diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2019-08-25 12:04:15 -0400 |
|---|---|---|
| committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2019-09-08 16:28:04 -0400 |
| commit | bbfe6ae44a68ef1b010bce93a218891f76804313 (patch) | |
| tree | a8e10ccd9bf9db0486de51b98034ee4bbbdd09f2 | |
| parent | 52d6d0fec455c0de5633bf021e10875de08f49a3 (diff) | |
| download | longterm-queue-4.18-bbfe6ae44a68ef1b010bce93a218891f76804313.tar.gz | |
raw import of commits used in 4.19.[48/49/50] for consideration
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
153 files changed, 13027 insertions, 0 deletions
diff --git a/queue/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch b/queue/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch new file mode 100644 index 0000000..acaabc4 --- /dev/null +++ b/queue/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch @@ -0,0 +1,67 @@ +From 9cb40eb184c4220d244a532bd940c6345ad9dbd9 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Wed, 29 May 2019 12:41:38 +0800 +Subject: [PATCH] ALSA: hda/realtek - Improve the headset mic for Acer Aspire + laptops + +commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9 upstream. + +We met another Acer Aspire laptop which has the problem on the +headset-mic, the Pin 0x19 is not set the corret configuration for a +mic and the pin presence can't be detected too after plugging a +headset. Kailang suggested that we should set the coeff to enable the +mic and apply the ALC269_FIXUP_LIFEBOOK_EXTMIC. After doing that, +both headset-mic presence and headset-mic work well. + +The existing ALC255_FIXUP_ACER_MIC_NO_PRESENCE set the headset-mic +jack to be a phantom jack. Now since the jack can support presence +unsol event, let us imporve it to set the jack to be a normal jack. + +https://bugs.launchpad.net/bugs/1821269 +Fixes: 5824ce8de7b1c ("ALSA: hda/realtek - Add support for Acer Aspire E5-475 headset mic") +Cc: Chris Chiu <chiu@endlessm.com> +CC: Daniel Drake <drake@endlessm.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Kailang Yang <kailang@realtek.com> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f1bac03e954b..18cb48054e54 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6223,13 +6223,15 @@ static const struct hda_fixup alc269_fixups[] = { + .chain_id = ALC269_FIXUP_THINKPAD_ACPI, + }, + [ALC255_FIXUP_ACER_MIC_NO_PRESENCE] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */ +- { } ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* Enable the Mic */ ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 }, ++ {} + }, + .chained = true, +- .chain_id = ALC255_FIXUP_HEADSET_MODE ++ .chain_id = ALC269_FIXUP_LIFEBOOK_EXTMIC + }, + [ALC255_FIXUP_ASUS_MIC_NO_PRESENCE] = { + .type = HDA_FIXUP_PINS, +@@ -7274,6 +7276,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x19, 0x0181303F}, + {0x21, 0x0221102f}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE, ++ {0x12, 0x90a60140}, ++ {0x14, 0x90170120}, ++ {0x21, 0x02211030}), ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE, + {0x12, 0x90a601c0}, + {0x14, 0x90171120}, + {0x21, 0x02211030}), +-- +2.9.5 + diff --git a/queue/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch b/queue/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch new file mode 100644 index 0000000..c2d361d --- /dev/null +++ b/queue/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch @@ -0,0 +1,34 @@ +From 317d9313925cd8388304286c0d3c8dda7f060a2d Mon Sep 17 00:00:00 2001 +From: Kailang Yang <kailang@realtek.com> +Date: Thu, 23 May 2019 14:43:04 +0800 +Subject: [PATCH] ALSA: hda/realtek - Set default power save node to 0 + +commit 317d9313925cd8388304286c0d3c8dda7f060a2d upstream. + +I measured power consumption between power_save_node=1 and power_save_node=0. +It's almost the same. +Codec will enter to runtime suspend and suspend. +That pin also will enter to D3. Don't need to enter to D3 by single pin. +So, Disable power_save_node as default. It will avoid more issues. +Windows Driver also has not this option at runtime PM. + +Signed-off-by: Kailang Yang <kailang@realtek.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b984bd1d1971..1ca2a83b65cd 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7711,7 +7711,7 @@ static int patch_alc269(struct hda_codec *codec) + + spec = codec->spec; + spec->gen.shared_mic_vref_pin = 0x18; +- codec->power_save_node = 1; ++ codec->power_save_node = 0; + + #ifdef CONFIG_PM + codec->patch_ops.suspend = alc269_suspend; +-- +2.9.5 + diff --git a/queue/ALSA-line6-Assure-canceling-delayed-work-at-disconne.patch b/queue/ALSA-line6-Assure-canceling-delayed-work-at-disconne.patch new file mode 100644 index 0000000..38e3a87 --- /dev/null +++ b/queue/ALSA-line6-Assure-canceling-delayed-work-at-disconne.patch @@ -0,0 +1,142 @@ +From 0b074ab7fc0d575247b9cc9f93bb7e007ca38840 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 28 May 2019 08:39:44 +0200 +Subject: [PATCH] ALSA: line6: Assure canceling delayed work at disconnection + +commit 0b074ab7fc0d575247b9cc9f93bb7e007ca38840 upstream. + +The current code performs the cancel of a delayed work at the late +stage of disconnection procedure, which may lead to the access to the +already cleared state. + +This patch assures to call cancel_delayed_work_sync() at the beginning +of the disconnection procedure for avoiding that race. The delayed +work object is now assigned in the common line6 object instead of its +derivative, so that we can call cancel_delayed_work_sync(). + +Along with the change, the startup function is called via the new +callback instead. This will make it easier to port other LINE6 +drivers to use the delayed work for startup in later patches. + +Reported-by: syzbot+5255458d5e0a2b10bbb9@syzkaller.appspotmail.com +Fixes: 7f84ff68be05 ("ALSA: line6: toneport: Fix broken usage of timer for delayed execution") +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index b61f65bed4e4..2b57854335b3 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -720,6 +720,15 @@ static int line6_init_cap_control(struct usb_line6 *line6) + return 0; + } + ++static void line6_startup_work(struct work_struct *work) ++{ ++ struct usb_line6 *line6 = ++ container_of(work, struct usb_line6, startup_work.work); ++ ++ if (line6->startup) ++ line6->startup(line6); ++} ++ + /* + Probe USB device. + */ +@@ -755,6 +764,7 @@ int line6_probe(struct usb_interface *interface, + line6->properties = properties; + line6->usbdev = usbdev; + line6->ifcdev = &interface->dev; ++ INIT_DELAYED_WORK(&line6->startup_work, line6_startup_work); + + strcpy(card->id, properties->id); + strcpy(card->driver, driver_name); +@@ -825,6 +835,8 @@ void line6_disconnect(struct usb_interface *interface) + if (WARN_ON(usbdev != line6->usbdev)) + return; + ++ cancel_delayed_work(&line6->startup_work); ++ + if (line6->urb_listen != NULL) + line6_stop_listen(line6); + +diff --git a/sound/usb/line6/driver.h b/sound/usb/line6/driver.h +index 61425597eb61..650d909c9c4f 100644 +--- a/sound/usb/line6/driver.h ++++ b/sound/usb/line6/driver.h +@@ -178,11 +178,15 @@ struct usb_line6 { + fifo; + } messages; + ++ /* Work for delayed PCM startup */ ++ struct delayed_work startup_work; ++ + /* If MIDI is supported, buffer_message contains the pre-processed data; + * otherwise the data is only in urb_listen (buffer_incoming). + */ + void (*process_message)(struct usb_line6 *); + void (*disconnect)(struct usb_line6 *line6); ++ void (*startup)(struct usb_line6 *line6); + }; + + extern char *line6_alloc_sysex_buffer(struct usb_line6 *line6, int code1, +diff --git a/sound/usb/line6/toneport.c b/sound/usb/line6/toneport.c +index e28368d8eba2..55865f7e437d 100644 +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -54,9 +54,6 @@ struct usb_line6_toneport { + /* Firmware version (x 100) */ + u8 firmware_version; + +- /* Work for delayed PCM startup */ +- struct delayed_work pcm_work; +- + /* Device type */ + enum line6_device_type type; + +@@ -241,12 +238,8 @@ static int snd_toneport_source_put(struct snd_kcontrol *kcontrol, + return 1; + } + +-static void toneport_start_pcm(struct work_struct *work) ++static void toneport_startup(struct usb_line6 *line6) + { +- struct usb_line6_toneport *toneport = +- container_of(work, struct usb_line6_toneport, pcm_work.work); +- struct usb_line6 *line6 = &toneport->line6; +- + line6_pcm_acquire(line6->line6pcm, LINE6_STREAM_MONITOR, true); + } + +@@ -394,7 +387,7 @@ static int toneport_setup(struct usb_line6_toneport *toneport) + if (toneport_has_led(toneport)) + toneport_update_led(toneport); + +- schedule_delayed_work(&toneport->pcm_work, ++ schedule_delayed_work(&toneport->line6.startup_work, + msecs_to_jiffies(TONEPORT_PCM_DELAY * 1000)); + return 0; + } +@@ -407,8 +400,6 @@ static void line6_toneport_disconnect(struct usb_line6 *line6) + struct usb_line6_toneport *toneport = + (struct usb_line6_toneport *)line6; + +- cancel_delayed_work_sync(&toneport->pcm_work); +- + if (toneport_has_led(toneport)) + toneport_remove_leds(toneport); + } +@@ -424,9 +415,9 @@ static int toneport_init(struct usb_line6 *line6, + struct usb_line6_toneport *toneport = (struct usb_line6_toneport *) line6; + + toneport->type = id->driver_info; +- INIT_DELAYED_WORK(&toneport->pcm_work, toneport_start_pcm); + + line6->disconnect = line6_toneport_disconnect; ++ line6->startup = toneport_startup; + + /* initialize PCM subsystem: */ + err = line6_init_pcm(line6, &toneport_pcm_properties); +-- +2.9.5 + diff --git a/queue/Btrfs-fix-fsync-not-persisting-changed-attributes-of.patch b/queue/Btrfs-fix-fsync-not-persisting-changed-attributes-of.patch new file mode 100644 index 0000000..9157d57 --- /dev/null +++ b/queue/Btrfs-fix-fsync-not-persisting-changed-attributes-of.patch @@ -0,0 +1,96 @@ +From 60d9f50308e5df19bc18c2fefab0eba4a843900a Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Thu, 16 May 2019 15:48:55 +0100 +Subject: [PATCH] Btrfs: fix fsync not persisting changed attributes of a + directory + +commit 60d9f50308e5df19bc18c2fefab0eba4a843900a upstream. + +While logging an inode we follow its ancestors and for each one we mark +it as logged in the current transaction, even if we have not logged it. +As a consequence if we change an attribute of an ancestor, such as the +UID or GID for example, and then explicitly fsync it, we end up not +logging the inode at all despite returning success to user space, which +results in the attribute being lost if a power failure happens after +the fsync. + +Sample reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ mkdir /mnt/dir + $ chown 6007:6007 /mnt/dir + + $ sync + + $ chown 9003:9003 /mnt/dir + $ touch /mnt/dir/file + $ xfs_io -c fsync /mnt/dir/file + + # fsync our directory after fsync'ing the new file, should persist the + # new values for the uid and gid. + $ xfs_io -c fsync /mnt/dir + + <power failure> + + $ mount /dev/sdb /mnt + $ stat -c %u:%g /mnt/dir + 6007:6007 + + --> should be 9003:9003, the uid and gid were not persisted, despite + the explicit fsync on the directory prior to the power failure + +Fix this by not updating the logged_trans field of ancestor inodes when +logging an inode, since we have not logged them. Let only future calls to +btrfs_log_inode() to mark inodes as logged. + +This could be triggered by my recent fsync fuzz tester for fstests, for +which an fstests patch exists titled "fstests: generic, fsync fuzz tester +with fsstress". + +Fixes: 12fcfd22fe5b ("Btrfs: tree logging unlink/rename fixes") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6c47f6ed3e94..de729acee738 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5478,7 +5478,6 @@ static noinline int check_parent_dirs_for_sync(struct btrfs_trans_handle *trans, + { + int ret = 0; + struct dentry *old_parent = NULL; +- struct btrfs_inode *orig_inode = inode; + + /* + * for regular files, if its inode is already on disk, we don't +@@ -5498,16 +5497,6 @@ static noinline int check_parent_dirs_for_sync(struct btrfs_trans_handle *trans, + } + + while (1) { +- /* +- * If we are logging a directory then we start with our inode, +- * not our parent's inode, so we need to skip setting the +- * logged_trans so that further down in the log code we don't +- * think this inode has already been logged. +- */ +- if (inode != orig_inode) +- inode->logged_trans = trans->transid; +- smp_mb(); +- + if (btrfs_must_commit_transaction(trans, inode)) { + ret = 1; + break; +@@ -6384,7 +6373,6 @@ void btrfs_record_unlink_dir(struct btrfs_trans_handle *trans, + * if this directory was already logged any new + * names for this file/dir will get recorded + */ +- smp_mb(); + if (dir->logged_trans == trans->transid) + return; + +-- +2.9.5 + diff --git a/queue/Btrfs-fix-race-updating-log-root-item-during-fsync.patch b/queue/Btrfs-fix-race-updating-log-root-item-during-fsync.patch new file mode 100644 index 0000000..5d59584 --- /dev/null +++ b/queue/Btrfs-fix-race-updating-log-root-item-during-fsync.patch @@ -0,0 +1,123 @@ +From 06989c799f04810f6876900d4760c0edda369cf7 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Wed, 15 May 2019 16:03:17 +0100 +Subject: [PATCH] Btrfs: fix race updating log root item during fsync + +commit 06989c799f04810f6876900d4760c0edda369cf7 upstream. + +When syncing the log, the final phase of a fsync operation, we need to +either create a log root's item or update the existing item in the log +tree of log roots, and that depends on the current value of the log +root's log_transid - if it's 1 we need to create the log root item, +otherwise it must exist already and we update it. Since there is no +synchronization between updating the log_transid and checking it for +deciding whether the log root's item needs to be created or updated, we +end up with a tiny race window that results in attempts to update the +item to fail because the item was not yet created: + + CPU 1 CPU 2 + + btrfs_sync_log() + + lock root->log_mutex + + set log root's log_transid to 1 + + unlock root->log_mutex + + btrfs_sync_log() + + lock root->log_mutex + + sets log root's + log_transid to 2 + + unlock root->log_mutex + + update_log_root() + + sees log root's log_transid + with a value of 2 + + calls btrfs_update_root(), + which fails with -EUCLEAN + and causes transaction abort + +Until recently the race lead to a BUG_ON at btrfs_update_root(), but after +the recent commit 7ac1e464c4d47 ("btrfs: Don't panic when we can't find a +root key") we just abort the current transaction. + +A sample trace of the BUG_ON() on a SLE12 kernel: + + ------------[ cut here ]------------ + kernel BUG at ../fs/btrfs/root-tree.c:157! + Oops: Exception in kernel mode, sig: 5 [#1] + SMP NR_CPUS=2048 NUMA pSeries + (...) + Supported: Yes, External + CPU: 78 PID: 76303 Comm: rtas_errd Tainted: G X 4.4.156-94.57-default #1 + task: c00000ffa906d010 ti: c00000ff42b08000 task.ti: c00000ff42b08000 + NIP: d000000036ae5cdc LR: d000000036ae5cd8 CTR: 0000000000000000 + REGS: c00000ff42b0b860 TRAP: 0700 Tainted: G X (4.4.156-94.57-default) + MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 22444484 XER: 20000000 + CFAR: d000000036aba66c SOFTE: 1 + GPR00: d000000036ae5cd8 c00000ff42b0bae0 d000000036bda220 0000000000000054 + GPR04: 0000000000000001 0000000000000000 c00007ffff8d37c8 0000000000000000 + GPR08: c000000000e19c00 0000000000000000 0000000000000000 3736343438312079 + GPR12: 3930373337303434 c000000007a3a800 00000000007fffff 0000000000000023 + GPR16: c00000ffa9d26028 c00000ffa9d261f8 0000000000000010 c00000ffa9d2ab28 + GPR20: c00000ff42b0bc48 0000000000000001 c00000ff9f0d9888 0000000000000001 + GPR24: c00000ffa9d26000 c00000ffa9d261e8 c00000ffa9d2a800 c00000ff9f0d9888 + GPR28: c00000ffa9d26028 c00000ffa9d2aa98 0000000000000001 c00000ffa98f5b20 + NIP [d000000036ae5cdc] btrfs_update_root+0x25c/0x4e0 [btrfs] + LR [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] + Call Trace: + [c00000ff42b0bae0] [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] (unreliable) + [c00000ff42b0bba0] [d000000036b53610] btrfs_sync_log+0x2d0/0xc60 [btrfs] + [c00000ff42b0bce0] [d000000036b1785c] btrfs_sync_file+0x44c/0x4e0 [btrfs] + [c00000ff42b0bd80] [c00000000032e300] vfs_fsync_range+0x70/0x120 + [c00000ff42b0bdd0] [c00000000032e44c] do_fsync+0x5c/0xb0 + [c00000ff42b0be10] [c00000000032e8dc] SyS_fdatasync+0x2c/0x40 + [c00000ff42b0be30] [c000000000009488] system_call+0x3c/0x100 + Instruction dump: + 7f43d378 4bffebb9 60000000 88d90008 3d220000 e8b90000 3b390009 e87a01f0 + e8898e08 e8f90000 4bfd48e5 60000000 <0fe00000> e95b0060 39200004 394a0ea0 + ---[ end trace 8f2dc8f919cabab8 ]--- + +So fix this by doing the check of log_transid and updating or creating the +log root's item while holding the root's log_mutex. + +Fixes: 7237f1833601d ("Btrfs: fix tree logs parallel sync") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index de729acee738..3fc8d854d7fb 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3110,6 +3110,12 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, + log->log_transid = root->log_transid; + root->log_start_pid = 0; + /* ++ * Update or create log root item under the root's log_mutex to prevent ++ * races with concurrent log syncs that can lead to failure to update ++ * log root item because it was not created yet. ++ */ ++ ret = update_log_root(trans, log); ++ /* + * IO has been started, blocks of the log tree have WRITTEN flag set + * in their headers. new modifications of the log will be written to + * new positions. so it's safe to allow log writers to go in. +@@ -3128,8 +3134,6 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, + + mutex_unlock(&log_root_tree->log_mutex); + +- ret = update_log_root(trans, log); +- + mutex_lock(&log_root_tree->log_mutex); + if (atomic_dec_and_test(&log_root_tree->log_writers)) { + /* atomic_dec_and_test implies a barrier */ +-- +2.9.5 + diff --git a/queue/Btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch b/queue/Btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch new file mode 100644 index 0000000..f5b4d2e --- /dev/null +++ b/queue/Btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch @@ -0,0 +1,79 @@ +From 5338e43abbab13791144d37fd8846847062351c6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Wed, 15 May 2019 16:02:47 +0100 +Subject: [PATCH] Btrfs: fix wrong ctime and mtime of a directory after log + replay + +commit 5338e43abbab13791144d37fd8846847062351c6 upstream. + +When replaying a log that contains a new file or directory name that needs +to be added to its parent directory, we end up updating the mtime and the +ctime of the parent directory to the current time after we have set their +values to the correct ones (set at fsync time), efectivelly losing them. + +Sample reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ mkdir /mnt/dir + $ touch /mnt/dir/file + + # fsync of the directory is optional, not needed + $ xfs_io -c fsync /mnt/dir + $ xfs_io -c fsync /mnt/dir/file + + $ stat -c %Y /mnt/dir + 1557856079 + + <power failure> + + $ sleep 3 + $ mount /dev/sdb /mnt + $ stat -c %Y /mnt/dir + 1557856082 + + --> should have been 1557856079, the mtime is updated to the current + time when replaying the log + +Fix this by not updating the mtime and ctime to the current time at +btrfs_add_link() when we are replaying a log tree. + +This could be triggered by my recent fsync fuzz tester for fstests, for +which an fstests patch exists titled "fstests: generic, fsync fuzz tester +with fsstress". + +Fixes: e02119d5a7b43 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Nikolay Borisov <nborisov@suse.com> +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index b6d549c993f6..6bebc0ca751d 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6433,8 +6433,18 @@ int btrfs_add_link(struct btrfs_trans_handle *trans, + btrfs_i_size_write(parent_inode, parent_inode->vfs_inode.i_size + + name_len * 2); + inode_inc_iversion(&parent_inode->vfs_inode); +- parent_inode->vfs_inode.i_mtime = parent_inode->vfs_inode.i_ctime = +- current_time(&parent_inode->vfs_inode); ++ /* ++ * If we are replaying a log tree, we do not want to update the mtime ++ * and ctime of the parent directory with the current time, since the ++ * log replay procedure is responsible for setting them to their correct ++ * values (the ones it had when the fsync was done). ++ */ ++ if (!test_bit(BTRFS_FS_LOG_RECOVERING, &root->fs_info->flags)) { ++ struct timespec64 now = current_time(&parent_inode->vfs_inode); ++ ++ parent_inode->vfs_inode.i_mtime = now; ++ parent_inode->vfs_inode.i_ctime = now; ++ } + ret = btrfs_update_inode(trans, root, &parent_inode->vfs_inode); + if (ret) + btrfs_abort_transaction(trans, ret); +-- +2.9.5 + diff --git a/queue/Btrfs-incremental-send-fix-file-corruption-when-no-h.patch b/queue/Btrfs-incremental-send-fix-file-corruption-when-no-h.patch new file mode 100644 index 0000000..1722560 --- /dev/null +++ b/queue/Btrfs-incremental-send-fix-file-corruption-when-no-h.patch @@ -0,0 +1,79 @@ +From 6b1f72e5b82a5c2a4da4d1ebb8cc01913ddbea21 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Mon, 20 May 2019 09:55:42 +0100 +Subject: [PATCH] Btrfs: incremental send, fix file corruption when no-holes + feature is enabled + +commit 6b1f72e5b82a5c2a4da4d1ebb8cc01913ddbea21 upstream. + +When using the no-holes feature, if we have a file with prealloc extents +with a start offset beyond the file's eof, doing an incremental send can +cause corruption of the file due to incorrect hole detection. Such case +requires that the prealloc extent(s) exist in both the parent and send +snapshots, and that a hole is punched into the file that covers all its +extents that do not cross the eof boundary. + +Example reproducer: + + $ mkfs.btrfs -f -O no-holes /dev/sdb + $ mount /dev/sdb /mnt/sdb + + $ xfs_io -f -c "pwrite -S 0xab 0 500K" /mnt/sdb/foobar + $ xfs_io -c "falloc -k 1200K 800K" /mnt/sdb/foobar + + $ btrfs subvolume snapshot -r /mnt/sdb /mnt/sdb/base + + $ btrfs send -f /tmp/base.snap /mnt/sdb/base + + $ xfs_io -c "fpunch 0 500K" /mnt/sdb/foobar + + $ btrfs subvolume snapshot -r /mnt/sdb /mnt/sdb/incr + + $ btrfs send -p /mnt/sdb/base -f /tmp/incr.snap /mnt/sdb/incr + + $ md5sum /mnt/sdb/incr/foobar + 816df6f64deba63b029ca19d880ee10a /mnt/sdb/incr/foobar + + $ mkfs.btrfs -f /dev/sdc + $ mount /dev/sdc /mnt/sdc + + $ btrfs receive -f /tmp/base.snap /mnt/sdc + $ btrfs receive -f /tmp/incr.snap /mnt/sdc + + $ md5sum /mnt/sdc/incr/foobar + cf2ef71f4a9e90c2f6013ba3b2257ed2 /mnt/sdc/incr/foobar + + --> Different checksum, because the prealloc extent beyond the + file's eof confused the hole detection code and it assumed + a hole starting at offset 0 and ending at the offset of the + prealloc extent (1200Kb) instead of ending at the offset + 500Kb (the file's size). + +Fix this by ensuring we never cross the file's size when issuing the +write operations for a hole. + +Fixes: 16e7549f045d33 ("Btrfs: incompatible format change to remove hole extents") +CC: stable@vger.kernel.org # 3.14+ +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index dd38dfe174df..ca30b1f06e2d 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4999,6 +4999,12 @@ static int send_hole(struct send_ctx *sctx, u64 end) + if (offset >= sctx->cur_inode_size) + return 0; + ++ /* ++ * Don't go beyond the inode's i_size due to prealloc extents that start ++ * after the i_size. ++ */ ++ end = min_t(u64, end, sctx->cur_inode_size); ++ + if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA) + return send_update_extent(sctx, offset, end - offset); + +-- +2.9.5 + diff --git a/queue/CIFS-cifs_read_allocate_pages-don-t-iterate-through-.patch b/queue/CIFS-cifs_read_allocate_pages-don-t-iterate-through-.patch new file mode 100644 index 0000000..fae8dc2 --- /dev/null +++ b/queue/CIFS-cifs_read_allocate_pages-don-t-iterate-through-.patch @@ -0,0 +1,36 @@ +From 31fad7d41e73731f05b8053d17078638cf850fa6 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas <rbergant@redhat.com> +Date: Tue, 28 May 2019 09:38:14 +0200 +Subject: [PATCH] CIFS: cifs_read_allocate_pages: don't iterate through whole + page array on ENOMEM + +commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream. + + In cifs_read_allocate_pages, in case of ENOMEM, we go through +whole rdata->pages array but we have failed the allocation before +nr_pages, therefore we may end up calling put_page with NULL +pointer, causing oops + +Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com> +Acked-by: Pavel Shilovsky <pshilov@microsoft.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +CC: Stable <stable@vger.kernel.org> + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index ce9a5be11df5..06e27ac6d82c 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3216,7 +3216,9 @@ cifs_read_allocate_pages(struct cifs_readdata *rdata, unsigned int nr_pages) + } + + if (rc) { +- for (i = 0; i < nr_pages; i++) { ++ unsigned int nr_page_failed = i; ++ ++ for (i = 0; i < nr_page_failed; i++) { + put_page(rdata->pages[i]); + rdata->pages[i] = NULL; + } +-- +2.9.5 + diff --git a/queue/Compiler-Attributes-add-support-for-__copy-gcc-9.patch b/queue/Compiler-Attributes-add-support-for-__copy-gcc-9.patch new file mode 100644 index 0000000..4f62c65 --- /dev/null +++ b/queue/Compiler-Attributes-add-support-for-__copy-gcc-9.patch @@ -0,0 +1,94 @@ +From c0d9782f5b6d7157635ae2fd782a4b27d55a6013 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> +Date: Fri, 8 Feb 2019 23:51:05 +0100 +Subject: [PATCH] Compiler Attributes: add support for __copy (gcc >= 9) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit c0d9782f5b6d7157635ae2fd782a4b27d55a6013 upstream. + +From the GCC manual: + + copy + copy(function) + + The copy attribute applies the set of attributes with which function + has been declared to the declaration of the function to which + the attribute is applied. The attribute is designed for libraries + that define aliases or function resolvers that are expected + to specify the same set of attributes as their targets. The copy + attribute can be used with functions, variables, or types. However, + the kind of symbol to which the attribute is applied (either + function or variable) must match the kind of symbol to which + the argument refers. The copy attribute copies only syntactic and + semantic attributes but not attributes that affect a symbol’s + linkage or visibility such as alias, visibility, or weak. + The deprecated attribute is also not copied. + + https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html + +The upcoming GCC 9 release extends the -Wmissing-attributes warnings +(enabled by -Wall) to C and aliases: it warns when particular function +attributes are missing in the aliases but not in their target, e.g.: + + void __cold f(void) {} + void __alias("f") g(void); + +diagnoses: + + warning: 'g' specifies less restrictive attribute than + its target 'f': 'cold' [-Wmissing-attributes] + +Using __copy(f) we can copy the __cold attribute from f to g: + + void __cold f(void) {} + void __copy(f) __alias("f") g(void); + +This attribute is most useful to deal with situations where an alias +is declared but we don't know the exact attributes the target has. + +For instance, in the kernel, the widely used module_init/exit macros +define the init/cleanup_module aliases, but those cannot be marked +always as __init/__exit since some modules do not have their +functions marked as such. + +Suggested-by: Martin Sebor <msebor@gcc.gnu.org> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> + +diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h +index 19f32b0c29af..6b318efd8a74 100644 +--- a/include/linux/compiler_attributes.h ++++ b/include/linux/compiler_attributes.h +@@ -34,6 +34,7 @@ + #ifndef __has_attribute + # define __has_attribute(x) __GCC4_has_attribute_##x + # define __GCC4_has_attribute___assume_aligned__ (__GNUC_MINOR__ >= 9) ++# define __GCC4_has_attribute___copy__ 0 + # define __GCC4_has_attribute___designated_init__ 0 + # define __GCC4_has_attribute___externally_visible__ 1 + # define __GCC4_has_attribute___noclone__ 1 +@@ -101,6 +102,19 @@ + #define __attribute_const__ __attribute__((__const__)) + + /* ++ * Optional: only supported since gcc >= 9 ++ * Optional: not supported by clang ++ * Optional: not supported by icc ++ * ++ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-copy-function-attribute ++ */ ++#if __has_attribute(__copy__) ++# define __copy(symbol) __attribute__((__copy__(symbol))) ++#else ++# define __copy(symbol) ++#endif ++ ++/* + * Don't. Just don't. See commit 771c035372a0 ("deprecate the '__deprecated' + * attribute warnings entirely and for good") for more information. + * +-- +2.9.5 + diff --git a/queue/Fix-memory-leak-in-sctp_process_init.patch b/queue/Fix-memory-leak-in-sctp_process_init.patch new file mode 100644 index 0000000..8d097d1 --- /dev/null +++ b/queue/Fix-memory-leak-in-sctp_process_init.patch @@ -0,0 +1,125 @@ +From 0a8dd9f67cd0da7dc284f48b032ce00db1a68791 Mon Sep 17 00:00:00 2001 +From: Neil Horman <nhorman@tuxdriver.com> +Date: Mon, 3 Jun 2019 16:32:59 -0400 +Subject: [PATCH] Fix memory leak in sctp_process_init + +commit 0a8dd9f67cd0da7dc284f48b032ce00db1a68791 upstream. + +syzbot found the following leak in sctp_process_init +BUG: memory leak +unreferenced object 0xffff88810ef68400 (size 1024): + comm "syz-executor273", pid 7046, jiffies 4294945598 (age 28.770s) + hex dump (first 32 bytes): + 1d de 28 8d de 0b 1b e3 b5 c2 f9 68 fd 1a 97 25 ..(........h...% + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000a02cebbd>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 +[inline] + [<00000000a02cebbd>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000a02cebbd>] slab_alloc mm/slab.c:3326 [inline] + [<00000000a02cebbd>] __do_kmalloc mm/slab.c:3658 [inline] + [<00000000a02cebbd>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675 + [<000000009e6245e6>] kmemdup+0x27/0x60 mm/util.c:119 + [<00000000dfdc5d2d>] kmemdup include/linux/string.h:432 [inline] + [<00000000dfdc5d2d>] sctp_process_init+0xa7e/0xc20 +net/sctp/sm_make_chunk.c:2437 + [<00000000b58b62f8>] sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 +[inline] + [<00000000b58b62f8>] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1384 +[inline] + [<00000000b58b62f8>] sctp_side_effects net/sctp/sm_sideeffect.c:1194 +[inline] + [<00000000b58b62f8>] sctp_do_sm+0xbdc/0x1d60 net/sctp/sm_sideeffect.c:1165 + [<0000000044e11f96>] sctp_assoc_bh_rcv+0x13c/0x200 +net/sctp/associola.c:1074 + [<00000000ec43804d>] sctp_inq_push+0x7f/0xb0 net/sctp/inqueue.c:95 + [<00000000726aa954>] sctp_backlog_rcv+0x5e/0x2a0 net/sctp/input.c:354 + [<00000000d9e249a8>] sk_backlog_rcv include/net/sock.h:950 [inline] + [<00000000d9e249a8>] __release_sock+0xab/0x110 net/core/sock.c:2418 + [<00000000acae44fa>] release_sock+0x37/0xd0 net/core/sock.c:2934 + [<00000000963cc9ae>] sctp_sendmsg+0x2c0/0x990 net/sctp/socket.c:2122 + [<00000000a7fc7565>] inet_sendmsg+0x64/0x120 net/ipv4/af_inet.c:802 + [<00000000b732cbd3>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000b732cbd3>] sock_sendmsg+0x54/0x70 net/socket.c:671 + [<00000000274c57ab>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2292 + [<000000008252aedb>] __sys_sendmsg+0x80/0xf0 net/socket.c:2330 + [<00000000f7bf23d1>] __do_sys_sendmsg net/socket.c:2339 [inline] + [<00000000f7bf23d1>] __se_sys_sendmsg net/socket.c:2337 [inline] + [<00000000f7bf23d1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2337 + [<00000000a8b4131f>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:3 + +The problem was that the peer.cookie value points to an skb allocated +area on the first pass through this function, at which point it is +overwritten with a heap allocated value, but in certain cases, where a +COOKIE_ECHO chunk is included in the packet, a second pass through +sctp_process_init is made, where the cookie value is re-allocated, +leaking the first allocation. + +Fix is to always allocate the cookie value, and free it when we are done +using it. + +Signed-off-by: Neil Horman <nhorman@tuxdriver.com> +Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com +CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +CC: "David S. Miller" <davem@davemloft.net> +CC: netdev@vger.kernel.org +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 92331e1195c1..f17908f5c4f3 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2312,7 +2312,6 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk, + union sctp_addr addr; + struct sctp_af *af; + int src_match = 0; +- char *cookie; + + /* We must include the address that the INIT packet came from. + * This is the only address that matters for an INIT packet. +@@ -2416,14 +2415,6 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk, + /* Peer Rwnd : Current calculated value of the peer's rwnd. */ + asoc->peer.rwnd = asoc->peer.i.a_rwnd; + +- /* Copy cookie in case we need to resend COOKIE-ECHO. */ +- cookie = asoc->peer.cookie; +- if (cookie) { +- asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp); +- if (!asoc->peer.cookie) +- goto clean_up; +- } +- + /* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily + * high (for example, implementations MAY use the size of the receiver + * advertised window). +@@ -2592,7 +2583,9 @@ do_addr_param: + case SCTP_PARAM_STATE_COOKIE: + asoc->peer.cookie_len = + ntohs(param.p->length) - sizeof(struct sctp_paramhdr); +- asoc->peer.cookie = param.cookie->body; ++ asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp); ++ if (!asoc->peer.cookie) ++ retval = 0; + break; + + case SCTP_PARAM_HEARTBEAT_INFO: +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c +index 9b50da548db2..a554d6d15d1b 100644 +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -883,6 +883,11 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds, + asoc->rto_initial; + } + ++ if (sctp_state(asoc, ESTABLISHED)) { ++ kfree(asoc->peer.cookie); ++ asoc->peer.cookie = NULL; ++ } ++ + if (sctp_state(asoc, ESTABLISHED) || + sctp_state(asoc, CLOSED) || + sctp_state(asoc, SHUTDOWN_RECEIVED)) { +-- +2.9.5 + diff --git a/queue/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch b/queue/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch new file mode 100644 index 0000000..0b0667c --- /dev/null +++ b/queue/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch @@ -0,0 +1,98 @@ +From ef9740204051d0e00f5402fe96cf3a43ddd2bbbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org> +Date: Tue, 28 May 2019 14:17:15 +0200 +Subject: [PATCH] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of + passthrough interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit ef9740204051d0e00f5402fe96cf3a43ddd2bbbf upstream. + +The passthrough interrupts are defined at the host level and their IRQ +data should not be cleared unless specifically deconfigured (shutdown) +by the host. They differ from the IPI interrupts which are allocated +by the XIVE KVM device and reserved to the guest usage only. + +This fixes a host crash when destroying a VM in which a PCI adapter +was passed-through. In this case, the interrupt is cleared and freed +by the KVM device and then shutdown by vfio at the host level. + +[ 1007.360265] BUG: Kernel NULL pointer dereference at 0x00000d00 +[ 1007.360285] Faulting instruction address: 0xc00000000009da34 +[ 1007.360296] Oops: Kernel access of bad area, sig: 7 [#1] +[ 1007.360303] LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV +[ 1007.360314] Modules linked in: vhost_net vhost iptable_mangle ipt_MASQUERADE iptable_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 tun bridge stp llc kvm_hv kvm xt_tcpudp iptable_filter squashfs fuse binfmt_misc vmx_crypto ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi nfsd ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress lzo_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq multipath mlx5_ib ib_uverbs ib_core crc32c_vpmsum mlx5_core +[ 1007.360425] CPU: 9 PID: 15576 Comm: CPU 18/KVM Kdump: loaded Not tainted 5.1.0-gad7e7d0ef #4 +[ 1007.360454] NIP: c00000000009da34 LR: c00000000009e50c CTR: c00000000009e5d0 +[ 1007.360482] REGS: c000007f24ccf330 TRAP: 0300 Not tainted (5.1.0-gad7e7d0ef) +[ 1007.360500] MSR: 900000000280b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24002484 XER: 00000000 +[ 1007.360532] CFAR: c00000000009da10 DAR: 0000000000000d00 DSISR: 00080000 IRQMASK: 1 +[ 1007.360532] GPR00: c00000000009e62c c000007f24ccf5c0 c000000001510600 c000007fe7f947c0 +[ 1007.360532] GPR04: 0000000000000d00 0000000000000000 0000000000000000 c000005eff02d200 +[ 1007.360532] GPR08: 0000000000400000 0000000000000000 0000000000000000 fffffffffffffffd +[ 1007.360532] GPR12: c00000000009e5d0 c000007fffff7b00 0000000000000031 000000012c345718 +[ 1007.360532] GPR16: 0000000000000000 0000000000000008 0000000000418004 0000000000040100 +[ 1007.360532] GPR20: 0000000000000000 0000000008430000 00000000003c0000 0000000000000027 +[ 1007.360532] GPR24: 00000000000000ff 0000000000000000 00000000000000ff c000007faa90d98c +[ 1007.360532] GPR28: c000007faa90da40 00000000000fe040 ffffffffffffffff c000007fe7f947c0 +[ 1007.360689] NIP [c00000000009da34] xive_esb_read+0x34/0x120 +[ 1007.360706] LR [c00000000009e50c] xive_do_source_set_mask.part.0+0x2c/0x50 +[ 1007.360732] Call Trace: +[ 1007.360738] [c000007f24ccf5c0] [c000000000a6383c] snooze_loop+0x15c/0x270 (unreliable) +[ 1007.360775] [c000007f24ccf5f0] [c00000000009e62c] xive_irq_shutdown+0x5c/0xe0 +[ 1007.360795] [c000007f24ccf630] [c00000000019e4a0] irq_shutdown+0x60/0xe0 +[ 1007.360813] [c000007f24ccf660] [c000000000198c44] __free_irq+0x3a4/0x420 +[ 1007.360831] [c000007f24ccf700] [c000000000198dc8] free_irq+0x78/0xe0 +[ 1007.360849] [c000007f24ccf730] [c00000000096c5a8] vfio_msi_set_vector_signal+0xa8/0x350 +[ 1007.360878] [c000007f24ccf7f0] [c00000000096c938] vfio_msi_set_block+0xe8/0x1e0 +[ 1007.360899] [c000007f24ccf850] [c00000000096cae0] vfio_msi_disable+0xb0/0x110 +[ 1007.360912] [c000007f24ccf8a0] [c00000000096cd04] vfio_pci_set_msi_trigger+0x1c4/0x3d0 +[ 1007.360922] [c000007f24ccf910] [c00000000096d910] vfio_pci_set_irqs_ioctl+0xa0/0x170 +[ 1007.360941] [c000007f24ccf930] [c00000000096b400] vfio_pci_disable+0x80/0x5e0 +[ 1007.360963] [c000007f24ccfa10] [c00000000096b9bc] vfio_pci_release+0x5c/0x90 +[ 1007.360991] [c000007f24ccfa40] [c000000000963a9c] vfio_device_fops_release+0x3c/0x70 +[ 1007.361012] [c000007f24ccfa70] [c0000000003b5668] __fput+0xc8/0x2b0 +[ 1007.361040] [c000007f24ccfac0] [c0000000001409b0] task_work_run+0x140/0x1b0 +[ 1007.361059] [c000007f24ccfb20] [c000000000118f8c] do_exit+0x3ac/0xd00 +[ 1007.361076] [c000007f24ccfc00] [c0000000001199b0] do_group_exit+0x60/0x100 +[ 1007.361094] [c000007f24ccfc40] [c00000000012b514] get_signal+0x1a4/0x8f0 +[ 1007.361112] [c000007f24ccfd30] [c000000000021cc8] do_notify_resume+0x1a8/0x430 +[ 1007.361141] [c000007f24ccfe20] [c00000000000e444] ret_from_except_lite+0x70/0x74 +[ 1007.361159] Instruction dump: +[ 1007.361175] 38422c00 e9230000 712a0004 41820010 548a2036 7d442378 78840020 71290020 +[ 1007.361194] 4082004c e9230010 7c892214 7c0004ac <e9240000> 0c090000 4c00012c 792a0022 + +Cc: stable@vger.kernel.org # v4.12+ +Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the XIVE interrupt controller") +Signed-off-by: CĂ©dric Le Goater <clg@kaod.org> +Signed-off-by: Greg Kurz <groug@kaod.org> +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> + +diff --git a/arch/powerpc/kvm/book3s_xive.c b/arch/powerpc/kvm/book3s_xive.c +index 12c8a36dd980..922fd62bcd2a 100644 +--- a/arch/powerpc/kvm/book3s_xive.c ++++ b/arch/powerpc/kvm/book3s_xive.c +@@ -1828,7 +1828,6 @@ static void kvmppc_xive_cleanup_irq(u32 hw_num, struct xive_irq_data *xd) + { + xive_vm_esb_load(xd, XIVE_ESB_SET_PQ_01); + xive_native_configure_irq(hw_num, 0, MASKED, 0); +- xive_cleanup_irq_data(xd); + } + + void kvmppc_xive_free_sources(struct kvmppc_xive_src_block *sb) +@@ -1842,9 +1841,10 @@ void kvmppc_xive_free_sources(struct kvmppc_xive_src_block *sb) + continue; + + kvmppc_xive_cleanup_irq(state->ipi_number, &state->ipi_data); ++ xive_cleanup_irq_data(&state->ipi_data); + xive_native_free_irq(state->ipi_number); + +- /* Pass-through, cleanup too */ ++ /* Pass-through, cleanup too but keep IRQ hw data */ + if (state->pt_number) + kvmppc_xive_cleanup_irq(state->pt_number, state->pt_data); + +-- +2.9.5 + diff --git a/queue/KVM-s390-Do-not-report-unusabled-IDs-via-KVM_CAP_MAX.patch b/queue/KVM-s390-Do-not-report-unusabled-IDs-via-KVM_CAP_MAX.patch new file mode 100644 index 0000000..4415d69 --- /dev/null +++ b/queue/KVM-s390-Do-not-report-unusabled-IDs-via-KVM_CAP_MAX.patch @@ -0,0 +1,114 @@ +From a86cb413f4bf273a9d341a3ab2c2ca44e12eb317 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Thu, 23 May 2019 18:43:08 +0200 +Subject: [PATCH] KVM: s390: Do not report unusabled IDs via + KVM_CAP_MAX_VCPU_ID + +commit a86cb413f4bf273a9d341a3ab2c2ca44e12eb317 upstream. + +KVM_CAP_MAX_VCPU_ID is currently always reporting KVM_MAX_VCPU_ID on all +architectures. However, on s390x, the amount of usable CPUs is determined +during runtime - it is depending on the features of the machine the code +is running on. Since we are using the vcpu_id as an index into the SCA +structures that are defined by the hardware (see e.g. the sca_add_vcpu() +function), it is not only the amount of CPUs that is limited by the hard- +ware, but also the range of IDs that we can use. +Thus KVM_CAP_MAX_VCPU_ID must be determined during runtime on s390x, too. +So the handling of KVM_CAP_MAX_VCPU_ID has to be moved from the common +code into the architecture specific code, and on s390x we have to return +the same value here as for KVM_CAP_MAX_VCPUS. +This problem has been discovered with the kvm_create_max_vcpus selftest. +With this change applied, the selftest now passes on s390x, too. + +Reviewed-by: Andrew Jones <drjones@redhat.com> +Reviewed-by: Cornelia Huck <cohuck@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Message-Id: <20190523164309.13345-9-thuth@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> + +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index 6d0517ac18e5..0369f26ab96d 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -1122,6 +1122,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_MAX_VCPUS: + r = KVM_MAX_VCPUS; + break; ++ case KVM_CAP_MAX_VCPU_ID: ++ r = KVM_MAX_VCPU_ID; ++ break; + case KVM_CAP_MIPS_FPU: + /* We don't handle systems with inconsistent cpu_has_fpu */ + r = !!raw_cpu_has_fpu; +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index 3393b166817a..aa3a678711be 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -657,6 +657,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_MAX_VCPUS: + r = KVM_MAX_VCPUS; + break; ++ case KVM_CAP_MAX_VCPU_ID: ++ r = KVM_MAX_VCPU_ID; ++ break; + #ifdef CONFIG_PPC_BOOK3S_64 + case KVM_CAP_PPC_GET_SMMU_INFO: + r = 1; +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index e5e8eb29e68e..28ebd647784c 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -539,6 +539,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + break; + case KVM_CAP_NR_VCPUS: + case KVM_CAP_MAX_VCPUS: ++ case KVM_CAP_MAX_VCPU_ID: + r = KVM_S390_BSCA_CPU_SLOTS; + if (!kvm_s390_use_sca_entries()) + r = KVM_MAX_VCPUS; +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index acb179f78fdc..83aefd759846 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3122,6 +3122,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_MAX_VCPUS: + r = KVM_MAX_VCPUS; + break; ++ case KVM_CAP_MAX_VCPU_ID: ++ r = KVM_MAX_VCPU_ID; ++ break; + case KVM_CAP_PV_MMU: /* obsolete */ + r = 0; + break; +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c +index 90cedebaeb94..7eeebe5e9da2 100644 +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -224,6 +224,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_MAX_VCPUS: + r = KVM_MAX_VCPUS; + break; ++ case KVM_CAP_MAX_VCPU_ID: ++ r = KVM_MAX_VCPU_ID; ++ break; + case KVM_CAP_MSI_DEVID: + if (!kvm) + r = -EINVAL; +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 301089a462c4..ca54b09adf5b 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3151,8 +3151,6 @@ static long kvm_vm_ioctl_check_extension_generic(struct kvm *kvm, long arg) + case KVM_CAP_MULTI_ADDRESS_SPACE: + return KVM_ADDRESS_SPACE_NUM; + #endif +- case KVM_CAP_MAX_VCPU_ID: +- return KVM_MAX_VCPU_ID; + case KVM_CAP_NR_MEMSLOTS: + return KVM_USER_MEM_SLOTS; + default: +-- +2.9.5 + diff --git a/queue/MIPS-Bounds-check-virt_addr_valid.patch b/queue/MIPS-Bounds-check-virt_addr_valid.patch new file mode 100644 index 0000000..2d8fd21 --- /dev/null +++ b/queue/MIPS-Bounds-check-virt_addr_valid.patch @@ -0,0 +1,74 @@ +From 074a1e1167afd82c26f6d03a9a8b997d564bb241 Mon Sep 17 00:00:00 2001 +From: Paul Burton <paul.burton@mips.com> +Date: Tue, 28 May 2019 17:05:03 +0000 +Subject: [PATCH] MIPS: Bounds check virt_addr_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 074a1e1167afd82c26f6d03a9a8b997d564bb241 upstream. + +The virt_addr_valid() function is meant to return true iff +virt_to_page() will return a valid struct page reference. This is true +iff the address provided is found within the unmapped address range +between PAGE_OFFSET & MAP_BASE, but we don't currently check for that +condition. Instead we simply mask the address to obtain what will be a +physical address if the virtual address is indeed in the desired range, +shift it to form a PFN & then call pfn_valid(). This can incorrectly +return true if called with a virtual address which, after masking, +happens to form a physical address corresponding to a valid PFN. + +For example we may vmalloc an address in the kernel mapped region +starting a MAP_BASE & obtain the virtual address: + + addr = 0xc000000000002000 + +When masked by virt_to_phys(), which uses __pa() & in turn CPHYSADDR(), +we obtain the following (bogus) physical address: + + addr = 0x2000 + +In a common system with PHYS_OFFSET=0 this will correspond to a valid +struct page which should really be accessed by virtual address +PAGE_OFFSET+0x2000, causing virt_addr_valid() to incorrectly return 1 +indicating that the original address corresponds to a struct page. + +This is equivalent to the ARM64 change made in commit ca219452c6b8 +("arm64: Correctly bounds check virt_addr_valid"). + +This fixes fallout when hardened usercopy is enabled caused by the +related commit 517e1fbeb65f ("mm/usercopy: Drop extra +is_vmalloc_or_module() check") which removed a check for the vmalloc +range that was present from the introduction of the hardened usercopy +feature. + +Signed-off-by: Paul Burton <paul.burton@mips.com> +References: ca219452c6b8 ("arm64: Correctly bounds check virt_addr_valid") +References: 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check") +Reported-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Philippe Mathieu-DaudĂ© <f4bug@amsat.org> +Tested-by: YunQiang Su <ysu@wavecomp.com> +URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929366 +Cc: stable@vger.kernel.org # v4.12+ +Cc: linux-mips@vger.kernel.org +Cc: Yunqiang Su <ysu@wavecomp.com> + +diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c +index 2f616ebeb7e0..7755a1fad05a 100644 +--- a/arch/mips/mm/mmap.c ++++ b/arch/mips/mm/mmap.c +@@ -203,6 +203,11 @@ unsigned long arch_randomize_brk(struct mm_struct *mm) + + int __virt_addr_valid(const volatile void *kaddr) + { ++ unsigned long vaddr = (unsigned long)vaddr; ++ ++ if ((vaddr < PAGE_OFFSET) || (vaddr >= MAP_BASE)) ++ return 0; ++ + return pfn_valid(PFN_DOWN(virt_to_phys(kaddr))); + } + EXPORT_SYMBOL_GPL(__virt_addr_valid); +-- +2.9.5 + diff --git a/queue/MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch b/queue/MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch new file mode 100644 index 0000000..c947d29 --- /dev/null +++ b/queue/MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch @@ -0,0 +1,113 @@ +From a1e8783db8e0d58891681bc1e6d9ada66eae8e20 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz> +Date: Fri, 12 Apr 2019 23:08:32 +0200 +Subject: [PATCH] MIPS: perf: ath79: Fix perfcount IRQ assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit a1e8783db8e0d58891681bc1e6d9ada66eae8e20 upstream. + +Currently it's not possible to use perf on ath79 due to genirq flags +mismatch happening on static virtual IRQ 13 which is used for +performance counters hardware IRQ 5. + +On TP-Link Archer C7v5: + + CPU0 + 2: 0 MIPS 2 ath9k + 4: 318 MIPS 4 19000000.eth + 7: 55034 MIPS 7 timer + 8: 1236 MISC 3 ttyS0 + 12: 0 INTC 1 ehci_hcd:usb1 + 13: 0 gpio-ath79 2 keys + 14: 0 gpio-ath79 5 keys + 15: 31 AR724X PCI 1 ath10k_pci + + $ perf top + genirq: Flags mismatch irq 13. 00014c83 (mips_perf_pmu) vs. 00002003 (keys) + +On TP-Link Archer C7v4: + + CPU0 + 4: 0 MIPS 4 19000000.eth + 5: 7135 MIPS 5 1a000000.eth + 7: 98379 MIPS 7 timer + 8: 30 MISC 3 ttyS0 + 12: 90028 INTC 0 ath9k + 13: 5520 INTC 1 ehci_hcd:usb1 + 14: 4623 INTC 2 ehci_hcd:usb2 + 15: 32844 AR724X PCI 1 ath10k_pci + 16: 0 gpio-ath79 16 keys + 23: 0 gpio-ath79 23 keys + + $ perf top + genirq: Flags mismatch irq 13. 00014c80 (mips_perf_pmu) vs. 00000080 (ehci_hcd:usb1) + +This problem is happening, because currently statically assigned virtual +IRQ 13 for performance counters is not claimed during the initialization +of MIPS PMU during the bootup, so the IRQ subsystem doesn't know, that +this interrupt isn't available for further use. + +So this patch fixes the issue by simply booking hardware IRQ 5 for MIPS PMU. + +Tested-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +Signed-off-by: Petr Å tetiar <ynezz@true.cz> +Acked-by: John Crispin <john@phrozen.org> +Acked-by: Marc Zyngier <marc.zyngier@arm.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Cc: linux-mips@vger.kernel.org +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <jhogan@kernel.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Jason Cooper <jason@lakedaemon.net> + +diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c +index 4a70c5de8c92..25a57895a3a3 100644 +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -210,12 +210,6 @@ const char *get_system_type(void) + return ath79_sys_type; + } + +-int get_c0_perfcount_int(void) +-{ +- return ATH79_MISC_IRQ(5); +-} +-EXPORT_SYMBOL_GPL(get_c0_perfcount_int); +- + unsigned int get_c0_compare_int(void) + { + return CP0_LEGACY_COMPARE_IRQ; +diff --git a/drivers/irqchip/irq-ath79-misc.c b/drivers/irqchip/irq-ath79-misc.c +index aa7290784636..0390603170b4 100644 +--- a/drivers/irqchip/irq-ath79-misc.c ++++ b/drivers/irqchip/irq-ath79-misc.c +@@ -22,6 +22,15 @@ + #define AR71XX_RESET_REG_MISC_INT_ENABLE 4 + + #define ATH79_MISC_IRQ_COUNT 32 ++#define ATH79_MISC_PERF_IRQ 5 ++ ++static int ath79_perfcount_irq; ++ ++int get_c0_perfcount_int(void) ++{ ++ return ath79_perfcount_irq; ++} ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + static void ath79_misc_irq_handler(struct irq_desc *desc) + { +@@ -113,6 +122,8 @@ static void __init ath79_misc_intc_domain_init( + { + void __iomem *base = domain->host_data; + ++ ath79_perfcount_irq = irq_create_mapping(domain, ATH79_MISC_PERF_IRQ); ++ + /* Disable and clear all interrupts */ + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_ENABLE); + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_STATUS); +-- +2.9.5 + diff --git a/queue/MIPS-pistachio-Build-uImage.gz-by-default.patch b/queue/MIPS-pistachio-Build-uImage.gz-by-default.patch new file mode 100644 index 0000000..2f75764 --- /dev/null +++ b/queue/MIPS-pistachio-Build-uImage.gz-by-default.patch @@ -0,0 +1,45 @@ +From e4f2d1af7163becb181419af9dece9206001e0a6 Mon Sep 17 00:00:00 2001 +From: Paul Burton <paul.burton@mips.com> +Date: Tue, 28 May 2019 17:21:26 +0000 +Subject: [PATCH] MIPS: pistachio: Build uImage.gz by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit e4f2d1af7163becb181419af9dece9206001e0a6 upstream. + +The pistachio platform uses the U-Boot bootloader & generally boots a +kernel in the uImage format. As such it's useful to build one when +building the kernel, but to do so currently requires the user to +manually specify a uImage target on the make command line. + +Make uImage.gz the pistachio platform's default build target, so that +the default is to build a kernel image that we can actually boot on a +board such as the MIPS Creator Ci40. + +Marked for stable backport as far as v4.1 where pistachio support was +introduced. This is primarily useful for CI systems such as kernelci.org +which will benefit from us building a suitable image which can then be +booted as part of automated testing, extending our test coverage to the +affected stable branches. + +Signed-off-by: Paul Burton <paul.burton@mips.com> +Reviewed-by: Philippe Mathieu-DaudĂ© <f4bug@amsat.org> +Reviewed-by: Kevin Hilman <khilman@baylibre.com> +Tested-by: Kevin Hilman <khilman@baylibre.com> +URL: https://groups.io/g/kernelci/message/388 +Cc: stable@vger.kernel.org # v4.1+ +Cc: linux-mips@vger.kernel.org + +diff --git a/arch/mips/pistachio/Platform b/arch/mips/pistachio/Platform +index d80cd612df1f..c3592b374ad2 100644 +--- a/arch/mips/pistachio/Platform ++++ b/arch/mips/pistachio/Platform +@@ -6,3 +6,4 @@ cflags-$(CONFIG_MACH_PISTACHIO) += \ + -I$(srctree)/arch/mips/include/asm/mach-pistachio + load-$(CONFIG_MACH_PISTACHIO) += 0xffffffff80400000 + zload-$(CONFIG_MACH_PISTACHIO) += 0xffffffff81000000 ++all-$(CONFIG_MACH_PISTACHIO) := uImage.gz +-- +2.9.5 + diff --git a/queue/NFSv4.1-Again-fix-a-race-where-CB_NOTIFY_LOCK-fails-.patch b/queue/NFSv4.1-Again-fix-a-race-where-CB_NOTIFY_LOCK-fails-.patch new file mode 100644 index 0000000..a08a21f --- /dev/null +++ b/queue/NFSv4.1-Again-fix-a-race-where-CB_NOTIFY_LOCK-fails-.patch @@ -0,0 +1,98 @@ +From 52b042ab9948cc367b61f9ca9c18603aa7813c3a Mon Sep 17 00:00:00 2001 +From: Yihao Wu <wuyihao@linux.alibaba.com> +Date: Wed, 22 May 2019 01:57:10 +0800 +Subject: [PATCH] NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake + a waiter + +commit 52b042ab9948cc367b61f9ca9c18603aa7813c3a upstream. + +Commit b7dbcc0e433f "NFSv4.1: Fix a race where CB_NOTIFY_LOCK fails to wake a waiter" +found this bug. However it didn't fix it. + +This commit replaces schedule_timeout() with wait_woken() and +default_wake_function() with woken_wake_function() in function +nfs4_retry_setlk() and nfs4_wake_lock_waiter(). wait_woken() uses +memory barriers in its implementation to avoid potential race condition +when putting a process into sleeping state and then waking it up. + +Fixes: a1d617d8f134 ("nfs: allow blocking locks to be awoken by lock callbacks") +Cc: stable@vger.kernel.org #4.9+ +Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c29cbef6b53f..5f89bbd177c6 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6932,7 +6932,6 @@ struct nfs4_lock_waiter { + struct task_struct *task; + struct inode *inode; + struct nfs_lowner *owner; +- bool notified; + }; + + static int +@@ -6954,13 +6953,13 @@ nfs4_wake_lock_waiter(wait_queue_entry_t *wait, unsigned int mode, int flags, vo + /* Make sure it's for the right inode */ + if (nfs_compare_fh(NFS_FH(waiter->inode), &cbnl->cbnl_fh)) + return 0; +- +- waiter->notified = true; + } + + /* override "private" so we can use default_wake_function */ + wait->private = waiter->task; +- ret = autoremove_wake_function(wait, mode, flags, key); ++ ret = woken_wake_function(wait, mode, flags, key); ++ if (ret) ++ list_del_init(&wait->entry); + wait->private = waiter; + return ret; + } +@@ -6969,7 +6968,6 @@ static int + nfs4_retry_setlk(struct nfs4_state *state, int cmd, struct file_lock *request) + { + int status = -ERESTARTSYS; +- unsigned long flags; + struct nfs4_lock_state *lsp = request->fl_u.nfs4_fl.owner; + struct nfs_server *server = NFS_SERVER(state->inode); + struct nfs_client *clp = server->nfs_client; +@@ -6979,8 +6977,7 @@ nfs4_retry_setlk(struct nfs4_state *state, int cmd, struct file_lock *request) + .s_dev = server->s_dev }; + struct nfs4_lock_waiter waiter = { .task = current, + .inode = state->inode, +- .owner = &owner, +- .notified = false }; ++ .owner = &owner}; + wait_queue_entry_t wait; + + /* Don't bother with waitqueue if we don't expect a callback */ +@@ -6993,21 +6990,14 @@ nfs4_retry_setlk(struct nfs4_state *state, int cmd, struct file_lock *request) + add_wait_queue(q, &wait); + + while(!signalled()) { +- waiter.notified = false; + status = nfs4_proc_setlk(state, cmd, request); + if ((status != -EAGAIN) || IS_SETLK(cmd)) + break; + + status = -ERESTARTSYS; +- spin_lock_irqsave(&q->lock, flags); +- if (waiter.notified) { +- spin_unlock_irqrestore(&q->lock, flags); +- continue; +- } +- set_current_state(TASK_INTERRUPTIBLE); +- spin_unlock_irqrestore(&q->lock, flags); +- +- freezable_schedule_timeout(NFS4_LOCK_MAXTIMEOUT); ++ freezer_do_not_count(); ++ wait_woken(&wait, TASK_INTERRUPTIBLE, NFS4_LOCK_MAXTIMEOUT); ++ freezer_count(); + } + + finish_wait(q, &wait); +-- +2.9.5 + diff --git a/queue/NFSv4.1-Fix-bug-only-first-CB_NOTIFY_LOCK-is-handled.patch b/queue/NFSv4.1-Fix-bug-only-first-CB_NOTIFY_LOCK-is-handled.patch new file mode 100644 index 0000000..7433061 --- /dev/null +++ b/queue/NFSv4.1-Fix-bug-only-first-CB_NOTIFY_LOCK-is-handled.patch @@ -0,0 +1,52 @@ +From ba851a39c9703f09684a541885ed176f8fb7c868 Mon Sep 17 00:00:00 2001 +From: Yihao Wu <wuyihao@linux.alibaba.com> +Date: Mon, 13 May 2019 14:58:22 +0800 +Subject: [PATCH] NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled + +commit ba851a39c9703f09684a541885ed176f8fb7c868 upstream. + +When a waiter is waked by CB_NOTIFY_LOCK, it will retry +nfs4_proc_setlk(). The waiter may fail to nfs4_proc_setlk() and sleep +again. However, the waiter is already removed from clp->cl_lock_waitq +when handling CB_NOTIFY_LOCK in nfs4_wake_lock_waiter(). So any +subsequent CB_NOTIFY_LOCK won't wake this waiter anymore. We should +put the waiter back to clp->cl_lock_waitq before retrying. + +Cc: stable@vger.kernel.org #4.9+ +Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5f89bbd177c6..e38f4af20950 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6987,20 +6987,22 @@ nfs4_retry_setlk(struct nfs4_state *state, int cmd, struct file_lock *request) + init_wait(&wait); + wait.private = &waiter; + wait.func = nfs4_wake_lock_waiter; +- add_wait_queue(q, &wait); + + while(!signalled()) { ++ add_wait_queue(q, &wait); + status = nfs4_proc_setlk(state, cmd, request); +- if ((status != -EAGAIN) || IS_SETLK(cmd)) ++ if ((status != -EAGAIN) || IS_SETLK(cmd)) { ++ finish_wait(q, &wait); + break; ++ } + + status = -ERESTARTSYS; + freezer_do_not_count(); + wait_woken(&wait, TASK_INTERRUPTIBLE, NFS4_LOCK_MAXTIMEOUT); + freezer_count(); ++ finish_wait(q, &wait); + } + +- finish_wait(q, &wait); + return status; + } + #else /* !CONFIG_NFS_V4_1 */ +-- +2.9.5 + diff --git a/queue/Revert-fib_rules-return-0-directly-if-an-exactly-sam.patch b/queue/Revert-fib_rules-return-0-directly-if-an-exactly-sam.patch new file mode 100644 index 0000000..bbd16a7 --- /dev/null +++ b/queue/Revert-fib_rules-return-0-directly-if-an-exactly-sam.patch @@ -0,0 +1,48 @@ +From 4970b42d5c362bf873982db7d93245c5281e58f4 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Wed, 5 Jun 2019 12:27:14 +0800 +Subject: [PATCH] Revert "fib_rules: return 0 directly if an exactly same rule + exists when NLM_F_EXCL not supplied" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 4970b42d5c362bf873982db7d93245c5281e58f4 upstream. + +This reverts commit e9919a24d3022f72bcadc407e73a6ef17093a849. + +Nathan reported the new behaviour breaks Android, as Android just add +new rules and delete old ones. + +If we return 0 without adding dup rules, Android will remove the new +added rules and causing system to soft-reboot. + +Fixes: e9919a24d302 ("fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied") +Reported-by: Nathan Chancellor <natechancellor@gmail.com> +Reported-by: Yaro Slav <yaro330@gmail.com> +Reported-by: Maciej Å»enczykowski <zenczykowski@gmail.com> +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> +Tested-by: Nathan Chancellor <natechancellor@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index 43f0115cce9c..18f8dd8329ed 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -757,9 +757,9 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh, + if (err) + goto errout; + +- if (rule_exists(ops, frh, tb, rule)) { +- if (nlh->nlmsg_flags & NLM_F_EXCL) +- err = -EEXIST; ++ if ((nlh->nlmsg_flags & NLM_F_EXCL) && ++ rule_exists(ops, frh, tb, rule)) { ++ err = -EEXIST; + goto errout_free; + } + +-- +2.9.5 + diff --git a/queue/Revert-lockd-Show-pid-of-lockd-for-remote-locks.patch b/queue/Revert-lockd-Show-pid-of-lockd-for-remote-locks.patch new file mode 100644 index 0000000..a4c5ca4 --- /dev/null +++ b/queue/Revert-lockd-Show-pid-of-lockd-for-remote-locks.patch @@ -0,0 +1,67 @@ +From 141731d15d6eb2fd9aaefbf9b935ce86ae243074 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington <bcodding@redhat.com> +Date: Mon, 20 May 2019 10:33:07 -0400 +Subject: [PATCH] Revert "lockd: Show pid of lockd for remote locks" + +commit 141731d15d6eb2fd9aaefbf9b935ce86ae243074 upstream. + +This reverts most of commit b8eee0e90f97 ("lockd: Show pid of lockd for +remote locks"), which caused remote locks to not be differentiated between +remote processes for NLM. + +We retain the fixup for setting the client's fl_pid to a negative value. + +Fixes: b8eee0e90f97 ("lockd: Show pid of lockd for remote locks") +Cc: stable@vger.kernel.org + +Signed-off-by: Benjamin Coddington <bcodding@redhat.com> +Reviewed-by: XueWei Zhang <xueweiz@google.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> + +diff --git a/fs/lockd/xdr.c b/fs/lockd/xdr.c +index 9846f7e95282..7147e4aebecc 100644 +--- a/fs/lockd/xdr.c ++++ b/fs/lockd/xdr.c +@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lock *lock) + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + start = ntohl(*p++); +@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst *rqstp, __be32 *p) + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, +diff --git a/fs/lockd/xdr4.c b/fs/lockd/xdr4.c +index 70154f376695..7ed9edf9aed4 100644 +--- a/fs/lockd/xdr4.c ++++ b/fs/lockd/xdr4.c +@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_lock *lock) + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + p = xdr_decode_hyper(p, &start); +@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst *rqstp, __be32 *p) + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm4_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, +-- +2.9.5 + diff --git a/queue/Revert-tipc-fix-modprobe-tipc-failed-after-switch-or.patch b/queue/Revert-tipc-fix-modprobe-tipc-failed-after-switch-or.patch new file mode 100644 index 0000000..84144a4 --- /dev/null +++ b/queue/Revert-tipc-fix-modprobe-tipc-failed-after-switch-or.patch @@ -0,0 +1,77 @@ +From 5593530e56943182ebb6d81eca8a3be6db6dbba4 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" <davem@davemloft.net> +Date: Fri, 17 May 2019 12:15:05 -0700 +Subject: [PATCH] Revert "tipc: fix modprobe tipc failed after switch order of + device registration" + +commit 5593530e56943182ebb6d81eca8a3be6db6dbba4 upstream. + +This reverts commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e. + +More revisions coming up. + +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tipc/core.c b/net/tipc/core.c +index 7d05d6823545..ddd2e0f67c07 100644 +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -68,10 +68,6 @@ static int __net_init tipc_init_net(struct net *net) + INIT_LIST_HEAD(&tn->node_list); + spin_lock_init(&tn->node_list_lock); + +- err = tipc_socket_init(); +- if (err) +- goto out_socket; +- + err = tipc_sk_rht_init(net); + if (err) + goto out_sk_rht; +@@ -98,8 +94,6 @@ out_subscr: + out_nametbl: + tipc_sk_rht_destroy(net); + out_sk_rht: +- tipc_socket_stop(); +-out_socket: + return err; + } + +@@ -110,7 +104,6 @@ static void __net_exit tipc_exit_net(struct net *net) + tipc_bcast_stop(net); + tipc_nametbl_stop(net); + tipc_sk_rht_destroy(net); +- tipc_socket_stop(); + } + + static struct pernet_operations tipc_net_ops = { +@@ -146,6 +139,10 @@ static int __init tipc_init(void) + if (err) + goto out_pernet; + ++ err = tipc_socket_init(); ++ if (err) ++ goto out_socket; ++ + err = tipc_bearer_setup(); + if (err) + goto out_bearer; +@@ -153,6 +150,8 @@ static int __init tipc_init(void) + pr_info("Started in single node mode\n"); + return 0; + out_bearer: ++ tipc_socket_stop(); ++out_socket: + unregister_pernet_subsys(&tipc_net_ops); + out_pernet: + tipc_unregister_sysctl(); +@@ -168,6 +167,7 @@ out_netlink: + static void __exit tipc_exit(void) + { + tipc_bearer_cleanup(); ++ tipc_socket_stop(); + unregister_pernet_subsys(&tipc_net_ops); + tipc_netlink_stop(); + tipc_netlink_compat_stop(); +-- +2.9.5 + diff --git a/queue/TTY-serial_core-add-install.patch b/queue/TTY-serial_core-add-install.patch new file mode 100644 index 0000000..6c3229e --- /dev/null +++ b/queue/TTY-serial_core-add-install.patch @@ -0,0 +1,130 @@ +From 4cdd17ba1dff20ffc99fdbd2e6f0201fc7fe67df Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <jslaby@suse.cz> +Date: Wed, 17 Apr 2019 10:58:53 +0200 +Subject: [PATCH] TTY: serial_core, add ->install + +commit 4cdd17ba1dff20ffc99fdbd2e6f0201fc7fe67df upstream. + +We need to compute the uart state only on the first open. This is +usually what is done in the ->install hook. serial_core used to do this +in ->open on every open. So move it to ->install. + +As a side effect, it ensures the state is set properly in the window +after tty_init_dev is called, but before uart_open. This fixes a bunch +of races between tty_open and flush_to_ldisc we were dealing with +recently. + +One of such bugs was attempted to fix in commit fedb5760648a (serial: +fix race between flush_to_ldisc and tty_open), but it only took care of +a couple of functions (uart_start and uart_unthrottle). I was able to +reproduce the crash on a SLE system, but in uart_write_room which is +also called from flush_to_ldisc via process_echoes. I was *unable* to +reproduce the bug locally. It is due to having this patch in my queue +since 2012! + + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 5 Comm: kworker/u4:0 Tainted: G L 4.12.14-396-default #1 SLE15-SP1 (unreleased) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014 + Workqueue: events_unbound flush_to_ldisc + task: ffff8800427d8040 task.stack: ffff8800427f0000 + RIP: 0010:uart_write_room+0xc4/0x590 + RSP: 0018:ffff8800427f7088 EFLAGS: 00010202 + RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 000000000000002f RSI: 00000000000000ee RDI: ffff88003888bd90 + RBP: ffffffffb9545850 R08: 0000000000000001 R09: 0000000000000400 + R10: ffff8800427d825c R11: 000000000000006e R12: 1ffff100084fee12 + R13: ffffc900004c5000 R14: ffff88003888bb28 R15: 0000000000000178 + FS: 0000000000000000(0000) GS:ffff880043300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000561da0794148 CR3: 000000000ebf4000 CR4: 00000000000006e0 + Call Trace: + tty_write_room+0x6d/0xc0 + __process_echoes+0x55/0x870 + n_tty_receive_buf_common+0x105e/0x26d0 + tty_ldisc_receive_buf+0xb7/0x1c0 + tty_port_default_receive_buf+0x107/0x180 + flush_to_ldisc+0x35d/0x5c0 +... + +0 in rbx means tty->driver_data is NULL in uart_write_room. 0x178 is +tried to be dereferenced (0x178 >> 3 is 0x2f in rdx) at +uart_write_room+0xc4. 0x178 is exactly (struct uart_state *)NULL->refcount +used in uart_port_lock from uart_write_room. + +So revert the upstream commit here as my local patch should fix the +whole family. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Cc: Li RongQing <lirongqing@baidu.com> +Cc: Wang Li <wangli39@baidu.com> +Cc: Zhang Yu <zhangyu31@baidu.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 69f48717546b..0decb0bf991d 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -130,9 +130,6 @@ static void uart_start(struct tty_struct *tty) + struct uart_port *port; + unsigned long flags; + +- if (!state) +- return; +- + port = uart_port_lock(state, flags); + __uart_start(tty); + uart_port_unlock(port, flags); +@@ -730,9 +727,6 @@ static void uart_unthrottle(struct tty_struct *tty) + upstat_t mask = UPSTAT_SYNC_FIFO; + struct uart_port *port; + +- if (!state) +- return; +- + port = uart_port_ref(state); + if (!port) + return; +@@ -1747,6 +1741,16 @@ static void uart_dtr_rts(struct tty_port *port, int raise) + uart_port_deref(uport); + } + ++static int uart_install(struct tty_driver *driver, struct tty_struct *tty) ++{ ++ struct uart_driver *drv = driver->driver_state; ++ struct uart_state *state = drv->state + tty->index; ++ ++ tty->driver_data = state; ++ ++ return tty_standard_install(driver, tty); ++} ++ + /* + * Calls to uart_open are serialised by the tty_lock in + * drivers/tty/tty_io.c:tty_open() +@@ -1759,11 +1763,8 @@ static void uart_dtr_rts(struct tty_port *port, int raise) + */ + static int uart_open(struct tty_struct *tty, struct file *filp) + { +- struct uart_driver *drv = tty->driver->driver_state; +- int retval, line = tty->index; +- struct uart_state *state = drv->state + line; +- +- tty->driver_data = state; ++ struct uart_state *state = tty->driver_data; ++ int retval; + + retval = tty_port_open(&state->port, tty, filp); + if (retval > 0) +@@ -2448,6 +2449,7 @@ static void uart_poll_put_char(struct tty_driver *driver, int line, char ch) + #endif + + static const struct tty_operations uart_ops = { ++ .install = uart_install, + .open = uart_open, + .close = uart_close, + .write = uart_write, +-- +2.9.5 + diff --git a/queue/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch b/queue/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch new file mode 100644 index 0000000..a792ab8 --- /dev/null +++ b/queue/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch @@ -0,0 +1,36 @@ +From ea261113385ac0a71c2838185f39e8452d54b152 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz <luzmaximilian@gmail.com> +Date: Thu, 16 May 2019 17:08:31 +0200 +Subject: [PATCH] USB: Add LPM quirk for Surface Dock GigE adapter + +commit ea261113385ac0a71c2838185f39e8452d54b152 upstream. + +Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will +complain with + + r8152 <device...>: Stop submitting intr, status -71 + +Adding the quirk resolves this. As the dock is externally powered, this +should not have any drawbacks. + +Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 8bc35d53408b..6082b008969b 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -209,6 +209,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Microsoft LifeCam-VX700 v2.0 */ + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Microsoft Surface Dock Ethernet (RTL8153 GigE) */ ++ { USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */ + { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +2.9.5 + diff --git a/queue/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch b/queue/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch new file mode 100644 index 0000000..e98bad3 --- /dev/null +++ b/queue/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch @@ -0,0 +1,37 @@ +From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Mon, 13 May 2019 13:14:29 -0400 +Subject: [PATCH] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor + +commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. + +The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the +USB core, caused by a failure to check the actual size of a BOS +descriptor. This patch adds a check to make sure the descriptor is at +least as large as it is supposed to be, so that the code doesn't +inadvertently access memory beyond the end of the allocated region +when assigning to dev->bos->desc->bNumDeviceCaps later on. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com +CC: <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 20ff036b4c22..9d6cb709ca7b 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_device *dev) + + /* Get BOS descriptor */ + ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); +- if (ret < USB_DT_BOS_SIZE) { +- dev_err(ddev, "unable to get BOS descriptor\n"); ++ if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { ++ dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); + if (ret >= 0) + ret = -ENOMSG; + kfree(bos); +-- +2.9.5 + diff --git a/queue/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch b/queue/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch new file mode 100644 index 0000000..ea96993 --- /dev/null +++ b/queue/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch @@ -0,0 +1,46 @@ +From e0feb73428b69322dd5caae90b0207de369b5575 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 9 May 2019 11:30:59 +0200 +Subject: [PATCH] USB: rio500: fix memory leak in close after disconnect + +commit e0feb73428b69322dd5caae90b0207de369b5575 upstream. + +If a disconnected device is closed, rio_close() must free +the buffers. + +Signed-off-by: Oliver Neukum <oneukum@suse.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c +index 1d397d93d127..a32d61a79ab8 100644 +--- a/drivers/usb/misc/rio500.c ++++ b/drivers/usb/misc/rio500.c +@@ -86,9 +86,22 @@ static int close_rio(struct inode *inode, struct file *file) + { + struct rio_usb_data *rio = &rio_instance; + +- rio->isopen = 0; ++ /* against disconnect() */ ++ mutex_lock(&rio500_mutex); ++ mutex_lock(&(rio->lock)); + +- dev_info(&rio->rio_dev->dev, "Rio closed.\n"); ++ rio->isopen = 0; ++ if (!rio->present) { ++ /* cleanup has been delayed */ ++ kfree(rio->ibuf); ++ kfree(rio->obuf); ++ rio->ibuf = NULL; ++ rio->obuf = NULL; ++ } else { ++ dev_info(&rio->rio_dev->dev, "Rio closed.\n"); ++ } ++ mutex_unlock(&(rio->lock)); ++ mutex_unlock(&rio500_mutex); + return 0; + } + +-- +2.9.5 + diff --git a/queue/USB-rio500-refuse-more-than-one-device-at-a-time.patch b/queue/USB-rio500-refuse-more-than-one-device-at-a-time.patch new file mode 100644 index 0000000..f3be7c8 --- /dev/null +++ b/queue/USB-rio500-refuse-more-than-one-device-at-a-time.patch @@ -0,0 +1,82 @@ +From 3864d33943b4a76c6e64616280e98d2410b1190f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 9 May 2019 11:30:58 +0200 +Subject: [PATCH] USB: rio500: refuse more than one device at a time + +commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream. + +This driver is using a global variable. It cannot handle more than +one device at a time. The issue has been existing since the dawn +of the driver. + +Signed-off-by: Oliver Neukum <oneukum@suse.com> +Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c +index 7b9adeb3e7aa..1d397d93d127 100644 +--- a/drivers/usb/misc/rio500.c ++++ b/drivers/usb/misc/rio500.c +@@ -447,15 +447,23 @@ static int probe_rio(struct usb_interface *intf, + { + struct usb_device *dev = interface_to_usbdev(intf); + struct rio_usb_data *rio = &rio_instance; +- int retval; ++ int retval = 0; + +- dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); ++ mutex_lock(&rio500_mutex); ++ if (rio->present) { ++ dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum); ++ retval = -EBUSY; ++ goto bail_out; ++ } else { ++ dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); ++ } + + retval = usb_register_dev(intf, &usb_rio_class); + if (retval) { + dev_err(&dev->dev, + "Not able to get a minor for this device.\n"); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + + rio->rio_dev = dev; +@@ -464,7 +472,8 @@ static int probe_rio(struct usb_interface *intf, + dev_err(&dev->dev, + "probe_rio: Not enough memory for the output buffer\n"); + usb_deregister_dev(intf, &usb_rio_class); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); + +@@ -473,7 +482,8 @@ static int probe_rio(struct usb_interface *intf, + "probe_rio: Not enough memory for the input buffer\n"); + usb_deregister_dev(intf, &usb_rio_class); + kfree(rio->obuf); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); + +@@ -481,8 +491,10 @@ static int probe_rio(struct usb_interface *intf, + + usb_set_intfdata (intf, rio); + rio->present = 1; ++bail_out: ++ mutex_unlock(&rio500_mutex); + +- return 0; ++ return retval; + } + + static void disconnect_rio(struct usb_interface *intf) +-- +2.9.5 + diff --git a/queue/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch b/queue/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch new file mode 100644 index 0000000..e5c6759 --- /dev/null +++ b/queue/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch @@ -0,0 +1,54 @@ +From 9a5729f68d3a82786aea110b1bfe610be318f80a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 9 May 2019 14:41:50 +0200 +Subject: [PATCH] USB: sisusbvga: fix oops in error path of sisusb_probe + +commit 9a5729f68d3a82786aea110b1bfe610be318f80a upstream. + +The pointer used to log a failure of usb_register_dev() must +be set before the error is logged. + +v2: fix that minor is not available before registration + +Signed-off-by: oliver Neukum <oneukum@suse.com> +Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com +Fixes: 7b5cd5fefbe02 ("USB: SisUSB2VGA: Convert printk to dev_* macros") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c +index 9560fde621ee..ea06f1fed6fa 100644 +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3029,6 +3029,13 @@ static int sisusb_probe(struct usb_interface *intf, + + mutex_init(&(sisusb->lock)); + ++ sisusb->sisusb_dev = dev; ++ sisusb->vrambase = SISUSB_PCI_MEMBASE; ++ sisusb->mmiobase = SISUSB_PCI_MMIOBASE; ++ sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; ++ sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; ++ /* Everything else is zero */ ++ + /* Register device */ + retval = usb_register_dev(intf, &usb_sisusb_class); + if (retval) { +@@ -3039,13 +3046,7 @@ static int sisusb_probe(struct usb_interface *intf, + goto error_1; + } + +- sisusb->sisusb_dev = dev; +- sisusb->minor = intf->minor; +- sisusb->vrambase = SISUSB_PCI_MEMBASE; +- sisusb->mmiobase = SISUSB_PCI_MMIOBASE; +- sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; +- sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; +- /* Everything else is zero */ ++ sisusb->minor = intf->minor; + + /* Allocate buffers */ + sisusb->ibufsize = SISUSB_IBUF_SIZE; +-- +2.9.5 + diff --git a/queue/arm64-Fix-the-arm64_personality-syscall-wrapper-redi.patch b/queue/arm64-Fix-the-arm64_personality-syscall-wrapper-redi.patch new file mode 100644 index 0000000..1c1bbe8 --- /dev/null +++ b/queue/arm64-Fix-the-arm64_personality-syscall-wrapper-redi.patch @@ -0,0 +1,35 @@ +From 00377277166bac6939d8f72b429301369acaf2d8 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas <catalin.marinas@arm.com> +Date: Tue, 28 May 2019 12:39:34 +0100 +Subject: [PATCH] arm64: Fix the arm64_personality() syscall wrapper + redirection + +commit 00377277166bac6939d8f72b429301369acaf2d8 upstream. + +Following commit 4378a7d4be30 ("arm64: implement syscall wrappers"), the +syscall function names gained the '__arm64_' prefix. Ensure that we +have the correct #define for redirecting a default syscall through a +wrapper. + +Fixes: 4378a7d4be30 ("arm64: implement syscall wrappers") +Cc: <stable@vger.kernel.org> # 4.19.x- +Acked-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/arch/arm64/kernel/sys.c b/arch/arm64/kernel/sys.c +index 6f91e8116514..162a95ed0881 100644 +--- a/arch/arm64/kernel/sys.c ++++ b/arch/arm64/kernel/sys.c +@@ -50,7 +50,7 @@ SYSCALL_DEFINE1(arm64_personality, unsigned int, personality) + /* + * Wrappers to pass the pt_regs argument. + */ +-#define sys_personality sys_arm64_personality ++#define __arm64_sys_personality __arm64_sys_arm64_personality + + asmlinkage long sys_ni_syscall(const struct pt_regs *); + #define __arm64_sys_ni_syscall sys_ni_syscall +-- +2.9.5 + diff --git a/queue/bnxt_en-Fix-aggregation-buffer-leak-under-OOM-condit.patch b/queue/bnxt_en-Fix-aggregation-buffer-leak-under-OOM-condit.patch new file mode 100644 index 0000000..64d0154 --- /dev/null +++ b/queue/bnxt_en-Fix-aggregation-buffer-leak-under-OOM-condit.patch @@ -0,0 +1,36 @@ +From 296d5b54163964b7ae536b8b57dfbd21d4e868e1 Mon Sep 17 00:00:00 2001 +From: Michael Chan <michael.chan@broadcom.com> +Date: Wed, 22 May 2019 19:12:54 -0400 +Subject: [PATCH] bnxt_en: Fix aggregation buffer leak under OOM condition. + +commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 upstream. + +For every RX packet, the driver replenishes all buffers used for that +packet and puts them back into the RX ring and RX aggregation ring. +In one code path where the RX packet has one RX buffer and one or more +aggregation buffers, we missed recycling the aggregation buffer(s) if +we are unable to allocate a new SKB buffer. This leads to the +aggregation ring slowly running out of buffers over time. Fix it +by properly recycling the aggregation buffers. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Reported-by: Rakesh Hemnani <rhemnani@fb.com> +Signed-off-by: Michael Chan <michael.chan@broadcom.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 8314c00d7537..21f682610e6a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1642,6 +1642,8 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + skb = bnxt_copy_skb(bnapi, data_ptr, len, dma_addr); + bnxt_reuse_rx_data(rxr, cons, data); + if (!skb) { ++ if (agg_bufs) ++ bnxt_reuse_rx_agg_bufs(cpr, cp_cons, agg_bufs); + rc = -ENOMEM; + goto next_rx; + } +-- +2.9.5 + diff --git a/queue/bonding-802.3ad-fix-slave-link-initialization-transi.patch b/queue/bonding-802.3ad-fix-slave-link-initialization-transi.patch new file mode 100644 index 0000000..baafca4 --- /dev/null +++ b/queue/bonding-802.3ad-fix-slave-link-initialization-transi.patch @@ -0,0 +1,67 @@ +From 334031219a84b9994594015aab85ed7754c80176 Mon Sep 17 00:00:00 2001 +From: Jarod Wilson <jarod@redhat.com> +Date: Fri, 24 May 2019 09:49:28 -0400 +Subject: [PATCH] bonding/802.3ad: fix slave link initialization transition + states + +commit 334031219a84b9994594015aab85ed7754c80176 upstream. + +Once in a while, with just the right timing, 802.3ad slaves will fail to +properly initialize, winding up in a weird state, with a partner system +mac address of 00:00:00:00:00:00. This started happening after a fix to +properly track link_failure_count tracking, where an 802.3ad slave that +reported itself as link up in the miimon code, but wasn't able to get a +valid speed/duplex, started getting set to BOND_LINK_FAIL instead of +BOND_LINK_DOWN. That was the proper thing to do for the general "my link +went down" case, but has created a link initialization race that can put +the interface in this odd state. + +The simple fix is to instead set the slave link to BOND_LINK_DOWN again, +if the link has never been up (last_link_up == 0), so the link state +doesn't bounce from BOND_LINK_DOWN to BOND_LINK_FAIL -- it hasn't failed +in this case, it simply hasn't been up yet, and this prevents the +unnecessary state change from DOWN to FAIL and getting stuck in an init +failure w/o a partner mac. + +Fixes: ea53abfab960 ("bonding/802.3ad: fix link_failure_count tracking") +CC: Jay Vosburgh <j.vosburgh@gmail.com> +CC: Veaceslav Falico <vfalico@gmail.com> +CC: Andy Gospodarek <andy@greyhouse.net> +CC: "David S. Miller" <davem@davemloft.net> +CC: netdev@vger.kernel.org +Tested-by: Heesoon Kim <Heesoon.Kim@stratus.com> +Signed-off-by: Jarod Wilson <jarod@redhat.com> +Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 062fa7e3af4c..407f4095a37a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3122,13 +3122,18 @@ static int bond_slave_netdev_event(unsigned long event, + case NETDEV_CHANGE: + /* For 802.3ad mode only: + * Getting invalid Speed/Duplex values here will put slave +- * in weird state. So mark it as link-fail for the time +- * being and let link-monitoring (miimon) set it right when +- * correct speeds/duplex are available. ++ * in weird state. Mark it as link-fail if the link was ++ * previously up or link-down if it hasn't yet come up, and ++ * let link-monitoring (miimon) set it right when correct ++ * speeds/duplex are available. + */ + if (bond_update_speed_duplex(slave) && +- BOND_MODE(bond) == BOND_MODE_8023AD) +- slave->link = BOND_LINK_FAIL; ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ if (slave->last_link_up) ++ slave->link = BOND_LINK_FAIL; ++ else ++ slave->link = BOND_LINK_DOWN; ++ } + + if (BOND_MODE(bond) == BOND_MODE_8023AD) + bond_3ad_adapter_speed_duplex_changed(slave); +-- +2.9.5 + diff --git a/queue/brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch b/queue/brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch new file mode 100644 index 0000000..5fdc573 --- /dev/null +++ b/queue/brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch @@ -0,0 +1,227 @@ +From 5cdb0ef6144f47440850553579aa923c20a63f23 Mon Sep 17 00:00:00 2001 +From: Piotr Figiel <p.figiel@camlintechnologies.com> +Date: Mon, 4 Mar 2019 15:42:52 +0000 +Subject: [PATCH] brcmfmac: fix NULL pointer derefence during USB disconnect + +commit 5cdb0ef6144f47440850553579aa923c20a63f23 upstream. + +In case USB disconnect happens at the moment transmitting workqueue is in +progress the underlying interface may be gone causing a NULL pointer +dereference. Add synchronization of the workqueue destruction with the +detach implementation in core so that the transmitting workqueue is stopped +during detach before the interfaces are removed. + +Fix following Oops: + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = 9e6a802d +[00000008] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle +xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 +iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether +usb_serial_simple usbserial cdc_acm brcmfmac brcmutil smsc95xx usbnet +ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base +libcomposite configfs udc_core +CPU: 0 PID: 7 Comm: kworker/u8:0 Not tainted 4.19.23-00076-g03740aa-dirty #102 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Workqueue: brcmf_fws_wq brcmf_fws_dequeue_worker [brcmfmac] +PC is at brcmf_txfinalize+0x34/0x90 [brcmfmac] +LR is at brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac] +pc : [<7f0dee64>] lr : [<7f0e4140>] psr: 60010093 +sp : ee8abef0 ip : 00000000 fp : edf38000 +r10: ffffffed r9 : edf38970 r8 : edf38004 +r7 : edf3e970 r6 : 00000000 r5 : ede69000 r4 : 00000000 +r3 : 00000a97 r2 : 00000000 r1 : 0000888e r0 : ede69000 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 7d03c04a DAC: 00000051 +Process kworker/u8:0 (pid: 7, stack limit = 0x24ec3e04) +Stack: (0xee8abef0 to 0xee8ac000) +bee0: ede69000 00000000 ed56c3e0 7f0e4140 +bf00: 00000001 00000000 edf38004 edf3e99c ed56c3e0 80d03d00 edfea43a edf3e970 +bf20: ee809880 ee804200 ee971100 00000000 edf3e974 00000000 ee804200 80135a70 +bf40: 80d03d00 ee804218 ee809880 ee809894 ee804200 80d03d00 ee804218 ee8aa000 +bf60: 00000088 80135d5c 00000000 ee829f00 ee829dc0 00000000 ee809880 80135d30 +bf80: ee829f1c ee873eac 00000000 8013b1a0 ee829dc0 8013b07c 00000000 00000000 +bfa0: 00000000 00000000 00000000 801010e8 00000000 00000000 00000000 00000000 +bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[<7f0dee64>] (brcmf_txfinalize [brcmfmac]) from [<7f0e4140>] (brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac]) +[<7f0e4140>] (brcmf_fws_dequeue_worker [brcmfmac]) from [<80135a70>] (process_one_work+0x138/0x3f8) +[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554) +[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154) +[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c) +Exception stack(0xee8abfb0 to 0xee8abff8) +bfa0: 00000000 00000000 00000000 00000000 +bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e1530001 0a000007 e3560000 e1a00005 (05942008) +---[ end trace 079239dd31c86e90 ]--- + +Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c +index 73d3c1a0a7c9..98b168736df0 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c +@@ -490,11 +490,18 @@ fail: + return -ENOMEM; + } + +-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) ++void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) ++{ ++ struct brcmf_bcdc *bcdc = drvr->proto->pd; ++ ++ brcmf_fws_detach_pre_delif(bcdc->fws); ++} ++ ++void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) + { + struct brcmf_bcdc *bcdc = drvr->proto->pd; + + drvr->proto->pd = NULL; +- brcmf_fws_detach(bcdc->fws); ++ brcmf_fws_detach_post_delif(bcdc->fws); + kfree(bcdc); + } +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h +index 3b0e9eff21b5..4bc52240ccea 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h +@@ -18,14 +18,16 @@ + + #ifdef CONFIG_BRCMFMAC_PROTO_BCDC + int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr); +-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr); ++void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr); ++void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr); + void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state); + void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp, + bool success); + struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr); + #else + static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; } +-static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {} ++static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {}; ++static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {} + #endif + + #endif /* BRCMFMAC_BCDC_H */ +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 5f3548b13639..6faeb761c27e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -1321,6 +1321,8 @@ void brcmf_detach(struct device *dev) + + brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN); + ++ brcmf_proto_detach_pre_delif(drvr); ++ + /* make sure primary interface removed last */ + for (i = BRCMF_MAX_IFS-1; i > -1; i--) + brcmf_remove_interface(drvr->iflist[i], false); +@@ -1330,7 +1332,7 @@ void brcmf_detach(struct device *dev) + + brcmf_bus_stop(drvr->bus_if); + +- brcmf_proto_detach(drvr); ++ brcmf_proto_detach_post_delif(drvr); + + bus_if->drvr = NULL; + wiphy_free(drvr->wiphy); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +index d48b8b2d946f..c22c49ae552e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +@@ -2443,17 +2443,25 @@ struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr) + return fws; + + fail: +- brcmf_fws_detach(fws); ++ brcmf_fws_detach_pre_delif(fws); ++ brcmf_fws_detach_post_delif(fws); + return ERR_PTR(rc); + } + +-void brcmf_fws_detach(struct brcmf_fws_info *fws) ++void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws) + { + if (!fws) + return; +- +- if (fws->fws_wq) ++ if (fws->fws_wq) { + destroy_workqueue(fws->fws_wq); ++ fws->fws_wq = NULL; ++ } ++} ++ ++void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws) ++{ ++ if (!fws) ++ return; + + /* cleanup */ + brcmf_fws_lock(fws); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h +index 4e6835766d5d..749c06dcdc17 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h +@@ -19,7 +19,8 @@ + #define FWSIGNAL_H_ + + struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr); +-void brcmf_fws_detach(struct brcmf_fws_info *fws); ++void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws); ++void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws); + void brcmf_fws_debugfs_create(struct brcmf_pub *drvr); + bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws); + bool brcmf_fws_fc_active(struct brcmf_fws_info *fws); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c +index 024c643052bc..c7964ccdda69 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c +@@ -67,16 +67,22 @@ fail: + return -ENOMEM; + } + +-void brcmf_proto_detach(struct brcmf_pub *drvr) ++void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr) + { + brcmf_dbg(TRACE, "Enter\n"); + + if (drvr->proto) { + if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC) +- brcmf_proto_bcdc_detach(drvr); ++ brcmf_proto_bcdc_detach_post_delif(drvr); + else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF) + brcmf_proto_msgbuf_detach(drvr); + kfree(drvr->proto); + drvr->proto = NULL; + } + } ++ ++void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr) ++{ ++ if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC) ++ brcmf_proto_bcdc_detach_pre_delif(drvr); ++} +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h +index d3c3b9a815ad..72355aea9028 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h +@@ -54,7 +54,8 @@ struct brcmf_proto { + + + int brcmf_proto_attach(struct brcmf_pub *drvr); +-void brcmf_proto_detach(struct brcmf_pub *drvr); ++void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr); ++void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr); + + static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws, + struct sk_buff *skb, +-- +2.9.5 + diff --git a/queue/cifs-fix-memory-leak-of-pneg_inbuf-on-EOPNOTSUPP-ioc.patch b/queue/cifs-fix-memory-leak-of-pneg_inbuf-on-EOPNOTSUPP-ioc.patch new file mode 100644 index 0000000..d7092db --- /dev/null +++ b/queue/cifs-fix-memory-leak-of-pneg_inbuf-on-EOPNOTSUPP-ioc.patch @@ -0,0 +1,34 @@ +From 210782038b54ec8e9059a3c12d6f6ae173efa3a9 Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Fri, 17 May 2019 09:12:33 +0100 +Subject: [PATCH] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case + +commit 210782038b54ec8e9059a3c12d6f6ae173efa3a9 upstream. + +Currently in the case where SMB2_ioctl returns the -EOPNOTSUPP error +there is a memory leak of pneg_inbuf. Fix this by returning via +the out_free_inbuf exit path that will perform the relevant kfree. + +Addresses-Coverity: ("Resource leak") +Fixes: 969ae8e8d4ee ("cifs: Accept validate negotiate if server return NT_STATUS_NOT_SUPPORTED") +CC: Stable <stable@vger.kernel.org> # v5.1+ +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Steve French <stfrench@microsoft.com> + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 710ceb875161..5b8d1482ffbd 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1054,7 +1054,8 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) + * not supported error. Client should accept it. + */ + cifs_dbg(VFS, "Server does not support validate negotiate\n"); +- return 0; ++ rc = 0; ++ goto out_free_inbuf; + } else if (rc != 0) { + cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); + rc = -EIO; +-- +2.9.5 + diff --git a/queue/compiler.h-give-up-__compiletime_assert_fallback.patch b/queue/compiler.h-give-up-__compiletime_assert_fallback.patch new file mode 100644 index 0000000..3588a68 --- /dev/null +++ b/queue/compiler.h-give-up-__compiletime_assert_fallback.patch @@ -0,0 +1,82 @@ +From 81b45683487a51b0f4d3b29d37f20d6d078544e4 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada <yamada.masahiro@socionext.com> +Date: Sun, 26 Aug 2018 03:16:29 +0900 +Subject: [PATCH] compiler.h: give up __compiletime_assert_fallback() + +commit 81b45683487a51b0f4d3b29d37f20d6d078544e4 upstream. + +__compiletime_assert_fallback() is supposed to stop building earlier +by using the negative-array-size method in case the compiler does not +support "error" attribute, but has never worked like that. + +You can simply try: + + BUILD_BUG_ON(1); + +GCC immediately terminates the build, but Clang does not report +anything because Clang does not support the "error" attribute now. +It will later fail at link time, but __compiletime_assert_fallback() +is not working at least. + +The root cause is commit 1d6a0d19c855 ("bug.h: prevent double evaluation +of `condition' in BUILD_BUG_ON"). Prior to that commit, BUILD_BUG_ON() +was checked by the negative-array-size method *and* the link-time trick. +Since that commit, the negative-array-size is not effective because +'__cond' is no longer constant. As the comment in <linux/build_bug.h> +says, GCC (and Clang as well) only emits the error for obvious cases. + +When '__cond' is a variable, + + ((void)sizeof(char[1 - 2 * __cond])) + +... is not obvious for the compiler to know the array size is negative. + +Reverting that commit would break BUILD_BUG() because negative-size-array +is evaluated before the code is optimized out. + +Let's give up __compiletime_assert_fallback(). This commit does not +change the current behavior since it just rips off the useless code. + +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Reviewed-by: Kees Cook <keescook@chromium.org> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 681d866efb1e..87c776c3ce73 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -314,29 +314,14 @@ static inline void *offset_to_ptr(const int *off) + #endif + #ifndef __compiletime_error + # define __compiletime_error(message) +-/* +- * Sparse complains of variable sized arrays due to the temporary variable in +- * __compiletime_assert. Unfortunately we can't just expand it out to make +- * sparse see a constant array size without breaking compiletime_assert on old +- * versions of GCC (e.g. 4.2.4), so hide the array from sparse altogether. +- */ +-# ifndef __CHECKER__ +-# define __compiletime_error_fallback(condition) \ +- do { ((void)sizeof(char[1 - 2 * condition])); } while (0) +-# endif +-#endif +-#ifndef __compiletime_error_fallback +-# define __compiletime_error_fallback(condition) do { } while (0) + #endif + + #ifdef __OPTIMIZE__ + # define __compiletime_assert(condition, msg, prefix, suffix) \ + do { \ +- int __cond = !(condition); \ + extern void prefix ## suffix(void) __compiletime_error(msg); \ +- if (__cond) \ ++ if (!(condition)) \ + prefix ## suffix(); \ +- __compiletime_error_fallback(__cond); \ + } while (0) + #else + # define __compiletime_assert(condition, msg, prefix, suffix) do { } while (0) +-- +2.9.5 + diff --git a/queue/crypto-vmx-ghash-do-nosimd-fallback-manually.patch b/queue/crypto-vmx-ghash-do-nosimd-fallback-manually.patch new file mode 100644 index 0000000..01201d2 --- /dev/null +++ b/queue/crypto-vmx-ghash-do-nosimd-fallback-manually.patch @@ -0,0 +1,309 @@ +From 357d065a44cdd77ed5ff35155a989f2a763e96ef Mon Sep 17 00:00:00 2001 +From: Daniel Axtens <dja@axtens.net> +Date: Fri, 17 May 2019 01:40:02 +1000 +Subject: [PATCH] crypto: vmx - ghash: do nosimd fallback manually + +commit 357d065a44cdd77ed5ff35155a989f2a763e96ef upstream. + +VMX ghash was using a fallback that did not support interleaving simd +and nosimd operations, leading to failures in the extended test suite. + +If I understood correctly, Eric's suggestion was to use the same +data format that the generic code uses, allowing us to call into it +with the same contexts. I wasn't able to get that to work - I think +there's a very different key structure and data layout being used. + +So instead steal the arm64 approach and perform the fallback +operations directly if required. + +Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") +Cc: stable@vger.kernel.org # v4.1+ +Reported-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Daniel Axtens <dja@axtens.net> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Tested-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c +index b5a6883bb09e..14807ac2e3b9 100644 +--- a/drivers/crypto/vmx/ghash.c ++++ b/drivers/crypto/vmx/ghash.c +@@ -1,22 +1,14 @@ ++// SPDX-License-Identifier: GPL-2.0 + /** + * GHASH routines supporting VMX instructions on the Power 8 + * +- * Copyright (C) 2015 International Business Machines Inc. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; version 2 only. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program; if not, write to the Free Software +- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ * Copyright (C) 2015, 2019 International Business Machines Inc. + * + * Author: Marcelo Henrique Cerri <mhcerri@br.ibm.com> ++ * ++ * Extended by Daniel Axtens <dja@axtens.net> to replace the fallback ++ * mechanism. The new approach is based on arm64 code, which is: ++ * Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org> + */ + + #include <linux/types.h> +@@ -38,70 +30,25 @@ void gcm_ghash_p8(u64 Xi[2], const u128 htable[16], + const u8 *in, size_t len); + + struct p8_ghash_ctx { ++ /* key used by vector asm */ + u128 htable[16]; +- struct crypto_shash *fallback; ++ /* key used by software fallback */ ++ be128 key; + }; + + struct p8_ghash_desc_ctx { + u64 shash[2]; + u8 buffer[GHASH_DIGEST_SIZE]; + int bytes; +- struct shash_desc fallback_desc; + }; + +-static int p8_ghash_init_tfm(struct crypto_tfm *tfm) +-{ +- const char *alg = "ghash-generic"; +- struct crypto_shash *fallback; +- struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm); +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); +- +- fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK); +- if (IS_ERR(fallback)) { +- printk(KERN_ERR +- "Failed to allocate transformation for '%s': %ld\n", +- alg, PTR_ERR(fallback)); +- return PTR_ERR(fallback); +- } +- +- crypto_shash_set_flags(fallback, +- crypto_shash_get_flags((struct crypto_shash +- *) tfm)); +- +- /* Check if the descsize defined in the algorithm is still enough. */ +- if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx) +- + crypto_shash_descsize(fallback)) { +- printk(KERN_ERR +- "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n", +- alg, +- shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx), +- crypto_shash_descsize(fallback)); +- return -EINVAL; +- } +- ctx->fallback = fallback; +- +- return 0; +-} +- +-static void p8_ghash_exit_tfm(struct crypto_tfm *tfm) +-{ +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); +- +- if (ctx->fallback) { +- crypto_free_shash(ctx->fallback); +- ctx->fallback = NULL; +- } +-} +- + static int p8_ghash_init(struct shash_desc *desc) + { +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + + dctx->bytes = 0; + memset(dctx->shash, 0, GHASH_DIGEST_SIZE); +- dctx->fallback_desc.tfm = ctx->fallback; +- return crypto_shash_init(&dctx->fallback_desc); ++ return 0; + } + + static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key, +@@ -119,7 +66,51 @@ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key, + disable_kernel_vsx(); + pagefault_enable(); + preempt_enable(); +- return crypto_shash_setkey(ctx->fallback, key, keylen); ++ ++ memcpy(&ctx->key, key, GHASH_BLOCK_SIZE); ++ ++ return 0; ++} ++ ++static inline void __ghash_block(struct p8_ghash_ctx *ctx, ++ struct p8_ghash_desc_ctx *dctx) ++{ ++ if (crypto_simd_usable()) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); ++ gcm_ghash_p8(dctx->shash, ctx->htable, ++ dctx->buffer, GHASH_DIGEST_SIZE); ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); ++ } else { ++ crypto_xor((u8 *)dctx->shash, dctx->buffer, GHASH_BLOCK_SIZE); ++ gf128mul_lle((be128 *)dctx->shash, &ctx->key); ++ } ++} ++ ++static inline void __ghash_blocks(struct p8_ghash_ctx *ctx, ++ struct p8_ghash_desc_ctx *dctx, ++ const u8 *src, unsigned int srclen) ++{ ++ if (crypto_simd_usable()) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); ++ gcm_ghash_p8(dctx->shash, ctx->htable, ++ src, srclen); ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); ++ } else { ++ while (srclen >= GHASH_BLOCK_SIZE) { ++ crypto_xor((u8 *)dctx->shash, src, GHASH_BLOCK_SIZE); ++ gf128mul_lle((be128 *)dctx->shash, &ctx->key); ++ srclen -= GHASH_BLOCK_SIZE; ++ src += GHASH_BLOCK_SIZE; ++ } ++ } + } + + static int p8_ghash_update(struct shash_desc *desc, +@@ -129,49 +120,33 @@ static int p8_ghash_update(struct shash_desc *desc, + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (!crypto_simd_usable()) { +- return crypto_shash_update(&dctx->fallback_desc, src, +- srclen); +- } else { +- if (dctx->bytes) { +- if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) { +- memcpy(dctx->buffer + dctx->bytes, src, +- srclen); +- dctx->bytes += srclen; +- return 0; +- } ++ if (dctx->bytes) { ++ if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) { + memcpy(dctx->buffer + dctx->bytes, src, +- GHASH_DIGEST_SIZE - dctx->bytes); +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_vsx(); +- gcm_ghash_p8(dctx->shash, ctx->htable, +- dctx->buffer, GHASH_DIGEST_SIZE); +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); +- src += GHASH_DIGEST_SIZE - dctx->bytes; +- srclen -= GHASH_DIGEST_SIZE - dctx->bytes; +- dctx->bytes = 0; +- } +- len = srclen & ~(GHASH_DIGEST_SIZE - 1); +- if (len) { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_vsx(); +- gcm_ghash_p8(dctx->shash, ctx->htable, src, len); +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); +- src += len; +- srclen -= len; +- } +- if (srclen) { +- memcpy(dctx->buffer, src, srclen); +- dctx->bytes = srclen; ++ srclen); ++ dctx->bytes += srclen; ++ return 0; + } +- return 0; ++ memcpy(dctx->buffer + dctx->bytes, src, ++ GHASH_DIGEST_SIZE - dctx->bytes); ++ ++ __ghash_block(ctx, dctx); ++ ++ src += GHASH_DIGEST_SIZE - dctx->bytes; ++ srclen -= GHASH_DIGEST_SIZE - dctx->bytes; ++ dctx->bytes = 0; ++ } ++ len = srclen & ~(GHASH_DIGEST_SIZE - 1); ++ if (len) { ++ __ghash_blocks(ctx, dctx, src, len); ++ src += len; ++ srclen -= len; + } ++ if (srclen) { ++ memcpy(dctx->buffer, src, srclen); ++ dctx->bytes = srclen; ++ } ++ return 0; + } + + static int p8_ghash_final(struct shash_desc *desc, u8 *out) +@@ -180,25 +155,14 @@ static int p8_ghash_final(struct shash_desc *desc, u8 *out) + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (!crypto_simd_usable()) { +- return crypto_shash_final(&dctx->fallback_desc, out); +- } else { +- if (dctx->bytes) { +- for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++) +- dctx->buffer[i] = 0; +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_vsx(); +- gcm_ghash_p8(dctx->shash, ctx->htable, +- dctx->buffer, GHASH_DIGEST_SIZE); +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); +- dctx->bytes = 0; +- } +- memcpy(out, dctx->shash, GHASH_DIGEST_SIZE); +- return 0; ++ if (dctx->bytes) { ++ for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++) ++ dctx->buffer[i] = 0; ++ __ghash_block(ctx, dctx); ++ dctx->bytes = 0; + } ++ memcpy(out, dctx->shash, GHASH_DIGEST_SIZE); ++ return 0; + } + + struct shash_alg p8_ghash_alg = { +@@ -213,11 +177,8 @@ struct shash_alg p8_ghash_alg = { + .cra_name = "ghash", + .cra_driver_name = "p8_ghash", + .cra_priority = 1000, +- .cra_flags = CRYPTO_ALG_NEED_FALLBACK, + .cra_blocksize = GHASH_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct p8_ghash_ctx), + .cra_module = THIS_MODULE, +- .cra_init = p8_ghash_init_tfm, +- .cra_exit = p8_ghash_exit_tfm, + }, + }; +-- +2.9.5 + diff --git a/queue/cxgb4-offload-VLAN-flows-regardless-of-VLAN-ethtype.patch b/queue/cxgb4-offload-VLAN-flows-regardless-of-VLAN-ethtype.patch new file mode 100644 index 0000000..b5d61ab --- /dev/null +++ b/queue/cxgb4-offload-VLAN-flows-regardless-of-VLAN-ethtype.patch @@ -0,0 +1,43 @@ +From b5730061d1056abf317caea823b94d6e12b5b4f6 Mon Sep 17 00:00:00 2001 +From: Raju Rangoju <rajur@chelsio.com> +Date: Thu, 23 May 2019 20:41:44 +0530 +Subject: [PATCH] cxgb4: offload VLAN flows regardless of VLAN ethtype + +commit b5730061d1056abf317caea823b94d6e12b5b4f6 upstream. + +VLAN flows never get offloaded unless ivlan_vld is set in filter spec. +It's not compulsory for vlan_ethtype to be set. + +So, always enable ivlan_vld bit for offloading VLAN flows regardless of +vlan_ethtype is set or not. + +Fixes: ad9af3e09c (cxgb4: add tc flower match support for vlan) +Signed-off-by: Raju Rangoju <rajur@chelsio.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +index 6e2d80008a79..cfaf8f618d1f 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +@@ -197,6 +197,9 @@ static void cxgb4_process_flow_match(struct net_device *dev, + fs->val.ivlan = vlan_tci; + fs->mask.ivlan = vlan_tci_mask; + ++ fs->val.ivlan_vld = 1; ++ fs->mask.ivlan_vld = 1; ++ + /* Chelsio adapters use ivlan_vld bit to match vlan packets + * as 802.1Q. Also, when vlan tag is present in packets, + * ethtype match is used then to match on ethtype of inner +@@ -207,8 +210,6 @@ static void cxgb4_process_flow_match(struct net_device *dev, + * ethtype value with ethtype of inner header. + */ + if (fs->val.ethtype == ETH_P_8021Q) { +- fs->val.ivlan_vld = 1; +- fs->mask.ivlan_vld = 1; + fs->val.ethtype = 0; + fs->mask.ethtype = 0; + } +-- +2.9.5 + diff --git a/queue/doc-Cope-with-Sphinx-logging-deprecations.patch b/queue/doc-Cope-with-Sphinx-logging-deprecations.patch new file mode 100644 index 0000000..34cadbb --- /dev/null +++ b/queue/doc-Cope-with-Sphinx-logging-deprecations.patch @@ -0,0 +1,228 @@ +From 096ea522e84ea68f8e6c41e5e7294731a81e29bc Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet <corbet@lwn.net> +Date: Tue, 21 May 2019 14:23:43 -0600 +Subject: [PATCH] doc: Cope with Sphinx logging deprecations + +commit 096ea522e84ea68f8e6c41e5e7294731a81e29bc upstream. + +Recent versions of sphinx will emit messages like: + + Documentation/sphinx/kerneldoc.py:103: + RemovedInSphinx20Warning: app.warning() is now deprecated. + Use sphinx.util.logging instead. + +Switch to sphinx.util.logging to make this unsightly message go away. +Alas, that interface was only added in version 1.6, so we have to add a +version check to keep things working with older sphinxes. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet <corbet@lwn.net> + +diff --git a/Documentation/sphinx/kerneldoc.py b/Documentation/sphinx/kerneldoc.py +index 9d0a7f08f93b..200c8aa4a04f 100644 +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -39,6 +39,8 @@ from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive + from sphinx.ext.autodoc import AutodocReporter + ++import kernellog ++ + __version__ = '1.0' + + class KernelDocDirective(Directive): +@@ -90,7 +92,8 @@ class KernelDocDirective(Directive): + cmd += [filename] + + try: +- env.app.verbose('calling kernel-doc \'%s\'' % (" ".join(cmd))) ++ kernellog.verbose(env.app, ++ 'calling kernel-doc \'%s\'' % (" ".join(cmd))) + + p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = p.communicate() +@@ -100,7 +103,8 @@ class KernelDocDirective(Directive): + if p.returncode != 0: + sys.stderr.write(err) + +- env.app.warn('kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) ++ kernellog.warn(env.app, ++ 'kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + elif env.config.kerneldoc_verbosity > 0: + sys.stderr.write(err) +@@ -132,8 +136,8 @@ class KernelDocDirective(Directive): + return node.children + + except Exception as e: # pylint: disable=W0703 +- env.app.warn('kernel-doc \'%s\' processing failed with: %s' % +- (" ".join(cmd), str(e))) ++ kernellog.warn(env.app, 'kernel-doc \'%s\' processing failed with: %s' % ++ (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + + def setup(app): +diff --git a/Documentation/sphinx/kernellog.py b/Documentation/sphinx/kernellog.py +new file mode 100644 +index 000000000000..af924f51a7dc +--- /dev/null ++++ b/Documentation/sphinx/kernellog.py +@@ -0,0 +1,28 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Sphinx has deprecated its older logging interface, but the replacement ++# only goes back to 1.6. So here's a wrapper layer to keep around for ++# as long as we support 1.4. ++# ++import sphinx ++ ++if sphinx.__version__[:3] >= '1.6': ++ UseLogging = True ++ from sphinx.util import logging ++ logger = logging.getLogger('kerneldoc') ++else: ++ UseLogging = False ++ ++def warn(app, message): ++ if UseLogging: ++ logger.warning(message) ++ else: ++ app.warn(message) ++ ++def verbose(app, message): ++ if UseLogging: ++ logger.verbose(message) ++ else: ++ app.verbose(message) ++ ++ +diff --git a/Documentation/sphinx/kfigure.py b/Documentation/sphinx/kfigure.py +index b97228d2cc0e..fbfe6693bb60 100644 +--- a/Documentation/sphinx/kfigure.py ++++ b/Documentation/sphinx/kfigure.py +@@ -60,6 +60,8 @@ import sphinx + from sphinx.util.nodes import clean_astext + from six import iteritems + ++import kernellog ++ + PY3 = sys.version_info[0] == 3 + + if PY3: +@@ -171,20 +173,20 @@ def setupTools(app): + This function is called once, when the builder is initiated. + """ + global dot_cmd, convert_cmd # pylint: disable=W0603 +- app.verbose("kfigure: check installed tools ...") ++ kernellog.verbose(app, "kfigure: check installed tools ...") + + dot_cmd = which('dot') + convert_cmd = which('convert') + + if dot_cmd: +- app.verbose("use dot(1) from: " + dot_cmd) ++ kernellog.verbose(app, "use dot(1) from: " + dot_cmd) + else: +- app.warn("dot(1) not found, for better output quality install " +- "graphviz from http://www.graphviz.org") ++ kernellog.warn(app, "dot(1) not found, for better output quality install " ++ "graphviz from http://www.graphviz.org") + if convert_cmd: +- app.verbose("use convert(1) from: " + convert_cmd) ++ kernellog.verbose(app, "use convert(1) from: " + convert_cmd) + else: +- app.warn( ++ kernellog.warn(app, + "convert(1) not found, for SVG to PDF conversion install " + "ImageMagick (https://www.imagemagick.org)") + +@@ -220,12 +222,13 @@ def convert_image(img_node, translator, src_fname=None): + + # in kernel builds, use 'make SPHINXOPTS=-v' to see verbose messages + +- app.verbose('assert best format for: ' + img_node['uri']) ++ kernellog.verbose(app, 'assert best format for: ' + img_node['uri']) + + if in_ext == '.dot': + + if not dot_cmd: +- app.verbose("dot from graphviz not available / include DOT raw.") ++ kernellog.verbose(app, ++ "dot from graphviz not available / include DOT raw.") + img_node.replace_self(file2literal(src_fname)) + + elif translator.builder.format == 'latex': +@@ -252,7 +255,8 @@ def convert_image(img_node, translator, src_fname=None): + + if translator.builder.format == 'latex': + if convert_cmd is None: +- app.verbose("no SVG to PDF conversion available / include SVG raw.") ++ kernellog.verbose(app, ++ "no SVG to PDF conversion available / include SVG raw.") + img_node.replace_self(file2literal(src_fname)) + else: + dst_fname = path.join(translator.builder.outdir, fname + '.pdf') +@@ -265,18 +269,19 @@ def convert_image(img_node, translator, src_fname=None): + _name = dst_fname[len(translator.builder.outdir) + 1:] + + if isNewer(dst_fname, src_fname): +- app.verbose("convert: {out}/%s already exists and is newer" % _name) ++ kernellog.verbose(app, ++ "convert: {out}/%s already exists and is newer" % _name) + + else: + ok = False + mkdir(path.dirname(dst_fname)) + + if in_ext == '.dot': +- app.verbose('convert DOT to: {out}/' + _name) ++ kernellog.verbose(app, 'convert DOT to: {out}/' + _name) + ok = dot2format(app, src_fname, dst_fname) + + elif in_ext == '.svg': +- app.verbose('convert SVG to: {out}/' + _name) ++ kernellog.verbose(app, 'convert SVG to: {out}/' + _name) + ok = svg2pdf(app, src_fname, dst_fname) + + if not ok: +@@ -305,7 +310,8 @@ def dot2format(app, dot_fname, out_fname): + with open(out_fname, "w") as out: + exit_code = subprocess.call(cmd, stdout = out) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, ++ "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + def svg2pdf(app, svg_fname, pdf_fname): +@@ -322,7 +328,7 @@ def svg2pdf(app, svg_fname, pdf_fname): + # use stdout and stderr from parent + exit_code = subprocess.call(cmd) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + +@@ -415,15 +421,15 @@ def visit_kernel_render(self, node): + app = self.builder.app + srclang = node.get('srclang') + +- app.verbose('visit kernel-render node lang: "%s"' % (srclang)) ++ kernellog.verbose(app, 'visit kernel-render node lang: "%s"' % (srclang)) + + tmp_ext = RENDER_MARKUP_EXT.get(srclang, None) + if tmp_ext is None: +- app.warn('kernel-render: "%s" unknown / include raw.' % (srclang)) ++ kernellog.warn(app, 'kernel-render: "%s" unknown / include raw.' % (srclang)) + return + + if not dot_cmd and tmp_ext == '.dot': +- app.verbose("dot from graphviz not available / include raw.") ++ kernellog.verbose(app, "dot from graphviz not available / include raw.") + return + + literal_block = node[0] +-- +2.9.5 + diff --git a/queue/doc-Cope-with-the-deprecation-of-AutoReporter.patch b/queue/doc-Cope-with-the-deprecation-of-AutoReporter.patch new file mode 100644 index 0000000..6f85b00 --- /dev/null +++ b/queue/doc-Cope-with-the-deprecation-of-AutoReporter.patch @@ -0,0 +1,81 @@ +From 2404dad1f67f8917e30fc22a85e0dbcc85b99955 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet <corbet@lwn.net> +Date: Tue, 21 May 2019 14:42:34 -0600 +Subject: [PATCH] doc: Cope with the deprecation of AutoReporter + +commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream. + +AutoReporter is going away; recent versions of sphinx emit a warning like: + + Documentation/sphinx/kerneldoc.py:125: + RemovedInSphinx20Warning: AutodocReporter is now deprecated. + Use sphinx.util.docutils.switch_source_input() instead. + +Make the switch. But switch_source_input() only showed up in 1.7, so we +have to do ugly version checks to keep things working in older versions. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet <corbet@lwn.net> + +diff --git a/Documentation/sphinx/kerneldoc.py b/Documentation/sphinx/kerneldoc.py +index 200c8aa4a04f..1159405cb920 100644 +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -37,7 +37,17 @@ import glob + from docutils import nodes, statemachine + from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive +-from sphinx.ext.autodoc import AutodocReporter ++ ++# ++# AutodocReporter is only good up to Sphinx 1.7 ++# ++import sphinx ++ ++Use_SSI = sphinx.__version__[:3] >= '1.7' ++if Use_SSI: ++ from sphinx.util.docutils import switch_source_input ++else: ++ from sphinx.ext.autodoc import AutodocReporter + + import kernellog + +@@ -125,13 +135,7 @@ class KernelDocDirective(Directive): + lineoffset += 1 + + node = nodes.section() +- buf = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter +- self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) +- self.state.memo.title_styles, self.state.memo.section_level = [], 0 +- try: +- self.state.nested_parse(result, 0, node, match_titles=1) +- finally: +- self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = buf ++ self.do_parse(result, node) + + return node.children + +@@ -140,6 +144,20 @@ class KernelDocDirective(Directive): + (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + ++ def do_parse(self, result, node): ++ if Use_SSI: ++ with switch_source_input(self.state, result): ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ else: ++ save = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter ++ self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) ++ self.state.memo.title_styles, self.state.memo.section_level = [], 0 ++ try: ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ finally: ++ self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = save ++ ++ + def setup(app): + app.add_config_value('kerneldoc_bin', None, 'env') + app.add_config_value('kerneldoc_srctree', None, 'env') +-- +2.9.5 + diff --git a/queue/docs-Fix-conf.py-for-Sphinx-2.0.patch b/queue/docs-Fix-conf.py-for-Sphinx-2.0.patch new file mode 100644 index 0000000..5bcd5b9 --- /dev/null +++ b/queue/docs-Fix-conf.py-for-Sphinx-2.0.patch @@ -0,0 +1,30 @@ +From 3bc8088464712fdcb078eefb68837ccfcc413c88 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet <corbet@lwn.net> +Date: Wed, 22 May 2019 14:30:45 -0600 +Subject: [PATCH] docs: Fix conf.py for Sphinx 2.0 + +commit 3bc8088464712fdcb078eefb68837ccfcc413c88 upstream. + +Our version check in Documentation/conf.py never envisioned a world where +Sphinx moved beyond 1.x. Now that the unthinkable has happened, fix our +version check to handle higher version numbers correctly. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet <corbet@lwn.net> + +diff --git a/Documentation/conf.py b/Documentation/conf.py +index 72647a38b5c2..7ace3f8852bd 100644 +--- a/Documentation/conf.py ++++ b/Documentation/conf.py +@@ -37,7 +37,7 @@ needs_sphinx = '1.3' + extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure', 'sphinx.ext.ifconfig'] + + # The name of the math extension changed on Sphinx 1.4 +-if major == 1 and minor > 3: ++if (major == 1 and minor > 3) or (major > 1): + extensions.append("sphinx.ext.imgmath") + else: + extensions.append("sphinx.ext.pngmath") +-- +2.9.5 + diff --git a/queue/drm-Turn-off-Legacy-Context-Functions.patch b/queue/drm-Turn-off-Legacy-Context-Functions.patch new file mode 100644 index 0000000..ab3aaa9 --- /dev/null +++ b/queue/drm-Turn-off-Legacy-Context-Functions.patch @@ -0,0 +1,254 @@ +From 0e975980d435d58df2d430d688b8c18778b42218 Mon Sep 17 00:00:00 2001 +From: Peter Antoine <peter.antoine@intel.com> +Date: Tue, 23 Jun 2015 08:18:49 +0100 +Subject: [PATCH] drm: Turn off Legacy Context Functions + +commit 0e975980d435d58df2d430d688b8c18778b42218 upstream. + +The context functions are not used by the i915 driver and should not +be used by modeset drivers. These driver functions contain several bugs +and security holes. This change makes these functions optional can be +turned on by a setting, they are turned off by default for modeset +driver with the exception of the nouvea driver that may require them with +an old version of libdrm. + +The previous attempt was + +commit 7c510133d93dd6f15ca040733ba7b2891ed61fd1 +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Thu Aug 8 15:41:21 2013 +0200 + + drm: mark context support as a legacy subsystem + +but this had to be reverted + +commit c21eb21cb50d58e7cbdcb8b9e7ff68b85cfa5095 +Author: Dave Airlie <airlied@redhat.com> +Date: Fri Sep 20 08:32:59 2013 +1000 + + Revert "drm: mark context support as a legacy subsystem" + +v2: remove returns from void function, and formatting (Daniel Vetter) + +v3: +- s/Nova/nouveau/ in the commit message, and add references to the + previous attempts +- drop the part touching the drm hw lock, that should be a separate + patch. + +Signed-off-by: Peter Antoine <peter.antoine@intel.com> (v2) +Cc: Peter Antoine <peter.antoine@intel.com> (v2) +Reviewed-by: Peter Antoine <peter.antoine@intel.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> + +diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c +index 9b23525c0ed0..32958dabd7b0 100644 +--- a/drivers/gpu/drm/drm_context.c ++++ b/drivers/gpu/drm/drm_context.c +@@ -53,6 +53,10 @@ struct drm_ctx_list { + */ + void drm_legacy_ctxbitmap_free(struct drm_device * dev, int ctx_handle) + { ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return; ++ + mutex_lock(&dev->struct_mutex); + idr_remove(&dev->ctx_idr, ctx_handle); + mutex_unlock(&dev->struct_mutex); +@@ -87,6 +91,10 @@ static int drm_legacy_ctxbitmap_next(struct drm_device * dev) + */ + int drm_legacy_ctxbitmap_init(struct drm_device * dev) + { ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + idr_init(&dev->ctx_idr); + return 0; + } +@@ -101,6 +109,10 @@ int drm_legacy_ctxbitmap_init(struct drm_device * dev) + */ + void drm_legacy_ctxbitmap_cleanup(struct drm_device * dev) + { ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return; ++ + mutex_lock(&dev->struct_mutex); + idr_destroy(&dev->ctx_idr); + mutex_unlock(&dev->struct_mutex); +@@ -119,6 +131,10 @@ void drm_legacy_ctxbitmap_flush(struct drm_device *dev, struct drm_file *file) + { + struct drm_ctx_list *pos, *tmp; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return; ++ + mutex_lock(&dev->ctxlist_mutex); + + list_for_each_entry_safe(pos, tmp, &dev->ctxlist, head) { +@@ -161,6 +177,10 @@ int drm_legacy_getsareactx(struct drm_device *dev, void *data, + struct drm_local_map *map; + struct drm_map_list *_entry; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + mutex_lock(&dev->struct_mutex); + + map = idr_find(&dev->ctx_idr, request->ctx_id); +@@ -205,6 +225,10 @@ int drm_legacy_setsareactx(struct drm_device *dev, void *data, + struct drm_local_map *map = NULL; + struct drm_map_list *r_list = NULL; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + mutex_lock(&dev->struct_mutex); + list_for_each_entry(r_list, &dev->maplist, head) { + if (r_list->map +@@ -305,6 +329,10 @@ int drm_legacy_resctx(struct drm_device *dev, void *data, + struct drm_ctx ctx; + int i; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + if (res->count >= DRM_RESERVED_CONTEXTS) { + memset(&ctx, 0, sizeof(ctx)); + for (i = 0; i < DRM_RESERVED_CONTEXTS; i++) { +@@ -335,6 +363,10 @@ int drm_legacy_addctx(struct drm_device *dev, void *data, + struct drm_ctx_list *ctx_entry; + struct drm_ctx *ctx = data; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + ctx->handle = drm_legacy_ctxbitmap_next(dev); + if (ctx->handle == DRM_KERNEL_CONTEXT) { + /* Skip kernel's context and get a new one. */ +@@ -378,6 +410,10 @@ int drm_legacy_getctx(struct drm_device *dev, void *data, + { + struct drm_ctx *ctx = data; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + /* This is 0, because we don't handle any context flags */ + ctx->flags = 0; + +@@ -400,6 +436,10 @@ int drm_legacy_switchctx(struct drm_device *dev, void *data, + { + struct drm_ctx *ctx = data; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + DRM_DEBUG("%d\n", ctx->handle); + return drm_context_switch(dev, dev->last_context, ctx->handle); + } +@@ -420,6 +460,10 @@ int drm_legacy_newctx(struct drm_device *dev, void *data, + { + struct drm_ctx *ctx = data; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + DRM_DEBUG("%d\n", ctx->handle); + drm_context_switch_complete(dev, file_priv, ctx->handle); + +@@ -442,6 +486,10 @@ int drm_legacy_rmctx(struct drm_device *dev, void *data, + { + struct drm_ctx *ctx = data; + ++ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) && ++ drm_core_check_feature(dev, DRIVER_MODESET)) ++ return -EINVAL; ++ + DRM_DEBUG("%d\n", ctx->handle); + if (ctx->handle != DRM_KERNEL_CONTEXT) { + if (dev->driver->context_dtor) +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index b7bf4ce8c012..838657503113 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -582,11 +582,14 @@ struct drm_device *drm_dev_alloc(struct drm_driver *driver, + if (drm_ht_create(&dev->map_hash, 12)) + goto err_minors; + +- ret = drm_legacy_ctxbitmap_init(dev); +- if (ret) { +- DRM_ERROR("Cannot allocate memory for context bitmap.\n"); +- goto err_ht; +- } ++ if (drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) || ++ !drm_core_check_feature(dev, DRIVER_MODESET)) ++ ret = drm_legacy_ctxbitmap_init(dev); ++ if (ret) { ++ DRM_ERROR( ++ "Cannot allocate memory for context bitmap.\n"); ++ goto err_ht; ++ } + + if (drm_core_check_feature(dev, DRIVER_GEM)) { + ret = drm_gem_init(dev); +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 89049335b738..9624b3827c34 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -941,7 +941,8 @@ static struct drm_driver + driver_stub = { + .driver_features = + DRIVER_USE_AGP | +- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER, ++ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER | ++ DRIVER_KMS_LEGACY_CONTEXT, + + .load = nouveau_drm_load, + .unload = nouveau_drm_unload, +diff --git a/include/drm/drmP.h b/include/drm/drmP.h +index 48db6a56975f..3dc7c16c18f2 100644 +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -137,17 +137,18 @@ void drm_err(const char *format, ...); + /*@{*/ + + /* driver capabilities and requirements mask */ +-#define DRIVER_USE_AGP 0x1 +-#define DRIVER_PCI_DMA 0x8 +-#define DRIVER_SG 0x10 +-#define DRIVER_HAVE_DMA 0x20 +-#define DRIVER_HAVE_IRQ 0x40 +-#define DRIVER_IRQ_SHARED 0x80 +-#define DRIVER_GEM 0x1000 +-#define DRIVER_MODESET 0x2000 +-#define DRIVER_PRIME 0x4000 +-#define DRIVER_RENDER 0x8000 +-#define DRIVER_ATOMIC 0x10000 ++#define DRIVER_USE_AGP 0x1 ++#define DRIVER_PCI_DMA 0x8 ++#define DRIVER_SG 0x10 ++#define DRIVER_HAVE_DMA 0x20 ++#define DRIVER_HAVE_IRQ 0x40 ++#define DRIVER_IRQ_SHARED 0x80 ++#define DRIVER_GEM 0x1000 ++#define DRIVER_MODESET 0x2000 ++#define DRIVER_PRIME 0x4000 ++#define DRIVER_RENDER 0x8000 ++#define DRIVER_ATOMIC 0x10000 ++#define DRIVER_KMS_LEGACY_CONTEXT 0x20000 + + /***********************************************************************/ + /** \name Macros to make printk easier */ +-- +2.9.5 + diff --git a/queue/drm-add-non-desktop-quirk-for-Valve-HMDs.patch b/queue/drm-add-non-desktop-quirk-for-Valve-HMDs.patch new file mode 100644 index 0000000..437c338 --- /dev/null +++ b/queue/drm-add-non-desktop-quirk-for-Valve-HMDs.patch @@ -0,0 +1,48 @@ +From 30d62d4453e49f85dd17b2ba60bbb68b6593dba0 Mon Sep 17 00:00:00 2001 +From: Andres Rodriguez <andresx7@gmail.com> +Date: Thu, 2 May 2019 15:31:57 -0400 +Subject: [PATCH] drm: add non-desktop quirk for Valve HMDs + +commit 30d62d4453e49f85dd17b2ba60bbb68b6593dba0 upstream. + +Add vendor/product pairs for the Valve Index HMDs. + +Signed-off-by: Andres Rodriguez <andresx7@gmail.com> +Cc: Dave Airlie <airlied@redhat.com> +Cc: <stable@vger.kernel.org> # v4.15 +Signed-off-by: Dave Airlie <airlied@redhat.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190502193157.15692-1-andresx7@gmail.com + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 2c22ea446075..649cfd8b4200 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -162,6 +162,25 @@ static const struct edid_quirk { + /* Rotel RSX-1058 forwards sink's EDID but only does HDMI 1.1*/ + { "ETR", 13896, EDID_QUIRK_FORCE_8BPC }, + ++ /* Valve Index Headset */ ++ { "VLV", 0x91a8, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b0, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b1, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b2, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b3, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b4, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b5, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b6, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b7, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b8, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91b9, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91ba, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91bb, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91bc, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91bd, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91be, EDID_QUIRK_NON_DESKTOP }, ++ { "VLV", 0x91bf, EDID_QUIRK_NON_DESKTOP }, ++ + /* HTC Vive and Vive Pro VR Headsets */ + { "HVR", 0xaa01, EDID_QUIRK_NON_DESKTOP }, + { "HVR", 0xaa02, EDID_QUIRK_NON_DESKTOP }, +-- +2.9.5 + diff --git a/queue/drm-add-non-desktop-quirks-to-Sensics-and-OSVR-heads.patch b/queue/drm-add-non-desktop-quirks-to-Sensics-and-OSVR-heads.patch new file mode 100644 index 0000000..26ada60 --- /dev/null +++ b/queue/drm-add-non-desktop-quirks-to-Sensics-and-OSVR-heads.patch @@ -0,0 +1,37 @@ +From 29054230f3e11ea818eccfa7bb4e4b3e89544164 Mon Sep 17 00:00:00 2001 +From: Ryan Pavlik <ryan.pavlik@collabora.com> +Date: Mon, 3 Dec 2018 10:46:44 -0600 +Subject: [PATCH] drm: add non-desktop quirks to Sensics and OSVR headsets. + +commit 29054230f3e11ea818eccfa7bb4e4b3e89544164 upstream. + +Add two EDID vendor/product pairs used across a variety of +Sensics products, as well as the OSVR HDK and HDK 2. + +Signed-off-by: Ryan Pavlik <ryan.pavlik@collabora.com> +Signed-off-by: Daniel Stone <daniels@collabora.com> +Reviewed-by: Daniel Stone <daniels@collabora.com> +Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> +Link: https://patchwork.freedesktop.org/patch/msgid/20181203164644.13974-1-ryan.pavlik@collabora.com +Cc: <stable@vger.kernel.org> # v4.15+ + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 5f142530532a..fa39592ebc0a 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -193,6 +193,12 @@ static const struct edid_quirk { + + /* Sony PlayStation VR Headset */ + { "SNY", 0x0704, EDID_QUIRK_NON_DESKTOP }, ++ ++ /* Sensics VR Headsets */ ++ { "SEN", 0x1019, EDID_QUIRK_NON_DESKTOP }, ++ ++ /* OSVR HDK and HDK2 VR Headsets */ ++ { "SVR", 0x1019, EDID_QUIRK_NON_DESKTOP }, + }; + + /* +-- +2.9.5 + diff --git a/queue/drm-amdgpu-psp-move-psp-version-specific-function-po.patch b/queue/drm-amdgpu-psp-move-psp-version-specific-function-po.patch new file mode 100644 index 0000000..e4521f2 --- /dev/null +++ b/queue/drm-amdgpu-psp-move-psp-version-specific-function-po.patch @@ -0,0 +1,62 @@ +From 9d6fea5744d6798353f37ac42a8a653a2607ca69 Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Wed, 8 May 2019 21:45:06 -0500 +Subject: [PATCH] drm/amdgpu/psp: move psp version specific function pointers + to early_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 9d6fea5744d6798353f37ac42a8a653a2607ca69 upstream. + +In case we need to use them for GPU reset prior initializing the +asic. Fixes a crash if the driver attempts to reset the GPU at driver +load time. + +Acked-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +index 905cce1814f3..05897b05766b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -38,18 +38,10 @@ static void psp_set_funcs(struct amdgpu_device *adev); + static int psp_early_init(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ struct psp_context *psp = &adev->psp; + + psp_set_funcs(adev); + +- return 0; +-} +- +-static int psp_sw_init(void *handle) +-{ +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- struct psp_context *psp = &adev->psp; +- int ret; +- + switch (adev->asic_type) { + case CHIP_VEGA10: + case CHIP_VEGA12: +@@ -67,6 +59,15 @@ static int psp_sw_init(void *handle) + + psp->adev = adev; + ++ return 0; ++} ++ ++static int psp_sw_init(void *handle) ++{ ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ struct psp_context *psp = &adev->psp; ++ int ret; ++ + ret = psp_init_microcode(psp); + if (ret) { + DRM_ERROR("Failed to load psp firmware!\n"); +-- +2.9.5 + diff --git a/queue/drm-amdgpu-remove-ATPX_DGPU_REQ_POWER_FOR_DISPLAYS-c.patch b/queue/drm-amdgpu-remove-ATPX_DGPU_REQ_POWER_FOR_DISPLAYS-c.patch new file mode 100644 index 0000000..8f83e09 --- /dev/null +++ b/queue/drm-amdgpu-remove-ATPX_DGPU_REQ_POWER_FOR_DISPLAYS-c.patch @@ -0,0 +1,34 @@ +From bdb1ccb080dafc1b4224873a5b759ff85a7d1c10 Mon Sep 17 00:00:00 2001 +From: Aaron Liu <aaron.liu@amd.com> +Date: Tue, 30 Apr 2019 09:47:25 +0800 +Subject: [PATCH] drm/amdgpu: remove ATPX_DGPU_REQ_POWER_FOR_DISPLAYS check + when hotplug-in + +commit bdb1ccb080dafc1b4224873a5b759ff85a7d1c10 upstream. + +In amdgpu_atif_handler, when hotplug event received, remove +ATPX_DGPU_REQ_POWER_FOR_DISPLAYS check. This bit's check will cause missing +system resume. + +Signed-off-by: Aaron Liu <aaron.liu@amd.com> +Reviewed-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 4376b17ca594..56f8ca2a3bb4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -464,8 +464,7 @@ static int amdgpu_atif_handler(struct amdgpu_device *adev, + } + } + if (req.pending & ATIF_DGPU_DISPLAY_EVENT) { +- if ((adev->flags & AMD_IS_PX) && +- amdgpu_atpx_dgpu_req_power_for_displays()) { ++ if (adev->flags & AMD_IS_PX) { + pm_runtime_get_sync(adev->ddev->dev); + /* Just fire off a uevent and let userspace tell us what to do */ + drm_helper_hpd_irq_event(adev->ddev); +-- +2.9.5 + diff --git a/queue/drm-don-t-block-fb-changes-for-async-plane-updates.patch b/queue/drm-don-t-block-fb-changes-for-async-plane-updates.patch new file mode 100644 index 0000000..7ca618d --- /dev/null +++ b/queue/drm-don-t-block-fb-changes-for-async-plane-updates.patch @@ -0,0 +1,131 @@ +From 89a4aac0ab0e6f5eea10d7bf4869dd15c3de2cd4 Mon Sep 17 00:00:00 2001 +From: Helen Koike <helen.koike@collabora.com> +Date: Mon, 3 Jun 2019 13:56:10 -0300 +Subject: [PATCH] drm: don't block fb changes for async plane updates + +commit 89a4aac0ab0e6f5eea10d7bf4869dd15c3de2cd4 upstream. + +In the case of a normal sync update, the preparation of framebuffers (be +it calling drm_atomic_helper_prepare_planes() or doing setups with +drm_framebuffer_get()) are performed in the new_state and the respective +cleanups are performed in the old_state. + +In the case of async updates, the preparation is also done in the +new_state but the cleanups are done in the new_state (because updates +are performed in place, i.e. in the current state). + +The current code blocks async udpates when the fb is changed, turning +async updates into sync updates, slowing down cursor updates and +introducing regressions in igt tests with errors of type: + +"CRITICAL: completed 97 cursor updated in a period of 30 flips, we +expect to complete approximately 15360 updates, with the threshold set +at 7680" + +Fb changes in async updates were prevented to avoid the following scenario: + +- Async update, oldfb = NULL, newfb = fb1, prepare fb1, cleanup fb1 +- Async update, oldfb = fb1, newfb = fb2, prepare fb2, cleanup fb2 +- Non-async commit, oldfb = fb2, newfb = fb1, prepare fb1, cleanup fb2 (wrong) +Where we have a single call to prepare fb2 but double cleanup call to fb2. + +To solve the above problems, instead of blocking async fb changes, we +place the old framebuffer in the new_state object, so when the code +performs cleanups in the new_state it will cleanup the old_fb and we +will have the following scenario instead: + +- Async update, oldfb = NULL, newfb = fb1, prepare fb1, no cleanup +- Async update, oldfb = fb1, newfb = fb2, prepare fb2, cleanup fb1 +- Non-async commit, oldfb = fb2, newfb = fb1, prepare fb1, cleanup fb2 + +Where calls to prepare/cleanup are balanced. + +Cc: <stable@vger.kernel.org> # v4.14+ +Fixes: 25dc194b34dd ("drm: Block fb changes for async plane updates") +Suggested-by: Boris Brezillon <boris.brezillon@collabora.com> +Signed-off-by: Helen Koike <helen.koike@collabora.com> +Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com> +Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com> +Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190603165610.24614-6-helen.koike@collabora.com + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index 2e0cb4246cbd..22a5c617f670 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1607,15 +1607,6 @@ int drm_atomic_helper_async_check(struct drm_device *dev, + old_plane_state->crtc != new_plane_state->crtc) + return -EINVAL; + +- /* +- * FIXME: Since prepare_fb and cleanup_fb are always called on +- * the new_plane_state for async updates we need to block framebuffer +- * changes. This prevents use of a fb that's been cleaned up and +- * double cleanups from occuring. +- */ +- if (old_plane_state->fb != new_plane_state->fb) +- return -EINVAL; +- + funcs = plane->helper_private; + if (!funcs->atomic_async_update) + return -EINVAL; +@@ -1646,6 +1637,8 @@ EXPORT_SYMBOL(drm_atomic_helper_async_check); + * drm_atomic_async_check() succeeds. Async commits are not supposed to swap + * the states like normal sync commits, but just do in-place changes on the + * current state. ++ * ++ * TODO: Implement full swap instead of doing in-place changes. + */ + void drm_atomic_helper_async_commit(struct drm_device *dev, + struct drm_atomic_state *state) +@@ -1656,6 +1649,9 @@ void drm_atomic_helper_async_commit(struct drm_device *dev, + int i; + + for_each_new_plane_in_state(state, plane, plane_state, i) { ++ struct drm_framebuffer *new_fb = plane_state->fb; ++ struct drm_framebuffer *old_fb = plane->state->fb; ++ + funcs = plane->helper_private; + funcs->atomic_async_update(plane, plane_state); + +@@ -1664,11 +1660,17 @@ void drm_atomic_helper_async_commit(struct drm_device *dev, + * plane->state in-place, make sure at least common + * properties have been properly updated. + */ +- WARN_ON_ONCE(plane->state->fb != plane_state->fb); ++ WARN_ON_ONCE(plane->state->fb != new_fb); + WARN_ON_ONCE(plane->state->crtc_x != plane_state->crtc_x); + WARN_ON_ONCE(plane->state->crtc_y != plane_state->crtc_y); + WARN_ON_ONCE(plane->state->src_x != plane_state->src_x); + WARN_ON_ONCE(plane->state->src_y != plane_state->src_y); ++ ++ /* ++ * Make sure the FBs have been swapped so that cleanups in the ++ * new_state performs a cleanup in the old FB. ++ */ ++ WARN_ON_ONCE(plane_state->fb != old_fb); + } + } + EXPORT_SYMBOL(drm_atomic_helper_async_commit); +diff --git a/include/drm/drm_modeset_helper_vtables.h b/include/drm/drm_modeset_helper_vtables.h +index f9c94c2a1364..f7bbd0b0ecd1 100644 +--- a/include/drm/drm_modeset_helper_vtables.h ++++ b/include/drm/drm_modeset_helper_vtables.h +@@ -1185,6 +1185,14 @@ struct drm_plane_helper_funcs { + * current one with the new plane configurations in the new + * plane_state. + * ++ * Drivers should also swap the framebuffers between current plane ++ * state (&drm_plane.state) and new_state. ++ * This is required since cleanup for async commits is performed on ++ * the new state, rather than old state like for traditional commits. ++ * Since we want to give up the reference on the current (old) fb ++ * instead of our brand new one, swap them in the driver during the ++ * async commit. ++ * + * FIXME: + * - It only works for single plane updates + * - Async Pageflips are not supported yet +-- +2.9.5 + diff --git a/queue/drm-gma500-cdv-Check-vbt-config-bits-when-detecting-.patch b/queue/drm-gma500-cdv-Check-vbt-config-bits-when-detecting-.patch new file mode 100644 index 0000000..e94007d --- /dev/null +++ b/queue/drm-gma500-cdv-Check-vbt-config-bits-when-detecting-.patch @@ -0,0 +1,61 @@ +From 7c420636860a719049fae9403e2c87804f53bdde Mon Sep 17 00:00:00 2001 +From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> +Date: Tue, 16 Apr 2019 13:46:07 +0200 +Subject: [PATCH] drm/gma500/cdv: Check vbt config bits when detecting lvds + panels + +commit 7c420636860a719049fae9403e2c87804f53bdde upstream. + +Some machines have an lvds child device in vbt even though a panel is +not attached. To make detection more reliable we now also check the lvds +config bits available in the vbt. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1665766 +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede <hdegoede@redhat.com> +Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190416114607.1072-1-patrik.r.jakobsson@gmail.com + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c +index de9531caaca0..9c8446184b17 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c +@@ -594,6 +594,9 @@ void cdv_intel_lvds_init(struct drm_device *dev, + int pipe; + u8 pin; + ++ if (!dev_priv->lvds_enabled_in_vbt) ++ return; ++ + pin = GMBUS_PORT_PANEL; + if (!lvds_is_present_in_vbt(dev, &pin)) { + DRM_DEBUG_KMS("LVDS is not present in VBT\n"); +diff --git a/drivers/gpu/drm/gma500/intel_bios.c b/drivers/gpu/drm/gma500/intel_bios.c +index 63bde4e86c6a..e019ea271ffc 100644 +--- a/drivers/gpu/drm/gma500/intel_bios.c ++++ b/drivers/gpu/drm/gma500/intel_bios.c +@@ -436,6 +436,9 @@ parse_driver_features(struct drm_psb_private *dev_priv, + if (driver->lvds_config == BDB_DRIVER_FEATURE_EDP) + dev_priv->edp.support = 1; + ++ dev_priv->lvds_enabled_in_vbt = driver->lvds_config != 0; ++ DRM_DEBUG_KMS("LVDS VBT config bits: 0x%x\n", driver->lvds_config); ++ + /* This bit means to use 96Mhz for DPLL_A or not */ + if (driver->primary_lfp_id) + dev_priv->dplla_96mhz = true; +diff --git a/drivers/gpu/drm/gma500/psb_drv.h b/drivers/gpu/drm/gma500/psb_drv.h +index 941b238bdcc9..bc608ddc3bd1 100644 +--- a/drivers/gpu/drm/gma500/psb_drv.h ++++ b/drivers/gpu/drm/gma500/psb_drv.h +@@ -537,6 +537,7 @@ struct drm_psb_private { + int lvds_ssc_freq; + bool is_lvds_on; + bool is_mipi_on; ++ bool lvds_enabled_in_vbt; + u32 mipi_ctrl_display; + + unsigned int core_freq; +-- +2.9.5 + diff --git a/queue/drm-i915-Fix-I915_EXEC_RING_MASK.patch b/queue/drm-i915-Fix-I915_EXEC_RING_MASK.patch new file mode 100644 index 0000000..0e77aa1 --- /dev/null +++ b/queue/drm-i915-Fix-I915_EXEC_RING_MASK.patch @@ -0,0 +1,36 @@ +From d90c06d57027203f73021bb7ddb30b800d65c636 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Fri, 1 Mar 2019 14:03:47 +0000 +Subject: [PATCH] drm/i915: Fix I915_EXEC_RING_MASK + +commit d90c06d57027203f73021bb7ddb30b800d65c636 upstream. + +This was supposed to be a mask of all known rings, but it is being used +by execbuffer to filter out invalid rings, and so is instead mapping high +unused values onto valid rings. Instead of a mask of all known rings, +we need it to be the mask of all possible rings. + +Fixes: 549f7365820a ("drm/i915: Enable SandyBridge blitter ring") +Fixes: de1add360522 ("drm/i915: Decouple execbuf uAPI from internal implementation") +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> +Cc: <stable@vger.kernel.org> # v4.6+ +Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190301140404.26690-21-chris@chris-wilson.co.uk + +diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h +index b10eea3f6d24..1a60642c1d61 100644 +--- a/include/uapi/drm/i915_drm.h ++++ b/include/uapi/drm/i915_drm.h +@@ -979,7 +979,7 @@ struct drm_i915_gem_execbuffer2 { + * struct drm_i915_gem_exec_fence *fences. + */ + __u64 cliprects_ptr; +-#define I915_EXEC_RING_MASK (7<<0) ++#define I915_EXEC_RING_MASK (0x3f) + #define I915_EXEC_DEFAULT (0<<0) + #define I915_EXEC_RENDER (1<<0) + #define I915_EXEC_BSD (2<<0) +-- +2.9.5 + diff --git a/queue/drm-i915-Maintain-consistent-documentation-subsectio.patch b/queue/drm-i915-Maintain-consistent-documentation-subsectio.patch new file mode 100644 index 0000000..b40315b --- /dev/null +++ b/queue/drm-i915-Maintain-consistent-documentation-subsectio.patch @@ -0,0 +1,86 @@ +From 551bd3368a7b3cfef01edaade8970948d178d40a Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet <corbet@lwn.net> +Date: Thu, 23 May 2019 10:06:46 -0600 +Subject: [PATCH] drm/i915: Maintain consistent documentation subsection + ordering + +commit 551bd3368a7b3cfef01edaade8970948d178d40a upstream. + +With Sphinx 2.0 (or prior versions with the deprecation warnings fixed) the +docs build fails with: + + Documentation/gpu/i915.rst:403: WARNING: Title level inconsistent: + + Global GTT Fence Handling + ~~~~~~~~~~~~~~~~~~~~~~~~~ + + reST markup error: + Documentation/gpu/i915.rst:403: (SEVERE/4) Title level inconsistent: + +I "fixed" it by changing the subsections in i915.rst, but that didn't seem +like the correct change. It turns out that a couple of i915 files create +their own subsections in kerneldoc comments using apostrophes as the +heading marker: + + Layout + '''''' + +That breaks the normal subsection marker ordering, and newer Sphinx is +rather more strict about enforcing that ordering. So fix the offending +comments to make Sphinx happy. + +(This is unfortunate, in that kerneldoc comments shouldn't need to be aware +of where they might be included in the heading hierarchy, but I don't see +a better way around it). + +Cc: stable@vger.kernel.org # v4.14+ +Acked-by: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Jonathan Corbet <corbet@lwn.net> + +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index b74824f0b5b1..249d35c12a75 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -35,7 +35,7 @@ + * macros. Do **not** mass change existing definitions just to update the style. + * + * Layout +- * '''''' ++ * ~~~~~~ + * + * Keep helper macros near the top. For example, _PIPE() and friends. + * +@@ -79,7 +79,7 @@ + * style. Use lower case in hexadecimal values. + * + * Naming +- * '''''' ++ * ~~~~~~ + * + * Try to name registers according to the specs. If the register name changes in + * the specs from platform to another, stick to the original name. +@@ -97,7 +97,7 @@ + * suffix to the name. For example, ``_SKL`` or ``_GEN8``. + * + * Examples +- * '''''''' ++ * ~~~~~~~~ + * + * (Note that the values in the example are indented using spaces instead of + * TABs to avoid misalignment in generated documentation. Use TABs in the +diff --git a/drivers/gpu/drm/i915/intel_workarounds.c b/drivers/gpu/drm/i915/intel_workarounds.c +index 9682dd575152..6decd432f4d3 100644 +--- a/drivers/gpu/drm/i915/intel_workarounds.c ++++ b/drivers/gpu/drm/i915/intel_workarounds.c +@@ -37,7 +37,7 @@ + * costly and simplifies things. We can revisit this in the future. + * + * Layout +- * '''''' ++ * ~~~~~~ + * + * Keep things in this file ordered by WA type, as per the above (context, GT, + * display, register whitelist, batchbuffer). Then, inside each type, keep the +-- +2.9.5 + diff --git a/queue/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch b/queue/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch new file mode 100644 index 0000000..7899a52 --- /dev/null +++ b/queue/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch @@ -0,0 +1,45 @@ +From 1d25724b41fad7eeb2c3058a5c8190d6ece73e08 Mon Sep 17 00:00:00 2001 +From: Daniel Drake <drake@endlessm.com> +Date: Tue, 23 Apr 2019 17:28:10 +0800 +Subject: [PATCH] drm/i915/fbc: disable framebuffer compression on GeminiLake + +commit 1d25724b41fad7eeb2c3058a5c8190d6ece73e08 upstream. + +On many (all?) the Gemini Lake systems we work with, there is frequent +momentary graphical corruption at the top of the screen, and it seems +that disabling framebuffer compression can avoid this. + +The ticket was reported 6 months ago and has already affected a +multitude of users, without any real progress being made. So, lets +disable framebuffer compression on GeminiLake until a solution is found. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108085 +Fixes: fd7d6c5c8f3e ("drm/i915: enable FBC on gen9+ too") +Cc: Paulo Zanoni <paulo.r.zanoni@intel.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Jani Nikula <jani.nikula@linux.intel.com> +Cc: <stable@vger.kernel.org> # v4.11+ +Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com> +Signed-off-by: Daniel Drake <drake@endlessm.com> +Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190423092810.28359-1-jian-hong@endlessm.com + +diff --git a/drivers/gpu/drm/i915/intel_fbc.c b/drivers/gpu/drm/i915/intel_fbc.c +index c805a0966395..5679f2fffb7c 100644 +--- a/drivers/gpu/drm/i915/intel_fbc.c ++++ b/drivers/gpu/drm/i915/intel_fbc.c +@@ -1280,6 +1280,10 @@ static int intel_sanitize_fbc_option(struct drm_i915_private *dev_priv) + if (!HAS_FBC(dev_priv)) + return 0; + ++ /* https://bugs.freedesktop.org/show_bug.cgi?id=108085 */ ++ if (IS_GEMINILAKE(dev_priv)) ++ return 0; ++ + if (IS_BROADWELL(dev_priv) || INTEL_GEN(dev_priv) >= 9) + return 1; + +-- +2.9.5 + diff --git a/queue/drm-i915-gvt-Initialize-intel_gvt_gtt_entry-in-stack.patch b/queue/drm-i915-gvt-Initialize-intel_gvt_gtt_entry-in-stack.patch new file mode 100644 index 0000000..768bfd8 --- /dev/null +++ b/queue/drm-i915-gvt-Initialize-intel_gvt_gtt_entry-in-stack.patch @@ -0,0 +1,61 @@ +From 387a4c2b55291b37e245c840813bd8a8bd06ed49 Mon Sep 17 00:00:00 2001 +From: Tina Zhang <tina.zhang@intel.com> +Date: Thu, 23 May 2019 06:18:36 +0800 +Subject: [PATCH] drm/i915/gvt: Initialize intel_gvt_gtt_entry in stack + +commit 387a4c2b55291b37e245c840813bd8a8bd06ed49 upstream. + +Stack struct intel_gvt_gtt_entry value needs to be initialized before +being used, as the fields may contain garbage values. + +W/o this patch, set_ggtt_entry prints: +------------------------------------- +274.046840: set_ggtt_entry: vgpu1:set ggtt entry 0x9bed8000ffffe900 +274.046846: set_ggtt_entry: vgpu1:set ggtt entry 0xe55df001 +274.046852: set_ggtt_entry: vgpu1:set ggtt entry 0x9bed8000ffffe900 + +0x9bed8000 is the stack grabage. + +W/ this patch, set_ggtt_entry prints: +------------------------------------ +274.046840: set_ggtt_entry: vgpu1:set ggtt entry 0xffffe900 +274.046846: set_ggtt_entry: vgpu1:set ggtt entry 0xe55df001 +274.046852: set_ggtt_entry: vgpu1:set ggtt entry 0xffffe900 + +v2: +- Initialize during declaration. (Zhenyu) + +Fixes: 7598e8700e9a ("drm/i915/gvt: Missed to cancel dma map for ggtt entries") +Cc: stable@vger.kernel.org # v4.20+ +Cc: Zhenyu Wang <zhenyuw@linux.intel.com> +Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com> +Signed-off-by: Tina Zhang <tina.zhang@intel.com> +Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> + +diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c +index 244ad1729764..f3a75bb9ec27 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -2183,7 +2183,8 @@ static int emulate_ggtt_mmio_write(struct intel_vgpu *vgpu, unsigned int off, + struct intel_gvt_gtt_pte_ops *ops = gvt->gtt.pte_ops; + unsigned long g_gtt_index = off >> info->gtt_entry_size_shift; + unsigned long gma, gfn; +- struct intel_gvt_gtt_entry e, m; ++ struct intel_gvt_gtt_entry e = {.val64 = 0, .type = GTT_TYPE_GGTT_PTE}; ++ struct intel_gvt_gtt_entry m = {.val64 = 0, .type = GTT_TYPE_GGTT_PTE}; + dma_addr_t dma_addr; + int ret; + struct intel_gvt_partial_pte *partial_pte, *pos, *n; +@@ -2250,7 +2251,8 @@ static int emulate_ggtt_mmio_write(struct intel_vgpu *vgpu, unsigned int off, + + if (!partial_update && (ops->test_present(&e))) { + gfn = ops->get_pfn(&e); +- m = e; ++ m.val64 = e.val64; ++ m.type = e.type; + + /* one PTE update may be issued in multiple writes and the + * first write may not construct a valid gfn +-- +2.9.5 + diff --git a/queue/drm-lease-Make-sure-implicit-planes-are-leased.patch b/queue/drm-lease-Make-sure-implicit-planes-are-leased.patch new file mode 100644 index 0000000..8f3ffbe --- /dev/null +++ b/queue/drm-lease-Make-sure-implicit-planes-are-leased.patch @@ -0,0 +1,67 @@ +From 204f640da6914844b3270b41b29c84f6e3b74083 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Thu, 28 Feb 2019 15:49:08 +0100 +Subject: [PATCH] drm/lease: Make sure implicit planes are leased + +commit 204f640da6914844b3270b41b29c84f6e3b74083 upstream. + +If userspace doesn't enable universal planes, then we automatically +add the primary and cursor planes. But for universal userspace there's +no such check (and maybe we only want to give the lessee one plane, +maybe not even the primary one), hence we need to check for the +implied plane. + +v2: don't forget setcrtc ioctl. + +v3: Still allow disabling of the crtc in SETCRTC. + +Cc: stable@vger.kernel.org +Cc: Keith Packard <keithp@keithp.com> +Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com> +Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190228144910.26488-6-daniel.vetter@ffwll.ch + +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index 7dabbaf033a1..790ba5941954 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -559,6 +559,10 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, + + plane = crtc->primary; + ++ /* allow disabling with the primary plane leased */ ++ if (crtc_req->mode_valid && !drm_lease_held(file_priv, plane->base.id)) ++ return -EACCES; ++ + mutex_lock(&crtc->dev->mode_config.mutex); + DRM_MODESET_LOCK_ALL_BEGIN(dev, ctx, + DRM_MODESET_ACQUIRE_INTERRUPTIBLE, ret); +diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c +index 4cfb56893b7f..d6ad60ab0d38 100644 +--- a/drivers/gpu/drm/drm_plane.c ++++ b/drivers/gpu/drm/drm_plane.c +@@ -960,6 +960,11 @@ retry: + if (ret) + goto out; + ++ if (!drm_lease_held(file_priv, crtc->cursor->base.id)) { ++ ret = -EACCES; ++ goto out; ++ } ++ + ret = drm_mode_cursor_universal(crtc, req, file_priv, &ctx); + goto out; + } +@@ -1062,6 +1067,9 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev, + + plane = crtc->primary; + ++ if (!drm_lease_held(file_priv, plane->base.id)) ++ return -EACCES; ++ + if (crtc->funcs->page_flip_target) { + u32 current_vblank; + int r; +-- +2.9.5 + diff --git a/queue/drm-msm-fix-fb-references-in-async-update.patch b/queue/drm-msm-fix-fb-references-in-async-update.patch new file mode 100644 index 0000000..5bdf7bb --- /dev/null +++ b/queue/drm-msm-fix-fb-references-in-async-update.patch @@ -0,0 +1,43 @@ +From 474d952b4870cfbdc55d3498f4d498775fe77e81 Mon Sep 17 00:00:00 2001 +From: Helen Koike <helen.koike@collabora.com> +Date: Mon, 3 Jun 2019 13:56:08 -0300 +Subject: [PATCH] drm/msm: fix fb references in async update + +commit 474d952b4870cfbdc55d3498f4d498775fe77e81 upstream. + +Async update callbacks are expected to set the old_fb in the new_state +so prepare/cleanup framebuffers are balanced. + +Cc: <stable@vger.kernel.org> # v4.14+ +Fixes: 224a4c970987 ("drm/msm: update cursors asynchronously through atomic") +Suggested-by: Boris Brezillon <boris.brezillon@collabora.com> +Signed-off-by: Helen Koike <helen.koike@collabora.com> +Acked-by: Rob Clark <robdclark@gmail.com> +Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190603165610.24614-4-helen.koike@collabora.com + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +index be13140967b4..b854f471e9e5 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +@@ -502,6 +502,8 @@ static int mdp5_plane_atomic_async_check(struct drm_plane *plane, + static void mdp5_plane_atomic_async_update(struct drm_plane *plane, + struct drm_plane_state *new_state) + { ++ struct drm_framebuffer *old_fb = plane->state->fb; ++ + plane->state->src_x = new_state->src_x; + plane->state->src_y = new_state->src_y; + plane->state->crtc_x = new_state->crtc_x; +@@ -524,6 +526,8 @@ static void mdp5_plane_atomic_async_update(struct drm_plane *plane, + + *to_mdp5_plane_state(plane->state) = + *to_mdp5_plane_state(new_state); ++ ++ new_state->fb = old_fb; + } + + static const struct drm_plane_helper_funcs mdp5_plane_helper_funcs = { +-- +2.9.5 + diff --git a/queue/drm-nouveau-add-kconfig-option-to-turn-off-nouveau-l.patch b/queue/drm-nouveau-add-kconfig-option-to-turn-off-nouveau-l.patch new file mode 100644 index 0000000..363067f --- /dev/null +++ b/queue/drm-nouveau-add-kconfig-option-to-turn-off-nouveau-l.patch @@ -0,0 +1,112 @@ +From b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 Mon Sep 17 00:00:00 2001 +From: Dave Airlie <airlied@redhat.com> +Date: Thu, 18 Apr 2019 16:45:15 +1000 +Subject: [PATCH] drm/nouveau: add kconfig option to turn off nouveau legacy + contexts. (v3) + +commit b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 upstream. + +There was a nouveau DDX that relied on legacy context ioctls to work, +but we fixed it years ago, give distros that have a modern DDX the +option to break the uAPI and close the mess of holes that legacy +context support is. + +Full context of the story: + +commit 0e975980d435d58df2d430d688b8c18778b42218 +Author: Peter Antoine <peter.antoine@intel.com> +Date: Tue Jun 23 08:18:49 2015 +0100 + + drm: Turn off Legacy Context Functions + + The context functions are not used by the i915 driver and should not + be used by modeset drivers. These driver functions contain several bugs + and security holes. This change makes these functions optional can be + turned on by a setting, they are turned off by default for modeset + driver with the exception of the nouvea driver that may require them with + an old version of libdrm. + + The previous attempt was + + commit 7c510133d93dd6f15ca040733ba7b2891ed61fd1 + Author: Daniel Vetter <daniel.vetter@ffwll.ch> + Date: Thu Aug 8 15:41:21 2013 +0200 + + drm: mark context support as a legacy subsystem + + but this had to be reverted + + commit c21eb21cb50d58e7cbdcb8b9e7ff68b85cfa5095 + Author: Dave Airlie <airlied@redhat.com> + Date: Fri Sep 20 08:32:59 2013 +1000 + + Revert "drm: mark context support as a legacy subsystem" + + v2: remove returns from void function, and formatting (Daniel Vetter) + + v3: + - s/Nova/nouveau/ in the commit message, and add references to the + previous attempts + - drop the part touching the drm hw lock, that should be a separate + patch. + + Signed-off-by: Peter Antoine <peter.antoine@intel.com> (v2) + Cc: Peter Antoine <peter.antoine@intel.com> (v2) + Reviewed-by: Peter Antoine <peter.antoine@intel.com> + Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> + +v2: move DRM_VM dependency into legacy config. +v3: fix missing dep (kbuild robot) + +Cc: stable@vger.kernel.org +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Signed-off-by: Dave Airlie <airlied@redhat.com> + +diff --git a/drivers/gpu/drm/nouveau/Kconfig b/drivers/gpu/drm/nouveau/Kconfig +index 00cd9ab8948d..db28012dbf54 100644 +--- a/drivers/gpu/drm/nouveau/Kconfig ++++ b/drivers/gpu/drm/nouveau/Kconfig +@@ -17,10 +17,21 @@ config DRM_NOUVEAU + select INPUT if ACPI && X86 + select THERMAL if ACPI && X86 + select ACPI_VIDEO if ACPI && X86 +- select DRM_VM + help + Choose this option for open-source NVIDIA support. + ++config NOUVEAU_LEGACY_CTX_SUPPORT ++ bool "Nouveau legacy context support" ++ depends on DRM_NOUVEAU ++ select DRM_VM ++ default y ++ help ++ There was a version of the nouveau DDX that relied on legacy ++ ctx ioctls not erroring out. But that was back in time a long ++ ways, so offer a way to disable it now. For uapi compat with ++ old nouveau ddx this should be on by default, but modern distros ++ should consider turning it off. ++ + config NOUVEAU_PLATFORM_DRIVER + bool "Nouveau (NVIDIA) SoC GPUs" + depends on DRM_NOUVEAU && ARCH_TEGRA +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 5020265bfbd9..6ab9033f49da 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -1094,8 +1094,11 @@ nouveau_driver_fops = { + static struct drm_driver + driver_stub = { + .driver_features = +- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER | +- DRIVER_KMS_LEGACY_CONTEXT, ++ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER ++#if defined(CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT) ++ | DRIVER_KMS_LEGACY_CONTEXT ++#endif ++ , + + .open = nouveau_drm_open, + .postclose = nouveau_drm_postclose, +-- +2.9.5 + diff --git a/queue/drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch b/queue/drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch new file mode 100644 index 0000000..d97918d --- /dev/null +++ b/queue/drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch @@ -0,0 +1,268 @@ +From 342406e4fbba9a174125fbfe6aeac3d64ef90f76 Mon Sep 17 00:00:00 2001 +From: Lyude Paul <lyude@redhat.com> +Date: Tue, 9 Apr 2019 16:23:30 -0400 +Subject: [PATCH] drm/nouveau/i2c: Disable i2c bus access after ->fini() + +commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream. + +For a while, we've had the problem of i2c bus access not grabbing +a runtime PM ref when it's being used in userspace by i2c-dev, resulting +in nouveau spamming the kernel log with errors if anything attempts to +access the i2c bus while the GPU is in runtime suspend. An example: + +[ 130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff + +Since the GPU is in runtime suspend, the MMIO region that the i2c bus is +on isn't accessible. On x86, the standard behavior for accessing an +unavailable MMIO region is to just return ~0. + +Except, that turned out to be a lie. While computers with a clean +concious will return ~0 in this scenario, some machines will actually +completely hang a CPU on certian bad MMIO accesses. This was witnessed +with someone's Lenovo ThinkPad P50, where sensors-detect attempting to +access the i2c bus while the GPU was suspended would result in a CPU +hang: + + CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1 + Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017 + RIP: 0010:ioread32+0x2b/0x30 + Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3 + 48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 <c3> 0f 1f + 40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48 + RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13 + RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186 + RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4 + RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7 + R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000 + R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000 + FS: 00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + g94_i2c_aux_xfer+0x326/0x850 [nouveau] + nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau] + __i2c_transfer+0x14b/0x620 + i2c_smbus_xfer_emulated+0x159/0x680 + ? _raw_spin_unlock_irqrestore+0x1/0x60 + ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0 + ? __lock_is_held+0x59/0xa0 + __i2c_smbus_xfer+0x138/0x5a0 + i2c_smbus_xfer+0x4f/0x80 + i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev] + i2cdev_ioctl+0x1db/0x2c0 [i2c_dev] + do_vfs_ioctl+0x408/0x750 + ksys_ioctl+0x5e/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x60/0x1e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f25317f546b + Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff + ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 + f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b + RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003 + RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0 + R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80 + R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0 + watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438] + +Yikes! While I wanted to try to make it so that accessing an i2c bus on +nouveau would wake up the GPU as needed, airlied pointed out that pretty +much any usecase for userspace accessing an i2c bus on a GPU (mainly for +the DDC brightness control that some displays have) is going to only be +useful while there's at least one display enabled on the GPU anyway, and +the GPU never sleeps while there's displays running. + +Since teaching the i2c bus to wake up the GPU on userspace accesses is a +good deal more difficult than it might seem, mostly due to the fact that +we have to use the i2c bus during runtime resume of the GPU, we instead +opt for the easiest solution: don't let userspace access i2c busses on +the GPU at all while it's in runtime suspend. + +Changes since v1: +* Also disable i2c busses that run over DP AUX + +Signed-off-by: Lyude Paul <lyude@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +index eef54e9b5d77..7957eafa5f0e 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +@@ -38,6 +38,7 @@ struct nvkm_i2c_bus { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + }; + + int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *); +@@ -57,6 +58,7 @@ struct nvkm_i2c_aux { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + + u32 intr; + }; +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +index 4c1f547da463..b4e7404fe660 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux *aux) + { + struct nvkm_i2c_pad *pad = aux->pad; + int ret; ++ + AUX_TRACE(aux, "acquire"); + mutex_lock(&aux->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ ++ if (aux->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&aux->mutex); + return ret; +@@ -145,6 +151,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **paux) + } + } + ++void ++nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "init"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = true; ++ mutex_unlock(&aux->mutex); ++} ++ ++void ++nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "fini"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = false; ++ mutex_unlock(&aux->mutex); ++} ++ + int + nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func, + struct nvkm_i2c_pad *pad, int id, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +index 7d56c4ba693c..08f6b2ee64ab 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +@@ -16,6 +16,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_aux **); + void nvkm_i2c_aux_del(struct nvkm_i2c_aux **); ++void nvkm_i2c_aux_init(struct nvkm_i2c_aux *); ++void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *); + int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type, + u32 addr, u8 *data, u8 *size); + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +index 4f197b15acf6..ecacb22834d7 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev, bool suspend) + { + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_bus *bus; ++ struct nvkm_i2c_aux *aux; + u32 mask; + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_fini(aux); ++ } ++ ++ list_for_each_entry(bus, &i2c->bus, head) { ++ nvkm_i2c_bus_fini(bus); ++ } ++ + if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) { + i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0); + i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask); +@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev) + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_bus *bus; + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_aux *aux; + + list_for_each_entry(pad, &i2c->pad, head) { + nvkm_i2c_pad_init(pad); +@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev) + nvkm_i2c_bus_init(bus); + } + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_init(aux); ++ } ++ + return 0; + } + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +index 807a2b67bd64..ed50cc3736b9 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *bus) + BUS_TRACE(bus, "init"); + if (bus->func->init) + bus->func->init(bus); ++ ++ mutex_lock(&bus->mutex); ++ bus->enabled = true; ++ mutex_unlock(&bus->mutex); ++} ++ ++void ++nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus) ++{ ++ BUS_TRACE(bus, "fini"); ++ mutex_lock(&bus->mutex); ++ bus->enabled = false; ++ mutex_unlock(&bus->mutex); + } + + void +@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *bus) + { + struct nvkm_i2c_pad *pad = bus->pad; + int ret; ++ + BUS_TRACE(bus, "acquire"); + mutex_lock(&bus->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ ++ if (bus->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&bus->mutex); + return ret; +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +index bea0dd33961e..465464bba58b 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +@@ -18,6 +18,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_i2c_bus_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_bus **); + void nvkm_i2c_bus_del(struct nvkm_i2c_bus **); + void nvkm_i2c_bus_init(struct nvkm_i2c_bus *); ++void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *); + + int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int); + +-- +2.9.5 + diff --git a/queue/drm-radeon-prefer-lower-reference-dividers.patch b/queue/drm-radeon-prefer-lower-reference-dividers.patch new file mode 100644 index 0000000..f0975e1 --- /dev/null +++ b/queue/drm-radeon-prefer-lower-reference-dividers.patch @@ -0,0 +1,42 @@ +From 2e26ccb119bde03584be53406bbd22e711b0d6e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com> +Date: Mon, 6 May 2019 19:57:52 +0200 +Subject: [PATCH] drm/radeon: prefer lower reference dividers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 2e26ccb119bde03584be53406bbd22e711b0d6e6 upstream. + +Instead of the closest reference divider prefer the lowest, +this fixes flickering issues on HP Compaq nx9420. + +Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=108514 +Suggested-by: Paul Dufresne <dufresnep@gmail.com> +Signed-off-by: Christian König <christian.koenig@amd.com> +Acked-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index aa898c699101..433df7036f96 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -922,12 +922,12 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div, + ref_div_max = max(min(100 / post_div, ref_div_max), 1u); + + /* get matching reference and feedback divider */ +- *ref_div = min(max(DIV_ROUND_CLOSEST(den, post_div), 1u), ref_div_max); ++ *ref_div = min(max(den/post_div, 1u), ref_div_max); + *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den); + + /* limit fb divider to its maximum */ + if (*fb_div > fb_div_max) { +- *ref_div = DIV_ROUND_CLOSEST(*ref_div * fb_div_max, *fb_div); ++ *ref_div = (*ref_div * fb_div_max)/(*fb_div); + *fb_div = fb_div_max; + } + } +-- +2.9.5 + diff --git a/queue/drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch b/queue/drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch new file mode 100644 index 0000000..9d54690 --- /dev/null +++ b/queue/drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch @@ -0,0 +1,67 @@ +From b8f9d7f37b6af829c34c49d1a4f73ce6ed58e403 Mon Sep 17 00:00:00 2001 +From: Vicente Bergas <vicencb@gmail.com> +Date: Tue, 2 Apr 2019 13:37:53 +0200 +Subject: [PATCH] drm/rockchip: shutdown drm subsystem on shutdown + +commit b8f9d7f37b6af829c34c49d1a4f73ce6ed58e403 upstream. + +As explained by Robin Murphy: +> the IOMMU shutdown disables paging, so if the VOP is still +> scanning out then that will result in whatever IOVAs it was using now going +> straight out onto the bus as physical addresses. + +We had a more radical approach before in commit +7f3ef5dedb14 ("drm/rockchip: Allow driver to be shutdown on reboot/kexec") +but that resulted in new warnings and oopses on shutdown on rk3399 +chromeos devices. + +So second try is resurrecting Vicentes shutdown change which should +achieve the same result but in a less drastic way. + +Fixes: 63238173b2fa ("Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"") +Cc: Jeffy Chen <jeffy.chen@rock-chips.com> +Cc: Robin Murphy <robin.murphy@arm.com> +Cc: Marc Zyngier <marc.zyngier@arm.com> +Cc: Brian Norris <briannorris@chromium.org> +Cc: Doug Anderson <dianders@chromium.org> +Cc: stable@vger.kernel.org +Suggested-by: JeffyChen <jeffy.chen@rock-chips.com> +Suggested-by: Robin Murphy <robin.murphy@arm.com> +Signed-off-by: Vicente Bergas <vicencb@gmail.com> +[adapted commit message to explain the history] +Signed-off-by: Heiko Stuebner <heiko@sntech.de> +Tested-by: Brian Norris <briannorris@chromium.org> +Tested-by: Douglas Anderson <dianders@chromium.org> +Acked-by: Marc Zyngier <marc.zyngier@arm.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190402113753.10118-1-heiko@sntech.de + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c +index 8d7a634c12c2..cb938d3cd3c2 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c +@@ -448,6 +448,14 @@ static int rockchip_drm_platform_remove(struct platform_device *pdev) + return 0; + } + ++static void rockchip_drm_platform_shutdown(struct platform_device *pdev) ++{ ++ struct drm_device *drm = platform_get_drvdata(pdev); ++ ++ if (drm) ++ drm_atomic_helper_shutdown(drm); ++} ++ + static const struct of_device_id rockchip_drm_dt_ids[] = { + { .compatible = "rockchip,display-subsystem", }, + { /* sentinel */ }, +@@ -457,6 +465,7 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_ids); + static struct platform_driver rockchip_drm_platform_driver = { + .probe = rockchip_drm_platform_probe, + .remove = rockchip_drm_platform_remove, ++ .shutdown = rockchip_drm_platform_shutdown, + .driver = { + .name = "rockchip-drm", + .of_match_table = rockchip_drm_dt_ids, +-- +2.9.5 + diff --git a/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-clock-initialization.patch b/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-clock-initialization.patch new file mode 100644 index 0000000..699547c --- /dev/null +++ b/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-clock-initialization.patch @@ -0,0 +1,84 @@ +From 8a943c6021ba8b95a36c842327e468df1fddd4a7 Mon Sep 17 00:00:00 2001 +From: Jernej Skrabec <jernej.skrabec@siol.net> +Date: Tue, 14 May 2019 22:43:36 +0200 +Subject: [PATCH] drm/sun4i: Fix sun8i HDMI PHY clock initialization + +commit 8a943c6021ba8b95a36c842327e468df1fddd4a7 upstream. + +Current code initializes HDMI PHY clock driver before reset line is +deasserted and clocks enabled. Because of that, initial readout of +clock divider is incorrect (0 instead of 2). This causes any clock +rate with divider 1 (register value 0) to be set incorrectly. + +Fix this by moving initialization of HDMI PHY clock driver after reset +line is deasserted and clocks enabled. + +Cc: stable@vger.kernel.org # 4.17+ +Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant") +Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net> +Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190514204337.11068-2-jernej.skrabec@siol.net + +diff --git a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +index 66ea3a902e36..afc6d4a9c20b 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c ++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +@@ -672,22 +672,13 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw_hdmi *hdmi, struct device_node *node) + goto err_put_clk_pll0; + } + } +- +- ret = sun8i_phy_clk_create(phy, dev, +- phy->variant->has_second_pll); +- if (ret) { +- dev_err(dev, "Couldn't create the PHY clock\n"); +- goto err_put_clk_pll1; +- } +- +- clk_prepare_enable(phy->clk_phy); + } + + phy->rst_phy = of_reset_control_get_shared(node, "phy"); + if (IS_ERR(phy->rst_phy)) { + dev_err(dev, "Could not get phy reset control\n"); + ret = PTR_ERR(phy->rst_phy); +- goto err_disable_clk_phy; ++ goto err_put_clk_pll1; + } + + ret = reset_control_deassert(phy->rst_phy); +@@ -708,18 +699,29 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw_hdmi *hdmi, struct device_node *node) + goto err_disable_clk_bus; + } + ++ if (phy->variant->has_phy_clk) { ++ ret = sun8i_phy_clk_create(phy, dev, ++ phy->variant->has_second_pll); ++ if (ret) { ++ dev_err(dev, "Couldn't create the PHY clock\n"); ++ goto err_disable_clk_mod; ++ } ++ ++ clk_prepare_enable(phy->clk_phy); ++ } ++ + hdmi->phy = phy; + + return 0; + ++err_disable_clk_mod: ++ clk_disable_unprepare(phy->clk_mod); + err_disable_clk_bus: + clk_disable_unprepare(phy->clk_bus); + err_deassert_rst_phy: + reset_control_assert(phy->rst_phy); + err_put_rst_phy: + reset_control_put(phy->rst_phy); +-err_disable_clk_phy: +- clk_disable_unprepare(phy->clk_phy); + err_put_clk_pll1: + clk_put(phy->clk_pll1); + err_put_clk_pll0: +-- +2.9.5 + diff --git a/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-configuration-for-148.5.patch b/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-configuration-for-148.5.patch new file mode 100644 index 0000000..1c7ea61 --- /dev/null +++ b/queue/drm-sun4i-Fix-sun8i-HDMI-PHY-configuration-for-148.5.patch @@ -0,0 +1,35 @@ +From 831adffb3b7b8df4c8e20b7b00843129fb87a166 Mon Sep 17 00:00:00 2001 +From: Jernej Skrabec <jernej.skrabec@siol.net> +Date: Tue, 14 May 2019 22:43:37 +0200 +Subject: [PATCH] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz + +commit 831adffb3b7b8df4c8e20b7b00843129fb87a166 upstream. + +Vendor provided documentation says that EMP bits should be set to 3 for +pixel clocks greater than 148.5 MHz. + +Fix that. + +Cc: stable@vger.kernel.org # 4.17+ +Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant") +Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net> +Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20190514204337.11068-3-jernej.skrabec@siol.net + +diff --git a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +index afc6d4a9c20b..43643ad31730 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c ++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +@@ -293,7 +293,8 @@ static int sun8i_hdmi_phy_config_h3(struct dw_hdmi *hdmi, + SUN8I_HDMI_PHY_ANA_CFG2_REG_BIGSW | + SUN8I_HDMI_PHY_ANA_CFG2_REG_SLV(4); + ana_cfg3_init |= SUN8I_HDMI_PHY_ANA_CFG3_REG_AMPCK(9) | +- SUN8I_HDMI_PHY_ANA_CFG3_REG_AMP(13); ++ SUN8I_HDMI_PHY_ANA_CFG3_REG_AMP(13) | ++ SUN8I_HDMI_PHY_ANA_CFG3_REG_EMP(3); + } + + regmap_update_bits(phy->regs, SUN8I_HDMI_PHY_ANA_CFG1_REG, +-- +2.9.5 + diff --git a/queue/drm-tegra-gem-Fix-CPU-cache-maintenance-for-BO-s-all.patch b/queue/drm-tegra-gem-Fix-CPU-cache-maintenance-for-BO-s-all.patch new file mode 100644 index 0000000..39c4d46 --- /dev/null +++ b/queue/drm-tegra-gem-Fix-CPU-cache-maintenance-for-BO-s-all.patch @@ -0,0 +1,50 @@ +From 61b51fb51c01a519a249d28ec55c6513a13be5a3 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko <digetx@gmail.com> +Date: Thu, 7 Mar 2019 01:55:19 +0300 +Subject: [PATCH] drm/tegra: gem: Fix CPU-cache maintenance for BO's allocated + using get_pages() + +commit 61b51fb51c01a519a249d28ec55c6513a13be5a3 upstream. + +The allocated pages need to be invalidated in CPU caches. On ARM32 the +DMA_BIDIRECTIONAL flag only ensures that data is written-back to DRAM and +the data stays in CPU cache lines. While the DMA_FROM_DEVICE flag ensures +that the corresponding CPU cache lines are getting invalidated and nothing +more, that's exactly what is needed for a newly allocated pages. + +This fixes randomly failing rendercheck tests on Tegra30 using the +Opentegra driver for tests that use small-sized pixmaps (10x10 and less, +i.e. 1-2 memory pages) because apparently CPU reads out stale data from +caches and/or that data is getting evicted to DRAM at the time of HW job +execution. + +Fixes: bd43c9f0fa1f ("drm/tegra: gem: Map pages via the DMA API") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Dmitry Osipenko <digetx@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> + +diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c +index 4f80100ff5f3..4cce11fd8836 100644 +--- a/drivers/gpu/drm/tegra/gem.c ++++ b/drivers/gpu/drm/tegra/gem.c +@@ -204,7 +204,7 @@ static void tegra_bo_free(struct drm_device *drm, struct tegra_bo *bo) + { + if (bo->pages) { + dma_unmap_sg(drm->dev, bo->sgt->sgl, bo->sgt->nents, +- DMA_BIDIRECTIONAL); ++ DMA_FROM_DEVICE); + drm_gem_put_pages(&bo->gem, bo->pages, true, true); + sg_free_table(bo->sgt); + kfree(bo->sgt); +@@ -230,7 +230,7 @@ static int tegra_bo_get_pages(struct drm_device *drm, struct tegra_bo *bo) + } + + err = dma_map_sg(drm->dev, bo->sgt->sgl, bo->sgt->nents, +- DMA_BIDIRECTIONAL); ++ DMA_FROM_DEVICE); + if (err == 0) { + err = -EFAULT; + goto free_sgt; +-- +2.9.5 + diff --git a/queue/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch b/queue/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch new file mode 100644 index 0000000..569d7cb --- /dev/null +++ b/queue/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch @@ -0,0 +1,39 @@ +From 63cb44441826e842b7285575b96db631cc9f2505 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom <thellstrom@vmware.com> +Date: Tue, 7 May 2019 11:07:53 +0200 +Subject: [PATCH] drm/vmwgfx: Don't send drm sysfs hotplug events on initial + master set + +commit 63cb44441826e842b7285575b96db631cc9f2505 upstream. + +This may confuse user-space clients like plymouth that opens a drm +file descriptor as a result of a hotplug event and then generates a +new event... + +Cc: <stable@vger.kernel.org> +Fixes: 5ea1734827bb ("drm/vmwgfx: Send a hotplug event at master_set") +Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> +Reviewed-by: Deepak Rawat <drawat@vmware.com> + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index bf6c3500d363..4ff11a0077e1 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -1239,7 +1239,13 @@ static int vmw_master_set(struct drm_device *dev, + } + + dev_priv->active_master = vmaster; +- drm_sysfs_hotplug_event(dev); ++ ++ /* ++ * Inform a new master that the layout may have changed while ++ * it was gone. ++ */ ++ if (!from_open) ++ drm_sysfs_hotplug_event(dev); + + return 0; + } +-- +2.9.5 + diff --git a/queue/ethtool-check-the-return-value-of-get_regs_len.patch b/queue/ethtool-check-the-return-value-of-get_regs_len.patch new file mode 100644 index 0000000..cba8739 --- /dev/null +++ b/queue/ethtool-check-the-return-value-of-get_regs_len.patch @@ -0,0 +1,47 @@ +From f9fc54d313fab2834f44f516459cdc8ac91d797f Mon Sep 17 00:00:00 2001 +From: Yunsheng Lin <linyunsheng@huawei.com> +Date: Wed, 26 Dec 2018 19:51:46 +0800 +Subject: [PATCH] ethtool: check the return value of get_regs_len + +commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream. + +The return type for get_regs_len in struct ethtool_ops is int, +the hns3 driver may return error when failing to get the regs +len by sending cmd to firmware. + +Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index d05402868575..158264f7cfaf 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -793,8 +793,13 @@ static noinline_for_stack int ethtool_get_drvinfo(struct net_device *dev, + if (rc >= 0) + info.n_priv_flags = rc; + } +- if (ops->get_regs_len) +- info.regdump_len = ops->get_regs_len(dev); ++ if (ops->get_regs_len) { ++ int ret = ops->get_regs_len(dev); ++ ++ if (ret > 0) ++ info.regdump_len = ret; ++ } ++ + if (ops->get_eeprom_len) + info.eedump_len = ops->get_eeprom_len(dev); + +@@ -1337,6 +1342,9 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) + return -EFAULT; + + reglen = ops->get_regs_len(dev); ++ if (reglen <= 0) ++ return reglen; ++ + if (regs.len > reglen) + regs.len = reglen; + +-- +2.9.5 + diff --git a/queue/ethtool-fix-potential-userspace-buffer-overflow.patch b/queue/ethtool-fix-potential-userspace-buffer-overflow.patch new file mode 100644 index 0000000..d075b4c --- /dev/null +++ b/queue/ethtool-fix-potential-userspace-buffer-overflow.patch @@ -0,0 +1,53 @@ +From 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 Mon Sep 17 00:00:00 2001 +From: Vivien Didelot <vivien.didelot@gmail.com> +Date: Mon, 3 Jun 2019 16:57:13 -0400 +Subject: [PATCH] ethtool: fix potential userspace buffer overflow + +commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 upstream. + +ethtool_get_regs() allocates a buffer of size ops->get_regs_len(), +and pass it to the kernel driver via ops->get_regs() for filling. + +There is no restriction about what the kernel drivers can or cannot do +with the open ethtool_regs structure. They usually set regs->version +and ignore regs->len or set it to the same size as ops->get_regs_len(). + +But if userspace allocates a smaller buffer for the registers dump, +we would cause a userspace buffer overflow in the final copy_to_user() +call, which uses the regs.len value potentially reset by the driver. + +To fix this, make this case obvious and store regs.len before calling +ops->get_regs(), to only copy as much data as requested by userspace, +up to the value returned by ops->get_regs_len(). + +While at it, remove the redundant check for non-null regbuf. + +Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com> +Reviewed-by: Michal Kubecek <mkubecek@suse.cz> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 43e9add58340..1a0196fbb49c 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1359,13 +1359,16 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) + if (!regbuf) + return -ENOMEM; + ++ if (regs.len < reglen) ++ reglen = regs.len; ++ + ops->get_regs(dev, ®s, regbuf); + + ret = -EFAULT; + if (copy_to_user(useraddr, ®s, sizeof(regs))) + goto out; + useraddr += offsetof(struct ethtool_regs, data); +- if (regbuf && copy_to_user(useraddr, regbuf, regs.len)) ++ if (copy_to_user(useraddr, regbuf, reglen)) + goto out; + ret = 0; + +-- +2.9.5 + diff --git a/queue/evm-check-hash-algorithm-passed-to-init_desc.patch b/queue/evm-check-hash-algorithm-passed-to-init_desc.patch new file mode 100644 index 0000000..c510577 --- /dev/null +++ b/queue/evm-check-hash-algorithm-passed-to-init_desc.patch @@ -0,0 +1,34 @@ +From 221be106d75c1b511973301542f47d6000d0b63e Mon Sep 17 00:00:00 2001 +From: Roberto Sassu <roberto.sassu@huawei.com> +Date: Wed, 29 May 2019 15:30:33 +0200 +Subject: [PATCH] evm: check hash algorithm passed to init_desc() + +commit 221be106d75c1b511973301542f47d6000d0b63e upstream. + +This patch prevents memory access beyond the evm_tfm array by checking the +validity of the index (hash algorithm) passed to init_desc(). The hash +algorithm can be arbitrarily set if the security.ima xattr type is not +EVM_XATTR_HMAC. + +Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures") +Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> + +diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c +index e11564eb645b..82a38e801ee4 100644 +--- a/security/integrity/evm/evm_crypto.c ++++ b/security/integrity/evm/evm_crypto.c +@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo) + tfm = &hmac_tfm; + algo = evm_hmac; + } else { ++ if (hash_algo >= HASH_ALGO__LAST) ++ return ERR_PTR(-EINVAL); ++ + tfm = &evm_tfm[hash_algo]; + algo = hash_algo_name[hash_algo]; + } +-- +2.9.5 + diff --git a/queue/fuse-fallocate-fix-return-with-locked-inode.patch b/queue/fuse-fallocate-fix-return-with-locked-inode.patch new file mode 100644 index 0000000..e0616bc --- /dev/null +++ b/queue/fuse-fallocate-fix-return-with-locked-inode.patch @@ -0,0 +1,34 @@ +From 35d6fcbb7c3e296a52136347346a698a35af3fda Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Mon, 27 May 2019 11:42:07 +0200 +Subject: [PATCH] fuse: fallocate: fix return with locked inode + +commit 35d6fcbb7c3e296a52136347346a698a35af3fda upstream. + +Do the proper cleanup in case the size check fails. + +Tested with xfstests:generic/228 + +Reported-by: kbuild test robot <lkp@intel.com> +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate") +Cc: Liu Bo <bo.liu@linux.alibaba.com> +Cc: <stable@vger.kernel.org> # v3.5 +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 3959f08279e6..143c54f93f2d 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -3055,7 +3055,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset, + offset + length > i_size_read(inode)) { + err = inode_newsize_ok(inode, offset + length); + if (err) +- return err; ++ goto out; + } + + if (!(mode & FALLOC_FL_KEEP_SIZE)) +-- +2.9.5 + diff --git a/queue/gcc-plugins-Fix-build-failures-under-Darwin-host.patch b/queue/gcc-plugins-Fix-build-failures-under-Darwin-host.patch new file mode 100644 index 0000000..25e68c1 --- /dev/null +++ b/queue/gcc-plugins-Fix-build-failures-under-Darwin-host.patch @@ -0,0 +1,50 @@ +From 7210e060155b9cf557fb13128353c3e494fa5ed3 Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Mon, 20 May 2019 11:50:42 -0700 +Subject: [PATCH] gcc-plugins: Fix build failures under Darwin host + +commit 7210e060155b9cf557fb13128353c3e494fa5ed3 upstream. + +The gcc-common.h file did not take into account certain macros that +might have already been defined in the build environment. This updates +the header to avoid redefining the macros, as seen on a Darwin host +using gcc 4.9.2: + + HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o - due to: scripts/gcc-plugins/gcc-common.h +In file included from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:0: +scripts/gcc-plugins/gcc-common.h:153:0: warning: "__unused" redefined +^ +In file included from /usr/include/stdio.h:64:0, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/system.h:40, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/gcc-plugin.h:28, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/plugin.h:23, + from scripts/gcc-plugins/gcc-common.h:9, + from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3: +/usr/include/sys/cdefs.h:161:0: note: this is the location of the previous definition +^ + +Reported-and-tested-by: "H. Nikolaus Schaller" <hns@goldelico.com> +Fixes: 189af4657186 ("ARM: smp: add support for per-task stack canaries") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 552d5efd7cb7..17f06079a712 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -150,8 +150,12 @@ void print_gimple_expr(FILE *, gimple, int, int); + void dump_gimple_stmt(pretty_printer *, gimple, int, int); + #endif + ++#ifndef __unused + #define __unused __attribute__((__unused__)) ++#endif ++#ifndef __visible + #define __visible __attribute__((visibility("default"))) ++#endif + + #define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node)) + #define DECL_NAME_LENGTH(node) IDENTIFIER_LENGTH(DECL_NAME(node)) +-- +2.9.5 + diff --git a/queue/genwqe-Prevent-an-integer-overflow-in-the-ioctl.patch b/queue/genwqe-Prevent-an-integer-overflow-in-the-ioctl.patch new file mode 100644 index 0000000..241cc4d --- /dev/null +++ b/queue/genwqe-Prevent-an-integer-overflow-in-the-ioctl.patch @@ -0,0 +1,57 @@ +From 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 7 May 2019 11:36:34 +0300 +Subject: [PATCH] genwqe: Prevent an integer overflow in the ioctl + +commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream. + +There are a couple potential integer overflows here. + + round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE); + +The first thing is that the "m->size + (...)" addition could overflow, +and the second is that round_up() overflows to zero if the result is +within PAGE_SIZE of the type max. + +In this code, the "m->size" variable is an u64 but we're saving the +result in "map_size" which is an unsigned long and genwqe_user_vmap() +takes an unsigned long as well. So I have used ULONG_MAX as the upper +bound. From a practical perspective unsigned long is fine/better than +trying to change all the types to u64. + +Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c +index 8c1b63a4337b..d2098b4d2945 100644 +--- a/drivers/misc/genwqe/card_dev.c ++++ b/drivers/misc/genwqe/card_dev.c +@@ -780,6 +780,8 @@ static int genwqe_pin_mem(struct genwqe_file *cfile, struct genwqe_mem *m) + + if ((m->addr == 0x0) || (m->size == 0)) + return -EINVAL; ++ if (m->size > ULONG_MAX - PAGE_SIZE - (m->addr & ~PAGE_MASK)) ++ return -EINVAL; + + map_addr = (m->addr & PAGE_MASK); + map_size = round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE); +diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c +index 89cff9d1012b..7571700abc6e 100644 +--- a/drivers/misc/genwqe/card_utils.c ++++ b/drivers/misc/genwqe/card_utils.c +@@ -586,6 +586,10 @@ int genwqe_user_vmap(struct genwqe_dev *cd, struct dma_mapping *m, void *uaddr, + /* determine space needed for page_list. */ + data = (unsigned long)uaddr; + offs = offset_in_page(data); ++ if (size > ULONG_MAX - PAGE_SIZE - offs) { ++ m->size = 0; /* mark unused and not added */ ++ return -EINVAL; ++ } + m->nr_pages = DIV_ROUND_UP(offs + size, PAGE_SIZE); + + m->page_list = kcalloc(m->nr_pages, +-- +2.9.5 + diff --git a/queue/i2c-mlxcpld-Fix-wrong-initialization-order-in-probe.patch b/queue/i2c-mlxcpld-Fix-wrong-initialization-order-in-probe.patch new file mode 100644 index 0000000..7e7b367 --- /dev/null +++ b/queue/i2c-mlxcpld-Fix-wrong-initialization-order-in-probe.patch @@ -0,0 +1,42 @@ +From 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak <vadimp@mellanox.com> +Date: Thu, 16 May 2019 17:15:41 +0000 +Subject: [PATCH] i2c: mlxcpld: Fix wrong initialization order in probe + +commit 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 upstream. + +Fix wrong order in probing routine initialization - field `base_addr' +is used before it's initialized. Move assignment of 'priv->base_addr` +to the beginning, prior the call to mlxcpld_i2c_read_comm(). +Wrong order caused the first read of capability register to be executed +at wrong offset 0x0 instead of 0x2000. By chance it was a "good +garbage" at 0x0 offset. + +Fixes: 313ce648b5a4 ("i2c: mlxcpld: Add support for extended transaction length for i2c-mlxcpld") +Signed-off-by: Vadim Pasternak <vadimp@mellanox.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Cc: stable@kernel.org + +diff --git a/drivers/i2c/busses/i2c-mlxcpld.c b/drivers/i2c/busses/i2c-mlxcpld.c +index 745ed43a22d6..2fd717d8dd30 100644 +--- a/drivers/i2c/busses/i2c-mlxcpld.c ++++ b/drivers/i2c/busses/i2c-mlxcpld.c +@@ -503,6 +503,7 @@ static int mlxcpld_i2c_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, priv); + + priv->dev = &pdev->dev; ++ priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR; + + /* Register with i2c layer */ + mlxcpld_i2c_adapter.timeout = usecs_to_jiffies(MLXCPLD_I2C_XFER_TO); +@@ -518,7 +519,6 @@ static int mlxcpld_i2c_probe(struct platform_device *pdev) + mlxcpld_i2c_adapter.nr = pdev->id; + priv->adap = mlxcpld_i2c_adapter; + priv->adap.dev.parent = &pdev->dev; +- priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR; + i2c_set_adapdata(&priv->adap, priv); + + err = i2c_add_numbered_adapter(&priv->adap); +-- +2.9.5 + diff --git a/queue/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch b/queue/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch new file mode 100644 index 0000000..caf1f66 --- /dev/null +++ b/queue/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch @@ -0,0 +1,33 @@ +From ff9378904d9d7a3fcb8406604e089e535e357b1d Mon Sep 17 00:00:00 2001 +From: Masahisa Kojima <masahisa.kojima@linaro.org> +Date: Tue, 21 May 2019 10:33:50 +0900 +Subject: [PATCH] i2c: synquacer: fix synquacer_i2c_doxfer() return value + +commit ff9378904d9d7a3fcb8406604e089e535e357b1d upstream. + +master_xfer should return the number of messages successfully +processed. + +Fixes: 0d676a6c4390 ("i2c: add support for Socionext SynQuacer I2C controller") +Cc: <stable@vger.kernel.org> # v4.19+ +Signed-off-by: Okamoto Satoru <okamoto.satoru@socionext.com> +Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> + +diff --git a/drivers/i2c/busses/i2c-synquacer.c b/drivers/i2c/busses/i2c-synquacer.c +index f14d4b3fab44..f724c8e6b360 100644 +--- a/drivers/i2c/busses/i2c-synquacer.c ++++ b/drivers/i2c/busses/i2c-synquacer.c +@@ -351,7 +351,7 @@ static int synquacer_i2c_doxfer(struct synquacer_i2c *i2c, + /* wait 2 clock periods to ensure the stop has been through the bus */ + udelay(DIV_ROUND_UP(2 * 1000, i2c->speed_khz)); + +- return 0; ++ return ret; + } + + static irqreturn_t synquacer_i2c_isr(int irq, void *dev_id) +-- +2.9.5 + diff --git a/queue/i2c-xiic-Add-max_read_len-quirk.patch b/queue/i2c-xiic-Add-max_read_len-quirk.patch new file mode 100644 index 0000000..72cd699 --- /dev/null +++ b/queue/i2c-xiic-Add-max_read_len-quirk.patch @@ -0,0 +1,47 @@ +From 49b809586730a77b57ce620b2f9689de765d790b Mon Sep 17 00:00:00 2001 +From: Robert Hancock <hancock@sedsystems.ca> +Date: Tue, 4 Jun 2019 15:55:51 -0600 +Subject: [PATCH] i2c: xiic: Add max_read_len quirk + +commit 49b809586730a77b57ce620b2f9689de765d790b upstream. + +This driver does not support reading more than 255 bytes at once because +the register for storing the number of bytes to read is only 8 bits. Add +a max_read_len quirk to enforce this. + +This was found when using this driver with the SFP driver, which was +previously reading all 256 bytes in the SFP EEPROM in one transaction. +This caused a bunch of hard-to-debug errors in the xiic driver since the +driver/logic was treating the number of bytes to read as zero. +Rejecting transactions that aren't supported at least allows the problem +to be diagnosed more easily. + +Signed-off-by: Robert Hancock <hancock@sedsystems.ca> +Reviewed-by: Michal Simek <michal.simek@xilinx.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Cc: stable@kernel.org + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 0fea7c54f788..37b3b9307d07 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -709,11 +709,16 @@ static const struct i2c_algorithm xiic_algorithm = { + .functionality = xiic_func, + }; + ++static const struct i2c_adapter_quirks xiic_quirks = { ++ .max_read_len = 255, ++}; ++ + static const struct i2c_adapter xiic_adapter = { + .owner = THIS_MODULE, + .name = DRIVER_NAME, + .class = I2C_CLASS_DEPRECATED, + .algo = &xiic_algorithm, ++ .quirks = &xiic_quirks, + }; + + +-- +2.9.5 + diff --git a/queue/iio-adc-ti-ads8688-fix-timestamp-is-not-updated-in-b.patch b/queue/iio-adc-ti-ads8688-fix-timestamp-is-not-updated-in-b.patch new file mode 100644 index 0000000..009e82b --- /dev/null +++ b/queue/iio-adc-ti-ads8688-fix-timestamp-is-not-updated-in-b.patch @@ -0,0 +1,31 @@ +From e6d12298310fa1dc11f1d747e05b168016057fdd Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer <sean@geanix.com> +Date: Tue, 7 May 2019 10:23:04 +0200 +Subject: [PATCH] iio: adc: ti-ads8688: fix timestamp is not updated in buffer + +commit e6d12298310fa1dc11f1d747e05b168016057fdd upstream. + +When using the hrtimer iio trigger timestamp isn't updated. +If we use iio_get_time_ns it is updated correctly. + +Fixes: 2a86487786b5c ("iio: adc: ti-ads8688: add trigger and buffer support") +Signed-off-by: Sean Nyekjaer <sean@geanix.com> +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> + +diff --git a/drivers/iio/adc/ti-ads8688.c b/drivers/iio/adc/ti-ads8688.c +index 8b4568edd5cb..7f16c77b99fb 100644 +--- a/drivers/iio/adc/ti-ads8688.c ++++ b/drivers/iio/adc/ti-ads8688.c +@@ -397,7 +397,7 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p) + } + + iio_push_to_buffers_with_timestamp(indio_dev, buffer, +- pf->timestamp); ++ iio_get_time_ns(indio_dev)); + + iio_trigger_notify_done(indio_dev->trig); + +-- +2.9.5 + diff --git a/queue/iio-dac-ds4422-ds4424-fix-chip-verification.patch b/queue/iio-dac-ds4422-ds4424-fix-chip-verification.patch new file mode 100644 index 0000000..9905969 --- /dev/null +++ b/queue/iio-dac-ds4422-ds4424-fix-chip-verification.patch @@ -0,0 +1,33 @@ +From 60f2208699ec08ff9fdf1f97639a661a92a18f1c Mon Sep 17 00:00:00 2001 +From: Ruslan Babayev <ruslan@babayev.com> +Date: Sun, 5 May 2019 12:24:37 -0700 +Subject: [PATCH] iio: dac: ds4422/ds4424 fix chip verification + +commit 60f2208699ec08ff9fdf1f97639a661a92a18f1c upstream. + +The ds4424_get_value function takes channel number as it's 3rd +argument and translates it internally into I2C address using +DS4424_DAC_ADDR macro. The caller ds4424_verify_chip was passing an +already translated I2C address as its last argument. + +Signed-off-by: Ruslan Babayev <ruslan@babayev.com> +Cc: xe-linux-external@cisco.com +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> + +diff --git a/drivers/iio/dac/ds4424.c b/drivers/iio/dac/ds4424.c +index 883a47562055..714a97f91319 100644 +--- a/drivers/iio/dac/ds4424.c ++++ b/drivers/iio/dac/ds4424.c +@@ -166,7 +166,7 @@ static int ds4424_verify_chip(struct iio_dev *indio_dev) + { + int ret, val; + +- ret = ds4424_get_value(indio_dev, &val, DS4424_DAC_ADDR(0)); ++ ret = ds4424_get_value(indio_dev, &val, 0); + if (ret < 0) + dev_err(&indio_dev->dev, + "%s failed. ret: %d\n", __func__, ret); +-- +2.9.5 + diff --git a/queue/ima-show-rules-with-IMA_INMASK-correctly.patch b/queue/ima-show-rules-with-IMA_INMASK-correctly.patch new file mode 100644 index 0000000..1010fa3 --- /dev/null +++ b/queue/ima-show-rules-with-IMA_INMASK-correctly.patch @@ -0,0 +1,67 @@ +From 8cdc23a3d9ec0944000ad43bad588e36afdc38cd Mon Sep 17 00:00:00 2001 +From: Roberto Sassu <roberto.sassu@huawei.com> +Date: Wed, 29 May 2019 15:30:35 +0200 +Subject: [PATCH] ima: show rules with IMA_INMASK correctly + +commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd upstream. + +Show the '^' character when a policy rule has flag IMA_INMASK. + +Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy") +Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 0f6fe53cef09..1cc822a59054 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1147,10 +1147,10 @@ enum { + }; + + static const char *const mask_tokens[] = { +- "MAY_EXEC", +- "MAY_WRITE", +- "MAY_READ", +- "MAY_APPEND" ++ "^MAY_EXEC", ++ "^MAY_WRITE", ++ "^MAY_READ", ++ "^MAY_APPEND" + }; + + #define __ima_hook_stringify(str) (#str), +@@ -1210,6 +1210,7 @@ int ima_policy_show(struct seq_file *m, void *v) + struct ima_rule_entry *entry = v; + int i; + char tbuf[64] = {0,}; ++ int offset = 0; + + rcu_read_lock(); + +@@ -1233,15 +1234,17 @@ int ima_policy_show(struct seq_file *m, void *v) + if (entry->flags & IMA_FUNC) + policy_func_show(m, entry->func); + +- if (entry->flags & IMA_MASK) { ++ if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { ++ if (entry->flags & IMA_MASK) ++ offset = 1; + if (entry->mask & MAY_EXEC) +- seq_printf(m, pt(Opt_mask), mt(mask_exec)); ++ seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); + if (entry->mask & MAY_WRITE) +- seq_printf(m, pt(Opt_mask), mt(mask_write)); ++ seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); + if (entry->mask & MAY_READ) +- seq_printf(m, pt(Opt_mask), mt(mask_read)); ++ seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); + if (entry->mask & MAY_APPEND) +- seq_printf(m, pt(Opt_mask), mt(mask_append)); ++ seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); + seq_puts(m, " "); + } + +-- +2.9.5 + diff --git a/queue/include-linux-bitops.h-sanitize-rotate-primitives.patch b/queue/include-linux-bitops.h-sanitize-rotate-primitives.patch new file mode 100644 index 0000000..5bd56e3 --- /dev/null +++ b/queue/include-linux-bitops.h-sanitize-rotate-primitives.patch @@ -0,0 +1,130 @@ +From ef4d6f6b275c498f8e5626c99dbeefdc5027f843 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes <linux@rasmusvillemoes.dk> +Date: Tue, 14 May 2019 15:43:27 -0700 +Subject: [PATCH] include/linux/bitops.h: sanitize rotate primitives + +commit ef4d6f6b275c498f8e5626c99dbeefdc5027f843 upstream. + +The ror32 implementation (word >> shift) | (word << (32 - shift) has +undefined behaviour if shift is outside the [1, 31] range. Similarly +for the 64 bit variants. Most callers pass a compile-time constant +(naturally in that range), but there's an UBSAN report that these may +actually be called with a shift count of 0. + +Instead of special-casing that, we can make them DTRT for all values of +shift while also avoiding UB. For some reason, this was already partly +done for rol32 (which was well-defined for [0, 31]). gcc 8 recognizes +these patterns as rotates, so for example + + __u32 rol32(__u32 word, unsigned int shift) + { + return (word << (shift & 31)) | (word >> ((-shift) & 31)); + } + +compiles to + +0000000000000020 <rol32>: + 20: 89 f8 mov %edi,%eax + 22: 89 f1 mov %esi,%ecx + 24: d3 c0 rol %cl,%eax + 26: c3 retq + +Older compilers unfortunately do not do as well, but this only affects +the small minority of users that don't pass constants. + +Due to integer promotions, ro[lr]8 were already well-defined for shifts +in [0, 8], and ro[lr]16 were mostly well-defined for shifts in [0, 16] +(only mostly - u16 gets promoted to _signed_ int, so if bit 15 is set, +word << 16 is undefined). For consistency, update those as well. + +Link: http://lkml.kernel.org/r/20190410211906.2190-1-linux@rasmusvillemoes.dk +Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> +Reported-by: Ido Schimmel <idosch@mellanox.com> +Tested-by: Ido Schimmel <idosch@mellanox.com> +Reviewed-by: Will Deacon <will.deacon@arm.com> +Cc: Vadim Pasternak <vadimp@mellanox.com> +Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> +Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com> +Cc: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index 602af23b98c7..cf074bce3eb3 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -60,7 +60,7 @@ static __always_inline unsigned long hweight_long(unsigned long w) + */ + static inline __u64 rol64(__u64 word, unsigned int shift) + { +- return (word << shift) | (word >> (64 - shift)); ++ return (word << (shift & 63)) | (word >> ((-shift) & 63)); + } + + /** +@@ -70,7 +70,7 @@ static inline __u64 rol64(__u64 word, unsigned int shift) + */ + static inline __u64 ror64(__u64 word, unsigned int shift) + { +- return (word >> shift) | (word << (64 - shift)); ++ return (word >> (shift & 63)) | (word << ((-shift) & 63)); + } + + /** +@@ -80,7 +80,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift) + */ + static inline __u32 rol32(__u32 word, unsigned int shift) + { +- return (word << shift) | (word >> ((-shift) & 31)); ++ return (word << (shift & 31)) | (word >> ((-shift) & 31)); + } + + /** +@@ -90,7 +90,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift) + */ + static inline __u32 ror32(__u32 word, unsigned int shift) + { +- return (word >> shift) | (word << (32 - shift)); ++ return (word >> (shift & 31)) | (word << ((-shift) & 31)); + } + + /** +@@ -100,7 +100,7 @@ static inline __u32 ror32(__u32 word, unsigned int shift) + */ + static inline __u16 rol16(__u16 word, unsigned int shift) + { +- return (word << shift) | (word >> (16 - shift)); ++ return (word << (shift & 15)) | (word >> ((-shift) & 15)); + } + + /** +@@ -110,7 +110,7 @@ static inline __u16 rol16(__u16 word, unsigned int shift) + */ + static inline __u16 ror16(__u16 word, unsigned int shift) + { +- return (word >> shift) | (word << (16 - shift)); ++ return (word >> (shift & 15)) | (word << ((-shift) & 15)); + } + + /** +@@ -120,7 +120,7 @@ static inline __u16 ror16(__u16 word, unsigned int shift) + */ + static inline __u8 rol8(__u8 word, unsigned int shift) + { +- return (word << shift) | (word >> (8 - shift)); ++ return (word << (shift & 7)) | (word >> ((-shift) & 7)); + } + + /** +@@ -130,7 +130,7 @@ static inline __u8 rol8(__u8 word, unsigned int shift) + */ + static inline __u8 ror8(__u8 word, unsigned int shift) + { +- return (word >> shift) | (word << (8 - shift)); ++ return (word >> (shift & 7)) | (word << ((-shift) & 7)); + } + + /** +-- +2.9.5 + diff --git a/queue/include-linux-compiler-.h-define-asm_volatile_goto.patch b/queue/include-linux-compiler-.h-define-asm_volatile_goto.patch new file mode 100644 index 0000000..0d52a82 --- /dev/null +++ b/queue/include-linux-compiler-.h-define-asm_volatile_goto.patch @@ -0,0 +1,34 @@ +From 8bd66d147c88bd441178c7b4c774ae5a185f19b8 Mon Sep 17 00:00:00 2001 +From: "ndesaulniers@google.com" <ndesaulniers@google.com> +Date: Wed, 31 Oct 2018 12:39:01 -0700 +Subject: [PATCH] include/linux/compiler*.h: define asm_volatile_goto + +commit 8bd66d147c88bd441178c7b4c774ae5a185f19b8 upstream. + +asm_volatile_goto should also be defined for other compilers that support +asm goto. + +Fixes commit 815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h +mutually exclusive"). + +Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> + +diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h +index 3439d7d0249a..4a3f9c09c92d 100644 +--- a/include/linux/compiler_types.h ++++ b/include/linux/compiler_types.h +@@ -130,6 +130,10 @@ struct ftrace_likely_data { + # define randomized_struct_fields_end + #endif + ++#ifndef asm_volatile_goto ++#define asm_volatile_goto(x...) asm goto(x) ++#endif ++ + /* Are two types/vars the same type (ignoring qualifiers)? */ + #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) + +-- +2.9.5 + diff --git a/queue/include-linux-module.h-copy-__init-__exit-attrs-to-i.patch b/queue/include-linux-module.h-copy-__init-__exit-attrs-to-i.patch new file mode 100644 index 0000000..05fa3c1 --- /dev/null +++ b/queue/include-linux-module.h-copy-__init-__exit-attrs-to-i.patch @@ -0,0 +1,78 @@ +From a6e60d84989fa0e91db7f236eda40453b0e44afa Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> +Date: Sat, 19 Jan 2019 20:59:34 +0100 +Subject: [PATCH] include/linux/module.h: copy __init/__exit attrs to + init/cleanup_module + +commit a6e60d84989fa0e91db7f236eda40453b0e44afa upstream. + +The upcoming GCC 9 release extends the -Wmissing-attributes warnings +(enabled by -Wall) to C and aliases: it warns when particular function +attributes are missing in the aliases but not in their target. + +In particular, it triggers for all the init/cleanup_module +aliases in the kernel (defined by the module_init/exit macros), +ending up being very noisy. + +These aliases point to the __init/__exit functions of a module, +which are defined as __cold (among other attributes). However, +the aliases themselves do not have the __cold attribute. + +Since the compiler behaves differently when compiling a __cold +function as well as when compiling paths leading to calls +to __cold functions, the warning is trying to point out +the possibly-forgotten attribute in the alias. + +In order to keep the warning enabled, we decided to silence +this case. Ideally, we would mark the aliases directly +as __init/__exit. However, there are currently around 132 modules +in the kernel which are missing __init/__exit in their init/cleanup +functions (either because they are missing, or for other reasons, +e.g. the functions being called from somewhere else); and +a section mismatch is a hard error. + +A conservative alternative was to mark the aliases as __cold only. +However, since we would like to eventually enforce __init/__exit +to be always marked, we chose to use the new __copy function +attribute (introduced by GCC 9 as well to deal with this). +With it, we copy the attributes used by the target functions +into the aliases. This way, functions that were not marked +as __init/__exit won't have their aliases marked either, +and therefore there won't be a section mismatch. + +Note that the warning would go away marking either the extern +declaration, the definition, or both. However, we only mark +the definition of the alias, since we do not want callers +(which only see the declaration) to be compiled as if the function +was __cold (and therefore the paths leading to those calls +would be assumed to be unlikely). + +Link: https://lore.kernel.org/lkml/20190123173707.GA16603@gmail.com/ +Link: https://lore.kernel.org/lkml/20190206175627.GA20399@gmail.com/ +Suggested-by: Martin Sebor <msebor@gcc.gnu.org> +Acked-by: Jessica Yu <jeyu@kernel.org> +Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> + +diff --git a/include/linux/module.h b/include/linux/module.h +index 8fa38d3e7538..f5bc4c046461 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -129,13 +129,13 @@ extern void cleanup_module(void); + #define module_init(initfn) \ + static inline initcall_t __maybe_unused __inittest(void) \ + { return initfn; } \ +- int init_module(void) __attribute__((alias(#initfn))); ++ int init_module(void) __copy(initfn) __attribute__((alias(#initfn))); + + /* This is only required if you want to be unloadable. */ + #define module_exit(exitfn) \ + static inline exitcall_t __maybe_unused __exittest(void) \ + { return exitfn; } \ +- void cleanup_module(void) __attribute__((alias(#exitfn))); ++ void cleanup_module(void) __copy(exitfn) __attribute__((alias(#exitfn))); + + #endif + +-- +2.9.5 + diff --git a/queue/inet-switch-IP-ID-generator-to-siphash.patch b/queue/inet-switch-IP-ID-generator-to-siphash.patch new file mode 100644 index 0000000..0da8996 --- /dev/null +++ b/queue/inet-switch-IP-ID-generator-to-siphash.patch @@ -0,0 +1,154 @@ +From df453700e8d81b1bdafdf684365ee2b9431fb702 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 27 Mar 2019 12:40:33 -0700 +Subject: [PATCH] inet: switch IP ID generator to siphash + +commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream. + +According to Amit Klein and Benny Pinkas, IP ID generation is too weak +and might be used by attackers. + +Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) +having 64bit key and Jenkins hash is risky. + +It is time to switch to siphash and its 128bit keys. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: Amit Klein <aksecurity@gmail.com> +Reported-by: Benny Pinkas <benny@pinkas.net> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/siphash.h b/include/linux/siphash.h +index fa7a6b9cedbf..bf21591a9e5e 100644 +--- a/include/linux/siphash.h ++++ b/include/linux/siphash.h +@@ -21,6 +21,11 @@ typedef struct { + u64 key[2]; + } siphash_key_t; + ++static inline bool siphash_key_is_zero(const siphash_key_t *key) ++{ ++ return !(key->key[0] | key->key[1]); ++} ++ + u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); + #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); +diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h +index 104a6669e344..7698460a3dd1 100644 +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -9,6 +9,7 @@ + #include <linux/uidgid.h> + #include <net/inet_frag.h> + #include <linux/rcupdate.h> ++#include <linux/siphash.h> + + struct tcpm_hash_bucket; + struct ctl_table_header; +@@ -217,5 +218,6 @@ struct netns_ipv4 { + unsigned int ipmr_seq; /* protected by rtnl_mutex */ + + atomic_t rt_genid; ++ siphash_key_t ip_id_key; + }; + #endif +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 14c7fdacaa72..f2688fce39e1 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -500,15 +500,17 @@ EXPORT_SYMBOL(ip_idents_reserve); + + void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) + { +- static u32 ip_idents_hashrnd __read_mostly; + u32 hash, id; + +- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); ++ /* Note the following code is not safe, but this is okay. */ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); + +- hash = jhash_3words((__force u32)iph->daddr, ++ hash = siphash_3u32((__force u32)iph->daddr, + (__force u32)iph->saddr, +- iph->protocol ^ net_hash_mix(net), +- ip_idents_hashrnd); ++ iph->protocol, ++ &net->ipv4.ip_id_key); + id = ip_idents_reserve(hash, segs); + iph->id = htons(id); + } +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index 4fe7c90962dd..868ae23dbae1 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -10,15 +10,25 @@ + #include <net/secure_seq.h> + #include <linux/netfilter.h> + +-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, ++static u32 __ipv6_select_ident(struct net *net, + const struct in6_addr *dst, + const struct in6_addr *src) + { ++ const struct { ++ struct in6_addr dst; ++ struct in6_addr src; ++ } __aligned(SIPHASH_ALIGNMENT) combined = { ++ .dst = *dst, ++ .src = *src, ++ }; + u32 hash, id; + +- hash = __ipv6_addr_jhash(dst, hashrnd); +- hash = __ipv6_addr_jhash(src, hash); +- hash ^= net_hash_mix(net); ++ /* Note the following code is not safe, but this is okay. */ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); ++ ++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); + + /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, + * set the hight order instead thus minimizing possible future +@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, + */ + __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) + { +- static u32 ip6_proxy_idents_hashrnd __read_mostly; + struct in6_addr buf[2]; + struct in6_addr *addrs; + u32 id; +@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) + if (!addrs) + return 0; + +- net_get_random_once(&ip6_proxy_idents_hashrnd, +- sizeof(ip6_proxy_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, +- &addrs[1], &addrs[0]); ++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]); + return htonl(id); + } + EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); +@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net, + const struct in6_addr *daddr, + const struct in6_addr *saddr) + { +- static u32 ip6_idents_hashrnd __read_mostly; + u32 id; + +- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr); ++ id = __ipv6_select_ident(net, daddr, saddr); + return htonl(id); + } + EXPORT_SYMBOL(ipv6_select_ident); +-- +2.9.5 + diff --git a/queue/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch b/queue/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch new file mode 100644 index 0000000..4873d3d --- /dev/null +++ b/queue/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch @@ -0,0 +1,44 @@ +From 9b3040a6aafd7898ece7fc7efcbca71e42aa8069 Mon Sep 17 00:00:00 2001 +From: David Ahern <dsahern@gmail.com> +Date: Sun, 5 May 2019 11:16:20 -0700 +Subject: [PATCH] ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is + disabled + +commit 9b3040a6aafd7898ece7fc7efcbca71e42aa8069 upstream. + +Define __ipv4_neigh_lookup_noref to return NULL when CONFIG_INET is disabled. + +Fixes: 4b2a2bfeb3f0 ("neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit") +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/arp.h b/include/net/arp.h +index 977aabfcdc03..c8f580a0e6b1 100644 +--- a/include/net/arp.h ++++ b/include/net/arp.h +@@ -18,6 +18,7 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32 + return val * hash_rnd[0]; + } + ++#ifdef CONFIG_INET + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) + { + if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) +@@ -25,6 +26,13 @@ static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev + + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev); + } ++#else ++static inline ++struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) ++{ ++ return NULL; ++} ++#endif + + static inline struct neighbour *__ipv4_neigh_lookup(struct net_device *dev, u32 key) + { +-- +2.9.5 + diff --git a/queue/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delr.patch b/queue/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delr.patch new file mode 100644 index 0000000..e578a99 --- /dev/null +++ b/queue/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delr.patch @@ -0,0 +1,161 @@ +From 3580d04aa674383c42de7b635d28e52a1e5bc72c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 22 May 2019 16:51:22 -0700 +Subject: [PATCH] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() + +commit 3580d04aa674383c42de7b635d28e52a1e5bc72c upstream. + +syzbot reported memory leaks [1] that I have back tracked to +a missing cleanup from igmpv3_del_delrec() when +(im->sfmode != MCAST_INCLUDE) + +Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely +handle the cleanups before freeing. + +[1] + +BUG: memory leak +unreferenced object 0xffff888123e32b00 (size 64): + comm "softirq", pid 0, jiffies 4294942968 (age 8.010s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline] + [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline] + [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline] + [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957 + [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 + [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 + [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Hangbin Liu <liuhangbin@gmail.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 6c2febc39dca..1a8d36dd49d4 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -633,6 +633,24 @@ static void igmpv3_clear_zeros(struct ip_sf_list **ppsf) + } + } + ++static void ip_sf_list_clear_all(struct ip_sf_list *psf) ++{ ++ struct ip_sf_list *next; ++ ++ while (psf) { ++ next = psf->sf_next; ++ kfree(psf); ++ psf = next; ++ } ++} ++ ++static void kfree_pmc(struct ip_mc_list *pmc) ++{ ++ ip_sf_list_clear_all(pmc->sources); ++ ip_sf_list_clear_all(pmc->tomb); ++ kfree(pmc); ++} ++ + static void igmpv3_send_cr(struct in_device *in_dev) + { + struct ip_mc_list *pmc, *pmc_prev, *pmc_next; +@@ -669,7 +687,7 @@ static void igmpv3_send_cr(struct in_device *in_dev) + else + in_dev->mc_tomb = pmc_next; + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } else + pmc_prev = pmc; + } +@@ -1215,14 +1233,18 @@ static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im) + im->interface = pmc->interface; + if (im->sfmode == MCAST_INCLUDE) { + im->tomb = pmc->tomb; ++ pmc->tomb = NULL; ++ + im->sources = pmc->sources; ++ pmc->sources = NULL; ++ + for (psf = im->sources; psf; psf = psf->sf_next) + psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + } else { + im->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + } + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } + spin_unlock_bh(&im->lock); + } +@@ -1243,21 +1265,18 @@ static void igmpv3_clear_delrec(struct in_device *in_dev) + nextpmc = pmc->next; + ip_mc_clear_src(pmc); + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } + /* clear dead sources, too */ + rcu_read_lock(); + for_each_pmc_rcu(in_dev, pmc) { +- struct ip_sf_list *psf, *psf_next; ++ struct ip_sf_list *psf; + + spin_lock_bh(&pmc->lock); + psf = pmc->tomb; + pmc->tomb = NULL; + spin_unlock_bh(&pmc->lock); +- for (; psf; psf = psf_next) { +- psf_next = psf->sf_next; +- kfree(psf); +- } ++ ip_sf_list_clear_all(psf); + } + rcu_read_unlock(); + } +@@ -2123,7 +2142,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode, + + static void ip_mc_clear_src(struct ip_mc_list *pmc) + { +- struct ip_sf_list *psf, *nextpsf, *tomb, *sources; ++ struct ip_sf_list *tomb, *sources; + + spin_lock_bh(&pmc->lock); + tomb = pmc->tomb; +@@ -2135,14 +2154,8 @@ static void ip_mc_clear_src(struct ip_mc_list *pmc) + pmc->sfcount[MCAST_EXCLUDE] = 1; + spin_unlock_bh(&pmc->lock); + +- for (psf = tomb; psf; psf = nextpsf) { +- nextpsf = psf->sf_next; +- kfree(psf); +- } +- for (psf = sources; psf; psf = nextpsf) { +- nextpsf = psf->sf_next; +- kfree(psf); +- } ++ ip_sf_list_clear_all(tomb); ++ ip_sf_list_clear_all(sources); + } + + /* Join a multicast group +-- +2.9.5 + diff --git a/queue/ipv4-igmp-fix-build-error-if-CONFIG_IP_MULTICAST.patch b/queue/ipv4-igmp-fix-build-error-if-CONFIG_IP_MULTICAST.patch new file mode 100644 index 0000000..8f98ab8 --- /dev/null +++ b/queue/ipv4-igmp-fix-build-error-if-CONFIG_IP_MULTICAST.patch @@ -0,0 +1,57 @@ +From 903869bd10e6719b9df6718e785be7ec725df59f Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 22 May 2019 18:35:16 -0700 +Subject: [PATCH] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST + +commit 903869bd10e6719b9df6718e785be7ec725df59f upstream. + +ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST + +Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 1a8d36dd49d4..eb03153dfe12 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -188,6 +188,17 @@ static void ip_ma_put(struct ip_mc_list *im) + pmc != NULL; \ + pmc = rtnl_dereference(pmc->next_rcu)) + ++static void ip_sf_list_clear_all(struct ip_sf_list *psf) ++{ ++ struct ip_sf_list *next; ++ ++ while (psf) { ++ next = psf->sf_next; ++ kfree(psf); ++ psf = next; ++ } ++} ++ + #ifdef CONFIG_IP_MULTICAST + + /* +@@ -633,17 +644,6 @@ static void igmpv3_clear_zeros(struct ip_sf_list **ppsf) + } + } + +-static void ip_sf_list_clear_all(struct ip_sf_list *psf) +-{ +- struct ip_sf_list *next; +- +- while (psf) { +- next = psf->sf_next; +- kfree(psf); +- psf = next; +- } +-} +- + static void kfree_pmc(struct ip_mc_list *pmc) + { + ip_sf_list_clear_all(pmc->sources); +-- +2.9.5 + diff --git a/queue/ipv4-not-do-cache-for-local-delivery-if-bc_forwardin.patch b/queue/ipv4-not-do-cache-for-local-delivery-if-bc_forwardin.patch new file mode 100644 index 0000000..ef91620 --- /dev/null +++ b/queue/ipv4-not-do-cache-for-local-delivery-if-bc_forwardin.patch @@ -0,0 +1,88 @@ +From 0a90478b93a46bdcd56ba33c37566a993e455d54 Mon Sep 17 00:00:00 2001 +From: Xin Long <lucien.xin@gmail.com> +Date: Sun, 2 Jun 2019 19:10:24 +0800 +Subject: [PATCH] ipv4: not do cache for local delivery if bc_forwarding is + enabled + +commit 0a90478b93a46bdcd56ba33c37566a993e455d54 upstream. + +With the topo: + + h1 ---| rp1 | + | route rp3 |--- h3 (192.168.200.1) + h2 ---| rp2 | + +If rp1 bc_forwarding is set while rp2 bc_forwarding is not, after +doing "ping 192.168.200.255" on h1, then ping 192.168.200.255 on +h2, and the packets can still be forwared. + +This issue was caused by the input route cache. It should only do +the cache for either bc forwarding or local delivery. Otherwise, +local delivery can use the route cache for bc forwarding of other +interfaces. + +This patch is to fix it by not doing cache for local delivery if +all.bc_forwarding is enabled. + +Note that we don't fix it by checking route cache local flag after +rt_cache_valid() in "local_input:" and "ip_mkroute_input", as the +common route code shouldn't be touched for bc_forwarding. + +Fixes: 5cbf777cfdf6 ("route: add support for directed broadcast forwarding") +Reported-by: Jianlin Shi <jishi@redhat.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 11ddc276776e..91bf75b8ac1c 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1985,7 +1985,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + u32 itag = 0; + struct rtable *rth; + struct flowi4 fl4; +- bool do_cache; ++ bool do_cache = true; + + /* IP on this device is disabled. */ + +@@ -2062,6 +2062,9 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + if (res->type == RTN_BROADCAST) { + if (IN_DEV_BFORWARD(in_dev)) + goto make_route; ++ /* not do cache if bc_forwarding is enabled */ ++ if (IPV4_DEVCONF_ALL(net, BC_FORWARDING)) ++ do_cache = false; + goto brd_input; + } + +@@ -2099,18 +2102,15 @@ brd_input: + RT_CACHE_STAT_INC(in_brd); + + local_input: +- do_cache = false; +- if (res->fi) { +- if (!itag) { +- struct fib_nh_common *nhc = FIB_RES_NHC(*res); ++ do_cache &= res->fi && !itag; ++ if (do_cache) { ++ struct fib_nh_common *nhc = FIB_RES_NHC(*res); + +- rth = rcu_dereference(nhc->nhc_rth_input); +- if (rt_cache_valid(rth)) { +- skb_dst_set_noref(skb, &rth->dst); +- err = 0; +- goto out; +- } +- do_cache = true; ++ rth = rcu_dereference(nhc->nhc_rth_input); ++ if (rt_cache_valid(rth)) { ++ skb_dst_set_noref(skb, &rth->dst); ++ err = 0; ++ goto out; + } + } + +-- +2.9.5 + diff --git a/queue/ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch b/queue/ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch new file mode 100644 index 0000000..2f47b73 --- /dev/null +++ b/queue/ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch @@ -0,0 +1,37 @@ +From 72f7cfab6f93a8ea825fab8ccfb016d064269f7f Mon Sep 17 00:00:00 2001 +From: Mike Manning <mmanning@vyatta.att-mail.com> +Date: Mon, 20 May 2019 19:57:17 +0100 +Subject: [PATCH] ipv6: Consider sk_bound_dev_if when binding a raw socket to + an address + +commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f upstream. + +IPv6 does not consider if the socket is bound to a device when binding +to an address. The result is that a socket can be bound to eth0 and +then bound to the address of eth1. If the device is a VRF, the result +is that a socket can only be bound to an address in the default VRF. + +Resolve by considering the device if sk_bound_dev_if is set. + +Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com> +Reviewed-by: David Ahern <dsahern@gmail.com> +Tested-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 84dbe21b71e5..96a3559f2a09 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -287,7 +287,9 @@ static int rawv6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + /* Binding to link-local address requires an interface */ + if (!sk->sk_bound_dev_if) + goto out_unlock; ++ } + ++ if (sk->sk_bound_dev_if) { + err = -ENODEV; + dev = dev_get_by_index_rcu(sock_net(sk), + sk->sk_bound_dev_if); +-- +2.9.5 + diff --git a/queue/ipv6-Fix-redirect-with-VRF.patch b/queue/ipv6-Fix-redirect-with-VRF.patch new file mode 100644 index 0000000..ded51ff --- /dev/null +++ b/queue/ipv6-Fix-redirect-with-VRF.patch @@ -0,0 +1,38 @@ +From 31680ac265802397937d75461a2809a067b9fb93 Mon Sep 17 00:00:00 2001 +From: David Ahern <dsahern@gmail.com> +Date: Wed, 22 May 2019 15:12:18 -0700 +Subject: [PATCH] ipv6: Fix redirect with VRF + +commit 31680ac265802397937d75461a2809a067b9fb93 upstream. + +IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB +entries looking for an exact match on ifindex. With VRF the flowi6_oif +is updated by l3mdev_update_flow to the l3mdev index and the +FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the +device match. For redirects the device match is requires so use that +flag to know when the oif needs to be reset to the skb device index. + +Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack") +Signed-off-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 7a014ca877ed..848e944f07df 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2512,6 +2512,12 @@ static struct rt6_info *__ip6_route_redirect(struct net *net, + struct fib6_info *rt; + struct fib6_node *fn; + ++ /* l3mdev_update_flow overrides oif if the device is enslaved; in ++ * this case we must match on the real ingress device, so reset it ++ */ ++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF) ++ fl6->flowi6_oif = skb->dev->ifindex; ++ + /* Get the "current" route for this destination and + * check if the redirect has come from appropriate router. + * +-- +2.9.5 + diff --git a/queue/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch b/queue/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch new file mode 100644 index 0000000..bb4a068 --- /dev/null +++ b/queue/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch @@ -0,0 +1,56 @@ +From b9aa52c4cb457e7416cc0c95f475e72ef4a61336 Mon Sep 17 00:00:00 2001 +From: Olivier Matz <olivier.matz@6wind.com> +Date: Thu, 6 Jun 2019 09:15:19 +0200 +Subject: [PATCH] ipv6: fix EFAULT on sendto with icmpv6 and hdrincl + +commit b9aa52c4cb457e7416cc0c95f475e72ef4a61336 upstream. + +The following code returns EFAULT (Bad address): + + s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); + setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1); + sendto(ipv6_icmp6_packet, addr); /* returns -1, errno = EFAULT */ + +The IPv4 equivalent code works. A workaround is to use IPPROTO_RAW +instead of IPPROTO_ICMPV6. + +The failure happens because 2 bytes are eaten from the msghdr by +rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6 +equivalent of "ipv4: Avoid reading user iov twice after +raw_probe_proto_opt""), but at that time it was not a problem because +IPV6_HDRINCL was not yet introduced. + +Only eat these 2 bytes if hdrincl == 0. + +Fixes: 715f504b1189 ("ipv6: add IPV6_HDRINCL option for raw sockets") +Signed-off-by: Olivier Matz <olivier.matz@6wind.com> +Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index af2f9a833c4e..1bb88b4b677b 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -895,11 +895,14 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + opt = ipv6_fixup_options(&opt_space, opt); + + fl6.flowi6_proto = proto; +- rfv.msg = msg; +- rfv.hlen = 0; +- err = rawv6_probe_proto_opt(&rfv, &fl6); +- if (err) +- goto out; ++ ++ if (!hdrincl) { ++ rfv.msg = msg; ++ rfv.hlen = 0; ++ err = rawv6_probe_proto_opt(&rfv, &fl6); ++ if (err) ++ goto out; ++ } + + if (!ipv6_addr_any(daddr)) + fl6.daddr = *daddr; +-- +2.9.5 + diff --git a/queue/ipv6-fix-the-check-before-getting-the-cookie-in-rt6_.patch b/queue/ipv6-fix-the-check-before-getting-the-cookie-in-rt6_.patch new file mode 100644 index 0000000..e4ac8c5 --- /dev/null +++ b/queue/ipv6-fix-the-check-before-getting-the-cookie-in-rt6_.patch @@ -0,0 +1,46 @@ +From b7999b07726c16974ba9ca3bb9fe98ecbec5f81c Mon Sep 17 00:00:00 2001 +From: Xin Long <lucien.xin@gmail.com> +Date: Sun, 2 Jun 2019 19:10:46 +0800 +Subject: [PATCH] ipv6: fix the check before getting the cookie in + rt6_get_cookie + +commit b7999b07726c16974ba9ca3bb9fe98ecbec5f81c upstream. + +In Jianlin's testing, netperf was broken with 'Connection reset by peer', +as the cookie check failed in rt6_check() and ip6_dst_check() always +returned NULL. + +It's caused by Commit 93531c674315 ("net/ipv6: separate handling of FIB +entries from dst based routes"), where the cookie can be got only when +'c1'(see below) for setting dst_cookie whereas rt6_check() is called +when !'c1' for checking dst_cookie, as we can see in ip6_dst_check(). + +Since in ip6_dst_check() both rt6_dst_from_check() (c1) and rt6_check() +(!c1) will check the 'from' cookie, this patch is to remove the c1 check +in rt6_get_cookie(), so that the dst_cookie can always be set properly. + +c1: + (rt->rt6i_flags & RTF_PCPU || unlikely(!list_empty(&rt->rt6i_uncached))) + +Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes") +Reported-by: Jianlin Shi <jishi@redhat.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h +index 525f701653ca..d6d936cbf6b3 100644 +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -263,8 +263,7 @@ static inline u32 rt6_get_cookie(const struct rt6_info *rt) + rcu_read_lock(); + + from = rcu_dereference(rt->from); +- if (from && (rt->rt6i_flags & RTF_PCPU || +- unlikely(!list_empty(&rt->rt6i_uncached)))) ++ if (from) + fib6_get_cookie_safe(from, &cookie); + + rcu_read_unlock(); +-- +2.9.5 + diff --git a/queue/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch b/queue/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch new file mode 100644 index 0000000..232bb75 --- /dev/null +++ b/queue/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch @@ -0,0 +1,63 @@ +From 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 Mon Sep 17 00:00:00 2001 +From: Olivier Matz <olivier.matz@6wind.com> +Date: Thu, 6 Jun 2019 09:15:18 +0200 +Subject: [PATCH] ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 + +commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 upstream. + +As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race +condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate +READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the +value of inet->hdrincl in a local variable, to avoid introducing a race +condition in the next commit. + +Signed-off-by: Olivier Matz <olivier.matz@6wind.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 96a3559f2a09..af2f9a833c4e 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -783,6 +783,7 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + struct flowi6 fl6; + struct ipcm6_cookie ipc6; + int addr_len = msg->msg_namelen; ++ int hdrincl; + u16 proto; + int err; + +@@ -796,6 +797,13 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + ++ /* hdrincl should be READ_ONCE(inet->hdrincl) ++ * but READ_ONCE() doesn't work with bit fields. ++ * Doing this indirectly yields the same result. ++ */ ++ hdrincl = inet->hdrincl; ++ hdrincl = READ_ONCE(hdrincl); ++ + /* + * Get and verify the address. + */ +@@ -908,7 +916,7 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + fl6.flowi6_oif = np->ucast_oif; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- if (inet->hdrincl) ++ if (hdrincl) + fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH; + + if (ipc6.tclass < 0) +@@ -931,7 +939,7 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + goto do_confirm; + + back_from_confirm: +- if (inet->hdrincl) ++ if (hdrincl) + err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, + msg->msg_flags, &ipc6.sockc); + else { +-- +2.9.5 + diff --git a/queue/jump_label-move-asm-goto-support-test-to-Kconfig.patch b/queue/jump_label-move-asm-goto-support-test-to-Kconfig.patch new file mode 100644 index 0000000..1494bff --- /dev/null +++ b/queue/jump_label-move-asm-goto-support-test-to-Kconfig.patch @@ -0,0 +1,915 @@ +From e9666d10a5677a494260d60d1fa0b73cc7646eb3 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada <yamada.masahiro@socionext.com> +Date: Mon, 31 Dec 2018 00:14:15 +0900 +Subject: [PATCH] jump_label: move 'asm goto' support test to Kconfig + +commit e9666d10a5677a494260d60d1fa0b73cc7646eb3 upstream. + +Currently, CONFIG_JUMP_LABEL just means "I _want_ to use jump label". + +The jump label is controlled by HAVE_JUMP_LABEL, which is defined +like this: + + #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL) + # define HAVE_JUMP_LABEL + #endif + +We can improve this by testing 'asm goto' support in Kconfig, then +make JUMP_LABEL depend on CC_HAS_ASM_GOTO. + +Ugly #ifdef HAVE_JUMP_LABEL will go away, and CONFIG_JUMP_LABEL will +match to the real kernel capability. + +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc) +Tested-by: Sedat Dilek <sedat.dilek@gmail.com> + +diff --git a/Makefile b/Makefile +index 60a473247657..04a857817f77 100644 +--- a/Makefile ++++ b/Makefile +@@ -514,13 +514,6 @@ RETPOLINE_VDSO_CFLAGS := $(call cc-option,$(RETPOLINE_VDSO_CFLAGS_GCC),$(call cc + export RETPOLINE_CFLAGS + export RETPOLINE_VDSO_CFLAGS + +-# check for 'asm goto' +-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) +- CC_HAVE_ASM_GOTO := 1 +- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO +- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO +-endif +- + # The expansion should be delayed until arch/$(SRCARCH)/Makefile is included. + # Some architectures define CROSS_COMPILE in arch/$(SRCARCH)/Makefile. + # CC_VERSION_TEXT is referenced from Kconfig (so it needs export), +diff --git a/arch/Kconfig b/arch/Kconfig +index b70c952ac838..4cfb6de48f79 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -71,6 +71,7 @@ config KPROBES + config JUMP_LABEL + bool "Optimize very unlikely/likely branches" + depends on HAVE_ARCH_JUMP_LABEL ++ depends on CC_HAS_ASM_GOTO + help + This option enables a transparent branch optimization that + makes certain almost-always-true or almost-always-false branch +diff --git a/arch/arm/kernel/jump_label.c b/arch/arm/kernel/jump_label.c +index 90bce3d9928e..303b3ab87f7e 100644 +--- a/arch/arm/kernel/jump_label.c ++++ b/arch/arm/kernel/jump_label.c +@@ -4,8 +4,6 @@ + #include <asm/patch.h> + #include <asm/insn.h> + +-#ifdef HAVE_JUMP_LABEL +- + static void __arch_jump_label_transform(struct jump_entry *entry, + enum jump_label_type type, + bool is_static) +@@ -35,5 +33,3 @@ void arch_jump_label_transform_static(struct jump_entry *entry, + { + __arch_jump_label_transform(entry, type, true); + } +- +-#endif +diff --git a/arch/arm64/kernel/jump_label.c b/arch/arm64/kernel/jump_label.c +index 646b9562ee64..1eff270e8861 100644 +--- a/arch/arm64/kernel/jump_label.c ++++ b/arch/arm64/kernel/jump_label.c +@@ -20,8 +20,6 @@ + #include <linux/jump_label.h> + #include <asm/insn.h> + +-#ifdef HAVE_JUMP_LABEL +- + void arch_jump_label_transform(struct jump_entry *entry, + enum jump_label_type type) + { +@@ -49,5 +47,3 @@ void arch_jump_label_transform_static(struct jump_entry *entry, + * NOP needs to be replaced by a branch. + */ + } +- +-#endif /* HAVE_JUMP_LABEL */ +diff --git a/arch/mips/kernel/jump_label.c b/arch/mips/kernel/jump_label.c +index 32e3168316cd..ab943927f97a 100644 +--- a/arch/mips/kernel/jump_label.c ++++ b/arch/mips/kernel/jump_label.c +@@ -16,8 +16,6 @@ + #include <asm/cacheflush.h> + #include <asm/inst.h> + +-#ifdef HAVE_JUMP_LABEL +- + /* + * Define parameters for the standard MIPS and the microMIPS jump + * instruction encoding respectively: +@@ -70,5 +68,3 @@ void arch_jump_label_transform(struct jump_entry *e, + + mutex_unlock(&text_mutex); + } +- +-#endif /* HAVE_JUMP_LABEL */ +diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h +index 6f201b199c02..1d911f68a23b 100644 +--- a/arch/powerpc/include/asm/asm-prototypes.h ++++ b/arch/powerpc/include/asm/asm-prototypes.h +@@ -38,7 +38,7 @@ extern struct static_key hcall_tracepoint_key; + void __trace_hcall_entry(unsigned long opcode, unsigned long *args); + void __trace_hcall_exit(long opcode, long retval, unsigned long *retbuf); + /* OPAL tracing */ +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + extern struct static_key opal_tracepoint_key; + #endif + +diff --git a/arch/powerpc/kernel/jump_label.c b/arch/powerpc/kernel/jump_label.c +index 6472472093d0..0080c5fbd225 100644 +--- a/arch/powerpc/kernel/jump_label.c ++++ b/arch/powerpc/kernel/jump_label.c +@@ -11,7 +11,6 @@ + #include <linux/jump_label.h> + #include <asm/code-patching.h> + +-#ifdef HAVE_JUMP_LABEL + void arch_jump_label_transform(struct jump_entry *entry, + enum jump_label_type type) + { +@@ -22,4 +21,3 @@ void arch_jump_label_transform(struct jump_entry *entry, + else + patch_instruction(addr, PPC_INST_NOP); + } +-#endif +diff --git a/arch/powerpc/platforms/powernv/opal-tracepoints.c b/arch/powerpc/platforms/powernv/opal-tracepoints.c +index 1ab7d26c0a2c..f16a43540e30 100644 +--- a/arch/powerpc/platforms/powernv/opal-tracepoints.c ++++ b/arch/powerpc/platforms/powernv/opal-tracepoints.c +@@ -4,7 +4,7 @@ + #include <asm/trace.h> + #include <asm/asm-prototypes.h> + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + struct static_key opal_tracepoint_key = STATIC_KEY_INIT; + + int opal_tracepoint_regfunc(void) +diff --git a/arch/powerpc/platforms/powernv/opal-wrappers.S b/arch/powerpc/platforms/powernv/opal-wrappers.S +index 251528231a9e..f4875fe3f8ff 100644 +--- a/arch/powerpc/platforms/powernv/opal-wrappers.S ++++ b/arch/powerpc/platforms/powernv/opal-wrappers.S +@@ -20,7 +20,7 @@ + .section ".text" + + #ifdef CONFIG_TRACEPOINTS +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + #define OPAL_BRANCH(LABEL) \ + ARCH_STATIC_BRANCH(LABEL, opal_tracepoint_key) + #else +diff --git a/arch/powerpc/platforms/pseries/hvCall.S b/arch/powerpc/platforms/pseries/hvCall.S +index d91412c591ef..50dc9426d0be 100644 +--- a/arch/powerpc/platforms/pseries/hvCall.S ++++ b/arch/powerpc/platforms/pseries/hvCall.S +@@ -19,7 +19,7 @@ + + #ifdef CONFIG_TRACEPOINTS + +-#ifndef HAVE_JUMP_LABEL ++#ifndef CONFIG_JUMP_LABEL + .section ".toc","aw" + + .globl hcall_tracepoint_refcount +@@ -79,7 +79,7 @@ hcall_tracepoint_refcount: + mr r5,BUFREG; \ + __HCALL_INST_POSTCALL + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + #define HCALL_BRANCH(LABEL) \ + ARCH_STATIC_BRANCH(LABEL, hcall_tracepoint_key) + #else +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index 32d4452973e7..f2a9f0adc2d3 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -1040,7 +1040,7 @@ EXPORT_SYMBOL(arch_free_page); + #endif /* CONFIG_PPC_BOOK3S_64 */ + + #ifdef CONFIG_TRACEPOINTS +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + struct static_key hcall_tracepoint_key = STATIC_KEY_INIT; + + int hcall_tracepoint_regfunc(void) +diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile +index 386b1abb217b..e216e116a9a9 100644 +--- a/arch/s390/kernel/Makefile ++++ b/arch/s390/kernel/Makefile +@@ -48,7 +48,7 @@ CFLAGS_ptrace.o += -DUTS_MACHINE='"$(UTS_MACHINE)"' + obj-y := traps.o time.o process.o base.o early.o setup.o idle.o vtime.o + obj-y += processor.o sys_s390.o ptrace.o signal.o cpcmd.o ebcdic.o nmi.o + obj-y += debug.o irq.o ipl.o dis.o diag.o vdso.o early_nobss.o +-obj-y += sysinfo.o jump_label.o lgr.o os_info.o machine_kexec.o pgm_check.o ++obj-y += sysinfo.o lgr.o os_info.o machine_kexec.o pgm_check.o + obj-y += runtime_instr.o cache.o fpu.o dumpstack.o guarded_storage.o sthyi.o + obj-y += entry.o reipl.o relocate_kernel.o kdebugfs.o alternative.o + obj-y += nospec-branch.o ipl_vmparm.o +@@ -72,6 +72,7 @@ obj-$(CONFIG_KPROBES) += kprobes.o + obj-$(CONFIG_FUNCTION_TRACER) += mcount.o ftrace.o + obj-$(CONFIG_CRASH_DUMP) += crash_dump.o + obj-$(CONFIG_UPROBES) += uprobes.o ++obj-$(CONFIG_JUMP_LABEL) += jump_label.o + + obj-$(CONFIG_KEXEC_FILE) += machine_kexec_file.o kexec_image.o + obj-$(CONFIG_KEXEC_FILE) += kexec_elf.o +diff --git a/arch/s390/kernel/jump_label.c b/arch/s390/kernel/jump_label.c +index 50a1798604a8..3f10b56bd5a3 100644 +--- a/arch/s390/kernel/jump_label.c ++++ b/arch/s390/kernel/jump_label.c +@@ -10,8 +10,6 @@ + #include <linux/jump_label.h> + #include <asm/ipl.h> + +-#ifdef HAVE_JUMP_LABEL +- + struct insn { + u16 opcode; + s32 offset; +@@ -103,5 +101,3 @@ void arch_jump_label_transform_static(struct jump_entry *entry, + { + __jump_label_transform(entry, type, 1); + } +- +-#endif +diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile +index cf8640841b7a..97c0e19263d1 100644 +--- a/arch/sparc/kernel/Makefile ++++ b/arch/sparc/kernel/Makefile +@@ -118,4 +118,4 @@ pc--$(CONFIG_PERF_EVENTS) := perf_event.o + obj-$(CONFIG_SPARC64) += $(pc--y) + + obj-$(CONFIG_UPROBES) += uprobes.o +-obj-$(CONFIG_SPARC64) += jump_label.o ++obj-$(CONFIG_JUMP_LABEL) += jump_label.o +diff --git a/arch/sparc/kernel/jump_label.c b/arch/sparc/kernel/jump_label.c +index 7f8eac51df33..a4cfaeecaf5e 100644 +--- a/arch/sparc/kernel/jump_label.c ++++ b/arch/sparc/kernel/jump_label.c +@@ -9,8 +9,6 @@ + + #include <asm/cacheflush.h> + +-#ifdef HAVE_JUMP_LABEL +- + void arch_jump_label_transform(struct jump_entry *entry, + enum jump_label_type type) + { +@@ -47,5 +45,3 @@ void arch_jump_label_transform(struct jump_entry *entry, + flushi(insn); + mutex_unlock(&text_mutex); + } +- +-#endif +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 16c3145c0a5f..9c5a67d1b9c1 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -289,7 +289,7 @@ vdso_install: + + archprepare: checkbin + checkbin: +-ifndef CC_HAVE_ASM_GOTO ++ifndef CONFIG_CC_HAS_ASM_GOTO + @echo Compiler lacks asm-goto support. + @exit 1 + endif +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index 20d0885b00fb..efb0d1b1f15f 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -351,7 +351,7 @@ For 32-bit we have the following conventions - kernel is built with + */ + .macro CALL_enter_from_user_mode + #ifdef CONFIG_CONTEXT_TRACKING +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + STATIC_JUMP_IF_FALSE .Lafter_call_\@, context_tracking_enabled, def=0 + #endif + call enter_from_user_mode +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index aced6c9290d6..ce95b8cbd229 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -140,7 +140,7 @@ extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); + + #define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit) + +-#if defined(__clang__) && !defined(CC_HAVE_ASM_GOTO) ++#if defined(__clang__) && !defined(CONFIG_CC_HAS_ASM_GOTO) + + /* + * Workaround for the sake of BPF compilation which utilizes kernel +diff --git a/arch/x86/include/asm/jump_label.h b/arch/x86/include/asm/jump_label.h +index 21efc9d07ed9..65191ce8e1cf 100644 +--- a/arch/x86/include/asm/jump_label.h ++++ b/arch/x86/include/asm/jump_label.h +@@ -2,19 +2,6 @@ + #ifndef _ASM_X86_JUMP_LABEL_H + #define _ASM_X86_JUMP_LABEL_H + +-#ifndef HAVE_JUMP_LABEL +-/* +- * For better or for worse, if jump labels (the gcc extension) are missing, +- * then the entire static branch patching infrastructure is compiled out. +- * If that happens, the code in here will malfunction. Raise a compiler +- * error instead. +- * +- * In theory, jump labels and the static branch patching infrastructure +- * could be decoupled to fix this. +- */ +-#error asm/jump_label.h included on a non-jump-label kernel +-#endif +- + #define JUMP_LABEL_NOP_SIZE 5 + + #ifdef CONFIG_X86_64 +diff --git a/arch/x86/include/asm/rmwcc.h b/arch/x86/include/asm/rmwcc.h +index 46ac84b506f5..8a9eba191516 100644 +--- a/arch/x86/include/asm/rmwcc.h ++++ b/arch/x86/include/asm/rmwcc.h +@@ -11,7 +11,7 @@ + + #define __CLOBBERS_MEM(clb...) "memory", ## clb + +-#if !defined(__GCC_ASM_FLAG_OUTPUTS__) && defined(CC_HAVE_ASM_GOTO) ++#if !defined(__GCC_ASM_FLAG_OUTPUTS__) && defined(CONFIG_CC_HAS_ASM_GOTO) + + /* Use asm goto */ + +@@ -27,7 +27,7 @@ cc_label: c = true; \ + c; \ + }) + +-#else /* defined(__GCC_ASM_FLAG_OUTPUTS__) || !defined(CC_HAVE_ASM_GOTO) */ ++#else /* defined(__GCC_ASM_FLAG_OUTPUTS__) || !defined(CONFIG_CC_HAS_ASM_GOTO) */ + + /* Use flags output or a set instruction */ + +@@ -40,7 +40,7 @@ cc_label: c = true; \ + c; \ + }) + +-#endif /* defined(__GCC_ASM_FLAG_OUTPUTS__) || !defined(CC_HAVE_ASM_GOTO) */ ++#endif /* defined(__GCC_ASM_FLAG_OUTPUTS__) || !defined(CONFIG_CC_HAS_ASM_GOTO) */ + + #define GEN_UNARY_RMWcc_4(op, var, cc, arg0) \ + __GEN_RMWcc(op " " arg0, var, cc, __CLOBBERS_MEM()) +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index eb51b0e1189c..00b7e27bc2b7 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -49,7 +49,8 @@ obj-$(CONFIG_COMPAT) += signal_compat.o + obj-y += traps.o idt.o irq.o irq_$(BITS).o dumpstack_$(BITS).o + obj-y += time.o ioport.o dumpstack.o nmi.o + obj-$(CONFIG_MODIFY_LDT_SYSCALL) += ldt.o +-obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o ++obj-y += setup.o x86_init.o i8259.o irqinit.o ++obj-$(CONFIG_JUMP_LABEL) += jump_label.o + obj-$(CONFIG_IRQ_WORK) += irq_work.o + obj-y += probe_roms.o + obj-$(CONFIG_X86_64) += sys_x86_64.o +diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c +index aac0c1f7e354..f99bd26bd3f1 100644 +--- a/arch/x86/kernel/jump_label.c ++++ b/arch/x86/kernel/jump_label.c +@@ -16,8 +16,6 @@ + #include <asm/alternative.h> + #include <asm/text-patching.h> + +-#ifdef HAVE_JUMP_LABEL +- + union jump_code_union { + char code[JUMP_LABEL_NOP_SIZE]; + struct { +@@ -130,5 +128,3 @@ __init_or_module void arch_jump_label_transform_static(struct jump_entry *entry, + if (jlstate == JL_STATE_UPDATE) + __jump_label_transform(entry, type, text_poke_early, 1); + } +- +-#endif +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 78e430f4e15c..c338984c850d 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -456,7 +456,7 @@ FOP_END; + + /* + * XXX: inoutclob user must know where the argument is being expanded. +- * Relying on CC_HAVE_ASM_GOTO would allow us to remove _fault. ++ * Relying on CONFIG_CC_HAS_ASM_GOTO would allow us to remove _fault. + */ + #define asm_safe(insn, inoutclob...) \ + ({ \ +diff --git a/arch/xtensa/kernel/jump_label.c b/arch/xtensa/kernel/jump_label.c +index d108f721c116..61cf6497a646 100644 +--- a/arch/xtensa/kernel/jump_label.c ++++ b/arch/xtensa/kernel/jump_label.c +@@ -10,8 +10,6 @@ + + #include <asm/cacheflush.h> + +-#ifdef HAVE_JUMP_LABEL +- + #define J_OFFSET_MASK 0x0003ffff + #define J_SIGN_MASK (~(J_OFFSET_MASK >> 1)) + +@@ -95,5 +93,3 @@ void arch_jump_label_transform(struct jump_entry *e, + + patch_text(jump_entry_code(e), &insn, JUMP_LABEL_NOP_SIZE); + } +- +-#endif /* HAVE_JUMP_LABEL */ +diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h +index 2fd8006153c3..b3419da1a776 100644 +--- a/include/linux/dynamic_debug.h ++++ b/include/linux/dynamic_debug.h +@@ -2,7 +2,7 @@ + #ifndef _DYNAMIC_DEBUG_H + #define _DYNAMIC_DEBUG_H + +-#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL) ++#if defined(CONFIG_JUMP_LABEL) + #include <linux/jump_label.h> + #endif + +@@ -38,7 +38,7 @@ struct _ddebug { + #define _DPRINTK_FLAGS_DEFAULT 0 + #endif + unsigned int flags:8; +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + union { + struct static_key_true dd_key_true; + struct static_key_false dd_key_false; +@@ -83,7 +83,7 @@ void __dynamic_netdev_dbg(struct _ddebug *descriptor, + dd_key_init(key, init) \ + } + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + + #define dd_key_init(key, init) key = (init) + +diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h +index 5df6a621e464..3e113a1fa0f1 100644 +--- a/include/linux/jump_label.h ++++ b/include/linux/jump_label.h +@@ -71,10 +71,6 @@ + * Additional babbling in: Documentation/static-keys.txt + */ + +-#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL) +-# define HAVE_JUMP_LABEL +-#endif +- + #ifndef __ASSEMBLY__ + + #include <linux/types.h> +@@ -86,7 +82,7 @@ extern bool static_key_initialized; + "%s(): static key '%pS' used before call to jump_label_init()", \ + __func__, (key)) + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + + struct static_key { + atomic_t enabled; +@@ -114,10 +110,10 @@ struct static_key { + struct static_key { + atomic_t enabled; + }; +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + #endif /* __ASSEMBLY__ */ + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + #include <asm/jump_label.h> + + #ifndef __ASSEMBLY__ +@@ -192,7 +188,7 @@ enum jump_label_type { + + struct module; + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + + #define JUMP_TYPE_FALSE 0UL + #define JUMP_TYPE_TRUE 1UL +@@ -245,7 +241,7 @@ extern void static_key_disable_cpuslocked(struct static_key *key); + { .enabled = { 0 }, \ + { .entries = (void *)JUMP_TYPE_FALSE } } + +-#else /* !HAVE_JUMP_LABEL */ ++#else /* !CONFIG_JUMP_LABEL */ + + #include <linux/atomic.h> + #include <linux/bug.h> +@@ -330,7 +326,7 @@ static inline void static_key_disable(struct static_key *key) + #define STATIC_KEY_INIT_TRUE { .enabled = ATOMIC_INIT(1) } + #define STATIC_KEY_INIT_FALSE { .enabled = ATOMIC_INIT(0) } + +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + + #define STATIC_KEY_INIT STATIC_KEY_INIT_FALSE + #define jump_label_enabled static_key_enabled +@@ -394,7 +390,7 @@ extern bool ____wrong_branch_error(void); + static_key_count((struct static_key *)x) > 0; \ + }) + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + + /* + * Combine the right initial value (type) with the right branch order +@@ -476,12 +472,12 @@ extern bool ____wrong_branch_error(void); + unlikely(branch); \ + }) + +-#else /* !HAVE_JUMP_LABEL */ ++#else /* !CONFIG_JUMP_LABEL */ + + #define static_branch_likely(x) likely(static_key_enabled(&(x)->key)) + #define static_branch_unlikely(x) unlikely(static_key_enabled(&(x)->key)) + +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + + /* + * Advanced usage; refcount, branch is enabled when: count != 0 +diff --git a/include/linux/jump_label_ratelimit.h b/include/linux/jump_label_ratelimit.h +index baa8eabbaa56..a49f2b45b3f0 100644 +--- a/include/linux/jump_label_ratelimit.h ++++ b/include/linux/jump_label_ratelimit.h +@@ -5,21 +5,19 @@ + #include <linux/jump_label.h> + #include <linux/workqueue.h> + +-#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL) ++#if defined(CONFIG_JUMP_LABEL) + struct static_key_deferred { + struct static_key key; + unsigned long timeout; + struct delayed_work work; + }; +-#endif + +-#ifdef HAVE_JUMP_LABEL + extern void static_key_slow_dec_deferred(struct static_key_deferred *key); + extern void static_key_deferred_flush(struct static_key_deferred *key); + extern void + jump_label_rate_limit(struct static_key_deferred *key, unsigned long rl); + +-#else /* !HAVE_JUMP_LABEL */ ++#else /* !CONFIG_JUMP_LABEL */ + struct static_key_deferred { + struct static_key key; + }; +@@ -38,5 +36,5 @@ jump_label_rate_limit(struct static_key_deferred *key, + { + STATIC_KEY_CHECK_USE(key); + } +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + #endif /* _LINUX_JUMP_LABEL_RATELIMIT_H */ +diff --git a/include/linux/module.h b/include/linux/module.h +index d5453eb5a68b..9a21fe3509af 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -436,7 +436,7 @@ struct module { + unsigned int num_bpf_raw_events; + struct bpf_raw_event_map *bpf_raw_events; + #endif +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + struct jump_entry *jump_entries; + unsigned int num_jump_entries; + #endif +diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h +index bbe99d2b28b4..72cb19c3db6a 100644 +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -176,7 +176,7 @@ void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, + int nf_register_sockopt(struct nf_sockopt_ops *reg); + void nf_unregister_sockopt(struct nf_sockopt_ops *reg); + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; + #endif + +@@ -198,7 +198,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, + struct nf_hook_entries *hook_head = NULL; + int ret = 1; + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + if (__builtin_constant_p(pf) && + __builtin_constant_p(hook) && + !static_key_false(&nf_hooks_needed[pf][hook])) +diff --git a/include/linux/netfilter_ingress.h b/include/linux/netfilter_ingress.h +index 554c920691dd..a13774be2eb5 100644 +--- a/include/linux/netfilter_ingress.h ++++ b/include/linux/netfilter_ingress.h +@@ -8,7 +8,7 @@ + #ifdef CONFIG_NETFILTER_INGRESS + static inline bool nf_hook_ingress_active(const struct sk_buff *skb) + { +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + if (!static_key_false(&nf_hooks_needed[NFPROTO_NETDEV][NF_NETDEV_INGRESS])) + return false; + #endif +diff --git a/init/Kconfig b/init/Kconfig +index 3e6be1694766..d47cb77a220e 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -23,6 +23,9 @@ config CLANG_VERSION + int + default $(shell,$(srctree)/scripts/clang-version.sh $(CC)) + ++config CC_HAS_ASM_GOTO ++ def_bool $(success,$(srctree)/scripts/gcc-goto.sh $(CC)) ++ + config CONSTRUCTORS + bool + depends on !UML +diff --git a/kernel/jump_label.c b/kernel/jump_label.c +index b28028b08d44..bad96b476eb6 100644 +--- a/kernel/jump_label.c ++++ b/kernel/jump_label.c +@@ -18,8 +18,6 @@ + #include <linux/cpu.h> + #include <asm/sections.h> + +-#ifdef HAVE_JUMP_LABEL +- + /* mutex to protect coming/going of the the jump_label table */ + static DEFINE_MUTEX(jump_label_mutex); + +@@ -80,13 +78,13 @@ jump_label_sort_entries(struct jump_entry *start, struct jump_entry *stop) + static void jump_label_update(struct static_key *key); + + /* +- * There are similar definitions for the !HAVE_JUMP_LABEL case in jump_label.h. ++ * There are similar definitions for the !CONFIG_JUMP_LABEL case in jump_label.h. + * The use of 'atomic_read()' requires atomic.h and its problematic for some + * kernel headers such as kernel.h and others. Since static_key_count() is not +- * used in the branch statements as it is for the !HAVE_JUMP_LABEL case its ok ++ * used in the branch statements as it is for the !CONFIG_JUMP_LABEL case its ok + * to have it be a function here. Similarly, for 'static_key_enable()' and + * 'static_key_disable()', which require bug.h. This should allow jump_label.h +- * to be included from most/all places for HAVE_JUMP_LABEL. ++ * to be included from most/all places for CONFIG_JUMP_LABEL. + */ + int static_key_count(struct static_key *key) + { +@@ -791,5 +789,3 @@ static __init int jump_label_test(void) + } + early_initcall(jump_label_test); + #endif /* STATIC_KEYS_SELFTEST */ +- +-#endif /* HAVE_JUMP_LABEL */ +diff --git a/kernel/module.c b/kernel/module.c +index fcbc0128810b..2ad1b5239910 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3102,7 +3102,7 @@ static int find_module_sections(struct module *mod, struct load_info *info) + sizeof(*mod->bpf_raw_events), + &mod->num_bpf_raw_events); + #endif +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + mod->jump_entries = section_objs(info, "__jump_table", + sizeof(*mod->jump_entries), + &mod->num_jump_entries); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 223f78d5c111..a674c7db2f29 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -24,7 +24,7 @@ + + DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues); + +-#if defined(CONFIG_SCHED_DEBUG) && defined(HAVE_JUMP_LABEL) ++#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) + /* + * Debugging: various feature bits + * +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index 02bd5f969b21..de3de997e245 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -73,7 +73,7 @@ static int sched_feat_show(struct seq_file *m, void *v) + return 0; + } + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + + #define jump_label_key__true STATIC_KEY_INIT_TRUE + #define jump_label_key__false STATIC_KEY_INIT_FALSE +@@ -99,7 +99,7 @@ static void sched_feat_enable(int i) + #else + static void sched_feat_disable(int i) { }; + static void sched_feat_enable(int i) { }; +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + + static int sched_feat_set(char *cmp) + { +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 6483834f1278..50aa2aba69bd 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4217,7 +4217,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued) + + #ifdef CONFIG_CFS_BANDWIDTH + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + static struct static_key __cfs_bandwidth_used; + + static inline bool cfs_bandwidth_used(void) +@@ -4234,7 +4234,7 @@ void cfs_bandwidth_usage_dec(void) + { + static_key_slow_dec_cpuslocked(&__cfs_bandwidth_used); + } +-#else /* HAVE_JUMP_LABEL */ ++#else /* CONFIG_JUMP_LABEL */ + static bool cfs_bandwidth_used(void) + { + return true; +@@ -4242,7 +4242,7 @@ static bool cfs_bandwidth_used(void) + + void cfs_bandwidth_usage_inc(void) {} + void cfs_bandwidth_usage_dec(void) {} +-#endif /* HAVE_JUMP_LABEL */ ++#endif /* CONFIG_JUMP_LABEL */ + + /* + * default period for cfs group bandwidth. +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 0ba08924e017..d04530bf251f 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1488,7 +1488,7 @@ enum { + + #undef SCHED_FEAT + +-#if defined(CONFIG_SCHED_DEBUG) && defined(HAVE_JUMP_LABEL) ++#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) + + /* + * To support run-time toggling of sched features, all the translation units +@@ -1508,7 +1508,7 @@ static __always_inline bool static_branch_##name(struct static_key *key) \ + extern struct static_key sched_feat_keys[__SCHED_FEAT_NR]; + #define sched_feat(x) (static_branch_##x(&sched_feat_keys[__SCHED_FEAT_##x])) + +-#else /* !(SCHED_DEBUG && HAVE_JUMP_LABEL) */ ++#else /* !(SCHED_DEBUG && CONFIG_JUMP_LABEL) */ + + /* + * Each translation unit has its own copy of sysctl_sched_features to allow +@@ -1524,7 +1524,7 @@ static const_debug __maybe_unused unsigned int sysctl_sched_features = + + #define sched_feat(x) !!(sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) + +-#endif /* SCHED_DEBUG && HAVE_JUMP_LABEL */ ++#endif /* SCHED_DEBUG && CONFIG_JUMP_LABEL */ + + extern struct static_key_false sched_numa_balancing; + extern struct static_key_false sched_schedstats; +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index c7c96bc7654a..dbf2b457e47e 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -188,7 +188,7 @@ static int ddebug_change(const struct ddebug_query *query, + newflags = (dp->flags & mask) | flags; + if (newflags == dp->flags) + continue; +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + if (dp->flags & _DPRINTK_FLAGS_PRINT) { + if (!(flags & _DPRINTK_FLAGS_PRINT)) + static_branch_disable(&dp->key.dd_key_true); +diff --git a/net/core/dev.c b/net/core/dev.c +index 1b5a4410be0e..82f20022259d 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1821,7 +1821,7 @@ EXPORT_SYMBOL_GPL(net_dec_egress_queue); + #endif + + static DEFINE_STATIC_KEY_FALSE(netstamp_needed_key); +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + static atomic_t netstamp_needed_deferred; + static atomic_t netstamp_wanted; + static void netstamp_clear(struct work_struct *work) +@@ -1840,7 +1840,7 @@ static DECLARE_WORK(netstamp_work, netstamp_clear); + + void net_enable_timestamp(void) + { +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + int wanted; + + while (1) { +@@ -1860,7 +1860,7 @@ EXPORT_SYMBOL(net_enable_timestamp); + + void net_disable_timestamp(void) + { +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + int wanted; + + while (1) { +diff --git a/net/netfilter/core.c b/net/netfilter/core.c +index dc240cb47ddf..93aaec3a54ec 100644 +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -33,7 +33,7 @@ EXPORT_SYMBOL_GPL(nf_ipv6_ops); + DEFINE_PER_CPU(bool, nf_skb_duplicated); + EXPORT_SYMBOL_GPL(nf_skb_duplicated); + +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; + EXPORT_SYMBOL(nf_hooks_needed); + #endif +@@ -347,7 +347,7 @@ static int __nf_register_net_hook(struct net *net, int pf, + if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) + net_inc_ingress_queue(); + #endif +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + static_key_slow_inc(&nf_hooks_needed[pf][reg->hooknum]); + #endif + BUG_ON(p == new_hooks); +@@ -405,7 +405,7 @@ static void __nf_unregister_net_hook(struct net *net, int pf, + if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) + net_dec_ingress_queue(); + #endif +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + static_key_slow_dec(&nf_hooks_needed[pf][reg->hooknum]); + #endif + } else { +diff --git a/scripts/gcc-goto.sh b/scripts/gcc-goto.sh +index 083c526073ef..8b980fb2270a 100755 +--- a/scripts/gcc-goto.sh ++++ b/scripts/gcc-goto.sh +@@ -3,7 +3,7 @@ + # Test for gcc 'asm goto' support + # Copyright (C) 2010, Jason Baron <jbaron@redhat.com> + +-cat << "END" | $@ -x c - -c -o /dev/null >/dev/null 2>&1 && echo "y" ++cat << "END" | $@ -x c - -fno-PIE -c -o /dev/null + int main(void) + { + #if defined(__arm__) || defined(__aarch64__) +diff --git a/tools/arch/x86/include/asm/rmwcc.h b/tools/arch/x86/include/asm/rmwcc.h +index dc90c0c2fae3..fee7983a90b4 100644 +--- a/tools/arch/x86/include/asm/rmwcc.h ++++ b/tools/arch/x86/include/asm/rmwcc.h +@@ -2,7 +2,7 @@ + #ifndef _TOOLS_LINUX_ASM_X86_RMWcc + #define _TOOLS_LINUX_ASM_X86_RMWcc + +-#ifdef CC_HAVE_ASM_GOTO ++#ifdef CONFIG_CC_HAS_ASM_GOTO + + #define __GEN_RMWcc(fullop, var, cc, ...) \ + do { \ +@@ -20,7 +20,7 @@ cc_label: \ + #define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \ + __GEN_RMWcc(op " %1, " arg0, var, cc, vcon (val)) + +-#else /* !CC_HAVE_ASM_GOTO */ ++#else /* !CONFIG_CC_HAS_ASM_GOTO */ + + #define __GEN_RMWcc(fullop, var, cc, ...) \ + do { \ +@@ -37,6 +37,6 @@ do { \ + #define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \ + __GEN_RMWcc(op " %2, " arg0, var, cc, vcon (val)) + +-#endif /* CC_HAVE_ASM_GOTO */ ++#endif /* CONFIG_CC_HAS_ASM_GOTO */ + + #endif /* _TOOLS_LINUX_ASM_X86_RMWcc */ +-- +2.9.5 + diff --git a/queue/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch b/queue/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch new file mode 100644 index 0000000..ce18ef6 --- /dev/null +++ b/queue/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch @@ -0,0 +1,48 @@ +From 98af37d624ed8c83f1953b1b6b2f6866011fc064 Mon Sep 17 00:00:00 2001 +From: Zhenliang Wei <weizhenliang@huawei.com> +Date: Fri, 31 May 2019 22:30:52 -0700 +Subject: [PATCH] kernel/signal.c: trace_signal_deliver when signal_group_exit + +commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream. + +In the fixes commit, removing SIGKILL from each thread signal mask and +executing "goto fatal" directly will skip the call to +"trace_signal_deliver". At this point, the delivery tracking of the +SIGKILL signal will be inaccurate. + +Therefore, we need to add trace_signal_deliver before "goto fatal" after +executing sigdelset. + +Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info. + +Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com +Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT") +Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com> +Reviewed-by: Christian Brauner <christian@brauner.io> +Reviewed-by: Oleg Nesterov <oleg@redhat.com> +Cc: Eric W. Biederman <ebiederm@xmission.com> +Cc: Ivan Delalande <colona@arista.com> +Cc: Arnd Bergmann <arnd@arndb.de> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Deepa Dinamani <deepa.kernel@gmail.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/kernel/signal.c b/kernel/signal.c +index d7b9d14ac80d..328a01e1a2f0 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2485,6 +2485,8 @@ relock: + if (signal_group_exit(signal)) { + ksig->info.si_signo = signr = SIGKILL; + sigdelset(¤t->pending.signal, SIGKILL); ++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO, ++ &sighand->action[SIGKILL - 1]); + recalc_sigpending(); + goto fatal; + } +-- +2.9.5 + diff --git a/queue/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch b/queue/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch new file mode 100644 index 0000000..c13e3cd --- /dev/null +++ b/queue/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch @@ -0,0 +1,83 @@ +From 8fb44d60d4142cd2a440620cd291d346e23c131e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 27 May 2019 17:35:52 -0700 +Subject: [PATCH] llc: fix skb leak in llc_build_and_send_ui_pkt() + +commit 8fb44d60d4142cd2a440620cd291d346e23c131e upstream. + +If llc_mac_hdr_init() returns an error, we must drop the skb +since no llc_build_and_send_ui_pkt() caller will take care of this. + +BUG: memory leak +unreferenced object 0xffff8881202b6800 (size 2048): + comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline] + [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline] + [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669 + [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline] + [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608 + [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662 + [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950 + [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173 + [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430 + [<000000008bdec225>] sock_create net/socket.c:1481 [inline] + [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523 + [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline] + [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline] + [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530 + [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +BUG: memory leak +unreferenced object 0xffff88811d750d00 (size 224): + comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ .... + backtrace: + [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline] + [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 + [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 + [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 + [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 + [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671 + [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 + [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline] + [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline] + [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972 + [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/llc/llc_output.c b/net/llc/llc_output.c +index 94425e421213..9e4b6bcf6920 100644 +--- a/net/llc/llc_output.c ++++ b/net/llc/llc_output.c +@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc_sap *sap, struct sk_buff *skb, + rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); + if (likely(!rc)) + rc = dev_queue_xmit(skb); ++ else ++ kfree_skb(skb); + return rc; + } + +-- +2.9.5 + diff --git a/queue/media-smsusb-better-handle-optional-alignment.patch b/queue/media-smsusb-better-handle-optional-alignment.patch new file mode 100644 index 0000000..312bd73 --- /dev/null +++ b/queue/media-smsusb-better-handle-optional-alignment.patch @@ -0,0 +1,71 @@ +From a47686636d84eaec5c9c6e84bd5f96bed34d526d Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Date: Fri, 24 May 2019 10:59:43 -0400 +Subject: [PATCH] media: smsusb: better handle optional alignment + +commit a47686636d84eaec5c9c6e84bd5f96bed34d526d upstream. + +Most Siano devices require an alignment for the response. + +Changeset f3be52b0056a ("media: usb: siano: Fix general protection fault in smsusb") +changed the logic with gets such aligment, but it now produces a +sparce warning: + +drivers/media/usb/siano/smsusb.c: In function 'smsusb_init_device': +drivers/media/usb/siano/smsusb.c:447:37: warning: 'in_maxp' may be used uninitialized in this function [-Wmaybe-uninitialized] + 447 | dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr); + | ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The sparse message itself is bogus, but a broken (or fake) USB +eeprom could produce a negative value for response_alignment. + +So, change the code in order to check if the result is not +negative. + +Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb") +CC: <stable@vger.kernel.org> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 59b3c124b49d..e39f3f40dfdd 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + struct smsusb_device_t *dev; + void *mdev; + int i, rc; +- int in_maxp = 0; ++ int align = 0; + + /* create device object */ + dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); +@@ -418,14 +418,14 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + + if (desc->bEndpointAddress & USB_DIR_IN) { + dev->in_ep = desc->bEndpointAddress; +- in_maxp = usb_endpoint_maxp(desc); ++ align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr); + } else { + dev->out_ep = desc->bEndpointAddress; + } + } + + pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep); +- if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */ ++ if (!dev->in_ep || !dev->out_ep || align < 0) { /* Missing endpoints? */ + smsusb_term_device(intf); + return -ENODEV; + } +@@ -444,7 +444,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + /* fall-thru */ + default: + dev->buffer_size = USB2_BUFFER_SIZE; +- dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr); ++ dev->response_alignment = align; + + params.flags |= SMS_DEVICE_FAMILY2; + break; +-- +2.9.5 + diff --git a/queue/media-usb-siano-Fix-false-positive-uninitialized-var.patch b/queue/media-usb-siano-Fix-false-positive-uninitialized-var.patch new file mode 100644 index 0000000..adcb04d --- /dev/null +++ b/queue/media-usb-siano-Fix-false-positive-uninitialized-var.patch @@ -0,0 +1,33 @@ +From 45457c01171fd1488a7000d1751c06ed8560ee38 Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Tue, 21 May 2019 11:38:07 -0400 +Subject: [PATCH] media: usb: siano: Fix false-positive "uninitialized + variable" warning + +commit 45457c01171fd1488a7000d1751c06ed8560ee38 upstream. + +GCC complains about an apparently uninitialized variable recently +added to smsusb_init_device(). It's a false positive, but to silence +the warning this patch adds a trivial initialization. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-by: kbuild test robot <lkp@intel.com> +CC: <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 27ad14a3f831..59b3c124b49d 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + struct smsusb_device_t *dev; + void *mdev; + int i, rc; +- int in_maxp; ++ int in_maxp = 0; + + /* create device object */ + dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); +-- +2.9.5 + diff --git a/queue/media-usb-siano-Fix-general-protection-fault-in-smsu.patch b/queue/media-usb-siano-Fix-general-protection-fault-in-smsu.patch new file mode 100644 index 0000000..2d81c71 --- /dev/null +++ b/queue/media-usb-siano-Fix-general-protection-fault-in-smsu.patch @@ -0,0 +1,89 @@ +From 31e0456de5be379b10fea0fa94a681057114a96e Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Tue, 7 May 2019 12:39:47 -0400 +Subject: [PATCH] media: usb: siano: Fix general protection fault in smsusb + +commit 31e0456de5be379b10fea0fa94a681057114a96e upstream. + +The syzkaller USB fuzzer found a general-protection-fault bug in the +smsusb part of the Siano DVB driver. The fault occurs during probe +because the driver assumes without checking that the device has both +IN and OUT endpoints and the IN endpoint is ep1. + +By slightly rearranging the driver's initialization code, we can make +the appropriate checks early on and thus avoid the problem. If the +expected endpoints aren't present, the new code safely returns -ENODEV +from the probe routine. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com +CC: <stable@vger.kernel.org> +Reviewed-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 4fc03ec8a4f1..27ad14a3f831 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -400,6 +400,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + struct smsusb_device_t *dev; + void *mdev; + int i, rc; ++ int in_maxp; + + /* create device object */ + dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); +@@ -411,6 +412,24 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + dev->udev = interface_to_usbdev(intf); + dev->state = SMSUSB_DISCONNECTED; + ++ for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { ++ struct usb_endpoint_descriptor *desc = ++ &intf->cur_altsetting->endpoint[i].desc; ++ ++ if (desc->bEndpointAddress & USB_DIR_IN) { ++ dev->in_ep = desc->bEndpointAddress; ++ in_maxp = usb_endpoint_maxp(desc); ++ } else { ++ dev->out_ep = desc->bEndpointAddress; ++ } ++ } ++ ++ pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep); ++ if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */ ++ smsusb_term_device(intf); ++ return -ENODEV; ++ } ++ + params.device_type = sms_get_board(board_id)->type; + + switch (params.device_type) { +@@ -425,24 +444,12 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + /* fall-thru */ + default: + dev->buffer_size = USB2_BUFFER_SIZE; +- dev->response_alignment = +- le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) - +- sizeof(struct sms_msg_hdr); ++ dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr); + + params.flags |= SMS_DEVICE_FAMILY2; + break; + } + +- for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { +- if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN) +- dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; +- else +- dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; +- } +- +- pr_debug("in_ep = %02x, out_ep = %02x\n", +- dev->in_ep, dev->out_ep); +- + params.device = &dev->udev->dev; + params.usb_device = dev->udev; + params.buffer_size = dev->buffer_size; +-- +2.9.5 + diff --git a/queue/media-uvcvideo-Fix-uvc_alloc_entity-allocation-align.patch b/queue/media-uvcvideo-Fix-uvc_alloc_entity-allocation-align.patch new file mode 100644 index 0000000..6b7ddd1 --- /dev/null +++ b/queue/media-uvcvideo-Fix-uvc_alloc_entity-allocation-align.patch @@ -0,0 +1,35 @@ +From 89dd34caf73e28018c58cd193751e41b1f8bdc56 Mon Sep 17 00:00:00 2001 +From: Nadav Amit <namit@vmware.com> +Date: Mon, 4 Jun 2018 09:47:13 -0400 +Subject: [PATCH] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment + +commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream. + +The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of +(entity->pads) is not a power of two. As a stop-gap, until a better +solution is adapted, use roundup() instead. + +Found by a static assertion. Compile-tested only. + +Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity") + +Signed-off-by: Nadav Amit <namit@vmware.com> +Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 0692017f0b80..21b0270067c1 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -914,7 +914,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + unsigned int size; + unsigned int i; + +- extra_size = ALIGN(extra_size, sizeof(*entity->pads)); ++ extra_size = roundup(extra_size, sizeof(*entity->pads)); + num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1; + size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads + + num_inputs; +-- +2.9.5 + diff --git a/queue/memcg-make-it-work-on-sparse-non-0-node-systems.patch b/queue/memcg-make-it-work-on-sparse-non-0-node-systems.patch new file mode 100644 index 0000000..a5b2831 --- /dev/null +++ b/queue/memcg-make-it-work-on-sparse-non-0-node-systems.patch @@ -0,0 +1,96 @@ +From 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <jslaby@suse.cz> +Date: Fri, 31 May 2019 22:30:26 -0700 +Subject: [PATCH] memcg: make it work on sparse non-0-node systems + +commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream. + +We have a single node system with node 0 disabled: + Scanning NUMA topology in Northbridge 24 + Number of physical nodes 2 + Skipping disabled node 0 + Node 1 MemBase 0000000000000000 Limit 00000000fbff0000 + NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff] + +This causes crashes in memcg when system boots: + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + #PF error: [normal kernel read fault] +... + RIP: 0010:list_lru_add+0x94/0x170 +... + Call Trace: + d_lru_add+0x44/0x50 + dput.part.34+0xfc/0x110 + __fput+0x108/0x230 + task_work_run+0x9f/0xc0 + exit_to_usermode_loop+0xf5/0x100 + +It is reproducible as far as 4.12. I did not try older kernels. You have +to have a new enough systemd, e.g. 241 (the reason is unknown -- was not +investigated). Cannot be reproduced with systemd 234. + +The system crashes because the size of lru array is never updated in +memcg_update_all_list_lrus and the reads are past the zero-sized array, +causing dereferences of random memory. + +The root cause are list_lru_memcg_aware checks in the list_lru code. The +test in list_lru_memcg_aware is broken: it assumes node 0 is always +present, but it is not true on some systems as can be seen above. + +So fix this by avoiding checks on node 0. Remember the memcg-awareness by +a bool flag in struct list_lru. + +Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz +Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists") +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Acked-by: Michal Hocko <mhocko@suse.com> +Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com> +Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com> +Reviewed-by: Shakeel Butt <shakeelb@google.com> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/include/linux/list_lru.h b/include/linux/list_lru.h +index aa5efd9351eb..d5ceb2839a2d 100644 +--- a/include/linux/list_lru.h ++++ b/include/linux/list_lru.h +@@ -54,6 +54,7 @@ struct list_lru { + #ifdef CONFIG_MEMCG_KMEM + struct list_head list; + int shrinker_id; ++ bool memcg_aware; + #endif + }; + +diff --git a/mm/list_lru.c b/mm/list_lru.c +index 0bdf3152735e..e4709fdaa8e6 100644 +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -38,11 +38,7 @@ static int lru_shrinker_id(struct list_lru *lru) + + static inline bool list_lru_memcg_aware(struct list_lru *lru) + { +- /* +- * This needs node 0 to be always present, even +- * in the systems supporting sparse numa ids. +- */ +- return !!lru->node[0].memcg_lrus; ++ return lru->memcg_aware; + } + + static inline struct list_lru_one * +@@ -452,6 +448,8 @@ static int memcg_init_list_lru(struct list_lru *lru, bool memcg_aware) + { + int i; + ++ lru->memcg_aware = memcg_aware; ++ + if (!memcg_aware) + return 0; + +-- +2.9.5 + diff --git a/queue/mtd-spinand-macronix-Fix-ECC-Status-Read.patch b/queue/mtd-spinand-macronix-Fix-ECC-Status-Read.patch new file mode 100644 index 0000000..9a394d0 --- /dev/null +++ b/queue/mtd-spinand-macronix-Fix-ECC-Status-Read.patch @@ -0,0 +1,43 @@ +From f4cb4d7b46f6409382fd981eec9556e1f3c1dc5d Mon Sep 17 00:00:00 2001 +From: Emil Lenngren <emil.lenngren@gmail.com> +Date: Thu, 20 Dec 2018 13:46:58 +0100 +Subject: [PATCH] mtd: spinand: macronix: Fix ECC Status Read + +commit f4cb4d7b46f6409382fd981eec9556e1f3c1dc5d upstream. + +The datasheet specifies the upper four bits are reserved. +Testing on real hardware shows that these bits can indeed be nonzero. + +Signed-off-by: Emil Lenngren <emil.lenngren@gmail.com> +Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com> +Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> + +diff --git a/drivers/mtd/nand/spi/macronix.c b/drivers/mtd/nand/spi/macronix.c +index 98f6b9c4b684..d16b57081c95 100644 +--- a/drivers/mtd/nand/spi/macronix.c ++++ b/drivers/mtd/nand/spi/macronix.c +@@ -10,6 +10,7 @@ + #include <linux/mtd/spinand.h> + + #define SPINAND_MFR_MACRONIX 0xC2 ++#define MACRONIX_ECCSR_MASK 0x0F + + static SPINAND_OP_VARIANTS(read_cache_variants, + SPINAND_PAGE_READ_FROM_CACHE_X4_OP(0, 1, NULL, 0), +@@ -55,7 +56,12 @@ static int mx35lf1ge4ab_get_eccsr(struct spinand_device *spinand, u8 *eccsr) + SPI_MEM_OP_DUMMY(1, 1), + SPI_MEM_OP_DATA_IN(1, eccsr, 1)); + +- return spi_mem_exec_op(spinand->spimem, &op); ++ int ret = spi_mem_exec_op(spinand->spimem, &op); ++ if (ret) ++ return ret; ++ ++ *eccsr &= MACRONIX_ECCSR_MASK; ++ return 0; + } + + static int mx35lf1ge4ab_ecc_get_status(struct spinand_device *spinand, +-- +2.9.5 + diff --git a/queue/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch b/queue/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch new file mode 100644 index 0000000..a45660c --- /dev/null +++ b/queue/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch @@ -0,0 +1,56 @@ +From 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 Mon Sep 17 00:00:00 2001 +From: David Ahern <dsahern@gmail.com> +Date: Wed, 1 May 2019 18:18:42 -0700 +Subject: [PATCH] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit + +commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 upstream. + +Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to +INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not +updated to use the altered key. The result is that every packet Tx does +a lookup on the gateway address which does not find an entry, a new one +is created only to find the existing one in the table right before the +insert since arp_constructor was updated to reset the primary key. This +is seen in the allocs and destroys counters: + ip -s -4 ntable show | head -10 | grep alloc + +which increase for each packet showing the unnecessary overhread. + +Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE. + +Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY") +Reported-by: Alan Maguire <alan.maguire@oracle.com> +Signed-off-by: David Ahern <dsahern@gmail.com> +Tested-by: Alan Maguire <alan.maguire@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index aff051e5521d..9b9da5142613 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -31,6 +31,7 @@ + #include <linux/times.h> + #include <net/net_namespace.h> + #include <net/neighbour.h> ++#include <net/arp.h> + #include <net/dst.h> + #include <net/sock.h> + #include <net/netevent.h> +@@ -2984,7 +2985,13 @@ int neigh_xmit(int index, struct net_device *dev, + if (!tbl) + goto out; + rcu_read_lock_bh(); +- neigh = __neigh_lookup_noref(tbl, addr, dev); ++ if (index == NEIGH_ARP_TABLE) { ++ u32 key = *((u32 *)addr); ++ ++ neigh = __ipv4_neigh_lookup_noref(dev, key); ++ } else { ++ neigh = __neigh_lookup_noref(tbl, addr, dev); ++ } + if (!neigh) + neigh = __neigh_create(tbl, addr, dev, false); + err = PTR_ERR(neigh); +-- +2.9.5 + diff --git a/queue/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch b/queue/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch new file mode 100644 index 0000000..83a49e4 --- /dev/null +++ b/queue/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch @@ -0,0 +1,33 @@ +From 84b3fd1fc9592d431e23b077e692fa4e3fd0f086 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes <rasmus.villemoes@prevas.dk> +Date: Wed, 29 May 2019 07:02:11 +0000 +Subject: [PATCH] net: dsa: mv88e6xxx: fix handling of upper half of + STATS_TYPE_PORT + +commit 84b3fd1fc9592d431e23b077e692fa4e3fd0f086 upstream. + +Currently, the upper half of a 4-byte STATS_TYPE_PORT statistic ends +up in bits 47:32 of the return value, instead of bits 31:16 as they +should. + +Fixes: 6e46e2d821bb ("net: dsa: mv88e6xxx: Fix u64 statistics") +Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> +Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 28414db979b0..12f165a71a6c 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -785,7 +785,7 @@ static uint64_t _mv88e6xxx_get_ethtool_stat(struct mv88e6xxx_chip *chip, + err = mv88e6xxx_port_read(chip, port, s->reg + 1, ®); + if (err) + return U64_MAX; +- high = reg; ++ low |= ((u32)reg) << 16; + } + break; + case STATS_TYPE_BANK1: +-- +2.9.5 + diff --git a/queue/net-ethernet-ti-cpsw_ethtool-fix-ethtool-ring-param-.patch b/queue/net-ethernet-ti-cpsw_ethtool-fix-ethtool-ring-param-.patch new file mode 100644 index 0000000..5fd444e --- /dev/null +++ b/queue/net-ethernet-ti-cpsw_ethtool-fix-ethtool-ring-param-.patch @@ -0,0 +1,32 @@ +From 09faf5a7d7c0bcb07faba072f611937af9dd5788 Mon Sep 17 00:00:00 2001 +From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org> +Date: Fri, 31 May 2019 16:47:25 +0300 +Subject: [PATCH] net: ethernet: ti: cpsw_ethtool: fix ethtool ring param set + +commit 09faf5a7d7c0bcb07faba072f611937af9dd5788 upstream. + +Fix ability to set RX descriptor number, the reason - initially +"tx_max_pending" was set incorrectly, but the issue appears after +adding sanity check, so fix is for "sanity" patch. + +Fixes: 37e2d99b59c476 ("ethtool: Ensure new ring parameters are within bounds during SRINGPARAM") +Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org> +Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/ti/cpsw_ethtool.c b/drivers/net/ethernet/ti/cpsw_ethtool.c +index a4a7ec0d2531..6d1c9ebae7cc 100644 +--- a/drivers/net/ethernet/ti/cpsw_ethtool.c ++++ b/drivers/net/ethernet/ti/cpsw_ethtool.c +@@ -643,7 +643,7 @@ void cpsw_get_ringparam(struct net_device *ndev, + struct cpsw_common *cpsw = priv->cpsw; + + /* not supported */ +- ering->tx_max_pending = 0; ++ ering->tx_max_pending = cpsw->descs_pool_size - CPSW_MAX_QUEUES; + ering->tx_pending = cpdma_get_num_tx_descs(cpsw->dma); + ering->rx_max_pending = cpsw->descs_pool_size - CPSW_MAX_QUEUES; + ering->rx_pending = cpdma_get_num_rx_descs(cpsw->dma); +-- +2.9.5 + diff --git a/queue/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch b/queue/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch new file mode 100644 index 0000000..b39c417 --- /dev/null +++ b/queue/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch @@ -0,0 +1,33 @@ +From ce8d24f9a5965a58c588f9342689702a1024433c Mon Sep 17 00:00:00 2001 +From: Andy Duan <fugang.duan@nxp.com> +Date: Thu, 23 May 2019 01:55:28 +0000 +Subject: [PATCH] net: fec: fix the clk mismatch in failed_reset path + +commit ce8d24f9a5965a58c588f9342689702a1024433c upstream. + +Fix the clk mismatch in the error path "failed_reset" because +below error path will disable clk_ahb and clk_ipg directly, it +should use pm_runtime_put_noidle() instead of pm_runtime_put() +to avoid to call runtime resume callback. + +Reported-by: Baruch Siach <baruch@tkos.co.il> +Signed-off-by: Fugang Duan <fugang.duan@nxp.com> +Tested-by: Baruch Siach <baruch@tkos.co.il> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index aa7d4e27c5d1..38f10f7dcbc3 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3556,7 +3556,7 @@ failed_init: + if (fep->reg_phy) + regulator_disable(fep->reg_phy); + failed_reset: +- pm_runtime_put(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + failed_regulator: + clk_disable_unprepare(fep->clk_ahb); +-- +2.9.5 + diff --git a/queue/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch b/queue/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch new file mode 100644 index 0000000..5df63bd --- /dev/null +++ b/queue/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch @@ -0,0 +1,68 @@ +From a4270d6795b0580287453ea55974d948393e66ef Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 29 May 2019 15:36:10 -0700 +Subject: [PATCH] net-gro: fix use-after-free read in napi_gro_frags() + +commit a4270d6795b0580287453ea55974d948393e66ef upstream. + +If a network driver provides to napi_gro_frags() an +skb with a page fragment of exactly 14 bytes, the call +to gro_pull_from_frag0() will 'consume' the fragment +by calling skb_frag_unref(skb, 0), and the page might +be freed and reused. + +Reading eth->h_proto at the end of napi_frags_skb() might +read mangled data, or crash under specific debugging features. + +BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline] +BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 +Read of size 2 at addr ffff88809366840c by task syz-executor599/8957 + +CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 + __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + kasan_report+0x12/0x20 mm/kasan/common.c:614 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142 + napi_frags_skb net/core/dev.c:5833 [inline] + napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 + tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991 + tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037 + call_write_iter include/linux/fs.h:1872 [inline] + do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693 + do_iter_write fs/read_write.c:970 [inline] + do_iter_write+0x184/0x610 fs/read_write.c:951 + vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015 + do_writev+0x15b/0x330 fs/read_write.c:1058 + +Fixes: a50e233c50db ("net-gro: restore frag0 optimization") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/dev.c b/net/core/dev.c +index cc2a4e257324..66f7508825bd 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5775,7 +5775,6 @@ static struct sk_buff *napi_frags_skb(struct napi_struct *napi) + skb_reset_mac_header(skb); + skb_gro_reset_offset(skb); + +- eth = skb_gro_header_fast(skb, 0); + if (unlikely(skb_gro_header_hard(skb, hlen))) { + eth = skb_gro_header_slow(skb, hlen, 0); + if (unlikely(!eth)) { +@@ -5785,6 +5784,7 @@ static struct sk_buff *napi_frags_skb(struct napi_struct *napi) + return NULL; + } + } else { ++ eth = (const struct ethhdr *)skb->data; + gro_pull_from_frag0(skb, hlen); + NAPI_GRO_CB(skb)->frag0 += hlen; + NAPI_GRO_CB(skb)->frag0_len -= hlen; +-- +2.9.5 + diff --git a/queue/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch b/queue/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch new file mode 100644 index 0000000..ce8621f --- /dev/null +++ b/queue/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch @@ -0,0 +1,61 @@ +From 135dd9594f127c8a82d141c3c8430e9e2143216a Mon Sep 17 00:00:00 2001 +From: Erez Alfasi <ereza@mellanox.com> +Date: Mon, 20 May 2019 17:42:52 +0300 +Subject: [PATCH] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high + pages query + +commit 135dd9594f127c8a82d141c3c8430e9e2143216a upstream. + +Querying EEPROM high pages data for SFP module is currently +not supported by our driver but is still tried, resulting in +invalid FW queries. + +Set the EEPROM ethtool data length to 256 for SFP module to +limit the reading for page 0 only and prevent invalid FW queries. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Erez Alfasi <ereza@mellanox.com> +Signed-off-by: Tariq Toukan <tariqt@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index d290f0787dfb..94c59939a8cf 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2010,6 +2010,8 @@ static int mlx4_en_set_tunable(struct net_device *dev, + return ret; + } + ++#define MLX4_EEPROM_PAGE_LEN 256 ++ + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -2044,7 +2046,7 @@ static int mlx4_en_get_module_info(struct net_device *dev, + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; + break; + default: + return -EINVAL; +diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c +index 10fcc22f4590..ba6ac31a339d 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -2077,11 +2077,6 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + size -= offset + size - I2C_PAGE_SIZE; + + i2c_addr = I2C_ADDR_LOW; +- if (offset >= I2C_PAGE_SIZE) { +- /* Reset offset to high page */ +- i2c_addr = I2C_ADDR_HIGH; +- offset -= I2C_PAGE_SIZE; +- } + + cable_info = (struct mlx4_cable_info *)inmad->data; + cable_info->dev_mem_address = cpu_to_be16(offset); +-- +2.9.5 + diff --git a/queue/net-mlx5-Allocate-root-ns-memory-using-kzalloc-to-ma.patch b/queue/net-mlx5-Allocate-root-ns-memory-using-kzalloc-to-ma.patch new file mode 100644 index 0000000..5afea01 --- /dev/null +++ b/queue/net-mlx5-Allocate-root-ns-memory-using-kzalloc-to-ma.patch @@ -0,0 +1,38 @@ +From 25fa506b70cadb580c1e9cbd836d6417276d4bcd Mon Sep 17 00:00:00 2001 +From: Parav Pandit <parav@mellanox.com> +Date: Fri, 10 May 2019 10:40:08 -0500 +Subject: [PATCH] net/mlx5: Allocate root ns memory using kzalloc to match + kfree + +commit 25fa506b70cadb580c1e9cbd836d6417276d4bcd upstream. + +root ns is yet another fs core node which is freed using kfree() by +tree_put_node(). +Rest of the other fs core objects are also allocated using kmalloc +variants. + +However, root ns memory is allocated using kvzalloc(). +Hence allocate root ns memory using kzalloc(). + +Fixes: 2530236303d9e ("net/mlx5_core: Flow steering tree initialization") +Signed-off-by: Parav Pandit <parav@mellanox.com> +Reviewed-by: Daniel Jurgens <danielj@mellanox.com> +Reviewed-by: Mark Bloch <markb@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 34276a2b6da2..fe76c6fd6d80 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2284,7 +2284,7 @@ static struct mlx5_flow_root_namespace + cmds = mlx5_fs_cmd_get_default_ipsec_fpga_cmds(table_type); + + /* Create the root namespace */ +- root_ns = kvzalloc(sizeof(*root_ns), GFP_KERNEL); ++ root_ns = kzalloc(sizeof(*root_ns), GFP_KERNEL); + if (!root_ns) + return NULL; + +-- +2.9.5 + diff --git a/queue/net-mlx5-Avoid-double-free-in-fs-init-error-unwindin.patch b/queue/net-mlx5-Avoid-double-free-in-fs-init-error-unwindin.patch new file mode 100644 index 0000000..32461f6 --- /dev/null +++ b/queue/net-mlx5-Avoid-double-free-in-fs-init-error-unwindin.patch @@ -0,0 +1,70 @@ +From 9414277a5df3669c67e818708c0f881597e0118e Mon Sep 17 00:00:00 2001 +From: Parav Pandit <parav@mellanox.com> +Date: Fri, 10 May 2019 10:26:23 -0500 +Subject: [PATCH] net/mlx5: Avoid double free in fs init error unwinding path + +commit 9414277a5df3669c67e818708c0f881597e0118e upstream. + +In below code flow, for ingress acl table root ns memory leads +to double free. + +mlx5_init_fs + init_ingress_acls_root_ns() + init_ingress_acl_root_ns + kfree(steering->esw_ingress_root_ns); + /* steering->esw_ingress_root_ns is not marked NULL */ + mlx5_cleanup_fs + cleanup_ingress_acls_root_ns + steering->esw_ingress_root_ns non NULL check passes. + kfree(steering->esw_ingress_root_ns); + /* double free */ + +Similar issue exist for other tables. + +Hence zero out the pointers to not process the table again. + +Fixes: 9b93ab981e3bf ("net/mlx5: Separate ingress/egress namespaces for each vport") +Fixes: 40c3eebb49e51 ("net/mlx5: Add support in RDMA RX steering") +Signed-off-by: Parav Pandit <parav@mellanox.com> +Reviewed-by: Mark Bloch <markb@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 4fa87ca63bca..34276a2b6da2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2427,6 +2427,7 @@ static void cleanup_egress_acls_root_ns(struct mlx5_core_dev *dev) + cleanup_root_ns(steering->esw_egress_root_ns[i]); + + kfree(steering->esw_egress_root_ns); ++ steering->esw_egress_root_ns = NULL; + } + + static void cleanup_ingress_acls_root_ns(struct mlx5_core_dev *dev) +@@ -2441,6 +2442,7 @@ static void cleanup_ingress_acls_root_ns(struct mlx5_core_dev *dev) + cleanup_root_ns(steering->esw_ingress_root_ns[i]); + + kfree(steering->esw_ingress_root_ns); ++ steering->esw_ingress_root_ns = NULL; + } + + void mlx5_cleanup_fs(struct mlx5_core_dev *dev) +@@ -2625,6 +2627,7 @@ cleanup_root_ns: + for (i--; i >= 0; i--) + cleanup_root_ns(steering->esw_egress_root_ns[i]); + kfree(steering->esw_egress_root_ns); ++ steering->esw_egress_root_ns = NULL; + return err; + } + +@@ -2652,6 +2655,7 @@ cleanup_root_ns: + for (i--; i >= 0; i--) + cleanup_root_ns(steering->esw_ingress_root_ns[i]); + kfree(steering->esw_ingress_root_ns); ++ steering->esw_ingress_root_ns = NULL; + return err; + } + +-- +2.9.5 + diff --git a/queue/net-mlx5e-Disable-rxhash-when-CQE-compress-is-enable.patch b/queue/net-mlx5e-Disable-rxhash-when-CQE-compress-is-enable.patch new file mode 100644 index 0000000..4aeebb2 --- /dev/null +++ b/queue/net-mlx5e-Disable-rxhash-when-CQE-compress-is-enable.patch @@ -0,0 +1,63 @@ +From c0194e2d0ef0e5ce5e21a35640d23a706827ae28 Mon Sep 17 00:00:00 2001 +From: Saeed Mahameed <saeedm@mellanox.com> +Date: Thu, 23 May 2019 12:55:10 -0700 +Subject: [PATCH] net/mlx5e: Disable rxhash when CQE compress is enabled + +commit c0194e2d0ef0e5ce5e21a35640d23a706827ae28 upstream. + +When CQE compression is enabled (Multi-host systems), compressed CQEs +might arrive to the driver rx, compressed CQEs don't have a valid hash +offload and the driver already reports a hash value of 0 and invalid hash +type on the skb for compressed CQEs, but this is not good enough. + +On a congested PCIe, where CQE compression will kick in aggressively, +gro will deliver lots of out of order packets due to the invalid hash +and this might cause a serious performance drop. + +The only valid solution, is to disable rxhash offload at all when CQE +compression is favorable (Multi-host systems). + +Fixes: 7219ab34f184 ("net/mlx5e: CQE compression") +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 457cc39423f2..c65cefd84eda 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3687,6 +3687,12 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + netdev_warn(netdev, "Disabling LRO, not supported in legacy RQ\n"); + } + ++ if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { ++ features &= ~NETIF_F_RXHASH; ++ if (netdev->features & NETIF_F_RXHASH) ++ netdev_warn(netdev, "Disabling rxhash, not supported when CQE compress is active\n"); ++ } ++ + mutex_unlock(&priv->state_lock); + + return features; +@@ -3812,6 +3818,9 @@ int mlx5e_hwstamp_set(struct mlx5e_priv *priv, struct ifreq *ifr) + memcpy(&priv->tstamp, &config, sizeof(config)); + mutex_unlock(&priv->state_lock); + ++ /* might need to fix some features */ ++ netdev_update_features(priv->netdev); ++ + return copy_to_user(ifr->ifr_data, &config, + sizeof(config)) ? -EFAULT : 0; + } +@@ -4680,6 +4689,10 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + if (!priv->channels.params.scatter_fcs_en) + netdev->features &= ~NETIF_F_RXFCS; + ++ /* prefere CQE compression over rxhash */ ++ if (MLX5E_GET_PFLAG(&priv->channels.params, MLX5E_PFLAG_RX_CQE_COMPRESS)) ++ netdev->features &= ~NETIF_F_RXHASH; ++ + #define FT_CAP(f) MLX5_CAP_FLOWTABLE(mdev, flow_table_properties_nic_receive.f) + if (FT_CAP(flow_modify_en) && + FT_CAP(modify_root) && +-- +2.9.5 + diff --git a/queue/net-mvneta-Fix-err-code-path-of-probe.patch b/queue/net-mvneta-Fix-err-code-path-of-probe.patch new file mode 100644 index 0000000..b4c3d24 --- /dev/null +++ b/queue/net-mvneta-Fix-err-code-path-of-probe.patch @@ -0,0 +1,48 @@ +From d484e06e25ebb937d841dac02ac1fe76ec7d4ddd Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang <Jisheng.Zhang@synaptics.com> +Date: Mon, 27 May 2019 11:04:17 +0000 +Subject: [PATCH] net: mvneta: Fix err code path of probe + +commit d484e06e25ebb937d841dac02ac1fe76ec7d4ddd upstream. + +Fix below issues in err code path of probe: +1. we don't need to unregister_netdev() because the netdev isn't +registered. +2. when register_netdev() fails, we also need to destroy bm pool for +HWBM case. + +Fixes: dc35a10f68d3 ("net: mvneta: bm: add support for hardware buffer management") +Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index e758650b2c26..269bd73be1a0 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -4674,7 +4674,7 @@ static int mvneta_probe(struct platform_device *pdev) + err = register_netdev(dev); + if (err < 0) { + dev_err(&pdev->dev, "failed to register\n"); +- goto err_free_stats; ++ goto err_netdev; + } + + netdev_info(dev, "Using %s mac address %pM\n", mac_from, +@@ -4685,14 +4685,12 @@ static int mvneta_probe(struct platform_device *pdev) + return 0; + + err_netdev: +- unregister_netdev(dev); + if (pp->bm_priv) { + mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_long, 1 << pp->id); + mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_short, + 1 << pp->id); + mvneta_bm_put(pp->bm_priv); + } +-err_free_stats: + free_percpu(pp->stats); + err_free_ports: + free_percpu(pp->ports); +-- +2.9.5 + diff --git a/queue/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch b/queue/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch new file mode 100644 index 0000000..a10e0c4 --- /dev/null +++ b/queue/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch @@ -0,0 +1,33 @@ +From d37acd5aa99c57505b64913e0e2624ec3daed8c5 Mon Sep 17 00:00:00 2001 +From: Maxime Chevallier <maxime.chevallier@bootlin.com> +Date: Thu, 6 Jun 2019 10:42:56 +0200 +Subject: [PATCH] net: mvpp2: Use strscpy to handle stat strings + +commit d37acd5aa99c57505b64913e0e2624ec3daed8c5 upstream. + +Use a safe strscpy call to copy the ethtool stat strings into the +relevant buffers, instead of a memcpy that will be accessing +out-of-bound data. + +Fixes: 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics") +Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 7a67e23a2c2b..d8e5241097a9 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -1304,8 +1304,8 @@ static void mvpp2_ethtool_get_strings(struct net_device *netdev, u32 sset, + int i; + + for (i = 0; i < ARRAY_SIZE(mvpp2_ethtool_regs); i++) +- memcpy(data + i * ETH_GSTRING_LEN, +- &mvpp2_ethtool_regs[i].string, ETH_GSTRING_LEN); ++ strscpy(data + i * ETH_GSTRING_LEN, ++ mvpp2_ethtool_regs[i].string, ETH_GSTRING_LEN); + } + } + +-- +2.9.5 + diff --git a/queue/net-mvpp2-fix-bad-MVPP2_TXQ_SCHED_TOKEN_CNTR_REG-que.patch b/queue/net-mvpp2-fix-bad-MVPP2_TXQ_SCHED_TOKEN_CNTR_REG-que.patch new file mode 100644 index 0000000..d7575d7 --- /dev/null +++ b/queue/net-mvpp2-fix-bad-MVPP2_TXQ_SCHED_TOKEN_CNTR_REG-que.patch @@ -0,0 +1,57 @@ +From 21808437214637952b61beaba6034d97880fbeb3 Mon Sep 17 00:00:00 2001 +From: Antoine Tenart <antoine.tenart@bootlin.com> +Date: Wed, 29 May 2019 15:59:48 +0200 +Subject: [PATCH] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue + value + +commit 21808437214637952b61beaba6034d97880fbeb3 upstream. + +MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but +the current code is passing the global tx queue offset, so it ends +up writing to unknown registers (between 0x8280 and 0x82fc, which +seemed to be unused by the hardware). This fixes the issue by using +the logical queue id instead. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index d38952eb7aa9..7a67e23a2c2b 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -1455,7 +1455,7 @@ static inline void mvpp2_xlg_max_rx_size_set(struct mvpp2_port *port) + /* Set defaults to the MVPP2 port */ + static void mvpp2_defaults_set(struct mvpp2_port *port) + { +- int tx_port_num, val, queue, ptxq, lrxq; ++ int tx_port_num, val, queue, lrxq; + + if (port->priv->hw_version == MVPP21) { + /* Update TX FIFO MIN Threshold */ +@@ -1476,11 +1476,9 @@ static void mvpp2_defaults_set(struct mvpp2_port *port) + mvpp2_write(port->priv, MVPP2_TXP_SCHED_FIXED_PRIO_REG, 0); + + /* Close bandwidth for all queues */ +- for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) { +- ptxq = mvpp2_txq_phys(port->id, queue); ++ for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) + mvpp2_write(port->priv, +- MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0); +- } ++ MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0); + + /* Set refill period to 1 usec, refill tokens + * and bucket size to maximum +@@ -2336,7 +2334,7 @@ static void mvpp2_txq_deinit(struct mvpp2_port *port, + txq->descs_dma = 0; + + /* Set minimum bandwidth for disabled TXQs */ +- mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0); ++ mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0); + + /* Set Tx descriptors queue starting address and size */ + thread = mvpp2_cpu_to_thread(port->priv, get_cpu()); +-- +2.9.5 + diff --git a/queue/net-phy-marvell10g-report-if-the-PHY-fails-to-boot-f.patch b/queue/net-phy-marvell10g-report-if-the-PHY-fails-to-boot-f.patch new file mode 100644 index 0000000..d1d66bd --- /dev/null +++ b/queue/net-phy-marvell10g-report-if-the-PHY-fails-to-boot-f.patch @@ -0,0 +1,52 @@ +From 3d3ced2ec5d71b99d72ae6910fbdf890bc2eccf0 Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Tue, 28 May 2019 10:34:42 +0100 +Subject: [PATCH] net: phy: marvell10g: report if the PHY fails to boot + firmware + +commit 3d3ced2ec5d71b99d72ae6910fbdf890bc2eccf0 upstream. + +Some boards do not have the PHY firmware programmed in the 3310's flash, +which leads to the PHY not working as expected. Warn the user when the +PHY fails to boot the firmware and refuse to initialise. + +Fixes: 20b2af32ff3f ("net: phy: add Marvell Alaska X 88X3310 10Gigabit PHY support") +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Tested-by: Maxime Chevallier <maxime.chevallier@bootlin.com> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/marvell10g.c b/drivers/net/phy/marvell10g.c +index 238a20e13d6a..3b99882692e3 100644 +--- a/drivers/net/phy/marvell10g.c ++++ b/drivers/net/phy/marvell10g.c +@@ -31,6 +31,9 @@ + #define MV_PHY_ALASKA_NBT_QUIRK_REV (MARVELL_PHY_ID_88X3310 | 0xa) + + enum { ++ MV_PMA_BOOT = 0xc050, ++ MV_PMA_BOOT_FATAL = BIT(0), ++ + MV_PCS_BASE_T = 0x0000, + MV_PCS_BASE_R = 0x1000, + MV_PCS_1000BASEX = 0x2000, +@@ -213,6 +216,16 @@ static int mv3310_probe(struct phy_device *phydev) + (phydev->c45_ids.devices_in_package & mmd_mask) != mmd_mask) + return -ENODEV; + ++ ret = phy_read_mmd(phydev, MDIO_MMD_PMAPMD, MV_PMA_BOOT); ++ if (ret < 0) ++ return ret; ++ ++ if (ret & MV_PMA_BOOT_FATAL) { ++ dev_warn(&phydev->mdio.dev, ++ "PHY failed to boot firmware, status=%04x\n", ret); ++ return -ENODEV; ++ } ++ + priv = devm_kzalloc(&phydev->mdio.dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +-- +2.9.5 + diff --git a/queue/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/queue/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch new file mode 100644 index 0000000..01637bd --- /dev/null +++ b/queue/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch @@ -0,0 +1,89 @@ +From 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun <yanjun.zhu@oracle.com> +Date: Thu, 6 Jun 2019 04:00:03 -0400 +Subject: [PATCH] net: rds: fix memory leak in rds_ib_flush_mr_pool + +commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 upstream. + +When the following tests last for several hours, the problem will occur. + +Server: + rds-stress -r 1.1.1.16 -D 1M +Client: + rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30 + +The following will occur. + +" +Starting up.... +tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu +% + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 +" +>From vmcore, we can find that clean_list is NULL. + +>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker. +Then rds_ib_mr_pool_flush_worker calls +" + rds_ib_flush_mr_pool(pool, 0, NULL); +" +Then in function +" +int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, + int free_all, struct rds_ib_mr **ibmr_ret) +" +ibmr_ret is NULL. + +In the source code, +" +... +list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); +if (ibmr_ret) + *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); + +/* more than one entry in llist nodes */ +if (clean_nodes->next) + llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); +... +" +When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next +instead of clean_nodes is added in clean_list. +So clean_nodes is discarded. It can not be used again. +The workqueue is executed periodically. So more and more clean_nodes are +discarded. Finally the clean_list is NULL. +Then this problem will occur. + +Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist") +Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com> +Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c +index d664e9ade74d..0b347f46b2f4 100644 +--- a/net/rds/ib_rdma.c ++++ b/net/rds/ib_rdma.c +@@ -428,12 +428,14 @@ int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, + wait_clean_list_grace(); + + list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); +- if (ibmr_ret) ++ if (ibmr_ret) { + *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); +- ++ clean_nodes = clean_nodes->next; ++ } + /* more than one entry in llist nodes */ +- if (clean_nodes->next) +- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); ++ if (clean_nodes) ++ llist_add_batch(clean_nodes, clean_tail, ++ &pool->clean_list); + + } + +-- +2.9.5 + diff --git a/queue/net-sched-don-t-use-tc_action-order-during-action-du.patch b/queue/net-sched-don-t-use-tc_action-order-during-action-du.patch new file mode 100644 index 0000000..accd431 --- /dev/null +++ b/queue/net-sched-don-t-use-tc_action-order-during-action-du.patch @@ -0,0 +1,54 @@ +From 4097e9d250fb17958c1d9b94538386edd3f20144 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov <vladbu@mellanox.com> +Date: Thu, 23 May 2019 09:32:31 +0300 +Subject: [PATCH] net: sched: don't use tc_action->order during action dump + +commit 4097e9d250fb17958c1d9b94538386edd3f20144 upstream. + +Function tcf_action_dump() relies on tc_action->order field when starting +nested nla to send action data to userspace. This approach breaks in +several cases: + +- When multiple filters point to same shared action, tc_action->order field + is overwritten each time it is attached to filter. This causes filter + dump to output action with incorrect attribute for all filters that have + the action in different position (different order) from the last set + tc_action->order value. + +- When action data is displayed using tc action API (RTM_GETACTION), action + order is overwritten by tca_action_gd() according to its position in + resulting array of nl attributes, which will break filter dump for all + filters attached to that shared action that expect it to have different + order value. + +Don't rely on tc_action->order when dumping actions. Set nla according to +action position in resulting array of actions instead. + +Signed-off-by: Vlad Buslov <vladbu@mellanox.com> +Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/sched/act_api.c b/net/sched/act_api.c +index 683fcc00da49..c42ecf4b3c10 100644 +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -800,7 +800,7 @@ int tcf_action_dump(struct sk_buff *skb, struct tc_action *actions[], + + for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) { + a = actions[i]; +- nest = nla_nest_start_noflag(skb, a->order); ++ nest = nla_nest_start_noflag(skb, i + 1); + if (nest == NULL) + goto nla_put_failure; + err = tcf_action_dump_1(skb, a, bind, ref); +@@ -1303,7 +1303,6 @@ tca_action_gd(struct net *net, struct nlattr *nla, struct nlmsghdr *n, + ret = PTR_ERR(act); + goto err; + } +- act->order = i; + attr_size += tcf_action_fill_size(act); + actions[i - 1] = act; + } +-- +2.9.5 + diff --git a/queue/net-sfp-read-eeprom-in-maximum-16-byte-increments.patch b/queue/net-sfp-read-eeprom-in-maximum-16-byte-increments.patch new file mode 100644 index 0000000..f90c43c --- /dev/null +++ b/queue/net-sfp-read-eeprom-in-maximum-16-byte-increments.patch @@ -0,0 +1,74 @@ +From 28e74a7cfd6403f0d1c0f8b10b45d6fae37b227e Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Sun, 2 Jun 2019 15:13:00 +0100 +Subject: [PATCH] net: sfp: read eeprom in maximum 16 byte increments + +commit 28e74a7cfd6403f0d1c0f8b10b45d6fae37b227e upstream. + +Some SFP modules do not like reads longer than 16 bytes, so read the +EEPROM in chunks of 16 bytes at a time. This behaviour is not specified +in the SFP MSAs, which specifies: + + "The serial interface uses the 2-wire serial CMOS E2PROM protocol + defined for the ATMEL AT24C01A/02/04 family of components." + +and + + "As long as the SFP+ receives an acknowledge, it shall serially clock + out sequential data words. The sequence is terminated when the host + responds with a NACK and a STOP instead of an acknowledge." + +We must avoid breaking a read across a 16-bit quantity in the diagnostic +page, thankfully all 16-bit quantities in that page are naturally +aligned. + +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index d4635c2178d1..71812be0ac64 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -281,6 +281,7 @@ static int sfp_i2c_read(struct sfp *sfp, bool a2, u8 dev_addr, void *buf, + { + struct i2c_msg msgs[2]; + u8 bus_addr = a2 ? 0x51 : 0x50; ++ size_t this_len; + int ret; + + msgs[0].addr = bus_addr; +@@ -292,11 +293,26 @@ static int sfp_i2c_read(struct sfp *sfp, bool a2, u8 dev_addr, void *buf, + msgs[1].len = len; + msgs[1].buf = buf; + +- ret = i2c_transfer(sfp->i2c, msgs, ARRAY_SIZE(msgs)); +- if (ret < 0) +- return ret; ++ while (len) { ++ this_len = len; ++ if (this_len > 16) ++ this_len = 16; + +- return ret == ARRAY_SIZE(msgs) ? len : 0; ++ msgs[1].len = this_len; ++ ++ ret = i2c_transfer(sfp->i2c, msgs, ARRAY_SIZE(msgs)); ++ if (ret < 0) ++ return ret; ++ ++ if (ret != ARRAY_SIZE(msgs)) ++ break; ++ ++ msgs[1].buf += this_len; ++ dev_addr += this_len; ++ len -= this_len; ++ } ++ ++ return msgs[1].buf - (u8 *)buf; + } + + static int sfp_i2c_write(struct sfp *sfp, bool a2, u8 dev_addr, void *buf, +-- +2.9.5 + diff --git a/queue/net-stmmac-fix-reset-gpio-free-missing.patch b/queue/net-stmmac-fix-reset-gpio-free-missing.patch new file mode 100644 index 0000000..1160e91 --- /dev/null +++ b/queue/net-stmmac-fix-reset-gpio-free-missing.patch @@ -0,0 +1,35 @@ +From 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang <Jisheng.Zhang@synaptics.com> +Date: Wed, 22 May 2019 10:05:09 +0000 +Subject: [PATCH] net: stmmac: fix reset gpio free missing + +commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 upstream. + +Commit 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") +removed the reset gpio free, when the driver is unbinded or rmmod, +we miss the gpio free. + +This patch uses managed API to request the reset gpio, so that the +gpio could be freed properly. + +Fixes: 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") +Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +index bdd351597b55..093a223fe408 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -267,7 +267,8 @@ int stmmac_mdio_reset(struct mii_bus *bus) + of_property_read_u32_array(np, + "snps,reset-delays-us", data->delays, 3); + +- if (gpio_request(data->reset_gpio, "mdio-reset")) ++ if (devm_gpio_request(priv->device, data->reset_gpio, ++ "mdio-reset")) + return 0; + } + +-- +2.9.5 + diff --git a/queue/net-tls-don-t-ignore-netdev-notifications-if-no-TLS-.patch b/queue/net-tls-don-t-ignore-netdev-notifications-if-no-TLS-.patch new file mode 100644 index 0000000..751bbb3 --- /dev/null +++ b/queue/net-tls-don-t-ignore-netdev-notifications-if-no-TLS-.patch @@ -0,0 +1,36 @@ +From c3f4a6c39cf269a40d45f813c05fa830318ad875 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <jakub.kicinski@netronome.com> +Date: Tue, 21 May 2019 19:02:02 -0700 +Subject: [PATCH] net/tls: don't ignore netdev notifications if no TLS features + +commit c3f4a6c39cf269a40d45f813c05fa830318ad875 upstream. + +On device surprise removal path (the notifier) we can't +bail just because the features are disabled. They may +have been enabled during the lifetime of the device. +This bug leads to leaking netdev references and +use-after-frees if there are active connections while +device features are cleared. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 07650446e892..b95c408fd771 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -997,7 +997,8 @@ static int tls_dev_event(struct notifier_block *this, unsigned long event, + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + +- if (!(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX))) ++ if (!dev->tlsdev_ops && ++ !(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX))) + return NOTIFY_DONE; + + switch (event) { +-- +2.9.5 + diff --git a/queue/net-tls-fix-state-removal-with-feature-flags-off.patch b/queue/net-tls-fix-state-removal-with-feature-flags-off.patch new file mode 100644 index 0000000..7492829 --- /dev/null +++ b/queue/net-tls-fix-state-removal-with-feature-flags-off.patch @@ -0,0 +1,59 @@ +From 3686637e507b48525fcea6fb91e1988bdbc14530 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <jakub.kicinski@netronome.com> +Date: Tue, 21 May 2019 19:02:01 -0700 +Subject: [PATCH] net/tls: fix state removal with feature flags off + +commit 3686637e507b48525fcea6fb91e1988bdbc14530 upstream. + +TLS offload drivers shouldn't (and currently don't) block +the TLS offload feature changes based on whether there are +active offloaded connections or not. + +This seems to be a good idea, because we want the admin to +be able to disable the TLS offload at any time, and there +is no clean way of disabling it for active connections +(TX side is quite problematic). So if features are cleared +existing connections will stay offloaded until they close, +and new connections will not attempt offload to a given +device. + +However, the offload state removal handling is currently +broken if feature flags get cleared while there are +active TLS offloads. + +RX side will completely bail from cleanup, even on normal +remove path, leaving device state dangling, potentially +causing issues when the 5-tuple is reused. It will also +fail to release the netdev reference. + +Remove the RX-side warning message, in next release cycle +it should be printed when features are disabled, rather +than when connection dies, but for that we need a more +efficient method of finding connection of a given netdev +(a'la BPF offload code). + +Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index aa33e4accc32..07650446e892 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -939,12 +939,6 @@ void tls_device_offload_cleanup_rx(struct sock *sk) + if (!netdev) + goto out; + +- if (!(netdev->features & NETIF_F_HW_TLS_RX)) { +- pr_err_ratelimited("%s: device is missing NETIF_F_HW_TLS_RX cap\n", +- __func__); +- goto out; +- } +- + netdev->tlsdev_ops->tls_dev_del(netdev, tls_ctx, + TLS_OFFLOAD_CTX_DIR_RX); + +-- +2.9.5 + diff --git a/queue/net-tls-replace-the-sleeping-lock-around-RX-resync-w.patch b/queue/net-tls-replace-the-sleeping-lock-around-RX-resync-w.patch new file mode 100644 index 0000000..70e92d7 --- /dev/null +++ b/queue/net-tls-replace-the-sleeping-lock-around-RX-resync-w.patch @@ -0,0 +1,97 @@ +From e52972c11d6b1262964db96d65934196db621685 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <jakub.kicinski@netronome.com> +Date: Tue, 4 Jun 2019 12:00:12 -0700 +Subject: [PATCH] net/tls: replace the sleeping lock around RX resync with a + bit lock + +commit e52972c11d6b1262964db96d65934196db621685 upstream. + +Commit 38030d7cb779 ("net/tls: avoid NULL-deref on resync during device removal") +tried to fix a potential NULL-dereference by taking the +context rwsem. Unfortunately the RX resync may get called +from soft IRQ, so we can't use the rwsem to protect from +the device disappearing. Because we are guaranteed there +can be only one resync at a time (it's called from strparser) +use a bit to indicate resync is busy and make device +removal wait for the bit to get cleared. + +Note that there is a leftover "flags" field in struct +tls_context already. + +Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/tls.h b/include/net/tls.h +index 39ea62f0c1f6..4a55ce6a303f 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -209,6 +209,10 @@ struct tls_offload_context_tx { + (ALIGN(sizeof(struct tls_offload_context_tx), sizeof(void *)) + \ + TLS_DRIVER_STATE_SIZE) + ++enum tls_context_flags { ++ TLS_RX_SYNC_RUNNING = 0, ++}; ++ + struct cipher_context { + char *iv; + char *rec_seq; +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 49b3a2ff8ef3..1f9cf57d9754 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -550,10 +550,22 @@ void tls_device_write_space(struct sock *sk, struct tls_context *ctx) + } + } + ++static void tls_device_resync_rx(struct tls_context *tls_ctx, ++ struct sock *sk, u32 seq, u64 rcd_sn) ++{ ++ struct net_device *netdev; ++ ++ if (WARN_ON(test_and_set_bit(TLS_RX_SYNC_RUNNING, &tls_ctx->flags))) ++ return; ++ netdev = READ_ONCE(tls_ctx->netdev); ++ if (netdev) ++ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq, rcd_sn); ++ clear_bit_unlock(TLS_RX_SYNC_RUNNING, &tls_ctx->flags); ++} ++ + void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn) + { + struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct net_device *netdev = tls_ctx->netdev; + struct tls_offload_context_rx *rx_ctx; + u32 is_req_pending; + s64 resync_req; +@@ -568,10 +580,10 @@ void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn) + is_req_pending = resync_req; + + if (unlikely(is_req_pending) && req_seq == seq && +- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) +- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, +- seq + TLS_HEADER_SIZE - 1, +- rcd_sn); ++ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) { ++ seq += TLS_HEADER_SIZE - 1; ++ tls_device_resync_rx(tls_ctx, sk, seq, rcd_sn); ++ } + } + + static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) +@@ -972,7 +984,10 @@ static int tls_device_down(struct net_device *netdev) + if (ctx->rx_conf == TLS_HW) + netdev->tlsdev_ops->tls_dev_del(netdev, ctx, + TLS_OFFLOAD_CTX_DIR_RX); +- ctx->netdev = NULL; ++ WRITE_ONCE(ctx->netdev, NULL); ++ smp_mb__before_atomic(); /* pairs with test_and_set_bit() */ ++ while (test_bit(TLS_RX_SYNC_RUNNING, &ctx->flags)) ++ usleep_range(10, 200); + dev_put(netdev); + list_del_init(&ctx->list); + +-- +2.9.5 + diff --git a/queue/of-overlay-set-node-fields-from-properties-when-add-.patch b/queue/of-overlay-set-node-fields-from-properties-when-add-.patch new file mode 100644 index 0000000..785867c --- /dev/null +++ b/queue/of-overlay-set-node-fields-from-properties-when-add-.patch @@ -0,0 +1,133 @@ +From f96278810150fc39085d1872e5b39ea06366d03e Mon Sep 17 00:00:00 2001 +From: Frank Rowand <frank.rowand@sony.com> +Date: Fri, 12 Oct 2018 19:21:16 -0700 +Subject: [PATCH] of: overlay: set node fields from properties when add new + overlay node + +commit f96278810150fc39085d1872e5b39ea06366d03e upstream. + +Overlay nodes added by add_changeset_node() do not have the node +fields name, phandle, and type set. + +The node passed to __of_attach_node() when the add node changeset +entry is processed does not contain any properties. The node's +properties are located in add property changeset entries that will +be processed after the add node changeset is applied. + +Set the node's fields in the node contained in the add node +changeset entry and do not set them to incorrect values in +add_changeset_node(). + +A visible symptom that is fixed by this patch is the names of nodes +added by overlays that have an entry in /sys/bus/platform/drivers/*/ +will contain the unit-address but the node-name will be <NULL>, for +example, "fc4ab000.<NULL>". After applying the patch the name, in +this example, for node restart@fc4ab000 is "fc4ab000.restart". + +Tested-by: Alan Tull <atull@kernel.org> +Signed-off-by: Frank Rowand <frank.rowand@sony.com> + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 146681540487..b4e5b90cb314 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -205,15 +205,24 @@ static void __of_attach_node(struct device_node *np) + const __be32 *phandle; + int sz; + +- np->name = __of_get_property(np, "name", NULL) ? : "<NULL>"; +- np->type = __of_get_property(np, "device_type", NULL) ? : "<NULL>"; +- +- phandle = __of_get_property(np, "phandle", &sz); +- if (!phandle) +- phandle = __of_get_property(np, "linux,phandle", &sz); +- if (IS_ENABLED(CONFIG_PPC_PSERIES) && !phandle) +- phandle = __of_get_property(np, "ibm,phandle", &sz); +- np->phandle = (phandle && (sz >= 4)) ? be32_to_cpup(phandle) : 0; ++ if (!of_node_check_flag(np, OF_OVERLAY)) { ++ np->name = __of_get_property(np, "name", NULL); ++ np->type = __of_get_property(np, "device_type", NULL); ++ if (!np->name) ++ np->name = "<NULL>"; ++ if (!np->type) ++ np->type = "<NULL>"; ++ ++ phandle = __of_get_property(np, "phandle", &sz); ++ if (!phandle) ++ phandle = __of_get_property(np, "linux,phandle", &sz); ++ if (IS_ENABLED(CONFIG_PPC_PSERIES) && !phandle) ++ phandle = __of_get_property(np, "ibm,phandle", &sz); ++ if (phandle && (sz >= 4)) ++ np->phandle = be32_to_cpup(phandle); ++ else ++ np->phandle = 0; ++ } + + np->child = NULL; + np->sibling = np->parent->child; +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index 184cc2c4a931..2b5ac43a5690 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -307,10 +307,11 @@ static int add_changeset_property(struct overlay_changeset *ovcs, + int ret = 0; + bool check_for_non_overlay_node = false; + +- if (!of_prop_cmp(overlay_prop->name, "name") || +- !of_prop_cmp(overlay_prop->name, "phandle") || +- !of_prop_cmp(overlay_prop->name, "linux,phandle")) +- return 0; ++ if (target->in_livetree) ++ if (!of_prop_cmp(overlay_prop->name, "name") || ++ !of_prop_cmp(overlay_prop->name, "phandle") || ++ !of_prop_cmp(overlay_prop->name, "linux,phandle")) ++ return 0; + + if (target->in_livetree) + prop = of_find_property(target->np, overlay_prop->name, NULL); +@@ -330,6 +331,10 @@ static int add_changeset_property(struct overlay_changeset *ovcs, + + if (!prop) { + check_for_non_overlay_node = true; ++ if (!target->in_livetree) { ++ new_prop->next = target->np->deadprops; ++ target->np->deadprops = new_prop; ++ } + ret = of_changeset_add_property(&ovcs->cset, target->np, + new_prop); + } else if (!of_prop_cmp(prop->name, "#address-cells")) { +@@ -400,9 +405,10 @@ static int add_changeset_node(struct overlay_changeset *ovcs, + struct target *target, struct device_node *node) + { + const char *node_kbasename; ++ const __be32 *phandle; + struct device_node *tchild; + struct target target_child; +- int ret = 0; ++ int ret = 0, size; + + node_kbasename = kbasename(node->full_name); + +@@ -416,6 +422,19 @@ static int add_changeset_node(struct overlay_changeset *ovcs, + return -ENOMEM; + + tchild->parent = target->np; ++ tchild->name = __of_get_property(node, "name", NULL); ++ tchild->type = __of_get_property(node, "device_type", NULL); ++ ++ if (!tchild->name) ++ tchild->name = "<NULL>"; ++ if (!tchild->type) ++ tchild->type = "<NULL>"; ++ ++ /* ignore obsolete "linux,phandle" */ ++ phandle = __of_get_property(node, "phandle", &size); ++ if (phandle && (size == 4)) ++ tchild->phandle = be32_to_cpup(phandle); ++ + of_node_set_flag(tchild, OF_OVERLAY); + + ret = of_changeset_attach_node(&ovcs->cset, tchild); +-- +2.9.5 + diff --git a/queue/of-overlay-validate-overlay-properties-address-cells.patch b/queue/of-overlay-validate-overlay-properties-address-cells.patch new file mode 100644 index 0000000..0a974b1 --- /dev/null +++ b/queue/of-overlay-validate-overlay-properties-address-cells.patch @@ -0,0 +1,101 @@ +From 6f75118800acf77f8ad6afec61ca1b2349ade371 Mon Sep 17 00:00:00 2001 +From: Frank Rowand <frank.rowand@sony.com> +Date: Thu, 4 Oct 2018 20:32:04 -0700 +Subject: [PATCH] of: overlay: validate overlay properties #address-cells and + #size-cells + +commit 6f75118800acf77f8ad6afec61ca1b2349ade371 upstream. + +If overlay properties #address-cells or #size-cells are already in +the live devicetree for any given node, then the values in the +overlay must match the values in the live tree. + +If the properties are already in the live tree then there is no +need to create a changeset entry to add them since they must +have the same value. This reduces the memory used by the +changeset and eliminates a possible memory leak. + +Tested-by: Alan Tull <atull@kernel.org> +Signed-off-by: Frank Rowand <frank.rowand@sony.com> + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index 15be3da34fef..72bf00adb9c8 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -287,7 +287,12 @@ err_free_target_path: + * @target may be either in the live devicetree or in a new subtree that + * is contained in the changeset. + * +- * Some special properties are not updated (no error returned). ++ * Some special properties are not added or updated (no error returned): ++ * "name", "phandle", "linux,phandle". ++ * ++ * Properties "#address-cells" and "#size-cells" are not updated if they ++ * are already in the live tree, but if present in the live tree, the values ++ * in the overlay must match the values in the live tree. + * + * Update of property in symbols node is not allowed. + * +@@ -300,6 +305,7 @@ static int add_changeset_property(struct overlay_changeset *ovcs, + { + struct property *new_prop = NULL, *prop; + int ret = 0; ++ bool check_for_non_overlay_node = false; + + if (!of_prop_cmp(overlay_prop->name, "name") || + !of_prop_cmp(overlay_prop->name, "phandle") || +@@ -322,12 +328,32 @@ static int add_changeset_property(struct overlay_changeset *ovcs, + if (!new_prop) + return -ENOMEM; + +- if (!prop) ++ if (!prop) { ++ check_for_non_overlay_node = true; + ret = of_changeset_add_property(&ovcs->cset, target->np, + new_prop); +- else ++ } else if (!of_prop_cmp(prop->name, "#address-cells")) { ++ if (!of_prop_val_eq(prop, new_prop)) { ++ pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n", ++ target->np); ++ ret = -EINVAL; ++ } ++ } else if (!of_prop_cmp(prop->name, "#size-cells")) { ++ if (!of_prop_val_eq(prop, new_prop)) { ++ pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n", ++ target->np); ++ ret = -EINVAL; ++ } ++ } else { ++ check_for_non_overlay_node = true; + ret = of_changeset_update_property(&ovcs->cset, target->np, + new_prop); ++ } ++ ++ if (check_for_non_overlay_node && ++ !of_node_check_flag(target->np, OF_OVERLAY)) ++ pr_err("WARNING: memory leak will occur if overlay removed, property: %pOF/%s\n", ++ target->np, new_prop->name); + + if (ret) { + kfree(new_prop->name); +diff --git a/include/linux/of.h b/include/linux/of.h +index 664cd5573ae2..18ac8921e90c 100644 +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -990,6 +990,12 @@ static inline int of_map_rid(struct device_node *np, u32 rid, + #define of_node_cmp(s1, s2) strcasecmp((s1), (s2)) + #endif + ++static inline int of_prop_val_eq(struct property *p1, struct property *p2) ++{ ++ return p1->length == p2->length && ++ !memcmp(p1->value, p2->value, (size_t)p1->length); ++} ++ + #if defined(CONFIG_OF) && defined(CONFIG_NUMA) + extern int of_node_to_nid(struct device_node *np); + #else +-- +2.9.5 + diff --git a/queue/packet-unconditionally-free-po-rollover.patch b/queue/packet-unconditionally-free-po-rollover.patch new file mode 100644 index 0000000..2de21df --- /dev/null +++ b/queue/packet-unconditionally-free-po-rollover.patch @@ -0,0 +1,40 @@ +From afa0925c6fcc6a8f610e996ca09bc3215048033c Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Fri, 31 May 2019 12:37:23 -0400 +Subject: [PATCH] packet: unconditionally free po->rollover + +commit afa0925c6fcc6a8f610e996ca09bc3215048033c upstream. + +Rollover used to use a complex RCU mechanism for assignment, which had +a race condition. The below patch fixed the bug and greatly simplified +the logic. + +The feature depends on fanout, but the state is private to the socket. +Fanout_release returns f only when the last member leaves and the +fanout struct is to be freed. + +Destroy rollover unconditionally, regardless of fanout state. + +Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()") +Reported-by: syzbot <syzkaller@googlegroups.com> +Diagnosed-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index fbc775fbf712..d4889bf7248e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3014,8 +3014,8 @@ static int packet_release(struct socket *sock) + + synchronize_net(); + ++ kfree(po->rollover); + if (f) { +- kfree(po->rollover); + fanout_release_data(f); + kfree(f); + } +-- +2.9.5 + diff --git a/queue/parisc-Use-implicit-space-register-selection-for-loa.patch b/queue/parisc-Use-implicit-space-register-selection-for-loa.patch new file mode 100644 index 0000000..e3787a1 --- /dev/null +++ b/queue/parisc-Use-implicit-space-register-selection-for-loa.patch @@ -0,0 +1,58 @@ +From 63923d2c3800919774f5c651d503d1dd2adaddd5 Mon Sep 17 00:00:00 2001 +From: John David Anglin <dave.anglin@bell.net> +Date: Mon, 27 May 2019 20:15:14 -0400 +Subject: [PATCH] parisc: Use implicit space register selection for loading the + coherence index of I/O pdirs + +commit 63923d2c3800919774f5c651d503d1dd2adaddd5 upstream. + +We only support I/O to kernel space. Using %sr1 to load the coherence +index may be racy unless interrupts are disabled. This patch changes the +code used to load the coherence index to use implicit space register +selection. This saves one instruction and eliminates the race. + +Tested on rp3440, c8000 and c3750. + +Signed-off-by: John David Anglin <dave.anglin@bell.net> +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller <deller@gmx.de> + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 8937ba70d817..9b434644524c 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -565,8 +565,6 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + /* We currently only support kernel addresses */ + BUG_ON(sid != KERNEL_SPACE); + +- mtsp(sid,1); +- + /* + ** WORD 1 - low order word + ** "hints" parm includes the VALID bit! +@@ -597,7 +595,7 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + ** Grab virtual index [0:11] + ** Deposit virt_idx bits into I/O PDIR word + */ +- asm volatile ("lci %%r0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba)); ++ asm volatile ("lci %%r0(%1), %0" : "=r" (ci) : "r" (vba)); + asm volatile ("extru %1,19,12,%0" : "+r" (ci) : "r" (ci)); + asm volatile ("depw %1,15,12,%0" : "+r" (pa) : "r" (ci)); + +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index afaf8e6aefe6..78df92600203 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -575,8 +575,7 @@ sba_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + pa = virt_to_phys(vba); + pa &= IOVP_MASK; + +- mtsp(sid,1); +- asm("lci 0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba)); ++ asm("lci 0(%1), %0" : "=r" (ci) : "r" (vba)); + pa |= (ci >> PAGE_SHIFT) & 0xff; /* move CI (8 bits) into lowest byte */ + + pa |= SBA_PDIR_VALID_BIT; /* set "valid" bit */ +-- +2.9.5 + diff --git a/queue/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/queue/pktgen-do-not-sleep-with-the-thread-lock-held.patch new file mode 100644 index 0000000..8e6c059 --- /dev/null +++ b/queue/pktgen-do-not-sleep-with-the-thread-lock-held.patch @@ -0,0 +1,95 @@ +From 720f1de4021f09898b8c8443f3b3e995991b6e3a Mon Sep 17 00:00:00 2001 +From: Paolo Abeni <pabeni@redhat.com> +Date: Thu, 6 Jun 2019 15:45:03 +0200 +Subject: [PATCH] pktgen: do not sleep with the thread lock held. + +commit 720f1de4021f09898b8c8443f3b3e995991b6e3a upstream. + +Currently, the process issuing a "start" command on the pktgen procfs +interface, acquires the pktgen thread lock and never release it, until +all pktgen threads are completed. The above can blocks indefinitely any +other pktgen command and any (even unrelated) netdevice removal - as +the pktgen netdev notifier acquires the same lock. + +The issue is demonstrated by the following script, reported by Matteo: + +ip -b - <<'EOF' + link add type dummy + link add type veth + link set dummy0 up +EOF +modprobe pktgen +echo reset >/proc/net/pktgen/pgctrl +{ + echo rem_device_all + echo add_device dummy0 +} >/proc/net/pktgen/kpktgend_0 +echo count 0 >/proc/net/pktgen/dummy0 +echo start >/proc/net/pktgen/pgctrl & +sleep 1 +rmmod veth + +Fix the above releasing the thread lock around the sleep call. + +Additionally we must prevent racing with forcefull rmmod - as the +thread lock no more protects from them. Instead, acquire a self-reference +before waiting for any thread. As a side effect, running + +rmmod pktgen + +while some thread is running now fails with "module in use" error, +before this patch such command hanged indefinitely. + +Note: the issue predates the commit reported in the fixes tag, but +this fix can't be applied before the mentioned commit. + +v1 -> v2: + - no need to check for thread existence after flipping the lock, + pktgen threads are freed only at net exit time + - + +Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.") +Reported-and-tested-by: Matteo Croce <mcroce@redhat.com> +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 319ad5490fb3..a33d03c05ed6 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3066,7 +3066,13 @@ static int pktgen_wait_thread_run(struct pktgen_thread *t) + { + while (thread_is_running(t)) { + ++ /* note: 't' will still be around even after the unlock/lock ++ * cycle because pktgen_thread threads are only cleared at ++ * net exit ++ */ ++ mutex_unlock(&pktgen_thread_lock); + msleep_interruptible(100); ++ mutex_lock(&pktgen_thread_lock); + + if (signal_pending(current)) + goto signal; +@@ -3081,6 +3087,10 @@ static int pktgen_wait_all_threads_run(struct pktgen_net *pn) + struct pktgen_thread *t; + int sig = 1; + ++ /* prevent from racing with rmmod */ ++ if (!try_module_get(THIS_MODULE)) ++ return sig; ++ + mutex_lock(&pktgen_thread_lock); + + list_for_each_entry(t, &pn->pktgen_threads, th_list) { +@@ -3094,6 +3104,7 @@ static int pktgen_wait_all_threads_run(struct pktgen_net *pn) + t->control |= (T_STOP); + + mutex_unlock(&pktgen_thread_lock); ++ module_put(THIS_MODULE); + return sig; + } + +-- +2.9.5 + diff --git a/queue/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch b/queue/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch new file mode 100644 index 0000000..db6e4eb --- /dev/null +++ b/queue/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch @@ -0,0 +1,106 @@ +From 3202e35ec1c8fc19cea24253ff83edf702a60a02 Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria <ravi.bangoria@linux.ibm.com> +Date: Sat, 11 May 2019 08:12:17 +0530 +Subject: [PATCH] powerpc/perf: Fix MMCRA corruption by bhrb_filter + +commit 3202e35ec1c8fc19cea24253ff83edf702a60a02 upstream. + +Consider a scenario where user creates two events: + + 1st event: + attr.sample_type |= PERF_SAMPLE_BRANCH_STACK; + attr.branch_sample_type = PERF_SAMPLE_BRANCH_ANY; + fd = perf_event_open(attr, 0, 1, -1, 0); + + This sets cpuhw->bhrb_filter to 0 and returns valid fd. + + 2nd event: + attr.sample_type |= PERF_SAMPLE_BRANCH_STACK; + attr.branch_sample_type = PERF_SAMPLE_BRANCH_CALL; + fd = perf_event_open(attr, 0, 1, -1, 0); + + It overrides cpuhw->bhrb_filter to -1 and returns with error. + +Now if power_pmu_enable() gets called by any path other than +power_pmu_add(), ppmu->config_bhrb(-1) will set MMCRA to -1. + +Fixes: 3925f46bb590 ("powerpc/perf: Enable branch stack sampling framework") +Cc: stable@vger.kernel.org # v3.10+ +Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com> +Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> + +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index a66fb9c01c9e..2c21ff896e2c 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1850,6 +1850,7 @@ static int power_pmu_event_init(struct perf_event *event) + int n; + int err; + struct cpu_hw_events *cpuhw; ++ u64 bhrb_filter; + + if (!ppmu) + return -ENOENT; +@@ -1955,13 +1956,14 @@ static int power_pmu_event_init(struct perf_event *event) + err = power_check_constraints(cpuhw, events, cflags, n + 1); + + if (has_branch_stack(event)) { +- cpuhw->bhrb_filter = ppmu->bhrb_filter_map( ++ bhrb_filter = ppmu->bhrb_filter_map( + event->attr.branch_sample_type); + +- if (cpuhw->bhrb_filter == -1) { ++ if (bhrb_filter == -1) { + put_cpu_var(cpu_hw_events); + return -EOPNOTSUPP; + } ++ cpuhw->bhrb_filter = bhrb_filter; + } + + put_cpu_var(cpu_hw_events); +diff --git a/arch/powerpc/perf/power8-pmu.c b/arch/powerpc/perf/power8-pmu.c +index bcc3409a06de..c0eb3e2329f0 100644 +--- a/arch/powerpc/perf/power8-pmu.c ++++ b/arch/powerpc/perf/power8-pmu.c +@@ -29,6 +29,7 @@ enum { + #define POWER8_MMCRA_IFM1 0x0000000040000000UL + #define POWER8_MMCRA_IFM2 0x0000000080000000UL + #define POWER8_MMCRA_IFM3 0x00000000C0000000UL ++#define POWER8_MMCRA_BHRB_MASK 0x00000000C0000000UL + + /* + * Raw event encoding for PowerISA v2.07 (Power8): +@@ -243,6 +244,8 @@ static u64 power8_bhrb_filter_map(u64 branch_sample_type) + + static void power8_config_bhrb(u64 pmu_bhrb_filter) + { ++ pmu_bhrb_filter &= POWER8_MMCRA_BHRB_MASK; ++ + /* Enable BHRB filter in PMU */ + mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter)); + } +diff --git a/arch/powerpc/perf/power9-pmu.c b/arch/powerpc/perf/power9-pmu.c +index 3a31ac6f4805..e19c492bd6ec 100644 +--- a/arch/powerpc/perf/power9-pmu.c ++++ b/arch/powerpc/perf/power9-pmu.c +@@ -92,6 +92,7 @@ enum { + #define POWER9_MMCRA_IFM1 0x0000000040000000UL + #define POWER9_MMCRA_IFM2 0x0000000080000000UL + #define POWER9_MMCRA_IFM3 0x00000000C0000000UL ++#define POWER9_MMCRA_BHRB_MASK 0x00000000C0000000UL + + /* Nasty Power9 specific hack */ + #define PVR_POWER9_CUMULUS 0x00002000 +@@ -300,6 +301,8 @@ static u64 power9_bhrb_filter_map(u64 branch_sample_type) + + static void power9_config_bhrb(u64 pmu_bhrb_filter) + { ++ pmu_bhrb_filter &= POWER9_MMCRA_BHRB_MASK; ++ + /* Enable BHRB filter in PMU */ + mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter)); + } +-- +2.9.5 + diff --git a/queue/pstore-Convert-buf_lock-to-semaphore.patch b/queue/pstore-Convert-buf_lock-to-semaphore.patch new file mode 100644 index 0000000..6d2915e --- /dev/null +++ b/queue/pstore-Convert-buf_lock-to-semaphore.patch @@ -0,0 +1,245 @@ +From ea84b580b95521644429cc6748b6c2bf27c8b0f3 Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Fri, 30 Nov 2018 14:36:58 -0800 +Subject: [PATCH] pstore: Convert buf_lock to semaphore + +commit ea84b580b95521644429cc6748b6c2bf27c8b0f3 upstream. + +Instead of running with interrupts disabled, use a semaphore. This should +make it easier for backends that may need to sleep (e.g. EFI) when +performing a write: + +|BUG: sleeping function called from invalid context at kernel/sched/completion.c:99 +|in_atomic(): 1, irqs_disabled(): 1, pid: 2236, name: sig-xstate-bum +|Preemption disabled at: +|[<ffffffff99d60512>] pstore_dump+0x72/0x330 +|CPU: 26 PID: 2236 Comm: sig-xstate-bum Tainted: G D 4.20.0-rc3 #45 +|Call Trace: +| dump_stack+0x4f/0x6a +| ___might_sleep.cold.91+0xd3/0xe4 +| __might_sleep+0x50/0x90 +| wait_for_completion+0x32/0x130 +| virt_efi_query_variable_info+0x14e/0x160 +| efi_query_variable_store+0x51/0x1a0 +| efivar_entry_set_safe+0xa3/0x1b0 +| efi_pstore_write+0x109/0x140 +| pstore_dump+0x11c/0x330 +| kmsg_dump+0xa4/0xd0 +| oops_exit+0x22/0x30 +... + +Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Fixes: 21b3ddd39fee ("efi: Don't use spinlocks for efi vars") +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c +index 22e9d281324d..e7d4ce6964ae 100644 +--- a/arch/powerpc/kernel/nvram_64.c ++++ b/arch/powerpc/kernel/nvram_64.c +@@ -563,8 +563,6 @@ static int nvram_pstore_init(void) + nvram_pstore_info.buf = oops_data; + nvram_pstore_info.bufsize = oops_data_sz; + +- spin_lock_init(&nvram_pstore_info.buf_lock); +- + rc = pstore_register(&nvram_pstore_info); + if (rc && (rc != -EPERM)) + /* Print error only when pstore.backend == nvram */ +diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c +index a5e1d963208e..9953e50667ec 100644 +--- a/drivers/acpi/apei/erst.c ++++ b/drivers/acpi/apei/erst.c +@@ -1176,7 +1176,6 @@ static int __init erst_init(void) + "Error Record Serialization Table (ERST) support is initialized.\n"); + + buf = kmalloc(erst_erange.size, GFP_KERNEL); +- spin_lock_init(&erst_info.buf_lock); + if (buf) { + erst_info.buf = buf + sizeof(struct cper_pstore_record); + erst_info.bufsize = erst_erange.size - +diff --git a/drivers/firmware/efi/efi-pstore.c b/drivers/firmware/efi/efi-pstore.c +index cfe87b465819..0f7d97917197 100644 +--- a/drivers/firmware/efi/efi-pstore.c ++++ b/drivers/firmware/efi/efi-pstore.c +@@ -259,8 +259,7 @@ static int efi_pstore_write(struct pstore_record *record) + efi_name[i] = name[i]; + + ret = efivar_entry_set_safe(efi_name, vendor, PSTORE_EFI_ATTRIBUTES, +- !pstore_cannot_block_path(record->reason), +- record->size, record->psi->buf); ++ preemptible(), record->size, record->psi->buf); + + if (record->reason == KMSG_DUMP_OOPS) + efivar_run_worker(); +@@ -369,7 +368,6 @@ static __init int efivars_pstore_init(void) + return -ENOMEM; + + efi_pstore_info.bufsize = 1024; +- spin_lock_init(&efi_pstore_info.buf_lock); + + if (pstore_register(&efi_pstore_info)) { + kfree(efi_pstore_info.buf); +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 2387cb74f729..2d1066ed3c28 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -161,26 +161,27 @@ static const char *get_reason_str(enum kmsg_dump_reason reason) + } + } + +-bool pstore_cannot_block_path(enum kmsg_dump_reason reason) ++/* ++ * Should pstore_dump() wait for a concurrent pstore_dump()? If ++ * not, the current pstore_dump() will report a failure to dump ++ * and return. ++ */ ++static bool pstore_cannot_wait(enum kmsg_dump_reason reason) + { +- /* +- * In case of NMI path, pstore shouldn't be blocked +- * regardless of reason. +- */ ++ /* In NMI path, pstore shouldn't block regardless of reason. */ + if (in_nmi()) + return true; + + switch (reason) { + /* In panic case, other cpus are stopped by smp_send_stop(). */ + case KMSG_DUMP_PANIC: +- /* Emergency restart shouldn't be blocked by spin lock. */ ++ /* Emergency restart shouldn't be blocked. */ + case KMSG_DUMP_EMERG: + return true; + default: + return false; + } + } +-EXPORT_SYMBOL_GPL(pstore_cannot_block_path); + + #if IS_ENABLED(CONFIG_PSTORE_DEFLATE_COMPRESS) + static int zbufsize_deflate(size_t size) +@@ -400,23 +401,23 @@ static void pstore_dump(struct kmsg_dumper *dumper, + unsigned long total = 0; + const char *why; + unsigned int part = 1; +- unsigned long flags = 0; +- int is_locked; + int ret; + + why = get_reason_str(reason); + +- if (pstore_cannot_block_path(reason)) { +- is_locked = spin_trylock_irqsave(&psinfo->buf_lock, flags); +- if (!is_locked) { +- pr_err("pstore dump routine blocked in %s path, may corrupt error record\n" +- , in_nmi() ? "NMI" : why); ++ if (down_trylock(&psinfo->buf_lock)) { ++ /* Failed to acquire lock: give up if we cannot wait. */ ++ if (pstore_cannot_wait(reason)) { ++ pr_err("dump skipped in %s path: may corrupt error record\n", ++ in_nmi() ? "NMI" : why); ++ return; ++ } ++ if (down_interruptible(&psinfo->buf_lock)) { ++ pr_err("could not grab semaphore?!\n"); + return; + } +- } else { +- spin_lock_irqsave(&psinfo->buf_lock, flags); +- is_locked = 1; + } ++ + oopscount++; + while (total < kmsg_bytes) { + char *dst; +@@ -433,7 +434,7 @@ static void pstore_dump(struct kmsg_dumper *dumper, + record.part = part; + record.buf = psinfo->buf; + +- if (big_oops_buf && is_locked) { ++ if (big_oops_buf) { + dst = big_oops_buf; + dst_size = big_oops_buf_sz; + } else { +@@ -451,7 +452,7 @@ static void pstore_dump(struct kmsg_dumper *dumper, + dst_size, &dump_size)) + break; + +- if (big_oops_buf && is_locked) { ++ if (big_oops_buf) { + zipped_len = pstore_compress(dst, psinfo->buf, + header_size + dump_size, + psinfo->bufsize); +@@ -474,8 +475,8 @@ static void pstore_dump(struct kmsg_dumper *dumper, + total += record.size; + part++; + } +- if (is_locked) +- spin_unlock_irqrestore(&psinfo->buf_lock, flags); ++ ++ up(&psinfo->buf_lock); + } + + static struct kmsg_dumper pstore_dumper = { +@@ -594,6 +595,7 @@ int pstore_register(struct pstore_info *psi) + psi->write_user = pstore_write_user_compat; + psinfo = psi; + mutex_init(&psinfo->read_mutex); ++ sema_init(&psinfo->buf_lock, 1); + spin_unlock(&pstore_lock); + + if (owner && !try_module_get(owner)) { +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 202eaa82bcc6..e6d9560ea455 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -815,7 +815,6 @@ static int ramoops_probe(struct platform_device *pdev) + err = -ENOMEM; + goto fail_clear; + } +- spin_lock_init(&cxt->pstore.buf_lock); + + cxt->pstore.flags = PSTORE_FLAGS_DMESG; + if (cxt->console_size) +diff --git a/include/linux/pstore.h b/include/linux/pstore.h +index a9ec285d85d1..b146181e8709 100644 +--- a/include/linux/pstore.h ++++ b/include/linux/pstore.h +@@ -26,7 +26,7 @@ + #include <linux/errno.h> + #include <linux/kmsg_dump.h> + #include <linux/mutex.h> +-#include <linux/spinlock.h> ++#include <linux/semaphore.h> + #include <linux/time.h> + #include <linux/types.h> + +@@ -99,7 +99,7 @@ struct pstore_record { + * @owner: module which is responsible for this backend driver + * @name: name of the backend driver + * +- * @buf_lock: spinlock to serialize access to @buf ++ * @buf_lock: semaphore to serialize access to @buf + * @buf: preallocated crash dump buffer + * @bufsize: size of @buf available for crash dump bytes (must match + * smallest number of bytes available for writing to a +@@ -184,7 +184,7 @@ struct pstore_info { + struct module *owner; + char *name; + +- spinlock_t buf_lock; ++ struct semaphore buf_lock; + char *buf; + size_t bufsize; + +@@ -210,7 +210,6 @@ struct pstore_info { + + extern int pstore_register(struct pstore_info *); + extern void pstore_unregister(struct pstore_info *); +-extern bool pstore_cannot_block_path(enum kmsg_dump_reason reason); + + struct pstore_ftrace_record { + unsigned long ip; +-- +2.9.5 + diff --git a/queue/pstore-Remove-needless-lock-during-console-writes.patch b/queue/pstore-Remove-needless-lock-during-console-writes.patch new file mode 100644 index 0000000..fc13263 --- /dev/null +++ b/queue/pstore-Remove-needless-lock-during-console-writes.patch @@ -0,0 +1,59 @@ +From b77fa617a2ff4d6beccad3d3d4b3a1f2d10368aa Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Thu, 1 Nov 2018 14:08:07 -0700 +Subject: [PATCH] pstore: Remove needless lock during console writes + +commit b77fa617a2ff4d6beccad3d3d4b3a1f2d10368aa upstream. + +Since the console writer does not use the preallocated crash dump buffer +any more, there is no reason to perform locking around it. + +Fixes: 70ad35db3321 ("pstore: Convert console write to use ->write_buf") +Signed-off-by: Kees Cook <keescook@chromium.org> +Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 8b6028948cf3..a75756c48e10 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -462,31 +462,14 @@ static void pstore_unregister_kmsg(void) + #ifdef CONFIG_PSTORE_CONSOLE + static void pstore_console_write(struct console *con, const char *s, unsigned c) + { +- const char *e = s + c; ++ struct pstore_record record; + +- while (s < e) { +- struct pstore_record record; +- unsigned long flags; +- +- pstore_record_init(&record, psinfo); +- record.type = PSTORE_TYPE_CONSOLE; +- +- if (c > psinfo->bufsize) +- c = psinfo->bufsize; ++ pstore_record_init(&record, psinfo); ++ record.type = PSTORE_TYPE_CONSOLE; + +- if (oops_in_progress) { +- if (!spin_trylock_irqsave(&psinfo->buf_lock, flags)) +- break; +- } else { +- spin_lock_irqsave(&psinfo->buf_lock, flags); +- } +- record.buf = (char *)s; +- record.size = c; +- psinfo->write(&record); +- spin_unlock_irqrestore(&psinfo->buf_lock, flags); +- s += c; +- c = e - s; +- } ++ record.buf = (char *)s; ++ record.size = c; ++ psinfo->write(&record); + } + + static struct console pstore_console = { +-- +2.9.5 + diff --git a/queue/pstore-Set-tfm-to-NULL-on-free_buf_for_compression.patch b/queue/pstore-Set-tfm-to-NULL-on-free_buf_for_compression.patch new file mode 100644 index 0000000..aa39601 --- /dev/null +++ b/queue/pstore-Set-tfm-to-NULL-on-free_buf_for_compression.patch @@ -0,0 +1,38 @@ +From a9fb94a99bb515d8720ba8440ce3aba84aec80f8 Mon Sep 17 00:00:00 2001 +From: Pi-Hsun Shih <pihsun@chromium.org> +Date: Mon, 20 May 2019 14:51:19 +0800 +Subject: [PATCH] pstore: Set tfm to NULL on free_buf_for_compression + +commit a9fb94a99bb515d8720ba8440ce3aba84aec80f8 upstream. + +Set tfm to NULL on free_buf_for_compression() after crypto_free_comp(). + +This avoid a use-after-free when allocate_buf_for_compression() +and free_buf_for_compression() are called twice. Although +free_buf_for_compression() freed the tfm, allocate_buf_for_compression() +won't reinitialize the tfm since the tfm pointer is not NULL. + +Fixes: 95047b0519c1 ("pstore: Refactor compression initialization") +Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org> +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 75887a269b64..8355a46638d0 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -347,8 +347,10 @@ static void allocate_buf_for_compression(void) + + static void free_buf_for_compression(void) + { +- if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) ++ if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) { + crypto_free_comp(tfm); ++ tfm = NULL; ++ } + kfree(big_oops_buf); + big_oops_buf = NULL; + big_oops_buf_sz = 0; +-- +2.9.5 + diff --git a/queue/pstore-ram-Run-without-kernel-crash-dump-region.patch b/queue/pstore-ram-Run-without-kernel-crash-dump-region.patch new file mode 100644 index 0000000..9741a70 --- /dev/null +++ b/queue/pstore-ram-Run-without-kernel-crash-dump-region.patch @@ -0,0 +1,105 @@ +From 8880fa32c557600f5f624084152668ed3c2ea51e Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Thu, 30 May 2019 23:37:29 -0700 +Subject: [PATCH] pstore/ram: Run without kernel crash dump region + +commit 8880fa32c557600f5f624084152668ed3c2ea51e upstream. + +The ram pstore backend has always had the crash dumper frontend enabled +unconditionally. However, it was possible to effectively disable it +by setting a record_size=0. All the machinery would run (storing dumps +to the temporary crash buffer), but 0 bytes would ultimately get stored +due to there being no przs allocated for dumps. Commit 89d328f637b9 +("pstore/ram: Correctly calculate usable PRZ bytes"), however, assumed +that there would always be at least one allocated dprz for calculating +the size of the temporary crash buffer. This was, of course, not the +case when record_size=0, and would lead to a NULL deref trying to find +the dprz buffer size: + +BUG: unable to handle kernel NULL pointer dereference at (null) +... +IP: ramoops_probe+0x285/0x37e (fs/pstore/ram.c:808) + + cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; + +Instead, we need to only enable the frontends based on the success of the +prz initialization and only take the needed actions when those zones are +available. (This also fixes a possible error in detecting if the ftrace +frontend should be enabled.) + +Reported-and-tested-by: Yaro Slav <yaro330@gmail.com> +Fixes: 89d328f637b9 ("pstore/ram: Correctly calculate usable PRZ bytes") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 8355a46638d0..dca07f239bd1 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -608,7 +608,8 @@ int pstore_register(struct pstore_info *psi) + return -EINVAL; + } + +- allocate_buf_for_compression(); ++ if (psi->flags & PSTORE_FLAGS_DMESG) ++ allocate_buf_for_compression(); + + if (pstore_is_mounted()) + pstore_get_records(0); +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index c5c685589e36..4310d547c3b2 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -800,26 +800,36 @@ static int ramoops_probe(struct platform_device *pdev) + + cxt->pstore.data = cxt; + /* +- * Since bufsize is only used for dmesg crash dumps, it +- * must match the size of the dprz record (after PRZ header +- * and ECC bytes have been accounted for). ++ * Prepare frontend flags based on which areas are initialized. ++ * For ramoops_init_przs() cases, the "max count" variable tells ++ * if there are regions present. For ramoops_init_prz() cases, ++ * the single region size is how to check. + */ +- cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; +- cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL); +- if (!cxt->pstore.buf) { +- pr_err("cannot allocate pstore crash dump buffer\n"); +- err = -ENOMEM; +- goto fail_clear; +- } +- +- cxt->pstore.flags = PSTORE_FLAGS_DMESG; ++ cxt->pstore.flags = 0; ++ if (cxt->max_dump_cnt) ++ cxt->pstore.flags |= PSTORE_FLAGS_DMESG; + if (cxt->console_size) + cxt->pstore.flags |= PSTORE_FLAGS_CONSOLE; +- if (cxt->ftrace_size) ++ if (cxt->max_ftrace_cnt) + cxt->pstore.flags |= PSTORE_FLAGS_FTRACE; + if (cxt->pmsg_size) + cxt->pstore.flags |= PSTORE_FLAGS_PMSG; + ++ /* ++ * Since bufsize is only used for dmesg crash dumps, it ++ * must match the size of the dprz record (after PRZ header ++ * and ECC bytes have been accounted for). ++ */ ++ if (cxt->pstore.flags & PSTORE_FLAGS_DMESG) { ++ cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; ++ cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL); ++ if (!cxt->pstore.buf) { ++ pr_err("cannot allocate pstore crash dump buffer\n"); ++ err = -ENOMEM; ++ goto fail_clear; ++ } ++ } ++ + err = pstore_register(&cxt->pstore); + if (err) { + pr_err("registering with pstore failed\n"); +-- +2.9.5 + diff --git a/queue/rcu-locking-and-unlocking-need-to-always-be-at-least.patch b/queue/rcu-locking-and-unlocking-need-to-always-be-at-least.patch new file mode 100644 index 0000000..6611b2e --- /dev/null +++ b/queue/rcu-locking-and-unlocking-need-to-always-be-at-least.patch @@ -0,0 +1,66 @@ +From 66be4e66a7f422128748e3c3ef6ee72b20a6197b Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Mon, 3 Jun 2019 13:26:20 -0700 +Subject: [PATCH] rcu: locking and unlocking need to always be at least + barriers + +commit 66be4e66a7f422128748e3c3ef6ee72b20a6197b upstream. + +Herbert Xu pointed out that commit bb73c52bad36 ("rcu: Don't disable +preemption for Tiny and Tree RCU readers") was incorrect in making the +preempt_disable/enable() be conditional on CONFIG_PREEMPT_COUNT. + +If CONFIG_PREEMPT_COUNT isn't enabled, the preemption enable/disable is +a no-op, but still is a compiler barrier. + +And RCU locking still _needs_ that compiler barrier. + +It is simply fundamentally not true that RCU locking would be a complete +no-op: we still need to guarantee (for example) that things that can +trap and cause preemption cannot migrate into the RCU locked region. + +The way we do that is by making it a barrier. + +See for example commit 386afc91144b ("spinlocks and preemption points +need to be at least compiler barriers") from back in 2013 that had +similar issues with spinlocks that become no-ops on UP: they must still +constrain the compiler from moving other operations into the critical +region. + +Now, it is true that a lot of RCU operations already use READ_ONCE() and +WRITE_ONCE() (which in practice likely would never be re-ordered wrt +anything remotely interesting), but it is also true that that is not +globally the case, and that it's not even necessarily always possible +(ie bitfields etc). + +Reported-by: Herbert Xu <herbert@gondor.apana.org.au> +Fixes: bb73c52bad36 ("rcu: Don't disable preemption for Tiny and Tree RCU readers") +Cc: stable@kernel.org +Cc: Boqun Feng <boqun.feng@gmail.com> +Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index 922bb6848813..b25d20822e75 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -56,14 +56,12 @@ void __rcu_read_unlock(void); + + static inline void __rcu_read_lock(void) + { +- if (IS_ENABLED(CONFIG_PREEMPT_COUNT)) +- preempt_disable(); ++ preempt_disable(); + } + + static inline void __rcu_read_unlock(void) + { +- if (IS_ENABLED(CONFIG_PREEMPT_COUNT)) +- preempt_enable(); ++ preempt_enable(); + } + + static inline int rcu_preempt_depth(void) +-- +2.9.5 + diff --git a/queue/s390-crypto-fix-gcm-aes-s390-selftest-failures.patch b/queue/s390-crypto-fix-gcm-aes-s390-selftest-failures.patch new file mode 100644 index 0000000..72355ff --- /dev/null +++ b/queue/s390-crypto-fix-gcm-aes-s390-selftest-failures.patch @@ -0,0 +1,256 @@ +From bef9f0ba300a55d79a69aa172156072182176515 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger <freude@linux.ibm.com> +Date: Thu, 23 May 2019 16:18:25 +0200 +Subject: [PATCH] s390/crypto: fix gcm-aes-s390 selftest failures + +commit bef9f0ba300a55d79a69aa172156072182176515 upstream. + +The current kernel uses improved crypto selftests. These +tests showed that the current implementation of gcm-aes-s390 +is not able to deal with chunks of output buffers which are +not a multiple of 16 bytes. This patch introduces a rework +of the gcm aes s390 scatter walk handling which now is able +to handle any input and output scatter list chunk sizes +correctly. + +Code has been verified by the crypto selftests, the tcrypt +kernel module and additional tests ran via the af_alg interface. + +Cc: <stable@vger.kernel.org> +Reported-by: Julian Wiedmann <jwi@linux.ibm.com> +Reviewed-by: Patrick Steuer <steuer@linux.ibm.com> +Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> +Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> + +diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c +index dd456725189f..178c53036f7f 100644 +--- a/arch/s390/crypto/aes_s390.c ++++ b/arch/s390/crypto/aes_s390.c +@@ -826,19 +826,45 @@ static int gcm_aes_setauthsize(struct crypto_aead *tfm, unsigned int authsize) + return 0; + } + +-static void gcm_sg_walk_start(struct gcm_sg_walk *gw, struct scatterlist *sg, +- unsigned int len) ++static void gcm_walk_start(struct gcm_sg_walk *gw, struct scatterlist *sg, ++ unsigned int len) + { + memset(gw, 0, sizeof(*gw)); + gw->walk_bytes_remain = len; + scatterwalk_start(&gw->walk, sg); + } + +-static int gcm_sg_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) ++static inline unsigned int _gcm_sg_clamp_and_map(struct gcm_sg_walk *gw) ++{ ++ struct scatterlist *nextsg; ++ ++ gw->walk_bytes = scatterwalk_clamp(&gw->walk, gw->walk_bytes_remain); ++ while (!gw->walk_bytes) { ++ nextsg = sg_next(gw->walk.sg); ++ if (!nextsg) ++ return 0; ++ scatterwalk_start(&gw->walk, nextsg); ++ gw->walk_bytes = scatterwalk_clamp(&gw->walk, ++ gw->walk_bytes_remain); ++ } ++ gw->walk_ptr = scatterwalk_map(&gw->walk); ++ return gw->walk_bytes; ++} ++ ++static inline void _gcm_sg_unmap_and_advance(struct gcm_sg_walk *gw, ++ unsigned int nbytes) ++{ ++ gw->walk_bytes_remain -= nbytes; ++ scatterwalk_unmap(&gw->walk); ++ scatterwalk_advance(&gw->walk, nbytes); ++ scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain); ++ gw->walk_ptr = NULL; ++} ++ ++static int gcm_in_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) + { + int n; + +- /* minbytesneeded <= AES_BLOCK_SIZE */ + if (gw->buf_bytes && gw->buf_bytes >= minbytesneeded) { + gw->ptr = gw->buf; + gw->nbytes = gw->buf_bytes; +@@ -851,13 +877,11 @@ static int gcm_sg_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) + goto out; + } + +- gw->walk_bytes = scatterwalk_clamp(&gw->walk, gw->walk_bytes_remain); +- if (!gw->walk_bytes) { +- scatterwalk_start(&gw->walk, sg_next(gw->walk.sg)); +- gw->walk_bytes = scatterwalk_clamp(&gw->walk, +- gw->walk_bytes_remain); ++ if (!_gcm_sg_clamp_and_map(gw)) { ++ gw->ptr = NULL; ++ gw->nbytes = 0; ++ goto out; + } +- gw->walk_ptr = scatterwalk_map(&gw->walk); + + if (!gw->buf_bytes && gw->walk_bytes >= minbytesneeded) { + gw->ptr = gw->walk_ptr; +@@ -869,51 +893,90 @@ static int gcm_sg_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) + n = min(gw->walk_bytes, AES_BLOCK_SIZE - gw->buf_bytes); + memcpy(gw->buf + gw->buf_bytes, gw->walk_ptr, n); + gw->buf_bytes += n; +- gw->walk_bytes_remain -= n; +- scatterwalk_unmap(&gw->walk); +- scatterwalk_advance(&gw->walk, n); +- scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain); +- ++ _gcm_sg_unmap_and_advance(gw, n); + if (gw->buf_bytes >= minbytesneeded) { + gw->ptr = gw->buf; + gw->nbytes = gw->buf_bytes; + goto out; + } +- +- gw->walk_bytes = scatterwalk_clamp(&gw->walk, +- gw->walk_bytes_remain); +- if (!gw->walk_bytes) { +- scatterwalk_start(&gw->walk, sg_next(gw->walk.sg)); +- gw->walk_bytes = scatterwalk_clamp(&gw->walk, +- gw->walk_bytes_remain); ++ if (!_gcm_sg_clamp_and_map(gw)) { ++ gw->ptr = NULL; ++ gw->nbytes = 0; ++ goto out; + } +- gw->walk_ptr = scatterwalk_map(&gw->walk); + } + + out: + return gw->nbytes; + } + +-static void gcm_sg_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone) ++static int gcm_out_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) + { +- int n; ++ if (gw->walk_bytes_remain == 0) { ++ gw->ptr = NULL; ++ gw->nbytes = 0; ++ goto out; ++ } + ++ if (!_gcm_sg_clamp_and_map(gw)) { ++ gw->ptr = NULL; ++ gw->nbytes = 0; ++ goto out; ++ } ++ ++ if (gw->walk_bytes >= minbytesneeded) { ++ gw->ptr = gw->walk_ptr; ++ gw->nbytes = gw->walk_bytes; ++ goto out; ++ } ++ ++ scatterwalk_unmap(&gw->walk); ++ gw->walk_ptr = NULL; ++ ++ gw->ptr = gw->buf; ++ gw->nbytes = sizeof(gw->buf); ++ ++out: ++ return gw->nbytes; ++} ++ ++static int gcm_in_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone) ++{ + if (gw->ptr == NULL) +- return; ++ return 0; + + if (gw->ptr == gw->buf) { +- n = gw->buf_bytes - bytesdone; ++ int n = gw->buf_bytes - bytesdone; + if (n > 0) { + memmove(gw->buf, gw->buf + bytesdone, n); +- gw->buf_bytes -= n; ++ gw->buf_bytes = n; + } else + gw->buf_bytes = 0; +- } else { +- gw->walk_bytes_remain -= bytesdone; +- scatterwalk_unmap(&gw->walk); +- scatterwalk_advance(&gw->walk, bytesdone); +- scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain); +- } ++ } else ++ _gcm_sg_unmap_and_advance(gw, bytesdone); ++ ++ return bytesdone; ++} ++ ++static int gcm_out_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone) ++{ ++ int i, n; ++ ++ if (gw->ptr == NULL) ++ return 0; ++ ++ if (gw->ptr == gw->buf) { ++ for (i = 0; i < bytesdone; i += n) { ++ if (!_gcm_sg_clamp_and_map(gw)) ++ return i; ++ n = min(gw->walk_bytes, bytesdone - i); ++ memcpy(gw->walk_ptr, gw->buf + i, n); ++ _gcm_sg_unmap_and_advance(gw, n); ++ } ++ } else ++ _gcm_sg_unmap_and_advance(gw, bytesdone); ++ ++ return bytesdone; + } + + static int gcm_aes_crypt(struct aead_request *req, unsigned int flags) +@@ -926,7 +989,7 @@ static int gcm_aes_crypt(struct aead_request *req, unsigned int flags) + unsigned int pclen = req->cryptlen; + int ret = 0; + +- unsigned int len, in_bytes, out_bytes, ++ unsigned int n, len, in_bytes, out_bytes, + min_bytes, bytes, aad_bytes, pc_bytes; + struct gcm_sg_walk gw_in, gw_out; + u8 tag[GHASH_DIGEST_SIZE]; +@@ -963,14 +1026,14 @@ static int gcm_aes_crypt(struct aead_request *req, unsigned int flags) + *(u32 *)(param.j0 + ivsize) = 1; + memcpy(param.k, ctx->key, ctx->key_len); + +- gcm_sg_walk_start(&gw_in, req->src, len); +- gcm_sg_walk_start(&gw_out, req->dst, len); ++ gcm_walk_start(&gw_in, req->src, len); ++ gcm_walk_start(&gw_out, req->dst, len); + + do { + min_bytes = min_t(unsigned int, + aadlen > 0 ? aadlen : pclen, AES_BLOCK_SIZE); +- in_bytes = gcm_sg_walk_go(&gw_in, min_bytes); +- out_bytes = gcm_sg_walk_go(&gw_out, min_bytes); ++ in_bytes = gcm_in_walk_go(&gw_in, min_bytes); ++ out_bytes = gcm_out_walk_go(&gw_out, min_bytes); + bytes = min(in_bytes, out_bytes); + + if (aadlen + pclen <= bytes) { +@@ -997,8 +1060,11 @@ static int gcm_aes_crypt(struct aead_request *req, unsigned int flags) + gw_in.ptr + aad_bytes, pc_bytes, + gw_in.ptr, aad_bytes); + +- gcm_sg_walk_done(&gw_in, aad_bytes + pc_bytes); +- gcm_sg_walk_done(&gw_out, aad_bytes + pc_bytes); ++ n = aad_bytes + pc_bytes; ++ if (gcm_in_walk_done(&gw_in, n) != n) ++ return -ENOMEM; ++ if (gcm_out_walk_done(&gw_out, n) != n) ++ return -ENOMEM; + aadlen -= aad_bytes; + pclen -= pc_bytes; + } while (aadlen + pclen > 0); +-- +2.9.5 + diff --git a/queue/s390-crypto-fix-possible-sleep-during-spinlock-aquir.patch b/queue/s390-crypto-fix-possible-sleep-during-spinlock-aquir.patch new file mode 100644 index 0000000..1b69d37 --- /dev/null +++ b/queue/s390-crypto-fix-possible-sleep-during-spinlock-aquir.patch @@ -0,0 +1,103 @@ +From 1c2c7029c008922d4d48902cc386250502e73d51 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger <freude@linux.ibm.com> +Date: Mon, 27 May 2019 15:24:20 +0200 +Subject: [PATCH] s390/crypto: fix possible sleep during spinlock aquired + +commit 1c2c7029c008922d4d48902cc386250502e73d51 upstream. + +This patch fixes a complain about possible sleep during +spinlock aquired +"BUG: sleeping function called from invalid context at +include/crypto/algapi.h:426" +for the ctr(aes) and ctr(des) s390 specific ciphers. + +Instead of using a spinlock this patch introduces a mutex +which is save to be held in sleeping context. Please note +a deadlock is not possible as mutex_trylock() is used. + +Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> +Reported-by: Julian Wiedmann <jwi@linux.ibm.com> +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> + +diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c +index 178c53036f7f..d00f84add5f4 100644 +--- a/arch/s390/crypto/aes_s390.c ++++ b/arch/s390/crypto/aes_s390.c +@@ -27,14 +27,14 @@ + #include <linux/module.h> + #include <linux/cpufeature.h> + #include <linux/init.h> +-#include <linux/spinlock.h> ++#include <linux/mutex.h> + #include <linux/fips.h> + #include <linux/string.h> + #include <crypto/xts.h> + #include <asm/cpacf.h> + + static u8 *ctrblk; +-static DEFINE_SPINLOCK(ctrblk_lock); ++static DEFINE_MUTEX(ctrblk_lock); + + static cpacf_mask_t km_functions, kmc_functions, kmctr_functions, + kma_functions; +@@ -698,7 +698,7 @@ static int ctr_aes_crypt(struct blkcipher_desc *desc, unsigned long modifier, + unsigned int n, nbytes; + int ret, locked; + +- locked = spin_trylock(&ctrblk_lock); ++ locked = mutex_trylock(&ctrblk_lock); + + ret = blkcipher_walk_virt_block(desc, walk, AES_BLOCK_SIZE); + while ((nbytes = walk->nbytes) >= AES_BLOCK_SIZE) { +@@ -716,7 +716,7 @@ static int ctr_aes_crypt(struct blkcipher_desc *desc, unsigned long modifier, + ret = blkcipher_walk_done(desc, walk, nbytes - n); + } + if (locked) +- spin_unlock(&ctrblk_lock); ++ mutex_unlock(&ctrblk_lock); + /* + * final block may be < AES_BLOCK_SIZE, copy only nbytes + */ +diff --git a/arch/s390/crypto/des_s390.c b/arch/s390/crypto/des_s390.c +index 1f9ab24dc048..374b42fc7637 100644 +--- a/arch/s390/crypto/des_s390.c ++++ b/arch/s390/crypto/des_s390.c +@@ -14,6 +14,7 @@ + #include <linux/cpufeature.h> + #include <linux/crypto.h> + #include <linux/fips.h> ++#include <linux/mutex.h> + #include <crypto/algapi.h> + #include <crypto/des.h> + #include <asm/cpacf.h> +@@ -21,7 +22,7 @@ + #define DES3_KEY_SIZE (3 * DES_KEY_SIZE) + + static u8 *ctrblk; +-static DEFINE_SPINLOCK(ctrblk_lock); ++static DEFINE_MUTEX(ctrblk_lock); + + static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; + +@@ -374,7 +375,7 @@ static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, + unsigned int n, nbytes; + int ret, locked; + +- locked = spin_trylock(&ctrblk_lock); ++ locked = mutex_trylock(&ctrblk_lock); + + ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE); + while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { +@@ -391,7 +392,7 @@ static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, + ret = blkcipher_walk_done(desc, walk, nbytes - n); + } + if (locked) +- spin_unlock(&ctrblk_lock); ++ mutex_unlock(&ctrblk_lock); + /* final block may be < DES_BLOCK_SIZE, copy only nbytes */ + if (nbytes) { + cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr, +-- +2.9.5 + diff --git a/queue/s390-mm-fix-address-space-detection-in-exception-han.patch b/queue/s390-mm-fix-address-space-detection-in-exception-han.patch new file mode 100644 index 0000000..68ea6a5 --- /dev/null +++ b/queue/s390-mm-fix-address-space-detection-in-exception-han.patch @@ -0,0 +1,49 @@ +From 962f0af83c239c0aef05639631e871c874b00f99 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer <gerald.schaefer@de.ibm.com> +Date: Mon, 27 May 2019 18:40:19 +0200 +Subject: [PATCH] s390/mm: fix address space detection in exception handling + +commit 962f0af83c239c0aef05639631e871c874b00f99 upstream. + +Commit 0aaba41b58bc ("s390: remove all code using the access register +mode") removed access register mode from the kernel, and also from the +address space detection logic. However, user space could still switch +to access register mode (trans_exc_code == 1), and exceptions in that +mode would not be correctly assigned. + +Fix this by adding a check for trans_exc_code == 1 to get_fault_type(), +and remove the wrong comment line before that function. + +Fixes: 0aaba41b58bc ("s390: remove all code using the access register mode") +Reviewed-by: Janosch Frank <frankja@linux.ibm.com> +Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com> +Cc: <stable@vger.kernel.org> # v4.15+ +Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> +Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> + +diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c +index 91ce03fd0c84..df75d574246d 100644 +--- a/arch/s390/mm/fault.c ++++ b/arch/s390/mm/fault.c +@@ -83,7 +83,6 @@ static inline int notify_page_fault(struct pt_regs *regs) + + /* + * Find out which address space caused the exception. +- * Access register mode is impossible, ignore space == 3. + */ + static enum fault_type get_fault_type(struct pt_regs *regs) + { +@@ -108,6 +107,10 @@ static enum fault_type get_fault_type(struct pt_regs *regs) + } + return VDSO_FAULT; + } ++ if (trans_exc_code == 1) { ++ /* access register mode, not used in the kernel */ ++ return USER_FAULT; ++ } + /* home space exception -> access via kernel ASCE */ + return KERNEL_FAULT; + } +-- +2.9.5 + diff --git a/queue/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-EBU.patch b/queue/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-EBU.patch new file mode 100644 index 0000000..da8ff9d --- /dev/null +++ b/queue/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-EBU.patch @@ -0,0 +1,34 @@ +From d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 Mon Sep 17 00:00:00 2001 +From: Steffen Maier <maier@linux.ibm.com> +Date: Thu, 23 May 2019 15:23:45 +0200 +Subject: [PATCH] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY + from port_remove + +commit d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 upstream. + +With this early return due to zfcp_unit child(ren), we don't use the +zfcp_port reference from the earlier zfcp_get_port_by_wwpn() anymore and +need to put it. + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove") +Cc: <stable@vger.kernel.org> #3.7+ +Reviewed-by: Jens Remus <jremus@linux.ibm.com> +Reviewed-by: Benjamin Block <bblock@linux.ibm.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c +index b277be6f7611..2d78732b270b 100644 +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -261,6 +261,7 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, + if (atomic_read(&port->units) > 0) { + retval = -EBUSY; + mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ + goto out; + } + /* port is about to be removed, so no more unit_add */ +-- +2.9.5 + diff --git a/queue/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-.patch b/queue/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-.patch new file mode 100644 index 0000000..f85bf2a --- /dev/null +++ b/queue/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-.patch @@ -0,0 +1,188 @@ +From ef4021fe5fd77ced0323cede27979d80a56211ca Mon Sep 17 00:00:00 2001 +From: Steffen Maier <maier@linux.ibm.com> +Date: Thu, 23 May 2019 15:23:46 +0200 +Subject: [PATCH] scsi: zfcp: fix to prevent port_remove with pure auto scan + LUNs (only sdevs) + +commit ef4021fe5fd77ced0323cede27979d80a56211ca upstream. + +When the user tries to remove a zfcp port via sysfs, we only rejected it if +there are zfcp unit children under the port. With purely automatically +scanned LUNs there are no zfcp units but only SCSI devices. In such cases, +the port_remove erroneously continued. We close the port and this +implicitly closes all LUNs under the port. The SCSI devices survive with +their private zfcp_scsi_dev still holding a reference to the "removed" +zfcp_port (still allocated but invisible in sysfs) [zfcp_get_port_by_wwpn +in zfcp_scsi_slave_alloc]. This is not a problem as long as the fc_rport +stays blocked. Once (auto) port scan brings back the removed port, we +unblock its fc_rport again by design. However, there is no mechanism that +would recover (open) the LUNs under the port (no "ersfs_3" without +zfcp_unit [zfcp_erp_strategy_followup_success]). Any pending or new I/O to +such LUN leads to repeated: + + Done: NEEDS_RETRY Result: hostbyte=DID_IMM_RETRY driverbyte=DRIVER_OK + +See also v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race +with LUN recovery"). Even a manual LUN recovery +(echo 0 > /sys/bus/scsi/devices/H:C:T:L/zfcp_failed) +does not help, as the LUN links to the old "removed" port which remains +to lack ZFCP_STATUS_COMMON_RUNNING [zfcp_erp_required_act]. +The only workaround is to first ensure that the fc_rport is blocked +(e.g. port_remove again in case it was re-discovered by (auto) port scan), +then delete the SCSI devices, and finally re-discover by (auto) port scan. +The port scan includes an fc_rport unblock, which in turn triggers +a new scan on the scsi target to freshly get new pure auto scan LUNs. + +Fix this by rejecting port_remove also if there are SCSI devices +(even without any zfcp_unit) under this port. Re-use mechanics from v3.7 +commit d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove"). +However, we have to give up zfcp_sysfs_port_units_mutex earlier in unit_add +to prevent a deadlock with scsi_host scan taking shost->scan_mutex first +and then zfcp_sysfs_port_units_mutex now in our zfcp_scsi_slave_alloc(). + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: b62a8d9b45b9 ("[SCSI] zfcp: Use SCSI device data zfcp scsi dev instead of zfcp unit") +Fixes: f8210e34887e ("[SCSI] zfcp: Allow midlayer to scan for LUNs when running in NPIV mode") +Cc: <stable@vger.kernel.org> #2.6.37+ +Reviewed-by: Benjamin Block <bblock@linux.ibm.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index c6acca521ffe..31e8a7240fd7 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -167,6 +167,7 @@ extern const struct attribute_group *zfcp_port_attr_groups[]; + extern struct mutex zfcp_sysfs_port_units_mutex; + extern struct device_attribute *zfcp_sysfs_sdev_attrs[]; + extern struct device_attribute *zfcp_sysfs_shost_attrs[]; ++bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port); + + /* zfcp_unit.c */ + extern int zfcp_unit_add(struct zfcp_port *, u64); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index 221d0dfb8493..e9ded2befa0d 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -129,6 +129,15 @@ static int zfcp_scsi_slave_alloc(struct scsi_device *sdev) + + zfcp_sdev->erp_action.port = port; + ++ mutex_lock(&zfcp_sysfs_port_units_mutex); ++ if (zfcp_sysfs_port_is_removing(port)) { ++ /* port is already gone */ ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ ++ return -ENXIO; ++ } ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ + unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev)); + if (unit) + put_device(&unit->dev); +diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c +index 2d78732b270b..af197e2b3e69 100644 +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -235,6 +235,53 @@ static ZFCP_DEV_ATTR(adapter, port_rescan, S_IWUSR, NULL, + + DEFINE_MUTEX(zfcp_sysfs_port_units_mutex); + ++static void zfcp_sysfs_port_set_removing(struct zfcp_port *const port) ++{ ++ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); ++ atomic_set(&port->units, -1); ++} ++ ++bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port) ++{ ++ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); ++ return atomic_read(&port->units) == -1; ++} ++ ++static bool zfcp_sysfs_port_in_use(struct zfcp_port *const port) ++{ ++ struct zfcp_adapter *const adapter = port->adapter; ++ unsigned long flags; ++ struct scsi_device *sdev; ++ bool in_use = true; ++ ++ mutex_lock(&zfcp_sysfs_port_units_mutex); ++ if (atomic_read(&port->units) > 0) ++ goto unlock_port_units_mutex; /* zfcp_unit(s) under port */ ++ ++ spin_lock_irqsave(adapter->scsi_host->host_lock, flags); ++ __shost_for_each_device(sdev, adapter->scsi_host) { ++ const struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); ++ ++ if (sdev->sdev_state == SDEV_DEL || ++ sdev->sdev_state == SDEV_CANCEL) ++ continue; ++ if (zsdev->port != port) ++ continue; ++ /* alive scsi_device under port of interest */ ++ goto unlock_host_lock; ++ } ++ ++ /* port is about to be removed, so no more unit_add or slave_alloc */ ++ zfcp_sysfs_port_set_removing(port); ++ in_use = false; ++ ++unlock_host_lock: ++ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags); ++unlock_port_units_mutex: ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ return in_use; ++} ++ + static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +@@ -257,16 +304,11 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, + else + retval = 0; + +- mutex_lock(&zfcp_sysfs_port_units_mutex); +- if (atomic_read(&port->units) > 0) { ++ if (zfcp_sysfs_port_in_use(port)) { + retval = -EBUSY; +- mutex_unlock(&zfcp_sysfs_port_units_mutex); + put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ + goto out; + } +- /* port is about to be removed, so no more unit_add */ +- atomic_set(&port->units, -1); +- mutex_unlock(&zfcp_sysfs_port_units_mutex); + + write_lock_irq(&adapter->port_list_lock); + list_del(&port->list); +diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c +index 1bf0a0984a09..e67bf7388cae 100644 +--- a/drivers/s390/scsi/zfcp_unit.c ++++ b/drivers/s390/scsi/zfcp_unit.c +@@ -124,7 +124,7 @@ int zfcp_unit_add(struct zfcp_port *port, u64 fcp_lun) + int retval = 0; + + mutex_lock(&zfcp_sysfs_port_units_mutex); +- if (atomic_read(&port->units) == -1) { ++ if (zfcp_sysfs_port_is_removing(port)) { + /* port is already gone */ + retval = -ENODEV; + goto out; +@@ -168,8 +168,14 @@ int zfcp_unit_add(struct zfcp_port *port, u64 fcp_lun) + write_lock_irq(&port->unit_list_lock); + list_add_tail(&unit->list, &port->unit_list); + write_unlock_irq(&port->unit_list_lock); ++ /* ++ * lock order: shost->scan_mutex before zfcp_sysfs_port_units_mutex ++ * due to zfcp_unit_scsi_scan() => zfcp_scsi_slave_alloc() ++ */ ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); + + zfcp_unit_scsi_scan(unit); ++ return retval; + + out: + mutex_unlock(&zfcp_sysfs_port_units_mutex); +-- +2.9.5 + diff --git a/queue/serial-sh-sci-disable-DMA-for-uart_console.patch b/queue/serial-sh-sci-disable-DMA-for-uart_console.patch new file mode 100644 index 0000000..9b29e4c --- /dev/null +++ b/queue/serial-sh-sci-disable-DMA-for-uart_console.patch @@ -0,0 +1,44 @@ +From 099506cbbc79c0bd52b19cb6b930f256dabc3950 Mon Sep 17 00:00:00 2001 +From: "George G. Davis" <george_davis@mentor.com> +Date: Tue, 14 May 2019 23:29:34 -0400 +Subject: [PATCH] serial: sh-sci: disable DMA for uart_console + +commit 099506cbbc79c0bd52b19cb6b930f256dabc3950 upstream. + +As noted in commit 84b40e3b57ee ("serial: 8250: omap: Disable DMA for +console UART"), UART console lines use low-level PIO only access functions +which will conflict with use of the line when DMA is enabled, e.g. when +the console line is also used for systemd messages. So disable DMA +support for UART console lines. + +Reported-by: Michael Rodin <mrodin@de.adit-jv.com> +Link: https://patchwork.kernel.org/patch/10929511/ +Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com> +Reviewed-by: Simon Horman <horms+renesas@verge.net.au> +Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com> +Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> +Cc: stable@vger.kernel.org +Signed-off-by: George G. Davis <george_davis@mentor.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 3cd139752d3f..abc705716aa0 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1557,6 +1557,13 @@ static void sci_request_dma(struct uart_port *port) + + dev_dbg(port->dev, "%s: port %d\n", __func__, port->line); + ++ /* ++ * DMA on console may interfere with Kernel log messages which use ++ * plain putchar(). So, simply don't use it with a console. ++ */ ++ if (uart_console(port)) ++ return; ++ + if (!port->dev->of_node) + return; + +-- +2.9.5 + diff --git a/queue/series b/queue/series new file mode 100644 index 0000000..8950988 --- /dev/null +++ b/queue/series @@ -0,0 +1,154 @@ +bonding-802.3ad-fix-slave-link-initialization-transi.patch +jump_label-move-asm-goto-support-test-to-Kconfig.patch +cxgb4-offload-VLAN-flows-regardless-of-VLAN-ethtype.patch +inet-switch-IP-ID-generator-to-siphash.patch +ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delr.patch +ipv4-igmp-fix-build-error-if-CONFIG_IP_MULTICAST.patch +ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch +ipv6-Fix-redirect-with-VRF.patch +llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch +net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch +net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch +net-gro-fix-use-after-free-read-in-napi_gro_frags.patch +net-mvneta-Fix-err-code-path-of-probe.patch +net-mvpp2-fix-bad-MVPP2_TXQ_SCHED_TOKEN_CNTR_REG-que.patch +net-phy-marvell10g-report-if-the-PHY-fails-to-boot-f.patch +net-sched-don-t-use-tc_action-order-during-action-du.patch +net-stmmac-fix-reset-gpio-free-missing.patch +usbnet-fix-kernel-crash-after-disconnect.patch +net-mlx5-Avoid-double-free-in-fs-init-error-unwindin.patch +net-mlx5-Allocate-root-ns-memory-using-kzalloc-to-ma.patch +net-mlx5e-Disable-rxhash-when-CQE-compress-is-enable.patch +bnxt_en-Fix-aggregation-buffer-leak-under-OOM-condit.patch +net-tls-fix-state-removal-with-feature-flags-off.patch +net-tls-don-t-ignore-netdev-notifications-if-no-TLS-.patch +crypto-vmx-ghash-do-nosimd-fallback-manually.patch +include-linux-compiler-.h-define-asm_volatile_goto.patch +compiler.h-give-up-__compiletime_assert_fallback.patch +jump_label-move-asm-goto-support-test-to-Kconfig.patch +xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch +Revert-tipc-fix-modprobe-tipc-failed-after-switch-or.patch +tipc-fix-modprobe-tipc-failed-after-switch-order-of-.patch +sparc64-Fix-regression-in-non-hypervisor-TLB-flush-x.patch +include-linux-bitops.h-sanitize-rotate-primitives.patch +xhci-update-bounce-buffer-with-correct-sg-num.patch +xhci-Use-zu-for-printing-size_t-type.patch +xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch +usb-xhci-avoid-null-pointer-deref-when-bos-field-is-.patch +usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch +usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch +USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch +USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch +USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch +USB-rio500-refuse-more-than-one-device-at-a-time.patch +USB-rio500-fix-memory-leak-in-close-after-disconnect.patch +media-usb-siano-Fix-general-protection-fault-in-smsu.patch +media-usb-siano-Fix-false-positive-uninitialized-var.patch +media-smsusb-better-handle-optional-alignment.patch +brcmfmac-fix-NULL-pointer-derefence-during-USB-disco.patch +scsi-zfcp-fix-missing-zfcp_port-reference-put-on-EBU.patch +scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-.patch +tracing-Avoid-memory-leak-in-predicate_parse.patch +Btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch +Btrfs-fix-race-updating-log-root-item-during-fsync.patch +Btrfs-fix-fsync-not-persisting-changed-attributes-of.patch +Btrfs-incremental-send-fix-file-corruption-when-no-h.patch +iio-dac-ds4422-ds4424-fix-chip-verification.patch +iio-adc-ti-ads8688-fix-timestamp-is-not-updated-in-b.patch +s390-crypto-fix-gcm-aes-s390-selftest-failures.patch +s390-crypto-fix-possible-sleep-during-spinlock-aquir.patch +KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch +powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch +ALSA-line6-Assure-canceling-delayed-work-at-disconne.patch +ALSA-hda-realtek-Set-default-power-save-node-to-0.patch +ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch +KVM-s390-Do-not-report-unusabled-IDs-via-KVM_CAP_MAX.patch +drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch +i2c-mlxcpld-Fix-wrong-initialization-order-in-probe.patch +i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch +tty-serial-msm_serial-Fix-XON-XOFF.patch +tty-max310x-Fix-external-crystal-register-setup.patch +memcg-make-it-work-on-sparse-non-0-node-systems.patch +kernel-signal.c-trace_signal_deliver-when-signal_gro.patch +arm64-Fix-the-arm64_personality-syscall-wrapper-redi.patch +docs-Fix-conf.py-for-Sphinx-2.0.patch +doc-Cope-with-the-deprecation-of-AutoReporter.patch +doc-Cope-with-Sphinx-logging-deprecations.patch +ima-show-rules-with-IMA_INMASK-correctly.patch +evm-check-hash-algorithm-passed-to-init_desc.patch +vt-fbcon-deinitialize-resources-in-visual_init-after.patch +serial-sh-sci-disable-DMA-for-uart_console.patch +staging-vc04_services-prevent-integer-overflow-in-cr.patch +staging-wlan-ng-fix-adapter-initialization-failure.patch +cifs-fix-memory-leak-of-pneg_inbuf-on-EOPNOTSUPP-ioc.patch +CIFS-cifs_read_allocate_pages-don-t-iterate-through-.patch +Revert-lockd-Show-pid-of-lockd-for-remote-locks.patch +gcc-plugins-Fix-build-failures-under-Darwin-host.patch +drm-tegra-gem-Fix-CPU-cache-maintenance-for-BO-s-all.patch +drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch +drm-sun4i-Fix-sun8i-HDMI-PHY-clock-initialization.patch +drm-sun4i-Fix-sun8i-HDMI-PHY-configuration-for-148.5.patch +drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch +drm-lease-Make-sure-implicit-planes-are-leased.patch +Compiler-Attributes-add-support-for-__copy-gcc-9.patch +include-linux-module.h-copy-__init-__exit-attrs-to-i.patch +x86-ftrace-Do-not-call-function-graph-from-dynamic-t.patch +x86-ftrace-Set-trampoline-pages-as-executable.patch +x86-kprobes-Set-instruction-page-as-executable.patch +of-overlay-validate-overlay-properties-address-cells.patch +of-overlay-set-node-fields-from-properties-when-add-.patch +media-uvcvideo-Fix-uvc_alloc_entity-allocation-align.patch +ethtool-fix-potential-userspace-buffer-overflow.patch +Fix-memory-leak-in-sctp_process_init.patch +ipv4-not-do-cache-for-local-delivery-if-bc_forwardin.patch +ipv6-fix-the-check-before-getting-the-cookie-in-rt6_.patch +neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch +net-ethernet-ti-cpsw_ethtool-fix-ethtool-ring-param-.patch +net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch +net-mvpp2-Use-strscpy-to-handle-stat-strings.patch +net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch +net-sfp-read-eeprom-in-maximum-16-byte-increments.patch +net-tls-replace-the-sleeping-lock-around-RX-resync-w.patch +packet-unconditionally-free-po-rollover.patch +pktgen-do-not-sleep-with-the-thread-lock-held.patch +Revert-fib_rules-return-0-directly-if-an-exactly-sam.patch +ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch +ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch +mtd-spinand-macronix-Fix-ECC-Status-Read.patch +rcu-locking-and-unlocking-need-to-always-be-at-least.patch +parisc-Use-implicit-space-register-selection-for-loa.patch +NFSv4.1-Again-fix-a-race-where-CB_NOTIFY_LOCK-fails-.patch +NFSv4.1-Fix-bug-only-first-CB_NOTIFY_LOCK-is-handled.patch +fuse-fallocate-fix-return-with-locked-inode.patch +pstore-Remove-needless-lock-during-console-writes.patch +pstore-Convert-buf_lock-to-semaphore.patch +pstore-Set-tfm-to-NULL-on-free_buf_for_compression.patch +pstore-ram-Run-without-kernel-crash-dump-region.patch +x86-power-Fix-nosmt-vs-hibernation-triple-fault-duri.patch +x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch +i2c-xiic-Add-max_read_len-quirk.patch +s390-mm-fix-address-space-detection-in-exception-han.patch +xen-blkfront-switch-kcalloc-to-kvcalloc-for-large-ar.patch +MIPS-Bounds-check-virt_addr_valid.patch +MIPS-pistachio-Build-uImage.gz-by-default.patch +MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch +genwqe-Prevent-an-integer-overflow-in-the-ioctl.patch +test_firmware-Use-correct-snprintf-limit.patch +drm-gma500-cdv-Check-vbt-config-bits-when-detecting-.patch +drm-msm-fix-fb-references-in-async-update.patch +drm-add-non-desktop-quirk-for-Valve-HMDs.patch +drm-nouveau-add-kconfig-option-to-turn-off-nouveau-l.patch +drm-Turn-off-Legacy-Context-Functions.patch +drm-add-non-desktop-quirks-to-Sensics-and-OSVR-heads.patch +drm-amdgpu-psp-move-psp-version-specific-function-po.patch +drm-radeon-prefer-lower-reference-dividers.patch +drm-amdgpu-remove-ATPX_DGPU_REQ_POWER_FOR_DISPLAYS-c.patch +drm-i915-Fix-I915_EXEC_RING_MASK.patch +drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch +drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch +drm-i915-Maintain-consistent-documentation-subsectio.patch +drm-don-t-block-fb-changes-for-async-plane-updates.patch +drm-i915-gvt-Initialize-intel_gvt_gtt_entry-in-stack.patch +TTY-serial_core-add-install.patch +ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch +ethtool-check-the-return-value-of-get_regs_len.patch diff --git a/queue/sparc64-Fix-regression-in-non-hypervisor-TLB-flush-x.patch b/queue/sparc64-Fix-regression-in-non-hypervisor-TLB-flush-x.patch new file mode 100644 index 0000000..55ce44e --- /dev/null +++ b/queue/sparc64-Fix-regression-in-non-hypervisor-TLB-flush-x.patch @@ -0,0 +1,45 @@ +From d3c976c14ad8af421134c428b0a89ff8dd3bd8f8 Mon Sep 17 00:00:00 2001 +From: James Clarke <jrtc27@jrtc27.com> +Date: Wed, 29 May 2019 22:31:31 +0100 +Subject: [PATCH] sparc64: Fix regression in non-hypervisor TLB flush xcall + +commit d3c976c14ad8af421134c428b0a89ff8dd3bd8f8 upstream. + +Previously, %g2 would end up with the value PAGE_SIZE, but after the +commit mentioned below it ends up with the value 1 due to being reused +for a different purpose. We need it to be PAGE_SIZE as we use it to step +through pages in our demap loop, otherwise we set different flags in the +low 12 bits of the address written to, thereby doing things other than a +nucleus page flush. + +Fixes: a74ad5e660a9 ("sparc64: Handle extremely large kernel TLB range flushes more gracefully.") +Reported-by: Meelis Roos <mroos@linux.ee> +Tested-by: Meelis Roos <mroos@linux.ee> +Signed-off-by: James Clarke <jrtc27@jrtc27.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/arch/sparc/mm/ultra.S b/arch/sparc/mm/ultra.S +index d245f89d1395..d220b6848746 100644 +--- a/arch/sparc/mm/ultra.S ++++ b/arch/sparc/mm/ultra.S +@@ -587,7 +587,7 @@ xcall_flush_tlb_kernel_range: /* 44 insns */ + sub %g7, %g1, %g3 + srlx %g3, 18, %g2 + brnz,pn %g2, 2f +- add %g2, 1, %g2 ++ sethi %hi(PAGE_SIZE), %g2 + sub %g3, %g2, %g3 + or %g1, 0x20, %g1 ! Nucleus + 1: stxa %g0, [%g1 + %g3] ASI_DMMU_DEMAP +@@ -751,7 +751,7 @@ __cheetah_xcall_flush_tlb_kernel_range: /* 44 insns */ + sub %g7, %g1, %g3 + srlx %g3, 18, %g2 + brnz,pn %g2, 2f +- add %g2, 1, %g2 ++ sethi %hi(PAGE_SIZE), %g2 + sub %g3, %g2, %g3 + or %g1, 0x20, %g1 ! Nucleus + 1: stxa %g0, [%g1 + %g3] ASI_DMMU_DEMAP +-- +2.9.5 + diff --git a/queue/staging-vc04_services-prevent-integer-overflow-in-cr.patch b/queue/staging-vc04_services-prevent-integer-overflow-in-cr.patch new file mode 100644 index 0000000..cb8ceb9 --- /dev/null +++ b/queue/staging-vc04_services-prevent-integer-overflow-in-cr.patch @@ -0,0 +1,55 @@ +From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 15 May 2019 12:38:33 +0300 +Subject: [PATCH] staging: vc04_services: prevent integer overflow in + create_pagelist() + +commit ca641bae6da977d638458e78cd1487b6160a2718 upstream. + +The create_pagelist() "count" parameter comes from the user in +vchiq_ioctl() and it could overflow. If you look at how create_page() +is called in vchiq_prepare_bulk_data(), then the "size" variable is an +int so it doesn't make sense to allow negatives or larger than INT_MAX. + +I don't know this code terribly well, but I believe that typical values +of "count" are typically quite low and I don't think this check will +affect normal valid uses at all. + +The "pagelist_size" calculation can also overflow on 32 bit systems, but +not on 64 bit systems. I have added an integer overflow check for that +as well. + +The Raspberry PI doesn't offer the same level of memory protection that +x86 does so these sorts of bugs are probably not super critical to fix. + +Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +index a9a22917ecdb..c557c9953724 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +@@ -368,9 +368,18 @@ create_pagelist(char __user *buf, size_t count, unsigned short type) + int dma_buffers; + dma_addr_t dma_addr; + ++ if (count >= INT_MAX - PAGE_SIZE) ++ return NULL; ++ + offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1)); + num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE); + ++ if (num_pages > (SIZE_MAX - sizeof(struct pagelist) - ++ sizeof(struct vchiq_pagelist_info)) / ++ (sizeof(u32) + sizeof(pages[0]) + ++ sizeof(struct scatterlist))) ++ return NULL; ++ + pagelist_size = sizeof(struct pagelist) + + (num_pages * sizeof(u32)) + + (num_pages * sizeof(pages[0]) + +-- +2.9.5 + diff --git a/queue/staging-wlan-ng-fix-adapter-initialization-failure.patch b/queue/staging-wlan-ng-fix-adapter-initialization-failure.patch new file mode 100644 index 0000000..085a90d --- /dev/null +++ b/queue/staging-wlan-ng-fix-adapter-initialization-failure.patch @@ -0,0 +1,51 @@ +From a67fedd788182764dc8ed59037c604b7e60349f1 Mon Sep 17 00:00:00 2001 +From: Tim Collier <osdevtc@gmail.com> +Date: Sat, 11 May 2019 18:40:46 +0100 +Subject: [PATCH] staging: wlan-ng: fix adapter initialization failure + +commit a67fedd788182764dc8ed59037c604b7e60349f1 upstream. + +Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long +code line warnings.") moved the retrieval of the transfer buffer from +the URB from the top of function hfa384x_usbin_callback to a point +after reposting of the URB via a call to submit_rx_urb. The reposting +of the URB allocates a new transfer buffer so the new buffer is +retrieved instead of the buffer containing the response passed into +the callback. This results in failure to initialize the adapter with +an error reported in the system log (something like "CTLX[1] error: +state(Request failed)"). + +This change moves the retrieval to just before the point where the URB +is reposted so that the correct transfer buffer is retrieved and +initialization of the device succeeds. + +Signed-off-by: Tim Collier <osdevtc@gmail.com> +Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c +index 6fde75d4f064..ab734534093b 100644 +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struct urb *urb) + break; + } + ++ /* Save values from the RX URB before reposting overwrites it. */ + urb_status = urb->status; ++ usbin = (union hfa384x_usbin *)urb->transfer_buffer; + + if (action != ABORT) { + /* Repost the RX URB */ +@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struct urb *urb) + /* Note: the check of the sw_support field, the type field doesn't + * have bit 12 set like the docs suggest. + */ +- usbin = (union hfa384x_usbin *)urb->transfer_buffer; + type = le16_to_cpu(usbin->type); + if (HFA384x_USB_ISRXFRM(type)) { + if (action == HANDLE) { +-- +2.9.5 + diff --git a/queue/test_firmware-Use-correct-snprintf-limit.patch b/queue/test_firmware-Use-correct-snprintf-limit.patch new file mode 100644 index 0000000..81936af --- /dev/null +++ b/queue/test_firmware-Use-correct-snprintf-limit.patch @@ -0,0 +1,67 @@ +From bd17cc5a20ae9aaa3ed775f360b75ff93cd66a1d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 15 May 2019 12:33:22 +0300 +Subject: [PATCH] test_firmware: Use correct snprintf() limit + +commit bd17cc5a20ae9aaa3ed775f360b75ff93cd66a1d upstream. + +The limit here is supposed to be how much of the page is left, but it's +just using PAGE_SIZE as the limit. + +The other thing to remember is that snprintf() returns the number of +bytes which would have been copied if we had had enough room. So that +means that if we run out of space then this code would end up passing a +negative value as the limit and the kernel would print an error message. +I have change the code to use scnprintf() which returns the number of +bytes that were successfully printed (not counting the NUL terminator). + +Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/lib/test_firmware.c b/lib/test_firmware.c +index 7222093ee00b..b5487ed829d7 100644 +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -223,30 +223,30 @@ static ssize_t config_show(struct device *dev, + + mutex_lock(&test_fw_mutex); + +- len += snprintf(buf, PAGE_SIZE, ++ len += scnprintf(buf, PAGE_SIZE - len, + "Custom trigger configuration for: %s\n", + dev_name(dev)); + + if (test_fw_config->name) +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "name:\t%s\n", + test_fw_config->name); + else +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "name:\tEMTPY\n"); + +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "num_requests:\t%u\n", test_fw_config->num_requests); + +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "send_uevent:\t\t%s\n", + test_fw_config->send_uevent ? + "FW_ACTION_HOTPLUG" : + "FW_ACTION_NOHOTPLUG"); +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "sync_direct:\t\t%s\n", + test_fw_config->sync_direct ? "true" : "false"); +- len += snprintf(buf+len, PAGE_SIZE, ++ len += scnprintf(buf+len, PAGE_SIZE - len, + "read_fw_idx:\t%u\n", test_fw_config->read_fw_idx); + + mutex_unlock(&test_fw_mutex); +-- +2.9.5 + diff --git a/queue/tipc-fix-modprobe-tipc-failed-after-switch-order-of-.patch b/queue/tipc-fix-modprobe-tipc-failed-after-switch-order-of-.patch new file mode 100644 index 0000000..231674b --- /dev/null +++ b/queue/tipc-fix-modprobe-tipc-failed-after-switch-order-of-.patch @@ -0,0 +1,162 @@ +From 526f5b851a96566803ee4bee60d0a34df56c77f8 Mon Sep 17 00:00:00 2001 +From: Junwei Hu <hujunwei4@huawei.com> +Date: Mon, 20 May 2019 14:43:59 +0800 +Subject: [PATCH] tipc: fix modprobe tipc failed after switch order of device + registration + +commit 526f5b851a96566803ee4bee60d0a34df56c77f8 upstream. + +Error message printed: +modprobe: ERROR: could not insert 'tipc': Address family not +supported by protocol. +when modprobe tipc after the following patch: switch order of +device registration, commit 7e27e8d6130c +("tipc: switch order of device registration to fix a crash") + +Because sock_create_kern(net, AF_TIPC, ...) called by +tipc_topsrv_create_listener() in the initialization process +of tipc_init_net(), so tipc_socket_init() must be execute before that. +Meanwhile, tipc_net_id need to be initialized when sock_create() +called, and tipc_socket_init() is no need to be called for each namespace. + +I add a variable tipc_topsrv_net_ops, and split the +register_pernet_subsys() of tipc into two parts, and split +tipc_socket_init() with initialization of pernet params. + +By the way, I fixed resources rollback error when tipc_bcast_init() +failed in tipc_init_net(). + +Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash") +Signed-off-by: Junwei Hu <hujunwei4@huawei.com> +Reported-by: Wang Wang <wangwang2@huawei.com> +Reported-by: syzbot+1e8114b61079bfe9cbc5@syzkaller.appspotmail.com +Reviewed-by: Kang Zhou <zhoukang7@huawei.com> +Reviewed-by: Suanming Mou <mousuanming@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tipc/core.c b/net/tipc/core.c +index ddd2e0f67c07..ed536c05252a 100644 +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -77,9 +77,6 @@ static int __net_init tipc_init_net(struct net *net) + goto out_nametbl; + + INIT_LIST_HEAD(&tn->dist_queue); +- err = tipc_topsrv_start(net); +- if (err) +- goto out_subscr; + + err = tipc_bcast_init(net); + if (err) +@@ -88,8 +85,6 @@ static int __net_init tipc_init_net(struct net *net) + return 0; + + out_bclink: +- tipc_bcast_stop(net); +-out_subscr: + tipc_nametbl_stop(net); + out_nametbl: + tipc_sk_rht_destroy(net); +@@ -99,7 +94,6 @@ out_sk_rht: + + static void __net_exit tipc_exit_net(struct net *net) + { +- tipc_topsrv_stop(net); + tipc_net_stop(net); + tipc_bcast_stop(net); + tipc_nametbl_stop(net); +@@ -113,6 +107,11 @@ static struct pernet_operations tipc_net_ops = { + .size = sizeof(struct tipc_net), + }; + ++static struct pernet_operations tipc_topsrv_net_ops = { ++ .init = tipc_topsrv_init_net, ++ .exit = tipc_topsrv_exit_net, ++}; ++ + static int __init tipc_init(void) + { + int err; +@@ -143,6 +142,10 @@ static int __init tipc_init(void) + if (err) + goto out_socket; + ++ err = register_pernet_subsys(&tipc_topsrv_net_ops); ++ if (err) ++ goto out_pernet_topsrv; ++ + err = tipc_bearer_setup(); + if (err) + goto out_bearer; +@@ -150,6 +153,8 @@ static int __init tipc_init(void) + pr_info("Started in single node mode\n"); + return 0; + out_bearer: ++ unregister_pernet_subsys(&tipc_topsrv_net_ops); ++out_pernet_topsrv: + tipc_socket_stop(); + out_socket: + unregister_pernet_subsys(&tipc_net_ops); +@@ -167,6 +172,7 @@ out_netlink: + static void __exit tipc_exit(void) + { + tipc_bearer_cleanup(); ++ unregister_pernet_subsys(&tipc_topsrv_net_ops); + tipc_socket_stop(); + unregister_pernet_subsys(&tipc_net_ops); + tipc_netlink_stop(); +diff --git a/net/tipc/subscr.h b/net/tipc/subscr.h +index d793b4343885..aa015c233898 100644 +--- a/net/tipc/subscr.h ++++ b/net/tipc/subscr.h +@@ -77,8 +77,9 @@ void tipc_sub_report_overlap(struct tipc_subscription *sub, + u32 found_lower, u32 found_upper, + u32 event, u32 port, u32 node, + u32 scope, int must); +-int tipc_topsrv_start(struct net *net); +-void tipc_topsrv_stop(struct net *net); ++ ++int __net_init tipc_topsrv_init_net(struct net *net); ++void __net_exit tipc_topsrv_exit_net(struct net *net); + + void tipc_sub_put(struct tipc_subscription *subscription); + void tipc_sub_get(struct tipc_subscription *subscription); +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index b45932d78004..f345662890a6 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -635,7 +635,7 @@ static void tipc_topsrv_work_stop(struct tipc_topsrv *s) + destroy_workqueue(s->send_wq); + } + +-int tipc_topsrv_start(struct net *net) ++static int tipc_topsrv_start(struct net *net) + { + struct tipc_net *tn = tipc_net(net); + const char name[] = "topology_server"; +@@ -668,7 +668,7 @@ int tipc_topsrv_start(struct net *net) + return ret; + } + +-void tipc_topsrv_stop(struct net *net) ++static void tipc_topsrv_stop(struct net *net) + { + struct tipc_topsrv *srv = tipc_topsrv(net); + struct socket *lsock = srv->listener; +@@ -693,3 +693,13 @@ void tipc_topsrv_stop(struct net *net) + idr_destroy(&srv->conn_idr); + kfree(srv); + } ++ ++int __net_init tipc_topsrv_init_net(struct net *net) ++{ ++ return tipc_topsrv_start(net); ++} ++ ++void __net_exit tipc_topsrv_exit_net(struct net *net) ++{ ++ tipc_topsrv_stop(net); ++} +-- +2.9.5 + diff --git a/queue/tracing-Avoid-memory-leak-in-predicate_parse.patch b/queue/tracing-Avoid-memory-leak-in-predicate_parse.patch new file mode 100644 index 0000000..741b5d9 --- /dev/null +++ b/queue/tracing-Avoid-memory-leak-in-predicate_parse.patch @@ -0,0 +1,51 @@ +From dfb4a6f2191a80c8b790117d0ff592fd712d3296 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli <tomasbortoli@gmail.com> +Date: Tue, 28 May 2019 17:43:38 +0200 +Subject: [PATCH] tracing: Avoid memory leak in predicate_parse() + +commit dfb4a6f2191a80c8b790117d0ff592fd712d3296 upstream. + +In case of errors, predicate_parse() goes to the out_free label +to free memory and to return an error code. + +However, predicate_parse() does not free the predicates of the +temporary prog_stack array, thence leaking them. + +Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com + +Cc: stable@vger.kernel.org +Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") +Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com +Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> +[ Added protection around freeing prog_stack[i].pred ] +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index d3e59312ef40..5079d1db3754 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -428,7 +428,7 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, + op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL); + if (!op_stack) + return ERR_PTR(-ENOMEM); +- prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL); ++ prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL); + if (!prog_stack) { + parse_error(pe, -ENOMEM, 0); + goto out_free; +@@ -579,7 +579,11 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, + out_free: + kfree(op_stack); + kfree(inverts); +- kfree(prog_stack); ++ if (prog_stack) { ++ for (i = 0; prog_stack[i].pred; i++) ++ kfree(prog_stack[i].pred); ++ kfree(prog_stack); ++ } + return ERR_PTR(ret); + } + +-- +2.9.5 + diff --git a/queue/tty-max310x-Fix-external-crystal-register-setup.patch b/queue/tty-max310x-Fix-external-crystal-register-setup.patch new file mode 100644 index 0000000..451f551 --- /dev/null +++ b/queue/tty-max310x-Fix-external-crystal-register-setup.patch @@ -0,0 +1,41 @@ +From 5d24f455c182d5116dd5db8e1dc501115ecc9c2c Mon Sep 17 00:00:00 2001 +From: Joe Burmeister <joe.burmeister@devtank.co.uk> +Date: Mon, 13 May 2019 11:23:57 +0100 +Subject: [PATCH] tty: max310x: Fix external crystal register setup + +commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream. + +The datasheet states: + + Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking +(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable +clocking + Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal +oscillator. When using an external clock source at XIN, CrystalEn must +be set low. + +The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not. + +This was required to make the MAX3107 with an external crystal on our +board able to send or receive data. + +Signed-off-by: Joe Burmeister <joe.burmeister@devtank.co.uk> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index 450ba6d7996c..e5aebbf5f302 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -581,7 +581,7 @@ static int max310x_set_ref_clk(struct device *dev, struct max310x_port *s, + } + + /* Configure clock source */ +- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT; ++ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0); + + /* Configure PLL */ + if (pllcfg) { +-- +2.9.5 + diff --git a/queue/tty-serial-msm_serial-Fix-XON-XOFF.patch b/queue/tty-serial-msm_serial-Fix-XON-XOFF.patch new file mode 100644 index 0000000..cbc4953 --- /dev/null +++ b/queue/tty-serial-msm_serial-Fix-XON-XOFF.patch @@ -0,0 +1,52 @@ +From 61c0e37950b88bad590056286c1d766b1f167f4e Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> +Date: Mon, 20 May 2019 20:38:48 +0200 +Subject: [PATCH] tty: serial: msm_serial: Fix XON/XOFF + +commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream. + +When the tty layer requests the uart to throttle, the current code +executing in msm_serial will trigger "Bad mode in Error Handler" and +generate an invalid stack frame in pstore before rebooting (that is if +pstore is indeed configured: otherwise the user shall just notice a +reboot with no further information dumped to the console). + +This patch replaces the PIO byte accessor with the word accessor +already used in PIO mode. + +Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> +Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> +Reviewed-by: Stephen Boyd <swboyd@chromium.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 109096033bb1..23833ad952ba 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -860,6 +860,7 @@ static void msm_handle_tx(struct uart_port *port) + struct circ_buf *xmit = &msm_port->uart.state->xmit; + struct msm_dma *dma = &msm_port->tx_dma; + unsigned int pio_count, dma_count, dma_min; ++ char buf[4] = { 0 }; + void __iomem *tf; + int err = 0; + +@@ -869,10 +870,12 @@ static void msm_handle_tx(struct uart_port *port) + else + tf = port->membase + UART_TF; + ++ buf[0] = port->x_char; ++ + if (msm_port->is_uartdm) + msm_reset_dm_count(port, 1); + +- iowrite8_rep(tf, &port->x_char, 1); ++ iowrite32_rep(tf, buf, 1); + port->icount.tx++; + port->x_char = 0; + return; +-- +2.9.5 + diff --git a/queue/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-.patch b/queue/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-.patch new file mode 100644 index 0000000..b6ec437 --- /dev/null +++ b/queue/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-.patch @@ -0,0 +1,105 @@ +From 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e Mon Sep 17 00:00:00 2001 +From: Carsten Schmid <carsten_schmid@mentor.com> +Date: Wed, 22 May 2019 14:33:59 +0300 +Subject: [PATCH] usb: xhci: avoid null pointer deref when bos field is NULL + +commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream. + +With defective USB sticks we see the following error happen: +usb 1-3: new high-speed USB device number 6 using xhci_hcd +usb 1-3: device descriptor read/64, error -71 +usb 1-3: device descriptor read/64, error -71 +usb 1-3: new high-speed USB device number 7 using xhci_hcd +usb 1-3: device descriptor read/64, error -71 +usb 1-3: unable to get BOS descriptor set +usb 1-3: New USB device found, idVendor=0781, idProduct=5581 +usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +... +BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + +This comes from the following place: +[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] +[ 1660.222092] PGD 0 P4D 0 +[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P U W O 4.14.67-apl #1 +[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore] +[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000 +[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] +[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046 +[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002 +[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2 +[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001 +[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000 +[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000 +[ 1660.499494] FS: 0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000 +[ 1660.508530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0 +[ 1660.522917] Call Trace: +[ 1660.525657] usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore] +[ 1660.531792] usb_disable_device+0x242/0x260 [usbcore] +[ 1660.537439] usb_disconnect+0xc1/0x2b0 [usbcore] +[ 1660.542600] hub_event+0x596/0x18f0 [usbcore] +[ 1660.547467] ? trace_preempt_on+0xdf/0x100 +[ 1660.552040] ? process_one_work+0x1c1/0x410 +[ 1660.556708] process_one_work+0x1d2/0x410 +[ 1660.561184] ? preempt_count_add.part.3+0x21/0x60 +[ 1660.566436] worker_thread+0x2d/0x3f0 +[ 1660.570522] kthread+0x122/0x140 +[ 1660.574123] ? process_one_work+0x410/0x410 +[ 1660.578792] ? kthread_create_on_node+0x60/0x60 +[ 1660.583849] ret_from_fork+0x3a/0x50 +[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00 +[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70 +[ 1660.617921] CR2: 0000000000000008 + +Tracking this down shows that udev->bos is NULL in the following code: +(xhci.c, in xhci_set_usb2_hardware_lpm) + field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); <<<<<<< here + + xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", + enable ? "enable" : "disable", port_num + 1); + + if (enable) { + /* Host supports BESL timeout instead of HIRD */ + if (udev->usb2_hw_lpm_besl_capable) { + /* if device doesn't have a preferred BESL value use a + * default one which works with mixed HIRD and BESL + * systems. See XHCI_DEFAULT_BESL definition in xhci.h + */ + if ((field & USB_BESL_SUPPORT) && + (field & USB_BESL_BASELINE_VALID)) + hird = USB_GET_BESL_BASELINE(field); + else + hird = udev->l1_params.besl; + +The failing case is when disabling LPM. So it is sufficient to avoid +access to udev->bos by moving the instruction into the "enable" clause. + +Cc: Stable <stable@vger.kernel.org> +Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index a9bb796794e3..048a675bbc52 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4320,7 +4320,6 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, + pm_addr = ports[port_num]->addr + PORTPMSC; + pm_val = readl(pm_addr); + hlpm_addr = ports[port_num]->addr + PORTHLPMC; +- field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); + + xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", + enable ? "enable" : "disable", port_num + 1); +@@ -4332,6 +4331,7 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, + * default one which works with mixed HIRD and BESL + * systems. See XHCI_DEFAULT_BESL definition in xhci.h + */ ++ field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); + if ((field & USB_BESL_SUPPORT) && + (field & USB_BESL_BASELINE_VALID)) + hird = USB_GET_BESL_BASELINE(field); +-- +2.9.5 + diff --git a/queue/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch b/queue/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch new file mode 100644 index 0000000..a11e766 --- /dev/null +++ b/queue/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch @@ -0,0 +1,242 @@ +From 0c9e8b3cad654bfc499c10b652fbf8f0b890af8f Mon Sep 17 00:00:00 2001 +From: Shuah Khan <skhan@linuxfoundation.org> +Date: Thu, 2 May 2019 13:47:02 -0600 +Subject: [PATCH] usbip: usbip_host: fix BUG: sleeping function called from + invalid context + +commit 0c9e8b3cad654bfc499c10b652fbf8f0b890af8f upstream. + +stub_probe() and stub_disconnect() call functions which could call +sleeping function in invalid context whil holding busid_lock. + +Fix the problem by refining the lock holds to short critical sections +to change the busid_priv fields. This fix restructures the code to +limit the lock holds in stub_probe() and stub_disconnect(). + +stub_probe(): + +[15217.927028] BUG: sleeping function called from invalid context at mm/slab.h:418 +[15217.927038] in_atomic(): 1, irqs_disabled(): 0, pid: 29087, name: usbip +[15217.927044] 5 locks held by usbip/29087: +[15217.927047] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0 +[15217.927062] #1: 000000008f9ba75b (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0 +[15217.927072] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50 +[15217.927082] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50 +[15217.927090] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host] +[15217.927103] CPU: 3 PID: 29087 Comm: usbip Tainted: G W 5.1.0-rc6+ #40 +[15217.927106] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013 +[15217.927109] Call Trace: +[15217.927118] dump_stack+0x63/0x85 +[15217.927127] ___might_sleep+0xff/0x120 +[15217.927133] __might_sleep+0x4a/0x80 +[15217.927143] kmem_cache_alloc_trace+0x1aa/0x210 +[15217.927156] stub_probe+0xe8/0x440 [usbip_host] +[15217.927171] usb_probe_device+0x34/0x70 + +stub_disconnect(): + +[15279.182478] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 +[15279.182487] in_atomic(): 1, irqs_disabled(): 0, pid: 29114, name: usbip +[15279.182492] 5 locks held by usbip/29114: +[15279.182494] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0 +[15279.182506] #1: 00000000702cf0f3 (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0 +[15279.182514] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50 +[15279.182522] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50 +[15279.182529] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host] +[15279.182541] CPU: 0 PID: 29114 Comm: usbip Tainted: G W 5.1.0-rc6+ #40 +[15279.182543] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013 +[15279.182546] Call Trace: +[15279.182554] dump_stack+0x63/0x85 +[15279.182561] ___might_sleep+0xff/0x120 +[15279.182566] __might_sleep+0x4a/0x80 +[15279.182574] __mutex_lock+0x55/0x950 +[15279.182582] ? get_busid_priv+0x48/0x60 [usbip_host] +[15279.182587] ? reacquire_held_locks+0xec/0x1a0 +[15279.182591] ? get_busid_priv+0x48/0x60 [usbip_host] +[15279.182597] ? find_held_lock+0x94/0xa0 +[15279.182609] mutex_lock_nested+0x1b/0x20 +[15279.182614] ? mutex_lock_nested+0x1b/0x20 +[15279.182618] kernfs_remove_by_name_ns+0x2a/0x90 +[15279.182625] sysfs_remove_file_ns+0x15/0x20 +[15279.182629] device_remove_file+0x19/0x20 +[15279.182634] stub_disconnect+0x6d/0x180 [usbip_host] +[15279.182643] usb_unbind_device+0x27/0x60 + +Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index c0d6ff1baa72..d094c96643d2 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -301,9 +301,17 @@ static int stub_probe(struct usb_device *udev) + const char *udev_busid = dev_name(&udev->dev); + struct bus_id_priv *busid_priv; + int rc = 0; ++ char save_status; + + dev_dbg(&udev->dev, "Enter probe\n"); + ++ /* Not sure if this is our device. Allocate here to avoid ++ * calling alloc while holding busid_table lock. ++ */ ++ sdev = stub_device_alloc(udev); ++ if (!sdev) ++ return -ENOMEM; ++ + /* check we should claim or not by busid_table */ + busid_priv = get_busid_priv(udev_busid); + if (!busid_priv || (busid_priv->status == STUB_BUSID_REMOV) || +@@ -318,14 +326,14 @@ static int stub_probe(struct usb_device *udev) + * See driver_probe_device() in driver/base/dd.c + */ + rc = -ENODEV; +- goto call_put_busid_priv; ++ goto sdev_free; + } + + if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) { + dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n", + udev_busid); + rc = -ENODEV; +- goto call_put_busid_priv; ++ goto sdev_free; + } + + if (!strcmp(udev->bus->bus_name, "vhci_hcd")) { +@@ -334,15 +342,9 @@ static int stub_probe(struct usb_device *udev) + udev_busid); + + rc = -ENODEV; +- goto call_put_busid_priv; ++ goto sdev_free; + } + +- /* ok, this is my device */ +- sdev = stub_device_alloc(udev); +- if (!sdev) { +- rc = -ENOMEM; +- goto call_put_busid_priv; +- } + + dev_info(&udev->dev, + "usbip-host: register new device (bus %u dev %u)\n", +@@ -352,9 +354,13 @@ static int stub_probe(struct usb_device *udev) + + /* set private data to usb_device */ + dev_set_drvdata(&udev->dev, sdev); ++ + busid_priv->sdev = sdev; + busid_priv->udev = udev; + ++ save_status = busid_priv->status; ++ busid_priv->status = STUB_BUSID_ALLOC; ++ + /* + * Claim this hub port. + * It doesn't matter what value we pass as owner +@@ -367,15 +373,16 @@ static int stub_probe(struct usb_device *udev) + goto err_port; + } + ++ /* release the busid_lock */ ++ put_busid_priv(busid_priv); ++ + rc = stub_add_files(&udev->dev); + if (rc) { + dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid); + goto err_files; + } +- busid_priv->status = STUB_BUSID_ALLOC; + +- rc = 0; +- goto call_put_busid_priv; ++ return 0; + + err_files: + usb_hub_release_port(udev->parent, udev->portnum, +@@ -384,23 +391,24 @@ err_port: + dev_set_drvdata(&udev->dev, NULL); + usb_put_dev(udev); + ++ /* we already have busid_priv, just lock busid_lock */ ++ spin_lock(&busid_priv->busid_lock); + busid_priv->sdev = NULL; ++ busid_priv->status = save_status; ++sdev_free: + stub_device_free(sdev); +- +-call_put_busid_priv: ++ /* release the busid_lock */ + put_busid_priv(busid_priv); ++ + return rc; + } + + static void shutdown_busid(struct bus_id_priv *busid_priv) + { +- if (busid_priv->sdev && !busid_priv->shutdown_busid) { +- busid_priv->shutdown_busid = 1; +- usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED); ++ usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED); + +- /* wait for the stop of the event handler */ +- usbip_stop_eh(&busid_priv->sdev->ud); +- } ++ /* wait for the stop of the event handler */ ++ usbip_stop_eh(&busid_priv->sdev->ud); + } + + /* +@@ -432,6 +440,9 @@ static void stub_disconnect(struct usb_device *udev) + + dev_set_drvdata(&udev->dev, NULL); + ++ /* release busid_lock before call to remove device files */ ++ put_busid_priv(busid_priv); ++ + /* + * NOTE: rx/tx threads are invoked for each usb_device. + */ +@@ -442,18 +453,27 @@ static void stub_disconnect(struct usb_device *udev) + (struct usb_dev_state *) udev); + if (rc) { + dev_dbg(&udev->dev, "unable to release port\n"); +- goto call_put_busid_priv; ++ return; + } + + /* If usb reset is called from event handler */ + if (usbip_in_eh(current)) +- goto call_put_busid_priv; ++ return; ++ ++ /* we already have busid_priv, just lock busid_lock */ ++ spin_lock(&busid_priv->busid_lock); ++ if (!busid_priv->shutdown_busid) ++ busid_priv->shutdown_busid = 1; ++ /* release busid_lock */ ++ put_busid_priv(busid_priv); + + /* shutdown the current connection */ + shutdown_busid(busid_priv); + + usb_put_dev(sdev->udev); + ++ /* we already have busid_priv, just lock busid_lock */ ++ spin_lock(&busid_priv->busid_lock); + /* free sdev */ + busid_priv->sdev = NULL; + stub_device_free(sdev); +@@ -462,6 +482,7 @@ static void stub_disconnect(struct usb_device *udev) + busid_priv->status = STUB_BUSID_ADDED; + + call_put_busid_priv: ++ /* release busid_lock */ + put_busid_priv(busid_priv); + } + +-- +2.9.5 + diff --git a/queue/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch b/queue/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch new file mode 100644 index 0000000..3873bfe --- /dev/null +++ b/queue/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch @@ -0,0 +1,154 @@ +From 3ea3091f1bd8586125848c62be295910e9802af0 Mon Sep 17 00:00:00 2001 +From: Shuah Khan <skhan@linuxfoundation.org> +Date: Wed, 29 May 2019 13:46:15 -0600 +Subject: [PATCH] usbip: usbip_host: fix stub_dev lock context imbalance + regression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 3ea3091f1bd8586125848c62be295910e9802af0 upstream. + +Fix the following sparse context imbalance regression introduced in +a patch that fixed sleeping function called from invalid context bug. + +kbuild test robot reported on: + +tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus + +Regressions in current branch: + +drivers/usb/usbip/stub_dev.c:399:9: sparse: sparse: context imbalance in 'stub_probe' - different lock contexts for basic block +drivers/usb/usbip/stub_dev.c:418:13: sparse: sparse: context imbalance in 'stub_disconnect' - different lock contexts for basic block +drivers/usb/usbip/stub_dev.c:464:1-10: second lock on line 476 + +Error ids grouped by kconfigs: + +recent_errors +├── i386-allmodconfig +│ └── drivers-usb-usbip-stub_dev.c:second-lock-on-line +├── x86_64-allmodconfig +│ ├── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_disconnect-different-lock-contexts-for-basic-block +│ └── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_probe-different-lock-contexts-for-basic-block +└── x86_64-allyesconfig + └── drivers-usb-usbip-stub_dev.c:second-lock-on-line + +This is a real problem in an error leg where spin_lock() is called on an +already held lock. + +Fix the imbalance in stub_probe() and stub_disconnect(). + +Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> +Fixes: 0c9e8b3cad65 ("usbip: usbip_host: fix BUG: sleeping function called from invalid context") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index d094c96643d2..7931e6cecc70 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -326,14 +326,17 @@ static int stub_probe(struct usb_device *udev) + * See driver_probe_device() in driver/base/dd.c + */ + rc = -ENODEV; +- goto sdev_free; ++ if (!busid_priv) ++ goto sdev_free; ++ ++ goto call_put_busid_priv; + } + + if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) { + dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n", + udev_busid); + rc = -ENODEV; +- goto sdev_free; ++ goto call_put_busid_priv; + } + + if (!strcmp(udev->bus->bus_name, "vhci_hcd")) { +@@ -342,7 +345,7 @@ static int stub_probe(struct usb_device *udev) + udev_busid); + + rc = -ENODEV; +- goto sdev_free; ++ goto call_put_busid_priv; + } + + +@@ -361,6 +364,9 @@ static int stub_probe(struct usb_device *udev) + save_status = busid_priv->status; + busid_priv->status = STUB_BUSID_ALLOC; + ++ /* release the busid_lock */ ++ put_busid_priv(busid_priv); ++ + /* + * Claim this hub port. + * It doesn't matter what value we pass as owner +@@ -373,9 +379,6 @@ static int stub_probe(struct usb_device *udev) + goto err_port; + } + +- /* release the busid_lock */ +- put_busid_priv(busid_priv); +- + rc = stub_add_files(&udev->dev); + if (rc) { + dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid); +@@ -395,11 +398,17 @@ err_port: + spin_lock(&busid_priv->busid_lock); + busid_priv->sdev = NULL; + busid_priv->status = save_status; +-sdev_free: +- stub_device_free(sdev); ++ spin_unlock(&busid_priv->busid_lock); ++ /* lock is released - go to free */ ++ goto sdev_free; ++ ++call_put_busid_priv: + /* release the busid_lock */ + put_busid_priv(busid_priv); + ++sdev_free: ++ stub_device_free(sdev); ++ + return rc; + } + +@@ -435,7 +444,9 @@ static void stub_disconnect(struct usb_device *udev) + /* get stub_device */ + if (!sdev) { + dev_err(&udev->dev, "could not get device"); +- goto call_put_busid_priv; ++ /* release busid_lock */ ++ put_busid_priv(busid_priv); ++ return; + } + + dev_set_drvdata(&udev->dev, NULL); +@@ -465,7 +476,7 @@ static void stub_disconnect(struct usb_device *udev) + if (!busid_priv->shutdown_busid) + busid_priv->shutdown_busid = 1; + /* release busid_lock */ +- put_busid_priv(busid_priv); ++ spin_unlock(&busid_priv->busid_lock); + + /* shutdown the current connection */ + shutdown_busid(busid_priv); +@@ -480,10 +491,9 @@ static void stub_disconnect(struct usb_device *udev) + + if (busid_priv->status == STUB_BUSID_ALLOC) + busid_priv->status = STUB_BUSID_ADDED; +- +-call_put_busid_priv: + /* release busid_lock */ +- put_busid_priv(busid_priv); ++ spin_unlock(&busid_priv->busid_lock); ++ return; + } + + #ifdef CONFIG_PM +-- +2.9.5 + diff --git a/queue/usbnet-fix-kernel-crash-after-disconnect.patch b/queue/usbnet-fix-kernel-crash-after-disconnect.patch new file mode 100644 index 0000000..2a812b0 --- /dev/null +++ b/queue/usbnet-fix-kernel-crash-after-disconnect.patch @@ -0,0 +1,92 @@ +From ad70411a978d1e6e97b1e341a7bde9a79af0c93d Mon Sep 17 00:00:00 2001 +From: Kloetzke Jan <Jan.Kloetzke@preh.de> +Date: Tue, 21 May 2019 13:18:40 +0000 +Subject: [PATCH] usbnet: fix kernel crash after disconnect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d upstream. + +When disconnecting cdc_ncm the kernel sporadically crashes shortly +after the disconnect: + + [ 57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000 + ... + [ 58.006653] PC is at 0x0 + [ 58.009202] LR is at call_timer_fn+0xec/0x1b4 + [ 58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145 + [ 58.020976] sp : ffffff8008003da0 + [ 58.024295] x29: ffffff8008003da0 x28: 0000000000000001 + [ 58.029618] x27: 000000000000000a x26: 0000000000000100 + [ 58.034941] x25: 0000000000000000 x24: ffffff8008003e68 + [ 58.040263] x23: 0000000000000000 x22: 0000000000000000 + [ 58.045587] x21: 0000000000000000 x20: ffffffc68fac1808 + [ 58.050910] x19: 0000000000000100 x18: 0000000000000000 + [ 58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10 + [ 58.061556] x15: 0000000000000001 x14: 000000000000006e + [ 58.066878] x13: 0000000000000000 x12: 00000000000000ba + [ 58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020 + [ 58.077524] x9 : 8000100008001000 x8 : 0000000000000001 + [ 58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70 + [ 58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b + [ 58.093492] x3 : 0000000000000000 x2 : 0000000000000000 + [ 58.098814] x1 : 0000000000000000 x0 : 0000000000000000 + ... + [ 58.205800] [< (null)>] (null) + [ 58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c + [ 58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128 + [ 58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348 + [ 58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc + [ 58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac + [ 58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac + ... + +The crash happens roughly 125..130ms after the disconnect. This +correlates with the 'delay' timer that is started on certain USB tx/rx +errors in the URB completion handler. + +The problem is a race of usbnet_stop() with usbnet_start_xmit(). In +usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in +flight. This only makes sense if no new URBs are submitted +concurrently, though. But the usbnet_start_xmit() can run at the same +time on another CPU which almost unconditionally submits an URB. The +error callback of the new URB will then schedule the timer after it was +already stopped. + +The fix adds a check if the tx queue is stopped after the tx list lock +has been taken. This should reliably prevent the submission of new URBs +while usbnet_terminate_urbs() does its job. The same thing is done on +the rx side even though it might be safe due to other flags that are +checked there. + +Signed-off-by: Jan Klötzke <Jan.Kloetzke@preh.de> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 504282af27e5..921cc0571bd0 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -506,6 +506,7 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) + + if (netif_running (dev->net) && + netif_device_present (dev->net) && ++ test_bit(EVENT_DEV_OPEN, &dev->flags) && + !test_bit (EVENT_RX_HALT, &dev->flags) && + !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) { + switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) { +@@ -1431,6 +1432,11 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, + spin_unlock_irqrestore(&dev->txq.lock, flags); + goto drop; + } ++ if (netif_queue_stopped(net)) { ++ usb_autopm_put_interface_async(dev->intf); ++ spin_unlock_irqrestore(&dev->txq.lock, flags); ++ goto drop; ++ } + + #ifdef CONFIG_PM + /* if this triggers the device is still a sleep */ +-- +2.9.5 + diff --git a/queue/vt-fbcon-deinitialize-resources-in-visual_init-after.patch b/queue/vt-fbcon-deinitialize-resources-in-visual_init-after.patch new file mode 100644 index 0000000..284810d --- /dev/null +++ b/queue/vt-fbcon-deinitialize-resources-in-visual_init-after.patch @@ -0,0 +1,97 @@ +From a1ad1cc9704f64c169261a76e1aee1cf1ae51832 Mon Sep 17 00:00:00 2001 +From: Grzegorz Halat <ghalat@redhat.com> +Date: Fri, 26 Apr 2019 16:59:46 +0200 +Subject: [PATCH] vt/fbcon: deinitialize resources in visual_init() after + failed memory allocation + +commit a1ad1cc9704f64c169261a76e1aee1cf1ae51832 upstream. + +After memory allocation failure vc_allocate() doesn't clean up data +which has been initialized in visual_init(). In case of fbcon this +leads to divide-by-0 in fbcon_init() on next open of the same tty. + +memory allocation in vc_allocate() may fail here: +1097: vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); + +on next open() fbcon_init() skips vc_font.data initialization: +1088: if (!p->fontdata) { + +division by zero in fbcon_init() happens here: +1149: new_cols /= vc->vc_font.width; + +Additional check is needed in fbcon_deinit() to prevent +usage of uninitialized vc_screenbuf: + +1251: if (vc->vc_hi_font_mask && vc->vc_screenbuf) +1252: set_vc_hi_font(vc, false); + +Crash: + + #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4 + [exception RIP: fbcon_init+463] + RIP: ffffffff814b860f RSP: ffffc90001eafb18 RFLAGS: 00010246 +... + #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e + #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c + #9 [ffffc90001eafbc8] con_install at ffffffff8154f624 +... + +Signed-off-by: Grzegorz Halat <ghalat@redhat.com> +Reviewed-by: Oleksandr Natalenko <oleksandr@redhat.com> +Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index fdd12f8c3deb..5c0ca1c24b6f 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *vc, int num, int init) + vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row; + } + ++ ++static void visual_deinit(struct vc_data *vc) ++{ ++ vc->vc_sw->con_deinit(vc); ++ module_put(vc->vc_sw->owner); ++} ++ + int vc_allocate(unsigned int currcons) /* return 0 on success */ + { + struct vt_notifier_param param; +@@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */ + + return 0; + err_free: ++ visual_deinit(vc); + kfree(vc); + vc_cons[currcons].d = NULL; + return -ENOMEM; +@@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned int currcons) + param.vc = vc = vc_cons[currcons].d; + atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m); + vcs_remove_sysfs(currcons); +- vc->vc_sw->con_deinit(vc); ++ visual_deinit(vc); + put_pid(vc->vt_pid); +- module_put(vc->vc_sw->owner); + vc_uniscr_set(vc, NULL); + kfree(vc->vc_screenbuf); + vc_cons[currcons].d = NULL; +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index 786f9aab55df..a9c69ae30878 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1248,7 +1248,7 @@ finished: + if (free_font) + vc->vc_font.data = NULL; + +- if (vc->vc_hi_font_mask) ++ if (vc->vc_hi_font_mask && vc->vc_screenbuf) + set_vc_hi_font(vc, false); + + if (!con_is_bound(&fb_con)) +-- +2.9.5 + diff --git a/queue/x86-ftrace-Do-not-call-function-graph-from-dynamic-t.patch b/queue/x86-ftrace-Do-not-call-function-graph-from-dynamic-t.patch new file mode 100644 index 0000000..9b7f7ac --- /dev/null +++ b/queue/x86-ftrace-Do-not-call-function-graph-from-dynamic-t.patch @@ -0,0 +1,167 @@ +From d2a68c4effd821f0871d20368f76b609349c8a3b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Sat, 8 Dec 2018 12:58:51 -0500 +Subject: [PATCH] x86/ftrace: Do not call function graph from dynamic + trampolines + +commit d2a68c4effd821f0871d20368f76b609349c8a3b upstream. + +Since commit 79922b8009c07 ("ftrace: Optimize function graph to be +called directly"), dynamic trampolines should not be calling the +function graph tracer at the end. If they do, it could cause the function +graph tracer to trace functions that it filtered out. + +Right now it does not cause a problem because there's a test to check if +the function graph tracer is attached to the same function as the +function tracer, which for now is true. But the function graph tracer is +undergoing changes that can make this no longer true which will cause +the function graph tracer to trace other functions. + + For example: + + # cd /sys/kernel/tracing/ + # echo do_IRQ > set_ftrace_filter + # mkdir instances/foo + # echo ip_rcv > instances/foo/set_ftrace_filter + # echo function_graph > current_tracer + # echo function > instances/foo/current_tracer + +Would cause the function graph tracer to trace both do_IRQ and ip_rcv, +if the current tests change. + +As the current tests prevent this from being a problem, this code does +not need to be backported. But it does make the code cleaner. + +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Borislav Petkov <bp@alien8.de> +Cc: "H. Peter Anvin" <hpa@zytor.com> +Cc: x86@kernel.org +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c +index 7ee8067cbf45..8257a59704ae 100644 +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -733,18 +733,20 @@ union ftrace_op_code_union { + } __attribute__((packed)); + }; + ++#define RET_SIZE 1 ++ + static unsigned long + create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + { +- unsigned const char *jmp; + unsigned long start_offset; + unsigned long end_offset; + unsigned long op_offset; + unsigned long offset; + unsigned long size; +- unsigned long ip; ++ unsigned long retq; + unsigned long *ptr; + void *trampoline; ++ void *ip; + /* 48 8b 15 <offset> is movq <offset>(%rip), %rdx */ + unsigned const char op_ref[] = { 0x48, 0x8b, 0x15 }; + union ftrace_op_code_union op_ptr; +@@ -764,27 +766,27 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + + /* + * Allocate enough size to store the ftrace_caller code, +- * the jmp to ftrace_epilogue, as well as the address of +- * the ftrace_ops this trampoline is used for. ++ * the iret , as well as the address of the ftrace_ops this ++ * trampoline is used for. + */ +- trampoline = alloc_tramp(size + MCOUNT_INSN_SIZE + sizeof(void *)); ++ trampoline = alloc_tramp(size + RET_SIZE + sizeof(void *)); + if (!trampoline) + return 0; + +- *tramp_size = size + MCOUNT_INSN_SIZE + sizeof(void *); ++ *tramp_size = size + RET_SIZE + sizeof(void *); + + /* Copy ftrace_caller onto the trampoline memory */ + ret = probe_kernel_read(trampoline, (void *)start_offset, size); +- if (WARN_ON(ret < 0)) { +- tramp_free(trampoline, *tramp_size); +- return 0; +- } ++ if (WARN_ON(ret < 0)) ++ goto fail; + +- ip = (unsigned long)trampoline + size; ++ ip = trampoline + size; + +- /* The trampoline ends with a jmp to ftrace_epilogue */ +- jmp = ftrace_jmp_replace(ip, (unsigned long)ftrace_epilogue); +- memcpy(trampoline + size, jmp, MCOUNT_INSN_SIZE); ++ /* The trampoline ends with ret(q) */ ++ retq = (unsigned long)ftrace_stub; ++ ret = probe_kernel_read(ip, (void *)retq, RET_SIZE); ++ if (WARN_ON(ret < 0)) ++ goto fail; + + /* + * The address of the ftrace_ops that is used for this trampoline +@@ -794,17 +796,15 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + * the global function_trace_op variable. + */ + +- ptr = (unsigned long *)(trampoline + size + MCOUNT_INSN_SIZE); ++ ptr = (unsigned long *)(trampoline + size + RET_SIZE); + *ptr = (unsigned long)ops; + + op_offset -= start_offset; + memcpy(&op_ptr, trampoline + op_offset, OP_REF_SIZE); + + /* Are we pointing to the reference? */ +- if (WARN_ON(memcmp(op_ptr.op, op_ref, 3) != 0)) { +- tramp_free(trampoline, *tramp_size); +- return 0; +- } ++ if (WARN_ON(memcmp(op_ptr.op, op_ref, 3) != 0)) ++ goto fail; + + /* Load the contents of ptr into the callback parameter */ + offset = (unsigned long)ptr; +@@ -819,6 +819,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP; + + return (unsigned long)trampoline; ++fail: ++ tramp_free(trampoline, *tramp_size); ++ return 0; + } + + static unsigned long calc_trampoline_call_offset(bool save_regs) +diff --git a/arch/x86/kernel/ftrace_64.S b/arch/x86/kernel/ftrace_64.S +index 91b2cff4b79a..75f2b36b41a6 100644 +--- a/arch/x86/kernel/ftrace_64.S ++++ b/arch/x86/kernel/ftrace_64.S +@@ -171,9 +171,6 @@ GLOBAL(ftrace_call) + restore_mcount_regs + + /* +- * The copied trampoline must call ftrace_epilogue as it +- * still may need to call the function graph tracer. +- * + * The code up to this label is copied into trampolines so + * think twice before adding any new code or changing the + * layout here. +@@ -185,7 +182,10 @@ GLOBAL(ftrace_graph_call) + jmp ftrace_stub + #endif + +-/* This is weak to keep gas from relaxing the jumps */ ++/* ++ * This is weak to keep gas from relaxing the jumps. ++ * It is also used to copy the retq for trampolines. ++ */ + WEAK(ftrace_stub) + retq + ENDPROC(ftrace_caller) +-- +2.9.5 + diff --git a/queue/x86-ftrace-Set-trampoline-pages-as-executable.patch b/queue/x86-ftrace-Set-trampoline-pages-as-executable.patch new file mode 100644 index 0000000..8e52b90 --- /dev/null +++ b/queue/x86-ftrace-Set-trampoline-pages-as-executable.patch @@ -0,0 +1,70 @@ +From 3c0dab44e22782359a0a706cbce72de99a22aa75 Mon Sep 17 00:00:00 2001 +From: Nadav Amit <namit@vmware.com> +Date: Thu, 25 Apr 2019 17:11:29 -0700 +Subject: [PATCH] x86/ftrace: Set trampoline pages as executable + +commit 3c0dab44e22782359a0a706cbce72de99a22aa75 upstream. + +Since alloc_module() will not set the pages as executable soon, set +ftrace trampoline pages as executable after they are allocated. + +For the time being, do not change ftrace to use the text_poke() +interface. As a result, ftrace still breaks W^X. + +Signed-off-by: Nadav Amit <namit@vmware.com> +Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Cc: <akpm@linux-foundation.org> +Cc: <ard.biesheuvel@linaro.org> +Cc: <deneen.t.dock@intel.com> +Cc: <kernel-hardening@lists.openwall.com> +Cc: <kristen@linux.intel.com> +Cc: <linux_dti@icloud.com> +Cc: <will.deacon@arm.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Dave Hansen <dave.hansen@linux.intel.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Rik van Riel <riel@surriel.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/r/20190426001143.4983-10-namit@vmware.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> + +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c +index ef49517f6bb2..53ba1aa3a01f 100644 +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -730,6 +730,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + unsigned long end_offset; + unsigned long op_offset; + unsigned long offset; ++ unsigned long npages; + unsigned long size; + unsigned long retq; + unsigned long *ptr; +@@ -762,6 +763,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + return 0; + + *tramp_size = size + RET_SIZE + sizeof(void *); ++ npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE); + + /* Copy ftrace_caller onto the trampoline memory */ + ret = probe_kernel_read(trampoline, (void *)start_offset, size); +@@ -806,6 +808,12 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) + /* ALLOC_TRAMP flags lets us know we created it */ + ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP; + ++ /* ++ * Module allocation needs to be completed by making the page ++ * executable. The page is still writable, which is a security hazard, ++ * but anyhow ftrace breaks W^X completely. ++ */ ++ set_memory_x((unsigned long)trampoline, npages); + return (unsigned long)trampoline; + fail: + tramp_free(trampoline, *tramp_size); +-- +2.9.5 + diff --git a/queue/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch b/queue/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch new file mode 100644 index 0000000..2d08cd9 --- /dev/null +++ b/queue/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch @@ -0,0 +1,173 @@ +From de9f869616dd95e95c00bdd6b0fcd3421e8a4323 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Sun, 2 Jun 2019 03:15:58 +0200 +Subject: [PATCH] x86/insn-eval: Fix use-after-free access to LDT entry + +commit de9f869616dd95e95c00bdd6b0fcd3421e8a4323 upstream. + +get_desc() computes a pointer into the LDT while holding a lock that +protects the LDT from being freed, but then drops the lock and returns the +(now potentially dangling) pointer to its caller. + +Fix it by giving the caller a copy of the LDT entry instead. + +Fixes: 670f928ba09b ("x86/insn-eval: Add utility function to get segment descriptor") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn <jannh@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c +index cf00ab6c6621..306c3a0902ba 100644 +--- a/arch/x86/lib/insn-eval.c ++++ b/arch/x86/lib/insn-eval.c +@@ -557,7 +557,8 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, + } + + /** +- * get_desc() - Obtain pointer to a segment descriptor ++ * get_desc() - Obtain contents of a segment descriptor ++ * @out: Segment descriptor contents on success + * @sel: Segment selector + * + * Given a segment selector, obtain a pointer to the segment descriptor. +@@ -565,18 +566,18 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, + * + * Returns: + * +- * Pointer to segment descriptor on success. ++ * True on success, false on failure. + * + * NULL on error. + */ +-static struct desc_struct *get_desc(unsigned short sel) ++static bool get_desc(struct desc_struct *out, unsigned short sel) + { + struct desc_ptr gdt_desc = {0, 0}; + unsigned long desc_base; + + #ifdef CONFIG_MODIFY_LDT_SYSCALL + if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { +- struct desc_struct *desc = NULL; ++ bool success = false; + struct ldt_struct *ldt; + + /* Bits [15:3] contain the index of the desired entry. */ +@@ -584,12 +585,14 @@ static struct desc_struct *get_desc(unsigned short sel) + + mutex_lock(¤t->active_mm->context.lock); + ldt = current->active_mm->context.ldt; +- if (ldt && sel < ldt->nr_entries) +- desc = &ldt->entries[sel]; ++ if (ldt && sel < ldt->nr_entries) { ++ *out = ldt->entries[sel]; ++ success = true; ++ } + + mutex_unlock(¤t->active_mm->context.lock); + +- return desc; ++ return success; + } + #endif + native_store_gdt(&gdt_desc); +@@ -604,9 +607,10 @@ static struct desc_struct *get_desc(unsigned short sel) + desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); + + if (desc_base > gdt_desc.size) +- return NULL; ++ return false; + +- return (struct desc_struct *)(gdt_desc.address + desc_base); ++ *out = *(struct desc_struct *)(gdt_desc.address + desc_base); ++ return true; + } + + /** +@@ -628,7 +632,7 @@ static struct desc_struct *get_desc(unsigned short sel) + */ + unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + { +- struct desc_struct *desc; ++ struct desc_struct desc; + short sel; + + sel = get_segment_selector(regs, seg_reg_idx); +@@ -666,11 +670,10 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + if (!sel) + return -1L; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return -1L; + +- return get_desc_base(desc); ++ return get_desc_base(&desc); + } + + /** +@@ -692,7 +695,7 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + */ + static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + { +- struct desc_struct *desc; ++ struct desc_struct desc; + unsigned long limit; + short sel; + +@@ -706,8 +709,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + if (!sel) + return 0; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return 0; + + /* +@@ -716,8 +718,8 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + * not tested when checking the segment limits. In practice, + * this means that the segment ends in (limit << 12) + 0xfff. + */ +- limit = get_desc_limit(desc); +- if (desc->g) ++ limit = get_desc_limit(&desc); ++ if (desc.g) + limit = (limit << 12) + 0xfff; + + return limit; +@@ -741,7 +743,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + */ + int insn_get_code_seg_params(struct pt_regs *regs) + { +- struct desc_struct *desc; ++ struct desc_struct desc; + short sel; + + if (v8086_mode(regs)) +@@ -752,8 +754,7 @@ int insn_get_code_seg_params(struct pt_regs *regs) + if (sel < 0) + return sel; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return -EINVAL; + + /* +@@ -761,10 +762,10 @@ int insn_get_code_seg_params(struct pt_regs *regs) + * determines whether a segment contains data or code. If this is a data + * segment, return error. + */ +- if (!(desc->type & BIT(3))) ++ if (!(desc.type & BIT(3))) + return -EINVAL; + +- switch ((desc->l << 1) | desc->d) { ++ switch ((desc.l << 1) | desc.d) { + case 0: /* + * Legacy mode. CS.L=0, CS.D=0. Address and operand size are + * both 16-bit. +-- +2.9.5 + diff --git a/queue/x86-kprobes-Set-instruction-page-as-executable.patch b/queue/x86-kprobes-Set-instruction-page-as-executable.patch new file mode 100644 index 0000000..7dce4ae --- /dev/null +++ b/queue/x86-kprobes-Set-instruction-page-as-executable.patch @@ -0,0 +1,79 @@ +From 7298e24f904224fa79eb8fd7e0fbd78950ccf2db Mon Sep 17 00:00:00 2001 +From: Nadav Amit <namit@vmware.com> +Date: Thu, 25 Apr 2019 17:11:30 -0700 +Subject: [PATCH] x86/kprobes: Set instruction page as executable + +commit 7298e24f904224fa79eb8fd7e0fbd78950ccf2db upstream. + +Set the page as executable after allocation. This patch is a +preparatory patch for a following patch that makes module allocated +pages non-executable. + +While at it, do some small cleanup of what appears to be unnecessary +masking. + +Signed-off-by: Nadav Amit <namit@vmware.com> +Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: <akpm@linux-foundation.org> +Cc: <ard.biesheuvel@linaro.org> +Cc: <deneen.t.dock@intel.com> +Cc: <kernel-hardening@lists.openwall.com> +Cc: <kristen@linux.intel.com> +Cc: <linux_dti@icloud.com> +Cc: <will.deacon@arm.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Dave Hansen <dave.hansen@linux.intel.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Rik van Riel <riel@surriel.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/r/20190426001143.4983-11-namit@vmware.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index fed46ddb1eef..06058c44ab57 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -431,8 +431,20 @@ void *alloc_insn_page(void) + void *page; + + page = module_alloc(PAGE_SIZE); +- if (page) +- set_memory_ro((unsigned long)page & PAGE_MASK, 1); ++ if (!page) ++ return NULL; ++ ++ /* ++ * First make the page read-only, and only then make it executable to ++ * prevent it from being W+X in between. ++ */ ++ set_memory_ro((unsigned long)page, 1); ++ ++ /* ++ * TODO: Once additional kernel code protection mechanisms are set, ensure ++ * that the page was not maliciously altered and it is still zeroed. ++ */ ++ set_memory_x((unsigned long)page, 1); + + return page; + } +@@ -440,8 +452,12 @@ void *alloc_insn_page(void) + /* Recover page to RW mode before releasing it */ + void free_insn_page(void *page) + { +- set_memory_nx((unsigned long)page & PAGE_MASK, 1); +- set_memory_rw((unsigned long)page & PAGE_MASK, 1); ++ /* ++ * First make the page non-executable, and only then make it writable to ++ * prevent it from being W+X in between. ++ */ ++ set_memory_nx((unsigned long)page, 1); ++ set_memory_rw((unsigned long)page, 1); + module_memfree(page); + } + +-- +2.9.5 + diff --git a/queue/x86-power-Fix-nosmt-vs-hibernation-triple-fault-duri.patch b/queue/x86-power-Fix-nosmt-vs-hibernation-triple-fault-duri.patch new file mode 100644 index 0000000..27e7d82 --- /dev/null +++ b/queue/x86-power-Fix-nosmt-vs-hibernation-triple-fault-duri.patch @@ -0,0 +1,190 @@ +From ec527c318036a65a083ef68d8ba95789d2212246 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina <jkosina@suse.cz> +Date: Thu, 30 May 2019 00:09:39 +0200 +Subject: [PATCH] x86/power: Fix 'nosmt' vs hibernation triple fault during + resume + +commit ec527c318036a65a083ef68d8ba95789d2212246 upstream. + +As explained in + + 0cc3cd21657b ("cpu/hotplug: Boot HT siblings at least once") + +we always, no matter what, have to bring up x86 HT siblings during boot at +least once in order to avoid first MCE bringing the system to its knees. + +That means that whenever 'nosmt' is supplied on the kernel command-line, +all the HT siblings are as a result sitting in mwait or cpudile after +going through the online-offline cycle at least once. + +This causes a serious issue though when a kernel, which saw 'nosmt' on its +commandline, is going to perform resume from hibernation: if the resume +from the hibernated image is successful, cr3 is flipped in order to point +to the address space of the kernel that is being resumed, which in turn +means that all the HT siblings are all of a sudden mwaiting on address +which is no longer valid. + +That results in triple fault shortly after cr3 is switched, and machine +reboots. + +Fix this by always waking up all the SMT siblings before initiating the +'restore from hibernation' process; this guarantees that all the HT +siblings will be properly carried over to the resumed kernel waiting in +resume_play_dead(), and acted upon accordingly afterwards, based on the +target kernel configuration. + +Symmetricaly, the resumed kernel has to push the SMT siblings to mwait +again in case it has SMT disabled; this means it has to online all +the siblings when resuming (so that they come out of hlt) and offline +them again to let them reach mwait. + +Cc: 4.19+ <stable@vger.kernel.org> # v4.19+ +Debugged-by: Thomas Gleixner <tglx@linutronix.de> +Fixes: 0cc3cd21657b ("cpu/hotplug: Boot HT siblings at least once") +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Acked-by: Pavel Machek <pavel@ucw.cz> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> + +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index a7d966964c6f..513ce09e9950 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -299,7 +299,17 @@ int hibernate_resume_nonboot_cpu_disable(void) + * address in its instruction pointer may not be possible to resolve + * any more at that point (the page tables used by it previously may + * have been overwritten by hibernate image data). ++ * ++ * First, make sure that we wake up all the potentially disabled SMT ++ * threads which have been initially brought up and then put into ++ * mwait/cpuidle sleep. ++ * Those will be put to proper (not interfering with hibernation ++ * resume) sleep afterwards, and the resumed kernel will decide itself ++ * what to do with them. + */ ++ ret = cpuhp_smt_enable(); ++ if (ret) ++ return ret; + smp_ops.play_dead = resume_play_dead; + ret = disable_nonboot_cpus(); + smp_ops.play_dead = play_dead; +diff --git a/arch/x86/power/hibernate.c b/arch/x86/power/hibernate.c +index 4845b8c7be7f..fc413717a45f 100644 +--- a/arch/x86/power/hibernate.c ++++ b/arch/x86/power/hibernate.c +@@ -11,6 +11,7 @@ + #include <linux/suspend.h> + #include <linux/scatterlist.h> + #include <linux/kdebug.h> ++#include <linux/cpu.h> + + #include <crypto/hash.h> + +@@ -245,3 +246,35 @@ out: + __flush_tlb_all(); + return 0; + } ++ ++int arch_resume_nosmt(void) ++{ ++ int ret = 0; ++ /* ++ * We reached this while coming out of hibernation. This means ++ * that SMT siblings are sleeping in hlt, as mwait is not safe ++ * against control transition during resume (see comment in ++ * hibernate_resume_nonboot_cpu_disable()). ++ * ++ * If the resumed kernel has SMT disabled, we have to take all the ++ * SMT siblings out of hlt, and offline them again so that they ++ * end up in mwait proper. ++ * ++ * Called with hotplug disabled. ++ */ ++ cpu_hotplug_enable(); ++ if (cpu_smt_control == CPU_SMT_DISABLED || ++ cpu_smt_control == CPU_SMT_FORCE_DISABLED) { ++ enum cpuhp_smt_control old = cpu_smt_control; ++ ++ ret = cpuhp_smt_enable(); ++ if (ret) ++ goto out; ++ ret = cpuhp_smt_disable(old); ++ if (ret) ++ goto out; ++ } ++out: ++ cpu_hotplug_disable(); ++ return ret; ++} +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 3813fe45effd..fcb1386bb0d4 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -201,10 +201,14 @@ enum cpuhp_smt_control { + extern enum cpuhp_smt_control cpu_smt_control; + extern void cpu_smt_disable(bool force); + extern void cpu_smt_check_topology(void); ++extern int cpuhp_smt_enable(void); ++extern int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval); + #else + # define cpu_smt_control (CPU_SMT_NOT_IMPLEMENTED) + static inline void cpu_smt_disable(bool force) { } + static inline void cpu_smt_check_topology(void) { } ++static inline int cpuhp_smt_enable(void) { return 0; } ++static inline int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval) { return 0; } + #endif + + /* +diff --git a/kernel/cpu.c b/kernel/cpu.c +index f2ef10460698..077fde6fb953 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -2061,7 +2061,7 @@ static void cpuhp_online_cpu_device(unsigned int cpu) + kobject_uevent(&dev->kobj, KOBJ_ONLINE); + } + +-static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval) ++int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval) + { + int cpu, ret = 0; + +@@ -2093,7 +2093,7 @@ static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval) + return ret; + } + +-static int cpuhp_smt_enable(void) ++int cpuhp_smt_enable(void) + { + int cpu, ret = 0; + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index c8c272df7154..b65635753e8e 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -257,6 +257,11 @@ void swsusp_show_speed(ktime_t start, ktime_t stop, + (kps % 1000) / 10); + } + ++__weak int arch_resume_nosmt(void) ++{ ++ return 0; ++} ++ + /** + * create_image - Create a hibernation image. + * @platform_mode: Whether or not to use the platform driver. +@@ -324,6 +329,10 @@ static int create_image(int platform_mode) + Enable_cpus: + suspend_enable_secondary_cpus(); + ++ /* Allow architectures to do nosmt-specific post-resume dances */ ++ if (!in_suspend) ++ error = arch_resume_nosmt(); ++ + Platform_finish: + platform_finish(platform_mode); + +-- +2.9.5 + diff --git a/queue/xen-blkfront-switch-kcalloc-to-kvcalloc-for-large-ar.patch b/queue/xen-blkfront-switch-kcalloc-to-kvcalloc-for-large-ar.patch new file mode 100644 index 0000000..6d0dc1f --- /dev/null +++ b/queue/xen-blkfront-switch-kcalloc-to-kvcalloc-for-large-ar.patch @@ -0,0 +1,109 @@ +From 1d5c76e66433382a1e170d1d5845bb0fed7467aa Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne <roger.pau@citrix.com> +Date: Fri, 3 May 2019 17:04:01 +0200 +Subject: [PATCH] xen-blkfront: switch kcalloc to kvcalloc for large array + allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 1d5c76e66433382a1e170d1d5845bb0fed7467aa upstream. + +There's no reason to request physically contiguous memory for those +allocations. + +[boris: added CC to stable] + +Cc: stable@vger.kernel.org +Reported-by: Ian Jackson <ian.jackson@citrix.com> +Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> + +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c +index d43a5677ccbc..a74d03913822 100644 +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -1310,11 +1310,11 @@ static void blkif_free_ring(struct blkfront_ring_info *rinfo) + } + + free_shadow: +- kfree(rinfo->shadow[i].grants_used); ++ kvfree(rinfo->shadow[i].grants_used); + rinfo->shadow[i].grants_used = NULL; +- kfree(rinfo->shadow[i].indirect_grants); ++ kvfree(rinfo->shadow[i].indirect_grants); + rinfo->shadow[i].indirect_grants = NULL; +- kfree(rinfo->shadow[i].sg); ++ kvfree(rinfo->shadow[i].sg); + rinfo->shadow[i].sg = NULL; + } + +@@ -1353,7 +1353,7 @@ static void blkif_free(struct blkfront_info *info, int suspend) + for (i = 0; i < info->nr_rings; i++) + blkif_free_ring(&info->rinfo[i]); + +- kfree(info->rinfo); ++ kvfree(info->rinfo); + info->rinfo = NULL; + info->nr_rings = 0; + } +@@ -1914,9 +1914,9 @@ static int negotiate_mq(struct blkfront_info *info) + if (!info->nr_rings) + info->nr_rings = 1; + +- info->rinfo = kcalloc(info->nr_rings, +- sizeof(struct blkfront_ring_info), +- GFP_KERNEL); ++ info->rinfo = kvcalloc(info->nr_rings, ++ sizeof(struct blkfront_ring_info), ++ GFP_KERNEL); + if (!info->rinfo) { + xenbus_dev_fatal(info->xbdev, -ENOMEM, "allocating ring_info structure"); + info->nr_rings = 0; +@@ -2232,17 +2232,17 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) + + for (i = 0; i < BLK_RING_SIZE(info); i++) { + rinfo->shadow[i].grants_used = +- kcalloc(grants, +- sizeof(rinfo->shadow[i].grants_used[0]), +- GFP_NOIO); +- rinfo->shadow[i].sg = kcalloc(psegs, +- sizeof(rinfo->shadow[i].sg[0]), +- GFP_NOIO); ++ kvcalloc(grants, ++ sizeof(rinfo->shadow[i].grants_used[0]), ++ GFP_NOIO); ++ rinfo->shadow[i].sg = kvcalloc(psegs, ++ sizeof(rinfo->shadow[i].sg[0]), ++ GFP_NOIO); + if (info->max_indirect_segments) + rinfo->shadow[i].indirect_grants = +- kcalloc(INDIRECT_GREFS(grants), +- sizeof(rinfo->shadow[i].indirect_grants[0]), +- GFP_NOIO); ++ kvcalloc(INDIRECT_GREFS(grants), ++ sizeof(rinfo->shadow[i].indirect_grants[0]), ++ GFP_NOIO); + if ((rinfo->shadow[i].grants_used == NULL) || + (rinfo->shadow[i].sg == NULL) || + (info->max_indirect_segments && +@@ -2256,11 +2256,11 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) + + out_of_memory: + for (i = 0; i < BLK_RING_SIZE(info); i++) { +- kfree(rinfo->shadow[i].grants_used); ++ kvfree(rinfo->shadow[i].grants_used); + rinfo->shadow[i].grants_used = NULL; +- kfree(rinfo->shadow[i].sg); ++ kvfree(rinfo->shadow[i].sg); + rinfo->shadow[i].sg = NULL; +- kfree(rinfo->shadow[i].indirect_grants); ++ kvfree(rinfo->shadow[i].indirect_grants); + rinfo->shadow[i].indirect_grants = NULL; + } + if (!list_empty(&rinfo->indirect_pages)) { +-- +2.9.5 + diff --git a/queue/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch b/queue/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch new file mode 100644 index 0000000..f170094 --- /dev/null +++ b/queue/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch @@ -0,0 +1,53 @@ +From 7681f31ec9cdacab4fd10570be924f2cef6669ba Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Wed, 13 Feb 2019 18:21:31 -0500 +Subject: [PATCH] xen/pciback: Don't disable PCI_COMMAND on PCI device reset. + +commit 7681f31ec9cdacab4fd10570be924f2cef6669ba upstream. + +There is no need for this at all. Worst it means that if +the guest tries to write to BARs it could lead (on certain +platforms) to PCI SERR errors. + +Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b +"xen-pciback: limit guest control of command register" +a guest is still allowed to enable those control bits (safely), but +is not allowed to disable them and that therefore a well behaved +frontend which enables things before using them will still +function correctly. + +This is done via an write to the configuration register 0x4 which +triggers on the backend side: +command_write + \- pci_enable_device + \- pci_enable_device_flags + \- do_pci_enable_device + \- pcibios_enable_device + \-pci_enable_resourcess + [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO] + +However guests (and drivers) which don't do this could cause +problems, including the security issues which XSA-120 sought +to address. + +Reported-by: Jan Beulich <jbeulich@suse.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Reviewed-by: Prarit Bhargava <prarit@redhat.com> +Signed-off-by: Juergen Gross <jgross@suse.com> + +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c +index ea4a08b83fa0..787966f44589 100644 +--- a/drivers/xen/xen-pciback/pciback_ops.c ++++ b/drivers/xen/xen-pciback/pciback_ops.c +@@ -127,8 +127,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev) + if (pci_is_enabled(dev)) + pci_disable_device(dev); + +- pci_write_config_word(dev, PCI_COMMAND, 0); +- + dev->is_busmaster = 0; + } else { + pci_read_config_word(dev, PCI_COMMAND, &cmd); +-- +2.9.5 + diff --git a/queue/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch b/queue/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch new file mode 100644 index 0000000..dd9a56f --- /dev/null +++ b/queue/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch @@ -0,0 +1,76 @@ +From f7fac17ca925faa03fc5eb854c081a24075f8bad Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov <andrew.smirnov@gmail.com> +Date: Wed, 22 May 2019 14:34:01 +0300 +Subject: [PATCH] xhci: Convert xhci_handshake() to use + readl_poll_timeout_atomic() + +commit f7fac17ca925faa03fc5eb854c081a24075f8bad upstream. + +Xhci_handshake() implements the algorithm already captured by +readl_poll_timeout_atomic(). Convert the former to use the latter to +avoid repetition. + +Turned out this patch also fixes a bug on the AMD Stoneyridge platform +where usleep(1) sometimes takes over 10ms. +This means a 5 second timeout can easily take over 15 seconds which will +trigger the watchdog and reboot the system. + +[Add info about patch fixing a bug to commit message -Mathias] +Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com> +Tested-by: Raul E Rangel <rrangel@chromium.org> +Reviewed-by: Raul E Rangel <rrangel@chromium.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 048a675bbc52..20db378a6012 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -9,6 +9,7 @@ + */ + + #include <linux/pci.h> ++#include <linux/iopoll.h> + #include <linux/irq.h> + #include <linux/log2.h> + #include <linux/module.h> +@@ -52,7 +53,6 @@ static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring) + return false; + } + +-/* TODO: copied from ehci-hcd.c - can this be refactored? */ + /* + * xhci_handshake - spin reading hc until handshake completes or fails + * @ptr: address of hc register to be read +@@ -69,18 +69,16 @@ static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring) + int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec) + { + u32 result; ++ int ret; + +- do { +- result = readl(ptr); +- if (result == ~(u32)0) /* card removed */ +- return -ENODEV; +- result &= mask; +- if (result == done) +- return 0; +- udelay(1); +- usec--; +- } while (usec > 0); +- return -ETIMEDOUT; ++ ret = readl_poll_timeout_atomic(ptr, result, ++ (result & mask) == done || ++ result == U32_MAX, ++ 1, usec); ++ if (result == U32_MAX) /* card removed */ ++ return -ENODEV; ++ ++ return ret; + } + + /* +-- +2.9.5 + diff --git a/queue/xhci-Use-zu-for-printing-size_t-type.patch b/queue/xhci-Use-zu-for-printing-size_t-type.patch new file mode 100644 index 0000000..9c2210a --- /dev/null +++ b/queue/xhci-Use-zu-for-printing-size_t-type.patch @@ -0,0 +1,46 @@ +From c1a145a3ed9a40f3b6145feb97789e8eb49c5566 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam <festevam@gmail.com> +Date: Wed, 22 May 2019 10:35:29 -0300 +Subject: [PATCH] xhci: Use %zu for printing size_t type + +commit c1a145a3ed9a40f3b6145feb97789e8eb49c5566 upstream. + +Commit 597c56e372da ("xhci: update bounce buffer with correct sg num") +caused the following build warnings: + +drivers/usb/host/xhci-ring.c:676:19: warning: format '%ld' expects argument of type 'long int', but argument 3 has type 'size_t {aka unsigned int}' [-Wformat=] + +Use %zu for printing size_t type in order to fix the warnings. + +Fixes: 597c56e372da ("xhci: update bounce buffer with correct sg num") +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: Fabio Estevam <festevam@gmail.com> +Cc: stable <stable@vger.kernel.org> +Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 88392aa65722..feffceb31e8a 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -673,7 +673,7 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci, + len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf, + seg->bounce_len, seg->bounce_offs); + if (len != seg->bounce_len) +- xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n", ++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n", + len, seg->bounce_len); + seg->bounce_len = 0; + seg->bounce_offs = 0; +@@ -3166,7 +3166,7 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len, + seg->bounce_buf, new_buff_len, enqd_len); + if (len != seg->bounce_len) + xhci_warn(xhci, +- "WARN Wrong bounce buffer write length: %ld != %d\n", ++ "WARN Wrong bounce buffer write length: %zu != %d\n", + len, seg->bounce_len); + seg->bounce_dma = dma_map_single(dev, seg->bounce_buf, + max_pkt, DMA_TO_DEVICE); +-- +2.9.5 + diff --git a/queue/xhci-update-bounce-buffer-with-correct-sg-num.patch b/queue/xhci-update-bounce-buffer-with-correct-sg-num.patch new file mode 100644 index 0000000..671b54c --- /dev/null +++ b/queue/xhci-update-bounce-buffer-with-correct-sg-num.patch @@ -0,0 +1,81 @@ +From 597c56e372dab2c7f79b8d700aad3a5deebf9d1b Mon Sep 17 00:00:00 2001 +From: Henry Lin <henryl@nvidia.com> +Date: Wed, 22 May 2019 14:33:57 +0300 +Subject: [PATCH] xhci: update bounce buffer with correct sg num + +commit 597c56e372dab2c7f79b8d700aad3a5deebf9d1b upstream. + +This change fixes a data corruption issue occurred on USB hard disk for +the case that bounce buffer is used during transferring data. + +While updating data between sg list and bounce buffer, current +implementation passes mapped sg number (urb->num_mapped_sgs) to +sg_pcopy_from_buffer() and sg_pcopy_to_buffer(). This causes data +not get copied if target buffer is located in the elements after +mapped sg elements. This change passes sg number for full list to +fix issue. + +Besides, for copying data from bounce buffer, calling dma_unmap_single() +on the bounce buffer before copying data to sg list can avoid cache issue. + +Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") +Cc: <stable@vger.kernel.org> # v4.8+ +Signed-off-by: Henry Lin <henryl@nvidia.com> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index fed3385aeac0..ef7c8698772e 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -656,6 +656,7 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci, + struct device *dev = xhci_to_hcd(xhci)->self.controller; + struct xhci_segment *seg = td->bounce_seg; + struct urb *urb = td->urb; ++ size_t len; + + if (!ring || !seg || !urb) + return; +@@ -666,11 +667,14 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci, + return; + } + +- /* for in tranfers we need to copy the data from bounce to sg */ +- sg_pcopy_from_buffer(urb->sg, urb->num_mapped_sgs, seg->bounce_buf, +- seg->bounce_len, seg->bounce_offs); + dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len, + DMA_FROM_DEVICE); ++ /* for in tranfers we need to copy the data from bounce to sg */ ++ len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf, ++ seg->bounce_len, seg->bounce_offs); ++ if (len != seg->bounce_len) ++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n", ++ len, seg->bounce_len); + seg->bounce_len = 0; + seg->bounce_offs = 0; + } +@@ -3127,6 +3131,7 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len, + unsigned int unalign; + unsigned int max_pkt; + u32 new_buff_len; ++ size_t len; + + max_pkt = usb_endpoint_maxp(&urb->ep->desc); + unalign = (enqd_len + *trb_buff_len) % max_pkt; +@@ -3157,8 +3162,12 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len, + + /* create a max max_pkt sized bounce buffer pointed to by last trb */ + if (usb_urb_dir_out(urb)) { +- sg_pcopy_to_buffer(urb->sg, urb->num_mapped_sgs, ++ len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs, + seg->bounce_buf, new_buff_len, enqd_len); ++ if (len != seg->bounce_len) ++ xhci_warn(xhci, ++ "WARN Wrong bounce buffer write length: %ld != %d\n", ++ len, seg->bounce_len); + seg->bounce_dma = dma_map_single(dev, seg->bounce_buf, + max_pkt, DMA_TO_DEVICE); + } else { +-- +2.9.5 + |