From: Sasha Levin Date: Mon, 29 Jun 2020 04:36:06 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.7.7~39^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0e5168195d148aa1796e30aa2d13b16b24fdc65;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/arm-dts-fix-duovero-smsc-interrupt-for-suspend.patch b/queue-4.19/arm-dts-fix-duovero-smsc-interrupt-for-suspend.patch
new file mode 100644
index 00000000000..1b6f84857c3
--- /dev/null
+++ b/queue-4.19/arm-dts-fix-duovero-smsc-interrupt-for-suspend.patch
@@ -0,0 +1,40 @@
+From 175eeee224a63bfbf26faa08ebbdd916ed3510d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Jun 2020 10:19:50 -0700
+Subject: ARM: dts: Fix duovero smsc interrupt for suspend
+
+From: Tony Lindgren
+
+[ Upstream commit 9cf28e41f9f768791f54ee18333239fda6927ed8 ]
+
+While testing the recent suspend and resume regressions I noticed that
+duovero can still end up losing edge gpio interrupts on runtime
+suspend. This causes NFSroot easily stopping working after resume on
+duovero.
+
+Let's fix the issue by using gpio level interrupts for smsc as then
+the gpio interrupt state is seen by the gpio controller on resume.
+
+Fixes: 731b409878a3 ("ARM: dts: Configure duovero for to allow core retention during idle")
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/omap4-duovero-parlor.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap4-duovero-parlor.dts b/arch/arm/boot/dts/omap4-duovero-parlor.dts
+index cfcac0d73851e..93d6fb6db5785 100644
+--- a/arch/arm/boot/dts/omap4-duovero-parlor.dts
++++ b/arch/arm/boot/dts/omap4-duovero-parlor.dts
+@@ -142,7 +142,7 @@ &gpmc {
+ ethernet@gpmc {
+ reg = <5 0 0xff>;
+ interrupt-parent = <&gpio2>;
+- interrupts = <12 IRQ_TYPE_EDGE_FALLING>; /* gpio_44 */
++ interrupts = <12 IRQ_TYPE_LEVEL_LOW>; /* gpio_44 */
+
+ phy-mode = "mii";
+
+--
+2.25.1
+
diff --git a/queue-4.19/arm-dts-nsp-correct-fa2-mailbox-node.patch b/queue-4.19/arm-dts-nsp-correct-fa2-mailbox-node.patch
new file mode 100644
index 00000000000..530c10e0f48
--- /dev/null
+++ b/queue-4.19/arm-dts-nsp-correct-fa2-mailbox-node.patch
@@ -0,0 +1,42 @@
+From f2fc1231fd2b4cc733cb35b58c887d9e8f8c9669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 15:19:00 -0700
+Subject: ARM: dts: NSP: Correct FA2 mailbox node
+
+From: Matthew Hagan
+
+[ Upstream commit ac4e106d8934a5894811fc263f4b03fc8ed0fb7a ]
+
+The FA2 mailbox is specified at 0x18025000 but should actually be
+0x18025c00, length 0x400 according to socregs_nsp.h and board_bu.c. Also
+the interrupt was off by one and should be GIC SPI 151 instead of 150.
+
+Fixes: 17d517172300 ("ARM: dts: NSP: Add mailbox (PDC) to NSP")
+Signed-off-by: Matthew Hagan
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm-nsp.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm-nsp.dtsi b/arch/arm/boot/dts/bcm-nsp.dtsi
+index 2b219addeb449..273a316045798 100644
+--- a/arch/arm/boot/dts/bcm-nsp.dtsi
++++ b/arch/arm/boot/dts/bcm-nsp.dtsi
+@@ -249,10 +249,10 @@ amac2: ethernet@24000 {
+ status = "disabled";
+ };
+
+- mailbox: mailbox@25000 {
++ mailbox: mailbox@25c00 {
+ compatible = "brcm,iproc-fa2-mbox";
+- reg = <0x25000 0x445>;
+- interrupts = ;
++ reg = <0x25c00 0x400>;
++ interrupts = ;
+ #mbox-cells = <1>;
+ brcm,rx-status-len = <32>;
+ brcm,use-bcm-hdr;
+--
+2.25.1
+
diff --git a/queue-4.19/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch b/queue-4.19/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch
new file mode 100644
index 00000000000..56deea3bc4a
--- /dev/null
+++ b/queue-4.19/arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch
@@ -0,0 +1,54 @@
+From d28e6b927679b6116a7cc5de9fcc0741a840a625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jun 2020 20:42:06 +0800
+Subject: ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
+
+From: yu kuai
+
+[ Upstream commit 586745f1598ccf71b0a5a6df2222dee0a865954e ]
+
+if of_find_device_by_node() succeed, imx_suspend_alloc_ocram() doesn't
+have a corresponding put_device(). Thus add a jump target to fix the
+exception handling for this function implementation.
+
+Fixes: 1579c7b9fe01 ("ARM: imx53: Set DDR pins to high impedance when in suspend to RAM.")
+Signed-off-by: yu kuai
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-imx/pm-imx5.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx5.c b/arch/arm/mach-imx/pm-imx5.c
+index 868781fd460c7..14c630c899c5d 100644
+--- a/arch/arm/mach-imx/pm-imx5.c
++++ b/arch/arm/mach-imx/pm-imx5.c
+@@ -301,14 +301,14 @@ static int __init imx_suspend_alloc_ocram(
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_base = gen_pool_alloc(ocram_pool, size);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ phys = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -318,6 +318,8 @@ static int __init imx_suspend_alloc_ocram(
+ if (virt_out)
+ *virt_out = virt;
+
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(node);
+
+--
+2.25.1
+
diff --git a/queue-4.19/arm64-sve-eliminate-data-races-on-sve_default_vl.patch b/queue-4.19/arm64-sve-eliminate-data-races-on-sve_default_vl.patch
new file mode 100644
index 00000000000..15c2b2e7981
--- /dev/null
+++ b/queue-4.19/arm64-sve-eliminate-data-races-on-sve_default_vl.patch
@@ -0,0 +1,120 @@ +From 62100a21e88288b36d5722b4c61bd35f25c3e940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jun 2020 18:03:10 +0100 +Subject: arm64/sve: Eliminate data races on sve_default_vl + +From: Dave Martin + +[ Upstream commit 1e570f512cbdc5e9e401ba640d9827985c1bea1e ] + +sve_default_vl can be modified via the /proc/sys/abi/sve_default_vl +sysctl concurrently with use, and modified concurrently by multiple +threads. + +Adding a lock for this seems overkill, and I don't want to think any +more than necessary, so just define wrappers using READ_ONCE()/ +WRITE_ONCE(). + +This will avoid the possibility of torn accesses and repeated loads +and stores. + +There's no evidence yet that this is going wrong in practice: this +is just hygiene. For generic sysctl users, it would be better to +build this kind of thing into the sysctl common code somehow. + +Reported-by: Will Deacon +Signed-off-by: Dave Martin +Link: https://lore.kernel.org/r/1591808590-20210-3-git-send-email-Dave.Martin@arm.com +[will: move set_sve_default_vl() inside #ifdef to squash allnoconfig warning] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 14fdbaa6ee3ab..af59b42973141 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -124,10 +125,20 @@ struct fpsimd_last_state_struct { + static DEFINE_PER_CPU(struct fpsimd_last_state_struct, fpsimd_last_state); + + /* Default VL for tasks that don't set it explicitly: */ +-static int sve_default_vl = -1; ++static int __sve_default_vl = -1; ++ ++static int get_sve_default_vl(void) ++{ ++ return READ_ONCE(__sve_default_vl); ++} + + #ifdef CONFIG_ARM64_SVE + ++static void set_sve_default_vl(int val) ++{ ++ 
WRITE_ONCE(__sve_default_vl, val); ++} ++ + /* Maximum supported vector length across all CPUs (initially poisoned) */ + int __ro_after_init sve_max_vl = SVE_VL_MIN; + /* Set of available vector lengths, as vq_to_bit(vq): */ +@@ -311,7 +322,7 @@ static int sve_proc_do_default_vl(struct ctl_table *table, int write, + loff_t *ppos) + { + int ret; +- int vl = sve_default_vl; ++ int vl = get_sve_default_vl(); + struct ctl_table tmp_table = { + .data = &vl, + .maxlen = sizeof(vl), +@@ -328,7 +339,7 @@ static int sve_proc_do_default_vl(struct ctl_table *table, int write, + if (!sve_vl_valid(vl)) + return -EINVAL; + +- sve_default_vl = find_supported_vector_length(vl); ++ set_sve_default_vl(find_supported_vector_length(vl)); + return 0; + } + +@@ -772,12 +783,12 @@ void __init sve_setup(void) + * For the default VL, pick the maximum supported value <= 64. + * VL == 64 is guaranteed not to grow the signal frame. + */ +- sve_default_vl = find_supported_vector_length(64); ++ set_sve_default_vl(find_supported_vector_length(64)); + + pr_info("SVE: maximum available vector length %u bytes per vector\n", + sve_max_vl); + pr_info("SVE: default vector length %u bytes per vector\n", +- sve_default_vl); ++ get_sve_default_vl()); + + sve_efi_setup(); + } +@@ -914,13 +925,13 @@ void fpsimd_flush_thread(void) + * vector length configured: no kernel task can become a user + * task without an exec and hence a call to this function. + * By the time the first call to this function is made, all +- * early hardware probing is complete, so sve_default_vl ++ * early hardware probing is complete, so __sve_default_vl + * should be valid. + * If a bug causes this to go wrong, we make some noise and + * try to fudge thread.sve_vl to a safe value here. + */ + vl = current->thread.sve_vl_onexec ? +- current->thread.sve_vl_onexec : sve_default_vl; ++ current->thread.sve_vl_onexec : get_sve_default_vl(); + + if (WARN_ON(!sve_vl_valid(vl))) + vl = SVE_VL_MIN; +-- +2.25.1 + 
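Review bot: Nothing in the new code says that `__sve_default_vl` must only be touched through `get_sve_default_vl()` and `set_sve_default_vl()`, so a later direct access would silently bring back the torn or repeated load this change removes. The comment on the declaration could carry that rule, e.g. `/* Default VL for tasks that don't set it explicitly; access only via get_sve_default_vl()/set_sve_default_vl() */`. In `sve_proc_do_default_vl()` the read into `vl` and the later `set_sve_default_vl()` remain two separate steps, so concurrent sysctl writers resolve as last-writer-wins; that looks intended given the commit message, but is worth one line next to the wrappers. The bodies of the touched functions continue outside the hunks.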
diff --git a/queue-4.19/arm64-sve-fix-build-failure-when-arm64_sve-y-and-sys.patch b/queue-4.19/arm64-sve-fix-build-failure-when-arm64_sve-y-and-sys.patch
new file mode 100644
index 00000000000..97b3df3738b
--- /dev/null
+++ b/queue-4.19/arm64-sve-fix-build-failure-when-arm64_sve-y-and-sys.patch
@@ -0,0 +1,55 @@
+From deae3261f6069c9e505678ebeffe5ead0ada65b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jun 2020 18:29:11 +0100
+Subject: arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
+
+From: Will Deacon
+
+[ Upstream commit e575fb9e76c8e33440fb859572a8b7d430f053d6 ]
+
+When I squashed the 'allnoconfig' compiler warning about the
+set_sve_default_vl() function being defined but not used in commit
+1e570f512cbd ("arm64/sve: Eliminate data races on sve_default_vl"), I
+accidentally broke the build for configs where ARM64_SVE is enabled, but
+SYSCTL is not.
+
+Fix this by only compiling the SVE sysctl support if both CONFIG_SVE=y
+and CONFIG_SYSCTL=y.
+
+Cc: Dave Martin
+Reported-by: Qian Cai
+Link: https://lore.kernel.org/r/20200616131808.GA1040@lca.pw
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/fpsimd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index af59b42973141..177363abbd3e3 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -315,7 +315,7 @@ static unsigned int find_supported_vector_length(unsigned int vl)
+ return sve_vl_from_vq(bit_to_vq(bit));
+ }
+
+-#ifdef CONFIG_SYSCTL
++#if defined(CONFIG_ARM64_SVE) && defined(CONFIG_SYSCTL)
+
+ static int sve_proc_do_default_vl(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+@@ -361,9 +361,9 @@ static int __init sve_sysctl_init(void)
+ return 0;
+ }
+
+-#else /* ! CONFIG_SYSCTL */
++#else /* ! (CONFIG_ARM64_SVE && CONFIG_SYSCTL) */
+ static int __init sve_sysctl_init(void) { return 0; }
+-#endif /* ! CONFIG_SYSCTL */
++#endif /* ! (CONFIG_ARM64_SVE && CONFIG_SYSCTL) */
+
+ #define ZREG(sve_state, vq, n) ((char *)(sve_state) + \
+ (SVE_SIG_ZREG_OFFSET(vq, n) - SVE_SIG_REGS_OFFSET))
+--
+2.25.1
+
diff --git a/queue-4.19/asoc-fsl_ssi-fix-bclk-calculation-for-mono-channel.patch b/queue-4.19/asoc-fsl_ssi-fix-bclk-calculation-for-mono-channel.patch
new file mode 100644
index 00000000000..045103122e3
--- /dev/null
+++ b/queue-4.19/asoc-fsl_ssi-fix-bclk-calculation-for-mono-channel.patch
@@ -0,0 +1,70 @@ +From 627e83acaa0d5d680ed9195848d397e55e25009e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 10:53:48 +0800 +Subject: ASoC: fsl_ssi: Fix bclk calculation for mono channel + +From: Shengjiu Wang + +[ Upstream commit ed1220df6e666500ebf58c4f2fccc681941646fb ] + +For mono channel, SSI will switch to Normal mode. + +In Normal mode and Network mode, the Word Length Control bits +control the word length divider in clock generator, which is +different with I2S Master mode (the word length is fixed to +32bit), it should be the value of params_width(hw_params). + +The condition "slots == 2" is not good for I2S Master mode, +because for Network mode and Normal mode, the slots can also +be 2. Then we need to use (ssi->i2s_net & SSI_SCR_I2S_MODE_MASK) +to check if it is I2S Master mode. + +So we refine the formula for mono channel, otherwise there +will be sound issue for S24_LE. + +Fixes: b0a7043d5c2c ("ASoC: fsl_ssi: Caculate bit clock rate using slot number and width") +Signed-off-by: Shengjiu Wang +Reviewed-by: Nicolin Chen +Link: https://lore.kernel.org/r/034eff1435ff6ce300b6c781130cefd9db22ab9a.1592276147.git.shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_ssi.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c +index d83be26d64467..0e2bdad373d66 100644 +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -678,8 +678,9 @@ static int fsl_ssi_set_bclk(struct snd_pcm_substream *substream, + struct regmap *regs = ssi->regs; + u32 pm = 999, div2, psr, stccr, mask, afreq, factor, i; + unsigned long clkrate, baudrate, tmprate; +- unsigned int slots = params_channels(hw_params); +- unsigned int slot_width = 32; ++ unsigned int channels = params_channels(hw_params); ++ unsigned int slot_width = params_width(hw_params); ++ unsigned int slots = 2; + u64 sub, savesub = 100000; + unsigned int 
freq; + bool baudclk_is_used; +@@ -688,10 +689,14 @@ static int fsl_ssi_set_bclk(struct snd_pcm_substream *substream, + /* Override slots and slot_width if being specifically set... */ + if (ssi->slots) + slots = ssi->slots; +- /* ...but keep 32 bits if slots is 2 -- I2S Master mode */ +- if (ssi->slot_width && slots != 2) ++ if (ssi->slot_width) + slot_width = ssi->slot_width; + ++ /* ...but force 32 bits for stereo audio using I2S Master Mode */ ++ if (channels == 2 && ++ (ssi->i2s_net & SSI_SCR_I2S_MODE_MASK) == SSI_SCR_I2S_MODE_MASTER) ++ slot_width = 32; ++ + /* Generate bit clock based on the slot number and slot width */ + freq = slots * slot_width * params_rate(hw_params); + +-- +2.25.1 + diff --git a/queue-4.19/asoc-q6asm-handle-eos-correctly.patch b/queue-4.19/asoc-q6asm-handle-eos-correctly.patch new file mode 100644 index 00000000000..4e83c7af7db --- /dev/null +++ b/queue-4.19/asoc-q6asm-handle-eos-correctly.patch 
@@ -0,0 +1,60 @@ +From ea48b908b1660b3e9f680dae7883acff92ebe7fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 13:41:53 +0100 +Subject: ASoC: q6asm: handle EOS correctly + +From: Srinivas Kandagatla + +[ Upstream commit 6476b60f32866be49d05e2e0163f337374c55b06 ] + +Successful send of EOS command does not indicate that EOS is actually +finished, correct event to wait EOS is finished is EOS_RENDERED event. +EOS_RENDERED means that the DSP has finished processing all the buffers +for that particular session and stream. + +This patch fixes EOS handling! + +Fixes: 68fd8480bb7b ("ASoC: qdsp6: q6asm: Add support to audio stream apis") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200611124159.20742-3-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6asm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/qcom/qdsp6/q6asm.c b/sound/soc/qcom/qdsp6/q6asm.c +index 2b2c7233bb5fa..1bdacf7976139 100644 +--- a/sound/soc/qcom/qdsp6/q6asm.c ++++ b/sound/soc/qcom/qdsp6/q6asm.c +@@ -25,6 +25,7 @@ + #define ASM_STREAM_CMD_FLUSH 0x00010BCE + #define ASM_SESSION_CMD_PAUSE 0x00010BD3 + #define ASM_DATA_CMD_EOS 0x00010BDB ++#define ASM_DATA_EVENT_RENDERED_EOS 0x00010C1C + #define ASM_NULL_POPP_TOPOLOGY 0x00010C68 + #define ASM_STREAM_CMD_FLUSH_READBUFS 0x00010C09 + #define ASM_STREAM_CMD_SET_ENCDEC_PARAM 0x00010C10 +@@ -545,9 +546,6 @@ static int32_t q6asm_stream_callback(struct apr_device *adev, + case ASM_SESSION_CMD_SUSPEND: + client_event = ASM_CLIENT_EVENT_CMD_SUSPEND_DONE; + break; +- case ASM_DATA_CMD_EOS: +- client_event = ASM_CLIENT_EVENT_CMD_EOS_DONE; +- break; + case ASM_STREAM_CMD_FLUSH: + client_event = ASM_CLIENT_EVENT_CMD_FLUSH_DONE; + break; +@@ -650,6 +648,9 @@ static int32_t q6asm_stream_callback(struct apr_device *adev, + spin_unlock_irqrestore(&ac->lock, flags); + } + ++ break; ++ case ASM_DATA_EVENT_RENDERED_EOS: ++ 
client_event = ASM_CLIENT_EVENT_CMD_EOS_DONE; + break; + } + +-- +2.25.1 + diff --git a/queue-4.19/asoc-rockchip-fix-a-reference-count-leak.patch b/queue-4.19/asoc-rockchip-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..fb5c1d436a0 --- /dev/null +++ b/queue-4.19/asoc-rockchip-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From dd7bf9914b4fdc19ddca6ece842326d0b68102f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 15:51:58 -0500 +Subject: ASoC: rockchip: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit f141a422159a199f4c8dedb7e0df55b3b2cf16cd ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not called in +error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails. + +Fixes: fc05a5b22253 ("ASoC: rockchip: add support for pdm controller") +Signed-off-by: Qiushi Wu +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20200613205158.27296-1-wu000273@umn.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_pdm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/rockchip/rockchip_pdm.c b/sound/soc/rockchip/rockchip_pdm.c +index 8a2e3bbce3a16..ad16c8310dd38 100644 +--- a/sound/soc/rockchip/rockchip_pdm.c ++++ b/sound/soc/rockchip/rockchip_pdm.c +@@ -478,8 +478,10 @@ static int rockchip_pdm_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + + ret = regcache_sync(pdm->regmap); + +-- +2.25.1 + diff --git a/queue-4.19/ata-libata-fix-usage-of-page-address-by-page_address.patch b/queue-4.19/ata-libata-fix-usage-of-page-address-by-page_address.patch new file mode 100644 index 00000000000..7a027e44c80 --- /dev/null +++ b/queue-4.19/ata-libata-fix-usage-of-page-address-by-page_address.patch 
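Review bot: The error path added to `rockchip_pdm_resume()` balances the usage count with `pm_runtime_put(dev)`, which also asks the PM core for an idle check on a device whose resume has just failed. `pm_runtime_put_noidle(dev);` drops the count without that side effect and is the more usual call after a failed `pm_runtime_get_sync()`. The rest of the function, including whatever put balances the success path, lies outside the hunk.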
@@ -0,0 +1,182 @@
+From 2d01d73951c3f59218463396a8e480f819ed9b02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jun 2020 09:41:49 +0800
+Subject: ata/libata: Fix usage of page address by page_address in
+ ata_scsi_mode_select_xlat function
+
+From: Ye Bin
+
+[ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ]
+
+BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
+drivers/ata/libata-scsi.c:4045
+Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621
+
+CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0xac/0xee lib/dump_stack.c:118
+print_address_description+0x60/0x223 mm/kasan/report.c:253
+kasan_report_error mm/kasan/report.c:351 [inline]
+kasan_report mm/kasan/report.c:409 [inline]
+kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
+ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
+ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
+__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
+ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
+scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
+scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
+blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
+blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
+blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
+__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
+__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
+blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
+blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
+blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
+blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
+sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
+sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:501 [inline]
+do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
+ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
+__do_sys_ioctl fs/ioctl.c:712 [inline]
+__se_sys_ioctl fs/ioctl.c:710 [inline]
+__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
+f7 48
+89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f
+83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
+RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
+RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc
+
+Allocated by task 12577:
+set_track mm/kasan/kasan.c:460 [inline]
+kasan_kmalloc mm/kasan/kasan.c:553 [inline]
+kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
+__kmalloc+0xf3/0x1e0 mm/slub.c:3749
+kmalloc include/linux/slab.h:520 [inline]
+load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
+load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
+search_binary_handler fs/exec.c:1654 [inline]
+search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
+exec_binprm fs/exec.c:1696 [inline]
+__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
+do_execveat_common fs/exec.c:1866 [inline]
+do_execve fs/exec.c:1883 [inline]
+__do_sys_execve fs/exec.c:1964 [inline]
+__se_sys_execve fs/exec.c:1959 [inline]
+__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 12577:
+set_track mm/kasan/kasan.c:460 [inline]
+__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
+slab_free_hook mm/slub.c:1370 [inline]
+slab_free_freelist_hook mm/slub.c:1397 [inline]
+slab_free mm/slub.c:2952 [inline]
+kfree+0x8b/0x1a0 mm/slub.c:3904
+load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
+search_binary_handler fs/exec.c:1654 [inline]
+search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
+exec_binprm fs/exec.c:1696 [inline]
+__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
+do_execveat_common fs/exec.c:1866 [inline]
+do_execve fs/exec.c:1883 [inline]
+__do_sys_execve fs/exec.c:1964 [inline]
+__se_sys_execve fs/exec.c:1959 [inline]
+__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff88803b8ccf00
+which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 259 bytes inside of
+512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
+The buggy address belongs to the page:
+page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
+index:0xffff88803b8cc780 compound_mapcount: 0
+flags: 0x100000000008100(slab|head)
+raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
+raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+^
+ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
+this error.
+
+The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
+which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
+maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
+may not page aligned.
+This also looks completely buggy on highmem systems and really needs to use a
+kmap_atomic. --Christoph Hellwig
+To address above bugs, Paolo Bonzini advise to simpler to just make a char array
+of size CACHE_MPAGE_LEN+8+8+4-2(or just 64 to make it easy), use sg_copy_to_buffer
+to copy from the sglist into the buffer, and workthere.
+
+Signed-off-by: Ye Bin
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-scsi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 0c1572a1cc5ed..6c2c2b07f029e 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3995,12 +3995,13 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
+ {
+ struct scsi_cmnd *scmd = qc->scsicmd;
+ const u8 *cdb = scmd->cmnd;
+- const u8 *p;
+ u8 pg, spg;
+ unsigned six_byte, pg_len, hdr_len, bd_len;
+ int len;
+ u16 fp = (u16)-1;
+ u8 bp = 0xff;
++ u8 buffer[64];
++ const u8 *p = buffer;
+
+ VPRINTK("ENTER\n");
+
+@@ -4034,12 +4035,14 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
+ if (!scsi_sg_count(scmd) || scsi_sglist(scmd)->length < len)
+ goto invalid_param_len;
+
+- p = page_address(sg_page(scsi_sglist(scmd)));
+-
+ /* Move past header and block descriptors. */
+ if (len < hdr_len)
+ goto invalid_param_len;
+
++ if (!sg_copy_to_buffer(scsi_sglist(scmd), scsi_sg_count(scmd),
++ buffer, sizeof(buffer)))
++ goto invalid_param_len;
++
+ if (six_byte)
+ bd_len = p[3];
+ else
+--
+2.25.1
+
diff --git a/queue-4.19/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch b/queue-4.19/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch
new file mode 100644
index 00000000000..7f8b5b26f85
--- /dev/null
+++ b/queue-4.19/blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch
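Review bot: The copy into `buffer` is capped at `sizeof(buffer)` (64 bytes), yet within these hunks `len` is only compared with the first scatterlist entry's length and with `hdr_len`, never with the buffer size, and `buffer` itself is left uninitialised. Every later step that advances `p` by `bd_len` or by a page length therefore relies on checks outside the hunk to stay inside the bytes that were actually copied; if they do not bound it, the slab over-read in the KASAN report becomes a stack over-read instead. I would record the sizing at the declaration, e.g. `u8 buffer[64]; /* >= CACHE_MPAGE_LEN + 8 + 8 + 4 - 2, see commit message */`, and confirm that the remaining parsing rejects any `len` that would index past `sizeof(buffer)`. Note also that `sg_copy_to_buffer()` returns the number of bytes copied, so the `!` test rejects only an empty copy. The body of `ata_scsi_mode_select_xlat()` continues outside both hunks.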
@@ -0,0 +1,93 @@
+From 87691bb77fe35930d37b63005301234f486f1d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jun 2020 16:58:36 +0200
+Subject: blktrace: break out of blktrace setup on concurrent calls
+
+From: Luis Chamberlain
+
+[ Upstream commit 1b0b283648163dae2a214ca28ed5a99f62a77319 ]
+
+We use one blktrace per request_queue, that means one per the entire
+disk. So we cannot run one blktrace on say /dev/vda and then /dev/vda1,
+or just two calls on /dev/vda.
+
+We check for concurrent setup only at the very end of the blktrace setup though.
+
+If we try to run two concurrent blktraces on the same block device the
+second one will fail, and the first one seems to go on. However when
+one tries to kill the first one one will see things like this:
+
+The kernel will show these:
+
+```
+debugfs: File 'dropped' in directory 'nvme1n1' already present!
+debugfs: File 'msg' in directory 'nvme1n1' already present!
+debugfs: File 'trace0' in directory 'nvme1n1' already present!
+``
+
+And userspace just sees this error message for the second call:
+
+```
+blktrace /dev/nvme1n1
+BLKTRACESETUP(2) /dev/nvme1n1 failed: 5/Input/output error
+```
+
+The first userspace process #1 will also claim that the files
+were taken underneath their nose as well. The files are taken
+away form the first process given that when the second blktrace
+fails, it will follow up with a BLKTRACESTOP and BLKTRACETEARDOWN.
+This means that even if go-happy process #1 is waiting for blktrace
+data, we *have* been asked to take teardown the blktrace.
+
+This can easily be reproduced with break-blktrace [0] run_0005.sh test.
+
+Just break out early if we know we're already going to fail, this will
+prevent trying to create the files all over again, which we know still
+exist.
+
+[0] https://github.com/mcgrof/break-blktrace
+
+Signed-off-by: Luis Chamberlain
+Signed-off-by: Jan Kara
+Reviewed-by: Bart Van Assche
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/blktrace.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index b7e1e09a0bef5..7a4ca2deb39bc 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -3,6 +3,9 @@
+ * Copyright (C) 2006 Jens Axboe
+ *
+ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include
+ #include
+ #include
+@@ -495,6 +498,16 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+ */
+ strreplace(buts->name, '/', '_');
+
++ /*
++ * bdev can be NULL, as with scsi-generic, this is a helpful as
++ * we can be.
++ */
++ if (q->blk_trace) {
++ pr_warn("Concurrent blktraces are not allowed on %s\n",
++ buts->name);
++ return -EBUSY;
++ }
++
+ bt = kzalloc(sizeof(*bt), GFP_KERNEL);
+ if (!bt)
+ return -ENOMEM;
+--
+2.25.1
+
diff --git a/queue-4.19/cxgb4-move-handling-l2t-arp-failures-to-caller.patch b/queue-4.19/cxgb4-move-handling-l2t-arp-failures-to-caller.patch
new file mode 100644
index 00000000000..610231937f1
--- /dev/null
+++ b/queue-4.19/cxgb4-move-handling-l2t-arp-failures-to-caller.patch
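Review bot: The comment placed above the new `if (q->blk_trace)` test talks about `bdev` being NULL and says nothing about the check it introduces; something like `/* Fail early if a trace is already set up on this queue; the check at the end of setup still decides races. */` would match the commit message. The test runs with no lock visible in the hunk, so it is an early exit and not a guarantee, and two callers can still both pass it. `buts->name` is printed through an unthrottled `pr_warn()`; if that string is caller-supplied, as the `strreplace()` just above suggests, `pr_warn_ratelimited()` would keep repeated failing setups from flooding the kernel log. `do_blk_trace_setup()` continues outside the hunk.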
@@ -0,0 +1,105 @@
+From ca89d85181a21eeb468e364446bd1ee59a6535f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jun 2020 01:51:31 +0530
+Subject: cxgb4: move handling L2T ARP failures to caller
+
+From: Rahul Lakkireddy
+
+[ Upstream commit 11d8cd5c9f3b46f397f889cefdb66795518aaebd ]
+
+Move code handling L2T ARP failures to the only caller.
+
+Fixes following sparse warning:
+skbuff.h:2091:29: warning: context imbalance in
+'handle_failed_resolution' - unexpected unlock
+
+Fixes: 749cb5fe48bb ("cxgb4: Replace arpq_head/arpq_tail with SKB double link-list code")
+Signed-off-by: Rahul Lakkireddy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/chelsio/cxgb4/l2t.c | 52 +++++++++++-------------
+ 1 file changed, 24 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/l2t.c b/drivers/net/ethernet/chelsio/cxgb4/l2t.c
+index 986277744611c..08f4780e7fe7a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/l2t.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/l2t.c
+@@ -507,41 +507,20 @@ u64 cxgb4_select_ntuple(struct net_device *dev,
+ }
+ EXPORT_SYMBOL(cxgb4_select_ntuple);
+
+-/*
+- * Called when address resolution fails for an L2T entry to handle packets
+- * on the arpq head. If a packet specifies a failure handler it is invoked,
+- * otherwise the packet is sent to the device.
+- */
+-static void handle_failed_resolution(struct adapter *adap, struct l2t_entry *e)
+-{
+- struct sk_buff *skb;
+-
+- while ((skb = __skb_dequeue(&e->arpq)) != NULL) {
+- const struct l2t_skb_cb *cb = L2T_SKB_CB(skb);
+-
+- spin_unlock(&e->lock);
+- if (cb->arp_err_handler)
+- cb->arp_err_handler(cb->handle, skb);
+- else
+- t4_ofld_send(adap, skb);
+- spin_lock(&e->lock);
+- }
+-}
+-
+ /*
+ * Called when the host's neighbor layer makes a change to some entry that is
+ * loaded into the HW L2 table.
+ */
+void t4_l2t_update(struct adapter *adap, struct neighbour *neigh)
+ {
+- struct l2t_entry *e;
+- struct sk_buff_head *arpq = NULL;
+- struct l2t_data *d = adap->l2t;
+ unsigned int addr_len = neigh->tbl->key_len;
+ u32 *addr = (u32 *) neigh->primary_key;
+- int ifidx = neigh->dev->ifindex;
+- int hash = addr_hash(d, addr, addr_len, ifidx);
++ int hash, ifidx = neigh->dev->ifindex;
++ struct sk_buff_head *arpq = NULL;
++ struct l2t_data *d = adap->l2t;
++ struct l2t_entry *e;
+
++ hash = addr_hash(d, addr, addr_len, ifidx);
+ read_lock_bh(&d->lock);
+ for (e = d->l2tab[hash].first; e; e = e->next)
+ if (!addreq(e, addr) && e->ifindex == ifidx) {
+@@ -574,8 +553,25 @@ void t4_l2t_update(struct adapter *adap, struct neighbour *neigh)
+ write_l2e(adap, e, 0);
+ }
+
+- if (arpq)
+- handle_failed_resolution(adap, e);
++ if (arpq) {
++ struct sk_buff *skb;
++
++ /* Called when address resolution fails for an L2T
++ * entry to handle packets on the arpq head. If a
++ * packet specifies a failure handler it is invoked,
++ * otherwise the packet is sent to the device.
++ */
++ while ((skb = __skb_dequeue(&e->arpq)) != NULL) {
++ const struct l2t_skb_cb *cb = L2T_SKB_CB(skb);
++
++ spin_unlock(&e->lock);
++ if (cb->arp_err_handler)
++ cb->arp_err_handler(cb->handle, skb);
++ else
++ t4_ofld_send(adap, skb);
++ spin_lock(&e->lock);
++ }
++ }
+ spin_unlock_bh(&e->lock);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/drm-amd-display-use-kfree-to-free-rgb_user-in-calcul.patch b/queue-4.19/drm-amd-display-use-kfree-to-free-rgb_user-in-calcul.patch
new file mode 100644
index 00000000000..648606cf15e
--- /dev/null
+++ b/queue-4.19/drm-amd-display-use-kfree-to-free-rgb_user-in-calcul.patch
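Review bot: The comment moved into the `if (arpq)` block of `t4_l2t_update()` still opens with "Called when address resolution fails for an L2T entry", which was the header of the deleted `handle_failed_resolution()` and reads oddly inside a branch. Rewording it to `/* Address resolution failed: run each queued packet's arp_err_handler, or send the packet to the device if none is set. */` fits its new place. The loop also releases and retakes `e->lock` with plain `spin_unlock()`/`spin_lock()` around each handler while the function ends with `spin_unlock_bh()`; that is carried over unchanged from the old helper, but a one-line comment on why the lock is dropped around the callback would help the next reader.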
@@ -0,0 +1,37 @@
+From 735a9cdfc219a747ee8580806e44f5b233ba43e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jun 2020 20:37:44 +0300
+Subject: drm/amd/display: Use kfree() to free rgb_user in
+ calculate_user_regamma_ramp()
+
+From: Denis Efremov
+
+[ Upstream commit 43a562774fceba867e8eebba977d7d42f8a2eac7 ]
+
+Use kfree() instead of kvfree() to free rgb_user in
+calculate_user_regamma_ramp() because the memory is allocated with
+kcalloc().
+
+Signed-off-by: Denis Efremov
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+index 962900932beed..11ea1a0e629bd 100644
+--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
++++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+@@ -1561,7 +1561,7 @@ bool calculate_user_regamma_ramp(struct dc_transfer_func *output_tf,
+
+ kfree(rgb_regamma);
+ rgb_regamma_alloc_fail:
+- kvfree(rgb_user);
++ kfree(rgb_user);
+ rgb_user_alloc_fail:
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch b/queue-4.19/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch
new file mode 100644
index 00000000000..f81da3dfdbc
--- /dev/null
+++ b/queue-4.19/efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch
@@ -0,0 +1,39 @@
+From d6f78243512850eb1cdd25bf492777a8559ccd76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 May 2020 13:38:04 -0500
+Subject: efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
+
+From: Qiushi Wu
+
+[ Upstream commit 4ddf4739be6e375116c375f0a68bf3893ffcee21 ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object. Previous
+commit "b8eb718348b8" fixed a similar problem.
+
+Fixes: 0bb549052d33 ("efi: Add esrt support")
+Signed-off-by: Qiushi Wu
+Link: https://lore.kernel.org/r/20200528183804.4497-1-wu000273@umn.edu
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/esrt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c
+index 5d06bd247d073..2f6204b2fdd38 100644
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -180,7 +180,7 @@ static int esre_create_sysfs_entry(void *esre, int entry_num)
+ rc = kobject_init_and_add(&entry->kobj, &esre1_ktype, NULL,
+ "entry%d", entry_num);
+ if (rc) {
+- kfree(entry);
++ kobject_put(&entry->kobj);
+ return rc;
+ }
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/hwrng-ks-sa-fix-runtime-pm-imbalance-on-error.patch b/queue-4.19/hwrng-ks-sa-fix-runtime-pm-imbalance-on-error.patch
new file mode 100644
index 00000000000..908e924121a
--- /dev/null
+++ b/queue-4.19/hwrng-ks-sa-fix-runtime-pm-imbalance-on-error.patch
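Review bot: Switching the error path to `kobject_put(&entry->kobj)` means `entry` is now freed by the release callback of `esre1_ktype`, which is not visible in this hunk. That callback runs here on an entry that has only been allocated and partly initialised. It should be checked that the callback does nothing that assumes a fully registered entry, such as unlinking it from a list it was never added to. If it does, the entry's list node needs initialising before `kobject_init_and_add()`, or the release path needs a guard. esre_create_sysfs_entry() starts and ends outside the hunk.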
@@ -0,0 +1,36 @@
+From 2d0729dab1c05eacd77962a67f507a15cc201498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 May 2020 15:21:04 +0800
+Subject: hwrng: ks-sa - Fix runtime PM imbalance on error
+
+From: Dinghao Liu
+
+[ Upstream commit 95459261c99f1621d90bc628c2a48e60b7cf9a88 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+the call returns an error code. Thus a pairing decrement is needed
+on the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu
+Reviewed-by: Alexander Sverdlin
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/char/hw_random/ks-sa-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/ks-sa-rng.c b/drivers/char/hw_random/ks-sa-rng.c
+index 62c6696c1dbd8..b6d7db362b217 100644
+--- a/drivers/char/hw_random/ks-sa-rng.c
++++ b/drivers/char/hw_random/ks-sa-rng.c
+@@ -216,6 +216,7 @@ static int ks_sa_rng_probe(struct platform_device *pdev)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to enable SA power-domain\n");
++ pm_runtime_put_noidle(dev);
+ pm_runtime_disable(dev);
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/i2c-core-check-returned-size-of-emulated-smbus-block.patch b/queue-4.19/i2c-core-check-returned-size-of-emulated-smbus-block.patch
new file mode 100644
index 00000000000..6de1cc35515
--- /dev/null
+++ b/queue-4.19/i2c-core-check-returned-size-of-emulated-smbus-block.patch
@@ -0,0 +1,47 @@
+From 2093311a5dac2926564c9765e572676154e757b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 11:41:09 +0100
+Subject: i2c: core: check returned size of emulated smbus block read
+
+From: Mans Rullgard
+
+[ Upstream commit 40e05200593af06633f64ab0effff052eee6f076 ]
+
+If the i2c bus driver ignores the I2C_M_RECV_LEN flag (as some of
+them do), it is possible for an I2C_SMBUS_BLOCK_DATA read issued
+on some random device to return an arbitrary value in the first
+byte (and nothing else). When this happens, i2c_smbus_xfer_emulated()
+will happily write past the end of the supplied data buffer, thus
+causing Bad Things to happen. To prevent this, check the size
+before copying the data block and return an error if it is too large.
+
+Fixes: 209d27c3b167 ("i2c: Emulate SMBus block read over I2C")
+Signed-off-by: Mans Rullgard
+[wsa: use better errno]
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/i2c-core-smbus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
+index 9cd66cabb84fd..8d6fad05b0c7f 100644
+--- a/drivers/i2c/i2c-core-smbus.c
++++ b/drivers/i2c/i2c-core-smbus.c
+@@ -497,6 +497,13 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_BLOCK_PROC_CALL:
++ if (msg[1].buf[0] > I2C_SMBUS_BLOCK_MAX) {
++ dev_err(&adapter->dev,
++ "Invalid block size returned: %d\n",
++ msg[1].buf[0]);
++ status = -EPROTO;
++ goto cleanup;
++ }
+ for (i = 0; i < msg[1].buf[0] + 1; i++)
+ data->block[i] = msg[1].buf[i];
+ break;
+--
+2.25.1
+
diff --git a/queue-4.19/i2c-fsi-fix-the-port-number-field-in-status-register.patch b/queue-4.19/i2c-fsi-fix-the-port-number-field-in-status-register.patch
new file mode 100644
index 00000000000..8e17880eb1f
--- /dev/null
+++ b/queue-4.19/i2c-fsi-fix-the-port-number-field-in-status-register.patch
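Review bot: The new check in the `I2C_SMBUS_BLOCK_DATA` case bounds the copy, but any length byte from 0 to `I2C_SMBUS_BLOCK_MAX` is still trusted. That includes the case the commit message describes, where the adapter ignored I2C_M_RECV_LEN and filled in only the first byte. The loop then copies up to `msg[1].buf[0] + 1` bytes of `msg[1].buf` that the adapter never wrote into `data->block`. Whether stale memory reaches the caller therefore depends on that buffer being zero-initialised, and its declaration is outside this hunk. The value logged comes from the device, so `dev_err_ratelimited()` would also keep a misbehaving device from flooding the log.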
@@ -0,0 +1,36 @@
+From d0d155e45a7e7dda14ae432d010a1922fd64c461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2020 15:15:54 -0500
+Subject: i2c: fsi: Fix the port number field in status register
+
+From: Eddie James
+
+[ Upstream commit 502035e284cc7e9efef22b01771d822d49698ab9 ]
+
+The port number field in the status register was not correct, so fix it.
+
+Fixes: d6ffb6300116 ("i2c: Add FSI-attached I2C master algorithm")
+Signed-off-by: Eddie James
+Signed-off-by: Joel Stanley
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-fsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-fsi.c b/drivers/i2c/busses/i2c-fsi.c
+index 1e2be2219a602..46aef609fb708 100644
+--- a/drivers/i2c/busses/i2c-fsi.c
++++ b/drivers/i2c/busses/i2c-fsi.c
+@@ -98,7 +98,7 @@
+ #define I2C_STAT_DAT_REQ BIT(25)
+ #define I2C_STAT_CMD_COMP BIT(24)
+ #define I2C_STAT_STOP_ERR BIT(23)
+-#define I2C_STAT_MAX_PORT GENMASK(19, 16)
++#define I2C_STAT_MAX_PORT GENMASK(22, 16)
+ #define I2C_STAT_ANY_INT BIT(15)
+ #define I2C_STAT_SCL_IN BIT(11)
+ #define I2C_STAT_SDA_IN BIT(10)
+--
+2.25.1
+
diff --git a/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch b/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
new file mode 100644
index 00000000000..c6ebf338663
--- /dev/null
+++ b/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
@@ -0,0 +1,63 @@ +From a0a00dc6afcd7429de3b9d8d8b67a01a28d21ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jun 2020 13:47:35 +0300 +Subject: IB/mad: Fix use after free when destroying MAD agent + +From: Shay Drory + +[ Upstream commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e ] + +Currently, when RMPP MADs are processed while the MAD agent is destroyed, +it could result in use after free of rmpp_recv, as decribed below: + + cpu-0 cpu-1 + ----- ----- +ib_mad_recv_done() + ib_mad_complete_recv() + ib_process_rmpp_recv_wc() + unregister_mad_agent() + ib_cancel_rmpp_recvs() + cancel_delayed_work() + process_rmpp_data() + start_rmpp() + queue_delayed_work(rmpp_recv->cleanup_work) + destroy_rmpp_recv() + free_rmpp_recv() + cleanup_work()[1] + spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free + +[1] cleanup_work() == recv_cleanup_handler + +Fix it by waiting for the MAD agent reference count becoming zero before +calling to ib_cancel_rmpp_recvs(). + +Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs") +Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org +Signed-off-by: Shay Drory +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index fd0a2fd8bfdf7..a36b3b4f5c0a2 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -615,10 +615,10 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv) + idr_unlock(&ib_mad_clients); + + flush_workqueue(port_priv->wq); +- ib_cancel_rmpp_recvs(mad_agent_priv); + + deref_mad_agent(mad_agent_priv); + wait_for_completion(&mad_agent_priv->comp); ++ ib_cancel_rmpp_recvs(mad_agent_priv); + + ib_mad_agent_security_cleanup(&mad_agent_priv->agent); + +-- +2.25.1 + 
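Review bot: The reordering in unregister_mad_agent() is correct only because of an ordering constraint that the code does not state, so a comment above the moved call is worth adding. Something like `/* Cancel RMPP receives only after the last reference is gone: a receive still in flight can queue new cleanup work after an earlier cancel. */` before `ib_cancel_rmpp_recvs(mad_agent_priv);` would keep a later cleanup from moving the call back. The function starts and ends outside the hunk.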
diff --git a/queue-4.19/ibmvnic-harden-device-login-requests.patch b/queue-4.19/ibmvnic-harden-device-login-requests.patch new file mode 100644 index 00000000000..dba2486390b --- /dev/null +++ b/queue-4.19/ibmvnic-harden-device-login-requests.patch 
@@ -0,0 +1,74 @@ +From fba84f6749206e99da798a1d00c9d9584102378f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 10:29:23 -0500 +Subject: ibmvnic: Harden device login requests + +From: Thomas Falcon + +[ Upstream commit dff515a3e71dc8ab3b9dcc2e23a9b5fca88b3c18 ] + +The VNIC driver's "login" command sequence is the final step +in the driver's initialization process with device firmware, +confirming the available device queue resources to be utilized +by the driver. Under high system load, firmware may not respond +to the request in a timely manner or may abort the request. In +such cases, the driver should reattempt the login command +sequence. In case of a device error, the number of retries +is bounded. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 645298628b6f7..5e9e45befc875 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -792,12 +792,13 @@ static int ibmvnic_login(struct net_device *netdev) + struct ibmvnic_adapter *adapter = netdev_priv(netdev); + unsigned long timeout = msecs_to_jiffies(30000); + int retry_count = 0; ++ int retries = 10; + bool retry; + int rc; + + do { + retry = false; +- if (retry_count > IBMVNIC_MAX_QUEUES) { ++ if (retry_count > retries) { + netdev_warn(netdev, "Login attempts exceeded\n"); + return -1; + } +@@ -812,11 +813,23 @@ static int ibmvnic_login(struct net_device *netdev) + + if (!wait_for_completion_timeout(&adapter->init_done, + timeout)) { +- netdev_warn(netdev, "Login timed out\n"); +- return -1; ++ netdev_warn(netdev, "Login timed out, retrying...\n"); ++ retry = true; ++ adapter->init_done_rc = 0; ++ retry_count++; ++ continue; + } + +- if (adapter->init_done_rc == PARTIALSUCCESS) { ++ if 
(adapter->init_done_rc == ABORTED) { ++ netdev_warn(netdev, "Login aborted, retrying...\n"); ++ retry = true; ++ adapter->init_done_rc = 0; ++ retry_count++; ++ /* FW or device may be busy, so ++ * wait a bit before retrying login ++ */ ++ msleep(500); ++ } else if (adapter->init_done_rc == PARTIALSUCCESS) { + retry_count++; + release_sub_crqs(adapter, 1); + +-- +2.25.1 + diff --git a/queue-4.19/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch b/queue-4.19/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch new file mode 100644 index 00000000000..a197349684a --- /dev/null +++ b/queue-4.19/kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch 
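Review bot: With the timeout branch in ibmvnic_login() now retrying instead of returning, the worst case is eleven waits of `msecs_to_jiffies(30000)` each, about five and a half minutes during which the caller is blocked. Whether that is acceptable depends on what the callers hold while they wait, which this hunk does not show. The bound is a local that never changes, so `const int retries = 10;` or a named constant would say so. The timeout and ABORTED branches repeat the same three assignments and differ only in the `msleep(500)`. A response to a timed-out attempt that arrives late may complete `init_done` for the next attempt unless the completion is re-armed at the top of the loop, which is outside the hunk.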
@@ -0,0 +1,72 @@ +From ccddb7ab0230cd950e64cee48d3e849479263b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 23:43:40 +0900 +Subject: kbuild: improve cc-option to clean up all temporary files + +From: Masahiro Yamada + +[ Upstream commit f2f02ebd8f3833626642688b2d2c6a7b3c141fa9 ] + +When cc-option and friends evaluate compiler flags, the temporary file +$$TMP is created as an output object, and automatically cleaned up. +The actual file path of $$TMP is ..tmp, here is the process +ID of $(shell ...) invoked from cc-option. (Please note $$$$ is the +escape sequence of $$). + +Such garbage files are cleaned up in most cases, but some compiler flags +create additional output files. + +For example, -gsplit-dwarf creates a .dwo file. + +When CONFIG_DEBUG_INFO_SPLIT=y, you will see a bunch of ..dwo files +left in the top of build directories. You may not notice them unless you +do 'ls -a', but the garbage files will increase every time you run 'make'. + +This commit changes the temporary object path to .tmp_/tmp, and +removes .tmp_ directory when exiting. Separate build artifacts such +as *.dwo will be cleaned up all together because their file paths are +usually determined based on the base name of the object. 
+ +Another example is -ftest-coverage, which outputs the coverage data into +.gcno + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Kbuild.include | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index ce53639a864a1..c830750d725b7 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -81,20 +81,21 @@ cc-cross-prefix = \ + fi))) + + # output directory for tests below +-TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/) ++TMPOUT = $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/).tmp_$$$$ + + # try-run + # Usage: option = $(call try-run, $(CC)...-o "$$TMP",option-ok,otherwise) + # Exit code chooses option. "$$TMP" serves as a temporary file and is + # automatically cleaned up. + try-run = $(shell set -e; \ +- TMP="$(TMPOUT).$$$$.tmp"; \ +- TMPO="$(TMPOUT).$$$$.o"; \ ++ TMP=$(TMPOUT)/tmp; \ ++ TMPO=$(TMPOUT)/tmp.o; \ ++ mkdir -p $(TMPOUT); \ ++ trap "rm -rf $(TMPOUT)" EXIT; \ + if ($(1)) >/dev/null 2>&1; \ + then echo "$(2)"; \ + else echo "$(3)"; \ +- fi; \ +- rm -f "$$TMP" "$$TMPO") ++ fi) + + # as-option + # Usage: cflags-y += $(call as-option,-Wa$(comma)-isa=foo,) +-- +2.25.1 + diff --git a/queue-4.19/net-alx-fix-race-condition-in-alx_remove.patch b/queue-4.19/net-alx-fix-race-condition-in-alx_remove.patch new file mode 100644 index 00000000000..ffe70014388 --- /dev/null +++ b/queue-4.19/net-alx-fix-race-condition-in-alx_remove.patch 
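Review bot: The rewritten try-run drops the quoting the old code had: `TMP=$(TMPOUT)/tmp`, `mkdir -p $(TMPOUT)` and `trap "rm -rf $(TMPOUT)" EXIT` all expand the path unquoted, and TMPOUT is built from KBUILD_EXTMOD. A module path containing shell metacharacters would then be interpreted by the shell, and one of the affected commands is a recursive delete. Quoting each use, `TMP="$(TMPOUT)/tmp"`, `mkdir -p "$(TMPOUT)"` and `trap 'rm -rf "$(TMPOUT)"' EXIT`, restores the protection the old code had. The usage comment above try-run still describes "$$TMP" as a temporary file that is cleaned up, and it could say that the whole temporary directory is removed on exit.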
@@ -0,0 +1,59 @@ +From 2abbff41927b65e495d0ccac838192a52f404dbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:50:29 -0400 +Subject: net: alx: fix race condition in alx_remove + +From: Zekun Shen + +[ Upstream commit e89df5c4322c1bf495f62d74745895b5fd2a4393 ] + +There is a race condition exist during termination. The path is +alx_stop and then alx_remove. An alx_schedule_link_check could be called +before alx_stop by interrupt handler and invoke alx_link_check later. +Alx_stop frees the napis, and alx_remove cancels any pending works. +If any of the work is scheduled before termination and invoked before +alx_remove, a null-ptr-deref occurs because both expect alx->napis[i]. + +This patch fix the race condition by moving cancel_work_sync functions +before alx_free_napis inside alx_stop. Because interrupt handler can call +alx_schedule_link_check again, alx_free_irq is moved before +cancel_work_sync calls too. + +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 6d32211349275..dd63b993ce7b3 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1250,8 +1250,12 @@ static int __alx_open(struct alx_priv *alx, bool resume) + + static void __alx_stop(struct alx_priv *alx) + { +- alx_halt(alx); + alx_free_irq(alx); ++ ++ cancel_work_sync(&alx->link_check_wk); ++ cancel_work_sync(&alx->reset_wk); ++ ++ alx_halt(alx); + alx_free_rings(alx); + alx_free_napis(alx); + } +@@ -1861,9 +1865,6 @@ static void alx_remove(struct pci_dev *pdev) + struct alx_priv *alx = pci_get_drvdata(pdev); + struct alx_hw *hw = &alx->hw; + +- cancel_work_sync(&alx->link_check_wk); +- cancel_work_sync(&alx->reset_wk); +- + /* restore permanent mac address */ + alx_set_macaddr(hw, 
hw->perm_addr); + +-- +2.25.1 + diff --git a/queue-4.19/net-bcmgenet-use-hardware-padding-of-runt-frames.patch b/queue-4.19/net-bcmgenet-use-hardware-padding-of-runt-frames.patch new file mode 100644 index 00000000000..657cddbe38f --- /dev/null +++ b/queue-4.19/net-bcmgenet-use-hardware-padding-of-runt-frames.patch 
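Review bot: `cancel_work_sync()` in __alx_stop() now runs on the interface-down path, so it is worth confirming that neither work handler takes a lock the caller already holds. The handlers for `link_check_wk` and `reset_wk` are outside this hunk. If they acquire the RTNL lock and __alx_stop() is reached with that lock held, cancelling a handler that is blocked on it would never return. The new order also frees the IRQ before `alx_halt()` stops the hardware, which deserves a short comment such as `/* free the IRQ first so the handler cannot reschedule the work cancelled below */`.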
@@ -0,0 +1,65 @@ +From 2488abcd69d838e27d77c9e136aef6e2d3427d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 18:14:55 -0700 +Subject: net: bcmgenet: use hardware padding of runt frames + +From: Doug Berger + +[ Upstream commit 20d1f2d1b024f6be199a3bedf1578a1d21592bc5 ] + +When commit 474ea9cafc45 ("net: bcmgenet: correctly pad short +packets") added the call to skb_padto() it should have been +located before the nr_frags parameter was read since that value +could be changed when padding packets with lengths between 55 +and 59 bytes (inclusive). + +The use of a stale nr_frags value can cause corruption of the +pad data when tx-scatter-gather is enabled. This corruption of +the pad can cause invalid checksum computation when hardware +offload of tx-checksum is also enabled. + +Since the original reason for the padding was corrected by +commit 7dd399130efb ("net: bcmgenet: fix skb_len in +bcmgenet_xmit_single()") we can remove the software padding all +together and make use of hardware padding of short frames as +long as the hardware also always appends the FCS value to the +frame. + +Fixes: 474ea9cafc45 ("net: bcmgenet: correctly pad short packets") +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 40e8ef984b624..c7667017c1a3f 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1593,11 +1593,6 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev) + goto out; + } + +- if (skb_padto(skb, ETH_ZLEN)) { +- ret = NETDEV_TX_OK; +- goto out; +- } +- + /* Retain how many bytes will be sent on the wire, without TSB inserted + * by transmit checksum offload + */ +@@ -1646,6 +1641,9 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev) + len_stat = (size << DMA_BUFLENGTH_SHIFT) | + (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT); + ++ /* Note: if we ever change from DMA_TX_APPEND_CRC below we ++ * will need to restore software padding of "runt" packets ++ */ + if (!i) { + len_stat |= DMA_TX_APPEND_CRC | DMA_SOP; + if (skb->ip_summed == CHECKSUM_PARTIAL) +-- +2.25.1 + diff --git a/queue-4.19/net-qed-fix-excessive-qm-ilt-lines-consumption.patch b/queue-4.19/net-qed-fix-excessive-qm-ilt-lines-consumption.patch new file mode 100644 index 00000000000..ce8a37a32b7 --- /dev/null +++ b/queue-4.19/net-qed-fix-excessive-qm-ilt-lines-consumption.patch 
@@ -0,0 +1,40 @@
+From cf44ee53437890015d484fdb8527fb42046d2d19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Jun 2020 16:51:33 +0300
+Subject: net: qed: fix excessive QM ILT lines consumption
+
+From: Alexander Lobakin
+
+[ Upstream commit d434d02f7e7c24c721365fd594ed781acb18e0da ]
+
+This is likely a copy'n'paste mistake. The amount of ILT lines to
+reserve for a single VF was being multiplied by the total VFs count.
+This led to a huge redundancy in reservation and potential lines
+drainouts.
+
+Fixes: 1408cc1fa48c ("qed: Introduce VFs")
+Signed-off-by: Alexander Lobakin
+Signed-off-by: Igor Russkikh
+Signed-off-by: Michal Kalderon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+index f1977aa440e5d..f3d7c38f539a8 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+@@ -397,7 +397,7 @@ static void qed_cxt_qm_iids(struct qed_hwfn *p_hwfn,
+ vf_tids += segs[NUM_TASK_PF_SEGMENTS].count;
+ }
+
+- iids->vf_cids += vf_cids * p_mngr->vf_count;
++ iids->vf_cids = vf_cids;
+ iids->tids += vf_tids * p_mngr->vf_count;
+
+ DP_VERBOSE(p_hwfn, QED_MSG_ILT,
+--
+2.25.1
+
diff --git a/queue-4.19/net-qed-fix-left-elements-count-calculation.patch b/queue-4.19/net-qed-fix-left-elements-count-calculation.patch
new file mode 100644
index 00000000000..1fbef48d29f
--- /dev/null
+++ b/queue-4.19/net-qed-fix-left-elements-count-calculation.patch
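Review bot: The new line `iids->vf_cids = vf_cids;` changes two things, while the commit message explains only one: it drops the multiplication by `p_mngr->vf_count` and also replaces `+=` with `=`. The neighbouring `iids->tids += vf_tids * p_mngr->vf_count;` still accumulates, so if `iids` can arrive non-zero (its initialisation is outside the hunk) the two fields now behave differently. A one-line comment such as `/* per-VF count, not a total: do not scale by vf_count */` would record the intent.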
@@ -0,0 +1,80 @@ +From 16cb39a9af4637f731754365f461710da6d966fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 16:51:29 +0300 +Subject: net: qed: fix left elements count calculation + +From: Alexander Lobakin + +[ Upstream commit 97dd1abd026ae4e6a82fa68645928404ad483409 ] + +qed_chain_get_element_left{,_u32} returned 0 when the difference +between producer and consumer page count was equal to the total +page count. +Fix this by conditional expanding of producer value (vs +unconditional). This allowed to eliminate normalizaton against +total page count, which was the cause of this bug. + +Misc: replace open-coded constants with common defines. + +Fixes: a91eb52abb50 ("qed: Revisit chain implementation") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/qed/qed_chain.h | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/include/linux/qed/qed_chain.h b/include/linux/qed/qed_chain.h +index 733fad7dfbed9..6d15040c642cb 100644 +--- a/include/linux/qed/qed_chain.h ++++ b/include/linux/qed/qed_chain.h +@@ -207,28 +207,34 @@ static inline u32 qed_chain_get_cons_idx_u32(struct qed_chain *p_chain) + + static inline u16 qed_chain_get_elem_left(struct qed_chain *p_chain) + { ++ u16 elem_per_page = p_chain->elem_per_page; ++ u32 prod = p_chain->u.chain16.prod_idx; ++ u32 cons = p_chain->u.chain16.cons_idx; + u16 used; + +- used = (u16) (((u32)0x10000 + +- (u32)p_chain->u.chain16.prod_idx) - +- (u32)p_chain->u.chain16.cons_idx); ++ if (prod < cons) ++ prod += (u32)U16_MAX + 1; ++ ++ used = (u16)(prod - cons); + if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR) +- used -= p_chain->u.chain16.prod_idx / p_chain->elem_per_page - +- p_chain->u.chain16.cons_idx / p_chain->elem_per_page; ++ used -= prod / elem_per_page - cons / elem_per_page; + + return (u16)(p_chain->capacity - used); + } + + 
static inline u32 qed_chain_get_elem_left_u32(struct qed_chain *p_chain) + { ++ u16 elem_per_page = p_chain->elem_per_page; ++ u64 prod = p_chain->u.chain32.prod_idx; ++ u64 cons = p_chain->u.chain32.cons_idx; + u32 used; + +- used = (u32) (((u64)0x100000000ULL + +- (u64)p_chain->u.chain32.prod_idx) - +- (u64)p_chain->u.chain32.cons_idx); ++ if (prod < cons) ++ prod += (u64)U32_MAX + 1; ++ ++ used = (u32)(prod - cons); + if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR) +- used -= p_chain->u.chain32.prod_idx / p_chain->elem_per_page - +- p_chain->u.chain32.cons_idx / p_chain->elem_per_page; ++ used -= (u32)(prod / elem_per_page - cons / elem_per_page); + + return p_chain->capacity - used; + } +-- +2.25.1 + diff --git a/queue-4.19/net-qed-fix-nvme-login-fails-over-vfs.patch b/queue-4.19/net-qed-fix-nvme-login-fails-over-vfs.patch new file mode 100644 index 00000000000..534555b10d6 --- /dev/null +++ b/queue-4.19/net-qed-fix-nvme-login-fails-over-vfs.patch 
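Review bot: The two helpers now differ in how they narrow the page-count correction. qed_chain_get_elem_left_u32() casts it, `used -= (u32)(prod / elem_per_page - cons / elem_per_page);`, while qed_chain_get_elem_left() leaves the u32 result to be truncated implicitly into the u16 `used`. Writing `used -= (u16)(prod / elem_per_page - cons / elem_per_page);` makes the pair consistent and keeps the narrowing explicit. Both functions divide by `p_chain->elem_per_page` without a check, as the old code did, so they rely on chain setup (not shown) never leaving it zero.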
@@ -0,0 +1,80 @@ +From 713a966ea963fcdc129cb6ad760315d23db5d64a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 16:51:32 +0300 +Subject: net: qed: fix NVMe login fails over VFs + +From: Alexander Lobakin + +[ Upstream commit ccd7c7ce167a21dbf2b698ffcf00f11d96d44f9b ] + +25ms sleep cycles in waiting for PF response are excessive and may lead +to different timeout failures. + +Start to wait with short udelays, and in most cases polling will end +here. If the time was not sufficient, switch to msleeps. +usleep_range() may go far beyond 100us depending on platform and tick +configuration, hence atomic udelays for consistency. + +Also add explicit DMA barriers since 'done' always comes from a shared +request-response DMA pool, and note that in the comment nearby. + +Fixes: 1408cc1fa48c ("qed: Introduce VFs") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index 5dda547772c13..93a0fbf6a132b 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -81,12 +81,17 @@ static void qed_vf_pf_req_end(struct qed_hwfn *p_hwfn, int req_status) + mutex_unlock(&(p_hwfn->vf_iov_info->mutex)); + } + ++#define QED_VF_CHANNEL_USLEEP_ITERATIONS 90 ++#define QED_VF_CHANNEL_USLEEP_DELAY 100 ++#define QED_VF_CHANNEL_MSLEEP_ITERATIONS 10 ++#define QED_VF_CHANNEL_MSLEEP_DELAY 25 ++ + static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size) + { + union vfpf_tlvs *p_req = p_hwfn->vf_iov_info->vf2pf_request; + struct ustorm_trigger_vf_zone trigger; + struct ustorm_vf_zone *zone_data; +- int rc = 0, time = 100; ++ int iter, rc = 0; + + zone_data = (struct ustorm_vf_zone 
*)PXP_VF_BAR0_START_USDM_ZONE_B; + +@@ -126,11 +131,19 @@ static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size) + REG_WR(p_hwfn, (uintptr_t)&zone_data->trigger, *((u32 *)&trigger)); + + /* When PF would be done with the response, it would write back to the +- * `done' address. Poll until then. ++ * `done' address from a coherent DMA zone. Poll until then. + */ +- while ((!*done) && time) { +- msleep(25); +- time--; ++ ++ iter = QED_VF_CHANNEL_USLEEP_ITERATIONS; ++ while (!*done && iter--) { ++ udelay(QED_VF_CHANNEL_USLEEP_DELAY); ++ dma_rmb(); ++ } ++ ++ iter = QED_VF_CHANNEL_MSLEEP_ITERATIONS; ++ while (!*done && iter--) { ++ msleep(QED_VF_CHANNEL_MSLEEP_DELAY); ++ dma_rmb(); + } + + if (!*done) { +-- +2.25.1 + diff --git a/queue-4.19/netfilter-ipset-fix-unaligned-atomic-access.patch b/queue-4.19/netfilter-ipset-fix-unaligned-atomic-access.patch new file mode 100644 index 00000000000..fd089a97115 --- /dev/null +++ b/queue-4.19/netfilter-ipset-fix-unaligned-atomic-access.patch 
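Review bot: In both new polling loops of qed_send_msg2pf() the `dma_rmb()` comes after the delay and before the next test of `*done`, so the read that finally sees `*done` set and leaves the loop is not followed by a barrier. If the response buffer is read after the `if (!*done)` check (that code is outside the hunk), a `dma_rmb();` placed right after the second loop is what would order those reads after the flag. `done` is a plain `u8 *`, so `READ_ONCE(*done)` in the loop conditions would also keep the compiler from caching the value. The total wait drops from 100 × 25 ms to roughly 9 ms of busy-waiting plus 250 ms of sleeping, which the commit message does not mention.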
@@ -0,0 +1,57 @@ +From 0a4813eb66f192d72f35e9c5a84e93831c716afa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jun 2020 21:51:11 +0100 +Subject: netfilter: ipset: fix unaligned atomic access + +From: Russell King + +[ Upstream commit 715028460082d07a7ec6fcd87b14b46784346a72 ] + +When using ip_set with counters and comment, traffic causes the kernel +to panic on 32-bit ARM: + +Alignment trap: not handling instruction e1b82f9f at [] +Unhandled fault: alignment exception (0x221) at 0xea08133c +PC is at ip_set_match_extensions+0xe0/0x224 [ip_set] + +The problem occurs when we try to update the 64-bit counters - the +faulting address above is not 64-bit aligned. The problem occurs +due to the way elements are allocated, for example: + + set->dsize = ip_set_elem_len(set, tb, 0, 0); + map = ip_set_alloc(sizeof(*map) + elements * set->dsize); + +If the element has a requirement for a member to be 64-bit aligned, +and set->dsize is not a multiple of 8, but is a multiple of four, +then every odd numbered elements will be misaligned - and hitting +an atomic64_add() on that element will cause the kernel to panic. + +ip_set_elem_len() must return a size that is rounded to the maximum +alignment of any extension field stored in the element. This change +ensures that is the case. 
+ +Fixes: 95ad1f4a9358 ("netfilter: ipset: Fix extension alignment") +Signed-off-by: Russell King +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 21eb53f6d4fe3..36ebc40a4313c 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -385,6 +385,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len, + for (id = 0; id < IPSET_EXT_ID_MAX; id++) { + if (!add_extension(id, cadt_flags, tb)) + continue; ++ if (align < ip_set_extensions[id].align) ++ align = ip_set_extensions[id].align; + len = ALIGN(len, ip_set_extensions[id].align); + set->offset[id] = len; + set->extensions |= ip_set_extensions[id].type; +-- +2.25.1 + diff --git a/queue-4.19/nvme-fix-possible-deadlock-when-i-o-is-blocked.patch b/queue-4.19/nvme-fix-possible-deadlock-when-i-o-is-blocked.patch new file mode 100644 index 00000000000..c2aa3fbea68 --- /dev/null +++ b/queue-4.19/nvme-fix-possible-deadlock-when-i-o-is-blocked.patch 
@@ -0,0 +1,124 @@ +From afc6f75bcc7b635708e953a7cdc768d77f85f572 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 01:53:08 -0700 +Subject: nvme: fix possible deadlock when I/O is blocked + +From: Sagi Grimberg + +[ Upstream commit 3b4b19721ec652ad2c4fe51dfbe5124212b5f581 ] + +Revert fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk +in nvme_validate_ns") + +When adding a new namespace to the head disk (via nvme_mpath_set_live) +we will see partition scan which triggers I/O on the mpath device node. +This process will usually be triggered from the scan_work which holds +the scan_lock. If I/O blocks (if we got ana change currently have only +available paths but none are accessible) this can deadlock on the head +disk bd_mutex as both partition scan I/O takes it, and head disk revalidation +takes it to check for resize (also triggered from scan_work on a different +path). See trace [1]. + +The mpath disk revalidation was originally added to detect online disk +size change, but this is no longer needed since commit cb224c3af4df +("nvme: Convert to use set_capacity_revalidate_and_notify") which already +updates resize info without unnecessarily revalidating the disk (the +mpath disk doesn't even implement .revalidate_disk fop). + +[1]: +-- +kernel: INFO: task kworker/u65:9:494 blocked for more than 241 seconds. +kernel: Tainted: G OE 5.3.5-050305-generic #201910071830 +kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +kernel: kworker/u65:9 D 0 494 2 0x80004000 +kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core] +kernel: Call Trace: +kernel: __schedule+0x2b9/0x6c0 +kernel: schedule+0x42/0xb0 +kernel: schedule_preempt_disabled+0xe/0x10 +kernel: __mutex_lock.isra.0+0x182/0x4f0 +kernel: __mutex_lock_slowpath+0x13/0x20 +kernel: mutex_lock+0x2e/0x40 +kernel: revalidate_disk+0x63/0xa0 +kernel: __nvme_revalidate_disk+0xfe/0x110 [nvme_core] +kernel: nvme_revalidate_disk+0xa4/0x160 [nvme_core] +kernel: ? 
evict+0x14c/0x1b0 +kernel: revalidate_disk+0x2b/0xa0 +kernel: nvme_validate_ns+0x49/0x940 [nvme_core] +kernel: ? blk_mq_free_request+0xd2/0x100 +kernel: ? __nvme_submit_sync_cmd+0xbe/0x1e0 [nvme_core] +kernel: nvme_scan_work+0x24f/0x380 [nvme_core] +kernel: process_one_work+0x1db/0x380 +kernel: worker_thread+0x249/0x400 +kernel: kthread+0x104/0x140 +kernel: ? process_one_work+0x380/0x380 +kernel: ? kthread_park+0x80/0x80 +kernel: ret_from_fork+0x1f/0x40 +... +kernel: INFO: task kworker/u65:1:2630 blocked for more than 241 seconds. +kernel: Tainted: G OE 5.3.5-050305-generic #201910071830 +kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +kernel: kworker/u65:1 D 0 2630 2 0x80004000 +kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core] +kernel: Call Trace: +kernel: __schedule+0x2b9/0x6c0 +kernel: schedule+0x42/0xb0 +kernel: io_schedule+0x16/0x40 +kernel: do_read_cache_page+0x438/0x830 +kernel: ? __switch_to_asm+0x34/0x70 +kernel: ? file_fdatawait_range+0x30/0x30 +kernel: read_cache_page+0x12/0x20 +kernel: read_dev_sector+0x27/0xc0 +kernel: read_lba+0xc1/0x220 +kernel: ? kmem_cache_alloc_trace+0x19c/0x230 +kernel: efi_partition+0x1e6/0x708 +kernel: ? vsnprintf+0x39e/0x4e0 +kernel: ? snprintf+0x49/0x60 +kernel: check_partition+0x154/0x244 +kernel: rescan_partitions+0xae/0x280 +kernel: __blkdev_get+0x40f/0x560 +kernel: blkdev_get+0x3d/0x140 +kernel: __device_add_disk+0x388/0x480 +kernel: device_add_disk+0x13/0x20 +kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core] +kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core] +kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core] +kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core] +kernel: ? nvme_update_ns_ana_state+0x60/0x60 [nvme_core] +kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core] +kernel: nvme_validate_ns+0x396/0x940 [nvme_core] +kernel: ? 
blk_mq_free_request+0xd2/0x100 +kernel: nvme_scan_work+0x24f/0x380 [nvme_core] +kernel: process_one_work+0x1db/0x380 +kernel: worker_thread+0x249/0x400 +kernel: kthread+0x104/0x140 +kernel: ? process_one_work+0x380/0x380 +kernel: ? kthread_park+0x80/0x80 +kernel: ret_from_fork+0x1f/0x40 +-- + +Fixes: fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk +in nvme_validate_ns") +Signed-off-by: Anton Eidelman +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 0d60f2f8f3eec..5c9326777334f 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1602,7 +1602,6 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id) + if (ns->head->disk) { + nvme_update_disk_info(ns->head->disk, ns, id); + blk_queue_stack_limits(ns->head->disk->queue, ns->queue); +- revalidate_disk(ns->head->disk); + } + #endif + } +-- +2.25.1 + diff --git a/queue-4.19/nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch b/queue-4.19/nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch new file mode 100644 index 00000000000..42818c7e8c8 --- /dev/null +++ b/queue-4.19/nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch 
@@ -0,0 +1,134 @@ +From 90ab3045208e61be9f8e0342975c68bcbf57ecf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 01:53:09 -0700 +Subject: nvme-multipath: fix deadlock between ana_work and scan_work + +From: Anton Eidelman + +[ Upstream commit 489dd102a2c7c94d783a35f9412eb085b8da1aa4 ] + +When scan_work calls nvme_mpath_add_disk() this holds ana_lock +and invokes nvme_parse_ana_log(), which may issue IO +in device_add_disk() and hang waiting for an accessible path. +While nvme_mpath_set_live() only called when nvme_state_is_live(), +a transition may cause NVME_SC_ANA_TRANSITION and requeue the IO. + +In order to recover and complete the IO ana_work on the same ctrl +should be able to update the path state and remove NVME_NS_ANA_PENDING. + +The deadlock occurs because scan_work keeps holding ana_lock, +so ana_work hangs [1]. + +Fix: +Now nvme_mpath_add_disk() uses nvme_parse_ana_log() to obtain a copy +of the ANA group desc, and then calls nvme_update_ns_ana_state() without +holding ana_lock. 
+ +[1]: +kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core] +kernel: Call Trace: +kernel: __schedule+0x2b9/0x6c0 +kernel: schedule+0x42/0xb0 +kernel: io_schedule+0x16/0x40 +kernel: do_read_cache_page+0x438/0x830 +kernel: read_cache_page+0x12/0x20 +kernel: read_dev_sector+0x27/0xc0 +kernel: read_lba+0xc1/0x220 +kernel: efi_partition+0x1e6/0x708 +kernel: check_partition+0x154/0x244 +kernel: rescan_partitions+0xae/0x280 +kernel: __blkdev_get+0x40f/0x560 +kernel: blkdev_get+0x3d/0x140 +kernel: __device_add_disk+0x388/0x480 +kernel: device_add_disk+0x13/0x20 +kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core] +kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core] +kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core] +kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core] +kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core] +kernel: nvme_validate_ns+0x396/0x940 [nvme_core] +kernel: nvme_scan_work+0x24f/0x380 [nvme_core] +kernel: process_one_work+0x1db/0x380 +kernel: worker_thread+0x249/0x400 +kernel: kthread+0x104/0x140 + +kernel: Workqueue: nvme-wq nvme_ana_work [nvme_core] +kernel: Call Trace: +kernel: __schedule+0x2b9/0x6c0 +kernel: schedule+0x42/0xb0 +kernel: schedule_preempt_disabled+0xe/0x10 +kernel: __mutex_lock.isra.0+0x182/0x4f0 +kernel: ? __switch_to_asm+0x34/0x70 +kernel: ? select_task_rq_fair+0x1aa/0x5c0 +kernel: ? kvm_sched_clock_read+0x11/0x20 +kernel: ? sched_clock+0x9/0x10 +kernel: __mutex_lock_slowpath+0x13/0x20 +kernel: mutex_lock+0x2e/0x40 +kernel: nvme_read_ana_log+0x3a/0x100 [nvme_core] +kernel: nvme_ana_work+0x15/0x20 [nvme_core] +kernel: process_one_work+0x1db/0x380 +kernel: worker_thread+0x4d/0x400 +kernel: kthread+0x104/0x140 +kernel: ? process_one_work+0x380/0x380 +kernel: ? 
kthread_park+0x80/0x80 +kernel: ret_from_fork+0x35/0x40 + +Fixes: 0d0b660f214d ("nvme: add ANA support") +Signed-off-by: Anton Eidelman +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 6f584a9515f42..3ad6183c5e6b4 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -496,26 +496,34 @@ static ssize_t ana_state_show(struct device *dev, struct device_attribute *attr, + } + DEVICE_ATTR_RO(ana_state); + +-static int nvme_set_ns_ana_state(struct nvme_ctrl *ctrl, ++static int nvme_lookup_ana_group_desc(struct nvme_ctrl *ctrl, + struct nvme_ana_group_desc *desc, void *data) + { +- struct nvme_ns *ns = data; ++ struct nvme_ana_group_desc *dst = data; + +- if (ns->ana_grpid == le32_to_cpu(desc->grpid)) { +- nvme_update_ns_ana_state(desc, ns); +- return -ENXIO; /* just break out of the loop */ +- } ++ if (desc->grpid != dst->grpid) ++ return 0; + +- return 0; ++ *dst = *desc; ++ return -ENXIO; /* just break out of the loop */ + } + + void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id) + { + if (nvme_ctrl_use_ana(ns->ctrl)) { ++ struct nvme_ana_group_desc desc = { ++ .grpid = id->anagrpid, ++ .state = 0, ++ }; ++ + mutex_lock(&ns->ctrl->ana_lock); + ns->ana_grpid = le32_to_cpu(id->anagrpid); +- nvme_parse_ana_log(ns->ctrl, ns, nvme_set_ns_ana_state); ++ nvme_parse_ana_log(ns->ctrl, &desc, nvme_lookup_ana_group_desc); + mutex_unlock(&ns->ctrl->ana_lock); ++ if (desc.state) { ++ /* found the group desc: update */ ++ nvme_update_ns_ana_state(&desc, ns); ++ } + } else { + mutex_lock(&ns->head->lock); + ns->ana_state = NVME_ANA_OPTIMIZED; +-- +2.25.1 + 
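Review bot: In `nvme_mpath_add_disk()` the initialiser `.state = 0` doubles as the "group not found" marker for the later `if (desc.state)` test, which is only sound if 0 can never be a state reported in the ANA log; that assumption is not written down anywhere in the hunk. A comment on the initialiser, e.g. `/* 0 is not a valid ANA state: it stays 0 if the group is absent from the log */`, would record it. When the group is not found, the namespace's ANA state is left untouched with no log message or re-read, which looks intentional but is silent. `nvme_update_ns_ana_state()` now also works from a copy taken before `ana_lock` was dropped, so a newer log processed in between could presumably be overwritten by the older copy; a sentence in the comment on why that is acceptable would help the next reader.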
diff --git a/queue-4.19/nvme-multipath-set-bdi-capabilities-once.patch b/queue-4.19/nvme-multipath-set-bdi-capabilities-once.patch
new file mode 100644
index 00000000000..bdf0cf79932
--- /dev/null
+++ b/queue-4.19/nvme-multipath-set-bdi-capabilities-once.patch
@@ -0,0 +1,51 @@
+From d18a99a506620a80566806c5d65a3fd7ee875792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Apr 2020 09:09:04 -0700
+Subject: nvme-multipath: set bdi capabilities once
+
+From: Keith Busch
+
+[ Upstream commit b2ce4d90690bd29ce5b554e203cd03682dd59697 ]
+
+The queues' backing device info capabilities don't change with each
+namespace revalidation. Set it only when each path's request_queue
+is initially added to a multipath queue.
+
+Signed-off-by: Keith Busch
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/multipath.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 588864beabd80..6f584a9515f42 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -11,6 +11,7 @@
+ * more details.
+ */
+
++#include
+ #include
+ #include
+ #include "nvme.h"
+@@ -521,6 +522,13 @@ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id)
+ nvme_mpath_set_live(ns);
+ mutex_unlock(&ns->head->lock);
+ }
++
++ if (bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {
++ struct backing_dev_info *info =
++ ns->head->disk->queue->backing_dev_info;
++
++ info->capabilities |= BDI_CAP_STABLE_WRITES;
++ }
+ }
+
+ void nvme_mpath_remove_disk(struct nvme_ns_head *head)
+--
+2.25.1
+
diff --git a/queue-4.19/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch b/queue-4.19/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch
new file mode 100644
index 00000000000..d096363f919
--- /dev/null
+++ b/queue-4.19/rdma-cma-protect-bind_list-and-listen_list-while-fin.patch
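Review bot: The block added at the end of `nvme_mpath_add_disk()` dereferences `ns->head->disk->queue` without checking `ns->head->disk`, whereas `__nvme_revalidate_disk()` in core.c (visible in the nvme revert patch of this same queue) guards its use of the head disk with `if (ns->head->disk)`. If a namespace can reach this function without a multipath head disk, which that guard suggests, the new code is a NULL pointer dereference in the namespace scan path. Testing the pointer first would match the existing pattern: `if (ns->head->disk && bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {`.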
@@ -0,0 +1,162 @@ +From 93584b194ae04a4a578902a47e21e50cd24d9c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 13:43:04 +0300 +Subject: RDMA/cma: Protect bind_list and listen_list while finding matching cm + id + +From: Mark Zhang + +[ Upstream commit 730c8912484186d4623d0c76509066d285c3a755 ] + +The bind_list and listen_list must be accessed under a lock, add the +missing locking around the access in cm_ib_id_from_event() + +In addition add lockdep asserts to make it clearer what the locking +semantic is here. + + general protection fault: 0000 [#1] SMP NOPTI + CPU: 226 PID: 126135 Comm: kworker/226:1 Tainted: G OE 4.12.14-150.47-default #1 SLE15 + Hardware name: Cray Inc. Windom/Windom, BIOS 0.8.7 01-10-2020 + Workqueue: ib_cm cm_work_handler [ib_cm] + task: ffff9c5a60a1d2c0 task.stack: ffffc1d91f554000 + RIP: 0010:cma_ib_req_handler+0x3f1/0x11b0 [rdma_cm] + RSP: 0018:ffffc1d91f557b40 EFLAGS: 00010286 + RAX: deacffffffffff30 RBX: 0000000000000001 RCX: ffff9c2af5bb6000 + RDX: 00000000000000a9 RSI: ffff9c5aa4ed2f10 RDI: ffffc1d91f557b08 + RBP: ffffc1d91f557d90 R08: ffff9c340cc80000 R09: ffff9c2c0f901900 + R10: 0000000000000000 R11: 0000000000000001 R12: deacffffffffff30 + R13: ffff9c5a48aeec00 R14: ffffc1d91f557c30 R15: ffff9c5c2eea3688 + FS: 0000000000000000(0000) GS:ffff9c5c2fa80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00002b5cc03fa320 CR3: 0000003f8500a000 CR4: 00000000003406e0 + Call Trace: + ? rdma_addr_cancel+0xa0/0xa0 [ib_core] + ? cm_process_work+0x28/0x140 [ib_cm] + cm_process_work+0x28/0x140 [ib_cm] + ? cm_get_bth_pkey.isra.44+0x34/0xa0 [ib_cm] + cm_work_handler+0xa06/0x1a6f [ib_cm] + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to+0x7c/0x4b0 + ? __switch_to_asm+0x40/0x70 + ? 
__switch_to_asm+0x34/0x70 + process_one_work+0x1da/0x400 + worker_thread+0x2b/0x3f0 + ? process_one_work+0x400/0x400 + kthread+0x118/0x140 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x22/0x40 + Code: 00 66 83 f8 02 0f 84 ca 05 00 00 49 8b 84 24 d0 01 00 00 48 85 c0 0f 84 68 07 00 00 48 2d d0 01 + 00 00 49 89 c4 0f 84 59 07 00 00 <41> 0f b7 44 24 20 49 8b 77 50 66 83 f8 0a 75 9e 49 8b 7c 24 28 + +Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM") +Link: https://lore.kernel.org/r/20200616104304.2426081-1-leon@kernel.org +Signed-off-by: Mark Zhang +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 5c03f4701ece2..1f14cd4ce3db5 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1507,6 +1507,8 @@ static struct rdma_id_private *cma_find_listener( + { + struct rdma_id_private *id_priv, *id_priv_dev; + ++ lockdep_assert_held(&lock); ++ + if (!bind_list) + return ERR_PTR(-EINVAL); + +@@ -1552,6 +1554,7 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id, + } + } + ++ mutex_lock(&lock); + /* + * Net namespace might be getting deleted while route lookup, + * cm_id lookup is in progress. 
Therefore, perform netdevice +@@ -1593,6 +1596,7 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id, + id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev); + err: + rcu_read_unlock(); ++ mutex_unlock(&lock); + if (IS_ERR(id_priv) && *net_dev) { + dev_put(*net_dev); + *net_dev = NULL; +@@ -2346,6 +2350,8 @@ static void cma_listen_on_dev(struct rdma_id_private *id_priv, + struct net *net = id_priv->id.route.addr.dev_addr.net; + int ret; + ++ lockdep_assert_held(&lock); ++ + if (cma_family(id_priv) == AF_IB && !rdma_cap_ib_cm(cma_dev->device, 1)) + return; + +@@ -3081,6 +3087,8 @@ static void cma_bind_port(struct rdma_bind_list *bind_list, + u64 sid, mask; + __be16 port; + ++ lockdep_assert_held(&lock); ++ + addr = cma_src_addr(id_priv); + port = htons(bind_list->port); + +@@ -3109,6 +3117,8 @@ static int cma_alloc_port(enum rdma_ucm_port_space ps, + struct rdma_bind_list *bind_list; + int ret; + ++ lockdep_assert_held(&lock); ++ + bind_list = kzalloc(sizeof *bind_list, GFP_KERNEL); + if (!bind_list) + return -ENOMEM; +@@ -3135,6 +3145,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list, + struct sockaddr *saddr = cma_src_addr(id_priv); + __be16 dport = cma_port(daddr); + ++ lockdep_assert_held(&lock); ++ + hlist_for_each_entry(cur_id, &bind_list->owners, node) { + struct sockaddr *cur_daddr = cma_dst_addr(cur_id); + struct sockaddr *cur_saddr = cma_src_addr(cur_id); +@@ -3174,6 +3186,8 @@ static int cma_alloc_any_port(enum rdma_ucm_port_space ps, + unsigned int rover; + struct net *net = id_priv->id.route.addr.dev_addr.net; + ++ lockdep_assert_held(&lock); ++ + inet_get_local_port_range(net, &low, &high); + remaining = (high - low) + 1; + rover = prandom_u32() % remaining + low; +@@ -3221,6 +3235,8 @@ static int cma_check_port(struct rdma_bind_list *bind_list, + struct rdma_id_private *cur_id; + struct sockaddr *addr, *cur_addr; + ++ lockdep_assert_held(&lock); ++ + addr = cma_src_addr(id_priv); + hlist_for_each_entry(cur_id, 
&bind_list->owners, node) { + if (id_priv == cur_id) +@@ -3251,6 +3267,8 @@ static int cma_use_port(enum rdma_ucm_port_space ps, + unsigned short snum; + int ret; + ++ lockdep_assert_held(&lock); ++ + snum = ntohs(cma_port(cma_src_addr(id_priv))); + if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)) + return -EACCES; +-- +2.25.1 + diff --git a/queue-4.19/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch b/queue-4.19/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch new file mode 100644 index 00000000000..4fe17cb0982 --- /dev/null +++ b/queue-4.19/rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch @@ -0,0 +1,38 @@ +From 53ff781a10484341b611aafda1aa1a58b69a86f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 14:38:24 +0800 +Subject: RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() + +From: Fan Guo + +[ Upstream commit a17f4bed811c60712d8131883cdba11a105d0161 ] + +If ib_dma_mapping_error() returns non-zero value, +ib_mad_post_receive_mads() will jump out of loops and return -ENOMEM +without freeing mad_priv. Fix this memory-leak problem by freeing mad_priv +in this case. + +Fixes: 2c34e68f4261 ("IB/mad: Check and handle potential DMA mapping errors") +Link: https://lore.kernel.org/r/20200612063824.180611-1-guofan5@huawei.com +Signed-off-by: Fan Guo +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 218411282069b..fd0a2fd8bfdf7 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2920,6 +2920,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + DMA_FROM_DEVICE); + if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device, + sg_list.addr))) { ++ kfree(mad_priv); + ret = -ENOMEM; + break; + } +-- +2.25.1 + 
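Review bot: In `cma_ib_id_from_event()` the new `mutex_lock(&lock)` sits part-way through the function while `mutex_unlock(&lock)` is placed under the shared `err:` label, so any `goto err` taken before the lock is acquired would unlock a mutex that is not held. The earlier part of the function is outside the hunks, so please confirm that every jump to `err:` happens after the lock is taken. A comment at the lock site, e.g. `/* lock protects the bind_list and listen_list walk done by cma_find_listener() */`, would document why the mutex is held across the lookup; the `lockdep_assert_held(&lock)` lines added to the helpers state the requirement but not the reason.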
diff --git a/queue-4.19/rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch b/queue-4.19/rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch new file mode 100644 index 00000000000..4fc4e4ac8cd --- /dev/null +++ b/queue-4.19/rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch 
@@ -0,0 +1,76 @@ +From 566db0deda4a007af16369e8c2122dc040342b6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 12:34:08 +0300 +Subject: RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 + +From: Michal Kalderon + +[ Upstream commit 0dfbd5ecf28cbcb81674c49d34ee97366db1be44 ] + +Private data passed to iwarp_cm_handler is copied for connection request / +response, but ignored otherwise. If junk is passed, it is stored in the +event and used later in the event processing. + +The driver passes an old junk pointer during connection close which leads +to a use-after-free on event processing. Set private data to NULL for +events that don 't have private data. + + BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm] + kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250 + kernel: + kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm] + kernel: Call Trace: + kernel: dump_stack+0x8c/0xc0 + kernel: print_address_description.constprop.0+0x1b/0x210 + kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm] + kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm] + kernel: __kasan_report.cold+0x1a/0x33 + kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm] + kernel: kasan_report+0xe/0x20 + kernel: check_memory_region+0x130/0x1a0 + kernel: memcpy+0x20/0x50 + kernel: ucma_event_handler+0x532/0x560 [rdma_ucm] + kernel: ? __rpc_execute+0x608/0x620 [sunrpc] + kernel: cma_iw_handler+0x212/0x330 [rdma_cm] + kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm] + kernel: ? enqueue_timer+0x86/0x140 + kernel: ? 
_raw_write_lock_irq+0xd0/0xd0 + kernel: cm_work_handler+0xd3d/0x1070 [iw_cm] + +Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions") +Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@marvell.com +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +index 93b16237b7677..2566715773675 100644 +--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +@@ -128,8 +128,17 @@ qedr_iw_issue_event(void *context, + if (params->cm_info) { + event.ird = params->cm_info->ird; + event.ord = params->cm_info->ord; +- event.private_data_len = params->cm_info->private_data_len; +- event.private_data = (void *)params->cm_info->private_data; ++ /* Only connect_request and reply have valid private data ++ * the rest of the events this may be left overs from ++ * connection establishment. CONNECT_REQUEST is issued via ++ * qedr_iw_mpa_request ++ */ ++ if (event_type == IW_CM_EVENT_CONNECT_REPLY) { ++ event.private_data_len = ++ params->cm_info->private_data_len; ++ event.private_data = ++ (void *)params->cm_info->private_data; ++ } + } + + if (ep->cm_id) +-- +2.25.1 + diff --git a/queue-4.19/regmap-fix-memory-leak-from-regmap_register_patch.patch b/queue-4.19/regmap-fix-memory-leak-from-regmap_register_patch.patch new file mode 100644 index 00000000000..f14521bc995 --- /dev/null +++ b/queue-4.19/regmap-fix-memory-leak-from-regmap_register_patch.patch 
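Review bot: For every event other than `IW_CM_EVENT_CONNECT_REPLY` the new code in `qedr_iw_issue_event()` simply skips the assignment, so `event.private_data` and `event.private_data_len` keep whatever `event` held before; the commit message says they are set to NULL, which holds only if `event` was zeroed earlier in the function, outside this hunk. Either confirm that initialisation or make it explicit with `else { event.private_data = NULL; event.private_data_len = 0; }`, since a stale pointer here is exactly the use-after-free being fixed. The added comment is also hard to parse; `/* Only CONNECT_REQUEST and CONNECT_REPLY carry valid private data; for other events cm_info may hold leftovers from connection establishment. */` says the same thing clearly.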
@@ -0,0 +1,37 @@
+From 6f712a03a3b8c83587e21b381fbed9197dc39c09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 16:21:29 +0100
+Subject: regmap: Fix memory leak from regmap_register_patch
+
+From: Charles Keepax
+
+[ Upstream commit 95b2c3ec4cb1689db2389c251d39f64490ba641c ]
+
+When a register patch is registered the reg_sequence is copied but the
+memory allocated is never freed. Add a kfree in regmap_exit to clean it
+up.
+
+Fixes: 22f0d90a3482 ("regmap: Support register patch sets")
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20200617152129.19655-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/base/regmap/regmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 6c9f6988bc093..b38b2d8c333d5 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1336,6 +1336,7 @@ void regmap_exit(struct regmap *map)
+ if (map->hwlock)
+ hwspin_lock_free(map->hwlock);
+ kfree_const(map->name);
++ kfree(map->patch);
+ kfree(map);
+ }
+ EXPORT_SYMBOL_GPL(regmap_exit);
+--
+2.25.1
+
diff --git a/queue-4.19/regualtor-pfuze100-correct-sw1a-sw2-on-pfuze3000.patch b/queue-4.19/regualtor-pfuze100-correct-sw1a-sw2-on-pfuze3000.patch
new file mode 100644
index 00000000000..02a5a3b13ec
--- /dev/null
+++ b/queue-4.19/regualtor-pfuze100-correct-sw1a-sw2-on-pfuze3000.patch
@@ -0,0 +1,121 @@ +From c7d3dae8c0af841e6c5da0f20a1cfa9a11bce5a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 05:54:08 +0800 +Subject: regualtor: pfuze100: correct sw1a/sw2 on pfuze3000 + +From: Robin Gong + +[ Upstream commit 6f1cf5257acc6e6242ddf2f52bc7912aed77b79f ] + +PFUZE100_SWB_REG is not proper for sw1a/sw2, because enable_mask/enable_reg +is not correct. On PFUZE3000, sw1a/sw2 should be the same as sw1a/sw2 on +pfuze100 except that voltages are not linear, so add new PFUZE3000_SW_REG +and pfuze3000_sw_regulator_ops which like the non-linear PFUZE100_SW_REG +and pfuze100_sw_regulator_ops. + +Fixes: 1dced996ee70 ("regulator: pfuze100: update voltage setting for pfuze3000 sw1a") +Reported-by: Christophe Meynard +Signed-off-by: Robin Gong +Link: https://lore.kernel.org/r/1592171648-8752-1-git-send-email-yibin.gong@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pfuze100-regulator.c | 60 +++++++++++++++++--------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c +index 69a377ab26041..30e92a9cc97e9 100644 +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -196,6 +196,19 @@ static const struct regulator_ops pfuze100_swb_regulator_ops = { + + }; + ++static const struct regulator_ops pfuze3000_sw_regulator_ops = { ++ .enable = regulator_enable_regmap, ++ .disable = regulator_disable_regmap, ++ .is_enabled = regulator_is_enabled_regmap, ++ .list_voltage = regulator_list_voltage_table, ++ .map_voltage = regulator_map_voltage_ascend, ++ .set_voltage_sel = regulator_set_voltage_sel_regmap, ++ .get_voltage_sel = regulator_get_voltage_sel_regmap, ++ .set_voltage_time_sel = regulator_set_voltage_time_sel, ++ .set_ramp_delay = pfuze100_set_ramp_delay, ++ ++}; ++ + #define PFUZE100_FIXED_REG(_chip, _name, base, voltage) \ + [_chip ## _ ## _name] = { \ + .desc = { \ +@@ 
-305,23 +318,28 @@ static const struct regulator_ops pfuze100_swb_regulator_ops = { + .stby_mask = 0x20, \ + } + +- +-#define PFUZE3000_SW2_REG(_chip, _name, base, min, max, step) { \ +- .desc = { \ +- .name = #_name,\ +- .n_voltages = ((max) - (min)) / (step) + 1, \ +- .ops = &pfuze100_sw_regulator_ops, \ +- .type = REGULATOR_VOLTAGE, \ +- .id = _chip ## _ ## _name, \ +- .owner = THIS_MODULE, \ +- .min_uV = (min), \ +- .uV_step = (step), \ +- .vsel_reg = (base) + PFUZE100_VOL_OFFSET, \ +- .vsel_mask = 0x7, \ +- }, \ +- .stby_reg = (base) + PFUZE100_STANDBY_OFFSET, \ +- .stby_mask = 0x7, \ +-} ++/* No linar case for the some switches of PFUZE3000 */ ++#define PFUZE3000_SW_REG(_chip, _name, base, mask, voltages) \ ++ [_chip ## _ ## _name] = { \ ++ .desc = { \ ++ .name = #_name, \ ++ .n_voltages = ARRAY_SIZE(voltages), \ ++ .ops = &pfuze3000_sw_regulator_ops, \ ++ .type = REGULATOR_VOLTAGE, \ ++ .id = _chip ## _ ## _name, \ ++ .owner = THIS_MODULE, \ ++ .volt_table = voltages, \ ++ .vsel_reg = (base) + PFUZE100_VOL_OFFSET, \ ++ .vsel_mask = (mask), \ ++ .enable_reg = (base) + PFUZE100_MODE_OFFSET, \ ++ .enable_mask = 0xf, \ ++ .enable_val = 0x8, \ ++ .enable_time = 500, \ ++ }, \ ++ .stby_reg = (base) + PFUZE100_STANDBY_OFFSET, \ ++ .stby_mask = (mask), \ ++ .sw_reg = true, \ ++ } + + #define PFUZE3000_SW3_REG(_chip, _name, base, min, max, step) { \ + .desc = { \ +@@ -377,9 +395,9 @@ static struct pfuze_regulator pfuze200_regulators[] = { + }; + + static struct pfuze_regulator pfuze3000_regulators[] = { +- PFUZE100_SWB_REG(PFUZE3000, SW1A, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a), ++ PFUZE3000_SW_REG(PFUZE3000, SW1A, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a), + PFUZE100_SW_REG(PFUZE3000, SW1B, PFUZE100_SW1CVOL, 700000, 1475000, 25000), +- PFUZE100_SWB_REG(PFUZE3000, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo), ++ PFUZE3000_SW_REG(PFUZE3000, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo), + PFUZE3000_SW3_REG(PFUZE3000, SW3, PFUZE100_SW3AVOL, 900000, 1650000, 50000), + 
PFUZE100_SWB_REG(PFUZE3000, SWBST, PFUZE100_SWBSTCON1, 0x3, pfuze100_swbst), + PFUZE100_SWB_REG(PFUZE3000, VSNVS, PFUZE100_VSNVSVOL, 0x7, pfuze100_vsnvs), +@@ -393,8 +411,8 @@ static struct pfuze_regulator pfuze3000_regulators[] = { + }; + + static struct pfuze_regulator pfuze3001_regulators[] = { +- PFUZE100_SWB_REG(PFUZE3001, SW1, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a), +- PFUZE100_SWB_REG(PFUZE3001, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo), ++ PFUZE3000_SW_REG(PFUZE3001, SW1, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a), ++ PFUZE3000_SW_REG(PFUZE3001, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo), + PFUZE3000_SW3_REG(PFUZE3001, SW3, PFUZE100_SW3AVOL, 900000, 1650000, 50000), + PFUZE100_SWB_REG(PFUZE3001, VSNVS, PFUZE100_VSNVSVOL, 0x7, pfuze100_vsnvs), + PFUZE100_VGEN_REG(PFUZE3001, VLDO1, PFUZE100_VGEN1VOL, 1800000, 3300000, 100000), +-- +2.25.1 + diff --git a/queue-4.19/risc-v-don-t-allow-write-exec-only-page-mapping-requ.patch b/queue-4.19/risc-v-don-t-allow-write-exec-only-page-mapping-requ.patch new file mode 100644 index 00000000000..be2d3ba4275 --- /dev/null +++ b/queue-4.19/risc-v-don-t-allow-write-exec-only-page-mapping-requ.patch 
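Review bot: The new `PFUZE3000_SW_REG` macro hard-codes `.enable_mask = 0xf`, `.enable_val = 0x8` and `.enable_time = 500` with no indication of which register field or which unit they refer to; a brief comment naming the mode field and the time unit would make them checkable against the datasheet. The comment introducing the macro reads `No linar case for the some switches of PFUZE3000`; `/* Non-linear voltage table case for some switches of PFUZE3000 */` is presumably what is meant.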
@@ -0,0 +1,63 @@
+From e91e8b6418e874a6754c41a504b6cbec56f59616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jun 2020 19:33:06 +0530
+Subject: RISC-V: Don't allow write+exec only page mapping request in mmap
+
+From: Yash Shah
+
+[ Upstream commit e0d17c842c0f824fd4df9f4688709fc6907201e1 ]
+
+As per the table 4.4 of version "20190608-Priv-MSU-Ratified" of the
+RISC-V instruction set manual[0], the PTE permission bit combination of
+"write+exec only" is reserved for future use. Hence, don't allow such
+mapping request in mmap call.
+
+An issue is been reported by David Abdurachmanov, that while running
+stress-ng with "sysbadaddr" argument, RCU stalls are observed on RISC-V
+specific kernel.
+
+This issue arises when the stress-sysbadaddr request for pages with
+"write+exec only" permission bits and then passes the address obtain
+from this mmap call to various system call. For the riscv kernel, the
+mmap call should fail for this particular combination of permission bits
+since it's not valid.
+
+[0]: http://dabbelt.com/~palmer/keep/riscv-isa-manual/riscv-privileged-20190608-1.pdf
+
+Signed-off-by: Yash Shah
+Reported-by: David Abdurachmanov
+[Palmer: Refer to the latest ISA specification at the only link I could
+find, and update the terminology.]
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/sys_riscv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c
+index fb03a4482ad60..db44da32701f2 100644
+--- a/arch/riscv/kernel/sys_riscv.c
++++ b/arch/riscv/kernel/sys_riscv.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags,
+@@ -24,6 +25,11 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
+ {
+ if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
+ return -EINVAL;
++
++ if ((prot & PROT_WRITE) && (prot & PROT_EXEC))
++ if (unlikely(!(prot & PROT_READ)))
++ return -EINVAL;
++
+ return ksys_mmap_pgoff(addr, len, prot, flags, fd,
+ offset >> (PAGE_SHIFT - page_shift_offset));
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/riscv-atomic-fix-sign-extension-for-rv64i.patch b/queue-4.19/riscv-atomic-fix-sign-extension-for-rv64i.patch
new file mode 100644
index 00000000000..a71434936d3
--- /dev/null
+++ b/queue-4.19/riscv-atomic-fix-sign-extension-for-rv64i.patch
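Review bot: The permission check added to `riscv_sys_mmap()` is written as two nested `if` statements without braces, which is easy to misread and fragile if an `else` is ever attached; a single test states the rule directly: `if (unlikely((prot & (PROT_READ | PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC))) return -EINVAL;`. A one-line comment such as `/* W+X without R is a reserved PTE encoding */` would tie the check to the ISA table cited in the commit message. The check covers only the mmap entry point shown here; whether the same combination can still be requested afterwards through mprotect() is not visible in this hunk and is worth confirming.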
@@ -0,0 +1,67 @@
+From 85c88ccae9bd67b45e58a26ec37078f648fa6f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jun 2020 18:32:35 +0000
+Subject: riscv/atomic: Fix sign extension for RV64I
+
+From: Nathan Huckleberry
+
+[ Upstream commit 6c58f25e6938c073198af8b1e1832f83f8f0df33 ]
+
+The argument passed to cmpxchg is not guaranteed to be sign
+extended, but lr.w sign extends on RV64I. This makes cmpxchg
+fail on clang built kernels when __old is negative.
+
+To fix this, we just cast __old to long which sign extends on
+RV64I. With this fix, clang built RISC-V kernels now boot.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/867
+Signed-off-by: Nathan Huckleberry
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/asm/cmpxchg.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/include/asm/cmpxchg.h b/arch/riscv/include/asm/cmpxchg.h
+index c12833f7b6bd1..42978aac99d53 100644
+--- a/arch/riscv/include/asm/cmpxchg.h
++++ b/arch/riscv/include/asm/cmpxchg.h
+@@ -187,7 +187,7 @@
+ " bnez %1, 0b\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+@@ -232,7 +232,7 @@
+ RISCV_ACQUIRE_BARRIER \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+@@ -278,7 +278,7 @@
+ " bnez %1, 0b\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+@@ -324,7 +324,7 @@
+ " fence rw, rw\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+--
+2.25.1
+
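Review bot: The `(long)__old` cast added in the arm before each `case 8:` sign-extends only when `__old` has a signed type. If `__old` can be declared with an unsigned 32-bit type (its declaration is outside these hunks), the cast zero-extends instead, and a value with bit 31 set would still never compare equal to the sign-extended result of lr.w. Converting through a signed 32-bit type first makes the operand match lr.w for both signednesses, for example `: "rJ" ((long)(int)(long)__old), "rJ" (__new) \`. The same line appears in all four hunks of cmpxchg.h, and the enclosing macros start and end outside them.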
diff --git a/queue-4.19/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch b/queue-4.19/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch
new file mode 100644
index 00000000000..a5d575bd0a7
--- /dev/null
+++ b/queue-4.19/rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch
@@ -0,0 +1,53 @@
+From d77a8b2c1b67a15899110ba98c12d84d6db2c29a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 23:01:23 +0100
+Subject: rxrpc: Fix handling of rwind from an ACK packet
+
+From: David Howells
+
+[ Upstream commit a2ad7c21ad8cf1ce4ad65e13df1c2a1c29b38ac5 ]
+
+The handling of the receive window size (rwind) from a received ACK packet
+is not correct. The rxrpc_input_ackinfo() function currently checks the
+current Tx window size against the rwind from the ACK to see if it has
+changed, but then limits the rwind size before storing it in the tx_winsize
+member and, if it increased, wake up the transmitting process. This means
+that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be
+followed.
+
+Fix this by limiting rwind before we compare it to tx_winsize.
+
+The effect of this can be seen by enabling the rxrpc_rx_rwind_change
+tracepoint.
+
+Fixes: 702f2ac87a9a ("rxrpc: Wake up the transmitter if Rx window size increases on the peer")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/input.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index e65b230fce4c4..58bd558a277a4 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -735,13 +735,12 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb,
+ ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU),
+ rwind, ntohl(ackinfo->jumbo_max));
+
++ if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
++ rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+ if (call->tx_winsize != rwind) {
+- if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
+- rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+ if (rwind > call->tx_winsize)
+ wake = true;
+- trace_rxrpc_rx_rwind_change(call, sp->hdr.serial,
+- ntohl(ackinfo->rwind), wake);
++ trace_rxrpc_rx_rwind_change(call, sp->hdr.serial, rwind, wake);
+ call->tx_winsize = rwind;
+ }
+
+--
+2.25.1
+
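Review bot: trace_rxrpc_rx_rwind_change() now records the clamped `rwind` instead of `ntohl(ackinfo->rwind)`, so a peer advertising a window above RXRPC_RXTX_BUFF_SIZE - 1 can no longer be told apart in the trace from one advertising exactly the limit. If the advertised value is wanted when diagnosing a misbehaving peer, it has to come from somewhere other than this tracepoint; the call whose arguments end just above the clamp receives `rwind` before it is limited, but which call that is cannot be seen here. A comment above the clamp such as `/* rwind is peer-supplied; bound it before comparing with tx_winsize */` would make the ordering requirement explicit. rxrpc_input_ackinfo() starts and ends outside the hunk.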
diff --git a/queue-4.19/s390-ptrace-fix-setting-syscall-number.patch b/queue-4.19/s390-ptrace-fix-setting-syscall-number.patch
new file mode 100644
index 00000000000..da13cd26466
--- /dev/null
+++ b/queue-4.19/s390-ptrace-fix-setting-syscall-number.patch
@@ -0,0 +1,92 @@
+From cccac21db5a9b7c1b03b1078f8093be1751a6e1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Mar 2020 16:44:50 +0100
+Subject: s390/ptrace: fix setting syscall number
+
+From: Sven Schnelle
+
+[ Upstream commit 873e5a763d604c32988c4a78913a8dab3862d2f9 ]
+
+When strace wants to update the syscall number, it sets GPR2
+to the desired number and updates the GPR via PTRACE_SETREGSET.
+It doesn't update regs->int_code which would cause the old syscall
+executed on syscall restart. As we cannot change the ptrace ABI and
+don't have a field for the interruption code, check whether the tracee
+is in a syscall and the last instruction was svc. In that case assume
+that the tracer wants to update the syscall number and copy the GPR2
+value to regs->int_code.
+
+Signed-off-by: Sven Schnelle
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/ptrace.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index cd3df5514552c..65fefbf61e1ca 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -325,6 +325,25 @@ static inline void __poke_user_per(struct task_struct *child,
+ child->thread.per_user.end = data;
+ }
+
++static void fixup_int_code(struct task_struct *child, addr_t data)
++{
++ struct pt_regs *regs = task_pt_regs(child);
++ int ilc = regs->int_code >> 16;
++ u16 insn;
++
++ if (ilc > 6)
++ return;
++
++ if (ptrace_access_vm(child, regs->psw.addr - (regs->int_code >> 16),
++ &insn, sizeof(insn), FOLL_FORCE) != sizeof(insn))
++ return;
++
++ /* double check that tracee stopped on svc instruction */
++ if ((insn >> 8) != 0xa)
++ return;
++
++ regs->int_code = 0x20000 | (data & 0xffff);
++}
+ /*
+ * Write a word to the user area of a process at location addr. This
+ * operation does have an additional problem compared to peek_user.
+@@ -336,7 +355,9 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ struct user *dummy = NULL;
+ addr_t offset;
+
++
+ if (addr < (addr_t) &dummy->regs.acrs) {
++ struct pt_regs *regs = task_pt_regs(child);
+ /*
+ * psw and gprs are stored on the stack
+ */
+@@ -354,7 +375,11 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ /* Invalid addressing mode bits */
+ return -EINVAL;
+ }
+- *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
++
++ if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
++ addr == offsetof(struct user, regs.gprs[2]))
++ fixup_int_code(child, data);
++ *(addr_t *)((addr_t) ®s->psw + addr) = data;
+
+ } else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) {
+ /*
+@@ -720,6 +745,10 @@ static int __poke_user_compat(struct task_struct *child,
+ regs->psw.mask = (regs->psw.mask & ~PSW_MASK_BA) |
+ (__u64)(tmp & PSW32_ADDR_AMODE);
+ } else {
++
++ if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
++ addr == offsetof(struct compat_user, regs.gprs[2]))
++ fixup_int_code(child, data);
+ /* gpr 0-15 */
+ *(__u32*)((addr_t) ®s->psw + addr*2 + 4) = tmp;
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/s390-vdso-fix-vdso-clock_getres.patch b/queue-4.19/s390-vdso-fix-vdso-clock_getres.patch
new file mode 100644
index 00000000000..9902769d82a
--- /dev/null
+++ b/queue-4.19/s390-vdso-fix-vdso-clock_getres.patch
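Review bot: fixup_int_code() range-checks `ilc`, but the address handed to ptrace_access_vm() recomputes `regs->int_code >> 16` instead of using the checked variable, so the bound and the use can drift apart when either is edited; `regs->psw.addr - ilc` keeps them tied together. The literals `0xa`, `0x20000` and `0xffff` stand for the svc opcode, the instruction-length bits written back and the syscall-number mask, and each deserves a named constant or a short comment, since this function rewrites tracee state from tracer-supplied data. A blank line is also missing between the function's closing brace and the comment block that follows, and the hunk in __poke_user() adds a second consecutive empty line.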
@@ -0,0 +1,119 @@
+From 16077a8140677362c97c3e2aeaf1f235d7bbdc7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 24 Mar 2020 12:10:27 +0000
+Subject: s390/vdso: fix vDSO clock_getres()
+
+From: Vincenzo Frascino
+
+[ Upstream commit 478237a595120a18e9b52fd2c57a6e8b7a01e411 ]
+
+clock_getres in the vDSO library has to preserve the same behaviour
+of posix_get_hrtimer_res().
+
+In particular, posix_get_hrtimer_res() does:
+ sec = 0;
+ ns = hrtimer_resolution;
+and hrtimer_resolution depends on the enablement of the high
+resolution timers that can happen either at compile or at run time.
+
+Fix the s390 vdso implementation of clock_getres keeping a copy of
+hrtimer_resolution in vdso data and using that directly.
+
+Link: https://lkml.kernel.org/r/20200324121027.21665-1-vincenzo.frascino@arm.com
+Signed-off-by: Vincenzo Frascino
+Acked-by: Martin Schwidefsky
+[heiko.carstens@de.ibm.com: use llgf for proper zero extension]
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Sasha Levin
+---
+ arch/s390/include/asm/vdso.h | 1 +
+ arch/s390/kernel/asm-offsets.c | 2 +-
+ arch/s390/kernel/time.c | 1 +
+ arch/s390/kernel/vdso64/clock_getres.S | 10 +++++-----
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/include/asm/vdso.h b/arch/s390/include/asm/vdso.h
+index 169d7604eb804..f3ba84fa9bd18 100644
+--- a/arch/s390/include/asm/vdso.h
++++ b/arch/s390/include/asm/vdso.h
+@@ -36,6 +36,7 @@ struct vdso_data {
+ __u32 tk_shift; /* Shift used for xtime_nsec 0x60 */
+ __u32 ts_dir; /* TOD steering direction 0x64 */
+ __u64 ts_end; /* TOD steering end 0x68 */
++ __u32 hrtimer_res; /* hrtimer resolution 0x70 */
+ };
+
+ struct vdso_per_cpu_data {
+diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c
+index 66e830f1c7bfe..e9d09f6e81d25 100644
+--- a/arch/s390/kernel/asm-offsets.c
++++ b/arch/s390/kernel/asm-offsets.c
+@@ -75,6 +75,7 @@ int main(void)
+ OFFSET(__VDSO_TK_SHIFT, vdso_data, tk_shift);
+ OFFSET(__VDSO_TS_DIR, vdso_data, ts_dir);
+ OFFSET(__VDSO_TS_END, vdso_data, ts_end);
++ OFFSET(__VDSO_CLOCK_REALTIME_RES, vdso_data, hrtimer_res);
+ OFFSET(__VDSO_ECTG_BASE, vdso_per_cpu_data, ectg_timer_base);
+ OFFSET(__VDSO_ECTG_USER, vdso_per_cpu_data, ectg_user_time);
+ OFFSET(__VDSO_CPU_NR, vdso_per_cpu_data, cpu_nr);
+@@ -86,7 +87,6 @@ int main(void)
+ DEFINE(__CLOCK_REALTIME_COARSE, CLOCK_REALTIME_COARSE);
+ DEFINE(__CLOCK_MONOTONIC_COARSE, CLOCK_MONOTONIC_COARSE);
+ DEFINE(__CLOCK_THREAD_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID);
+- DEFINE(__CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
+ DEFINE(__CLOCK_COARSE_RES, LOW_RES_NSEC);
+ BLANK();
+ /* idle data offsets */
+diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
+index e8766beee5ad8..8ea9db599d38d 100644
+--- a/arch/s390/kernel/time.c
++++ b/arch/s390/kernel/time.c
+@@ -310,6 +310,7 @@ void update_vsyscall(struct timekeeper *tk)
+
+ vdso_data->tk_mult = tk->tkr_mono.mult;
+ vdso_data->tk_shift = tk->tkr_mono.shift;
++ vdso_data->hrtimer_res = hrtimer_resolution;
+ smp_wmb();
+ ++vdso_data->tb_update_count;
+ }
+diff --git a/arch/s390/kernel/vdso64/clock_getres.S b/arch/s390/kernel/vdso64/clock_getres.S
+index 081435398e0a1..0c79caa32b592 100644
+--- a/arch/s390/kernel/vdso64/clock_getres.S
++++ b/arch/s390/kernel/vdso64/clock_getres.S
+@@ -17,12 +17,14 @@
+ .type __kernel_clock_getres,@function
+ __kernel_clock_getres:
+ CFI_STARTPROC
+- larl %r1,4f
++ larl %r1,3f
++ lg %r0,0(%r1)
+ cghi %r2,__CLOCK_REALTIME_COARSE
+ je 0f
+ cghi %r2,__CLOCK_MONOTONIC_COARSE
+ je 0f
+- larl %r1,3f
++ larl %r1,_vdso_data
++ llgf %r0,__VDSO_CLOCK_REALTIME_RES(%r1)
+ cghi %r2,__CLOCK_REALTIME
+ je 0f
+ cghi %r2,__CLOCK_MONOTONIC
+@@ -36,7 +38,6 @@ __kernel_clock_getres:
+ jz 2f
+ 0: ltgr %r3,%r3
+ jz 1f /* res == NULL */
+- lg %r0,0(%r1)
+ xc 0(8,%r3),0(%r3) /* set tp->tv_sec to zero */
+ stg %r0,8(%r3) /* store tp->tv_usec */
+ 1: lghi %r2,0
+@@ -45,6 +46,5 @@ __kernel_clock_getres:
+ svc 0
+ br %r14
+ CFI_ENDPROC
+-3: .quad __CLOCK_REALTIME_RES
+-4: .quad __CLOCK_COARSE_RES
++3: .quad __CLOCK_COARSE_RES
+ .size __kernel_clock_getres,.-__kernel_clock_getres
+--
+2.25.1
+
diff --git a/queue-4.19/sata_rcar-handle-pm_runtime_get_sync-failure-cases.patch b/queue-4.19/sata_rcar-handle-pm_runtime_get_sync-failure-cases.patch
new file mode 100644
index 00000000000..5819dded14d
--- /dev/null
+++ b/queue-4.19/sata_rcar-handle-pm_runtime_get_sync-failure-cases.patch
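Review bot: The asm-offsets.c hunk removes the `DEFINE(__CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);` line, while the only assembly file updated in this patch is vdso64/clock_getres.S. If the 4.19 tree still carries a compat vDSO whose clock_getres code references `__CLOCK_REALTIME_RES`, that file would no longer assemble, so the backport needs either the matching change there or the DEFINE kept; this cannot be confirmed from the files shown. Separately, the new offset is called `__VDSO_CLOCK_REALTIME_RES` although it addresses `hrtimer_res` and is loaded for both __CLOCK_REALTIME and __CLOCK_MONOTONIC; naming it after the field, as the neighbouring `__VDSO_TK_SHIFT` and `__VDSO_TS_END` entries do, would be clearer.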
@@ -0,0 +1,68 @@
+From a0453b75d0768144b719a1d73401c2896c8dc38d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jun 2020 22:06:43 -0500
+Subject: sata_rcar: handle pm_runtime_get_sync failure cases
+
+From: Navid Emamdoost
+
+[ Upstream commit eea1238867205b9e48a67c1a63219529a73c46fd ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count. Call pm_runtime_put if
+pm_runtime_get_sync fails.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/sata_rcar.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
+index 03867f539f3a8..50ebd779d975f 100644
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -909,7 +909,7 @@ static int sata_rcar_probe(struct platform_device *pdev)
+ pm_runtime_enable(dev);
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0)
+- goto err_pm_disable;
++ goto err_pm_put;
+
+ host = ata_host_alloc(dev, 1);
+ if (!host) {
+@@ -940,7 +940,6 @@ static int sata_rcar_probe(struct platform_device *pdev)
+
+ err_pm_put:
+ pm_runtime_put(dev);
+-err_pm_disable:
+ pm_runtime_disable(dev);
+ return ret;
+ }
+@@ -994,8 +993,10 @@ static int sata_rcar_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+
+ if (priv->type == RCAR_GEN3_SATA) {
+ sata_rcar_init_module(priv);
+@@ -1020,8 +1021,10 @@ static int sata_rcar_restore(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+
+ sata_rcar_setup_port(host);
+
+--
+2.25.1
+
diff --git a/queue-4.19/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch b/queue-4.19/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch
new file mode 100644
index 00000000000..9092fbf33e5
--- /dev/null
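Review bot: The failure paths after pm_runtime_get_sync() call `pm_runtime_put(dev)`, which drops the usage count and also queues an idle request for a device whose resume has just failed; `pm_runtime_put_noidle(dev);` only rebalances the counter, which is all these paths need. In sata_rcar_probe() the shared `err_pm_put:` label is followed directly by `pm_runtime_disable(dev)`, so the probe failure path could branch to a label placed after a no-idle put instead. The same substitution applies to the added lines in sata_rcar_resume() and sata_rcar_restore(). All three function bodies extend beyond the hunks shown.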
+++ b/queue-4.19/sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch 
@@ -0,0 +1,75 @@
+From a07b499b86e9113ae4eda81ba6f60bb9dda0fdf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Nov 2018 16:32:01 +0100
+Subject: sched/core: Fix PI boosting between RT and DEADLINE tasks
+
+From: Juri Lelli
+
+[ Upstream commit 740797ce3a124b7dd22b7fb832d87bc8fba1cf6f ]
+
+syzbot reported the following warning:
+
+ WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628
+ enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504
+
+At deadline.c:628 we have:
+
+ 623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
+ 624 {
+ 625 struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
+ 626 struct rq *rq = rq_of_dl_rq(dl_rq);
+ 627
+ 628 WARN_ON(dl_se->dl_boosted);
+ 629 WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
+ [...]
+ }
+
+Which means that setup_new_dl_entity() has been called on a task
+currently boosted. This shouldn't happen though, as setup_new_dl_entity()
+is only called when the 'dynamic' deadline of the new entity
+is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this
+condition.
+
+Digging through the PI code I noticed that what above might in fact happen
+if an RT tasks blocks on an rt_mutex hold by a DEADLINE task. In the
+first branch of boosting conditions we check only if a pi_task 'dynamic'
+deadline is earlier than mutex holder's and in this case we set mutex
+holder to be dl_boosted. However, since RT 'dynamic' deadlines are only
+initialized if such tasks get boosted at some point (or if they become
+DEADLINE of course), in general RT 'dynamic' deadlines are usually equal
+to 0 and this verifies the aforementioned condition.
+
+Fix it by checking that the potential donor task is actually (even if
+temporary because in turn boosted) running at DEADLINE priority before
+using its 'dynamic' deadline value.
+
+Fixes: 2d3d891d3344 ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
+Reported-by: syzbot+119ba87189432ead09b4@syzkaller.appspotmail.com
+Signed-off-by: Juri Lelli
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Reviewed-by: Daniel Bristot de Oliveira
+Tested-by: Daniel Wagner
+Link: https://lkml.kernel.org/r/20181119153201.GB2119@localhost.localdomain
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0325ccf3a8e45..843394d0ea426 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3862,7 +3862,8 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ */
+ if (dl_prio(prio)) {
+ if (!dl_prio(p->normal_prio) ||
+- (pi_task && dl_entity_preempt(&pi_task->dl, &p->dl))) {
++ (pi_task && dl_prio(pi_task->prio) &&
++ dl_entity_preempt(&pi_task->dl, &p->dl))) {
+ p->dl.dl_boosted = 1;
+ queue_flag |= ENQUEUE_REPLENISH;
+ } else
+--
+2.25.1
+
diff --git a/queue-4.19/sched-deadline-initialize-dl_boosted.patch b/queue-4.19/sched-deadline-initialize-dl_boosted.patch
new file mode 100644
index 00000000000..36b938be73c
--- /dev/null
+++ b/queue-4.19/sched-deadline-initialize-dl_boosted.patch
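Review bot: The added `dl_prio(pi_task->prio)` test carries no comment, and the reason for it lives only in the commit message, so a later cleanup could remove it as redundant. A line above the condition such as `/* an RT donor's dynamic deadline may be uninitialised; only compare against a DEADLINE donor */` would keep that reasoning next to the code. rt_mutex_setprio() begins and ends outside the hunk, and only the closing `*/` of the preceding block comment is visible, so check that it does not already cover this.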
@@ -0,0 +1,48 @@
+From 3fcdde09b0dcb6d8169841765118d05859c8c79e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 09:29:19 +0200
+Subject: sched/deadline: Initialize ->dl_boosted
+
+From: Juri Lelli
+
+[ Upstream commit ce9bc3b27f2a21a7969b41ffb04df8cf61bd1592 ]
+
+syzbot reported the following warning triggered via SYSC_sched_setattr():
+
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 setup_new_dl_entity /kernel/sched/deadline.c:594 [inline]
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_dl_entity /kernel/sched/deadline.c:1370 [inline]
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_task_dl+0x1c17/0x2ba0 /kernel/sched/deadline.c:1441
+
+This happens because the ->dl_boosted flag is currently not initialized by
+__dl_clear_params() (unlike the other flags) and setup_new_dl_entity()
+rightfully complains about it.
+
+Initialize dl_boosted to 0.
+
+Fixes: 2d3d891d3344 ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
+Reported-by: syzbot+5ac8bac25f95e8b221e7@syzkaller.appspotmail.com
+Signed-off-by: Juri Lelli
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Tested-by: Daniel Wagner
+Link: https://lkml.kernel.org/r/20200617072919.818409-1-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/deadline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index ebec37cb3be9a..8aecfb143859d 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2688,6 +2688,7 @@ void __dl_clear_params(struct task_struct *p)
+ dl_se->dl_bw = 0;
+ dl_se->dl_density = 0;
+
++ dl_se->dl_boosted = 0;
+ dl_se->dl_throttled = 0;
+ dl_se->dl_yielded = 0;
+ dl_se->dl_non_contending = 0;
+--
+2.25.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 0172e316a1c..5ab15c2020a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -56,3 +56,47 @@ xhci-return-if-xhci-doesn-t-support-lpm.patch
 cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
 cifs-smb3-fix-data-inconsistent-when-punch-hole.patch
 cifs-smb3-fix-data-inconsistent-when-zero-file-range.patch
+xfrm-fix-double-esp-trailer-insertion-in-ipsec-crypt.patch
+asoc-q6asm-handle-eos-correctly.patch
+efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch
+regualtor-pfuze100-correct-sw1a-sw2-on-pfuze3000.patch
+asoc-fsl_ssi-fix-bclk-calculation-for-mono-channel.patch
+arm-dts-fix-duovero-smsc-interrupt-for-suspend.patch
+x86-resctrl-fix-a-null-vs-is_err-static-checker-warn.patch
+regmap-fix-memory-leak-from-regmap_register_patch.patch
+arm-dts-nsp-correct-fa2-mailbox-node.patch
+rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch
+rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch
+rdma-cma-protect-bind_list-and-listen_list-while-fin.patch
+asoc-rockchip-fix-a-reference-count-leak.patch
+rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
+net-qed-fix-left-elements-count-calculation.patch
+net-qed-fix-nvme-login-fails-over-vfs.patch
+net-qed-fix-excessive-qm-ilt-lines-consumption.patch
+cxgb4-move-handling-l2t-arp-failures-to-caller.patch
+arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch
+usb-gadget-udc-potential-oops-in-error-handling-code.patch
+nvme-multipath-set-bdi-capabilities-once.patch
+nvme-fix-possible-deadlock-when-i-o-is-blocked.patch
+nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch
+netfilter-ipset-fix-unaligned-atomic-access.patch
+net-bcmgenet-use-hardware-padding-of-runt-frames.patch
+i2c-fsi-fix-the-port-number-field-in-status-register.patch
+i2c-core-check-returned-size-of-emulated-smbus-block.patch
+sched-deadline-initialize-dl_boosted.patch
+sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch
+sata_rcar-handle-pm_runtime_get_sync-failure-cases.patch
+ata-libata-fix-usage-of-page-address-by-page_address.patch
+drm-amd-display-use-kfree-to-free-rgb_user-in-calcul.patch
+riscv-atomic-fix-sign-extension-for-rv64i.patch
+hwrng-ks-sa-fix-runtime-pm-imbalance-on-error.patch
+arm64-sve-eliminate-data-races-on-sve_default_vl.patch
+ibmvnic-harden-device-login-requests.patch
+net-alx-fix-race-condition-in-alx_remove.patch
+s390-ptrace-fix-setting-syscall-number.patch
+s390-vdso-fix-vdso-clock_getres.patch
+arm64-sve-fix-build-failure-when-arm64_sve-y-and-sys.patch
+kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch
+blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch
+risc-v-don-t-allow-write-exec-only-page-mapping-requ.patch
diff --git a/queue-4.19/usb-gadget-udc-potential-oops-in-error-handling-code.patch b/queue-4.19/usb-gadget-udc-potential-oops-in-error-handling-code.patch
new file mode 100644
index 00000000000..d9bceb1c8cd
--- /dev/null
+++ b/queue-4.19/usb-gadget-udc-potential-oops-in-error-handling-code.patch
@@ -0,0 +1,38 @@
+From 2aeb963ead0eb3b0ea5373380a3e28446824b859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jun 2020 14:27:19 +0300
+Subject: usb: gadget: udc: Potential Oops in error handling code
+
+From: Dan Carpenter
+
+[ Upstream commit e55f3c37cb8d31c7e301f46396b2ac6a19eb3a7c ]
+
+If this is in "transceiver" mode the the ->qwork isn't required and is
+a NULL pointer. This can lead to a NULL dereference when we call
+destroy_workqueue(udc->qwork).
+
+Fixes: 3517c31a8ece ("usb: gadget: mv_udc: use devm_xxx for probe")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/mv_udc_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/mv_udc_core.c b/drivers/usb/gadget/udc/mv_udc_core.c
+index 95f52232493b2..83e98b59910ec 100644
+--- a/drivers/usb/gadget/udc/mv_udc_core.c
++++ b/drivers/usb/gadget/udc/mv_udc_core.c
+@@ -2313,7 +2313,8 @@ static int mv_udc_probe(struct platform_device *pdev)
+ return 0;
+
+ err_create_workqueue:
+- destroy_workqueue(udc->qwork);
++ if (udc->qwork)
++ destroy_workqueue(udc->qwork);
+ err_destroy_dma:
+ dma_pool_destroy(udc->dtd_pool);
+ err_free_dma:
+--
+2.25.1
+
diff --git a/queue-4.19/x86-resctrl-fix-a-null-vs-is_err-static-checker-warn.patch b/queue-4.19/x86-resctrl-fix-a-null-vs-is_err-static-checker-warn.patch
new file mode 100644
index 00000000000..633d77de237
--- /dev/null
+++ b/queue-4.19/x86-resctrl-fix-a-null-vs-is_err-static-checker-warn.patch
@@ -0,0 +1,53 @@
+From 8361b99aea414a3328c5dfa87e31b86ba88b8fb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Jun 2020 22:36:11 +0300
+Subject: x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in
+ rdt_cdp_peer_get()
+
+From: Dan Carpenter
+
+[ Upstream commit cc5277fe66cf3ad68f41f1c539b2ef0d5e432974 ]
+
+The callers don't expect *d_cdp to be set to an error pointer, they only
+check for NULL. This leads to a static checker warning:
+
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c:2648 __init_one_rdt_domain()
+ warn: 'd_cdp' could be an error pointer
+
+This would not trigger a bug in this specific case because
+__init_one_rdt_domain() calls it with a valid domain that would not have
+a negative id and thus not trigger the return of the ERR_PTR(). If this
+was a negative domain id then the call to rdt_find_domain() in
+domain_add_cpu() would have returned the ERR_PTR() much earlier and the
+creation of the domain with an invalid id would have been prevented.
+
+Even though a bug is not triggered currently the right and safe thing to
+do is to set the pointer to NULL because that is what can be checked for
+when the caller is handling the CDP and non-CDP cases.
+
+Fixes: 52eb74339a62 ("x86/resctrl: Fix rdt_find_domain() return value and checks")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Borislav Petkov
+Acked-by: Reinette Chatre
+Acked-by: Fenghua Yu
+Link: https://lkml.kernel.org/r/20200602193611.GA190851@mwanda
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+index cea7e01a346d3..e62e416dd1162 100644
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -1035,6 +1035,7 @@ static int rdt_cdp_peer_get(struct rdt_resource *r, struct rdt_domain *d,
+ _d_cdp = rdt_find_domain(_r_cdp, d->id, NULL);
+ if (WARN_ON(IS_ERR_OR_NULL(_d_cdp))) {
+ _r_cdp = NULL;
++ _d_cdp = NULL;
+ ret = -EINVAL;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/xfrm-fix-double-esp-trailer-insertion-in-ipsec-crypt.patch b/queue-4.19/xfrm-fix-double-esp-trailer-insertion-in-ipsec-crypt.patch
new file mode 100644
index 00000000000..26b05985f90
--- /dev/null
+++ b/queue-4.19/xfrm-fix-double-esp-trailer-insertion-in-ipsec-crypt.patch
@@ -0,0 +1,68 @@
+From fc49a85fbc7398f0714b9cf33679e78d8259227d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Jun 2020 16:39:37 -0500
+Subject: xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
+
+From: Huy Nguyen
+
+[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]
+
+During IPsec performance testing, we see bad ICMP checksum. The error packet
+has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
+is from ip_output, but the packet cannot be sent because
+netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
+call is from NET_TX softirq. However after the first call, the packet already
+has the ESP trailer.
+
+Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
+validate_xmit_xfrm to avoid duplicate ESP trailer insertion.
+
+Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb")
+Signed-off-by: Huy Nguyen
+Reviewed-by: Boris Pismenny
+Reviewed-by: Raed Salem
+Reviewed-by: Saeed Mahameed
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/net/xfrm.h | 1 +
+ net/xfrm/xfrm_device.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 48dc1ce2170d8..f087c8d125b8f 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1083,6 +1083,7 @@ struct xfrm_offload {
+ #define XFRM_GRO 32
+ #define XFRM_ESP_NO_TRAILER 64
+ #define XFRM_DEV_RESUME 128
++#define XFRM_XMIT 256
+
+ __u32 status;
+ #define CRYPTO_SUCCESS 1
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 8634ce6771421..e7a0ce98479f3 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -33,7 +33,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ netdev_features_t esp_features = features;
+ struct xfrm_offload *xo = xfrm_offload(skb);
+
+- if (!xo)
++ if (!xo || (xo->flags & XFRM_XMIT))
+ return skb;
+
+ if (!(features & NETIF_F_HW_ESP))
+@@ -53,6 +53,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ return skb;
+ }
+
++ xo->flags |= XFRM_XMIT;
++
+ if (skb_is_gso(skb)) {
+ struct net_device *dev = skb->dev;
+
+--
+2.25.1
+
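Review bot: `xo->flags |= XFRM_XMIT;` in validate_xmit_xfrm() has no comment, and nothing at the new early return explains why an skb carrying the flag skips all offload processing. A line such as `/* mark as processed so a requeued skb is not given a second ESP trailer */` above the assignment would document the invariant the early `return skb;` depends on. Nothing in these hunks clears the flag again, so it is worth confirming that the offload state attached to an skb is never reused for a transmit that should be processed afresh. The body of validate_xmit_xfrm() continues past the second hunk.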