From 03da68edc389427845c26dd840bf0e2de08db9c8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 4 May 2020 14:39:21 +0200 Subject: [PATCH] 5.6-stable patches added patches: alsa-opti9xx-shut-up-gcc-10-range-warning.patch arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch dmaengine-dmatest-fix-iteration-non-stop-logic.patch dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch dmaengine-fix-channel-index-enumeration.patch dmaengine-hisilicon-fix-build-error-without-pci_msi.patch dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch fix-use-after-free-in-get_tree_bdev.patch i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch i2c-iproc-generate-stop-event-for-slave-writes.patch iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch iommu-properly-export-iommu_group_get_for_dev.patch iommu-qcom-fix-local_base-status-check.patch iommu-vt-d-use-right-kconfig-option-name.patch nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch rdma-core-fix-race-between-destroy-and-release-fd-object.patch rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch rdma-mlx4-initialize-ib_spec-on-the-stack.patch rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch scsi-qla2xxx-check-unloading-before-posting-async-work.patch scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch scsi-target-iblock-fix-write-same-zeroing.patch vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch 
vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch xprtrdma-fix-trace-point-use-after-free-race.patch --- ...opti9xx-shut-up-gcc-10-range-warning.patch | 84 ++++++++ ...asynchronous-unwind-tables-to-cflags.patch | 46 ++++ ...peners-checks-in-blk_drop_partitions.patch | 44 ++++ ...dmatest-fix-iteration-non-stop-logic.patch | 61 ++++++ ...ess-hang-when-reading-wait-parameter.patch | 56 +++++ ...engine-fix-channel-index-enumeration.patch | 198 ++++++++++++++++++ ...icon-fix-build-error-without-pci_msi.patch | 44 ++++ ...i-k3-psil-fix-deadlock-on-error-path.patch | 33 +++ ...s-fix-i915_address_space-refcnt-leak.patch | 66 ++++++ ...lt-mask-in-interrupt-postinstall-too.patch | 56 +++++ .../fix-use-after-free-in-get_tree_bdev.patch | 46 ++++ ...nterrupt-status-clear-race-condition.patch | 48 +++++ ...generate-stop-event-for-slave-writes.patch | 33 +++ ...-remapping-for-x2apic-enabled-system.patch | 39 ++++ ...perly-export-iommu_group_get_for_dev.patch | 39 ++++ ...mmu-qcom-fix-local_base-status-check.patch | 39 ++++ ...u-vt-d-use-right-kconfig-option-name.patch | 39 ++++ ...osix_acl-refcnt-leak-in-nfs3_set_acl.patch | 79 +++++++ ...free-in-nvme_alloc_ns-error-handling.patch | 43 ++++ ...x-an-error-check-in-cm_alloc_id_priv.patch | 35 ++++ ...f-xa_alloc_cyclic-in-ib_create_cm_id.patch | 92 ++++++++ ...overwriting-of-uobj-in-case-of-error.patch | 83 ++++++++ ...etween-destroy-and-release-fd-object.patch | 55 +++++ ...xed-use-of-fds-between-shared-ufiles.patch | 71 +++++++ ...mlx4-initialize-ib_spec-on-the-stack.patch | 38 ++++ ...5-set-grh-fields-in-query-qp-on-roce.patch | 43 ++++ ...iw_mem-refcnt-leak-in-siw_fastreg_mr.patch | 64 ++++++ ...race-with-disassociate-and-exit_mmap.patch | 106 ++++++++++ ...-unloading-before-posting-async-work.patch | 43 ++++ ...-before-waiting-for-session-deletion.patch | 95 +++++++++ ...target-iblock-fix-write-same-zeroing.patch | 44 ++++ queue-5.6/series | 34 +++ ...erflow-in-vfio_iommu_type1_pin_pages.patch | 31 +++ 
...ion-for-pfnmap-vmas-in-vaddr_get_pfn.patch | 73 +++++++ ...-fix-trace-point-use-after-free-race.patch | 83 ++++++++ 35 files changed, 2083 insertions(+) create mode 100644 queue-5.6/alsa-opti9xx-shut-up-gcc-10-range-warning.patch create mode 100644 queue-5.6/arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch create mode 100644 queue-5.6/block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch create mode 100644 queue-5.6/dmaengine-dmatest-fix-iteration-non-stop-logic.patch create mode 100644 queue-5.6/dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch create mode 100644 queue-5.6/dmaengine-fix-channel-index-enumeration.patch create mode 100644 queue-5.6/dmaengine-hisilicon-fix-build-error-without-pci_msi.patch create mode 100644 queue-5.6/dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch create mode 100644 queue-5.6/drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch create mode 100644 queue-5.6/drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch create mode 100644 queue-5.6/fix-use-after-free-in-get_tree_bdev.patch create mode 100644 queue-5.6/i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch create mode 100644 queue-5.6/i2c-iproc-generate-stop-event-for-slave-writes.patch create mode 100644 queue-5.6/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch create mode 100644 queue-5.6/iommu-properly-export-iommu_group_get_for_dev.patch create mode 100644 queue-5.6/iommu-qcom-fix-local_base-status-check.patch create mode 100644 queue-5.6/iommu-vt-d-use-right-kconfig-option-name.patch create mode 100644 queue-5.6/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch create mode 100644 queue-5.6/nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch create mode 100644 queue-5.6/rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch create mode 100644 queue-5.6/rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch create mode 100644 
queue-5.6/rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch create mode 100644 queue-5.6/rdma-core-fix-race-between-destroy-and-release-fd-object.patch create mode 100644 queue-5.6/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch create mode 100644 queue-5.6/rdma-mlx4-initialize-ib_spec-on-the-stack.patch create mode 100644 queue-5.6/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch create mode 100644 queue-5.6/rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch create mode 100644 queue-5.6/rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch create mode 100644 queue-5.6/scsi-qla2xxx-check-unloading-before-posting-async-work.patch create mode 100644 queue-5.6/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch create mode 100644 queue-5.6/scsi-target-iblock-fix-write-same-zeroing.patch create mode 100644 queue-5.6/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch create mode 100644 queue-5.6/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch create mode 100644 queue-5.6/xprtrdma-fix-trace-point-use-after-free-race.patch diff --git a/queue-5.6/alsa-opti9xx-shut-up-gcc-10-range-warning.patch b/queue-5.6/alsa-opti9xx-shut-up-gcc-10-range-warning.patch new file mode 100644 index 00000000000..281f9426970 --- /dev/null +++ b/queue-5.6/alsa-opti9xx-shut-up-gcc-10-range-warning.patch 
@@ -0,0 +1,84 @@ +From 5ce00760a84848d008554c693ceb6286f4d9c509 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 29 Apr 2020 21:02:03 +0200 +Subject: ALSA: opti9xx: shut up gcc-10 range warning + +From: Arnd Bergmann + +commit 5ce00760a84848d008554c693ceb6286f4d9c509 upstream. + +gcc-10 points out a few instances of suspicious integer arithmetic +leading to value truncation: + +sound/isa/opti9xx/opti92x-ad1848.c: In function 'snd_opti9xx_configure': +sound/isa/opti9xx/opti92x-ad1848.c:322:43: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_opti9xx_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow] + 322 | (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask))) + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/opti92x-ad1848.c:351:3: note: in expansion of macro 'snd_opti9xx_write_mask' + 351 | snd_opti9xx_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff); + | ^~~~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/miro.c: In function 'snd_miro_configure': +sound/isa/opti9xx/miro.c:873:40: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_miro_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow] + 873 | (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask))) + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~ +sound/isa/opti9xx/miro.c:1010:3: note: in expansion of macro 'snd_miro_write_mask' + 1010 | snd_miro_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff); + | ^~~~~~~~~~~~~~~~~~~ + +These are all harmless here as only the low 8 bit are passed down +anyway. Change the macros to inline functions to make the code +more readable and also avoid the warning. + +Strictly speaking those functions also need locking to make the +read/write pair atomic, but it seems unlikely that anyone would +still run into that issue. 
+ +Fixes: 1841f613fd2e ("[ALSA] Add snd-miro driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200429190216.85919-1-arnd@arndb.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/isa/opti9xx/miro.c | 9 ++++++--- + sound/isa/opti9xx/opti92x-ad1848.c | 9 ++++++--- + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/sound/isa/opti9xx/miro.c ++++ b/sound/isa/opti9xx/miro.c +@@ -867,10 +867,13 @@ static void snd_miro_write(struct snd_mi + spin_unlock_irqrestore(&chip->lock, flags); + } + ++static inline void snd_miro_write_mask(struct snd_miro *chip, ++ unsigned char reg, unsigned char value, unsigned char mask) ++{ ++ unsigned char oldval = snd_miro_read(chip, reg); + +-#define snd_miro_write_mask(chip, reg, value, mask) \ +- snd_miro_write(chip, reg, \ +- (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask))) ++ snd_miro_write(chip, reg, (oldval & ~mask) | (value & mask)); ++} + + /* + * Proc Interface +--- a/sound/isa/opti9xx/opti92x-ad1848.c ++++ b/sound/isa/opti9xx/opti92x-ad1848.c +@@ -317,10 +317,13 @@ static void snd_opti9xx_write(struct snd + } + + +-#define snd_opti9xx_write_mask(chip, reg, value, mask) \ +- snd_opti9xx_write(chip, reg, \ +- (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask))) ++static inline void snd_opti9xx_write_mask(struct snd_opti9xx *chip, ++ unsigned char reg, unsigned char value, unsigned char mask) ++{ ++ unsigned char oldval = snd_opti9xx_read(chip, reg); + ++ snd_opti9xx_write(chip, reg, (oldval & ~mask) | (value & mask)); ++} + + static int snd_opti9xx_configure(struct snd_opti9xx *chip, + long port, diff --git a/queue-5.6/arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch b/queue-5.6/arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch new file mode 100644 index 00000000000..e6e292a6a3a --- /dev/null +++ b/queue-5.6/arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch 
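Review bot: The new snd_miro_write_mask() and snd_opti9xx_write_mask() helpers read the register and then write it back as two separate calls, with nothing held across the pair. The context line above the miro helper shows snd_miro_write() dropping chip->lock before it returns, so a concurrent writer to the same register could presumably slip in between the read and the write. The commit message accepts that, but the code itself does not record it. I would add a comment above each helper, for example `/* read-modify-write: the read and the write are not done under a single chip->lock hold, so the update is not atomic */`.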
@@ -0,0 +1,46 @@ +From 1578e5d03112e3e9d37e1c4d95b6dfb734c73955 Mon Sep 17 00:00:00 2001 +From: Vincenzo Frascino +Date: Wed, 29 Apr 2020 16:10:50 +0100 +Subject: arm64: vdso: Add -fasynchronous-unwind-tables to cflags + +From: Vincenzo Frascino + +commit 1578e5d03112e3e9d37e1c4d95b6dfb734c73955 upstream. + +On arm64 linux gcc uses -fasynchronous-unwind-tables -funwind-tables +by default since gcc-8, so now the de facto platform ABI is to allow +unwinding from async signal handlers. + +However on bare metal targets (aarch64-none-elf), and on old gcc, +async and sync unwind tables are not enabled by default to avoid +runtime memory costs. + +This means if linux is built with a baremetal toolchain the vdso.so +may not have unwind tables which breaks the gcc platform ABI guarantee +in userspace. + +Add -fasynchronous-unwind-tables explicitly to the vgettimeofday.o +cflags to address the ABI change. + +Fixes: 28b1a824a4f4 ("arm64: vdso: Substitute gettimeofday() with C implementation") +Cc: Will Deacon +Reported-by: Szabolcs Nagy +Signed-off-by: Vincenzo Frascino +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/vdso/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/vdso/Makefile ++++ b/arch/arm64/kernel/vdso/Makefile +@@ -32,7 +32,7 @@ UBSAN_SANITIZE := n + OBJECT_FILES_NON_STANDARD := y + KCOV_INSTRUMENT := n + +-CFLAGS_vgettimeofday.o = -O2 -mcmodel=tiny ++CFLAGS_vgettimeofday.o = -O2 -mcmodel=tiny -fasynchronous-unwind-tables + + ifneq ($(c-gettimeofday-y),) + CFLAGS_vgettimeofday.o += -include $(c-gettimeofday-y) diff --git a/queue-5.6/block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch b/queue-5.6/block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch new file mode 100644 index 00000000000..4a3be9f3dbb --- /dev/null +++ b/queue-5.6/block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch 
@@ -0,0 +1,44 @@ +From 10c70d95c0f2f9a6f52d0e33243d2877370cef51 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 28 Apr 2020 10:52:03 +0200 +Subject: block: remove the bd_openers checks in blk_drop_partitions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Hellwig + +commit 10c70d95c0f2f9a6f52d0e33243d2877370cef51 upstream. + +When replacing the bd_super check with a bd_openers I followed a logical +conclusion, which turns out to be utterly wrong. When a block device has +bd_super sets it has a mount file system on it (although not every +mounted file system sets bd_super), but that also implies it doesn't even +have partitions to start with. + +So instead of trying to come up with a logical check for all openers, +just remove the check entirely. + +Fixes: d3ef5536274f ("block: fix busy device checking in blk_drop_partitions") +Fixes: cb6b771b05c3 ("block: fix busy device checking in blk_drop_partitions again") +Reported-by: Michal Koutný +Reported-by: Yang Xu +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/partition-generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -468,7 +468,7 @@ int blk_drop_partitions(struct gendisk * + + if (!disk_part_scan_enabled(disk)) + return 0; +- if (bdev->bd_part_count || bdev->bd_openers > 1) ++ if (bdev->bd_part_count) + return -EBUSY; + res = invalidate_partition(disk, 0); + if (res) diff --git a/queue-5.6/dmaengine-dmatest-fix-iteration-non-stop-logic.patch b/queue-5.6/dmaengine-dmatest-fix-iteration-non-stop-logic.patch new file mode 100644 index 00000000000..d7fae2c6753 --- /dev/null +++ b/queue-5.6/dmaengine-dmatest-fix-iteration-non-stop-logic.patch 
@@ -0,0 +1,61 @@ +From b9f960201249f20deea586b4ec814669b4c6b1c0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 24 Apr 2020 19:11:42 +0300 +Subject: dmaengine: dmatest: Fix iteration non-stop logic + +From: Andy Shevchenko + +commit b9f960201249f20deea586b4ec814669b4c6b1c0 upstream. + +Under some circumstances, i.e. when test is still running and about to +time out and user runs, for example, + + grep -H . /sys/module/dmatest/parameters/* + +the iterations parameter is not respected and test is going on and on until +user gives + + echo 0 > /sys/module/dmatest/parameters/run + +This is not what expected. + +The history of this bug is interesting. I though that the commit + 2d88ce76eb98 ("dmatest: add a 'wait' parameter") +is a culprit, but looking closer to the code I think it simple revealed the +broken logic from the day one, i.e. in the commit + 0a2ff57d6fba ("dmaengine: dmatest: add a maximum number of test iterations") +which adds iterations parameter. + +So, to the point, the conditional of checking the thread to be stopped being +first part of conjunction logic prevents to check iterations. Thus, we have to +always check both conditions to be able to stop after given iterations. + +Since it wasn't visible before second commit appeared, I add a respective +Fixes tag. 
+ +Fixes: 2d88ce76eb98 ("dmatest: add a 'wait' parameter") +Cc: Dan Williams +Cc: Nicolas Ferre +Signed-off-by: Andy Shevchenko +Acked-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20200424161147.16895-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dmatest.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -662,8 +662,8 @@ static int dmatest_func(void *data) + flags = DMA_CTRL_ACK | DMA_PREP_INTERRUPT; + + ktime = ktime_get(); +- while (!kthread_should_stop() +- && !(params->iterations && total_tests >= params->iterations)) { ++ while (!(kthread_should_stop() || ++ (params->iterations && total_tests >= params->iterations))) { + struct dma_async_tx_descriptor *tx = NULL; + struct dmaengine_unmap_data *um; + dma_addr_t *dsts; diff --git a/queue-5.6/dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch b/queue-5.6/dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch new file mode 100644 index 00000000000..1e9b9f10305 --- /dev/null +++ b/queue-5.6/dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch 
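Review bot: The rewritten loop condition in dmatest_func() is the De Morgan form of the one it replaces: `!a && !(b)` and `!(a || (b))` evaluate the same operands in the same order with the same short-circuiting. As far as this hunk shows, the loop therefore exits under exactly the same conditions as before. If the iterations limit is really being ignored in the scenario the description gives, the cause is likely outside these two lines, and that should be confirmed with a reproducer before this backport is treated as the fix. Since the condition is easy to misread, a comment above the loop would help: `/* stop when asked to, or once a non-zero params->iterations has been reached */`. The loop body continues outside the hunk.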
@@ -0,0 +1,56 @@ +From aa72f1d20ee973d68f26d46fce5e1cf6f9b7e1ca Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Tue, 28 Apr 2020 14:35:18 +0300 +Subject: dmaengine: dmatest: Fix process hang when reading 'wait' parameter + +From: Andy Shevchenko + +commit aa72f1d20ee973d68f26d46fce5e1cf6f9b7e1ca upstream. + +If we do + + % echo 1 > /sys/module/dmatest/parameters/run + [ 115.851124] dmatest: Could not start test, no channels configured + + % echo dma8chan7 > /sys/module/dmatest/parameters/channel + [ 127.563872] dmatest: Added 1 threads using dma8chan7 + + % cat /sys/module/dmatest/parameters/wait + ... !!! HANG !!! ... + +The culprit is the commit 6138f967bccc + + ("dmaengine: dmatest: Use fixed point div to calculate iops") + +which makes threads not to run, but pending and being kicked off by writing +to the 'run' node. However, it forgot to consider 'wait' routine to avoid +above mentioned case. + +In order to fix this, check for really running threads, i.e. with pending +and done flags unset. + +It's pity the culprit commit hadn't updated documentation and tested all +possible scenarios. + +Fixes: 6138f967bccc ("dmaengine: dmatest: Use fixed point div to calculate iops") +Cc: Seraj Alijan +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200428113518.70620-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dmatest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -240,7 +240,7 @@ static bool is_threaded_test_run(struct + struct dmatest_thread *thread; + + list_for_each_entry(thread, &dtc->threads, node) { +- if (!thread->done) ++ if (!thread->done && !thread->pending) + return true; + } + } diff --git a/queue-5.6/dmaengine-fix-channel-index-enumeration.patch b/queue-5.6/dmaengine-fix-channel-index-enumeration.patch new file mode 100644 index 00000000000..67acc889683 --- /dev/null 
+++ b/queue-5.6/dmaengine-fix-channel-index-enumeration.patch 
@@ -0,0 +1,198 @@ +From 0821009445a8261ac4d32a6df4b83938e007c765 Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Mon, 13 Apr 2020 10:40:12 -0700 +Subject: dmaengine: fix channel index enumeration + +From: Dave Jiang + +commit 0821009445a8261ac4d32a6df4b83938e007c765 upstream. + +When the channel register code was changed to allow hotplug operations, +dynamic indexing wasn't taken into account. When channels are randomly +plugged and unplugged out of order, the serial indexing breaks. Convert +channel indexing to using IDA tracking in order to allow dynamic +assignment. The previous code does not cause any regression bug for +existing channel allocation besides idxd driver since the hotplug usage +case is only used by idxd at this point. + +With this change, the chan->idr_ref is also not needed any longer. We can +have a device with no channels registered due to hot plug. The channel +device release code no longer should attempt to free the dma device id on +the last channel release. + +Fixes: e81274cd6b52 ("dmaengine: add support to dynamic register/unregister of channels") + +Reported-by: Yixin Zhang +Signed-off-by: Dave Jiang +Tested-by: Yixin Zhang +Link: https://lore.kernel.org/r/158679961260.7674.8485924270472851852.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dmaengine.c | 60 +++++++++++++++++++--------------------------- + include/linux/dmaengine.h | 4 +-- + 2 files changed, 28 insertions(+), 36 deletions(-) + +--- a/drivers/dma/dmaengine.c ++++ b/drivers/dma/dmaengine.c +@@ -151,10 +151,6 @@ static void chan_dev_release(struct devi + struct dma_chan_dev *chan_dev; + + chan_dev = container_of(dev, typeof(*chan_dev), device); +- if (atomic_dec_and_test(chan_dev->idr_ref)) { +- ida_free(&dma_ida, chan_dev->dev_id); +- kfree(chan_dev->idr_ref); +- } + kfree(chan_dev); + } + +@@ -952,27 +948,9 @@ static int get_dma_id(struct dma_device + } + + static int 
__dma_async_device_channel_register(struct dma_device *device, +- struct dma_chan *chan, +- int chan_id) ++ struct dma_chan *chan) + { + int rc = 0; +- int chancnt = device->chancnt; +- atomic_t *idr_ref; +- struct dma_chan *tchan; +- +- tchan = list_first_entry_or_null(&device->channels, +- struct dma_chan, device_node); +- if (!tchan) +- return -ENODEV; +- +- if (tchan->dev) { +- idr_ref = tchan->dev->idr_ref; +- } else { +- idr_ref = kmalloc(sizeof(*idr_ref), GFP_KERNEL); +- if (!idr_ref) +- return -ENOMEM; +- atomic_set(idr_ref, 0); +- } + + chan->local = alloc_percpu(typeof(*chan->local)); + if (!chan->local) +@@ -988,29 +966,36 @@ static int __dma_async_device_channel_re + * When the chan_id is a negative value, we are dynamically adding + * the channel. Otherwise we are static enumerating. + */ +- chan->chan_id = chan_id < 0 ? chancnt : chan_id; ++ mutex_lock(&device->chan_mutex); ++ chan->chan_id = ida_alloc(&device->chan_ida, GFP_KERNEL); ++ mutex_unlock(&device->chan_mutex); ++ if (chan->chan_id < 0) { ++ pr_err("%s: unable to alloc ida for chan: %d\n", ++ __func__, chan->chan_id); ++ goto err_out; ++ } ++ + chan->dev->device.class = &dma_devclass; + chan->dev->device.parent = device->dev; + chan->dev->chan = chan; +- chan->dev->idr_ref = idr_ref; + chan->dev->dev_id = device->dev_id; +- atomic_inc(idr_ref); + dev_set_name(&chan->dev->device, "dma%dchan%d", + device->dev_id, chan->chan_id); +- + rc = device_register(&chan->dev->device); + if (rc) +- goto err_out; ++ goto err_out_ida; + chan->client_count = 0; +- device->chancnt = chan->chan_id + 1; ++ device->chancnt++; + + return 0; + ++ err_out_ida: ++ mutex_lock(&device->chan_mutex); ++ ida_free(&device->chan_ida, chan->chan_id); ++ mutex_unlock(&device->chan_mutex); + err_out: + free_percpu(chan->local); + kfree(chan->dev); +- if (atomic_dec_return(idr_ref) == 0) +- kfree(idr_ref); + return rc; + } + +@@ -1019,7 +1004,7 @@ int dma_async_device_channel_register(st + { + int rc; + +- rc = 
__dma_async_device_channel_register(device, chan, -1); ++ rc = __dma_async_device_channel_register(device, chan); + if (rc < 0) + return rc; + +@@ -1039,6 +1024,9 @@ static void __dma_async_device_channel_u + device->chancnt--; + chan->dev->chan = NULL; + mutex_unlock(&dma_list_mutex); ++ mutex_lock(&device->chan_mutex); ++ ida_free(&device->chan_ida, chan->chan_id); ++ mutex_unlock(&device->chan_mutex); + device_unregister(&chan->dev->device); + free_percpu(chan->local); + } +@@ -1061,7 +1049,7 @@ EXPORT_SYMBOL_GPL(dma_async_device_chann + */ + int dma_async_device_register(struct dma_device *device) + { +- int rc, i = 0; ++ int rc; + struct dma_chan* chan; + + if (!device) +@@ -1166,9 +1154,12 @@ int dma_async_device_register(struct dma + if (rc != 0) + return rc; + ++ mutex_init(&device->chan_mutex); ++ ida_init(&device->chan_ida); ++ + /* represent channels in sysfs. Probably want devs too */ + list_for_each_entry(chan, &device->channels, device_node) { +- rc = __dma_async_device_channel_register(device, chan, i++); ++ rc = __dma_async_device_channel_register(device, chan); + if (rc < 0) + goto err_out; + } +@@ -1239,6 +1230,7 @@ void dma_async_device_unregister(struct + */ + dma_cap_set(DMA_PRIVATE, device->cap_mask); + dma_channel_rebalance(); ++ ida_free(&dma_ida, device->dev_id); + dma_device_put(device); + mutex_unlock(&dma_list_mutex); + } +--- a/include/linux/dmaengine.h ++++ b/include/linux/dmaengine.h +@@ -336,13 +336,11 @@ struct dma_chan { + * @chan: driver channel device + * @device: sysfs device + * @dev_id: parent dma_device dev_id +- * @idr_ref: reference count to gate release of dma_device dev_id + */ + struct dma_chan_dev { + struct dma_chan *chan; + struct device device; + int dev_id; +- atomic_t *idr_ref; + }; + + /** +@@ -827,6 +825,8 @@ struct dma_device { + int dev_id; + struct device *dev; + struct module *owner; ++ struct ida chan_ida; ++ struct mutex chan_mutex; /* to protect chan_ida */ + + u32 src_addr_widths; + u32 dst_addr_widths; 
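Review bot: In __dma_async_device_channel_register() the new `if (chan->chan_id < 0)` branch jumps to `err_out` without setting `rc`, which the visible context initialises with `int rc = 0;`. Unless `rc` is assigned in the lines between the hunks, the function frees chan->local and chan->dev and then returns 0. dma_async_device_register() and dma_async_device_channel_register() only check `rc < 0`, so they would carry on with a channel whose per-cpu data and device structure are already freed. The fix is to add `rc = chan->chan_id;` before `goto err_out;` in that branch. Separately, the retained comment "When the chan_id is a negative value, we are dynamically adding the channel" describes the `chan_id` parameter this patch removes, and should be dropped or rewritten to describe the IDA allocation.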
diff --git a/queue-5.6/dmaengine-hisilicon-fix-build-error-without-pci_msi.patch b/queue-5.6/dmaengine-hisilicon-fix-build-error-without-pci_msi.patch new file mode 100644 index 00000000000..9017cd17742 --- /dev/null +++ b/queue-5.6/dmaengine-hisilicon-fix-build-error-without-pci_msi.patch @@ -0,0 +1,44 @@ +From ae148b43516d90756ff8255925fb7df142b0c76e Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 28 Mar 2020 19:41:33 +0800 +Subject: dmaengine: hisilicon: Fix build error without PCI_MSI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: YueHaibing + +commit ae148b43516d90756ff8255925fb7df142b0c76e upstream. + +If PCI_MSI is not set, building fais: + +drivers/dma/hisi_dma.c: In function ‘hisi_dma_free_irq_vectors’: +drivers/dma/hisi_dma.c:138:2: error: implicit declaration of function ‘pci_free_irq_vectors’; + did you mean ‘pci_alloc_irq_vectors’? [-Werror=implicit-function-declaration] + pci_free_irq_vectors(data); + ^~~~~~~~~~~~~~~~~~~~ + +Make HISI_DMA depends on PCI_MSI to fix this. + +Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20200328114133.17560-1-yuehaibing@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -241,7 +241,8 @@ config FSL_RAID + + config HISI_DMA + tristate "HiSilicon DMA Engine support" +- depends on ARM64 || (COMPILE_TEST && PCI_MSI) ++ depends on ARM64 || COMPILE_TEST ++ depends on PCI_MSI + select DMA_ENGINE + select DMA_VIRTUAL_CHANNELS + help diff --git a/queue-5.6/dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch b/queue-5.6/dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch new file mode 100644 index 00000000000..d844fe0d446 --- /dev/null +++ b/queue-5.6/dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch 
@@ -0,0 +1,33 @@ +From 172d59ecd61b89f535ad99a7e531c0f111453b9a Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Wed, 8 Apr 2020 21:55:01 +0300 +Subject: dmaengine: ti: k3-psil: fix deadlock on error path + +From: Grygorii Strashko + +commit 172d59ecd61b89f535ad99a7e531c0f111453b9a upstream. + +The mutex_unlock() is missed on error path of psil_get_ep_config() +which causes deadlock, so add missed mutex_unlock(). + +Fixes: 8c6bb62f6b4a ("dmaengine: ti: k3 PSI-L remote endpoint configuration") +Signed-off-by: Grygorii Strashko +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200408185501.30776-1-grygorii.strashko@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ti/k3-psil.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/dma/ti/k3-psil.c ++++ b/drivers/dma/ti/k3-psil.c +@@ -27,6 +27,7 @@ struct psil_endpoint_config *psil_get_ep + soc_ep_map = &j721e_ep_map; + } else { + pr_err("PSIL: No compatible machine found for map\n"); ++ mutex_unlock(&ep_map_mutex); + return ERR_PTR(-ENOTSUPP); + } + pr_debug("%s: Using map for %s\n", __func__, soc_ep_map->name); diff --git a/queue-5.6/drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch b/queue-5.6/drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch new file mode 100644 index 00000000000..65d3ad37934 --- /dev/null +++ b/queue-5.6/drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch 
@@ -0,0 +1,66 @@ +From 5d5e100a20348c336e56df604b353b978f8adbb9 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Mon, 20 Apr 2020 13:41:54 +0800 +Subject: drm/i915/selftests: Fix i915_address_space refcnt leak + +From: Xiyu Yang + +commit 5d5e100a20348c336e56df604b353b978f8adbb9 upstream. + +igt_ppgtt_pin_update() invokes i915_gem_context_get_vm_rcu(), which +returns a reference of the i915_address_space object to "vm" with +increased refcount. + +When igt_ppgtt_pin_update() returns, "vm" becomes invalid, so the +refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in two exception handling paths of +igt_ppgtt_pin_update(). When i915_gem_object_create_internal() returns +IS_ERR, the refcnt increased by i915_gem_context_get_vm_rcu() is not +decreased, causing a refcnt leak. + +Fix this issue by jumping to "out_vm" label when +i915_gem_object_create_internal() returns IS_ERR. + +Fixes: a4e7ccdac38e ("drm/i915: Move context management under GEM") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/1587361342-83494-1-git-send-email-xiyuyang19@fudan.edu.cn +(cherry picked from commit e07c7606a00c4361bad72ff4e72ed0dfbefa23b0) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gem/selftests/huge_pages.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/selftests/huge_pages.c ++++ b/drivers/gpu/drm/i915/gem/selftests/huge_pages.c +@@ -1578,8 +1578,10 @@ static int igt_ppgtt_pin_update(void *ar + unsigned int page_size = BIT(first); + + obj = i915_gem_object_create_internal(dev_priv, page_size); +- if (IS_ERR(obj)) +- return PTR_ERR(obj); ++ if (IS_ERR(obj)) { ++ err = PTR_ERR(obj); ++ goto out_vm; ++ } + + vma = i915_vma_instance(obj, vm, NULL); + if (IS_ERR(vma)) { +@@ -1632,8 +1634,10 @@ static int igt_ppgtt_pin_update(void *ar + 
} + + obj = i915_gem_object_create_internal(dev_priv, PAGE_SIZE); +- if (IS_ERR(obj)) +- return PTR_ERR(obj); ++ if (IS_ERR(obj)) { ++ err = PTR_ERR(obj); ++ goto out_vm; ++ } + + vma = i915_vma_instance(obj, vm, NULL); + if (IS_ERR(vma)) { diff --git a/queue-5.6/drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch b/queue-5.6/drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch new file mode 100644 index 00000000000..42210fb73e7 --- /dev/null +++ b/queue-5.6/drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch 
@@ -0,0 +1,56 @@
+From 8598eb781cf68fd6cb67c479f1479ae58bd54fb9 Mon Sep 17 00:00:00 2001
+From: Matt Roper
+Date: Fri, 24 Apr 2020 16:14:23 -0700
+Subject: drm/i915: Use proper fault mask in interrupt postinstall too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Roper
+
+commit 8598eb781cf68fd6cb67c479f1479ae58bd54fb9 upstream.
+
+The IRQ postinstall handling had open-coded pipe fault mask selection
+that never got updated for gen11. Switch it to use
+gen8_de_pipe_fault_mask() to ensure we don't miss updates for new
+platforms.
+
+Cc: José Roberto de Souza
+Fixes: d506a65d56fd ("drm/i915: Catch GTT fault errors for gen11+ planes")
+Signed-off-by: Matt Roper
+Link: https://patchwork.freedesktop.org/patch/msgid/20200424231423.4065231-1-matthew.d.roper@intel.com
+Reviewed-by: Ville Syrjälä
+(cherry picked from commit 869129ee0c624a78c74e50b51635e183196cd2c6)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_irq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -3321,7 +3321,8 @@ static void gen8_de_irq_postinstall(stru
+ {
+ struct intel_uncore *uncore = &dev_priv->uncore;
+
+- u32 de_pipe_masked = GEN8_PIPE_CDCLK_CRC_DONE;
++ u32 de_pipe_masked = gen8_de_pipe_fault_mask(dev_priv) |
++ GEN8_PIPE_CDCLK_CRC_DONE;
+ u32 de_pipe_enables;
+ u32 de_port_masked = GEN8_AUX_CHANNEL_A;
+ u32 de_port_enables;
+@@ -3332,13 +3333,10 @@ static void gen8_de_irq_postinstall(stru
+ de_misc_masked |= GEN8_DE_MISC_GSE;
+
+ if (INTEL_GEN(dev_priv) >= 9) {
+- de_pipe_masked |= GEN9_DE_PIPE_IRQ_FAULT_ERRORS;
+ de_port_masked |= GEN9_AUX_CHANNEL_B | GEN9_AUX_CHANNEL_C |
+ GEN9_AUX_CHANNEL_D;
+ if (IS_GEN9_LP(dev_priv))
+ de_port_masked |= BXT_DE_PORT_GMBUS;
+- } else {
+- de_pipe_masked |= GEN8_DE_PIPE_IRQ_FAULT_ERRORS;
+ }
+
+ if (INTEL_GEN(dev_priv) >= 11)
diff --git a/queue-5.6/fix-use-after-free-in-get_tree_bdev.patch b/queue-5.6/fix-use-after-free-in-get_tree_bdev.patch
new file mode 100644
index 00000000000..8bde6bcc5ca
--- /dev/null
+++ b/queue-5.6/fix-use-after-free-in-get_tree_bdev.patch
@@ -0,0 +1,46 @@
+From dd7bc8158b413e0b580c491e8bd18cb91057c7c2 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 28 Apr 2020 21:27:48 +0100
+Subject: Fix use after free in get_tree_bdev()
+
+From: David Howells
+
+commit dd7bc8158b413e0b580c491e8bd18cb91057c7c2 upstream.
+
+Commit 6fcf0c72e4b9, a fix to get_tree_bdev() put a missing blkdev_put() in
+the wrong place, before a warnf() that displays the bdev under
+consideration rather after it.
+
+This results in a silent lockup in printk("%pg") called via warnf() from
+get_tree_bdev() under some circumstances when there's a race with the
+blockdev being frozen. This can be caused by xfstests/tests/generic/085 in
+combination with Lukas Czerner's ext4 mount API conversion patchset. It
+looks like it ought to occur with other users of get_tree_bdev() such as
+XFS, but apparently doesn't.
+
+Fix this by switching the order of the lines.
+
+Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()")
+Reported-by: Lukas Czerner
+Signed-off-by: David Howells
+cc: Ian Kent
+cc: Al Viro
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc,
+ mutex_lock(&bdev->bd_fsfreeze_mutex);
+ if (bdev->bd_fsfreeze_count > 0) {
+ mutex_unlock(&bdev->bd_fsfreeze_mutex);
+- blkdev_put(bdev, mode);
+ warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev);
++ blkdev_put(bdev, mode);
+ return -EBUSY;
+ }
+
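Review bot: The two statements swapped in get_tree_bdev() (fs/super.c) carry an ordering constraint that nothing in the code records: `warnf()` formats `bdev` with `%pg`, so it has to run before `blkdev_put(bdev, mode)` drops the reference. The earlier fix named in the Fixes: tag got exactly this order wrong, so I would add `/* warnf() prints bdev via %pg; keep it before blkdev_put() */` above the `warnf()` call so that a later cleanup does not reintroduce the use after free. The function continues outside the hunk.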
diff --git a/queue-5.6/i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch b/queue-5.6/i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch
new file mode 100644
index 00000000000..28661c4ea60
--- /dev/null
+++ b/queue-5.6/i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch
@@ -0,0 +1,48 @@
+From c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a Mon Sep 17 00:00:00 2001
+From: ryan_chen
+Date: Wed, 29 Apr 2020 11:37:37 +0800
+Subject: i2c: aspeed: Avoid i2c interrupt status clear race condition.
+
+From: ryan_chen
+
+commit c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a upstream.
+
+In AST2600 there have a slow peripheral bus between CPU and i2c
+controller. Therefore GIC i2c interrupt status clear have delay timing,
+when CPU issue write clear i2c controller interrupt status. To avoid
+this issue, the driver need have read after write clear at i2c ISR.
+
+Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C")
+Signed-off-by: ryan_chen
+Acked-by: Benjamin Herrenschmidt
+[wsa: added Fixes tag]
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-aspeed.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-aspeed.c
++++ b/drivers/i2c/busses/i2c-aspeed.c
+@@ -603,6 +603,7 @@ static irqreturn_t aspeed_i2c_bus_irq(in
+ /* Ack all interrupts except for Rx done */
+ writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE,
+ bus->base + ASPEED_I2C_INTR_STS_REG);
++ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
+ irq_remaining = irq_received;
+
+ #if IS_ENABLED(CONFIG_I2C_SLAVE)
+@@ -645,9 +646,11 @@ static irqreturn_t aspeed_i2c_bus_irq(in
+ irq_received, irq_handled);
+
+ /* Ack Rx done */
+- if (irq_received & ASPEED_I2CD_INTR_RX_DONE)
++ if (irq_received & ASPEED_I2CD_INTR_RX_DONE) {
+ writel(ASPEED_I2CD_INTR_RX_DONE,
+ bus->base + ASPEED_I2C_INTR_STS_REG);
++ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
++ }
+ spin_unlock(&bus->lock);
+ return irq_remaining ? IRQ_NONE : IRQ_HANDLED;
+ }
diff --git a/queue-5.6/i2c-iproc-generate-stop-event-for-slave-writes.patch b/queue-5.6/i2c-iproc-generate-stop-event-for-slave-writes.patch
new file mode 100644
index 00000000000..6853a1b55db
--- /dev/null
+++ b/queue-5.6/i2c-iproc-generate-stop-event-for-slave-writes.patch
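Review bot: The `readl(bus->base + ASPEED_I2C_INTR_STS_REG);` added after each status write in aspeed_i2c_bus_irq() discards its result and has no comment, so it reads like dead code that a later cleanup could remove. Per the patch description it is a read-back that makes sure the status clear has reached the controller over the slow peripheral bus; I would say so at both sites, e.g. `/* Read back so the status clear has landed before we leave the ISR */`. Both inner hunks show only part of the handler.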
@@ -0,0 +1,33 @@
+From 068143a8195fb0fdeea1f3ca430b3db0f6d04a53 Mon Sep 17 00:00:00 2001
+From: Rayagonda Kokatanur
+Date: Sun, 22 Mar 2020 23:50:19 +0530
+Subject: i2c: iproc: generate stop event for slave writes
+
+From: Rayagonda Kokatanur
+
+commit 068143a8195fb0fdeea1f3ca430b3db0f6d04a53 upstream.
+
+When slave status is I2C_SLAVE_RX_END, generate I2C_SLAVE_STOP
+event to i2c_client.
+
+Fixes: c245d94ed106 ("i2c: iproc: Add multi byte read-write support for slave mode")
+Signed-off-by: Rayagonda Kokatanur
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-bcm-iproc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-bcm-iproc.c
++++ b/drivers/i2c/busses/i2c-bcm-iproc.c
+@@ -360,6 +360,9 @@ static bool bcm_iproc_i2c_slave_isr(stru
+ value = (u8)((val >> S_RX_DATA_SHIFT) & S_RX_DATA_MASK);
+ i2c_slave_event(iproc_i2c->slave,
+ I2C_SLAVE_WRITE_RECEIVED, &value);
++ if (rx_status == I2C_SLAVE_RX_END)
++ i2c_slave_event(iproc_i2c->slave,
++ I2C_SLAVE_STOP, &value);
+ }
+ } else if (status & BIT(IS_S_TX_UNDERRUN_SHIFT)) {
+ /* Master read other than start */
diff --git a/queue-5.6/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch b/queue-5.6/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch
new file mode 100644
index 00000000000..75de254069a
--- /dev/null
+++ b/queue-5.6/iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch
@@ -0,0 +1,39 @@
+From b74aa02d7a30ee5e262072a7d6e8deff10b37924 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit
+Date: Wed, 22 Apr 2020 08:30:02 -0500
+Subject: iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system
+
+From: Suravee Suthikulpanit
+
+commit b74aa02d7a30ee5e262072a7d6e8deff10b37924 upstream.
+
+Currently, system fails to boot because the legacy interrupt remapping
+mode does not enable 128-bit IRTE (GA), which is required for x2APIC
+support.
+
+Fix by using AMD_IOMMU_GUEST_IR_LEGACY_GA mode when booting with
+kernel option amd_iommu_intr=legacy instead. The initialization
+logic will check GASup and automatically fallback to using
+AMD_IOMMU_GUEST_IR_LEGACY if GA mode is not supported.
+
+Fixes: 3928aa3f5775 ("iommu/amd: Detect and enable guest vAPIC support")
+Signed-off-by: Suravee Suthikulpanit
+Link: https://lore.kernel.org/r/1587562202-14183-1-git-send-email-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/amd_iommu_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -2936,7 +2936,7 @@ static int __init parse_amd_iommu_intr(c
+ {
+ for (; *str; ++str) {
+ if (strncmp(str, "legacy", 6) == 0) {
+- amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY;
++ amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY_GA;
+ break;
+ }
+ if (strncmp(str, "vapic", 5) == 0) {
diff --git a/queue-5.6/iommu-properly-export-iommu_group_get_for_dev.patch b/queue-5.6/iommu-properly-export-iommu_group_get_for_dev.patch
new file mode 100644
index 00000000000..63056b254f5
--- /dev/null
+++ b/queue-5.6/iommu-properly-export-iommu_group_get_for_dev.patch
@@ -0,0 +1,39 @@
+From ae74c19faa7d7996e857e13165bd40fc4a285e0d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 30 Apr 2020 14:01:20 +0200
+Subject: iommu: Properly export iommu_group_get_for_dev()
+
+From: Greg Kroah-Hartman
+
+commit ae74c19faa7d7996e857e13165bd40fc4a285e0d upstream.
+
+In commit a7ba5c3d008d ("drivers/iommu: Export core IOMMU API symbols to
+permit modular drivers") a bunch of iommu symbols were exported, all
+with _GPL markings except iommu_group_get_for_dev(). That export should
+also be _GPL like the others.
+
+Fixes: a7ba5c3d008d ("drivers/iommu: Export core IOMMU API symbols to permit modular drivers")
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Will Deacon
+Cc: Joerg Roedel
+Cc: John Garry
+Cc: Will Deacon
+Link: https://lore.kernel.org/r/20200430120120.2948448-1-gregkh@linuxfoundation.org
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -1428,7 +1428,7 @@ struct iommu_group *iommu_group_get_for_
+
+ return group;
+ }
+-EXPORT_SYMBOL(iommu_group_get_for_dev);
++EXPORT_SYMBOL_GPL(iommu_group_get_for_dev);
+
+ struct iommu_domain *iommu_group_default_domain(struct iommu_group *group)
+ {
diff --git a/queue-5.6/iommu-qcom-fix-local_base-status-check.patch b/queue-5.6/iommu-qcom-fix-local_base-status-check.patch
new file mode 100644
index 00000000000..ce3e1df965a
--- /dev/null
+++ b/queue-5.6/iommu-qcom-fix-local_base-status-check.patch
@@ -0,0 +1,39 @@
+From b52649aee6243ea661905bdc5fbe28cc5f6dec76 Mon Sep 17 00:00:00 2001
+From: Tang Bin
+Date: Sat, 18 Apr 2020 21:47:03 +0800
+Subject: iommu/qcom: Fix local_base status check
+
+From: Tang Bin
+
+commit b52649aee6243ea661905bdc5fbe28cc5f6dec76 upstream.
+
+The function qcom_iommu_device_probe() does not perform sufficient
+error checking after executing devm_ioremap_resource(), which can
+result in crashes if a critical error path is encountered.
+
+Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
+Signed-off-by: Tang Bin
+Reviewed-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20200418134703.1760-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/qcom_iommu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/qcom_iommu.c
++++ b/drivers/iommu/qcom_iommu.c
+@@ -813,8 +813,11 @@ static int qcom_iommu_device_probe(struc
+ qcom_iommu->dev = dev;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- if (res)
++ if (res) {
+ qcom_iommu->local_base = devm_ioremap_resource(dev, res);
++ if (IS_ERR(qcom_iommu->local_base))
++ return PTR_ERR(qcom_iommu->local_base);
++ }
+
+ qcom_iommu->iface_clk = devm_clk_get(dev, "iface");
+ if (IS_ERR(qcom_iommu->iface_clk)) {
diff --git a/queue-5.6/iommu-vt-d-use-right-kconfig-option-name.patch b/queue-5.6/iommu-vt-d-use-right-kconfig-option-name.patch
new file mode 100644
index 00000000000..0eb6f514419
--- /dev/null
+++ b/queue-5.6/iommu-vt-d-use-right-kconfig-option-name.patch
@@ -0,0 +1,39 @@
+From ba61c3da00f4a5bf8805aeca1ba5ac3c9bd82e96 Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Fri, 1 May 2020 15:24:27 +0800
+Subject: iommu/vt-d: Use right Kconfig option name
+
+From: Lu Baolu
+
+commit ba61c3da00f4a5bf8805aeca1ba5ac3c9bd82e96 upstream.
+
+The CONFIG_ prefix should be added in the code.
+
+Fixes: 046182525db61 ("iommu/vt-d: Add Kconfig option to enable/disable scalable mode")
+Reported-and-tested-by: Kumar, Sanjay K
+Signed-off-by: Lu Baolu
+Cc: Ashok Raj
+Link: https://lore.kernel.org/r/20200501072427.14265-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/intel-iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -371,11 +371,11 @@ int dmar_disabled = 0;
+ int dmar_disabled = 1;
+ #endif /* CONFIG_INTEL_IOMMU_DEFAULT_ON */
+
+-#ifdef INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON
++#ifdef CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON
+ int intel_iommu_sm = 1;
+ #else
+ int intel_iommu_sm;
+-#endif /* INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON */
++#endif /* CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON */
+
+ int intel_iommu_enabled = 0;
+ EXPORT_SYMBOL_GPL(intel_iommu_enabled);
diff --git a/queue-5.6/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch b/queue-5.6/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch
new file mode 100644
index 00000000000..a6c56ef3c77
--- /dev/null
+++ b/queue-5.6/nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch
@@ -0,0 +1,79 @@ +From 7648f939cb919b9d15c21fff8cd9eba908d595dc Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 20 Apr 2020 15:51:47 +0200 +Subject: nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl + +From: Andreas Gruenbacher + +commit 7648f939cb919b9d15c21fff8cd9eba908d595dc upstream. + +nfs3_set_acl keeps track of the acl it allocated locally to determine if an acl +needs to be released at the end. This results in a memory leak when the +function allocates an acl as well as a default acl. Fix by releasing acls +that differ from the acl originally passed into nfs3_set_acl. + +Fixes: b7fa0554cf1b ("[PATCH] NFS: Add support for NFSv3 ACLs") +Reported-by: Xiyu Yang +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs3acl.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs3acl.c ++++ b/fs/nfs/nfs3acl.c +@@ -253,37 +253,45 @@ int nfs3_proc_setacls(struct inode *inod + + int nfs3_set_acl(struct inode *inode, struct posix_acl *acl, int type) + { +- struct posix_acl *alloc = NULL, *dfacl = NULL; ++ struct posix_acl *orig = acl, *dfacl = NULL, *alloc; + int status; + + if (S_ISDIR(inode->i_mode)) { + switch(type) { + case ACL_TYPE_ACCESS: +- alloc = dfacl = get_acl(inode, ACL_TYPE_DEFAULT); ++ alloc = get_acl(inode, ACL_TYPE_DEFAULT); + if (IS_ERR(alloc)) + goto fail; ++ dfacl = alloc; + break; + + case ACL_TYPE_DEFAULT: +- dfacl = acl; +- alloc = acl = get_acl(inode, ACL_TYPE_ACCESS); ++ alloc = get_acl(inode, ACL_TYPE_ACCESS); + if (IS_ERR(alloc)) + goto fail; ++ dfacl = acl; ++ acl = alloc; + break; + } + } + + if (acl == NULL) { +- alloc = acl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); ++ alloc = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); + if (IS_ERR(alloc)) + goto fail; ++ acl = alloc; + } + status = __nfs3_proc_setacls(inode, acl, dfacl); +- posix_acl_release(alloc); ++out: ++ if (acl != orig) ++ 
posix_acl_release(acl); ++ if (dfacl != orig) ++ posix_acl_release(dfacl); + return status; + + fail: +- return PTR_ERR(alloc); ++ status = PTR_ERR(alloc); ++ goto out; + } + + const struct xattr_handler *nfs3_xattr_handlers[] = { diff --git a/queue-5.6/nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch b/queue-5.6/nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch new file mode 100644 index 00000000000..4198b9aae51 --- /dev/null +++ b/queue-5.6/nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch @@ -0,0 +1,43 @@ +From 132be62387c7a72a38872676c18b0dfae264adb8 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Mon, 27 Apr 2020 14:34:41 +0200 +Subject: nvme: prevent double free in nvme_alloc_ns() error handling + +From: Niklas Cassel + +commit 132be62387c7a72a38872676c18b0dfae264adb8 upstream. + +When jumping to the out_put_disk label, we will call put_disk(), which will +trigger a call to disk_release(), which calls blk_put_queue(). + +Later in the cleanup code, we do blk_cleanup_queue(), which will also call +blk_put_queue(). + +Putting the queue twice is incorrect, and will generate a KASAN splat. + +Set the disk->queue pointer to NULL, before calling put_disk(), so that the +first call to blk_put_queue() will not free the queue. + +The second call to blk_put_queue() uses another pointer to the same queue, +so this call will still free the queue. + +Fixes: 85136c010285 ("lightnvm: simplify geometry enumeration") +Signed-off-by: Niklas Cassel +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3580,6 +3580,8 @@ static int nvme_alloc_ns(struct nvme_ctr + + return 0; + out_put_disk: ++ /* prevent double queue cleanup */ ++ ns->disk->queue = NULL; + put_disk(ns->disk); + out_unlink_ns: + mutex_lock(&ctrl->subsys->lock); 
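Review bot: The new `out:` path in nfs3_set_acl() (the fs/nfs/nfs3acl.c patch) decides what to release by comparing `acl` and `dfacl` with `orig`, and that ownership rule is not written down anywhere in the function. A short comment above `out:` such as `/* anything that is not the caller's acl was obtained here and holds a reference */` would explain why both pointers are tested. The `fail:` paths also reach `out:` with `dfacl` possibly still NULL, which relies on posix_acl_release() accepting NULL as the removed unconditional `posix_acl_release(alloc)` already did; that is worth a word in the same comment.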
diff --git a/queue-5.6/rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch b/queue-5.6/rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch
new file mode 100644
index 00000000000..644d981805d
--- /dev/null
+++ b/queue-5.6/rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch
@@ -0,0 +1,35 @@
+From 983653515849fb56b78ce55d349bb384d43030f6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 7 Apr 2020 12:37:14 +0300
+Subject: RDMA/cm: Fix an error check in cm_alloc_id_priv()
+
+From: Dan Carpenter
+
+commit 983653515849fb56b78ce55d349bb384d43030f6 upstream.
+
+The xa_alloc_cyclic_irq() function returns either 0 or 1 on success and
+negatives on error. This code treats 1 as an error and returns ERR_PTR(1)
+which will cause an Oops in the caller.
+
+Fixes: ae78ff3a0f0c ("RDMA/cm: Convert local_id_table to XArray")
+Link: https://lore.kernel.org/r/20200407093714.GA80285@mwanda
+Signed-off-by: Dan Carpenter
+Reviewed-by: Matthew Wilcox (Oracle)
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -836,7 +836,7 @@ struct ib_cm_id *ib_create_cm_id(struct
+
+ ret = xa_alloc_cyclic_irq(&cm.local_id_table, &id, NULL, xa_limit_32b,
+ &cm.local_id_next, GFP_KERNEL);
+- if (ret)
++ if (ret < 0)
+ goto error;
+ cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
+ xa_store_irq(&cm.local_id_table, cm_local_id(cm_id_priv->id.local_id),
diff --git a/queue-5.6/rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch b/queue-5.6/rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch
new file mode 100644
index 00000000000..ba60c784050
--- /dev/null
+++ b/queue-5.6/rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch
@@ -0,0 +1,92 @@ +From e8dc4e885c459343970b25acd9320fe9ee5492e7 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 10 Mar 2020 11:25:31 +0200 +Subject: RDMA/cm: Fix ordering of xa_alloc_cyclic() in ib_create_cm_id() + +From: Jason Gunthorpe + +commit e8dc4e885c459343970b25acd9320fe9ee5492e7 upstream. + +xa_alloc_cyclic() is a SMP release to be paired with some later acquire +during xa_load() as part of cm_acquire_id(). + +As such, xa_alloc_cyclic() must be done after the cm_id is fully +initialized, in particular, it absolutely must be after the +refcount_set(), otherwise the refcount_inc() in cm_acquire_id() may not +see the set. + +As there are several cases where a reader will be able to use the +id.local_id after cm_acquire_id in the IB_CM_IDLE state there needs to be +an unfortunate split into a NULL allocate and a finalizing xa_store. + +Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") +Link: https://lore.kernel.org/r/20200310092545.251365-2-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cm.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -572,18 +572,6 @@ static int cm_init_av_by_path(struct sa_ + return 0; + } + +-static int cm_alloc_id(struct cm_id_private *cm_id_priv) +-{ +- int err; +- u32 id; +- +- err = xa_alloc_cyclic_irq(&cm.local_id_table, &id, cm_id_priv, +- xa_limit_32b, &cm.local_id_next, GFP_KERNEL); +- +- cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand; +- return err; +-} +- + static u32 cm_local_id(__be32 local_id) + { + return (__force u32) (local_id ^ cm.random_id_operand); +@@ -825,6 +813,7 @@ struct ib_cm_id *ib_create_cm_id(struct + void *context) + { + struct cm_id_private *cm_id_priv; ++ u32 id; + int ret; + + cm_id_priv = kzalloc(sizeof *cm_id_priv, GFP_KERNEL); +@@ -836,9 
+825,6 @@ struct ib_cm_id *ib_create_cm_id(struct + cm_id_priv->id.cm_handler = cm_handler; + cm_id_priv->id.context = context; + cm_id_priv->id.remote_cm_qpn = 1; +- ret = cm_alloc_id(cm_id_priv); +- if (ret) +- goto error; + + spin_lock_init(&cm_id_priv->lock); + init_completion(&cm_id_priv->comp); +@@ -847,11 +833,20 @@ struct ib_cm_id *ib_create_cm_id(struct + INIT_LIST_HEAD(&cm_id_priv->altr_list); + atomic_set(&cm_id_priv->work_count, -1); + refcount_set(&cm_id_priv->refcount, 1); ++ ++ ret = xa_alloc_cyclic_irq(&cm.local_id_table, &id, NULL, xa_limit_32b, ++ &cm.local_id_next, GFP_KERNEL); ++ if (ret) ++ goto error; ++ cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand; ++ xa_store_irq(&cm.local_id_table, cm_local_id(cm_id_priv->id.local_id), ++ cm_id_priv, GFP_KERNEL); ++ + return &cm_id_priv->id; + + error: + kfree(cm_id_priv); +- return ERR_PTR(-ENOMEM); ++ return ERR_PTR(ret); + } + EXPORT_SYMBOL(ib_create_cm_id); + diff --git a/queue-5.6/rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch b/queue-5.6/rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch new file mode 100644 index 00000000000..7ec8d46edbf --- /dev/null +++ b/queue-5.6/rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch 
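Review bot: The `if (ret) goto error;` placed after `xa_alloc_cyclic_irq()` in ib_create_cm_id() is only correct together with rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch from this same commit, which turns it into `if (ret < 0)`. As that patch describes, the allocator also returns 1 on success, and with this hunk's `return ERR_PTR(ret);` that value would reach the caller as ERR_PTR(1). The follow-up's context lines exist only once this patch is applied, so the series file (not visible here) needs to list this patch first, and the two should not be split across releases.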
@@ -0,0 +1,83 @@ +From 83a2670212215a569ed133efc10c92055c96cc8c Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 21 Apr 2020 11:29:29 +0300 +Subject: RDMA/core: Fix overwriting of uobj in case of error + +From: Leon Romanovsky + +commit 83a2670212215a569ed133efc10c92055c96cc8c upstream. + +In case of failure to get file, the uobj is overwritten and causes to +supply bad pointer as an input to uverbs_uobject_put(). + + BUG: KASAN: null-ptr-deref in atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline] + BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:253 [inline] + BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:281 [inline] + BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline] + BUG: KASAN: null-ptr-deref in uverbs_uobject_put+0x22/0x90 drivers/infiniband/core/rdma_core.c:57 + Write of size 4 at addr 0000000000000030 by task syz-executor.4/1691 + + CPU: 1 PID: 1691 Comm: syz-executor.4 Not tainted 5.6.0 #17 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x94/0xce lib/dump_stack.c:118 + __kasan_report+0x10c/0x190 mm/kasan/report.c:515 + kasan_report+0x32/0x50 mm/kasan/common.c:625 + check_memory_region_inline mm/kasan/generic.c:187 [inline] + check_memory_region+0x16d/0x1c0 mm/kasan/generic.c:193 + atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline] + refcount_sub_and_test include/linux/refcount.h:253 [inline] + refcount_dec_and_test include/linux/refcount.h:281 [inline] + kref_put include/linux/kref.h:64 [inline] + uverbs_uobject_put+0x22/0x90 drivers/infiniband/core/rdma_core.c:57 + alloc_begin_fd_uobject+0x1d0/0x250 drivers/infiniband/core/rdma_core.c:486 + rdma_alloc_begin_uobject+0xa8/0xf0 drivers/infiniband/core/rdma_core.c:509 + __uobj_alloc include/rdma/uverbs_std_types.h:117 [inline] + 
ib_uverbs_create_comp_channel+0x16d/0x230 drivers/infiniband/core/uverbs_cmd.c:982 + ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:665 + __vfs_write+0x7c/0x100 fs/read_write.c:494 + vfs_write+0x168/0x4a0 fs/read_write.c:558 + ksys_write+0xc8/0x200 fs/read_write.c:611 + do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:295 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x466479 + Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007efe9f6a7c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000466479 + RDX: 0000000000000018 RSI: 0000000020000040 RDI: 0000000000000003 + RBP: 00007efe9f6a86bc R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005 + R13: 0000000000000bf2 R14: 00000000004cb80a R15: 00000000006fefc0 + +Fixes: 849e149063bd ("RDMA/core: Do not allow alloc_commit to fail") +Link: https://lore.kernel.org/r/20200421082929.311931-3-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/rdma_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -474,16 +474,15 @@ alloc_begin_fd_uobject(const struct uver + filp = anon_inode_getfile(fd_type->name, fd_type->fops, NULL, + fd_type->flags); + if (IS_ERR(filp)) { ++ uverbs_uobject_put(uobj); + uobj = ERR_CAST(filp); +- goto err_uobj; ++ goto err_fd; + } + uobj->object = filp; + + uobj->id = new_fd; + return uobj; + +-err_uobj: +- uverbs_uobject_put(uobj); + err_fd: + put_unused_fd(new_fd); + return uobj; 
diff --git a/queue-5.6/rdma-core-fix-race-between-destroy-and-release-fd-object.patch b/queue-5.6/rdma-core-fix-race-between-destroy-and-release-fd-object.patch
new file mode 100644
index 00000000000..c75afc71c80
--- /dev/null
+++ b/queue-5.6/rdma-core-fix-race-between-destroy-and-release-fd-object.patch
@@ -0,0 +1,55 @@
+From f0abc761bbb9418876cc4d1ebc473e4ea6352e42 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Thu, 23 Apr 2020 09:01:22 +0300
+Subject: RDMA/core: Fix race between destroy and release FD object
+
+From: Leon Romanovsky
+
+commit f0abc761bbb9418876cc4d1ebc473e4ea6352e42 upstream.
+
+The call to ->lookup_put() was too early and it caused an unlock of the
+read/write protection of the uobject after the FD was put. This allows a
+race:
+
+ CPU1 CPU2
+ rdma_lookup_put_uobject()
+ lookup_put_fd_uobject()
+ fput()
+ fput()
+ uverbs_uobject_fd_release()
+ WARN_ON(uverbs_try_lock_object(uobj,
+ UVERBS_LOOKUP_WRITE));
+ atomic_dec(usecnt)
+
+Fix the code by changing the order, first unlock and call to
+->lookup_put() after that.
+
+Fixes: 3832125624b7 ("IB/core: Add support for idr types")
+Link: https://lore.kernel.org/r/20200423060122.6182-1-leon@kernel.org
+Suggested-by: Jason Gunthorpe
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/rdma_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -678,7 +678,6 @@ void rdma_lookup_put_uobject(struct ib_u
+ enum rdma_lookup_mode mode)
+ {
+ assert_uverbs_usecnt(uobj, mode);
+- uobj->uapi_object->type_class->lookup_put(uobj, mode);
+ /*
+ * In order to unlock an object, either decrease its usecnt for
+ * read access or zero it in case of exclusive access. See
+@@ -695,6 +694,7 @@ void rdma_lookup_put_uobject(struct ib_u
+ break;
+ }
+
++ uobj->uapi_object->type_class->lookup_put(uobj, mode);
+ /* Pairs with the kref obtained by type->lookup_get */
+ uverbs_uobject_put(uobj);
+ }
diff --git a/queue-5.6/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch b/queue-5.6/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch
new file mode 100644
index 00000000000..e9f7d71385e
--- /dev/null
+++ b/queue-5.6/rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch 
@@ -0,0 +1,71 @@ +From 0fb00941dc63990a10951146df216fc7b0e20bc2 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 21 Apr 2020 11:29:28 +0300 +Subject: RDMA/core: Prevent mixed use of FDs between shared ufiles + +From: Leon Romanovsky + +commit 0fb00941dc63990a10951146df216fc7b0e20bc2 upstream. + +FDs can only be used on the ufile that created them, they cannot be mixed +to other ufiles. We are lacking a check to prevent it. + + BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline] + BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline] + BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336 + Write of size 8 at addr 0000000000000038 by task syz-executor179/284 + + CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x94/0xce lib/dump_stack.c:118 + __kasan_report+0x18f/0x1b7 mm/kasan/report.c:510 + kasan_report+0xe/0x20 mm/kasan/common.c:639 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192 + atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline] + atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline] + fput_many+0x1a/0x140 fs/file_table.c:336 + rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692 + uobj_put_read include/rdma/uverbs_std_types.h:96 [inline] + _ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline] + create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006 + ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089 + ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769 + __vfs_write+0x7c/0x100 fs/read_write.c:494 + vfs_write+0x168/0x4a0 
fs/read_write.c:558 + ksys_write+0xc8/0x200 fs/read_write.c:611 + do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x44ef99 + Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99 + RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005 + RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830 + R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000 + R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000 + +Fixes: cf8966b3477d ("IB/core: Add support for fd objects") +Link: https://lore.kernel.org/r/20200421082929.311931-2-leon@kernel.org +Suggested-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/rdma_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -360,7 +360,7 @@ lookup_get_fd_uobject(const struct uverb + * uverbs_uobject_fd_release(), and the caller is expected to ensure + * that release is never done while a call to lookup is possible. + */ +- if (f->f_op != fd_type->fops) { ++ if (f->f_op != fd_type->fops || uobject->ufile != ufile) { + fput(f); + return ERR_PTR(-EBADF); + } diff --git a/queue-5.6/rdma-mlx4-initialize-ib_spec-on-the-stack.patch b/queue-5.6/rdma-mlx4-initialize-ib_spec-on-the-stack.patch new file mode 100644 index 00000000000..79a306a58b2 --- /dev/null +++ b/queue-5.6/rdma-mlx4-initialize-ib_spec-on-the-stack.patch 
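Review bot: The added `uobject->ufile != ufile` test in lookup_get_fd_uobject() is safe only because it sits to the right of `f->f_op != fd_type->fops`: `uobject` is presumably taken from the file's private data above the hunk, and that pointer is a uverbs object only when the fops match. I would record this in the existing comment block, e.g. `* Check f_op first: uobject is only meaningful for our own fops.`, so the two operands are not reordered or split into separate checks later. The function starts and ends outside the hunk.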
@@ -0,0 +1,38 @@
+From c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c Mon Sep 17 00:00:00 2001
+From: Alaa Hleihel
+Date: Mon, 13 Apr 2020 16:22:35 +0300
+Subject: RDMA/mlx4: Initialize ib_spec on the stack
+
+From: Alaa Hleihel
+
+commit c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c upstream.
+
+Initialize ib_spec on the stack before using it, otherwise we will have
+garbage values that will break creating default rules with invalid parsing
+error.
+
+Fixes: a37a1a428431 ("IB/mlx4: Add mechanism to support flow steering over IB links")
+Link: https://lore.kernel.org/r/20200413132235.930642-1-leon@kernel.org
+Signed-off-by: Alaa Hleihel
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1502,8 +1502,9 @@ static int __mlx4_ib_create_default_rule
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(pdefault_rules->rules_create_list); i++) {
++ union ib_flow_spec ib_spec = {};
+ int ret;
+- union ib_flow_spec ib_spec;
++
+ switch (pdefault_rules->rules_create_list[i]) {
+ case 0:
+ /* no rule */
diff --git a/queue-5.6/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch b/queue-5.6/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch
new file mode 100644
index 00000000000..e7772980b8c
--- /dev/null
+++ b/queue-5.6/rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch
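Review bot: `union ib_flow_spec ib_spec = {};` reads like a redundant initializer and carries no hint that removing it brings the bug back, so a one-line comment above the declaration such as `/* must start zeroed: stale stack bytes make the spec fail parsing */` would protect it from a later cleanup. The declaration sits inside the `for` body, so the union is cleared again on every iteration, which appears to be what the `switch` cases need; the cases themselves are outside the hunk. The empty-brace initializer is a GNU/C23 form; `memset(&ib_spec, 0, sizeof(ib_spec));` is the spelling that does not depend on how the compiler treats union members beyond the first.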
@@ -0,0 +1,43 @@
+From 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 Mon Sep 17 00:00:00 2001
+From: Aharon Landau
+Date: Mon, 13 Apr 2020 16:20:28 +0300
+Subject: RDMA/mlx5: Set GRH fields in query QP on RoCE
+
+From: Aharon Landau
+
+commit 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 upstream.
+
+GRH fields such as sgid_index, hop limit, et. are set in the QP context
+when QP is created/modified.
+
+Currently, when query QP is performed, we fill the GRH fields only if the
+GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust
+the check so we will set all relevant data for the RoCE too.
+
+Since this data is returned to userspace, the below is an ABI regression.
+
+Fixes: d8966fcd4c25 ("IB/core: Use rdma_ah_attr accessor functions")
+Link: https://lore.kernel.org/r/20200413132028.930109-1-leon@kernel.org
+Signed-off-by: Aharon Landau
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -5545,7 +5545,9 @@ static void to_rdma_ah_attr(struct mlx5_
+ rdma_ah_set_path_bits(ah_attr, path->grh_mlid & 0x7f);
+ rdma_ah_set_static_rate(ah_attr,
+ path->static_rate ? path->static_rate - 5 : 0);
+- if (path->grh_mlid & (1 << 7)) {
++
++ if (path->grh_mlid & (1 << 7) ||
++ ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) {
+ u32 tc_fl = be32_to_cpu(path->tclass_flowlabel);
+
+ rdma_ah_set_grh(ah_attr, NULL,
diff --git a/queue-5.6/rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch b/queue-5.6/rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch
new file mode 100644
index 00000000000..32b0a992bf1
--- /dev/null
+++ b/queue-5.6/rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch
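Review bot: The new condition in `to_rdma_ah_attr()` mixes `&` and `||` without grouping; precedence gives the intended result, but it is easy to misread, so write `if ((path->grh_mlid & (1 << 7)) || ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) {`. The RoCE arm depends on `ah_attr->type` having been set before this point, which happens outside the hunk, so that ordering should be confirmed. Since the commit message notes these fields are returned to userspace, it is also worth checking that every GRH field filled in by the block below is valid in the QP context for RoCE. The bare `1 << 7` and `0x7f` would read better as named masks.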
@@ -0,0 +1,64 @@ +From 6e051971b0e2eeb0ce7ec65d3cc8180450512d36 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 15 Apr 2020 11:09:22 -0300 +Subject: RDMA/siw: Fix potential siw_mem refcnt leak in siw_fastreg_mr() + +From: Jason Gunthorpe + +commit 6e051971b0e2eeb0ce7ec65d3cc8180450512d36 upstream. + +siw_fastreg_mr() invokes siw_mem_id2obj(), which returns a local reference +of the siw_mem object to "mem" with increased refcnt. When +siw_fastreg_mr() returns, "mem" becomes invalid, so the refcount should be +decreased to keep refcount balanced. + +The issue happens in one error path of siw_fastreg_mr(). When "base_mr" +equals to NULL but "mem" is not NULL, the function forgets to decrease the +refcnt increased by siw_mem_id2obj() and causes a refcnt leak. + +Reorganize the flow so that the goto unwind can be used as expected. + +Fixes: b9be6f18cf9e ("rdma/siw: transmit path") +Link: https://lore.kernel.org/r/1586939949-69856-1-git-send-email-xiyuyang19@fudan.edu.cn +Reported-by: Xiyu Yang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -920,20 +920,27 @@ static int siw_fastreg_mr(struct ib_pd * + { + struct ib_mr *base_mr = (struct ib_mr *)(uintptr_t)sqe->base_mr; + struct siw_device *sdev = to_siw_dev(pd->device); +- struct siw_mem *mem = siw_mem_id2obj(sdev, sqe->rkey >> 8); ++ struct siw_mem *mem; + int rv = 0; + + siw_dbg_pd(pd, "STag 0x%08x\n", sqe->rkey); + +- if (unlikely(!mem || !base_mr)) { ++ if (unlikely(!base_mr)) { + pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey); + return -EINVAL; + } ++ + if (unlikely(base_mr->rkey >> 8 != sqe->rkey >> 8)) { + pr_warn("siw: fastreg: STag 0x%08x: bad MR\n", sqe->rkey); +- rv = -EINVAL; +- goto out; ++ return -EINVAL; ++ } ++ ++ mem = siw_mem_id2obj(sdev, sqe->rkey 
>> 8); ++ if (unlikely(!mem)) { ++ pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey); ++ return -EINVAL; + } ++ + if (unlikely(mem->pd != pd)) { + pr_warn("siw: fastreg: PD mismatch\n"); + rv = -EINVAL; diff --git a/queue-5.6/rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch b/queue-5.6/rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch new file mode 100644 index 00000000000..2cd58b2b90b --- /dev/null +++ b/queue-5.6/rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch 
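Review bot: After the reordering in `siw_fastreg_mr()`, a NULL `base_mr` and a failed `siw_mem_id2obj()` lookup both log `STag 0x%08x unknown`, so the log no longer tells which check rejected the request; give the first one its own text, e.g. `pr_warn("siw: fastreg: STag 0x%08x: no base MR\n", sqe->rkey);`. `base_mr` is rebuilt from an integer field of the sqe and `base_mr->rkey` is read before any lookup validates it, so this path relies on the sqe contents being trusted; the hunk does not show where the sqe comes from, and that assumption deserves a comment. The `pr_warn()` calls are not rate limited; if this path can be hit per work request, `pr_warn_ratelimited()` keeps the log from being flooded. The rest of the function, including the `out:` unwind, lies outside the hunk.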
@@ -0,0 +1,106 @@ +From 39c011a538272589b9eb02ff1228af528522a22c Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 13 Apr 2020 16:21:36 +0300 +Subject: RDMA/uverbs: Fix a race with disassociate and exit_mmap() + +From: Jason Gunthorpe + +commit 39c011a538272589b9eb02ff1228af528522a22c upstream. + +If uverbs_user_mmap_disassociate() is called while the mmap is +concurrently doing exit_mmap then the ordering of the +rdma_user_mmap_entry_put() is not reliable. + +The put must be done before uvers_user_mmap_disassociate() returns, +otherwise there can be a use after free on the ucontext, and a left over +entry in the xarray. If the put is not done here then it is done during +rdma_umap_close() later. + +Add the missing put to the error exit path. + + WARNING: CPU: 7 PID: 7111 at drivers/infiniband/core/rdma_core.c:810 uverbs_destroy_ufile_hw+0x2a5/0x340 [ib_uverbs] + Modules linked in: bonding ipip tunnel4 geneve ip6_udp_tunnel udp_tunnel ip6_gre ip6_tunnel tunnel6 ip_gre ip_tunnel gre mlx5_ib mlx5_core mlxfw pci_hyperv_intf act_ct nf_flow_table ptp pps_core rdma_ucm ib_uverbs ib_ipoib ib_umad 8021q garp mrp openvswitch nsh nf_conncount nfsv3 nfs_acl xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype iptable_filter xt_conntrack br_netfilter bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache overlay rpcrdma ib_isert iscsi_target_mod ib_iser kvm_intel ib_srpt iTCO_wdt target_core_mod iTCO_vendor_support kvm ib_srp nf_nat irqbypass crc32_pclmul crc32c_intel nf_conntrack rfkill nf_defrag_ipv6 virtio_net nf_defrag_ipv4 pcspkr ghash_clmulni_intel i2c_i801 net_failover failover i2c_core lpc_ich mfd_core rdma_cm ib_cm iw_cm button ib_core sunrpc sch_fq_codel ip_tables serio_raw [last unloaded: tunnel4] + CPU: 7 PID: 7111 Comm: python3 Tainted: G W 5.6.0-rc6-for-upstream-dbg-2020-03-21_06-41-26-18 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + 
RIP: 0010:uverbs_destroy_ufile_hw+0x2a5/0x340 [ib_uverbs] + Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 74 49 8b 84 24 08 01 00 00 48 85 c0 0f 84 13 ff ff ff 48 89 ef ff d0 e9 09 ff ff ff <0f> 0b e9 77 ff ff ff e8 0f d8 fa e0 e9 c5 fd ff ff e8 05 d8 fa e0 + RSP: 0018:ffff88840e0779a0 EFLAGS: 00010286 + RAX: dffffc0000000000 RBX: ffff8882a7721c00 RCX: 0000000000000000 + RDX: 1ffff11054ee469f RSI: ffffffff8446d7e0 RDI: ffff8882a77234f8 + RBP: ffff8882a7723400 R08: ffffed1085c0112c R09: 0000000000000001 + R10: 0000000000000001 R11: ffffed1085c0112b R12: ffff888403c30000 + R13: 0000000000000002 R14: ffff8882a7721cb0 R15: ffff8882a7721cd0 + FS: 00007f2046089700(0000) GS:ffff88842de00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f7cfe9a6e20 CR3: 000000040b8ac006 CR4: 0000000000360ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + ib_uverbs_remove_one+0x273/0x480 [ib_uverbs] + ? up_write+0x15c/0x4a0 + remove_client_context+0xa6/0xf0 [ib_core] + disable_device+0x12d/0x200 [ib_core] + ? remove_client_context+0xf0/0xf0 [ib_core] + ? mnt_get_count+0x1d0/0x1d0 + __ib_unregister_device+0x79/0x150 [ib_core] + ib_unregister_device+0x21/0x30 [ib_core] + __mlx5_ib_remove+0x91/0x110 [mlx5_ib] + ? __mlx5_ib_remove+0x110/0x110 [mlx5_ib] + mlx5_remove_device+0x241/0x310 [mlx5_core] + mlx5_unregister_device+0x4d/0x1e0 [mlx5_core] + mlx5_unload_one+0xc0/0x260 [mlx5_core] + remove_one+0x5c/0x160 [mlx5_core] + pci_device_remove+0xef/0x2a0 + ? pcibios_free_irq+0x10/0x10 + device_release_driver_internal+0x1d8/0x470 + unbind_store+0x152/0x200 + ? sysfs_kf_write+0x3b/0x180 + ? sysfs_file_ops+0x160/0x160 + kernfs_fop_write+0x284/0x460 + ? __sb_start_write+0x243/0x3a0 + vfs_write+0x197/0x4a0 + ksys_write+0x156/0x1e0 + ? __x64_sys_read+0xb0/0xb0 + ? do_syscall_64+0x73/0x1330 + ? do_syscall_64+0x73/0x1330 + do_syscall_64+0xe7/0x1330 + ? 
down_write_nested+0x3e0/0x3e0 + ? syscall_return_slowpath+0x970/0x970 + ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe + ? lockdep_hardirqs_off+0x1de/0x2d0 + ? trace_hardirqs_off_thunk+0x1a/0x1c + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f20a3ff0cdb + Code: 53 48 89 d5 48 89 f3 48 83 ec 18 48 89 7c 24 08 e8 5a fd ff ff 48 89 ea 41 89 c0 48 89 de 48 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 90 fd ff ff 48 + RSP: 002b:00007f2046087040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00007f2038016df0 RCX: 00007f20a3ff0cdb + RDX: 000000000000000d RSI: 00007f2038016df0 RDI: 0000000000000018 + RBP: 000000000000000d R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000100 R11: 0000000000000293 R12: 00007f2046e29630 + R13: 00007f20280035a0 R14: 0000000000000018 R15: 00007f2038016df0 + +Fixes: c043ff2cfb7f ("RDMA: Connect between the mmap entry and the umap_priv structure") +Link: https://lore.kernel.org/r/20200413132136.930388-1-leon@kernel.org +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -820,6 +820,10 @@ void uverbs_user_mmap_disassociate(struc + ret = mmget_not_zero(mm); + if (!ret) { + list_del_init(&priv->list); ++ if (priv->entry) { ++ rdma_user_mmap_entry_put(priv->entry); ++ priv->entry = NULL; ++ } + mm = NULL; + continue; + } diff --git a/queue-5.6/scsi-qla2xxx-check-unloading-before-posting-async-work.patch b/queue-5.6/scsi-qla2xxx-check-unloading-before-posting-async-work.patch new file mode 100644 index 00000000000..173304cad30 --- /dev/null +++ b/queue-5.6/scsi-qla2xxx-check-unloading-before-posting-async-work.patch 
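Review bot: The put added to the `!ret` branch of `uverbs_user_mmap_disassociate()` has no comment explaining why the reference is dropped here when the process is already exiting, and the reason is not obvious from the code. Something like `/* mm is going away: drop the entry ref now so rdma_umap_close() does not have to, and clear the pointer so it is not put twice */` above the `if (priv->entry)` would record what the commit message says. Clearing `priv->entry` is what prevents a second put, so the write has to happen under the same lock the close path holds when it tests the pointer; that lock is not visible in the hunk and should be confirmed. The loop body continues outside the hunk.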
@@ -0,0 +1,43 @@
+From 5a263892d7d0b4fe351363f8d1a14c6a75955475 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Tue, 21 Apr 2020 22:46:21 +0200
+Subject: scsi: qla2xxx: check UNLOADING before posting async work
+
+From: Martin Wilck
+
+commit 5a263892d7d0b4fe351363f8d1a14c6a75955475 upstream.
+
+qlt_free_session_done() tries to post async PRLO / LOGO, and waits for the
+completion of these async commands. If UNLOADING is set, this is doomed to
+timeout, because the async logout command will never complete.
+
+The only way to avoid waiting pointlessly is to fail posting these commands
+in the first place if the driver is in UNLOADING state. In general,
+posting any command should be avoided when the driver is UNLOADING.
+
+With this patch, "rmmod qla2xxx" completes without noticeable delay.
+
+Link: https://lore.kernel.org/r/20200421204621.19228-3-mwilck@suse.com
+Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip")
+Acked-by: Arun Easi
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin Wilck
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4854,6 +4854,9 @@ qla2x00_alloc_work(struct scsi_qla_host
+ struct qla_work_evt *e;
+ uint8_t bail;
+
++ if (test_bit(UNLOADING, &vha->dpc_flags))
++ return NULL;
++
+ QLA_VHA_MARK_BUSY(vha, bail);
+ if (bail)
+ return NULL;
diff --git a/queue-5.6/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch b/queue-5.6/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch
new file mode 100644
index 00000000000..988967e49c7
--- /dev/null
+++ b/queue-5.6/scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch
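Review bot: With the new early return, `qla2x00_alloc_work()` yields NULL for several unrelated reasons (UNLOADING set, `bail` from `QLA_VHA_MARK_BUSY`, and presumably allocation failure further down), and callers cannot tell them apart. The callers are outside the hunk; any that translate NULL into an out-of-memory status will now report that during unload, so either document the contract on the function, `/* Returns NULL if the host is unloading or busy, or if allocation fails. */`, or check those callers. The test is also only a snapshot: UNLOADING set right after `test_bit()` still lets the event be allocated, which looks acceptable as best effort but should be stated in that comment.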
@@ -0,0 +1,95 @@ +From 856e152a3c08bf7987cbd41900741d83d9cddc8e Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Tue, 21 Apr 2020 22:46:20 +0200 +Subject: scsi: qla2xxx: set UNLOADING before waiting for session deletion + +From: Martin Wilck + +commit 856e152a3c08bf7987cbd41900741d83d9cddc8e upstream. + +The purpose of the UNLOADING flag is to avoid port login procedures to +continue when a controller is in the process of shutting down. It makes +sense to set this flag before starting session teardown. + +Furthermore, use atomic test_and_set_bit() to avoid the shutdown being run +multiple times in parallel. In qla2x00_disable_board_on_pci_error(), the +test for UNLOADING is postponed until after the check for an already +disabled PCI board. + +Link: https://lore.kernel.org/r/20200421204621.19228-2-mwilck@suse.com +Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip") +Reviewed-by: Arun Easi +Reviewed-by: Daniel Wagner +Reviewed-by: Roman Bolshakov +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin Wilck +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 32 ++++++++++++++------------------ + 1 file changed, 14 insertions(+), 18 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3720,6 +3720,13 @@ qla2x00_remove_one(struct pci_dev *pdev) + } + qla2x00_wait_for_hba_ready(base_vha); + ++ /* ++ * if UNLOADING flag is already set, then continue unload, ++ * where it was set first. ++ */ ++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags)) ++ return; ++ + if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha) || + IS_QLA28XX(ha)) { + if (ha->flags.fw_started) +@@ -3738,15 +3745,6 @@ qla2x00_remove_one(struct pci_dev *pdev) + + qla2x00_wait_for_sess_deletion(base_vha); + +- /* +- * if UNLOAD flag is already set, then continue unload, +- * where it was set first. 
+- */ +- if (test_bit(UNLOADING, &base_vha->dpc_flags)) +- return; +- +- set_bit(UNLOADING, &base_vha->dpc_flags); +- + qla_nvme_delete(base_vha); + + dma_free_coherent(&ha->pdev->dev, +@@ -6044,13 +6042,6 @@ qla2x00_disable_board_on_pci_error(struc + struct pci_dev *pdev = ha->pdev; + scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev); + +- /* +- * if UNLOAD flag is already set, then continue unload, +- * where it was set first. +- */ +- if (test_bit(UNLOADING, &base_vha->dpc_flags)) +- return; +- + ql_log(ql_log_warn, base_vha, 0x015b, + "Disabling adapter.\n"); + +@@ -6061,9 +6052,14 @@ qla2x00_disable_board_on_pci_error(struc + return; + } + +- qla2x00_wait_for_sess_deletion(base_vha); ++ /* ++ * if UNLOADING flag is already set, then continue unload, ++ * where it was set first. ++ */ ++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags)) ++ return; + +- set_bit(UNLOADING, &base_vha->dpc_flags); ++ qla2x00_wait_for_sess_deletion(base_vha); + + qla2x00_delete_all_vps(ha, base_vha); + diff --git a/queue-5.6/scsi-target-iblock-fix-write-same-zeroing.patch b/queue-5.6/scsi-target-iblock-fix-write-same-zeroing.patch new file mode 100644 index 00000000000..281171fc557 --- /dev/null +++ b/queue-5.6/scsi-target-iblock-fix-write-same-zeroing.patch 
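Review bot: In `qla2x00_disable_board_on_pci_error()` the UNLOADING test now sits after `ql_log(ql_log_warn, base_vha, 0x015b, "Disabling adapter.\n")`, so the warning is printed even when the function then returns because another path already owns the teardown. If that message is meant to mark the start of the actual disable, move it below the `test_and_set_bit()` check or log a distinct line for the early return. The comment copied to both sites, "if UNLOADING flag is already set, then continue unload, where it was set first", is hard to parse; `/* Only the first caller to set UNLOADING performs the teardown; everyone else returns. */` says what the atomic test-and-set guarantees. Both functions extend beyond the hunks shown.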
@@ -0,0 +1,44 @@
+From 1d2ff149b263c9325875726a7804a0c75ef7112e Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Sun, 19 Apr 2020 18:31:09 +0200
+Subject: scsi: target/iblock: fix WRITE SAME zeroing
+
+From: David Disseldorp
+
+commit 1d2ff149b263c9325875726a7804a0c75ef7112e upstream.
+
+SBC4 specifies that WRITE SAME requests with the UNMAP bit set to zero
+"shall perform the specified write operation to each LBA specified by the
+command". Commit 2237498f0b5c ("target/iblock: Convert WRITE_SAME to
+blkdev_issue_zeroout") modified the iblock backend to call
+blkdev_issue_zeroout() when handling WRITE SAME requests with UNMAP=0 and a
+zero data segment.
+
+The iblock blkdev_issue_zeroout() call incorrectly provides a flags
+parameter of 0 (bool false), instead of BLKDEV_ZERO_NOUNMAP. The bool
+false parameter reflects the blkdev_issue_zeroout() API prior to commit
+ee472d835c26 ("block: add a flags argument to (__)blkdev_issue_zeroout")
+which was merged shortly before 2237498f0b5c.
+
+Link: https://lore.kernel.org/r/20200419163109.11689-1-ddiss@suse.de
+Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
+Reviewed-by: Bart Van Assche
+Signed-off-by: David Disseldorp
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_iblock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -432,7 +432,7 @@ iblock_execute_zero_out(struct block_dev
+ target_to_linux_sector(dev, cmd->t_task_lba),
+ target_to_linux_sector(dev,
+ sbc_get_write_same_sectors(cmd)),
+- GFP_KERNEL, false);
++ GFP_KERNEL, BLKDEV_ZERO_NOUNMAP);
+ if (ret)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+
diff --git a/queue-5.6/series b/queue-5.6/series
index e2edcab884e..d134cdf7ee5 100644
--- a/queue-5.6/series
+++ b/queue-5.6/series
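Review bot: The bare `BLKDEV_ZERO_NOUNMAP` argument in `iblock_execute_zero_out()` gives no hint why deallocation must be forbidden, and the previous `false` shows how easily this argument is misread. A short comment above the call, `/* WRITE SAME with UNMAP=0: blocks must be written, not deallocated (SBC-4) */`, would tie the flag to the requirement quoted in the commit message. That this function is reached only for UNMAP=0 requests is stated in the commit message but not visible in the hunk, so the comment should be checked against the caller.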
@@ -37,3 +37,37 @@ dm-verity-fec-fix-hash-block-number-in-verity_fec_decode.patch dm-writecache-fix-data-corruption-when-reloading-the-target.patch dm-multipath-use-updated-mpathf_queue_io-on-mapping-for-bio-based-mpath.patch arm-dts-imx6qdl-sr-som-ti-indicate-powering-off-wifi-is-safe.patch +block-remove-the-bd_openers-checks-in-blk_drop_partitions.patch +scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch +scsi-qla2xxx-check-unloading-before-posting-async-work.patch +rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch +rdma-uverbs-fix-a-race-with-disassociate-and-exit_mmap.patch +rdma-mlx4-initialize-ib_spec-on-the-stack.patch +rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch +rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch +rdma-core-fix-overwriting-of-uobj-in-case-of-error.patch +rdma-core-fix-race-between-destroy-and-release-fd-object.patch +rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch +rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch +i2c-iproc-generate-stop-event-for-slave-writes.patch +dmaengine-hisilicon-fix-build-error-without-pci_msi.patch +vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch +vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch +iommu-qcom-fix-local_base-status-check.patch +dmaengine-ti-k3-psil-fix-deadlock-on-error-path.patch +dmaengine-fix-channel-index-enumeration.patch +scsi-target-iblock-fix-write-same-zeroing.patch +iommu-properly-export-iommu_group_get_for_dev.patch +iommu-vt-d-use-right-kconfig-option-name.patch +iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch +i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch +alsa-opti9xx-shut-up-gcc-10-range-warning.patch +fix-use-after-free-in-get_tree_bdev.patch +nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch +xprtrdma-fix-trace-point-use-after-free-race.patch +drm-i915-selftests-fix-i915_address_space-refcnt-leak.patch 
+nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch +dmaengine-dmatest-fix-iteration-non-stop-logic.patch +drm-i915-use-proper-fault-mask-in-interrupt-postinstall-too.patch +dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch +arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch diff --git a/queue-5.6/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch b/queue-5.6/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch new file mode 100644 index 00000000000..502e47ace8e --- /dev/null +++ b/queue-5.6/vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch @@ -0,0 +1,31 @@ +From 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 Mon Sep 17 00:00:00 2001 +From: Yan Zhao +Date: Wed, 8 Apr 2020 03:12:34 -0400 +Subject: vfio: avoid possible overflow in vfio_iommu_type1_pin_pages + +From: Yan Zhao + +commit 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 upstream. + +add parentheses to avoid possible vaddr overflow. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Signed-off-by: Yan Zhao +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -554,7 +554,7 @@ static int vfio_iommu_type1_pin_pages(vo + continue; + } + +- remote_vaddr = dma->vaddr + iova - dma->iova; ++ remote_vaddr = dma->vaddr + (iova - dma->iova); + ret = vfio_pin_page_external(dma, remote_vaddr, &phys_pfn[i], + do_accounting); + if (ret) diff --git a/queue-5.6/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch b/queue-5.6/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch new file mode 100644 index 00000000000..752a7135bd9 --- /dev/null +++ b/queue-5.6/vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch 
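Review bot: In the vfio_iommu_type1_pin_pages patch, `remote_vaddr = dma->vaddr + (iova - dma->iova);` is only meaningful when `iova` lies inside the mapping described by `dma`, and nothing in the hunk shows that bound. Presumably the lookup that produced `dma` (outside the hunk) guarantees it; if so, say it next to the computation, `/* iova is within dma's range, so the offset cannot underflow */`. If the operands are unsigned types of the same width, the parenthesised and unparenthesised forms wrap to the same value, so the guarantee that matters is the range check rather than the grouping.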
@@ -0,0 +1,73 @@ +From 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 16 Apr 2020 15:50:57 -0700 +Subject: vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() + +From: Sean Christopherson + +commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d upstream. + +Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that +vma->vm_pgoff holds the base PFN of the VMA. This fixes a bug where +attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of +memory calculates garbage for the PFN. + +Hilariously, this only got detected because the first "PFN" calculated +by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys() +uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin() +because the translation "failed". PFN 0 is now unconditionally reserved +on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn() +to return true and in turns results in vaddr_get_pfn() returning success +for PFN 0. Eventually the bogus calculation runs into PFNs that aren't +reserved and leads to failure in vfio_pin_map_dma(). The subsequent +call to vfio_remove_dma() attempts to unmap PFN 0 and WARNs. + + WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1] + Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ... 
+ CPU: 8 PID: 5130 Comm: sgx Tainted: G W 5.6.0-rc5-705d787c7fee-vfio+ #3 + Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018 + RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1] + Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe + RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200 + RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2 + R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000 + R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08 + FS: 00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + vfio_remove_dma+0x17/0x70 [vfio_iommu_type1] + vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1] + ksys_ioctl+0x92/0xb0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x4c/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f15d04c75d7 + Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48 + +Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation") +Signed-off-by: Sean Christopherson +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio_iommu_type1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -341,8 +341,8 @@ static int vaddr_get_pfn(struct mm_struc + vma = find_vma_intersection(mm, vaddr, vaddr + 1); + + if (vma && vma->vm_flags & VM_PFNMAP) { +- *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; +- if 
(is_invalid_reserved_pfn(*pfn)) ++ if (!follow_pfn(vma, vaddr, pfn) && ++ is_invalid_reserved_pfn(*pfn)) + ret = 0; + } + done: diff --git a/queue-5.6/xprtrdma-fix-trace-point-use-after-free-race.patch b/queue-5.6/xprtrdma-fix-trace-point-use-after-free-race.patch new file mode 100644 index 00000000000..d2bfd8ce156 --- /dev/null +++ b/queue-5.6/xprtrdma-fix-trace-point-use-after-free-race.patch 
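Review bot: The return value of `follow_pfn()` is folded into the condition and then dropped, so a failed lookup and a PFN that is not reserved both leave `ret` at whatever it was set to earlier in `vaddr_get_pfn()`, outside the hunk. Keeping it in a local, `int r = follow_pfn(vma, vaddr, pfn);` followed by `if (!r && is_invalid_reserved_pfn(*pfn)) ret = 0;`, makes the two cases visible and lets the error be propagated or logged. The PFN is read from the page tables without taking a reference, so it is only trustworthy while the lock protecting the VMA is held and the mapping stays in place; the locking is not visible here and the assumption deserves a comment. `follow_pfn()` presumably fails when the entry is not populated yet, so a PFNMAP region that is filled lazily would be rejected; confirm whether that case needs handling.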
@@ -0,0 +1,83 @@ +From bdb2ce82818577ba6e57b7d68b698b8d17329281 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sun, 19 Apr 2020 20:03:05 -0400 +Subject: xprtrdma: Fix trace point use-after-free race + +From: Chuck Lever + +commit bdb2ce82818577ba6e57b7d68b698b8d17329281 upstream. + +It's not safe to use resources pointed to by the @send_wr of +ib_post_send() _after_ that function returns. Those resources are +typically freed by the Send completion handler, which can run before +ib_post_send() returns. + +Thus the trace points currently around ib_post_send() in the +client's RPC/RDMA transport are a hazard, even when they are +disabled. Rearrange them so that they touch the Work Request only +_before_ ib_post_send() is invoked. + +Fixes: ab03eff58eb5 ("xprtrdma: Add trace points in RPC Call transmit paths") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/rpcrdma.h | 12 ++++-------- + net/sunrpc/xprtrdma/verbs.c | 2 +- + 2 files changed, 5 insertions(+), 9 deletions(-) + +--- a/include/trace/events/rpcrdma.h ++++ b/include/trace/events/rpcrdma.h +@@ -721,11 +721,10 @@ TRACE_EVENT(xprtrdma_prepsend_failed, + + TRACE_EVENT(xprtrdma_post_send, + TP_PROTO( +- const struct rpcrdma_req *req, +- int status ++ const struct rpcrdma_req *req + ), + +- TP_ARGS(req, status), ++ TP_ARGS(req), + + TP_STRUCT__entry( + __field(const void *, req) +@@ -734,7 +733,6 @@ TRACE_EVENT(xprtrdma_post_send, + __field(unsigned int, client_id) + __field(int, num_sge) + __field(int, signaled) +- __field(int, status) + ), + + TP_fast_assign( +@@ -747,15 +745,13 @@ TRACE_EVENT(xprtrdma_post_send, + __entry->sc = req->rl_sendctx; + __entry->num_sge = req->rl_wr.num_sge; + __entry->signaled = req->rl_wr.send_flags & IB_SEND_SIGNALED; +- __entry->status = status; + ), + +- TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %sstatus=%d", ++ TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %s", + __entry->task_id, 
__entry->client_id, + __entry->req, __entry->sc, __entry->num_sge, + (__entry->num_sge == 1 ? "" : "s"), +- (__entry->signaled ? "signaled " : ""), +- __entry->status ++ (__entry->signaled ? "signaled" : "") + ) + ); + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1526,8 +1526,8 @@ rpcrdma_ep_post(struct rpcrdma_ia *ia, + --ep->rep_send_count; + } + +- rc = frwr_send(ia, req); + trace_xprtrdma_post_send(req, rc); ++ rc = frwr_send(ia, req); + if (rc) + return -ENOTCONN; + return 0; -- 2.47.3
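Review bot: As printed in this backport, `rpcrdma_ep_post()` still calls `trace_xprtrdma_post_send(req, rc);` although the rpcrdma.h hunks above reduce the event to `TP_PROTO(const struct rpcrdma_req *req)` and `TP_ARGS(req)`. The call line is unchanged context, so it now passes an argument the tracepoint no longer accepts, and with the reordering `rc` would be read before `frwr_send()` assigns it. The call should become `trace_xprtrdma_post_send(req);`, kept ahead of `rc = frwr_send(ia, req);`. The diffstat's single insertion and deletion for verbs.c matches the hunk as printed, so this does not look like an extraction artefact; the declaration of `rc` is outside the hunk.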