From e2e52b9829cd83c4d080412139361cbfb76dccec Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 12 Feb 2020 17:28:43 -0800 Subject: [PATCH] 5.4-stable patches added patches: ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch ib-mlx4-fix-leak-in-id_map_find_del.patch ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch nfs-fix-fix-of-show_nfs_errors.patch nfs-nfs_swap-should-depend-on-swap.patch nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch nfs-revalidate-the-file-size-on-a-fatal-write-error.patch nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch nfsv4-try-lease-recovery-on-nfs4err_expired.patch nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch pci-aer-initialize-aer_fifo.patch pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch pci-switchtec-fix-vep_vector_number-ioread-width.patch pci-switchtec-use-dma_set_mask_and_coherent.patch pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch rdma-core-fix-locking-in-ib_uverbs_event_read.patch rdma-i40iw-fix-a-potential-null-pointer-dereference.patch rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch rdma-umem-fix-ib_umem_find_best_pgsz.patch rdma-uverbs-verify-mr-access-flags.patch scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch --- ...h10k_mem_region_type_ioreg-when-safe.patch | 69 ++++++++ .../ib-mlx4-fix-leak-in-id_map_find_del.patch | 130 ++++++++++++++ ...ix-memory-leak-in-add_gid-error-flow.patch | 78 +++++++++ ...ate-data-if-it-is-disabled-by-a-user.patch | 48 ++++++ ...void-use-after-free-for-pmsr-request.patch | 64 +++++++ .../nfs-fix-fix-of-show_nfs_errors.patch | 159 ++++++++++++++++++ .../nfs-nfs_swap-should-depend-on-swap.patch | 38 
+++++ ...nfs_generic_prepare_to_resend_writes.patch | 118 +++++++++++++ ...the-file-size-on-a-fatal-write-error.patch | 40 +++++ ...l-pointer-derefering-in-copy-offload.patch | 34 ++++ ...must-use-cred_fscmp-to-compare-creds.patch | 32 ++++ ...ry-lease-recovery-on-nfs4err_expired.patch | 36 ++++ ...hould-not-do-implicit-lease-renewals.patch | 152 +++++++++++++++++ queue-5.4/pci-aer-initialize-aer_fifo.patch | 45 +++++ ...ge-bars-when-assigning-bus-resources.patch | 111 ++++++++++++ ...ix-memory-leak-in-pci_iov_add_virtfn.patch | 52 ++++++ ...c-fix-vep_vector_number-ioread-width.patch | 34 ++++ ...tchtec-use-dma_set_mask_and_coherent.patch | 36 ++++ ...afi_pex2_ctrl-reg-offset-for-tegra30.patch | 43 +++++ ...ference-count-during-address-resolve.patch | 55 ++++++ ...-fix-locking-in-ib_uverbs_event_read.patch | 110 ++++++++++++ ...a-potential-null-pointer-dereference.patch | 36 ++++ ...e-an-ack-for-some-netlink-operations.patch | 80 +++++++++ ...rdma-umem-fix-ib_umem_find_best_pgsz.patch | 45 +++++ .../rdma-uverbs-verify-mr-access-flags.patch | 35 ++++ ...e-in-case-ufshcd_scsi_add_wlus-fails.patch | 39 +++++ queue-5.4/series | 26 +++ 27 files changed, 1745 insertions(+) create mode 100644 queue-5.4/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch create mode 100644 queue-5.4/ib-mlx4-fix-leak-in-id_map_find_del.patch create mode 100644 queue-5.4/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch create mode 100644 queue-5.4/ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch create mode 100644 queue-5.4/iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch create mode 100644 queue-5.4/nfs-fix-fix-of-show_nfs_errors.patch create mode 100644 queue-5.4/nfs-nfs_swap-should-depend-on-swap.patch create mode 100644 queue-5.4/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch create mode 100644 queue-5.4/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch create mode 100644 
queue-5.4/nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch create mode 100644 queue-5.4/nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch create mode 100644 queue-5.4/nfsv4-try-lease-recovery-on-nfs4err_expired.patch create mode 100644 queue-5.4/nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch create mode 100644 queue-5.4/pci-aer-initialize-aer_fifo.patch create mode 100644 queue-5.4/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch create mode 100644 queue-5.4/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch create mode 100644 queue-5.4/pci-switchtec-fix-vep_vector_number-ioread-width.patch create mode 100644 queue-5.4/pci-switchtec-use-dma_set_mask_and_coherent.patch create mode 100644 queue-5.4/pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch create mode 100644 queue-5.4/rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch create mode 100644 queue-5.4/rdma-core-fix-locking-in-ib_uverbs_event_read.patch create mode 100644 queue-5.4/rdma-i40iw-fix-a-potential-null-pointer-dereference.patch create mode 100644 queue-5.4/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch create mode 100644 queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz.patch create mode 100644 queue-5.4/rdma-uverbs-verify-mr-access-flags.patch create mode 100644 queue-5.4/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch diff --git a/queue-5.4/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch b/queue-5.4/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch new file mode 100644 index 00000000000..0552c15b1fe --- /dev/null +++ b/queue-5.4/ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch 
@@ -0,0 +1,69 @@ +From d239380196c4e27a26fa4bea73d2bf994c14ec2d Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 19 Dec 2019 13:15:38 +0000 +Subject: ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe + +From: Bryan O'Donoghue + +commit d239380196c4e27a26fa4bea73d2bf994c14ec2d upstream. + +ath10k_pci_dump_memory_reg() will try to access memory of type +ATH10K_MEM_REGION_TYPE_IOREG however, if a hardware restart is in progress +this can crash a system. + +Individual ioread32() time has been observed to jump from 15-20 ticks to > +80k ticks followed by a secure-watchdog bite and a system reset. + +Work around this corner case by only issuing the read transaction when the +driver state is ATH10K_STATE_ON. + +Tested-on: QCA9988 PCI 10.4-3.9.0.2-00044 + +Fixes: 219cc084c6706 ("ath10k: add memory dump support QCA9984") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/pci.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1604,11 +1604,22 @@ static int ath10k_pci_dump_memory_reg(st + { + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); + u32 i; ++ int ret; ++ ++ mutex_lock(&ar->conf_mutex); ++ if (ar->state != ATH10K_STATE_ON) { ++ ath10k_warn(ar, "Skipping pci_dump_memory_reg invalid state\n"); ++ ret = -EIO; ++ goto done; ++ } + + for (i = 0; i < region->len; i += 4) + *(u32 *)(buf + i) = ioread32(ar_pci->mem + region->start + i); + +- return region->len; ++ ret = region->len; ++done: ++ mutex_unlock(&ar->conf_mutex); ++ return ret; + } + + /* if an error happened returns < 0, otherwise the length */ +@@ -1704,7 +1715,11 @@ static void ath10k_pci_dump_memory(struc + count = ath10k_pci_dump_memory_sram(ar, current_region, buf); + break; + case ATH10K_MEM_REGION_TYPE_IOREG: +- count = ath10k_pci_dump_memory_reg(ar, current_region, buf); ++ 
ret = ath10k_pci_dump_memory_reg(ar, current_region, buf); ++ if (ret < 0) ++ break; ++ ++ count = ret; + break; + default: + ret = ath10k_pci_dump_memory_generic(ar, current_region, buf); diff --git a/queue-5.4/ib-mlx4-fix-leak-in-id_map_find_del.patch b/queue-5.4/ib-mlx4-fix-leak-in-id_map_find_del.patch new file mode 100644 index 00000000000..77d8078fefb --- /dev/null +++ b/queue-5.4/ib-mlx4-fix-leak-in-id_map_find_del.patch 
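Review bot: In `ath10k_pci_dump_memory()` the new `if (ret < 0) break;` for `ATH10K_MEM_REGION_TYPE_IOREG` leaves `count` unchanged for the skipped region. The code after the switch is outside the hunk; if it derives a header length or a buffer advance from `count`, a stale value would describe bytes that were never written into `buf`. Either set `count = 0;` before the `break`, or confirm that the post-switch code stops on `ret < 0`. Separately, `ath10k_pci_dump_memory_reg()` now takes `ar->conf_mutex`, so a comment such as `/* takes conf_mutex: callers on the dump path must not hold it */` would record the constraint this adds for callers not visible here.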
@@ -0,0 +1,130 @@ +From ea660ad7c1c476fd6e5e3b17780d47159db71dea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Thu, 23 Jan 2020 16:55:21 +0100 +Subject: IB/mlx4: Fix leak in id_map_find_del +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +commit ea660ad7c1c476fd6e5e3b17780d47159db71dea upstream. + +Using CX-3 virtual functions, either from a bare-metal machine or +pass-through from a VM, MAD packets are proxied through the PF driver. + +Since the VF drivers have separate name spaces for MAD Transaction Ids +(TIDs), the PF driver has to re-map the TIDs and keep the book keeping in +a cache. + +Following the RDMA Connection Manager (CM) protocol, it is clear when an +entry has to evicted from the cache. When a DREP is sent from +mlx4_ib_multiplex_cm_handler(), id_map_find_del() is called. Similar when +a REJ is received by the mlx4_ib_demux_cm_handler(), id_map_find_del() is +called. + +This function wipes out the TID in use from the IDR or XArray and removes +the id_map_entry from the table. + +In short, it does everything except the topping of the cake, which is to +remove the entry from the list and free it. In other words, for the REJ +case enumerated above, one id_map_entry will be leaked. + +For the other case above, a DREQ has been received first. The reception of +the DREQ will trigger queuing of a delayed work to delete the +id_map_entry, for the case where the VM doesn't send back a DREP. + +In the normal case, the VM _will_ send back a DREP, and id_map_find_del() +will be called. + +But this scenario introduces a secondary leak. First, when the DREQ is +received, a delayed work is queued. The VM will then return a DREP, which +will call id_map_find_del(). As stated above, this will free the TID used +from the XArray or IDR. Now, there is window where that particular TID can +be re-allocated, lets say by an outgoing REQ. 
This TID will later be wiped +out by the delayed work, when the function id_map_ent_timeout() is +called. But the id_map_entry allocated by the outgoing REQ will not be +de-allocated, and we have a leak. + +Both leaks are fixed by removing the id_map_find_del() function and only +using schedule_delayed(). Of course, a check in schedule_delayed() to see +if the work already has been queued, has been added. + +Another benefit of always using the delayed version for deleting entries, +is that we do get a TimeWait effect; a TID no longer in use, will occupy +the XArray or IDR for CM_CLEANUP_CACHE_TIMEOUT time, without any ability +of being re-used for that time period. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200123155521.1212288-1-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Manjunath Patil +Reviewed-by: Rama Nichanamatlu +Reviewed-by: Jack Morgenstein +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/cm.c | 29 +++-------------------------- + 1 file changed, 3 insertions(+), 26 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -186,23 +186,6 @@ out: + kfree(ent); + } + +-static void id_map_find_del(struct ib_device *ibdev, int pv_cm_id) +-{ +- struct mlx4_ib_sriov *sriov = &to_mdev(ibdev)->sriov; +- struct rb_root *sl_id_map = &sriov->sl_id_map; +- struct id_map_entry *ent, *found_ent; +- +- spin_lock(&sriov->id_map_lock); +- ent = xa_erase(&sriov->pv_id_table, pv_cm_id); +- if (!ent) +- goto out; +- found_ent = id_map_find_by_sl_id(ibdev, ent->slave_id, ent->sl_cm_id); +- if (found_ent && found_ent == ent) +- rb_erase(&found_ent->node, sl_id_map); +-out: +- spin_unlock(&sriov->id_map_lock); +-} +- + static void sl_id_map_add(struct ib_device *ibdev, struct id_map_entry *new) + { + struct rb_root *sl_id_map = &to_mdev(ibdev)->sriov.sl_id_map; +@@ -294,7 +277,7 @@ static void 
schedule_delayed(struct ib_d + spin_lock(&sriov->id_map_lock); + spin_lock_irqsave(&sriov->going_down_lock, flags); + /*make sure that there is no schedule inside the scheduled work.*/ +- if (!sriov->is_going_down) { ++ if (!sriov->is_going_down && !id->scheduled_delete) { + id->scheduled_delete = 1; + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT); + } +@@ -341,9 +324,6 @@ cont: + + if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID) + schedule_delayed(ibdev, id); +- else if (mad->mad_hdr.attr_id == CM_DREP_ATTR_ID) +- id_map_find_del(ibdev, pv_cm_id); +- + return 0; + } + +@@ -382,12 +362,9 @@ int mlx4_ib_demux_cm_handler(struct ib_d + *slave = id->slave_id; + set_remote_comm_id(mad, id->sl_cm_id); + +- if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID) ++ if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID || ++ mad->mad_hdr.attr_id == CM_REJ_ATTR_ID) + schedule_delayed(ibdev, id); +- else if (mad->mad_hdr.attr_id == CM_REJ_ATTR_ID || +- mad->mad_hdr.attr_id == CM_DREP_ATTR_ID) { +- id_map_find_del(ibdev, (int) pv_cm_id); +- } + + return 0; + } diff --git a/queue-5.4/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch b/queue-5.4/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch new file mode 100644 index 00000000000..57c2a1a63f8 --- /dev/null +++ b/queue-5.4/ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch 
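Review bot: The comment above the changed condition in `schedule_delayed()` still only explains the `is_going_down` test and does not mention the new `!id->scheduled_delete` guard. Per the commit message, that guard is what keeps one entry's delayed work from being queued twice. I would extend the comment to something like `/* do not queue while going down, and queue each entry's cleanup only once */`. With `id_map_find_del()` removed, a REJ or DREP no longer erases the mapping immediately, so the entry stays resolvable for `CM_CLEANUP_CACHE_TIMEOUT`. The handler bodies continue outside the hunks, so it is worth confirming that no lookup path relied on prompt removal.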
@@ -0,0 +1,78 @@ +From eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 15 Jan 2020 10:50:50 +0200 +Subject: IB/mlx4: Fix memory leak in add_gid error flow + +From: Jack Morgenstein + +commit eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa upstream. + +In procedure mlx4_ib_add_gid(), if the driver is unable to update the FW +gid table, there is a memory leak in the driver's copy of the gid table: +the gid entry's context buffer is not freed. + +If such an error occurs, free the entry's context buffer, and mark the +entry as available (by setting its context pointer to NULL). + +Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks") +Link: https://lore.kernel.org/r/20200115085050.73746-1-leon@kernel.org +Signed-off-by: Jack Morgenstein +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/main.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -246,6 +246,13 @@ static int mlx4_ib_update_gids(struct gi + return mlx4_ib_update_gids_v1(gids, ibdev, port_num); + } + ++static void free_gid_entry(struct gid_entry *entry) ++{ ++ memset(&entry->gid, 0, sizeof(entry->gid)); ++ kfree(entry->ctx); ++ entry->ctx = NULL; ++} ++ + static int mlx4_ib_add_gid(const struct ib_gid_attr *attr, void **context) + { + struct mlx4_ib_dev *ibdev = to_mdev(attr->device); +@@ -306,6 +313,8 @@ static int mlx4_ib_add_gid(const struct + GFP_ATOMIC); + if (!gids) { + ret = -ENOMEM; ++ *context = NULL; ++ free_gid_entry(&port_gid_table->gids[free]); + } else { + for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) { + memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid)); +@@ -317,6 +326,12 @@ static int mlx4_ib_add_gid(const struct + + if (!ret && hw_update) { + ret = mlx4_ib_update_gids(gids, ibdev, 
attr->port_num); ++ if (ret) { ++ spin_lock_bh(&iboe->lock); ++ *context = NULL; ++ free_gid_entry(&port_gid_table->gids[free]); ++ spin_unlock_bh(&iboe->lock); ++ } + kfree(gids); + } + +@@ -346,10 +361,7 @@ static int mlx4_ib_del_gid(const struct + if (!ctx->refcount) { + unsigned int real_index = ctx->real_index; + +- memset(&port_gid_table->gids[real_index].gid, 0, +- sizeof(port_gid_table->gids[real_index].gid)); +- kfree(port_gid_table->gids[real_index].ctx); +- port_gid_table->gids[real_index].ctx = NULL; ++ free_gid_entry(&port_gid_table->gids[real_index]); + hw_update = 1; + } + } diff --git a/queue-5.4/ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch b/queue-5.4/ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch new file mode 100644 index 00000000000..93307e6a976 --- /dev/null +++ b/queue-5.4/ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch 
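Review bot: `free_gid_entry()` modifies the shared port GID table, but its locking contract is implicit. The call added after a failed `mlx4_ib_update_gids()` wraps it in `spin_lock_bh(&iboe->lock)`, while the calls in the `!gids` branch and in `mlx4_ib_del_gid()` depend on a lock taken outside the visible hunks (the `GFP_ATOMIC` allocation suggests it is held, but that is inferred). A one-line comment on the helper, `/* Caller must hold iboe->lock. */`, would make this checkable. In the hw-update failure path the slot index `free` is reused after the lock has been dropped and retaken. It should be confirmed that no concurrent add or delete can hand that slot to another owner in between, because the helper would then free a context it does not own.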
@@ -0,0 +1,48 @@
+From 0fbb37dd82998b5c83355997b3bdba2806968ac7 Mon Sep 17 00:00:00 2001
+From: Sergey Gorenko
+Date: Wed, 15 Jan 2020 13:30:55 +0000
+Subject: IB/srp: Never use immediate data if it is disabled by a user
+
+From: Sergey Gorenko
+
+commit 0fbb37dd82998b5c83355997b3bdba2806968ac7 upstream.
+
+Some SRP targets that do not support specification SRP-2, put the garbage
+to the reserved bits of the SRP login response. The problem was not
+detected for a long time because the SRP initiator ignored those bits. But
+now one of them is used as SRP_LOGIN_RSP_IMMED_SUPP. And it causes a
+critical error on the target when the initiator sends immediate data.
+
+The ib_srp module has a use_imm_date parameter to enable or disable
+immediate data manually. But it does not help in the above case, because
+use_imm_date is ignored at handling the SRP login response. The problem is
+definitely caused by a bug on the target side, but the initiator's
+behavior also does not look correct. The initiator should not use
+immediate data if use_imm_date is disabled by a user.
+
+This commit adds an additional checking of use_imm_date at the handling of
+SRP login response to avoid unexpected use of immediate data.
+
+Fixes: 882981f4a411 ("RDMA/srp: Add support for immediate data")
+Link: https://lore.kernel.org/r/20200115133055.30232-1-sergeygo@mellanox.com
+Signed-off-by: Sergey Gorenko
+Reviewed-by: Bart Van Assche
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2536,7 +2536,8 @@ static void srp_cm_rep_handler(struct ib
+ if (lrsp->opcode == SRP_LOGIN_RSP) {
+ ch->max_ti_iu_len = be32_to_cpu(lrsp->max_ti_iu_len);
+ ch->req_lim = be32_to_cpu(lrsp->req_lim_delta);
+- ch->use_imm_data = lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP;
++ ch->use_imm_data = srp_use_imm_data &&
++ (lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP);
+ ch->max_it_iu_len = srp_max_it_iu_len(target->cmd_sg_cnt,
+ ch->use_imm_data);
+ WARN_ON_ONCE(ch->max_it_iu_len >
diff --git a/queue-5.4/iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch b/queue-5.4/iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch
new file mode 100644
index 00000000000..dc2a06bf9fc
--- /dev/null
+++ b/queue-5.4/iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch
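Review bot: The new expression in `srp_cm_rep_handler()` only suppresses immediate data when the user has switched `srp_use_imm_data` off. With the parameter enabled, `SRP_LOGIN_RSP_IMMED_SUPP` from the login response is still taken at face value, and the commit message says targets that predate SRP-2 may leave garbage in that bit. A comment at the assignment would record this for operators and future readers, e.g. `/* rsp_flags is target-supplied; honour IMMED_SUPP only if the user allows immediate data */`. The function body continues outside the hunk.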
@@ -0,0 +1,64 @@
+From cc4255eff523f25187bb95561642941de0e57497 Mon Sep 17 00:00:00 2001
+From: Avraham Stern
+Date: Fri, 31 Jan 2020 15:45:27 +0200
+Subject: iwlwifi: mvm: avoid use after free for pmsr request
+
+From: Avraham Stern
+
+commit cc4255eff523f25187bb95561642941de0e57497 upstream.
+
+When a FTM request is aborted, the driver sends the abort command to
+the fw and waits for a response. When the response arrives, the driver
+calls cfg80211_pmsr_complete() for that request.
+However, cfg80211 frees the requested data immediately after sending
+the abort command, so this may lead to use after free.
+
+Fix it by clearing the request data in the driver when the abort
+command arrives and ignoring the fw notification that will come
+afterwards.
+
+Signed-off-by: Avraham Stern
+Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator")
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2019 Intel Corporation
++ * Copyright (C) 2020 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -30,6 +31,7 @@
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2019 Intel Corporation
++ * Copyright (C) 2020 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *m
+ if (req != mvm->ftm_initiator.req)
+ return;
+
++ iwl_mvm_ftm_reset(mvm);
++
+ if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD,
+ LOCATION_GROUP, 0),
+ 0, sizeof(cmd), &cmd))
+@@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_m
+ lockdep_assert_held(&mvm->mutex);
+
+ if (!mvm->ftm_initiator.req) {
+- IWL_ERR(mvm, "Got FTM response but have no request?\n");
+ return;
+ }
+
diff --git a/queue-5.4/nfs-fix-fix-of-show_nfs_errors.patch b/queue-5.4/nfs-fix-fix-of-show_nfs_errors.patch
new file mode 100644
index 00000000000..7b617982861
--- /dev/null
+++ b/queue-5.4/nfs-fix-fix-of-show_nfs_errors.patch
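Review bot: With the `IWL_ERR` removed, `iwl_mvm_ftm_range_resp()` keeps braces around a lone `return;` and drops the firmware response without any trace. A response that arrives with no request for a reason other than an abort now looks the same as the expected case. I would write it as `if (!mvm->ftm_initiator.req)` followed by `return;`, with a comment such as `/* request was aborted or already completed; ignore the late fw response */`. In `iwl_mvm_ftm_abort()` the added `iwl_mvm_ftm_reset(mvm)` runs before `iwl_mvm_send_cmd_pdu()`, so the driver state is cleared even if sending the abort fails. The failure branch is outside the hunk, so please confirm that this is intended.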
@@ -0,0 +1,159 @@ +From 118b6292195cfb86a9f43cb65610fc6d980c65f4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 6 Jan 2020 15:25:06 -0500 +Subject: NFS: Fix fix of show_nfs_errors + +From: Trond Myklebust + +commit 118b6292195cfb86a9f43cb65610fc6d980c65f4 upstream. + +Casting a negative value to an unsigned long is not the same as +converting it to its absolute value. + +Fixes: 96650e2effa2 ("NFS: Fix show_nfs_errors macros again") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4trace.h | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/fs/nfs/nfs4trace.h ++++ b/fs/nfs/nfs4trace.h +@@ -352,7 +352,7 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event, + ), + + TP_fast_assign( +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __assign_str(dstaddr, clp->cl_hostname); + ), + +@@ -432,7 +432,8 @@ TRACE_EVENT(nfs4_sequence_done, + __entry->target_highest_slotid = + res->sr_target_highest_slotid; + __entry->status_flags = res->sr_status_flags; +- __entry->error = res->sr_status; ++ __entry->error = res->sr_status < 0 ? ++ -res->sr_status : 0; + ), + TP_printk( + "error=%ld (%s) session=0x%08x slot_nr=%u seq_nr=%u " +@@ -566,7 +567,7 @@ TRACE_EVENT(nfs4_xdr_status, + TP_PROTO( + const struct xdr_stream *xdr, + u32 op, +- int error ++ u32 error + ), + + TP_ARGS(xdr, op, error), +@@ -756,7 +757,7 @@ TRACE_EVENT(nfs4_close, + __entry->fileid = NFS_FILEID(inode); + __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode)); + __entry->fmode = (__force unsigned int)state->state; +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->stateid_seq = + be32_to_cpu(args->stateid.seqid); + __entry->stateid_hash = +@@ -821,7 +822,7 @@ DECLARE_EVENT_CLASS(nfs4_lock_event, + TP_fast_assign( + const struct inode *inode = state->inode; + +- __entry->error = error; ++ __entry->error = error < 0 ? 
-error : 0; + __entry->cmd = cmd; + __entry->type = request->fl_type; + __entry->start = request->fl_start; +@@ -893,7 +894,7 @@ TRACE_EVENT(nfs4_set_lock, + TP_fast_assign( + const struct inode *inode = state->inode; + +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->cmd = cmd; + __entry->type = request->fl_type; + __entry->start = request->fl_start; +@@ -989,7 +990,7 @@ TRACE_EVENT(nfs4_delegreturn_exit, + TP_fast_assign( + __entry->dev = res->server->s_dev; + __entry->fhandle = nfs_fhandle_hash(args->fhandle); +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->stateid_seq = + be32_to_cpu(args->stateid->seqid); + __entry->stateid_hash = +@@ -1029,7 +1030,7 @@ DECLARE_EVENT_CLASS(nfs4_test_stateid_ev + TP_fast_assign( + const struct inode *inode = state->inode; + +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->dev = inode->i_sb->s_dev; + __entry->fileid = NFS_FILEID(inode); + __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode)); +@@ -1131,7 +1132,7 @@ TRACE_EVENT(nfs4_lookupp, + TP_fast_assign( + __entry->dev = inode->i_sb->s_dev; + __entry->ino = NFS_FILEID(inode); +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + ), + + TP_printk( +@@ -1167,7 +1168,7 @@ TRACE_EVENT(nfs4_rename, + __entry->dev = olddir->i_sb->s_dev; + __entry->olddir = NFS_FILEID(olddir); + __entry->newdir = NFS_FILEID(newdir); +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __assign_str(oldname, oldname->name); + __assign_str(newname, newname->name); + ), +@@ -1258,7 +1259,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_e + __entry->dev = inode->i_sb->s_dev; + __entry->fileid = NFS_FILEID(inode); + __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode)); +- __entry->error = error; ++ __entry->error = error < 0 ? 
-error : 0; + __entry->stateid_seq = + be32_to_cpu(stateid->seqid); + __entry->stateid_hash = +@@ -1314,7 +1315,7 @@ DECLARE_EVENT_CLASS(nfs4_getattr_event, + __entry->valid = fattr->valid; + __entry->fhandle = nfs_fhandle_hash(fhandle); + __entry->fileid = (fattr->valid & NFS_ATTR_FATTR_FILEID) ? fattr->fileid : 0; +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + ), + + TP_printk( +@@ -1361,7 +1362,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_ + ), + + TP_fast_assign( +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->fhandle = nfs_fhandle_hash(fhandle); + if (!IS_ERR_OR_NULL(inode)) { + __entry->fileid = NFS_FILEID(inode); +@@ -1418,7 +1419,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c + ), + + TP_fast_assign( +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->fhandle = nfs_fhandle_hash(fhandle); + if (!IS_ERR_OR_NULL(inode)) { + __entry->fileid = NFS_FILEID(inode); +@@ -1721,7 +1722,7 @@ TRACE_EVENT(nfs4_layoutget, + __entry->iomode = args->iomode; + __entry->offset = args->offset; + __entry->count = args->length; +- __entry->error = error; ++ __entry->error = error < 0 ? -error : 0; + __entry->stateid_seq = + be32_to_cpu(state->stateid.seqid); + __entry->stateid_hash = diff --git a/queue-5.4/nfs-nfs_swap-should-depend-on-swap.patch b/queue-5.4/nfs-nfs_swap-should-depend-on-swap.patch new file mode 100644 index 00000000000..a9dfe98cc7c --- /dev/null +++ b/queue-5.4/nfs-nfs_swap-should-depend-on-swap.patch 
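Review bot: The expression `error < 0 ? -error : 0` is repeated in every `TP_fast_assign` block touched here. It folds any positive status into 0, so a trace consumer cannot tell such a value from success. A small helper in the header would keep the sites consistent and give one place to document the mapping, for instance `#define nfs4_trace_errno(e) ((e) < 0 ? -(e) : 0)` (the name is only a suggestion). In `nfs4_xdr_status` the prototype changes to `u32 error` while the other events keep a signed argument. The assignment for that event is not in the visible hunk, so check that it does not apply the same `< 0` test to the now-unsigned value, which could never be true.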
@@ -0,0 +1,38 @@
+From 474c4f306eefbb21b67ebd1de802d005c7d7ecdc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 30 Dec 2019 16:32:38 +0100
+Subject: nfs: NFS_SWAP should depend on SWAP
+
+From: Geert Uytterhoeven
+
+commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.
+
+If CONFIG_SWAP=n, it does not make much sense to offer the user the
+option to enable support for swapping over NFS, as that will still fail
+at run time:
+
+ # swapon /swap
+ swapon: /swap: swapon failed: Function not implemented
+
+Fix this by adding a dependency on CONFIG_SWAP.
+
+Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -90,7 +90,7 @@ config NFS_V4
+ config NFS_SWAP
+ bool "Provide swap over NFS support"
+ default n
+- depends on NFS_FS
++ depends on NFS_FS && SWAP
+ select SUNRPC_SWAP
+ help
+ This option enables swapon to work on files located on NFS mounts.
diff --git a/queue-5.4/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch b/queue-5.4/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
new file mode 100644
index 00000000000..f3d13004e3c
--- /dev/null
+++ b/queue-5.4/nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
@@ -0,0 +1,118 @@ +From 221203ce6406273cf00e5c6397257d986c003ee6 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 6 Jan 2020 15:25:04 -0500 +Subject: NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() + +From: Trond Myklebust + +commit 221203ce6406273cf00e5c6397257d986c003ee6 upstream. + +Instead of making assumptions about the commit verifier contents, change +the commit code to ensure we always check that the verifier was set +by the XDR code. + +Fixes: f54bcf2ecee9 ("pnfs: Prepare for flexfiles by pulling out common code") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 4 ++-- + fs/nfs/nfs3xdr.c | 5 ++++- + fs/nfs/nfs4xdr.c | 5 ++++- + fs/nfs/pnfs_nfs.c | 7 +++---- + fs/nfs/write.c | 4 +++- + 5 files changed, 16 insertions(+), 9 deletions(-) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -245,10 +245,10 @@ static int nfs_direct_cmp_commit_data_ve + data->ds_commit_index); + + /* verifier not set so always fail */ +- if (verfp->committed < 0) ++ if (verfp->committed < 0 || data->res.verf->committed <= NFS_UNSTABLE) + return 1; + +- return nfs_direct_cmp_verf(verfp, &data->verf); ++ return nfs_direct_cmp_verf(verfp, data->res.verf); + } + + /** +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -2338,6 +2338,7 @@ static int nfs3_xdr_dec_commit3res(struc + void *data) + { + struct nfs_commitres *result = data; ++ struct nfs_writeverf *verf = result->verf; + enum nfs_stat status; + int error; + +@@ -2350,7 +2351,9 @@ static int nfs3_xdr_dec_commit3res(struc + result->op_status = status; + if (status != NFS3_OK) + goto out_status; +- error = decode_writeverf3(xdr, &result->verf->verifier); ++ error = decode_writeverf3(xdr, &verf->verifier); ++ if (!error) ++ verf->committed = NFS_FILE_SYNC; + out: + return error; + out_status: +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4316,11 +4316,14 @@ static int decode_write_verifier(struct + + static int 
decode_commit(struct xdr_stream *xdr, struct nfs_commitres *res) + { ++ struct nfs_writeverf *verf = res->verf; + int status; + + status = decode_op_hdr(xdr, OP_COMMIT); + if (!status) +- status = decode_write_verifier(xdr, &res->verf->verifier); ++ status = decode_write_verifier(xdr, &verf->verifier); ++ if (!status) ++ verf->committed = NFS_FILE_SYNC; + return status; + } + +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -31,12 +31,11 @@ EXPORT_SYMBOL_GPL(pnfs_generic_rw_releas + /* Fake up some data that will cause nfs_commit_release to retry the writes. */ + void pnfs_generic_prepare_to_resend_writes(struct nfs_commit_data *data) + { +- struct nfs_page *first = nfs_list_entry(data->pages.next); ++ struct nfs_writeverf *verf = data->res.verf; + + data->task.tk_status = 0; +- memcpy(&data->verf.verifier, &first->wb_verf, +- sizeof(data->verf.verifier)); +- data->verf.verifier.data[0]++; /* ensure verifier mismatch */ ++ memset(&verf->verifier, 0, sizeof(verf->verifier)); ++ verf->committed = NFS_UNSTABLE; + } + EXPORT_SYMBOL_GPL(pnfs_generic_prepare_to_resend_writes); + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1837,6 +1837,7 @@ static void nfs_commit_done(struct rpc_t + + static void nfs_commit_release_pages(struct nfs_commit_data *data) + { ++ const struct nfs_writeverf *verf = data->res.verf; + struct nfs_page *req; + int status = data->task.tk_status; + struct nfs_commit_info cinfo; +@@ -1864,7 +1865,8 @@ static void nfs_commit_release_pages(str + + /* Okay, COMMIT succeeded, apparently. Check the verifier + * returned by the server against all stored verfs. */ +- if (!nfs_write_verifier_cmp(&req->wb_verf, &data->verf.verifier)) { ++ if (verf->committed > NFS_UNSTABLE && ++ !nfs_write_verifier_cmp(&req->wb_verf, &verf->verifier)) { + /* We have a match */ + if (req->wb_page) + nfs_inode_remove_request(req); 
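Review bot: Verifier validity is now encoded as an ordering comparison on `committed` (`<= NFS_UNSTABLE` in `nfs_direct_cmp_commit_data_verf()`, `> NFS_UNSTABLE` in `nfs_commit_release_pages()`), with no comment saying that a value above `NFS_UNSTABLE` means the XDR decoder filled in the verifier. I would state that next to the checks, e.g. `/* committed > NFS_UNSTABLE: verifier was set by the COMMIT decoder */`. Both decoders set `verf->committed = NFS_FILE_SYNC` only on success and leave the field untouched on their error paths, so the result depends on the field holding an unset value before each COMMIT. All of these functions also dereference `data->res.verf` or `res->verf` without a visible assignment. Both of those happen outside the hunks and should be confirmed for every commit path.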
diff --git a/queue-5.4/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch b/queue-5.4/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
new file mode 100644
index 00000000000..c49896a3601
--- /dev/null
+++ b/queue-5.4/nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
@@ -0,0 +1,40 @@
+From 0df68ced55443243951d02cc497be31fadf28173 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 6 Jan 2020 15:25:00 -0500
+Subject: NFS: Revalidate the file size on a fatal write error
+
+From: Trond Myklebust
+
+commit 0df68ced55443243951d02cc497be31fadf28173 upstream.
+
+If we suffer a fatal error upon writing a file, which causes us to
+need to revalidate the entire mapping, then we should also revalidate
+the file size.
+
+Fixes: d2ceb7e57086 ("NFS: Don't use page_file_mapping after removing the page")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -243,7 +243,15 @@ out:
+ /* A writeback failed: mark the page as bad, and invalidate the page cache */
+ static void nfs_set_pageerror(struct address_space *mapping)
+ {
++ struct inode *inode = mapping->host;
++
+ nfs_zap_mapping(mapping->host, mapping);
++ /* Force file size revalidation */
++ spin_lock(&inode->i_lock);
++ NFS_I(inode)->cache_validity |= NFS_INO_REVAL_FORCED |
++ NFS_INO_REVAL_PAGECACHE |
++ NFS_INO_INVALID_SIZE;
++ spin_unlock(&inode->i_lock);
+ }
+
+ static void nfs_mapping_set_error(struct page *page, int error)
diff --git a/queue-5.4/nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch b/queue-5.4/nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch
new file mode 100644
index 00000000000..21d80011bbf
--- /dev/null
+++ b/queue-5.4/nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch
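Review bot: `nfs_set_pageerror()` introduces a local `inode`, but the unchanged call still spells out `mapping->host`. Writing `nfs_zap_mapping(inode, mapping);` would make it obvious that the zap and the `cache_validity` update act on the same inode. The function's header comment (`mark the page as bad, and invalidate the page cache`) no longer covers what the body does. I would extend it to mention that the cached file size is also marked for revalidation under `i_lock`.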
@@ -0,0 +1,34 @@
+From 2e577f0faca4640348c398cb85d60a1eedac4b1e Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Wed, 4 Dec 2019 15:13:54 -0500
+Subject: NFSD fixing possible null pointer derefering in copy offload
+
+From: Olga Kornievskaia
+
+commit 2e577f0faca4640348c398cb85d60a1eedac4b1e upstream.
+
+Static checker revealed possible error path leading to possible
+NULL pointer dereferencing.
+
+Reported-by: Dan Carpenter
+Fixes: e0639dc5805a: ("NFSD introduce async copy feature")
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1223,7 +1223,8 @@ static void cleanup_async_copy(struct nf
+ {
+ nfs4_free_cp_state(copy);
+ nfsd_file_put(copy->nf_dst);
+- nfsd_file_put(copy->nf_src);
++ if (copy->cp_intra)
++ nfsd_file_put(copy->nf_src);
+ spin_lock(©->cp_clp->async_lock);
+ list_del(©->copies);
+ spin_unlock(©->cp_clp->async_lock);
diff --git a/queue-5.4/nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch b/queue-5.4/nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch
new file mode 100644
index 00000000000..324c5b3892f
--- /dev/null
+++ b/queue-5.4/nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch
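Review bot: The guard added in cleanup_async_copy() tests `copy->cp_intra` rather than the pointer that would be dereferenced, and nothing in the hunk explains why `nf_src` is held only in the intra case while `nf_dst` is still released unconditionally. A short comment such as `/* nf_src is only taken for intra-server copies */` would make that invariant reviewable; its wording needs confirming against the place where the reference is acquired, which is outside the hunk. For a stable backport it is also worth confirming that `cp_intra` exists in the 5.4 `struct nfsd4_copy`, since the field's declaration is not part of this patch.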
@@ -0,0 +1,32 @@
+From 387122478775be5d9816c34aa29de53d0b926835 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 26 Jan 2020 17:31:13 -0500
+Subject: NFSv4: pnfs_roc() must use cred_fscmp() to compare creds
+
+From: Trond Myklebust
+
+commit 387122478775be5d9816c34aa29de53d0b926835 upstream.
+
+When comparing two 'struct cred' for equality w.r.t. behaviour under
+filesystem access, we need to use cred_fscmp().
+
+Fixes: a52458b48af1 ("NFS/NFSD/SUNRPC: replace generic creds with 'struct cred'.")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1425,7 +1425,7 @@ retry:
+ /* lo ref dropped in pnfs_roc_release() */
+ layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &iomode);
+ /* If the creds don't match, we can't compound the layoutreturn */
+- if (!layoutreturn || cred != lo->plh_lc_cred)
++ if (!layoutreturn || cred_fscmp(cred, lo->plh_lc_cred) != 0)
+ goto out_noroc;
+
+ roc = layoutreturn;
diff --git a/queue-5.4/nfsv4-try-lease-recovery-on-nfs4err_expired.patch b/queue-5.4/nfsv4-try-lease-recovery-on-nfs4err_expired.patch
new file mode 100644
index 00000000000..b78122c9933
--- /dev/null
+++ b/queue-5.4/nfsv4-try-lease-recovery-on-nfs4err_expired.patch
@@ -0,0 +1,36 @@
+From 924491f2e476f7234d722b24171a4daff61bbe13 Mon Sep 17 00:00:00 2001
+From: Robert Milkowski
+Date: Tue, 28 Jan 2020 08:37:47 +0000
+Subject: NFSv4: try lease recovery on NFS4ERR_EXPIRED
+
+From: Robert Milkowski
+
+commit 924491f2e476f7234d722b24171a4daff61bbe13 upstream.
+
+Currently, if an nfs server returns NFS4ERR_EXPIRED to open(),
+we return EIO to applications without even trying to recover.
+
+Fixes: 272289a3df72 ("NFSv4: nfs4_do_handle_exception() handle revoke/expiry of a single stateid")
+Signed-off-by: Robert Milkowski
+Reviewed-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3187,6 +3187,11 @@ static struct nfs4_state *nfs4_do_open(s
+ exception.retry = 1;
+ continue;
+ }
++ if (status == -NFS4ERR_EXPIRED) {
++ nfs4_schedule_lease_recovery(server->nfs_client);
++ exception.retry = 1;
++ continue;
++ }
+ if (status == -EAGAIN) {
+ /* We must have found a delegation */
+ exception.retry = 1;
diff --git a/queue-5.4/nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch b/queue-5.4/nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch
new file mode 100644
index 00000000000..732768d6367
--- /dev/null
+++ b/queue-5.4/nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch
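Review bot: The new `-NFS4ERR_EXPIRED` branch in nfs4_do_open() sets `exception.retry = 1` and continues with no visible bound or wait, so how often the loop repeats is decided by the server's replies. The rest of the loop is outside the hunk; if nothing there waits for the scheduled lease recovery to complete, a server that keeps returning this status could keep the caller looping in open(). It is worth confirming that a wait exists and recording it in a comment, e.g. `/* retried only after the state manager has run lease recovery */`.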
@@ -0,0 +1,152 @@ +From 7dc2993a9e51dd2eee955944efec65bef90265b7 Mon Sep 17 00:00:00 2001 +From: Robert Milkowski +Date: Thu, 30 Jan 2020 09:43:25 +0000 +Subject: NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals + +From: Robert Milkowski + +commit 7dc2993a9e51dd2eee955944efec65bef90265b7 upstream. + +Currently, each time nfs4_do_fsinfo() is called it will do an implicit +NFS4 lease renewal, which is not compliant with the NFS4 specification. +This can result in a lease being expired by an NFS server. + +Commit 83ca7f5ab31f ("NFS: Avoid PUTROOTFH when managing leases") +introduced implicit client lease renewal in nfs4_do_fsinfo(), +which can result in the NFSv4.0 lease to expire on a server side, +and servers returning NFS4ERR_EXPIRED or NFS4ERR_STALE_CLIENTID. + +This can easily be reproduced by frequently unmounting a sub-mount, +then stat'ing it to get it mounted again, which will delay or even +completely prevent client from sending RENEW operations if no other +NFS operations are issued. Eventually nfs server will expire client's +lease and return an error on file access or next RENEW. + +This can also happen when a sub-mount is automatically unmounted +due to inactivity (after nfs_mountpoint_expiry_timeout), then it is +mounted again via stat(). This can result in a short window during +which client's lease will expire on a server but not on a client. +This specific case was observed on production systems. + +This patch removes the implicit lease renewal from nfs4_do_fsinfo(). 
+ +Fixes: 83ca7f5ab31f ("NFS: Avoid PUTROOTFH when managing leases") +Signed-off-by: Robert Milkowski +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4_fs.h | 4 +--- + fs/nfs/nfs4proc.c | 12 ++++++++---- + fs/nfs/nfs4renewd.c | 5 +---- + fs/nfs/nfs4state.c | 4 +--- + 4 files changed, 11 insertions(+), 14 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -439,9 +439,7 @@ extern void nfs4_schedule_state_renewal( + extern void nfs4_renewd_prepare_shutdown(struct nfs_server *); + extern void nfs4_kill_renewd(struct nfs_client *); + extern void nfs4_renew_state(struct work_struct *); +-extern void nfs4_set_lease_period(struct nfs_client *clp, +- unsigned long lease, +- unsigned long lastrenewed); ++extern void nfs4_set_lease_period(struct nfs_client *clp, unsigned long lease); + + + /* nfs4state.c */ +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -5024,16 +5024,13 @@ static int nfs4_do_fsinfo(struct nfs_ser + struct nfs4_exception exception = { + .interruptible = true, + }; +- unsigned long now = jiffies; + int err; + + do { + err = _nfs4_do_fsinfo(server, fhandle, fsinfo); + trace_nfs4_fsinfo(server, fhandle, fsinfo->fattr, err); + if (err == 0) { +- nfs4_set_lease_period(server->nfs_client, +- fsinfo->lease_time * HZ, +- now); ++ nfs4_set_lease_period(server->nfs_client, fsinfo->lease_time * HZ); + break; + } + err = nfs4_handle_exception(server, err, &exception); +@@ -6089,6 +6086,7 @@ int nfs4_proc_setclientid(struct nfs_cli + .callback_data = &setclientid, + .flags = RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN, + }; ++ unsigned long now = jiffies; + int status; + + /* nfs_client_id4 */ +@@ -6121,6 +6119,9 @@ int nfs4_proc_setclientid(struct nfs_cli + clp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred); + put_rpccred(setclientid.sc_cred); + } ++ ++ if (status == 0) ++ do_renew_lease(clp, now); + out: + trace_nfs4_setclientid(clp, status); + dprintk("NFS reply setclientid: %d\n", status); +@@ 
-8204,6 +8205,7 @@ static int _nfs4_proc_exchange_id(struct + struct rpc_task *task; + struct nfs41_exchange_id_args *argp; + struct nfs41_exchange_id_res *resp; ++ unsigned long now = jiffies; + int status; + + task = nfs4_run_exchange_id(clp, cred, sp4_how, NULL); +@@ -8224,6 +8226,8 @@ static int _nfs4_proc_exchange_id(struct + if (status != 0) + goto out; + ++ do_renew_lease(clp, now); ++ + clp->cl_clientid = resp->clientid; + clp->cl_exchange_flags = resp->flags; + clp->cl_seqid = resp->seqid; +--- a/fs/nfs/nfs4renewd.c ++++ b/fs/nfs/nfs4renewd.c +@@ -138,15 +138,12 @@ nfs4_kill_renewd(struct nfs_client *clp) + * + * @clp: pointer to nfs_client + * @lease: new value for lease period +- * @lastrenewed: time at which lease was last renewed + */ + void nfs4_set_lease_period(struct nfs_client *clp, +- unsigned long lease, +- unsigned long lastrenewed) ++ unsigned long lease) + { + spin_lock(&clp->cl_lock); + clp->cl_lease_time = lease; +- clp->cl_last_renewal = lastrenewed; + spin_unlock(&clp->cl_lock); + + /* Cap maximum reconnect timeout at 1/2 lease period */ +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -91,17 +91,15 @@ static int nfs4_setup_state_renewal(stru + { + int status; + struct nfs_fsinfo fsinfo; +- unsigned long now; + + if (!test_bit(NFS_CS_CHECK_LEASE_TIME, &clp->cl_res_state)) { + nfs4_schedule_state_renewal(clp); + return 0; + } + +- now = jiffies; + status = nfs4_proc_get_lease_time(clp, &fsinfo); + if (status == 0) { +- nfs4_set_lease_period(clp, fsinfo.lease_time * HZ, now); ++ nfs4_set_lease_period(clp, fsinfo.lease_time * HZ); + nfs4_schedule_state_renewal(clp); + } + diff --git a/queue-5.4/pci-aer-initialize-aer_fifo.patch b/queue-5.4/pci-aer-initialize-aer_fifo.patch new file mode 100644 index 00000000000..c7f1197add2 --- /dev/null +++ b/queue-5.4/pci-aer-initialize-aer_fifo.patch 
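Review bot: In nfs4_proc_setclientid() and _nfs4_proc_exchange_id() the timestamp is taken at declaration (`unsigned long now = jiffies;`), before the RPC is issued, and only used after a successful reply, but nothing says the ordering is deliberate. Presumably it is sampled early so the client never believes its lease started later than the server does. A comment such as `/* sampled before the RPC: lease age must not be underestimated */` would stop a later cleanup from moving the assignment next to `do_renew_lease(clp, now)`. The kernel-doc for nfs4_set_lease_period() could likewise state that it no longer updates `cl_last_renewal`.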
@@ -0,0 +1,45 @@ +From d95f20c4f07020ebc605f3b46af4b6db9eb5fc99 Mon Sep 17 00:00:00 2001 +From: Dongdong Liu +Date: Thu, 23 Jan 2020 16:26:31 +0800 +Subject: PCI/AER: Initialize aer_fifo + +From: Dongdong Liu + +commit d95f20c4f07020ebc605f3b46af4b6db9eb5fc99 upstream. + +Previously we did not call INIT_KFIFO() for aer_fifo. This leads to +kfifo_put() sometimes returning 0 (queue full) when in fact it is not. + +It is easy to reproduce the problem by using aer-inject: + + $ aer-inject -s :82:00.0 multiple-corr-nonfatal + +The content of the multiple-corr-nonfatal file is as below: + + AER + COR RCVR + HL 0 1 2 3 + AER + UNCOR POISON_TLP + HL 4 5 6 7 + +Fixes: 27c1ce8bbed7 ("PCI/AER: Use kfifo for tracking events instead of reimplementing it") +Link: https://lore.kernel.org/r/1579767991-103898-1-git-send-email-liudongdong3@huawei.com +Signed-off-by: Dongdong Liu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pcie/aer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -1387,6 +1387,7 @@ static int aer_probe(struct pcie_device + return -ENOMEM; + + rpc->rpd = port; ++ INIT_KFIFO(rpc->aer_fifo); + set_service_data(dev, rpc); + + status = devm_request_threaded_irq(device, dev->irq, aer_irq, aer_isr, diff --git a/queue-5.4/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch b/queue-5.4/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch new file mode 100644 index 00000000000..e8c7b0c0d7a --- /dev/null +++ b/queue-5.4/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch 
@@ -0,0 +1,111 @@ +From 9db8dc6d0785225c42a37be7b44d1b07b31b8957 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 8 Jan 2020 14:32:08 -0700 +Subject: PCI: Don't disable bridge BARs when assigning bus resources + +From: Logan Gunthorpe + +commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream. + +Some PCI bridges implement BARs in addition to bridge windows. For +example, here's a PLX switch: + + 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI + Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca) + (prog-if 00 [Normal decode]) + Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0 + Memory at 90a00000 (32-bit, non-prefetchable) [size=256K] + Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0 + I/O behind bridge: 00002000-00003fff + Memory behind bridge: 90000000-909fffff + Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff + +Previously, when the kernel assigned resource addresses (with the +pci=realloc command line parameter, for example) it could clear the struct +resource corresponding to the BAR. When this happened, lspci would report +this BAR as "ignored": + + Region 0: Memory at (32-bit, non-prefetchable) [size=256K] + +This is because the kernel reports a zero start address and zero flags +in the corresponding sysfs resource file and in /proc/bus/pci/devices. +Investigation with 'lspci -x', however, shows the BIOS-assigned address +will still be programmed in the device's BAR registers. + +It's clearly a bug that the kernel lost track of the BAR value, but in most +cases, this still won't result in a visible issue because nothing uses the +memory, so nothing is affected. However, when an IOMMU is in use, it will +not reserve this space in the IOVA because the kernel no longer thinks the +range is valid. (See dmar_init_reserved_ranges() for the Intel +implementation of this.) 
+ +Without the proper reserved range, a DMA mapping may allocate an IOVA that +matches a bridge BAR, which results in DMA accesses going to the BAR +instead of the intended RAM. + +The problem was in pci_assign_unassigned_root_bus_resources(). When any +resource from a bridge device fails to get assigned, the code set the +resource's flags to zero. This makes sense for bridge windows, as they +will be re-enabled later, but for regular BARs, it makes the kernel +permanently lose track of the fact that they decode address space. + +Change pci_assign_unassigned_root_bus_resources() and +pci_assign_unassigned_bridge_resources() so they only clear "res->flags" +for bridge *windows*, not bridge BARs. + +Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)") +Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com +[bhelgaas: commit log, check for pci_is_bridge()] +Reported-by: Kit Chow +Signed-off-by: Logan Gunthorpe +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/setup-bus.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1785,12 +1785,18 @@ again: + /* Restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + +@@ -2037,12 +2043,18 @@ again: + /* Restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + 
res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + diff --git a/queue-5.4/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch b/queue-5.4/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 00000000000..6c7420cccae --- /dev/null +++ b/queue-5.4/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch 
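Review bot: The same bridge-window test is added verbatim to both "Restore size and flags" loops, so the two copies can drift apart, and the IOMMU reservation described in the commit message depends on this decision being right. The index is also derived by pointer subtraction (`res - &fail_res->dev->resource[0]`), which is only meaningful if `res` points into that device's `resource[]` array; the hunk does not show that being guaranteed. A small static helper, sketched below with a proposed name, would hold the test and that assumption in one place. Both loops sit inside functions whose bodies start and end outside the hunks.

```c
/*
 * Proposed helper: true when @res is one of @dev's bridge windows rather
 * than a BAR.  Assumes @res points into dev->resource[].
 */
static bool pci_res_is_bridge_window(struct pci_dev *dev, struct resource *res)
{
	int idx;

	if (!pci_is_bridge(dev))
		return false;

	idx = res - &dev->resource[0];
	return idx >= PCI_BRIDGE_RESOURCES && idx <= PCI_BRIDGE_RESOURCE_END;
}

	/* … unchanged: restore res->start, res->end, res->flags … */
	if (pci_res_is_bridge_window(fail_res->dev, res))
		res->flags = 0;
```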
@@ -0,0 +1,52 @@
+From 8c386cc817878588195dde38e919aa6ba9409d58 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Mon, 25 Nov 2019 13:52:52 -0600
+Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
+
+From: Navid Emamdoost
+
+commit 8c386cc817878588195dde38e919aa6ba9409d58 upstream.
+
+In the implementation of pci_iov_add_virtfn() the allocated virtfn is
+leaked if pci_setup_device() fails. The error handling is not calling
+pci_stop_and_remove_bus_device(). Change the goto label to failed2.
+
+Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()")
+Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/iov.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -187,10 +187,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+ sprintf(buf, "virtfn%u", id);
+ rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
+ if (rc)
+- goto failed2;
++ goto failed1;
+ rc = sysfs_create_link(&virtfn->dev.kobj, &dev->dev.kobj, "physfn");
+ if (rc)
+- goto failed3;
++ goto failed2;
+
+ kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
+
+@@ -198,11 +198,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+
+ return 0;
+
+-failed3:
+- sysfs_remove_link(&dev->dev.kobj, buf);
+ failed2:
+- pci_stop_and_remove_bus_device(virtfn);
++ sysfs_remove_link(&dev->dev.kobj, buf);
+ failed1:
++ pci_stop_and_remove_bus_device(virtfn);
+ pci_dev_put(dev);
+ failed0:
+ virtfn_remove_bus(dev->bus, bus);
diff --git a/queue-5.4/pci-switchtec-fix-vep_vector_number-ioread-width.patch b/queue-5.4/pci-switchtec-fix-vep_vector_number-ioread-width.patch
new file mode 100644
index 00000000000..046f046b407
--- /dev/null
+++ b/queue-5.4/pci-switchtec-fix-vep_vector_number-ioread-width.patch
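Review bot: The numbered labels `failed0`…`failed2` in pci_iov_add_virtfn() do not say what each one undoes, and the renumbering here keeps that scheme. Labels named for their action, for example `err_remove_link:`, `err_remove_dev:` and `err_put_dev:`, would make a wrong `goto` visible where it is written. The description says the goto was changed to `failed2`, but the hunks instead move `pci_stop_and_remove_bus_device(virtfn)` under `failed1`. The `pci_setup_device()` call the description refers to is outside the hunk, so it should be checked that its error path lands on the label that now removes the device.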
@@ -0,0 +1,34 @@
+From 9375646b4cf03aee81bc6c305aa18cc80b682796 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Mon, 6 Jan 2020 12:03:27 -0700
+Subject: PCI/switchtec: Fix vep_vector_number ioread width
+
+From: Logan Gunthorpe
+
+commit 9375646b4cf03aee81bc6c305aa18cc80b682796 upstream.
+
+vep_vector_number is actually a 16 bit register which should be read with
+ioread16() instead of ioread32().
+
+Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver")
+Link: https://lore.kernel.org/r/20200106190337.2428-3-logang@deltatee.com
+Reported-by: Doug Meyer
+Signed-off-by: Logan Gunthorpe
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/switch/switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1276,7 +1276,7 @@ static int switchtec_init_isr(struct swi
+ if (nvecs < 0)
+ return nvecs;
+
+- event_irq = ioread32(&stdev->mmio_part_cfg->vep_vector_number);
++ event_irq = ioread16(&stdev->mmio_part_cfg->vep_vector_number);
+ if (event_irq < 0 || event_irq >= nvecs)
+ return -EFAULT;
+
diff --git a/queue-5.4/pci-switchtec-use-dma_set_mask_and_coherent.patch b/queue-5.4/pci-switchtec-use-dma_set_mask_and_coherent.patch
new file mode 100644
index 00000000000..f794d64171e
--- /dev/null
+++ b/queue-5.4/pci-switchtec-use-dma_set_mask_and_coherent.patch
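Review bot: With `ioread16()` the value read can no longer be negative, so the `event_irq < 0` half of the range check on the next context line is dead unless `event_irq` is declared as a signed 16-bit type; its declaration is outside the hunk. The upper bound `event_irq >= nvecs` is the check that actually constrains this device-supplied vector index, and it is kept. Simplifying to `if (event_irq >= nvecs)` would make the validation read as what it enforces.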
@@ -0,0 +1,36 @@
+From aa82130a22f77c1aa5794703730304d035a0c1f4 Mon Sep 17 00:00:00 2001
+From: Wesley Sheng
+Date: Mon, 6 Jan 2020 12:03:26 -0700
+Subject: PCI/switchtec: Use dma_set_mask_and_coherent()
+
+From: Wesley Sheng
+
+commit aa82130a22f77c1aa5794703730304d035a0c1f4 upstream.
+
+Use dma_set_mask_and_coherent() instead of dma_set_coherent_mask() as the
+Switchtec hardware fully supports 64bit addressing and we should set both
+the streaming and coherent masks the same.
+
+[logang@deltatee.com: reworked commit message]
+Fixes: aff614c6339c ("switchtec: Set DMA coherent mask")
+Link: https://lore.kernel.org/r/20200106190337.2428-2-logang@deltatee.com
+Signed-off-by: Wesley Sheng
+Signed-off-by: Logan Gunthorpe
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/switch/switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1349,7 +1349,7 @@ static int switchtec_init_pci(struct swi
+ if (rc)
+ return rc;
+
+- rc = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(64));
++ rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
+ if (rc)
+ return rc;
+
diff --git a/queue-5.4/pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch b/queue-5.4/pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch
new file mode 100644
index 00000000000..15cf4856090
--- /dev/null
+++ b/queue-5.4/pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch
@@ -0,0 +1,43 @@
+From 21a92676e1fe292acb077b13106b08c22ed36b14 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler
+Date: Tue, 7 Jan 2020 09:14:02 +0100
+Subject: PCI: tegra: Fix afi_pex2_ctrl reg offset for Tegra30
+
+From: Marcel Ziswiler
+
+commit 21a92676e1fe292acb077b13106b08c22ed36b14 upstream.
+
+Fix AFI_PEX2_CTRL reg offset for Tegra30 by moving it from the Tegra20
+SoC struct where it erroneously got added. This fixes the AFI_PEX2_CTRL
+reg offset being uninitialised subsequently failing to bring up the
+third PCIe port.
+
+Fixes: adb2653b3d2e ("PCI: tegra: Add AFI_PEX2_CTRL reg offset as part of SoC struct")
+Signed-off-by: Marcel Ziswiler
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Andrew Murray
+Acked-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/controller/pci-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/pci-tegra.c
++++ b/drivers/pci/controller/pci-tegra.c
+@@ -2499,7 +2499,6 @@ static const struct tegra_pcie_soc tegra
+ .num_ports = 2,
+ .ports = tegra20_pcie_ports,
+ .msi_base_shift = 0,
+- .afi_pex2_ctrl = 0x128,
+ .pads_pll_ctl = PADS_PLL_CTL_TEGRA20,
+ .tx_ref_sel = PADS_PLL_CTL_TXCLKREF_DIV10,
+ .pads_refclk_cfg0 = 0xfa5cfa5c,
+@@ -2528,6 +2527,7 @@ static const struct tegra_pcie_soc tegra
+ .num_ports = 3,
+ .ports = tegra30_pcie_ports,
+ .msi_base_shift = 8,
++ .afi_pex2_ctrl = 0x128,
+ .pads_pll_ctl = PADS_PLL_CTL_TEGRA30,
+ .tx_ref_sel = PADS_PLL_CTL_TXCLKREF_BUF_EN,
+ .pads_refclk_cfg0 = 0xfa5cfa5c,
diff --git a/queue-5.4/rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch b/queue-5.4/rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch
new file mode 100644
index 00000000000..7e28baf6841
--- /dev/null
+++ b/queue-5.4/rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch
@@ -0,0 +1,55 @@ +From b4fb4cc5ba83b20dae13cef116c33648e81d2f44 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Sun, 26 Jan 2020 16:26:46 +0200 +Subject: RDMA/cma: Fix unbalanced cm_id reference count during address resolve + +From: Parav Pandit + +commit b4fb4cc5ba83b20dae13cef116c33648e81d2f44 upstream. + +Below commit missed the AF_IB and loopback code flow in +rdma_resolve_addr(). This leads to an unbalanced cm_id refcount in +cma_work_handler() which puts the refcount which was not incremented prior +to queuing the work. + +A call trace is observed with such code flow: + + BUG: unable to handle kernel NULL pointer dereference at (null) + [] __mutex_lock_slowpath+0x166/0x1d0 + [] mutex_lock+0x1f/0x2f + [] cma_work_handler+0x25/0xa0 + [] process_one_work+0x17f/0x440 + [] worker_thread+0x126/0x3c0 + +Hence, hold the cm_id reference when scheduling the resolve work item. + +Fixes: 722c7b2bfead ("RDMA/{cma, core}: Avoid callback on rdma_addr_cancel()") +Link: https://lore.kernel.org/r/20200126142652.104803-2-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3091,6 +3091,7 @@ static int cma_resolve_loopback(struct r + rdma_addr_get_sgid(&id_priv->id.route.addr.dev_addr, &gid); + rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, &gid); + ++ atomic_inc(&id_priv->refcount); + cma_init_resolve_addr_work(work, id_priv); + queue_work(cma_wq, &work->work); + return 0; +@@ -3117,6 +3118,7 @@ static int cma_resolve_ib_addr(struct rd + rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, (union ib_gid *) + &(((struct sockaddr_ib *) &id_priv->id.route.addr.dst_addr)->sib_addr)); + ++ atomic_inc(&id_priv->refcount); + cma_init_resolve_addr_work(work, id_priv); + queue_work(cma_wq, 
&work->work); + return 0; diff --git a/queue-5.4/rdma-core-fix-locking-in-ib_uverbs_event_read.patch b/queue-5.4/rdma-core-fix-locking-in-ib_uverbs_event_read.patch new file mode 100644 index 00000000000..98ebc6880df --- /dev/null +++ b/queue-5.4/rdma-core-fix-locking-in-ib_uverbs_event_read.patch 
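Review bot: cma_resolve_loopback() and cma_resolve_ib_addr() now repeat the same take-reference, init-work, queue-work sequence, and the bug being fixed is that these two callers were missing the first step. Tying the reference to the queuing, for example a small wrapper that does `atomic_inc(&id_priv->refcount);` and then `queue_work(cma_wq, &work->work);`, would keep a future caller from unbalancing the put in cma_work_handler() again. A comment on each increment, such as `/* dropped by cma_work_handler() */`, would at least document the pairing. Whether cma_init_resolve_addr_work() has other callers that already hold a reference is not visible in these hunks.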
@@ -0,0 +1,110 @@ +From 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 8 Jan 2020 19:22:03 +0200 +Subject: RDMA/core: Fix locking in ib_uverbs_event_read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Gunthorpe + +commit 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 upstream. + +This should not be using ib_dev to test for disassociation, during +disassociation is_closed is set under lock and the waitq is triggered. + +Instead check is_closed and be sure to re-obtain the lock to test the +value after the wait_event returns. + +Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications") +Link: https://lore.kernel.org/r/1578504126-9400-12-git-send-email-yishaih@mellanox.com +Signed-off-by: Yishai Hadas +Reviewed-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_main.c | 32 ++++++++++++++------------------ + 1 file changed, 14 insertions(+), 18 deletions(-) + +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -220,7 +220,6 @@ void ib_uverbs_release_file(struct kref + } + + static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue, +- struct ib_uverbs_file *uverbs_file, + struct file *filp, char __user *buf, + size_t count, loff_t *pos, + size_t eventsz) +@@ -238,19 +237,16 @@ static ssize_t ib_uverbs_event_read(stru + + if (wait_event_interruptible(ev_queue->poll_wait, + (!list_empty(&ev_queue->event_list) || +- /* The barriers built into wait_event_interruptible() +- * and wake_up() guarentee this will see the null set +- * without using RCU +- */ +- !uverbs_file->device->ib_dev))) ++ ev_queue->is_closed))) + return -ERESTARTSYS; + ++ spin_lock_irq(&ev_queue->lock); ++ + /* If device was disassociated and no event exists set an error */ +- if (list_empty(&ev_queue->event_list) && +- 
!uverbs_file->device->ib_dev) ++ if (list_empty(&ev_queue->event_list) && ev_queue->is_closed) { ++ spin_unlock_irq(&ev_queue->lock); + return -EIO; +- +- spin_lock_irq(&ev_queue->lock); ++ } + } + + event = list_entry(ev_queue->event_list.next, struct ib_uverbs_event, list); +@@ -285,8 +281,7 @@ static ssize_t ib_uverbs_async_event_rea + { + struct ib_uverbs_async_event_file *file = filp->private_data; + +- return ib_uverbs_event_read(&file->ev_queue, file->uverbs_file, filp, +- buf, count, pos, ++ return ib_uverbs_event_read(&file->ev_queue, filp, buf, count, pos, + sizeof(struct ib_uverbs_async_event_desc)); + } + +@@ -296,9 +291,8 @@ static ssize_t ib_uverbs_comp_event_read + struct ib_uverbs_completion_event_file *comp_ev_file = + filp->private_data; + +- return ib_uverbs_event_read(&comp_ev_file->ev_queue, +- comp_ev_file->uobj.ufile, filp, +- buf, count, pos, ++ return ib_uverbs_event_read(&comp_ev_file->ev_queue, filp, buf, count, ++ pos, + sizeof(struct ib_uverbs_comp_event_desc)); + } + +@@ -321,7 +315,9 @@ static __poll_t ib_uverbs_event_poll(str + static __poll_t ib_uverbs_async_event_poll(struct file *filp, + struct poll_table_struct *wait) + { +- return ib_uverbs_event_poll(filp->private_data, filp, wait); ++ struct ib_uverbs_async_event_file *file = filp->private_data; ++ ++ return ib_uverbs_event_poll(&file->ev_queue, filp, wait); + } + + static __poll_t ib_uverbs_comp_event_poll(struct file *filp, +@@ -335,9 +331,9 @@ static __poll_t ib_uverbs_comp_event_pol + + static int ib_uverbs_async_event_fasync(int fd, struct file *filp, int on) + { +- struct ib_uverbs_event_queue *ev_queue = filp->private_data; ++ struct ib_uverbs_async_event_file *file = filp->private_data; + +- return fasync_helper(fd, filp, on, &ev_queue->async_queue); ++ return fasync_helper(fd, filp, on, &file->ev_queue.async_queue); + } + + static int ib_uverbs_comp_event_fasync(int fd, struct file *filp, int on) 
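Review bot: The wait condition in ib_uverbs_event_read() now reads `ev_queue->is_closed` without holding `ev_queue->lock`, and the comment that justified the old unlocked read was removed with it. The value is tested again under the lock immediately afterwards, which is what makes the early read harmless. A one-line comment such as `/* is_closed is re-tested under ev_queue->lock below */` would keep that reasoning next to the code. Separately, the async poll and fasync handlers change how `filp->private_data` is interpreted (`&file->ev_queue` instead of the raw pointer), which the description does not mention; for the 5.4 tree it is worth confirming that `private_data` really is a `struct ib_uverbs_async_event_file` at those call sites.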
diff --git a/queue-5.4/rdma-i40iw-fix-a-potential-null-pointer-dereference.patch b/queue-5.4/rdma-i40iw-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..db5f1c46b44 --- /dev/null +++ b/queue-5.4/rdma-i40iw-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,36 @@ +From 04db1580b5e48a79e24aa51ecae0cd4b2296ec23 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Mon, 30 Dec 2019 10:24:28 +0800 +Subject: RDMA/i40iw: fix a potential NULL pointer dereference + +From: Xiyu Yang + +commit 04db1580b5e48a79e24aa51ecae0cd4b2296ec23 upstream. + +A NULL pointer can be returned by in_dev_get(). Thus add a corresponding +check so that a NULL pointer dereference will be avoided at this place. + +Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") +Link: https://lore.kernel.org/r/1577672668-46499-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Reviewed-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/i40iw/i40iw_main.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c +@@ -1225,6 +1225,8 @@ static void i40iw_add_ipv4_addr(struct i + const struct in_ifaddr *ifa; + + idev = in_dev_get(dev); ++ if (!idev) ++ continue; + in_dev_for_each_ifa_rtnl(ifa, idev) { + i40iw_debug(&iwdev->sc_dev, I40IW_DEBUG_CM, + "IP=%pI4, vlan_id=%d, MAC=%pM\n", &ifa->ifa_address, diff --git a/queue-5.4/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch b/queue-5.4/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch new file mode 100644 index 00000000000..4f9876d28fc --- /dev/null +++ b/queue-5.4/rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch 
@@ -0,0 +1,80 @@ +From a242c36951ecd24bc16086940dbe6b522205c461 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Mon, 16 Dec 2019 13:04:36 +0100 +Subject: RDMA/netlink: Do not always generate an ACK for some netlink operations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +commit a242c36951ecd24bc16086940dbe6b522205c461 upstream. + +In rdma_nl_rcv_skb(), the local variable err is assigned the return value +of the supplied callback function, which could be one of +ib_nl_handle_resolve_resp(), ib_nl_handle_set_timeout(), or +ib_nl_handle_ip_res_resp(). These three functions all return skb->len on +success. + +rdma_nl_rcv_skb() is merely a copy of netlink_rcv_skb(). The callback +functions used by the latter have the convention: "Returns 0 on success or +a negative error code". + +In particular, the statement (equal for both functions): + + if (nlh->nlmsg_flags & NLM_F_ACK || err) + +implies that rdma_nl_rcv_skb() always will ack a message, independent of +the NLM_F_ACK being set in nlmsg_flags or not. + +The fix could be to change the above statement, but it is better to keep +the two *_rcv_skb() functions equal in this respect and instead change the +three callback functions in the rdma subsystem to the correct convention. 
+ +Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink") +Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") +Link: https://lore.kernel.org/r/20191216120436.3204814-1-haakon.bugge@oracle.com +Suggested-by: Mark Haywood +Signed-off-by: HÃ¥kon Bugge +Tested-by: Mark Haywood +Reviewed-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/addr.c | 2 +- + drivers/infiniband/core/sa_query.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -139,7 +139,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b + if (ib_nl_is_good_ip_resp(nlh)) + ib_nl_process_good_ip_rsep(nlh); + +- return skb->len; ++ return 0; + } + + static int ib_nl_ip_send_msg(struct rdma_dev_addr *dev_addr, +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -1068,7 +1068,7 @@ int ib_nl_handle_set_timeout(struct sk_b + } + + settimeout_out: +- return skb->len; ++ return 0; + } + + static inline int ib_nl_is_good_resolve_resp(const struct nlmsghdr *nlh) +@@ -1139,7 +1139,7 @@ int ib_nl_handle_resolve_resp(struct sk_ + } + + resp_out: +- return skb->len; ++ return 0; + } + + static void free_sm_ah(struct kref *kref) diff --git a/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz.patch b/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz.patch new file mode 100644 index 00000000000..41c91295a3c --- /dev/null +++ b/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz.patch 
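Review bot: After this change every path that reaches `settimeout_out:` in ib_nl_handle_set_timeout() or `resp_out:` in ib_nl_handle_resolve_resp() reports success, because both labels end in a bare `return 0;`. The jumps to those labels are outside the hunks; if any of them are taken when the message is rejected, such as on a failed attribute parse or a missing query, the sender gets neither an ACK nor an error. Now that the callbacks follow the "0 or negative errno" convention, those paths could return a specific error, for instance `return -EINVAL;`, so that rdma_nl_rcv_skb() reports the rejection. The same applies to ib_nl_handle_ip_res_resp() when `ib_nl_is_good_ip_resp(nlh)` is false.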
@@ -0,0 +1,45 @@
+From 36798d5ae1af62e830c5e045b2e41ce038690c61 Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov
+Date: Tue, 28 Jan 2020 15:56:12 +0200
+Subject: RDMA/umem: Fix ib_umem_find_best_pgsz()
+
+From: Artemy Kovalyov
+
+commit 36798d5ae1af62e830c5e045b2e41ce038690c61 upstream.
+
+Except for the last entry, the ending iova alignment sets the maximum
+possible page size as the low bits of the iova must be zero when starting
+the next chunk.
+
+Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR")
+Link: https://lore.kernel.org/r/20200128135612.174820-1-leon@kernel.org
+Signed-off-by: Artemy Kovalyov
+Signed-off-by: Leon Romanovsky
+Tested-by: Gal Pressman
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -166,10 +166,13 @@ unsigned long ib_umem_find_best_pgsz(str
+ * for any address.
+ */
+ mask |= (sg_dma_address(sg) + pgoff) ^ va;
+- if (i && i != (umem->nmap - 1))
+- /* restrict by length as well for interior SGEs */
+- mask |= sg_dma_len(sg);
+ va += sg_dma_len(sg) - pgoff;
++ /* Except for the last entry, the ending iova alignment sets
++ * the maximum possible page size as the low bits of the iova
++ * must be zero when starting the next chunk.
++ */
++ if (i != (umem->nmap - 1))
++ mask |= va;
+ pgoff = 0;
+ }
+ best_pg_bit = rdma_find_pg_bit(mask, pgsz_bitmap);
diff --git a/queue-5.4/rdma-uverbs-verify-mr-access-flags.patch b/queue-5.4/rdma-uverbs-verify-mr-access-flags.patch
new file mode 100644
index 00000000000..90d8714f801
--- /dev/null
+++ b/queue-5.4/rdma-uverbs-verify-mr-access-flags.patch
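Review bot: The new comment before `if (i != (umem->nmap - 1))` explains the ending-alignment rule but not that the first entry is now subject to it, which is the behavioural change from the removed `i &&` condition. Because the accumulated mask is what `rdma_find_pg_bit()` turns into the page size for the MR, I would spell that out by extending the comment with a line such as `* This includes the first entry (i == 0); only the last one may end unaligned.` The loop header and the declarations of `va`, `pgoff` and `mask` are outside the hunk, so the single-entry case (where only the start XOR is folded into the mask) should be checked against the rest of ib_umem_find_best_pgsz().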
@@ -0,0 +1,35 @@
+From ca95c1411198c2d87217c19d44571052cdc94725 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik
+Date: Wed, 8 Jan 2020 20:05:35 +0200
+Subject: RDMA/uverbs: Verify MR access flags
+
+From: Michael Guralnik
+
+commit ca95c1411198c2d87217c19d44571052cdc94725 upstream.
+
+Verify that MR access flags that are passed from user are all supported
+ones, otherwise an error is returned.
+
+Fixes: 4fca03778351 ("IB/uverbs: Move ib_access_flags and ib_read_counters_flags to uapi")
+Link: https://lore.kernel.org/r/1578506740-22188-6-git-send-email-yishaih@mellanox.com
+Signed-off-by: Michael Guralnik
+Signed-off-by: Yishai Hadas
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/rdma/ib_verbs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4252,6 +4252,9 @@ static inline int ib_check_mr_access(int
+ !(flags & IB_ACCESS_LOCAL_WRITE))
+ return -EINVAL;
+
++ if (flags & ~IB_ACCESS_SUPPORTED)
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-5.4/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch b/queue-5.4/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
new file mode 100644
index 00000000000..a56a7988d77
--- /dev/null
+++ b/queue-5.4/scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
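Review bot: `IB_ACCESS_SUPPORTED` is used by the added check in ib_check_mr_access() but is neither defined nor touched in this hunk, so the backport depends on the 5.4 tree already providing a mask that matches the access bits this kernel implements. That is worth confirming before queuing, because a mask wider than the supported set would let unknown user-supplied bits through, and a narrower one would start rejecting valid registrations with -EINVAL. A short comment on the new test would also help, e.g. `/* reject access bits from userspace that this kernel does not know */`. The start of ib_check_mr_access() is outside the hunk.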
@@ -0,0 +1,39 @@
+From b9fc5320212efdfb4e08b825aaa007815fd11d16 Mon Sep 17 00:00:00 2001
+From: Bean Huo
+Date: Mon, 20 Jan 2020 14:08:13 +0100
+Subject: scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
+
+From: Bean Huo
+
+commit b9fc5320212efdfb4e08b825aaa007815fd11d16 upstream.
+
+A non-zero error value likely being returned by ufshcd_scsi_add_wlus() in
+case of failure of adding the WLs, but ufshcd_probe_hba() doesn't use this
+value, and doesn't report this failure to upper caller. This patch is to
+fix this issue.
+
+Fixes: 2a8fa600445c ("ufs: manually add well known logical units")
+Link: https://lore.kernel.org/r/20200120130820.1737-2-huobean@gmail.com
+Reviewed-by: Asutosh Das
+Reviewed-by: Alim Akhtar
+Reviewed-by: Stanley Chu
+Signed-off-by: Bean Huo
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ufs/ufshcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6953,7 +6953,8 @@ static int ufshcd_probe_hba(struct ufs_h
+ ufshcd_init_icc_levels(hba);
+
+ /* Add required well known logical units to scsi mid layer */
+- if (ufshcd_scsi_add_wlus(hba))
++ ret = ufshcd_scsi_add_wlus(hba);
++ if (ret)
+ goto out;
+
+ /* Initialize devfreq after UFS device is detected */
diff --git a/queue-5.4/series b/queue-5.4/series
index d9af5a4c81c..1c0169ae75a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
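Review bot: The failure of ufshcd_scsi_add_wlus() is now returned but still not logged, so a probe that aborts at `if (ret) goto out;` leaves no trace of which step failed. Adding `dev_err(hba->dev, "%s: adding WLUs failed, ret = %d\n", __func__, ret);` before the `goto out;` (with braces on the `if`) would cover that. The `out:` label and the rest of ufshcd_probe_hba() are outside the hunk, so it is also worth checking that the cleanup there behaves correctly now that `ret` is non-zero on this path, which presumably was not the case before.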
@@ -1,2 +1,28 @@
 asoc-pcm-update-fe-be-trigger-order-based-on-the-com.patch
 hv_sock-remove-the-accept-port-restriction.patch
+ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
+ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch
+ib-mlx4-fix-leak-in-id_map_find_del.patch
+rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
+rdma-i40iw-fix-a-potential-null-pointer-dereference.patch
+rdma-core-fix-locking-in-ib_uverbs_event_read.patch
+rdma-uverbs-verify-mr-access-flags.patch
+rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch
+rdma-umem-fix-ib_umem_find_best_pgsz.patch
+scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
+pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
+ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
+pci-switchtec-use-dma_set_mask_and_coherent.patch
+pci-switchtec-fix-vep_vector_number-ioread-width.patch
+pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch
+pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
+pci-aer-initialize-aer_fifo.patch
+iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch
+nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch
+nfs-nfs_swap-should-depend-on-swap.patch
+nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
+nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
+nfs-fix-fix-of-show_nfs_errors.patch
+nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch
+nfsv4-try-lease-recovery-on-nfs4err_expired.patch
+nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch
-- 2.47.3