From: Sasha Levin Date: Sun, 17 May 2020 03:54:59 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.224~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3cd20fa2c9d8b5bd2cabb8134f3237a8fe40b1e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-ec-pm-avoid-premature-returns-from-acpi_s2idle_.patch b/queue-5.4/acpi-ec-pm-avoid-premature-returns-from-acpi_s2idle_.patch new file mode 100644 index 00000000000..07900e4eec2 --- /dev/null +++ b/queue-5.4/acpi-ec-pm-avoid-premature-returns-from-acpi_s2idle_.patch @@ -0,0 +1,132 @@ +From e09bfa41833a897799ccaa3d91de215d9f5ee168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 10:44:41 +0200 +Subject: ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake() + +From: Rafael J. Wysocki + +[ Upstream commit 7b301750f7f8f6503e11f1af4a03832525f58c66 ] + +If the EC GPE status is not set after checking all of the other GPEs, +acpi_s2idle_wake() returns 'false', to indicate that the SCI event +that has just triggered is not a system wakeup one, but it does that +without canceling the pending wakeup and re-arming the SCI for system +wakeup which is a mistake, because it may cause s2idle_loop() to busy +spin until the next valid wakeup event. [If that happens, the first +spurious wakeup is still pending after acpi_s2idle_wake() has +returned, so s2idle_enter() does nothing, acpi_s2idle_wake() +is called again and it sees that the SCI has triggered, but no GPEs +are active, so 'false' is returned again, and so on.] + +Fix that by moving all of the GPE checking logic from +acpi_s2idle_wake() to acpi_ec_dispatch_gpe() and making the +latter return 'true' only if a non-EC GPE has triggered and +'false' otherwise, which will cause acpi_s2idle_wake() to +cancel the pending SCI wakeup and re-arm the SCI for system +wakeup regardless of the EC GPE status. + +This also addresses a lockup observed on an Elitegroup EF20EA laptop +after attempting to wake it up from suspend-to-idle by a key press. + +Fixes: d5406284ff80 ("ACPI: PM: s2idle: Refine active GPEs check") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=207603 +Reported-by: Todd Brandt +Fixes: fdde0ff8590b ("ACPI: PM: s2idle: Prevent spurious SCIs from waking up the system") +Link: https://lore.kernel.org/linux-acpi/CAB4CAwdqo7=MvyG_PE+PGVfeA17AHF5i5JucgaKqqMX6mjArbQ@mail.gmail.com/ +Reported-by: Chris Chiu +Tested-by: Chris Chiu +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 24 ++++++++++++++++-------- + drivers/acpi/internal.h | 1 - + drivers/acpi/sleep.c | 14 ++------------ + 3 files changed, 18 insertions(+), 21 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 5e6c8bfc66125..5b53a66d403df 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1962,23 +1962,31 @@ void acpi_ec_set_gpe_wake_mask(u8 action) + acpi_set_gpe_wake_mask(NULL, first_ec->gpe, action); + } + +-bool acpi_ec_other_gpes_active(void) +-{ +- return acpi_any_gpe_status_set(first_ec ? first_ec->gpe : U32_MAX); +-} +- + bool acpi_ec_dispatch_gpe(void) + { + u32 ret; + + if (!first_ec) ++ return acpi_any_gpe_status_set(U32_MAX); ++ ++ /* ++ * Report wakeup if the status bit is set for any enabled GPE other ++ * than the EC one. ++ */ ++ if (acpi_any_gpe_status_set(first_ec->gpe)) ++ return true; ++ ++ if (ec_no_wakeup) + return false; + ++ /* ++ * Dispatch the EC GPE in-band, but do not report wakeup in any case ++ * to allow the caller to process events properly after that. ++ */ + ret = acpi_dispatch_gpe(NULL, first_ec->gpe); +- if (ret == ACPI_INTERRUPT_HANDLED) { ++ if (ret == ACPI_INTERRUPT_HANDLED) + pm_pr_dbg("EC GPE dispatched\n"); +- return true; +- } ++ + return false; + } + #endif /* CONFIG_PM_SLEEP */ +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h +index cbf7f34c3ce76..afe6636f9ad39 100644 +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -201,7 +201,6 @@ void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit); + + #ifdef CONFIG_PM_SLEEP + void acpi_ec_flush_work(void); +-bool acpi_ec_other_gpes_active(void); + bool acpi_ec_dispatch_gpe(void); + #endif + +diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c +index edad89e58c580..85514c0f3aa53 100644 +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -1010,20 +1010,10 @@ static bool acpi_s2idle_wake(void) + if (acpi_check_wakeup_handlers()) + return true; + +- /* +- * If the status bit is set for any enabled GPE other than the +- * EC one, the wakeup is regarded as a genuine one. +- */ +- if (acpi_ec_other_gpes_active()) ++ /* Check non-EC GPE wakeups and dispatch the EC GPE. */ ++ if (acpi_ec_dispatch_gpe()) + return true; + +- /* +- * If the EC GPE status bit has not been set, the wakeup is +- * regarded as a spurious one. +- */ +- if (!acpi_ec_dispatch_gpe()) +- return false; +- + /* + * Cancel the wakeup and process all pending events in case + * there are any wakeup ones in there. +-- +2.20.1 + diff --git a/queue-5.4/alsa-firewire-lib-fix-function-sizeof-not-defined-er.patch b/queue-5.4/alsa-firewire-lib-fix-function-sizeof-not-defined-er.patch new file mode 100644 index 00000000000..08cd34533fd --- /dev/null +++ b/queue-5.4/alsa-firewire-lib-fix-function-sizeof-not-defined-er.patch @@ -0,0 +1,60 @@ +From 7477e551f38caf8d96f8cf712a7ab8b1d537e168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 13:57:18 +0900 +Subject: ALSA: firewire-lib: fix 'function sizeof not defined' error of + tracepoints format + +From: Takashi Sakamoto + +[ Upstream commit 1034872123a06b759aba772b1c99612ccb8e632a ] + +The snd-firewire-lib.ko has 'amdtp-packet' event of tracepoints. Current +printk format for the event includes 'sizeof(u8)' macro expected to be +extended in compilation time. However, this is not done. As a result, +perf tools cannot parse the event for printing: + +$ mount -l -t debugfs +debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime) +$ cat /sys/kernel/debug/tracing/events/snd_firewire_lib/amdtp_packet/format +... +print fmt: "%02u %04u %04x %04x %02d %03u %02u %03u %02u %01u %02u %s", + REC->second, REC->cycle, REC->src, REC->dest, REC->channel, + REC->payload_quadlets, REC->data_blocks, REC->data_block_counter, + REC->packet_index, REC->irq, REC->index, + __print_array(__get_dynamic_array(cip_header), + __get_dynamic_array_len(cip_header), + sizeof(u8)) + +$ sudo perf record -e snd_firewire_lib:amdtp_packet + [snd_firewire_lib:amdtp_packet] function sizeof not defined + Error: expected type 5 but read 0 + +This commit fixes it by obsoleting the macro with actual size. + +Cc: +Fixes: bde2bbdb307a ("ALSA: firewire-lib: use dynamic array for CIP header of tracing events") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20200503045718.86337-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/amdtp-stream-trace.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/firewire/amdtp-stream-trace.h b/sound/firewire/amdtp-stream-trace.h +index 16c7f6605511e..26e7cb555d3c5 100644 +--- a/sound/firewire/amdtp-stream-trace.h ++++ b/sound/firewire/amdtp-stream-trace.h +@@ -66,8 +66,7 @@ TRACE_EVENT(amdtp_packet, + __entry->irq, + __entry->index, + __print_array(__get_dynamic_array(cip_header), +- __get_dynamic_array_len(cip_header), +- sizeof(u8))) ++ __get_dynamic_array_len(cip_header), 1)) + ); + + #endif +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch b/queue-5.4/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch new file mode 100644 index 00000000000..3eb27da1e74 --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch @@ -0,0 +1,49 @@ +From 65412b1f2fb42be71271d33e03bfee38fda54bf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 15:38:36 +0300 +Subject: ALSA: hda/hdmi: fix race in monitor detection during probe + +From: Kai Vehmanen + +[ Upstream commit ca76282b6faffc83601c25bd2a95f635c03503ef ] + +A race exists between build_pcms() and build_controls() phases of codec +setup. Build_pcms() sets up notifier for jack events. If a monitor event +is received before build_controls() is run, the initial jack state is +lost and never reported via mixer controls. + +The problem can be hit at least with SOF as the controller driver. SOF +calls snd_hda_codec_build_controls() in its workqueue-based probe and +this can be delayed enough to hit the race condition. + +Fix the issue by invalidating the per-pin ELD information when +build_controls() is called. The existing call to hdmi_present_sense() +will update the ELD contents. This ensures initial monitor state is +correctly reflected via mixer controls. + +BugLink: https://github.com/thesofproject/linux/issues/1687 +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200428123836.24512-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 663168ddce722..d48263d1f6a24 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2234,7 +2234,9 @@ static int generic_hdmi_build_controls(struct hda_codec *codec) + + for (pin_idx = 0; pin_idx < spec->num_pins; pin_idx++) { + struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx); ++ struct hdmi_eld *pin_eld = &per_pin->sink_eld; + ++ pin_eld->eld_valid = false; + hdmi_present_sense(per_pin, 0); + } + +-- +2.20.1 + diff --git a/queue-5.4/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch b/queue-5.4/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch new file mode 100644 index 00000000000..ae0c739d28a --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch @@ -0,0 +1,72 @@ +From 4811e8b64862ceb6336fc96cd6776d7eb90985f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 23:24:47 +0800 +Subject: ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse + +From: Kai-Heng Feng + +[ Upstream commit 52e4e36807aeac1cdd07b14e509c8a64101e1a09 ] + +Commit 317d9313925c ("ALSA: hda/realtek - Set default power save node to +0") makes the ALC225 have pop noise on S3 resume and cold boot. + +The previous fix enable power save node universally for ALC225, however +it makes some ALC225 systems unable to produce any sound. + +So let's only enable power save node for the affected Dell Wyse +platform. + +Fixes: 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0") +BugLink: https://bugs.launchpad.net/bugs/1866357 +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200503152449.22761-2-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 64270983ab7db..1a01e7c5b6d0a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5743,6 +5743,15 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec, + } + } + ++static void alc225_fixup_s3_pop_noise(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action != HDA_FIXUP_ACT_PRE_PROBE) ++ return; ++ ++ codec->power_save_node = 1; ++} ++ + /* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */ + static void alc274_fixup_bind_dacs(struct hda_codec *codec, + const struct hda_fixup *fix, int action) +@@ -5932,6 +5941,7 @@ enum { + ALC233_FIXUP_ACER_HEADSET_MIC, + ALC294_FIXUP_LENOVO_MIC_LOCATION, + ALC225_FIXUP_DELL_WYSE_MIC_NO_PRESENCE, ++ ALC225_FIXUP_S3_POP_NOISE, + ALC700_FIXUP_INTEL_REFERENCE, + ALC274_FIXUP_DELL_BIND_DACS, + ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, +@@ -6817,6 +6827,12 @@ static const struct hda_fixup alc269_fixups[] = { + { } + }, + .chained = true, ++ .chain_id = ALC225_FIXUP_S3_POP_NOISE ++ }, ++ [ALC225_FIXUP_S3_POP_NOISE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc225_fixup_s3_pop_noise, ++ .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC + }, + [ALC700_FIXUP_INTEL_REFERENCE] = { +-- +2.20.1 + diff --git a/queue-5.4/arm64-fix-the-flush_icache_range-arguments-in-machin.patch b/queue-5.4/arm64-fix-the-flush_icache_range-arguments-in-machin.patch new file mode 100644 index 00000000000..296fc40dd58 --- /dev/null +++ b/queue-5.4/arm64-fix-the-flush_icache_range-arguments-in-machin.patch @@ -0,0 +1,35 @@ +From 502c2c219e555b98f1dc7b9a8ab8beaa4bdf49a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 09:54:41 +0200 +Subject: arm64: fix the flush_icache_range arguments in machine_kexec + +From: Christoph Hellwig + +[ Upstream commit d51c214541c5154dda3037289ee895ea3ded5ebd ] + +The second argument is the end "pointer", not the length. + +Fixes: d28f6df1305a ("arm64/kexec: Add core kexec support") +Cc: # 4.8.x- +Signed-off-by: Christoph Hellwig +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/machine_kexec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/machine_kexec.c b/arch/arm64/kernel/machine_kexec.c +index 0df8493624e00..cc049ff5c6a53 100644 +--- a/arch/arm64/kernel/machine_kexec.c ++++ b/arch/arm64/kernel/machine_kexec.c +@@ -189,6 +189,7 @@ void machine_kexec(struct kimage *kimage) + * the offline CPUs. Therefore, we must use the __* variant here. + */ + __flush_icache_range((uintptr_t)reboot_code_buffer, ++ (uintptr_t)reboot_code_buffer + + arm64_relocate_new_kernel_size); + + /* Flush the kimage list and its buffers. */ +-- +2.20.1 + diff --git a/queue-5.4/bpf-fix-error-return-code-in-map_lookup_and_delete_e.patch b/queue-5.4/bpf-fix-error-return-code-in-map_lookup_and_delete_e.patch new file mode 100644 index 00000000000..f978bc1e2bc --- /dev/null +++ b/queue-5.4/bpf-fix-error-return-code-in-map_lookup_and_delete_e.patch @@ -0,0 +1,40 @@ +From 9017f1548a6f5731a12c61dbd1ba5ca67ecb1065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 08:18:51 +0000 +Subject: bpf: Fix error return code in map_lookup_and_delete_elem() + +From: Wei Yongjun + +[ Upstream commit 7f645462ca01d01abb94d75e6768c8b3ed3a188b ] + +Fix to return negative error code -EFAULT from the copy_to_user() error +handling case instead of 0, as done elsewhere in this function. + +Fixes: bd513cd08f10 ("bpf: add MAP_LOOKUP_AND_DELETE_ELEM syscall") +Signed-off-by: Wei Yongjun +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20200430081851.166996-1-weiyongjun1@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 14f4a76b44d5f..946cfdd3b2cc2 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1146,8 +1146,10 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr) + if (err) + goto free_value; + +- if (copy_to_user(uvalue, value, value_size) != 0) ++ if (copy_to_user(uvalue, value, value_size) != 0) { ++ err = -EFAULT; + goto free_value; ++ } + + err = 0; + +-- +2.20.1 + diff --git a/queue-5.4/bpf-sockmap-bpf_tcp_ingress-needs-to-subtract-bytes-.patch b/queue-5.4/bpf-sockmap-bpf_tcp_ingress-needs-to-subtract-bytes-.patch new file mode 100644 index 00000000000..9d08f2529fd --- /dev/null +++ b/queue-5.4/bpf-sockmap-bpf_tcp_ingress-needs-to-subtract-bytes-.patch @@ -0,0 +1,80 @@ +From a13b76f20a2b79754d9f9539e7d2a35a4dd6dcae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 10:21:44 -0700 +Subject: bpf, sockmap: bpf_tcp_ingress needs to subtract bytes from sg.size + +From: John Fastabend + +[ Upstream commit 81aabbb9fb7b4b1efd073b62f0505d3adad442f3 ] + +In bpf_tcp_ingress we used apply_bytes to subtract bytes from sg.size +which is used to track total bytes in a message. But this is not +correct because apply_bytes is itself modified in the main loop doing +the mem_charge. + +Then at the end of this we have sg.size incorrectly set and out of +sync with actual sk values. Then we can get a splat if we try to +cork the data later and again try to redirect the msg to ingress. To +fix instead of trying to track msg.size do the easy thing and include +it as part of the sk_msg_xfer logic so that when the msg is moved the +sg.size is always correct. + +To reproduce the below users will need ingress + cork and hit an +error path that will then try to 'free' the skmsg. + +[ 173.699981] BUG: KASAN: null-ptr-deref in sk_msg_free_elem+0xdd/0x120 +[ 173.699987] Read of size 8 at addr 0000000000000008 by task test_sockmap/5317 + +[ 173.700000] CPU: 2 PID: 5317 Comm: test_sockmap Tainted: G I 5.7.0-rc1+ #43 +[ 173.700005] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 +[ 173.700009] Call Trace: +[ 173.700021] dump_stack+0x8e/0xcb +[ 173.700029] ? sk_msg_free_elem+0xdd/0x120 +[ 173.700034] ? sk_msg_free_elem+0xdd/0x120 +[ 173.700042] __kasan_report+0x102/0x15f +[ 173.700052] ? sk_msg_free_elem+0xdd/0x120 +[ 173.700060] kasan_report+0x32/0x50 +[ 173.700070] sk_msg_free_elem+0xdd/0x120 +[ 173.700080] __sk_msg_free+0x87/0x150 +[ 173.700094] tcp_bpf_send_verdict+0x179/0x4f0 +[ 173.700109] tcp_bpf_sendpage+0x3ce/0x5d0 + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/158861290407.14306.5327773422227552482.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 1 + + net/ipv4/tcp_bpf.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 7eb6a8754f19a..a3adbe593505d 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -186,6 +186,7 @@ static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src, + dst->sg.data[which] = src->sg.data[which]; + dst->sg.data[which].length = size; + dst->sg.size += size; ++ src->sg.size -= size; + src->sg.data[which].length -= size; + src->sg.data[which].offset += size; + } +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 8a01428f80c1c..19bd10e6ab830 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -200,7 +200,6 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock, + + if (!ret) { + msg->sg.start = i; +- msg->sg.size -= apply_bytes; + sk_psock_queue_msg(psock, tmp); + sk_psock_data_ready(sk, psock); + } else { +-- +2.20.1 + diff --git a/queue-5.4/bpf-sockmap-msg_pop_data-can-incorrecty-set-an-sge-l.patch b/queue-5.4/bpf-sockmap-msg_pop_data-can-incorrecty-set-an-sge-l.patch new file mode 100644 index 00000000000..b812421c700 --- /dev/null +++ b/queue-5.4/bpf-sockmap-msg_pop_data-can-incorrecty-set-an-sge-l.patch @@ -0,0 +1,54 @@ +From b6fe6e365d537db1c124d4cb7a8d0794a62ebf62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 10:21:23 -0700 +Subject: bpf, sockmap: msg_pop_data can incorrecty set an sge length + +From: John Fastabend + +[ Upstream commit 3e104c23816220919ea1b3fd93fabe363c67c484 ] + +When sk_msg_pop() is called where the pop operation is working on +the end of a sge element and there is no additional trailing data +and there _is_ data in front of pop, like the following case, + + |____________a_____________|__pop__| + +We have out of order operations where we incorrectly set the pop +variable so that instead of zero'ing pop we incorrectly leave it +untouched, effectively. This can cause later logic to shift the +buffers around believing it should pop extra space. The result is +we have 'popped' more data then we expected potentially breaking +program logic. + +It took us a while to hit this case because typically we pop headers +which seem to rarely be at the end of a scatterlist elements but +we can't rely on this. + +Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/158861288359.14306.7654891716919968144.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index d59dbc88fef5d..f1f2304822e3b 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2590,8 +2590,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, + } + pop = 0; + } else if (pop >= sge->length - a) { +- sge->length = a; + pop -= (sge->length - a); ++ sge->length = a; + } + } + +-- +2.20.1 + diff --git a/queue-5.4/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch b/queue-5.4/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch new file mode 100644 index 00000000000..1d484009af9 --- /dev/null +++ b/queue-5.4/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch @@ -0,0 +1,37 @@ +From 98d388f0a84d4725b4decbe0f8fc7507410720ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 20:26:29 +0100 +Subject: cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode + once + +From: Chris Wilson + +[ Upstream commit 8c539776ac83c0857395e1ccc9c6b516521a2d32 ] + +Make a note of the first time we discover the turbo mode has been +disabled by the BIOS, as otherwise we complain every time we try to +update the mode. + +Signed-off-by: Chris Wilson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 45499e0b9f2f3..d3d7c4ef7d045 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1058,7 +1058,7 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b, + + update_turbo_state(); + if (global.turbo_disabled) { +- pr_warn("Turbo disabled by BIOS or unavailable on processor\n"); ++ pr_notice_once("Turbo disabled by BIOS or unavailable on processor\n"); + mutex_unlock(&intel_pstate_limits_lock); + mutex_unlock(&intel_pstate_driver_lock); + return -EPERM; +-- +2.20.1 + diff --git a/queue-5.4/dmaengine-mmp_tdma-do-not-ignore-slave-config-valida.patch b/queue-5.4/dmaengine-mmp_tdma-do-not-ignore-slave-config-valida.patch new file mode 100644 index 00000000000..37de8c0e3e6 --- /dev/null +++ b/queue-5.4/dmaengine-mmp_tdma-do-not-ignore-slave-config-valida.patch @@ -0,0 +1,40 @@ +From c22e04ae0dc71183f8cb5e73ef9ae7b3c21b7863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Apr 2020 18:49:06 +0200 +Subject: dmaengine: mmp_tdma: Do not ignore slave config validation errors + +From: Lubomir Rintel + +[ Upstream commit 363c32701c7fdc8265a84b21a6a4f45d1202b9ca ] + +With an invalid dma_slave_config set previously, +mmp_tdma_prep_dma_cyclic() would detect an error whilst configuring the +channel, but proceed happily on: + + [ 120.756530] mmp-tdma d42a0800.adma: mmp_tdma: unknown burst size. + +Signed-off-by: Lubomir Rintel +Link: https://lore.kernel.org/r/20200419164912.670973-2-lkundrak@v3.sk +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_tdma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c +index e7d1e12bf4643..4d5b987e4841a 100644 +--- a/drivers/dma/mmp_tdma.c ++++ b/drivers/dma/mmp_tdma.c +@@ -443,7 +443,8 @@ static struct dma_async_tx_descriptor *mmp_tdma_prep_dma_cyclic( + if (!desc) + goto err_out; + +- mmp_tdma_config_write(chan, direction, &tdmac->slave_config); ++ if (mmp_tdma_config_write(chan, direction, &tdmac->slave_config)) ++ goto err_out; + + while (buf < buf_len) { + desc = &tdmac->desc_arr[i]; +-- +2.20.1 + diff --git a/queue-5.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch b/queue-5.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch new file mode 100644 index 00000000000..f5c3d8a6fd5 --- /dev/null +++ b/queue-5.4/dmaengine-mmp_tdma-reset-channel-error-on-release.patch @@ -0,0 +1,41 @@ +From 95107f7715e59473763daf1927f249828665fca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Apr 2020 18:49:09 +0200 +Subject: dmaengine: mmp_tdma: Reset channel error on release + +From: Lubomir Rintel + +[ Upstream commit 0c89446379218698189a47871336cb30286a7197 ] + +When a channel configuration fails, the status of the channel is set to +DEV_ERROR so that an attempt to submit it fails. However, this status +sticks until the heat end of the universe, making it impossible to +recover from the error. + +Let's reset it when the channel is released so that further use of the +channel with correct configuration is not impacted. + +Signed-off-by: Lubomir Rintel +Link: https://lore.kernel.org/r/20200419164912.670973-5-lkundrak@v3.sk +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_tdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c +index 4d5b987e4841a..89d90c456c0ce 100644 +--- a/drivers/dma/mmp_tdma.c ++++ b/drivers/dma/mmp_tdma.c +@@ -363,6 +363,8 @@ static void mmp_tdma_free_descriptor(struct mmp_tdma_chan *tdmac) + gen_pool_free(gpool, (unsigned long)tdmac->desc_arr, + size); + tdmac->desc_arr = NULL; ++ if (tdmac->status == DMA_ERROR) ++ tdmac->status = DMA_COMPLETE; + + return; + } +-- +2.20.1 + diff --git a/queue-5.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch b/queue-5.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch new file mode 100644 index 00000000000..18a70c4d841 --- /dev/null +++ b/queue-5.4/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch @@ -0,0 +1,47 @@ +From f57cc2310792c7efb61188a6e73dc357a7a5ceb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 11:53:35 +0530 +Subject: dmaengine: pch_dma.c: Avoid data race between probe and irq handler + +From: Madhuparna Bhowmik + +[ Upstream commit 2e45676a4d33af47259fa186ea039122ce263ba9 ] + +pd->dma.dev is read in irq handler pd_irq(). +However, it is set to pdev->dev after request_irq(). +Therefore, set pd->dma.dev to pdev->dev before request_irq() to +avoid data race between pch_dma_probe() and pd_irq(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200416062335.29223-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pch_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/pch_dma.c b/drivers/dma/pch_dma.c +index 581e7a290d98e..a3b0b4c56a190 100644 +--- a/drivers/dma/pch_dma.c ++++ b/drivers/dma/pch_dma.c +@@ -865,6 +865,7 @@ static int pch_dma_probe(struct pci_dev *pdev, + } + + pci_set_master(pdev); ++ pd->dma.dev = &pdev->dev; + + err = request_irq(pdev->irq, pd_irq, IRQF_SHARED, DRV_NAME, pd); + if (err) { +@@ -880,7 +881,6 @@ static int pch_dma_probe(struct pci_dev *pdev, + goto err_free_irq; + } + +- pd->dma.dev = &pdev->dev; + + INIT_LIST_HEAD(&pd->dma.channels); + +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-check-if-refclk_cntl-register-is-pre.patch b/queue-5.4/drm-amd-display-check-if-refclk_cntl-register-is-pre.patch new file mode 100644 index 00000000000..6e58719d4c2 --- /dev/null +++ b/queue-5.4/drm-amd-display-check-if-refclk_cntl-register-is-pre.patch @@ -0,0 +1,38 @@ +From f6254793cb4507a9f9133528e0834bdbc519d1a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 18:07:52 -0400 +Subject: drm/amd/display: check if REFCLK_CNTL register is present + +From: Dmytro Laktyushkin + +[ Upstream commit 3159d41db3a04330c31ece32f8b29752fc114848 ] + +Check before programming the register since it isn't present on +all IPs using this code. + +Signed-off-by: Dmytro Laktyushkin +Reviewed-by: Eric Bernstein +Acked-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +index e933f6a369f92..083c42e521f5c 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -2015,7 +2015,8 @@ static void dcn20_fpga_init_hw(struct dc *dc) + + REG_UPDATE(DCHUBBUB_GLOBAL_TIMER_CNTL, DCHUBBUB_GLOBAL_TIMER_REFDIV, 2); + REG_UPDATE(DCHUBBUB_GLOBAL_TIMER_CNTL, DCHUBBUB_GLOBAL_TIMER_ENABLE, 1); +- REG_WRITE(REFCLK_CNTL, 0); ++ if (REG(REFCLK_CNTL)) ++ REG_WRITE(REFCLK_CNTL, 0); + // + + +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-display-update-downspread-percent-to-match-s.patch b/queue-5.4/drm-amd-display-update-downspread-percent-to-match-s.patch new file mode 100644 index 00000000000..cb11863158e --- /dev/null +++ b/queue-5.4/drm-amd-display-update-downspread-percent-to-match-s.patch @@ -0,0 +1,44 @@ +From a2b127512fed5def870dd074a3a4f1ebcd1cd8a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 18:07:57 -0400 +Subject: drm/amd/display: Update downspread percent to match spreadsheet for + DCN2.1 + +From: Sung Lee + +[ Upstream commit 668a6741f809f2d15d125cfe2b39661e8f1655ea ] + +[WHY] +The downspread percentage was copied over from a previous version +of the display_mode_lib spreadsheet. This value has been updated, +and the previous value is too high to allow for such modes as +4K120hz. The new value is sufficient for such modes. + +[HOW] +Update the value in dcn21_resource to match the spreadsheet. + +Signed-off-by: Sung Lee +Reviewed-by: Yongqiang Sun +Acked-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +index 161bf7caf3ae0..bb7add5ea2273 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +@@ -247,7 +247,7 @@ struct _vcs_dpi_soc_bounding_box_st dcn2_1_soc = { + .dram_channel_width_bytes = 4, + .fabric_datapath_to_dcn_data_return_bytes = 32, + .dcn_downspread_percent = 0.5, +- .downspread_percent = 0.5, ++ .downspread_percent = 0.38, + .dram_page_open_time_ns = 50.0, + .dram_rw_turnaround_time_ns = 17.5, + .dram_return_buffer_per_channel_bytes = 8192, +-- +2.20.1 + diff --git a/queue-5.4/drm-amd-powerplay-avoid-using-pm_en-before-it-is-ini.patch b/queue-5.4/drm-amd-powerplay-avoid-using-pm_en-before-it-is-ini.patch new file mode 100644 index 00000000000..02bb3f80a0e --- /dev/null +++ b/queue-5.4/drm-amd-powerplay-avoid-using-pm_en-before-it-is-ini.patch @@ -0,0 +1,55 @@ +From 814e9aee4f5b75e18d4c45acf08bfbce3e51f529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 19:03:17 +0800 +Subject: drm/amd/powerplay: avoid using pm_en before it is initialized revised + +From: Tiecheng Zhou + +[ Upstream commit 690ae30be163d5262feae01335b2a6f30569e5aa ] + +hwmgr->pm_en is initialized at hwmgr_hw_init. + +during amdgpu_device_init, there is amdgpu_asic_reset that calls to +soc15_asic_reset (for V320 usecase, Vega10 asic), in which: +1) soc15_asic_reset_method calls to pp_get_asic_baco_capability (pm_en) +2) soc15_asic_baco_reset calls to pp_set_asic_baco_state (pm_en) + +pm_en is used in the above two cases while it has not yet been initialized + +So avoid using pm_en in the above two functions for V320 passthrough. + +Reviewed-by: Evan Quan +Signed-off-by: Tiecheng Zhou +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/powerplay/amd_powerplay.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/powerplay/amd_powerplay.c +index d306cc7119976..8bb5fbef7de0f 100644 +--- a/drivers/gpu/drm/amd/powerplay/amd_powerplay.c ++++ b/drivers/gpu/drm/amd/powerplay/amd_powerplay.c +@@ -1425,7 +1425,8 @@ static int pp_get_asic_baco_capability(void *handle, bool *cap) + if (!hwmgr) + return -EINVAL; + +- if (!hwmgr->pm_en || !hwmgr->hwmgr_func->get_asic_baco_capability) ++ if (!(hwmgr->not_vf && amdgpu_dpm) || ++ !hwmgr->hwmgr_func->get_asic_baco_capability) + return 0; + + mutex_lock(&hwmgr->smu_lock); +@@ -1459,7 +1460,8 @@ static int pp_set_asic_baco_state(void *handle, int state) + if (!hwmgr) + return -EINVAL; + +- if (!hwmgr->pm_en || !hwmgr->hwmgr_func->set_asic_baco_state) ++ if (!(hwmgr->not_vf && amdgpu_dpm) || ++ !hwmgr->hwmgr_func->set_asic_baco_state) + return 0; + + mutex_lock(&hwmgr->smu_lock); +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-force-fbdev-into-vram.patch b/queue-5.4/drm-amdgpu-force-fbdev-into-vram.patch new file mode 100644 index 00000000000..636cb831652 --- /dev/null +++ b/queue-5.4/drm-amdgpu-force-fbdev-into-vram.patch @@ -0,0 +1,42 @@ +From 101523099d2cfc64c24a1c2cd0ce391c16205682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 09:42:26 -0400 +Subject: drm/amdgpu: force fbdev into vram +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit a6aacb2b26e85aa619cf0c6f98d0ca77314cd2a1 ] + +We set the fb smem pointer to the offset into the BAR, so keep +the fbdev bo in vram. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=207581 +Fixes: 6c8d74caa2fa33 ("drm/amdgpu: Enable scatter gather display support") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c +index 143753d237e7c..eaa5e7b7c19d6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c +@@ -133,8 +133,7 @@ static int amdgpufb_create_pinned_object(struct amdgpu_fbdev *rfbdev, + u32 cpp; + u64 flags = AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED | + AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS | +- AMDGPU_GEM_CREATE_VRAM_CLEARED | +- AMDGPU_GEM_CREATE_CPU_GTT_USWC; ++ AMDGPU_GEM_CREATE_VRAM_CLEARED; + + info = drm_get_format_info(adev->ddev, mode_cmd); + cpp = info->cpp[0]; +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-invalidate-l2-before-sdma-ibs-v2.patch b/queue-5.4/drm-amdgpu-invalidate-l2-before-sdma-ibs-v2.patch new file mode 100644 index 00000000000..d58808bef55 --- /dev/null +++ b/queue-5.4/drm-amdgpu-invalidate-l2-before-sdma-ibs-v2.patch @@ -0,0 +1,89 @@ +From a792f94ea5a6334820b4599f2c5c89046e73c331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 15:59:22 -0400 +Subject: drm/amdgpu: invalidate L2 before SDMA IBs (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Olšák + +[ Upstream commit fdf83646c0542ecfb9adc4db8f741a1f43dca058 ] + +This fixes GPU hangs due to cache coherency issues. + +v2: Split the version bump to a separate patch + +Signed-off-by: Marek Olšák +Reviewed-by: Christian König +Tested-by: Pierre-Eric Pelloux-Prayer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdgpu/navi10_sdma_pkt_open.h | 16 ++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 14 +++++++++++++- + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/navi10_sdma_pkt_open.h b/drivers/gpu/drm/amd/amdgpu/navi10_sdma_pkt_open.h +index 074a9a09c0a79..a5b60c9a24189 100644 +--- a/drivers/gpu/drm/amd/amdgpu/navi10_sdma_pkt_open.h ++++ b/drivers/gpu/drm/amd/amdgpu/navi10_sdma_pkt_open.h +@@ -73,6 +73,22 @@ + #define SDMA_OP_AQL_COPY 0 + #define SDMA_OP_AQL_BARRIER_OR 0 + ++#define SDMA_GCR_RANGE_IS_PA (1 << 18) ++#define SDMA_GCR_SEQ(x) (((x) & 0x3) << 16) ++#define SDMA_GCR_GL2_WB (1 << 15) ++#define SDMA_GCR_GL2_INV (1 << 14) ++#define SDMA_GCR_GL2_DISCARD (1 << 13) ++#define SDMA_GCR_GL2_RANGE(x) (((x) & 0x3) << 11) ++#define SDMA_GCR_GL2_US (1 << 10) ++#define SDMA_GCR_GL1_INV (1 << 9) ++#define SDMA_GCR_GLV_INV (1 << 8) ++#define SDMA_GCR_GLK_INV (1 << 7) ++#define SDMA_GCR_GLK_WB (1 << 6) ++#define SDMA_GCR_GLM_INV (1 << 5) ++#define SDMA_GCR_GLM_WB (1 << 4) ++#define SDMA_GCR_GL1_RANGE(x) (((x) & 0x3) << 2) ++#define SDMA_GCR_GLI_INV(x) (((x) & 0x3) << 0) ++ + /*define for op field*/ + #define SDMA_PKT_HEADER_op_offset 0 + #define SDMA_PKT_HEADER_op_mask 0x000000FF +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c +index 2a792d7abe007..bd715012185c6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c +@@ -382,6 +382,18 @@ static void sdma_v5_0_ring_emit_ib(struct amdgpu_ring *ring, + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + uint64_t csa_mc_addr = amdgpu_sdma_get_csa_mc_addr(ring, vmid); + ++ /* Invalidate L2, because if we don't do it, we might get stale cache ++ * lines from previous IBs. ++ */ ++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_GCR_REQ)); ++ amdgpu_ring_write(ring, 0); ++ amdgpu_ring_write(ring, (SDMA_GCR_GL2_INV | ++ SDMA_GCR_GL2_WB | ++ SDMA_GCR_GLM_INV | ++ SDMA_GCR_GLM_WB) << 16); ++ amdgpu_ring_write(ring, 0xffffff80); ++ amdgpu_ring_write(ring, 0xffff); ++ + /* An IB packet must end on a 8 DW boundary--the next dword + * must be on a 8-dword boundary. Our IB packet below is 6 + * dwords long, thus add x number of NOPs, such that, in +@@ -1607,7 +1619,7 @@ static const struct amdgpu_ring_funcs sdma_v5_0_ring_funcs = { + SOC15_FLUSH_GPU_TLB_NUM_WREG * 3 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 6 * 2 + + 10 + 10 + 10, /* sdma_v5_0_ring_emit_fence x3 for user fence, vm fence */ +- .emit_ib_size = 7 + 6, /* sdma_v5_0_ring_emit_ib */ ++ .emit_ib_size = 5 + 7 + 6, /* sdma_v5_0_ring_emit_ib */ + .emit_ib = sdma_v5_0_ring_emit_ib, + .emit_fence = sdma_v5_0_ring_emit_fence, + .emit_pipeline_sync = sdma_v5_0_ring_emit_pipeline_sync, +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-simplify-padding-calculations-v2.patch b/queue-5.4/drm-amdgpu-simplify-padding-calculations-v2.patch new file mode 100644 index 00000000000..67a8acc48d4 --- /dev/null +++ b/queue-5.4/drm-amdgpu-simplify-padding-calculations-v2.patch @@ -0,0 +1,163 @@ +From 75024c6868f2d70bc93e8e75200516d86042daf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 19:30:13 -0400 +Subject: drm/amdgpu: simplify padding calculations (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luben Tuikov + +[ Upstream commit ce73516d42c9ab011fad498168b892d28e181db4 ] + +Simplify padding calculations. + +v2: Comment update and spacing. + +Signed-off-by: Luben Tuikov +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 17 ++++++++++++----- + 5 files changed, 20 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +index c45304f1047c5..4af9acc2dc4f9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +@@ -228,7 +228,7 @@ static void cik_sdma_ring_emit_ib(struct amdgpu_ring *ring, + u32 extra_bits = vmid & 0xf; + + /* IB packet must end on a 8 DW boundary */ +- cik_sdma_ring_insert_nop(ring, (12 - (lower_32_bits(ring->wptr) & 7)) % 8); ++ cik_sdma_ring_insert_nop(ring, (4 - lower_32_bits(ring->wptr)) & 7); + + amdgpu_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_INDIRECT_BUFFER, 0, extra_bits)); + amdgpu_ring_write(ring, ib->gpu_addr & 0xffffffe0); /* base must be 32 byte aligned */ +@@ -811,7 +811,7 @@ static void cik_sdma_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib) + u32 pad_count; + int i; + +- pad_count = (8 - (ib->length_dw & 0x7)) % 8; ++ pad_count = (-ib->length_dw) & 7; + for (i = 0; i < pad_count; i++) + if (sdma && sdma->burst_nop && (i == 0)) + ib->ptr[ib->length_dw++] = +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c b/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c +index a101758380130..b6af67f6f2149 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c +@@ -255,7 +255,7 @@ static void sdma_v2_4_ring_emit_ib(struct amdgpu_ring *ring, + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + + /* IB packet must end on a 8 DW boundary */ +- sdma_v2_4_ring_insert_nop(ring, (10 - (lower_32_bits(ring->wptr) & 7)) % 8); ++ sdma_v2_4_ring_insert_nop(ring, (2 - lower_32_bits(ring->wptr)) & 7); + + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_INDIRECT) | + SDMA_PKT_INDIRECT_HEADER_VMID(vmid & 0xf)); +@@ -750,7 +750,7 @@ static void sdma_v2_4_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib + u32 pad_count; + int i; + +- pad_count = (8 - (ib->length_dw & 0x7)) % 8; ++ pad_count = (-ib->length_dw) & 7; + for (i = 0; i < pad_count; i++) + if (sdma && sdma->burst_nop && (i == 0)) + ib->ptr[ib->length_dw++] = +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c +index 5f4e2c616241f..cd3ebed46d05f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c +@@ -429,7 +429,7 @@ static void sdma_v3_0_ring_emit_ib(struct amdgpu_ring *ring, + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + + /* IB packet must end on a 8 DW boundary */ +- sdma_v3_0_ring_insert_nop(ring, (10 - (lower_32_bits(ring->wptr) & 7)) % 8); ++ sdma_v3_0_ring_insert_nop(ring, (2 - lower_32_bits(ring->wptr)) & 7); + + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_INDIRECT) | + SDMA_PKT_INDIRECT_HEADER_VMID(vmid & 0xf)); +@@ -1021,7 +1021,7 @@ static void sdma_v3_0_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib + u32 pad_count; + int i; + +- pad_count = (8 - (ib->length_dw & 0x7)) % 8; ++ pad_count = (-ib->length_dw) & 7; + for (i = 0; i < pad_count; i++) + if (sdma && sdma->burst_nop && (i == 0)) + ib->ptr[ib->length_dw++] = +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +index 4554e72c83786..23de332f3c6ed 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -698,7 +698,7 @@ static void sdma_v4_0_ring_emit_ib(struct amdgpu_ring *ring, + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + + /* IB packet must end on a 8 DW boundary */ +- sdma_v4_0_ring_insert_nop(ring, (10 - (lower_32_bits(ring->wptr) & 7)) % 8); ++ sdma_v4_0_ring_insert_nop(ring, (2 - lower_32_bits(ring->wptr)) & 7); + + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_INDIRECT) | + SDMA_PKT_INDIRECT_HEADER_VMID(vmid & 0xf)); +@@ -1579,7 +1579,7 @@ static void sdma_v4_0_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib + u32 pad_count; + int i; + +- pad_count = (8 - (ib->length_dw & 0x7)) % 8; ++ pad_count = (-ib->length_dw) & 7; + for (i = 0; i < pad_count; i++) + if (sdma && sdma->burst_nop && (i == 0)) + ib->ptr[ib->length_dw++] = +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c +index 8493bfbbc1484..2a792d7abe007 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c +@@ -382,8 +382,15 @@ static void sdma_v5_0_ring_emit_ib(struct amdgpu_ring *ring, + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + uint64_t csa_mc_addr = amdgpu_sdma_get_csa_mc_addr(ring, vmid); + +- /* IB packet must end on a 8 DW boundary */ +- sdma_v5_0_ring_insert_nop(ring, (10 - (lower_32_bits(ring->wptr) & 7)) % 8); ++ /* An IB packet must end on a 8 DW boundary--the next dword ++ * must be on a 8-dword boundary. Our IB packet below is 6 ++ * dwords long, thus add x number of NOPs, such that, in ++ * modular arithmetic, ++ * wptr + 6 + x = 8k, k >= 0, which in C is, ++ * (wptr + 6 + x) % 8 = 0. ++ * The expression below, is a solution of x. ++ */ ++ sdma_v5_0_ring_insert_nop(ring, (2 - lower_32_bits(ring->wptr)) & 7); + + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_INDIRECT) | + SDMA_PKT_INDIRECT_HEADER_VMID(vmid & 0xf)); +@@ -1086,10 +1093,10 @@ static void sdma_v5_0_vm_set_pte_pde(struct amdgpu_ib *ib, + } + + /** +- * sdma_v5_0_ring_pad_ib - pad the IB to the required number of dw +- * ++ * sdma_v5_0_ring_pad_ib - pad the IB + * @ib: indirect buffer to fill with padding + * ++ * Pad the IB with NOPs to a boundary multiple of 8. + */ + static void sdma_v5_0_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib) + { +@@ -1097,7 +1104,7 @@ static void sdma_v5_0_ring_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib + u32 pad_count; + int i; + +- pad_count = (8 - (ib->length_dw & 0x7)) % 8; ++ pad_count = (-ib->length_dw) & 0x7; + for (i = 0; i < pad_count; i++) + if (sdma && sdma->burst_nop && (i == 0)) + ib->ptr[ib->length_dw++] = +-- +2.20.1 + diff --git a/queue-5.4/drm-i915-don-t-enable-waincreaselatencyipcenabled-wh.patch b/queue-5.4/drm-i915-don-t-enable-waincreaselatencyipcenabled-wh.patch new file mode 100644 index 00000000000..d3010dd7ce9 --- /dev/null +++ b/queue-5.4/drm-i915-don-t-enable-waincreaselatencyipcenabled-wh.patch @@ -0,0 +1,46 @@ +From 7b7abb945c40af25d618f120c1963a4592a97256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 14:46:54 -0700 +Subject: drm/i915: Don't enable WaIncreaseLatencyIPCEnabled when IPC is + disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sultan Alsawaf + +[ Upstream commit 421abe200321a2c907ede1a6208c558284ba0b75 ] + +In commit 5a7d202b1574, a logical AND was erroneously changed to an OR, +causing WaIncreaseLatencyIPCEnabled to be enabled unconditionally for +kabylake and coffeelake, even when IPC is disabled. Fix the logic so +that WaIncreaseLatencyIPCEnabled is only used when IPC is enabled. + +Fixes: 5a7d202b1574 ("drm/i915: Drop WaIncreaseLatencyIPCEnabled/1140 for cnl") +Cc: stable@vger.kernel.org # 5.3.x+ +Signed-off-by: Sultan Alsawaf +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20200430214654.51314-1-sultan@kerneltoast.com +(cherry picked from commit 690d22dafa88b82453516387b475664047a6bd14) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/intel_pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 3ccfc025fde21..ade607d93e45d 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4784,7 +4784,7 @@ static void skl_compute_plane_wm(const struct intel_crtc_state *crtc_state, + * WaIncreaseLatencyIPCEnabled: kbl,cfl + * Display WA #1141: kbl,cfl + */ +- if ((IS_KABYLAKE(dev_priv) || IS_COFFEELAKE(dev_priv)) || ++ if ((IS_KABYLAKE(dev_priv) || IS_COFFEELAKE(dev_priv)) && + dev_priv->ipc_enabled) + latency += 4; + +-- +2.20.1 + diff --git a/queue-5.4/drm-i915-gvt-fix-kernel-oops-for-3-level-ppgtt-guest.patch b/queue-5.4/drm-i915-gvt-fix-kernel-oops-for-3-level-ppgtt-guest.patch new file mode 100644 index 00000000000..164714bcd45 --- /dev/null +++ b/queue-5.4/drm-i915-gvt-fix-kernel-oops-for-3-level-ppgtt-guest.patch @@ -0,0 +1,47 @@ +From e84901885e22a7456b0309779adc0dcbecd8d607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 17:59:18 +0800 +Subject: drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest + +From: Zhenyu Wang + +[ Upstream commit 72a7a9925e2beea09b109dffb3384c9bf920d9da ] + +As i915 won't allocate extra PDP for current default PML4 table, +so for 3-level ppgtt guest, we would hit kernel pointer access +failure on extra PDP pointers. So this trys to bypass that now. +It won't impact real shadow PPGTT setup, so guest context still +works. + +This is verified on 4.15 guest kernel with i915.enable_ppgtt=1 +to force on old aliasing ppgtt behavior. + +Fixes: 4f15665ccbba ("drm/i915: Add ppgtt to GVT GEM context") +Reviewed-by: Xiong Zhang +Signed-off-by: Zhenyu Wang +Link: http://patchwork.freedesktop.org/patch/msgid/20200506095918.124913-1-zhenyuw@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gvt/scheduler.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c +index 6c79d16b381ea..058dcd5416440 100644 +--- a/drivers/gpu/drm/i915/gvt/scheduler.c ++++ b/drivers/gpu/drm/i915/gvt/scheduler.c +@@ -374,7 +374,11 @@ static void set_context_ppgtt_from_shadow(struct intel_vgpu_workload *workload, + for (i = 0; i < GVT_RING_CTX_NR_PDPS; i++) { + struct i915_page_directory * const pd = + i915_pd_entry(ppgtt->pd, i); +- ++ /* skip now as current i915 ppgtt alloc won't allocate ++ top level pdp for non 4-level table, won't impact ++ shadow ppgtt. */ ++ if (!pd) ++ break; + px_dma(pd) = mm->ppgtt_mm.shadow_pdps[i]; + } + } +-- +2.20.1 + diff --git a/queue-5.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch b/queue-5.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch new file mode 100644 index 00000000000..14a330594ff --- /dev/null +++ b/queue-5.4/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch @@ -0,0 +1,36 @@ +From 062679e42734aa39517872d90fb5b8e16250b592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 12:34:36 +0300 +Subject: drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() + +From: Vasily Averin + +[ Upstream commit 5b5703dbafae74adfbe298a56a81694172caf5e6 ] + +v2: removed TODO reminder + +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/a4e0ae09-a73c-1c62-04ef-3f990d41bea9@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c +index 43688ecdd8a04..60ab7151b84dc 100644 +--- a/drivers/gpu/drm/qxl/qxl_image.c ++++ b/drivers/gpu/drm/qxl/qxl_image.c +@@ -212,7 +212,8 @@ qxl_image_init_helper(struct qxl_device *qdev, + break; + default: + DRM_ERROR("unsupported image bit depth\n"); +- return -EINVAL; /* TODO: cleanup */ ++ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr); ++ return -EINVAL; + } + image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN; + image->u.bitmap.x = width; +-- +2.20.1 + diff --git a/queue-5.4/fork-prevent-accidental-access-to-clone3-features.patch b/queue-5.4/fork-prevent-accidental-access-to-clone3-features.patch new file mode 100644 index 00000000000..20b86522461 --- /dev/null +++ b/queue-5.4/fork-prevent-accidental-access-to-clone3-features.patch @@ -0,0 +1,133 @@ +From adc7da559f0ce32395b9a0fed2ea1ba767742d73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 12:32:14 +0200 +Subject: fork: prevent accidental access to clone3 features + +From: Christian Brauner + +[ Upstream commit 3f2c788a13143620c5471ac96ac4f033fc9ac3f3 ] + +Jan reported an issue where an interaction between sign-extending clone's +flag argument on ppc64le and the new CLONE_INTO_CGROUP feature causes +clone() to consistently fail with EBADF. + +The whole story is a little longer. The legacy clone() syscall is odd in a +bunch of ways and here two things interact. First, legacy clone's flag +argument is word-size dependent, i.e. it's an unsigned long whereas most +system calls with flag arguments use int or unsigned int. Second, legacy +clone() ignores unknown and deprecated flags. The two of them taken +together means that users on 64bit systems can pass garbage for the upper +32bit of the clone() syscall since forever and things would just work fine. +Just try this on a 64bit kernel prior to v5.7-rc1 where this will succeed +and on v5.7-rc1 where this will fail with EBADF: + +int main(int argc, char *argv[]) +{ + pid_t pid; + + /* Note that legacy clone() has different argument ordering on + * different architectures so this won't work everywhere. + * + * Only set the upper 32 bits. + */ + pid = syscall(__NR_clone, 0xffffffff00000000 | SIGCHLD, + NULL, NULL, NULL, NULL); + if (pid < 0) + exit(EXIT_FAILURE); + if (pid == 0) + exit(EXIT_SUCCESS); + if (wait(NULL) != pid) + exit(EXIT_FAILURE); + + exit(EXIT_SUCCESS); +} + +Since legacy clone() couldn't be extended this was not a problem so far and +nobody really noticed or cared since nothing in the kernel ever bothered to +look at the upper 32 bits. + +But once we introduced clone3() and expanded the flag argument in struct +clone_args to 64 bit we opened this can of worms. With the first flag-based +extension to clone3() making use of the upper 32 bits of the flag argument +we've effectively made it possible for the legacy clone() syscall to reach +clone3() only flags. The sign extension scenario is just the odd +corner-case that we needed to figure this out. + +The reason we just realized this now and not already when we introduced +CLONE_CLEAR_SIGHAND was that CLONE_INTO_CGROUP assumes that a valid cgroup +file descriptor has been given. So the sign extension (or the user +accidently passing garbage for the upper 32 bits) caused the +CLONE_INTO_CGROUP bit to be raised and the kernel to error out when it +didn't find a valid cgroup file descriptor. + +Let's fix this by always capping the upper 32 bits for all codepaths that +are not aware of clone3() features. This ensures that we can't reach +clone3() only features by accident via legacy clone as with the sign +extension case and also that legacy clone() works exactly like before, i.e. +ignoring any unknown flags. This solution risks no regressions and is also +pretty clean. + +Fixes: 7f192e3cd316 ("fork: add clone3") +Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups") +Reported-by: Jan Stancek +Signed-off-by: Christian Brauner +Cc: Arnd Bergmann +Cc: Dmitry V. Levin +Cc: Andreas Schwab +Cc: Florian Weimer +Cc: libc-alpha@sourceware.org +Cc: stable@vger.kernel.org # 5.3+ +Link: https://sourceware.org/pipermail/libc-alpha/2020-May/113596.html +Link: https://lore.kernel.org/r/20200507103214.77218-1-christian.brauner@ubuntu.com +Signed-off-by: Sasha Levin +--- + kernel/fork.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/kernel/fork.c b/kernel/fork.c +index 27c0ef30002e2..9180f4416dbab 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -2412,11 +2412,11 @@ long do_fork(unsigned long clone_flags, + int __user *child_tidptr) + { + struct kernel_clone_args args = { +- .flags = (clone_flags & ~CSIGNAL), ++ .flags = (lower_32_bits(clone_flags) & ~CSIGNAL), + .pidfd = parent_tidptr, + .child_tid = child_tidptr, + .parent_tid = parent_tidptr, +- .exit_signal = (clone_flags & CSIGNAL), ++ .exit_signal = (lower_32_bits(clone_flags) & CSIGNAL), + .stack = stack_start, + .stack_size = stack_size, + }; +@@ -2434,8 +2434,9 @@ long do_fork(unsigned long clone_flags, + pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) + { + struct kernel_clone_args args = { +- .flags = ((flags | CLONE_VM | CLONE_UNTRACED) & ~CSIGNAL), +- .exit_signal = (flags & CSIGNAL), ++ .flags = ((lower_32_bits(flags) | CLONE_VM | ++ CLONE_UNTRACED) & ~CSIGNAL), ++ .exit_signal = (lower_32_bits(flags) & CSIGNAL), + .stack = (unsigned long)fn, + .stack_size = (unsigned long)arg, + }; +@@ -2496,11 +2497,11 @@ SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp, + #endif + { + struct kernel_clone_args args = { +- .flags = (clone_flags & ~CSIGNAL), ++ .flags = (lower_32_bits(clone_flags) & ~CSIGNAL), + .pidfd = parent_tidptr, + .child_tid = child_tidptr, + .parent_tid = parent_tidptr, +- .exit_signal = (clone_flags & CSIGNAL), ++ .exit_signal = (lower_32_bits(clone_flags) & CSIGNAL), + .stack = newsp, + .tls = tls, + }; +-- +2.20.1 + diff --git a/queue-5.4/gfs2-another-gfs2_walk_metadata-fix.patch b/queue-5.4/gfs2-another-gfs2_walk_metadata-fix.patch new file mode 100644 index 00000000000..afb0ff5816c --- /dev/null +++ b/queue-5.4/gfs2-another-gfs2_walk_metadata-fix.patch @@ -0,0 +1,77 @@ +From 8580a1b9ea1a8a67f8eb206d4b681b80524d742c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 19:42:04 +0200 +Subject: gfs2: Another gfs2_walk_metadata fix + +From: Andreas Gruenbacher + +[ Upstream commit 566a2ab3c9005f62e784bd39022d58d34ef4365c ] + +Make sure we don't walk past the end of the metadata in gfs2_walk_metadata: the +inode holds fewer pointers than indirect blocks. + +Slightly clean up gfs2_iomap_get. + +Fixes: a27a0c9b6a20 ("gfs2: gfs2_walk_metadata fix") +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index f63df54a08c6c..adbb8fef22162 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -528,10 +528,12 @@ static int gfs2_walk_metadata(struct inode *inode, struct metapath *mp, + + /* Advance in metadata tree. */ + (mp->mp_list[hgt])++; +- if (mp->mp_list[hgt] >= sdp->sd_inptrs) { +- if (!hgt) ++ if (hgt) { ++ if (mp->mp_list[hgt] >= sdp->sd_inptrs) ++ goto lower_metapath; ++ } else { ++ if (mp->mp_list[hgt] >= sdp->sd_diptrs) + break; +- goto lower_metapath; + } + + fill_up_metapath: +@@ -876,10 +878,9 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + ret = -ENOENT; + goto unlock; + } else { +- /* report a hole */ + iomap->offset = pos; + iomap->length = length; +- goto do_alloc; ++ goto hole_found; + } + } + iomap->length = size; +@@ -933,8 +934,6 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + return ret; + + do_alloc: +- iomap->addr = IOMAP_NULL_ADDR; +- iomap->type = IOMAP_HOLE; + if (flags & IOMAP_REPORT) { + if (pos >= size) + ret = -ENOENT; +@@ -956,6 +955,9 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + if (pos < size && height == ip->i_height) + ret = gfs2_hole_size(inode, lblock, len, mp, iomap); + } ++hole_found: ++ iomap->addr = IOMAP_NULL_ADDR; ++ iomap->type = IOMAP_HOLE; + goto out; + } + +-- +2.20.1 + diff --git a/queue-5.4/gfs2-more-gfs2_find_jhead-fixes.patch b/queue-5.4/gfs2-more-gfs2_find_jhead-fixes.patch new file mode 100644 index 00000000000..f30095ea7a7 --- /dev/null +++ b/queue-5.4/gfs2-more-gfs2_find_jhead-fixes.patch @@ -0,0 +1,84 @@ +From 43545c0c484fd1950bbe3f2889e9bceaef166cd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 01:15:41 +0200 +Subject: gfs2: More gfs2_find_jhead fixes + +From: Andreas Gruenbacher + +[ Upstream commit aa83da7f47b26c9587bade6c4bc4736ffa308f0a ] + +It turns out that when extending an existing bio, gfs2_find_jhead fails to +check if the block number is consecutive, which leads to incorrect reads for +fragmented journals. + +In addition, limit the maximum bio size to an arbitrary value of 2 megabytes: +since commit 07173c3ec276 ("block: enable multipage bvecs"), if we just keep +adding pages until bio_add_page fails, bios will grow much larger than useful, +which pins more memory than necessary with barely any additional performance +gains. + +Fixes: f4686c26ecc3 ("gfs2: read journal in large chunks") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +--- + fs/gfs2/lops.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c +index 7ca84be20cf69..8303b44a50682 100644 +--- a/fs/gfs2/lops.c ++++ b/fs/gfs2/lops.c +@@ -264,7 +264,7 @@ static struct bio *gfs2_log_alloc_bio(struct gfs2_sbd *sdp, u64 blkno, + struct super_block *sb = sdp->sd_vfs; + struct bio *bio = bio_alloc(GFP_NOIO, BIO_MAX_PAGES); + +- bio->bi_iter.bi_sector = blkno << (sb->s_blocksize_bits - 9); ++ bio->bi_iter.bi_sector = blkno << sdp->sd_fsb2bb_shift; + bio_set_dev(bio, sb->s_bdev); + bio->bi_end_io = end_io; + bio->bi_private = sdp; +@@ -504,7 +504,7 @@ int gfs2_find_jhead(struct gfs2_jdesc *jd, struct gfs2_log_header_host *head, + unsigned int bsize = sdp->sd_sb.sb_bsize, off; + unsigned int bsize_shift = sdp->sd_sb.sb_bsize_shift; + unsigned int shift = PAGE_SHIFT - bsize_shift; +- unsigned int readahead_blocks = BIO_MAX_PAGES << shift; ++ unsigned int max_bio_size = 2 * 1024 * 1024; + struct gfs2_journal_extent *je; + int sz, ret = 0; + struct bio *bio = NULL; +@@ -532,12 +532,17 @@ int gfs2_find_jhead(struct gfs2_jdesc *jd, struct gfs2_log_header_host *head, + off = 0; + } + +- if (!bio || (bio_chained && !off)) { ++ if (!bio || (bio_chained && !off) || ++ bio->bi_iter.bi_size >= max_bio_size) { + /* start new bio */ + } else { +- sz = bio_add_page(bio, page, bsize, off); +- if (sz == bsize) +- goto block_added; ++ sector_t sector = dblock << sdp->sd_fsb2bb_shift; ++ ++ if (bio_end_sector(bio) == sector) { ++ sz = bio_add_page(bio, page, bsize, off); ++ if (sz == bsize) ++ goto block_added; ++ } + if (off) { + unsigned int blocks = + (PAGE_SIZE - off) >> bsize_shift; +@@ -563,7 +568,7 @@ int gfs2_find_jhead(struct gfs2_jdesc *jd, struct gfs2_log_header_host *head, + off += bsize; + if (off == PAGE_SIZE) + page = NULL; +- if (blocks_submitted < blocks_read + readahead_blocks) { ++ if (blocks_submitted < 2 * max_bio_size >> bsize_shift) { + /* Keep at least one bio in flight */ + continue; + } +-- +2.20.1 + diff --git a/queue-5.4/hwmon-da9052-synchronize-access-with-mfd.patch b/queue-5.4/hwmon-da9052-synchronize-access-with-mfd.patch new file mode 100644 index 00000000000..741d37be09d --- /dev/null +++ b/queue-5.4/hwmon-da9052-synchronize-access-with-mfd.patch @@ -0,0 +1,46 @@ +From 68ff36ef69c5c409f9d2282fa9de34f2d695921b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 13:02:19 +0200 +Subject: hwmon: (da9052) Synchronize access with mfd + +From: Samu Nuutamo + +[ Upstream commit 333e22db228f0bd0c839553015a6a8d3db4ba569 ] + +When tsi-as-adc is configured it is possible for in7[0123]_input read to +return an incorrect value if a concurrent read to in[456]_input is +performed. This is caused by a concurrent manipulation of the mux +channel without proper locking as hwmon and mfd use different locks for +synchronization. + +Switch hwmon to use the same lock as mfd when accessing the TSI channel. + +Fixes: 4f16cab19a3d5 ("hwmon: da9052: Add support for TSI channel") +Signed-off-by: Samu Nuutamo +[rebase to current master, reword commit message slightly] +Signed-off-by: Sebastian Reichel +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/da9052-hwmon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/da9052-hwmon.c b/drivers/hwmon/da9052-hwmon.c +index 53b517dbe7e6e..4af2fc309c286 100644 +--- a/drivers/hwmon/da9052-hwmon.c ++++ b/drivers/hwmon/da9052-hwmon.c +@@ -244,9 +244,9 @@ static ssize_t da9052_tsi_show(struct device *dev, + int channel = to_sensor_dev_attr(devattr)->index; + int ret; + +- mutex_lock(&hwmon->hwmon_lock); ++ mutex_lock(&hwmon->da9052->auxadc_lock); + ret = __da9052_read_tsi(dev, channel); +- mutex_unlock(&hwmon->hwmon_lock); ++ mutex_unlock(&hwmon->da9052->auxadc_lock); + + if (ret < 0) + return ret; +-- +2.20.1 + diff --git a/queue-5.4/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch b/queue-5.4/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch new file mode 100644 index 00000000000..e8ec801c759 --- /dev/null +++ b/queue-5.4/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch @@ -0,0 +1,38 @@ +From 3357ff3dcdfd455c2f1bfccf9ce902c9fbc08f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 12:22:11 +0300 +Subject: i40iw: Fix error handling in i40iw_manage_arp_cache() + +From: Dan Carpenter + +[ Upstream commit 37e31d2d26a4124506c24e95434e9baf3405a23a ] + +The i40iw_arp_table() function can return -EOVERFLOW if +i40iw_alloc_resource() fails so we can't just test for "== -1". + +Fixes: 4e9042e647ff ("i40iw: add hw and utils files") +Link: https://lore.kernel.org/r/20200422092211.GA195357@mwanda +Signed-off-by: Dan Carpenter +Acked-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c +index 55a1fbf0e670c..ae8b97c306657 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -534,7 +534,7 @@ void i40iw_manage_arp_cache(struct i40iw_device *iwdev, + int arp_index; + + arp_index = i40iw_arp_table(iwdev, ip_addr, ipv4, mac_addr, action); +- if (arp_index == -1) ++ if (arp_index < 0) + return; + cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false); + if (!cqp_request) +-- +2.20.1 + diff --git a/queue-5.4/ib-core-fix-potential-null-pointer-dereference-in-pk.patch b/queue-5.4/ib-core-fix-potential-null-pointer-dereference-in-pk.patch new file mode 100644 index 00000000000..115c30c1a97 --- /dev/null +++ b/queue-5.4/ib-core-fix-potential-null-pointer-dereference-in-pk.patch @@ -0,0 +1,60 @@ +From 60c28eb55d72fba222d4658ee04b6f44fbfd24af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 10:10:12 +0300 +Subject: IB/core: Fix potential NULL pointer dereference in pkey cache + +From: Jack Morgenstein + +[ Upstream commit 1901b91f99821955eac2bd48fe25ee983385dc00 ] + +The IB core pkey cache is populated by procedure ib_cache_update(). +Initially, the pkey cache pointer is NULL. ib_cache_update allocates a +buffer and populates it with the device's pkeys, via repeated calls to +procedure ib_query_pkey(). + +If there is a failure in populating the pkey buffer via ib_query_pkey(), +ib_cache_update does not replace the old pkey buffer cache with the +updated one -- it leaves the old cache as is. + +Since initially the pkey buffer cache is NULL, when calling +ib_cache_update the first time, a failure in ib_query_pkey() will cause +the pkey buffer cache pointer to remain NULL. + +In this situation, any calls subsequent to ib_get_cached_pkey(), +ib_find_cached_pkey(), or ib_find_cached_pkey_exact() will try to +dereference the NULL pkey cache pointer, causing a kernel panic. + +Fix this by checking the ib_cache_update() return value. + +Fixes: 8faea9fd4a39 ("RDMA/cache: Move the cache per-port data into the main ib_port_data") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20200507071012.100594-1-leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cache.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c +index 65b10efca2b8c..7affe6b4ae210 100644 +--- a/drivers/infiniband/core/cache.c ++++ b/drivers/infiniband/core/cache.c +@@ -1542,8 +1542,11 @@ int ib_cache_setup_one(struct ib_device *device) + if (err) + return err; + +- rdma_for_each_port (device, p) +- ib_cache_update(device, p, true); ++ rdma_for_each_port (device, p) { ++ err = ib_cache_update(device, p, true); ++ if (err) ++ return err; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.4/ib-hfi1-fix-another-case-where-pq-is-left-on-waitlis.patch b/queue-5.4/ib-hfi1-fix-another-case-where-pq-is-left-on-waitlis.patch new file mode 100644 index 00000000000..c19ec9b9b49 --- /dev/null +++ b/queue-5.4/ib-hfi1-fix-another-case-where-pq-is-left-on-waitlis.patch @@ -0,0 +1,59 @@ +From 5e1f2aff5688e9a9d5684ef0223c42025fd42020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 09:09:17 -0400 +Subject: IB/hfi1: Fix another case where pq is left on waitlist + +From: Mike Marciniszyn + +[ Upstream commit fa8dac3968635dec8518a13ac78d662f2aa88e4d ] + +The commit noted below fixed a case where a pq is left on the sdma wait +list. + +It however missed another case. + +user_sdma_send_pkts() has two calls from hfi1_user_sdma_process_request(). + +If the first one fails as indicated by -EBUSY, the pq will be placed on +the waitlist as by design. + +If the second call then succeeds, the pq is still on the waitlist setting +up a race with the interrupt handler if a subsequent request uses a +different SDMA engine + +Fix by deleting the first call. + +The use of pcount and the intent to send a short burst of packets followed +by the larger balance of packets was never correctly implemented, because +the two calls always send pcount packets no matter what. A subsequent +patch will correct that issue. + +Fixes: 9a293d1e21a6 ("IB/hfi1: Ensure pq is not left on waitlist") +Link: https://lore.kernel.org/r/20200504130917.175613.43231.stgit@awfm-01.aw.intel.com +Cc: +Reviewed-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_sdma.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c +index 13e4203497b33..a92346e88628b 100644 +--- a/drivers/infiniband/hw/hfi1/user_sdma.c ++++ b/drivers/infiniband/hw/hfi1/user_sdma.c +@@ -589,10 +589,6 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd, + + set_comp_state(pq, cq, info.comp_idx, QUEUED, 0); + pq->state = SDMA_PKT_Q_ACTIVE; +- /* Send the first N packets in the request to buy us some time */ +- ret = user_sdma_send_pkts(req, pcount); +- if (unlikely(ret < 0 && ret != -EBUSY)) +- goto free_req; + + /* + * This is a somewhat blocking send implementation. +-- +2.20.1 + diff --git a/queue-5.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch b/queue-5.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch new file mode 100644 index 00000000000..47f83ba2f83 --- /dev/null +++ b/queue-5.4/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch @@ -0,0 +1,68 @@ +From d2cc0625f746ac91cb901cd4991d3159c83fbc5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 10:59:21 +0300 +Subject: IB/mlx4: Test return value of calls to ib_get_cached_pkey + +From: Jack Morgenstein + +[ Upstream commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 ] + +In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey() +without checking its return value. If ib_get_cached_pkey() returns an +error code, these functions should return failure. + +Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") +Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") +Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr") +Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/qp.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index bd4aa04416c6b..6e2b3e2f83f16 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -2891,6 +2891,7 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + int send_size; + int header_size; + int spc; ++ int err; + int i; + + if (wr->wr.opcode != IB_WR_SEND) +@@ -2925,7 +2926,9 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + + sqp->ud_header.lrh.virtual_lane = 0; + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); +- ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ if (err) ++ return err; + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + if (sqp->qp.mlx4_ib_qp_type == MLX4_IB_QPT_TUN_SMI_OWNER) + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); +@@ -3212,9 +3215,14 @@ static int build_mlx_header(struct mlx4_ib_sqp *sqp, const struct ib_ud_wr *wr, + } + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); + if (!sqp->qp.ibqp.qp_num) +- ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, ++ &pkey); + else +- ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, ++ &pkey); ++ if (err) ++ return err; ++ + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); + sqp->ud_header.bth.psn = cpu_to_be32((sqp->send_psn++) & ((1 << 24) - 1)); +-- +2.20.1 + diff --git a/queue-5.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch b/queue-5.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch new file mode 100644 index 00000000000..e30ee4730e3 --- /dev/null +++ b/queue-5.4/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch @@ -0,0 +1,125 @@ +From 5e59243e71779c0d51fc3ad4a2631f0af60636ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 17:50:48 -0700 +Subject: ipc/util.c: sysvipc_find_ipc() incorrectly updates position index + +From: Vasily Averin + +[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] + +Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase +position index") is causing this bug (seen on 5.6.8): + + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + + # ipcmk -Q + Message queue id: 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + + # ipcmk -Q + Message queue id: 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcrm -q 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 2 + # ipcrm -q 2 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 3 + # ipcrm -q 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + +Whenever an IPC item with a low id is deleted, the items with higher ids +are duplicated, as if filling a hole. + +new_pos should jump through hole of unused ids, pos can be updated +inside "for" cycle. + +Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") +Reported-by: Andreas Schwab +Reported-by: Randy Dunlap +Signed-off-by: Vasily Averin +Signed-off-by: Andrew Morton +Acked-by: Waiman Long +Cc: NeilBrown +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: Peter Oberparleiter +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: +Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/util.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ipc/util.c b/ipc/util.c +index 594871610d454..1821b6386d3b4 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -764,21 +764,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, + total++; + } + +- *new_pos = pos + 1; ++ ipc = NULL; + if (total >= ids->in_use) +- return NULL; ++ goto out; + + for (; pos < ipc_mni; pos++) { + ipc = idr_find(&ids->ipcs_idr, pos); + if (ipc != NULL) { + rcu_read_lock(); + ipc_lock_object(ipc); +- return ipc; ++ break; + } + } +- +- /* Out of range - return NULL to terminate iteration */ +- return NULL; ++out: ++ *new_pos = pos + 1; ++ return ipc; + } + + static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos) +-- +2.20.1 + diff --git a/queue-5.4/mm-memcg-fix-inconsistent-oom-event-behavior.patch b/queue-5.4/mm-memcg-fix-inconsistent-oom-event-behavior.patch new file mode 100644 index 00000000000..e855f5366b9 --- /dev/null +++ b/queue-5.4/mm-memcg-fix-inconsistent-oom-event-behavior.patch @@ -0,0 +1,78 @@ +From f71344723ce1cfc4cafd64c9c2e9e81659278e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 17:50:34 -0700 +Subject: mm, memcg: fix inconsistent oom event behavior + +From: Yafang Shao + +[ Upstream commit 04fd61a4e01028210a91f0efc408c8bc61a3018c ] + +A recent commit 9852ae3fe529 ("mm, memcg: consider subtrees in +memory.events") changed the behavior of memcg events, which will now +consider subtrees in memory.events. + +But oom_kill event is a special one as it is used in both cgroup1 and +cgroup2. In cgroup1, it is displayed in memory.oom_control. The file +memory.oom_control is in both root memcg and non root memcg, that is +different with memory.event as it only in non-root memcg. That commit +is okay for cgroup2, but it is not okay for cgroup1 as it will cause +inconsistent behavior between root memcg and non-root memcg. + +Here's an example on why this behavior is inconsistent in cgroup1. + + root memcg + / + memcg foo + / + memcg bar + +Suppose there's an oom_kill in memcg bar, then the oon_kill will be + + root memcg : memory.oom_control(oom_kill) 0 + / + memcg foo : memory.oom_control(oom_kill) 1 + / + memcg bar : memory.oom_control(oom_kill) 1 + +For the non-root memcg, its memory.oom_control(oom_kill) includes its +descendants' oom_kill, but for root memcg, it doesn't include its +descendants' oom_kill. That means, memory.oom_control(oom_kill) has +different meanings in different memcgs. That is inconsistent. Then the +user has to know whether the memcg is root or not. + +If we can't fully support it in cgroup1, for example by adding +memory.events.local into cgroup1 as well, then let's don't touch its +original behavior. + +Fixes: 9852ae3fe529 ("mm, memcg: consider subtrees in memory.events") +Reported-by: Randy Dunlap +Signed-off-by: Yafang Shao +Signed-off-by: Andrew Morton +Reviewed-by: Shakeel Butt +Acked-by: Johannes Weiner +Acked-by: Chris Down +Acked-by: Michal Hocko +Cc: +Link: http://lkml.kernel.org/r/20200502141055.7378-1-laoar.shao@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/memcontrol.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h +index 8faca7b525438..fb5b2a41bd456 100644 +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -793,6 +793,8 @@ static inline void memcg_memory_event(struct mem_cgroup *memcg, + atomic_long_inc(&memcg->memory_events[event]); + cgroup_file_notify(&memcg->events_file); + ++ if (!cgroup_subsys_on_dfl(memory_cgrp_subsys)) ++ break; + if (cgrp_dfl_root.flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS) + break; + } while ((memcg = parent_mem_cgroup(memcg)) && +-- +2.20.1 + diff --git a/queue-5.4/mmc-alcor-fix-a-resource-leak-in-the-error-path-for-.patch b/queue-5.4/mmc-alcor-fix-a-resource-leak-in-the-error-path-for-.patch new file mode 100644 index 00000000000..878d809692e --- /dev/null +++ b/queue-5.4/mmc-alcor-fix-a-resource-leak-in-the-error-path-for-.patch @@ -0,0 +1,49 @@ +From 856a262000e26292807b268b794c9557d26d5836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 22:23:55 +0200 +Subject: mmc: alcor: Fix a resource leak in the error path for ->probe() + +From: Christophe JAILLET + +[ Upstream commit 7c277dd2b0ff6a16f1732a66c2c52a29f067163e ] + +If devm_request_threaded_irq() fails, the allocated struct mmc_host needs +to be freed via calling mmc_free_host(), so let's do that. + +Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200426202355.43055-1-christophe.jaillet@wanadoo.fr +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/alcor.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/alcor.c b/drivers/mmc/host/alcor.c +index 1aee485d56d4c..026ca9194ce5b 100644 +--- a/drivers/mmc/host/alcor.c ++++ b/drivers/mmc/host/alcor.c +@@ -1104,7 +1104,7 @@ static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev) + + if (ret) { + dev_err(&pdev->dev, "Failed to get irq for data line\n"); +- return ret; ++ goto free_host; + } + + mutex_init(&host->cmd_mutex); +@@ -1116,6 +1116,10 @@ static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, host); + mmc_add_host(mmc); + return 0; ++ ++free_host: ++ mmc_free_host(mmc); ++ return ret; + } + + static int alcor_pci_sdmmc_drv_remove(struct platform_device *pdev) +-- +2.20.1 + diff --git a/queue-5.4/mmc-block-fix-request-completion-in-the-cqe-timeout-.patch b/queue-5.4/mmc-block-fix-request-completion-in-the-cqe-timeout-.patch new file mode 100644 index 00000000000..78ea1557de5 --- /dev/null +++ b/queue-5.4/mmc-block-fix-request-completion-in-the-cqe-timeout-.patch @@ -0,0 +1,55 @@ +From 47d727f4d8d9cc985bc7e08758b4d3b72599135c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 09:22:27 +0300 +Subject: mmc: block: Fix request completion in the CQE timeout path + +From: Adrian Hunter + +[ Upstream commit c077dc5e0620508a29497dac63a2822324ece52a ] + +First, it should be noted that the CQE timeout (60 seconds) is substantial +so a CQE request that times out is really stuck, and the race between +timeout and completion is extremely unlikely. Nevertheless this patch +fixes an issue with it. + +Commit ad73d6feadbd7b ("mmc: complete requests from ->timeout") +preserved the existing functionality, to complete the request. +However that had only been necessary because the block layer +timeout handler had been marking the request to prevent it from being +completed normally. That restriction was removed at the same time, the +result being that a request that has gone will have been completed anyway. +That is, the completion was unnecessary. + +At the time, the unnecessary completion was harmless because the block +layer would ignore it, although that changed in kernel v5.0. + +Note for stable, this patch will not apply cleanly without patch "mmc: +core: Fix recursive locking issue in CQE recovery path" + +Signed-off-by: Adrian Hunter +Fixes: ad73d6feadbd7b ("mmc: complete requests from ->timeout") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200508062227.23144-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/queue.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c +index 4d1e468d39823..9c0ccb3744c28 100644 +--- a/drivers/mmc/core/queue.c ++++ b/drivers/mmc/core/queue.c +@@ -110,8 +110,7 @@ static enum blk_eh_timer_return mmc_cqe_timed_out(struct request *req) + mmc_cqe_recovery_notifier(mrq); + return BLK_EH_RESET_TIMER; + } +- /* No timeout (XXX: huh? comment doesn't make much sense) */ +- blk_mq_complete_request(req); ++ /* The request has gone already */ + return BLK_EH_DONE; + default: + /* Timeout is handled by mmc core */ +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-check-request-type-before-completing-the-re.patch b/queue-5.4/mmc-core-check-request-type-before-completing-the-re.patch new file mode 100644 index 00000000000..7de82129e78 --- /dev/null +++ b/queue-5.4/mmc-core-check-request-type-before-completing-the-re.patch @@ -0,0 +1,56 @@ +From e7e0345bb688900e36b7d2676388d1bf96d204d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 20:04:02 +0530 +Subject: mmc: core: Check request type before completing the request + +From: Veerabhadrarao Badiganti + +[ Upstream commit e6bfb1bf00852b55f4c771f47ae67004c04d3c87 ] + +In the request completion path with CQE, request type is being checked +after the request is getting completed. This is resulting in returning +the wrong request type and leading to the IO hang issue. + +ASYNC request type is getting returned for DCMD type requests. +Because of this mismatch, mq->cqe_busy flag is never getting cleared +and the driver is not invoking blk_mq_hw_run_queue. So requests are not +getting dispatched to the LLD from the block layer. + +All these eventually leading to IO hang issues. +So, get the request type before completing the request. + +Cc: +Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") +Signed-off-by: Veerabhadrarao Badiganti +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1588775643-18037-2-git-send-email-vbadigan@codeaurora.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/block.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c +index 95b41c0891d02..9d01b5dca5198 100644 +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -1417,6 +1417,7 @@ static void mmc_blk_cqe_complete_rq(struct mmc_queue *mq, struct request *req) + struct mmc_request *mrq = &mqrq->brq.mrq; + struct request_queue *q = req->q; + struct mmc_host *host = mq->card->host; ++ enum mmc_issue_type issue_type = mmc_issue_type(mq, req); + unsigned long flags; + bool put_card; + int err; +@@ -1446,7 +1447,7 @@ static void mmc_blk_cqe_complete_rq(struct mmc_queue *mq, struct request *req) + + spin_lock_irqsave(&mq->lock, flags); + +- mq->in_flight[mmc_issue_type(mq, req)] -= 1; ++ mq->in_flight[issue_type] -= 1; + + put_card = (mmc_tot_in_flight(mq) == 0); + +-- +2.20.1 + diff --git a/queue-5.4/mmc-core-fix-recursive-locking-issue-in-cqe-recovery.patch b/queue-5.4/mmc-core-fix-recursive-locking-issue-in-cqe-recovery.patch new file mode 100644 index 00000000000..19dd3e0cae2 --- /dev/null +++ b/queue-5.4/mmc-core-fix-recursive-locking-issue-in-cqe-recovery.patch @@ -0,0 +1,76 @@ +From 0a132580173144e14ee954ff7ee7fdb882451a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 21:45:33 +0530 +Subject: mmc: core: Fix recursive locking issue in CQE recovery path + +From: Sarthak Garg + +[ Upstream commit 39a22f73744d5baee30b5f134ae2e30b668b66ed ] + +Consider the following stack trace + +-001|raw_spin_lock_irqsave +-002|mmc_blk_cqe_complete_rq +-003|__blk_mq_complete_request(inline) +-003|blk_mq_complete_request(rq) +-004|mmc_cqe_timed_out(inline) +-004|mmc_mq_timed_out + +mmc_mq_timed_out acquires the queue_lock for the first +time. The mmc_blk_cqe_complete_rq function also tries to acquire +the same queue lock resulting in recursive locking where the task +is spinning for the same lock which it has already acquired leading +to watchdog bark. + +Fix this issue with the lock only for the required critical section. + +Cc: +Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") +Suggested-by: Sahitya Tummala +Signed-off-by: Sarthak Garg +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1588868135-31783-1-git-send-email-vbadigan@codeaurora.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/queue.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c +index 9edc08685e86d..4d1e468d39823 100644 +--- a/drivers/mmc/core/queue.c ++++ b/drivers/mmc/core/queue.c +@@ -107,7 +107,7 @@ static enum blk_eh_timer_return mmc_cqe_timed_out(struct request *req) + case MMC_ISSUE_DCMD: + if (host->cqe_ops->cqe_timeout(host, mrq, &recovery_needed)) { + if (recovery_needed) +- __mmc_cqe_recovery_notifier(mq); ++ mmc_cqe_recovery_notifier(mrq); + return BLK_EH_RESET_TIMER; + } + /* No timeout (XXX: huh? comment doesn't make much sense) */ +@@ -125,18 +125,13 @@ static enum blk_eh_timer_return mmc_mq_timed_out(struct request *req, + struct request_queue *q = req->q; + struct mmc_queue *mq = q->queuedata; + unsigned long flags; +- int ret; ++ bool ignore_tout; + + spin_lock_irqsave(&mq->lock, flags); +- +- if (mq->recovery_needed || !mq->use_cqe) +- ret = BLK_EH_RESET_TIMER; +- else +- ret = mmc_cqe_timed_out(req); +- ++ ignore_tout = mq->recovery_needed || !mq->use_cqe; + spin_unlock_irqrestore(&mq->lock, flags); + +- return ret; ++ return ignore_tout ? BLK_EH_RESET_TIMER : mmc_cqe_timed_out(req); + } + + static void mmc_mq_recovery_handler(struct work_struct *work) +-- +2.20.1 + diff --git a/queue-5.4/mmc-sdhci-pci-gli-fix-can-not-access-gl9750-after-re.patch b/queue-5.4/mmc-sdhci-pci-gli-fix-can-not-access-gl9750-after-re.patch new file mode 100644 index 00000000000..073216b8e73 --- /dev/null +++ b/queue-5.4/mmc-sdhci-pci-gli-fix-can-not-access-gl9750-after-re.patch @@ -0,0 +1,52 @@ +From 620bc566108cd31dea431a469462091e6ebd324c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 14:39:57 +0800 +Subject: mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from + Windows 10 + +From: Ben Chuang + +[ Upstream commit b56ff195c317ad28c05d354aeecbb9995b8e08c1 ] + +Need to clear some bits in a vendor-defined register after reboot from +Windows 10. + +Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") +Reported-by: Grzegorz Kowal +Signed-off-by: Ben Chuang +Acked-by: Adrian Hunter +Tested-by: Grzegorz Kowal +Link: https://lore.kernel.org/r/20200504063957.6638-1-benchuanggli@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-pci-gli.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-pci-gli.c b/drivers/mmc/host/sdhci-pci-gli.c +index ff39d81a5742c..fd76aa672e020 100644 +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -26,6 +26,9 @@ + #define SDHCI_GLI_9750_DRIVING_2 GENMASK(27, 26) + #define GLI_9750_DRIVING_1_VALUE 0xFFF + #define GLI_9750_DRIVING_2_VALUE 0x3 ++#define SDHCI_GLI_9750_SEL_1 BIT(29) ++#define SDHCI_GLI_9750_SEL_2 BIT(31) ++#define SDHCI_GLI_9750_ALL_RST (BIT(24)|BIT(25)|BIT(28)|BIT(30)) + + #define SDHCI_GLI_9750_PLL 0x864 + #define SDHCI_GLI_9750_PLL_TX2_INV BIT(23) +@@ -122,6 +125,8 @@ static void gli_set_9750(struct sdhci_host *host) + GLI_9750_DRIVING_1_VALUE); + driving_value |= FIELD_PREP(SDHCI_GLI_9750_DRIVING_2, + GLI_9750_DRIVING_2_VALUE); ++ driving_value &= ~(SDHCI_GLI_9750_SEL_1|SDHCI_GLI_9750_SEL_2|SDHCI_GLI_9750_ALL_RST); ++ driving_value |= SDHCI_GLI_9750_SEL_2; + sdhci_writel(host, driving_value, SDHCI_GLI_9750_DRIVING); + + sw_ctrl_value &= ~SDHCI_GLI_9750_SW_CTRL_4; +-- +2.20.1 + diff --git a/queue-5.4/mmc-sdhci-pci-gli-fix-no-irq-handler-from-suspend.patch b/queue-5.4/mmc-sdhci-pci-gli-fix-no-irq-handler-from-suspend.patch new file mode 100644 index 00000000000..d648abe3a9e --- /dev/null +++ b/queue-5.4/mmc-sdhci-pci-gli-fix-no-irq-handler-from-suspend.patch @@ -0,0 +1,74 @@ +From 3d36e260f04d3190f1d94d49517ed910dc2d3796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 18:30:48 +0800 +Subject: mmc: sdhci-pci-gli: Fix no irq handler from suspend + +From: Ben Chuang + +[ Upstream commit 282ede76e47048eebc8ce5324b412890f0ec0a69 ] + +The kernel prints a message similar to +"[ 28.881959] do_IRQ: 5.36 No irq handler for vector" +when GL975x resumes from suspend. Implement a resume callback to fix this. + +Fixes: 31e43f31890c ("mmc: sdhci-pci-gli: Enable MSI interrupt for GL975x") +Co-developed-by: Renius Chen +Signed-off-by: Renius Chen +Tested-by: Dave Flogeras +Signed-off-by: Ben Chuang +Tested-by: Vineeth Pillai +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20200427103048.20785-1-benchuanggli@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Samuel Zou +[Samuel Zou: Make sdhci_pci_gli_resume() static] +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-pci-gli.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-pci-gli.c b/drivers/mmc/host/sdhci-pci-gli.c +index ce15a05f23d41..ff39d81a5742c 100644 +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -334,6 +334,18 @@ static u32 sdhci_gl9750_readl(struct sdhci_host *host, int reg) + return value; + } + ++#ifdef CONFIG_PM_SLEEP ++static int sdhci_pci_gli_resume(struct sdhci_pci_chip *chip) ++{ ++ struct sdhci_pci_slot *slot = chip->slots[0]; ++ ++ pci_free_irq_vectors(slot->chip->pdev); ++ gli_pcie_enable_msi(slot); ++ ++ return sdhci_pci_resume_host(chip); ++} ++#endif ++ + static const struct sdhci_ops sdhci_gl9755_ops = { + .set_clock = sdhci_set_clock, + .enable_dma = sdhci_pci_enable_dma, +@@ -348,6 +360,9 @@ const struct sdhci_pci_fixes sdhci_gl9755 = { + .quirks2 = SDHCI_QUIRK2_BROKEN_DDR50, + .probe_slot = gli_probe_slot_gl9755, + .ops = &sdhci_gl9755_ops, ++#ifdef CONFIG_PM_SLEEP ++ .resume = sdhci_pci_gli_resume, ++#endif + }; + + static const struct sdhci_ops sdhci_gl9750_ops = { +@@ -366,4 +381,7 @@ const struct sdhci_pci_fixes sdhci_gl9750 = { + .quirks2 = SDHCI_QUIRK2_BROKEN_DDR50, + .probe_slot = gli_probe_slot_gl9750, + .ops = &sdhci_gl9750_ops, ++#ifdef CONFIG_PM_SLEEP ++ .resume = sdhci_pci_gli_resume, ++#endif + }; +-- +2.20.1 + diff --git a/queue-5.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch b/queue-5.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch new file mode 100644 index 00000000000..834c9b0e5ba --- /dev/null +++ b/queue-5.4/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch @@ -0,0 +1,66 @@ +From 4277a4222656f0720166b2676440866b05fe2581 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 23:30:48 +0200 +Subject: netfilter: conntrack: avoid gcc-10 zero-length-bounds warning + +From: Arnd Bergmann + +[ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ] + +gcc-10 warns around a suspicious access to an empty struct member: + +net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': +net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] + 1522 | memset(&ct->__nfct_init_offset[0], 0, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from net/netfilter/nf_conntrack_core.c:37: +include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' + 90 | u8 __nfct_init_offset[0]; + | ^~~~~~~~~~~~~~~~~~ + +The code is correct but a bit unusual. Rework it slightly in a way that +does not trigger the warning, using an empty struct instead of an empty +array. There are probably more elegant ways to do this, but this is the +smallest change. + +Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 2 +- + net/netfilter/nf_conntrack_core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 9f551f3b69c65..90690e37a56f0 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -87,7 +87,7 @@ struct nf_conn { + struct hlist_node nat_bysource; + #endif + /* all members below initialized via memset */ +- u8 __nfct_init_offset[0]; ++ struct { } __nfct_init_offset; + + /* If we were expected by an expectation, this will be it */ + struct nf_conn *master; +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 5cd610b547e0d..c2ad462f33f1b 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1381,9 +1381,9 @@ __nf_conntrack_alloc(struct net *net, + ct->status = 0; + ct->timeout = 0; + write_pnet(&ct->ct_net, net); +- memset(&ct->__nfct_init_offset[0], 0, ++ memset(&ct->__nfct_init_offset, 0, + offsetof(struct nf_conn, proto) - +- offsetof(struct nf_conn, __nfct_init_offset[0])); ++ offsetof(struct nf_conn, __nfct_init_offset)); + + nf_ct_zone_add(ct, zone); + +-- +2.20.1 + diff --git a/queue-5.4/netfilter-nft_set_rbtree-add-missing-expired-checks.patch b/queue-5.4/netfilter-nft_set_rbtree-add-missing-expired-checks.patch new file mode 100644 index 00000000000..93debdad3de --- /dev/null +++ b/queue-5.4/netfilter-nft_set_rbtree-add-missing-expired-checks.patch @@ -0,0 +1,74 @@ +From 37458b2736c525acad6781aa9808ec34b45c613a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 15:31:41 +0200 +Subject: netfilter: nft_set_rbtree: Add missing expired checks + +From: Phil Sutter + +[ Upstream commit 340eaff651160234bdbce07ef34b92a8e45cd540 ] + +Expired intervals would still match and be dumped to user space until +garbage collection wiped them out. Make sure they stop matching and +disappear (from users' perspective) as soon as they expire. + +Fixes: 8d8540c4f5e03 ("netfilter: nft_set_rbtree: add timeout support") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 95fcba34bfd35..ee7c29e0a9d7b 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -79,6 +79,10 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + parent = rcu_dereference_raw(parent->rb_left); + continue; + } ++ ++ if (nft_set_elem_expired(&rbe->ext)) ++ return false; ++ + if (nft_rbtree_interval_end(rbe)) { + if (nft_set_is_anonymous(set)) + return false; +@@ -94,6 +98,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + + if (set->flags & NFT_SET_INTERVAL && interval != NULL && + nft_set_elem_active(&interval->ext, genmask) && ++ !nft_set_elem_expired(&interval->ext) && + nft_rbtree_interval_start(interval)) { + *ext = &interval->ext; + return true; +@@ -154,6 +159,9 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set, + continue; + } + ++ if (nft_set_elem_expired(&rbe->ext)) ++ return false; ++ + if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) || + (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) == + (flags & NFT_SET_ELEM_INTERVAL_END)) { +@@ -170,6 +178,7 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set, + + if (set->flags & NFT_SET_INTERVAL && interval != NULL && + nft_set_elem_active(&interval->ext, genmask) && ++ !nft_set_elem_expired(&interval->ext) && + ((!nft_rbtree_interval_end(interval) && + !(flags & NFT_SET_ELEM_INTERVAL_END)) || + (nft_rbtree_interval_end(interval) && +@@ -355,6 +364,8 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, + + if (iter->count < iter->skip) + goto cont; ++ if (nft_set_elem_expired(&rbe->ext)) ++ goto cont; + if (!nft_set_elem_active(&rbe->ext, iter->genmask)) + goto cont; + +-- +2.20.1 + diff --git a/queue-5.4/netfilter-nft_set_rbtree-introduce-and-use-nft_rbtre.patch b/queue-5.4/netfilter-nft_set_rbtree-introduce-and-use-nft_rbtre.patch new file mode 100644 index 00000000000..8f19cbc724a --- /dev/null +++ b/queue-5.4/netfilter-nft_set_rbtree-introduce-and-use-nft_rbtre.patch @@ -0,0 +1,86 @@ +From 04d9d1e94dd2820d567520dce6d53ccd9640aaaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 03:22:00 +0100 +Subject: netfilter: nft_set_rbtree: Introduce and use + nft_rbtree_interval_start() + +From: Stefano Brivio + +[ Upstream commit 6f7c9caf017be8ab0fe3b99509580d0793bf0833 ] + +Replace negations of nft_rbtree_interval_end() with a new helper, +nft_rbtree_interval_start(), wherever this helps to visualise the +problem at hand, that is, for all the occurrences except for the +comparison against given flags in __nft_rbtree_get(). + +This gets especially useful in the next patch. + +Signed-off-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index a9f804f7a04ac..95fcba34bfd35 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -33,6 +33,11 @@ static bool nft_rbtree_interval_end(const struct nft_rbtree_elem *rbe) + (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END); + } + ++static bool nft_rbtree_interval_start(const struct nft_rbtree_elem *rbe) ++{ ++ return !nft_rbtree_interval_end(rbe); ++} ++ + static bool nft_rbtree_equal(const struct nft_set *set, const void *this, + const struct nft_rbtree_elem *interval) + { +@@ -64,7 +69,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + if (interval && + nft_rbtree_equal(set, this, interval) && + nft_rbtree_interval_end(rbe) && +- !nft_rbtree_interval_end(interval)) ++ nft_rbtree_interval_start(interval)) + continue; + interval = rbe; + } else if (d > 0) +@@ -89,7 +94,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + + if (set->flags & NFT_SET_INTERVAL && interval != NULL && + nft_set_elem_active(&interval->ext, genmask) && +- !nft_rbtree_interval_end(interval)) { ++ nft_rbtree_interval_start(interval)) { + *ext = &interval->ext; + return true; + } +@@ -224,9 +229,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + p = &parent->rb_right; + else { + if (nft_rbtree_interval_end(rbe) && +- !nft_rbtree_interval_end(new)) { ++ nft_rbtree_interval_start(new)) { + p = &parent->rb_left; +- } else if (!nft_rbtree_interval_end(rbe) && ++ } else if (nft_rbtree_interval_start(rbe) && + nft_rbtree_interval_end(new)) { + p = &parent->rb_right; + } else if (nft_set_elem_active(&rbe->ext, genmask)) { +@@ -317,10 +322,10 @@ static void *nft_rbtree_deactivate(const struct net *net, + parent = parent->rb_right; + else { + if (nft_rbtree_interval_end(rbe) && +- !nft_rbtree_interval_end(this)) { ++ nft_rbtree_interval_start(this)) { + parent = parent->rb_left; + continue; +- } else if (!nft_rbtree_interval_end(rbe) && ++ } else if (nft_rbtree_interval_start(rbe) && + nft_rbtree_interval_end(this)) { + parent = parent->rb_right; + continue; +-- +2.20.1 + diff --git a/queue-5.4/nfs-fix-fscache-super_cookie-index_key-from-changing.patch b/queue-5.4/nfs-fix-fscache-super_cookie-index_key-from-changing.patch new file mode 100644 index 00000000000..b699a036b65 --- /dev/null +++ b/queue-5.4/nfs-fix-fscache-super_cookie-index_key-from-changing.patch @@ -0,0 +1,71 @@ +From 7bef1084c5f1e9c86172a036c1d24fab2d28bdfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Apr 2020 16:14:41 -0400 +Subject: NFS: Fix fscache super_cookie index_key from changing after umount + +From: Dave Wysochanski + +[ Upstream commit d9bfced1fbcb35b28d8fbed4e785d2807055ed2b ] + +Commit 402cb8dda949 ("fscache: Attach the index key and aux data to +the cookie") added the index_key and index_key_len parameters to +fscache_acquire_cookie(), and updated the callers in the NFS client. +One of the callers was inside nfs_fscache_get_super_cookie() +and was changed to use the full struct nfs_fscache_key as the +index_key. However, a couple members of this structure contain +pointers and thus will change each time the same NFS share is +remounted. Since index_key is used for fscache_cookie->key_hash +and this subsequently is used to compare cookies, the effectiveness +of fscache with NFS is reduced to the point at which a umount +occurs. Any subsequent remount of the same share will cause a +unique NFS super_block index_key and key_hash to be generated for +the same data, rendering any prior fscache data unable to be +found. A simple reproducer demonstrates the problem. + +1. Mount share with 'fsc', create a file, drop page cache +systemctl start cachefilesd +mount -o vers=3,fsc 127.0.0.1:/export /mnt +dd if=/dev/zero of=/mnt/file1.bin bs=4096 count=1 +echo 3 > /proc/sys/vm/drop_caches + +2. Read file into page cache and fscache, then unmount +dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 +umount /mnt + +3. Remount and re-read which should come from fscache +mount -o vers=3,fsc 127.0.0.1:/export /mnt +echo 3 > /proc/sys/vm/drop_caches +dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 + +4. Check for READ ops in mountstats - there should be none +grep READ: /proc/self/mountstats + +Looking at the history and the removed function, nfs_super_get_key(), +we should only use nfs_fscache_key.key plus any uniquifier, for +the fscache index_key. + +Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") +Signed-off-by: Dave Wysochanski +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/nfs/fscache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c +index a6dcc2151e779..3184063322d48 100644 +--- a/fs/nfs/fscache.c ++++ b/fs/nfs/fscache.c +@@ -188,7 +188,8 @@ void nfs_fscache_get_super_cookie(struct super_block *sb, const char *uniq, int + /* create a cache index for looking up filehandles */ + nfss->fscache = fscache_acquire_cookie(nfss->nfs_client->fscache, + &nfs_fscache_super_index_def, +- key, sizeof(*key) + ulen, ++ &key->key, ++ sizeof(key->key) + ulen, + NULL, 0, + nfss, 0, true); + dfprintk(FSCACHE, "NFS: get superblock cookie (0x%p/0x%p)\n", +-- +2.20.1 + diff --git a/queue-5.4/nfs-fix-null-deference-in-nfs4_get_valid_delegation.patch b/queue-5.4/nfs-fix-null-deference-in-nfs4_get_valid_delegation.patch new file mode 100644 index 00000000000..9066ea6eefd --- /dev/null +++ b/queue-5.4/nfs-fix-null-deference-in-nfs4_get_valid_delegation.patch @@ -0,0 +1,64 @@ +From 91dbcdbab902da03336949de7e446a4ee3dc0694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 10:02:48 -0400 +Subject: nfs: fix NULL deference in nfs4_get_valid_delegation + +From: J. Bruce Fields + +[ Upstream commit 29fe839976266bc7c55b927360a1daae57477723 ] + +We add the new state to the nfsi->open_states list, making it +potentially visible to other threads, before we've finished initializing +it. + +That wasn't a problem when all the readers were also taking the i_lock +(as we do here), but since we switched to RCU, there's now a possibility +that a reader could see the partially initialized state. + +Symptoms observed were a crash when another thread called +nfs4_get_valid_delegation() on a NULL inode, resulting in an oops like: + + BUG: unable to handle page fault for address: ffffffffffffffb0 ... + RIP: 0010:nfs4_get_valid_delegation+0x6/0x30 [nfsv4] ... + Call Trace: + nfs4_open_prepare+0x80/0x1c0 [nfsv4] + __rpc_execute+0x75/0x390 [sunrpc] + ? finish_task_switch+0x75/0x260 + rpc_async_schedule+0x29/0x40 [sunrpc] + process_one_work+0x1ad/0x370 + worker_thread+0x30/0x390 + ? create_worker+0x1a0/0x1a0 + kthread+0x10c/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x22/0x30 + +Fixes: 9ae075fdd190 "NFSv4: Convert open state lookup to use RCU" +Reviewed-by: Seiichi Ikarashi +Tested-by: Daisuke Matsuda +Tested-by: Masayoshi Mizuma +Signed-off-by: J. Bruce Fields +Cc: stable@vger.kernel.org # v4.20+ +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index b53bcf40e2a77..ea680f619438b 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -733,9 +733,9 @@ nfs4_get_open_state(struct inode *inode, struct nfs4_state_owner *owner) + state = new; + state->owner = owner; + atomic_inc(&owner->so_count); +- list_add_rcu(&state->inode_states, &nfsi->open_states); + ihold(inode); + state->inode = inode; ++ list_add_rcu(&state->inode_states, &nfsi->open_states); + spin_unlock(&inode->i_lock); + /* Note: The reclaim code dictates that we add stateless + * and read-only stateids to the end of the list */ +-- +2.20.1 + diff --git a/queue-5.4/nfs-fscache-use-timespec64-in-inode-auxdata.patch b/queue-5.4/nfs-fscache-use-timespec64-in-inode-auxdata.patch new file mode 100644 index 00000000000..99bb040a091 --- /dev/null +++ b/queue-5.4/nfs-fscache-use-timespec64-in-inode-auxdata.patch @@ -0,0 +1,115 @@ +From 79cb2585390f288345cfd5207f343f6558c2115e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 21:16:25 +0100 +Subject: nfs: fscache: use timespec64 in inode auxdata + +From: Arnd Bergmann + +[ Upstream commit 6e31ded6895adfca97211118cc9b72236e8f6d53 ] + +nfs currently behaves differently on 32-bit and 64-bit kernels regarding +the on-disk format of nfs_fscache_inode_auxdata. + +That format should really be the same on any kernel, and we should avoid +the 'timespec' type in order to remove that from the kernel later on. + +Using plain 'timespec64' would not be good here, since that includes +implied padding and would possibly leak kernel stack data to the on-disk +format on 32-bit architectures. + +struct __kernel_timespec would work as a replacement, but open-coding +the two struct members in nfs_fscache_inode_auxdata makes it more +obvious what's going on here, and keeps the current format for 64-bit +architectures. + +Cc: David Howells +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + fs/nfs/fscache-index.c | 6 ++++-- + fs/nfs/fscache.c | 18 ++++++++++++------ + fs/nfs/fscache.h | 8 +++++--- + 3 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/fs/nfs/fscache-index.c b/fs/nfs/fscache-index.c +index 15f271401dcca..573b1da9342c1 100644 +--- a/fs/nfs/fscache-index.c ++++ b/fs/nfs/fscache-index.c +@@ -84,8 +84,10 @@ enum fscache_checkaux nfs_fscache_inode_check_aux(void *cookie_netfs_data, + return FSCACHE_CHECKAUX_OBSOLETE; + + memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime = timespec64_to_timespec(nfsi->vfs_inode.i_mtime); +- auxdata.ctime = timespec64_to_timespec(nfsi->vfs_inode.i_ctime); ++ auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; ++ auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; ++ auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; ++ auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; + + if (NFS_SERVER(&nfsi->vfs_inode)->nfs_client->rpc_ops->version == 4) + auxdata.change_attr = inode_peek_iversion_raw(&nfsi->vfs_inode); +diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c +index 3184063322d48..d0c629f97789e 100644 +--- a/fs/nfs/fscache.c ++++ b/fs/nfs/fscache.c +@@ -241,8 +241,10 @@ void nfs_fscache_init_inode(struct inode *inode) + return; + + memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime = timespec64_to_timespec(nfsi->vfs_inode.i_mtime); +- auxdata.ctime = timespec64_to_timespec(nfsi->vfs_inode.i_ctime); ++ auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; ++ auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; ++ auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; ++ auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; + + if (NFS_SERVER(&nfsi->vfs_inode)->nfs_client->rpc_ops->version == 4) + auxdata.change_attr = inode_peek_iversion_raw(&nfsi->vfs_inode); +@@ -266,8 +268,10 @@ void nfs_fscache_clear_inode(struct inode *inode) + dfprintk(FSCACHE, "NFS: clear cookie (0x%p/0x%p)\n", nfsi, cookie); + + memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime = timespec64_to_timespec(nfsi->vfs_inode.i_mtime); +- auxdata.ctime = timespec64_to_timespec(nfsi->vfs_inode.i_ctime); ++ auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; ++ auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; ++ auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; ++ auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; + fscache_relinquish_cookie(cookie, &auxdata, false); + nfsi->fscache = NULL; + } +@@ -308,8 +312,10 @@ void nfs_fscache_open_file(struct inode *inode, struct file *filp) + return; + + memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime = timespec64_to_timespec(nfsi->vfs_inode.i_mtime); +- auxdata.ctime = timespec64_to_timespec(nfsi->vfs_inode.i_ctime); ++ auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; ++ auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; ++ auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; ++ auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; + + if (inode_is_open_for_write(inode)) { + dfprintk(FSCACHE, "NFS: nfsi 0x%p disabling cache\n", nfsi); +diff --git a/fs/nfs/fscache.h b/fs/nfs/fscache.h +index ad041cfbf9ec0..6754c8607230b 100644 +--- a/fs/nfs/fscache.h ++++ b/fs/nfs/fscache.h +@@ -62,9 +62,11 @@ struct nfs_fscache_key { + * cache object. + */ + struct nfs_fscache_inode_auxdata { +- struct timespec mtime; +- struct timespec ctime; +- u64 change_attr; ++ s64 mtime_sec; ++ s64 mtime_nsec; ++ s64 ctime_sec; ++ s64 ctime_nsec; ++ u64 change_attr; + }; + + /* +-- +2.20.1 + diff --git a/queue-5.4/nfsv3-fix-rpc-receive-buffer-size-for-mount-call.patch b/queue-5.4/nfsv3-fix-rpc-receive-buffer-size-for-mount-call.patch new file mode 100644 index 00000000000..0c8de1ae97d --- /dev/null +++ b/queue-5.4/nfsv3-fix-rpc-receive-buffer-size-for-mount-call.patch @@ -0,0 +1,51 @@ +From 8456eb9489dba0d305864bf9bc1253f7489cad67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 May 2020 16:09:40 -0400 +Subject: NFSv3: fix rpc receive buffer size for MOUNT call + +From: Olga Kornievskaia + +[ Upstream commit 8eed292bc8cbf737e46fb1c119d4c8f6dcb00650 ] + +Prior to commit e3d3ab64dd66 ("SUNRPC: Use au_rslack when +computing reply buffer size"), there was enough slack in the reply +buffer to commodate filehandles of size 60bytes. However, the real +problem was that the reply buffer size for the MOUNT operation was +not correctly calculated. Received buffer size used the filehandle +size for NFSv2 (32bytes) which is much smaller than the allowed +filehandle size for the v3 mounts. + +Fix the reply buffer size (decode arguments size) for the MNT command. + +Fixes: 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing reply buffer size") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/mount_clnt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/mount_clnt.c b/fs/nfs/mount_clnt.c +index cb7c10e9721eb..a2593b787cc73 100644 +--- a/fs/nfs/mount_clnt.c ++++ b/fs/nfs/mount_clnt.c +@@ -32,6 +32,7 @@ + #define MNT_fhs_status_sz (1) + #define MNT_fhandle_sz XDR_QUADLEN(NFS2_FHSIZE) + #define MNT_fhandle3_sz (1 + XDR_QUADLEN(NFS3_FHSIZE)) ++#define MNT_fhandlev3_sz XDR_QUADLEN(NFS3_FHSIZE) + #define MNT_authflav3_sz (1 + NFS_MAX_SECFLAVORS) + + /* +@@ -39,7 +40,7 @@ + */ + #define MNT_enc_dirpath_sz encode_dirpath_sz + #define MNT_dec_mountres_sz (MNT_status_sz + MNT_fhandle_sz) +-#define MNT_dec_mountres3_sz (MNT_status_sz + MNT_fhandle_sz + \ ++#define MNT_dec_mountres3_sz (MNT_status_sz + MNT_fhandlev3_sz + \ + MNT_authflav3_sz) + + /* +-- +2.20.1 + diff --git a/queue-5.4/nfsv4-fix-fscache-cookie-aux_data-to-ensure-change_a.patch b/queue-5.4/nfsv4-fix-fscache-cookie-aux_data-to-ensure-change_a.patch new file mode 100644 index 00000000000..7f5b4d81dc1 --- /dev/null +++ b/queue-5.4/nfsv4-fix-fscache-cookie-aux_data-to-ensure-change_a.patch @@ -0,0 +1,100 @@ +From 0c515c92c4248c65b531816c0c0b6ef971f2a169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 06:06:08 -0400 +Subject: NFSv4: Fix fscache cookie aux_data to ensure change_attr is included + +From: Dave Wysochanski + +[ Upstream commit 50eaa652b54df1e2b48dc398d9e6114c9ed080eb ] + +Commit 402cb8dda949 ("fscache: Attach the index key and aux data to +the cookie") added the aux_data and aux_data_len to parameters to +fscache_acquire_cookie(), and updated the callers in the NFS client. +In the process it modified the aux_data to include the change_attr, +but missed adding change_attr to a couple places where aux_data was +used. Specifically, when opening a file and the change_attr is not +added, the following attempt to lookup an object will fail inside +cachefiles_check_object_xattr() = -116 due to +nfs_fscache_inode_check_aux() failing memcmp on auxdata and returning +FSCACHE_CHECKAUX_OBSOLETE. + +Fix this by adding nfs_fscache_update_auxdata() to set the auxdata +from all relevant fields in the inode, including the change_attr. + +Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") +Signed-off-by: Dave Wysochanski +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/nfs/fscache.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c +index d0c629f97789e..7d6721ec31d4d 100644 +--- a/fs/nfs/fscache.c ++++ b/fs/nfs/fscache.c +@@ -227,6 +227,19 @@ void nfs_fscache_release_super_cookie(struct super_block *sb) + } + } + ++static void nfs_fscache_update_auxdata(struct nfs_fscache_inode_auxdata *auxdata, ++ struct nfs_inode *nfsi) ++{ ++ memset(auxdata, 0, sizeof(*auxdata)); ++ auxdata->mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; ++ auxdata->mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; ++ auxdata->ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; ++ auxdata->ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; ++ ++ if (NFS_SERVER(&nfsi->vfs_inode)->nfs_client->rpc_ops->version == 4) ++ auxdata->change_attr = inode_peek_iversion_raw(&nfsi->vfs_inode); ++} ++ + /* + * Initialise the per-inode cache cookie pointer for an NFS inode. + */ +@@ -240,14 +253,7 @@ void nfs_fscache_init_inode(struct inode *inode) + if (!(nfss->fscache && S_ISREG(inode->i_mode))) + return; + +- memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; +- auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; +- auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; +- auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; +- +- if (NFS_SERVER(&nfsi->vfs_inode)->nfs_client->rpc_ops->version == 4) +- auxdata.change_attr = inode_peek_iversion_raw(&nfsi->vfs_inode); ++ nfs_fscache_update_auxdata(&auxdata, nfsi); + + nfsi->fscache = fscache_acquire_cookie(NFS_SB(inode->i_sb)->fscache, + &nfs_fscache_inode_object_def, +@@ -267,11 +273,7 @@ void nfs_fscache_clear_inode(struct inode *inode) + + dfprintk(FSCACHE, "NFS: clear cookie (0x%p/0x%p)\n", nfsi, cookie); + +- memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; +- auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; +- auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; +- auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; ++ nfs_fscache_update_auxdata(&auxdata, nfsi); + fscache_relinquish_cookie(cookie, &auxdata, false); + nfsi->fscache = NULL; + } +@@ -311,11 +313,7 @@ void nfs_fscache_open_file(struct inode *inode, struct file *filp) + if (!fscache_cookie_valid(cookie)) + return; + +- memset(&auxdata, 0, sizeof(auxdata)); +- auxdata.mtime_sec = nfsi->vfs_inode.i_mtime.tv_sec; +- auxdata.mtime_nsec = nfsi->vfs_inode.i_mtime.tv_nsec; +- auxdata.ctime_sec = nfsi->vfs_inode.i_ctime.tv_sec; +- auxdata.ctime_nsec = nfsi->vfs_inode.i_ctime.tv_nsec; ++ nfs_fscache_update_auxdata(&auxdata, nfsi); + + if (inode_is_open_for_write(inode)) { + dfprintk(FSCACHE, "NFS: nfsi 0x%p disabling cache\n", nfsi); +-- +2.20.1 + diff --git a/queue-5.4/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch b/queue-5.4/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch new file mode 100644 index 00000000000..72e3dd49787 --- /dev/null +++ b/queue-5.4/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch @@ -0,0 +1,38 @@ +From 18e893a6663e826e605f4108200ca3fd9b30f1f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 19:32:54 +0200 +Subject: pinctrl: baytrail: Enable pin configuration setting for GPIO chip + +From: Andy Shevchenko + +[ Upstream commit ccd025eaddaeb99e982029446197c544252108e2 ] + +It appears that pin configuration for GPIO chip hasn't been enabled yet +due to absence of ->set_config() callback. + +Enable it here for Intel Baytrail. + +Fixes: c501d0b149de ("pinctrl: baytrail: Add pin control operations") +Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c +index 606fe216f902a..cae7caf5ab282 100644 +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -1297,6 +1297,7 @@ static const struct gpio_chip byt_gpio_chip = { + .direction_output = byt_gpio_direction_output, + .get = byt_gpio_get, + .set = byt_gpio_set, ++ .set_config = gpiochip_generic_config, + .dbg_show = byt_gpio_dbg_show, + }; + +-- +2.20.1 + diff --git a/queue-5.4/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch b/queue-5.4/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch new file mode 100644 index 00000000000..4c25e763fc5 --- /dev/null +++ b/queue-5.4/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch @@ -0,0 +1,51 @@ +From 02ef52746602417c3e3b06fef6235e7620703faa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 12:11:54 +0800 +Subject: pinctrl: cherryview: Add missing spinlock usage in + chv_gpio_irq_handler + +From: Grace Kao + +[ Upstream commit 69388e15f5078c961b9e5319e22baea4c57deff1 ] + +According to Braswell NDA Specification Update (#557593), +concurrent read accesses may result in returning 0xffffffff and write +instructions may be dropped. We have an established format for the +commit references, i.e. +cdca06e4e859 ("pinctrl: baytrail: Add missing spinlock usage in +byt_gpio_irq_handler") + +Fixes: 0bd50d719b00 ("pinctrl: cherryview: prevent concurrent access to GPIO controllers") +Signed-off-by: Grace Kao +Reported-by: Brian Norris +Reviewed-by: Brian Norris +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 2c419fa5d1c1b..8f06445a8e39c 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1474,11 +1474,15 @@ static void chv_gpio_irq_handler(struct irq_desc *desc) + struct chv_pinctrl *pctrl = gpiochip_get_data(gc); + struct irq_chip *chip = irq_desc_get_chip(desc); + unsigned long pending; ++ unsigned long flags; + u32 intr_line; + + chained_irq_enter(chip, desc); + ++ raw_spin_lock_irqsave(&chv_lock, flags); + pending = readl(pctrl->regs + CHV_INTSTAT); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); ++ + for_each_set_bit(intr_line, &pending, pctrl->community->nirqs) { + unsigned irq, offset; + +-- +2.20.1 + diff --git a/queue-5.4/pinctrl-qcom-fix-wrong-write-in-update_dual_edge.patch b/queue-5.4/pinctrl-qcom-fix-wrong-write-in-update_dual_edge.patch new file mode 100644 index 00000000000..596f8d9b9da --- /dev/null +++ b/queue-5.4/pinctrl-qcom-fix-wrong-write-in-update_dual_edge.patch @@ -0,0 +1,39 @@ +From 367915a9434435e6ea5c30d4a7ab4cf23fa30970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Apr 2020 02:37:26 +0200 +Subject: pinctrl: qcom: fix wrong write in update_dual_edge + +From: Ansuel Smith + +[ Upstream commit 90bcb0c3ca0809d1ed358bfbf838df4b3d4e58e0 ] + +Fix a typo in the readl/writel accessor conversion where val is used +instead of pol changing the behavior of the original code. + +Cc: stable@vger.kernel.org +Fixes: 6c73698904aa pinctrl: qcom: Introduce readl/writel accessors +Signed-off-by: Ansuel Smith +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20200414003726.25347-1-ansuelsmth@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index 763da0be10d6f..44320322037df 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -688,7 +688,7 @@ static void msm_gpio_update_dual_edge_pos(struct msm_pinctrl *pctrl, + + pol = msm_readl_intr_cfg(pctrl, g); + pol ^= BIT(g->intr_polarity_bit); +- msm_writel_intr_cfg(val, pctrl, g); ++ msm_writel_intr_cfg(pol, pctrl, g); + + val2 = msm_readl_io(pctrl, g) & BIT(g->in_bit); + intstat = msm_readl_intr_status(pctrl, g); +-- +2.20.1 + diff --git a/queue-5.4/pinctrl-sunrisepoint-fix-pad-lock-register-offset-fo.patch b/queue-5.4/pinctrl-sunrisepoint-fix-pad-lock-register-offset-fo.patch new file mode 100644 index 00000000000..73deae34762 --- /dev/null +++ b/queue-5.4/pinctrl-sunrisepoint-fix-pad-lock-register-offset-fo.patch @@ -0,0 +1,61 @@ +From 703a8756bf88a1aaa3f901c18ba9ba0a74f40f2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 11:53:00 +0300 +Subject: pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H + +From: Andy Shevchenko + +[ Upstream commit 6b7275c87717652daace4c0b8131eb184c7d7516 ] + +It appears that SPT-H variant has different offset for PAD locking registers. +Fix it here. + +Fixes: 551fa5801ef1 ("pinctrl: intel: sunrisepoint: Add Intel Sunrisepoint-H support") +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-sunrisepoint.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-sunrisepoint.c b/drivers/pinctrl/intel/pinctrl-sunrisepoint.c +index d936e7aa74c4b..7b7736abe9d86 100644 +--- a/drivers/pinctrl/intel/pinctrl-sunrisepoint.c ++++ b/drivers/pinctrl/intel/pinctrl-sunrisepoint.c +@@ -15,17 +15,18 @@ + + #include "pinctrl-intel.h" + +-#define SPT_PAD_OWN 0x020 +-#define SPT_PADCFGLOCK 0x0a0 +-#define SPT_HOSTSW_OWN 0x0d0 +-#define SPT_GPI_IS 0x100 +-#define SPT_GPI_IE 0x120 ++#define SPT_PAD_OWN 0x020 ++#define SPT_H_PADCFGLOCK 0x090 ++#define SPT_LP_PADCFGLOCK 0x0a0 ++#define SPT_HOSTSW_OWN 0x0d0 ++#define SPT_GPI_IS 0x100 ++#define SPT_GPI_IE 0x120 + + #define SPT_COMMUNITY(b, s, e) \ + { \ + .barno = (b), \ + .padown_offset = SPT_PAD_OWN, \ +- .padcfglock_offset = SPT_PADCFGLOCK, \ ++ .padcfglock_offset = SPT_LP_PADCFGLOCK, \ + .hostown_offset = SPT_HOSTSW_OWN, \ + .is_offset = SPT_GPI_IS, \ + .ie_offset = SPT_GPI_IE, \ +@@ -47,7 +48,7 @@ + { \ + .barno = (b), \ + .padown_offset = SPT_PAD_OWN, \ +- .padcfglock_offset = SPT_PADCFGLOCK, \ ++ .padcfglock_offset = SPT_H_PADCFGLOCK, \ + .hostown_offset = SPT_HOSTSW_OWN, \ + .is_offset = SPT_GPI_IS, \ + .ie_offset = SPT_GPI_IE, \ +-- +2.20.1 + diff --git a/queue-5.4/rdma-core-fix-double-put-of-resource.patch b/queue-5.4/rdma-core-fix-double-put-of-resource.patch new file mode 100644 index 00000000000..9f567b7135f --- /dev/null +++ b/queue-5.4/rdma-core-fix-double-put-of-resource.patch @@ -0,0 +1,39 @@ +From bc514909be35b8f56ecae9eaba98475b49666248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2020 21:47:57 -0400 +Subject: RDMA/core: Fix double put of resource + +[ Upstream commit 50bbe3d34fea74b7c0fabe553c40c2f4a48bb9c3 ] + +Do not decrease the reference count of resource tracker object twice in +the error flow of res_get_common_doit. + +Fixes: c5dfe0ea6ffa ("RDMA/nldev: Add resource tracker doit callback") +Link: https://lore.kernel.org/r/20200507062942.98305-1-leon@kernel.org +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index ef4b0c7061e4c..244ebf285fc3f 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -1248,10 +1248,10 @@ static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh, + + has_cap_net_admin = netlink_capable(skb, CAP_NET_ADMIN); + ret = fe->fill_res_func(msg, has_cap_net_admin, res, port); +- rdma_restrack_put(res); + if (ret) + goto err_free; + ++ rdma_restrack_put(res); + nlmsg_end(msg, nlh); + ib_device_put(device); + return rdma_nl_unicast(sock_net(skb->sk), msg, NETLINK_CB(skb).portid); +-- +2.20.1 + diff --git a/queue-5.4/rdma-iw_cxgb4-fix-incorrect-function-parameters.patch b/queue-5.4/rdma-iw_cxgb4-fix-incorrect-function-parameters.patch new file mode 100644 index 00000000000..2aceb906278 --- /dev/null +++ b/queue-5.4/rdma-iw_cxgb4-fix-incorrect-function-parameters.patch @@ -0,0 +1,51 @@ +From 99dc5c55cf6c6365c961ac99433b063229253fdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 00:26:08 +0530 +Subject: RDMA/iw_cxgb4: Fix incorrect function parameters + +From: Potnuri Bharat Teja + +[ Upstream commit c8b1f340e54158662acfa41d6dee274846370282 ] + +While reading the TCB field in t4_tcb_get_field32() the wrong mask is +passed as a parameter which leads the driver eventually to a kernel +panic/app segfault from access to an illegal SRQ index while flushing the +SRQ completions during connection teardown. + +Fixes: 11a27e2121a5 ("iw_cxgb4: complete the cached SRQ buffers") +Link: https://lore.kernel.org/r/20200511185608.5202-1-bharat@chelsio.com +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index d82e0589cfd26..6b4e7235d2f56 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -2891,8 +2891,7 @@ static int peer_abort(struct c4iw_dev *dev, struct sk_buff *skb) + srqidx = ABORT_RSS_SRQIDX_G( + be32_to_cpu(req->srqidx_status)); + if (srqidx) { +- complete_cached_srq_buffers(ep, +- req->srqidx_status); ++ complete_cached_srq_buffers(ep, srqidx); + } else { + /* Hold ep ref until finish_peer_abort() */ + c4iw_get_ep(&ep->com); +@@ -3878,8 +3877,8 @@ static int read_tcb_rpl(struct c4iw_dev *dev, struct sk_buff *skb) + return 0; + } + +- ep->srqe_idx = t4_tcb_get_field32(tcb, TCB_RQ_START_W, TCB_RQ_START_W, +- TCB_RQ_START_S); ++ ep->srqe_idx = t4_tcb_get_field32(tcb, TCB_RQ_START_W, TCB_RQ_START_M, ++ TCB_RQ_START_S); + cleanup: + pr_debug("ep %p tid %u %016x\n", ep, ep->hwtid, ep->srqe_idx); + +-- +2.20.1 + diff --git a/queue-5.4/rdma-rxe-always-return-err_ptr-from-rxe_create_mmap_.patch b/queue-5.4/rdma-rxe-always-return-err_ptr-from-rxe_create_mmap_.patch new file mode 100644 index 00000000000..3b27799ecf1 --- /dev/null +++ b/queue-5.4/rdma-rxe-always-return-err_ptr-from-rxe_create_mmap_.patch @@ -0,0 +1,77 @@ +From e44d4c089c7b1a633db08ce2e81617a2592fed6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 00:35:45 +0100 +Subject: RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info() + +From: Sudip Mukherjee + +[ Upstream commit bb43c8e382e5da0ee253e3105d4099820ff4d922 ] + +The commit below modified rxe_create_mmap_info() to return ERR_PTR's but +didn't update the callers to handle them. Modify rxe_create_mmap_info() to +only return ERR_PTR and fix all error checking after +rxe_create_mmap_info() is called. + +Ensure that all other exit paths properly set the error return. + +Fixes: ff23dfa13457 ("IB: Pass only ib_udata in function prototypes") +Link: https://lore.kernel.org/r/20200425233545.17210-1-sudipm.mukherjee@gmail.com +Link: https://lore.kernel.org/r/20200511183742.GB225608@mwanda +Cc: stable@vger.kernel.org [5.4+] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Dan Carpenter +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_mmap.c | 2 +- + drivers/infiniband/sw/rxe/rxe_queue.c | 11 +++++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_mmap.c b/drivers/infiniband/sw/rxe/rxe_mmap.c +index 48f48122ddcb8..6a413d73b95dd 100644 +--- a/drivers/infiniband/sw/rxe/rxe_mmap.c ++++ b/drivers/infiniband/sw/rxe/rxe_mmap.c +@@ -151,7 +151,7 @@ struct rxe_mmap_info *rxe_create_mmap_info(struct rxe_dev *rxe, u32 size, + + ip = kmalloc(sizeof(*ip), GFP_KERNEL); + if (!ip) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + size = PAGE_ALIGN(size); + +diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c b/drivers/infiniband/sw/rxe/rxe_queue.c +index ff92704de32ff..245040c3a35d0 100644 +--- a/drivers/infiniband/sw/rxe/rxe_queue.c ++++ b/drivers/infiniband/sw/rxe/rxe_queue.c +@@ -45,12 +45,15 @@ int do_mmap_info(struct rxe_dev *rxe, struct mminfo __user *outbuf, + + if (outbuf) { + ip = rxe_create_mmap_info(rxe, buf_size, udata, buf); +- if (!ip) ++ if (IS_ERR(ip)) { ++ err = PTR_ERR(ip); + goto err1; ++ } + +- err = copy_to_user(outbuf, &ip->info, sizeof(ip->info)); +- if (err) ++ if (copy_to_user(outbuf, &ip->info, sizeof(ip->info))) { ++ err = -EFAULT; + goto err2; ++ } + + spin_lock_bh(&rxe->pending_lock); + list_add(&ip->pending_mmaps, &rxe->pending_mmaps); +@@ -64,7 +67,7 @@ int do_mmap_info(struct rxe_dev *rxe, struct mminfo __user *outbuf, + err2: + kfree(ip); + err1: +- return -EINVAL; ++ return err; + } + + inline void rxe_queue_reset(struct rxe_queue *q) +-- +2.20.1 + diff --git a/queue-5.4/riscv-fix-vdso-build-with-lld.patch b/queue-5.4/riscv-fix-vdso-build-with-lld.patch new file mode 100644 index 00000000000..457303371b5 --- /dev/null +++ b/queue-5.4/riscv-fix-vdso-build-with-lld.patch @@ -0,0 +1,55 @@ +From ba57e7f2c838a7c43ac652c9d2059c8674cd313f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Apr 2020 17:29:58 +0300 +Subject: riscv: fix vdso build with lld + +From: Ilie Halip + +[ Upstream commit 3c1918c8f54166598195d938564072664a8275b1 ] + +When building with the LLVM linker this error occurrs: + LD arch/riscv/kernel/vdso/vdso-syms.o + ld.lld: error: no input files + +This happens because the lld treats -R as an alias to -rpath, as opposed +to ld where -R means --just-symbols. + +Use the long option name for compatibility between the two. + +Link: https://github.com/ClangBuiltLinux/linux/issues/805 +Reported-by: Dmitry Golovin +Reviewed-by: Nick Desaulniers +Signed-off-by: Ilie Halip +Reviewed-by: Fangrui Song +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/vdso/Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile +index 33b16f4212f7a..a4ee3a0e7d20d 100644 +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -33,15 +33,15 @@ $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE + $(call if_changed,vdsold) + + # We also create a special relocatable object that should mirror the symbol +-# table and layout of the linked DSO. With ld -R we can then refer to +-# these symbols in the kernel code rather than hand-coded addresses. ++# table and layout of the linked DSO. With ld --just-symbols we can then ++# refer to these symbols in the kernel code rather than hand-coded addresses. + + SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \ + -Wl,--build-id -Wl,--hash-style=both + $(obj)/vdso-dummy.o: $(src)/vdso.lds $(obj)/rt_sigreturn.o FORCE + $(call if_changed,vdsold) + +-LDFLAGS_vdso-syms.o := -r -R ++LDFLAGS_vdso-syms.o := -r --just-symbols + $(obj)/vdso-syms.o: $(obj)/vdso-dummy.o FORCE + $(call if_changed,ld) + +-- +2.20.1 + diff --git a/queue-5.4/s390-ism-fix-error-return-code-in-ism_probe.patch b/queue-5.4/s390-ism-fix-error-return-code-in-ism_probe.patch new file mode 100644 index 00000000000..fcc673b353e --- /dev/null +++ b/queue-5.4/s390-ism-fix-error-return-code-in-ism_probe.patch @@ -0,0 +1,41 @@ +From 5c080bb021ac111e3c1095461d3bd6d3b97ca927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 09:42:29 +0200 +Subject: s390/ism: fix error return code in ism_probe() + +From: Wei Yongjun + +[ Upstream commit 29b74cb75e3572d83708745e81e24d37837415f9 ] + +Fix to return negative error code -ENOMEM from the smcd_alloc_dev() +error handling case instead of 0, as done elsewhere in this function. + +Fixes: 684b89bc39ce ("s390/ism: add device driver for internal shared memory") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ism_drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/net/ism_drv.c b/drivers/s390/net/ism_drv.c +index 4fc2056bd2272..e615dc240150b 100644 +--- a/drivers/s390/net/ism_drv.c ++++ b/drivers/s390/net/ism_drv.c +@@ -521,8 +521,10 @@ static int ism_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + ism->smcd = smcd_alloc_dev(&pdev->dev, dev_name(&pdev->dev), &ism_ops, + ISM_NR_DMBS); +- if (!ism->smcd) ++ if (!ism->smcd) { ++ ret = -ENOMEM; + goto err_resource; ++ } + + ism->smcd->priv = ism; + ret = ism_dev_init(ism); +-- +2.20.1 + diff --git a/queue-5.4/selftests-ftrace-check-the-first-record-for-kprobe_a.patch b/queue-5.4/selftests-ftrace-check-the-first-record-for-kprobe_a.patch new file mode 100644 index 00000000000..2af1c4d2831 --- /dev/null +++ b/queue-5.4/selftests-ftrace-check-the-first-record-for-kprobe_a.patch @@ -0,0 +1,49 @@ +From 135cfcdc96cb165fb873a047988f337636fe4237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2020 14:34:19 +0800 +Subject: selftests/ftrace: Check the first record for kprobe_args_type.tc + +From: Xiao Yang + +[ Upstream commit f0c0d0cf590f71b2213b29a7ded2cde3d0a1a0ba ] + +It is possible to get multiple records from trace during test and then more +than 4 arguments are assigned to ARGS. This situation results in the failure +of kprobe_args_type.tc. For example: +----------------------------------------------------------- +grep testprobe trace + ftracetest-5902 [001] d... 111195.682227: testprobe: (_do_fork+0x0/0x460) arg1=334823024 arg2=334823024 arg3=0x13f4fe70 arg4=7 + pmlogger-5949 [000] d... 111195.709898: testprobe: (_do_fork+0x0/0x460) arg1=345308784 arg2=345308784 arg3=0x1494fe70 arg4=7 + grep testprobe trace + sed -e 's/.* arg1=\(.*\) arg2=\(.*\) arg3=\(.*\) arg4=\(.*\)/\1 \2 \3 \4/' +ARGS='334823024 334823024 0x13f4fe70 7 +345308784 345308784 0x1494fe70 7' +----------------------------------------------------------- + +We don't care which process calls do_fork so just check the first record to +fix the issue. + +Signed-off-by: Xiao Yang +Acked-by: Masami Hiramatsu +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ftrace/test.d/kprobe/kprobe_args_type.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_type.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_type.tc +index 1bcb67dcae267..81490ecaaa927 100644 +--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_type.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_type.tc +@@ -38,7 +38,7 @@ for width in 64 32 16 8; do + echo 0 > events/kprobes/testprobe/enable + + : "Confirm the arguments is recorded in given types correctly" +- ARGS=`grep "testprobe" trace | sed -e 's/.* arg1=\(.*\) arg2=\(.*\) arg3=\(.*\) arg4=\(.*\)/\1 \2 \3 \4/'` ++ ARGS=`grep "testprobe" trace | head -n 1 | sed -e 's/.* arg1=\(.*\) arg2=\(.*\) arg3=\(.*\) arg4=\(.*\)/\1 \2 \3 \4/'` + check_types $ARGS $width + + : "Clear event for next loop" +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series index d864ea27940..5c615e8f415 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -34,3 +34,59 @@ net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch r8169-re-establish-support-for-rtl8401-chip-version.patch umh-fix-memory-leak-on-execve-failure.patch +riscv-fix-vdso-build-with-lld.patch +dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch +dmaengine-mmp_tdma-do-not-ignore-slave-config-valida.patch +dmaengine-mmp_tdma-reset-channel-error-on-release.patch +selftests-ftrace-check-the-first-record-for-kprobe_a.patch +cpufreq-intel_pstate-only-mention-the-bios-disabling.patch +alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch +drm-amd-powerplay-avoid-using-pm_en-before-it-is-ini.patch +drm-amd-display-check-if-refclk_cntl-register-is-pre.patch +drm-amd-display-update-downspread-percent-to-match-s.patch +drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch +drm-amdgpu-simplify-padding-calculations-v2.patch +drm-amdgpu-invalidate-l2-before-sdma-ibs-v2.patch +ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch +alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch +gfs2-another-gfs2_walk_metadata-fix.patch +mmc-sdhci-pci-gli-fix-no-irq-handler-from-suspend.patch +ib-hfi1-fix-another-case-where-pq-is-left-on-waitlis.patch +acpi-ec-pm-avoid-premature-returns-from-acpi_s2idle_.patch +pinctrl-sunrisepoint-fix-pad-lock-register-offset-fo.patch +pinctrl-baytrail-enable-pin-configuration-setting-fo.patch +pinctrl-qcom-fix-wrong-write-in-update_dual_edge.patch +pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch +bpf-fix-error-return-code-in-map_lookup_and_delete_e.patch +alsa-firewire-lib-fix-function-sizeof-not-defined-er.patch +i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch +drm-i915-don-t-enable-waincreaselatencyipcenabled-wh.patch +bpf-sockmap-msg_pop_data-can-incorrecty-set-an-sge-l.patch +bpf-sockmap-bpf_tcp_ingress-needs-to-subtract-bytes-.patch +mmc-alcor-fix-a-resource-leak-in-the-error-path-for-.patch +mmc-sdhci-pci-gli-fix-can-not-access-gl9750-after-re.patch +mmc-core-check-request-type-before-completing-the-re.patch +mmc-core-fix-recursive-locking-issue-in-cqe-recovery.patch +mmc-block-fix-request-completion-in-the-cqe-timeout-.patch +gfs2-more-gfs2_find_jhead-fixes.patch +fork-prevent-accidental-access-to-clone3-features.patch +drm-amdgpu-force-fbdev-into-vram.patch +nfs-fix-fscache-super_cookie-index_key-from-changing.patch +nfs-fscache-use-timespec64-in-inode-auxdata.patch +nfsv4-fix-fscache-cookie-aux_data-to-ensure-change_a.patch +netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch +drm-i915-gvt-fix-kernel-oops-for-3-level-ppgtt-guest.patch +arm64-fix-the-flush_icache_range-arguments-in-machin.patch +nfs-fix-null-deference-in-nfs4_get_valid_delegation.patch +sunrpc-signalled-async-tasks-need-to-exit.patch +netfilter-nft_set_rbtree-introduce-and-use-nft_rbtre.patch +netfilter-nft_set_rbtree-add-missing-expired-checks.patch +rdma-rxe-always-return-err_ptr-from-rxe_create_mmap_.patch +ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch +ib-core-fix-potential-null-pointer-dereference-in-pk.patch +rdma-core-fix-double-put-of-resource.patch +rdma-iw_cxgb4-fix-incorrect-function-parameters.patch +hwmon-da9052-synchronize-access-with-mfd.patch +s390-ism-fix-error-return-code-in-ism_probe.patch +mm-memcg-fix-inconsistent-oom-event-behavior.patch +nfsv3-fix-rpc-receive-buffer-size-for-mount-call.patch diff --git a/queue-5.4/sunrpc-signalled-async-tasks-need-to-exit.patch b/queue-5.4/sunrpc-signalled-async-tasks-need-to-exit.patch new file mode 100644 index 00000000000..79eb22545f1 --- /dev/null +++ b/queue-5.4/sunrpc-signalled-async-tasks-need-to-exit.patch @@ -0,0 +1,43 @@ +From 1c940cbbd6fd1e187ff0e24f1fea5bf18edf870b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 14:07:13 -0400 +Subject: SUNRPC: Signalled ASYNC tasks need to exit + +From: Chuck Lever + +[ Upstream commit ce99aa62e1eb793e259d023c7f6ccb7c4879917b ] + +Ensure that signalled ASYNC rpc_tasks exit immediately instead of +spinning until a timeout (or forever). + +To avoid checking for the signal flag on every scheduler iteration, +the check is instead introduced in the client's finite state +machine. + +Signed-off-by: Chuck Lever +Fixes: ae67bd3821bb ("SUNRPC: Fix up task signalling") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index f7f78566be463..f1088ca39d44c 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2422,6 +2422,11 @@ rpc_check_timeout(struct rpc_task *task) + { + struct rpc_clnt *clnt = task->tk_client; + ++ if (RPC_SIGNALLED(task)) { ++ rpc_call_rpcerror(task, -ERESTARTSYS); ++ return; ++ } ++ + if (xprt_adjust_timeout(task->tk_rqstp) == 0) + return; + +-- +2.20.1 +