From: Greg Kroah-Hartman Date: Thu, 30 Apr 2020 15:09:45 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v5.4.37~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=22fbbb698b22be335d5fccfc6e15e3566986691d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: arm-dts-bcm283x-disable-dsi0-node.patch blk-iocost-fix-error-on-iocost_ioc_vrate_adj.patch bpf-fix-handling-of-xadd-on-btf-memory.patch bpf-propagate-expected_attach_type-when-verifying-freplace-programs.patch bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bpf_stx-bpf_b.patch bpf-x86_32-fix-clobbering-of-dst-for-bpf_jset.patch bpf-x86_32-fix-incorrect-encoding-in-bpf_ldx-zero-extension.patch bpf-x86_32-fix-logic-error-in-bpf_ldx-zero-extension.patch cpumap-avoid-warning-when-config_debug_per_cpu_maps-is-enabled.patch net-mlx5-fix-failing-fw-tracer-allocation-on-s390.patch net-mlx5e-don-t-trigger-irq-multiple-times-on-xsk-wakeup-to-avoid-wq-overruns.patch net-mlx5e-get-the-latest-values-from-counters-in-switchdev-mode.patch netfilter-nat-fix-error-handling-upon-registering-inet-hook.patch pci-add-acs-quirk-for-zhaoxin-multi-function-devices.patch pci-add-acs-quirk-for-zhaoxin-root-downstream-ports.patch pci-avoid-asmedia-xhci-usb-pme-from-d0-defect.patch pci-move-apex-edge-tpu-class-quirk-to-fix-bar-assignment.patch perf-core-fix-parent-pid-tid-in-task-exit-events.patch pm-sleep-core-switch-back-to-async_schedule_dev.patch remoteproc-mtk_scp-use-dma_addr_t-for-dma-api.patch s390-pci-do-not-set-affinity-for-floating-irqs.patch sched-core-fix-reset-on-fork-from-rt-with-uclamp.patch selftests-bpf-fix-a-couple-of-broken-test_btf-cases.patch svcrdma-fix-leak-of-svc_rdma_recv_ctxt-objects.patch svcrdma-fix-trace-point-use-after-free-race.patch um-ensure-make-arch-um-mrproper-removes-arch-subarch-include-generated.patch --- diff --git a/queue-5.6/arm-dts-bcm283x-disable-dsi0-node.patch b/queue-5.6/arm-dts-bcm283x-disable-dsi0-node.patch new file mode 100644 index 00000000000..79d763606d1 --- /dev/null +++ b/queue-5.6/arm-dts-bcm283x-disable-dsi0-node.patch @@ -0,0 +1,32 @@ +From 90444b958461a5f8fc299ece0fe17eab15cba1e1 Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Wed, 15 Apr 2020 16:42:33 +0200 +Subject: ARM: dts: bcm283x: Disable dsi0 node + +From: Nicolas Saenz Julienne + +commit 90444b958461a5f8fc299ece0fe17eab15cba1e1 upstream. + +Since its inception the module was meant to be disabled by default, but +the original commit failed to add the relevant property. + +Fixes: 4aba4cf82054 ("ARM: dts: bcm2835: Add the DSI module nodes and clocks") +Signed-off-by: Nicolas Saenz Julienne +Reviewed-by: Eric Anholt +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/bcm283x.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -372,6 +372,7 @@ + "dsi0_ddr2", + "dsi0_ddr"; + ++ status = "disabled"; + }; + + aux: aux@7e215000 { diff --git a/queue-5.6/blk-iocost-fix-error-on-iocost_ioc_vrate_adj.patch b/queue-5.6/blk-iocost-fix-error-on-iocost_ioc_vrate_adj.patch new file mode 100644 index 00000000000..21ad7b8ed20 --- /dev/null +++ b/queue-5.6/blk-iocost-fix-error-on-iocost_ioc_vrate_adj.patch @@ -0,0 +1,79 @@ +From d6c8e949a35d6906d6c03a50e9a9cdf4e494528a Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 21 Apr 2020 09:07:55 -0400 +Subject: blk-iocost: Fix error on iocost_ioc_vrate_adj +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Waiman Long + +commit d6c8e949a35d6906d6c03a50e9a9cdf4e494528a upstream. + +Systemtap 4.2 is unable to correctly interpret the "u32 (*missed_ppm)[2]" +argument of the iocost_ioc_vrate_adj trace entry defined in +include/trace/events/iocost.h leading to the following error: + + /tmp/stapAcz0G0/stap_c89c58b83cea1724e26395efa9ed4939_6321_aux_6.c:78:8: + error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token + , u32[]* __tracepoint_arg_missed_ppm + +That argument type is indeed rather complex and hard to read. Looking +at block/blk-iocost.c. It is just a 2-entry u32 array. By simplifying +the argument to a simple "u32 *missed_ppm" and adjusting the trace +entry accordingly, the compilation error was gone. + +Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") +Acked-by: Steven Rostedt (VMware) +Acked-by: Tejun Heo +Signed-off-by: Waiman Long +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-iocost.c | 4 ++-- + include/trace/events/iocost.h | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1594,7 +1594,7 @@ skip_surplus_transfers: + vrate_min, vrate_max); + } + +- trace_iocost_ioc_vrate_adj(ioc, vrate, &missed_ppm, rq_wait_pct, ++ trace_iocost_ioc_vrate_adj(ioc, vrate, missed_ppm, rq_wait_pct, + nr_lagging, nr_shortages, + nr_surpluses); + +@@ -1603,7 +1603,7 @@ skip_surplus_transfers: + ioc->period_us * vrate * INUSE_MARGIN_PCT, 100); + } else if (ioc->busy_level != prev_busy_level || nr_lagging) { + trace_iocost_ioc_vrate_adj(ioc, atomic64_read(&ioc->vtime_rate), +- &missed_ppm, rq_wait_pct, nr_lagging, ++ missed_ppm, rq_wait_pct, nr_lagging, + nr_shortages, nr_surpluses); + } + +--- a/include/trace/events/iocost.h ++++ b/include/trace/events/iocost.h +@@ -130,7 +130,7 @@ DEFINE_EVENT(iocg_inuse_update, iocost_i + + TRACE_EVENT(iocost_ioc_vrate_adj, + +- TP_PROTO(struct ioc *ioc, u64 new_vrate, u32 (*missed_ppm)[2], ++ TP_PROTO(struct ioc *ioc, u64 new_vrate, u32 *missed_ppm, + u32 rq_wait_pct, int nr_lagging, int nr_shortages, + int nr_surpluses), + +@@ -155,8 +155,8 @@ TRACE_EVENT(iocost_ioc_vrate_adj, + __entry->old_vrate = atomic64_read(&ioc->vtime_rate);; + __entry->new_vrate = new_vrate; + __entry->busy_level = ioc->busy_level; +- __entry->read_missed_ppm = (*missed_ppm)[READ]; +- __entry->write_missed_ppm = (*missed_ppm)[WRITE]; ++ __entry->read_missed_ppm = missed_ppm[READ]; ++ __entry->write_missed_ppm = missed_ppm[WRITE]; + __entry->rq_wait_pct = rq_wait_pct; + __entry->nr_lagging = nr_lagging; + __entry->nr_shortages = nr_shortages; diff --git a/queue-5.6/bpf-fix-handling-of-xadd-on-btf-memory.patch b/queue-5.6/bpf-fix-handling-of-xadd-on-btf-memory.patch new file mode 100644 index 00000000000..f8ad631ea3e --- /dev/null +++ b/queue-5.6/bpf-fix-handling-of-xadd-on-btf-memory.patch @@ -0,0 +1,45 @@ +From 8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 17 Apr 2020 02:00:07 +0200 +Subject: bpf: Fix handling of XADD on BTF memory + +From: Jann Horn + +commit 8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf upstream. + +check_xadd() can cause check_ptr_to_btf_access() to be executed with +atype==BPF_READ and value_regno==-1 (meaning "just check whether the access +is okay, don't tell me what type it will result in"). +Handle that case properly and skip writing type information, instead of +indexing into the registers at index -1 and writing into out-of-bounds +memory. + +Note that at least at the moment, you can't actually write through a BTF +pointer, so check_xadd() will reject the program after calling +check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the +verifier has already corrupted memory. + +This patch assumes that BTF pointers are not available in unprivileged +programs. + +Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF") +Signed-off-by: Jann Horn +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2885,7 +2885,7 @@ static int check_ptr_to_btf_access(struc + if (ret < 0) + return ret; + +- if (atype == BPF_READ) { ++ if (atype == BPF_READ && value_regno >= 0) { + if (ret == SCALAR_VALUE) { + mark_reg_unknown(env, regs, value_regno); + return 0; diff --git a/queue-5.6/bpf-propagate-expected_attach_type-when-verifying-freplace-programs.patch b/queue-5.6/bpf-propagate-expected_attach_type-when-verifying-freplace-programs.patch new file mode 100644 index 00000000000..5de3936d927 --- /dev/null +++ b/queue-5.6/bpf-propagate-expected_attach_type-when-verifying-freplace-programs.patch @@ -0,0 +1,64 @@ +From 03f87c0b45b177ba5f6b4a9bbe9f95e4aba31026 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Fri, 24 Apr 2020 15:34:27 +0200 +Subject: bpf: Propagate expected_attach_type when verifying freplace programs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 03f87c0b45b177ba5f6b4a9bbe9f95e4aba31026 upstream. + +For some program types, the verifier relies on the expected_attach_type of +the program being verified in the verification process. However, for +freplace programs, the attach type was not propagated along with the +verifier ops, so the expected_attach_type would always be zero for freplace +programs. + +This in turn caused the verifier to sometimes make the wrong call for +freplace programs. For all existing uses of expected_attach_type for this +purpose, the result of this was only false negatives (i.e., freplace +functions would be rejected by the verifier even though they were valid +programs for the target they were replacing). However, should a false +positive be introduced, this can lead to out-of-bounds accesses and/or +crashes. + +The fix introduced in this patch is to propagate the expected_attach_type +to the freplace program during verification, and reset it after that is +done. + +Fixes: be8704ff07d2 ("bpf: Introduce dynamic program extensions") +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/158773526726.293902.13257293296560360508.stgit@toke.dk +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/verifier.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -9892,6 +9892,7 @@ static int check_attach_btf_id(struct bp + return -EINVAL; + } + env->ops = bpf_verifier_ops[tgt_prog->type]; ++ prog->expected_attach_type = tgt_prog->expected_attach_type; + } + if (!tgt_prog->jited) { + verbose(env, "Can attach to only JITed progs\n"); +@@ -10225,6 +10226,13 @@ err_release_maps: + * them now. Otherwise free_used_maps() will release them. + */ + release_maps(env); ++ ++ /* extension progs temporarily inherit the attach_type of their targets ++ for verification purposes, so set it back to zero before returning ++ */ ++ if (env->prog->type == BPF_PROG_TYPE_EXT) ++ env->prog->expected_attach_type = 0; ++ + *prog = env->prog; + err_unlock: + if (!is_priv) diff --git a/queue-5.6/bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bpf_stx-bpf_b.patch b/queue-5.6/bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bpf_stx-bpf_b.patch new file mode 100644 index 00000000000..1a99fd5f194 --- /dev/null +++ b/queue-5.6/bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bpf_stx-bpf_b.patch @@ -0,0 +1,75 @@ +From aee194b14dd2b2bde6252b3acf57d36dccfc743a Mon Sep 17 00:00:00 2001 +From: Luke Nelson +Date: Sat, 18 Apr 2020 16:26:53 -0700 +Subject: bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B + +From: Luke Nelson + +commit aee194b14dd2b2bde6252b3acf57d36dccfc743a upstream. + +This patch fixes an encoding bug in emit_stx for BPF_B when the source +register is BPF_REG_FP. + +The current implementation for BPF_STX BPF_B in emit_stx saves one REX +byte when the operands can be encoded using Mod-R/M alone. The lower 8 +bits of registers %rax, %rbx, %rcx, and %rdx can be accessed without using +a REX prefix via %al, %bl, %cl, and %dl, respectively. Other registers, +(e.g., %rsi, %rdi, %rbp, %rsp) require a REX prefix to use their 8-bit +equivalents (%sil, %dil, %bpl, %spl). + +The current code checks if the source for BPF_STX BPF_B is BPF_REG_1 +or BPF_REG_2 (which map to %rdi and %rsi), in which case it emits the +required REX prefix. However, it misses the case when the source is +BPF_REG_FP (mapped to %rbp). + +The result is that BPF_STX BPF_B with BPF_REG_FP as the source operand +will read from register %ch instead of the correct %bpl. This patch fixes +the problem by fixing and refactoring the check on which registers need +the extra REX byte. Since no BPF registers map to %rsp, there is no need +to handle %spl. + +Fixes: 622582786c9e0 ("net: filter: x86: internal BPF JIT") +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200418232655.23870-1-luke.r.nels@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/net/bpf_jit_comp.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -158,6 +158,19 @@ static bool is_ereg(u32 reg) + BIT(BPF_REG_AX)); + } + ++/* ++ * is_ereg_8l() == true if BPF register 'reg' is mapped to access x86-64 ++ * lower 8-bit registers dil,sil,bpl,spl,r8b..r15b, which need extra byte ++ * of encoding. al,cl,dl,bl have simpler encoding. ++ */ ++static bool is_ereg_8l(u32 reg) ++{ ++ return is_ereg(reg) || ++ (1 << reg) & (BIT(BPF_REG_1) | ++ BIT(BPF_REG_2) | ++ BIT(BPF_REG_FP)); ++} ++ + static bool is_axreg(u32 reg) + { + return reg == BPF_REG_0; +@@ -598,9 +611,8 @@ static void emit_stx(u8 **pprog, u32 siz + switch (size) { + case BPF_B: + /* Emit 'mov byte ptr [rax + off], al' */ +- if (is_ereg(dst_reg) || is_ereg(src_reg) || +- /* We have to add extra byte for x86 SIL, DIL regs */ +- src_reg == BPF_REG_1 || src_reg == BPF_REG_2) ++ if (is_ereg(dst_reg) || is_ereg_8l(src_reg)) ++ /* Add extra byte for eregs or SIL,DIL,BPL in src_reg */ + EMIT2(add_2mod(0x40, dst_reg, src_reg), 0x88); + else + EMIT1(0x88); diff --git a/queue-5.6/bpf-x86_32-fix-clobbering-of-dst-for-bpf_jset.patch b/queue-5.6/bpf-x86_32-fix-clobbering-of-dst-for-bpf_jset.patch new file mode 100644 index 00000000000..9b1f6c8ef68 --- /dev/null +++ b/queue-5.6/bpf-x86_32-fix-clobbering-of-dst-for-bpf_jset.patch @@ -0,0 +1,86 @@ +From 50fe7ebb6475711c15b3397467e6424e20026d94 Mon Sep 17 00:00:00 2001 +From: Luke Nelson +Date: Wed, 22 Apr 2020 10:36:30 -0700 +Subject: bpf, x86_32: Fix clobbering of dst for BPF_JSET + +From: Luke Nelson + +commit 50fe7ebb6475711c15b3397467e6424e20026d94 upstream. + +The current JIT clobbers the destination register for BPF_JSET BPF_X +and BPF_K by using "and" and "or" instructions. This is fine when the +destination register is a temporary loaded from a register stored on +the stack but not otherwise. + +This patch fixes the problem (for both BPF_K and BPF_X) by always loading +the destination register into temporaries since BPF_JSET should not +modify the destination register. + +This bug may not be currently triggerable as BPF_REG_AX is the only +register not stored on the stack and the verifier uses it in a limited +way. + +Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32") +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Alexei Starovoitov +Acked-by: Wang YanQing +Link: https://lore.kernel.org/bpf/20200422173630.8351-2-luke.r.nels@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/net/bpf_jit_comp32.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp32.c ++++ b/arch/x86/net/bpf_jit_comp32.c +@@ -2015,8 +2015,8 @@ static int do_jit(struct bpf_prog *bpf_p + case BPF_JMP | BPF_JSET | BPF_X: + case BPF_JMP32 | BPF_JSET | BPF_X: { + bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP; +- u8 dreg_lo = dstk ? IA32_EAX : dst_lo; +- u8 dreg_hi = dstk ? IA32_EDX : dst_hi; ++ u8 dreg_lo = IA32_EAX; ++ u8 dreg_hi = IA32_EDX; + u8 sreg_lo = sstk ? IA32_ECX : src_lo; + u8 sreg_hi = sstk ? IA32_EBX : src_hi; + +@@ -2028,6 +2028,13 @@ static int do_jit(struct bpf_prog *bpf_p + add_2reg(0x40, IA32_EBP, + IA32_EDX), + STACK_VAR(dst_hi)); ++ } else { ++ /* mov dreg_lo,dst_lo */ ++ EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo)); ++ if (is_jmp64) ++ /* mov dreg_hi,dst_hi */ ++ EMIT2(0x89, ++ add_2reg(0xC0, dreg_hi, dst_hi)); + } + + if (sstk) { +@@ -2052,8 +2059,8 @@ static int do_jit(struct bpf_prog *bpf_p + case BPF_JMP | BPF_JSET | BPF_K: + case BPF_JMP32 | BPF_JSET | BPF_K: { + bool is_jmp64 = BPF_CLASS(insn->code) == BPF_JMP; +- u8 dreg_lo = dstk ? IA32_EAX : dst_lo; +- u8 dreg_hi = dstk ? IA32_EDX : dst_hi; ++ u8 dreg_lo = IA32_EAX; ++ u8 dreg_hi = IA32_EDX; + u8 sreg_lo = IA32_ECX; + u8 sreg_hi = IA32_EBX; + u32 hi; +@@ -2066,6 +2073,13 @@ static int do_jit(struct bpf_prog *bpf_p + add_2reg(0x40, IA32_EBP, + IA32_EDX), + STACK_VAR(dst_hi)); ++ } else { ++ /* mov dreg_lo,dst_lo */ ++ EMIT2(0x89, add_2reg(0xC0, dreg_lo, dst_lo)); ++ if (is_jmp64) ++ /* mov dreg_hi,dst_hi */ ++ EMIT2(0x89, ++ add_2reg(0xC0, dreg_hi, dst_hi)); + } + + /* mov ecx,imm32 */ diff --git a/queue-5.6/bpf-x86_32-fix-incorrect-encoding-in-bpf_ldx-zero-extension.patch b/queue-5.6/bpf-x86_32-fix-incorrect-encoding-in-bpf_ldx-zero-extension.patch new file mode 100644 index 00000000000..019069e336b --- /dev/null +++ b/queue-5.6/bpf-x86_32-fix-incorrect-encoding-in-bpf_ldx-zero-extension.patch @@ -0,0 +1,55 @@ +From 5fa9a98fb10380e48a398998cd36a85e4ef711d6 Mon Sep 17 00:00:00 2001 +From: Luke Nelson +Date: Wed, 22 Apr 2020 10:36:29 -0700 +Subject: bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension + +From: Luke Nelson + +commit 5fa9a98fb10380e48a398998cd36a85e4ef711d6 upstream. + +The current JIT uses the following sequence to zero-extend into the +upper 32 bits of the destination register for BPF_LDX BPF_{B,H,W}, +when the destination register is not on the stack: + + EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0); + +The problem is that C7 /0 encodes a MOV instruction that requires a 4-byte +immediate; the current code emits only 1 byte of the immediate. This +means that the first 3 bytes of the next instruction will be treated as +the rest of the immediate, breaking the stream of instructions. + +This patch fixes the problem by instead emitting "xor dst_hi,dst_hi" +to clear the upper 32 bits. This fixes the problem and is more efficient +than using MOV to load a zero immediate. + +This bug may not be currently triggerable as BPF_REG_AX is the only +register not stored on the stack and the verifier uses it in a limited +way, and the verifier implements a zero-extension optimization. But the +JIT should avoid emitting incorrect encodings regardless. + +Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32") +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Alexei Starovoitov +Reviewed-by: H. Peter Anvin (Intel) +Acked-by: Wang YanQing +Link: https://lore.kernel.org/bpf/20200422173630.8351-1-luke.r.nels@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/net/bpf_jit_comp32.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/net/bpf_jit_comp32.c ++++ b/arch/x86/net/bpf_jit_comp32.c +@@ -1854,7 +1854,9 @@ static int do_jit(struct bpf_prog *bpf_p + STACK_VAR(dst_hi)); + EMIT(0x0, 4); + } else { +- EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0); ++ /* xor dst_hi,dst_hi */ ++ EMIT2(0x33, ++ add_2reg(0xC0, dst_hi, dst_hi)); + } + break; + case BPF_DW: diff --git a/queue-5.6/bpf-x86_32-fix-logic-error-in-bpf_ldx-zero-extension.patch b/queue-5.6/bpf-x86_32-fix-logic-error-in-bpf_ldx-zero-extension.patch new file mode 100644 index 00000000000..c84ad0f557a --- /dev/null +++ b/queue-5.6/bpf-x86_32-fix-logic-error-in-bpf_ldx-zero-extension.patch @@ -0,0 +1,33 @@ +From 5ca1ca01fae1e90f8d010eb1d83374f28dc11ee6 Mon Sep 17 00:00:00 2001 +From: Wang YanQing +Date: Thu, 23 Apr 2020 13:06:37 +0800 +Subject: bpf, x86_32: Fix logic error in BPF_LDX zero-extension + +From: Wang YanQing + +commit 5ca1ca01fae1e90f8d010eb1d83374f28dc11ee6 upstream. + +When verifier_zext is true, we don't need to emit code +for zero-extension. + +Fixes: 836256bf5f37 ("x32: bpf: eliminate zero extension code-gen") +Signed-off-by: Wang YanQing +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200423050637.GA4029@udknight +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/net/bpf_jit_comp32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/net/bpf_jit_comp32.c ++++ b/arch/x86/net/bpf_jit_comp32.c +@@ -1847,7 +1847,7 @@ static int do_jit(struct bpf_prog *bpf_p + case BPF_B: + case BPF_H: + case BPF_W: +- if (!bpf_prog->aux->verifier_zext) ++ if (bpf_prog->aux->verifier_zext) + break; + if (dstk) { + EMIT3(0xC7, add_1reg(0x40, IA32_EBP), diff --git a/queue-5.6/cpumap-avoid-warning-when-config_debug_per_cpu_maps-is-enabled.patch b/queue-5.6/cpumap-avoid-warning-when-config_debug_per_cpu_maps-is-enabled.patch new file mode 100644 index 00000000000..9a760a3dfe7 --- /dev/null +++ b/queue-5.6/cpumap-avoid-warning-when-config_debug_per_cpu_maps-is-enabled.patch @@ -0,0 +1,46 @@ +From bc23d0e3f717ced21fbfacab3ab887d55e5ba367 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Thu, 16 Apr 2020 10:31:20 +0200 +Subject: cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit bc23d0e3f717ced21fbfacab3ab887d55e5ba367 upstream. + +When the kernel is built with CONFIG_DEBUG_PER_CPU_MAPS, the cpumap code +can trigger a spurious warning if CONFIG_CPUMASK_OFFSTACK is also set. This +happens because in this configuration, NR_CPUS can be larger than +nr_cpumask_bits, so the initial check in cpu_map_alloc() is not sufficient +to guard against hitting the warning in cpumask_check(). + +Fix this by explicitly checking the supplied key against the +nr_cpumask_bits variable before calling cpu_possible(). + +Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") +Reported-by: Xiumei Mu +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexei Starovoitov +Tested-by: Xiumei Mu +Acked-by: Jesper Dangaard Brouer +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20200416083120.453718-1-toke@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/cpumap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/cpumap.c ++++ b/kernel/bpf/cpumap.c +@@ -469,7 +469,7 @@ static int cpu_map_update_elem(struct bp + return -EOVERFLOW; + + /* Make sure CPU is a valid possible cpu */ +- if (!cpu_possible(key_cpu)) ++ if (key_cpu >= nr_cpumask_bits || !cpu_possible(key_cpu)) + return -ENODEV; + + if (qsize == 0) { diff --git a/queue-5.6/net-mlx5-fix-failing-fw-tracer-allocation-on-s390.patch b/queue-5.6/net-mlx5-fix-failing-fw-tracer-allocation-on-s390.patch new file mode 100644 index 00000000000..7744e05fbe2 --- /dev/null +++ b/queue-5.6/net-mlx5-fix-failing-fw-tracer-allocation-on-s390.patch @@ -0,0 +1,56 @@ +From a019b36123aec9700b21ae0724710f62928a8bc1 Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Thu, 9 Apr 2020 09:46:20 +0200 +Subject: net/mlx5: Fix failing fw tracer allocation on s390 + +From: Niklas Schnelle + +commit a019b36123aec9700b21ae0724710f62928a8bc1 upstream. + +On s390 FORCE_MAX_ZONEORDER is 9 instead of 11, thus a larger kzalloc() +allocation as done for the firmware tracer will always fail. + +Looking at mlx5_fw_tracer_save_trace(), it is actually the driver itself +that copies the debug data into the trace array and there is no need for +the allocation to be contiguous in physical memory. We can therefor use +kvzalloc() instead of kzalloc() and get rid of the large contiguous +allcoation. + +Fixes: f53aaa31cce7 ("net/mlx5: FW tracer, implement tracer logic") +Signed-off-by: Niklas Schnelle +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -935,7 +935,7 @@ struct mlx5_fw_tracer *mlx5_fw_tracer_cr + return NULL; + } + +- tracer = kzalloc(sizeof(*tracer), GFP_KERNEL); ++ tracer = kvzalloc(sizeof(*tracer), GFP_KERNEL); + if (!tracer) + return ERR_PTR(-ENOMEM); + +@@ -982,7 +982,7 @@ destroy_workqueue: + tracer->dev = NULL; + destroy_workqueue(tracer->work_queue); + free_tracer: +- kfree(tracer); ++ kvfree(tracer); + return ERR_PTR(err); + } + +@@ -1061,7 +1061,7 @@ void mlx5_fw_tracer_destroy(struct mlx5_ + mlx5_fw_tracer_destroy_log_buf(tracer); + flush_workqueue(tracer->work_queue); + destroy_workqueue(tracer->work_queue); +- kfree(tracer); ++ kvfree(tracer); + } + + static int fw_tracer_event(struct notifier_block *nb, unsigned long action, void *data) diff --git a/queue-5.6/net-mlx5e-don-t-trigger-irq-multiple-times-on-xsk-wakeup-to-avoid-wq-overruns.patch b/queue-5.6/net-mlx5e-don-t-trigger-irq-multiple-times-on-xsk-wakeup-to-avoid-wq-overruns.patch new file mode 100644 index 00000000000..dd36d3e0a41 --- /dev/null +++ b/queue-5.6/net-mlx5e-don-t-trigger-irq-multiple-times-on-xsk-wakeup-to-avoid-wq-overruns.patch @@ -0,0 +1,111 @@ +From e7e0004abdd6f83ae4be5613b29ed396beff576c Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Tue, 11 Feb 2020 16:02:35 +0200 +Subject: net/mlx5e: Don't trigger IRQ multiple times on XSK wakeup to avoid WQ overruns + +From: Maxim Mikityanskiy + +commit e7e0004abdd6f83ae4be5613b29ed396beff576c upstream. + +XSK wakeup function triggers NAPI by posting a NOP WQE to a special XSK +ICOSQ. When the application floods the driver with wakeup requests by +calling sendto() in a certain pattern that ends up in mlx5e_trigger_irq, +the XSK ICOSQ may overflow. + +Multiple NOPs are not required and won't accelerate the process, so +avoid posting a second NOP if there is one already on the way. This way +we also avoid increasing the queue size (which might not help anyway). + +Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 ++- + drivers/net/ethernet/mellanox/mlx5/core/en/xsk/tx.c | 3 +++ + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 8 +++++--- + drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c | 6 +++++- + 4 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -367,6 +367,7 @@ enum { + MLX5E_SQ_STATE_AM, + MLX5E_SQ_STATE_TLS, + MLX5E_SQ_STATE_VLAN_NEED_L2_INLINE, ++ MLX5E_SQ_STATE_PENDING_XSK_TX, + }; + + struct mlx5e_sq_wqe_info { +@@ -950,7 +951,7 @@ void mlx5e_page_release_dynamic(struct m + void mlx5e_handle_rx_cqe(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe); + void mlx5e_handle_rx_cqe_mpwrq(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe); + bool mlx5e_post_rx_wqes(struct mlx5e_rq *rq); +-void mlx5e_poll_ico_cq(struct mlx5e_cq *cq); ++int mlx5e_poll_ico_cq(struct mlx5e_cq *cq); + bool mlx5e_post_rx_mpwqes(struct mlx5e_rq *rq); + void mlx5e_dealloc_rx_wqe(struct mlx5e_rq *rq, u16 ix); + void mlx5e_dealloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix); +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/tx.c +@@ -33,6 +33,9 @@ int mlx5e_xsk_wakeup(struct net_device * + if (unlikely(!test_bit(MLX5E_SQ_STATE_ENABLED, &c->xskicosq.state))) + return 0; + ++ if (test_and_set_bit(MLX5E_SQ_STATE_PENDING_XSK_TX, &c->xskicosq.state)) ++ return 0; ++ + spin_lock(&c->xskicosq_lock); + mlx5e_trigger_irq(&c->xskicosq); + spin_unlock(&c->xskicosq_lock); +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -587,7 +587,7 @@ bool mlx5e_post_rx_wqes(struct mlx5e_rq + return !!err; + } + +-void mlx5e_poll_ico_cq(struct mlx5e_cq *cq) ++int mlx5e_poll_ico_cq(struct mlx5e_cq *cq) + { + struct mlx5e_icosq *sq = container_of(cq, struct mlx5e_icosq, cq); + struct mlx5_cqe64 *cqe; +@@ -595,11 +595,11 @@ void mlx5e_poll_ico_cq(struct mlx5e_cq * + int i; + + if (unlikely(!test_bit(MLX5E_SQ_STATE_ENABLED, &sq->state))) +- return; ++ return 0; + + cqe = mlx5_cqwq_get_cqe(&cq->wq); + if (likely(!cqe)) +- return; ++ return 0; + + /* sq->cc must be updated only after mlx5_cqwq_update_db_record(), + * otherwise a cq overrun may occur +@@ -648,6 +648,8 @@ void mlx5e_poll_ico_cq(struct mlx5e_cq * + sq->cc = sqcc; + + mlx5_cqwq_update_db_record(&cq->wq); ++ ++ return i; + } + + bool mlx5e_post_rx_mpwqes(struct mlx5e_rq *rq) +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c +@@ -145,7 +145,11 @@ int mlx5e_napi_poll(struct napi_struct * + + busy |= rq->post_wqes(rq); + if (xsk_open) { +- mlx5e_poll_ico_cq(&c->xskicosq.cq); ++ if (mlx5e_poll_ico_cq(&c->xskicosq.cq)) ++ /* Don't clear the flag if nothing was polled to prevent ++ * queueing more WQEs and overflowing XSKICOSQ. ++ */ ++ clear_bit(MLX5E_SQ_STATE_PENDING_XSK_TX, &c->xskicosq.state); + busy |= mlx5e_poll_xdpsq_cq(&xsksq->cq); + busy_xsk |= mlx5e_napi_xsk_post(xsksq, xskrq); + } diff --git a/queue-5.6/net-mlx5e-get-the-latest-values-from-counters-in-switchdev-mode.patch b/queue-5.6/net-mlx5e-get-the-latest-values-from-counters-in-switchdev-mode.patch new file mode 100644 index 00000000000..0e84514c1f5 --- /dev/null +++ b/queue-5.6/net-mlx5e-get-the-latest-values-from-counters-in-switchdev-mode.patch @@ -0,0 +1,53 @@ +From dcdf4ce0ff4ba206fc362e149c8ae81d6a2f849c Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun +Date: Wed, 8 Apr 2020 14:51:52 +0800 +Subject: net/mlx5e: Get the latest values from counters in switchdev mode + +From: Zhu Yanjun + +commit dcdf4ce0ff4ba206fc362e149c8ae81d6a2f849c upstream. + +In the switchdev mode, when running "cat +/sys/class/net/NIC/statistics/tx_packets", the ppcnt register is +accessed to get the latest values. But currently this command can +not get the correct values from ppcnt. + +From firmware manual, before getting the 802_3 counters, the 802_3 +data layout should be set to the ppcnt register. + +When the command "cat /sys/class/net/NIC/statistics/tx_packets" is +run, before updating 802_3 data layout with ppcnt register, the +monitor counters are tested. The test result will decide the +802_3 data layout is updated or not. + +Actually the monitor counters do not support to monitor rx/tx +stats of 802_3 in switchdev mode. So the rx/tx counters change +will not trigger monitor counters. So the 802_3 data layout will +not be updated in ppcnt register. Finally this command can not get +the latest values from ppcnt register with 802_3 data layout. + +Fixes: 5c7e8bbb0257 ("net/mlx5e: Use monitor counters for update stats") +Signed-off-by: Zhu Yanjun +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3568,7 +3568,12 @@ mlx5e_get_stats(struct net_device *dev, + struct mlx5e_vport_stats *vstats = &priv->stats.vport; + struct mlx5e_pport_stats *pstats = &priv->stats.pport; + +- if (!mlx5e_monitor_counter_supported(priv)) { ++ /* In switchdev mode, monitor counters doesn't monitor ++ * rx/tx stats of 802_3. The update stats mechanism ++ * should keep the 802_3 layout counters updated ++ */ ++ if (!mlx5e_monitor_counter_supported(priv) || ++ mlx5e_is_uplink_rep(priv)) { + /* update HW stats in background for next time */ + mlx5e_queue_update_stats(priv); + } diff --git a/queue-5.6/netfilter-nat-fix-error-handling-upon-registering-inet-hook.patch b/queue-5.6/netfilter-nat-fix-error-handling-upon-registering-inet-hook.patch new file mode 100644 index 00000000000..dc626e22079 --- /dev/null +++ b/queue-5.6/netfilter-nat-fix-error-handling-upon-registering-inet-hook.patch @@ -0,0 +1,84 @@ +From b4faef1739dd1f3b3981b8bf173a2266ea86b1eb Mon Sep 17 00:00:00 2001 +From: Hillf Danton +Date: Sat, 18 Apr 2020 16:28:32 +0800 +Subject: netfilter: nat: fix error handling upon registering inet hook + +From: Hillf Danton + +commit b4faef1739dd1f3b3981b8bf173a2266ea86b1eb upstream. + +A case of warning was reported by syzbot. + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 19934 at net/netfilter/nf_nat_core.c:1106 +nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106 +Kernel panic - not syncing: panic_on_warn set ... +CPU: 0 PID: 19934 Comm: syz-executor.5 Not tainted 5.6.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x188/0x20d lib/dump_stack.c:118 + panic+0x2e3/0x75c kernel/panic.c:221 + __warn.cold+0x2f/0x35 kernel/panic.c:582 + report_bug+0x27b/0x2f0 lib/bug.c:195 + fixup_bug arch/x86/kernel/traps.c:175 [inline] + fixup_bug arch/x86/kernel/traps.c:170 [inline] + do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267 + do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286 + invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 +RIP: 0010:nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106 +Code: ff df 48 c1 ea 03 80 3c 02 00 75 75 48 8b 44 24 10 4c 89 ef 48 c7 00 00 00 00 00 e8 e8 f8 53 fb e9 4d fe ff ff e8 ee 9c 16 fb <0f> 0b e9 41 fe ff ff e8 e2 45 54 fb e9 b5 fd ff ff 48 8b 7c 24 20 +RSP: 0018:ffffc90005487208 EFLAGS: 00010246 +RAX: 0000000000040000 RBX: 0000000000000004 RCX: ffffc9001444a000 +RDX: 0000000000040000 RSI: ffffffff865c94a2 RDI: 0000000000000005 +RBP: ffff88808b5cf000 R08: ffff8880a2620140 R09: fffffbfff14bcd79 +R10: ffffc90005487208 R11: fffffbfff14bcd78 R12: 0000000000000000 +R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 + nf_nat_ipv6_unregister_fn net/netfilter/nf_nat_proto.c:1017 [inline] + nf_nat_inet_register_fn net/netfilter/nf_nat_proto.c:1038 [inline] + nf_nat_inet_register_fn+0xfc/0x140 net/netfilter/nf_nat_proto.c:1023 + nf_tables_register_hook net/netfilter/nf_tables_api.c:224 [inline] + nf_tables_addchain.constprop.0+0x82e/0x13c0 net/netfilter/nf_tables_api.c:1981 + nf_tables_newchain+0xf68/0x16a0 net/netfilter/nf_tables_api.c:2235 + nfnetlink_rcv_batch+0x83a/0x1610 net/netfilter/nfnetlink.c:433 + nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline] + nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:561 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 + ___sys_sendmsg+0x100/0x170 net/socket.c:2416 + __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 + do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 + entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +and to quiesce it, unregister NFPROTO_IPV6 hook instead of NFPROTO_INET +in case of failing to register NFPROTO_IPV4 hook. + +Reported-by: syzbot +Fixes: d164385ec572 ("netfilter: nat: add inet family nat support") +Cc: Florian Westphal +Cc: Stefano Brivio +Signed-off-by: Hillf Danton +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_nat_proto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_nat_proto.c ++++ b/net/netfilter/nf_nat_proto.c +@@ -1035,8 +1035,8 @@ int nf_nat_inet_register_fn(struct net * + ret = nf_nat_register_fn(net, NFPROTO_IPV4, ops, nf_nat_ipv4_ops, + ARRAY_SIZE(nf_nat_ipv4_ops)); + if (ret) +- nf_nat_ipv6_unregister_fn(net, ops); +- ++ nf_nat_unregister_fn(net, NFPROTO_IPV6, ops, ++ ARRAY_SIZE(nf_nat_ipv6_ops)); + return ret; + } + EXPORT_SYMBOL_GPL(nf_nat_inet_register_fn); diff --git a/queue-5.6/pci-add-acs-quirk-for-zhaoxin-multi-function-devices.patch b/queue-5.6/pci-add-acs-quirk-for-zhaoxin-multi-function-devices.patch new file mode 100644 index 00000000000..b0996a85715 --- /dev/null +++ b/queue-5.6/pci-add-acs-quirk-for-zhaoxin-multi-function-devices.patch @@ -0,0 +1,35 @@ +From 0325837c51cb7c9a5bd3e354ac0c0cda0667d50e Mon Sep 17 00:00:00 2001 +From: Raymond Pang +Date: Fri, 27 Mar 2020 17:11:47 +0800 +Subject: PCI: Add ACS quirk for Zhaoxin multi-function devices + +From: Raymond Pang + +commit 0325837c51cb7c9a5bd3e354ac0c0cda0667d50e upstream. + +Some Zhaoxin endpoints are implemented as multi-function devices without an +ACS capability, but they actually don't support peer-to-peer transactions. +Add ACS quirks to declare DMA isolation. + +Link: https://lore.kernel.org/r/20200327091148.5190-3-RaymondPang-oc@zhaoxin.com +Signed-off-by: Raymond Pang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4767,6 +4767,10 @@ static const struct pci_dev_acs_enabled + { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, + /* Amazon Annapurna Labs */ + { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, ++ /* Zhaoxin multi-function devices */ ++ { PCI_VENDOR_ID_ZHAOXIN, 0x3038, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_ZHAOXIN, 0x3104, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs }, + { 0 } + }; + diff --git a/queue-5.6/pci-add-acs-quirk-for-zhaoxin-root-downstream-ports.patch b/queue-5.6/pci-add-acs-quirk-for-zhaoxin-root-downstream-ports.patch new file mode 100644 index 00000000000..90937c73383 --- /dev/null +++ b/queue-5.6/pci-add-acs-quirk-for-zhaoxin-root-downstream-ports.patch @@ -0,0 +1,64 @@ +From 299bd044a6f332b4a6c8f708575c27cad70a35c1 Mon Sep 17 00:00:00 2001 +From: Raymond Pang +Date: Fri, 27 Mar 2020 17:11:48 +0800 +Subject: PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports + +From: Raymond Pang + +commit 299bd044a6f332b4a6c8f708575c27cad70a35c1 upstream. + +Many Zhaoxin Root Ports and Switch Downstream Ports do provide ACS-like +capability but have no ACS Capability Structure. Peer-to-Peer transactions +could be blocked between these ports, so add quirk so devices behind them +could be assigned to different IOMMU group. + +Link: https://lore.kernel.org/r/20200327091148.5190-4-RaymondPang-oc@zhaoxin.com +Signed-off-by: Raymond Pang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4466,6 +4466,29 @@ static int pci_quirk_xgene_acs(struct pc + } + + /* ++ * Many Zhaoxin Root Ports and Switch Downstream Ports have no ACS capability. ++ * But the implementation could block peer-to-peer transactions between them ++ * and provide ACS-like functionality. ++ */ ++static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags) ++{ ++ if (!pci_is_pcie(dev) || ++ ((pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) && ++ (pci_pcie_type(dev) != PCI_EXP_TYPE_DOWNSTREAM))) ++ return -ENOTTY; ++ ++ switch (dev->device) { ++ case 0x0710 ... 0x071e: ++ case 0x0721: ++ case 0x0723 ... 0x0732: ++ return pci_acs_ctrl_enabled(acs_flags, ++ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); ++ } ++ ++ return false; ++} ++ ++/* + * Many Intel PCH Root Ports do provide ACS-like features to disable peer + * transactions and validate bus numbers in requests, but do not provide an + * actual PCIe ACS capability. This is the list of device IDs known to fall +@@ -4771,6 +4794,8 @@ static const struct pci_dev_acs_enabled + { PCI_VENDOR_ID_ZHAOXIN, 0x3038, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_ZHAOXIN, 0x3104, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs }, ++ /* Zhaoxin Root/Downstream Ports */ ++ { PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs }, + { 0 } + }; + diff --git a/queue-5.6/pci-avoid-asmedia-xhci-usb-pme-from-d0-defect.patch b/queue-5.6/pci-avoid-asmedia-xhci-usb-pme-from-d0-defect.patch new file mode 100644 index 00000000000..b3729f69d3c --- /dev/null +++ b/queue-5.6/pci-avoid-asmedia-xhci-usb-pme-from-d0-defect.patch @@ -0,0 +1,50 @@ +From 2880325bda8d53566dcb9725abc929eec871608e Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 20 Dec 2019 03:20:06 +0800 +Subject: PCI: Avoid ASMedia XHCI USB PME# from D0 defect + +From: Kai-Heng Feng + +commit 2880325bda8d53566dcb9725abc929eec871608e upstream. + +The ASMedia USB XHCI Controller claims to support generating PME# while +in D0: + + 01:00.0 USB controller: ASMedia Technology Inc. Device 2142 (prog-if 30 [XHCI]) + Subsystem: SUNIX Co., Ltd. Device 312b + Capabilities: [78] Power Management version 3 + Flags: PMEClk- DSI- D1- D2- AuxCurrent=55mA PME(D0+,D1-,D2-,D3hot-,D3cold-) + Status: D0 NoSoftRst+ PME-Enable+ DSel=0 DScale=0 PME- + +However PME# only gets asserted when plugging USB 2.0 or USB 1.1 devices, +but not for USB 3.0 devices. + +Remove PCI_PM_CAP_PME_D0 to avoid using PME under D0. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205919 +Link: https://lore.kernel.org/r/20191219192006.16270-1-kai.heng.feng@canonical.com +Signed-off-by: Kai-Heng Feng +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5527,3 +5527,14 @@ out_disable: + DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_NVIDIA, 0x13b1, + PCI_CLASS_DISPLAY_VGA, 8, + quirk_reset_lenovo_thinkpad_p50_nvgpu); ++ ++/* ++ * Device [1b21:2142] ++ * When in D0, PME# doesn't get asserted when plugging USB 3.0 device. ++ */ ++static void pci_fixup_no_d0_pme(struct pci_dev *dev) ++{ ++ pci_info(dev, "PME# does not work under D0, disabling it\n"); ++ dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ASMEDIA, 0x2142, pci_fixup_no_d0_pme); diff --git a/queue-5.6/pci-move-apex-edge-tpu-class-quirk-to-fix-bar-assignment.patch b/queue-5.6/pci-move-apex-edge-tpu-class-quirk-to-fix-bar-assignment.patch new file mode 100644 index 00000000000..0c4202de7e7 --- /dev/null +++ b/queue-5.6/pci-move-apex-edge-tpu-class-quirk-to-fix-bar-assignment.patch @@ -0,0 +1,75 @@ +From 0a8f41023e8a3c100b3dc458ed2da651bf961ead Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 9 Apr 2020 12:43:45 -0500 +Subject: PCI: Move Apex Edge TPU class quirk to fix BAR assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjorn Helgaas + +commit 0a8f41023e8a3c100b3dc458ed2da651bf961ead upstream. + +Some Google Apex Edge TPU devices have a class code of 0 +(PCI_CLASS_NOT_DEFINED). This prevents the PCI core from assigning +resources for the Apex BARs because __dev_sort_resources() ignores +classless devices, host bridges, and IOAPICs. + +On x86, firmware typically assigns those resources, so this was not a +problem. But on some architectures, firmware does *not* assign BARs, and +since the PCI core didn't do it either, the Apex device didn't work +correctly: + + apex 0000:01:00.0: can't enable device: BAR 0 [mem 0x00000000-0x00003fff 64bit pref] not claimed + apex 0000:01:00.0: error enabling PCI device + +f390d08d8b87 ("staging: gasket: apex: fixup undefined PCI class") added a +quirk to fix the class code, but it was in the apex driver, and if the +driver was built as a module, it was too late to help. + +Move the quirk to the PCI core, where it will always run early enough that +the PCI core will assign resources if necessary. + +Link: https://lore.kernel.org/r/CAEzXK1r0Er039iERnc2KJ4jn7ySNUOG9H=Ha8TD8XroVqiZjgg@mail.gmail.com +Fixes: f390d08d8b87 ("staging: gasket: apex: fixup undefined PCI class") +Reported-by: Luís Mendes +Debugged-by: Luís Mendes +Tested-by: Luis Mendes +Signed-off-by: Bjorn Helgaas +Cc: Todd Poynor +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 7 +++++++ + drivers/staging/gasket/apex_driver.c | 7 ------- + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5567,3 +5567,10 @@ static void pci_fixup_no_d0_pme(struct p + dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT); + } + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ASMEDIA, 0x2142, pci_fixup_no_d0_pme); ++ ++static void apex_pci_fixup_class(struct pci_dev *pdev) ++{ ++ pdev->class = (PCI_CLASS_SYSTEM_OTHER << 8) | pdev->class; ++} ++DECLARE_PCI_FIXUP_CLASS_HEADER(0x1ac1, 0x089a, ++ PCI_CLASS_NOT_DEFINED, 8, apex_pci_fixup_class); +--- a/drivers/staging/gasket/apex_driver.c ++++ b/drivers/staging/gasket/apex_driver.c +@@ -570,13 +570,6 @@ static const struct pci_device_id apex_p + { PCI_DEVICE(APEX_PCI_VENDOR_ID, APEX_PCI_DEVICE_ID) }, { 0 } + }; + +-static void apex_pci_fixup_class(struct pci_dev *pdev) +-{ +- pdev->class = (PCI_CLASS_SYSTEM_OTHER << 8) | pdev->class; +-} +-DECLARE_PCI_FIXUP_CLASS_HEADER(APEX_PCI_VENDOR_ID, APEX_PCI_DEVICE_ID, +- PCI_CLASS_NOT_DEFINED, 8, apex_pci_fixup_class); +- + static int apex_pci_probe(struct pci_dev *pci_dev, + const struct pci_device_id *id) + { diff --git a/queue-5.6/perf-core-fix-parent-pid-tid-in-task-exit-events.patch b/queue-5.6/perf-core-fix-parent-pid-tid-in-task-exit-events.patch new file mode 100644 index 00000000000..984da22a6e9 --- /dev/null +++ b/queue-5.6/perf-core-fix-parent-pid-tid-in-task-exit-events.patch @@ -0,0 +1,59 @@ +From f3bed55e850926614b9898fe982f66d2541a36a5 Mon Sep 17 00:00:00 2001 +From: Ian Rogers +Date: Fri, 17 Apr 2020 11:28:42 -0700 +Subject: perf/core: fix parent pid/tid in task exit events + +From: Ian Rogers + +commit f3bed55e850926614b9898fe982f66d2541a36a5 upstream. + +Current logic yields the child task as the parent. + +Before: +$ perf record bash -c "perf list > /dev/null" +$ perf script -D |grep 'FORK\|EXIT' +4387036190981094 0x5a70 [0x30]: PERF_RECORD_FORK(10472:10472):(10470:10470) +4387036606207580 0xf050 [0x30]: PERF_RECORD_EXIT(10472:10472):(10472:10472) +4387036607103839 0x17150 [0x30]: PERF_RECORD_EXIT(10470:10470):(10470:10470) + ^ + Note the repeated values here -------------------/ + +After: +383281514043 0x9d8 [0x30]: PERF_RECORD_FORK(2268:2268):(2266:2266) +383442003996 0x2180 [0x30]: PERF_RECORD_EXIT(2268:2268):(2266:2266) +383451297778 0xb70 [0x30]: PERF_RECORD_EXIT(2266:2266):(2265:2265) + +Fixes: 94d5d1b2d891 ("perf_counter: Report the cloning task as parent on perf_counter_fork()") +Reported-by: KP Singh +Signed-off-by: Ian Rogers +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200417182842.12522-1-irogers@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7278,10 +7278,17 @@ static void perf_event_task_output(struc + goto out; + + task_event->event_id.pid = perf_event_pid(event, task); +- task_event->event_id.ppid = perf_event_pid(event, current); +- + task_event->event_id.tid = perf_event_tid(event, task); +- task_event->event_id.ptid = perf_event_tid(event, current); ++ ++ if (task_event->event_id.header.type == PERF_RECORD_EXIT) { ++ task_event->event_id.ppid = perf_event_pid(event, ++ task->real_parent); ++ task_event->event_id.ptid = perf_event_pid(event, ++ task->real_parent); ++ } else { /* PERF_RECORD_FORK */ ++ task_event->event_id.ppid = perf_event_pid(event, current); ++ task_event->event_id.ptid = perf_event_tid(event, current); ++ } + + task_event->event_id.time = perf_event_clock(event); + diff --git a/queue-5.6/pm-sleep-core-switch-back-to-async_schedule_dev.patch b/queue-5.6/pm-sleep-core-switch-back-to-async_schedule_dev.patch new file mode 100644 index 00000000000..5b88d7100b8 --- /dev/null +++ b/queue-5.6/pm-sleep-core-switch-back-to-async_schedule_dev.patch @@ -0,0 +1,37 @@ +From 09beebd8f93b3c8bf894e342f0a203a5c612478c Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 21 Apr 2020 16:21:55 +0800 +Subject: PM: sleep: core: Switch back to async_schedule_dev() + +From: Kai-Heng Feng + +commit 09beebd8f93b3c8bf894e342f0a203a5c612478c upstream. + +Commit 8b9ec6b73277 ("PM core: Use new async_schedule_dev command") +introduced a new function for better performance. + +However commit f2a424f6c613 ("PM / core: Introduce dpm_async_fn() +helper") went back to the non-optimized version, async_schedule(). + +So switch back to the sync_schedule_dev() to improve performance + +Fixes: f2a424f6c613 ("PM / core: Introduce dpm_async_fn() helper") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -726,7 +726,7 @@ static bool dpm_async_fn(struct device * + + if (is_async(dev)) { + get_device(dev); +- async_schedule(func, dev); ++ async_schedule_dev(func, dev); + return true; + } + diff --git a/queue-5.6/remoteproc-mtk_scp-use-dma_addr_t-for-dma-api.patch b/queue-5.6/remoteproc-mtk_scp-use-dma_addr_t-for-dma-api.patch new file mode 100644 index 00000000000..76ed9b78727 --- /dev/null +++ b/queue-5.6/remoteproc-mtk_scp-use-dma_addr_t-for-dma-api.patch @@ -0,0 +1,79 @@ +From c2781e4d9bc6d925dfc1ff833dfdaf12b69679de Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 8 Apr 2020 17:54:29 +0200 +Subject: remoteproc: mtk_scp: use dma_addr_t for DMA API + +From: Arnd Bergmann + +commit c2781e4d9bc6d925dfc1ff833dfdaf12b69679de upstream. + +dma_addr_t and phys_addr_t are distinct types and must not be +mixed, as both the values and the size of the type may be +different depending on what the remote device uses. + +In this driver the compiler warns when the two types are different: + +drivers/remoteproc/mtk_scp.c: In function 'scp_map_memory_region': +drivers/remoteproc/mtk_scp.c:454:9: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types] + 454 | &scp->phys_addr, GFP_KERNEL); + | ^~~~~~~~~~~~~~~ + | | + | phys_addr_t * {aka unsigned int *} +In file included from drivers/remoteproc/mtk_scp.c:7: +include/linux/dma-mapping.h:642:15: note: expected 'dma_addr_t *' {aka 'long long unsigned int *'} but argument is of type 'phys_addr_t *' {aka 'unsigned int *'} + 642 | dma_addr_t *dma_handle, gfp_t gfp) + +Change the phys_addr member to be typed and named according +to how it is allocated. + +Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200408155450.2186471-1-arnd@arndb.de +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/mtk_common.h | 2 +- + drivers/remoteproc/mtk_scp.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/remoteproc/mtk_common.h ++++ b/drivers/remoteproc/mtk_common.h +@@ -68,7 +68,7 @@ struct mtk_scp { + wait_queue_head_t ack_wq; + + void __iomem *cpu_addr; +- phys_addr_t phys_addr; ++ dma_addr_t dma_addr; + size_t dram_size; + + struct rproc_subdev *rpmsg_subdev; +--- a/drivers/remoteproc/mtk_scp.c ++++ b/drivers/remoteproc/mtk_scp.c +@@ -330,7 +330,7 @@ static void *scp_da_to_va(struct rproc * + if (offset >= 0 && (offset + len) < scp->sram_size) + return (void __force *)scp->sram_base + offset; + } else { +- offset = da - scp->phys_addr; ++ offset = da - scp->dma_addr; + if (offset >= 0 && (offset + len) < scp->dram_size) + return (void __force *)scp->cpu_addr + offset; + } +@@ -451,7 +451,7 @@ static int scp_map_memory_region(struct + /* Reserved SCP code size */ + scp->dram_size = MAX_CODE_SIZE; + scp->cpu_addr = dma_alloc_coherent(scp->dev, scp->dram_size, +- &scp->phys_addr, GFP_KERNEL); ++ &scp->dma_addr, GFP_KERNEL); + if (!scp->cpu_addr) + return -ENOMEM; + +@@ -461,7 +461,7 @@ static int scp_map_memory_region(struct + static void scp_unmap_memory_region(struct mtk_scp *scp) + { + dma_free_coherent(scp->dev, scp->dram_size, scp->cpu_addr, +- scp->phys_addr); ++ scp->dma_addr); + of_reserved_mem_device_release(scp->dev); + } + diff --git a/queue-5.6/s390-pci-do-not-set-affinity-for-floating-irqs.patch b/queue-5.6/s390-pci-do-not-set-affinity-for-floating-irqs.patch new file mode 100644 index 00000000000..98b30102f50 --- /dev/null +++ b/queue-5.6/s390-pci-do-not-set-affinity-for-floating-irqs.patch @@ -0,0 +1,54 @@ +From 86dbf32da150339ca81509fa2eb84c814b55258b Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Thu, 16 Apr 2020 13:44:30 +0200 +Subject: s390/pci: do not set affinity for floating irqs + +From: Niklas Schnelle + +commit 86dbf32da150339ca81509fa2eb84c814b55258b upstream. + +with the introduction of CPU directed interrupts the kernel +parameter pci=force_floating was introduced to fall back +to the previous behavior using floating irqs. + +However we were still setting the affinity in that case, +both in __irq_alloc_descs() and via the irq_set_affinity +callback in struct irq_chip. + +For the former only set the affinity in the directed case. + +The latter is explicitly set in zpci_directed_irq_init() +so we can just leave it unset for the floating case. + +Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts") +Co-developed-by: Alexander Schmidt +Signed-off-by: Alexander Schmidt +Signed-off-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/pci/pci_irq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -115,7 +115,6 @@ static struct irq_chip zpci_irq_chip = { + .name = "PCI-MSI", + .irq_unmask = pci_msi_unmask_irq, + .irq_mask = pci_msi_mask_irq, +- .irq_set_affinity = zpci_set_irq_affinity, + }; + + static void zpci_handle_cpu_local_irq(bool rescan) +@@ -276,7 +275,9 @@ int arch_setup_msi_irqs(struct pci_dev * + rc = -EIO; + if (hwirq - bit >= msi_vecs) + break; +- irq = __irq_alloc_descs(-1, 0, 1, 0, THIS_MODULE, msi->affinity); ++ irq = __irq_alloc_descs(-1, 0, 1, 0, THIS_MODULE, ++ (irq_delivery == DIRECTED) ? ++ msi->affinity : NULL); + if (irq < 0) + return -ENOMEM; + rc = irq_set_msi_desc(irq, msi); diff --git a/queue-5.6/sched-core-fix-reset-on-fork-from-rt-with-uclamp.patch b/queue-5.6/sched-core-fix-reset-on-fork-from-rt-with-uclamp.patch new file mode 100644 index 00000000000..a8e8dc07df9 --- /dev/null +++ b/queue-5.6/sched-core-fix-reset-on-fork-from-rt-with-uclamp.patch @@ -0,0 +1,51 @@ +From eaf5a92ebde5bca3bb2565616115bd6d579486cd Mon Sep 17 00:00:00 2001 +From: Quentin Perret +Date: Thu, 16 Apr 2020 09:59:56 +0100 +Subject: sched/core: Fix reset-on-fork from RT with uclamp + +From: Quentin Perret + +commit eaf5a92ebde5bca3bb2565616115bd6d579486cd upstream. + +uclamp_fork() resets the uclamp values to their default when the +reset-on-fork flag is set. It also checks whether the task has a RT +policy, and sets its uclamp.min to 1024 accordingly. However, during +reset-on-fork, the task's policy is lowered to SCHED_NORMAL right after, +hence leading to an erroneous uclamp.min setting for the new task if it +was forked from RT. + +Fix this by removing the unnecessary check on rt_task() in +uclamp_fork() as this doesn't make sense if the reset-on-fork flag is +set. + +Fixes: 1a00d999971c ("sched/uclamp: Set default clamps for RT tasks") +Reported-by: Chitti Babu Theegala +Signed-off-by: Quentin Perret +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Patrick Bellasi +Reviewed-by: Dietmar Eggemann +Link: https://lkml.kernel.org/r/20200416085956.217587-1-qperret@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1239,13 +1239,8 @@ static void uclamp_fork(struct task_stru + return; + + for_each_clamp_id(clamp_id) { +- unsigned int clamp_value = uclamp_none(clamp_id); +- +- /* By default, RT tasks always get 100% boost */ +- if (unlikely(rt_task(p) && clamp_id == UCLAMP_MIN)) +- clamp_value = uclamp_none(UCLAMP_MAX); +- +- uclamp_se_set(&p->uclamp_req[clamp_id], clamp_value, false); ++ uclamp_se_set(&p->uclamp_req[clamp_id], ++ uclamp_none(clamp_id), false); + } + } + diff --git a/queue-5.6/selftests-bpf-fix-a-couple-of-broken-test_btf-cases.patch b/queue-5.6/selftests-bpf-fix-a-couple-of-broken-test_btf-cases.patch new file mode 100644 index 00000000000..7cb009b58f3 --- /dev/null +++ b/queue-5.6/selftests-bpf-fix-a-couple-of-broken-test_btf-cases.patch @@ -0,0 +1,231 @@ +From e1cebd841b0aa1ceda771706d54a0501986a3c88 Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Tue, 21 Apr 2020 17:37:53 -0700 +Subject: selftests/bpf: Fix a couple of broken test_btf cases + +From: Stanislav Fomichev + +commit e1cebd841b0aa1ceda771706d54a0501986a3c88 upstream. + +Commit 51c39bb1d5d1 ("bpf: Introduce function-by-function verification") +introduced function linkage flag and changed the error message from +"vlen != 0" to "Invalid func linkage" and broke some fake BPF programs. + +Adjust the test accordingly. + +AFACT, the programs don't really need any arguments and only look +at BTF for maps, so let's drop the args altogether. + +Before: +BTF raw test[103] (func (Non zero vlen)): do_test_raw:3703:FAIL expected +err_str:vlen != 0 +magic: 0xeb9f +version: 1 +flags: 0x0 +hdr_len: 24 +type_off: 0 +type_len: 72 +str_off: 72 +str_len: 10 +btf_total_size: 106 +[1] INT (anon) size=4 bits_offset=0 nr_bits=32 encoding=SIGNED +[2] INT (anon) size=4 bits_offset=0 nr_bits=32 encoding=(none) +[3] FUNC_PROTO (anon) return=0 args=(1 a, 2 b) +[4] FUNC func type_id=3 Invalid func linkage + +BTF libbpf test[1] (test_btf_haskv.o): libbpf: load bpf program failed: +Invalid argument +libbpf: -- BEGIN DUMP LOG --- +libbpf: +Validating test_long_fname_2() func#1... +Arg#0 type PTR in test_long_fname_2() is not supported yet. +processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 +peak_states 0 mark_read 0 + +libbpf: -- END LOG -- +libbpf: failed to load program 'dummy_tracepoint' +libbpf: failed to load object 'test_btf_haskv.o' +do_test_file:4201:FAIL bpf_object__load: -4007 +BTF libbpf test[2] (test_btf_newkv.o): libbpf: load bpf program failed: +Invalid argument +libbpf: -- BEGIN DUMP LOG --- +libbpf: +Validating test_long_fname_2() func#1... +Arg#0 type PTR in test_long_fname_2() is not supported yet. +processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 +peak_states 0 mark_read 0 + +libbpf: -- END LOG -- +libbpf: failed to load program 'dummy_tracepoint' +libbpf: failed to load object 'test_btf_newkv.o' +do_test_file:4201:FAIL bpf_object__load: -4007 +BTF libbpf test[3] (test_btf_nokv.o): libbpf: load bpf program failed: +Invalid argument +libbpf: -- BEGIN DUMP LOG --- +libbpf: +Validating test_long_fname_2() func#1... +Arg#0 type PTR in test_long_fname_2() is not supported yet. +processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 +peak_states 0 mark_read 0 + +libbpf: -- END LOG -- +libbpf: failed to load program 'dummy_tracepoint' +libbpf: failed to load object 'test_btf_nokv.o' +do_test_file:4201:FAIL bpf_object__load: -4007 + +Fixes: 51c39bb1d5d1 ("bpf: Introduce function-by-function verification") +Signed-off-by: Stanislav Fomichev +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200422003753.124921-1-sdf@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/bpf/progs/test_btf_haskv.c | 18 +++++------------- + tools/testing/selftests/bpf/progs/test_btf_newkv.c | 18 +++++------------- + tools/testing/selftests/bpf/progs/test_btf_nokv.c | 18 +++++------------- + tools/testing/selftests/bpf/test_btf.c | 2 +- + 4 files changed, 16 insertions(+), 40 deletions(-) + +--- a/tools/testing/selftests/bpf/progs/test_btf_haskv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_haskv.c +@@ -20,20 +20,12 @@ struct bpf_map_def SEC("maps") btf_map = + + BPF_ANNOTATE_KV_PAIR(btf_map, int, struct ipv_counts); + +-struct dummy_tracepoint_args { +- unsigned long long pad; +- struct sock *sock; +-}; +- + __attribute__((noinline)) +-int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(void) + { + struct ipv_counts *counts; + int key = 0; + +- if (!arg->sock) +- return 0; +- + counts = bpf_map_lookup_elem(&btf_map, &key); + if (!counts) + return 0; +@@ -44,15 +36,15 @@ int test_long_fname_2(struct dummy_trace + } + + __attribute__((noinline)) +-int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(void) + { +- return test_long_fname_2(arg); ++ return test_long_fname_2(); + } + + SEC("dummy_tracepoint") +-int _dummy_tracepoint(struct dummy_tracepoint_args *arg) ++int _dummy_tracepoint(void *arg) + { +- return test_long_fname_1(arg); ++ return test_long_fname_1(); + } + + char _license[] SEC("license") = "GPL"; +--- a/tools/testing/selftests/bpf/progs/test_btf_newkv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_newkv.c +@@ -28,20 +28,12 @@ struct { + __type(value, struct ipv_counts); + } btf_map SEC(".maps"); + +-struct dummy_tracepoint_args { +- unsigned long long pad; +- struct sock *sock; +-}; +- + __attribute__((noinline)) +-int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(void) + { + struct ipv_counts *counts; + int key = 0; + +- if (!arg->sock) +- return 0; +- + counts = bpf_map_lookup_elem(&btf_map, &key); + if (!counts) + return 0; +@@ -57,15 +49,15 @@ int test_long_fname_2(struct dummy_trace + } + + __attribute__((noinline)) +-int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(void) + { +- return test_long_fname_2(arg); ++ return test_long_fname_2(); + } + + SEC("dummy_tracepoint") +-int _dummy_tracepoint(struct dummy_tracepoint_args *arg) ++int _dummy_tracepoint(void *arg) + { +- return test_long_fname_1(arg); ++ return test_long_fname_1(); + } + + char _license[] SEC("license") = "GPL"; +--- a/tools/testing/selftests/bpf/progs/test_btf_nokv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_nokv.c +@@ -17,20 +17,12 @@ struct bpf_map_def SEC("maps") btf_map = + .max_entries = 4, + }; + +-struct dummy_tracepoint_args { +- unsigned long long pad; +- struct sock *sock; +-}; +- + __attribute__((noinline)) +-int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(void) + { + struct ipv_counts *counts; + int key = 0; + +- if (!arg->sock) +- return 0; +- + counts = bpf_map_lookup_elem(&btf_map, &key); + if (!counts) + return 0; +@@ -41,15 +33,15 @@ int test_long_fname_2(struct dummy_trace + } + + __attribute__((noinline)) +-int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(void) + { +- return test_long_fname_2(arg); ++ return test_long_fname_2(); + } + + SEC("dummy_tracepoint") +-int _dummy_tracepoint(struct dummy_tracepoint_args *arg) ++int _dummy_tracepoint(void *arg) + { +- return test_long_fname_1(arg); ++ return test_long_fname_1(); + } + + char _license[] SEC("license") = "GPL"; +--- a/tools/testing/selftests/bpf/test_btf.c ++++ b/tools/testing/selftests/bpf/test_btf.c +@@ -2854,7 +2854,7 @@ static struct btf_raw_test raw_tests[] = + .value_type_id = 1, + .max_entries = 4, + .btf_load_err = true, +- .err_str = "vlen != 0", ++ .err_str = "Invalid func linkage", + }, + + { diff --git a/queue-5.6/series b/queue-5.6/series index 440c9d6784c..ecdc0a5102c 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -36,3 +36,29 @@ efi-x86-don-t-remap-text-rodata-gap-read-only-for-mixed-mode.patch net-cxgb4-check-the-return-from-t4_query_params-properly.patch tipc-fix-incorrect-increasing-of-link-window.patch xfs-acquire-superblock-freeze-protection-on-eofblocks-scans.patch +svcrdma-fix-trace-point-use-after-free-race.patch +svcrdma-fix-leak-of-svc_rdma_recv_ctxt-objects.patch +net-mlx5e-don-t-trigger-irq-multiple-times-on-xsk-wakeup-to-avoid-wq-overruns.patch +net-mlx5e-get-the-latest-values-from-counters-in-switchdev-mode.patch +pci-avoid-asmedia-xhci-usb-pme-from-d0-defect.patch +pci-add-acs-quirk-for-zhaoxin-multi-function-devices.patch +pci-add-acs-quirk-for-zhaoxin-root-downstream-ports.patch +pci-move-apex-edge-tpu-class-quirk-to-fix-bar-assignment.patch +arm-dts-bcm283x-disable-dsi0-node.patch +cpumap-avoid-warning-when-config_debug_per_cpu_maps-is-enabled.patch +s390-pci-do-not-set-affinity-for-floating-irqs.patch +remoteproc-mtk_scp-use-dma_addr_t-for-dma-api.patch +net-mlx5-fix-failing-fw-tracer-allocation-on-s390.patch +sched-core-fix-reset-on-fork-from-rt-with-uclamp.patch +perf-core-fix-parent-pid-tid-in-task-exit-events.patch +netfilter-nat-fix-error-handling-upon-registering-inet-hook.patch +pm-sleep-core-switch-back-to-async_schedule_dev.patch +blk-iocost-fix-error-on-iocost_ioc_vrate_adj.patch +um-ensure-make-arch-um-mrproper-removes-arch-subarch-include-generated.patch +bpf-fix-handling-of-xadd-on-btf-memory.patch +bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bpf_stx-bpf_b.patch +bpf-x86_32-fix-incorrect-encoding-in-bpf_ldx-zero-extension.patch +bpf-x86_32-fix-clobbering-of-dst-for-bpf_jset.patch +bpf-x86_32-fix-logic-error-in-bpf_ldx-zero-extension.patch +bpf-propagate-expected_attach_type-when-verifying-freplace-programs.patch +selftests-bpf-fix-a-couple-of-broken-test_btf-cases.patch diff --git a/queue-5.6/svcrdma-fix-leak-of-svc_rdma_recv_ctxt-objects.patch b/queue-5.6/svcrdma-fix-leak-of-svc_rdma_recv_ctxt-objects.patch new file mode 100644 index 00000000000..f6207f1a011 --- /dev/null +++ b/queue-5.6/svcrdma-fix-leak-of-svc_rdma_recv_ctxt-objects.patch @@ -0,0 +1,169 @@ +From 23cf1ee1f1869966b75518c59b5cbda4c6c92450 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 31 Mar 2020 17:02:33 -0400 +Subject: svcrdma: Fix leak of svc_rdma_recv_ctxt objects + +From: Chuck Lever + +commit 23cf1ee1f1869966b75518c59b5cbda4c6c92450 upstream. + +Utilize the xpo_release_rqst transport method to ensure that each +rqstp's svc_rdma_recv_ctxt object is released even when the server +cannot return a Reply for that rqstp. + +Without this fix, each RPC whose Reply cannot be sent leaks one +svc_rdma_recv_ctxt. This is a 2.5KB structure, a 4KB DMA-mapped +Receive buffer, and any pages that might be part of the Reply +message. + +The leak is infrequent unless the network fabric is unreliable or +Kerberos is in use, as GSS sequence window overruns, which result +in connection loss, are more common on fast transports. + +Fixes: 3a88092ee319 ("svcrdma: Preserve Receive buffer until svc_rdma_sendto") +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sunrpc/svc_rdma.h | 1 + + net/sunrpc/svc_xprt.c | 3 --- + net/sunrpc/svcsock.c | 4 ++++ + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 22 ++++++++++++++++++++++ + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 13 +++---------- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 5 ----- + 6 files changed, 30 insertions(+), 18 deletions(-) + +--- a/include/linux/sunrpc/svc_rdma.h ++++ b/include/linux/sunrpc/svc_rdma.h +@@ -162,6 +162,7 @@ extern bool svc_rdma_post_recvs(struct s + extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + struct svc_rdma_recv_ctxt *ctxt); + extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma); ++extern void svc_rdma_release_rqst(struct svc_rqst *rqstp); + extern int svc_rdma_recvfrom(struct svc_rqst *); + + /* svc_rdma_rw.c */ +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -897,9 +897,6 @@ int svc_send(struct svc_rqst *rqstp) + if (!xprt) + goto out; + +- /* release the receive skb before sending the reply */ +- xprt->xpt_ops->xpo_release_rqst(rqstp); +- + /* calculate over-all length */ + xb = &rqstp->rq_res; + xb->len = xb->head[0].iov_len + +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -605,6 +605,8 @@ svc_udp_sendto(struct svc_rqst *rqstp) + { + int error; + ++ svc_release_udp_skb(rqstp); ++ + error = svc_sendto(rqstp, &rqstp->rq_res); + if (error == -ECONNREFUSED) + /* ICMP error on earlier request. */ +@@ -1137,6 +1139,8 @@ static int svc_tcp_sendto(struct svc_rqs + int sent; + __be32 reclen; + ++ svc_release_skb(rqstp); ++ + /* Set up the first element of the reply kvec. + * Any other kvecs that may be in use have been taken + * care of by the server implementation itself. +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -222,6 +222,26 @@ void svc_rdma_recv_ctxt_put(struct svcxp + svc_rdma_recv_ctxt_destroy(rdma, ctxt); + } + ++/** ++ * svc_rdma_release_rqst - Release transport-specific per-rqst resources ++ * @rqstp: svc_rqst being released ++ * ++ * Ensure that the recv_ctxt is released whether or not a Reply ++ * was sent. For example, the client could close the connection, ++ * or svc_process could drop an RPC, before the Reply is sent. ++ */ ++void svc_rdma_release_rqst(struct svc_rqst *rqstp) ++{ ++ struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt; ++ struct svc_xprt *xprt = rqstp->rq_xprt; ++ struct svcxprt_rdma *rdma = ++ container_of(xprt, struct svcxprt_rdma, sc_xprt); ++ ++ rqstp->rq_xprt_ctxt = NULL; ++ if (ctxt) ++ svc_rdma_recv_ctxt_put(rdma, ctxt); ++} ++ + static int __svc_rdma_post_recv(struct svcxprt_rdma *rdma, + struct svc_rdma_recv_ctxt *ctxt) + { +@@ -756,6 +776,8 @@ int svc_rdma_recvfrom(struct svc_rqst *r + __be32 *p; + int ret; + ++ rqstp->rq_xprt_ctxt = NULL; ++ + spin_lock(&rdma_xprt->sc_rq_dto_lock); + ctxt = svc_rdma_next_recv_ctxt(&rdma_xprt->sc_read_complete_q); + if (ctxt) { +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -877,12 +877,7 @@ int svc_rdma_sendto(struct svc_rqst *rqs + wr_lst, rp_ch); + if (ret < 0) + goto err1; +- ret = 0; +- +-out: +- rqstp->rq_xprt_ctxt = NULL; +- svc_rdma_recv_ctxt_put(rdma, rctxt); +- return ret; ++ return 0; + + err2: + if (ret != -E2BIG && ret != -EINVAL) +@@ -891,14 +886,12 @@ out: + ret = svc_rdma_send_error_msg(rdma, sctxt, rqstp); + if (ret < 0) + goto err1; +- ret = 0; +- goto out; ++ return 0; + + err1: + svc_rdma_send_ctxt_put(rdma, sctxt); + err0: + trace_svcrdma_send_failed(rqstp, ret); + set_bit(XPT_CLOSE, &xprt->xpt_flags); +- ret = -ENOTCONN; +- goto out; ++ return -ENOTCONN; + } +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -71,7 +71,6 @@ static struct svc_xprt *svc_rdma_create( + struct sockaddr *sa, int salen, + int flags); + static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt); +-static void svc_rdma_release_rqst(struct svc_rqst *); + static void svc_rdma_detach(struct svc_xprt *xprt); + static void svc_rdma_free(struct svc_xprt *xprt); + static int svc_rdma_has_wspace(struct svc_xprt *xprt); +@@ -558,10 +557,6 @@ static struct svc_xprt *svc_rdma_accept( + return NULL; + } + +-static void svc_rdma_release_rqst(struct svc_rqst *rqstp) +-{ +-} +- + /* + * When connected, an svc_xprt has at least two references: + * diff --git a/queue-5.6/svcrdma-fix-trace-point-use-after-free-race.patch b/queue-5.6/svcrdma-fix-trace-point-use-after-free-race.patch new file mode 100644 index 00000000000..3e8fca5b817 --- /dev/null +++ b/queue-5.6/svcrdma-fix-trace-point-use-after-free-race.patch @@ -0,0 +1,214 @@ +From e28b4fc652c1830796a4d3e09565f30c20f9a2cf Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Mon, 30 Mar 2020 14:27:37 -0400 +Subject: svcrdma: Fix trace point use-after-free race + +From: Chuck Lever + +commit e28b4fc652c1830796a4d3e09565f30c20f9a2cf upstream. + +I hit this while testing nfsd-5.7 with kernel memory debugging +enabled on my server: + +Mar 30 13:21:45 klimt kernel: BUG: unable to handle page fault for address: ffff8887e6c279a8 +Mar 30 13:21:45 klimt kernel: #PF: supervisor read access in kernel mode +Mar 30 13:21:45 klimt kernel: #PF: error_code(0x0000) - not-present page +Mar 30 13:21:45 klimt kernel: PGD 3601067 P4D 3601067 PUD 87c519067 PMD 87c3e2067 PTE 800ffff8193d8060 +Mar 30 13:21:45 klimt kernel: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI +Mar 30 13:21:45 klimt kernel: CPU: 2 PID: 1933 Comm: nfsd Not tainted 5.6.0-rc6-00040-g881e87a3c6f9 #1591 +Mar 30 13:21:45 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 +Mar 30 13:21:45 klimt kernel: RIP: 0010:svc_rdma_post_chunk_ctxt+0xab/0x284 [rpcrdma] +Mar 30 13:21:45 klimt kernel: Code: c1 83 34 02 00 00 29 d0 85 c0 7e 72 48 8b bb a0 02 00 00 48 8d 54 24 08 4c 89 e6 48 8b 07 48 8b 40 20 e8 5a 5c 2b e1 41 89 c6 <8b> 45 20 89 44 24 04 8b 05 02 e9 01 00 85 c0 7e 33 e9 5e 01 00 00 +Mar 30 13:21:45 klimt kernel: RSP: 0018:ffffc90000dfbdd8 EFLAGS: 00010286 +Mar 30 13:21:45 klimt kernel: RAX: 0000000000000000 RBX: ffff8887db8db400 RCX: 0000000000000030 +Mar 30 13:21:45 klimt kernel: RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000246 +Mar 30 13:21:45 klimt kernel: RBP: ffff8887e6c27988 R08: 0000000000000000 R09: 0000000000000004 +Mar 30 13:21:45 klimt kernel: R10: ffffc90000dfbdd8 R11: 00c068ef00000000 R12: ffff8887eb4e4a80 +Mar 30 13:21:45 klimt kernel: R13: ffff8887db8db634 R14: 0000000000000000 R15: ffff8887fc931000 +Mar 30 13:21:45 klimt kernel: FS: 0000000000000000(0000) GS:ffff88885bd00000(0000) knlGS:0000000000000000 +Mar 30 13:21:45 klimt kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 CR3: 000000081b72e002 CR4: 00000000001606e0 +Mar 30 13:21:45 klimt kernel: Call Trace: +Mar 30 13:21:45 klimt kernel: ? svc_rdma_vec_to_sg+0x7f/0x7f [rpcrdma] +Mar 30 13:21:45 klimt kernel: svc_rdma_send_write_chunk+0x59/0xce [rpcrdma] +Mar 30 13:21:45 klimt kernel: svc_rdma_sendto+0xf9/0x3ae [rpcrdma] +Mar 30 13:21:45 klimt kernel: ? nfsd_destroy+0x51/0x51 [nfsd] +Mar 30 13:21:45 klimt kernel: svc_send+0x105/0x1e3 [sunrpc] +Mar 30 13:21:45 klimt kernel: nfsd+0xf2/0x149 [nfsd] +Mar 30 13:21:45 klimt kernel: kthread+0xf6/0xfb +Mar 30 13:21:45 klimt kernel: ? kthread_queue_delayed_work+0x74/0x74 +Mar 30 13:21:45 klimt kernel: ret_from_fork+0x3a/0x50 +Mar 30 13:21:45 klimt kernel: Modules linked in: ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue ib_umad ib_ipoib mlx4_ib sb_edac x86_pkg_temp_thermal iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rpcrdma i2c_i801 rdma_ucm lpc_ich mfd_core ib_iser rdma_cm iw_cm ib_cm mei_me raid0 libiscsi mei sg scsi_transport_iscsi ioatdma wmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter nfsd nfs_acl lockd auth_rpcgss grace sunrpc ip_tables xfs libcrc32c mlx4_en sd_mod sr_mod cdrom mlx4_core crc32c_intel igb nvme i2c_algo_bit ahci i2c_core libahci nvme_core dca libata t10_pi qedr dm_mirror dm_region_hash dm_log dm_mod dax qede qed crc8 ib_uverbs ib_core +Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 +Mar 30 13:21:45 klimt kernel: ---[ end trace 87971d2ad3429424 ]--- + +It's absolutely not safe to use resources pointed to by the @send_wr +argument of ib_post_send() _after_ that function returns. Those +resources are typically freed by the Send completion handler, which +can run before ib_post_send() returns. + +Thus the trace points currently around ib_post_send() in the +server's RPC/RDMA transport are a hazard, even when they are +disabled. Rearrange them so that they touch the Work Request only +_before_ ib_post_send() is invoked. + +Fixes: bd2abef33394 ("svcrdma: Trace key RDMA API events") +Fixes: 4201c7464753 ("svcrdma: Introduce svc_rdma_send_ctxt") +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/rpcrdma.h | 50 ++++++++++++++++++++++++---------- + net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 -- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 16 ++++++---- + 3 files changed, 46 insertions(+), 23 deletions(-) + +--- a/include/trace/events/rpcrdma.h ++++ b/include/trace/events/rpcrdma.h +@@ -1699,17 +1699,15 @@ DECLARE_EVENT_CLASS(svcrdma_sendcomp_eve + + TRACE_EVENT(svcrdma_post_send, + TP_PROTO( +- const struct ib_send_wr *wr, +- int status ++ const struct ib_send_wr *wr + ), + +- TP_ARGS(wr, status), ++ TP_ARGS(wr), + + TP_STRUCT__entry( + __field(const void *, cqe) + __field(unsigned int, num_sge) + __field(u32, inv_rkey) +- __field(int, status) + ), + + TP_fast_assign( +@@ -1717,12 +1715,11 @@ TRACE_EVENT(svcrdma_post_send, + __entry->num_sge = wr->num_sge; + __entry->inv_rkey = (wr->opcode == IB_WR_SEND_WITH_INV) ? + wr->ex.invalidate_rkey : 0; +- __entry->status = status; + ), + +- TP_printk("cqe=%p num_sge=%u inv_rkey=0x%08x status=%d", ++ TP_printk("cqe=%p num_sge=%u inv_rkey=0x%08x", + __entry->cqe, __entry->num_sge, +- __entry->inv_rkey, __entry->status ++ __entry->inv_rkey + ) + ); + +@@ -1787,26 +1784,23 @@ TRACE_EVENT(svcrdma_wc_receive, + TRACE_EVENT(svcrdma_post_rw, + TP_PROTO( + const void *cqe, +- int sqecount, +- int status ++ int sqecount + ), + +- TP_ARGS(cqe, sqecount, status), ++ TP_ARGS(cqe, sqecount), + + TP_STRUCT__entry( + __field(const void *, cqe) + __field(int, sqecount) +- __field(int, status) + ), + + TP_fast_assign( + __entry->cqe = cqe; + __entry->sqecount = sqecount; +- __entry->status = status; + ), + +- TP_printk("cqe=%p sqecount=%d status=%d", +- __entry->cqe, __entry->sqecount, __entry->status ++ TP_printk("cqe=%p sqecount=%d", ++ __entry->cqe, __entry->sqecount + ) + ); + +@@ -1902,6 +1896,34 @@ DECLARE_EVENT_CLASS(svcrdma_sendqueue_ev + DEFINE_SQ_EVENT(full); + DEFINE_SQ_EVENT(retry); + ++TRACE_EVENT(svcrdma_sq_post_err, ++ TP_PROTO( ++ const struct svcxprt_rdma *rdma, ++ int status ++ ), ++ ++ TP_ARGS(rdma, status), ++ ++ TP_STRUCT__entry( ++ __field(int, avail) ++ __field(int, depth) ++ __field(int, status) ++ __string(addr, rdma->sc_xprt.xpt_remotebuf) ++ ), ++ ++ TP_fast_assign( ++ __entry->avail = atomic_read(&rdma->sc_sq_avail); ++ __entry->depth = rdma->sc_sq_depth; ++ __entry->status = status; ++ __assign_str(addr, rdma->sc_xprt.xpt_remotebuf); ++ ), ++ ++ TP_printk("addr=%s sc_sq_avail=%d/%d status=%d", ++ __get_str(addr), __entry->avail, __entry->depth, ++ __entry->status ++ ) ++); ++ + #endif /* _TRACE_RPCRDMA_H */ + + #include +--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c +@@ -323,8 +323,6 @@ static int svc_rdma_post_chunk_ctxt(stru + if (atomic_sub_return(cc->cc_sqecount, + &rdma->sc_sq_avail) > 0) { + ret = ib_post_send(rdma->sc_qp, first_wr, &bad_wr); +- trace_svcrdma_post_rw(&cc->cc_cqe, +- cc->cc_sqecount, ret); + if (ret) + break; + return 0; +@@ -337,6 +335,7 @@ static int svc_rdma_post_chunk_ctxt(stru + trace_svcrdma_sq_retry(rdma); + } while (1); + ++ trace_svcrdma_sq_post_err(rdma, ret); + set_bit(XPT_CLOSE, &xprt->xpt_flags); + + /* If even one was posted, there will be a completion. */ +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -310,15 +310,17 @@ int svc_rdma_send(struct svcxprt_rdma *r + } + + svc_xprt_get(&rdma->sc_xprt); ++ trace_svcrdma_post_send(wr); + ret = ib_post_send(rdma->sc_qp, wr, NULL); +- trace_svcrdma_post_send(wr, ret); +- if (ret) { +- set_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags); +- svc_xprt_put(&rdma->sc_xprt); +- wake_up(&rdma->sc_send_wait); +- } +- break; ++ if (ret) ++ break; ++ return 0; + } ++ ++ trace_svcrdma_sq_post_err(rdma, ret); ++ set_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags); ++ svc_xprt_put(&rdma->sc_xprt); ++ wake_up(&rdma->sc_send_wait); + return ret; + } + diff --git a/queue-5.6/um-ensure-make-arch-um-mrproper-removes-arch-subarch-include-generated.patch b/queue-5.6/um-ensure-make-arch-um-mrproper-removes-arch-subarch-include-generated.patch new file mode 100644 index 00000000000..2ab5c672308 --- /dev/null +++ b/queue-5.6/um-ensure-make-arch-um-mrproper-removes-arch-subarch-include-generated.patch @@ -0,0 +1,58 @@ +From 63ec90f18204f2fe072df108de8a021b28b1b173 Mon Sep 17 00:00:00 2001 +From: Vitor Massaru Iha +Date: Tue, 21 Apr 2020 21:48:44 -0300 +Subject: um: ensure `make ARCH=um mrproper` removes arch/$(SUBARCH)/include/generated/ + +From: Vitor Massaru Iha + +commit 63ec90f18204f2fe072df108de8a021b28b1b173 upstream. + +In this workflow: + +$ make ARCH=um defconfig && make ARCH=um -j8 + [snip] +$ make ARCH=um mrproper + [snip] +$ make ARCH=um defconfig O=./build_um && make ARCH=um -j8 O=./build_um + [snip] + CC scripts/mod/empty.o +In file included from ../include/linux/types.h:6, + from ../include/linux/mod_devicetable.h:12, + from ../scripts/mod/devicetable-offsets.c:3: +../include/uapi/linux/types.h:5:10: fatal error: asm/types.h: No such file or directory + 5 | #include + | ^~~~~~~~~~~~~ +compilation terminated. +make[2]: *** [../scripts/Makefile.build:100: scripts/mod/devicetable-offsets.s] Error 1 +make[2]: *** Waiting for unfinished jobs.... +make[1]: *** [/home/iha/sdb/opensource/lkmp/linux-kselftest.git/Makefile:1140: prepare0] Error 2 +make[1]: Leaving directory '/home/iha/sdb/opensource/lkmp/linux-kselftest.git/build_um' +make: *** [Makefile:180: sub-make] Error 2 + +The cause of the error was because arch/$(SUBARCH)/include/generated files +weren't properly cleaned by `make ARCH=um mrproper`. + +Fixes: a788b2ed81ab ("kbuild: check arch/$(SRCARCH)/include/generated before out-of-tree build") +Reported-by: Theodore Ts'o +Suggested-by: Masahiro Yamada +Signed-off-by: Vitor Massaru Iha +Reviewed-by: Brendan Higgins +Tested-by: Brendan Higgins +Link: https://groups.google.com/forum/#!msg/kunit-dev/QmA27YEgEgI/hvS1kiz2CwAJ +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -140,6 +140,7 @@ export CFLAGS_vmlinux := $(LINK-y) $(LIN + # When cleaning we don't include .config, so we don't include + # TT or skas makefiles and don't clean skas_ptregs.h. + CLEAN_FILES += linux x.i gmon.out ++MRPROPER_DIRS += arch/$(SUBARCH)/include/generated + + archclean: + @find . \( -name '*.bb' -o -name '*.bbg' -o -name '*.da' \