From: Sasha Levin Date: Sun, 17 May 2020 03:55:01 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.224~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d6111c7a83e70eab10c04c8209706aaf27a0627;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch b/queue-4.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch new file mode 100644 index 00000000000..ed35f578f57 --- /dev/null +++ b/queue-4.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch @@ -0,0 +1,41 @@ +From 0b578053895a1092e6c9833e5b3624970f776621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Apr 2020 18:49:09 +0200 +Subject: dmaengine: mmp_tdma: Reset channel error on release + +From: Lubomir Rintel + +[ Upstream commit 0c89446379218698189a47871336cb30286a7197 ] + +When a channel configuration fails, the status of the channel is set to +DEV_ERROR so that an attempt to submit it fails. However, this status +sticks until the heat end of the universe, making it impossible to +recover from the error. + +Let's reset it when the channel is released so that further use of the +channel with correct configuration is not impacted. + +Signed-off-by: Lubomir Rintel +Link: https://lore.kernel.org/r/20200419164912.670973-5-lkundrak@v3.sk +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_tdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c +index 3df0422607d59..ac9aede1bfbec 100644 +--- a/drivers/dma/mmp_tdma.c ++++ b/drivers/dma/mmp_tdma.c +@@ -364,6 +364,8 @@ static void mmp_tdma_free_descriptor(struct mmp_tdma_chan *tdmac) + gen_pool_free(gpool, (unsigned long)tdmac->desc_arr, + size); + tdmac->desc_arr = NULL; ++ if (tdmac->status == DMA_ERROR) ++ tdmac->status = DMA_COMPLETE; + + return; + } +-- +2.20.1 + 
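Review bot: In drivers/dma/mmp_tdma.c, mmp_tdma_free_descriptor(), the status reset sits in a descriptor-free helper, so any caller of that helper clears DMA_ERROR, not only the channel-release path the changelog describes. If release is the only intended trigger, move the two added lines into the release callback, or add a comment here saying that freeing the descriptors is what ends the error state. The changelog also calls the state DEV_ERROR while the code tests `tdmac->status == DMA_ERROR`; aligning the name would make the message match the code it describes.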
diff --git a/queue-4.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch b/queue-4.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch new file mode 100644 index 00000000000..94ca927cb1c --- /dev/null +++ b/queue-4.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch @@ -0,0 +1,47 @@ +From a7b24465ede2bc6c1958654591091d71dbb56260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 11:53:35 +0530 +Subject: dmaengine: pch_dma.c: Avoid data race between probe and irq handler + +From: Madhuparna Bhowmik + +[ Upstream commit 2e45676a4d33af47259fa186ea039122ce263ba9 ] + +pd->dma.dev is read in irq handler pd_irq(). +However, it is set to pdev->dev after request_irq(). +Therefore, set pd->dma.dev to pdev->dev before request_irq() to +avoid data race between pch_dma_probe() and pd_irq(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200416062335.29223-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pch_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/pch_dma.c b/drivers/dma/pch_dma.c +index 113605f6fe208..32517003e118e 100644 +--- a/drivers/dma/pch_dma.c ++++ b/drivers/dma/pch_dma.c +@@ -877,6 +877,7 @@ static int pch_dma_probe(struct pci_dev *pdev, + } + + pci_set_master(pdev); ++ pd->dma.dev = &pdev->dev; + + err = request_irq(pdev->irq, pd_irq, IRQF_SHARED, DRV_NAME, pd); + if (err) { +@@ -892,7 +893,6 @@ static int pch_dma_probe(struct pci_dev *pdev, + goto err_free_irq; + } + +- pd->dma.dev = &pdev->dev; + + INIT_LIST_HEAD(&pd->dma.channels); + +-- +2.20.1 + diff --git a/queue-4.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch b/queue-4.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch new file mode 100644 index 00000000000..bff341cac20 --- /dev/null 
+++ b/queue-4.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch @@ -0,0 +1,36 @@ +From e77221641a0cfcb4b40f84251139ab44115fed81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 12:34:36 +0300 +Subject: drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() + +From: Vasily Averin + +[ Upstream commit 5b5703dbafae74adfbe298a56a81694172caf5e6 ] + +v2: removed TODO reminder + +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/a4e0ae09-a73c-1c62-04ef-3f990d41bea9@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c +index 7fbcc35e8ad35..c89c10055641e 100644 +--- a/drivers/gpu/drm/qxl/qxl_image.c ++++ b/drivers/gpu/drm/qxl/qxl_image.c +@@ -210,7 +210,8 @@ qxl_image_init_helper(struct qxl_device *qdev, + break; + default: + DRM_ERROR("unsupported image bit depth\n"); +- return -EINVAL; /* TODO: cleanup */ ++ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr); ++ return -EINVAL; + } + image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN; + image->u.bitmap.x = width; +-- +2.20.1 + diff --git a/queue-4.4/gre-do-not-keep-the-gre-header-around-in-collect-med.patch b/queue-4.4/gre-do-not-keep-the-gre-header-around-in-collect-med.patch new file mode 100644 index 00000000000..db7450df0f6 --- /dev/null +++ b/queue-4.4/gre-do-not-keep-the-gre-header-around-in-collect-med.patch 
@@ -0,0 +1,56 @@ +From 01879b723f80f18e27901ace90903d57f78a7a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2016 15:53:57 +0200 +Subject: gre: do not keep the GRE header around in collect medata mode + +From: Jiri Benc + +[ Upstream commit e271c7b4420ddbb9fae82a2b31a5ab3edafcf4fe ] + +For ipgre interface in collect metadata mode, it doesn't make sense for the +interface to be of ARPHRD_IPGRE type. The outer header of received packets +is not needed, as all the information from it is present in metadata_dst. We +already don't set ipgre_header_ops for collect metadata interfaces, which is +the only consumer of mac_header pointing to the outer IP header. + +Just set the interface type to ARPHRD_NONE in collect metadata mode for +ipgre (not gretap, that still correctly stays ARPHRD_ETHER) and reset +mac_header. + +Fixes: a64b04d86d14 ("gre: do not assign header_ops in collect metadata mode") +Fixes: 2e15ea390e6f4 ("ip_gre: Add support to collect tunnel metadata.") +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index e5448570d6483..900ee28bda99a 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -399,7 +399,10 @@ static int ipgre_rcv(struct sk_buff *skb, const struct tnl_ptk_info *tpi) + iph->saddr, iph->daddr, tpi->key); + + if (tunnel) { +- skb_pop_mac_header(skb); ++ if (tunnel->dev->type != ARPHRD_NONE) ++ skb_pop_mac_header(skb); ++ else ++ skb_reset_mac_header(skb); + if (tunnel->collect_md) { + __be16 flags; + __be64 tun_id; +@@ -1015,6 +1018,8 @@ static void ipgre_netlink_parms(struct net_device *dev, + struct ip_tunnel *t = netdev_priv(dev); + + t->collect_md = true; ++ if (dev->type == ARPHRD_IPGRE) ++ dev->type = ARPHRD_NONE; + } + } + +-- +2.20.1 + 
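Review bot: In drivers/dma/pch_dma.c, pch_dma_probe(), the second hunk removes `pd->dma.dev = &pdev->dev;` but keeps the blank context line on each side, which leaves two consecutive blank lines before `INIT_LIST_HEAD(&pd->dma.channels);`; drop one. On the logic side, the interrupt is requested with IRQF_SHARED, so pd_irq() can be invoked as soon as it is registered, and `INIT_LIST_HEAD(&pd->dma.channels)` still runs after request_irq(). Please confirm pd_irq() reads nothing else that is initialised after the request, or move the remaining setup above it as well.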
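Review bot: In drivers/gpu/drm/qxl/qxl_image.c, qxl_image_init_helper(), the unmap is added only inside the `default:` branch, so the next early return added to this function can reintroduce the same missing unmap. A single error label that calls `qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr)` before returning would keep map and unmap paired in one place. The changelog body consists only of "v2: removed TODO reminder"; one sentence saying that the atomic mapping was left in place on the unsupported bit depth path would make the reason for the backport reviewable.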
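Review bot: In net/ipv4/ip_gre.c, ipgre_rcv(), the choice between skb_pop_mac_header() and skb_reset_mac_header() is keyed on `tunnel->dev->type != ARPHRD_NONE`, while the property the changelog reasons about is collect metadata mode, which is tested separately on the next line as `tunnel->collect_md`. A short comment tying ARPHRD_NONE to collect_md for ipgre would make the coupling explicit. In ipgre_netlink_parms() the device type changes from ARPHRD_IPGRE to ARPHRD_NONE, which userspace can observe; for a stable backport that behaviour change deserves a line in the changelog.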
diff --git a/queue-4.4/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch b/queue-4.4/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch new file mode 100644 index 00000000000..feece0a2f14 --- /dev/null +++ b/queue-4.4/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch 
@@ -0,0 +1,264 @@ +From fb3bd2b0f1825c6ee623e25d2407a19bc708783d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2017 13:42:49 -0700 +Subject: i40e: avoid NVM acquire deadlock during NVM update + +From: Anjali Singhai Jain + +[ Upstream commit 09f79fd49d94cda5837e9bfd0cb222232b3b6d9f ] + +X722 devices use the AdminQ to access the NVM, and this requires taking +the AdminQ lock. Because of this, we lock the AdminQ during +i40e_read_nvm(), which is also called in places where the lock is +already held, such as the firmware update path which wants to lock once +and then unlock when finished after performing several tasks. + +Although this should have only affected X722 devices, commit +96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices", +2016-12-02) added locking for all NVM reads, regardless of device +family. + +This resulted in us accidentally causing NVM acquire timeouts on all +devices, causing failed firmware updates which left the eeprom in +a corrupt state. + +Create unsafe non-locked variants of i40e_read_nvm_word and +i40e_read_nvm_buffer, __i40e_read_nvm_word and __i40e_read_nvm_buffer +respectively. These variants will not take the NVM lock and are expected +to only be called in places where the NVM lock is already held if +needed. + +Since the only caller of i40e_read_nvm_buffer() was in such a path, +remove it entirely in favor of the unsafe version. If necessary we can +always add it back in the future. + +Additionally, we now need to hold the NVM lock in i40e_validate_checksum +because the call to i40e_calc_nvm_checksum now assumes that the NVM lock +is held. We can further move the call to read I40E_SR_SW_CHECKSUM_WORD +up a bit so that we do not need to acquire the NVM lock twice. + +This should resolve firmware updates and also fix potential raise that +could have caused the driver to report an invalid NVM checksum upon +driver load. 
+ +Reported-by: Stefan Assmann +Fixes: 96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices", 2016-12-02) +Signed-off-by: Anjali Singhai Jain +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_nvm.c | 98 ++++++++++++------- + .../net/ethernet/intel/i40e/i40e_prototype.h | 2 - + 2 files changed, 60 insertions(+), 40 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +index dd4e6ea9e0e1b..af7f97791320d 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +@@ -266,7 +266,7 @@ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw, u8 module_pointer, + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) + * @data: word read from the Shadow RAM + * +- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register. ++ * Reads one 16 bit word from the Shadow RAM using the AdminQ + **/ + static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset, + u16 *data) +@@ -280,27 +280,49 @@ static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset, + } + + /** +- * i40e_read_nvm_word - Reads Shadow RAM ++ * __i40e_read_nvm_word - Reads nvm word, assumes called does the locking + * @hw: pointer to the HW structure + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) + * @data: word read from the Shadow RAM + * +- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register. ++ * Reads one 16 bit word from the Shadow RAM. ++ * ++ * Do not use this function except in cases where the nvm lock is already ++ * taken via i40e_acquire_nvm(). 
++ **/ ++static i40e_status __i40e_read_nvm_word(struct i40e_hw *hw, ++ u16 offset, u16 *data) ++{ ++ i40e_status ret_code = 0; ++ ++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) ++ ret_code = i40e_read_nvm_word_aq(hw, offset, data); ++ else ++ ret_code = i40e_read_nvm_word_srctl(hw, offset, data); ++ return ret_code; ++} ++ ++/** ++ * i40e_read_nvm_word - Reads nvm word and acquire lock if necessary ++ * @hw: pointer to the HW structure ++ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) ++ * @data: word read from the Shadow RAM ++ * ++ * Reads one 16 bit word from the Shadow RAM. + **/ + i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset, + u16 *data) + { +- enum i40e_status_code ret_code = 0; ++ i40e_status ret_code = 0; + + ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); +- if (!ret_code) { +- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) { +- ret_code = i40e_read_nvm_word_aq(hw, offset, data); +- } else { +- ret_code = i40e_read_nvm_word_srctl(hw, offset, data); +- } +- i40e_release_nvm(hw); +- } ++ if (ret_code) ++ return ret_code; ++ ++ ret_code = __i40e_read_nvm_word(hw, offset, data); ++ ++ i40e_release_nvm(hw); ++ + return ret_code; + } + +@@ -393,31 +415,25 @@ static i40e_status i40e_read_nvm_buffer_aq(struct i40e_hw *hw, u16 offset, + } + + /** +- * i40e_read_nvm_buffer - Reads Shadow RAM buffer ++ * __i40e_read_nvm_buffer - Reads nvm buffer, caller must acquire lock + * @hw: pointer to the HW structure + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF). + * @words: (in) number of words to read; (out) number of words actually read + * @data: words read from the Shadow RAM + * + * Reads 16 bit words (data buffer) from the SR using the i40e_read_nvm_srrd() +- * method. The buffer read is preceded by the NVM ownership take +- * and followed by the release. ++ * method. 
+ **/ +-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset, +- u16 *words, u16 *data) ++static i40e_status __i40e_read_nvm_buffer(struct i40e_hw *hw, ++ u16 offset, u16 *words, ++ u16 *data) + { +- enum i40e_status_code ret_code = 0; ++ i40e_status ret_code = 0; + +- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) { +- ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); +- if (!ret_code) { +- ret_code = i40e_read_nvm_buffer_aq(hw, offset, words, +- data); +- i40e_release_nvm(hw); +- } +- } else { ++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) ++ ret_code = i40e_read_nvm_buffer_aq(hw, offset, words, data); ++ else + ret_code = i40e_read_nvm_buffer_srctl(hw, offset, words, data); +- } + return ret_code; + } + +@@ -499,15 +515,15 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw, + data = (u16 *)vmem.va; + + /* read pointer to VPD area */ +- ret_code = i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module); ++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; + } + + /* read pointer to PCIe Alt Auto-load module */ +- ret_code = i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR, +- &pcie_alt_module); ++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR, ++ &pcie_alt_module); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; +@@ -521,7 +537,7 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw, + if ((i % I40E_SR_SECTOR_SIZE_IN_WORDS) == 0) { + u16 words = I40E_SR_SECTOR_SIZE_IN_WORDS; + +- ret_code = i40e_read_nvm_buffer(hw, i, &words, data); ++ ret_code = __i40e_read_nvm_buffer(hw, i, &words, data); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; +@@ -593,14 +609,19 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + u16 checksum_sr = 0; + u16 checksum_local = 0; + ++ /* We must acquire the NVM lock 
in order to correctly synchronize the ++ * NVM accesses across multiple PFs. Without doing so it is possible ++ * for one of the PFs to read invalid data potentially indicating that ++ * the checksum is invalid. ++ */ ++ ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); ++ if (ret_code) ++ return ret_code; + ret_code = i40e_calc_nvm_checksum(hw, &checksum_local); ++ __i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr); ++ i40e_release_nvm(hw); + if (ret_code) +- goto i40e_validate_nvm_checksum_exit; +- +- /* Do not use i40e_read_nvm_word() because we do not want to take +- * the synchronization semaphores twice here. +- */ +- i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr); ++ return ret_code; + + /* Verify read checksum from EEPROM is the same as + * calculated checksum +@@ -612,7 +633,6 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + if (checksum) + *checksum = checksum_local; + +-i40e_validate_nvm_checksum_exit: + return ret_code; + } + +@@ -958,6 +978,7 @@ static i40e_status i40e_nvmupd_state_writing(struct i40e_hw *hw, + break; + + case I40E_NVMUPD_CSUM_CON: ++ /* Assumes the caller has acquired the nvm */ + status = i40e_update_nvm_checksum(hw); + if (status) { + *perrno = hw->aq.asq_last_status ? +@@ -971,6 +992,7 @@ static i40e_status i40e_nvmupd_state_writing(struct i40e_hw *hw, + break; + + case I40E_NVMUPD_CSUM_LCB: ++ /* Assumes the caller has acquired the nvm */ + status = i40e_update_nvm_checksum(hw); + if (status) { + *perrno = hw->aq.asq_last_status ? 
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_prototype.h b/drivers/net/ethernet/intel/i40e/i40e_prototype.h +index bb9d583e5416f..6caa2ab0ad743 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_prototype.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_prototype.h +@@ -282,8 +282,6 @@ i40e_status i40e_acquire_nvm(struct i40e_hw *hw, + void i40e_release_nvm(struct i40e_hw *hw); + i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset, + u16 *data); +-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset, +- u16 *words, u16 *data); + i40e_status i40e_update_nvm_checksum(struct i40e_hw *hw); + i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + u16 *checksum); +-- +2.20.1 + diff --git a/queue-4.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch b/queue-4.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch new file mode 100644 index 00000000000..26d6a21533a --- /dev/null +++ b/queue-4.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch 
@@ -0,0 +1,68 @@ +From 0b09040765863bff841cd6b411e59cf439689ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 10:59:21 +0300 +Subject: IB/mlx4: Test return value of calls to ib_get_cached_pkey + +From: Jack Morgenstein + +[ Upstream commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 ] + +In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey() +without checking its return value. If ib_get_cached_pkey() returns an +error code, these functions should return failure. + +Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") +Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") +Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr") +Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/qp.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 348828271cb07..ecd461ee6dbe2 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -2156,6 +2156,7 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + int send_size; + int header_size; + int spc; ++ int err; + int i; + + if (wr->wr.opcode != IB_WR_SEND) +@@ -2190,7 +2191,9 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + + sqp->ud_header.lrh.virtual_lane = 0; + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); +- ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ if (err) ++ return err; + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + if (sqp->qp.mlx4_ib_qp_type == MLX4_IB_QPT_TUN_SMI_OWNER) + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); +@@ -2423,9 +2426,14 @@ static int 
build_mlx_header(struct mlx4_ib_sqp *sqp, struct ib_ud_wr *wr, + } + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); + if (!sqp->qp.ibqp.qp_num) +- ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, ++ &pkey); + else +- ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, ++ &pkey); ++ if (err) ++ return err; ++ + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); + sqp->ud_header.bth.psn = cpu_to_be32((sqp->send_psn++) & ((1 << 24) - 1)); +-- +2.20.1 + diff --git a/queue-4.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch b/queue-4.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch new file mode 100644 index 00000000000..4a290742b1f --- /dev/null +++ b/queue-4.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch 
@@ -0,0 +1,125 @@ +From 2adba60ae08c314e11654aaa05324c4c8481dfd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 17:50:48 -0700 +Subject: ipc/util.c: sysvipc_find_ipc() incorrectly updates position index + +From: Vasily Averin + +[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] + +Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase +position index") is causing this bug (seen on 5.6.8): + + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + + # ipcmk -Q + Message queue id: 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + + # ipcmk -Q + Message queue id: 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcrm -q 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 2 + # ipcrm -q 2 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 3 + # ipcrm -q 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + +Whenever an IPC item with a low id is deleted, the items with higher ids +are duplicated, as if filling a hole. + +new_pos should jump through hole of unused ids, pos can be updated +inside "for" cycle. 
+ +Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") +Reported-by: Andreas Schwab +Reported-by: Randy Dunlap +Signed-off-by: Vasily Averin +Signed-off-by: Andrew Morton +Acked-by: Waiman Long +Cc: NeilBrown +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: Peter Oberparleiter +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: +Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/util.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ipc/util.c b/ipc/util.c +index 2724f9071ab39..7af476b6dcdde 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -756,21 +756,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, + total++; + } + +- *new_pos = pos + 1; ++ ipc = NULL; + if (total >= ids->in_use) +- return NULL; ++ goto out; + + for (; pos < IPCMNI; pos++) { + ipc = idr_find(&ids->ipcs_idr, pos); + if (ipc != NULL) { + rcu_read_lock(); + ipc_lock_object(ipc); +- return ipc; ++ break; + } + } +- +- /* Out of range - return NULL to terminate iteration */ +- return NULL; ++out: ++ *new_pos = pos + 1; ++ return ipc; + } + + static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos) +-- +2.20.1 + diff --git a/queue-4.4/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch b/queue-4.4/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch new file mode 100644 index 00000000000..75fbad0003c --- /dev/null +++ b/queue-4.4/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch 
@@ -0,0 +1,57 @@ +From 80eb9df19322ea5f7fd20ebdb68aa15f10850989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2017 14:59:30 -0800 +Subject: mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() + +From: zhong jiang + +[ Upstream commit d6d8c8a48291b929b2e039f220f0b62958cccfea ] + +When mainline introduced commit a96dfddbcc04 ("base/memory, hotplug: fix +a kernel oops in show_valid_zones()"), it obtained the valid start and +end pfn from the given pfn range. The valid start pfn can fix the +actual issue, but it introduced another issue. The valid end pfn will +may exceed the given end_pfn. + +Although the incorrect overflow will not result in actual problem at +present, but I think it need to be fixed. + +[toshi.kani@hpe.com: remove assumption that end_pfn is aligned by MAX_ORDER_NR_PAGES] +Fixes: a96dfddbcc04 ("base/memory, hotplug: fix a kernel oops in show_valid_zones()") +Link: http://lkml.kernel.org/r/1486467299-22648-1-git-send-email-zhongjiang@huawei.com +Signed-off-by: zhong jiang +Signed-off-by: Toshi Kani +Cc: Vlastimil Babka +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 804cbfe9132dd..5fa8a3606f409 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1397,7 +1397,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + while ((i < MAX_ORDER_NR_PAGES) && + !pfn_valid_within(pfn + i)) + i++; +- if (i == MAX_ORDER_NR_PAGES) ++ if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn) + continue; + /* Check if we got outside of the zone */ + if (zone && !zone_spans_pfn(zone, pfn + i)) +@@ -1414,7 +1414,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + + if (zone) { + *valid_start = start; +- *valid_end = end; ++ *valid_end = min(end, end_pfn); + return 1; + } else { + 
return 0; +-- +2.20.1 + diff --git a/queue-4.4/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch b/queue-4.4/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch new file mode 100644 index 00000000000..cf035ce72a0 --- /dev/null +++ b/queue-4.4/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch @@ -0,0 +1,36 @@ +From 040b488465f49b1e3f73c916c81608dd49d85920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2017 18:25:59 +0300 +Subject: net/mlx5: Fix driver load error flow when firmware is stuck + +From: Gal Pressman + +[ Upstream commit 8ce59b16b4b6eacedaec1f7b652b4781cdbfe15f ] + +When wait for firmware init fails, previous code would mistakenly +return success and cause inconsistency in the driver state. + +Fixes: 6c780a0267b8 ("net/mlx5: Wait for FW readiness before initializing command interface") +Signed-off-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index bf4447581072f..e88605de84cca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -933,7 +933,7 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv) + if (err) { + dev_err(&dev->pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n", + FW_PRE_INIT_TIMEOUT_MILI); +- goto out; ++ goto out_err; + } + + err = mlx5_cmd_init(dev); +-- +2.20.1 + diff --git a/queue-4.4/net-openvswitch-fix-csum-updates-for-mpls-actions.patch b/queue-4.4/net-openvswitch-fix-csum-updates-for-mpls-actions.patch new file mode 100644 index 00000000000..9f9513baeea --- /dev/null +++ b/queue-4.4/net-openvswitch-fix-csum-updates-for-mpls-actions.patch 
@@ -0,0 +1,78 @@ +From b07c83d099b6fa3c948becd2d09220821b09e9db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2019 14:37:30 +0100 +Subject: net: openvswitch: fix csum updates for MPLS actions + +From: John Hurley + +[ Upstream commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615 ] + +Skbs may have their checksum value populated by HW. If this is a checksum +calculated over the entire packet then the CHECKSUM_COMPLETE field is +marked. Changes to the data pointer on the skb throughout the network +stack still try to maintain this complete csum value if it is required +through functions such as skb_postpush_rcsum. + +The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when +changes are made to packet data without a push or a pull. This occurs when +the ethertype of the MAC header is changed or when MPLS lse fields are +modified. + +The modification is carried out using the csum_partial function to get the +csum of a buffer and add it into the larger checksum. The buffer is an +inversion of the data to be removed followed by the new data. Because the +csum is calculated over 16 bits and these values align with 16 bits, the +effect is the removal of the old value from the CHECKSUM_COMPLETE and +addition of the new value. + +However, the csum fed into the function and the outcome of the +calculation are also inverted. This would only make sense if it was the +new value rather than the old that was inverted in the input buffer. + +Fix the issue by removing the bit inverts in the csum_partial calculation. + +The bug was verified and the fix tested by comparing the folded value of +the updated CHECKSUM_COMPLETE value with the folded value of a full +software checksum calculation (reset skb->csum to 0 and run +skb_checksum_complete(skb)). Prior to the fix the outcomes differed but +after they produce the same result. 
+ +Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel") +Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls") +Signed-off-by: John Hurley +Reviewed-by: Jakub Kicinski +Reviewed-by: Simon Horman +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index fd6c587b6a040..828fdced4ecd8 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -143,8 +143,7 @@ static void update_ethertype(struct sk_buff *skb, struct ethhdr *hdr, + if (skb->ip_summed == CHECKSUM_COMPLETE) { + __be16 diff[] = { ~(hdr->h_proto), ethertype }; + +- skb->csum = ~csum_partial((char *)diff, sizeof(diff), +- ~skb->csum); ++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); + } + + hdr->h_proto = ethertype; +@@ -227,8 +226,7 @@ static int set_mpls(struct sk_buff *skb, struct sw_flow_key *flow_key, + if (skb->ip_summed == CHECKSUM_COMPLETE) { + __be32 diff[] = { ~(*stack), lse }; + +- skb->csum = ~csum_partial((char *)diff, sizeof(diff), +- ~skb->csum); ++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); + } + + *stack = lse; +-- +2.20.1 + diff --git a/queue-4.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch b/queue-4.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch new file mode 100644 index 00000000000..19cafb47d5e --- /dev/null +++ b/queue-4.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch 
@@ -0,0 +1,66 @@ +From 5b817a3a82da0413533d9c9e1d1c91c2f177ead7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 23:30:48 +0200 +Subject: netfilter: conntrack: avoid gcc-10 zero-length-bounds warning + +From: Arnd Bergmann + +[ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ] + +gcc-10 warns around a suspicious access to an empty struct member: + +net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': +net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] + 1522 | memset(&ct->__nfct_init_offset[0], 0, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from net/netfilter/nf_conntrack_core.c:37: +include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' + 90 | u8 __nfct_init_offset[0]; + | ^~~~~~~~~~~~~~~~~~ + +The code is correct but a bit unusual. Rework it slightly in a way that +does not trigger the warning, using an empty struct instead of an empty +array. There are probably more elegant ways to do this, but this is the +smallest change. 
+ +Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 2 +- + net/netfilter/nf_conntrack_core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 636e9e11bd5f6..e3f73fd1d53a9 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -98,7 +98,7 @@ struct nf_conn { + possible_net_t ct_net; + + /* all members below initialized via memset */ +- u8 __nfct_init_offset[0]; ++ struct { } __nfct_init_offset; + + /* If we were expected by an expectation, this will be it */ + struct nf_conn *master; +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index de0aad12b91d2..e58516274e86a 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -898,9 +898,9 @@ __nf_conntrack_alloc(struct net *net, + /* Don't set timer yet: wait for confirmation */ + setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct); + write_pnet(&ct->ct_net, net); +- memset(&ct->__nfct_init_offset[0], 0, ++ memset(&ct->__nfct_init_offset, 0, + offsetof(struct nf_conn, proto) - +- offsetof(struct nf_conn, __nfct_init_offset[0])); ++ offsetof(struct nf_conn, __nfct_init_offset)); + + if (zone && nf_ct_zone_add(ct, GFP_ATOMIC, zone) < 0) + goto out_free; +-- +2.20.1 + diff --git a/queue-4.4/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch b/queue-4.4/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch new file mode 100644 index 00000000000..b7cce5d3a1c --- /dev/null +++ b/queue-4.4/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch 
@@ -0,0 +1,42 @@ +From 34c94ad03388bb60e911b505a7086449e82f7012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Mar 2018 21:05:48 +0000 +Subject: scsi: qla2xxx: Avoid double completion of abort command + +From: Ben Hutchings + +[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ] + +qla2x00_tmf_sp_done() now deletes the timer that will run +qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already +expired. Check the return value from del_timer() to avoid calling +complete() a second time. + +Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...") +Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...") +Signed-off-by: Ben Hutchings +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 41a646696babb..0772804dbc27e 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -364,8 +364,8 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res) + srb_t *sp = (srb_t *)ptr; + struct srb_iocb *abt = &sp->u.iocb_cmd; + +- del_timer(&sp->u.iocb_cmd.timer); +- complete(&abt->u.abt.comp); ++ if (del_timer(&sp->u.iocb_cmd.timer)) ++ complete(&abt->u.abt.comp); + } + + static int +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 811d666f50d..2f2939fb1c9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -40,3 +40,15 @@ scsi-sg-add-sg_remove_request-in-sg_write.patch spi-spi-dw-add-lock-protect-dw_spi-rx-tx-to-prevent-concurrent-calls.patch cifs-check-for-timeout-on-negotiate-stage.patch cifs-fix-a-race-condition-with-cifs_echo_request.patch +dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch +dmaengine-mmp_tdma-reset-channel-error-on-release.patch +drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch +ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch +net-openvswitch-fix-csum-updates-for-mpls-actions.patch +gre-do-not-keep-the-gre-header-around-in-collect-med.patch +mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch +scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch +i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch +net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch +netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch +ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch
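Review bot: In the update_ethertype() hunk of net/openvswitch/actions.c, the new csum_partial() call is seeded with skb->csum directly and its result is stored without a complement, but nothing in the code says why. A one-line comment above the CHECKSUM_COMPLETE branch stating that skb->csum holds the un-complemented sum here, so the { ~old, new } pair is simply added to it, would make it much harder for a later cleanup to reintroduce the double complement that the removed lines carried.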
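Review bot: In the set_mpls() hunk of net/openvswitch/actions.c, the checksum fix is a hand-made copy of the one in update_ethertype(): both build a two-element diff[] of { ~old, new } and feed it to csum_partial() with skb->csum as the seed, differing only in element width (__be32 here, __be16 there). For a stable backport the minimal change is right, but the duplication is how the same mistake ended up in two places; a small shared helper taking the diff buffer and its length would leave a single place to get the convention right.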
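Review bot: In the include/net/netfilter/nf_conntrack.h hunk, the replacement marker "struct { } __nfct_init_offset;" depends on the GNU C behaviour that an empty struct has size zero, and the comment above it does not say so. The memset() in __nf_conntrack_alloc() computes its length as offsetof(struct nf_conn, proto) minus offsetof(struct nf_conn, __nfct_init_offset), so a marker that occupied any bytes would shift the cleared region. Please extend the existing comment to note that the marker must stay zero-sized and that the cleared region ends at proto, since "all members below" reads as if it ran to the end of the struct.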
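Review bot: In the net/netfilter/nf_conntrack_core.c hunk, memset(&ct->__nfct_init_offset, 0, ...) still writes a multi-byte region through the address of a zero-sized member, which is the same pattern the quoted -Wzero-length-bounds warning objected to, only expressed with a struct instead of an array. The commit message itself says there are probably more elegant ways to do this; deriving the start from the object base, for example (char *)ct + offsetof(struct nf_conn, __nfct_init_offset), keeps the pointer typed as the whole object. Worth considering as a follow-up rather than in this backport.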
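Review bot: In the qla24xx_abort_sp_done() hunk of drivers/scsi/qla2xxx/qla_init.c, skipping complete() when del_timer() returns 0 is only safe if the timeout handler always calls complete(&abt->u.abt.comp) itself, and that handler is not part of this diff. del_timer() also returns 0 when the handler is still running on another CPU, so the waiter may be woken slightly later than before; please confirm in the 4.4 tree that the handler completes unconditionally. Separately, the commit message names qla2x00_tmf_sp_done() and qla2x00_tmf_iocb_timeout() while the hunk changes qla24xx_abort_sp_done(), so the description should be checked against the function actually patched.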