MLX90632_REF_3 12LL /**< ResCtrlRef value of Channel 3 */
+@@ -667,10 +669,13 @@ static int mlx90632_probe(struct i2c_cli
+ } else if (read == MLX90632_ID_CONSUMER) {
+ dev_dbg(&client->dev,
+ "Detected Consumer EEPROM calibration %x\n", read);
++ } else if ((read & MLX90632_DSP_MASK) == 
MLX90632_DSP_VERSION) {
++ dev_dbg(&client->dev,
++ "Detected Unknown EEPROM calibration %x\n", read);
+ } else {
+ dev_err(&client->dev,
+- "EEPROM version mismatch %x (expected %x or %x)\n",
+- read, MLX90632_ID_CONSUMER, MLX90632_ID_MEDICAL);
++ "Wrong DSP version %x (expected %x)\n",
++ read, MLX90632_DSP_VERSION);
+ return -EPROTONOSUPPORT;
+ }
+
diff --git a/queue-5.1/input-silead-add-mssl0017-to-acpi_device_id.patch b/queue-5.1/input-silead-add-mssl0017-to-acpi_device_id.patch
new file mode 100644
index 00000000000..32aaa6b7f93
--- /dev/null
+++ b/queue-5.1/input-silead-add-mssl0017-to-acpi_device_id.patch
@@ -0,0 +1,31 @@
+From 0e658060e5fc50dc282885dc424a94b5d95547e5 Mon Sep 17 00:00:00 2001
+From: Daniel Smith
+Date: Thu, 23 May 2019 12:54:18 -0700
+Subject: Input: silead - add MSSL0017 to acpi_device_id
+
+From: Daniel Smith
+
+commit 0e658060e5fc50dc282885dc424a94b5d95547e5 upstream.
+
+On Chuwi Hi10 Plus, the Silead device id is MSSL0017.
+
+Signed-off-by: Daniel Smith
+Reviewed-by: Hans de Goede
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/silead.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -617,6 +617,7 @@ static const struct acpi_device_id silea
+ { "MSSL1680", 0 },
+ { "MSSL0001", 0 },
+ { "MSSL0002", 0 },
++ { "MSSL0017", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);
diff --git a/queue-5.1/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch b/queue-5.1/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
new file mode 100644
index 00000000000..bd9d0adc571
--- /dev/null
+++ b/queue-5.1/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
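Review bot: In the final `else` branch of mlx90632_probe() the new message prints the whole `read` value next to `MLX90632_DSP_VERSION`, although the comparison that failed was on `read & MLX90632_DSP_MASK`. The log therefore shows the full EE_VERSION contents against an expected `5`, which does not tell the reader which field mismatched. Passing the masked field, `read & MLX90632_DSP_MASK, MLX90632_DSP_VERSION);`, would make the message match the check. The probe function continues outside the hunk.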
@@ -0,0 +1,36 @@
+From 9843f3e08e2144724be7148e08d77a195dea257a Mon Sep 17 00:00:00 2001
+From: Alexander Mikhaylenko
+Date: Wed, 12 Jun 2019 14:59:46 -0700
+Subject: Input: synaptics - enable SMBus on ThinkPad E480 and E580
+
+From: Alexander Mikhaylenko
+
+commit 9843f3e08e2144724be7148e08d77a195dea257a upstream.
+
+They are capable of using intertouch and it works well with
+psmouse.synaptics_intertouch=1, so add them to the list.
+
+Without it, scrolling and gestures are jumpy, three-finger pinch gesture
+doesn't work and three- or four-finger swipes sometimes get stuck.
+
+Signed-off-by: Alexander Mikhaylenko
+Reviewed-by: Benjamin Tissoires
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/synaptics.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,8 @@ static const char * const smbus_pnp_ids[
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
+ "LEN200f", /* T450s */
++ "LEN2054", /* E480 */
++ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
+ NULL
diff --git a/queue-5.1/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch b/queue-5.1/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
new file mode 100644
index 00000000000..affb4f95ed2
--- /dev/null
+++ b/queue-5.1/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
@@ -0,0 +1,61 @@
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais
+Signed-off-by: Andrey Smirnov
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -1051,13 +1051,31 @@ static long uinput_ioctl(struct file *fi
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
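Review bot: The new comment above the `_COMPAT` defines says these ioctls change size between 32 and 64 bits, but not why every other uinput command falls through the `switch` in uinput_compat_ioctl() untranslated. A sentence such as `Commands whose argument layout is the same for 32-bit callers need no entry here.`, if that is indeed the rule, would tell whoever adds an ioctl carrying a pointer or long that a case is required. `struct uinput_ff_upload_compat` is defined outside the hunk, so its layout against the native structure could not be checked from here.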
diff --git a/queue-5.1/revert-brcmfmac-disable-command-decode-in-sdio_aos.patch b/queue-5.1/revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
new file mode 100644
index 00000000000..bc4bfdbb9e5
--- /dev/null
+++ b/queue-5.1/revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
@@ -0,0 +1,56 @@
+From abdd5dcc00207e7c38680f3754d1bfffafff1093 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Mon, 17 Jun 2019 10:56:49 -0700
+Subject: Revert "brcmfmac: disable command decode in sdio_aos"
+
+From: Douglas Anderson
+
+commit abdd5dcc00207e7c38680f3754d1bfffafff1093 upstream.
+
+This reverts commit 29f6589140a10ece8c1d73f58043ea5b3473ab3e.
+
+After that patch landed I find that my kernel log on
+rk3288-veyron-minnie and rk3288-veyron-speedy is filled with:
+brcmfmac: brcmf_sdio_bus_sleep: error while changing bus sleep state -110
+
+This seems to happen every time the Broadcom WiFi transitions out of
+sleep mode. Reverting the commit fixes the problem for me, so that's
+what this patch does.
+
+Note that, in general, the justification in the original commit seemed
+a little weak. It looked like someone was testing on a SD card
+controller that would sometimes die if there were CRC errors on the
+bus. This used to happen back in early days of dw_mmc (the controller
+on my boards), but we fixed it. Disabling a feature on all boards
+just because one SD card controller is broken seems bad.
+
+Fixes: 29f6589140a1 ("brcmfmac: disable command decode in sdio_aos")
+Cc: Wright Feng
+Cc: Double Lo
+Cc: Madhan Mohan R
+Cc: Chi-Hsien Lin
+Signed-off-by: Douglas Anderson
+Cc: stable@vger.kernel.org
+Acked-by: Kalle Valo
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3373,11 +3373,7 @@ err:
+
+ static bool brcmf_sdio_aos_no_decode(struct brcmf_sdio *bus)
+ {
+- if (bus->ci->chip == CY_CC_43012_CHIP_ID ||
+- bus->ci->chip == CY_CC_4373_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4339_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4345_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4354_CHIP_ID)
++ if (bus->ci->chip == CY_CC_43012_CHIP_ID)
+ return true;
+ else
+ return false;
diff --git a/queue-5.1/series b/queue-5.1/series
index a782a43932c..58e126ddd05 100644
--- a/queue-5.1/series
+++ b/queue-5.1/series
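Review bot: After the revert, brcmf_sdio_aos_no_decode() is a single comparison wrapped in `if (...) return true; else return false;`. `return bus->ci->chip == CY_CC_43012_CHIP_ID;` says the same thing in one line and removes the branch. The function's closing brace is outside the hunk.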
@@ -10,3 +10,22 @@ scsi-ufs-avoid-runtime-suspend-possibly-being-blocked-forever.patch
 usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
 xhci-detect-usb-3.2-capable-host-controllers-correctly.patch
 usb-xhci-don-t-try-to-recover-an-endpoint-if-port-is-in-error-state.patch
+cifs-fix-panic-in-smb2_reconnect.patch
+cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
+cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
+ib-hfi1-validate-fault-injection-opcode-user-input.patch
+ib-hfi1-close-psm-sdma_progress-sleep-window.patch
+ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
+ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
+ib-hfi1-silence-txreq-allocation-warnings.patch
+iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
+iio-temperature-mlx90632-relax-the-compatibility-check.patch
+input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+input-silead-add-mssl0017-to-acpi_device_id.patch
+apparmor-fix-profile_mediates-for-untrusted-input.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch
+apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
+revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
+brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
+brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch
--
2.47.2