From: Greg Kroah-Hartman Date: Mon, 4 May 2020 12:38:52 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.222~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e15f2bdec21005df47f022d20f852843475e44bd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-opti9xx-shut-up-gcc-10-range-warning.patch dmaengine-dmatest-fix-iteration-non-stop-logic.patch iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch iommu-qcom-fix-local_base-status-check.patch nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch rdma-core-fix-race-between-destroy-and-release-fd-object.patch rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch rdma-mlx4-initialize-ib_spec-on-the-stack.patch rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch scsi-qla2xxx-check-unloading-before-posting-async-work.patch scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch scsi-target-iblock-fix-write-same-zeroing.patch vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch --- diff --git a/queue-4.19/alsa-opti9xx-shut-up-gcc-10-range-warning.patch b/queue-4.19/alsa-opti9xx-shut-up-gcc-10-range-warning.patch new file mode 100644 index 00000000000..acf7ec35dae --- /dev/null +++ b/queue-4.19/alsa-opti9xx-shut-up-gcc-10-range-warning.patch @@ -0,0 +1,84 @@ +From 5ce00760a84848d008554c693ceb6286f4d9c509 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 29 Apr 2020 21:02:03 +0200 +Subject: ALSA: opti9xx: shut up gcc-10 range warning + +From: Arnd Bergmann + +commit 5ce00760a84848d008554c693ceb6286f4d9c509 upstream. + +gcc-10 points out a few instances of suspicious integer arithmetic +leading to value truncation: + +sound/isa/opti9xx/opti92x-ad1848.c: In function 'snd_opti9xx_configure': +sound/isa/opti9xx/opti92x-ad1848.c:322:43: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_opti9xx_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow] + 322 | (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask))) + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/opti92x-ad1848.c:351:3: note: in expansion of macro 'snd_opti9xx_write_mask' + 351 | snd_opti9xx_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff); + | ^~~~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/miro.c: In function 'snd_miro_configure': +sound/isa/opti9xx/miro.c:873:40: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_miro_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow] + 873 | (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask))) + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/miro.c:1010:3: note: in expansion of macro 'snd_miro_write_mask' + 1010 | snd_miro_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff); + | ^~~~~~~~~~~~~~~~~~~ + +These are all harmless here as only the low 8 bit are passed down +anyway. Change the macros to inline functions to make the code +more readable and also avoid the warning. + +Strictly speaking those functions also need locking to make the +read/write pair atomic, but it seems unlikely that anyone would +still run into that issue. + +Fixes: 1841f613fd2e ("[ALSA] Add snd-miro driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200429190216.85919-1-arnd@arndb.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/isa/opti9xx/miro.c | 9 ++++++--- + sound/isa/opti9xx/opti92x-ad1848.c | 9 ++++++--- + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/sound/isa/opti9xx/miro.c ++++ b/sound/isa/opti9xx/miro.c +@@ -880,10 +880,13 @@ static void snd_miro_write(struct snd_mi + spin_unlock_irqrestore(&chip->lock, flags); + } + ++static inline void snd_miro_write_mask(struct snd_miro *chip, ++ unsigned char reg, unsigned char value, unsigned char mask) ++{ ++ unsigned char oldval = snd_miro_read(chip, reg); + +-#define snd_miro_write_mask(chip, reg, value, mask) \ +- snd_miro_write(chip, reg, \ +- (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask))) ++ snd_miro_write(chip, reg, (oldval & ~mask) | (value & mask)); ++} + + /* + * Proc Interface +--- a/sound/isa/opti9xx/opti92x-ad1848.c ++++ b/sound/isa/opti9xx/opti92x-ad1848.c +@@ -329,10 +329,13 @@ static void snd_opti9xx_write(struct snd + } + + +-#define snd_opti9xx_write_mask(chip, reg, value, mask) \ +- snd_opti9xx_write(chip, reg, \ +- (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask))) ++static inline void snd_opti9xx_write_mask(struct snd_opti9xx *chip, ++ unsigned char reg, unsigned char value, unsigned char mask) ++{ ++ unsigned char oldval = snd_opti9xx_read(chip, reg); + ++ snd_opti9xx_write(chip, reg, (oldval & ~mask) | (value & mask)); ++} + + static int snd_opti9xx_configure(struct snd_opti9xx *chip, + long port, diff --git a/queue-4.19/dmaengine-dmatest-fix-iteration-non-stop-logic.patch b/queue-4.19/dmaengine-dmatest-fix-iteration-non-stop-logic.patch new file mode 100644 index 00000000000..8ffe4668276 --- /dev/null +++ b/queue-4.19/dmaengine-dmatest-fix-iteration-non-stop-logic.patch @@ -0,0 +1,61 @@ +From b9f960201249f20deea586b4ec814669b4c6b1c0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 24 Apr 2020 19:11:42 +0300 +Subject: dmaengine: dmatest: Fix iteration non-stop logic + +From: Andy Shevchenko + +commit b9f960201249f20deea586b4ec814669b4c6b1c0 upstream. + +Under some circumstances, i.e. when test is still running and about to +time out and user runs, for example, + + grep -H . /sys/module/dmatest/parameters/* + +the iterations parameter is not respected and test is going on and on until +user gives + + echo 0 > /sys/module/dmatest/parameters/run + +This is not what expected. + +The history of this bug is interesting. I though that the commit + 2d88ce76eb98 ("dmatest: add a 'wait' parameter") +is a culprit, but looking closer to the code I think it simple revealed the +broken logic from the day one, i.e. in the commit + 0a2ff57d6fba ("dmaengine: dmatest: add a maximum number of test iterations") +which adds iterations parameter. + +So, to the point, the conditional of checking the thread to be stopped being +first part of conjunction logic prevents to check iterations. Thus, we have to +always check both conditions to be able to stop after given iterations. + +Since it wasn't visible before second commit appeared, I add a respective +Fixes tag. + +Fixes: 2d88ce76eb98 ("dmatest: add a 'wait' parameter") +Cc: Dan Williams +Cc: Nicolas Ferre +Signed-off-by: Andy Shevchenko +Acked-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20200424161147.16895-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dmatest.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -567,8 +567,8 @@ static int dmatest_func(void *data) + flags = DMA_CTRL_ACK | DMA_PREP_INTERRUPT; + + ktime = ktime_get(); +- while (!kthread_should_stop() +- && !(params->iterations && total_tests >= params->iterations)) { ++ while (!(kthread_should_stop() || ++ (params->iterations && total_tests >= params->iterations))) { + struct dma_async_tx_descriptor *tx = NULL; + struct dmaengine_unmap_data *um; + dma_addr_t *dsts; diff --git a/queue-4.19/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch b/queue-4.19/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch new file mode 100644 index 00000000000..2f302589360 --- /dev/null +++ b/queue-4.19/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch @@ -0,0 +1,39 @@ +From b74aa02d7a30ee5e262072a7d6e8deff10b37924 Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Wed, 22 Apr 2020 08:30:02 -0500 +Subject: iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system + +From: Suravee Suthikulpanit + +commit b74aa02d7a30ee5e262072a7d6e8deff10b37924 upstream. + +Currently, system fails to boot because the legacy interrupt remapping +mode does not enable 128-bit IRTE (GA), which is required for x2APIC +support. + +Fix by using AMD_IOMMU_GUEST_IR_LEGACY_GA mode when booting with +kernel option amd_iommu_intr=legacy instead. The initialization +logic will check GASup and automatically fallback to using +AMD_IOMMU_GUEST_IR_LEGACY if GA mode is not supported. + +Fixes: 3928aa3f5775 ("iommu/amd: Detect and enable guest vAPIC support") +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/1587562202-14183-1-git-send-email-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -2836,7 +2836,7 @@ static int __init parse_amd_iommu_intr(c + { + for (; *str; ++str) { + if (strncmp(str, "legacy", 6) == 0) { +- amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY; ++ amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY_GA; + break; + } + if (strncmp(str, "vapic", 5) == 0) { diff --git a/queue-4.19/iommu-qcom-fix-local_base-status-check.patch b/queue-4.19/iommu-qcom-fix-local_base-status-check.patch new file mode 100644 index 00000000000..c2d4a49764a --- /dev/null +++ b/queue-4.19/iommu-qcom-fix-local_base-status-check.patch @@ -0,0 +1,39 @@ +From b52649aee6243ea661905bdc5fbe28cc5f6dec76 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Sat, 18 Apr 2020 21:47:03 +0800 +Subject: iommu/qcom: Fix local_base status check + +From: Tang Bin + +commit b52649aee6243ea661905bdc5fbe28cc5f6dec76 upstream. + +The function qcom_iommu_device_probe() does not perform sufficient +error checking after executing devm_ioremap_resource(), which can +result in crashes if a critical error path is encountered. + +Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu") +Signed-off-by: Tang Bin +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20200418134703.1760-1-tangbin@cmss.chinamobile.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/qcom_iommu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/qcom_iommu.c ++++ b/drivers/iommu/qcom_iommu.c +@@ -797,8 +797,11 @@ static int qcom_iommu_device_probe(struc + qcom_iommu->dev = dev; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- if (res) ++ if (res) { + qcom_iommu->local_base = devm_ioremap_resource(dev, res); ++ if (IS_ERR(qcom_iommu->local_base)) ++ return PTR_ERR(qcom_iommu->local_base); ++ } + + qcom_iommu->iface_clk = devm_clk_get(dev, "iface"); + if (IS_ERR(qcom_iommu->iface_clk)) { diff --git a/queue-4.19/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch b/queue-4.19/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch new file mode 100644 index 00000000000..32cf5dc0470 --- /dev/null +++ b/queue-4.19/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch @@ -0,0 +1,79 @@ +From 7648f939cb919b9d15c21fff8cd9eba908d595dc Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 20 Apr 2020 15:51:47 +0200 +Subject: nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl + +From: Andreas Gruenbacher + +commit 7648f939cb919b9d15c21fff8cd9eba908d595dc upstream. + +nfs3_set_acl keeps track of the acl it allocated locally to determine if an acl +needs to be released at the end. This results in a memory leak when the +function allocates an acl as well as a default acl. Fix by releasing acls +that differ from the acl originally passed into nfs3_set_acl. + +Fixes: b7fa0554cf1b ("[PATCH] NFS: Add support for NFSv3 ACLs") +Reported-by: Xiyu Yang +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs3acl.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs3acl.c ++++ b/fs/nfs/nfs3acl.c +@@ -255,37 +255,45 @@ int nfs3_proc_setacls(struct inode *inod + + int nfs3_set_acl(struct inode *inode, struct posix_acl *acl, int type) + { +- struct posix_acl *alloc = NULL, *dfacl = NULL; ++ struct posix_acl *orig = acl, *dfacl = NULL, *alloc; + int status; + + if (S_ISDIR(inode->i_mode)) { + switch(type) { + case ACL_TYPE_ACCESS: +- alloc = dfacl = get_acl(inode, ACL_TYPE_DEFAULT); ++ alloc = get_acl(inode, ACL_TYPE_DEFAULT); + if (IS_ERR(alloc)) + goto fail; ++ dfacl = alloc; + break; + + case ACL_TYPE_DEFAULT: +- dfacl = acl; +- alloc = acl = get_acl(inode, ACL_TYPE_ACCESS); ++ alloc = get_acl(inode, ACL_TYPE_ACCESS); + if (IS_ERR(alloc)) + goto fail; ++ dfacl = acl; ++ acl = alloc; + break; + } + } + + if (acl == NULL) { +- alloc = acl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); ++ alloc = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); + if (IS_ERR(alloc)) + goto fail; ++ acl = alloc; + } + status = __nfs3_proc_setacls(inode, acl, dfacl); +- posix_acl_release(alloc); ++out: ++ if (acl != orig) ++ posix_acl_release(acl); ++ if (dfacl != orig) ++ posix_acl_release(dfacl); + return status; + + fail: +- return PTR_ERR(alloc); ++ status = PTR_ERR(alloc); ++ goto out; + } + + const struct xattr_handler *nfs3_xattr_handlers[] = { diff --git a/queue-4.19/rdma-core-fix-race-between-destroy-and-release-fd-object.patch b/queue-4.19/rdma-core-fix-race-between-destroy-and-release-fd-object.patch new file mode 100644 index 00000000000..0eab16a3f0e --- /dev/null +++ b/queue-4.19/rdma-core-fix-race-between-destroy-and-release-fd-object.patch @@ -0,0 +1,55 @@ +From f0abc761bbb9418876cc4d1ebc473e4ea6352e42 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Thu, 23 Apr 2020 09:01:22 +0300 +Subject: RDMA/core: Fix race between destroy and release FD object + +From: Leon Romanovsky + +commit f0abc761bbb9418876cc4d1ebc473e4ea6352e42 upstream. + +The call to ->lookup_put() was too early and it caused an unlock of the +read/write protection of the uobject after the FD was put. This allows a +race: + + CPU1 CPU2 + rdma_lookup_put_uobject() + lookup_put_fd_uobject() + fput() + fput() + uverbs_uobject_fd_release() + WARN_ON(uverbs_try_lock_object(uobj, + UVERBS_LOOKUP_WRITE)); + atomic_dec(usecnt) + +Fix the code by changing the order, first unlock and call to +->lookup_put() after that. + +Fixes: 3832125624b7 ("IB/core: Add support for idr types") +Link: https://lore.kernel.org/r/20200423060122.6182-1-leon@kernel.org +Suggested-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/rdma_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -697,7 +697,6 @@ void rdma_lookup_put_uobject(struct ib_u + enum rdma_lookup_mode mode) + { + assert_uverbs_usecnt(uobj, mode); +- uobj->uapi_object->type_class->lookup_put(uobj, mode); + /* + * In order to unlock an object, either decrease its usecnt for + * read access or zero it in case of exclusive access. See +@@ -714,6 +713,7 @@ void rdma_lookup_put_uobject(struct ib_u + break; + } + ++ uobj->uapi_object->type_class->lookup_put(uobj, mode); + /* Pairs with the kref obtained by type->lookup_get */ + uverbs_uobject_put(uobj); + } diff --git a/queue-4.19/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch b/queue-4.19/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch new file mode 100644 index 00000000000..05d433ddd8f --- /dev/null +++ b/queue-4.19/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch @@ -0,0 +1,71 @@ +From 0fb00941dc63990a10951146df216fc7b0e20bc2 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 21 Apr 2020 11:29:28 +0300 +Subject: RDMA/core: Prevent mixed use of FDs between shared ufiles + +From: Leon Romanovsky + +commit 0fb00941dc63990a10951146df216fc7b0e20bc2 upstream. + +FDs can only be used on the ufile that created them, they cannot be mixed +to other ufiles. We are lacking a check to prevent it. + + BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline] + BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline] + BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336 + Write of size 8 at addr 0000000000000038 by task syz-executor179/284 + + CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x94/0xce lib/dump_stack.c:118 + __kasan_report+0x18f/0x1b7 mm/kasan/report.c:510 + kasan_report+0xe/0x20 mm/kasan/common.c:639 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192 + atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline] + atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline] + fput_many+0x1a/0x140 fs/file_table.c:336 + rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692 + uobj_put_read include/rdma/uverbs_std_types.h:96 [inline] + _ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline] + create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006 + ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089 + ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769 + __vfs_write+0x7c/0x100 fs/read_write.c:494 + vfs_write+0x168/0x4a0 fs/read_write.c:558 + ksys_write+0xc8/0x200 fs/read_write.c:611 + do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x44ef99 + Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99 + RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005 + RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830 + R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000 + R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000 + +Fixes: cf8966b3477d ("IB/core: Add support for fd objects") +Link: https://lore.kernel.org/r/20200421082929.311931-2-leon@kernel.org +Suggested-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/rdma_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -381,7 +381,7 @@ lookup_get_fd_uobject(const struct uverb + * and the caller is expected to ensure that uverbs_close_fd is never + * done while a call top lookup is possible. + */ +- if (f->f_op != fd_type->fops) { ++ if (f->f_op != fd_type->fops || uobject->ufile != ufile) { + fput(f); + return ERR_PTR(-EBADF); + } diff --git a/queue-4.19/rdma-mlx4-initialize-ib_spec-on-the-stack.patch b/queue-4.19/rdma-mlx4-initialize-ib_spec-on-the-stack.patch new file mode 100644 index 00000000000..0288cf26dea --- /dev/null +++ b/queue-4.19/rdma-mlx4-initialize-ib_spec-on-the-stack.patch @@ -0,0 +1,38 @@ +From c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c Mon Sep 17 00:00:00 2001 +From: Alaa Hleihel +Date: Mon, 13 Apr 2020 16:22:35 +0300 +Subject: RDMA/mlx4: Initialize ib_spec on the stack + +From: Alaa Hleihel + +commit c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c upstream. + +Initialize ib_spec on the stack before using it, otherwise we will have +garbage values that will break creating default rules with invalid parsing +error. + +Fixes: a37a1a428431 ("IB/mlx4: Add mechanism to support flow steering over IB links") +Link: https://lore.kernel.org/r/20200413132235.930642-1-leon@kernel.org +Signed-off-by: Alaa Hleihel +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1606,8 +1606,9 @@ static int __mlx4_ib_create_default_rule + int i; + + for (i = 0; i < ARRAY_SIZE(pdefault_rules->rules_create_list); i++) { ++ union ib_flow_spec ib_spec = {}; + int ret; +- union ib_flow_spec ib_spec; ++ + switch (pdefault_rules->rules_create_list[i]) { + case 0: + /* no rule */ diff --git a/queue-4.19/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch b/queue-4.19/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch new file mode 100644 index 00000000000..28d767a54bd --- /dev/null +++ b/queue-4.19/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch @@ -0,0 +1,43 @@ +From 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 Mon Sep 17 00:00:00 2001 +From: Aharon Landau +Date: Mon, 13 Apr 2020 16:20:28 +0300 +Subject: RDMA/mlx5: Set GRH fields in query QP on RoCE + +From: Aharon Landau + +commit 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 upstream. + +GRH fields such as sgid_index, hop limit, et. are set in the QP context +when QP is created/modified. + +Currently, when query QP is performed, we fill the GRH fields only if the +GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust +the check so we will set all relevant data for the RoCE too. + +Since this data is returned to userspace, the below is an ABI regression. + +Fixes: d8966fcd4c25 ("IB/core: Use rdma_ah_attr accessor functions") +Link: https://lore.kernel.org/r/20200413132028.930109-1-leon@kernel.org +Signed-off-by: Aharon Landau +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4887,7 +4887,9 @@ static void to_rdma_ah_attr(struct mlx5_ + rdma_ah_set_path_bits(ah_attr, path->grh_mlid & 0x7f); + rdma_ah_set_static_rate(ah_attr, + path->static_rate ? path->static_rate - 5 : 0); +- if (path->grh_mlid & (1 << 7)) { ++ ++ if (path->grh_mlid & (1 << 7) || ++ ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) { + u32 tc_fl = be32_to_cpu(path->tclass_flowlabel); + + rdma_ah_set_grh(ah_attr, NULL, diff --git a/queue-4.19/scsi-qla2xxx-check-unloading-before-posting-async-work.patch b/queue-4.19/scsi-qla2xxx-check-unloading-before-posting-async-work.patch new file mode 100644 index 00000000000..80fbf697656 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-check-unloading-before-posting-async-work.patch @@ -0,0 +1,43 @@ +From 5a263892d7d0b4fe351363f8d1a14c6a75955475 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Tue, 21 Apr 2020 22:46:21 +0200 +Subject: scsi: qla2xxx: check UNLOADING before posting async work + +From: Martin Wilck + +commit 5a263892d7d0b4fe351363f8d1a14c6a75955475 upstream. + +qlt_free_session_done() tries to post async PRLO / LOGO, and waits for the +completion of these async commands. If UNLOADING is set, this is doomed to +timeout, because the async logout command will never complete. + +The only way to avoid waiting pointlessly is to fail posting these commands +in the first place if the driver is in UNLOADING state. In general, +posting any command should be avoided when the driver is UNLOADING. + +With this patch, "rmmod qla2xxx" completes without noticeable delay. + +Link: https://lore.kernel.org/r/20200421204621.19228-3-mwilck@suse.com +Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip") +Acked-by: Arun Easi +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin Wilck +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4645,6 +4645,9 @@ qla2x00_alloc_work(struct scsi_qla_host + struct qla_work_evt *e; + uint8_t bail; + ++ if (test_bit(UNLOADING, &vha->dpc_flags)) ++ return NULL; ++ + QLA_VHA_MARK_BUSY(vha, bail); + if (bail) + return NULL; diff --git a/queue-4.19/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch b/queue-4.19/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch new file mode 100644 index 00000000000..086f0e92f44 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch @@ -0,0 +1,95 @@ +From 856e152a3c08bf7987cbd41900741d83d9cddc8e Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Tue, 21 Apr 2020 22:46:20 +0200 +Subject: scsi: qla2xxx: set UNLOADING before waiting for session deletion + +From: Martin Wilck + +commit 856e152a3c08bf7987cbd41900741d83d9cddc8e upstream. + +The purpose of the UNLOADING flag is to avoid port login procedures to +continue when a controller is in the process of shutting down. It makes +sense to set this flag before starting session teardown. + +Furthermore, use atomic test_and_set_bit() to avoid the shutdown being run +multiple times in parallel. In qla2x00_disable_board_on_pci_error(), the +test for UNLOADING is postponed until after the check for an already +disabled PCI board. + +Link: https://lore.kernel.org/r/20200421204621.19228-2-mwilck@suse.com +Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip") +Reviewed-by: Arun Easi +Reviewed-by: Daniel Wagner +Reviewed-by: Roman Bolshakov +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin Wilck +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 32 ++++++++++++++------------------ + 1 file changed, 14 insertions(+), 18 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3654,6 +3654,13 @@ qla2x00_remove_one(struct pci_dev *pdev) + } + qla2x00_wait_for_hba_ready(base_vha); + ++ /* ++ * if UNLOADING flag is already set, then continue unload, ++ * where it was set first. ++ */ ++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags)) ++ return; ++ + if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) { + if (ha->flags.fw_started) + qla2x00_abort_isp_cleanup(base_vha); +@@ -3671,15 +3678,6 @@ qla2x00_remove_one(struct pci_dev *pdev) + + qla2x00_wait_for_sess_deletion(base_vha); + +- /* +- * if UNLOAD flag is already set, then continue unload, +- * where it was set first. +- */ +- if (test_bit(UNLOADING, &base_vha->dpc_flags)) +- return; +- +- set_bit(UNLOADING, &base_vha->dpc_flags); +- + qla_nvme_delete(base_vha); + + dma_free_coherent(&ha->pdev->dev, +@@ -5845,13 +5843,6 @@ qla2x00_disable_board_on_pci_error(struc + struct pci_dev *pdev = ha->pdev; + scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev); + +- /* +- * if UNLOAD flag is already set, then continue unload, +- * where it was set first. +- */ +- if (test_bit(UNLOADING, &base_vha->dpc_flags)) +- return; +- + ql_log(ql_log_warn, base_vha, 0x015b, + "Disabling adapter.\n"); + +@@ -5862,9 +5853,14 @@ qla2x00_disable_board_on_pci_error(struc + return; + } + +- qla2x00_wait_for_sess_deletion(base_vha); ++ /* ++ * if UNLOADING flag is already set, then continue unload, ++ * where it was set first. ++ */ ++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags)) ++ return; + +- set_bit(UNLOADING, &base_vha->dpc_flags); ++ qla2x00_wait_for_sess_deletion(base_vha); + + qla2x00_delete_all_vps(ha, base_vha); + diff --git a/queue-4.19/scsi-target-iblock-fix-write-same-zeroing.patch b/queue-4.19/scsi-target-iblock-fix-write-same-zeroing.patch new file mode 100644 index 00000000000..f7a63e14268 --- /dev/null +++ b/queue-4.19/scsi-target-iblock-fix-write-same-zeroing.patch @@ -0,0 +1,44 @@ +From 1d2ff149b263c9325875726a7804a0c75ef7112e Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Sun, 19 Apr 2020 18:31:09 +0200 +Subject: scsi: target/iblock: fix WRITE SAME zeroing + +From: David Disseldorp + +commit 1d2ff149b263c9325875726a7804a0c75ef7112e upstream. + +SBC4 specifies that WRITE SAME requests with the UNMAP bit set to zero +"shall perform the specified write operation to each LBA specified by the +command". Commit 2237498f0b5c ("target/iblock: Convert WRITE_SAME to +blkdev_issue_zeroout") modified the iblock backend to call +blkdev_issue_zeroout() when handling WRITE SAME requests with UNMAP=0 and a +zero data segment. + +The iblock blkdev_issue_zeroout() call incorrectly provides a flags +parameter of 0 (bool false), instead of BLKDEV_ZERO_NOUNMAP. The bool +false parameter reflects the blkdev_issue_zeroout() API prior to commit +ee472d835c26 ("block: add a flags argument to (__)blkdev_issue_zeroout") +which was merged shortly before 2237498f0b5c. + +Link: https://lore.kernel.org/r/20200419163109.11689-1-ddiss@suse.de +Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout") +Reviewed-by: Bart Van Assche +Signed-off-by: David Disseldorp +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_iblock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_iblock.c ++++ b/drivers/target/target_core_iblock.c +@@ -445,7 +445,7 @@ iblock_execute_zero_out(struct block_dev + target_to_linux_sector(dev, cmd->t_task_lba), + target_to_linux_sector(dev, + sbc_get_write_same_sectors(cmd)), +- GFP_KERNEL, false); ++ GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); + if (ret) + return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + diff --git a/queue-4.19/series b/queue-4.19/series index db7c972bd02..f83bd5f5f09 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -12,6 +12,20 @@ pm-hibernate-freeze-kernel-threads-in-software_resume.patch dm-verity-fec-fix-hash-block-number-in-verity_fec_decode.patch dm-writecache-fix-data-corruption-when-reloading-the-target.patch dm-multipath-use-updated-mpathf_queue_io-on-mapping-for-bio-based-mpath.patch +scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch +scsi-qla2xxx-check-unloading-before-posting-async-work.patch +rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch +rdma-mlx4-initialize-ib_spec-on-the-stack.patch +rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch +rdma-core-fix-race-between-destroy-and-release-fd-object.patch +vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch +vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch +iommu-qcom-fix-local_base-status-check.patch +scsi-target-iblock-fix-write-same-zeroing.patch +iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch +alsa-opti9xx-shut-up-gcc-10-range-warning.patch +nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch +dmaengine-dmatest-fix-iteration-non-stop-logic.patch btrfs-fix-partial-loss-of-prealloc-extent-past-i_size-after-fsync.patch btrfs-transaction-avoid-deadlock-due-to-bad-initialization-timing-of-fs_info-journal_info.patch mmc-cqhci-avoid-false-cqhci-cqe-stuck-on-by-not-open-coding-timeout-loop.patch diff --git a/queue-4.19/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch b/queue-4.19/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch new file mode 100644 index 00000000000..7b1a4efd4ff --- /dev/null +++ b/queue-4.19/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch @@ -0,0 +1,31 @@ +From 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 Mon Sep 17 00:00:00 2001 +From: Yan Zhao +Date: Wed, 8 Apr 2020 03:12:34 -0400 +Subject: vfio: avoid possible overflow in vfio_iommu_type1_pin_pages + +From: Yan Zhao + +commit 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 upstream. + +add parentheses to avoid possible vaddr overflow. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Signed-off-by: Yan Zhao +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -598,7 +598,7 @@ static int vfio_iommu_type1_pin_pages(vo + continue; + } + +- remote_vaddr = dma->vaddr + iova - dma->iova; ++ remote_vaddr = dma->vaddr + (iova - dma->iova); + ret = vfio_pin_page_external(dma, remote_vaddr, &phys_pfn[i], + do_accounting); + if (ret) diff --git a/queue-4.19/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch b/queue-4.19/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch new file mode 100644 index 00000000000..caffdca74b5 --- /dev/null +++ b/queue-4.19/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch @@ -0,0 +1,73 @@ +From 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 16 Apr 2020 15:50:57 -0700 +Subject: vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() + +From: Sean Christopherson + +commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d upstream. + +Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that +vma->vm_pgoff holds the base PFN of the VMA. This fixes a bug where +attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of +memory calculates garbage for the PFN. + +Hilariously, this only got detected because the first "PFN" calculated +by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys() +uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin() +because the translation "failed". PFN 0 is now unconditionally reserved +on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn() +to return true and in turns results in vaddr_get_pfn() returning success +for PFN 0. Eventually the bogus calculation runs into PFNs that aren't +reserved and leads to failure in vfio_pin_map_dma(). The subsequent +call to vfio_remove_dma() attempts to unmap PFN 0 and WARNs. + + WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1] + Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ... + CPU: 8 PID: 5130 Comm: sgx Tainted: G W 5.6.0-rc5-705d787c7fee-vfio+ #3 + Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018 + RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1] + Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe + RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200 + RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2 + R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000 + R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08 + FS: 00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + vfio_remove_dma+0x17/0x70 [vfio_iommu_type1] + vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1] + ksys_ioctl+0x92/0xb0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x4c/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f15d04c75d7 + Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48 + +Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation") +Signed-off-by: Sean Christopherson +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio_iommu_type1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -385,8 +385,8 @@ static int vaddr_get_pfn(struct mm_struc + vma = find_vma_intersection(mm, vaddr, vaddr + 1); + + if (vma && vma->vm_flags & VM_PFNMAP) { +- *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; +- if (is_invalid_reserved_pfn(*pfn)) ++ if (!follow_pfn(vma, vaddr, pfn) && ++ is_invalid_reserved_pfn(*pfn)) + ret = 0; + } +